3Com WX3000 User Manual

The right user manual

The regulations oblige the seller to hand over the user manual for the 3Com WX3000 to the purchaser together with the goods. A missing manual or incorrect information passed on to the consumer forms grounds for a complaint on the basis of the product's non-conformity with the contract. Legally, the manual may be provided in a form other than paper, which has lately been used very often by attaching a graphic or electronic manual for the 3Com WX3000 as well as instruction videos for users. The condition is that its form is legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the 3Com WX3000 manual contains a description of the stages of the procedures. The purpose of the manual is instruction, simplifying the start-up and use of the device or the performance of certain tasks. The manual is a collection of information about an object/a service, a guide.

Unfortunately, not many users devote their time to the 3Com WX3000 user manual. A good user manual not only allows you to get to know a number of additional functions of the purchased device, but also helps to avoid many mistakes.

So what should an ideal user manual contain?

The 3Com WX3000 user manual should above all contain the following:
- Information about the technical data of the 3Com WX3000 device
- The name of the manufacturer and the year of manufacture of the 3Com WX3000 device
- Principles of operation, adjustment and maintenance of the 3Com WX3000 device
- Safety marks and certificates confirming conformity with the relevant standards

Why don't we read user manuals?

The reason is lack of time and confidence regarding the specific functions of the purchased devices. Unfortunately, connecting and starting the 3Com WX3000 is not enough. A manual contains a number of notes on specific functions, safety principles, types of maintenance (even which agents should be used), possible faults of the 3Com WX3000 and ways of solving problems that might occur during use. After all, the manual also contains the contact number for 3Com service if the suggested solutions are not effective. Currently, manuals in the form of interesting animations or video instructions are gaining popularity, as they address the user better than a brochure. This type of manual guarantees that the user watches the whole video without skipping the specific and complicated technical descriptions of the 3Com WX3000, as happens with the paper form.

Why should you read user manuals?

In the user manual we find above all the answers about the construction and capabilities of the 3Com WX3000 device, about the use of certain accessories and a range of information that allows you to use all its functions and conveniences.

After a successful purchase of the device, you should devote some time to getting to know every part of the 3Com WX3000 manual. Currently they are carefully prepared or translated so that they are not only understandable for users but also fulfil their basic help-and-information function.

Table of contents of the user manuals

  • Seite 1

    3Com WX3000 Series Unified Switches Switching Engine Operation Manual Manual Version: 6W100 www.3com.com 3Com Corporation 350 Campus Drive, Marlborou gh, MA, USA 01752 3064[...]

  • Seite 2

    Copyright © 2009, 3Com Corporatio n. All rights reserved. No part of this documentation may be reprodu ced in any form or by any means or used to make any de riva tive work (such as translation, transform ation, or adaptation) without written permiss ion from 3Com Corporation. 3Com Corporation re serves the right to revise this docu mentation and [...]

  • Seite 3

    About This Manual Organization 3Com WX3000 Serie s Unified Switches consist s of three models: the WX3024 , the WX301 0 and the WX3008. 3Com WX3000 Series Unified Switche s Switching Engi ne Ope ration Manu al is organized a s follows: Part Contents 1 CLI Introduces the comm and h ierarchy, command view and CLI features of the WX3000 Series Unified[...]

  • Seite 4

    Part Contents 24 SNMP-RMON Introduces the configuratio n for network mana gement through SNMP and RMON 25 Multicast Introduces IGMP snooping and the relate d configuration. 26 NTP Introduces NTP and the related co nfiguration. 27 SSH Introduces SSH2.0 and the related co nfiguration. 28 File System Management Introduces basic config uration for file[...]

  • Seite 5

    Convention Description &<1-n> The argument(s) befo re the ampersa nd (&) sign can be entered 1 to n times. # A line starting with the # sign is comments. GUI conventions Convention Description Boldface Window names, button names, field names, and me nu items are in Boldface. For example, the New User window appears; click OK . > Mu[...]

  • Seite 6

    Manual Description 3Com WX3000 Series Unified Switch es Web-Based Configuration Manual Introduces the Web-b ased functions of the access control engine of WX300 0 se ries unified switches access controller engines. Obtaining Documentation You can access the most u p -to-date 3Com product documentation on the Wo rld Wide Web at this URL: http://www.[...]

  • Seite 7

    i Table of Contents 1 CLI Config uration ············································································································ ·························· 1-1 Introduction to the CLI ·····?[...]

  • Seite 8

    1-1 1 CLI Configuration The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Introduction to the CLI A command line interface (CLI) is a user interface to interact with a device. Throug h the CLI on a device, a user can enter comma nds to configure the dev ice an d check output in[...]

  • Seite 9

    1-2 z Manage level (level 3): Command s at this level are associated with the basic operation mod ules and support modules of the system. Th ese comman ds provide su pport for services. Comma nds concerning file system, FT P/TFTP/XModem downloading, user management, and level setting are at this level. Users logged into the device fall into four us[...]

  • Seite 10

    1-3 Configuration example After a general user telnet s to the device, his/her user level is 0. Now , the network admi nist rator want s to allow general users to switch to level 3, so that they are able to configure the device. # A level 3 user sets a swit ching passwo rd for u ser level 3. <device> system-view [device] super password level [...]

  • Seite 11

    1-4 # Change the tftp g e t command in user view (sh ell) from level 3 to level 0. (Originally , only level 3 user s can change the level of a comm and.) <device> system-view [device] command-privilege level 0 view shell tftp [device] command-privilege level 0 view shell tftp 192.168.0.1 [device] command-privilege level 0 view shell tftp 192.[...]

  • Seite 12

    1-5 View Available operation Prompt example Enter method Quit method 1000 Mbps Ethernet port view: [device-Gi gabitEth ernet1/0/1] Execute the interface gigabitethernet command in system view. Ethernet port view Configure Ethernet port parameters 10 Gigabit Ethernet port view: [device-TenGigabit Ethernet1/1/1] Execute the interface tengigabitethern[...]

  • Seite 13

    1-6 View Available operation Prompt example Enter method Quit method Edit the RSA public key for SSH users [device-rsa-key- co de] Public key editing view Edit the RSA or DSA public key for SSH users [device-peer-key-c ode] Execute the public-key-code begin command in public key view. Execute the public-key-c ode end command to return to public key[...]

  • Seite 14

    1-7 View Available operation Prompt example Enter method Quit method QinQ view Configure QinQ parameters [device-Gi gabitEth ernet1/0/1-vid-20] Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command should be first executed. Execute the quit command to return to Ethernet port view. Execute the return command to return t[...]

  • Seite 15

    1-8 timezone Configure time zone If the question mark (?) is at an argument positio n in the command, the descripti on of the argument will be displayed on your terminal. [device] interface vlan-interface ? <1-4094> VLAN interface number If only <cr> is displayed after you enter a question mark (?), it means no p arameter is avail able [...]

  • Seite 16

    1-9 By default, the CLI can store up to 10 latest ex e cuted commands for each user . Y ou can view the command history by performing the operations listed i n T able 1-3 . Table 1-3 View history commands Purpose Operation Remarks Display the latest executed history command s Execute the display history-command command This comm and displays the co[...]

  • Seite 17

    1-10 Table 1-5 Edit operations Press… To… A common key Insert the corresponding characte r at the cursor po sition and move the cursor one character to the right if the comm and is shorter than 254 characters. Backspace key Delete the chara cter o n the left of the cursor a nd mo ve the cursor one character to the left. Left arrow key or Ctrl+B[...]

  • Seite 18

    i Table of Contents 1 Logging In to the Switching Engine ··························································································· ············· 1-1 Logging In to the Sw itching Engine······················[...]

  • Seite 19

    ii Configuring Source IP Address for Telnet Service Packets ··································································· 6-1 Displaying Source IP A ddress Config uration ·····················································[...]

  • Seite 20

    1-1 1 Logging In to the Switching Engine The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Logging In to the Switching Engine Y ou can log in to the switching engine of the device in one of the following ways: z Logging in through OAP z Logging in locally or remotely through a [...]

  • Seite 21

    1-2 User Interface Index T wo kinds of user interface index exist: absolute user interface index and relative user interfac e index. 1) The absolute user interface indexes are as follo ws: z The absolute AUX user interfa ces is nu mbered 0. z VTY user interface indexes follow AUX user interf ace indexes. The first absolute VTY user interface is num[...]

  • Seite 22

    1-3 To do… Use the command… Remarks Display the information about the current user interface/all user inte rfaces display users [ all ] Display the physical attributes and configuration of the current/a specified user inte rface display user-interface [ type number | number ] Display the information about the current web users display web users[...]

  • Seite 23

    2-1 2 Logging In Through OAP OAP Overview As an open sof tware and hardware system, Ope n App lication Architecture (OAA) provides a set of complete st andard sof tware and hardware inte rf aces. The third party vendors can develop product s with special functions. Th ese product s can be compatible with ea ch other as long as they confo rm to the [...]

  • Seite 24

    2-2 Therefore, when you use the NMS to manage the a ccess control engin e and the switching e ngine on the same interface, you must first obtain the m anagement IP addresses of the two SNMP agents and obtain the link rel ationship between them, and t hen you can a ccess the two agent s. By default, the management IP address of an OAP module is not [...]

  • Seite 25

    2-3 Resetting the OAP Software System If the operating system works abnorm all y or is un der other anom ali es, you ca n reset the OAP sof tware system. Follow these step s to reset the OAP softwa re system: To do… Use the command… Remarks Reset the OAP software system oap reboot slot 0 Required Available in user view The reset operation may c[...]

  • Seite 26

    3-1 3 Logging In Through Telnet Introduction The device support s T elnet. Y ou can manage and mainta in the switching engine remotely by T elnetting to the switching engine. T o log in to the switching engine through T elnet, the corresponding configu ration is required on both the switching engine and the T elnet terminal. Y ou can also log in to[...]

  • Seite 27

    3-2 Configuration Description Make terminal s ervices availa ble Optional By default, terminal services are available in all user interfaces Set the maximum number of lines the screen can contai n Optional By default, the screen can contain up to 24 lines. Set history command buffer size Optional By default, the history command buffer can contain u[...]

  • Seite 28

    3-3 To improve security and prevent attacks to the unus ed Sockets, TCP 23 and TCP 22, ports for Telnet and SSH services respectively, will be enable d or di sabled after correspondi ng configu rations. z If the authentication mode is none , TCP 23 will be enabled, and T CP 22 will be disabled. z If the authentication mode is password , and the cor[...]

  • Seite 29

    3-4 To do… Use the command… Remarks Set the history command buffer size history-command max-size value Optional The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default. Set the timeout time of the VTY user interface idle-timeout minutes [ seconds ] Optional The default timeout time[...]

  • Seite 30

    3-5 # S pecify co mmand s of level 2 are available to users logging in through VTY 0. [device-ui-vty0] user privilege level 2 # Configure T elnet protocol is supported. [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can cont ain to 30. [device-ui-vty0] screen-length 30 # Set the maximum number of commands the [...]

  • Seite 31

    3-6 To do… Use the command… Remarks Set the history command buffer size history-command max-size value Optional The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default. Set the timeout time of the user interface idle-timeout minutes [ seconds ] Optional The default timeout time of [...]

  • Seite 32

    3-7 [device-ui-vty0] authentication-mode password # Set the local password to 12345 6 (in plain text). [device-ui-vty0] set authentication password simple 123456 # S pecify co mmand s of level 2 are available to users logging in to VTY 0. [device-ui-vty0] user privilege level 2 # Configure T elnet protocol is supported. [device-ui-vty0] protocol in[...]

  • Seite 33

    3-8 To do… Use the command… Remarks Enter one or more VTY user interface views user-inter face vty first - number [ last-num ber ] — Configure to authenticate users locally or remotely authentication-m ode scheme [ command- authorization ] Required The specified AAA scheme determines whether to authenticate users locally or remotely. Users ar[...]

  • Seite 34

    3-9 Table 3-4 Determine the command l evel whe n users logging in to the switching engi ne a re authenticated in the scheme mode Scenario Authentication mode User type Command Command level The user privilege level level command is not executed, and the service-ty pe command does not specify the available command level. Level 0 The user privilege l[...]

  • Seite 35

    3-10 Refer to AAA Operation and SSH Operation of this manual for inform ation about AAA, RADIUS, and SSH. Configuration Example Network requirements As shown in Figure 3-3 , assume a curre nt user logs in using the oap connect slot 0 command and the user level is set to the manage level (level 3). Perfor m the following configurations for use rs lo[...]

  • Seite 36

    3-11 [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can cont ain to 30. [device-ui-vty0] screen-length 30 # Set the maximum number of commands the hi story command buf fer can store to 20. [device-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [device-ui-vty0] idle-timeout 6 Telnetti[...]

  • Seite 37

    3-12 z Perform the following operations i n the terminal window to assi gn IP address 202.38.160.9 0/24 to VLAN–interface 1 of the access cont rol engine. <device> system-view [device] interface Vlan-interface 1 [device-Vlan-interface1] ip address 202.38.160.90 255.255.255.0 z Log in to the switching engine of the device using the oap conn [...]

  • Seite 38

    3-13 Figure 3-7 Launch Telnet 5) If the password authentication mode is specified, enter the password when the Telnet wi ndow displays “Login authentication” and prompt s fo r login password. The CLI prompt (su ch as <System_LSW>) appears if the passw ord is correct. If all VTY user interfaces of the switching engine are in use, you will [...]

  • Seite 39

    3-14 1) Perform Teln et-related configur ation on the switchin g engine opera ting as the Telnet server. For details, refer to Telnet Configuration with Authentication Mode Bei ng None , Telnet Configuration with Authentication Mode Being Password , and Telnet Configuration with Authenticatio n Mode Being Scheme . 2) Telnet to the access control en[...]

  • Seite 40

    4-1 4 Logging In from the Web-Based Network Management System When logging in from the W eb-based network manag ement system, go to these sections fo r information you are interested in: z Introduction z Setting Up a Web Configuration Environment z Configuring the Login Ban ner z Enabling/Disabling the WEB Server Introduction The device has a W eb [...]

  • Seite 41

    4-2 Setting Up a Web Configuration Environment Your WX series a ccess controller products were del ivered with a factory default configuration. This configuration allows you to log into the b uilt-in We b-based management sy stem of the access controller product from a Web browse r on a PC by inputting http ://192.168.0.101 in the addres s bar of t[...]

  • Seite 42

    4-3 Figure 4-1 Web interface of the access cont roller engine 3) Set up a Web configuration environment, as shown in Figure 4-2 . Figure 4-2 Set up a Web configuration environment 4) Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter h ttp://192.168.0.101 in the address bar. (Make s[...]

  • Seite 43

    4-4 configured by the header command, a user logging in throu gh Web directly enters the user login authentication page. Follow these steps to co nfigure the login banner: To do… Use the command… Remarks Enter syst e m view system-vie w — Configure the banner to be displayed when a user logs in through Web header login text Required By defaul[...]

  • Seite 44

    4-5 Figure 4-5 Banner page displayed when a user lo gs in to the switching engin e through Web Click Continue to enter u ser login authe ntication p age. Y ou will enter the main page of the W eb-based network management syst em if the authentication su cceeds. Enabling/Disabling the WEB Server Follow these steps to ena b le/disable the WEB server:[...]

  • Seite 45

    5-1 5 Logging In from NMS Introduction Y ou can also log in to the switching engine fr om a network management st ation (NMS), and then configure and manage the swit ching engine through the agent module on the switch. Simple network management protocol (SNMP) is applie d between the NMS and the agent. Refer to the SNMP-RMON part for related inform[...]

  • Seite 46

    6-1 6 Configuring Source IP Address for Telnet Service Packets Overview Y ou can configure source IP address or source interf ace for the T elnet server and T elnet client. This provides a way to manage service s and enhan ces security . The source IP address specified for T elnet service p acket s is the IP address of a Loopback interfa ce or VLAN[...]

  • Seite 47

    6-2 To do… Use the command… Remarks Specify a source interface for Telnet client telnet source-interface interface-type interface-number Optional When configuring a source IP addre ss fo r Telnet packets, ensure that: z The source IP address m ust be one on the local device. z The source interface must already exist. z A reachable route is avai[...]

  • Seite 48

    7-1 7 User Control Refer to the ACL part for information about ACL. Introduction The switching engine provides ways to control di f ferent types of login users, as listed in T able 7-1 . Table 7-1 Ways to control different types of login users Login mode Control method Implementation Reference By source IP address Through basic ACLs Controlling Tel[...]

  • Seite 49

    7-2 To do… Use the command… Remarks Enter syst e m view system-vie w — Create a basic ACL or enter basic ACL view acl number acl-number [ match-order { config | auto } ] As for the acl number command, the config keyword is specified by default. Define rules for the ACL rule [ rule-id ] { deny | permit } [ rule-string ] Required Quit to system[...]

  • Seite 50

    7-3 Controlling Telnet Users by Source MAC Addresses Controlling T elnet users by source MAC addresses is achi eved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Follow these steps to co ntrol T elnet users by sou rce MAC addre sses: To do… Use the command… Remarks Enter syst e m view system-vie w — Create or enter Layer 2 A[...]

  • Seite 51

    7-4 Controlling Network Management Users by Source IP Addresses Y ou can manage the device through network ma nagement sof tware. Network m anagement users can access switching engines throu gh SNMP . Y ou need to perform the following two operations to control net work managem ent users by source IP addresses. z Defining an ACL z Applying the ACL [...]

  • Seite 52

    7-5 You can specify different ACLs while co nfiguri ng the SNMP comm unity name, SNMP group name, and SNMP user name. As SNMP co mmunity name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in the command that configures SNMP community names (the snmp-agent community command) t ake ef fect in the network management syst ems that ad opt SNMPv[...]

  • Seite 53

    7-6 z Applying the ACL to control Web users Prerequisites The controlling policy against W eb users is deter mined, includ ing the source IP addresses to be controlled and the cont rolling actions (p ermitting o r denying). Controlling Web Users by Source IP Addresses Controlling W eb users by source IP addre sses is achieved by applying b asic ACL[...]

  • Seite 54

    7-7 Configuration procedure # Define a basic ACL. <device> system-view [device] acl number 2030 [device-acl-basic-2030] rule 1 permit source 10.110.100.52 0 [device-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sou rce d from the IP addre ss of 10.1 10.10 0.52 to access the switching engine. [device] ip http acl 2030[...]

  • Seite 55

    i Table of Contents 1 Configuration F ile Management ································································································ ··············· 1-1 Introduction to C onfigurati on File ················[...]

  • Seite 56

    1-1 1 Configuration File Management The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Introduction to Configuration File A configuration file records and store s user conf igurations performed to the device. It also enables users to check device configuration s ea sily . Types [...]

  • Seite 57

    1-2 can configure a file to have both main a nd backup attribute, but only one file of either main or backup attribute is allowed on a device. The following three situations a re con cerned with the main/ba ckup attributes: z When saving the current configuration, you can spe cify the file to be a main or backup or normal configuration file. z When[...]

  • Seite 58

    1-3 z Safe mode. This is the mode when yo u use the save command with the safely keyword. The mode saves the file slower but can retain the original configuration file in t he device even if the device reboots or the power fails during the proce ss. The configuration file to be used for ne xt startup may be lost if the device reboots or the power f[...]

  • Seite 59

    1-4 To do… Use the command… Remarks Erase the startup configuration file from the storage device reset saved-configuration [ backup | main ] Required Available in user view Y ou may need to erase the configuration file for one of these reasons: z After you upgrade software, the old configurat ion file d oes not match the new software. z The sta[...]

  • Seite 60

    1-5 The configuration file must use “. cfg” as its extension name and the st artup configuration file must be saved at the root directory of the device. Displaying and Maintain ing Device Configuration To do… Use the command… Remarks Display the initial configuration file saved in the storage device display saved - configurati on [ unit uni[...]

  • Seite 61

    i Table of Contents 1 VLAN Ov erview ·········································································································································· 1-1 VLAN Ov erview ········?[...]

  • Seite 62

    1-1 1 VLAN Overview z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. VLAN Overview Introduction to VLAN The trad[...]

  • Seite 63

    1-2 of network layer devices , such as routers and Layer 3 switch es. Figure 1-1 illustrates a VLAN implementation. Figure 1-1 A VLAN implementation Sw itch Rou te r Sw i t ch VL AN A VLAN B VLA N A VLANB VLAN A VL AN B Advantages of VLANs Compared wi th the traditional Ethernet, VLAN enjoys the followin g advant ages. z Broadcasts are confine d to[...]

  • Seite 64

    1-3 Figure 1-2 Encapsulation format of traditional Ethernet frames Ty pe Dat a DA & SA In Figure 1-2 DA refers to the destination MAC address, SA refers to the sou rce MAC address, and T ype refers to the upper layer protocol type of the packe t. IEEE 802.1Q protocol defines that a 4-byte VLAN tag is encap sulated after the destination MAC ad d[...]

  • Seite 65

    1-4 After VLANs are configu red on a switch, the MAC addr ess learni ng of the switch has the following two modes. z Shared VLAN learning (SVL): the switch records all the MAC addre ss entries learnt by ports in all VLANs to a shared MAC address fo rwarding table. Pa ckets receive d on any port of any VLAN are forwarded according to this table. z I[...]

  • Seite 66

    1-5 The link type of a port on the device can be one of the fo llowing: access, trunk, and hybrid. For the three types of ports, the pro cess of being added into a VLAN and the way of forwarding p ackets are dif ferent. For details, re fer to the “Port Basic C onfi guration” part of the manua l. Port-based VLANs are easy to implement and man ag[...]

  • Seite 67

    1-6 The switch identifies whether a packet is an Ethern et II packet or an 80 2.2/802.3 packet according to the ranges of the two fields. Extended encapsulation formats of 802.2/802.3 packets 802.2/802.3 packet s have the following th re e extended encap sul ation formats: z 802.3 raw encapsulation: only the length field is encap sulated after the [...]

  • Seite 68

    1-7 Procedure for the Switch to Judge Packet Protocol Figure 1-9 Procedure for the switch to judge packet protocol Receive packet s Type (Length) field Ethernet II encaps ulat ion Match th e ty pe va lu e Inval id packe ts that ca nn ot be matched 802.2 /802.3 encap sulatio n Contr ol field Inva lid pa ckets that can not be matched dsap /ssap value[...]

  • Seite 69

    1-8 The protocol template is the st andard to determine th e protocol to which a p acket belongs. Protocol templates include st andard templates and user-define d template s: z The standard template adopts the RFC-defined packe t encap sul ation formats a nd values of som e specific fields as the matching criteria. z The user-defined template adopt[...]

  • Seite 70

    2-1 2 VLAN Configuration VLAN Configuration Configuration Task List Complete the following ta sks to configure VLAN: Task Remarks Basic VLAN Configuration Req uired Basic VLAN Interface Configuration Optional Displaying and Maintaining VLAN Optional Basic VLAN Configuration Follow these steps to ma ke basi c VLAN configuration: To do… Use the com[...]

  • Seite 71

    2-2 Basic VLAN Interface Configuration Configuration prerequisites Before configuring a VLAN interfac e, create the corre sponding VLAN. Configuration procedure Follow these steps to ma ke basi c VLAN interface configuration: To do… Use the command… Remarks Enter syst e m view system-view — Create a VLAN interface and enter VLAN interface vie[...]

  • Seite 72

    2-3 Configuring a Port-Based VLAN Configuring a Port-Based VLAN Configuration prerequisites Create a VLAN before configuring a po rt-ba sed VLAN. Configuration procedure Follow these steps to co nfigure a port-based VLAN: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter VLAN view vlan vlan-id — Add Ethernet ports to [...]

  • Page 73

    2-4 Configuration procedure • Configure Switch A. # Create VLAN 101, specify its descriptive string as “DMZ”, and add GigabitEthernet 1/0/1 to VLAN 101. <SwitchA> system-view [SwitchA] vlan 101 [SwitchA-vlan101] description DMZ [SwitchA-vlan101] port GigabitEthernet 1/0/1 [SwitchA-vlan101] quit # Create VLAN 201, and add GigabitEtherne[...]

  • Page 74

    2-5 For the command of configuring a port link type (port link-type) and the command of allowing packets of certain VLANs to pass through a port (port trunk permit), refer to the section of configuring Ethernet ports in the “Port Basic Configuration” part of this document. Configuring a Protocol-Based VLAN. Configuration Task List: Com[...]

  • Page 75

    2-6 • Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type and to associate the two protocol types with the same port, so that ARP packets and IP packets are not assigned to different VLANs, which would cause IP address resolution failure[...]

  • Page 76

    2-7 For the operation of adding a hybrid port to a VLAN in the untagged way (when forwarding a packet, the port removes the VLAN tag of the packet), refer to the section of configuring Ethernet ports in the “Port Basic Configuration” part of this manual. Displaying and Maintaining Protocol-Based VLAN: To do… Use the command… Remarks: Disp[...]

  • Page 77

    2-8 Configuration procedure # Create VLAN 100 and VLAN 200, and add GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 100 and VLAN 200 respectively. <device> system-view [device] vlan 100 [device-vlan100] port GigabitEthernet 1/0/11 [device-vlan100] quit [device] vlan 200 [device-vlan200] port GigabitEthernet 1/0/12 # Configure p[...]

  • Page 78

    2-9 VLAN ID / Protocol-Index / Protocol-Type: 100 0 ip; 100 1 ethernetii etype 0x0806; 200 0 at. The above output information indicates that GigabitEthernet 1/0/10 has already been associated with the corresponding protocol templates of VLAN 100 and VLAN 200. Thus, packets from the IP and AppleTalk workstations can be automatically assigned to VLAN 1[...]

  • Page 79

    i Table of Contents: 1 Auto Detect Configuration 1-1; Introduction to the Auto Detect Function [...]

  • Page 80

    1-1 1 Auto Detect Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. When configuring the auto detec[...]

  • Page 81

    1-2 Auto Detect Configuration. Complete the following tasks to configure auto detect: Task / Remarks: Auto Detect Basic Configuration, Required; Auto Detect Implementation in Static Routing, Optional; Auto Detect Implementation in VLAN Interface Backup, Optional. Auto Detect Basic Configuration: Follow these steps to configure the auto detect function: To[...]

  • Page 82

    1-3 Auto Detect Implementation in Static Routing. You can bind a static route with a detected group. The Auto Detect function will then detect the reachability of the static route through the path specified in the detected group. • The static route is valid if the detected group is reachable. • The static route is invalid if the detected grou[...]

  • Page 83

    1-4 To do… Use the command… Remarks: Enter system view, system-view, —; Enter VLAN interface view, interface Vlan-interface vlan-id, —; Enable the auto detect function to implement VLAN interface backup, standby detect-group group-number, Required (this operation is only needed on the secondary VLAN interface). Auto Detect Configuration Examples[...]

  • Page 84

    1-5 <SwitchC> system-view # Configure a static route to Switch A. [SwitchC] ip route-static 192.168.1.1 24 10.1.1.3 Configuration Example for Auto Detect Implementation in VLAN Interface Backup. Network requirements • As shown in Figure 1-2, make sure the routes between Switch A, Switch B, and Switch C, and between Switch A, Switch D, and Swi[...]

  • Page 85

    i Table of Contents: 1 Voice VLAN Configuration 1-1; Voice VLAN Overview [...]

  • Page 86

    1-1 1 Voice VLAN Configuration. The sample output information in this manual was created on the WX3024. The output information on your device may vary. Voice VLAN Overview: Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted with[...]

  • Page 87

    1-2 Figure 1-1 Network diagram for IP phones (DHCP Server1, DHCP Server2, Call agent, IP Phone; steps ①, ②, ③). As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voic[...]

  • Page 88

    1-3 3) After the IP phone acquires the IP address assigned by DHCP Server2, the IP phone establishes a connection to the NCP specified by DHCP Server 1 and downloads corresponding software. After that, the IP phone can communicate properly. • An untagged packet carries no VLAN tag. • A tagged packet carries the tag of a VLAN. How the Device I[...]

  • Page 89

    1-4 Processing mode of untagged packets sent by IP voice devices • Automatic mode. A WX3000 device automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on. The voice VLAN uses the aging mechanism to maintain the number[...]

  • Page 90

    1-5 Table 1-2 Matching relationship between port types and voice traffic types. Port voice VLAN mode / Voice traffic type / Port type / Supported or not: Access, Not supported; Trunk, Supported (make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN). Tagged voice traffic: Hybrid, Suppo[...]

  • Page 91

    1-6 Voice VLAN Configuration. Configuration Prerequisites • Create the corresponding VLAN before configuring a voice VLAN. • VLAN 1 (the default VLAN) cannot be configured as a voice VLAN. Configuring a Voice VLAN to Operate in Automatic Mode: Follow these steps to configure a voice VLAN to operate in automatic mode: To do… Use the command… Re[...]

  • Page 92

    1-7 When the voice VLAN is working normally, if the device restarts, in order to make the established voice connections work normally, the system does not need to be triggered by the voice traffic to add the port in automatic mode to the local devices of the voice VLAN but does so immediately after the restart. Configuring a Voice VLAN to Oper[...]

  • Page 93

    1-8 To do… Use the command… Remarks: Enter VLAN view, vlan vlan-id; Access port: Add the port to the VLAN, port interface-list; Enter port view, interface interface-type interface-num; Add the port to the VLAN, port trunk permit vlan vlan-id / port hybrid vlan vlan-id { tagged | untagged }, Required (by default, all the ports belong to VLAN 1). Add a port in[...]

  • Page 94

    1-9 Displaying and Maintaining Voice VLAN. To do… Use the command… Remarks: Display the information about ports on which voice VLAN configuration fails, display voice vlan error-info; Display the voice VLAN configuration status, display voice vlan status; Display the currently valid OUI addresses, display voice vlan oui; Display the ports operati[...]

  • Page 95

    1-10 [DeviceA] voice vlan aging 100 # Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Enable the voice VLAN function globally. [DeviceA] voice vlan 2 enable # Configure the voice VLAN to operate in automatic mode on[...]

  • Page 96

    1-11 <DeviceA> system-view [DeviceA] voice vlan security enable # Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Create VLAN 2 and configure it as a voice VLAN. [DeviceA] vlan 2 [DeviceA-vlan2] quit [DeviceA] [...]

  • Page 97

    i Table of Contents: 1 GVRP Configuration 1-1; Introduction to GVRP [...]

  • Page 98

    1-1 1 GVRP Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to GVRP: GARP VLAN registr[...]

  • Page 99

    1-2 Leave messages, LeaveAll messages, together with Join messages ensure attribute information can be deregistered and re-registered. Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN. 2) GARP timers: Timers determine the intervals of sending differe[...]

  • Page 100

    1-3 Figure 1-1 Format of GARP packets (Ethernet frame carrying a GARP PDU: DA, length, DSAP, SSAP, Ctrl, then the PDU; GARP PDU structure: Protocol ID, Message 1 ... Message N, End Mark; message structure: Attribute Type, Attribute List; attribute list: Attribute 1 ... Attribute N, End Mark; attribute structure: Attribute Length, Attribute Event, Attribute Value) [...]

  • Page 101

    1-4 GVRP: As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other devices through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local V[...]

  • Page 102

    1-5 Configuration procedure: Follow these steps to enable GVRP on an Ethernet port: To do… Use the command… Remarks: Enter system view, system-view, —; Enable GVRP globally, gvrp, Required (by default, GVRP is disabled globally); Enter Ethernet port view, interface interface-type interface-number, —; Enable GVRP on the port, gvrp, Required; By def[...]

  • Page 103

    1-6 Table 1-2 Relations between the timers. Timer / Lower threshold / Upper threshold: Hold, 10 centiseconds, this upper threshold is less than or equal to one-half of the timeout time of the Join timer (you can change the threshold by changing the timeout time of the Join timer); Join, this lower threshold is greater than or equal to twice the timeout ti[...]

  • Page 104

    1-7 GVRP Configuration Example. Network requirements • Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network, thus implementing dynamic VLAN information registration and refresh, as shown in Figure 1-2. • By configuring the[...]

  • Page 105

    1-8 [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/3. [SwitchA-GigabitEthernet1/0/3] gvrp [SwitchA-GigabitEthernet1/0/3] quit 2) Configure Switch B # The configuration procedure of Switch B is similar to that of Switch A and is thus omitted. 3) Configure Switch C # Enable GVRP on Switch C, which i[...]

  • Page 106

    1-9 [SwitchE-GigabitEthernet1/0/1] gvrp registration fixed # Display the VLAN information dynamically registered on Switch A. [SwitchA] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch B. [SwitchB] display vlan dynamic Total 3 dynamic [...]

  • Page 107

    i Table of Contents: 1 Basic Port Configuration 1-1; Ethernet Port Overview [...]

  • Page 108

    1-1 1 Basic Port Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Ethernet Port Overview: Types and[...]

  • Page 109

    1-2 Link Types of Ethernet Ports. An Ethernet port of the device can operate in one of the following three link types: • Access: An access port can belong to only one VLAN, and is generally used to connect user PCs. • Trunk: A trunk port can belong to more than one VLAN. It can receive/send packets from/to multiple VLANs, and is generally used[...]

  • Page 110

    1-3 Table 1-3 Processing of incoming/outgoing packets. Port type / Processing of an incoming packet (if the packet does not carry a VLAN tag; if the packet carries a VLAN tag) / Processing of an outgoing packet. Access: • If the VLAN ID is just the default VLAN ID, receive the packet. • If the VLAN ID is not the default VLAN ID, discard the packet. Depri[...]

  • Page 111

    1-4 To do… Use the command… Remarks: Enter system view, system-view, —; Enter Ethernet port view, interface interface-type interface-number, —; Enable the Ethernet port, undo shutdown (by default, the port is enabled; use the shutdown command to disable the port); Set the description of the Ethernet port, description text (by default, no descriptio[...]

  • Page 112

    1-5 To do… Use the command… Remarks: Configure the available auto-negotiation speed(s) for the port, speed auto [ 10 | 100 | 1000 ]*, Optional (by default, the port speed is auto-negotiated). • Only ports on the front panel of the device support the auto-negotiation speed configuration feature. And ports on the extended interface card do not suppo[...]

  • Page 113

    1-6 To do… Use the command… Remarks: Enter system view, system-view, —; Enter Ethernet port view, interface interface-type interface-number, —; Enable flow control on the Ethernet port, flow-control, Required (by default, flow control is not enabled on a port). Configuring Access Port Attribute: Follow these steps to configure access port attribut[...]

  • Page 114

    1-7 To do… Use the command… Remarks: Enter system view, system-view, —; Enter Ethernet port view, interface interface-type interface-number, —; Set the link type for the port as trunk, port link-type trunk, Required; Set the default VLAN ID for the trunk port, port trunk pvid vlan vlan-id, Optional (by default, the VLAN of a trunk port is VLAN 1). Add[...]

  • Page 115

    1-8 <device> system-view [device] interface GigabitEthernet 1/0/1 [device-GigabitEthernet1/0/1] shutdown [device-GigabitEthernet1/0/1] %Apr 2 08:11:14:220 2000 device L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is DOWN [device-GigabitEthernet1/0/1] undo shutdown [device-GigabitEthernet1/0/1] %Apr 2 08:11:32:253 2000 device L2IN[...]

  • Page 116

    1-9 configuration command once on one port and that configuration will apply to all ports in the port group. This effectively reduces redundant configurations. A port group could be manually created by users. Multiple Ethernet ports can be added to the same port group but one Ethernet port can only be added to one port group. Follow thes[...]

  • Page 117

    1-10 To do… Use the command… Remarks: Configure the system to run loopback detection on all VLANs for the trunk and hybrid ports, loopback-detection per-vlan enable, Optional (by default, the system runs loopback detection only on the default VLAN for the trunk and hybrid ports). • To enable loopback detection on a specific port, you must use the[...]

  • Page 118

    1-11 Enabling the System to Test Connected Cable. You can enable the system to test the cable connected to a specific port. The test result will be returned in five minutes. The system can test these attributes of the cable: receive and transmit directions (RX and TX), short circuit/open circuit or not, the length of the faulty cable. Follow th[...]

  • Page 119

    1-12 Displaying and Maintaining Ethernet Ports. To do… Use the command… Remarks: Display port configuration information, display interface [ interface-type | interface-type interface-number ]; Display information for a specified port group, display port-group group-id; Display port loopback detection state, display loopback-detection; Display brief [...]

  • Page 120

    1-13 [device] vlan 100 # Configure the default VLAN ID of GigabitEthernet 1/0/1 as 100. [device-GigabitEthernet1/0/1] port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration. Symptom: Default VLAN ID configuration failed. Solution: Take the following steps. • Use the display interface or display port command to check if the port i[...]

  • Page 121

    i Table of Contents: 1 Link Aggregation Configuration 1-1; Overview [...]

  • Page 122

    1-1 1 Link Aggregation Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Overview: Introduction to L[...]

  • Page 123

    1-2 Operation Key. An operation key of an aggregation port is a configuration combination generated by the system depending on the configurations of the port (rate, duplex mode, other basic configuration, and management key) when the port is aggregated. 1) The selected ports in a manual/static aggregation group have the same operation key. 2) The [...]

  • Page 124

    1-3 For an aggregation group: • When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; • When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state; if the port belongs to a dynamic LACP aggregation [...]

  • Page 125

    1-4 Dynamic LACP Aggregation Group. Introduction to dynamic LACP aggregation group: A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot add/remove ports to/from it. A port can participate in dynamic link aggregation only when it is LACP-enabled. Ports can be aggregated into a dynamic aggregation [...]

  • Page 126

    1-5 Changing the system priority of a device may change the preferred device between the two parties, and may further change the states (selected or unselected) of the member ports of dynamic aggregation groups. Configuring port priority: LACP determines the selected and unselected states of the dynamic aggregation group members according t[...]

  • Page 127

    1-6 A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while the others are unselected ports. Link Aggregation Configuration • The commands of link aggregation cannot be configured with the commands of the port loopback detection feature at the same[...]

  • Page 128

    1-7 To do… Use the command… Remarks: Configure a description for the aggregation group, link-aggregation group agg-id description agg-name, Optional (by default, an aggregation group has no description); Enter Ethernet port view, interface interface-type interface-number, —; Add the Ethernet port to the aggregation group, port link-aggregation grou[...]

  • Page 129

    1-8 To do… Use the command… Remarks: Configure a description for the aggregation group, link-aggregation group agg-id description agg-name, Optional (by default, an aggregation group has no description); Enter Ethernet port view, interface interface-type interface-number, —; Add the port to the aggregation group, port link-aggregation group agg-id, Re[...]

  • Page 130

    1-9 To do… Use the command… Remarks: Enable LACP on the port, lacp enable, Required (by default, LACP is disabled on a port); Configure the port priority, lacp port-priority port-priority, Optional (by default, the port priority is 32,768). Displaying and Maintaining Link Aggregation: To do… Use the command… Remarks: Display summary information of a[...]

  • Page 131

    1-10 Figure 1-1 Network diagram for link aggregation configuration (Switch A connected to Switch B by a link aggregation). Configuration procedure 1) Adopting manual aggregation mode # Create manual aggregation group 1. <device> system-view [device] link-aggregation group 1 mode manual # Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation gr[...]

  • Page 132

    1-11 Note that the three LACP-enabled ports can be aggregated into a dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate and duplex mode and so on).[...]

  • Page 133

    i Table of Contents: 1 Port Isolation Configuration 1-1; Port Isolation Overview [...]

  • Page 134

    1-1 1 Port Isolation Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Port Isolation Overview: Intr[...]

  • Page 135

    1-2 • When a member port of an aggregation group is added to an isolation group, the other ports in the same aggregation group are added to the isolation group automatically. • When a member port of an aggregation group is deleted from an isolation group, the other ports in the same aggregation group are deleted from the isolation group a[...]

  • Page 136

    1-3 <device> system-view System View: return to User View with Ctrl+Z. [device] interface GigabitEthernet1/0/2 [device-GigabitEthernet1/0/2] port isolate [device-GigabitEthernet1/0/2] quit [device] interface GigabitEthernet1/0/3 [device-GigabitEthernet1/0/3] port isolate [device-GigabitEthernet1/0/3] quit [device] interface GigabitEthernet1/0[...]

  • Page 137

    i Table of Contents: 1 Port Security Configuration 1-1; Port Security Overview [...]

  • Page 138

    1-1 1 Port Security Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Port Security Overview: Introd[...]

  • Page 139

    1-2 Port Security Modes. Table 1-1 describes the available port security modes. Table 1-1 Description of port security modes. Security mode / Description / Feature: noRestriction: Port security is disabled on the port and access to the port is not restricted. In this mode, neither the NTK nor the intrusion protection feature is triggered. autolearn: In th[...]

  • Page 140

    1-3 Security mode / Description / Feature: userLoginSecure: In this mode, a port performs 802.1x authentication of users and services only one user passing 802.1x authentication at a time. userLoginSecureExt: In this mode, a port performs 802.1x authentication of users and services users passing 802.1x authentication. userLoginWithOUI: Similar to t[...]

  • Page 141

    1-4 Port Security Configuration. Complete the following tasks to configure port security: Task / Remarks: Enabling Port Security, Required; Setting the Maximum Number of MAC Addresses Allowed on a Port, Optional; Setting the Port Security Mode, Required; Configuring the NTK feature; Configuring intrusion protection; Configuring Port Security Features; Config[...]

  • Page 142

    1-5 Setting the Maximum Number of MAC Addresses Allowed on a Port. Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit. By setting the maximum number of MAC addresses allowed on a port, you can • Control the maximum number of users [...]

  • Page 143

    1-6 To do… Use the command… Remarks: Enter Ethernet port view, interface interface-type interface-number, —; Set the port security mode, port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogi[...]

  • Page 144

    1-7 The WX3000 series devices do not support the ntkonly NTK feature. Configuring intrusion protection: Follow these steps to configure the intrusion protection feature: To do… Use the command… Remarks: Enter system view, system-view, —; Enter Ethernet port view, interface interface-type interface-number, —; Set the corresponding action to b[...]

  • Page 145

    1-8 To do… Use the command… Remarks: Enter system view, system-view, —; Enable sending traps for the specified type of event, port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure }, Required (by default, no trap is sent). Ignoring the Authorization Information fro[...]

  • Page 146

    1-9 The security MAC addresses manually configured are written to the configuration file; they will not get lost when the port is up or down. As long as the configuration file is saved, the security MAC addresses can be restored after the device reboots. Configuration prerequisites • Port security is enabled. • The maximum number of security M[...]

  • Page 147

    1-10 • To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1. • After the number of security MAC addresses reaches 80, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port will[...]

  • Page 148

    2-1 2 Port Binding Configuration. Port Binding Overview. Introduction: Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port. After the binding, the switch forwards only the packets received on the port whose MAC address and IP address are identical with the bound MAC address and IP [...]

  • Page 149

    2-2 Port Binding Configuration Example. Network requirements: As shown in Figure 2-1, it is required to bind the MAC and IP addresses of Host 1 to GigabitEthernet 1/0/1 on switch A, so as to prevent malicious users from using the IP address they steal from Host 1 to access the network. Figure 2-1 Network diagram for port binding configuration Swi[...]

  • Page 150

    i Table of Contents: 1 DLDP Configuration 1-1; DLDP Overview [...]

  • Page 151

    1-1 1 DLDP Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. DLDP Overview: You may have encountere[...]

  • Page 152

    1-2 Figure 1-2 Fiber correct connection/disconnection in one direction (GE1/0/10 and GE1/0/11 on SwitchA and SwitchB; PC). DLDP provides the following features: • As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device. While the auto-negotiation mechanism on the physical layer d[...]

  • Page 153

    1-3 Status / Description: Probe: DLDP sends packets to check if it is a unidirectional link. It enables the probe sending timer and an echo waiting timer for each target neighbor. Disable: DLDP detects a unidirectional link, or finds (in enhanced mode) that a neighbor disappears. In this case, DLDP does not receive or send DLDP packets. Delaydown[...]

  • Page 154

    1-4 Timer / Description: Enhanced timer: In enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP enables the enhanced timer for the neighbor. The timeout time for the enhanced timer is 10 seconds. The enhanced timer then sends one probe packet every second, eight packets in total, continuously[...]

  • Page 155

    1-5 Table 1-4 Types of packets sent by DLDP. DLDP status / Packet types: Active, Advertisement packets, including those with or without RSY tags; Advertisement, Advertisement packets; Probe, Probe packets. 2) DLDP analyzes and processes received packets as follows: • In authentication mode, DLDP authenticates the packets, and discards those that do not pass t[...]

  • Page 156

    1-6 DLDP neighbor state. A DLDP neighbor can be in one of these two states: two way and unknown. You can check the state of a DLDP neighbor by using the display dldp command. Table 1-7 Description on the two DLDP neighbor states. DLDP neighbor state / Description: two way: The link to the neighbor operates properly. unknown: The device is detectin[...]

  • Page 157

    1-7 To do… Use the command… Remarks: Set the delaydown timer, dldp delaydown-timer delaydown-time, Optional (by default, the delaydown timer expires 1 second after it is triggered); Set the DLDP handling mode when a unidirectional link is detected, dldp unidirectional-shutdown { auto | manual }, Optional (by default, the handling mode is auto). Se[...]

  • Page 158

    1-8 To do… Use the command… Remarks: Enter system view, system-view; Reset the DLDP status of the system, dldp reset; Enter Ethernet port view, interface interface-type interface-number; Reset the DLDP status of a port, dldp reset, Optional (this command only applies to the ports in DLDP down status). DLDP Network Example. Network requirements: As shown[...]

  • Page 159

    1-9 [SwitchA-GigabitEthernet1/0/11] duplex full [SwitchA-GigabitEthernet1/0/11] speed 1000 [SwitchA-GigabitEthernet1/0/11] quit # Enable DLDP globally [SwitchA] dldp enable DLDP is enabled on all fiber ports except fabric ports. # Set the interval of sending DLDP packets to 15 seconds [SwitchA] dldp interval 15 # Configure DLDP to work in enhanced[...]

  • Page 160

    i Table of Contents: 1 MAC Address Table Management 1-1; Overview [...]

  • Page 161

    1-1 1 MAC Address Table Management • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. • This chapter describes the[...]

  • Page 162

    1-2 1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A needs to be transmitted to GigabitEthernet 1/0/1. At this time, the device records the source MAC address of the packet, that is, the address “MAC-A” of User A, to the MAC address table of the switch, forming an en[...]

  • Seite 163

    1-3 Figure 1-4 MAC address learning diagram (3) 4) At this time, the MAC address table of the device includes the two forwarding entries shown in Figure 1-5. When forwarding the response packet, the device unicasts the packet instead of broadcasting it to User A through GigabitEthernet 1/0/ [...]

  • Page 164

    1-4 The aging timer only takes effect on dynamic MAC address entries. Entries in a MAC address table Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods: • Static MAC address entry: Also known as permanent MAC address entry. MAC address entries of this type are added/remov[...]

  • Page 165

    1-5 Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet port view. Adding a MAC address entry i[...]

  • Page 166

    1-6 Setting the Aging Time of MAC Address Entries Setting the aging time properly helps effective utilization of MAC address aging. An aging time that is too long or too short affects the performance of the device. • If the aging time is too long, excessive invalid MAC address entries maintained by the device may fill up the MAC address table. This[...]

  • Page 167

    1-7 To do… Use the command… Remarks Set the maximum number of MAC addresses the port can learn mac-address max-mac-count count Required By default, the number of MAC addresses a port can learn is not limited. Specifying the maximum number of MAC addresses a port can learn disables centralized MAC address authentication and port securi[...]

  • Page 168

    1-8 Displaying and Maintaining MAC Address Table To do… Use the command… Remarks Display information about the MAC address table display mac-address [ display-option ] Display the aging time of the dynamic MAC address entries in the MAC address table display mac-address aging-time The display command can be executed in any view. Configuration E[...]

  • Page 169

    i Table of Contents 1 MSTP Configuration 1-1 STP Overview [...]

  • Page 170

    ii Configuring Root Guard 1-37 Configuring Loop Guard [...]

  • Page 171

    1-1 1 MSTP Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. STP Overview STP Overview Functions of[...]

  • Page 172

    1-2 Upon network convergence, the root bridge generates and sends out configuration BPDUs periodically. Other devices just forward the configuration BPDUs they receive. This mechanism ensures topological stability. 2) Root port On a non-root bridge device, the root port is the port with the lowest path cost to the root bridge. The root po[...]

  • Page 173

    1-3 4) Path cost Path cost is a value used for measuring link capacity. By comparing the path costs of different links, STP selects the most robust links and blocks the other links to prune the network into a tree. How STP works STP identifies the network topology by transmitting configuration BPDUs between network devices. Configuration[...]

  • Page 174

    1-4 Step Description 2 The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU. Principle for configuration BPDU comparison: • The configuration BPDU that has the lowest root bridge ID has the highest priority. • If all the configuration BPDUs have the same root bridge ID, they will be compared f[...]

  • Page 175

    1-5 When the network topology is stable, only the root port and designated ports forward traffic, while all other ports are in the blocked state – they only receive STP packets but do not forward user traffic. Once the root bridge, the root port on each non-root bridge and the designated ports have been successfully elected, the entire tree-[...]

  • Page 176

    1-6 Table 1-5 Comparison process and result on each device Device Comparison process BPDU of port after comparison Device A • Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration message, and discards the received[...]

  • Page 177

    1-7 Device Comparison process BPDU of port after comparison • Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1. • Port CP2 receives the configuration BPDU of[...]

  • Page 178

    1-8 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. 2) The BPDU forwarding mechan[...]

  • Page 179

    1-9 For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network. • Hello t[...]

  • Page 180

    1-10 • MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance mapping table. MSTP introduces the “instance” (which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization. • MSTP divides a switched network into multiple regions, eac[...]

  • Page 181

    1-11 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs. Each of these spanning trees corresponds to[...]

  • Page 182

    1-12 • A region edge port is located on the edge of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. • An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate por[...]

  • Page 183

    1-13 • Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets. • Learning state. Ports in this state can receive/send BPDU packets. • Discarding state. Ports in this state can only receive BPDU packets. Port roles and port states are not mutually dependent. Table 1-6 lists possible combinations of port [...]

  • Page 184

    1-14 For MSTP, CIST configuration information is generally expressed as follows: (Root bridge ID, External path cost, Master bridge ID, Internal path cost, Designated bridge ID, ID of sending port, ID of receiving port), and is compared as follows: • The smaller the Root bridge ID of the configuration BPDU is, the higher the priority of th[...]

  • Page 185

    1-15 • BPDU guard • Loop guard • TC-BPDU attack guard • BPDU packet drop STP-related Standards STP-related standards include the following. • IEEE 802.1D: spanning tree protocol • IEEE 802.1w: rapid spanning tree protocol • IEEE 802.1s: multiple spanning tree protocol Configuring Root Bridge Complete the following tasks to configure a root bridge[...]

  • Page 186

    1-16 In a network containing devices with both GVRP and MSTP enabled, GVRP packets are forwarded along the CIST. If you want to advertise packets of a specific VLAN through GVRP, be sure to map the VLAN to the CIST when configuring the MSTP VLAN mapping table (the CIST of a network is spanning tree instance 0). Configuration Prerequisites The ro[...]

  • Page 187

    1-17 Configuring MST region-related parameters (especially the VLAN mapping table) results in spanning tree recalculation and network topology jitter. To reduce network topology jitter caused by the configuration, MSTP does not recalculate spanning trees immediately after the configuration; it does this only after you perform one of the [...]

  • Page 188

    1-18 To do… Use the command… Remarks Enter system view system-view — Specify the current device as the root bridge of a spanning tree stp [ instance instance-id ] root primary [ bridge-diameter bridgenumber [ hello-time centi-seconds ] ] Required Specify the current device as the secondary root bridge of a spanning tree Follow these steps[...]

  • Page 189

    1-19 • You can configure a device as the root bridge of multiple spanning tree instances. But you cannot configure two or more root bridges for one spanning tree instance. So, do not configure root bridges for the same spanning tree instance on two or more devices using the stp root primary command. • You can configure multiple secondary [...]

  • Page 190

    1-20 Configuration example # Set the bridge priority of the current device to 4,096 in spanning tree instance 1. <device> system-view [device] stp instance 1 priority 4096 Configuring the Mode a Port Recognizes and Sends MSTP Packets A port can be configured to recognize and send MSTP packets in the following modes. • Automatic mode. Po[...]

  • Page 191

    1-21 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure the mode a port recognizes and sends MSTP packets stp compliance { auto | dot1s | legacy } Required By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it de[...]

  • Page 192

    1-22 Configuration example # Specify the MSTP operation mode as STP-compatible. <device> system-view [device] stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hop count of the MST region. The value of the maximum hop count limits the size of the MST region.[...]

  • Page 193

    1-23 To do… Use the command… Remarks Enter system view system-view — Configure the network diameter of the switched network stp bridge-diameter bridgenumber Required The default network diameter of a network is 7. The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network s[...]

  • Page 194

    1-24 • The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. Too small a forward delay parameter may result in temporary redundant paths, and too large a forward delay parameter may leave a network unable to resume the normal state in time after change [...]

  • Page 195

    1-25 Configuration procedure Follow these steps to configure the timeout time factor: To do… Use the command… Remarks Enter system view system-view — Configure the timeout time factor for the device stp timer-factor number Required The timeout time factor defaults to 3. For a steady network, the timeout time can be five to seven times of [...]

  • Page 196

    1-26 Configuration example # Set the maximum transmitting speed of GigabitEthernet 1/0/1 to 15. 1) Configure the maximum transmitting speed in system view <device> system-view [device] stp interface GigabitEthernet1/0/1 transmit-limit 15 2) Configure the maximum transmitting speed in Ethernet port view <device> system-view [device] int[...]

  • Page 197

    1-27 It is recommended that you configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network. Configuration example # Configure GigabitEthernet 1/0/1 as an edge port. 1) Configure[...]

  • Page 198

    1-28 To do… Use the command… Remarks Specify whether the link connected to a port is a point-to-point link stp point-to-point { force-true | force-false | auto } Required The auto keyword is adopted by default. • Among aggregated ports, you can only configure the links of master ports as point-to-point links. • If an auto-negotiating port o[...]

  • Page 199

    1-29 To do… Use the command… Remarks Enter system view system-view — Enable MSTP stp enable Required MSTP is disabled by default. Enter Ethernet port view interface interface-type interface-number — Disable MSTP on the port stp disable Optional By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a dev[...]

  • Page 200

    1-30 Task Remarks Configuring the Mode a Port Recognizes and Sends MSTP Packets Optional Configuring the Timeout Time Factor Optional Configuring the Maximum Transmitting Speed on the Current Port Optional The default value is recommended. Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Config[...]

  • Page 201

    1-31 Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled device, the path cost may be different in different spanning tree instances. You can enable flows of different VLANs to travel along different physical links by configuring appropriate p[...]

  • Page 202

    1-32 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000/link transmission speed, where ‘link transmissio[...]

  • Page 203

    1-33 [device] stp pathcost-standard dot1d-1998 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] undo stp instance 1 cost [device-GigabitEthernet1/0/1] quit [device] stp pathcost-standard dot1d-1998 Configuring Port Priority Port priority is an import[...]

  • Page 204

    1-34 [device] stp interface GigabitEthernet1/0/1 instance 1 port priority 16 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] stp instance 1 port priority 16 Specifying Whether the Link Connected to a Port Is a Point-to-point Link Refer to Specifyin[...]

  • Page 205

    1-35 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Perform the mCheck operation stp mcheck Required Configuration Example # Perform the mCheck operation on GigabitEthernet 1/0/1. 1) Perform this configuration in system view <device> system-view[...]

  • Page 206

    1-36 Loop guard A device maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream device. These BPDUs may get lost because of network congestion or unidirectional link failures. If a device does not receive BPDUs from the upstream device for a certain period, the device selects a new [...]

  • Page 207

    1-37 Configuration Prerequisites MSTP runs normally on the device. Configuring BPDU Guard Configuration procedure Follow these steps to configure BPDU guard: To do… Use the command… Remarks Enter system view system-view — Enable the BPDU guard function stp bpdu-protection Required The BPDU guard function is disabled by default. Configurat[...]

  • Page 208

    1-38 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] stp root-protection Configuring Loop Guard Configuration procedure Follow these steps to configure loop guard: To do… Use the command… Remarks Enter system view system-view — Enter Ethern[...]

  • Page 209

    1-39 # Set the maximum number of times the device may remove the MAC address table within 10 seconds to 5. <device> system-view [device] stp tc-protection threshold 5 Configuring BPDU Dropping Follow these steps to configure BPDU dropping: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface i[...]

  • Page 210

    1-40 Configuring Digest Snooping Configure the digest snooping feature on a device to enable it to communicate with other devices adopting proprietary protocols to calculate configuration digests in the same MST region through MSTIs. Configuration prerequisites The device to be configured is connected to a device of another vendor adopting [...]

  • Page 211

    1-41 • When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. • The digest snooping feature is needed only when your device is connected to a device of anot[...]

  • Page 212

    1-42 Figure 1-6 The RSTP rapid transition mechanism Figure 1-7 The MSTP rapid transition mechanism The cooperation between MSTP and RSTP is limited in the process of rapid transition. For example, when the upstream device adopts RSTP, the downstream device adopts MSTP and the downstream device does not support RSTP-compatible mode, the root [...]

  • Page 213

    1-43 Configuring Rapid Transition Configuration prerequisites As shown in Figure 1-8, a WX3000 series device is connected to a device of another vendor. The former operates as the downstream device, and the latter operates as the upstream device. The network operates normally. The upstream device is running a proprietary spanning tree p[...]

  • Page 214

    1-44 • The rapid transition feature can be enabled on only root ports or alternate ports. • If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographi[...]

  • Page 215

    1-45 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel function. Enable the VLAN VPN function for the Ethernet port vlan-vpn enable Required By default, the VLAN VPN function is disabled o[...]

  • Page 216

    1-46 [device] stp portlog all Enabling Trap Messages Conforming to 802.1d Standard The device sends trap messages conforming to the 802.1d standard to the network management device in the following two cases: • The device becomes the root bridge of an instance. • Network topology changes are detected. Configuration procedure Follow these steps to en[...]

  • Page 217

    1-47 MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different spanning tree instances. The detailed configurations are as follows: • All switches in the network belong to the same MST region. • Packets of VLAN 10, VLAN 30, VLAN 40, [...]

  • Page 218

    1-48 [SwitchA] stp instance 1 root primary 2) Configure Switch B # Enter MST region view. <SwitchB> system-view [SwitchB] stp region-configuration # Configure the region name, VLAN-to-MSTI mapping table, and revision level for the MST region. [SwitchB-mst-region] region-name example [SwitchB-mst-region] instance 1 vlan 10 [SwitchB-mst-reg[...]

  • Page 219

    1-49 VLAN-VPN tunnel Configuration Example Network requirements As shown in Figure 1-11: • The WX3000 series devices operate as the access devices of the operator’s network, that is, Switch C and Switch D in the network diagram. • Devices of other series operate as the access devices of the user’s network, that is, Switch A and Switch [...]

  • Page 220

    1-50 [SwitchC] stp enable # Enable the VLAN-VPN tunnel function. [SwitchC] vlan-vpn tunnel # Add GigabitEthernet 1/0/1 to VLAN 10. [SwitchC] vlan 10 [SwitchC-Vlan10] port GigabitEthernet1/0/1 [SwitchC-Vlan10] quit # Disable STP on GigabitEthernet 1/0/1 and then enable the VLAN VPN function on it. [SwitchC] interface GigabitEthernet1/0/1 [SwitchC-G[...]

  • Page 221

    i Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x [...]

  • Page 222

    1-1 1 802.1x Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access[...]

  • Page 223

    1-2 • The authenticator system, residing at the other end of the LAN segment link, is the entity that authenticates the connected supplicant system. The authenticator system is usually an 802.1x-supported network device. It provides ports (physical or logical) for the supplicant system to access the LAN. • The authentication server system i[...]

  • Page 224

    1-3 The Mechanism of an 802.1x Authentication System IEEE 802.1x authentication uses the extensible authentication protocol (EAP) to exchange information between supplicant systems and the authentication servers. To be compatible with 802.1X in a LAN environment, the client program must support the Extensible Authentication Protocol over LAN[...]

  • Page 225

    1-4 03: Indicates that the packet is an EAPoL-key packet, which carries key information. 04: Indicates that the packet is an EAPoL-encapsulated-ASF-Alert packet, which is used to support the alerting messages of ASF (alerting standards forum). • The Length field indicates the size of the Packet body field. A value of 0 indicates that the[...]

  • Page 226

    1-5 Fields added for EAP authentication Two fields, EAP-message and Message-authenticator, are added to a RADIUS protocol packet for EAP authentication. (Refer to the Introduction to RADIUS protocol section in the AAA Operation Manual for information about the format of a RADIUS protocol packet.) The EAP-message field, whose format is shown [...]

  • Page 227

    1-6 • EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication between the client and the authentication server. EAP-TTLS transmits messages using a tunnel established using TLS. • PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems. F[...]

  • Page 228

    1-7 password using a randomly-generated key, and sends the key to the device through a RADIUS access-challenge packet. The device then sends the key to the iNode client. • Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the device, the client program encrypts the password of the supplicant system with t[...]

  • Page 229

    1-8 Figure 1-9 802.1x authentication procedure (in EAP terminating mode) [...]

  • Page 230

    1-9 • RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the device sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out. • Supplicant system timer (supp-timeout). Th[...]

  • Page 231

    1-10 This function needs the cooperation of an iNode client and an iMC server. • The iNode client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. • The iMC server is configured to disable the use of multiple network adapters, proxies, or IE proxies. By default, an iNode client program allows use of multiple ne[...]

  • Page 232

    1-11 Refer to the AAA Operation Manual for detailed information about the dynamic VLAN delivery function. Enabling 802.1x re-authentication 802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have passed authentication. With 802.1x re-authentication enabled, the device can monitor the connection sta[...]

  • Page 233

    1-12 Figure 1-11 802.1x configuration • An 802.1x user uses the domain name to associate with the ISP domain configured on the device. • Configure the AAA schem[...]

  • Page 234

    1-13 To do… Use the command… Remarks In system view dot1x [ interface interface-list ] interface interface-type interface-number dot1x Enable 802.1x for specified ports In port view quit Required By default, 802.1x is disabled on all ports. Set port authorization mode for specified ports dot1x port-control { authorized-force | unauthorized-fo[...]

  • Page 235

    1-14 • 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. • If you enable 802.1x for a port, you cannot set the maximum number of MAC addresses that can be learnt for the port. Meanwhile, if you set the maximum number of MAC addresses that can be learnt for a port, it is prohibited to enable 802[...]

  • Page 236

    1-15 To do… Use the command… Remarks Set 802.1x timers dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value } Optional The settings of 802.1x timers are as follows. • handshake[...]

  • Page 237

    1-16 To do… Use the command… Remarks In system view dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] interface interface-type interface-number dot1x supp-proxy-check { logoff | trap } Enable proxy checking for a port/specified ports In port view quit Required By default, the 802.1x proxy checking is disabled on a port. • [...]

  • Page 238

    1-17 As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed. Enabling DHCP-triggered Authentic[...]

  • Page 239

    1-18 Configuring 802.1x Re-Authentication Follow these steps to enable 802.1x re-authentication: To do… Use the command… Remarks Enter system view system-view — Enable 802.1x globally dot1x Required By default, 802.1x is disabled globally. In system view dot1x [ interface interface-list ] Enable 802.1x for specified ports In port view d[...]

  • Page 240

    1-19 Follow these steps to configure the re-authentication interval: To do… Use the command… Remarks Enter system view system-view — Configure a re-authentication interval dot1x timer reauth-period reauth-period-value Optional By default, the re-authentication interval is 3,600 seconds. Displaying and Maintaining 802.1x To do… Use the c[...]

  • Page 241

    1-20 Figure 1-12 Network diagram for AAA configuration with 802.1x and RADIUS enabled Configuration procedure The following configuration covers the major AAA/RADIUS configuration commands. Refer to the AAA Operation Manual for information about these commands. Configuration on the client and the RADIUS servers is omitted. # Enable 802.1x globall[...]

  • Page 242

    1-21 [device-radius-radius1] key accounting money # Set the interval and the number of retries for the switch to send packets to the RADIUS servers. [device-radius-radius1] timer 5 [device-radius-radius1] retry 5 # Set the timer for the switch to send real-time accounting packets to the RADIUS servers. [device-radius-radius1] timer realti[...]

  • Page 243

    2-1 2 Quick EAD Deployment Configuration Introduction to Quick EAD Deployment Quick EAD Deployment Overview As an integrated solution, an endpoint admission defense (EAD) solution can improve the overall defense power of a network. In real applications, however, deploying EAD clients proves to be time-consuming and inconvenient. The device ena[...]

  • Page 244

    2-2 Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do… Use the command… Remarks Enter system view system-view — Configure the URL for HTTP redirection dot1x url url-string Required Configur[...]

  • Page 245

    2-3 Follow these steps to configure the ACL timer: To do… Use the command… Remarks Enter system view system-view — Set the ACL timer dot1x timer acl-timeout acl-timeout-value Required By default, the ACL timeout period is 30 minutes. Displaying and Maintaining Quick EAD Deployment To do… Use the command… Remarks Display configuration i[...]

  • Page 246

    2-4 Configuration procedure Before enabling quick EAD deployment, make sure that: • The Web server is configured properly. • The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs. # Configure the URL for HTTP redirection. <d[...]

  • Page 247

    3-1 3 System-Guard Configuration System-Guard Overview First, you must determine whether the CPU is under attack in order to implement system guard for the CPU. You should not determine whether the CPU is under attack just according to whether congestion occurs in a queue. Instead, you must do that in the following ways: • According to the number[...]

  • Page 248

    3-2 Displaying and Maintaining System-Guard To do… Use the command… Remarks Display the record of detected attacks display system-guard attack-record Available in any view Display the state of the system-guard feature display system-guard state Available in any view[...]

  • Page 249

    i Table of Contents 1 AAA Overview 1-1 Introduction to AAA [...]

  • Page 250

    ii Troubleshooting AAA 2-30 Troubleshooting RADIUS Configuration [...]

  • Page 251

    1-1 1 AAA Overview The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to AAA AAA is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to impleme[...]

  • Page 252

    1-2 • Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device. • RADIUS authorization: Users are authorized after they pass RADIUS authentication. In RADIUS protocol, authentication and authorization are combined together, and authorization cannot be performed alone wi[...]

  • Page 253

    1-3 • The RADIUS server receives user connection requests, authenticates users, and returns all required information to the device. Generally, a RADIUS server maintains the following three databases (see Figure 1-1): • Users: This database stores information about users (such as user name, password, protocol adopted and IP address). •[...]

  • Page 254

    1-4 2) The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server. 3) The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADIUS server sends back to the RADIUS client an au[...]

  • Page 255

    1-5 Code Message type Message description 3 Access-Reject Direction: server->client. The server transmits this message to the client if any attribute value carried in the Access-Request message is unacceptable (that is, the user fails the authentication). 4 Accounting-Request Direction: client->server. The client transmits this message t[...]

  • Page 256

    1-6 Type field value Attribute type Type field value Attribute type 8 Framed-IP-Address 30 Called-Station-Id 9 Framed-IP-Netmask 31 Calling-Station-Id 10 Framed-Routing 32 NAS-Identifier 11 Filter-ID 33 Proxy-State 12 Framed-MTU 34 Login-LAT-Service 13 Framed-Compression 35 Login-LAT-Node 14 Login-IP-Host 36 Login-LAT-Group 15 Login-Service 37 Fra[...]

  • Page 257

    1-7 Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS. Table 1-3 Differences between HWTACACS and RADIUS HWTACACS RADIUS Adopts TCP, providing more reliable network transmission. Adopts[...]

  • Page 258

    1-8 Figure 1-6 AAA implementation procedure for a telnet user (figure labels: TACACS server, User, TACACS client; Requests to log in, Authentication start request, Authentication response requesting username, Requests username, Enters username, Authentication continuous message carrying username, Authentication respons[...]

  • Page 259

    1-9 9) After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the device to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start req[...]

  • Page 260

    2-1 2 AAA Configuration AAA Configuration Task List Configuration Introduction You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure a combined AAA scheme for an ISP domain: Task R[...]

  • Page 261

    2-2 Task Remarks Creating an ISP Domain and Configuring Its Attributes Required Configuring separate AAA schemes Required Configuring an AAA Scheme for an ISP Domain Required • With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. • You need to configure RADIUS or HWTACACS before performing [...]

  • Page 262

    2-3 To do… Use the command… Remarks Set the accounting-optional switch accounting optional Optional By default, the accounting-optional switch is off. Set the messenger function messenger time { enable limit interval | disable } Optional By default, the messenger function is disabled. Set the self-service server location function self-service-u[...]

  • Page 263

    2-4 this way, you cannot specify different schemes for authentication, authorization and accounting respectively. Follow these steps to configure a combined AAA scheme: To do… Use the command… Remarks Enter system view system-view — Create an ISP domain and enter its view, or enter the view of an existing ISP domain domain isp-name R[...]

  • Page 264

    2-5 You can use an arbitrary combination of the above implementations for your AAA scheme configuration. 2) For FTP users Only authentication is supported for FTP users. Authentication: RADIUS, local, or HWTACACS. Follow these steps to configure separate AAA schemes: To do… Use the command… Remarks Enter system view system-view — Cre[...]

  • Page 265

    2-6 upon receiving an integer ID assigned by the RADIUS authentication server, the device adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the device first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN. • String: If the RADIUS authentication server ass[...]

  • Page 266

    2-7 Follow these steps to configure the attributes of a local user: To do… Use the command… Remarks Enter system view system-view — Set the password display mode of all local users local-user password-display-mode { cipher-force | auto } Optional By default, the password display mode of all access users is auto, indicating the passwords[...]

  • Page 267

    2-8 • The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. • After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using [...]

  • Page 268

    2-9 Complete the following tasks to configure RADIUS for the device functioning as a RADIUS client: Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication/Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of [...]

  • Page 269

    2-10 secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for e[...]

  • Page 270

    2-11 To do… Use the command… Remarks Enter system view system-view — Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme named "system" has already been created in the system. Set the IP address and port number of the primary RADIUS authentication/authorization server [...]

  • Page 271

    2-12 To do… Use the command… Remarks Set the IP address and port number of the secondary RADIUS accounting server secondary accounting ip-address [ port-number ] Optional By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme. Enable stop-accounting request buf[...]

  • Page 272

    2-13 received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key. Follow these steps to configure shared keys for RADIUS messages: To do… Use the command… Remarks Enter system view system-view — Create a RADIUS scheme and ent[...]

  • Page 273

    2-14 To do… Use the command… Remarks Enter system view system-view — Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme named "system" has already been created in the system. Configure the type of RADIUS servers to be supported server-type { extended | standard } Opt[...]

  • Page 274

    2-15 To do… Use the command… Remarks Set the status of the primary RADIUS authentication/authorization server state primary authentication { block | active } Set the status of the primary RADIUS accounting server state primary accounting { block | active } Set the status of the secondary RADIUS authentication/authorization server state secon[...]

  • Page 275

    2-16 • Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the user names that carry ISP domain names. In th[...]

  • Page 276

    2-17 • If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this device. • The message encryption key set by the local-server nas-i[...]

  • Page 277

    2-18 To do… Use the command… Remarks Set the response timeout time of RADIUS servers timer response-timeout seconds Optional By default, the response timeout time of RADIUS servers is three seconds. Set the time that the device waits before it tries to re-communicate with the primary server and restore the status of the primary server to active tim[...]

  • Page 278

    2-19 online when the user re-logs into the switching engine before the iMC performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the iMC administrator manually removes the user's online information. The user re-authentication at restart function is design[...]

  • Page 279

    2-20 Task Remarks Creating a HWTACACS Scheme Required Configuring TACACS Authentication Servers Required Configuring TACACS Authorization Servers Required Configuring TACACS Accounting Servers Optional Configuring Shared Keys for RADIUS Messages Optional Configuring the Attributes of Data to be Sent to TACACS Servers Optional Configuring the TA[...]

  • Page 280

    2-21 To do… Use the command… Remarks Set the IP address and port number of the primary TACACS authentication server primary authentication ip-address [ port ] Required By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0. Set the IP address and port number of the secondary TACACS authentication se[...]

  • Page 281

    2-22 • You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. • You can remove a server only when it is not used by any active TCP connection for sending authorization messages. Configuring TACACS Accounting Servers Follow t[...]

  • Page 282

    2-23 The TACACS client and server adopt the MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties[...]

  • Page 283

    2-24 Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name. If the TACACS server does not accept the user names that carry ISP domain names, it is necessary to remove domain names from user names before they are sent to TA[...]

  • Page 284

    2-25 Displaying and Maintaining AAA Displaying and maintaining AAA information To do… Use the command… Remarks Display configuration information about one specific or all ISP domains display domain [ isp-name ] Display information about user connections display connection [ access-type { dot1x | mac-authentication } | domain isp-name | inter[...]

  • Page 285

    2-26 Displaying and maintaining HWTACACS protocol information To do… Use the command… Remarks Display the configuration or statistic information about one specific or all HWTACACS schemes display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] Display buffered non-response stop-accounting requests display stop-accounting-buffer hwtacacs-sch[...]

  • Page 286

    2-27 Figure 2-1 Remote RADIUS authentication of Telnet users (figure labels: Internet, Telnet user, Authentication server 10.110.91.164) Configuration procedure # Enter system view. <device> system-view # Adopt AAA authentication for Telnet users. [device] user-interface vty 0 4 [device-ui-vty0-4] authentication-mode scheme [device-ui-vty0-4] q[...]

  • Page 287

    2-28 Local Authentication of FTP/Telnet Users The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as an example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 2-2, you are req[...]

  • Page 288

    2-29 • Change the server IP address and the UDP port number of the authentication server to 127.0.0.1 and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users • Enable the local RADIUS server function, set the IP address and shared key for the network access ser[...]

  • Page 289

    2-30 Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the device and the RADIUS server of the ISP exchange user information with each other. Symptom 1: User authentication/authorization always fails. Possible reasons and sol[...]

  • Page 290

    3-1 3 EAD Configuration Introduction to EAD Endpoint admission defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints[...]

  • Page 291

    3-2 After the client is patched and compliant with the required security standard, the security policy server reissues an ACL to the device, which then assigns access rights to the client so that the client can access more network resources. EAD Configuration The EAD configuration includes: • Configuring the attributes of access users (such[...]

  • Page 292

    3-3 Figure 3-2 EAD configuration (figure labels: GE 1/0/1, Internet, User, Security Policy Servers 10.110.91.166, Virus Patch Servers 10.110.91.168, Authentication Servers 10.110.91.164) Configuration procedure # Configure 802.1x on the device. Refer to the section "Configuring 802.1x" of 802.1x Configuration. # Config[...]

  • Page 293

    i Table of Contents 1 MAC Authentication Configuration ····· 1-1 MAC Authentication Overview ·····[...]

  • Page 294

    1-1 1 MAC Authentication Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. MAC Authentication Overview MAC authentication provides a way for authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hos[...]

  • Page 295

    1-2 included depending on the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. • If the username type is fixed username, you need to configure the fixed username and password on the device, which are used by the device to authenticate all users. The s[...]

  • Page 296

    1-3 To do… Use the command… Remarks In system view mac-authentication interface interface-list interface interface-type interface-number mac-authentication Enable MAC authentication for the specified port(s) or the current port In interface view quit Use either method Disabled by default Set the username in MAC address mode for MAC authentica[...]

  • Page 297

    1-4 MAC Address Authentication Enhanced Function Configuration MAC Address Authentication Enhanced Function Configuration Tasks Complete the following tasks to configure the MAC address authentication enhanced function: Task Remarks Configuring a Guest VLAN Optional Configuring the Maximum Number of MAC Address Authentication Users Allowed to Acc[...]

  • Page 298

    1-5 • Guest VLANs are implemented in the mode of adding a port to a VLAN. For example, when multiple users are connected to a port, if the first user fails in the authentication, the other users can access only the contents of the Guest VLAN. The device will re-authenticate only the first user accessing this port, and the other users cannot b[...]

  • Page 299

    1-6 • If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. • When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect. [...]

  • Page 300

    1-7 • If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port S[...]

  • Page 301

    1-8 # Add a local user. • Specify the username and password. [device] local-user 00-0d-88-f6-44-c1 [device-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1 • Set the service type to “lan-access”. [device-luser-00-0d-88-f6-44-c1] service-type lan-access [device-luser-00-0d-88-f6-44-c1] quit # Add an ISP domain named aabbcc.net. [devic[...]

  • Page 302

    i Table of Contents 1 IP Addressing Configuration ····· 1-1 IP Addressing Overview ·····[...]

  • Page 303

    1-1 • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. 1 IP Addressing Configuration IP Addressing Overview IP Address Classes IP [...]

  • Page 304

    1-2 Table 1-1 IP address classes and ranges Class Address range Remarks A 0.0.0.0 to 127.255.255.255 Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Pack[...]

  • Page 305

    1-3 adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host. In the absence of subnetting, some special addresses such as the addresses with the net ID of all zeros and the addresses with the host ID of all on[...]

  • Page 306

    1-4 • You can assign at most two IP addresses to an interface, among which one is the primary IP address and the other is the secondary IP address. A newly specified primary IP address overwrites the previous one if there is any. • The primary and secondary IP addresses of an interface cannot reside on the same network segment; the IP address of a VL[...]

  • Page 307

    1-5 IP Address Configuration Example II Network requirements As shown in Figure 1-4, VLAN-interface 1 on Switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through Switch, and the hosts on the LAN can communicate wi[...]

  • Page 308

    1-6 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/26/27 ms The output information shows that Switch can communicate with the hosts on the subnet 172.16.1.0/24. # Ping a host on the subnet 172.16.2.0/24 from Switch to check the connectivity. <Switch> ping 172.16.2.2 PING 172.16.2.2: 56 data byt[...]

  • Page 309

    2-1 2 IP Performance Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to adjust the IP parameters to achieve the best network performance. The IP performance configuration supported by the device includes: • Configuring TCP attributes • Disabling sending of ICMP error packe[...]

  • Page 310

    2-2 To do… Use the command… Remarks Enter system view system-view — Configure TCP synwait timer’s timeout value tcp timer syn-timeout time-value Optional By default, the timeout value is 75 seconds. Configure TCP finwait timer’s timeout value tcp timer fin-timeout time-value Optional By default, the timeout value is 675 seconds. Confi[...]

  • Page 311

    2-3 Displaying and Maintaining IP Performance Configuration To do… Use the command… Remarks Display TCP connection status display tcp status Display TCP connection statistics display tcp statistics Display UDP traffic statistics display udp statistics Display IP traffic statistics display ip statistics Display ICMP traffic statistics display [...]

  • Page 312

    i Table of Contents 1 DHCP Overview ····· 1-1 Introduction to DHCP ·····[...]

  • Page 313

    1-1 • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. 1 DHCP Overview Introduction to DHCP With networks getting larger in size a[...]

  • Page 314

    1-2 • Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server. Then the DHCP server assigns these fixed IP addresses to the clients. • Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently[...]

  • Page 315

    1-3 Updating IP Address Lease After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address keeps valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must update the IP lease. By default, a DHCP cl[...]

  • Page 316

    1-4 • siaddr: IP address of the DHCP server. • giaddr: IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet. • chaddr: Hardware address of the DHCP client. • sname: Name of the DHCP server. • file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. • o[...]

  • Page 317

    2-1 2 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: • Introduction to DHCP Relay Agent • Configuring the DHCP Relay Agent • Displaying and Maintaining DHCP Relay Agent Configuration • DHCP Relay Agent Configuration Example • Troubleshooting DHCP Relay Agent C[...]

  • Page 318

    2-2 Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent. For the i[...]

  • Page 319

    2-3 Figure 2-2 Padding contents for sub-option 1 of Option 82 Figure 2-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHC[...]

  • Page 320

    2-4 Configuring the DHCP Relay Agent If a device belongs to an IRF fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent: Task Remarks Correlating a DHCP Server Group with a Relay Agent Interf[...]

  • Page 321

    2-5 To improve security and avoid malicious attacks on the unused SOCKETs, the device provides the following functions: • UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled. • UDP 67 and UDP 68 ports are disabled when DHCP is disabled. The corresponding implementation is as follows: • When a VLAN interface is mapped to [...]

  • Page 322

    2-6 To do… Use the command… Remarks Enter system view system-view — Create a static IP-to-MAC binding dhcp-security static ip-address mac-address Optional Not created by default. Enter interface view interface interface-type interface-number — Enable the address checking function address-check enable Required Disabled by default. • The[...]

  • Page 323

    2-7 To do… Use the command… Remarks Set the interval at which the DHCP relay agent dynamically updates the client address entries dhcp-security tracker { interval | auto } Optional By default, auto is adopted, that is, the interval is automatically calculated. Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server[...]

  • Page 324

    2-8 To do… Use the command… Remarks Enter system view system-view — Enable Option 82 support on the DHCP relay agent dhcp relay information enable Required Disabled by default. Configure the strategy for the DHCP relay agent to process request packets containing Option 82 dhcp relay information strategy { drop | keep | replace } Optional [...]

  • Page 325

    2-9 Figure 2-4 Network diagram for DHCP relay agent Configuration procedure # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it. <SwitchA> system-view [SwitchA] dhcp-server 1 ip 10.1.1.1 # Map VLAN-interface 1 to DHCP server group 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] dhcp-server 1 • You [...]

  • Page 326

    2-10 • Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. • Check if a reachable route is configured between the DHCP relay agent and the DHCP server. • Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network se[...]

  • Page 327

    3-1 3 DHCP Snooping Configuration After DHCP snooping is enabled on a device, clients connected with the device cannot obtain IP addresses dynamically through BOOTP. DHCP Snooping Overview Function of DHCP Snooping For security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the correspondi[...]

  • Page 328

    3-2 Figure 3-1 Typical network diagram for DHCP snooping application (figure labels: DHCP Client, Switch A (DHCP Snooping), DHCP Client, DHCP Client, DHCP Client, Switch B (DHCP Relay), Internet, GE1/0/2, GE1/0/1, DHCP Server) DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHC[...]

  • Page 329

    3-3 contents). That is, the circuit ID or remote ID sub-option defines the type and length of a circuit ID or remote ID. The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to “0” in the case of HEX format and to “1” in the case of ASCII format. Figure 3-2 Extended format of t[...]

  • Page 330

    3-4 Table 3-1 Ways of handling a DHCP packet with Option 82 Handling policy Sub-option configuration The DHCP snooping device will… Drop — Drop the packet. Keep — Forward the packet without changing Option 82. Neither of the two sub-options is configured Forward the packet after replacing the original Option 82 with the default content. The[...]

  • Page 331

    3-5 • The resources on the server are exhausted, so the server does not respond to other requests. • After receiving such type of packets, a device needs to send them to the CPU for processing. Too many request packets cause a high CPU usage rate. As a result, the CPU cannot work normally. The device can filter invalid IP packets through th[...]

  • Page 332

    3-6 To do… Use the command… Remarks Specify the current port as a trusted port dhcp-snooping trust Required By default, after DHCP snooping is enabled, all ports of a device are untrusted ports. • You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The tru[...]

  • Page 333

    3-7 To do… Use the command… Remarks Enter system view system-view — Enable DHCP-snooping Option 82 support dhcp-snooping information enable Required By default, DHCP snooping Option 82 support is disabled. Configure a handling policy for DHCP packets with Option 82 Follow these steps to configure a handling policy for DHCP packets with O[...]

  • Page 334

    3-8 The dhcp-snooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the format of the sub-option is ASCII, instead of the one specified with the dhcp-snooping information format command. Configure the circuit ID sub-option Follow these steps t[...]

  • Page 335

    3-9 To do… Use the command… Remarks Enter system view system-view — Configure the remote ID sub-option in system view dhcp-snooping information remote-id { sysname | string string } Optional By default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the DHCP client’s request. Enter Ethernet por[...]

  • Page 336

    3-10 To do… Use the command… Remarks Enable IP filtering ip check source ip-address [ mac-address ] Required By default, this function is disabled. Create an IP static binding entry ip source static binding ip-address ip-address [ mac-address mac-address ] Optional By default, no static binding entry is created. • Enable DHCP snooping and spec[...]

  • Page 337

    3-11 Configuration procedure # Enable DHCP sn ooping on Switch. <Switch> system-view [Switch] dhcp-snooping # S pecify Gig abitEthern et 1/0/5 as the trusted port. [Switch] interface gigabitethernet 1/0/5 [Switch-GigabitEthernet1/0/5] dhcp-snooping trust [Switch-GigabitEthernet1/0/5] quit # Enable DHCP-snooping Option 82 su ppo rt. [Switch] d[...]

  • Page 338

    3-12 Figure 3-7 Network diagram for IP filtering configuration (labels: Switch, DHCP Snooping; GE1/0/2; Client C; GE1/0/1; DHCP Server; Client B; Host A IP: 1.1.1.1 MAC: 0001-0001-0001; GE1/0/3; GE1/0/4) Configuration procedure # Enable DHCP snooping on Switch. <Switch> system-view [Switch] dhcp-snooping # Specify GigabitE[...]

  • Page 339

    3-13 Displaying and Maintaining DHCP Snooping Configuration To do… Use the command… Remarks Display the user IP-MAC address mapping entries recorded by the DHCP snooping function display dhcp-snooping [ unit unit-id ] Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports display dhcp-snooping trust Display th[...]

  • Page 340

    4-1 4 DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management. Refer to Obtaining IP Addresses Dynamically for the process of how a DHCP c[...]

  • Page 341

    4-2 To do… Use the command… Remarks Configure the VLAN interface to obtain IP address through DHCP or BOOTP ip address { bootp-alloc | dhcp-alloc } Required By default, no IP address is configured for the VLAN interface. Currently, the device operating as a DHCP client can use an IP address for no more than 24 days; that is, it can obtain [...]

  • Page 342

    4-3 Displaying and Maintaining DHCP/BOOTP Client Configuration To do… Use the command… Remarks Display related information on a DHCP client display dhcp client [ verbose ] Display related information on a BOOTP client display bootp client [ interface vlan-interface vlan-id ] Available in any view[...]

  • Page 343

    i Table of Contents 1 ACL Configuration ·········· 1-1 ACL Overview ·········[...]

  • Page 344

    1-1 1 ACL Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. ACL Overview As the network scale and network traffic are increasi[...]

  • Page 345

    1-2 • auto: where rules in an ACL are matched in the order determined by the system, namely the "depth-first" rule. For depth-first rule, there are two cases: Depth-first match order for rules of a basic ACL 1) Range of source IP address: The smaller the source IP address range (that is, the more the number of zeros in the wildcard mask),[...]

  • Page 346

    1-3 When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and define the match order. An ACL can be referenced by upper-layer software: • Referenced by routing policies • Used to control Telnet[...]

  • Page 347

    1-4 Configuration Procedure Follow these steps to configure a time range: To do… Use the command… Remarks Enter system view system-view — Create a time range time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to en[...]

  • Page 348

    1-5 Configuring Basic ACL A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999. Configuration Prerequisites • To configure a time range-based basic ACL rule, you need to create the corresponding time range first. For information about time range configuration, refer to Configuring Time [...]

  • Page 349

    1-6 rule 0 deny source 192.168.0.1 0 Configuring Advanced ACL An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message type and message code. An advanced ACL can be numbered from 3000 to 3999. Note[...]
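The basic ACL syntax above (rule [id] permit|deny source address wildcard, numbers 2000 to 2999, a wildcard of 0 meaning one host) and the depth-first match order from the ACL overview, as an added example that is not the device's or the manual's own code. It implements only the first depth-first criterion the text states (fewer one bits in the wildcard, i.e. a smaller source range, is tried first); keeping entry order for equal ranges, the automatic rule numbering, and the rule lines themselves are constructed assumptions.

```python
"""Basic ACL matcher with 'config' (as entered) and 'auto' (depth-first) match
orders. Added example, not the device's code; rule lines are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[int, str, int, int]   # (rule id, action, source address, wildcard)


def parse_rule(line: str, existing: List[Rule]) -> Rule:
    """Parse 'rule [id] permit|deny source A.B.C.D WILDCARD' into a Rule tuple."""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    i = 1
    rule_id: Optional[int] = None
    if tok[i].isdigit():                       # explicit rule-id argument
        rule_id, i = int(tok[i]), i + 1
    action = tok[i]
    if action not in ("permit", "deny") or tok[i + 1] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    addr = int(ipaddress.IPv4Address(tok[i + 2]))
    wild_txt = tok[i + 3]
    # the manual writes a single host as 'source 192.168.0.1 0' (wildcard 0.0.0.0)
    wildcard = 0 if wild_txt == "0" else int(ipaddress.IPv4Address(wild_txt))
    if rule_id is None:                        # automatic numbering (assumed: 0, then max+1)
        rule_id = 0 if not existing else max(r[0] for r in existing) + 1
    return rule_id, action, addr, wildcard


class BasicAcl:
    def __init__(self, number: int, lines: List[str], order: str = "config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000 to 2999")
        if order not in ("config", "auto"):
            raise ValueError("order must be 'config' or 'auto'")
        self.number, self.order = number, order
        self.rules: List[Rule] = []
        for line in lines:
            self.rules.append(parse_rule(line, self.rules))
        if order == "auto":
            # depth-first: fewer one bits in the wildcard = more zeros = smaller
            # source range = matched first; sort is stable, so equal ranges keep
            # the order in which they were entered (assumption)
            self.rules.sort(key=lambda r: bin(r[3]).count("1"))

    def match(self, src_ip: str) -> Optional[Tuple[int, str]]:
        """First matching rule as (rule id, action); None when nothing matches."""
        ip = int(ipaddress.IPv4Address(src_ip))
        for rule_id, action, addr, wildcard in self.rules:
            care = ~wildcard & 0xFFFFFFFF      # zero bits of the wildcard are compared
            if ip & care == addr & care:
                return rule_id, action
        return None


# constructed rules: a /24 permit entered first, then a single-host deny
RULES = ["rule permit source 10.1.1.0 0.0.0.255", "rule deny source 10.1.1.5 0"]


def classify(src_ip: str, order: str) -> Optional[Tuple[int, str]]:
    """Match src_ip against the constructed ACL 2000 in the given match order."""
    return BasicAcl(2000, RULES, order).match(src_ip)


if __name__ == "__main__":
    for ip in ("10.1.1.5", "10.1.1.7", "192.168.0.1"):
        print(ip, "config:", classify(ip, "config"), "auto:", classify(ip, "auto"))
```

In config order the /24 permit shadows the host deny; in auto order the narrower host rule is tried first, which is the difference the overview's depth-first rule is meant to remove.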

  • Page 350

    1-7 • If the ACL is created with the auto keyword specified, the newly created rules will be inserted in the existent ones by depth-first principle, but the numbers of the existent rules are unaltered. Configuration Example # Configure ACL 3000 to permit the TCP packets sourced from the network 129.9.0.0/16 and destined for the network 202.3[...]

  • Page 351

    1-8 Note that: • You can modify any existent rule of the Layer 2 ACL and the unmodified part of the ACL remains. • If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, it is the maximum rule number plus one. • The content of a m[...]

  • Page 352

    1-9 • ACLs assigned globally take precedence over those that are assigned to VLANs. That is, when a packet matches a rule of a globally assigned ACL and a rule of an ACL assigned to a VLAN, the device will perform the action defined in the rule of the globally assigned ACL if the actions defined in the two rules conflict. • When a packet ma[...]

  • Page 353

    1-10 To do… Use the command… Remarks Enter system view system-view — Apply an ACL to a VLAN packet-filter vlan vlan-id inbound acl-rule Required For description on the acl-rule argument, refer to ACL Command. Configuration example # Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports. <device> syste[...]

  • Page 354

    1-11 Assigning an ACL to a Port Configuration prerequisites Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL. Configuration procedure Follow these steps to apply an ACL to a port: To do… Use th[...]

  • Page 355

    1-12 Examples for Upper-layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements As shown in Figure 1-1, apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switching engine. Figure 1-1 Network diagram for controlling Telnet login users by source IP Swit[...]

  • Page 356

    1-13 Configuration procedure # Define ACL 2001. <device> system-view [device] acl number 2001 [device-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [device-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server. [device] ip http acl 2001 Examples for Applying ACLs to Hardware Basic ACL Configuratio[...]

  • Page 357

    1-14 GigabitEthernet 1/0/1 of Switch. Apply an ACL to deny requests from the R&D department and destined for the wage server during the working hours (8:00 to 18:00). Figure 1-4 Network diagram for advanced ACL configuration (labels: GEth 1/0/1; The R&D Department; Switch; To the router; Wage query server 192.168.1.2; GEth 1/0/[...]

  • Page 358

    1-15 <device> system-view [device] time-range test 8:00 to 18:00 daily # Define ACL 4000 to filter packets with the source MAC address of 000f-e20f-0101 and the destination MAC address of 000f-e20f-0303. [device] acl number 4000 [device-acl-ethernetframe-4000] rule 1 deny source 000f-e20f-0101 ffff-ffff-ffff dest 000f-e20f-0303 ffff-ffff-f[...]

  • Page 359

    1-16 # Apply ACL 3000 to VLAN 10. [device] packet-filter vlan 10 inbound ip-group 3000[...]

  • Page 360

    i Table of Contents 1 QoS Configuration ·········· 1-1 Overview ·········[...]

  • Page 361

    ii Applying a QoS Profile ·········· 2-2 Displaying and Maintaining QoS Profile ·········[...]

  • Page 362

    1-1 1 QoS Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Overview Introduction to QoS Quality of service (QoS) is a [...]

  • Page 363

    1-2 Video-on-Demand (VoD). Enterprise users expect to connect their regional branches together using VPN techniques for coping with daily business, for instance, accessing databases or managing remote equipment through Telnet. All these new applications have one thing in common, that is, they have special requirements for bandwidth, del[...]

  • Page 364

    1-3 information carried in packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number. It can also be simply a network segment. Precedence I[...]

  • Page 365

    1-4 • Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses; • Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit. Current IP network traffic belongs to this class by default. Table 1-2 Des[...]

  • Page 366

    1-5 As shown in the figure above, each host supporting 802.1Q protocol adds a 4-byte 802.1Q tag header after the source address of the former Ethernet frame header when sending packets. The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control infor[...]

  • Page 367

    1-6 The device does not support marking drop precedence for packets. A device can operate in one of the following two priority trust modes when assigning precedence to received packets: • Packet priority trusted mode • Port priority trusted mode In terms of priority trust mode, the priority mapping process is shown in Figure 1-4. Figure 1-4 A[...]

  • Page 368

    1-7 The devices provide COS-precedence-to-other-precedence, DSCP-precedence-to-other-precedence, and DSCP-precedence-to-DSCP-precedence mapping tables for priority mapping. Table 1-4 through Table 1-6 list the default settings of these tables. Table 1-4 The default COS-precedence-to-other-precedence mapping table of the devices 802.1p p[...]

  • Page 369

    1-8 Protocol Priority Protocol packets carry their own priority. You can modify the priority of a protocol packet to implement QoS. Priority Marking The priority marking function is to use ACL rules in traffic classification and reassign the priority for the packets matching the ACL rules. Traffic Policing and Traffic Shaping The network [...]

  • Page 370

    1-9 Evaluating the traffic with the token bucket When token bucket is used for traffic evaluation, the number of the tokens in the token bucket determines the amount of the packets that can be forwarded. If the number of tokens in the bucket is enough to forward the packets, the traffic is conforming to the specification; otherwise, the tra[...]

  • Page 371

    1-10 Figure 1-6 Diagram for traffic shaping (labels: Token bucket; Drop; Packet classification; Packets to be sent through this port; Continue to send; Put tokens in the bucket at the set rate; Queue) For example, if the device A sends packets to the device B. The device B will perform traffic policing on packets fro[...]

  • Page 372

    1-11 1) SP queuing Figure 1-7 Diagram for SP queuing (labels: Packets to be sent through this port; Packet classification; Queue scheduling; Queue 2 weight 2; Queue N-1 weight N-1; Queue N weight N; Sent packets; Sending queue; Interface; ……; Queue 7; Queue 6; Queue 1; Queue 0; High priority; Low priority) SP queue [...]

  • Page 373

    1-12 Figure 1-8 Diagram for WRR queuing (labels: Packets to be sent through this port; Packet classification; Queue scheduling; Queue 2 weight 2; Queue N-1 weight N-1; Queue N weight N; Sent packets; Sending queue; Interface; ……; Queue 1; Queue 2 Weight 2; Queue N-1 Weight N-1; Queue N Weight N; Weight 1) WRR queue[...]

  • Page 374

    1-13 Table 1-7 Queue-scheduling sequence of SDWRR
    Scheduling algorithm | Queue-scheduling sequence | Description
    WRR | 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1 | 0 indicates packets in queue0; 1 indicates packets in queue1
    SDWRR | 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0 | (same)
    Flow-based Traffic Accounting The function of flow-based traffic accounting[...]

  • Page 375

    1-14 Task Remarks Enabling the Burst Function Optional Configuring Traffic Mirroring Optional Configuring Priority Trust Mode Refer to Priority Trust Mode for introduction to priority trust mode. Configuration prerequisites • The priority trust mode to be adopted is determined. • The port where priority trust mode is to be configured is determin[...]

  • Page 376

    1-15 Configuration example • Configure to trust port priority on GigabitEthernet 1/0/1 and set the priority of GigabitEthernet 1/0/1 to 7. Configuration procedure: <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] priority 7 • Configure to trust 802.1p precedence on GigabitEthernet 1/0/1. Configuratio[...]

  • Page 377

    1-16 To do… Use the command… Remarks Configure COS-precedence-to-DSCP-precedence mapping table qos cos-dscp-map cos0-map-dscp cos1-map-dscp cos2-map-dscp cos3-map-dscp cos4-map-dscp cos5-map-dscp cos6-map-dscp cos7-map-dscp Required Follow these steps to configure the DSCP-precedence-to-other-precedence mapping table: To do… U[...]

  • Page 378

    1-17 [device] qos dscp-local-precedence-map 8 9 10 11 12 13 14 15 : 3 [device] qos dscp-local-precedence-map 16 17 18 19 20 21 22 23 : 4 [device] qos dscp-local-precedence-map 24 25 26 27 28 29 30 31 : 1 [device] qos dscp-local-precedence-map 32 33 34 35 36 37 38 39 : 7 [device] qos dscp-local-precedence-map 40 41 42 43 44 45 46 47 : 0 [device] qos[...]

  • Page 379

    1-18 37 : 7 38 : 7 39 : 7 40 : 0 41 : 0 42 : 0 43 : 0 44 : 0 45 : 0 46 : 0 47 : 0 48 : 5 49 : 5 50 : 5 51 : 5 52 : 5 53 : 5 54 : 5 55 : 5 56 : 6 57 : 6 58 : 6 59 : 6 60 : 6 61 : 6 62 : 6 63 : 6 Setting the Priority of Protocol Packets Refer to Protocol Priority for information about priority of protocol packets. Configuration prerequisites • The p[...]

  • Page 380

    1-19 Configuration example • Set the IP precedence of ICMP packets to 3. • Display the configuration. Configuration procedure: <device> system-view [device] protocol-priority protocol-type icmp ip-precedence 3 [device] display protocol-priority Protocol: icmp IP-Precedence: flash(3) Marking Packet Priority Refer to Priority Marking for inform[...]

  • Page 381

    1-20 Follow these steps to mark the priority for packets that are of a port group and match specific ACL rules: To do… Use the command… Remarks Enter system view system-view — Enter port group view port-group group-id — Mark the priorities for packets matching specific ACL rules traffic-priority inbound acl-rule { dscp dscp-value | cos[...]

  • Page 382

    1-21 Configuration prerequisites • The ACL rules used for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL rules. • The rate limit for traffic policing, and the actions for the packets exceeding the rate limit are determined. Configuration procedure You can configure traffic polici[...]

  • Page 383

    1-22 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure traffic policing traffic-limit inbound acl-rule target-rate [ conform con-action ] [ exceed exceed-action ] [ meter-statistic ] Required By default, traffic policing is disabled. Clear the [...]

  • Page 384

    1-23 Configuration procedure Follow these steps to configure traffic shaping: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure traffic shaping traffic-shape [ queue queue-id ] max-rate burst-size Required Traffic shaping is not enabled by de[...]

  • Page 385

    1-24 Follow these steps to redirect packets that are of a VLAN and match specific ACL rules: To do… Use the command… Remarks Enter system view system-view — Configure traffic redirecting traffic-redirect vlan vlan-id inbound acl-rule interface interface-type interface-number Required Follow these steps to redirect packets that are o[...]

  • Page 386

    1-25 [device-acl-basic-2000] quit [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] traffic-redirect inbound ip-group 2000 interface GigabitEthernet1/0/7 2) Method II <device> system-view [device] acl number 2000 [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [device-acl-basic-2000] quit [device] traffic-red[...]

  • Page 387

    1-26 Configuration prerequisites The algorithm for queue scheduling to be used and the related parameters are determined. Configuration procedure Follow these steps to configure SP queue scheduling algorithm: To do… Use the command… Remarks Enter system view system-view — Configure SP queue scheduling algorithm undo queue-scheduler [ [...]

  • Page 388

    1-27 Configuration example # Configure a device to adopt SP+SDWRR combination for queue scheduling, assigning queue 3, queue 4, and queue 5 to WRR scheduling group 1, with the weights of 20, 20 and 30; assigning queue 0, queue 1, and queue 2 to WRR scheduling group 2, with the weights 20, 20, and 40; using SP for scheduling queue 6 and queue 7.[...]

  • Page 389

    1-28 To do… Use the command… Remarks Collect the statistics on the packets matching specific ACL rules traffic-statistic vlan vlan-id inbound acl-rule Required Clear the statistics on the packets matching specific ACL rules reset traffic-statistic vlan vlan-id inbound acl-rule Optional Follow these steps to collect traffic statistics on pac[...]

  • Page 390

    1-29 [device] acl number 2000 [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [device-acl-basic-2000] quit [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] traffic-statistic inbound ip-group 2000 [device-GigabitEthernet1/0/1] reset traffic-statistic inbound ip-group 2000 2) Method II <device> system-view [de[...]

  • Page 391

    1-30 Configuration procedure You can configure traffic mirroring on all the packets matching specific ACL rules, or on packets that match specific ACL rules and are of a VLAN, of a port group, or pass a port. Follow these steps to configure traffic mirroring globally: To do… Use the command… Remarks Enter system view system-view —[...]

  • Page 392

    1-31 Follow these steps to configure traffic mirroring for a port: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view of the destination port interface interface-type interface-number — Define the current port as the destination port monitor-port Required Exit current view quit — Enter Ethernet p[...]

  • Page 393

    1-32 [device] mirrored-to vlan 2 inbound ip-group 2000 monitor-interface Displaying and Maintaining QoS To do… Use the command… Remarks Display the protocol packet priority configuration display protocol-priority Display the COS-precedence-to-Drop-precedence mapping relationship display qos cos-drop-precedence-map Display the COS-precedence-[...]

  • Page 394

    1-33 To do… Use the command… Remarks Display VLAN mapping configuration of a port or all the ports display qos-interface { interface-type interface-number | unit-id } traffic-remark-vlanid Display traffic mirroring configuration of a port or all the ports display qos-interface { interface-type interface-number | unit-id } mirrored-to Display[...]

  • Page 395

    1-34 # Create ACL 2000 and enter basic ACL view to classify packets sourced from the 192.168.1.0/24 network segment. <device> system-view [device] acl number 2000 [device-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [device-acl-basic-2000] quit # Create ACL 2001 and enter basic ACL view to classify packets sourced from the [...]

  • Page 396

    2-1 2 QoS Profile Configuration Overview Introduction to QoS Profile QoS profile is a set of QoS configurations. It provides an easy way for performing and managing QoS configuration. A QoS profile can contain one or multiple QoS functions. In networks where hosts change their positions frequently, you can define QoS policies for the hosts and a[...]

  • Page 397

    2-2 QoS Profile Configuration QoS Profile Configuration Task List Complete the following tasks to configure a QoS profile: Task Remarks Configuring a QoS Profile Required Applying a QoS Profile Optional Applying a QoS Profile Optional Configuring a QoS Profile Configuration prerequisites • The ACL rules used for traffic classification are defin[...]

  • Page 398

    2-3 Configuration procedure Follow these steps to configure to apply a QoS profile dynamically: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure the mode to apply a QoS profile as port-based qos-profile port-based Specify the mode to apply a Q[...]

  • Page 399

    2-4 Configuration Example QoS Profile Configuration Example Network requirements As shown in Figure 2-1, the user name is "someone", and the authentication password is "hello". It is connected to GigabitEthernet 1/0/1 of the switch and belongs to the test.net domain. It is required to configure a QoS profile to limit the rate of all th[...]

  • Page 400

    2-5 # Create the user domain test.net and specify radius1 as your RADIUS server group. [device] domain test.net [device-isp-test.net] radius-scheme radius1 [device-isp-test.net] quit # Create ACL 3000 to permit IP packets destined for any IP address. [device] acl number 3000 [device-acl-adv-3000] rule 1 permit ip destination any [device-acl-adv[...]

  • Page 401

    i Table of Contents 1 Mirroring Configuration ·········· 1-1 Mirroring Overview ·········[...]

  • Page 402

    1-1 1 Mirroring Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Mirroring Overview Mirroring refe[...]

  • Page 403

    1-2 • VLAN-based mirroring: a device copies packets of a specified VLAN to the destination port. Local Port Mirroring In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination[...]

  • Page 404

    1-3 Table 1-1 Ports involved in the mirroring operation Switch Ports involved Function Source port Port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port. Reflector port Receives packets from the source port and broadcasts the packets in the remote-probe VLAN. Source swit[...]

  • Page 405

    1-4 Mirroring Configuration Complete the following tasks to configure mirroring: Task Remarks Configuring Local Port Mirroring Optional Configuring Remote Port Mirroring Optional Configuring MAC-Based Mirroring Optional Configuring VLAN-Based Mirroring Optional Configuring Local Port Mirroring Configuration prerequisites • The source port is [...]

  • Page 406

    1-5 Configuring Remote Port Mirroring The device can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment. Configuration on the device acting as a source switch 1) Configuration prerequisites • The source port, the reflector port, and the remote-probe VLAN are determined. •[...]

  • Page 407

    1-6 When configuring the source switch, note that: • All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port. • The reflector port cannot be a member port of an existing mirroring group, a member port of an aggregation group, or a port enabled with[...]

  • Page 408

    1-7 Follow these steps to configure remote port mirroring on the destination switch: To do… Use the command… Remarks Enter system view system-view — Create a VLAN and enter VLAN view vlan vlan-id vlan-id is the ID of the remote-probe VLAN. Configure the current VLAN as a remote-probe VLAN remote-probe vlan enable Required Return to syst[...]

  • Page 409

    1-8 Configuration prerequisites • The MAC address to be matched is determined. • The destination port is determined. Configuration procedure Follow these steps to configure MAC-based mirroring: To do… Use the command… Remarks Enter system view system-view — Create a local or remote source mirroring group mirroring-group group-id { loc[...]

  • Page 410

    1-9 Configuration procedure Follow these steps to configure VLAN-based mirroring: To do… Use the command… Remarks Enter system view system-view — Create a local or remote source mirroring group mirroring-group group-id { local | remote-source } Required Configuring VLAN-Based Mirroring mirroring-group group-id mirroring-vlan vlan-id in[...]

  • Page 411

    1-10 Use the local port mirroring function to meet the requirement. Perform the following configurations on Switch C. • Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring source ports. • Configure GigabitEthernet 1/0/3 as the mirroring destination port. Figure 1-3 Network diagram for local port mirroring (labels: Switch C; Data[...]

  • Page 412

    1-11 • Department 1 is connected to GigabitEthernet 1/0/1 of Switch A. • Department 2 is connected to GigabitEthernet 1/0/2 of Switch A. • GigabitEthernet 1/0/3 of Switch A connects to GigabitEthernet 1/0/1 of Switch B. • GigabitEthernet 1/0/2 of Switch B connects to GigabitEthernet 1/0/1 of Switch C. • The data detection device is connected[...]

  • Page 413

    1-12 [device] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 inbound [device] mirroring-group 1 reflector-port GigabitEthernet 1/0/4 [device] mirroring-group 1 remote-probe vlan 10 # Configure GigabitEthernet 1/0/3 as trunk port, allowing packets of VLAN 10 to pass. [device] interface GigabitEthernet 1/0/3 [device-Gi[...]

  • Page 414

    1-13 # Configure the destination port and remote-probe VLAN for the remote destination mirroring group. [device] mirroring-group 1 monitor-port GigabitEthernet 1/0/2 [device] mirroring-group 1 remote-probe vlan 10 # Configure GigabitEthernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass. [device] interface GigabitEthernet 1/0/1[...]

  • Page 415

    i Table of Contents 1 ARP Configuration ·········· 1-1 Introduction to ARP ·········[...]

  • Page 416

    1-1 1 ARP Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to ARP ARP Function Address Resolution Protoco[...]

  • Page 417

    1-2 Figure 1-1 ARP message format (fields: Hardware type (16 bits); Protocol type (16 bits); Length of hardware address; Length of protocol address; Operator (16 bits); Hardware address of the sender; IP address of the sender; Hardware address of the receiver; IP address of the receiver) Hardware type (16 bits) Hardware type (16[...]

  • Page 418

    1-3 Value Description 5 Chaos 6 IEEE802.X 7 ARC network ARP Table In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored. The device provides the display arp[...]

  • Page 419

    1-4 mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. 4) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates i[...]

  • Page 420

    1-5 After you enable the ARP attack detection function, the device will check the following items of an ARP packet: the source MAC address, source IP address, port number of the port receiving the ARP packet, and the ID of the VLAN the port resides in. If these items match the entries of the DHCP snooping table or the manually configured IP bindi[...]
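A software model of the check described above, together with the DHCP snooping trusted-port rule from the DHCP snooping chapter (server messages are accepted only on ports marked trusted, and leases seen there populate the binding table the ARP check consults). This is an added example, not the device's or the manual's code; the port names, VLAN ids, MAC and IP addresses, and the scenario in demo() are constructed, and the treatment of ARP trusted ports as unchecked is taken from the configuration example later in this chapter.

```python
"""Model of the DHCP snooping binding table and ARP attack detection.
Added example, not the device's own code; all identifiers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Binding = Tuple[str, str, int]   # (client MAC, port the client sits on, VLAN id)


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str] = field(default_factory=set)        # dhcp-snooping trust
    arp_trusted_ports: Set[str] = field(default_factory=set)    # ARP trusted ports
    bindings: Dict[str, Binding] = field(default_factory=dict)  # IP -> Binding
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # MAC -> (port, vlan)

    def add_static_binding(self, ip: str, mac: str, port: str, vlan: int) -> None:
        """Counterpart of a manually configured 'ip source static binding' entry."""
        self.bindings[ip] = (mac, port, vlan)

    def process_dhcp(self, msg_type: str, port: str, vlan: int,
                     client_mac: str, yiaddr: Optional[str] = None) -> str:
        """Snooping decision for one DHCP message: 'forward' or 'drop'.
        Client messages are remembered so the ACK can be tied to the client's port;
        server messages (OFFER/ACK/NAK) are dropped unless they arrive on a port
        marked trusted, which is why ports toward valid servers must be trusted."""
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = (port, vlan)
            return "forward"
        if msg_type in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted_ports:
                return "drop"                 # server reply on an untrusted port
            if msg_type == "ACK" and yiaddr and client_mac in self.pending:
                cport, cvlan = self.pending.pop(client_mac)
                self.bindings[yiaddr] = (client_mac, cport, cvlan)
            return "forward"
        return "forward"                      # other DHCP types are not inspected here

    def check_arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """ARP attack detection: sender MAC, sender IP, receiving port and VLAN must
        all match one binding entry; ARP trusted ports are exempt from the check."""
        if port in self.arp_trusted_ports:
            return "forward"
        if self.bindings.get(sender_ip) == (sender_mac, port, vlan):
            return "forward"
        return "drop"


def demo() -> Dict[str, str]:
    """Constructed scenario: DHCP server behind GE1/0/1 (trusted), Client A on
    GE1/0/2, and an untrusted GE1/0/3 from which a stray server reply and an ARP
    packet claiming Client A's address arrive."""
    sw = SnoopingSwitch(trusted_ports={"GE1/0/1"}, arp_trusted_ports={"GE1/0/1"})
    out = {}
    out["discover"] = sw.process_dhcp("DISCOVER", "GE1/0/2", 1, "000f-e2aa-0001")
    out["stray_offer"] = sw.process_dhcp("OFFER", "GE1/0/3", 1, "000f-e2aa-0001", "10.1.1.200")
    out["ack"] = sw.process_dhcp("ACK", "GE1/0/1", 1, "000f-e2aa-0001", "10.1.1.5")
    out["arp_client_a"] = sw.check_arp("GE1/0/2", 1, "000f-e2aa-0001", "10.1.1.5")
    out["arp_wrong_port"] = sw.check_arp("GE1/0/3", 1, "000f-e2bb-0002", "10.1.1.5")
    out["arp_unknown_ip"] = sw.check_arp("GE1/0/2", 1, "000f-e2aa-0001", "10.1.1.77")
    sw.add_static_binding("10.1.1.9", "000f-e2cc-0003", "GE1/0/4", 1)
    out["arp_static"] = sw.check_arp("GE1/0/4", 1, "000f-e2cc-0003", "10.1.1.9")
    out["arp_trusted"] = sw.check_arp("GE1/0/1", 1, "000f-e2dd-0004", "10.1.1.1")
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The static binding covers hosts such as Host A in the IP filtering example that never use DHCP; without it, their ARP packets fail the check on every untrusted port.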

  • Page 421

    1-6 To do… Use the command… Remarks Enable the ARP entry checking function (that is, disable the device from learning ARP entries with multicast MAC addresses) arp check enable Optional By default, the ARP entry checking function is enabled. • Static ARP entries are valid as long as the device operates normally. But some operations, such as r[...]

  • Page 422

    1-7 To do… Use the command… Remarks Quit to system view quit — Enter VLAN view vlan vlan-id — Enable ARP restricted forwarding arp restricted-forwarding enable Optional By default, the ARP restricted forwarding function is disabled. The device forwards legal ARP packets through all its ports. • You need to enable DHCP snooping and confi[...]

  • Page 423

    1-8 Displaying and Maintaining ARP To do… Use the command… Remarks Display specific ARP mapping table entries display arp [ static | dynamic | ip-address ] Display the ARP mapping entries related to a specified string in a specified way display arp [ dynamic | static ] | { begin | include | exclude } text Display the number of the ARP entries[...]

  • Page 424

    1-9 Figure 1-4 ARP attack detection configuration (labels: GE1/0/3; Client B; GE1/0/2; Client A; DHCP Server; Switch A, DHCP Snooping; GE1/0/1) Configuration procedure # Enable DHCP snooping on Switch A. <SwitchA> system-view [SwitchA] dhcp-snooping # Specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port and the ARP truste[...]

  • Page 425

    i Table of Contents 1 SNMP Configuration ·········· 1-1 SNMP Overview ·········[...]

  • Page 426

    1-1 1 SNMP Configuration • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. SNMP Overview The simple network management protocol (S[...]

  • Seite 427

    1-2 SNMP NMS and SNMP agent. Comm unity name functions as password. It can limit acce sses made by SNMP NMS to SNMP agent. Y ou can perform the fo llowing community name-related configuration. z Specifying MIB view that a community can access. z Set the permission for a community to access an MIB object to be read-only or read -write. Communities w[...]

  • Seite 428

    1-3 MIB attribute MIB content R elated RFC DHCP MIB QACL MIB MSTP MIB VLAN MIB IPV6 ADDRESS MIB MIRRORGROUP MIB QINQ MIB 802.x MIB HGMP MIB NTP MIB Device management Private MIB Interface management — Configuring Basic SNMP Functions Because the configuration of SNMPv3 is quite di f ferent from that of SNMPv1 and SNMPv2c, their configuration proc[...]

  • Seite 429

    1-4 To do… Use the command… Remarks Direct configura tion Set a community name snmp-agent community { read | write } community-nam e [ acl acl-number | mib-vie w view-name ]* Set an SNMP group snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ writ e-vi ew write-view ] [ noti fy- view notify-view ] [ acl acl-n umber ] Set a comm[...]

  • Seite 430

    1-5 To do… Use the command… Remarks Set an SNMP group snmp-agent group v3 group-name [ authentica tion | privacy ] [ read-view read-view ] [ writ e-vi ew write-view ] [ noti fy- view notify-view ] [ acl acl-num ber ] Required Encrypt a plain-text password to generate a cipher-text one snmp-agent calculate-pass w ord plain-password mode { md5 | [...]

  • Seite 431

    1-6 To do… Use the command… Remarks Enter syst e m view system-vie w — Enable the device to send Trap messages to NMS snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdo wn | linkup | warmstart ]* | system | ] Enter port view or interface view interface interface-type interface-number Enable the por[...]

  • Seite 432

    1-7 Enabling Logging for Network Management Follow these steps to ena b le logging for network managem ent: To do… Use the command… Remarks Enter syst e m view system-vie w — Enable logging for network management snmp-agent log { set-operation | get-operation | all } Optional Disabled by default. Use the display logbuffer command to view the [...]

  • Seite 433

    1-8 z Perform the following configuration on Switch A: setting the community name and access permission, administrato r ID, contact and location of Switch A, and enabli ng the device to sent trap messages. Thus, the NMS is able to access Switch A and receive the trap messages sent by Switch A. Figure 1-2 Network diagram for SNMP configuration Et he[...]

  • Seite 434

    1-9 [device] snmp-agent trap enable standard linkdown [device] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public Configuring the NMS The device support s iMC NMS. SNMPv3 adopt s user name and p assword aut hentication. Whe n you use the iMC, you need to set user names and choose the security level in[...]

  • Page 435

    2-1 2 RMON Configuration Introduction to RMON Remote monitoring (RMON) is a kind of management information base (MIB) defined by the Internet Engineering Task Force (IETF). It is an important enhancement made to the MIB II standards. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is current[...]

  • Page 436

    2-2 Commonly Used RMON Groups Event group The event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms. You can specify a network device to act in one of the following ways in response[...]

  • Page 437

    2-3 The statistics include the number of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets. With the RMON statistics management function, you can monitor the use of a port and make statistics on the e[...]

  • Page 438

    2-4 Displaying and Maintaining RMON To do… Use the command… Remarks Display RMON statistics display rmon statistics [ interface-type interface-number | unit unit-number ] Display RMON history information display rmon history [ interface-type interface-number | unit unit-number ] Display RMON alarm information display rmon alarm [ entry-n[...]

  • Page 439

    2-5 [device] rmon prialarm 2 (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 # Display the RMON extended alarm entry numbered 2. [device] display rmon prialarm 2 Prialarm table 2 owned by user1 is VALID. Samples type : changeratio Variable formula [...]

  • Page 440

    i Table of Contents: 1 Multicast Overview 1-1; Multicast Overview [...]

  • Page 441

    1-1 1 Multicast Overview • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series devices. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Multicast Overview With the development of networks o[...]

  • Page 442

    1-2 Figure 1-1 Information transmission in the unicast mode (figure: Source Server; Hosts A to E, of which B, D and E are receivers; separate packets for Host B, Host D and Host E) Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respecti[...]

  • Page 443

    1-3 Figure 1-2 Information transmission in the broadcast mode (figure: Source Server; Hosts A to E, of which B, D and E are receivers; packets for all the network) Assume that Hosts B, D, and E need the information. The source server broadcasts this information through routers, and Hosts A and C on the network also receive this informa[...]

  • Page 444

    1-4 Figure 1-3 Information transmission in the multicast mode (figure: Source Server; Hosts A to E, of which B, D and E are receivers; packets for the multicast group) Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts B, D and E into a receiver set. The rou[...]

  • Page 445

    1-5 Table 1-1 An analogy between TV transmission and multicast transmission Step TV transmission Multicast transmission 1 A TV station transmits a TV program through a television channel. A multicast source sends multicast data to a multicast group. 2 A user tunes the TV set to the channel. A receiver joins the multicast group. 3 The user starts [...]

  • Page 446

    1-6 ASM model In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of the position of a multicast source in [...]

  • Page 447

    1-7 As receivers are multiple hosts in a multicast group, you should be concerned about the following questions: • What destination should the information source send the information to in the multicast mode? • How to select the destination address? These questions are about multicast addressing. To enable the communication between the info[...]

  • Page 448

    1-8 Class D address range Description 239.0.0.0 to 239.255.255.255 Administratively scoped multicast addresses, which are for specific local use only. As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network protocols on local networks. The following table lists commonly used reserved IP multicas[...]

  • Page 449

    1-9 multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members. As stipulated by IANA, the high-order 24 bits of a multicast MAC address are 0x01005e, while the low-order 23 bits of the MAC address are the low-order 23 bits of the multicast IP address. Figure 1-4 describes th[...]

  • Page 450

    1-10 Figure 1-5 Positions of Layer 3 multicast protocols (figure: AS 1 and AS 2; Source and Receivers; PIM inside each AS, MSDP between the ASs, IGMP toward the receivers) 1) Multicast management protocols Typically, the Internet Group Management Protocol (IGMP) is used between hosts and Layer 3 multicast devices directly connected with the hosts. These protocols define the mecha[...]

  • Page 451

    1-11 Figure 1-6 Positions of Layer 2 multicast protocols (figure: Source, Receivers, multicast packets, IGMP Snooping) 2) IGMP Snooping Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that manages and controls multicast groups by listening to and analyzing IGMP [...]

  • Page 452

    1-12 2) If the corresponding (S, G) entry exists, but the interface on which the packet actually arrived is not the incoming interface in the multicast forwarding table, the multicast packet is subject to an RPF check. • If the result of the RPF check shows that the RPF interface is the incoming interface of the existing (S, G) entry, this me[...]

  • Page 453

    1-13 • A multicast packet from Source arrives at VLAN-interface 1 of Switch C, and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C. Switch C performs an RPF check, and finds in its unicast routing table that the outgoing interface to 192.168.0.0/24 is VLAN-interface 2. This means that the inte[...]

  • Page 454

    2-1 2 IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings[...]

  • Page 455

    2-2 Figure 2-2 IGMP Snooping related ports (figure: Router A, Switch A and Switch B with ports Eth1/0/1, Eth1/0/2 and Eth1/0/3; Hosts A to D, two of them receivers; Source; multicast packets; a router port and a member port are marked) Ports involved in IGMP Snooping, as shown in Figure 2-2, are described as follows: • Router port: A[...]

  • Page 456

    2-3 When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether active multicast group members exist on the subnet. Upon receiving an IGMP general query, the device forwards it through all ports in the VLAN except the receiving port and perform[...]

  • Page 457

    2-4 immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port. Upon receiving the IGMP leave message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group-specific quer[...]

  • Page 458

    2-5 Operation Remarks Configuring a VLAN Tag for Query Messages Optional Configuring Multicast VLAN Optional Enabling IGMP Snooping Follow these steps to enable IGMP Snooping: To do… Use the command… Remarks Enter system view system-view — Enable IGMP Snooping globally igmp-snooping enable Required By default, IGMP Snooping is disable[...]

  • Page 459

    2-6 • Before configuring related IGMP Snooping functions, you must enable IGMP Snooping in the specified VLAN. • Different multicast group addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group. Configuring Timers This section [...]

  • Page 460

    2-7 Enabling fast leave processing in Ethernet port view Follow these steps to enable fast leave processing in Ethernet view: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Enable fast leave processing for specific VLANs igmp-snooping fast-leave [[...]

  • Page 461

    2-8 Configuring a multicast group filter in system view Follow these steps to configure a multicast group filter in system view: To do… Use the command… Remarks Enter system view system-view — Configure a multicast group filter igmp-snooping group-policy acl-number [ vlan vlan-list ] Required No group filter is configured by default,[...]

  • Page 462

    2-9 Follow these steps to configure the maximum number of multicast groups on a port: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Limit the number of multicast groups on a port igmp-snooping group-limit limit [ vlan vlan-list [ overflow-replace ][...]

  • Page 463

    2-10 To do… Use the command… Remarks Enable IGMP Snooping querier igmp-snooping querier Required By default, IGMP Snooping querier is disabled. Configure the interval of sending general queries igmp-snooping query-interval seconds Optional By default, the interval of sending general queries is 60 seconds. Configure the source IP address of ge[...]

  • Page 464

    2-11 In Ethernet port view Follow these steps to configure a static multicast group member port in Ethernet port view: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure the current port as a static member port for a multicast group in a VLAN m[...]

  • Page 465

    2-12 In VLAN view Follow these steps to configure a static router port in VLAN view: To do… Use the command… Remarks Enter system view system-view — Enter VLAN view vlan vlan-id — Configure a specified port as a static router port multicast static-router-port interface-type interface-number Required By default, no static router port [...]

  • Page 466

    2-13 • Before configuring a simulated host, enable IGMP Snooping in VLAN view first. • The port to be configured must belong to the specified VLAN; otherwise the configuration does not take effect. • You can use the source-ip source-address command to specify a multicast source address that the port will join as a simulated host. This confi[...]

  • Page 467

    2-14 To do… Use the command… Remarks Enter VLAN interface view interface Vlan-interface vlan-id — Enable IGMP igmp enable Required By default, the IGMP feature is disabled. Return to system view quit — Enter Ethernet port view for the Layer 2 device to be configured interface interface-type interface-number — Define the port as a trunk or[...]

  • Page 468

    2-15 • One port can belong to only one multicast VLAN. • The port connected to a user terminal must be a hybrid port. • The multicast member ports must be in the same VLAN with the router port. Otherwise, the multicast member port cannot receive multicast packets. • If a router port is in a multicast VLAN, the router port must be configured a[...]

  • Page 469

    2-16 Figure 2-3 Network diagram for IGMP Snooping configuration (figure: Source 1.1.1.1/24; Router A, the IGMP querier, with ports GE1/0/1 and GE1/0/2 and addresses 10.1.1.1/24 and 1.1.1.2/24; Switch A with GE1/0/1, GE1/0/2, GE1/0/3 and GE1/0/4 in VLAN 100; Host A, Host B and Host C, two of them receivers; multicast packets) Configuration procedure 1) Configure the IP address of [...]

  • Page 470

    2-17 Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):100. Total 1 IP Group(s). Total 1 MAC Group(s). Static Router port(s): Dynamic Router port(s): GigabitEthernet1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address: 224.1.1.1 Static host port(s): Dynamic host port(s): GigabitEthernet1/0/3 GigabitEthernet1/0/4 MA[...]

  • Page 471

    2-18 Configure a multicast VLAN, so that users in VLAN 2 and VLAN 3 can receive multicast streams through the multicast VLAN. Figure 2-4 Network diagram for multicast VLAN configuration (figure: Host A, Host B, Workstation, Switch A and Switch B; Vlan-int 20 168.10.1.1; ports GE1/0/1 and GE1/0/10; VLAN 2, VLAN 3 and VLAN 10) [...]

  • Page 472

    2-19 # Configure VLAN 10 as the multicast VLAN and enable IGMP Snooping on it. [SwitchB] vlan 10 [SwitchB-vlan10] service-type multicast [SwitchB-vlan10] igmp-snooping enable [SwitchB-vlan10] quit # Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and VLAN 10, and configure the port to forward tagged packets for VL[...]

  • Page 473

    3-1 3 Common Multicast Configuration Common Multicast Configuration Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. Alternatively, you can statically bind a port to a multicast MAC address entry by configuring a multicast MAC addr[...]

  • Page 474

    3-2 Configuring Dropping Unknown Multicast Packets Generally, if the multicast address of the multicast packet received on the device is not registered on the local device, the packet will be flooded in the VLAN. When the function of dropping unknown multicast packets is enabled, the device will drop any multicast packets whose multicast a[...]

  • Page 475

    i Table of Contents: 1 NTP Configuration 1-1; Introduction to NTP [...]

  • Page 476

    1-1 1 NTP Configuration When configuring NTP, go to these sections for information you are interested in: • Introduction to NTP • NTP Configuration Task List • Configuring NTP Implementation Modes • Configuring Access Control Right • Configuring NTP Authentication • Configuring Optional NTP Parameters • Displaying and Maintaining NTP Configur[...]

  • Page 477

    1-2 • In network management, the analysis of the log information and debugging information collected from different devices is meaningful and valid only when the network devices that generate the information adopt the same time. • The billing system requires that the clocks of all network devices be consistent. • Some functions, such as restarti[...]

  • Page 478

    1-3 Figure 1-1 Implementation principle of NTP (figure: four panels showing Device A and Device B exchanging NTP messages across an IP network, with timestamps 10:00:00 am, 11:00:01 am and 11:00:02 am) rec[...]

  • Page 479

    1-4 Server/client mode Figure 1-2 Server/client mode (figure: the Client sends a clock synchronization request across the network; the Server works in server mode automatically and sends a response packet; the Client filters and selects a clock and synchronizes the local clock to that of the preferred server) Symmetric pe[...]

  • Page 480

    1-5 Multicast mode Figure 1-5 Multicast mode (figure: the Server multicasts clock synchronization packets periodically across the network; the Client initiates a client/server mode request after receiving the first multicast packet; the Server works in the server mode automatically and sends responses) Client/[...]

  • Page 481

    1-6 NTP Configuration Task List Complete the following tasks to configure NTP: Task Remarks Configuring NTP Implementation Modes Required Configuring Access Control Right Optional Configuring NTP Authentication Optional Configuring Optional NTP Parameters Optional Displaying and Maintaining NTP Configuration Optional Configuring NTP Implementati[...]

  • Page 482

    1-7 To do… Use the command… Remarks Enter system view system-view — Configure an NTP client ntp-service unicast-server { remote-ip | server-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* Required By default, the device is not configured to work in the NTP client mode. • The [...]

  • Page 483

    1-8 • In the symmetric peer mode, you need to execute the related NTP configuration commands (refer to Configuring NTP Implementation Modes for details) to enable NTP on a symmetric-passive peer; otherwise, the symmetric-passive peer will not process NTP messages from the symmetric-active peer. • The remote device specified by remote-ip or pe[...]

  • Page 484

    1-9 Configuring the device to work in the NTP broadcast client mode To do… Use the command… Remarks Enter system view system-view — Enter VLAN interface view interface Vlan-interface vlan-id — Configure the device to work in the NTP broadcast client mode ntp-service broadcast-client Required Not configured by default. Configuring NTP M[...]

  • Page 485

    1-10 Configuring Access Control Right With the following command, you can configure the NTP service access-control right to the local device for a peer device. There are four access-control rights, as follows: • query: Control query right. This level of right permits the peer device to perform control query to the NTP service on the local dev[...]

  • Page 486

    1-11 synchronized only to that of the server that passes the authentication. This improves network security. Table 1-2 shows the roles of devices in the NTP authentication function. Table 1-2 Description on the roles of devices in the NTP authentication function Role of device Working mode Client in the server/client mode Client in the broadca[...]

  • Page 487

    1-12 To do… Use the command… Remarks Configure the NTP authentication key ntp-service authentication-keyid key-id authentication-mode md5 value Required By default, no NTP authentication key is configured. Configure the specified key as a trusted key ntp-service reliable authentication-keyid key-id Required By default, no trusted key is co[...]

  • Page 488

    1-13 To do… Use the command… Remarks Configure on the NTP broadcast server ntp-service broadcast-server authentication-keyid key-id Associate the specified key with the corresponding broadcast/multicast client Configure on the NTP multicast server ntp-service multicast-server authentication-keyid key-id • In NTP broadcast server mode an[...]

  • Page 489

    1-14 Configuring the Number of Dynamic Sessions Allowed on the Local Device Follow these steps to configure the number of dynamic sessions allowed on the local device: To do… Use the command… Remarks Enter system view system-view — Configure the maximum number of dynamic sessions that can be established on the local device ntp-service ma[...]

  • Page 490

    1-15 Figure 1-6 Network diagram for the NTP server/client mode configuration (figure: Device A 1.0.1.11/24 and Device B 1.0.1.12/24) Configuration procedure Perform the following configurations on Device B. # View the NTP status of Device B before synchronization. <DeviceB> display ntp-service status Clock status: unsynchronized Clock stratu[...]

  • Page 491

    1-16 [12345]1.0.1.11 127.127.1.0 2 1 64 1 350.1 15.1 0.0 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured Total associations : 1 Configuring NTP Symmetric Peer Mode Network requirements • As shown in Figure 1-7, the local clock of Device A is set as the NTP master clock, with the clock stratum level of 2. • Device C (a WX[...]

  • Page 492

    1-17 Reference clock ID: 3.0.1.32 Nominal frequency: 60.0002 Hz Actual frequency: 60.0002 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Sep 7 2006 (BF422AE4.05AEA86C) The output information indicates that the clock of Device C is synchro[...]

  • Page 493

    1-18 Configuration procedure 1) Configure Device C. # Enter system view. <DeviceC> system-view # Set Device C as the broadcast server, which sends broadcast messages through Vlan-interface2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service broadcast-server 2) Configure Device A. (perform the same configuration [...]

  • Page 494

    1-19 Configuring NTP Multicast Mode Network requirements • As shown in Figure 1-9, the local clock of Device C is set as the NTP master clock, with a clock stratum level of 2. Configure Device C to work in the NTP multicast server mode and advertise multicast NTP messages through Vlan-interface2. • Device A and Device D are two WX3000 series [...]

  • Page 495

    1-20 Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 60.0002 Hz Actual frequency: 60.0002 Hz Clock precision: 2^18 Clock offset: 198.7425 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Sep 7 2006 (BF422AE4.05AEA86C) The output information i[...]

  • Page 496

    1-21 # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey. [DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Specify the key 42 as a trusted key. [DeviceB] ntp-service reliable authentication-keyid 42 [DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 After[...]

  • Seite 497

    i Table of Contents 1 SSH Confi guration ············································································································ ························· 1-1 SSH Overview ············[...]

  • Seite 498

    1-1 1 SSH Configuration z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of a WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary SSH Overview Introduction to SSH Secure Shell (SSH) is a p[...]

  • Seite 499

    1-2 Figure 1-1 Encryption and decryption En cr yp ti o n Ke y D e cr yp tio n Ciph er t ex t Pla in text Ke y P l ai n t ex t En cr yp ti o n Ke y D e cr yp tio n Ciph er t ex t Pla in text Ke y P l ai n t ex t Key-based algorithm is usually classifie d into sy mmetric key algori thm and asymmetric key algorithm. Asymmetric Key Algorithm Asymmetric[...]

  • Seite 500

    1-3 Version negotiation z The server opens port 22 to listen to connection requ ests from clie nts. z The client sends a TCP connection request to the server. After the TCP conn ection is esta blished, the server sends the first packet to the client, whic h includes a version identification string in the format of “SSH-<primary protocol vers i[...]

  • Seite 501

    1-4 z In password authentication, the c lient encrypts the use rname an d password, encapsulates them into a password authentication request, and sends t he reque st to the server. Upon receiving the request, the server decrypts the username and passw ord, compares them with those it maintains, and then informs the client of the authentication re s[...]

  • Seite 502

    1-5 SSH Server Configuration Tasks Complete the following tasks to configure SSH server: Task Remark Configuring the Protocol Suppo rt for the User Interface Required Generating/Destroying a RSA or DSA Key Pair Required Exporting the RSA or DSA Public Key Optional Creating an SSH User and Specify an Authentication Type Required Specifying a Service[...]

  • Seite 503

    1-6 z If you have configured a user interface to s upport SSH protocol, you must configure AAA authentication for the user interface by using the authentica tion-mode schem e command to ensure successful login. z On a user interface, if the authentication-mo de password or authentication-mode none command has been execut ed, the protocol inbound ss[...]

  • Seite 504

    1-7 Exporting the RSA or DSA Public Key Y ou can display the generated RSA or DSA key pair on the scree n in a specified format, or export it to a specified file for configuring the key at a remote end. Follow these steps to expo rt the RSA public key: To do… Use the command… Remarks Enter syst e m view system-view — Display the RSA key on th[...]

  • Seite 505

    1-8 z For pass word authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local use r name, so that there is no need to configure a local user in AAA. z If the default authentication type for SSH users i s password and local AAA authentic[...]

  • Seite 506

    1-9 To do… Use the command… Remarks Enter syst e m view system-vie w — Set SSH authentication timeout time ssh server timeout seconds Optional By default, the timeout time is 60 seconds. Set SSH authentication retry times ssh server authentication-re tries times Optional By default, the number of retry times is 3. Set RSA server key update in[...]

  • Seite 507

    1-10 To do… Use the command… Remarks Enter public key edit view public-key-code begin — Configure a public key for the client Enter the content of the public key When you input the key data, spaces are allowed betwee n the characters you input (because the system can remove the spaces automatically); you can also press <Enter> to contin[...]

  • Seite 508

    1-11 Follow these steps to impo rt the RSA public key from a public key file: To do… Use the command… Remarks Enter syst e m view system-vie w — Import the RSA public key from a public key file rsa peer-public-key keyname import sshkey filename Required The result of the display rsa local-key -pair public command or the public key converted w[...]

  • Seite 509

    1-12 Follow these steps to sp ecify a source IP address/interface for the S SH server: To do… Use the command… Remarks Enter syst e m view system-vie w — Specify a source IP address for the SSH server ssh-server source-ip ip-address Required By default, the system determines the IP address for clients to access. Specify a source interface for[...]

  • Seite 510

    1-13 z Selecting the protocol for remote con nection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH z Selecting the SSH version. Since the device suppor ts SSH Server 2 .0 now, select 2.0 or lower for the client. z Specifying the privat[...]

  • Seite 511

    1-14 Figure 1-3 Generate the client keys (2) After the key pai r is generated, click Save public key and enter the name of the file for saving th e public key ( public in this case) to save the public key . Figure 1-4 Generate the client keys (3)[...]

  • Seite 512

    1-15 Likewise, to save the priv ate key , click Sav e private key . A warning window pop s up to prompt you whether to save the private key witho ut any precaution. Cli ck Ye s and enter the name of the file for saving the private key (“pri vate” in this case ) to save the private key . Figure 1-5 Generate the client keys (4) T o generate RSA p[...]

  • Seite 513

    1-16 Figure 1-7 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Select a protocol for remote connection As shown in Figure 1-7, select SSH under Protocol. Select an SSH version From [...]

  • Page 514

    1-17 Figure 1-8 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation with ssh2. Open an SSH connection wi[...]

  • Page 515

    1-18 Figure 1-9 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log onto the server. Figure 1[...]

  • Page 516

    1-19 Open an SSH connection with password authentication From the window shown in Figure 1-9, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-11. Figure 1-11 SSH client interface (2) Enter the username and password to establish [...]

  • Page 517

    1-20 Follow these steps to enable the device to support first-time authentication: To do… Use the command… Remarks Enter system view system-view — Enable the device to support first-time authentication ssh client first-time enable Optional By default, the client is enabled to run initial authentication. Follow these steps to disable fir[...]

  • Page 518

    1-21 When logging into the SSH server using public key authentication, an SSH client needs to read the local private key for authentication. As two algorithms (RSA or DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key. Specifying a Source IP address/Interface for the SSH cl[...]

  • Page 519

    1-22 SSH Configuration Examples When the Device Acts as the SSH Server and the Authentication Type is Password Network requirements As shown in Figure 1-12, establish an SSH connection between the host (SSH Client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Password authentication is required[...]

  • Page 520

    1-23 Take SSH client software “PuTTY” (version 0.58) as an example: 1) Run PuTTY.exe to enter the following configuration interface. Figure 1-13 SSH client configuration interface In the Host Name (or IP address) text box, enter the IP address of the SSH server. 2) As shown in Figure 1-13, click Open to enter the following interface. If th[...]

  • Page 521

    1-24 Figure 1-14 SSH client interface When the Device Acts as an SSH Server and the Authentication Type is Publickey Network requirements As shown in Figure 1-15, establish an SSH connection between the host (SSH client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Publickey authentication is req[...]

  • Page 522

    1-25 <device> system-view [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [device-Vlan-interface1] quit # Generate RSA and DSA key pairs. [device] public-key local create rsa [device] public-key local create dsa # Set the authentication mode for the user interfaces to AAA. [device] user-inter[...]

  • Page 523

    1-26 Figure 1-16 Generate a client key pair (1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1-17. Otherwise, the process bar stops moving and the key pair generating process is stopped.[...]

  • Page 524

    1-27 Figure 1-17 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (“public” in this case). Figure 1-18 Generate a client key pair (3)[...]

  • Page 525

    1-28 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case). Figure 1-19 Generate a client key pair (4) After a public key pair is generated, y[...]

  • Page 526

    1-29 Figure 1-21 SSH client configuration interface (2) Click Browse… to bring up the file selection window, navigate to the private key file and click OK. 3) From the window shown in Figure 1-21, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as[...]

  • Page 527

    1-30 When the Switch Acts as an SSH Client and the Authentication Type is Password Network requirements As shown in Figure 1-23, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name for login is client001 and the SSH server’s IP address is 10.165.87.136. Password authen[...]

  • Page 528

    1-31 [device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [device-Vlan-interface1] quit # Establish a connection to the server 10.165.87.136. [device] ssh2 10.165.87.136 Username: client001 Trying 10.165.87.136 ... Press CTRL+K to abort Connected to 10.165.87.136 ... The Server is not authenticated. Do you continue to access it?(Y/N):y [...]

  • Page 529

    1-32 <device> system-view [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 [device-Vlan-interface1] quit # Generate RSA and DSA key pairs. [device] public-key local create rsa [device] public-key local create dsa # Set the authentication mode for the user interfaces to AAA. [device] user-int[...]

  • Page 530

    1-33 After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client. # Establish an SSH connection to the server 10.165.87.136. [device] ssh2 10.165.87.136 identity-key dsa Username: client001 Trying 10.165.87.136 ... [...]

  • Page 531

    1-34 [device-Vlan-interface1] quit # Generate RSA and DSA key pairs. [device] public-key local create rsa [device] public-key local create dsa # Set AAA authentication on user interfaces. [device] user-interface vty 0 4 [device-ui-vty0-4] authentication-mode scheme # Configure the user interfaces to support SSH. [device-ui-vty0-4] protocol inbound[...]

  • Page 532

    1-35 [device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [device-Vlan-interface1] quit # Generate a DSA key pair [device] public-key local create dsa # Export the generated DSA key pair to a file named Switch001. [device] public-key local export dsa ssh2 Switch001 After generating the key pair, you need to upload the key pair file to [...]

  • Page 533

    i Table of Contents 1 File System Management Configuration 1-1 File System Configuration [...]

  • Page 534

    1-1 1 File System Management Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. File System Configuration Introduction to File System To facilitate management on the device memory, the device provides the file system function, allowing you to access and manage t[...]

  • Page 535

    1-2 • Displaying the current work directory, or contents in a specified directory Follow these steps to perform directory-related operations in user view: To do… Use the command… Remarks Create a directory mkdir directory Optional Delete a directory rmdir directory Optional Display the current work directory pwd Optional Display the infor[...]

  • Page 536

    1-3 To do… Use the command… Remarks Enter system view system-view — Execute the specified batch file execute filename Optional This command should be executed in system view. • For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored. • The files which are deleted by the del[...]

  • Page 537

    1-4 Follow these steps to configure the prompt mode of the file system: To do… Use the command… Remarks Enter system view system-view — Configure the prompt mode of the file system file prompt { alert | quiet } Required By default, the prompt mode of the file system is alert. File System Configuration Example # Display all the f[...]

  • Page 538

    1-5 <device> dir unit1>flash:/test/ Directory of unit1>flash:/test/ 1 -rw- 1443 Apr 02 2000 02:45:13 1.cfg 6858 KB total (6841 KB free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute File Attribute Configuration Introduction to File Attributes The following two startup files support file[...]

  • Page 539

    1-6 attribute. If you download a valid file with the same name as the deleted file to the flash memory, the file will possess the main attribute. Configuring File Attributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch, and change the main or backup attribute of[...]

  • Page 540

    i Table of Contents 1 FTP and SFTP Configuration 1-1 Introduction to FTP and SFTP [...]

  • Page 541

    1-1 1 FTP and SFTP Configuration • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. • FTP banner is newly added. For details, see C[...]

  • Page 542

    1-2 Introduction to SFTP Secure FTP (SFTP) is established based on an SSH2 connection. It allows a remote user to log in to the switching engine to manage and transmit files, providing a stronger guarantee for secure data transmission. In addition, since the device can be used as a client, you can log in to remote devices to transfer files securely[...]

  • Page 543

    1-3 Enabling an FTP server Follow these steps to enable an FTP server: To do… Use the command… Remarks Enter system view system-view — Enable the FTP server function ftp server enable Required Disabled by default. • Only one user can access the device at a given time when the latter operates as an FTP server. • Operating as an FTP s[...]

  • Page 544

    1-4 Source interface refers to the existing VLAN interface or Loopback interface on the device. Source IP address refers to the IP address configured for the interface on the device. Each source interface corresponds to a source IP address. Therefore, specifying a source interface for the FTP server is the same as specifying the IP address [...]

  • Page 545

    1-5 With the device acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the device will disconnect the user after the data transmission is completed. Configuring the banner for an FTP server Displaying a banner: With a banner configured on the FTP serv[...]

  • Page 546

    1-6 To do… Use the command… Remarks Configure a shell banner header shell text Use either command or both. By default, no banner is configured. For details about the header command, refer to the Login part of the manual. Displaying FTP server information To do… Use the command… Remarks Display the information about FTP server configuratio[...]

  • Page 547

    1-7 To do… Use the command… Remarks Change the working directory on the remote FTP server cd pathname Change the working directory to be the parent directory cdup Get the local working path on the FTP client lcd Display the working directory on the FTP server pwd Create a directory on the remote FTP server mkdir pathname Remove a directory [...]

  • Page 548

    1-8 Specifying the source interface and source IP address for an FTP client You can specify the source interface and source IP address for the device acting as an FTP client, so that it can connect to a remote FTP server. Follow these steps to specify the source interface and source IP address for an FTP client: To do… Use the command… Re[...]

  • Page 549

    1-9 saved-configuration command to specify config.cfg as the main configuration file for next startup and then reboot the device. • Create a user account on the FTP server with the user name “switch” and password “hello”. • The IP addresses 1.1.1.1 for a VLAN interface on the switching engine and 2.2.2.2 for the PC have been configured.[...]

  • Page 550

    1-10 200 Port command okay. 150 Opening ASCII mode data connection for config.cfg. 226 Transfer complete. This example uses the command line window tool provided by Windows. When you log in to the FTP server through another FTP client, refer to the corresponding instructions for operation description. • If available space on the flash memory o[...]

  • Page 551

    1-11 Figure 1-4 Network diagram for FTP banner display configuration [figure: Switch (FTP server), Vlan-int 1 1.1.1.1/8; PC (FTP client), 2.2.2.2/8; connected through the network] Configuration procedure 1) Configure the switch (FTP server) # Configure the login banner of the switching engine as “login banner appears” and the shell banner as “shell banner[...]

  • Page 552

    1-12 Figure 1-5 Network diagram for FTP configurations: the device operating as an FTP client [figure: Switch A (FTP client), Vlan-int 1 1.1.1.1/8; PC (FTP server), 2.2.2.2/8; connected through the network] Configuration procedure 1) Configure the PC (FTP server) Perform FTP server-related configurations on the PC, that is, create a user account on the FTP serve[...]

  • Page 553

    1-13 <device> # After downloading the file, use the startup saved-configuration command to specify the downloaded configuration file as the main configuration file for next startup, and then restart the device. <device>startup saved-configuration config.cfg main Please wait........................................Done! For informa[...]

  • Page 554

    1-14 To do… Use the command… Remarks Enter system view system-view — Configure the connection idle time for the SFTP server ftp timeout time-out-value Optional 10 minutes by default Supported SFTP client software The device operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), [...]

  • Page 555

    1-15 To do… Use the command… Remarks Enter SFTP client view sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | m[...]

  • Page 556

    1-16 If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm to get the correct local private key; otherwise [...]

  • Page 557

    1-17 # Create a VLAN interface on the device and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server. [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [device-Vlan-interface1] quit # Specify the SSH authentication mode as AAA. [device[...]

  • Page 558

    1-18 sftp-client> # Display the current directory of the server. Delete the file z and verify the result. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 n[...]

  • Page 559

    1-19 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 Received status: End of file Received status: Success # Download the file pubkey2 from the server and rename it as public. sftp-client> get pubkey2[...]

  • Page 560

    2-1 2 TFTP Configuration Introduction to TFTP Compared with FTP, TFTP (trivial file transfer protocol) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in networks where client-server interactions are relatively simple. TFTP is implemented based on UDP. It transfers data through U[...]

  • Page 561

    2-2 Task Remarks TFTP server configuration For details, see the corresponding manual — TFTP Configuration: The Device Operating as a TFTP Client Basic configurations on a TFTP client By default the device can operate as a TFTP client. In this case you can connect the device to the TFTP server to perform TFTP-related operations (such as creati[...]

  • Page 562

    2-3 To do… Use the command… Remarks Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server tftp source-interface interface-type interface-number Specify an IP address as the source IP address a TFTP client uses every time it connects to a TFTP server tftp source-ip ip-address Use either command[...]

  • Page 563

    2-4 Configuration procedure 1) Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. 2) Configure the TFTP client (switch). # Log in to the switching engine. (You can log in to the switching engine through the console port or by telnetting the device. See the “Login” module for detailed inform[...]

  • Page 564

    i Table of Contents 1 Information Center 1-1 Information Center Overview [...]

  • Page 565

    1-1 1 Information Center • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Information Center Overview Introduction to Information [...]

  • Page 566

    1-2 Severity Severity value Description informational 7 Informational information to be recorded debugging 8 Information generated during debugging Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during the filtering. • If the threshold is set to 1, only [...]

  • Page 567

    1-3 Configurations for the six output directions function independently and take effect only after the information center is enabled. Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3. Table 1-3 Source module name [...]

  • Page 568

    1-4 Module name Description NTP Network time protocol module PKI Public key infrastructure module RDS Radius module RMON Remote monitor module RSA Rivest, Shamir and Adleman encryption module SHELL User interface module SNMP Simple network management protocol module SOCKET Socket module SSH Secure shell module SYSMIB System MIB module TAC HWTACA[...]

  • Page 569

    1-5 Priority The priority is calculated using the following formula: facility*8+severity-1, in which • facility (the device name) defaults to local7 with the value being 23 (the value of local6 is 22, that of local5 is 21, and so on). • severity (the information level) ranges from 1 to 8. Table 1-1 details the value and meaning associated with eac[...]

  • Page 570

    1-6 You can use the sysname command to modify the system name. (Refer to the System Maintenance and Debugging part of this manual for details.) Note that there is a space between the sysname and module fields. Module The module field represents the name of the module that generates system information. You can enter the info-center source [...]

  • Page 571

    1-7 Task Remarks Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information output refers to the feature that if system information such as log, trap, or debugging information is output while the user is inputting commands, the command line prompt (in command editing mode a[...]

  • Page 572

    1-8 To do… Use the command… Remarks Log host direction info-center timestamp loghost date Set the time stamp format in the output direction of the information center to date Non log host direction info-center timestamp { log | trap | debugging } date Required Use either command Set to display the UTC time zone in the output information of the i[...]

  • Page 573

    1-9 Table 1-4 Default output rules for different output directions LOG TRAP DEBUG Output direction Modules allowed Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity Console default (all modules) Enabled warnings Enabled debugging Enabled debugging Monitor terminal default (all modules) Enabled warnings Enab[...]

  • Page 574

    1-10 Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface. Setting to output system information to a monitor terminal Follow these steps to set to output system information to a mon[...]

  • Page 575

    1-11 Follow these steps to enable the display of system information on a monitor terminal: To do… Use the command… Remarks Enable the debugging/log/trap information terminal display function terminal monitor Optional Enabled by default Enable debugging information terminal display function terminal debugging Optional Disabled by default Ena[...]

  • Page 576

    1-12 To do… Use the command… Remarks Set the format of the time stamp to be sent to the log host info-center timestamp loghost { date | no-year-date | none } Optional By default, the time stamp format of the information output to the log host is date. Be sure to set the correct IP address when using the info-center loghost command. A loopba[...]

  • Page 577

    1-13 To do… Use the command… Remarks Enable information output to the log buffer info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]* Optional By default, the device uses information channel 4 to output log information to the log buffer, which can hold up to 512 items by default. Configure the output rules[...]

  • Page 578

    1-14 Displaying and Maintaining Information Center To do… Use the command… Remarks Display information on an information channel display channel [ channel-number | channel-name ] Display the operation status of information center, the configuration of information channels, the format of time stamp display info-center [ unit unit-id ] Displa[...]

  • Page 579

    1-15 # Configure the host whose IP address is 202.38.1.10 as the log host. Permit ARP and IP modules to output information with severity level higher than informational to the log host. [Switch] info-center loghost 202.38.1.10 facility local4 [Switch] info-center source arp channel loghost log level informational debug state off trap state off [[...]

  • Page 580

    1-16 Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to a Linux Log Host Network requirements As shown in Figure 1-2, Switch sends the following log information to t[...]

  • Page 581

    1-17 Note the following items when you edit the file “/etc/syslog.conf”. • A note must start on a new line, starting with a “#” sign. • In each pair, a tab should be used as the separator instead of a space. • No space is permitted at the end of the file name. • The device name (facility) and received log information severity specified in [...]

  • Page 582

    1-18 [Switch] info-center enable # Disable the function of outputting information to the console channels. [Switch] undo info-center source default channel console # Enable log information output to the console. Permit ARP and IP modules to output log information with severity level higher than informational to the console. [Switch] info-ce[...]

  • Page 583

    i Table of Contents 1 Host Configuration File Loading 1-1 Introduction to Loading Approaches [...]

  • Page 584

    1-1 1 Host Configuration File Loading • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Traditionally, device software is loaded [...]

  • Page 585

    1-2 Connected to OAP! <device_LSW> ftp 192.168.0.100 Trying ... Press CTRL+K to abort Connected. 220 3Com 3CDaemon FTP Server Version 2.0 User(none):admin 331 User name ok, need password Password: 230 User logged in [ftp]get config.cfg config.cfg 227 Entering passive mode (192,168,0,100,5,95) 125 Using existing data connection ..........226 C[...]

  • Page 586

    1-3 Figure 1-2 Remote loading using FTP server [figure: Switch (Ethernet port, 192.168.0.51) and PC (10.1.1.1) connected over the Internet; FTP server] Step 1: As shown in Figure 1-2, connect Switch through an Ethernet port to the PC (whose IP address is 10.1.1.1) Step 2: Configure the IP address of VLAN-interface 1 on Switch to 192.168.0.51, and sub[...]

  • Page 587

    1-4 Step 6: Enter ftp 192.168.0.51 and enter the user name test, password pass to log on to the FTP server. C:\Documents and Settings\Administrator>d: D:\>cd update D:\Update>ftp 192.168.0.51 Connected to 192.168.0.51. 220 FTP service ready. User (192.168.0.51:(none)): test 331 Password required for test. Password: 230 User logged in[...]

  • Page 588

    1-5 • The steps listed above are performed in the Windows operating system; if you use other FTP client software, refer to the corresponding user guide before operation. • Only the configuration steps concerning loading are listed here. For a detailed description of the corresponding configuration commands, refer to the “FTP-SFTP-TFTP” par[...]

  • Page 589

    2-1 2 Basic System Configuration and Debugging Basic System Configuration Follow these steps to perform basic system configuration: To do… Use the command… Remarks Set the current date and time of the system clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } Required Execute this command in user view. The default value is 23:55:00 04/01/2000[...]

  • Page 590

    2-2 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Display the version of the system display version Display the information about users logging onto the device display users [ all ] Available in any view Debugging the System Enabling/Disabling System Debugging Th[...]

  • Page 591

    2-3 You can use the following commands to enable the two settings. Follow these steps to enable debugging and terminal display for a specific module: To do… Use the command… Remarks Enable system debugging for a specific module debugging module-name [ debugging-option ] Required Disabled for all modules by default. Enable terminal display fo[...]

  • Page 592

    3-1 3 Network Connectivity Test Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. Follow these steps to execute the ping command: To do… Use the command… Remarks Check the IP network connectivity and the reachability of a host ping [ -a ip-address ] [ -c count ] [ -d [...]

  • Page 593

    4-1 4 Device Management Introduction to Device Management Device Management includes the following: • Reboot the device • Configure real-time monitoring of the running status of the system • Specify the main configuration file to be used at the next reboot Device Management Configuration Device Management Configuration Tasks Complete the following[...]

  • Page 594

    4-2 Scheduling a Reboot on the Device After you schedule a reboot on the device, the device will reboot at the specified time. Follow these steps to schedule a reboot on the device: To do… Use the command… Remarks Schedule a reboot on the device, and set the reboot date and time schedule reboot at hh:mm [ mm/dd/yyyy | yyyy/mm/dd ] Optiona[...]

  • Page 595

    4-3 Follow the step below to specify the main configuration file to be used at reboot: To do… Use the command… Remarks Specify the main configuration file to be used at next reboot startup saved-configuration filename [ main | backup ] Required Identifying and Diagnosing Pluggable Transceivers Introduction to pluggable transceivers At present[...]

  • Page 596

    4-4 Follow these steps to identify pluggable transceivers: To do… Use the command… Remarks Display main parameters of the pluggable transceiver(s) display transceiver interface [ interface-type interface-number ] Available for all pluggable transceivers Diagnosing pluggable transceivers The system outputs alarm information for you to diagnos[...]

  • Page 597

    i Table of Contents 1 VLAN-VPN Configuration 1-1 VLAN-VPN Overview [...]

  • Page 598

    1-1 1 VLAN-VPN Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. VLAN-VPN Overview Introduction to [...]

  • Page 599

    1-2 Figure 1-2 Structure of packets with double-layer VLAN tags [figure: frame layout with fields Destination MAC address, Source MAC address, Outer VLAN Tag, Inner VLAN Tag, Data; bit positions 0, 15, 31 marked] Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: • It provides Layer 2 VPN tunnels that are simpler. • VLAN-VPN can be implemented through manual conf[...]

  • Page 600

    1-3 As the position of the TPID field in an Ethernet packet is the same as that of the upper-layer protocol type field in a packet without a VLAN Tag, to avoid confusion in the process of receiving/forwarding a packet, the TPID value cannot be any of the protocol type values listed in Table 1-1. Table 1-1 Commonly used protocol type values in Eth[...]

  • Page 601

    1-4 TPID Adjusting Configuration Configuration Prerequisites • To change the global TPID value 0x8100, you need to specify a port on the device as a VLAN VPN uplink port. Before the configuration, make sure that VLAN VPN is disabled on the port. • For proper packet transmission, confirm the TPID value of the peer device in the public network befo[...]

  • Page 602

    1-5 VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements • As shown in Figure 1-4, both Switch A and Switch B are WX3000 series devices. They connect the users to the servers through the public network. • PC users and PC servers are in VLAN 100 created in the[...]

  • Page 603

    1-6 # Set the global TPID value of Switch A to 0x9200 and configure GigabitEthernet 1/0/12 as a VLAN VPN uplink port, so that Switch A can intercommunicate with devices in the public network. [SwitchA] vlan-vpn tpid 9200 [SwitchA] interface GigabitEthernet1/0/12 [SwitchA-GigabitEthernet1/0/12] port link-type trunk [SwitchA-GigabitEthernet1/0/12][...]

  • Page 604

    1-7 1) As GigabitEthernet 1/0/11 of Switch A is a VLAN-VPN port, when a packet from the customer’s network side reaches this port, it is tagged with the default VLAN tag of the port (VLAN 1040). 2) The device sets the TPID value for the outer VLAN tags of packets to the user-defined value 0x9200 and then forwards these packets to the public networ[...]

  • Page 605

    2-1 2 Selective QinQ Configuration Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to the packets with different inner VLAN tags. Th[...]

  • Page 606

    2-2 In this way, you can configure different forwarding policies for data of different types of users, thus improving the flexibility of network management. On the other hand, network resources are well utilized, and users of the same type are also isolated by their inner VLAN tags. This helps to improve network security. Inner-to-Outer Tag[...]

  • Page 607

    2-3 You are recommended not to configure both the DHCP snooping and selective QinQ functions on the device, because doing so may cause DHCP snooping to function abnormally. Configuring the Inner-to-Outer Tag Priority Mapping Feature Configuration Prerequisites Enabling the VLAN-VPN feature on the current port Configuration Procedure Follow these s[...]

  • Page 608

    2-4 Figure 2-2 Network diagram for selective QinQ configuration (figure labels: Public Network VLAN 1000 / VLAN 1200, PC User VLAN 100~108, IP Phone User VLAN 200~230, For PC User VLAN 100~108, For IP Phone VLAN 200~230, Switch A, Switch B, ports GE1/0/3, GE1/0/5, GE1/0/11, GE1/0/12, GE1/0/13) Configuration procedure • Configur[...]

  • Page 609

    2-5 [SwitchA-GigabitEthernet1/0/3] vlan-vpn enable # Enable the selective QinQ feature on GigabitEthernet 1/0/3 to tag packets of VLAN 100 through VLAN 108 with the tag of VLAN 1000 as the outer VLAN tag, and tag packets of VLAN 200 through VLAN 230 with the tag of VLAN 1200 as the outer VLAN tag. [SwitchA-GigabitEthernet1/0/3] vlan-vpn vid 1[...]

  • Page 610

    2-6 To make the packets from the servers be transmitted to the clients in the same way, you need to configure the selective QinQ feature on GigabitEthernet 1/0/12 and GigabitEthernet 1/0/13. The configuration on Switch B is similar to that on Switch A and is thus omitted. • The port configuration on Switch B is only an example for a specific[...]

  • Page 611

    i Table of Contents 1 HWPing Configuration 1-1 HWPing Overview [...]

  • Page 612

    1-1 1 HWPing Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. HWPing Overview Introduction to HWPing HWPing (pronounced Hua’[...]

  • Page 613

    1-2 Figure 1-1 HWPing illustration (figure labels: Switch A, HWPing Client, IP network, Switch B, HWPing Server) Test Types Supported by HWPing Table 1-1 Test types supported by HWPing Supported test types Description ICMP test DHCP test FTP test HTTP test DNS test SNMP test For these types of tests, you need to configure HWPing client and corresponding ser[...]

  • Page 614

    1-3 Test parameter Description Source interface ( source-interface ) • For DHCP test, you must specify a source interface, which will be used by HWPing client to send DHCP requests. If no source interface is specified for a DHCP test, the test will not succeed. • After a source interface is specified, HWPing client uses this source interface to[...]

  • Page 615

    1-4 Test parameter Description File name for FTP operation ( filename ) Name of a file to be transferred between HWPing client and FTP server Number of jitter test packets to be sent per probe ( jitter-packetnum ) • Jitter test is used to collect statistics about delay jitter in UDP packet transmission • In a jitter probe, the HWPing client sen[...]

  • Page 616

    1-5 HWPing server configuration The following table describes the configuration on HWPing server, which is the same for HWPing test types that need to configure HWPing server. Follow these steps to configure the HWPing server: To do… Use the command… Remarks Enter system view system-view — Enable the HWPing server function hwping-ser[...]

  • Page 617

    1-6 To do… Use the command… Remarks Configure the number of probes per test count times Optional By default, each test makes one probe. Configure the packet size datasize size Optional By default, the packet size is 56 bytes. Configure the maximum number of history records that can be saved history-records number Optional By default, the maxim[...]

  • Page 618

    1-7 To do… Use the command… Remarks Configure the source interface source-interface interface-type interface-number Required You can only configure a VLAN interface as the source interface. By default, no source interface is configured. Configure the test type test-type dhcp Required By default, the test type is ICMP. Configure the number of pr[...]

  • Page 619

    1-8 To do… Use the command… Remarks Configure the number of probes per test count times Optional By default, each test makes one probe. Configure the maximum number of history records that can be saved history-records number Optional By default, the maximum number is 50. Configure the automatic test interval frequency interval Optional By def[...]

  • Page 620

    1-9 To do… Use the command… Remarks Configure the destination IP address destination-ip ip-address Required You can configure an IP address or a host name. By default, no destination address is configured. Configure dns-server dns-server ip-address Required when you use the destination-ip command to configure the destination address as the host[...]

  • Page 621

    1-10 5) Configuring jitter test on HWPing client Follow these steps to configure jitter test on HWPing client: To do… Use the command… Remarks Enter system view system-view — Enable the HWPing client function hwping-agent enable Required By default, the HWPing client function is disabled. Create a HWPing test group and enter its view hwp[...]

  • Page 622

    1-11 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds. Configure the type of service tos value Optional By default, the service type is zero. Configure the number of test packets that will be sent in each jitter probe jitter-packetnum number Optional By defaul[...]

  • Page 623

    1-12 To do… Use the command… Remarks Configure the maximum number of history records that can be saved history-records number Optional By default, the maximum number is 50. Configure the automatic test interval frequency interval Optional By default, the automatic test interval is zero seconds, indicating no automatic test will be made. Confi[...]

  • Page 624

    1-13 To do… Use the command… Remarks Configure the destination port destination-port port-number Required in a Tcpprivate test A Tcppublic test is a TCP connection test on port 7. Use the hwping-server tcpconnect ip-address 7 command on the server to configure the listening service port; otherwise the test will fail. No port number needs to b[...]

  • Page 625

    1-14 To do… Use the command… Remarks Enter system view system-view — Enable the HWPing client function hwping-agent enable Required By default, the HWPing client function is disabled. Create a HWPing test group and enter its view hwping administrator-name operation-tag Required By default, no test group is configured. Configure the desti[...]

  • Page 626

    1-15 To do… Use the command… Remarks Configure the automatic test interval frequency interval Optional By default, the automatic test interval is zero seconds, indicating no automatic test will be made. Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds. Configure the service type tos value O[...]

  • Page 627

    1-16 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds. Configure the type of service tos value Optional By default, the service type is zero. Configure the domain name to be resolved dns resolve-target domainname Required By default, the domain name to b[...]

  • Page 628

    1-17 Displaying and Maintaining HWPing To do… Use the command… Remarks Display test history display hwping history [ administrator-name operation-tag ] Display the results of the latest test display hwping results [ administrator-name operation-tag ] Available in any view HWPing Configuration Example ICMP Test Network requirements As shown i[...]

  • Page 629

    1-18 # Display test results. [device-hwping-administrator-icmp] display hwping results administrator icmp HWPing entry(admin administrator, tag icmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 3/6/3 Square-Sum of Round Trip Time: 145 Last succeeded test time: 200[...]

  • Page 630

    1-19 # Create a HWPing test group, setting the administrator name to "administrator" and test tag to "DHCP". [device] Hwping administrator dhcp # Configure the test type as dhcp. [device-hwping-administrator-dhcp] test-type dhcp # Configure the source interface, which must be a VLAN interface. Make sure the DHCP server resi[...]

  • Page 631

    1-20 FTP Test Network requirements As shown in Figure 1-4, both the HWPing client and the FTP server are WX3000 series devices. Perform a HWPing FTP test between the two devices to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established. Both the username and p[...]

  • Page 632

    1-21 [device-hwping-administrator-ftp] count 10 # Set the probe timeout time to 30 seconds. [device-hwping-administrator-ftp] timeout 30 # Configure the source IP address [device-hwping-administrator-ftp] source-ip 10.1.1.1 # Start the test. [device-hwping-administrator-ftp] test-enable # Display test results [device-hwping-administrator-ftp] dis[...]

  • Page 633

    1-22 HTTP Test Network requirements As shown in Figure 1-5, Switch serves as the HWPing client, and a PC serves as the HTTP server. Perform a HWPing HTTP test between Switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established. Figure 1-5[...]

  • Page 634

    1-23 SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Http result: DNS Resolve Time: 0 HTTP Operation Time: 675 DNS Resolve Min Time: 0 HT[...]

  • Page 635

    1-24 Network diagram Figure 1-6 Network diagram for the Jitter test (figure labels: Switch A, HWPing Client, 10.1.1.1/8, IP network, Switch B, HWPing Server, 10.2.2.2/8) Configuration procedure • Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on. <device> system-view [device] [...]

  • Page 636

    1-25 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Jitter result: RTT Number:100 Min Positive SD:1 Min Positive DS:1 Max Positive SD:6 Max Positive DS:8 Positive SD Number:38 [...]

  • Page 637

    1-26 Network diagram Figure 1-7 Network diagram for the SNMP test (figure labels: Switch A, HWPing Client, 10.1.1.1/8, IP network, Switch B, SNMP Agent, 10.2.2.2/8) Configuration procedure • Configure SNMP Agent (Switch B): # Start SNMP agent and set SNMP version to V2C, read-only community name to "public", and read-write community name [...]

  • Page 638

    1-27 [device-hwping-administrator-snmp] test-enable # Display test results [device-hwping-administrator-snmp] display hwping results administrator snmp HWPing entry(admin administrator, tag snmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 9/11/10 Square-Sum of Ro[...]

  • Page 639

    1-28 Configuration procedure • Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on. <device> system-view [device] hwping-server enable [device] hwping-server tcpconnect 10.2.2.2 8000 • Configure HWPing Client (Switch A): # Enable the HWPing client. <device> system-view [de[...]

  • Page 640

    1-29 Index Response Status LastRC Time 1 4 1 0 2000-04-02 08:26:02.9 2 5 1 0 2000-04-02 08:26:02.8 3 4 1 0 2000-04-02 08:26:02.8 4 5 1 0 2000-04-02 08:26:02.7 5 4 1 0 2000-04-02 08:26:02.7 6 5 1 0 2000-04-02 08:26:02.6 7 6 1 0 2000-04-02 08:26:02.6 8 7 1 0 2000-04-02 08:26:02.5 9 5 1 0 2000-04-02 08:26:02.5 10 7 1 0 2000-04-02 08:26:02.4 For detail[...]

  • Page 641

    1-30 [device-hwping-administrator-udpprivate] destination-ip 10.2.2.2 # Configure the destination port on the HWPing server. [device-hwping-administrator-udpprivate] destination-port 8000 # Configure to make 10 probes per test. [device-hwping-administrator-udpprivate] count 10 # Set the probe timeout time to 5 seconds. [device-hwping-administrato[...]

  • Page 642

    1-31 Network diagram Figure 1-10 Network diagram for the DNS test (figure labels: Switch, HWPing Client, 10.1.1.1/8, IP network, DNS Server, 10.2.2.2/8) Configuration procedure • Configure DNS Server: Use Windows 2003 Server as the DNS server. For DNS server configuration, refer to the related instruction on Windows 2003 Server configuration. • C[...]

  • Page 643

    1-32 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Dns result: DNS Resolve Current Time: 10 DNS Resolve Min Time: 6 DNS Resolve Times: 10 DNS Resolve Max Time: 10 DNS Resolve Timeout Times: 0 DNS Resolve Failed Times: 0 [device-hwping-administrator-dns] disp[...]

  • Page 644

    i Table of Contents 1 DNS Configuration 1-1 DNS Overview [...]

  • Page 645

    1-1 1 DNS Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. • This chapter covers only IPv4 DNS configuration. For de[...]

  • Page 646

    1-2 Figure 1-1 Dynamic domain name resolution (figure labels: User program, DNS client comprising Resolver and Cache, DNS server; arrows Request, Response, Save, Read) Figure 1-1 shows the relationship between user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client run on the same devi[...]

  • Page 647

    1-3 To do… Use the command… Remarks Enter system view system-view — Configure a mapping between a host name and an IP address ip host hostname ip-address Required No IP address is assigned to a host name by default. The IP address you assign to a host name last time will overwrite the previous one if there is any. You may create up to 50 [...]

  • Page 648

    1-4 Figure 1-2 Network diagram for static DNS configuration (figure labels: Switch 10.1.1.1/24, Host host.com 10.1.1.2/24) Configuration procedure # Configure a mapping between host name host.com and IP address 10.1.1.2. <device> system-view [device] ip host host.com 10.1.1.2 # Execute the ping host.com command to verify that the devi[...]

  • Page 649

    1-5 Configuration procedure Before doing the following configuration, make sure that: • The routes between the DNS server, Switch, and Host are reachable. • Necessary configurations are done on the devices. For the IP addresses of the interfaces, see the figure above. • There is a mapping between domain name host and IP address 3.1.1.1/16 on th[...]

  • Page 650

    1-6 Displaying and Maintaining DNS To do… Use the command… Remarks Display static DNS database display ip host Display the DNS server information display dns server [ dynamic ] Display the DNS suffixes display dns domain [ dynamic ] Display the information in the dynamic domain name cache display dns dynamic-host Available in any view Displ[...]

  • Page 651

    i Table of Contents 1 Smart Link Configuration 1-1 Smart Link Overview [...]

  • Page 652

    1-1 1 Smart Link Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Smart Link Overview As shown in [...]

  • Page 653

    1-2 Master port The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure GigabitEthernet 1/0/1 of switch A in Figure 1-1 as the master port through the command line. Slave port The slave port can be either an Ethernet port or a manually-configured or static LACP ag[...]

  • Page 654

    1-3 Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operating mechanism (figure labels: Switch A, Switch B, Switch C, Switch D, Switch E, BLOCK, ports GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/11, GE1/0/12) As shown in Figure 1-2, GigabitEthernet 1/0/1 on Switch A is active and GigabitEthern[...]

  • Page 655

    1-4 Task Remarks Create a Smart Link group Add member ports to the Smart Link group Configuring a Smart Link Device Enable the function of sending flush messages in the specified control VLAN Required Configuring Associated Devices Enable the function of processing flush messages received from the specified control VLAN Required Configuring a Smar[...]

  • Page 656

    1-5 To do… Use the command… Remarks Enable the function of sending flush messages in the specified control VLAN flush enable control-vlan vlan-id Optional By default, no control VLAN for sending flush messages is specified. Configuring Associated Devices An associated device mentioned in this document refers to a device that supports Smar[...]

  • Page 657

    1-6 • When you copy a port, the Smart Link/Monitor Link group member information configured on the port will not be copied to other ports. • If a single port is specified as a member of a Smart Link/Monitor Link group, you cannot execute the lacp enable command on this port or add this port into other dynamic link aggregation groups, because [...]

  • Page 658

    1-7 Figure 1-3 Network diagram for Smart Link configuration (figure labels: Switch A, Switch C, Switch D, Switch E, Server, PC, ports GE1/0/1, GE1/0/2, GE1/0/3) Configuration procedure 1) Configure a Smart Link group on Switch A and configure member ports for it. Enable the function of sending flush messag[...]

  • Page 659

    1-8 # Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1/0/2. <SwitchC> smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2 3) Enable the function of processing flush messages received from VLAN 1 on Switch D. # Enter system view. <SwitchD> system-view # Enable the function of pr[...]

  • Page 660

    2-1 2 Monitor Link Configuration Introduction to Monitor Link Monitor Link is a collaboration scheme introduced to complement Smart Link. It is used to monitor uplinks and to perfect the backup function of Smart Link. A Monitor Link consists of an uplink port and one or multiple downlink ports. When the link for the uplink port of a Moni[...]

  • Page 661

    2-2 How Monitor Link Works Figure 2-2 Network diagram for a Monitor Link group implementation (figure labels: Switch A, Switch B, Switch C, Switch D, Switch E, BLOCK, ports GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/11, GE1/0/12) As shown in Figure 2-2, the devices Switch C and Switch D are connected to the uplink dev[...]

  • Page 662

    2-3 Configuring Monitor Link Before configuring a Monitor Link group, you must create a Monitor Link group and configure member ports for it. A Monitor Link group consists of an uplink port and one or multiple downlink ports. The uplink port can be a manually-configured or static LACP link aggregation group, an Ethernet port, or a Smart Li[...]

  • Page 663

    2-4 To do… Use the command… Remarks Configure the specified link aggregation group as the uplink port of the Monitor Link group link-aggregation group group-id uplink Configure the specified Smart Link group as the uplink port of the Monitor Link group smart-link group group-id uplink Monitor Link group view port interface-type interface-number[...]

  • Page 664

    2-5 • A Smart Link/Monitor Link group with members cannot be deleted. A Smart Link group as a Monitor Link group member cannot be deleted. • The Smart Link/Monitor Link function and the remote port mirroring function are incompatible with each other. • If a single port is specified as a Smart Link/Monitor Link group member, do not use the lac[...]

  • Page 665

    2-6 Figure 2-3 Network diagram for Monitor Link configuration (figure labels: Switch A, Switch B, Switch C, Switch D, Switch E, Server, PC 1, PC 2, PC 3, PC 4, BLOCK, ports GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/10, GE1/0/11) Configuration procedure 1) Enable Smart Link on Switch A and Switc[...]

  • Page 666

    2-7 2) Enable Monitor Link on Switch C and Switch D and enable the function of processing flush messages received from VLAN 1. Perform the following configuration on Switch C. The operation procedure on Switch D is the same as that performed on Switch C. # Enter system view. <SwitchC> system-view # Create Monitor Link group 1 and enter[...]

  • Page 667

    i Table of Contents 1 PoE Configuration 1-1 PoE Overview [...]

  • Page 668

    1-1 1 PoE Configuration When configuring PoE, go to these sections for information you are interested in: • PoE Overview • PoE Configuration • PoE Configuration Example The terms switching engine and Ethernet switch used throughout this documentation refer to a switching device in a generic sense or the switching engine of a unified switch [...]

  • Page 669

    1-2 PoE Features Supported by the Device Table 1-1 Power supply parameters of PoE device Device Input power supply Number of electrical ports supplying power Maximum PoE distance Maximum power provided by each electrical port Total Maximum PoE output power DC input 600 W WX3024 AC input 24 100 m (328.08 ft.) 25 W 370 W WX3010 DC input 8 100 m (32[...]

  • Page 670

    1-3 Task Remarks Enabling the PoE Feature on a Port Required Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compatibility Detection Function Optional Upgrading the PSE Processing Software Online Optional Displaying and Mai[...]

  • Page 671

    1-4 Setting PoE Management Mode and PoE Priority of a Port When the device is close to its full load in supplying power, you can adjust the power supply of the device through the cooperation of the PoE management mode and the port PoE priority settings. The device supports two PoE management modes, auto and manual. The auto mode is adopted[...]

  • Page 672

    1-5 To do… Use the command… Remarks Set the PoE mode on the port to signal poe mode signal Optional signal by default. Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the device can detect the PDs that do not conform to the 802.3af standard and supply power to them. After the Po[...]

  • Page 673

    1-6 • In the case that the PSE processing software is damaged (that is, no PoE command can be executed successfully), use the full update mode to upgrade and thus restore the software. • The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software, while the full update mode is to delete the [...]

  • Page 674

    1-7 Figure 1-1 Network diagram for PoE (figure labels: Switch A, Switch B, Network, AP, AP, ports GE1/0/1, GE1/0/2, GE1/0/8) Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on GigabitEthernet 1/0/1, and set the PoE maximum output power of Gigabi[...]

  • Page 675

    2-1 2 PoE Profile Configuration Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the device, the device provides the PoE profile features. A PoE profile is a set of PoE configurations, including multiple PoE features. Features of PoE profile: • [...]

  • Page 676

    2-2 To do… Use the command… Remarks In system view apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] Enter Ethernet port view interface interface-type interface-number Apply the existing PoE profile to the specified Ethernet port In Ethernet port view Apply the existing PoE profile[...]

  • Page 677

    2-3 PoE Profile Configuration Example PoE Profile Application Example Network requirements As shown in Figure 2-1, Switch A supports PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: • The PoE function can be enabled on all ports in use. • Signal mode is used[...]

  • Page 678

    2-4 [SwitchA-poe-profile-Profile1] poe enable [SwitchA-poe-profile-Profile1] poe mode signal [SwitchA-poe-profile-Profile1] poe priority critical [SwitchA-poe-profile-Profile1] poe max-power 3000 [SwitchA-poe-profile-Profile1] quit # Display detailed configuration information for Profile1. [SwitchA] display poe-profile name Profile1 Poe-profile:[...]

  • Page 679

    i Table of Contents 1 IP Routing Protocol Overview 1-1 Introduction to IP Route and Routing Table [...]

  • Page 680

    ii Filters 4-1 IP Route Policy Configuration Task List [...]

  • Page 681

    1-1 1 IP Routing Protocol Overview Go to these sections for information you are interested in: • Introduction to IP Route and Routing Table • Routing Protocol Overview • Displaying and Maintaining a Routing Table The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol. Intro[...]

  • Page 682

    1-2 host or router resides. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the destination host or router resides is 129.102.0.0. A mask consists of some consecutive 1s, represented either in dotted decimal notation or by the number of the consecutive 1s in the mas[...]

  • Page 683

    1-3 Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires less system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically, so you must perform routing configuration again whenever the ne[...]

  • Page 684

    1-4 each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their default route Routing approach [...]

  • Page 685

    1-5 routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism. Displaying and Maintaining a Routing Table To do… Use the command… Remarks Display brief information about a routing table display ip routing-table [ | { begin | exclude | include } regula[...]

  • Page 686

    2-1 2 Static Route Configuration When configuring a static route, go to these sections for information you are interested in: • Introduction to Static Route • Static Route Configuration • Displaying and Maintaining Static Routes • Static Route Configuration Example • Troubleshooting a Static Route The term router in this chapter refers to a rout[...]

  • Page 687

    2-2 Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, • If there is a default route in the routing table, the default route will be selected to forward the packet. • If there is no default route, the packet will be discarded[...]

  • Page 688

    2-3 Displaying and Maintaining Static Routes To do... Use the command... Remarks Display the current configuration information display current-configuration Display the brief information of a routing table display ip routing-table Display the detailed information of a routing table display ip routing-table verbose Display the information of static [...]

  • Page 689

    2-4 Configuration procedure When only one interface of the device is interc onnected with another network se gment, you can implement network communication by configuri ng either a static route or default route. 1) Perform the following conf igurations on the device. # Approach 1: Configure static routes on Switch A. <SwitchA> system-view [Sw[...]


3 RIP Configuration

When configuring RIP, go to these sections for the information you are interested in:
• RIP Overview
• RIP Configuration Task List
• RIP Configuration Example
• Troubleshooting RIP Configuration

The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol.

RIP O[...]


• Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination.
• Metric: Cost from the local router to the destination.
• Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.

RIP timers

As defined in RFC 105[...]


RIP Configuration Task List

Complete the following tasks to configure RIP:

Task | Remarks
Configuring Basic RIP Functions:
  Enabling RIP on the interfaces attached to a specified network segment | Required
  Setting the RIP operating status on an interface | Optional
  Specifying the RIP version on an interface | Optional
  Setting the additional routing met[...]


• Related RIP commands configured in interface view can take effect only after RIP is enabled.
• RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface; that is, it neither receives/sends routes on the interface nor forwards any interface route. T[...]


• Set the preference of RIP to change the preference order of routing protocols. This order matters when more than one route to the same destination is discovered by multiple routing protocols.
• Redistribute external routes in an environment with multiple routing protocols.

Configuration Prerequisites

Before configuring RIP route[...]


Follow these steps to configure RIP route summarization:

To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | rip | —
Enable RIP-2 automatic route summarization | summary | Required; enabled by default

Disabling the router from receiving host routes

In some special cases, the router can receive a lot of host rou[...]


• The filter-policy import command filters the RIP routes received from neighbors; the routes filtered out are neither added to the routing table nor advertised to any neighbor.
• The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and[...]


Configuration Prerequisites

Before adjusting RIP, perform the following tasks:
• Configure the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer
• Configure basic RIP functions

Configuration Tasks

Configuring RIP timers

Follow these steps to configure RIP timers:

To do... | Use [...]


To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | rip | —
Enable the check of the must-be-zero fields in RIP-1 packets | checkzero | Required; enabled by default

Some fields in a RIP-1 packet must be 0, and they are known as must-be-zero fields. For RIP-1, the must-be-zero fields are checked for incoming packets, a[...]
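What the checkzero setting actually enforces, as an added Python parser for the RIP-1 datagram layout of RFC 1058 (4-byte header, then 20-byte entries whose second, fourth and fifth words must be zero). This is example code written for this page, not the device's implementation. The sample datagrams are constructed inline; build_rip1_response exists only to craft them, and RipParseError, parse_rip1 and accepted are names chosen here.

```python
import socket
import struct
from dataclasses import dataclass

RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4sIII")    # family, mbz, address, mbz, mbz, metric
RIP_MAX_ENTRIES = 25
RIP_INFINITY = 16
AF_INET = 2


class RipParseError(ValueError):
    pass


@dataclass(frozen=True)
class RipEntry:
    address: str
    metric: int


def parse_rip1(packet: bytes, checkzero: bool = True):
    """Parse a RIP-1 datagram into (command, [RipEntry]).

    With checkzero enabled (the device default) any must-be-zero field that is
    non-zero causes the whole datagram to be rejected, as RFC 1058 requires.
    With checkzero disabled those fields are ignored, so a RIP-2 style payload
    (mask, route tag, next hop) carrying a version byte of 1 is accepted.
    """
    if len(packet) < RIP_HEADER.size:
        raise RipParseError("truncated header")
    command, version, header_mbz = RIP_HEADER.unpack_from(packet, 0)
    if version != 1:
        raise RipParseError(f"version {version} is not RIP-1")
    if command not in (1, 2):  # 1 = request, 2 = response
        raise RipParseError(f"unknown command {command}")
    if checkzero and header_mbz != 0:
        raise RipParseError("must-be-zero field set in header")
    body = packet[RIP_HEADER.size:]
    count, rem = divmod(len(body), RIP_ENTRY.size)
    if rem or count == 0 or count > RIP_MAX_ENTRIES:
        raise RipParseError(f"bad entry count for {len(body)} body bytes")
    entries = []
    for i in range(count):
        family, mbz1, addr, mbz2, mbz3, metric = RIP_ENTRY.unpack_from(body, i * RIP_ENTRY.size)
        if checkzero and (mbz1 or mbz2 or mbz3):
            raise RipParseError(f"must-be-zero field set in entry {i}")
        # A request with one entry, family 0 and metric 16 asks for the whole table.
        whole_table_request = command == 1 and count == 1 and family == 0 and metric == RIP_INFINITY
        if family != AF_INET and not whole_table_request:
            raise RipParseError(f"unsupported address family {family} in entry {i}")
        if not 1 <= metric <= RIP_INFINITY:
            raise RipParseError(f"metric {metric} out of range in entry {i}")
        entries.append(RipEntry(socket.inet_ntoa(addr), metric))
    return command, entries


def accepted(packet: bytes, checkzero: bool = True) -> bool:
    """True if parse_rip1 accepts the datagram under the given checkzero setting."""
    try:
        parse_rip1(packet, checkzero)
        return True
    except RipParseError:
        return False


def build_rip1_response(routes, mbz=(0, 0, 0)):
    """Build a RIP-1 response for (address, metric) pairs; mbz sets the three
    per-entry must-be-zero fields so a test can craft a malformed datagram."""
    mbz1, mbz2, mbz3 = mbz
    body = b"".join(
        RIP_ENTRY.pack(AF_INET, mbz1, socket.inet_aton(addr), mbz2, mbz3, metric)
        for addr, metric in routes
    )
    return RIP_HEADER.pack(2, 1, 0) + body


# Constructed sample datagrams (not captures from the manual).
CLEAN = build_rip1_response([("192.168.1.0", 1), ("10.0.0.0", 2)])
# Same route, but the slot where RIP-2 carries the subnet mask is filled in.
TAMPERED = build_rip1_response([("192.168.1.0", 1)], mbz=(0, 0xFFFFFF00, 0))
WHOLE_TABLE_REQUEST = RIP_HEADER.pack(1, 1, 0) + RIP_ENTRY.pack(0, 0, b"\x00" * 4, 0, 0, RIP_INFINITY)
```

The practical consequence: with checkzero left at its default, a neighbour that emits RIP-2 fields in version-1 datagrams (a misconfigured router or a crafted update) is dropped in full rather than partially interpreted, and the rejection is the signal to investigate that neighbour.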


To do... | Use the command... | Remarks
Configure RIP to unicast RIP packets | peer ip-address | Required. When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to unicast RIP packets.

Displaying and Maintaining RIP Configuration

To do... | Use the command... | Remarks
Display the current RIP running status and con[...]


Configuration procedure

Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly.

1) Configure Switch A:

# Configure RIP.
<SwitchA> system-view
[SwitchA] rip
[SwitchA-rip] network 110.11.[...]


4 IP Route Policy Configuration

When configuring an IP route policy, go to these sections for the information you are interested in:
• IP Route Policy Overview
• IP Route Policy Configuration Task List
• Displaying and Maintaining IP Route Policy
• IP Route Policy Configuration Example
• Troubleshooting IP Route Policy

The term router in this c[...]


For ACL configuration, refer to the part discussing ACL.

Route policy

A route policy matches given routing information against some attributes and, if the conditions are satisfied, sets attributes of that information. A route policy can comprise multiple nodes. Each node is a unit for the matching test, and the nodes will be match[...]


• Match conditions
• Route attributes to be changed

Defining a Route Policy

Follow these steps to define a route policy:

To do... | Use the command... | Remarks
Enter system view | system-view | —
Define a route policy and enter route policy view | route-policy route-policy-name { permit | deny } node node-number | Required; not defined by defau[...]


To do... | Use the command... | Remarks
Define a rule to match the next-hop address of routing information | if-match ip next-hop acl acl-number | Optional. By default, no matching is performed on the next-hop address of routing information.
Apply a cost to routes satisfying the matching rules | apply cost value | Optional. By default, no cost is applied to rout[...]


Figure 4-1 Network diagram

Device | Interface | IP address
Switch A | Vlan-int 2 | 2.2.2.1/8
Switch A | Vlan-int 3 | 3.3.3.254/8
Switch A | Vlan-int 10 | 1.1.1.254/8
Switch B | Vlan-int 3 | 3.3.3.253/8
Switch B | Vlan-int 6 | 6.6.6.5/8
Switch B | Vlan-int 10 | 1.1.1.253/8
Switch C | Vlan-int 1 | 192.168.0.39/24
Switch C | Vlan-int 2 | 2.2.2.2/8
Switch C | Vlan-int 6 | 6.6.6.6/8
OA Server | | 1.1.1.1/32
Service Server | | 3.3.3.3/32
Host | | 192.168[...]


[SwitchA-rip] network 2.0.0.0
[SwitchA-rip] network 3.0.0.0

2) Configure Switch B.

# Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted.
# Configure RIP.
<SwitchB> system-view
[SwitchB] rip
[SwitchB-rip] network 1.0.0.0
[SwitchB-rip] network 3.0.0.0
[SwitchB-rip] network 6.0.0.0

3) [...]


# Create node 40 with the matching mode permit in the route policy. Define if-match clauses. Apply the cost 5 to routes matching the outgoing interface VLAN-interface 6 and ACL 2001.
[SwitchC] route-policy in permit node 40
[SwitchC-route-policy] if-match interface Vlan-interface6
[SwitchC-route-policy] if-match acl 2001
[SwitchC-rou[...]


Precautions

1) When you configure the apply cost command in a route policy:
• The new cost should be greater than the original one, to prevent RIP from generating a routing loop when a loop exists in the topology.
• The cost will become 16 if you try to set it to a value greater than 16.
• The cost will become the original one if you[...]
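The route-policy semantics used by the Switch C example and the precautions above (nodes tried in node-number order, every if-match clause of a node having to hold, apply cost capped at 16, a new cost that is not greater than the original flagged as a loop risk), together with the ACL-based filter-policy import/export behaviour from the RIP chapter, as one added Python model. It is example code written for this page, not the device's implementation. The contents of ACL 2001 are not visible on the page, so it is assumed here to permit 3.0.0.0/8 only; node 100 is an added catch-all; and the rule that a route matching no node is denied is an assumption about the default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RIP_INFINITY = 16


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    cost: int


@dataclass
class BasicAcl:
    """Basic ACL: ordered (action, network) rules, first hit wins; a prefix
    matching no rule is treated as denied (assumed default)."""
    number: int
    rules: List[Tuple[str, ipaddress.IPv4Network]]

    def permits(self, prefix: ipaddress.IPv4Network) -> bool:
        for action, network in self.rules:
            if prefix.network_address in network:
                return action == "permit"
        return False


@dataclass
class Node:
    number: int
    action: str                             # "permit" or "deny"
    match_interface: Optional[str] = None   # if-match interface
    match_acl: Optional[BasicAcl] = None    # if-match acl
    apply_cost: Optional[int] = None        # apply cost

    def matches(self, route: Route) -> bool:
        """All if-match clauses of a node must hold for the node to match."""
        if self.match_interface is not None and route.interface != self.match_interface:
            return False
        if self.match_acl is not None and not self.match_acl.permits(route.prefix):
            return False
        return True


def clamp_cost(original: int, requested: int):
    """Apply the 'apply cost' precautions: values above 16 become 16, and a new
    cost that is not greater than the original is reported as a loop risk."""
    warnings = []
    cost = min(requested, RIP_INFINITY)
    if requested > RIP_INFINITY:
        warnings.append(f"cost {requested} is above 16 and becomes 16")
    if cost <= original:
        warnings.append(f"new cost {cost} is not greater than original {original}: loop risk")
    return cost, warnings


def run_route_policy(nodes: List[Node], route: Route):
    """Return (route after the policy, or None if denied; warnings). Nodes are
    tried in ascending number order and the first matching node decides."""
    for node in sorted(nodes, key=lambda n: n.number):
        if not node.matches(route):
            continue
        if node.action == "deny":
            return None, []
        cost, warnings = route.cost, []
        if node.apply_cost is not None:
            cost, warnings = clamp_cost(route.cost, node.apply_cost)
        return Route(route.prefix, route.interface, cost), warnings
    return None, []  # assumption: a route that matches no node is denied


def filter_policy(acl: BasicAcl, routes: List[Route]) -> List[Route]:
    """filter-policy import/export with an ACL: keep only routes the ACL permits."""
    return [r for r in routes if acl.permits(r.prefix)]


def rt(prefix, interface, cost):
    return Route(ipaddress.IPv4Network(prefix), interface, cost)


# Constructed configuration mirroring the chapter's Switch C example.
ACL_2001 = BasicAcl(2001, [("permit", ipaddress.IPv4Network("3.0.0.0/8"))])
POLICY_IN = [
    Node(40, "permit", match_interface="Vlan-interface6", match_acl=ACL_2001, apply_cost=5),
    Node(100, "permit"),   # added catch-all so unmatched routes pass unchanged
]
```

Checking a policy this way before applying it on the device makes the two precautions visible: clamp_cost reports a requested value above 16 (it silently becomes the RIP infinity metric, i.e. the route becomes unreachable) and a value that does not raise the cost, which is exactly the case in which a topology loop would not be broken.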


Table of Contents

1 UDP Helper Configuration ..... 1-1
    Introduction to UDP Helper ..... [...]


1 UDP Helper Configuration

When configuring UDP Helper, go to these sections for the information you are interested in:
• Introduction to UDP Helper
• Configuring UDP Helper
• Displaying and Maintaining UDP Helper
• UDP Helper Configuration Example

Introduction to UDP Helper

Sometimes, a host needs to forward broadcasts to obtain network config[...]


Protocol | UDP port number
Time Service | 37

Configuring UDP Helper

Follow these steps to configure UDP Helper:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable UDP Helper | udp-helper enable | Required; disabled by default.
Specify a UDP port number | udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs [...]
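The relay decision a UDP Helper makes for each received broadcast, as an added Python model: only with the helper enabled, only for UDP datagrams addressed to the limited broadcast address or the receiving interface's directed broadcast address, only for ports that were configured, and only while the TTL allows another hop; the copy sent to each configured server has its destination rewritten, its TTL decremented and its IP checksum recomputed. This is example code written for this page, not the device's implementation. The keywords dns, netbios-ds, netbios-ns and tacacs come from the command syntax above and Time Service = 37 from the table; the port numbers behind the keywords, the tftp keyword, the UdpHelper configuration object and the sample datagram are assumptions made here.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass, field

# Keyword -> port for "udp-helper port". The page names the keywords and gives
# Time Service = 37; the remaining numbers and the tftp keyword are assumed.
PORT_KEYWORDS = {"dns": 53, "netbios-ds": 138, "netbios-ns": 137,
                 "tacacs": 49, "time": 37, "tftp": 69}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
IPPROTO_UDP = 17
IP_HEADER = struct.Struct("!BBHHHBBH4s4s")   # minimal IPv4 header, 20 bytes
UDP_HEADER = struct.Struct("!HHHH")           # sport, dport, length, checksum


@dataclass
class UdpHelper:
    enabled: bool = False                         # udp-helper enable
    ports: set = field(default_factory=set)       # udp-helper port ...
    servers: dict = field(default_factory=dict)   # vlan-interface -> [server ip]

    def add_port(self, port):
        self.ports.add(PORT_KEYWORDS[port] if isinstance(port, str) else int(port))


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum; 0 for a header whose checksum field is already right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_udp_datagram(src, dst, sport, dport, payload, ttl=64):
    """Constructed IPv4/UDP datagram used as sample input."""
    udp = UDP_HEADER.pack(sport, dport, UDP_HEADER.size + len(payload), 0) + payload
    hdr = bytearray(IP_HEADER.pack(0x45, 0, IP_HEADER.size + len(udp), 1, 0, ttl, IPPROTO_UDP,
                                   0, socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + udp


def relay(helper, vlan_if, if_network, packet):
    """Return the (server, unicast datagram) pairs UDP Helper would send for a
    broadcast received on vlan_if, whose subnet is if_network; [] if not relayed."""
    if not helper.enabled or len(packet) < IP_HEADER.size + UDP_HEADER.size:
        return []
    ver_ihl, _, _, _, _, ttl, proto, _, _, dst = IP_HEADER.unpack_from(packet, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_UDP or ttl <= 1 or len(packet) < ihl + UDP_HEADER.size:
        return []
    if ipaddress.IPv4Address(dst) not in (LIMITED_BROADCAST, if_network.broadcast_address):
        return []
    _, dport, _, _ = UDP_HEADER.unpack_from(packet, ihl)
    if dport not in helper.ports:
        return []
    relayed = []
    for server in helper.servers.get(vlan_if, []):
        hdr = bytearray(packet[:ihl])
        hdr[8] = ttl - 1                          # one hop consumed
        hdr[16:20] = socket.inet_aton(server)     # broadcast becomes unicast to the server
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
        udp = bytearray(packet[ihl:])
        struct.pack_into("!H", udp, 6, 0)         # old UDP checksum covered the old dst; 0 = none
        relayed.append((server, bytes(hdr) + bytes(udp)))
    return relayed


# Constructed configuration: DNS and Time broadcasts arriving on
# Vlan-interface1 (10.110.1.0/24) are relayed to one server.
HELPER = UdpHelper(enabled=True, servers={"Vlan-interface1": ["10.2.1.1"]})
HELPER.add_port("dns")
HELPER.add_port(37)
VLAN1_NET = ipaddress.IPv4Network("10.110.1.0/24")
```

The port list is the control that matters operationally: every port added with udp-helper port turns a broadcast that would have died on the local segment into unicast traffic towards the configured servers, so add only the services those servers are meant to receive, and rely on the TTL check to stop a relayed packet from being relayed again by a neighbouring helper.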


Displaying and Maintaining UDP Helper

To do… | Use the command… | Remarks
Display the UDP broadcast relay forwarding information of a specified VLAN interface on the device | display udp-helper server [ interface vlan-interface vlan-id ] | Available in any view
Clear statistics about packets forwarded by UDP Helper | reset udp-helper packet | Availab[...]


Table of Contents

Appendix A Acronyms ..... A-1[...]


Appendix A Acronyms

A
AAA | Authentication, Authorization and Accounting
ABR | Area Border Router
ACL | Access Control List
ARP | Address Resolution Protocol
AS | Autonomous System
ASBR | Autonomous System Border Router

B
BDR | Backup Designated Router

C
CAR | Committed Access Rate
CLI | Command Line Interface
CoS | Class of Service

D
DDM | Distributed Device Manage[...]


L
LSA | Link State Advertisement
LSDB | Link State DataBase

M
MAC | Medium Access Control
MIB | Management Information Base

N
NBMA | Non Broadcast MultiAccess
NIC | Network Information Center
NMS | Network Management System
NVRAM | Nonvolatile RAM

P
PIM | Protocol Independent Multicast
PIM-DM | Protocol Independent Multicast-Dense Mode
PIM-SM | Protocol Indepen[...]