3Com 5500G user manual


A good user manual

The rules oblige the seller to provide the buyer, together with the goods, with the 3Com 5500G user manual. A missing manual, or incorrect information supplied to the consumer, is grounds for a complaint that the device does not conform to the contract. By law, the manual may be supplied in a form other than paper, which has become common recently, including a graphic or electronic form of the 3Com 5500G manual or instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to organize. The 3Com 5500G user manual thus describes the steps of a procedure. The purpose of a user manual is to instruct and to make it easier to start up and use the equipment or to carry out specific actions. The user manual is a collection of information about the object or service, a pointer.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you discover a number of additional features of the purchased device but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the 3Com 5500G user manual should contain:
- information on the technical characteristics of the 3Com 5500G device
- the manufacturer's name and the year of manufacture of the 3Com 5500G
- instructions for using, adjusting and maintaining the 3Com 5500G equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and to certainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting the 3Com 5500G is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (even the products that should be used), possible faults of the 3Com 5500G, and ways of solving common problems during use. Finally, the manual contains the contact details of 3Com service in case the proposed solutions do not work. User manuals in the form of engaging animations and instructional videos, which are better than a brochure, are currently very popular. This type of manual lets the user watch the whole instructional video without skipping the complicated specifications and technical descriptions of the 3Com 5500G, as happens with the paper version.

Why read the user manual?

First of all, it answers questions about the structure and capabilities of the 3Com 5500G device and the use of various accessories, and provides a range of information for taking full advantage of all its features and conveniences.

After a successful purchase of the equipment or device, take a moment to familiarize yourself with every part of the 3Com 5500G user manual. Nowadays manuals are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of providing information and help.

Table of contents of the user manual

  • Page 1

    3Com® Stackable Switch Family Advanced Configuration Guide 3Com Switch 5500 3Com Switch 5500G 3Com Switch 4500 3Com Switch 4200G 3Com Switch 4210 www.3Com.com Part Number: 10016492 Rev. AB Published: February 2008[...]

  • Page 2

    3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2006-2008, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporatio[...]

  • Page 3

    CONTENTS ABOUT THIS GUIDE Conventions 9 Related Documentation 9 Products Supported by this Document 10 1 LOGIN CONFIGURATION GUIDE Logging In from the Console Port 13 Logging In Through Telnet 15 Configuring Login Access Control 18 2 VLAN CONFIGURATION GUIDE Configuring Port-Based VLAN 21 Configuring Protocol-Based VLAN 23 3 IP AD[...]

  • Page 4

    4 3COM STACKABLE SWITCHES ADVANCED CONFIGURATION GUIDE 9 PORT SECURITY CONFIGURATION GUIDE Configuring Port Security autolearn Mode 47 Configuring Port Security mac-authentication Mode 48 Configuring Port Security userlogin-withoui Mode 51 Configuring Port Security mac-else-userlogin-secure-ext Mode 55 10 PORT BINDING CONFIGURATI[...]

  • Page 5

    Contents 5 Configuring Anycast RP Application 159 17 802.1X CONFIGURATION GUIDE Configuring 802.1x Access Control 165 18 AAA CONFIGURATION GUIDE Configuring RADIUS Authentication for Telnet Users 169 Configuring Dynamic VLAN Assignment with RADIUS Authentication 171 Configuring Local Authentication for Telnet Users 173 Configuring HWTAC[...]

  • Page 6

    6 3COM STACKABLE SWITCHES ADVANCED CONFIGURATION GUIDE 25 MIRRORING CONFIGURATION GUIDE Local Port Mirroring Configuration 229 Remote Port Mirroring Configuration 231 Traffic Mirroring Configuration 236 26 XRN CONFIGURATION GUIDE XRN Fabric Configuration 239 27 CLUSTER CONFIGURATION GUIDE Cluster Configuration 247 Network Mana[...]

  • Page 7

    Contents 7 Configuring a Switch as FTP Client 307 Configuring a Switch as TFTP Client 309 34 INFORMATION CENTER CONFIGURATION GUIDE Outputting Log Information to a Unix Log Host 311 Outputting Log Information to a Linux Log Host 313 Outputting Log and Trap Information to a Log Host Through the Same Channel 314 Outputting Log Information [...]

  • Page 8

    8 3COM STACKABLE SWITCHES ADVANCED CONFIGURATION GUIDE[...]

  • Page 9

    ABOUT THIS GUIDE Provides advanced configuration examples for the 3Com stackable switches, which includes the following: ■ 3Com Switch 5500 ■ 3Com Switch 5500G ■ 3Com Switch 4500 ■ 3Com Switch 4200G ■ 3Com Switch 4210 This guide is intended for Qualified Service personnel who are responsible for configuring, using, and managi[...]

  • Page 10

    10 ABOUT THIS GUIDE ■ 3Com Switch Family Configuration Guides — Describe how to configure your Stackable Switch using the supported protocols and CLI commands. ■ 3Com Switch Family Quick Reference Guides — Provide a summary of command line interface (CLI) commands that are required for you to manage your Stackable Switch. ■ 3Com S[...]

  • Page 11

    Products Supported by this Document 11[...]

  • Page 12

    12 ABOUT THIS GUIDE[...]

  • Page 13

    1 LOGIN CONFIGURATION GUIDE Note: Unless otherwise specified, all the switches used in the following configuration examples and configuration procedures are Switch 5500 (release V03.02.04). Logging In from the Console Port You can log in locally from the console port to configure and maintain your switch, including configuring other login mod[...]

  • Page 14

    14 CHAPTER 1: LOGIN CONFIGURATION GUIDE # Set the history command buffer size to 20 for VTY 0. [3Com-ui-vty0] history-command max-size 20 # Set the idle-timeout time of VTY 0 to 6 minutes. [3Com-ui-vty0] idle-timeout 6 ■ Configure an authentication mode for Telnet login The following three authentication modes are available for Telnet log[...]

  • Page 15

    Logging In Through Telnet 15 Complete Configuration ■ Telnet login configuration with the authentication mode being none user-interface vty 0 authentication-mode none user privilege level 2 history-command max-size 20 idle-timeout 6 0 screen-length 30 protocol inbound telnet ■ Telnet login configuration with the authentication mode being pa[...]

  • Page 16

    16 CHAPTER 1: LOGIN CONFIGURATION GUIDE Network Diagram Figure 2 Telneting to the switch to configure console login Networking and Configuration Requirements As shown in Figure 2, telnet to the switch to configure console login. The current user level is manage level (level 3). Applicable Products Configuration Procedure ■ Common configur[...]

  • Page 17

    Logging In Through Telnet 17 The following three authentication modes are available for console login: none, password, and scheme. The configuration procedures for the three authentication modes are described below: 1 Configure not to authenticate console login users. [3Com] user-interface aux 0 [3Com-ui-aux0] authentication-mode none 2 Configure[...]

  • Page 18

    18 CHAPTER 1: LOGIN CONFIGURATION GUIDE ■ Console login configuration with the authentication mode being scheme # local-user guest password simple 123456 service-type terminal level 2 # user-interface aux 0 authentication-mode scheme user privilege level 2 history-command max-size 20 idle-timeout 6 0 speed 19200 screen-length 30 Precautions [...]

  • Page 19

    Configuring Login Access Control 19 [3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [3Com-acl-basic-2000] rule 3 deny source any [3Com-acl-basic-2000] quit # Reference ACL 2000 to control Telnet login by source IP address. [3Com] user-interface vty 0 4 [3Com-ui-vty0-4] acl [...]

  • Page 20

    20 CHAPTER 1: LOGIN CONFIGURATION GUIDE[...]

  • Page 21

    2 VLAN CONFIGURATION GUIDE Configuring Port-Based VLAN The VLAN technology allows you to divide a broadcast LAN into multiple distinct broadcast domains, each as a virtual work group. Port-based VLAN is the simplest approach to VLAN implementation. The idea is to assign the ports on a switch to different VLANs, confining the propagation of [...]

  • Page 22

    22 CHAPTER 2: VLAN CONFIGURATION GUIDE [SwitchA-vlan101] quit [SwitchA] vlan 201 [SwitchA-vlan201] port Ethernet 1/0/2 # Configure Ethernet 1/0/3 of Switch A to be a trunk port and to permit the packets carrying the tag of VLAN 101 or VLAN 201 to pass through. [SwitchA-vlan201] quit [SwitchA] interface Ethernet 1/0/3 [SwitchA-Ethernet1/0/3] po[...]

  • Page 23

    Configuring Protocol-Based VLAN 23 # interface Ethernet1/0/11 port access vlan 101 # interface Ethernet1/0/12 port access vlan 201 Precautions ■ After you assign the servers and the workstations to different VLANs, they cannot communicate with each other. For them to communicate, you need to configure a Layer 3 VLAN interface for each of them [...]

  • Page 24

    24 CHAPTER 2: VLAN CONFIGURATION GUIDE Configuration Procedure # Create VLAN 100 and VLAN 200; add Ethernet 1/0/11 to VLAN 100 and Ethernet 1/0/12 to VLAN 200. 1 Create VLAN 100 and add Ethernet1/0/11 to VLAN 100. [3Com] vlan 100 [3Com-vlan100] port Ethernet 1/0/11 2 Create VLAN 200 and add Ethernet 1/0/12 to VLAN 200. [3Com-vlan100] quit[...]

  • Page 25

    Configuring Protocol-Based VLAN 25 port hybrid protocol-vlan vlan 200 0 # interface Ethernet1/0/11 port access vlan 100 # interface Ethernet1/0/12 port access vlan 200 Precautions Because IP depends on ARP for address resolution in Ethernet, you are recommended to configure the IP and ARP templates in the same VLAN and associate them with the sam[...]

  • Page 26

    26 CHAPTER 2: VLAN CONFIGURATION GUIDE[...]

  • Page 27

    3 IP ADDRESS CONFIGURATION GUIDE IP Address Configuration Guide If you want to manage a remote Ethernet switch through network management or telnet, you need to configure an IP address for the remote switch and ensure that the local device and the remote switch are reachable to each other. A 32-bit IP address identifies a host on the [...]

  • Page 28

    28 CHAPTER 3: IP ADDRESS CONFIGURATION GUIDE Configuration Procedure Assign a primary and secondary IP addresses to VLAN-interface 1 of Switch to ensure that all the hosts on the LAN can access external networks through Switch. Set Switch as the gateway on all the hosts of the two network segments to ensure that they can communicate with[...]

  • Page 29

    4 VOICE VLAN CONFIGURATION GUIDE Configuring Voice VLAN In automatic mode, the switch configured with voice VLAN checks the source MAC address of each incoming packet against the voice device vendor OUI. If a match is found, the switch assigns the receiving port to the voice VLAN and tags the packet with the voice VLAN ID automatically. When [...]

  • Page 30

    30 CHAPTER 4: VOICE VLAN CONFIGURATION GUIDE ■ As the OUI address of IP phone 2 is not in the default voice device vendor OUI list of the switch, you need to add its OUI address 000f-2200-0000. In addition, configure its description as IP Phone2. Applicable Products Configuration Procedure # Create VLAN 2 and VLAN 6. <SwitchA> syste[...]

  • Page 31

    Configuring Voice VLAN 31 phone traffic arrives at Ethernet 1/0/1, the port automatically permits the voice VLAN and transmits the voice traffic with the voice VLAN tag, so that the IP phone can receive packets normally. ■ You can set Ethernet 1/0/1 as a hybrid or trunk port following the same procedure. In either case, you need to set the s[...]

  • Page 32

    32 CHAPTER 4: VOICE VLAN CONFIGURATION GUIDE Precautions ■ You cannot add a port operating in automatic mode to the voice VLAN manually. Therefore, if you configure a VLAN as a voice VLAN and a protocol VLAN at the same time, you will be unable to associate the protocol VLAN with such a port. Refer to “Configuring Protocol-Based VLAN?[...]

  • Page 33

    5 GVRP CONFIGURATION GUIDE Configuring GVRP GVRP enables a switch to propagate local VLAN registration information to other participant switches and dynamically update the VLAN registration information from other switches to its local database about active VLAN members and through which port they can be reached. GVRP ensures that all switch[...]

  • Page 34

    34 CHAPTER 5: GVRP CONFIGURATION GUIDE Configuration Procedure ■ Configure Switch A # Enable GVRP globally. <SwitchA> system-view [SwitchA] gvrp # Configure Ethernet 1/0/1 to be a trunk port and to permit the packets of all the VLANs to pass through. [SwitchA] interface Ethernet 1/0/1 [SwitchA-Ethernet1/0/1] port link-type trunk [[...]

  • Page 35

    Configuring GVRP 35 # Configure Ethernet 1/0/1 to be a trunk port and to permit the packets of all the VLANs to pass through. Enable GVRP globally and enable GVRP on the port. # The configuration on Switch C is similar to that on Switch A. Note: For simplicity, the following provides only configuration steps. For configuration commands, refer to[...]

  • Page 36

    36 CHAPTER 5: GVRP CONFIGURATION GUIDE [SwitchA] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the dynamic VLAN information on Switch B. [SwitchB] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the dynamic VLAN information on [...]

  • Page 37

    Configuring GVRP 37 # interface Ethernet1/0/3 port link-type trunk port trunk permit vlan all gvrp ■ Configuration on Switch B # gvrp # interface Ethernet1/0/1 port link-type trunk port trunk permit vlan all gvrp # interface Ethernet1/0/2 port link-type trunk port trunk permit vlan all gvrp ■ Configuration on Switch C # gvrp # vlan 5 # interf[...]

  • Page 38

    38 CHAPTER 5: GVRP CONFIGURATION GUIDE Precautions ■ The port trunk permit vlan all command is designed for GVRP only. To prevent users of unauthorized VLANs from accessing restrictive resources from a port, do not use the command when GVRP is disabled on the port. ■ Before enabling GVRP on a port, enable GVRP globally first. ■ Use[...]

  • Page 39

    6 PORT BASIC CONFIGURATION GUIDE Configuring the Basic Functions of an Ethernet Port An Ethernet port on a Switch 5500 can operate in one of the three link types: ■ Access: an access port can belong to only one VLAN and is generally used to connect to a PC. ■ Trunk: a trunk port can belong to multiple VLANs. It can receive/send packets[...]

  • Page 40

    40 CHAPTER 6: PORT BASIC CONFIGURATION GUIDE # Enter Ethernet port view of Ethernet 1/0/1. <3Com> system-view System View: return to User View with Ctrl+Z. [3Com] interface ethernet1/0/1 # Configure Ethernet 1/0/1 as a trunk port. [3Com-Ethernet1/0/1] port link-type trunk # Configure Ethernet 1/0/1 to permit the packets of VLAN 2, VL[...]

  • Page 41

    7 LINK AGGREGATION CONFIGURATION GUIDE Configuring Link Aggregation Link aggregation aggregates multiple ports into one logical link, also called an aggregation group. Link aggregation allows you to increase bandwidth by distributing incoming/outgoing traffic on the member ports in the aggregation group. In addition, it provides reliable[...]

  • Page 42

    42 CHAPTER 7: LINK AGGREGATION CONFIGURATION GUIDE Configuration Procedure Note: The example only provides the configuration on Switch A. Perform the same configuration on Switch B to implement link aggregation. 1 In manual aggregation mode # Create manual aggregation group 1. <3Com> system-view [3Com] link-aggregation group 1 mode man[...]

  • Page 43

    Configuring Link Aggregation 43 Complete Configuration 1 In manual aggregation mode # link-aggregation group 1 mode manual # interface Ethernet1/0/1 port link-aggregation group 1 # interface Ethernet1/0/2 port link-aggregation group 1 # interface Ethernet1/0/3 port link-aggregation group 1 # 2 In static LACP aggregation mode # link-aggregation g[...]

  • Page 44

    44 CHAPTER 7: LINK AGGREGATION CONFIGURATION GUIDE[...]

  • Page 45

    8 PORT ISOLATION CONFIGURATION GUIDE Configuring Port Isolation Port isolation allows you to add a port into an isolation group to isolate Layer-2 and Layer-3 traffic of the port from that of all other ports in the isolation group. While increasing network security, this allows for great flexibility. Currently, the Switch 5500 suppor[...]

  • Page 46

    46 CHAPTER 8: PORT ISOLATION CONFIGURATION GUIDE Configuration Procedure # Add Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to the isolation group. <3Com> system-view System View: return to User View with Ctrl+Z. [3Com] interface ethernet1/0/2 [3Com-Ethernet1/0/2] port isolate [3Com-Ethernet1/0/2] quit [3Com] interface eth[...]

  • Page 47

    9 PORT SECURITY CONFIGURATION GUIDE Configuring Port Security autolearn Mode In autolearn mode, a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses. Once the number of secure MAC addresses learnt by the port exceeds the upper limit defined by the port-security max-mac-count command, the[...]

  • Page 48

    48 CHAPTER 9: PORT SECURITY CONFIGURATION GUIDE # Enter Ethernet 1/0/1 port view. [3Com] interface Ethernet1/0/1 # Set the maximum number of MAC addresses allowed on the port to 80. [3Com-Ethernet1/0/1] port-security max-mac-count 80 # Set the port security mode to autolearn. [3Com-Ethernet1/0/1] port-security port-mode autolearn # Add [...]

  • Page 49

    Configuring Port Security mac-authentication Mode 49 Network Diagram Figure 13 Network diagram for configuring port security mac-authentication mode Networking and Configuration Requirements The host connects to the switch through the port Ethernet 1/0/1, and the switch authenticates the host through the RADIUS server. If the authentication is s[...]

  • Page 50

    50 CHAPTER 9: PORT SECURITY CONFIGURATION GUIDE # Specify the secondary RADIUS authentication server and secondary RADIUS accounting server. [3Com-radius-radius1] secondary authentication 192.168.1.2 [3Com-radius-radius1] secondary accounting 192.168.1.3 # Set the shared key for message exchange between the switch and the RADIUS authen[...]

  • Page 51

    Configuring Port Security userlogin-withoui Mode 51 [3Com-Ethernet1/0/1] port-security intrusion-mode blockmac Complete Configuration # domain default enable aabbcc.net # port-security enable # MAC-authentication domain aabbcc.net # radius scheme radius1 server-type standard primary authentication 192.168.1.3 primary accounting 192.168.1.2 seconda[...]

  • Page 52

    52 CHAPTER 9: PORT SECURITY CONFIGURATION GUIDE On port Ethernet 1/0/1 of the switch, perform configurations to meet the following requirements: ■ Allow one 802.1x user to get online. ■ Set two OUI values, and allow only one user whose MAC address matches one of the two OUI values to get online. ■ Configure port security trapping to[...]

  • Page 53

    Configuring Port Security userlogin-withoui Mode 53 [3Com-radius-radius1] timer 5 [3Com-radius-radius1] retry 5 # Set the timer for the switch to send real-time accounting packets to the RADIUS server to 15 minutes. [3Com-radius-radius1] timer realtime-accounting 15 # Configure the switch to send a username without the domain name to the RADIUS s[...]

  • Page 54

    54 CHAPTER 9: PORT SECURITY CONFIGURATION GUIDE [3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] port-security port-mode userlogin-withoui [3Com-Ethernet1/0/1] quit # Configure port security trapping. [3Com] port-security trap dot1xlogfailure [3Com] port-security trap dot1xlogon [3Com] port-security trap dot1xlogoff Complete Configurat[...]

  • Page 55

    Configuring Port Security mac-else-userlogin-secure-ext Mode 55 Configuring Port Security mac-else-userlogin-secure-ext Mode In mac-else-userlogin-secure-ext mode, a port first performs MAC authentication of a user. If the authentication is successful, the user can access the port; otherwise, the port performs 802.1x authentication of the user [...]

  • Page 56

    56 CHAPTER 9: PORT SECURITY CONFIGURATION GUIDE # Create a RADIUS scheme named radius1. <3Com> system-view [3Com] radius scheme radius1 # Specify the primary RADIUS authentication server and primary RADIUS accounting server. [3Com-radius-radius1] primary authentication 192.168.1.3 [3Com-radius-radius1] primary accounting 192.168.1.[...]

  • Page 57

    Configuring Port Security mac-else-userlogin-secure-ext Mode 57 # Set aabbcc.net as the default user domain. [3Com] domain default enable aabbcc.net # Set the maximum number of concurrent 802.1x users. [3Com] dot1x max-user 64 # Configure the switch to use MAC addresses as user names for authentication, specifying that the MAC addresses should b[...]

  • Page 58

    58 CHAPTER 9: PORT SECURITY CONFIGURATION GUIDE idle-cut enable 20 2000 # interface Ethernet1/0/1 port-security max-mac-count 200 port-security port-mode mac-else-userlogin-secure-ext port-security ntk-mode ntkonly dot1x max-user 64 Precautions ■ Before enabling port security, be sure to disable 802.1x and MAC authentication globally. ?[...]

  • Page 59

    10 PORT BINDING CONFIGURATION GUIDE Configuring a Port Binding Port binding allows the network administrator to bind the MAC and IP addresses of a user to a specific port. After the port binding operation, the switch forwards a packet received from the port only if the source MAC address and IP address carried in the packet have been bound [...]

  • Page 60

    60 CHAPTER 10: PORT BINDING CONFIGURATION GUIDE # Bind the MAC address and the IP address of Host A to Ethernet 1/0/1. [3Com-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1 Complete Configuration <3Com> system-view [3Com] interface Ethernet1/0/1 [3Com-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.1[...]

  • Page 61

    11 MAC ADDRESS TABLE MANAGEMENT CONFIGURATION GUIDE MAC Address Table Management The Switch 5500 provides the MAC address table management function. Through configuration commands, you can add/modify/remove a MAC address, set the aging time for dynamic MAC addresses, and set the maximum number of MAC addresses an Ethernet port can learn. [...]

  • Page 62

    62 CHAPTER 11: MAC ADDRESS TABLE MANAGEMENT CONFIGURATION GUIDE # Add a static MAC address entry. [3Com] mac-address static 000f-e20f-dc71 interface Ethernet 1/0/2 vlan 1 # Set the aging time of dynamic MAC address entries on Switch to 500 seconds. [3Com] mac-address timer aging 500 # Display the MAC address table configuration in system vie[...]

  • Page 63

    12 DLDP CONFIGURATION GUIDE Configuring DLDP Sometimes, unidirectional links may appear in networks. On a unidirectional link, one end can receive packets from the other end but the other end cannot. Unidirectional links can be caused by fiber cross-connection or fiber cut (including single-fiber cut and lack of a fiber connection). They c[...]

  • Page 64

    64 CHAPTER 12: DLDP CONFIGURATION GUIDE # Configure the ports to work in mandatory full duplex mode at 1000 Mbps. <SwitchA> system-view [SwitchA] interface GigabitEthernet 1/1/3 [SwitchA-GigabitEthernet1/1/3] duplex full [SwitchA-GigabitEthernet1/1/3] speed 1000 [SwitchA-GigabitEthernet1/1/3] quit [SwitchA] interface GigabitEthernet[...]

  • Page 65

    Configuring DLDP 65 The configuration on Switch B is the same as that on Switch A. Precautions 1 When enabling DLDP on two connected devices, make sure that they are using the same software version. Otherwise, DLDP may malfunction. 2 When optical fibers are cross-connected, two or three ports are in the disable state, and the remaining ports[...]

  • Page 66

    66 CHAPTER 12: DLDP CONFIGURATION GUIDE[...]

  • Page 67

    13 AUTO DETECT CONFIGURATION GUIDE Auto Detect Implementation in Static Routing You can bind a static route with a detected group. The auto detect function will then detect the reachability of the static route through the path specified in the detected group. ■ The static route is valid if the detected group is reachable. ■ The sta[...]

  • Page 68

    68 CHAPTER 13: AUTO DETECT CONFIGURATION GUIDE ■ Create detected group 9 on Switch C; detect the reachability of IP address 10.1.1.3, with the next hop being 192.168.1.1/24, and the detecting number being 1. Applicable Products Configuration Procedure Configure IP addresses for the interfaces according to Figure 19. The configuration [...]

  • Page 69

    Auto Detect Implementation in VRRP 69 # Detect the reachability of 10.1.1.3, with the next hop being 192.168.1.1/24, and the detecting number being 1. [SwitchC-detect-group-9] detect-list 1 ip address 192.168.1.1 nexthop 10.1.1.3 [SwitchC-detect-group-9] quit # Configure a static route to Switch A. [SwitchC] ip route-static 192.168.1.1 24 10.1.1[...]

  • Page 70

    70 CHAPTER 13: AUTO DETECT CONFIGURATION GUIDE ■ The master switch remains as master when the detected group is reachable. ■ The priority of the master switch decreases and thus becomes a backup when the detected group is unreachable. Network Diagram Figure 20 Network diagram of applying auto detect to VRRP Networking and Configuratio[...]

  • Page 71

    Auto Detect Implementation in VRRP 71 # Configure an IP address for VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 10.1.1.1 24 # Enable VRRP on VLAN-interface 2, and set the virtual IP address of the VRRP group to 10.1.1.10. [SwitchA-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.10 # Set the VRRP pri[...]

  • Page 72

    72 CHAPTER 13: AUTO DETECT CONFIGURATION GUIDE Auto Detect Implementation in VLAN Interface Backup You can implement VLAN interface backup through auto detect. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the sta[...]

  • Page 73

    Auto Detect Implementation in VLAN Interface Backup 73 Applicable Products Configuration Procedure ■ Configure Switch A # Enter system view. <SwitchA> system-view # Configure an IP address for VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 192.168.1.1 24 [SwitchA-Vlan-interface1] quit # Confi[...]

  • Page 74

    74 CHAPTER 13: AUTO DETECT CONFIGURATION GUIDE [SwitchC] interface vlan-interface 1 [SwitchC-Vlan-interface1] ip address 10.1.2.1 24 [SwitchC-Vlan-interface1] quit # Create detected group 9. [SwitchC] detect-group 9 # Detect the reachability of 192.168.1.1/24, with the next hop being 10.1.1.3, and the detecting number being 1. [SwitchC-det[...]

  • Page 75

    Auto Detect Implementation in VLAN Interface Backup 75 ip address 10.1.1.4 255.255.255.0 # Precautions None[...]

  • Page 76

    76 CHAPTER 13: AUTO DETECT CONFIGURATION GUIDE[...]

  • Page 77

    14 MSTP CONFIGURATION GUIDE Configuring MSTP The Switch 5500 supports the Multiple Spanning Tree Protocol (MSTP), which allows you to map one or multiple VLANs to a multiple spanning tree instance (MSTI). Note that one VLAN can be mapped to only one MSTI. With MSTP, the packets of a specific VLAN are transmitted in the MSTI to which t[...]

  • Page 78

    78 CHAPTER 14: MSTP CONFIGURATION GUIDE Applicable Products Configuration Procedure 1 Configuration on Switch A # Enter MST region view. <3Com> system-view [3Com] stp region-configuration # Configure the region name, VLAN-to-MSTI mapping, and revision level of the MST region. [3Com-mst-region] region-name example [3Com-mst-region] [...]

  • Page 79

    Configuring MSTP 79 3 Configuration on Switch C # Configure the MST region. <3Com> system-view [3Com] stp region-configuration [3Com-mst-region] region-name example [3Com-mst-region] instance 1 vlan 10 [3Com-mst-region] instance 3 vlan 30 [3Com-mst-region] instance 4 vlan 40 [3Com-mst-region] revision-level 0 # Activate the MST region confi[...]

  • Page 80

    80 CHAPTER 14: MSTP CONFIGURATION GUIDE instance 4 vlan 40 active region-configuration # ■ Configuration on Switch C # stp instance 4 root primary stp region-configuration region-name example instance 1 vlan 10 instance 3 vlan 30 instance 4 vlan 40 active region-configuration # ■ Configuration on Switch D # stp region-configuration instanc[...]

  • Page 81

    Configuring VLAN-VPN Tunneling 81 Applicable Products Configuration Procedure 1 Configuration on Switch A # Enable MSTP. <3Com> system-view [3Com] stp enable # Add Ethernet 1/0/1 to VLAN 10. [3Com] vlan 10 [3Com-Vlan10] port Ethernet1/0/1 2 Configuration on Switch B # Enable MSTP. <3Com> system-view [3Com] stp enable # Add Ether[...]

  • Page 82

    82 CHAPTER 14: MSTP CONFIGURATION GUIDE [3Com] interface Ethernet1/0/2 [3Com-Ethernet1/0/2] port link-type trunk # Add the trunk port Ethernet 1/0/2 to all the VLANs. [3Com-Ethernet1/0/2] port trunk permit vlan all 4 Configuration on Switch D # Enable MSTP. <3Com> system-view [3Com] stp enable # Enable VLAN-VPN tunneling. [3Com] vlan-v[...]

  • Page 83

    Configuring RSTP 83 # stp enable # vlan-vpn tunnel # interface Ethernet1/0/1 port access vlan 10 vlan-vpn enable # interface Ethernet1/0/2 port link-type trunk port trunk permit vlan all # 4 Configuration on Switch D # stp enable # vlan-vpn tunnel # interface Ethernet1/0/2 port access vlan 10 vlan-vpn enable # interface Ethernet1/0/1 port link-typ[...]

  • Page 84

    84 CHAPTER 14: MSTP CONFIGURATION GUIDE Network Diagram Figure 24 Network diagram for RSTP configuration Networking and Configuration Requirements ■ Switch A is operating at the core. ■ Switch B and Switch C are operating at the distribution layer. ■ Switch D, Switch E, and Switch F are operating at the access layer. At the distribution[...]

  • Page 85

    Configuring RSTP 85 Configuration Procedure 1 Configuration on Switch A # Enable MSTP. <3Com> system-view [3Com] stp enable # Enabling MSTP globally on the switch enables RSTP on all the ports. Disable MSTP on the ports that are not involved in RSTP calculation, for example GigabitEthernet 2/0/4. [3Com] interface GigabitEthernet 2/0/[...]

  • Page 86

    86 CHAPTER 14: MSTP CONFIGURATION GUIDE # Configure Switch C and Switch B to back up each other, and set the bridge priority of Switch B to 4096. [3Com] stp priority 4096 # Enable the root guard function on each designated port. [3Com] interface Ethernet 1/0/4 [3Com-Ethernet1/0/4] stp root-protection [3Com-Ethernet1/0/4] quit [3Com] interface E[...]

  • Page 87

    Configuring RSTP 87 # Enable MSTP. <3Com> system-view [3Com] stp enable # Enabling MSTP globally on the switch enables RSTP on all the ports. Disable MSTP on the ports that are not involved in RSTP calculation, for example Ethernet 1/0/3. [3Com] interface Ethernet 1/0/3 [3Com-Ethernet1/0/3] stp disable # Configure the ports directly [...]

  • Page 88

    88 CHAPTER 14: MSTP CONFIGURATION GUIDE interface Ethernet1/0/8 stp disable # 3 Configuration on Switch C # stp instance 0 priority 8192 stp enable # interface Ethernet1/0/1 stp root-protection # interface Ethernet1/0/2 stp root-protection # interface Ethernet1/0/3 stp root-protection # interface Ethernet1/0/8 stp disable # 4 Configuration on [...]

  • Page 89

    Configuring Digest Snooping and Rapid Transition 89 Network Diagram Figure 25 Network diagram for digest snooping and rapid transition configuration Networking and Configuration Requirements ■ Use another vendor’s switch, Switch A in this scenario, as the root switch. ■ Switch B and Switch C are connected to Switch A. For Switch B: ■ S[...]

  • Page 90

    90 CHAPTER 14: MSTP CONFIGURATION GUIDE [3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] stp config-digest-snooping # Enable rapid transition on the root port Ethernet 1/0/1. [3Com-Ethernet1/0/1] stp no-agreement-check [3Com-Ethernet1/0/1] quit 2 Configuration on Switch C # Enable MSTP. <3Com> system-view [3Com] stp enable # Set t[...]

  • Page 91

    Configuring Digest Snooping and Rapid Transition 91 stp config-digest-snooping # interface Ethernet1/0/1 stp no-agreement-check # interface Ethernet1/0/2 stp config-digest-snooping #[...]

  • Page 92

    92 CHAPTER 14: MSTP CONFIGURATION GUIDE[...]

  • Page 93

    15 ROUTING CONFIGURATION GUIDE Configuring Static Routes A static route is manually configured by an administrator. In a simple network, you only need to configure static routes to make the network work normally. The proper configuration and usage of static routes can improve network performance and ensure the bandwidth for important [...]

  • Page 94

    94 CHAPTER 15: ROUTING CONFIGURATION GUIDE Configuration Procedure Configure the switches: ■ Configure static routes on Switch A. <SwitchA> system-view [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 ■ Configure s[...]

  • Page 95

    Configuring RIP 95 ■ You cannot configure the next hop of a static route as the address of an interface on the local switch. ■ You can configure different preferences or an identical preference for routes to the same destination for route backup or load sharing. ■ The default route has both the destination and mask configured a[...]

  • Page 96

    96 CHAPTER 15: ROUTING CONFIGURATION GUIDE Configuration Procedure ■ Configure Switch A. # Configure RIP. <SwitchA> system-view [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ip address 110.11.2.1 24 [SwitchA-Vlan-interface1] rip version 2 [SwitchA-Vlan-interface1] quit [SwitchA] interface Vlan-interface 2 [SwitchA[...]

  • Page 97

    Configuring RIP 97 Complete Configuration ■ Perform the following configuration on Switch A. # vlan 1 # vlan 2 # interface Vlan-interface1 ip address 110.11.2.1 255.255.255.0 rip version 2 multicast # interface Vlan-interface2 ip address 155.10.1.1 255.255.255.0 rip version 2 multicast # rip undo summary network 110.0.0.0 network 155.10.0.0 # ?[...]

  • Page 98

    98 CHAPTER 15: ROUTING CONFIGURATION GUIDE Precautions ■ RIPv2 supports automatic route summarization (with the summary command). This function is enabled by default. ■ Based on your needs, you can configure the switch to receive or send RIP packets with the rip input command or the rip output command. ■ RIPv2 can transmit packets in two [...]

  • Page 99

    Configuring OSPF 99 Networking and Configuration Requirements Network devices run OSPF to forward packets. For network security, disable the device interfaces not enabled with OSPF from sending OSPF packets. Configuration Procedure ■ Configure Switch A. # Create VLANs and configure IP addresses for VLAN interfaces. The configuration procedu[...]

  • Page 100

    100 CHAPTER 15: ROUTING CONFIGURATION GUIDE [SwitchC-ospf-1-area-0.0.0.1] network 192.168.2.0 0.0.0.255 [SwitchC-ospf-1-area-0.0.0.1] quit [SwitchC-ospf-1] quit ■ Configure Switch D (refer to “Configure Switch C.” on page 99). Complete Configuration ■ Perform the following configuration on Switch A. # vlan 100 # vlan 200 # interface [...]

  • Page 101

    Configuring OSPF 101 interface Vlan-interface20 ip address 192.168.2.1 255.255.255.0 # interface Vlan-interface200 ip address 10.1.2.2 255.255.255.0 # interface Vlan-interface300 ip address 10.1.4.1 255.255.255.0 # ospf 1 silent-interface Vlan-interface10 silent-interface Vlan-interface20 area 0.0.0.1 network 192.168.1.0 0.0.0.255 network 192.168.2[...]

  • Page 102

    102 CHAPTER 15: ROUTING CONFIGURATION GUIDE Precautions ■ Before configuring OSPF basic functions, configure a router ID for each OSPF process to ensure OSPF runs normally. You are recommended to use the ospf command to configure router IDs for the processes, especially on a device running multiple processes. ■ To prevent route[...]

  • Page 103

    Configuring OSPF DR Election 103 Networking and Configuration Requirements Use OSPF to enable communication between devices in a broadcast network. Devices with higher performance should become the DR and BDR to improve network performance. Disable the devices with lower performance from taking part in the DR/BDR election. Based on the customer [...]

  • Page 104

    104 CHAPTER 15: ROUTING CONFIGURATION GUIDE [SwitchB-ospf-1-area-0.0.0.0] quit [SwitchB-ospf-1] quit ■ Configure Switch C. # Assign a router ID to Switch C. <SwitchC> system-view [SwitchC] router id 3.3.3.3 # Configure an IP address for the VLAN interface. [SwitchC] interface Vlan-interface 1 [SwitchC-Vlan-interface1] ip address 196.[...]

  • Page 105

    Configuring OSPF DR Election 105 area 0.0.0.0 network 196.1.1.0 0.0.0.255 ■ Perform the following configuration on Switch B. # router id 2.2.2.2 # vlan 1 # interface Vlan-interface 1 ip address 196.1.1.2 255.255.255.0 ospf dr-priority 0 # ospf 1 area 0.0.0.0 network 196.1.1.0 0.0.0.255 ■ Perform the following configuration on Switch C. # router[...]

  • Page 106

    106 CHAPTER 15: ROUTING CONFIGURATION GUIDE Configuring a (Totally) Stub Area When a large number of OSPF routers are present on a network, the LSDB of routers may become so large that a great amount of storage space is occupied and CPU resources are exhausted when performing the SPF computation. In addition, as the topology of a large ne[...]

  • Page 107

    Configuring a (Totally) Stub Area 107 Configuration Procedure Non-backbone area and backbone area configuration (area 1 is a non-backbone area) ■ Configure Switch A. # Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted. # Configure OSPF for area 1. <SwitchA> system-view [SwitchA[...]

  • Page 108

    108 CHAPTER 15: ROUTING CONFIGURATION GUIDE # Redistribute the static route to specify Switch D as an ASBR. [SwitchD-ospf-1] import-route static [SwitchD-ospf-1] quit Note: ■ The above-mentioned steps configure non-backbone areas, backbone area, and ABRs/ASBRs. ■ By using the display ospf lsdb command on Switch C, you can see that Type-3 [...]

  • Page 109

    Configuring a (Totally) Stub Area 109 ip address 10.2.1.1 255.255.255.0 # ospf 1 router-id 1.1.1.1 area 0.0.0.1 network 10.2.1.0 0.0.0.255 # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Perform the following configuration on Switch B. # vlan 100 # vlan 200 # interface Vlan-interface100 ip address 10.1.1.2 255.255.255.0 # interface Vlan-interface20[...]

  • Page 110

    110 CHAPTER 15: ROUTING CONFIGURATION GUIDE ip address 10.5.1.1 255.255.255.0 # ospf 1 router-id 4.4.4.4 import-route static area 0.0.0.2 network 10.3.1.0 0.0.0.255 network 10.5.1.0 0.0.0.255 # ip route-static 1.0.0.0 255.0.0.0 10.5.1.2 preference 60 # Configuration information when area 1 is a stub area: ■ Perform the following configurati[...]

  • Page 111

    Configuring a (Totally) NSSA Area 111 Refer to the configuration of Switch D when area 1 is a non-backbone area. Configuration information when area 1 is a totally stub area: ■ Perform the following configuration on Switch A. # vlan 100 # vlan 200 # interface Vlan-interface100 ip address 10.1.1.1 255.255.255.0 # interface Vlan-interface200 ip ad[...]

  • Page 112

    112 CHAPTER 15: ROUTING CONFIGURATION GUIDE Network Diagram Figure 31 Network diagram for (totally) NSSA area configuration Networking and Configuration Requirements Run OSPF on the network devices. Based on actual conditions, you can configure an (totally) NSSA area to reduce the routing table size in the area. Applicable Products Configurati[...]

  • Page 113

    Configuring a (Totally) NSSA Area 113 <SwitchC> system-view [SwitchC] ip route-static 2.0.0.0 8 10.4.1.2 # Configure OSPF for area 1. [SwitchC] ospf 1 router-id 3.3.3.3 [SwitchC-ospf-1] area 1 [SwitchC-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255 [SwitchC-ospf-1-area-0.0.0.1] network 10.4.1.0 0.0.0.255 [SwitchC-ospf-1-area-0.0.0.1] qui[...]

  • Page 114

    114 CHAPTER 15: ROUTING CONFIGURATION GUIDE # Configure area 1 as an NSSA area. [SwitchA-ospf-1-area-0.0.0.1] nssa [SwitchC-ospf-1-area-0.0.0.1] nssa Note: ■ The steps above configure an NSSA area. ■ Use the display ospf lsdb command on Switch C to display the LSDB. You can see that no Type-4 LSAs or Type-5 LSAs exist in the LSDB. But Typ[...]

  • Page 115

    Configuring a (Totally) NSSA Area 115 ■ Use the display ospf lsdb command on Switch C to display the LSDB. You can see that no Type-4 LSAs or Type-5 LSAs exist in the LSDB. But Type-7 LSAs and a Type-7 default LSA are installed. Totally NSSA area configuration (area 1 is a totally NSSA area) Based on the configuration in “Non-backbone a[...]

  • Page 116

    116 CHAPTER 15: ROUTING CONFIGURATION GUIDE interface Vlan-interface200 ip address 10.3.1.1 255.255.255.0 # ospf 1 router-id 2.2.2.2 area 0.0.0.2 network 10.3.1.0 0.0.0.255 # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Perform the following configuration on Switch C. # vlan 200 # vlan 300 # interface Vlan-interface200 ip address 10.2.1.2 255.[...]

  • Page 117

    Configuring OSPF Route Summarization 117 ■ After you configure an area as a totally NSSA area, the ABR of the totally NSSA area will automatically generate a Type-3 default LSA into the totally NSSA area. ■ For the ASBR of an NSSA area to generate a default Type-7 LSA, the default route with the destination address 0.0.0.0/0 must exis[...]

  • Page 118

    118 CHAPTER 15: ROUTING CONFIGURATION GUIDE If this feature is configured on the ABR of the NSSA area, the ABR will summarize Type-5 LSAs translated from Type-7 LSAs. Network Diagram Figure 33 Network diagram for route summarization configuration Networking and Configuration Requirements Network devices run OSPF to forward packets. Configur[...]

  • Page 119

    Configuring OSPF Route Summarization 119 # Configure the static routes 2.1.3.0/24, 2.1.4.0/24, 2.1.5.0/24, 2.1.6.0/24, and 2.1.7.0/24. <SwitchC> system-view [SwitchC] ip route-static 2.1.3.0 24 20.1.2.2 [SwitchC] ip route-static 2.1.4.0 24 20.1.2.2 [SwitchC] ip route-static 2.1.5.0 24 20.1.2.2 [SwitchC] ip route-static 2.1.6.0 24 20.[...]

  • Page 120

    120 CHAPTER 15: ROUTING CONFIGURATION GUIDE # Configure ABR route summarization to summarize the routes 30.1.1.0/24 and 30.1.2.0/24 in area 2 into 30.1.0.0/22. [SwitchB-ospf-1] area 2 [SwitchB-ospf-1-area-0.0.0.2] abr-summary 30.1.0.0 255.255.252.0 [SwitchB-ospf-1-area-0.0.0.2] quit ASBR route summarization configuration 1 Note: This configuratio[...]

  • Page 121

    Configuring OSPF Route Summarization 121 network 20.1.1.0 0.0.0.255 nssa # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Perform the following configuration on Switch B. # vlan 100 # vlan 200 # interface Vlan-interface100 ip address 10.1.1.2 255.255.255.0 # interface Vlan-interface200 ip address 30.1.1.1 255.255.255.0 # ospf 1 router-id 2.2.2.2 are[...]

  • Page 122

    122 CHAPTER 15: ROUTING CONFIGURATION GUIDE vlan 300 # interface Vlan-interface200 ip address 30.1.1.2 255.255.255.0 # interface Vlan-interface300 ip address 30.1.2.1 255.255.255.0 # ospf 1 router-id 4.4.4.4 import-route static area 0.0.0.2 network 30.1.1.0 0.0.0.255 network 30.1.2.0 0.0.0.255 # ip route-static 1.1.3.0 255.255.255.0 30.1.2.2 pr[...]

  • Page 123

    Configuring OSPF Route Summarization 123 ospf 1 router-id 2.2.2.2 area 0.0.0.2 network 30.1.1.0 0.0.0.255 # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Configure Switch C. # vlan 200 # vlan 300 # interface Vlan-interface200 ip address 20.1.1.2 255.255.255.0 # interface Vlan-interface300 ip address 20.1.2.1 255.255.255.0 # ospf 1 router-id 3.3.3.3[...]

  • Page 124

    124 CHAPTER 15: ROUTING CONFIGURATION GUIDE ip route-static 1.1.7.0 255.255.255.0 30.1.2.2 preference 60 # ASBR route summarization configuration 2 Note: Configure ASBR route summarization on Switch A to summarize the Type-5 LSAs translated from Type-7 LSAs. ■ Configure Switch A. # vlan 100 # vlan 200 # interface Vlan-interface100 ip address 1[...]

  • Page 125

    Configuring OSPF Route Summarization 125 ip address 20.1.1.2 255.255.255.0 # interface Vlan-interface300 ip address 20.1.2.1 255.255.255.0 # ospf 1 router-id 3.3.3.3 import-route static area 0.0.0.2 network 20.1.1.0 0.0.0.255 network 20.1.2.0 0.0.0.255 nssa # ip route-static 2.1.3.0 255.255.255.0 20.1.2.2 preference 60 ip route-static 2.1.4.0 255.2[...]

  • Page 126

    126 CHAPTER 15: ROUTING CONFIGURATION GUIDE Configuring OSPF Virtual Link Among OSPF areas in an AS, one area is different from any other area. Its area ID is 0 and it is usually called the backbone area. The backbone area is responsible for distributing routing information between non-backbone areas. Therefore, OSPF requires that: ?[...]

  • Page 127

    Configuring OSPF Virtual Link 127 Configuration Procedure 1 Configure OSPF basic functions. # Configure Switch A. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 196.1.1.2 255.255.255.0 [SwitchA-Vlan-interface1] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 19[...]

  • Page 128

    128 CHAPTER 15: ROUTING CONFIGURATION GUIDE # router id 1.1.1.1 # vlan 1 # vlan 2 # interface Vlan-interface1 ip address 196.1.1.2 255.255.255.0 # interface Vlan-interface2 ip address 197.1.1.2 255.255.255.0 # ospf 1 area 0.0.0.0 network 196.1.1.0 0.0.0.255 area 0.0.0.1 network 197.1.1.0 0.0.0.255 vlink-peer 2.2.2.2 # ■ Perform the following [...]

  • Page 129

    Configuring Routing Policies 129 Network Diagram Figure 35 Network diagram for routing policy configuration Networking and Configuration Requirements ■ As shown in the figure above, Switch A and Switch B run OSPF. The router ID of Switch A is 1.1.1.1 and that of Switch B is 2.2.2.2. ■ Configure three static routes and enable OSPF on Switch[...]

  • Page 130

    130 CHAPTER 15: ROUTING CONFIGURATION GUIDE # Configure an ACL. [SwitchA] acl number 2000 [SwitchA-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255 [SwitchA-acl-basic-2000] rule permit source any [SwitchA-acl-basic-2000] quit # Configure a routing policy. [SwitchA] route-policy ospf permit node 10 [SwitchA-route-policy] if-match acl [...]

  • Page 131

    Configuring Routing Policies 131 [SwitchA] router id 1.1.1.1 [SwitchA] ospf [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255 [SwitchA-ospf-1-area-0.0.0.0] quit [SwitchA-ospf-1] quit # Configure an ACL. [SwitchA] acl number 2000 [SwitchA-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255 [SwitchA-acl-basic-[...]

  • Page 132

    132 CHAPTER 15: ROUTING CONFIGURATION GUIDE # Configure route summarization to prevent network 30.0.0.0/8 from being advertised. [SwitchA-ospf-1] asbr-summary 30.0.0.0 255.0.0.0 not-advertise # Redistribute the static routes. [SwitchA-ospf-1] import-route static ■ Configure Switch B. The configuration on Switch B is the same as that in me[...]

  • Page 133

    Configuring Routing Policies 133 ip address 10.0.0.2 255.0.0.0 # ospf 1 area 0.0.0.0 network 10.0.0.0 0.255.255.255 # Precautions In an OSPF network, when an ASBR redistributes routes, you can use the command combination of filter-policy export and import-route, route-policy and import-route, or import-route and asbr-summary not-advertise t[...]

  • Page 134

    134 CHAPTER 15: ROUTING CONFIGURATION GUIDE[...]

  • Page 135

    16 MULTICAST CONFIGURATION GUIDE Configuring IGMP Snooping Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraint mechanism that runs on Layer 2 Ethernet switches to manage and control multicast groups. By listening to and analyzing IGMP messages, a Layer 2 device running IGMP Snooping establishes and mai[...]

  • Page 136

    136 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuration Procedure Configuring IP addresses for the interfaces of each device Configure the IP address and subnet mask for each interface as per Figure 36. The detailed configuration steps are omitted here. Configuring Router A # Enable IP multicast routing, enable PIM-DM on each interfa[...]

  • Page 137

    Configuring IGMP Snooping 137 MAC group address: 0100-5e01-0101 Host port(s): Ethernet1/0/3 Ethernet1/0/4 As shown above, a multicast group entry for 224.1.1.1 has been created on Switch A, with Ethernet 1/0/1 as the router port and Ethernet 1/0/3 and Ethernet 1/0/4 as dynamic member ports. This means that Host A and Host B have joined the m[...]

  • Page 138

    138 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuring IGMP Snooping Only Network Diagram Figure 37 Network diagram for IGMP Snooping only configuration Networking and Configuration Requirements Where it is unnecessary or infeasible to build a Layer 3 multicast network, enabling IGMP Snooping on all the devices in the Layer 2 network can im[...]

  • Page 139

    Configuring IGMP Snooping Only 139 [SwitchA] vlan 100 [SwitchA-vlan100] port Ethernet 1/0/1 Ethernet 1/0/2 [SwitchA-vlan100] igmp-snooping enable # Enable IGMP Snooping querier in VLAN 100. [SwitchA-vlan100] igmp-snooping querier [SwitchA-vlan100] quit # Enable dropping unknown multicast packets. [SwitchA] unknown-multicast drop enable Configuring[...]

  • Page 140

    140 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Verifying the configuration Check the reception of multicast stream for multicast group 224.1.1.1 on Host A, and take the following steps to verify the configurations made on the switches. 1 View the information on Switch B # View the IGMP packet statistics on Switch B. <SwitchB> display igm[...]

  • Page 141

    Configuring IGMP Snooping Only 141 <Switch A> display igmp-snooping group Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):100. Total 1 IP Group(s). Total 1 MAC Group(s). Router port(s): IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 Host port(s):Ethernet1/0/1 MAC group(s): MAC group address:0100[...]

  • Page 142

    142 CHAPTER 16: MULTICAST CONFIGURATION GUIDE vlan 100 igmp-snooping enable igmp-snooping querier # interface Ethernet1/0/1 port access vlan 100 # interface Ethernet1/0/2 port access vlan 100 # Configuration on Switch B # unknown-multicast drop enable # igmp-snooping enable # vlan 100 igmp-snooping enable # interface Ethernet1/0/1 port access v[...]

  • Page 143

    Configuring Multicast VLAN 143 Since multicast packets are transmitted within the multicast VLAN, which is isolated from user VLANs, the bandwidth and security can be guaranteed. Network Diagram Figure 38 Network diagram for multicast VLAN Networking and Configuration Requirements Configure the multicast VLAN feature so that Switch A just send[...]

  • Page 144

    144 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuration Procedure Assume that the IP addresses have been configured and the devices have been connected correctly. 1 Configure Switch A. # Configure the IP address of VLAN-interface 20 as 168.10.1.1, and enable PIM-DM. <SwitchA> system-view [SwitchA] multicast routing-enable [Switch[...]

  • Page 145

    Configuring Multicast VLAN 145 [SwitchB-vlan10] igmp-snooping enable [SwitchB-vlan10] quit # Configure Ethernet 1/0/10 as a Hybrid port, assign it to VLAN 2, VLAN 3 and VLAN 10, and configure it to send packets of VLAN 2, VLAN 3, and VLAN 10 with the respective VLAN tags kept. [SwitchB] interface Ethernet1/0/10 [SwitchB-Ethernet1/0/10] port link-t[...]

  • Page 146

    146 CHAPTER 16: MULTICAST CONFIGURATION GUIDE # vlan 1 to 3 # vlan 10 service-type multicast igmp-snooping enable # interface Ethernet1/0/1 port link-type hybrid port hybrid vlan 1 to 2 10 untagged port hybrid pvid vlan 2 # interface Ethernet1/0/2 port link-type hybrid port hybrid vlan 1 3 10 untagged port hybrid pvid vlan 3 # interface Ethern[...]

  • Page 147

    Configuring PIM-SM plus IGMP plus IGMP Snooping 147 Then, the multicast source sends the multicast traffic along the SPT to the RP. Upon reaching the RP, the multicast traffic flows down the RPT to the receivers. Network Diagram Figure 39 Network diagram for PIM-SM, IGMP, and IGMP Snooping configuration Device Interface IP address Ports S[...]

  • Page 148

    148 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Networking and Configuration Requirements Requirement Analysis When users receive VOD information through multicast, the information receiving mode may vary depending on user requirements: 1 To avoid flooding of the video information at Layer 2, IGMP Snooping needs to be enabled on Switch E, t[...]

  • Page 149

    Configuring PIM-SM plus IGMP plus IGMP Snooping 149 [SwitchA-Vlan-interface100] igmp enable [SwitchA-Vlan-interface100] pim sm [SwitchA-Vlan-interface100] quit [SwitchA] interface vlan-interface 101 [SwitchA-Vlan-interface101] pim sm [SwitchA-Vlan-interface101] quit [SwitchA] interface vlan-interface 102 [SwitchA-Vlan-interface102] pim sm Note: It is [...]

  • Page 150

    150 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Using the following commands to determine whether Host A and Host C can receive multicast data # View the PIM neighboring relationships on Switch E. <SwitchE> display pim neighbor Neighbor’s Address Interface Name Uptime Expires 192.168.9.1 Vlan-interface102 02:47:04 00:01:42 192.168.2.1 Vl[...]

  • Page 151

    Configuring PIM-SM plus IGMP plus IGMP Snooping 151 Vlan-interface100, Protocol 0x1: IGMP, never timeout Matched 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry The information on Switch B and Switch C is similar to that on Switch A. # View the PIM routing table on Switch D. <SwitchD> display pim routing-table PIM-SM Routing Table Tota[...]

  • Page 152

    152 CHAPTER 16: MULTICAST CONFIGURATION GUIDE MAC group address:0100-5e01-0101 Host port(s):Ethernet1/0/19 # View the multicast group information that contains port information on Switch B. <SwitchB> display mpm group Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):200. Total 1 IP Group(s). Total 1 MAC Group(s). Router port(s): IP gro[...]

  • Page 153

    Configuring PIM-SM plus IGMP plus IGMP Snooping 153 Vlan(id):103. Total 0 IP Group(s). Total 0 MAC Group(s). Router port(s):Ethernet1/0/10 As shown above, Ethernet 1/0/21 has become a member port for multicast group 225.1.1.1. Complete Configuration Configuration on Switch A # multicast routing-enable # interface Vlan-interface100 ip address 10[...]

  • Page 154

    154 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuration on Switch D # acl number 2005 rule 0 permit source 225.1.1.0 0.0.0.255 # multicast routing-enable # interface Vlan-interface101 ip address 192.168.1.2 255.255.255.0 pim sm # interface Vlan-interface105 ip address 192.168.4.2 255.255.255.0 pim sm # interface Vlan-interface300 ip address[...]

  • Page 155

    Configuring PIM-DM plus IGMP 155 vlan 100 igmp-snooping enable # Precautions ■ Only one C-BSR can be configured on a Layer 3 switch. Configuration of a C-BSR on another interface overwrites the previous configuration. ■ It is recommended that C-BSRs and C-RPs be configured on Layer 3 switches in the backbone network. ■ If you do not specify[...]

  • Page 156

    156 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Network Diagram Figure 40 Network diagram for PIM-DM configuration Networking and Configuration Requirements ■ Receivers receive multicast VOD information through multicast. The receiver groups of different organizations form two stub networks, and at least one receiver host exists in each s[...]

  • Page 157

    Configuring PIM-DM plus IGMP 157 Configuration Procedure Configuring the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 40. The detailed configuration steps are omitted here. Configure OSPF for interoperation among the switches in the PIM-DM domain. E[...]

  • Page 158

    158 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Use the display pim routing-table command to view the PIM routing information on the switches. For example: # View the PIM routing table on Switch A. <SwitchA> display pim routing-table PIM-DM Routing Table Total 1 (S,G) entry (10.110.5.100, 225.1.1.1) Protocol 0x40: PIMDM, Flag 0xC: SPT NEG_[...]

  • Page 159

    Configuring Anycast RP Application 159 ip address 192.168.2.1 255.255.255.0. pim dm # interface Vlan-interface200 ip address 10.110.2.1 255.255.255.0 igmp enable pim dm # Configuration on Switch C # multicast routing-enable # interface Vlan-interface102 ip address 192.168.3.1 255.255.255.0. pim dm # interface Vlan-interface200 ip address 10.110.2.[...]

  • Page 160

    160 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Network Diagram Figure 41 Network diagram for anycast RP configuration Networking and Configuration Requirements ■ The PIM-SM domain in this example has multiple multicast sources and receivers. OSPF needs to run in the domain to provide unicast routes. ■ The anycast RP application needs to be i[...]

  • Page 161

    Configuring Anycast RP Application 161 Configure OSPF for interconnection between the switches. The detailed configuration steps are omitted here. Enabling IP multicast routing and enabling PIM-SM on each interface # Enable multicast routing on Switch C, and enable PIM-SM on each interface. <SwitchC> system-view [SwitchC] multicast routi[...]

  • Page 162

    162 CHAPTER 16: MULTICAST CONFIGURATION GUIDE As shown above, the multicast source has been registered on Switch C, which is deemed as the RP. # View the PIM routing information on Switch F. <Switch F>dis pim routing-table PIM-SM Routing Table Total 0 (S,G) entry, 1 (*,G) entries, 0 (*,*,RP) entry (*, 225.1.1.1), RP 10.1.1.1 Protoco[...]

  • Page 163

    Configuring Anycast RP Application 163 After the peering relationship is established, the multicast receiver can receive multicast data from the source. # View the PIM routing information on Switch C again. [Switch C] display pim routing-table PIM-SM Routing Table Total 1 (S,G) entries, 0 (*,G) entry, 0 (*,*,RP) entry (10.110.5.100, 225.1.1.1[...]

  • Page 164

    164 CHAPTER 16: MULTICAST CONFIGURATION GUIDE ip address 3.3.3.3 255.255.255.255 pim sm # interface LoopBack10 ip address 10.1.1.1 255.255.255.255 pim sm # pim c-bsr LoopBack1 24 c-rp LoopBack10 # msdp originating-rp Vlan-interface101 peer 192.168.3.2 connect-interface Vlan-interface101 # Configuration on Switch F # multicast routing-enable # [...]

  • Page 165

    17 802.1X CONFIGURATION GUIDE Note: The following configurations involve most AAA/RADIUS configuration commands. Refer to “AAA Configuration” in the Configuration Guide for your product for information about the commands. Configurations on the user host and the RADIUS servers are omitted. Configuring 802.1x Access Control As a port-based acces[...]

  • Page 166

    166 CHAPTER 17: 802.1X CONFIGURATION GUIDE seconds, it retransmits the packet for up to 5 times. The switch sends real-time accounting packets at an interval of 15 minutes. A username is sent to the RADIUS server with the domain name truncated. ■ The username and password for local 802.1x authentication are localuser and localpass (in pla[...]

  • Page 167

    Configuring 802.1x Access Control 167 # Set the interval and the number of packet transmission attempts for the switch to send packets to the RADIUS server. [3Com-radius-radius1] timer 5 [3Com-radius-radius1] retry 5 # Set the interval for the switch to send real-time accounting packets to the RADIUS server. [3Com-radius-radius1] timer realtim[...]

  • Page 168

    168 CHAPTER 17: 802.1X CONFIGURATION GUIDE primary authentication 10.11.1.1 primary accounting 10.11.1.2 secondary authentication 10.11.1.2 secondary accounting 10.11.1.1 key authentication name key accounting money timer realtime-accounting 15 timer response-timeout 5 retry 5 user-name-format without-domain # domain aabbcc.net scheme radius-s[...]

  • Page 169

    18 AAA CONFIGURATION GUIDE Configuring RADIUS Authentication for Telnet Users Authentication, Authorization and Accounting (AAA) is a uniform framework used to configure the three functions for network security management. It can be implemented by multiple protocols. RADIUS configurations are made in RADIUS schemes. When performing RADIUS co[...]

  • Page 170

    170 CHAPTER 18: AAA CONFIGURATION GUIDE usernames and login passwords. Note that the Telnet usernames added to the RADIUS server must be in the format of userid@isp-name. ■ Configure the switch to include domain names in the usernames to be sent to the RADIUS server in the RADIUS scheme. Applicable Products Configuration Procedure[...]

  • Page 171

    Configuring Dynamic VLAN Assignment with RADIUS Authentication 171 primary authentication 10.110.91.164 key authentication aabbcc server-type extended user-name-format with-domain quit # domain cams scheme radius-scheme cams Precautions The Telnet user needs to enter the username with the domain name cams, in the format userid@cams, so that t[...]

  • Page 172

    172 CHAPTER 18: AAA CONFIGURATION GUIDE Configuration Procedure # Create a RADIUS scheme named cams and specify the primary and secondary servers. <3Com> system-view [3Com] radius scheme cams [3Com-radius-cams] primary authentication 192.168.1.19 [3Com-radius-cams] primary accounting 192.168.1.19 [3Com-radius-cams] secondary authenti[...]

  • Page 173

    Configuring Local Authentication for Telnet Users 173 radius scheme cams primary authentication 192.168.1.19 primary accounting 192.168.1.19 secondary authentication 192.168.1.20 secondary accounting 192.168.1.20 key authentication expert key accounting expert user-name-format with-domain server-type extended # domain abc radius-scheme cams vlan-[...]

  • Page 174

    174 CHAPTER 18: AAA CONFIGURATION GUIDE Configuration Procedure # Enter system view. <3Com> system-view # Configure the switch to use AAA authentication for Telnet users. [3Com] user-interface vty 0 4 [3Com-ui-vty0-4] authentication-mode scheme [3Com-ui-vty0-4] quit # Configure a local user named telnet. [3Com] local-user telnet [3Co[...]

  • Page 175

    Configuring HWTACACS Authentication for Telnet Users 175 Network Diagram Figure 46 Network diagram for configuring HWTACACS authentication for Telnet users Networking and Configuration Requirements As shown in Figure 46, you are required to configure the switch so that Telnet users logging into the switch are authenticated and authorized b[...]

  • Page 176

    176 CHAPTER 18: AAA CONFIGURATION GUIDE Complete Configuration # system-view hwtacacs scheme hwtac primary authentication 10.110.91.164 49 primary authorization 10.110.91.164 49 key authentication expert key authorization expert user-name-format without-domain quit # domain hwtacacs scheme hwtacacs-scheme hwtac accounting optional Precautions [...]

  • Page 177

    Configuring EAD 177 Networking and Configuration Requirements As shown in Figure 47, a user host is connected to Ethernet 1/0/1 on the switch. On the host runs the 802.1x client supporting 3Com EAD extended function. You are required to configure the switch to use the RADIUS server for remote user authentication and the security policy ser[...]

  • Page 178

    178 CHAPTER 18: AAA CONFIGURATION GUIDE quit domain system radius-scheme cams Precautions To support all extended functions of CAMS, you are recommended to configure the 802.1x authentication method as EAP and the RADIUS scheme server type as extended on the switch.[...]

  • Page 179

    19 MAC AUTHENTICATION CONFIGURATION GUIDE Configuring MAC Authentication MAC authentication provides a way for authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. Once detecting a new MAC address, a switch with MAC authentication configured will initiate the authenticatio[...]

  • Page 180

    180 CHAPTER 19: MAC AUTHENTICATION CONFIGURATION GUIDE Configuration Procedure # Enable MAC authentication for port Ethernet 1/0/2. <3Com> system-view [3Com] mac-authentication interface Ethernet 1/0/2 # Specify the MAC authentication username type as MAC address and the MAC address format as with-hyphen. [3Com] mac-authentication [...]

  • Page 181

    Configuring MAC Authentication 181 h-hyphen # domain aabbcc.net # local-user 00-0d-88-f6-44-c1 password simple 00-0d-88-f6-44-c1 service-type lan-access # Precautions ■ You cannot configure the maximum number of MAC addresses that can be learnt on a MAC authentication enabled port, or enable MAC authentication on a port that is configured wi[...]

  • Page 182

    182 CHAPTER 19: MAC AUTHENTICATION CONFIGURATION GUIDE[...]

  • Page 183

    20 VRRP CONFIGURATION GUIDE Single VRRP Group Configuration Virtual Router Redundancy Protocol (VRRP) is an error-tolerant protocol defined in RFC 2338. In LANs with multicast or broadcast capabilities (such as Ethernet), VRRP can avoid single point failure through establishing backup links without modifying the configuration of dynamic routi[...]

  • Page 184

    184 CHAPTER 20: VRRP CONFIGURATION GUIDE Applicable Products Configuration Procedure 1 Configure Switch A. # Configure VLAN 2. <LSW-A> system-view [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet1/0/6 [LSW-A-vlan2] quit [LSW-A] interface Vlan-interface 2 [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0 [LSW-A-Vlan-interface2] quit[...]

  • Page 185

    Single VRRP Group Configuration 185 [LSW-B] interface Vlan-interface 2 [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0 [LSW-B-Vlan-interface2] quit # Enable the VRRP group to respond to ping operations destined for its virtual IP address. [LSW-B] vrrp ping-enable # Create a VRRP group. [LSW-B] interface vlan 2 [LSW-B-Vlan-interface2][...]

  • Page 186

    186 CHAPTER 20: VRRP CONFIGURATION GUIDE ■ If both switches in the preemptive mode and switches in the non-preemptive mode exist in a VRRP group, the working mode of the VRRP group conforms to that of the master. For example, if the master works in the preemptive mode, when the master fails, the VRRP group will elect a new master through p[...]

  • Page 187

    Multiple VRRP Groups Configuration 187 <LSW-A> system-view [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet1/0/6 [LSW-A-vlan2] quit [LSW-A] interface Vlan-interface 2 [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0 # Create VRRP group 1. [LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Set the priority of Switch A in [...]

  • Page 188

    188 CHAPTER 20: VRRP CONFIGURATION GUIDE ip address 202.38.160.2 255.255.255.0 vrrp vrid 1 virtual-ip 202.38.160.111 vrrp vrid 2 virtual-ip 202.38.160.112 vrrp vrid 2 priority 110 # interface Ethernet1/0/6 port access vlan 2 # Precautions ■ The Switch 5500 supports VRRP, while the Switch 4500 does not. ■ For the IP address owner, its pr[...]

  • Page 189

    VRRP Interface Tracking 189 Network Diagram Figure 51 Network diagram for VRRP Networking and Configuration Requirements Switch A is the master and Switch B is the backup in a VRRP group. Both Switch A and Switch B have an interface connected with the Internet. Configure the VRRP interface tracking function, so that when the interface connected [...]

  • Page 190

    190 CHAPTER 20: VRRP CONFIGURATION GUIDE # Create VRRP group 1. [LSW-A] interface Vlan-interface 2 [LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Set the priority of Switch A in VRRP group 1 to 110. [LSW-A-Vlan-interface2] vrrp vrid 1 priority 110 # Set the interface to be tracked. [LSW-A-Vlan-interface2] vrrp vrid 1 track inter[...]

  • Page 191

    VRRP Port Tracking 191 port access vlan 2 # ■ Configurations on Switch B # vrrp ping-enable # interface Vlan-interface2 ip address 202.38.160.2 255.255.255.0 vrrp vrid 1 virtual-ip 202.38.160.111 # interface Ethernet1/0/5 port access vlan 2 # Precautions ■ The Switch 5500 supports VRRP, while the Switch 4500 does not. ■ For the IP address o[...]

  • Page 192

    192 CHAPTER 20: VRRP CONFIGURATION GUIDE Networking and Configuration Requirements ■ There are two switches, the master and the backup, in VRRP group 1. ■ The IP addresses of the master and the backup are 10.100.10.2 and 10.100.10.3 respectively. ■ The master is connected with the upstream network through port Ethernet 1/0/1 that belong[...]

  • Page 193

    VRRP Port Tracking 193 [3Com] interface Vlan-interface 3 [3Com-Vlan-interface3] vrrp vrid 1 virtual-ip 10.100.10.1 # Enter port view of Ethernet 1/0/1 and enable the VRRP port tracking function. [3Com] interface Ethernet1/0/1 [3Com-Ethernet1/0/1] vrrp Vlan-interface 3 vrid 1 track reduced 50 Complete Configuration On the master: # interface Vlan[...]

  • Page 194

    194 CHAPTER 20: VRRP CONFIGURATION GUIDE[...]

  • Page 195

    21 DHCP CONFIGURATION GUIDE DHCP Server Global Address Pool Configuration Guide In general, there are two typical DHCP network topologies. One is to deploy the DHCP server and DHCP clients in the same network segment. This enables the clients to communicate with the server directly. The other is to deploy the DHCP server and DHCP clients in d[...]

  • Page 196

    196 CHAPTER 21: DHCP CONFIGURATION GUIDE Applicable Products Configuration Procedure # Enable DHCP. [SwitchA] dhcp enable # Exclude the IP addresses of the DNS server, WINS server, and gateways from dynamic assignment. [SwitchA] dhcp server forbidden-ip 10.1.1.2 [SwitchA] dhcp server forbidden-ip 10.1.1.4 [SwitchA] dhcp server forbidden-i[...]

  • Page 197

    DHCP Server Global Address Pool Configuration Guide 197 <SwitchA> %Apr 10 21:34:55:782 2000 3Com DHCPS/4/DHCPS_LOCAL_SERVER:- 1 - Local DHCP server information(detect by server):SERVER IP = 10.1.1.5; Sourceclient information: interface = Vlan-interface2, type = DHCP_REQUEST, CHardAddr= 00e0-fc55-0011 Complete Configuration # dhcp server [...]

  • Page 198

    198 CHAPTER 21: DHCP CONFIGURATION GUIDE DHCP Server Interface Address Pool Configuration Guide Network Diagram Figure 54 Network diagram for DHCP server interface address pool configuration Networking and Configuration Requirements ■ Configure the IP address of VLAN-interface 1 on the DHCP server (Switch A) as 192.168.0.1/24. ■ The DHCP c[...]

  • Page 199

    DHCP Relay Agent Configuration Guide 199 [SwitchA-Vlan-interface1] dhcp select interface # Configure a static IP-to-MAC binding in the DHCP interface address pool. [SwitchA-Vlan-interface1] dhcp server static-bind ip-address 192.168.0.10 mac-address 000D-88F7-0001 # Specify the lease duration, DNS server address, and WINS server address in the [...]

  • Page 200

    200 CHAPTER 21: DHCP CONFIGURATION GUIDE Network Diagram Figure 55 Network diagram for DHCP relay agent configuration Networking and Configuration Requirements ■ VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLA[...]

  • Page 201

    DHCP Snooping Configuration Guide 201 [SwitchA] dhcp-security static 10.10.10.5 0001-0010-0001 # Enable the address check function on the DHCP relay agent. [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] address-check enable Currently, a Switch 4500 operating as a DHCP relay agent does not support the address check function. Compl[...]

  • Page 202

    202 CHAPTER 21: DHCP CONFIGURATION GUIDE Network Diagram Figure 56 Network diagram for DHCP snooping configuration Networking and Configuration Requirements As shown in Figure 56, Ethernet 1/0/5 of Switch is connected to the DHCP server, and Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 are respectively connected to Client A, Client B[...]

  • Page 203

    DHCP Accounting Configuration Guide 203 Precautions ■ You need to specify the port connected to the authorized DHCP server as a trusted port to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the ports connected to the DHCP clients must be in the same VLAN. ■ To enable DHCP snooping on a Switch 5500 that bel[...]

  • Page 204

    204 CHAPTER 21: DHCP CONFIGURATION GUIDE # Enter Ethernet 1/0/1 view and add the port to VLAN 2. [3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] port access vlan 2 [3Com-Ethernet1/0/1] quit # Enter Ethernet 1/0/2 view and add the port to VLAN 3. [3Com] interface Ethernet 1/0/2 [3Com-Ethernet1/0/2] port access vlan 3 [3Com-Ethernet1/0/2][...]

  • Page 205

    DHCP Client Configuration Guide 205 # vlan 2 # vlan 3 # interface Vlan-interface2 ip address 10.1.1.1 255.255.255.0 # interface Vlan-interface3 ip address 10.1.2.1 255.255.255.0 # interface Ethernet1/0/1 port access vlan 2 # interface Ethernet1/0/2 port access vlan 3 # Precautions Before configuring DHCP accounting, make sure that: ■ The DHCP s[...]

  • Page 206

    206 CHAPTER 21: DHCP CONFIGURATION GUIDE Complete Configuration # interface Vlan-interface1 ip address dhcp-alloc # Precautions None[...]

  • Page 207

    22 ACL CONFIGURATION GUIDE Configuring Basic ACLs Basic ACLs filter packets based on only source IP address. The numbers of basic ACLs range from 2000 to 2999. Network Diagram Figure 58 Network diagram for basic ACL configuration Networking and Configuration Requirements PC 1 and PC 2 connect to the switch through Ethernet 1/0/1 (assuming tha[...]

  • Page 208

    208 CHAPTER 22: ACL CONFIGURATION GUIDE Complete Configuration # acl number 2000 rule 1 deny source 10.1.1.1 0 time-range test # interface Ethernet1/0/1 packet-filter inbound ip-group 2000 rule 1 # time-range test 08:00 to 18:00 daily # Precautions ■ If a packet matches multiple ACL rules at the same time and some actions of the rules con[...]

  • Page 209

    Configuring Ethernet Frame Header ACLs 209 Configuration Procedure # Define a periodic time range that is from 8:00 to 18:00 on working days. <3Com> system-view [3Com] time-range test 8:00 to 18:00 working-day # Define advanced ACL 3000 to filter packets destined for the wage query server. [3Com] acl number 3000 [3Com-acl-adv-3000] rule [...]

  • Page 210

    210 CHAPTER 22: ACL CONFIGURATION GUIDE Network Diagram Figure 60 Network diagram for Ethernet frame header ACL configuration Networking and Configuration Requirements PC 1 and PC 2 connect to the switch through Ethernet 1/0/1 (assuming that the switch is a Switch 5500). PC 1’s MAC address is 0011-0011-0011. Apply an Ethernet frame head[...]

  • Page 211

    Configuring User-Defined ACLs 211 Precautions ■ If a packet matches multiple ACL rules at the same time and some actions of the rules conflict, the last assigned rule takes effect. For an Ethernet frame header ACL applied to a port, you cannot configure the format-type argument as 802.3/802.2, 802.3, ether_ii or snap. ■ When applying mu[...]

  • Page 212

    212 CHAPTER 22: ACL CONFIGURATION GUIDE # Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from 8:00 to 18:00 every day (provided that VLAN-VPN is not enabled on any port). In the ACL rule, 0806 is the ARP protocol number, 16 is the protocol type field offset of the internally processed Ethernet frame, c0a80001 is [...]

  • Page 213

    Configuring User-Defined ACLs 213 ■ With the Switch 5500/5500G, for a user-defined ACL to be assigned successfully, the maximum length of a user-defined rule string is 32 bytes. The string may or may not contain spaces, and can occupy up to eight mask offset units. Besides, any two offset units cannot belong to the same offset group. ■ F[...]

  • Page 214

    214 CHAPTER 22: ACL CONFIGURATION GUIDE[...]

  • Page 215

    23 QoS/QoS PROFILE CONFIGURATION GUIDE Configuring Traffic Policing and LR Network Diagram Figure 62 Network diagram for traffic policing and LR configuration Networking and Configuration Requirements A company uses a switch (a Switch 5500 in this example) to interconnect all the departments. PC 1 with IP address 192.168.0.1 belongs t[...]

  • Page 216

    216 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE Configuration Procedure 1 Define traffic classification rules # Create basic ACL 2000 and enter basic ACL view. <3Com> system-view [3Com] acl number 2000 # Define a rule to match the packets with source IP address 192.168.0.1. [3Com-acl-basic-2000] rule permit source 192.168.0.1[...]

  • Page 217

    Configuring Priority Marking and Queue Scheduling 217 Configuring Priority Marking and Queue Scheduling Network Diagram Figure 63 Network diagram for priority marking and queue scheduling configuration Networking and Configuration Requirements A company uses a switch (a Switch 5500 in this example) to interconnect all the departments. PC 1, PC 2[...]

  • Page 218

    218 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE Configuration Procedure 1 Define traffic classification rules # Create advanced ACL 3000 and enter advanced ACL view. <3Com> system-view [3Com] acl number 3000 # Define traffic classification rules with destination IP address as the match criterion. [3Com-acl-adv-3000] rule 0 pe[...]

  • Page 219

    Configuring Priority Marking and Queue Scheduling 219 acl number 3000 rule 0 permit IP destination 192.168.0.1 0 rule 1 permit IP destination 192.168.0.2 0 rule 2 permit IP destination 192.168.0.3 0 # interface Ethernet1/0/1 traffic-priority inbound ip-group 3000 rule 0 local-precedence 4 traffic-priority inbound ip-group 3000 rule 1 local-prec[...]

  • Page 220

    220 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE ■ The Switch 4210 supports the WRR queue scheduling algorithm and the high queue-WRR (HQ-WRR) queue scheduling algorithm. HQ-WRR is implemented based on WRR. HQ-WRR selects queue 3 as the high-priority queue from the four output queues. If the bandwidth occupied by the four queues ex[...]

  • Page 221

    Configuring Traffic Redirection and Traffic Accounting 221 ■ During non-working time, count the HTTP traffic from PC 1 to the Internet. Applicable Products Configuration Procedure 1 Define a time range for working days # Create time range tr1, setting it to become active between 8:30 to 18:00 during working days. <3Com> system-view [3Co[...]

  • Page 222

    222 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE rule 1 permit TCP source 192.168.0.1 0 destination-port eq www time-range tr2 # interface Ethernet1/0/1 traffic-redirect inbound ip-group 3000 rule 0 interface Ethernet1/0/2 traffic-statistic inbound ip-group 3000 rule 1 # time-range tr2 00:00 to 08:30 working-day time-range tr2 18:00 to 2[...]

  • Page 223

    Configuring QoS Profile 223 Applicable Products Configuration Procedure 1 Configuration on the AAA server Configure authentication information and user name-to-QoS-profile mapping for the user on the AAA server. Refer to “AAA Configuration” in the Configuration Guide for your product for detailed information. 2 Configuration on the switch[...]

  • Page 224

    224 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE # Enable 802.1x. [3Com] dot1x [3Com] dot1x interface Ethernet 1/0/1 Complete Configuration # dot1x # radius scheme system radius scheme radius1 server-type standard primary authentication 10.11.1.1 primary accounting 10.11.1.2 secondary authentication 10.11.1.2 secondary accounting 10.11.[...]

  • Page 225

    24 WEB CACHE REDIRECTION CONFIGURATION GUIDE Configuring Web Cache Redirection The Web cache redirection function redirects the packets accessing Web pages to a Web cache server, thus reducing the load on the links between a LAN and the Internet and improving the speed of obtaining information from the Internet. Network Diagram Figure [...]

  • Page 226

    226 CHAPTER 24: WEB CACHE REDIRECTION CONFIGURATION GUIDE ■ The Web cache server belongs to VLAN 40 and is connected to Ethernet 1/0/4 of the switch. The IP address of the VLAN interface for VLAN 40 is 192.168.4.1/24. The IP address and the MAC address of the Web cache server are 192.168.4.2 and 0012-0990-2250. ■ The router is connect[...]

  • Page 227

    Configuring Web Cache Redirection 227 [3Com-Vlan-interface40] ip address 192.168.4.1 24 [3Com-Vlan-interface40] quit # Create VLAN 50 for the switch to connect to the router and configure the IP address of VLAN-interface 50 as 192.168.5.1. [3Com] vlan 50 [3Com-vlan50] port Ethernet 1/0/5 [3Com-vlan50] quit [3Com] interface Vlan-interface 50 [3Com-[...]

  • Page 228

    228 CHAPTER 24: WEB CACHE REDIRECTION CONFIGURATION GUIDE interface Ethernet1/0/1 port access vlan 10 # interface Ethernet1/0/2 port access vlan 20 # interface Ethernet1/0/3 port access vlan 30 # interface Ethernet1/0/4 port link-type trunk port trunk permit vlan 1 40 50 webcache address 192.168.4.2 mac 0012-0990-2250 vlan 40 # webcache redi[...]

  • Page 229

    25 MIRRORING CONFIGURATION GUIDE Local Port Mirroring Configuration In local port mirroring, packets of one or more source ports of a device are copied to a destination port on the device for packet analysis and monitoring. In local port mirroring, the source ports and the destination port are on the same device. Network Diagram Figure 67 N[...]

  • Page 230

    230 CHAPTER 25: MIRRORING CONFIGURATION GUIDE Configuration Procedure Configure Switch C: # Create a local mirroring group. <3Com> system-view [3Com] mirroring-group 1 local # Configure the source ports and destination port for the local mirroring group. [3Com] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both [3Com][...]

  • Page 231

    Remote Port Mirroring Configuration 231 Remote Port Mirroring Configuration Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. Therefore, administrators can monitor the traffic on remote devices conven[...]

  • Page 232

    232 CHAPTER 25: MIRRORING CONFIGURATION GUIDE Network Diagram Figure 69 Network diagram for remote port mirroring Networking and Configuration Requirements The departments of a company connect to each other through Switch 5500s: ■ Switch A, Switch B, and Switch C are Switch 5500s. ■ Department 1 is connected to Ethernet 1/0/1 of Switch A[...]

  • Page 233

    Remote Port Mirroring Configuration 233 Configuration Procedure 1 Configure the source switch (Switch A) # Create remote source mirroring group 1. <3Com> system-view [3Com] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN. [3Com] vlan 10 [3Com-vlan10] remote-probe vlan enable [3Com-vlan10] quit # Configure the [...]

  • Page 234

    234 CHAPTER 25: MIRRORING CONFIGURATION GUIDE [3Com] vlan 10 [3Com-vlan10] remote-probe vlan enable [3Com-vlan10] quit # Configure the destination port and remote-probe VLAN for the remote destination mirroring group. [3Com] mirroring-group 1 monitor-port Ethernet 1/0/2 [3Com] mirroring-group 1 remote-probe vlan 10 # Configure Ethernet 1/[...]

  • Page 235

    Remote Port Mirroring Configuration 235 3 Configuration on the destination switch (Switch C) # mirroring-group 1 remote-destination # vlan 10 remote-probe vlan enable # interface Ethernet1/0/1 port link-type trunk port trunk permit vlan 1 10 # interface Ethernet1/0/2 port access vlan 10 mirroring-group 1 monitor-port # Precautions Note the follow[...]

  • Page 236

    236 CHAPTER 25: MIRRORING CONFIGURATION GUIDE ■ Packets received on the destination port are those processed and forwarded by the switch. ■ The destination port to be configured cannot be a member port of an existing mirroring group; a fabric port (only the Switch 5500/5500G have this limitation), a member port of an aggregation group[...]

  • Page 237

    Traffic Mirroring Configuration 237 Configuration Procedure # Configure a basic ACL 2000, matching the packets whose source IP address is 192.168.0.1. <3Com> system-view [3Com] acl number 2000 [3Com-acl-basic-2000] rule permit source 192.168.0.1 0 [3Com-acl-basic-2000] quit # Configure traffic mirroring on Ethernet 1/0/1. Mirror packet[...]

  • Page 238

    238 CHAPTER 25: MIRRORING CONFIGURATION GUIDE[...]

  • Page 239

    26 XRN CONFIGURATION GUIDE XRN Fabric Configuration Several Expandable Resilient Networking (XRN) supported switches can be interconnected to form a fabric, in which each switch is a unit, the ports connecting the units are called fabric ports, and the other ports that are used to connect the fabric to users are called user ports. In this way, [...]

  • Page 240

    240 CHAPTER 26: XRN CONFIGURATION GUIDE Fabric Cable Connection Note: You are recommended to connect the switches with cables after the configuration in “Configuration Procedure” on page 241. Fabric cable connection mode of Switch 5500s When building an XRN fabric of Switch 5500s, note the fabric cable[...]

  • Page 241

    XRN Fabric Configuration 241 ■ A Switch 5500Gs switch has two ports: up port and down port. Given a switch, its up port is connected to the down port of another switch, and its down port is connected to the up port of a third one. ■ Plug the cable connectors completely into the fabric ports. Note: On a Switch 5500Gs Ethernet switch, only two spe[...]

  • Page 242

    242 CHAPTER 26: XRN CONFIGURATION GUIDE # Configure the fabric name as hello. [3Com] sysname hello # Configure the authentication mode as simple and password as welcome. [hello] XRN-fabric authentication-mode simple welcome 2 Configure Switch B. # Bring up the fabric ports. <3Com> system-view [3Com] fabric-port GigabitEthernet 1/1/1 ena[...]

  • Page 243

    XRN Fabric Configuration 243 By viewing the Left Port and Right Port fields in the output information, you can know the running status of the current fabric ports. The above prompt information indicates that the fabric ports are working normally (displayed as Normal). You can also use the display XRN command to view the switches in the current X[...]

  • Page 244

    244 CHAPTER 26: XRN CONFIGURATION GUIDE [3Com] sysname hello The configurations and verification on Switch C are the same as those on a Switch 5500. Therefore they are omitted here. Complete Configuration Complete configuration on the Switch 5500 Note: To avoid repetition, only the complete configuration of Switch A is listed below. ■ Configu[...]

  • Page 245

    XRN Fabric Configuration 245 Otherwise, you cannot enable the fabric port. For detailed restrictions, refer to the error information output by devices. ■ When configuring XRN, do not configure other functions, and before configuring other functions, make sure the fabric has been established and works normally. ■ After a fabric is establishe[...]

  • Page 246

    246 CHAPTER 26: XRN CONFIGURATION GUIDE[...]

  • Page 247

    27 CLUSTER CONFIGURATION GUIDE Cluster Configuration The cluster function is implemented through 3Com Group Management Protocol version 2 (Switch Clusteringv2). Using Switch Clusteringv2, you can manage multiple switches through the public IP address of a master device. In a cluster, the master switch is called the management device, and th[...]

  • Page 248

    248 CHAPTER 27: CLUSTER CONFIGURATION GUIDE ■ Ethernet 1/0/1 belongs to VLAN 2, whose interface IP address is 163.172.55.1. ■ All the devices in the cluster share the same FTP/TFTP server. ■ The FTP/TFTP server uses IP address 63.172.55.1. ■ The NMS/logging host uses IP address 69.172.55.4. Applicable Products Note: The Switch 42[...]

  • Page 249

    Cluster Configuration 249 [3Com] ndp enable [3Com] undo ndp enable interface Ethernet 1/0/1 [3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] undo ntdp enable [3Com-Ethernet1/0/1] quit # Enable NDP on Ethernet 1/0/2 and Ethernet 1/0/3. [3Com] interface Ethernet 1/0/2 [3Com-Ethernet1/0/2] ndp enable [3Com-Ethernet1/0/2] quit [3Com] interface Et[...]

  • Page 250

    250 CHAPTER 27: CLUSTER CONFIGURATION GUIDE [3Com] cluster [3Com-cluster] # Configure a private IP address pool for a cluster. The IP address pool contains six IP addresses, starting from 172.16.0.1. [3Com-cluster] ip-pool 172.16.0.1 255.255.255.248 # Name and build a cluster. [3Com-cluster] build aaa [aaa_0.3Com-cluster] # Add the two swit[...]

  • Page 251

    Network Management Interface Configuration 251 Complete Configuration 1 Configurations on the management device # interface Vlan-interface2 ip address 163.172.55.1 255.255.255.0 # ntdp hop 2 ntdp timer port-delay 15 ntdp timer hop-delay 150 ntdp timer 3 # ndp timer hello 70 ndp timer aging 200 # cluster ip-pool 172.16.0.1 255.255.255.248 build a[...]

  • Page 252

    252 CHAPTER 27: CLUSTER CONFIGURATION GUIDE Network Diagram Figure 75 Network diagram for network management interface configuration Networking and Configuration Requirements ■ Configure VLAN-interface 2 as the network management interface. ■ Configure VLAN 3 as the management VLAN. ■ The IP address of the FTP server is 192.168.4.3[...]

  • Page 253

    Network Management Interface Configuration 253 # Add Ethernet 1/0/2 to VLAN 2. [3Com] vlan 2 [3Com-vlan2] port Ethernet 1/0/2 [3Com-vlan2] quit # Configure the IP address of VLAN-interface 2 as 192.168.4.22. [3Com] interface Vlan-interface 2 [3Com-Vlan-interface2] ip address 192.168.4.22 255.255.255.0 [3Com-Vlan-interface2] quit # Enable the cluste[...]

  • Page 254

    254 CHAPTER 27: CLUSTER CONFIGURATION GUIDE ■ The network management interface can be configured on the management switch only. Note: The network management interface cannot be configured on the Switch 4210. Cluster Configuration in Real Networking In a complicated network, you can manage switches remotely in bulk through Switch Clu[...]

  • Page 255

    Cluster Configuration in Real Networking 255 The member switches: ■ Member switch Switch B is connected to Switch D through Ethernet 1/0/2. ■ Switch B is connected to Switch E through Ethernet 1/0/3. ■ Switch B is connected to Switch F through Ethernet 1/0/4. Note: ■ Switch A, Switch B and Switch C are usually the Switch 5500 and Switch 5500G. [...]

  • Page 256

    256 CHAPTER 27: CLUSTER CONFIGURATION GUIDE [3Com] interface Ethernet 1/0/2 [3Com-Ethernet1/0/2] ntdp enable [3Com-Ethernet1/0/2] quit [3Com] interface Ethernet 1/0/3 [3Com-Ethernet1/0/3] ntdp enable [3Com-Ethernet1/0/3] quit [3Com] interface Ethernet 1/0/4 [3Com-Ethernet1/0/4] ntdp enable [3Com-Ethernet1/0/4] quit # Enable the cluster functio[...]

  • Page 257

    Cluster Configuration in Real Networking 257 [3Com] ntdp timer hop-delay 180 # Set the delay for a port of a member device to forward topology collection request to 20 ms. [3Com] ntdp timer port-delay 20 # Set the topology collection interval to three minutes. [3Com] ntdp timer 3 # Enable the cluster function. [3Com] cluster enable # Enter cluster[...]

  • Page 258

    258 CHAPTER 27: CLUSTER CONFIGURATION GUIDE Complete Configuration 1 Configuration on Switch A # ntdp hop 2 ntdp timer port-delay 20 ntdp timer hop-delay 180 ntdp timer 3 # ndp timer hello 100 ndp timer aging 300 # cluster ip-pool 172.16.0.1 255.255.255.248 build aaa holdtime 100 tftp-server 10.1.1.15 snmp-host 10.1.1.16 #[...]

  • Page 259

    28 PoE/PoE PROFILE CONFIGURATION GUIDE PoE Configuration Power over Ethernet (PoE)-enabled devices use 10BASE-T, 100BASE-TX and 1000BASE-T twisted pair cables to supply power to powered devices (PD) and implement power supply and data transmission simultaneously. Network Diagram Figure 77 Network diagram for PoE configuration Networki[...]

  • Page 260

    260 CHAPTER 28: PoE/PoE PROFILE CONFIGURATION GUIDE Configuration Procedure # Upgrade the power processing software. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 Update PoE board successfully # Enable the PoE feature on ports Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/8. [SwitchA] interface Ethernet 1/0/1[...]

  • Page 261

    PoE Profile Configuration 261 Ethernet1/0/8 on enable signal critical Standard PD was detected ...... # View the PoE power information of all the ports on the switch. <SwitchA> display poe interface power PORT INDEX POWER (mW) PORT INDEX POWER (mW) Ethernet1/0/1 11500 Ethernet1/0/2 2300 Ethernet1/0/3 0 Ethernet1/0/4 0 Ethernet1/0/5 0 Etherne[...]

  • Page 262

    262 CHAPTER 28: POE/POE PROFILE CONFIGURATION GUIDE Network Diagram Figure 78 Network diagram for PoE profile configuration Networking and Configuration Requirements Switch A is a Switch 5500 supporting PoE. Ethernet 1/0/1 through Ethernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: ■ The PoE[...]

  • Page 263

    PoE Profile Configuration 263 # In Profile1, add the PoE policy configuration applicable to Ethernet 1/0/1 through Ethernet 1/0/5 for users of group A. [SwitchA-poe-profile-Profile1] poe enable [SwitchA-poe-profile-Profile1] poe mode signal [SwitchA-poe-profile-Profile1] poe priority critical [SwitchA-poe-profile-Profile1] poe max-power 3000[...]

  • Page 264

    264 CHAPTER 28: POE/POE PROFILE CONFIGURATION GUIDE # interface Ethernet1/0/7 apply poe-profile Profile2 # interface Ethernet1/0/8 apply poe-profile Profile2 # interface Ethernet1/0/9 apply poe-profile Profile2 # interface Ethernet1/0/10 apply poe-profile Profile2 Precautions 1 When the apply poe-profile command is used to apply a PoE prof[...]

  • Page 265

    29 UDP HELPER CONFIGURATION GUIDE UDP Helper Configuration Guide The Switch 5500 provides the UDP Helper function to relay specified UDP packets. In other words, UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server. With UDP Helper enabled, the de[...]

  • Page 266

    266 CHAPTER 29: UDP HELPER CONFIGURATION GUIDE [SwitchA] udp-helper enable # Configure the switch to forward broadcasts containing the destination UDP port number 137. (By default, the device, after enabled with UDP Helper, forwards the broadcasts containing the destination UDP port number 137.) [SwitchA] udp-helper port 137 # Specify the de[...]

  • Page 267

    30 SNMP-RMON CONFIGURATION GUIDE SNMP Configuration The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes. In this way, network administrators can easily retrieve and modify the information about any node on the network, locate and diagnose network pr[...]

  • Page 268

    268 CHAPTER 30: SNMP-RMON CONFIGURATION GUIDE # For SNMPv3, set the SNMPv3 group and user, set the security level to authentication with privacy, authentication protocol to HMAC-MD5, authentication password to passmd5, encryption protocol to DES, and encryption password to cfb128cfb128. [3Com] snmp-agent group v3 managev3group privacy wr[...]

  • Page 269

    RMON Configuration 269 RMON Configuration Remote Monitoring (RMON) is a kind of MIB defined by Internet Engineering Task Force (IETF). It is an important enhancement to MIB II standards. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management [...]

  • Page 270

    270 CHAPTER 30: SNMP-RMON CONFIGURATION GUIDE [3Com] rmon prialarm 2 (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user 1 Complete Configuration # rmon event 1 description null log owner null rmon event 2 description null trap 10.21.30.55 own[...]

  • Page 271

    31 NTP CONFIGURATION GUIDE NTP Client/Server Mode Configuration Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed time servers and clients. NTP runs over the User Datagram Protocol (UDP), using UDP port 123. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devic[...]

  • Page 272

    272 CHAPTER 31: NTP CONFIGURATION GUIDE [DeviceB] display ntp-service sessions Complete Configuration # ntp-service unicast-server 1.0.1.11 Precautions The local clock of a 3Com Switch 5500, 5500G, or 4210 cannot be set as a reference clock. It can synchronize other devices as a reference clock only when its clock is synchronized. NTP S[...]

  • Page 273

    NTP Broadcast Mode Configuration 273 # Set Device C as the symmetric-peer. <DeviceB> system-view [DeviceB] ntp-service unicast-peer 3.0.1.33 # View NTP status and NTP session information of Device C after clock synchronization. [DeviceC] display ntp-service status [DeviceC] display ntp-service sessions Complete Configuration ■ Configurati[...]

  • Page 274

    274 CHAPTER 31: NTP CONFIGURATION GUIDE Applicable Products Configuration Procedure ■ Configure Device C. # Set Device C to work as the broadcast server and send broadcasts through its VLAN-interface 2. <DeviceC> system-view [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service broadcast-server ■ Configure D[...]

  • Page 275

    NTP Multicast Mode Configuration 275 Precautions The local clock of the Switch 5500, 5500G, or 4210 cannot be set as a reference clock. It can synchronize other devices as a reference clock only when its clock is synchronized. NTP Multicast Mode Configuration Network Diagram Figure 85 Network diagram for NTP multicast mode configuration Network[...]

  • Page 276

    276 CHAPTER 31: NTP CONFIGURATION GUIDE <DeviceA> system-view [DeviceA] interface Vlan-interface 2 [DeviceA-Vlan-interface2] ntp-service multicast-client ■ View the NTP status and NTP session information of Device D after clock synchronization (You can use the same command to view the NTP status and NTP session information of Device[...]

  • Page 277

    NTP Client/Server Mode with Authentication Configuration 277 ■ Device B is a Switch 5500, which takes Device A as the time server and works in the client mode. Device A automatically works in the server mode. ■ Configure NTP authentication between Device A and Device B. Applicable Products Configuration Procedure ■ Configure Device B. # S[...]

  • Page 278

    278 CHAPTER 31: NTP CONFIGURATION GUIDE ntp-service reliable authentication-keyid 42 ntp-service unicast-server 1.0.1.11 ■ Configuration on Device A. # ntp-service authentication enable ntp-service authentication-keyid 42 authentication-mode md5 X&9#$^U (!:[Q=^Q‘MAF4<1!! ntp-service reliable authentication-keyid 42 Precautions The lo[...]

  • Page 279

    32 SSH CONFIGURATION GUIDE Configuring the Switch to Act as the SSH Server and Use Password Authentication Network Diagram Figure 87 Network diagram for configuring the switch to act as the SSH server and use password authentication Networking and Configuration Requirements In scenarios where users log into a switch over an insecure network, SSH[...]

  • Page 280

    280 CHAPTER 32: SSH CONFIGURATION GUIDE # Set the authentication mode for the user interfaces to AAA. [3Com] user-interface vty 0 4 [3Com-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [3Com-ui-vty0-4] protocol inbound ssh [3Com-ui-vty0-4] quit # Create local user client001, and set the authentication pass[...]

  • Page 281

    Configuring the Switch to Act as the SSH Server and Use Password Authentication 281 Take SSH client software PuTTY v0.58 as an example: 1 Run PuTTY.exe to enter the following configuration interface. Figure 88 SSH client configuration interface In the Host Name (or IP address) text box, enter the IP address of the SSH server. 2 From the category[...]

  • Page 282

    282 CHAPTER 32: SSH CONFIGURATION GUIDE Figure 89 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. 3 As shown in Figure 89, click Open. If the connection is normal, you can enter the username client001 and password abc at prompt. Once authentication succeeds, you will log onto th[...]

  • Page 283

    Configuring the Switch to Act as the SSH Server and Use RSA Authentication 283 Configuring the Switch to Act as the SSH Server and Use RSA Authentication Network Diagram Figure 90 Network diagram for configuring the switch to act as the SSH server and use RSA authentication Networking and Configuration Requirements In scenarios where users log in[...]

  • Page 284

    284 CHAPTER 32: SSH CONFIGURATION GUIDE [3Com-ui-vty0-4] user privilege level 3 [3Com-ui-vty0-4] quit # Configure the authentication method of the SSH client named client001 as RSA. [3Com] ssh user client001 authentication-type rsa Note: Before performing the following steps, you must generate an RSA key pair by using the client software on the[...]

  • Page 285

    Configuring the Switch to Act as the SSH Server and Use RSA Authentication 285 Note: During the generation process, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 92. Otherwise, the process bar stops moving and the key pair generation process is stopped. Figure 92 Client key pair generation interface[...]

  • Page 286

    286 CHAPTER 32: SSH CONFIGURATION GUIDE Figure 93 Client key pair generation interface 3 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case). Fi[...]

  • Page 287

    Configuring the Switch to Act as the SSH Server and Use RSA Authentication 287 Take SSH client software PuTTY v0.58 as an example: 1 Run PuTTY.exe to enter the following configuration interface. Figure 95 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the SSH server. 2 From the category o[...]

  • Page 288

    288 CHAPTER 32: SSH CONFIGURATION GUIDE Figure 96 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. 3 From the category, select Connection / SSH / Auth. The following window appears.[...]

  • Page 289

    Configuring the Switch to Act as the SSH Server and Use RSA Authentication 289 Figure 97 SSH client configuration interface 2 Click Browse... to bring up the file selection window, navigate to the private key file and click OK. 4 In the window shown in Figure 97, click Open. If the connection is normal, you will be prompted to enter the usern[...]

  • Page 290

    290 CHAPTER 32: SSH CONFIGURATION GUIDE Configuring the Switch to Act as the SSH Client and Use Password Authentication Network Diagram Figure 98 Network diagram for configuring the switch to act as the SSH client and use password authentication Networking and Configuration Requirements In scenarios where users log into a switch over an insecur[...]

  • Page 291

    Configuring the Switch to Act as the SSH Client and Use Password Authentication 291 [3Com-ui-vty0-4] protocol inbound ssh [3Com-ui-vty0-4] quit # Create local user client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client. [3Com] local-user client001 [3Com-luser-client001] pass[...]

  • Page 292

    292 CHAPTER 32: SSH CONFIGURATION GUIDE authentication-mode scheme protocol inbound ssh ■ Configure Switch A # interface Vlan-interface1 ip address 10.165.87.137 255.255.255.0 # Precautions None Configuring the Switch to Act as the SSH Client and Use RSA Authentication Network Diagram Figure 99 Network diagram for configuring the switch to ac[...]

  • Page 293

    Configuring the Switch to Act as the SSH Client and Use RSA Authentication 293 [3Com] rsa local-key-pair create # Set the authentication mode for the user interfaces to AAA. [3Com] user-interface vty 0 4 [3Com-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [3Com-ui-vty0-4] protocol inbound ssh # Set the client?[...]

  • Page 294

    294 CHAPTER 32: SSH CONFIGURATION GUIDE # Display the host public key. <3Com> display rsa local-key-pair public ===================================================== Time of Key pair created: 05:15:04 2006/12/08 Key name: 3Com_Host Key type: RSA encryption Key ===================================================== Key code: 3047 0240 C8[...]

  • Page 295

    Configuring the Switch to Act as the SSH Client and Not to Support First-Time Authentication 295 ip address 10.165.87.136 255.255.255.0 # ssh user client001 assign rsa-key Switch001 ssh user client001 authentication-type rsa ssh user client001 service-type stelnet # user-interface vty 0 4 authentication-mode scheme user privilege level 3 protocol[...]

  • Page 296

    296 CHAPTER 32: SSH CONFIGURATION GUIDE # Create a VLAN interface on the switch and assign an IP address for it. The SSH client will use this address as the destination for SSH connection. <3Com> system-view [3Com] interface vlan-interface 1 [3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 [3Com-Vlan-interface1] quit # Generat[...]

  • Page 297

    Configuring the Switch to Act as the SSH Client and Not to Support First-Time Authentication 297 # Display the server host public key. [3Com] display rsa local-key-pair public ===================================================== Time of Key pair created: 09:04:41 2000/04/04 Key name: 3Com_Host Key type: RSA encryption Key =======================[...]

  • Page 298

    298 CHAPTER 32: SSH CONFIGURATION GUIDE Note: After generating a key pair on a client, you need to manually configure the host public key on the server and have the configuration on the server done before continuing configuration on the client. # Disable first-time authentication. [3Com] undo ssh client first-time Note: When the switch acting as th[...]

  • Page 299

    Configuring the Switch to Act as the SSH Client and Not to Support First-Time Authentication 299 D5E2C4F8 AED72834 74D3404A 0B14363D D709 CC63 68C8CE00 57C0EE6 B 074C0CA9 0203 010001 public-key-code end peer-public-key end # vlan 1 # interface Vlan-interface1 ip address 10.165.87.136 255.255.255.0 # ssh user client001 assign rsa-key Switch001 ssh [...]

  • Page 300

    300 CHAPTER 32: SSH CONFIGURATION GUIDE Configuring SFTP Network Diagram Figure 101 Network diagram for configuring SFTP Networking and Configuration Requirements As shown in Figure 101, establish an SSH connection between the SFTP client (Switch A) and the SFTP server (Switch B). Log in to Switch B with the user name client001 and passwor[...]

  • Page 301

    Configuring SFTP 301 [3Com] ssh user client001 authentication-type password # Specify the service type as SFTP. [3Com] ssh user client001 service-type sftp # Enable the SFTP server. [3Com] sftp server enable ■ Configure the SFTP client (Switch A) # Create a VLAN interface on the switch and assign an IP address for it. This address must be i[...]

  • Page 302

    302 CHAPTER 32: SSH CONFIGURATION GUIDE drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub # Add a directory named new1, and then check that the new directory has been successfully created. sftp-client> mkdir new1 New directory created sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52[...]

  • Page 303

    Configuring SFTP 303 Complete Configuration ■ Configure Switch B # local-user client001 password simple abc service-type ssh # interface Vlan-interface1 ip address 192.168.0.1 255.255.255.0 # sftp server enable ssh user client001 authentication-type password ssh user client001 service-type sftp # user-interface vty 0 4 authentication-mode scheme [...]

  • Page 304

    304 CHAPTER 32: SSH CONFIGURATION GUIDE[...]

  • Page 305

    33 FTP AND TFTP CONFIGURATION GUIDE Configuring a Switch as FTP Server The Ethernet switch can act as an FTP server to provide file transfer services. You can run FTP client software on a PC to log into the FTP server to access the files on the server. Note that you need to configure the IP address of the FTP server correctly for the se[...]

  • Page 306

    306 CHAPTER 33: FTP AND TFTP CONFIGURATION GUIDE # Assign IP address 1.1.1.1/16 to VLAN-interface 1. (You can log in to the switch through the Console port. For detailed information, refer to “Logging in through the Console Port” in the Configuration Guide for your product.) <3Com> <3Com> system-view [3Com] interface Vlan-i[...]

  • Page 307

    Configuring a Switch as FTP Client 307 Complete Configuration Configure the switch # local-user switch password simple hello service-type ftp # vlan 1 # interface Vlan-interface1 ip address 1.1.1.1 255.255.0.0 # FTP server enable Precautions ■ If the free Flash memory of the switch is not enough for the application file to be uploaded, remove [...]

  • Page 308

    308 CHAPTER 33: FTP AND TFTP CONFIGURATION GUIDE Applicable Products Configuration Procedure ■ Perform FTP service-related configurations on the PC, that is, create a user account on the FTP server with the user name switch and password hello. For detailed configuration, refer to the configuration instruction of the FTP server softwa[...]

  • Page 309

    Configuring a Switch as TFTP Client 309 <3Com> boot boot-loader switch.bin <3Com> reboot Complete Configuration # vlan 1 # interface Vlan-interface1 ip address 1.1.1.1 255.255.0.0 Precautions ■ If the free Flash memory of the switch is not enough for downloading the application file from the FTP server, remove those unused applic[...]

  • Page 310

    310 CHAPTER 33: FTP AND TFTP CONFIGURATION GUIDE ■ Configure the TFTP client (the switch): # Assign IP address 1.1.1.1/16 to VLAN-interface 1. (You can log in to the switch through the Console port. For detailed information, see “Logging in through the Console Port” in the Configuration Guide for your product.) <3Com> <3Com[...]

  • Page 311

    34 INFORMATION CENTER CONFIGURATION GUIDE Outputting Log Information to a Unix Log Host Network Diagram Figure 105 Network diagram for outputting log information to a Unix log host Networking and Configuration Requirements Send log information with severity higher than informational to a Unix log host with an IP address of 202.38.1.10. The i[...]

  • Page 312

    312 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE [3Com] info-center source ip channel loghost log level informational debug state off trap state off ■ Configuration on the log host. The following configurations were performed on SunOS 4.0 which has similar configurations with the Unix operating systems implemented by other vendors[...]

  • Page 313

    Outputting Log Information to a Linux Log Host 313 Outputting Log Information to a Linux Log Host Network Diagram Figure 106 Network diagram for outputting log information to a Linux log host Networking and Configuration Requirements Send log information to a Linux log host with an IP address of 202.38.1.10; Log information with severity higher t[...]

  • Page 314

    314 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE # ps -ae | grep syslogd 147 # kill -9 147 # syslogd -r & Complete Configuration ■ Configuration on the switch. # info-center source default channel 2 log level error trap state off info-center loghost 202.38.1.10 ■ Configuration on the log host. # # mkdir /var/log/3Com # touch /va[...]

  • Page 315

    Outputting Log and Trap Information to a Log Host Through the Same Channel 315 Applicable Products Configuration Procedure ■ Configuration on the switch. # Enable the information center. <3Com> system-view [3Com] info-center enable # The system outputs information of all modules through channel6 by default. Therefore, you need to disab[...]

  • Page 316

    316 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE # Open the TFTPD32 application program on the Windows operating system as shown in the following figure: 1 Current Directory indicates the directory of the log file syslog.txt. You can click the Browse button to set it. In this example, the directory is D:\Tools\TFTP. 2 Server int[...]

  • Page 317

    Outputting Log Information to the Console 317 Precautions On the Windows operating system, software settings vary with log host software. Outputting Log Information to the Console Network Diagram Figure 108 Network diagram for outputting log information to the console Networking and Configuration Requirements Log information with a severity high[...]

  • Page 318

    318 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE info-center source IP channel 0 trap state off undo info-center source default channel 0 Precautions None Displaying the Time Stamp with the UTC Time Zone Network Diagram Figure 109 Network diagram for displaying the time stamp with the UTC time zone Networking and Configuration Requireme[...]

  • Page 319

    Use of the Facility Argument in Log Information Output 319 Use of the Facility Argument in Log Information Output Network Diagram Figure 110 Network diagram for use of the facility argument in log information output Networking and Configuration Requirements Multiple switches in a LAN send log information to the same log host. You can know the r[...]

  • Page 320

    320 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE [SwitchA]info-center enable [SwitchA]info-center source default channel loghost log level debugging [SwitchA]info-center loghost 192.168.0.208 facility local0 channel loghost ■ Perform the same configurations on Switch B, Switch C, Switch D and Switch E, and specify the facility argumen[...]

  • Page 321

    35 VLAN-VPN CONFIGURATION GUIDE Configuring VLAN-VPN With VLAN-VPN enabled, a device tags a private network packet with an outer VLAN tag, thus enabling the packet to be transmitted through the service providers’ backbone network with both inner and outer VLAN tags. After reaching the peer private network, the packet’s outer VLAN tag[...]

  • Page 322

    322 CHAPTER 35: VLAN-VPN CONFIGURATION GUIDE Note: Only the Switch 5500 supports the configuration of TPID. The Switch 5500G and the Switch 4210 do not support that configuration. ■ Configure VLAN-VPN on Switch A and Switch B to enable the PC users and the terminal users to communicate with their respective servers. Applicable Products Config[...]

  • Page 323

    Configuring VLAN-VPN 323 # Set the TPID value of Ethernet 1/0/12 to 0x9200. [SwitchA-Ethernet1/0/12] vlan-vpn tpid 9200 ■ Configure Switch B # Enable VLAN-VPN on Ethernet 1/0/21 of Switch B, using the tag of VLAN 1040 as the outer VLAN tag for packets received on this port. <SwitchB> system-view [SwitchB] vlan 1040 [SwitchB-vlan1040] por[...]

  • Page 324

    324 CHAPTER 35: VLAN-VPN CONFIGURATION GUIDE ■ Configure Switch B # vlan 1040 # interface Ethernet1/0/21 port access vlan 1040 undo ntdp enable stp disable vlan-vpn enable vlan-vpn tpid 9200 # interface Ethernet1/0/22 port link-type trunk port trunk permit vlan 1 1040 vlan-vpn tpid 9200 Precautions ■ Do not configure VLAN 1040 as the defau[...]

  • Page 325

    Configuring BPDU Tunnel 325 ■ Configure the service provider network to transmit NDP packets of the customer network through a BPDU tunnel. ■ Enable VLAN-VPN for the service provider network, and enable the service provider network to use VLAN 100 to transmit data packets of the customer network. Applicable Products Configuration Procedure ?[...]

  • Page 326

    326 CHAPTER 35: VLAN-VPN CONFIGURATION GUIDE [3Com] interface Ethernet 1/0/3 [3Com-Ethernet1/0/3] port link-type trunk [3Com-Ethernet1/0/3] port trunk permit vlan 100 Complete Configuration ■ Configure Provider 1 # interface Ethernet1/0/1 undo ndp enable port access vlan 100 vlan-vpn enable bpdu-tunnel ndp # interface Ethernet1/0/2 port li[...]

  • Page 327

    36 REMOTE-PING CONFIGURATION GUIDE Remote-ping Configuration Remote-ping is a network diagnostic tool. It is used to test the performance of various protocols running in networks. Remote-ping provides more functions than the ping command. The ping command can only use the Internet Control Message Protocol (ICMP) to test the round trip time ([...]

  • Page 328

    328 CHAPTER 36: REMOTE-PING CONFIGURATION GUIDE Configuration procedure # Enable the Remote-ping client. <3Com> system-view System View: return to User View with Ctrl+Z. [3Com] remote-ping-agent enable # Create a Remote-ping test group, configuring the administrator name as administrator and test operation tag as ICMP. [3Com] remote[...]

  • Page 329

    37 DNS CONFIGURATION GUIDE Static Domain Name Resolution Configuration Guide Static domain name resolution is based on manually configured domain name-to-IP address mappings. If you telnet a remote device using its name, the local device will look up the corresponding IP address in the static domain name resolution table. Network Diagram F[...]

  • Page 330

    330 CHAPTER 37: DNS CONFIGURATION GUIDE 0.00% packet loss round-trip min/avg/max = 2/3/5 ms Complete Configuration # ip host host.com 10.1.1.2 Dynamic Domain Name Resolution Configuration Guide Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you[...]

  • Page 331

    Dynamic Domain Name Resolution Configuration Guide 331 PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=125 time=4 [...]

  • Page 332

    332 CHAPTER 37: DNS CONFIGURATION GUIDE[...]

  • Page 333

    38 ACCESS MANAGEMENT CONFIGURATION GUIDE Configuring Access Management The access management function is designed to control user accesses on access switches. It allows you to control the access of hosts to external networks. The idea is to bind a range of IP addresses to a port by configuring an access management IP address pool on the port[...]

  • Page 334

    334 CHAPTER 38: ACCESS MANAGEMENT CONFIGURATION GUIDE ■ Permit all the PCs of organization 1 to access the Internet through Ethernet 1/0/1 on Switch A. Ethernet 1/0/1 carries VLAN 1. The IP address assigned to the interface of VLAN 1 is 202.10.20.200/24. ■ PCs that do not belong to organization 1, such as PC 2 and PC 3, are not allow[...]

  • Page 335

    Configuring Access Management with Port Isolation 335 Configuring Access Management with Port Isolation Network Diagram Figure 117 Network diagram for access management and port isolation configuration Networking and Configuration Requirements Client PCs are connected to the Internet through Switch A. The IP address range for organization 1 is 202[...]

  • Page 336

    336 CHAPTER 38: ACCESS MANAGEMENT CONFIGURATION GUIDE # Configure the IP address of VLAN-interface 1 as 202.10.20.200/24. [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ip address 202.10.20.200 24 [SwitchA-Vlan-interface1] quit # Configure an access management IP address pool for Ethernet 1/0/1. [SwitchA] interface Ethern[...]