3Com 10014298 manual

http://www.3com.com/ Switch 7750 Configuration Guide Version 3.1.5 Published August 2005 Part No.10014298[...]

3Com Corporation 350 Campus Drive Marlbor ough, MA 01752-3064 Copyright © 2005, 3Com C orporation. All rights reserv ed. No part of th is documentation may be r eproduced in any form or by any means or used to make any deri vative work (such as translat ion, transformation, or adaptation) without written perm ission fr om 3Com Corporation. 3Com Co[...]

C ONTENTS A BOUT T HIS G UIDE Conventions 9 S YSTEM A CCESS Product Overview 11 Features 11 Configuring the Swit ch 7750 12 Setting T erminal Parame ters 13 Configuring Through T elnet 16 Configuring Through a Dial-up Modem 18 Configuring the User Interface 20 Command Line Interface 28 Command Line Vi ew 28 Features and Fu nctions of the Command Li[...]

Subnet and Mask 68 Configuring an IP Addr ess 68 T roubleshooting an IP Address Configuration 70 Configuring Addr ess Resolution Pr otocol (ARP) 70 Configuring ARP 71 DHCP Relay 72 Configuring DHCP Relay 73 T roubleshooting a DHCP Relay Configuration 76 IP Performance 77 Configuring TCP Attributes 77 Configuring Special IP Packet T ransmission to t[...]

Configuring PIM-DM 131 Configuring PIM-SM 136 PIM-SM Operating Principles 136 Pr eparing to Con figur e PIM-SM 137 Configuring PIM-SM 138 GMRP 146 Configuring GMRP 146 Q O S/ O PERATION ACL Overview 149 Filtering or Classifying Data T ransmitted by the Hard ware 149 Filtering or Classifying Data T ransmitted by the Softwar e 150 ACL Support on the [...]

Configuring the Bridge Priori ty for a Switch 1 93 Configuring the Max Hops in an MST Region 194 Configuring the Switching Network Diameter 194 Configuring the T ime Parameters of a Switch 195 Configuring the Max T ransmission Speed on a Port 196 Configuring a Port as an Edge Port 197 Configuring the Pat h Cost of a Port 198 Configuring the Priorit[...]

Displaying Devices 255 Maintaining and Debugging the System 255 Configuring System Basics 256 Displaying System Information and State 257 Debugging the System 257 T e sting T ools for N etwork Conn ection 259 Logging Function 260 SNMP 265 SNMP V e rsions and Supported MIB 26 6 Configuring SNMP 267 RMON 274 Configuring R MON 274 NTP 278 Configuring [...]

[...]

A BOUT T HIS G UIDE This guide describes the 3Com ® Switch 7750 and how to configure it in ver sion 3.0 of the software. Conventions Ta b l e 1 lists icon conventions that are used throughout this book. Ta b l e 2 lists the text convent ions used in this book. Ta b l e 1 Notice Icons Icon Notice Type Descri ption Information note Information that [...]

10 A BOUT T HIS G UIDE Words in italics Italics are used to: ■ Emphasize a point. ■ Denote a new term at the place where it is defined in the text. ■ Identify command variables. ■ Identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents . Click OK . Words in bold Boldface type is used to h[...]

1 S YSTEM A CCESS This chapter covers the following topics: ■ Produc t Overview ■ Configuring the Switch 7750 ■ Setting T ermina l Paramete rs ■ Command Line Interface Product Overview The 3Com Switch 77 50 is a large capa city , modu larized wire speed Layer 2/Layer 3 switch. It is designed for IP metropolitan area networks (MAN), large-si[...]

12 C HAPTER 1: S YSTEM A CCESS Configuring the Switch 7750 On the Switch 7750, you can set up the configuration environment through the console port. T o set up the local configuratio n environment: 1 Plug the DB-9 or DB-25 female plug of the console cable into the serial port of the PC or the terminal wher e the switch is to be configured. 2 Conne[...]

Setting Terminal Parameters 13 Setting T erminal Parameters T o set terminal p arameters : 1 Start the PC and select Start > Programs > Accesso ries > Communications > HyperT erminal . The HyperT erminal window disp lays the Connection Description dialog box, as shown in Figur e 2. Figure 2 Set Up the New Connection 2 Enter the name of [...]

14 C HAPTER 1: S YSTEM A CCESS ■ Baud rate = 9600 ■ Databit = 8 ■ Parity check = none ■ Stopbit = 1 ■ Flow control = none Figure 4 Set Communication Parameters 5 Click OK . The HyperT erminal dialogue box displays, as shown in Figure 5. 6 Select Prop erties .[...]

Setting Terminal Parameters 15 Figure 5 HyperT erminal Window 7 In the Properties dialog box, select the Settings tab, as shown in Figure 6 . 8 Select VT100 in the Emula tion dropdown menu. 9 Click OK . Figure 6 Settings T ab[...]

16 C HAPTER 1: S YSTEM A CCESS Setting the T er minal Parameters is described in the following sections: ■ Configuring Through T elnet ■ Configuring Through a Dial-up Modem ■ Configuring the User Interface Configuring Through Te l n e t Before you can telnet to a Switch 7750 and configure it, you must: 1 Configure the IP addr ess of a VLAN in[...]

Setting Terminal Parameters 17 4 Run T elnet on th e PC by selecting Start > Run from the Windows desktop and entering Te l n e t in the Open field , as shown in Figure 8 . Click OK . Figure 8 Run T elnet The terminal displays Login authentication and prompts you for the logon passwor d. 5 Enter the password. The terminal di splays the command l[...]

18 C HAPTER 1: S YSTEM A CCESS Figure 9 Pr ovide T elnet Client Service 1 Authenticate the T elnet user through the console port on the T elnet Server (Switch 7750) before login. By default, a password is required for authenticating the T elnet user to log in the Switch 7750. If a user logs into T elnet without password, the system displays the fol[...]

Setting Terminal Parameters 19 Figure 10 Set Up Remote Configuratio n Environment 4 Dial for a connection to the switch, us ing the terminal emulator and modem on the remote end. Dial the telephone number of the modem connected to the Switch 7750. See Figure 11 and Figur e 12 . Figure 11 Set the Dialed Number Console port Remote telephone: 555-5555[...]

20 C HAPTER 1: S YSTEM A CCESS Figure 12 Dial the Remote PC 5 Enter the preset login password on the r emote terminal emulator and wait for the <SW7750> prompt. 6 Use the appropriate commands to configur e the Switch 7750 or view its operational state. E nter ? to get immediate help. For details on a specific command, refer to the appr opr ia[...]

Setting Terminal Parameters 21 T o n umber the user in terface by relative number , represented by interface + number assigned to each type of user interface: ■ AUX user interface = AUX 0. ■ The first VTY interface = VTY 0, th e second one = VTY 1, and so on. T asks fo r configuring the user interface are described in the following sections: ?[...]

22 C HAPTER 1: S YSTEM A CCESS Configuring the T erminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring term inal screen length and history command buffer size. Perform the following configuration i[...]

Setting Terminal Parameters 23 Configuring idle-timeout By default, idle-timeout is enabled and set to 10 minutes on all the user interfaces. The idle-timeout command is described in Ta b l e 7. Locking the User Interface The lock command locks the current user interface and prompts the user to enter a password. This makes it impossible for others [...]

24 C HAPTER 1: S YSTEM A CCESS Configuring the Authentication Method The authentication-mode command configures the user login authen tication method that allows access to an unauthorized user . Ta b l e 11 describes the authentication-mode command. Perform the following configuration in user interface view . By default, terminal authentication is [...]

Setting Terminal Parameters 25 authentication server before executing the other commands. Commands that differ ent users can execute are defined on the T ACACS authentication server . For example, the user tel@hwtac passes th e authentication of the T A CACS server 192.168.6.1 and logs into the switch through the port vt y0. As the authentication-m[...]

26 C HAPTER 1: S YSTEM A CCESS By default, a user can access the command s at Level 3 after logg ing in through the AUX user interface, and the commands at Level 0 af ter logging in through the VTY user interface. When a user log s in to the switch, th e command level that the user can access depends on two points. One is the command level that the[...]

Setting Terminal Parameters 27 Perform the following configuration in user view . The auto-execute Command is used to run a command auto matically after you log in. The command is automatically executed when you log in again. See Ta b l e 18 . This command is usually used to execute the telnet command automatically on a terminal, which connects the[...]

28 C HAPTER 1: S YSTEM A CCESS Command Line Interface The Switch 7750 provides a series o f configuration comman ds and command line interfaces for configuring and managing the Swit ch 7750. The command line interface has the following features. ■ Local configuration through the console port. ■ Local or remote configuration through T elnet. ■[...]

Command Line Interface 29 Login users are also classified into four levels that correspond to the four command levels. After users of different le vels log in, they can only use commands at their own, or lower , levels. T o prevent unauthoriz ed users fr om illega l intrusion, users are identified when switching from a lower level to a higher level[...]

30 C HAPTER 1: S YSTEM A CCESS For all views, use the quit command to return to system view and use the return command to return to user view . Ta b l e 20 Function Feature of Command View Command view Function Prompt Command to enter User view Show basic infor- mation about operation and statistics <SW7750> Enter immediately after connecting[...]

Command Line Interface 31 Features and Functions of the Command Line T asks for configuring the features and functions of the command line are described as follows: ■ Online Help ■ Common Command Line Error Messages ■ History Command ■ Editing Feature s of the Command Line ■ Displaying Features of the Command Line Online Help The command [...]

32 C HAPTER 1: S YSTEM A CCESS -v Verbose output. ICMP packets other than ECHO_RESPONSE that are received are listed STRING<1-20> IP address or hostna me of a remote system Ip IP Protocol ■ Enter a command with a ? , sep arated by a space. If this p osition is for parameters, all the parameters and their brief descriptions will be listed. [[...]

Command Line Interface 33 Editing Featur es of the Command Line The command line interface provides a basic command editing function and supports editing multiple lines. A command cannot be longer than 256 characters. See Ta b l e 23 . Displaying Features of the Command Line If information to be displa yed exceeds one scr een, the pause function al[...]

34 C HAPTER 1: S YSTEM A CCESS[...]

2 P ORT C ONFIGURATION This chapter covers the following topics: ■ Ethernet Port Overview ■ Configuring Link Aggregation Ether net Port Overview The following features are found in the Ethernet ports of the Switch 7750: ■ 10BASE-T/100BASE-TX Gigabit Ethe r net ports supp ort MDI/MDI-X auto-sensing, and can be configured to operate in half/ful[...]

36 C HAPTER 2: P ORT C ONFIGURATION ■ Setting Flow Control for Ethernet Port ■ Permitting/Forbidding Jumb o Fr ames on th e Ether net port ■ Setting Ethernet Port Broa dcast Suppression Ratio ■ Setting the Link T ype for an Ether net Port ■ Adding the Ether net Port to a VLAN ■ Setting the Default VLAN ID for Ethernet Port ■ Copying a[...]

Ethernet Port Overview 37 Setting Duplex Attribute of the Ether net Port Set the port to full duplex to send and rece ive data packets at the same t ime. Set the port to half-duplex to either send or receive only . If the port has been set to auto-negotiation mode, the local and peer ports will automatical ly negotiate the duplex mode. Perform the [...]

38 C HAPTER 2: P ORT C ONFIGURATION Setting Flow Control fo r Ethernet Port If congestion occurs in the local switch afte r enabling flow control in both the local and the peer switch , th en the switch will inform its peer to pause sending packets. Once the peer switch receives this messa ge, it will pause pack et sending, and vice versa. In this [...]

Ethernet Port Overview 39 Perform the following configuration in Ether net port view . By default, 100% broadcast traffic is allowed to pass through, that is, no bro adcast suppr ession will b e performed. Note that in the Switch 7750, you ca n only use the command at the po rt on a 20-port 10/100/1000BASE-T Gigabit Ethe rnet card or a 20-port 100 [...]

40 C HAPTER 2: P ORT C ONFIGURATION Perform the following configuration in Ether net port view . The access port will be added to an exis ting VLAN other than VLAN 1. The VLAN to which a Hybrid port is added must exist. The VLAN to which a T ru nk port is added cannot be VLAN 1. After adding the Ethernet port to the sp ecified VLANs, the local port[...]

Ethernet Port Overview 41 ■ T o guarantee proper packet transmission, the default VLAN ID of local hybr id port or T runk port should be identical to t hat of the hybr id port or T runk port on the peer switch. The VLAN of hybrid port and trunk port is VLAN 1 by default. The access port is the VLAN to which it belongs. Copying a Port Configuratio[...]

42 C HAPTER 2: P ORT C ONFIGURATION Example: Configuring the Default VLAN ID of the T runk Port In this example, the Ether net Switch (Switc h A) is connected to the peer (Switch B) through the trunk port Ether net1/0/1. This example shows the default VLAN ID for the trunk port and verifies the port trunk pvid vlan command. As a typical application[...]

Configuring Link Aggreg ation 43 The operation key i s a conf iguration set generated by LACP based on port setting (speed, duplex mode, basic configuration and management key). When LACP is enabled, the management key of a dynami c aggregation port is 0 by default, but the management key of a static aggregat ion port includes the aggregation group[...]

44 C HAPTER 2: P ORT C ONFIGURATION In a manual or static LACP aggregation gr oup, its ports may be in an active or inactive state. However , only the a ctive por ts can receive user service packets. The active port with the minimum port number se rves as the master port, while others act as sub-ports. In a manual aggregation group, the system se t[...]

Configuring Link Aggreg ation 45 Dynamic LACP aggr egation Dynamic LACP aggregation allows aut oma tic adding/deleting by the syst em but prohibits manual configuration of user s. Dynamic LACP aggregation can be established for a single port; this is calle d single port aggregation. LACP is enabled on dynamic aggregation ports. Only ports with the [...]

46 C HAPTER 2: P ORT C ONFIGURATION A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while others as standby ports. Selection criteria of se lected ports vary for differ ent types of aggr egation gr oups. Configuring Link Aggregation The Switch 7750 only s[...]

Configuring Link Aggreg ation 47 Creating or Deleting an Aggregation Gr oup Y ou can use the following command to create a manual aggregation gr oup or static LACP aggregation group, but the dynamic LACP aggr egation gr oup is established by the system wh en LACP is enabled on the ports. Y ou can also delete an existing aggregation gr oup: when you[...]

48 C HAPTER 2: P ORT C ONFIGURATION Setting or Deleting an Aggregation Group Descrip tor Perform the following confi guration in system view . By default, an aggregatio n group has no descriptor . Note that if you have saved the current configuration with the save command, the configured manual aggregation gr oup s, static LACP aggregation groups a[...]

Configuring Link Aggreg ation 49 Perform the following configuration in Ether net port view . The default value for port priority is 32768. Displaying and Debugging Link Aggr egation After you have completed your configuratio n, execute the display command in any view to display the link aggr egation configuration, and to verify the effect of the c[...]

50 C HAPTER 2: P ORT C ONFIGURATION Example: Link Aggregation Configuration Switch A connects switch B with th r ee aggregation ports, number ed as Ethernet1/0/ 1 to Ethernet1/ 0/3, so th at the incom ing and o utgoing l oads can be balanced among the member ports. Figure 14 Networking For Link Aggr egation The following code example lists only the[...]

Configuring Link Aggreg ation 51 Only when the three ports are configur ed with identical basic configuration, r ate and duplex mode, can they be added in to a same dynamic aggregation group after LACP is enabled on them, for load sharing.[...]

52 C HAPTER 2: P ORT C ONFIGURATION[...]

3 VLAN C ONFIGURATION This chapter covers the following topics: ■ VLAN Overview ■ Configuring VLANs ■ Configuring GARP/GVRP ■ VLAN Overview A virtual local area network (VLAN) creat es logical gr oups of LAN devices into segments to implement virtual workgroups. Using VLAN technolog y , you can logically divide the physical LAN into dif fer[...]

54 C HAPTER 3: VLAN C ONFIGURATI ON Common VLAN Configuration T asks The following sections discuss the common tasks fo r configuring a VLAN: ■ Creating or Deleting a VLAN ■ Specifying the Broadcast Suppression Ratio for a VLAN ■ Setting or Deleting the VLAN Description Character String ■ Specifying or Remo ving VLAN Interfaces ■ Shutting[...]

Configuring VLANs 55 Setting or Deleting the VLAN Description Character String Y ou can use the following comma nd to set or delete the VLAN description character string. The description characte r strings, such as workgroup_name and department_name , are used to distinguish the dif ferent VLANs. Perform the following configuration in VLAN view . B[...]

56 C HAPTER 3: VLAN C ONFIGURATI ON status of one or more Ethernet ports is UP , the status of the VLAN interface is UP also, so the VLAN interface is enabled. Displaying and Debugging a VLAN After the configuring a VLAN, execute the display command in any view to display the VLAN configuration, and to verify the effect of the configuration. Exampl[...]

Configuring VLANs 57 Configuring Port-Based VLANs Adding Ethernet Ports to a VLAN Use the following command to add Ether net ports to a VLAN. Perform the following configuration in VLAN view . For the meanings of the parameters related to the Ether net ports and the specific numbering rules of the ports, see “Por t Configuration” on page 35 . T[...]

58 C HAPTER 3: VLAN C ONFIGURATI ON Creating and Deleting a VLAN Protocol T ype Y ou can use the following command to crea te or delete a VLAN protocol type. Perform the following conf iguration in VLAN view . Creating and Deleting the Asso ciation Between a Port and a Protocol-Based VLAN Perform the following configuration in Ether net port view .[...]

Configuring VLANs 59 [SW7750-vlan2] port ethernet1/0/1 to eth ernet1/0/2 3 Create VLAN 3 and enters its view . [SW7750-vlan2] vlan 3 4 Add Ethernet1/0/3 and Ether net1/0/4 to VLAN3. [SW7750-vlan3] port ethernet1/0/3 to eth ernet1/0/4 Example: Protocol-Based VLAN Configuration From port G1/0/1, all the traffic with sour ce IP 10.0.0.1 will belong to[...]

60 C HAPTER 3: VLAN C ONFIGURATI ON port hybrid vlan 1 untagged # return 2 Configure VLAN 2 and VLAN 3 as pr otoc ol VLANs. Set VLAN 2 as IP 10.0.0.1 protocol and VLAN 3 as IP pr otocol [SW7750-vlan2] protocol-vlan ? at Specify AT(AppleTalk Proto col) configuration information ip Specify IP(Internet Protoc ol) configuration information mode Specify[...]

Configuring GARP/GVRP 61 vlan Specify current hybrid p ort's VLAN ID [SW7750-GigabitEthernet1/0/1] port hybri d protocol [SW7750-GigabitEthernet1/0/1] port hybri d protocol-vlan 2 0 [SW7750-GigabitEthernet1/0/1] port hybri d protocol-vlan 3 0 [SW7750-GigabitEthernet1/0/1] display th # interface GigabitEthernet1/0/1 port link-type hybrid port h[...]

62 C HAPTER 3: VLAN C ONFIGURATI ON join message. When the GARP particip ant wants to remove its attribute information from other switches, it sends a leave message. Th e leaveall timer is started at the same time that each GARP participant is enabled and a leaveall message is sent out when the leaveall timer times out. The join and leave messages [...]

Configuring GARP/GVRP 63 Note that the value of the join timer sh oul d be no less than twice the value of the hold timer , and the value of the leave time r shou ld be greater than twice the value of the join timer an d smaller than the le aveall timer value. Otherwise, the system displays an err or message. Join timer > 2 x hold timer Leave ti[...]

64 C HAPTER 3: VLAN C ONFIGURATI ON All the switches that support GVRP can distribute their local VLAN registration information to other switches so that VL AN in formation is consistent on all GVRP devices in the same network. The VLAN regi stration information that is distributed by GVRP in cludes both the local sta tic re gistration information [...]

Configuring GARP/GVRP 65 ■ When an Ether net port registration type is set to normal, the dynamic and manual creation, r egistration, and log out of VLAN are allowed on this port. ■ When one trunk port registration type is se t to fix ed, the system adds the po rt to the VLAN if a static VL AN is cr eate d on the switch and the trunk port allow[...]

66 C HAPTER 3: VLAN C ONFIGURATI ON Figure 18 GVRP Configuration Example Configure Switch A: 1 Set Ethernet1/0/1 as a tr unk port and allow all the VLANs to pass thro ugh. [SW7750] interface Ethernet 1/0/1 [SW7750-Ethernet1/0/1] port link-ty pe trunk [SW7750-Ethernet1/0/1] port trunk p ermit vlan all 2 Cr eate VLANs. [SW7750-Ethernet1/0/1] vlan 3 [[...]

4 N ETWORK P RO T O C O L O PERATION This chapter covers the following topics: ■ Configuring IP Address ■ Configuring Address Resolution Protocol (ARP) ■ DHCP Relay ■ IP Performance Configuring IP Address IP address is a 32-bit addr ess repr esented by four octets. IP addresses ar e divided into five classes, A, B, C, D and E. The octets ar[...]

68 C HAPTER 4: N ETWORK P ROTOCOL O PERATION ■ T roubleshooting an IP Address Configuration Subnet and Mask IP protocol allocates one IP ad dress for each network interface. Multiple IP addresses can only be allocate d to a device which has mu ltiple network interfaces. IP addresses on a device with multiple interfaces have no relationship among [...]

Configuring IP Address 69 Perform the following configuration in VLAN interface view . The network ID of an IP address is identified by the mask. For example , the IP address of a VLAN interface is 129.9.30.42 an d the mask is 255.255 .0.0. After performing the AND operation for the IP address and the mask, you can assign that device to the ne twor[...]

70 C HAPTER 4: N ETWORK P ROTOCOL O PERATION Figure 19 IP Address Configuration Networking 1 Enter VLAN interface 1. [SW7750] interface vlan 1 2 Configure the IP addr ess for VLAN interface 1. [SW7750-vlan-interface1] ip address 129.2. 2.1 255.255.255.0 T roubleshooting an IP Address Configuration If the Ether net Switch cannot ping a ce rtain host[...]

Configuring Address Resolution Protoc ol (ARP) 71 corresponding MAC address is not found, Host A will store the IP packet in the queue waiting for transmission, and broa dcast an ARP request to attempt to resolve the MAX addr ess of Host B. The ARP request packet contains the IP ad dr ess of Host B and the IP address and MAC address of Host A. Sinc[...]

72 C HAPTER 4: N ETWORK P ROTOCOL O PERATION By default, the switch does not learn gratuitous ARPs. Configuring the Dynamic ARP Aging Timer The following commands assign a dynamic ARP aging period to enable flexible configurations. Wh en the system lear ns a dynamic ARP entry , its aging period is based on the currently configur ed value. Perform t[...]

DHCP Re lay 73 Figure 20 DH CP Relay Schematic Diagram When the DHCP Client pe rforms initialization, it broadcas ts the r equest packet on the local network segment. If there is a DHCP server on the local network segment (e.g. the Ethernet on the right side of the figure) , then the DHCP can be configured dir ectly without the r elay . If there is[...]

74 C HAPTER 4: N ETWORK P ROTOCOL O PERATION The back up server IP address ca nnot be configured independently , inst ead, it has to be configured together with the master ser ver IP address. By default, the IP address of the DHCP Se rver is not configured. The DH CP Server address must be configured be for e DHCP re lay can be used. Configuring th[...]

DHCP Re lay 75 By default, DHCP security featur es function are disabled. Displaying and Debugging DHCP Relay Execute display command in all views to di splay the current DHCP Relay configuration, and to verify th e effect of the configuration. Execute the debugging command in user view to debug DHCP Relay configuration. Example: Configuring DHCP R[...]

76 C HAPTER 4: N ETWORK P ROTOCOL O PERATION [SW7750] vlan 2 [SW7750-vlan2] port Ethernet 1/0/2 [SW7750] interface vlan 2 [SW7750-VLAN-Interface2] ip address 1.1.2.1 255.255.0.0 6 Configure the corr esponding interface and gateway address of VLAN3. [SW7750] vlan 3 [SW7750-vlan3] port Ethernet 1/0/3 [SW7750] interface vlan 3 [SW7750-VLAN-Interface3][...]

IP Performance 77 debugging command to output the debugging in formation to the console. In this way , you can view the detailed informat ion of all DHCP packets on the console while applying for the IP address, ther eb y , conveniently locatin g the problem. IP Performance IP performan ce configuration includes: ■ Configuring TCP Attributes ■ [...]

78 C HAPTER 4: N ETWORK P ROTOCOL O PERATION operation, you may have to use the following commands to prevent the corresponding packets from being sent to the CPU. Perform the following confi guration in system view . By default, redir ection pack ets and route unreachable packets ar e not sent to CPU, while TTL timeout packets are sent to CPU. Con[...]

IP Performance 79 T roubleshooting IP Performance If the IP layer protocol works normally , but TCP and UDP do not work normally , you can enable the corresponding debugging information output to view the debugging informat ion. ■ Use the terminal debugging command to output the debugging information to the consol e. ■ Use the debugging udp pac[...]

80 C HAPTER 4: N ETWORK P ROTOCOL O PERATION[...]

5 IP R OUTING P R OTOCOL O PERATION This chapter covers the following topics: ■ IP Routing Protocol Overview ■ Static Routes ■ RIP ■ IP Routing Policy ■ Route Capacity IP Routing Protocol Overview Routers select an appropriate path through a network for an IP packet accor ding to the destination addr ess of the packet. Each r outer on the[...]

82 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Figure 22 About Hops Networks can have differ ent sizes, so , the segment lengths connected between two differ ent pairs of routers ar e also dif ferent. If a router in a network is regarded as a node an d a route segment in the Inter net is regar ded as a link, message routing in the Internet w orks [...]

IP Routing Protocol Overview 83 ■ The output interface — Indicates an interface through which an IP packet should be forwarded. ■ The next hop address — Indicates the next router that an IP packet will pass through. ■ The priority added to the IP routing table for a route — Indicates the type of route that is selected. Ther e may be mul[...]

84 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION user are managed together with the dyna mic routes as detected by the r outing protocol. The static routes and the r outes learned or config ured by r outing protocols can be shared with each other . Routing protocols (as well as the static configuration) can generate diff erent routes to the same des[...]

Static Routes 85 ■ Unreachable r oute — When a static route to a destinatio n has the reject attribute, all the IP packets to this dest ination are discar ded, and the originat ing host is informed th at the destination is unreachable. ■ Blackhole route — When a static r oute to a destination has the blackhol e attribute, all the IP packets[...]

86 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION The parameters are explained as follows: ■ IP address and mask The IP address and mask use a decimal format. B ecause the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be r eplaced by the mask-length which refers to the digits of the consecutive 1s in the mask. ■ T ra[...]

Static Routes 87 Perform the following configuration in system view . Displaying and Debugging Static Routes After you configure static an d default r outes, execute the display command in all views, to display the static route configur ation, and to verify the effect of the configuration. Example: T ypical Static Route Configuration As shown in th[...]

88 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Figure 24 Static Route Configuration 1 Configure the static route for Etherne t Switch A: [Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [Switch A] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [Switch A] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 2 Configure the static route for Etherne [...]

RIP 89 RIP Routing Information Protocol (RIP) is a simple, dynamic r outing protocol, that is Distance-V ector (D-V) algorithm-based. It uses hop counts to measure the distance to the destination ho st, which is called routing cost. In R IP , the hop co unt from a router to its dir ectly connected network is 0. The hop count to a network which can [...]

90 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION validity of the routes. With these mechanisms, RIP , an interior routing protocol, enables the router to learn the routing information of the entire network. RIP has become one of the most p opular standards of transmitting router and host routes. It can be used in most campus n etworks and regional n[...]

RIP 91 By default, RIP is not enabled. Enabling the RIP Interface For flexible contr ol of RIP operation, y ou can specify the interface and configure the network where it is located in the RIP network, so that these interfaces can send and receive RIP packets. Perform the following configurations in RIP view . After the RIP interface is enabled, y[...]

92 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION default multicast address is 224.0.0.9. The advantage of transmitting packets in the multicast mode is that t he hosts in t he same network that do not run R IP , do not receive RIP broadcast packets. In addi tion, this mode prevents the hosts that are running RIP-1 from incorr ectly receiving and pro[...]

RIP 93 In fact, you may find that the timeout time of garbage-collection timer is not fixed. If period update timer is set to 30 sec onds, garbage-collection timer might range from 90 to 120 seconds. Before RIP completely deletes an unre achable route from the r outing table, it advertises the route by sending four updat e packets with route metric[...]

94 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION By default, all interfaces except lo opb ack interface s both receive and transmit RIP update packets. Disabling Host Route In some cases, the r outer can receive many host routes fr om the same segment, and these routes ar e of little help in route addressing but consume a lot of network resources. R[...]

RIP 95 ■ MD5 authentication — This mode uses two packet formats: One format follows RFC1723 (RIP V ersion 2 Carrying Additional Information); the other format follows RFC2082 (RIP- 2 MD5 Authentication). Perform the following configuration in VLAN interface view The usual packet format follows RFC1723 and nonstandard follows RFC2082. Configurin[...]

96 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Perform the following configurations in RIP view . By default, RIP does not import the route information of other protocols. Configuring the Default Cost for the Imported Route When you use th e import-route command to import the routes of other protocols, you can specify their cost. If y ou do not sp[...]

RIP 97 By default, the additional routing metric added to the r oute when RIP sends the packet is 1. The additional routing metric when RIP r eceives the packet is 0. Configuring Route Filtering The router pr ovides the route filtering function. Y ou can configure the filter policy rules by specifying the ACL and ip-prefix for r oute r edistributio[...]

98 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Example: T ypical RIP Configuration As shown in Figure 25 , the Switch C connects to the subnet 117.102.0.0 through the Ethernet port. The Ether net ports of Switch A and Switch B are connected to the network 155.10.1.0 and 196.38.165.0. Switch C, Switch A, and Switch B are connected by Ether net 110.[...]

IP Routing Policy 99 IP Routing Policy When a router distributes or re ceives routing information, it needs to implement policies to filter the routing information so it can receive or distribute the r outing information that meets only the specified c ondition. A routing protocol such as RIP may need to import routing information discovered by oth[...]

100 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION A basic ACL is usually used for routing information filtering. When the user defines the ACL, the user defines the range of an IP address, subnet for the destination net work segment address, or the next-hop address of the r outing information. If an advanced ACL is used , perform the matching oper [...]

IP Routing Policy 101 The permit argument specifies that if a r oute sa tisfies all the if-m atch clauses of a node, the route passes the filtering of the node, and the apply clauses for the node are executed without taking the t est of the next node. If a route does not satisfy all the if-match clauses of a node, however , the route takes the test[...]

102 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION The if-match clauses for a node in the ro ut e policy require that the ro ute satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are specified, all the routes pass the filtering on the node. Defining Apply Clauses for a[...]

IP Routing Policy 103 Defining IP Prefix A prefix list is identified by the IP prefix name. Each IP prefix can include multiple items, and each item can specify the m atc hing range of the network prefix forms. The index-number parameter specifies the matching sequence in the prefix list. Perform the following configurations in system view . During[...]

104 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION Configuring for Filtering Distributed Routes Define a policy concerning route distribution that filters th e routing information that does not satisfy the conditions, and di stributes routes with the help of an ACL or address ip-prefix. Perform the following con figuration in routing protocol view .[...]

Route Capacity 105 routing information not satisfying the requ irement, but if all the items ar e in the deny mode, no routes will pass the ip-prefix filtering. Y ou can define an item of permit 0.0.0.0/0 le ss-equal 32 after the multiple list items in the deny mode, so as to let all the other r outes pass the filtering (If less-equal 32 is not spe[...]

106 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION If automatic memory restoration is en ab led, when the free memory of the Ethern et switch exceeds the safety value, the disconnected routes will be restor ed. Perform the following confi gurations in system view . By default, the safety value of the Ether net switch memory is 4Mbytes. The safety va[...]

Route Capacity 107 Enabling Automatic Recovery of Di sconnected Routing Protocols Perform the following configurations in system view . By default, memory automatic restoration function is enabled. Displaying and Debuggi ng Route Cap acity Execute the display command in all views to display the r oute capacity configuration. Ta b l e 112 Enabling A[...]

108 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION[...]

6 M ULTICAST P RO T O C O L This chapter includes information on the following: ■ IP Multicast Overview ■ Configuring Common Multicast ■ Configuring IGMP ■ IGMP Snooping ■ Configuring PIM-DM ■ Configuring PIM-SM ■ GMRP IP Multicast Overview Many transmission methods can be used when the destination (including data, voice and video) is[...]

110 C HAPTER 6: M ULTICAST P ROTOCOL Figure 26 Comparison Between the Unicast and Multicast T ransmission A multicast source does not necessarily be long to a multicas t group. It only send s data to the multicast group and it is not necessarily a receiver . Multiple sources can send packets to a multicast group simultaneously . A router that does [...]

IP Multicast Overview 111 A multicast group can be either permanent or temporary . Part of addresses in the multicast group are r eserved by th e IANA and are known as the permanent multicast group. IP addresses of a permanent group are unchanged, but the members in the g roup can change. The number of members in a permanent multicast group can be [...]

112 C HAPTER 6: M ULTICAST P ROTOCOL Assigned Number Au thority) stipulates t hat the higher 24 bits of the multicast MAC address is 0x01005e and the lower 23 bits of the MAC address is the lower 23 bits of the multicast IP address. Figure 27 Mapping Between the Multicast IP Address and the Ethernet MAC Addr ess Only 23 bits of the last 28 bits in [...]

IP Multicast Overview 113 The multicast routing cr eates a loop-free data transmission path from one data source to multiple receivers. The task of the multicast r outing protocol is to cr eate a distribution tree ar chitecture. A multicast router can use multiple methods to build up a path for data transmi ssion, i.e., the distribution tree. ■ P[...]

114 C HAPTER 6: M ULTICAST P ROTOCOL multicast routing table, to determine the incoming interface at which the packet arrives. If a source tr ee is used, the source address is the addr ess of the source host sending the multicast packet. If a shared tr ee is used, the source address is the addr ess of the root of the shared tr ee. When a multicast [...]

Configuring Common Multicast 115 Only when multicast is en abled can another multicast co nfiguration be used. Configuring the Multicast Route Limit If the existing route entries exceed the capacity value you configur ed when using this command, the system will not delete the existing entries, but displays the message, “Existing route entrie s ex[...]

116 C HAPTER 6: M ULTICAST P ROTOCOL Displaying and Debugging Common Multicast Con figuration After the previous configu rations, execute the display command to view the multicast configurat ion, and to verify the configuration. Execute debugging command in user view for the debugging of multicast. Configuring IGMP IGMP (Internet Group Management P[...]

Configuring IGMP 117 discover whether hosts join the specified group on its subnets accord ing to the received r esponse messages. When the router r eceives the report that hosts leave the group, the r outer will send a gr oup-sp ecific query (IGMP V ersion 2) to discover whether there are no members in the group. IGMP has three versions, IGMP V er[...]

118 C HAPTER 6: M ULTICAST P ROTOCOL Advanced IGMP configuration includes: ■ Configuring the IGMP V ersion ■ Configuring the Interval for Sending the IGMP Group-Specific Query Packet ■ Configuring the Interval for Sending IGMP Group-Specific Query Packet ■ Configuring the Limit of IGMP Groups on an Interface ■ Configuring a Router to be a[...]

Configuring IGMP 119 Configuring the Interval for Sendi ng the IGMP Gr oup-Specific Query Packet In the shared network, where the same network segment includes multiple host s and multicast routers, the query r outer is responsible for maintaining the IGMP group membership on the interface. When the IGMP v2 host leave s a group, it sends an IGMP Gr[...]

120 C HAPTER 6: M ULTICAST P ROTOCOL query router r eceives the IGMP Member ship Report message within the defined period (equal to robust-value seconds), it continues to maintain the membership of this group. When the IGMP query rout er receives no IGMP Membership Report messages from any hosts within the defined period, it perceives a timeout and[...]

Configuring IGMP 121 By default, a router does not join a multicast gr oup. Limiting Access to IP Multicast Groups A multicast router lear ns whether there are members of a multicast gr oup on the network when it receives an IGMP member ship message. A filter can be set on an interface to limit the range of allowed multicast groups. Perform the fol[...]

122 C HAPTER 6: M ULTICAST P ROTOCOL Configuring the IGMP Querier Present Timer The IGMP querier present timer defines the peri od of time before the router takes over as the querier . Perform the following configuration in VLAN interface view . By default, the value is 120 seconds. If the router has r eceived no quer y message within twice the int[...]

Configuring IGMP 123 Displaying and Debugging IGMP After the previous configurations, execute the display command in all views to display the running o f IGMP configuration, and to verify the effect of the configuration. Execute the debugging command in user view to debug IGMP . Ta b l e 132 Display and Debug IGMP Operation Command Display the info[...]

124 C HAPTER 6: M ULTICAST P ROTOCOL IGMP Snooping IG MP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on layer 2. It is used for multicast group management and contr ol. IGMP Snooping runs on the link layer . When receiving the IGMP messages, the Switch 7750 uses IGMP Snooping to analyze the inform[...]

IGMP Snooping 125 Figure 29 Multicast Packet T ransmission W ith IGMP Snooping Implement IGMP Snooping This section introduces r elated switch concepts of IGMP Snooping: ■ Router Port: The port directly connected t o the multicast router . ■ Multicast member port: The port connected to the multicast member . The multicast member refers to a hos[...]

126 C HAPTER 6: M ULTICAST P ROTOCOL Figure 30 Implementing IGMP Snooping 1 IGMP general query message: T ransmitted by the multicast router to query which multicast group contains member . When a router port re ceives an IGMP general query message, the Switch 7750 will r eset the aging ti mer of the port. When a port other than a router port recei[...]

IGMP Snooping 127 not have any member , the switch will notify the multicast r outer to remove i t from the multicast tree. Configuring IGMP Snooping is desc rib ed in the following sections: ■ Configuring IGMP Snooping ■ Example: IGMP Snooping Configuration ■ T roubleshooting IGMP Snooping Configuring IGMP Snooping The main IGMP Snooping con[...]

128 C HAPTER 6: M ULTICAST P ROTOCOL By default, the port ag in g time is 260 seconds. Configuring Maximum Response Time This task sets the maximum response time. If the Switch 7750 receives no r eport message from a port in the maximum r espon se time, it will r emove the port from the multicast group. Perform the following confi guration in syste[...]

IGMP Snooping 129 Example: IGMP Snooping Configuration T o implement IGMP Snooping on the sw itch, first enable it. The switch is connected with the router thr ough the router port, and with user PC through the non-router ports. Figure 31 IGMP Snooping Co nfiguration Network 1 Display the status of GMRP . <SW7750> display gmrp status 2 Displa[...]

130 C HAPTER 6: M ULTICAST P ROTOCOL ■ Input the display igmp-snooping group command to see if the multicast group is the expected one. ■ V erify that th e source IP address is correct for each multicast str eam. 3 Multicast forwarding table set up on the bottom layer is wrong. ■ Enable IGMP Snooping group in user view and then input th e dis[...]

Configuring PIM-DM 131 as a re dundancy packet without the multicast forwarding. The unicast routing information as path judgment can come from any unicast r outing protocol independent of any specified unicast routing pr otocol such as the routing information learned by RIP. ■ Assert mechanism As shown in t he following fig ure, both r outers A [...]

132 C HAPTER 6: M ULTICAST P ROTOCOL ■ Configuring the Maximum Number of PIM Neighbor on an Interface ■ Displaying and Debuggi ng PIM-DM When the router is run in the PIM-DM do ma in, it is best to en able PIM-DM on all interfaces of the no n-border r outer . Enabling Multicast See “Configuring Common Multicast ” on page 114 . Enabling PIM-[...]

Configuring PIM-DM 133 Perform the following configuration in VLAN interface view . The default interval is 30 seconds. Y ou can configure the value according to differ ent network en vironments. Generally , this parameter does not need to be modified. This configuration can be perfo rmed on ly after PIM (P IM-DM or PIM-SM) is enabled in VLAN inter[...]

134 C HAPTER 6: M ULTICAST P ROTOCOL Configuring the Maximum Number of PIM Neighbor on an In terface Y ou can limit the PIM neighbors on an interface. No neighbor can be add ed any more when the limit is r eached. Perform the following configuration in th e PIM view . By default, the PIM neighbor s on the interface are limited to 128. If the existi[...]

Configuring PIM-DM 135 Example: PIM-DM Configuration LS_A has a port carrying Vlan 10 to co nnect Multicast Sour ce, a port carrying Vlan11 to connect LS_B and a port carryi ng Vlan12 to connect LS_C. Configure to implement multicast between Multicast S ource and Receiver 1 and Receiver 2. Figure 33 PIM-DM Configuration Networking Configuration pr [...]

136 C HAPTER 6: M ULTICAST P ROTOCOL [SW7750-vlan-interface12] pim dm Configuring PIM-SM PIM-SM (Protocol Independent Multicast, Sparse Mode) belongs to sparse mo de multicast routing protocols. PIM-SM is ma inly applicable to large-scale networks with broad scope a nd few group members. Differ ent fr om the flood & prune principle of the dense[...]

Configuring PIM-SM 137 Figure 34 RPT Schematic Diagram Multicast Sour ce Registration When multicast source S sends a multicast packet to group G, the PIM-SM multicast router is r esponsible for encapsulating the packet into a registration packet upon receipt. It then sends the packet to the corresponding RP in unicast. If there ar e multiple PIM-S[...]

138 C HAPTER 6: M ULTICAST P ROTOCOL be configured to specify RP . As the back up of dynamic RP , static RP improves network robustness and enhances the oper ation and management capability of multicast network. Configuring PIM-SM Basic PIM-SM configuration includes: ■ Enabling Multicast ■ Enabling IGMP on an Interface ■ Enabling PIM-SM ■ S[...]

Configuring PIM-SM 139 Repeat this configuration t o enable PIM-SM on other interfaces. Only one multicast r outing pr otoc ol can be enabled on an interface at a time. Once enabled, PIM-DM cannot be enabled on the same interface. Setting the PIM-SM Domain Bor der After the PIM-SM domain border is configur ed, bootstrap mess ages cannot cr oss the [...]

140 C HAPTER 6: M ULTICAST P ROTOCOL Otherwise, the candidate BSR will keep it s BSR addr ess and continue to r egard itself as the BSR. Perform the following conf iguration in PIM view . Candidate-BSRs should be configured on the routers in the network backbone. By default, no BSR is set. The default priority is 0. Only one router can be configure[...]

Configuring PIM-SM 141 If static RP is in use, all r outers in the PIM domain must adopt the same configuration. If the configured static RP addr ess is the interf ace address of the local route r whose state is UP , the router will function as the static RP . It is unnecessary to enab le PIM on the interface that funct ions as static RP . When the[...]

142 C HAPTER 6: M ULTICAST P ROTOCOL Only the register messages matching the ACL permit clause ca n be accepted b y the RP . Specifying an undefine d ACL will make the RP de ny all register messages. Limiting the Range of Legal BSR In the PIM SM network using BSR (bootstrap router) mechanism, every router can set itself as C-BSR (candidate BSR) and[...]

Configuring PIM-SM 143 For detailed information of the crp-policy command, see the Switch 7750 Command Reference Guide . Clearing Multicast Route Entries from PIM Routing T able Perform the following configuration in user view . If in this command, the group-address is 224.0.0.0/24 and source-address is the RP address (wher e group addr ess can hav[...]

144 C HAPTER 6: M ULTICAST P ROTOCOL Execute the debugging command in user view to debug PIM-SM. Example: Configuring PIM-SIM Host A is the receiver of the multicast group at 225.0.0.1. Host B begins transmitting data destined to 225.0.0.1. Sw itch A receives the mul ticast data from Host B by Swit ch B. Figure 35 PIM-SM Configuration Networking Co[...]

Configuring PIM-SM 145 [SW7750-pim] interface vlan-interface 11 [SW7750-vlan-interface11] pim sm [SW7750-vlan-interface11] quit [SW7750] vlan 12 [SW7750-vlan12] port Ethernet 1/0/6 to E thernet 1/0/7 [SW7750-vlan12] quit [SW7750] pim [SW7750-pim] interface vlan-interface 12 [SW7750-vlan-interface12] pim sm [SW7750-vlan-interface12] quit Configure S[...]

146 C HAPTER 6: M ULTICAST P ROTOCOL Configure Switch C: 1 Enable PIM-SM. [SW7750] multicast routing-enable [SW7750] vlan 10 [SW7750-vlan10] port Ethernet 1/0/2 to Ethernet 1/0/3 [SW7750-vlan10] quit [SW7750] pim [SW7750-pim] interface vlan-interfa ce 10 [SW7750-vlan-interface10] pim sm [SW7750-vlan-interface10] quit [SW7750] vlan 11 [SW7750-vlan11[...]

GMRP 147 Enable/Disable GMR P Globally Perform the following configuration in system view . By default, GMRP is disabled. Enabling/Disabling GMRP on the Port Perform the following configuration in Ether net port view . GMRP should be enabled globally before being enabled on a port. By default, GMRP is disabled on the port. Displaying and Debugging [...]

148 C HAPTER 6: M ULTICAST P ROTOCOL 2 Enable GMRP on the port. [SW7750] interface Ethernet 1/0/1 [SW7750-Ethernet1/0/1] gmrp Configure LS_B: 1 Enable G MRP globally . [SW7750] gmrp 2 Enable GMRP on the port. [SW7750] interface Ethernet 1/0/1 [SW7750-Ethernet1/0/1] gmrp[...]

7 Q O S/ O PERATION ■ ACL Overview ■ Configuring ACLs ■ Displaying and Debugging an ACL ■ Configuring QoS ■ Configuring ACL Control ACL Overview T he Access Control List (ACL) classifies the data packets with a series of ma tching rules, including source a ddress, destination address and port number . The switch verifies the data packets [...]

150 C HAPTER 7: Q O S/ O PERA TION This type of filtering includes ACLs that are used with the QoS function, ACLs used to filter the packet transmit ted by the hardware, and so on. Filtering or Classifying Data T ransmitted by the Software An ACL can be used to filter or classify the data transmitted by the software of the switch. The user can dete[...]

Configuring ACLs 151 Configuring ACLs ACL configuration includes the tasks de scribed in the following sections: ■ Configuring the T ime Range ■ Selecting the ACL Mode ■ Defining an ACL ■ Activating an ACL Configure the time range first, then defi ne the ACL (using th e defined time range in the definition), f ollowed by activating the ACL [...]

152 C HAPTER 7: Q O S/ O PERA TION To d e f i n e t h e A C L : 1 Enter the corresponding ACL view 2 Add a rule to the ACL Y ou can add multiple rules to one ACL. If a specific time range is not defined, the ACL functions aft er it is activated. During the process of defining the ACL, you can use the rule command several times to define multiple ru[...]

Configuring ACLs 153 Perform the following configuration in designated view . An advanced ACL is identified with numbers rangin g from 3000 to 3999. Note that port1 and port2 in this command specify the TCP or UDP ports used by various high-layer applications. For some common port numbers, you can use the mnemonic symbols as a shortcut. When you co[...]

154 C HAPTER 7: Q O S/ O PERA TION A Layer -2 ACL can be identified with numb ers ranging from 4000 to 4999. If you assign an ACL to an interface and then make changes to the ACL, you must reassign the ACL to the interface before the changes to the ACL will apply on the interface . Activating an ACL A defined ACL can be active after b eing enabled [...]

ACL Configuration Examples 155 The matched information of the display acl config command specifies the rules treated by the switch’ s CPU. The matched information of the transmitted data by the switch can be displayed with the display qos-info traffic-statistic command. For a description of the synt ax of these commands, se e the Switch 7750 Comm[...]

156 C HAPTER 7: Q O S/ O PERA TION Define the work time range: 1 Set the time range 8:00 to 18:00. [SW7750] time-range 3com 8:00 to 1 8:00 working day Define the ACL to access the payment server: 1 Enter the name of the advanced ACL, named traffic-of-payserver . [SW7750] acl name traffic-of-payser ver advanced match-order config 2 Set the rules for[...]

Configuring QoS 157 Define the rules for packet with source IP address 10.1.1.1. [SW7750-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range 3com 4 Activate ACL. Activate the ACL traffic-of-host . [SW7750-Ethernet2/0/1] qos [QSW7750-qoss-Ethernet2/0/1] packet-filt er inbound ip-group traffic-of-host Link ACL Using Link ACL, filte[...]

158 C HAPTER 7: Q O S/ O PERA TION packets to the destination, not making any commitment or guarantee of the transmission reliabil ity , delay , or to satisfy othe r performanc e requir ements . Ethernet technology is currently the most widely used network technology . Ethernet has been the dominant technology of various independent Local Area Netw[...]

Configuring QoS 159 the classification standards are encapsulat ed in the header of the packets. The packet content is seldom used as the classification standar d. Packet Filter Packet filters filter netwo rk traffic. For example, the deny operation discar ds the traffic that is matched with a traf fic cla ssification rule, while allowing other tra[...]

160 C HAPTER 7: Q O S/ O PERA TION Figure 39 SP SP is designed for the key ser vice application. A significant feat ure of the key service is requir ed, for priority t o enjoy the service, to reduce the response delay when congestion occu rs. T ake 4 egress queues for each port as example, SP divides the queue of a port into 4 kinds at most, high-p[...]

Configuring QoS 161 This random number is compared with the discarding pr obability for the current queue. Any packet whose random numb er is greater than the probability is discar ded. The longer th e queue, the higher the discarding probability . However , there is a maximum discar ding pr obability . Through randomly discarding packets, RE D avo[...]

162 C HAPTER 7: Q O S/ O PERA TION Perform the following two configurat ion tasks in system view . Setting Port Mirroring Port mirroring means duplicating data on the monitored port to the designated monitor port, for purpose of data an alysis and supervision. The switch supports many-to-one mirroring, that is, you can dup licate packets from multi[...]

Configuring QoS 163 Configuring the Mapping List for 802.1p Priority Y ou cannot modify the mappin g between local priority levels and outboun d queues, but you can change the mapp in g between 802.1p and local priority levels. Then the mapping bet ween 802.1 p priorit y levels and outbound queues change. Perform the following configurations in sys[...]

164 C HAPTER 7: Q O S/ O PERA TION Configuring the Priority for Queue Scheduling Y ou can use the following command to con figure which priority is used for queue scheduling . Perform the following confi guration in system view . By default, the switch chooses the lo cal pr efer ence as the basic priority . Entering QoS View Y ou should run most Qo[...]

Configuring QoS 165 Setting Line Limit Line limit r efers to limiting the total rate at the port. The adjustment step for the line rate of the Switch 7750 is 1Mbps. Perform the following configurations in QoS view . Y ou can set line limit at a single port. Setting T raffic Bandwidth Y ou can set desired traffic bandwidth to ensur e target services[...]

166 C HAPTER 7: Q O S/ O PERA TION Only the 20-Port 10/100/1000BASE-T a nd 20- Port 1000BASE-X -SFP I/O modules support this configuration. Relabeling the Priority Level Relabeling the priority level creates a polic y to tag the priority of the packets so they match the ACL. The new priority can be filled in the priority field of the packet header [...]

Configuring QoS 167 Configuring T raffic Statistics The traffic statistics function counts th e transmitted dat a that matches the ACL rules. After the traffic statistics function is configured, you can use the dis play qos-info traffic-statistic command to display the statistics information. Perform the following configuration in QoS view . For de[...]

168 C HAPTER 7: Q O S/ O PERA TION For output and description of the related commands, see the Switch 7750 Command Reference Guide . QoS Configuration Examples This section provides the following configuration examples: ■ T raffic Limit and Line Rate ■ Port Mirroring ■ Priority Relabeling Configuration Example ■ Packet Redirection ■ Queue[...]

Configuring QoS 169 Figure 40 T raffic Limit and Line Rate Configuration Only the commands concerning Qo S/AC L configuratio n are listed here. T o create this configuration: 1 Define outbound traffic for the wage server . Enter name-based advanced ACL view using the traffi c-of-payserver . [SW7750] aclname traffic-of-payserver ad vanced Define the[...]

170 C HAPTER 7: Q O S/ O PERA TION For a 48-port modu le, the monitoring po rt and the monitored port must all be at the ports 1-24 or ports 25-48, on which only one mirroring group can be configured in one direction. Figure 41 Port Mirroring Configuration T o create this configuration: Define a mirroring gr oup, with monitor ing port being Ether n[...]

Configuring QoS 171 [SW7750-acl-basic-2000] rule 0 permit ip source 1.0.0.2 0 time-range 3com 3 Relabel ef priority for PC1 packets. Enter QoS view . [SW7750-GigabitEthernet7/0/1] qos [SW7750-qosb-GigabitEthernet7/0/1] Relabel ef priority for PC1 packets. [SW7750-qosb-GigabitEthernet7/0/1] traff ic-priority inbound ip-group 1 dscp ef Packet Redirec[...]

172 C HAPTER 7: Q O S/ O PERA TION [SW7750-qosb-GigabitEthernet7/0/1] traffic-redirect inbound ip-group 1 rule 0 interface gigabitetherent 7/0/8 Queue Scheduling Modify the correspondence between 802.1p pr iority levels and lo cal priority levels to change the mapping between 802.1p prio rity levels and queu es. That is, put packets into outbound q[...]

Configuring QoS 173 RED Run the RED operation for the packets se nt between 8:00 and 18:00 every day from IP addr ess 1.0.0.1 to the p ort E3/0/8 . RED operation is set so that the queue length that trigger s random discarding rang es from 64 Kbytes to 128 Kbytes. The probability for random discar ding is 20%. The 20-Port 10/100/1000BASE-T and 20-P[...]

174 C HAPTER 7: Q O S/ O PERA TION The 20-Port 10/100/1000 BASE-T and 20-Po rt 10 00BASE-X-SFP I/O modules do not support this configuration. Figure 46 T raffic Bandwidth T o create this configuration: 1 Define the time ra nge 8:00 to 18:00. [SW7750] time-range 3com 8:00 to 18 :00 daily 2 Define traffic rules for the packets of IP addr esses 1.0. 0[...]

Configuring ACL Control 175 Figure 47 T raffic Statistics T o create this configuration: 1 Define the time range 8:00 to 18:00. [SW7750] time-range 3com 8:00 to 18:00 d aily 2 Define traffic rules for PC1 packets. [SW7750] acl number 2000 [SW7750-acl-basic-2000] rule 0 permit ip source 1.0.0.1 0.0.0.0 time-range 3com 3 Count PC1 packets, view the s[...]

176 C HAPTER 7: Q O S/ O PERA TION Configuring ACL Control for TELNET Users By configuring ACL control over TELNET , us ers can filter the malicious and illegal connection requests before passwor d authentication, and ensure device security . The steps to control TELNET users with ACL are described in the following sections: ■ Defining an ACL ■[...]

Configuring ACL Control 177 Figure 48 Con trol TELNET User With ACL Use the following commands to control TELNET users with ACL. 1 Define the basic ACLs. [SW7750] acl number 2000 match-order con fig [SW7750-acl-basic-2000] rule 1 permit so urce 10.110.100.52 0 [SW7750-acl-basic-2000] rule 2 permit so urce 10.110.100.46 0 [SW7750-acl-basic-2000] qui[...]

178 C HAPTER 7: Q O S/ O PERA TION The privacy-mod priv-passwor d parameters are supported only in the extended version of the software. SNMP community is one of the features of SN MP v1 and SNMP v2, so with these versions of SNMP , you can import the ACL into the commands with SNMP community already config ured. SNMP user name or group name is one[...]

Configuring ACL Control 179 2 Import the basic ACLs. [SW7750] snmp-agent community read 3com acl 2000 [SW7750] snmp-agent group v2c 3comgroup acl 2001 [SW7750] snmp-agent usm-user v2c 3comuse r 3comgroup acl 2002[...]

180 C HAPTER 7: Q O S/ O PERA TION[...]

8 STP O PERATION This chapter covers the following topics: ■ STP Overview ■ Configuring STP ■ MSTP Overview ■ Configuring MSTP STP Overview Spanning T ree Pr otocol (STP) is applied in a loop network to block und esirable redundant paths. Using STP avoids the pr olif eration and infinite cycling of a packet in a loop network. The fundament [...]

182 C HAPTER 8: STP O PERAT ION Designating Switches and Ports A designated switch is a switch in charge of forwarding packets to the local switch by a port called the designated port. For a LAN, the designated sw itch is a switch that forwards packets to the network segment by the designated po rt. As illustrated in Figure 50 , Switch A forwar ds [...]

Configuring STP 183 Generating the Configuration BPDU When initialized, each port of the switch es will generate the configuration BPDU taking itself as the root, root path cost as 0, designated switch IDs as their own switch IDs, and the designated ports as their ports. ■ Switch A Configuration BPDU of Ether net 1/0/1: {0, 0, 0, e1/0/1} Configur[...]

184 C HAPTER 8: STP O PERAT ION The comparison process of each switch is: ■ Switch A Ethernet 1/0/1 receives the configurat ion BPDU fr om Switch B and finds out that the local configuration BPDU priority is higher than that of the received one, so it discards the r eceived configuration BPDU. The configuration BPDU is processed on the Ether net [...]

Configuring STP 185 calculation is launched agai n by new events, for example, th e link from Switch B to C is down or the port receives a better configuration BPDU. Ethernet 1/0/1 receives the updated conf ig uration BPDU, {0, 5, 1, e1/0/4}, from Switch B. Since this configuration BPDU is better then the old one, the old BPDU will be updated to {0[...]

186 C HAPTER 8: STP O PERAT ION a transitional state mechanism is then ado pted to ensure the new configuration BPDU has been propagated throughout the network befor e the root port and designated port begin to sen d data again. That is, the root port and designated port should undergo a tran sitional state for a period of Forwar d Delay befor e th[...]

MSTP Overview 187 Figure 53 MSTP Concepts MST Region A multiple spanning tree r egion contains several physically a nd directly connected MSTP-capable switches sharing the same region name, VLAN-spanning tree mapping configuration and MSTP revision level config uration, and the network segments between them. There can be several MST r egions on a s[...]

188 C HAPTER 8: STP O PERAT ION Multiple Spanning T ree Instance (MSTI) Multiple spanning trees can be generated in an MST region and ar e independent of one another . Each of these sp anning tr ees is called an MST I. MSTI Region root The MSTI re gion root r efers to the root of the MSTI in an MST r egion. Each spanning tree in an MST r egion can [...]

Configuring MSTP 189 Figure 54 Port Roles MSTP Principl es MSTP divides the ent ire Layer 2 network in to several MST r egions, and calculates and generates CST for them. Multiple spanning trees are generated in a r egion and each of them is called an MSTI. The in stance 0 is called IST , and others are called MSTI. CIST calculation The CIST root i[...]

190 C HAPTER 8: STP O PERAT ION ■ Configuring the Path Cost of a Po rt ■ Configuring the Priority of a Port ■ Configuring the Port Connection with the Point-to-Point Link ■ Configuring the mCheck V ariable of a Port ■ Configuring the Switch Security Function ■ Enabling MSTP on the Device ■ Enabling or Disabling MSTP on a Por t ■ Dis[...]

Configuring MSTP 191 Configuring the MST Region Perform the following configuration in MST region view . An MST region can contain up to 16 spanning tree instances, among which Instance 0 is an IST and instances 1 through 16 are MSTIs. Upon the completion of these configurations, the current switch is put into a specified MST region. T wo switches [...]

192 C HAPTER 8: STP O PERAT ION Y ou can use the following commands to specify th e current switch as the primary or secondary root of the spanning tree. Perform the following confi guration in system view . After a switch is configured as primary root switch or second ary root switch, you cannot modify the brid ge priority of the switch. Y ou can [...]

Configuring MSTP 193 provides two operation modes, STP-compatible mode and MSTP mode. In STP-compatible mode, the switch sends ST P packets by every port and serves as a region itself. In MSTP mode, the switch ports send MSTP or STP packets (when connected to the STP switch) and the switch pr ovides the multiple spanning tr ee function. Y ou can us[...]

194 C HAPTER 8: STP O PERAT ION Configuring the Max Hops in an MST Region The scale of an MST region is limited by the max hops in the MST region; which is configured on the region r oot. As the BPDU travels from the spanning tr ee root, each time it is forwarded by a switch, the max hop is reduced by 1. The switch discards the configuration BPDU w[...]

Configuring MSTP 195 Configuring the Time Parameters of a Switch The switch has three time parameters: ■ Forward delay ■ Hello time ■ Max age Forward delay is the switch state transitio n mechanism. The spanning tree will be recalculated upon link faults and its structure will change accor dingly . The configuration BPDU recalculated canno t [...]

196 C HAPTER 8: STP O PERAT ION that is too short, the switch frequently sends configuration BPDU, which adds burden and wastes the network resources. A max age that is too short, can caus e the network device to calculate the spanning tree frequent ly and mistake the congestion as a link fault. If the ma x age is too long, the network device may n[...]

Configuring MSTP 197 This parameter only takes a relative value without units. If it is set too large, too many packets will be transmitted during every hello time and too many network resour ces will be occupied. The default value is recommended. By default, the max transmission speed on every Ether net port of the switch is 3. Configuring a Port [...]

198 C HAPTER 8: STP O PERAT ION Configuring the Path Cost of a Port Path cost is r elated to the speed of th e link connected to the port. On the MSTP switch, a port can be configured with dif ferent path costs for dif ferent STIs. Thus the traffic fr om differ ent VLANs can run over differ ent physical links, thereby implementing the VLAN -based l[...]

Configuring MSTP 199 Perform the following configuration in system view . By default, the switch calculates the defaul t Path Cost of a port by the IEEE 8 02.1t standard. Generally the path cost of the links in full duplex status is lower than those in half duplex status. Ta b l e 204 Specifying the Standard T o Be Fo llowed in Path Cost Calculatio[...]

200 C HAPTER 8: STP O PERAT ION In calculating the path cost of aggregat ion links, the 80 2.1D -1998 does not take into account the nu mber of aggregation links, but the 80 2.1T does. The formula involve d is: Path Cost = 200,000,000/link speed in 100Kbps Where the link speed is the sum of the speed of the ports in unblocked status within the aggr[...]

Configuring MSTP 201 Configuring the Port Connection with the Point-to-Point Link The point-to-point link directly connects two switches. Y ou can config ure the port to connect or not connect with th e point-to-po int link in the following ways. Configuring in System View Perform the following configuration in system view . Configuring in Ethernet[...]

202 C HAPTER 8: STP O PERAT ION configure a port not physically connecte d with the point-to -point link, rather , connected to such a link by forc e. By default, th e parameter is configured as auto . Configuring the mCheck V ariable of a Port The port of an MSTP s witch operates in either STP-compa tible or MSTP mode. If a port of an MSTP switch [...]

Configuring MSTP 203 low-speed link and congestion will occur on the network. The r oot pr otection function is used against such problem. The root port and other blocked ports main tain their state according to the BPDUs sent by an uplink switch. Once th e link is blocked or has trouble, the ports cannot receive BPDUs and the switch will select a [...]

204 C HAPTER 8: STP O PERAT ION For more about the configuratio n commands, see the Swit ch 7750 Comman d Reference Guide . Enabling MSTP on the Device Y ou can use the following command to en able MSTP on the device. Perform the following confi guration in system view . Only if MSTP has been enabled on the de vice will other MSTP configurations ta[...]

Digest Snooping 205 By default, MSTP is enabled on all the ports after it is enabled on the device. Displaying and Debugging MSTP After you configure MSTP , execute the display command in all views to display the running of the MSTP configu ration, and to verify the effect of the configuration. Execute the reset command in user view to clear the st[...]

206 C HAPTER 8: STP O PERAT ION Prer equisites Switches of differ ent manufacturers are interconnected in a network and have MSTP properly employed. The network operates properly . Configuration Pr ocedure Note the following: ■ Y ou must enable digest sno oping on an interface first before enabling it globally . ■ Digest snooping is unnecessay [...]

9 AAA AND RADIUS O PERATION This chapter covers the following topics: ■ IEEE 802.1x ■ Implementing the AAA and RADIUS Protocols ■ Configuring AAA ■ Configuring the RADIUS Protocol ■ Configuring HWT ACACS ■ Displaying and Debugging t he AAA, RADIUS, and HWT ACACS Protocols ■ AAA, RADIUS, and HWT ACACS Protocol Configuration Examples ?[...]

208 C HAPTER 9: AAA AND RADIUS O PERATION The LAN access contr ol device needs to provide the Authenticator System of 802.1x. The computers need to be installed with the 802.1x client Supplicant software, for example, the 802.1x client pr ovided by Microsoft Windows XP . Th e 802.1x Authentication Server system norma lly stays in the carrier’ s A[...]

IEEE 802.1x 209 ■ EAPoL-Key: Key information frame, su pporting to encrypt the EAP packets. ■ EAPoL-Encapsulated-ASF-A lert: Suppor ts the Al erting message of Alert Standard Forum (ASF). The EAPoL-Sta rt, EAPoL-Logoff, and EAPoL-Key only exist be tween the Supplicant and the Authenticator . The EAP-Packet information is re-encapsulated by the [...]

210 C HAPTER 9: AAA AND RADIUS O PERATION Enabling/Disabling 802.1x The following commands can be used to enable/disable t he 802.1x on the specified port. When no port is specified in system view , the 802.1x is enabled/disabled globally . Perform the following con figurations in system view or Ether net port view . User can configure 802.1x on an[...]

IEEE 802.1x 211 By default, 802.1x authentication meth od on the port is MAC-based. That is, authentication is performed based on MAC addresses. Checking the Users that L og on the Switch by Pr oxy The following commands are used for ch ecking the users that log on by prox y . Perform the following configurations in system view or Ether net port vi[...]

212 C HAPTER 9: AAA AND RADIUS O PERATION By default, authenticati on will not be launched when the user runs DHCP and applies for dynamic IP addr esses. Configuring the Authenticati on Method for 802.1x Users The following commands can be used to configure the authentication method for 802.1x users. Three kinds methods of authentication ar e avail[...]

IEEE 802.1x 213 By defa ult, the qu iet-period-value is 60 seconds, the tx-period-value is 30 seconds, the supp-timeout-value is 30 seconds, the se rver-timeout-value is 100 seconds. For more detailed information on the dot1x timer command, see the Switch 7750 Command R eference Guide . Enabling/Disabling Quiet-Period Timer Y ou can use the follo w[...]

214 C HAPTER 9: AAA AND RADIUS O PERATION All the supplicants belong t o the defaul t domain 3com163.net, which can contain up to 30 users. RADIUS authentication is performed first. If there is no response from the RADIUS server , local authenticati on will be performed. For accounting, if the RADIUS server fails to account, the user will be discon[...]

Implementing the AAA and RADIUS Protocols 215 [SW7750-radius-radius1] primary authentication 10.11.1.1 [SW7750-radius-radius1] primary accounting 10.11.1.2 5 Set the IP address of the second au then tication/accountin g RADIUS servers. [SW7750-radius-radius1] secondary authen tication 10.11.1.2 [SW7750-radius-radius1] secondary accoun ting 10.11.1.[...]

216 C HAPTER 9: AAA AND RADIUS O PERATION The network security mentioned here refers to access contr ol, including: ■ Which user can acc ess the network server ■ Which service can the authorized user enjoy ■ How to keep accounts for the user who is using network resource AAA pr ovides the following services: ■ Authenticates whether the user[...]

Configuring AAA 217 RADIUS server generally uses a pr oxy function of the devices, like access server , to perform user a uthentication. The o peration process is as fo llows: 1 Send client user name and encryp ted password to RADIUS server . 2 User receives one of the following r esponse messages: ■ ACCEPT : Indicates that the user has passed th[...]

218 C HAPTER 9: AAA AND RADIUS O PERATION userid@isp-name format, the system will take userid part as username for identification and take isp-name part as domain name. The purpose of int roducing ISP domain settings is to support the mult i-ISP application environment. In such an environment, one access device might access users of differ ent ISPs[...]

Configuring AAA 219 By default, after an ISP domain is cr eate d, the used RADIUS server group is the default system (for relevant parameter configur ation, refer to “Configuring th e RADIUS Pr otoco l ” ), the state of domain is active , there is no limit to the amount of supplicants, and the idle-cut is disabled . Creating a Local User A loca[...]

220 C HAPTER 9: AAA AND RADIUS O PERATION Disconnecting a User by Force Sometimes it is necessary to disco nnect a user or a category of users by force. The system provides the following command to serve this purpose. Perform the following confi guration s in system view . By default, no online user will be disconnected by force. Configuring the RA[...]

Configuring the RADIUS Protocol 221 the RADIUS server group, and specify it to use RADIUS AAA schemes. For more about the configuration commands, refer to “Configuring AAA ” . T asks fo r configuring RADIUS are de scribed in the following sections: ■ Crea ting/Deleting a RADIUS Server Gr oup ■ Setting the IP Address and Port Number of RADIU[...]

222 C HAPTER 9: AAA AND RADIUS O PERATION Several ISP domains can use a RADIUS server group at the same time. By default, the system has a RADIUS server group named system whose attributes are all default values. The defau lt attribute valu es are intr oduced in the following section. Setting the IP Address and Po rt Number of RADIUS Server After c[...]

Configuring the RADIUS Protocol 223 ones sugge sted. (Espec ially for some ea rlier RADIUS Servers, authentication/authorization po rt number is often set to 1645 and accounting port number is 1646.) The RADIUS service port settings on the Switch 7750 need to be consistent with the port settings on the RADIUS server . Normally , RADIUS accounting s[...]

224 C HAPTER 9: AAA AND RADIUS O PERATION re sponse, NAS conside rs the communication with the curr ent RADIUS server disconnected a nd will transmit the r equest pack et to other RADIUS servers. Perform the following con figurations in RADIUS server group view . By default, RADIUS request packet will be retransmitted up to three times. Enabling th[...]

Configuring the RADIUS Protocol 225 larger value. The following ta ble r ecommends the ratio of minute value to the number of users. By defa ult, minute is set to 12 minutes. Setting Maximum Times of Real-time Accounting Request The RADIUS server usually verifies that a user is online with timeout timer . If the RADIUS server has not received the r[...]

226 C HAPTER 9: AAA AND RADIUS O PERATION Perform the following configurations in RADIUS server group view . By default, the stop accounting request will be saved in the buf fer . Setting the Maximum Retransmitting Times of the Stop Accountin g Request Because the stop accounting request concer ns account balance, and will affect the amount to char[...]

Configuring the RADIUS Protocol 227 communicate, NAS returns to the primary server . The following commands can be used to set the p rimary server to be acti ve manually , so that NAS can communicate with it immediately after troubleshooting. When the primary and second servers are both active or block, NAS sends the packets to the primary server o[...]

228 C HAPTER 9: AAA AND RADIUS O PERATION By default, the default data unit is a byte and the default da ta packet unit is one packet. Configuring a Local RADIUS Server Gr oup RADIUS service adopts authentication/aut horization/accounting servers to manage users. Local authentication/auth orization/accounting service is also used in these products [...]

Configuring the RADIUS Protocol 229 RADIUS server , it has to re transmit the request to guarantee RADIUS service for the user . Y ou can use the following command to set response timeout timer of RADIUS server . Perform the following configurations in RADIUS scheme view . T able 2- 32 Setting the response ti meout timer of the RADIUS server Operat[...]

230 C HAPTER 9: AAA AND RADIUS O PERATION 500 to 99912 =1000=15 By default, minute is set to 12 minutes. III. Configure the RADIUS Server Response T imer If the NAS receives no r esponse from th e RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period of time, the NAS re sends the request, thu[...]

Configuring HWTACACS 231 4 Configuring the T ACACS accounting server and r elated featuresprimary accountingHWT ACACS viewConf iguring the primary accountin g server secondary accountingHWT ACACS vi ewConfiguring the secondary accounting server retry stop-accountingHWT ACACS view Enabling stop-accounting packet retransmission and setting the allo w[...]

232 C HAPTER 9: AAA AND RADIUS O PERATION As afor ementi oned, HWT ACACS prot ocol is config ured scheme by schem e. Therefor e, you must create a HWT ACACS scheme and enter HWT ACACS view before you perform other configuration tasks. Perform the following confi guration in system view . T able 2-37 Creating a HWT ACACS scheme OperationCommand Crea[...]

Configuring HWTACACS 233 2.4.4 Configuring HWT ACACS Authorization Servers Perform the following configuration in HWT ACACS view . T able 2- 39 Configuring HWT ACACS authorization servers OperationCom mand Configure the primary HWT ACACS author ization server .prima ry authorization ip-address [ port ] Delete the primary HWT ACACS authorization ser[...]

234 C HAPTER 9: AAA AND RADIUS O PERATION Perform the following confi guration in HWT ACACS view . T able 2-41 Configuring stop-ac co unting packet retransmission OperationCommand Enable stop -accounting packet r etran smission and set the allowed maximum number of transmission attemptsre try stop-accounting retry-times Disable stop-accounting pack[...]

Configuring HWTACACS 235 T able 2- 43 Setting a key for securing the communication with the HWT ACACS server OperationCom mand Configure a key for securing the co mmunication with the acco unting, authorization or aut hentication server key { accounting | author ization | authentication } string Delete the configurationundo key { account ing | auth[...]

236 C HAPTER 9: AAA AND RADIUS O PERATION Setting T ACACS Server Time rs Setting the response timeout timer After HWT ACACS is implemented on the basis of TCP , server response time out or TCP timeout may terminate the connection to the T ACACS server . Perform the following confi guration in HWT ACACS view . The default response timeout timer is s[...]

Displaying and Debugging the AAA, RADIUS, and HWTACACS Protocols 237 The real-time accounting interval defaults to 12 minutes. Displaying and Debugging the AAA, RADIUS, and HWT ACACS Protocols After you configure RADI US, execute the display command in all views to display the running of the AAA, RADIUS, and HWT A CACS configuration, and to verify [...]

238 C HAPTER 9: AAA AND RADIUS O PERATION AAA, RADIUS, and HWT ACACS Protocol Configuration Examples AAA/RADIUS protocol configuration comma nds are generally used together with 802.1x configuration co mmands. Refer to the typical configu ration examples provided in “Configuring 802.1x” on page 209 . Configuring F TP/T elnet User Authentication[...]

AAA, RADIUS, and HWTACACS Protocol Configuration Examples 239 Figure 58 Con figuring Remote RADIUS Authentication for T elnet Users 1 Add a T elnet user . For details about configuring F TP and T elnet users, see “Conf iguring the User Interface” on page 20 . 2 Configure the remote authentication mode for the T elnet user , in this example, the[...]

240 C HAPTER 9: AAA AND RADIUS O PERATION switch, set the shar ed key fo r AAA packet encryption to expert . Configure the switch to send user names to the T A CACS server with isp-name removed. On the T ACACS server , s et the shared key for encrypting the packets exchange d with the switch t o expert ; add the user names and passwords of users: 1[...]

Troubleshooting AAA, RADIUS, and HWTACACS Configurations 241 T roubleshooting AAA, RADIUS, and HWT ACACS Configurations The RADIUS pr otocol of th e TCP/IP pr otocol suite is located on the applica tion layer . It specifies how to exchange user information b etween the NAS and RADIUS servers of an ISP . T asks for T roubleshooting AAA and Radius ar[...]

242 C HAPTER 9: AAA AND RADIUS O PERATION[...]

11 S YSTEM M ANAGEMENT This chapter covers the following topics: ■ File System ■ Managing the MAC Address T able ■ Managing Devices ■ Maintaining and Debuggin g the System ■ SNMP ■ RMON ■ NTP File System The Switch 7750 provides a file system module for efficient management with storage devices such as flash memory . Th e file system [...]

244 C HAPTER 11: S YSTEM M ANAGEMENT Managing Files Y ou can use the file system to delete, unde lete, or permanen tly delete a file. It can also be used to d isplay file contents; rename, copy , and move a file; and display the information about a specifie d file. Use the commands in Ta b l e 258 to perform file operations. Perform the following o[...]

File System 245 Example: File System Operation 1 Format the flash. <SW7750> format flash: All sectors will be erased, proceed? [c onfirm] y Format flash: completed 2 Display the working directory in the flash. <SW7750> cd flash:/ <SW7750> pwd flash:/ 3 Create a directory named test. <SW7750> mkdir test 4 Display the flash di[...]

246 C HAPTER 11: S YSTEM M ANAGEMENT Perform the following conf iguration in all views. The configuration files are displayed in their corresponding saving formats. Saving the Curre nt Configuration Use the save command t o retain the current-configuration in the flash memory . The configurations are saved and used when the system is next powered o[...]

File System 247 ■ F TP client — After connecting to the server by running the terminal emulator or T elnet on a PC, you can access the files on it, using the F T P command. F TP Server configuration includes task s described in the following section s: ■ Enabling and Disabli ng the F TP Server ■ Configuring the F TP Server Auth entication a[...]

248 C HAPTER 11: S YSTEM M ANAGEMENT Configuring F T P Server Parameters Y ou can use the following commands to config ure the connection timeout of the F TP server . If the F TP server does not receive a service request from the F TP client for a period of time, it will cut the connec tion to it, thereby avoiding illegal access by unauthorized use[...]

Managing the MAC Address Table 249 ■ Download ing Files with TF TP Configuring the File T ransmission Mode TF TP transmits files in two modes; binary mode for program files and ASCII mode for text files. Use the following commands to configure the file transmission mode. Perform the following configuration in system view . By default, TF TP trans[...]

250 C HAPTER 11: S YSTEM M ANAGEMENT switch learns and adds in the MAC addre ss table. After this, subsequent packets destined for the same MAC address can be forwarded directly . If the MAC address cannot be found after broadcasting the pack et, the switch will drop it and notify the transmitter that the packet did not arr ive at the destination. [...]

Managing the MAC Address Table 251 Perform the following configuration in system view . Disabling or Enabling Global MAC Addr ess Learning W ith the address learning function, an Ethernet switch can lear n new MAC addresses. When it receives a packet destined for a MAC address it has alr eady learned, the switch forwards the packet dir ectly , inst[...]

252 C HAPTER 11: S YSTEM M ANAGEMENT By defaul t, the MAC a ddre ss learning functi on is enabl ed. Setting MAC Addr ess Aging Time Setting an appropriate aging time implem ents MAC addr ess aging. T oo long or too short an aging time set by subscr ibers will cause t he Ethernet sw itch to flood a large amount of data packets. This af fects the swi[...]

Managing Devices 253 Example: Configuring MAC Ad dr ess T able Management The user logs in to the switch through the console port to configure the addr ess table management. Set the address aging time to 500s and add a static address 00e0-fc35-dc71 to Ether net 1/0/2 in vlan1. Figure 60 T ypical Configuration of Address T able Management 1 Enter th[...]

254 C HAPTER 11: S YSTEM M ANAGEMENT Configuring the Managing Devices is described in the following sections: ■ Designating the APP for the Next Boot ■ Displaying Devices Designating the APP for the Next Boot In the case t hat there are several operational images in th e flash memory , you ca n use this command to designate the operationa l fil[...]

Maintaining and Debugging the Sys tem 255 Setting the Slot T empera ture Limit The Switch 7750 sounds an alarm when the temperature on a slot exceeds the pre set limit. Perform the following configuration in user view . Setting the Backboard View The backboard view command determines the back plane bandwidth allocated to each slot in the Switch 775[...]

256 C HAPTER 11: S YSTEM M ANAGEMENT ■ Debugging the System ■ T esting T ools for Network Connection ■ Logging Function Configuring System Basics This section describes the followi ng basic system configuration tasks: ■ Setting the System Name ■ Setting the System Clock ■ Setting the T ime Zone ■ Setting Daylight Saving T ime Setting [...]

Maintaining and Debugging the Sys tem 257 Perform this command in user view . By default, daylight saving time is not set. Displaying System Information and State The following display commands are used for displaying the system state and the statistics information. For the display commands related to each pr otocol and differ ent ports, refer to t[...]

258 C HAPTER 11: S YSTEM M ANAGEMENT Figure 61 Debugging Output Y ou can use the following commands to control debugging. Perform the following operatio ns in user view . For more about the usage and format of the debugging commands, refer to the appropriate chapters. Since the debugging output will affect the system op erating efficiency , do not [...]

Maintaining and Debugging the Sys tem 259 all the information needed. In this case, use display diagnostic-information command. Y ou can perform the fo llowing operations in all views. T o view the data later , enable savin g a screen capture to a file. T esting T ools for Network Connection The descriptions of testing tools for a network connect i[...]

260 C HAPTER 11: S YSTEM M ANAGEMENT The following list provides the tracert execution process: 1 T racert sends a pack et with TTL value of 1. 2 The first hop sends back an ICMP err or me ssage indicating that the packet cannot be sent, for the TTL is timeout. 3 Re-send the packet w ith TTL value of 2. 4 The second hop returns t he TTL timeout mes[...]

Maintaining and Debugging the Sys tem 261 For the above configuration, the lo g host is not configured on the switch. All ot her configurations will take effect af ter enabling the logging function. Enabling and Disabling the Logging Function Y ou can u se the following commands t o enable or disable the logg ing function. Perform the following ope[...]

262 C HAPTER 11: S YSTEM M ANAGEMENT The system assigns a channel in each output direction by default. See Ta b l e 293 . The six settings are independent from each other . The settings will take effect only after enabling the information ce nter . Defining the Log Filtering Rules The SYSLOG classifies the information into eight levels of severity [...]

Maintaining and Debugging the Sys tem 263 Use the following commands to define the filtering rules of the channels. Perform the following oper ation in system view . ■ modu-name : specifies the module name. ■ level : r efers to the severity levels. ■ severity : specifies the severity level of in formation. The information with the level below[...]

264 C HAPTER 11: S YSTEM M ANAGEMENT Configuring the Info-center Loghost This configuration is performed on the info-center loghost. The followin g configuration example is implemented on SunOS 4.0. The configurations on the Unix operating systems of ot her vendors are similar . 1 Perform the following commands with the identity of root mkdir /var/[...]

SNMP 265 Configur e the info-ce nter loghost as fo llows: 1 Enable the logging system. [SW7750] info-center enable 2 Set the host at 202.38.1.10 as info- center loghost, sets the severity threshold to informational, the output language to E nglish and allows the RSTP and IP modules to output infor mation. [SW7750] info-center loghost 202.38.1.10 la[...]

266 C HAPTER 11: S YSTEM M ANAGEMENT In terms of structure, SNMP can be divi ded into two parts, NMS and Agent. NMS (Network Management Station) is the work station for running the client program. At present, the commonly used NM platforms include Sun NetManager and IBM NetView . The agent is the server softwa re operated on network devices. NMS ca[...]

SNMP 267 The current SNMP Agent of Ether net s witch supports SNMP V1, V2 C and V3. The MIBs supported are listed in the following table. Configuring SNMP Configuring SNMP includes tasks that are described in the following sections: ■ Setting the Community Name ■ Enabling and Disabling the SNMP Agent to Send a T rap ■ Setting the Destination [...]

268 C HAPTER 11: S YSTEM M ANAGEMENT only query the device information, whereas the community with r ead-write authority can also configure the device. Use the following commands to set the community name. Perform the following confi guration in system view . Enabling and Disabling the SNMP Agent to Send a T rap The managed device transmits a t rap[...]

SNMP 269 The authentication parameter specifies that th e packet is aut henticated withou t encryption. This parameter is supported only in SNMP V3. The privacy parameter specifies that the packet is authen ticated and encrypted. This parameter is supported only in SNMP V3. Setting the Lifetime of the T rap Message Y ou can use the following comma [...]

270 C HAPTER 11: S YSTEM M ANAGEMENT By default, the engine ID is expressed as enterprise No. + device information. The device info rmation can be IP addr ess, MAC ad dress, or user -defined text. Setting and Deleting an SNMP Gr oup Use the following commands to set or delete an SNMP group. Perform the following confi guration in system view . The [...]

SNMP 271 Perform the following configuration in system view . The authentication-mode parameter specifies the use of authentication. The privacy-mode parameter specifies the use of authentication and encryption. This parameter is supported only in SNMP V3. For details, see the Switch 7750 Comman d Reference Guid e . Creating and Updating View Infor[...]

272 C HAPTER 11: S YSTEM M ANAGEMENT Enabling and Disabling T ransm ission of T rap Information T o enable or disable tran smission of trap in formation, perform the following configuration in Ethernet po rt view . Disabling the SNMP Agent T o disable the SNMP Agent, perform the following configuration in system view . If a user disa bles an NMP Ag[...]

SNMP 273 Example: SNMP Configuration A Network Management Station (NMS) and the Et hernet swit ch are connected by the Ether net. The IP address of NMS is 129.102.149.23 and the IP add ress of the VLAN interface on the switch is 129.102.0.1. Perform the following conf igurations on the switch: ■ Set the community name and access au thority ■ Se[...]

274 C HAPTER 11: S YSTEM M ANAGEMENT 5 Set the administrat or ID, contact and the physical location of the Ether net swit ch. [SW7750] snmp-agent sys-info contac t Mr.Smith-Tel:3306 [SW7750] snmp-agent sys-info locati on telephone-closet,3rd-floor 6 Enable the SNMP agent to send the trap to Network Management Station whose IP address is 129.102.149[...]

RMON 275 ■ Adding an d Deleting an Entry to or fro m the Alarm T able ■ Adding an d Deleting an Entry to or fr om the Ev ent T able ■ Adding and Deleting an Entry to or from the History Contr ol T able ■ Adding an d Deleting an Entry to or fr om the Ex tended RMO N Alarm T able ■ Adding and Deleting an Entry to or from the Statistics T ab[...]

276 C HAPTER 11: S YSTEM M ANAGEMENT Adding and Deleting an Entry to or fr om the History Contr ol T able The history data management helps you set the history data colle ctio n, periodical data collection, and storage of the specified por ts. The sampling information includes the utilization ratio, error co unts, and the total number of packets. U[...]

RMON 277 Displaying the RMON Configuration Execute the display command in all views to display the RMON configuration, and to verify the configurat ion. Example: RMON Configuration Set an entry in the RMON Ethernet statistics table for Ether net port performance, which is convenient for network administrators’ query . Figure 64 RMON Configu ratio[...]

278 C HAPTER 11: S YSTEM M ANAGEMENT Dropped packet events (due to la ck of resources):0 Packets received according to le ngth (in octets): 64 :644 , 65-127 :518 , 128-255 :688 256-511:101 , 512-1023:3 , 1024-1518:0 NTP As the network topo logy gets more and more complex, it becomes important to synchronize the clocks of the equipmen t on the entir[...]

NTP 279 ■ Ether net Switch B serves as an NTP time server and Ethern et Switch A synchronizes the local clock with the clock of B. ■ It takes 1 second to t ransmit a data pack et from either A or B to the opposite end. The system clocks ar e synchr onized as follows: ■ Ethernet Switch A sends an NTP pack et to Ether net Switch B. The packet c[...]

280 C HAPTER 11: S YSTEM M ANAGEMENT Y ou can set the NTP operating mode of the Switch 7750 according to its location in the network, and the network structur e. For example, you can set a remote server as the time server of the local eq uipment. In this case the local Ethernet Switch works as an NTP client. If you set a remote server as a peer of [...]

NTP 281 than a broadcast, multicast, or reference clock IP address. In this mode, both the local switch and the remote server can sy nchronize their clocks with the clock of the opposite end. Perform the following configurations in system view . NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges f[...]

282 C HAPTER 11: S YSTEM M ANAGEMENT Perform the following configurations in VLAN interface view . This command can only be configured on the interface wher e the NTP br oadcast packets are r eceived. Configuring NTP Multicast Server Mode Designate an interf ace on the local switch to transmit NTP multicast packet s. In this case, the local equipme[...]

NTP 283 Configuring NTP ID Authentication Enable NTP authentication, set the MD5 authentication key , and specify th e reliable key . A client will synchronize itself by a server only if the server can provide a relia ble key . Perform the following configurations in system view . Setting the NTP Authentication Key This configuration task sets th e[...]

284 C HAPTER 11: S YSTEM M ANAGEMENT Perform the following confi gurations in system view . An interface is specified by interface-name or interface-type interface-number . The source address of the pack ets will be taken from the IP address of the interface. If the ntp-service unicas t-server or ntp-service unicast-peer command also designates a t[...]

NTP 285 Setting the Authority to Access a Local Switch Set the authority to access the NTP servic es on a local switch. This is a basic security measure. An access request will be matched with peer , serve , serve only , and query only in an ascending order of th e limitation. The first matched authority will be granted. Perform the following confi[...]

286 C HAPTER 11: S YSTEM M ANAGEMENT NTP Configuration Examples NTP configuration examples are shown in the following: ■ Example: Configuring NTP Servers ■ Example: Configuring NTP Peers ■ Example: Configuring NTP Broadcast Mode ■ Example: Configuring NTP Multicast Mode ■ Example: Configuring Authentica tion- Enabled NTP Server Mode Examp[...]

NTP 287 The above examples synchronized SW77502 by SW77501. Before the synchronization, the SW77502 is shown in the following status: [SW77502] display ntp-service status clock status: unsynchronized clock stratum: 16 reference clock ID: none nominal frequency: 100.0000 Hz actual frequency: 100.0000 Hz clock precision: 2^17 clock offset: 0.0000 ms [...]

288 C HAPTER 11: S YSTEM M ANAGEMENT Display the sessions of SW77502 and y ou will see SW77502 ha s been connected with SW77501. [SW77502] display ntp-service sessions source reference stra reach p oll now offset delay disper ********************************** ********************************** ****** [12345]127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0[...]

NTP 289 The previous examples configure SW77504 and SW77505 as peers and configure SW77505 as in active peer mode and SW77504 in passive peer mode. Since SW77505 is at stratum 1 and SW77504 is at strat um 3, synchronize SW77504 by SW77505. After synchronization, SW77504 status is shown as follows: [SW77504] display ntp-service status clock status: [...]

290 C HAPTER 11: S YSTEM M ANAGEMENT Example: Configuring NTP Broadcast Mode On SW77503, set local clock as t he NTP master clock at stratum 2, and configure to broadcast packets fr om Vlan-interface2. Configu re SW77504 and SW77501 to listen to the broadcast from their Vlan-interface2. See Figure 66 . Configure Ethernet Switch SW77503: 1 Enter sys[...]

NTP 291 clock offset: 0.0000 ms root delay: 0.00 ms root dispersion: 10.94 ms peer dispersion: 10.00 ms reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112) By this time, SW77504 has been synchronized by SW77503 and it is at st ratum 3, higher than SW77 503 by 1. Display the status of SW77504 sessi ons and you will se e SW77504 has been c[...]

292 C HAPTER 11: S YSTEM M ANAGEMENT 3 Enable multicast client mode. [SW77504-Vlan-Interface2] ntp-service multi cast-client Configure Ethernet Switch SW77501: 1 Enter system view . <SW77501> system-view 2 Enter Vlan-interface2 view . [SW77501] interface vlan-interface 2 3 Enable multicast client mode. [SW77501-Vlan-Interface2] ntp-service mu[...]

NTP 293 Perform the following additional configurat ions on SW77501: 1 Enable authentication. [SW77501] ntp-service authentication ena ble 2 Set the key . [SW77501] ntp-service authentication-key id 42 authentication-mode md5 aNiceKey 3 Configure the key as reliable. [SW77501] ntp-service reliable authentic ation-keyid 42[...]

294 C HAPTER 11: S YSTEM M ANAGEMENT[...]