3Com 5500-SI manual


A good user manual

The rules oblige the retailer to supply the buyer with the manual together with the 3Com 5500-SI product. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the product does not conform to the contract. By law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphic form or an electronic manual, or 3Com 5500-SI instructional videos for users. The condition is that the form be legible and understandable.

What is an instruction manual?

The word comes from the Latin "instructio", to instruct. So in the 3Com 5500-SI manual you will find a description of the stages of the process. The purpose of the manual is to instruct, and to make starting up, using the equipment, or carrying out particular tasks easier. The manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the 3Com 5500-SI manual, yet a good manual not only lets you learn a number of additional features of the device, but also prevents most faults.

So what should the perfect manual contain?

First, the 3Com 5500-SI manual should contain:
- technical data of the 3Com 5500-SI device
- the manufacturer's name and the year of manufacture of the 3Com 5500-SI device
- instructions for use, adjustment and maintenance of the 3Com 5500-SI device
- safety marks and certificates confirming conformity with the relevant standards

Why don't you read manuals?

Usually it is due to lack of time and to being confident about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the 3Com 5500-SI is not enough. The manual contains a series of guidelines on specific features, safety, maintenance methods (including which products should be used), possible 3Com 5500-SI defects, and ways to solve common problems during use. Finally, the manual gives the contact details for 3Com service in case the proposed solutions do not work. Nowadays, manuals in the form of interesting animations and instructional videos are much appreciated, as they speak to the user better than a leaflet. This type of manual gives the user the chance to go through the whole instructional video without skipping the complicated 3Com 5500-SI specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the 3Com 5500-SI device, the use of individual accessories, and a range of information that lets you enjoy all its features and facilities fully.

After the successful purchase of a piece of equipment or device, it is worth taking a moment to get familiar with every part of the 3Com 5500-SI manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic informational function.

Manual index

  • Page 1

    3Com® Switch 5500 Family Configuration Guide: Switch 5500-SI, Switch 5500-EI, Switch 5500G-EI. www.3Com.com Part Number: 1001492 2 Rev. AC Published: December 2006[...]

  • Page 2

    3Com Corporation, 350 Campus Drive, Marlborough, MA USA 01752-3064. Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com C[...]

  • Page 3

    3 CONTENTS. ABOUT THIS GUIDE: Organization of the Manual 21; Intended Readership 22; Conventions 22; Related Manuals 23. 1 GETTING STARTED: Product Overview 25; XRN Overview 26; Major Technologies 26; Typical Networking Topology 26; Product Features 27; Logging in to the Switch 29; Setting up Configuration Environment through the Consol[...]

  • Page 4

    4 CHAPTER: CONTENTS. Displaying Port Configuration Information in Brief 67; Ethernet Port Configuration Example 67; Ethernet Port Troubleshooting 68; Link Aggregation Configuration 68; Link Aggregation Configuration 71; Displaying and Debugging Link Aggregation 74; Link Aggregation Configuration Example 75; Global Broadcast Suppression Feature 76[...]

  • Page 5

    5 Protocol-Based VLAN Configuration 100; Configuring Protocol-Based VLANs 100; Displaying the Information about Protocol-Based VLANs 101; Voice VLAN Configuration 102; Voice VLAN Configuration 102; Displaying and Debugging of Voice VLAN 106; Voice VLAN Configuration Example 106; Creating VLANs in Batches 107; Voice VLAN Configuration 107; Configu[...]

  • Page 6

    6 CHAPTER: CONTENTS. 10 DHCP SERVER CONFIGURATION: Introduction to DHCP Server 125; Usage of DHCP Server 125; DHCP Fundamentals 125; DHCP Packet Processing Modes 127; DHCP Address Pool 127; Global Address Pool-Based DHCP Server Configuration 128; Configuration Overview 128; Enabling DHCP 128; Configuring Global Address Pool Mode on Interface(s) 129; C[...]

  • Page 7

    7 12 VRRP CONFIGURATION: VRRP Overview 151; Virtual Router Overview 152; Introduction to Backup Group 153; VRRP Configuration 155; Configuring a Virtual Router IP address 155; Configuring Backup Group-Related Parameters 156; Displaying and Clearing VRRP Information 157; VRRP Configuration Example 157; Single-VRRP Backup Group Configuration Examp[...]

  • Page 8

    8 CHAPTER: CONTENTS. Introduction to the Protection Functions 185; Prerequisites 186; Configuring BPDU Protection 187; Configuring Root Protection 187; Configuring Loop Prevention 188; Configuring TC-BPDU Attack Prevention 188; BPDU Tunnel Configuration 188; Introduction to BPDU Tunnel 188; Configuring BPDU Tunnel 189; Displaying and Debugging[...]

  • Page 9

    9 Displaying and Debugging RIP 233; Example: Typical RIP Configuration 233; Troubleshooting RIP 234; OSPF Configuration 235; Calculating OSPF Routes 235; Basic Concepts Related to OSPF 236; Configuring OSPF 237; Displaying and Debugging OSPF 253 254; Example: Configuring DR Election Based on OSPF Priority 254; Example: Configuring OSPF Virtual Link 256[...]

  • Page 10

    10 CHAPTER: CONTENTS. Option 82 Supporting Configuration 288; Prerequisites 288; Enabling Option 82 Supporting on a DHCP Relay 288; Option 82 Supporting Configuration Example 289; Introduction to DHCP Snooping 290; DHCP Snooping Configuration 291; Configuration Example 292; Introduction to DHCP Accounting 292; Structure of the DHCP Accounting Pack[...]

  • Page 11

    11 Displaying Multicast MAC Address Configuration 324; Multicast Source Deny Configuration 325; Clearing MFC Forwarding Entries or Statistics Information 325; Clearing Route Entries From The Core Multicast Routing Table 325; Displaying and Debugging Common Multicast Configuration 326; Internet Group Management Protocol (IGMP) 326; Configuring IG[...]

  • Page 12

    12 CHAPTER: CONTENTS. Applying QoS Profile to the Port 374; QoS Profile Configuration Example 374; ACL Control Configuration 376; Configuring ACL for Telnet Users 376; Defining ACL 376; Importing ACL 377; Configuration Example 377; Configuring ACL for SNMP Users 377; Configuration Example 379; Configuring ACL Control over the HTTP Users 379; Defining A[...]

  • Page 13

    13 Configuring Timers 398; Enabling/Disabling a Quiet-Period Timer 399; 802.1x Client Version Checking Configuration 399; Enabling the 802.1x Client Version Checking Function 399; Configuring the Maximum Number of Retries to Send Version Checking Request Packets 399; Configuring the Version Checking Timer 400; 802.1x Client Version Checking Config[...]

  • Page 14

    14 CHAPTER: CONTENTS. Configuring User Re-authentication at Reboot 425; Configuration Example for User Re-authentication at Reboot 425; Setting the RADIUS Packet Encryption Key 425; Tag VLAN Assignment on Trunk/Hybrid Port Supported by 802.1x Authentication 426; Identifier Authentication Method Attribute in RADIUS 426; Setting Retransmission T[...]

  • Page 15

    15 MAC Address Table Management 451; MAC Address Table Configuration 452; Displaying MAC Address Table 454; MAC Address Table Management Display Example 454; MAC Address Table Management Configuration Example 455; Device Management 456; Device Management Configuration 456; Device Management Configuration Example 457; System Maintenance and Debug[...]

  • Page 16

    16 CHAPTER: CONTENTS. Configure NTP Broadcast Mode 502; Configure NTP Multicast Mode 504; Configure Authentication-enabled NTP Server Mode 505; SSH Terminal Services 506; Configuring SSH Server 507; Setting System Protocol 507; Configuring SSH Client 510; SSH Configuration Example 515; File System Configuration 516; Introduction to File System 516; F[...]

  • Page 17

    17 26 RSTP CONFIGURATION: STP Overview 539; Implement STP 539; Configuration BPDU Forwarding Mechanism in STP 543; Implement RSTP on the Switch 543; RSTP Configuration 544; Enable/Disable RSTP on a Switch 547; Enable/Disable RSTP on a Port 547; Configure RSTP Operating Mode 548; Configure the STP-Ignore attribute of VLANs on a Switch 548; Set Priority[...]

  • Page 18

    18 CHAPTER: CONTENTS. Network Management Operation Logging Configuration 569; Displaying and Debugging SNMP 570; SNMP Configuration Example 570; Reading Usmusr Table Configuration Example 571. 29 SOURCE IP ADDRESS CONFIGURATION: Configuring Source IP Address for Service Packets 573; Displaying the Source IP Address Configuration 574. 30 PASSWOR[...]

  • Page 19

    19 32 CLUSTERING: Clustering Overview 601; Switch Roles 602; Introduction to NDP 603; Introduction to NTDP 603; Introduction to Cluster Roles 604; Management Device Configuration 605; Enabling System and Port NDP 605; Configuring NDP Parameters 605; Enabling System and Port NTDP 605; Configuring NTDP Parameters 605; Configuring Cluster Parameters 606[...]

  • Page 20

    20 CHAPTER: CONTENTS. B RADIUS SERVER AND RADIUS CLIENT SETUP: Setting Up A RADIUS Server 627; Configuring Microsoft IAS RADIUS 627; Configuring Funk RADIUS 652; Configuring FreeRADIUS 656; Setting Up the RADIUS Client 658; Windows 2000 built-in client 658; Windows XP built-in client 658; Aegis Client Installation 659. C AUTHENTICATING THE SWITCH 55[...]

  • Page 21

    ABOUT THIS GUIDE. This guide provides information about configuring your network using the commands supported on the 3Com® Switch 5500 Family. The descriptions in this guide apply to the Switch 5500-SI and Switch 5500-EI. Differences between the models are noted in the text. Organization of the Manual: The Switch 5500 Family Configuration G[...]

  • Page 22

    22 ABOUT THIS GUIDE. ■ ACL by RADIUS — Details ACL by RADIUS Configuration. ■ Auto Detect — Details Auto Detect Configuration. ■ RSTP — Details Spanning Tree Protocol Configuration. ■ PoE — Details PoE profile Configuration. ■ SNMP — Details Simple Network Management Protocol Configuration. ■ Source IP Address — Details Sour[...]

  • Page 23

    Related Manuals 23. Related Manuals: The 3Com Switch 5500 Family Getting Started Guide provides information about installation. The 3Com Switch 5500 Family Command Reference Guide provides all the information you need to use the configuration commands. Variable command text: This typeface indicates the variable part of a command text. You must type[...]

  • Page 24

    24 ABOUT THIS GUIDE[...]

  • Page 25

    1 GETTING STARTED. This chapter covers the following topics: ■ Product Overview ■ XRN Overview ■ Product Features ■ Logging in to the Switch ■ Command Line Interface ■ User Interface Configuration. Product Overview: The Switch 5500 Family are Layer 3 switching products supporting expandable resilient networking (XRN). The Switch 5500[...]

  • Page 26

    26 CHAPTER 1: GETTING STARTED. The Switch 5500 family supports the following services: ■ Internet broadband access ■ MAN (metropolitan area network), enterprise/campus networking ■ Multicast service, multicast routing, and audio and video multicast service. XRN Overview: With the XRN (eXpandable Resilient Networking) feature, you can conne[...]

  • Page 27

    Product Features 27. Figure 1 Networking Topology with XRN. Product Features: Table 4 describes the features. (Figure labels: Unit 1, Unit 2, Unit 3, Unit 4, Fabric, Server, Core switches, Workgroup switches, Desktop PCs.) Table 4 Function Features: Features, Description. Port: 802.1D Learning; Static MAC (unicast/multicast); Jumbo Frame (9k) (EI models only); Unidirectional[...]

  • Page 28

    28 CHAPTER 1: GETTING STARTED. Multicast: Internet Group Management Protocol (IGMP) Snooping; Multicast VLAN Registration (MVR); Internet Group Management Protocol (IGMP) (EI models only); Protocol-Independent Multicast-Dense Mode (PIM-DM) (EI models only); Protocol-Independent Multicast-Sparse Mode (PIM-SM) (EI models only); Multicast Source Discov[...]

  • Page 29

    Logging in to the Switch 29. Logging in to the Switch: This section describes how to log in to the switch. Setting up Configuration Environment through the Console Port: Perform the following procedure to set up the configuration environment through the console port. 1 To set up the local configuration environment, connect the serial port of a PC[...]

  • Page 30

    30 CHAPTER 1: GETTING STARTED. Figure 3 Setting up a New Connection. Figure 4 Configuring the Port for Connection[...]

  • Page 31

    Logging in to the Switch 31. Figure 5 Setting Communication Parameters. 3 The Switch is powered on and it displays self-test information. Press <Enter> to show the command line prompt, such as <SW5500>. 4 Enter a command to configure the Switch or view the operation state. Enter a ? to view online help. For details of specific command[...]

  • Page 32

    32 CHAPTER 1: GETTING STARTED. Figure 6 Setting up the Configuration Environment through Telnet. 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the network port on the PC. Figure 7 Running Telnet. 4 The terminal displays Login authentication and prompts the user to enter the logon password. After you enter the corr[...]

  • Page 33

    Logging in to the Switch 33. Figure 8 Providing Telnet Client Service. 1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch. If a user logs in through Telnet without the password, the[...]

  • Page 34

    34 CHAPTER 1: GETTING STARTED. 2 Perform the following configurations on the Modem that is directly connected to the Switch. (You are not required to configure the Modem connected to the terminal.) AT&F ------------------- Reset Modem factory settings; ATS0=1 ----------------- Set auto response (ring once); AT&D ------------------- Ignore DT[...]

  • Page 35

    Logging in to the Switch 35. Figure 9 Setting up Remote Configuration Environment. 4 Dial for connection to the Switch, using the terminal emulator and Modem on the remote end. The number you dial is the telephone number of the Modem connected to the Switch. See Figure 10 and Figure 11. Figure 10 Setting the Dialed Number. (Figure labels: Modem, Telephone lin[...]

  • Page 36

    36 CHAPTER 1: GETTING STARTED. Figure 11 Dialing on the Remote PC. 5 Enter the preset login password on the remote terminal emulator and wait for the prompt <SW5500>. Then you can configure and manage the Switch. Enter ? to view online help. For details of specific commands, refer to the following chapters. By default, after login, a[...]

  • Page 37

    Command Line Interface 37. Command Line Interface: The Switch 5500 family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics: ■ Local configuration through the console port. ■ Local or remote configuration through Telnet or S[...]

  • Page 38

    38 CHAPTER 1: GETTING STARTED. user has entered super password [ level level ] { simple | cipher } password.) For the sake of confidentiality, on the screen the user cannot see the password that they entered. Only when the correct password is input within three attempts can the user switch to the higher level. Otherwise, the original user level will rem[...]

  • Page 39

    Command Line Interface 39. VLAN Interface View: Configure IP interface parameters for a VLAN or a VLAN aggregation; prompt [SW5500-Vlan-interface1]; enter interface vlan-interface 1 in System View; quit returns to System View; return returns to User View. Local-User View: Configure local user parameters; prompt [SW5500-luser-user1]; enter local-user user1 in System View; q[...]

  • Page 40

    40 CHAPTER 1: GETTING STARTED. Features and Functions of Command Line. Command Line Help: The command line interface provides full and partial online help. You can get help information through the online help commands, which are described below: 1 Enter ? in any view to get all the commands in that view. 2 Enter a command with a ? separated by[...]

  • Page 41

    Command Line Interface 41. Displaying Characteristics of the Command Line: The command line interface provides a pausing function. If the information to be displayed exceeds one screen, users have three choices, as shown in Table 6. History Command: The command line interface provides a function similar to that of the DosKey. Commands entered b[...]

  • Page 42

    42 CHAPTER 1: GETTING STARTED. Editing Characteristics of Command Line: The command line interface provides basic command editing and supports the editing of multiple lines. A command cannot be longer than 256 characters. See Table 9. User Interface Configuration: User interface configuration is another way provided by the Switch to configure an[...]

  • Page 43

    User Interface Configuration 43. To number the user interface by relative number, represented by interface + number assigned to each type of user interface: ■ AUX user interface = AUX 0. ■ The first VTY interface = VTY 0, the second one = VTY 1, and so on. User Interface Configuration: Tasks for configuring the user interface are described[...]

  • Page 44

    44 CHAPTER 1: GETTING STARTED. Configuring the Attributes of AUX (Console) Port: Use the speed, flow control, parity, stop bit, and data bit commands to configure these attributes of the AUX (console) port. Perform the following configurations in User Interface (AUX user interface only) View. Configuring the Transmission Speed on the AUX (C[...]

  • Page 45

    User Interface Configuration 45. Configuring the Terminal Attributes: The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size. Perform the following configurati[...]

  • Page 46

    46 CHAPTER 1: GETTING STARTED. Setting the Screen Length: If a command displays more than one screen of information, you can use the following command to set how many lines are displayed in a screen, so that the information can be separated into different screens and you can view it more conveniently. By default, the terminal screen length is 2[...]

  • Page 47

    User Interface Configuration 47. Perform the following configuration in User Interface View. Configure password authentication for a user logging in through the VTY 0 user interface and set the password to 3Com: [SW5500] user-interface vty 0; [SW5500-ui-vty0] authentication-mode password; [SW5500-ui-vty0] set authentication password simple 3Com 2[...]

  • Page 48

    48 CHAPTER 1: GETTING STARTED. By default, the specified logged-in user can access the commands at Level 1. Setting the Command Level used after a User Logs In from a User Interface: You can use the following command to set the command level after a user logs in from a specific user interface, so that a user is able to execute the command[...]

  • Page 49

    User Interface Configuration 49. auto-execute command: The following command is used to automatically run a command after you log in. After a command is configured to be run automatically, it will be automatically executed when you log in again. This command is usually used to automatically execute the telnet command on the terminal, which wil[...]

  • Page 50

    50 CHAPTER 1: GETTING STARTED[...]

  • Page 51

    2 ADDRESS MANAGEMENT CONFIGURATION. Introduction to Address Management: You can easily configure the switch on which the Address Management (AM) feature is enabled to allow a user with the specified MAC address to gain network access through the specified IP address in a small network, such as a campus network. This facilitates the implementation[...]

  • Page 52

    52 CHAPTER 2: ADDRESS MANAGEMENT CONFIGURATION. Perform the following operations to bind the MAC address and IP address of a legal user to the specified port; no other configuration is required. Address Management Configuration Example: This section contains configuration examples. Port-Based Address Management IP Address Pool Configuration[...]

  • Page 53

    Address Management Configuration Example 53. To configure an address management IP address pool on GigabitEthernet 1/0/1, allowing 20 IP addresses starting from 202.10.20.1 to 202.10.20.20 to access the network, enter the following: [S5500] interface GigabitEthernet 1/0/1; [S5500-GigabitEthernet 1/0/1] am ip-pool 202.10.20.1 20. Configuration Examp[...]

  • Page 54

    54 CHAPTER 2: ADDRESS MANAGEMENT CONFIGURATION[...]

  • Page 55

    3 PORT OPERATION. This chapter covers the following topics: ■ Ethernet Port Configuration Introduction ■ Link Aggregation Configuration ■ Global Broadcast Suppression Feature ■ Configuring VCT ■ Global Broadcast Suppression Feature ■ Displaying Port Configuration Information in Brief ■ Displaying Information About a Specified O[...]

  • Page 56

    56 CHAPTER 3: PORT OPERATION. Entering Ethernet Port View: Before configuring an Ethernet port, enter Ethernet Port View. Perform the following configuration in System View. Enabling/Disabling an Ethernet Port: Use the following command to disable or enable the port. After configuring the related parameters and protocol of the port, you can[...]

  • Page 57

    Ethernet Port Configuration Introduction 57. duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaults to auto (auto-negotiation) mode. Setting Speed on the Ethernet Port: Use the following command to set the speed of the Ethernet port. If the speed is set to auto-negotiation mode, the local an[...]

  • Page 58

    58 CHAPTER 3: PORT OPERATION. Permitting/Forbidding Jumbo Frames to Pass through an Ethernet Port: An Ethernet port may encounter jumbo frames exceeding the standard frame length when switching large-throughput data such as file transfers. This command can forbid or permit jumbo frames to pass through an Ethernet port. Perform the following co[...]

  • Page 59

    Ethernet Port Configuration Introduction 59. Perform the following configuration in Ethernet Port View. By default, the port is an access port. Note that: ■ You can configure four types of ports concurrently on the same Switch, but you cannot switch port type between trunk port, hybrid port and stack port. You must first return it to acc[...]

  • Page 60

    60 CHAPTER 3: PORT OPERATION. can be configured to tag some VLAN packets, based on which the packets can be processed differently. Setting the Default VLAN ID for the Ethernet Port: Because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs. Because a hybrid port and a trunk port can be included[...]

  • Page 61

    Ethernet Port Configuration Introduction 61. The loopback detection function for a port is enabled only when the loopback-detection enable command is enabled under both system view and port view. When the undo loopback-detection enable command is used under system view, the loopback detection function will be disabled for all ports. Setting Loopbac[...]

  • Page 62

    62 CHAPTER 3: PORT OPERATION. By default, port loopback detection and the loopback detection control function on trunk and hybrid ports are disabled. The detection interval is 30 seconds, and the system detects the default VLAN on the trunk and hybrid ports. Configuring VCT: You can start the virtual cable test (VCT) to make the system test th[...]

  • Page 63

    Ethernet Port Configuration Introduction 63. authenticated devices can obtain data frames from the port, so as to prevent illegal devices from filching network data. 2 Intrusion Protection: By checking the source MAC addresses of the data frames received on a port, this feature discovers illegal packets and takes appropriate action (temp[...]

  • Page 64

    64 CHAPTER 3: PORT OPERATION. The time set by the port-security timer disableport timer command takes effect when the disableport-temporarily mode is set by the port-security intrusion-mode command. To avoid conflict, the following limitation on 802.1x and MAC address authentication applies after port security is enabled: 1[...]

  • Page 65

    Ethernet Port Configuration Introduction 65. Network diagram: Figure 14 Network diagram for port security configuration. Configuration procedure: Configure switch A as follows. 1 Enter the system view: <S5500> system-view. 2 Enable port security: [S5500] port-security enable. 3 Enter Ethernet1/0/1 port view: [S5500] interface Ethernet1/0/1. 4 A[...]

  • Page 66

    66 CHAPTER 3: PORT OPERATION. statistics. The VLAN setting includes permitted VLAN types and default VLAN ID. The port setting includes port link type, port speed, and duplex mode. The LACP setting includes LACP enabling/disabling. Perform the following configuration in System View. Note that if the copy source is an aggregation group, take t[...]

  • Page 67

    Ethernet Port Configuration Introduction 67. Displaying Port Configuration Information in Brief: This S5500 version has a new command, display brief interface, for you to display the port configuration information in brief, including the port type, link state, link rate, duplex attribute, link type and default VLAN ID. Ethernet Port Configuration Ex[...]

  • Page 68

    68 CHAPTER 3: PORT OPERATION. Ethernet Port Troubleshooting. Fault: Default VLAN ID configuration failed. Troubleshooting: Take the following steps. 1 Use the display interface or display port command to check if the port is a trunk port or a hybrid port. If it is neither, configure it as a trunk port or a hybrid port. 2 Configure the defaul[...]

  • Page 69

    Link Aggregation Configuration 69. Types of Link Aggregation: The types of link aggregation are described in the following sections: ■ Manual Aggregation and Static LACP Aggregation ■ Dynamic LACP Aggregation. Manual Aggregation and Static LACP Aggregation: Both manual aggregation and static LACP aggregation require manual configuration of aggre[...]

  • Page 70

    70 CHAPTER 3: PORT OPERATION. ■ The system sets to inactive state the ports with basic configurations different from that of the active port with the minimum port number. Because only a defined number of ports can be supported in an aggregation group, if the active ports in an aggregation group exceed the port quantity threshold for that group[...]

  • Page 71

    Link Aggregation Configuration 71. ■ Aggregation groups with the minimum master port numbers if they reach the equal rate with other groups after the resources are allocated to them. When aggregation groups of higher priority levels appear, the aggregation groups of lower priority levels release their hardware resources. For single-port agg[...]

  • Page 72

    72 CHAPTER 3: PORT OPERATION. Creating/Deleting an Aggregation Group: Use the following command to create a manual aggregation group or static LACP aggregation group; a dynamic LACP aggregation group is established by the system when LACP is enabled on the ports. You can also delete an existing aggregation group: when you delete a manual[...]

  • Page 73

    Link Aggregation Configuration 73. ■ port with static ARP configured ■ port with 802.1x enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. Setting/Deleting the Aggregation Group Descriptor: Perform the following configuration in System View. By[...]

  • Page 74

    74 CHAPTER 3: PORT OPERATION. Perform the following configuration in Ethernet Port View. By default, port priority is 32768. Displaying and Debugging Link Aggregation: After the above configuration, enter the display command in any view to display the running of the link aggregation configuration, and to verify the effect of the configuration[...]

  • Page 75

    Link Aggregation Configuration 75. Link Aggregation Configuration Example. Networking Requirement: Switch A connects to Switch B with three aggregation ports, numbered Ethernet1/0/1 to Ethernet1/0/3, so that incoming/outgoing load can be balanced among the member ports. Networking Diagram: Figure 16 Networking for Link Aggregation Configuration. Pr[...]

  • Page 76

    76 CHAPTER 3: PORT OPERATION. Only when the three ports are configured with identical basic configuration, rate and duplex mode can they be added into the same dynamic aggregation group after LACP is enabled on them, for load sharing. Global Broadcast Suppression Feature: This section describes how to configure the Global Broadcast Suppr[...]

  • Page 77

    Displaying Information About a Specified Optical Port 77. Displaying Information About a Specified Optical Port: You can use the display transceiver-information interface command to display the following information about a specified optical port: ■ Hardware type ■ Interface type ■ Wavelength ■ Vendor ■ Serial number ■ Tran[...]

  • Página 78

    78 C HAPTER 3: P ORT O PERATION[...]

  • Página 79

    4 XRN CONFIGURATION This chapter covers the following topics: ■ Introduction to XRN ■ Configuring an XRN Fabric ■ Fabric Configuration Example Introduction to XRN Several XRN Switches of the same model can be interconnected to create a “Fabric”, in which each Switch is a unit. The ports used to interconnect all the units are called Fabric [...]

  • Page 80

    80 CHAPTER 4: XRN CONFIGURATION Table 60 Configuring FTM The Switch 5500 Series: the SI units support basic XRN, that is, Distributed Device Management (DDM) and Distributed Link Aggregation (DLA); the EI units support enhanced XRN, that is, DDM, Distributed Resilient Routing (DRR). Specifying the Stacking VLAN of the Switch You can use the[...]

  • Page 81

    Configuring an XRN Fabric 81 ■ If the modified unit ID is an existing one, the Switch prompts you to confirm if you really want to change the unit ID. If you choose to change, the existing unit ID is replaced and the priority is set to 5. Then you can use the fabric save-unit-id command to save the modified unit ID into the unit Flash memory and c[...]

  • Page 82

    82 CHAPTER 4: XRN CONFIGURATION Table 66 Setting a Fabric Name for Switches By default, the Fabric name is “5500-EI”. Setting an XRN Authentication Mode for Switches Only the Switches with the same Fabric name and XRN authentication mode can constitute a Fabric. You can use the commands in the following table to set an authentication m[...]

  • Page 83

    RMON on XRN 83 Networking Diagram Figure 18 Networking Diagram of a Fabric Configuration Procedure Configure Switch A: [SW5500] change unit-id 1 to 1 [SW5500] fabric-port gigabitethernet1/0/51 enable [SW5500] fabric-port gigabitethernet1/0/52 enable [SW5500] sysname hello [hello] xrn-fabric authentication-mode simple welcome Configure Switch B: [...]

  • Page 84

    84 CHAPTER 4: XRN CONFIGURATION If you configure the same entry in the same ROM group for devices of a fabric to be different values, the entry values of all the conflicting devices will adopt that of the conflicting device with the smallest Unit ID when you synchronize the devices. Such a mechanism eliminates configuration conflicts between [...]

  • Page 85

    Peer Fabric Port Detection 85 ■ If the switch can receive DISC packets sent by the peer, the FTM module determines whether peer sending ports correspond to local receiving ports according to information in the packet. That is, if a DISC packet received by the left port of the switch is sent by the right port of the peer device, the packet is re[...]

  • Page 86

    86 CHAPTER 4: XRN CONFIGURATION reached max units Analysis: The "reached max units" message indicates that the maximum number of units allowed by the current fabric is reached. You will fail to add new devices to the fabric in this case. Solution: Remove the new device or existing devices in the fabric. Up to eight devices can be in [...]

  • Page 87

    Multiple Fabric Port Candidates 87 A port cannot be a fabric port if the jumboframe function is enabled on the port. So make sure the jumboframe function is disabled on a port if you want to configure the port to be a fabric port. With a port group of a switch being the current fabric port group, you need to invalidate the current fabric port grou[...]

  • Page 88

    88 CHAPTER 4: XRN CONFIGURATION[...]

  • Page 89

    5 DLDP CONFIGURATION This chapter contains DLDP overview, fundamentals, precautions during configuration, and configuration information. DLDP Overview You may have encountered unidirectional links in networking. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the pee[...]

  • Page 90

    90 CHAPTER 5: DLDP CONFIGURATION DLDP provides the following features: ■ As a link layer protocol, it works together with the physical layer protocol to monitor the link status of a device. ■ While the auto-negotiation mechanism on the physical layer detects physical signals and faults, DLDP identifies peer devices and unidirectional links, [...]

  • Page 91

    DLDP Overview 91 DLDP operating mode DLDP can operate in two modes: normal and enhanced. DLDP implementation 1 If the link is up after DLDP is enabled on the port, DLDP sends DLDP packets to the peer device, and analyses and processes DLDP packets received from the peer device. DLDP in different status sends different packets. Entry aging [...]

  • Page 92

    92 CHAPTER 5: DLDP CONFIGURATION 2 DLDP analyzes and processes received packets as follows: ■ In authentication mode, DLDP authenticates the packets on the port, and discards those that do not pass the authentication. ■ DLDP processes the received DLDP packets as follows: 3 If no echo packet is received from the neighbor, DLDP performs the foll[...]

  • Page 93

    DLDP Configuration 93 Precautions During DLDP Configuration It is recommended that the following precautions be taken during DLDP configuration: ■ DLDP works only when the link is up. ■ To ensure unidirectional links can be detected, you should make sure: DLDP is enabled on both ends, and the time interval for sending advertisement packets, a[...]

  • Page 94

    94 CHAPTER 5: DLDP CONFIGURATION When you use the dldp enable/dldp disable command in system view to enable/disable DLDP globally on all optical ports of the switch, this command is only valid for existing optical ports on the device; it is not valid for those added subsequently. DLDP can operate normally only when the same authenticati[...]

  • Page 95

    DLDP Configuration Example 95 Network diagram Figure 21 Fiber cross-connection Figure 22 Correct connection/disconnection in one direction Configuration procedure 1 Configure Switch A a Configure the ports to work in mandatory full duplex mode <S5500A> system-view [S5500A] interface gigabitethernet 2/0/3 [S5500A-GigabitEthernet2/0/3] dup[...]

  • Page 96

    96 CHAPTER 5: DLDP CONFIGURATION e Set the DLDP handling mode for unidirectional links to auto [S5500A] dldp unidirectional-shutdown auto f Display the DLDP status on Switch A [S5500A] display dldp 2 If the fibers are correctly connected between the two switches, the system displays the connections with the neighbor as bidirectional links, or e[...]

  • Page 97

    6 VLAN OPERATION This chapter covers the following topics: ■ VLAN Configuration ■ Voice VLAN Configuration VLAN Configuration This chapter describes how to configure a VLAN. VLAN Overview A virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. IEEE issued the IEEE 802.1Q in 1[...]

  • Page 98

    98 CHAPTER 6: VLAN OPERATION Adding Ethernet Ports to a VLAN Use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN View. By default, the system adds all the ports to a default VLAN, whose ID is 1. Note that you can add/delete a trunk port or a hybrid port to/from VLAN by using the port and undo[...]

  • Page 99

    VLAN Configuration 99 Shutting Down/Enabling the VLAN Interface Use the following command to shut down/enable a VLAN interface. Perform the following configuration in VLAN Interface View. The operation of shutting down or enabling the VLAN interface has no effect on the UP/DOWN status of the Ethernet ports on the local VLAN. By default, when al[...]

  • Page 100

    100 CHAPTER 6: VLAN OPERATION Configuration Procedure 1 Create VLAN 2 and enter its view. [SW5500] vlan 2 2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN2. [SW5500-vlan2] port ethernet1/0/1 to ethernet1/0/2 3 Create VLAN 3 and enter its view. [SW5500-vlan2] vlan 3 4 Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN3. [SW5500-vlan3] port ethernet1/0[...]

  • Page 101

    Protocol-Based VLAN Configuration 101 I. Creating a VLAN protocol type Table 85 lists the operations to create a VLAN protocol type. As the mode llc dsap ff ssap ff and ipx raw keywords result in the same packet format, the ipx raw keyword takes precedence over the mode llc dsap ff ssap ff keyword, and the system stops matching the subsequ[...]

  • Page 102

    102 CHAPTER 6: VLAN OPERATION Voice VLAN Configuration Voice VLAN is specially designed for users’ voice flow, and it distributes different port precedence in different cases. The system uses the source MAC of the traffic travelling through the port to identify the IP Phone data flow. You can either preset an OUI address or ado[...]

  • Page 103

    Voice VLAN Configuration 103 Enabling/Disabling Voice VLAN Features Enable/disable the Voice VLAN in System View. The VLAN must already exist before you can enable Voice VLAN features. You cannot delete a specified VLAN that has enabled Voice VLAN features, and only one VLAN can enable Voice VLAN at one time. Enabling/Disabling Voice VLAN[...]

  • Page 104

    104 CHAPTER 6: VLAN OPERATION Enabling/Disabling Voice VLAN Security Mode In security mode, the system can filter out the traffic whose source MAC is not OUI within the Voice VLAN, while the other VLANs are not influenced. If security mode is disabled, the system cannot filter anything. Perform the following configuration in System View. By[...]

  • Page 105

    Voice VLAN Configuration 105 Configuring a voice VLAN to operate in manual mode Refer to Table 96 to configure a VLAN in manual mode. You can enable the voice VLAN feature for only one VLAN at a moment. A port operating in the automatic mode cannot be added to/removed from a voice VLAN. When a voice VLAN operates in the security mode, the devices in[...]

  • Page 106

    106 CHAPTER 6: VLAN OPERATION Displaying and Debugging of Voice VLAN After completing the above configuration, enter the display command in any view to view the configuration and running state of Voice VLAN. Voice VLAN Configuration Example Networking Requirements Create VLAN 2 as the Voice VLAN in manual mode and enable its security m[...]

  • Page 107

    Creating VLANs in Batches 107 Creating VLANs in Batches To improve efficiency, you can create VLANs in batches by performing the operations listed in Table 98. Voice VLAN Configuration Voice VLANs are VLANs configured specially for voice data streams. By adding the ports with voice devices attached to voice VLANs, you can perform QoS-rel[...]

  • Page 108

    108 CHAPTER 6: VLAN OPERATION As multiple types of IP phones exist, you need to match port mode with types of voice stream sent by IP phones, as listed in Table 99. Configuring the Voice VLAN Function Configuration Prerequisites ■ Create the corresponding VLAN before configuring a voice VLAN. ■ VLAN 1 is the default VLAN and do not need[...]

  • Page 109

    Voice VLAN Configuration 109 Configuring a voice VLAN to operate in automatic mode Voice VLAN Displaying and Debugging Refer to Table 101 to display or debug a voice VLAN. Voice VLAN Configuration Example Network requirements ■ Create VLAN 3 as a voice VLAN. ■ Add/remove Ethernet1/0/3 port to/from the voice VLAN manually. ■ Configu[...]

  • Page 110

    110 CHAPTER 6: VLAN OPERATION 3 Enable the voice VLAN function for the port and configure the port to operate in manual mode. [S5500-vlan3] quit [S5500] interface Ethernet1/0/3 [S5500-Ethernet1/0/3] voice vlan enable [S5500-Ethernet1/0/3] undo voice vlan mode auto [S5500-Ethernet1/0/3] quit 4 Specify the OUI address. [S5500] voice vlan mac-add[...]

  • Page 111

    7 GVRP CONFIGURATION This chapter contains GVRP configuration information. Introduction to GVRP GVRP (GARP VLAN Registration Protocol) is an application of GARP (Generic Attribute Registration Protocol). GVRP is based on the work scheme of GARP; it maintains dynamic VLAN registration information and propagates the information to other switche[...]

  • Page 112

    112 CHAPTER 7: GVRP CONFIGURATION ■ Leave: When a GARP entity expects to unregister a piece of attribute information, it sends out a Leave message. Any GARP entity that receives this message starts its Leave timer, and unregisters the attribute information after the timer times out if it does not receive a Join message again before the timeo[...]

  • Page 113

    Introduction to GVRP 113 GVRP Packet Format The GVRP packets are in the following format: Figure 26 Format of GVRP packets Table 102 describes the packet fields in Figure 26. Protocol Specifications GVRP is defined in the IEEE 802.1Q standard. Table 102 Description of the packet fields Field Description Value Protocol ID Protocol ID 1 Message Ea[...]

  • Page 114

    114 CHAPTER 7: GVRP CONFIGURATION GVRP Configuration The GVRP configuration tasks include configuring the timers, enabling GVRP, and configuring the GVRP port registration mode. Configuration Prerequisite The port on which GVRP will be enabled must be configured as a Trunk port. Configuration Procedure Refer to Table 103 for configur[...]

  • Page 115

    GVRP Configuration 115 Table 104 describes the relations between the timers: Configuration Example Network requirements You should enable GVRP on the switches to implement the dynamic registration and update of VLAN information between the switches. Network diagram Figure 27 Network diagram for GVRP configuration Configuration procedure 1 Con[...]

  • Page 116

    116 CHAPTER 7: GVRP CONFIGURATION b Configure the port Ethernet1/0/2 as a Trunk port, and allow all VLAN packets to pass [S5500] interface Ethernet1/0/2 [S5500-Ethernet1/0/2] port link-type trunk [S5500-Ethernet1/0/2] port trunk permit vlan all c Enable GVRP on the Trunk port. [S5500-Ethernet1/0/2] gvrp Displaying GVRP You can use the[...]

  • Page 117

    8 VLAN-VPN CONFIGURATION This chapter contains configuration information to create VLAN-VPNs. VLAN-VPN Overview The VLAN-VPN function enables packets to be transmitted across the operators' backbone networks with VLAN tags of private networks nested in those of public networks. In public networks, packets of this type are transmitted by th[...]

  • Page 118

    118 CHAPTER 8: VLAN-VPN CONFIGURATION Adjusting the TPID Values of VLAN-VPN Packets Tag protocol identifier (TPID) is a portion of the VLAN tag field. IEEE 802.1Q specifies the value of TPID to be 0x8100. Figure 30 illustrates the structure of the Tag field of an Ethernet frame defined by IEEE 802.1Q. Figure 30 The structure of the Tag fie[...]

  • Page 119

    Inner VLAN Tag Priority Replication Configuration 119 The VLAN-VPN function is unavailable if the port has any of the protocols among GVRP, GMRP, XRN, NTDP, STP and 802.1x enabled. Inner VLAN Tag Priority Replication Configuration You can configure to replicate the tag priority of the inner VLAN tag of a VLAN-VPN packet to the outer VLAN tag [...]

  • Page 120

    120 CHAPTER 8: VLAN-VPN CONFIGURATION You can execute the vlan-vpn enable or vlan-vpn uplink enable command for a port, but do not execute both of the two commands for a port. When the TPID field is set to the default value (that is, 0x8100), a port can serve as an uplink port no matter whether or not you enable the VLAN-VPN uplink function[...]

  • Page 121

    VLAN-VPN Configuration Example 121 Configuration Procedure Perform the following procedure to configure switches A and C. 1 Configure Switch A and Switch C. As the configuration performed on Switch A and Switch C is the same, configuration on Switch C is omitted. a Configure Ethernet1/0/2 port of Switch A to be a VLAN-VPN uplink port and add i[...]

  • Page 122

    122 CHAPTER 8: VLAN-VPN CONFIGURATION[...]

  • Page 123

    9 DHCP OVERVIEW Introduction to DHCP With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators. With the emerging of wireless networks and the using[...]

  • Page 124

    124 CHAPTER 9: DHCP OVERVIEW DHCP IP Address Assignment This section contains information on DHCP IP Address Assignments. IP Address Assignment Policy Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients: ■ Manual assignment. The administrator statically binds IP addres[...]

  • Page 125

    10 DHCP SERVER CONFIGURATION Introduction to DHCP Server This section contains a configuration introduction on DHCP Server. Usage of DHCP Server Generally, DHCP servers are used in the following networks to assign IP addresses: ■ Large-sized networks, where the manual configuration method bears a heavy load and it is difficult to manage the whole ne[...]

  • Page 126

    126 CHAPTER 10: DHCP SERVER CONFIGURATION IP address lease update After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address keeps valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must up[...]

  • Page 127

    Introduction to DHCP Server 127 DHCP Packet Processing Modes ■ Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients. ■ Interface address pool: In response to the DHCP packets received from DHCP clients, the DH[...]

  • Page 128

    128 CHAPTER 10: DHCP SERVER CONFIGURATION (such as domain name), you just need to configure them on the network segment or the corresponding subnets. The following are the details of configuration inheritance. ■ A newly created child address pool inherits the configurations of its parent address pool. ■ For an existing parent-child addres[...]

  • Page 129

    Global Address Pool-Based DHCP Server Configuration 129 Configuring Global Address Pool Mode on Interface(s) You can configure the global address pool mode on the specified or all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses in local globa[...]

  • Page 130

    130 CHAPTER 10: DHCP SERVER CONFIGURATION The static-bind ip-address command and the static-bind mac-address command can be executed repeatedly. In this case, the new configuration overwrites the previous one. Configuring to assign IP addresses dynamically IP addresses dynamically assigned to DHCP clients (including those that are permanent[...]

  • Page 131

    Global Address Pool-Based DHCP Server Configuration 131 You can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server provides the domain names to the DHCP clients as well while the former assigns IP addresses to the DHCP clients. Configuring NetBIOS Services for DHCP Clients For Microsoft Wind[...]

  • Page 132

    132 CHAPTER 10: DHCP SERVER CONFIGURATION Customizing DHCP Service With the evolution of DHCP, new options are constantly coming into being. You can add the new options as the properties of DHCP servers by performing the following configuration. Configuring Gateway Addresses for DHCP Clients Gateways are necessary for DHCP clients to access[...]

  • Page 133

    Interface Address Pool-based DHCP Server Configuration 133 interfaces eases configuration workload and lets you configure in a more convenient way. Enabling DHCP You need to enable DHCP before performing DHCP configurations. DHCP-related configurations are valid only when DHCP is enabled. Configuring to Assign the IP addresses of Local In[...]

  • Page 134

    134 CHAPTER 10: DHCP SERVER CONFIGURATION bound to a DHCP client to come from a special DHCP address pool that contains only the IP address. Configuring to assign IP addresses by static binding Some DHCP clients, such as WWW servers, need to be assigned fixed IP addresses. This is achieved by binding IP addresses to the MAC addresses of the[...]

  • Page 135

    Interface Address Pool-based DHCP Server Configuration 135 The dhcp server forbidden-ip command can be executed repeatedly. That is, you can repeatedly configure IP addresses that are not dynamically assigned to DHCP clients. Configuring DNS Services for DHCP Clients If a host accesses the Internet through domain names, DNS is needed to trans[...]

  • Page 136

    136 CHAPTER 10: DHCP SERVER CONFIGURATION Configuring NetBIOS Services for DHCP Clients For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, the host name-to-IP address translation is carried out by WINS servers. So you need to perform WINS-related configuration for most Windows-based hosts. Currently, you ca[...]

  • Page 137

    DHCP Security Configuration 137 Customizing DHCP Service With the evolution of DHCP, new options are constantly coming into being. You can add the new options as the properties of DHCP servers by performing the following configuration. DHCP Security Configuration DHCP security configuration is needed to ensure the security of DHCP service. Pr[...]

  • Page 138

    138 CHAPTER 10: DHCP SERVER CONFIGURATION receives a response or the number of the sent ICMP packets reaches the specified maximum number. The DHCP server assigns the IP address to the DHCP client only when no response is received during the whole course. Such a mechanism ensures an IP address is assigned to one DHCP client exclusively. A [...]

  • Page 139

    Option 184 Supporting Configuration 139 The sub-option 3 of option 184 comprises two parts, which carry the previously mentioned two items respectively. A flag value of 0 indicates that the voice VLAN identification function is not enabled, in which case the information carried by the VLAN ID part will be neglected. A flag value of 1 indica[...]

  • Page 140

    140 CHAPTER 10: DHCP SERVER CONFIGURATION Configuring the option 184 supporting function in system view Perform the operations listed in Table 129 if you specify to assign IP addresses of an interface-based address pool to DHCP clients. This method allows you to configure the option 184 supporting function for multiple interfaces. Table 129[...]

  • Page 141

    Option 184 Supporting Configuration 141 Configuring the option 184 supporting function in interface view Perform the operations listed in Table 130 if you specify to assign IP addresses of an interface-based address pool to DHCP clients. This method allows you to configure the option 184 supporting function for a specific interface. Table 13[...]

  • Page 142

    142 CHAPTER 10: DHCP SERVER CONFIGURATION Configuring the option 184 supporting function in global DHCP address pool view Perform the operations listed in Table 131 if you specify to assign IP addresses of a global DHCP address pool to DHCP clients. Configuration Example Network requirements A 3COM VCX device operating as a DHCP client req[...]

  • Page 143

    Option 184 Supporting Configuration 143 Network diagram Figure 33 Network diagram for option 184 supporting configuration Configuration procedure 1 Configure the DHCP client Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of option 184. (Omitted) 2 Configure the DHCP server. a Enter system view. [...]

  • Page 144

    144 CHAPTER 10: DHCP SERVER CONFIGURATION DHCP Server Displaying and Debugging You can verify your DHCP-related configuration by executing the display command in any view. To clear the information about DHCP servers, execute the reset command in user view. Executing the save command will not save the lease information on a DHCP server to t[...]

  • Page 145

    DHCP Server Configuration Example 145 The DHCP settings of the 10.1.1.0/25 network segment are as follows: ■ Lease time: 10 days plus 12 hours ■ Domain name: aabbcc.com ■ DNS server: 10.1.1.2 ■ NetBIOS server: none ■ Gateway: 10.1.1.126 The DHCP settings of the 10.1.1.128/25 network segment are as follows: ■ Lease time: 5 days ■ D[...]

  • Page 146

    146 CHAPTER 10: DHCP SERVER CONFIGURATION 5 Return to system view. [S5500-dhcp-pool-1] quit 6 Configure DHCP address pool 2, including address range, domain name, DNS server address, lease time, NetBIOS server address, and gateway address. [S5500] dhcp server ip-pool 2 [S5500-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128 [S5500-dhcp-po[...]

  • Page 147

    11 DHCP RELAY CONFIGURATION Introduction to DHCP Relay This section contains an introduction to DHCP Relay. Usage of DHCP Relay Early DHCP implementations assume that DHCP clients and DHCP servers are on the same network segment, that is, you need to deploy at least one DHCP server for each network segment, which is far from economical. DHCP R[...]

  • Page 148

    148 CHAPTER 11: DHCP RELAY CONFIGURATION Actually, a DHCP relay enables DHCP clients and DHCP servers on different networks to communicate with each other by forwarding the DHCP broadcast packets transparently between them. DHCP Relay Configuration If a switch belongs to a fabric, you need to enable the UDP-helper function on it befor[...]

  • Page 149

    DHCP Relay Displaying 149 The group number referenced in the dhcp-server groupNo command must have already been configured by using the dhcp-server groupNo ip ipaddress1 [ ipaddress-list ] command. DHCP Relay Displaying You can verify your DHCP relay-related configuration by executing the following display commands in any view. DHCP Relay Conf[...]

  • Page 150

    150 CHAPTER 11: DHCP RELAY CONFIGURATION 5 Configure an IP address for the VLAN 2 interface, so that this interface is on the same network segment with the DHCP clients. [S5500-Vlan-interface2] ip address 10.110.1.1 255.255.0.0 You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addre[...]

  • Page 151

    12 VRRP CONFIGURATION VRRP Overview Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. As shown in Figure 37, in general, ■ A default route (for example, the next hop address of the default route is 10.100.10.1, as shown in Figure 37) is configured for every host on a network. ■ The packets destined to the external [...]

  • Page 152

    152 CHAPTER 12: VRRP CONFIGURATION Figure 38 Virtual router The switches in the backup group have the following features: ■ This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the backup group). ■ The switches within the backup group have their own IP addresses (such as 10.100.1[...]

  • Page 153

    VRRP Overview 153 ■ The virtual router IP addresses and the real IP addresses used by the member switches in the backup group must belong to the same network segment. If they are not in the same network segment, the backup group will be in initial state. ■ A backup group is removed if its last virtual router IP address is removed from the [...]

  • Page 154

    154 CHAPTER 12: VRRP CONFIGURATION Configuring switch priority The status of each switch in a backup group is determined by its priority. The master switch in a backup group is the one currently with the highest priority. Switch priority ranges from 0 to 255 (a larger number indicates a higher switch priority) and defaults to 100. Note that o[...]

  • Page 155

    VRRP Configuration 155 Configuring VRRP timer The master switch advertises its normal operation state to the switches within the VRRP backup group by sending VRRP packets once in each specified interval (determined by the adver-interval argument). If the backup switches do not receive VRRP packets from the master after a specific period (deter[...]

  • Page 156

    156 CHAPTER 12: VRRP CONFIGURATION Configuring Backup Group-Related Parameters Table 138 lists the operations to configure a switch in a backup group. Configure a virtual router IP address vrrp vrid virtual-router-ID virtual-ip virtual-address Optional virtual-router-ID: VRRP backup group ID. virtual-address: Virtual router IP address to [...]

  • Page 157

    Displaying and Clearing VRRP Information 157 Displaying and Clearing VRRP Information You can execute the display command in any view to view VRRP configuration. VRRP Configuration Example This section contains examples of VRRP configurations. Single-VRRP Backup Group Configuration Example Network requirements Host A uses the VRRP virtual rout[...]

  • Page 158

    158 CHAPTER 12: VRRP CONFIGURATION Configuration procedure 1 Configure Switch A. a Configure VLAN 2. <LSW-A> system-view System View: return to User View with Ctrl+Z. [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet 1/0/6 [LSW-A-vlan2] quit [LSW-A] interface vlan-interface 2 [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0 [LSW-A[...]

  • Page 159

    VRRP Configuration Example 159 Network diagram Figure 40 Network diagram for interface tracking configuration Configuration procedure 1 Configure Switch A. a Configure VLAN 2. <LSW-A> system-view System View: return to User View with Ctrl+Z. [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet 1/0/6 [LSW-A-vlan2] quit [LSW-A] interface vlan-interface[...]

  • Page 160

    160 CHAPTER 12: VRRP CONFIGURATION 2 Configure Switch B. a Configure VLAN 2. <LSW-B> system-view System View: return to User View with Ctrl+Z. [LSW-B] vlan 2 [LSW-B-vlan2] port Ethernet 1/0/5 [LSW-B-vlan2] quit [LSW-B] interface vlan-interface 2 [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0 [LSW-B-Vlan-interface2] quit b [...]

  • Page 161

    VRRP Configuration Example 161 Network diagram Figure 41 Network diagram for multiple-VRRP backup group configuration Configuration procedure 1 Configure Switch A. a Configure VLAN 2. <LSW-A> system-view System View: return to User View with Ctrl+Z. [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet 1/0/6 [LSW-A-vlan2] quit [LSW-A] interface vlan-[...]

  • Page 162

    162 CHAPTER 12: VRRP CONFIGURATION b Create backup group 1. [LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 c Create backup group 2. [LSW-B-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112 d Set the priority for backup group 2. [LSW-B-Vlan-interface2] vrrp vrid 2 priority 110 Normally, multiple backup groups are used in [...]

  • Page 163

    13 MSTP C ONFIGURATION MSTP Overview Sp anning tree pr otocol (STP) cannot enable Ethern et ports to transit their states rapidly . It costs two times of the forward delay for a port to transit to the forwarding state even if the port is on a point-to-point link or is an edge port. Rapid spanning tree protocol (RSTP) supports rapid conver gence. Ho[...]

  • Page 164

    164 CHAPTER 13: MSTP CONFIGURATION Basic MSTP Terminologies Figure 42 illustrates primary MSTP terms (assuming that each switch in it has MSTP employed). Figure 42 Basic MSTP terminologies MST region A multiple spanning tree (MST) region comprises multiple switches and the connected network segments. The switches are all MSTP-enabled and phy[...]

  • Page 165

    MSTP Overview 165 IST An internal spanning tree (IST) is a spanning tree in an MST region. ISTs, along with the common spanning tree (CST), form the common and internal spanning tree (CIST) of the entire switched network. An IST is a branch of the CIST and is a special MSTI. In Figure 42, the CIST has a branch in each MST region, which is the IST in th[...]

  • Page 166

    166 CHAPTER 13: MSTP CONFIGURATION The role of a region edge port is consistent with that of the port in the CIST. For example, port 1 on switch A shown in Figure 43 is a region edge port, and it is a master port in the CIST. Therefore, it is a master port in all MSTIs in the region. Figure 43 Port roles Port state In MSTP, depending on wh[...]

  • Page 167

    MSTP Overview 167 Determining an MSTI In an MST region, MSTP generates different MSTIs for different VLANs according to VLAN-to-spanning tree mappings. MSTP calculates each spanning tree independently in the same way as STP/RSTP does. Implementation of STP algorithm In the beginning, each of the ports on each switch generates its own BPDU, t[...]

  • Page 168

    168 CHAPTER 13: MSTP CONFIGURATION MSTP Implementation on Switches MSTP is compatible with both STP and RSTP. That is, switches running MSTP can recognize STP and RSTP packets and use them to calculate spanning trees. In addition to the basic MSTP functions, an S5500 series switch also provides many special functions for ease of management t[...]

  • Page 169

    Root Bridge Configuration 169 Prerequisites Before configuration, determine what roles the switches will play in the spanning trees, that is, whether a switch will be the root, a branch, or a leaf in a spanning tree. Configuring an MST Region Configuration procedure Changes of MST region parameters, especially those of the VLAN mapping tab[...]

  • Page 170

    170 CHAPTER 13: MSTP CONFIGURATION Configuration example 1 Configure an MST region, with the name being info, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp region-config[...]

  • Page 171

    Root Bridge Configuration 171 A secondary root bridge becomes a root bridge if the original root bridge fails or is turned off. A secondary root bridge remains unchanged if a new root bridge is configured. If you configure multiple secondary root bridges for a spanning tree instance, the one with the lowest MAC address replaces the root [...]

  • Page 172

    172 CHAPTER 13: MSTP CONFIGURATION Configuration example Configure the bridge priority of the current switch to be 4,096 in spanning tree instance 1. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp instance 1 priority 4096 Configuring MSTP Operation Mode A switch running MSTP can operate in one of these three[...]

  • Page 173

    Root Bridge Configuration 173 Configuration procedure Note that only the maximum hop count setting configured on a switch acting as the region root limits the size of the MST region. Configuration example Set the maximum hop count of the MST region to 30 on the future region root. <S5500> system-view System View: return to User View wit[...]

  • Page 174

    174 CHAPTER 13: MSTP CONFIGURATION To solve this problem, MSTP adopts the state transition mechanism. With this mechanism, new root ports and designated ports must go through an intermediate state before reaching the forwarding state, so that the new BPDUs can be advertised throughout the network. The introduced delay is dictated by the Forward delay argu[...]

  • Page 175

    Root Bridge Configuration 175 It is recommended that you specify the network diameter and the Hello time by using the stp root primary or stp root secondary command. MSTP will then automatically calculate the optimal values of the three parameters. Configuration example Set the Forward delay to 1,600 centiseconds, the Hello time to 300 centisecon[...]

  • Page 176

    176 CHAPTER 13: MSTP CONFIGURATION Configuration procedure in system view Configuration procedure in Ethernet port view You can configure the maximum transmission speed of ports with either of the above two methods. Too high a maximum transmission speed can cause too many MSTP BPDUs to be transmitted in each Hello time interval, resulting in wa[...]

  • Page 177

    Root Bridge Configuration 177 Configuration procedure in system view Configuration procedure in Ethernet port view On a switch with BPDU protection not enabled, an edge port becomes a non-edge port again once it receives a BPDU from another port. It is recommended that you configure Ethernet ports with terminals directly connected to be edg[...]

  • Page 178

    178 CHAPTER 13: MSTP CONFIGURATION Configuration procedure in system view Configuration procedure in Ethernet port view Only the master ports of aggregation ports can be configured to connect to a point-to-point link. You can configure a port to connect to a point-to-point link if the port operates in auto-negotiation mode and the negotiated op[...]

  • Page 179

    Root Bridge Configuration 179 Configuration example Configure port Ethernet1/0/1 to connect to a point-to-point link. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp interface ethernet1/0/1 point-to-point force-true 2 Configure in Ethernet port view. <S5500> system-view System [...]

  • Page 180

    180 CHAPTER 13: MSTP CONFIGURATION Configuration example Enable MSTP on the switch and disable MSTP on port Ethernet1/0/1. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp enable [S5500] stp interface ethernet1/0/1 disable 2 Configure in Ethernet port view. <S5500> system-[...]

  • Page 181

    Leaf Node Configuration 181 Configuring MSTP Operation Mode Refer to “Configuring MSTP Operation Mode”. Configuring the Timeout Time Factor Refer to “Configuring the Timeout Time Factor”. Configuring the Maximum Transmission Speed of a Port Refer to “Configuring the Maximum Transmission Speed of a Port”. Setting a Port as an Edge P[...]

  • Page 182

    182 CHAPTER 13: MSTP CONFIGURATION Normally, the path cost of a port in full-duplex mode is slightly less than that of the port in half-duplex mode. When calculating the path cost of an aggregate link, the 802.1D-1998 standard does not take the number of the aggregated links into account, whereas the 802.1T standard does so by using the fol[...]

  • Page 183

    Leaf Node Configuration 183 Configuration example (A) Configure the path cost of port Ethernet1/0/1 in spanning tree instance 1 to be 2,000. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp interface ethernet1/0/1 instance 1 cost 2000 2 Configure in Ethernet port view. <S5500>[...]

  • Page 184

    184 CHAPTER 13: MSTP CONFIGURATION Configuring the priority of a port in Ethernet port view Changes of port priorities can cause MSTP to redetermine the roles of ports, resulting in state transitions of ports. A lower port priority value indicates a higher port priority. If all ports of a switch have the same port priority setting, the actual [...]

  • Page 185

    Protection Functions Configuration 185 Configuration Procedure You can perform the mCheck operation in the following two ways. Performing the mCheck operation in system view Performing the mCheck operation in Ethernet port view CAUTION: Execute the stp mcheck command on switches configured to operate in MSTP mode only. If a switch is config[...]

  • Page 186

    186 CHAPTER 13: MSTP CONFIGURATION automatically shuts it down and notifies the network administrator of the situation. Only the administrator can restore edge ports that are shut down. Root protection A root bridge and its secondary root bridges must reside in the same region. Particularly, a CIST and its secondary root bridges are usually[...]

  • Page 187

    Protection Functions Configuration 187 Configuring BPDU Protection Configuration procedure Configuration example Enable the BPDU protection function. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp bpdu-protection As 1000 Mbps ports of a Switch 5500 cannot be shut down, the BPDU protection function is not a[...]

  • Page 188

    188 CHAPTER 13: MSTP CONFIGURATION Configuring Loop Prevention Configuration procedure Configuration example Enable the loop prevention function on port Ethernet1/0/1. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] interface ethernet1/0/1 [S5500-Ethernet1/0/1] stp loop-protection Configuring TC-BPDU Attack Pr[...]

  • Page 189

    BPDU Tunnel Configuration 189 Figure 44 BPDU Tunnel network hierarchy Configuring BPDU Tunnel Notes: ■ You must enable STP on a device before enabling the BPDU tunnel function on it. ■ The BPDU tunnel function is only available to access ports. ■ To implement the BPDU tunnel function, the links between operator networks must be trunk li[...]

  • Page 190

    190 CHAPTER 13: MSTP CONFIGURATION Displaying and Debugging MSTP After completing the above configurations, you can display MSTP operation and verify your configuration by executing the display command in any view. You can also clear MSTP-related statistics by executing the reset command in user view, or debug the MSTP module by executing t[...]

  • Page 191

    MSTP Configuration Example 191 Configuration procedure 1 Configure Switch A. a Enter MST region view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp region-configuration b Configure the MST region. [S5500-mst-region] region-name example [S5500-mst-region] instance 1 vlan 10 [S5500-mst-region] instance 3 vla[...]

  • Page 192

    192 CHAPTER 13: MSTP CONFIGURATION 4 Configure Switch D. a Enter MST region view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp region-configuration b Configure the MST region. [S5500-mst-region] region-name example [S5500-mst-region] instance 1 vlan 10 [S5500-mst-region] instance 3 vlan 30 [S5500-mst-re[...]

  • Page 193

    BPDU Tunnel Configuration Example 193 2 Configure Switch B. a Enable RSTP. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp enable b Add port Ethernet0/1 to VLAN 10. [S5500] vlan 10 [S5500-Vlan10] port Ethernet 0/1 3 Configure Switch C. a Enable MSTP. <S5500> system-view System View: return to User View [...]

  • Page 194

    194 CHAPTER 13: MSTP CONFIGURATION f Add the trunk port to all VLANs. [S5500-Ethernet1/0/1] port trunk permit vlan all Notes: ■ You must enable STP on a device before enabling the BPDU tunnel function on it. ■ The BPDU tunnel function is only available to access ports. ■ To implement the BPDU tunnel function, the links between operator[...]

  • Page 195

    14 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION Introduction to Centralized MAC Address Authentication Centralized MAC address authentication controls access to a network through ports and MAC addresses. This kind of authentication requires no client software. When operating in centralized MAC address authentication mode, a switch[...]

  • Page 196

    196 CHAPTER 14: CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION Centralized MAC Address Authentication Configuration The following sections describe centralized MAC address authentication configuration tasks: ■ Enabling Global/Port-based Centralized MAC Address Authentication ■ Setting Centralized MAC Address Authentication Timers [...]

  • Page 197

    Centralized MAC Address Authentication Configuration 197 ■ Server-timeout timer. If the connection between a switch and a RADIUS server times out while the switch is authenticating a user on one of its ports, the switch turns down the user. You can use the server-timeout timer to set the timeout time. ■ Table 177 lists the operations to s[...]

  • Page 198

    198 CHAPTER 14: CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION 4 Enable global centralized MAC address authentication. [S5500] mac-authentication 5 Configure the domain name for centralized MAC address authentication users to be aabbcc163.net. [S5500] mac-authentication domain aabbcc163.net[...]

  • Page 199

    15 SSH TERMINAL SERVICES SSH Terminal Services This section contains information for SSH Terminal Services. Introduction to SSH Secure Shell (SSH) can provide information security and powerful authentication to prevent such assaults as IP address spoofing and plain-text password interception when users log on to the Switch remotely using a[...]

  • Page 200

    200 CHAPTER 15: SSH TERMINAL SERVICES Figure 48 Establish SSH channels through WAN The communication process between the server and client includes these five stages: 1 Version negotiation stage. These operations are completed at this stage: ■ The client sends a TCP connection request to the server. ■ When the TCP connection is establis[...]

  • Page 201

    SSH Terminal Services 201 ■ The client authenticates information from the user at the server until the authentication succeeds or the connection is turned off due to authentication timeout. SSH supports two authentication types: password authentication and RSA authentication. 1 Password authentication works as follows: ■ The client sends its[...]

  • Page 202

    202 CHAPTER 15: SSH TERMINAL SERVICES Configuring supported protocols When SSH protocol is specified, to ensure a successful login, you must configure AAA authentication using the authentication-mode scheme command. The protocol inbound ssh configuration fails if you configured authentication-mode password or authentication-mode none. Wh[...]

  • Page 203

    SSH Terminal Services 203 Configuring authentication type New users must specify an authentication type. Otherwise, they cannot access the switch. If the RSA authentication type is defined, then the RSA public key of the client user must be configured on the switch. By default, no authentication type is specified for a new user, so they cannot access t[...]

  • Page 204

    204 CHAPTER 15: SSH TERMINAL SERVICES The manual mode is rather complex since it requires format conversion with the specific software first and then manual configuration. 2 Automatic mode with the command Operations on the client include: ■ SSH1.5/2.0-supported client software randomly generates RSA key pairs. ■ Send the public key file [...]

  • Page 205

    SSH Terminal Services 205 SSH Client Configuration Table 186 describes SSH configuration tasks. In the initial authentication, if the SSH client does not have the public key for the server which it accesses for the first time, the client continues to access the server and saves the public key of the server locally. Then at the next access, th[...]

  • Page 206

    206 CHAPTER 15: SSH TERMINAL SERVICES SSH Server Configuration Example Network requirements As shown in Figure 49, configure a local connection from the SSH client to the switch. The PC runs the SSH 2.0-supported client software. Network diagram Figure 49 Network diagram for SSH server configuration Configuration procedure 1 Generate a local[...]

  • Page 207

    SSH Terminal Services 207 RSA public key authentication 1 Set AAA authentication on the user interfaces. [S5500] user-interface vty 0 4 [S5500-ui-vty0-4] authentication-mode scheme 2 Set the user interfaces to support SSH. [S5500-ui-vty0-4] protocol inbound ssh 3 Configure the login protocol for the client002 user as SSH and authentication type [...]

  • Page 208

    208 CHAPTER 15: SSH TERMINAL SERVICES Network diagram Figure 50 Network diagram for SSH client configuration Configuration procedure 1 Configure the client to run the initial authentication. [S5500] ssh client first-time enable 2 Configure server public keys on the client. [S5500] rsa peer-public-key public [S5500-rsa-public-key] public-key-co [...]

  • Page 209

    SSH Terminal Services 209 b Start the client and use RSA public key authentication according to the encryption algorithm defined. [S5500] ssh2 10.165.87.136 22 perfer_kex dh_group1 perfer_ctos_cipher des perfer_ctos_hmac md5 perfer_stoc_hmac md5 username: client003 Trying 10.165.87.136... Press CTRL+K to abort Connected to 10.165.87.136... Th[...]

  • Page 210

    210 CHAPTER 15: SSH TERMINAL SERVICES BOTH the private AND public key MUST be in /home/user/ for OpenSSH to work. result: [root@localhost openssh-4.2p1]# ./ssh -2 -l 1 -i /home/user/ssh_rsa_key 192.168.0.131 SFTP Service The following sections describe the SFTP service. SFTP Overview Secure FTP (SFTP) is a new feature introduced in SSH 2.0. S[...]

  • Page 211

    SFTP Service 211 SFTP Client Configuration The following sections describe SFTP client configuration tasks: ■ Configuring SFTP client ■ Enabling the SFTP client ■ Disabling the SFTP client ■ Operating with SFTP directories ■ Operating with SFTP files Configuring SFTP client Enabling the SFTP client You can enable the SFTP clie[...]

  • Page 212

    212 CHAPTER 15: SSH TERMINAL SERVICES Disabling the SFTP client Operating with SFTP directories SFTP directory-related operations include: changing or displaying the current directory, creating or deleting a directory, and displaying files or information of a specific directory. Operating with SFTP files SFTP file-related operations i[...]

  • Page 213

    SFTP Service 213 Displaying help information You can display help information about a command, such as syntax and parameters. SFTP Configuration Example Network requirements As shown in Figure 51, ■ An SSH connection is present between Switch A and Switch B. ■ Switch B serves as an SFTP server, with IP address 10.111.27.91. ■ Switch A[...]

  • Page 214

    214 CHAPTER 15: SSH TERMINAL SERVICES 2 Configure Switch A (SFTP client) a Establish a connection to the remote SFTP server and enter SFTP client view. [S5500] sftp 10.111.27.91 b Display the current directory on the SFTP server, delete file z and verify the operation. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 vrpcfg[...]

  • Page 215

    SFTP Service 215 f Upload file pu to the SFTP server and rename it to puk. Verify the operations. sftp-client> put pu puk Local file: pu ---> Remote file: flash:/puk Uploading file successfully ended sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 vrpcfg.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1[...]

  • Page 216

    216 CHAPTER 15: SSH TERMINAL SERVICES[...]

  • Page 217

    16 IP ROUTING PROTOCOL OPERATION IP Routing Protocol Overview Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path delivers the packet to the destination host. In[...]

  • Page 218

    218 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Configuring the IP Routing Protocol is described in the following sections: ■ Selecting Routes Through the Routing Table ■ Routing Management Policy Selecting Routes Through the Routing Table For a router, the routing table is the key to forwarding packets. Each router saves a routing tab[...]

  • Page 219

    IP Routing Protocol Overview 219 Figure 53 The routing table Routing Management Policy The Switch 5500 supports the configuration of a series of dynamic routing protocols such as RIP and OSPF, as well as static routes. The static routes configured by the user are managed together with the dynamic routes detected by the routing protocols.[...]

  • Page 220

    220 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Supporting Load Sharing and Route Backup I. Load sharing Supports multi-route mode, allowing the user to configure multiple routes that reach the same destination and use the same precedence. The same destination can be reached using multiple different paths whose precedences are equal. When [...]

  • Page 221

    Static Routes 221 The following routes are static routes: ■ Reachable route—The IP packet is sent to the next hop towards the destination. This is a common type of static route. ■ Unreachable route—When a static route to a destination has the reject attribute, all the IP packets to this destination are discarded, and the originating host[...]

  • Page 222

    222 CHAPTER 16: IP ROUTING PROTOCOL OPERATION The parameters are explained as follows: ■ IP address and mask The IP address and mask use a dotted decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which is the number of consecutive 1s in the mask. ■ Nex[...]

  • Page 223

    Static Routes 223 Displaying and Debugging Static Routes After you configure static and default routes, execute the display command in any view to display the static route configuration and to verify the effect of the configuration. Example: Typical Static Route Configuration Networking Requirements The masks of all the IP addresses shown in Fig[...]

  • Page 224

    224 CHAPTER 16: IP ROUTING PROTOCOL OPERATION 2 Configure the static routes for Ethernet Switch B [Switch B] ip route-static 1.1.2.0 255.255.255.0 1.1.3.1 [Switch B] ip route-static 1.1.5.0 255.255.255.0 1.1.3.1 [Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.3.1 3 Configure the static routes for Ethernet Switch C [Switch C] ip route-stat[...]

  • Page 225

    RIP 225 ■ Cost—The cost for the router to reach the destination, which should be an integer in the range of 0 to 16. ■ Timer—The length of time from the last time that the routing entry was modified until now. The timer is reset to 0 whenever a routing entry is modified. ■ Route tag—The indication of whether the route is generated by an[...]

  • Page 226

    226 CHAPTER 16: IP ROUTING PROTOCOL OPERATION ■ Enabling RIP to Import Routes of Other Protocols ■ Configuring the Default Cost for the Imported Route ■ Setting the RIP Preference ■ Setting Additional Routing Metrics ■ Configuring Route Filtering Enabling RIP and Entering the RIP View Perform the following configurations[...]

  • Page 227

    RIP 227 3Com does not recommend the use of this command, because the destination address does not need to receive two copies of the same message at the same time. Note that peer should be restricted using the following commands: rip work, rip output, rip input and network. Specifying the RIP Version RIP has two versions, RIP-1 and RIP-2. You [...]

  • Page 228

    228 CHAPTER 16: IP ROUTING PROTOCOL OPERATION By default, the values of the period update and timeout timers are 30 seconds and 180 seconds respectively. The value of the garbage-collection timer is four times that of the period update timer: 120 seconds. In fact, you may find that the timeout time of the garbage-collection timer is not fix[...]

  • Page 229

    RIP 229 In addition, the rip work command is functionally equivalent to both the rip input and rip output commands. By default, all interfaces except loopback interfaces both receive and transmit RIP update packets. Disabling Host Route In some cases, the router can receive many host routes from the same segment, and these routes are of little[...]

  • Page 230

    230 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Perform the following configuration in Interface View: The usual packet format follows RFC1723 and the nonstandard format follows RFC2082. Configuring Split Horizon Split horizon means that a route received through an interface will not be sent out through this interface again. The split horizon algorithm c[...]

  • Page 231

    RIP 231 Perform the following configurations in RIP View. By default, the cost value for the RIP imported route is 1. Setting the RIP Preference Each routing protocol has its own preference, by which the routing policy selects the optimal route from the routes of different protocols. The greater the preference value, the lower the preference. Th[...]

  • Page 232

    232 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Perform the following configurations in RIP View. Configuring RIP to Filter the Received Routes Configuring RIP to Filter the Distributed Routes By default, RIP will not filter the received and distributed routing information. ■ The filter-policy import command filters the RIP routes receive[...]

  • Page 233

    RIP 233 Traffic Sharing Across RIP Interfaces Equal-cost routes are routes with the same destination but different next hop addresses in a routing table. After traffic sharing across RIP interfaces is enabled, the system evenly distributes the traffic to its RIP interfaces through equal-cost routes. Configuration Procedure You can perfor[...]

  • Page 234

    234 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Networking Diagram Figure 55 RIP configuration networking Configuration Procedure The following configuration only shows the operations related to RIP. Before performing the following configuration, make sure the Ethernet link layer can work normally. 1 Configure RIP on Switch A [Switch [...]

  • Page 235

    OSPF Configuration 235 OSPF Configuration Open Shortest Path First (OSPF) is a link-state Interior Gateway Protocol developed by the IETF. Only the Switch 5500-EI supports the OSPF protocol. The Switch 5500 uses OSPF version 2 (RFC 2328), which has the following features: ■ Scope—Supports networks of various sizes and can support[...]

  • Page 236

    236 CHAPTER 16: IP ROUTING PROTOCOL OPERATION OSPF Packets OSPF uses five types of packets: ■ Hello Packet. The Hello Packet is the most common packet sent by the OSPF protocol. A router periodically sends it to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors. ■ Database Description (DD) Packet. Whe[...]

  • Page 237

    OSPF Configuration 237 ■ Backup Designated Router (BDR) If the DR fails, a new DR must be elected and synchronized with the other routers on the segment. This process will take a relatively long time, during which the route calculation is incorrect. To shorten the process, OSPF creates a BDR as backup for the DR. A new DR and BDR are electe[...]

  • Page 238

    238 CHAPTER 16: IP ROUTING PROTOCOL OPERATION ■ Setting the Interface Priority for DR Election ■ Configuring the Peer ■ Setting the Interval of Hello Packet Transmission ■ Setting a Dead Timer for the Neighboring Routers ■ Configuring an Interval Required for Sending LSU Packets ■ Setting an Interval for LSA Retransmission betw[...]

  • Page 239

    OSPF Configuration 239 Entering OSPF Area View Perform the following configurations in OSPF View. area_id is the ID of the OSPF area, which can be a decimal integer or in IP address format. Specifying the Interface OSPF divides the AS into different areas. You must configure each OSPF interface to belong to a particular area, identified by an[...]

  • Page 240

    240 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Configuring the Network Type on the OSPF Interface The route calculation of OSPF is based upon the topology of the network adjacent to the local router. Each router describes the topology of its adjacent network and transmits it to all the other routers. OSPF divides networks into four types by li[...]

  • Page 241

    OSPF Configuration 241 Configuring the Cost for Sending Packets on an Interface You can control network traffic by configuring different message sending costs for different interfaces. Otherwise, OSPF automatically calculates the cost according to the baud rate of the current interface. Perform the following configuration in Interface View: [...]

  • Page 242

    242 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Perform the following configuration in Interface View: By default, the priority of the interface is 1 in the DR election. The value can be taken from 0 to 255. Configuring the Peer In an NBMA network, some special configurations are required. Since an NBMA interface on the network cannot disco[...]

  • Page 243

    OSPF Configuration 243 Setting a Dead Timer for the Neighboring Routers If hello packets are not received from a neighboring router, that router is considered dead. The dead timer of neighboring routers refers to the interval after which a router considers a neighboring router dead. You can set a dead timer for the neighboring routers. Perfo[...]

  • Page 244

    244 CHAPTER 16: IP ROUTING PROTOCOL OPERATION The value of interval should be bigger than the time in which a packet can be transmitted and returned between two routers. An LSA retransmission interval that is too small will cause unnecessary retransmissions. Setting a Shortest Path First (SPF) Calculation Interval for OSPF Whenever the OS[...]

  • Page 245

    OSPF Configuration 245 By default, the STUB area is not configured, and the cost of the default route to the STUB area is 1. Configuring the NSSA of OSPF To keep the advantages of stub areas and simultaneously improve networking flexibility, RFC1587 (OSPF NSSA Option) defines a new type of area, namely NSSA, which has the capability of [...]

  • Page 246

    246 CHAPTER 16: IP ROUTING PROTOCOL OPERATION generated on the ABR, even though the default route 0.0.0.0 is not in the routing table. On an ASBR, however, the default type-7 LSA route can be generated only if the default route 0.0.0.0 is in the routing table. Executing the no-import-route command on the ASBR prevents the external routes[...]

  • Page 247

    OSPF Configuration 247 After the summarization of imported routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the imported Type-5 LSAs in the summary address range. When NSSA is configured, this command will also summarize the imported Type-7 LSAs in the summary address range. If the l[...]

  • Page 248

    248 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Configuring the OSPF Area to Support Packet Authentication All the routers in an area must use the same authentication mode. In addition, all routers on the same segment must use the same authentication key password. Use the authentication-mode simple command to configure a simple authentication[...]

  • Page 249

    OSPF Configuration 249 Intra-area and inter-area routes describe the internal AS topology, whereas the external routes describe how to select the route to destinations beyond the AS. The external type-1 routes refer to imported IGP routes (such as static routes and RIP). Since these routes are more reliable, the calculated cost of the [...]

  • Page 250

    250 CHAPTER 16: IP ROUTING PROTOCOL OPERATION By default, when importing external routes, the type of imported route is type-2, the cost is 1 and the tag is 1. The interval of importing the external route is 1 second. The upper limit to the external routes imported is 1000 per second. Configuring OSPF to Import the Default Route The import-ro[...]

  • Página 251

    OSPF Configuration 251 Configuring OSPF Route Filtering Perform the following configu ration in OSPF View . Configuring OSPF to Filter the Received Routes Configuring OSPF to filter the distributed routes By default, OSPF will not filter the im ported and distributed r outing information. ■ The filter-policy imp ort command only filters the OSPF [...]

  • Página 252

    252 C HAPTER 16: IP R OUTING P ROTOCOL O PERATION Disabling the Interface to Send OSPF Packets Use the silent-interface command to prevent the interface from transmitting OSPF packets. Perform the following configu ration in OSPF View . By default, all the interfaces are allowed to transmit and receive OSPF packets. After an OSPF interface is set t[...]

  • Página 253

    OSPF Configuration 253 Perform the following co nfiguration in System Vi ew . By default, OSPF TRAP function is disabled, so the switch does not send TRAP packets when any OSPF process is abnormal. The conf i guration is valid to all OSPF proce sses if you do not specify a process ID. For detailed co nfiguratio n of SNMP TRAP , refer to “S ystem [...]

  • Página 254

    254 C HAPTER 16: IP R OUTING P ROTOCOL O PERATION Display Command for OSPF Neighb or Information Use the command display ospf peer statistics , which has the same display output as that of display ospf peer brief command. The display ospf peer brief command has the following fields in its display output : ■ Router ID ■ Address (IP address of th[...]

  • Página 255

    OSPF Configuration 255 The commands listed in the follow ing examples enable Switch A and Switch C to be DR and BDR, respectively . Th e priority of Switch A is 100, which is the highest on the network, so it is elected as the DR. S witch C has the second highest prior ity , so it is elected as the BDR. The priority of Switch B is 0, which means th[...]

  • Page 256

    256 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Only when the current DR is offline does the DR change. Shut down Switch A, and run the display ospf peer command on Switch D to display its neighbors. Note that the original BDR (Switch C) becomes the DR, and Switch B is the new BDR. If all Ethernet Switches on the network are removed and added ag[...]

  • Page 257

    OSPF Configuration 257 [Switch B-ospf-1] area 1 [Switch B-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255 [Switch B-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3 3 Configure Switch C: [Switch C] interface Vlan-interface 1 [Switch C-Vlan-interface1] ip address 152.1.1.1 255.255.255.0 [Switch C] interface Vlan-interface 2 [Switch C-Vlan-interface2] ip a[...]

  • Page 258

    258 CHAPTER 16: IP ROUTING PROTOCOL OPERATION ■ Ensure the backbone area connects with all other areas. ■ The virtual links cannot pass through the STUB area. Troubleshooting globally: If OSPF cannot discover the remote routes and you have checked all troubleshooting items listed above, check the following configurations: ■ If more than[...]

  • Page 259

    IP Routing Policy 259 and the matching objects are attributes of routing information. The relationship of if-match clauses for a node uses a series of Boolean “AND” statements. As a result, a match is found unless all the matching conditions specified by the if-match clauses are satisfied. The apply clause specifies the actions that are per[...]

  • Page 260

    260 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Defining a Route Policy A route policy can include multiple nodes. Each node is a unit for the matching operation. The nodes are tested against the node_number. Perform the following configurations in System View. The permit parameter specifies that if a route satisfies all the if-match clauses [...]

  • Page 261

    IP Routing Policy 261 By default, no matching is performed. The if-match clauses for a node in the route policy require that the route satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are specified, all the routes will pass the filtering on the node. Defining Apply[...]

  • Page 262

    262 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Perform the following configuration in Routing Protocol View. By default, the routes discovered by other protocols will not be distributed. In different routing protocol views, the parameter options are different. For details, refer to the description of the import-route command for each prot[...]

  • Page 263

    IP Routing Policy 263 By default, the filtering of received routes is not performed. Configuring the Filtering of Distributed Routes Define a policy concerning route distribution that filters the routing information that does not satisfy the conditions, and distributes routes with the help of an ACL or address ip-prefix. Perform the following co[...]

  • Page 264

    264 CHAPTER 16: IP ROUTING PROTOCOL OPERATION stop forwarding the packet to the network. Using the following configuration tasks, you can choose to forward the broadcast packet to the network for broadcast. Perform the following configuration in system view. Displaying and Debugging the Routing Policy Enter the display command in any view t[...]

  • Page 265

    Route Capacity Configuration 265 c Enable the OSPF protocol and specify the number of the area to which the interface belongs. [Switch A] router id 1.1.1.1 [Switch A] ospf [Switch A-ospf-1] area 0 [Switch A-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255 d Import the static routes [Switch A-ospf-1] import-route static 2 Configure Switch B: a C[...]

  • Page 266

    266 CHAPTER 16: IP ROUTING PROTOCOL OPERATION to add new routes to the routing table and whether or not to keep connection with a routing protocol. The default value normally meets the network requirements. You must be careful when modifying the configuration to avoid reducing the stability of the network. Limiting Route Capacity The[...]

  • Page 267

    Route Capacity Configuration 267 Displaying and Debugging Route Capacity Enter the display command in any view to display the operation of the Route Capacity configuration. Table 264 Displaying and debugging route capacity Operation Command Display the route capacity memory information display memory [ unit unit_id ] Display the route capacity [...]

  • Page 268

    268 CHAPTER 16: IP ROUTING PROTOCOL OPERATION[...]

  • Page 269

    17 NETWORK PROTOCOL OPERATION This chapter covers the following topics: ■ IP Address Configuration ■ ARP Configuration ■ Resilient ARP Configuration ■ BOOTP Client Configuration ■ DHCP Configuration ■ Access Management Configuration ■ UDP Helper Configuration ■ IP Performance Configuration IP Address Configuration This section [...]

  • Page 270

    270 CHAPTER 17: NETWORK PROTOCOL OPERATION When using IP addresses, note that some of them are reserved for special uses, and are seldom used. The IP addresses you can use are listed in Table 265. Subnet and Mask With the rapid development of the Internet, available IP addresses are depleting very fast. The traditional IP address allocati[...]

  • Page 271

    IP Address Configuration 271 address. If there is no subnet division, then its subnet mask is the default value and the length of "1" indicates the net-id length. Therefore, for IP addresses of classes A, B and C, the default values of the corresponding subnet mask are 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively. The mask can b[...]

  • Page 272

    272 CHAPTER 17: NETWORK PROTOCOL OPERATION Perform the following configuration in System View. By default, there is no host name associated with any host IP address. For further information on IP Address configuration, please refer to the Getting Started Guide that accompanies your Switch. Configuring the IP Address of the VLAN Interface Y[...]

  • Page 273

    ARP Configuration 273 IP Address Configuration Example Networking Requirements Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the Switch. Networking Diagram Figure 63 IP Address Configuration Networking Configuration Procedure 1 Enter VLAN interface 1. [SW5500] interface vlan-interface 1 2 Config[...]

  • Page 274

    274 CHAPTER 17: NETWORK PROTOCOL OPERATION Suppose there are two hosts on the same network segment: Host A and Host B. The IP address of Host A is IP_A and the IP address of Host B is IP_B. Host A will transmit messages to Host B. Host A checks its own ARP mapping table first to make sure whether there are corresponding ARP entries of IP_B [...]

  • Page 275

    Introduction to Gratuitous ARP 275 Note that: ■ A static ARP map entry will always be valid as long as the Switch works normally. But if the VLAN corresponding to the ARP mapping entry is deleted, the ARP mapping entry will also be deleted. The valid period of dynamic ARP map entries will last only 20 minutes by default. ■ The parameter vlan-[...]

  • Page 276

    276 CHAPTER 17: NETWORK PROTOCOL OPERATION By sending gratuitous ARP packets, a network device can: ■ Determine whether or not IP address conflicts exist between it and other network devices. ■ Trigger other network devices to update its hardware address stored in their caches. When the gratuitous ARP packet learning function is enab[...]

  • Page 277

    Introduction to Gratuitous ARP 277 Resilient ARP Configuration This section contains configuration information for Resilient ARP. Overview of Resilient ARP To support resilient networking in XRN applications, redundant links are required between the XRN fabric and other devices. But if intra-fabric connections are broken and the original fabric[...]

  • Page 278

    278 CHAPTER 17: NETWORK PROTOCOL OPERATION You can use the following command to configure through which VLAN interface the resilient ARP packet is sent. The system provides a default VLAN interface to send resilient ARP packets. Perform the following configuration in System View. By default, the system sends resilient ARP packets through[...]

  • Page 279

    BOOTP Client Configuration 279 Networking Diagram Figure 64 Networking for Resilient ARP Configuration Configuration Procedure 1 Enable the resilient ARP function. [SW5500] resilient-arp enable 2 Set VLAN interface 2 to send resilient ARP packets. [SW5500] resilient-arp interface vlan-interface 2 BOOTP Client Configuration This section contains conf[...]

  • Page 280

    280 CHAPTER 17: NETWORK PROTOCOL OPERATION BOOTP Client Configuration BOOTP client is described in the following section. Configuring a VLAN Interface to Obtain the IP Address Using BOOTP Perform the following configuration in VLAN Interface View. By default, the VLAN interface cannot use BOOTP to get an IP address. For further informatio[...]

  • Page 281

    DHCP Configuration 281 Figure 65 Typical DHCP Application. To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages. One of the following three situations may occur: ■ A DHCP client logs into the network for the first time When a DHCP client logs into the network for t[...]

  • Page 282

    282 CHAPTER 17: NETWORK PROTOCOL OPERATION ■ A DHCP client extends its IP lease period There is a time limit for the IP addresses leased to DHCP clients. The DHCP server shall withdraw the IP addresses when their lease period expires. If the DHCP client wants to continue using the old IP address, it has to extend the IP lease. In prac[...]

  • Page 283

    DHCP Configuration 283 Option 82 supporting Introduction to option 82 supporting Option 82 is a relay agent information option in DHCP packets. When a request packet from a DHCP client travels through a DHCP relay on its way to the DHCP server, the DHCP relay adds option 82 into the request packet. Option 82 includes many sub-options, but t[...]

  • Page 284

    284 CHAPTER 17: NETWORK PROTOCOL OPERATION ■ Len: Specifies the length of the agent information field. ■ Agent information field: Specifies the sub-options used. 2 Sub-option format Figure 68 illustrates the sub-option format. Figure 68 Sub-option format ■ SubOpt: Sub-option number. Currently, the value of this sub-field can be 1, 2, [...]

  • Page 285

    DHCP Configuration 285 Mechanism of option 82 supporting on DHCP relay The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay is exactly the same as that for the client to obtain an IP address from a DHCP server directly. The following describes the mechanism of option 82 supporting on DHCP relay. 1 A DHCP[...]

  • Page 286

    286 CHAPTER 17: NETWORK PROTOCOL OPERATION DHCP Relay Configuration DHCP relay configuration is described in the following sections: ■ Enabling DHCP ■ Enabling DHCP ■ Configuring the DHCP Server Group for the VLAN Interfaces ■ Configuring the User Address Entry for the DHCP Server Group ■ Enabling/Disabling the DHCP Security Featur[...]

  • Page 287

    DHCP Configuration 287 Configuring the User Address Entry for the DHCP Server Group To ensure that a valid user with a fixed IP address in a VLAN configured with DHCP Relay passes the address validity check of the DHCP security feature, you must add a static address entry which indicates the correspondence between an IP address and a MAC ad[...]

  • Page 288

    288 CHAPTER 17: NETWORK PROTOCOL OPERATION to DHCP servers by DHCP clients through unicast when the DHCP clients release IP addresses, the user address entries maintained by the DHCP cannot be updated in time. The dynamic user address entry updating function is developed to resolve this problem. The dynamic user address entry updating func[...]

  • Page 289

    DHCP Configuration 289 Option 82 Supporting Configuration Example Network requirements Two DHCP clients are on the network segment 10.110.0.0 (255.255.0.0). They obtain IP addresses from a DHCP server through a switch acting as DHCP relay. Option 82 supporting is enabled on the DHCP relay. Network diagram Figure 69 Network diagram for opt[...]

  • Page 290

    290 CHAPTER 17: NETWORK PROTOCOL OPERATION 6 Return to system view. [S5500-vlan-interface 100] quit 7 Enable option 82 supporting on the DHCP relay, with the keep keyword specified. [S5500] dhcp relay information enable [S5500] dhcp relay information strategy keep Introduction to DHCP Snooping For the sake of security, the IP addresse[...]

  • Page 291

    DHCP Configuration 291 Figure 71 Interaction between a DHCP client and a DHCP server. ■ DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: ■ DHCP-ACK packet ■ DHCP-REQUEST packet DHCP Snooping Configuration Table 288 sho[...]

  • Page 292

    292 CHAPTER 17: NETWORK PROTOCOL OPERATION Configuration Example I. Network requirements As shown in Figure 71, the Ethernet1/0/1 port of Switch A (an S5500 series switch) is connected to Switch B (acting as a DHCP relay). A network segment containing some DHCP clients is connected to the Ethernet1/0/2 port of Switch A. ■ The DHCP snooping f[...]

  • Page 293

    Introduction to DHCP Accounting 293 ■ Length: Two bytes, identifying the total length of the accounting packet. ■ Authenticator: 16 bytes, identifying the information between the RADIUS server and client. The Attributes field contains multiple sub-fields. The content of the Attributes field is slightly different between an Accounting ST[...]

  • Page 294

    294 CHAPTER 17: NETWORK PROTOCOL OPERATION DHCP Accounting Fundamentals After you complete AAA and RADIUS configuration on a switch with the DHCP server function enabled, the DHCP server acts as a RADIUS client. For the authentication process of the DHCP server acting as a RADIUS client. The following describes only the accounting interactio[...]

  • Page 295

    Introduction to DHCP Accounting 295 ■ DHCP accounting is enabled on the DHCP server. ■ The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0/24. The DHCP server operates as a RADIUS client and adopts AAA for authentication. Network diagram Figure 73 Network diagram for DHCP accounting configuration Config[...]

  • Page 296

    296 CHAPTER 17: NETWORK PROTOCOL OPERATION 11 Enter VLAN 3 interface view and assign the IP address 10.1.2.1/24 to the VLAN interface. [S5500] interface vlan-interface 3 [S5500-Vlan-interface3] ip address 10.1.2.1 24 12 Return to system view. [S5500-Vlan-interface3] quit 13 Create a domain and a RADIUS scheme. Associate the domain with the [...]

  • Page 297

    Introduction to DHCP Accounting 297 DHCP Relay Displaying You can verify your DHCP relay-related configuration by executing the following display commands in any view. DHCP Snooping Displaying After the above configuration, you can display IP addresses and the corresponding MAC addresses tracked by the DHCP snooping function by executing the [...]

  • Page 298

    298 CHAPTER 17: NETWORK PROTOCOL OPERATION Configuration Procedure 1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master). [SW5500] dhcp-server 0 ip 192.168.1.1 192.168.2.1 2 Configure the Switch so all clie[...]

  • Page 299

    Access Management Configuration 299 Troubleshooting DHCP Relay Configuration Perform the following procedure if a user cannot apply for an IP address dynamically: 1 Use the display dhcp-server groupNo command to check if the IP address of the corresponding DHCP Server has been configured. 2 Use the display vlan and display ip interface vlan-i[...]

  • Page 300

    300 CHAPTER 17: NETWORK PROTOCOL OPERATION By default, the system disables the access management function. Configuring the Access Management IP Address Pool Based on the Port You can use the following command to set the IP address pool for access management on a port. The packet whose source IP address is in the specified pool is allowed to [...]

  • Page 301

    Access Management Configuration 301 ■ In the same aggregation group, the port isolation feature on one unit is consistent. ■ If a port is removed from an aggregation group, its port isolation configuration will not change. ■ If a port of an aggregation group is isolated on unit 1, then you can achieve port-to-port isolation between this[...]

  • Page 302

    302 CHAPTER 17: NETWORK PROTOCOL OPERATION Access Management Configuration Example Networking Requirements Organization 1 is connected to port 1 of the Switch, and organization 2 to port 2. Ports 1 and 2 belong to the same VLAN. The IP address range 202.10.20.1 to 202.10.20.20 can be accessed from port 1 and the range 202.10.20.21 to 202.10.[...]

  • Page 303

    UDP Helper Configuration 303 To delete this feature, enter: <SW5500> system-view [SW5500] acl number 2500 [SW5500-acl-basic-2500] undo rule 0 UDP Helper Configuration This section contains UDP Helper configuration information. Overview of UDP Helper The major function of the UDP Helper is to relay-forward UDP broadcast packets, that is, i[...]

  • Page 304

    304 CHAPTER 17: NETWORK PROTOCOL OPERATION Perform the following configuration in System View. Note that: ■ You must first enable the UDP Helper function and then configure the UDP port with the relay function. Otherwise, error information will appear. ■ The parameters dns, netbios-ds, netbios-ns, tacacs, tftp and time respec[...]

  • Page 305

    IP Performance Configuration 305 Displaying and Debugging UDP Helper Configuration After the above configuration, enter the display command in any view to display the running of the UDP Helper destination server, and to verify the effect of the configuration. Enter the debugging command in User View to debug the UDP Helper configuration. UDP Helper[...]

  • Page 306

    306 CHAPTER 17: NETWORK PROTOCOL OPERATION be terminated. The timeout of the synwait timer ranges from 2 to 600 seconds and it is 75 seconds by default. ■ finwait timer: When the TCP connection state turns from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer will be started. If FIN packets are not received before the finwait timer times out, the TCP connect[...]

  • Page 307

    IP Performance Configuration 307 Troubleshooting IP Performance Fault: IP layer protocol works normally but TCP and UDP cannot work normally. In the event of such a fault, you can enable the corresponding debugging information output to view the debugging information. ■ Use the terminal debugging command to output the debugging informatio[...]

  • Page 308

    308 CHAPTER 17: NETWORK PROTOCOL OPERATION[...]

  • Page 309

    18 MULTICAST PROTOCOL This chapter includes information on the following: ■ IP Multicast Overview ■ IGMP Snooping ■ Common Multicast Configuration ■ Internet Group Management Protocol (IGMP) ■ PIM-DM Overview ■ PIM-SM Overview IP Multicast Overview The Switch 5500-EI supports all of the multicast protocols listed in this manua[...]

  • Page 310

    310 CHAPTER 18: MULTICAST PROTOCOL Figure 78 Comparison between the unicast and multicast transmission A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and it is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously. A router that does [...]

  • Page 311

    IP Multicast Overview 311 Ranges and meanings of Class D addresses are shown in Table 306. Reserved multicast addresses that are commonly used are shown in Table 307. Ethernet Multicast MAC Addresses When unicast IP packets are transmitted in Ethernet, the destination MAC address is the MAC address of the receiver. However, when multicast pa[...]

  • Page 312

    312 CHAPTER 18: MULTICAST PROTOCOL Figure 79 Mapping between the multicast IP address and the Ethernet MAC address Only 23 bits of the last 28 bits in the IP multicast address are mapped to the MAC address. Therefore, 32 IP multicast addresses are mapped to the same MAC address. IP Multicast Protocols Multicast uses the multicast grou[...]

  • Page 313

    IP Multicast Overview 313 PIM-DM (Protocol-Independent Multicast Dense Mode, PIM-DM) PIM dense mode is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source. As a result, multicast packets are flooded to all points of the network, consuming network bandwidth and[...]

  • Page 314

    314 CHAPTER 18: MULTICAST PROTOCOL Applying Multicast IP multicast technology effectively solves the problem of packet forwarding from single-point to multi-point. It implements highly-efficient data transmission from single-point to multi-point in IP networks and can save a large amount of network bandwidth and reduce network loads. New value[...]

  • Page 315

    IGMP Snooping 315 Figure 81 Multicast packet transmission when IGMP Snooping runs IGMP Snooping Terminology Table 308 explains switching terminology relevant to IGMP Snooping. The Switch 5500 runs IGMP Snooping to listen to the IGMP messages and map the host and its ports to the corresponding multicast group address. To implement IGMP Snooping,[...]

  • Page 316

    316 CHAPTER 18: MULTICAST PROTOCOL Figure 82 Implementing IGMP Snooping Table 309 explains IGMP Snooping terminology. Table 309 IGMP Snooping Terminology Term Meaning IGMP general query message Transmitted by the multicast router to query which multicast group contains members. When a router port receives an IGMP general query message, the [...]

  • Page 317

    IGMP Snooping 317 Configuring IGMP Snooping IGMP Snooping configuration includes: ■ Enabling/Disabling IGMP Snooping ■ Configuring Router Port Aging Time ■ Configuring Maximum Response Time ■ Configuring Aging Time of Multicast Group Member Of the above configuration tasks, enabling IGMP Snooping is required, while the others are optional.[...]

  • Page 318

    318 CHAPTER 18: MULTICAST PROTOCOL Perform the following configuration in system view. By default, the port aging time is 105 seconds. Configuring Maximum Response Time Use the commands in Table 312 to manually configure the maximum response time. If the Switch 5500 receives no report message from a port within the maximum response time, th[...]

  • Page 319

    IGMP Snooping 319 If IGMP fast leave processing is enabled, when receiving an IGMP Leave message, IGMP Snooping immediately removes the port from the multicast group. When a port has only one user, enabling IGMP fast leave processing on the port can save bandwidth. Configuring IGMP Snooping Filter ACL You can configure multicast filter ACLs gl[...]

  • Page 320

    320 CHAPTER 18: MULTICAST PROTOCOL Configuring Multicast VLAN In old multicast mode, when users in different VLANs order the same multicast group, the multicast stream is copied to each of the VLANs. This mode wastes a lot of bandwidth. By configuring a multicast VLAN, adding switch ports to the multicast VLAN and enabling IGMP Snooping, you [...]

  • Page 321

    IGMP Snooping 321 Note that: ■ You cannot set the isolate VLAN as a multicast VLAN. ■ One user port can belong to only one multicast VLAN. ■ The port connected to a user end can only be set as a hybrid port. ■ A multicast member port must belong to the same multicast VLAN as the router port. Otherwise, it cannot receive multicast packets.[...]

  • Page 322

    322 CHAPTER 18: MULTICAST PROTOCOL Configuration Example: Enable IGMP Snooping Networking Requirements To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router via the router port, and with user PCs through the non-router ports on vlan 10. Networking Diagram Figure 83 IGMP Snooping configuration netwo[...]

  • Page 323

    Common Multicast Configuration 323 Diagnosis 3: The multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP Snooping group in user view and then input the command display igmp-snooping group to check if the MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping are consistent. You may also input the disp[...]

  • Page 324

    324 CHAPTER 18: MULTICAST PROTOCOL Multicast MAC Address Entry Configuration In Layer 2 multicast, the system can add multicast forwarding entries dynamically through the Layer 2 multicast protocol. However, you can also manually create a static multicast address entry to bind a port to a multicast address. Generally, when receiving a multicas[...]

  • Page 325

    Common Multicast Configuration 325 Multicast Source Deny Configuration The purpose of the multicast source deny feature is to filter out multicast packets on an unauthorized multicast source port to prevent the user connected to the port from setting up a multicast server without permission. Enabling Multicast Source Deny Clearing MFC Forwarding E[...]

  • Page 326

    326 CHAPTER 18: MULTICAST PROTOCOL The forwarding entries in MFC are deleted along with the routing entries in the multicast kernel routing table. Displaying and Debugging Common Multicast Configuration Execute the display command in any view to display the running of the multicast configuration, and to verify the effect of the configuration. Exe[...]

  • Page 327

    Internet Group Management Protocol (IGMP) 327 IGMP is not symmetric on hosts and routers. Hosts need to respond to IGMP query messages from the multicast router, that is, report the group membership to the router. The router needs to send membership query messages periodically to discover whether hosts join the specified group on its subnets ac[...]

  • Page 328

    328 CHAPTER 18: MULTICAST PROTOCOL Configuring IGMP Basic IGMP configuration includes: ■ Enabling Multicast ■ Enabling IGMP on an Interface Advanced IGMP configuration includes: ■ Configuring the IGMP Version ■ Configuring the Interval and the Number of IGMP Query Packets ■ Configuring the Limit of IGMP Groups on an Interface ■ Conf[...]

  • Page 329

    Internet Group Management Protocol (IGMP) 329 Configuring the Interval for Querying IGMP Packets The router finds out which multicast groups on its connected network segment have members by sending IGMP query messages periodically. Upon the reception of a response message, the router refreshes the membership information of the corresponding mu[...]

  • Page 330

    330 CHAPTER 18: MULTICAST PROTOCOL Configuring the Limit of IGMP Groups on an Interface If there is no limit to the number of IGMP groups added on a router interface or a router, the router memory may be exhausted, which may cause router failure. You can set a number limit for the IGMP groups added on the interface, but not the number limit f[...]

  • Page 331

    Internet Group Management Protocol (IGMP) 331 By default, a router joins no multicast group. Limiting Multicast Groups An Interface Can Access A multicast router learns whether there are members of a multicast group on the network via the received IGMP membership message. A filter can be set on an interface so as to limit the range of allow[...]

  • Page 332

    332 CHAPTER 18: MULTICAST PROTOCOL Configuring the Present Time of IGMP Querier The IGMP querier present timer defines the period of time before the router takes over as the querier sending query messages, after the previous querier has stopped doing so. Perform the following configuration in Interface view. By default, the value is 120 sec[...]

  • Page 333

    PIM-DM Overview 333 Displaying and debugging IGMP After the above configuration, execute the display command in any view to display the running of the IGMP configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of IGMP. PIM-DM Overview PIM-DM (Protocol Independent Multicast, Dense Mode) [...]

  • Page 334

    334 CHAPTER 18: MULTICAST PROTOCOL This process is called the “flood & prune” process. In addition, nodes that are pruned provide a timeout mechanism. Each router re-starts the “flood & prune” process upon pruning timeout. The consistent “flood & prune” process of PIM-DM is performed periodically. During this process, PIM-DM [...]

  • Page 335

    PIM-DM Overview 335 Configuring PIM-DM PIM-DM basic configuration includes: ■ Enabling Multicast ■ Enabling PIM-DM PIM-DM advanced configuration includes: ■ Entering the PIM View ■ Configuring Sending Interval for the Hello Packets ■ Configuring the Filtering of Multicast Source/Group ■ Configuring the Filtering of PIM Neighbor ■ [...]

  • Página 336

    336 C HAPTER 18: M ULTICAST P ROTOCOL Using undo pim command, you can clear the configur ation in PIM view , and back to system view . Configuring Sending Interval for the Hello Packets After PIM is enabled on an interface, it will send Hello message s periodically on the interface. The interval at wh ich Hello messages are sent can be modified acc[...]

  • Página 337

    PIM-DM Overview 337 Only the routers that match the filtering ru le in the ACL can serve as a PIM neighbor of the current interface. Configuring the Maximum Number of PIM Neighbor on an Interface The maximum number of PIM neighbors of a router interface can be configured to avoid exhausting the memory of the router or router faults. The maximum num[...]

  • Page 338

    338 CHAPTER 18: MULTICAST PROTOCOL Displaying and Debugging PIM-DM After the above configuration, execute the display command in any view to display the running of the PIM-DM configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of PIM-DM. PIM-DM Configuration Example Networking R[...]

  • Page 339

    PIM-SM Overview 339 Configuration Procedure This section only describes the configuration procedure for Switch_A. Follow a similar configuration procedure for Switch_B and Switch_C. 1 Enable the multicast routing protocol. [SW5500] multicast routing-enable 2 Enable IGMP and PIM-DM. [SW5500] vlan 10 [SW5500-vlan10] port ethernet 1/0/2 to eth[...]

  • Page 340

    340 CHAPTER 18: MULTICAST PROTOCOL PIM-SM Operating Principle The working procedures for PIM-SM include: neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration and switchover to the SPT. Neighbor Discovery The PIM-SM router uses Hello messages to perform neighbor discovery when it is started. All netwo[...]

  • Page 341

    PIM-SM Overview 341 Preparations before Configuring PIM-SM Configuring Candidate RPs In a PIM-SM network, multiple RPs (candidate-RPs) can be configured. Each Candidate-RP (C-RP) is responsible for forwarding multicast packets with destination addresses in a certain range. Configuring multiple C-RPs is a way to implement load balancing of the[...]

  • Page 342

    342 CHAPTER 18: MULTICAST PROTOCOL ■ Clearing PIM Neighbors It should be noted that at least one router in an entire PIM-SM domain should be configured with Candidate-RPs and Candidate-BSRs. Enabling Multicast Refer to “Common Multicast Configuration” on page 323. Enabling PIM-SM This configuration can be effective only after multicast[...]

  • Page 343

    PIM-SM Overview 343 Configuring Candidate-BSRs In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among candidate BSRs. The BSR takes charge of collecting and advertising RP information. The automatic election among candidate BSRs operates as follows: ■ One interface which has started PIM-SM[...]

  • Page 344

    344 CHAPTER 18: MULTICAST PROTOCOL Configuring Static RP Static RP serves as the backup of dynamic RP, so as to improve network robustness. Perform the following configuration in PIM view. A basic ACL can control the range of multicast groups served by the static RP. If static RP is in use, all routers in the PIM domain must adopt the same conf[...]

  • Page 345

    PIM-SM Overview 345 Perform the following configuration in PIM view. If an entry of a source group is denied by the ACL, or the ACL does not define an operation for it, or there is no ACL defined, the RP will send RegisterStop messages to the DR to prevent the register process of the multicast data stream. Only the register messages matching the AC[...]

  • Page 346

    346 CHAPTER 18: MULTICAST PROTOCOL In the BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which then propagates the C-RP messages across the network in BSR messages. To prevent C-RP spoofing, you need to configure crp-policy on the BSR to limit the legal C-RP range and their service group range. Since each C-BSR has the chance to become[...]

  • Page 347

    PIM-SM Overview 347 Networking Diagram Figure 87 PIM-SM configuration networking Configuration Procedure 1 On Switch_A: a Enable PIM-SM. [SW5500] multicast routing-enable [SW5500] vlan 10 [SW5500-vlan10] port ethernet 1/0/2 to ethernet 1/0/3 [SW5500-vlan10] quit [SW5500] interface vlan-interface 10 [SW5500-vlan-interface10] igmp enable [SW5500-v[...]

  • Page 348

    348 CHAPTER 18: MULTICAST PROTOCOL [SW5500] vlan 11 [SW5500-vlan11] port ethernet 1/0/4 to ethernet 1/0/5 [SW5500-vlan11] quit [SW5500] interface vlan-interface 11 [SW5500-vlan-interface11] igmp enable [SW5500-vlan-interface11] pim sm [SW5500-vlan-interface11] quit [SW5500] vlan 12 [SW5500-vlan12] port ethernet 1/0/6 to ethernet 1/0/7 [SW5500-[...]

  • Page 349

    349[...]

  • Page 350

    350 CHAPTER 18: MULTICAST PROTOCOL[...]

  • Page 351

    19 ACL CONFIGURATION This chapter covers the following topics: ■ Brief Introduction to ACL ■ QoS Configuration ■ QoS Profile Configuration ■ ACL Control Configuration Brief Introduction to ACL A series of matching rules are required for the network devices to identify the packets to be filtered. After id[...]

  • Page 352

    352 CHAPTER 19: ACL CONFIGURATION The depth-first principle is to put the statement specifying the smallest range of packets at the top of the list. This can be implemented by comparing the wildcards of the addresses. The smaller the wildcard is, the fewer hosts it can specify. For example, 129.102.1.1 0.0.0.0 specifies a host, whil[...]

  • Page 353

    Brief Introduction to ACL 353 Table 362 Set the Absolute Time Range When the start-time and end-time are not configured, the range covers the whole day. The end time shall be later than the start time. When end-time end-date is not configured, the range runs from now to the latest date the system can display. The end tim[...]

  • Page 354

    354 CHAPTER 19: ACL CONFIGURATION Table 363 Define Basic ACL Define Advanced ACL The classification rules for an advanced ACL are defined on the basis of attributes such as source and destination IP address, the TCP or UDP port number in use and packet priority, and are used to process the data packets. The advanced ACL supports the analysis of thr[...]

  • Page 355

    Brief Introduction to ACL 355 Table 365 Define Layer-2 ACL Defining the User-defined ACL The user-defined ACL matches any bytes in the first 80 bytes of the Layer-2 data frame against the character string defined by the user and then processes them accordingly. To correctly use the user-defined ACL, you are required to understand the Laye[...]

  • Page 356

    356 CHAPTER 19: ACL CONFIGURATION Table 367 Activate ACL Displaying and Debugging ACL After the above configuration, execute the display command in all views to display the running of the ACL configuration, and to verify the effect of the configuration. Execute the reset command in User View to clear the statistics of the ACL module. Table 368 Disp[...]

  • Page 357

    Brief Introduction to ACL 357 Configuration Procedure In the following configurations, only the commands related to ACL configuration are listed. 1 Define the work time range Define the time range from 8:00 to 18:00. [SW5500] time-range 3Com 8:00 to 18:00 working-day 2 Define the ACL to access the payment server. a Enter the numbered advanced ACL,[...]

  • Page 358

    358 CHAPTER 19: ACL CONFIGURATION [SW5500] acl number 2000 b Define the rule for packets whose source IP is 10.1.1.1. [SW5500-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range 3Com 3 Activate ACL. Activate the ACL 2000. [SW5500-GigabitEthernet1/0/50] packet-filter inbound ip-group 2000 Link ACL Configuration Example Networking Requireme[...]

  • Page 359

    QoS Configuration 359 QoS Configuration Traffic Traffic refers to all packets passing through a Switch. Traffic Classification Traffic classification means identifying the packets with certain characteristics, using the matching rule called a classification rule, set by the configuration administrator based on the actual requirements. The[...]

  • Page 360

    360 CHAPTER 19: ACL CONFIGURATION Figure 91 SP The SP is designed for key service applications. A significant feature of the key service is the need for priority in receiving service, to reduce the response delay when congestion occurs. Taking 8 egress queues per port as an example, SP divides the queues of the port into up to 8 kinds, [...]

  • Page 361

    QoS Configuration 361 QoS Configuration The process of traffic-based QoS: 1 Identify the traffic by ACL 2 Perform the QoS operation on the traffic. The configuration steps of traffic-based QoS: 1 Define the ACL 2 Configure the QoS operation If QoS is not based on traffic, you need not define an ACL first. See “Configuring ACL” for information o[...]

  • Page 362

    362 CHAPTER 19: ACL CONFIGURATION Configuration example for setting the priority of a protocol packet 1 Change OSPF protocol packets’ IP priority to 3. Enter system view. <S5500> system-view [S5500] 2 Set OSPF protocol packets’ IP priority to 3. [S5500] protocol-priority protocol-type OSPF ip-precedence 3 3 Display the priority of[...]

  • Page 363

    QoS Configuration 363 Configure Traffic Mirroring 1 Configure monitor port Perform the following configuration in the Ethernet Port View. Table 375 Configure Monitor Port Only one monitor port can be configured on one Switch. If a group of Switches forms a Fabric, only one monitor port can be configured on one Fabric. 2 Configure traffic mirr[...]

  • Page 364

    364 CHAPTER 19: ACL CONFIGURATION Configuring the Mapping Relationship Between COS and Local Precedence Using the following commands, you can configure the maps. Perform the following configuration in System View. Table 380 Map Configuration By default, the Switch uses the default mapping relationship. Configuring the Queue Scheduler. Perfor[...]

  • Page 365

    QoS Configuration 365 You should first define an ACL before this configuration task. The granularity of the traffic limit is 64 kbps. If the target-rate the user inputs is in (N*64, (N+1)*64], in which N is a natural number, the Switch automatically sets (N+1)*64 as the parameter value. This configuration achieves rate control for those packets that match [...]

  • Page 366

    366 CHAPTER 19: ACL CONFIGURATION Table 385 Configuring Traffic Statistics For details about the command, refer to the Command Reference Manual. Configuring WRED Operation The function of WRED Operation is to avoid congestion in advance. Perform the following configuration in the Ethernet Port View. Table 386 Configuring WRED Operation[...]

  • Page 367

    QoS Configuration 367 Controlling Telnet using Source IP and Destination IP This configuration can be implemented by means of an advanced ACL, which ranges from 3000 to 3999. For the definition of ACL, refer to the ACL part. Create or enter basic ACL view acl number acl-number [ match-order { config | auto } ] By default, the matching order is conf[...]

  • Page 368

    368 CHAPTER 19: ACL CONFIGURATION Controlling Telnet using Source MAC This configuration can be implemented by means of a Layer 2 ACL, which ranges from 4000 to 4999. For the definition of ACL, refer to the ACL part. Configuration Example Network requirements Only Telnet users from 10.110.100.52 and 10.110.100.46 can access the switch. Network d[...]

  • Page 369

    QoS Configuration 369 Displaying and Debugging QoS Configuration You can use the display command in any view to see the QoS operation and to check the status of the configuration. You can also clear the statistics information using the reset command in the Ethernet Interface View. QoS Configuration Example Traffic Limit and Line Rate Configura[...]

  • Page 370

    370 CHAPTER 19: ACL CONFIGURATION Networking Diagram Figure 93 QoS Configuration Example Configuration Procedure Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view. [SW5500] acl number 3000 b Define the traffic-of-payserver rule in the advanc[...]

  • Page 371

    QoS Configuration 371 Networking Diagram Figure 94 QoS Configuration Example Configuration Procedure Define port mirroring, with the monitoring port being Ethernet3/0/8. [SW5500-Ethernet3/0/8] monitor-port [SW5500-Ethernet3/0/1] mirroring-port both Priority Relabeling Configuration Example Networking Requirement In this example, ef labels are appende[...]

  • Page 372

    372 CHAPTER 19: ACL CONFIGURATION QoS Profile Configuration When used together with the 802.1x authentication function, the QoS profile function can offer preconfigured QoS settings for a user (or a group of users) who has passed authentication. When the user passes the 802.1x authentication, the Switch delivers the right profile dynamically to t[...]

  • Page 373

    QoS Profile Configuration 373 Perform the following configuration in System View. Table 393 Entering QoS Profile View You cannot delete a QoS profile which has been applied to a port. Adding/Removing Traffic Action to a QoS Profile From the QoS Profile View, you can configure the QoS actions for the current QoS profile. The maximu[...]

  • Page 374

    374 CHAPTER 19: ACL CONFIGURATION ■ Port-based mode: The Switch delivers the traffic actions in the QoS profile directly to the user port. Perform the following configuration in Ethernet Port View. Table 395 Configuring Profile Application Mode By default, port-based mode is enabled on the port. Applying QoS Profile to the Port With thi[...]

  • Page 375

    QoS Profile Configuration 375 The user (with user name someone and authentication password hello) accesses the Switch through the Ethernet1/0/1 port. The user is assigned to the 3com163.net domain. The QoS profile example references the ACL with bandwidth limited to 128 kbps and a new DSCP preference value of 46. Network Diagram Figure 97[...]

  • Page 376

    376 CHAPTER 19: ACL CONFIGURATION g Configure the QoS profile [SW5500] qos-profile example [SW5500-qos-profile-example] traffic-limit inbound ip-group 3000 128 exceed drop [SW5500-qos-profile-example] traffic-priority inbound ip-group 3000 dscp 46 [SW5500-qos-profile-example] quit h Set user-based mode on the Ethernet1/0/1 port [SW5500] interfa[...]

  • Page 377

    ACL Control Configuration 377 Importing ACL You can import a defined ACL in User Interface View to achieve ACL control. Perform the following configurations respectively in System View and User Interface View. Table 400 Importing ACL See the Command Reference Manual for details about these commands. Configuration Example Networking Requir[...]

  • Page 378

    378 CHAPTER 19: ACL CONFIGURATION Importing ACL Import the defined ACL into the commands that configure the SNMP community, user name and group name, to achieve ACL control over SNMP users. Perform the following configurations in System View. Table 401 Importing ACL SNMP community is one of the features of SNMP v1 and SNMP v2, so you impor[...]

  • Page 379

    ACL Control Configuration 379 Configuration Example Networking Requirement Only SNMP users from 10.110.100.52 and 10.110.100.46 can access the Switch. Networking Diagram Figure 99 ACL Configuration for SNMP Users Configuration Procedure 1 Define a basic ACL. [SW5500] acl number 2000 match-order config [SW5500-acl-basic-2000] rule 1 permit sourc[...]

  • Page 380

    380 CHAPTER 19: ACL CONFIGURATION For more about the commands, refer to the Command Reference Manual. Only a numbered basic ACL can be called for Web NM user control. Configuration Example Networking Requirements Only permit the Web NM user from 10.110.100.46 to access the Switch. Networking Diagram Figure 100 Controlling Web NM users with ACL Configur[...]

  • Page 381

    20 CONFIGURATION FOR QOS FEATURES RSPAN Features Remote switched port analyzer (RSPAN) refers to remote port mirroring. It breaks through the limitation that the mirrored port and the mirroring port have to be located in the same switch, and makes it possible for the mirrored and mirroring ports to be located across several devices in the [...]

  • Page 382

    382 CHAPTER 20: CONFIGURATION FOR QOS FEATURES To implement remote port management, a special VLAN, called the Remote-probe VLAN, needs to be defined in all three types of switches. All the mirrored packets will be forwarded from the source switch to the destination switch using this VLAN, and therefore the destination switch can monitor t[...]

  • Page 383

    RSPAN Features 383 Configuration Procedures in the Source Switch Configuration Procedures in the Intermediate Switch Table 404 Configuration procedures in the source switch Operation / Command / Description: Enter system view: system-view (no description); Establish the Remote-probe VLAN and enter VLAN view: vlan vlan-id (the parameter vlan-id represents the ID of the[...]

  • Page 384

    384 CHAPTER 20: CONFIGURATION FOR QOS FEATURES Configuration Procedures in the Source Switch Configuration Example Network diagram requirements The network description is as follows: ■ Switch A is connected to the data monitoring device using Ethernet1/0/2. ■ Ethernet1/0/1, the Trunk port of Switch A, is connected to Ethernet 1/0/[...]

  • Page 385

    RSPAN Features 385 ■ Configure Switch C to be the source switch, Ethernet 1/0/2 to be the source port of remote mirroring, and Ethernet1/0/5 to be the reflector port. Set Ethernet1/0/5 to be an Access port, with STP disabled. Network Diagram Figure 102 Network diagram for RSPAN Configuration Procedure 1 Configure Switch C. <S5500> system-v[...]

  • Page 386

    386 CHAPTER 20: CONFIGURATION FOR QOS FEATURES [S5500-Ethernet1/0/1] port trunk permit vlan 10 [S5500-Ethernet1/0/1] quit [S5500] mirroring-group 1 remote-destination [S5500] mirroring-group 1 monitor-port ethernet1/0/2 [S5500] mirroring-group 1 remote-probe vlan 10 [S5500] display mirroring-group remote-destination Features of Traffic S[...]

  • Page 387

    Displaying Information of the display acl command 387 ■ A fixed weighting value is deducted from the weighting value of each element of the rule. The rule with the smallest weighting value left has the highest priority. ■ If the number and type of elements are the same for all rules, then the rule with the smallest sum value of all its eleme[...]

  • Page 388

    388 CHAPTER 20: CONFIGURATION FOR QOS FEATURES The Synchronization Feature of Queue Scheduling for Aggregation Ports This feature provides the synchronization function of queue scheduling on each individual port of the aggregation port group, as illustrated as follows: 1 The new feature supports the synchronization of queue scheduling wi[...]

  • Page 389

    Configuring Control Over Telnet 389 Controlling Telnet using Source IP This configuration can be implemented by means of a basic ACL, which ranges from 2000 to 2999. Controlling Telnet using Source IP and Destination IP This configuration can be implemented by means of an advanced ACL, which ranges from 3000 to 3999. For the definition of ACL, r[...]

  • Page 390

    390 CHAPTER 20: CONFIGURATION FOR QOS FEATURES Controlling Telnet using Source MAC This configuration can be implemented by means of a Layer 2 ACL, which ranges from 4000 to 4999. For the definition of ACL, refer to the ACL part. Configuration Example Network requirements Only Telnet users from 10.110.100.52 and 10.110.100.46 can access the sw[...]

  • Page 391

    21 802.1X CONFIGURATION This chapter covers the following topics: ■ IEEE 802.1x Overview ■ Configuring 802.1x ■ Centralized MAC Address Authentication ■ AAA and RADIUS Protocol Configuration For information on setting up a RADIUS server and RADIUS client refer to Appendix B. For details on how to authenticate the Switch 5500 with a Ci[...]

  • Page 392

    392 CHAPTER 21: 802.1X CONFIGURATION The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The user and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in [...]

  • Page 393

    Configuring 802.1x 393 Implementing 802.1x on the Switch The Switch 5500 Family not only supports the port access authentication method regulated by 802.1x, but also extends and optimizes it in the following ways: ■ Support for connecting several End Stations downstream of one physical port. ■ The access control (or the user authenticatio[...]

  • Page 394

    394 CHAPTER 21: 802.1X CONFIGURATION Setting the Port Access Control Mode The following commands can be used for setting the 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured. Perform the following configurations in System View or Ethernet Port View. Table 413 Settin[...]

  • Page 395

    Configuring 802.1x 395 Setting the User Number on a Port The following commands are used for setting the number of users allowed by 802.1x on a specified port. When no port is specified, all the ports accept the same number of users. Perform the following configurations in System View or Ethernet Port View. Table 416 Setting the Maximum N[...]

  • Page 396

    396 CHAPTER 21: 802.1X CONFIGURATION The EAP-TLS mode authenticates supplicant systems by authenticating the licenses of both authentication servers and supplicant systems on both sides. In this mode, supplicant systems are authenticated by their licenses only, which are applied for from authentication servers. User name and password are n[...]

  • Page 397

    Configuring 802.1x 397 Network diagram Figure 105 Network diagram for 802.1x PEAP configuration Configuration procedure The following configurations assume that PEAP is selected on the 802.1x clients and the RADIUS server to authenticate 802.1x supplicant systems. Configure the switch. 1 Enter system view. <S5500> system-view 2 Enable 802.1[...]

  • Page 398

    398 CHAPTER 21: 802.1X CONFIGURATION Configuring Timers The following commands are used for configuring the 802.1x timers. Perform the following configurations in System View. Table 421 Configuring Timers handshake-period: This timer begins after the user has passed the authentication. After setting handshake-period, the system will send the [...]

  • Page 399

    802.1x Client Version Checking Configuration 399 Enabling/Disabling a Quiet-Period Timer You can use the following commands to enable/disable the quiet-period timer of an Authenticator (which can be a Switch 5500). If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by dot1x timer[...]

  • Page 400

    400 CHAPTER 21: 802.1X CONFIGURATION the supplicant system. Such a process goes on until the maximum number of retries is reached. If the maximum number of retries is reached and the supplicant system still does not respond, the switch ceases checking the client version of the supplicant system and continues with the following authenticat[...]

  • Page 401

    802.1x Client Version Checking Configuration 401 When the Guest VLAN function is enabled: ■ The switch broadcasts active authentication packets to all 802.1x-enabled ports. ■ The switch adds the ports that do not return response packets to the Guest VLAN when the maximum number of authentication retries is reached. ■ Users belonging to the Gue[...]

  • Page 402

    402 CHAPTER 21: 802.1X CONFIGURATION Configuration procedure 1 Enter system view. <S5500> system-view 2 Create VLAN 2. [S5500] vlan 2 3 Enter Ethernet1/0/1 port view. [S5500] interface ethernet1/0/1 4 Configure the port to operate in port-based authentication mode. [S5500-Ethernet1/0/1] dot1x port-method portbased 5 Configure Guest VL[...]

  • Page 403

    802.1x Client Version Checking Configuration 403 ■ CAMS is configured to disable the use of multiple network adapters, proxies, or IE proxies. By default, an 802.1x client allows the use of multiple network adapters, proxies, and IE proxies. If CAMS is configured to disable the use of multiple network adapters, proxies, or IE proxies, it prompt[...]

  • Page 404

    404 CHAPTER 21: 802.1X CONFIGURATION A server group, consisting of two RADIUS servers at 10.11.1.1 and 10.11.1.2 respectively, is connected to the switch. The former acts as the primary-authentication/secondary-accounting server. The latter acts as the secondary-authentication/primary-accounting server. Set the encryption key as [...]

  • Page 405

    Centralized MAC Address Authentication 405 6 Set the encryption key used when the system exchanges packets with the authentication RADIUS server. [SW5500-radius-radius1] key authentication name 7 Set the encryption key used when the system exchanges packets with the accounting RADIUS server. [SW5500-radius-radius1] key accounting money 8 Set the timeouts[...]

  • Page 406

    406 CHAPTER 21: 802.1X CONFIGURATION Centralized MAC Address Authentication Configuration Centralized MAC address authentication configuration includes: ■ Enabling MAC address authentication both globally and on the port ■ Configuring the domain name used by the MAC address authentication user ■ Configuring centralized MAC address authenti[...]

  • Page 407

    Centralized MAC Address Authentication 407 Configuring the User Name and Password for Fixed Mode If you configure the centralized MAC address authentication mode to be fixed mode, you need to configure the user name and password for fixed mode. Configuring Domain Name Used by the MAC Address Authentication User You can use the following command[...]

  • Page 408

    408 CHAPTER 21: 802.1X CONFIGURATION Displaying and Debugging Centralized MAC Address Authentication After the above configuration, perform the display command in any view to view the centralized MAC address authentication running state and check the configuration result. Perform the debugging command in User View to debug the[...]

  • Page 409

    AAA and RADIUS Protocol Configuration 409 2 Add a local access user. a Set the user name and password. [SW5500] local-user 00e0fc010101 [SW5500-luser-00e0fc010101] password simple 00e0fc010101 b Set the service type of the user to lan-access. [SW5500-luser-00e0fc010101] service-type lan-access 3 Enable MAC address authentication globally. [SW[...]

  • Page 410

    410 CHAPTER 21: 802.1X CONFIGURATION returns the configuration information and accounting data to the NAS. Here, the NAS controls users and corresponding connections, while the RADIUS protocol regulates how to transmit configuration and accounting information between the NAS and RADIUS. The NAS and RADIUS exchange the information with UDP packets. During t[...]

  • Page 411

    AAA and RADIUS Protocol Configuration 411 Among the above configuration tasks, creating an ISP domain is compulsory, otherwise the user attributes cannot be distinguished. The other tasks are optional. You can configure them as required. Creating/Deleting an ISP Domain What is an Internet Service Provider (ISP) domain? To make it simple,[...]

  • Page 412

    412 CHAPTER 21: 802.1X CONFIGURATION ■ None—no authentication and accounting. Table 438 Configuring AAA Scheme Adopted by the ISP Domain By default, after an ISP domain is created, the default AAA scheme is local. You cannot use a RADIUS scheme together with the local or none scheme. You can use either the scheme or the radius-scheme command[...]

  • Page 413

    AAA Separation 413 Enabling the Selection of the RADIUS Accounting Option If accounting optional is configured and no RADIUS server is available or the RADIUS accounting server fails, the user can still use the network resource; otherwise, the user will be disconnected. The user configured with the accounting optional command in RADIUS[...]

  • Page 414

    414 CHAPTER 21: 802.1X CONFIGURATION Configuring Separate AAA Schemes If a bound AAA scheme (that is, authentication, authorization and accounting bound in one scheme) is configured as well as separate authentication, authorization and accounting schemes, the separate ones take precedence. RADIUS scheme and local sc[...]

  • Page 415

    AAA Separation 415 Network diagram Figure 108 Network diagram for separate AAA schemes Configuration procedure 1 Enter system view. <S5500> system-view 2 Create an ISP domain named cams. [S5500] domain cams 3 Return to system view. [S5500-isp-cams] quit 4 Configure a RADIUS scheme named radius. [S5500] radius scheme radius [S5500-radius-r[...]

  • Page 416

    416 CHAPTER 21: 802.1X CONFIGURATION ■ If the threshold is reached, the switch sends messages containing the user's remaining online time to the client at the interval you configured. ■ The client keeps the user informed of the updated remaining online time through a dialog box. Perform the following configuration in ISP domain vi[...]

  • Page 417

    Dynamic VLAN Assignment 417 Dynamic VLAN Assignment Through dynamic VLAN assignment, the Ethernet switch dynamically adds the ports of successfully authenticated users to different VLANs depending on the attribute values assigned by the RADIUS server, so as to control the network resources the users can access. Currently, the switch supports[...]

  • Page 418

    418 CHAPTER 21: 802.1X CONFIGURATION Network diagram Figure 109 Network diagram for dynamic VLAN assignment Configuration procedure 1 Create a RADIUS scheme. [S5500] radius scheme ias [S5500-radius-ias] primary authentication 1.11.1.1 [S5500-radius-ias] primary accounting 1.11.1.1 [S5500-radius-ias] key authentication hello [S5500-radius-ia[...]

  • Page 419

    Dynamic VLAN Assignment 419 Setting Attributes of the Local User The attributes of a local user include its password display mode, state, service type and some other settings. Setting the Password Display Mode Perform the following configurations in System View. Table 447 Setting the Password Display Mode of Local Users auto means that the pass[...]

  • Page 420

    420 CHAPTER 21: 802.1X CONFIGURATION However, the user-privilege level is a global value for all service types. Entering the following two commands will result in the user having a level of 3 for all service types, in this case both telnet and SSH: [5500-SI-luser-adminpwd] service-type telnet level 1 [5500-SI-luser-adminpwd] service-type ssh [...]

  • Page 421

    Dynamic VLAN Assignment 421 Among the above tasks, creating the RADIUS scheme and setting the IP address of the RADIUS server are required, while the other tasks are optional and can be performed as per your requirements. Creating/Deleting a RADIUS Scheme As mentioned above, RADIUS protocol configurations are performed on a per-RADIUS-scheme ba[...]

  • Page 422

    422 CHAPTER 21: 802.1X CONFIGURATION The authorization information from the RADIUS server is sent to RADIUS clients in authentication response packets, so you do not need to specify a separate authorization server. In real networking environments, you may specify two RADIUS servers as primary and secondary authentication/authorization ser[...]

  • Page 423

    Dynamic VLAN Assignment 423 Setting the Maximum Number of Times a Real-time Accounting Request May Go Unanswered A RADIUS server usually checks whether a user is online with a timeout timer. If the RADIUS server has not received the real-time accounting packet from the NAS for a while, it will consider that there is a device failure and stop accounting[...]

  • Page 424

    424 CHAPTER 21: 802.1X CONFIGURATION Table 455 Setting the Maximum Retransmitting Times of the Stopping Accounting Request By default, the stopping accounting request can be retransmitted up to 500 times. Enabling the Selection of the RADIUS Accounting Option Perform the following configurations in RADIUS Scheme View. Table 456 Enabling[...]

  • Página 425

    User Re-authentication at Reboot 425 The switch can automatically generate the main attributes (NAS-ID, NAS-IP and session ID) of the Accounting-On packets. However, you can also manually configure the NAS-IP attribute with the nas-ip command. When doing this, be sure to configure a correct and valid IP address. If this attribute is not manual[...]

  • Page 426

    426 CHAPTER 21: 802.1X CONFIGURATION By default, the keys of RADIUS authentication/authorization and accounting packets are all “3com”. Tag VLAN Assignment on Trunk/Hybrid Port Supported by 802.1x Authentication Currently, the 802.1x authentication module supports Tag VLAN assignment only on Access port. But some applications (for e[...]

  • Page 427

    User Re-authentication at Reboot 427 By default, the newly created RADIUS scheme supports the server type standard, while the "system" RADIUS scheme created by the system supports the server type 3com. Setting the RADIUS Server State For the primary and secondary servers (no matter if they are an authentication/authorization server [...]

  • Page 428

    428 CHAPTER 21: 802.1X CONFIGURATION Setting the Unit of Data Flow that Transmitted to the RADIUS Server The following command defines the unit of the data flow sent to RADIUS server. Perform the following configurations in RADIUS Scheme View Table 463 Setting the Unit of Data Flow Transmitted to the RADIUS Server By default, the default[...]

  • Page 429

    User Re-authentication at Reboot 429 Setting the Timers of the RADIUS Server Setting the Response Timeout Timer of the RADIUS Server After RADIUS (authentication/authorization or accounting) request packet has been transmitted for a period of time, if NAS has not received the response from the RADIUS server, it has to retransmit the request t[...]

  • Page 430

    430 CHAPTER 21: 802.1X CONFIGURATION Configure the RADIUS Server Response Timer If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period of time, the NAS resends the request, thus ensuring the user can obtain the RADIUS service. You can specify[...]

  • Page 431

    User Re-authentication at Reboot 431 AAA and RADIUS Protocol Configuration Example For the hybrid configuration example of AAA/RADIUS protocol and 802.1x protocol, refer to “802.1x Configuration Example” on page 403. Configuring the FTP/Telnet User Authentication at a Remote RADIUS Server Configuring Telnet user authentication at the re[...]

  • Page 432

    432 CHAPTER 21: 802.1X CONFIGURATION Configuration Procedure 1 Add a Telnet user. For details about configuring FTP and Telnet users, refer to User Interface Configuration in the Getting Started chapter. 2 Configure remote authentication mode for the Telnet user, that is, scheme mode. [SW5500-ui-vty0-4] authentication-mode scheme 3 [...]

  • Page 433

    User Re-authentication at Reboot 433 2 Method 2: Using Local RADIUS authentication server. Local server method is similar to remote RADIUS authentication. But you should modify the server IP address to 127.0.0.1, authentication password to 3com, the UDP port number of the authentication server to 1645. Configuring the Switch 5500 General RADIU[...]

  • Page 434

    434 CHAPTER 21: 802.1X CONFIGURATION And that completes the configuration of the new radius server and associating it with a domain. Network Login Network login must first be enabled globally by issuing the command dot1x: [5500-xx] dot1x 802.1x is enabled globally (where xx is either EI or SI) Once enabled globally, the network login needs t[...]

  • Page 435

    User Re-authentication at Reboot 435 Once the RADIUS scheme and domain have been set up, see Domain and RADIUS scheme creation, then switch login is enabled. By default, when you use the user name admin to login, you are actually logging in as "admin@local". If no domain is given, the "@local" is automatically added at the en[...]

  • Page 436

    436 CHAPTER 21: 802.1X CONFIGURATION Fault Three: After being authenticated and authorized, the user cannot send charging bill to the RADIUS server. Troubleshooting: ■ The accounting port number may be set improperly. Please set a proper number. ■ The accounting service and authentication/authorization service are provided on diffe[...]

  • Page 437

    22 FILE SYSTEM MANAGEMENT This chapter covers the following topics: ■ File System Overview ■ File Attribute Configuration ■ Configuring File Management ■ Configuration File Backup and Restoration ■ FTP Overview ■ TFTP Overview ■ MAC Address Table Management ■ Device Management ■ System Maintenance and Debugging ■ Term[...]

  • Page 438

    438 CHAPTER 22: FILE SYSTEM MANAGEMENT Based on the operated objects, the file system can be divided as follows: ■ Directory operation ■ File operation ■ Storage device operation ■ Set the prompt mode of the file system Directory Operation You can use the file system to create or delete a directory, display the current working di[...]

  • Page 439

    File Attribute Configuration 439 File Attribute Configuration You can assign the main/backup attribute to a file so as to use this file as the main/backup startup file upon next startup of switch, check the main and backup files, and toggle between the main and backup attributes of file. You can use an App, BootROM, or Web file on one unit in [...]

  • Page 440

    440 CHAPTER 22: FILE SYSTEM MANAGEMENT File Operation The file system can be used to delete or undelete a file and permanently delete a file. Also, it can be used to display file contents, rename, copy and move a file and display the information about a specified file. Using the delete file-url command to delete a file, leaves the conten[...]

  • Page 441

    Configuring File Management 441 Setting the Prompt Mode of the File System The following command can be used for setting the prompt mode of the current file system. Perform the following configuration in System View. Table 477 File System Operation Configuring File Management The management module of the configuration file provides a user [...]

  • Page 442

    442 CHAPTER 22: FILE SYSTEM MANAGEMENT The configuration files are displayed in their corresponding saving formats. Saving the Current-configuration Use the save command to save the current-configuration in the Flash Memory, and the configurations will become the saved-configuration when the system is powered on for the next time. Perfor[...]

  • Page 443

    Configuration File Backup and Restoration 443 Configuration File Backup and Restoration The configuration file backup and restoration feature enables you to perform the following tasks: 1 Copy the current configurations on switch to a file on a TFTP server as a backup. 2 Download the configuration file backed up on the TFTP server to switch, an[...]

  • Page 444

    444 CHAPTER 22: FILE SYSTEM MANAGEMENT Table 484 Configuration of the Switch as FTP Client Table 485 Configuration of the Switch as FTP Server The prerequisite for normal FTP function is that the Switch and PC are reachable. Enabling/Disabling FTP Server You can use the following commands to enable/disable the FTP server on the Swi[...]

  • Page 445

    FTP Overview 445 If the ip-addr in the command is not an address of the device, your configuration fails. If you specify a non-existent interface in the command, your configuration fails. Configuring the FTP Server Authentication and Authorization You can use the following commands to configure FTP server authentication and authorization. The[...]

  • Page 446

    446 CHAPTER 22: FILE SYSTEM MANAGEMENT Displaying and Debugging FTP Server After the above configuration, execute display command in all views to display the running of the FTP Server configuration, and to verify the effect of the configuration. Table 490 Display and Debug FTP Server The display ftp-server command can be used for displayi[...]

  • Page 447

    FTP Overview 447 Displaying the Source IP Address of the FTP Client Use the display command in any view to display the source IP address of the FTP client for service packets. FTP Client Configuration Example Networking Requirement The Switch serves as the FTP client and the remote PC as the FTP server. The configuration on the FTP server:[...]

  • Page 448

    448 CHAPTER 22: FILE SYSTEM MANAGEMENT Password:***** 230 Logged in successfully [ftp] 3 Type in the authorized directory of the FTP server. [ftp] cd switch 4 Use the put command to upload the config.cfg to the FTP server. [ftp] put config.cfg 5 Use the get command to download the switch.app from the FTP server to the flash directory on[...]

  • Page 449

    TFTP Overview 449 3 Run FTP client on the PC and establish FTP connection. Upload the switch.app to the Switch under the Flash directory and download the config.cfg from the Switch. FTP client is not shipped with the Switch, so you need to buy it separately. If the flash memory of the Switch is not enough, you need to first delete the existi[...]

  • Page 450

    450 CHAPTER 22: FILE SYSTEM MANAGEMENT Downloading Files by means of TFTP To download a file, the client sends a request to the TFTP server and then receives data from it and sends acknowledgement to it. You can use the following commands to download files by means of TFTP. Perform the following configuration in User View. Table 495 [...]

  • Page 451

    MAC Address Table Management 451 3 Enter System View and download the switch.app from the TFTP server to the flash memory of the Switch. <SW5500> system-view [SW5500] 4 Configure IP address 1.1.1.1 for the VLAN interface, ensure the port connecting the PC is also in this VLAN (VLAN 1 in this example). [SW5500] interface vlan 1 [SW5500-vl[...]

  • Page 452

    452 CHAPTER 22: FILE SYSTEM MANAGEMENT Figure 117 The Switch Forwards Packets with MAC Address Table The Switch also provides the function of MAC address aging. If the Switch receives no packet for a period of time, it will delete the related entry from the MAC address table. However, this function takes no effect on the static MAC addres[...]

  • Page 453

    MAC Address Table Management 453 Setting MAC Address Aging Time Setting an appropriate aging time implements MAC address aging. Too long or too short an aging time set by subscribers will cause the Ethernet switch to flood a large amount of data packets. This affects the switch operation performance. If the aging time is set too long, the Switc[...]

  • Page 454

    454 CHAPTER 22: FILE SYSTEM MANAGEMENT Displaying MAC Address Table After the above configuration, execute the display command in all views to display the running of the MAC address table configuration, and to verify the effect of the configuration. Execute the debugging command in User View to debug MAC address table configuration. Tabl[...]

  • Page 455

    MAC Address Table Management 455 Configuration procedure The display command shows a stack wide view of the MAC address table. [SW5500] display mac-address MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 00e0-fc00-3943 1 Learned Ethernet1/0/11 300 0000-0000-5100 1 Learned Ethernet2/0/22 300 0020-9c08-e774 1 Learned Ethernet2/0/7 288 0000-0000-[...]

  • Page 456

    456 CHAPTER 22: FILE SYSTEM MANAGEMENT Device Management With the device management function, the Switch can display the current running state and event debugging information about the unit, thereby implementing the maintenance and management of the state and communication of the physical devices. In addition, there is a command availabl[...]

  • Page 457

    Device Management 457 Upgrading BootROM You can use this command to upgrade the BootROM with the BootROM program in the Flash Memory. This configuration task facilitates the remote upgrade. You can upload the BootROM program file from a remote end to the Switch using FTP and then use this command to upgrade the BootROM. Perform the following[...]

  • Page 458

    458 CHAPTER 22: FILE SYSTEM MANAGEMENT Networking Diagram Figure 120 Networking for FTP Configuration Configuration Procedure 1 Configure FTP server parameters on the PC. Define a user named as Switch, password hello, read and write authority over the Switch directory on the PC. 2 Configure the Switch The Switch has been configured wit[...]

  • Page 459

    System Maintenance and Debugging 459 8 Use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the Switch. <SW5500> boot boot-loader switch.app <SW5500> display boot-loader The app to boot at the next time is: flash:/Switch.app The app to boot of board 0 at this time is: flas[...]

  • Page 460

    460 CHAPTER 22: FILE SYSTEM MANAGEMENT Basic System Configuration Setting the System Name for the Switch Perform the operation of sysname command in the System View. Table 508 Set the Name for the Switch Setting the System Clock Perform the operation of clock datetime command in the User View. Table 509 Set the System Clock Setting the [...]

  • Page 461

    Terminating the FTP Connection of a Specified User 461 Terminating the FTP Connection of a Specified User By using the following command, the network administrator can forcibly terminate the FTP connection of a specified user on the FTP server, in order to secure the operation of the network. Restarting the Switch You can use the following c[...]

  • Page 462

    462 CHAPTER 22: FILE SYSTEM MANAGEMENT System Debugging Enable/Disable the Terminal Debugging The Switch provides various ways for debugging most of the supported protocols and functions, which can help you diagnose and address the errors. The following Switches can control the outputs of the debugging information: ■ Protocol debugging Swit[...]

  • Page 463

    Displaying the State and Information of the System 463 Table 515 Enable/Disable the Debugging For more about the usage and format of the debugging commands, refer to the relevant chapters. Since the debugging output will affect the system operating efficiency, do not enable the debugging without necessity, especially use the debugging all co[...]

  • Page 464

    464 CHAPTER 22: FILE SYSTEM MANAGEMENT Testing Tools for Network Connection This section contains the tools necessary to test network connections. ping The ping command can be used to check the network connection and if the host is reachable. Perform the following operation in all views. Table 517 The ping Command The output of the[...]

  • Page 465

    Introduction to Remote-ping 465 The execution process of tracert is described as follows: Send a packet with TTL value as 1 and the first hop sends back an ICMP error message indicating that the packet cannot be sent, for the TTL is timeout. Re-send the packet with TTL value as 2 and the second hop returns the TTL timeout message. The process i[...]

  • Page 466

    466 CHAPTER 22: FILE SYSTEM MANAGEMENT Remote-ping Configuration This section contains information on remote-ping. Introduction to Remote-ping Configuration The configuration tasks for remote-ping include: ■ Enabling remote-ping Client ■ Creating test group ■ Configuring test parameters The test parameters that you can configure includ[...]

  • Page 467

    Remote-ping Configuration 467 The remote-ping test does not display test results. You can use the display remote-ping command to view the test results. You can use the display remote-ping command to check the test history as well as the latest test results. Configuration Example Network Requirement Perform a remote-ping ICMP test between two s[...]

  • Page 468

    468 CHAPTER 22: FILE SYSTEM MANAGEMENT 5 Display the test results. [S5500-remote-ping-administrator-icmp] display remote-ping results administrator icmp [S5500-remote-ping-administrator-icmp] display remote-ping history administrator icmp Logging Function This section contains information on the Logging function. Introduction to Info-cen[...]

  • Page 469

    Logging Function 469 "yyyy" is the year field. If changed to boot format, it represents the milliseconds from system booting. Generally, the data are so large that two 32 bits integers are used, and separated with a dot '.'. For example: <189>0.166970 SW5500 IFNET/6/UPDOWN: Line protocol on interface Ethernet1/0/2,[...]

  • Page 470

    470 CHAPTER 22: FILE SYSTEM MANAGEMENT Note that there is a slash ('/') between module name and severity. 5 Severity Switch information falls into three categories: log information, debugging information and trap information. The info-center classifies every kind of information into 8 severity or urgent levels. The log filtering[...]

  • Page 471

    Logging Function 471 Table 521 Info-Center-Defined Severity Note that there is a slash between severity and digest. 6 Digest The digest is an abbreviation; it represents the abstract of the contents. Note that there is a colon between digest and content. 7 Content It is the contents of logging information. Info-Center Configuration The Switch s[...]

  • Page 472

    472 CHAPTER 22: FILE SYSTEM MANAGEMENT 1 Sending the information to loghost. Table 523 Sending the Information to Loghost 2 Sending the information to the control terminal. Table 524 Sending the Information to the Control Terminal. Device Configuration Default Value Configuration Description Switch Enable info-center By default, info-c[...]

  • Page 473

    Logging Function 473 3 Sending the Information to monitor terminal 4 Sending the Information to log buffer. Table 526 Sending the Information to Log Buffer 5 Sending the Information to trap buffer. Table 527 Sending the Information to Trap Buffer Table 525 Sending the Information to Monitor Terminal Device Configuration Default Value Conf[...]

  • Page 474

    474 CHAPTER 22: FILE SYSTEM MANAGEMENT 6 Sending the Information to SNMP Table 528 Sending the Information to SNMP 7 Turn on/off the information synchronization Switch in Fabric Figure 124 Turn on/off the Information Synchronization Switch in Fabric Sending the Information to Loghost To send information to the loghost, follow the steps[...]

  • Page 475

    Logging Function 475 Table 530 Configuring to Output Information to Loghost Ensure to enter the correct IP address using the info-center loghost command to configure loghost IP address. If you enter a loopback address, the system prompt of invalid address appears. 3 Configuring the information source on the Switch With this command, you can d[...]

  • Page 476

    476 CHAPTER 22: FILE SYSTEM MANAGEMENT 4 Configuring loghost The configuration on the loghost must be the same with that on the Switch. For related configuration, see the configuration examples in the latter part of this chapter. Setting Format of Time Stamps Due to be Sent to Log Host Table 532 describes the detailed configuration tasks[...]

  • Page 477

    Logging Function 477 Table 534 Configuring to Output Information to Control Terminal 3 Configuring the information source on the Switch. With this configuration, you can define the information sent to the control terminal that is generated by which modules, information type, information level, and so on. Perform the following operation i[...]

  • Page 478

    478 CHAPTER 22: FILE SYSTEM MANAGEMENT Perform the following operation in User View: Table 537 Enabling Terminal Display Function Sending the Information to Telnet Terminal or Dumb Terminal To send information to a Telnet terminal or dumb terminal, follow the steps below: 1 Enabling info-center Perform the following opera[...]

  • Page 479

    Logging Function 479 modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with the level below it will not be output. channel-number specifies the channel number and channel-name specifies the channel name. When defi[...]

  • Page 480

    480 CHAPTER 22: FILE SYSTEM MANAGEMENT Sending the Information to the Log Buffer To send information to the log buffer, follow the steps below: 1 Enabling info-center Perform the following operation in System View. Table 543 Enabling/Disabling Info-center Info-center is enabled by default. After info-center is enabled, system performan[...]

  • Page 481

    Logging Function 481 If you want to view the debugging information of some modules on the Switch, you must select debugging as the information type when configuring the information source, meantime using the debugging command to turn on the debugging Switch of those modules. You can use the following commands to configure log information, debugg[...]

  • Page 482

    482 CHAPTER 22: FILE SYSTEM MANAGEMENT modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with the level below it will not be output. channel-number specifies the channel number and channel-name specifies the c[...]

  • Page 483

    Logging Function 483 3 Configuring the information source on the Switch. With this configuration, you can define the information that is sent to SNMP NM: generated by which modules, information type, information level, and so on. Perform the following operation in System View. Table 553 Defining Information Source modu-name specifies the mo[...]

  • Page 484

    484 CHAPTER 22: FILE SYSTEM MANAGEMENT The Switch provides a command to turn on/off the synchronization Switch in every Switch. If the synchronization Switch of a Switch is turned off, it does not send information to other Switches but still receives information from others. 1 Enable info-center Perform the following operation in System Vi[...]

  • Page 485

    Logging Function 485 Configuring Synchronous Information Output Function Synchronous information output function works to prevent users’ input from being interrupted by system output. While enabled, this function allows users to view their input so far after each system output; thus avoids displaying commands on separate lines and increases th[...]

  • Page 486

    486 CHAPTER 22: FILE SYSTEM MANAGEMENT 2 Configuration on the loghost This configuration is performed on the loghost. The following example is performed on SunOS 4.0 and the operation on Unix operating systems produced by other manufacturers is generally the same as the operation on SunOS 4.0. a Perform the following command as the super user [...]

  • Page 487

    Logging Function 487 Networking diagram Figure 128 Schematic Diagram of Configuration Configuration Procedure 1 Enabling info-center [SW5500] info-center enable Set the host with the IP address of 202.38.1.10 as the loghost; set the severity level threshold value as informational, set the output language to English; set all the modules are all[...]

  • Page 488

    488 CHAPTER 22: FILE SYSTEM MANAGEMENT c After the establishment of information (log file) and the revision of /etc/syslog.conf, you should view the number of syslogd (system daemon) through the following command, kill syslogd daemon and reuse -r option the start syslogd in daemon. # ps -ae | grep syslogd 147 # kill -9 147 # syslogd -r &[...]

  • Page 489

    RMON Configuration 489 RMON Configuration Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network. It is one of the most widely used Network Management standards. RMON is implemented fully [...]

  • Page 490

    490 CHAPTER 22: FILE SYSTEM MANAGEMENT You can use the following commands to add/delete an entry to/from the alarm table. Perform the following configuration in System View. Table 558 Add/Delete an Entry to/from the Alarm Table Adding/Deleting an Entry to/from the Event Table RMON event management defines the event ID and the handlin[...]

  • Page 491

    RMON Configuration 491 Table 561 Add/Delete an Entry to/from the Extended RMON Alarm Table Adding/Deleting an Entry to/from the Statistics Table The RMON statistics management concerns the port usage monitoring and error statistics when using the ports. The statistics include collision, CRC and queuing, undersize packets or oversize packe[...]

  • Page 492

    492 CHAPTER 22: FILE SYSTEM MANAGEMENT RMON Configuration Example Networking Requirements Set an entry in RMON Ethernet statistics table for the Ethernet port performance, which is convenient for network administrators’ query. Networking Diagram Figure 130 RMON Configuration Networking Configuration Procedure 1 Configure RMON. [SW5500-Eth[...]

  • Page 493

    NTP Overview 493 ■ Record for an application when a user logs in to a system, a file is modified, or Basic Operating Principle of NTP Figure 131 illustrates the basic operating principle of NTP: Figure 131 Basic Operating Principle of NTP In Figure 131, Switch A and Switch B are connected using the Ethernet port. They have independent system cl[...]

  • Page 494

    494 CHAPTER 22: FILE SYSTEM MANAGEMENT In this way, Switch A uses the above information to set the local clock and synchronize it with the clock on Switch B. The operating principle of NTP is briefly introduced above. For more information, refer to RFC1305. NTP Configuration NTP is used for time synchronization throughout a network. NTP co[...]

  • Page 495

    NTP Configuration 495 Table 563 Configure NTP Time Server NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295; interface-name or interface-type interface-number specifies the IP address of an interface, from which the source IP address of the NTP packets sent from the loca[...]

  • Page 496

    496 CHAPTER 22: FILE SYSTEM MANAGEMENT Configuring NTP Broadcast Client Mode Designate an interface on the local Switch to receive NTP broadcast messages and operate in broadcast client mode. The local Switch listens to the broadcast from the server. When it receives the first broadcast packets, it starts a brief client/server mode to [...]

  • Page 497

    NTP Configuration 497 Multicast IP address ip-address defaults to 224.0.1.1. This command can only be configured on the interface where the NTP multicast packets will be received. Configuring NTP ID Authentication Enable NTP authentication, set MD5 authentication key, and specify the reliable key. A client will synchronize itself by a server[...]

  • Page 498

    498 CHAPTER 22: FILE SYSTEM MANAGEMENT An interface is specified by interface-name or interface-type interface-number. The source address of the packets will be taken from the IP address of the interface. If the ntp-service unicast-server or ntp-service unicast-peer command also designates a transmitting interface, use the one designated [...]

  • Page 499

    Typical NTP Configuration Examples 499 Setting Maximum Local Sessions This configuration task is to set the maximum local sessions. Perform the following configurations in System View. Table 575 Set the Maximum Local Sessions number specifies the maximum number of local sessions, ranges from 0 to 100, and defaults to 100. Displaying and Debugg[...]

  • Page 500

    500 CHAPTER 22: FILE SYSTEM MANAGEMENT Networking Diagram Figure 132 Typical NTP Configuration Networking Diagram Configuration Procedure Configure Switch 1: 1 Enter System View. <switch1> system-view 2 Set the local clock as the NTP master clock at stratum 2. [switch1] ntp-service refclock-master 2 Configure Switch 2: 1 Enter System[...]

  • Page 501

    Typical NTP Configuration Examples 501 After the synchronization, Switch 2 turns into the following status: [switch2] display ntp-service status clock status: synchronized clock stratum: 8 reference clock ID: 1.0.1.11 nominal frequency: 100.0000 Hz actual frequency: 100.0000 Hz clock precision: 2^17 clock offset: 0.0000 ms root delay: 0.00 ms root[...]

  • Page 502

    502 CHAPTER 22: FILE SYSTEM MANAGEMENT 3 Configure Switch 5: (Switch 4 has been synchronized by Switch 3) a Enter System View. <switch5> system-view b After performing local synchronization, set Switch 4 as a peer. [switch5] ntp-service unicast-peer 3.0.1.32 The above examples configure Switch 4 and Switch 5 as peers and configure[...]

  • Page 503

    Typical NTP Configuration Examples 503 c Enter Vlan-interface2 view. [switch3] interface vlan-interface 2 d Set it as broadcast server. [switch3-Vlan-Interface2] ntp-service broadcast-server 2 Configure Switch 4: a Enter System View. <switch4> system-view b Enter Vlan-interface2 view. [switch4] interface vlan-interface 2 [switch4-Vlan-I[...]

  • Page 504

    504 CHAPTER 22: FILE SYSTEM MANAGEMENT Configure NTP Multicast Mode Network Requirements Switch 3 sets the local clock as the master clock at stratum 2 and multicast packets from Vlan-interface2. Set Switch 4 and Switch 1 to receive multicast messages from their respective Vlan-interface2. (Note that Switch 3 must support setting local cloc[...]

  • Page 505

    Typical NTP Configuration Examples 505 Configure Authentication-enabled NTP Server Mode Network Requirements Switch 1 sets the local clock as the NTP master clock at stratum 2. Switch 2 sets Switch 1 as its time server in server mode and itself in client mode and enables authentication. (Note that Switch 1 must support setting local clock as the[...]

  • Page 506

    506 CHAPTER 22: FILE SYSTEM MANAGEMENT SSH Terminal Services Secure Shell (SSH) can provide information security and powerful authentication to prevent such assaults as IP address spoofing, plain-text password interception when users log on to the Switch remotely from an insecure network environment. A Switch can connect to multiple SSH [...]

  • Page 507

    SSH Terminal Services 507 way: The RSA public key of the client user is configured at the server. The client first sends the member modules of its RSA public key to the server, which checks its validity. If it is valid, the server generates a random number, which is sent to the client after being encrypted with RSA public key. Both ends calc[...]

  • Page 508

    508 CHAPTER 22: FILE SYSTEM MANAGEMENT Configuring and Canceling Local RSA Key Pair In executing this command, if you have configured RSA host key pair, the system gives an alarm after using this command and prompts that the existing one will be replaced. The server key pair is created dynamically by the SSH server. The maximum bit range [...]

  • Page 509

    SSH Terminal Services 509 Defining SSH Authentication Retry Value Setting SSH authentication retry value can effectively prevent malicious registration attempt. Perform the following configurations in System View. Table 582 Defining SSH Authentication Retry Value By default, the retry value is 3. Entering Public Key Edit View and Editing Publ[...]

  • Page 510

    510 C HAPTER 22: F IL E S YSTEM M ANAGEMENT Configuring SSH Client There ar e several types of SSH client sof tware, such as PuTTY and FreeBSD. Y ou should first configure the client’ s connecti on with the server . The b asic configuration tasks on the client include: ■ Specifying server IP add ress. ■ Selecting SSH protocol. The client supp[...]

• Page 511

SSH Terminal Services 511 Figure 137 SSH key convert. Use the Save button to save this converted key to a file. Open the public key file in Notepad and insert the following lines of text before the existing text:
rsa peer-public-key mykey
public-key-code begin
where mykey is a name used to identify the key within the switch; you may choose any name for[...]

• Page 512

512 CHAPTER 22: FILE SYSTEM MANAGEMENT Figure 138 Text file of mykey Save this to a file ending with a ".bat" extension, e.g. "keys.bat". This file can be transferred to the switch using FTP or TFTP (note that both transfer the key file in clear text; a public key is not secret, but verify it arrived unmodified). The key is installed using the execute command in System View:
[SW5500] execute keys.bat
Specifying Server IP Address S[...]

• Page 513

SSH Terminal Services 513 In the Host Name (or IP address) text box, key in the IP address of the Switch, for example 10.110.28.10. You can also input the IP address of any interface in UP state, but its route to the SSH client PC must be reachable. Selecting SSH Protocol Select SSH for the Protocol item. Choosing SSH Version Click the left menu [Ca[...]

• Page 514

514 CHAPTER 22: FILE SYSTEM MANAGEMENT Figure 141 SSH client configuration interface (3) Click Browse to enter the File Select interface. Choose the desired file and click OK. Opening SSH Connection Click Open to enter the SSH client interface. If it runs normally, you are prompted to enter the username and password. See Figure 142. Figure 142 SS[...]

• Page 515

SSH Terminal Services 515 Displaying and Debugging SSH Run the display command in any view to view the running state of SSH and to check the configuration result. Run the debugging command to debug SSH. Perform the following configurations in any view. Table 584 Display SSH Information SSH Configuration Example Networking Requirements As shown[...]

• Page 516

516 CHAPTER 22: FILE SYSTEM MANAGEMENT
[SW5500-luser-client002] service-type ssh
4 Specify AAA authentication on the user interface.
[SW5500] user-interface vty 0 4
[SW5500-ui-vty0-4] authentication-mode scheme
5 Select SSH protocol on the Switch.
[SW5500-ui-vty0-4] protocol inbound ssh
6 Specify RSA authentication on the Switch.
[SW5500[...]

• Page 517

File System Configuration 517 File System Configuration Perform the following file system configuration in User View. If you delete a file and then another file with the same name under the same directory, the recycle bin only keeps the last deleted file. The files which are deleted by using the delete command without the /unreserved para[...]

• Page 518

518 CHAPTER 22: FILE SYSTEM MANAGEMENT To ensure that the switch can use the current configuration after it restarts, you are recommended to save the current configuration by using the save command before restarting the switch. If multiple switches compose one fabric, executing the save command will make each unit in the fabric save its[...]

• Page 519

FTP Lighting Configuration 519 Enabling FTP Server on Switch After the FTP server is enabled on a Switch 5500, the seven-segment digital LED on the front panel of the switch will rotate clockwise while an FTP client is uploading a file to the FTP server (the Switch 5500), and will stop rotating when the file upload is finished, a[...]

• Page 520

520 CHAPTER 22: FILE SYSTEM MANAGEMENT Enabling FTP Client on the Switch After the FTP client is enabled on a Switch 5500, the seven-segment digital LED on the front panel of the switch will rotate clockwise while the FTP client (the Switch 5500) is downloading a file from an FTP server, and will stop rotating when the file downlo[...]

• Page 521

TFTP Lighting Configuration 521 The switch can only act as a TFTP client. Figure 146 Network diagram for TFTP configuration TFTP Lighting Procedure The TFTP server and the TFTP client must be reachable to each other for the TFTP function to operate normally. After the TFTP client is enabled on a Switch 5500, the seven-segment digit[...]

• Page 522

522 CHAPTER 22: FILE SYSTEM MANAGEMENT[...]

• Page 523

23 PORT TRACKING CONFIGURATION Introduction to the Port Tracking Function With the port tracking function enabled, you can track the link state of the master's uplink port and decrease the priority of the switch when the port fails. This in turn triggers the election of a new master in the backup group. Port Tracking Con[...]

• Page 524

524 CHAPTER 23: PORT TRACKING CONFIGURATION
Network diagram
Figure 147 Network diagram for port tracking configuration
Configuration procedure
Configure the master switch.
1 Enter system view.
<S5500> system-view
System View: return to User View with Ctrl+Z.
2 Create VLAN 2.
[S5500] vlan 2
[S5500-vlan2] port Ethernet1/0/1
[S5500-vlan2[...]

• Page 525

24 DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION Introduction to Dynamically Apply ACL by RADIUS Server The switch can dynamically apply pre-defined ACL rules to one authenticated user or one group of authenticated users by combining the Dynamically Apply ACL by RADIUS Server function with the 802.1x authentication function. After you have pass[...]

• Page 526

526 CHAPTER 24: DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION Configuration Example This section contains a configuration example. Network requirements The switch implements the Dynamically Apply ACL by RADIUS Server function for the access users. The IP address of the VLAN interface, which connects the switch and the RADIUS Serve[...]

• Page 527

Configuration Example 527 Configuration procedure Configuration on the RADIUS server 1 Click User/Manage Users. See Figure 150. Figure 150 The first step 2 Create a new user, and then on the General Attributes page input the password of the user; meanwhile set the "Account Expiration Date" to Dec-31-2049. See Figure 151. Figure 151 Th[...]

• Page 528

528 CHAPTER 24: DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION Figure 152 The third step 4 Click Options/Encryption Keys and set the encryption key (the RADIUS shared secret; it must match the key configured on the switch). See Figure 153. Figure 153 The fourth step 5 Input the NAS IP and the encryption key. See Figure 154.[...]

• Page 529

Configuration Example 529
Figure 154 The fifth step
Configuration on the switch
1 Enable 802.1x.
<S5500> system-view
[S5500] dot1x
[S5500] dot1x interface ethernet 1/0/1
2 Configure the IP address information for the RADIUS server.
[S5500] radius scheme radius1
[S5500-radius-radius1] primary authentication 10.153.1.2 1645
[S5500-radius-rad[...]

• Page 530

530 CHAPTER 24: DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION
On Unit 1: Total 1 connections matched, 1 listed.
Total 1 connections matched, 1 listed.
[S5500] display connection ucibindex 28
------------------------Unit 1------------------------
Index=28, Username=test@test163.net
MAC=000a-eb7e-d28e, IP=10.153.1.9
Access=8021X, Au[...]

• Page 531

25 AUTO DETECT CONFIGURATION Introduction to the Auto Detect Function The auto detect function uses ICMP echo request/reply packets to test the connectivity of a network at regular intervals. The auto detect function is carried out through detecting groups. A detecting group comprises a group of IP addresses to be detected. You can examine the conn[...]

• Page 532

532 CHAPTER 25: AUTO DETECT CONFIGURATION
Network diagram
Figure 155 Network diagram for auto detect configuration
Configuration procedure
1 Enter system view.
<S5500> system-view
2 Create detecting group 10.
[S5500] detect-group 10
3 Specify to detect the IP address 10.1.1.4, taking the IP address 192.168.1.2 as the next hop an[...]

• Page 533

Auto Detect Implementation in Static Routing 533 You can use a single detecting group simultaneously in multiple of the implementations mentioned above. Refer to the Routing Protocol part in the Switch 5500 Series Switch Operation Manual for information about static routing. Refer to the Reliability part in the Switch 5500 Series Switch Operation Manual [...]

• Page 534

534 CHAPTER 25: AUTO DETECT CONFIGURATION
Configuration procedure
Configure Switch A.
<S5500 A> system-view
[S5500 A] detect-group 8
[S5500 A-detect-group-8] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2
[S5500 A] ip route-static 10.1.1.4 24 192.168.1.2 detect-group 8
Auto Detect Implementation in VRRP
You can control the prefe[...]

• Page 535

Auto Detect Implementation in VRRP 535
Network diagram
Figure 157 Network diagram for VRRP
Configuration procedure
1 Configure Switch B.
a Create detecting group 9.
<S5500 B> system-view
[S5500 B] detect-group 9
b Specify to detect the reachability of the IP address 10.1.1.4, setting the detect number to 1.
[S5500 B-detect-group-9] detec[...]

• Page 536

536 CHAPTER 25: AUTO DETECT CONFIGURATION
c Set the backup group preference value of Switch D to 100.
[S5500 D-vlan-interface1] vrrp vrid 1 priority 100
Auto Detect Implementation in VLAN Interface Backup
The interface backup function uses the auto detect function to back up VLAN interfaces. For two VLAN interfaces configured with [...]

• Page 537

Auto Detect Implementation in VLAN Interface Backup 537
Network diagram
Figure 158 Network diagram for VLAN interface backup
Configuration procedure
1 Configure Switch C.
a Enter system view.
<S5500 C> system-view
b Configure a static route to VLAN interface 1 on Switch A as the primary route, with the IP address 10.1.1.3 as the next h[...]

• Page 538

538 CHAPTER 25: AUTO DETECT CONFIGURATION
g Add the IP address 10.1.1.4 to detecting group 10 to detect the reachability of that address, with the IP address 192.168.1.2 as the next hop, and set the detecting number to 1.
[S5500 A-detect-group-10] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2
[S5500 A-detect-group-10] quit
h[...]

• Page 539

26 RSTP CONFIGURATION This chapter covers the following topics:
■ STP Overview
■ RSTP Configuration
■ RSTP Configuration Example
STP Overview Spanning Tree Protocol (STP) is applied in networks containing loops to block undesirable redundant paths by means of a defined algorithm and prune the network into a loop-free tree, thereby avoiding the prolifer[...]

• Page 540

540 CHAPTER 26: RSTP CONFIGURATION For a Switch, the designated bridge is the Switch in charge of forwarding BPDUs to the local Switch, using a port called the designated port. For a LAN segment, the designated bridge is the Switch in charge of forwarding BPDUs onto that segment, again using a port called the designated port. As illustrated in Figur[...]

• Page 541

STP Overview 541 2 Select the optimum configuration BPDU Every Switch transmits its configuration BPDU to the others. When a port receives a configuration BPDU with a lower priority than its own, it discards the message and keeps the local BPDU unchanged. When a higher-priority configuration BPDU is received, the local BPDU is updated[...]

• Page 542

542 CHAPTER 26: RSTP CONFIGURATION Switch B compares the configuration BPDUs of its ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of Switch B's ports are updated as follows. The configuration BPDU of the root port BP1 remains {0, 0, 0, BP1}. BP2 updates its root ID with that[...]

• Page 543

STP Overview 543 To simplify the description, the example is simplified. In an actual calculation the root ID and the designated bridge ID each comprise the Switch priority and the Switch MAC address, and the designated port ID comprises the port priority and the port number. In the updating process of a configurat[...]

• Page 544

544 CHAPTER 26: RSTP CONFIGURATION In a Switch equipped with the XRN feature, RSTP has the following characteristics: 1) The whole Fabric is processed as a single node; 2) All ports except those used as Fabric ports participate in role selection; 3) A single root port and bridge ID for the whole Fabric; 4) Distributed saving of RSTP port informati[...]

• Page 545

RSTP Configuration 545 Specify a Switch as the root or backup root bridge Whether the current Switch becomes the root or backup root bridge depends on the STP calculation. A Switch can be made the root bridge by setting its Bridge priority to 0. Configure the Bridge priority of a Switch The default Bridge priority of a Switch is 32768. A Switch ca[...]

• Page 546

546 CHAPTER 26: RSTP CONFIGURATION Configure the timeout time factor of a Switch If the Switch has not received any Hello packet from the upstream Switch for three times the Hello Time, it considers the upstream Switch failed and recalculates the spanning tree. In a stable network, it is recommended to set the timeout time factor to 5, 6, or 7. Then[...]

• Page 547

RSTP Configuration 547 After the STP protocol is enabled, the modification of any parameter results in a recalculation of the spanning tree on the Switch. It is therefore recommended to configure all the RSTP parameters before enabling the STP feature on the Switch and the port. Enable/Disable RSTP on a Switch You can use the follow[...]

• Page 548

548 CHAPTER 26: RSTP CONFIGURATION Perform the following configurations in Ethernet Port View. Table 597 Enable/Disable RSTP on a Port Note that a redundant path (a loop) may be created after RSTP is disabled on an Ethernet port. By default, RSTP on all ports is enabled after it is enabled on the Switch. Configure RSTP Operating Mod[...]

• Page 549

RSTP Configuration 549 Set Priority of a Specified Bridge Whether a bridge can be selected as the "root" of the spanning tree depends on its priority. By assigning a lower priority value, a bridge can be deliberately made the root of the spanning tree. You can use the following command to configure the priority of a specified bridge. [...]

• Page 550

550 CHAPTER 26: RSTP CONFIGURATION By default, a Switch is neither the primary root nor the secondary root of the spanning tree. Set Forward Delay of a Specified Bridge A link failure causes recalculation of the spanning tree and changes its structure. However, the newly calculated configuration BPDU cannot be propagated throughout the [...]

• Page 551

RSTP Configuration 551 Table 604 Set Max Age of the Specified Bridge If the Max Age is too short, it results in frequent recalculation of the spanning tree, or network congestion is misjudged as a link fault. On the other hand, too long a Max Age may leave the bridge unable to detect a link failure in time and weakens the network's auto-sensing ability. [...]

• Page 552

552 CHAPTER 26: RSTP CONFIGURATION By default, an Ethernet port can transmit at most 3 STP packets within one Hello Time. Set Specified Port to be an EdgePort An EdgePort is a port that is not connected to any Switch, directly or indirectly through the connected network. You can use the following command to set a specified port as an EdgePort. Perform the follow[...]

• Page 553

RSTP Configuration 553 Specify the standard to be followed in Path Cost calculation The following two standards are currently available on the Switch:
■ dot1d-1998: The Switch calculates the default Path Cost of a port according to the IEEE 802.1D-1998 standard.
■ dot1t: The Switch calculates the default Path Cost of a port according to the IEEE 802.1t standa[...]

• Page 554

554 CHAPTER 26: RSTP CONFIGURATION Table 611 Configure a Specified Port to be Connected to a Point-to-Point Link Two ports connected by a Point-to-Point link can enter the forwarding state rapidly by exchanging synchronization packets, so that unnecessary forwarding delay is avoided. If this parameter is configured to be auto[...]

• Page 555

RSTP Configuration 555 causes the network topology to reconfigure and may cause links to change state. In normal cases, these (edge) ports will not receive STP BPDUs. If someone forges a BPDU to attack the Switch, the network topology reconfigures. The BPDU protection function is used against such attacks. In case of configuration error or maliciou[...]
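The election described in the STP Overview (pages 541 to 543) and the forged-BPDU attack that BPDU protection on page 555 guards against, worked through in code. This is an added example, not code from the manual or from the switch firmware: bridge IDs, MAC addresses, port numbers and path costs are constructed, and the model is the classic STP comparison only (no timers and no RSTP proposal/agreement handshake). The `scenario()` function models Switch B with a root port towards Switch A; with `inject_forged=True` a BPDU claiming bridge priority 0 arrives on an edge port and the election moves the root port there, which is exactly what BPDU protection (shutting an edge port that receives a BPDU) prevents.

```python
"""Configuration-BPDU comparison, root-port election and the effect of a forged BPDU."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BridgeId = Tuple[int, int]  # (bridge priority, MAC as integer): lower wins
PortId = Tuple[int, int]    # (port priority, port number): lower wins


def bridge_id(priority: int, mac: str) -> BridgeId:
    """Build a bridge ID from the priority and a MAC written as 000a-eb7e-d28e."""
    return (priority, int(mac.replace("-", "").replace(":", ""), 16))


@dataclass(frozen=True)
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    designated_bridge_id: BridgeId
    designated_port_id: PortId

    def key(self):
        # Fields are compared in this order; a lower value wins at the first difference.
        return (self.root_id, self.root_path_cost,
                self.designated_bridge_id, self.designated_port_id)


def is_better(a: ConfigBpdu, b: ConfigBpdu) -> bool:
    """True when BPDU a has higher priority (is 'better') than BPDU b."""
    return a.key() < b.key()


@dataclass
class Port:
    number: int
    path_cost: int
    priority: int = 128
    received: Optional[ConfigBpdu] = None  # best BPDU heard on this port, if any


def elect(my_id: BridgeId, ports: Dict[str, Port]):
    """Return (root port name or None, {port: role}, {port: BPDU this bridge sends})."""
    own = ConfigBpdu(my_id, 0, my_id, (0, 0))
    root_port, best = None, own
    for name, p in ports.items():
        if p.received is None:
            continue
        # Cost to the root through this port adds the port's own path cost.
        via = ConfigBpdu(p.received.root_id, p.received.root_path_cost + p.path_cost,
                         p.received.designated_bridge_id, p.received.designated_port_id)
        if is_better(via, best):
            root_port, best = name, via
    roles, to_send = {}, {}
    for name, p in ports.items():
        if name == root_port:
            roles[name] = "root"
            continue
        mine = ConfigBpdu(best.root_id, best.root_path_cost, my_id, (p.priority, p.number))
        # Designated if our BPDU beats what the segment already hears, else alternate (blocked).
        if p.received is None or is_better(mine, p.received):
            roles[name] = "designated"
            to_send[name] = mine
        else:
            roles[name] = "alternate"
    return root_port, roles, to_send


def scenario(inject_forged: bool = False):
    """Switch B (constructed topology): BP1 faces root A, BP2 faces C, BP3 is an edge port."""
    a = bridge_id(0, "0000-0000-0001")       # intended root: priority 0
    b = bridge_id(32768, "0000-0000-0002")   # this switch, default priority
    c = bridge_id(32768, "0000-0000-0003")
    ports = {
        "BP1": Port(1, 4, received=ConfigBpdu(a, 0, a, (128, 1))),
        "BP2": Port(2, 4, received=ConfigBpdu(a, 4, c, (128, 2))),
        "BP3": Port(3, 4),                    # edge port: hears no BPDU normally
    }
    if inject_forged:
        # Attacker on the edge port claims priority 0 with the lowest possible MAC.
        rogue = bridge_id(0, "0000-0000-0000")
        ports["BP3"].received = ConfigBpdu(rogue, 0, rogue, (128, 1))
    return elect(b, ports)


if __name__ == "__main__":
    print(scenario())
    print(scenario(inject_forged=True))
```

Without the forged BPDU the root port is BP1 and BP2 becomes designated because B's bridge ID beats C's at equal cost; with it, BP3 becomes the root port and every other port is re-elected designated towards the rogue "root", so traffic to the rest of the network is steered through the attacker's port.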

• Page 556

556 CHAPTER 26: RSTP CONFIGURATION For detailed information about the configuration commands, refer to the Command Manual. Display and Debug RSTP After the above configuration, execute the display command in any view to display the running state of the RSTP configuration and to verify the effect of the configuration. Execute the reset command in User View [...]

• Page 557

RSTP Configuration Example 557
Configuration Procedure
1 Configure Switch A
a Enable RSTP globally.
[SW5500] stp enable
b RSTP is enabled on all ports by default once global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful not to disable it on ports that are involved. (The following c[...]

• Page 558

558 CHAPTER 26: RSTP CONFIGURATION
b RSTP is enabled on all ports by default once global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful not to disable it on ports that are involved. (The following configuration takes Ethernet 1/0/4 as an example.)
[SW5500] interface Ethernet 1/0/4
[SW5500[...]

• Page 559

27 POE PROFILE CONFIGURATION Introduction to PoE Profile On a large network or a network with mobile users, to help network administrators monitor the PoE features of the switch, the 3Com Switch 5500 Family provides the PoE Profile feature. Features of PoE Profile:
■ Various PoE Profiles can be created. PoE policy configurati[...]

• Page 560

560 CHAPTER 27: POE PROFILE CONFIGURATION Various PoE features can be configured within one PoE Profile. The following holds when using the apply poe-profile command to apply a PoE Profile to a group of ports:
■ The display current-configuration command can be used to confirm that the PoE Profile is being applied properly, so long as one [...]

• Page 561

PoE Profile Configuration 561
Figure 164 PoE Profile application
Configuration procedures
1 Create Profile 1, and enter PoE Profile view.
<S5500> system-view
[S5500] poe-profile Profile1
2 In Profile 1, add the PoE policy configuration applicable to ports Ethernet1/0/1 through Ethernet1/0/5 for type A group users.
[S5500-poe-profile-Pr[...]

• Page 562

562 CHAPTER 27: POE PROFILE CONFIGURATION
7 Apply the configured Profile 1 to ports Ethernet1/0/1 through Ethernet1/0/5.
[S5500] apply poe-profile profile1 interface ethernet1/0/1 to ethernet1/0/5
8 Apply the configured Profile 2 to ports Ethernet1/0/6 through Ethernet1/0/10.
[S5500] apply poe-profile profile2 interface ethernet1/0/6 t[...]

• Page 563

28 SNMP CONFIGURATION SNMP Configuration Introduction The Simple Network Management Protocol (SNMP) is the most widely deployed management protocol in computer networks and is accepted in practice as an industry standard. It is used to carry management information between any two nodes. [...]

• Page 564

564 CHAPTER 28: SNMP CONFIGURATION The current SNMP Agent of the Switch supports SNMP V1, V2C and V3. The MIBs supported are listed in Table 616.
Table 616 MIBs Supported by the Switch (Sheet 1 of 2)
MIB attribute | MIB content | References
Public MIB | MIB II based on TCP/IP network device | RFC1213
Public MIB | OSPF MIB | RFC1253
Public MIB | BRIDGE MIB | RFC1493
Public MIB | IF MIB-II | RFC1[...]

• Page 565

SNMP Configuration Introduction 565 Configure SNMP The main configuration of SNMP includes:
■ Set the community name
■ Set the method of identifying and contacting the administrator
■ Enable/Disable the SNMP Agent sending Traps
■ Set the destination address of Traps
■ Set SNMP system information
■ Set the Engine ID of a local or remote dev[...]

• Page 566

566 CHAPTER 28: SNMP CONFIGURATION Setting Community Name SNMP V1 and SNMP V2C use the community name authentication scheme: an SNMP message that does not carry a community name accepted by the device is discarded. An SNMP community is identified by a character string called the Community Name, which travels in clear text in every message. The various communities can have read-on[...]

• Page 567

SNMP Configuration Introduction 567 Setting Lifetime of Trap Message You can use the following command to set the lifetime of a Trap message. A trap message that exists longer than the set lifetime is dropped. Perform the following configuration in System View. Table 620 Set the Lifetime of Trap Message By default, the lifetime of Tr[...]

• Page 568

568 CHAPTER 28: SNMP CONFIGURATION Table 623 Set/Delete an SNMP Group Setting the Source Address of Trap You can use the following commands to set or remove the source address of Traps. Perform the following configuration in System View. Table 624 Set the Source Address of Trap Adding/Deleting a User to/from an SNMP Group You can us[...]

• Page 569

SNMP Configuration Introduction 569 Table 627 Set the Size of SNMP Packet sent/received by an Agent The agent can receive/send SNMP packets of sizes ranging from 484 to 17940 bytes. By default, the SNMP packet size is 1500 bytes. Enabling/Disabling a Port Transmitting Trap Information SNMP Agent To enable/disable a p[...]

• Page 570

570 CHAPTER 28: SNMP CONFIGURATION Displaying and Debugging SNMP After the above configuration, execute the display command in any view to display the running state of the SNMP configuration and to verify the effect of the configuration. Execute the debugging command in User View to debug the SNMP configuration. Table 631 Display and Debug SNMP SNMP Co[...]

• Page 571

SNMP Configuration Introduction 571
Configuration Procedure
1 Enter the System View.
<SW5500> system-view
2 Set the community name, group name and user.
[SW5500] snmp-agent sys-info version all
[SW5500] snmp-agent community write public
[SW5500] snmp-agent mib include internet 1.3.6.1
[SW5500] snmp-agent group v3 managev3 group write-v[...]

• Page 572

572 CHAPTER 28: SNMP CONFIGURATION
Networking diagram
Figure 167 SNMP configuration example
Configuration procedure
[SW5500] snmp-agent community read public
[SW5500] snmp-agent community write private
[SW5500] snmp-agent sys-info version all
[SW5500] snmp-agent group v3 sdsdsd
[SW5500] snmp-agent usm-user v3 paul sdsdsd authentication-mode md[...]
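The two configuration examples above create both clear-text communities (public, private) and an SNMPv3 USM user with authentication-mode md5. What the v3 user buys you is shown below as an added example that is not from the manual or the switch firmware: the RFC 3414 password-to-key expansion, key localization with the agent's snmpEngineID, and the HMAC-96 authentication parameter that every authenticated v3 message carries. The password "maplesyrup" and the engine ID 000000000000000000000002 are the published RFC 3414 A.3 test vectors; the sample PDU bytes are constructed.

```python
"""SNMPv3 USM: password-to-key (RFC 3414 A.2), key localization and HMAC-96."""
import hashlib
import hmac


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku = H(password repeated cyclically to 1,048,576 bytes); hash_name is 'md5' or 'sha1'."""
    pw = password.encode()
    reps, rem = divmod(1_048_576, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually stored on each agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameter(kul: bytes, msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters = first 12 bytes of HMAC(Kul, msg).

    The caller passes the whole message with the 12-byte authentication
    parameters field zero-filled, as the receiver will before verifying.
    """
    return hmac.new(kul, msg, hash_name).digest()[:12]


def verify(kul: bytes, msg: bytes, tag: bytes, hash_name: str) -> bool:
    """Constant-time check of the received authentication parameter."""
    return hmac.compare_digest(auth_parameter(kul, msg, hash_name), tag)


def demo():
    """Derive keys for two agents from one password; returns the localized keys (hex)."""
    ku = password_to_key("maplesyrup", "md5")
    agent_a = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 engine ID
    agent_b = bytes.fromhex("80000009030000aeb7ed28e0")   # constructed second engine ID
    kul_a = localize_key(ku, agent_a, "md5")
    kul_b = localize_key(ku, agent_b, "md5")
    # A message authenticated for agent A does not verify under agent B's key.
    pdu = b"\x30\x2a\x02\x01\x03" + b"\x00" * 12 + b"\xa0\x10constructed-pdu"
    tag = auth_parameter(kul_a, pdu, "md5")
    assert verify(kul_a, pdu, tag, "md5") and not verify(kul_b, pdu, tag, "md5")
    return kul_a.hex(), kul_b.hex()


if __name__ == "__main__":
    print(demo())
```

The localized key differs per engine ID, so a Kul read out of one switch's configuration does not authenticate to another agent, and a bit flip in the PDU fails verification; neither property exists for a community string, which is the whole credential and is readable by anyone on the path.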

• Page 573

29 SOURCE IP ADDRESS CONFIGURATION Configuring Source IP Address for Service Packets You can configure a source IP address or source interface for the FTP server, FTP client, TFTP client, Telnet server, Telnet client, SSH server, SSH2 client and SFTP client to enhance service manageability (for example, so that access lists on peers can match a single, stable management address). Table 632 shows the source IP address c[...]

• Page 574

574 CHAPTER 29: SOURCE IP ADDRESS CONFIGURATION If the ip-addr in the command is not an address of the device, the configuration fails. If you specify a non-existent interface in the command, the configuration fails. Displaying the Source IP Address Configuration Use the display commands in any view to display the source IP address configur[...]

• Page 575

30 PASSWORD CONTROL CONFIGURATION OPERATIONS Introduction to Password Control Configuration The password control feature is designed to manage the following passwords:
■ Telnet passwords: passwords for logging into the switch through Telnet.
■ SSH passwords: passwords for logging into the switch through SSH.
■ FTP passwords: pas[...]

• Page 576

576 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS Password Control Configuration This section contains configuration information on Password Control. Configuration Prerequisites A user PC is connected to the switch to be configured; both devices are operating normally. Configuration Tasks The following sections describe the co[...]

• Page 577

Password Control Configuration 577 length limitation, the configured minimum password length (if available); the enable/disable state of history password recording, the maximum number of history password records, the time when the password history was last cleared; the timeout time for password authentication; the maximum number of attemp[...]

• Page 578

578 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS After password aging is enabled, the device decides whether the user's password has aged out while a user logging into the system is undergoing password authentication. There are three cases: 1 The password has not expired. The user logs in before the configured alert time. In this [...]

• Page 579

Password Control Configuration 579 Configuring History Password Recording With this function enabled, when a login password expires the system requires the user to input a new password and saves the old one automatically. You can configure the maximum number of history records kept for each user. The purpose is to prevent users fr[...]

• Page 580

580 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS Configuring a User Login Password in Encryption Mode Configuring Login Attempts Limitation and Failure Processing Mode When the maximum number of attempts is exceeded, the system operates in one of the following processing modes:
■ locktime: In this mode, the system inhibits the use[...]

• Page 581

Displaying Password Control 581 The system administrator can perform the following operations to manually remove one or all user entries from the blacklist. Configuring the Timeout Time for Users to be Authenticated When the local/remote server receives the user name, the authentication starts; when the user authentication is completed, the authen[...]

• Page 582

582 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS Password Control Configuration Example Network requirements A PC is connected to the switch to be configured. You can configure the password control parameters as required. Network diagram Figure 168 Network diagram for password control configuration Configuration procedure 1 C[...]

• Page 583

Password Control Configuration Example 583
7 Display the information about the password control for all users.
[S5500] display password-control
Global password settings for all users:
Password Aging: Enabled (90 days)
Password Length: Enabled (10 Characters)
Password History: Enabled (Max history-record num : 6)
Password alert-before-ex[...]
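The policy that display password-control reports above (90-day aging, 10-character minimum, 6 history records, an alert window before expiry, and a login-attempt limit with locktime handling, pages 577 to 581) is easy to get subtly wrong, so here is the complete decision logic as an added example; it is not the switch's own implementation and makes no claim about how the firmware stores passwords. Assumptions are marked in the code: passwords are stored as salted PBKDF2 digests (the manual only says "encryption mode"), the alert window is 7 days and the lock time 120 minutes (both configurable on the switch, values chosen here), and the account locks on the third consecutive failure when the limit is 3.

```python
"""Password-control policy: aging, minimum length, history, attempt limit with locktime."""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Policy:
    aging_days: int = 90              # values as shown by display password-control
    min_length: int = 10
    history_max: int = 6
    alert_before_expire_days: int = 7  # assumption: manual's alert window, value chosen here
    max_attempts: int = 3
    lock_minutes: int = 120            # assumption: locktime value chosen here


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2-HMAC-SHA256; the manual does not specify the storage format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    set_at: datetime
    history: List[bytes] = field(default_factory=list)   # previous digests, newest first
    failures: int = 0
    locked_until: Optional[datetime] = None


class PasswordControl:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.users: Dict[str, Account] = {}

    def set_password(self, name: str, password: str, now: datetime) -> str:
        p = self.policy
        if len(password) < p.min_length:
            return "rejected: shorter than minimum length"
        acct = self.users.get(name)
        salt = acct.salt if acct else os.urandom(16)   # same salt so history digests compare
        digest = _digest(password, salt)
        if acct is None:
            self.users[name] = Account(salt, digest, now)
            return "ok"
        if digest == acct.digest or digest in acct.history:
            return "rejected: password reuse"
        acct.history = ([acct.digest] + acct.history)[: p.history_max]
        acct.digest, acct.set_at = digest, now
        return "ok"

    def login(self, name: str, password: str, now: datetime) -> str:
        p = self.policy
        acct = self.users.get(name)
        if acct is None:
            _digest(password, b"\x00" * 16)    # same cost as a real check: no user enumeration
            return "failed"
        if acct.locked_until and now < acct.locked_until:
            return "locked"
        if _digest(password, acct.salt) != acct.digest:
            acct.failures += 1
            if acct.failures >= p.max_attempts:      # locks on the Nth consecutive failure
                acct.locked_until = now + timedelta(minutes=p.lock_minutes)
                acct.failures = 0
                return "locked"
            return "failed"
        acct.failures = 0
        age = now - acct.set_at
        expiry = timedelta(days=p.aging_days)
        if age >= expiry:
            return "expired"                    # manual: user must set a new password
        if expiry - age <= timedelta(days=p.alert_before_expire_days):
            return f"ok: expires in {(expiry - age).days} days"
        return "ok"
```

A lockout that triggers on the Nth failure rather than the (N+1)th is the conservative reading of "maximum number of attempts is exceeded"; whichever the switch does, the blacklist entry the manual describes on page 581 is what an administrator clears to unlock a user early.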

• Page 584

584 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS[...]

• Page 585

31 MSDP CONFIGURATION Among Switch 5500 Series Ethernet Switches, only Switch 5500-EI Series Ethernet Switches support the configurations described in this chapter. Routers and router icons in this chapter represent both routers in the common sense and Ethernet switches running routing protocols. Introduction to MSDP Internet service providers (IS[...]

• Page 586

586 CHAPTER 31: MSDP CONFIGURATION MSDP peers are interconnected over TCP connections (using port 639). A TCP connection can be established between RPs in different PIM-SM domains, between RPs in the same PIM-SM domain, between an RP and a common router, or between common routers. Figure 169 shows the MSDP peering relationship betwee[...]

• Page 587

Introduction to MSDP 587 Figure 170 Typical networking of Anycast RP. Typically, a multicast source S registers to the nearest RP to create an SPT, and receivers also send Join messages to the nearest RP to construct an RPT, so it is likely that the RP to which the multicast source has registered is not the RP that receivers join. To ens[...]

• Page 588

588 CHAPTER 31: MSDP CONFIGURATION Figure 171 Identifying the multicast source and receiving multicast data The complete interoperation process between a multicast source S in the PIM-SM1 domain and receivers in the PIM-SM1 and PIM-SM4 domains is as follows: 1 The multicast source S in the PIM-SM1 domain begins to send data packets. 2 The des[...]

• Page 589

Introduction to MSDP 589 Figure 172 Forwarding SA messages between MSDP peers As shown above, RP1 belongs to AS1. RP2, RP3 and RP4 belong to AS2. RP5 and RP6 belong to AS3. An MSDP peering relationship exists among these RPs. RP2, RP3, and RP4 form a mesh group. These MSDP peers perform RPF checks and process SA messages forwarded to one another a[...]

• Page 590

590 CHAPTER 31: MSDP CONFIGURATION Configuring MSDP Basic Functions To enable exchange of information about the multicast source S between two PIM-SM domains, you need to establish MSDP peering relationships between the RPs in these PIM-SM domains, so that the information about the multicast source can be carried in SA messages between the MSDP pe[...]

• Page 591

Configuring Connection Between MSDP Peers 591 Configuring MSDP Basic Functions Configuring Connection Between MSDP Peers An AS may contain multiple MSDP peers. To avoid SA flooding between the MSDP peers, you can use the MSDP mesh group mechanism to reduce traffic. When multiple MSDP peers are fully connected with one another, these MSDP peers for[...]

• Page 592

592 CHAPTER 31: MSDP CONFIGURATION Configuring Description Information for MSDP Peers You can configure a description for each MSDP peer to make the peers easier to manage and identify. Configuring Anycast RP Application If you configure RPs that have the same address on two routers in the same PIM-SM domain, the two routers will be MSDP peers [...]

• Page 593

Configuring SA Message Transmission 593 Configuring MSDP Peer Connection Control The connection between MSDP peers can be flexibly controlled. You can disable an MSDP peering relationship temporarily by shutting down the MSDP peer. As a result, SA messages cannot be transmitted between the two peers. On the other hand, when resetting an MS[...]

• Page 594

594 CHAPTER 31: MSDP CONFIGURATION Configuring the Transmission and Filtering of SA Request Messages After you enable sending SA request messages to MSDP peers, when a router receives a Join message it sends an SA request message to the specified remote MSDP peer, which responds with the SA messages it has cached. After sending an SA req[...]

• Page 595

Configuring SA Message Transmission 595 Configuring a Rule for Filtering Received and Forwarded SA Messages Besides controlling the creation of source information, controlling multicast source information allows you to control the forwarding and reception of source information. You can control the reception of SA messages using the MSDP inbound filter (cor[...]

• Page 596

596 CHAPTER 31: MSDP CONFIGURATION Displaying and Debugging MSDP Configuration After the above configuration, you can use the display command in any view to view the MSDP running information, so as to verify the configuration result. In User View, you can execute the reset command to reset the MSDP counters. Tracing the transmissi[...]

• Page 597

MSDP Configuration Example 597 The PIM-SM network runs OSPF to provide unicast routes and establishes MSDP peers between SwitchC and SwitchD. Meanwhile, the Loopback10 interfaces of SwitchC and SwitchD play the roles of C-BSR and C-RP. Network diagram Figure 173 Network diagram for Anycast RP configuration Configuration procedure 1 Configu[...]

  • Page 598

    598 CHAPTER 31: MSDP CONFIGURATION c When the multicast source S1 in the PIM-SM domain sends multicast information, the receivers attached to SwitchD can receive the multicast information and can view the PIM routing information on the switch by using the display pim routing-table command. For example, the following PIM routing informatio[...]

  • Page 599

    Troubleshooting MSDP Configuration 599 Troubleshooting MSDP Configuration The following sections provide troubleshooting guidelines for MSDP configuration. MSDP Peer Always in the Down State Symptom An MSDP peer is configured, but it is always in the down state. Analysis An MSDP peer relationship between the locally configured connect-inter[...]

  • Page 600

    600 CHAPTER 31: MSDP CONFIGURATION[...]

  • Page 601

    32 CLUSTERING Clustering Overview Clustering enables the network to manage multiple switches through the public IP address of a switch named the management device. Managed switches in a cluster are member devices, and often may not have an assigned public IP address. Management and maintenance on member devices are made through the management dev[...]

  • Page 602

    602 CHAPTER 32: CLUSTERING ■ Topology collection: Clustering implements NTDP (Neighbor Topology Discovery Protocol) to collect information on device connections and candidate devices within a specified hop range. ■ Member recognition: Members in the cluster can be located, thus the management device can recognize them and deliver config[...]

  • Page 603

    Clustering Overview 603 Figure 175 Role changing rule ■ A cluster can have only one management device, which is necessary to the cluster. The management device collects NDP/NTDP information to discover and confirm candidate devices, which can then be added into the cluster through manual configuration. ■ A candidate device can be added int[...]

  • Page 604

    604 CHAPTER 32: CLUSTERING When the NDP on the member device finds changes of neighbors, it will advertise the changes to the management device by handshake packets. The management device can run NTDP to collect the specified topology information and show the network topology changes in time. On a management device, you need to enable syst[...]

  • Page 605

    Management Device Configuration 605 Management Device Configuration Management device configuration involves: ■ Enable system and port NDP ■ Configure NDP parameters ■ Enable system and port NTDP ■ Configure NTDP parameters ■ Enable the cluster function ■ Configure cluster parameters ■ Configuring internal-external interaction ■[...]

  • Page 606

    606 CHAPTER 32: CLUSTERING Enabling the Cluster Function Configuring Cluster Parameters Configuring cluster parameters manually Configure the time that collected devices wait before forwarding the topology-collection request ntdp timer hop-delay time Optional Argument time is the delay time. Configure the time that a port waits before it forward[...]

  • Page 607

    Management Device Configuration 607 Configuring a cluster Automatically Configuring Internal-External Interaction NM Interface for Cluster Management Configuration Configuration Preparation ■ The cluster switches are properly connected. ■ The internal server is properly connected with the management switch. Configuration Procedure Confi[...]

  • Page 608

    608 CHAPTER 32: CLUSTERING Member Device Configuration Member device configuration involves: ■ Enable system and port NDP ■ Enable system and port NTDP ■ Specifying the cluster FTP/TFTP server Enabling System and Port NDP Enabling System and Port NTDP Specifying the cluster FTP/TFTP server Table 665 Enable system and port NDP Operati[...]

  • Page 609

    Configuring Cluster Parameters 609 Configuring Cluster Parameters Displaying and Maintaining Cluster Configurations You can view the configuration information of a cluster with the display commands, which can be executed in any view. Table 668 Configure cluster parameters Operation Command Remark Enter system view system-view — Enter cluster v[...]

  • Page 610

    610 CHAPTER 32: CLUSTERING Clustering Configuration Example Network requirements Three switches form a cluster, in which: ■ Switch 5500 acts as the management device. ■ The other two switches act as member devices. As the management device, Switch 5500 manages the member devices and is configured as follows: ■ It attaches two member devic[...]

  • Page 611

    Clustering Configuration Example 611 b Configure the holdtime of NDP information as 200 seconds. [S5500] ndp timer aging 200 c Configure the interval of NDP packets as 70 seconds. [S5500] ndp timer hello 70 d Enable system NTDP and port NTDP on E1/0/2 and E1/0/3. [S5500] ntdp enable [S5500] interface ethernet 1/0/2 [S5500-Ethernet1/0/2] ntdp enable [S55[...]

  • Page 612

    612 CHAPTER 32: CLUSTERING 2 Configure member devices (take one member as an example) a Enable system NDP and port NDP on port Ethernet1/1. [S5500] ndp enable [S5500] interface ethernet 1/1 [S5500-Ethernet1/1] ndp enable b Enable system NTDP and port NTDP on port Ethernet1/1. [S5500] ntdp enable [S5500] interface ethernet 1/1 [S5500-Ethernet1/1] [...]

  • Page 613

    Clustering Configuration Example 613 Network diagram Figure 176 Network diagram for the interfaces of cluster management network Configuration procedure Configuring the Switch 5500 switch 1 Enter system view. Specify VLAN 3 as the management VLAN. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] management-vlan [...]

  • Page 614

    614 CHAPTER 32: CLUSTERING[...]

  • Page 615

    33 HWTACACS CONFIGURATION Configuring HWTACACS This chapter contains information on HWTACACS configuration. HWTACACS configuration tasks Refer to the tasks in Table 671 to configure HWTACACS. Table 671 HWTACACS configuration Section Task Command View Description Creating a HWTACACS Scheme Creating a HWTACACS scheme hwtacacs scheme System Cr[...]

  • Page 616

    616 CHAPTER 33: HWTACACS CONFIGURATION Pay attention to the following when configuring a TACACS server: ■ The HWTACACS server does not check whether a scheme is being used by users when changing most HWTACACS attributes, unless you delete the scheme. ■ By default, the TACACS server has no key. In the above configuration tasks, creating [...]

  • Page 617

    Configuring HWTACACS 617 Configuring HWTACACS Authentication Servers Perform the following configuration in HWTACACS view. The primary and secondary authentication servers cannot use the same IP address. The default port number is 49. If you execute this command repeatedly, the new settings will replace the old settings. The authentication [...]

  • Page 618

    618 CHAPTER 33: HWTACACS CONFIGURATION Configuring Source Address for HWTACACS Packets Sent by NAS Perform the following configuration in the corresponding view. The HWTACACS view takes precedence over the system view when configuring the source address for HWTACACS packets sent from the NAS. By default, the source address is not specifie[...]

  • Page 619

    Configuring HWTACACS 619 Setting the Unit of Data Flows Destined for the TACACS Server Perform the following configuration in HWTACACS view. The default data flow unit is byte. Setting Timers Regarding TACACS Server Setting the response timeout timer Since HWTACACS is implemented on the basis of TCP, server response timeout or TCP timeout [...]

  • Page 620

    620 CHAPTER 33: HWTACACS CONFIGURATION The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (more than 1000, inclusive). Table [...]

  • Page 621

    HWTACACS Protocol Configuration Example 621 HWTACACS Protocol Configuration Example For the hybrid configuration example of AAA/RADIUS protocol and 802.1x protocol, refer to Configuration Example in 802.1x Configuration. It will not be detailed here. Configuring the FTP/Telnet User Authentication at a Remote TACACS Server Networking requir[...]

  • Page 622

    622 CHAPTER 33: HWTACACS CONFIGURATION Configuration procedure 1 Configure a HWTACACS scheme. [S5500] hwtacacs scheme hwtac [S5500-hwtacacs-hwtac] primary authentication 10.110.91.164 49 [S5500-hwtacacs-hwtac] primary authorization 10.110.91.164 49 [S5500-hwtacacs-hwtac] key authentication expert [S5500-hwtacacs-hwtac] key authorization exp[...]

  • Page 623

    A PASSWORD RECOVERY PROCESS Introduction The Switch 5500 has two separate password systems: n Passwords which are used by the Web User Interface and the CLI and are stored in the 3comoscfg.cfg file. For more information on this, refer to the Getting Started Guide which accompanies your Switch. n A password system which protects the bootr[...]

  • Page 624

    624 CHAPTER A: PASSWORD RECOVERY PROCESS Bootrom Interface During the initial boot phase of the Switch (when directly connected using the console), various messages are displayed and the following prompt is shown with a five second countdown timer: Press Ctrl-B to enter Boot Menu... 4 Before the countdown reaches 0 enter <CTRL>B. The tim[...]

  • Page 625

    Bootrom Interface 625 Skipping the Current Configuration File Enter boot menu option 7 to enable the Switch to boot from the factory default configuration file 3comoscfg.def. When the Switch has booted from the factory default it can be configured with an IP address and default gateway if needed. The live configuration file (3comoscfg.cfg) [...]

  • Page 626

    626 CHAPTER A: PASSWORD RECOVERY PROCESS If the user configured bootrom password is lost, a fixed, unit unique password can be provided by 3Com Technical Support to bypass the lost password. Please ensure that the Switch is registered with 3Com promptly as the unit unique password will only be supplied to the registered owner of the Switc[...]

  • Page 627

    B RADIUS SERVER AND RADIUS CLIENT SETUP This appendix covers the following topics: n Setting Up A RADIUS Server n Setting Up the RADIUS Client Setting Up A RADIUS Server There are many third party applications available to configure a RADIUS server. 3Com has successfully installed and tested the following applications on networks with the Sw[...]

  • Page 628

    628 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP b The server will need to run in Native mode in order to support EAP-TLS, which is not available in Mixed mode. To change mode go to the Active Directory Users and Computers window, right-click Domain and choose Properties, select Change Mode. c Add a user that is allowed to use the [...]

  • Page 629

    Setting Up A RADIUS Server 629 d Follow the wizard to create a user, enter the required information at each stage e The password for the user must be set to be stored in reversible encryption. Right-click the user account and select Properties. Select the Account tab, check the box labelled Store password using reversible encryption. f Now r[...]

  • Page 630

    630 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. The Certificate Services component should be checked. b Select Next and continue through the wizard. In the Certificate Authority Type window select Enterprise root CA Enter information to identify the Cer[...]

  • Page 631

    Setting Up A RADIUS Server 631 4 Install the Internet Authentication Service (IAS) program. a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. Enable Networking Services and ensure the Internet Authentication Service component is checked. b Select OK to end the wizard. 5 Configure a Certificate Authority a Go to Progr[...]

  • Page 632

    632 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP d Go to Programs > Administrative Tools > Active Directory Users and Computers and right-click your active directory domain. Select Properties e Select the Group Policy tab, and ensure that the Default Domain Policy is highlighted. Click Edit to launch the Group Policy editor. f Go[...]

  • Page 633

    Setting Up A RADIUS Server 633 g The Certificate Request Wizard will start. Select Next > Computer certificate template and click Next. h Ensure that your Certificate Authority is checked, then click Next. Review the Policy Change Information and click Finish. i Open up a command prompt (Start > Run, enter cmd). Enter secedit /refres[...]

  • Page 634

    634 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP e Give the policy a name, for example EAP-TLS, and select Next. f Click Add... g Set the conditions for using the policy to access the network. Select Day-And-Time-Restrictions, and click Add... Click Permitted, then OK. Select Next. h Select Grant remote access permission, and select[...]

  • Page 635

    Setting Up A RADIUS Server 635 k Select the appropriate certificate and click OK. There should be at least one certificate. This is the certificate that has been created during the installation of the Certification Authority Service. Windows may ask if you wish to view the Help topic for EAP. Select No if you want to continue with the installat[...]

  • Page 636

    636 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP b When you are prompted for a login, enter the user account name and password that you will be using for the certificate. c Select Request a certificate and click Next > There are two ways to request a certificate: the Advanced Request or the Standard Request. The following steps sho[...]

  • Page 637

    Setting Up A RADIUS Server 637 f Either copy the settings from the screenshot below or choose different key options. Click Save to save the PKCS #10 file. The PKCS #10 file is used to generate a certificate. g You will receive this warning message, select Yes followed by this warning message, select Yes and then OK The PKCS #10 file is [...]

  • Page 638

    638 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP j Select the second option as shown in the screenshot below, and click Next > k Open the previously saved PKCS #10 certificate file in Notepad, select all (Control + a) and copy (Control + c), as shown below l Paste the copied information into the Saved Request field as shown below.[...]

  • Page 639

    Setting Up A RADIUS Server 639 m Download the certificate and certification path. Click on the Download CA Certificate hyperlink to save the certificate. Save the file as DER encoded. Click on the Download CA certification path hyperlink to save the PKCS #7, and select Save The certificate is also installed on the Certification Authority. Y[...]

  • Page 640

    640 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP p Leave the settings on the next screen as is, click Next > followed by Finish and OK. This will install the certificate. q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder. You should see the newly created certificate. r Dou[...]

  • Page 641

    Setting Up A RADIUS Server 641 Save the certificate using DER x.509 encoding, select DER encoded binary followed by Next. Provide a name for the certificate and save it to a specified location. Click Finish followed by OK. t Exit the Certification Authority management tool and launch the Active Directory Users and Computers management tool[...]

  • Page 642

    642 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP u Select the user that becomes the IEEE 802.1x client. Right-click on the user and select Name mappings. Select Add v Select the certificate that you have just exported and click Open. Click OK w In the Security Identity Mapping screen, click OK to close it. x Close the Active Directo[...]

  • Page 643

    Setting Up A RADIUS Server 643 b Create a new remote access policy under IAS and name it Switch Login. Select Next > c Specify Switch Login to match the users in the switch access group, select Next > d Allow Switch Login to grant access to these users, select Next >[...]

  • Page 644

    644 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP e Use the Edit button to change the Service-Type to Administrative. f Add a Vendor specific attribute to indicate the access level that should be provided:[...]

  • Page 645

    Setting Up A RADIUS Server 645 The Value 010600000003 indicates admin privileges for the switch. 01 at the end indicates monitor and 02 indicates manager access. On the Switch 5500, 00 indicates visitor level. 11 Configure the RADIUS client. Refer to “Setting Up the RADIUS Client” for information on setting up the client. 12 Establish an I[...]

  • Page 646

    646 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP Follow these steps to set up auto VLAN and QoS for use by Microsoft IAS: 1 Define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group. Go to Programs > Administrative Tools > Active Directory Users and Computers a For example, to create[...]

  • Page 647

    Setting Up A RADIUS Server 647 d Go to Programs > Administrative Tools > Internet Authentication Service, and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties. e Click Add to add policy membership. f Select the Windows-Groups attribute type, and select Add and Add again[...]

  • Page 648

    648 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP g Select the VLAN group that you have just created and click Add and then OK to confirm. h Click OK again to return to the Security Policy properties.[...]

  • Page 649

    Setting Up A RADIUS Server 649 i Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 686 and Table 687 for the RADIUS attributes to add to the profile. j Select Tunnel-Medium-Type and click Add. k Ensure that the Attribute value is set to 802 and click OK. l Click OK again on the Multivalued Attribute Information s[...]

  • Page 650

    650 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP m Select the Tunnel-Pvt-Group-ID entry and click Add. n Click Add, ensure that the Attribute value is set to 4 (Attribute value in string format), and click OK. This value represents the VLAN ID. o Click OK again on the Multivalued Attribute Information screen to return to the Add A[...]

  • Page 651

    Setting Up A RADIUS Server 651 p Click Add again. In the pull down menu, select Virtual LANs and click OK. q Click OK again to return to the Add Attributes screen. Click Close. You will now see the added attributes r Click OK to close the Profile screen and OK again to close the Policy screen. This completes the configuration of the[...]

  • Page 652

    652 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP Configuring Funk RADIUS 3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with Switch 5500 deployed. Download the Funk Steel-Belted RADIUS Server application from www.funk.com and install the application. Once installed you have a 30 day licens[...]

  • Page 653

    Setting Up A RADIUS Server 653 3 Either re-boot the server or stop then restart the RADIUS service. To stop and restart the Steel-Belted RADIUS service, go to Control Panel > Administrative tools > Services. Scroll down to the Steel-Belted service, stop and restart it. Funk RADIUS is now ready to run. If you intend to use auto VLAN and Qo[...]

  • Page 654

    654 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP Passwords are case sensitive. 6 Enter the shared secret to encrypt the authentication data. The shared secret must be identical on the Switch 5500 and the RADIUS Server a Select RAS Clients from the left hand list, enter a Client name, the IP address and the Shared secret. SWITCH 5500[...]

  • Page 655

    Setting Up A RADIUS Server 655 Configuring auto VLAN and QoS for Funk RADIUS To set up auto VLAN and QoS using Funk RADIUS, follow these steps: 1 Edit the dictionary file radius.dct so that Return list attributes from the Funk RADIUS server are returned to the Switch 5500. The changes to make are: a Add an R at the end of the correct attribut[...]

  • Page 656

    656 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP The following example shows the User name HOMER with the correct Return list Attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 5500. Configuring FreeRADIUS 3Com has successfully installed and tested FreeRADIUS running on Solaris 2.6 and RedHat Linux serv[...]

  • Page 657

    Setting Up A RADIUS Server 657 2 Update the dictionary for Switch login a In /usr/local/etc/raddb create a new file called dictionary.3Com containing the following information: VENDOR 3Com 43 ATTRIBUTE 3Com-User-Access-Level 1 Integer 3Com VALUE 3Com-User-Access-Level Monitor 1 VALUE 3Com-User-Access-Level Manager 2 VALUE 3Com-User-Access-Level[...]

  • Page 658

    658 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP In the example above, Tunnel-Medium-Type has been set to TMT802, to force FreeRADIUS to treat 802 as a string that must be looked up in the dictionary and return integer 6, rather than return integer 802, which would be the case if Tunnel-Medium-Type was set to 802. Setting Up the RA[...]

  • Page 659

    Setting Up the RADIUS Client 659 generate an EAPOL-Logoff message when the user logs off, which leaves the port authorized. To reduce the impact of this issue, decrease the "session-timeout" return list attribute to force re-authentication of the port more often. Alternatively, use a RADIUS client without this security flaw, for e[...]

  • Page 660

    660 CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP b This screen will appear: c Leave the Profile as default. The Identity is an account created on the RADIUS Server with the Password. d Click OK to finish the configuration. e Restart the client either by rebooting, or stopping and re-starting the service. f Click the OK button, then retu[...]

  • Page 661

    C AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS This appendix covers the following topics: n Cisco Secure ACS (TACACS+) and the 3Com Switch 5500 n Setting Up the Cisco Secure ACS (TACACS+) server Cisco Secure ACS (TACACS+) and the 3Com Switch 5500 Cisco Secure ACS and TACACS+ are proprietary protocols and software created by C[...]

  • Page 662

    662 CHAPTER C: AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS Adding a 3Com Switch 5500 as a RADIUS client Once logged into the Cisco Secure ACS interface, follow these steps: 1 Select Network Configuration from the left hand side 2 Select Add Entry from under AAA Clients. 3 Enter the details of the 3Com switch. Spaces are not permitte[...]

  • Page 663

    Setting Up the Cisco Secure ACS (TACACS+) server 663 5 Select Interface Configuration from the left hand side. 6 Select RADIUS (IETF) from the list under Interface Configuration. 7 Check the RADIUS attributes that you wish to install. If you want to use auto VLAN and QoS, ensure that you have the following options selected for both the User a[...]

  • Page 664

    664 CHAPTER C: AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS 8 Select Submit. 9 Repeat step 1 through step 8 for each Switch 5500 on your network. When all of the Switch 5500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server by selecting System Configuration from the left hand side, then [...]

  • Page 665

    Setting Up the Cisco Secure ACS (TACACS+) server 665 The screen below shows specific RADIUS attributes having been selected for the user. The user has the student profile selected and is assigned to VLAN 10 untagged. The RADIUS attributes need to have already been selected, see step 7 in Adding a 3Com Switch 5500 as a RADIUS client. The User ca[...]

  • Page 666

    666 CHAPTER C: AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS 1=Monitor 2=Manager 3=Administrator b Locate the application csutil.exe in the utils directory of the install path (eg. C:\program files\Cisco Secure ACS\utils). c Copy the 3Com.ini file into the utils directory d At the command prompt enter csutil -addUDV 0 3Com.ini[...]

  • Page 667

    Setting Up the Cisco Secure ACS (TACACS+) server 667 2 To use the new RADIUS attributes, a client needs to be a user of RADIUS (3Com) attributes. Select Network Configuration from the left hand side and select an existing device or add a new device. In the AAA Client Setup window select RADIUS (3COM) from the Authenticate Using pull down list.[...]

  • Page 668

    668 CHAPTER C: AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS 5 Ensure that the 3Com-User-Access-Level option is selected for both User and Group setup, as shown below 6 Select User Setup and either modify the attributes of an existing user (select Find to display the User List in the right hand window) or Add a new user (see Adding[...]

  • Page 669

    Setting Up the Cisco Secure ACS (TACACS+) server 669 7 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull down list, see below: 8 Select Submit. The Switch 5500 can now be managed by the Network Administrator through the CISCO Secure ACS server.[...]

  • Page 670

    670 CHAPTER C: AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS[...]

  • Page 671

    D 3COM XRN This section explains what 3Com XRN™ (eXpandable Resilient Networking) is and how you can use it to benefit your network. It also explains how to implement XRN on your network. This chapter contains the following sections: n What is XRN? n XRN Terminology n Benefits of XRN n XRN Features n How to Implement XRN—Overview n Importan[...]

  • Page 672

    672 APPENDIX D: 3COM XRN What is XRN? XRN (eXpandable Resilient Network) is a 3Com LAN technology built into the software and hardware of your Switch that offers high availability, scalability, and connectivity. Supported Switches XRN is supported by the 3Com Operating System on the following Switches installed with Version 1.0 software[...]

  • Page 673

    Benefits of XRN 673 Benefits of XRN The benefits of XRN include: n Increased environmental resilience provided by: n Hardware and Software redundancy per unit or across the Distributed Fabric. n Distributed management across the Distributed Fabric. n Distributed Link Aggregation across the Distributed Fabric. n Distributed Resilient Routing[...]

  • Page 674

    674 APPENDIX D: 3COM XRN Switch units within the Distributed Fabric provide the same router interfaces and mirror each other’s routing tables. This allows each unit to keep the routing local to the unit for locally connected hosts and devices. In the example shown in Figure 178, there is a single logical router across the XRN Distributed Fa[...]

  • Page 675

    XRN Features 675 Table 691 Aggregated Links and Member Links Supported within a Fabric Distributed Link Aggregation Example You can also use DLA to create highly resilient network backbones, supporting multihomed links to the wiring closets as shown in Figure 179. Intelligent local forwarding ensures that each Switch in the XRN Distributed F[...]

  • Page 676

    676 APPENDIX D: 3COM XRN How to Implement XRN—Overview This section provides an overview on how to implement XRN in your network. Following the steps below will ensure that your XRN network operates correctly. 1 Design your network using XRN Distributed Fabrics, taking into account all the important considerations and recommendations (see ?[...]

  • Page 677

    Important Considerations and Recommendations 677 n When you create a Distributed Fabric the relevant port-based tables do not double in size, they remain as they were. n When Switch 5500 units are in an XRN Distributed Fabric their unit IDs are user configurable. n The maximum number of Switch units that can be interconnected is shown in Ta[...]

  • Page 678

    678 APPENDIX D: 3COM XRN n All multihomed links and alternate paths must carry all VLANs, and packets must be tagged. n The Distributed Fabric is the STP root bridge. n Individual port members of each aggregated link must have VLAN membership manually configured before the aggregated link is set up. You must not rely on port members inherit[...]

  • Page 679

    Network Example using XRN 679 Figure 180 A Dual XRN Distributed Fabric Network How to Set up this Network This section provides information on how to configure an XRN network as shown in Figure 180. It assumes you have carried out step 1 to step 4 as detailed in “How to Implement XRN—Overview” on page 676. 1 Enable LACP on the required port[...]

  • Page 680

    680 APPENDIX D: 3COM XRN Recovering your XRN Network In the event of a failure within your XRN network, 3Com recommends that you follow the recommendations below. Unit Failure The steps below outline the procedure to recover your XRN network in the event of a unit failure within your Distributed Fabric. 1 Obtain a Switch and ensure it is insta[...]

  • Page 681

    How XRN Interacts with other Features 681 How XRN Interacts with other Features This section provides supplementary information on how XRN interacts with other software features supported by your Switch. VLANs Figure 181 shows a single aggregated link, created automatically using LACP, connecting the Switch 5500 stack to the Distributed Fabric[...]

  • Page 682

    682 APPENDIX D: 3COM XRN Figure 182 How XRN interacts with VLANs—Example 2 Legacy Aggregated Links Legacy aggregated links will react in the normal way if a unit within the Distributed Fabric fails, that is, all traffic will be redirected down the link(s) to the unit that is still operating. However, in Figure 183, if the interconnect [...]

  • Page 683

    How XRN Interacts with other Features 683 STP/RSTP STP/RSTP should be used for multihomed links if you are not able to use aggregated links. Figure 184 shows how STP will prevent a loop occurring on a multihomed link. STP/RSTP should always be enabled if your multihomed links are aggregated links. Figure 182 shows how, on interconnect fail[...]

  • Page 684

    684 APPENDIX D: 3COM XRN How a Failure affects the Distributed Fabric This section provides supplementary information on how the Distributed Fabric and traffic flow are affected by failure of a Fabric Interconnect and of a unit in the Distributed Fabric. Loss of a Switch within the XRN Distributed Fabric When a Switch unit in the Distributed F[...]

  • Page 685

    How a Failure affects the Distributed Fabric 685 Router Switch B will continue to do all the routing. As it was routing prior to Switch A’s failure there will be no change of the router identity, that is, the router interface IP addresses will not change. The router interface MAC addresses may change but this will have no visible impact on [...]

  • Page 686

    686 APPENDIX D: 3COM XRN IEEE802.1D (Legacy STP) and RSTP The Switch 4200 is using legacy STP. STP (and RSTP) will reconfigure the network to open the previously blocked link to Switch B. The STP reconfiguration will cause all Switch forwarding databases (MAC address tables) to be fast aged (if using RSTP, they will be flushed). If STP is e[...]