Configuration Guide
4500G 24-Port (3CR17761-91)
4500G 48-Port (3CR17762-91)
4500G 24-Port PWR (3CR17771-91)
4500G 48-Port PWR (3CR17772-91)
www.3Com.com
Part Number: 10014900 Rev. AA
Published: October 2006
3Com Corporation
350 Campus Drive
Marlborough, MA
USA 01752-3064

Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or
by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written
permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time
without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item”
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered
in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a
registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully
biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are
vegetable-based with a low heavy-metal content.
CONTENTS
10 DEVICE MANAGEMENT
Introduction to Device Management 89
BootROM and Host Software Loading 89
Device Management Configuration 102
Displaying the Device Management Configuration 104
Remote Switch Update Configuration Example 104
12 VLAN CONFIGURATION
VLAN Overview 123
Basic VLAN Configuration 124
Basic VLAN Interface Configuration 125
Port-Based VLAN Configuration 125
Displaying VLAN Configuration 129
VLAN Configuration Example 130
14 GVRP CONFIGURATION
Introduction to GARP 139
Configuring GVRP 142
Displaying and Maintaining GVRP 143
GVRP Configuration Example 143
19 MSTP CONFIGURATION
MSTP Overview 179
Configuring the Root Bridge 192
Configuring Leaf Nodes 204
Performing mCheck 208
MSTP Configuration Example 212
20 IP ADDRESSING CONFIGURATION
Configuring IP Addresses 219
Displaying IP Addressing 220
21 IP PERFORMANCE CONFIGURATION
Introduction to IP performance 221
Configuring TCP attributes 221
Configuring sending ICMP error packets 222
Permitting Receiving and Forwarding of Directed Broadcast Packets 224
Displaying and maintaining IP performance 226
22 IP ROUTING OVERVIEW
IP Routing and Routing Table 227
Routing Protocol Overview 229
Displaying and Maintaining a Routing Table 231
24 RIP CONFIGURATION
RIP Overview 239
RIP Basic Configuration 243
RIP Route Control 245
RIP Configuration Optimization 248
Displaying and Maintaining RIP 250
RIP Configuration Example 251
Troubleshooting RIP Configuration 252
26 802.1X CONFIGURATION
802.1x Overview 263
Configuring 802.1x 272
Configuring GuestVlan 274
Displaying and Maintaining 802.1x 274
802.1x Configuration Example 275
Typical GuestVlan Configuration Example 277
27 ABP CONFIGURATION
Introduction to ABP 281
ABP Server Configuration 281
ABP Client Configuration 282
Displaying ABP 282
32 ARP CONFIGURATION
ARP Overview 351
Configuring ARP 352
Configuring Gratuitous ARP 354
Displaying and Maintaining ARP 355
34 DHCP OVERVIEW
Introduction to DHCP 359
DHCP Address Allocation 359
DHCP Message Format 361
Protocols and Standards 362
39 ACL OVERVIEW
ACL Overview 381
Time-Based ACL 381
IPv4 ACL 381
41 QOS OVERVIEW
Introduction 395
Traditional Packet Delivery Service 395
New Requirements Brought forth by New Services 395
Occurrence and Influence of Congestion and the Countermeasures 396
Major Traffic Management Techniques 397
LR Configuration 402
43 CONGESTION MANAGEMENT
Overview 413
Congestion Management Policy 413
Configuring SP Queue Scheduling 415
Configuring WRR Queue Scheduling 416
Configuring SP+WRR Queue Scheduling 417
44 PRIORITY MAPPING
Overview 419
Configuring Port Priority 420
Displaying Priority Mapping Table 421
48 GMP V2 CONFIGURATION
Introduction to GMP V2 433
GMP V2 Configuration Task Overview 438
Management Device Configuration 439
Configuring Member Devices 446
Displaying and Maintaining a Cluster 447
GMP V2 Configuration Example 448
49 SNMP CONFIGURATION
SNMP Overview 451
Configuring Basic SNMP Functions 453
Trap Configuration 455
Displaying and Maintaining SNMP 456
SNMP Configuration Example 456
50 RMON CONFIGURATION
RMON Overview 459
Configuring RMON 462
Displaying and Maintaining RMON 463
RMON Configuration 463
51 NTP CONFIGURATION
NTP Overview 465
Configuring the Operation Modes of NTP 469
Configuring Optional Parameters of NTP 472
Configuring Access-Control Rights 473
Configuring NTP Authentication 474
Displaying and Maintaining NTP 476
NTP Configuration Examples 476
52 DNS CONFIGURATION
DNS Overview 489
Configuring Static Domain Name Resolution 491
Configuring Dynamic Domain Name Resolution 491
Displaying and Maintaining DNS 492
Troubleshooting DNS Configuration 492
53 INFORMATION CENTER
Information Center Overview 493
Configuring Information Center 494
Displaying and Maintaining Information Center 500
Information Center Configuration Example 501
54 NQA CONFIGURATION
NQA Overview 507
Configuring NQA Tests 508
Configuring Optional Parameters for NQA Tests 525
Displaying and Maintaining NQA 528
56 SFTP SERVICE
SFTP Overview 549
Configuring the SFTP Server 549
Configuring the SFTP Client 550
SFTP Configuration Example 554
58 SSL CONFIGURATION
SSL Overview 561
Configuring an SSL Server Policy 562
Configuring an SSL Client Policy 564
Displaying and Maintaining SSL 564
Troubleshooting SSL Configuration 565
60 PKI CONFIGURATION
Introduction to PKI 573
Introduction to PKI Configuration Task 575
Configuring PKI Certificate Request 575
Configuring PKI Certificate Validation 582
Configuring a Certificate Attribute Access Control Policy 583
Displaying and Maintaining PKI 584
Typical Configuration Examples 584
Troubleshooting 587
61 POE CONFIGURATION
PoE Overview 589
PoE Configuration Tasks 590
Configuring the PoE Interface 590
Configuring PD Power Management 593
Configuring a Power Alarm Threshold for the PSE 594
Upgrading PSE Processing Software Online 594
Configuring a PD Disconnection Detection Mode 595
Enabling the PSE to Detect Nonstandard PDs 595
Displaying and Maintaining PoE 596
PoE Configuration Example 596
Troubleshooting PoE 598
ABOUT THIS GUIDE
This guide provides information about configuring your network using the
commands supported on the 3Com® Switch 4500G Family.
Organization of the Manual
The Switch 4500G Family Configuration Guide consists of the following chapters:
■ Logging In—Provides information on the different ways to log into the switch.
■ Basic System Configuration and Maintenance Operation—Details the
basic configuration and maintenance of a switch.
■ File System Management—Details how to manage storage devices.
■ VLAN Operation—Details VLAN, including Voice VLANS and GVRP
configuration.
■ Port Correlation Configuration—Details Ethernet interface, link aggregation
and port isolation configuration.
■ MAC Address Table Management—Details MAC address table
configuration.
■ MSTP—Details multiple spanning tree protocol configuration.
■ IP Address and Performance Operation—Details how to assign IP addresses
to interfaces and to adjust the parameters for the best IP performance.
■ IPV4 Routing Operation—Details IPV4 routing operation, static routing and
policy configuration, and RIP configuration.
■ 802.1x HABP MAC Authorization Operation—Details HABP, 802.1x and
MAC Authentication Configuration.
■ AAA &RADIUS—Details AAA and RADIUS configuration.
■ Multicast Protocol—Details multicast protocol configuration.
■ ARP—Details address resolution protocol table configuration.
■ DHCP—Details dynamic host configuration protocol.
■ ACL Configuration—Details ACL configuration.
■ QoS—Details quality of service configuration.
■ Port Mirroring—Details local and remote port mirroring configuration.
■ Clustering—Details clustering configuration.
■ SNMP—Details simple network management protocol configuration.
■ RMON—Details remote monitoring configuration.
■ NTP—Details network time protocol configuration.
Table 1 Icons

Convention: Screen displays
Description: This typeface represents text as it appears on the screen.

Convention: Keyboard key names
Description: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del

Convention: The words “enter” and “type”
Description: When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”

Convention: Fixed command text
Description: This typeface indicates the fixed part of a command text. You must type the command, or this part of the command, exactly as shown, and press Return or Enter when you are ready to enter the command.
Example: The command display history-command must be entered exactly as shown.

Convention: Variable command text
Description: This typeface indicates the variable part of a command text. You must type a value here, and press Return or Enter when you are ready to enter the command.
Example: in the command super level, a value in the range 0 to 3 must be entered in the position indicated by level.

Convention: { x | y | … }
Description: Alternative items, one of which must be entered, are grouped in braces and separated by vertical bars. You must select and enter one of the items.
Example: in the command flow-control { hardware | none | software }, the braces and the vertical bars combined indicate that you must enter one of the parameters. Enter either hardware, or none, or software.

Convention: [ ]
Description: Items shown in square brackets [ ] are optional.
Example 1: in the command display users [ all ], the square brackets indicate that the parameter all is optional. You can enter the command with or without this parameter.
Example 2: in the command user-interface [ type ] first-number [ last-number ] the square brackets indicate that the parameters [ type ] and [ last-number ] are both optional. You can enter a value in place of one, both or neither of these parameters.

Convention: [ x | y | … ]
Description: Alternative items, one of which can optionally be entered, are grouped in square brackets and separated by vertical bars.
Example 3: in the command header [ shell | incoming | login ] text, the square brackets indicate that the parameters shell, incoming and login are all optional. The vertical bars indicate that only one of the parameters is allowed.
Related Documentation
In addition to this guide, the Switch 4500G documentation set includes the following:
■ 3Com Switch 4500G Family Quick Reference Guide
This guide contains:
■ a list of the features supported by the switch.
■ a summary of the command line interface commands for the switch. This
guide is also available under the Help button on the web interface.
■ 3Com Switch 4500G Family Command Reference Guide
This guide provides detailed information about the web interface and
command line interface that enable you to manage the switch. It is supplied in
PDF format on the CD-ROM that accompanies the switch.
■ 3Com Switch 4500G Family Getting Started Guide
This guide provides preliminary information about hardware installation and
communication interfaces.
■ Release notes
These notes provide information about the current software release, including
new features, modifications, and known problems. The release notes are
supplied in hard copy with the switch.
1 LOGGING INTO AN ETHERNET SWITCH

Logging into an Ethernet Switch
You can log into a Switch 4500G Ethernet switch in one of the following ways:
■ Log in locally through the Console port
■ Telnet locally or remotely to an Ethernet port
■ Telnet to the Console port using a modem
■ Log into the Web-based network management system
■ Log in through NMS (network management station)

Introduction to the User Interface

Supported User Interfaces
The Switch 4500G Family Ethernet switch supports two types of user interfaces: AUX and VTY.
As the AUX port and the Console port of a 3Com Switch 4500G Family series switch are the same one, you will be in the AUX user interface if you log in through this port.

User Interface Number
Two kinds of user interface index exist: absolute user interface index and relative user interface index.
1 The absolute user interface indexes are as follows:
■ AUX user interface: 0
■ VTY user interfaces: Numbered after the AUX user interface, increasing in steps of 1
2 A relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows:
■ AUX user interface: AUX 0
■ VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.
Common User Interface Configuration

Table 4 Common User Interface Configuration

To do: Lock the current user interface
Command: lock
Remarks: Optional. Execute this command in user view. A user interface is not locked by default.

To do: Specify to send messages to all user interfaces/a specified user interface
Command: send { all | number | type number }
Remarks: Optional. Execute this command in user view.

To do: Disconnect a specified user interface
Command: free user-interface [ type ] number
Remarks: Optional. Execute this command in user view.

To do: Enter system view
Command: system-view
Remarks: –

To do: Set the banner
Command: header { incoming | legal | login | shell | motd } text
Remarks: Optional

To do: Set a system name for the switch
Command: sysname string
Remarks: Optional

To do: Enter user interface view
Command: user-interface [ type ] first-number [ last-number ]
Remarks: –

To do: Define a shortcut key for aborting tasks
Command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Set the history command buffer size
Command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time for the user interface
Command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

To do: Set the maximum number of lines the screen can contain
Command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Make terminal services available
Command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.
2 LOGGING IN THROUGH THE CONSOLE PORT

Introduction
Logging in through the Console port is the most common way to log into a switch. It is also the prerequisite for configuring the other login methods. By default, you can log into a Switch 4500G Family Ethernet switch through its Console port only.
To log into an Ethernet switch through its Console port, the related configuration of the user terminal must be in accordance with that of the Console port.

Setting        Default
Baud rate      19,200 bps
Flow control   Off
Check mode     No check bit
Stop bits      1
Data bits      8

After logging into a switch, you can perform configuration for AUX users. Refer to “Console Port Login Configuration” for more.
Setting up the Connection to the Console Port
■ Connect the serial port of your PC/terminal to the Console port of the switch, as shown in Figure 1.
Figure 1 Diagram for setting the connection to the Console port (PC RS-232 port, configuration cable, switch Console port)
■ If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2 through Figure 4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 5.
■ You can then configure the switch or check the information about the switch by executing commands. You can also get help by typing the ? character. Refer to the following chapters for information about the commands.
Configuration: Console port configuration
■ Baud rate: Optional. The default baud rate is 9,600 bps.
■ Check mode: Optional. By default, the check mode of the Console port is set to “none”, which means no check bit.
■ Stop bits: Optional. The default stop bits of a Console port is 1.
■ Data bits: Optional. The default data bits of a Console port is 8.

Configuration: AUX user interface configuration
■ Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.
■ Configure the command level available to the users logging into the AUX user interface: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

Configuration: Terminal configuration
■ Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
■ Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
■ Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
■ Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
■ Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.
Console Port Login Configurations for Different Authentication Modes
Table 7 lists Console port login configurations for different authentication modes.

Table 7 Console port login configurations for different authentication modes

Authentication mode: None
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.

Authentication mode: Password
■ Configure the password: Configure the password for local authentication. Required.
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.

Authentication mode: Scheme
■ Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more.
■ Configure user name and password: Configure user names and passwords for local/remote users. Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for more.
■ Manage AUX users: Set the service type for AUX users. Required.
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.

Changes to the authentication mode of Console port login do not take effect until you exit and re-enter the CLI.
Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

Table 8 Configuration Procedure

To do: Enter system view
Command: system-view
Remarks: –

To do: Enter AUX user interface view
Command: user-interface aux 0
Remarks: –

To do: Configure not to authenticate users
Command: authentication-mode none
Remarks: Required. By default, users logging in through the Console port are not authenticated.

To do: Configure the Console port: set the baud rate
Command: speed speed-value
Remarks: Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.

To do: Configure the Console port: set the check mode
Command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the check mode of a Console port is set to none, that is, no check bit.

To do: Configure the Console port: set the stop bits
Command: stopbits { 1 | 1.5 | 2 }
Remarks: Optional. The default stop bits of a Console port is 1.

To do: Configure the Console port: set the data bits
Command: databits { 5 | 6 | 7 | 8 }
Remarks: Optional. The default data bits of a Console port is 8.

To do: Configure the command level available to users logging into the user interface
Command: user privilege level level
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

To do: Define a shortcut key for starting terminal sessions
Command: activation-key character
Remarks: Optional. By default, pressing the Enter key starts the terminal session.

To do: Define a shortcut key for aborting tasks
Command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available
Command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.
Note that the command level available to users logging into a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.

Authentication mode: None (authentication-mode none)
User type: Users logging in through Console ports
■ The user privilege level level command not executed: Level 3
■ The user privilege level level command already executed: Determined by the level argument
Network diagram
Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being none): PC RS-232 port connected to the switch Console port with a console cable
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter AUX user interface view.
[3Com] user-interface aux 0
3 Specify not to authenticate users logging in through the Console port.
[3Com-ui-aux0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-ui-aux0] user privilege level 2
5 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
6 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
7 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
8 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
Console Port Login Configuration with Authentication Mode Being Password
Configuration Procedure

Table 10 Configuration Procedure

To do: Enter system view
Command: system-view
Remarks: —

To do: Enter AUX user interface view
Command: user-interface aux 0
Remarks: —

To do: Configure to authenticate users using the local password
Command: authentication-mode password
Remarks: Required. By default, users logging in through the Console port are not authenticated.

To do: Set the local password
Command: set authentication password { cipher | simple } password
Remarks: Required

To do: Configure the Console port: set the baud rate
Command: speed speed-value
Remarks: Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.

To do: Configure the Console port: set the check mode
Command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the check mode of a Console port is set to none, that is, no check bit.

To do: Configure the Console port: set the stop bits
Command: stopbits { 1 | 1.5 | 2 }
Remarks: Optional. The default stop bits of a Console port is 1.

To do: Configure the Console port: set the data bits
Command: databits { 5 | 6 | 7 | 8 }
Remarks: Optional. The default data bits of a Console port is 8.

To do: Configure the command level available to users logging into the user interface
Command: user privilege level level
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

To do: Define a shortcut key for starting terminal sessions
Command: activation-key character
Remarks: Optional. By default, pressing the Enter key starts the terminal session.

To do: Define a shortcut key for aborting tasks
Command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available to the user interface
Command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.
Note that the command level available to users logging into a switch depends on both the authentication-mode password command and the user privilege level level command, as listed in the following table.

Authentication mode: Local authentication (authentication-mode password)
User type: Users logging into the AUX user interface
■ The user privilege level level command not executed: Level 3
■ The user privilege level level command already executed: Determined by the level argument
Network diagram
Figure 7 Network diagram for AUX user interface configuration (with the authentication mode being password): PC RS-232 port connected to the switch Console port with a console cable
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter AUX user interface view.
[3Com] user-interface aux 0
3 Specify to authenticate users logging in through the Console port using the local
password.
[3Com-ui-aux0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-aux0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-ui-aux0] user privilege level 2
6 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
9 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 12 Configuration Procedure

To do: Enter system view
Command: system-view
Remarks: —

To do: Configure the authentication mode: enter the default ISP domain view
Command: domain name
Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local users as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:
■ Perform AAA & RADIUS configuration on the switch. (Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more.)
■ Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)

To do: Configure the authentication mode: specify the AAA scheme to be applied to the domain
Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional (see the remarks above)

To do: Configure the authentication mode: quit to system view
Command: quit
Remarks: —

To do: Create a local user (enter local user view)
Command: local-user user-name
Remarks: Required. No local user exists by default.

To do: Set the authentication password for the local user
Command: password { simple | cipher } password
Remarks: Required

To do: Specify the service type for AUX users
Command: service-type terminal [ level level ]
Remarks: Required

To do: Quit to system view
Command: quit
Remarks: —

To do: Enter AUX user interface view
Command: user-interface aux 0
Remarks: —

To do: Configure to authenticate users locally or remotely
Command: authentication-mode scheme [ command-authorization ]
Remarks: Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.
Note that the command level available to users logging into a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type terminal [ level level ] command, as listed in Table 13.

Table 13

Authentication mode: authentication-mode scheme [ command-authorization ]
User type: Users logging into the Console port and passing AAA&RADIUS or local authentication
■ The user privilege level level command is not executed, and the service-type terminal [ level level ] command does not specify the available command level: Level 0
■ The user privilege level level command is not executed, and the service-type terminal [ level level ] command specifies the available command level: Determined by the service-type terminal [ level level ] command
■ The user privilege level level command is executed, and the service-type terminal [ level level ] command does not specify the available command level: Level 0
■ The user privilege level level command is executed, and the service-type terminal [ level level ] command specifies the available command level: Determined by the service-type terminal [ level level ] command
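The three scenario tables in this chapter (for authentication modes none, password and scheme) are easy to misread in one respect: in scheme mode the user privilege level command on the AUX user interface has no effect, and only the level given with service-type terminal counts. The following Python is an added illustration, not 3Com code, that encodes those tables in one function so an operator can check what level a console login will actually receive before changing the configuration; the class and function names and the review wording are my own.

```python
"""Effective command level for Console (AUX) port logins on the Switch 4500G.

Added illustration, not 3Com code: it encodes the three scenario tables of
this chapter (authentication modes none, password and scheme) in one place.
The class and function names are my own."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuxLogin:
    auth_mode: str                            # "none", "password" or "scheme"
    ui_privilege_level: Optional[int] = None  # 'user privilege level <n>' on aux 0, None if not executed
    service_type_level: Optional[int] = None  # 'service-type terminal level <n>' on the local user, None if omitted


def effective_command_level(login: AuxLogin) -> int:
    """Command level the user gets after logging in, per the scenario tables."""
    if login.auth_mode in ("none", "password"):
        # Modes none and password: level 3 unless 'user privilege level'
        # was executed on the user interface, whose argument then applies.
        return 3 if login.ui_privilege_level is None else login.ui_privilege_level
    if login.auth_mode == "scheme":
        # Mode scheme: only the level given with 'service-type terminal'
        # counts; without it the user lands at level 0 whether or not
        # 'user privilege level' was executed on the user interface.
        return 0 if login.service_type_level is None else login.service_type_level
    raise ValueError(f"unknown authentication mode: {login.auth_mode!r}")


def review_login(login: AuxLogin) -> List[str]:
    """Point out settings that have no effect or that leave the console
    unauthenticated (the review wording is my own, not from the guide)."""
    notes = []
    if login.auth_mode == "none":
        notes.append("Console port users are not authenticated")
    if login.auth_mode == "scheme" and login.ui_privilege_level is not None:
        notes.append("'user privilege level' is ignored in scheme mode; "
                     "set the level with 'service-type terminal level'")
    if login.auth_mode in ("none", "password") and login.ui_privilege_level is None:
        notes.append("no 'user privilege level' set: console users get level 3 by default")
    return notes


if __name__ == "__main__":
    # Walk through the configurations built in this chapter's procedures,
    # plus the scheme-mode case where only the user interface level was set.
    for example in (
        AuxLogin("none", ui_privilege_level=2),
        AuxLogin("password", ui_privilege_level=2),
        AuxLogin("scheme", service_type_level=2),
        AuxLogin("scheme", ui_privilege_level=2),
    ):
        print(example, "->", effective_command_level(example), review_login(example))
```

The last case in the main block is the one worth remembering: a scheme-mode login with user privilege level 2 on the user interface but no level on service-type terminal gets level 0, exactly as row 3 of Table 13 states.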
Network diagram
Figure 8 Network diagram for AUX user interface configuration (with the authentication mode being scheme): PC RS-232 port connected to the switch Console port with a console cable
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Create a local user named guest and enter local user view.
[3Com] local-user guest
3 Set the authentication password to 123456 (in plain text).
[3Com-luser-guest] password simple 123456
4 Set the service type to terminal and specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-luser-guest] service-type terminal level 2
[3Com-luser-guest] quit
5 Enter AUX user interface view.
[3Com] user-interface aux 0
6 Configure to authenticate users logging in through the Console port in the scheme
mode.
[3Com-ui-aux0] authentication-mode scheme
7 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
8 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
9 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
10 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
3 LOGGING IN THROUGH TELNET
Introduction
You can telnet to a remote switch to manage and maintain the switch. To achieve this, you need to configure both the switch and the Telnet terminal properly.
Item: Switch
    The management VLAN of the switch is created and the route between the switch and the Telnet terminal is available. (Refer to the VLAN module for more.)
    The authentication mode and other settings are configured. Refer to Table 15 and Table 16.
Item: Telnet terminal
    Telnet is running.
    The IP address of the management VLAN of the switch is available.
Configuration / Description
VTY user interface configuration
    Configure the command level available to users logging into the VTY user interface
        Optional. By default, commands of level 0 are available to users logging into a VTY user interface.
    Configure the protocols the user interface supports
        Optional. By default, the Telnet and SSH protocols are supported.
    Set the command that is automatically executed when a user logs into the user interface
        Optional. By default, no command is automatically executed when a user logs into a user interface.
VTY terminal configuration
    Define a shortcut key for aborting tasks
        Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
    Make terminal services available
        Optional. By default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain
        Optional. By default, the screen can contain up to 24 lines.
    Set history command buffer size
        Optional. By default, the history command buffer can contain up to 10 commands.
    Set the timeout time of a user interface
        Optional. The default timeout time is 10 minutes.
CAUTION:
■ The auto-execute command command may make you unable to perform common configuration in the user interface, so use it with caution.
■ Before executing the auto-execute command command and saving your configuration, make sure you can log into the switch in other modes and cancel the configuration.
Telnet Configurations for Different Authentication Modes
Table 16 lists Telnet configurations for different authentication modes.
Table 16 Telnet configurations for different authentication modes
Authentication mode: None
    Perform common configuration: perform common Telnet configuration
        Optional. Refer to Table 15.
Authentication mode: Password
    Configure the password: configure the password for local authentication
        Required
    Perform common configuration: perform common Telnet configuration
        Optional. Refer to Table 15.
Authentication mode: Scheme
    Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication
        Optional. Local authentication is performed by default. Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more information.
    Configure user name and password: configure user names and passwords for local/remote users
        Required.
        ■ The user name and password of a local user are configured on the switch.
        ■ The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
    Manage VTY users: set service type for VTY users
        Required
    Perform common configuration: perform common Telnet configuration
        Optional. Refer to Table 15.
Telnet Configuration with Authentication Mode Being None
Configuration Procedure
Table 17 Configuration Procedure
To do… / Use the command… / Remarks
Enter system view
    system-view
    –
Enter one or more VTY user interface views
    user-interface vty first-number [ last-number ]
    –
Configure not to authenticate users logging into VTY user interfaces
    authentication-mode none
    Required. By default, VTY users are authenticated after logging in.
Configure the command level available to users logging into VTY user interfaces
    user privilege level level
    Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.
Configure the protocols to be supported by the VTY user interface
    protocol inbound { all | ssh | telnet }
    Optional. By default, both Telnet protocol and SSH protocol are supported.
Set the command that is automatically executed when a user logs into the user interface
    auto-execute command text
    Optional. By default, no command is automatically executed when a user logs into a user interface.
Define a shortcut key for aborting tasks
    escape-key { default | character }
    Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available
    shell
    Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain
    screen-length screen-length
    Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size
    history-command max-size value
    Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Note that if you configure not to authenticate the users, the command level available to
users logging into a switch depends on both the authentication-mode none
command and the user privilege level level command, as listed in Table 18.
Table 18 Determine the command level when users logging into switches are not authenticated
Authentication mode: None (authentication-mode none)
User type: VTY users
    Command: The user privilege level level command is not executed
    Command level: Level 0
    Command: The user privilege level level command is already executed
    Command level: Determined by the level argument
Network diagram
Figure 9 Network diagram for Telnet configuration (with the authentication mode being none)
[Figure: Ethernet connection to GigabitEthernet1/0/1 of the switch]
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure not to authenticate Telnet users logging into VTY 0.
[3Com-ui-vty0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
5 Configure the user interface to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
6 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
7 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
8 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Password
Configuration Procedure
Table 19 Configuration Procedure
To do… / Use the command… / Remarks
Enter system view
    system-view
    –
Enter one or more VTY user interface views
    user-interface vty first-number [ last-number ]
    –
Configure to authenticate users logging into VTY user interfaces using the local password
    authentication-mode password
    Required
Set the local password
    set authentication password { cipher | simple } password
    Required
Configure the command level available to users logging into the user interface
    user privilege level level
    Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.
Configure the protocol to be supported by the user interface
    protocol inbound { all | ssh | telnet }
    Optional. By default, both Telnet protocol and SSH protocol are supported.
Set the command that is automatically executed when a user logs into the user interface
    auto-execute command text
    Optional. By default, no command is automatically executed when a user logs into a user interface.
Define a shortcut key for aborting tasks
    escape-key { default | character }
    Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available
    shell
    Optional. By default, terminal services are available in all user interfaces.
Note that if you configure to authenticate the users in the password mode, the
command level available to users logging into a switch depends on both the
authentication-mode password command and the user privilege level
level command, as listed in Table 20.
Table 20 Determine the command level when users logging into switches are authenticated in the password mode
Authentication mode: Password (authentication-mode password)
User type: VTY users
    Command: The user privilege level level command is not executed
    Command level: Level 0
    Command: The user privilege level level command is already executed
    Command level: Determined by the level argument
Network diagram
Figure 10 Network diagram for Telnet configuration (with the authentication mode being password)
[Figure: Ethernet connection to GigabitEthernet1/0/1 of the switch]
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure to authenticate users logging into VTY 0 using the local password.
[3Com-ui-vty0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-vty0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
6 Configure the user interface to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
9 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Scheme
Configuration Procedure
Table 21 Configuration Procedure
To do… / Use the command… / Remarks
Enter system view
    system-view
    –
Configure the default authentication scheme
    Enter the default ISP domain view
        domain name
    Configure the AAA scheme to be applied to the domain
        authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    Quit to system view
        quit
    Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local users as well.
    If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:
    ■ Perform AAA & RADIUS configuration on the switch. (Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more information.)
    ■ Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)
Create a local user and enter local user view
    local-user user-name
    No local user exists by default.
Set the authentication password for the local user
    password { simple | cipher } password
    Required
Specify the service type for VTY users
    service-type telnet [ level level ]
    Required
Quit to system view
    quit
    –
Enter one or more VTY user interface views
    user-interface vty first-number [ last-number ]
    –
Configure to authenticate users locally or remotely
    authentication-mode scheme
    Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.
Configure the command level available to users logging into the user interface
    user privilege level level
    Optional. By default, commands of level 0 are available to users logging into the VTY user interfaces.
Configure the supported protocol
    protocol inbound { all | ssh | telnet }
    Optional. Both Telnet protocol and SSH protocol are supported by default.
Note that if you configure to authenticate the users in the scheme mode, the command
level available to users logging into a switch depends on the authentication-mode
scheme [ command-authorization ] command, the user privilege level
level command, and the service-type { ftp [ ftp-directory directory ] |
lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in
Table 22.
Table 22 Determine the command level when users logging into switches are authenticated in the scheme mode
Authentication mode: Scheme (authentication-mode scheme [ command-authorization ])
User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
    Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
    Command level: Level 0
    Command: The user privilege level level command is not executed, and the service-type command specifies the available command level.
    Command level: Determined by the service-type command
    Command: The user privilege level level command is executed, and the service-type command does not specify the available command level.
    Command level: Level 0
    Command: The user privilege level level command is executed, and the service-type command specifies the available command level.
    Command level: Determined by the service-type command
User type: VTY users that are authenticated in the RSA mode of SSH
    Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
    Command level: Level 0
    Command: The user privilege level level command is not executed, and the service-type command specifies the available command level.
    Command level: Level 0
    Command: The user privilege level level command is executed, and the service-type command does not specify the available command level.
    Command level: Determined by the user privilege level level command
    Command: The user privilege level level command is executed, and the service-type command specifies the available command level.
    Command level: Determined by the user privilege level level command
User type: VTY users that are authenticated in the password mode of SSH
    Command: The user privilege level level command is not executed, and the service-type command does not specify the available command level.
    Command level: Level 0
    Command: The user privilege level level command is not executed, and the service-type command specifies the available command level.
    Command level: Determined by the service-type command
    Command: The user privilege level level command is executed, and the service-type command does not specify the available command level.
    Command level: Level 0
    Command: The user privilege level level command is executed, and the service-type command specifies the available command level.
    Command level: Determined by the service-type command
Refer to the corresponding chapters in this guide for information about AAA, RADIUS,
TACACS+, and SSH.
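The decision tables above (Tables 13, 18, 20 and 22) reduce to a small rule set, which is worth having in executable form when reviewing which level a login user actually ends up with. The following Python module is an added example, not code from the 3Com guide or the switch software; the 0..3 level range and the user-type labels are assumptions of the example.

```python
"""Effective command level of a login user, as given by Tables 13, 18, 20
and 22 of this chapter.

Added example, not code from the 3Com guide or its switch software. It
encodes only what those tables state:
  * authentication-mode none or password: the level comes from the
    'user privilege level level' command if it was executed, else 0;
  * authentication-mode scheme, user authenticated by AAA&RADIUS, locally,
    or in the password mode of SSH: the level comes from the
    'service-type ... [ level level ]' command if it specifies one, else 0
    (the 'user privilege level' command is ignored);
  * authentication-mode scheme, user authenticated in the RSA mode of SSH:
    the 'user privilege level' command decides; the service-type level is
    ignored.
The 0..3 range check is an assumption; the page itself uses levels 0, 2 and 3.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUTH_MODES = ("none", "password", "scheme")
# User types are only distinguished under authentication-mode scheme.
SCHEME_USER_TYPES = ("aaa_or_local", "ssh_password", "ssh_rsa")


@dataclass(frozen=True)
class LoginContext:
    auth_mode: str                            # "none", "password" or "scheme"
    user_type: str = "aaa_or_local"           # consulted for "scheme" only
    privilege_level: Optional[int] = None     # None: 'user privilege level' not executed
    service_type_level: Optional[int] = None  # None: no 'level' given on 'service-type'


def _check(ctx: LoginContext) -> None:
    if ctx.auth_mode not in AUTH_MODES:
        raise ValueError(f"unknown authentication mode {ctx.auth_mode!r}")
    if ctx.auth_mode == "scheme" and ctx.user_type not in SCHEME_USER_TYPES:
        raise ValueError(f"unknown user type {ctx.user_type!r}")
    for lvl in (ctx.privilege_level, ctx.service_type_level):
        if lvl is not None and not 0 <= lvl <= 3:  # assumed range, see docstring
            raise ValueError(f"command level {lvl} out of range 0..3")


def deciding_command(ctx: LoginContext) -> str:
    """Which command the tables say decides the level for this context."""
    _check(ctx)
    if ctx.auth_mode in ("none", "password") or ctx.user_type == "ssh_rsa":
        return "user privilege level"
    return "service-type"


def effective_command_level(ctx: LoginContext) -> Tuple[int, str]:
    """Return (level, source); source is the deciding command or 'default'."""
    decider = deciding_command(ctx)
    value = ctx.privilege_level if decider == "user privilege level" else ctx.service_type_level
    if value is None:
        return 0, "default"  # the deciding command supplied no level: Level 0
    return value, decider


def ignored_settings(ctx: LoginContext) -> List[str]:
    """Settings that are configured but have no effect in this context.

    Useful in a configuration review: 'user privilege level 3' on a VTY under
    authentication-mode scheme gives a RADIUS-authenticated user nothing
    unless the service-type command also carries a level.
    """
    decider = deciding_command(ctx)
    ignored: List[str] = []
    if decider != "user privilege level" and ctx.privilege_level is not None:
        ignored.append("user privilege level")
    if decider != "service-type" and ctx.service_type_level is not None:
        ignored.append("service-type level")
    return ignored
```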
Network diagram
Figure 11 Network diagram for Telnet configuration (with the authentication mode being scheme)
[Figure: Ethernet connection to GigabitEthernet1/0/1 of the switch]
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Create a local user named “guest” and enter local user view.
[3Com] local-user guest
3 Set the authentication password of the local user to 123456 (in plain text).
[3Com-luser-guest] password simple 123456
4 Set the service type to Telnet and specify that commands of level 2 are available to users logging into VTY 0.
[3Com-luser-guest] service-type telnet level 2
5 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
6 Configure to authenticate users logging into VTY 0 in the scheme mode.
[3Com-ui-vty0] authentication-mode scheme
Telnet Connection Establishment
Telneting to a Switch from a Terminal
You can Telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned an IP address.
1 Log into the switch through the Console port and assign an IP address to the
management VLAN interface of the switch.
■ Connect to the Console port. Refer to the chapter “Setting up the Connection to the
Console Port”.
■ Execute the following commands in the terminal window to assign an IP address to
the management VLAN interface of the switch.
<3Com> system
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 202.38.160.92.
[3Com-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
2 Configure the user name and password for Telnet on the switch. Refer to “Telnet
Configuration with Authentication Mode Being None”,“Telnet Configuration with
Authentication Mode Being Password”, and “Telnet Configuration with Authentication
Mode Being Scheme”.
3 Connect your PC to the switch, as shown in Figure 12. Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switch and the route between your PC and the switch is available.
[Figure 12: workstation connected over Ethernet to an Ethernet port of the switch]
4 Launch Telnet on your PC, with the IP address of the management VLAN interface of the
switch as the parameter, as shown in the following figure.
5 Enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt (such as <3Com>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”. A 3Com Switch 4500G Family Ethernet switch can accommodate up to five Telnet connections at the same time.
6 After successfully Telneting to a switch, you can configure the switch or display the
information about the switch by executing corresponding commands. You can also type
? at any time for help. Refer to the following chapters for the information about the
commands.
■ A Telnet connection will be terminated if you delete or modify the IP address of the
VLAN interface in the Telnet session.
■ By default, commands of level 0 are available to Telnet users authenticated by
password. Refer to the Basic System Configuration and Maintenance module for
information about command hierarchy.
Telneting to Another Switch from the Current Switch
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that the route between the two VLAN interfaces is available.
As shown in Figure 14, after Telneting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command and then configure the latter.
Figure 14 Network diagram for Telneting to another switch from the current switch
1 Configure the user name and password for Telnet on the switch operating as the Telnet
server. Refer to “Telnet Configuration with Authentication Mode Being None”, “Telnet
Configuration with Authentication Mode Being Password”, and “Telnet Configuration
with Authentication Mode Being Scheme” for more.
2 Telnet to the switch operating as the Telnet client.
3 Execute the following command on the switch operating as the Telnet client:
<3Com> telnet xxxx
Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.
4 Enter the password. If the password is correct, the CLI prompt (such as <3Com>)
appears. If all VTY user interfaces of the switch are in use, you will fail to establish the
connection and receive the message that says “All user interfaces are used, please try
later!”.
5 After successfully Telneting to the switch, you can configure the switch or display the
information about the switch by executing corresponding commands. You can also type
? at any time for help. Refer to the following chapters for the information about the
commands.
4 LOGGING IN USING MODEM
Introduction
If a remote switch is connected to the PSTN (public switched telephone network) through a modem, the administrator can log into the Console port of the switch using a modem through the PSTN to configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure these switches, to query logs and warning messages, and to locate problems.
To log into a switch in this way, you need to configure the terminal and the switch properly, as listed in the following table.
Item: Administrator side
    The PC can communicate with the modem connected to it.
    The modem is properly connected to PSTN.
    The telephone number of the switch side is available.
Item: Switch side
    The modem is connected to the Console port of the switch properly.
    The modem is properly configured.
    The modem is properly connected to PSTN and a telephone set.
    The authentication mode and other related settings are configured on the switch. Refer to Table 7.
Configuration on the Administrator Side
The PC can communicate with the modem connected to it. The modem is properly connected to PSTN. And the telephone number of the switch side is available.
Configuration on the Switch Side
Modem Configuration
Perform the following configuration on the modem directly connected to the switch:
AT&F ----------------------- Restore the factory settings
ATS0=1 --------------------- Configure to answer automatically after the first ring
AT&D ----------------------- Ignore DTR signal
AT&K0 ---------------------- Disable flow control
AT&R1 ---------------------- Ignore RTS signal
AT&S0 ---------------------- Set DSR to high level by force
ATEQ1&W -------------------- Disable the modem from returning command response and the result, save the changes
The configuration commands and the output of different modems may differ. Refer to
the user manual of the modem when performing the above configuration.
Switch Configuration
After logging into a switch through its Console port by using a modem, you enter the AUX user interface. The corresponding configuration on the switch is the same as that for logging into the switch locally through its Console port, except that:
■ When you log in through the Console port using a modem, the baud rate of the
Console port is usually set to a value lower than the transmission speed of the
modem. Otherwise, packets may get lost.
■ Other settings of the Console port, such as the check mode, the stop bits, and the data
bits, remain the default.
The configuration on the switch depends on the authentication mode the user is in.
Refer to Table 7 for the information about authentication mode configuration.
Modem Connection Establishment
1 Configure the user name and password on the switch. Refer to “Console Port Login
Configuration with Authentication Mode Being None”, “Console Port Login
Configuration with Authentication Mode Being Password”, and “Console Port Login
Configuration with Authentication Mode Being Scheme” for more information.
2 Perform the following configuration on the modem directly connected to the switch.
AT&F ----------------------- Restore the factory settings
ATS0=1 --------------------- Configure to answer automatically after the first ring
AT&D ----------------------- Ignore DTR signal
AT&K0 ---------------------- Disable flow control
AT&R1 ---------------------- Ignore RTS signal
AT&S0 ---------------------- Set DSR to high level by force
ATEQ1&W -------------------- Disable the modem from returning command response and the result, save the changes
■ The configuration commands and the output of different modems may differ. Refer
to the user manual of the modem when performing the above configuration.
■ Set the baud rate of the AUX port (also the Console port) to a value lower than the
transmission speed of the modem. Otherwise, packets may get lost.
3 Connect your PC, the modems, and the switch, as shown in the following figure.
[Figure: PC, serial cable, modem, telephone line, PSTN, modem, and the Console port of the switch]
4 Launch a terminal emulation utility on the PC and set the telephone number to call the
modem directly connected to the switch, as shown in Figure 16 and Figure 17. Note that
you need to set the telephone number to that of the modem directly connected to the
switch.
5 Provide the password when prompted. If the password is correct, the prompt (such as <3Com>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the following chapters for information about the configuration commands.
If you perform no AUX user-related configuration on the switch, the commands of level
3 are available to modem users. Refer to the Basic System Configuration and
Maintenance module for information about command level.
5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM
Introduction
A Switch 4500G Series switch has a Web server built in. You can log into a Switch 4500G Series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
To log into a Switch 4500G through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
Table 24 Requirements for logging into a switch through the Web-based network management system
Item: Switch
    The management VLAN of the switch is configured. The route between the switch and the network management terminal is available. (Refer to the VLAN module for more.)
    The user name and password for logging into the Web-based network management system are configured.
Item: PC operating as the network management terminal
    IE is available.
    The IP address of the management VLAN interface of the switch is available.
HTTP Connection Establishment
1 Log into the switch through the Console port and assign an IP address to the
management VLAN interface of the switch.
■ Connect to the Console port. Refer to “Setting up the Connection to the Console
Port”.
■ Execute the following commands in the terminal window to assign an IP address to
the management VLAN interface of the switch.
<3Com> system
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 10.153.17.82.
[3Com-Vlan-interface1] ip address 10.153.17.82 255.255.255.0
2 Configure the user name and the password for the Web-based network management
system.
a Configure the user name to be admin.
[3Com] local-user admin
b Set the user level to level 3.
[3Com-luser-admin] service-type telnet level 3
c Set the password to admin.
[3Com-luser-admin] password simple admin
3 Establish an HTTP connection between your PC and the switch, as shown in the following figure.
[Figure: HTTP connection between the PC and the switch]
4 Log into the switch through IE. Launch IE on the Web-based network management
terminal (your PC) and enter the IP address of the management VLAN interface of the
switch (here it is http://10.153.17.82). (Make sure the route between the Web-based
network management terminal and the switch is available.)
5 When the login interface (shown in Figure 19) appears, enter the user name and the
password configured in step 2 and click <Login> to bring up the main page of the
Web-based network management system.
Web Server Shutdown/Startup
You can shut down or start up the Web server.
Table 25 Web Server Shutdown/Startup
Introduction
You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
■ The agent here refers to the software running on network devices (switches) and acting as the server.
■ SNMP (simple network management protocol) is applied between the NMS and the agent.
To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch.
Item: Switch
    The management VLAN of the switch is configured. The route between the NMS and the switch is available. (Refer to the VLAN module for more.)
    The basic SNMP functions are configured. (Refer to the SNMP-RMON module for more.)
Item: NMS
    The NMS is properly configured. (Refer to the user manual of your NMS for more.)
62 CHAPTER 6: LOGGING IN THROUGH NMS
7 CONTROLLING LOGIN USERS
Introduction
A switch provides ways to control different types of login users, as listed in Table 27.
Controlling Telnet Users
Prerequisites
The controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and the controlling actions (permitting or denying).
Controlling Telnet Users by Source IP Addresses
Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
Table 28 Controlling Telnet Users by Source IP Addresses
Controlling Telnet Users by Source and Destination IP Addresses
Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to the ACL module for information about defining an ACL.
Table 29 Controlling Telnet Users by Source and Destination IP Addresses
Controlling Telnet Users by Source MAC Addresses
Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Refer to the ACL module for information about defining an ACL.
Table 30 Controlling Telnet Users by Source MAC Addresses
Network diagram
[Figure: switch connected to the Internet]
Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
2 Apply the ACL.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses
You can manage a Switch 4500G Series Ethernet switch through network management software. Network management users can access switches through SNMP.
You need to perform the following two operations to control network management users by source IP addresses.
■ Defining an ACL
■ Applying the ACL to control users accessing the switch through SNMP
Prerequisites
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
Controlling Network Management Users by Source IP Addresses
Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
Table 31 Controlling Network Management Users by Source IP Addresses
You can specify different ACLs while configuring the SNMP community name, the SNMP group name and the SNMP user name.
Controlling Network Management Users by Source IP Addresses 67
As the SNMP community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect for network management systems that use SNMPv1 or SNMPv2c.
Similarly, as the SNMP group name and SNMP user name are features of SNMPv2c and higher SNMP versions, the ACLs specified in the commands that configure SNMP group names (the snmp-agent group command and the snmp-agent group v3 command) and SNMP user names (the snmp-agent usm-user command and the snmp-agent usm-user v3 command) take effect for network management systems that use SNMPv2c or higher SNMP versions. If you configure both the SNMP group name and the SNMP user name and specify ACLs in both operations, the switch filters network management users by both the SNMP group name and the SNMP user name.
Network diagram (figure: the switch connected to the Internet)
Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
2 Apply the ACL to only permit SNMP users sourced from the IP addresses of
10.110.100.52 and 10.110.100.46 to access the switch.
[3Com] snmp-agent community read 3com acl 2000
[3Com] snmp-agent group v2c 3comgroup acl 2000
[3Com] snmp-agent usm-user v2c 3comuser 3comgroup acl 2000
Controlling Web Users by Source IP Address
You can manage a Switch 4500G Series Ethernet switch remotely through the Web. Web users can access a switch through HTTP connections.
You need to perform the following two operations to control Web users by source IP addresses.
■ Defining an ACL
■ Applying the ACL to control Web users
Prerequisites
The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
Controlling Web Users by Source IP Addresses
Controlling Web users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
Table 32 Controlling Web Users by Source IP Addresses
Disconnecting a Web User by Force
The administrator can forcibly disconnect a Web user using the related command.
Table 33 Disconnecting a Web User by Force
Network diagram (figure: the switch connected to the Internet)
Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2030 match-order config
[3Com-acl-basic-2030] rule 1 permit source 10.110.100.46 0
[3Com-acl-basic-2030] rule 2 deny source any
2 Apply the ACL to only permit the Web users sourced from the IP address of
10.110.100.46 to access the switch.
[3Com] ip http acl 2030
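The three procedures above (Telnet through the VTY user interfaces, SNMP through the community, group and user names, and Web through ip http) all rely on the same basic-ACL semantics: rules are tried in configured order (match-order config), the first match decides, and the trailing deny source any rule closes the list. The following Python model is an added example, not 3Com code. The running-config excerpt it parses is constructed from the commands on this page, and the no-match default (a source matching no rule is not filtered) is an assumption marked in the code. It evaluates candidate source addresses against the parsed rules and audits whether each management service is bound to a defined ACL that ends with an explicit deny.

```python
"""Model of the basic-ACL filtering behind the Telnet, SNMP and Web control
procedures on this page, plus an audit of the ACL bindings. Added example, not
3Com code; the configuration excerpt is constructed from the page's commands."""
import ipaddress
import re

# Constructed running-config excerpt mirroring the three procedures on the page.
SAMPLE_CONFIG = """\
acl number 2000 match-order config
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 rule 3 deny source any
acl number 2030 match-order config
 rule 1 permit source 10.110.100.46 0
 rule 2 deny source any
user-interface vty 0 4
 acl 2000 inbound
snmp-agent community read 3com acl 2000
snmp-agent group v2c 3comgroup acl 2000
snmp-agent usm-user v2c 3comuser 3comgroup acl 2000
ip http acl 2030
"""

ALL_ONES = 0xFFFFFFFF
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)(?:\s+(\S+))?")
# Management services the page binds to an ACL; a config line is matched by prefix.
MANAGEMENT_SERVICES = ("user-interface vty", "snmp-agent", "ip http")


def wildcard_to_int(text):
    """Wildcard mask in dotted form ('0.0.0.255') or the bare '0' shorthand the page uses."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


def parse_acls(config):
    """Return {acl_number: [(rule_id, action, source_int, wildcard_int), ...]} for the
    basic ACLs in config, rules kept in configured order (match-order config)."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^acl number (\d+)", line)
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            rule_id, action, src, wildcard = rule.groups()
            if src == "any":
                src_int, wc_int = 0, ALL_ONES          # all bits ignored: matches everything
            else:
                # Wildcard mask: 0 bits must match, 1 bits are ignored, so '0' means exact host.
                src_int = int(ipaddress.IPv4Address(src))
                wc_int = wildcard_to_int(wildcard or "0")
            acls[current].append((int(rule_id), action, src_int, wc_int))
    return acls


def acl_permits(rules, source_ip):
    """Rules are tried in order and the first match decides. Assumption: a source that
    matches no rule is not filtered, which is why the page's ACLs end with 'deny source any'."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for _rule_id, action, src_int, wc_int in rules:
        if (ip & ~wc_int & ALL_ONES) == (src_int & ~wc_int & ALL_ONES):
            return action == "permit"
    return True


def find_bindings(config):
    """Return [(context_line, acl_number)] for every line that applies an ACL to a service.
    Indented lines belong to the preceding unindented line, so 'acl 2000 inbound' is
    attributed to 'user-interface vty 0 4'."""
    bindings, context = [], ""
    for line in config.splitlines():
        if not line.startswith(" "):
            context = line.strip()
        if context.startswith("acl number"):
            continue                                   # inside an ACL definition, not a binding
        ref = re.search(r"\bacl (\d+)\b", line)
        if ref:
            bindings.append((context, int(ref.group(1))))
    return bindings


def audit(config):
    """Findings: a management service with no ACL, a binding to an undefined ACL, or an
    ACL whose last rule is not an explicit 'deny source any'."""
    acls, bindings, findings = parse_acls(config), find_bindings(config), []
    for context, number in bindings:
        rules = acls.get(number)
        if rules is None:
            findings.append(f"{context}: ACL {number} is not defined")
        elif not rules or rules[-1][1] != "deny" or rules[-1][3] != ALL_ONES:
            findings.append(f"{context}: ACL {number} does not end with 'deny source any'")
    for service in MANAGEMENT_SERVICES:
        if not any(context.startswith(service) for context, _ in bindings):
            findings.append(f"{service}: no ACL applied")
    return findings


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for ip in ("10.110.100.52", "10.110.100.46", "10.110.100.53"):
        print(ip, "telnet:", acl_permits(acls[2000], ip), "web:", acl_permits(acls[2030], ip))
    print(audit(SAMPLE_CONFIG) or "no findings")
```

Feed the text of display current-configuration in place of the constructed excerpt to list the management services that still accept connections from any source, or whose ACL lacks the closing deny that the procedures on this page rely on.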
8 BASIC SYSTEM CONFIGURATION AND MAINTENANCE
Command Line Feature
Command Line Interface Overview
Switch 4500G Family provides a series of configuration commands and a command line interface for you to configure and maintain the Ethernet switches. The command line interface has the following features:
■ Command levels can be configured to make sure that unauthorized users cannot use the related commands to configure a switch.
■ You can enter <?> at any time to get online help.
■ Network test commands, such as tracert and ping, are provided to help you diagnose the network.
■ Plenty of detailed debugging information is provided to help you diagnose and locate network failures.
■ A function similar to Doskey is provided to execute history commands.
■ The partial match method is adopted to search for the keywords of a command line. You only need to enter a non-conflicting keyword to execute the command correctly.
Online Help of Command Line
The command line interface provides the following online help modes.
■ Full help
■ Partial help
You can get the help information through the following online help commands, which are described as follows.
1 Input “?” in any view to get all the commands in it and corresponding descriptions.
<Sysname> ?
User view commands:
backup Backup next startup-configuration file to TFTP
server
boot-loader Set boot loader
bootrom Update/read/backup/restore bootrom
cd Change current directory
clock Specify the system clock
cluster Run cluster command
copy Copy from one file to another
debugging Enable system debugging functions
delete Delete a file
dir List files on a file system
display Show running system information
<Omit>
72 CHAPTER 8: BASIC SYSTEM CONFIGURATION AND MAINTENANCE
2 Input a command with a “?” separated by a space. If this position is for keywords, all the
keywords and the corresponding brief descriptions will be listed.
<Sysname> language-mode ?
chinese Chinese environment
english English environment
3 Input a command with a “?” separated by a space. If this position is for parameters, all
the parameters and their brief descriptions will be listed.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface vlan-interface ?
<1-4094> VLAN interface number
[Sysname] interface vlan-interface 1 ?
<cr>
<cr> indicates that no parameter is expected in this position. The next command line repeats the command; you can press <Enter> to execute it directly.
4 Input a character string followed by a “?”; all the commands beginning with this character string will be listed.
<Sysname>pi?
ping
5 Input a command followed by a character string and “?”; all the keywords of the command beginning with this character string will be listed.
<Sysname> display ver?
version
6 Input the first letters of a keyword of a command and press the <Tab> key. If no other keyword begins with these letters, the unique keyword is displayed automatically. If other keywords beginning with these letters exist, press the <Tab> key repeatedly to display these keywords.
7 To switch to the Chinese display for the above information, perform the language-mode
command.
History Command of Command Line
The command line interface provides a function similar to that of DosKey. The CLI can automatically save the commands that have been entered. You can invoke and repeatedly execute them as needed. By default, the CLI can save up to ten commands for each user. Table 35 lists the operations that you can perform.
Table 35 Retrieve history command
Cursor keys can be used to retrieve the history commands in Windows 3.X Terminal and Telnet. However, in Windows 9X HyperTerminal, the cursor keys ↑ and ↓ do not work, because Windows 9X HyperTerminal defines the two keys differently. In this case, use the key combinations <Ctrl+P> and <Ctrl+N> instead for the same purpose.
Common Command Line Error Messages
The commands are executed only if they have no syntax error. Otherwise, error information is reported. Table 36 lists some common errors.
Editing Characteristics of Command Line
The command line interface provides the basic command editing function and supports editing multiple lines. A command cannot be longer than 256 characters. See the table below.
Table 37 Editing functions
Key | Function
Common keys | Insert from the cursor position and the cursor moves to the right, if the edit buffer still has free space.
Backspace | Delete the character preceding the cursor and the cursor moves backward.
Leftwards cursor key <←> or <Ctrl+B> | Move the cursor a character backward.
Rightwards cursor key <→> or <Ctrl+F> | Move the cursor a character forward.
Up cursor key <↑> or <Ctrl+P>, Down cursor key <↓> or <Ctrl+N> | Retrieve the history command.
<Tab> | Press <Tab> after typing an incomplete keyword and the system executes partial help: if the keyword matching the typed one is unique, the system replaces the typed one with the complete keyword and displays it in a new line; if there is no matching keyword or the matching keyword is not unique, the system makes no modification but displays the originally typed word in a new line.
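The partial-match rule ("enter a non-conflicting keyword"), the “?” help forms in the numbered list above and the <Tab> behaviour in Table 37 can be modelled in a few functions. The following Python is an added example, not 3Com code. Its command tree is a constructed subset of the keywords listed on this page (the descriptions of language-mode, ping and the display sub-keywords are assumed and marked as such), and the rule that an exactly typed keyword wins over longer keywords sharing its prefix is an assumption about the CLI.

```python
"""Model of the CLI keyword matching described on this page: '?' help and <Tab>
partial matching with the non-conflicting keyword rule. Added example, not 3Com
code; COMMAND_TREE is a constructed subset of the keywords listed on the page."""

# Constructed command tree: keyword -> (description, sub-keywords). User-view
# descriptions come from the '?' listing on the page; entries marked "assumed"
# are not on the page.
COMMAND_TREE = {
    "backup": ("Backup next startup-configuration file to TFTP server", {}),
    "boot-loader": ("Set boot loader", {}),
    "bootrom": ("Update/read/backup/restore bootrom", {}),
    "cd": ("Change current directory", {}),
    "clock": ("Specify the system clock", {}),
    "cluster": ("Run cluster command", {}),
    "copy": ("Copy from one file to another", {}),
    "debugging": ("Enable system debugging functions", {}),
    "delete": ("Delete a file", {}),
    "dir": ("List files on a file system", {}),
    "display": ("Show running system information", {
        "version": ("Display system version (assumed description)", {}),
        "vlan": ("Display VLAN information (assumed description)", {}),
        "debugging": ("Display enabled debugging (assumed description)", {}),
    }),
    "language-mode": ("Specify the language environment (assumed description)", {
        "chinese": ("Chinese environment", {}),
        "english": ("English environment", {}),
    }),
    "ping": ("Ping function (assumed description)", {}),
}


def candidates(node, prefix):
    """Keywords at this level that begin with prefix (the partial-match rule)."""
    return sorted(k for k in node if k.startswith(prefix))


def resolve(tree, line):
    """Resolve each complete word of line by partial match, walking down the tree.
    Returns (status, keywords) with status "ok", "ambiguous" or "unrecognized"."""
    node, resolved = tree, []
    for word in line.split():
        matches = candidates(node, word)
        if word in node:
            matches = [word]   # assumption: an exact keyword beats longer keywords with the same prefix
        if len(matches) != 1:
            return ("ambiguous" if matches else "unrecognized", resolved)
        resolved.append(matches[0])
        node = node[matches[0]][1]
    return ("ok", resolved)


def _node_after(tree, keywords):
    """Sub-tree reached after the given fully resolved keywords."""
    node = tree
    for kw in keywords:
        node = node[kw][1]
    return node


def question_help(tree, line):
    """Emulate '?': list (keyword, description) pairs possible at the cursor.
    A trailing space ("display ?") lists every keyword at that level; otherwise
    the last word is a prefix ("display ver?" lists only "version")."""
    *head, last = line.split(" ")
    status, resolved = resolve(tree, " ".join(head))
    if status != "ok":
        return []
    node = _node_after(tree, resolved)
    return [(k, node[k][0]) for k in candidates(node, last)]


def tab_complete(tree, line):
    """Emulate <Tab> (Table 37): complete the last word only when exactly one
    keyword matches; otherwise return the line unchanged."""
    *head, last = line.split(" ")
    status, resolved = resolve(tree, " ".join(head))
    if status != "ok" or not last:
        return line
    matches = candidates(_node_after(tree, resolved), last)
    return " ".join(head + [matches[0]]) if len(matches) == 1 else line


if __name__ == "__main__":
    for kw, desc in question_help(COMMAND_TREE, "display ver"):
        print(f"{kw:<12} {desc}")
    print(tab_complete(COMMAND_TREE, "dis"))   # "display"
    print(resolve(COMMAND_TREE, "boot"))       # ambiguous: boot-loader and bootrom
```

The ambiguity case is the one worth noticing: "boot" matches both boot-loader and bootrom, so neither <Tab> nor execution resolves it, exactly as the page's "non-conflicting keyword" wording implies.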
Command Line View
Different command views are implemented according to different requirements. They are related to one another. For example, after logging in to the switch, you enter user view, in which you can only use some basic functions such as displaying the running state and statistics information. In user view, key in system-view to enter system view, in which you can key in different configuration commands and enter the corresponding views.
■ User view
■ System view
■ Ethernet Port view
■ NULL interface view
■ VLAN view
■ VLAN interface view
■ LoopBack interface view
■ Local-user view
■ User interface view
■ FTP Client view
■ MST region view
■ IGMP-Snooping view
■ Traffic classifier view
■ Traffic behavior view
■ QoS policy view
■ Cluster view
Command Line Feature 75
The following table describes the function features of different views and the ways to enter or quit.
Command view | Function | Prompt | Command to enter | Command to exit
User view | Show the basic information about operation and statistics | <Sysname> | Enter right after connecting to the switch | quit disconnects the switch
System view | Configure system parameters | [Sysname] | Key in system-view in user view | quit or return returns to user view
Ethernet Port view | Configure Ethernet port parameters | [Sysname-GigabitEthernet1/0/1] | Key in interface gigabitethernet 1/0/1 in system view | quit returns to system view; return returns to user view
NULL interface view | Configure NULL interface parameters | [Sysname-NULL0] | Key in interface null 0 in system view | quit returns to system view; return returns to user view
VLAN view | Configure VLAN parameters | [Sysname-vlan1] | Key in vlan 1 in system view | quit returns to system view; return returns to user view
VLAN interface view | Configure IP interface parameters for a VLAN or a VLAN aggregation | [Sysname-Vlan-interface1] | Key in interface vlan-interface 1 in system view | quit returns to system view; return returns to user view
LoopBack interface view | Configure LoopBack interface parameters | [Sysname-LoopBack0] | Key in interface loopback 0 in system view | quit returns to system view; return returns to user view
Local-user view | Configure local user parameters | [Sysname-luser-user1] | Key in local-user user1 in system view | quit returns to system view; return returns to user view
User interface view | Configure user interface parameters | [Sysname-ui0] | Key in user-interface 0 in system view | quit returns to system view; return returns to user view
FTP Client view | Configure FTP Client parameters | [ftp] | Key in ftp in user view | quit returns to user view
MST region view | Configure MST region parameters | [Sysname-mst-region] | Key in stp region-configuration in system view | quit returns to system view; return returns to user view
IGMP-Snooping view | Configure IGMP-Snooping protocol parameters | [Sysname-igmp-snooping] | Key in igmp-snooping in system view | quit returns to system view; return returns to user view
Traffic classifier view | Configure traffic classifier related parameters | [Sysname-classifier-test] | Key in traffic classifier test in system view | quit returns to system view; return returns to user view
Traffic behavior view | Configure traffic behavior related parameters | [Sysname-behavior-test] | Key in traffic behavior test in system view | quit returns to system view; return returns to user view
QoS policy view | Configure QoS policy related parameters | [Sysname-qospolicy-test] | Key in qos policy test in system view | quit returns to system view; return returns to user view
Cluster view | Configure cluster parameters | [Sysname-cluster] | Key in cluster in system view | quit returns to system view; return returns to user view
Port group view | Configure manual port group parameters | [Sysname-port-group-manual-test] | Key in port-group manual test in system view | quit returns to system view; return returns to user view
Port group view | Configure aggregate port group parameters | [Sysname-port-group-aggregation-1] | Key in port-group aggregation 1 in system view | quit returns to system view; return returns to user view
HWping view | Configure HWping test group parameters | [Sysname-hwping-admin-test] | Key in hwping admin test in system view | quit returns to system view; return returns to user view
TACACS scheme view | Configure TACACS+ parameters | [Sysname-hwtacacs-test] | Key in hwtacacs scheme test in system view | quit returns to system view; return returns to user view
RSA public key view | Configure RSA public key of SSH user | [Sysname-rsa-public-key] | Key in rsa peer-public-key 003 in system view | peer-public-key end returns to system view
RSA key code view | Edit RSA public key of SSH user | [Sysname-rsa-key-code] | Key in public-key-code begin in RSA public key view | public-key-code end returns to RSA public key view
Route policy view | Configure route policy | [Sysname-route-policy] | Key in route-policy policy1 permit node 10 in system view | quit returns to system view; return returns to user view
Basic ACL view | Define the sub rule of the basic ACL (in the range of 2,000 to 2,999) | [Sysname-acl-basic-2000] | Key in acl number 2000 in system view | quit returns to system view; return returns to user view
Advanced ACL view | Define the sub rule of the advanced ACL (in the range of 3,000 to 3,999) | [Sysname-acl-adv-3000] | Key in acl number 3000 in system view | quit returns to system view; return returns to user view
Layer 2 ACL view | Define the sub rule of the Layer 2 ACL (in the range of 4,000 to 4,999) | [Sysname-acl-ethernetframe-4000] | Key in acl number 4000 in system view | quit returns to system view; return returns to user view
RADIUS scheme view | Configure RADIUS parameters | [Sysname-radius-1] | Key in radius scheme 1 in system view | quit returns to system view; return returns to user view
RIP view | Configure RIP parameters | [Sysname-rip-1] | Key in rip in system view | quit returns to system view; return returns to user view
RIPng view | Configure RIPng parameters | [Sysname-ripng-1] | Key in ripng 1 in system view | quit returns to system view; return returns to user view
ISP domain view | Configure ISP domain parameters | [Sysname-isp-aabbcc.net] | Key in domain aabbcc.net in system view | quit returns to system view; return returns to user view
Basic System Configuration
Entering System View from User View
When logging in to the switch, you are in the user view, and the corresponding prompt is <Sysname>. Follow these operations and you can enter or exit the system view.
Use the quit command to return from the current view to the lower level view. Use the return command to return from the current view to user view. The key combination <Ctrl+Z> has the same effect as the return command.
Setting the CLI Language Mode
The switch can give prompt information either in Chinese or English. You can use the following command to change the language.
Table 40 Set the CLI language mode
Setting the System Name of the Switch
You can define the system name, which corresponds to the prompts in the CLI. For example, if you define the system name as 3Com, the prompt for user view is <3Com>.
Setting the Date and Time of the System
To ensure the coordination of the switch with other devices, you need to set the correct system time as follows:
Table 42 Set the date and time of the system
Set banner
Table 43 Set banner
Specifying Shortcut Keys for Command Lines
The system provides five shortcut keys to simplify the use of commonly used commands. As soon as you enter the corresponding shortcut key, the system executes the corresponding command.
Table 44 Specify shortcut keys for command lines
By default, the system specifies the corresponding command line for CTRL_G, CTRL_L,
and CTRL_O. The other two shortcut keys CTRL_T, and CTRL_U default to NULL.
■ CTRL_G corresponds to the display current-configuration command
(display the current configuration).
■ CTRL_L corresponds to the display ip routing-table command (display
information about IPv4 routing table).
■ CTRL_O corresponds to the undo debugging all command (disable the
debugging for all modules).
The above shortcut keys are defined by the system of the device. When you use terminal software to access the device, these shortcut keys may be defined as other instructions in the terminal software. In this case, the shortcut keys defined in the terminal software take effect.
User Level and Command Level Configuration
All commands belong to particular views by default and are categorized into four levels: visit, monitor, system, and manage, identified respectively by 0 through 3. If a user wants to acquire a higher privilege, he must switch to a higher user level, which requires a password for the sake of security.
The user level determines which commands users can use after login. For example, if the user level of the VTY 0 user interface is defined as 3, a user logging in to the switch from VTY 0 can use commands of level 3 or lower.
CAUTION: If you do not specify user level in the super password command, the
password is set for switching to the level 3 user.
Displaying the System Status 83
Displaying the System Status
You can use the following display commands to check the status and configuration information about the system.
■ Only the display commands related to global configurations are listed here. For the display commands about protocols and interfaces, refer to the corresponding contents.
■ If the switch boots without using any configuration file, nothing is displayed when you use the display saved-configuration command; if you have saved the configuration after system booting, the display saved-configuration command displays the configuration you saved last time.
Displaying Operating Information about System
When your Ethernet switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its own operating information display command(s). You can use the command here to display the current operating information about the modules (fixed when this command was designed) in the system for troubleshooting your system.
Table 49 Display the current operation information about the modules in the system.
■ display interface
■ display fib
■ display ip interface
■ display ip statistics
■ display memory
■ display logbuffer
■ display history-command
9 SYSTEM MAINTENANCE AND DEBUGGING
System Maintenance and Debugging Overview
System Maintenance Overview
You can use the ping command and the tracert command to verify the current network connectivity.
1 The source device sends ICMP ECHO-REQUEST packets to the destination device.
2 If the network is functioning properly, the destination device will respond by sending the
source device ICMP ECHO-REPLY packets after receiving the ICMP ECHO-REQUEST
packets.
3 If there is network failure, the source device will display information indicating that the
address is unreachable.
4 Display the relevant statistics after execution of the ping command.
For a low-speed network, set a larger value for the time-out timer (indicated by the -t
parameter in the command) when configuring the ping command.
86 CHAPTER 9: SYSTEM MAINTENANCE AND DEBUGGING
1 The source device sends a packet with a TTL value of 1 to the destination device.
2 The first hop (the router that has received the packet first) responds by sending a
TTL-expired ICMP message with its IP address encapsulated to the source. In this way, the
source device can get the address of the first router.
3 The source device sends a packet with a TTL value of 2 to the destination device.
4 The second hop responds with a TTL-expired ICMP message, which gives the source
device the address of the second router.
5 The above process continues until the ultimate destination device is reached. In this way,
the source device can trace the addresses of all the routers that have been used to get to
the destination device.
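The TTL-stepping exchange just described, written out as an added Python simulation rather than anything from the 3Com manual: the routers, the destination address and the message records are constructed, the destination's answer is reduced to a single reply type (a real tracert distinguishes a port-unreachable or echo reply), and a router that drops the probe without answering is shown as "*", the conventional display for a probe that hits the -w timeout. The max_ttl argument plays the role of the -m max-ttl parameter listed in Table 50.

```python
"""Simulation of how tracert discovers the routers on a path by sending probes
with increasing TTL. Added example, not 3Com code; the path is constructed from
documentation-range addresses."""

# Constructed path from the source to the destination: three routers, in order.
ROUTERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
DESTINATION = "198.51.100.10"


def forward(routers, destination, ttl, silent=frozenset()):
    """Forward one probe hop by hop. Each router decrements the TTL; the router at
    which it reaches 0 discards the probe and answers with a TTL-expired ICMP
    message carrying its own address. If the probe survives every router, the
    destination answers it. A router listed in `silent` (constructed failure
    mode) drops the probe and sends nothing back, so the caller sees no reply."""
    for router in routers:
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return None
            return {"type": "ttl-expired", "from": router}
    return {"type": "destination-reply", "from": destination}


def tracert(routers, destination, max_ttl=30, silent=frozenset()):
    """Send probes with TTL 1, 2, 3, ... until the destination answers or max_ttl
    (the -m max-ttl parameter) is exhausted. Returns the responder address per
    hop, with "*" where no reply arrived."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = forward(routers, destination, ttl, silent)
        hops.append("*" if reply is None else reply["from"])
        if reply is not None and reply["type"] == "destination-reply":
            break            # the final hop is the destination itself
    return hops


if __name__ == "__main__":
    for hop, addr in enumerate(tracert(ROUTERS, DESTINATION), start=1):
        print(hop, addr)
```

Two things the simulation makes visible that the step list does not: the probe count equals the hop count because each probe is discarded exactly once, and a destination beyond max_ttl simply never appears in the output, so an incomplete trace is not by itself evidence of a failure.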
System Debugging Overview
3Com Switch 4500G Family provides various ways for debugging most of the supported protocols and functions and for you to diagnose and locate the problems.
(Figure: debugging information output, showing how the protocol debugging switch in its ON and OFF states controls whether debugging information is produced)
System Maintenance and Debugging Configuration 87
System Maintenance and Debugging Configuration
System Maintenance Configuration
Table 50 System Maintenance Configuration
To do: Check the network connection
Use the command: ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i interface-type interface-number | -m interval | -n | -p pad | -q | -r | -s packet-size | -t timeout | -tos tos | -v ] * { ip-address | hostname }
Remarks: Any view
To do: Use the tracert command
Use the command: tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-num | -w timeout ] * { ip-address | hostname }
Remarks: Any view
System Debugging Configuration
Table 51 System debugging configuration
To do: Enable specified module debugging
Use the command: debugging { all [ timeout time ] | module-name [ option ] }
Remarks: User view
To do: Enable terminal debugging
Use the command: terminal debugging
Remarks: User view
To do: View the enabled debugging process
Use the command: display debugging [ interface interface-type interface-number ] [ module-name ]
Remarks: Any view
■ The debugging commands are normally used when the administrator is diagnosing
network failure.
■ Output of the debugging information may reduce system efficiency, especially during
execution of the debugging all command.
■ After the debugging is completed, users may use the undo debugging all
command to disable all the debugging functions simultaneously.
■ Use the debugging, terminal debugging and display debugging commands, and the debugging information will be displayed on the screen.
Configuration procedure
<3Com> tracert nis.nsf.net
traceroute to nis.nsf.net (10.1.1.4) 30 hops max, 40 bytes packet
1 128.3.112.1 19 ms 19 ms 0 ms
2 128.32.216.1 39 ms 39 ms 19 ms
3 128.32.136.23 39 ms 40 ms 39 ms
4 128.32.168.22 39 ms 39 ms 39 ms
5 128.32.197.4 40 ms 59 ms 59 ms
6 131.119.2.5 59 ms 59 ms 59 ms
7 129.140.70.13 99 ms 99 ms 80 ms
8 129.140.71.6 139 ms 239 ms 319 ms
9 129.140.81.7 220 ms 199 ms 199 ms
10 10.1.1.4 239 ms 239 ms 239 ms
10 DEVICE MANAGEMENT
You can define the file path and filename of a .btm, .app or .cfg file in the following forms:
■ Path + filename. It is a full filename, a string of 1 to 63 characters, standing for the file in the specified path.
■ Filename. It has only a filename, a string of 1 to 56 characters, standing for the file in the current path.
■ These files (.btm, .app or .cfg) can only be stored in the root directory of the Flash memory.
Introduction to Device Management
Through the device management function, you can view the current working state of devices, configure operation parameters, and perform daily device maintenance and management.
■ Rebooting a device
■ Specifying a scheduled device reboot.
■ Specifying an .app file for the next device reboot
■ Upgrading a BootROM file.
BootROM and Host Software Loading
Traditionally, the loading of switch software is accomplished through a serial port. This approach is slow, inconvenient, and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can conveniently load/download software and files to the switch through an Ethernet port.
This chapter introduces how to load BootROM and host software to a switch locally and
how to do this remotely.
The BootROM software version should be compatible with the host software version
when you load the BootROM and host software.
Local Software Loading
If your terminal is directly connected to the switch, you can load the BootROM and host software locally.
Before loading the software, make sure that your terminal is correctly connected to the switch to ensure successful loading.
The loading process of the BootROM software is the same as that of the host software,
except that during the former process, you should press <Ctrl+U> and <Enter> after
entering the Boot Menu and the system gives different prompts. The following text
mainly describes the BootROM loading process.
Boot Menu
Starting......
***********************************************************
* *
* 3Com Switch 4500G Family BOOTROM, Version 106 *
* *
***********************************************************
To enter the Boot Menu, you should press <Ctrl+B> within five seconds after the
information Press Ctrl-B to enter Boot Menu... appears. Otherwise, the system starts to
decompress the program; and if you want to enter the Boot Menu at this time, you will
have to restart the switch.
Input the correct BootROM password (no password is needed by default). The system enters the Boot Menu:
BOOT MENU
If you have chosen 9600 bps as the download baud rate, you need not modify the
HyperTerminal’s baud rate, and therefore you can skip step d and step e below and
proceed to step f directly. In this case, the system will not display the above information.
The following are the configurations on the PC, taking HyperTerminal on a Windows operating system as an example.
92 CHAPTER 10: DEVICE MANAGEMENT
e Click the <Disconnect> button to disconnect the HyperTerminal from the switch and
then click the <Connect> button to reconnect the HyperTerminal to the switch, as
shown in Figure 27.
The new baud rate takes effect only after you disconnect and reconnect the
HyperTerminal program.
f Press <Enter> to start downloading the program. The system displays the following
information:
Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Loading ...CCCCCCCCCC
g Choose [Transfer/Send File] in the HyperTerminal’s window, and click <Browse> in
pop-up dialog box, as shown in Figure 28. Select the software you need to download,
and set the protocol to XMODEM.
h Click <Send>. The system displays the page, as shown in Figure 29.
i After the download completes, the system displays the following information:
Loading ...CCCCCCCCCC done!
j Reset HyperTerminal’s baud rate to 9600 bps (refer to step d and step e). Then, press
any key as prompted. The system will display the following information when it
completes the loading.
Bootrom updating.....................................done!
■ If the HyperTerminal’s baud rate is not reset to 9600 bps, the system prompts "Your
baudrate should be set to 9600 bps again! Press enter key when ready".
■ You need not reset the HyperTerminal’s baud rate and can skip the last step if you
have chosen 9600 bps. In this case, the system upgrades BootROM automatically and
prompts Bootrom updating now.....................................done!.
2 Loading host software
Follow these steps to load the host software:
a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 3 in the above menu to download the host software using XMODEM.
The subsequent steps are the same as those for loading the BootROM software,
except that the system gives the prompt for host software loading instead of
BootROM loading.
BootROM and Host Software Loading 95
(Figure 30: the switch connects to the TFTP server through an Ethernet port and to the configuration PC through the Console port)
a As shown in Figure 30, connect the switch through an Ethernet port to the TFTP
server, and connect the switch through the Console port to the configuration PC.
You can use one PC as both the configuration device and the TFTP server.
b Run the TFTP server program on the TFTP server, and specify the path of the program
to be downloaded.
CAUTION: TFTP server program is not provided with the 3Com Switch 4500G Family
Ethernet Switches.
c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter
the Boot Menu.
At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
d Enter 1 in the above menu to download the BootROM software using TFTP. Then set the following TFTP-related parameters as required:
Load File name :4500G.btm
Switch IP address :1.1.1.2
Server IP address :1.1.1.1
e Press <Enter>. The system displays the following information:
Are you sure to update your bootrom? Yes or No(Y/N)
f Enter Y to start file downloading or N to return to the Bootrom update menu. If you
enter Y, the system begins to download and update the BootROM software. Upon
completion, the system displays the following information:
Loading........................................done
Bootrom updating..........done!
CAUTION: When loading BootROM and host software using the Boot Menu, it is recommended that you use the PC directly connected to the device as the TFTP server to improve upgrade reliability.
You can use the switch as an FTP client or a server, and download software to the switch
through an Ethernet port. The following is an example.
(Figure 31: the switch connects to the FTP server through an Ethernet port and to the configuration PC through the Console port)
a As shown in Figure 31, connect the switch through an Ethernet port to the FTP server,
and connect the switch through the Console port to the configuration PC.
You can use one computer as both configuration device and FTP server.
b Run the FTP server program on the FTP server, configure an FTP user name and
password, and copy the program file to the specified FTP directory.
c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter
the Boot Menu.
At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
d Enter 2 in the above menu to download the BootROM software using FTP. Then set
the following FTP-related parameters as required:
Load File name :4500G.btm
Switch IP address :10.1.1.2
Server IP address : 10.1.1.1
FTP User Name :4500G
FTP User Password :abc
e Press <Enter>. The system displays the following information:
Are you sure to update your bootrom?Yes or No(Y/N)
f Enter Y to start file downloading or N to return to the Bootrom update menu. If you
enter Y, the system begins to download and update the program. Upon completion,
the system displays the following information:
Loading........................................done
Bootrom updating..........done!
2 Loading host software
Follow these steps to load the host software:
a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 2 in the above menu to download the host software using FTP.
The subsequent steps are the same as those for loading the BootROM program, except
for that the system gives the prompt for host software loading instead of BootROM
loading.
When loading BootROM and host software using the Boot Menu, it is recommended that you use the PC directly connected to the device as the TFTP server to improve upgrade reliability.
Remote Software Loading
If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load BootROM and host software remotely.
(Figure: the PC acting as FTP server, 10.1.1.1, connects across the Internet to a GigabitEthernet port of the switch acting as FTP client)
When using different FTP server software on PC, different information will be output to
the switch.
b Update the BootROM program on the switch.
<3Com> bootrom update file 4500G.btm
This will update BootRom file ,Continue? [Y/N] y
Upgrading BOOTROM, please wait...
Upgrade BOOTROM succeeded!
c Restart the switch.
<3Com> reboot
Before restarting the switch, make sure you have saved all other configurations that you
want, so as to avoid losing configuration information.
Loading the host software is the same as loading the BootROM program, except that the file
to be downloaded is the host software file, and that you need to use the boot-loader
command to select the host software for the next reboot of the switch.
After the above operations, the BootROM and host software loading is completed.
■ The loading of BootROM and host software takes effect only after you restart the
switch with the reboot command.
■ If the space of the Flash memory is not enough, you can delete the useless files in the
Flash memory before software downloading.
■ No power-down is permitted during software loading.
2 Loading Process Using FTP Server
As shown in Figure 33, the switch is used as the FTP server. You can telnet to the switch,
and then execute the FTP commands to download the BootROM program 4500G.btm
from the switch.
Figure 33: the PC (FTP client, 10.1.1.1) reaches the switch (FTP server, 192.168.0.39) across the Internet.
a As shown in Figure 33, connect the switch through an Ethernet port to the PC (with IP
address 10.1.1.1).
b Configure the IP address of VLAN 1 on the switch to 192.168.0.39, and the subnet mask
to 255.255.255.0.
You can configure the IP address of any VLAN on the switch for FTP transmission.
However, before configuring the IP address of a VLAN interface, make sure that the IP
addresses of this VLAN interface and of the PC are mutually routable.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.39 255.255.255.0
c Enable the FTP service on the switch, and configure the FTP user name as test and the
password as pass.
[3Com-Vlan-interface1] quit
[3Com] ftp server enable
[3Com] local-user test
New local user added.
[3Com-luser-test] password simple pass
[3Com-luser-test] service-type ftp
d Start the FTP client software on the PC. Refer to Figure 34 for the command line interface
in the Windows operating system.
e Enter cd in the interface to switch to the path where the BootROM upgrade file is stored;
here the path is assumed to be D:\Bootrom, as shown in Figure 35.
f Enter ftp 192.168.0.39, then enter the user name test and the password pass, as shown in
Figure 36, to log on to the FTP server.
g Use the put command to upload the file 4500G.btm to the switch, as shown in
Figure 37.
h Configure 4500G.btm to be the BootROM at reboot, and then restart the switch.
<3Com> bootrom update file 4500G.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<3Com> reboot
When rebooting the switch, use the file 4500G.btm as BootROM to finish BootROM
loading.
Loading the host software is the same as loading the BootROM program, except that the file
to be downloaded is the host software file, and that you need to use the boot-loader
command to select the host software for the next reboot of the switch.
■ The steps listed above are performed in the Windows operating system. If you use other
FTP client software, refer to the corresponding user’s guide before operation.
■ Only the configuration steps concerning loading are illustrated here. For a detailed
description of the corresponding configuration commands, refer to the chapter File
System Management.
Device Management Configuration
Rebooting an Ethernet Switch
When a fault occurs to a running device, you can remove the fault by rebooting it,
depending on the actual situation. You can also set a time at which the device
automatically reboots.
Table 52 Reboot an Ethernet switch
The precision of the switch timer is 1 minute. That is, with the timed reboot function
enabled, the switch reboots within one minute after the scheduled reboot time is reached.
Specifying the App File to be Used for the Next Startup
If multiple .app files reside in the Flash, you can specify the one to be used for the next
startup by performing the operation listed in Table 53.
Table 53 Specify the .app file to be used for the next startup
Upgrading BootROM
During the operation of the device, you can use the BootROM programs in the Flash to
upgrade the running BootROM programs.
Since the BootROM files of switching processing units (SRPUs) and line processing units
(LPUs) vary with devices, users can easily confuse them and make serious mistakes when
upgrading BootROM files. After the validity check function is enabled, the device strictly
checks the BootROM upgrade files for correctness and version configuration information
to ensure a successful upgrade. It is recommended that you enable the validity check
function before upgrading BootROM files.
Clearing the Unused 16-Bit Interface Index in the Current System
In a real network, network management software requires the device to provide unified and
stable 16-bit interface indexes; that is, it is best for one interface name to match one
interface index on a device.
To ensure the stability of the interface index, the system keeps the 16-bit interface index
of an interface even if the logical interface or the card is removed from the system. In
this way, the interface index stays unchanged when the interface is created again.
Repeated insertion and removal of different sub cards or interface cards, or creating and
deleting a large number of logical interfaces of different types, may use up the interface
indexes. If so, you may fail to create an interface. To avoid this, you can perform the
following configuration in user view to clear the saved but unused 16-bit interface indexes
in the current system.
■ For a newly created interface, the new index is not guaranteed to be identical to the
original one.
■ For an existing interface, the interface index is not changed.
Table 55 Clear the unused 16-bit interface index in the current system
CAUTION: Your confirmation is needed when the command is executed. If you do not
confirm within 30 seconds, or input N, the operation is canceled.
Displaying the Device Management Configuration
After the above configurations, you can execute the display command in any view to
display the operating status of device management and verify the configuration effects.
Table 56 Display the operating status of the device management
Network diagram: the user Telnets to the switch across the network.
Configuration procedure
1 Configure the FTP-Server
■ Set the FTP username to aaa and password to hello.
■ Configure users to have access to the directory.
2 Configure the switch as follows:
CAUTION: If the Flash memory of the switch is not sufficient, delete the original
applications in it before downloading the new ones.
1 Execute the telnet command on the PC to log into the switch.
<3Com> ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):switch
331 Password required for switch.
Password:
230 User logged in.
[ftp]
2 Enter the authorized path on the FTP server.
[ftp] cd switch
3 Execute the get command to download the switch.app and boot.btm files on the FTP
server to the Flash memory of the switch.
[ftp] get switch.app
[ftp] get boot.btm
4 Execute the quit command to terminate the FTP connection and return to user view.
[ftp] quit
<3Com>
5 Enter system view
<3Com> system-view
System View: return to User View with Ctrl+Z.
File System Management
Overview
A major function of the file system is to manage storage devices. It allows you to perform
operations such as directory create and delete, and file copy and display.
operations such as directory create and delete, and file copy and display.
If an operation, delete or overwrite for example, may cause problems such as data loss or
corruption, the file system will ask you to confirm the operation by default.
Depending on the managed object, file system operations fall into directory operations,
file operations, storage device operations, and file system prompt mode setting.
Directory Operations
Directory operations include create, delete, display the current directory, and display
files or subdirectories in a specific directory, as shown in Table 57.
File Operations
File operations include delete (moving files into the recycle bin), restore deleted files,
permanently delete (removing files from the recycle bin), display, rename, copy, and move,
as shown in Table 58.
CAUTION: You can create a file by using operations such as copy, download or save.
CAUTION:
■ Empty the recycle bin regularly with the reset recycle-bin command to save
memory space.
■ As the delete /unreserved file-url command deletes a file permanently
and the action cannot be undone, use it with caution.
■ You can only move a file within the same device. The move command fails if you try to
move a file to another device.
Storage Device Operations
Storage device operations include disk fix and format, as shown in Table 59. You may use
these two commands when some space on a storage device becomes inaccessible, for example
as the result of an abnormal operation.
CAUTION: Use caution when formatting the storage device (usually the Flash) where the
configuration file is stored, as the operation can destroy all data on the storage device
and the action cannot be undone.
File System Prompt Mode Setting
The file system provides the following two prompt modes:
■ Alert, where the system warns you about operations that may bring undesirable
consequences such as file corruption or data loss.
■ Quiet, where the system gives no such warning in any case. To prevent undesirable
consequences resulting from misoperations, the alert mode is preferred.
File System Operations Example
1 Display the files under the root directory.
<3Com> dir
Directory of flash:/
Configuration File Management
Main/backup attributes
The main and backup attributes allow the device to keep configuration files with the
corresponding attributes. When the main configuration file is corrupted or lost, the
backup configuration file can be used to start or configure the device. Compared with
systems supporting only one type of configuration file, the main/backup configuration
file mechanism enhances the security and reliability of the file system. The main keyword
represents the main attribute of a configuration file, and the backup keyword represents
the backup attribute. You can use the corresponding commands to configure the main/backup
attributes of a configuration file. A configuration file can be configured with both the
main attribute and the backup attribute at the same time. However, a device can have only
one configuration file with a given attribute at a time.
The main and backup attributes are mainly used as follows in file system.
■ You can specify the main/backup/common attribute of the configuration file when
saving the current configuration.
■ You can specify to erase the main configuration file or the backup configuration file
when you erase the configuration file in the device. For the configuration file with
both the main attribute and the backup attribute, you can specify to erase the main
attribute or backup attribute of the configuration file.
■ You can specify the main/backup attribute of a configuration file when you specify
the configuration file to be used the next time.
Saving Running Configuration
You can modify the running configuration of your device at the command line interface
(CLI). To use it at the next startup, you need to save it to the startup configuration file
with the save command before rebooting the system.
You can save the current configuration in one of the following two ways:
■ It is recommended that you adopt the fast saving mode under conditions of stable
power, and the safe mode under conditions of unstable power or remote maintenance.
■ The extension of a configuration file must be cfg.
Erasing the Startup Configuration File
You may erase the startup configuration file by using the command shown in Table 62. If no
startup configuration is available, the default parameters are used.
You may need to erase the startup configuration file for one of these reasons:
■ After you upgrade software, the old configuration file does not match the new
software.
■ The startup configuration file is destroyed or is not the one you need.
When you erase a configuration file, the following cases may occur:
Specifying a Configuration File for Next Startup
You can set the main/backup attributes of a configuration file. The attribute of a
configuration file is generated in two ways, as described below.
Set the main attribute of the startup configuration file
■ When the current configuration is saved into the main configuration file, the system
will automatically adopt the main configuration file as the main startup configuration
file.
■ Use the startup saved-configuration cfgfile [ main ] command to set a
configuration file as the main startup configuration file.
CAUTION: This operation can delete the configuration file from the device permanently,
so perform it with care.
You can only back up and restore the main configuration file.
■ Before restoring the configuration file, make sure that the route between the device
and the server is reachable, that TFTP is enabled at the server end, and that the client on
which you will perform the backup and restoration operations has the corresponding
read/write permission.
■ After the command is executed successfully, use the display startup command
in user view to check whether the name of the configuration file for next startup is
consistent with the filename argument, and then use the dir command to check
whether the restored configuration file for next startup exists.
Displaying and Maintaining Device Configuration
Table 66 Displaying and maintaining device configuration
To do                                    Use the command                                         Remarks
Display the contents of the startup      display saved-configuration [ by-linenum ]              Available in any view
configuration file
Display the configuration file used      display startup                                         Available in any view
for this and next startup
Display the running configuration        display this [ by-linenum ]                             Available in any view
in current view
Display running configuration            display current-configuration [ configuration           Available in any view
                                         [ configuration-type ] | interface [ interface-type ]
                                         [ interface-number ] ] [ by-linenum ]
                                         [ | { begin | include | exclude } text ]
Configuration files are displayed in the same format in which they are saved.
FTP Configuration
Overview
FTP (file transfer protocol) is commonly used in IP-based networks to transmit files. Before
the World Wide Web came into being, files were transferred from the command line, and the
most popular application was FTP. At present, although e-mail and the Web are the usual
methods for file transmission, FTP still has its strongholds.
An Ethernet switch can act as an FTP client or the FTP server in FTP-employed data
transmission:
■ FTP server
An Ethernet switch can operate as an FTP server to provide file transmission services for
FTP clients. You can log into a switch operating as an FTP server by running an FTP client
program on your PC to access files on the FTP server. Before you log into the FTP server,
the administrator must configure an IP address for it.
■ FTP client
A switch can operate as an FTP client, through which you can access files on FTP servers.
In this case, you need to establish a connection between your PC and the switch through
a terminal emulation program or Telnet and then execute the ftp command on your
PC.
The configurations needed when a switch operates as an FTP client are shown in
Table 67.
The configurations needed when a switch operates as an FTP server are shown in
Table 68.
CAUTION: The FTP-related functions require that the route between an FTP client and the
FTP server is reachable.
Configuring the FTP Client
Table 69 lists the operations that can be performed on an FTP client.
Table 69 Configurations on an FTP client
CAUTION: FTP-based file transmission is performed in the following two modes: Binary
mode for program file transfer and ASCII mode for text file transfer.
■ The ls command queries only the names of all files and directories, while the dir
command queries the details of all files and directories.
For more information about authentication and authorization commands, refer to the
AAA-RADIUS-TACACS+ chapter of this manual.
On the FTP server, an FTP user account has been created for the FTP client, with the
username being abc and the password being pwd.
Network diagram
Figure 40 Network diagram for FTPing a startup file from an FTP Server
Configuration procedure
1 Check files on your device. Remove those redundant to ensure adequate space for the
APP file to be downloaded.
<3Com> dir
Directory of flash:/
0 drw- - Dec 07 2005 10:00:57 filename
1 drw- - Jan 02 2006 14:27:51 logfile
2 -rw- 1216 Jan 02 2006 14:28:59 config.cfg
3 -rw- 1216 Jan 02 2006 16:27:26 backup.cfg
4 -rw- 184108 May 26 2006 18:02:16 aaa.bin
15240 KB total (2511 KB free)
<3Com> delete flash:/backup.cfg
2 Download the APP file from the server.
<3Com> ftp 10.1.1.1
Trying 10.1.1.1...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):abc
331 Password required for abc.
Password:
230 User logged in.
[ftp] binary
200 Type set to I
[ftp] get aaa.bin bbb.bin
The APP file for next startup specified by boot-loader command must be saved
under the root directory. You can use copy or move operation to change its path.
Network diagram
Figure 41 Network diagram for FTPing a startup file to the FTP server
Configuration procedure
1 Configure the Ethernet Switch
a Create an FTP user account, setting its username and password.
<3Com> system-view
[3Com] local-user abc
[3Com-luser-abc] service-type ftp
[3Com-luser-abc] password simple pwd
b Authorize the access of the user account to certain directory.
[3Com-luser-abc] service-type ftp ftp-directory flash:/
c Validate the authorized directory.
[3Com-luser-abc] quit
[3Com] domain system
[3Com-isp-system] authorization login local
d Enable FTP server.
[3Com] ftp server enable
[3Com] quit
e Check files on your device. Remove those redundant to ensure adequate space for the
APP file to be uploaded.
<3Com> dir
Directory of flash:/
0 drw- - Dec 07 2005 10:00:57 filename
1 drw- - Jan 02 2006 14:27:51 logfile
2 -rw- 1216 Jan 02 2006 14:28:59 config.cfg
3 -rw- 1216 Jan 02 2006 16:27:26 back.cfg
4 drw- - Jan 02 2006 15:20:21 ftp
5 -rw- 184108 May 26 2006 18:02:16 aaa.bin
15240 KB total (2511 KB free)
<3Com> delete flash:/back.cfg
2 Configure the PC
a Upload the APP file to the FTP server.
c:\> ftp 1.1.1.1
ftp> put aaa.bin bbb.bin
■ When upgrading the configuration file with FTP, put the new file under the root
directory.
■ When upgrading the BootROM program with FTP remotely, you must execute the
bootrom update command after the file transfer is completed.
b Specify the main APP file for next startup with the boot-loader command.
<3Com> boot-loader file bbb.bin main
<3Com> reboot
CAUTION: The APP file for next startup must be saved under the root directory.
TFTP Configuration
Overview
The trivial file transfer protocol (TFTP) provides functions similar to those provided by
FTP, but it is not as complex as FTP in its interactive access interface and authentication.
Therefore, it is more suitable where complex interaction between client and server is not
needed.
TFTP uses the UDP service for data delivery. In TFTP, file transfer is initiated by the client.
In a normal file downloading process, the client sends a read request to the TFTP server,
receives data from the server, and then sends the acknowledgement to the server.
In a normal file uploading process, the client sends a write request to the TFTP server,
sends data to the server, and receives the acknowledgement from the server.
TFTP transfers files in two modes: binary for program files and ASCII for text files.
Table 73 describes the operations needed when a switch operates as a TFTP client.
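As an added example that is not part of the manual, the following Python script plays both sides of the exchanges described above between a one-shot in-memory TFTP server and a client on UDP loopback: a download (read request, DATA blocks from the server, an ACK from the client for each block) and an upload (write request, ACK from the server, DATA blocks from the client). The in-memory server, the run_exchange helper and the constructed SAMPLE_IMAGE are assumptions made for this example; no switch or PC is involved.

```python
"""TFTP (RFC 1350) read/write exchange over UDP loopback. Added example; see lead-in."""
import socket
import struct
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # a DATA block shorter than 512 bytes marks the end of the file

def build_request(opcode, filename, mode="octet"):
    # RRQ/WRQ layout: opcode | filename | 0 | mode | 0  ("octet" = binary, "netascii" = ASCII)
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_request(pkt):
    opcode = struct.unpack("!H", pkt[:2])[0]
    filename, mode, _ = pkt[2:].split(b"\0", 2)
    return opcode, filename.decode(), mode.decode().lower()

def send_file(sock, peer, data):
    """Sending side: DATA block n, wait for ACK n, repeat until a short block is sent."""
    block = 1
    while True:
        chunk = data[(block - 1) * BLOCK: block * BLOCK]
        sock.sendto(struct.pack("!HH", DATA, block) + chunk, peer)
        ack, _ = sock.recvfrom(1024)
        assert struct.unpack("!HH", ack[:4]) == (ACK, block), "expected ACK %d" % block
        if len(chunk) < BLOCK:
            return block
        block += 1

def recv_file(sock):
    """Receiving side: collect DATA blocks, ACK each one, stop at the first short block."""
    out = b""
    while True:
        pkt, peer = sock.recvfrom(BLOCK + 4)
        op, block = struct.unpack("!HH", pkt[:4])
        if op == ERROR:
            raise IOError(pkt[4:-1].decode())
        out += pkt[4:]
        sock.sendto(struct.pack("!HH", ACK, block), peer)  # ACK goes back to the data sender
        if len(pkt) - 4 < BLOCK:
            return out

def serve_once(sock, files):
    """One-shot server: handle a single RRQ or WRQ; `files` is an in-memory name -> bytes store."""
    pkt, peer = sock.recvfrom(1024)
    opcode, name, mode = parse_request(pkt)
    if mode != "octet":  # this toy server only speaks binary (octet) mode
        sock.sendto(struct.pack("!HH", ERROR, 0) + b"octet mode only\0", peer)
    elif opcode == RRQ:
        if name not in files:
            sock.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", peer)
        else:
            send_file(sock, peer, files[name])
    elif opcode == WRQ:
        sock.sendto(struct.pack("!HH", ACK, 0), peer)  # a WRQ is acknowledged with block 0
        files[name] = recv_file(sock)

def tftp_get(server, name):
    """Client download, like 'tftp <server> get aaa.bin'; returns the file content."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(5)
    try:
        s.sendto(build_request(RRQ, name), server)
        return recv_file(s)
    finally:
        s.close()

def tftp_put(server, name, data):
    """Client upload, like 'tftp <server> put config.cfg'; returns the number of DATA blocks."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(5)
    try:
        s.sendto(build_request(WRQ, name), server)
        ack, peer = s.recvfrom(1024)
        assert struct.unpack("!HH", ack[:4]) == (ACK, 0), "WRQ was not acknowledged"
        return send_file(s, peer, data)
    finally:
        s.close()

def run_exchange(files, op, name, data=None):
    """Start a one-shot server on 127.0.0.1 and run one client operation against it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5)
    worker = threading.Thread(target=serve_once, args=(srv, files))
    worker.start()
    try:
        if op == "get":
            return tftp_get(srv.getsockname(), name)
        return tftp_put(srv.getsockname(), name, data)
    finally:
        worker.join()
        srv.close()

# Constructed sample image: 1284 bytes, so a download takes three DATA blocks (512, 512, 260).
SAMPLE_IMAGE = bytes(range(256)) * 5 + b"tail"
```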
Configuring the TFTP Client
Follow these steps to configure the TFTP client:
Table 74 Configurations on a TFTP client
■ The PC uses IP address 1.2.1.1/16, and a TFTP working directory has been defined for the
client.
■ On your device, VLAN interface 1 is assigned IP address 1.1.1.1/16, and the port
connected to the PC belongs to the same VLAN.
■ TFTP an APP file from the PC for upgrading, and a configuration file to the PC for backup.
Network diagram
Configuration procedure
1 On PC
Enable TFTP server and configure a TFTP working directory for the TFTP client.
2 On Device
CAUTION: If available space on the Flash memory of the switch is not enough to hold
the file to be uploaded, you need to delete files from the Flash memory to make room
for the new file.
a Enter system view.
<Sysname> system-view
b Assign VLAN interface 1 an IP address 1.1.1.1/16, making sure that the port
connected to PC belongs to the same VLAN.
[Sysname] interface vlan-interface 1
[Sysname-vlan-interface1] ip address 1.1.1.1 255.255.0.0
[Sysname-vlan-interface1] return
c Download an application file aaa.bin from the TFTP server. (Before that, make sure
that adequate memory is available.)
<Sysname> tftp 1.2.1.1 get aaa.bin bbb.bin
d Upload a configuration file config.cfg to the TFTP server.
<Sysname> tftp 1.2.1.1 put config.cfg config.cfg
e Specify the APP file for next startup with the boot-loader command.
<Sysname> boot-loader file bbb.bin
<Sysname> reboot
CAUTION: The APP file for next startup must be saved under the root directory. You can
use copy or move operation to change its path.
12 VLAN CONFIGURATION
VLAN Overview
Introduction to VLAN
The virtual local area network (VLAN) technology is developed for switches to control
broadcast operations in LANs.
By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs,
each of which has a broadcast domain of its own. Hosts in the same VLAN communicate
with each other as if they are in a LAN. However, hosts in different VLANs cannot
communicate with each other directly. In this way, broadcast packets are confined within
a VLAN. Figure 44 illustrates a VLAN implementation.
Figure 44: VLAN A and VLAN B on a LAN switch and a router, each VLAN spanning both devices.
A VLAN can span multiple switches, or even routers. This enables hosts in a VLAN to be
dispersed more loosely. That is, hosts in a VLAN can belong to different physical network
segments.
■ Broadcasts are confined to VLANs. This decreases bandwidth utilization and improves
network performance.
■ Network security is improved. VLANs cannot communicate with each other directly.
That is, hosts in different VLANs cannot communicate with each other directly. To
enable communications between different VLANs, network devices operating on
Layer 3 (such as routers or Layer 3 switches) are needed.
■ Configuration workload is reduced. VLANs can be used to group specific hosts. When
the physical position of a host changes, no additional network configuration is
required if the host still belongs to the same VLAN.
VLAN Classification
Depending on how VLANs are established, VLANs fall into the following six categories:
■ Port-based VLAN
■ MAC-based VLAN
■ Protocol-based VLAN
■ IP sub network-based VLAN
■ Policy-based VLAN
■ Other VLAN
3Com Switch 4500G Ethernet Switch supports the port-based VLAN. This chapter
focuses on the port-based VLAN.
Basic VLAN Configuration
Table 75 Basic VLAN configuration
To do…                              Use the command…                    Remarks
Enter system view                   system-view                         –
Create VLAN                         vlan { vlan-id1 [ to vlan-id2 ] }   Optional. This command is mainly used to
                                                                        create multiple VLANs.
Enter VLAN view                     vlan vlan-id                        Required. If the specified VLAN does not
                                                                        exist, this command will first create the
                                                                        VLAN, and then enter VLAN view.
Specify the description string      description text                    Optional. By default, the description
of the VLAN                                                             string of a VLAN is its VLAN ID, such as
                                                                        “VLAN 0001”.
Exit VLAN view                      quit                                –
Basic VLAN Interface Configuration
A VLAN interface is a virtual interface in Layer 3 mode, mainly used to realize Layer 3
connectivity between different VLANs.
Table 76 Configure a VLAN interface
Before creating a VLAN interface, the corresponding VLAN must exist. Otherwise, you
cannot create the VLAN interface successfully.
Port-Based VLAN Configuration
Introduction of Port-Based VLAN
Port-based VLAN is the simplest and most effective VLAN division method. It defines VLAN
members according to the ports of a switch. After a specified port is added to a specified
VLAN, the port can forward the packets of that VLAN.
The difference between the hybrid port and the trunk port is that:
■ A hybrid port allows the packets from multiple VLANs to be sent without tags.
■ A trunk port only allows the packets from the default VLAN to be sent without tags.
Default VLAN
You can configure the VLANs allowed to pass through a port. In addition, you can also
configure a default VLAN for the port. By default, the default VLAN of all ports is VLAN 1,
but you can configure it as needed.
■ An access port can only belong to one VLAN, so its default VLAN is the VLAN it belongs
to, and you do not need to configure it.
■ Both trunk ports and hybrid ports allow multiple VLANs to pass through. You can
configure the default VLAN for them.
■ After you delete the default VLAN of a port through the undo vlan command, the default
VLAN of an access port is restored to VLAN 1, while the default VLAN configuration of a
trunk or hybrid port remains unchanged; that is, a trunk port or hybrid port can use the
now nonexistent VLAN as its default VLAN.
After the default VLAN is configured, a port receives and sends packets in different ways.
Refer to the following table for details:
Access port
  Received without tag: add the default VLAN tag to the packet.
  Received with tag: receive the packet when the VLAN ID (recorded in the tag) is the same
  as the default VLAN ID; drop the packet when the VLAN ID is different from the default
  VLAN ID.
  Send packets: send the packet directly, since its VLAN ID is just the default VLAN ID.
Trunk port
  Received without tag: add the default VLAN tag to the packet.
  Received with tag: receive the packet when the VLAN ID (recorded in the tag) is the same
  as the default VLAN ID; receive the packet when the VLAN ID is different from the default
  VLAN ID but is allowed to pass through the port; drop the packet when the VLAN ID is
  different from the default VLAN ID and is not allowed to pass through the port.
  Send packets: when the VLAN ID is the same as the default VLAN ID, remove the tag of the
  packet first and then send the packet; when the VLAN ID is different from the default
  VLAN ID, keep the original tag and send the packet.
Hybrid port
  Received without tag: add the default VLAN tag to the packet.
  Received with tag: the same as for a trunk port.
  Send packets: when the VLAN ID is the same as the default VLAN ID, remove the tag of the
  packet first and then send the packet; when the VLAN ID is different from the default
  VLAN ID, send the packet, and you can configure whether the sent packet carries the tag
  or not through the port hybrid vlan vlan-id-list { tagged | untagged } command.
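The following Python model, added here and not taken from the manual, encodes the receive and send rules of the table above for access, trunk and hybrid ports, and also shows what happens when the two ends of a trunk link disagree on the default VLAN ID (the mismatch the trunk and hybrid configuration notes later warn about). The Port class, the forward and across_trunk helpers, and the sample ports are assumptions made for this example.

```python
"""Ingress/egress model for access, trunk and hybrid ports. Added example; see lead-in."""
from dataclasses import dataclass, field

@dataclass
class Port:
    link_type: str                                  # "access", "trunk" or "hybrid"
    pvid: int = 1                                   # default VLAN; VLAN 1 on every port by default
    permitted: set = field(default_factory=set)     # VLANs allowed to pass a trunk/hybrid port
    untagged: set = field(default_factory=set)      # hybrid only: VLANs sent without a tag

    def __post_init__(self):
        if self.link_type == "access":
            self.permitted = {self.pvid}            # an access port belongs to exactly one VLAN
        elif self.link_type == "trunk":
            self.untagged = set()                   # a trunk strips the tag of PVID traffic only

def receive(port, vlan_tag):
    """Classify a received frame; vlan_tag is None for an untagged frame.
    Returns (accepted, vlan_id) where vlan_id is the VLAN the frame is forwarded in."""
    if vlan_tag is None:
        return True, port.pvid                      # any port type: tag it with the default VLAN
    if vlan_tag == port.pvid:
        return True, vlan_tag                       # tag equals the default VLAN ID: accept
    if port.link_type != "access" and vlan_tag in port.permitted:
        return True, vlan_tag                       # trunk/hybrid: permitted VLAN, keep its tag
    return False, None                              # access port with a foreign tag, or not permitted

def send(port, vlan_id):
    """Decide how a frame of vlan_id leaves the port: 'untagged', 'tagged', or None (not sent)."""
    if vlan_id == port.pvid:
        return "untagged"                           # default VLAN: tag removed before sending
    if port.link_type == "access" or vlan_id not in port.permitted:
        return None                                 # access ports only carry their own VLAN
    if port.link_type == "hybrid" and vlan_id in port.untagged:
        return "untagged"                           # port hybrid vlan ... untagged
    return "tagged"                                 # trunk, or port hybrid vlan ... tagged

def forward(vlan_tag, ingress, egress):
    """Frame enters `ingress`, is switched within its VLAN, and leaves `egress`.
    Returns (vlan_id, how_sent) or None if either port drops it."""
    accepted, vlan_id = receive(ingress, vlan_tag)
    if not accepted:
        return None
    how = send(egress, vlan_id)
    return None if how is None else (vlan_id, how)

def across_trunk(vlan_id, local_trunk, remote_trunk):
    """VLAN a frame of vlan_id ends up in after crossing a trunk link, or None if dropped.
    PVID traffic crosses the link untagged, and the far end classifies untagged frames into
    *its* default VLAN, which is why both ends must agree on the default VLAN ID."""
    how = send(local_trunk, vlan_id)
    if how is None:
        return None
    accepted, remote_vlan = receive(remote_trunk, None if how == "untagged" else vlan_id)
    return remote_vlan if accepted else None

# Constructed sample: Switch A's GigabitEthernet1/0/1 from the configuration example
# (trunk, default VLAN 100, permits VLAN 2, 6 through 50 and 100).
SWITCH_A_TRUNK = Port("trunk", pvid=100, permitted={2, 100} | set(range(6, 51)))
```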
Configuring an Access Port-Based VLAN
You can add an access port to a specified VLAN in two ways: configure it in VLAN view,
or configure it in Ethernet port view/port group view.
Table 78 Configure an access port-based VLAN (in VLAN view)
Table 79 Configure an access port-based VLAN (in Ethernet port view or port group view)
Configuring a Trunk Port-Based VLAN
A trunk port allows multiple VLANs to pass, but you can only configure it in Ethernet port
view/port group view.
■ A trunk port and a hybrid port cannot switch to each other directly but must be
configured as an access port first. For example, a trunk port cannot be configured to
be a hybrid port directly; you must specify it as an access port first, and then specify it
as a hybrid port.
■ The default VLAN ID of the trunk port on the local switch must be the same as that of
the trunk port on the opposite switch. Otherwise, the packets cannot be transmitted
correctly.
Configuring a Hybrid Port-Based VLAN
A hybrid port allows multiple VLANs to pass, but you can only configure it in Ethernet
port view/port group view.
■ A trunk port and a hybrid port cannot switch to each other directly but must be
configured as an access port first. For example, a trunk port cannot be configured to
be a hybrid port directly. You must specify it as an access port first, and then specify it
as a hybrid port.
■ The VLANs configured to be permitted to pass through a hybrid port must exist.
■ The default VLAN ID of the hybrid port on the local switch must be the same as that
of the hybrid on the opposite switch. Otherwise, the packets cannot be transmitted
correctly.
Displaying VLAN Configuration
After the above configuration, you can execute the display command in any view to
view the running VLAN configuration, and to verify the effect of the configuration.
VLAN Configuration Example
Network Requirements
■ Switch A connects with Switch B through the trunk port GigabitEthernet1/0/1.
■ The default VLAN ID of the port is 100.
■ The port permits the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to
pass.
Network Diagram
Figure 45 Configure packets to pass through the default VLAN: Switch A and Switch B connected through GigabitEthernet1/0/1.
Configuration Procedure
1 Configure Switch A
a Create VLAN 2, VLAN 6 through VLAN 50 and VLAN 100.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] vlan 100
[3Com-vlan100] vlan 6 to 50
Please wait... Done.
b Enter Ethernet port view of GigabitEthernet1/0/1.
[3Com] interface GigabitEthernet 1/0/1
c Configure GigabitEthernet1/0/1 as a trunk port, and configure its default VLAN ID as
VLAN 100.
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 100
d Configure GigabitEthernet1/0/1 to permit the packets from VLAN 2, VLAN 6 through
50, and VLAN 100 to pass.
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
2 Configuration on Switch B is the same as that on Switch A.
13 VOICE VLAN CONFIGURATION
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice data streams. By adding the ports
with voice devices attached to voice VLANs, you can perform QoS (quality of
service)-related configuration for voice data, ensuring the transmission priority of the
voice data stream and voice quality.
The Switch 4500G determines whether a received packet is a voice packet by checking
its source MAC address. If the source MAC addresses of packets comply with the
organizationally unique identifier (OUI) addresses configured by the system, the packets
are determined as voice packets and transmitted in voice VLAN.
You can configure an OUI address for voice packets or specify to use the default OUI
address.
The following table shows the five default OUI addresses of a switch.
■ An OUI address is a globally unique identifier assigned to a vendor by IEEE. You can
determine which vendor a device belongs to according to the OUI address which
forms the first 24 bits of a MAC address.
■ You can add or delete the default OUI address manually.
Automatic Mode and Manual Mode of Voice VLAN
A voice VLAN can operate in two modes: automatic mode and manual mode. You can
configure the operation mode for a voice VLAN according to the data stream passing
through the ports of the voice VLAN.
■ In automatic mode, the system identifies the source MAC address contained in the
untagged packet sent when the IP phone is powered on and matches it against the
OUI addresses. If a match is found, the system will automatically add the port into the
Voice VLAN and send ACL rules to ensure the packet precedence. An aging time can
be configured on the device. The system will remove a port from the voice VLAN if no
voice packets are received from it within the aging time. The adding and deleting of
ports are automatically realized by the system.
■ In manual mode, the administrator adds the IP phone access port to the voice VLAN
directly. The system then identifies the source MAC address contained in each packet,
matches it against the OUI addresses, and decides whether to forward the packet in the
voice VLAN. The ACL rules are issued when the administrator adds a port to or removes
a port from the voice VLAN. In this mode, ports are added and removed by the
administrator.
■ Both modes forward tagged packets in the same manner: based on the VLAN ID
contained in the packet.
The two working modes are configured in Ethernet interface view only. Different ports can
be configured to work in different modes.
The following lists the relationship between the working mode of the voice VLAN, the voice
stream type of the IP phone, and the link type of the port to which the phone is attached.

Automatic mode, tagged voice stream:
■ Access port: not supported.
■ Trunk port: supported. Make sure the default VLAN of the port exists and is not a voice
VLAN, and that the port permits the packets of the default VLAN.
■ Hybrid port: supported. Make sure the default VLAN of the port exists and is in the list of
tagged VLANs whose packets are permitted by the port.
Automatic mode, untagged voice stream:
■ Access, trunk or hybrid port: not supported, because the default VLAN of the port would
have to be the voice VLAN, which already places the port in the voice VLAN. Add the port
to the voice VLAN manually instead.
Manual mode, tagged voice stream:
■ Access port: not supported.
■ Trunk port: supported. Make sure the default VLAN of the port exists and is not a voice
VLAN, and that the port permits the packets of the default VLAN.
■ Hybrid port: supported. Make sure the default VLAN of the port exists and is in the list of
tagged VLANs whose packets are permitted by the port.
Manual mode, untagged voice stream:
■ Access port: supported. Make sure the default VLAN of the port is a voice VLAN.
■ Trunk port: supported. Make sure the default VLAN of the port is a voice VLAN and the
port permits the packets of that VLAN.
■ Hybrid port: supported. Make sure the default VLAN of the port is a voice VLAN and is in
the list of untagged VLANs whose packets are permitted by the port.
CAUTION:
■ If the voice stream transmitted by your IP phone is VLAN-tagged and the port to which
the IP phone is attached has 802.1x authentication and an 802.1x guest VLAN enabled,
assign different VLAN IDs to the voice VLAN, the default VLAN of the port, and the
802.1x guest VLAN so that both functions operate properly.
■ If the voice stream transmitted by the IP phone is untagged, the default VLAN of the
port to which the IP phone is attached can only be configured as a voice VLAN for the
voice VLAN function to take effect. In this case, 802.1x authentication is unavailable.
■ The default VLAN of all ports is VLAN 1. You can use the corresponding command to
specify a default VLAN for a port and to allow certain VLANs to pass through the port.
For the related commands, see “1.4 Port-Based VLAN”.
■ Use the display interface command to display the VLANs allowed to pass
through a port and the default VLAN of the port.
Security Mode and Ordinary Mode of Voice VLAN
A voice VLAN works in security mode or ordinary mode according to the packet filtering
rule of the port enabled with the voice VLAN function.
■ In security mode, a port with the voice VLAN function enabled allows only voice packets
whose source MAC address matches a recognized OUI address. Other packets are
discarded (including some authentication packets, such as 802.1x authentication
packets).
■ In ordinary mode, a port with the voice VLAN function enabled allows both voice packets
and other types of packets to pass. Voice packets are subject to the filtering rule of the
voice VLAN and other types of packets to the filtering rule of the ordinary VLAN.
You are recommended not to transmit voice data and other service data in a voice VLAN
simultaneously. If you need to do so, make sure you have disabled the security mode of
the voice VLAN.
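The following Python model is an added illustration of the behaviour described in the three sections above (OUI matching, automatic versus manual mode with aging, and security versus ordinary mode); it is not part of the guide and not 3Com code. The class and function names, the "forwarded"/"dropped" result strings, the `vlan_id` argument (the tag of the frame, or the port's default VLAN for an untagged frame) and the simplifications noted in the comments are the author's assumptions. The OUI and aging time are taken from the configuration example later in this chapter.

```python
"""Model of the voice VLAN behaviour described above: the OUI match on the
source MAC, automatic-mode port admission and aging, and the security-mode
filter. Added illustration only; this is not 3Com code. The class and
function names, the 'forwarded'/'dropped' result strings and the
simplifications noted in the comments are the author's choices."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse a MAC written as xxxx-xxxx-xxxx (CLI style) or xx:xx:xx:xx:xx:xx."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    """One 'voice vlan mac-address oui mask oui-mask [ description text ]' entry."""
    oui: str
    mask: str
    description: str = ""

    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return mac_to_int(mac) & m == mac_to_int(self.oui) & m


def is_voice_source(mac: str, oui_table: List[OuiEntry]) -> bool:
    """The only test the switch applies: does the source MAC fall inside a configured OUI?"""
    return any(entry.matches(mac) for entry in oui_table)


@dataclass
class VoiceVlanConfig:
    vlan_id: int                                 # voice vlan vlan-id enable
    aging_min: float = 1440                      # voice vlan aging minutes (default 1,440)
    security: bool = True                        # voice vlan security enable (default on)
    oui_table: List[OuiEntry] = field(default_factory=list)


@dataclass
class VoicePort:
    name: str
    mode: str = "auto"                           # 'auto' (voice vlan mode auto) or 'manual'
    in_voice_vlan: bool = False                  # in manual mode the administrator sets this
    last_voice_seen: Optional[float] = None      # minutes; drives aging in automatic mode


def receive(cfg: VoiceVlanConfig, port: VoicePort, src_mac: str,
            vlan_id: int, now_min: float) -> str:
    """Disposition ('forwarded' or 'dropped') of a frame received on `port` that belongs
    to VLAN `vlan_id` (its tag, or the port's default VLAN if it arrived untagged).
    Simplification: forwarding inside VLANs other than the voice VLAN is not modelled."""
    voice = is_voice_source(src_mac, cfg.oui_table)
    if vlan_id != cfg.vlan_id:
        # The untagged frame a phone sends at power-on arrives here. In automatic
        # mode the OUI match is what adds the port to the voice VLAN.
        if voice:
            port.last_voice_seen = now_min
            if port.mode == "auto":
                port.in_voice_vlan = True
        return "forwarded"
    if not port.in_voice_vlan:
        return "dropped"                         # voice VLAN not permitted on this port yet
    if voice:
        port.last_voice_seen = now_min
        return "forwarded"
    # A non-voice source inside the voice VLAN: security mode discards it,
    # ordinary mode lets it through.
    return "dropped" if cfg.security else "forwarded"


def age_ports(cfg: VoiceVlanConfig, ports: List[VoicePort], now_min: float) -> List[str]:
    """Remove automatic-mode ports that saw no voice packets within the aging time.
    Returns the names of the ports removed; manual-mode ports are never aged."""
    removed = []
    for p in ports:
        if p.mode != "auto" or not p.in_voice_vlan:
            continue
        if p.last_voice_seen is None or now_min - p.last_voice_seen >= cfg.aging_min:
            p.in_voice_vlan = False
            removed.append(p.name)
    return removed


if __name__ == "__main__":
    # Constructed scenario using the OUI and aging time from the configuration example.
    cfg = VoiceVlanConfig(vlan_id=2, aging_min=100,
                          oui_table=[OuiEntry("0011-2200-0000", "ffff-ff00-0000", "test")])
    ge1 = VoicePort("GigabitEthernet1/0/1")
    print(receive(cfg, ge1, "0011-22aa-bbcc", 6, 0.0), ge1.in_voice_vlan)  # phone boots untagged
    print(receive(cfg, ge1, "00aa-bbcc-ddee", 2, 1.0))                      # PC with a non-voice OUI
    print(age_ports(cfg, [ge1], 101.0), ge1.in_voice_vlan)                  # aged out
```

The model makes the limit of the mechanism visible: the only thing the switch inspects is the source MAC address, which any host can set. Security mode therefore keeps frames with a non-phone OUI out of the voice VLAN, but it does not verify that a matching frame really came from a phone, and, as the text above notes, it also discards 802.1x authentication packets on that port.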
Voice VLAN Configuration

Configuring a Voice VLAN to Operate in Automatic Mode
Table 85 Configure a voice VLAN to operate in automatic mode

To do…                                                  Use the command…                                                Remarks
Enter system view                                       system-view                                                     –
Set the aging time for the voice VLAN                   voice vlan aging minutes                                        Optional. The default aging time is 1,440 minutes; it takes effect only for ports in automatic mode.
Enable the voice VLAN security mode                     voice vlan security enable                                      Optional. By default, the voice VLAN security mode is enabled.
Set an OUI address that the voice VLAN can identify     voice vlan mac-address oui mask oui-mask [ description text ]   Optional. A voice VLAN has five default OUI addresses.
Enable the voice VLAN function globally                 voice vlan vlan-id enable                                       Required
Enter port view                                         interface interface-type interface-number                       –
Set the voice VLAN operation mode to automatic mode     voice vlan mode auto                                            Optional. The default voice VLAN operation mode is automatic mode.
Enable the voice VLAN function for the port             voice vlan enable                                               Required

Execute the voice vlan security enable command or the undo voice vlan security
enable command before you enable the voice VLAN function globally. Otherwise, the
command does not take effect.
Configuring a Voice VLAN to Operate in Manual Mode
Table 86 Configure a voice VLAN to operate in manual mode

To do…                                                  Use the command…                                                Remarks
Enter system view                                       system-view                                                     –
Set the aging time for the voice VLAN                   voice vlan aging minutes                                        Optional. The default aging time is 1,440 minutes; it takes effect only for ports in automatic mode.
Enable the voice VLAN security mode                     voice vlan security enable                                      Optional. By default, the voice VLAN security mode is enabled.
Set an OUI address that the voice VLAN can identify     voice vlan mac-address oui mask oui-mask [ description text ]   Optional. If you do not set an address, the default OUI addresses are used.
Enable the voice VLAN function globally                 voice vlan vlan-id enable                                       Required
Enter port view                                         interface interface-type interface-number                       –
■ You can enable the voice VLAN function for only one VLAN on a switch at a time.
■ You cannot enable the voice VLAN function on a port on which the link aggregation
control protocol (LACP) is enabled.
■ A dynamic VLAN changes to a static VLAN after the voice VLAN function is enabled for
it.
■ Execute the voice vlan security enable command or the undo voice
vlan security enable command before you enable the voice VLAN function
globally. Otherwise, the command does not take effect.
Displaying and Maintaining Voice VLAN
After the above configurations, you can execute the display command in any view to
view the running status and verify the configuration effect.
Table 87 Display and debug a voice VLAN

Voice VLAN Configuration Example
Configuration procedure
1 Create VLAN 2, VLAN 6.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] quit
[3Com] vlan 6
[3Com-vlan6] quit
2 Set the aging time for the voice VLAN.
[3Com] voice vlan aging 100
3 Add OUI address 0011-2200-0000 (mask ffff-ff00-0000) to the addresses identified by the
voice VLAN.
[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
description test
4 Enable the global voice VLAN feature.
[3Com] voice vlan 2 enable
5 Set the voice VLAN operation mode of GigabitEthernet1/0/1 to automatic mode (this is
the default).
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] voice vlan mode auto
6 Specify port GigabitEthernet1/0/1 as a Trunk port.
[3Com-GigabitEthernet1/0/1] port link-type trunk
7 Set the default VLAN of the port to VLAN 6, and the port permits VLAN 6 to pass.
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 6
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 6
8 Enable the voice VLAN function for the port.
[3Com-GigabitEthernet1/0/1] voice vlan enable
Network diagram
None
Configuration procedure
1 Set the voice VLAN to work in security mode so that only legitimate voice packets pass
(optional; security mode is the default).
<3Com> system-view
[3Com] voice vlan security enable
2 Set the aging time for the voice VLAN.
[3Com] voice vlan aging 100
3 Add OUI address 0011-2200-0000 (mask ffff-ff00-0000) to the addresses identified by the
voice VLAN.
[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
description test
4 Create VLAN 2, and enable the voice VLAN function for it.
[3Com] vlan 2
[3Com-vlan2] quit
[3Com] voice vlan 2 enable
5 Set GigabitEthernet1/0/1 to work in the manual mode.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] undo voice vlan mode auto
6 Configure GigabitEthernet1/0/1 as a Hybrid port.
[3Com-GigabitEthernet1/0/1] port link-type hybrid
7 Configure the voice VLAN as the default VLAN of port GigabitEthernet1/0/1.
[3Com-GigabitEthernet1/0/1] port hybrid pvid vlan 2
8 Manually add Hybrid port GigabitEthernet1/0/1 in the untagged format to the voice
VLAN.
[3Com-GigabitEthernet1/0/1] port hybrid vlan 2 untagged
9 Enable the voice VLAN function for the port GigabitEthernet1/0/1.
[3Com-GigabitEthernet1/0/1] voice vlan enable
Introduction to GARP
The generic attribute registration protocol (GARP) provides a mechanism that allows
participants in a GARP application to distribute, propagate, and register with other
participants in a bridged LAN the attributes specific to that GARP application, such as the
VLAN or multicast address attribute.
■ GARP-compliant application entities are called GARP applications. One example is
GVRP. When a GARP application entity is present on a port of your device, that port is
regarded as a GARP application entity.
Through message exchange, all attribute information that needs registration propagates
to all GARP participants throughout a bridged LAN.
GARP timers
GARP controls the intervals at which GARP messages are sent by using these four timers:
■ Hold timer: when a GARP application entity receives the first registration request, it
starts a hold timer and collects succeeding requests. When the timer expires, the entity
sends all these requests in one Join message, which saves bandwidth.
■ Join timer: each GARP application entity sends a Join message twice for reliability and
uses the join timer to set the interval between the two.
■ Leave timer: starts upon receipt of a Leave message. When this timer expires, the GARP
application entity removes the attribute information as requested.
■ LeaveAll timer: starts when a GARP application entity starts. When this timer expires,
the entity sends a LeaveAll message so that other entities re-register their attribute
information. Then the LeaveAll timer restarts.
140 CHAPTER 14: GVRP CONFIGURATION
■ The settings of GARP timers apply to all GARP applications, such as GVRP, running on
a LAN.
■ Unlike the other three timers, which are set on a per-port basis, the LeaveAll timer is set
in system view and takes effect globally.
■ A GARP application entity sends LeaveAll messages at the interval set by its own
LeaveAll timer or by the LeaveAll timer of another GARP application entity on the
network, whichever is smaller.
GARP application entities send protocol data units (PDUs) with a particular multicast MAC
address as the destination. Based on this address, a device can identify the GARP
application, GVRP for example, to which a GARP PDU should be delivered.
Introduction to GVRP
GVRP enables a device to propagate local VLAN registration information to other
participating devices and to dynamically update its local database with the VLAN
registration information received from them. It thus ensures that all GVRP participants on
a bridged LAN maintain the same VLAN registration information. The VLAN registration
information propagated by GVRP includes both manually configured local static entries
and dynamic entries learned from other devices.

Configuring GVRP
When configuring GVRP, you need to configure timers, enable GVRP, and configure the
GVRP registration mode.

Configuration Prerequisites
Use the port link-type trunk command to set the link type of the port on which
you want to use GVRP to trunk.
When configuring GARP timers, note that their values are dependent on each other and
must be multiples of five centiseconds. If the value range of a timer is not what you need,
you can change it by tuning the value of another timer as shown in the following table:
Displaying and Maintaining GVRP
Table 92 Display and maintain GVRP

To do…                                            Use the command…                                       Remarks
Display statistics about GARP                     display garp statistics [ interface interface-list ]   Available in any view
Display GARP timers for all or specified ports    display garp timer [ interface interface-list ]        Available in any view
Display statistics about GVRP                     display gvrp statistics [ interface interface-list ]   Available in any view
Display the global GVRP state                     display gvrp status                                    Available in any view
Clear the GARP statistics                         reset garp statistics [ interface interface-list ]     Available in user view
GVRP Configuration
Example
Network diagram
GE1/0/1 GE1/0/2
Switch A Switch B
Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
[3Com] gvrp
b Configure port GigabitEthernet 1/0/1 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on GigabitEthernet 1/0/1.
[3Com-GigabitEthernet1/0/1] gvrp
d Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
[3Com] gvrp
b Configure port GigabitEthernet 1/0/2 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
c Enable GVRP on GigabitEthernet 1/0/2.
[3Com-GigabitEthernet1/0/2] gvrp
d Create static VLAN 3.
[3Com] vlan 3
e Display dynamic VLAN on Switch A.
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
3
f Display dynamic VLAN on Switch B.
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
2
Network diagram
GE1/0/1 GE1/0/2
Switch A Switch B
Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure port GigabitEthernet1/0/1 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on GigabitEthernet1/0/1
[3Com-GigabitEthernet1/0/1] gvrp
d Configure the GVRP registration mode as fixed.
[3Com-GigabitEthernet1/0/1] gvrp registration fixed
e Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure port GigabitEthernet1/0/2 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
c Enable GVRP on GigabitEthernet1/0/2
[3Com-GigabitEthernet1/0/2] gvrp
d Create static VLAN 3.
[3Com] vlan 3
3 Display the configuration
a Display the dynamic VLAN information on Switch A
[3Com] display vlan dynamic
No dynamic vlans exist!
Network diagram
GE1/0/1 GE1/0/2
Switch A Switch B
Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com > system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure GigabitEthernet1/0/1 as a trunk port, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on the trunk port.
[3Com-GigabitEthernet1/0/1] gvrp
d Configure the GVRP registration mode as forbidden.
[3Com-GigabitEthernet1/0/1] gvrp registration forbidden
e Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com > system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure GigabitEthernet1/0/2 as a trunk port, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
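The following Python model is an added illustration of how the VLAN registration information exchanged in the three examples above propagates; it is not part of the guide and not 3Com code. The registrar behaviour it assumes is stated in the module docstring: the examples show only the results for normal registration (Switch A learns VLAN 3, Switch B learns VLAN 2) and for fixed registration on Switch A (no dynamic VLAN on Switch A); the forbidden case, and the fact that a fixed port still declares its static VLANs, are the author's reading of GVRP registrar semantics. The `Switch`, `GvrpPort` and `converge` names are the author's, and `converge` generalises the two-switch examples to any set of links.

```python
"""Model of GVRP VLAN registration between switches, reproducing the results of
the GVRP configuration examples above. Added illustration, not 3Com code.
Assumed registrar behaviour (the examples only show the normal and fixed cases):
a port in normal mode registers every VLAN its peer declares and itself declares
static and dynamic VLANs; a port in fixed mode registers nothing and declares
only static VLANs; a port in forbidden mode registers nothing and declares only
VLAN 1. The classes and the `converge` helper are the author's."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class GvrpPort:
    name: str
    registration: str = "normal"       # gvrp registration { normal | fixed | forbidden }


@dataclass
class Switch:
    name: str
    static_vlans: Set[int] = field(default_factory=set)    # created with 'vlan <id>'
    dynamic_vlans: Set[int] = field(default_factory=set)   # learned through GVRP
    ports: Dict[str, GvrpPort] = field(default_factory=dict)

    def declared_vlans(self, port_name: str) -> Set[int]:
        """VLANs this switch advertises in Join messages out of `port_name`."""
        mode = self.ports[port_name].registration
        if mode == "forbidden":
            return {1}
        if mode == "fixed":
            return {1} | self.static_vlans
        return {1} | self.static_vlans | self.dynamic_vlans

    def register(self, port_name: str, vlans: Set[int]) -> Set[int]:
        """Apply a declaration received on `port_name`; returns the dynamic VLANs created."""
        if self.ports[port_name].registration != "normal":
            return set()               # fixed and forbidden ports never register dynamically
        new = {v for v in vlans if v != 1 and v not in self.static_vlans | self.dynamic_vlans}
        self.dynamic_vlans |= new
        return new


Link = Tuple[Tuple[str, str], Tuple[str, str]]   # ((switch, port), (switch, port))


def converge(switches: Dict[str, Switch], links: List[Link]) -> int:
    """Exchange declarations over every link until no switch learns anything new.
    Returns the number of exchange rounds, including the final quiet one."""
    rounds = 0
    while True:
        rounds += 1
        learned: Set[int] = set()
        for (sa, pa), (sb, pb) in links:
            a, b = switches[sa], switches[sb]
            learned |= b.register(pb, a.declared_vlans(pa))
            learned |= a.register(pa, b.declared_vlans(pb))
        if not learned:
            return rounds


def two_switch_example(reg_a: str) -> Tuple[Set[int], Set[int]]:
    """Switch A (static VLAN 2, GE1/0/1) linked to Switch B (static VLAN 3, GE1/0/2)
    as in the examples; `reg_a` is the registration mode on GE1/0/1 of Switch A.
    Returns the dynamic VLANs of (Switch A, Switch B)."""
    a = Switch("A", {2}, ports={"GE1/0/1": GvrpPort("GE1/0/1", reg_a)})
    b = Switch("B", {3}, ports={"GE1/0/2": GvrpPort("GE1/0/2")})
    converge({"A": a, "B": b}, [(("A", "GE1/0/1"), ("B", "GE1/0/2"))])
    return a.dynamic_vlans, b.dynamic_vlans


if __name__ == "__main__":
    for mode in ("normal", "fixed", "forbidden"):
        print(mode, two_switch_example(mode))
```

The normal-mode result is worth reading as a security statement: VLAN 3 appears on Switch A although nobody configured it there, so any device that speaks GVRP on a trunk with normal registration can create VLANs on its neighbours. On ports facing equipment you do not control, use fixed or forbidden registration, or leave GVRP disabled.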
General Ethernet Interface Configuration
A Combo port is a logical port with two physical connections, one called the optical port
and the other the electrical port. The Combo port corresponds to a single forwarding port
inside the device. Only one of the two can be active at a time; when one is active, the
other is automatically deactivated.
For ease of management, a Combo port is categorized into one of the two following types:
■ Single Combo port: the two Ethernet interfaces on the device panel correspond to only
one interface view, in which the state of either interface can be switched. A single
Combo port can be a Layer 2 Ethernet interface or a Layer 3 Ethernet interface.
■ Double Combo port: the two Ethernet interfaces on the device panel correspond to two
interface views, and the state switchover is performed in the interface view of each. A
double Combo port can only be a Layer 2 Ethernet interface.
Currently, the Switch 4500G Family supports double Combo ports.
150 CHAPTER 15: ETHERNET INTERFACE CONFIGURATION
Basic Ethernet Interface Configuration
Three types of duplex modes exist for Ethernet interfaces:
■ Full-duplex mode (full): in this mode, the sending and receiving of data packets
happen simultaneously;
■ Half-duplex mode (half): in this mode, at a particular time, either the sending or the
receiving of data packets is allowed, but not both;
■ Autonegotiation mode (auto): in this mode, the transmission mode is negotiated
between peer Ethernet interfaces.
If you configure the transmission rate of an Ethernet interface as auto, the rate is
negotiated automatically between peer Ethernet interfaces.
■ For a double Combo port, the optical port goes up when you use the undo
shutdown command on it, and the paired electrical port goes down, and vice versa.
■ The mdi and virtual-cable-test commands are not available on the optical
Combo port.
■ The optical Combo port cannot work in half-duplex mode and supports only two speed
options: 1000 Mbps and auto.
■ When a port works at 1000 Mbps, you cannot configure it in half-duplex mode, and
vice versa.
Configuring Flow Control on an Ethernet Interface
When flow control is turned on between peer Ethernet interfaces and traffic congestion
occurs at the ingress interface, it sends a Pause frame notifying the egress interface to
temporarily suspend the sending of packets. The egress interface is expected to stop
sending new packets when it receives the Pause frame. In this way, flow control helps to
avoid the dropping of packets. Note that this is possible only after both the ingress and
the egress interfaces have turned on flow control.
Currently, the Switch 4500G Family supports flow control in the inbound direction only.
Configuring Loopback Testing on an Ethernet Interface
You can enable loopback testing to check whether an Ethernet interface is functioning
properly. Note that no data packets can be forwarded during the test. Loopback testing
falls into the following two categories:
■ Internal loopback testing: packets from an interface go inside the switch and then back
to the original interface. If the internal loopback test succeeds, the interface is OK.
■ External loopback testing: a loopback plug needs to be plugged into the Ethernet
interface. If data packets sent from the interface are received by the same interface
through the loopback plug, the external loopback test is successful, indicating that the
interface is functioning properly.
■ Loopback testing is not applicable when the interface is in a shutdown state;
■ The speed, duplex, mdi, and shutdown commands are not applicable during a
loopback test;
■ Loopback testing is not supported on certain interfaces. Performing a loopback test on
these interfaces triggers a system prompt indicating as much.
Configuring a Port Group
To make configuration easier, certain devices allow users to configure a single port as well
as multiple ports in a port group. In port group view, the user only needs to input a
configuration command once and that configuration applies to all ports in the port group.
This effectively reduces redundant configuration.
■ Manual port group: manually created by users. Multiple Ethernet interfaces can be
added to the same port group;
■ Dynamic port group: dynamically created by the system, currently mainly applied to
link aggregation port groups. A link aggregation port group is automatically created
together with the link aggregation group and cannot be created by users through the
command line. Ports can be added to or deleted from a link aggregation port group
only through operations on the link aggregation group.
■ For details on configuring link aggregation port groups, refer to Link Aggregation.
■ Manual port groups do not survive a system reboot.
Configuring Storm Suppression Ratio on an Ethernet Interface
You can use the following commands to suppress broadcast, multicast, and unknown
unicast flows.
Traffic that exceeds the configured threshold is discarded so that the flow remains below
the threshold. This effectively prevents storms, avoids network congestion, and ensures
that the network functions properly.
Copying Configurations from a Specified Port to Other Ports
Using the copy configuration command you can easily copy configurations from a
specified Ethernet interface to other Ethernet interfaces, provided that they all work in
Layer 2 mode.
Configurations that can be copied include VLAN, QoS, STP, and port configurations, as
listed below:
■ VLAN configurations: VLANs that are allowed to pass through the port, default VLAN
ID;
■ QoS configurations: rate limiting, port priority, default 802.1p priority;
■ STP configurations: STP enabled/disabled, link type (point-to-point or not), STP
priority, path cost, rate limit, loop protection, root protection, edge port or not;
■ Port configurations: link type, rate, duplex mode.
Follow the steps below to copy configurations from a specified port to other ports:
Enabling the Forwarding of Jumbo Frames
Because of the tremendous amount of traffic on an Ethernet, some frames are likely to
have a frame size greater than the standard Ethernet frame size. By allowing such frames
(called jumbo frames) to pass through Ethernet interfaces, you can forward frames with a
size greater than the standard Ethernet frame size yet still within the specified size range.
■ If an Access port has been detected with loopbacks, it will be shut down. A Trap
message will be sent to the terminal and the corresponding MAC address forwarding
entries will be deleted.
■ If a Trunk port or Hybrid port has been detected with loopbacks, a Trap message will be
sent to the terminal. The port is shut down only if the loopback detection control
feature is enabled on it; in that case, a Trap message will also be sent to the terminal
and the corresponding MAC address forwarding entries will be deleted.
CAUTION:
■ Loopback detection on a given port is enabled only after the
loopback-detection enable command has been issued in both system view
and the interface view of the port.
■ Loopback detection on all ports will be disabled after the issuing of the undo
loopback-detection enable command under system view.
Configuring Cable Type on an Ethernet Interface
Ethernet interfaces use two types of cable: cross-over cable and straight-through cable. A
straight-through cable is normally used to connect data terminal equipment (DTE) to data
communication equipment (DCE), while a cross-over cable connects two DTEs (or two
DCEs) directly.

Ethernet Interface Cable Testing
Follow the steps below to test the current working state of Ethernet interface cables. The
system returns the test result within five seconds, indicating for the receive direction (RX)
and the transmit direction (TX) any short or open circuit and the length of the failed cable.
Table 104 Ethernet Interface Cable Testing
Maintaining and Displaying an Ethernet Interface
Table 105 Maintaining and displaying an Ethernet interface

To do...                                                                 Use the command...                                                                                                 Remarks
Display the current state of a specified interface and related information   display interface [ interface-type [ interface-number ] ]                                                      Available in any view
Display a summary of a specified interface                               display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ]   Available in any view
Reset the statistics of a specified interface                            reset counters interface [ interface-type [ interface-number ] ]                                                   Available in user view
Display the current ports of a specified type                            display port { hybrid | trunk | combo }                                                                            Available in any view
16 LINK AGGREGATION CONFIGURATION
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also
called a logical group, to increase reliability and bandwidth.
When configuring this feature, use the following table to find the information you are
interested in:

Link Aggregation Overview
Link aggregation allows you to increase bandwidth by distributing incoming and outgoing
traffic over the member ports in an aggregation group. In addition, it provides reliable
connectivity because these member ports can dynamically back each other up.
Consistency Considerations for Ports in an Aggregation
To participate in traffic sharing, member ports in an aggregation must use consistent
configurations with respect to STP, QoS, BPDU tunnel, GVRP, VLAN, and port attributes,
as shown in the following table.

Table 107 Consistency considerations for ports in an aggregation

Item            Considerations
STP             Enable/disable state of port-level STP
                Attribute of the link (point-to-point or otherwise) connected to the port
                STP port path cost
                STP port priority
                Maximum transmission rate
                Enable/disable state of loop protection
                Enable/disable state of root protection
                Whether the port is an edge port
                MSTP BPDU format
                STP no-agreement-check
                STP config-digest-snooping
QoS             Rate limiting
                Priority remarking
                Default 802.1p priority
                Bandwidth assurance
                Congestion avoidance
                Traffic redirection
                Traffic accounting
                Traffic policing, SP queuing, WRR queue scheduling, packet priority trust mode
GVRP            GVRP enable/disable state, GVRP registration type, GVRP timer values
BPDU Tunnel     BPDU Tunnel configuration
VLAN            VLANs carried on the port
                Default VLAN ID on the port
                Link type of the port, which can be trunk, hybrid, or access
                Whether VLAN packets are tagged
Port attribute  Port rate
                Duplex mode
                Up/down state of the link
                Whether the port is in an isolation group
LACP
The link aggregation control protocol (LACP), as defined in IEEE 802.3ad, dynamically
aggregates ports and removes aggregations.
LACP interacts with its peer by sending link aggregation control protocol data units
(LACPDUs).
After LACP is enabled on a port, the port sends an LACPDU to notify the remote system
of its system LACP priority, system MAC address, port LACP priority, port number, and
operational key. Upon receipt of an LACPDU, the remote system compares the received
information with the information received on other ports to make an aggregation
decision. This allows the two systems to reach agreement on whether the port can join or
leave a dynamic aggregation group. (Local and remote systems are sometimes referred to
as the actor and partner systems in link aggregation.)
When aggregating ports, link aggregation control automatically assigns each port an
operational key based on its rate, duplex mode, and other basic configuration. In a
dynamic aggregation, all ports share the same operational key; in a manual or static
aggregation, the selected ports share the same operational key.

Approaches to Link Aggregation
When aggregating ports, you may use three approaches: manual link aggregation, static
LACP link aggregation, and dynamic LACP link aggregation.
Each aggregation group must contain at least one port. When only one port is
contained, you can remove it only by removing the group.
The port in the Selected state with the lowest port ID is the master port of the
aggregation group; the other ports in the aggregation group are member ports.
When setting the state of the ports in a manual aggregation group, the system performs
the following:
■ When ports in up state are present in the group, select a master port in the order of
full duplex/high speed, full duplex/low speed, half duplex/high speed, and half
duplex/low speed, with the full duplex/high speed being the most preferred. When
two ports with the same duplex mode/speed pair are present, the one with the lower
port number wins out. Then, place those ports with the same speed/duplex pair, link
state and basic configuration in selected state and others in unselected state.
■ When all ports in the group are down, select the port with the lowest port number as
the master port and set all ports (including the master) in unselected state.
■ Place the ports that cannot aggregate with the master in unselected state.
Manual aggregation limits the number of selected ports in an aggregation group. When
the limit is exceeded, the system changes the state of selected ports with greater port
numbers to unselected until the number of selected ports drops under the limit. In
addition, to ensure the ongoing service on current selected ports, a port that joins the
group after the limit is reached will not be placed in selected state as it should be in
normal cases.
When the duplex mode/speed pair of some port in a manual aggregation group
changes, the system does not remove the aggregation; instead, it re-sets the
selected/unselected state of the member ports and re-selects a master port.
Each static aggregation group must contain at least one port. LACP is enabled on the ports
in the group and cannot be administratively disabled. As in manual aggregation, you need
to synchronize their basic configurations manually to ensure consistency.
When only one port is contained in a static aggregation group, you can remove the port
only by removing the group. After the group is removed, all the ports in up state form
one or more dynamic aggregations with LACP enabled.
In a static aggregation group, ports can be selected or unselected; both can receive and
transmit LACPDUs, but only selected ports can receive and transmit data frames. The
selected port with the lowest port number is the master port.
All member ports that cannot aggregate with the master are placed in unselected state.
These include ports whose basic configurations differ from those of the master port.
Member ports in up state can be selected if their configuration is the same as that of the
master port. The number of selected ports in a static aggregation group is limited,
however. When the limit is exceeded, the local and remote systems negotiate the state of
their ports as follows:
1 Compare the actor and partner system IDs that each comprises a two-byte system LACP
priority plus a six-byte system MAC address as follow:
■ First compare the system LACP priorities.
■ If they are the same, compare the MAC addresses. The system with the smaller ID has
higher priority.
2 Compare the port IDs that each comprises a two-byte port LACP priority and a two-byte
port number on the system with higher ID as follows:
■ Compare the port LACP priorities
■ If two ports with the same port LACP priority are present, compare their port
numbers. The state of the ports with higher IDs then changes to unselected, so does
the state of the corresponding remote ports.
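The following Python model walks through the selection rules described above for both manual aggregation (selected ports trimmed by port number) and static/dynamic aggregation (system ID comparison, then port ID comparison on the winning system). It is an added example written for this page, not code from 3Com or the switch; the system IDs, port numbers and priorities are constructed, and the assumption that the reference configuration is that of the lowest-numbered up port is labelled in the code.

```python
"""Constructed model of how selected ports are chosen in an aggregation group.
Added example; this is not the switch's code. All values are made up."""
from dataclasses import dataclass
from typing import List, Set, Tuple


def mac_to_int(mac: str) -> int:
    """Turn a MAC such as 00e0-fc00-0001 into an integer so it compares numerically."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True)
class SystemId:
    lacp_priority: int   # two-byte system LACP priority, lower is better
    mac: str             # six-byte system MAC, breaks priority ties

    def key(self) -> Tuple[int, int]:
        return (self.lacp_priority, mac_to_int(self.mac))


@dataclass(frozen=True)
class Port:
    number: int
    lacp_priority: int        # two-byte port LACP priority, lower is better
    up: bool
    config: Tuple[str, str]   # (speed, duplex) stands in for the basic configuration


def manual_select(ports: List[Port], limit: int) -> Set[int]:
    """Manual aggregation: no LACP, so when the limit is exceeded the ports with the
    greater port numbers are made unselected until the count is within the limit."""
    up = sorted((p for p in ports if p.up), key=lambda p: p.number)
    if not up:
        return set()
    master = up[0]   # lowest-numbered up port
    same = [p for p in up if p.config == master.config]
    return {p.number for p in same[:limit]}


def lacp_select(local_sys: SystemId, local_ports: List[Port],
                partner_sys: SystemId, partner_ports: List[Port],
                limit: int) -> Set[int]:
    """Static/dynamic aggregation: local_ports[i] is cabled to partner_ports[i].
    Step 1: the system with the smaller system ID (priority, then MAC) has the
    higher priority and its port IDs decide.  Step 2: order candidate ports by
    (port LACP priority, port number) on that system and keep the first `limit`;
    the rest, and their remote peers, become unselected."""
    decider = local_ports if local_sys.key() <= partner_sys.key() else partner_ports
    up_local = [p for p in local_ports if p.up]
    if not up_local:
        return set()
    # Assumption made for this model: the reference configuration is that of the
    # lowest-numbered up local port; ports with another basic configuration cannot
    # aggregate with it and are unselected regardless of their port ID.
    reference = min(up_local, key=lambda p: p.number).config
    candidates = [i for i, p in enumerate(local_ports)
                  if p.up and partner_ports[i].up and p.config == reference]
    candidates.sort(key=lambda i: (decider[i].lacp_priority, decider[i].number))
    return {local_ports[i].number for i in candidates[:limit]}


def master_port(selected: Set[int]) -> int:
    """The selected port with the lowest port number is the master port."""
    return min(selected)


if __name__ == "__main__":
    gig = ("1000M", "full")
    local = SystemId(32768, "00e0-fc00-0001")
    partner = SystemId(32768, "00e0-fc00-0002")
    lp = [Port(1, 32768, True, gig), Port(2, 32768, True, gig),
          Port(3, 100, True, gig), Port(4, 32768, True, gig)]
    pp = [Port(11, 32768, True, gig), Port(12, 32768, True, gig),
          Port(13, 32768, True, gig), Port(14, 1, True, gig)]
    # Local system wins the system ID comparison, so local port priorities decide.
    print(sorted(lacp_select(local, lp, partner, pp, limit=2)))
```

The point the model makes visible is that the port priorities configured on the lower-priority system have no effect: when the partner holds the smaller system ID, its port IDs alone decide which local ports stay selected.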
The ports in a dynamic aggregation group must terminate at the same device, and have
the same speed/duplex pair and other basic configurations. Disabling LACP on one port
can result in the removal of all ports from the group. It is possible for a single port to
form a dynamic aggregation group. This is called single aggregation.
In a dynamic aggregation group, ports can be selected or unselected, where both can
receive and transmit LACPDUs but only selected ports can receive and transmit data
frames. The selected port with the lowest port number is the master port.
Load Sharing in a Link Aggregation Group
A link aggregation group performs load sharing upon its creation if hardware resources
are available for aggregation. After these resources, 10GE ports for example, are
exhausted, the created aggregation groups perform non-load sharing.
The difference between the groups that perform these two types of load sharing is that a
load sharing aggregation group can contain more than one selected port while a
non-load sharing aggregation group cannot. Note that a load sharing aggregation group
may contain only one port.
When an aggregation group has two or more ports, load sharing is implemented on the
aggregation group. When the aggregation resources are used up, the aggregation
groups created later will be non-load sharing.
When an aggregation group has only one port, it is non-load sharing. The following
ports can only form single-port aggregation groups: loopback ports, half-duplex ports,
and LACP-disabled ports.
Note that:
When only one port is left in an aggregation group, the group will become non-load
sharing.
Aggregation Port Group
As mentioned earlier, in a manual or static aggregation group, a port can be selected
only when its configuration is the same as that of the master port in terms of
duplex/speed pair, link state, and other basic configurations. Keeping their
configurations consistent requires administrative maintenance, which is troublesome
after you change some configuration.
To simplify configuration, port groups are provided, allowing you to configure all ports
in a group at one time. One example of a port group is the aggregation port group. For
more information about port groups, refer to the “Configuring a Port Group” section in
the “Ethernet Interface Configuration” chapter in this manual.
Configuring Link Aggregation
CAUTION:
■ Do not create a manual or static aggregation group without any member port. This
may leave no aggregation group ID available for dynamic groups.
■ When you change the configuration of a member port of an aggregation group in
port view, the change is not synchronized to the other member ports of the group; to
synchronize the configuration, make it in port group view.
■ Two connected ports must both be in the aggregation group.
You may create a manual aggregation group by changing the type of an existing static or
dynamic aggregation group. If the specified group contains ports, its group type changes
to manual with LACP disabled on its member ports; if not, its group type directly changes
to manual.
■ The aggregation group type is changed to the new type you configured if there is no
port in the group.
■ If there are ports in the aggregation group, you can only change a dynamic or static
aggregation group to a manual one, or change a dynamic aggregation group to a
static one.
When assigning an Ethernet port to a manual aggregation group, consider the following:
■ An aggregation group cannot include monitor ports in mirroring, ports with static
MAC addresses, or 802.1x-enabled ports.
■ After you assign an LACP-enabled port to a manual aggregation group, its LACP is
disabled.
You can remove all ports in a manual aggregation group by removing the group. If this
group contains only one port, you can remove the port only by removing the group.
You may create a static aggregation group by changing the type of an existing link
aggregation group. If this group exists with ports, its type can be manual or dynamic
LACP; if not, its type must be dynamic LACP. Creating a static aggregation group from a
dynamic one does not affect the enabling state of LACP on the member ports.
When assigning an Ethernet port to a static aggregation group, consider the following:
After you remove a static LACP aggregation group, all its ports in up state form one or
multiple dynamic LACP aggregations with LACP enabled. If this group contains only one
port, you can remove the port only by removing the group.
After you remove a dynamic aggregation group, all its member ports form a new
dynamic aggregation group.
CAUTION:
■ An aggregation group cannot include ports with static MAC addresses or
802.1x-enabled ports.
■ Enabling LACP on a member port in a manual aggregation group will fail.
CAUTION:
■ When configuring a name for a link aggregation group, make sure that the group
already exists. You may check for existing link aggregation groups with the display
link-aggregation summary command or the display link-aggregation interface command.
■ The configuration of dynamic aggregation groups, including their group names,
cannot survive a reboot even if you have saved the configuration before that.
Entering Aggregation Port Group View
In aggregation port group view, you can configure all the member ports in a link
aggregation group at one time.
CAUTION: In aggregation port group view, you can configure aggregation related
settings such as STP, VLAN, QoS, GVRP, and multicast, but cannot add or remove member
ports.
Displaying and Maintaining Link Aggregation
Table 113 Displaying and Maintaining Link Aggregation
Display the local system ID
    Command: display lacp system-id
    Remarks: Available in any view
Display detailed information on link aggregation for the specified port or ports
    Command: display link-aggregation interface interface-type interface-number [ to interface-type interface-number ]
    Remarks: Available in any view
Display summaries for all link aggregation groups
    Command: display link-aggregation summary
    Remarks: Available in any view
Display detailed information about specified or all link aggregation groups
    Command: display link-aggregation verbose [ agg-id ]
    Remarks: Available in any view
Clear the statistics about LACP for specified or all ports
    Command: reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ]
    Remarks: Available in user view
Network diagram
(Figure: Switch A and Switch B connected by a link aggregation.)
Configuration procedure
This example only describes how to configure on Switch A. To achieve link aggregation,
do the same on Switch B.
1 Manual aggregation approach
a Create manual aggregation group 1.
<3Com> system-view
[3Com] sysname SwitchA
[SwitchA] link-aggregation group 1 mode manual
b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1
2 Static aggregation approach
a Create static aggregation group 1.
<SwitchA> system-view
[SwitchA] link-aggregation group 1 mode static
b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1
The three ports can form one dynamic aggregation group only when they share the
same basic configuration.
17 PORT ISOLATION CONFIGURATION
Port Isolation Overview
Through the port isolation feature, you can add the ports to be controlled to an
isolation group to isolate Layer 2 and Layer 3 traffic between the ports in the isolation
group. Thus, you can improve network security and build the network in a more flexible
way.
Currently, you can configure only one isolation group on a switch. The number of
Ethernet ports an isolation group can accommodate is not limited.
Port Isolation Configuration
Figure 51 lists the operations to add an Ethernet port to an isolation group.
Table 114 Configure port isolation
Displaying Port Isolation Configuration
After the above configuration, you can execute the display command in any view to
display the running state after port isolation configuration. You can verify the
configuration effect by checking the displayed information.
Network diagram
(Figure: a switch whose port GE1/0/1 connects to the Internet and whose ports GE1/0/2,
GE1/0/3 and GE1/0/4 connect to the devices to be isolated.)
Configuration procedure
1 Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the
isolation group.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface GigabitEthernet1/0/2
[3Com-GigabitEthernet1/0/2] port-isolate enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet1/0/3
[3Com-GigabitEthernet1/0/3] port-isolate enable
[3Com-GigabitEthernet1/0/3] quit
[3Com] interface GigabitEthernet1/0/4
[3Com-GigabitEthernet1/0/4] port-isolate enable
2 Display the information about the ports in the isolation group.
<3Com> display port-isolate group
Port-isolate group information:
Uplink port support: NO
Group ID: 1
GigabitEthernet1/0/2 GigabitEthernet1/0/3 GigabitEthernet1/0/4
18 MAC ADDRESS TABLE MANAGEMENT
Introduction to Managing MAC Address Table
An Ethernet switch needs to maintain a MAC address table to speed up packet
forwarding. A table entry includes the MAC address of a device connected to the
Ethernet switch, and the interface number and VLAN ID of the Ethernet switch interface
connected to the device. A MAC address table includes both static and dynamic address
entries. The static entries are manually configured by users whereas the dynamic entries
can be manually configured by users or dynamically learned by the Ethernet switch. The
static entries will not be aged whereas the dynamic entries can be aged (if the entry has
its aging time configured as aging, it will be aged; if it is configured as no-aging, it will
not be aged).
An Ethernet switch learns a MAC address in the following way: after receiving a data
frame on a port (assume port A), the Ethernet switch examines its source MAC
address (assume MAC-SOURCE) and concludes that packets destined for
MAC-SOURCE can be forwarded through port A. If the table already contains
MAC-SOURCE, the Ethernet switch updates the corresponding entry; otherwise, it
adds the new MAC address and the related forwarding port as a new entry to the table.
During MAC address learning, static MAC addresses that are manually configured by
users will not be overwritten by dynamic MAC addresses. However, the latter can be
overwritten by the former.
The Ethernet switch forwards packets whose destination MAC addresses can be found in
the MAC address table and broadcasts those whose destination MAC addresses are not
in the table. Upon receipt of the broadcast packet, the destination network device sends
a response packet back which contains the MAC address of the device. The Ethernet
switch learns and adds this new MAC address to the MAC address table of the device.
Subsequent packets destined for the same MAC address can then be forwarded directly.
Figure 52 An Ethernet switch forwards packets according to the MAC address table
(Figure: a switch with Port 1 and Port 2. Its MAC address table maps MACA and MACB to
port 1 and MACC and MACD to port 2. A frame from MACA to MACD is shown arriving at
Port 1 and leaving through Port 2.)
The Ethernet switch also provides the function of MAC address aging. If the Ethernet
switch does not receive a packet from a network device within a period of time, it will
delete the corresponding entry from the MAC address table.
You can configure (add or modify) the MAC address entries manually according to the
actual network environment. The entries can be static ones or dynamic ones.
Configuring the MAC Address Table
Configuring MAC Address Table Entries
Administrators can manually add, modify, or delete the entries in a MAC address table
according to actual needs.
Configuring MAC Address Aging Time for the System
Setting the aging time too long results in a large number of outdated table entries being
kept in the MAC address table, thereby exhausting the MAC address table resources
and making it impossible for the Ethernet switch to update the MAC address table
according to network changes. On the other hand, if the aging time is set too short,
valid MAC address table entries may be deleted by the Ethernet switch, resulting in
the flooding of a large number of data packets and degrading switch performance.
Therefore, it is important that users set an appropriate aging time according to the
actual network environment in order to implement MAC address aging effectively.
Table 117 Configure MAC address aging time for the system
This command takes effect on all ports. However, address aging only applies to
dynamic addresses (entries learned by the switch or configured by the user as aging entries).
Configuring the Maximum MAC Addresses that an Ethernet Port or a Port Group Can Learn
Using the following commands, users can set a limit on the number of MAC address table
entries maintained by the Ethernet switch. Setting the number too large may degrade
forwarding performance. If the maximum number of MAC addresses is set to count, then
after the number of learned MAC addresses has reached count, the interface will no
longer learn any more MAC addresses.
Table 118 Configuring the maximum MAC addresses that an Ethernet port or a port group can
learn
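The Python model below ties together the behaviour described in this chapter: source-address learning, static entries that dynamic learning cannot overwrite, aging of dynamic entries, flooding of frames with unknown destinations, and a per-port learning limit of the kind the commands above configure. It is an added example written for this page, not the switch's code; the addresses, port names, VLAN and timestamps are constructed.

```python
"""Constructed model of a switch MAC address table: learning, static precedence,
aging, per-port learning limits and flooding of unknown destinations.
Added example, not the switch's code; addresses, ports and times are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float   # time the last frame from this source arrived (dynamic entries)


class MacTable:
    def __init__(self, aging_time: float = 300.0,
                 max_learn: Optional[Dict[str, int]] = None) -> None:
        self.aging_time = aging_time          # seconds, the system aging time
        self.max_learn = max_learn or {}      # port -> maximum dynamic entries it may learn
        self.entries: Dict[Tuple[int, str], Entry] = {}   # (vlan, mac) -> entry

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port and not e.static)

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """Static entries never age and overwrite any dynamic entry for the same address."""
        self.entries[(vlan, mac)] = Entry(port, True, 0.0)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> bool:
        """Learn the source address of a frame received on `port`.
        Returns False when nothing was learned."""
        key = (vlan, mac)
        current = self.entries.get(key)
        if current is not None and current.static:
            return False          # dynamic learning never overwrites a static entry
        if current is None:
            limit = self.max_learn.get(port)
            if limit is not None and self.dynamic_count(port) >= limit:
                return False      # port at its learning limit: bounds table exhaustion
        self.entries[key] = Entry(port, False, now)   # add, or refresh port and timestamp
        return True

    def age(self, now: float) -> int:
        """Remove dynamic entries not refreshed within the aging time; return how many."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, src: str, dst: str, vlan: int, in_port: str,
                now: float, vlan_ports: List[str]) -> List[str]:
        """Learn `src`, then return the ports the frame is sent out of.
        Unknown destinations are flooded to every other port in the VLAN."""
        self.learn(src, vlan, in_port, now)
        hit = self.entries.get((vlan, dst))
        if hit is None:
            return [p for p in vlan_ports if p != in_port]
        return [] if hit.port == in_port else [hit.port]


if __name__ == "__main__":
    # Mirrors the configuration example later in this chapter: aging time 500 s and a
    # static entry for 00e0-fc35-dc71 on GigabitEthernet 1/0/7 in VLAN 1 (constructed run).
    table = MacTable(aging_time=500.0, max_learn={"GE1/0/3": 1})
    table.add_static("00e0-fc35-dc71", 1, "GE1/0/7")
    ports = ["GE1/0/1", "GE1/0/3", "GE1/0/7"]
    print(table.forward("00e0-fc00-aaaa", "00e0-fc00-bbbb", 1, "GE1/0/1", 0.0, ports))
    print(table.age(502.0), "entries aged out")
```

The two trade-offs the text describes show up directly: a short aging time makes `age` remove entries that are still valid, so the next frame to them is flooded, while a learning limit on a port stops that port from filling the table but also leaves later sources on it unlearned and their return traffic flooded.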
Displaying and Maintaining the MAC Address Table
Table 119 Display and maintain the MAC address table
Display the information in the address table
    Command: display mac-address [ mac-address [ vlan vlan-id ] | [ blackhole | dynamic | static ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ]
    Remarks: Available in any view
Display the aging time of dynamic address table entries
    Command: display mac-address aging-time
    Remarks: Available in any view
Network requirements
The user logs in to the switch through the console port. Configure the MAC address table
management function. Configure the aging time for dynamic table entries to be 500
seconds. Add a static address table entry “00e0-fc35-dc71” to the interface
GigabitEthernet 1/0/7 in VLAN 1.
(Figure: the switch's network port connects to the Internet; the user connects to the
console port.)
Configuration procedure
1 Enter the system view of the switch.
<3Com> system-view
2 Add a static MAC address (specify the native VLAN, port, and state).
[3Com] mac-address static 00e0-fc35-dc71 interface GigabitEthernet 1/0/7 vlan 1
3 Configure the aging time for dynamic MAC address table entries to be 500 seconds.
[3Com] mac-address timer aging 500
4 Display the MAC address configurations under any view.
[3Com] display mac-address interface gigabitEthernet 1/0/7
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
MSTP Overview
A tree network must have a root; hence the concept of “root bridge” has been
introduced in STP.
There is one and only one root bridge in the entire network, and the root bridge can
change along with changes of the network topology. Therefore, the root bridge is not
fixed.
Upon network convergence, the root bridge generates and sends out at a certain interval
a BPDU and other devices just forward this BPDU. This mechanism ensures the
topological stability.
2 Root port
On a non-root bridge device, the root port is the port with the lowest path cost to the
root bridge. The root port is responsible for forwarding data to the root bridge. A
non-root-bridge device has one and only one root port. The root bridge has no root port.
Refer to the following table for the description of designated bridge and designated
port.
Figure 54 shows designated bridges and designated ports. In the figure, AP1 and AP2,
BP1 and BP2, and CP1 and CP2 are ports on Switch A, Switch B, and Switch C
respectively.
■ If Switch A forwards BPDUs to Switch B through AP1, the designated bridge for
Switch B is Switch A, and the designated port is the port AP1 on Switch A.
■ Two devices are connected to the LAN: Switch B and Switch C. If Switch B forwards
BPDUs to the LAN, the designated bridge for the LAN is Switch B, and the designated
port is the port BP2 on Switch B.
(Figure 54: Switch A, with ports AP1 and AP2, connects to port BP1 of Switch B and port
CP1 of Switch C; port BP2 of Switch B and port CP2 of Switch C connect to the LAN.)
For the convenience of description, the description and examples below involve only four
parts of a configuration BPDU:
■ Root bridge ID (in the form of device priority)
■ Root path cost
■ Designated bridge ID (in the form of device priority)
■ Designated port ID (in the form of port name)
1 Specific computing process of the STP algorithm
■ Initial state
Upon initialization of a device, each port generates a BPDU with itself as the root, in
which the root path cost is 0, designated bridge ID is the device ID, and the designated
port is the local port.
Each device sends out its configuration BPDU and receives configuration BPDUs from
other devices.
The process of selecting the root port and designated ports is as follows:
When the network topology is stable, only the root port and designated ports forward
traffic, while other ports are all in the blocked state – they only receive STP packets but
do not forward user traffic.
Once the root bridge, the root port on each non-root bridge and designated ports have
been successfully elected, the entire tree-shaped topology has been constructed.
The following is an example of how the STP algorithm works. The specific network
diagram is shown in Figure 55. In the figure, the priority of Switch A is 0, the priority of
Switch B is 1, the priority of Switch C is 2, and the path costs of these links are 5, 10 and
4 respectively.
Figure 55 Network diagram for the STP algorithm example
(Figure: Switch A with priority 0 has ports AP1 and AP2; Switch B with priority 1 has
ports BP1 and BP2; Switch C with priority 2 has ports CP1 and CP2. The AP1-BP1 link has
path cost 5, the AP2-CP1 link path cost 10, and the BP2-CP2 link path cost 4.)
The following table shows the comparison process and result on each device.
After the comparison processes described in the table above, a spanning tree with
Switch A as the root bridge is stabilized, as shown in Figure 56.
Figure 56 The final calculated spanning tree
(Figure: Switch A is the root bridge; the tree consists of the AP1-BP1 link with cost 5 and
the BP2-CP2 link with cost 4. Switch B has priority 1 and Switch C has priority 2.)
However, the newly computed configuration BPDU will not be propagated throughout
the network immediately, so the old root ports and designated ports that have not
detected the topology change continue forwarding data through the old path. If the
new root port and designated port begin to forward data as soon as they are elected, a
temporary loop may occur. For this reason, STP uses a state transition mechanism.
Namely, a newly elected root port or designated port requires twice the forward delay
time before transitioning to the forwarding state, when the new configuration BPDU has
been propagated throughout the network.
STP does not support rapid state transition of ports. A newly elected root port or
designated port must wait twice the forward delay time before transitioning to the
forwarding state, even if it is a port on a point-to-point link or it is an edge port, which
directly connects to a user terminal rather than to another device or a shared LAN
segment.
The rapid spanning tree protocol (RSTP) is an optimized version of STP. RSTP allows a
newly elected root port or designated port to enter the forwarding state much quicker
under certain conditions than in STP. As a result, it takes a shorter time for the network
to reach the final topology stability.
■ In RSTP, a newly elected root port can enter the forwarding state rapidly if this
condition is met: The old root port on the device has stopped forwarding data and
the upstream designated port has started forwarding data.
■ In RSTP, a newly elected designated port can enter the forwarding state rapidly if this
condition is met: The designated port is an edge port or a port connected with a
point-to-point link. If the designated port is an edge port, it can enter the forwarding
state directly; if the designated port is connected with a point-to-point link, it can
enter the forwarding state immediately after the device undergoes handshake with
the downstream device and gets a response.
Although RSTP supports rapid network convergence, it has the same drawback as STP
does: All bridges within a LAN share the same spanning tree, so redundant links cannot
be blocked based on VLANs, and the packets of all VLANs are forwarded along the same
spanning tree.
2 Features of MSTP
The multiple spanning tree protocol (MSTP) overcomes the shortcomings of STP and
RSTP. In addition to support for rapid network convergence, it also allows data flows of
different VLANs to be forwarded along their own paths, thus providing a better load
sharing mechanism for redundant links.
(Figure 57: four MST regions, A0, B0, C0 and D0, connected by the CST, with BPDUs
exchanged between regions. Region A0: VLAN 1 mapped to instance 1, VLAN 2 mapped to
instance 2, other VLANs mapped to the CIST. Region B0: VLAN 1 mapped to instance 1,
VLAN 2 mapped to instance 2, other VLANs mapped to the CIST. Region C0: VLAN 1 mapped
to instance 1, VLANs 2 and 3 mapped to instance 2, other VLANs mapped to the CIST.
Region D0: VLAN 1 mapped to instance 1 with B as regional root bridge, VLAN 2 mapped to
instance 2 with C as regional root bridge, other VLANs mapped to the CIST.)
1 MST region
3 IST
Internal spanning tree (IST) is a spanning tree that runs in an MST region, with the
instance number 0. The ISTs in all MST regions and the common spanning tree (CST) jointly
constitute the common and internal spanning tree (CIST) of the entire network. An IST is
a section of the CIST in an MST region. In Figure 57, for example, the CIST has a section
in each MST region, and this section is the IST of that MST region.
4 CST
The CST is a single spanning tree that connects all MST regions in a switched network. If
you regard each MST region as a “device”, the CST is a spanning tree computed by these
devices through MSTP. For example, the red lines in Figure 57 describe the CST.
5 CIST
Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all
devices in a switched network. In Figure 57, for example, the ISTs in all MST regions plus
the inter-region CST constitute the CIST of the entire network.
6 MSTI
Multiple spanning trees can be generated in an MST region through MSTP, one spanning
tree being independent of another. Each spanning tree is referred to as a multiple
spanning tree instance (MSTI). In Figure 57, for example, multiple spanning trees can exist
in each MST region, each spanning tree corresponding to a VLAN. These spanning trees
are called MSTIs.
The root bridge of the IST or an MSTI within an MST region is the regional root bridge of
the IST or that MSTI. Based on the topology, different spanning trees in an MST region
may have different regional roots. For example, in region D0 in Figure 57, the regional
root of instance 1 is device B, while that of instance 2 is device C.
The root bridge of the CIST is the common root bridge. In Figure 57, for example, the
common root bridge is a device in region A0.
9 Boundary port
A boundary port is a port that connects an MST region to another MST configuration, or
to a single spanning-tree region running STP, or to a single spanning-tree region running
RSTP.
During MSTP computing, a boundary port assumes the same role on the CIST and on
MST instances. Namely, if a boundary port is the master port on the CIST, it is also the
master port on all MST instances within this region. In Figure 57, for example, if a device
in region A0 is interconnected with the first port of a device in region D0 and the
common root bridge of the entire switched network is located in region A0, the first port
of that device in region D0 is the boundary port of region D0.
10 Roles of ports
In the MSTP computing process, port roles include designated port, root port, master
port, alternate port, backup port, and so on.
■ Root port: a port responsible for forwarding data to the root bridge.
■ Designated port: a port responsible for forwarding data to the downstream network
segment or device.
■ Master port: a port on the shortest path from the entire region to the common root
bridge, connecting the MST region to the common root bridge.
■ Alternate port: The standby port for a root port or master port. If a root port or
master port is blocked, the alternate port becomes the new root port or master port.
■ Backup port: If a loop occurs when two ports of the same device are interconnected,
the device will block either of the two ports, and the backup port is that port to be
blocked.
By comparison of “configuration BPDUs”, one device with the highest priority is elected
as the root bridge of the CIST. MSTP generates an IST within each MST region through
computing, and, at the same time, MSTP regards each MST region as a single device and
generates a CST among these MST regions through computing. The CST and ISTs
constitute the CIST of the entire network.
2 MSTI computing
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings.
■ Within an MST region, the packet is forwarded along the corresponding MSTI.
■ Between two MST regions, the packet is forwarded along the CST.
Configuring the Root Bridge
Configuration Tasks
Before configuring the root bridge, you need to know the position of each device in each
MST instance: root bridge or leaf node. In each instance, one and only one device acts
as the root bridge, while all others act as leaf nodes. Complete these tasks to configure a
device that acts as the root bridge:
Table 125 Configuration Tasks
Task Remarks
Configuring an MST Region Required
Specifying the Root Bridge or a Secondary Root Bridge Optional
Configuring the Work Mode of MSTP Optional
Configuring the Priority of the Current Device Optional
Configuring the Maximum Hops of an MST Region Optional
Configuring the Network Diameter of a Switched Network Optional
Configuring Timers of MSTP Optional
Configuring the Timeout Factor Optional
Configuring the Maximum Transmission Rate of Ports Optional
Configuring Ports as Edge Ports Optional
Configuring Whether Ports Connect to Point-to-Point Links Optional
Configuring the MSTP Packet Format for Ports Optional
Enabling the MSTP Feature Required
If both GVRP and MSTP are enabled on a device at the same time, GVRP packets will be
forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same
device and you wish to advertise a certain VLAN within the network through GVRP,
make sure that this VLAN is mapped to the CIST (instance 0) when configuring the
VLAN-to-instance mapping table.
CAUTION: Two devices belong to the same MST region only if they are configured to have
the same MST region name, the same VLAN-to-instance mapping entries in the MST
region and the same MST region revision level, and they are interconnected via a physical
link.
Configuration example
1 Configure the MST region name to be “info”, the MSTP revision level to be 1, and VLAN
2 through VLAN 10 to be mapped to instance 1 and VLAN 20 through VLAN 30 to
instance 2.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name info
[3Com-mst-region] instance 1 vlan 2 to 10
[3Com-mst-region] instance 2 vlan 20 to 30
[3Com-mst-region] revision-level 1
[3Com-mst-region] active region-configuration
Specifying the Root Bridge or a Secondary Root Bridge
MSTP can determine the root bridge of a spanning tree through MSTP computing.
Alternatively, you can specify the current device as the root bridge using the commands
provided by the system.
Specifying the current device as the root bridge of a specific spanning tree
Follow these steps to specify the current device as the root bridge of a specific spanning
tree:
Table 127 Specifying the current device as the root bridge of a specific spanning tree
Table 128 Specifying the current device as a secondary root bridge of a specific spanning tree
Note that:
■ Upon specifying the current device as the root bridge or a secondary root bridge, you
cannot change the priority of the device.
■ You can configure the current device as the root bridge or a secondary root bridge of
an MST instance, which is specified by instance instance-id in the command. If
you set instance-id to 0, the current device will be the root bridge or a secondary root
bridge of the CIST.
■ The current device has independent roles in different instances. It can act as the root
bridge or a secondary root bridge of one instance while it can also act as the root
bridge or a secondary root bridge of another instance. However, the same device
cannot be the root bridge and a secondary root bridge in the same instance at the
same time.
■ You can specify the current device as the root bridge of different MST instances, but
you cannot specify two or more root bridges for the same instance at the same time.
Namely, do not use the same command on two or more devices to specify root
bridges for the same instance.
■ You can specify multiple secondary root bridges for the same instance. Namely, you
can specify secondary root bridges for the same instance on two or more devices.
■ When the root bridge of an instance fails or is shut down, the secondary root bridge
(if you have specified one) can take over the role of the instance. However, if you
specify a new root bridge for the instance at this time, the secondary root bridge will
not become the root bridge. If you have specified multiple secondary root bridges for
an instance, when the root bridge fails, MSTP will select the secondary root bridge
with the lowest MAC address as the new root bridge.
■ When specifying the root bridge or a secondary root bridge, you can specify the
network diameter and hello time. However, these two options are effective only for
MST instance 0, namely the CIST. If you include these two options in your command
for any other instance, your configuration can succeed, but they will not actually
work. For the description of network diameter and hello time, refer to “Configuring
the Network Diameter of a Switched Network” and “Configuring Timers of MSTP”.
■ Alternatively, you can also specify the current device as the root bridge by setting the
priority of the device to 0. For the device priority configuration, refer to “Configuring
the Priority of the Current Device”.
Configuration example
1 Specify the current device as the root bridge of MST instance 1 and a secondary root
bridge of MST instance 2.
<3Com> system-view
[3Com] stp instance 1 root primary
[3Com] stp instance 2 root secondary
Configuring the Work Mode of MSTP Device
MSTP and RSTP can recognize each other’s protocol packets, so they are mutually
compatible. However, STP is unable to recognize MSTP packets. For hybrid networking
with legacy STP devices and full interoperability with RSTP-compliant devices, MSTP
supports three work modes: STP-compatible mode, RSTP mode, and MSTP mode.
■ In STP-compatible mode, all ports of the device send out STP BPDUs.
■ In RSTP mode, all ports of the device send out RSTP BPDUs. If the device detects that
it is connected with a legacy STP device, the port connecting with the legacy STP
device will automatically migrate to STP-compatible mode.
■ In MSTP mode, all ports of the device send out MSTP BPDUs. If the device detects that
it is connected with a legacy STP device, the port connecting with the legacy STP
device will automatically migrate to STP-compatible mode.
Configuration procedure
Follow these steps to configure the MSTP work mode:
Table 129 Configuring the Work Mode of MSTP Device
Configuration example
1 Configure MSTP to work in STP-compatible mode.
<3Com> system-view
[3Com] stp mode stp
196 CHAPTER 19: MSTP CONFIGURATION
Configuring the Priority of the Current Device
The priority of a device determines whether it can be elected as the root bridge of a
spanning tree. A lower value indicates a higher priority. By setting the priority of a device
to a low value, you can specify the device as the root bridge of the spanning tree. An
MSTP-compliant device can have different priorities in different MST instances.
Configuration procedure
Follow these steps to configure the priority of the current device:
CAUTION:
■ Upon specifying the current device as the root bridge or a secondary root bridge, you
cannot change the priority of the device.
■ During root bridge selection, if all devices in a spanning tree have the same priority,
the one with the lowest MAC address will be selected as the root bridge of the
spanning tree.
Configuration example
1 Set the device priority in MST instance 1 to 4096.
<3Com> system-view
[3Com] stp instance 1 priority 4096
Configuring the Maximum Hops of an MST Region
By setting the maximum hops of an MST region, you can restrict the region size. The
maximum hops setting configured on the regional root bridge will be used as the
maximum hops of the MST region.
After a configuration BPDU leaves the root bridge of the spanning tree in the region, its
hop count is decremented by 1 whenever it passes a device. When its hop count reaches
0, it will be discarded by the device that has received it. As a result, devices beyond the
maximum hops are unable to take part in spanning tree computing, and thereby the size
of the MST region is restricted.
Configuration procedure
Follow these steps to configure the maximum hops of the MST region:
A larger maximum hops setting means a larger size of the MST region. Only the
maximum hops configured on the regional root bridge can restrict the size of the MST
region.
Configuration example
1 Set the maximum hops of the MST region to 30.
<3Com> system-view
[3Com] stp max-hops 30
Configuring the Network Diameter of a Switched Network
Any two stations in a switched network are interconnected through specific paths, which
are composed of a series of devices. Represented by the number of devices on a path,
the network diameter is the path that comprises more devices than any other among
these paths.
Configuration procedure
Follow these steps to configure the network diameter of the switched network:
Table 132 Configuring the Network Diameter of a Switched Network
Configuration example
1 Set the network diameter of the switched network to 6.
<3Com> system-view
[3Com] stp bridge-diameter 6
Configuring Timers of MSTP
MSTP involves three timers: forward delay, hello time and max age.
■ Forward delay: the time a device will wait before changing states. A link failure can
trigger a spanning tree computing process, and the spanning tree structure will
change accordingly. However, as a new configuration BPDU cannot be propagated
throughout the network immediately, if the new root port and designated port begin
to forward data as soon as they are elected, a temporary loop may occur. For this
reason, the protocol uses a state transition mechanism. Namely, a newly elected root
port or designated port must wait twice the forward delay time before transitioning
to the forwarding state, when the new configuration BPDU has been propagated
throughout the network.
■ Hello time is used to detect whether a link is faulty. A device sends a hello packet to
the devices around it at a regular interval of hello time to check whether any link is
faulty.
■ Max age is used for determining whether a configuration BPDU has “expired”. A
BPDU that has “expired” will be discarded by the device.
Configuration procedure
Follow these steps to configure the timers of MSTP:
Table 133 Configuring Timers of MSTP
These three timers set on the root bridge of the CIST apply on all the devices on the
entire switched network.
CAUTION:
■ The length of the forward delay time is related to the network diameter of the
switched network. Typically, the larger the network diameter is, the longer the
forward delay time should be. Note that if the forward delay setting is too small,
temporary redundant paths may be introduced; if the forward delay setting is too big,
it may take a long time for the network to resume connectivity. We recommend that
you use the default setting.
■ An appropriate hello time setting enables the device to timely detect link failures on
the network without using excessive network resources. If the hello time is set too
long, the device will mistake packet loss on a link for a link failure and trigger a new
spanning tree computing process; if the hello time is set too short, the device will
send repeated configuration BPDUs frequently, which adds to the device burden and
causes waste of network resources. We recommend that you use the default setting.
■ If the max age setting is too small, the network devices will frequently launch
spanning tree computing and may mistake network congestion for a link failure; if the
max age setting is too large, the network may fail to timely detect link failures and fail
to timely launch spanning tree computing, thus reducing the auto-sensing capability
of the network. We recommend that you use the default setting.
The setting of hello time, forward delay and max age must meet the following formulae;
otherwise network instability will frequently occur.
We recommend that you specify the network diameter in the stp root primary
command and let MSTP automatically calculate an optimal setting of these three timers.
Configuration example
1 Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds, and max
age to 2,100 centiseconds.
<3Com> system-view
[3Com] stp timer forward-delay 1600
[3Com] stp timer hello 300
[3Com] stp timer max-age 2100
Configuring the Timeout Factor
A device sends a BPDU to the devices around it at a regular interval of hello time to check
whether any link is faulty. Typically, if a device does not receive a BPDU from the
upstream device within nine times the hello time, it will assume that the upstream device
has failed and start a new spanning tree computing process.
In a very stable network, this kind of spanning tree computing may occur because the
upstream device is busy. In this case, you can avoid such unwanted spanning tree
computing by lengthening the timeout time.
Configuration procedure
Follow these steps to configure the timeout factor:
Table 134 Configuring the Timeout Factor
Configuration example
1 Set the timeout factor to 6.
<3Com> system-view
[3Com] stp timer-factor 6
Configuring the Maximum Transmission Rate of Ports
The maximum transmission rate of a port refers to the maximum number of MSTP
packets that the port can send within each hello time.
The maximum transmission rate of an Ethernet port is related to the physical status of
the port and the network structure. You can make your configuration based on the
actual networking condition.
Configuration procedure
Follow these steps to configure the maximum transmission rate of a port or a group
of ports:
If the maximum transmission rate setting of a port is too big, the port will send a large
number of MSTP packets within each hello time, thus using excessive network resources.
We recommend that you use the default setting.
Configuration example
1 Set the maximum transmission rate of port GigabitEthernet 1/0/1 to 5.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp transmit-limit 5
Configuring Ports as Edge Ports
If a port directly connects to a user terminal rather than another device or a shared LAN
segment, this port is regarded as an edge port. When the network topology changes, an
edge port will not cause a temporary loop. Therefore, if you specify a port as an edge
port, this port can transition rapidly from the blocked state to the forwarding state
without delay.
Configuration procedure
Follow these steps to specify a port or a group of ports as edge port(s):
Table 136 Configuring Ports as Edge Ports
■ With BPDU guard disabled, when a port set as an edge port receives a BPDU from
another port, it will become a non-edge port again. In this case, you must reset the
port before you can configure it to be an edge port again.
■ If a port directly connects to a user terminal, configure it to be an edge port and
enable BPDU guard for it. This enables the port to transition to the forwarding state
while ensuring network security.
Configuration example
1 Configure GigabitEthernet 1/0/1 to be an edge port.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp edged-port enable
Configuring Whether Ports Connect to Point-to-Point Links
A point-to-point link is a link directly connecting two devices. If the two ports across
a point-to-point link are root ports or designated ports, the ports can rapidly transition to
the forwarding state by transmitting synchronization packets.
Configuration procedure
Follow these steps to configure whether a port or a group of ports connect to
point-to-point links:
Configuration example
1 Configure port GigabitEthernet 1/0/1 as connecting to a point-to-point link.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp point-to-point force-true
The default packet format setting is auto, namely a port recognizes the two MSTP
packet formats automatically. You can configure the MSTP packet format to be used by a
port on your command line. After your configuration, when working in MSTP mode, the
port sends and receives only MSTP packets of the format you have configured.
Configuration procedure
Follow these steps to configure the MSTP packet format for a port or a group of ports:
Table 138 Configuring the MSTP Packet Format for Ports
■ If the port is configured not to detect the packet format automatically while it works
in the MSTP mode, and if it receives a packet in the format other than as configured,
that port will become a designated port, and the port will remain in the discarding
state to prevent the occurrence of a loop.
■ If a port receives MSTP packets of different formats frequently, this means that the
MSTP packet format configuration contains errors. In this case, if the port is
working in MSTP mode, it will be disabled for protection. Ports closed in this way
can be restored only by the network administrator.
Configuration example
1 Configure port GigabitEthernet 1/0/1 to receive and send standard-format MSTP
packets.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp compliance dot1s
You must enable MSTP for the device before any other MSTP-related configuration can
take effect.
Configuration example
1 Enable MSTP for the device and disable MSTP for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] stp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp disable
Configuring Leaf Nodes
Configuration Tasks
Before configuring the root bridge, you need to know the position of each device in each
MST instance: root bridge or leaf node. In each instance, one and only one device acts
as the root bridge, while all others act as leaf nodes. Complete these tasks to configure a
device that acts as a leaf node:
Table 140 Configuring Leaf Nodes
Task Remarks
Configuring an MST Region Required
Configuring the Work Mode of MSTP Optional
Configuring the Timeout Factor Optional
Configuring the Maximum Transmission Rate of Ports Optional
Configuring Ports as Edge Ports Optional
Configuring Path Costs of Ports Optional
Configuring Port Priority Optional
Configuring Whether Ports Connect to Point-to-Point Links Optional
Configuring the MSTP Packet Format for Ports Optional
Enabling the MSTP Feature Required
If both GVRP and MSTP are enabled on a device, GVRP packets will be forwarded along
the CIST. Therefore, if both GVRP and MSTP are running on the same device and you
wish to advertise a certain VLAN within the network through GVRP, make sure that this
VLAN is mapped to the CIST (instance 0) when configuring the VLAN-to-instance
mapping table.
Configuring the Work Mode of MSTP
Refer to section “Configuring the Work Mode of MSTP Device”.
Configuring the Maximum Transmission Rate of Ports
Refer to section “Configuring the Maximum Transmission Rate of Ports”.
Configuring Path Costs of Ports
Path cost is a parameter related to the rate of port-connected links. On an
MSTP-compliant device, ports can have different priorities in different MST instances.
Setting an appropriate path cost allows VLAN traffic flows to be forwarded along
different physical links, thus enabling per-VLAN load balancing.
Configuring Leaf Nodes 205
The device can automatically calculate the default path cost; alternatively, you can also
configure the path cost for ports.
Specifying a standard that the device uses when calculating the default path
cost
You can specify a standard for the device to use in automatic calculation for the default
path cost. The device supports the following standards:
■ dot1d-1998: The device calculates the default path cost for ports based on IEEE
802.1D-1998.
■ dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
■ legacy: The device calculates the default path cost for ports based on a private
standard.
Follow these steps to specify a standard for the device to use when calculating the
default path cost:
Table 141 Specifying a standard that the device uses when calculating the default path cost
Link speed   Duplex state              802.1D-1998   802.1t        Private standard
0            —                         65535         200,000,000   200,000
10Mbit/s     Half-Duplex/Full-Duplex   100           2,000,000     2,000
             Aggregated Link 2 Ports   100           1,000,000     1,800
             Aggregated Link 3 Ports   100           666,666       1,600
             Aggregated Link 4 Ports   100           500,000       1,400
100Mbit/s    Half-Duplex/Full-Duplex   19            200,000       200
             Aggregated Link 2 Ports   19            100,000       180
             Aggregated Link 3 Ports   19            66,666        160
             Aggregated Link 4 Ports   19            50,000        140
1000Mbit/s   Full-Duplex               4             20,000        20
             Aggregated Link 2 Ports   4             10,000        18
             Aggregated Link 3 Ports   4             6,666         16
             Aggregated Link 4 Ports   4             5,000         14
10Gbit/s     Full-Duplex               2             2,000         2
             Aggregated Link 2 Ports   2             1,000         1
             Aggregated Link 3 Ports   2             666           1
             Aggregated Link 4 Ports   2             500           1
In the calculation of the path cost value of an aggregated link, 802.1D-1998 does not
take into account the number of ports in the aggregated link. Whereas, 802.1T takes the
number of ports in the aggregated link into account. The calculation formula is: Path
Cost = 200,000,000/link speed in 100 kbps, where link speed is the sum of the link
speed values of the non-blocked ports in the aggregated link.
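As an added example that is not part of the guide, the following Python applies the rule just stated (the 802.1t formula over the summed speed of non-blocked member ports, and 802.1D-1998 as a per-speed lookup that ignores member count) and recomputes the table above to confirm both agree; function and constant names are this example's own.

```python
"""Default MSTP port path costs under the 802.1D-1998 and 802.1t standards.

Added example, not code from the 3Com guide.  It implements the 802.1t
formula the guide states (Path Cost = 200,000,000 / link speed in 100 kbps,
where the speed of an aggregated link is the sum of its non-blocked member
ports), models 802.1D-1998 as the per-speed lookup the guide's table shows
(member-port count ignored), and checks both against the guide's table.
The private 'legacy' standard has no published formula and is left out.
"""

DOT1T_NUMERATOR = 200_000_000        # 802.1t reference cost (speed-0 link)

# 802.1D-1998 assigns one cost per link speed (Mbit/s) and ignores how many
# member ports an aggregated link has; values taken from the guide's table.
DOT1D_1998_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}
DOT1D_1998_LINK_DOWN = 65535


def aggregate_speed_mbps(ports):
    """Sum of the speeds of the non-blocked member ports.

    ports: list of (speed_mbps, blocked) pairs.  A single physical port is
    a one-element list; an aggregated link lists each member port.
    """
    return sum(speed for speed, blocked in ports if not blocked)


def dot1t_path_cost(ports):
    """802.1t default cost: 200,000,000 / (link speed in 100 kbps units).

    1 Mbit/s = 10 x 100 kbps.  The division truncates, which is how the
    guide's table arrives at 666,666 for three 10 Mbit/s ports.
    """
    speed = aggregate_speed_mbps(ports)
    if speed == 0:
        return DOT1T_NUMERATOR       # link down or every member blocked
    return DOT1T_NUMERATOR // (speed * 10)


def dot1d_1998_path_cost(ports):
    """802.1D-1998 default cost: looked up from the member port speed only."""
    active = [speed for speed, blocked in ports if not blocked]
    if not active:
        return DOT1D_1998_LINK_DOWN
    per_port = active[0]
    if any(s != per_port for s in active):
        raise ValueError("802.1D-1998 lookup assumes equal-speed members")
    if per_port not in DOT1D_1998_COST:
        raise ValueError(f"no 802.1D-1998 cost for {per_port} Mbit/s")
    return DOT1D_1998_COST[per_port]


def default_path_cost(standard, ports):
    """Dispatch on the standard names the guide lists (dot1d-1998, dot1t)."""
    if standard == "dot1t":
        return dot1t_path_cost(ports)
    if standard == "dot1d-1998":
        return dot1d_1998_path_cost(ports)
    raise ValueError(f"unsupported path cost standard: {standard}")


# Rows of the guide's table: (speed per member port in Mbit/s, member count,
# 802.1D-1998 cost, 802.1t cost).  Private-standard column omitted.
GUIDE_TABLE = [
    (10, 1, 100, 2_000_000), (10, 2, 100, 1_000_000),
    (10, 3, 100, 666_666), (10, 4, 100, 500_000),
    (100, 1, 19, 200_000), (100, 2, 19, 100_000),
    (100, 3, 19, 66_666), (100, 4, 19, 50_000),
    (1000, 1, 4, 20_000), (1000, 2, 4, 10_000),
    (1000, 3, 4, 6_666), (1000, 4, 4, 5_000),
    (10000, 1, 2, 2_000), (10000, 2, 2, 1_000),
    (10000, 3, 2, 666), (10000, 4, 2, 500),
]


def verify_against_guide_table():
    """Recompute every table row; return the rows whose result disagrees."""
    mismatches = []
    for speed, members, expect_1d, expect_1t in GUIDE_TABLE:
        ports = [(speed, False)] * members
        got_1d = default_path_cost("dot1d-1998", ports)
        got_1t = default_path_cost("dot1t", ports)
        if (got_1d, got_1t) != (expect_1d, expect_1t):
            mismatches.append((speed, members, got_1d, got_1t))
    return mismatches


if __name__ == "__main__":
    # A 4-port gigabit aggregation with one member blocked counts as 3 ports
    # under 802.1t, so its cost is the 3-port value, 6,666.
    lag = [(1000, False), (1000, False), (1000, False), (1000, True)]
    print("802.1t cost of the aggregation:", dot1t_path_cost(lag))
    print("rows disagreeing with the guide's table:", verify_against_guide_table())
```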
CAUTION:
■ If you change the standard that the device uses in calculating the default path cost,
the port path cost value set through the stp cost command will be out of effect.
■ When the path cost of a port is changed, MSTP will re-compute the role of the port
and initiate a state transition. If you use 0 as instance-id, you are setting the path cost
of the CIST.
Configuration example
1 Set the path cost of GigabitEthernet 1/0/1 in MST instance 1 to 2000.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 cost 2000
Configuring Port Priority
The priority of a port is an important basis for determining whether the port can be elected
as the root port of the device. If all other conditions are the same, the port with the highest
priority will be elected as the root port.
Configuration procedure
Follow these steps to configure the priority of a port or a group of ports:
■ When the priority of a port is changed, MSTP will re-compute the role of the port and
initiate a state transition.
■ Generally, a lower configured priority value indicates a higher priority of the port. If
you configure the same priority value for all the Ethernet ports on a device, the
specific priority of a port depends on the index number of that port. Changing the
priority of an Ethernet port triggers a new spanning tree computing process.
Configuration example
1 Set the priority of port GigabitEthernet 1/0/1 to 16 in MST instance 1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 port priority 16
Configuring the MSTP Packet Format for Ports
Refer to “Configuring the MSTP Packet Format for Ports”.
Performing mCheck
Ports on an MSTP-compliant device have three working modes: STP-compatible mode,
RSTP mode, and MSTP mode.
In a switched network, if a port on the device running MSTP (or RSTP) connects to a
device running STP, this port will automatically migrate to the STP-compatible mode.
However, if the device running STP is removed, this port will not be able to migrate
automatically to the MSTP (or RSTP) mode, but will remain working in the
STP-compatible mode. In this case, you can perform an mCheck operation to force the
port to migrate to the MSTP (or RSTP) mode.
You can perform mCheck on a port through two approaches, which lead to the same
result.
Configuration prerequisites
MSTP has been correctly configured on the device.
CAUTION: The stp mcheck command is meaningful only when the device works in
the MSTP (or RSTP) mode, not in the STP-compatible mode.
Configuration example
1 Perform mCheck on port GigabitEthernet 1/0/1.
a Method 1: Perform mCheck globally.
<3Com> system-view
[3Com] stp mcheck
b Method 2: Perform mCheck in Ethernet port view
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp mcheck
Performing mCheck 209
Among loop guard, root guard and edge port setting, only one function can take effect
on the same port at the same time.
■ BPDU guard
For access layer devices, the access ports generally connect directly with user terminals
(such as PCs) or file servers. In this case, the access ports are configured as edge ports to
allow rapid transition of these ports. When these ports receive configuration BPDUs, the
system will automatically set these ports as non-edge ports and starts a new spanning
tree computing process. This will cause network topology instability. Under normal
conditions, these ports should not receive configuration
MSTP provides the BPDU guard function to protect the system against such attacks.
With the BPDU guard function enabled on the devices, when edge ports receive
configuration BPDUs, the system will close these ports and notify the NMS that these
ports have been closed by MSTP. Ports closed in this way can be restored only by the
network administrator.
■ Root guard
The root bridge and secondary root bridge of a spanning tree should be located in the
same MST region. Especially for the CIST, the root bridge and secondary root bridge are
generally put in a high-bandwidth core region during network design. However, due to
possible configuration errors or malicious attacks in the network, the legal root bridge
may receive a configuration BPDU with a higher priority. In this case, the current root
bridge will be superseded by another device, causing undesired change of the network
topology. As a result of this kind of illegal topology change, the traffic that should go
over high-speed links is drawn to low-speed links, resulting in network congestion.
To prevent this situation from happening, MSTP provides the root guard function to
protect the root bridge. If the root guard function is enabled on a port, this port will
keep playing the role of designated port on all MST instances. Once this port receives a
configuration BPDU with a higher priority for an MST instance, it immediately sets the
port in that instance to the listening state, without forwarding the packet (this is equivalent to
disconnecting the link connected with this port). If the port receives no BPDUs with a
higher priority within a sufficiently long time, the port will revert to its original state.
■ Loop guard
By keeping receiving BPDUs from the upstream device, a device can maintain the state of
the root port and other blocked ports. However, due to link congestion or unidirectional
link failures, these ports may fail to receive BPDUs from the upstream device. In this case,
the downstream device will reselect the port roles: those ports failed to receive upstream
BPDUs will become designated ports and the blocked ports will transition to the
forwarding state, resulting in loops in the switched network. The loop guard function
can suppress the occurrence of such loops.
If a loop guard–enabled port fails to receive BPDUs from the upstream device, and if the
port took part in STP computing, all the instances on the port, no matter what roles they
play, will be set to, and stay in, the Discarding state.
■ TC-BPDU attack guard
With the TC-BPDU guard function enabled, the device performs a deletion operation
only once within a certain period of time (typically 10 seconds) after it receives a
TC-BPDU, and monitors whether a new TC-BPDU is received within that period of time. If
a new TC-BPDU is received within that period of time, the device will perform another
deletion operation after that period of time elapses. This prevents frequent deletion of
MAC address entries and ARP entries.
Configuration procedure
Follow these steps to enable BPDU guard:
Table 147 Enabling BPDU Guard
Configuration example
1 Enable BPDU protection.
<3Com> system-view
[3Com] stp bpdu-protection
Configuration procedure
Follow these steps to enable root guard:
Configuration example
1 Enable the root guard function for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp root-protection
Configuration procedure
Follow these steps to enable loop guard:
Table 149 Enabling Loop Guard
Configuration example
1 Enable the loop guard function for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp loop-protection
Configuration example
1 Enable the TC-BPDU attack guard function.
<3Com> system-view
[3Com] stp tc-protection enable
Displaying and Maintaining MSTP
Table 151 Displaying and Maintaining MSTP
To do...                                   Use the command...                                   Remarks
View the status information and            display stp [ instance instance-id ] [ interface     Available in any view
statistics information of MSTP             interface-list | slot slot-number ] [ brief ]
View the MST region configuration          display stp region-configuration                     Available in any view
information that has taken effect
Clear the statistics information of MSTP   reset stp [ interface interface-list ]               Available in user view
Network diagram
[Figure: Switch A, Switch B, Switch C and Switch D interconnected; the links are labelled with the VLANs they permit: VLAN 10, 20; VLAN 20, 30; and VLAN 20, 40]
“Permit:” beside each link in the figure is followed by the VLANs whose packets are
permitted to pass that link.
Configuration procedure
1 Configuration on Switch A
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
c Define Switch A as the root bridge of MST instance 1.
[3Com] stp instance 1 root primary
d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector :0
Region name :example
Revision level :0
2 Configuration on Switch B
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
c Define Switch B as the root bridge of MST instance 3.
[3Com] stp instance 3 root primary
d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector :0
Region name :example
Revision level :0
This chapter tells you how to assign IP addresses to interfaces on your device. When
doing so, use the following table to find where the information you are interested in is located.
IP Address Classes
IP addresses are represented in dotted decimal notation, each being four octets in length,
for example, 10.1.1.1. An IP address consists of two parts:
■ Net-id, the first several bits of the IP address defining a network, also known as class
bits.
■ Host-id, identifies a host on a network.
For administration sake, IP addresses are divided into five classes. Which class an IP
address belongs to depends on the first one to four bits of the net-id, as shown in the
following figure.
218 CHAPTER 20: IP ADDRESSING CONFIGURATION
[Figure: IP address classes, showing bit positions 0 to 31 of the address]
The following table describes the address ranges of these five classes.
Subnetting and Masking
In the 1980s, subnetting was developed to address the risk of IP address exhaustion resulting
from the fast expansion of the Internet. The idea is to break a network down into smaller
networks called subnets by using some bits of the host-id to create a subnet-id. To
identify the boundary between the net-id and the host-id, masking is used.
Each subnet mask comprises 32 bits related to the corresponding bits in an IP address. In
a mask, the part containing consecutive ones identifies the net-id whereas the part
containing consecutive zeros identifies the host-id.
[Figure: a Class B address, bits 0 to 15 net-id and bits 16 to 31 host-id, shown with its natural mask of 16 ones followed by 16 zeros, and with a subnet mask of 22 ones followed by 10 zeros]
Configuring IP Addresses 219
While allowing you to create multiple logical networks within a single Class A, B, or C
network, subnetting is transparent to the rest of the Internet. All these networks still
appear as one. As subnetting adds an additional level, subnet-id, to the two-level
hierarchy with IP addressing, IP routing now involves three steps: delivery to the site,
delivery to the subnet, and delivery to the host.
Class A, B, and C networks, before being subnetted, use these default masks (also called
natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
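An added example, not code from the guide, that applies the class bits, the natural masks above and the contiguous-ones mask rule to split an address such as this chapter's 129.2.2.1 with mask 255.255.255.0 into net-id, subnet-id and host-id bits; the function names are this example's own.

```python
"""Classful IP addressing and subnet masking as described in this chapter.

Added example, not code from the 3Com guide.  It determines the class of a
dotted-decimal address from its leading bits (0 -> A, 10 -> B, 110 -> C,
1110 -> D, otherwise E), applies the natural masks the guide lists for
classes A, B and C, checks that a mask is a run of ones followed by a run
of zeros, and splits an address into net-id, subnet-id and host-id bits
under a configured mask.  Function names are this example's own.
"""
import ipaddress

# Natural (default) masks from the guide; classes D and E are not subnetted.
NATURAL_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def to_int(dotted):
    """Dotted decimal -> 32-bit integer (raises ValueError on bad input)."""
    return int(ipaddress.IPv4Address(dotted))


def address_class(dotted):
    """Class from the first one to four bits of the address."""
    first_octet = to_int(dotted) >> 24
    if first_octet & 0x80 == 0x00:
        return "A"          # 0xxxxxxx
    if first_octet & 0xC0 == 0x80:
        return "B"          # 10xxxxxx
    if first_octet & 0xE0 == 0xC0:
        return "C"          # 110xxxxx
    if first_octet & 0xF0 == 0xE0:
        return "D"          # 1110xxxx
    return "E"              # 1111xxxx


def is_contiguous_mask(mask):
    """True if the mask is consecutive ones followed by consecutive zeros."""
    inverted = (~to_int(mask)) & 0xFFFFFFFF     # the zero run becomes ones
    return inverted & (inverted + 1) == 0       # i.e. inverted == 2**k - 1


def prefix_length(mask):
    """Number of one bits in a contiguous mask."""
    return bin(to_int(mask)).count("1")


def split_address(dotted, mask):
    """Split an address under a mask into the three-level hierarchy.

    Returns a dict with the class, the bit count of the net-id (fixed by
    the class), the subnet-id (mask bits borrowed from the host-id) and the
    host-id, plus the subnet address (address AND mask).
    """
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a contiguous mask")
    cls = address_class(dotted)
    if cls not in NATURAL_MASK:
        raise ValueError(f"class {cls} addresses are not subnetted")
    net_bits = prefix_length(NATURAL_MASK[cls])
    mask_bits = prefix_length(mask)
    if mask_bits < net_bits:
        raise ValueError(f"{mask} is shorter than the class {cls} natural mask")
    subnet = ipaddress.IPv4Address(to_int(dotted) & to_int(mask))
    return {
        "class": cls,
        "net_id_bits": net_bits,
        "subnet_id_bits": mask_bits - net_bits,
        "host_id_bits": 32 - mask_bits,
        "subnet": str(subnet),
    }


if __name__ == "__main__":
    # The guide's VLAN-interface example: 129.2.2.1 with mask 255.255.255.0
    print(split_address("129.2.2.1", "255.255.255.0"))
    # The guide's figure: a class B address under a 22-bit mask
    print(split_address("129.2.2.1", "255.255.252.0"))
```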
Configuring IP Addresses
For a VLAN interface, an IP address can be obtained in one of the three ways:
■ Manually configured by using the IP address configuration command
■ Allocated by the BOOTP server
■ Allocated by the DHCP server
The three methods are mutually exclusive and the use of a new method will result in the
IP address obtained by the old method being released. For example, if you obtain an IP
address by using the IP address configuration command, and then use the ip address
bootp-alloc command to apply for an IP address, the originally configured IP address
is deleted and a new IP address will be allocated by BOOTP for the VLAN interface.
This chapter only introduces how to configure an IP address manually. For the other two
methods of obtaining IP addresses, refer to the DHCP module.
You can configure IP addresses for VLAN interfaces and the Loopback interface on the
Switch 4500G.
Network diagram
[Figure: a PC connected to the switch through a console cable]
Configuration procedure
Configure an IP address for VLAN interface 1.
<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 129.2.2.1 255.255.255.0
Displaying IP Addressing
Table 155 Displaying IP Addressing
To do…                                        Use the command…                              Remarks
Display detailed information about the IP     display ip interface [ interface-type         Available in any view
configuration of a specified interface        interface-number ]
Display brief information about the basic     display ip interface brief [ interface-type   Available in any view
IP configuration of a specified or all        interface-number ]
interfaces
21 IP PERFORMANCE CONFIGURATION
Introduction to IP performance
In some network environments, you need to adjust the parameters for the best IP
performance. IP performance configuration includes:
■ TCP timer
■ Size of TCP receiving/sending buffer
■ Sending ICMP error packets
■ Permitting Receiving and Forwarding of Directed Broadcast Packets
Configuring sending ICMP error packets
Sending error packets is a major function of the ICMP protocol. ICMP packets are typically
sent by protocols on the network or transport layer to notify the corresponding devices so as
to facilitate control and management.
1 Sending ICMP redirect packets
A host may have only one default route, to the default gateway, in its routing table when
it starts. The default gateway will send ICMP redirect packets to the source host to
notify it to reselect a correct router as the next hop for subsequent packets, if the
following conditions are satisfied:
■ The device finds that the receiving and sending interfaces are the same while
forwarding data packets.
■ The selected router has not been created or modified by ICMP redirect packets.
■ The selected router is not the default router of the host.
■ The source IP address of the data packets and the next hop’s IP address in the selected
router belong to the same network segment.
You can use ICMP redirect packets to simplify host administration and find out the best
routing by establishing a sound routing table for hosts with little routing information.
2 Sending ICMP timeout packets
Sending ICMP timeout packets means that when a timeout error occurs after a device
has received an IP data packet, the device drops the data packet and sends an ICMP error
packet to the source.
The device will send an ICMP timeout packet under the following conditions:
■ If a device finds the destination of the packet is not local after receiving a data packet
whose TTL field is 1, it will send a “TTL timeout” ICMP error message.
■ When the device receives the first fragment of an IP packet whose destination address is
local, it starts a timer. If the timer expires before all the fragments are received,
the device sends a “reassembly timeout” ICMP error packet.
3 Sending ICMP destination unreachable packets
Sending ICMP destination unreachable packets means that when a destination unreachable
error occurs after a device has received an IP data packet, the device drops the data
packet and sends an ICMP error packet to the source.
The device will send an ICMP destination unreachable packet under the following
conditions:
■ When forwarding a packet, if the device finds no corresponding forwarding route or
default route in the routing table, it sends a “network unreachable” ICMP error
packet.
Configuring sending ICMP error packets 223
■ When receiving a data packet whose destination address is local, if the transport layer
protocol is not available on the device, the device sends a “protocol unreachable” ICMP
error packet.
■ When receiving a data packet whose destination address is local and whose transport
layer protocol is UDP, if the packet’s port number does not match any running process,
the device sends the source a “port unreachable” ICMP error packet.
■ When a packet is sent using “strict source routing”, if an intermediate device finds that
the source route points to a device not directly connected to it, it sends the source a
“source routing fails” ICMP error packet.
■ When forwarding a packet, if the MTU of the forwarding interface is smaller than the
packet but the packet is marked unfragmentable, the device sends the source a
“fragmenting is required but unavailable” ICMP error packet.
To prevent such problems, you can disable the device from sending ICMP error packets,
which reduces network traffic and helps avoid malicious attacks.
■ After sending ICMP destination unreachable packets is disabled, the device stops
sending “network unreachable” and “source route unsuccessful” ICMP error packets, but
other destination unreachable packets are still sent normally.
■ After sending ICMP timeout packets is disabled, the device stops sending “TTL timeout”
ICMP error packets, but “reassembly timeout” error packets are still sent normally.
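The decision logic behind the two lists above, written out as an added example (not 3Com or Comware code) so that the selective effect of the two disable switches is visible: a locally addressed packet still triggers protocol/port unreachable, and a too-large DF packet still triggers the fragmentation error, even when both switches are off. The Packet and RouterState fields, the sample addresses and the reassembly case being left out (it needs a timer) are assumptions of this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    dst: str                      # destination IP address
    ttl: int
    length: int                   # total IP length in bytes
    proto: str = "udp"            # transport protocol carried
    dst_port: int = 0
    dont_fragment: bool = False   # DF bit set: packet may not be fragmented
    strict_source_route: bool = False   # strict source route option present
    next_hop_connected: bool = True     # next source-route hop directly connected?


@dataclass
class RouterState:
    local_addrs: set              # addresses owned by the device
    routes: list                  # forwarding routes as ip_network objects
    has_default_route: bool
    egress_mtu: int               # MTU of the forwarding interface
    udp_ports: set                # UDP ports with a listening process
    transport_protos: set         # transport protocols the device implements
    unreachable_enabled: bool = True   # 'sending ICMP destination unreachable packets'
    timeout_enabled: bool = True       # 'sending ICMP timeout packets'


def icmp_error_for(pkt: Packet, rs: RouterState) -> Optional[str]:
    """Return the ICMP error the device would send for pkt, or None.

    Disabling destination-unreachable suppresses only 'network unreachable'
    and 'source route failed'; disabling timeout suppresses only 'TTL timeout'.
    Reassembly timeout needs a fragment timer and is not modelled here.
    """
    dst = ip_address(pkt.dst)
    if pkt.dst in rs.local_addrs:
        # Locally delivered packet: protocol and port checks, never suppressed.
        if pkt.proto not in rs.transport_protos:
            return "protocol unreachable"
        if pkt.proto == "udp" and pkt.dst_port not in rs.udp_ports:
            return "port unreachable"
        return None

    # Transit packet: TTL is checked before the device looks up a route.
    if pkt.ttl <= 1:
        return "TTL timeout" if rs.timeout_enabled else None

    if not (rs.has_default_route or any(dst in net for net in rs.routes)):
        return "network unreachable" if rs.unreachable_enabled else None

    if pkt.strict_source_route and not pkt.next_hop_connected:
        return "source route failed" if rs.unreachable_enabled else None

    if pkt.dont_fragment and pkt.length > rs.egress_mtu:
        return "fragmentation required but DF set"   # never suppressed
    return None


def sample_router(**overrides) -> RouterState:
    """Constructed sample state (addresses are made up, not from the manual)."""
    state = dict(local_addrs={"10.0.0.1"},
                 routes=[ip_network("192.168.1.0/24")],
                 has_default_route=False, egress_mtu=1500,
                 udp_ports={161}, transport_protos={"udp", "tcp"})
    state.update(overrides)
    return RouterState(**state)
```

Calling sample_router(unreachable_enabled=False, timeout_enabled=False) gives the fully quieted device: it still answers port and protocol unreachable for its own addresses, which is the part of the attack surface the disable commands do not remove.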
224 CHAPTER 21: IP PERFORMANCE CONFIGURATION
Permitting Receiving and Forwarding of Directed Broadcast Packets
Directed broadcast packets include network directed broadcast packets, subnetwork
directed broadcast packets and all-subnetwork directed broadcast packets. As specified
in RFC 2644, the device can receive and forward directed broadcast packets by default.
However, hackers can use such packets to attack the network system, thus bringing forth
great potential dangers to the network.
Switch 4500G series switches do not receive and forward directed broadcast packets by
default. You can configure Switch 4500G series switches to receive and forward directed
broadcast packets.
Table 158 Configure to permit the receiving and forwarding of directed broadcast packets
If ACL rules are configured when VLAN interfaces are enabled to forward directed
broadcast packets, the directed broadcast packets to be forwarded must be filtered by
the configured ACL rule. The directed broadcast packets which do not match the ACL
rule will be dropped.
Network diagram
Figure 63 Network diagram for permitting receiving and forwarding of directed broadcast
packets (figure not reproduced; the addresses shown in it are:)
PC1 1.1.1.1/24 and PC2 1.1.1.3/24 on the VLAN 1 segment; Switch A VLAN-interface 1
1.1.1.2/24 and VLAN-interface 2 2.2.2.1/24; Switch B VLAN-interface 2 2.2.2.2/24.
Configuration procedure
1 Configure Switch A
a Permit the receiving of directed broadcast packets.
<3Com> system-view
[3Com] ip forward-broadcast
b Define ACL 2000.
[3Com] acl number 2000
[3Com-acl-basic-2000] rule permit source 1.1.1.1 0
[3Com-acl-basic-2000] rule deny source any
c Permit VLAN-interface 2 to forward directed broadcast packets matching ACL 2000.
[3Com] interface vlan-interface 2
[3Com-Vlan-interface2] ip forward-broadcast acl 2000
2 Configure Switch B
a Permit the receiving of directed broadcast packets.
<3Com> system-view
[3Com] ip forward-broadcast
After this configuration, use the ping command on PC 1 to ping the broadcast address
2.2.2.255 of the subnet where VLAN-interface 2 of Switch A resides: PC 1 receives
response packets from both Switch A and Switch B. Use the ping command on PC 2 to ping
the same broadcast address 2.2.2.255: PC 2 receives response packets from Switch A only.
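The forwarding decision that produces the two ping results above, modelled as an added example (not Comware code). The interface addresses, ACL 2000 and the global/interface commands come from the procedure; the split into a "respond" and a "forward" decision, the unmatched-packet-is-dropped default and the wildcard-to-prefix conversion are modelling assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network


def acl_rule(action, addr, wildcard):
    """One basic ACL rule from Comware-style 'source addr wildcard' notation
    (wildcard 0.0.0.0 = exact host, 255.255.255.255 = any)."""
    netmask = (~int(ip_address(wildcard))) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")             # assumes a contiguous wildcard
    return action, ip_network(f"{addr}/{prefix}", strict=False)


class BasicAcl:
    def __init__(self, number, rules):
        self.number, self.rules = number, rules   # rules are checked in order

    def permits(self, src):
        src = ip_address(src)
        for action, net in self.rules:
            if src in net:
                return action == "permit"
        return False   # no rule matched: the text says such broadcasts are dropped


class Switch:
    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = {n: ip_interface(a) for n, a in interfaces.items()}
        self.receive_enabled = False   # global 'ip forward-broadcast'
        self.forward_acl = {}          # iface -> ACL or None: 'ip forward-broadcast [acl N]'

    def directed_broadcast_iface(self, dst):
        """Interface whose subnet has dst as its directed broadcast address,
        or None when dst is not a directed broadcast for this switch."""
        d = ip_address(dst)
        for name, itf in self.interfaces.items():
            if d == itf.network.broadcast_address:
                return name
        return None

    def handle(self, src, dst):
        """Return (respond, forward): does the switch answer the broadcast
        itself, and does it forward it onto the destination segment?"""
        out = self.directed_broadcast_iface(dst)
        if out is None or not self.receive_enabled:
            return (False, False)
        forward = False
        if out in self.forward_acl:
            acl = self.forward_acl[out]
            forward = acl is None or acl.permits(src)
        return (True, forward)


def switch_a():
    """Switch A as configured in the procedure above."""
    sw = Switch("Switch A", {"Vlan-interface1": "1.1.1.2/24",
                             "Vlan-interface2": "2.2.2.1/24"})
    sw.receive_enabled = True                                   # ip forward-broadcast
    acl2000 = BasicAcl(2000, [
        acl_rule("permit", "1.1.1.1", "0.0.0.0"),               # rule permit source 1.1.1.1 0
        acl_rule("deny", "0.0.0.0", "255.255.255.255")])        # rule deny source any
    sw.forward_acl["Vlan-interface2"] = acl2000                 # ip forward-broadcast acl 2000
    return sw


def switch_b():
    """Switch B: receiving enabled, nothing to forward to."""
    sw = Switch("Switch B", {"Vlan-interface2": "2.2.2.2/24"})
    sw.receive_enabled = True                                   # ip forward-broadcast
    return sw
```

A Switch left at its defaults (receive_enabled False) returns (False, False) for every directed broadcast, which is the factory behaviour the section describes; the ACL is what confines the forwarded amplification to a single known source.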
Displaying and maintaining IP performance
After finishing the configuration, run the display command in any view to display the
running status and configuration effect of the IP performance.
In user view, you can run the reset command to clear statistics of IP, TCP and UDP
flows.
Go to these sections for information about IP routing that you are interested in:
■ IP Routing and Routing Table
■ Routing Protocol Overview
■ Displaying and Maintaining a Routing Table
A router in this chapter refers to a generic router or a Layer 3 switch running routing
protocols. To improve readability, this will not be described in the present manual again.
IP Routing and Routing Table
Routing
Routing in the Internet is achieved through routers. Upon receiving a packet, a router
identifies an optimal route based on the destination address and forwards the packet to
the next router in the path until the packet reaches the last router, which forwards the
packet to the intended destination host.
■ Direct routes: Routes discovered by data link protocols, also known as interface
routes.
■ Static routes: Routes that are manually configured.
■ Dynamic routes: Routes that are discovered dynamically by routing protocols.
■ Outbound interface: Specifies the interface through which the IP packets are to be
forwarded.
■ IP address of the next hop: Specifies the address of the next router on the route. If
only the outbound interface is configured, its address will be the IP address of the
next hop.
■ Priority for the route: Multiple routes may exist to the same destination, each of
which has a different next hop and may be generated by various routing protocols or
be manually configured. The optimal route is the one with the highest priority (with
the smallest metric).
Based on whether the destination is directly connected to a given router, routes can be
divided into:
To prevent the routing table from getting too large, you can configure a default route. All
packets with no matching entry in the routing table will be forwarded through the
default route.
In Figure 64, the IP address on each cloud represents the address of the network. Router
R8 resides in three networks and therefore has three IP addresses for its three physical
interfaces. Its routing table is shown on the right of the network topology.
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires less system resources. It works well in
small, stable networks with simple topologies. Its major drawback is that you must
perform routing configuration again whenever the network topology changes; it cannot
adjust to network changes by itself.
Dynamic routing, on the other hand, is based on dynamic routing protocols, which can
detect network topology changes and recalculate the routes accordingly. Therefore,
dynamic routing is suitable for large networks. Its disadvantages are that it is complicated
to configure, and that it not only imposes higher requirements on the system, but also
eats away a certain amount of network resources.
Classification of Dynamic Routing Protocols
Dynamic routing protocols can be classified based on the following standards:
Operational scope
■ Interior gateway protocols (IGPs): Work within an autonomous system; typical
examples are RIP, OSPF, and IS-IS.
■ Exterior gateway protocols (EGPs): Work between autonomous systems. The most
popular one is BGP.
An autonomous system refers to a group of routers that share the same routing policy
and work under the same administration.
Routing algorithm
■ Distance-vector protocols: Include mainly RIP and BGP. BGP is also considered a
path-vector protocol.
■ Link-state protocols: Include mainly OSPF and IS-IS.
The main differences between the above two types of routing algorithms lie in the way
routes are discovered and calculated.
This chapter focuses on unicast routing protocols. For information on multicast routing
protocols, refer to “Multicast Configuration”.
Routing Protocols and Routing Priority
Different routing protocols may find different routes to the same destination. However,
not all of those routes are optimal. In fact, at a particular moment, only one protocol can
uniquely determine the current optimal route to the destination. For the purpose of
route selection, every route (including static routes) is assigned a priority according to its
origin. The route with the highest priority is preferred.
230 CHAPTER 22: IP ROUTING OVERVIEW
The following table lists some routing protocols and the default priorities for routes
found by them:
A given routing protocol may find several routes with the same metric to the same
destination, and if this protocol has the highest priority among all the active protocols,
all of its routes are regarded as valid current routes. This realizes load balancing of
network traffic.
In current implementations, the routing protocols supporting load balancing are RIP, OSPF,
and IS-IS. In addition, load balancing is also supported for static routes.
Route backup
Route backup can help in improving network reliability. With route backup, you can
configure multiple routes to the same destination, expecting the one with the highest
priority to be the main route and all the rest to be backup routes.
Under normal circumstances, packets are forwarded through the main route. When the
main route goes down, the route with the highest priority among the backup routes is
selected to forward packets. When the main route recovers, the route selection process is
performed again and the main route is selected again to forward packets.
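Route selection as described in this chapter (longest prefix match, then priority, then metric, with equal-cost routes kept for load balancing and the best remaining route taking over when the main route goes down), as an added example that is not Comware code. The preference numbers (OSPF 10, static 60, RIP 100) and all addresses are illustrative assumptions; the manual's own priority table is not reproduced on this page.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dest: str         # e.g. "10.1.0.0/16"; "0.0.0.0/0" is the default route
    next_hop: str
    protocol: str
    preference: int   # smaller number = higher priority (illustrative values)
    metric: int
    up: bool = True   # False while the next hop is unreachable


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def active_routes(self, dest):
        """Routes to dest that win selection: the lowest preference (highest
        priority) protocol wins; within it every route with the lowest metric
        is kept, which is what produces load balancing."""
        cands = [r for r in self.routes if r.dest == dest and r.up]
        if not cands:
            return []
        best_pref = min(r.preference for r in cands)
        cands = [r for r in cands if r.preference == best_pref]
        best_metric = min(r.metric for r in cands)
        return [r for r in cands if r.metric == best_metric]

    def lookup(self, addr):
        """Longest-prefix match; the default route is used only when no other
        entry matches.  Returns the sorted list of next hops (the ECMP set)."""
        a = ip_address(addr)
        dests = {r.dest for r in self.routes if r.up and a in ip_network(r.dest)}
        if not dests:
            return []
        longest = max(dests, key=lambda d: ip_network(d).prefixlen)
        return sorted(r.next_hop for r in self.active_routes(longest))

    def set_next_hop_state(self, next_hop, up):
        """Mark every route through next_hop up or down (link failure/recovery)."""
        self.routes = [replace(r, up=up) if r.next_hop == next_hop else r
                       for r in self.routes]


def sample_table():
    """Constructed example table (not from the manual)."""
    return RoutingTable([
        Route("10.1.0.0/16", "192.168.1.2", "ospf", 10, 20),
        Route("10.1.0.0/16", "192.168.1.3", "ospf", 10, 20),    # equal-cost twin
        Route("10.1.0.0/16", "192.168.1.4", "rip", 100, 3),     # lower priority: backup
        Route("10.1.1.0/24", "192.168.1.5", "static", 60, 0),   # more specific prefix
        Route("0.0.0.0/0", "192.168.1.1", "static", 60, 0),     # default route
    ])
```

Note that the RIP route has the smallest metric of the three /16 entries yet is never used while an OSPF route is up: priority is compared before metric, so metrics are only comparable within one protocol.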
Sharing of Routing Information
As different routing protocols use different algorithms to calculate routes, they may find
different routes. In a large network with multiple routing protocols, routing protocols
must share their routing information. Each routing protocol has its own route
redistribution mechanism. For detailed information, refer to “IP Routing Configuration”.
Displaying and Maintaining a Routing Table
Table 161 Displaying and Maintaining a Routing Table
(To do…: use the command…; remarks give the view in which the command is available)
■ Display summary information about the active routes in the routing table:
display ip routing-table (available in any view)
■ Display detailed information about the specified routes in the routing table:
display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ] [ | { begin | exclude | include } regular-expression ] (available in any view)
■ Display information about routes to the specified destination:
display ip routing-table ip-address [ mask-length | mask ] [ longer-match ] [ verbose ] (available in any view)
■ Display information about routes with destination addresses in the specified range:
display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask } [ verbose ] (available in any view)
■ Display information about routes permitted by a specified basic ACL:
display ip routing-table acl acl-number [ verbose ] (available in any view)
■ Display information about routes selected by a specified prefix list:
display ip routing-table ip-prefix ip-prefix-name [ verbose ] (available in any view)
■ Display protocol specific routes:
display ip routing-table protocol protocol [ inactive | verbose ] (available in any view)
■ Display statistics about the routing table:
display ip routing-table statistics (available in any view)
■ Clear statistics for the routing table:
reset ip routing-table statistics protocol { all | protocol } (available in user view)
23 STATIC ROUTING CONFIGURATION
A router in this chapter refers to a generic router or a Layer 3 switch running routing
protocols. To improve readability, this will not be described in the present manual again.
Introduction
Static Routing
A static route is a special route that is manually configured by the network administrator.
If a network is relatively simple, you only need to configure static routes for the network
to work normally. The proper configuration and usage of static routes can improve a
network’s performance and ensure bandwidth for important network applications.
The disadvantage of static routing is that, if a fault or a topological change occurs to the
network, the route will be unreachable and the network breaks. In this case, the network
administrator has to modify the configuration manually.
Default Routes
A default route is another special route generated from a static route or some dynamic
routes, such as OSPF and IS-IS.
Generally, a router selects the default route only when it cannot find any matching entry
in the routing table. In a routing table, the default route is in the form of the route to the
network 0.0.0.0 (with the mask 0.0.0.0). You can check whether a default route has
been configured by running the display ip routing-table command.
If the destination address of a packet fails to match any entry in the routing table, the
router selects the default route to forward the packet. If there is no default route and the
destination address of the packet is not in the routing table, the packet will be discarded
and an ICMP packet is sent to the source reporting that the destination or the network is
unreachable.
In the ip route-static command, the IPv4 address is in dotted decimal format and
the mask can be in either dotted decimal format or the mask length (the digits of
consecutive 1s in the mask).
While configuring static routes, you can specify either the output interface or the next hop
address. Whether you should specify the output interface or the next hop address
depends on the situation.
234 CHAPTER 23: STATIC ROUTING CONFIGURATION
In fact, every route entry must specify a next hop address. When forwarding a packet, the
device searches the routing table for the packet’s destination address to find the
matching route. Only after the next hop address is determined can the corresponding
link-layer address be found for the link layer to forward the packet.
3 Other attributes
You can configure different preferences for different static routes to implement routing
management policies easily. For example, while configuring multiple routes to the same
destination, using identical preferences allows for load sharing, while using different
preferences allows for route backup.
Configuring Static Route
Configuration Prerequisites
Before configuring a static route, you need to finish the following tasks:
■ Configuring the physical parameters for the related interfaces
■ Configuring the link-layer attributes for the related interfaces
■ Configuring the IP addresses for the related interfaces
■ When you configure a static route without specifying a preference, the default
preference is used. After you change the default preference, the new value applies only
to static routes created afterwards.
■ The description text describes the usage and function of specific routes, which makes it
easy for you to classify and manage different static routes.
■ You can easily control the routes by using the tag in a routing policy.
Displaying and Maintaining Static Routes
After the configuration, you can run the display command in any view to display the
running status and configuration effect of the static route configuration.
You can use the delete command in system view to delete all the configured static routes.
(Operation: command)
■ Display the current configuration: display current-configuration
■ Display the summary of the IP routing table: display ip routing-table
■ Display the details of the IP routing table: display ip routing-table verbose
■ Display the information of static routes: display ip routing-table protocol static [ inactive | verbose ]
■ Delete all static routes: delete static-routes all
You can use the undo ip route-static command in system view to delete a static route,
and use the delete static-routes all command in system view to delete all the configured
static routes (including the manually configured default IPv4 routes) at the same time.
Network diagram
(Figure not reproduced; the only address recoverable from it is PC2 1.1.2.2/24.)
Configuration procedure
1 Configuring the interfaces’ IP addresses
Omitted.
The default gateways for the three hosts PC1, PC2 and PC3 are configured as 1.1.1.1,
1.1.2.1 and 1.1.3.1 respectively.
The term "router" in this document refers to a router in a generic sense or a Layer 3
switch. To improve readability, this will not be described in the present manual again.
RIP Overview
RIP is a simple Interior Gateway Protocol (IGP), which is mainly used in small-size
networks, such as academic networks and simply structured LANs.
RIP is still widely used in practical networking due to its simple implementation, and
easier configuration and maintenance than OSPF and IS-IS.
RIP uses a routing metric (hop count) to measure the distance to the destination. The
hop count from a router to its directly connected network is 0; networks reachable
through one other router are one hop away, and so on. To reduce the convergence time,
RIP limits the metric value to the range 0 to 15. A value equal to or larger than 16 is
considered infinity, which means the destination network is unreachable. That is why RIP
cannot be used in large-scale networks.
RIP prevents routing loops by implementing Split Horizon and Poison Reverse functions.
RIP timers
RIP uses four timers to control its operation. They are Update, Timeout, Suppress, and
Garbage-Collect.
■ Update timer triggers sending new update messages periodically.
240 CHAPTER 24: RIP CONFIGURATION
In RIP, the routing table on each router is updated upon receipt of RIP messages
periodically advertised by neighboring routers. The aged routes are deleted to make sure
routes are always valid. The procedure is as follows: RIP periodically advertises the local
routing table to neighboring routers, which update their local routes upon receipt of the
packets. This procedure repeats on all RIP-enabled routers.
■ Counting to infinity. The metric value of 16 is defined as infinity. When a routing loop
occurs, the route is considered unreachable when the metric value reaches 16.
■ Split Horizon. The router does not send routes back out the interface on which it
learned them. Split Horizon prevents routing loops and saves bandwidth.
■ Poison Reverse. The router does send routes back out the interface on which it learned
them, but with a metric value of 16 (meaning infinite). This removes useless routes from
the routing tables of neighboring routers.
■ Triggered Updates. Each router sends out its new routing table as soon as it receives
an update, rather than waiting until the usual update period expires. This speeds up
network convergence.
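The loop-prevention mechanisms just listed, carried through on two routers as an added example (not Comware code): a Bellman-Ford update capped at 16, an advertisement generator that applies split horizon with or without poison reverse, and a withdrawal that shows the poisoned metric propagating instead of counting up. Router names, interface names and networks are constructed for the illustration.

```python
INFINITY = 16   # RIP metric that means "unreachable"


class RipRouter:
    """Minimal distance-vector router. table: dest -> (metric, next_hop, iface);
    next_hop is None for directly connected networks (hop count 0)."""

    def __init__(self, name, connected):
        self.name = name
        self.table = {net: (0, None, iface) for iface, net in connected.items()}

    def advertise(self, out_iface, poison_reverse=True):
        """Routes sent on out_iface.  Split horizon withholds routes learned
        on that interface; with poison reverse they are sent with metric 16."""
        adv = {}
        for dest, (metric, next_hop, iface) in self.table.items():
            if next_hop is not None and iface == out_iface:
                if poison_reverse:
                    adv[dest] = INFINITY
                continue
            adv[dest] = metric
        return adv

    def receive(self, in_iface, neighbor, adv):
        """Bellman-Ford update on a received advertisement.  Returns True if the
        table changed (a triggered update would then be sent)."""
        changed = False
        for dest, metric in adv.items():
            new = (min(metric + 1, INFINITY), neighbor, in_iface)
            cur = self.table.get(dest)
            if cur is None:
                accept = new[0] < INFINITY
            else:
                # An update from the current next hop is always taken (so a
                # poisoned route becomes unreachable here too); from anyone
                # else only if it is strictly better.
                accept = (cur[1] == neighbor and new != cur) or new[0] < cur[0]
            if accept:
                self.table[dest] = new
                changed = True
        return changed

    def withdraw(self, dest):
        """A connected network went down: mark it unreachable so the next
        advertisement carries metric 16 rather than a slowly rising count."""
        metric, next_hop, iface = self.table[dest]
        self.table[dest] = (INFINITY, next_hop, iface)

    def reachable(self, dest):
        return dest in self.table and self.table[dest][0] < INFINITY
```

Compare advertise("eth1") with advertise("eth1", poison_reverse=False) on router B after it has learned 10.0.0.0/8 from A: plain split horizon simply omits the route, poison reverse sends it back with metric 16 so that A can never be tricked into routing 10.0.0.0/8 via B.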
RIP-2 is a Classless Routing Protocol. Compared with RIP-1, RIP-2 has the following
advantages.
■ Supports Route Tag. The Route Tag is intended to differentiate the internal RIP routes
from the external RIP routes.
■ Supports masks, route summarization and CIDR (Classless Inter-Domain Routing).
■ Supports next hop, which must be directly reachable on the broadcast network.
■ Supports multicasting to reduce unnecessary load on hosts that do not need to listen
to RIP-2 messages.
■ Supports authentication to enhance security. Plain text authentication and MD5
(Message Digest 5) are two authentication methods.
RIP-2 authentication
RIP-2 supports plain text authentication, which uses the first route entry for
authentication. An address family value of 0xFFFF indicates that the entry carries
authentication information rather than routing information. See Figure 68.
RFC 1723 only defines plain text authentication. For information about MD5
authentication, see RFC 2082 “RIP-2 MD5 Authentication”.
RIP Features Supported
Currently, Comware 5.0 supports the following RIP features:
■ RIP-1
■ RIP-2
RIP Basic Configuration
In this section, you are presented with the information needed to configure the basic RIP
features.
Configuration Prerequisites
Before configuring RIP features, first configure an IP address on each interface and
make sure all routers are reachable.
■ If you perform some RIP configurations in interface view before enabling RIP, those
configurations take effect after RIP is enabled.
■ The router does not send, receive or forward any routing information if you do not
enable RIP on that network.
■ You can enable RIP on all interfaces of the network by using the network 0.0.0.0
command.
Stopping routing updates means that the router receives routing updates without
forwarding them.
If the RIP version specified on the interface and the global RIP version are inconsistent,
the RIP version specified on the interface is used.
If no RIP version is specified on the interface, the global RIP version is used.
RIP Route Control
In some complex network environments, you need to make the RIP configuration more
precise.
Before configuring RIP routing information, finish the following tasks first:
■ Configure an IP address on each interface, and make sure all routers are reachable.
■ Configure basic RIP functions.
The rip metricout command applies only to the router’s own routes and those learned by
RIP; it does not apply to routes imported from other routing protocols.
RIP-1 does not support route summarization. So when RIP-2 is running, you need to
disable the route summarization function if you want to advertise all subnet routes.
Redistributing routes
Follow these steps to import exterior routes:
Table 173 Redistributing routes
When advertising routing information, you can set the protocol parameter to filter the
routing information imported from other protocols. If the protocol parameter is not set,
all routing information, including RIP routes (directly connected routes) and imported
routes, is advertised.
RIP Configuration Optimization
In special network environments, you need to configure some other RIP features to
optimize the network performance.
When configuring the values of RIP timers, you should take network performance into
consideration and perform consistent configuration on all routers running RIP to avoid
unnecessary network traffic and network route oscillation.
■ Some fields in a RIP-1 message must be zero; they are called zero fields. A RIP-1
message is not processed if the value in a zero field is not zero. As a RIP-2 packet
has no zero fields, this configuration is invalid for RIP-2.
■ The RIP router checks the source address when receiving messages. For messages
received on an Ethernet interface, if the source address and the router’s interface
address are not in the same network, the router discards the message.
■ Disable the source address validation when RIP is not running on the neighboring
routers.
In plain text authentication, the authentication information is sent in clear text with
the RIP message, so it cannot provide a high security guarantee.
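A parser and the receive-side checks discussed in this section and in "RIP-2 authentication" above (the 0xFFFF authentication entry, the RIP-1 zero-field check and source address validation), as an added example that is not Comware code. The message layout follows RFC 2453 and RFC 1723, with the MD5 type code from RFC 2082; the sample message, password and addresses are constructed here. visible_password shows why plain text authentication gives little assurance: the secret is readable by anyone who captures the segment.

```python
import struct
from ipaddress import ip_address, ip_interface

AF_INET = 2
AUTH_AFI = 0xFFFF              # address family value marking an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3   # RFC 1723 plain text, RFC 2082 MD5
INFINITY = 16


def build_rip2_response(password, routes):
    """Constructed RIP-2 response: header, plain-text auth entry, then routes
    given as (prefix, metric).  Sample input only."""
    msg = struct.pack("!BBH", 2, 2, 0)                  # command=response, version=2, zero
    msg += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE,
                       password.encode().ljust(16, b"\0"))
    for prefix, metric in routes:
        itf = ip_interface(prefix)
        msg += struct.pack("!HH4s4s4sI", AF_INET, 0,
                           itf.network.network_address.packed,
                           itf.netmask.packed, b"\0" * 4, metric)
    return msg


def parse_rip(msg):
    """Split a RIP message into header fields, the optional authentication
    entry (first entry, AFI 0xFFFF) and the route entries."""
    command, version, zero = struct.unpack_from("!BBH", msg, 0)
    auth, routes, off = None, [], 4
    while off + 20 <= len(msg):
        afi = struct.unpack_from("!H", msg, off)[0]
        if afi == AUTH_AFI and off == 4:
            auth_type, data = struct.unpack_from("!H16s", msg, off + 2)
            auth = (auth_type, data)
        else:
            afi, tag, ip, mask, nh, metric = struct.unpack_from("!HH4s4s4sI", msg, off)
            routes.append({"afi": afi, "tag": tag, "ip": str(ip_address(ip)),
                           "mask": str(ip_address(mask)),
                           "next_hop": str(ip_address(nh)), "metric": metric})
        off += 20
    return {"command": command, "version": version, "zero": zero,
            "auth": auth, "routes": routes}


def visible_password(msg):
    """What a capture on the segment reveals: the plain-text password itself."""
    auth = parse_rip(msg)["auth"]
    if auth and auth[0] == AUTH_SIMPLE:
        return auth[1].rstrip(b"\0").decode()
    return None


def validate(msg, src_ip, iface_addr, password=None, check_source=True):
    """Receive-side checks; returns the reasons to discard (empty = accept)."""
    p, reasons = parse_rip(msg), []
    # Zero-field check applies to RIP-1 only (RIP-2 has no zero fields).
    if p["version"] == 1 and (p["zero"] != 0 or any(
            r["tag"] or r["mask"] != "0.0.0.0" or r["next_hop"] != "0.0.0.0"
            for r in p["routes"])):
        reasons.append("non-zero value in a must-be-zero field")
    # Source address validation: sender must be on the receiving interface's network.
    if check_source and ip_address(src_ip) not in ip_interface(iface_addr).network:
        reasons.append("source address not on the interface network")
    if password is not None:
        a = p["auth"]
        if a is None or a[0] != AUTH_SIMPLE or a[1].rstrip(b"\0") != password.encode():
            reasons.append("authentication failed")
    if any(not 1 <= r["metric"] <= INFINITY for r in p["routes"]):
        reasons.append("metric out of range")
    return reasons
```

Passing check_source=False corresponds to disabling source address validation as the third bullet describes; the test below shows that doing so is the only thing that lets an off-subnet sender's update through.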
Displaying and Maintaining RIP
Table 179 Displaying and Maintaining RIP
(Operation: command; the description gives the view in which the command is available)
■ Display RIP current status and configuration information: display rip [ process-id ] (available in any view)
■ Display RIP database: display rip process-id database (available in any view)
■ Display RIP interface information: display rip process-id interface [ interface-type interface-number ] (available in any view)
■ Display active and inactive RIP routes: display rip process-id route (available in any view)
■ Display RIP routing table: display rip process-id route [ statistics | ip-address mask | peer ip-address ] (available in any view)
■ Clear statistics maintained by certain RIP processes: reset rip process-id statistics (available in user view)
RIP Configuration Example
Network diagram
(Figure not reproduced; the addresses shown in it are:)
Switch A: Vlan-interface100 192.168.1.1/24 on GE 1/0/1; Loopback0 172.16.1.1/32
(network 172.16.1.1/24); Loopback1 172.17.1.1/32 (network 172.17.1.1/24).
Switch B: Vlan-interface100 192.168.1.2/24 on GE 1/0/1; Loopback0 10.1.1.1/32
(network 10.1.1.1/24); Loopback1 10.2.1.1/32 (network 10.2.1.1/24).
Configuration procedure
1 Configure IP address for each interface (only the VLAN configuration procedures are
given in the following examples)
a Configure Switch A.
<Switch A> system-view
[Switch A] vlan 100
[Switch A-vlan100] quit
[Switch A] interface GigabitEthernet 1/0/1
[Switch A-GigabitEthernet1/0/1] port access vlan 100
[Switch A-GigabitEthernet1/0/1] quit
[Switch A] interface vlan-interface 100
[Switch A-Vlan-interface100] ip address 192.168.1.1 24
b Configure Switch B.
<Switch B> system-view
[Switch B] vlan 100
[Switch B-vlan100] quit
[Switch B] interface GigabitEthernet 1/0/1
[Switch B-GigabitEthernet1/0/1] port access vlan 100
[Switch B-GigabitEthernet1/0/1] quit
[Switch B] interface vlan-interface 100
[Switch B-Vlan-interface100] ip address 192.168.1.2 24
2 Configure basic RIP function
a Configure Switch A.
<Switch A> system-view
[Switch A] rip
[Switch A-rip-1] network 192.168.1.0
[Switch A-rip-1] network 172.16.0.0
[Switch A-rip-1] network 172.17.0.0
b Configure Switch B.
<Switch B> system-view
[Switch B] rip
[Switch B-rip-1] network 192.168.1.0
[Switch B-rip-1] network 10.0.0.0
From the routing table, you can see that RIP-2 uses classless subnet masks.
Due to the long aging time of routing information, RIP-1 routes can remain in the
routing table after RIP-2 is configured.
Troubleshooting RIP Configuration
Symptom 1: The device cannot get any RIP update messages although all connections are
alive.
Analysis: After enabling RIP, make sure you use the network command to enable the
corresponding interfaces. If the interface behavior is configured, make sure you do not
disable the interface or forbid receiving and forwarding RIP messages.
If RIP messages are multicast on the other end of the link, multicast should be used on
the local router as well.
Symptom 2: With all connections alive, route flapping happens, which means that
sometimes you cannot see some of the routes in the routing table.
Analysis: In the RIP network, make sure all timers within the whole network are set to
coordinate with each other. For example, the timeout value should be greater than the
update value.
Solution:
■ Use the display rip command to check the configuration of RIP timers.
■ Use the timers command to adjust timers where appropriate.
25 ROUTING POLICY CONFIGURATION
A routing policy is used on the router for route inspection, filtering and attribute
modification when routes are received, advertised, or redistributed.
When configuring routing policy, go to these sections for information you are interested
in:
The term router in this document refers to a router in a generic sense or a Layer 3 switch.
To improve readability, this will not be described in the present manual again.
Introduction to Routing Policy
Routing Policy and Policy Routing
By modifying route attributes (including reachability), routing policy is adopted to change
routing paths for network traffic.
When distributing or receiving routing information, a router can apply some policy to
filter routing information, for example, a router handles only routing information that
matches some rules, or a routing protocol redistributes from other protocols only routes
matching some rules and modifies some attributes of these routes to satisfy its needs.
To implement routing policy, first define the features of routing information, namely, a
set of matching rules. You can make definitions according to attributes in routing
information, such as the destination address or the advertising router’s address. The
matching rules can be set beforehand and then applied to a routing policy for route
distribution, reception and redistribution.
Filters
Routing protocols can use three filters: ACL, IP prefix list and route policy.
ACL
When defining an ACL, you can specify IP addresses and subnet segments for matching
destinations or next hops of routing information.
256 CHAPTER 25: ROUTING POLICY CONFIGURATION
IP prefix list
IP-prefix list plays a role similar to ACL, but it is more flexible than ACL and easier to
understand. When IP-prefix list is applied for routing information filtering, its matching
object is the destination address information field of routing information. Moreover, you
can specify the gateway option to specify that only routing information advertised by
certain routers will be received.
An IP-prefix list is identified by the IP-prefix list name. Each IP-prefix list can comprise
multiple items, and each item, which is identified by an index number, can specify a
matching range in network prefix format. The index number indicates the matching
sequence in the IP-prefix list.
During matching, a router checks list items identified by index number in ascending
order. If an item is matched, the IP-prefix list filtering is passed, without the need of
matching the next item.
Routing policy
A routing policy is used for matching some attributes in given routing information and
modifying the attributes of the information if matching conditions are satisfied. A
routing policy can utilize the above filters to define its own matching rules.
A routing policy can comprise multiple nodes, which are in logic OR relationship. Each
node is a matching unit, and the system checks nodes in the order of node sequence
number. Once the matching test of a node is passed, the route-policy is passed without
needing to match other nodes.
Each node comprises a set of if-match and apply clauses. The if-match clauses define
the matching rules; the matching objects are attributes of routing information. The
different if-match clauses on the same node are in a logical AND relationship: only when
the matching conditions specified by all the if-match clauses on a node are satisfied can
routing information pass the matching test of the node. The apply clauses specify the
actions performed after the node matching test is passed, concerning the attribute settings
for the routing information.
Defining Filtering Lists
Defining IPv4 Prefix List
Identified by name, each IPv4 prefix list can comprise multiple items. Each item specifies a
matching address range in the form of a network prefix and is identified by an index
number. For example, the following IPv4 prefix list is named abcd:
ip ip-prefix abcd index 10 permit 1.0.0.0 8
ip ip-prefix abcd index 20 permit 2.0.0.0 8
During matching, the system checks list items identified by index number in
ascending order. If one item is matched, IP-prefix list filtering is passed, without needing to
match other items.
If all items are set to the deny mode, no route can pass the IPv4 prefix list. In order to
allow other IPv4 routing information to pass, define the permit 0.0.0.0 0 less-equal 32
item following the multiple deny mode items.
If more than one ip-prefix item is defined, the match mode of at least one item should be
the permit mode.
Configuring a Routing Policy
A routing policy is used to match attributes in given routing information, and modify some
attributes of the routing information after the rules are satisfied. Matching rules can be
configured using the filters mentioned above.
■ if-match clauses: define the matching rules routing information must satisfy. The
matching objects are some attributes of routing information.
■ apply clauses: specify the actions performed after the specified matching rules are
satisfied, concerning attribute settings for the passed routing information.
■ If a node is specified as permit mode using permit, routing information meeting the
node’s conditions is handled using the apply clauses of this node, without
needing to match the next node. If routing information does not meet the node’s
conditions, it goes to the next node for matching.
■ If a node is specified as deny mode using deny, the apply clauses of the node are not
executed. When routing information meets all if-match clauses, it cannot pass the
node, nor can it go to the next node. If routing information cannot meet some
if-match clause of the node, it goes to the next node for matching.
■ When a routing policy is defined with more than one node, at least one node should be
configured using the permit keyword. If the routing policy is applied for filtering
routing information, routing information that does not meet any node’s conditions
cannot pass the routing policy. If all nodes of the routing policy are set using the
deny keyword, no routing information can pass it.
Defining if-match Clauses for the Routing Policy
To define if-match clauses for a route-policy, use the following commands:
Table 182 Defining if-match Clauses for the Routing Policy
■ The if-match clauses of a route-policy are in a logical AND relationship, that is, routing information has to satisfy all if-match clauses before the apply clauses are executed.
■ If no if-match clause is specified, all routing information can pass the node.
■ You can specify no if-match clause or multiple if-match clauses for a node.
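The prefix-list matching rules (first matching index decides, all-deny lists pass nothing without a catch-all permit item) and the route-policy node rules above (permit/deny nodes, ANDed if-match clauses, fall-through to the next node), worked through in an added Python evaluator that is not part of the 3Com guide. The class names, the sample lists and the route dictionary shape are constructed for illustration, and the mask-length range for greater-equal alone is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Callable, Dict, List, Optional, Union


@dataclass
class PrefixItem:
    """One 'ip ip-prefix NAME index N permit|deny ADDR LEN [greater-equal G] [less-equal L]' item."""
    index: int
    permit: bool
    prefix: IPv4Network
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: IPv4Network) -> bool:
        # Mask-length range: exactly LEN unless widened.  Assumed: greater-equal alone means
        # [G, 32], less-equal alone means [LEN, L], both together mean [G, L].
        low = self.greater_equal if self.greater_equal is not None else self.prefix.prefixlen
        if self.less_equal is not None:
            high = self.less_equal
        else:
            high = 32 if self.greater_equal is not None else self.prefix.prefixlen
        return route.network_address in self.prefix and low <= route.prefixlen <= high


def prefix_list_permits(items: List[PrefixItem], route: Union[str, IPv4Network]) -> bool:
    """Items are checked in ascending index order and the first matching item decides.
    A route matching no item is denied, so an all-deny list passes nothing unless a
    'permit 0.0.0.0 0 less-equal 32' item follows the deny items."""
    net = route if isinstance(route, IPv4Network) else IPv4Network(route)
    for item in sorted(items, key=lambda i: i.index):
        if item.matches(net):
            return item.permit
    return False


Route = Dict[str, object]   # constructed shape: {"prefix": IPv4Network, "cost": int, "tag": int}


@dataclass
class PolicyNode:
    """One 'route-policy NAME permit|deny node N' with its if-match and apply clauses."""
    index: int
    permit: bool
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)
    apply: List[Callable[[Route], None]] = field(default_factory=list)


def evaluate_route_policy(nodes: List[PolicyNode], route: Route) -> Optional[Route]:
    """Returns the (possibly modified) route if it passes the policy, else None."""
    r = dict(route)
    for node in sorted(nodes, key=lambda n: n.index):
        # if-match clauses are ANDed; a node with no if-match clause matches everything.
        matched = all(clause(r) for clause in node.if_match)
        if matched and node.permit:
            for action in node.apply:   # apply clauses run only on a matched permit node
                action(r)
            return r                    # no need to look at later nodes
        if matched:
            return None                 # matched a deny node: cannot pass, no further nodes
        # not matched: fall through to the next node
    return None                         # met no node's conditions: cannot pass


def apply_cost(value: int) -> Callable[[Route], None]:
    """'apply cost VALUE' clause."""
    def action(r: Route) -> None:
        r["cost"] = value
    return action


def make_route(prefix: str, cost: int = 1, tag: int = 0) -> Route:
    return {"prefix": IPv4Network(prefix), "cost": cost, "tag": tag}


# Constructed sample data.
ABCD = [                                             # ip ip-prefix abcd index 10 deny 1.0.0.0 8
    PrefixItem(10, False, IPv4Network("1.0.0.0/8")),
    PrefixItem(20, True, IPv4Network("2.0.0.0/8")),  # the item shown in the guide
]
DENY_30_WITH_CATCH_ALL = [                           # all-deny list rescued by the catch-all item
    PrefixItem(10, False, IPv4Network("30.0.0.0/8")),
    PrefixItem(20, True, IPv4Network("0.0.0.0/0"), less_equal=32),
]
SAMPLE_POLICY = [
    PolicyNode(10, True, [lambda r: prefix_list_permits(ABCD, r["prefix"])], [apply_cost(100)]),
    PolicyNode(20, False, [lambda r: r["tag"] == 99]),
    PolicyNode(30, True),                            # no if-match clause: everything else passes
]
ALL_DENY_POLICY = [PolicyNode(10, False), PolicyNode(20, False)]

if __name__ == "__main__":
    print(prefix_list_permits(ABCD, "2.0.0.0/8"))                       # True
    print(prefix_list_permits(DENY_30_WITH_CATCH_ALL, "30.0.0.0/8"))    # False
    print(evaluate_route_policy(SAMPLE_POLICY, make_route("2.0.0.0/8", tag=99)))  # cost 100, node 10
    print(evaluate_route_policy(SAMPLE_POLICY, make_route("5.0.0.0/8", tag=99)))  # None, node 20
    print(evaluate_route_policy(ALL_DENY_POLICY, make_route("2.0.0.0/8")))        # None
```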
Defining apply Clauses for the Routing Policy
To define apply clauses for a route-policy, use the following commands:
Table 183 Defining apply Clauses for the Routing Policy
Displaying and Maintaining the Routing Policy
Table 184 Displaying and Maintaining the Routing Policy
Operation: Display IPv4 prefix list statistics
Command: display ip ip-prefix [ ip-prefix-name ]
Description: Available in all views
Operation: Display routing policy information
Command: display route-policy [ route-policy-name ]
Description: Available in all views
Operation: Clear IPv4 prefix list statistics
Command: reset ip ip-prefix [ ip-prefix-name ]
Description: Available in user view
Routing Policy Configuration Example
Network diagram
Figure (network diagram): Switch A (Vlan-interface100 10.0.0.1/8, Vlan-interface200 12.0.0.1/8) connects through Vlan-interface100 to Switch B (Vlan-interface100 10.0.0.2/8); Switch A holds static routes to 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8.
Configuration procedure
1 Configure Switch A.
a Configure IP addresses for interfaces.
<Switch A> system-view
[Switch A] interface vlan-interface 100
[Switch A-Vlan-interface100] ip address 10.0.0.1 255.0.0.0
[Switch A-Vlan-interface100] quit
[Switch A] interface vlan-interface 200
[Switch A-Vlan-interface200] ip address 12.0.0.1 255.0.0.0
[Switch A-Vlan-interface200] quit
b Configure three static routes.
[Switch A] ip route-static 20.0.0.1 255.0.0.0 12.0.0.2
[Switch A] ip route-static 30.0.0.1 255.0.0.0 12.0.0.2
[Switch A] ip route-static 40.0.0.1 255.0.0.0 12.0.0.2
c Enable RIP.
[Switch A] rip
[Switch A-rip-1] network 10.0.0.0
[Switch A-rip-1] quit
d Configure an ACL.
[Switch A] acl number 2000
[Switch A-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255
[Switch A-acl-basic-2000] rule permit source any
[Switch A-acl-basic-2000] quit
e Configure a routing policy.
[Switch A] route-policy rip permit node 10
[Switch A-route-policy] if-match acl 2000
[Switch A-route-policy] quit
f Apply the routing policy for static route redistribution.
[Switch A] rip
[Switch A-rip-1] import-route static route-policy rip
2 Configure Switch B.
a Configure IP addresses for interfaces.
<Switch B> system-view
[Switch B] interface vlan-interface 100
[Switch B-Vlan-interface100] ip address 10.0.0.2 255.0.0.0
[Switch B-Vlan-interface100] quit
b Enable RIP.
[Switch B] rip
[Switch B-rip-1] network 10.0.0.0
c Display RIP routing table information to verify the configuration on Switch B.
<Switch B> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------
Peer 10.0.0.1 on Vlan-interface100
Destination/Mask Nexthop Cost Tag Flags Sec
40.0.0.0/8 10.0.0.1 1 0 RA 29
20.0.0.0/8 10.0.0.1 1 0 RA 29
Troubleshooting Routing Policy Configuration
Processing procedure
1 Use the display ip ip-prefix command to display IP prefix list.
2 Use the display route-policy command to display route policy information.
26 802.1X CONFIGURATION
The 802.1x protocol was proposed by the IEEE 802 LAN/WAN committee to address security problems on wireless LANs (WLANs). Currently, it is also used on Ethernet as a common port access control mechanism.
When configuring 802.1x, use the following table to identify where to find the information you are interested in:
802.1x Overview
802.1x is a port-based access control protocol. It authenticates and controls accessing devices at the port level. A device connecting to an 802.1x-enabled port of an access device can access the resources behind the port only after passing authentication. A user failing the authentication is physically disconnected.
■ Architecture of 802.1x
■ Operation of 802.1x
■ EAP Encapsulation over LANs
■ EAP Encapsulation over RADIUS
■ Authentication Process of 802.1x
■ 802.1x Timers
■ Implementation of 802.1x
■ Features Working Together with 802.1x
Architecture of 802.1x
802.1x operates in the typical client/server model and defines three entities: supplicant system, authenticator system, and authentication server system, as shown in Figure 71.
Figure 71 (architecture of 802.1x): supplicant system, authenticator system and authentication server system connected over the LAN/WLAN.
■ Supplicant system: A system at one end of the LAN segment, which is authenticated
by the system at the other end. A supplicant system is usually a user-end device and
initiates 802.1x authentication through 802.1x client software supporting the EAP
over LANs (EAPOL) protocol.
■ Authenticator system: A system at one end of the LAN segment, which authenticates
the system at the other end. An authenticator system is usually an 802.1x-enabled
network device and provides ports (physical or logical) for supplicants to access the
LAN.
■ Authentication server system: The system providing authentication, authorization,
and accounting services for the authenticator system.
The above systems involve three basic concepts: PAE, controlled port, control direction.
PAE
Port access entity (PAE) refers to the entity on a given port of a device that performs the
802.1x algorithm and protocol operations. The authenticator PAE uses the
authentication server to authenticate the supplicant trying to access the LAN and
controls the status of the controlled port (authorized or unauthorized) according to the
authentication result. The supplicant PAE responds to the authentication request of the
authenticator PAE and provides authentication information. The supplicant PAE can also
send authentication requests and logoff requests to the authenticator.
Controlled port
An authenticator provides ports for supplicants to access the LAN. Each of the ports can
be regarded as two virtual ports: a controlled port and an uncontrolled port.
■ The uncontrolled port is always open in both the inbound and outbound directions to
allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always
send or receive authentication frames.
■ The controlled port is open to allow normal traffic to pass only when it is in the
authorized state.
■ The controlled port and uncontrolled port are two parts of the same port. Any frames
arriving at the port are visible to both of them.
Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the supplicant, or just the traffic from the supplicant. Currently, the switch supports only denying the traffic from the supplicant.
Operation of 802.1x
The 802.1x authentication system employs the extensible authentication protocol (EAP) to support authentication information exchange between the supplicant PAE, authenticator PAE, and authentication server.
■ Between the supplicant PAE and authenticator PAE, EAP protocol packets are
encapsulated using EAPOL and transferred over LANs.
■ Between the authenticator PAE and authentication server, EAP protocol packets can
be encapsulated using the EAP attributes of RADIUS and then relayed to the RADIUS
server, or terminated at the authenticator PAE, repackaged in the PAP or CHAP
attributes of RADIUS, and then transferred to the RADIUS server. The former is
referred to as EAP relay mode, and the latter as EAP termination mode.
■ The authentication server is usually a RADIUS server. It maintains information about
users, such as the account, password, VLAN to which the user belongs, CAR
parameters, priority level, and ACL.
■ After a user passes the authentication, the authentication server passes information
about the user to the authenticator, which controls the status of the controlled port
according to the instruction of the authentication server.
Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.
Length: Length of the data, that is, length of the Packet body field, in bytes. If the value
of this field is 0, no subsequent data field is present.
Packet body: The format of this field varies with the value of the Type field.
Figure (EAP packet format): Code (byte 0), Identifier (byte 1), Length (bytes 2 to 3), Data (bytes 4 to N).
Code: Type of the EAP packet, which can be Request, Response, Success, or Failure.
Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields.
Data: This field is zero or more bytes and its format is determined by the Code field.
An EAP packet of type Success or Failure has no Data field and has a length of 4.
An EAP packet of type Request or Response is in the format shown in Figure 75.
Type: EAP authentication type. A value of 1 represents Identity, indicating that the packet
is for querying the identity of the supplicant. A value of 4 represents MD5-Challenge,
which corresponds closely to the PPP CHAP protocol.
EAP Encapsulation over RADIUS
Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator. For information about the RADIUS packet format, refer to the RADIUS overview section in the “AAA, RADIUS, and TACACS+ Configuration” chapter.
EAP-Message
The EAP-Message attribute is used to encapsulate EAP packets. Figure 76 shows its
encapsulation format. The value of the Type field is 79. The String field can be up to 253
bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and encapsulated
into multiple EAP-Message attributes.
Figure 76 (EAP-Message attribute format): Type (byte 0), Length (byte 1), String (from byte 2, carrying the EAP packets).
Message-Authenticator
The Message-Authenticator attribute is used to prevent access requests from being
snooped during EAP authentication. It must be included in any packet with the
EAP-Message attribute; otherwise, the packet will be considered invalid and get
discarded. Figure 77 shows the encapsulation format of the Message-Authenticator
attribute.
Authentication Process of 802.1x
802.1x authentication can be initiated by either a user or the authenticator system. A user initiates authentication by launching the 802.1x client software to send an EAPOL-Start frame to the authenticator system, while the authenticator system sends an EAP-Request/Identity frame to an unauthenticated user when it detects that the user is trying to log in. An 802.1x authenticator system communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the first case as an example to show the 802.1x authentication process.
EAP relay
EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in a
high layer protocol, such as RADIUS, so that they can go through complex networks and
reach the authentication server. Generally, EAP relay requires that the RADIUS server
support the EAP attributes of EAP-Message and Message-Authenticator. See Figure 78
for the message exchange procedure.
Figure 78 (message exchange in EAP relay mode): the authenticator sends EAP-Request/Identity; the supplicant answers EAP-Response/Identity, which the authenticator relays in a RADIUS Access-Request (EAP-Response/Identity); the server returns a RADIUS Access-Challenge carrying EAP-Request/MD5 Challenge, which is relayed to the supplicant; the supplicant answers EAP-Response/MD5 Challenge, relayed in a RADIUS Access-Request; the server returns RADIUS Access-Accept carrying EAP-Success and the port becomes authorized; the authenticator then sends periodic handshake requests [EAP-Request/Identity] answered by handshake responses [EAP-Response/Identity]; an EAPOL-Logoff from the supplicant makes the port unauthorized.
3 When a user launches the 802.1x client software and enters the registered username and
password, the 802.1x client software generates an EAPOL-Start frame and sends it to the
authenticator to initiate an authentication process.
4 Upon receiving the EAPOL-Start frame, the authenticator responds with an
EAP-Request/Identity packet for the identity of the supplicant.
5 When the supplicant receives the EAP-Request/Identity packet, it encapsulates the
identity information in an EAP-Response/Identity packet and sends the packet to the
authenticator.
6 Upon receiving the EAP-Response/Identity packet, the authenticator relays the packet in
a RADIUS Access-Request packet to the authentication server.
7 When receiving the RADIUS Access-Request packet, the authentication server compares the identity information against its user information table to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the authenticator.
8 After receiving the RADIUS Access-Challenge packet, the authenticator relays the
contained EAP-Request/MD5 Challenge packet to the supplicant.
9 When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the offered
challenge to encrypt the password part (this process is not reversible), creates an
EAP-Response/MD5 Challenge packet, and then sends the packet to the authenticator.
10 After receiving the EAP-Response/MD5 Challenge packet, the authenticator relays the
packet in a RADIUS Access-Request packet to the authentication server.
11 When receiving the RADIUS Access-Request packet, the authentication server compares
the password information encapsulated in the packet with that generated by itself. If the
two are identical, the authentication server considers the user valid and sends to the
supplicant a RADIUS Access-Accept packet, instructing the authenticator to open the
port to permit the access request of the supplicant.
12 After the supplicant gets online, the authenticator periodically sends
EAP-Request/Identity packets to the supplicant to check whether the supplicant is still
online. By default, if two consecutive handshake attempts end up with failure, the
authenticator concludes that the supplicant has gone offline and performs the necessary
operations, guaranteeing that the authenticator always knows when a supplicant goes
offline.
13 The supplicant can also send an EAPOL-Logoff frame to the authenticator to terminate the authenticated status. In this case, the authenticator changes the status of the port from authorized to unauthorized.
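The EAP relay exchange described above, played out in an added Python example that is not part of the 3Com guide: it builds and parses EAP packets in the Code/Identifier/Length/Type/Data format, fragments them into RADIUS EAP-Message attributes (Type 79, String up to 253 bytes) and verifies the MD5 Challenge on the server side. The MD5-Challenge value is computed as in RFC 1994 CHAP (an assumption; the guide only says the password is encrypted with the challenge), the user table and challenge bytes are constructed, and the RADIUS Message-Authenticator is omitted.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4      # EAP Type values named in the guide
ATTR_EAP_MESSAGE = 79                         # RADIUS EAP-Message attribute Type, as in the guide
EAP_MESSAGE_MAX = 253                         # String field limit, as in the guide


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Data]; Length covers the whole packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(buf: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Inverse of build_eap; Success/Failure packets carry no Type or Data (Length 4)."""
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length != len(buf):
        raise ValueError("EAP Length field does not match the packet")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, buf[4], buf[5:]


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The one-way value the supplicant returns: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def to_eap_message_attrs(eap_packet: bytes) -> List[bytes]:
    """Fragment an EAP packet into RADIUS EAP-Message attributes (Type 79, String <= 253 bytes)."""
    chunks = [eap_packet[i:i + EAP_MESSAGE_MAX] for i in range(0, len(eap_packet), EAP_MESSAGE_MAX)]
    return [bytes([ATTR_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks]


def from_eap_message_attrs(attrs: List[bytes]) -> bytes:
    """Reassemble the EAP packet carried in one or more EAP-Message attributes."""
    if any(a[0] != ATTR_EAP_MESSAGE or a[1] != len(a) for a in attrs):
        raise ValueError("malformed EAP-Message attribute")
    return b"".join(a[2:] for a in attrs)


def relay(eap_packet: bytes) -> bytes:
    """Authenticator behaviour in relay mode: the EAP packet crosses RADIUS unchanged."""
    return from_eap_message_attrs(to_eap_message_attrs(eap_packet))


def run_eap_relay(username: bytes, password: bytes, server_users: Dict[bytes, bytes],
                  challenge: bytes) -> Tuple[bool, List[str]]:
    """Plays supplicant, authenticator and RADIUS server in turn.
    Returns (port authorized, transcript of the messages exchanged)."""
    log: List[str] = []
    # Authenticator asks for the identity; the supplicant answers with its username.
    req = build_eap(EAP_REQUEST, 1, TYPE_IDENTITY)
    log.append("EAP-Request/Identity")
    _, ident, _, _ = parse_eap(req)
    resp = build_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, username)
    log.append("EAP-Response/Identity -> RADIUS Access-Request (EAP-Response/Identity)")
    # Server looks the identity up; an unknown user gets EAP-Failure straight away.
    _, ident, eap_type, data = parse_eap(relay(resp))
    if eap_type != TYPE_IDENTITY or data not in server_users:
        log.append("RADIUS Access-Reject (EAP-Failure)")
        return False, log
    # Server issues MD5-Challenge; Data = Value-Size(1) Value Name (RFC 3748 section 5.4).
    req = build_eap(EAP_REQUEST, ident + 1, TYPE_MD5_CHALLENGE,
                    bytes([len(challenge)]) + challenge + b"radius-server")
    log.append("RADIUS Access-Challenge (EAP-Request/MD5 Challenge) -> EAP-Request/MD5 Challenge")
    # Supplicant hashes its password with the offered challenge; the password itself never leaves it.
    _, ident, _, data = parse_eap(relay(req))
    offered = data[1:1 + data[0]]
    value = md5_challenge_value(ident, password, offered)
    resp = build_eap(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE, bytes([len(value)]) + value + username)
    log.append("EAP-Response/MD5 Challenge -> RADIUS Access-Request (EAP-Response/MD5 Challenge)")
    # Server recomputes the value from its stored password and compares in constant time.
    _, ident, _, data = parse_eap(relay(resp))
    received, name = data[1:1 + data[0]], data[1 + data[0]:]
    stored = server_users.get(name)
    ok = stored is not None and hmac.compare_digest(received, md5_challenge_value(ident, stored, challenge))
    log.append("RADIUS Access-Accept (EAP-Success): port authorized" if ok
               else "RADIUS Access-Reject (EAP-Failure): port stays unauthorized")
    return ok, log


USERS = {b"alice": b"constructed-password"}   # constructed server-side user table
CHALLENGE = bytes(range(16))                  # constructed; a real server draws this at random

if __name__ == "__main__":
    authorized, transcript = run_eap_relay(b"alice", b"constructed-password", USERS, CHALLENGE)
    print("\n".join(transcript), "\nauthorized:", authorized)
```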
EAP termination
In EAP termination mode, EAP packets are terminated at the authenticator and then
repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS
server for authentication, authorization, and accounting. See Figure 79 for the message
exchange procedure.
Figure 79 (message exchange in EAP termination mode): the authenticator sends EAP-Request/Identity; the supplicant answers EAP-Response/Identity; the authenticator sends EAP-Request/MD5 Challenge; the supplicant answers EAP-Response/MD5 Challenge; the authenticator sends a RADIUS Access-Request (CHAP-Response/MD5 Challenge) to the server and, on acceptance, the port becomes authorized; when the handshake timer expires the authenticator sends a handshake request [EAP-Request/Identity] and receives a handshake response [EAP-Response/Identity]; an EAPOL-Logoff makes the port unauthorized.
Different from the authentication process in EAP relay mode, it is the authenticator that
generates the random challenge for encrypting the user password information in EAP
termination authentication process. Consequently, the authenticator sends the challenge
together with the username and encrypted password information from the supplicant to
the authentication server for authentication.
802.1x Timers Several timers are used in the 802.1x authentication process to guarantee that the
accessing users, the authenticators, and the RADIUS server interact with each other in a
reasonable manner. The following are the major 802.1x timers:
■ Identity request timeout timer (tx-period): Once an authenticator sends an
EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but
it receives no response from the supplicant, it retransmits the request.
■ Password request timeout timer (supp-timeout): Once an authenticator sends an
EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer
expires but it receives no response from the supplicant, it retransmits the request.
■ Authentication server timeout timer (server-timeout): Once an authenticator sends a
RADIUS Access-Request packet to the authentication server, it starts this timer. If this
timer expires but it receives no response from the server, it retransmits the request.
■ Handshake timer (handshake-period): After a supplicant passes authentication, the
authenticator sends to the supplicant handshake requests at this interval to check
Implementation of 802.1x
Devices extend and optimize the mechanism that the 802.1x protocol specifies by:
■ Allowing multiple users to access network services through the same physical port.
■ Supporting two authentication methods: portbased and macbased. With the
portbased method, after the first user of a port passes authentication, all other users
of the port can access the network without authentication, and when the first user
goes offline, all other users get offline at the same time. With the macbased method,
each user of a port must be authenticated separately, and when an authenticated
user goes offline, no other users are affected.
These extensions can help improve network security and manageability dramatically.
For information on how to configure CAMS or Windows 2000 Server for VLAN
assignment, refer to the configuration guides for CAMS or Windows 2000 server.
For the Switch 4500G, currently the VLAN assignment function is available only for the
ports whose link type is ACCESS.
GuestVlan
If you fail to pass authentication for reasons such as having no proprietary authentication client or a lower client version, you are added into GuestVlan. GuestVlan is a default VLAN that you can access without authentication. You can access the resources in the VLAN, such as client download and upgrade. After installing or upgrading the authentication client with these resources, you can carry out the authentication procedure so as to access network resources.
After 802.1x is enabled and GuestVlan is configured correctly, the switch sends authentication-triggering packets (EAP-Request/Identity) through a port. The port is added into GuestVlan when the switch has sent the authentication-triggering packet (EAP-Request/Identity) the maximum number of times without receiving any response packet.
At this point, you initiate an authentication. If you fail to pass the authentication, the port is still in GuestVlan. If you pass the authentication, there are two cases:
■ The authentication server delivers a VLAN. In this case, the port leaves GuestVlan and joins the delivered VLAN. After you disconnect from the network, the port returns to the configured VLAN (the one where the port was located before it joined GuestVlan, that is, the “original VLAN”).
■ The authentication server does not deliver a VLAN. In this case, the port leaves GuestVlan and joins the configured VLAN. After you disconnect from the network, the port is still in the configured VLAN.
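The VLAN transitions of a GuestVlan port described above (configured VLAN, GuestVlan after the maximum number of unanswered EAP-Request/Identity packets, delivered VLAN on success, back to the configured VLAN on disconnect), modelled in an added Python example that is not part of the guide. The method names and the max_tx_attempts value are constructed; the guide only speaks of "the maximum times".

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class GuestVlanPort:
    configured_vlan: int            # the "original VLAN" the port sits in before GuestVlan
    guest_vlan: int
    max_tx_attempts: int = 3        # constructed stand-in for the guide's "maximum times"
    current_vlan: Optional[int] = None
    unanswered: int = 0
    authenticated: bool = False

    def __post_init__(self) -> None:
        if self.current_vlan is None:
            self.current_vlan = self.configured_vlan

    def identity_request_unanswered(self, times: int = 1) -> int:
        """EAP-Request/Identity was sent `times` more times with no response.  Once the
        count exceeds the maximum, the port is moved into GuestVlan."""
        self.unanswered += times
        if not self.authenticated and self.unanswered > self.max_tx_attempts:
            self.current_vlan = self.guest_vlan
        return self.current_vlan

    def authentication_result(self, passed: bool, delivered_vlan: Optional[int] = None) -> int:
        """Outcome of an authentication the user initiated from the port."""
        if not passed:
            return self.current_vlan    # failed: the port stays where it is (still GuestVlan)
        self.authenticated = True
        self.unanswered = 0
        # Server delivered a VLAN: join it.  No VLAN delivered: back to the configured VLAN.
        self.current_vlan = delivered_vlan if delivered_vlan is not None else self.configured_vlan
        return self.current_vlan

    def disconnect(self) -> int:
        """User goes offline: the port returns to (or stays in) the configured VLAN."""
        self.authenticated = False
        self.current_vlan = self.configured_vlan
        return self.current_vlan


if __name__ == "__main__":
    port = GuestVlanPort(configured_vlan=1, guest_vlan=10)
    print(port.identity_request_unanswered(times=4))   # 10: moved into GuestVlan
    print(port.authentication_result(False))           # 10: still in GuestVlan
    print(port.authentication_result(True, 5))         # 5: delivered VLAN
    print(port.disconnect())                           # 1: back to the configured VLAN
```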
Configuring 802.1x
Except for enabling 802.1x globally or on ports, the other 802.1x configurations are optional. You can perform these configurations as required. For specific parameters and parameter meanings, see the 802.1x-HABP-MAC Authentication Command Manual.
Configuration Prerequisites
802.1x provides a user identity authentication scheme. However, 802.1x cannot implement the authentication scheme solely by itself. RADIUS or local authentication must be configured to work with 802.1x:
■ For remote RADIUS authentication, the username and password information must be
configured on the RADIUS server and the relevant configurations must be performed
on the authenticator.
■ For local authentication, the username and password information must be configured
on the authenticator and the service type must be set to lan-access.
For details about these configuration tasks, refer to “AAA, RADIUS, and TACACS+
Configuration”.
CAUTION:
■ 802.1x must be enabled both globally in system view and specifically on the intended ports in system view or Ethernet interface view. Otherwise, it does not function.
■ Some 802.1x timers are configurable. This makes sense in some special or extreme
network environments. Normally, leave the defaults unchanged.
■ With 802.1x enabled on a port, you cannot configure the maximum number of MAC
addresses that the port can learn (by using the mac-address max-mac-count
command), and vice versa.
■ 802.1x-related configurations can all be performed in system view. Enabling 802.1x, the port access control mode, the port access method, and the maximum number of accessing users can also be configured in port view.
■ If you perform a configuration in system view and do not specify the interface-list
argument, the configuration applies to all ports. Configurations performed in
Ethernet port view apply to the current Ethernet port only and the interface-list
argument is not needed in this case.
■ If EAP authentication is used for 802.1x users, the contents you enter on the client
will be directly sent to the server after encapsulation. In this case, the configuration
with the user-name-format command is invalid.
■ If the client is configured to include a version number, or you enter a username that includes a blank character, you cannot search or release user connections by username. However, you can search or release user connections in other ways, such as by IP address or connection index.
■ If 802.1x is enabled on a port, the port cannot be added to an aggregation group. If a port has been added to an aggregation group, you cannot enable 802.1x on the port.
■ 802.1x cannot block cluster handshake packets.
■ Currently, the 10GE ports of the Switch 4500G do not support 802.1x.
Configuring GuestVlan
Displaying and Maintaining 802.1x
Table 187 Displaying and Maintaining 802.1x
To do: Display 802.1x session information, statistics, or configuration information of specified or all ports
Use the command: display dot1x [ sessions | statistics ] [ interface interface-list ]
Remarks: Available in any view
To do: Clear 802.1x statistics
Use the command: reset dot1x statistics [ interface interface-list ]
Remarks: Available in user view
802.1x Configuration Example
Network diagram
Figure (network diagram): the supplicant connects to GigabitEthernet1/0/1 of the switch (authenticator), which connects to the Internet and to the authentication servers (RADIUS server cluster, IP addresses 10.11.1.1 and 10.11.1.2).
Configuration procedure
13 Set radius1 as the RADIUS scheme for users of the domain and specify to use local
authentication as the secondary scheme.
[3Com-isp-aabbcc.net] authentication default radius-scheme radius1 local
[3Com-isp-aabbcc.net] authorization default radius-scheme radius1 local
[3Com-isp-aabbcc.net] accounting default radius-scheme radius1 local
14 Set the maximum number of users for the domain as 30.
[3Com-isp-aabbcc.net] access-limit enable 30
15 Enable the idle cut function and set the idle interval.
[3Com-isp-aabbcc.net] idle-cut enable 20
[3Com-isp-aabbcc.net] quit
16 Add local access user localuser, enable the idle cut function and set the idle interval.
[3Com] local-user localuser
[3Com-luser-localuser] service-type lan-access
[3Com-luser-localuser] password simple localpass
[3Com-luser-localuser] attribute idle-cut 20
Typical GuestVlan Configuration Example
Figure (before authentication): the Supplicant connects to GigabitEthernet1/0/3 in VLAN 1; GigabitEthernet1/0/8 in VLAN 5 connects to the Internet.
Figure (port in GuestVlan): GigabitEthernet1/0/3 is in Guest VLAN 10; GigabitEthernet1/0/8 in VLAN 5 connects to the Internet.
As shown in Figure 84, the authentication server delivers VLAN 5 after you pass authentication and access the Internet. In this case, the Supplicant and GigabitEthernet1/0/8 belong to VLAN 5, and the Supplicant can access the Internet.
Figure 84 (after authentication): GigabitEthernet1/0/3 and GigabitEthernet1/0/8 are both in VLAN 5; the Supplicant reaches the Internet.
Configuration procedure
1 Enable 802.1x globally.
<3Com> system-view
[3Com] dot1x
2 Enable 802.1x on the specified port.
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] dot1x
3 Configure the way of access control on the port as portbased.
[3Com-GigabitEthernet1/0/3] dot1x port-method portbased
4 Configure the mode of access control on the port as auto.
[3Com-GigabitEthernet1/0/3] dot1x port-control auto
5 Configure the link type of the port as access.
[3Com-GigabitEthernet1/0/3] port link-type access
[3Com-GigabitEthernet1/0/3] quit
6 Create VLAN 10.
[3Com] vlan 10
[3Com-vlan10] quit
7 Configure GuestVlan of the specified port.
[3Com] dot1x guest-vlan 10 interface GigabitEthernet1/0/3
Introduction to ABP
With 802.1x (or MAC authentication) enabled, a switch authenticates 802.1x-enabled (or MAC authentication-enabled) ports. Packets can be forwarded only by authorized ports. If the ports connected to the switch are not authenticated, the packets they receive are filtered.
This means that users can no longer manage the attached switches. To address this problem, the authentication bypass protocol (ABP) has been developed.
An ABP packet carries the MAC addresses of the attached switches. It can bypass 802.1x authentication or MAC authentication when traveling between ABP-enabled switches, so that management devices can obtain the MAC addresses of the attached switches and managing the attached switches becomes feasible.
ABP is implemented by ABP server and ABP client. Normally, an ABP server sends ABP
request packets regularly to ABP clients to collect the MAC addresses of the attached
switches. ABP clients respond to the ABP request packets and forward the ABP request
packets to lower-level switches. ABP servers usually reside on management devices and
ABP clients usually on attached switches.
For ease of switch management, enable ABP for 802.1x-enabled (or MAC
authentication-enabled) switches.
ABP Server Configuration
With the ABP server launched, a management device sends ABP request packets regularly to the attached switches to collect their MAC addresses. You also need to configure, on the management device, the interval at which the ABP server sends ABP request packets.
Table 188 Configure an ABP server
ABP Client Configuration
ABP clients reside on switches attached to ABP servers. After you enable ABP for a switch, the switch operates as an ABP client by default, so you only need to enable ABP on a switch to make it an ABP client.
Displaying ABP
After performing the above configuration, you can display and verify your ABP-related configuration by executing the display command in any view.
28 MAC AUTHENTICATION CONFIGURATION
MAC authentication is a method for authenticating users based on port and MAC address.
When configuring MAC authentication, use the following table to identify where to find the information you are interested in:
MAC Authentication Overview
MAC authentication controls user network access based on port and MAC address. It does not require users to have any supplicant system software installed. The MAC address of the host is used as the user name and password for authentication. Once a switch detects a new MAC address, it initiates the authentication process.
Configuring MAC Authentication
CAUTION:
■ You can enable MAC authentication for specified ports or set MAC authentication
parameters before enabling MAC authentication globally. However, your
configuration takes effect only after you enable MAC authentication globally.
■ MAC authentication cannot coexist with 802.1x authentication on the same port.
■ If MAC authentication is enabled on a port, you cannot configure the maximum number of MAC addresses to be learned on the port (the mac-address max-mac-count command). Conversely, if the maximum number of MAC addresses to be learned is configured on a port, you cannot enable MAC authentication on the port.
Displaying and Maintaining MAC Authentication
Table 193 Displaying and Maintaining MAC Authentication
To do: Display the global MAC authentication information or the MAC authentication information about specified interfaces
Use the command: display mac-authentication [ interface interface-list ]
Remarks: Available in any view
MAC Authentication Configuration Example
■ For local authentication, you configure the MAC address of a host as the user name
and password on the switch.
■ For RADIUS authentication, you configure the MAC address of a host as the user
name and password on the RADIUS server.
Network requirements
As shown in Figure 85, a user is connected to the switch through port GigabitEthernet
1/0/1.
■ MAC authentication is required on every port to control user access to the Internet.
■ All users belong to domain aabbcc.net.
■ Set the offline-detect timer to 180 seconds and the quiet timer to 3 minutes.
■ Configure the switch to perform local authentication.
Network diagram
Figure 85 (network diagram): the PC connects to GigabitEthernet 1/0/1 of the switch (authenticator), which connects to the Internet.
Configuration procedure
1 Add a local user.
<3Com> system-view
[3Com] local-user 00e0fc010101
[3Com-luser-00e0fc010101] password simple 00e0fc010101
[3Com-luser-00e0fc010101] service-type lan-access
[3Com-luser-00e0fc010101] quit
2 Configure ISP domain aabbcc.net, and specify to perform local authentication.
[3Com] domain aabbcc.net
[3Com-isp-aabbcc.net] authentication lan-access local
[3Com-isp-aabbcc.net] quit
3 Enable MAC authentication globally.
[3Com] mac-authentication
4 Enable MAC authentication on port GigabitEthernet 1/0/1.
[3Com] mac-authentication interface GigabitEthernet 1/0/1
5 Specify the ISP domain for centralized MAC authentication.
[3Com] mac-authentication domain aabbcc.net
29 AAA, RADIUS, AND TACACS+ CONFIGURATION
Overview
Introduction to AAA
AAA is short for the three security functions authentication, authorization and accounting. It provides a uniform framework for you to configure the three security functions to implement network security management.
The network security mentioned here mainly refers to access control. It mainly controls:
Authentication
AAA supports the following authentication methods:
■ None authentication: Users are trusted and are not authenticated. Generally, this
method is not recommended.
■ Local authentication: User information (including user name, password, and attributes) is configured on this device. Local authentication is fast and has a lower operational cost, but the amount of information that can be stored is limited by the device hardware.
■ Remote authentication: Users are authenticated remotely through the RADIUS
protocol or TACACS+ protocol. This device (for example, a 3Com series switch) acts
as the client to communicate with the RADIUS server or TACACS server. For RADIUS
protocol, both standard and extended RADIUS protocols can be used.
Authorization
AAA supports the following authorization methods:
■ Direct authorization: Users are trusted and directly authorized. Users have the default
rights now.
■ Local authorization: Users are authorized according to the related attributes
configured for their local accounts on the device.
■ RADIUS authorization: Users are authorized after they pass the RADIUS
authentication. The authentication and authorization of RADIUS protocol are bound
together, and you cannot perform RADIUS authorization alone without RADIUS
authentication.
■ TACACS+ authorization: Users are authorized by TACACS server.
Accounting
AAA supports the following accounting methods:
■ None accounting: No accounting is performed for users.
■ Remote accounting: User accounting is performed on the remote RADIUS server or
TACACS server.
■ Local accounting: This function can count the accessed users, for a purpose of
limiting access of local users.
Generally, AAA adopts the client/server structure, where the client acts as the managed
resource and the server stores user information. This structure has good scalability and
facilitates the centralized management of user information. AAA can be based on
multiple protocols, and currently RADIUS or TACACS+ is used.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a user name in the format userid@isp-name, the isp-name following the @ character is the ISP domain name. The access device uses userid as the user name for authentication and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may belong to
different domains. Since the users of different ISPs may have different attributes (such as
different compositions of user name and password, different service types/rights), it is
necessary to distinguish the users by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS scheme,
and so on) for each ISP domain independently in ISP domain view.
Introduction to RADIUS
AAA is a management framework that is not tied to a single protocol, but in practice the most commonly used protocol for AAA is RADIUS.
What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed information exchange
protocol in client/server structure. It can prevent unauthorized access to the network and
is commonly used in network environments where both high security and remote user
access service are required.
■ Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the frame format and
message transfer mechanism of RADIUS, and define 1812 as the authentication port
and 1813 as the accounting port.
■ Server: The RADIUS server runs on a computer or workstation at the center. It stores
and maintains the information on user authentication and network service access.
■ Client: The RADIUS clients run on the dial-in access server device. They can be
deployed anywhere in the network.
RADIUS is based on client/server model. Acting as a RADIUS client, the switch passes user
information to a designated RADIUS server, and makes processing (such as
connecting/disconnecting users) depending on the responses returned from the server.
The RADIUS server receives user’s connection requests, authenticates users, and returns
all required information to the switch.
Generally, the RADIUS server maintains the following three databases (as shown in
Figure 86):
■ Users: This database stores information about users (such as user name, password,
adopted protocol and IP address).
■ Clients: This database stores the information about RADIUS clients (such as shared
keys).
■ Dictionary: This database stores the information used to interpret the attributes and
attribute values of the RADIUS protocol.
In addition, the RADIUS server can act as the client of some other AAA server to provide
the authentication or accounting proxy service.
[Figure: RADIUS packet format. Field labels recoverable from the figure: Authenticator, Attribute. The fields are described below.]
1 The Code field decides the type of the RADIUS packet, as shown in Table 194.
2 The Identifier field (one byte) matches request and response packets. It changes whenever the Attribute field changes or a valid response has been received, but remains unchanged during retransmission.
3 The Length field (two bytes) specifies the total length of the packet (including the Code,
Identifier, Length, Authenticator and Attribute fields). The bytes beyond the length will
be regarded as padding bytes and are ignored upon receiving the packet. If the received
packet is shorter than the value of this field, it will be discarded.
4 The Authenticator field (16 bytes) is used to verify the packet returned from the RADIUS
server; it is also used in the password hiding algorithm. There are two kinds of
authenticators: Request and Response.
5 The Attribute field contains special authentication, authorization, and accounting
information to provide the configuration details of a request or response packet. This
field is represented by a field triplet (Type, Length and Value):
■ The Type field (one byte) specifies the type of the attribute. Its value ranges from 1 to
255. Table 195 lists the attributes that are commonly used in RADIUS authentication
and authorization.
■ The Length field (one byte) specifies the total length of the Attribute field in bytes
(including the Type, Length and Value fields).
■ The Value field (up to 253 bytes) contains the information about the attribute. Its
content and format are determined by the Type and Length fields.
The RADIUS protocol is highly extensible. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
Figure 89 depicts the structure of attribute 26. The Vendor-ID field, representing the code of the vendor, occupies four bytes: the first byte is 0, and the other three bytes are defined in RFC 1700. Within the attribute, the vendor can encapsulate multiple customized sub-attributes (each containing Type, Length and Value) to obtain an extended RADIUS implementation.
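As an added example that is not part of the original guide, the following Python code parses a RADIUS packet into the fields described above (Code, Identifier, Length, Authenticator and the Type/Length/Value attribute list) and decodes a Vendor-Specific attribute (type 26) into its Vendor-ID and sub-attributes. It enforces the two length rules stated on the page: bytes beyond the Length field are treated as padding and ignored, and a packet shorter than its Length field is discarded. The sample packet at the bottom is constructed for the example; the Vendor-ID value 43 and sub-attribute type 1 are sample values, not values taken from the guide.

```python
import struct

# Packet type names for the Code field (RFC 2865/2866; Table 194 on the page).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

HEADER_LEN = 20          # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
VENDOR_SPECIFIC = 26     # attribute type that carries vendor sub-attributes


def parse_vsa(value: bytes) -> dict:
    """Decode the Value of attribute 26: a 4-byte Vendor-ID whose first byte is 0,
    followed by vendor sub-attributes, each a Type/Length/Value triplet."""
    if len(value) < 4 or value[0] != 0:
        raise ValueError("Vendor-ID must be 4 bytes with a leading 0 byte")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        stype, slen = value[pos], value[pos + 1]
        if slen < 2 or pos + slen > len(value):
            raise ValueError(f"bad sub-attribute length {slen}")
        subs.append((stype, value[pos + 2:pos + slen]))
        pos += slen
    return {"vendor_id": vendor_id, "sub_attributes": subs}


def parse_radius(packet: bytes) -> dict:
    """Parse one RADIUS packet. Length rules from the page: bytes beyond the Length
    field are padding and ignored; a packet shorter than Length is discarded."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header; discard")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN:
        raise ValueError("Length field smaller than the header; discard")
    if len(packet) < length:
        raise ValueError("packet shorter than its Length field; discard")
    authenticator = packet[4:HEADER_LEN]
    body = packet[HEADER_LEN:length]      # anything past Length is padding
    attributes = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        # The attribute Length counts Type, Length and Value, so it is never below 2.
        if alen < 2 or pos + alen > len(body):
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        value = body[pos + 2:pos + alen]
        attributes.append((atype, parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
        pos += alen
    return {"code": CODES.get(code, code), "identifier": identifier, "length": length,
            "authenticator": authenticator, "attributes": attributes}


def build_radius(code: int, identifier: int, authenticator: bytes, attributes) -> bytes:
    """Encode a packet from (type, value) pairs; used here only to construct sample input."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attributes)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


# Constructed sample: an Access-Request carrying User-Name (type 1) and one
# Vendor-Specific attribute. Vendor-ID 43 and sub-attribute type 1 are sample values.
SAMPLE_VSA = struct.pack("!I", 43) + bytes([1, 5]) + b"abc"
SAMPLE_PACKET = build_radius(1, 7, bytes(range(16)),
                             [(1, b"alice@isp1"), (VENDOR_SPECIFIC, SAMPLE_VSA)])

if __name__ == "__main__":
    print(parse_radius(SAMPLE_PACKET))
```

The attribute loop rejects any attribute whose Length is below 2 or runs past the body before it slices the Value, which is the check a receiver needs so that a malformed Length cannot make it read outside the packet.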
Compared with RADIUS, TACACS+ provides more reliable transmission and encryption,
and therefore is more suitable for security control. Table 196 lists the primary differences
between TACACS+ and RADIUS protocols.
TACACS+ | RADIUS
Adopts TCP, providing more reliable network transmission. | Adopts UDP.
Encrypts the entire packet except the TACACS+ header. | Encrypts only the password field in authentication packets.
Separates authentication from authorization. For example, you can provide authentication and authorization on different TACACS servers. | Brings together authentication and authorization.
Suitable for security control. | Suitable for accounting.
Supports authorization of the use of configuration commands. | Not supported.
In a typical TACACS+ application, a dial-up or terminal user needs to log in to the device
for operations. As the client of TACACS+ in this case, the switch sends the username and
password to the TACACS server for authentication. After passing authentication and
being authorized, the user can log in to the switch to perform operations, as shown in
Figure 90.
[Figure 90 Network diagram of a typical TACACS+ application: a terminal user reaches the switch over ISDN/PSTN; the switch communicates with two TACACS servers, 129.7.66.66 and 129.7.66.67.]

[Figure: message exchange between the user, the TACACS client (the switch) and the TACACS server, in order: user logs in; authentication start request packet; authentication response packet requesting the user name; the user is asked for the user name; user enters the user name; authentication continuance packet carrying the user name; authentication response packet requesting the password; the user is asked for the password; user enters the password; authentication continuance packet carrying the password; authentication success packet; authorization request packet; authorization success packet; user is permitted; accounting start request packet; accounting start response packet; user quits; accounting stop packet; accounting stop response packet. The steps are listed below.]
1 A user requests access to the switch; the TACACS client sends an authentication start
request packet to TACACS server upon receipt of the request.
2 The TACACS server sends back an authentication response requesting for the username;
the TACACS client asks the user for the username upon receipt of the response.
3 The TACACS client sends an authentication continuance packet carrying the username
after receiving the username from the user.
4 The TACACS server sends back an authentication response, requesting for the password.
Upon receipt of the response, the TACACS client requests the user for the login
password.
5 After receiving the login password, the TACACS client sends an authentication
continuance packet carrying the login password to the TACACS server.
6 The TACACS server sends back an authentication response indicating that the user has
passed the authentication.
7 The TACACS client sends the user authorization request packet to the TACACS server.
8 The TACACS server sends back the authorization response, indicating that the user has
passed the authorization.
9 Upon receipt of the response indicating an authorization success, the TACACS client
pushes the configuration interface of the switch to the user.
10 The TACACS client sends an accounting start request packet to the TACACS server.
11 The TACACS server sends back an accounting response, indicating that it has received
the accounting start request.
12 The user logs out; the TACACS client sends an accounting stop request to the TACACS
server.
13 The TACACS server sends back an accounting stop packet, indicating that the
accounting stop request has been received.
Configuration Tasks
Table 197 Configuration tasks
AAA Configuration
The goal of AAA configuration is to protect network devices against unauthorized access and at the same time provide network access services to authorized users. If you need to use ISP domains to implement AAA management on access users, you need to configure the ISP domains.
Configuration Prerequisites
If you want to adopt a remote AAA method, you must create a RADIUS or TACACS+ scheme.
■ RADIUS scheme (radius-scheme): You can reference a configured RADIUS scheme
to implement AAA services. For the configuration of RADIUS scheme, refer to section
“RADIUS Configuration”.
■ TACACS+ scheme (tacacs+-scheme): You can reference a configured TACACS+
scheme to implement AAA services. For the configuration of TACACS+ scheme, refer
to section “TACACS+ Configuration”.
Creating an ISP Domain
Table 198 Create an ISP domain
Operation | Command | Description
Enter system view | system-view | —
Create an ISP domain and enter its view, or enter the view of an existing ISP domain | domain isp-name | Required
Quit to system view | quit | —
Configure the default ISP domain | domain default { disable | enable isp-name } | Optional. The default ISP domain is "system".
To remove the default ISP domain you define, you must first use the domain default disable command.
Configuring the Attributes of an ISP Domain
Table 199 Configure the attributes of an ISP domain
Operation | Command | Description
Enter system view | system-view | —
Create an ISP domain or enter the view of an existing ISP domain | domain isp-name | Required
Activate/deactivate the ISP domain | state { active | block } | Optional. By default, once an ISP domain is created, it is in the active state and all the users in this domain are allowed to access the network.
Configuring AAA Authentication of an ISP Domain
Authentication, authorization and accounting are three independent service procedures in AAA. Authentication fulfills interactive authentication of user name/password/user profile to meet individual access or service requests. It neither delivers authorization messages to the users who make service requests nor triggers accounting. In AAA, you can use only authentication rather than authorization or accounting. Without any configuration, the authentication of the domain is local by default. You can configure authentication according to the following three steps:
1 To use RADIUS solution for authentication, you first need to configure a RADIUS scheme
to cite; to use local or none solution for authentication, you do not need to configure a
scheme.
2 Determine the access ways or service types to configure. You can configure
authentication based on different access ways and service types, and restrict the
authentication protocols available for access through configuration.
3 Determine whether to configure a default authentication for all access ways or service
types.
■ There are three types of users for AAA: login, command authorization, and
lan-access. You can configure authentication/authorization/accounting policy
independently according to the real requirements of users.
■ The authentication configured by the authentication default command is
applicable to all users. That is, the configuration takes effect for all users. But its
priority is lower than that configured in the specified access mode.
■ If you have configured RADIUS as the solution for authentication, AAA only takes the authentication result from the RADIUS server. The RADIUS authorization information carried in the authentication-success response is not handled during the authentication procedure.
■ If you have configured the radius-scheme radius-scheme-name local
command, or hwtacacs-scheme hwtacacs-scheme-name local command, local is
used as the alternative authentication when the RADIUS Server or TACACS server
fails. That is, the local authentication is used only when the RADIUS Server or TACACS
server does not work.
■ If local or none is used as the first solution for authentication, you can only use local authentication or no authentication. You cannot use a RADIUS solution at the same time.
Configuring AAA Authorization of an ISP Domain
Authorization is an independent procedure at the same level as authentication and accounting in AAA. It is responsible for sending authorization requests to the configured authorization server and delivering the relevant authorization messages to users after authorization. It is optional in the AAA configuration of an ISP domain.
By default, the authorization scheme for an ISP domain is local. If you configure the authorization scheme as none, no authorization is required. In this case, authenticated users have only the default rights. For example, by default EXEC users (for instance, Telnet users) have the lowest access right, and FTP users are authorized to use the root directory. You can configure authorization according to the following three steps:
1 If you choose TACACS+ authorization scheme, you should first define the TACACS+
scheme to be used. For RADIUS authorization, it takes effect only when the RADIUS
scheme of authentication and authorization are configured similarly.
2 Determine the access ways or service types to configure. You can configure authorization
based on different access ways and service types, and restrict the authorization protocols
available for access through configuration.
3 Determine whether to configure a default authorization for all access ways or service
types.
■ If local or none is used as the first solution for authorization, you can only use local authorization or no authorization. You cannot use a RADIUS solution at the same time.
■ Since the authorization information of the RADIUS server is transmitted to the
RADIUS client together with the authentication response packet, if you specify both
authentication and authorization schemes as RADIUS scheme, you must ensure that
the RADIUS authorization server and the RADIUS authentication server run on the
same device; otherwise the system will give an error prompt.
Configuring AAA Accounting of an ISP Domain
Accounting is an independent procedure at the same level as authentication and authorization in AAA. It sends requests to start, update and end accounting to the configured accounting server. Accounting is not required in the AAA configuration of an ISP domain; without accounting, users accessing the domain do not go through the accounting procedure. You can configure accounting according to the following three steps:
1 To use a RADIUS or TACACS+ solution for accounting, you need to first configure the RADIUS scheme or TACACS+ scheme to cite; to use a local or none solution for accounting, you do not need to configure a scheme.
2 Determine the access ways or service types to configure. You can configure accounting
based on different access ways and service types, and restrict the accounting protocols
available for access through configuration.
3 Determine whether to configure a default accounting for all access ways or service types.
■ When charging a user, if the system does not find any available accounting server or
fails to communicate with any accounting server, it will not disconnect the user as
long as the accounting optional command has been executed.
■ The accounting configured by the accounting default command is applicable to
all users. That is, the configuration takes effect for users. But its priority is lower than
that configured in the specified access mode.
■ Local accounting is only used to manage the connections of local users. It has no real
statistics function. The management of local connections only has effect to local
accounting, not local authentication and authorization.
■ If the radius-scheme radius-scheme-name local or hwtacacs-scheme
hwtacacs-scheme-name local command is configured, the local is used as the
alternative accounting when the RADIUS Server or TACACS server fails. That is, the
local accounting is used only when the RADIUS Server or TACACS server does not
work.
■ If local or none is used as the first solution for accounting, you can only use local accounting or no accounting. You cannot use a RADIUS or TACACS+ solution at the same time.
■ FTP does not support accounting for login.
Configuring the Attributes of a Local User
When the local scheme is chosen as the AAA scheme, you should create local users on the switch and configure the relevant attributes.
The local users are users set on the switch, with each user uniquely identified by a user name. To make a user who is requesting network service pass local authentication, you should add an entry for the user in the local user database on the switch.
RADIUS Configuration
The RADIUS protocol configuration is performed on a RADIUS scheme basis. In an actual network environment, you can either use a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. For each kind of server, you can configure two servers in a RADIUS scheme: a primary server and a secondary server. A RADIUS scheme has the following attributes: IP addresses of the primary and secondary servers, shared keys, and types of the RADIUS servers.
Actually, the RADIUS protocol configuration only defines the parameters used for information exchange between the switch and the RADIUS servers. To make these parameters take effect, you must reference the RADIUS scheme configured with these parameters in an ISP domain view. For specific configuration commands, refer to section "AAA Configuration".
Creating a RADIUS Scheme
The RADIUS protocol configuration is performed on a RADIUS scheme basis. You should first create a RADIUS scheme and enter its view before performing other RADIUS protocol configurations.
Configuring RADIUS Authentication/Authorization Servers
Table 206 Configure RADIUS authentication/authorization server
Operation | Command | Description
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the IP address and port number of the primary RADIUS authentication/authorization server | primary authentication ip-address [ port-number ] | Required. By default, the IP address and UDP port number of the primary server are 0.0.0.0 and 1812 respectively.
Set the IP address and port number of the secondary RADIUS authentication/authorization server | secondary authentication ip-address [ port-number ] | Optional. By default, the IP address and UDP port number of the secondary server are 0.0.0.0 and 1812 respectively.
■ The authentication response sent from the RADIUS server to the RADIUS client carries
the authorization information. Therefore, no separate authorization server can be
specified.
■ In an actual network environment, you can either specify two RADIUS servers as the
primary and secondary authentication/authorization servers respectively, or specify
only one server as both the primary and secondary authentication/authorization
servers.
■ The IP address and port number of the primary authentication server used by the
default RADIUS scheme "system" are 127.0.0.1 and 1645.
■ You are not allowed to assign the same IP address to both the primary and secondary authentication/authorization servers; otherwise, the system prompts that the operation failed.
Configuring RADIUS Accounting Servers
Table 207 Configure RADIUS accounting server
Operation | Command | Description
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the IP address and port number of the primary RADIUS accounting server | primary accounting ip-address [ port-number ] | Required. By default, the IP address and UDP port number of the primary accounting server are 0.0.0.0 and 1813.
Set the IP address and port number of the secondary RADIUS accounting server | secondary accounting ip-address [ port-number ] | Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813.
Enable stop-accounting packet buffering | stop-accounting-buffer enable | Optional. By default, stop-accounting packet buffering is enabled.
Enable stop-accounting packet retransmission and set the maximum number of transmission attempts of the buffered stop-accounting packets | retry stop-accounting retry-times | Optional. By default, the system tries at most 500 times to transmit a buffered stop-accounting request.
Set the maximum number of real-time accounting request attempts | retry realtime-accounting retry-times | Optional. By default, the maximum number of real-time accounting request attempts is 5. After that, the user connection is cut down.
■ In an actual network environment, you can either specify two RADIUS servers as the
primary and secondary accounting servers respectively, or specify only one server as
both the primary and secondary accounting servers. In addition, because RADIUS
adopts different UDP ports to transceive authentication/authorization packets and the
accounting packets, you must set a port number for accounting different from that
set for authentication/authorization.
■ Stop-accounting requests are critical to billing and will eventually affect the charges
of the users; they are important for both the users and the ISP. Therefore, the switch
should do its best to transmit them to the RADIUS accounting server. If the RADIUS
server does not respond to such a request, the switch should first buffer the request
on itself, and then retransmit the request to the RADIUS accounting server until it
gets a response, or the maximum number of transmission attempts is reached (in this
case, it discards the request).
■ You can set the maximum number of real-time accounting request attempts in the
case that the accounting fails. If the switch makes all the allowed real-time
accounting request attempts but fails to perform accounting, it cuts down the
connection of the user.
■ The IP address and the port number of the default primary accounting server
"system" are 127.0.0.1 and 1646.
■ Currently, RADIUS does not support the accounting of FTP users.
■ You are not allowed to assign the same IP address to both the primary and secondary accounting servers; otherwise, the system prompts that the operation failed.
Configuring Shared Keys for RADIUS Packets
The RADIUS client and server use the MD5 algorithm to protect the RADIUS packets exchanged with each other. The two parties verify the validity of the exchanged packets by using the shared keys that have been set on them, and can accept and respond to the packets sent from each other only if both of them have the same shared keys.
Table 208 Configure shared keys for RADIUS packets
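As an added example that is not part of the original guide, the following Python code shows the two places where the shared key enters the MD5 computations the page refers to: the User-Password hiding algorithm of RFC 2865 section 5.2 (the only field RADIUS protects, as Table 196 notes) and the Response Authenticator of RFC 2865 section 3, which is what lets the client verify that a reply came from a server holding the same shared key. The secret, Request Authenticator and password values in the test are constructed; make_response stands in for the server side and is not code from the guide.

```python
import hashlib
import hmac
import struct


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2. The password is padded with
    zero bytes to a multiple of 16, then each 16-byte block is XORed with
    MD5(secret + previous block); for the first block the 'previous block' is the
    Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it. The zero padding is stripped,
    so a password that itself ends in zero bytes would lose them."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """Response Authenticator from RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check of a reply: recompute the Response Authenticator with the
    shared key and compare it with the 16 bytes carried in the packet. A reply from a
    server with a different key, or a reply modified in transit, fails this check."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or len(packet) < length:
        return False
    expected = response_authenticator(code, identifier, packet[20:length],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])


def make_response(code: int, identifier: int, attributes: bytes,
                  request_authenticator: bytes, secret: bytes) -> bytes:
    """Build a reply the way a server would (constructed here for the example)."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes
```

The password hiding is a keystream derived from MD5 of the shared key, not an authenticated encryption of the packet; only the Response Authenticator ties a reply to the key, which is why the guide requires the same key on both sides and treats a key mismatch as a failed exchange rather than an error message.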
Configuring the Maximum Number of Transmission Attempts of RADIUS Requests
The communication in RADIUS is unreliable because this protocol adopts UDP packets to carry data. Therefore, it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires. If the maximum number of transmission attempts is reached and the switch still receives no answer, the switch considers that the request has failed.
Table 209 Configure the maximum transmission attempts of RADIUS request
The product of the retry-times here and the seconds of the timer
response-timeout command can be greater than 75.
Configuring the Supported RADIUS Server Type
Table 210 Configure the supported RADIUS server type
Operation | Command | Description
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Specify the type of RADIUS server supported by the switch | server-type { extended | standard } | Optional. By default, the switch supports the standard type of RADIUS server. The type of RADIUS server in the default RADIUS scheme "system" is extended.
Configuring the Status of RADIUS Servers
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme:
When the switch fails to communicate with the primary server due to some server
trouble, the switch will actively exchange packets with the secondary server.
After the time the primary server keeps in the block state exceeds the time set with the
timer quiet command, the switch will try to communicate with the primary server
again when it receives a RADIUS request. If the primary server recovers, the switch
immediately restores the communication with the primary server instead of
communicating with the secondary server, and at the same time restores the status of
the primary server to the active state while keeping the status of the secondary server
unchanged.
When both the primary and secondary servers are in active or block state, the switch
sends packets only to the primary server.
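The server status rules above together with the retransmission rule from "Configuring the Maximum Number of Transmission Attempts of RADIUS Requests", as an added Python simulation that is not code from the guide: a RadiusServerPool tracks the active/block state of the primary and secondary servers, blocks a server after retry-times transmissions each waiting response-timeout seconds, carries traffic on the secondary while the primary is blocked, probes the primary again on the first request after the quiet timer has expired, and restores it to active the moment it answers. The reachable map, the clock values and the timer values in the test are constructed for the example; the switch's real scheduling is not visible on the page and is assumed to behave as the rules state.

```python
class RadiusServerPool:
    """Simulated primary/secondary server handling for one RADIUS scheme, following
    the status rules on the page. Times are seconds on a caller-supplied clock."""

    def __init__(self, retry_times: int, response_timeout: int, quiet_time: int):
        self.retry_times = retry_times            # 'retry' command
        self.response_timeout = response_timeout  # 'timer response-timeout' command
        self.quiet_time = quiet_time              # 'timer quiet' command
        self.state = {"primary": "active", "secondary": "active"}
        self.blocked_since = {}                   # server -> time it entered block state

    def _candidates(self, now):
        """Order in which servers are tried for a request received at time `now`."""
        primary = self.state["primary"]
        if primary == "block" and now - self.blocked_since["primary"] >= self.quiet_time:
            primary = "probe"       # quiet timer expired: try the primary again
        if primary in ("active", "probe"):
            order = ["primary"]
            if self.state["secondary"] == "active":
                order.append("secondary")   # fall back if the primary does not answer
            return order
        if self.state["secondary"] == "active":
            return ["secondary"]            # primary blocked, secondary carries traffic
        return ["primary"]                  # both blocked: only the primary is tried

    def request(self, now, reachable):
        """Send one request. `reachable` maps server name -> bool and stands in for
        the network. Returns which server answered (None if none did) and the
        seconds spent waiting on timeouts."""
        elapsed = 0
        for name in self._candidates(now):
            if reachable.get(name, False):
                self.blocked_since.pop(name, None)
                self.state[name] = "active"   # a recovered primary is restored at once;
                return {"server": name, "ok": True, "elapsed": elapsed}   # secondary untouched
            # No response: retry_times transmissions, each waiting response_timeout.
            elapsed += self.retry_times * self.response_timeout
            self.state[name] = "block"
            self.blocked_since[name] = now + elapsed
        return {"server": None, "ok": False, "elapsed": elapsed}


if __name__ == "__main__":
    pool = RadiusServerPool(retry_times=3, response_timeout=3, quiet_time=300)
    print(pool.request(0, {"primary": True, "secondary": True}))
    print(pool.request(10, {"primary": False, "secondary": True}), pool.state)
    print(pool.request(400, {"primary": True, "secondary": True}), pool.state)
```

The elapsed value is the detection latency a user pays while the primary is down: retry-times multiplied by response-timeout before the secondary is even tried, which is why the guide keeps an eye on the product of those two settings.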
Configuring the Attributes for Data to be Sent to RADIUS Servers
Table 212 Configure the attributes for data to be sent to the RADIUS servers
Operation | Command | Description
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the format of the user names to be sent to RADIUS servers | user-name-format { with-domain | without-domain } | Optional. By default, the user names sent from the switch to RADIUS servers carry ISP domain names.
Set the units of measure for data flows sent to RADIUS servers | data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }* | Optional. By default, in a RADIUS scheme, the unit of measure for data is byte and that for packets is one-packet.
Set the source IP address used by the switch to send RADIUS packets | In RADIUS scheme view: nas-ip ip-address. In system view: radius nas-ip ip-address | Optional. By default, no source IP address is specified, and the IP address of the outbound interface is used as the source IP address.
■ Generally, access users are named in the userid@isp-name format, where isp-name after the @ character is the ISP domain name by which the device determines which ISP domain the user belongs to. However, some older RADIUS servers cannot accept user names that carry ISP domain names. In this case, the domain name must be removed from the user name before it is sent to the RADIUS server. The user-name-format command lets you specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.
■ For a RADIUS scheme, if you have specified that no ISP domain names are carried in
the user names, you should not adopt this RADIUS scheme in more than one ISP
domain. Otherwise, such errors may occur: the RADIUS server regards two different
users having the same name but belonging to different ISP domains as the same user
(because the usernames sent to it are the same).
■ In the default RADIUS scheme "system", no ISP domain names are carried in the user
names by default.
■ The nas-ip command in RADIUS scheme view only takes effect for the current
RADIUS scheme, while that in system view is for all RADIUS schemes. The former one
takes priority in implementation.
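The userid@isp-name convention from "Introduction to ISP Domain" and the user-name-format notes above, as an added Python example that is not part of the original guide. It splits a login name into userid and domain (falling back to the default domain "system" for a name with no @, which is assumed here to be how the switch resolves such names), applies with-domain or without-domain to produce the name the RADIUS server receives, and checks a scheme shared by several ISP domains for the collision the second note warns about: two different users that the server would see as one. The domain and user names in the test are constructed.

```python
DEFAULT_DOMAIN = "system"   # the guide: the default ISP domain is "system"


def split_user_name(name: str, default_domain: str = DEFAULT_DOMAIN):
    """Split userid@isp-name into (userid, domain). A name without '@' is placed in
    the default ISP domain (an assumption about the switch's behaviour)."""
    if "@" in name:
        userid, domain = name.split("@", 1)   # assumption: the first '@' is the separator
        if not userid or not domain:
            raise ValueError(f"malformed user name {name!r}")
        return userid, domain
    return name, default_domain


def name_sent_to_radius(name: str, user_name_format: str) -> str:
    """Apply a RADIUS scheme's user-name-format setting to a login name."""
    userid, domain = split_user_name(name)
    if user_name_format == "with-domain":
        return f"{userid}@{domain}"
    if user_name_format == "without-domain":
        return userid
    raise ValueError("user-name-format must be with-domain or without-domain")


def scheme_name_collisions(user_name_format: str, users_by_domain: dict) -> dict:
    """users_by_domain maps each ISP domain that references one RADIUS scheme to the
    userids defined in it. Returns the names the RADIUS server would receive from
    more than one domain, i.e. distinct users it would treat as the same user."""
    seen = {}
    for domain, userids in users_by_domain.items():
        for userid in userids:
            sent = name_sent_to_radius(f"{userid}@{domain}", user_name_format)
            seen.setdefault(sent, set()).add(domain)
    return {sent: sorted(domains) for sent, domains in seen.items() if len(domains) > 1}


if __name__ == "__main__":
    # Constructed sample: two domains sharing one scheme, both containing "alice".
    sample = {"isp1": ["alice", "carol"], "isp2": ["alice"]}
    print(scheme_name_collisions("without-domain", sample))
```

Running scheme_name_collisions against the domains that reference a without-domain scheme before deploying it is a cheap way to catch the misconfiguration the guide describes, since the server itself cannot tell the two accounts apart.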
Configuring a Local RADIUS Authentication Server
Table 213 Configure local RADIUS authentication server
Operation | Command | Description
Enter system view | system-view | —
Create a local RADIUS authentication server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS authentication server, with NAS-IP 127.0.0.1, has already been created.
■ When you use the local RADIUS authentication server function, the UDP port number
for the authentication/authorization service must be 1645, the UDP port number for
the accounting service is 1646, and the IP addresses of the servers must be set to the
addresses of the switch.
■ The packet encryption key set by the local-server command with the key
password parameter must be identical with the authentication/authorization packet
encryption key set by the key authentication command in RADIUS scheme
view.
■ The switch supports up to 16 local RADIUS authentication servers (including the
default local RADIUS authentication server).
Configuring the Timers of RADIUS Servers
If the switch gets no response from the RADIUS server after sending out a RADIUS request (authentication/authorization request or accounting request) and waiting for a period of time, it should retransmit the packet to ensure that the user can obtain the RADIUS service. This wait time is called the response timeout time of RADIUS servers, and the timer in the switch system that controls this wait time is called the response timeout timer of RADIUS servers.
Table 214 Set the timers of RADIUS server
The product of the retry-times of retry command and the seconds of the timer
response-timeout command can be greater than 75.
TACACS+ Configuration
Creating a TACACS+ Scheme
The TACACS+ protocol is configured scheme by scheme. Therefore, you must create a TACACS+ scheme and enter TACACS+ view before you perform other configuration tasks.
The system supports up to 16 TACACS+ schemes. You can only delete the schemes that
are not being used.
Configuring TACACS+ Authentication Servers
Table 216 Configure TACACS+ authentication servers
Operation | Command | Description
Enter system view | system-view | —
Create a TACACS+ scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.
Set the IP address and port number of the primary TACACS+ authentication server | primary authentication ip-address [ port ] | Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 49.
Set the IP address and port number of the secondary TACACS+ authentication server | secondary authentication ip-address [ port ] | Required. By default, the IP address of the secondary authentication server is 0.0.0.0, and the port number is 49.
■ The primary and secondary authentication servers cannot use the same IP address.
Otherwise, the system will prompt unsuccessful configuration.
■ You can remove a server only when it is not used by any active TCP connection for
sending authentication packets.
Configuring TACACS+ Authorization Servers

Table 217 Configure TACACS+ authorization servers

  Operation:   Enter system view
  Command:     system-view

  Operation:   Create a TACACS+ scheme and enter its view
  Command:     hwtacacs scheme hwtacacs-scheme-name
  Description: Required. By default, no TACACS+ scheme exists.

  Operation:   Set the IP address and port number of the primary TACACS+ authorization server
  Command:     primary authorization ip-address [ port ]
  Description: Required. By default, the IP address of the primary authorization server is 0.0.0.0 and the port number is 49.

  Operation:   Set the IP address and port number of the secondary TACACS+ authorization server
  Command:     secondary authorization ip-address [ port ]
  Description: Required. By default, the IP address of the secondary authorization server is 0.0.0.0 and the port number is 49.

■ The primary and secondary authorization servers cannot use the same IP address. Otherwise, the system reports that the configuration failed.
■ You can remove a server only when it is not used by any active TCP connection for sending authorization packets.
Configuring TACACS+ Accounting Servers

Table 218 Configure TACACS+ accounting servers

  Operation:   Enter system view
  Command:     system-view

  Operation:   Create a TACACS+ scheme and enter its view
  Command:     hwtacacs scheme hwtacacs-scheme-name
  Description: Required. By default, no TACACS+ scheme exists.

  Operation:   Set the IP address and port number of the primary TACACS+ accounting server
  Command:     primary accounting ip-address [ port ]
  Description: Required. By default, the IP address of the primary accounting server is 0.0.0.0 and the port number is 49.

  Operation:   Set the IP address and port number of the secondary TACACS+ accounting server
  Command:     secondary accounting ip-address [ port ]
  Description: Required. By default, the IP address of the secondary accounting server is 0.0.0.0 and the port number is 49.

  Operation:   Enable the switch to buffer the stop-accounting requests that get no response
  Command:     stop-accounting-buffer enable
  Description: Optional. By default, the switch buffers the stop-accounting requests that get no response.

  Operation:   Enable the stop-accounting packet retransmission function and set the maximum number of attempts
  Command:     retry stop-accounting retry-times
  Description: Optional. By default, the stop-accounting packet retransmission function is enabled and the system can transmit a stop-accounting request up to 100 times.
■ The primary and secondary accounting servers cannot use the same IP address. Otherwise, the system reports that the configuration failed.
■ You can remove a server only when it is not used by any active TCP connection for sending accounting packets.
■ Currently, RADIUS and TACACS+ do not support the accounting of FTP users.
Configuring Shared Keys for TACACS+ Packets

When using a TACACS+ server as an AAA server, you can set a key to improve the security of communication between the switch and the TACACS+ server. The key is set in TACACS+ scheme view with the key authentication, key authorization and key accounting commands, as in the configuration examples later in this chapter.

The TACACS+ client and server use the shared key, together with an MD5-derived pad, to obfuscate the body of every TACACS+ packet they exchange (the packet header is sent in the clear). Each side can recover the body only if it holds the same shared key as the other, so the two parties accept and respond to each other's packets only when the keys match. Note that this MD5 pad is obfuscation rather than authenticated encryption: it does not protect against tampering or replay, so TACACS+ traffic should stay on a trusted management network and the key should be long and random.
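The obfuscation described above, as an added example written for this page (it is not switch code and not part of the original guide). It follows the pseudo-pad construction of RFC 8907 section 4.5 and builds an authentication START packet; the session ID, the user/port/address strings and the mismatched key are constructed values. The point it makes is that a wrong key does not produce an error on either side: the server simply recovers a different body, which is why a key mismatch looks like a protocol or timeout problem rather than a rejection.

```python
import hashlib
import struct

# Constructed values for this example. "expert" is the key used in the configuration
# examples of this chapter; the second key is a hypothetical mismatch on the server side.
KEY = b"expert"
WRONG_KEY = b"expert1"

TAC_PLUS_VERSION = 0xC0   # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN = 0x01    # header type: authentication packet


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); the digests are
    concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. The same call reverses it, so a wrong key is not
    detected here: the peer just recovers a different, meaningless body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action=LOGIN (1), priv_lvl=1,
    authen_type=ASCII (1), authen_service=LOGIN (1), four length bytes, then the
    variable-length user, port, rem_addr and (empty) data fields."""
    fixed = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Client side (the switch): 12-byte header in the clear, obfuscated body after it."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_user(packet: bytes, key: bytes) -> bytes:
    """Server side: read the header, de-obfuscate with the server's copy of the key
    and return the user field. Only the right key yields the name the switch sent."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    user_len = body[4]
    return body[8:8 + user_len]
```

Because XOR with the pad is its own inverse, the same function serves both directions; that symmetry is also why a captured session can be decoded offline by anyone who learns the key, which is the reason to keep the key out of configuration backups shared beyond the AAA operators.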
Configuring the Attributes for Data to be Sent to TACACS+ Servers

Table 220 Configure the attributes for data to be sent to TACACS+ servers

  Operation:   Enter system view
  Command:     system-view

  Operation:   Create a TACACS+ scheme and enter its view
  Command:     hwtacacs scheme hwtacacs-scheme-name
  Description: Required. By default, no TACACS+ scheme exists.

  Operation:   Set the format of the user names to be sent to TACACS+ servers
  Command:     user-name-format { with-domain | without-domain }
  Description: Optional. By default, the user names sent from the switch to TACACS+ servers carry ISP domain names.

  Operation:   Set the units of measure for data flows sent to TACACS+ servers
  Command:     data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
               data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
  Description: Optional. By default, in a TACACS+ scheme the unit of measure for data is byte and that for packets is one-packet.

  Operation:   Set the source IP address used by the switch to send TACACS+ packets
  Command:     In TACACS+ scheme view: nas-ip ip-address
               In system view: hwtacacs nas-ip ip-address
  Description: Optional. By default, no source IP address is specified; the IP address of the outbound interface is used as the source IP address.
■ Generally, access users are named in the userid@isp-name format, where isp-name after the @ character is the ISP domain name. If the TACACS+ server does not accept user names carrying an ISP domain name, you must remove the domain name from the user names before they are sent to the TACACS+ server (user-name-format without-domain).
■ The nas-ip command in TACACS+ scheme view only takes effect for the current TACACS+ scheme, while hwtacacs nas-ip in system view applies to all TACACS+ schemes. The scheme view setting takes priority.
Configuring the Timers of TACACS+ Servers

Table 221 Configure the timers of TACACS+ servers

  Operation:   Enter system view
  Command:     system-view

  Operation:   Create a TACACS+ scheme and enter its view
  Command:     hwtacacs scheme hwtacacs-scheme-name
  Description: Required. By default, no TACACS+ scheme exists.

  Operation:   Set the response timeout time of TACACS+ servers
  Command:     timer response-timeout seconds
  Description: Optional. By default, the response timeout time is five seconds.

  Operation:   Set the wait time for the primary server to restore the active state
  Command:     timer quiet minutes
  Description: Optional. By default, the primary server waits five minutes before restoring the active state.

  Operation:   Set the real-time accounting interval
  Command:     timer realtime-accounting minutes
  Description: Optional. By default, the real-time accounting interval is 12 minutes.
Displaying and Maintaining AAA & RADIUS & TACACS+ Information

After the above configurations, you can execute the display commands in any view to view the operation of AAA, RADIUS and TACACS+ and verify your configuration.

You can use the reset command in user view to clear the corresponding statistics.
Remote RADIUS Authentication of Telnet/SSH Users

■ The configuration procedure for the remote authentication of SSH users through a RADIUS server is similar to that of Telnet users. The following description only takes the remote authentication of Telnet users as an example.
■ Currently, RADIUS and TACACS+ do not support the accounting of FTP users.
Network requirements
In the network environment shown in Figure 92, you are required to configure the switch
so that the Telnet users logging into the switch are authenticated by the RADIUS server.
■ A RADIUS server with IP address 10.110.91.164 is connected to the switch. This
server will be used as the authentication server.
■ On the switch, set the shared key that is used to exchange packets with the
authentication RADIUS server to "expert".
You can use a CAMS server as the RADIUS server. If you use a third-party RADIUS server,
you can select standard or extended as the server type in the RADIUS scheme. When you
use a CAMS server, you should select extended for server-type in the RADIUS scheme.
Configure the RADIUS server as follows:
■ Set the shared key it uses to exchange packets with the switch to "expert".
■ Set the port number for authentication.
■ Add Telnet user names and login passwords.

The Telnet user name added to the RADIUS server must be in the format userid@isp-name if you have configured the switch to include domain names in the user names sent to the RADIUS server.
Network diagram
Configuration procedure
1 Enter system view.
<3Com> system-view
[3Com]
2 Adopt AAA authentication for Telnet users.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
3 Configure an ISP domain.
[3Com] domain cams
[3Com-isp-cams] access-limit enable 10
[3Com-isp-cams] quit
4 Configure optional accounting. This configuration is required if the CAMS server also serves as the RADIUS server, since the CAMS server does not respond to accounting packets. If an independent RADIUS server, Windows 2000 for example, is used, this configuration is not required.
[3Com] domain cams
[3Com-isp-cams] accounting optional
[3Com-isp-cams] quit
Local Authentication, Authorization and Accounting for FTP/Telnet Users

For FTP users, no accounting is required and their local authentication and authorization are the same as those of Telnet users. Therefore, the following only describes the configurations for Telnet users.
Network requirements
Make local authentication, authorization and accounting schemes on the switch for
Telnet users.
Networking diagram

Figure 93 Local authentication, authorization and accounting configuration for Telnet users (the Telnet user reaches the switch across the Internet)
Configuration procedure
1 Method 1: Using local authentication, authorization and accounting.
a Set Telnet users to use AAA scheme.
<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
b Create local user telnet.
[3Com] local-user telnet
[3Com-luser-telnet] service-type telnet
[3Com-luser-telnet] password simple 3Com
[3Com-luser-telnet] attribute idle-cut 5 access-limit 5
[3Com-luser-telnet] quit
[3Com] domain system
[3Com-isp-system] authentication login local
[3Com-isp-system] authorization login local
[3Com-isp-system] accounting login local
c Configure default AAA schemes, in which user type is not checked.
[3Com-isp-system] authentication default local
[3Com-isp-system] authorization default local
[3Com-isp-system] accounting default local
The user logs in with the user name userid@system to use the authentication of the system domain.
Configure the shared key to “expert” on the TACACS server for exchanging packets with
the switch.
Networking diagram
Configuration procedure
1 Set Telnet users to use AAA scheme
<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
2 Configure TACACS+ scheme
[3Com] hwtacacs scheme hwtac
[3Com-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[3Com-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[3Com-hwtacacs-hwtac] primary accounting 10.110.91.164 49
[3Com-hwtacacs-hwtac] key authentication expert
[3Com-hwtacacs-hwtac] key authorization expert
[3Com-hwtacacs-hwtac] key accounting expert
[3Com-hwtacacs-hwtac] user-name-format without-domain
[3Com-hwtacacs-hwtac] quit
3 Configure AAA scheme for the domain
[3Com] domain hwtacacs
[3Com-isp-hwtacacs] authentication login hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] authorization login hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] accounting login hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] quit
4 Configure default AAA schemes, in which user type is not checked.
[3Com] domain hwtacacs
[3Com-isp-hwtacacs] authentication default hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] authorization default hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] accounting default hwtacacs-scheme hwtac
For the AAA applications of users of other access types, their AAA configurations on the
domain are similar to those of Telnet users, except different access types.
Networking diagram
Figure 95 Local authentication, TACACS+ authorization and RADIUS accounting of Telnet users
Configuration procedure
1 Set Telnet users to use AAA scheme
<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
2 Configure a TACACS+ scheme.
[3Com] hwtacacs scheme hwtac
[3Com-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[3Com-hwtacacs-hwtac] key authorization expert
[3Com-hwtacacs-hwtac] user-name-format without-domain
[3Com-hwtacacs-hwtac] quit
3 Configure a RADIUS scheme.
[3Com] radius scheme cams
[3Com-radius-cams] primary accounting 10.110.91.165 1813
[3Com-radius-cams] key accounting expert
[3Com-radius-cams] server-type extended
[3Com-radius-cams] user-name-format with-domain
[3Com-radius-cams] quit
4 Create local user telnet.
[3Com] local-user telnet
[3Com-luser-telnet] service-type telnet
[3Com-luser-telnet] password simple telnet
Troubleshooting AAA & RADIUS & TACACS+ Configuration

Troubleshooting the RADIUS Protocol

The RADIUS protocol is at the application layer in the TCP/IP protocol suite. It prescribes how the switch and the RADIUS server of the ISP exchange user information with each other.
Possible reasons and solutions:
■ The user name is not in the userid@isp-name format, or no default ISP domain is specified on the switch. Use the correct user name format, or set a default ISP domain on the switch.
■ The user is not configured in the database of the RADIUS server. Check the database of the RADIUS server and make sure that the configuration information about the user exists.
■ The user entered an incorrect password. Enter the correct password.
■ The switch and the RADIUS server have different shared keys. Compare the shared keys at the two ends and make sure they are identical.
■ The switch cannot communicate with the RADIUS server (you can check this by pinging the RADIUS server from the switch). Take measures to restore normal communication between the switch and the RADIUS server.
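Why a shared-key mismatch shows up as a timeout rather than as a rejected login, as an added example written for this page (not code from this guide or from the switch). It implements the two places RFC 2865 uses the shared secret: hiding the User-Password attribute in the Access-Request, and the Response Authenticator the switch checks on the reply. A response whose authenticator does not verify must be silently discarded, so with mismatched keys the switch never sees a usable reply and retransmits until the timers expire, which is the same symptom as an unreachable server. The user name, password and the mistyped secret are constructed values; "expert" is the key used in this chapter's examples.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example. "expert" is the shared key used in the
# configuration examples; the other is a hypothetical typo on the server side.
SWITCH_SECRET = b"expert"
MISTYPED_SECRET = b"expret"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password: same chain, keyed on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def access_request(ident: int, request_auth: bytes, user: bytes, password: bytes, secret: bytes) -> bytes:
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def sign_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Switch: recompute the Response Authenticator with its own key. RFC 2865 requires a
    reply that fails this check to be silently discarded: no reject, just no answer."""
    length = struct.unpack("!H", response[2:4])[0]
    header, resp_auth, attrs = response[:4], response[4:20], response[20:length]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(switch_secret: bytes, server_secret: bytes):
    """One Access-Request / Access-Accept round trip, with possibly different keys on the
    two ends. Returns (password as the server recovered it, whether the switch accepted the reply)."""
    request_auth = os.urandom(16)
    req = access_request(7, request_auth, b"telnet@cams", b"3Com", switch_secret)
    # Server side: skip the 20-byte header and the User-Name attribute to reach User-Password.
    name_attr_len = req[21]
    hidden = req[20 + name_attr_len + 2:]
    seen_password = recover_password(hidden, server_secret, req[4:20])
    reply = sign_response(ACCESS_ACCEPT, req, b"", server_secret)
    return seen_password, response_is_authentic(reply, request_auth, switch_secret)
```

With matching keys the server recovers "3Com" and the switch accepts the Access-Accept; with the mistyped key the server decodes a garbage password (and would reject it) and, even if it replied Access-Accept, the switch would drop the reply as inauthentic. Neither side logs a key error, which is why comparing the keys at both ends is the first check for "no response" symptoms.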
Possible reasons and solutions:
■ The communication link (physical/link layer) between the switch and the RADIUS server is disconnected or blocked. Take measures to restore the link.
■ No RADIUS server IP address, or an incorrect one, is set on the switch. Set the correct RADIUS server IP address.
■ One or all of the AAA UDP port settings are incorrect. Set the same UDP port numbers as those used on the RADIUS server.
Symptom 3 The user passes the authentication and gets authorized, but the accounting information
cannot be transmitted to the RADIUS server.
Possible reasons and solutions:
■ The accounting port number is not set properly. Set the correct port number for RADIUS accounting.
■ The switch is configured so that the authentication/authorization server and the accounting server are the same device (the same IP address), but in fact they are not on the same device. Configure the RADIUS servers on the switch according to the actual deployment.
Troubleshooting the TACACS+ Protocol

See the previous section if you encounter a TACACS+ fault.
30 IGMP SNOOPING CONFIGURATION

IGMP Snooping Overview

Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.

Principle of IGMP Snooping

By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and MAC multicast groups and forwards multicast data based on these mappings.

As shown in Figure 96, when IGMP Snooping is not running, multicast packets are broadcast to all devices at Layer 2. When IGMP Snooping runs, multicast packets for known multicast groups are delivered only to the receivers at Layer 2.
[Figure 96 and Figure 97 (diagrams not reproduced): Multicast Router, Source, Router A, Switch A with GigabitEthernet 1/0/1, 1/0/2 and 1/0/3, Receiver Host A, Receiver Host B, Host D; legend: Multicast Packets, Router Port, Member Port]
Ports involved in IGMP Snooping, as shown in Figure 97, are described as follows:
■ Router port: On an Ethernet switch, a router port connects the switch to a multicast
router. In the figure, GigabitEthernet1/0/1 of Switch A and GigabitEthernet1/0/1 of
Switch B are router ports. A switch registers all its local router ports in its router port
list.
■ Member port: On an Ethernet switch, a member port (also known as multicast group
member port) connects the switch to a multicast group member. In the figure,
GigabitEthernet1/0/2 and GigabitEthernet1/0/3 of Switch A and GigabitEthernet1/0/2
of Switch B are member ports.
Whenever mentioned in this document, a router port is a router-connecting port on a
switch, rather than a port on a router.
Port aging timers in IGMP Snooping and related messages and actions

Table 225 Port aging timers in IGMP Snooping and related messages and actions

  Timer:          Router port aging timer
  Description:    For each router port, the switch sets a timer initialized to the router port aging time.
  Message before expiry: IGMP general query or PIM hello message
  Action after expiry:   The switch removes this port from its router port list.

  Timer:          Member port aging timer
  Description:    When a port joins a multicast group, the switch sets a timer for the port, initialized to the member port aging time.
  Message before expiry: IGMP report message
  Action after expiry:   The switch removes this port from the multicast group forwarding table.
Work Mechanism of IGMP Snooping

A switch running IGMP Snooping processes IGMP messages as follows:

IGMP general queries

The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether multicast group members exist on the subnet.

Upon receiving an IGMP general query, the switch forwards it to all ports in the VLAN except the receiving port and performs the following on the receiving port:
■ If the receiving port is a router port existing in its router port list, the switch resets the aging timer of this router port.
■ If the receiving port is not a router port existing in its router port list, the switch adds it to its router port list and sets an aging timer for this router port.
IGMP reports
A host sends an IGMP report to the multicast router in the following circumstances:
■ Upon receiving an IGMP query, a multicast group member host responds with an
IGMP report.
■ When intended to join a multicast group, a host sends an IGMP report to the
multicast router to announce that it is to join the multicast group.
Upon receiving the IGMP report, the switch forwards it to all the router ports in the VLAN
and performs the following to the receiving port:
■ Resolves the address of the multicast group that the host is to join and add a
forwarding entry for this port in the forwarding table.
■ Sets or resets a member port aging timer for this port.
The switch does not forward an IGMP report to the non-router ports in the VLAN, for the following reason: IGMPv1 and IGMPv2 hosts suppress their own report when they see another host's report for the same group. If the switch forwarded the report to other member ports, the hosts attached to them would stay silent, and the switch would no longer learn that members of that multicast group are still attached to those ports.

IGMP leave messages

When an IGMPv2 or IGMPv3 host leaves a multicast group, the host sends an IGMP leave message to the multicast router to announce that it has left the multicast group.
Upon receiving an IGMP leave message, a switch forwards it to all router ports in the
VLAN. Because the switch does not know whether any other member hosts of that
multicast group still exists under the port to which the IGMP leave message arrived, the
switch does not immediately delete the forwarding entry corresponding to that port
from the forwarding table; instead, it resets the aging timer of the member port.
328 CHAPTER 30: IGMP SNOOPING CONFIGURATION
IGMP group-specific queries

Upon receiving an IGMP group-specific query, the switch forwards it to all the router ports in the VLAN and all member ports of that multicast group, and performs the following on the receiving port:
■ If an IGMP report for that multicast group arrives on the member port before its aging timer expires, some other members of that multicast group still exist under that port: the switch resets the aging timer of the member port.
■ If no IGMP report for that multicast group arrives on this member port before its aging timer expires in response to the IGMP group-specific query, no members of that multicast group remain under the port: the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires.
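The processing described above for general queries, reports, leave messages and group-specific queries, together with the port fast leave and IGMP report suppression options described later in this chapter, condensed into a small simulation. This is an added example written for this page, not switch code; the timer values, port names and group addresses are assumptions, and time is passed in explicitly so the aging behaviour of Table 225 can be observed without waiting.

```python
from collections import defaultdict

# Timer values are assumptions for this example, not the switch's defaults (seconds).
ROUTER_PORT_AGING = 105
MEMBER_PORT_AGING = 260
LAST_MEMBER_WAIT = 1      # how long a member entry survives after a leave while the
                          # group-specific query is outstanding


class IgmpSnooper:
    """IGMP Snooping state for one VLAN: router ports and per-group member ports,
    each carrying an expiry time, plus a log of what the switch sends and where."""

    def __init__(self, ports, fast_leave=False, report_suppression=False):
        self.ports = set(ports)
        self.router_ports = {}              # port -> expiry
        self.members = defaultdict(dict)    # group -> {port: expiry}
        self.fast_leave = fast_leave
        self.report_suppression = report_suppression
        self.sent = []                      # (message, set of egress ports)

    def _age(self, now):
        """Apply the two aging timers of Table 225."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.members):
            live = {p: t for p, t in self.members[group].items() if t > now}
            if live:
                self.members[group] = live
            else:
                del self.members[group]

    def on_general_query(self, port, now):
        self._age(now)
        self.router_ports[port] = now + ROUTER_PORT_AGING   # add or refresh the router port
        self.sent.append(("general-query", self.ports - {port}))

    def on_report(self, port, group, now):
        self._age(now)
        already_known = group in self.members
        self.members[group][port] = now + MEMBER_PORT_AGING  # set or reset the member timer
        # Reports go to router ports only, never to other member ports (see the text above).
        if not (self.report_suppression and already_known):
            self.sent.append(("report " + group, set(self.router_ports) - {port}))

    def on_leave(self, port, group, now):
        self._age(now)
        self.sent.append(("leave " + group, set(self.router_ports) - {port}))
        if port not in self.members.get(group, {}):
            return
        if self.fast_leave:
            del self.members[group][port]
        else:
            # Keep the entry, but only as long as a group-specific query may be answered.
            self.sent.append(("group-specific-query " + group, {port}))
            self.members[group][port] = now + LAST_MEMBER_WAIT
        if not self.members[group]:
            del self.members[group]

    def forward_ports(self, group, now):
        """Egress ports for multicast data to `group`: member ports plus router ports.
        A group with no entry is unknown multicast and is flooded to the whole VLAN
        unless the drop-unknown-multicast function is enabled."""
        self._age(now)
        if group in self.members:
            return set(self.members[group]) | set(self.router_ports)
        return set(self.ports)
```

The last method is the security-relevant one: once the only member entry for a group ages out, traffic for that group is no longer constrained and floods the VLAN, so a receiver that stops answering queries (or a port whose aging timer is set too short) silently turns the group back into broadcast until drop-unknown-multicast is enabled.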
IGMP Snooping configuration task list

  Task                                                               Remarks
  Configuring Basic Functions of IGMP Snooping
    Enabling IGMP Snooping                                           Required
    Configuring the Version of IGMP Snooping                         Optional
    Configuring Port Aging Timers                                    Optional
  Configuring Port Functions
    Configuring Static Ports                                         Optional
    Enabling Simulated Host Joining                                  Optional
    Enabling Port Fast Leave                                         Optional
    Configuring IGMP Report Suppression                              Optional
  Configuring IGMP-Related Functions
    Enabling IGMP Querier                                            Optional
    Configuring IGMP Timers                                          Optional
    Configuring Source IP Address of IGMP Queries                    Optional
    Configuring the Function of Dropping Unknown Multicast Data      Optional
  Configuring a Multicast Group Policy
    Configuring a Multicast Group Filter                             Optional
    Configuring Multicast Source Port Filtering                      Optional
    Configuring Maximum Multicast Groups that Can Pass Ports         Optional
    Configuring Multicast Group Replacement                          Optional
■ Configurations performed in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. However, configurations made in VLAN view override the corresponding configurations made in IGMP Snooping view.
■ Configurations performed in IGMP Snooping view are globally effective; configurations performed in port view are effective only for the current port; configurations performed in port group view are effective only for the ports in the current port group.
■ The system gives priority to configurations made in port view or port group view. Configurations made in IGMP Snooping view are used only if the corresponding configurations have not been made in port view or port group view.
Configuring Basic Functions of IGMP Snooping

Configuration Prerequisites

Before configuring the basic functions of IGMP Snooping, complete the following tasks:
■ Configure the corresponding VLANs
■ Configure the corresponding port groups

Before configuring the basic functions of IGMP Snooping, prepare the following data:

■ Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping setting will not take effect.
■ If you enable IGMP Snooping in a specified VLAN, this function takes effect for Ethernet ports in this VLAN only.
Configuring the Version of IGMP Snooping

By configuring the IGMP Snooping version, you are actually configuring the version of IGMP messages that can be analyzed and processed by IGMP Snooping.
■ If the current version is 2, IGMP Snooping can analyze and process IGMPv1 and IGMPv2 messages, but cannot analyze and process IGMPv3 messages: in this case, IGMPv3 messages will be broadcast in the VLAN.
■ If the current version is 3, IGMP Snooping can analyze and process IGMPv1, IGMPv2 and IGMPv3 messages.
CAUTION: If you switch IGMP Snooping from version 3 to version 2, the system automatically deletes all the IGMP Snooping entries and reapplies the valid static configurations.
Configuring Port Aging Timers

If the switch does not receive an IGMP general query or a PIM hello message before the aging timer of a router port expires, the switch deletes this router port from the router port list when the aging timer times out.

If the switch does not receive an IGMP report for a multicast group before the aging timer of a member port expires, the switch deletes this member port from the forwarding table for that multicast group when the aging timer times out.

If multicast group memberships change frequently, you can set a relatively small value for the member port aging timer, and vice versa.
Configuring Port Functions

Configuring Static Ports

If the host attached to a port needs to receive multicast data addressed to a particular multicast group or from a particular multicast source/group, you can configure this port to be a static member port of that multicast group or multicast source/group.

In a network with a stable topology, you can configure the router ports of a switch as static router ports, through which the switch can receive IGMP messages from routers or Layer 3 switches.

■ The function of static joining to a multicast source/group is available only for IGMP Snooping version 3.
■ When you configure or remove a port as a static member port of a multicast group or multicast source/group, the port will not initiate an IGMP report or an IGMP leave message.
■ Static member ports and static router ports never age out. To delete such a port, you need to use the corresponding command.
Enabling Simulated Host Joining

Generally, a host running IGMP responds to IGMP queries from a multicast router. If a host fails to respond for some reason, the multicast router deems that no member of this multicast group exists on the network segment, and therefore removes the corresponding forwarding path.

To avoid this situation, you can configure a port of the switch as a member of the multicast group. When an IGMP query arrives, that member port gives a response. As a result, the switch can continue to receive multicast data.

A simulated host can implement the following multicast functions of a real host:
■ When simulated host joining is enabled on an Ethernet port, the simulated host sends an IGMP report on this port.
■ When receiving an IGMP general query, the simulated host responds with an IGMP report.
■ When simulated host joining is disabled on an Ethernet port, the simulated host sends an IGMP leave message on this port.
Enabling Port Fast Leave

By default, when receiving an IGMP leave message from a host announcing that it is leaving a multicast group, the switch sends an IGMP group-specific query through the receiving port rather than directly deleting the port from the multicast forwarding table. If the switch receives no response within a certain wait time, it deletes the port from the forwarding table.

With the port fast leave function enabled, when the switch receives an IGMP leave message from a host announcing that it is leaving a multicast group, the switch directly deletes this port from the forwarding table. From then on, when receiving an IGMP query specific to that multicast group, the switch does not forward it to that port. Because the port is removed without checking for other members, enable fast leave only on ports with a single attached host; on a port shared by several receivers, one host's leave would cut off the others until they report again.
Configuring IGMP Report Suppression

When a Layer 2 device receives an IGMP report from a multicast group member, it forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members of a multicast group exist under the Layer 2 device, the Layer 3 device directly connected with it receives identical IGMP reports from the multiple members of the same group.

With the IGMP report suppression function enabled, within a query interval the Layer 2 device forwards only the first IGMP report for a multicast group to the Layer 3 device and discards the remaining IGMP reports for the same multicast group.
Configuring IGMP-Related Functions

Enabling IGMP Snooping Querier

On a multicast network running IGMP, a Layer 3 multicast device may exist that serves as the IGMP querier responsible for sending IGMP query messages.

CAUTION:
■ An IGMP Snooping querier does not take part in IGMP querier election.
■ Configuring an IGMP Snooping querier on a multicast network that already runs IGMP is unnecessary. Moreover, it may adversely affect IGMP querier election, because IGMP elects the querier with the lowest IP address: if the source IP address of the general queries sent by the IGMP Snooping querier is lower than that of the real querier, the Layer 3 device may stop sending queries.
Configuring IGMP Timers

You can tune the IGMP general query interval based on the actual condition of the network.

Upon receiving an IGMP query (general query or group-specific query), a host starts a timer for each multicast group it has joined. This timer is initialized to a random value in the range of 0 to the maximum response time (the host obtains the value of the maximum response time from the Max Response Time field in the IGMP query it received). When the timer counts down to 0, the host sends an IGMP report for the corresponding multicast group.

An appropriate setting of the maximum response time for IGMP queries allows hosts to respond to queries quickly and avoids bursts of IGMP traffic on the network caused by reports sent simultaneously by a large number of hosts whose timers expire at the same time.
■ For IGMP general queries, you can configure the maximum response time to fill their Max Response Time field.
■ For IGMP group-specific queries, you can configure the IGMP last-member query interval to fill their Max Response Time field. Namely, for IGMP group-specific queries, the maximum response time equals the IGMP last-member query interval.

CAUTION: In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries.
Configuring Source IP Address of IGMP Queries

We recommend that you configure a valid IP address as the source IP address of IGMP queries to prevent some switches from automatically dropping messages whose source IP address is 0.0.0.0.

CAUTION: The source address of IGMP query messages may affect IGMP querier election within the segment.
Configuring the Function of Dropping Unknown Multicast Data

Unknown multicast data refers to multicast data for which no forwarding entries exist in the corresponding multicast forwarding table. Without this function, unknown multicast data is flooded to all ports in the VLAN, exactly as if IGMP Snooping were not running.

Follow these steps to configure the function of dropping unknown multicast data in a VLAN:
Configuring a Multicast Group Policy

Configuration Prerequisites

Before configuring a multicast group filtering policy, complete the following tasks:
■ Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface

Before configuring a multicast group filtering policy, prepare the following data:
Configuring a Multicast Group Filter

On an IGMP Snooping-enabled switch, configuring a multicast group filter allows the service provider to define limits on the multicast programs available to different users, so that different video on demand (VOD) users can be differentiated based on different program groups.

In actual application, when a user requests a multicast program, the user's host initiates an IGMP report. After the message reaches the switch, the switch checks the report against the ACL rule configured on the receiving port. If this port is allowed to join this multicast group, the switch adds this port to the IGMP Snooping multicast group list; otherwise the switch drops this report message. Thus, the multicast data will not be sent to this port. In this way, the service provider can control the VOD programs provided to multicast users.
Configuring Multicast Source Port Filtering

When enabled to filter multicast based on source ports, the switch filters multicast data received on the router ports.
Configuring Maximum Multicast Groups that Can Pass Ports

By configuring the maximum number of multicast groups that can pass a port or a group of ports, you can limit the number of multicast programs available to VOD users and thus control the port bandwidth.

When the number of multicast groups an Ethernet port has joined exceeds the configured maximum, the system deletes all IGMP Snooping entries related to that port and starts adding entries to the IGMP Snooping multicast group list afresh.
Follow these steps to configure the maximum number of multicast groups that can pass the port(s):

Table 245 Configuring Maximum Multicast Groups that Can Pass Ports

If you have configured a port as a static member port or enabled simulated host joining on it, the system deletes all IGMP Snooping entries related to that port and reapplies these configurations when the number of multicast groups the port has joined exceeds the configured maximum.
Configuring Multicast Group Replacement
In some cases, the number of multicast groups passing through a switch or Ethernet port may exceed the number configured for the switch or the port. To address this situation, you can enable the multicast group replacement function on the switch or on certain Ethernet ports. When the number of multicast groups an Ethernet port has joined exceeds the limit:
■ If multicast group replacement is enabled, the newly joined multicast group automatically replaces the existing multicast group with the lowest address.
■ If multicast group replacement is not enabled, new IGMP reports are automatically discarded.
Displaying and Maintaining IGMP Snooping
Table 248 Displaying and Maintaining IGMP Snooping

To do: View the information of multicast groups learned by IGMP Snooping
Command: display igmp-snooping group [ vlan vlan-id ] [ verbose ]
Remarks: Available in any view

To do: View the statistics information of IGMP messages learned by IGMP Snooping
Command: display igmp-snooping statistics
Remarks: Available in any view

To do: Clear IGMP Snooping entries
Command: reset igmp-snooping group { group-address | all } [ vlan vlan-id ]
Remarks: Available in user view

To do: Clear the statistics information of all kinds of IGMP messages learned by IGMP Snooping
Command: reset igmp-snooping statistics
Remarks: Available in user view
IGMP Snooping Configuration Examples
Network diagram
[Network diagram: Receiver Host A (1.1.1.1/24), Receiver Host C, GigabitEthernet 1/0/1, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4, multicast packets]
Configuration procedure
1 Configuring a VLAN
a Create VLAN 100.
<SwitchA> system-view
[SwitchA] vlan 100
b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/4 into VLAN 100.
[SwitchA-vlan100] port GigabitEthernet1/0/1 to GigabitEthernet1/0/4
[SwitchA-vlan100] quit
2 Enabling simulated host joining to a multicast source/group
a Enable IGMP Snooping in VLAN 100, and set its version to 3.
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] igmp-snooping version 3
[SwitchA-vlan100] quit
Network diagram
[Network diagram: Router B, GigabitEthernet 1/0/3, Receiver Host B, Host A, multicast packets]
Configuration procedure
1 Configuring a VLAN
a Create VLAN 100.
<SwitchA> system-view
[SwitchA] vlan 100
b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/4 into VLAN 100.
[SwitchA-vlan100] port GigabitEthernet1/0/1 to GigabitEthernet1/0/4
[SwitchA-vlan100] quit
2 Configuring a static router port
a Enable IGMP Snooping in VLAN 100.
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] quit
b Configure GigabitEthernet1/0/4 to be a static router port.
[SwitchA] interface GigabitEthernet1/0/4
[SwitchA-GigabitEthernet1/0/4] igmp-snooping static-router-port vlan 100
[SwitchA-GigabitEthernet1/0/4] quit
3 Verifying the configuration
a View the detailed information of the multicast group in VLAN 100.
[SwitchA] display igmp-snooping group vlan 100 verbose
Total 1 IP Group(s).
Total 1 IP Source(s).
Total 1 MAC Group(s).
Troubleshooting IGMP Snooping Configuration
Solution
1 Enter the display current-configuration command to view the running status
of IGMP Snooping.
2 If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally and then use the igmp-snooping enable command to enable IGMP Snooping in VLAN view.
3 If IGMP Snooping is disabled only for the corresponding VLAN, just use the
igmp-snooping enable command in VLAN view to enable IGMP Snooping in the
corresponding VLAN.
Configured Multicast Group Policy Fails to Take Effect
Symptom
Although a multicast group policy has been configured to allow hosts to join specific multicast groups, the hosts can still receive multicast data from groups other than these multicast groups.
Solution
1 Use the display acl command to check the configured ACL rule. Make sure that the ACL rule conforms to the multicast group policy to be implemented.
2 Use the display this command to check whether the multicast group policy has been applied. If not, use the igmp-snooping group-policy command to apply the multicast group policy.
3 Use the display current-configuration command to check whether the function of dropping unknown multicast data is enabled. If not, use the drop-unknown or igmp-snooping drop-unknown command to enable the function of dropping unknown multicast data.
4 Use the display igmp-snooping group command to check whether any port has
been configured as a static member port of any multicast group. If so, check whether this
configuration conflicts with the configured multicast group policy. If any conflict exists,
remove the configuration.
31 MULTICAST VLAN CONFIGURATION
Multicast VLAN
Based on the current multicast-on-demand mode, when users in different VLANs request the service, a multicast flow is duplicated in each VLAN. This mode wastes a great deal of bandwidth.
By configuring multicast VLAN, you can add switch ports to a multicast VLAN and enable
IGMP Snooping to allow users in different VLANs to share the same multicast VLAN, with
the multicast flow transferred in only one multicast VLAN, thus saving bandwidth.
As multicast VLAN is isolated from user VLANs, this guarantees both data security and
enough bandwidth. Therefore, the multicast VLAN function ensures continuous
transmission of multicast information flow to users.
CAUTION:
■ You cannot configure a multicast VLAN as a multicast sub-VLAN.
■ You cannot configure a multicast sub-VLAN as a multicast VLAN.
■ A multicast sub-VLAN can correspond to only one multicast VLAN.
■ If you have enabled multicast routing in the system by means of the
multicast-routing-enable command, you cannot configure the multicast
VLAN function.
Device ID | Device type | Port to configure | Device connected to the port | Description
Router A | Router | Ethernet0/0/0 | Switch B | Ethernet0/0/0 belongs to VLAN1024. Enable PIM SM and IGMP on Ethernet0/0/0.
Switch B | Layer 3 switch | GigabitEthernet1/0/1 | Router A | GigabitEthernet1/0/1 belongs to VLAN1024.
Switch B | Layer 3 switch | GigabitEthernet1/0/2 | Switch C | Configure GigabitEthernet1/0/2 as a TRUNK port belonging to VLAN1 through VLAN3.
Switch B | Layer 3 switch | GigabitEthernet1/0/3 | Switch D | Configure GigabitEthernet1/0/3 as a TRUNK port belonging to VLAN4 through VLAN6.
Switch C | Layer 2 switch | — | — | Connected to users belonging to VLAN1 through VLAN3, and configured to support IGMP Snooping
Switch D | Layer 2 switch | — | — | Connected to users belonging to VLAN4 through VLAN6, and configured to support IGMP Snooping
Network diagram
[Network diagram: Router A (Ethernet 0/0/0) connected to Layer 3 Switch B]
Configuration procedure
1 Configure Router A.
<Router-A> system-view
Enter system view, return to user view with Ctrl+Z
[Router-A] multicast routing-enable
[Router-A] interface Ethernet0/0/0
[Router-A-Ethernet0/0/0] pim sm
[Router-A-Ethernet0/0/0] igmp enable
[Router-A-Ethernet0/0/0] quit
[Router-A]
2 Configure Switch B.
<3Com> system-view
Enter system view, return to user view with Ctrl+Z
[3Com] igmp-snooping enable
[3Com] vlan 1024
[3Com-vlan1024] multicast-vlan enable
[3Com-vlan1024] quit
[3Com] multicast-vlan 1024 subvlan 1 to 6
32 ARP CONFIGURATION
When configuring ARP, go to these sections for information you are interested in:
■ ARP Overview
■ Configuring ARP
■ Configuring Gratuitous ARP
■ Displaying and Maintaining ARP
ARP Overview
Address resolution protocol (ARP) is used for resolution from IP address to MAC address. For a host on an Ethernet to send an IP packet to another host, it must know the MAC address of the latter. This is where ARP comes into play.
With ARP, each host on an Ethernet maintains an ARP mapping table to keep the IP
addresses and the corresponding MAC addresses of the hosts that it recently
communicated with. This table is empty whenever the host boots up.
As shown in Figure 101, the ARP protocol resolves an IP address in the following steps:
[Figure 101: Host A (192.168.1.1, MAC 0002-6779-0f4c) and Host B (192.168.1.2, MAC 00a0-2470-febd). ARP request: source MAC 0002-6779-0f4c, source IP 192.168.1.1, destination MAC 00a0-2470-febd, destination IP 192.168.1.2. ARP response: source MAC 00a0-2470-febd, source IP 192.168.1.2, destination MAC 0002-6779-0f4c, destination IP 192.168.1.1.]
1 When Host A wants to send an IP packet to Host B on the same segment, it looks in its
ARP mapping table to see whether there is a mapping entry for Host B. If it finds the
entry, it uses the MAC address in the entry to encapsulate the IP packet into a data link
layer frame and sends the frame to Host B.
2 If Host A finds no entry for Host B, it pushes the packet to the ARP outbound waiting
queue and creates an ARP request, which contains the IP address of Host B and the IP
address and MAC address of Host A. Then, it broadcasts the request on the Ethernet.
Since the ARP request is broadcast, all hosts on the Ethernet except for Host A will
receive the request. However, only the requested host (Host B) responds to the request.
3 Upon receiving the ARP request from Host A, Host B saves the IP address and MAC
address of Host A into its ARP mapping table, encapsulates its MAC address into an ARP
response, and unicasts the response to Host A.
4 After receiving the ARP response, Host A adds the MAC address and IP address of Host B
into its ARP mapping table, and sends all data packets for Host B in the waiting queue
out to Host B.
Configuring ARP
ARP entries fall into two categories: dynamic and static.
1 A dynamic entry is automatically created and maintained by the ARP protocol. It can get
aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When
the aging timer expires, the interface goes down, or the VLAN interface goes down, the
corresponding dynamic ARP entries will be removed.
2 A static ARP entry is configured and maintained manually. It can be permanent or
non-permanent.
■ A permanent static ARP entry can be directly used to forward data and never gets
aged or overwritten by a dynamic ARP entry. When configuring a permanent static
ARP entry, you must configure the IP address and MAC address, as well as the VLAN
and outbound interface for the entry.
■ A non-permanent static ARP entry is initially in the unresolved state and cannot be directly used to forward data. When configuring a non-permanent static ARP entry, you only need to configure the IP address and MAC address; the VLAN and outbound interface will be dynamically resolved by ARP packets. A resolved non-permanent static ARP entry can be used to forward data and does not get aged. When the interface or VLAN interface goes down, or a similar event occurs, the entry becomes unresolved again. Non-permanent static ARP entries are used primarily when IP and MAC binding is required.
By default, the ARP mapping table of a device is empty and ARP entries are added automatically by the ARP protocol. The ARP mapping table is usually maintained by the dynamic ARP protocol and requires manual configuration only in some special cases. In addition, the ARP mapping table is used within a LAN, and address resolution on a WAN depends on other configurations or methods, such as reverse address resolution of frame relay.
Adding a Static ARP Entry
Follow these steps to add a static ARP entry:
Table 251 Adding a Static ARP Entry
■ A static ARP mapping is effective when the device works normally. However, when
the VLAN or VLAN interface to which an ARP entry of a switch corresponds is deleted,
the entry is deleted accordingly.
■ The default active time of a dynamic ARP entry is 20 minutes.
■ The vlan-id argument is used to configure ARP entries on Ethernet switches and
must be the ID of an existing VLAN interface. In addition, the Ethernet interface
following the argument must belong to that VLAN.
Setting the Maximum Number of ARP Entries for a VLAN Interface
Follow these steps to set the maximum number of ARP entries that a VLAN interface can learn:
Table 252 Setting the Maximum Number of ARP Entries for a VLAN Interface
Setting the Aging Time for Dynamic ARP Entries
Follow these steps to set the aging time for dynamic ARP entries:
Table 253 Setting the Aging Time for Dynamic ARP Entries
Enabling ARP Entry Checking
The ARP entry checking function can prevent the device from learning multicast MAC addresses.
Configuring Gratuitous ARP
Introduction to Gratuitous ARP
Gratuitous ARP means that the device sends gratuitous ARP packets. Gratuitous ARP packets are a special kind of packet. The source IP address and destination IP address carried in such packets are both the address of the local device, the source MAC address is the MAC address of the local device, and the destination MAC address is the broadcast address.
With gratuitous ARP, a device can implement the following functions by sending
gratuitous ARP packets:
Through learning gratuitous ARP packets, the device implements the following
functions:
When the device receives a gratuitous ARP packet, it adds the information carried in the packet to its local dynamic ARP mapping table if no ARP entry in the cache corresponds to the packet.
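The following added example (not 3Com code) builds and parses the Ethernet/ARP frames of the exchange in Figure 101 and applies this chapter's definition of a gratuitous ARP packet to the learning rule just described. The frame layout is RFC 826 Ethernet/IPv4 ARP (the request carries an all-zero target MAC); the MAC and IP addresses are those of Figure 101, and the ArpTable class is constructed for illustration.

```python
"""Ethernet/ARP frame construction, parsing and table learning for the
Host A / Host B exchange of Figure 101. Constructed example, not 3Com code."""
import struct
from ipaddress import IPv4Address

BROADCAST_MAC = "ffff-ffff-ffff"
ZERO_MAC = "0000-0000-0000"        # unknown target MAC in a request
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def mac_to_bytes(mac):
    """Accept the guide's hhhh-hhhh-hhhh notation or colon notation."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bytes_to_mac(b):
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying a 28-byte Ethernet/IPv4 ARP packet.
    Requests are broadcast (step 2); replies are unicast to the requester (step 3)."""
    eth_dst = BROADCAST_MAC if op == OP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the frame's addresses and opcode as a dict; reject non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": str(IPv4Address(body[6:10])),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": str(IPv4Address(body[16:20])),
    }


def is_gratuitous(pkt):
    """The guide's definition: sender IP and target IP are both the sender's own
    address, the source MAC is the sender's MAC and the frame is broadcast."""
    return (pkt["sender_ip"] == pkt["target_ip"]
            and pkt["eth_src"] == pkt["sender_mac"]
            and pkt["eth_dst"] == BROADCAST_MAC)


class ArpTable:
    """A host's dynamic ARP mapping table (IP -> MAC)."""

    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.entries = {}

    def learn(self, frame):
        """Learn from requests and replies addressed to this host (steps 3 and 4),
        and from gratuitous ARP only when no entry for that IP exists yet."""
        pkt = parse_arp(frame)
        if is_gratuitous(pkt):
            self.entries.setdefault(pkt["sender_ip"], pkt["sender_mac"])
            return "gratuitous"
        if pkt["target_ip"] == self.my_ip:
            self.entries[pkt["sender_ip"]] = pkt["sender_mac"]
            return "learned"
        return "ignored"
```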
Displaying and Maintaining ARP
Table 256 Displaying and Maintaining ARP

To do: Display information about ARP entries in the ARP mapping table
Command: display arp { { all | static | dynamic } | vlan vlan-id | interface interface-type interface-number } [ [ | { begin | include | exclude } text ] | count ]
Remarks: Available in any view

To do: Display the ARP entries corresponding to the specified IP address
Command: display arp ip-address [ | { begin | include | exclude } text ]
Remarks: Available in any view

To do: Display the aging time for dynamic ARP entries
Command: display arp timer aging
Remarks: Available in any view

To do: Clear ARP entries from the ARP mapping table
Command: reset arp { all | dynamic | static | interface interface-type interface-number }
Remarks: Available in user view
33 PROXY ARP CONFIGURATION
When configuring proxy ARP, go to these sections for information you are interested in:
■ Proxy ARP Overview
■ Enabling Proxy ARP
■ Displaying and Maintaining Proxy ARP
Proxy ARP Overview
If a host in a network sends an ARP request to another host in the same network segment but not in the same physical network, the proxy-ARP-enabled device connecting the two hosts can respond to this ARP request. This process is named proxy ARP.
Proxy ARP includes normal proxy ARP and local proxy ARP.
In the same network segment, the hosts connected to different VLAN interfaces of the
device can use the normal proxy ARP function of the device to interwork with each other
through forwarding on Layer 3.
In the following case, the local proxy ARP function must be enabled to interwork
interfaces on Layer 3.
Through configuring the proxy-arp enable command, you can enable hosts
connected to different VLAN interfaces of the device to interwork with each other
through forwarding on Layer 3.
Displaying and Maintaining Proxy ARP
Table 258 Displaying and Maintaining Proxy ARP

To do: Display whether proxy ARP is enabled
Command: display proxy-arp [ interface interface-type interface-number ]
Remarks: Available in any view

To do: Display whether local proxy ARP is enabled
Command: display local-proxy-arp [ interface interface-type interface-number ]
Remarks: Available in any view
34 DHCP OVERVIEW
Introduction to DHCP
The fast expansion and growing complexity of networks result in scarce IP addresses assignable to hosts. Meanwhile, with the wide application of the wireless network, the frequent movement of laptops across the network requires that the IP addresses be changed accordingly. Therefore, related configurations on hosts become more complex.
Dynamic host configuration protocol (DHCP) was introduced to ease network
configuration by providing a framework for passing configuration information to hosts
on a TCP/IP network.
DHCP is built on a client-server model, in which the client sends a configuration request
and then the server returns a reply to send configuration parameters such as an IP
address to the client.
A typical DHCP application, as shown in Figure 102, includes a DHCP server and multiple
clients (PCs and laptops).
[Figure 102: a DHCP server and multiple clients on a LAN]
DHCP Address Allocation
Dynamic IP Address Allocation Procedure
For dynamic allocation, a DHCP client obtains an IP address from a DHCP server via four steps:
1 The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2 A DHCP server offers configuration parameters such as an IP address to the client in a
DHCP-OFFER message.
3 If several DHCP servers send offers to the client, the client accepts the first received offer,
and broadcasts it in a DHCP-REQUEST message to formally request the IP address.
4 All DHCP servers receive the DHCP-REQUEST message, but only the server to which the
client sent a formal request for the offered IP address returns a DHCP-ACK message to
the client confirming that the IP address has been allocated to the client, or returns a
DHCP-NAK unicast message denying the IP address allocation.
■ If the client receives the DHCP-ACK message, it will probe the IP address using
gratuitous ARP with destination address as the IP address assigned by the server to
check whether the IP address is in use. If the client receives no response within the
specified time, the client can use this IP address.
■ If there are multiple DHCP servers in the network, the IP addresses offered by other
DHCP servers are still assignable to other clients.
IP Address Lease Extension
The IP address dynamically allocated by a DHCP server to a client has a lease. After the lease duration elapses, the IP address will be reclaimed by the DHCP server. If the client wants to use the IP address again, it has to extend the lease duration.
After the half lease duration elapses, the DHCP client will send the DHCP server a
DHCP-REQUEST unicast message to extend the lease duration. Upon availability of the IP
address, the DHCP server returns a DHCP-ACK unicast confirming that the client’s lease
duration has been extended, or a DHCP-NAK unicast denying the request.
If the client receives the DHCP-NAK message, it will broadcast another DHCP-REQUEST message for lease extension after 7/8 of the lease duration elapses. The DHCP server handles the request as described above.
DHCP Message Format
The figure below gives the DHCP message format, which is based on the BOOTP message format and involves eight types. These types of messages have the same format except that some fields have different values. The numbers in parentheses indicate the size of each field in octets.
When configuring the DHCP relay agent, go to these sections for information you are
interested in:
■ Introduction to DHCP Relay Agent
■ Configuring the DHCP Relay Agent
■ Displaying and Maintaining the DHCP Relay Agent Configuration
■ DHCP Relay Agent Configuration Example
■ Troubleshooting DHCP Relay Agent Configuration
Introduction to DHCP Relay Agent
Application Environment
Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server must be available on each subnet, which is not practical.
DHCP relay agent solves the problem. Via a relay agent, DHCP clients communicate with
a DHCP server on another subnet to obtain configuration parameters. Thus, DHCP clients
on different subnets can contact the same DHCP server for ease of centralized
management and cost reduction.
No matter whether a relay agent exists or not, the DHCP server and client interact with
each other in a similar way (see Dynamic IP Address Allocation Procedure). The following
describes the forwarding process on the DHCP relay agent.
Configuring the DHCP Relay Agent
Configuration Task List
To configure the DHCP relay agent, complete the following tasks.
Table 259 Configuration Task List
Task | Remarks
Enabling DHCP | Required
Enabling the DHCP Relay Agent on Interfaces | Required
Correlating a DHCP Server Group with Relay Agent Interfaces | Required
Configuring the DHCP Relay Agent to Send the IP Address Release Request | Optional
Configuring the DHCP Relay Agent Security Functions | Optional
Configuring the DHCP Relay Agent to Support Option 82 | Optional
Enabling the DHCP Relay Agent on Interfaces
With this task completed, upon receiving a DHCP request from an enabled interface, the relay agent will forward the request to an outside DHCP server for address allocation.
To enable the DHCP relay agent on interfaces, use the following commands:
When a DHCP client obtains an IP address from a DHCP server through the DHCP relay, an IP address pool on the same network segment (network number and mask) as the IP address of the DHCP relay interface connecting the client must already have been configured on the DHCP server. Otherwise, the DHCP client cannot obtain a correct IP address.
Correlating a DHCP Server Group with Relay Agent Interfaces
To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives requesting messages from clients, the relay agent will forward them to all the DHCP servers of the group.
To correlate a DHCP server group with relay agent interfaces, use the following commands:
Table 262 Correlating a DHCP Server Group with Relay Agent Interfaces
■ You can specify up to twenty DHCP server groups on the relay agent.
■ You can configure up to eight DHCP servers for a server group.
■ The IP address of any DHCP server in a DHCP server group cannot be on the same
network segment with that of a DHCP relay interface connecting with DHCP clients;
otherwise, the DHCP clients may not be able to obtain IP addresses.
■ A DHCP server group can correlate with one or multiple DHCP relay agent interfaces,
while a relay agent interface can only correlate with one DHCP server group. Using
the dhcp relay server-select command repeatedly overwrites the previous
configuration. However, if the specified DHCP server group does not exist, the
interface still uses the previous correlation.
■ The group-id in the dhcp relay server-select command is the ID specified with the dhcp relay server-group command.
Configuring the Relay Agent to Forward a DHCP-Release Request
Sometimes, you need to release a client’s IP address manually on the DHCP relay agent. With this task completed, the DHCP relay agent can actively send a DHCP-RELEASE request that contains the client’s IP address to the DHCP server. The DHCP server then releases the IP address for the client.
Configure the release of a client’s IP address through the DHCP relay (in system view)
In system view, when you configure to release a client’s IP address through DHCP relay, if
you do not specify the IP address of the DHCP server, the DHCP relay will send a
DHCP-RELEASE request to the DHCP servers of DHCP server groups that correspond to all
interfaces working in the DHCP relay mode.
Table 263 Configure to release a client’s IP address through the DHCP relay (in system view)
Configure to release a client’s IP address through the DHCP relay (in interface view)
In interface view, when you configure to release a client’s IP address through DHCP relay,
if you do not specify a DHCP server, the DHCP relay will send a DHCP-RELEASE request to
all the DHCP servers of DHCP server group that correspond to the interface. If you specify
a DHCP server, the DHCP relay will send the DHCP-RELEASE request to the specified
DHCP server only.
Table 264 Configure to release a client’s IP address through the DHCP relay (in interface view)
Configuring the DHCP Relay Agent Security Functions
Creating static bindings and enabling invalid IP addresses check
The DHCP relay agent can dynamically record IP-to-MAC bindings after clients have obtained IP addresses. You can also create static bindings on the DHCP relay agent.
To avoid invalid IP address configuration, you can configure the DHCP relay agent to check whether a requesting client’s IP and MAC addresses match a binding on it (both dynamic and static bindings). If not, the client cannot access outside networks via the DHCP relay agent.
To create a static binding and enable invalid IP address check, use the following
commands:
Table 265 Creating static bindings and enabling invalid IP addresses check
The DHCP relay agent regularly sends a DHCP-REQUEST message using its own MAC address and a client’s IP address to the DHCP server. If the server returns a DHCP-ACK message, which means the client’s IP address is assignable now, the DHCP relay agent refreshes its bindings by aging out the binding entry of the client’s IP address. If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age the entry out.
With this task completed, upon receiving a DHCP-REQUEST message from a client, the DHCP relay agent records from the message the IP addresses of servers that have ever offered IP addresses to the client, together with the receiving interface address. The administrator can use this information to identify any pseudo DHCP servers.
With pseudo DHCP server detection enabled, the device records each DHCP server once. The administrator needs to identify pseudo DHCP servers from the records.
Option 82 has no unified definition. Its padding formats vary with vendors. Currently the device supports two padding formats: normal and verbose.
The padding contents for sub-options in the normal padding format are:
■ sub-option 1: padded with the number of the port that receives the DHCP client’s
request, and the number of the VLAN where the port belongs.
■ sub-option 2: padded with the MAC address of the interface that received the client’s
request.
The padding contents for sub-options in the verbose padding format are:
■ sub-option 1: padded with specified access node identifier, the type and number of
the port that receives the DHCP client’s request, and the number of the VLAN where
the port belongs.
■ sub-option 2: padded with the MAC address of the interface that received the client’s
request.
If a reply returned by the DHCP server contains option 82, the DHCP relay agent will
remove the option 82 before forwarding the reply to the client.
If a client’s requesting message... | Handling strategy | Padding format | The DHCP relay agent will...
has Option 82 | Drop | — | Drop the message.
has Option 82 | Keep | — | Forward the message without changing Option 82.
has Option 82 | Replace | Normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
has Option 82 | Replace | Verbose | Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
has no Option 82 | — | Normal | Forward the message after adding the Option 82 padded in normal format.
has no Option 82 | — | Verbose | Forward the message after adding the Option 82 padded in verbose format.
Prerequisites
You need to complete the following tasks before configuring the DHCP relay agent to support option 82:
■ Enabling DHCP
■ Enabling the DHCP relay agent on the specified interface
■ Configure network parameters for DHCP relay agent to ensure the route between the
DHCP relay and the DHCP server is reachable
■ To support option 82, you must perform related configurations on both the DHCP
server and relay agent. Since the DHCP server configuration varies with devices, it is
not mentioned here.
■ If the handling strategy of the DHCP relay agent is configured as replace, you need to
configure a padding format for option 82. If the handling strategy is keep or drop,
you need not configure any padding format.
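The following added example (not 3Com code) implements the Option 82 handling table above for a client request, plus the relay's removal of Option 82 from the server's reply. Option 82 and its sub-options 1 (circuit ID) and 2 (remote ID) use the RFC 3046 TLV encoding; the exact byte layout of the "normal" and "verbose" padding (VLAN, port number, node identifier) is a constructed assumption, since the guide names only the contents, and the function names are not the device's.

```python
"""DHCP relay agent Option 82 handling (drop / keep / replace / add) and
stripping on the reply path. Constructed example; byte layout of the padding
is assumed, not taken from the device."""
import struct

OPTION_RELAY_AGENT = 82
OPTION_END = 255
SUBOPT_CIRCUIT_ID = 1   # sub-option 1: port and VLAN information
SUBOPT_REMOTE_ID = 2    # sub-option 2: MAC address of the receiving interface


def encode_options(options):
    """Serialise [(code, value_bytes), ...] as DHCP TLVs, ending with 255."""
    out = bytearray()
    for code, value in options:
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPTION_END)
    return bytes(out)


def decode_options(data):
    """Parse DHCP option TLVs; stops at the end option, rejects truncation."""
    options, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPTION_END:
            return options
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options.append((code, value))
        i += 2 + length
    raise ValueError("missing end option")


def build_option82(fmt, vlan_id, port, mac, node_id=b"", port_type=b""):
    """Pad sub-options 1 and 2 as the guide describes.
    normal : sub-option 1 = port number + VLAN;  sub-option 2 = interface MAC.
    verbose: sub-option 1 = access node identifier + port type + port number + VLAN.
    Constructed layout: 2-byte VLAN, 1-byte port, raw 6-byte MAC."""
    if fmt == "normal":
        circuit = struct.pack("!HB", vlan_id, port)
    elif fmt == "verbose":
        circuit = node_id + b":" + port_type + struct.pack("!HB", vlan_id, port)
    else:
        raise ValueError("padding format must be normal or verbose")
    sub = struct.pack("!BB", SUBOPT_CIRCUIT_ID, len(circuit)) + circuit
    sub += struct.pack("!BB", SUBOPT_REMOTE_ID, len(mac)) + mac
    return sub


def relay_handle(options, strategy, fmt, **ctx):
    """Apply the handling table to a client request's option list.
    ctx carries vlan_id, port, mac (and node_id, port_type for verbose).
    Returns (action, options) where action is 'drop' or 'forward'."""
    has82 = any(code == OPTION_RELAY_AGENT for code, _ in options)
    if not has82:
        # No Option 82 in the request: add one in the configured padding format.
        return "forward", options + [(OPTION_RELAY_AGENT, build_option82(fmt, **ctx))]
    if strategy == "drop":
        return "drop", []
    if strategy == "keep":
        return "forward", options
    if strategy == "replace":
        new82 = build_option82(fmt, **ctx)
        return "forward", [(c, new82 if c == OPTION_RELAY_AGENT else v) for c, v in options]
    raise ValueError("strategy must be drop, keep or replace")


def strip_option82(options):
    """Reply path: the relay removes Option 82 before forwarding to the client."""
    return [(c, v) for c, v in options if c != OPTION_RELAY_AGENT]
```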
Displaying and Maintaining the DHCP Relay Agent Configuration
Table 270 Displaying and Maintaining the DHCP Relay Agent

To do: Display information about DHCP server groups correlated to a specified interface or all interfaces
Command: display dhcp relay { all | interface interface-type interface-number }
Remarks: Available in any view

To do: Display information about bindings of DHCP relay agents
Command: display dhcp relay security [ ip-address | dynamic | static ]
Remarks: Available in any view

To do: Display statistics information about bindings of DHCP relay agents
Command: display dhcp relay security statistics
Remarks: Available in any view

To do: Display information about the refreshing interval for entries of dynamic IP-to-MAC bindings
Command: display dhcp relay security tracker
Remarks: Available in any view

To do: Display information about the configuration of a specified or all DHCP server groups
Command: display dhcp relay server-group { group-id | all }
Remarks: Available in any view

To do: Display packet statistics on relay agent
Command: display dhcp relay statistics [ server-group { group-id | all } ]
Remarks: Available in user view

To do: Clear packet statistics from relay agent
Command: reset dhcp relay statistics [ server-group group-id ]
Remarks: Available in user view
Network diagram
[Network diagram: DHCP clients on an Ethernet attach to the DHCP relay’s Vlan-interface1 (10.10.1.1/24); the relay’s Vlan-interface2 (10.1.1.2/24) connects to the DHCP server (10.1.1.1/24) through an IP network]
Configuration procedure
1 Enable DHCP.
<Sysname> system-view
[Sysname] dhcp enable
2 Enable the DHCP relay agent on Vlan-interface1.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp select relay
[Sysname-Vlan-interface1] quit
3 Configure the DHCP server group 1 with the DHCP server 10.1.1.1, and correlate the
DHCP server group 1 to Vlan-interface1.
[Sysname] dhcp relay server-group 1 ip 10.1.1.1
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay server-select 1
■ Performing the configuration on the DHCP server is also required to guarantee the
client-to-server communication via the relay agent. Since the DHCP server
configuration varies with devices, it is not mentioned here.
■ In this example, the DHCP relay agent and server are on the same subnet. If they are
on different subnets, the routes in between must be reachable.
Troubleshooting DHCP Relay Agent Configuration
Symptom
DHCP clients cannot obtain any configuration parameters via the DHCP relay agent.
Analysis
Some problems may occur with the DHCP relay agent or server configuration. Enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information for locating the problem.
When configuring the DHCP client, go to these sections for information you are
interested in:
■ Introduction to DHCP Client
■ Enabling the DHCP Client on an Interface
■ Displaying and Maintaining the DHCP Client
■ DHCP Client Configuration Example
Introduction to DHCP Client
With the DHCP client enabled on an interface, the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server.
Enabling the DHCP Client on an Interface
Follow these steps to enable the DHCP client on an interface:
Table 271 Configuring DHCP Snooping
Displaying the DHCP Client
Table 272 Displaying DHCP Client

To do: Display the specified configuration information
Command: display dhcp client [ verbose ] [ interface interface-type interface-number ]
Remarks: Available in any view
[Figure 106: DHCP client switch and DHCP server on a LAN; VLAN-interface1, 10.1.1.1/25]
Configuration procedure
The following is the configuration on the client switch shown in Figure 106.
1 Enable the DHCP client on Vlan-interface1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address dhcp-alloc
To implement the DHCP client-server model, you need to perform related configuration
on the DHCP server. Since the DHCP server configuration varies with devices, it is not
mentioned here.
37 DHCP SNOOPING CONFIGURATION
■ DHCP Snooping does not support link aggregation. If an Ethernet port is added into an aggregation group, the DHCP Snooping configuration on it will not take effect. When the port is removed from the group, DHCP Snooping can take effect again.
■ The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server, and it can work when it is between the DHCP client and relay agent or between the DHCP client and server.
■ The DHCP Snooping enabled device cannot be a DHCP server, DHCP relay agent, DHCP client, or BOOTP client. Therefore, DHCP Snooping must be disabled on a DHCP server, DHCP relay agent, DHCP client, and BOOTP client.
DHCP Snooping Overview
Function of DHCP Snooping
DHCP snooping is a DHCP security feature for preventing DHCP clients from receiving IP
addresses provided by untrusted DHCP servers. It allows a device to:
■ Drop DHCP responses received on untrusted ports, preventing DHCP clients from
receiving IP addresses provided by untrusted DHCP servers.
■ Listen to DHCP-REQUEST and DHCP-ACK messages, record and maintain binding
information about MAC addresses of DHCP clients and the obtained IP addresses, so
that network administrators can easily see which IP addresses are assigned to the
DHCP clients.
How Does DHCP Snooping Work
On a network, DHCP servers fall into two categories: valid and invalid. With DHCP
snooping, the ports of a device are classified as either trusted or untrusted:
■ Trusted: A trusted port is connected to a valid DHCP server directly or indirectly. It
forwards DHCP messages normally, guaranteeing that DHCP clients can obtain valid
IP addresses.
■ Untrusted: An untrusted port is connected to an invalid DHCP server. The DHCP-ACK
or DHCP-OFFER packets received from the port are discarded, preventing DHCP
clients from receiving invalid IP addresses.
376 CHAPTER 37: DHCP SNOOPING CONFIGURATION
You must specify the ports connected to the valid DHCP servers as trusted to ensure that
DHCP clients can obtain valid IP addresses. The trusted port and the port connected to
the DHCP client must be in the same VLAN.
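The trusted/untrusted port decision and the MAC-to-IP binding table described above, modelled as an added example (not the switch's own code). Port names, VLAN, MAC and IP values are constructed; the trusted port GigabitEthernet1/0/1 follows the configuration example later in this chapter.

```python
from dataclasses import dataclass, field

# DHCP message type codes carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_TO_CLIENT = {OFFER, ACK, NAK}

@dataclass
class DhcpMessage:
    msg_type: int
    client_mac: str
    ingress_port: str         # port of the snooping device the message arrived on
    vlan: int
    yiaddr: str = "0.0.0.0"   # address offered or assigned by the server

@dataclass
class DhcpSnooping:
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # client MAC -> (IP, VLAN, client port)
    pending: dict = field(default_factory=dict)    # client MAC -> (client port, VLAN) from REQUEST
    log: list = field(default_factory=list)

    def trust(self, port):
        """Equivalent of 'dhcp-snooping trust' on the port facing the valid server."""
        self.trusted_ports.add(port)

    def process(self, msg):
        """Return 'forward' or 'drop' for one DHCP message, updating the binding table."""
        if msg.msg_type in SERVER_TO_CLIENT:
            # OFFER/ACK/NAK arriving on an untrusted port come from an untrusted server: discard
            if msg.ingress_port not in self.trusted_ports:
                self.log.append(f"dropped type {msg.msg_type} from untrusted {msg.ingress_port}")
                return "drop"
            if msg.msg_type == ACK and msg.client_mac in self.pending:
                client_port, client_vlan = self.pending.pop(msg.client_mac)
                # the trusted port and the client port must be in the same VLAN
                if client_vlan == msg.vlan:
                    self.bindings[msg.client_mac] = (msg.yiaddr, msg.vlan, client_port)
            return "forward"
        # client-to-server messages are forwarded; a REQUEST is remembered so that the
        # matching ACK can be turned into a MAC-to-IP binding entry
        if msg.msg_type == REQUEST:
            self.pending[msg.client_mac] = (msg.ingress_port, msg.vlan)
        return "forward"

def demo():
    """Constructed exchange on the topology of this chapter's configuration example."""
    snoop = DhcpSnooping()
    snoop.trust("GigabitEthernet1/0/1")
    client = "000f-e200-0001"   # constructed client MAC
    msgs = [
        DhcpMessage(DISCOVER, client, "GigabitEthernet1/0/2", 1),
        DhcpMessage(OFFER, client, "GigabitEthernet1/0/3", 1, "10.1.1.200"),  # untrusted server on a client port
        DhcpMessage(OFFER, client, "GigabitEthernet1/0/1", 1, "10.1.1.20"),
        DhcpMessage(REQUEST, client, "GigabitEthernet1/0/2", 1),
        DhcpMessage(ACK, client, "GigabitEthernet1/0/1", 1, "10.1.1.20"),
    ]
    return [snoop.process(m) for m in msgs], dict(snoop.bindings)

if __name__ == "__main__":
    print(demo())
```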
Displaying DHCP Snooping
Table 274 Displaying DHCP Snooping
To do: Display DHCP snooping address binding information
Use the command: display dhcp-snooping
Remarks: Available in any view
To do: Display information about trusted ports
Use the command: display dhcp-snooping trust
Remarks: Available in any view
Figure (network diagram for the configuration example; only the labels survive): DHCP Server, GE1/0/1, DHCP Snooping, GE1/0/2, GE1/0/3, DHCP Client, DHCP Client
Configuration procedure
1 Enable DHCP snooping.
<Sysname> system-view
[Sysname] dhcp-snooping
2 Specify GigabitEthernet1/0/1 as trusted.
[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping trust
All of the DHCP clients and DHCP servers must be configured for the DHCP clients to
obtain IP addresses. The configuration details, varying with the device type, are omitted
here.
38 BOOTP CLIENT CONFIGURATION
BOOTP Application
After you specify an interface of the device as a BOOTP client, the interface can use
BOOTP to get information (such as IP address) from the BOOTP server, which simplifies
your configuration.
Before using BOOTP, an administrator needs to configure a BOOTP parameter file for
each BOOTP client on the BOOTP server. The parameter file contains information such as
MAC address and IP address of a BOOTP client. When a BOOTP client originates a
request to the BOOTP server, the BOOTP server will search for the BOOTP parameter file
and return the corresponding configuration information.
Because you need to configure a parameter file for each client on the BOOTP server,
BOOTP usually runs under a relatively stable environment. If the network changes
frequently, dynamic host configuration protocol (DHCP) can be applied. For an
introduction to DHCP, refer to Chapter 1 DHCP Overview.
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to
configure IP address for the BOOTP client without any BOOTP server.
380 CHAPTER 38: BOOTP CLIENT CONFIGURATION
Obtaining an IP Address Dynamically
A DHCP server can take the place of the BOOTP server in the following dynamic IP
address acquisition.
A BOOTP client dynamically obtains an IP address from a BOOTP server in the following
ways:
1 The BOOTP client broadcasts a BOOTP request, which contains the BOOTP client’s MAC
address.
2 The BOOTP server receives the request and searches the configuration file for the
corresponding IP address according to the MAC address of the BOOTP client. The BOOTP
server then returns a BOOTP response to the BOOTP client.
3 The BOOTP client obtains the IP address from the received response.
Displaying BOOTP Client Configuration
Table 276 Displaying BOOTP Client Configuration
To do: Display related information on a BOOTP client interface
Use the command: display bootp client [ interface interface-type interface-number ]
Remarks: Available in any view
39 ACL OVERVIEW
ACL Overview
An access control list (ACL) is used primarily to identify traffic flows. To filter data
packets, a series of match rules must be configured on the network device to identify the
packets to be filtered. Once the specified packets are identified, the network device
permits or denies them according to the predefined policy.
ACLs classify packets based on a series of match conditions, which can be the source
addresses, destination addresses and port numbers carried in the packets.
The packet match rules defined by ACLs can be referenced by other functions that need
to differentiate traffic flows, such as the definition of traffic classification rules in QoS.
Time-Based ACL
A time range-based ACL enables you to apply ACL control to packets according to the
time range in which they arrive.
A time range can be specified in each rule in an ACL. If the time range specified in a rule
is not configured, the system will give a prompt message and allow such a rule to be
successfully created. However, the rule does not take effect immediately. It takes effect
only when the specified time range is configured and the system time is within the time
range. If you remove the time range of an ACL rule, the ACL rule becomes invalid the
next time the ACL rule timer refreshes.
IPv4 ACL Classification
IPv4 ACLs are numbered ACLs. Depending on the header fields used for filtering, they
fall into the following three types:
■ Basic ACL, based on source IP address.
■ Advanced ACL, based on source IP address, destination IP address, upper layer
protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields.
■ Ethernet frame header ACL, based on Layer 2 protocol header fields such as source
MAC address, destination MAC address, 802.1p priority, and link layer protocol type.
IPv4 ACL Match Order
Each ACL is a sequential collection of rules defined with different matching criteria. The
order in which a packet is matched against the rules may thus affect how the packet is
handled.
382 CHAPTER 39: ACL OVERVIEW
■ config: where rules are compared against in the order in which they are configured.
■ auto: where depth-first match is performed.
1 Sort rules first by the wildcard length of source IP address, with the one configured with
shorter wildcard being compared first.
2 When two rules with the same source IP address wildcard are present, the one with
shorter destination IP address wildcard is compared first.
3 If the lengths of their destination IP address wildcards are the same, the one configured
first is compared prior to the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to
the rule with the source IP address wildcard 0.0.255.255.
1 Sort rules first by the mask length of source MAC address, with the one configured with
longer mask length being compared first.
2 When two rules with the same source MAC address mask length are present, the one
with shorter destination MAC address mask length is compared prior to the other.
3 If the lengths of their destination MAC address masks are the same, the one configured
first is compared prior to the other.
For example, the rule with MAC address mask FFFF-FFFF-0000 is compared prior to the
rule with the source MAC address mask FFFF-0000-0000.
The display acl command displays ACL rules in their match order rather than the
configuration order.
The comparison of a packet against an ACL stops once a match is found. The packet is
then processed as per the rule.
IP Fragments Filtering with IPv4 ACL
Traditionally, an ACL checks only the first fragment of an IP packet rather than all of its
fragments, and all non-first fragments are handled the way the first fragment is handled.
This poses a security risk, as attackers may fabricate non-first fragments to attack your
network.
Note that ACL rules configured with the fragment keyword apply only to non-first
fragments, and those configured without the keyword apply to all packets (including first
fragments) except non-first fragments.
Among these rules, the first and the third rules apply only to non-first fragments, while
the second and the fourth apply to all packets except non-first fragments.
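The two match orders (config and depth-first auto, sorted by source wildcard, then destination wildcard, then configuration order) and the fragment keyword semantics described above, as an added example that is not the switch's own code. The rule set and the default action taken when no rule matches are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_length(wildcard):
    """Number of 'don't care' bits in a wildcard: 0.0.0.255 -> 8, 0.0.255.255 -> 16.
    The shorter wildcard (fewer 1 bits) is the more specific rule and is compared first."""
    return bin(int(ipaddress.IPv4Address(wildcard))).count("1")

@dataclass(frozen=True)
class Rule:
    rule_id: int                       # ascending rule_id is the configuration order here
    action: str                        # "permit" or "deny"
    source: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # any source
    dest: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # any destination
    fragment: bool = False             # True: rule carries the fragment keyword

def in_range(addr, network, wildcard):
    """True if addr matches network under the wildcard (1 bits in the wildcard are ignored)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def ordered(rules, match_order="config"):
    """Rules in the order they are compared: 'config' or depth-first 'auto'."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    # auto: shorter source wildcard first, then shorter destination wildcard, then config order
    return sorted(rules, key=lambda r: (wildcard_length(r.src_wild),
                                        wildcard_length(r.dst_wild), r.rule_id))

def lookup(rules, src, dst, non_first_fragment=False, match_order="config"):
    """(action, rule_id) of the first matching rule; comparison stops at the first match.
    When nothing matches, ("permit", None) is returned here (an assumed default)."""
    for r in ordered(rules, match_order):
        # rules with the fragment keyword apply only to non-first fragments;
        # rules without it apply to every packet except non-first fragments
        if r.fragment != non_first_fragment:
            continue
        if in_range(src, r.source, r.src_wild) and in_range(dst, r.dest, r.dst_wild):
            return r.action, r.rule_id
    return "permit", None

# constructed rule set: a /16 permit configured before a more specific /24 deny
RULES = [
    Rule(0, "permit", "10.1.0.0", "0.0.255.255"),
    Rule(5, "deny", "10.1.1.0", "0.0.0.255"),
    Rule(10, "deny", fragment=True),   # non-first fragments from any source
]

if __name__ == "__main__":
    print([r.rule_id for r in ordered(RULES, "auto")])                   # [5, 0, 10]
    print(lookup(RULES, "10.1.1.7", "192.168.1.2"))                      # ('permit', 0)
    print(lookup(RULES, "10.1.1.7", "192.168.1.2", match_order="auto"))  # ('deny', 5)
```

Under config order the broad permit wins; under auto order the same packet hits the more specific deny first, which is why display acl shows rules in match order.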
IPv4 ACL Creation
An IPv4 ACL consists of a set of rules. Before you can configure ACL rules, you must first
create an IPv4 ACL.
CAUTION: On the Switch 4500G, the start time of an absolute time range cannot be
earlier than 1970/1/1 00:00 and the end time of an absolute time range cannot be later
than 2100/12/31 24:00.
If only a periodic time section is defined in a time range, the time range is active only
within the defined periodic time section.
If only an absolute time section is defined in a time range, the time range is active only
within the defined absolute time section.
386 CHAPTER 40: IPV4 ACL CONFIGURATION
If both a periodic time section and an absolute time section are defined in a time range,
the time range is active only when the periodic time range and the absolute time range
are both matched. Assume that a time range defines an absolute time section from
00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from
12:00 to 14:00 every Wednesday. This time range is active only from 12:00 to 14:00
every Wednesday in 2004.
If the start time is specified, the time range starts on the current date and ends on the
end date.
If the end date is not specified, the time range is from the date of configuration till the
largest date available in the system.
Configuration Example
1 Create a time range that spans from 8:00 to 18:00 every working day.
<3Com> system-view
[3Com] time-range test 8:00 to 18:00 working-day
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day
2 Create an absolute time range that spans from 15:00 2000/1/28 to 15:00 2004/1/28.
<3Com> system-view
[3Com] time-range test from 15:00 2000/1/28 to 15:00 2004/1/28
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
from 15:00 1/28/2000 to 15:00 1/28/2004
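How a time range with a periodic section, an absolute section, or both is evaluated, reproducing the Inactive state that display time-range reports at the clock reading shown above (13:27:32 on Saturday 4/16/2005) and the Wednesday-in-2004 case discussed earlier. This is an added example, not the switch's own code; the handling of an empty time range is an assumption.

```python
from datetime import datetime, time

WORKING_DAYS = {0, 1, 2, 3, 4}   # Monday..Friday as returned by datetime.weekday()

class TimeRange:
    """periodic: (start, end, weekdays); absolute: (start_datetime, end_datetime). Either may be None."""
    def __init__(self, name, periodic=None, absolute=None):
        self.name, self.periodic, self.absolute = name, periodic, absolute

    def is_active(self, now):
        """Active only when every defined section matches; with both defined, both must match."""
        if self.periodic is None and self.absolute is None:
            return False   # assumption: an empty time range is treated as inactive
        if self.periodic is not None:
            start, end, days = self.periodic
            if now.weekday() not in days or not (start <= now.time() <= end):
                return False
        if self.absolute is not None:
            start_dt, end_dt = self.absolute
            if not (start_dt <= now <= end_dt):
                return False
        return True

    def display(self, now):
        """The state line of 'display time-range' for a given (constructed) clock reading."""
        state = "Active" if self.is_active(now) else "Inactive"
        return f"Time-range : {self.name} ( {state} )"

# the clock reading shown in the configuration example: 13:27:32 4/16/2005, a Saturday
EXAMPLE_NOW = datetime(2005, 4, 16, 13, 27, 32)

def example_states():
    periodic = TimeRange("test", periodic=(time(8, 0), time(18, 0), WORKING_DAYS))
    absolute = TimeRange("test", absolute=(datetime(2000, 1, 28, 15, 0),
                                           datetime(2004, 1, 28, 15, 0)))
    # the combined case: 12:00 to 14:00 every Wednesday (weekday 2), during 2004 only
    both = TimeRange("wed", periodic=(time(12, 0), time(14, 0), {2}),
                     absolute=(datetime(2004, 1, 1, 0, 0), datetime(2004, 12, 31, 23, 59)))
    return (periodic.display(EXAMPLE_NOW),                   # Saturday: Inactive
            absolute.display(EXAMPLE_NOW),                   # 2005 is past the end date: Inactive
            both.is_active(datetime(2004, 6, 16, 13, 0)),    # Wednesday in 2004: True
            both.is_active(datetime(2005, 6, 15, 13, 0)))    # Wednesday outside 2004: False

if __name__ == "__main__":
    print(example_states())
```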
Configuring a Basic IPv4 ACL
Basic IPv4 ACLs filter packets based on source IP address. They are numbered in the
range 2000 to 2999.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command
first.
■ If you do not specify a rule ID, a new rule is created and the system automatically
assigns it an ID as follows: the smallest multiple of step-value that is greater than the
largest ID of the existing rules. For example, suppose the step-value is 5 and the largest
ID of the existing rules is 28; if you do not specify an ID when defining a rule, the system
automatically assigns ID 30 to the rule.
■ The system will insert a newly created rule between existing rules in depth-first order,
without changing the ID of any rule.
CAUTION:
■ You can modify the match order of an ACL only when it does not contain any rules.
■ You can use the rule comment command only for existing ACL rules.
Configuration Example
1 Create IPv4 ACL 2000 to deny the packets with the source address 1.1.1.1 to pass.
<3Com> system-view
[3Com] acl number 2000
[3Com-acl-basic-2000] rule deny source 1.1.1.1 0
2 Verify the configuration.
[3Com-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule,
Acl’s step is 5
rule 0 deny source 1.1.1.1 0 (0 times matched)
Configuring an Advanced IPv4 ACL
Advanced IPv4 ACLs filter packets based on source IP address, destination IP address,
upper-layer protocol carried over IP, and other protocol header fields, such as the
TCP/UDP source port, TCP/UDP destination port, TCP flags, ICMP message type, and ICMP
message code.
In addition, advanced ACLs allow you to filter packets based on three priority criteria:
type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Advanced ACLs are numbered in the range 3000 to 3999. Compared to basic ACLs, they
allow more flexible and accurate filtering.
■ When you configure both IP priority and ToS priority for a rule, both priorities are
valid.
■ When you configure both IP/ToS priority and DSCP for a rule, only DSCP is valid.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command
first.
■ The system will insert a newly created rule between existing rules in depth-first order,
without changing the ID of any rule.
CAUTION:
■ You can modify the match order of an ACL only when it does not contain any rules.
■ You can use the rule comment command only for existing ACL rules.
Configuration Example
1 Create IPv4 ACL 3000 to permit TCP packets with port number 80 sent from 129.9.0.0
to 202.38.160.0.
<3Com> system-view
[3Com] acl number 3000
[3Com-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq 80
2 Verify the configuration.
[3Com-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule,
Acl’s step is 5
rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0
0.0.0.255 destination-port eq www (0 times matched)
Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs filter packets based on Layer 2 protocol header fields such
as source MAC address, destination MAC address, 802.1p priority, and link layer protocol
type. They are numbered in the range 4000 to 4999.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command
first.
CAUTION:
■ You can modify the match order of an ACL only when it does not contain any rules.
■ You can use the rule comment command only for existing ACL rules.
Configuration Example
1 Create IPv4 ACL 4000 to deny frames with the 802.1p priority of 3.
<3Com> system-view
[3Com] acl number 4000
[3Com-acl-ethernetframe-4000] rule deny cos 3
2 Verify the configuration.
[3Com-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule,
Acl’s step is 5
rule 0 deny cos excellent-effort(0 times matched)
Displaying and Maintaining IPv4 ACLs
Table 281 Displaying and Maintaining IPv4 ACLs
To do: Display information about a specified or all IPv4 ACLs
Use the command: display acl { all | acl-number }
Remarks: Available in any view
To do: Display the configuration and state of a specified or all time ranges
Use the command: display time-range { all | time-name }
Remarks: Available in any view
To do: Clear the statistics about the specified or all ACLs
Use the command: reset acl counter { all | acl-number }
Remarks: Available in user view
IPv4 ACL Configuration Example
Network Requirements
Different departments of an enterprise are interconnected on the intranet through the
ports of a switch. The IP address of the wage query server is 192.168.1.2. Devices of the
R&D department are connected to the GigabitEthernet1/0/1 port of the switch. Apply an
ACL to deny requests sourced from the R&D department and destined for the wage
server during the working hours (8:00 to 18:00).
Figure (network diagram; only the labels survive): To a router, Salary server 192.168.1.2, Switch ports #1, #2, #3, R&D Department
Configuration Procedure
1 Create a time range for office hours
a Create a periodic time range spanning 8:00 to 18:00 in working days.
<3Com> system-view
[3Com] time-range trname 8:00 to 18:00 working-day
2 Define an ACL to control accesses to the salary server
a Create and enter the view of advanced IPv4 ACL 3000.
[3Com] acl number 3000
b Create a rule to control accesses of the R&D Department to the salary server.
[3Com-acl-adv-3000] rule 0 deny ip source any destination 192.168.1.2
0.0.0.0 time-range trname
[3Com-acl-adv-3000] quit
Introduction
Quality of Service (QoS) is a concept that applies wherever a supply-demand relation for
services exists. QoS measures the ability to meet the service needs of customers.
Generally, the evaluation does not give a precise grade; its purpose is to analyze the
conditions under which the services are good and those under which they still need
improvement, so that specific improvements can be implemented.
On the Internet, QoS measures the ability of the network to deliver packets. QoS can be
evaluated from different aspects because the network provides diversified services.
Generally speaking, QoS is the evaluation of the network's ability to support key indexes
such as delay, delay jitter, and packet loss rate in packet delivery.
Traditional Packet Delivery Service
The traditional IP network treats all packets equally. The switch adopts the first in first
out (FIFO) policy in packet processing and assigns the resources necessary for packet
forwarding according to the arrival time of the packet. All packets share the network
and router resources. The resources a packet can get depend entirely on when it
happens to arrive.
This service policy is called Best-Effort. The switch makes its best effort to deliver the
packets to the destination but it cannot provide any guarantee for delay, delay jitter,
packet loss rate, and reliability in packet delivery.
The traditional Best-Effort service policy is only applicable to services such as WWW, FTP,
and E-mail, which are not sensitive to the bandwidth and the delay performance.
New Requirements Brought forth by New Services
With the fast development of computer networks, more and more networks are
connected to the Internet. The Internet is extending very quickly in scale, coverage and
number of users. More and more users use the Internet as a platform for data
transmission and develop various applications on it.
Besides traditional applications such as WWW, E-mail, and FTP, Internet users also try to
develop new services on Internet, such as tele-education, tele-medicine, video phones,
video conferencing, and video on demand (VOD). Enterprise users also hope to connect
their branch offices in different locations through the VPN technology to develop some
transaction applications, such as to access to the database of the company or to manage
remote switches through Telnet.
396 CHAPTER 41: QOS OVERVIEW
The new services have one thing in common: they all have special requirements for
delivery performances such as bandwidth, delay, and delay jitter. For example, video
conferencing and VOD require the guarantee of high bandwidth, low delay and low
delay jitter. Some key services such as the transaction handling and the Telnet do not
necessarily require high bandwidth but they are highly dependent on low delay and need
to be processed preferentially in case of congestion.
The emergence of new services brings forward higher requirements for the service
capability of the IP network. In the delivery process, users hope to get better services,
such as dedicated bandwidth for users, reduced packet loss rate, management and
avoidance of network congestion, control of network traffic, provision of packet priority,
and so on, instead of just having packets delivered to the destination. To meet these
requirements, the network service capability needs to be further improved.
Occurrence and Influence of Congestion and the Countermeasures
QoS issues that traditional networks face are mainly caused by congestion. Congestion
means a reduced service rate and extra delay, introduced because the provisioned
resources are relatively insufficient.
Figure (only the labels survive; link rates 1000M and 100M): Traffic congestion on interfaces of different rates; Traffic congestion on interfaces of the same rates
1 Packets enter a router over a high-speed link and are forwarded out over a low-speed
link.
2 Packets enter a router through multiple interfaces of the same rate at the same time and
are forwarded out on an interface of the same rate.
If the traffic arrives at the wire speed, the traffic will encounter the bottleneck of
resources and congestion occurs.
Besides bandwidth bottleneck, any insufficiency of resources for packet forwarding, such
as insufficiency of assignable processor time, buffer size, and memory resources can
cause congestion. In addition, congestion will also occur if the traffic that arrives within a
certain period of time is improperly controlled and the traffic goes beyond the assignable
network resources.
Countermeasures
Increasing network bandwidth is a direct way to solve the problem of resource
insufficiency, but it cannot solve all the problems that cause network congestion.
A more effective way to solve network congestion problems is to enhance the function
of the network layer in traffic control and resource assignment, to provide differentiated
services for different requirements, and to assign and utilize resources correctly. In the
process of resource assignment and traffic control, the direct or indirect factors that may
cause network congestion must be properly controlled so as to reduce the probability of
congestion. When congestion occurs, the resource assignment should be balanced
according to the features and requirements of all the services to minimize the influence
of congestion on QoS.
Major Traffic Management Techniques
Traffic classification, traffic policing (TP), traffic shaping (TS), congestion management,
and congestion avoidance are the foundation for providing differentiated services. Their
main functions are as follows:
■ Traffic classification: Identifies packets according to certain match rules. Traffic
classification is the prerequisite of providing differentiated services.
■ TP: Monitors and controls the specifications of specific traffic entering the device.
When the traffic exceeds the threshold, restrictive or punitive measures can be taken
to protect the business interests and network resources of the operator from being
damaged.
■ Congestion management: Congestion management is necessary for solving resource
competition. Congestion management is generally to cache packets in the queues
and arrange the forwarding sequence of the packets based on a certain scheduling
algorithm.
■ Congestion avoidance: Excessive congestion will impair the network resources.
Congestion avoidance is to supervise the network resource usage. When it is found
that congestion is likely to become worse, the congestion avoidance mechanism will
drop packets and regulate traffic to solve the overload of the network.
■ TS: TS is a traffic control measure to regulate the output rate of the traffic actively. TS
regulates the traffic to match the network resources that can be provided by the
downstream devices so as to avoid unnecessary packet loss and congestion.
Among the traffic management techniques, traffic classification is the basis because it
identifies packets according to certain match rules, which is the prerequisite of providing
differentiated services. TP, TS, congestion management, and congestion avoidance
control network traffic and assigned resources from different approaches, and are the
concrete ways of providing differentiated services.
■ Traffic classification
■ Access control
■ TP
■ Congestion management
Traffic Classification
Traffic classification identifies packets that conform to certain characteristics according to
certain rules. It is the basis and prerequisite for providing differentiated services.
A traffic classification rule can use the precedence bits in the type of service (ToS) field of
the IP packet header to identify traffic with different precedence characteristics. A traffic
classification rule can also classify traffic according to the traffic classification policy set by
the network administrator, such as the combination of source addresses, destination
addresses, MAC addresses, IP protocol or the port numbers of the applications. Traffic
classification is generally based on the information in the packet header and rarely based
on the content of the packet. The classification result can be of any granularity: it can be
a small range specified by a quintuplet (source address, source port number, protocol
number, destination address, and destination port number), or all the packets to a certain
network segment.
Generally, the precedence bits in the ToS field of the packet header are set when
packets are classified at the network border. Thus, IP precedence can be used directly as
the classification criterion inside the network. Queue techniques can also process packets
differently according to IP precedence. The downstream network can either accept the
classification results of the upstream network or re-classify the packets according to its
own criterion.
As shown in the figure above, the ToS field in the IP header contains 8 bits, which are
described as follows:
RFC 2474 redefines the ToS field in the IP packet header as the DS field. The first six bits
of the DS field carry the DSCP precedence, in the value range of 0 to 63. The last two bits
(bit 6 and bit 7) are reserved.
2 802.1p priority
802.1p priority lies in the layer 2 packet header. It is suitable for occasions where it is not
necessary to analyze the Layer 3 packet headers and QoS is needed in Layer 2.
Figure 111 The format of an Ethernet frame with an 802.1Q tag header
As shown in the figure above, each host supporting 802.1Q protocol adds a 4-bit
802.1Q tag header after the source address in the original Ethernet frame header when
sending a packet.
The 4-bit 802.1Q tag header contains a 2-bit Tag Protocol Identifier (TPID) whose value is
8100 and a 2-bit Tag Control Information (TCI). TPID is a new type defined by IEEE to
indicate a packet with a 802.1Q tag. The following figure shows the detailed contents of
an 802.1Q tag header.
In the figure above, the 3-bit Priority field in the TCI byte is the 802.1p priority, in the
value range of 0 to 7. These three bits represent the priority of the frame. There are a
total of eight priority levels to determine which packet is to be sent in priority when
congestion occurs to the switch. These precedence levels fall in 802.1p priority because
the applications related to these precedence levels are all defined in detail in the 802.1p
specification.
Introduction to TP
If the traffic from users is not limited, a large amount of continuous burst packets will
result in worse network congestion. The traffic of users must be limited in order to make
better use of the limited network resources and provide better service for more users. For
example, if a traffic flow obtains only the resources committed to it within a certain
period of time, network congestion due to excessive burst traffic can be avoided.
TP is a set of traffic control policies that limit traffic and its resource usage by supervising
the traffic specification. When TP is implemented, the regulation policy is applied
according to the evaluation result, that is, according to whether the traffic exceeds the
specification. Generally, the token bucket algorithm is adopted to evaluate the traffic
specification.
Figure (token bucket evaluation; only the labels survive): Packet to be sent via this interface; Classify; Token bucket; Continue to send on this interface; Drop
The evaluation of the traffic specification is based on whether the number of tokens in
the bucket can meet the need of packet forwarding. If the number of tokens in the
bucket is enough for forwarding the packets, the traffic is compliant with the
specification; otherwise the traffic is incompliant with, or in excess of, the specification.
■ Average rate: The rate at which tokens are put into the bucket, namely, the average
rate of permitted traffic flows. It is typically set to the committed information rate
(CIR).
■ Burst size: The capacity of the token bucket, namely, the maximum traffic size that is
permitted in each burst. It is typically set to the committed burst size (CBS). The set
burst size must be bigger than the maximum packet length.
TP
A typical application of TP is to supervise the specification of a certain traffic flow into the
network and limit the specification within a reasonable range, or to punish the traffic in
excess. Thus, the network resources and the interests of the carriers are protected. For
example, you can limit the bandwidth usage of HTTP packets to 50% of the network
bandwidth. If the traffic of a certain connection is in excess, TP can choose either to drop
packets or to reset the priority of the packets.
TP is widely used to police the traffic entering an Internet service provider (ISP) network.
In addition, TP can classify the policed traffic and perform pre-defined policing actions
according to different evaluation results. These actions include:
Introduction to LR
You can use line rate (LR) to limit the total rate at which packets (including urgent
packets) are sent on a physical interface.
LR also uses token buckets for traffic control. If LR is enabled on an interface of the
device, all packets sent via this interface are first processed by the LR token bucket. If the
token bucket has enough tokens, the packets can be sent. Otherwise, the packets enter
QoS queues for congestion management. Thus, traffic via this physical interface is
controlled.
402 CHAPTER 41: QOS OVERVIEW
Buffer
Because the token bucket is adopted for traffic control, when the token bucket has
tokens, burst transmission of packets is allowed; when the token bucket does not have
tokens, packets cannot be sent until new tokens are created in the token bucket. Thus,
the traffic of packets cannot be bigger than the rate of creating tokens, so the traffic is
limited and burst traffic is permitted.
Compared with TP, LR controls packets sent via physical interfaces. When you just want
to limit the rate of all packets, LR is simpler than TP.
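The token bucket evaluation that both TP and LR rely on (average rate CIR, burst size CBS, and the rule that CBS must exceed the maximum packet length), with TP dropping or re-marking excess packets and LR queueing them for congestion management instead. This is an added example, not the switch's implementation; the CIR, CBS, packet sizes and the re-mark value are constructed.

```python
from collections import deque

class TokenBucket:
    """Tokens (bytes) are added at the average rate cir (bytes/s), up to the burst size cbs (bytes)."""
    def __init__(self, cir, cbs):
        if cir <= 0 or cbs <= 0:
            raise ValueError("cir and cbs must be positive")
        self.cir, self.cbs = cir, cbs
        self.tokens = float(cbs)   # the bucket starts full, so an initial burst is permitted
        self.last = 0.0

    def conforms(self, size, now):
        """True (and tokens consumed) if the packet fits the specification; False otherwise."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir)
        self.last = now
        if size > self.cbs:
            return False   # never enough tokens: CBS must exceed the maximum packet length
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def police(bucket, packets, exceed_action="drop"):
    """TP: packets are (timestamp, size, priority) tuples; returns (result, priority) per packet."""
    out = []
    for ts, size, prio in packets:
        if bucket.conforms(size, ts):
            out.append(("pass", prio))
        elif exceed_action == "drop":
            out.append(("drop", prio))
        else:
            out.append(("pass", 0))   # re-mark: excess traffic sent with priority 0 (assumed value)
    return out

def line_rate(bucket, packets):
    """LR: packets that get no tokens are queued for congestion management, not dropped."""
    sent, queue = [], deque()
    for ts, size, _ in packets:
        if bucket.conforms(size, ts):
            sent.append(ts)
        else:
            queue.append((ts, size))
    return sent, list(queue)

# constructed flow against CIR 1000 bytes/s, CBS 1500 bytes: a 2-packet burst at t=0,
# a refill after one second, then a packet larger than the burst size
PACKETS = [(0.0, 1000, 5), (0.0, 1000, 5), (1.0, 1000, 5), (1.0, 600, 5), (2.0, 2000, 5)]

if __name__ == "__main__":
    print(police(TokenBucket(1000, 1500), PACKETS))
    print(police(TokenBucket(1000, 1500), PACKETS, exceed_action="remark"))
    print(line_rate(TokenBucket(1000, 1500), PACKETS))
```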
LR Configuration
LR Configuration Procedure
Configuring LR limits the rate of inbound or outbound packets on physical interfaces.
Overview
A QoS policy includes three elements: class, traffic behavior, and policy. You can bind a
specified class to a specified traffic behavior through a QoS policy to simplify QoS
configuration.
Class
Class is used for identifying traffic.
The elements of a class include the class name and classification rules.
You can use commands to define a series of rules to classify packets. Additionally, you
can use commands to define the relationship among classification rules: and or or.
■ and: The device considers a packet to be of a specific class when the packet matches
all the specified classification rules.
■ or: The device considers a packet to be of a specific class when the packet matches any
one of the specified classification rules.
Traffic behavior
Traffic behavior is used to define all the QoS actions performed on packets.
The elements of a QoS behavior include traffic behavior name and actions defined in
traffic behavior.
Policy
Policy is used to bind the specified class to the specified traffic behavior.
The elements of a policy include the policy name and the name of the
classification-to-behavior binding.
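The class, traffic behavior and policy elements described above, driven by the 802.1p priority and DSCP/IP precedence fields extracted from a tagged frame as explained in the traffic classification section, as an added example that is not the switch's own code. The frames, class names, behaviors and the rule that the first matching binding decides are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
# if-match criterion name -> key produced by parse_frame
FIELD_OF = {"dot1p": "dot1p", "dscp": "dscp", "ip-precedence": "ip_precedence",
            "customer-vlan-id": "vlan"}

def parse_frame(frame):
    """QoS-relevant header fields of an Ethernet frame; dot1p/vlan are None if untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    fields = {"dst_mac": frame[:6].hex("-", 2), "src_mac": frame[6:12].hex("-", 2),
              "dot1p": None, "vlan": None, "dscp": None, "ip_precedence": None}
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        fields["dot1p"] = tci >> 13         # 3-bit Priority field of the TCI (0..7)
        fields["vlan"] = tci & 0x0FFF       # 12-bit VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype == ETHERTYPE_IPV4:
        tos = frame[offset + 1]             # ToS/DS byte follows the version/IHL byte
        fields["dscp"] = tos >> 2           # first six bits of the DS field (0..63)
        fields["ip_precedence"] = tos >> 5  # IP precedence: top three bits (0..7)
    return fields

class QosClass:
    """A class: name, 'and'/'or' operator and a list of (criterion, values) match rules."""
    def __init__(self, name, operator="and", rules=()):
        self.name, self.operator, self.rules = name, operator, list(rules)

    def _rule_matches(self, criterion, values, fields):
        if criterion == "any":
            return True
        if criterion == "destination-mac":
            return fields["dst_mac"] == values
        return fields[FIELD_OF[criterion]] in values   # list-valued criteria

    def matches(self, fields):
        results = [self._rule_matches(c, v, fields) for c, v in self.rules]
        return all(results) if self.operator == "and" else any(results)

class QosPolicy:
    """Binds classes to behaviors; the first matching binding decides (an assumption here)."""
    def __init__(self, name):
        self.name, self.bindings = name, []

    def classifier_behavior(self, qos_class, behavior):
        self.bindings.append((qos_class, behavior))

    def apply(self, frame):
        fields = parse_frame(frame)
        for qos_class, behavior in self.bindings:
            if qos_class.matches(fields):
                return qos_class.name, behavior
        return None, {}

def build_frame(dst_mac, src_mac, vlan, pcp, tos):
    """Constructed 802.1Q-tagged IPv4 frame: headers only, enough for classification."""
    macs = bytes.fromhex(dst_mac.replace("-", "")) + bytes.fromhex(src_mac.replace("-", ""))
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    ip_header = bytes([0x45, tos]) + struct.pack("!H", 20) + bytes(16)  # minimal 20-byte header
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_header

def demo():
    """Constructed policy: voice by 802.1p or DSCP; an R&D VLAN by VLAN ID and IP precedence."""
    voice = QosClass("voice", "or", [("dot1p", [5, 6]), ("dscp", [46])])
    rnd = QosClass("rnd-vlan", "and", [("customer-vlan-id", [10]), ("ip-precedence", [0, 1])])
    policy = QosPolicy("edge")
    policy.classifier_behavior(voice, {"remark": {"dot1p": 7}})
    policy.classifier_behavior(rnd, {"car": {"cir": 1000, "cbs": 1500}})
    dst, src = "000f-e200-0001", "000f-e200-0002"
    frames = [build_frame(dst, src, vlan=10, pcp=0, tos=0xB8),   # DSCP 46, precedence 5
              build_frame(dst, src, vlan=10, pcp=0, tos=0x20),   # DSCP 8, precedence 1
              build_frame(dst, src, vlan=20, pcp=3, tos=0x20)]   # matches neither class
    return [policy.apply(f) for f in frames]

if __name__ == "__main__":
    print(demo())
```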
Introducing Each QoS Policy
Table 283 Introduce each QoS policy
Policy: Accounting. Class: use the if-match match-criteria command to define a required class. Command: accounting
Policy: CAR (traffic policing). Class: use the if-match match-criteria command to define a required class. Command: car
Policy: Traffic filtering. Class: use the if-match match-criteria command to define a required class. Command: filter
Policy: Traffic mirroring. Class: use the if-match match-criteria command to define a required class. Command: mirror-to
Policy: Traffic redirection. Class: use the if-match match-criteria command to define a required class. Command: redirect
Policy: Priority remark. Class: use the if-match match-criteria command to define a required class. Command: remark
Configuring QoS Policy
Configuration Prerequisites
■ The class name and the classification rules to be used in the policy are specified.
■ The traffic behavior name and the actions in the traffic behavior are specified.
■ The policy name is specified.
■ Where and how to apply the policy is specified.
Defining a Class
Create a class name first and then configure match rules in class view.
Configuration procedure
Table 284 Define a class
match-criteria: Match rule for a class; see Table 285 for its value range.
Table 285 The value range of the match rule for a class
Value | Description
acl access-list-number | Matches an ACL. The access-list-number argument is in the range of 2,000 to 4,999.
any | Matches all packets.
customer-vlan-id vlan-id-list | Matches the VLAN IDs of the customer (user) network. The vlan-id-list argument is a list of VLAN IDs in the range of 1 to 4,094.
destination-mac mac-address | Matches a destination MAC address.
dot1p dot1p-list | Matches 802.1p priority. The dot1p-list argument is a list of CoS values in the range of 0 to 7.
dscp dscp-list | Matches DSCP precedence. The dscp-list argument is a list of DSCP values in the range of 0 to 63.
ip-precedence ip-precedence-list | Matches IP precedence. The ip-precedence-list argument is a list of IP precedence values in the range of 0 to 7.
service-vlan-id vlan-id-list | Matches the VLAN IDs of the service provider's network. The vlan-id-list argument is a list of VLAN IDs in the range of 1 to 4,094.
source-mac mac-address | Matches a source MAC address.
Observe the following restrictions when defining match rules; otherwise, the policy cannot be applied.
■ When customer-vlan-id, dot1p, dscp, ip-precedence or service-vlan-id is matched, do not specify multiple values in a single if-match rule.
■ When the logical relationship is and, the class can contain only one ACL rule.
Configuration example
1 Network requirements
Configure a class named “test” and define a rule to match packets whose IP precedence
is 6.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Define the class and enter class view.
[3Com] traffic classifier test
c Configure classification rules.
[3Com-classifier-test] if-match ip-precedence 6
Defining a Traffic Behavior
To define a traffic behavior, create a traffic behavior name first and then configure its actions in traffic behavior view.
408 CHAPTER 42: QOS POLICY CONFIGURATION
Configuration procedure
Table 286 Define a traffic behavior
The red keyword of the car action in a traffic behavior defines the actions taken on packets that do not conform to the committed access rate (CAR). The actions include:
CAUTION: Observe the following restrictions when defining traffic behaviors; otherwise, the policy cannot be applied.
■ remark dot1p and remark local-precedence cannot be configured in the same traffic behavior.
■ filter deny cannot be configured together with any action other than accounting.
■ When a traffic behavior contains the car or accounting action, the action is carried out separately for each rule in the class, not once for the class as a whole. For example, if CAR is set to 64 kbps and the class contains 10 rules, the packets matching each rule are policed to 64 kbps; the packets matching all ten rules together are not limited to 64 kbps in total.
■ Packets that have been mirrored by traffic mirroring are not mirrored again by port mirroring: if the destination port of traffic mirroring is configured as the source port of a port mirroring group, the destination port of the port mirroring group does not receive the traffic-mirrored packets.
■ When the ingress port of the packets (which belongs to the VLAN according to the VLAN policy) is the source port of both traffic mirroring and a port mirroring group, the traffic mirroring configuration takes precedence over the port mirroring configuration: packets matching the rule are mirrored to the destination port of traffic mirroring, and only packets that do not match the rule are mirrored to the destination port of the port mirroring group.
■ Multiple STP instances may be configured before redirection is configured. If the VLAN of the source port for redirection and the VLAN of the destination port for redirection belong to different instances, redirection fails: the packet is dropped and is not forwarded on any port.
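The token-bucket behaviour described at the start of this chapter and the per-rule CAR semantics in the caution above can be seen in a small model of class, traffic behavior and policy. The following Python is an added illustration written for this page, not 3Com code: the packet dictionary, the field names, the 1,600-bit bucket size and the per-rule bucket layout are assumptions of the model, and the switch's internal data structures are not documented here. Time is kept in integer milliseconds so that the arithmetic is exact.

```python
"""Model of the QoS policy elements of this chapter: a class (if-match rules
joined by 'and' or 'or'), a traffic behavior (car through a token bucket,
filter deny, remark dscp) and the policy that binds them. Added illustration
for this page, not 3Com code; the packet dictionary, field names and bucket
sizes are assumptions of the model. Time is in integer milliseconds."""


class TokenBucket:
    """Single-rate token bucket. Tokens (bits) accrue at cir_kbps bits per
    millisecond (64 kbps == 64 bits/ms) up to cbs_bits. The bucket starts
    full, which is what permits the initial burst."""

    def __init__(self, cir_kbps, cbs_bits):
        self.rate, self.capacity = cir_kbps, cbs_bits
        self.tokens, self.last_ms = cbs_bits, 0

    def conform(self, now_ms, size_bytes):
        """True (green) if the packet fits in the bucket, False (red) if not."""
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= size_bytes * 8:
            self.tokens -= size_bytes * 8
            return True
        return False


class Classifier:
    """Class: rules are (field, value) pairs; operator is 'and' or 'or'."""

    def __init__(self, name, rules, operator="or"):
        self.name, self.rules, self.operator = name, list(rules), operator

    def matching_rule(self, pkt):
        """Index of the matched rule, or None. 'and' needs every rule to match
        (reported as rule 0); 'or' reports the first rule that matches."""
        hits = [i for i, (field, value) in enumerate(self.rules) if pkt.get(field) == value]
        if self.operator == "and":
            return 0 if len(hits) == len(self.rules) else None
        return hits[0] if hits else None


class Behavior:
    """Traffic behavior: car (cir in kbps, 0 = none), filter deny, remark dscp."""

    def __init__(self, name, car_cir_kbps=0, car_cbs_bits=1600,
                 filter_deny=False, remark_dscp=None):
        self.name, self.car_cir_kbps, self.car_cbs_bits = name, car_cir_kbps, car_cbs_bits
        self.filter_deny, self.remark_dscp = filter_deny, remark_dscp


class Policy:
    """Policy: ordered class-to-behavior bindings. CAR state is kept per
    (class, rule) pair, which is the per-rule semantics the caution describes."""

    def __init__(self, name):
        self.name, self.bindings, self.buckets = name, [], {}

    def classifier_behavior(self, cls, beh):
        self.bindings.append((cls, beh))

    def apply(self, pkt, now_ms):
        """Return 'deny' (filter deny), 'drop' (CAR red) or 'forward'."""
        for cls, beh in self.bindings:
            idx = cls.matching_rule(pkt)
            if idx is None:
                continue
            if beh.filter_deny:
                return "deny"
            if beh.car_cir_kbps:
                key = (cls.name, idx)
                if key not in self.buckets:
                    self.buckets[key] = TokenBucket(beh.car_cir_kbps, beh.car_cbs_bits)
                if not self.buckets[key].conform(now_ms, pkt["size"]):
                    return "drop"
            if beh.remark_dscp is not None:
                pkt["dscp"] = beh.remark_dscp
            return "forward"
        return "forward"  # no class matched: ordinary forwarding


def burst_demo():
    """Five 100-byte packets back to back at t=0 and one more 100 ms later,
    against car cir 64 with a 1,600-bit bucket: two go through as a burst,
    three are red, and the late one is green again once tokens have accrued."""
    bucket = TokenBucket(cir_kbps=64, cbs_bits=1600)
    return [bucket.conform(0, 100) for _ in range(5)] + [bucket.conform(100, 100)]


def per_rule_car_demo(n_rules=10, cir_kbps=64):
    """One class with n_rules 'or' rules (constructed: one DSCP value each) bound
    to car cir 64. Offer one 100-byte packet per rule every millisecond for one
    second (800 kbps per rule); return forwarded packets for one rule and in
    total. Each rule gets its own bucket, so the class forwards about n_rules
    times the CIR, exactly the caution about per-rule rather than total CAR."""
    cls = Classifier("test_class", [("dscp", d) for d in range(n_rules)], "or")
    policy = Policy("test")
    policy.classifier_behavior(cls, Behavior("test_behavior", car_cir_kbps=cir_kbps))
    forwarded = [0] * n_rules
    for ms in range(1000):
        for d in range(n_rules):
            if policy.apply({"dscp": d, "size": 100}, ms) == "forward":
                forwarded[d] += 1
    return {"rule0_packets": forwarded[0], "total_packets": sum(forwarded),
            "rule0_kbps": forwarded[0] * 800 / 1000, "total_kbps": sum(forwarded) * 800 / 1000}
```

Running per_rule_car_demo() shows a single rule held to roughly the 64 kbps CIR while the class as a whole passes roughly 640 kbps; if the intent was to cap the aggregate, the class has to be written so that the traffic matches a single rule (for example one ACL), not ten.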
Configuration example
1 Network requirements
Configure a traffic behavior named “test”, enable TP, and set committed information
rate (CIR) to 6,400 kbps.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Define the traffic behavior and enter traffic behavior view.
[3Com] traffic behavior test
c Configure the CAR action.
[3Com-behavior-test] car cir 6400
Configuring a Policy
A policy defines the class-to-traffic-behavior bindings. Each traffic behavior consists of a group of QoS actions.
Table 287 Specify the traffic behavior for a class in the policy
CAUTION: When a policy is applied to a port group and the user-defined traffic behavior contains neither the car nor the accounting action, the policy occupies only one share of hardware resources for all the ports in the group (resource multiplexing). If the traffic behavior contains the car or accounting action, the policy occupies n shares of hardware resources, where n is the number of ports in the port group.
Configuration example
1 Network requirements
Configure a policy named “test”. In the policy, specify the traffic behavior test_behavior for the packets belonging to the class test_class, and apply the policy in the inbound direction of GigabitEthernet1/0/1.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Define the policy and enter policy view.
[3Com] qos policy test
c Specify the traffic behavior for the class.
[3Com-qospolicy-test] classifier test_class behavior test_behavior
[3Com-qospolicy-test] quit
d Enter Ethernet port view.
[3Com] interface GigabitEthernet 1/0/1
e Apply the policy on the interface.
[3Com-GigabitEthernet1/0/1] qos apply policy test inbound
Displaying QoS Policy
After finishing the configurations above, you can execute the display command in any view to check the running status of the QoS policy and verify the configuration.
Overview
When packets arrive at an interface faster than the interface can transmit them, congestion occurs on the interface. If there is not enough buffer space to hold the packets, some of them are dropped. Packet loss may cause the transmitting device to retransmit the lost packets after they time out, which adds to the load and creates a vicious cycle.
The core of congestion management is how to schedule resources and determine the order in which packets are forwarded when congestion occurs.
Congestion Management Policy
Queuing is generally adopted to solve congestion. Queuing technology classifies traffic into queues according to a specified queue-scheduling algorithm and then forwards the traffic according to the specified priority algorithm. Each queuing algorithm solves specific network traffic problems and affects parameters such as bandwidth allocation, delay and delay jitter.
1 SP queue-scheduling algorithm
[Figure: SP queuing. Packets are classified into the sending queues (from the normal queues down to the bottom queue) and dequeued in strict priority order.]
SP queue-scheduling algorithm does have its disadvantage: if packets exist for a long
time in the queues with higher priority levels during congestion, the packets in the
queues with lower priority levels will be “starved to death” because they are not served.
2 WRR queue-scheduling algorithm
A port of the switch supports eight outbound queues. The WRR queue-scheduling algorithm schedules all the queues in turn, so that every queue is assured of a certain service time. Assume there are eight priority queues on the port, with eight weight values (w7, w6, w5, w4, w3, w2, w1 and w0) indicating the proportion of resources assigned to each queue. On a 100 Mbps port, you can configure the WRR weight values as 50, 30, 10, 10, 50, 30, 10 and 10 (corresponding to w7 through w0). The weights sum to 200, so a queue with weight 10 is assured of at least 10/200 of the bandwidth, that is, 5 Mbps, and the lowest-priority queue can no longer be starved as it can under SP scheduling. Another advantage of WRR is that although the queues are scheduled in turn, the service time for each queue is not fixed: if a queue is empty, the next queue is scheduled immediately, so the bandwidth is fully utilized.
The 3Com Switch 4500G Switches support the following three queue scheduling algorithms:
■ SP queue scheduling
■ WRR queue scheduling
■ SP+WRR queue scheduling
Configuring SP Queue Scheduling
SP queues include multiple queues, which correspond to different priorities and are scheduled in descending order of priority.
Configuration Procedure
Table 290 Configure SP queue scheduling
To do… | Use the command | Remarks
Enter system view | system-view | —
Enter port view or port group view | Enter port view: interface interface-type interface-number. Enter port group view: port-group { manual port-group-name | aggregation agg-id } | One of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, the following configuration takes effect on all the ports in the port group.
Configure the SP queue-scheduling algorithm | qos sp | Required
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Configure GigabitEthernet1/0/1 to adopt the SP queue-scheduling algorithm.
[3Com]interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos sp
416 CHAPTER 43: CONGESTION MANAGEMENT
Configuring WRR Queue Scheduling
By default, all ports adopt the WRR queue-scheduling algorithm. Queues that are not configured on the port use the default WRR weight.
Configuration Procedure
Table 291 Configure WRR queue scheduling
To do… | Use the command | Remarks
Enter system view | system-view | —
Enter port view or port group view | Enter port view: interface interface-type interface-number. Enter port group view: port-group { manual port-group-name | aggregation agg-id } | One of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, the following configuration takes effect on all the ports in the port group.
Enable WRR queue scheduling on the port | qos wrr | Required
Configure the WRR queue scheduling weight | qos wrr queue-id group 1 weight schedule-value | Required
Display the configuration of WRR queue scheduling | display qos wrr interface [ interface-type interface-number ] | Optional. You can execute the display command in any view.
Configuration Example
1 Network requirements
■ Configure queue 1, queue 3, queue 4 on GigabitEthernet1/0/1 to adopt the WRR
queue-scheduling algorithm, with the weight value of 1, 5, and 10 respectively.
■ Configure queue 5 and queue 6 on GigabitEthernet1/0/1 to adopt the WRR
queue-scheduling algorithm, with the weight value of 2 and 10 respectively.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Configure WRR queues on GigabitEthernet1/0/1.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 1 group 1 weight 1
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 5
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10
[3Com-GigabitEthernet1/0/1] qos wrr 5 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 6 group 1 weight 10
Configuring SP+WRR Queue Scheduling
As required, you can configure some of the queues on a port to adopt the SP queue-scheduling algorithm and the others to adopt the WRR queue-scheduling algorithm. SP+WRR queue scheduling is implemented by adding the queues on a port to the SP scheduling group and to the WRR scheduling group (namely, group 1). During scheduling, the queues in the SP scheduling group are served first. Only when no packet is waiting in the queues of the SP scheduling group are the queues in the WRR scheduling group served. The queues in the SP scheduling group are scheduled in strict priority order, while the queues in the WRR scheduling group are scheduled according to the weight of each queue.
Configuration Procedure
1 Enter system view.
<3Com> system-view
2 Configure the queues on GigabitEthernet1/0/1 to adopt the SP+WRR queue-scheduling
algorithm.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 0 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 1 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 2 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 7
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10
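The three scheduling modes of this chapter (SP starvation, the 100 Mbps WRR weight example, and the SP+WRR configuration just shown) can be compared in a slot-based model of the eight egress queues. The following Python is an added illustration written for this page, not 3Com code: packets are equal-sized, one packet is transmitted per slot, and the WRR round is modelled in batch form (each queue sends up to its weight before the next queue is served); those are assumptions of the model, not documented switch behaviour.

```python
"""Model of the egress queue scheduling described in this chapter: SP, WRR and
SP+WRR (queues in the SP group are served first, strictly by queue ID; queues in
WRR group 1 share the rest in proportion to their weights). Added illustration
for this page, not 3Com code. Equal-sized packets, one per slot, and the batch
form of the WRR round are assumptions of the model."""


def simulate(backlog, sp_queues=(), wrr_weights=None, slots=100):
    """backlog: {queue_id: packets waiting}. Returns {queue_id: packets sent}
    after `slots` transmission slots. Queue 7 is the highest priority."""
    backlog = dict(backlog)
    weights = dict(wrr_weights or {})
    sent = {q: 0 for q in backlog}
    credit = dict(weights)  # packets each WRR queue may still send this round
    for _ in range(slots):
        # SP group: the highest non-empty SP queue always wins the slot.
        pick = next((q for q in sorted(sp_queues, reverse=True) if backlog.get(q)), None)
        if pick is None:
            # WRR group: only reached when every SP queue is empty.
            eligible = [q for q in sorted(weights, reverse=True) if backlog.get(q)]
            if not eligible:
                break  # link idle: nothing to send anywhere
            ready = [q for q in eligible if credit[q] > 0]
            if not ready:  # round finished; empty queues simply forfeit their turn
                credit = dict(weights)
                ready = eligible
            pick = ready[0]
            credit[pick] -= 1
        backlog[pick] -= 1
        sent[pick] += 1
    return sent


def guaranteed_mbps(wrr_weights, link_mbps, queue):
    """Bandwidth a WRR queue is assured of when all queues are saturated:
    its weight over the sum of the weights, times the link rate."""
    return link_mbps * wrr_weights[queue] / sum(wrr_weights.values())


def starvation_demo(slots=1000):
    """Pure SP with queues 7 and 0 both permanently backlogged: the low-priority
    queue never gets a slot, the 'starved to death' case the chapter warns about."""
    return simulate({7: slots, 0: slots}, sp_queues=range(8), slots=slots)


def wrr_100m_demo():
    """The chapter's 100 Mbps example: weights 50,30,10,10,50,30,10,10 for w7..w0.
    One full round is 200 slots, so the sent counts equal the weights and each
    weight-10 queue holds 5% of the link, i.e. 5 Mbps."""
    weights = dict(zip(range(7, -1, -1), [50, 30, 10, 10, 50, 30, 10, 10]))
    sent = simulate({q: 10**6 for q in weights}, wrr_weights=weights, slots=200)
    return sent, guaranteed_mbps(weights, 100, 0)


def sp_plus_wrr_demo():
    """The configuration above: queues 0 and 1 in the SP group, queues 2, 3 and 4
    in WRR group 1 with weights 2, 7 and 10. With 3 and 2 packets waiting in the
    SP queues and the WRR queues saturated, 24 slots drain the SP queues first
    (queue 1 before queue 0) and then run one WRR round in the ratio 2:7:10."""
    return simulate({0: 3, 1: 2, 2: 10**6, 3: 10**6, 4: 10**6},
                    sp_queues=(0, 1), wrr_weights={2: 2, 3: 7, 4: 10}, slots=24)
```

The practical point for anyone placing management or control traffic in an SP queue is visible in starvation_demo(): a saturated high-priority queue takes every slot, so SP should be reserved for traffic whose volume is itself bounded (for example by CAR), with everything else left in WRR group 1.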
44 PRIORITY MAPPING
Overview
When a packet enters the switch, the switch assigns it a series of parameters (including the 802.1p priority and the local precedence) according to the precedence types the switch supports and the corresponding rules. The local precedence is the precedence the switch assigns to the packet locally; it corresponds to the outbound queue ID on the port.
The Switch 4500G always trusts the packet priority rather than the port priority. For tagged packets, the switch performs dot1p-to-lp mapping according to the 802.1p priority carried in the tag. Untagged packets are tagged with an 802.1p priority when they enter the switch; this 802.1p priority is the port priority, and the dot1p-to-lp mapping is performed according to it.
The switch provides the dot1p-to-lp mapping table shown in Table 293.
The 3Com Switch 4500G Switches do not support editing the dot1p-to-lp (802.1p priority-to-local precedence) mapping table.
Configuring Port Priority
An untagged packet is tagged after it enters the switch, and its 802.1p priority is the port priority. By setting the port priority, you can assign such packets to different outbound queues on the port. The port priority is in the range of 0 to 7.
The port priority takes effect only on untagged packets, not on tagged packets.
Configuration Procedure
Table 294 Configure port priority
To do… | Use the command | Remarks
Enter system view | system-view | —
Enter the corresponding Ethernet port view | interface interface-type interface-number | —
Configure port priority | qos priority priority-value | Required. By default, the port priority is 0.
Network diagram
[Figure: Department 1 connects to GE1/0/1 and Department 2 connects to GE1/0/2 of the Switch, which connects to the router.]
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Configure the port priority of GigabitEthernet1/0/1 to 3, and map the priorities of
packets from department 1 to local precedence 3.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos priority 3
3 Configure the port priority of GigabitEthernet1/0/2 to 7, and map the priorities of
packets from department 2 to local precedence 7.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] qos priority 7
Displaying Priority Mapping Table
Use the display qos map-table command to display the detailed configuration of a priority mapping table.
Table 295 Display and debug a priority mapping table
VLAN-based QoS policies are also known as VLAN policies for short. VLAN policies facilitate the application and management of QoS policies on the switch.
VLAN policies do not take effect on dynamic VLANs. For example, when GVRP is running, the device may create VLANs dynamically; VLAN policies are not applied to such dynamic VLANs.
Applying VLAN Policies
Configuration Prerequisites
■ VLAN policies have been configured. Refer to Chapter 42 QoS Policy Configuration for how to define policies.
■ The VLAN to which the VLAN policies are applied is specified.
Configuration Procedure
Table 296 Apply VLAN policies
To do… | Use the command | Remarks
Enter system view | system-view | —
Apply VLAN policies to the specified VLAN | qos vlan-policy policy-name vlan vlan-id-list inbound | Required. vlan-id-list: VLAN ID list in the form of vlan-id to vlan-id. You can enter multiple discontinuous VLAN IDs. The device allows you to specify up to eight VLAN IDs at the same time.
Display information about VLAN policies | display qos vlan-policy { name policy-name | vlan [ vlan-id ] } | Optional. You can execute the display command in any view. name policy-name: Displays information about the VLAN policy with the specified name. vlan vlan-id: Displays the VLAN policy applied to the specified VLAN.
Displaying and Maintaining VLAN Policy
After the configuration above, you can execute the display command in any view to display the running status of VLAN policies and verify the configuration.
You can execute the reset command in user view to clear the statistics about VLAN policies.
VLAN Policy Configuration Example
Network Requirements
■ Configure a VLAN policy named test to perform TP on packets matching ACL 2000, with a CIR of 64 kbps.
■ Apply the VLAN policy named test to the inbound direction of VLAN 200, VLAN 300, VLAN 400, VLAN 500, VLAN 600, VLAN 700, VLAN 800 and VLAN 900.
Overview
Traffic mirroring replicates the specified packets to a specified destination. It is generally used for network testing and troubleshooting.
Depending on the type of mirroring destination, there are three types of traffic mirroring:
■ Mirroring to port: The desired traffic on a mirrored port is replicated and sent to a destination port (that is, a mirroring port).
■ Mirroring to CPU: The desired traffic on a mirrored port is replicated and sent to the CPU of the board on which the port resides for further analysis.
■ Mirroring to VLAN: The desired traffic on a mirrored port is replicated and sent to a VLAN, where it is broadcast so that all the ports (if any) in the VLAN receive it. If the destination VLAN does not exist, you can still configure the function; it takes effect automatically after the VLAN is created and a port is added to it.
Currently, the 3Com Switch 4500G Switches support only traffic mirroring to port.
Configuring Traffic Mirroring to Port
Before configuring traffic mirroring, enter the traffic behavior view of an existing traffic behavior.
Displaying Traffic Mirroring Configuration
After the above configuration, you can execute the display command in any view to display the operation status of traffic mirroring and verify your configuration.
Table 299 Display traffic mirroring configuration
Traffic Mirroring Configuration Example
Network requirements
All the packets from PC A must be monitored and analyzed on the server.
Network Diagram
Figure 117 Network diagram for traffic mirroring to port
[Figure: PC A, PC B and the Server are connected to ports GigabitEthernet1/0/1 through GigabitEthernet1/0/3 of Switch A.]
After the above configuration, you can monitor and analyze all the packets from PC A on
the server.
428 CHAPTER 46: TRAFFIC MIRRORING CONFIGURATION
47 PORT MIRRORING CONFIGURATION
Introduction to Port
Mirroring
Classification of Port Mirroring
There are two kinds of port mirroring: local port mirroring and remote port mirroring.
■ Local port mirroring copies the packets at one or more ports (source ports) of a device to a monitor port (destination port) for analysis and monitoring. The source ports and the destination port are on the same device.
■ Remote port mirroring removes the restriction that the source and destination ports be on the same device and allows them to be spread across several network devices. At present, remote port mirroring can pass through up to 2 layers of network.
Implementing Port Mirroring
Port mirroring is implemented through mirroring groups, which include local mirroring groups, remote source mirroring groups and remote destination mirroring groups.
■ Local port mirroring is implemented through local mirroring groups. The device copies the packets from the mirroring ports and forwards them to the monitor port.
■ Remote port mirroring is implemented through a remote source mirroring group and remote destination mirroring groups. The device copies the packets from the mirroring ports and broadcasts them into the remote mirroring VLAN through the reflector port. When a remote device receives a packet, it compares the packet's VLAN ID with the remote mirroring VLAN of its remote destination mirroring group. If they are identical, the device forwards the packet to the monitor port of the remote destination mirroring group.
■ A mirroring group supports monitoring multiple mirroring ports with one monitor port.
■ You are recommended not to enable STP, MSTP or RSTP on the destination port.
■ MSTP or RSTP cannot be enabled on a monitor port, and a port with MSTP or RSTP enabled cannot be configured as a monitor port; otherwise the device's normal functions are affected.
■ A monitor port cannot be a member port of the current mirroring group or a trunk port.
■ You can configure multiple mirroring ports for a mirroring group, but only one monitor port.
■ A port can belong to only one mirroring group.
Displaying Port Mirroring
Follow these steps to display and maintain port mirroring:
Table 300 Displaying Port Mirroring
To meet the requirement using local port mirroring, perform the following configuration on Switch C:
Network diagram
[Figure: Department 1, Department 2 (through Switch B) and the Server are connected to ports GEthernet1/0/1 through GEthernet1/0/3 of Switch C.]
Configuration procedure
Configuring Switch C:
After finishing the configuration, the user can monitor all the packets received and sent by Department 1 and Department 2 on the Server.
48 GMP V2 CONFIGURATION
GMP V2 is a layer 2 protocol that enables the management of devices that have no layer 3 protocol stack or that are not configured with an IP address.
Cluster Overview
By employing GMP V2, a network administrator can manage multiple switches through the public IP address of one switch, known as the management device. The switches under the management of the management device are member devices. Normally, a cluster member device is not assigned a public IP address; the network administrator manages and maintains member devices through the management device. The management device, along with the member devices, forms a cluster. Figure 119 shows a typical cluster implementation.
Figure 119 A typical cluster
[Figure: the management device (IP address 69.110.1.1) connects the network to the cluster of member devices.]
A cluster has one (and only one) management device. Note the following when creating
a cluster:
■ You need to designate the management device first. The management device of a
cluster is the portal of the cluster. That is, any operations performed in external
networks and intended for the member devices of a cluster, such as accessing,
configuring, managing, and monitoring, can be implemented through the
management device only.
■ The management device of a cluster recognizes and controls all the member devices
in the cluster, no matter where they are located on the network or how they are
connected.
■ The management device collects topology information about all the member and
candidate devices to provide useful information for users to build a cluster.
■ A management device manages and monitors the devices in the cluster by collecting and processing NDP (neighbor discovery protocol) and NTDP (neighbor topology discovery protocol) packets, which carry network topology information.
Switch Roles in a Cluster
According to their functions and status in a cluster, switches play different roles. You can specify the role a switch plays; a switch also changes its role according to specific rules.
The following three switch roles exist in a cluster: management device, member device and candidate device.
Switch Role Changes in a Cluster
Figure 120 Rules for switch role changes
[Figure: the role transitions among management device, candidate device and member device, as summarized in the following list.]
■ A cluster has one (and only one) management device. After a management device is
designated, it collects NDP/NTDP information to discover and determine candidate
devices, which can be then added to the cluster through manual configurations.
■ A candidate device becomes a member device after being added to a cluster.
■ A member device becomes a candidate device after being removed from the cluster.
Introduction to NDP
NDP is the protocol for discovering information about adjacent nodes. NDP operates at the data link layer, so it works regardless of the network layer protocol in use.
NDP discovers information about directly connected neighbors, including the device type, software/hardware version and connecting port of the adjacent devices. It can also provide the device ID, port duplex status, product version, Bootrom version and so on.
An NDP-enabled device maintains an NDP information table. Each entry in the table ages out with time. You can also clear the current NDP information manually so that neighbor information is collected again.
An NDP-enabled device periodically broadcasts NDP packets on all ports in the up state. An NDP packet carries a holdtime field, which tells the receiving devices how long to keep the NDP data. Receiving devices only store the information carried in received NDP packets; they do not forward them. The corresponding entry in the NDP table is updated when the received information differs from the existing entry; otherwise, only the holdtime of the entry is refreshed.
Introduction to NTDP
NTDP is a protocol for collecting network topology information. NTDP provides information about the devices that can be added to a cluster and collects the topology information within a specified number of hops for cluster management.
Based on the NDP information table created by NDP, NTDP transmits and forwards NTDP topology collection requests to collect the NDP information and neighbor connection information of each device within a specific network range, for the management device or the network administrator to use.
Handshake packets
Handshake packets are used primarily to maintain the states of the members in a cluster.
■ After a cluster is built, a member device initiates the handshake process and sends handshake packets at the default interval of ten seconds. The management device also sends handshake packets to the member device at the default interval of ten seconds. The management device and the member devices do not respond to the handshake packets they receive; they switch to or remain in the Active state.
■ If the management device receives no handshake packet from a member device for three consecutive intervals, it changes the state of the member device to Connect. Likewise, if a member device receives no handshake packet from the management device for three consecutive intervals, the state of the member device changes from Active to Connect.
■ If a member device in the Connect state receives no handshake packet or management packet (which would return it to Active) within the holdtime (60 seconds by default), the member device changes to the Disconnect state and the management device considers the member disconnected. A member device in the Active or Connect state is considered connected.
■ In addition, handshake packets notify the management device of topology changes of neighboring devices.
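The timing above (handshakes every 10 seconds, three misses before Connect, 60-second holdtime before Disconnect) determines how long a member that has been unplugged or cut off still counts as connected, which matters when cluster state is used for monitoring. The following Python is an added illustration written for this page, not 3Com code. The page does not say from which instant the holdtime is counted; this model counts it from the last packet received, and that is an assumption, as is the one-second polling in the timeline.

```python
"""Model of the cluster handshake described above: members and the management
device exchange handshake packets every 10 s; three consecutive missed
handshakes move a member from Active to Connect, and no packet within the 60 s
holdtime moves it to Disconnect. Added illustration for this page, not 3Com
code. Counting the holdtime from the last packet received is an assumption."""

HELLO_S = 10      # default handshake interval, seconds
MISSES = 3        # consecutive missed handshakes before Connect
HOLDTIME_S = 60   # default holdtime, seconds


def member_state(received, now, hello=HELLO_S, misses=MISSES, holdtime=HOLDTIME_S):
    """State the management device holds for one member at time `now`, given the
    times at which handshake or management packets from that member arrived.
    Returns 'Active', 'Connect' or 'Disconnect'."""
    past = [t for t in received if t <= now]
    if not past:
        return "Disconnect"
    silence = now - past[-1]
    if silence >= holdtime:
        return "Disconnect"
    if silence >= hello * misses:  # the third expected handshake has not arrived
        return "Connect"
    return "Active"


def is_connected(state):
    """Both Active and Connect count as connected; only Disconnect does not."""
    return state in ("Active", "Connect")


def transitions(received, until, step=1):
    """Walk time from 0 to `until` and return the (time, state) pairs at which the
    member's state changes, i.e. what an operator polling the cluster would see."""
    out, prev = [], None
    for now in range(0, until + 1, step):
        state = member_state(received, now)
        if state != prev:
            out.append((now, state))
            prev = state
    return out


def demo():
    """Constructed scenario: a member handshakes at 0, 10 and 20 s, goes silent,
    and reappears at 95 s. It still counts as connected (Connect) until 80 s,
    and a single handshake restores Active immediately."""
    return transitions([0, 10, 20, 95], until=100)
```

demo() shows that a member which disappears right after its 20-second handshake is reported as Connect from 50 s and only as Disconnect from 80 s, so alerts driven by the member state will trail the actual outage by up to the full holdtime.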
Management VLAN
A device connected to a port that does not belong to the management VLAN cannot join the cluster. Therefore, if the management device and the candidate devices belong to different management VLANs, the management VLAN of the candidate devices must be modified through auto-negotiation. In this case, the candidate devices must ensure that the management VLAN exists. If a new VLAN must be created, the device's limit on the number of VLANs must not be exceeded.
The ports in the management VLAN of a device must be configured to permit the
packets of the management VLAN to pass with tags (the packets from VLAN1 can pass
without tags); otherwise, the cluster will not work properly.
You can specify the management VLAN only before building a cluster. You cannot modify
the management VLAN after a device has joined the cluster. To modify the management
VLAN after the cluster is built, delete the cluster configuration on the current device
before designating the new management VLAN and finally building the cluster.
GMP V2 Configuration Task Overview
Table 302 GMP V2 configuration task overview
Configure the management device:
Operation | Description | Related section
Enable NDP globally and for specific ports | Required | Enabling NDP Globally and for Specific Ports
Configure NDP-related parameters | Optional | Configuring NDP-related Parameters
Enable NTDP globally and for specific ports | Required | Enabling NTDP Globally and for Specific Ports
Configure NTDP-related parameters | Optional | Configuring NTDP-related Parameters
Enable the cluster function | Required | Enabling the Cluster Function
Build a cluster | Required | Building a Cluster
Configure cluster management | Required | Configuring Cluster Management
Configure cluster parameters | Optional | Configuring Cluster Parameters
Configure interaction for the cluster | Optional | Configuring Interaction for the Cluster
Configure member devices:
Operation | Description | Related section
Enable NDP globally and for specific ports | Required | Enabling NDP Globally and for Specific Ports
Enable NTDP globally and for specific ports | Required | Enabling NTDP Globally and for Specific Ports
Enable the cluster function | Required | Enabling the Cluster Function
Configure to add a member to the cluster | Optional | Configuring to Add a Candidate Device to the Cluster
Management Device Configuration
Enabling NDP Globally and for Specific Ports
Table 303 Enable NDP globally and for specific ports
Operation | Command | Description
Enter system view | system-view | —
Enable NDP globally | ndp enable | Required. By default, NDP is enabled globally.
Enable NDP for the Ethernet port | In system view: ndp enable interface interface-list. In Ethernet port view: interface interface-type interface-number, then ndp enable | Either is required. By default, NDP is enabled on all ports.
Configuring NDP-related Parameters
Table 304 Configure NDP-related parameters
Operation | Command | Description
Enter system view | system-view | —
Configure the holdtime of NDP information | ndp timer aging aging-time | Optional. By default, the aging time of NDP information is 180 seconds.
Configure the interval to send NDP packets | ndp timer hello hello-time | Optional. By default, the interval for sending NDP packets is 60 seconds.
Enabling NTDP Globally and for Specific Ports

Table 305 Enable NTDP globally and for specific ports
Operation                            Command                                       Description
Enter system view                    system-view                                   —
Enable NTDP globally                 ntdp enable                                   Optional. By default, NTDP is enabled globally.
Enable NTDP for the Ethernet port    In system view: ntdp enable interface         Optional. By default, NTDP is enabled on all ports.
                                     interface-list
                                     In Ethernet port view: interface
                                     interface-type interface-number, then
                                     ntdp enable
Configuring NTDP-related Parameters

Table 306 Configure NTDP parameters
Operation                                                          Command                       Description
Enter system view                                                  system-view                   —
Configure the range (in hops) within which topology information    ntdp hop hop-value            Optional. By default, the hop range for topology collection is 3 hops.
is to be collected
Configure the interval to collect topology information             ntdp timer interval-time      Optional. By default, the interval of topology collection is 1 minute.
Configure the hop delay to forward topology-collection request     ntdp timer hop-delay time     Optional. By default, the device delay is 200 ms.
packets
Configure the port delay to forward topology-collection request    ntdp timer port-delay time    Optional. By default, the port delay is 20 ms.
packets
Quit system view                                                   quit                          —
Start topology information collection                              ntdp explore                  Optional
The ntdp enable command in cluster management is not compatible with the
bpdu-tunnel enable command in BPDU TUNNEL. You cannot configure these two
commands at the same time. For BPDU TUNNEL, refer to “VLAN VPN Configuration”.
Building a Cluster

Before building a cluster, you must configure a private IP address pool available for the
member devices in the cluster. When a candidate device joins the cluster, the
management device dynamically assigns the candidate device a private IP address for
inner-cluster communication. This enables the management device to manage and
maintain member devices.
CAUTION:
■ For a non-VLAN1 management VLAN, if the port on the management device that is
connected to member devices is a trunk or hybrid port, to implement cluster
management you must configure the port to permit the packets of the management
VLAN to pass with tags. In addition, you cannot manually change its default VLAN to
the management VLAN. If the port on the management device that is connected to
member devices is an access port, to implement cluster management you must
manually configure the port as a hybrid port and configure it to permit the packets of
the management VLAN to pass with tags. See the VLAN Operation section for details.
■ When the management VLAN is configured as VLAN1, if the port on the member
device that is connected to the management device permits the packets of the
management VLAN to pass with tags, configure the management device as described
above. If the port on the member device that is connected to the management device
permits the packets of the management VLAN to pass without tags, to implement
cluster management you must perform one of the following configuration tasks:
configure the corresponding port on the management device as an access port;
configure the port as a trunk port with VLAN1 as its default VLAN; or configure the
port as a hybrid port with VLAN1 as its default VLAN and permit the packets of the
management VLAN to pass without tags. See the VLAN Operation section for details.
■ You can configure an IP address pool only before the cluster is built, and only on the
management device. You cannot change the IP address pool of an existing cluster.
You can press <CTRL+C> to exit automatic cluster establishment. After this operation, no
new device will be added and the added devices remain in the cluster.
The white list and black list are mutually exclusive: nodes in the white list must not be in
the black list, and vice versa. Note that a topology node can be neither in the white list
nor the black list. These are usually new nodes and need to be authenticated by
administrators.
The white list and black list will not disappear even if the management switch is
powered off. Two backup and recovery mechanisms are provided: backup to an FTP
server or to the Flash of the management switch. In either backup mode, you need to
restore the white list or black list manually. When the management switch restarts or
cluster management is reconfigured, the management switch restores the white list and
black list from the Flash.
Configuring Cluster Parameters

Cluster parameters include the multicast MAC address for cluster management, the interval for
sending multicast packets, the device holdtime, and the handshake interval.
■ If the interval for the management device to send multicast packets is 0, the
management device does not send multicast packets to any member device in the
cluster.
■ The state of a member device will be shown as "Disconnect" if it receives no message
from another device within the holdtime. After the communication recovers, the
corresponding member device needs to join the cluster again (automatically). If the
fault is removed within the specified holdtime, the member device does not need to
join the cluster again and remains normal.
■ Handshake packets maintain the real-time communication between the management
device and member devices in a cluster. The management device monitors the states
of the members and link states in the cluster by exchanging handshake packets with
member devices.
Configuring Interaction for the Cluster

After building a cluster, you can configure a server, NMS host, and log host universally on
the management device for the cluster. A member device in the cluster will access the
server configured through the management device.
All logs of the member devices in the cluster will be output to the log host configured:
when member devices output logs, the logs are directly sent to the management device,
which then translates the address of the logs and sends them to the log host configured
for the cluster. Likewise, all Trap messages sent by member devices are output to the
NMS host configured for the cluster.
CAUTION: The log host configured for the cluster takes effect only after you use the
info-center loghost command in system view. For more about the
info-center loghost command, see the "Information Center Commands".
Configuring Member Devices

Enabling NDP Globally and on Specific Ports

Table 314 Enable NDP globally and on specific ports
Operation                         Command                                       Description
Enter system view                 system-view                                   —
Enable NDP globally               ndp enable                                    Optional. By default, NDP is enabled globally.
Enable NDP for specified ports    In system view: ndp enable interface          Either is required. By default, NDP is enabled on all ports.
                                  interface-list
                                  In Ethernet port view: interface
                                  interface-type interface-number, then
                                  ndp enable
Enabling NTDP Globally and on Specific Ports

Table 315 Enable NTDP globally and on specific ports
Operation                          Command                                       Description
Enter system view                  system-view                                   —
Enable NTDP globally               ntdp enable                                   Optional. By default, NTDP is enabled globally.
Enable NTDP for specified ports    In system view: ntdp enable interface         Optional. By default, NTDP is enabled on all ports.
                                   interface-list
                                   In Ethernet port view: interface
                                   interface-type interface-number, then
                                   ntdp enable
Configuring to Add a Candidate Device to the Cluster

Table 317 Configure to add a member to the cluster
Operation                                Command                                        Description
Enter system view                        system-view                                    —
Enter cluster view                       cluster                                        —
Add a candidate device to the cluster    administrator-address mac-address name name    Optional. By default, a device is not a member of any cluster.
Displaying and Maintaining a Cluster

After the configuration above, you can execute the display command to display the
running status after the cluster configuration. You can verify the configuration effect
by checking the displayed information.
You can use the reset command in user view to clear NDP statistics.

Operation                                                        Command
Display NDP configuration                                        display ndp [ interface port-list ]
Display the global NTDP information                              display ntdp
Display device information collected through NTDP                display ntdp device-list [ verbose ]
Display state and statistics information about a cluster         display cluster
Display the base topology of the cluster                         display cluster base-topology [ mac-address mac-address | member-id member-number ]
Display the current blacklist of the cluster                     display cluster black-list
Display the information about the candidate devices of a         display cluster candidates [ mac-address mac-address | verbose ]
cluster
Display the current topology of the cluster or the topological   display cluster current-topology [ mac-address mac-address [ to-mac-address mac-address ] |
path between two nodes                                           member-id member-number [ to-member-id member-number ] ]
Display the information about the cluster members                display cluster members [ member-number | verbose ]
Clear the NDP statistics on a port                               reset ndp statistics [ interface interface-list ]
GMP V2 Configuration Example

The 4500G switch acts as the management device and manages the other two member
devices. The cluster is configured as follows.
Network diagram
Configuration procedure
1 Configure the management device
a Enable NDP globally and for the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] ndp enable
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] ndp enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] ndp enable
[3Com-GigabitEthernet1/0/3] quit
b Configure the holdtime of NDP information to be 200 seconds.
[3Com] ndp timer aging 200
c Configure the interval to send NDP packets to be 70 seconds.
[3Com] ndp timer hello 70
d Enable NTDP globally and for GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports.
[3Com] ntdp enable
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] ntdp enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] ntdp enable
[3Com-GigabitEthernet1/0/3] quit
e Configure the hop count to collect topology to be 2.
[3Com] ntdp hop 2
f Configure the delay time for topology-collection request packets to be forwarded on
member devices to be 150 ms.
[3Com] ntdp timer hop-delay 150
g Configure the delay time for topology-collection request packets to be forwarded
through the ports of member devices to be 15 ms.
[3Com] ntdp timer port-delay 15
h Configure the interval to collect topology information to be 3 minutes.
[3Com] ntdp timer 3
i Enable the cluster function.
[3Com] cluster enable
j Enter cluster view.
[3Com] cluster
[3Com-cluster]
k Configure an IP address pool for the cluster. The IP address pool contains six IP
addresses, starting from 172.16.0.1.
[3Com-cluster] ip-pool 172.16.0.1 255.255.255.248
l Specify a name for the cluster and create the cluster.
[3Com-cluster] build aaa
[aaa_0.3Com-cluster]
Upon the completion of the above configurations, you can execute the cluster
switch-to { member-num | mac-address H-H-H } command on the management
device to switch to member device view to maintain and manage a member device. You
can then execute the cluster switch-to administrator command to resume
the management device view.
49 SNMP CONFIGURATION
SNMP Overview

Simple Network Management Protocol (SNMP for short) offers a framework for monitoring
network devices over the TCP/IP protocol suite. It provides a set of basic operations for
monitoring and maintaining the Internet and has the following characteristics:
■ Automatic network management: SNMP enables network administrators to search
and modify information on any network node, find and diagnose network problems,
plan for network growth, and generate reports.
■ SNMP shields network administrators from the physical differences between various
devices and thus provides automatic management of products from different
manufacturers. SNMP offers only a basic set of functions. With SNMP enabled, the
management tasks and the physical features of the managed devices are not affected
by lower-layer network protocols. Thus, SNMP achieves effective management of
devices from different manufacturers, especially in small, fast, and low-cost network
environments.
SNMP Mechanism

An SNMP-managed network consists of Network Management Stations (NMS for
short) and Agents.
■ An NMS is a station that runs the SNMP client software. It offers a friendly man-machine
interface, making it easier for network administrators to perform most network
management tasks. Currently, the most commonly used NMSs include Quidview, Sun
NetManager, and IBM NetView.
■ An Agent is a device that runs the SNMP server software. It can be a PC, a station, a
normal server, or a router.
■ The NMS manages an SNMP-managed network, whereas agents are the managed network
devices. They exchange management information through the SNMP protocol.
SNMP defines the following operations:
■ Get operation: the NMS retrieves the state information of the Agent through this operation.
■ Set operation: the NMS can reconfigure certain values in the Agent MIB by means of this
operation to make the Agent perform certain tasks.
■ Trap operation: the Agent sends Trap information to the NMS through this operation.
■ Inform operation: an NMS sends Trap information to another NMS through this operation.
SNMP Protocol Version

Currently, 3Com SNMP agents support SNMPv3 and are compatible with SNMPv1 and
SNMPv2c.
MIB Overview

A Management Information Base (MIB for short) is the collection of all the objects that can be
managed by the NMS. It defines a set of characteristics of the managed objects, such as the
object identifier (OID for short), access right, and data type of each object.
A MIB stores data in a tree structure. Each node of the tree is a managed object and
can be uniquely identified by the path from the root node. As illustrated in the
following figure, the managed object B is uniquely identified by the string of numbers
{1.2.1.1}. This string of numbers is the OID of the managed object B.
[Figure: MIB tree. Each node is numbered among its siblings (1, 2, ...; 5, 6 at the level of node A); the path from the root to node B reads 1.2.1.1.]
Configuring Basic SNMP Functions

As the configuration of SNMPv3 differs substantially from that of SNMPv1 and SNMPv2c,
their SNMP functionalities are introduced separately below. See Table 319 and
Table 320 for details.

Trap Configuration

The SNMP Agent sends Trap messages to the NMS to alert it to critical and
important events (such as a restart of the managed device).
Displaying and Maintaining SNMP

Table 322 Displaying and Maintaining SNMP
To do                                                          Use the command                                                                      Remarks
Display SNMP agent system information, including the           display snmp-agent sys-info [ contact | location | version ]*                        Available in any view
contact, location, and version of the SNMP agent
Display SNMP packet statistics                                 display snmp-agent statistics
Display the engine ID of the device                            display snmp-agent { local-engineid | remote-engineid }
Display SNMP group information                                 display snmp-agent group [ group-name ]
Display SNMP user information                                  display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ] *
Display SNMP community information                             display snmp-agent community [ read | write ]
Display MIB view information                                   display snmp-agent mib-view [ exclude | include | viewname view-name ]
SNMP Configuration Example

Network diagram
[Figure: the NMS at 129.102.149.23/16 and the switch, whose VLAN interface is 129.102.0.1/16, are connected over Ethernet.]
Configuration procedure
1 Configure SNMP Agent
a Configure the community, the SNMP agent group, and the SNMP agent user.
<3Com> system-view
[3Com] snmp-agent sys-info version all
[3Com] snmp-agent community read public
[3Com] snmp-agent community write private
[3Com] snmp-agent mib-view included internet 1.3.6.1
[3Com] snmp-agent group v3 managev3group write-view internet
[3Com] snmp-agent usm-user v3 managev3user managev3group
Note that public and private are the well-known default community strings and that a
community string is carried in clear text in every SNMPv1/v2c packet; outside a lab, use
site-specific community strings or, better, the SNMPv3 user with the authentication and
privacy settings that the NMS side expects.
b Specify VLAN interface 2 as the VLAN interface for network management use. Add
the port GigabitEthernet 1/0/3 to VLAN 2. Set the IP address of VLAN 2 interface to
129.102.0.1.
[3Com] vlan 2
[3Com-vlan2] port GigabitEthernet 1/0/3
[3Com-vlan2] interface Vlan-interface 2
[3Com-Vlan-interface2] ip address 129.102.0.1 255.255.0.0
[3Com-Vlan-interface2] quit
c Configure the ID, the contact of the administrator, and the location of the switch.
[3Com] snmp-agent sys-info contact Mr.Wang-Tel:3306
[3Com] snmp-agent sys-info location telephone-closet,3rd-floor
d Enable the device to send Traps to the NMS with the IP address 129.102.149.23/16,
using public as the community name.
[3Com] snmp-agent trap enable
[3Com] snmp-agent target-host trap address udp-domain 129.102.149.23
udp-port 5000 params securityname public
2 Configure SNMP NMS
SNMPv3 uses the "authentication and privacy" security model. On the NMS, you need to
specify the user name and security level and, based on that level, configure the
authentication mode, authentication password, privacy mode, and privacy password. In
addition, the timeout and the number of retries should also be configured. You can then
query and configure the switch through the NMS. For detailed information, refer to the
NMS manuals.
The configurations on the device and the NMS must be consistent before you can
perform the related operations.
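The two pieces of the SNMP machinery this chapter relies on, the dotted OID path from the MIB tree and the GetRequest an NMS sends with a community string, are shown below in working form. This is an example added by the editor, not code from the 3Com guide, and it uses only the Python standard library; the community public and the sysDescr OID 1.3.6.1.2.1.1.1.0 are the guide's illustrative values, and the request-id is an assumption.

```python
"""Added example (not code from the 3Com guide): BER-encode an SNMPv2c
GetRequest for one OID and parse it back, showing how the dotted path from
the MIB tree is carried on the wire.  The community 'public' and the sysDescr
OID are the guide's illustrative values; the request-id is an assumption."""


def encode_oid(oid: str) -> bytes:
    """BER content octets of an OBJECT IDENTIFIER (X.690 8.19): the first two
    sub-identifiers are folded into 40*a+b, the rest are base-128 with the
    high bit set on every byte but the last."""
    parts = [int(p) for p in oid.strip(".").split(".")]
    if len(parts) < 2 or parts[0] > 2 or (parts[0] < 2 and parts[1] > 39):
        raise ValueError(f"invalid OID: {oid}")
    out = bytearray()
    for sub in [parts[0] * 40 + parts[1]] + parts[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return bytes(out)


def decode_oid(data: bytes) -> str:
    """Inverse of encode_oid; rejects a sub-identifier cut off mid-way."""
    subids, value, pending = [], 0, False
    for b in data:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("truncated OID")
    first = min(subids[0] // 40, 2)          # arcs 0 and 1 hold at most 39
    return ".".join(map(str, [first, subids[0] - first * 40] + subids[1:]))


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c message (version field 1) wrapping a GetRequest-PDU (tag 0xA0)
    with one variable binding whose value is NULL, as sent to UDP port 161."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)  # req-id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(data: bytes):
    """Split the first TLV off data -> (tag, content, remainder)."""
    tag, first = data[0], data[1]
    if first & 0x80:
        nlen = first & 0x7F
        length, start = int.from_bytes(data[2:2 + nlen], "big"), 2 + nlen
    else:
        length, start = first, 2
    if start + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[start:start + length], data[start + length:]


def parse_get_request(msg: bytes) -> dict:
    """Walk the nesting back out: message -> PDU -> varbind list -> first OID."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, body = read_tlv(body)
    _, community, body = read_tlv(body)
    pdu_tag, pdu, _ = read_tlv(body)
    _, req_id, pdu = read_tlv(pdu)
    _, _, pdu = read_tlv(pdu)                 # error-status
    _, _, pdu = read_tlv(pdu)                 # error-index
    _, vblist, _ = read_tlv(pdu)
    _, varbind, _ = read_tlv(vblist)
    _, oid, _ = read_tlv(varbind)
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(), "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oid": decode_oid(oid)}
```

Sending snmp_get_request("public", "1.3.6.1.2.1.1.1.0") to UDP port 161 of the agent configured above returns a GetResponse whose varbind carries the sysDescr string; read_tlv unpacks it the same way. The community string sits in clear text between the version and the PDU, so anyone who can capture the segment can replay it with write access if it is the write community, which is the reason to prefer the SNMPv3 user of step a.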
50 RMON CONFIGURATION
When configuring RMON, use the following table to identify where to go for the
information of interest.

Introduction

RMON is implemented on top of the simple network management protocol (SNMP) and
is fully compatible with the existing SNMP framework, so no modification to SNMP is
needed to support it.
RMON provides an efficient means of monitoring subnets and allows SNMP to monitor
remote network devices in a more proactive and effective way. It reduces traffic between
the network management station (NMS) and the agent, which facilitates the management
of large networks.
RMON comprises two parts: NMSs and agents running on network devices.
■ Each RMON NMS administers the agents within its administrative domain.
■ An RMON agent resides on a network monitor or probe attached to an interface. It
monitors and gathers information about the traffic on the network segment connected
to that interface, for example statistics about packets over a specified period or the
number of good packets sent to a host.
■ Using RMON probes, NMSs obtain management information from the probes
directly and control network resources. In this approach, RMON NMSs can obtain all
RMON MIB information.
■ Embedding RMON agents in network devices such as routers, switches, and hubs,
which then provide the RMON probe function. RMON NMSs exchange data with these
SNMP agents using basic SNMP commands to gather network management information.
Because of system resource limitations, such agents usually do not implement all RMON
MIB information but only four groups: alarm, event, history, and statistics.
By using RMON-enabled SNMP agents on network monitors, an NMS can obtain
information about traffic volume, error statistics, and performance statistics for network
management.
RMON Groups

RMON categorizes objects into groups. This section describes only the major
implemented groups.
Event group
The event group defines event indexes and controls the generation and notifications of
the events triggered by the alarms defined in the alarm group and the private alarm
group. The events can be handled in one of the following ways:
■ Logging events in the event log table
■ Sending traps to NMSs
■ Both logging and sending traps
Alarm group
The RMON alarm group monitors specified alarm variables, such as statistics on a port. If
the monitored variable crosses a threshold, an event is triggered. The event is then
handled as defined in the event group.
The following is how the system handles entries in the RMON alarm table:
If a monitored variable crosses the same threshold multiple times, only the first crossing
generates an alarm event; another event for that threshold is generated only after the
opposite threshold has been crossed.
System handles the prialarm alarm table entry (as defined by the user) in the following
ways:
Note that each value provided by the group is a cumulative sum during a sampling
period.
Unlike values provided by the history control group, each value provided in this group is a
cumulative sum counted starting from the creation of a valid event entry.
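The rising/falling threshold rule above (only the first crossing of a threshold raises an event, and the same threshold cannot fire again until the opposite one has been crossed) is easy to get wrong when reproducing RMON logic in a monitoring tool, so here it is as an added Python example written by the editor, not code from the 3Com guide. The event indexes, thresholds and counter readings are constructed for illustration, and the variable name etherStatsBroadcastPkts.1 is only a label.

```python
"""Added example (not code from the 3Com guide): RMON alarm-table semantics
(RFC 2819 alarmTable) driven by an event table, run over constructed counter
readings.  Thresholds, event indexes and readings are illustrative."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonEvent:
    """One row of the RMON event table: log, trap, log-trap or none."""
    index: int
    action: str                     # "log" | "trap" | "log-trap" | "none"
    description: str = ""
    log: List[str] = field(default_factory=list)
    traps_sent: int = 0

    def fire(self, detail: str) -> None:
        if self.action in ("log", "log-trap"):
            self.log.append(detail)            # event log table entry
        if self.action in ("trap", "log-trap"):
            self.traps_sent += 1               # would be an SNMP trap to the NMS


@dataclass
class RmonAlarm:
    """One row of the RMON alarm table."""
    variable: str
    sample_type: str                # "absolute" | "delta"
    rising: int
    rising_event: RmonEvent
    falling: int
    falling_event: RmonEvent
    startup: str = "rising-or-falling"      # which thresholds the first sample may fire
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _prev: Optional[int] = field(default=None, init=False, repr=False)
    _rising_armed: bool = field(default=True, init=False, repr=False)
    _falling_armed: bool = field(default=True, init=False, repr=False)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading of the monitored variable; return the event kind fired, if any."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw
                return None                    # a delta needs two readings
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        fired = None
        if self._prev is None:
            # startup alarm: the first sample may fire without an observed crossing
            if value >= self.rising and self.startup in ("rising", "rising-or-falling"):
                fired = "rising"
            elif value <= self.falling and self.startup in ("falling", "rising-or-falling"):
                fired = "falling"
        elif value >= self.rising and self._prev < self.rising and self._rising_armed:
            fired = "rising"
        elif value <= self.falling and self._prev > self.falling and self._falling_armed:
            fired = "falling"
        if fired == "rising":
            # the rising threshold stays disarmed until the falling one is crossed
            self._rising_armed, self._falling_armed = False, True
            self.rising_event.fire(f"{self.variable} rose to {value} >= {self.rising}")
        elif fired == "falling":
            self._rising_armed, self._falling_armed = True, False
            self.falling_event.fire(f"{self.variable} fell to {value} <= {self.falling}")
        self._prev = value
        return fired


def run_demo() -> Tuple[List[Tuple[int, Optional[str]]], RmonEvent, RmonEvent]:
    """Constructed readings of a port's broadcast-packet counter, one per sampling
    interval; the delta between readings is compared with the thresholds."""
    readings = [0, 50, 700, 1500, 1600, 1620, 2400]
    rise = RmonEvent(1, "log-trap", "broadcast storm")
    fall = RmonEvent(2, "log", "storm cleared")
    alarm = RmonAlarm("etherStatsBroadcastPkts.1", "delta", 500, rise, 100, fall,
                      startup="rising")
    return [(r, alarm.sample(r)) for r in readings], rise, fall
```

In the demo the deltas are 50, 650, 800, 100, 20, 780: the 650 fires the rising event, the 800 does not (same threshold, not re-armed), the 100 fires the falling event, and only then can the 780 fire a rising event again. An NMS that counts raw threshold crossings instead would report two storms where RMON reports one.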
Configuring RMON

Configuration Prerequisites

Before configuring RMON, configure the SNMP agent as described in the "SNMP
Configuration" part.

Configuration Procedure

Table 324 Follow these steps to configure RMON:
To do…                                        Use the command…                                                                 Remarks
Enter system view                             system-view                                                                      —
Create an event entry in the event table      rmon event event-entry [ description string ] { log | trap trap-community |      Required
                                              log-trap log-trapcommunity | none } [ owner text ]
Enter Ethernet interface view                 interface interface-type interface-number                                        —
Create an entry in the history table          rmon history entry-number buckets number interval sampling-interval              Optional
                                              [ owner text-string ]
Create an entry in the statistics table       rmon statistics entry-number [ owner text-string ]                               Optional
Exit Ethernet interface view                  quit                                                                             Required
Create an entry in the alarm table            rmon alarm entry-number alarm-variable sampling-time { absolute | delta }        Optional
                                              rising-threshold threshold-value1 event-entry1 falling-threshold
                                              threshold-value2 event-entry2 [ owner text ]
Create an entry in the private alarm table    rmon prialarm entry-number prialarm-formula prialarm-des sampling-timer          Optional
                                              { absolute | changeratio | delta } rising_threshold threshold-value1
                                              event-entry1 falling_threshold threshold-value2 event-entry2
                                              entrytype { forever | cycle cycle-period } [ owner text ]
Displaying and Maintaining RMON

Table 325 Displaying and Maintaining RMON
To do…                               Use the command…                                              Remarks
Display RMON statistics              display rmon statistics [ interface-type interface-number ]   Available in any view
Display RMON history information     display rmon history [ interface-type interface-number ]      Available in any view
Display RMON alarm information       display rmon alarm [ alarm-entry-number ]                     Available in any view
Display RMON prialarm information    display rmon prialarm [ prialarm-entry-number ]               Available in any view
Display RMON events                  display rmon event [ event-entry-number ]                     Available in any view
Display RMON event log               display rmon eventlog [ event-number ]                        Available in any view
Create an entry in the RMON Ethernet statistics table to gather statistics on an Ethernet
port for NMS query.
Network diagram
[Figure: the NMS reaches the agent (the switch) over the Internet through the switch's network port; a terminal is attached to the switch's console port.]
Configuration procedure
1 Configure RMON to gather statistics for interface GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] rmon statistics 1 owner user1-rmon
2 Display RMON statistics for interface GigabitEthernet 1/0/1.
<3Com> display rmon statistics GigabitEthernet 1/0/1
Statistics entry 1 owned by user1-rmon is VALID.
Gathers statistics of interface GigabitEthernet1/0/1. Received:
octets : 270149 , packets : 1954
broadcast packets :1570 , multicast packets :365
undersized packets :0 , oversized packets:0
fragments packets :0 , jabbers packets :0
CRC alignment errors:0 , collisions :0
Dropped packet events (due to lack of resources):0
Packets received according to length (in octets):
64 :644 , 65-127 :518 , 128-255 :688
256-511:101 , 512-1023:3 , 1024-1518:0
51 NTP CONFIGURATION
NTP Overview

Defined in RFC 1305, the network time protocol (NTP) synchronizes timekeeping among
distributed time servers and clients. NTP runs over the user datagram protocol (UDP),
using port 123.
The purpose of using NTP is to keep consistent timekeeping among all clock-dependent
devices within the network so that the devices can provide diverse applications based on
the consistent time.
For a local system running NTP, its time can be synchronized by other reference sources
and it can in turn be used as a reference source to synchronize other clocks.
Applications of NTP

NTP is used when all devices within the network must be consistent in timekeeping, for
example:
■ When analyzing the log information and debugging information collected from different
devices in network management, time must be used as the reference basis.
■ All devices must use the same reference clock in a charging system.
■ To implement certain functions, such as a scheduled restart of all devices within the
network, all devices must be consistent in timekeeping.
■ When multiple systems process a complex event in cooperation, these systems must
use the same reference clock to ensure the correct execution sequence.
■ For incremental backup between a backup server and clients, timekeeping must be
synchronized between the backup server and all the clients.
An administrator cannot keep synchronized time among all the devices within
a network by changing the system clock on each station: this is a huge amount
of work and cannot guarantee clock precision. NTP, however, allows quick clock
synchronization within the entire network while ensuring a high clock precision.
Advantages of NTP:
■ NTP uses a stratum to describe the clock precision, and is able to synchronize time
among all devices within the network.
■ NTP supports access control and MD5 authentication.
■ NTP can unicast, multicast, or broadcast protocol messages.
How NTP Works

Figure 126 shows the basic work flow of NTP. Device 1 and Device 2 are interconnected
over a network. They have their own independent system clocks, which need to be
automatically synchronized through NTP. For an easy understanding, we assume that:
■ Prior to system clock synchronization between Device 1 and Device 2, the clock of
Device 1 is set to 10:00:00 am while that of Device 2 is set to 11:00:00 am.
■ Device 2 is used as the NTP time server, namely Device 1 synchronizes its clock to that of
Device 2.
■ It takes 1 second for an NTP message to travel from one device to the other.
[Figure 126: Basic work flow of NTP, in four steps]
1. Device 1 sends an NTP message to Device 2, carrying the timestamp T1 = 10:00:00 am at
which the message left Device 1.
2. The message reaches Device 2, which adds its own receive timestamp T2 = 11:00:01 am.
3. Device 2 sends the message back, adding the timestamp T3 = 11:00:02 am at which the
reply left Device 2.
4. Device 1 receives the reply and records T4 = 10:00:03 am by its own clock (2 seconds of
travel plus 1 second spent at Device 2).
Up to now, Device 1 has sufficient information to calculate the following two important
parameters:
Round-trip delay of the NTP message: Delay = (T4-T1) - (T3-T2) = 2 seconds.
Time difference between Device 1 and Device 2: Offset = ((T2-T1) + (T3-T4))/2 = 1 hour.
Based on these parameters, Device 1 can synchronize its own clock to the clock of
Device 2.
This is only a brief description of the work mechanism of NTP. For details, refer to
RFC 1305.
NTP Message Format

NTP uses two types of messages, clock synchronization messages and NTP control
messages. An NTP control message is used in environments where network management
is needed. As it is not required for clock synchronization, it is not discussed in this
document.
All NTP messages mentioned in this document refer to NTP clock synchronization
messages, whose fields are as follows:
■ LI: 2-bit leap indicator. When set to 11, it warns of an alarm condition (clock
unsynchronized); when set to any other value, it is not to be processed by NTP.
■ VN: 3-bit version number, indicating the version of NTP. The version described in this guide is version 3.
■ Mode: a 3-bit code indicating the work mode of NTP. This field can be set to these
values: 0 – reserved; 1 – symmetric active; 2 – symmetric passive; 3 – client; 4 – server;
5 – broadcast or multicast; 6 – NTP control message; 7 – reserved for private use.
■ Stratum: an 8-bit integer indicating the stratum level of the local clock, with the value
ranging 1 to 16. The clock precision decreases from stratum 1 to stratum 16. A
stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized
and cannot be used as a reference clock.
■ Poll: 8-bit signed integer indicating the poll interval, namely the maximum interval
between successive messages.
■ Precision: an 8-bit signed integer indicating the precision of the local clock.
■ Root Delay: round-trip delay to the primary reference source.
■ Root Dispersion: the maximum error of the local clock relative to the primary
reference source.
■ Reference Identifier: Identifier of the particular reference source.
■ Reference Timestamp: the local time at which the local clock was last set or corrected.
■ Originate Timestamp: the local time at which the request departed the client for the
service host.
■ Receive Timestamp: the local time at which the request arrived at the service host.
■ Transmit Timestamp: the local time at which the reply departed the service host for
the client.
■ Authenticator: authentication information.
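Added example, written by the editor and not part of the 3Com guide: packing and parsing the 48-byte header laid out above, then computing the offset and delay of the Device 1 / Device 2 exchange from the four timestamps. The four clock readings are the guide's; the calendar date, the reference identifier GPS, the stratum values and the poll/precision values are assumptions. The check in usable_reference applies the two rules stated above (LI = 11 means an unsynchronized alarm, stratum 16 cannot serve as a reference).

```python
"""Added example (not code from the 3Com guide): build and parse the 48-byte NTP
header described above and compute offset/delay from the four timestamps.
Dates, reference identifier and stratum values are assumptions."""
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast/multicast", 6: "control", 7: "private"}


def to_ntp_ts(dt: datetime) -> int:
    """Aware datetime -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    secs, frac = divmod((dt - NTP_EPOCH).total_seconds(), 1)
    return (int(secs) << 32) | int(frac * (1 << 32))


def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> seconds since 1900 as a float."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_header(li: int, vn: int, mode: int, stratum: int, ref_id: bytes,
                 ref_ts: int, orig_ts: int, recv_ts: int, xmit_ts: int,
                 poll: int = 6, precision: int = -20) -> bytes:
    """Pack the header fields in wire order (root delay/dispersion left at 0,
    authenticator omitted)."""
    first = (li << 6) | (vn << 3) | mode
    return (struct.pack("!BBbbII", first, stratum, poll, precision, 0, 0)
            + ref_id[:4].ljust(4, b"\0")
            + struct.pack("!QQQQ", ref_ts, orig_ts, recv_ts, xmit_ts))


def parse_header(pkt: bytes) -> dict:
    """Unpack the header; rejects a packet shorter than the fixed 48 bytes."""
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes")
    first, stratum, poll, precision, root_delay, root_disp = struct.unpack("!BBbbII", pkt[:12])
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack("!QQQQ", pkt[16:48])
    return {"li": first >> 6, "vn": (first >> 3) & 7, "mode": first & 7,
            "mode_name": MODES[first & 7], "stratum": stratum, "poll": poll,
            "precision": precision, "root_delay": root_delay, "root_dispersion": root_disp,
            "ref_id": pkt[12:16], "ref_ts": ref_ts, "orig_ts": orig_ts,
            "recv_ts": recv_ts, "xmit_ts": xmit_ts}


def usable_reference(hdr: dict) -> bool:
    """A reply is not a usable reference if LI is the alarm value 3 (unsynchronized),
    the stratum is outside 1..15 (16 = unsynchronized) or the mode is not server."""
    return hdr["li"] != 3 and 1 <= hdr["stratum"] <= 15 and hdr["mode"] == 4


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 1305 clock offset and round-trip delay from the four timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def exchange() -> dict:
    """Replay the Device 1 / Device 2 exchange with the guide's clock readings."""
    t1 = datetime(2006, 10, 1, 10, 0, 0, tzinfo=timezone.utc)   # Device 1 sends (its clock)
    t2 = datetime(2006, 10, 1, 11, 0, 1, tzinfo=timezone.utc)   # Device 2 receives (its clock)
    t3 = t2 + timedelta(seconds=1)                               # Device 2 replies
    t4 = t1 + timedelta(seconds=3)                               # Device 1 receives (its clock)
    request = build_header(0, 3, 3, 0, b"\0\0\0\0", 0, 0, 0, to_ntp_ts(t1))
    req = parse_header(request)
    # The server copies the client's Transmit Timestamp into Originate and stamps
    # Receive and Transmit with its own clock.
    reply = build_header(0, 3, 4, 2, b"GPS\0", to_ntp_ts(t2), req["xmit_ts"],
                         to_ntp_ts(t2), to_ntp_ts(t3))
    hdr = parse_header(reply)
    offset, delay = offset_and_delay(from_ntp_ts(hdr["orig_ts"]), from_ntp_ts(hdr["recv_ts"]),
                                     from_ntp_ts(hdr["xmit_ts"]), from_ntp_ts(to_ntp_ts(t4)))
    return {"reply": hdr, "usable": usable_reference(hdr),
            "offset_s": offset, "delay_s": delay}
```

The offset comes out as exactly 3600 seconds and the delay as 2 seconds, matching the figure. Note that nothing in the header itself proves who sent it; without the Authenticator field and the MD5 authentication listed under the advantages of NTP, any host that can answer on UDP port 123 can supply these timestamps.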
Operation Modes of NTP

A network device can get its clock synchronized in one of the following two ways:
■ Synchronized to the local clock, which acts as the reference source.
■ Synchronized to another device on the network in any of the NTP operation modes
described below.
After the 3Com Switch 4500G has been synchronized, it can work in symmetric peers
mode, broadcast server mode and multicast mode. Devices running NTP can
implement clock synchronization in one of the following modes:
Server/client mode
When working in the server/client mode, a client sends a clock synchronization message
to servers, with the Mode field in the message set to 3 (client mode). Upon receiving the
message, the servers automatically work in the server mode and send a reply, with the
Mode field in the messages set to 4 (server mode). Upon receiving the replies from the
servers, the client performs clock filtering and selection, and synchronizes its local clock
to that of the optimal reference source.
In this mode, a client can be synchronized to a server, but not vice versa.
Broadcast mode
In the broadcast mode, a server periodically sends clock synchronization messages to the
broadcast address 255.255.255.255, with the Mode field in the messages set to 5
(broadcast mode). Clients listen to the broadcast messages from servers. After a client
receives the first broadcast message, the client and the server start to exchange
messages, with the Mode field set to 3 (client mode) and 4 (server mode) to calculate the
network delay between client and the server. Then, the client enters the broadcast client
mode and continues listening to broadcast messages, and synchronizes its local clock
based on the received broadcast messages.
Multicast mode
In the multicast mode, a server periodically sends clock synchronization messages to the
user-configured multicast address, or, if no multicast address is configured, to the default
NTP multicast address 224.0.1.1, with the Mode field in the messages set to 5 (multicast
mode). Clients listen to the multicast messages from servers. After a client receives the
first multicast message, the client and the server start to exchange messages, with the
Mode field set to 3 (client mode) and 4 (server mode) to calculate the network delay
between client and the server. Then, the client enters the multicast client mode and
continues listening to multicast messages, and synchronizes its local clock based on the
received multicast messages.
Configuring the Operation Modes of NTP

Devices can implement clock synchronization in one of the following modes:
■ Server/client mode
■ Symmetric mode
■ Broadcast mode
■ Multicast mode
For the server/client mode or symmetric mode, you need to configure only clients or
symmetric-active peers; for the broadcast or multicast mode, you need to configure both
servers and clients.
A single device can have a maximum of 128 connections at the same time, including
static connections and dynamic connections. A static connection refers to a connection
that a user has manually created by using an NTP command, while a dynamic connection
is a temporary connection created by the system during operation. A dynamic
connection is removed if the system receives no messages from it for a specified period
of time. In the server/client mode, for example, when you carry out a command to
synchronize the time to a server, the system will create a static connection, and the server
will just respond passively upon the receipt of a message, rather than creating a
connection (static or dynamic). In the broadcast or multicast mode, static connections
will be created at the server side, and dynamic connections will be created at the client
side.
Configuring NTP Server/Client Mode
For devices working in the server/client mode, you only need to make configurations on
the clients, and not on the servers.
■ A device can act as a server to synchronize the clock of other devices only after its
clock has been synchronized. If the clock of a server has a stratum level higher than or
equal to that of a client’s clock, the client will not synchronize its clock to the server’s.
■ You can configure multiple servers by repeating the ntp-service
unicast-server command. The clients will choose the optimal reference source.
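The Mode and stratum fields described in the operation-mode sections above are the two values an operator most often needs when checking NTP traffic on the wire, and the stratum rule in the server/client notes decides whether a client will use a server at all. The following Python is an added example, not code from the manual or from 3Com: it builds and decodes the 48-byte NTP header, applies the stratum rule (a server at the same or higher stratum, or an unsynchronized one, is not used), and labels mode-5 (broadcast/multicast) packets whose source is not one of the configured broadcast or multicast servers. The packets and the server allow-list are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Mode field values of the NTP header; the manual names 3, 4 and 5.
MODE_NAMES = {
    1: "symmetric-active",
    2: "symmetric-passive",
    3: "client",
    4: "server",
    5: "broadcast",  # also used for multicast: server to the group address
}

UNSYNCHRONIZED_STRATUM = 16  # what "display ntp-service status" shows before sync


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int

    @property
    def mode_name(self) -> str:
        return MODE_NAMES.get(self.mode, f"unknown({self.mode})")


def build_ntp_header(version: int, mode: int, stratum: int,
                     poll: int = 6, precision: int = -18, leap: int = 0) -> bytes:
    """Assemble a 48-byte NTP header (constructed packet: only the first four
    bytes carry the fields inspected here; the timestamp fields stay zero)."""
    first = ((leap & 0x3) << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    return struct.pack("!BBbb", first, stratum, poll, precision) + bytes(44)


def parse_ntp_header(pkt: bytes) -> NtpHeader:
    """Decode LI, version, mode, stratum, poll and precision from the first four bytes."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    first, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    return NtpHeader(leap=first >> 6, version=(first >> 3) & 0x7,
                     mode=first & 0x7, stratum=stratum, poll=poll,
                     precision=precision)


def server_is_usable(server_stratum: int, client_stratum: int) -> bool:
    """The manual's rule: a client does not synchronize to a server whose stratum
    is higher than or equal to its own, and a server can only serve once its
    own clock is synchronized (stratum 1..15; 0 and 16 mean unsynchronized)."""
    if not 1 <= server_stratum <= 15:
        return False
    return server_stratum < client_stratum


def classify(src_ip: str, pkt: bytes, expected_servers: set) -> str:
    """Monitoring helper: label a captured packet by mode and flag
    broadcast/multicast-mode packets whose source is not one of the
    configured broadcast or multicast servers (a constructed allow-list)."""
    hdr = parse_ntp_header(pkt)
    if hdr.mode == 5:
        if src_ip in expected_servers:
            return f"broadcast/multicast from expected server {src_ip}"
        return f"broadcast/multicast from unexpected source {src_ip}"
    return f"{hdr.mode_name} packet from {src_ip}"
```

A client that is still unsynchronized reports stratum 16, which is why `server_is_usable(2, 16)` holds while `server_is_usable(3, 3)` does not; the second case is the situation the manual warns about, where a client silently never synchronizes.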
Configuring the NTP Symmetric Mode
For devices working in the symmetric mode, you only need to make configurations on
the symmetric-active device, and not on symmetric-passive devices.
Configuring NTP Broadcast Mode
For devices working in the broadcast mode, you need to configure both the server and
clients. The broadcast server periodically sends NTP broadcast messages to the broadcast
address 255.255.255.255. Because an interface needs to be specified on the broadcast
server for sending NTP broadcast messages and an interface also needs to be specified
on each broadcast client for receiving broadcast messages, the NTP broadcast mode can
be configured only in the specific interface view.
A broadcast server can synchronize broadcast clients only after its clock has been
synchronized.
Configuring NTP Multicast Mode
For devices working in the multicast mode, you need to configure both the server and
clients. The multicast server periodically sends NTP multicast messages to multicast
clients. The NTP multicast mode must be configured in the specific interface view. You
can configure a maximum of 1,024 multicast clients, among which 128 can take effect
at the same time.
Table 331:

To do: Enter system view
Command: system-view
Remarks: —

To do: Enter interface view (the interface used to send NTP multicast messages)
Command: interface interface-type interface-number
Remarks: Required

To do: Configure the device to work in the NTP multicast server mode
Command: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ]*
Remarks: Required
A multicast server can synchronize multicast clients only after its clock has been
synchronized.
Configuring Optional Parameters of NTP
Configuring the Interface to Send NTP Messages
Follow these steps to configure the interface used to send NTP messages:
Table 332 Configuring the Interface to Send NTP Messages
Disabling an Interface from Receiving NTP Messages
Follow these steps to disable an interface from receiving NTP messages:
Table 333 Disabling an Interface from Receiving NTP Messages
Configuring the Allowable Maximum Number of Dynamic Sessions
Follow these steps to configure the allowable maximum number of dynamic sessions:
Table 334 Configuring the Allowable Maximum Number of Dynamic Sessions

To do: Enter system view
Command: system-view
Remarks: —

To do: Configure the allowable maximum number of dynamic sessions
Command: ntp-service max-dynamic-sessions number
Remarks: Required. 100 by default.
Configuring Access-Control Rights
With the following command, you can configure the NTP service access-control right to
the local device. There are four access-control rights, as follows:
■ query: control query permitted. This level of right permits the peer device to perform
control query to the NTP service on the local device but does not permit the peer
device to synchronize its clock to the local device. The so-called “control query” refers
to query of some states of the NTP service, including alarm information,
authentication status, clock source information, and so on.
■ synchronization: server access only. This level of right permits the peer device to
synchronize its clock to the local device but does not permit the peer device to
perform control query.
■ server: server access and query permitted. This level of right permits the peer device
to perform synchronization and control query to the local device but does not permit
the local device to synchronize its clock to the peer device.
■ peer: full access. This level of right permits the peer device to perform
synchronization and control query to the local device and also permits the local device
to synchronize its clock to the peer device.
The access-control rights, from the highest to the lowest, are peer, server,
synchronization, and query. When a device receives an NTP request, it performs an
access-control right match in that order and uses the first right whose ACL matches.
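The four rights above form a strict ladder, and the first-match rule means that a broad ACL on a low right does not override a narrow ACL on a higher one. The following Python is an added example, not code from the manual or from 3Com, that models the ladder: each right is associated with a list of networks standing in for its ACL, rights are tried from peer down to query, and the three permissions the manual defines for each right are looked up for the first match. The rule set and addresses are constructed, and the choice to deny a peer that matches no ACL is an assumption (the manual does not state the unmatched default), so the example fails closed.

```python
import ipaddress

# The manual's ordering, highest right first.
RIGHT_ORDER = ["peer", "server", "synchronization", "query"]

# What each right permits, taken from the manual's four definitions.
PERMITS = {
    "peer":            {"sync_to_local": True,  "control_query": True,  "local_sync_to_peer": True},
    "server":          {"sync_to_local": True,  "control_query": True,  "local_sync_to_peer": False},
    "synchronization": {"sync_to_local": True,  "control_query": False, "local_sync_to_peer": False},
    "query":           {"sync_to_local": False, "control_query": True,  "local_sync_to_peer": False},
}


def matched_right(rules, peer_ip):
    """rules: {right: [networks]}, the ACL associated with each right.
    Rights are tried from highest to lowest and the first whose ACL contains
    the peer's address wins, as the manual describes; None if nothing matches."""
    addr = ipaddress.ip_address(peer_ip)
    for right in RIGHT_ORDER:
        nets = rules.get(right, [])
        if any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
            return right
    return None


def is_permitted(rules, peer_ip, operation):
    """Assumption: a peer that matches no ACL gets nothing (fail closed)."""
    right = matched_right(rules, peer_ip)
    if right is None:
        return False
    return PERMITS[right][operation]


def audit(rules, peers):
    """For each peer, the effective right and its three permissions; useful when
    reviewing whether 'peer' (full access) is granted more widely than intended."""
    report = {}
    for ip in peers:
        right = matched_right(rules, ip)
        report[ip] = (right, {op: is_permitted(rules, ip, op) for op in PERMITS["peer"]})
    return report


# Constructed rule set: a wide query ACL, a narrow peer ACL inside it, and a
# synchronization ACL for a separate management range.
RULES = {
    "query": ["10.0.0.0/8"],
    "peer": ["10.1.1.0/24"],
    "synchronization": ["192.168.0.0/16"],
}
```

With these rules 10.1.1.5 gets peer even though it also falls inside the query ACL, because peer is tried first; 10.2.0.9 only gets query, so it may inspect NTP state but never feeds time into the device.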
Configuration Prerequisites
Prior to configuring the NTP service access-control right to the local device, you need to
create and configure an ACL associated with the access-control right.
Configuration Procedure
Follow these steps to configure the NTP service access-control right to the local device:
Table 335 Configure the NTP Service Access-control
Configuring NTP Authentication
The NTP authentication feature should be enabled for a system running NTP in a network
where there is a high security demand. This feature enhances the network security by
means of client-server key authentication, which prohibits a client from synchronizing
with a device that has failed authentication.
When configuring the NTP authentication feature, pay attention to the following
principles:
■ In the server/client mode, if the NTP authentication feature has not been enabled for
the client, the client can synchronize with the server regardless of whether the NTP
authentication feature has been enabled for the server.
■ For all synchronization modes, when you enable the NTP authentication feature, you
should configure an authentication key and specify it as a trusted key. Namely, the
ntp-service authentication enable command must work together with
the ntp-service authentication-keyid command and the ntp-service
reliable authentication-keyid command.
■ For all synchronization modes, the server side and the client side must be consistently
configured.
■ If the NTP authentication is enabled on a client, the client can be synchronized only to
a server that can provide a trusted authentication key.
■ After you enable the NTP authentication feature for the client, make sure that you
configure for the client an authentication key that is the same as on the server and
specify that the authentication is trusted; otherwise, the client cannot be
synchronized to the server. For the server/client mode or symmetric mode, you need
to associate the specified authentication key on the client (symmetric-active peer if in
the symmetric peers mode) with the corresponding NTP server (symmetric-passive
peer if in the symmetric peers mode). In these two modes, multiple servers may have
been specified on a client, so the authentication key will be used to determine the
server to which the client is to be synchronized.
■ For the broadcast server mode or multicast server mode, you need to associate the
specified authentication key on the broadcast server or multicast server with the
corresponding NTP server.
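The principles above reduce to three checks on the client: the key id in the packet must be configured, it must have been declared trusted, and the digest must verify; and if authentication is not enabled on the client at all, none of this runs. The following Python is an added example, not code from the manual or from 3Com, that performs those checks on a constructed 68-byte authenticated NTP packet. It assumes that the manual's authentication-mode md5 computes the standard NTPv3/v4 symmetric-key digest, MD5 over the key followed by the 48-byte header, with a 4-byte key identifier in between; key id 42 and the key aNiceKey are taken from the manual's own configuration examples, key id 7 is an extra key invented for the demonstration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48
AUTH_LEN = 4 + 16          # key identifier + MD5 digest


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """MD5 over key || header, the symmetric-key digest NTPv3/v4 use;
    assumed to be what the manual's 'authentication-mode md5' computes."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, keyid: int, key: bytes) -> bytes:
    """Server side: append the key id and the digest to the 48-byte header."""
    return header + struct.pack("!I", keyid) + ntp_md5_mac(key, header)


def verify(packet: bytes, keys: dict, trusted: set):
    """Client side, following the manual's rules: the key id must be configured
    (ntp-service authentication-keyid), declared trusted (ntp-service reliable
    authentication-keyid), and the digest must match. Returns (accepted, reason)."""
    if len(packet) != HEADER_LEN + AUTH_LEN:
        return False, "no authenticator"
    header = packet[:HEADER_LEN]
    keyid = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    mac = packet[HEADER_LEN + 4:]
    key = keys.get(keyid)
    if key is None:
        return False, "unknown key id"
    if keyid not in trusted:
        return False, "key not trusted"
    if not hmac.compare_digest(ntp_md5_mac(key, header), mac):
        return False, "bad digest"
    return True, "ok"


def client_may_sync(auth_enabled: bool, packet: bytes, keys: dict, trusted: set) -> bool:
    """First principle in the list above: with authentication disabled on the
    client it synchronizes regardless of what the server sent."""
    if not auth_enabled:
        return True
    return verify(packet, keys, trusted)[0]


# Constructed example values. Key id 42 / "aNiceKey" come from the manual's
# configuration examples; key id 7 is an extra, untrusted key for this demo.
SERVER_HEADER = bytes([0x1c]) + bytes(47)      # LI 0, version 3, mode 4 (server)
CLIENT_KEYS = {42: b"aNiceKey", 7: b"spareKey"}
TRUSTED = {42}
```

Note that a key which is configured but not declared trusted (key id 7 here) is rejected before the digest is even compared, which is exactly why the manual insists that ntp-service authentication-keyid and ntp-service reliable authentication-keyid are used together.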
Displaying and Maintaining NTP
Table 338 Displaying and Maintaining NTP

To do: View the information of NTP service status
Command: display ntp-service status

To do: View the information of NTP sessions
Command: display ntp-service sessions [ verbose ]

To do: View the brief information of the NTP servers from the local device back to the primary reference source
Command: display ntp-service trace
NTP Configuration Examples
The 3Com Switch 4500G cannot configure the local clock as a reference source for other
devices.
Network diagram (figure; caption not recovered): Device1, VLAN-interface2, 1.0.1.11/24; Device2, VLAN-interface2, 1.0.1.12/24.
Configuration procedure
1 Configuration on Device 1:
Specify the local clock as the reference source, with the stratum level of 2.
2 Configuration on Device 2:
a View the NTP status of Device 2 before clock synchronization.
<Device2> display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequence: 100.0000 Hz
Actual frequence: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
Network diagram
Figure 129 Network diagram for NTP symmetric peers mode configuration (figure): Device3, VLAN-interface2, 3.0.1.31/24; Device4, VLAN-interface2, 3.0.1.32/24; Device5, VLAN-interface2, 3.0.1.33/24.
Configuration procedure
1 Configuration on Device 3:
Specify the local clock as the reference source, with the stratum level of 2.
2 Configuration on Device 4:
Specify Device 3 as the NTP server of Device 4.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service unicast-server 3.0.1.31
3 Configuration on Device 5 (after Device 4 is synchronized to Device 3):
Specify the local clock as the reference source, with the stratum level of 1.
4 Configure Device 4 as a symmetric peer after local synchronization.
[Device5] ntp-service unicast-peer 3.0.1.32
In the step above, Device 4 and Device 5 are configured as symmetric peers, with Device
5 in the symmetric-active mode and Device 4 in the symmetric-passive mode. Because
the stratum level of Device 5 is 1 while that of Device 4 is 3, Device 4 is synchronized to
Device 5.
5 View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 2
Reference clock ID: 3.0.1.33
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: -21.1982 ms
Root delay: 15.00 ms
Root dispersion: 775.15 ms
Peer dispersion: 34.29 ms
Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)
As shown above, Device 4 has been synchronized to Device 5, and the clock stratum
level of Device 4 is 2, while that of Device 5 is 1.
6 View the NTP session information of Device 4, which shows that an association has been
set up between Device 4 and Device 5.
[Device4] display ntp-service sessions
source reference stra reach poll now offset delay disper
*************************************************************************
[245] 3.0.1.31 127.127.1.0 2 15 64 24 10535.0 19.6 14.5
[12345] 3.0.1.33 LOCL 1 14 64 27 -77.0 16.0 14.8
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 2
Network diagram (figure; caption not recovered): Device3, VLAN-interface2, 3.0.1.31/24; Device1, VLAN-interface2, 1.0.1.11/24; Device0; Device4, VLAN-interface2, 3.0.1.32/24.
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 2.
b Configure Device 3 to work in the broadcast server mode and send broadcast
messages through VLAN interface 2.
[Device3] interface Vlan-interface 2
[Device3-Vlan-interface2] ntp-service broadcast-server
2 Configuration on Device 4:
Configure Device 4 to work in the broadcast client mode and receive broadcast messages
on VLAN interface 2.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service broadcast-client
3 Configuration on Device 1:
a Configure Device 1 to work in the broadcast client mode and receive broadcast
messages on VLAN interface 2.
<Device1> system-view
System View: return to User View with Ctrl+Z.
[Device1] interface vlan-interface 2
[Device1-Vlan-interface2] ntp-service broadcast-client
Because Device 1 and Device 3 are on different subnets, Device 1 cannot receive the
broadcast messages from Device 3. Device 4 gets synchronized upon receiving a
broadcast message from Device 3.
Network diagram (figure; caption not recovered): Device3, VLAN-interface2, 3.0.1.31/24; Device1, VLAN-interface2, 1.0.1.11/24; Device0; Device4, VLAN-interface2, 3.0.1.32/24.
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 2.
b Set Device 3 to work in the multicast server mode and send multicast messages
through VLAN interface 2.
<Device3> system-view
System View: return to User View with Ctrl+Z.
[Device3] interface Vlan-interface 2
[Device3-Vlan-interface2] ntp-service multicast-server
2 Configuration on Device 4:
a Set Device 4 to work in the multicast client mode and receive multicast messages on
VLAN interface 2.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service multicast-client
Because Device 4 and Device 3 are on the same subnet, Device 4 can receive the
multicast messages from Device 3 without being IGMP-enabled and can be synchronized
to Device 3.
b View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
As shown above, Device 4 has been synchronized to Device 3, and the clock stratum
level of Device 4 is 3, while that of Device 3 is 2.
c View the NTP session information of Device 4, which shows that an association has
been set up between Device 4 and Device 3.
[Device4] display ntp-service sessions
source reference stra reach poll now offset delay disper
*************************************************************************
[1234] 3.0.1.31 127.127.1.0 2 254 64 62 -16.0 31.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
3 Configuration on Device 0:
Because Device 1 and Device 3 are on different subnets, you must enable IGMP on
Device 1 and Device 0 before Device 1 can receive multicast messages from Device 3.
Network diagram
Figure 132 Network diagram for configuration of NTP server/client mode with authentication (figure): Device1, VLAN-interface2, 1.0.1.11/24; Device2, VLAN-interface2, 1.0.1.12/24.
Configuration procedure
1 Configuration on Device 1:
Specify the local clock as the reference source, with the stratum level of 2.
2 Configuration on Device 2:
<Device2> system-view
System View: return to User View with Ctrl+Z.
a Enable NTP authentication on Device 2.
[Device2] ntp-service authentication enable
b Set an authentication key.
[Device2] ntp-service authentication-keyid 42 authentication-mode md5
aNiceKey
c Specify the key as a trusted key.
[Device2] ntp-service reliable authentication-keyid 42
d Specify Device 1 as the NTP server.
[Device2] ntp-service unicast-server 1.0.1.11 authentication-keyid 42
Before Device 2 can synchronize its clock to that of Device 1, you need to enable NTP
authentication for Device 1.
Network diagram
Figure 133 Network diagram for NTP symmetric peers mode configuration with authentication (figure): Device3, VLAN-interface2, 3.0.1.31/24; Device4, VLAN-interface2, 3.0.1.32/24; Device5, VLAN-interface2, 3.0.1.33/24.
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 2.
b Configure NTP authentication
<Device3> system-view
System View: return to User View with Ctrl+Z.
c Enable NTP authentication on Device 3.
[Device3] ntp-service authentication enable
d Set an authentication key.
[Device3] ntp-service authentication-keyid 42 authentication-mode md5
aNiceKey
e Specify the key as a trusted key.
[Device3] ntp-service reliable authentication-keyid 42
2 Configuration on Device 4:
a Specify Device 3 as the NTP server of Device 4.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service unicast-server 3.0.1.31 authentication-keyid 42
b Enable NTP authentication
[Device4] ntp-service authentication enable
[Device4] ntp-service authentication-keyid 42 authentication-mode md5
aNiceKey
c Specify the key as a trusted key.
[Device4] ntp-service reliable authentication-keyid 42
3 Configuration on Device 5 (after Device 4 is synchronized to Device 3):
a Specify the local clock as the reference source, with the stratum level of 1.
b Configure Device 4 as a symmetric peer after local synchronization.
[Device5] ntp-service unicast-peer 3.0.1.32 authentication-keyid 42
c Enable NTP authentication
<Device5> system-view
System View: return to User View with Ctrl+Z.
[Device5] ntp-service authentication enable
[Device5] ntp-service authentication-keyid 42 authentication-mode md5
aNiceKey
d Specify the key as a trusted key.
[Device5] ntp-service reliable authentication-keyid 42
In the step above, Device 4 and Device 5 are configured as symmetric peers, with
Device 5 in the symmetric-active mode and Device 4 in the symmetric-passive mode.
Because the stratum level of Device 5 is 1 while that of Device 4 is 3, Device 4 is
synchronized to Device 5.
Network diagram
Figure 134 Network diagram for configuration of NTP broadcast mode with authentication (figure): Device 3, VLAN-interface2, 3.0.1.31/24; Device 1, VLAN-interface2, 1.0.1.11/24; Device 0; Device 4, VLAN-interface2, 3.0.1.32/24.
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 3.
b Configure NTP authentication
[Device3] ntp-service authentication enable
[Device3] ntp-service authentication-keyid 88 authentication-mode md5
123456
[Device3] ntp-service reliable authentication-keyid 88
c Specify Device 3 as an NTP broadcast server, and specify an authentication key.
[Device3] interface vlan-interface 2
[Device3-Vlan-interface2] ntp-service broadcast-server
authentication-keyid 88
2 Configuration on Device 4:
a Configure NTP authentication
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service authentication enable
[Device4] ntp-service authentication-keyid 88 authentication-mode md5
123456
[Device4] ntp-service reliable authentication-keyid 88
b Configure Device 4 to work in the NTP broadcast client mode
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service broadcast-client
Now, Device 4 can receive broadcast messages through VLAN interface 2, and Device
3 can send broadcast messages through VLAN interface 2. Upon receiving a
broadcast message from Device 3, Device 4 synchronizes its clock to that of Device 3.
c View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
As shown above, Device 4 has been synchronized to Device 3, and the clock stratum
level of Device 4 is 4, while that of Device 3 is 3.
d View the NTP session information of Device 4, which shows that an association has
been set up between Device 4 and Device 3.
[Device4] display ntp-service sessions
source reference stra reach poll now offset delay disper
*************************************************************************
[1234] 3.0.1.31 127.127.1.0 3 254 64 62 -16.0 32.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
52 DNS CONFIGURATION
When configuring DNS, go to these sections for information you are interested in:
■ DNS Overview
■ Configuring Static Domain Name Resolution
■ Configuring Dynamic Domain Name Resolution
■ Displaying and Maintaining DNS
■ Troubleshooting DNS Configuration
DNS Overview
Domain name system (DNS) is a mechanism used for TCP/IP applications such as Telnet to
convert Internet addresses in mnemonic form into the equivalent numeric IP addresses.
There are two types of DNS services, static and dynamic. Each time the DNS Server
receives a name query it checks its static database before using dynamic domain name
resolution. Putting frequently used addresses in the static database reduces the time
spent searching the dynamic database and so improves efficiency.
Static Domain Name Resolution
The static domain name resolution manually sets up mappings between names and IP
addresses. IP addresses of the corresponding names can be found in the static domain
name resolution database for applications.
Figure (DNS Client): the user program sends a request to the resolver and receives its response; the resolver in turn sends a request to the DNS Server and receives its response, consulting the cache. The resolver and the cache together make up the DNS Client.
The resolver and cache comprise the DNS Client. The user program can run on the same
machine as the DNS Client, while the DNS Server and the DNS Client must run on
different machines.
Dynamic domain name resolution allows the DNS Client to store the latest mappings
between names and IP addresses in the dynamic domain name cache, so there is no need
to send a request to the DNS Server for the same mapping next time. Aged mappings are
removed from the cache after some time, and fresh entries are then requested from the
DNS Server. The DNS Server decides how long a mapping is valid, and the DNS Client
gets that information from the DNS messages.
DNS suffixes
The DNS Client normally holds a list of suffixes which can be defined by the users. It is
used when the name to be resolved is not complete. The resolver can supply the missing
part. For example, a user can configure com as the suffix for aabbcc.com. The user only
needs to type aabbcc to get the IP address of aabbcc.com. The resolver can add the suffix
and delimiter before passing the name to the DNS Server.
■ If there is no dot in the domain name, such as “aabbcc“, the resolver will consider
this as a host name and add the suffix before processing. The original name such as
aabbcc is used if all DNS lookups fail.
■ If there is a dot in the domain name, such as “www.aabbcc“, the resolver will use this
domain name to do DNS lookup first before adding any suffix.
■ If the dot is at the end of the domain name, such as “aabbcc.com.”, the resolver will
consider this as a fully qualified domain name and return the result whether it is a
success or a failure. Hence, the dot (.) is called the terminating symbol.
Currently, the Switch 4500G supports static and dynamic domain name services on the
DNS Client.
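The three suffix rules above determine the order in which names are tried, and the dynamic cache described earlier determines when the DNS Server is asked at all. The following Python is an added example, not code from the manual or from 3Com, that implements both: candidate_names returns the lookup order for a plain host name, a dotted name and a name ending in the terminating dot, and Resolver walks that order through a TTL-bound cache before querying a constructed server table. The suffix list net, com follows the manual's dynamic-resolution procedure; the server table, its addresses and TTLs, and the query-counting are constructed for the example.

```python
def candidate_names(name: str, suffixes):
    """Lookup order per the manual's three rules."""
    if name.endswith("."):
        # Terminating symbol: fully qualified, looked up as-is (no suffix).
        return [name.rstrip(".")]
    with_suffix = [f"{name}.{s}" for s in suffixes]
    if "." not in name:
        # Host name: suffixes are added first; the original name is the last resort.
        return with_suffix + [name]
    # Dotted name: try it unchanged first, then with each suffix.
    return [name] + with_suffix


class DnsCache:
    """Dynamic-resolution cache: an entry is valid until the TTL the server
    returned has elapsed, after which it is aged out."""

    def __init__(self):
        self._entries = {}  # name -> (ip, expires_at)

    def get(self, name, now):
        hit = self._entries.get(name)
        if hit is None:
            return None
        ip, expires_at = hit
        if now >= expires_at:
            del self._entries[name]  # aged mapping, must be re-requested
            return None
        return ip

    def put(self, name, ip, ttl, now):
        self._entries[name] = (ip, now + ttl)


class Resolver:
    def __init__(self, suffixes, query, cache=None):
        self.suffixes = list(suffixes)
        self.query = query  # callable(name) -> (ip, ttl) or None
        self.cache = cache or DnsCache()
        self.queries_sent = 0  # how often the DNS Server was actually asked

    def resolve(self, name, now):
        """Return (name that resolved, ip) or None if every candidate fails."""
        for cand in candidate_names(name, self.suffixes):
            ip = self.cache.get(cand, now)
            if ip is None:
                self.queries_sent += 1
                answer = self.query(cand)
                if answer is None:
                    continue
                ip, ttl = answer
                self.cache.put(cand, ip, ttl, now)
            return cand, ip
        return None


# Constructed server table (the manual's example names; addresses and TTLs made up).
SERVER_TABLE = {
    "aabbcc.com": ("1.1.1.2", 60),
    "www.aabbcc.net": ("1.1.1.3", 60),
}


def constructed_server(name):
    return SERVER_TABLE.get(name)
```

Negative answers are not cached here, so a bare host name that only resolves under the second suffix costs one wasted query per lookup; that is the reason the manual's advice to place frequently used names in the static database pays off.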
Configuring Static Domain Name Resolution
Follow these steps to configure static domain name resolution:
Table 339 Configuring Static Domain Name Resolution
The last IP address you assigned to the host name can overwrite the old one if there is
any.
Configuring Dynamic Domain Name Resolution
Network diagram
Figure 136 Network diagram (figure): DNS Client with interfaces 2.1.1.1/16 and 1.1.1.1/16; DNS Server at 2.1.1.2/16; host1 at 1.1.1.2/16.
Configuration procedure
Before doing the following configuration, make sure the route between the router and
host 1 is reachable, and configurations are done on both devices. The IP address of each
interface is shown on Figure 136. Make sure the DNS Server works well and has a
mapping between host 1 and IP address 1.1.1.2/16.
1 Enable dynamic domain name resolution.
[3Com] dns resolve
2 Specify 2.1.1.2 as the IP address of the DNS Server.
[3Com] dns server 2.1.1.2
3 Configure net as a DNS suffix.
[3Com] dns domain net
4 Configure com as a DNS suffix.
[3Com] dns domain com
Ping host 1 to verify the configuration and the corresponding IP address should be
1.1.1.2.
Displaying and Maintaining DNS
Table 341 Displaying and Maintaining DNS

To do: Display static DNS list
Command: display ip host
Remarks: Available in any view

To do: Display the DNS Server information
Command: display dns server [ dynamic ]
Remarks: Available in any view

To do: Display the DNS suffixes
Command: display dns domain [ dynamic ]
Remarks: Available in any view

To do: Display the caching information of dynamic domain name resolution
Command: display dns dynamic-host
Remarks: Available in any view

To do: Reset the caching memory of dynamic domain name resolution
Command: reset dns dynamic-host
Remarks: Available in user view
Troubleshooting DNS Configuration
Symptom: After enabling the dynamic domain name resolution, the user cannot get the IP address
or the IP address is incorrect.
Solution:
■ Use the display dns dynamic-host command to check that the specified
domain name is in the cache.
■ If there is no defined domain name, check that dynamic domain name resolution is
enabled and the DNS Client can communicate with the DNS Server.
■ If the specified domain name is in the cache, but the IP address is wrong, make sure
the DNS Client has the correct IP address of the DNS Server.
■ Check the mapping list is correct on the DNS Server.
53 INFORMATION CENTER
Information Center Overview
Introduction to Information Center
Acting as the system information hub, information center classifies and manages system
information. Together with the debugging functionality, information center offers a
powerful support to the network administrators and developers in monitoring network
performance and diagnosing network problems.
The closing set of angle brackets, the space, the forward slash, and the colon are all
required in the above format.
Priority
The priority is calculated using the following format: facility*8+severity-1, in which
facility is local7 by default and the range of severity is 1 to 8. Table 342 details the value
and meaning associated with each severity.
Note that there is no space between the priority and timestamp fields and that the
priority only takes effect when the information has been sent to the log host.
Timestamp
The timestamp records the time when the system information is generated, to allow users
to check and identify system events.
Note that there is a space between the timestamp and sysname (host name) fields.
Sysname
Sysname is the system name of the current host. Users can use the sysname command
to modify the sysname.
Note that there is a space between the sysname and module fields.
Module
The module field represents the name of the module that generates system information.
Note that there is a forward slash between the module and level (severity) fields.
Level (Severity)
System information falls into three categories: log information, debug information, and
trap information. Each kind of information can be further divided into eight levels based
on its severity, as detailed in Table 342. Note that the smaller the severity value, the
higher the severity.
Information filtering by severity works this way: information with severity value greater
than the configured threshold will not be output during the filtering.
■ If the threshold is set to 1, only information with the severity being emergencies will
be output;
■ If the threshold is set to 8, information of all severities will be output.
Note that there is a forward slash between the level (severity) and digest fields.
Digest
The digest field is a string of up to 32 characters, outlining the system information.
Note that there is a colon between the digest and content fields.
Content
This field provides the content of the system information.
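The field notes above (no space after the priority, a space before the sysname and the module, slashes around the level, a colon before the content) are enough to parse a message as it arrives at a log host, and the priority formula lets the receiver recover the facility and severity. The following Python is an added example, not code from the manual or from 3Com, that implements the formula and its inverse, parses a log-host message into its fields, cross-checks the severity carried in the priority against the level field in the body, and applies the severity threshold described above. The sample messages are constructed: their module names, digests and contents are invented, and the timestamp layout (month, day, time, year) is an assumption about the date format.

```python
import re

# Syslog facility codes for local0..local7 (local7 = 23 is the manual's default).
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}
CODE_TO_FACILITY = {code: name for name, code in FACILITY_CODES.items()}

# Field layout as the manual's notes describe it: <priority> directly followed by
# the timestamp, then a space, sysname, space, module/level/digest:content.
LOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"          # priority, no space after it
    r"(?P<timestamp>\S.*?) "        # timestamp (may contain spaces), then one space
    r"(?P<sysname>\S+) "            # system name, then one space
    r"(?P<module>[^/\s]+)/"         # module name, then a slash
    r"(?P<level>[1-8])/"            # severity level, then a slash
    r"(?P<digest>[^:]{1,32}):"      # digest of up to 32 characters, then a colon
    r"(?P<content>.*)$"
)


def priority(facility: str = "local7", severity: int = 1) -> int:
    """The manual's formula: facility*8 + severity - 1, with severity in 1..8."""
    if not 1 <= severity <= 8:
        raise ValueError("severity must be 1..8")
    return FACILITY_CODES[facility] * 8 + severity - 1


def split_priority(pri: int):
    """Invert the formula: (facility name, severity 1..8)."""
    code, sev0 = divmod(pri, 8)
    return CODE_TO_FACILITY.get(code, f"facility{code}"), sev0 + 1


def parse_log_line(line: str):
    """Return the fields of one log-host message, or None if the line does not
    follow the layout. 'consistent' is False when the severity encoded in the
    priority disagrees with the level field in the message body."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["level"] = int(rec["level"])
    rec["facility"], rec["severity"] = split_priority(rec["pri"])
    rec["consistent"] = rec["severity"] == rec["level"]
    return rec


def passes_threshold(severity: int, threshold: int) -> bool:
    """Severity filtering as described: values greater than the threshold are dropped."""
    return severity <= threshold


def filter_digests(lines, threshold: int):
    """Digests of the parseable lines that would be output at the given threshold."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and passes_threshold(rec["severity"], threshold):
            out.append(rec["digest"])
    return out


# Constructed sample messages (not captured from a real switch); the module
# names, digests and contents are made up, and the timestamp layout assumes
# the 'date' format.
SAMPLE_LINES = [
    "<188>Oct 9 14:23:11 2006 Switch4500G SHELL/5/LOGIN: constructed: user logged in from console",
    "<184>Oct 9 14:25:02 2006 Switch4500G DEV/1/BOARD_FAILED: constructed emergency record",
    "<191>Oct 9 14:25:40 2006 Switch4500G ARP/8/DEBUG: constructed debug record",
]
```

With local7 the priorities run from 184 (severity 1, emergencies) to 191 (severity 8), so a collector that expects the usual syslog 0..7 severities must subtract one; the consistency flag catches messages whose priority and body level disagree, which is worth alerting on when log integrity matters.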
Configurations for the seven output directions function independently and take effect
only after the information center has been enabled.
Configuring to Output System Information to a Monitor Terminal
System information can also be output to a monitor terminal, which is a user terminal
that has login connections through the AUX, VTY, or TTY user interface.
Configuring to output system information to a monitor terminal
Table 346 Configure to output system information to a monitor terminal
Configuring to Output System Information to a Log Host
Table 348 Configure to output system information to a log host

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 343 for default channel names.

To do: Specify a log host and configure the channel through which system information can be output to the log host
Command: info-center loghost host-ip [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ]*
Remarks: Required. Disabled by default, with channel 2 as the default channel when enabled.

To do: Configure the source interface through which log information can be output to a log host
Command: info-center loghost source interface-type interface-number
Remarks: Required. No source interface configured by default.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure one of the three options for system information to be output to a log host: including year information; excluding year information; not providing any time stamp information
Command: info-center timestamp loghost { date | no-year-date | none }
Remarks: Optional. The year information is included by default.
Configuring to Output System Information to the Trap Buffer
Table 349 Configure to output system information to the trap buffer

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 343 for default channel names.

To do: Configure the channel through which system information can be output to a trap buffer and specify the buffer size
Command: info-center trapbuffer [ size buffersize | channel { channel-number | channel-name } ]*
Remarks: Optional. System information is output to the trap buffer by default, with channel 3 (known as trapbuffer) as the default channel and a default buffer size of 256.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure the format of the time stamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }
Remarks: Optional. By default, the time stamp for log and trap information is date, whereas that for debug information is boot.
Configuring to Output System Information to the Log Buffer
Table 350 Configure to output system information to the log buffer

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 343 for default channel names.
Configuring to Output System Information to the SNMP NMS
Table 351 Configure to output system information to the SNMP NMS

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 343 for default channel names.

To do: Configure the channel through which system information can be output to the SNMP NMS
Command: info-center snmp channel { channel-number | channel-name }
Remarks: Optional. System information is output to the SNMP NMS by default, with channel 5 (known as snmpagent) as the default channel.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure the format of the timestamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }
Remarks: Optional. By default, the time stamp for log and trap information is date, whereas that for debug information is boot.
To ensure that system information can be output to the SNMP NMS, you need to make
the necessary configurations on the SNMP agent and the NMS. For detailed information
on SNMP&RMON, refer to SNMP Configuration.
Configuring Synchronous Information Output
Synchronous information output refers to the feature that, if the user's input is interrupted by system output such as log, trap, or debug information, then after the system output completes the system displays a command line prompt (a prompt in command editing mode, or a [Y/N] string in interaction mode) together with the user's input so far.
This feature is intended for scenarios in which the user's input is interrupted by a large amount of system output. With it enabled, the user can continue from where they were stopped.
■ If no information is input by the user following the current command line prompt, the system does not display any command line prompt after the system information output.
■ In interaction mode, the user is prompted for some input. If the input is interrupted by system output, no system prompt is made; only the user's input is displayed on a new line.
Displaying and Maintaining Information Center
Table 353 Display and maintain information center
To do: Display information for a specified channel
  Command: display channel [ channel-number | channel-name ]
  Remarks: Available in any view
To do: Display the configurations for all information channels except channels 6 to 8
  Command: display info-center
  Remarks: Available in any view
To do: Display the state of the log buffer and the log information recorded
  Command: display logbuffer [ level severity | size buffersize ]* [ | { begin | exclude | include } text ]
  Remarks: Available in any view
To do: Display a summary of the log buffer
  Command: display logbuffer summary [ level severity ]
  Remarks: Available in any view
To do: Display the state of the trap buffer and the trap information recorded
  Command: display trapbuffer [ size buffersize ]
  Remarks: Available in any view
To do: Reset the log buffer
  Command: reset logbuffer
  Remarks: Available in user view
To do: Reset the trap buffer
  Command: reset trapbuffer
  Remarks: Available in user view
Information Center Configuration Example
Network diagram
Figure 137 Network diagram for outputting log information to a Unix log host (Switch 1.1.0.1/16 connected over the network to the PC 1.2.0.1/16)
Configuration Procedure
1 Configuring the device
a Enable information center.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
% Information center is enabled
b Specify the channel to output log information to the log host (loghost by default, optional).
[3Com] info-center loghost 1.2.0.1 channel loghost
c Disable the output of log, trap, and debug information of all modules to the log host.
[3Com] info-center source default channel loghost debug state off log state off trap state off
CAUTION: As the default system configurations for different channels vary, ensure that
the outputting of log, trap, and debug information for the specified channel (loghost in
this example) of all modules is disabled before the system information can be output to
meet the current network requirements.
d Set the host with an IP address of 1.2.0.1/16 to be the log host, set the severity to
informational, the output language to English, and the source modules to ARP and
CMD.
[3Com] info-center loghost 1.2.0.1 facility local4 language english
[3Com] info-center source arp channel loghost log level informational
[3Com] info-center source cmd channel loghost log level informational
2 Configuring the log host
The following configurations were made on SunOS 4.0 which has similar configurations
to the Unix operating systems implemented by other vendors.
After the above configurations, the system will be able to keep log information in the
related file.
Network diagram
Figure 138 Network diagram for outputting log information to a Linux log host (Switch 1.1.0.1/16 connected over the network to the PC 1.2.0.1/16)
Configuration Procedure
1 Configuring the device
a Enable information center.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
% Information center is enabled
b Specify the channel to output log information to the log host (optional, loghost by default).
[3Com] info-center loghost 1.2.0.1 channel loghost
c Disable the output of log, trap, and debug information of all modules to the log host.
[3Com] info-center source default channel loghost debug state off log state off trap state off
CAUTION: As the default system configurations for different channels vary, ensure that
the output of log, trap, and debug information for the specified channel (loghost in this
example) of all modules is disabled before the system information can be output to meet
the current network requirements.
d Set the host with an IP address of 1.2.0.1/16 to be the log host, set the severity to
informational, the output language to English, and the source modules to be all
modules.
[3Com] info-center loghost 1.2.0.1 facility local7 language english
[3Com] info-center source default channel loghost log level
informational
2 Configuring the log host
a Issue the following commands as the root user.
# mkdir /var/log/3Com
# touch /var/log/3Com/information
b Edit the file /etc/syslog.conf as a root user and add the following selector/action pair.
# 3Com configuration messages
local7.info /var/log/3Com/information
Ensure that the syslogd process is started with the -r option on a Linux log host, so that it accepts messages arriving from the network.
After the above configurations, the system will be able to keep log information in the related file.
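To see what the local7.info selector in /etc/syslog.conf does with the messages the switch sends, here is an added Python example; it is not from the 3Com guide nor from any syslogd implementation. It decodes the PRI field of each datagram, applies a syslog.conf-style selector, and can also act as a small UDP receiver standing in for syslogd -r. The sample datagrams, the serve() function and the rule list are constructed for this example; the facility numbers (local4 = 20, local7 = 23) and the severity for informational (6) follow the standard syslog numbering, so the Linux example's messages arrive as <190> and the Unix example's (facility local4) as <166>.

```python
import re
import socket
from typing import List, Tuple

# Facility and severity codes as used in the syslog PRI field (standard numbering).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(datagram: str) -> Tuple[int, int, str]:
    """Split a syslog datagram into (facility, severity, rest of message).

    PRI = facility * 8 + severity, so local7.info arrives as <190>.
    Raises ValueError for a missing or out-of-range PRI."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, datagram[m.end():]


def matches_selector(selector: str, facility: int, severity: int) -> bool:
    """Apply one syslog.conf selector such as 'local7.info' or '*.err'.

    A selector matches messages of the named facility ('*' for any) whose
    severity is the named one or more urgent (numerically lower)."""
    fac_name, sev_name = selector.split(".", 1)
    if fac_name != "*" and FACILITIES[fac_name] != facility:
        return False
    if sev_name == "*":
        return True
    return severity <= SEVERITIES.index(sev_name)


def route(datagram: str, rules: List[Tuple[str, str]]) -> List[str]:
    """Return the action paths a datagram would be appended to under the given rules."""
    facility, severity, _ = parse_pri(datagram)
    return [path for sel, path in rules if matches_selector(sel, facility, severity)]


def serve(rules: List[Tuple[str, str]], bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Minimal UDP receiver in the role of 'syslogd -r': bind, decode, append to files.
    Binding to a specific interface address instead of 0.0.0.0 limits who can reach it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(4096)
        text = data.decode("utf-8", errors="replace")
        try:
            paths = route(text, rules)
        except ValueError:
            continue  # drop datagrams without a valid PRI
        for path in paths:
            with open(path, "a") as fh:
                fh.write(f"{peer[0]} {text.rstrip()}\n")


# Constructed sample datagrams (not captured from a real switch).
SAMPLES = [
    "<190>Oct  9 10:01:02 3Com constructed informational log line",     # local7.info
    "<191>Oct  9 10:01:03 3Com constructed debug line",                 # local7.debug
    "<166>Oct  9 10:01:04 3Com constructed line from facility local4",  # local4.info
]
# The selector/action pair from the Linux log host example above.
RULES = [("local7.info", "/var/log/3Com/information")]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d[:6], route(d, RULES))
```

Only the first sample reaches /var/log/3Com/information: the debug line is less urgent than info, and the local4 line belongs to the facility the Unix example uses, so it would need its own local4.info selector.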
Network diagram
Figure 139 Network diagram for sending log information to the console (console terminal connected to the Switch)
Configuration Procedure
1 Enable information center.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
% Information center is enabled
2 Specify the channel to output log information to the console (optional, console by default).
[3Com] info-center console channel console
3 Disable the output of log, trap, and debug information of all modules to the console.
[3Com] info-center source default channel console debug state off log state off trap state off
CAUTION: As the default system configurations for different channels vary, ensure that
the output of log, trap, and debug information for the specified channel (console in this
example) of all modules is disabled before the system information can be output to meet
the current network requirements.
54 NQA CONFIGURATION
When configuring Network Quality Analyzer (NQA), go to these sections for information you are interested in:
■ NQA Overview
■ Configuring NQA Tests
■ Configuring Optional Parameters for NQA Tests
■ Displaying and Maintaining NQA
Introduction to NQA
Ping can use only the Internet Control Message Protocol (ICMP) to test the reachability of the destination host and the round-trip time of a packet to the destination. NQA is an enhanced Ping tool used for testing the performance of protocols running on networks. Besides the Ping functions, NQA can provide the following functions:
■ Detecting the availability and the response time of DHCP, FTP, HTTP, and SNMP services.
■ Testing the delay jitter of the network.
■ Verifying the availability of TCP, UDP, and DLSw packets.
Unlike Ping, NQA does not display the round-trip time or time-out of each packet on the console terminal in real time; you must use the display nqa results command to view NQA test results. In addition, NQA lets you set parameters for various tests and start these tests through the network management system (NMS).
NQA Server and NQA Client
In most NQA test systems, you only need to configure an NQA client. However, when you perform a TCP, UDP, or jitter test, you also need to configure an NQA server. Figure 140 shows the relationship between an NQA client and an NQA server.
Figure 140 Relationship between an NQA client and an NQA server (Switch A as NQA client and Switch B as NQA server, connected through an IP network)
The NQA server listens to test requests originated by the NQA client and makes a
response to these requests. The NQA server can respond to requests originated by the
NQA client only when the NQA server is enabled and the corresponding destination
address and port number are configured on the server. The IP address and port number
specified for a listening service on the server must be consistent with those on the client.
You can create multiple TCP or UDP listening services on the NQA server, with each
listening service corresponding to a specified destination address and port number.
NQA Test Operation
NQA can test multiple protocols. A test group must be created for each type of NQA test. Each test group can be related to only one type of NQA test. Each test group has an administrator name and an operation tag. The administrator name and the operation tag uniquely identify a test group.
After you create a test group and enter test group view, you can configure related test
parameters. Test parameters vary with the test type. For details, see the configuration
procedure below.
After you enable the NQA client, you can create multiple test groups to perform tests. In
this way, you do not need to enable the NQA client repeatedly.
Configuring NQA Tests
■ You need to configure the NQA server only for jitter, TCP-Private, TCP-Public, UDP-Private, and UDP-Public tests.
■ It is recommended that you do not use a well-known port for NQA jitter, UDP, or TCP tests. Otherwise, the NQA probe may fail or the service paired with the well-known port may become unavailable.
Configuring the ICMP Test
The ICMP test is mainly used to test whether packets from an NQA client can reach a specified destination and to test the round-trip time of packets.
Configuration procedure
Follow these steps to configure the ICMP test:
Configuration example
1 Network requirements
Use the NQA ICMP function to test whether packets from the NQA client (SwitchA) can
reach the specified destination (SwitchB) and test the round-trip time of packets.
■ SwitchB serves as the object that is to be pinged from SwitchA and the IP address is
10.2.2.2/16.
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to SwitchB (10.2.2.2/16)
3 Configuration procedure
Perform the following configurations on SwitchA:
a Enable the NQA client, create an ICMP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin icmp
[3Com-nqa-admin-icmp] test-type icmp
[3Com-nqa-admin-icmp] destination-ip 10.2.2.2
b Configure optional parameters.
[3Com-nqa-admin-icmp] count 10
[3Com-nqa-admin-icmp] timeout 5
c Enable the ICMP test.
[3Com-nqa-admin-icmp] test-enable
d View the test results.
[3Com-nqa-admin-icmp] display nqa results admin icmp
Configuring the DHCP Test
The DHCP test is mainly used to test the existence of a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client.
Configuration prerequisites
The specified source interface in the source-interface command must be up, that is
to say, an IP address is configured for the source interface. The IP address can be
configured manually or obtained dynamically.
Before the DHCP test, you need to perform some configurations on the DHCP server. For example, you need to enable the DHCP service and configure an address pool. If the NQA (DHCP) client and the DHCP server are in different network segments, you also need to configure DHCP relay. For detailed configurations, refer to DHCP Operation.
Configuration procedure
Follow these steps to configure the DHCP test:
Table 355 Configuring the DHCP Test
Configuration example
1 Network requirements
Configure SwitchB as a DHCP server and use the NQA DHCP function to test the time necessary for SwitchA to obtain an IP address from SwitchB.
2 Network diagram
Network diagram: SwitchA (NQA client, vlan3, 10.1.1.1/16) connected through an IP network to SwitchB (DHCP server, 10.2.2.2/16)
3 Configuration procedure
Perform the following configurations on SwitchA:
a Enable the NQA client, create a DHCP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin dhcp
[3Com-nqa-admin-dhcp] test-type dhcp
[3Com-nqa-admin-dhcp] source-interface Vlan-interface 3
b Enable the DHCP test.
[3Com-nqa-admin-dhcp] test-enable
c View the test results.
[3Com-nqa-admin-dhcp] display nqa results admin dhcp
Configuring the FTP Test
The FTP test is mainly used to test the connection with a specified FTP server and the time necessary for the FTP client to transfer a file to the FTP server.
Configuration prerequisites
Before the FTP test, you need to perform some configurations on the FTP server. For
example, you need to configure the username and password used to log in to the FTP
server. For the FTP server configurations.
Configuration procedure
Follow these steps to configure the FTP test:
■ Transfer a small file for the FTP test. If the file is too large, the test may fail because of time-out.
■ When you perform a put operation, a file-name file with a fixed size and contents will be created on
the FTP server, but the uploaded file will not be saved.
■ When you perform a get operation, the file obtained from the FTP server will not be saved on the
device, either. If there is no such file-name file on the FTP server, the FTP test will fail.
Configuration example
1 Network requirements
Use the NQA FTP function to test the connection with a specified FTP server and the time
necessary for the FTP client to upload a file to the FTP server. The login username is
admin, the login password is nqa, and the file to be transferred to the FTP server is
config.txt.
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to Switch B (FTP server, 10.2.2.2/16)
3 Configuration procedure
■ Perform the following configurations on SwitchA:
a Enable the NQA client, create an FTP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin ftp
[3Com-nqa-admin-ftp] test-type ftp
[3Com-nqa-admin-ftp] destination-ip 10.2.2.2
[3Com-nqa-admin-ftp] source-ip 10.1.1.1
[3Com-nqa-admin-ftp] ftp-operation put
[3Com-nqa-admin-ftp] username admin
[3Com-nqa-admin-ftp] password nqa
[3Com-nqa-admin-ftp] filename config.txt
b Enable the FTP test.
[3Com-nqa-admin-ftp] test-enable
c View the test results.
[3Com-nqa-admin-ftp] display nqa results admin ftp
Configuring the HTTP Test
The HTTP test is mainly used to test the connection with a specified HTTP server and the time required to obtain data from the HTTP server.
Configuration procedure
Follow these steps to configure the HTTP test:
Table 357 Configuring the HTTP Test
Configuration example
1 Network requirements
Use the HTTP function to test the connection with a specified HTTP server and the time
required to obtain data from the HTTP server.
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to SwitchB (HTTP server, 10.2.2.2/16)
3 Configuration procedure
a Enable the NQA client, create an HTTP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin http
[3Com-nqa-admin-http] test-type http
[3Com-nqa-admin-http] destination-ip 10.2.2.2
[3Com-nqa-admin-http] http-operation get
[3Com-nqa-admin-http] http-string /index.htm HTTP/1.0
b Enable the HTTP test.
[3Com-nqa-admin-http] test-enable
c View the test results.
[3Com-nqa-admin-http] display nqa results admin http
Configuring the Jitter Test
The jitter test is used to gather statistics on the delay jitter of UDP packet transmission. Delay jitter is the difference between the interval at which two consecutive packets are received and the interval at which those two packets were sent. During the test, the source port sends data packets to the destination port at regular intervals. The destination port affixes a time stamp to each packet that it receives and then sends it back to the source port. After the source port receives the data packet, the delay jitter can be calculated.
To improve the accuracy of the statistics, you must send multiple test packets when you perform a test. The more test packets are sent, the more accurate the statistics are; however, the test takes longer to complete. You can speed up a jitter test by reducing the interval between test packets, but doing so increases the load on the network.
The error in the statistics of a jitter test is significant because there is a delay in both sending and receiving data packets.
A jitter test requires cooperation between the NQA server and the NQA client. You must
configure the UDP listening function on the NQA server, and a destination address and a
destination port on the NQA client, and ensure that the destination address and
destination port on the NQA client are respectively the listening IP address and port on
the NQA server.
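The definition above turns directly into a calculation. The following Python code is an added example, not part of the 3Com guide and not NQA's own implementation: it computes the per-packet delay jitter from send and receive time stamps and summarises it the way a jitter test report would. The timings are constructed (five probes sent every 20 ms, the fourth one lost), and the treatment of a lost packet (compare the next arrival against the last packet that did arrive, so the send interval spans the gap) is an assumption, since the guide does not say how a lost packet is handled.

```python
from typing import Dict, List, Optional


def jitter_series(sent: List[float], received: List[Optional[float]]) -> List[float]:
    """Per-packet delay jitter as defined above: for each pair of consecutively
    *received* packets, (receive interval) minus (send interval).

    A None in `received` marks a lost packet (assumption: the next packet that
    arrives is compared against the last one that arrived)."""
    if len(sent) != len(received):
        raise ValueError("one receive time (or None) per sent packet")
    jitter: List[float] = []
    prev: Optional[int] = None  # index of the last packet that arrived
    for i, t_recv in enumerate(received):
        if t_recv is None:
            continue
        if prev is not None:
            recv_interval = t_recv - received[prev]
            send_interval = sent[i] - sent[prev]
            jitter.append(recv_interval - send_interval)
        prev = i
    return jitter


def jitter_stats(sent: List[float], received: List[Optional[float]]) -> Dict[str, Optional[float]]:
    """Summary of one direction of a jitter test: loss count, largest positive and
    negative jitter, and mean absolute jitter (None when nothing was received)."""
    series = jitter_series(sent, received)
    lost = sum(1 for r in received if r is None)
    positives = [j for j in series if j > 0]
    negatives = [j for j in series if j < 0]
    return {
        "packets_sent": len(sent),
        "packets_lost": lost,
        "max_positive_jitter": max(positives) if positives else 0.0,
        "max_negative_jitter": min(negatives) if negatives else 0.0,
        "mean_abs_jitter": sum(abs(j) for j in series) / len(series) if series else None,
    }


# Constructed timings in milliseconds: 5 probes sent every 20 ms; the 4th is lost.
SENT = [0.0, 20.0, 40.0, 60.0, 80.0]
RECEIVED = [5.0, 26.0, 45.0, None, 87.0]

if __name__ == "__main__":
    print(jitter_series(SENT, RECEIVED))   # [1.0, -1.0, 2.0]
    print(jitter_stats(SENT, RECEIVED))
```

With these inputs the receive intervals are 21, 19 and 42 ms against send intervals of 20, 20 and 40 ms, giving jitter values of +1, -1 and +2 ms. Run once per direction (client to server using the server's time stamps, and server to client using the client's) to obtain the two one-way series the test collects.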
Configuration procedure
1 Configure the NQA server.
Follow these steps to configure the NQA server for a jitter test:
2 Configure the NQA client.
Follow these steps to configure the NQA client for a jitter test:
The number of probes made in a jitter test depends on the count command, while the number of test packets sent in each probe depends on the jitter-packetnum command.
Configuration example
1 Network requirements
Use the NQA jitter function to test the delay jitter of packet transmission between the
local port (SwitchA) and the specified destination port (SwitchB).
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to SwitchB (NQA server, 10.2.2.2/16)
Configuring SNMP Query Test
The SNMP query test is mainly used to test the time the NQA client takes to send an SNMP query packet to the SNMP agent and then receive a response packet.
Configuration prerequisites
The SNMP agent function must be enabled on the device serving as an SNMP agent.
Configuration procedure
Follow these steps to configure the SNMP query test:
Configuration example
1 Network requirements
Use the NQA SNMP query function to test the time it takes SwitchA to send an SNMP
query packet to SwitchB and receive a response packet.
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to SwitchB (SNMP agent, 10.2.2.2/16)
3 Configuration procedure
Perform the following configurations on SwitchB which serves as the SNMP agent.
a Enable the SNMP agent service and set the SNMP version to V2C, the read community to public, and the write community to private.
<3Com> system-view
[3Com] snmp-agent sys-info version v2c
[3Com] snmp-agent community read public
[3Com] snmp-agent community write private
■ The SNMP must be enabled on the device specified by the destination address.
Otherwise, no response packet will be received.
■ In this example, the configuration is based on the SNMP V2C. If the SNMP of other
versions is enabled, the configuration may be different. For details, refer to SNMP
&RMON Operation.
■ Perform the following configurations on SwitchA:
b Enable the NQA client, create an SNMP query test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin snmp
[3Com-nqa-admin-snmp] test-type snmpquery
[3Com-nqa-admin-snmp] destination-ip 10.2.2.2
c Enable the SNMP query test.
[3Com-nqa-admin-snmp] test-enable
d View the test results.
[3Com] display nqa results admin snmp
Configuring the TCP Test
The TCP test is mainly used to test the TCP connection between the client and the specified server and the setup time for the connection.
The TCP test includes TCP-Public test and TCP-Private test. The differences between the
TCP-Public test and the TCP-Private test are as follows:
■ For the TCP-Public test, a connection setup request is permanently initiated to TCP
port 7 of the destination address, no destination port needs to be configured on the
client, but TCP port 7 used for listening needs to be configured on the server. Even if
a port is configured on the client, the port does not take effect.
■ For the TCP-Private test, a connection setup request is initiated to the specified port of
the destination address.
Configuration procedure
1 Configure the NQA server.
Follow these steps to configure the NQA server for the TCP test:
Table 361 Configuring the TCP Test
2 Configure the NQA client.
Follow these steps to configure the NQA client for the TCP test:
Configuration example
1 Network requirements
Use the NQA TCP-Private function to test the setup time for the TCP connection between
the local port (SwitchA) and the specified destination port (SwitchB). The port number
used is 9000.
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to SwitchB (NQA server, 10.2.2.2/16)
3 Configuration procedure
■ Configure SwitchB.
a Enable the NQA server and configure the listening IP address and port number.
<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server tcpconnect 10.2.2.2 9000
■ Configure SwitchA.
b Enable the NQA client, create a TCP test group, and configure related test parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin tcpprivate
[3Com-nqa-admin-tcpprivate] test-type tcpprivate
[3Com-nqa-admin-tcpprivate] destination-ip 10.2.2.2
[3Com-nqa-admin-tcpprivate] destination-port 9000
c Enable the TCP test.
[3Com-nqa-admin-tcpprivate] test-enable
d View the test results.
[3Com] display nqa results admin tcpprivate
Configuring the UDP Test
The UDP test is mainly used to test the round-trip time of a UDP packet from the client to the specified server.
The UDP test includes the UDP-Public test and the UDP-Private test. The differences between the UDP-Public test and the UDP-Private test are as follows:
■ For the UDP-Public test, a connection setup request is permanently initiated to UDP
port 7 of a destination address, no port needs to be configured on the client, but port
7 for listening needs to be configured on the server. Even if a port is configured on
the client, the port does not take effect.
■ For the UDP-Private test, a connection setup request is initiated to the specified port
of the destination address.
Configuration procedure
1 Configure the NQA server.
Follow these steps to configure the NQA server for the UDP test:
2 Configure the NQA client.
Follow these steps to configure the NQA client for the UDP test:
Configuration example
1 Network requirements
Use the NQA UDP-Private function to test the setup time for the UDP connection
between the local port (SwitchA) and the specified destination port (SwitchB). The port
number used is 8000.
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to SwitchB (NQA server, 10.2.2.2/16)
3 Configuration procedure
■ Configure SwitchB.
a Enable the NQA server and configure the listening IP address and port number.
<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server udpecho 10.2.2.2 8000
■ Configure SwitchA.
b Enable the NQA client, create a UDP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin udpprivate
[3Com-nqa-admin-udpprivate] test-type udpprivate
[3Com-nqa-admin-udpprivate] destination-ip 10.2.2.2
[3Com-nqa-admin-udpprivate] destination-port 8000
c Enable the UDP test.
[3Com-nqa-admin-udpprivate] test-enable
d View the test results.
[3Com] display nqa results admin udpprivate
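The TCP-Private and UDP-Private procedures above both depend on a listener that the NQA server opens on a configured address and port, and a client that times its probes against it. The following Python code is an added example and is neither the 3Com guide's nor NQA's own code: it starts a loopback TCP listener and a UDP echo server in the roles of nqa-server tcpconnect and nqa-server udpecho, then measures TCP connection setup time and UDP echo round-trip time the way the client side of those tests does, counting a probe as lost when it is refused, times out, or (for UDP) comes back altered. All addresses, ports (0 asks the OS for a free one) and the probe payload are constructed for the example.

```python
import socket
import threading
import time
from typing import Callable, Optional, Tuple


def start_tcp_listener(host: str = "127.0.0.1", port: int = 0) -> Tuple[socket.socket, int]:
    """Stand-in for 'nqa-server tcpconnect <ip> <port>': accept and immediately close.
    Returns (server socket, bound port); closing the socket stops the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # server socket closed: stop listening
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_udp_echo(host: str = "127.0.0.1", port: int = 0) -> Tuple[socket.socket, int]:
    """Stand-in for 'nqa-server udpecho <ip> <port>': return each datagram to its sender."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, port))

    def echo_loop() -> None:
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return
            srv.sendto(data, peer)

    threading.Thread(target=echo_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def tcp_connect_time(host: str, port: int, timeout: float = 2.0) -> Optional[float]:
    """TCP-Private style probe: milliseconds to complete the TCP handshake,
    or None if the connection is refused or times out."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.perf_counter()
    try:
        s.connect((host, port))
    except OSError:
        return None
    finally:
        s.close()
    return (time.perf_counter() - start) * 1000.0


def udp_echo_rtt(host: str, port: int, timeout: float = 2.0,
                 payload: bytes = b"nqa-probe") -> Optional[float]:
    """UDP-Private style probe: round-trip milliseconds for one datagram echoed by
    the server, or None on timeout, ICMP port-unreachable, or a mismatched reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        start = time.perf_counter()
        s.sendto(payload, (host, port))
        data, _ = s.recvfrom(2048)
        elapsed = (time.perf_counter() - start) * 1000.0
    except OSError:              # socket.timeout and ConnectionRefusedError are OSErrors
        return None
    finally:
        s.close()
    return elapsed if data == payload else None


def run_probes(host: str, port: int, probe: Callable[..., Optional[float]],
               count: int = 5, timeout: float = 2.0) -> dict:
    """Repeat a probe `count` times (the count parameter of a test group) and summarise."""
    results = [probe(host, port, timeout=timeout) for _ in range(count)]
    ok = [r for r in results if r is not None]
    return {
        "sent": count,
        "completed": len(ok),
        "lost": count - len(ok),
        "min_ms": min(ok) if ok else None,
        "max_ms": max(ok) if ok else None,
        "avg_ms": sum(ok) / len(ok) if ok else None,
    }


if __name__ == "__main__":
    tcp_srv, tcp_port = start_tcp_listener()
    udp_srv, udp_port = start_udp_echo()
    print("tcp", run_probes("127.0.0.1", tcp_port, tcp_connect_time))
    print("udp", run_probes("127.0.0.1", udp_port, udp_echo_rtt))
    tcp_srv.close()
    udp_srv.close()
```

Because the listener is bound to one address and port, a probe aimed anywhere else is reported as lost rather than answered, which is the behaviour the guide describes when the client's destination address and port do not match the server's listening service.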
Configuring the DLSw Test
The DLSw test is mainly used to test the response time of the DLSw device.
Configuration prerequisites
Before the DLSw test, it must be possible to set up a TCP connection between the NQA client and the specified device, and the DLSw function must be enabled on the specified device.
Configuration procedure
Follow these steps to configure the DLSw test:
Configuration example
1 Network requirements
Use the NQA DLSw function to test the response time of the DLSw device.
2 Network diagram
Network diagram: Switch A (NQA client, 10.1.1.1/16) connected through an IP network to SwitchB (DLSw device, 10.2.2.2/16)
3 Configuration procedure
a Enable the NQA client, create a DLSw test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin dlsw
[3Com-nqa-admin-dlsw] test-type dlsw
[3Com-nqa-admin-dlsw] destination-ip 10.2.2.2
b Enable the DLSw test.
[3Com-nqa-admin-dlsw] test-enable
c View the test results.
[3Com-nqa-admin-dlsw] display nqa results admin dlsw
Configuring Optional Parameters for NQA Tests
Unless otherwise specified, the following parameters are applicable to all test types and can be configured according to the actual conditions. Optional parameters common to NQA are valid for all NQA tests, while those common to an NQA test group are valid only for tests in that test group.
Configuring Optional Parameters Common to NQA
Follow these steps to configure optional parameters common to NQA:
Table 366 Configuring Optional Parameters Common to NQA
Configuring Optional Parameters Common to an NQA Test Group
Follow these steps to configure the optional parameters common to an NQA test group:
Table 367 Configuring Optional Parameters Common to an NQA Test Group
Configuring Trap Delivery
A trap message is generated whether an NQA test succeeds or fails. You can set a switch to control the delivery of the trap message to the network management server.
Displaying and Maintaining NQA
Table 369 Displaying and Maintaining NQA
To do: Display history information of tests
  Command: display nqa history [ admin-name operation-tag ]
  Remarks: Available in any view
To do: Display the results of the last NQA jitter test
  Command: display nqa jitter [ admin-name operation-tag ]
  Remarks: Available in any view
To do: Display the results of the last test
  Command: display nqa results [ admin-name operation-tag ]
  Remarks: Available in any view
55 SSH TERMINAL SERVICE
When configuring SSH, go to these sections for information you are interested in:
■ SSH Overview
■ Configuring the SSH Server
■ Configuring the SSH Client
■ Configuring the Device as an SSH Client
■ Displaying and Maintaining the SSH Protocol
■ SSH Configuration Example
■ SSH Client Configuration Example
SSH Overview
Secure Shell (SSH) offers an approach to securely logging in to a remote device. It can protect devices against attacks such as IP spoofing and plain-text password interception.
In a typical SSH scenario, a device running SSH server works as an SSH server and accepts connections from SSH clients, which run SSH client. The connections are called SSH connections and can be established either on the local network or over WANs, as shown in Figure 150 and Figure 151.
Figure 150 Network diagram (workstation and laptop as SSH clients connected to a server over Ethernet)
Figure 151 Network diagram (PC, laptop, and server connected through a remote router)
At the beginning, the server opens port 22 to wait for connection requests from clients,
while the client sends a TCP connection request to the server and interacts with the
server to establish a TCP connection. Then, the server and the client go through the
following five phases to establish an SSH connection:
If the server and the client reach agreement, they continue with the key algorithm
negotiation phase. Otherwise, the server tears down the TCP connection.
Through the above steps, the server and the client get the same session key, which is to
be used to encrypt and decrypt data exchanged between the server and the client later.
■ The client encrypts the username and password, encapsulates them into a password
authentication request, and sends the request to the server.
■ Upon receiving the request, the server decrypts the username and password,
compares them against those it maintains, and then informs the client of the
authentication result.
The client sends an RSA request and its own public key modulus to the server. The server then checks the validity of the received information. If the information is not valid, the server sends a failure message to the client. Otherwise, a 32-byte random number is generated, and an MP (multiple precision) integer is derived from the number in MSB (most significant bit) first order. The server encrypts the integer with the public key of the client and sends a challenge to the client. When the client receives the challenge message, it decrypts it to obtain the MP integer. The client uses the integer and the session ID to generate the MD5 value, then encrypts the 16-byte MD5 value and sends it to the server. (The session ID is generated in the key-algorithm negotiation phase: session ID = MD5 (host public key modulus || server public key modulus || 8-byte cookie), where || denotes concatenation.) After the server receives the message, it decrypts the message to get the MD5 value and compares it with the MD5 value it calculated itself. If the two MD5 values are the same, the authentication succeeds and the server sends the success message; otherwise it sends the failure message.
Besides password authentication and RSA authentication, SSH2.0 provides another two
authentication methods:
■ password-publickey: Performs both password authentication and RSA
authentication of the client. A client running SSH1 client only needs to pass either
type of the two, while a client running SSH2 client must pass both of them to log in.
■ all: Performs either password authentication or RSA authentication. The client tries
RSA authentication first.
4 Session request
After passing authentication, the client sends a session request to the server, while the
server listens to and processes the request from the client and sends back to the client
the result, which can be an SSH_SMSG_SUCCESS packet for successful processing or an
SSH_SMSG_FAILURE packet if the processing fails or it cannot resolve the request. In the
former case, the server and the client enter the interactive session phase.
5 Interactive session
■ The client encrypts the command to be executed and sends it to the server.
■ The server decrypts and executes the command, and then encrypts and sends the
result to the client.
■ The client decrypts the result and displays the result on the terminal.
■ During the interactive session phase, a client user can issue the commands to be executed by pasting command text on the client. Note that the text must be no more than 2,000 bytes in length, and the pasted commands should be in the same view; otherwise, the server may be unable to execute the commands correctly.
■ If the text to be pasted is more than 2,000 bytes in length, the user can put it in a
configuration file, upload the configuration file to the server, and then reboot the
server with this new configuration file.
Configuring the SSH Server
Configuring the Protocols for the Current User Interface to Support
After enabling the SSH server, you must configure the device to support the remote SSH login protocol. By default, the device supports Telnet and SSH. Note that the configuration takes effect at the next login.
Follow these steps to configure the protocols for the current user interface to support:
Table 371 Configuring the Protocols for the Current User Interface to Support
CAUTION:
■ If you configure a user interface to support SSH, be sure to configure the
authentication-mode scheme command.
■ For a user interface configured to support SSH, you cannot configure the
authentication-mode password or authentication-mode none
command.
Follow these steps to create the host key pair and server key pair:
CAUTION:
■ For a successful SSH login, you must generate the RSA host key pair and server key pair
first.
■ The configuration of the rsa local-key-pair create command survives a reboot. You only
need to configure it once.
■ If the key pair already exists, the system asks whether you want to overwrite it.
■ When exporting the RSA host public key, you can choose to display it on the screen or
export it to a specified file.
Configuring the Authentication Method for an SSH User
You must specify the authentication method for SSH users; otherwise, the users cannot
log in. The configured authentication method takes effect the next time the user logs in.
Follow these steps to configure the authentication method for an SSH user:
CAUTION: For a user using RSA authentication, you must configure the username and
public keys on the device. For a user using password authentication, you can configure
the account information on the device or on a remote authentication server.
Specifying the Service Type of an SSH User
Follow these steps to specify the service type of an SSH user:
Table 376 Specifying the Service Type of an SSH User
CAUTION: The service type of an SSH user can only be set to stelnet if the user does not
need SFTP service.
Setting the SSH Management Parameters
The SSH management parameters are:
■ The server key pair update interval. Setting it can help secure your SSH connections.
■ The SSH user authentication timeout period.
■ The maximum number of SSH authentication attempts. Setting it can help resist
malicious connection requests.
Configuring the RSA Public Key for a User
These configurations are required for an SSH user using RSA authentication; they are not
required for an SSH user using password authentication.
This configuration task configures the RSA public key of a client for an SSH user. The RSA
private key for the SSH user must be configured on the client. The client key pair is
generated randomly by the SSH2.0 client software.
You can also import an RSA public key from a public key file. When you import a public
key, the system automatically converts the public key in SSH1, SSH2, or OpenSSH format
to a string coded using the PKCS standard. Before importing the public key, you must
upload the public key file to the server through FTP or TFTP.
You can use either of the following two ways to configure the RSA public key of an SSH
user.
■ You configure any of these three commands to create an SSH user: ssh user assign
rsa-key, ssh user authentication-type, and ssh user service-type. Up to 20 SSH users
can be created. By default, the authentication method for an SSH user is RSA and the
service type is stelnet.
■ With no SSH users created, when a client logs in, the system performs password
authentication and only the stelnet service type is supported.
Table 379 Importing the RSA Public Key from a Public Key File
Configuring the SSH Client
A variety of SSH client software is available, such as PuTTY and FreeBSD. For an SSH
client to establish a connection with an SSH server, you must complete these
configuration tasks:
■ Specifying the IP address of the server.
■ Selecting the protocol for remote connection. Usually, a client can use a variety of
remote connection protocols, such as Telnet, Rlogin, SSH. To establish an SSH
connection, you must select SSH.
■ Selecting the SSH version. Multiple SSH versions are available. However, since the
device supports SSH Server 2.0 now, select 2.0 or lower for the client.
■ Specifying the RSA private key file. The RSA keys for an SSH user include a public key
and a private key, which are generated by the tool accompanied with the client
software. The public key must be configured on the server, while the private key must
be configured on the client.
The following takes the client software of PuTTY as an example to illustrate how to
configure the SSH client:
In the [Host Name (or IP address)] text box, enter the IP address of the server, for
example, 10.110.28.10. Note that the IP address can be that of any interface on the
server that is up and has a route to the client.
As shown in Figure 153, select [2] from the [Preferred SSH protocol version] section.
From the category on the left of the window, click [Connection/SSH/Auth]. The following
window appears.
Click <Browse> to bring up the file selection window, navigate to the private key file and
click <OK>.
2 Enter the username and password. The SSH connection should be created.
3 To log out, enter the quit command.
Configuring the Device as an SSH Client

Configuration Prerequisites
Complete the configuration of the SSH server. For detailed configuration information,
refer to Configuring the SSH Server.
When an SSH client accesses a server whose public host key it does not yet know, the
first-time authentication function allows it to access the server and to obtain and save
the server's public host key. When the client accesses the server later, it uses the locally
saved public host key to authenticate the server. With the first-time authentication
function enabled on a client, you do not need to configure the public host key of the
server on the client beforehand.
Displaying and Maintaining the SSH Protocol
Table 381 Displaying and Maintaining the SSH Protocol
To do...                                                        Use the command...                                     Remarks
Display the public keys of the host key pair and server key pair   display rsa local-key-pair public                   Available in any view
Display the peer RSA public keys                                display rsa peer-public-key [ brief | name keyname ]   Available in any view
Display the source IP address or interface currently set for the SFTP client   display sftp client source              Available in any view
Display the source IP address or interface currently set for the SFTP server   display ssh client source               Available in any view
Display the status information or session information of the SSH server        display ssh server { status | session } Available in any view
Display the mapping between the host public key and the SSH server saved on the client   display ssh server-info       Available in any view
Display the information of the SSH user                         display ssh user-information [ username ]              Available in any view
Network diagram: SSH client (192.168.0.2/24) connected to the switch's Vlan-interface1
(192.168.0.1/24).
Configuration procedure
The configuration procedure varies with login authentication modes. However, you must
complete the following three configuration tasks before any configuration procedure.
First, create an RSA host key pair and server key pair and enable the SSH server.
<3Com> system-view
[3Com] rsa local-key-pair create
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.....++++++++++++
...++++++++++++
................++++++++
.............++++++++
......Done!
[3Com] ssh server enable
If you have created an RSA host key pair and server key pair, you can skip this step.
Then, you must create a VLAN interface on the switch and assign an IP address, through
which the SSH client will be connected with the switch.
Finally, you must configure an IP address (192.168.0.2) for the SSH client. This IP address
and that of the VLAN interface on the switch must be in the same network segment.
1 Set the authentication mode on the user interface to AAA. (AAA adopts the default ISP
domain system and the default scheme local.)
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
2 Set the protocol that a remote user uses to log in to the switch to SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
3 Create a local user client001.
[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
[3Com] ssh user client001 authentication-type password
The SSH authentication timeout time, number of SSH authentication attempts, and
server key update period can be default values. After the above configurations, run
SSH2.0 on the client to be connected with the switch, and log in to the switch with
username as client001 and password as aabbcc.
Here, an RSA key pair (public and private keys) needs to be generated randomly by the
SSH2.0 client software. You then enter the RSA public key (a hexadecimal string obtained
by using the SSHKEY.EXE software to perform the PKCS coding) as the public key specified
by the rsa peer-public-key command on the SSH server, in the following way.
On the client, you need to specify the corresponding RSA private key of the RSA public
key for the SSH user client001.
By now, you can run SSH2.0 on the terminal containing the RSA private key and perform
corresponding configuration to establish an SSH connection.
Network diagram: Switch A (SSH client) with Vlan-interface1 at 10.165.87.137/24,
connected to Switch B (SSH server); a PC is also shown.
Configuration procedure
1 Configuration on Switch B
a Create an RSA host key pair and server key pair and enable the SSH server.
<3Com> system-view
[3Com] rsa local-key-pair create
[3Com] ssh server enable
If you have created an RSA host key pair and server key pair, you can skip this step.
b Create a VLAN interface on Switch B and assign an IP address, through which the SSH
client will be connected with the switch.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
c Set the authentication mode on the user interface to AAA. (AAA adopts the default
ISP domain system and the default scheme local.)
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
d Set the protocol that a remote user uses to log in to the switch to SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
e Create a local user client001.
[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
f Set the SSH authentication mode to password. The SSH authentication timeout time,
number of SSH authentication attempts and server key update period can be default
values.
[3Com] ssh user client001 authentication-type password
If you set the SSH authentication mode to RSA, you need to configure a host public key
of Switch A. For the specific configuration, refer to SSH Configuration Example.
2 Configuration on Switch A
a Configure an IP address (10.165.87.137) for the VLAN interface on Switch A.
This IP address and that of the VLAN interface on Switch B must be in the same
network segment.
<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
b Enable first-time authentication on the client, so that it can access the server without
the server's host public key having been configured on the client beforehand.
[3Com] ssh client first-time
c Connect to the server using password authentication and the default algorithms.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not autherncated.Do you continue access it?[Y/N]:y
Do you want to save the server’s public key?[Y/N]:y
Enter password:
*********************************************************
* All rights reserved (1997-2005) *
* Without the owner’s prior written consent, *
*no decompiling or reverse-engineering shall be allowed.*
*********************************************************
<3Com>
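The first-time authentication behaviour described under Configuring the Device as an SSH Client, and visible in the session above as the "Do you continue access it?" and "save the server's public key?" prompts, amounts to a trust-on-first-use host key store. The following added example (not code from the 3Com guide) models that store: the first contact saves the presented key without authenticating the server, later contacts authenticate the server by comparing against the saved key, and a key that differs from the saved one is refused. Host keys are handled as opaque byte blobs identified by SHA-256 fingerprint; the key blobs are constructed, and 10.165.87.136 is Switch B's address from the example above.

```python
"""Added example: trust-on-first-use host key store for an SSH client.
Not part of the 3Com guide; key blobs below are constructed."""

import hashlib
from enum import Enum


class Verdict(Enum):
    NEW_KEY_SAVED = "first contact: key saved, server not actually authenticated"
    KNOWN_KEY_MATCH = "presented key matches the saved key: server authenticated"
    KEY_MISMATCH = "presented key differs from the saved key: connection refused"
    UNKNOWN_REFUSED = "first contact with first-time authentication disabled: refused"


def fingerprint(key_blob):
    """SHA-256 fingerprint of a host key blob, hex encoded."""
    return hashlib.sha256(key_blob).hexdigest()


class HostKeyStore:
    """Per-client table of server -> host key fingerprint; the equivalent of
    what 'display ssh server-info' lists on the switch."""

    def __init__(self, first_time_auth=True):
        self.first_time_auth = first_time_auth
        self._known = {}

    def preload(self, server, key_blob):
        """Provision a server's key out of band, the alternative to relying on
        first-time authentication."""
        self._known[server] = fingerprint(key_blob)

    def check(self, server, presented_key):
        """Decide whether the key a server presents is acceptable."""
        fp = fingerprint(presented_key)
        saved = self._known.get(server)
        if saved is None:
            if not self.first_time_auth:
                return Verdict.UNKNOWN_REFUSED
            self._known[server] = fp  # remembered for every later contact
            return Verdict.NEW_KEY_SAVED
        if saved == fp:
            return Verdict.KNOWN_KEY_MATCH
        return Verdict.KEY_MISMATCH

    def known_servers(self):
        return dict(self._known)


# Constructed host key blobs (real ones would be the ssh-rsa wire-format blob).
SWITCH_B_KEY = b"ssh-rsa constructed-host-key-of-switch-B"
OTHER_KEY = b"ssh-rsa constructed-key-presented-by-some-other-host"
SERVER = "10.165.87.136"  # Switch B's address in the example above


def first_time_sessions():
    """Switch A with first-time authentication enabled: the first contact saves
    the key, the second matches it, a third contact presenting a different key
    is refused. Returns the three verdicts."""
    store = HostKeyStore(first_time_auth=True)
    return (store.check(SERVER, SWITCH_B_KEY),
            store.check(SERVER, SWITCH_B_KEY),
            store.check(SERVER, OTHER_KEY))


def preloaded_sessions():
    """Switch A with first-time authentication disabled: an unknown server is
    refused outright, while a pre-provisioned key authenticates the server."""
    store = HostKeyStore(first_time_auth=False)
    refused = store.check(SERVER, SWITCH_B_KEY)
    store.preload(SERVER, SWITCH_B_KEY)
    return refused, store.check(SERVER, SWITCH_B_KEY)
```

The point the model makes concrete is that only the first contact is unauthenticated: once the key is saved, a changed host key is a hard failure, which is why preloading the key out of band is the stronger option when it is practical.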
56 SFTP SERVICE
When configuring SFTP, go to these sections for information you are interested in:
■ SFTP Overview
■ Configuring the SFTP Server
■ Configuring the SFTP Client
■ SFTP Configuration Example
SFTP Overview
The secure file transfer protocol (SFTP) is a new feature in SSH 2.0.
SFTP runs over SSH connections to provide secure data transfer. The device can serve as
both SFTP server and SFTP client. A remote user can log in to the SFTP server securely to
manage and transfer files for system upgrade. In addition, a user can log in to a remote
device to transfer files in a secure way.
Configuring the SFTP Server

Configuration Prerequisites
■ You have configured the SSH server. For the detailed configuration procedure, refer to
Configuring the SSH Server.
■ You have used the ssh user service-type command to set the service type of SSH
users to sftp or all.

Enabling the SFTP Server
This configuration task enables the SFTP service so that clients can log in to the SFTP
server in SFTP mode.

Configuring the SFTP Connection Idle Timeout Time
When an SFTP connection has been idle for longer than the idle timeout time, the system
automatically disconnects the SFTP user.
Follow these steps to configure the SFTP connection idle timeout time:

Configuring the SFTP Client

Specifying a Source IP Address or Interface for the SFTP Client
Follow these steps to specify a source IP address or interface for the SFTP client:
Table 384 Specifying a Source IP Address or Interface for the SFTP Client

Establishing a Connection with the SFTP Server
This configuration task enables the SFTP client to establish a connection with the remote
SFTP server and enter SFTP client view.
Follow these steps to enable the SFTP client:

Displaying Help Information
This configuration task displays help information about related commands, such as
command format and parameter configuration.
Follow these steps to display the help information about client commands:

Disabling the SFTP Client
This configuration task disables the SFTP client.
Follow these steps to disable the SFTP client:
Network diagram: Switch A (SFTP client) with Vlan-interface 1 at 11.111.27.92/24,
connected to Switch B (SFTP server); a PC is also shown.
Configuration procedure
1 Configuration on the SFTP server (Switch B)
a Create an RSA host key pair and server key pair and enable the SSH server.
<3Com> system-view
[3Com] rsa local-key-pair create
[3Com] ssh server enable
If you have created an RSA host key pair and server key pair, you can skip this step.
b Create a VLAN interface on Switch B and assign an IP address, through which the SSH
client will be connected with the switch.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 11.111.27.91 255.255.255.0
[3Com-Vlan-interface1] quit
c Set the authentication mode on the user interface to AAA. (AAA adopts the default
ISP domain system and the default scheme local.)
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
d Set the protocol that a remote user uses to log in to the switch to SSH.
[SwitchB-ui-vty0-4] protocol inbound ssh
[SwitchB-ui-vty0-4] quit
e Create a local user client001.
[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
f Set the SSH authentication mode to password. The SSH authentication timeout time,
number of SSH authentication attempts and server key update period can be default
values.
[3Com] ssh user client001 authentication-type password
If you set the SSH authentication mode to RSA, you need to configure a host public key
of Switch A. For the specific configuration, refer to the section "SFTP Configuration Example".
g Enable the SFTP server.
<3Com> system-view
[3Com] sftp server enable
h Specify the service type of the user as SFTP.
[3Com] ssh user client001 service-type sftp
2 Configuration on the SFTP client (Switch A)
a Configure an IP address (11.111.27.92) for the VLAN interface on Switch A.
This IP address and that of the VLAN interface on Switch B must be in the same
network segment.
<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 11.111.27.92 255.255.255.0
[SwitchA-Vlan-interface1] quit
b Establish a connection with the remote SFTP server and enter SFTP client view.
[3Com] sftp 11.111.27.91
Input Username: client001
Trying 11.111.27.91 ...
Press CTRL+K to abort
Connected to 11.111.27.91 ...
Enter password:
sftp-client>
c Display the current directory on the server, delete the z file, and check that the file is
deleted successfully.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
sftp-client> delete z
The following File will be deleted:
/z
Are you sure to delete it?(Y/N):y
This operation may take a long time.Please wait...
When configuring UDP Helper, go to these sections for information you are interested in:
■ Introduction to UDP Helper
■ Configuring UDP Helper
■ Displaying and Maintaining UDP Helper
■ UDP Helper Configuration Example
By default, the Switch 4500G Family of Ethernet switches do not forward IP broadcast
packets. To ensure that UDP Helper is available, you must use the ip
forward-broadcast command in system view first.
Introduction to UDP Helper
UDP Helper functions as a relay that converts UDP broadcast packets into unicast packets
and forwards them to a specified server.
With UDP Helper enabled, the device decides whether to forward a received UDP
broadcast packet according to the port number of the packet. If the packet needs to be
forwarded, the device modifies the destination IP address in the IP header and then sends
the packet to the specified destination server. Otherwise, the device sends the packet to
its upper layer.
When relaying BOOTP/DHCP broadcast packets, the device broadcasts a response packet
if the client specifies that it needs to receive a broadcast response; otherwise, the device
unicasts a response packet.
With UDP Helper enabled, the device relays broadcast packets of six default UDP ports by
default. The default UDP ports are listed in Table 390.
CAUTION:
■ The dns, netbios-ds, netbios-ns, tacacs, tftp, and time keywords correspond to the six
default ports. You can configure the default ports by specifying either port numbers or
the corresponding keywords. For example, udp-helper port 53 and udp-helper port dns
specify the same port.
■ When you view the configuration information by using the display current-configuration
command, the default UDP port numbers are not displayed. A default port number is
shown only when UDP Helper has been disabled for that port.
■ The configuration of all UDP ports (including the default ports) is removed if you
disable UDP Helper.
■ The device supports up to 256 UDP ports whose packets are to be forwarded.
■ An interface corresponds to a maximum of 20 destination servers.
■ If the destination server is configured on a VLAN interface, the broadcast packets
from a VLAN port to a specific UDP port will be unicast to the destination server
configured on that VLAN interface after UDP Helper is enabled.
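The forwarding decision described above, together with the limits and the enable/disable behaviour listed in the CAUTION, is modelled in the following added example. It is not code from the 3Com guide: given the helper's configuration (the UDP ports to relay and the destination servers configured on the receiving VLAN interface) and a received packet, it returns the unicast copies the device would send, or an empty list when the packet is handed to the device's own upper layer instead. The page gives only 53 for dns; the other keyword-to-port mappings used here are the well-known IANA assignments. Packets and the configuration (port 55 and server 202.38.1.2 on Vlan-interface1, taken from the configuration example that follows) are constructed.

```python
"""Added example: model of the UDP Helper broadcast-to-unicast decision.
Not part of the 3Com guide; packets and addresses are constructed."""

from dataclasses import dataclass, field

# Keyword -> port number. The page itself gives 53 for dns; the rest are the
# well-known IANA assignments for the listed keywords.
DEFAULT_PORTS = {"dns": 53, "netbios-ds": 138, "netbios-ns": 137,
                 "tacacs": 49, "tftp": 69, "time": 37}
MAX_PORTS = 256                 # limit stated in the CAUTION above
MAX_SERVERS_PER_INTERFACE = 20  # limit stated in the CAUTION above


@dataclass
class UdpPacket:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
    in_interface: str


@dataclass
class UdpHelper:
    enabled: bool = False
    ports: set = field(default_factory=set)
    servers: dict = field(default_factory=dict)  # interface -> [server ip, ...]
    forwarded: int = 0                            # what 'display udp-helper server' would count

    def enable(self):
        """udp-helper enable: relaying starts with the six default ports."""
        self.enabled = True
        self.ports |= set(DEFAULT_PORTS.values())

    def disable(self):
        """Disabling removes every configured port, the defaults included."""
        self.enabled = False
        self.ports.clear()

    def add_port(self, port):
        """udp-helper port <number|keyword>; 'dns' and 53 are the same entry."""
        number = DEFAULT_PORTS.get(port, port)
        if not isinstance(number, int) or not 1 <= number <= 65535:
            raise ValueError("invalid UDP port %r" % (port,))
        if number not in self.ports and len(self.ports) >= MAX_PORTS:
            raise ValueError("UDP Helper port table is full (256 ports)")
        self.ports.add(number)

    def add_server(self, interface, server_ip):
        """udp-helper server <ip>, issued in the interface's view."""
        lst = self.servers.setdefault(interface, [])
        if server_ip in lst:
            return
        if len(lst) >= MAX_SERVERS_PER_INTERFACE:
            raise ValueError("interface already has 20 destination servers")
        lst.append(server_ip)

    def relay(self, pkt, broadcast_addrs=frozenset({"255.255.255.255"})):
        """Return the unicast copies to send. An empty list means the packet is
        not relayed and is passed to the device's own upper layer."""
        if (not self.enabled or pkt.dst_ip not in broadcast_addrs
                or pkt.dst_port not in self.ports):
            return []
        copies = [UdpPacket(pkt.src_ip, server, pkt.dst_port, pkt.payload, pkt.in_interface)
                  for server in self.servers.get(pkt.in_interface, [])]
        self.forwarded += len(copies)
        return copies


def page_scenario():
    """Apply the configuration of the example that follows (port 55, server
    202.38.1.2 on Vlan-interface1) to constructed packets and return, for each
    packet, the destination addresses of the copies produced."""
    helper = UdpHelper()
    helper.enable()
    helper.add_port(55)
    helper.add_server("Vlan-interface1", "202.38.1.2")
    # Limited broadcast plus the directed broadcast of 10.110.0.0/16.
    bcast = frozenset({"255.255.255.255", "10.110.255.255"})

    def run(dst_ip, dst_port):
        pkt = UdpPacket("10.110.5.7", dst_ip, dst_port, b"constructed payload", "Vlan-interface1")
        return [c.dst_ip for c in helper.relay(pkt, bcast)]

    return {
        "port55_broadcast": run("255.255.255.255", 55),
        "dns_directed_broadcast": run("10.110.255.255", 53),  # default port, relayed
        "port56_broadcast": run("255.255.255.255", 56),       # not configured: upper layer
        "port55_unicast": run("10.110.1.1", 55),              # not a broadcast: upper layer
    }
```

Running page_scenario() shows that enabling UDP Helper and adding port 55 relays both the explicitly configured port and the default ports, while anything else, including unicast traffic to a configured port, is left alone.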
Displaying and Maintaining UDP Helper
Table 392 Displaying and Maintaining UDP Helper
To do...                                                        Use the command...                                                    Remarks
Display the information of the destination server and the number of packets forwarded by UDP relay   display udp-helper server [ interface interface-type interface-number ]   Available in any view
Clear statistics about packets forwarded by UDP relay           reset udp-helper packet                                               Available in user view
Network diagram: the switch's VLAN-interface1 (10.110.1.1/16) faces the 10.110.0.0/16
Ethernet segment; the server (202.38.1.2/24) is reached across the Internet.
Configuration procedure
The following configuration assumes that the port connecting to the Internet belongs to
VLAN1, and the route to network segment 202.38.1.0/24 is up.
1 Enable UDP Helper.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] udp-helper enable
2 Specify that broadcast packets with destination UDP port 55 are to be forwarded.
[3Com] udp-helper port 55
3 Specify the server with the IP address of 202.38.1.2 as the destination server to which
UDP packets are to be forwarded.
[3Com] interface vlan 1
[3Com-Vlan-interface1] ip address 10.110.1.1 16
[3Com-Vlan-interface1] udp-helper server 202.38.1.2
560 CHAPTER 57: UDP HELPER CONFIGURATION
58 SSL CONFIGURATION
When configuring SSL, go to these sections for information you are interested in:
■ SSL Overview
■ Configuring SSL Server Policy
■ Configuring SSL Client Policy
■ Displaying and Maintaining SSL
■ Troubleshooting SSL Configuration
SSL Overview
SSL (Secure Socket Layer) is a security protocol providing secure connections for
TCP-based application layer protocols. The secure connection provided by SSL can
implement the following:
■ Confidentiality: SSL encrypts data using symmetric encryption algorithm with the key
generated during handshake phase.
■ Authentication: SSL performs certificate-based authentication on both the server and
the client, and the authentication on the client is optional.
■ Reliability: SSL uses key-based MAC (message authentication code) to verify the
integrity of messages.
The SSL protocol includes two layers: the SSL record protocol at the lower layer, and the
handshake protocol, SSL password change protocol and SSL alert protocol at the upper layer.
■ SSL record protocol: It fragments and compresses data from the upper layer, computes
and adds a MAC to the data, encrypts the data, and then transmits the records to the
peer end.
■ SSL handshake protocol: A session is initiated between the client and the server with
the handshake protocol. The session includes a group of parameters such as session ID,
peer certificate, cipher suite (including key exchange algorithm, data encryption
algorithm and MAC algorithm), compression algorithm and main key. An SSL session
can be shared by multiple connections to reduce session negotiation cost.
■ SSL password change protocol: The client and the server inform each other of the
password change through this protocol. Subsequent packets are protected and
transmitted with the newly negotiated encryption suite and key pair.
■ SSL alert protocol: Permits one entity to report an alert message containing the alert
level and description to the other.
Configuring an SSL Server Policy
An SSL server policy is the set of SSL parameters used when the server is started. It takes
effect only when associated with an application layer protocol (for example, HTTP).

Configuration Prerequisites
Before configuring the SSL server policy, you must configure a PKI (public key
infrastructure) domain. For details of PKI domain configuration, see the PKI
Configuration module.
Network diagram: the Device, acting as HTTPS server, and a Host, acting as HTTPS client,
connected over an IP network.
Configuration procedure
1 Configure SSL server policy.
<3Com> system
[3Com] ssl server-policy myssl
[3Com-ssl-server-policy-myssl] pki-domain 1
[3Com-ssl-server-policy-myssl] close-mode wait
[3Com-ssl-server-policy-myssl] quit
2 Configure the SSL policy adopted by the HTTPS server as myssl.
[3Com] ip https ssl-server-policy myssl
3 Enable HTTPS service.
[3Com] ip https enable
Configuring an SSL Client Policy
An SSL client policy is the set of SSL parameters used by the client when connecting to
the server. It takes effect only when associated with an application layer protocol (for
example, HTTP).

Configuration Prerequisites
Before configuring the SSL client policy, you must configure a PKI domain first.
Displaying and Maintaining SSL
Table 395 Displaying and Maintaining SSL
To do...                                 Use the command...                               Remarks
Display SSL server policy information    display ssl server-policy { policy-name | all }  Available in any view
Display SSL client policy information    display ssl client-policy { policy-name | all }
Troubleshooting SSL Configuration

SSL Handshake Failure
Symptom: When the device works as the SSL server, its handshake with the SSL client fails.
Solution:
1 Use the ping command to check the network connection.
2 Use the debugging ssl command to view the debugging information:
■ If the SSL server certificate does not exist, apply one for it.
■ If the server certificate cannot be trusted, on the SSL client install a CA server root
certificate that issues the certificate to the SSL server, or enable the server to reapply a
certificate from the CA server trusted by the SSL client.
■ If the server is configured to authenticate the client, but the certificate of the SSL
client does not exist or cannot be trusted, apply for and install a certificate for the
client.
3 Use the display ssl server-policy command to view the encryption suite supported
by the SSL server policy. If the encryption suite supported by the SSL server does not
match that by the client, use the ciphersuite command to modify the encryption suite
supported by the SSL server.
59 HTTPS SERVER CONFIGURATION
When configuring HTTPS server, go to these sections for information you are interested
in:
HTTPS Server Overview
The HTTP Security (HTTPS) server is an HTTP server that supports the Secure Socket
Layer (SSL) protocol.
In addition to the two security measures provided by the HTTP server, HTTPS further
enhances the security of the HTTP server in the following aspects:
■ It uses the SSL protocol to ensure that legal clients can access the HTTPS server
securely and to prohibit illegal clients.
■ It encrypts the data exchanged between the HTTPS client and the HTTPS server to
ensure data confidentiality and integrity, thus realizing secure management of the device.
■ It defines a certificate attribute-based access control policy for the HTTPS server to
control the access rights of clients, further preventing attacks by illegal clients.
The total number of HTTP connections and HTTPS connections on a device cannot
exceed ten.
Associating HTTPS Server with SSL Server-end Policy
Associate the HTTPS server with an SSL server-end policy before enabling the functions of
the HTTPS server.
Follow these steps to associate the HTTPS server with an SSL server-end policy:

Enabling the Functions of HTTPS Server
Before configuring the HTTPS server, make sure that the functions of the HTTPS server
are enabled. Otherwise, other related configurations cannot take effect.
Follow these steps to enable the functions of the HTTPS server:
Enabling the functions of the HTTPS server triggers an SSL handshake negotiation. During
the negotiation, if a local certificate of the device already exists, the SSL negotiation
succeeds and the HTTPS server starts normally. If no local certificate exists, the SSL
negotiation triggers a certificate application process. Because the application process
takes a long time, the SSL negotiation often fails and the HTTPS server cannot start
normally. Therefore, the ip https enable command may have to be executed multiple
times to ensure normal startup of the HTTPS server.
Associating HTTPS Server with Certificate Access Control Policy
Associating the HTTPS server with the client certificate access control policy helps control
the access rights of the client, thus providing the server with enhanced security.
Follow these steps to associate the HTTPS server with a certificate access control policy:
Table 398 Associating HTTPS Server with Certificate Access Control Policy
Associating HTTPS Server with ACL
By associating the HTTPS server with an ACL, requests from some clients can be filtered
out. Only the clients that pass ACL filtering are allowed to access the server.
Follow these steps to associate the HTTPS server with an ACL:
If the ip https acl command is executed repeatedly, the HTTPS server is associated only
with the last ACL configured.
Displaying and Maintaining HTTPS Server
After completing the above configurations, execute the display command in any view to
display the operation status of the HTTPS server and verify the effect of the
configuration.

Configuration Examples for HTTPS Server
When a server running Windows operating system is used as the CA, the Simple
Certificate Enrollment Protocol plug-in is required. In this case, you need to specify the
entity to apply for the certificate from RA by using the certificate request from ra
command when configuring the PKI domain.
The Simple Certificate Enrollment Protocol plug-in is not needed when RSA Keon
software is used. In this case, you need to specify the entity to apply for the certificate
from CA by using the certificate request from ca command when configuring the PKI
domain.
Network requirements
■ The HTTPS client logs on to the HTTPS server to access the device through Web
network management and control the device.
■ CA (Certificate Authority) issues certificate to the HTTPS server.
Network diagram: an HTTPS client and a CA connected to the HTTPS server. Addresses
shown in the figure: 10.1.1.1/24 and 10.1.2.1/24 on the server side, 10.1.1.2/24 for the
HTTPS client, and 10.1.2.2/24 for the CA.
Configuration procedure
Perform the following configurations on the HTTPS server:
1 Apply for a certificate for the HTTPS server.
a Configure a PKI (Public Key Infrastructure) entity.
<3Com> system-view
[3Com] pki entity en
[3Com-pki-entity-en] common-name http-server1
[3Com-pki-entity-en] fqdn ssl.security.com
[3Com-pki-entity-en] quit
b Configure a PKI domain.
[3Com] pki domain 1
[3Com-pki-domain-1] ca identifier ca1
When configuring PKI, go to these sections for information you are interested in:
■ Introduction to PKI
■ Introduction to PKI Configuration Task
■ PKI Certificate Request Configuration
■ PKI Certificate Validation Configuration
■ Display and Debug
■ Typical Configuration Examples
■ Troubleshooting
Introduction to PKI
The term "router" in this document refers to a Layer 3 switch running routing protocols.
To improve readability, this will not be noted again in the document.
Overview
Public key infrastructure (PKI) is a system that uses public key technology and digital
certificates to ensure system security and to authenticate digital certificate users. It
provides a whole set of security mechanisms by combining software/hardware systems and
security policies. PKI uses certificates to manage public keys: it binds user public keys
with other identifying information through a trustworthy association, so that online
authentication is possible. PKI provides a safe network environment and enables easy use
of encryption and digital signature technologies in many application environments, to
assure confidentiality, integrity and validity of online data.
Confidentiality means that the data are accessible only to authorized parties during data
transmission. Integrity means that only authorized parties can modify the data. Validity
means that the data are available to authorized parties when needed.
A PKI system consists of a public key algorithm, a certificate authority, a registration
authority, digital certificates, and a PKI repository.
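The relationships the overview describes (a CA that binds a subject's public key to its identity by signing a certificate, a relying party that checks that binding with the CA's public key, and a revocation list consulted before trusting a certificate) are made concrete in the following added example. It is not code from the 3Com guide: it uses textbook RSA over a SHA-256 digest with no padding scheme and freshly generated 512-bit primes so that it runs stand-alone, whereas real PKI uses padded signatures (PKCS#1 v1.5 or PSS) and X.509/DER certificates. The CA name ca1 and subject http-server1 are taken from the HTTPS configuration example above; serial numbers and seeds are constructed.

```python
"""Added example: a miniature PKI with a CA, certificates, and a CRL.
Not part of the 3Com guide; textbook RSA without padding, for illustration only."""

import hashlib
import json
import math
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test with witnesses drawn from rng."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=1024, seed=None):
    """Textbook RSA key pair: returns (public (e, n), private (d, n))."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(obj):
    """SHA-256 over canonical JSON of the signed fields, as an integer."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, obj):
    d, n = private_key
    return pow(_digest(obj), d, n)  # 256-bit digest is far below the 1024-bit n


def verify(public_key, obj, signature):
    e, n = public_key
    return pow(signature, e, n) == _digest(obj)


class CertificateAuthority:
    """Issues certificates binding a subject name to a public key, and keeps
    the CRL of serial numbers it has revoked."""

    def __init__(self, name, seed=None):
        self.name = name
        self.public_key, self._private_key = generate_keypair(seed=seed)
        self._next_serial = 1
        self.crl = set()

    def issue(self, subject, subject_public_key):
        tbs = {"serial": self._next_serial, "issuer": self.name,
               "subject": subject, "public_key": list(subject_public_key)}
        self._next_serial += 1
        return {"tbs": tbs, "signature": sign(self._private_key, tbs)}

    def revoke(self, serial):
        self.crl.add(serial)


def validate(cert, ca_public_key, crl, expected_issuer):
    """Relying-party checks, in order: trusted issuer, CA signature, CRL."""
    tbs = cert["tbs"]
    if tbs["issuer"] != expected_issuer:
        return "untrusted issuer"
    if not verify(ca_public_key, tbs, cert["signature"]):
        return "bad signature"
    if tbs["serial"] in crl:
        return "revoked"
    return "valid"


def demo():
    """Issue a certificate, tamper with it, then revoke it; returns the verdicts."""
    ca = CertificateAuthority("ca1", seed=2006)  # constructed seed
    server_pub, _server_priv = generate_keypair(seed=4500)
    cert = ca.issue("http-server1", server_pub)
    valid = validate(cert, ca.public_key, ca.crl, "ca1")
    # A certificate whose public key was swapped after signing fails verification.
    forged = {"tbs": dict(cert["tbs"], public_key=[3, 12345]), "signature": cert["signature"]}
    tampered = validate(forged, ca.public_key, ca.crl, "ca1")
    ca.revoke(cert["tbs"]["serial"])
    revoked = validate(cert, ca.public_key, ca.crl, "ca1")
    return valid, tampered, revoked
```

The three verdicts from demo() map onto the overview: the CA's signature is what makes the name-to-key binding trustworthy, altering either the name or the key breaks it, and revocation lets the CA withdraw trust before the certificate would otherwise expire.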
Figure: PKI components (PKI application, digital certificate, CA, RA, PKI repository).
574 CHAPTER 60: PKI CONFIGURATION
Terminology
■ Public key algorithm: Key algorithm that uses different encryption and
decryption keys. The keys are generated for users in pairs: one is published as the public
key; the other is kept as the private key. Information encrypted with one key has to
be decrypted with the other; the key pair is therefore generally used for signature and
authentication. In communication, if the sender signs with its private key, the receiver
needs to authenticate this signature with the sender’s public key. If the sender encrypts
the information with the receiver’s public key, then only the receiver’s private key is
capable of decryption.
■ Certificate authority (CA): Trustworthy entity issuing certificates to persons, PCs or
any other entities. The CA deals with certificate requests, and checks applicant
information according to its certificate management policy. Then it signs the certificate
with its private key and issues the certificate.
■ Registration authority (RA): Extension of the CA. It forwards the entities' certificate
requests to the CA, and forwards digital certificates and the certificate revocation list to the
directory server, for directory browsing and query.
■ Lightweight directory access protocol (LDAP) server: LDAP provides a means to access
the PKI repository, with the purpose of accessing and managing PKI information. The LDAP
server supports directory browsing and lists the user information and digital
certificates from an RA server. The user can then get his or others’ certificates when
accessing the LDAP server.
■ Certificate revocation list (CRL): A certificate has a lifetime, but the CA can revoke a
certificate before its expiration date if the private key leaks or if the service ends. Once
a certificate is revoked, a CRL is released to announce its invalidity; the CRL lists the
serial numbers of the invalid certificates. The CRL, stored on the LDAP server, provides an effective
way to check the validity of certificates, and offers centralized management of user
notification and other applications.
Applications
PKI includes a set of security services provided using the technologies of public key and
X.509 certification in distributed computing systems. It can issue certificates for various
purposes, such as Web user identity authentication, Web server identity authentication,
secure Email using S/MIME (secure/multipurpose internet mail extensions), virtual private
network (VPN), IP Security, Internet key exchange (IKE), and secure sockets
layer/transport layer security (SSL/TLS). One CA can issue certificates to another CA, to
establish certification hierarchies.
Introduction to PKI Configuration Task
The purpose of configuring PKI is to apply for a local certificate from the CA for the specified
device, so as to enable the device to check the validity of the certificate.
Configuring PKI Certificate Request
A certificate request is the process by which an entity introduces itself to the CA. The identity
information the entity provides will be contained in the certificate issued later. The CA uses a
set of criteria to check applicant credibility, request purpose and identity reliability, to
ensure that certificates are bound to the correct identity. Offline and non-automatic out-of-band
(phone, storage disk and Email, for example) identity checks may be required in this
process. If this process goes smoothly, the CA issues a certificate to the user and displays it
along with some public information on the LDAP server for directory browsing. The user
can then download its own public-key digital certificate from the notified position, and
obtain those of others through the LDAP server.
Entering PKI Domain View
A PKI domain resides on the local device and is invisible to the CA and other devices. It does not
interfere with the relationship between user management and the multiple users. The
purpose of using a PKI domain is to provide other applications (such as IKE and SSL) with easy
reference to the PKI configuration.
Typically, a device may belong to two or more PKI domains. Then independent
configuration information is required for each domain. Parameter configuration in PKI
domain view is for this purpose. Currently, however, one device supports only two PKI domains.
If the device already belongs to two PKI domains, you need to delete an existing domain
first if you want to use a new one.
Configuring a Trustworthy CA
CAs function to provide registration service and issue certificates for entities.
They are essential to PKI. Only when a CA trusted by everyone is available can users
enjoy the security services of public key technology.
The standard set a CA uses in request processing, certificate issuing and revoking, and CRL
releasing is called the CA policy. In general, a CA uses files, called certification practice
statements (CPS), to advertise its policy. The CA policy can be obtained out-of-band or in
other ways. You should understand CA policies before choosing a CA, for different CAs
may use different methods to authenticate the public key to subject binding.
You need CA identifiers only when obtaining CA certificates, not when applying for
local certificates.
An entity is required for a certificate request; it is used to prove the identity to the CA. For
information about the entity-name argument, refer to “Configuring Entity Name Space”.
The registration server location (that is, its URL) needs to be specified. Entities can then
present the certificate request to this server using the Simple Certificate Enrollment Protocol
(SCEP, the protocol used to communicate with the certificate authority).
Storage of entity certificates and CRL information is essential to a PKI system. Usually, this
is done using an LDAP directory server.
When receiving the identity certificate from the CA, the router needs to use the root
certificate of the CA to verify the authenticity and validity of the identity certificate.
When receiving the root certificate from the CA, the router needs to authenticate the
fingerprint of the CA root certificate, which is a unique hash value of the content of
the root certificate. If the fingerprint of the CA root certificate is not identical to the one
configured by using the command described here, the router rejects the root certificate.
Configuring Entity Name Space
The entity name space specifies the set of names available to entities. Each CA describes
an entity with the information it considers important. A unique identifier (also called
DN, distinguished name) can be used to identify an entity. It consists of several parts, such
as user common name, organization, country and owner name. It must be unique
across the network.
Entity configuration information must comply with the CA certificate issue policy, for
example, in determining mandatory and optional parameters. Otherwise, the certificate
request may be rejected.
The entity name must be consistent with that specified by the registration organization using
the certificate request entity entity-name command. Otherwise, the
certificate request fails. name-str is just for convenience in referencing, and does not
appear as a certificate field.
The Windows 2000 CA server has some restrictions on the data length of certificates. If the
configured entity length goes beyond a certain limit, the Windows 2000 CA server does
not respond to certificate requests.
A fully qualified domain name (FQDN) is the unique identifier of the entity on the
network, for example, an Email address. It is often in the format of user domain and can be
resolved to an IP address. An FQDN is equivalent to an IP address in function. This configuration is
optional.
A country code uses two standard characters, for example, CN for China and US for the
United States.
Creating a Local Public-Private Key Pair
A key pair is generated during certificate request: one public and the other private. The
private key is held by the user, while the public key and other information are transferred
to the CA center for signature and then the generation of the certificate. Each CA certificate
has a lifetime that is determined by the issuing CA. When the private key leaks or the
current certificate is about to expire, you have to delete the old key pair. Then another
key pair can be generated for a new certificate.
If an RSA key pair already exists when you create a local key pair, the system prompts
whether to replace it. The minimum length of a host key is 512 bits and the maximum
length is 2048 bits.
For detailed configuration, see the related commands in the SSH Terminal Service
module.
CAUTION:
■ If a local certificate already exists, do not create another key pair. To ensure
consistency between key pair and existing certificate, first delete the existing
certificate and then create a new key pair.
■ If a local RSA key pair exists, the newly-generated key pair will overwrite the existing
one.
■ The key pairs are originally for use in SSH. The local server regularly updates the local
server key pair. However, the host key pair used in certificate requests remains
unchanged.
Configuring Polling Interval and Count
If the CA examines certificate requests in manual mode, then a long time may be required
before the certificate is issued. In this period, you need to query the request status
periodically, so that you can get the certificate right after it is issued.
Configuring Certificate Request Mode
The request mode can be manual or auto. Auto mode enables the automatic request for a
certificate through SCEP when there is none, and for a new one when the old one is
about to expire. In manual mode, all the related configuration and operations need to be
carried out manually.
Delivering a Certificate Request Manually
A certificate request is complete with the user public key and other registered information. With
all of this configured, you can deliver the certificate request to a PKI RA.
Follow these steps to deliver a certificate request:
Retrieving a Certificate Manually
Certificate retrieval serves two purposes: to store locally the certificates related to the local
security domain to improve query efficiency, and to prepare for certificate validation.
When downloading a digital certificate, select the local keyword for a local certificate
and the ca keyword for a CA certificate.
CAUTION:
■ If a CA certificate already exists locally, the CA certificate request operation is disallowed,
to eliminate inconsistency between the certificate and registration information resulting
from configuration changes. To request a new certificate, you should first delete the
existing CA and local certificates using the pki delete-certificate command.
■ This operation will not be saved.
Importing a Certificate
In out-of-band mode, you can import an existing local certificate or CA certificate by
performing the following configuration.
Configuring PKI Certificate Validation
At every stage of data communication, both parties should verify the validity of the
corresponding certificates, including issue time, issuer and certificate validity. The core is
to verify the signature of the CA and to make sure the certificate is still valid. It is believed
that the CA never issues fake certificates, so every certificate with an authentic CA signature
will pass the verification. For example, suppose you receive an E-mail containing a certificate
with a public key; the mail is encrypted using the public key, and is signed with the
private key. You need to verify the validity of this certificate, to determine whether it is valid
and trustworthy.
The CRL update period refers to the interval at which CRLs are downloaded from the CRL access
server to the local machine. A CRL update period configured manually takes priority over that
specified in the CRLs.
The purpose of downloading CRLs is to verify the validity of the certificates on the local
device. This operation will not be saved in the configuration.
You can verify the validity of a local certificate using the parameter “local” or a CA
certificate using the parameter “ca”.
Configuring a Certificate Attribute Access Control Policy
Table 415 Configure a certificate attribute-based access control policy
1 Enter system view.
Command: system-view
Remarks: —
2 Create a certificate attribute group and enter certificate attribute group view.
Command: pki certificate attribute-group group-name
Remarks: Required. By default, no certificate attribute group is created.
3 Configure the attribute rule for the certificate issuer name, subject name of the certificate,
and alternate subject name of the certificate.
Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
Remarks: Optional. By default, there is no rule for certificate issuer name, subject name of the
certificate, or alternate subject name of the certificate.
4 Quit to system view.
Command: quit
Remarks: —
5 Create a certificate attribute access control policy and enter certificate attribute access
control policy view.
Command: pki certificate access-control-policy policy-name
Remarks: Required. By default, no certificate attribute access control policy is created.
6 Create a certificate attribute control rule.
Command: rule [ id ] { permit | deny } group-name
Remarks: Optional. By default, no certificate attribute control rule is created.
CAUTION: Alternate certificate subject name attribute is not displayed in the form of
domain name; therefore, the dn keyword is not available when you configure the
alternate certificate subject name attribute.
When creating a certificate attribute control rule by using the rule command, make
sure the certificate attribute group identified by the group-name argument exists.
The certificate format and fields comply with the X.509 standard. All kinds of identifying
information about the user and CA are included, such as the user email address; the public key
of the certificate holder; and the issuer, serial number, and validity (period) of the certificate.
The CRL complies with the X.509 standard, covering version, signature (algorithm), issuer name,
this update, next update, user public key, signature value, serial number, and revocation
date.
Typical Configuration Examples
CAUTION:
■ When a server running the Windows operating system is used as the CA, the Simple
Certificate Enrollment Protocol plug-in is required. In this case, you need to specify
the entity to apply for the certificate from the RA by using the certificate request
from ra command when configuring the PKI domain.
■ The Simple Certificate Enrollment Protocol plug-in is not needed when RSA Keon
software is used. In this case, you need to specify the entity to apply for the certificate
from the CA by using the certificate request from ca command when
configuring the PKI domain.
■ This section assumes RSA Keon software is used on the CA server.
Network diagram
Configuration procedure
1 Configure entity name space.
<SysnameCA> system-view
[SysnameCA] pki entity torsa
[SysnameCA-pki-entity-torsa] common-name 1
[SysnameCA-pki-entity-torsa] quit
2 Configure parameters for PKI domain (The URLs of registration organization servers for
certificate requests vary depending on the CA servers used. The configuration mentioned
here is used as an example only. Perform configuration based on actual conditions).
[SysnameCA] pki domain torsa
[SysnameCA-pki-domain-torsa] ca identifier rsa
[SysnameCA-pki-domain-torsa] certificate request url http://4.4.4.133:446/6953bf7fb5b1cf514376243ce67ebed1209c292a
[SysnameCA-pki-domain-torsa] certificate request from ca
[SysnameCA-pki-domain-torsa] certificate request entity torsa
[SysnameCA-pki-domain-torsa] crl url http://4.4.4.133:447/security_rsa.crl
[SysnameCA-pki-domain-torsa] quit
3 Create a local key pair by using RSA.
[SysnameCA] rsa local-key-pair create
4 Request a certificate.
[SysnameCA] pki retrieval-certificate ca domain torsa
[SysnameCA] pki retrieval-crl domain torsa
[SysnameCA] pki request-certificate domain torsa challenge-word
Networking diagram: the Device (HTTPS server) and the Host (HTTPS client) are connected over an IP network.
Configuration procedure
■ For SSL configuration, refer to SSL Configuration.
■ For HTTPS configuration, refer to “HTTPS Server Configuration”.
1 Configure HTTPS server
a Configure the SSL policy used by the HTTPS server. The PKI domain to be referred must
be already created.
<SysnameCA> system-view
[SysnameCA] ssl server-policy myssl
[SysnameCA-ssl-server-policy-myssl] pki-domain 1
[SysnameCA-ssl-server-policy-myssl] close-mode wait
[SysnameCA-ssl-server-policy-myssl] client-verify enable
[SysnameCA-ssl-server-policy-myssl] quit
2 Configure the certificate attribute group
a Configure the certificate attribute group mygroup1 and create two attribute rules. The
first rule defines that the DN of the subject name includes the string aabbcc, and the
second rule defines that the IP address of the certificate issuer is 10.0.0.1.
[SysnameCA] pki certificate attribute-group mygroup1
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 1 subject-name
dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name
ip equ 10.0.0.1
[SysnameCA-pki-cert-attribute-group-mygroup1] quit
b Configure the certificate attribute group mygroup2 and create two attribute rules. The
first rule defines that the FQDN of the subject name does not include the string apple,
and the second rule defines that the DN of the certificate issuer name includes the
string aabbcc.
[SysnameCA] pki certificate attribute-group mygroup2
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 1
alt-subject-name fqdn nctn apple
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name
dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup2] quit
3 Configure the certificate ACL policy
Configure the certificate access control policy myacp and create two ACL rules.
[SysnameCA] pki certificate access-control-policy myacp
[SysnameCA-pki-cert-acp-myacp] rule 1 deny mygroup1
[SysnameCA-pki-cert-acp-myacp] rule 2 permit mygroup2
[SysnameCA-pki-cert-acp-myacp] quit
4 Configure the HTTPS server to relate with corresponding policies, and start the HTTPS
server.
a Configure the SSL policy specifying HTTPS server as myssl.
[SysnameCA] ip https ssl-server-policy myssl
b Configure the certificate ACL specifying HTTPS as myacp.
[SysnameCA] ip https certificate access-control-policy myacp
c Start the HTTPS server.
[SysnameCA] ip https enable
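The certificate attribute-based access control policy described in Table 415 and configured in steps 2 and 3 above, modelled as an added Python example (not 3Com code). It assumes that a certificate matches an attribute group only when it satisfies every rule in the group, that policy rules are tried in ascending id order with the first match deciding, that a certificate matching no rule is denied, and that an attribute the certificate lacks compares as an empty string.

```python
# Added example, not 3Com code: a model of the certificate attribute-based
# access control policy (attribute groups, attribute rules, permit/deny rules).
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Attribute names and the value forms the "attribute" command accepts for each.
# The dn form is not available for alt-subject-name (see the CAUTION above).
ATTRIBUTE_FORMS = {
    "subject-name": {"dn", "fqdn", "ip"},
    "issuer-name": {"dn", "fqdn", "ip"},
    "alt-subject-name": {"fqdn", "ip"},
}
OPERATORS = {"ctn", "equ", "nctn", "nequ"}

# A certificate is represented only by the attributes the policy can inspect,
# e.g. {"subject-name": {"dn": "CN=..."}, "issuer-name": {"ip": "10.0.0.1"}}.
Certificate = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class AttributeRule:
    """One 'attribute id <attr> <form> <op> <value>' line."""
    attr: str
    form: str
    op: str
    value: str

    def __post_init__(self) -> None:
        if self.attr not in ATTRIBUTE_FORMS:
            raise ValueError(f"unknown attribute {self.attr}")
        if self.form not in ATTRIBUTE_FORMS[self.attr]:
            raise ValueError(f"{self.form} is not available for {self.attr}")
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator {self.op}")

    def matches(self, cert: Certificate) -> bool:
        # Assumption: an attribute the certificate lacks compares as "".
        actual = cert.get(self.attr, {}).get(self.form, "")
        if self.op == "ctn":
            return self.value in actual
        if self.op == "nctn":
            return self.value not in actual
        if self.op == "equ":
            return actual == self.value
        return actual != self.value  # nequ


@dataclass
class AttributeGroup:
    """'pki certificate attribute-group <name>' and its attribute rules."""
    name: str
    rules: Dict[int, AttributeRule] = field(default_factory=dict)

    def attribute(self, rule_id: int, attr: str, form: str, op: str, value: str) -> None:
        self.rules[rule_id] = AttributeRule(attr, form, op, value)

    def matches(self, cert: Certificate) -> bool:
        # Assumption: a certificate matches a group only if it satisfies every
        # attribute rule in the group; an empty group matches nothing.
        return bool(self.rules) and all(r.matches(cert) for r in self.rules.values())


@dataclass
class AccessControlPolicy:
    """'pki certificate access-control-policy <name>' and its rules."""
    name: str
    groups: Dict[str, AttributeGroup]
    rules: Dict[int, Tuple[str, str]] = field(default_factory=dict)

    def rule(self, rule_id: int, action: str, group_name: str) -> None:
        # The page requires the referenced attribute group to exist.
        if group_name not in self.groups:
            raise KeyError(f"attribute group {group_name} does not exist")
        self.rules[rule_id] = (action, group_name)

    def evaluate(self, cert: Certificate) -> str:
        # Rules are tried in ascending id order; the first match decides.
        for rule_id in sorted(self.rules):
            action, group_name = self.rules[rule_id]
            if self.groups[group_name].matches(cert):
                return action
        # Assumption: a certificate that matches no rule is denied.
        return "deny"


def build_page_policy() -> AccessControlPolicy:
    """Rebuild mygroup1, mygroup2 and myacp as configured in steps 2 and 3."""
    g1 = AttributeGroup("mygroup1")
    g1.attribute(1, "subject-name", "dn", "ctn", "aabbcc")
    g1.attribute(2, "issuer-name", "ip", "equ", "10.0.0.1")
    g2 = AttributeGroup("mygroup2")
    g2.attribute(1, "alt-subject-name", "fqdn", "nctn", "apple")
    g2.attribute(2, "issuer-name", "dn", "ctn", "aabbcc")
    policy = AccessControlPolicy("myacp", {"mygroup1": g1, "mygroup2": g2})
    policy.rule(1, "deny", "mygroup1")
    policy.rule(2, "permit", "mygroup2")
    return policy
```

With this policy a client certificate whose subject DN contains aabbcc and whose issuer IP is 10.0.0.1 is denied by rule 1, while one issued by a CA whose DN contains aabbcc and whose alternate subject FQDN does not contain apple is permitted by rule 2.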
Troubleshooting
Failed to Retrieve a CA Certificate
Troubleshooting: If you fail to obtain a CA certificate, the reasons might include:
1 Software problems
■ No trustworthy CA is specified.
■ Verify that the Simple Certificate Enrollment Protocol (SCEP) is installed.
■ Server URL for the certificate request through SCEP is not correct or not configured.
You can check if the server is well connected by using the ping command.
■ No RA is specified.
■ System clock is not correct.
2 Hardware problems
■ Network connection faults, such as broken network cable and loose interface.
Failed to Request a Local Certificate
Troubleshooting: If you fail to request a local certificate when the router has finished the
configuration of PKI domain parameters and entity DN, and has created a new RSA key
pair, the reasons might include:
1 Software problems
■ No CA/RA certificate has been retrieved.
■ No key pair is created, or the current key pair has had a certificate.
■ No trustworthy CA is specified.
■ Verify that the Simple Certificate Enrollment Protocol (SCEP) is installed.
■ Server URL for the certificate request through SCEP is not correct or not configured.
You can check if the server is well connected by using the ping command.
■ No certificate authority is configured.
■ The necessary attributes of entity DN are not configured. You can configure the
relevant attributes by checking CA/RA authentication policy.
2 Hardware problems
■ Network connection faults, such as broken network cable and loose interface.
Failed to Retrieve a CRL
Troubleshooting: If you fail to retrieve a CRL, the reasons might include:
1 Software problems
■ The devices are not synchronized to the CA server.
■ No local certificate exists when you try to retrieve a CRL.
■ IP address of LDAP server is not configured.
■ CRL distribution point location is not configured.
■ LDAP server version is wrong.
2 Hardware problems
■ Network connection faults, such as broken network cable and loose interface.
61 POE CONFIGURATION
PoE Overview
Introduction to PoE
Power over Ethernet (PoE) means that power sourcing equipment (PSE) supplies power
to powered devices (PDs) such as IP telephones, wireless LAN access points, and web
cameras from Ethernet interfaces through twisted pair cables.
Advantages
■ Reliable: Power is supplied in a centralized way so that it is very convenient to provide
a backup power supply.
■ Easy to connect: A network terminal requires only one Ethernet cable, but no external
power supply.
■ Standard: In compliance with IEEE 802.3af, a globally uniform power interface is
adopted.
■ Promising: It can be applied to IP telephones, wireless LAN access points, portable
chargers, card readers, web cameras, and data collectors.
Composition
A PoE system consists of PoE power, PSE, and PD.
■ PoE power
The whole PoE system is powered by the PoE power, which includes external PoE power
and internal PoE power.
The support for the PoE power type depends on the device model.
■ PSE
PSE is a card or subcard. PSE manages its own PoE interfaces independently. PSE
examines the Ethernet cables connected to PoE interfaces, searches for the devices that
comply with the specification, classifies them, and supplies power to them. When it
detects that a PD is unplugged, the PSE stops supplying power to the PD.
An Ethernet interface with the PoE capability is called PoE interface. Currently, a PoE
interface can be an FE or GE interface.
■ PD
A PD is a device accepting power from the PSE. There are standard PDs and nonstandard
PDs. A standard PD refers to the one that complies with IEEE 802.3af. The PD that is
being powered by the PSE can be connected to other power supply unit for redundancy
backup.
PoE configuration tasks:
■ Configuring the PoE Interface (Required)
■ Configuring PoE Power Management (Optional)
■ Configuring a Power Alarm Threshold for the PSE (Optional)
■ Upgrading PSE Processing Software Online (Optional)
■ Configuring a PD Disconnection Detection Mode (Optional)
■ Enabling the PSE to Detect Nonstandard PDs (Optional)
Configuring the PoE Interface
You can configure a PoE interface in either of the following two ways:
■ Use the command line.
■ Configure a PoE configuration file and apply the file to the specified PoE interface(s).
Usually, you use the command line to configure a single PoE interface, and a PoE
configuration file to batch configure PoE interfaces.
You can use either mode to configure, modify, or delete a PoE configuration
parameter under the same PoE interface.
The PSE applies power to a PoE interface in two modes. For a device with only signal
cables, power is supplied over signal cables. For a device with spare cables and signal
cables, power can be supplied over spare cables or signal cables.
To clearly identify the PD connected to a PoE interface, you can give a PD description.
Configuring a PoE Interface through the Command Line
Follow these steps to configure a PoE interface through the command line:
Table 418 Configuring a PoE Interface through the Command Line
Configuring PoE Interfaces through a PoE Configuration File
A PoE configuration file is used to batch configure PoE interfaces with the same
attributes to simplify operations. This configuration method is a supplement to the
common command line configuration.
Commands in a PoE configuration file are called configurations.
Follow these steps to configure PoE interfaces through a PoE configuration file:
■ After a PoE configuration file is applied to a PoE interface, other PoE configuration
files cannot take effect on this PoE interface.
■ If a PoE configuration file is already applied to a PoE interface, you must execute the
undo apply poe-profile command to remove the application to the interface
before deleting or modifying the PoE configuration file.
■ If you have configured a PoE interface through the command line, you cannot
configure it through a PoE configuration file again. If you want to reconfigure the
interface through a PoE configuration file, you must first remove the command line
configuration on the PoE interface.
■ You must use the same mode (command line or PoE configuration file) to configure
the poe max-power max-power and poe priority { critical | high | low }
commands.
Configuring PD Power Management
The power priority of a PD depends on the priority of the PoE interface. The priority levels
of PoE interfaces are critical, high and low, in descending order. Power supply to a PD
is subject to the PD power management policies.
All PSEs implement the same PD power management policies, which apply when the PSE
supplies power to a PD.
If the guaranteed remaining PSE power (maximum PSE power minus the power allocated to
critical PoE interfaces, regardless of whether PoE is enabled for those interfaces) is lower
than the maximum power of the PoE interface, setting the priority of the PoE
interface to critical fails. Otherwise, the priority is set to critical, and this
PoE interface preempts the power of other PoE interfaces with a lower priority level.
In the latter case, the PoE interfaces whose power is preempted are powered off, but
their configurations remain unchanged. When you change the priority of a PoE
interface from critical to a lower level, the PDs connected to other PoE interfaces
get an opportunity to seize power.
Configuration prerequisites
Enable PoE for PoE interfaces.
Configuration procedure
Follow these steps to configure PD power management:
Configuring a Power Alarm Threshold for the PSE
■ When the current power utilization of the PSE is above or below the alarm threshold
for the first time, the system sends a Trap message.
■ When the PSE starts or stops supplying power to a PD, the system sends a Trap
message, too.
Follow these steps to configure a power alarm threshold for the PSE:
Upgrading PSE Processing Software Online
You can upgrade the PSE processing software online in either of the following modes:
■ Refresh mode
Normally, you upgrade the PSE processing software in Refresh mode through the
command line.
■ Full mode
When an exception, such as an interruption (power failure) or error, occurs during the
upgrade in Refresh mode, you can upgrade the PSE processing software in Full mode.
When the PSE processing software is damaged (in this case, none of the PoE
commands can be executed successfully), you can upgrade the PSE processing software in Full
mode to restore the PSE function. An online PSE processing software upgrade may be
unexpectedly interrupted (for example, an error results in a device reboot). If you fail to
upgrade the PSE processing software in Full mode after the reboot, you can power off the
device and restart it before upgrading it again. After the upgrade, restart the device
manually to make the original PoE configurations take effect. The support for this
upgrade method depends on the device model.
Configuring a PD Disconnection Detection Mode
To detect whether a PD is connected to the PSE, PoE provides two detection modes: AC detection
and DC detection. The AC detection mode saves energy relative to the DC detection
mode.
If you adjust the PD disconnection detection mode when the device is running, the
connected PDs will be powered off. Therefore, be cautious when doing so.
Enabling the PSE to Detect Nonstandard PDs
There are standard PDs and nonstandard PDs. Usually, the PSE can detect only standard
PDs and supply power to them. The PSE can detect nonstandard PDs and supply power
to them only after the PSE is enabled to detect nonstandard PDs.
Displaying and Maintaining PoE
Table 425 Displaying and Maintaining PoE
All of the following display commands are available in any view.
■ Display the mapping between ID, module, and slot of all PSEs: display poe device
■ Display the power state and information of the specified PoE interface: display poe interface [ interface-type interface-number ]
■ Display the power information of a PoE interface(s): display poe interface power [ interface-type interface-number ]
■ Display the information of the PSE: display poe pse [ pse-id ]
■ Display the power state and information of PoE interfaces connected with the PSE: display poe interface [ interface-type interface-number ]
■ Display the power of all PoE interfaces connected with the PSE: display poe interface power [ interface-type interface-number ]
■ Display all information of the configurations and applications of the PoE configuration file: display poe-profile [ index index | name profile-name ]
■ Display all information of the configurations and applications of the PoE configuration file applied to the specified PoE interface: display poe-profile interface interface-type interface-number
Network diagram: an IP Phone on GigabitEthernet1/0/1 and an AP on GigabitEthernet1/0/5, connected to the network.
Configuration procedure
1 Enable PoE on GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/5, and
GigabitEthernet1/0/6.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe enable
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe enable
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe enable
[Sysname-GigabitEthernet1/0/5] quit
[Sysname] interface gigabitethernet 1/0/6
[Sysname-GigabitEthernet1/0/6] poe enable
2 Set the power priority level of GigabitEthernet1/0/2 to critical.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe priority critical
3 Set the maximum power of GigabitEthernet1/0/5 to 9,000 milliwatts.
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe max-power 9000
Analysis:
■ The guaranteed remaining power of the PSE is lower than the maximum power of the
PoE interface.
■ The priority of the PoE interface is already set.
Solution:
■ In the former case, you can solve the problem by increasing the maximum PSE power,
or by reducing the maximum power of the PoE interface when the guaranteed
remaining power of the PSE cannot be modified.
■ In the latter case, you should first remove the priority already configured.
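The PD power management policy from “Configuring PD Power Management” and the guaranteed-remaining-power failure analyzed above, replayed on the configuration example (GigabitEthernet1/0/2 critical, GigabitEthernet1/0/5 limited to 9000 mW) as an added Python example, not 3Com code. The PSE budget (30000 mW), the per-interface default maximum power (15400 mW), the default priority of low, and name-order service within one priority level are constructed assumptions, not device defaults.

```python
# Added example, not 3Com code: a model of the PD power management policy
# (critical/high/low priorities and power preemption) described in this chapter.
from dataclasses import dataclass, field
from typing import Dict, List

# Priority levels in descending order, as the page lists them.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PoeInterface:
    name: str
    max_power: int          # milliwatts, as set by 'poe max-power'
    enabled: bool = True    # 'poe enable'
    priority: str = "low"   # assumption: low until 'poe priority' is configured
    powered: bool = False   # whether the PSE currently supplies power to the PD


@dataclass
class Pse:
    max_power: int          # maximum PSE power in milliwatts (constructed value)
    interfaces: Dict[str, PoeInterface] = field(default_factory=dict)

    def add(self, iface: PoeInterface) -> None:
        self.interfaces[iface.name] = iface

    def guaranteed_remaining_power(self) -> int:
        """Maximum PSE power minus the power allocated to critical interfaces.
        As the page states, a critical interface counts whether or not PoE is
        enabled on it."""
        reserved = sum(i.max_power for i in self.interfaces.values()
                       if i.priority == "critical")
        return self.max_power - reserved

    def set_priority(self, name: str, priority: str) -> bool:
        """Apply 'poe priority <level>'. Returns False when raising the
        interface to critical fails for lack of guaranteed remaining power,
        the first case analyzed under Troubleshooting."""
        if priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {priority}")
        iface = self.interfaces[name]
        if priority == "critical" and iface.priority != "critical":
            if self.guaranteed_remaining_power() < iface.max_power:
                return False
        iface.priority = priority
        self.allocate()
        return True

    def set_max_power(self, name: str, max_power: int) -> None:
        """Apply 'poe max-power <mW>' and redistribute power."""
        self.interfaces[name].max_power = max_power
        self.allocate()

    def allocate(self) -> List[str]:
        """Redistribute PSE power by priority and return the names of the
        interfaces that end up powered. Critical interfaces are served first,
        then high, then low; an interface that loses power is powered off but
        keeps its configuration. Assumption: within one priority level the
        PSE serves interfaces in name order."""
        order = sorted(self.interfaces.values(),
                       key=lambda i: (PRIORITY_RANK[i.priority], i.name))
        budget = self.max_power
        powered: List[str] = []
        for iface in order:
            iface.powered = False
            if iface.priority == "critical":
                # reserved even when PoE is disabled on the interface
                budget -= iface.max_power
                iface.powered = iface.enabled and budget >= 0
            elif iface.enabled and iface.max_power <= budget:
                budget -= iface.max_power
                iface.powered = True
            if iface.powered:
                powered.append(iface.name)
        return powered


def build_page_pse(pse_max_power: int = 30000, default_max_power: int = 15400) -> Pse:
    """Replay the configuration example: PoE enabled on GigabitEthernet1/0/1,
    1/0/2, 1/0/5 and 1/0/6, 1/0/2 set to critical, 1/0/5 limited to 9000 mW.
    The PSE budget and the per-interface default are constructed values."""
    pse = Pse(pse_max_power)
    for port in ("1/0/1", "1/0/2", "1/0/5", "1/0/6"):
        pse.add(PoeInterface(f"GigabitEthernet{port}", default_max_power))
    pse.allocate()
    if not pse.set_priority("GigabitEthernet1/0/2", "critical"):
        raise RuntimeError("guaranteed remaining PSE power too low for critical")
    pse.set_max_power("GigabitEthernet1/0/5", 9000)
    return pse
```

After the replay, raising GigabitEthernet1/0/1 (15400 mW) to critical fails because only 14600 mW remains guaranteed, and lowering GigabitEthernet1/0/2 back to low lets 1/0/1 seize the power while 1/0/2 keeps its configuration.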
Analysis:
■ Some configurations in the PoE configuration file are already configured.
■ Some configurations in the PoE configuration file do not meet the configuration
requirements of the PoE interface.
■ Another PoE configuration file is already applied to the PoE interface.
Solution:
■ In case 1, you can solve the problem by removing the original configurations of those
configurations.
■ In case 2, you need to modify some configurations in the PoE configuration
file.
■ In case 3, you need to remove the application of the undesired PoE configuration file
to the PoE interface.
Symptom: Provided that parameters are valid, configuring an AC input under-voltage threshold
fails.
Analysis: The AC input under-voltage threshold is greater than or equal to the AC input
over-voltage threshold.
Solution: You can drop the AC input under-voltage threshold below the AC input over-voltage
threshold.