3Com® Switch 4500G Family Configuration Guide

4500G 24-Port (3CR17761-91)
4500G 48-Port (3CR17762-91)
4500G 24-Port PWR (3CR17771-91)
4500G 48-Port PWR (3CR17772-91)

www.3Com.com
Part Number: 10014900 Rev. AC
Published: February 2008


3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064

Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com and the 3Com logo are registered trademarks of 3Com Corporation.

Cisco is a registered trademark of Cisco Systems, Inc.

Funk RADIUS is a registered trademark of Funk Software, Inc.

Aegis is a registered trademark of Aegis Group PLC.

Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.

All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:

Establishing environmental performance standards that comply with national legislation and regulations.

Conserving energy, materials and natural resources in all operations.

Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards. Maximizing the recyclable and reusable content of all products.

Ensuring that all products can be recycled, reused and disposed of safely.

Ensuring that all products are labelled according to recognized environmental standards.

Improving our environmental record on a continual basis.

End of Life Statement

3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement

3Com products do not contain any hazardous or ozone-depleting material.

CONTENTS

ABOUT THIS GUIDE
    Organization of the Manual 15
    Intended Readership 16
    Conventions 16
    Related Documentation 17

1 LOGGING INTO AN ETHERNET SWITCH
    Logging into an Ethernet Switch 19
    Introduction to the User Interface 19

2 LOGGING IN THROUGH THE CONSOLE PORT
    Introduction 23
    Setting up the Connection to the Console Port 23
    Console Port Login Configuration 26
    Console Port Login Configuration with Authentication Mode Being None 28
    Console Port Login Configuration with Authentication Mode Being Password 31
    Console Port Login Configuration with Authentication Mode Being Scheme 34

3 LOGGING IN THROUGH TELNET
    Introduction 39
    Telnet Configuration with Authentication Mode Being None 41
    Telnet Configuration with Authentication Mode Being Password 44
    Telnet Configuration with Authentication Mode Being Scheme 47
    Telnet Connection Establishment 51

4 LOGGING IN USING MODEM
    Introduction 55
    Configuration on the Administrator Side 55
    Configuration on the Switch Side 55
    Modem Connection Establishment 56

5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM
    Introduction 59
    HTTP Connection Establishment 59
    Web Server Shutdown/Startup 61

6 LOGGING IN THROUGH NMS
    Introduction 63
    Connection Establishment Using NMS 63

7 CONTROLLING LOGIN USERS
    Introduction 65
    Controlling Telnet Users 65
    Controlling Network Management Users by Source IP Addresses 68
    Controlling Web Users by Source IP Address 70

8 BASIC SYSTEM CONFIGURATION AND MAINTENANCE
    Command Line Feature 73
    Basic System Configuration 80
    Displaying the System Status 85

9 SYSTEM MAINTENANCE AND DEBUGGING
    System Maintenance and Debugging Overview 87
    System Maintenance and Debugging Configuration 89
    System Maintenance Example 90

10 DEVICE MANAGEMENT
    Introduction to Device Management 91
    BootROM and Host Software Loading 91
    Device Management Configuration 104
    Displaying the Device Management Configuration 106
    Remote Switch Update Configuration Example 106

11 FILE SYSTEM MANAGEMENT
    File System Management 109
    Configuration File Management 111
    FTP Configuration 116
    TFTP Configuration 122

12 VLAN CONFIGURATION
    VLAN Overview 125
    Basic VLAN Configuration 126
    Basic VLAN Interface Configuration 127
    Port-Based VLAN Configuration 127
    Displaying VLAN Configuration 131
    VLAN Configuration Example 132

13 VOICE VLAN CONFIGURATION
    Voice VLAN Overview 133
    Voice VLAN Configuration 135
    Displaying and Maintaining Voice VLAN 137
    Voice VLAN Configuration Example 138

14 GVRP CONFIGURATION
    Introduction to GARP 141
    Configuring GVRP 144
    Displaying and Maintaining GVRP 145
    GVRP Configuration Example 145

15 ETHERNET INTERFACE CONFIGURATION
    General Ethernet Interface Configuration 151
    Maintaining and Displaying an Ethernet Interface 159

16 LINK AGGREGATION CONFIGURATION
    Link Aggregation Overview 161
    Approaches to Link Aggregation 163
    Configuring Link Aggregation 166
    Displaying and Maintaining Link Aggregation 168
    Link Aggregation Configuration Example 169

17 PORT ISOLATION CONFIGURATION
    Port Isolation Overview 171
    Port Isolation Configuration 171
    Displaying Port Isolation Configuration 171
    Port Isolation Configuration Example 172

18 MAC ADDRESS TABLE MANAGEMENT
    Introduction to Managing MAC Address Table 173
    Configuring the MAC Address Table 174
    Displaying and Maintaining the MAC Address Table 176
    MAC Address Table Management Configuration Example 176

19 MSTP CONFIGURATION
    MSTP Overview 179
    Configuring the Root Bridge 192
    Configuring Leaf Nodes 204
    Performing mCheck 208
    MSTP Configuration Example 212

20 IP ADDRESSING CONFIGURATION
    Configuring IP Addresses 219
    Displaying IP Addressing 220

21 IP PERFORMANCE CONFIGURATION
    Introduction to IP performance 221
    Configuring TCP attributes 221
    Configuring sending ICMP error packets 222
    Permitting Receiving and Forwarding of Directed Broadcast Packets 224
    Displaying and maintaining IP performance 226

22 IPV4 ROUTING OVERVIEW
    IP Routing and Routing Table 227
    Routing Protocol Overview 229
    Displaying and Maintaining a Routing Table 231

23 CONFIGURING IPV6
    IPv6 Overview 233
    Configuring Basic IPv6 Functions 242
    Configuring IPv6 NDP 243
    Configuring PMTU Discovery 246
    Configuring IPv6 TCP Properties 247
    Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time 248
    Configuring IPv6 DNS 248
    Displaying and Maintaining IPv6 249
    IPv6 Configuration Example 250

24 CONFIGURING IPV6 APPLICATIONS
    Introduction to IPv6 Application 255
    Ping IPv6 255
    Traceroute IPv6 255
    FTP Configuration 256
    TFTP Configuration 256
    IPv6 Telnet 257
    Examples of Typical IPv6 Application Configurations 258
    Troubleshooting IPv6 Application 260

25 STATIC ROUTING CONFIGURATION
    Introduction 263
    Configuring Static Route 264
    Displaying and Maintaining Static Routes 265
    Example of Static Routes Configuration 265

26 RIP CONFIGURATION
    RIP Overview 269
    RIP Basic Configuration 273
    RIP Route Control 275
    RIP Configuration Optimization 278
    Displaying and Maintaining RIP 280
    RIP Configuration Example 281
    Troubleshooting RIP Configuration 282

27 ROUTING POLICY CONFIGURATION
    Introduction to Routing Policy 285
    Defining Filtering Lists 287
    Configuring a Routing Policy 287
    Displaying and Maintaining the Routing Policy 290
    Routing Policy Configuration Example 290
    Troubleshooting Routing Policy Configuration 292

28 802.1X CONFIGURATION
    802.1x Overview 293
    Configuring 802.1x 302
    Configuring GuestVlan 304
    Displaying and Maintaining 802.1x 304
    802.1x Configuration Example 305
    Typical GuestVlan Configuration Example 307

29 HABP CONFIGURATION
    Introduction to HABP 311
    HABP Server Configuration 311
    HABP Client Configuration 312
    Displaying HABP 312

30 MAC AUTHENTICATION CONFIGURATION
    MAC Authentication Overview 313
    Configuring MAC Authentication 313
    Displaying and Maintaining MAC Authentication 314
    MAC Authentication Configuration Example 315

31 AAA, RADIUS, AND TACACS+ CONFIGURATION
    Overview 317
    Configuration Tasks 326
    AAA Configuration 328
    RADIUS Configuration 335
    TACACS+ Configuration 342
    Displaying and Maintaining AAA & RADIUS & TACACS+ Information 346
    AAA & RADIUS & TACACS+ Configuration Example 347
    Troubleshooting AAA & RADIUS & TACACS+ Configuration 353

32 IGMP SNOOPING CONFIGURATION
    IGMP Snooping Overview 355
    IGMP Snooping Configuration Tasks 358
    Configuring Basic Functions of IGMP Snooping 359
    Configuring Port Functions 361
    Configuring IGMP-Related Functions 364
    Configuring a Multicast Group Policy 367
    Displaying and Maintaining IGMP Snooping 370
    IGMP Snooping Configuration Examples 371
    Troubleshooting IGMP Snooping Configuration 374

33 MULTICAST VLAN CONFIGURATION
    Multicast VLAN 377

34 ARP CONFIGURATION
    ARP Overview 381
    Configuring ARP 382
    Configuring Gratuitous ARP 384
    Displaying and Maintaining ARP 385

35 PROXY ARP CONFIGURATION
    Proxy ARP Overview 387
    Enabling Proxy ARP 387
    Displaying and Maintaining Proxy ARP 388

36 DHCP OVERVIEW
    Introduction to DHCP 389
    DHCP Address Allocation 389
    DHCP Message Format 391
    Protocols and Standards 392

37 DHCP RELAY AGENT CONFIGURATION
    Introduction to DHCP Relay Agent 393
    Configuring the DHCP Relay Agent 394
    Displaying and Maintaining the DHCP Relay Agent Configuration 400
    DHCP Relay Agent Configuration Example 401
    Troubleshooting DHCP Relay Agent Configuration 402

38 DHCP CLIENT CONFIGURATION
    Introduction to DHCP Client 403
    Enabling the DHCP Client on an Interface 403
    Displaying the DHCP Client 404
    DHCP Client Configuration Example 404

39 DHCP SNOOPING CONFIGURATION
    DHCP Snooping Overview 405
    Configuring DHCP Snooping 406
    Displaying DHCP Snooping 406
    DHCP Snooping Configuration Example 406

40 BOOTP CLIENT CONFIGURATION
    Introduction to BOOTP Client 409
    Configuring an Interface to Dynamically Obtain an IP Address through BOOTP 410
    Displaying BOOTP Client Configuration 410

41 ACL OVERVIEW
    ACL Overview 411
    Time-Based ACL 411
    IPv4 ACL 411

42 IPV4 ACL CONFIGURATION
    Creating a Time Range 415
    Configuring a Basic IPv4 ACL 417
    Configuring an Advanced IPv4 ACL 418
    Configuring an Ethernet Frame Header ACL 420
    Displaying and Maintaining IPv4 ACLs 422
    IPv4 ACL Configuration Example 422

43 QOS OVERVIEW
    Introduction 425
    Traditional Packet Delivery Service 425
    New Requirements Brought forth by New Services 425
    Occurrence and Influence of Congestion and the Countermeasures 426
    Major Traffic Management Techniques 427
    LR Configuration 432

44 QOS POLICY CONFIGURATION
    Overview 435
    Configuring QoS Policy 435
    Introducing Each QoS Policy 436
    Configuring QoS Policy 436
    Displaying QoS Policy 441

45 CONGESTION MANAGEMENT
    Overview 443
    Congestion Management Policy 443
    Configuring SP Queue Scheduling 445
    Configuring WRR Queue Scheduling 446
    Configuring SP+WRR Queue Scheduling 447

46 PRIORITY MAPPING
    Overview 449
    Configuring Port Priority 450
    Displaying Priority Mapping Table 451

47 VLAN POLICY CONFIGURATION
    Overview 453
    Applying VLAN Policies 453
    Displaying and Maintaining VLAN Policy 454
    VLAN Policy Configuration Example 454

48 TRAFFIC MIRRORING CONFIGURATION
    Overview 455
    Configuring Traffic Mirroring to Port 455
    Displaying Traffic Mirroring Configuration 456
    Traffic Mirroring Configuration Example 456

49 PORT MIRRORING CONFIGURATION
    Introduction to Port Mirroring 459
    Configuring Local Port Mirroring 460
    Displaying Port Mirroring 460
    Examples of Typical Port Mirroring Configuration 461

50 GMP V2 CONFIGURATION
    Introduction to GMP V2 463
    GMP V2 Configuration Task Overview 468
    Management Device Configuration 469
    Configuring Member Devices 476
    Displaying and Maintaining a Cluster 477
    GMP V2 Configuration Example 478

51 SNMP CONFIGURATION
    SNMP Overview 481
    Configuring Basic SNMP Functions 483
    Trap Configuration 485
    Displaying and Maintaining SNMP 486
    SNMP Configuration Example 486

52 RMON CONFIGURATION
    RMON Overview 489
    Configuring RMON 492
    Displaying and Maintaining RMON 493
    RMON Configuration 493

53 NTP CONFIGURATION
    NTP Overview 495
    Configuring the Operation Modes of NTP 499
    Configuring Optional Parameters of NTP 502
    Configuring Access-Control Rights 503
    Configuring NTP Authentication 504
    Displaying and Maintaining NTP 506
    NTP Configuration Examples 506

54 DNS CONFIGURATION
    DNS Overview 519
    Configuring Static Domain Name Resolution 521
    Configuring Dynamic Domain Name Resolution 521
    Displaying and Maintaining DNS 522
    Troubleshooting DNS Configuration 522

55 INFORMATION CENTER
    Information Center Overview 523
    Configuring Information Center 524
    Displaying and Maintaining Information Center 530
    Information Center Configuration Example 531

56 NQA CONFIGURATION
    NQA Overview 537
    Configuring NQA Tests 538
    Configuring Optional Parameters for NQA Tests 555
    Displaying and Maintaining NQA 558

57 SSH TERMINAL SERVICE
    SSH Overview 559
    Configuring the SSH Server 562
    Configuring the SSH Client 567
    Configuring the Device as an SSH Client 572
    Displaying and Maintaining the SSH Protocol 573
    SSH Configuration Example 573
    SSH Client Configuration Example 576

58 SFTP SERVICE
    SFTP Overview 579
    Configuring the SFTP Server 579
    Configuring the SFTP Client 580
    SFTP Configuration Example 584

59 UDP HELPER CONFIGURATION
    Introduction to UDP Helper 587
    Configuring UDP Helper 588
    Displaying and Maintaining UDP Helper 588
    UDP Helper Configuration Example 589

60 SSL CONFIGURATION
    SSL Overview 591
    Configuring an SSL Server Policy 592
    Configuring an SSL Client Policy 594
    Displaying and Maintaining SSL 594
    Troubleshooting SSL Configuration 595

61 HTTPS SERVER CONFIGURATION
    HTTPS Server Overview 597
    Enabling the Functions of HTTPS Server 598
    Associating HTTPS Server with Certificate Access Control Policy 599
    Associating HTTPS Server with ACL 599
    Displaying and Maintaining HTTPS Server 599
    Configuration Examples for HTTPS Server 600

62 PKI CONFIGURATION
    Introduction to PKI 603
    Introduction to PKI Configuration Task 605
    Configuring PKI Certificate Request 605
    Configuring PKI Certificate Validation 612
    Configuring a Certificate Attribute Access Control Policy 613
    Displaying and Maintaining PKI 614
    Typical Configuration Examples 614
    Troubleshooting 617

63 POE CONFIGURATION
    PoE Overview 619
    PoE Configuration Tasks 620
    Configuring the PoE Interface 620
    Configuring PD Power Management 623
    Configuring a Power Alarm Threshold for the PSE 624
    Upgrading PSE Processing Software Online 624
    Configuring a PD Disconnection Detection Mode 625
    Enabling the PSE to Detect Nonstandard PDs 625
    Displaying and Maintaining PoE 626
    PoE Configuration Example 626
    Troubleshooting PoE 628


ABOUT THIS GUIDE

This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4500G Family.

The descriptions in this guide apply to the Switch 4500G.

Organization of the Manual

The Switch 4500G Family Configuration Guide consists of the following chapters:

■ Logging In—Provides information on the different ways to log into the switch.

■ Basic System Configuration and Maintenance Operation—Details the basic configuration and maintenance of a switch.

■ File System Management—Details how to manage storage devices.

■ VLAN Operation—Details VLAN, including Voice VLANS and GVRP configuration.

■ Port Correlation Configuration—Details Ethernet interface, link aggregation and port isolation configuration.

■ MAC Address Table Management—Details MAC address table configuration.

■ MSTP—Details multiple spanning tree protocol configuration.

■ IP Address and Performance Operation—Details how to assign IP addresses to interfaces and to adjust the parameters for the best IP performance.

■ IPV4 Routing Operation—Details IPV4 routing operation, static routing and policy configuration, and RIP configuration.

■ 802.1x HABP MAC Authorization Operation—Details HABP, 802.1x and MAC Authentication Configuration.

■ AAA & RADIUS—Details AAA and RADIUS configuration.

■ Multicast Protocol—Details multicast protocol configuration.

■ ARP—Details address resolution protocol table configuration.

■ DHCP—Details dynamic host configuration protocol.

■ ACL Configuration—Details ACL configuration.

■ QoS—Details quality of service configuration.

■ Port Mirroring—Details local and remote port mirroring configuration.

■ Clustering—Details clustering configuration.

■ SNMP—Details simple network management protocol configuration.

■ RMON—Details remote monitoring configuration.

■ NTP—Details network time protocol configuration.


■ DNS—Details domain name system configuration.

■ Information Center—Details information center configuration.

■ NQA—Details network quality analyzer configuration.

■ SSH—Details secure shell authentication.

■ UDP—Details UDP helper configuration.

■ SSL—Details secure socket layer configuration.

■ PKI—Details public key infrastructure configuration.

■ PoE—Details power over Ethernet configuration.

Intended Readership

The manual is intended for the following readers:

■ Network administrators

■ Network engineers

■ Users who are familiar with the basics of networking

Conventions

This manual uses the following conventions:

Table 1 Icons

Notice type         Description
Information note    Information that describes important features or instructions.
Caution             Information that alerts you to potential loss of data or potential damage to an application, system, or device.
Warning             Information that alerts you to potential personal injury.

Table 2 Text conventions

Screen displays
    This typeface represents text as it appears on the screen.

Keyboard key names
    If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del

The words “enter” and “type”
    When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”

Fixed command text
    This typeface indicates the fixed part of a command text. You must type the command, or this part of the command, exactly as shown, and press Return or Enter when you are ready to enter the command.
    Example: The command display history-command must be entered exactly as shown.

Variable command text
    This typeface indicates the variable part of a command text. You must type a value here, and press Return or Enter when you are ready to enter the command.
    Example: in the command super level, a value in the range 0 to 3 must be entered in the position indicated by level.

Table 2 Text conventions (Continued)

{ x | y | … }
    Alternative items, one of which must be entered, are grouped in braces and separated by vertical bars. You must select and enter one of the items.
    Example: in the command flow-control { hardware | none | software }, the braces and the vertical bars combined indicate that you must enter one of the parameters. Enter either hardware, or none, or software.

[ ]
    Items shown in square brackets [ ] are optional.
    Example 1: in the command display users [ all ], the square brackets indicate that the parameter all is optional. You can enter the command with or without this parameter.
    Example 2: in the command user-interface [ type ] first-number [ last-number ] the square brackets indicate that the parameters [ type ] and [ last-number ] are both optional. You can enter a value in place of one, both or neither of these parameters.

    Alternative items, one of which can optionally be entered, are grouped in square brackets and separated by vertical bars.
    Example 3: in the command header [ shell | incoming | login ] text, the square brackets indicate that the parameters shell, incoming and login are all optional. The vertical bars indicate that only one of the parameters is allowed.

Related Documentation

In addition to this guide, the Switch 4500G documentation set includes the following:

■ 3Com Switch 4500G Family Quick Reference Guide

  This guide contains:

  ■ a list of the features supported by the switch.

  ■ a summary of the command line interface commands for the switch. This guide is also available under the Help button on the web interface.

■ 3Com Switch 4500G Family Command Reference Guide

  This guide provides detailed information about the web interface and command line interface that enable you to manage the switch. It is supplied in PDF format on the CD-ROM that accompanies the switch.

■ 3Com Switch 4500G Family Getting Started Guide

  This guide provides preliminary information about hardware installation and communication interfaces.

■ Release notes

  These notes provide information about the current software release, including new features, modifications, and known problems. The release notes are supplied in hard copy with the switch.


1 LOGGING INTO AN ETHERNET SWITCH

Logging into an Ethernet Switch

You can log into a Switch 4500G Ethernet switch in one of the following ways:

■ Log in locally through the Console port

■ Telnet locally or remotely to an Ethernet port

■ Telnet to the Console port using a modem

■ Log into the Web-based network management system

■ Log in through NMS (network management station)

Introduction to the User Interface

Supported User Interfaces

The Switch 4500G Family Ethernet switches support two types of user interfaces: AUX and VTY.

Because the AUX port and the Console port of a 3Com Switch 4500G Family switch are the same physical port, you are placed in the AUX user interface when you log in through this port.

User Interface Number

Two kinds of user interface index exist: the absolute user interface index and the relative user interface index.

1 The absolute user interface indexes are as follows:

■ AUX user interface: 0

■ VTY user interfaces: numbered after the AUX user interface, increasing in steps of 1

2 A relative user interface index is obtained by appending a number to the identifier of a user interface type; it is generated per user interface type. The relative user interface indexes are as follows:

■ AUX user interface: AUX 0

■ VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.

Table 3 Description on user interface

User interface: AUX
    Applicable user: Users logging in through the Console port
    Port used: Console port
    Description: Each switch can accommodate one AUX user.

User interface: VTY
    Applicable user: Telnet users and SSH users
    Port used: Ethernet port
    Description: Each switch can accommodate up to five VTY users.


Common User Interface Configuration

Table 4 Common User Interface Configuration

Lock the current user interface
    Command: lock
    Remarks: Optional. Execute this command in user view. A user interface is not locked by default.

Send messages to all user interfaces or to a specified user interface
    Command: send { all | number | type number }
    Remarks: Optional. Execute this command in user view.

Disconnect a specified user interface
    Command: free user-interface [ type ] number
    Remarks: Optional. Execute this command in user view.

Enter system view
    Command: system-view
    Remarks: –

Set the banner
    Command: header { incoming | legal | login | shell | motd } text
    Remarks: Optional

Set a system name for the switch
    Command: sysname string
    Remarks: Optional

Enter user interface view
    Command: user-interface [ type ] first-number [ last-number ]

Define a shortcut key for aborting tasks
    Command: escape-key { default | character }
    Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

Set the history command buffer size
    Command: history-command max-size value
    Remarks: Optional. The default history command buffer size is 10; that is, a history command buffer can store up to 10 commands by default.

Set the timeout time for the user interface
    Command: idle-timeout minutes [ seconds ]
    Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Set the maximum number of lines the screen can contain
    Command: screen-length screen-length
    Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

Make terminal services available
    Command: shell
    Remarks: Optional. By default, terminal services are available in all user interfaces.

Set the display type of a terminal
    Command: terminal type { ansi | vt100 }
    Remarks: Optional. By default, the terminal display type is ANSI. The device must use the same type of display as the terminal. If the terminal uses VT 100, the device should also use VT 100.

Display the information about the current user interface/all user interfaces
    Command: display users [ all ]
    Remarks: You can execute this command in any view.

Display the physical attributes and configuration of the current/a specified user interface
    Command: display user-interface [ type number | number ] [ summary ]
    Remarks: You can execute this command in any view.

Display the information about the current web users
    Command: display web users
    Remarks: You can execute this command in any view.
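The user interface numbering rules and the idle-timeout remarks above can be checked mechanically against a saved configuration. The following Python audit is an added example, not 3Com's code; it assumes a configuration dump in which each user-interface line (relative form such as user-interface vty 0 4, or absolute form such as user-interface 1 5) opens a block whose indented settings apply to every interface in the range until the next # separator. It maps relative to absolute indexes, flags idle-timeout 0 (which the table notes disables the timeout) and timeouts longer than the 10-minute default, and reports screen-length 0.

```python
"""Audit user-interface settings in a saved Switch 4500G configuration dump."""
import re
from dataclasses import dataclass, field

# Defaults taken from Table 4 and Table 3 of the guide.
DEFAULT_IDLE_MINUTES = 10   # idle-timeout default; "idle-timeout 0" disables it
MAX_VTY_USERS = 5           # each switch accommodates up to five VTY users (VTY 0 to VTY 4)

# Assumed dump layout: "user-interface [ type ] first-number [ last-number ]"
# opens a block; the relative form names the type, the absolute form omits it.
UI_LINE = re.compile(r"^user-interface(?:\s+(aux|vty))?\s+(\d+)(?:\s+(\d+))?$", re.I)


@dataclass
class UserInterface:
    kind: str                                   # "aux" or "vty"
    number: int                                 # relative index, e.g. the 2 in "VTY 2"
    settings: dict = field(default_factory=dict)

    @property
    def absolute_index(self) -> int:
        # AUX 0 is absolute 0; VTY interfaces follow it in steps of 1 (VTY n -> n + 1).
        return self.number if self.kind == "aux" else self.number + 1

    @property
    def name(self) -> str:
        return f"{self.kind.upper()} {self.number}"


def _from_absolute(index: int) -> UserInterface:
    """Map an absolute index back to its relative AUX/VTY form."""
    return UserInterface("aux", 0) if index == 0 else UserInterface("vty", index - 1)


def parse_user_interfaces(config: str) -> list[UserInterface]:
    """Expand every user-interface block into one object per interface in its range."""
    interfaces: list[UserInterface] = []
    current: list[UserInterface] = []       # interfaces the following settings apply to
    for raw in config.splitlines():
        line = raw.strip()
        match = UI_LINE.match(line)
        if match:
            kind, first, last = match.group(1), int(match.group(2)), match.group(3)
            last = int(last) if last is not None else first
            if kind is None:                # absolute form
                current = [_from_absolute(n) for n in range(first, last + 1)]
            else:                           # relative form
                current = [UserInterface(kind.lower(), n) for n in range(first, last + 1)]
            interfaces.extend(current)
        elif not line or line.startswith("#"):
            current = []                    # a "#" separator or blank line closes the block
        elif current:
            key, _, value = line.partition(" ")
            for ui in current:              # a range line applies each setting to every member
                ui.settings[key.lower()] = value.strip()
    return interfaces


def audit(ui: UserInterface) -> list[str]:
    """Return findings for one user interface; an empty list means nothing to report."""
    findings: list[str] = []
    idle = ui.settings.get("idle-timeout")
    if idle is None:
        minutes, seconds = DEFAULT_IDLE_MINUTES, 0
    else:
        parts = idle.split()                # "idle-timeout minutes [ seconds ]"
        minutes = int(parts[0])
        seconds = int(parts[1]) if len(parts) > 1 else 0
    if minutes == 0 and seconds == 0:
        findings.append("idle-timeout 0: idle sessions are never terminated")
    elif minutes > DEFAULT_IDLE_MINUTES:
        findings.append(f"idle-timeout {minutes} exceeds the 10-minute default")
    if ui.settings.get("screen-length") == "0":
        findings.append("screen-length 0: paging disabled, output scrolls unbounded")
    if ui.kind == "vty" and ui.number >= MAX_VTY_USERS:
        findings.append(f"VTY {ui.number} is beyond the five VTY users the switch supports")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each relative interface name (e.g. 'VTY 3') to its findings."""
    return {ui.name: audit(ui) for ui in parse_user_interfaces(config)}


# Constructed sample dump (not captured from a real switch).
SAMPLE_CONFIG = """\
#
 sysname Switch4500G
#
user-interface aux 0
 idle-timeout 0
 history-command max-size 20
#
user-interface vty 0 4
 idle-timeout 5 0
 screen-length 0
#
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```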


2 LOGGING IN THROUGH THE CONSOLE PORT

Introduction

Logging in through the Console port is the most common way to log into a switch. It is also the prerequisite for configuring other login methods. By default, you can log into a Switch 4500G Family Ethernet switch through its Console port only.

To log into an Ethernet switch through its Console port, the related configuration of the user terminal must be in accordance with that of the Console port.

Table 5 lists the default settings of a Console port.

After logging into a switch, you can perform configuration for AUX users. Refer to “Console Port Login Configuration” for more.

Setting up the Connection to the Console Port

■ Connect the serial port of your PC/terminal to the Console port of the switch, as shown in Figure 1.

Figure 1 Diagram for setting the connection to the Console port

■ If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2 through Figure 4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 5.

Table 5 The default settings of a Console port

Setting         Default
Baud rate       19,200 bps
Flow control    Off
Check mode      No check bit
Stop bits       1
Data bits       8

[Figure 1 labels: RS-232 port on the PC or terminal, console (configuration) cable, Console port on the switch]


Figure 2 Create a connection

Figure 3 Specify the port used to establish the connection


Figure 4 Set port parameters terminal window

■ Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <4200G>) appears after the user presses the Enter key, as shown in Figure 5.

Figure 5 The terminal window

■ You can then configure the switch or check the information about the switch by executing commands. You can also get help by typing the ? character. Refer to the following chapters for information about the commands.


Console Port Login Configuration

Common Configuration

Table 6 lists the common configuration of Console port login.

CAUTION: Changing the Console port configuration terminates the connection to the Console port. To establish the connection again, you must modify the configuration of the terminal emulation utility running on your PC accordingly. Refer to “Setting up the Connection to the Console Port” for more information.

Table 6 Common configuration of Console port login

Console port configuration
    Baud rate: Optional. The default baud rate is 19200 bps.
    Check mode: Optional. By default, the check mode of the Console port is set to “none”, which means no check bit.
    Stop bits: Optional. The default stop bits of a Console port is 1.
    Data bits: Optional. The default data bits of a Console port is 8.

AUX user interface configuration
    Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.
    Configure the command level available to the users logging into the AUX user interface: Optional. By default, commands of level 3 are available to the users logging into the AUX user interface.

Terminal configuration
    Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
    Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
    Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
    Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.


Console Port Login Configurations for Different Authentication Modes

Table 7 lists Console port login configurations for different authentication modes.

Changes to the authentication mode of Console port login do not take effect until you exit and re-enter the CLI.

Table 7 Console port login configurations for different authentication modes

Authentication mode: Console port login configuration (Description)

None
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.

Password
■ Configure the password: Configure the password for local authentication. Required.
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.

Scheme
■ Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more.
■ Configure user name and password: Configure user names and passwords for local/remote users. Required. The user name and password of a local user are configured on the switch; the user name and password of a remote user are configured on the RADIUS server (refer to the user manual of the RADIUS server for more).
■ Manage AUX users: Set the service type for AUX users. Required.
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.


Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

Table 8 Configuration Procedure

Columns: To… / Use the command… / Remarks

Enter system view: system-view
Enter AUX user interface view: user-interface aux 0
Configure not to authenticate users: authentication-mode none. Required. By default, users logging in through the Console port are not authenticated.

Configure the Console port
■ Set the baud rate: speed speed-value. Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.
■ Set the check mode: parity { even | mark | none | odd | space }. Optional. By default, the check mode of a Console port is set to none, that is, no check bit.
■ Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional. The default stop bits of a Console port is 1.
■ Set the data bits: databits { 5 | 6 | 7 | 8 }. Optional. The default data bits of a Console port is 8.

Configure the command level available to users logging into the user interface: user privilege level level. Optional. By default, commands of level 3 are available to users logging into the AUX user interface.
Define a shortcut key for starting terminal sessions: activation-key character. Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks: escape-key { default | character }. Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available: shell. Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging into a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 9.

Table 9 Determine the command level (A)

Scenario: authentication mode None (authentication-mode none); users logging in through Console ports
■ The user privilege level level command not executed: Level 3
■ The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:

■ Do not authenticate users logging in through the Console port.

■ Commands of level 2 are available to users logging into the AUX user interface.

■ The baud rate of the Console port is 19,200 bps.

■ The screen can contain up to 30 lines.

■ The history command buffer can contain up to 20 commands.

■ The timeout time of the AUX user interface is 6 minutes.


Network diagram

Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being none)

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Enter AUX user interface view.

[3Com] user-interface aux 0

3 Specify not to authenticate users logging in through the Console port.

[3Com-ui-aux0] authentication-mode none

4 Specify that commands of level 2 are available to users logging into the AUX user interface.

[3Com-ui-aux0] user privilege level 2

5 Set the baud rate of the Console port to 19,200 bps.

[3Com-ui-aux0] speed 19200

6 Set the maximum number of lines the screen can contain to 30.

[3Com-ui-aux0] screen-length 30

7 Set the maximum number of commands the history command buffer can store to 20.

[3Com-ui-aux0] history-command max-size 20

8 Set the timeout time of the AUX user interface to 6 minutes.

[3Com-ui-aux0] idle-timeout 6

[Figure 6: the RS-232 port of the PC is connected through the console cable to the Console port of the switch]


Console Port Login Configuration with Authentication Mode Being Password

Configuration Procedure

Table 10 Configuration Procedure

Columns: To… / Use the command… / Remarks

Enter system view: system-view
Enter AUX user interface view: user-interface aux 0
Configure to authenticate users using the local password: authentication-mode password. Required. By default, users logging in through the Console port are not authenticated.
Set the local password: set authentication password { cipher | simple } password. Required.

Configure the Console port
■ Set the baud rate: speed speed-value. Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.
■ Set the check mode: parity { even | mark | none | odd | space }. Optional. By default, the check mode of a Console port is set to none, that is, no check bit.
■ Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional. The default stop bits of a Console port is 1.
■ Set the data bits: databits { 5 | 6 | 7 | 8 }. Optional. The default data bits of a Console port is 8.

Configure the command level available to users logging into the user interface: user privilege level level. Optional. By default, commands of level 3 are available to users logging into the AUX user interface.
Define a shortcut key for starting terminal sessions: activation-key character. Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks: escape-key { default | character }. Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available to the user interface: shell. Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging into a switch depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 11.

Table 11 Determine the command level (B)

Scenario: local authentication (authentication-mode password); users logging into the AUX user interface
■ The user privilege level level command not executed: Level 3
■ The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:

■ Authenticate users logging in through the Console port using the local password.

■ Set the local password to 123456 (in plain text).

■ The commands of level 2 are available to users logging into the AUX user interface.

■ The baud rate of the Console port is 19,200 bps.

■ The screen can contain up to 30 lines.

■ The history command buffer can store up to 20 commands.

■ The timeout time of the AUX user interface is 6 minutes.


Network diagram

Figure 7 Network diagram for AUX user interface configuration (with the authentication mode being password)

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Enter AUX user interface view.

[3Com] user-interface aux 0

3 Specify to authenticate users logging in through the Console port using the local password.

[3Com-ui-aux0] authentication-mode password

4 Set the local password to 123456 (in plain text).

[3Com-ui-aux0] set authentication password simple 123456

5 Specify that commands of level 2 are available to users logging into the AUX user interface.

[3Com-ui-aux0] user privilege level 2

6 Set the baud rate of the Console port to 19,200 bps.

[3Com-ui-aux0] speed 19200

7 Set the maximum number of lines the screen can contain to 30.

[3Com-ui-aux0] screen-length 30

8 Set the maximum number of commands the history command buffer can store to 20.

[3Com-ui-aux0] history-command max-size 20

9 Set the timeout time of the AUX user interface to 6 minutes.

[3Com-ui-aux0] idle-timeout 6

[Figure 7: the RS-232 port of the PC is connected through the console cable to the Console port of the switch]


Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 12 Configuration Procedure

Columns: To… / Use the command… / Remarks

Enter system view: system-view

Configure the authentication mode
■ Enter the default ISP domain view: domain domain-name. Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local users as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well: perform AAA & RADIUS configuration on the switch (refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more), and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).
■ Specify the AAA scheme to be applied to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
■ Quit to system view: quit

Create a local user (enter local user view): local-user user-name. Required. No local user exists by default.
Set the authentication password for the local user: password { simple | cipher } password. Required.
Specify the service type for AUX users: service-type terminal [ level level ]. Required.
Quit to system view: quit
Enter AUX user interface view: user-interface aux 0
Configure to authenticate users locally or remotely: authentication-mode scheme [ command-authorization ]. Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.

Configure the Console port
■ Set the baud rate: speed speed-value. Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.
■ Set the check mode: parity { even | mark | none | odd | space }. Optional. By default, the check mode of a Console port is set to none, that is, no check bit.
■ Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional. The default stop bits of a Console port is 1.
■ Set the data bits: databits { 5 | 6 | 7 | 8 }. Optional. The default data bits of a Console port is 8.

Configure the command level available to users logging into the user interface: user privilege level level. Optional. By default, commands of level 3 are available to users logging into the AUX user interface.
Define a shortcut key for starting terminal sessions: activation-key character. Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks: escape-key { default | character }. Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available to the user interface: shell. Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging into a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type terminal [ level level ] command, as listed in Table 13.

Table 13 Determine the command level

Scenario: authentication-mode scheme [ command-authorization ]; users who log in through the Console port and pass AAA/RADIUS or local authentication
■ The user privilege level level command is not executed, and the service-type terminal [ level level ] command does not specify the available command level: Level 0
■ The user privilege level level command is not executed, and the service-type terminal [ level level ] command specifies the available command level: Determined by the service-type terminal [ level level ] command
■ The user privilege level level command is executed, and the service-type terminal [ level level ] command does not specify the available command level: Level 0
■ The user privilege level level command is executed, and the service-type terminal [ level level ] command specifies the available command level: Determined by the service-type terminal [ level level ] command

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:

■ Configure the name of the local user to be “guest”.

■ Set the authentication password of the local user to 123456 (in plain text).

■ Set the service type of the local user to Terminal.

■ Configure to authenticate users logging in through the Console port in the scheme mode.

■ The commands of level 2 are available to users logging into the AUX user interface.

■ The baud rate of the Console port is 19,200 bps.

■ The screen can contain up to 30 lines.

■ The history command buffer can store up to 20 commands.

■ The timeout time of the AUX user interface is 6 minutes.


Network diagram

Figure 8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Create a local user named guest and enter local user view.

[3Com] local-user guest

3 Set the authentication password to 123456 (in plain text).

[3Com-luser-guest] password simple 123456

4 Set the service type to Terminal and specify that commands of level 2 are available to users logging into the AUX user interface, then return to system view.

[3Com-luser-guest] service-type terminal level 2
[3Com-luser-guest] quit

5 Enter AUX user interface view.

[3Com] user-interface aux 0

6 Configure to authenticate users logging in through the Console port in the scheme mode.

[3Com-ui-aux0] authentication-mode scheme

7 Set the baud rate of the Console port to 19,200 bps.

[3Com-ui-aux0] speed 19200

8 Set the maximum number of lines the screen can contain to 30.

[3Com-ui-aux0] screen-length 30

9 Set the maximum number of commands the history command buffer can store to 20.

[3Com-ui-aux0] history-command max-size 20

10 Set the timeout time of the AUX user interface to 6 minutes.

[3Com-ui-aux0] idle-timeout 6

[Figure 8: the RS-232 port of the PC is connected through the console cable to the Console port of the switch]


3 LOGGING IN THROUGH TELNET

Introduction

You can telnet to a remote switch to manage and maintain it. To achieve this, you need to configure both the switch and the Telnet terminal properly.

Common Configuration

Table 14 lists the requirements for telnetting to a switch, and Table 15 lists the common Telnet configuration.

Table 14 Requirements for Telnet to a switch

Item: Requirement
Switch: The management VLAN of the switch is created and the route between the switch and the Telnet terminal is available (refer to the VLAN module for more). The authentication mode and other settings are configured; refer to Table 15 and Table 16.
Telnet terminal: Telnet is running, and the IP address of the management VLAN of the switch is available.

Table 15 Common Telnet configuration

Configuration: Description

VTY user interface configuration
■ Configure the command level available to users logging into the VTY user interface: Optional. By default, commands of level 0 are available to users logging into a VTY user interface.
■ Configure the protocols the user interface supports: Optional. By default, the Telnet and SSH protocols are supported.
■ Set the command that is automatically executed when a user logs into the user interface: Optional. By default, no command is automatically executed when a user logs into a user interface.

VTY terminal configuration
■ Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
■ Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
■ Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
■ Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
■ Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.


CAUTION:

■ The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution.

■ Before executing the auto-execute command command and saving your configuration, make sure you can log into the switch in another way and cancel the configuration.

Telnet Configurations for Different Authentication Modes

Table 16 lists Telnet configurations for different authentication modes.

Table 16 Telnet configurations for different authentication modes

Authentication mode: Telnet configuration (Description)

None
■ Perform common configuration: Perform common Telnet configuration. Optional. Refer to Table 15.

Password
■ Configure the password: Configure the password for local authentication. Required.
■ Perform common configuration: Perform common Telnet configuration. Optional. Refer to Table 15.

Scheme
■ Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more information.
■ Configure user name and password: Configure user names and passwords for local/remote users. Required. The user name and password of a local user are configured on the switch; the user name and password of a remote user are configured on the RADIUS server (refer to the user manual of the RADIUS server for more).
■ Manage VTY users: Set the service type for VTY users. Required.
■ Perform common configuration: Perform common Telnet configuration. Optional. Refer to Table 15.


Telnet Configuration with Authentication Mode Being None

Configuration Procedure

Table 17 Configuration Procedure

Columns: To… / Use the command… / Remarks

Enter system view: system-view
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
Configure not to authenticate users logging into VTY user interfaces: authentication-mode none. Required. By default, VTY users are authenticated after logging in.
Configure the command level available to users logging into the VTY user interface: user privilege level level. Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.
Configure the protocols to be supported by the VTY user interface: protocol inbound { all | ssh | telnet }. Optional. By default, both the Telnet protocol and the SSH protocol are supported.
Set the command that is automatically executed when a user logs into the user interface: auto-execute command text. Optional. By default, no command is automatically executed when a user logs into a user interface.
Define a shortcut key for aborting tasks: escape-key { default | character }. Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available: shell. Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the VTY user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure not to authenticate the users, the command level available to users logging into a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 18.

Table 18 Determine the command level when users logging into switches are not authenticated

Scenario: authentication mode None (authentication-mode none); VTY users
■ The user privilege level level command not executed: Level 0
■ The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:

■ Do not authenticate users logging into VTY 0.

■ Commands of level 2 are available to users logging into VTY 0.

■ Telnet protocol is supported.

■ The screen can contain up to 30 lines.

■ The history command buffer can contain up to 20 commands.

■ The timeout time of VTY 0 is 6 minutes.


Network diagram

Figure 9 Network diagram for Telnet configuration (with the authentication mode being none)

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Enter VTY 0 user interface view.

[3Com] user-interface vty 0

3 Configure not to authenticate Telnet users logging into VTY 0.

[3Com-ui-vty0] authentication-mode none

4 Specify that commands of level 2 are available to users logging into VTY 0.

[3Com-ui-vty0] user privilege level 2

5 Configure VTY 0 to support the Telnet protocol.

[3Com-ui-vty0] protocol inbound telnet

6 Set the maximum number of lines the screen can contain to 30.

[3Com-ui-vty0] screen-length 30

7 Set the maximum number of commands the history command buffer can store to 20.

[3Com-ui-vty0] history-command max-size 20

8 Set the timeout time to 6 minutes.

[3Com-ui-vty0] idle-timeout 6

[Figure 9: a user PC running Telnet is connected over Ethernet to port GigabitEthernet1/0/1 of the switch]


Telnet Configuration with Authentication Mode Being Password

Configuration Procedure

Table 19 Configuration Procedure

Columns: To… / Use the command… / Remarks

Enter system view: system-view
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
Configure to authenticate users logging into VTY user interfaces using the local password: authentication-mode password. Required.
Set the local password: set authentication password { cipher | simple } password. Required.
Configure the command level available to users logging into the user interface: user privilege level level. Optional. By default, commands of level 0 are available to users logging into a VTY user interface.
Configure the protocol to be supported by the user interface: protocol inbound { all | ssh | telnet }. Optional. By default, both the Telnet protocol and the SSH protocol are supported.
Set the command that is automatically executed when a user logs into the user interface: auto-execute command text. Optional. By default, no command is automatically executed when a user logs into a user interface.
Define a shortcut key for aborting tasks: escape-key { default | character }. Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available: shell. Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the password mode, the command level available to users logging into a switch depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 20.

Table 20 Determine the command level when users logging into switches are authenticated in the password mode

Scenario: authentication mode Password (authentication-mode password); VTY users
■ The user privilege level level command not executed: Level 0
■ The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:

■ Authenticate users logging into VTY 0 using the local password.

■ Set the local password to 123456 (in plain text).

■ Commands of level 2 are available to users logging into VTY 0.

■ Telnet protocol is supported.

■ The screen can contain up to 30 lines.

■ The history command buffer can contain up to 20 commands.

■ The timeout time of VTY 0 is 6 minutes.


46 CHAPTER 3: LOGGING IN THROUGH TELNET

Network diagram

Figure 10 Network diagram for Telnet configuration (with the authentication mode being password)

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Enter VTY 0 user interface view.

[3Com] user-interface vty 0

3 Configure to authenticate users logging into VTY 0 using the local password.

[3Com-ui-vty0] authentication-mode password

4 Set the local password to 123456 (in plain text).

[3Com-ui-vty0] set authentication password simple 123456

5 Make commands of level 2 available to users logging into VTY 0.

[3Com-ui-vty0] user privilege level 2

6 Configure VTY 0 to support the Telnet protocol.

[3Com-ui-vty0] protocol inbound telnet

7 Set the maximum number of lines the screen can contain to 30.

[3Com-ui-vty0] screen-length 30

8 Set the maximum number of commands the history command buffer can store to 20.

[3Com-ui-vty0] history-command max-size 20

9 Set the timeout time to 6 minutes.

[3Com-ui-vty0] idle-timeout 6


Telnet Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 21 Configuration Procedure

Enter system view
  Command: system-view
  Remarks: –

Configure the authentication scheme: enter the default ISP domain view
  Command: domain domain-name
  Remarks: Optional. By default, the local AAA scheme is applied. If you apply the local AAA scheme, you also need to perform the local user configuration below. If you apply an existing scheme by providing the radius-scheme-name argument, you also need to perform AAA and RADIUS configuration on the switch (refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more information) and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).

Configure the AAA scheme to be applied to the domain
  Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

Quit to system view
  Command: quit

Create a local user and enter local user view
  Command: local-user user-name
  Remarks: The admin, manager, and monitor users exist by default.

Set the authentication password for the local user
  Command: password { simple | cipher } password
  Remarks: Required

Specify the service type for VTY users
  Command: service-type telnet [ level level ]
  Remarks: Required

Quit to system view
  Command: quit
  Remarks: –

Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]

Configure to authenticate users locally or remotely
  Command: authentication-mode scheme
  Remarks: Required. The specified AAA scheme determines whether users are authenticated locally or remotely. Users are authenticated locally by default.

Configure the command level available to users logging into the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging into the VTY user interfaces.

Configure the supported protocol
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. Both the Telnet protocol and the SSH protocol are supported by default.

Set the command that is automatically executed when a user logs into the user interface
  Command: auto-execute command text
  Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is <Ctrl+C>.

Make terminal services available
  Command: shell
  Remarks: Optional. Terminal services are available in all user interfaces by default.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable displaying information in pages.

Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.

Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure users to be authenticated in the scheme mode, the command level available to users logging into a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in Table 22.


Refer to the corresponding chapters in this guide for information about AAA, RADIUS, TACACS+, and SSH.

Table 22 Determine the command level when users logging into switches are authenticated in the scheme mode

Authentication mode: Scheme (authentication-mode scheme [ command-authorization ])

User type: VTY users that are AAA&RADIUS authenticated or locally authenticated

Command | Command level
The user privilege level level command is not executed, and the service-type command does not specify the available command level. | Level 0
The user privilege level level command is not executed, and the service-type command specifies the available command level. | Determined by the service-type command
The user privilege level level command is executed, and the service-type command does not specify the available command level. | Level 0
The user privilege level level command is executed, and the service-type command specifies the available command level. | Determined by the service-type command

User type: VTY users that are authenticated in the RSA mode of SSH

Command | Command level
The user privilege level level command is not executed, and the service-type command does not specify the available command level. | Level 0
The user privilege level level command is not executed, and the service-type command specifies the available command level. | Level 0
The user privilege level level command is executed, and the service-type command does not specify the available command level. | Determined by the user privilege level level command
The user privilege level level command is executed, and the service-type command specifies the available command level. | Determined by the user privilege level level command

User type: VTY users that are authenticated in the password mode of SSH

Command | Command level
The user privilege level level command is not executed, and the service-type command does not specify the available command level. | Level 0
The user privilege level level command is not executed, and the service-type command specifies the available command level. | Determined by the service-type command
The user privilege level level command is executed, and the service-type command does not specify the available command level. | Level 0
The user privilege level level command is executed, and the service-type command specifies the available command level. | Determined by the service-type command


Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:

■ Configure the name of the local user to be “guest”.

■ Set the authentication password of the local user to 123456 (in plain text).

■ Set the service type of VTY users to Telnet.

■ Configure to authenticate users logging into VTY 0 in scheme mode.

■ The commands of level 2 are available to users logging into VTY 0.

■ Telnet protocol is supported in VTY 0.

■ The screen can contain up to 30 lines.

■ The history command buffer can store up to 20 commands.

■ The timeout time of VTY 0 is 6 minutes.

Network diagram

Figure 11 Network diagram for Telnet configuration (with the authentication mode being scheme)

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Create a local user named “guest” and enter local user view.

[3Com] local-user guest

3 Set the authentication password of the local user to 123456 (in plain text).

[3Com-luser-guest] password simple 123456

4 Set the service type to Telnet and make commands of level 2 available to users logging into VTY 0.

[3Com-luser-guest] service-type telnet level 2

5 Enter VTY 0 user interface view.

[3Com] user-interface vty 0

6 Configure to authenticate users logging into VTY 0 in the scheme mode.

[3Com-ui-vty0] authentication-mode scheme


7 Configure VTY 0 to support the Telnet protocol.

[3Com-ui-vty0] protocol inbound telnet

8 Set the maximum number of lines the screen can contain to 30.

[3Com-ui-vty0] screen-length 30

9 Set the maximum number of commands the history command buffer can store to 20.

[3Com-ui-vty0] history-command max-size 20

10 Set the timeout time to 6 minutes.

[3Com-ui-vty0] idle-timeout 6

Telnet Connection Establishment

Telneting to a Switch from a Terminal

In order to Telnet to the switch, you need to configure an IP address on a VLAN interface. Use the following procedure to establish a Telnet connection to a switch through the management VLAN:

1 Log into the switch through the Console port and assign an IP address to the management VLAN interface of the switch.

■ Connect to the Console port. Refer to the chapter “Setting up the Connection to the Console Port”.

■ Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch.

<3Com> system

a Enter management VLAN interface view.

[3Com] interface Vlan-interface 1

b Remove the existing IP address of the management VLAN interface.

[3Com-Vlan-interface1] undo ip address

c Configure the IP address of the management VLAN interface to be 202.38.160.92.

[3Com-Vlan-interface1] ip address 202.38.160.92 255.255.255.0

2 Configure the user name and password for Telnet on the switch. See the sections entitled “Telnet Configuration with Authentication Mode Being None”,“Telnet Configuration with Authentication Mode Being Password”, and “Telnet Configuration with Authentication Mode Being Scheme” for additional information.

3 Connect your PC to the Switch, as shown in Figure 12. Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switch and the route between your PC and the switch is available.


Figure 12 Network diagram for Telnet connection establishment

4 Launch Telnet on your PC, with the IP address of the management VLAN interface of the switch as the parameter, as shown in the following figure.

Figure 13 Launch Telnet

5 Enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt (such as <3Com>) appears if the password is correct. If all VTY user interfaces of the switch are in use, the connection fails and you receive the message “All user interfaces are used, please try later!”. A 3Com Switch 4500G Family Ethernet switch can accommodate up to five Telnet connections at the same time.

6 After successfully Telneting to a switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands.

■ A Telnet connection will be terminated if you delete or modify the IP address of the VLAN interface in the Telnet session.

■ By default, commands of level 0 are available to Telnet users authenticated by password. Refer to the Basic System Configuration and Maintenance module for information about command hierarchy.


Telneting to Another Switch from the Current Switch

You can Telnet to another switch from the current switch. In this case, the current switch operates as the client and the other switch operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.

As shown in Figure 14, after Telneting to a switch (labeled Telnet client), you can Telnet to another switch (labeled Telnet server) by executing the telnet command, and then configure the latter.

Figure 14 Network diagram for Telneting to another switch from the current switch

1 Configure the user name and password for Telnet on the switch operating as the Telnet server. Refer to the sections entitled “Telnet Configuration with Authentication Mode Being None”, “Telnet Configuration with Authentication Mode Being Password”, and “Telnet Configuration with Authentication Mode Being Scheme” for more information.

2 Telnet to the switch operating as the Telnet client.

3 Execute the following command on the switch operating as the Telnet client:

<3Com> telnet xxxx

Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.

4 Enter the password. If the password is correct, the CLI prompt (such as <3Com>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.

5 After successfully Telneting to the switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands.


4 LOGGING IN USING MODEM

Introduction

The administrator can log into the Console port of a remote switch through the PSTN (public switched telephone network) using a modem, provided the remote switch is connected to the PSTN through a modem, and so configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure them, query logs and warning messages, and locate problems.

To log into a switch in this way, you need to configure the terminal and the switch properly, as listed in the following table.

Configuration on the Administrator Side

The PC can communicate with the modem connected to it, the modem is properly connected to the PSTN, and the telephone number of the switch side is available.

Configuration on the Switch Side

Modem Configuration

Perform the following configuration on the modem directly connected to the switch:

AT&F       Restore the factory settings
ATS0=1     Answer automatically after the first ring
AT&D       Ignore the DTR signal
AT&K0      Disable flow control
AT&R1      Ignore the RTS signal
AT&S0      Force DSR to high level
ATEQ1&W    Disable the modem from returning command responses and results, and save the changes

Table 23 Requirements for logging into a switch using a modem

Item | Requirement
Administrator side | The PC can communicate with the modem connected to it.
Administrator side | The modem is properly connected to the PSTN.
Administrator side | The telephone number of the switch side is available.
Switch side | The modem is properly connected to the Console port of the switch.
Switch side | The modem is properly configured.
Switch side | The modem is properly connected to the PSTN and a telephone set.
Switch side | The authentication mode and other related settings are configured on the switch. Refer to Table 7.


You can verify your configuration by executing the AT&V command.

The above configuration is not needed for the modem on the administrator side.

The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.

Switch Configuration

After logging into a switch through its Console port by using a modem, you enter the AUX user interface. The configuration on the switch is the same as for logging into the switch locally through its Console port, except that:

■ When you log in through the Console port using a modem, the baud rate of the Console port is usually set to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.

■ Other settings of the Console port, such as the check mode, the stop bits, and the data bits, remain the default.

The configuration on the switch depends on the authentication mode the user is in. Refer to Table 7 for information about authentication mode configuration.

Configuration on the switch when the authentication mode is none: refer to “Console Port Login Configuration with Authentication Mode Being None”.

Configuration on the switch when the authentication mode is password: refer to “Console Port Login Configuration with Authentication Mode Being Password”.

Configuration on the switch when the authentication mode is scheme: refer to “Console Port Login Configuration with Authentication Mode Being Scheme”.

Modem Connection Establishment

1 Configure the user name and password on the switch. Refer to “Console Port Login Configuration with Authentication Mode Being None”, “Console Port Login Configuration with Authentication Mode Being Password”, and “Console Port Login Configuration with Authentication Mode Being Scheme” for more information.

2 Perform the following configuration on the modem directly connected to the switch.

AT&F       Restore the factory settings
ATS0=1     Answer automatically after the first ring
AT&D       Ignore the DTR signal
AT&K0      Disable flow control
AT&R1      Ignore the RTS signal
AT&S0      Force DSR to high level
ATEQ1&W    Disable the modem from returning command responses and results, and save the changes

You can verify your configuration by executing the AT&V command.


■ The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.

■ Set the baud rate of the AUX port (also the Console port) to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.

3 Connect your PC, the modems, and the switch, as shown in the following figure.

Figure 15 Establish the connection by using modems

4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 16 and Figure 17. Note that you need to set the telephone number to that of the modem directly connected to the switch.

Figure 16 Set the telephone number


Figure 17 Call the modem

5 Provide the password when prompted. If the password is correct, the prompt (such as <3Com>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the following chapters for information about the configuration commands.

If you perform no AUX user-related configuration on the switch, the commands of level 3 are available to modem users. Refer to the Basic System Configuration and Maintenance module for information about command level.


5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM

Introduction

A Switch 4500G Series switch has a Web server built in. You can log into a Switch 4500G Series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.

To log into a Switch 4500G through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.

HTTP Connection Establishment

1 Log into the switch through the Console port and assign an IP address to the management VLAN interface of the switch.

■ Connect to the Console port. Refer to “Setting up the Connection to the Console Port”.

■ Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch.

<3Com> system

a Enter management VLAN interface view.

[3Com] interface Vlan-interface 1

b Remove the existing IP address of the management VLAN interface.

[3Com-Vlan-interface1] undo ip address

c Configure the IP address of the management VLAN interface to be 10.153.17.82.

[3Com-Vlan-interface1] ip address 10.153.17.82 255.255.255.0

Table 24 Requirements for logging into a switch through the Web-based network management system

Item | Requirement
Switch | The management VLAN of the switch is configured, and the route between the switch and the network management terminal is available. (Refer to the VLAN module for more.)
Switch | The user name and password for logging into the Web-based network management system are configured.
PC operating as the network management terminal | IE is available.
PC operating as the network management terminal | The IP address of the management VLAN interface of the switch is available.


2 Configure the user name and the password for the Web-based network management system.

a Configure the user name to be admin.

[3Com] local-user admin

b Set the user level to level 3.

[3Com-luser-admin] service-type telnet level 3

c Set the password to admin.

[3Com-luser-admin] password simple admin

3 Establish an HTTP connection between your PC and the switch, as shown in the following figure.

Figure 18 Establish an HTTP connection between your PC and the switch

4 Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.)

5 When the login interface (shown in Figure 19) appears, enter the user name and the password configured in step 2 and click <Login> to bring up the main page of the Web-based network management system.

Figure 19 The login page of the Web-based network management system


Web Server Shutdown/Startup

You can shut down or start up the Web server.

The Web server is started by default.

Table 25 Web Server Shutdown/Startup

Shut down the Web server
  Command: ip http enable
  Remarks: Required. Execute this command in system view.

Start the Web server
  Command: undo ip http enable
  Remarks: Required. Execute this command in system view.


6 LOGGING IN THROUGH NMS

Introduction

You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.

■ The agent here refers to the software running on network devices (switches) and acting as the server.

■ SNMP (simple network management protocol) is applied between the NMS and the agent.

To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch.

Connection Establishment Using NMS

Figure 20 Network diagram for logging in through an NMS

Table 26 Requirements for logging into a switch through an NMS

Item | Requirement
Switch | The management VLAN of the switch is configured, and the route between the NMS and the switch is available. (Refer to the VLAN module for more.)
Switch | The basic SNMP functions are configured. (Refer to the SNMP-RMON module for more.)
NMS | The NMS is properly configured. (Refer to the user manual of your NMS for more.)


7 CONTROLLING LOGIN USERS

Introduction

A switch provides ways to control different types of login users, as listed in Table 27.

Controlling Telnet Users

Prerequisites

The controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and the controlling actions (permitting or denying).

Table 27 Ways to control different types of login users

Login mode | Control method | Implementation | Related section
Telnet | By source IP addresses | Through basic ACLs | Controlling Telnet Users by Source IP Addresses
Telnet | By source and destination IP addresses | Through advanced ACLs | Controlling Telnet Users by Source and Destination IP Addresses
Telnet | By source MAC addresses | Through Layer 2 ACLs | Controlling Telnet Users by Source MAC Addresses
SNMP | By source IP addresses | Through basic ACLs | Controlling Network Management Users by Source IP Addresses
WEB | By source IP addresses | Through basic ACLs | Controlling Web Users by Source IP Addresses
WEB | Disconnect Web users by force | By executing commands in CLI | Disconnecting a Web User by Force

Controlling Telnet Users by Source IP Addresses

Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Controlling Telnet Users by Source and Destination IP Addresses

Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to the ACL module for information about defining an ACL.

Table 28 Controlling Telnet Users by Source IP Addresses

Enter system view
  Command: system-view
  Remarks: —

Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: As for the acl number command, the config keyword is specified by default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required

Quit to system view
  Command: quit
  Remarks: —

Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]

Apply the ACL to control Telnet users by source IP addresses
  Command: acl acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current switch. The outbound keyword filters users trying to Telnet to other switches from the current switch.

Table 29 Controlling Telnet Users by Source and Destination IP Addresses

Enter system view
  Command: system-view
  Remarks: —

Create an advanced ACL or enter advanced ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: As for the acl number command, the config keyword is specified by default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source and destination IP addresses.

Quit to system view
  Command: quit
  Remarks: —

Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]

Apply the ACL to control Telnet users by specified source and destination IP addresses
  Command: acl acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current switch. The outbound keyword filters users trying to Telnet to other switches from the current switch.

Controlling Telnet Users by Source MAC Addresses

Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Refer to the ACL module for information about defining an ACL.

Configuration Example

Network requirements

Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log into the switch.

Network diagram

Figure 21 Network diagram for controlling Telnet users using ACLs

Configuration procedure

1 Define a basic ACL.

<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit

2 Apply the ACL.

[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] acl 2000 inbound
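An added example, not code from the 3Com guide: a small Python auditor that parses the CLI lines used in this chapter (the ACL example just above and the VTY authentication settings from the earlier Telnet examples), evaluates the basic ACL against a candidate source address using Comware wildcard-mask semantics in match-order config, and flags weak login settings on each VTY line. The parser, the class and function names, the constructed sample configuration and the assumption that a source matching no rule is permitted (the reason the example closes the ACL with deny source any) are mine, not the switch's.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")  # strips "<3Com> " / "[3Com-ui-vty0-4] "

def _addr_int(text: str) -> int:
    """Accept dotted quads and the bare '0' the guide uses as an exact-host wildcard."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))

@dataclass
class AclRule:
    action: str     # "permit" or "deny"
    source: str     # "any" or a dotted address
    wildcard: str   # Comware wildcard mask: a 1 bit means "do not care"
    def matches(self, ip: str) -> bool:
        if self.source == "any":
            return True
        care = ~_addr_int(self.wildcard) & 0xFFFFFFFF
        return (_addr_int(ip) & care) == (_addr_int(self.source) & care)

@dataclass
class Vty:
    auth_mode: str = "none"            # the guide's VTY default until configured
    plaintext_password: bool = False
    inbound_acl: Optional[int] = None
    protocol: str = "all"              # Telnet and SSH both accepted by default

@dataclass
class SwitchConfig:
    acls: Dict[int, List[AclRule]] = field(default_factory=dict)  # rules in config order
    vtys: Dict[int, Vty] = field(default_factory=dict)

def _set(vtys: List[Vty], attr: str, value) -> None:
    for v in vtys:  # a setting entered in "user-interface vty 0 4" view applies to all five lines
        setattr(v, attr, value)

def parse_config(text: str) -> SwitchConfig:
    """Build a SwitchConfig from CLI lines written the way this chapter shows them."""
    cfg, cur_acl, cur_vtys = SwitchConfig(), None, []
    for tok in filter(None, (PROMPT.sub("", line).split() for line in text.splitlines())):
        if tok[:2] == ["acl", "number"]:
            cur_acl, cur_vtys = int(tok[2]), []
            cfg.acls.setdefault(cur_acl, [])
        elif tok[0] == "rule" and cur_acl is not None:
            # rule <id> { permit | deny } [ source { <addr> <wildcard> | any } ]
            src = tok[tok.index("source") + 1] if "source" in tok else "any"
            wc = tok[tok.index("source") + 2] if src != "any" else "0"
            cfg.acls[cur_acl].append(AclRule(tok[2], src, wc))
        elif tok[:2] == ["user-interface", "vty"]:
            first, last = int(tok[2]), int(tok[-1])   # "vty 0" or "vty 0 4"
            cur_acl, cur_vtys = None, [cfg.vtys.setdefault(n, Vty()) for n in range(first, last + 1)]
        elif tok[0] == "quit":
            cur_acl, cur_vtys = None, []
        elif tok[0] == "authentication-mode":
            _set(cur_vtys, "auth_mode", tok[1])
        elif tok[:3] == ["set", "authentication", "password"]:
            _set(cur_vtys, "plaintext_password", tok[3] == "simple")
        elif tok[0] == "acl" and tok[-1] == "inbound":
            _set(cur_vtys, "inbound_acl", int(tok[1]))
        elif tok[:2] == ["protocol", "inbound"]:
            _set(cur_vtys, "protocol", tok[2])
    return cfg

def telnet_allowed(cfg: SwitchConfig, vty: int, src_ip: str) -> bool:
    """First matching rule wins (match-order config); an unmatched source is assumed permitted."""
    line = cfg.vtys[vty]
    if line.inbound_acl is None:
        return True
    for rule in cfg.acls.get(line.inbound_acl, []):
        if rule.matches(src_ip):
            return rule.action == "permit"
    return True

def audit(cfg: SwitchConfig) -> List[str]:
    """Flag VTY lines whose settings leave the login prompt weakly protected."""
    findings = []
    for n, v in sorted(cfg.vtys.items()):
        checks = [
            (v.auth_mode == "none", "authentication-mode none, no login authentication"),
            (v.plaintext_password, "password set with 'simple', stored in plain text"),
            (v.inbound_acl is None, "no inbound ACL, any source can reach the login prompt"),
            (v.protocol in ("all", "telnet"), "Telnet accepted, credentials cross the network in clear"),
        ]
        findings += [f"vty {n}: {msg}" for bad, msg in checks if bad]
    return findings

# Constructed sample: the ACL example above applied to VTY 0-4, plus the password-mode
# settings from the earlier Telnet example in this chapter.
SAMPLE = """
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] acl 2000 inbound
[3Com-ui-vty0-4] authentication-mode password
[3Com-ui-vty0-4] set authentication password simple 123456
[3Com-ui-vty0-4] protocol inbound telnet
"""
```

Running parse_config(SAMPLE) and then telnet_allowed(cfg, 0, "10.110.100.53") returns False because the address falls through rules 1 and 2 to the explicit deny, while audit(cfg) reports the plaintext password and the cleartext Telnet protocol on each of the five lines.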

Table 30 Controlling Telnet Users by Source MAC Addresses

Enter system view
  Command: system-view
  Remarks: —

Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: As for the acl number command, the config keyword is specified by default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source MAC addresses.

Quit to system view
  Command: quit
  Remarks: —

Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]

Apply the ACL to control Telnet users by source MAC addresses
  Command: acl acl-number inbound
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current switch.


Controlling Network Management Users by Source IP Addresses

You can manage a Switch 4500G Series Ethernet switch through network management software. Network management users can access switches through SNMP.

You need to perform the following two operations to control network management users by source IP addresses.

■ Defining an ACL

■ Applying the ACL to control users accessing the switch through SNMP

Prerequisites

The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).

Controlling Network Management Users by Source IP Addresses

Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

You can specify different ACLs when configuring the SNMP community name, the SNMP group name, and the SNMP user name.

Table 31 Controlling Network Management Users by Source IP Addresses

Enter system view
  Command: system-view
  Remarks: —

Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: For the acl number command, the config keyword is the default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required

Quit to system view
  Command: quit
  Remarks: —

Apply the ACL while configuring the SNMP community name
  Command: snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ]*
  Remarks: Optional

Apply the ACL while configuring the SNMP group name
  Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Remarks: Optional

Apply the ACL while configuring the SNMP user name
  Command: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
  Command: snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ] [ acl acl-number ]
  Remarks: Optional

Because the SNMP community name is a feature of SNMPv1 and SNMPv2c, an ACL specified in the command that configures SNMP community names (the snmp-agent community command) takes effect for network management systems that use SNMPv1 or SNMPv2c.

Similarly, because the SNMP group name and the SNMP user name are features of SNMPv2c and higher SNMP versions, ACLs specified in the commands that configure SNMP group names (the snmp-agent group and snmp-agent group v3 commands) and SNMP user names (the snmp-agent usm-user and snmp-agent usm-user v3 commands) take effect for network management systems that use SNMPv2c or higher. If you specify ACLs both when configuring the SNMP group name and when configuring the SNMP user name, the switch filters network management users by both.

Configuration Example

Network requirements

Only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to access the switch.

Network diagram

Figure 22 Network diagram for controlling SNMP users using ACLs

Configuration procedure

1 Define a basic ACL.

<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit

2 Apply the ACL so that only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 can access the switch.

[3Com] snmp-agent community read 3com acl 2000
[3Com] snmp-agent group v2c 3comgroup acl 2000
[3Com] snmp-agent usm-user v2c 3comuser 3comgroup acl 2000


Controlling Web Users by Source IP Address

You can manage a Switch 4500G Series Ethernet switch remotely through Web. Web users can access a switch through HTTP connections.

You need to perform the following two operations to control Web users by source IP addresses.

■ Defining an ACL

■ Applying the ACL to control Web users

Prerequisites

The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).

Controlling Web Users by Source IP Addresses

Controlling Web users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Table 32 Controlling Web Users by Source IP Addresses

Enter system view
  Command: system-view
  Remarks: —

Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: For the acl number command, the config keyword is the default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required

Quit to system view
  Command: quit
  Remarks: —

Apply the ACL to control Web users
  Command: ip http acl acl-number
  Remarks: Optional

Disconnecting a Web User by Force

The administrator can disconnect a Web user by force using the following command.

Table 33 Disconnecting a Web User by Force

Disconnect a Web user by force
  Command: free web-users { all | user-id user-id | user-name user-name }
  Remarks: Required. Execute this command in user view.

Configuration Example

Network requirements

Only the users sourced from the IP address 10.110.100.46 are permitted to access the switch.


Network diagram

Figure 23 Network diagram for controlling Web users using ACLs

Configuration procedure

1 Define a basic ACL.

<3Com> system-view
[3Com] acl number 2030 match-order config
[3Com-acl-basic-2030] rule 1 permit source 10.110.100.46 0
[3Com-acl-basic-2030] rule 2 deny source any

2 Apply the ACL to only permit the Web users sourced from the IP address of 10.110.100.46 to access the switch.

[3Com] ip http acl 2030
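The Telnet, SNMP and Web examples above all rely on the same basic ACL behaviour: rules are checked in configuration order (match-order config), a wildcard of 0 means an exact host, and the closing deny source any rule stops any other address from going unmatched. The following Python script is an added example, not code from the 3Com guide. It parses transcripts in the guide's own form and reports what an ACL will do for a given source address, so that a management ACL can be checked before it is applied to a vty, an SNMP community, group or user, or the HTTP server. The constructed wildcard ACL 2500 (admitting a whole /24), the snmp_permits helper (modelling the guide's note that ACLs on both the SNMP group and the SNMP user filter the manager) and the choice to report an address that matches no rule as not permitted are assumptions of this example.

```python
# Added example, not code from the 3Com guide: an evaluator for the basic ACL syntax the
# guide uses (acl number N / rule N permit|deny source ADDRESS WILDCARD|any), so that the
# effect of a management ACL can be checked before it is applied.
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: Optional[int]  # source address as an integer; None means "any"
    wildcard: int          # wildcard mask: bits set to 1 are ignored, 0 means an exact host


@dataclass
class BasicAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def first_match(self, src: str) -> Optional[Rule]:
        """First rule matching src in configuration order (match-order config)."""
        addr = int(IPv4Address(src))
        for rule in self.rules:
            if rule.source is None or (addr | rule.wildcard) == (rule.source | rule.wildcard):
                return rule
        return None

    def permits(self, src: str) -> bool:
        """True only when the first matching rule is a permit. Reporting an address that
        matches no rule as not permitted is an assumption of this example; the guide's
        examples end with 'deny source any' so that no address is left unmatched."""
        rule = self.first_match(src)
        return rule is not None and rule.action == "permit"


PROMPT_RE = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")  # strips "<3Com> " / "[3Com-acl-basic-2000] "
ACL_RE = re.compile(r"^acl number (\d+)")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny) source (?:(any)|(\S+) (\S+))$")


def _mask(text: str) -> int:
    """Wildcard in dotted decimal, or the bare 0 the guide writes for an exact host."""
    return int(IPv4Address(text)) if "." in text else int(text)


def parse_acl(config: str) -> BasicAcl:
    """Parse a transcript in the guide's form into a BasicAcl; unrelated lines are ignored."""
    acl: Optional[BasicAcl] = None
    for raw in config.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = ACL_RE.match(line)
        if m:
            number = int(m.group(1))
            if not 2000 <= number <= 2999:
                raise ValueError(f"{number} is not a basic ACL number (2000 to 2999)")
            acl = BasicAcl(number)
            continue
        m = RULE_RE.match(line)
        if m:
            if acl is None:
                raise ValueError("rule found before any 'acl number' line")
            rule_id, action, any_kw, src, wildcard = m.groups()
            if any_kw:
                acl.rules.append(Rule(int(rule_id), action, None, 0))
            else:
                acl.rules.append(Rule(int(rule_id), action, int(IPv4Address(src)), _mask(wildcard)))
    if acl is None:
        raise ValueError("no 'acl number' line found")
    return acl


def snmp_permits(src: str, group_acl: Optional[BasicAcl], user_acl: Optional[BasicAcl]) -> bool:
    """The guide states that ACLs set on both the SNMP group and the SNMP user both filter
    the manager; this models that as every configured ACL having to permit the source."""
    return all(acl.permits(src) for acl in (group_acl, user_acl) if acl is not None)


# Constructed input: the transcript of the guide's Telnet/SNMP example, prompts included.
GUIDE_ACL_2000 = """\
<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
"""

# Constructed input (not from the guide): a wildcard rule admitting the whole 10.110.100.0/24.
SUBNET_ACL_2500 = """\
[3Com] acl number 2500
[3Com-acl-basic-2500] rule 1 permit source 10.110.100.0 0.0.0.255
[3Com-acl-basic-2500] rule 2 deny source any
"""

if __name__ == "__main__":
    acl = parse_acl(GUIDE_ACL_2000)
    for host in ("10.110.100.52", "10.110.100.46", "10.110.100.47"):
        rule = acl.first_match(host)
        print(f"{host}: rule {rule.rule_id} {rule.action}")
```

The wildcard comparison uses (address | wildcard) == (rule source | wildcard), which is the same test as masking both sides with the inverted wildcard; an address outside the permitted set falls through to the deny source any rule, so the script shows which rule decided each case rather than only a yes/no.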


8 BASIC SYSTEM CONFIGURATION AND MAINTENANCE

Command Line Feature

Command Line Interface Overview

The Switch 4500G Family provides a set of configuration commands and a command line interface (CLI) for configuring and maintaining the Ethernet switches. The CLI has the following features:

■ Commands are assigned levels so that unauthorized users cannot use the related commands to configure a switch.

■ You can enter <?> at any time to get online help.

■ Network test commands, such as tracert and ping, help you diagnose the network.

■ Detailed debugging information helps you diagnose and locate network failures.

■ A function similar to Doskey lets you execute history commands.

■ Keywords of a command line are matched by partial match: you only need to enter enough of a keyword to make it unambiguous for the command to execute correctly.

Online Help of Command Line

The command line interface provides the following online help modes.

■ Full help

■ Partial help

You can get the help information through these online help commands, which are described as follows.

1 Input “?” in any view to get all the commands in it and corresponding descriptions.

<Sysname> ?
User view commands:
  backup        Backup next startup-configuration file to TFTP server
  boot-loader   Set boot loader
  bootrom       Update/read/backup/restore bootrom
  cd            Change current directory
  clock         Specify the system clock
  cluster       Run cluster command
  copy          Copy from one file to another
  debugging     Enable system debugging functions
  delete        Delete a file
  dir           List files on a file system
  display       Show running system information
  <Omit>


2 Input a command followed by a space and “?”. If this position is for keywords, all the keywords and their brief descriptions are listed.

<Sysname> language-mode ?
  chinese   Chinese environment
  english   English environment

3 Input a command followed by a space and “?”. If this position is for parameters, all the parameters and their brief descriptions are listed.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
[Sysname] interface vlan-interface 1 ?
  <cr>

<cr> indicates that no parameter is expected in this position. The next command line repeats the command; you can press <Enter> to execute it directly.

4 Input a character string followed by “?”; all the commands that begin with this string are listed.

<Sysname> pi?
ping

5 Input a command, then a character string followed by “?”; all the keywords of the command that begin with this string are listed.

<Sysname> display ver?
version

6 Input the first letters of a keyword of a command and press the <Tab> key. If no other keyword begins with these letters, the unique keyword is completed automatically. If other keywords begin with these letters, press the <Tab> key repeatedly to cycle through them.

7 To switch to the Chinese display for the above information, perform the language-mode command.
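To make the help modes and the partial-match rule above concrete, here is an added Python model of them; it is not code from the 3Com guide or from the switch. The user view keywords and descriptions in the constructed command tree are taken from the “?” output shown earlier and from the language-mode example; the sub-keywords under display and the descriptions of ping and language-mode are assumptions of this example, as is the wording of the ambiguous-keyword error (the guide's Table 36 lists only “Unrecognized command”).

```python
# Added example, not code from the 3Com guide: a model of the CLI's "?" online help,
# <Tab> completion and partial keyword matching over a small constructed command tree.
from typing import Dict, List, Tuple

# Constructed command tree: keyword -> (description, sub-keywords). Keywords and
# descriptions at user view level come from the guide's "?" output; the entries under
# display and the ping/language-mode descriptions are assumptions of this example.
CommandTree = Dict[str, Tuple[str, "CommandTree"]]

USER_VIEW: CommandTree = {
    "debugging": ("Enable system debugging functions", {}),
    "delete": ("Delete a file", {}),
    "dir": ("List files on a file system", {}),
    "display": ("Show running system information", {
        "version": ("Display version information", {}),
        "users": ("Display users on user interfaces", {}),
    }),
    "language-mode": ("Specify the language environment", {
        "chinese": ("Chinese environment", {}),
        "english": ("English environment", {}),
    }),
    "ping": ("Ping function", {}),
}


def resolve_keyword(node: CommandTree, word: str) -> str:
    """Partial match: an exact keyword wins; otherwise the word must be an unambiguous prefix."""
    if word in node:
        return word
    matches = sorted(k for k in node if k.startswith(word))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError("Unrecognized command")  # message as listed in the guide's Table 36
    raise ValueError(f"Ambiguous keyword '{word}': {', '.join(matches)}")  # wording assumed


def resolve(tree: CommandTree, line: str) -> str:
    """Expand every partially typed keyword of a command line, e.g. 'dis ver'."""
    node, full = tree, []
    for word in line.split():
        keyword = resolve_keyword(node, word)
        full.append(keyword)
        node = node[keyword][1]
    return " ".join(full)


def question(tree: CommandTree, typed: str) -> List[Tuple[str, str]]:
    """Model of typing `typed` and then '?'. A trailing space (or nothing typed) asks for
    the keywords valid in the next position; otherwise the last word is a partial keyword
    and only keywords starting with it are listed. A position with no further keywords is
    reported as <cr>, i.e. no parameter is expected there."""
    words = typed.split()
    if typed.endswith(" ") or not words:
        path, prefix = words, ""
    else:
        path, prefix = words[:-1], words[-1]
    node = tree
    for word in path:
        node = node[resolve_keyword(node, word)][1]
    if not node and prefix == "":
        return [("<cr>", "no parameter in this position")]
    return sorted((k, node[k][0]) for k in node if k.startswith(prefix))


def tab_complete(node: CommandTree, word: str) -> str:
    """<Tab>: the word is completed only when exactly one keyword starts with it."""
    matches = [k for k in node if k.startswith(word)]
    return matches[0] if len(matches) == 1 else word


if __name__ == "__main__":
    for typed in ("", "pi", "display ver", "language-mode ", "display version "):
        print(f"<Sysname> {typed}?")
        for keyword, description in question(USER_VIEW, typed):
            print(f"  {keyword:<14}{description}")
```

Running the block reproduces the shapes of the five help modes in the list above: the full listing for a bare “?”, the single candidate for pi?, the sub-keyword for display ver?, the keyword list for language-mode ?, and <cr> when nothing further can follow.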

Displaying Characteristics of Command Line

The command line interface provides the following display characteristics:

■ For users’ convenience, instructions and help information can be displayed in both English and Chinese.

■ When the information to be displayed exceeds one screen, the display pauses. You then have three choices, as shown in the table below.

Table 34 Functions of displaying

Press <Ctrl+C> when the display pauses: Stop displaying and executing the command.

Enter a space when the display pauses: Continue to display the next screen of information.

Press <Enter> when the display pauses: Continue to display the next line of information.


History Command of Command Line

The command line interface provides a function similar to that of DosKey. The CLI automatically saves the commands that have been entered, and you can recall and re-execute them as needed. By default, the CLI saves up to ten commands for each user. Table 35 lists the operations you can perform.

Cursor keys can be used to retrieve history commands in Windows 3.X Terminal and Telnet. However, in Windows 9X HyperTerminal the up and down cursor keys <↑> and <↓> do not work, because Windows 9X HyperTerminal defines the two keys differently. In this case, use the key combinations <Ctrl+P> and <Ctrl+N> instead for the same purpose.

Table 35 Retrieve history command

Display history commands
  Key or command: display history-command
  Result: Displays the history commands entered by the user.

Retrieve the previous history command
  Key: Up cursor key <↑> or <Ctrl+P>
  Result: Retrieves the previous history command, if there is any.

Retrieve the next history command
  Key: Down cursor key <↓> or <Ctrl+N>
  Result: Retrieves the next history command, if there is any.

Common Command Line Error Messages

Commands are executed only if they have no syntax error; otherwise an error message is reported. Table 36 lists some common errors.

Table 36 Common command line error messages

Unrecognized command
  Causes: Cannot find the command; cannot find the keyword; wrong parameter type; the value of the parameter exceeds the range.

Incomplete command
  Cause: The input command is incomplete.

Wrong parameter
  Cause: A wrong parameter was entered.


Editing Characteristics of Command Line

The command line interface provides basic command editing functions and supports editing across multiple lines. A command cannot be longer than 256 characters. See the table below.

Table 37 Editing functions

Common keys: Insert the character at the cursor position and move the cursor to the right, if the edit buffer still has free space.

Backspace: Delete the character preceding the cursor and move the cursor backward.

Left cursor key <←> or <Ctrl+B>: Move the cursor one character backward.

Right cursor key <→> or <Ctrl+F>: Move the cursor one character forward.

Up cursor key <↑> or <Ctrl+P>, Down cursor key <↓> or <Ctrl+N>: Retrieve the history command.

<Tab>: Press <Tab> after typing an incomplete keyword and the system performs partial help: if exactly one keyword matches the typed one, the system replaces it with the complete keyword and displays it on a new line; if no keyword matches or the match is not unique, the system makes no change and displays the originally typed word on a new line.

Command Line view

Different command views are implemented according to different requirements, and they are related to one another. For example, after logging in to the switch you enter user view, in which you can only use some basic functions such as displaying the running state and statistics. In user view, key in system-view to enter system view, in which you can key in different configuration commands and enter the corresponding views.

The command line provides the following views:

■ User view

■ System view

■ Ethernet Port view

■ NULL interface view

■ VLAN view

■ VLAN interface view

■ LoopBack interface view

■ Local-user view

■ User interface view

■ FTP Client view

■ MST region view

■ IGMP-Snooping view

■ Traffic classifier view

■ Traffic behavior view

■ QoS policy view

■ Cluster view


■ Port group view

■ HWping view

■ TACACS+ scheme view

■ RSA public key view

■ RSA key code view

■ Route policy view

■ Basic ACL view

■ Advanced ACL view

■ Layer 2 ACL view

■ RADIUS scheme view

■ RIP view

■ RIPng view

■ ISP domain view

The following table describes the function features of different views and the ways to enter or quit.

Table 38 Command view function list

User view
  Function: Show the basic information about operation and statistics
  Prompt: <Sysname>
  Enter: Entered right after connecting to the switch
  Exit: quit disconnects from the switch

System view
  Function: Configure system parameters
  Prompt: [Sysname]
  Enter: Key in system-view in user view
  Exit: quit or return returns to user view

Ethernet Port view (GigabitEthernet port view)
  Function: Configure Ethernet port parameters
  Prompt: [Sysname-GigabitEthernet1/0/1]
  Enter: Key in interface gigabitethernet 1/0/1 in system view
  Exit: quit returns to system view; return returns to user view

NULL interface view
  Function: Configure NULL interface parameters
  Prompt: [Sysname-NULL0]
  Enter: Key in interface null 0 in system view
  Exit: quit returns to system view; return returns to user view

VLAN view
  Function: Configure VLAN parameters
  Prompt: [Sysname-vlan1]
  Enter: Key in vlan 1 in system view
  Exit: quit returns to system view; return returns to user view

VLAN interface view
  Function: Configure IP interface parameters for a VLAN or a VLAN aggregation
  Prompt: [Sysname-Vlan-interface1]
  Enter: Key in interface vlan-interface 1 in system view
  Exit: quit returns to system view; return returns to user view

LoopBack interface view
  Function: Configure LoopBack interface parameters
  Prompt: [Sysname-LoopBack0]
  Enter: Key in interface loopback 0 in system view
  Exit: quit returns to system view; return returns to user view

Local-user view
  Function: Configure local user parameters
  Prompt: [Sysname-luser-user1]
  Enter: Key in local-user user1 in system view
  Exit: quit returns to system view; return returns to user view

User interface view
  Function: Configure user interface parameters
  Prompt: [Sysname-ui0]
  Enter: Key in user-interface 0 in system view
  Exit: quit returns to system view; return returns to user view

FTP Client view
  Function: Configure FTP Client parameters
  Prompt: [ftp]
  Enter: Key in ftp in user view
  Exit: quit returns to user view

MST region view
  Function: Configure MST region parameters
  Prompt: [Sysname-mst-region]
  Enter: Key in stp region-configuration in system view
  Exit: quit returns to system view; return returns to user view

IGMP-Snooping view
  Function: Configure IGMP-Snooping protocol parameters
  Prompt: [Sysname-igmp-snooping]
  Enter: Key in igmp-snooping in system view
  Exit: quit returns to system view; return returns to user view

Traffic classifier view
  Function: Configure traffic classifier related parameters
  Prompt: [Sysname-classifier-test]
  Enter: Key in traffic classifier test in system view
  Exit: quit returns to system view; return returns to user view

Traffic behavior view
  Function: Configure traffic behavior related parameters
  Prompt: [Sysname-behavior-test]
  Enter: Key in traffic behavior test in system view
  Exit: quit returns to system view; return returns to user view

QoS policy view
  Function: Configure QoS policy related parameters
  Prompt: [Sysname-qospolicy-test]
  Enter: Key in qos policy test in system view
  Exit: quit returns to system view; return returns to user view

Cluster view
  Function: Configure cluster parameters
  Prompt: [Sysname-cluster]
  Enter: Key in cluster in system view
  Exit: quit returns to system view; return returns to user view

Port group view
  Function: Configure manual port group parameters
  Prompt: [Sysname-port-group-manual-test]
  Enter: Key in port-group manual test in system view
  Function: Configure aggregate port group parameters
  Prompt: [Sysname-port-group-aggregation-1]
  Enter: Key in port-group aggregation 1 in system view
  Exit: quit returns to system view; return returns to user view

HWping view
  Function: Configure HWping test group parameters
  Prompt: [Sysname-hwping-admin-test]
  Enter: Key in hwping admin test in system view
  Exit: quit returns to system view; return returns to user view

TACACS scheme view
  Function: Configure TACACS+ parameters
  Prompt: [Sysname-hwtacacs-test]
  Enter: Key in hwtacacs scheme test in system view
  Exit: quit returns to system view; return returns to user view

RSA public key view
  Function: Configure the RSA public key of an SSH user
  Prompt: [Sysname-rsa-public-key]
  Enter: Key in rsa peer-public-key 003 in system view
  Exit: peer-public-key end returns to system view

RSA key code view
  Function: Edit the RSA public key of an SSH user
  Prompt: [Sysname-rsa-key-code]
  Enter: Key in public-key-code begin in RSA public key view
  Exit: public-key-code end returns to RSA public key view

Route policy view
  Function: Configure route policy
  Prompt: [Sysname-route-policy]
  Enter: Key in route-policy policy1 permit node 10 in system view
  Exit: quit returns to system view; return returns to user view

Basic ACL view
  Function: Define the sub rules of a basic ACL (in the range of 2,000 to 2,999)
  Prompt: [Sysname-acl-basic-2000]
  Enter: Key in acl number 2000 in system view
  Exit: quit returns to system view; return returns to user view

Advanced ACL view
  Function: Define the sub rules of an advanced ACL (in the range of 3,000 to 3,999)
  Prompt: [Sysname-acl-adv-3000]
  Enter: Key in acl number 3000 in system view
  Exit: quit returns to system view; return returns to user view

Layer 2 ACL view
  Function: Define the sub rules of a Layer 2 ACL (in the range of 4,000 to 4,999)
  Prompt: [Sysname-acl-ethernetframe-4000]
  Enter: Key in acl number 4000 in system view
  Exit: quit returns to system view; return returns to user view

RADIUS scheme view
  Function: Configure RADIUS parameters
  Prompt: [Sysname-radius-1]
  Enter: Key in radius scheme 1 in system view
  Exit: quit returns to system view; return returns to user view

RIP view
  Function: Configure RIP parameters
  Prompt: [Sysname-rip-1]
  Enter: Key in rip in system view
  Exit: quit returns to system view; return returns to user view

RIPng view
  Function: Configure RIPng parameters
  Prompt: [Sysname-ripng-1]
  Enter: Key in ripng 1 in system view
  Exit: quit returns to system view; return returns to user view

ISP domain view
  Function: Configure ISP domain parameters
  Prompt: [Sysname-isp-aabbcc.net]
  Enter: Key in domain aabbcc.net in system view
  Exit: quit returns to system view; return returns to user view

Basic System Configuration

Entering System View from User View

When you log in to the switch, you are in user view, and the corresponding prompt is <Sysname>. Use the following operations to enter or exit system view.

Table 39 Enter or exit system view

Enter system view from user view
  Command: system-view
  Remarks: —

Return to user view from system view
  Command: quit
  Remarks: —


Use the quit command to return from the current view to the next lower view. Use the return command to return from the current view to user view. The key combination <Ctrl+Z> has the same effect as the return command.

Setting the CLI Language Mode

The switch can display prompt information in either Chinese or English. Use the following command to change the language.

Table 40 Set the CLI language mode

Set the CLI language mode
  Command: language-mode { chinese | english }
  Remarks: Optional. By default, the command line interface (CLI) language mode is English.

Setting the System Name of the Switch

You can define the system name, which appears in the CLI prompts. For example, if you define the system name as 3Com, the prompt for user view is <3Com>.

Table 41 Set the system name of the switch

Enter system view
  Command: system-view
  Remarks: —

Set the system name of the switch
  Command: sysname sysname
  Remarks: Optional. By default, the name is 3Com.

Setting the Date and Time of the System

To keep the switch coordinated with other devices, set the correct system time as follows:

Table 42 Set the date and time of the system

Set the current date and time of the system
  Command: clock datetime time date
  Remarks: Optional

Set the local time zone
  Command: clock timezone zone-name { add | minus } time
  Remarks: Optional

Set the name and time range of the summer time
  Command: clock summer-time zone_name one-off start-time start-date end-time end-date offset-time
  Command: clock summer-time zone_name repeating { start-time start-date end-time end-date | start-time start-year start-month start-week start-day end-time end-year end-month end-week end-day } offset-time
  Remarks: Optional


Set banner

Table 43 Set banner

Enter system view
  Command: system-view
  Remarks: —

Set the login banner for users that log in through modems
  Command: header incoming text
  Remarks: Optional

Set the authentication banner
  Command: header legal text
  Remarks: Optional

Set the login banner
  Command: header login text
  Remarks: Optional

Set the session banner, which appears after a session is established
  Command: header shell text
  Remarks: Optional

Set the login banner
  Command: header motd text
  Remarks: Optional

Specifying Shortcut Keys for Command Lines

The system provides five shortcut keys to simplify the use of commonly used commands. When you press a shortcut key, the system executes the corresponding command.

By default, the system assigns a command line to CTRL_G, CTRL_L, and CTRL_O. The other two shortcut keys, CTRL_T and CTRL_U, default to NULL.

■ CTRL_G corresponds to the display current-configuration command (display the current configuration).

■ CTRL_L corresponds to the display ip routing-table command (display information about the IPv4 routing table).

■ CTRL_O corresponds to the undo debugging all command (disable debugging for all modules).

Table 44 Specify shortcut keys for command lines

Enter system view
  Command: system-view
  Remarks: —

Specify shortcut keys for command lines
  Command: hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ] command
  Remarks: Optional. By default, the system assigns a command line to CTRL_G, CTRL_L, and CTRL_O.

Display the shortcut key allocation information
  Command: display hotkey
  Remarks: You can execute this command in any view. Refer to Table 45 for the shortcut keys reserved by the system.

Table 45 Shortcut keys reserved by the system

CTRL_A  Moves the cursor to the beginning of the current line

CTRL_B  Moves the cursor one character left

CTRL_C  Stops the current command function

CTRL_D  Deletes the character at the cursor position

CTRL_E  Moves the cursor to the end of the current line

CTRL_F  Moves the cursor one character right

CTRL_H  Deletes the character left of the cursor

CTRL_K  Terminates an outgoing connection

CTRL_N  Displays the next command from the history command buffer

CTRL_P  Displays the previous command from the history command buffer

CTRL_R  Redisplays the current line

CTRL_V  Pastes the content of the clipboard

CTRL_W  Deletes the word left of the cursor

CTRL_X  Deletes all the characters up to the cursor

CTRL_Y  Deletes all the characters after the cursor

CTRL_Z  Returns to user view

CTRL_]  Terminates an incoming connection or a redirect connection

ESC_B   Moves the cursor one word back

ESC_D   Deletes the remainder of the word

ESC_F   Moves the cursor one word forward

ESC_N   Moves the cursor one line down (effective before the Enter key is pressed)

ESC_P   Moves the cursor one line up (effective before the Enter key is pressed)

ESC_<   Specifies the cursor position as the beginning of the clipboard

ESC_>   Specifies the cursor position as the end of the clipboard

The shortcut keys above are defined by the system of the device. When you use terminal software to access the device, the terminal software may assign other functions to these shortcut keys; in that case, the definitions in the terminal software take effect.

User Level and Command Level Configuration

All commands are assigned to views and categorized into four levels: visit, monitor, system, and manage, numbered 0 through 3 respectively. To obtain a higher privilege, a user must switch to a higher user level, which requires a password for security reasons.

The following table describes the default level of the commands.

Table 46 Command level by default

Level  Name     Commands
0      Visit    ping, tracert, telnet, and so on
1      Monitor  refresh, reset, send, and so on
2      System   All configuration commands (except Manage-level commands)
3      Manage   File system commands, FTP commands, TFTP commands, and XMODEM commands


The user level determines which commands a user can use after login. For example, if the user level of the VTY 0 user interface is set to 3, a user logging in to the switch from VTY 0 can use commands of level 3 and lower.

CAUTION: If you do not specify a user level in the super password command, the password is set for switching to user level 3.

Table 47 User level and command level configuration

Switch user level
  Command: super [ level ]
  Remarks: Optional

Enter system view
  Command: system-view
  Remarks: —

Password configuration
  Command: super password [ level user-level ] { simple | cipher } password
  Remarks: Optional

Command privilege level configuration
  Command: command-privilege level level view view command
  Remarks: Optional


Displaying the System Status

You can use the following display commands to check the status and configuration information of the system.

Table 48 System display commands

Display the version of the system
  Command: display version

Display the current date and time of the system
  Command: display clock

Display information about user terminal interfaces
  Command: display users [ all ]

View the configuration files in the flash memory of the switch
  Command: display saved-configuration [ by-linenum ]

Display the currently effective configuration parameters of the switch
  Command: display current-configuration [ interface interface-type [ interface-number ] | configuration [ configuration-type ] ] [ by-linenum ] [ | { begin | include | exclude } text ]

Display the running configuration of the current view
  Command: display this [ by-linenum ]

Display clipboard information
  Command: display clipboard

Display memory information
  Command: display memory

■ Only the display commands related to global configurations are listed here. For the display commands about protocols and interfaces, refer to the corresponding chapters.

■ If the switch boots without using any configuration file, the display saved-configuration command displays nothing; if you have saved the configuration after the system booted, display saved-configuration displays the configuration you saved last.

Displaying Operating Information about System

When your Ethernet switch has a problem, you may need to view a lot of operating information to locate it. Each functional module has its own operating information display command(s). The command described here displays the current operating information of the modules in the system (a fixed set, decided when the command was designed) for troubleshooting your system.

Perform the following operation in any view:

Table 49 Display the current operating information about the modules in the system

Display the current operating information about the modules in the system
  Command: display diagnostic-information

The display diagnostic-information command displays all the configurations you defined with the following commands:

■ display clock

■ display version

■ display device

■ display current-configuration

■ display saved-configuration


■ display interface

■ display fib

■ display ip interface

■ display ip statistics

■ display memory

■ display logbuffer

■ display history-command


9 SYSTEM MAINTENANCE AND DEBUGGING

System Maintenance and Debugging Overview

System Maintenance Overview

You can use the ping command and the tracert command to verify the current network connectivity.

The ping command

Users can use the ping command to verify whether a device with a specified address is reachable, and to examine the network connectivity.

The ping command works as follows:

1 The source device sends ICMP ECHO-REQUEST packets to the destination device.

2 If the network is functioning properly, the destination device responds with ICMP ECHO-REPLY packets after receiving the ICMP ECHO-REQUEST packets.

3 If there is a network failure, the source device displays information indicating that the address is unreachable.

4 After the ping command finishes, the relevant statistics are displayed.

Output of the ping command includes:

■ How the destination device responds to each ICMP ECHO-REQUEST packet: if the source device receives the ICMP ECHO-REPLY packet before the time-out timer expires, it displays the number of bytes in the ECHO-REPLY packet, the packet sequence number, the Time To Live (TTL), and the response time.

■ If no response packet is received within the period set by the time-out timer, the “Request time out.” message is displayed.

■ The ping command accepts either the name or the IP address of the destination device; if the device name is unknown, the “Error: Ping: Unknown host host-name” message is displayed.

■ The statistics for the command: the number of packets sent, the number of ECHO-REPLY packets received, the percentage of packets not received, and the minimum, average, and maximum response times.

For a low-speed network, set a larger value for the time-out timer (indicated by the -t parameter in the command) when configuring the ping command.

Page 88: 3Com Switch 4500G Family Configuration Guide

88 CHAPTER 9: SYSTEM MAINTENANCE AND DEBUGGING

The tracert command

Users can use the tracert command to trace the routers used while forwarding packets from the source to the destination device. In the event of network failure, users can identify the failed node(s) in this way.

Take the following steps when using the tracert command:

1 The source device sends a packet with a TTL value of 1 to the destination device.

2 The first hop (the first router to receive the packet) decrements the TTL to 0, discards the packet, and responds to the source with an ICMP TTL-expired message whose source address is its own IP address. In this way, the source device learns the address of the first router.

3 The source device sends a packet with a TTL value of 2 to the destination device.

4 The second hop responds with a TTL-expired ICMP message, which gives the source device the address of the second router.

5 The process continues until the destination device itself is reached. The probes are UDP datagrams addressed to a port on which the destination is unlikely to be listening (set with the -p option), so the destination, unlike the intermediate routers, answers with an ICMP port-unreachable message; that reply tells the source that the trace is complete. In this way, the source device learns the addresses of all the routers on the path to the destination. A hop that does not answer within the timeout (-w) is shown as "* * *" and the trace continues with the next TTL.
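The TTL-stepping procedure above, as an added example written for this page rather than code from the 3Com guide: a small model of a path in which every router decrements the TTL, answers with an ICMP time-exceeded message when the TTL reaches zero, and the destination host answers with port-unreachable. The router addresses, the silent second hop and the probe counts are constructed for the demonstration; nothing here sends real packets.

```python
# Added example: a model of the TTL-stepping algorithm the tracert command
# uses, written for this page (it is not 3Com code). The routers, addresses
# and the silent hop are constructed for the demonstration.
from dataclasses import dataclass

MAX_TTL = 30         # matches "30 hops max" in the guide's sample output
PROBES_PER_HOP = 3   # three probes per TTL, as in the sample output's three RTT columns


@dataclass
class Router:
    address: str
    silent: bool = False   # a hop that drops the expired probe and never answers


@dataclass
class Path:
    """Constructed chain of routers between the source and the destination host."""
    routers: list
    destination: str

    def send_probe(self, ttl: int):
        """Forward one probe along the path, decrementing TTL at each router.

        Returns ("time-exceeded", router-address) from the router at which the
        TTL reaches 0, ("port-unreachable", destination) when the probe gets all
        the way to the destination (the UDP port is closed, so the host itself
        answers), or None when the responsible hop is silent and the probe
        simply times out.
        """
        for router in self.routers:
            ttl -= 1
            if ttl == 0:
                return None if router.silent else ("time-exceeded", router.address)
        return ("port-unreachable", self.destination)


def tracert(path: Path, max_ttl: int = MAX_TTL, probes: int = PROBES_PER_HOP):
    """Return one (ttl, address-or-None, reply-kind) entry per hop.

    The TTL starts at 1 and grows by one per hop until the destination answers
    or max_ttl is reached (the -m option). A hop whose probes all time out is
    recorded with address None, which the switch prints as "* * *", and the
    trace continues past it.
    """
    hops = []
    for ttl in range(1, max_ttl + 1):
        replies = [path.send_probe(ttl) for _ in range(probes)]
        answered = [reply for reply in replies if reply is not None]
        if not answered:
            hops.append((ttl, None, "timeout"))
            continue
        kind, address = answered[0]
        hops.append((ttl, address, kind))
        if kind == "port-unreachable":
            break
    return hops


def format_hop(hop) -> str:
    ttl, address, _ = hop
    return f"{ttl:>2} {'* * *' if address is None else address}"


# Constructed topology: three routers, the second of which never answers.
SAMPLE_PATH = Path(
    routers=[Router("128.3.112.1"), Router("128.32.216.1", silent=True),
             Router("128.32.136.23")],
    destination="10.1.1.4",
)

if __name__ == "__main__":
    for hop in tracert(SAMPLE_PATH):
        print(format_hop(hop))
```

Two things the model makes visible that the prose only implies: a filtering hop that discards expired probes produces a "* * *" line but does not stop the trace, and the trace ends only when a reply comes from the destination address itself, not from a router; if -m is reached first, the last line is a router or a timeout and the destination was never confirmed reachable.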

System Debugging Overview

The 3Com Switch 4500G Family provides debugging for most of the supported protocols and functions, to help you diagnose and locate problems.

The following switches control the outputs of the debugging information.

■ Protocol debugging switch controls the debugging output of a protocol.

■ Terminal debugging switch controls the debugging output on a specified user screen.

Figure 24 illustrates the relationship between the two switches.

Figure 24 Debugging output

(Diagram: three pieces of debugging information, 1, 2 and 3, are generated. The protocol debugging switch is ON for 1 and 3 and OFF for 2, so only 1 and 3 pass it. The screen output switch is ON, so 1 and 3 are displayed on the terminal; with either switch OFF, nothing reaches the screen.)

Page 89: 3Com Switch 4500G Family Configuration Guide

System Maintenance and Debugging Configuration 89

System Maintenance and Debugging Configuration

System Maintenance Configuration

System Debugging Configuration

■ The debugging commands are normally used when the administrator is diagnosing a network failure.

■ Debugging output consumes CPU and can degrade the switch's forwarding and management responsiveness, especially with the debugging all command. On a production switch, use debugging all only with the timeout option so that it switches itself off.

■ After debugging is completed, use the undo debugging all command to disable all debugging functions at once.

■ Debugging information reaches the screen only when both the protocol debugging switch (debugging) and the terminal debugging switch (terminal debugging) are on. Use display debugging to see which debugging switches are currently enabled.

Table 50 System Maintenance Configuration

To… / Use the command… / Remarks

Check the network connection:
  ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i interface-type interface-number | -m interval | -n | -p pad | -q | -r | -s packet-size | -t timeout | -tos tos | -v ] * { ip-address | hostname }
  Any view

Trace the route to a destination:
  tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-num | -w timeout ] * { ip-address | hostname }
  Any view

Table 51 System debugging configuration

To… / Use the command… / Remarks

Enable debugging for a specified module:
  debugging { all [ timeout time ] | module-name [ option ] }
  User view

Enable terminal debugging:
  terminal debugging
  User view

View the enabled debugging switches:
  display debugging [ interface interface-type interface-number ] [ module-name ]
  Any view


System Maintenance Example

Network requirements

The destination IP address is 10.1.1.4.

Display the route from the source to the destination.

Network diagram (omitted here)

Configuration procedure

<3Com> tracert nis.nsf.net
traceroute to nis.nsf.net (10.1.1.4) 30 hops max, 40 bytes packet
 1 128.3.112.1 19 ms 19 ms 0 ms
 2 128.32.216.1 39 ms 39 ms 19 ms
 3 128.32.136.23 39 ms 40 ms 39 ms
 4 128.32.168.22 39 ms 39 ms 39 ms
 5 128.32.197.4 40 ms 59 ms 59 ms
 6 131.119.2.5 59 ms 59 ms 59 ms
 7 129.140.70.13 99 ms 99 ms 80 ms
 8 129.140.71.6 139 ms 239 ms 319 ms
 9 129.140.81.7 220 ms 199 ms 199 ms
10 10.1.1.4 239 ms 239 ms 239 ms


10 DEVICE MANAGEMENT

You can specify the path and name of a .btm, .app or .cfg file in either of the following forms:

■ Path + filename: a full filename, a string of 1 to 63 characters, naming a file in the specified path.

■ Filename only: a string of 1 to 56 characters, naming a file in the current path.

■ These files (.btm, .app and .cfg) can only be stored in the root directory of the Flash memory.

Introduction to Device Management

Through the device management function, you can view the current working state of devices, configure operation parameters, and perform daily device maintenance and management.

Currently, the following device management functions are available:

■ Rebooting a device

■ Specifying a scheduled device reboot.

■ Specifying an .app file for the next device reboot

■ Upgrading a BootROM file.

BootROM and Host Software Loading

Traditionally, the loading of switch software is accomplished through a serial port. This approach is slow, inconvenient, and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port.

This chapter introduces how to load BootROM and host software to a switch locally and how to do this remotely.

Introduction to Loading Approaches

You can load software locally by using:

■ XMODEM through Console port

■ TFTP through Ethernet port

■ FTP through Ethernet port

You can load software remotely by using:

■ FTP

■ TFTP


The BootROM software version should be compatible with the host software version when you load the BootROM and host software.

Local Software Loading

If your terminal is directly connected to the switch, you can load the BootROM and host software locally.

Before loading the software, make sure that your terminal is correctly connected to the switch to insure successful loading.

The loading process of the BootROM software is the same as that of the host software, except that during the former process, you should press <Ctrl+U> and <Enter> after entering the Boot Menu and the system gives different prompts. The following text mainly describes the BootROM loading process.

Boot Menu

Starting......
***********************************************************
*                                                         *
*     3Com Switch 4500G Family BOOTROM, Version 106       *
*                                                         *
***********************************************************
Copyright(c) 2004-2006 3Com Corporation.
Creation date : May 10 2006, 15:59:18
CPU Clock Speed : 264MHz
BUS Clock Speed : 33MHz
Memory Size : 128MB
Mac Address : 00e0fc005502

Press Ctrl-B to enter Boot Menu... 5

Press <Ctrl+B>. The system displays:

Password :

To enter the Boot Menu, you should press <Ctrl+B> within five seconds after the information Press Ctrl-B to enter Boot Menu... appears. Otherwise, the system starts to decompress the program; and if you want to enter the Boot Menu at this time, you will have to restart the switch.

Input the BootROM password (none is set by default). Note that the Boot Menu gives whoever reaches it full control of the switch: option 7 skips the current configuration file, so the switch boots with none of its passwords or access controls, and options 1 and 4 load and delete files in the Flash memory. Set a BootROM password (option 5) on any switch whose console port is not physically secured, and review option 8 (Set bootrom password recovery) as part of the same decision. After the password is accepted, the system enters the Boot Menu:

BOOT MENU

1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot

Enter your choice(0-9):

Loading Software Using XMODEM through Console Port

XMODEM is a file transfer protocol that is widely used due to its simplicity and good performance. XMODEM transfers files through the console port. It supports two types of data packets (128 bytes and 1 KB), two check methods (checksum and CRC), and multiple attempts of error packet retransmission (generally the maximum number of retransmission attempts is ten).

The XMODEM transmission procedure is completed by a receiving program and a sending program: The receiving program sends negotiation characters to negotiate a packet checking method. After the negotiation, the sending program starts to transmit data packets. When receiving a complete packet, the receiving program checks the packet using the agreed method. If the check succeeds, the receiving program sends an acknowledgement character and the sending program proceeds to send another packet; otherwise, the receiving program sends a negative acknowledgement character and the sending program retransmits the packet.
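The negotiation, framing and retransmission just described, as an added example written for this page (not 3Com code): both sides of an XMODEM transfer run in lock-step over an in-memory link, the receiver chooses CRC or checksum mode, the sender frames 128-byte blocks with the block number and its complement, and one deliberately corrupted block forces a NAK and a retransmission. The image bytes and the corrupted block are constructed for the demonstration.

```python
# Added example: XMODEM framing and the receiver/sender handshake described
# above, simulated over an in-memory channel. Written for this page; it is not
# 3Com code, and the image bytes and the single corrupted block are constructed.
SOH, STX = 0x01, 0x02    # header byte: 128-byte block or 1 KB block
CRC_REQUEST = ord("C")   # the "CCCCCCCCCC" the switch prints while waiting
PAD = 0x1A               # a short final block is padded with SUB characters
MAX_RETRIES = 10         # the guide's "generally ten" retransmission attempts


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def check_field(data: bytes, use_crc: bool) -> bytes:
    """Two-byte big-endian CRC, or the one-byte arithmetic checksum."""
    return crc16_xmodem(data).to_bytes(2, "big") if use_crc else bytes([sum(data) & 0xFF])


def build_packet(block_no: int, payload: bytes, use_crc: bool, size: int = 128) -> bytes:
    """Frame one block: SOH/STX, block number, its complement, padded data, check."""
    data = payload.ljust(size, bytes([PAD]))
    header = bytes([SOH if size == 128 else STX, block_no & 0xFF, (~block_no) & 0xFF])
    return header + data + check_field(data, use_crc)


def parse_packet(packet: bytes, use_crc: bool):
    """Return (block_no, data) if the frame verifies, otherwise None."""
    size = {SOH: 128, STX: 1024}.get(packet[0])
    if size is None or len(packet) != 3 + size + (2 if use_crc else 1):
        return None
    block_no, block_inv = packet[1], packet[2]
    if block_no != (~block_inv) & 0xFF:
        return None
    data, check = packet[3:3 + size], packet[3 + size:]
    return (block_no, data) if check == check_field(data, use_crc) else None


def xmodem_transfer(image: bytes, use_crc: bool = True, corrupt_block: int = 0):
    """Run sender and receiver in lock-step over an in-memory link.

    corrupt_block, if non-zero, flips one data byte the first time that block is
    sent, so the receiver NAKs it and the sender retransmits. Returns the bytes
    the receiver accepted (padded to a whole block, since XMODEM carries no
    length), the number of retransmissions, and a transcript of the exchange.
    """
    transcript = ["rx: " + (chr(CRC_REQUEST) if use_crc else "NAK")]  # receiver picks the check
    blocks = [image[i:i + 128] for i in range(0, len(image), 128)]
    received, retries = bytearray(), 0
    for index, payload in enumerate(blocks):
        block_no = (index + 1) & 0xFF   # numbering starts at 1 and wraps after 255
        for attempt in range(1, MAX_RETRIES + 1):
            packet = build_packet(block_no, payload, use_crc)
            if corrupt_block == index + 1 and attempt == 1:
                packet = packet[:10] + bytes([packet[10] ^ 0xFF]) + packet[11:]
            parsed = parse_packet(packet, use_crc)
            if parsed is not None and parsed[0] == block_no:
                received += parsed[1]
                transcript.append(f"tx: block {block_no}  rx: ACK")
                break
            retries += 1
            transcript.append(f"tx: block {block_no}  rx: NAK, retransmit")
        else:
            raise RuntimeError(f"block {block_no} rejected {MAX_RETRIES} times, transfer aborted")
    transcript.append("tx: EOT  rx: ACK")
    return bytes(received), retries, transcript


# Constructed 516-byte image: four full blocks plus a short, padded fifth block.
SAMPLE_IMAGE = bytes(range(256)) * 2 + b"tail"

if __name__ == "__main__":
    data, retries, transcript = xmodem_transfer(SAMPLE_IMAGE, use_crc=True, corrupt_block=2)
    print("\n".join(transcript))
    print(f"received {len(data)} bytes after {retries} retransmission(s)")
```

The "C" the receiver sends first is what the switch is printing as CCCCCCCCCC while it waits for HyperTerminal to start sending. Because XMODEM carries no file length, the receiver ends up with the image padded to a whole number of 128-byte blocks, and the only integrity protection is the per-block check; nothing in the protocol verifies the image end to end, which is why the BootROM validity check described later in this chapter is worth enabling.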

1 Loading BootROM software

a At the prompt "Enter your choice (0-9):" in the Boot Menu, press <6> or <Ctrl+U>, and then press <Enter> to enter the BootROM update menu shown below:

Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

b Enter 3 in the above menu to download the BootROM software using XMODEM. The system displays the following download baud rate setting menu:

Please select your download baudrate:
1.* 9600
2. 19200
3. 38400
4. 57600
5. 115200
0. Return
Enter your choice (0-5):

c Choose an appropriate download baud rate. For example, if you enter 5, the baud rate 115200 bps is chosen and the system displays the following information:

Download baudrate is 115200 bps
Please change the terminal's baudrate to 115200 bps and select XMODEM protocol
Press enter key when ready

If you have chosen 9600 bps as the download baud rate, you need not modify the HyperTerminal’s baud rate, and therefore you can skip step d and step e below and proceed to step f directly. In this case, the system will not display the above information.

The following steps are performed on the PC; HyperTerminal on Windows is used as the example.


d Choose [File/Properties] in HyperTerminal, click <Configure> in the pop-up dialog box, and then select the baud rate of 115200 bps in the Console port configuration dialog box that appears, as shown in Figure 25, Figure 26.

Figure 25 Properties dialog box

Figure 26 Console port configuration dialog box


e Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 27.

Figure 27 Connect and disconnect buttons

The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal program.

f Press <Enter> to start downloading the program. The system displays the following information:

Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Loading ...CCCCCCCCCC

g Choose [Transfer/Send File] in the HyperTerminal’s window, and click <Browse> in pop-up dialog box, as shown in Figure 28. Select the software you need to download, and set the protocol to XMODEM.

Figure 28 Send file dialog box

h Click <Send>. The system displays the page, as shown in Figure 29.


Figure 29 Sending file page

i After the download completes, the system displays the following information:

Loading ...CCCCCCCCCC done!

j Reset HyperTerminal’s baud rate to 9600 bps (refer to step d and step e). Then, press any key as prompted. The system will display the following information when it completes the loading.

Bootrom updating.....................................done!

■ If the HyperTerminal’s baud rate is not reset to 9600 bps, the system prompts "Your baudrate should be set to 9600 bps again! Press enter key when ready".

■ You need not reset the HyperTerminal’s baud rate and can skip the last step if you have chosen 9600 bps. In this case, the system upgrades BootROM automatically and prompts Bootrom updating now.....................................done!.

2 Loading host software

Follow these steps to load the host software:

a Select <1> in Boot Menu and press <Enter>. The system displays the following information:

1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

b Enter 3 in the above menu to download the host software using XMODEM.

The subsequent steps are the same as those for loading the BootROM software, except that the system gives the prompt for host software loading instead of BootROM loading.


Loading Software Using TFTP through Ethernet Port

TFTP, one of the protocols in the TCP/IP suite, is used for trivial file transfer between a client and a server. It runs over UDP: each data block is acknowledged before the next is sent, but there is no authentication, no access control and no encryption, so any host that can reach the server can request the image and anyone on the path can alter it in transit. Use it only on an isolated link, such as the directly connected PC recommended below.

1 Loading BootROM software

Figure 30 Local loading using TFTP

a As shown in Figure 30, connect the switch through an Ethernet port to the TFTP server, and connect the switch through the Console port to the configuration PC.

You can use one PC as both the configuration device and the TFTP server.

b Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded.

CAUTION: TFTP server program is not provided with the 3Com Switch 4500G Family Ethernet Switches.

c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the Boot Menu.

At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>, and then press <Enter> to enter the BootROM update menu shown below:

Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

d Enter 1 in the above menu to download the BootROM software using TFTP. Then set the following TFTP-related parameters as required:

Load File name    :4500G.btm
Switch IP address :1.1.1.2
Server IP address :1.1.1.1

e Press <Enter>. The system displays the following information:

Are you sure to update your bootrom? Yes or No(Y/N)

f Enter Y to start file downloading or N to return to the Bootrom update menu. If you enter Y, the system begins to download and update the BootROM software. Upon completion, the system displays the following information:

Loading........................................done
Bootrom updating..........done!

(Figure 30 diagram: the PC is attached to the switch's Console port and the TFTP server to an Ethernet port; the switch acts as the TFTP client.)


2 Loading host software

a Select <1> in Boot Menu and press <Enter>. The system displays the following information:

1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

b Enter 1 in the above menu to download the host software using TFTP.

The subsequent steps are the same as those for loading the BootROM program, except that the system gives the prompt for host software loading instead of BootROM loading.

CAUTION: When loading BootROM or host software from the Boot Menu, use a PC directly connected to the switch as the TFTP server. This improves reliability and keeps the unauthenticated TFTP traffic off the production network.

Loading Software Using FTP through Ethernet Port

FTP is an application-layer protocol in the TCP/IP suite. It is used for file transfer between a server and a client, and is widely used in IP networks. Unlike TFTP it authenticates the user, but the user name, password and file contents all travel in clear text.

You can use the switch as an FTP client or a server, and download software to the switch through an Ethernet port. The following is an example.

1 Loading BootROM software

Figure 31 Local loading using FTP client

a As shown in Figure 31, connect the switch through an Ethernet port to the FTP server, and connect the switch through the Console port to the configuration PC.

You can use one computer as both configuration device and FTP server.

b Run the FTP server program on the FTP server, configure an FTP user name and password, and copy the program file to the specified FTP directory.

c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the Boot Menu.

At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>, and then press <Enter> to enter the BootROM update menu shown below:

Bootrom update menu:

1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

(Figure 31 diagram: the PC is attached to the switch's Console port and the FTP server to an Ethernet port; the switch acts as the FTP client.)


d Enter 2 in the above menu to download the BootROM software using FTP. Then set the following FTP-related parameters as required:

Load File name    :4500G.btm
Switch IP address :10.1.1.2
Server IP address :10.1.1.1
FTP User Name     :4500G
FTP User Password :abc

e Press <Enter>. The system displays the following information:

Are you sure to update your bootrom?Yes or No(Y/N)

f Enter Y to start file downloading or N to return to the Bootrom update menu. If you enter Y, the system begins to download and update the program. Upon completion, the system displays the following information:

Loading........................................done
Bootrom updating..........done!

2 Loading host software

Follow these steps to load the host software:

a Select <1> in Boot Menu and press <Enter>. The system displays the following information:

1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

b Enter 2 in the above menu to download the host software using FTP.

The subsequent steps are the same as those for loading the BootROM program, except that the system gives the prompt for host software loading instead of BootROM loading.

When loading BootROM or host software from the Boot Menu, use a PC directly connected to the switch as the FTP server to improve reliability; the FTP user name and password entered in the update menu travel in clear text.

Remote Software Loading

If your terminal is not directly connected to the switch, you can telnet to the switch and use FTP or TFTP to load the BootROM and host software remotely. Telnet, FTP and TFTP all carry their traffic, including the login credentials, in clear text; do this only from a management network you trust, and enable the BootROM validity check (bootrom-update security-check enable, described under Upgrading BootROM) so that a corrupted or wrong image is rejected before it is written.

Remote Loading Using FTP

1 Loading Process Using FTP Client

As shown in Figure 32, a PC is used as both the configuration device and the FTP server. You can telnet to the switch, and then execute the FTP commands to download the BootROM program 4500G.btm from the remote FTP server (with an IP address 10.1.1.1) to the switch.


Figure 32 Remote loading using FTP

a Download the software to the switch using FTP commands.

<3Com> ftp 10.1.1.1
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):abc
331 Password required for abc.
Password:
230 User logged in.
[ftp] get 4500G.btm
200 Port command okay.
150 Opening ASCII mode data connection for 4500G.btm.
........
226 Transfer complete.
FTP: 184108 byte(s) received in 10.067 second(s) 18.00K byte(s)/sec.
[ftp] bye
221 Server closing.

The exact responses shown depend on the FTP server software running on the PC. Note the 150 line: the image is a binary file, and a server that translates line endings in ASCII mode will corrupt it. If your server does not already force binary transfers, switch the switch's FTP client to binary mode (the binary command at the [ftp] prompt) before the get, and compare the byte count the switch reports with the size of the file on the server.

b Update the BootROM program on the switch.

<3Com> bootrom update file 4500G.btm
This will update BootRom file ,Continue? [Y/N] y
Upgrading BOOTROM, please wait...
Upgrade BOOTROM succeeded!

c Restart the switch.

<3Com> reboot

Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information.

Loading the host software is the same as loading the BootROM program, except that the file to be downloaded is the host software file, and that you need to use the boot-loader command to select the host software to be used at the next reboot of the switch.

After the above operations, the BootROM and host software loading is completed.
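The session above gives you one cheap integrity check: the switch reports how many bytes it received. As an added example written for this page (not 3Com code), the following records the size and SHA-256 of the image on the serving PC and then parses the switch's FTP output to confirm that the right file completed with exactly that many bytes before you go on to bootrom update file. The image bytes and both transcripts are constructed; the transcript lines follow the format of the session shown above.

```python
# Added example, not from the 3Com guide: fingerprint the image on the PC that
# serves it, then check the switch's FTP client output against that size before
# the image is applied with "bootrom update file". The image bytes and the two
# transcripts below are constructed; the transcript format follows the session
# shown in the guide.
import hashlib
import re

GET_LINE = re.compile(r"\[ftp\]\s+get\s+(?P<name>\S+)")
RECEIVED_LINE = re.compile(r"FTP:\s*(?P<count>\d+)\s+byte\(s\)\s+received")


def fingerprint(image: bytes):
    """Size and SHA-256 of the image as served. The switch reports only the byte
    count, so the digest is for your change record, not for the switch to check."""
    return len(image), hashlib.sha256(image).hexdigest()


def parse_ftp_transcript(text: str) -> dict:
    """Pull the transferred file name, completion marker, byte count and data
    connection mode out of the switch's FTP session output."""
    result = {"file": None, "complete": False, "received": None, "ascii_mode": False}
    for line in text.splitlines():
        if match := GET_LINE.search(line):
            result["file"] = match.group("name")
        elif "226 Transfer complete" in line:
            result["complete"] = True
        elif "ASCII mode data connection" in line:
            result["ascii_mode"] = True
        elif match := RECEIVED_LINE.search(line):
            result["received"] = int(match.group("count"))
    return result


def transfer_ok(transcript: str, expected_name: str, expected_size: int) -> bool:
    """True only if the expected file transferred completely and the switch
    received exactly as many bytes as the server holds. A mismatch means a
    truncated or line-ending-translated image: do not run "bootrom update file"
    on it."""
    session = parse_ftp_transcript(transcript)
    return (session["file"] == expected_name and session["complete"]
            and session["received"] == expected_size)


# Constructed stand-in for 4500G.btm: 184108 bytes, the size in the guide's session.
SAMPLE_IMAGE = bytes(range(256)) * 719 + bytes(range(44))

# Constructed transcript in the format of the guide's session.
GOOD_TRANSCRIPT = """\
<3Com> ftp 10.1.1.1
230 User logged in.
[ftp] get 4500G.btm
200 Port command okay.
150 Opening ASCII mode data connection for 4500G.btm.
226 Transfer complete.
FTP: 184108 byte(s) received in 10.067 second(s) 18.00K byte(s)/sec.
[ftp] bye
"""

# Constructed transcript of the same session with the connection dropping mid-transfer.
TRUNCATED_TRANSCRIPT = """\
[ftp] get 4500G.btm
150 Opening ASCII mode data connection for 4500G.btm.
426 Connection closed; transfer aborted.
FTP: 131072 byte(s) received in 7.100 second(s) 18.00K byte(s)/sec.
"""

if __name__ == "__main__":
    size, digest = fingerprint(SAMPLE_IMAGE)
    print(f"served {size} bytes, sha256 {digest}")
    print("good session ok:", transfer_ok(GOOD_TRANSCRIPT, "4500G.btm", size))
    print("truncated session ok:", transfer_ok(TRUNCATED_TRANSCRIPT, "4500G.btm", size))
```

The ascii_mode flag is reported separately because an equal byte count does not prove the transfer was binary-safe on every server; if it is set and the server is one that translates line endings, treat the image as suspect even when the sizes match. Anything that fails transfer_ok should be deleted from the Flash memory and fetched again rather than passed to bootrom update file.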

(Figure 32 diagram: the switch, acting as FTP client, reaches the PC running the FTP server at 10.1.1.1 through a Gigabit Ethernet port and the Internet.)


Pay attention to the following:

■ The loading of BootROM and host software takes effect only after you restart the switch with the reboot command.

■ If the space of the Flash memory is not enough, you can delete the useless files in the Flash memory before software downloading.

■ No power-down is permitted during software loading.

2 Loading Process Using FTP Server

As shown in Figure 33, the switch is used as the FTP server. You log in to the switch from the PC with an FTP client and use the put command to upload the BootROM program 4500G.btm to the switch.

Figure 33 Remote loading using FTP server

a As shown in Figure 33, connect the switch through an Ethernet port to the PC (with IP address 10.1.1.1)

b Configure the IP address of VLAN1 on the switch to 192.168.0.39, and subnet mask to 255.255.255.0.

You can configure the IP address of any VLAN interface on the switch for the FTP transfer. Before doing so, make sure the VLAN interface address and the PC address are reachable from each other.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.39 255.255.255.0

c Enable the FTP service on the switch and create a local FTP user, here named test with the password pass.

[3Com-Vlan-interface1] quit
[3Com] ftp server enable
[3Com] local-user test
New local user added.
[3Com-luser-test] password simple pass
[3Com-luser-test] service-type ftp

The simple keyword stores the password in clear text in the configuration file; prefer password cipher. The FTP server on the switch accepts clear-text logins from anything that can reach the VLAN interface, so disable it again with undo ftp server enable once the file has been uploaded.

(Figure 33 diagram: the switch, acting as FTP server at 192.168.0.39, reaches the PC running the FTP client at 10.1.1.1 through an Ethernet port and the Internet.)


d Enable FTP client software on PC. Refer to Figure 34 for the command line interface in Windows operating system.

Figure 34 Command line interface

e Enter cd in the interface to change to the directory in which the BootROM upgrade file is stored; in this example the directory is D:\Bootrom, as shown in Figure 35.

Figure 35 Switch to BootROM


f Enter ftp 192.168.0.39 and enter the user name test, password pass, as shown in Figure 36, to log on the FTP server.

Figure 36 Log on the FTP server

g Use the put command to upload the file 4500G.btm to the switch, as shown in Figure 37.

Figure 37 Upload file 4500G.btm to the switch

h Configure 4500G.btm to be the BootROM at reboot, and then restart the switch.

<3Com> bootrom update file 4500G.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<3Com> reboot


When rebooting the switch, use the file 4500G.btm as BootROM to finish BootROM loading.

Loading the host software is the same as loading the BootROM program, except that the file to be uploaded is the host software file, and that you need to use the boot-loader command to select the host software to be used at the next reboot of the switch.

■ The steps listed above are performed in the Windows operating system, if you use other FTP client software, refer to the corresponding user’s guide before operation.

■ Only the configuration steps concerning loading are illustrated here; for a detailed description of the corresponding configuration commands, refer to the chapter File System Management.

Remote Loading Using TFTP

Remote loading using TFTP is similar to that using FTP. The only difference is that TFTP is used instead of FTP to load software to the switch, and the switch can only act as a TFTP client.

Device Management Configuration

Rebooting an Ethernet Switch

If a running switch develops a fault, rebooting it may clear the fault, depending on the situation. You can also set a time at which the switch reboots automatically.

The precision of the switch timer is 1 minute: with the timing reboot function enabled, the switch reboots within one minute of the scheduled time.

CAUTION: The reboot, schedule reboot at and schedule reboot delay commands all reboot the system and interrupt service. Use them with care.

Table 52 Reboot an Ethernet switch

To... / Use the command / Remarks

Reboot an Ethernet switch:
  reboot
  Optional

Enable the timing reboot function for the switch and set the time and date:
  schedule reboot at hh:mm [ date ]
  Optional. By default, the timing reboot function is disabled.

Enable the timing reboot function for the switch and set the delay period:
  schedule reboot delay { hh:mm | mm }
  Optional. By default, the timing reboot function is disabled.

Check the timing reboot configuration:
  display schedule reboot
  Optional. Any view


Specifying the App File to be Used for the Next Startup

If multiple .app files reside in the Flash memory, you can specify the one to be used for the next startup by performing the operation listed in Table 53.

Upgrading BootROM

While the device is running, you can use a BootROM file stored in the Flash memory to upgrade the running BootROM program.

Because BootROM files differ between device models (and, on modular devices, between switching processing units (SRPUs) and line processing units (LPUs)), it is easy to pick the wrong file and cause a serious failure. With the validity check function enabled, the device strictly checks the BootROM upgrade file for correctness and version information before writing it, so that the upgrade succeeds. Enable the validity check before upgrading BootROM files; it is disabled by default.

Clearing the Unused 16-Bit Interface Index in the Current System

In a real network, network management software requires the device to provide unified, stable 16-bit interface indexes; ideally one interface name maps to one interface index on a device.

To keep the interface index stable, the system retains the 16-bit interface index of an interface even after the logical interface or the card is removed from the system, so that the index is unchanged when the interface is created again.

Repeatedly inserting and removing different sub cards or interface cards, or creating and deleting a large number of logical interfaces of different types, can use up the interface indexes, after which you may fail to create an interface. To avoid this, you can perform the following configuration in user view to clear the saved but unused 16-bit interface indexes in the current system.

After the configuration:

■ A newly created interface is not guaranteed to receive the same index it had before.

■ The interface index of an existing interface is not changed.

Table 53 Specify the .app file to be used for the next startup

To... / Use the command / Remarks

Specify the .app file to be used for the next startup:
  boot-loader file file-url { main | backup }
  Required

Table 54 Upgrade BootROM

To... / Use the command / Remarks

Enter system view:
  system-view

Enable file validity check for upgrading:
  bootrom-update security-check enable
  Optional. By default, the file validity check function is not enabled; enable it before every BootROM upgrade.

Return to user view:
  quit

Upgrade BootROM:
  bootrom update file file-url
  Required. By default, all BootROM file contents are upgraded.

CAUTION: Your confirmation is needed when the command is executed. If you do not confirm within 30 seconds, or enter N, the operation is cancelled.

Displaying the Device Management Configuration

After the above configurations, you can execute the display commands listed in Table 56 in any view to display the operating status of the device management functions and verify the configuration.

Remote Switch Update Configuration Example

Network requirements

■ Configure an FTP user, whose name and password are switch and hello respectively. Authorize the user with the read-write right of the Switch directory on the PC.

■ Configure the switch so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are reachable from each other.

■ Telnet to the switch from a PC remotely and download applications from the FTP server to the Flash memory of the switch to remotely update the switch software by using the device management commands through CLI.

Table 55 Clear the unused 16-bit interface index in the current system

To... / Use the command

Clear the unused 16-bit interface index in the current system:
  reset unused porttag

Table 56 Display the operating status of the device management

To... / Use the command / Remarks (all commands can be used in any view)

Display the .app file to be used at reboot:
  display boot-loader

Display the statistics of CPU usage:
  display cpu-usage [ number [ offset ] [ verbose ] [ from-device ] ]

Display subslot information of the device:
  display device [ subslot subslot-no | verbose ]

Display environment information:
  display environment

Display the operating status of the fans:
  display fan [ fan-id ]

Display memory state:
  display memory

Display the operating status of the power supply:
  display power [ power-id ]

Display the scheduled reboot time:
  display schedule reboot


Network diagram

Figure 38 Network diagram of FTP configuration

Configuration procedure

1 Configure the FTP-Server

■ Set the FTP user name to switch and the password to hello, as stated in the network requirements (the session below logs in as switch).

■ Give that user read-write access to the Switch directory.

2 Configure the switch as follows:

CAUTION: If the Flash memory of the switch is not sufficient, delete the original applications in it before downloading the new ones.

1 Execute the telnet command on the PC to log into the switch, then connect to the FTP server from the switch.

<3Com> ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):switch
331 Password required for switch.
Password:
230 User logged in.
[ftp]

2 Enter the authorized path on the FTP server.

[ftp] cd switch

3 Execute the get command to download the switch.app and boot.btm files on the FTP server to the Flash memory of the switch.

[ftp] get switch.app
[ftp] get boot.btm

4 Execute the quit command to terminate the FTP connection and return to user view.

[ftp] quit
<3Com>

5 Enter system view.

<3Com> system-view
System View: return to User View with Ctrl+Z.

(Figure 38 labels: Switch, Network, User, FTP Client, FTP Server, Telnet)


6 Enable file validity check for upgrading.

[3Com] bootrom-update security-check enable
[3Com] quit

7 Update the BootROM.

<3Com> bootrom update file boot.btm

8 Specify the application file to be used at the next startup.

<3Com> boot-loader file switch.app

9 Restart the switch to update the host software of the switch.

<3Com> reboot


11 FILE SYSTEM MANAGEMENT

Throughout this document, a filename can be entered as either of the following:

■ A fully qualified filename with the path included to indicate a file under a specific path. The filename can be 1 to 135 characters in length.

■ A short filename with the path excluded to indicate a file in the current path. The filename can be 1 to 91 characters in length.

File System Management

Overview

A major function of the file system is to manage storage devices. It allows you to perform operations such as creating and deleting directories and copying and displaying files.

If an operation, delete or overwrite for example, may cause problems such as data loss or corruption, the file system will ask you to confirm the operation by default.

Depending on the managed object, file system operations fall into directory operations, file operations, storage device operations, and file system prompt mode setting.

Directory Operations

Directory operations include create, delete, display the current directory, and display the files or subdirectories in a specific directory, as shown in Table 57.

File Operations

File operations include delete (moving files to the recycle bin), restore deleted files, permanently delete (removing files from the recycle bin), display, rename, copy, and move, as shown in Table 58.

CAUTION: You can create a file by using operations such as copy, download or save.

Table 57 Directory operations

■ Create a directory: mkdir directory (Optional; available in user view)

■ Remove a directory: rmdir directory (Optional; available in user view)

■ Display the current directory: pwd (Optional; available in user view)

■ Display files or directories: dir [ /all ] [ file-url ] (Optional; available in user view)

■ Change the current directory: cd directory (Optional; available in user view)


CAUTION:

■ Empty the recycle bin regularly with the reset recycle-bin command to save memory space.

■ As the delete /unreserved file-url command deletes a file permanently and the action cannot be undone, use it with caution.

■ You can only move a file on the same device. The move command fails if you try to move a file to another device.

Storage Device Operations

Storage device operations include disk fix and format, as shown in Table 59. You may use these two commands when, for example, part of the space of a storage device becomes inaccessible as the result of an abnormal operation.

CAUTION: Use caution when formatting the storage device (usually the Flash) where the configuration file is stored, as the operation can destroy all data on the storage device and the action cannot be undone.

Table 58 File operations

■ Remove a file to the recycle bin or delete it permanently: delete [ /unreserved ] file-url (Optional; available in user view)

■ Restore a file from the recycle bin: undelete file-url (Optional; available in user view)

■ Empty the recycle bin: reset recycle-bin [ file-url ] [ /force ] (Optional; available in user view)

■ Display the contents of a file: more file-url (Optional; available in user view. So far, this command is valid only for txt files.)

■ Rename a file: rename fileurl-source fileurl-dest (Optional; available in user view)

■ Copy a file: copy fileurl-source fileurl-dest (Optional; available in user view)

■ Move a file: move fileurl-source fileurl-dest (Optional; available in user view)

■ Display files or directories: dir [ /all ] [ file-url ] (Optional; available in user view)

■ Execute the batch file: execute filename (Optional; available in system view)

Table 59 Storage device operations

■ Restore the space of a storage device: fixdisk device (Optional; available in user view)

■ Format a storage device: format device (Optional; available in user view)


File System Prompt Mode Setting

The file system provides the following two prompt modes:

■ Alert, where the system warns you about operations that may bring undesirable consequences such as file corruption or data loss.

■ Quiet, where the system gives no such warnings in any case. To prevent undesirable consequences resulting from misoperations, the alert mode is preferred.

File System Operations Example

1 Display the files under the root directory.

<3Com> dir
Directory of flash:/
   0  -rw-   6648612  Jan 01 2006 00:00:00   aabbcc.bin
   1  -rw-     31181  Apr 27 2000 11:41:08   config.cfg
   2  -rw-    234823  Apr 28 2000 12:50:32   default.diag
   3  -rw-     31126  Apr 27 2000 11:25:14   test.txt
   4  drw-         -  Apr 27 2000 13:00:10   test

15240 KB total (8449 KB free)

2 Create a new folder called mytest under the test directory.

<3Com> cd test
<3Com> mkdir mytest
.
%Created dir flash:/test/mytest.

3 Display the files under the test directory.

<3Com> dir
Directory of flash:/test/
   0  drw-         -  Apr 27 2000 13:01:04   mytest

15240 KB total (8448 KB free)

4 Return to the upper directory.

<3Com> cd ..

Configuration File Management

Overview

Configuration type

The configuration of a device falls into two types:

■ Startup configuration, which is used for initialization. If no startup configuration is available, the default parameters are used.

■ Running configuration, which takes effect during system operation. It is held temporarily in RAM and does not survive a reboot unless it is saved.

Table 60 File system prompt mode setting

■ Set the operation prompt mode of the file system: file prompt { alert | quiet } (Optional; the default is alert.)


Configuration file format

Configuration files are saved as text files for ease of reading. They:

■ Save configuration in the form of commands.

■ Save only non-default configuration settings.

■ List commands in sections by view in this view order: system, physical interface, logical interface, routing protocol, and so on. Sections are separated with one or multiple blank lines or comment lines that start with a pound sign (#).

■ End with a return.

The operating interface provided by the configuration file management function is user-friendly. With it, you can easily manage your configuration files.
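Because the saved file is plain text in the shape just described (commands only, one section per view, separators that are blank lines or lines starting with #), it can be parsed by a script, for instance to review a backed-up configuration before it is restored. The following is an added example written for this page, not code from the guide or from 3Com; the sample configuration it parses is constructed, and the commands it flags (password simple and ftp server enable) are taken from Tables 70 and 71 later in this chapter.

```python
"""Split a saved configuration file into its view sections and review them.

Added example, not code from the guide or from 3Com. It implements the format
the text describes (commands only, non-default settings only, sections
separated by blank lines or '#' comment lines) and the sample file below is
constructed. The commands it flags are the ones from Tables 70 and 71.
"""
import re

# Constructed sample in the saved-configuration format described above.
SAMPLE_CFG = """\
#
 sysname 3Com
#
 ftp server enable
#
local-user abc
 password simple pwd
 service-type ftp
#
interface Vlan-interface1
 ip address 1.1.1.1 255.255.0.0
#
return
"""


def parse_sections(text):
    """Return a list of (first_command, commands) sections.

    A new section starts after any separator, i.e. a blank line or a comment
    line beginning with '#'. The first command identifies the view the section
    belongs to (for example 'local-user abc'); system-view settings simply
    start with their first command.
    """
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:
                sections.append((current[0], current))
                current = []
            continue
        current.append(line)
    if current:
        sections.append((current[0], current))
    return sections


# Commands an auditor reviewing a backed-up configuration would want to see:
# 'password simple' stores the password in plain text; 'ftp server enable'
# turns on a service that is disabled by default.
CHECKS = [
    (re.compile(r"^password simple\b"), "password stored in plain text"),
    (re.compile(r"^ftp server enable$"), "FTP server enabled"),
]


def audit(text):
    """Return (section, command, reason) for every flagged command."""
    findings = []
    for header, commands in parse_sections(text):
        for cmd in commands:
            for pattern, reason in CHECKS:
                if pattern.search(cmd):
                    findings.append((header, cmd, reason))
    return findings


if __name__ == "__main__":
    for header, cmd, reason in audit(SAMPLE_CFG):
        print("[%s] %s: %s" % (header, cmd, reason))
```

Run against a file fetched with backup startup-configuration (described later in this chapter), the section header tells you which view a flagged command lives in, which is what you need when deciding whether to edit the file before restoring it.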

Main/backup attributes

The main and backup attributes mark a configuration file as the main or the backup configuration file. When the main configuration file is corrupted or lost, the backup configuration file can be used to start or configure the device. Compared with systems that support only one type of configuration file, the main/backup configuration file mechanism enhances the security and reliability of the file system. The main keyword represents the main attribute of a configuration file, and the backup keyword represents the backup attribute. You can use the corresponding commands to configure the main/backup attributes of a configuration file. A configuration file can have both the main attribute and the backup attribute at the same time. However, a device can have only one configuration file with a given attribute at a time.

The main and backup attributes are mainly used as follows in the file system:

■ You can specify the main/backup/common attribute of the configuration file when saving the current configuration.

■ You can specify to erase the main configuration file or the backup configuration file when you erase the configuration file in the device. For the configuration file with both the main attribute and the backup attribute, you can specify to erase the main attribute or backup attribute of the configuration file.

■ You can specify the main/backup attribute of a configuration file when you specify the configuration file to be used the next time.

Selection sequence of configuration files

Configuration files are selected according to the following rules when a device starts.

1 If the main configuration file exists, it is used to initialize the configuration.

2 If the backup configuration file exists while the main configuration file does not exist, the backup configuration file is used to initialize the configuration.

3 If neither the main configuration file nor the backup configuration file exists, the following selection sequence is adopted:

■ If the default configuration file exists, it is used to initialize the configuration.

■ If the default configuration file does not exist, the system is started without loading any configuration.


Saving Running Configuration

You can modify the running configuration on your device at the command line interface (CLI). To use it at the next startup, save it to the startup configuration file with the save command before rebooting the system.

You can save the current configuration files in one of the following two ways:

Ways of saving the configuration files

■ Fast mode: If the safely keyword is not provided, the system saves the configuration files in the fast mode. In this mode, the configuration files are saved fast. However, the configuration files will be lost if the device is restarted or the power is off when the configuration files are being saved.

■ Safe mode: If the safely keyword is provided, the system saves the configuration files in the safe mode. In this mode, the configuration files are saved more slowly, but a configuration file is still kept in the Flash if the device is restarted or the power is off while the configuration files are being saved.

Attributes of the saved configuration files

■ The main attribute. When the save [ safely ] main command is used to save the current configuration into a configuration file, the attribute of the configuration file is "main." If the configuration file is an existing configuration file with the backup attribute, the configuration file will possess both the main attribute and the backup attribute at the same time. If a main configuration file already exists in the system, the main attribute of the existing configuration file will be replaced by the new one, so that there is only one main configuration file in the system.

■ The backup attribute. When the save [ safely ] backup command is used to save the current configuration into a configuration file, the attribute of the configuration file is "backup." If the configuration file is an existing configuration file with the main attribute, the configuration file will possess both the main attribute and the backup attribute at the same time. If a backup configuration file already exists in the system, the backup attribute of the existing configuration file will be replaced by the new one, so that there is only one backup configuration file in the system.

■ The common attribute. When the save cfgfile command is used to save the current configuration into a configuration file, if the configuration file named cfgfile does not exist, the saved configuration file possesses neither the main attribute nor the backup attribute; if the configuration file cfgfile exists, the attribute of the new configuration file is determined by its attribute before the saving operation.

■ It is recommended that you use the fast saving mode when the power supply is stable, and the safe mode when the power supply is unstable or during remote maintenance.

■ The extension of a configuration file must be cfg.

Table 61 Saving running configuration

■ Save running configuration: save [ cfgfile | [ safely ] [ main | backup ] ] (Available in any view)


Erasing the Startup Configuration File

You may erase the startup configuration file by using the command shown in Table 62. If no startup configuration is available, the default parameters are used.

You may need to erase the startup configuration file for one of these reasons:

■ After you upgrade software, the old configuration file does not match the new software.

■ The startup configuration file is destroyed or is not the one you need.

When you erase a configuration file, the following cases may occur:

■ If you use the reset saved-configuration [ main ] command: if the configuration file possesses only the main attribute, it is removed completely; if it possesses both the main attribute and the backup attribute, only its main attribute is removed.

■ If you use the reset saved-configuration backup command: if the configuration file possesses only the backup attribute, it is removed completely; if it possesses both the main attribute and the backup attribute, only its backup attribute is removed.
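The attribute rules spread over the last few pages (a file may carry main, backup, both or neither; only one file carries each attribute; save transfers an attribute to the file being written; reset saved-configuration strips an attribute or removes the file; startup picks main, then backup, then the default file) are easier to check against a small model than against prose. The following is an added example written for this page, not the switch's own code. It simplifies in one respect that is labelled in the comments: the model's save() takes the file name as a parameter, whereas on the switch save [ safely ] [ main | backup ] takes no file name.

```python
"""Model of the main/backup attributes and of the startup selection sequence
described in this chapter.

Added example, not the switch's own code. It keeps only what the text states:
a file may carry main, backup, both or neither; at most one file carries each
attribute; 'reset saved-configuration' strips an attribute or deletes the file;
startup picks main, then backup, then the default file, else nothing. Passing
the file name to save() is a simplification for the model; on the switch
'save [ safely ] [ main | backup ]' takes no file name.
"""


class ConfigStore:
    def __init__(self, default_file=None):
        self.files = {}                   # filename -> set of attributes
        self.default_file = default_file  # default configuration file, if any

    def save(self, cfgfile, main=False, backup=False):
        """Save the running configuration into cfgfile.

        With main/backup the file gains that attribute and keeps any it
        already had; the attribute is removed from every other file so only
        one main and one backup exist. Plain 'save cfgfile' (common) gives a
        new file no attribute and leaves an existing file's attributes as
        they were. Returns the file's attributes after the save.
        """
        attrs = self.files.setdefault(cfgfile, set())
        for attr, wanted in (("main", main), ("backup", backup)):
            if not wanted:
                continue
            for other, other_attrs in self.files.items():
                if other != cfgfile:
                    other_attrs.discard(attr)
            attrs.add(attr)
        return set(attrs)

    def reset_saved_configuration(self, attr="main"):
        """reset saved-configuration [ main | backup ].

        The file carrying only this attribute is removed completely; a file
        carrying both attributes keeps the other one. Returns the affected
        file name, or None if no file carries the attribute.
        """
        for name, attrs in list(self.files.items()):
            if attr in attrs:
                if attrs == {attr}:
                    del self.files[name]
                else:
                    attrs.discard(attr)
                return name
        return None

    def startup_file(self):
        """Selection sequence at boot: main, then backup, then the default
        configuration file; None means start without loading configuration."""
        for attr in ("main", "backup"):
            for name, attrs in self.files.items():
                if attr in attrs:
                    return name
        return self.default_file


def walkthrough():
    """Run a constructed sequence of operations and return the startup file
    chosen after each step, so the selection rules can be checked."""
    store = ConfigStore(default_file="default.cfg")
    chosen = []
    store.save("a.cfg", main=True)             # a: {main}
    chosen.append(store.startup_file())        # a.cfg
    store.save("a.cfg", backup=True)           # a: {main, backup}
    store.save("b.cfg", main=True)             # b: {main}, a: {backup}
    chosen.append(store.startup_file())        # b.cfg
    store.reset_saved_configuration("main")    # b had only main: removed
    chosen.append(store.startup_file())        # a.cfg, via its backup attribute
    store.reset_saved_configuration("backup")  # a had only backup: removed
    chosen.append(store.startup_file())        # default.cfg
    return chosen


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough is the sequence an operator most often gets wrong: after a second file takes the main attribute, the first file silently keeps only backup, and erasing main then leaves the device booting from that older backup rather than from nothing.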

Specifying a Configuration File for Next Startup

You can set the main/backup attributes of a configuration file. The attribute of a configuration file can be set in two ways, as described below.

Set the main attribute of the startup configuration file

■ When the current configuration is saved into the main configuration file, the system will automatically adopt the main configuration file as the main startup configuration file.

■ Use the startup saved-configuration cfgfile [ main ] command to set a configuration file as the main startup configuration file.

Set the backup attribute of the startup configuration file

■ When the current configuration is saved into the backup configuration file, the system will automatically adopt the backup configuration file as the backup startup configuration file.

■ Use the startup saved-configuration cfgfile backup command to set a configuration file as the backup startup configuration file.

Table 62 Erasing the startup configuration file

■ Erase the startup configuration file from the storage device: reset saved-configuration [ main | backup ] (Available in user view)

Table 63 Specifying a configuration file for next startup

■ Specify a configuration file for next startup: startup saved-configuration cfgfile [ main | backup ] (Available in user view)


CAUTION: This operation can delete the configuration file from the device permanently, so perform it with caution.

Backing Up/Restoring the Configuration File for Next Startup

Feature overview

Through this feature, you can back up and restore the configuration file for next startup through the command line. TFTP is used to transmit data between the device and the server. You can back up the configuration file for next startup to the TFTP server, and download the configuration file saved on the TFTP server to the device and configure it as the configuration file for next startup.

You can only back up and restore the main configuration file.

Backing up the configuration file for next startup

Before backing up the configuration file:

■ Make sure that the route between the device and the server is reachable, that TFTP is enabled at the server end, and that the client on which you will perform the backup and restoration operations has the corresponding read/write rights.

■ Use the display startup command in user view to check whether the configuration file for next startup is configured, and then use the dir command to check whether the configuration file for next startup exists. If the configuration file is configured as NULL or the configuration file does not exist, the backup operation will fail.

Restoring the configuration file for next startup

■ Before restoring the configuration file, make sure that the route between the device and the server is reachable, that TFTP is enabled at the server end, and that the client on which you will perform the backup and restoration operations has the corresponding read/write rights.

■ After the command is executed successfully, use the display startup command in user view to check whether the name of the configuration file for next startup is consistent with the filename argument, and then use the dir command to check whether the restored configuration file for next startup exists.

Table 64 Back up the configuration file for next startup

■ Back up the configuration file for next startup: backup startup-configuration to dest-addr [ filename ] (Required; this operation can be executed only in user view.)

Table 65 Restore the configuration file for next startup

■ Restore the configuration file for next startup: restore startup-configuration from src-addr filename (Required; this operation can be executed only in user view.)


Displaying and Maintaining Device Configuration

Configuration files are displayed in the same format in which they are saved.

FTP Configuration

Overview

FTP (file transfer protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred through command lines, and the most popular application was FTP. At present, although e-mail and the Web are the usual methods for file transmission, FTP still has its strongholds.

An Ethernet switch can act as an FTP client or the FTP server in FTP-employed data transmission:

■ FTP server

An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients. You can log into a switch operating as an FTP server by running an FTP client program on your PC to access files on the FTP server. Before you log into the FTP server, the administrator must configure an IP address for it.

■ FTP client

A switch can operate as an FTP client, through which you can access files on FTP servers. In this case, you need to establish a connection between your PC and the switch through a terminal emulation program or Telnet and then execute the ftp command on your PC.

Figure 39 Network diagram for FTP

Table 66 Displaying and maintaining device configuration

■ Display the contents of the startup configuration file: display saved-configuration [ by-linenum ] (Available in any view)

■ Display the configuration file used for this and next startup: display startup (Available in any view)

■ Display the running configuration in the current view: display this [ by-linenum ] (Available in any view)

■ Display the running configuration: display current-configuration [ configuration [ configuration-type ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ] (Available in any view)


The configurations needed when a switch operates as an FTP client are shown in Table 67.

The configurations needed when a switch operates as an FTP server are shown in Table 68.

CAUTION: The FTP-related functions require that the route between an FTP client and the FTP server is reachable.

Configuring the FTP Client

Table 69 lists the operations that can be performed on an FTP client.

Table 67 Configurations needed when a switch operates as an FTP client

■ Switch: Run the ftp command to log into a remote FTP server directly. (Default: none. Description: To log into a remote FTP server and operate on files and directories on it, you need to obtain a user name and password first.)

■ FTP server: Enable the FTP server and configure the corresponding information, including user names, passwords, and user authorities. (Default: none. Description: none.)

Table 68 Configurations needed when a switch operates as an FTP server

■ Switch: Enable the FTP server function. (Default: the FTP server function is disabled by default. Description: You can run the display ftp-server command to view the FTP server configuration on the switch.)

■ Switch: Configure the authentication information on the FTP server. (Default: none. Description: Configure user names and passwords.)

■ Switch: Configure the connection idle time. (Default: the default idle time is 30 minutes. Description: none.)

■ PC: Log into the switch through an FTP client application. (Default: none. Description: none.)

Table 69 Configurations on an FTP client

■ Enter FTP Client view: ftp [ ftp-server [ port ] [ -a source-ip ] ] (Required; use either command. The FTP client will build a connection with a remote FTP server first before entering FTP Client view if ftp-server exists in this command.)

■ Connect to a remote FTP server in FTP Client view: open ftp-server [ port ] [ -a source-ip ] (Optional)

■ Display the on-line help information: remotehelp [ protocol-command ] (Optional)

■ Enable the verbose function: verbose (Optional; the verbose function is enabled by default.)


Table 69 Configurations on an FTP client (continued)

■ Log into the FTP server again using another username: user username [ password ] (Optional)

■ Specify to transfer files in ASCII characters: ascii (Optional; by default, files are transferred in ASCII characters.)

■ Specify to transfer files in binary streams: binary (Optional; by default, files are transferred in ASCII characters.)

■ Change the work directory on the remote FTP server: cd pathname (Optional)

■ Change the work directory to be the parent directory: cdup (Optional)

■ Query the details of all files and directories: dir [ remotefile [ localfile ] ] (Optional)

■ Query the names of all files and directories: ls [ remotefile [ localfile ] ] (Optional)

■ Download a remote file: get remotefile [ localfile ] (Optional)

■ Upload a local file to the remote FTP server: put localfile [ remotefile ] (Optional)

■ Display the work directory on the FTP server: pwd (Optional)

■ Get the local work path on the FTP client: lcd (Optional)

■ Create a directory on the remote FTP server: mkdir pathname (Optional)

■ Set the data transfer mode to passive: passive (Optional; by default, the passive mode is adopted.)

■ Delete a specified file: delete remotefile (Optional)

■ Remove a directory on the remote FTP server: rmdir pathname (Optional)

■ Terminate the current FTP connection without exiting FTP client view: disconnect (Optional)

■ Terminate the current FTP connection without exiting FTP client view: close (Optional)

■ Terminate the current FTP control connection and data connection: bye (Optional)

■ Terminate the current FTP connection and quit to user view: quit (Optional; it is equivalent to the bye command under FTP Client view.)

CAUTION:

■ FTP-based file transmission is performed in the following two modes: binary mode for program file transfer and ASCII mode for text file transfer.

■ The ls command can just query the names of all files and directories, while the dir command can query the details of all files and directories.
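The ASCII default in the table above is the reason the client example later in this chapter issues binary before get aaa.bin. ASCII mode is not a no-op: each end rewrites line endings, and a program file that happens to contain the byte 0x0A comes out a different size. The following is an added example written for this page, not the switch's code; the "firmware" and text samples are constructed, and the translation it models is the usual NETASCII rule (the sender writes every line ending as CR LF, the receiver rewrites CR LF as its own line ending).

```python
"""Why the ASCII default matters for program files: in ASCII mode the FTP end
points translate line endings, which changes the bytes of a .bin file.

Added example, not the switch's code. The 'firmware' and 'text' samples are
constructed; the translation modelled is the common NETASCII rule (the sender
writes every line ending as CR LF, the receiver rewrites CR LF as its local
line ending, CR LF here as on a Windows host).
"""
import zlib


def ascii_mode_transfer(data, receiver_newline=b"\r\n"):
    """Bytes as they arrive after an ASCII-mode transfer."""
    on_the_wire = data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return on_the_wire.replace(b"\r\n", receiver_newline)


def binary_mode_transfer(data):
    """Binary (image) mode: the byte stream is passed through untouched."""
    return data


def compare(original, received):
    """Small report: sizes and whether the CRC-32 checksums agree."""
    return {
        "sent_bytes": len(original),
        "received_bytes": len(received),
        "intact": zlib.crc32(original) == zlib.crc32(received),
    }


# Constructed 1024-byte 'program file' holding every byte value four times,
# so it contains four bare LF (0x0A) bytes and no CR LF pairs.
FIRMWARE = bytes(range(256)) * 4
# Constructed text file with Unix line endings.
TEXT = b"sysname 3Com\nftp server enable\n"


def demo():
    """Transfer both samples in both modes and return what happened."""
    return {
        "firmware_binary": compare(FIRMWARE, binary_mode_transfer(FIRMWARE)),
        "firmware_ascii": compare(FIRMWARE, ascii_mode_transfer(FIRMWARE)),
        "text_ascii": ascii_mode_transfer(TEXT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same comparison is worth doing for real: the transfer summary the switch prints (the byte count after "FTP: ... byte(s) received") should equal the file's size on the server before you point boot-loader at it.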


Configuring the FTP Server

Configuring FTP server operating parameters

Follow these steps to configure the FTP server:

Configuring Parameters for FTP Users

To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.

Follow these steps to configure an FTP user:

For more information about authentication and authorization commands, refer to the AAA-RADIUS-TACACS+ chapter of this manual.

Table 70 Basic FTP configurations as an FTP server

■ Enter system view: system-view

■ Enable the FTP server: ftp server enable (Required; disabled by default.)

■ Configure the idle-timeout timer: ftp timeout minutes (Optional; the default is 30 minutes.)

■ Set the FTP update mode: ftp update { fast | normal } (Optional; normal update is used by default.)

Table 71 Configuring parameters for FTP users

■ Enter system view: system-view

■ Enter or create a local user view: local-user user-name (Required; no local user exists by default.)

■ Assign a password to the user: password { simple | cipher } password (Required)

■ Assign the FTP service to the local user: service-type ftp (Required; not assigned by default.)

■ Authorize the FTP user's access to a directory: service-type ftp [ ftp-directory directory ] (Optional)

■ Enter ISP domain view: domain [ isp-name ] [ default { disable | enable isp-name } ] (Optional)

■ Reference an authentication scheme to the domain: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (Optional)

■ Reference an authorization scheme to the domain: authorization { hwtacacs-scheme hwtacacs-scheme-name | none } (Optional)


Displaying and Maintaining the FTP Server

FTP Client Configuration Example

Network requirements

Use your device as an FTP client to download an application file (APP file, .bin file) for upgrading purposes from the FTP server with the IP address 10.1.1.1/16.

On the FTP server, an FTP user account has been created for the FTP client, with the username being abc and the password being pwd.

Network diagram

Figure 40 Network diagram for FTPing a startup file from an FTP Server

Configuration procedure

1 Check the files on your device. Remove redundant files to ensure adequate space for the APP file to be downloaded.

<3Com> dir
Directory of flash:/
   0  drw-         -  Dec 07 2005 10:00:57   filename
   1  drw-         -  Jan 02 2006 14:27:51   logfile
   2  -rw-      1216  Jan 02 2006 14:28:59   config.cfg
   3  -rw-      1216  Jan 02 2006 16:27:26   backup.cfg
   4  -rw-    184108  May 26 2006 18:02:16   aaa.bin

15240 KB total (2511 KB free)
<3Com> delete flash:/backup.cfg

2 Download the APP file from the server.

<3Com> ftp 10.1.1.1
Trying 10.1.1.1...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):abc
331 Password required for abc.
Password:
230 User logged in.
[ftp] binary
200 Type set to I
[ftp] get aaa.bin bbb.bin

Table 72 Displaying and maintaining the FTP server

■ Display the configuration of the FTP server: display ftp-server (Available in any view)

■ Display information about logged-in FTP users: display ftp-user (Available in any view)


200 Port command okay.
150 Opening BINARY mode data connection for aaa.bin......
226 Transfer complete.
FTP: 184108 byte(s) received in 5.461 second(s) 33.00K byte(s)/sec.
[ftp] bye
221 Server closing.

3 Specify the main APP file for next startup with the boot-loader command.

<3Com> boot-loader file bbb.bin main
<3Com> reboot

The APP file for next startup specified by the boot-loader command must be saved under the root directory. You can use the copy or move operation to change its path.
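Step 1 of the procedure above asks you to check the dir listing and free up space before the download, and the transfer summary in step 2 tells you how many bytes arrived. Both are easy to check mechanically when the upgrade is scripted over Telnet. The following is an added example written for this page, not the switch's code; the listing it parses is constructed to match the format shown in step 1, and the 184108-byte size is the one from the transfer summary.

```python
"""Pre-flight check for the download above: parse the 'dir' listing and
confirm the Flash has room for the file before fetching it.

Added example, not the switch's code. The listing below is constructed in the
format shown in step 1 of the procedure; the file size is the one reported in
the transfer summary of step 2 (184108 bytes).
"""
import re

# Constructed dir output in the format shown above.
DIR_OUTPUT = """\
Directory of flash:/
   0  drw-         -  Dec 07 2005 10:00:57   filename
   1  drw-         -  Jan 02 2006 14:27:51   logfile
   2  -rw-      1216  Jan 02 2006 14:28:59   config.cfg
   3  -rw-      1216  Jan 02 2006 16:27:26   backup.cfg
   4  -rw-    184108  May 26 2006 18:02:16   aaa.bin

15240 KB total (2511 KB free)
"""

# One listing row: index, attributes, size ('-' for a directory), date, name.
ENTRY = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[-d]rw-)\s+(?P<size>-|\d+)\s+"
    r"(?P<date>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<name>\S+)\s*$"
)
SPACE = re.compile(r"(?P<total>\d+) KB total \((?P<free>\d+) KB free\)")


def parse_dir(text):
    """Return (entries, total_kb, free_kb). Each entry is a dict with
    'name', 'is_dir' and 'size' (None for directories)."""
    entries, total_kb, free_kb = [], None, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({
                "name": m.group("name"),
                "is_dir": m.group("attr").startswith("d"),
                "size": None if m.group("size") == "-" else int(m.group("size")),
            })
            continue
        m = SPACE.search(line)
        if m:
            total_kb, free_kb = int(m.group("total")), int(m.group("free"))
    if free_kb is None:
        raise ValueError("no 'KB total (... KB free)' summary line found")
    return entries, total_kb, free_kb


def fits(free_kb, size_bytes):
    """True if a file of size_bytes fits in free_kb kilobytes (1 KB = 1024 B)."""
    return size_bytes <= free_kb * 1024


def plan_download(text, size_bytes):
    """Report whether the file fits and list the regular files (largest first)
    whose deletion would free space; directories are left alone."""
    entries, _, free_kb = parse_dir(text)
    regular = sorted((e for e in entries if not e["is_dir"]),
                     key=lambda e: e["size"], reverse=True)
    return {"free_kb": free_kb, "fits": fits(free_kb, size_bytes),
            "regular_files": [(e["name"], e["size"]) for e in regular]}


if __name__ == "__main__":
    print(plan_download(DIR_OUTPUT, 184108))
```

The same parser applied to a second dir after the transfer lets the script confirm that bbb.bin landed in flash:/ with the expected size before boot-loader is pointed at it.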

FTP Server Configuration Example

Network requirements

Use your device as an FTP server. Create a user account for an FTP user on it, setting the username to abc and the password to pwd.

Upload an APP file from a PC to the FTP server.

Network diagram

Figure 41 Network diagram for FTPing a startup file to the FTP server

Configuration procedure

1 Configure the Ethernet Switch

a Create an FTP user account, setting its username and password.

<3Com> system-view
[3Com] local-user abc
[3Com-luser-abc] service-type ftp
[3Com-luser-abc] password simple pwd

b Authorize the access of the user account to a certain directory.

[3Com-luser-abc] service-type ftp ftp-directory flash:/

c Validate the authorized directory.

[3Com-luser-abc] quit
[3Com] domain system
[3Com-isp-system] authorization login local

d Enable FTP server.

[3Com] ftp server enable
[3Com] quit


e Check the files on your device. Remove redundant files to ensure adequate space for the APP file to be uploaded.

<3Com> dir
Directory of flash:/
   0  drw-         -  Dec 07 2005 10:00:57   filename
   1  drw-         -  Jan 02 2006 14:27:51   logfile
   2  -rw-      1216  Jan 02 2006 14:28:59   config.cfg
   3  -rw-      1216  Jan 02 2006 16:27:26   back.cfg
   4  drw-         -  Jan 02 2006 15:20:21   ftp
   5  -rw-    184108  May 26 2006 18:02:16   aaa.bin

15240 KB total (2511 KB free)
<3Com> delete flash:/back.cfg

2 Configure the PC

a Upload the APP file to the FTP server.

c:\> ftp 1.1.1.1
ftp> put aaa.bin bbb.bin

■ When upgrading the configuration file with FTP, put the new file under the root directory.

■ When upgrading the Boot ROM program with FTP remotely, you must perform the bootrom update command after the file transfer is completed.

b Specify the main APP file for next startup with the boot-loader command.

<3Com> boot-loader file bbb.bin main
<3Com> reboot

CAUTION: The APP file for next startup must be saved under the root directory.

TFTP Configuration

Overview

The trivial file transfer protocol (TFTP) provides functions similar to those provided by FTP, but its interactive access interface and authentication are not as complex as those of FTP. Therefore, it is more suitable where complex interaction between client and server is not needed.

TFTP uses the UDP service for data delivery. In TFTP, file transfer is initiated by the client.

In a normal file downloading process, the client sends a read request to the TFTP server, receives data from the server, and then sends the acknowledgement to the server.

In a normal file uploading process, the client sends a write request to the TFTP server, sends data to the server, and receives the acknowledgement from the server.

TFTP transfers files in two modes: binary for program files and ASCII for text files.

Before performing TFTP-related configurations, you need to configure IP addresses for the TFTP client and the TFTP server, and make sure the route between the two is reachable.

A switch can only operate as a TFTP client.
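The read-request exchange described in the overview (client sends a read request, server sends data, client acknowledges) is short enough to run end to end in memory. The following is an added example written for this page, not the switch's code: it builds the RFC 1350 packets, plays both the client and the server, and stops on the short final block. The server's working directory and the 600-byte file are constructed. What the transcript does not contain is the point of the overview's remark about authentication: no user name or password is ever exchanged, so the tftp-server acl command in Table 74 is the only access control the protocol leaves you.

```python
"""TFTP download (RFC 1350 packets), both sides simulated in memory.

Added example, not the switch's code: the client sends a read request, the
server answers with numbered DATA blocks, the client ACKs each one, and a
block shorter than 512 bytes ends the transfer. The file and the server's
working directory are constructed. No user name or password ever crosses the
wire, which is why the tftp-server acl command is the protocol's only gate.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # a DATA block carrying fewer than 512 bytes is the last one


def build_rrq(filename, mode="octet"):
    """Read request: opcode | filename | 0 | mode | 0 ('octet' is binary)."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block_no, payload):
    return struct.pack("!HH", DATA, block_no) + payload


def build_ack(block_no):
    return struct.pack("!HH", ACK, block_no)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet):
    """Return (opcode, fields) for the packet types used here."""
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return opcode, (filename.decode(), mode.decode())
    if opcode in (DATA, ERROR):
        number = struct.unpack("!H", packet[2:4])[0]
        body = packet[4:] if opcode == DATA else packet[4:-1].decode()
        return opcode, (number, body)
    if opcode == ACK:
        return opcode, (struct.unpack("!H", packet[2:4])[0],)
    raise ValueError("unsupported opcode %d" % opcode)


class TftpServer:
    """Serves files from an in-memory working directory (constructed)."""

    def __init__(self, files):
        self.files, self.data, self.last_block = files, b"", 0

    def handle(self, packet):
        """Answer one client packet; returns None once the transfer is over."""
        opcode, fields = parse(packet)
        if opcode == RRQ:
            filename = fields[0]
            if filename not in self.files:
                return build_error(1, "File not found")
            self.data = self.files[filename]
            # 600 bytes -> blocks 1 (512) and 2 (88); an exact multiple of 512
            # still gets a final empty block so the client knows it is done.
            self.last_block = len(self.data) // BLOCK + 1
            return self._data(1)
        if opcode == ACK:
            acked = fields[0]
            return None if acked >= self.last_block else self._data(acked + 1)
        return build_error(4, "Illegal TFTP operation")

    def _data(self, block_no):
        start = (block_no - 1) * BLOCK
        return build_data(block_no, self.data[start:start + BLOCK])


def download(server, filename):
    """Client side of 'tftp <server> get'. Returns (file bytes, transcript)."""
    transcript = ["C->S RRQ %s octet" % filename]
    reply, received = server.handle(build_rrq(filename)), b""
    while True:
        opcode, (number, body) = parse(reply)
        if opcode == ERROR:
            transcript.append("S->C ERROR %d %s" % (number, body))
            raise IOError(body)
        transcript.append("S->C DATA %d (%d bytes)" % (number, len(body)))
        received += body
        transcript.append("C->S ACK %d" % number)
        reply = server.handle(build_ack(number))
        if len(body) < BLOCK:
            return received, transcript


# Constructed 600-byte file: one full block followed by a short final block.
SAMPLE_FILE = bytes(range(256)) * 2 + b"X" * 88

if __name__ == "__main__":
    data, log = download(TftpServer({"aaa.bin": SAMPLE_FILE}), "aaa.bin")
    print("\n".join(log), "\nreceived %d bytes" % len(data))
```

The upload case in the overview is the mirror image (WRQ, then DATA from the client and ACK from the server) and is left out here; the packet builders above already cover the WRQ layout.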


Figure 42 Network diagram for TFTP configuration

Table 73 describes the operations needed when a switch operates as a TFTP client.

Configuring the TFTP Client

Follow these steps to configure the TFTP client:

TFTP Client Configuration Example

Network requirements

Use a PC as the TFTP server and your device as the TFTP client.

As shown in the following figure,

■ The PC uses IP address 1.2.1.1/16, and a TFTP working directory has been defined on it for the client.

■ On your device, VLAN interface 1 is assigned the IP address 1.1.1.1/16, making sure that the port connected to the PC belongs to the same VLAN.

■ Download an APP file from the PC through TFTP for upgrading, and upload a configuration file to the PC for backup.

Table 73 Configurations needed when a switch operates as a TFTP client

Device Configuration Default Description

Switch Configure an IP address for the VLAN interface of the switch so that it is reachable for TFTP server.

You can log into a TFTP server directly for file accessing through TFTP commands

– TFTP applies to networks where client-server interactions are comparatively simple. It requires the routes between TFTP clients TFTP servers are reachable.

TFTP server The TFTP server is started and the TFTP work directory is configured.

– –

Table 74 Configurations on an TFTP client

To do Use the command Remarks

Enter system view system-view –

Reference an ACL to control access to the TFTP server

tftp-server acl acl-number Optional

Back to user view quit –

Download a file from a TFTP server

tftp tftp-server get source-file [ dest-file | -a source-ip ]*

Required

Download a file from a TFTP server in secure mode

tftp tftp-server sget source-file [ dest-file | -a source-ip ]*

Optional

Upload a file to a TFTP server tftp tftp-server put source-file [ dest-file | -a source-ip ]*

Optional


124 CHAPTER 11: FILE SYSTEM MANAGEMENT

Network diagram

Figure 43 Network diagram for TFTP client configuration

Configuration procedure

1 On PC

Enable TFTP server and configure a TFTP working directory for the TFTP client.

2 On Device

CAUTION: If available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files from the Flash memory to make room for the new file.

a Enter system view.

<Sysname> system-view

b Assign VLAN interface 1 an IP address 1.1.1.1/16, making sure that the port connected to PC belongs to the same VLAN.

[Sysname] interface vlan-interface 1
[Sysname-vlan-interface1] ip address 1.1.1.1 255.255.0.0
[Sysname-vlan-interface1] return

c Download an application file aaa.bin from the TFTP server. (Before that, make sure that adequate memory is available.)

<Sysname> tftp 1.2.1.1 get aaa.bin bbb.bin

d Upload a configuration file config.cfg to the TFTP server.

<Sysname> tftp 1.2.1.1 put config.cfg config.cfg

e Specify the APP file for next startup with the boot-loader command.

<Sysname> boot-loader file bbb.bin
<Sysname> reboot

CAUTION: The APP file for next startup must be saved under the root directory. You can use copy or move operation to change its path.


12 VLAN CONFIGURATION

VLAN Overview

Introduction to VLAN

The virtual local area network (VLAN) technology was developed so that switches can control broadcast traffic in LANs.

By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own. Hosts in the same VLAN communicate with each other as if they are in a LAN. However, hosts in different VLANs cannot communicate with each other directly. In this way, broadcast packets are confined within a VLAN. Figure 44 illustrates a VLAN implementation.

Figure 44 A VLAN implementation

A VLAN can span multiple switches, or even routers. This lets the hosts of a VLAN be dispersed more loosely: hosts in a VLAN can belong to different physical network segments.

VLANs offer the following advantages.

■ Broadcasts are confined to VLANs. This decreases bandwidth utilization and improves network performance.

■ Network security is improved. Hosts in different VLANs cannot communicate with each other directly. To enable communication between different VLANs, network devices operating at Layer 3 (such as routers or Layer 3 switches) are needed, and that Layer 3 device is where traffic between VLANs can be filtered; VLAN separation by itself isolates only Layer 2 traffic.

■ Configuration workload is reduced. VLANs can be used to group specific hosts. When the physical position of a host changes, no additional network configuration is required if the host still belongs to the same VLAN.

[Figure 44 labels: VLAN A and VLAN B on each of three segments; LAN Switch; LAN Switch; Router]


VLAN Classification

Depending on how VLANs are established, VLANs fall into the following six categories:

■ Port-based VLAN

■ MAC-based VLAN

■ Protocol-based VLAN

■ IP subnet-based VLAN

■ Policy-based VLAN

■ Other VLAN

The Switch 4500G supports port-based VLANs. This chapter focuses on the port-based VLAN.

Basic VLAN Configuration

Table 75 Basic VLAN configuration

Enter system view: system-view
Create VLANs: vlan { vlan-id1 [ to vlan-id2 ] } (Optional)
    This command is mainly used to create multiple VLANs at once.
Enter VLAN view: vlan vlan-id (Required)
    If the specified VLAN does not exist, this command first creates the VLAN and then enters VLAN view.
Specify the description string of the VLAN: description text (Optional)
    By default, the description string of a VLAN is its VLAN ID, such as "VLAN 0001".
Exit VLAN view: quit


Basic VLAN Interface Configuration

A VLAN interface is a virtual Layer 3 interface, used mainly to provide Layer 3 connectivity between different VLANs.

Before creating a VLAN interface, the corresponding VLAN must exist. Otherwise, the VLAN interface cannot be created.

Table 76 Configure a VLAN interface

Enter system view: system-view
Enter VLAN interface view: interface vlan-interface vlan-interface-id (Required)
    If the specified VLAN interface does not exist, this command creates it first and then enters VLAN interface view.
Configure the IP address of the VLAN interface: ip address ip-address { mask | mask-length } (Optional)
    By default, a VLAN interface has no IP address.
Specify the description string for the current VLAN interface: description text (Optional)
    By default, the description string of a VLAN interface is the name of the interface, such as "Vlan-interface1 interface".
Enable the VLAN interface: undo shutdown (Optional)
    By default, if all the ports in the VLAN are down, the VLAN interface is down; if one or more ports in the VLAN are up, the VLAN interface is up.

Port-Based VLAN Configuration

Introduction to Port-Based VLAN

Port-based VLAN is the simplest and most effective VLAN division method. It defines VLAN membership according to the ports of a switch. After a port is added to a VLAN, the port can forward the packets of that VLAN.

Link Type of the Ethernet Port

According to how ports are bound to VLANs, the link type of an Ethernet port falls into the following three types:

■ Access port. An access port carries one VLAN only and is used for connecting to a user's computer.

■ Trunk port. A trunk port can belong to more than one VLAN and receive/send packets on multiple VLANs; it is used for connections between switches.

■ Hybrid port. A hybrid port can also carry more than one VLAN and receive/send packets on multiple VLANs; it is used for connecting both switches and users' computers.


The difference between a hybrid port and a trunk port is that:

■ A hybrid port allows the packets of multiple VLANs to be sent without tags.

■ A trunk port allows only the packets of its default VLAN to be sent without tags.

Default VLAN

You can configure the VLANs allowed to pass through a port. In addition, you can also configure a default VLAN for the port. By default, the default VLAN of all ports is VLAN 1, but you can configure it as needed.

■ An access port can belong to only one VLAN, so its default VLAN is the VLAN it belongs to, and you do not need to configure it.

■ Both trunk ports and hybrid ports allow multiple VLANs to pass through. You can configure the default VLAN for them.

■ After you delete the default VLAN of a port with the undo vlan command, the default VLAN of an access port is restored to VLAN 1; the default VLAN configuration of a trunk or hybrid port remains unchanged, that is, a trunk or hybrid port can keep a VLAN that no longer exists as its default VLAN.

After the default VLAN is configured, a port receives and sends packets in different ways. Refer to the following table for details:

Table 77 Receive and send packets

Access port
    Received packets without tag: add the default VLAN tag to the packet.
    Received packets with tag: receive the packet when the VLAN ID (recorded in the tag) is the same as the default VLAN ID; drop the packet when the VLAN ID is different from the default VLAN ID.
    Send packets: send the packet without a tag; its VLAN ID is necessarily the default VLAN ID.

Trunk port
    Received packets without tag: add the default VLAN tag to the packet.
    Received packets with tag: receive the packet when the VLAN ID is the same as the default VLAN ID; receive the packet when the VLAN ID is different from the default VLAN ID but is allowed to pass through the port; drop the packet when the VLAN ID is different from the default VLAN ID and is not allowed to pass through the port.
    Send packets: when the VLAN ID is the same as the default VLAN ID, remove the tag first and then send the packet; when the VLAN ID is different from the default VLAN ID, keep the original tag and send the packet.

Hybrid port
    Received packets without tag: add the default VLAN tag to the packet.
    Received packets with tag: as for a trunk port.
    Send packets: when the VLAN ID is the same as the default VLAN ID, remove the tag first and then send the packet; when the VLAN ID is different from the default VLAN ID, send the packet, and you can configure whether the sent packet carries the tag or not with the port hybrid vlan vlan-id-list { tagged | untagged } command.
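The receive and send rules of Table 77, as an added example that is not part of this guide: a Python model of a Switch 4500G port that accepts the port link-type, port access vlan, port trunk pvid vlan, port trunk permit vlan, port hybrid pvid vlan and port hybrid vlan commands used in this chapter and then answers two questions for a frame: which VLAN an arriving frame is placed in, and whether it leaves the port tagged or untagged. The Port class, the small command parser and the frame scenarios are constructed here for illustration and are not the switch's implementation. The ingress rule for untagged frames is the point a security engineer cares about: an untagged frame arriving on a trunk is placed in the trunk's default VLAN, so the default VLAN of a trunk should not be a user VLAN.

```python
"""802.1Q tag handling on Switch 4500G access, trunk and hybrid ports.
Added example, not 3Com code.  The receive/send rules are those of Table 77;
the Port class and the parser for the `port ...` commands of this chapter
are constructed for illustration."""
from dataclasses import dataclass, field


def parse_vlan_list(tokens):
    """Expand a VLAN list such as ['2', '6', 'to', '50', '100'] into a set of IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


@dataclass
class Port:
    link_type: str = "access"                           # ports are access ports by default
    pvid: int = 1                                       # default VLAN of every port is VLAN 1
    permit: set = field(default_factory=lambda: {1})    # trunk: VLANs allowed to pass
    tagged: set = field(default_factory=set)            # hybrid: VLANs sent with a tag
    untagged: set = field(default_factory=lambda: {1})  # hybrid: VLANs sent without a tag

    def apply(self, line):
        """Apply one command typed in Ethernet port view; returns self for chaining."""
        t = line.split()
        if t[:2] == ["port", "link-type"]:
            if {self.link_type, t[2]} == {"trunk", "hybrid"}:
                raise ValueError("trunk and hybrid cannot be switched directly; set access first")
            self.link_type = t[2]
        elif t[:3] == ["port", "access", "vlan"]:
            self.pvid = int(t[3])
        elif t[:4] in (["port", "trunk", "pvid", "vlan"], ["port", "hybrid", "pvid", "vlan"]):
            self.pvid = int(t[4])
        elif t[:4] == ["port", "trunk", "permit", "vlan"]:
            self.permit |= set(range(1, 4095)) if t[4] == "all" else parse_vlan_list(t[4:])
        elif t[:3] == ["port", "hybrid", "vlan"]:
            vlans = parse_vlan_list(t[3:-1])
            self.tagged -= vlans               # a VLAN is either tagged or untagged, not both
            self.untagged -= vlans
            (self.tagged if t[-1] == "tagged" else self.untagged).update(vlans)
        else:
            raise ValueError("unsupported command: " + line)
        return self

    def allowed(self):
        """VLANs whose frames the port carries."""
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.permit)
        return self.tagged | self.untagged

    def ingress(self, tag):
        """VLAN a received frame is assigned to (tag is the 802.1Q VLAN ID, None if untagged);
        None as the result means the port drops the frame."""
        if tag is None:
            return self.pvid                   # every port type tags untagged frames with its PVID
        if tag == self.pvid or tag in self.allowed():
            return tag
        return None

    def egress(self, vlan):
        """How a frame of `vlan` leaves the port: 'untagged', 'tagged' or None (not sent)."""
        if vlan not in self.allowed():
            return None
        if self.link_type == "access" or vlan == self.pvid:
            return "untagged"                  # the PVID always leaves with its tag removed
        if self.link_type == "trunk":
            return "tagged"                    # trunk: every other VLAN keeps its tag
        return "untagged" if vlan in self.untagged else "tagged"


def forward(in_port, tag, out_port):
    """Frame with `tag` enters in_port and is switched to out_port within its VLAN.
    Returns (vlan, egress form) or None if it is dropped at either port."""
    vlan = in_port.ingress(tag)
    if vlan is None:
        return None
    out = out_port.egress(vlan)
    return None if out is None else (vlan, out)
```

Port.apply accepts the command text exactly as typed in Ethernet port view in this chapter, and its refusal to change a trunk directly into a hybrid port mirrors the restriction stated under Configuring a Trunk Port-Based VLAN. Feeding it the trunk configuration of the VLAN Configuration Example (default VLAN 100, VLANs 2, 6 to 50 and 100 permitted) shows that an untagged frame on that trunk is placed in VLAN 100.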


Configuring an Access Port-Based VLAN

You can add an access port to a specified VLAN in two ways: configure it in VLAN view, or configure it in Ethernet port view/port group view.

You must add an access port to an existing VLAN.

Table 78 Configure an access port-based VLAN (in VLAN view)

Enter system view: system-view
Enter VLAN view: vlan vlan-id (Required)
    If the specified VLAN does not exist, this command creates the VLAN first and then enters its VLAN view.
Add an Ethernet port to the VLAN: port interface-list (Required)
    By default, the system adds all ports to VLAN 1.

Table 79 Configure an access port-based VLAN (in Ethernet port view or port group view)

Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number (Use either command)
Enter port group view: port-group { manual port-group-name | aggregation agg-id } (Use either command)
    Configured in Ethernet port view, the following settings take effect on the current port only; configured in port group view, they take effect on all ports in the port group.
Configure the port as an access port: port link-type access (Optional)
    By default, a port is an access port.
Add the current access port to a specified VLAN: port access vlan vlan-id (Optional)
    By default, the system adds all ports to VLAN 1.


Configuring a Trunk Port-Based VLAN

A trunk port allows multiple VLANs to pass, but you can only configure it in Ethernet port view/port group view.

■ A trunk port and a hybrid port cannot be switched to each other directly; the port must be configured as an access port first. For example, a trunk port cannot be configured as a hybrid port directly; you must configure it as an access port first, and then as a hybrid port.

■ The default VLAN ID of the trunk port on the local switch must be the same as that of the trunk port on the opposite switch. Otherwise, packets cannot be transmitted correctly.

■ Untagged packets arriving on a trunk port are placed in its default VLAN (see Table 77). Use a VLAN reserved for the trunk as its default VLAN rather than a VLAN that carries user traffic, so that untagged frames injected on the trunk link cannot land in a user VLAN.

Table 80 Configure a trunk port-based VLAN

Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number (Use either command)
Enter port group view: port-group { manual port-group-name | aggregation agg-id } (Use either command)
    Configured in Ethernet port view, the following settings take effect on the current port only; configured in port group view, they take effect on all ports in the port group.
Configure the port as a trunk port: port link-type trunk (Required)
Add the current trunk port to specified VLANs: port trunk permit vlan { vlan-id-list | all } (Required)
    By default, a trunk port allows only VLAN 1 to pass.
Set the default VLAN for the trunk port: port trunk pvid vlan vlan-id (Optional)
    By default, the default VLAN of a trunk port is VLAN 1.


Configuring a Hybrid Port-Based VLAN

A hybrid port allows multiple VLANs to pass, but you can only configure it in Ethernet port view/port group view.

■ A trunk port and a hybrid port cannot be switched to each other directly; the port must be configured as an access port first. For example, a trunk port cannot be configured as a hybrid port directly; you must configure it as an access port first, and then as a hybrid port.

■ The VLANs configured to be permitted to pass through a hybrid port must exist.

■ The default VLAN ID of the hybrid port on the local switch must be the same as that of the hybrid port on the opposite switch. Otherwise, packets cannot be transmitted correctly.

Table 81 Configure a hybrid port-based VLAN

Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number (Use either command)
Enter port group view: port-group { manual port-group-name | aggregation agg-id } (Use either command)
    Configured in Ethernet port view, the following settings take effect on the current port only; configured in port group view, they take effect on all ports in the port group.
Configure the port as a hybrid port: port link-type hybrid (Required)
Add the current hybrid port to specified VLANs: port hybrid vlan vlan-id-list { tagged | untagged } (Required)
    You can configure whether the hybrid port adds a tag to the packets of the specified VLANs when it sends them.
Set the default VLAN for the hybrid port: port hybrid pvid vlan vlan-id (Optional)
    By default, the default VLAN of a hybrid port is VLAN 1.

Displaying VLAN Configuration

After the above configuration, you can execute the display commands in any view to view the running VLAN configuration and verify the effect of the configuration.

Table 82 Display the information about specified VLANs

Display the information about specified VLANs: display vlan [ vlan-id1 [ to vlan-id2 ] | all | static | dynamic | reserved ] (Available in any view)
Display the information about a specified VLAN interface: display interface vlan-interface [ vlan-interface-id ] (Available in any view)


VLAN Configuration Example

Network Requirements

■ Switch A connects with Switch B through the trunk port GigabitEthernet1/0/1.

■ The default VLAN ID of the port is 100.

■ The port permits the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to pass.

Network Diagram Figure 45 Configure packets to pass through the default VLAN

Configuration Procedure

1 Configure Switch A

a Create VLAN 2, VLAN 6 through VLAN 50 and VLAN 100.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] vlan 100
[3Com-vlan100] vlan 6 to 50
Please wait... Done.

b Enter Ethernet port view of GigabitEthernet1/0/1.

[3Com] interface GigabitEthernet 1/0/1

c Configure GigabitEthernet1/0/1 as a trunk port, and configure its default VLAN ID as VLAN 100.

[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 100

d Configure GigabitEthernet1/0/1 to permit the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to pass.

[3Com-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.

2 Configuration on Switch B is the same as that on Switch A.

[Figure 45 labels: Switch A, Switch B, GigabitEthernet1/0/1]


13 VOICE VLAN CONFIGURATION

Voice VLAN Overview

Voice VLANs are VLANs configured specially for voice data stream. By adding the ports with voice devices attached to voice VLANs, you can perform QoS (quality of service)-related configuration for voice data, ensuring the transmission priority of voice data stream and voice quality.

The Switch 4500G determines whether a received packet is a voice packet by checking its source MAC address. If the source MAC address of a packet matches one of the organizationally unique identifier (OUI) addresses configured on the system, the packet is treated as a voice packet and transmitted in the voice VLAN. Because only the source MAC address is checked, this classification identifies the kind of device a packet claims to come from; it does not authenticate the device.

You can configure an OUI address for voice packets or specify to use the default OUI address.

The following table shows the five default OUI addresses of a switch.

■ An OUI address is a globally unique identifier assigned to a vendor by IEEE. You can determine which vendor a device belongs to according to the OUI address which forms the first 24 bits of a MAC address.

■ You can add or delete the default OUI address manually.

Automatic Mode and Manual Mode of Voice VLAN

A voice VLAN can operate in two modes: automatic mode and manual mode. You can configure the operation mode for a voice VLAN according to data stream passing through the ports of the voice VLAN.

■ In automatic mode, the system identifies the source MAC address contained in the untagged packet sent when the IP phone is powered on and matches it against the OUI addresses. If a match is found, the system will automatically add the port into the Voice VLAN and send ACL rules to ensure the packet precedence. An aging time can be configured on the device. The system will remove a port from the voice VLAN if no voice packets are received from it within the aging time. The adding and deleting of ports are automatically realized by the system.

Table 83 Default OUI addresses preset by the switch

Number: OUI Address (Vendor)

1: 0003-6b00-0000 (Cisco phone)
2: 000f-e200-0000 (3Com Aolynk phone)
3: 00d0-1e00-0000 (Pingtel phone)
4: 00e0-7500-0000 (Polycom phone)
5: 00e0-bb00-0000 (3com phone)


■ In manual mode, the administrator adds the port to which the IP phone is attached directly to the voice VLAN. The port then identifies the source MAC address in each packet, matches it against the OUI addresses, and decides whether to forward the packet in the voice VLAN. The administrator applies the ACL rules when adding a port to or deleting a port from the voice VLAN. In this mode, ports are added and deleted by the administrator.

■ Both modes forward tagged packets in the same manner: based on the VLAN ID contained in the packets.

The two operation modes are configured in Ethernet port view only. Different ports can be configured to work in different modes.

The following table lists the relationship between the operation mode of a voice VLAN, the voice stream type sent by the IP phone, and the link type of the port.

Table 84 Port modes and voice stream types

Automatic mode, tagged voice stream
    Access port: not supported.
    Trunk port: supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and that the port permits the packets of the default VLAN.
    Hybrid port: supported. Make sure the default VLAN of the port exists and is in the list of tagged VLANs whose packets are permitted by the port.

Automatic mode, untagged voice stream
    Access, trunk and hybrid ports: not supported, because the default VLAN of the port would have to be the voice VLAN, which means the port is already in the voice VLAN. In this case, add the port to the voice VLAN manually (manual mode).

Manual mode, tagged voice stream
    Access port: not supported.
    Trunk port: supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and that the port permits the packets of the default VLAN.
    Hybrid port: supported. Make sure the default VLAN of the port exists and is in the list of tagged VLANs whose packets are permitted by the port.

Manual mode, untagged voice stream
    Access port: supported. Make sure the default VLAN of the port is a voice VLAN.
    Trunk port: supported. Make sure the default VLAN of the port is a voice VLAN and the port permits the packets of that VLAN.
    Hybrid port: supported. Make sure the default VLAN of the port is a voice VLAN and is in the list of untagged VLANs whose packets are permitted by the port.


CAUTION:

■ If the voice stream transmitted by your IP phone is VLAN-tagged and the port to which the IP phone is attached is enabled with 802.1x authentication and an 802.1x guest VLAN, assign different VLAN IDs to the voice VLAN, the default VLAN of the port, and the 802.1x guest VLAN so that both functions operate properly.

■ If the voice stream transmitted by the IP phone is untagged, the default VLAN of the port to which the IP phone is attached must be the voice VLAN for the voice VLAN function to take effect. In this case, 802.1x authentication is unavailable on the port.

■ The default VLAN of all ports is VLAN 1. You can use the corresponding commands to specify a default VLAN for a port and to allow certain VLANs to pass through the port. See "Port-Based VLAN Configuration".

■ Use the display interface command to display the VLANs allowed to pass through a port and the default VLAN of the port.

Security Mode and Ordinary Mode of Voice VLAN

A voice VLAN works in security mode or ordinary mode, according to the packet filtering rule applied on the port with the voice VLAN function enabled.

■ In security mode, the port with the voice VLAN function enabled allows only voice packets, that is, packets whose source MAC address matches a recognized OUI address. All other packets are discarded, including some authentication packets, such as 802.1x authentication packets.

■ In ordinary mode, the port with the voice VLAN function enabled allows both voice packets and other types of packets to pass. Voice packets follow the filtering rule of the voice VLAN and other packets follow the filtering rule of the ordinary VLAN.

You are recommended not to transmit voice data and other service data in a voice VLAN simultaneously. If you need to do so, make sure you have disabled the security mode of the voice VLAN.

Note that both modes classify a packet by its source MAC address only. Security mode keeps accidental non-voice traffic out of the voice VLAN, but a host that sets its MAC address to one within a recognized OUI is treated as a phone, so the voice VLAN should not be relied on as an access control boundary.
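The OUI classification of Table 83, the automatic-mode aging described above and the security/ordinary mode rules of this section, as one added example that is not part of this guide: a Python model of how a voice-VLAN-enabled port decides where a frame goes. The OUI entries and the ffff-ff00-0000 mask are those of Table 83; OuiTable, forward_decision, AutoModePort and every MAC address used in the checks are constructed here for illustration and are not the switch's implementation. The last check in the usage notes is the one to remember: a frame whose source MAC is forged inside a listed OUI is accepted as voice traffic in security mode as readily as a real phone's.

```python
"""Voice VLAN classification on the Switch 4500G: OUI matching, security mode
and automatic-mode port aging.
Added example, not 3Com code.  The OUI entries and mask are those of Table 83;
the decision function, the AutoModePort class and all MAC addresses used in
the checks are constructed for illustration."""

DEFAULT_OUIS = {                      # Table 83; the mask for each entry is ffff-ff00-0000
    "0003-6b00-0000": "Cisco phone",
    "000f-e200-0000": "3Com Aolynk phone",
    "00d0-1e00-0000": "Pingtel phone",
    "00e0-7500-0000": "Polycom phone",
    "00e0-bb00-0000": "3com phone",
}
DEFAULT_MASK = "ffff-ff00-0000"


def mac_to_int(mac):
    """Parse 'xxxx-xxxx-xxxx' (the switch's notation) or colon-separated bytes into 48 bits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


class OuiTable:
    """The switch's OUI list: (oui, mask, description), oui and mask as 48-bit integers."""

    def __init__(self, entries=None):
        self.entries = []
        for oui, desc in (DEFAULT_OUIS if entries is None else entries).items():
            self.add(oui, DEFAULT_MASK, desc)

    def add(self, oui, mask, description=""):
        """voice vlan mac-address <oui> mask <mask> [ description <text> ]"""
        m = mac_to_int(mask)
        self.entries.append((mac_to_int(oui) & m, m, description))

    def match(self, src_mac):
        """Description of the first entry covering src_mac, or None if it is not a voice MAC."""
        addr = mac_to_int(src_mac)
        for oui, mask, desc in self.entries:
            if addr & mask == oui:
                return desc
        return None


def forward_decision(table, security_mode, src_mac, tag, voice_vlan, pvid):
    """VLAN a frame is forwarded in on a voice-VLAN-enabled port, with the reason.
    Only the source MAC is inspected, so a host that forges a MAC inside a listed
    OUI is classified as a phone; security mode does not change that."""
    is_voice = table.match(src_mac) is not None
    if security_mode and not is_voice:
        return None, "dropped: security mode"  # also drops 802.1x frames from non-phones
    if tag is not None:
        return tag, "by tag"                   # tagged frames follow their own VLAN ID
    if is_voice:
        return voice_vlan, "voice"
    return pvid, "ordinary vlan"


class AutoModePort:
    """Automatic mode: the port joins the voice VLAN on the first matching untagged
    frame and is removed after `aging_minutes` without voice traffic (default 1,440)."""

    def __init__(self, table, aging_minutes=1440):
        self.table, self.aging, self.last_voice = table, aging_minutes, None

    def observe(self, src_mac, now_minutes):
        """Record a frame seen at time now_minutes; return membership after it."""
        if self.table.match(src_mac) is not None:
            self.last_voice = now_minutes
        return self.in_voice_vlan(now_minutes)

    def in_voice_vlan(self, now_minutes):
        return self.last_voice is not None and now_minutes - self.last_voice < self.aging
```

With the default table, OuiTable().match("00e0-bb12-3456") returns "3com phone" while a laptop MAC such as 0800-2711-2233 returns None and is dropped in security mode; after table.add("0011-2200-0000", "ffff-ff00-0000", "test"), as in the configuration examples of this chapter, any 0011-22xx-xxxx address is voice. The constructed address 00e0-bb00-0001 is accepted in security mode for the same reason, whatever device actually sent it. AutoModePort(table, 100) mirrors the voice vlan aging 100 setting: the port is in the voice VLAN for 99 minutes after the last voice frame and out at 100.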

Voice VLAN Configuration

Configuration Prerequisites

■ Create the corresponding VLAN before configuring a voice VLAN.

■ VLAN 1 is the default VLAN and does not need to be created. However, VLAN 1 does not support the voice VLAN function.


Configuring a Voice VLAN to Operate in Automatic Mode

Table 85 Configure a voice VLAN to operate in automatic mode

Enter system view: system-view
Set the aging time for the voice VLAN: voice vlan aging minutes (Optional)
    The default aging time is 1,440 minutes. The aging time takes effect only for ports in automatic mode.
Enable the voice VLAN security mode: voice vlan security enable (Optional)
    By default, the voice VLAN security mode is enabled.
Set an OUI address that can be identified by the voice VLAN: voice vlan mac-address oui mask oui-mask [ description text ] (Optional)
    A voice VLAN has five default OUI addresses.
Enable the voice VLAN function globally: voice vlan vlan-id enable (Required)
Enter port view: interface interface-type interface-number
Set the voice VLAN operation mode to automatic mode: voice vlan mode auto (Optional)
    The default voice VLAN operation mode is automatic mode.
Enable the voice VLAN function for the port: voice vlan enable (Required)

Execute the voice vlan security enable command or the undo voice vlan security enable command before you enable the voice VLAN function globally. Otherwise, the two commands do not take effect.

Configuring a Voice VLAN to Operate in Manual Mode

Table 86 Configure a voice VLAN to operate in manual mode

Enter system view: system-view
Set the aging time for the voice VLAN: voice vlan aging minutes (Optional)
    The default aging time is 1,440 minutes. The aging time takes effect only for ports in automatic mode.
Enable the voice VLAN security mode: voice vlan security enable (Optional)
    By default, the voice VLAN security mode is enabled.
Set an OUI address that can be identified by the voice VLAN: voice vlan mac-address oui mask oui-mask [ description text ] (Optional)
    If you do not set an address, the default OUI addresses are used.
Enable the voice VLAN function globally: voice vlan vlan-id enable (Required)
Enter port view: interface interface-type interface-number
Set the voice VLAN operation mode to manual mode: undo voice vlan mode auto (Required)
    The default voice VLAN operation mode is automatic mode.
Add the manual mode port to the voice VLAN: refer to "Port-Based VLAN Configuration" (Required)
Specify the voice VLAN as the default VLAN of the port: refer to "Port-Based VLAN Configuration" (Required)
Enable the voice VLAN function for the port: voice vlan enable (Required)
    By default, the voice VLAN function is disabled on a port.

■ You can enable the voice VLAN function for only one VLAN on a switch at a time.

■ You cannot enable the voice VLAN function for a port on which the link aggregation control protocol (LACP) is enabled.

■ A dynamic VLAN becomes a static VLAN after the voice VLAN function is enabled for it.

■ Execute the voice vlan security enable command or the undo voice vlan security enable command before you enable the voice VLAN function globally. Otherwise, the two commands do not take effect.

Displaying and Maintaining Voice VLAN

After the above configurations, you can execute the display commands in any view to view the running status and verify the configuration effect.

Table 87 Display and debug a voice VLAN

Display the voice VLAN state: display voice vlan state (Available in any view)
Display the OUI addresses currently supported by the system: display voice vlan oui (Available in any view)


Voice VLAN Configuration Example

Voice VLAN Configuration Example (Automatic Mode)

Network requirements

■ Create VLAN 2 and configure it as a voice VLAN with an aging time of 100 minutes.

■ Configure port GigabitEthernet1/0/1 as a trunk port, with VLAN 6 as its default VLAN.

■ The device allows voice packets from GigabitEthernet 1/0/1 with an OUI address of 0011-2200-0000 and a mask of ffff-ff00-0000 to be forwarded through the voice VLAN.

Configuration procedure

1 Create VLAN 2, VLAN 6.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] quit
[3Com] vlan 6
[3Com-vlan6] quit

2 Set aging time for the voice VLAN

[3Com] voice vlan aging 100

3 Set 0011-2200-0000 to be one that can be identified by the voice VLAN

[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test

4 Enable the global voice VLAN feature.

[3Com] voice vlan 2 enable

5 Set the voice VLAN operation mode of GigabitEthernet1/0/1 to automatic mode (this is the default).

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] voice vlan mode auto

6 Configure port GigabitEthernet1/0/1 as a trunk port.

[3Com-GigabitEthernet1/0/1] port link-type trunk

7 Set the default VLAN of the port to VLAN 6, and permit VLAN 6 to pass through the port.

[3Com-GigabitEthernet1/0/1] port trunk permit vlan 6
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 6

8 Enable the voice VLAN function for the port.

[3Com-GigabitEthernet1/0/1] voice vlan enable


Voice VLAN Configuration Example (Manual Mode)

Network requirements

■ Create VLAN 2 and configure it as a voice VLAN.

■ Set aging time for the voice VLAN to 100 minutes.

■ The voice stream transmitted by the IP phone is untagged, and the port which the IP phone is attached to is a Hybrid port GigabitEthernet1/0/1.

■ GigabitEthernet1/0/1 works in manual mode and permits only the voice packets with the following features to pass: OUI address 0011-2200-0000, mask ffff-ff00-0000, description string test.

Network diagram

None

Configuration procedure

1 Set the voice VLAN to work in security mode so that only legal voice packets pass (optional; security mode is the default).

<3Com> system-view
[3Com] voice vlan security enable

2 Set aging time for the voice VLAN

[3Com] voice vlan aging 100

3 Set 0011-2200-0000 to be one that can be identified by the voice VLAN

[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test

4 Create VLAN 2, and enable the voice VLAN function for it.

[3Com] vlan 2
[3Com-vlan2] quit
[3Com] voice vlan 2 enable

5 Set GigabitEthernet1/0/1 to work in the manual mode.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] undo voice vlan mode auto

6 Configure GigabitEthernet1/0/1 as a Hybrid port.

[3Com-GigabitEthernet1/0/1] port link-type hybrid

7 Configure the voice VLAN as the default VLAN of port GigabitEthernet1/0/1.

[3Com-GigabitEthernet1/0/1] port hybrid pvid vlan 2

8 Manually add Hybrid port GigabitEthernet1/0/1 in the untagged format to the voice VLAN.

[3Com-GigabitEthernet1/0/1] port hybrid vlan 2 untagged

9 Enable the voice VLAN function for the port GigabitEthernet1/0/1.

[3Com-GigabitEthernet1/0/1] voice vlan enable


Displaying and verification

1 Display the currently supported OUI addresses and the related information.

<3Com> display voice vlan oui
Oui Address     Mask            Description
0003-6b00-0000  ffff-ff00-0000  Cisco phone
000f-e200-0000  ffff-ff00-0000  3Com Aolynk phone
0011-2200-0000  ffff-ff00-0000  test
00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
00e0-7500-0000  ffff-ff00-0000  Polycom phone
00e0-bb00-0000  ffff-ff00-0000  3com phone

2 Display the current voice VLAN state.

<3Com> display voice vlan state
Voice VLAN status: ENABLE
Voice VLAN ID: 2
Voice VLAN configuration mode: MANUAL
Voice VLAN security mode: Security
Voice VLAN aging time: 100 minutes
Voice VLAN enabled port and its mode:
PORT                        MODE
--------------------------------
GigabitEthernet1/0/1        MANUAL


14 GVRP CONFIGURATION

Introduction to GARP

The generic attribute registration protocol (GARP) provides a mechanism that allows participants in a GARP application to distribute, propagate, and register with other participants in a bridged LAN the attributes specific to that GARP application, such as the VLAN or multicast address attribute.

■ GARP-compliant application entities are called GARP applications. One example is GVRP. When a GARP application entity is present on a port of your device, that port is regarded as a GARP application entity.

GARP messages and timers

1 GARP messages

GARP participants, which can be end stations or bridges, exchange attributes primarily by sending the following three types of messages:

■ Join to announce the willingness to register attributes with other participants.

■ Leave to announce the willingness to deregister with other participants. Together with Join messages, Leave messages guarantee attribute reregistration and deregistration.

■ LeaveAll to deregister all attributes. A LeaveAll message is sent upon expiration of a LeaveAll timer which starts upon the startup of a GARP application entity.

Through message exchange, all attribute information that needs registration propagates to all GARP participants throughout a bridged LAN.

2 GARP timers

GARP sets the intervals for sending GARP messages by using these four timers:

■ Hold timer –– When a GARP application entity receives the first registration request, it starts a hold timer and collects the succeeding requests. When the timer expires, the entity sends all these requests in one Join message, which saves bandwidth.

■ Join timer –– Each GARP application entity sends a Join message twice for reliability's sake and uses a join timer to set the sending interval.

■ Leave timer –– Starts upon receipt of a Leave message. When this timer expires, the GARP application entity removes the attribute information as requested.

■ Leaveall timer –– Starts when a GARP application entity starts. When this timer expires, the entity sends a LeaveAll message so that other entities can re-register their attribute information. Then the leaveall timer starts again.


■ The settings of GARP timers apply to all GARP applications, such as GVRP, running on a LAN.

■ Unlike the other three timers, which are set on a per-port basis, the leaveall timer is set in system view and takes effect globally.

■ A GARP application entity may send LeaveAll messages at the interval set by its LeaveAll timer or the leaveall timer of another GARP application entity on the network, whichever is smaller.

Operating mechanism of GARP

The GARP mechanism allows the configuration of a GARP participant to propagate throughout a LAN quickly. In GARP, a participant registers or deregisters its attributes with other participants by making or withdrawing declarations of attributes and, at the same time, handles the attributes of other participants based on the declarations or withdrawals it receives.

GARP application entities send protocol data units (PDUs) with a particular multicast MAC address as the destination. Based on this address, a device can identify the GARP application, GVRP for example, to which a GARP PDU should be delivered.

GARP message format

The following figure illustrates the GARP message format.

Figure 46 GARP message format


The following table describes the GARP message fields.

Table 88 Description on the GARP message fields
Field | Description | Value
Protocol ID | Protocol identifier for GARP | 1
Message | One or multiple messages, each containing an attribute type and an attribute list | –
Attribute Type | Defined by the concerned GARP application | 0x01 for GVRP, indicating the VLAN ID attribute
Attribute List | Consists of one or multiple attributes | –
Attribute | Consists of an Attribute Length, an Attribute Event, and an Attribute Value. If the Attribute Event is LeaveAll, the Attribute Value is omitted | –
Attribute Length | Number of octets occupied by an attribute, inclusive of the attribute length field | 2 to 255 (in bytes)
Attribute Event | Event described by the attribute | 0: LeaveAll; 1: JoinEmpty; 2: JoinIn; 3: LeaveEmpty; 4: LeaveIn; 5: Empty
Attribute Value | Attribute value | VLAN ID for GVRP
End Mark | Indicates the end of the PDU | –

Introduction to GVRP

GVRP enables a device to propagate local VLAN registration information to other participant devices and to dynamically update its local database with the VLAN registration information received from other devices. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries learned from other devices.

GVRP provides the following three registration types on a port:

■ Normal –– Enables a port to dynamically register and deregister VLANs, and to propagate both dynamic and static VLAN information.

■ Fixed –– Prevents the port from dynamically registering or deregistering VLANs and from propagating dynamic VLAN information, but allows the port to propagate static VLAN information. A trunk port with the fixed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs.

■ Forbidden –– Prevents the port from dynamically registering or deregistering VLANs and from propagating VLAN information, except for VLAN 1. A trunk port with the forbidden registration type thus allows only VLAN 1 to pass through even though it is configured to carry all VLANs.

Protocols and Standards

IEEE 802.1Q specifies GVRP.
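As an added example (not 3Com code), the following Python decoder walks a GARP PDU using the field layout of Table 88 and reports which VLANs a GVRP neighbour is declaring, which is useful when checking a capture to decide whether a trunk port should run in normal, fixed or forbidden registration mode. The octet widths (two-octet Protocol ID and VLAN ID, one-octet Attribute Type, Length and Event, and a 0x00 End Mark that closes each attribute list and then the PDU) are assumptions taken from IEEE 802.1D, and the sample PDU is constructed, not captured.

```python
"""GARP/GVRP PDU decoder, added example for this chapter (not 3Com code).

Field order, event codes and the 2..255 attribute-length rule come from
Table 88. Octet widths are assumptions taken from IEEE 802.1D: Protocol ID
is two octets; Attribute Type, Length and Event are one octet each; the GVRP
Attribute Value (VLAN ID) is two octets; an End Mark is a single 0x00 that
closes each attribute list and then the PDU as a whole.
"""
import struct

GARP_PROTOCOL_ID = 1         # Table 88: Protocol ID is 1
GVRP_ATTRIBUTE_TYPE = 0x01   # Table 88: 0x01 means the VLAN ID attribute
END_MARK = 0x00
EVENT_NAMES = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
               3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}


class GarpFormatError(ValueError):
    """Raised for a PDU that violates the layout in Table 88."""


def _parse_attribute(data, pos):
    """Decode one attribute starting at data[pos]; return (attr, next_pos)."""
    length = data[pos]
    if not 2 <= length <= 255:
        raise GarpFormatError(f"attribute length {length} outside 2..255 at offset {pos}")
    if pos + length > len(data):
        raise GarpFormatError(f"attribute at offset {pos} runs past the end of the PDU")
    event = data[pos + 1]
    if event not in EVENT_NAMES:
        raise GarpFormatError(f"unknown attribute event {event} at offset {pos + 1}")
    value_bytes = data[pos + 2:pos + length]
    if event == 0:
        # Table 88: a LeaveAll attribute carries no Attribute Value.
        if value_bytes:
            raise GarpFormatError("LeaveAll attribute must not carry a value")
        value = None
    else:
        if len(value_bytes) != 2:
            raise GarpFormatError("GVRP attribute value must be a 2-octet VLAN ID")
        value = struct.unpack("!H", value_bytes)[0]
        if not 1 <= value <= 4094:
            raise GarpFormatError(f"VLAN ID {value} out of range")
    return {"event": EVENT_NAMES[event], "vlan": value}, pos + length


def parse_garp_pdu(data):
    """Return the decoded GVRP messages of one GARP PDU as a list of dicts."""
    if len(data) < 3:
        raise GarpFormatError("PDU too short")
    proto = struct.unpack("!H", data[:2])[0]
    if proto != GARP_PROTOCOL_ID:
        raise GarpFormatError(f"unexpected protocol ID {proto}")
    pos = 2
    messages = []
    while True:
        if pos >= len(data):
            raise GarpFormatError("PDU missing its End Mark")
        attr_type = data[pos]
        if attr_type == END_MARK:
            return messages                  # End Mark of the PDU as a whole
        pos += 1
        if attr_type != GVRP_ATTRIBUTE_TYPE:
            raise GarpFormatError(f"attribute type {attr_type:#04x} is not GVRP")
        attributes = []
        while True:
            if pos >= len(data):
                raise GarpFormatError("attribute list missing its End Mark")
            if data[pos] == END_MARK:
                pos += 1                     # End Mark of this attribute list
                break
            attr, pos = _parse_attribute(data, pos)
            attributes.append(attr)
        messages.append({"attribute_type": attr_type, "attributes": attributes})


def registered_vlans(messages):
    """VLAN IDs the sender is declaring (JoinIn / JoinEmpty) in these messages."""
    return sorted({a["vlan"] for m in messages for a in m["attributes"]
                   if a["event"] in ("JoinIn", "JoinEmpty")})


# Constructed sample PDU (not a capture): one GVRP message carrying a JoinIn
# for VLAN 2, a LeaveIn for VLAN 3 and a LeaveAll, followed by the two End Marks.
SAMPLE_PDU = bytes([
    0x00, 0x01,              # Protocol ID = 1
    0x01,                    # Attribute Type 0x01 (VLAN ID)
    0x04, 0x02, 0x00, 0x02,  # length 4, JoinIn, VLAN 2
    0x04, 0x04, 0x00, 0x03,  # length 4, LeaveIn, VLAN 3
    0x02, 0x00,              # length 2, LeaveAll (no value)
    0x00,                    # End Mark of the attribute list
    0x00,                    # End Mark of the PDU
])

if __name__ == "__main__":
    msgs = parse_garp_pdu(SAMPLE_PDU)
    for m in msgs:
        for a in m["attributes"]:
            print(f"{a['event']:<10} VLAN {a['vlan']}")
    print("declared VLANs:", registered_vlans(msgs))
```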


Configuring GVRP

When configuring GVRP, you need to configure timers, enable GVRP, and configure the GVRP registration mode.

Configuration Prerequisites

Use the port link-type trunk command to set the link type of the port on which you want to use GVRP to trunk.

Configuration Procedure

Follow these steps to configure GVRP on a trunk port:

Table 89 Configuration Procedure
To do…: Use the command… (Remarks)
Enter system view: system-view
Enable GVRP globally: gvrp (Required; disabled by default)
Enter Ethernet interface view: interface interface-type interface-number
  or enter port-group view: port-group { manual port-group-name | aggregation agg-id }
  (Perform either of the commands. Depending on the view you accessed, the subsequent configuration takes effect on a port or on all ports in a port-group.)
Enable GVRP on the port: gvrp (Required; disabled by default)
Configure the GVRP registration mode on the port: gvrp registration { normal | fixed | forbidden } (Optional; the default is normal)

On the port, BPDU TUNNEL is not compatible with GVRP.

Setting GARP Timer

Table 90 Set GARP timer
To do…: Use the command… (Remarks)
Enter system view: system-view
Set GARP LeaveAll timer: garp timer leaveall timer-value (Optional; by default, the LeaveAll timer is set to 1,000 centiseconds)
Enter Ethernet interface view: interface interface-type interface-number
  or enter port-group view: port-group { manual port-group-name | aggregation agg-id }
  (Perform either of the commands. Depending on the view you accessed, the subsequent configuration takes effect on a port or on all ports in a port-group.)
Set GARP Hold timer, Join timer and Leave timer: garp timer { hold | join | leave } timer-value (Optional; by default, the Hold, Join, and Leave timers are set to 10, 20, and 60 centiseconds respectively)


When configuring GARP timers, note that their values are dependent on each other and must be multiples of five centiseconds. If the value range of a timer is not what you want, you can change it by tuning the value of another timer, as shown in the following table:
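The timer dependencies in Table 91 can be checked mechanically before a garp timer command is typed. The following Python helper is an added example (not 3Com code): it validates a hold/join/leave/leaveall set against the limits stated on this page (five-centisecond granularity, hold at least 10, leaveall at most 32,765, defaults 10/20/60/1000) and computes the range one timer may take while the other three are held fixed.

```python
"""Consistency checks for GARP timer settings (added example, not 3Com code).

All values are centiseconds, as the garp timer commands take them. The limits
used here are the ones stated on this page: every timer is a multiple of five
centiseconds, the hold timer is at least 10, the leaveall timer is at most
32,765, and the defaults are hold 10, join 20, leave 60, leaveall 1000.
"""

STEP = 5
HOLD_MIN = 10
LEAVEALL_MAX = 32765
DEFAULTS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}


def _floor_step(x):
    """Largest multiple of STEP that is <= x."""
    return int(x // STEP) * STEP


def _ceil_step(x):
    """Smallest multiple of STEP that is >= x."""
    return -int((-x) // STEP) * STEP


def _below(x):
    """Largest multiple of STEP that is strictly less than x."""
    f = _floor_step(x)
    return f - STEP if f == x else f


def _above(x):
    """Smallest multiple of STEP that is strictly greater than x."""
    c = _ceil_step(x)
    return c + STEP if c == x else c


def validate_garp_timers(hold, join, leave, leaveall):
    """Return the rules of Table 91 that this timer set violates ([] = consistent)."""
    problems = []
    for name, value in (("hold", hold), ("join", join),
                        ("leave", leave), ("leaveall", leaveall)):
        if value <= 0 or value % STEP:
            problems.append(f"{name} timer {value} is not a positive multiple of {STEP}")
    if hold < HOLD_MIN:
        problems.append(f"hold {hold} is below the lower limit of {HOLD_MIN}")
    if hold > join / 2:            # hold <= join/2, i.e. join >= 2 * hold
        problems.append(f"hold {hold} is greater than half of join {join}")
    if join >= leave / 2:          # join < leave/2, i.e. leave > 2 * join
        problems.append(f"join {join} is not less than half of leave {leave}")
    if leave >= leaveall:          # leave < leaveall, i.e. leaveall > leave
        problems.append(f"leave {leave} is not less than leaveall {leaveall}")
    if leaveall > LEAVEALL_MAX:
        problems.append(f"leaveall {leaveall} is above the upper limit of {LEAVEALL_MAX}")
    return problems


def allowed_range(timer, hold, join, leave, leaveall):
    """(lowest, highest) value that `timer` may take, in STEP units, while the
    other three timers keep the given values; None if no value satisfies Table 91."""
    if timer == "hold":
        lo, hi = HOLD_MIN, _floor_step(join / 2)
    elif timer == "join":
        lo, hi = _ceil_step(2 * hold), _below(leave / 2)
    elif timer == "leave":
        lo, hi = _above(2 * join), _below(leaveall)
    elif timer == "leaveall":
        lo, hi = _above(leave), LEAVEALL_MAX
    else:
        raise ValueError(f"unknown timer {timer!r}")
    return (lo, hi) if lo <= hi else None


if __name__ == "__main__":
    print("defaults consistent:", validate_garp_timers(**DEFAULTS) == [])
    for name in DEFAULTS:
        print(f"{name:<9} may be set to", allowed_range(name, **DEFAULTS))
    # Raising the join timer to 40 centiseconds on its own breaks the leave
    # rule; the leave timer has to be raised first.
    for problem in validate_garp_timers(10, 40, 60, 1000):
        print("join=40:", problem)
```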

Table 91 Dependencies of GARP timers
Timer | Lower limit | Upper limit
Hold | 10 centiseconds | Not greater than half of the join timer setting
Join | Not less than two times the hold timer setting | Less than half of the leave timer setting
Leave | Greater than two times the join timer setting | Less than the leaveall timer setting
Leaveall | Greater than the leave timer setting | 32,765 centiseconds

Displaying and Maintaining GVRP

Table 92 Display and Maintain GVRP
To do…: Use the command… (Remarks)
Display statistics about GARP: display garp statistics [ interface interface-list ] (Available in any view)
Display GARP timers for all or specified ports: display garp timer [ interface interface-list ] (Available in any view)
Display statistics about GVRP: display gvrp statistics [ interface interface-list ] (Available in any view)
Display the global GVRP state: display gvrp status (Available in any view)
Clear the GARP statistics: reset garp statistics [ interface interface-list ] (Available in user view)

GVRP Configuration Example

Example 1 Network requirements

Configure GVRP for dynamic VLAN information registration and update among devices.

Network diagram

Figure 47 Network diagram for GVRP configuration

(Figure 47 shows Switch A, port GE1/0/1, linked to Switch B, port GE1/0/2.)


Configuration procedure

1 Configure Switch A

a Enable GVRP globally.

<3Com> system-view
[3Com] gvrp

b Configure port GigabitEthernet 1/0/1 as trunk, allowing all VLANs to pass.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all

c Enable GVRP on GigabitEthernet 1/0/1.

[3Com-GigabitEthernet1/0/1] gvrp

d Create static VLAN 2.

[3Com] vlan 2

2 Configure Switch B

a Enable GVRP globally.

<3Com> system-view
[3Com] gvrp

b Configure port GigabitEthernet 1/0/2 as trunk, allowing all VLANs to pass.

[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all

c Enable GVRP on GigabitEthernet 1/0/2.

[3Com-GigabitEthernet1/0/2] gvrp

d Configure static VLAN3.

[3Com] vlan 3

e Display dynamic VLAN on Switch A.

[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s): 3

f Display dynamic VLAN on Switch B.

[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s): 2

Example 2 Network requirements

Enable GVRP on devices and configure the port registration mode as fixed to realize dynamic registration and update of some VLAN information between devices.


Network diagram

Figure 48 Network diagram for GVRP configuration

Configuration procedure

1 Configure Switch A

a Enable GVRP globally.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp

b Configure port GigabitEthernet1/0/1 as trunk, allowing all VLANs to pass.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all

c Enable GVRP on GigabitEthernet1/0/1.

[3Com-GigabitEthernet1/0/1] gvrp

d Configure the GVRP registration mode as fixed.

[3Com-GigabitEthernet1/0/1] gvrp registration fixed

e Create static VLAN 2.

[3Com] vlan 2

2 Configure Switch B

a Enable GVRP globally.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp

b Configure port GigabitEthernet1/0/2 as trunk, allowing all VLANs to pass.

[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all

c Enable GVRP on GigabitEthernet1/0/2.

[3Com-GigabitEthernet1/0/2] gvrp

d Create static VLAN 3.

[3Com] vlan 3

3 Display the configuration

a Display the dynamic VLAN information on Switch A.

[3Com] display vlan dynamic
No dynamic vlans exist!

(Figure 48 shows Switch A, port GE1/0/1, linked to Switch B, port GE1/0/2.)


b Display the dynamic VLAN information on Switch B.

[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s): 2

GVRP Configuration Examples

Network requirements

Enable GVRP on devices and configure the port registration mode as forbidden to forbid dynamic registration and update of VLAN information between devices.

Network diagram

Figure 49 Network diagram for GVRP configuration

Configuration procedure

1 Configure Switch A

a Enable GVRP globally.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp

b Configure GigabitEthernet1/0/1 as a trunk port, allowing all VLANs to pass.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all

c Enable GVRP on the trunk port.

[3Com-GigabitEthernet1/0/1] gvrp

d Configure the GVRP registration mode as forbidden.

[3Com-GigabitEthernet1/0/1] gvrp registration forbidden

e Create static VLAN 2.

[3Com] vlan 2

2 Configure Switch B

a Enable GVRP globally.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp

b Configure GigabitEthernet1/0/2 as a trunk port, allowing all VLANs to pass.

[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all

(Figure 49 shows Switch A, port GE1/0/1, linked to Switch B, port GE1/0/2.)


c Enable GVRP on the trunk port.

[3Com-GigabitEthernet1/0/2] gvrp

d Create static VLAN 3.

[3Com] vlan 3

3 Display the configuration

a Display dynamic VLAN information on Switch A.

[3Com] display vlan dynamic
No dynamic vlans exist!

b Display dynamic VLAN information on Switch B.

[3Com] display vlan dynamic
No dynamic vlans exist!


15 ETHERNET INTERFACE CONFIGURATION

General Ethernet Interface Configuration

Combo Port Configuration

Introduction to Combo port

A Combo port refers to two Ethernet interfaces on a device panel (normally one is an optical port and the other an electrical port) that share a single forwarding interface inside the device. The optical port and its corresponding electrical port work in TX/SFP mode: you can choose either one depending on the actual network requirements, but not both simultaneously. When one port is working, the other is disabled, and vice versa.

A Combo port is therefore a logical port with two physical connections, one called the optical port and the other the electrical port. The Combo port corresponds to a single forwarding port inside the device. Only one of the two ports can be active at a time; when one is active, the other is automatically deactivated.

For ease of management, a Combo port is categorized into one of the following two types:

■ Single Combo port: the two Ethernet interfaces on the device panel correspond to only one interface view, in which the state switchover between the two interfaces is performed. A single Combo port can be a Layer 2 Ethernet interface or a Layer 3 Ethernet interface.

■ Double Combo port: the two Ethernet interfaces on the device panel correspond to two interface views. The state switchover is performed in the interface view of the port concerned. A double Combo port can only be a Layer 2 Ethernet interface.

Currently, the Switch 4500G Family series supports double Combo ports.


Configuring Combo port state

Follow these steps to configure a double Combo port state:

Table 93 Configuring Combo port state
To…: Use the command (Remarks)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Enable a specified double Combo port: undo shutdown (Optional; by default, of the two ports in a Combo port, the one with the smaller port ID is enabled. The port with the smaller port ID is of electrical type.)

Basic Ethernet Interface Configuration

Three types of duplex modes exist for Ethernet interfaces:

■ Full-duplex mode (full): in this mode, data packets can be sent and received simultaneously;

■ Half-duplex mode (half): in this mode, at any given time either sending or receiving of data packets is allowed, but not both;

■ Autonegotiation mode (auto): in this mode, the transmission mode is negotiated between the peer Ethernet interfaces.

If you configure the transmission rate of an Ethernet interface as auto, the rate is automatically negotiated between the peer Ethernet interfaces.

Follow these steps to make basic Ethernet interface configurations:

Table 94 Basic Ethernet Interface Configuration
To…: Use the command (Remarks)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Enable an Ethernet interface: undo shutdown (Optional; enabled by default. Use the shutdown command to disable a port.)
Configure the description for an Ethernet interface: description text (Optional; defaults to the current interface name followed by the interface string)
Configure the duplex mode for an Ethernet interface: duplex { auto | full | half } (Optional; defaults to auto)
Configure the transmission rate for an Ethernet interface: speed { 10 | 100 | 1000 | auto } (Optional; defaults to auto)


■ For a double Combo port, the optical port goes up when you use the undo shutdown command on it, and the paired electrical port goes down, and vice versa.

■ The mdi and virtual-cable-test commands are not available on the optical Combo port.

■ The optical Combo port cannot work in half-duplex mode and supports only two speed options: 1000 Mbps and auto.

■ When a port works at 1000 Mbps, you cannot configure it in half-duplex mode, and vice versa.

Configuring Flow Control on an Ethernet Interface

When flow control is turned on between peer Ethernet interfaces and traffic congestion occurs at the ingress interface, the ingress interface sends a Pause frame notifying the egress interface to temporarily suspend the sending of packets. The egress interface is expected to stop sending new packets when it receives the Pause frame. In this way, flow control helps avoid the dropping of packets. Note that this is possible only after both the ingress and the egress interface have turned on flow control.

Follow these steps to configure flow control on an Ethernet interface:

Table 95 Configuring Flow Control on an Ethernet Interface
To…: Use the command… (Remarks)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Turn on flow control on an Ethernet interface: flow-control (Required; turned off by default)

Currently, the Switch 4500G Family series supports flow control only in the inbound direction.

Configuring Loopback Testing on an Ethernet Interface

You can enable loopback testing to check whether an Ethernet interface is functioning properly. Note that no data packets can be forwarded during the test. Loopback testing falls into the following two categories:

■ Internal loopback testing: the packets from an interface go inside the switch and then back to the original interface. If the internal loopback test succeeds, the interface is OK.

■ External loopback testing: a loopback plug needs to be plugged into the Ethernet interface. If data packets sent from the interface are received by the same interface through the loopback plug, the external loopback test is successful, indicating that the interface is functioning properly.


Follow these steps to configure Ethernet interface loopback testing:

Table 96 Configuring Loopback Testing on an Ethernet Interface
To…: Use the command… (Remarks)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Enable loopback testing: loopback { external | internal } (Optional; disabled by default)

■ Loopback testing is not applicable when the interface is in the shutdown state;

■ The speed, duplex, mdi, and shutdown commands are not applicable during loopback testing;

■ Loopback testing is not supported on certain interfaces. Performing loopback testing on these interfaces triggers a system prompt indicating as much.

Configuring a Port Group

To make configuration easier, certain devices allow users to configure a single port as well as multiple ports in a port group. In port group view, the user needs to enter a configuration command only once and that configuration applies to all ports in the port group. This effectively reduces redundant configuration.

A port group belongs to one of the following two categories:

■ Manual port group: manually created by users. Multiple Ethernet interfaces can be added to the same port group;

■ Dynamic port group: dynamically created by the system, currently mainly used for link aggregation port groups. A link aggregation port group is automatically created together with the creation of a link aggregation group and cannot be created by users through the command line. Ports can be added to or deleted from a link aggregation port group only through operations on the link aggregation group.

Follow these steps to enter port group view:

Table 97 Configuring a Port Group
To…: Use the command… (Remarks)
Enter system view: system-view
Enter manual port group view: port-group manual port-group-name
  or enter aggregation port group view: port-group aggregation agg-id


Follow these steps to configure a manual port group:

Table 98 Configure Manual Port Group
To…: Use the command… (Remarks)
Enter system view: system-view
Create a manual port group, and enter manual port group view: port-group manual port-group-name (Required)
Add an Ethernet interface to a specified manual port group: group-member interface-list (Required)
Display information for a specified port group or all manual port groups: display port-group manual [ all | name port-group-name ] (Available in any view)

■ For details on configuring a link aggregation port group, refer to Link Aggregation.

■ Manual port groups do not survive a system reboot.

Configuring Storm Suppression Ratio on an Ethernet Interface

You can use the following commands to suppress broadcast, multicast, and unknown unicast traffic.

Traffic that exceeds the configured threshold is discarded so that the traffic remains below the configured threshold. This effectively prevents storms, avoids network congestion, and ensures that the network functions properly.

Configure the storm suppression ratio on an Ethernet interface:

Table 99 Configuring Storm Suppression Ratio on an Ethernet Interface
To…: Use the command… (Remarks)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
  or enter port group view: port-group { manual port-group-name | aggregation agg-id }
  (At least one required. Configurations made in Ethernet interface view apply to the current port only, whereas configurations made in port group view apply to all ports in the group.)
Configure broadcast storm suppression ratio: broadcast-suppression { ratio | pps pps } (Optional; defaults to 100%, that is, broadcast traffic is not suppressed by default)
Configure multicast storm suppression ratio: multicast-suppression { ratio | pps pps } (Optional; defaults to 100%, that is, multicast traffic is not suppressed by default)
Configure unknown unicast storm suppression ratio: unicast-suppression { ratio | pps pps } (Optional; defaults to 100%, that is, unknown unicast traffic is not suppressed by default)


Copying Configurations from a Specified Port to Other Ports

Using the copy configuration command, you can easily copy configurations from a specified Ethernet interface to other Ethernet interfaces, provided that they all work in Layer 2 mode.

Configurations that can be copied include VLAN, QoS, STP, and port configurations, as listed below:

■ VLAN configurations: VLANs that are allowed to pass through the port, default VLAN ID;

■ QoS configurations: rate limiting, port priority, default 802.1p priorities;

■ STP configuration: STP enabled/disabled, link type (point-to-point or not), STP priority, route cost, rate limit, looping, root protection, edge port or not.

■ Port configuration: link type, rate, duplex mode.

Follow these steps to copy configurations from a specified port to other ports:

Table 100 Copying Configurations from a Specified Port to Other Ports
To…: Use the command… (Remarks)
Enter system view: system-view
Copy configurations on a specified Layer 2 Ethernet interface to other Layer 2 Ethernet interfaces: copy configuration source interface-type interface-number destination interface-list (Required)

Enabling the Forwarding of Jumbo Frames

Because of the tremendous amount of traffic on an Ethernet, some frames may have a frame size greater than the standard Ethernet frame size. By allowing such frames (called jumbo frames) to pass through Ethernet interfaces, you can forward frames whose size is greater than the standard Ethernet frame size yet still within the specified size range.

Follow these steps to enable the forwarding of jumbo frames:

Table 101 Enabling the Forwarding of Jumbo Frames
To…: Use the command… (Remarks)
Enter system view: system-view
Enable the forwarding of jumbo frames on port group ports: port-group { manual port-group-name | aggregation agg-id }, then jumboframe enable
  or enable the forwarding of jumbo frames on a specified port: interface interface-type interface-number, then jumboframe enable
  (At least one required)

Configuring an Ethernet Interface to Perform Loopback Detection

The purpose of loopback detection is to detect loopbacks on an interface.

When loopback detection is enabled on an Ethernet interface, the device routinely checks whether the port has an external loopback. If it detects a loopback on a port, the device puts that port into loopback detection mode.


■ If loopbacks are detected on an Access port, the port is shut down, a Trap message is sent to the terminal, and the corresponding MAC address forwarding entries are deleted.

■ If a Trunk port or Hybrid port has been detected with loopbacks, a Trap messag loopback detection control feature is enabled on them. In addition, a Trap message is sent to the terminal and the corresponding MAC address forwarding entries are deleted.

Follow these steps to configure loopback detection:

Table 102 Configuring an Ethernet Interface to Perform Loopback Detection
To…: Use the command… (Remarks)
Enter system view: system-view
Enable global loopback detection: loopback-detection enable (Required; disabled by default)
Configure the time interval for external loopback detection: loopback-detection interval-time time (Optional; defaults to 30 seconds)
Enter Ethernet interface view: interface interface-type interface-number
Enable loopback detection on a specified port: loopback-detection enable (Required; disabled by default)
Enable the loopback detection control feature on the current trunk or hybrid port: loopback-detection control enable (Optional; disabled by default)
Enable loopback detection in all VLANs of Trunk ports or Hybrid ports: loopback-detection per-vlan enable (Optional; by default, enabled only in the default VLAN(s) of Trunk ports or Hybrid ports)
Display loopback detection information on a port: display loopback-detection (Available in any view)

CAUTION:

■ Loopback detection on a given port is enabled only after the loopback-detection enable command has been issued in both system view and the interface view of the port.

■ Loopback detection on all ports is disabled after the undo loopback-detection enable command is issued in system view.


Configuring Cable Type on an Ethernet Interface

Ethernet interfaces use two types of cable: cross-over cable and straight-through cable. The former is normally used to connect data terminal equipment (DTE) to data communication equipment (DCE), while the latter connects DTEs only.

Follow these steps to configure the cable type on an Ethernet interface:

Table 103 Configuring Cable Type on an Ethernet Interface
To…: Use the command… (Remarks)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Configure the cable type for an Ethernet interface: mdi { across | auto | normal } (Optional; defaults to auto, that is, the system automatically detects the type of cable in use)

■ The mdi command is not supported on a Combo optical port.

■ For the mdi command, only auto mode can be successfully implemented on the Switch 4500G Family series.

Ethernet Interface Cable Testing

Follow these steps to test the current working state of Ethernet interface cables. The system returns the test result within five seconds, indicating the receive direction (RX), the transmit direction (TX), any short circuit or open circuit, and the length of the failed cable.

Table 104 Ethernet Interface Cable Testing
To…: Use the command… (Remarks)
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Test the current working state of Ethernet interface cables: virtual-cable-test (Required)

The virtual-cable-test command is not supported on a Combo optical port.


Maintaining and Displaying an Ethernet Interface

Table 105 Maintaining and Displaying an Ethernet Interface
To…: Use the command… (Remarks)
Display the current state of a specified interface and related information: display interface [ interface-type [ interface-number ] ] (Available in any view)
Display a summary of a specified interface: display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ] (Available in any view)
Reset the statistics of a specified interface: reset counters interface [ interface-type [ interface-number ] ] (Available in user view)
Display the current ports of a specified type: display port { hybrid | trunk | combo } (Available in any view)


16 LINK AGGREGATION CONFIGURATION

Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called a logical group, to increase reliability and bandwidth.

When configuring this feature, use the following table to identify where to go for the information you need:

Table 106 Information

If you need to… Go to…

■ Know how link aggregation functions, what protocol is involved, and what approaches are adopted to link aggregation: Link Aggregation Overview

■ Configure link aggregation: Configuring Link Aggregation

■ Consult the display and reset commands available for verifying and maintaining link aggregation configuration: Displaying and Maintaining Link Aggregation

■ See how to configure link aggregation in typical scenarios: Link Aggregation Configuration Example

Link Aggregation Overview

Link aggregation is used to group multiple Ethernet ports together to form an aggregation group. An upper layer entity that uses the link aggregation service treats the multiple physical links in an aggregation group as one logical link.

Link aggregation allows you to increase bandwidth by distributing incoming and outgoing traffic across the member ports of an aggregation group. In addition, it provides reliable connectivity because the member ports can dynamically back each other up.

To get more information about link aggregation, go to these topics:

■ Consistency Considerations for Ports in an Aggregation

■ LACP

■ Approaches to Link Aggregation

■ Load Sharing in a Link Aggregation Group

■ Aggregation Port Group

LACP

The link aggregation control protocol (LACP) is defined in IEEE 802.3ad. Link aggregation control protocol data units (LACPDUs) are used for exchanging information among LACP-enabled devices.

Page 162: 3Com Switch 4500G Family Configuration Guide

162 CHAPTER 16: LINK AGGREGATION CONFIGURATION

LACP is enabled automatically after a port is added to a static link aggregation group. The port sends LACPDUs to notify the remote system of its system LACP priority, system MAC address, port LACP priority, port number, and operational key. Upon receipt of an LACPDU, the remote system compares the received information with the information received on its other ports to determine which ports can operate as selected ports. This allows the two systems to reach agreement on the states of the related ports.

When aggregating ports, link aggregation control automatically assigns each port an operational key based on its rate, duplex mode, and other basic configurations. In an aggregation group, the selected ports share the same operational key.

Consistency Considerations for Ports in an Aggregation

To participate in traffic sharing, member ports in an aggregation must use consistent configurations with respect to STP, QoS, BPDU tunnel, GVRP, VLAN, and port attributes, as shown in the following table.

Item: Considerations

STP
■ Enable/disable state of port-level STP
■ Attribute of the link (point-to-point or otherwise) connected to the port
■ Port route metrics
■ STP priority
■ Maximum transmission rate
■ Enable/disable state of loop protection
■ Enable/disable state of root protection
■ Whether the port is an edge port

QoS
■ Rate limiting
■ Default 802.1p priority
■ Bandwidth assurance
■ Congestion avoidance
■ Traffic policing, SP queuing, WRR queue scheduling, packet priority trust mode, traffic template

GVRP
■ GVRP enable/disable state, GVRP registration type, GVRP timer value

VLAN
■ VLANs carried on the port
■ Default VLAN ID on the port
■ Link type of the port, which can be trunk, hybrid, or access
■ Whether VLAN packets are tagged

Port attribute
■ Port rate
■ Duplex mode
■ Up/down state of the link
■ Whether the port is inside the isolation group
■ Broadcast/multicast/unicast suppression ratio
■ Jumbo frame enable/disable state

MAC address learning
■ Whether the number of MAC addresses learned is limited


Approaches to Link Aggregation

Manual aggregations are created manually. Member ports in a manual aggregation are LACP-disabled.

Port states in a manual aggregation group

In a manual aggregation group, ports can be selected or unselected, where selected ports can receive and transmit data frames whereas unselected ones cannot.

The port in the Selected state and with the least port ID is the master port of the aggregation group, and other ports in the aggregation group are member ports.

When setting the state of the ports in a manual aggregation group, the system performs the following:

■ When ports in up state are present in the group, select a master port in the order of full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duplex/low speed, with the full duplex/high speed being the most preferred. When two ports with the same duplex mode/speed pair are present, the one with the lower port number wins out. Then, place those ports with the same speed/duplex pair, link state and basic configuration in selected state and others in unselected state.

■ When all ports in the group are down, select the port with the lowest port number as the master port and set all ports (including the master) in unselected state.

■ Place the ports that cannot aggregate with the master in unselected state.

Manual aggregation limits the number of selected ports in an aggregation group. When the limit is exceeded, the system changes the state of the selected ports with the greatest port numbers to unselected until the number of selected ports drops under the limit.

In addition, unless it should become the master port, a port that joins the group after the limit is reached is not placed in selected state even if it normally would be. This prevents the ongoing service on the selected ports from being interrupted. Avoid this situation, however, because the selected/unselected state of such a port may change after a reboot.
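As an added illustration of the master-port and selected-port rules above (example code written for this text, not 3Com's own software), the following Python model ranks candidate ports by duplex, speed and port number, applies the consistency check against the master, and enforces the selected-port limit. Port, select_manual_group and state_after_join are constructed names; the default limit of eight comes from the note in this chapter.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """One physical member port of a manual aggregation group (constructed model)."""
    number: int          # port number; the lower number wins ties
    up: bool             # link up/down state
    full_duplex: bool    # duplex mode
    speed_mbps: int      # port rate
    config: tuple = ()   # other basic configuration (VLAN, STP, QoS ...) as a hashable tuple


def master_rank(port: Port):
    """Sort key for master selection: full duplex before half duplex, then higher
    speed, then lower port number. The smallest key wins."""
    return (not port.full_duplex, -port.speed_mbps, port.number)


def can_aggregate_with(port: Port, master: Port) -> bool:
    """A port can be selected only if its speed/duplex pair, link state and basic
    configuration match the master's."""
    return (port.up
            and port.full_duplex == master.full_duplex
            and port.speed_mbps == master.speed_mbps
            and port.config == master.config)


def select_manual_group(ports, max_selected=8):
    """Return (master port number, set of selected port numbers) for a manual group.
    max_selected models the per-group limit (eight GE ports on the 4500G according
    to the note in this chapter; pass another value for other cases)."""
    if not ports:
        raise ValueError("an aggregation group needs at least one port")
    up_ports = [p for p in ports if p.up]
    if not up_ports:
        # all ports down: lowest port number is master, every port (master included) unselected
        return min(ports, key=lambda p: p.number).number, set()
    master = min(up_ports, key=master_rank)
    selected = sorted((p for p in ports if can_aggregate_with(p, master)),
                      key=lambda p: p.number)
    # over the limit: the ports with the greatest port numbers go back to unselected
    selected = selected[:max_selected]
    return master.number, {p.number for p in selected}


def state_after_join(ports, new_port, max_selected=8):
    """State of the group after new_port joins. When the limit is already reached the
    joining port stays unselected so ongoing service is not disturbed, unless it would
    become the master (our reading of the text above; the device may differ in detail)."""
    master, selected = select_manual_group(ports, max_selected)
    if len(selected) < max_selected:
        return select_manual_group(ports + [new_port], max_selected)
    new_master, _ = select_manual_group(ports + [new_port], max_selected)
    if new_master == new_port.number:
        return select_manual_group(ports + [new_port], max_selected)
    return master, selected


if __name__ == "__main__":
    # constructed group: ports 1-2 full duplex/1000, 3 half duplex, 4 down, 5 full duplex/100
    demo = [Port(1, True, True, 1000), Port(2, True, True, 1000),
            Port(3, True, False, 1000), Port(4, False, True, 1000),
            Port(5, True, True, 100)]
    print(select_manual_group(demo))
```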

Port configuration considerations in manual aggregation

As mentioned above, in a manual aggregation group only ports whose configurations are consistent with those of the master port can become selected. These configurations include port rate, duplex mode, link state and the other basic configurations described in section “Consistency Considerations for Ports in an Aggregation” on page 162.

You need to maintain the basic configurations of these ports manually to ensure consistency. As one configuration change may involve multiple ports, this can become troublesome if you have to do it port by port. As a solution, you may add the ports into an aggregation port group as described in “Aggregation Port Group” on page 165, where you can configure all member ports at once.

When the configuration of a port in a manual aggregation group changes, the system does not remove the aggregation as it does in a dynamic aggregation group; instead, it resets the selected/unselected state of the member ports and re-selects a master port.


Note:

■ Currently the Switch 4500G series switches support up to twelve valid aggregation groups, each containing up to eight GE ports or two 10GE ports in selected state.

■ An aggregation group is valid only when more than one of its member ports is selected.

Static LACP link aggregation

Static aggregations are created manually. After you add a port to a static aggregation, LACP is enabled on it automatically.

Port states in a static aggregation group

In a static aggregation group, ports can be selected or unselected, where both can receive and transmit LACPDUs but only selected ports can receive and transmit data frames. The selected port with the lowest port number is the master port as mentioned in “Consistency Considerations for Ports in an Aggregation” on page 162.

All member ports that cannot aggregate with the master are placed in unselected state. These ports include those using the basic configurations different from the master port.

Member ports in up state can be selected if their configuration is the same as that of the master port. The number of selected ports, however, is limited in a static aggregation group. When the limit is exceeded, the local and remote systems negotiate the state of their ports as follows:

1 Compare the actor and partner system IDs, each of which comprises a two-byte system LACP priority followed by a six-byte system MAC address:

■ First compare the system LACP priorities.

■ If they are the same, compare the system MAC addresses. The system with the smaller system ID has the higher priority.

2 On the system with the higher priority, compare the port IDs, each of which comprises a two-byte port LACP priority followed by a two-byte port number:

■ Compare the port LACP priorities.

■ If ports with the same port LACP priority are present, compare their port numbers. The ports with the higher port IDs change to unselected state, and so do the corresponding remote ports.
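The two-step comparison above, as an added Python model (example code for this text, not 3Com's LACP implementation): system IDs and port IDs are packed exactly as the text describes, priority in the high bytes, so a plain integer comparison reproduces "priority first, then MAC address / port number". LacpSystem, LacpPort, negotiate_selected and the MAC addresses are constructed for the example; the 32768 defaults are those given in Table 108.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LacpSystem:
    """Identity a system advertises in its LACPDUs (constructed model)."""
    priority: int   # two-byte system LACP priority, 32768 by default
    mac: str        # six-byte system MAC address written as xxxx-xxxx-xxxx

    def system_id(self) -> int:
        # eight-byte system ID: priority in the high two bytes, MAC in the low six.
        # A smaller value means a higher LACP priority.
        return (self.priority << 48) | int(self.mac.replace("-", ""), 16)


@dataclass(frozen=True)
class LacpPort:
    number: int
    priority: int = 32768   # two-byte port LACP priority, 32768 by default

    def port_id(self) -> int:
        # four-byte port ID: priority in the high two bytes, port number in the low two
        return (self.priority << 16) | self.number


def higher_priority_system(actor: LacpSystem, partner: LacpSystem) -> str:
    """Step 1: the system with the smaller system ID has the higher priority."""
    return "actor" if actor.system_id() <= partner.system_id() else "partner"


def negotiate_selected(actor, actor_ports, partner, partner_ports, links, max_selected):
    """Decide which links stay selected once the group exceeds max_selected.

    links: (actor port number, partner port number) pairs for the member links that
    are up and consistent with the master. Returns the actor port numbers that remain
    selected; the corresponding partner ports follow the same decision."""
    actor_by_num = {p.number: p for p in actor_ports}
    partner_by_num = {p.number: p for p in partner_ports}
    if higher_priority_system(actor, partner) == "actor":
        def rank(link):
            return actor_by_num[link[0]].port_id()
    else:
        def rank(link):
            return partner_by_num[link[1]].port_id()
    # Step 2: order links by port ID on the higher-priority system (port priority first,
    # then port number); links with the highest IDs beyond the limit become unselected
    # on both ends.
    ordered = sorted(links, key=rank)
    return {actor_num for actor_num, _ in ordered[:max_selected]}


def master_port(selected_port_numbers):
    """The selected port with the lowest port number is the master port."""
    return min(selected_port_numbers)


if __name__ == "__main__":
    # constructed systems: the partner wins on system priority (100 < 32768)
    actor = LacpSystem(32768, "00e0-fc00-0001")
    partner = LacpSystem(100, "00e0-fc00-00ff")
    actor_ports = [LacpPort(1), LacpPort(2), LacpPort(3)]
    partner_ports = [LacpPort(7), LacpPort(8), LacpPort(9, priority=100)]
    links = [(1, 7), (2, 8), (3, 9)]
    print(negotiate_selected(actor, actor_ports, partner, partner_ports, links, 2))
```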

Port configuration considerations in static aggregation

As in a manual aggregation group, in a static LACP aggregation group only ports whose configurations are consistent with those of the master port can become selected. These configurations include port rate, duplex mode, link state and the other basic configurations described in “Consistency Considerations for Ports in an Aggregation” on page 162.

You need to maintain the basic configurations of these ports manually to ensure consistency. As one configuration change may involve multiple ports, this can become troublesome if you have to do it port by port. As a solution, you may add the ports into an aggregation port group, where you can configure all member ports at once.

When the configuration of a port in a static aggregation group changes, the system does not remove the aggregation as it does in a dynamic aggregation group; instead, it resets the selected/unselected state of the member ports and re-selects a master port.


Note:

■ Currently, the Switch 4500G Ethernet switches support up to 12 valid aggregation groups, each supporting up to eight GE ports or two 10 GE ports in selected state. When there are more than 12 aggregation groups, the device selects the 12 valid aggregation groups by aggregation group ID.

■ An aggregation group takes effect only when more than one of its member ports is in selected state.

Load Sharing in a Link Aggregation Group

Link aggregation groups fall into load-sharing aggregation groups and non-load-sharing aggregation groups depending on whether they support load sharing.

Link aggregation groups perform load sharing depending on the availability of hardware resources. When hardware resources are available, link aggregation groups created with at least two ports perform load sharing, and link aggregation groups created with only one port do not. After hardware resources become depleted, link aggregation groups work in non-load-sharing mode.

Note:

■ When only one port is left in an aggregation group, the group becomes non-load sharing.

■ A load-sharing aggregation group contains at least two selected ports, whereas a non-load-sharing aggregation group can have at most one selected port, with all other ports unselected.

■ A newly created aggregation group is non-load sharing when there are already more than twelve valid aggregation groups.

■ When you delete an existing valid aggregation group, a new valid aggregation group may be created automatically from the non-load-sharing ones according to port speed and duplex mode, and the selected ports in this aggregation group may be chosen again.

■ Currently the Switch 4500G series switches support up to twelve valid aggregation groups.

Aggregation Port Group

As mentioned earlier, in a manual or static aggregation group a port can be selected only when its configuration is the same as that of the master port in terms of duplex/speed pair, link state, and other basic configurations. Keeping the configurations consistent requires administrative maintenance, which is troublesome after you change some configuration.

To simplify configuration, port groups are provided so that you can configure all ports in a group at one time. One kind of port group is the aggregation port group.

An aggregation port group is created or removed automatically when the corresponding link aggregation group is created or removed; it cannot be created or removed administratively. Likewise, you can only assign a member port to, or remove it from, an aggregation port group by assigning it to, or removing it from, the corresponding link aggregation group.

For more information about port-groups, refer to the “Configuring a Port Group” on page 154.


Configuring Link Aggregation

CAUTION:

■ When you change the configuration of a member port of an aggregation group in port view, the change is not synchronized to the other member ports of the group; to synchronize the configuration, you must make the change in port group view.

■ Two connected ports must both be in the aggregation group.

Configuring a Manual Link Aggregation Group

Follow these steps to configure a manual aggregation group:

You may create a manual aggregation group by changing the type of an existing static or dynamic aggregation group. If the specified group contains ports, its group type changes to manual with LACP disabled on its member ports; if not, its group type changes to manual directly.

When you create an aggregation group, consider the following:

■ The aggregation group type is changed to the new type you configured if there is no port in the group.

■ If there are ports in the aggregation group, you can only change the static aggregation group to the manual one.

When assigning an Ethernet port to a manual aggregation group, consider the following:

■ An aggregation group cannot include monitor ports in mirroring, ports with static MAC addresses, or 802.1x-enabled ports.

■ You can remove all ports in a manual aggregation group by removing the group. If this group contains only one port, you can remove the port only by removing the group.

Note: To guarantee a successful aggregation, ensure that the ports at the two ends of each link to be aggregated, are consistent in selected/unselected state.

Table 107 Configuring a Manual Link Aggregation Group

To do… Use the command… Remarks

■ Enter system view: system-view

■ Create a manual aggregation group: link-aggregation group agg-id mode manual (required)

■ Enter Ethernet interface view: interface interface-type interface-number

■ Assign the Ethernet port to the aggregation group: port link-aggregation group agg-id (required)


Configuring a Static LACP Link Aggregation Group

Follow these steps to configure a static aggregation group:

You may create a static aggregation group by changing the type of an existing link aggregation group.

When assigning an Ethernet port to a static aggregation group, consider the following:

■ An aggregation group cannot include ports with static MAC addresses, or 802.1x-enabled ports.

■ After you assign an LACP-disabled port to a static aggregation group, its LACP is enabled.

■ For a static LACP aggregation group that contains only one port, you can remove the port from the aggregation group only by removing the aggregation group.

Note: When creating a configuration, be aware that after a load-sharing aggregation group changes to a non-load-sharing group because of resource exhaustion, either of the following may happen:

■ Forwarding anomalies resulting from the two ends having different numbers of selected ports.

■ Some protocols, such as GVRP, malfunction because the state of the remote port connected to the master port is unselected.

Configuring an Aggregation Group Name

Follow these steps to configure a name for an aggregation group:

Table 108 Configuring a Static LACP Link Aggregation Group

To do… Use the command… Remarks

■ Enter system view: system-view

■ Configure the system LACP priority: lacp system-priority system-priority-value (optional; 32768 by default)

■ Create a static LACP aggregation group: link-aggregation group agg-id mode static (required)

■ Enter Ethernet interface view: interface interface-type interface-number

■ Configure the port LACP priority: lacp port-priority port-priority-value (optional; 32768 by default)

■ Assign the Ethernet port to the aggregation group: port link-aggregation group agg-id (required)

Table 109 Configuring an Aggregation Group Name

To do… Use the command… Remarks

■ Enter system view: system-view

■ Configure a name for a link aggregation group: link-aggregation group agg-id description agg-name (required; none is configured by default)


Note:

■ When configuring a name or description for a link aggregation group, make sure that the group exists. You may check for existing link aggregation groups with the display link-aggregation summary command or the display link-aggregation interface command.

■ If you save the current configuration using the save command, the manual/static aggregation configuration (including the aggregation groups created and aggregation group names) remains valid even if the device restarts.

Entering Aggregation Port Group View

In aggregation port group view, you can configure for all the member ports in a link aggregation group at one time.

Follow these steps to enter aggregation port group view:

CAUTION: In aggregation port group view, you can configure aggregation-related settings such as STP, VLAN, QoS, GVRP, and multicast, but you cannot add or remove member ports.

Table 110 Entering Aggregation Port Group View

To do… Use the command… Remarks

■ Enter system view: system-view

■ Enter aggregation port group view: port-group aggregation agg-id

Displaying and Maintaining Link Aggregation

Table 111 Displaying and Maintaining Link Aggregation

To do… Use the command… Remarks

■ Display the local system ID: display lacp system-id (available in any view)

■ Display detailed information on link aggregation for the specified port or ports: display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] (available in any view)

■ Display summaries for all link aggregation groups: display link-aggregation summary (available in any view)

■ Display detailed information about specified or all link aggregation groups: display link-aggregation verbose [ agg-id ] (available in any view)

■ Clear the LACP statistics for specified or all ports: reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ] (available in user view)


Link Aggregation Configuration Example

Network requirements

Switch A aggregates ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to form one link connected to Switch B, achieving load sharing among these ports.

Network diagram

Figure 50 Network diagram for link aggregation

Configuration procedure

This example only describes how to configure on Switch A. To achieve link aggregation, do the same on Switch B.

1 Using the manual aggregation approach

a Create manual aggregation group 1.

<3Com> system-view
[3Com] sysname SwitchA
[SwitchA] link-aggregation group 1 mode manual

b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.

[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1

2 Using the static aggregation approach

a Create static aggregation group 1.

<SwitchA> system-view
[SwitchA] link-aggregation group 1 mode static

b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.

[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1


The three ports can form one dynamic aggregation group only when they share the same basic configuration.


17 PORT ISOLATION CONFIGURATION

Port Isolation Overview

Through the port isolation feature, you can add the ports to be controlled to an isolation group so that Layer 2 and Layer 3 traffic is isolated between the ports in the isolation group. This improves network security and gives you more flexibility in building the network.

Currently, you can configure only one isolation group on a switch. The number of Ethernet ports an isolation group can accommodate is not limited.

The port isolation function is independent of VLAN configuration.

Port Isolation Configuration

Table 112 lists the operations to add an Ethernet port to an isolation group.

Displaying Port Isolation Configuration

After the above configuration, you can execute the display command in any view to display the running state after port isolation configuration. You can verify the configuration effect through checking the displayed information.

Table 112 Configure port isolation

Operation Command Description

■ Enter system view: system-view

■ Enter Ethernet interface view or port group view (at least one required):
  ■ Enter Ethernet port view: interface interface-type interface-number
  ■ Enter port group view: port-group { manual port-group-name | aggregation agg-id }
  Configurations made in Ethernet interface view apply to the current port only, whereas configurations made in port group view apply to all ports in the group.

■ Add the Ethernet port to the isolation group: port-isolate enable (required; by default, an isolation group contains no port)

Table 113 Display port isolation configuration

Operation Command Description

■ Display the information about the Ethernet ports added to the isolation group: display port-isolate group (you can execute the display command in any view)


Port Isolation Configuration Example

Network requirements

■ PC 2, PC 3 and PC 4 are connected to GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports.

■ The switch connects to the Internet through GigabitEthernet1/0/1 port.

■ It is desired that PC 2, PC 3 and PC 4 cannot communicate with each other.

Network diagram

Figure 51 Network diagram for port isolation configuration

Configuration procedure

1 Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the isolation group.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface GigabitEthernet1/0/2
[3Com-GigabitEthernet1/0/2] port-isolate enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet1/0/3
[3Com-GigabitEthernet1/0/3] port-isolate enable
[3Com-GigabitEthernet1/0/3] quit
[3Com] interface GigabitEthernet1/0/4
[3Com-GigabitEthernet1/0/4] port-isolate enable

2 Display the information about the ports in the isolation group.

<3Com> display port-isolate group
Port-isolate group information:
Uplink port support: NO
Group ID: 1
GigabitEthernet1/0/2 GigabitEthernet1/0/3 GigabitEthernet1/0/4


18 MAC ADDRESS TABLE MANAGEMENT

Introduction to Managing MAC Address Table

An Ethernet switch maintains a MAC address table to speed up packet forwarding. A table entry includes the MAC address of a device connected to the Ethernet switch, and the interface number and VLAN ID of the Ethernet switch interface connected to that device. A MAC address table includes both static and dynamic address entries. Static entries are manually configured by users, whereas dynamic entries can be manually configured by users or dynamically learned by the Ethernet switch. Static entries are never aged, whereas dynamic entries can be aged (if the entry has its aging time configured as aging, it is aged; if it is configured as no-aging, it is not aged).

An Ethernet switch learns a MAC address in the following way: after receiving a data frame on a port (call it port A), the Ethernet switch examines its source MAC address (call it MAC-SOURCE) and concludes that packets destined for MAC-SOURCE can be forwarded through port A. If the table already contains MAC-SOURCE, the Ethernet switch updates the corresponding entry; otherwise, it adds the new MAC address and its forwarding port to the table as a new entry.

During MAC address learning, static MAC addresses that are manually configured by users are not overwritten by dynamic MAC addresses. However, dynamic addresses can be overwritten by static ones.

The Ethernet switch forwards packets whose destination MAC addresses can be found in the MAC address table and broadcasts those whose destination MAC addresses are not in the table. Upon receipt of the broadcast packet, the destination network device sends back a response packet that contains the MAC address of the device. The Ethernet switch learns this new MAC address and adds it to the MAC address table. Subsequent packets destined for the same MAC address can then be forwarded directly.


Figure 52 An Ethernet switch forwards packets according to the MAC address table

The Ethernet switch also provides the function of MAC address aging. If the Ethernet switch does not receive a packet from a network device within a period of time, it will delete the corresponding entry from the MAC address table.

You can configure (add or modify) the MAC address entries manually according to the actual network environment. The entries can be static ones or dynamic ones.

Configuring the MAC Address Table

Configuring MAC Address Table Entries

Administrators can manually add, modify, or delete the entries in a MAC address table according to actual needs.

Figure 52 content: MAC address table with entries MACA (port 1), MACB (port 1), MACC (port 2), MACD (port 2); frames addressed to MACD and MACA are shown at Port 1 and Port 2.

Table 114 Configure MAC Address Table Entries

To do… Use the command… Remarks

■ Enter system view: system-view

■ Add/modify an address entry: mac-address { blackhole | dynamic | static } mac-address interface interface-type interface-number vlan vlan-id (required)

■ Enter the interface view of a specified interface: interface interface-type interface-number

■ Add/modify address entries in the specified interface view: mac-address { blackhole | dynamic | static } mac-address vlan vlan-id (required)


Configuring MAC Address Aging Time for the System

Setting the aging time too long results in a large number of outdated entries being kept in the MAC address table, which exhausts the MAC address table resources and makes it impossible for the Ethernet switch to update the MAC address table as the network changes. On the other hand, if the aging time is set too short, valid MAC address table entries may be deleted by the Ethernet switch, causing a large number of data packets to be flooded and degrading switch performance. Therefore, it is important to set an appropriate aging time according to the actual network environment in order to implement MAC address aging effectively.

This command takes effect on all ports. However, address aging only applies to dynamic addresses (those learned, or configured by the user as aging entries).

Configuring the Maximum MAC Addresses that an Ethernet Port or a Port Group Can Learn

Using the following commands, you can set a limit on the number of MAC address table entries maintained by the Ethernet switch. Setting the number too high may degrade forwarding performance. If the maximum number of MAC addresses is set to count, then once the number of learned MAC addresses reaches count, the interface no longer learns any MAC addresses.

Table 115 Configure MAC address aging time for the system

To do… Use the command… Remarks

■ Enter system view: system-view

■ Configure the dynamic MAC address aging time: mac-address timer { aging seconds | no-aging } (optional; 300 seconds by default)

Table 116 Configuring the maximum MAC addresses that an Ethernet port or a port group can learn

To do… Use the command… Remarks

■ Enter system view: system-view

■ Enter the interface view of a port or the port group view of a port group (at least one required):
  ■ Enter the interface view of a specified port: interface interface-type interface-number
  ■ Enter the port group view of a specified port group: port-group { manual port-group-name | aggregation agg-id }
  The subsequent configuration applies to the current interface only after entering its interface view, and to all ports in a port group after entering the port group view.

■ Configure the maximum MAC addresses that can be learned by an Ethernet port, and whether to forward packets when the number of MAC addresses has reached count: mac-address max-mac-count count (required; by default, the maximum number of MAC addresses that an Ethernet port or a port group can learn is not configured)
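To make the learning, static-entry precedence, aging and max-mac-count rules of this chapter, together with the port isolation rule of the previous chapter, concrete, here is an added Python model of the MAC address table (example code for this text, not the switch firmware). MacTable and its methods, the port names and the sample MAC addresses are constructed for the example; the 300-second default and the 500-second value are the ones this chapter uses.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class MacEntry:
    port: str
    static: bool
    learned_at: float   # time the entry was learned or refreshed; ignored for static entries


class MacTable:
    """Constructed model of the switch's MAC address table."""

    def __init__(self, aging_seconds: Optional[int] = 300,
                 max_mac_count: Optional[Dict[str, int]] = None,
                 isolation_group: Iterable[str] = ()):
        self.aging = aging_seconds                 # None models "mac-address timer no-aging"
        self.max_mac_count = max_mac_count or {}   # port -> value of "mac-address max-mac-count"
        self.isolated = set(isolation_group)       # ports configured with "port-isolate enable"
        self.entries: Dict[Tuple[str, int], MacEntry] = {}   # (mac, vlan) -> entry

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        # "mac-address static ...": a static entry overwrites any dynamic entry and never ages
        self.entries[(mac, vlan)] = MacEntry(port, True, 0.0)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port and not e.static)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> bool:
        """Source-address learning. Returns True if an entry was added or refreshed."""
        key = (mac, vlan)
        current = self.entries.get(key)
        if current is not None and current.static:
            return False        # learning never overwrites a static entry
        if current is None:
            limit = self.max_mac_count.get(port)
            if limit is not None and self.dynamic_count(port) >= limit:
                return False    # port reached its max-mac-count: no new addresses are learned
        self.entries[key] = MacEntry(port, False, now)   # add, or refresh/move, the entry
        return True

    def age(self, now: float) -> int:
        """Delete dynamic entries not refreshed within the aging time; return how many."""
        if self.aging is None:
            return 0
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.learned_at >= self.aging]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, src_mac: str, dst_mac: str, vlan: int, in_port: str,
                all_ports: List[str], now: float) -> List[str]:
        """Learn the source, then return the egress ports: the known port on a table hit,
        every other port (flooding) on a miss. Port isolation drops egress ports that sit
        in the isolation group together with the ingress port."""
        self.learn(src_mac, vlan, in_port, now)
        hit = self.entries.get((dst_mac, vlan))
        egress = [hit.port] if hit is not None else [p for p in all_ports if p != in_port]
        return [p for p in egress
                if p != in_port and not (in_port in self.isolated and p in self.isolated)]


if __name__ == "__main__":
    # the chapter's example: static entry on GigabitEthernet 1/0/7 in VLAN 1, aging 500 s
    table = MacTable(aging_seconds=500)
    table.add_static("00e0-fc35-dc71", 1, "GE1/0/7")
    print(table.forward("0000-0000-00bb", "00e0-fc35-dc71", 1, "GE1/0/1",
                        ["GE1/0/1", "GE1/0/7"], now=0.0))
```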


Displaying and Maintaining the MAC Address Table

Table 117 Display and maintain the MAC address table

To... Use the command… Remarks

■ Display the information in the address table: display mac-address [ mac-address [ vlan vlan-id ] | [ blackhole | dynamic | static ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ] (available in any view)

■ Display the aging time of dynamic address table entries: display mac-address aging-time (available in any view)

MAC Address Table Management Configuration Example

Network requirements

The user logs on to the switch through the Console port. Configure the MAC address table management function: set the aging time for dynamic table entries to 500 seconds, and add a static address table entry “00e0-fc35-dc71” on interface GigabitEthernet 1/0/7 in VLAN 1.

Network diagram

Figure 53 Typical configuration of address table management


Configuration procedure

1 Enter the system view of the switch.

<3Com> system-view

2 Add a static MAC address (specify the native VLAN, port, and state).

[3Com] mac-address static 00e0-fc35-dc71 interface GigabitEthernet 1/0/7 vlan 1

3 Configure the aging time for dynamic MAC address table entries to be 500 seconds.

[3Com] mac-address timer aging 500

4 Display the MAC address configurations under any view.

[3Com] display mac-address interface gigabitEthernet 1/0/7
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-fc35-dc71 1 Config static GigabitEthernet 1/0/7 NOAGED
--- 1 mac address(es) found ---
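A static entry only protects a host if it stays on the port it was configured for, so an operator will want to check the table periodically rather than trust the configuration step alone. The following Python is an added example, not part of the guide and not a 3Com tool: it parses the display mac-address output format shown in step 4 and audits the rows against the static (MAC, VLAN) to port bindings the operator expects, reporting entries that are missing, that sit on a different port, or that are not static. The second output row and the expected-bindings table are constructed for the example; the row layout is taken from the display above, and the regular expression assumes GigabitEthernet port names.

```python
"""Added example: parse display mac-address output and audit expected static MAC-to-port bindings."""
import re
from typing import Dict, List, NamedTuple, Tuple


class MacEntry(NamedTuple):
    mac: str
    vlan: int
    state: str
    port: str
    aging: str


# One entry row of the display above: MAC ADDR, VLAN ID, STATE, PORT INDEX, AGING TIME. STATE may contain
# a space ("Config static"), so the port column anchors the match; GigabitEthernet ports are assumed.
ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<vlan>\d+)\s+(?P<state>.+?)\s+"
    r"(?P<port>GigabitEthernet \S+)\s+(?P<aging>\S+)\s*$",
    re.IGNORECASE,
)


def parse_display_mac_address(output: str) -> List[MacEntry]:
    """Return the entry rows of a display mac-address output; header and footer lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(MacEntry(m["mac"].lower(), int(m["vlan"]), m["state"], m["port"], m["aging"]))
    return entries


def audit_static_bindings(entries: List[MacEntry], expected: Dict[Tuple[str, int], str]) -> List[str]:
    """Compare the table against the static (MAC, VLAN) -> port bindings an operator expects.

    A binding that is missing, that sits on another port, or that is not a static entry is reported,
    since each of these defeats the purpose of configuring the static entry."""
    found = {(e.mac, e.vlan): e for e in entries}
    findings = []
    for (mac, vlan), port in sorted(expected.items()):
        entry = found.get((mac.lower(), vlan))
        if entry is None:
            findings.append(f"{mac} vlan {vlan}: static entry missing")
        elif entry.port != port:
            findings.append(f"{mac} vlan {vlan}: found on {entry.port}, expected {port}")
        elif "static" not in entry.state.lower():
            findings.append(f"{mac} vlan {vlan}: state is '{entry.state}', not static")
    return findings


# Constructed sample: the first row is the one shown in step 4; the second row is made up for the example.
SAMPLE_OUTPUT = """\
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-fc35-dc71 1 Config static GigabitEthernet 1/0/7 NOAGED
00e0-fc35-dc72 1 Config static GigabitEthernet 1/0/9 NOAGED
--- 2 mac address(es) found ---
"""

# Constructed expectations: dc71 matches, dc72 is expected on another port, dc73 is absent from the table.
EXPECTED_STATIC = {
    ("00e0-fc35-dc71", 1): "GigabitEthernet 1/0/7",
    ("00e0-fc35-dc72", 1): "GigabitEthernet 1/0/8",
    ("00e0-fc35-dc73", 1): "GigabitEthernet 1/0/10",
}


def run_audit() -> List[str]:
    return audit_static_bindings(parse_display_mac_address(SAMPLE_OUTPUT), EXPECTED_STATIC)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Running the script prints two findings for the constructed sample: the dc72 entry on the wrong port and the missing dc73 entry; the dc71 row from the guide passes. Feeding it the real output of display mac-address static would give the same kind of report for a live switch.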


19 MSTP CONFIGURATION

MSTP Overview

Introduction to STP

Functions of STP

The spanning tree protocol (STP) is a protocol used to eliminate loops in a local area network (LAN). Devices running this protocol detect loops in the network by exchanging information with one another and eliminate them by blocking certain ports until the looped network is pruned into a loop-free tree, thereby avoiding the proliferation and endless circulation of packets in a looped network.

Basic concepts in STP

1 Root bridge

A tree network must have a root; hence the concept of “root bridge” has been introduced in STP.

There is one and only one root bridge in the entire network, and the root bridge can change along with changes in the network topology. Therefore, the root bridge is not fixed.

Upon network convergence, the root bridge generates and sends out a BPDU at a certain interval, and the other devices just forward this BPDU. This mechanism ensures topological stability.

2 Root port

On a non-root bridge device, the root port is the port with the lowest path cost to the root bridge. The root port is responsible for forwarding data to the root bridge. A non-root-bridge device has one and only one root port. The root bridge has no root port.

3 Designated bridge and designated port

Refer to the following table for the description of designated bridge and designated port.

Table 118 Description of designated bridge and designated port

Classification | Designated bridge | Designated port
For a device | The device directly connected with this device and responsible for forwarding BPDUs | The port through which the designated bridge forwards BPDUs to this device
For a LAN | The device responsible for forwarding BPDUs to this LAN segment | The port through which the designated bridge forwards BPDUs to this LAN segment


Figure 54 shows designated bridges and designated ports. In the figure, AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Switch A, Switch B, and Switch C respectively.

■ If Switch A forwards BPDUs to Switch B through AP1, the designated bridge for Switch B is Switch A, and the designated port is the port AP1 on Switch A.

■ Two devices are connected to the LAN: Switch B and Switch C. If Switch B forwards BPDUs to the LAN, the designated bridge for the LAN is Switch B, and the designated port is the port BP2 on Switch B.

Figure 54 A schematic diagram of designated bridges and designated ports

All the ports on the root bridge are designated ports.

How STP works

STP identifies the network topology by transmitting configuration BPDUs between network devices. Configuration BPDUs contain sufficient information for network devices to complete the spanning tree computation. Important fields in a configuration BPDU include:

■ Root bridge ID: consisting of root bridge priority and MAC address.

■ Root path cost: the cost of the shortest path to the root bridge.

■ Designated bridge ID: designated bridge priority plus MAC address.

■ Designated port ID: designated port priority plus port name.

■ Message age: age of the configuration BPDU.

■ Max age: maximum age of the configuration BPDU.

■ Hello time: configuration BPDU interval.

■ Forward delay: forward delay of the port.



For the convenience of description, the description and examples below involve only four parts of a configuration BPDU:

■ Root bridge ID (in the form of device priority)

■ Root path cost

■ Designated bridge ID (in the form of device priority)

■ Designated port ID (in the form of port name)

1 Specific computing process of the STP algorithm

■ Initial state

Upon initialization of a device, each port generates a BPDU with itself as the root, in which the root path cost is 0, designated bridge ID is the device ID, and the designated port is the local port.

■ Selection of the optimum configuration BPDU

Each device sends out its configuration BPDU and receives configuration BPDUs from other devices.

The process of selecting the optimum configuration BPDU is as follows:

Table 119 Selection of the optimum configuration BPDU

Step Description

1 Upon receiving a configuration BPDU on a port, the device performs the following processing:

■ If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU without doing any processing on the configuration BPDU of this port.

■ If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.

2 The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU.

Principle for configuration BPDU comparison:

■ The configuration BPDU that has the lowest root bridge ID has the highest priority.

■ If all the configuration BPDUs have the same root bridge ID, they are compared for their root path costs. If the root path cost in a configuration BPDU plus the path cost corresponding to this port is S, the configuration BPDU with the smallest S value has the highest priority.

■ If all configuration BPDUs have the same root path cost, they are compared for their designated bridge IDs, then their designated port IDs, and then the IDs of the ports on which they are received. The smaller the ID, the higher the message priority.

■ Selection of the root bridge

At network initialization, each STP-compliant device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare one another’s root bridge IDs. The device with the smallest root bridge ID is elected as the root bridge.


■ Selection of the root port and designated ports

The process of selecting the root port and designated ports is as follows:

Table 120 Selection of the root port and designated ports

Step Description

1 The root port is the port on which the optimum configuration BPDU was received.

2 Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the remaining ports:

■ The root bridge ID is replaced with that of the configuration BPDU of the root port.

■ The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost corresponding to the root port.

■ The designated bridge ID is replaced with the ID of this device.

■ The designated port ID is replaced with the ID of this port.

3 The device compares the computed configuration BPDU with the configuration BPDU on the corresponding port, and performs processing accordingly based on the comparison result:

■ If the configuration BPDU on the port is superior, the device blocks this port without changing its configuration BPDU, so that the port will only receive BPDUs, but not send any, and will not forward data.

■ If the computed configuration BPDU is superior, this port serves as the designated port, and the configuration BPDU on the port is replaced with the computed configuration BPDU, which is sent out periodically.

When the network topology is stable, only the root port and designated ports forward traffic, while all other ports are in the blocked state: they only receive STP packets but do not forward user traffic.

Once the root bridge, the root port on each non-root bridge and the designated ports have been elected, the entire tree-shaped topology has been constructed.

The following is an example of how the STP algorithm works. The network diagram is shown in Figure 55. In the figure, the priority of Switch A is 0, the priority of Switch B is 1, the priority of Switch C is 2, and the path costs of the links (Switch A to Switch B, Switch A to Switch C, and Switch B to Switch C) are 5, 10 and 4 respectively.

Figure 55 Network diagram for STP algorithm



■ Initial state of each device

The following table shows the initial state of each device.

Table 121 Initial state of each device

Device | Port name | BPDU of port
Switch A | AP1 | {0, 0, 0, AP1}
Switch A | AP2 | {0, 0, 0, AP2}
Switch B | BP1 | {1, 0, 1, BP1}
Switch B | BP2 | {1, 0, 1, BP2}
Switch C | CP1 | {2, 0, 2, CP1}
Switch C | CP2 | {2, 0, 2, CP2}

■ Comparison process and result on each device

The following table shows the comparison process and result on each device.

Table 122 Comparison process and result on each device

Switch A

Comparison process:

■ Port AP1 receives the configuration BPDU of Switch B {1, 0, 1, BP1}. Switch A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the received configuration BPDU.

■ Port AP2 receives the configuration BPDU of Switch C {2, 0, 2, CP1}. Switch A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.

■ Switch A finds that both the root bridge and designated bridge in the configuration BPDUs of all its ports are Switch A itself, so it assumes itself to be the root bridge. In this case, it does not make any change to the configuration BPDU of each port, and starts sending out configuration BPDUs periodically.

BPDU of port after comparison:

AP1: {0, 0, 0, AP1}
AP2: {0, 0, 0, AP2}

Switch B

Comparison process:

■ Port BP1 receives the configuration BPDU of Switch A {0, 0, 0, AP1}. Switch B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.

■ Port BP2 receives the configuration BPDU of Switch C {2, 0, 2, CP2}. Switch B finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.

BPDU of port after comparison:

BP1: {0, 0, 0, AP1}
BP2: {1, 0, 1, BP2}

■ Switch B compares the configuration BPDUs of all its ports, and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the configuration BPDU of which will not be changed.

■ Based on the configuration BPDU of BP1 and the path cost of the root port (5), Switch B calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.

■ Switch B compares the computed configuration BPDU {0, 5, 1, BP2} with the configuration BPDU of BP2. If the computed BPDU is superior, BP2 will act as the designated port, and the configuration BPDU on this port will be replaced with the computed configuration BPDU, which will be sent out periodically.

BPDU of port after comparison:

Root port BP1: {0, 0, 0, AP1}
Designated port BP2: {0, 5, 1, BP2}

Switch C

Comparison process:

■ Port CP1 receives the configuration BPDU of Switch A {0, 0, 0, AP2}. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.

■ Port CP2 receives the configuration BPDU of port BP2 of Switch B {1, 0, 1, BP2} before the message was updated. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2}, and updates the configuration BPDU of CP2.

BPDU of port after comparison:

CP1: {0, 0, 0, AP2}
CP2: {1, 0, 1, BP2}

By comparison:

■ The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDU of which will not be changed.

■ Switch C compares the computed designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2 becomes the designated port, and the configuration BPDU of this port is replaced with the computed configuration BPDU.

BPDU of port after comparison:

Root port CP1: {0, 0, 0, AP2}
Designated port CP2: {0, 10, 2, CP2}

■ Next, port CP2 receives the updated configuration BPDU of Switch B {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its old one, Switch C launches a BPDU update process.

■ At the same time, port CP1 receives configuration BPDUs periodically from Switch A. Switch C does not launch an update process after comparison.

BPDU of port after comparison:

CP1: {0, 0, 0, AP2}
CP2: {0, 5, 1, BP2}

By comparison:

■ Because the root path cost of CP2 (9) (root path cost of the BPDU (5) + path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which will not be changed.

■ After comparison between the configuration BPDU of CP1 and the computed designated port configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port remaining unchanged, and the port will not receive data from Switch A until a spanning tree computing process is triggered by a new condition, for example, the link from Switch B to Switch C going down.

BPDU of port after comparison:

Blocked port CP1: {0, 0, 0, AP2}
Root port CP2: {0, 5, 1, BP2}

After the comparison processes described in the table above, a spanning tree with Switch A as the root bridge is stabilized, as shown in Figure 56.

Figure 56 The final computed spanning tree

To facilitate description, the spanning tree computing process in this example is simplified, while the actual process is more complicated.

2 The BPDU forwarding mechanism in STP

■ Upon network initialization, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.

■ If it is the root port that received the configuration BPDU and the received configuration BPDU is superior to the configuration BPDU of the port, the device increases the message age carried in the configuration BPDU by a certain rule and starts a timer to time the configuration BPDU while it sends out this configuration BPDU through the designated port.

■ If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port, the port immediately sends out its better configuration BPDU in response.

■ If a path becomes faulty, the root port on this path no longer receives new configuration BPDUs and the old configuration BPDUs are discarded due to timeout. In this case, the device generates a configuration BPDU with itself as the root and sends it out. This triggers a new spanning tree computing process so that a new path is established to restore network connectivity.

However, the newly computed configuration BPDU will not be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data through the old path. If the new root port and designated port begin to forward data as soon as they are elected, a temporary loop may occur. For this reason, STP uses a state transition mechanism. Namely, a newly elected root port or designated port requires twice the forward delay time before transitioning to the forwarding state, when the new configuration BPDU has been propagated throughout the network.



Introduction to MSTP

Why MSTP

1 Disadvantages of STP and RSTP

STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transitioning to the forwarding state, even if it is a port on a point-to-point link or it is an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.

The rapid spanning tree protocol (RSTP) is an optimized version of STP. RSTP allows a newly elected root port or designated port to enter the forwarding state much quicker under certain conditions than in STP. As a result, it takes a shorter time for the network to reach the final topology stability.

■ In RSTP, a newly elected root port can enter the forwarding state rapidly if this condition is met: The old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data.

■ In RSTP, a newly elected designated port can enter the forwarding state rapidly if this condition is met: The designated port is an edge port or a port connected with a point-to-point link. If the designated port is an edge port, it can enter the forwarding state directly; if the designated port is connected with a point-to-point link, it can enter the forwarding state immediately after the device undergoes handshake with the downstream device and gets a response.

Although RSTP supports rapid network convergence, it has the same drawback as STP: all bridges within a LAN share the same spanning tree, so redundant links cannot be blocked on a per-VLAN basis, and the packets of all VLANs are forwarded along the same spanning tree.

2 Features of MSTP

The multiple spanning tree protocol (MSTP) overcomes the shortcomings of STP and RSTP. In addition to support for rapid network convergence, it also allows data flows of different VLANs to be forwarded along their own paths, thus providing a better load sharing mechanism for redundant links.

MSTP features the following:

■ MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance mapping table.

■ MSTP divides a switched network into multiple regions, each containing multiple spanning trees that are independent of one another.

■ MSTP prunes loop networks into a loop-free tree, thus avoiding proliferation and endless recycling of packets in a loop network. In addition, it provides multiple redundant paths for data forwarding, thus supporting load balancing of VLAN data in the data forwarding process.

■ MSTP is compatible with STP and RSTP.


Some concepts in MSTP

As shown in Figure 57, there are four multiple spanning tree (MST) regions, each made up of four switches running MSTP. With reference to the diagram, the following paragraphs present some concepts of MSTP.

Figure 57 Basic concepts in MSTP

1 MST region

An MST region is composed of multiple devices in a switched network and network segments among them. These devices have the following characteristics:

■ All are MSTP-enabled,

■ They have the same region name,

■ They have the same VLAN-to-instance mapping configuration,

■ They have the same MSTP revision level configuration, and

■ They are physically linked with one another.

In region A0 in Figure 57, for example, all the devices have the same MST region configuration: the same region name, the same VLAN-to-instance mapping (VLAN 1 is mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the common and internal spanning tree (CIST); CIST refers to MST instance 0), and the same MSTP revision level (not shown in the figure).

Multiple MST regions can exist in a switched network. You can use an MSTP command to group multiple devices into the same MST region.

2 VLAN-to-instance mapping table

As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MST instances. In Figure 57, for example, the VLAN-to-instance mapping table of region A0 specifies that VLAN 1 is mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the CIST.

Figure 57 shows four regions, each containing devices A, B, C and D, interconnected by the CST over which BPDUs are exchanged between regions:

■ Region A0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to the CIST

■ Region B0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to the CIST

■ Region C0: VLAN 1 mapped to instance 1, VLANs 2 and 3 mapped to instance 2, other VLANs mapped to the CIST

■ Region D0: VLAN 1 mapped to instance 1 (B as regional root bridge), VLAN 2 mapped to instance 2 (C as regional root bridge), other VLANs mapped to the CIST


3 IST

The internal spanning tree (IST) is a spanning tree that runs in an MST region, with the instance number 0. The ISTs in all MST regions and the common spanning tree (CST) jointly constitute the common and internal spanning tree (CIST) of the entire network. An IST is a section of the CIST in an MST region. In Figure 57, for example, the CIST has a section in each MST region, and this section is the IST in that MST region.

4 CST

The CST is a single spanning tree that connects all MST regions in a switched network. If you regard each MST region as a “device”, the CST is a spanning tree computed by these devices through MSTP. For example, the red lines in Figure 57 describe the CST.

5 CIST

Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all devices in a switched network. In Figure 57, for example, the ISTs in all MST regions plus the inter-region CST constitute the CIST of the entire network.

6 MSTI

Multiple spanning trees can be generated in an MST region through MSTP, each spanning tree being independent of the others. Each spanning tree is referred to as a multiple spanning tree instance (MSTI). In Figure 57, for example, multiple spanning trees can exist in each MST region, each spanning tree corresponding to a VLAN. These spanning trees are called MSTIs.

7 Regional root bridge

The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or that MSTI. Based on the topology, different spanning trees in an MST region may have different regional roots. For example, in region D0 in Figure 57, the regional root of instance 1 is device B, while that of instance 2 is device C.

8 Common root bridge

The root bridge of the CIST is the common root bridge. In Figure 57, for example, the common root bridge is a device in region A0.

9 Boundary port

A boundary port is a port that connects an MST region to another MST configuration, or to a single spanning-tree region running STP, or to a single spanning-tree region running RSTP.

During MSTP computing, a boundary port assumes the same role on the CIST and on MST instances. Namely, if a boundary port is the master port on the CIST, it is also the master port on all MST instances within this region. In Figure 57, for example, if a device in region A0 is interconnected with the first port of a device in region D0 and the common root bridge of the entire switched network is located in region A0, the first port of that device in region D0 is the boundary port of region D0.


10 Roles of ports

In the MSTP computing process, port roles include designated port, root port, master port, alternate port, backup port, and so on.

■ Root port: a port responsible for forwarding data to the root bridge.

■ Designated port: a port responsible for forwarding data to the downstream network segment or device.

■ Master port: a port on the shortest path from the entire region to the common root bridge, connecting the MST region to the common root bridge.

■ Alternate port: The standby port for a root port or master port. If a root port or master port is blocked, the alternate port becomes the new root port or master port.

■ Backup port: If a loop occurs when two ports of the same device are interconnected, the device will block either of the two ports, and the backup port is that port to be blocked.

A port can assume different roles in different MST instances.

Figure 58 Port roles

Figure 58 helps illustrate these concepts, where:

■ Devices A, B, C, and D constitute an MST region.

■ Port 1 and port 2 of device A connect to the common root bridge.

■ Port 5 and port 6 of device C form a loop.

■ Port 3 and port 4 of device D connect downstream to other MST regions.


How MSTP works

MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a computed CST. Inside an MST region, multiple spanning trees are generated through computing, each spanning tree called an MST instance. Among these MST instances, instance 0 is the IST, while all the others are MSTIs. Similar to RSTP, MSTP uses configuration BPDUs to compute spanning trees. The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration of the device that sent it.

1 CIST computing

By comparison of “configuration BPDUs”, one device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within each MST region through computing, and, at the same time, MSTP regards each MST region as a single device and generates a CST among these MST regions through computing. The CST and ISTs constitute the CIST of the entire network.

2 MSTI computing

Within an MST region, MSTP generates different MSTIs for different VLANs based on the VLAN-to-instance mappings.

MSTP performs a separate computing process, which is similar to spanning tree computing in STP, for each spanning tree. For details, refer to “How STP works”.

In MSTP, a VLAN packet is forwarded along the following paths:

■ Within an MST region, the packet is forwarded along the corresponding MSTI.

■ Between two MST regions, the packet is forwarded along the CST.

Implementation of MSTP on devices

MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree computing.

In addition to basic MSTP functions, many management-facilitating special functions are provided, as follows:

■ Root bridge hold

■ Root bridge backup

■ Root guard

■ BPDU guard

■ Loop guard

■ Support for hot swapping of interface cards and active/standby changeover.


Configuring the Root Bridge

Configuration Tasks

Before configuring the root bridge, you need to know the position of each device in each MST instance: root bridge or leaf node. In each instance, one and only one device acts as the root bridge, while all others act as leaf nodes. Complete these tasks to configure a device that acts as the root bridge:

If both GVRP and MSTP are enabled on a device at the same time, GVRP packets are forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same device and you wish to advertise a certain VLAN within the network through GVRP, make sure that this VLAN is mapped to the CIST (instance 0) when configuring the VLAN-to-instance mapping table.

Table 123 Configuration Tasks

Task Remarks

Configuring an MST Region Required

Specifying the Root Bridge or a Secondary Root Bridge Optional

Configuring the Work Mode of MSTP Optional

Configuring the Priority of the Current Device Optional

Configuring the Maximum Hops of an MST Region Optional

Configuring the Network Diameter of a Switched Network Optional

Configuring Timers of MSTP Optional

Configuring the Timeout Factor Optional

Configuring the Maximum Transmission Rate of Ports Optional

Configuring Ports as Edge Ports Optional

Configuring Whether Ports Connect to Point-to-Point Links Optional

Configuring the MSTP Packet Format for Ports Optional

Enabling the MSTP Feature Required


Configuring an MST Region

Configuration procedure

Follow these steps to configure an MST region:

Table 124 Configuring an MST Region

To... Use the command... Remarks

Enter system view
system-view
–

Enter MST region view
stp region-configuration
–

Configure the MST region name
region-name name
Required
The MST region name is the MAC address by default

Configure the VLAN-to-instance mapping table
instance instance-id vlan vlan-list
vlan-mapping modulo modulo
Use either command
By default, all VLANs in an MST region are mapped to MST instance 0

Configure the MSTP revision level of the MST region
revision-level level
Optional
0 by default

Activate MST region configuration manually
active region-configuration
Required

Display all the configuration information of the MST region
check region-configuration

Display the currently effective MST region configuration information
display stp region-configuration

Optional
The display command can be executed in any view

CAUTION: Two devices belong to the same MST region only if they are configured to have the same MST region name, the same VLAN-to-instance mapping entries in the MST region and the same MST region revision level, and they are interconnected via a physical link.

Your configuration of MST region-related parameters, especially the VLAN-to-instance mapping table, will cause MSTP to launch a new spanning tree computing process, which may result in network topology instability. To reduce the possibility of topology instability caused by configuration, MSTP does not immediately launch a new spanning tree computing process when processing MST region-related configurations; instead, such configurations take effect only if you:

■ activate the MST region-related parameters using the active region-configuration command, or

■ enable MSTP using the stp enable command.

Configuration example

1 Configure the MST region name to be “info”, the MSTP revision level to be 1, and VLAN 2 through VLAN 10 to be mapped to instance 1 and VLAN 20 through VLAN 30 to instance 2.

<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name info
[3Com-mst-region] instance 1 vlan 2 to 10
[3Com-mst-region] instance 2 vlan 20 to 30
[3Com-mst-region] revision-level 1
[3Com-mst-region] active region-configuration
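A single mistyped value in the region name, revision level or VLAN-to-instance table silently puts a switch into a region of its own, with a different topology from its neighbours, so it is worth checking the three values across devices before activating them. The following Python is an added example, not code from the guide or from the switch: it applies the MST region view commands of the configuration example to a small region model, resolves VLAN-to-instance lookups with unmapped VLANs falling to instance 0 (the CIST), and tests whether two devices' configurations place them in the same region as the CAUTION above describes. The vlan-list parser accepts single VLAN IDs and `a to b` ranges. The 1 to 4094 VLAN range, the rule that re-mapping a VLAN moves it to the new instance, and the second device with a mistyped revision level are the example's own assumptions; the physical link between the devices is not modelled.

```python
"""Added example: model MST region view commands and test whether two devices share an MST region."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MAX_VLAN = 4094  # 802.1Q VLAN IDs run from 1 to 4094 (assumption of the example, not stated in the guide)


@dataclass
class MstRegion:
    name: str = ""              # region-name (the guide: the MAC address by default)
    revision_level: int = 0     # revision-level (0 by default)
    mapping: Dict[int, int] = field(default_factory=dict)  # VLAN -> instance; unlisted VLANs are in instance 0

    def instance_of(self, vlan: int) -> int:
        return self.mapping.get(vlan, 0)  # MST instance 0 is the CIST

    def vlans_of(self, instance: int) -> List[int]:
        return [v for v in range(1, MAX_VLAN + 1) if self.instance_of(v) == instance]


def parse_vlan_list(tokens: List[str]) -> List[int]:
    """Parse vlan-list tokens such as ['2', 'to', '10'] or ['1', '3', '5', 'to', '7'] into VLAN IDs."""
    vlans, i = [], 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end, i = int(tokens[i + 2]), i + 3
        else:
            end, i = start, i + 1
        if not 1 <= start <= end <= MAX_VLAN:
            raise ValueError(f"invalid VLAN range {start} to {end}")
        vlans.extend(range(start, end + 1))
    return vlans


def apply_region_commands(lines: List[str]) -> MstRegion:
    """Apply MST region view commands (region-name, revision-level, instance ... vlan ...) to a new region."""
    region = MstRegion()
    for line in lines:
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())  # drop a CLI prompt such as [3Com-mst-region]
        parts = cmd.split()
        if not parts or cmd in ("stp region-configuration", "active region-configuration"):
            continue  # view changes and activation do not alter the mapping itself
        if parts[0] == "region-name" and len(parts) == 2:
            region.name = parts[1]
        elif parts[0] == "revision-level" and len(parts) == 2:
            region.revision_level = int(parts[1])
        elif parts[0] == "instance" and len(parts) > 3 and parts[2] == "vlan":
            instance = int(parts[1])
            for vlan in parse_vlan_list(parts[3:]):
                region.mapping[vlan] = instance  # assumption: re-mapping a VLAN moves it to the new instance
        else:
            raise ValueError(f"unsupported MST region command: {cmd}")
    return region


def same_region(a: MstRegion, b: MstRegion) -> bool:
    """The CAUTION above: same region name, same revision level and an identical VLAN-to-instance table.
    The physical link between the two devices is not modelled."""
    return ((a.name, a.revision_level) == (b.name, b.revision_level)
            and all(a.instance_of(v) == b.instance_of(v) for v in range(1, MAX_VLAN + 1)))


# Constructed input: the guide's configuration example on device 1, and device 2 with a mistyped revision level.
DEVICE1 = [
    "[3Com] stp region-configuration",
    "[3Com-mst-region] region-name info",
    "[3Com-mst-region] instance 1 vlan 2 to 10",
    "[3Com-mst-region] instance 2 vlan 20 to 30",
    "[3Com-mst-region] revision-level 1",
    "[3Com-mst-region] active region-configuration",
]
DEVICE2 = [line.replace("revision-level 1", "revision-level 2") for line in DEVICE1]


def compare_devices() -> Dict[str, object]:
    r1, r2 = apply_region_commands(DEVICE1), apply_region_commands(DEVICE2)
    return {"vlan 5": r1.instance_of(5), "vlan 25": r1.instance_of(25), "vlan 11": r1.instance_of(11),
            "instance 2 vlans": len(r1.vlans_of(2)), "same region": same_region(r1, r2)}


if __name__ == "__main__":
    for key, value in compare_devices().items():
        print(f"{key}: {value}")
```

For the guide's example, VLAN 5 resolves to instance 1, VLAN 25 to instance 2 and VLAN 11 to instance 0, and the two constructed devices do not share a region because their revision levels differ, even though name and mapping agree. The same comparison can be run on the output of display stp region-configuration collected from each switch.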


Specifying the Root Bridge or a Secondary

Root Bridge

MSTP can determine the root bridge of a spanning tree through MSTP computing. Alternatively, you can specify the current device as the root bridge using the commands provided by the system.

Specifying the current device as the root bridge of a specific spanning tree

Follow these steps to specify the current device as the root bridge of a specific spanning tree:

Specifying the current device as a secondary root bridge of a specific spanning tree

Follow these steps to specify the current device as a secondary root bridge of a specific spanning tree:

Note that:

■ Upon specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device.

■ You can configure the current device as the root bridge or a secondary root bridge of an MST instance, which is specified by instance instance-id in the command. If you set instance-id to 0, the current device will be the root bridge or a secondary root bridge of the CIST.

■ The current device has independent roles in different instances. It can act as the root bridge or a secondary root bridge of one instance while it can also act as the root bridge or a secondary root bridge of another instance. However, the same device cannot be the root bridge and a secondary root bridge in the same instance at the same time.

■ You can specify the current device as the root bridge of different MST instances, but you cannot specify two or more root bridges for the same instance at the same time. Namely, do not use the same command on two or more devices to specify root bridges for the same instance.

■ You can specify multiple secondary root bridges for the same instance. Namely, you can specify secondary root bridges for the same instance on two or more devices.

Table 125 Specifying the current device as the root bridge of a specific spanning tree

To: Enter system view
Use the command: system-view
Remarks: –

To: Specify the current device as the root bridge of a specific spanning tree
Use the command: stp [ instance instance-id ] root primary [ bridge-diameter bridge-number ] [ hello-time centi-seconds ]
Remarks: Required

Table 126 Specifying the current device as a secondary root bridge of a specific spanning tree

To: Enter system view
Use the command: system-view
Remarks: –

To: Specify the current device as a secondary root bridge of a specific spanning tree
Use the command: stp [ instance instance-id ] root secondary [ bridge-diameter bridge-number ] [ hello-time centi-seconds ]
Remarks: Required


■ When the root bridge of an instance fails or is shut down, the secondary root bridge (if you have specified one) can take over the role of the instance. However, if you specify a new root bridge for the instance at this time, the secondary root bridge will not become the root bridge. If you have specified multiple secondary root bridges for an instance, when the root bridge fails, MSTP will select the secondary root bridge with the lowest MAC address as the new root bridge.

■ When specifying the root bridge or a secondary root bridge, you can specify the network diameter and hello time. However, these two options are effective only for MST instance 0, namely the CIST. If you include these two options in your command for any other instance, your configuration can succeed, but they will not actually work. For the description of network diameter and hello time, refer to “Configuring the Network Diameter of a Switched Network” and “Configuring Timers of MSTP”.

■ Alternatively, you can also specify the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, refer to “Configuring the Priority of the Current Device”.

Configuration example

1 Specify the current device as the root bridge of MST instance 1 and a secondary root bridge of MST instance 2.

<3Com> system-view
[3Com] stp instance 1 root primary
[3Com] stp instance 2 root secondary

Configuring the Work Mode of MSTP Device

MSTP and RSTP can recognize each other’s protocol packets, so they are mutually compatible. However, STP is unable to recognize MSTP packets. For hybrid networking with legacy STP devices and full interoperability with RSTP-compliant devices, MSTP supports three work modes: STP-compatible mode, RSTP mode, and MSTP mode.

■ In STP-compatible mode, all ports of the device send out STP BPDUs.

■ In RSTP mode, all ports of the device send out RSTP BPDUs. If the device detects that it is connected with a legacy STP device, the port connecting with the legacy STP device will automatically migrate to STP-compatible mode.

■ In MSTP mode, all ports of the device send out MSTP BPDUs. If the device detects that it is connected with a legacy STP device, the port connecting with the legacy STP device will automatically migrate to STP-compatible mode.

Configuration procedure

Follow these steps to configure the MSTP work mode:

Configuration example

1 Configure MSTP to work in STP-compatible mode.

<3Com> system-view
[3Com] stp mode stp

Table 127 Configuring the Work Mode of MSTP Device

To: Enter system view
Use the command: system-view
Remarks: –

To: Configure the work mode of MSTP
Use the command: stp mode { stp | rstp | mstp }
Remarks: Optional. MSTP mode by default


Configuring the Priority of the Current Device

The priority of a device determines whether it can be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. By setting the priority of a device to a low value, you can specify the device as the root bridge of a spanning tree. An MSTP-compliant device can have different priorities in different MST instances.

Configuration procedure

Follow these steps to configure the priority of the current device:

CAUTION:

■ Upon specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device.

■ During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address will be selected as the root bridge of the spanning tree.

Configuration example

1 Set the device priority in MST instance 1 to 4096.

<3Com> system-view
[3Com] stp instance 1 priority 4096

Configuring the Maximum Hops of an MST Region

By setting the maximum hops of an MST region, you can restrict the region size. The maximum hops setting configured on the regional root bridge will be used as the maximum hops of the MST region.

After a configuration BPDU leaves the root bridge of the spanning tree in the region, its hop count is decremented by 1 whenever it passes a device. When its hop count reaches 0, it will be discarded by the device that has received it. As a result, devices beyond the maximum hops are unable to take part in spanning tree computing, and thereby the size of the MST region is restricted.

Configuration procedure

Follow these steps to configure the maximum hops of the MST region:

A larger maximum hops setting means a larger size of the MST region. Only the maximum hops configured on the regional root bridge can restrict the size of the MST region.

Table 128 Configuring the Priority of the Current Device

To: Enter system view
Use the command: system-view
Remarks: –

To: Configure the priority of the current device
Use the command: stp [ instance instance-id ] priority priority
Remarks: Optional. 32768 by default

Table 129 Configuring the Maximum Hops of an MST Region

To: Enter system view
Use the command: system-view
Remarks: –

To: Configure the maximum hops of the MST region
Use the command: stp max-hops hops
Remarks: Optional. 20 by default


Configuration example

1 Set the maximum hops of the MST region to 30.

<3Com> system-view
[3Com] stp max-hops 30

Configuring the Network Diameter of a Switched Network

Any two stations in a switched network are interconnected through specific paths, each composed of a series of devices. Measured as the number of devices on a path, the network diameter is the length of the longest of these paths, that is, the path that comprises more devices than any other.

Configuration procedure

Follow these steps to configure the network diameter of the switched network:

CAUTION: Network diameter is a parameter that indicates network size. A bigger network diameter represents a larger network size.

■ Based on the network diameter you configured, MSTP automatically sets an optimal hello time, forward delay, and max age for the device.

■ The configured network diameter is effective for the CIST only, and not for MSTIs.

Configuration example

1 Set the network diameter of the switched network to 6.

<3Com> system-view
[3Com] stp bridge-diameter 6

Configuring Timers of MSTP

MSTP involves three timers: forward delay, hello time and max age.

■ Forward delay: the time a device will wait before changing states. A link failure can trigger a spanning tree computing process, and the spanning tree structure will change accordingly. However, as a new configuration BPDU cannot be propagated throughout the network immediately, if the new root port and designated port begin to forward data as soon as they are elected, a temporary loop may occur. For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port or designated port must wait twice the forward delay time before transitioning to the forwarding state, when the new configuration BPDU has been propagated throughout the network.

■ Hello time is used to detect whether a link is faulty. A device sends a hello packet to the devices around it at a regular interval of hello time to check whether any link is faulty.

■ Max age is used for determining whether a configuration BPDU has “expired”. A BPDU that has “expired” will be discarded by the device.

Table 130 Configuring the Network Diameter of a Switched Network

To: Enter system view
Use the command: system-view
Remarks: –

To: Configure the network diameter of the switched network
Use the command: stp bridge-diameter bridge-number
Remarks: Optional. 7 by default


Configuration procedure

Follow these steps to configure the timers of MSTP:

These three timers set on the root bridge of the CIST apply on all the devices on the entire switched network.

CAUTION:

■ The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter, the longer the forward delay time should be. Note that if the forward delay setting is too small, temporary redundant paths may be introduced; if it is too large, it may take a long time for the network to resume connectivity. We recommend that you use the default setting.

■ An appropriate hello time setting enables the device to detect link failures in time without using excessive network resources. If the hello time is set too long, the device will mistake packet loss on a link for a link failure and trigger a new spanning tree computing process; if the hello time is set too short, the device will send configuration BPDUs too frequently, which adds to the device burden and wastes network resources. We recommend that you use the default setting.

■ If the max age setting is too small, the network devices will frequently launch spanning tree computing and may mistake network congestion for a link failure; if the max age setting is too large, the network may fail to detect link failures in time and fail to launch spanning tree computing in time, thus reducing the auto-sensing capability of the network. We recommend that you use the default setting.

The setting of hello time, forward delay and max age must meet the following formulae; otherwise network instability will frequently occur.

■ 2 × (forward delay – 1 second) ≥ max age

■ max age ≥ 2 × (hello time + 1 second)

We recommend that you specify the network diameter in the stp root primary command and let MSTP automatically calculate an optimal setting of these three timers.

Table 131 Configuring Timers of MSTP

To: Enter system view
Use the command: system-view
Remarks: –

To: Configure the forward delay timer
Use the command: stp timer forward-delay centiseconds
Remarks: Optional. 1,500 centiseconds (15 seconds) by default

To: Configure the hello time timer
Use the command: stp timer hello centiseconds
Remarks: Optional. 200 centiseconds (2 seconds) by default

To: Configure the max age timer
Use the command: stp timer max-age centiseconds
Remarks: Optional. 2,000 centiseconds (20 seconds) by default


Configuration example

1 Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds, and max age to 2,100 centiseconds.

<3Com> system-view
[3Com] stp timer forward-delay 1600
[3Com] stp timer hello 300
[3Com] stp timer max-age 2100

Configuring the Timeout Factor

A device sends a BPDU to the devices around it at a regular interval of hello time to check whether any link is faulty. Typically, if a device does not receive a BPDU from the upstream device within nine times the hello time, it will assume that the upstream device has failed and start a new spanning tree computing process.

In a very stable network, this kind of spanning tree computing may occur because the upstream device is busy. In this case, you can avoid such unwanted spanning tree computing by lengthening the timeout time.

Configuration procedure

Follow these steps to configure the timeout factor:

■ Timeout time = timeout factor × 3 × hello time.

■ Typically, we recommend that you set the timeout factor to 5, or 6, or 7 for a stable network.
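As an added example (not code from the 3Com guide) covering both “Configuring Timers of MSTP” and “Configuring the Timeout Factor”, the following Python script reads stp timer and stp timer-factor lines from a configuration, checks the three timers against the two constraints the guide gives, and reports the BPDU timeout that the timeout factor yields. Function names, the report layout and the constructed session text are this example's own; all values are in centiseconds, as on the CLI.

```python
# Added example (not from the 3Com guide): an offline sanity check for the
# MSTP timers and the timeout factor. Function names and the report layout
# are this example's own; values are in centiseconds, as on the CLI.
import re

# Defaults from Tables 131 and 132.
FORWARD_DELAY_DEFAULT = 1500   # 15 s
HELLO_DEFAULT = 200            # 2 s
MAX_AGE_DEFAULT = 2000         # 20 s
TIMEOUT_FACTOR_DEFAULT = 3

ONE_SECOND = 100               # centiseconds
_PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")   # strips '<3Com>' / '[3Com]'
_TIMER_KEYWORDS = {"forward-delay", "hello", "max-age"}


def timer_violations(forward_delay, hello, max_age):
    """Return the violated constraints; an empty list means the timers are consistent.

    The guide requires:  2 x (forward delay - 1 s) >= max age
                         max age >= 2 x (hello time + 1 s)
    """
    problems = []
    lhs = 2 * (forward_delay - ONE_SECOND)
    if lhs < max_age:
        problems.append(f"2 x (forward-delay {forward_delay} - 100) = {lhs} "
                        f"is less than max-age {max_age}")
    rhs = 2 * (hello + ONE_SECOND)
    if max_age < rhs:
        problems.append(f"max-age {max_age} is less than "
                        f"2 x (hello {hello} + 100) = {rhs}")
    return problems


def timeout_time(hello, factor):
    """Time without BPDUs after which the upstream device is presumed failed: factor x 3 x hello."""
    return factor * 3 * hello


def parse_stp_timers(lines):
    """Pick the timer commands out of CLI lines; anything not set stays at its default."""
    timers = {
        "forward-delay": FORWARD_DELAY_DEFAULT,
        "hello": HELLO_DEFAULT,
        "max-age": MAX_AGE_DEFAULT,
        "timer-factor": TIMEOUT_FACTOR_DEFAULT,
    }
    for raw in lines:
        tokens = _PROMPT.sub("", raw).split()
        if tokens[:2] == ["stp", "timer"] and len(tokens) == 4 and tokens[2] in _TIMER_KEYWORDS:
            timers[tokens[2]] = int(tokens[3])
        elif tokens[:2] == ["stp", "timer-factor"] and len(tokens) == 3:
            timers["timer-factor"] = int(tokens[2])
    return timers


def audit_timers(lines):
    """Parse the timer commands and report violations and the resulting BPDU timeout."""
    t = parse_stp_timers(lines)
    return {
        "timers": t,
        "violations": timer_violations(t["forward-delay"], t["hello"], t["max-age"]),
        "timeout_time": timeout_time(t["hello"], t["timer-factor"]),
    }


# Constructed input: the guide's timer example followed by its timeout factor example.
EXAMPLE_SESSION = """
<3Com> system-view
[3Com] stp timer forward-delay 1600
[3Com] stp timer hello 300
[3Com] stp timer max-age 2100
[3Com] stp timer-factor 6
""".strip().splitlines()

if __name__ == "__main__":
    print(audit_timers(EXAMPLE_SESSION))
```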

Configuration example

1 Set the timeout factor to 6.

<3Com> system-view
[3Com] stp timer-factor 6

Configuring the Maximum Transmission Rate of Ports

The maximum transmission rate of a port refers to the maximum number of MSTP packets that the port can send within each hello time.

The maximum transmission rate of an Ethernet port is related to the physical status of the port and the network structure. You can make your configuration based on the actual networking condition.

Table 132 Configuring the Timeout Factor

To: Enter system view
Use the command: system-view
Remarks: –

To: Configure the timeout factor of the device
Use the command: stp timer-factor number
Remarks: Optional. 3 by default


Configuration procedure

Follow these steps to configure the maximum transmission rate of a port or a group of ports:

If the maximum transmission rate setting of a port is too big, the port will send a large number of MSTP packets within each hello time, thus using excessive network resources. We recommend that you use the default setting.

Configuration example

1 Set the maximum transmission rate of port GigabitEthernet 1/0/1 to 5.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp transmit-limit 5

Configuring Ports as Edge Ports

If a port directly connects to a user terminal rather than another device or a shared LAN segment, this port is regarded as an edge port. When the network topology changes, an edge port will not cause a temporary loop. Therefore, if you specify a port as an edge port, this port can transition rapidly from the blocked state to the forwarding state without delay.

Configuration procedure

Follow these steps to specify a port or a group of ports as edge port(s):

Table 133 Configuring the Maximum Transmission Rate of Ports

To: Enter system view
Use the command: system-view
Remarks: –

To: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group

To: Enter port group view
Use the command: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command (see above)

To: Configure the maximum transmission rate of the port(s)
Use the command: stp transmit-limit packet-number
Remarks: Optional. 3 by default

Table 134 Configuring Ports as Edge Ports

To: Enter system view
Use the command: system-view
Remarks: –

To: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group

To: Enter port group view
Use the command: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command (see above)

To: Configure the port(s) as edge port(s)
Use the command: stp edged-port enable
Remarks: Required. All Ethernet ports are non-edge ports by default


■ With BPDU guard disabled, when a port set as an edge port receives a BPDU from another port, it will become a non-edge port again. In this case, you must reset the port before you can configure it to be an edge port again.

■ If a port directly connects to a user terminal, configure it to be an edge port and enable BPDU guard for it. This enables the port to transition to the forwarding state while ensuring network security.

Configuration example

1 Configure GigabitEthernet 1/0/1 to be an edge port.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp edged-port enable

Configuring Whether Ports Connect to Point-to-Point Links

A point-to-point link is a link directly connecting with two devices. If the two ports across a point-to-point link are root ports or designated ports, the ports can rapidly transition to the forwarding state by transmitting synchronization packets.

Configuration procedure

Follow these steps to configure whether a port or a group of ports connect to point-to-point links:

■ As for aggregated ports, all ports can be configured as connecting to point-to-point links. If a port works in auto-negotiation mode and the negotiation result is full duplex, this port can be configured as connecting to a point-to-point link.

■ If a port is configured as connecting to a point-to-point link, the setting takes effect for the port in all MST instances. If the physical link to which the port connects is not a point-to-point link and you force it to be a point-to-point link by configuration, your configuration may incur a temporary loop.

Configuration example

1 Configure port GigabitEthernet 1/0/1 as connecting to a point-to-point link.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp point-to-point force-true

Table 135 Configuring Whether Ports Connect to Point-to-Point Links

To: Enter system view
Use the command: system-view
Remarks: –

To: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group

To: Enter port group view
Use the command: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command (see above)

To: Configure whether the port(s) connect to point-to-point links
Use the command: stp point-to-point { force-true | force-false | auto }
Remarks: Optional. The default setting is auto; namely, the device automatically detects whether an Ethernet port connects to a point-to-point link


Configuring the MSTP Packet Format for Ports

A port supports two types of MSTP packets:

■ 802.1s-compliant standard format

■ Compatible format

The default packet format setting is auto, namely a port recognizes the two MSTP packet formats automatically. You can configure the MSTP packet format to be used by a port on your command line. After your configuration, when working in MSTP mode, the port sends and receives only MSTP packets of the format you have configured.

Configuration procedure

Follow these steps to configure the MSTP packet format for a port or a group of ports:

■ If the port is configured not to detect the packet format automatically while it works in the MSTP mode, and if it receives a packet in the format other than as configured, that port will become a designated port, and the port will remain in the discarding state to prevent the occurrence of a loop.

■ If a port receives MSTP packets of different formats frequently, the MSTP packet format configuration contains an error. In this case, if the port is working in MSTP mode, it will be disabled for protection. Ports closed in this way can be restored only by the network administrator.

Configuration example

1 Configure port GigabitEthernet 1/0/1 to receive and send standard-format MSTP packets.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp compliance dot1s

Table 136 Configuring the MSTP Packet Format for Ports

To: Enter system view
Use the command: system-view
Remarks: –

To: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group

To: Enter port group view
Use the command: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command (see above)

To: Configure the MSTP packet format for the port(s)
Use the command: stp compliance { auto | dot1s | legacy }
Remarks: Optional. auto by default


Enabling the MSTP Feature

Configuration procedure

Follow these steps to enable the MSTP feature:

You must enable MSTP for the device before any other MSTP-related configuration can take effect.

Configuration example

1 Enable MSTP for the device and disable MSTP for port GigabitEthernet 1/0/1.

<3Com> system-view
[3Com] stp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp disable

Table 137 Enabling the MSTP Feature

To: Enter system view
Use the command: system-view
Remarks: –

To: Enable the MSTP feature for the device
Use the command: stp enable
Remarks: Required. Whether a device is MSTP-enabled by default depends on the specific device model.

To: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group

To: Enter port group view
Use the command: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command (see above)

To: Enable the MSTP feature for the port(s)
Use the command: stp enable
Remarks: Optional. By default, MSTP is enabled for all ports after it is enabled for the device globally

To: Disable the MSTP feature for the port(s)
Use the command: stp disable, or undo stp
Remarks: Optional. To control MSTP flexibly, you can disable the MSTP feature for certain Ethernet ports so that these ports will not take part in spanning tree computing, thus saving the device’s CPU resources


Configuring Leaf Nodes

Configuration Tasks

Before configuring the root bridge, you need to know the position of each device in each MST instance: root bridge or leaf node. In each instance, one and only one device acts as the root bridge, while all others act as leaf nodes. Complete these tasks to configure a device that acts as a leaf node:

If both GVRP and MSTP are enabled on a device, GVRP packets will be forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same device and you wish to advertise a certain VLAN within the network through GVRP, make sure that this VLAN is mapped to the CIST (instance 0) when configuring the VLAN-to-instance mapping table.

Configuring an MST Region

Refer to section “Configuring an MST Region”.

Configuring the Work Mode of MSTP

Refer to section “Configuring the Work Mode of MSTP Device”.

Configuring the Timeout Factor

Refer to section “Configuring the Timeout Factor”.

Configuring the Maximum Transmission Rate of Ports

Refer to section “Configuring the Maximum Transmission Rate of Ports”.

Configuring Ports as Edge Ports

Refer to section “Configuring Ports as Edge Ports”.

Configuring Path Costs of Ports

Path cost is a parameter related to the rate of port-connected links. On an MSTP-compliant device, ports can have different priorities in different MST instances. Setting an appropriate path cost allows VLAN traffic flows to be forwarded along different physical links, thus enabling per-VLAN load balancing.

Table 138 Configuring Leaf Nodes

Task: Configuring an MST Region
Remarks: Required

Task: Configuring the Work Mode of MSTP
Remarks: Optional

Task: Configuring the Timeout Factor
Remarks: Optional

Task: Configuring the Maximum Transmission Rate of Ports
Remarks: Optional

Task: Configuring Ports as Edge Ports
Remarks: Optional

Task: Configuring Path Costs of Ports
Remarks: Optional

Task: Configuring Port Priority
Remarks: Optional

Task: Configuring Whether Ports Connect to Point-to-Point Links
Remarks: Optional

Task: Configuring the MSTP Packet Format for Ports
Remarks: Optional

Task: Enabling the MSTP Feature
Remarks: Required


The device can automatically calculate the default path cost; alternatively, you can also configure the path cost for ports.

Specifying a standard that the device uses when calculating the default path cost

You can specify a standard for the device to use in automatic calculation for the default path cost. The device supports the following standards:

■ dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1D-1998.

■ dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.

■ legacy: The device calculates the default path cost for ports based on a private standard.

Follow these steps to specify a standard for the device to use when calculating the default path cost:

Table 139 Specifying a standard that the device uses when calculating the default path cost

To: Enter system view
Use the command: system-view
Remarks: –

To: Specify a standard for the device to use when calculating the default path cost of the link connected with the device
Use the command: stp pathcost-standard { dot1d-1998 | dot1t | legacy }
Remarks: Optional. The default standard used by the device depends on the specific device model.

Table 140 Link speed vs. path cost

Link speed | Duplex state | 802.1D-1998 | 802.1t | Private standard
0 | — | 65535 | 200,000,000 | 200,000
10Mbit/s | Half-Duplex/Full-Duplex | 100 | 2,000,000 | 2,000
10Mbit/s | Aggregated Link 2 Ports | 100 | 1,000,000 | 1,800
10Mbit/s | Aggregated Link 3 Ports | 100 | 666,666 | 1,600
10Mbit/s | Aggregated Link 4 Ports | 100 | 500,000 | 1,400
100Mbit/s | Half-Duplex/Full-Duplex | 19 | 200,000 | 200
100Mbit/s | Aggregated Link 2 Ports | 19 | 100,000 | 180
100Mbit/s | Aggregated Link 3 Ports | 19 | 66,666 | 160
100Mbit/s | Aggregated Link 4 Ports | 19 | 50,000 | 140
1000Mbit/s | Full-Duplex | 4 | 20,000 | 20
1000Mbit/s | Aggregated Link 2 Ports | 4 | 10,000 | 18
1000Mbit/s | Aggregated Link 3 Ports | 4 | 6,666 | 16
1000Mbit/s | Aggregated Link 4 Ports | 4 | 5,000 | 14
10Gbit/s | Full-Duplex | 2 | 2,000 | 2
10Gbit/s | Aggregated Link 2 Ports | 2 | 1,000 | 1
10Gbit/s | Aggregated Link 3 Ports | 2 | 666 | 1
10Gbit/s | Aggregated Link 4 Ports | 2 | 500 | 1


In the calculation of the path cost value of an aggregated link, 802.1D-1998 does not take into account the number of ports in the aggregated link, whereas 802.1t does. The calculation formula is: Path Cost = 200,000,000/link speed in 100 kbps, where link speed is the sum of the link speed values of the non-blocked ports in the aggregated link.
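As an added example (not code from the 3Com guide), the following Python script computes the IEEE 802.1t default path cost with the formula quoted above, including the summed speed of an aggregated link, and cross-checks every row of the 802.1t column of Table 140. The 802.1D-1998 column is reproduced as a lookup only, because the guide gives no formula for it; the function names are this example's own.

```python
# Added example (not from the 3Com guide): the 802.1t default path cost from
# Path Cost = 200,000,000 / (link speed in 100 kbps), where an aggregated link
# contributes the summed speed of its non-blocked ports, checked against the
# 802.1t column of Table 140. Function names are this example's own.

DOT1T_NUMERATOR = 200_000_000


def dot1t_path_cost(link_speed_mbps, active_ports=1):
    """Default 802.1t path cost for a single link or an aggregated link of active_ports members."""
    speed_100kbps = link_speed_mbps * 10 * active_ports   # 1 Mbit/s = 10 x 100 kbps
    if speed_100kbps <= 0:
        return DOT1T_NUMERATOR                            # Table 140 row for link speed 0
    return DOT1T_NUMERATOR // speed_100kbps               # integer division: 10 Mbit/s x 3 -> 666,666


# 802.1D-1998 values from Table 140; the same value applies whatever the port count,
# since 802.1D-1998 ignores aggregation, as the text above notes.
DOT1D_1998_COST = {0: 65535, 10: 100, 100: 19, 1000: 4, 10000: 2}


def dot1d_1998_path_cost(link_speed_mbps, active_ports=1):
    """Default 802.1D-1998 path cost; active_ports is accepted for symmetry but ignored."""
    del active_ports
    return DOT1D_1998_COST[link_speed_mbps]


# Expected 802.1t column of Table 140: (link speed in Mbit/s, ports) -> path cost.
TABLE_140_DOT1T = {
    (10, 1): 2_000_000, (10, 2): 1_000_000, (10, 3): 666_666, (10, 4): 500_000,
    (100, 1): 200_000, (100, 2): 100_000, (100, 3): 66_666, (100, 4): 50_000,
    (1000, 1): 20_000, (1000, 2): 10_000, (1000, 3): 6_666, (1000, 4): 5_000,
    (10000, 1): 2_000, (10000, 2): 1_000, (10000, 3): 666, (10000, 4): 500,
}


def table_140_mismatches():
    """Rows of Table 140 whose 802.1t value the formula does not reproduce (expected, computed)."""
    return {key: (expected, dot1t_path_cost(*key))
            for key, expected in TABLE_140_DOT1T.items()
            if dot1t_path_cost(*key) != expected}


if __name__ == "__main__":
    for (speed, ports), _ in sorted(TABLE_140_DOT1T.items()):
        print(f"{speed:>6} Mbit/s x {ports} port(s): "
              f"802.1t {dot1t_path_cost(speed, ports):>11,}  "
              f"802.1D-1998 {dot1d_1998_path_cost(speed, ports)}")
    print("mismatches against Table 140:", table_140_mismatches())
```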

Configuring Path Costs of Ports

Follow these steps to configure the path cost of ports:

CAUTION:

■ If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will no longer be in effect.

■ When the path cost of a port is changed, MSTP will re-compute the role of the port and initiate a state transition. If you use 0 as instance-id, you are setting the path cost of the CIST.

Configuration example (1)

1 Set the path cost of GigabitEthernet 1/0/1 in MST instance 1 to 2000.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 cost 2000

Configuration example (2)

1 Configure the path cost of GigabitEthernet 1/0/1 in MST instance 1 to be calculated by MSTP as per IEEE 802.1D-1998.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] undo stp instance 1 cost
[3Com-GigabitEthernet1/0/1] quit
[3Com] stp pathcost-standard dot1d-1998

Configuring Port Priority

The priority of a port is an important basis for determining whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority will be elected as the root port.

Table 141 Configuring Path Costs of Ports

To: Enter system view
Use the command: system-view
Remarks: –

To: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group

To: Enter port group view
Use the command: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command (see above)

To: Configure the path cost of the port(s)
Use the command: stp [ instance instance-id ] cost cost
Remarks: Required. By default, MSTP automatically calculates the path cost of each port


On an MSTP-compliant device, a port can have different priorities in different MST instances, and the same port can play different roles in different MST instances, so that data of different VLANs can be propagated along different physical paths, thus implementing per-VLAN load balancing. You can set port priority values based on the actual networking requirements.

Configuration procedure

Follow these steps to configure the priority of a port or a group of ports:

■ When the priority of a port is changed, MSTP will re-compute the role of the port and initiate a state transition.

■ Generally, a lower configured priority value indicates a higher priority of the port. If you configure the same priority value for all the Ethernet ports on a device, the specific priority of a port depends on the index number of that port. Changing the priority of an Ethernet port triggers a new spanning tree computing process.

Configuration example

1 Set the priority of port GigabitEthernet 1/0/1 to 16 in MST instance 1.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 port priority 16

Configuring Whether Ports Connect to Point-to-Point Links

Refer to “Configuring Whether Ports Connect to Point-to-Point Links”.

Configuring the MSTP Packet Format for Ports

Refer to “Configuring the MSTP Packet Format for Ports”.

Enabling the MSTP Feature

Refer to “Enabling the MSTP Feature”.

Table 142 Configuring Port Priority

To: Enter system view
Use the command: system-view
Remarks: –

To: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group

To: Enter port group view
Use the command: port-group { manual port-group-name | aggregation agg-id }
Remarks: Use either command (see above)

To: Configure port priority
Use the command: stp [ instance instance-id ] port priority priority
Remarks: Optional. 128 for all Ethernet ports by default


Performing mCheck

Ports on an MSTP-compliant device have three working modes: STP-compatible mode, RSTP mode, and MSTP mode.

In a switched network, if a port on the device running MSTP (or RSTP) connects to a device running STP, this port will automatically migrate to the STP-compatible mode. However, if the device running STP is removed, this port will not be able to migrate automatically to the MSTP (or RSTP) mode, but will remain working in the STP-compatible mode. In this case, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode.

You can perform mCheck on a port through two approaches, which lead to the same result.

Configuration prerequisites

MSTP has been correctly configured on the device.

Performing mCheck globally

Follow these steps to perform mCheck globally:

Table 143 Performing mCheck globally

To...                  Use the command...    Remarks
Enter system view      system-view           –
Perform mCheck         stp mcheck            Required

Performing mCheck in Ethernet port view

Follow these steps to perform mCheck in Ethernet port view:

Table 144 Performing mCheck in Ethernet port view

To...                      Use the command...                            Remarks
Enter system view          system-view                                   –
Enter Ethernet port view   interface interface-type interface-number     –
Perform mCheck             stp mcheck                                    Required

CAUTION: The stp mcheck command is meaningful only when the device works in the MSTP (or RSTP) mode, not in the STP-compatible mode.

Configuration example

1 Perform mCheck on port GigabitEthernet 1/0/1.

a Method 1: Perform mCheck globally.

<3Com> system-view
[3Com] stp mcheck

b Method 2: Perform mCheck in Ethernet port view.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp mcheck


Configuring Protection Functions

An MSTP-compliant device supports the following protection functions:

■ BPDU guard

■ Root guard

■ Loop guard

■ TC-BPDU attack guard

Among loop guard, root guard and edge port setting, only one function can take effect on the same port at the same time.

The purposes of these protection functions are as follows:

■ BPDU guard

For access layer devices, the access ports generally connect directly to user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition of these ports. When these ports receive configuration BPDUs, the system automatically sets them as non-edge ports and starts a new spanning tree computing process, which causes network topology instability. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, network instability will occur.

MSTP provides the BPDU guard function to protect the system against such attacks. With the BPDU guard function enabled on a device, when an edge port receives a configuration BPDU, the system closes the port and notifies the NMS that the port has been closed by MSTP. Ports closed in this way can be restored only by the network administrator.

■ Root guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design. However, due to possible configuration errors or malicious attacks in the network, the legal root bridge may receive a configuration BPDU with a higher priority. In this case, the current root bridge is superseded by another device, causing an undesired change of the network topology. As a result of this kind of illegal topology change, the traffic that should go over high-speed links is drawn to low-speed links, resulting in network congestion.

To prevent this situation from happening, MSTP provides the root guard function to protect the root bridge. If the root guard function is enabled on a port, this port keeps playing the role of designated port on all MST instances. Once this port receives a configuration BPDU with a higher priority from an MST instance, it immediately sets that instance port to the listening state, without forwarding the packet (this is equivalent to disconnecting the link connected to this port). If the port receives no BPDUs with a higher priority within a sufficiently long time, the port reverts to its original state.


■ Loop guard

By continuing to receive BPDUs from the upstream device, a device can maintain the state of the root port and other blocked ports. However, due to link congestion or unidirectional link failures, these ports may fail to receive BPDUs from the upstream device. In this case, the downstream device reselects the port roles: the ports that failed to receive upstream BPDUs become designated ports and the blocked ports transition to the forwarding state, resulting in loops in the switched network. The loop guard function can suppress the occurrence of such loops.

If a loop guard–enabled port fails to receive BPDUs from the upstream device, and if the port took part in STP computing, all the instances on the port, no matter what roles they play, are set to, and stay in, the Discarding state.

■ TC-BPDU attack guard

When receiving a TC-BPDU packet (a packet used as notification of a topology change), the device deletes the corresponding MAC address entries and ARP entries. If someone forges TC-BPDUs to attack the device, the device receives a large number of TC-BPDUs within a short time, and the frequent deletion operations place a heavy burden on the device and endanger network stability.

With the TC-BPDU guard function enabled, the device performs a deletion operation only once within a certain period of time (typically 10 seconds) after it receives a TC-BPDU, and monitors whether a new TC-BPDU is received within that period of time. If a new TC-BPDU is received within that period of time, the device will perform another deletion operation after that period of time elapses. This prevents frequent deletion of MAC address entries and ARP entries.
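The hold-down behaviour described above, modelled as an added example (not 3Com code): it counts the MAC/ARP flush operations a device performs for a list of TC-BPDU arrival times with the guard disabled versus enabled. It assumes the 10-second period the text calls typical, and that a TC-BPDU arriving inside a running period schedules exactly one more flush at the end of that period.

```python
"""Simulation of the TC-BPDU guard hold-down described in the guide.

Added example, not 3Com code. It counts the MAC/ARP flush operations a
device performs for a list of TC-BPDU arrival times (seconds), with the
guard disabled versus enabled. Assumptions: the period is 10 seconds
(the guide says "typically"), and a TC-BPDU that arrives inside a running
period schedules exactly one more flush at the end of that period.
"""

GUARD_PERIOD = 10.0   # seconds


def flush_times_without_guard(arrivals):
    """Without the guard every TC-BPDU flushes immediately: one flush per packet."""
    return [float(t) for t in sorted(arrivals)]


def flush_times_with_guard(arrivals, period=GUARD_PERIOD):
    """Flush times with TC-BPDU guard enabled.

    A TC-BPDU received while no hold period is running flushes at once and
    starts a period. TC-BPDUs received during the period only mark a flush
    as pending; when the period ends the pending flush is performed and a
    new period starts, so a sustained flood costs at most one flush per period.
    """
    flushes = []
    period_end = None     # end of the running hold period, None when idle
    pending = False
    for t in sorted(float(x) for x in arrivals):
        # Retire any hold periods that ended before this packet arrived.
        while period_end is not None and t >= period_end:
            if pending:
                flushes.append(period_end)
                pending = False
                period_end += period
            else:
                period_end = None
        if period_end is None:
            flushes.append(t)
            period_end = t + period
        else:
            pending = True
    # A flush deferred past the last arrival still happens when the period ends.
    if period_end is not None and pending:
        flushes.append(period_end)
    return flushes


def flush_reduction(arrivals, period=GUARD_PERIOD):
    """(flushes without guard, flushes with guard) for the same arrival pattern."""
    return (len(flush_times_without_guard(arrivals)),
            len(flush_times_with_guard(arrivals, period)))


if __name__ == "__main__":
    # Constructed traffic: 100 forged TC-BPDUs within one second ...
    burst = [i / 100 for i in range(100)]
    # ... and two genuine topology changes 25 seconds apart.
    print("burst:", flush_reduction(burst))                 # (100, 2)
    print("two real changes:", flush_reduction([0, 25]))    # (2, 2)
```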

Configuration prerequisites

MSTP has been correctly configured on the device.

Enabling BPDU Guard

■ The support for this feature depends on the specific device model.

■ We recommend that you enable BPDU guard if your device supports this function.

Configuration procedure

Follow these steps to enable BPDU guard:

Table 145 Enabling BPDU Guard

To...                                            Use the command...       Remarks
Enter system view                                system-view              –
Enable the BPDU guard function for the device    stp bpdu-protection      Required. Disabled by default.

Configuration example

1 Enable BPDU protection.

<3Com> system-view
[3Com] stp bpdu-protection


Enabling Root Guard

■ The support for this feature depends on the specific device model.

■ We recommend that you enable root guard if your device supports this function.

Configuration procedure

Follow these steps to enable root guard:

Table 146 Enabling Root Guard

To...                                          Use the command...                                             Remarks
Enter system view                              system-view                                                    –
Enter Ethernet port view                       interface interface-type interface-number                      Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group.
Enter port group view                          port-group { manual port-group-name | aggregation agg-id }
Enable the root guard function for the port(s)   stp root-protection                                          Required. Disabled by default.

Configuration example

1 Enable the root guard function for port GigabitEthernet 1/0/1.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp root-protection

Enabling Loop Guard

■ The support for this feature depends on the specific device model.

■ We recommend that you enable loop guard if your device supports this function.

Configuration procedure

Follow these steps to enable loop guard:

Table 147 Enabling Loop Guard

To...                                          Use the command...                                             Remarks
Enter system view                              system-view                                                    –
Enter Ethernet port view                       interface interface-type interface-number                      Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group.
Enter port group view                          port-group { manual port-group-name | aggregation agg-id }
Enable the loop guard function for the port(s)   stp loop-protection                                          Required. Disabled by default.

Configuration example

1 Enable the loop guard function for port GigabitEthernet 1/0/1.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp loop-protection

Enabling TC-BPDU Attack Guard

Configuration procedure

Follow these steps to enable TC-BPDU attack guard:

Table 148 Enabling TC-BPDU Attack Guard

To...                                       Use the command...           Remarks
Enter system view                           system-view                  –
Enable the TC-BPDU attack guard function    stp tc-protection enable     Optional. Enabled by default.

We recommend that you do not disable this function.

Configuration example

1 Enable the TC-BPDU attack guard function.

<3Com> system-view
[3Com] stp tc-protection enable

Displaying and Maintaining MSTP

Table 149 Displaying and Maintaining MSTP

To...                                                                  Use the command...                                                                              Remarks
View the status information and statistics of MSTP                     display stp [ instance instance-id ] [ interface interface-list | slot slot-number ] [ brief ]   Available in any view
View the MST region configuration information that has taken effect    display stp region-configuration                                                              Available in any view
Clear the statistics of MSTP                                           reset stp [ interface interface-list ]                                                          Available in user view

MSTP Configuration Example

Network requirements

Configure MSTP so that packets of different VLANs are forwarded along different spanning trees. The specific configuration requirements are as follows:

■ All devices on the network are in the same MST region.

■ Packets of VLAN 10 are forwarded along MST instance 1, those of VLAN 30 are forwarded along MST instance 3, those of VLAN 40 are forwarded along MST instance 4, and those of VLAN 20 are forwarded along MST instance 0.

■ Switch A and Switch B are convergence layer devices, while Switch C and Switch D are access layer devices. VLAN 10 and VLAN 30 are terminated on the convergence layer devices, and VLAN 40 is terminated on the access layer devices, so the root bridges of MST instance 1 and MST instance 3 are Switch A and Switch B respectively, while the root bridge of MST instance 4 is Switch C.


Network diagram

Figure 59 Network diagram for MSTP configuration

“Permit:” beside each link in the figure lists the VLANs whose packets are permitted to pass over that link.

Configuration procedure

1 Configuration on Switch A

a Configure an MST region.

<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0

b Activate the MST region configuration manually.

[3Com-mst-region] active region-configuration

c Define Switch A as the root bridge of MST instance 1.

[3Com] stp instance 1 root primary

d View the MST region configuration information that has taken effect.

[3Com] display stp region-configuration
 Oper configuration
   Format selector    :0
   Region name        :example
   Revision level     :0

   Instance  Vlans Mapped
      0      1 to 9, 11 to 29, 31 to 39, 41 to 4094
      1      10
      3      30
      4      40



2 Configuration on Switch B

a Configure an MST region.

<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0

b Activate the MST region configuration manually.

[3Com-mst-region] active region-configuration

c Define Switch B as the root bridge of MST instance 3.

[3Com] stp instance 3 root primary

d View the MST region configuration information that has taken effect.

[3Com] display stp region-configuration
 Oper configuration
   Format selector    :0
   Region name        :example
   Revision level     :0

   Instance  Vlans Mapped
      0      1 to 9, 11 to 29, 31 to 39, 41 to 4094
      1      10
      3      30
      4      40

3 Configuration on Switch C

a Configure an MST region.

<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0

b Activate the MST region configuration manually.

[3Com-mst-region] active region-configuration

c Define Switch C as the root bridge of MST instance 4.

[3Com] stp instance 4 root primary


d View the MST region configuration information that has taken effect.

[3Com] display stp region-configuration
 Oper configuration
   Format selector    :0
   Region name        :example
   Revision level     :0

   Instance  Vlans Mapped
      0      1 to 9, 11 to 29, 31 to 39, 41 to 4094
      1      10
      3      30
      4      40

4 Configuration on Switch D

a Configure an MST region.

<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0

b Activate the MST region configuration manually.

[3Com-mst-region] active region-configuration

c View the MST region configuration information that has taken effect.

[3Com] display stp region-configuration
 Oper configuration
   Format selector    :0
   Region name        :example
   Revision level     :0

   Instance  Vlans Mapped
      0      1 to 9, 11 to 29, 31 to 39, 41 to 4094
      1      10
      3      30
      4      40
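To check the “Vlans Mapped” output of display stp region-configuration against what was typed in MST region view, an added example (not 3Com code) that derives the per-instance VLAN ranges from the instance/vlan mappings; every VLAN left unmapped falls back to instance 0, as in the display above. It assumes the CLI rejects mapping one VLAN to two instances, which the code mirrors with a ValueError.

```python
"""Derive the 'Vlans Mapped' table of display stp region-configuration.

Added example, not 3Com code. From the instance/vlan mappings typed in MST
region view it computes the per-instance VLAN list, every VLAN not mapped
explicitly falling back to instance 0 (the CIST), and renders the ranges
in the same "a to b, c" form as the display output, so the output can be
checked against what was configured. Assumption: the CLI rejects mapping
one VLAN to two instances, which this code mirrors with ValueError.
"""

VLAN_MIN, VLAN_MAX = 1, 4094


def vlan_ranges(vlans):
    """Render a collection of VLAN IDs as '1 to 9, 11 to 29, 31' style text."""
    ids = sorted(set(vlans))
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]} to {ids[j]}")
        i = j + 1
    return ", ".join(parts)


def instance_vlan_map(mappings):
    """mappings: [(instance_id, [vlan, ...]), ...] as entered with `instance N vlan ...`.

    Returns {instance_id: [vlan ids]} with instance 0 holding all the rest.
    """
    owner = {}
    for inst, vlans in mappings:
        for v in vlans:
            if not VLAN_MIN <= v <= VLAN_MAX:
                raise ValueError(f"VLAN {v} is outside {VLAN_MIN}-{VLAN_MAX}")
            if v in owner and owner[v] != inst:
                raise ValueError(f"VLAN {v} already mapped to instance {owner[v]}")
            owner[v] = inst
    result = {0: [v for v in range(VLAN_MIN, VLAN_MAX + 1) if v not in owner]}
    for v, inst in sorted(owner.items()):
        result.setdefault(inst, []).append(v)
    return result


def region_table(mappings):
    """[(instance, 'Vlans Mapped' text)] in display order."""
    m = instance_vlan_map(mappings)
    return [(inst, vlan_ranges(m[inst])) for inst in sorted(m)]


def display_lines(mappings, region_name, revision=0):
    """Lines in the layout of `display stp region-configuration`."""
    lines = [" Oper configuration",
             "   Format selector    :0",
             f"   Region name        :{region_name}",
             f"   Revision level     :{revision}",
             "",
             "   Instance  Vlans Mapped"]
    for inst, text in region_table(mappings):
        lines.append(f"   {inst:>5}     {text}")
    return lines


if __name__ == "__main__":
    # The region configured on Switch A to Switch D in the procedure above.
    print("\n".join(display_lines([(1, [10]), (3, [30]), (4, [40])], "example")))
```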


20 IP ADDRESSING CONFIGURATION

IP addressing uses a 32-bit address to identify each host on the network.

This chapter tells you how to assign IP addresses to interfaces on your device. Use the following table to find the information you need.

Table 150 Information

If you need to…                                                                                        Go to…
Know how IP addresses are expressed and classified, how subnetting works, and what IP unnumbered is    IP Addressing Overview
Assign IP addresses to interfaces                                                                      Configuring IP Addresses
Consult the display commands available for verifying IP addressing configuration                      Displaying and Maintaining IP Addressing

IP Addressing Overview

To get more information about IP addressing, go to these topics:

■ IP Address Classes

■ Subnetting and Masking

IP Address Classes

IP addresses are represented in dotted decimal notation, each being four octets in length, for example, 10.1.1.1.

Each IP address breaks down into two parts:

■ Net-id: the first several bits of the IP address, which define a network; these are also known as class bits.

■ Host-id: identifies a host on a network.

For administrative purposes, IP addresses are divided into five classes. Which class an IP address belongs to depends on the first one to four bits of the net-id, as shown in the following figure.


Figure 60 IP address classes (leading bits: Class A 0, Class B 10, Class C 110, Class D 1110, Class E 1111; Class A, B, and C addresses are split into net-id and host-id, Class D is the multicast address and Class E the reserved address)

The following table describes the address ranges of these five classes.

Table 151 IP address classes

Class   Address range                     Description
A       0.0.0.0 to 127.255.255.255        Addresses starting with 127 are reserved for loopback tests. Packets destined to these addresses are processed internally as input packets rather than sent to the line.
B       128.0.0.0 to 191.255.255.255      —
C       192.0.0.0 to 223.255.255.255      —
D       224.0.0.0 to 239.255.255.255      Unlike Class A, B, and C addresses, Class D addresses are used for multicast addressing.
E       240.0.0.0 to 255.255.255.255      Reserved for future use except for the broadcast address 255.255.255.255.

Subnetting and Masking

In the 1980s, subnetting was developed to address the risk of IP address exhaustion resulting from the fast expansion of the Internet. The idea is to break a network down into smaller networks called subnets by using some bits of the host-id to create a subnet-id. To identify the boundary between the net-id and the host-id, masking is used.

Each subnet mask comprises 32 bits corresponding to the bits of an IP address. In a mask, the part containing consecutive ones identifies the net-id, whereas the part containing consecutive zeros identifies the host-id.

Figure 61 shows how a Class B address is subnetted.

Figure 61 Subnetting a Class B address (the natural mask 255.255.0.0 separates net-id from host-id; the subnet mask extends the ones into the host-id so that the leading host bits become the subnet-id)


While allowing you to create multiple logical networks within a single Class A, B, or C network, subnetting is transparent to the rest of the Internet. All these networks still appear as one. As subnetting adds an additional level, subnet-id, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host.

Subnetting is a trade-off between subnets and accommodated hosts. For example, a Class B network can accommodate 65,534 hosts before being subnetted. After you break it down into 64 subnets by using the first 6 bits of the host-id for the subnet-id, you have only 10 bits left for the host-id and thus only 1022 (2^10 – 2) hosts in each subnet. The maximum number of hosts is thus 65,408 (64 x 1022), 126 fewer than before the network was subnetted.

Class A, B, and C networks, before being subnetted, use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
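The class rules, natural masks and the Class B subnetting arithmetic above, as an added example (not 3Com code) using only Python's standard ipaddress module: ip_class() classifies an address by its leading bits, natural_mask() returns the default mask, and subnet_plan() reproduces the 64-subnet trade-off for any class and number of borrowed bits.

```python
"""IP address classes and the subnetting arithmetic from this chapter.

Added example, not 3Com code. ip_class() classifies a dotted-decimal address
by its leading bits as in Figure 60 and Table 151, natural_mask() returns the
default masks listed above, and subnet_plan() reproduces the Class B
trade-off: borrowing 6 host bits gives 64 subnets of 1022 hosts, 65,408 in
total, 126 fewer than the 65,534 of the unsubnetted network.
"""
import ipaddress

# Leading-bit patterns of the five classes (Figure 60), tested in order.
CLASS_PREFIXES = [("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111")]
NATURAL_PREFIX_LEN = {"A": 8, "B": 16, "C": 24}


def ip_class(addr):
    """Return 'A'..'E' for an IPv4 address given in dotted decimal notation."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    bits = f"{first_octet:08b}"
    for cls, prefix in CLASS_PREFIXES:
        if bits.startswith(prefix):
            return cls
    raise RuntimeError("unreachable: every octet matches one of the patterns")


def natural_mask(addr):
    """Default (natural) mask of a Class A, B or C address, as dotted decimal."""
    cls = ip_class(addr)
    if cls not in NATURAL_PREFIX_LEN:
        raise ValueError(f"Class {cls} addresses are not assigned to hosts and have no natural mask")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{NATURAL_PREFIX_LEN[cls]}").netmask)


def subnet_plan(addr, subnet_bits):
    """Subnet count and host capacity after borrowing subnet_bits bits of the host-id.

    The all-zeros and all-ones host-ids of each subnet are unusable, hence 2**n - 2.
    """
    cls = ip_class(addr)
    if cls not in NATURAL_PREFIX_LEN:
        raise ValueError("only Class A, B and C networks are subnetted")
    prefix_len = NATURAL_PREFIX_LEN[cls] + subnet_bits
    host_bits = 32 - prefix_len
    if host_bits < 2:
        raise ValueError("at least 2 host bits are needed for usable host addresses")
    subnets = 2 ** subnet_bits
    hosts_per_subnet = 2 ** host_bits - 2
    return {
        "class": cls,
        "mask": str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask),
        "subnets": subnets,
        "hosts_per_subnet": hosts_per_subnet,
        "total_hosts": subnets * hosts_per_subnet,
    }


if __name__ == "__main__":
    before = subnet_plan("129.2.2.1", 0)
    after = subnet_plan("129.2.2.1", 6)
    print(before["total_hosts"], "->", after["total_hosts"], "hosts, lost",
          before["total_hosts"] - after["total_hosts"])   # 65534 -> 65408 hosts, lost 126
```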

Configuring IP Addresses

For a VLAN interface, an IP address can be obtained in one of three ways:

■ Manually configured by using the IP address configuration command

■ Allocated by the BOOTP server

■ Allocated by the DHCP server

The three methods are mutually exclusive and the use of a new method will result in the IP address obtained by the old method being released. For example, if you obtain an IP address by using the IP address configuration command, and then use the ip address bootp-alloc command to apply for an IP address, the originally configured IP address is deleted and a new IP address will be allocated by BOOTP for the VLAN interface.

This chapter covers only how to assign an IP address manually. For the other two methods of obtaining IP addresses, refer to the DHCP module.

This section includes:

■ Assigning an IP Address to an Interface

■ IP Addressing Configuration Example

Assigning an IP Address to an Interface

Follow these steps to assign an IP address to an interface:

Table 152 Assigning an IP Address to an Interface

To do…                                   Use the command…                                Remarks
Enter system view                        system-view                                     —
Enter interface view                     interface interface-type interface-number       —
Assign an IP address to the interface    ip address ip-address { mask | mask-length }    Required. No IP address is assigned by default.


You can configure IP addresses for VLAN interfaces and loopback interfaces on Switch 4500G switches.

IP Addressing Configuration Example

Network requirements

Set the IP address and subnet mask of VLAN interface 1 to 129.2.2.1 and 255.255.255.0 respectively.

Network diagram

Figure 62 IP address configuration (a PC connected to the switch through a console cable)

Configuration procedure

Configure an IP address for VLAN interface 1.

<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 129.2.2.1 255.255.255.0

Displaying IP Addressing

Table 153 Displaying IP Addressing

To do…                                                                                        Use the command…                                                 Remarks
Display detailed information about the IP configuration of a specified interface             display ip interface [ interface-type interface-number ]         Available in any view
Display brief information about the basic IP configuration of a specified or all interfaces  display ip interface brief [ interface-type interface-number ]   Available in any view


21 IP PERFORMANCE CONFIGURATION

Introduction to IP performance

In some network environments, you need to adjust the parameters for the best IP performance. IP performance configuration includes:

■ TCP timer

■ Size of TCP receiving/sending buffer

■ Sending ICMP error packets

■ Permitting Receiving and Forwarding of Directed Broadcast Packets

Configuring TCP attributes

TCP attributes that can be configured include:

■ synwait timer: TCP starts the synwait timer before sending a SYN packet. If no response packet is received before the synwait timer expires, the TCP connection is not established.

■ finwait timer: The finwait timer is started when a TCP connection enters the FIN_WAIT_2 state. If no FIN packet is received before the timer expires, the TCP connection is terminated. If a FIN packet is received, the connection enters the TIME_WAIT state and the timer is restarted from the receipt of the last non-FIN packet; the connection is closed when the timer expires.

■ Size of the TCP receiving/sending buffer

Table 154 Configuring TCP attributes

To do…                                                    Use the command…                     Remarks
Enter system view                                         system-view                          —
Configure the TCP synwait timer’s timeout value           tcp timer syn-timeout time-value     Optional. By default, the timeout value is 75 seconds.
Configure the TCP finwait timer’s timeout value           tcp timer fin-timeout time-value     Optional. By default, the timeout value is 675 seconds.
Configure the size of the TCP receiving/sending buffer    tcp window window-size               Optional. By default, the buffer is 8k bytes.


Configuring sending ICMP error packets

Sending error packets is a major function of the ICMP protocol. ICMP packets are typically sent by protocols at the network or transport layer to notify the corresponding devices, so as to facilitate control and management.

Advantage of sending ICMP error packets

There are three kinds of ICMP error packets: redirect packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.

1 Sending ICMP redirect packets

When a host starts, it may have only one default route, to the default gateway, in its routing table. The default gateway sends an ICMP redirect packet to the source host to tell it to select a better next-hop router for the packets that follow, if the following conditions are satisfied:

■ When forwarding a data packet, the device finds that the receiving interface and the sending interface are the same.

■ The selected route has not been created or modified by an ICMP redirect packet.

■ The selected route is not the default route of the host.

■ The source IP address of the data packet and the next-hop IP address of the selected route belong to the same network segment.

You can use ICMP redirect packets to simplify host administration and to find the best route by building up a sound routing table on hosts that start with little routing information.

2 Sending ICMP timeout packets

Sending ICMP timeout packets enables the device to drop a data packet and send an ICMP error packet to the source when a timeout error occurs after the device has received the IP packet.

The device sends an ICMP timeout packet under the following conditions:

■ If a device receives a data packet whose TTL field is 1 and finds that the destination of the packet is not local, it sends a “TTL timeout” ICMP error message.

■ When the device receives the first fragment of an IP packet whose destination address is local, it starts a timer. If the timer expires before all the fragments are received, the device sends a “reassembly timeout” ICMP error packet.

3 Sending ICMP destination unreachable packets

Sending ICMP destination unreachable packets means that when a destination unreachable error occurs after the device has received an IP packet, the device drops the packet and sends an ICMP error packet to the source.

The device sends an ICMP destination unreachable packet under the following conditions:

■ When forwarding a packet, if the device finds neither a matching forwarding route nor a default route in the routing table, it sends a “network unreachable” ICMP error packet.


■ When receiving a data packet whose destination address is local, if the transport layer protocol is unavailable on the device, the device sends a “protocol unreachable” ICMP error packet.

■ When receiving a data packet whose destination address is local and whose transport layer protocol is UDP, if the packet’s port number does not match any running process, the device sends the source a “port unreachable” ICMP error packet.

■ When a packet is sent using “strict source routing”, if an intermediate device finds that the next hop given in the source route is not directly connected to it, it sends the source a “source routing fails” ICMP error packet.

■ When forwarding a packet, if the MTU of the outgoing interface is smaller than the packet but the packet has been marked as not to be fragmented, the device sends the source a “fragmenting is required but unavailable” ICMP error packet.

Disadvantage of sending ICMP error packets

Although sending ICMP error packets facilitates control and management, it has the following disadvantages:

■ Sending a lot of ICMP packets increases network traffic.

■ If the device receives a lot of malicious packets that cause it to send many ICMP error packets, its performance is reduced.

■ Because redirects add routes to a host’s routing table, a large increase in redirects reduces the host’s performance.

■ Because ICMP destination unreachable packets are passed up to user processes, end users may be affected by malicious attacks.

To prevent such problems, you can disable the sending of ICMP error packets on the device to reduce network traffic and avoid malicious attacks.

■ After sending ICMP destination unreachable packets is disabled, the device stops sending “network unreachable” and “source route unsuccessful” ICMP error packets; other destination unreachable packets are still sent normally.

■ After sending ICMP timeout packets is disabled, the device stops sending “TTL timeout” ICMP error packets; “reassembly timeout” error packets are still sent normally.

Table 155 Disable sending ICMP error packets

To do…                                                  Use the command…         Remarks
Enter system view                                       system-view              —
Disable sending ICMP redirect packets                   undo ip redirects        Required. Sending ICMP redirect packets is enabled by default.
Disable sending ICMP timeout packets                    undo ip ttl-expires      Required. Sending ICMP timeout packets is enabled by default.
Disable sending ICMP destination unreachable packets    undo ip unreachables     Required. Sending ICMP destination unreachable packets is enabled by default.


Permitting Receiving and Forwarding of Directed Broadcast Packets

Directed broadcast packets include network directed broadcast packets, subnetwork directed broadcast packets and all-subnetwork directed broadcast packets. As specified in RFC 2644, the device can receive and forward directed broadcast packets by default. However, hackers can use such packets to attack the network system, which poses a great potential danger to the network.

Switch 4500G series switches do not receive or forward directed broadcast packets by default. You can configure Switch 4500G series switches to receive and forward directed broadcast packets.

If an ACL is configured when a VLAN interface is enabled to forward directed broadcast packets, the directed broadcast packets to be forwarded are filtered by the configured ACL rules. Directed broadcast packets that do not match the ACL rule are dropped.

CAUTION: If the ip forward-broadcast [ acl acl-number ] command is configured on an interface repeatedly, the latest configured acl-number argument replaces the one configured previously. If the acl-number argument is not provided, the acl-number argument configured previously is disabled.

Table 156 Configure to permit the receiving and forwarding of directed broadcast packets

To do…                                                                      Use the command…                           Remarks
Enter system view                                                           system-view                                —
Enable the switch to receive directed broadcast packets                     ip forward-broadcast                       Optional. By default, directed broadcast packets are not received.
Enter VLAN interface view                                                   interface Vlan-interface vlan-id           —
Enable the specified VLAN interface to forward directed broadcast packets   ip forward-broadcast [ acl acl-number ]    Optional. By default, directed broadcast packets are not forwarded on VLAN interfaces.

Configuration Example

Network requirements

As shown in Figure 63, PC 1 and PC 2 are in the same network segment, 1.1.1.0/24, as VLAN-interface 1 of Switch A, while VLAN-interface 2 of Switch A and VLAN-interface 2 of Switch B are in the network segment 2.2.2.0/24. Static routes are configured on Switch B so that both PC 1 and PC 2 can reach Switch B.


Configure Switch A and Switch B so that:

■ When the ping 2.2.2.255 command is executed on PC 1, PC 1 receives response packets from both Switch A and Switch B.

■ When the ping 2.2.2.255 command is executed on PC 2, PC 2 receives response packets from Switch A only.

Network diagram

Figure 63 Network diagram for permitting receiving and forwarding of directed broadcast packets

Configuration procedure

1 Configure Switch A

a Permit the receiving of directed broadcast packets.

<3Com> system-view
[3Com] ip forward-broadcast

b Define ACL 2000.

[3Com] acl number 2000
[3Com-acl-basic-2000] rule permit source 1.1.1.1 0
[3Com-acl-basic-2000] rule deny source any

c Permit VLAN-interface 2 to forward directed broadcast packets matching ACL 2000.

[3Com] interface vlan-interface 2
[3Com-Vlan-interface2] ip forward-broadcast acl 2000

2 Configure Switch B

a Permit the receiving of directed broadcast packets.

<3Com> system-view
[3Com] ip forward-broadcast

After this configuration, use the ping command on PC 1 to ping the broadcast address 2.2.2.255 of the subnetwork where VLAN-interface 2 of Switch A resides: PC 1 receives response packets from both Switch A and Switch B. Use the ping command on PC 2 to ping the same broadcast address 2.2.2.255: PC 2 receives response packets from Switch A only.
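The outcome just described, worked through as an added example (not 3Com code) that models the two settings of this section: the system-view ip forward-broadcast command (the switch itself accepts a directed broadcast addressed to one of its subnets) and the interface-view ip forward-broadcast [ acl acl-number ] command (the switch forwards such a packet out of that interface only for sources the basic ACL permits). Assumed addresses, taken from the figure's labels rather than stated in the text: Switch A's VLAN-interface 1 is 1.1.1.2 and PC 2 is 1.1.1.3.

```python
"""Who answers a directed-broadcast ping in the Figure 63 scenario?

Added example, not 3Com code. It models the two knobs this section describes:
the global ip forward-broadcast command (the switch itself accepts directed
broadcasts addressed to one of its own subnets) and the per-VLAN-interface
ip forward-broadcast [ acl acl-number ] command (the switch forwards such
packets out of that interface, and only for sources the basic ACL permits;
packets matching no rule are dropped, as the text states).
Assumptions: Switch A's VLAN-interface 1 is 1.1.1.2 and PC 2 is 1.1.1.3
(addresses taken from the figure labels); PC 1 is 1.1.1.1, the only source
ACL 2000 permits.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclRule:
    """One basic ACL rule, e.g. `rule permit source 1.1.1.1 0`."""
    action: str                    # "permit" or "deny"
    source: str                    # dotted address, or "any"
    wildcard: str = "0.0.0.0"      # the CLI's bare `0` means 0.0.0.0 (exact match)

    def matches(self, src):
        if self.source == "any":
            return True
        wc = int(ipaddress.IPv4Address(self.wildcard))   # 1 bits are "don't care"
        src_bits = int(ipaddress.IPv4Address(src)) & ~wc
        rule_bits = int(ipaddress.IPv4Address(self.source)) & ~wc
        return src_bits == rule_bits


def acl_permits(rules, src):
    """First matching rule decides; no match means the packet is dropped."""
    for rule in rules:
        if rule.matches(src):
            return rule.action == "permit"
    return False


@dataclass
class Interface:
    name: str
    address: str                                # e.g. "2.2.2.1/24"
    forward_broadcast: bool = False             # interface-view ip forward-broadcast
    acl: list = field(default_factory=list)     # empty list: no ACL attached

    @property
    def network(self):
        return ipaddress.IPv4Interface(self.address).network


@dataclass
class Switch:
    name: str
    receive_broadcast: bool = False             # system-view ip forward-broadcast
    interfaces: list = field(default_factory=list)

    def handle(self, src, dst):
        """Return (replies, out_interfaces) for a packet from src to dst.

        dst is a directed broadcast for this switch only if it is the broadcast
        address of a subnet configured on one of the switch's interfaces.
        """
        d = ipaddress.IPv4Address(dst)
        replies, out = False, []
        for itf in self.interfaces:
            if d != itf.network.broadcast_address:
                continue
            if self.receive_broadcast:
                replies = True
            if itf.forward_broadcast and (not itf.acl or acl_permits(itf.acl, src)):
                out.append(itf.name)
        return replies, out


def responders(chain, src, dst):
    """Names of the switches that answer, walking the chain until one stops forwarding."""
    answered = []
    for sw in chain:
        replies, out = sw.handle(src, dst)
        if replies:
            answered.append(sw.name)
        if not out:
            break
    return answered


# The configuration from the procedure above, as data.
ACL_2000 = [AclRule("permit", "1.1.1.1"), AclRule("deny", "any")]
SWITCH_A = Switch("Switch A", receive_broadcast=True, interfaces=[
    Interface("Vlan-interface1", "1.1.1.2/24"),
    Interface("Vlan-interface2", "2.2.2.1/24", forward_broadcast=True, acl=ACL_2000),
])
SWITCH_B = Switch("Switch B", receive_broadcast=True, interfaces=[
    Interface("Vlan-interface2", "2.2.2.2/24"),
])

if __name__ == "__main__":
    for pc, src in (("PC 1", "1.1.1.1"), ("PC 2", "1.1.1.3")):
        print(pc, "pinging 2.2.2.255 gets replies from:",
              responders([SWITCH_A, SWITCH_B], src, "2.2.2.255"))
```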

(Figure 63 contents: Switch A and Switch B, each with a VLAN-interface 1 on the 1.1.1.0/24 segment and a VLAN-interface 2 on the 2.2.2.0/24 segment; the addresses shown are 1.1.1.1/24, 1.1.1.2/24 and 1.1.1.3/24 on the VLAN 1 side and 2.2.2.1/24 and 2.2.2.2/24 on the VLAN 2 side; PC 1 (1.1.1.1/24) and PC 2 are attached on the VLAN 1 side.)
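To see how the ACL limits which hosts can trigger a directed broadcast onto the 2.2.2.0/24 segment, here is an added Python model of the Figure 63 scenario; it is example code, not the switch's implementation. It assumes PC 1 is 1.1.1.1 (inferred from the ACL rule in the procedure), that PC 2 is 1.1.1.4 (the page does not state its address), and that a source matching no ACL rule is not forwarded.

```python
import ipaddress

# Constructed model of the Figure 63 scenario (example code, not the switch's
# own implementation). PC 1 is 1.1.1.1 as in the page's ACL; the PC 2 address
# 1.1.1.4 is an assumption, since the page does not give it.

def make_rule(action, source, wildcard="0.0.0.0"):
    """One basic ACL rule. The wildcard mask follows the switch CLI convention:
    0 bits must match exactly, 1 bits are don't-care, so 'source any' is
    0.0.0.0 with wildcard 255.255.255.255 and 'source 1.1.1.1 0' is exact."""
    return {
        "action": action,
        "source": int(ipaddress.IPv4Address(source)),
        "wildcard": int(ipaddress.IPv4Address(wildcard)),
    }

def acl_permits(rules, src_ip):
    """First-match evaluation of a basic ACL against a source address.
    Assumption: a packet matching no rule is not forwarded (the page's own
    example ends with an explicit 'rule deny source any' anyway)."""
    src = int(ipaddress.IPv4Address(src_ip))
    for rule in rules:
        care_bits = ~rule["wildcard"] & 0xFFFFFFFF
        if (src ^ rule["source"]) & care_bits == 0:
            return rule["action"] == "permit"
    return False

# ACL 2000 from the configuration procedure: permit 1.1.1.1, deny everything else.
ACL_2000 = [
    make_rule("permit", "1.1.1.1"),
    make_rule("deny", "0.0.0.0", "255.255.255.255"),
]

def responders(src_ip, vlan2_forward_acl=ACL_2000, vlan2_forward_enabled=True):
    """Which switches answer a ping to 2.2.2.255 sent from src_ip on the
    1.1.1.0/24 segment. Switch A receives the directed broadcast first: with
    'ip forward-broadcast' in system view it answers itself, and its
    VLAN-interface 2 re-broadcasts onto 2.2.2.0/24 only if forwarding is
    enabled there and the ACL (if any) permits the source. Switch B, which
    also has receiving enabled, answers only if that forwarded copy arrives."""
    answered = {"Switch A"}
    forwarded = vlan2_forward_enabled and (
        vlan2_forward_acl is None or acl_permits(vlan2_forward_acl, src_ip))
    if forwarded:
        answered.add("Switch B")
    return answered

if __name__ == "__main__":
    print("PC 1:", sorted(responders("1.1.1.1")))
    print("PC 2:", sorted(responders("1.1.1.4")))
    # Without the ACL every host on 1.1.1.0/24 can make both switches answer,
    # which is the exposure the ACL on VLAN-interface 2 exists to limit.
    print("PC 2, no ACL:", sorted(responders("1.1.1.4", vlan2_forward_acl=None)))
```

The third call shows the difference the ACL makes: with `ip forward-broadcast` on VLAN-interface 2 but no ACL, any host on the VLAN 1 side gets replies from both switches.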


Displaying and maintaining IP performance

After finishing the configuration, run the display commands in any view to display the running status and verify the effect of the IP performance configuration.

In user view, you can run the reset command to clear statistics of IP, TCP and UDP flows.

Table 157 Displaying and maintaining IP performance

To do… Use the command…

Display current TCP connection state display tcp status

Display statistics of TCP connection display tcp statistics

Display statistics of UDP flows display udp statistics

Display statistics of IP packets display ip statistics

Display statistics of ICMP flows display icmp statistics

Display current socket information of the system display ip socket [ socktype sock-type ] [ task-id socket-id ]

Display FIB forward information display fib [ | { begin | include | exclude } text | acl number | ip-prefix listname ]

Display FIB forward information matching the specified destination IP address display fib ip-address1 [ { mask1 | mask-length1 } [ ip-address2 { mask2 | mask-length2 } | longer ] | longer ]

Display statistics about the FIB items display fib statistics

Clear statistics of IP packets reset ip statistics

Clear statistics of TCP flows reset tcp statistics

Clear statistics of UDP flows reset udp statistics


22 IPV4 ROUTING OVERVIEW

Go to these sections for information about IP routing that you are interested in:

■ IP Routing and Routing Table

■ Routing Protocol Overview

■ Displaying and Maintaining a Routing Table

In this chapter, the term router refers either to a generic router or to a Layer 3 switch running routing protocols. For readability, this distinction is not repeated in the rest of the manual.

IP Routing and Routing Table

Routing

Routing in the Internet is achieved through routers. Upon receiving a packet, a router identifies an optimal route based on the destination address and forwards the packet to the next router in the path until the packet reaches the last router, which forwards the packet to the intended destination host.

Routing Through a Routing Table

Routing table

The routing table plays a key role in allowing routers to forward packets. Each router maintains a routing table, and each entry in the table specifies which physical interface a packet destined for a certain destination should go out through to reach the next hop (the next router) or the directly connected destination.

Routes in a routing table can be divided into three categories by origin:

■ Direct routes: Routes discovered by data link protocols, also known as interface routes.

■ Static routes: Routes that are manually configured.

■ Dynamic routes: Routes that are discovered dynamically by routing protocols.

Contents of a routing table

A routing table includes the following key items:

■ Destination address: Indicates the destination address or destination network of an IP packet.

■ Network mask: Specifies, together with the destination address, the address of the destination network. A logical AND operation between the destination address and the network mask yields the address of the destination network. For example, if the destination address is 129.102.8.10 and the mask 255.255.0.0, the address of the destination network is 129.102.0.0. A network mask is made of a certain number of consecutive 1s. It can be expressed in dotted decimal format or by the number of 1s.


■ Outbound interface: Specifies the interface through which the IP packets are to be forwarded.

■ IP address of the next hop: Specifies the address of the next router on the route. If only the outbound interface is configured, its address will be the IP address of the next hop.

■ Priority of the route: Multiple routes may exist to the same destination, each with a different next hop and possibly generated by different routing protocols or configured manually. The optimal route is the one with the highest priority (that is, the smallest priority value).

Routes can be divided into two categories by destination:

■ Subnet routes: The destination is a subnet.

■ Host routes: The destination is a host.

Based on whether the destination is directly connected to a given router, routes can be divided into:

■ Direct routes: The destination is directly connected to the router.

■ Indirect routes: The destination is not directly connected to the router.

To prevent the routing table from getting too large, you can configure a default route. All packets with no matching entry in the routing table will be forwarded through the default route.

In Figure 64, the IP address on each cloud represents the address of the network. Router R8 resides in three networks and therefore has three IP addresses for its three physical interfaces. Its routing table is shown on the right of the network topology.

Figure 64 A sample routing table


Routing Protocol Overview

Static Routing and Dynamic Routing

Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. Its major drawback is that you must perform the routing configuration again whenever the network topology changes; it cannot adjust to network changes by itself.

Dynamic routing, on the other hand, is based on dynamic routing protocols, which can detect network topology changes and recalculate the routes accordingly. Therefore, dynamic routing is suitable for large networks. Its disadvantages are that it is complicated to configure, and that it not only imposes higher requirements on the system but also consumes a certain amount of network resources.

Classification of Dynamic Routing Protocols

Dynamic routing protocols can be classified based on the following standards:

Operational scope

■ Interior gateway protocols (IGPs): Work within an autonomous system; typical examples are RIP, OSPF, and IS-IS.

■ Exterior gateway protocols (EGPs): Work between autonomous systems. The most popular one is BGP.

An autonomous system refers to a group of routers that share the same routing policy and work under the same administration.

Routing algorithm

■ Distance-vector protocols: Mainly RIP and BGP. BGP is also considered a path-vector protocol.

■ Link-state protocols: Mainly OSPF and IS-IS.

The main differences between the above two types of routing algorithms lie in the way routes are discovered and calculated.

Type of the destination address

■ Unicast routing protocols: RIP, OSPF, BGP, and IS-IS.

■ Multicast routing protocols: PIM-SM and PIM-DM.

This chapter focuses on unicast routing protocols. For information on multicast routing protocols, refer to “Multicast Configuration”.

Routing Protocols and Routing Priority

Different routing protocols may find different routes to the same destination. However, not all of those routes are optimal. In fact, at a particular moment, only one protocol can uniquely determine the current optimal routing to the destination. For the purpose of route selection, every route (including static routes) is assigned a priority according to its origin. The route with the highest priority is preferred.


The following table lists some routing protocols and the default priorities for routes found by them:

Table 158 Routing Protocols and Routing Priority

Routing approach Priority

DIRECT 0

OSPF 10

IS-IS 15

STATIC 60

RIP 100

OSPF ASE 150

OSPF NSSA 150

IBGP 256

EBGP 256

UNKNOWN 255

■ The smaller the priority value, the higher the priority.

■ The priority for a direct route is always 0, which you cannot change. Any other type of route can have its priority manually configured.

■ Each static route can be configured with a different priority.

Load Balancing and Route Backup

Load Balancing

In multi-route mode, multiple routes from the same routing protocol may exist to the same destination. These routes have the same priority and will all be used to accomplish load balancing if no route with a higher priority is available.

A given routing protocol may find several routes with the same metric to the same destination, and if this protocol has the highest priority among all the active protocols, then all its routes are regarded as valid current routes. This is how load balancing of network traffic is realized.

In current implementations, the routing protocols supporting load balancing are RIP, OSPF, and IS-IS. In addition, load balancing is also supported for static routes.

The number of routes for load balancing varies by device.

Route backup

Route backup can help in improving network reliability. With route backup, you can configure multiple routes to the same destination, expecting the one with the highest priority to be the main route and all the rest backup routes.

Under normal circumstances, packets are forwarded through the main route. When the main route goes down, the route with the highest priority among the backup routes is selected to forward packets. When the main route recovers, the route selection process is performed again and the main route is selected again to forward packets.
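The route selection described in this section and in "Contents of a routing table" above, as an added Python example (not the switch's code): longest-prefix match narrows the candidates, the Table 158 priority values choose between origins, equal metrics give load balancing, and a failed main route falls back to the backup. The prefixes and next hops are constructed sample values; longest-prefix match is the standard first step that the text leaves implicit, and the example adds it.

```python
import ipaddress

# Added example (not the switch's implementation): a routing table that
# selects routes the way this chapter describes. Default priorities are the
# values of Table 158 (smaller value = preferred). All addresses and next
# hops are constructed sample values.

PRIORITY = {"DIRECT": 0, "OSPF": 10, "IS-IS": 15, "STATIC": 60, "RIP": 100,
            "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 256, "EBGP": 256,
            "UNKNOWN": 255}

class RoutingTable:
    def __init__(self):
        self.routes = []   # every candidate route, active or not

    def add(self, prefix, next_hop, interface, origin, metric=0, priority=None, up=True):
        """Register a route. A direct route always has priority 0 (the page
        says it cannot be changed); other origins may override the default."""
        if origin == "DIRECT":
            priority = 0
        elif priority is None:
            priority = PRIORITY[origin]
        self.routes.append({"net": ipaddress.ip_network(prefix), "next_hop": next_hop,
                            "interface": interface, "origin": origin,
                            "metric": metric, "priority": priority, "up": up})

    def set_state(self, next_hop, up):
        """Mark every route through next_hop up or down (link failure/recovery)."""
        for r in self.routes:
            if r["next_hop"] == next_hop:
                r["up"] = up

    def lookup(self, dest):
        """Return the active routes for dest:
        1. longest prefix match (a /32 host route beats a subnet route, which
           beats the 0.0.0.0/0 default route);
        2. among routes to that prefix, the smallest priority value wins;
        3. among the winner's routes, an equal lowest metric leaves several
           next hops, i.e. load balancing.
        Down routes are skipped, so the best remaining route takes over."""
        addr = ipaddress.ip_address(dest)
        usable = [r for r in self.routes if r["up"] and addr in r["net"]]
        if not usable:
            return []
        longest = max(r["net"].prefixlen for r in usable)
        same_prefix = [r for r in usable if r["net"].prefixlen == longest]
        best_priority = min(r["priority"] for r in same_prefix)
        preferred = [r for r in same_prefix if r["priority"] == best_priority]
        best_metric = min(r["metric"] for r in preferred)
        return [r for r in preferred if r["metric"] == best_metric]

    def next_hops(self, dest):
        return sorted(r["next_hop"] for r in self.lookup(dest))

def build_sample_table():
    rt = RoutingTable()
    rt.add("10.0.0.0/24", "10.0.0.254", "Vlan-interface1", "DIRECT")  # next hop = own address
    rt.add("0.0.0.0/0", "10.0.0.1", "Vlan-interface1", "STATIC")        # default route
    rt.add("192.168.1.0/24", "10.0.0.2", "Vlan-interface1", "OSPF", metric=10)
    rt.add("192.168.1.0/24", "10.0.0.3", "Vlan-interface1", "OSPF", metric=10)  # equal cost
    rt.add("192.168.1.0/24", "10.0.0.4", "Vlan-interface1", "RIP", metric=2)    # backup, priority 100
    rt.add("192.168.1.0/24", "10.0.0.5", "Vlan-interface1", "STATIC")           # backup, priority 60
    rt.add("192.168.1.7/32", "10.0.0.6", "Vlan-interface1", "STATIC")           # host route
    return rt

if __name__ == "__main__":
    rt = build_sample_table()
    for dest in ("192.168.1.9", "192.168.1.7", "10.0.0.9", "8.8.8.8"):
        print(dest, "->", rt.next_hops(dest))
    rt.set_state("10.0.0.2", False)
    rt.set_state("10.0.0.3", False)
    print("OSPF routes down, 192.168.1.9 ->", rt.next_hops("192.168.1.9"))  # static backup wins over RIP
```

With both OSPF next hops down, the static route (priority 60) is chosen over the RIP route (priority 100) even though RIP's metric is lower: priority is compared before metric, as the text states.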


Sharing of Routing Information

As different routing protocols use different algorithms to calculate routes, they may find different routes. In a large network with multiple routing protocols, routing protocols must share their routing information. Each routing protocol has its own route redistribution mechanism. For detailed information, refer to “IP Routing Configuration”.

Displaying and Maintaining a Routing Table

Table 159 Displaying and Maintaining a Routing Table

To do… Use the command… Remarks

Display summary information about the active routes in the routing table

display ip routing-table Available in any view

Display detailed information about the specified routes in the routing table

display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ] [ | { begin | exclude | include } regular-expression ]

Available in any view

Display information about routes to the specified destination

display ip routing-table ip-address [ mask-length | mask ] [ longer-match ] [ verbose ]

Available in any view

Display information about routes with destination addresses in the specified range

display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask } [ verbose ]

Available in any view

Display information about routes permitted by a specified basic ACL

display ip routing-table acl acl-number [ verbose ]

Available in any view

Display information about routes selected by a specified prefix list

display ip routing-table ip-prefix ip-prefix-name [ verbose ]

Available in any view

Display protocol specific routes display ip routing-table protocol protocol [ inactive | verbose ]

Available in any view

Display statistics about the routing table

display ip routing-table statistics

Available in any view

Clear statistics for the routing table

reset ip routing-table statistics protocol { all | protocol }

Available in user view


23 CONFIGURING IPV6

The descriptions and examples in this text apply to both switches and routers, unless otherwise noted.

IPv6 Overview

Internet protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

IPv6 Features

IPv6 provides the following features:

■ Header Format Simplification—IPv6 cuts down some IPv4 header fields or moves them to extension headers to reduce the load of basic IPv6 headers, thus making IPv6 packet handling simple and improving the forwarding efficiency. Although the IPv6 address size is four times that of IPv4 addresses, the size of basic IPv6 headers is only twice that of IPv4 headers (excluding the Options field).

Figure 65 Comparison between IPv4 header format and IPv6 header format

(Figure 65 contents: IPv4 header fields Ver, IHL, TOS, Total length, Identification, F, Fragment offset, TTL, Protocol, Header checksum, Source address (32 bits), Destination address (32 bits), Options, Padding; IPv6 header fields Ver, Traffic class, Flow label, Payload length, Next header, Hop limit, Source address (128 bits), Destination address (128 bits); bit positions 0, 7, 15, 31.)

■ Adequate Address Space—The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private addresses.

■ Hierarchical Address Structure—IPv6 adopts the hierarchical address structure to quicken route search and reduce the system resources occupied by the IPv6 routing table by means of route aggregation.

■ Automatic address configuration—To simplify the host configuration, IPv6 supports stateful address configuration and stateless address configuration. Stateful address configuration means that a host acquires an IPv6 address and related information from a server (for example, a DHCP server). Stateless address configuration means that the host automatically configures an IPv6 address and related information based on its own link-layer address and the prefix information issued by the router. In addition, a host can generate a link-local address based on its own link-layer address and the default prefix (FE80::/64) to communicate with other hosts on the link.

■ Built-in security—IPv6 uses IPSec as its standard extension header to provide end-to-end security. This feature provides a standard for network security solutions and improves the interoperability between different IPv6 applications.

■ Support for QoS—The Flow Label field in the IPv6 header allows the device to label packets in a flow and provide special handling for these packets.

■ Enhanced neighbor discovery mechanism—The IPv6 neighbor discovery protocol is a group of Internet control message protocol version 6 (ICMPv6) messages that manages the interaction between neighbor nodes (nodes on the same link). This group of ICMPv6 messages takes the place of address resolution protocol (ARP), Internet control message protocol version 4 (ICMPv4), and ICMPv4 redirection messages, and provides a series of other functions.

■ Flexible extension headers—IPv6 removes the Options field of IPv4 packets and introduces multiple extension headers instead. In this way, IPv6 greatly enhances flexibility and provides scalability for IP while improving the processing efficiency. The Options field in IPv4 packets can hold only 40 bytes, while the size of IPv6 extension headers is restricted only by that of IPv6 packets.

Introduction to IPv6 Address

IPv6 address format

An IPv6 address is represented as a series of 16-bit hexadecimal groups separated by colons. An IPv6 address is divided into eight groups; the 16 bits of each group are represented by four hexadecimal digits, and the groups are separated by colons, for example, 2001:0000:130F:0000:0000:09C0:876A:130B.

To simplify the representation of IPv6 addresses, zeros in IPv6 addresses can be handled as follows:

■ Leading zeros in each group can be removed. For example, the above-mentioned address can be represented in shorter format as 2001:0:130F:0:0:9C0:876A:130B.

■ If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by the double-colon :: option. For example, the above-mentioned address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.

Caution: The double-colon :: can be used only once in an IPv6 address. Otherwise, the device is unable to determine how many zeros the double-colon represents when expanding it to restore the IPv6 address to its 128-bit form.

An IPv6 address consists of two parts: address prefix and interface ID. The address prefix and the interface ID are respectively equivalent to the network ID and the host ID in an IPv4 address.

An IPv6 address prefix is written in IPv6-address/prefix-length notation, where IPv6-address is an IPv6 address in any of the notations above and prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address form the address prefix.


IPv6 address classification

The type of an IPv6 address is designated by the first several bits called format prefix. Table 160 lists the mapping between major address types and format prefixes.

IPv6 addresses mainly fall into three types: unicast address, multicast address and anycast address.

■ Unicast address: An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.

■ Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.

■ Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the nearest one, according to the routing protocols' measure of distance).

There are no broadcast addresses in IPv6. Their function is superseded by multicast addresses.

Unicast address

There are several forms of unicast address assignment in IPv6, including aggregatable global unicast address, link-local address, and site-local address.

■ The aggregatable global unicast address, equivalent to an IPv4 public address, is used for aggregatable links and provided for network service providers. The structure of such a type of address allows efficient routing aggregation to restrict the number of global routing entries.

■ The link-local address is used for communication between link-local nodes in neighbor discovery and stateless autoconfiguration. Routers must not forward any packets with link-local source or destination addresses to other links.

■ IPv6 unicast site-local addresses are similar to private IPv4 addresses. Routers must not forward any packets with site-local source or destination addresses outside of the site (equivalent to a private network).

■ Loopback address: The unicast address 0:0:0:0:0:0:0:1 (represented in shorter format as ::1) is called the loopback address and may never be assigned to any physical interface. Like the loopback address in IPv4, it may be used by a node to send an IPv6 packet to itself.

■ Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address.

Table 160 Mapping between address types and format prefixes

Type Format prefix (binary) IPv6 prefix ID

Unicast address

Unassigned address 00...0 (128 bits) ::/128

Loopback address 00...1 (128 bits) ::1/128

Link-local address 1111111010 FE80::/10

Site-local address 1111111011 FEC0::/10

Global unicast address other forms -

Multicast address 11111111 FF00::/8

Anycast address Anycast addresses are taken from the unicast address space and are not syntactically distinguishable from unicast addresses.

Multicast address

Multicast addresses listed in Table 161 are reserved for special purposes.

Besides, there is another type of multicast address: the solicited-node address. The solicited-node multicast address is used to acquire the link-layer addresses of neighbor nodes on the same link and is also used for duplicate address detection. Each IPv6 unicast or anycast address has one corresponding solicited-node address. The format of a solicited-node multicast address is as follows:

FF02:0:0:0:0:1:FFXX:XXXX

Where, FF02:0:0:0:0:1:FF is permanent and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 address.

Interface identifier in IEEE EUI-64 format

Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and are required to be unique on that link. Interface identifiers in IPv6 unicast addresses are currently required to be 64 bits long. An interface identifier is derived from the link-layer address of that interface. Interface identifiers in IPv6 addresses are 64 bits long, while MAC addresses are 48 bits long. Therefore, the hexadecimal number FFFE needs to be inserted in the middle of the MAC address (behind the 24 high-order bits). To ensure that the interface identifier obtained from a MAC address is unique, it is necessary to set the universal/local (U/L) bit (the seventh high-order bit) to "1". Thus, an interface identifier in EUI-64 format is obtained.

Table 161 Reserved IPv6 multicast addresses

Address Application

FF01::1 Node-local scope all-nodes multicast address

FF02::1 Link-local scope all-nodes multicast address

FF01::2 Node-local scope all-routers multicast address

FF02::2 Link-local scope all-routers multicast address

FF05::2 Site-local scope all-routers multicast address
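Both derivations described above, the solicited-node multicast address and the EUI-64 interface identifier, as an added Python example (not the guide's code). The MAC address 0012-3400-ABCD is the one Figure 66 uses; the page says to set the U/L bit, which the code does, and a comment notes where RFC 4291 differs. The function names are my own.

```python
import ipaddress
import re

# Added example (not code from the guide): the two address derivations this
# section describes, the EUI-64 interface identifier from a MAC address and
# the solicited-node multicast address of a unicast address.

def mac_to_eui64(mac):
    """Derive the 64-bit interface identifier from a 48-bit MAC address as the
    page describes: insert FFFE after the upper 24 bits, then set the U/L bit
    (bit 7 from the high end of the first byte, mask 0x02) to 1.
    Note: RFC 4291 specifies inverting that bit rather than setting it; the
    two agree for the usual case of a MAC whose U/L bit is 0, as in Figure 66."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)   # accept 0012-3400-ABCD or 00:12:34:00:AB:CD
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address: %s" % mac)
    octets = bytes.fromhex(digits)
    eui = bytearray(octets[:3] + b"\xFF\xFE" + octets[3:])
    eui[0] |= 0x02
    return ":".join("%02X%02X" % (eui[i], eui[i + 1]) for i in range(0, 8, 2))

def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 identifier, which is what the
    EUI-64 form of address configuration described in this chapter does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 address needs a /64 prefix, got /%d" % net.prefixlen)
    iid = int(mac_to_eui64(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("FF02::1:FF00:0"))

def solicited_node(addr):
    """FF02:0:0:0:0:1:FFXX:XXXX, where XX:XXXX are the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))

if __name__ == "__main__":
    mac = "0012-3400-ABCD"                      # the MAC used in Figure 66
    print(mac_to_eui64(mac))                    # 0212:34FF:FE00:ABCD
    link_local = eui64_address("FE80::/64", mac)
    print(link_local, "->", solicited_node(link_local))
```

Python's `ipaddress` prints addresses in lowercase shortest form, so the link-local address comes out as `fe80::212:34ff:fe00:abcd` and its solicited-node group as `ff02::1:ff00:abcd`.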


Figure 66 Convert a MAC address into an EUI-64 address

Introduction to IPv6 Neighbor Discovery Protocol

The IPv6 neighbor discovery protocol (NDP) uses five types of ICMPv6 messages to implement the following functions:

■ Address resolution

■ Neighbor unreachability detection

■ Duplicate address detection

■ Router/prefix discovery and address autoconfiguration

■ Redirection

Table 162 lists the types and functions of ICMPv6 messages used by the NDP.

Figure 66 contents, converting the MAC address 0012-3400-ABCD:

MAC address: 0012-3400-ABCD

Represented in binary: 00000000 00010010 00110100 00000000 10101011 11001101

Insert FFFE: 00000000 00010010 00110100 11111111 11111110 00000000 10101011 11001101

Set U/L bit: 00000010 00010010 00110100 11111111 11111110 00000000 10101011 11001101

EUI-64 address: 0212:34FF:FE00:ABCD

Table 162 Types and functions of ICMPv6 messages

ICMPv6 message Function

Neighbor solicitation (NS) message Used to acquire the link-layer address of a neighbor

Used to verify whether the neighbor is reachable

Used to perform a duplicate address detection

Neighbor advertisement (NA) message Used to respond to a neighbor solicitation message

When the link layer changes, the local node initiates a neighbor advertisement message to notify neighbor nodes of the node information change.

Router solicitation (RS) message After startup, a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration.

Router advertisement (RA) message Used to respond to a router solicitation message

With RA message suppression disabled, the router regularly sends a router advertisement message containing information such as the address prefix and flag bits

Redirect message When a certain condition is satisfied, the default gateway sends a redirect message to the source host so that the host can reselect a correct next hop router to forward packets.

The NDP mainly provides the following functions:

Address resolution

Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 67 shows how node A acquires the link-layer address of node B.

Figure 67 Address resolution

(Figure 67 messages: A sends NS, ICMP Type = 135, Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A; B replies with NA, ICMP Type = 136, Src = B, Dst = A, Data = link-layer address of B.)

The address resolution procedure is as follows:

1 Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the interface of node A and the destination address is the solicited-node multicast address of node B. The NS message contains the link-layer address of node A.

2 After receiving the NS message, node B judges whether the destination address of the packet is the solicited-node multicast address corresponding to its own IPv6 address. If yes, node B returns an NA message containing the link-layer address of node B.

3 Node A acquires the link-layer address of node B from the NA message. After that, node A and node B can communicate.


Neighbor unreachability detection

After node A acquires the link-layer address of its neighbor node B, node A can verify whether node B is reachable according to NS and NA messages.

1 Node A sends an NS message whose destination address is the IPv6 address of node B.

2 If node A receives an NA message from node B, node A considers that node B is reachable. Otherwise, node B is unreachable.

Duplicate address detection

After node A acquires an IPv6 address, it should perform duplicate address detection to determine whether the address is being used by other nodes (similar to the gratuitous ARP function). Duplicate address detection is accomplished through NS and NA messages. Figure 68 shows the duplicate address detection procedure.

Figure 68 Duplicate address detection

(Figure 68 messages: A sends NS, ICMP Type = 135, Src = ::, Dst = FF02::1:FF00:1, Data = 2000::1; B replies with NA, ICMP Type = 136, Src = 2000::1, Dst = FF02::1, Target Address = 2000::1.)

The duplicate address detection procedure is as follows:

1 Node A sends an NS message whose source address is the unassigned address :: and whose destination address is the solicited-node multicast address corresponding to the IPv6 address to be detected. The NS message contains the IPv6 address.

2 If node B uses this IPv6 address, node B returns an NA message. The NA message contains the IPv6 address of node B.

3 Node A learns that the IPv6 address is being used by node B after receiving the NA message from node B. Otherwise, node B is not using the IPv6 address and node A can use it.

Router/prefix discovery and address autoconfiguration

Router/prefix discovery means that a host acquires the neighbor router, the prefix of the network where the router is located, and other configuration parameters from the received RA message.

Stateless address autoconfiguration means that a host automatically configures an IPv6 address according to the information obtained through router/prefix discovery.
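An added simulation of the address resolution and duplicate address detection exchanges (Figures 67 and 68), written from the procedures above; it is example code, not the switch's NDP implementation. The node names, link-layer addresses and the 2000::a address of node A are constructed; 2000::1 for node B is the address Figure 68 uses.

```python
import ipaddress

# Added simulation of the NS/NA exchanges of Figures 67 and 68 (address
# resolution and duplicate address detection). Node behaviour follows the
# procedures on this page; it is example code, not the switch's NDP stack.
# Messages are dicts carrying the fields the figures show; 135 = NS, 136 = NA.

ALL_NODES = "ff02::1"

def solicited_node(addr):
    """FF02::1:FFXX:XXXX built from the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))

def canon(addr):
    return str(ipaddress.IPv6Address(addr))

class Node:
    def __init__(self, name, link_addr, ipv6=None):
        self.name, self.link_addr = name, link_addr
        self.addresses = {canon(ipv6)} if ipv6 else set()
        self.neighbors = {}      # IPv6 address -> link-layer address (neighbor cache)

    def listens_to(self, dst):
        """A node receives its own unicast addresses, the all-nodes group and
        the solicited-node group of every address it has configured."""
        return dst in self.addresses or dst == ALL_NODES or \
            dst in {solicited_node(a) for a in self.addresses}

    def receive(self, msg):
        """Answer an NS whose target is one of our addresses with an NA."""
        if msg["type"] != 135 or msg["target"] not in self.addresses:
            return None
        if msg["src"] == "::":
            # DAD probe (Figure 68): the prober has no address yet, so the
            # defending NA goes to the all-nodes group, as the figure shows.
            return {"type": 136, "src": msg["target"], "dst": ALL_NODES,
                    "target": msg["target"], "lladdr": self.link_addr}
        self.neighbors[msg["src"]] = msg["lladdr"]   # the NS carried A's link-layer address
        return {"type": 136, "src": msg["target"], "dst": msg["src"],
                "target": msg["target"], "lladdr": self.link_addr}

class Link:
    def __init__(self, *nodes):
        self.nodes = nodes

    def deliver(self, msg, sender):
        """Multicast delivery: every other node listening on msg['dst'] gets
        the message; the replies are collected for the sender."""
        replies = []
        for node in self.nodes:
            if node is not sender and node.listens_to(msg["dst"]):
                reply = node.receive(msg)
                if reply is not None:
                    replies.append(reply)
        return replies

def resolve(link, a, target):
    """Figure 67: A multicasts an NS to B's solicited-node address and learns
    B's link-layer address from the NA. Returns that address or None."""
    target = canon(target)
    ns = {"type": 135, "src": next(iter(a.addresses)), "dst": solicited_node(target),
          "target": target, "lladdr": a.link_addr}
    for na in link.deliver(ns, a):
        a.neighbors[na["target"]] = na["lladdr"]
    return a.neighbors.get(target)

def dad_free(link, a, candidate):
    """Figure 68: A probes with source '::'. Any NA for the target means the
    address is in use, so A must not configure it."""
    target = canon(candidate)
    ns = {"type": 135, "src": "::", "dst": solicited_node(target),
          "target": target, "lladdr": a.link_addr}
    return len(link.deliver(ns, a)) == 0

if __name__ == "__main__":
    a = Node("A", "00-12-34-00-00-0A", "2000::A")
    b = Node("B", "00-12-34-00-AB-CD", "2000::1")
    link = Link(a, b)
    print("A resolved B:", resolve(link, a, "2000::1"))
    print("2000::1 free:", dad_free(link, a, "2000::1"))
    print("2000::2 free:", dad_free(link, a, "2000::2"))
```

Note that B learns A's link-layer address from the NS itself (step 1 says the NS carries it), so after one exchange both neighbor caches are filled, and that a DAD probe for an address nobody holds simply gets no reply, which is what lets A use it.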


The router/prefix discovery and address autoconfiguration are implemented through RS and RA messages. The router/prefix discovery and address autoconfiguration procedure is as follows:

1 After startup, a host sends an RS message to request the router for the address prefix and other configuration information for the purpose of autoconfiguration.

2 The router returns an RA message containing information such as address prefix and flag bits. (The router also regularly sends an RA message.)

3 The host automatically configures an IPv6 address and other information for its interface according to the address prefix and other configuration parameters in the RA message.

Redirection

When a host is started, its routing table may contain only the default route to the gateway. When certain conditions are satisfied, the gateway sends an ICMPv6 redirect message to the source host so that the host can select a better next hop router to forward packets (similar to the ICMP redirection function in IPv4).

The gateway will send an IPv6 ICMP redirect message when the following conditions are satisfied:

■ The receiving interface and the forwarding interface are the same.

■ The selected route itself is not created or modified by an IPv6 ICMP redirect message.

■ The selected route is not the default route.

■ The forwarded IPv6 packet does not contain any extension header carrying the routing information of intermediate nodes on the forwarding path.

IPv6 PMTU Discovery

The links that a packet passes from the source to the destination may have different MTUs. In IPv6, when the packet size exceeds the MTU of a link, the packet is fragmented at the source so as to reduce the processing pressure on the forwarding devices and utilize network resources rationally.

The path MTU (PMTU) discovery mechanism is to find the minimum MTU on the path from the source to the destination. Figure 69 shows the working procedure of the PMTU discovery.

Figure 69 Working procedure of the PMTU discovery

(Figure 69 contents: links with MTU=1500, MTU=1500, MTU=1350 and MTU=1400 along the path; the source sends a packet with MTU=1500, receives an ICMP error "packet too big; use MTU=1350", resends with MTU=1350, and the packet is received.)


The working procedure of the PMTU discovery is as follows:

1 The source host uses its MTU to fragment packets and then sends them to the destination host.

2 If the MTU supported by the packet forwarding interface is less than the size of a packet, the forwarding device will discard the packet and return an ICMPv6 error packet containing the interface MTU to the source host.

3 After receiving the ICMPv6 error packet, the source host uses the returned MTU to fragment the packet again and then sends it.

4 Steps 2 and 3 are repeated until the destination host receives the packet. In this way, the minimum MTU on the path from the source host to the destination host is determined.
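The procedure above as an added Python simulation (not the switch's code). The link MTUs 1500, 1500, 1350 and 1400 are those of Figure 69; the 1280-byte floor is the IPv6 minimum link MTU from RFC 2460, which the page does not mention, added as the check a source host applies to whatever MTU a "packet too big" error reports.

```python
# Added simulation of the PMTU discovery procedure above (example code, not
# the switch's own implementation). path_mtus are the link MTUs from source
# to destination in order; the source starts by fragmenting to its own MTU.

IPV6_MIN_MTU = 1280   # the minimum link MTU every IPv6 link must support (RFC 2460)

def pmtu_discovery(path_mtus, source_mtu):
    """Return (path MTU finally used, trace). Each round the source sends a
    packet of the current size; the first link whose MTU is smaller drops it
    and reports its MTU in an ICMPv6 'packet too big' error, and the source
    refragments to that size (steps 1 to 4 of the procedure). The source
    never goes below the IPv6 minimum MTU, whatever value is reported; if
    even that size is blocked the packet cannot be delivered."""
    size = source_mtu
    trace = []
    for _ in range(len(path_mtus) + 2):   # every round lowers size or returns, so this is a safe bound
        trace.append(("send", size))
        too_small = next((mtu for mtu in path_mtus if mtu < size), None)
        if too_small is None:
            trace.append(("received", size))
            return size, trace
        trace.append(("packet-too-big", too_small))
        if too_small >= IPV6_MIN_MTU:
            size = too_small
        elif size > IPV6_MIN_MTU:
            size = IPV6_MIN_MTU
        else:
            trace.append(("undeliverable", size))
            return None, trace
    return None, trace

def sends(trace):
    """Packet sizes the source tried, in order."""
    return [size for event, size in trace if event == "send"]

if __name__ == "__main__":
    final, trace = pmtu_discovery([1500, 1500, 1350, 1400], 1500)   # Figure 69
    print(final, sends(trace))                                       # 1350 [1500, 1350]
    print(pmtu_discovery([1500, 1400, 1350], 1500)[0])               # two rounds of shrinking
```

The second path shows why step 4 says the procedure repeats: each "packet too big" only reveals the MTU of the first link that could not carry the current size, so a path whose MTUs shrink hop by hop takes one round per narrower link.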

Introduction to IPv6 DNS

In the IPv6 network, a domain name system (DNS) supporting IPv6 converts domain names into IPv6 addresses. Different from an IPv4 DNS, an IPv6 DNS converts domain names into IPv6 addresses instead of IPv4 addresses.

However, just like an IPv4 DNS, an IPv6 DNS also covers static domain name resolution and dynamic domain name resolution. The function and implementation of these two types of domain name resolution are the same as those of an IPv4 DNS. For details, refer to the DNS module.

Usually, a DNS server connecting IPv4 and IPv6 networks contains not only A records (IPv4 addresses) but also AAAA records (IPv6 addresses). The DNS server can convert domain names into IPv4 addresses or IPv6 addresses. In this way, the DNS server has the functions of both an IPv6 DNS and an IPv4 DNS.

Protocol Specifications

Protocol specifications related to IPv6 include:

■ RFC 1881: IPv6 Address Allocation Management

■ RFC 1887: An Architecture for IPv6 Unicast Address Allocation

■ RFC 1981: Path MTU Discovery for IP version 6

■ RFC 2375: IPv6 Multicast Address Assignments

■ RFC 2460: Internet Protocol, Version 6 (IPv6) Specification

■ RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)

■ RFC 2462: IPv6 Stateless Address Autoconfiguration

■ RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification

■ RFC 2464: Transmission of IPv6 Packets over Ethernet Networks

■ RFC 2526: Reserved IPv6 Subnet Anycast Addresses

■ RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses

■ RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture

■ RFC 3596: DNS Extensions to Support IP Version 6


Configuring Basic IPv6 Functions

Configuring the IPv6 Packet Forwarding Function

Before making IPv6-related configurations, you must enable the IPv6 packet forwarding function for an interface. Otherwise, the interface cannot forward IPv6 packets even if an IPv6 address is configured, resulting in interworking failures in the IPv6 network.

Follow the steps in Table 163 to configure the IPv6 packet forwarding function.

Configuring an IPv6 Unicast Address

IPv6 site-local addresses and aggregatable global unicast addresses can be configured in either of the following ways:

■ EUI-64 format: When the EUI-64 format is adopted to form IPv6 addresses, the IPv6 address prefix of an interface is the configured prefix and the interface identifier is derived from the link-layer address of the interface.

■ Manual configuration: IPv6 site-local addresses or aggregatable global unicast addresses are configured manually.

IPv6 link-local addresses can be acquired in either of the following ways:

■ Automatic generation: The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/64) and the link-layer address of the interface.

■ Manual assignment: IPv6 link-local addresses can be assigned manually.

■ After an IPv6 site-local address or aggregatable global unicast address is configured for an interface, a link-local address is generated automatically. The automatically generated link-local address is the same as the one generated by the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface, the manually assigned link-local address takes effect. If the manually assigned link-local address is deleted, the automatically generated link-local address takes effect.

■ Manual assignment takes precedence over automatic generation. That is, if you first adopt automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one. If you first adopt manual assignment and then automatic generation, the automatically generated link-local address does not take effect and the link-local address of the interface is still the manually assigned one. You must delete the manually assigned link-local address before adopting automatic generation.

■ You must issue the ipv6 address auto link-local command before you issue the undo ipv6 address auto link-local command. However, if an IPv6 site-local address or aggregatable global unicast address is already configured for an interface, the interface still has a link-local address, because the system automatically generates one for the interface. If no IPv6 site-local address or aggregatable global unicast address is configured, the interface has no link-local address.

Table 163 Configuring the IPv6 packet forwarding function

To...                                        Use the command...   Remarks
Enter system view                            system-view          -
Enable the IPv6 packet forwarding function   ipv6                 Required. Disabled by default.


Follow the steps in Table 164 to configure an IPv6 link-local address:

Only one aggregatable global unicast address or site-local address can be configured on an interface at a time.
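The EUI-64 address formation and the automatically generated link-local address described above, as an added Python example (this is not code from the guide or from the switch software): it derives the interface identifier from a MAC address the way RFC 2464 specifies, computes the solicited-node multicast group that an interface joins for each of its unicast addresses, and shows the privacy cost of EUI-64 addresses, namely that the MAC address can be read straight back out of the address. The MAC address 00-11-22-33-44-55 is a constructed sample; the solicited-node function reproduces the "Joined group address(es)" lines shown in the verification output of the configuration example later in this chapter.

```python
import ipaddress
from typing import Optional

# FF02::1:FF00:0/104 plus the low-order 24 bits of a unicast address (RFC 3513)
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> bytes:
    """Derive the 64-bit interface identifier from a 48-bit MAC address (RFC 2464):
    split the MAC in the middle, insert 0xFFFE, and invert the universal/local bit
    (0x02) of the first octet."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address such as 00-11-22-33-44-55")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form the address that 'ipv6 address prefix/length eui-64' would assign: the
    configured prefix (at most 64 bits, as the guide requires) followed by the
    EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("the prefix length cannot be greater than 64")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def auto_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address formed from the FE80::/64 prefix and the link-layer address."""
    return eui64_address("fe80::/64", mac)


def solicited_node_group(address: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for a unicast address. NS messages for duplicate
    address detection and address resolution are sent to this group, which is why it
    appears under 'Joined group address(es)' for every configured address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def embedded_mac(address: str) -> Optional[str]:
    """Recover the MAC address embedded in an EUI-64 interface identifier, or None when
    the identifier was not formed that way. An EUI-64 address therefore reveals the
    hardware identity of the host to every peer it talks to, whatever prefix it uses."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    sample_mac = "00-11-22-33-44-55"  # constructed sample, not a real device
    global_addr = eui64_address("3001::/64", sample_mac)
    print("EUI-64 global address :", global_addr)
    print("auto link-local       :", auto_link_local(sample_mac))
    print("solicited-node group  :", solicited_node_group(str(global_addr)))
    print("MAC read back         :", embedded_mac(str(global_addr)))
```

The link-local address FE80::7D6C:0:5C0C:1 shown in the configuration example was not formed from a MAC address in EUI-64 style (the FFFE marker is absent), so embedded_mac() returns None for it, while its solicited-node group FF02::1:FF0C:1 is computed exactly as the switch displays it.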

Configuring IPv6 NDP

Configuring a Static Neighbor Entry

The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically through NS and NA messages or statically through manual configuration.

The device uniquely identifies a static neighbor entry according to the IPv6 address and the layer 3 interface ID.

Configure the corresponding IPv6 address and link-layer address for a layer 3 interface.

Follow the steps in Table 165 to configure a static neighbor entry.

Table 164 Configuring an IPv6 link-local address

To...                                                     Use the command...                                                            Remarks
Enter system view                                         system-view                                                                   -
Enter interface view                                      interface interface-type interface-number                                     -
Configure an IPv6 aggregatable global unicast address or site-local address (use either of the following):
  Manually assign an IPv6 address                         ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }      Alternative. By default, no site-local address or aggregatable global unicast address is configured for an interface. Note that the prefix length specified by the prefix-length argument cannot be greater than 64.
  Adopt the EUI-64 format to form an IPv6 address         ipv6 address ipv6-address/prefix-length eui-64
Configure an IPv6 link-local address (use either of the following):
  Automatically generate a link-local address             ipv6 address auto link-local                                                  Optional. By default, after an IPv6 site-local address or aggregatable global unicast address is configured for an interface, a link-local address is generated automatically.
  Manually assign a link-local address for an interface   ipv6 address ipv6-address link-local

Table 165 Configuring a static neighbor entry

To...                               Use the command...                                                                                                    Remarks
Enter system view                   system-view                                                                                                           -
Configure a static neighbor entry   ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }   Required


Configuring the Maximum Number of Neighbors Dynamically Learned

The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages. Too large a neighbor table populated by dynamically acquired entries may degrade the forwarding performance of the device. Therefore, you can restrict the size of the neighbor table by setting the maximum number of neighbors that an interface can dynamically learn. When the number of dynamically learned neighbors reaches the threshold, the interface stops learning neighbor information.

Follow the steps in Table 166 to configure the maximum number of neighbors dynamically learned.

Configuring Parameters Related to an RA Message

You can configure whether the interface sends RA messages, the interval for sending RA messages, and the parameters carried in RA messages. After receiving an RA message, a host uses these parameters to perform the corresponding operations. Table 167 lists the configurable parameters in an RA message and their descriptions.

Table 166 Configuring the maximum number of neighbors dynamically learned

To...                                                                           Use the command...                            Remarks
Enter system view                                                               system-view                                   -
Enter interface view                                                            interface interface-type interface-number     -
Configure the maximum number of neighbors dynamically learned by an interface   ipv6 neighbors max-learning-num number        Optional. The default value is 1024.

Table 167 Parameters in an RA message and their descriptions

Parameters                   Description
Cur hop limit                When sending an IPv6 packet, a host uses the value of this parameter to fill the Hop Limit field in IPv6 headers. Meanwhile, the value of this parameter is equal to the value of the Cur Hop Limit field in response messages of the device.
Prefix information options   After receiving the prefix information, the hosts on the same link can perform stateless autoconfiguration operations.
M flag                       This field determines whether hosts use stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use stateful autoconfiguration to acquire IPv6 addresses. Otherwise, hosts use stateless autoconfiguration to acquire IPv6 addresses, that is, hosts configure IPv6 addresses according to their own link-layer addresses and the prefix information issued by the router.
O flag                       This field determines whether hosts use stateful autoconfiguration to acquire information other than IPv6 addresses. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, a DHCP server) to acquire information other than IPv6 addresses. Otherwise, hosts use stateless autoconfiguration to acquire information other than IPv6 addresses.


The values of the retrans timer field and the reachable time field configured for an interface are sent to hosts via RA messages. Furthermore, the interface sends NS messages at intervals of the value of the retrans timer field and considers a neighbor reachable in the time of the value of the reachable time field.

Follow the steps in Table 168 to configure parameters related to an RA message:

Table 167 Parameters in an RA message and their descriptions (continued)

Parameters        Description
Router lifetime   This field sets the lifetime during which the router that sends RA messages serves as the default router of hosts. According to the router lifetime in the received RA messages, hosts determine whether the router sending RA messages can serve as their default router.
Retrans timer     If a node fails to receive a response message within the specified time after sending an NS message, the node retransmits it.
Reachable time    After neighbor unreachability detection shows that a neighbor is reachable, a node considers the neighbor reachable for the reachable time. If the node needs to send a packet to the neighbor after the reachable time expires, the node again confirms whether the neighbor is reachable.

Table 168 Configuring parameters related to an RA message

To...                                                     Use the command...                                                                                                                                   Remarks
Enter system view                                         system-view                                                                                                                                          -
Configure the current hop limit                           ipv6 nd hop-limit value                                                                                                                              Optional. 64 by default.
Enter interface view                                      interface interface-type interface-number                                                                                                            -
Disable the RA message suppression                        undo ipv6 nd ra halt                                                                                                                                 Optional. By default, RA messages are suppressed.
Configure the interval for sending RA messages            ipv6 nd ra interval max-interval-value min-interval-value                                                                                            Optional. The device issues RA messages at intervals of a random value between the maximum interval and the minimum interval. By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds.
Configure the prefix information options in RA messages   ipv6 nd ra prefix { ipv6-address prefix-length | ipv6-address/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ]*      Optional. By default, no prefix information is configured in RA messages and the IPv6 address of the interface sending RA messages is used as the prefix information.
Set the M flag to 1                                       ipv6 nd autoconfig managed-address-flag                                                                                                              Optional. By default, the M flag bit is set to 0, that is, hosts acquire IPv6 addresses through stateless autoconfiguration.



Caution: The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages.
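A decoder for the RA fields listed in Table 167 and set by the commands in Table 168, added here as a Python example (it is not code from the guide or from the switch software). The builder constructs a sample message with the defaults from Table 168 (Cur Hop Limit 64, M and O flags 0, router lifetime 1,800 seconds, Reachable Time and Retrans Timer fields 0) and leaves the ICMPv6 checksum at zero; the no-autoconfig and off-link keywords of the ipv6 nd ra prefix command correspond to clearing the A and L bits of the prefix information option. The last function is the caution above on the RA interval, written as a check. Field layout follows RFC 2461.

```python
import struct
import ipaddress

ND_ROUTER_ADVERTISEMENT = 134      # ICMPv6 type of a Router Advertisement (RFC 2461)
OPTION_PREFIX_INFORMATION = 3      # ND option type of the prefix information option
# type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
RA_HEADER = ">BBHBBHII"
# prefix length, flags, valid lifetime, preferred lifetime, reserved, prefix
PREFIX_OPTION_BODY = ">BBIII16s"


def build_router_advertisement(cur_hop_limit=64, managed=False, other=False,
                               router_lifetime=1800, reachable_time=0, retrans_timer=0,
                               prefixes=()):
    """Construct an RA for testing (constructed sample; checksum left at 0 because it is
    computed over the IPv6 pseudo-header by the sender). Each prefix is a tuple
    (prefix, valid_lifetime, preferred_lifetime, on_link, autonomous)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)   # M flag = bit 7, O flag = bit 6
    msg = struct.pack(RA_HEADER, ND_ROUTER_ADVERTISEMENT, 0, 0, cur_hop_limit, flags,
                      router_lifetime, reachable_time, retrans_timer)
    for prefix, valid, preferred, on_link, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)   # L flag, A flag
        msg += struct.pack(">BB", OPTION_PREFIX_INFORMATION, 4)          # length in 8-octet units
        msg += struct.pack(PREFIX_OPTION_BODY, net.prefixlen, pflags, valid, preferred, 0,
                           net.network_address.packed)
    return msg


def parse_router_advertisement(msg):
    """Decode the fields a host acts on (Table 167) plus the prefix information options."""
    if len(msg) < struct.calcsize(RA_HEADER):
        raise ValueError("RA shorter than its fixed header")
    (icmp_type, code, _checksum, cur_hop_limit, flags,
     router_lifetime, reachable_time, retrans_timer) = struct.unpack(RA_HEADER, msg[:16])
    if icmp_type != ND_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "cur_hop_limit": cur_hop_limit,
        "managed_address_flag": bool(flags & 0x80),   # M: addresses via stateful autoconfiguration
        "other_flag": bool(flags & 0x40),             # O: other information via stateful autoconfiguration
        "router_lifetime": router_lifetime,           # seconds; 0 means "not a default router"
        "reachable_time": reachable_time,             # milliseconds; 0 means "unspecified"
        "retrans_timer": retrans_timer,               # milliseconds; 0 means "unspecified"
        "prefixes": [],
    }
    offset = 16
    while offset < len(msg):
        if offset + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[offset], msg[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")    # RFC 2461 requires discarding such packets
        end = offset + opt_len * 8
        if end > len(msg):
            raise ValueError("option runs past the end of the message")
        if opt_type == OPTION_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred, _reserved, prefix = struct.unpack(
                PREFIX_OPTION_BODY, msg[offset + 2:end])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((prefix, plen), strict=False)),
                "on_link": bool(pflags & 0x80),       # cleared by the off-link keyword
                "autonomous": bool(pflags & 0x40),    # cleared by the no-autoconfig keyword
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        offset = end   # options of other types are skipped by their length, as RFC 2461 requires
    return ra


def ra_interval_consistent(max_interval, router_lifetime):
    """The caution above: the maximum RA interval must not exceed the router lifetime,
    otherwise hosts may drop the router from their default router list between RAs."""
    return max_interval <= router_lifetime
```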

Configuring the Attempts to Send an NS Message for Duplicate Address Detection

The device sends a neighbor solicitation (NS) message for duplicate address detection. If the device does not receive a response within the specified time (set by the ipv6 nd ns retrans-timer value command), it sends another NS message. If the device still receives no response after the number of attempts to send an NS message reaches the configured maximum, it judges that the acquired address is available.

Follow the steps in Table 169 to configure the attempts to send an NS message for duplicate address detection:

Configuring PMTU Discovery

Configuring a Static PMTU for a Specified IPv6 Address

You can configure a static PMTU for a specified IPv6 address. When forwarding packets, an interface compares its own MTU with the static PMTU of the specified destination IPv6 address and uses the smaller one to fragment packets.

Table 168 Configuring parameters related to an RA message (continued)

To...                                           Use the command...                      Remarks
Set the O flag bit to 1                         ipv6 nd autoconfig other-flag           Optional. By default, the O flag bit is set to 0, that is, hosts acquire other information through stateless autoconfiguration.
Configure the router lifetime in RA messages    ipv6 nd ra router-lifetime value        Optional. 1,800 seconds by default.
Set the retrans timer                           ipv6 nd ns retrans-timer value          Optional. By default, the local interface sends NS messages at intervals of 1,000 milliseconds and the Retrans Timer field in RA messages sent by the local interface is equal to 0.
Set the reachable time                          ipv6 nd nud reachable-time value        Optional. By default, the neighbor reachable time on the local interface is 30,000 milliseconds and the Reachable Timer field in RA messages is 0.


Table 169 Configuring the attempts to send an NS message for duplicate address detection

To...                                                                          Use the command...                           Remarks
Enter system view                                                              system-view                                  -
Enter interface view                                                           interface interface-type interface-number    -
Configure the attempts to send an NS message for duplicate address detection   ipv6 nd dad attempts value                   Optional. 1 by default. When the value argument is set to 0, duplicate address detection is disabled.


Follow the steps in Table 170 to configure a static PMTU for a specified address:

Configuring the Aging Time for PMTU

After the MTU of the path from the source host to the destination host is dynamically determined, the source host uses this MTU to send subsequent packets to the destination host. After the aging time expires, the dynamically determined PMTU is deleted and the source host re-determines the MTU for sending packets according to the PMTU mechanism.

The aging time does not apply to static PMTUs.

Follow the steps in Table 171 to configure the aging time for PMTU:
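The discovery procedure of steps 1 to 4 under "IPv6 PMTU Discovery", together with the static and dynamic PMTU entries and their aging time configured in Tables 170 and 171, as one added Python example (not code from the guide or from the switch software). The path MTUs 1500, 1500, 1350 and 1400 are the values of Figure 69. The lower bound of 1280 bytes follows RFC 1981, listed under the protocol specifications above: a node never reduces its estimate below the IPv6 minimum link MTU and never raises it in response to a Packet Too Big message, so a forged or corrupted ICMPv6 error cannot drive the path MTU to an arbitrary value. The injectable clock and the PmtuCache class are assumptions of this example so that aging can be checked without waiting ten minutes.

```python
import time

IPV6_MIN_MTU = 1280   # minimum IPv6 link MTU; a PMTU estimate is never reduced below it (RFC 1981)


def first_link_too_small(path_mtus, packet_size):
    """Return the MTU of the first link along the path that cannot carry the packet
    (that link's forwarding device would return ICMPv6 Packet Too Big), or None."""
    for mtu in path_mtus:
        if packet_size > mtu:
            return mtu
    return None


def apply_packet_too_big(current_pmtu, reported_mtu):
    """Update a PMTU estimate from an ICMPv6 Packet Too Big message under the RFC 1981
    rules: never raise the estimate because of such a message, never go below 1280."""
    if reported_mtu >= current_pmtu:
        return current_pmtu
    return max(reported_mtu, IPV6_MIN_MTU)


def discover_pmtu(path_mtus, source_mtu):
    """Simulate steps 1 to 4: send at the current estimate, shrink it on each Packet Too
    Big, repeat until the packet is delivered. Returns (pmtu, MTUs reported by errors)."""
    pmtu = source_mtu
    reported = []
    while True:
        blocking_mtu = first_link_too_small(path_mtus, pmtu)
        if blocking_mtu is None:
            return pmtu, reported            # packet received: the path MTU is known
        reported.append(blocking_mtu)
        new_pmtu = apply_packet_too_big(pmtu, blocking_mtu)
        if new_pmtu == pmtu:
            return pmtu, reported            # cannot shrink further (already at 1280)
        pmtu = new_pmtu


class PmtuCache:
    """Per-destination PMTU table of a source host: static entries (ipv6 pathmtu) never
    age, dynamic entries expire after age_time seconds (ipv6 pathmtu age, 10 minutes by
    default) and are then rediscovered."""

    def __init__(self, age_time=600, clock=time.monotonic):
        self.age_time = age_time
        self.clock = clock
        self.static = {}      # destination -> pmtu
        self.dynamic = {}     # destination -> (pmtu, time learned)

    def set_static(self, destination, pmtu):
        self.static[destination] = pmtu

    def learn(self, destination, pmtu):
        self.dynamic[destination] = (pmtu, self.clock())

    def lookup(self, destination, interface_mtu):
        """MTU to fragment to: the smaller of the interface MTU and the known PMTU."""
        if destination in self.static:
            return min(self.static[destination], interface_mtu)
        entry = self.dynamic.get(destination)
        if entry is not None:
            pmtu, learned_at = entry
            if self.clock() - learned_at < self.age_time:
                return min(pmtu, interface_mtu)
            del self.dynamic[destination]    # aged out: rediscover on the next send
        return interface_mtu


if __name__ == "__main__":
    print(discover_pmtu([1500, 1500, 1350, 1400], 1500))   # path of Figure 69
```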

Configuring IPv6 TCP Properties

The IPv6 TCP properties you can configure include:

■ synwait timer: When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.

■ finwait timer: When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated. If FIN packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires.

■ Size of the IPv6 TCP buffer.

Follow the steps in Table 172 to configure IPv6 TCP properties:

Table 170 Configuring a static PMTU for a specified address

To...                                                 Use the command...                    Remarks
Enter system view                                     system-view                           -
Configure a static PMTU for a specified IPv6 address  ipv6 pathmtu ipv6-address [ value ]   Required. By default, no static PMTU is configured.

Table 171 Configuring the aging time for PMTU

To...                               Use the command...          Remarks
Enter system view                   system-view                 -
Configure the aging time for PMTU   ipv6 pathmtu age age-time   Optional. 10 minutes by default.

Table 172 Configuring IPv6 TCP properties

To...                Use the command...   Remarks
Enter system view    system-view          -


Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time

If too many IPv6 ICMP error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of IPv6 ICMP error packets sent within a specified time. Currently, the token bucket algorithm is adopted.

You can set the capacity of a token bucket, namely, the number of tokens in the bucket. In addition, you can set the update period of the token bucket, namely, the interval at which the number of tokens in the bucket is reset to the configured capacity. One token allows one IPv6 ICMP error packet to be sent. Each time an IPv6 ICMP error packet is sent, the number of tokens in the bucket decreases by 1. If the number of IPv6 ICMP error packets sent in succession exceeds the capacity of the token bucket, subsequent IPv6 ICMP error packets cannot be sent until the token bucket is updated and new tokens are added to it.

Follow the steps in Table 173 to configure the maximum number of IPv6 ICMP error packets sent within a specified time period:

Configuring IPv6 DNS

Configuring Static IPv6 DNS

You can establish a mapping between a host name and an IPv6 address through the following configuration. You can then use the host name directly in Telnet applications, and the system resolves the host name into an IPv6 address. Each host name can correspond to at most eight IPv6 addresses.

Table 172 Configuring IPv6 TCP properties (continued)

To...                                        Use the command...                      Remarks
Set the finwait timer of IPv6 TCP packets    tcp ipv6 timer fin-timeout wait-time    Optional. 675 seconds by default.
Set the synwait timer of IPv6 TCP packets    tcp ipv6 timer syn-timeout wait-time    Optional. 75 seconds by default.
Set the size of the IPv6 TCP buffer          tcp ipv6 window size                    Optional. 8 kB by default.


Table 173 Configuring the maximum number of IPv6 ICMP error packets sent within a specified time period

To...                                                                                                                        Use the command...                                             Remarks
Enter system view                                                                                                            system-view                                                    -
Configure the capacity of the token bucket controlling the number of IPv6 ICMP error packets sent within a specified time, as well as its update period   ipv6 icmp-error { bucket bucket-size | ratelimit interval }*   Optional. By default, the capacity of the token bucket is 10 and the update period is 100 milliseconds. That is, at most 10 IPv6 ICMP error packets can be sent within 100 milliseconds.
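The token bucket described above, as an added Python example (not code from the guide or from the switch software). The defaults are the ones in Table 173: 10 tokens, reset to capacity every 100 milliseconds, one token per ICMPv6 error packet. The clock is injected so the refill can be checked without waiting, and simulate_error_burst is a constructed driver rather than a switch function.

```python
import time


class Icmpv6ErrorLimiter:
    """Token bucket as the guide describes it: bucket_size tokens; every interval_ms the
    token count is reset to the configured capacity (not accumulated); each ICMPv6 error
    packet sent consumes one token; with no tokens left the error is suppressed."""

    def __init__(self, bucket_size=10, interval_ms=100, clock=time.monotonic):
        if bucket_size < 1 or interval_ms < 1:
            raise ValueError("bucket size and update period must be positive")
        self.capacity = bucket_size
        self.interval = interval_ms / 1000.0
        self.clock = clock
        self.tokens = bucket_size
        self.last_update = clock()
        self.sent = 0
        self.suppressed = 0

    def _update(self):
        now = self.clock()
        if now - self.last_update >= self.interval:
            self.tokens = self.capacity      # refill to capacity at each update period
            self.last_update = now

    def allow(self):
        """True if an ICMPv6 error packet may be sent now, False if it must be suppressed."""
        self._update()
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.suppressed += 1
        return False


def simulate_error_burst(limiter, count):
    """Feed count back-to-back error-generating packets through the limiter within one
    update period; returns (errors sent, errors suppressed)."""
    results = [limiter.allow() for _ in range(count)]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    limiter = Icmpv6ErrorLimiter()          # defaults of Table 173
    print(simulate_error_burst(limiter, 25))   # only the first 10 errors of the burst leave the device
```

The practical consequence of the default is visible in troubleshooting: a burst of packets that all need an ICMPv6 error (for example Destination Unreachable or Time Exceeded replies generated by this device) produces at most 10 replies per 100 ms, and the rest are silently dropped, so a missing reply is not always a sign of a lost packet.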


Follow the steps in Table 174 to configure a host name and the corresponding IPv6 address:

Configuring Dynamic IPv6 DNS

If you want to use the dynamic domain name function, use the following command to enable dynamic domain name resolution. In addition, you should configure a DNS server so that query request messages are sent to the correct server for resolution. The system supports at most six DNS servers.

You can configure a domain name suffix so that you only need to enter part of a domain name; the system automatically appends the preset suffix for address resolution. The system supports at most 10 domain name suffixes.

Follow the steps in Table 175 to configure dynamic IPv6 DNS:

The dns resolve and dns domain commands are the same as those of IPv4 DNS.

Displaying and Maintaining IPv6

Use the commands in Table 176 to display and maintain IPv6 information.

Table 174 Configuring a host name and the corresponding IPv6 address

To...                                                   Use the command...                  Remarks
Enter system view                                       system-view                         -
Configure a host name and the corresponding IPv6 address   ipv6 host hostname ipv6-address   Required

Table 175 Configuring dynamic IPv6 DNS

To...                                            Use the command...                                                  Remarks
Enter system view                                system-view                                                         -
Enable the dynamic domain name resolution function   dns resolve                                                     Required. Disabled by default.
Configure an IPv6 DNS server                     dns server ipv6 ipv6-address [ interface-type interface-number ]    Required
Configure the domain suffix                      dns domain domain-name                                              Required. By default, no domain name suffix is configured, that is, the domain name is resolved according to the input information.

Table 176 Displaying and maintaining IPv6 information

To...                                                     Use the command...                        Remarks
Display DNS domain name suffix information                display dns domain [ dynamic ]            Any view
Display IPv6 dynamic domain name cache information        display dns ipv6 dynamic-host             Any view
Display DNS server information                            display dns server [ dynamic ]            Any view
Display the FIB entries                                   display ipv6 fib [ ipv6-address ]         Any view
Display the mapping between host name and IPv6 address    display ipv6 host                         Any view


The display dns domain and display dns server commands are the same as those of the IPv4 DNS. For details about the commands, refer to DNS module.

IPv6 Configuration Example

Network requirements

Two switches are directly connected through two GigabitEthernet ports. The GigabitEthernet ports belong to VLAN 1. Different types of IPv6 addresses are configured for the VLAN 1 interface to verify the connectivity between the two switches. The aggregatable global unicast address of Switch A is 3001::1/64, and the aggregatable global unicast address of Switch B is 3001::2/64.

Table 176 Displaying and maintaining IPv6 information (continued)

To...                                                                              Use the command...                                                                                                                                     Remarks
Display the brief IPv6 information of an interface                                 display ipv6 interface [ interface-type interface-number | brief ]                                                                                     Any view
Display neighbor information                                                       display ipv6 neighbors [ ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id ] [ | { begin | exclude | include } text ]   Any view
Display the total number of neighbor entries satisfying the specified conditions   display ipv6 neighbors { all | dynamic | static | interface interface-type interface-number | vlan vlan-id } count                                      Any view
Display the PMTU information of an IPv6 address                                    display ipv6 pathmtu { ipv6-address | all | dynamic | static }                                                                                         Any view
Display information related to a specified socket                                  display ipv6 socket [ socktype socket-type ] [ task-id socket-id ]                                                                                     Any view
Display the statistics of IPv6 packets and IPv6 ICMP packets                       display ipv6 statistics                                                                                                                                Any view
Display the statistics of IPv6 TCP packets                                         display tcp ipv6 statistics                                                                                                                            Any view
Display the IPv6 TCP connection status                                             display tcp ipv6 status                                                                                                                                Any view
Display the statistics of IPv6 UDP packets                                         display udp ipv6 statistics                                                                                                                            Any view
Clear IPv6 dynamic domain name cache information                                   reset dns ipv6 dynamic-host                                                                                                                            In user view
Clear IPv6 neighbor information                                                    reset ipv6 neighbors [ all | dynamic | interface interface-type interface-number | static ]                                                            In user view
Clear the corresponding PMTU                                                       reset ipv6 pathmtu { all | static | dynamic }                                                                                                          In user view
Clear the statistics of IPv6 packets                                               reset ipv6 statistics                                                                                                                                  In user view
Clear the statistics of all IPv6 TCP packets                                       reset tcp ipv6 statistics                                                                                                                              In user view
Clear the statistics of all IPv6 UDP packets                                       reset udp ipv6 statistics                                                                                                                              In user view



Network diagram

Figure 70 Network diagram for IPv6 address configuration

[Figure: Switch A and Switch B connected directly, each through its VLAN 1 interface.]

Configuration procedure

1 Configure Switch A.

# Enable the IPv6 packet forwarding function on Switch A.

<SwitchA> system-view
[SwitchA] ipv6

# Configure an automatically generated link-local address for the VLAN 1 interface.

[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipv6 address auto link-local

# Configure an aggregatable global unicast address for the VLAN 1 interface.

[SwitchA-Vlan-interface1] ipv6 address 3001::1/64

2 Configure Switch B.

# Enable the IPv6 packet forwarding function.

<SwitchB> system-view
[SwitchB] ipv6

# Configure an automatically generated link-local address for the VLAN 1 interface.

[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipv6 address auto link-local

# Configure an aggregatable global unicast address for the VLAN 1 interface.

[SwitchB-Vlan-interface1] ipv6 address 3001::2/64

Verification

# Display the brief IPv6 information of an interface on Switch A.

<SwitchA> display ipv6 interface vlan-interface 1
Vlan-interface1 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::7D6C:0:5C0C:1
  Global unicast address(es):
    3001::1, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF0C:1
    FF02::1:FF00:1
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# Display the brief IPv6 information of the interface on Switch B.

<SwitchB> display ipv6 interface vlan-interface 1
Vlan-interface1 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::E525:0:F01D:1
  Global unicast address(es):
    3001::2, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::1:FF1D:1
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# On Switch A, ping the link-local address and the aggregatable global unicast address of Switch B. If the configurations are correct, both types of IPv6 address can be pinged.

Caution: When you ping the link-local address, you should use the "-i" parameter to specify the interface for a link-local address.

<SwitchA> ping ipv6 FE80::E525:0:F01D:1 -i vlan-interface 1
  PING FE80::E525:0:F01D:1 : 56 data bytes, press CTRL_C to break
    Reply from FE80::E525:0:F01D:1
    bytes=56 Sequence=1 hop limit=255 time = 80 ms
    Reply from FE80::E525:0:F01D:1
    bytes=56 Sequence=2 hop limit=255 time = 60 ms
    Reply from FE80::E525:0:F01D:1
    bytes=56 Sequence=3 hop limit=255 time = 60 ms
    Reply from FE80::E525:0:F01D:1
    bytes=56 Sequence=4 hop limit=255 time = 70 ms
    Reply from FE80::E525:0:F01D:1
    bytes=56 Sequence=5 hop limit=255 time = 60 ms

  --- FE80::E525:0:F01D:1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/66/80 ms

<SwitchA> ping ipv6 3001::2
  PING 3001::2 : 56 data bytes, press CTRL_C to break
    Reply from 3001::2
    bytes=56 Sequence=1 hop limit=255 time = 50 ms
    Reply from 3001::2
    bytes=56 Sequence=2 hop limit=255 time = 60 ms
    Reply from 3001::2
    bytes=56 Sequence=3 hop limit=255 time = 60 ms
    Reply from 3001::2
    bytes=56 Sequence=4 hop limit=255 time = 70 ms
    Reply from 3001::2
    bytes=56 Sequence=5 hop limit=255 time = 60 ms

  --- 3001::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 50/60/70 ms


24 CONFIGURING IPV6 APPLICATIONS

Introduction to IPv6 Application

IPv6 has come into wide use as the protocol has matured. Most IPv6 applications are the same as those of IPv4, including:

■ Ping

■ Traceroute

■ FTP

■ TFTP

■ Telnet

Ping IPv6

To ping IPv6, use the following command (which is available in any view):

ping ipv6 [ -a source-ipv6-address | -c echonum | -m interval | -s bytenum | -t timeout ]* { destination-ipv6-address | hostname } [ -i interface-type interface-number ]

Caution: You must specify the -i parameter when the destination address is a link local address or multicast address.

Traceroute IPv6

Traceroute IPv6 is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and to locate the point of failure.

Figure 71 Traceroute process

[Figure: routers RTA, RTB, RTC and RTD in sequence. The probe with Hop Limit = 1 draws a "TTL exceeded" reply from RTA, the probe with Hop Limit = 2 a "TTL exceeded" reply from RTB, and the probe with Hop Limit = n reaches RTD, which replies "UDP port unreachable".]

As Figure 71 shows, the traceroute process is as follows:

■ The source sends an IP datagram with a TTL of 1 (the UDP port number of the carried UDP packet is a port number that is not used by any application on the destination).



■ When the first device receiving the datagram reads the TTL as 1, it discards the packet and returns an ICMP timeout error message. Thus, the source learns the address of the first device on the route.

■ The source sends a datagram with a TTL of 2, and the second-hop device returns an ICMP timeout error message. The source thus learns the address of the second device on the route.

■ This process continues until the datagram reaches the destination host. As no application is using the UDP port, the destination returns a "port unreachable" ICMP error message.

■ The source receives the "port unreachable" ICMP error message and understands that the packet has reached the destination; it has thus determined the route of the packet from source to destination.

To traceroute IPv6, issue the following command (which is available in any view):

tracert ipv6 [ -f first-hop-limit | -m max-hop-limit | -p port-number | -q probenum | -w wait-time ]* { ipv6-address | hostname }
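The traceroute process of the bullets above, as an added Python simulation (not code from the guide or from the switch software). RTA to RTD are the router names of Figure 71; the first_hop_limit and max_hop_limit parameters mirror the -f and -m parameters of the tracert ipv6 command. The 'silent' set goes slightly beyond the description by showing what the source sees when a router on the path drops the probe without replying: no address for that hop, which traceroute prints as '*' after the -w wait time.

```python
def traceroute_ipv6(path, first_hop_limit=1, max_hop_limit=30, silent=frozenset()):
    """path: the forwarding devices in order, ending with the destination host.
    Each probe is a UDP datagram to a port no application listens on, sent with a
    Hop Limit of first_hop_limit, then one higher per round, up to max_hop_limit.
    Returns one (hop_limit, responder, reply) tuple per probe."""
    if not path:
        raise ValueError("path must contain at least the destination")
    if first_hop_limit < 1 or max_hop_limit < first_hop_limit:
        raise ValueError("bad hop limit range")
    routers, destination = path[:-1], path[-1]
    hops = []
    for hop_limit in range(first_hop_limit, max_hop_limit + 1):
        remaining = hop_limit
        expired_at = None
        for router in routers:
            remaining -= 1            # every forwarding device decrements the Hop Limit...
            if remaining == 0:        # ...and discards the datagram when it reaches zero
                expired_at = router
                break
        if expired_at is None:
            # The datagram reached the destination; no application owns the UDP port
            hops.append((hop_limit, destination, "port unreachable"))
            return hops
        if expired_at in silent:
            hops.append((hop_limit, None, "*"))        # no reply within the wait time
        else:
            hops.append((hop_limit, expired_at, "time exceeded"))
    return hops   # max hop limit reached without hearing from the destination


def route_from_trace(hops):
    """The route the source infers: the responder at each hop, '*' where none replied."""
    return [responder if responder is not None else "*" for _, responder, _ in hops]


if __name__ == "__main__":
    for hop in traceroute_ipv6(["RTA", "RTB", "RTC", "RTD"]):    # topology of Figure 71
        print(hop)
```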

FTP Configuration

IPv6 supports file transfer protocol (FTP) applications. You can log in to the switch (serving as an FTP client) by running a terminal emulation program on your PC or by using Telnet. Then, you can use the ftp command to connect the switch to a remote FTP server and access the files on the remote FTP server.

Configuration Prerequisites

The FTP server is started, with the related parameters, such as username, password, and user rights, configured. Refer to File System Management module for detailed procedures.

FTP Configuration

You can perform the following configuration task (Table 177) on an authorized directory when the device serves as an FTP client.

Caution: Make sure you use the -i keyword to specify the interface for a link-local address.

TFTP Configuration

IPv6 supports TFTP (Trivial File Transfer Protocol). As a client, the device can download files from or upload files to a TFTP server.

Configuration Preparation

Start the TFTP server and specify the directory for downloading or uploading files. Refer to the TFTP server's configuration documentation for specific instructions.

Table 177 Configuring FTP

To...                                                     Use the command...                                                                                                     Remarks
Establish a control connection with a remote FTP server   ftp ipv6 [ [ { ipv6-address | hostname } [ port-number ] ] [ -a source-ipv6 ] [ -i interface-type interface-number ] ]   Required. Use this command in user view.


TFTP Configuration

Managing users' access to TFTP servers

Follow the steps in Table 178 to configure the ACL for the TFTP application.

Downloading files

Follow the steps in Table 179 to download files from TFTP servers:

Caution: Make sure to specify the -i parameter when the destination address is a link local address.

Upload files

Follow these steps to upload files to TFTP servers:

To do...                        Use the command...                                                                                                                                Remarks
Upload files to TFTP servers    tftp ipv6 { tftp-server-ipv6-address | hostname } [ -i interface-type interface-number ] put source-filename [ destination-filename ]   Required. Available in user view.

Caution: Make sure to specify the -i parameter when the destination address is a link local address.

IPv6 Telnet

The Telnet protocol belongs to the application layer protocols of the TCP/IP protocol suite, and is used to provide remote login and virtual terminals. The device can be used either as a Telnet client or as a Telnet server.

As Figure 72 shows, the Host runs an IPv6 Telnet client application to set up an IPv6 Telnet connection with Device A, which serves as the Telnet server. If Device A in turn connects to Device B through Telnet, Device A is the Telnet client and Device B is the Telnet server.

Table 178 Configuring the ACL for the TFTP application

To… Use the command… Remarks

Enter system view system-view -

Configure the ACL for the TFTP application to enable or disable access to a specific TFTP server

tftp-server ipv6 acl acl-number

Required

ACL is not related to TFTP application by default.

Table 179

To… Use the command… Remarks

Download files from TFTP server

tftp ipv6 { ipv6-address | hostname } [ -i interface-type interface-number ] get source-filename [ destination-filename ]

Required

Available in user view


258 CHAPTER 24: CONFIGURING IPV6 APPLICATIONS

Figure 72 Providing Telnet services

Configuration Prerequisites

Telnet supports three authentication modes: none, password and scheme. The default is password. Refer to the Login module for details.

Setting up IPv6 Telnet Connections

Follow these steps to set up an IPv6 Telnet connection:

Log in to and manage another device from the Telnet client: telnet ipv6 { ipv6-address | hostname } [ -i interface-type interface-name ] [ port-number ] (Required. Available in user view.)

Caution: Make sure you specify the -i parameter when the destination address is a link-local address.

Displaying and Maintaining IPv6 Telnet

Follow these steps to display and debug IPv6 Telnet:

Display the usage information of the user interfaces: display users [ all ] (Available in any view)

Examples of Typical IPv6 Application Configurations

Network requirements

In Figure 73, SWA, SWB and SWC represent three switches in the public domain. In the same LAN there is a Telnet server and a TFTP server, providing the Telnet service and the TFTP service respectively to the switches.



Network diagram

Figure 73 IPv6 application network diagram

Figure 73 (diagram not reproduced) shows switches SWA, SWB and SWC together with Telnet_Server 3001::2 and TFTP_Server 3001::3. Addresses labelled in the figure: SWC 3001::4/64; link addresses 3002::1/64, 3002::2/64, 3003::1/64 and 3003::2/64.

Configuration procedure

Configure the IPv6 addresses on the interfaces of the switches and the servers, and make sure the route between each switch and the servers is reachable, before performing the following configuration.

# Ping SWB's IPv6 address from SWA.

<SWA> ping ipv6 3003::1
  PING 3003::1 : 56 data bytes, press CTRL_C to break
    Reply from 3003::1
    bytes=56 Sequence=1 hop limit=255 time = 2 ms
    Reply from 3003::1
    bytes=56 Sequence=2 hop limit=255 time = 2 ms
    Reply from 3003::1
    bytes=56 Sequence=3 hop limit=255 time = 2 ms
    Reply from 3003::1
    bytes=56 Sequence=4 hop limit=255 time = 2 ms
    Reply from 3003::1
    bytes=56 Sequence=5 hop limit=255 time = 2 ms

  --- 3003::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms

# Trace the IPv6 route from SWA to SWC.

<SWA> tracert ipv6 3002::1
traceroute to 3002::1 30 hops max,60 bytes packet
 1 3003::1 30 ms 0 ms 0 ms
 2 3002::1 10 ms 10 ms 0 ms

# Download a file from TFTP server 3001::3 to SWC.

<SWC> tftp ipv6 3001::3 get filetoget flash:/filegothere
Transfer file in binary mode.
Now begin to download file from remote tftp server, please wait for a while...
TFTP: 11369 bytes received in 1 seconds.
File downloaded successfully.

# Connect to Telnet server 3001::2.

<SWA> telnet ipv6 3001::2
Trying 3001::2...
Press CTRL+K to abort
Connected to 3001::2 ...
Telnet Server>

# Set up a Telnet connection from SWA to SWC.

<SWA> telnet ipv6 3002::1
Trying 3002::1 ...
Press CTRL+K to abort
Connected to 3002::1 ...
**********************************************************************
* Copyright(c) 2007-2008 3Com Corporation.                           *
* Without the owner's prior written consent,                         *
* no decompiling or reverse-engineering shall be allowed.            *
**********************************************************************

<SWC>

Troubleshooting IPv6 Application

Unable to Ping a Remote Destination

Symptom

Pinging a remote destination fails and an error message is returned.

Solution

■ Use the display ipv6 interface command to check that the interfaces of the source and the destination, and the link-layer protocol between them, are in the up state.

■ Use the display current-configuration command to check whether IPv6 forwarding is enabled. If not, enable it with the ipv6 command.

■ Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout, so as to determine whether the failure is caused by a timeout value that is too small.

■ Use the debugging ipv6 icmpv6 command to enable ICMPv6 debugging and check the request and response packets.

Unable to Run Traceroute

Symptom

Unable to trace the route by performing Traceroute operations.

Solution

■ Determine whether you can ping the destination host.

■ If yes, check whether an application on the destination host is listening on the UDP port used by Traceroute. If so, specify an unreachable UDP port in the tracert ipv6 command.

■ Use the debugging udp ipv6 packet command to enable UDP packet debugging and check the UDP packets sent and received.

■ Use the debugging ipv6 icmpv6 command to check the ICMPv6 packets received from the different devices.

Unable to Run TFTP

Symptom

Unable to download or upload files with TFTP.

Solution

■ Make sure the ACL configured for the TFTP application does not block the connection to the TFTP server.

■ Make sure the file system of the device is usable. You can check it by running the dir command in user view.

■ Use the debugging udp ipv6 packet command in user view to enable UDP packet debugging and check the UDP packets sent and received.

Unable to Run Telnet

Symptom

Unable to log in to the Telnet server with Telnet.

Solution

■ Make sure the Telnet server application is running on the server, and that the configuration allows the server to be reached.

■ Run the debugging telnet command in user view to debug Telnet.

■ Run the debugging tcp ipv6 packet command in user view to check the packet information.


25 STATIC ROUTING CONFIGURATION

In this chapter, the term router refers to a generic router or a Layer 3 switch running routing protocols. For readability, this convention is not repeated in the rest of the manual.

Introduction

Static Routing

A static route is a special route that is manually configured by the network administrator. If a network is relatively simple, you only need to configure static routes for it to work normally. Proper configuration and use of static routes can improve a network's performance and guarantee bandwidth for important network applications.

The disadvantage of static routing is that if a fault or a topology change occurs in the network, the route becomes unreachable and the network breaks. In this case, the network administrator has to modify the configuration manually.

Default Routes

A default route is another special route; it can be configured as a static route or generated by dynamic routing protocols such as OSPF and IS-IS.

Generally, a router selects the default route only when it cannot find any matching entry in the routing table. In a routing table, the default route appears as the route to the network 0.0.0.0 (with the mask 0.0.0.0). You can check whether a default route has been configured by running the display ip routing-table command.

If the destination address of a packet fails to match any entry in the routing table, the router selects the default route to forward the packet. If there is no default route and the destination address of the packet is not in the routing table, the packet is discarded and an ICMP packet is sent to the source reporting that the destination host or network is unreachable.

Application Environment of Static Routing

Switch 4500G Family supports general static routing.

You need to be familiar with the following contents while configuring static routes:

1 Destination address and masks

In the ip route-static command, the IPv4 address is in dotted decimal format and the mask can be in either dotted decimal format or the mask length (the digits of consecutive 1s in the mask).

2 Output interface and the next hop address

While configuring static routes, you can specify either the output interface or next hop address. Whether you should specify the output interface or the next hop address depends on the specific occasion.


In fact, all the route entries must specify the next hop address. While forwarding a packet, the corresponding route is determined by searching the routing table for the packet’s destination address. Only after the next hop address is specified, the corresponding link-layer address can be found for the link-layer to forward the packet.

3 Other attributes

You can configure different preferences for different static routes to implement routing management policies flexibly. For example, when configuring multiple routes to the same destination, using identical preferences allows load sharing, while using different preferences provides route backup.

When running the ip route-static command to configure a static route, an all-zero destination address and mask specify the default route.

Switch 4500G Family does not support load sharing.
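The selection rules described in this section (longest prefix match, the all-zero default route as last resort, an ICMP unreachable when nothing matches, and preference deciding between routes to the same destination) as an added Python model. This is example code written for this guide, not switch firmware or 3Com code; the class and method names (RoutingTable, add_static, forward) and the sample addresses are constructed, while the default preference of 60 and the mask/mask-length forms are taken from this chapter.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_PREFERENCE = 60  # default static-route preference in this chapter


@dataclass(frozen=True)
class StaticRoute:
    destination: ipaddress.IPv4Network   # 0.0.0.0/0 is the default route
    next_hop: ipaddress.IPv4Address
    preference: int = DEFAULT_PREFERENCE


class RoutingTable:
    """Hypothetical model of route selection: longest prefix match, the all-zero default
    route as last resort, and preference deciding between routes to the same destination."""

    def __init__(self):
        self.routes = []

    def add_static(self, ip, mask, next_hop, preference=DEFAULT_PREFERENCE):
        # mask is either dotted decimal ("255.255.255.0") or a mask length ("24"), as in
        # "ip route-static ip-address { mask | mask-length } nexthop-address"
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.routes.append(StaticRoute(net, ipaddress.ip_address(next_hop), preference))

    def lookup(self, dst):
        """Selected route for dst, or None when no entry (not even a default route) matches."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.destination]
        if not matches:
            return None
        # Longest prefix first; among equal prefixes the lowest preference value wins, so a
        # backup route is given a higher preference value. Equal-preference routes to one
        # destination would load-share on a router that supports it; this switch family does
        # not, so the model falls back to the route configured first.
        return min(matches, key=lambda r: (-r.destination.prefixlen, r.preference,
                                           self.routes.index(r)))

    def forward(self, dst):
        """Forwarding decision: ("forward", next hop) or ("icmp-unreachable", None), the
        latter standing for the ICMP destination-unreachable sent back to the source."""
        route = self.lookup(dst)
        if route is None:
            return ("icmp-unreachable", None)
        return ("forward", str(route.next_hop))


if __name__ == "__main__":
    # Switch B's two static routes from the example later in this chapter, plus a default route
    rt = RoutingTable()
    rt.add_static("1.1.1.0", "255.255.255.0", "1.1.4.1")
    rt.add_static("1.1.3.0", "24", "1.1.4.6")
    print(rt.forward("8.8.8.8"))          # no default route yet: icmp-unreachable
    rt.add_static("0.0.0.0", "0.0.0.0", "1.1.4.2")
    print(rt.forward("8.8.8.8"))          # now forwarded via the default route
```

The model deliberately returns the ICMP unreachable decision instead of silently dropping, because on a real network that message is what tells an operator a default route is missing rather than a link being down.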

Configuring Static Route

Configuration Prerequisites

Before configuring a static route, you need to finish the following tasks:

■ Configuring the physical parameters of the relevant interfaces

■ Configuring the link-layer attributes of the relevant interfaces

■ Configuring the IP addresses of the relevant interfaces

Configuring Static Routes

Follow these steps to configure a static route:

Table 180 Configuring Static Routes

Enter system view: system-view
Configure a static route: ip route-static ip-address { mask | mask-length } { [ vlan-interface vlan-id ] nexthop-address | NULL interface-number } [ preference preference | description description-info | tag tag-value ]* (Required)
Configure the default preference for static routes: ip route-static default-preference default-preference-value (Optional. The preference is 60 by default.)

■ If no preference is specified when a static route is configured, the default preference is used. Changing the default preference affects only static routes created afterwards.

■ The description text describes the usage and function of a specific route, making it easier to classify and manage static routes.

■ You can control routes conveniently by matching the tag in a routing policy.


Displaying and Maintaining Static Routes

After the configuration, you can run the display commands in any view to view the running status of the static routes and verify the effect of the configuration.

Use the undo ip route-static command in system view to delete a static route, and the delete static-routes all command in system view to delete all configured static routes (including manually configured default IPv4 routes) at once.

Follow these steps to display and maintain static routes:

Table 181 Displaying and Maintaining Static Routes

Display the current configuration: display current-configuration
Display the summary of the IP routing table: display ip routing-table
Display the details of the IP routing table: display ip routing-table verbose
Display the information of static routes: display ip routing-table protocol static [ inactive | verbose ]
Delete all static routes: delete static-routes all

Example of Static Routes Configuration

Network requirements

The IP addresses and masks of the switches' interfaces and of the hosts are shown in the following figure. Static routes are required so that the hosts can communicate with each other.

Network diagram

Figure 74 Network diagram for static routes

Figure 74 (diagram not reproduced) labels: PC1 1.1.1.2/24; PC2 1.1.2.2/24; PC3 1.1.3.2/24; SwitchA, SwitchB and SwitchC; Vlan-interface200 1.1.1.1/24; Vlan-interface100 1.1.4.1/30 and 1.1.4.2/30; Vlan-interface102 1.1.2.1/24; Vlan-interface101 1.1.4.5/30 and 1.1.4.6/30; Vlan-interface300 1.1.3.1/24.


Configuration procedure

1 Configuring the interfaces’ IP addresses

Omitted.

2 Configuring the static route

a Configure a default route on Switch A.

[Switch A] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2

b Configure two static routes on Switch B.

[Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
[Switch B] ip route-static 1.1.3.0 255.255.255.0 1.1.4.6

c Configure a default route on Switch C.

[Switch C] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5

3 Configure the hosts

The default gateways for the three hosts PC1, PC2 and PC3 are configured as 1.1.1.1, 1.1.2.1 and 1.1.3.1 respectively.

4 Display the configuration result

a Display the IP route table of Switch A.

[Switch A] display ip routing-table
Routing Tables: Public
        Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost    NextHop         Interface

0.0.0.0/0           Static  60   0       1.1.4.2         Vlan100
1.1.1.0/24          Direct  0    0       1.1.1.1         Vlan200
1.1.1.1/32          Direct  0    0       127.0.0.1       InLoop0
1.1.4.0/30          Direct  0    0       1.1.4.1         Vlan100
1.1.4.1/32          Direct  0    0       127.0.0.1       InLoop0
127.0.0.0/8         Direct  0    0       127.0.0.1       InLoop0
127.0.0.1/32        Direct  0    0       127.0.0.1       InLoop0

b Use the ping command to check the connectivity.

[Switch A] ping 1.1.3.1
  PING 1.1.3.1: 56 data bytes, press CTRL_C to break
    Reply from 1.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
    Reply from 1.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
    Reply from 1.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
    Reply from 1.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
    Reply from 1.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms

  --- 1.1.3.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms


c Use the tracert command to check the connectivity.

[Switch A] tracert 1.1.3.1
 traceroute to 1.1.3.1(1.1.3.1) 30 hops max,40 bytes packet
 1 1.1.4.2 31 ms 32 ms 31 ms
 2 1.1.4.6 62 ms 63 ms 62 ms


26 RIP CONFIGURATION

The term "router" in this document refers to a router in a generic sense or a Layer 3 switch. To improve readability, this will not be described in the present manual again.

RIP Overview

RIP is a simple Interior Gateway Protocol (IGP), mainly used in small networks such as academic networks and simply structured LANs.

RIP is still widely used in practice because it is simple to implement and easier to configure and maintain than OSPF and IS-IS.

RIP Mechanism

Basic concept of RIP

RIP is a distance-vector routing protocol that exchanges routing information in UDP messages on port 520.

RIP uses a routing metric (hop count) to measure the distance to a destination. The hop count from a router to a directly connected network is 0; a network reachable through one other router is one hop away, and so on. To reduce convergence time, RIP limits the metric to the range 0 to 15. A value of 16 or more is considered infinity, meaning the destination network is unreachable. This is why RIP cannot be used in large-scale networks.

RIP prevents routing loops by implementing Split Horizon and Poison Reverse functions.

RIP routing table

Each RIP router has a routing table, containing routing entries of all reachable destinations.

■ Destination address: the IP address of a host or a network.

■ Next hop: IP address of the adjacent router to the destination network.

■ Interface: The interface for forwarding

■ Metric: Cost from the local router to the destination

■ Routing time: The time elapsed since the entry was last updated. It is reset to 0 each time the entry is updated.

■ Route change tag: Indicates that the information about this route has changed.

RIP timers

RIP uses four timers to control its operation. They are Update, Timeout, Suppress, and Garbage-Collect.

■ Update timer triggers sending new update messages periodically.


■ Timeout timer controls the validity of a route. A route is considered unreachable when the RIP router receives no update message for it from any neighbor within the timeout period.

■ Suppress timer. A route enters the suppress status when no update message is received for it within the timeout period or its metric reaches 16. In the suppress status, the router only accepts update messages from the same neighbor with a metric less than 16 to replace the unreachable route.

■ Garbage-Collect timer. The RFC defines the garbage collection time as the period from the moment the metric of a route reaches 16 until the route is purged from the table. During the garbage-collect time, RIP keeps advertising the route with a metric of 16. Once the garbage-collect time expires without the route being updated, the route is deleted from the table.
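The timeout, suppress and garbage-collect timers above as an added Python model of one router's RIP table; this is example code for this guide, not Comware code. The timer values are constructed defaults, and the reading of the suppress rule (while the suppress timer runs, only the neighbor that originally advertised the route may replace the unreachable entry; after it expires, and until garbage collection purges the entry, any neighbor with a reachable metric may) is an interpretation of the list above, marked as such in the code. The class and method names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

INFINITY = 16


@dataclass
class RipTimers:
    # Seconds. Constructed defaults for this model (the real values are set with the
    # "timers" command); they are not quoted from the guide.
    update: int = 30
    timeout: int = 180
    suppress: int = 120
    garbage_collect: int = 120


@dataclass
class RipEntry:
    dest: str
    next_hop: str          # neighbor that advertised the route
    metric: int
    last_update: float     # "routing time" is now - last_update
    unreachable_since: Optional[float] = None   # set when the metric becomes 16


class RipTable:
    def __init__(self, timers: RipTimers = None):
        self.timers = timers or RipTimers()
        self.entries = {}

    def receive(self, dest, neighbor, metric, now):
        """Apply one route from a Response message received from `neighbor` at time `now`."""
        cur = self.entries.get(dest)
        if cur is None:
            if metric < INFINITY:            # never install an unreachable route
                self.entries[dest] = RipEntry(dest, neighbor, metric, now)
            return
        if cur.unreachable_since is not None:
            # Suppress status (interpretation of the guide's rule): while the suppress timer
            # runs only the original neighbor may replace the route, and only with a
            # reachable metric; after it expires any neighbor with a reachable route may,
            # until garbage collection removes the entry.
            in_suppress = now - cur.unreachable_since < self.timers.suppress
            if metric < INFINITY and (neighbor == cur.next_hop or not in_suppress):
                self.entries[dest] = RipEntry(dest, neighbor, metric, now)
            return
        if neighbor == cur.next_hop:
            # Update from the current next hop: always accept it and reset the routing time
            cur.metric, cur.last_update = metric, now
            if metric >= INFINITY:
                cur.unreachable_since = now
        elif metric < cur.metric:
            self.entries[dest] = RipEntry(dest, neighbor, metric, now)

    def tick(self, now):
        """Expire timers at time `now`; return the list of (event, dest) transitions."""
        events = []
        for dest, e in list(self.entries.items()):
            if e.unreachable_since is None:
                if now - e.last_update >= self.timers.timeout:
                    e.metric = INFINITY            # timeout: the route becomes unreachable
                    e.unreachable_since = now
                    events.append(("timeout", dest))
            elif now - e.unreachable_since >= self.timers.garbage_collect:
                del self.entries[dest]             # garbage-collect: purge the route
                events.append(("garbage-collected", dest))
        return events

    def advertised(self):
        """Contents of the periodic Response: unreachable routes still go out with metric 16."""
        return {d: e.metric for d, e in self.entries.items()}
```

A route that has timed out is still advertised with metric 16 until garbage collection, which is what lets neighbors learn that it is gone rather than keeping a stale entry until their own timers expire.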

RIP initialization and running procedure

The following procedure describes how RIP works.

1 After enabling RIP, the router sends Request messages to neighboring routers. Neighboring routers return Response messages including all information about the routing table.

2 The router updates its local routing table, and broadcasts the routing updates to its neighbors with triggered updating messages. All routers on the network do the same to keep the latest routing table.

In RIP, the routing table on each router is updated upon receipt of RIP messages periodically advertised by neighboring routers. The aged routes are deleted to make sure routes are always valid. The procedure is as follows: RIP periodically advertises the local routing table to neighboring routers, which update their local routes upon receipt of the packets. This procedure repeats on all RIP-enabled routers.

Routing loops prevention

RIP is a distance-vector (D-V) routing protocol: each router calculates the distance to a destination from the routing information received from its neighbors. When a connection to a destination goes down, the router on that connection has no immediate way to tell the others about the metric change, and the other routers keep using the old routing information to calculate the distance to that destination. Routing loops can occur in this situation.

RIP uses the following mechanisms to prevent routing loops.

■ Counting to infinity. The metric value 16 is defined as infinity. When a routing loop occurs, the route is considered unreachable once its metric reaches 16.

■ Split Horizon. The router does not send routes back out of the interface on which it learned them. Split horizon prevents routing loops and saves bandwidth.

■ Poison Reverse. The router does send routes back out of the interface on which it learned them, but with a metric of 16 (meaning infinite). This removes useless information from the routing tables of neighboring routers.

■ Triggered Updates. A router sends out its new routing information as soon as it receives an update, rather than waiting for the regular update period to expire. This speeds up network convergence.
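The loop scenario described above, with counting to infinity, split horizon and poison reverse, as an added Python simulation (example code for this guide, not the switch's RIP implementation). Two routers exchange updates after a directly connected network goes down, and the function counts the update rounds until both hold the route at metric 16. The interface names, the network label X and the order of updates within a round are constructed.

```python
INFINITY = 16


def advertise(table, out_iface, mode):
    """Entries a router puts in the Response it sends out of out_iface.
    table maps dest -> (metric, interface the route was learned on or is connected to).
    mode is "none", "split-horizon" or "poison-reverse"."""
    adv = {}
    for dest, (metric, iface) in table.items():
        if iface == out_iface:
            if mode == "split-horizon":
                continue                      # never send a route back where it came from
            if mode == "poison-reverse":
                adv[dest] = INFINITY          # send it back, but as unreachable
                continue
        adv[dest] = metric
    return adv


def install(table, in_iface, adv):
    """Receiver side: add one hop, cap at infinity (counting to infinity), and accept the
    route if it is better or comes from the neighbor we already route through."""
    for dest, metric in adv.items():
        new = min(metric + 1, INFINITY)
        cur = table.get(dest)
        if cur is None:
            if new < INFINITY:                # an unknown unreachable route is not installed
                table[dest] = (new, in_iface)
        elif new < cur[0] or cur[1] == in_iface:
            table[dest] = (new, in_iface)


def rounds_until_unreachable(mode, max_rounds=50):
    """Routers A and B are joined by interface "link". A has network X directly connected on
    "vlan10" and B learned X from A. Then X goes down at A. Returns the number of update
    rounds until both routers hold X at metric 16, or None if that never happens."""
    a = {"X": (0, "vlan10")}
    b = {}
    install(b, "link", advertise(a, "link", mode))      # B learns X at metric 1 via link
    a["X"] = (INFINITY, "vlan10")                        # X goes down: A holds it as unreachable
    for rnd in range(1, max_rounds + 1):
        install(a, "link", advertise(b, "link", mode))  # B's (possibly stale) update reaches A
        install(b, "link", advertise(a, "link", mode))  # A's update reaches B
        if a["X"][0] == INFINITY and b["X"][0] == INFINITY:
            return rnd
    return None


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(mode, rounds_until_unreachable(mode))
```

Without either countermeasure B's stale entry is handed back to A, and the metric climbs by two per round until the cap of 16 ends the loop; with split horizon or poison reverse the unreachable state settles in the first round.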


RIP Version

RIP has two versions: RIP-1 and RIP-2.

RIP-1 is a classful routing protocol that broadcasts its protocol messages. RIP-1 messages carry no mask information, so RIP-1 can only recognize routes to networks with natural (Class A, B or C) addresses. That is why RIP-1 does not support route summarization or discontiguous subnets.

RIP-2 is a classless routing protocol. Compared with RIP-1, RIP-2 has the following advantages.

■ Supports route tags. The route tag is intended to differentiate internal RIP routes from external RIP routes.

■ Supports masks, route summarization and CIDR (Classless Inter-Domain Routing).

■ Supports next hop, which must be directly reachable on the broadcast network.

■ Supports multicasting, to reduce unnecessary load on hosts that do not need to listen to RIP-2 messages.

■ Supports authentication to enhance security. Two authentication methods are available: plain text and MD5 (Message Digest 5).

RIP-2 has two message transmission modes: broadcast and multicast. Multicast is the default, using 224.0.0.9 as the multicast address. Interfaces running RIP-2 in broadcast mode can also receive RIP-1 messages.

RIP Message Format

RIP-1 message format

A RIP message consists of a header and up to 25 route entries.

The format of a RIP-1 message is shown in Figure 75.

Figure 75 RIP-1 Message Format

Figure 75 (diagram not reproduced) shows a 32-bit-wide layout with field boundaries at bits 0, 7, 15 and 31: a header of command, version and must-be-zero fields, followed by route entries each containing address family identifier, must be zero, IP address, must be zero, must be zero and metric.

■ Command: The type of message. 1 indicates Request, 2 indicates Response.

■ Version: The version of RIP. RIP-1 is 0x01.

■ AFI (Address Family Identifier): The address family of the protocol. 2 is for IP.

■ IP Address: IP address of the destination. Only natural addresses are acceptable here.

■ Metric: The cost of the route.


RIP-2 message format

The format of a RIP-2 message is similar to that of RIP-1, as shown in Figure 76.

Figure 76 RIP-2 Message Format

Figure 76 (diagram not reproduced) shows a header of command, version and unused fields, followed by route entries each containing address family identifier, route tag, IP address, subnet mask, next hop and metric.

The differences from RIP-1 are as follows.

■ Version: The version of RIP. For RIP-2 the value is 0x02.

■ Route Tag: An attribute indicating where the routes were imported from.

■ IP Address: The destination IP address. It can be a natural network address, a subnet address or a host address.

■ Subnet Mask: Mask of the destination address.

■ Next Hop: The address of the best next hop. 0.0.0.0 indicates that the originator of the route is the best next hop.

RIP-2 authentication

RIP-2 supports plain text authentication, which uses the first route entry to carry authentication information. An address family identifier value of 0xFFFF indicates that the entry carries authentication information rather than routing information. See Figure 77.

Figure 77 RIP-2 Authentication Message

Figure 77 (diagram not reproduced) shows the header (command, version, unused) followed by an entry made up of the address family identifier 0xFFFF, an authentication type field and 16 octets of authentication data.

■ Authentication Type: 2 represents plain text authentication, while 3 represents MD5.

■ Authentication: The actual authentication data. It contains the password when plain text authentication is used.

RFC 1723 only defines plain text authentication. For information about MD5 authentication, see RFC 2082 "RIP-2 MD5 Authentication".
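A parser for the RIP-1/RIP-2 message layout and the authentication entry described in the three subsections above, as an added Python example (not code from the switch or from 3Com). It builds a constructed RIP-2 Response carrying a plain-text authentication entry, parses it back, and runs the checks a network monitor on UDP port 520 would apply: RIP-1 and unauthenticated RIP-2 accept routes from any host on the segment, plain-text authentication leaves the password readable in every capture, and an advertised default route deserves a look. The function names and the sample password are assumptions; the MD5 field layout follows RFC 2082 and is only recognised here, not verified.

```python
import ipaddress
import socket
import struct

INFINITY = 16
MAX_ENTRIES = 25
AFI_IP = 2
AFI_AUTH = 0xFFFF            # address family identifier marking an authentication entry
AUTH_PLAIN = 2
AUTH_MD5 = 3
HEADER = struct.Struct("!BBH")          # command, version, must-be-zero (RIP-1) / unused (RIP-2)
ENTRY = struct.Struct("!HH4s4s4sI")     # AFI, route tag, IP address, subnet mask, next hop, metric


def build_rip2_response(routes, password=None):
    """Constructed RIP-2 Response: header, optional plain-text authentication entry, route
    entries. routes: iterable of (network, mask, next_hop, metric), dotted-decimal strings."""
    body = b""
    if password is not None:
        pw = password.encode()
        if len(pw) > 16:
            raise ValueError("a plain-text password is at most 16 octets")
        body += struct.pack("!HH", AFI_AUTH, AUTH_PLAIN) + pw.ljust(16, b"\0")
    for net, mask, nh, metric in routes:
        body += ENTRY.pack(AFI_IP, 0, socket.inet_aton(net), socket.inet_aton(mask),
                           socket.inet_aton(nh), metric)
    return HEADER.pack(2, 2, 0) + body


def parse_rip(data):
    """Parse a RIP-1 or RIP-2 message; raise ValueError on anything malformed."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError("RIP message must be a 4-octet header plus 20-octet entries")
    command, version, _ = HEADER.unpack_from(data)
    count = (len(data) - HEADER.size) // ENTRY.size
    if count > MAX_ENTRIES:
        raise ValueError("more than 25 entries")
    msg = {"command": {1: "request", 2: "response"}.get(command, command),
           "version": version, "auth": None, "routes": []}
    zero4 = b"\0" * 4
    for i in range(count):
        off = HEADER.size + i * ENTRY.size
        afi, tag, ip, mask, nh, metric = ENTRY.unpack_from(data, off)
        if afi == AFI_AUTH:
            auth_type, auth_data = tag, data[off + 4:off + ENTRY.size]
            if i == 0 and auth_type == AUTH_PLAIN:
                msg["auth"] = {"type": "plain",
                               "password": auth_data.rstrip(b"\0").decode(errors="replace")}
            elif i == 0 and auth_type == AUTH_MD5:
                # RFC 2082 layout: packet length, key id, auth data length, sequence number;
                # the digest itself travels in a trailing entry with authentication type 1
                _plen, key_id, _dlen, seq = struct.unpack_from("!HBBI", auth_data)
                msg["auth"] = {"type": "md5", "key_id": key_id, "sequence": seq}
            elif i == count - 1 and auth_type == 1 and msg["auth"]:
                msg["auth"]["digest"] = auth_data.hex()
            else:
                raise ValueError(f"unexpected authentication entry at index {i}")
            continue
        if afi == 0 and msg["command"] == "request" and metric == INFINITY:
            msg["routes"].append({"whole_table": True})   # "send me everything" request
            continue
        if afi != AFI_IP:
            raise ValueError(f"unsupported address family {afi}")
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} outside 1..16")
        if version == 1:
            if tag or mask != zero4 or nh != zero4:
                raise ValueError("RIP-1 must-be-zero field is set")
            msg["routes"].append({"network": socket.inet_ntoa(ip), "prefix": None,
                                  "next_hop": None, "tag": 0, "metric": metric})
        else:
            net = ipaddress.ip_network(f"{socket.inet_ntoa(ip)}/{socket.inet_ntoa(mask)}",
                                       strict=False)
            msg["routes"].append({"network": socket.inet_ntoa(ip), "prefix": str(net),
                                  "next_hop": socket.inet_ntoa(nh), "tag": tag,
                                  "metric": metric})
    return msg


def audit(msg):
    """Findings a monitor watching UDP port 520 would raise for a parsed message."""
    findings = []
    if msg["version"] == 1:
        findings.append("rip1-unauthenticated")     # RIP-1 cannot carry authentication at all
    elif msg["auth"] is None:
        findings.append("rip2-unauthenticated")     # any host on the segment can inject routes
    elif msg["auth"]["type"] == "plain":
        findings.append("plaintext-auth")           # password readable in every capture
    if any(r.get("prefix") == "0.0.0.0/0" for r in msg["routes"]):
        findings.append("default-route")            # a default route pulls all unknown traffic
    return findings
```

The parser rejects messages whose length is not a header plus whole 20-octet entries, more than 25 entries, metrics outside 1..16 and RIP-1 entries with must-be-zero fields set, which is also what a receiving router should do before trusting anything in the message.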

RIP Features Supported

Currently, Comware 5.0 supports the following RIP features.

■ RIP-1

■ RIP-2


RIP Related RFCs

■ RFC 1058: Routing Information Protocol

■ RFC 1723: RIP Version 2 - Carrying Additional Information

■ RFC 1721: RIP Version 2 Protocol Analysis

■ RFC 1722: RIP Version 2 Protocol Applicability Statement

■ RFC 1724: RIP Version 2 MIB Extension

■ RFC 2082: RIP-2 MD5 Authentication

RIP Basic Configuration

In this section, you are presented with the information needed to configure the basic RIP features.

Configuration Prerequisites

Before configuring RIP features, configure an IP address on each interface and make sure all routers are reachable.

Configuring RIP Basic Function

Enabling RIP and specifying networks

Follow these steps to enable RIP:

Table 182 Configuring RIP Basic Function

Enter system view: system-view
Enable RIP and enter RIP view: rip [ process-id ]
Enable RIP on the specified network: network network-address (Required. Disabled by default.)

■ If you perform RIP configuration in interface view before enabling RIP, those configurations take effect after RIP is enabled.

■ The router does not send, receive or forward any routing information on a network unless RIP is enabled on that network.

■ You can enable RIP on all interfaces by using the network 0.0.0.0 command.


Configuring the interface behavior

Follow these steps to configure interface behavior:

Table 183 Configuring the interface behavior

Enter system view: system-view
Enter RIP view: rip [ process-id ]
Stop routing updates on all interfaces: silent-interface all (Optional. All interfaces can receive routing updates by default.)
Stop routing updates on one interface: silent-interface interface-type interface-number (Optional)
Enter interface view: interface interface-type interface-number
Configure an interface to receive routing updates: rip input (Optional. By default, the router receives and sends RIP messages.)
Configure an interface to send routing updates: rip output (Optional)

Stopping routing updates means that the router receives routing updates without forwarding them.

Configuring the RIP version

Follow these steps to configure the RIP version:

Table 184 Configuring the RIP version

Enter system view: system-view
Enter RIP view: rip [ process-id ]
Specify a global RIP version: version { 1 | 2 } (Optional. RIP-1 by default.)
Enter interface view: interface interface-type interface-number
Specify a RIP version on the interface: rip version { 1 | 2 [ broadcast | multicast ] } (Optional. By default, the router receives RIP-1 and RIP-2 messages but only sends RIP-1 messages. If the RIP version is 2, you can specify whether messages are broadcast or multicast.)

If the RIP version specified on the interface and the global RIP version are inconsistent, the version specified on the interface is used. If no RIP version is specified on the interface, the global RIP version is used.


RIP Route Control

In some complex network environments, you need to make the RIP configuration more precise.

This section covers the following topics:

■ Configuring additional routing metrics to affect routing options.

■ Configuring the route summarization to reduce the size of routing tables.

■ Configuring host routes to reduce the size of routing tables

■ Configuring default routes

■ Configuring filtering policies

■ Configuring the protocol priority

■ Redistributing routes

Before configuring RIP routing information, finish the following tasks first:

■ Configure IP address on each interface, and make sure all routers are reachable.

■ Configure basic RIP functions

Configuring RIP Route Control

Configuring additional routing metrics

To increase routing metrics, you can add a value to the metric of routes received or advertised by RIP.

Follow these steps to configure additional routing metrics:

Table 185 Configuring RIP Route Control

Enter system view: system-view
Enter interface view: interface interface-type interface-number
Define an additional routing metric for incoming routes: rip metricin value (Optional. 0 by default.)
Define an additional routing metric for outgoing routes: rip metricout value (Optional. 1 by default.)

rip metricout applies only to the router's own routes and to routes learned by RIP; it is not applicable to routes imported from other routing protocols.

Configuring route summarization

Route summarization means that subnet routes in a natural network are summarized so that the whole network is advertised as a single route with its natural mask. This reduces the size of routing tables and therefore the network load.

RIP-1 does not support route summarization. When RIP-2 is running, you need to disable the route summarization function if you want to advertise all subnet routes.
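Route summarization as described above, as an added Python model (example code for this guide, not the switch's implementation): subnet routes collapse to their natural-mask network when automatic summarization is on (the summary command), or to a configured summary address (rip summary-address), keeping the lowest metric; with summarization off, every subnet route is advertised as is. The function models the update sent across a natural-network boundary, which is where classful summarization applies; the function names and the sample prefixes are constructed.

```python
import ipaddress


def natural_network(net):
    """Classful (natural-mask) network containing net: class A /8, class B /16, class C /24."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        length = 8
    elif first_octet < 192:
        length = 16
    elif first_octet < 224:
        length = 24
    else:
        raise ValueError(f"{net} is not a class A, B or C address")
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


def summarize(routes, auto_summary=True, summary_addresses=()):
    """Routes advertised across a natural-network boundary. routes maps prefix -> metric.
    auto_summary models the "summary" command (classful summarization, on by default);
    summary_addresses models "rip summary-address network-address network-mask" entries
    configured on the outgoing interface. Each summary keeps the lowest metric it covers.
    RIP-1 cannot carry masks, so it always behaves like auto_summary=True."""
    manual = [ipaddress.ip_network(s) for s in summary_addresses]
    advertised = {}
    for prefix, metric in routes.items():
        net = ipaddress.ip_network(prefix)
        target = net
        for summary in manual:
            if net.subnet_of(summary):
                target = summary              # a configured summary takes precedence
                break
        else:
            if auto_summary:
                natural = natural_network(net)
                if net.prefixlen > natural.prefixlen:
                    target = natural          # subnet collapsed to its natural network
        key = str(target)
        advertised[key] = min(metric, advertised.get(key, metric))
    return advertised


if __name__ == "__main__":
    # constructed sample routing table: prefix -> metric
    sample = {"10.1.0.0/16": 2, "10.2.0.0/16": 3, "192.168.1.0/24": 1, "172.16.4.0/24": 4}
    print(summarize(sample))                       # classful summaries
    print(summarize(sample, auto_summary=False))   # every subnet advertised
```

The model shows why the guide says to disable summarization when subnets must be advertised individually: once 10.1.0.0/16 and 10.2.0.0/16 are folded into 10.0.0.0/8, a neighbor can no longer tell which of the two is reachable, and a discontiguous 10.0.0.0/8 split across two interfaces would be advertised twice with conflicting meaning.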

Follow these steps to configure RIP route summarization:

Table 186 Configuring route summarization

Enter system view: system-view
Enter RIP view: rip [ process-id ]
Enable RIP-2 automatic route summarization: summary (Optional. Enabled by default.)
Enter interface view: interface interface-type interface-number
Assign an IP address and network mask for the summarized route to be advertised: rip summary-address network-address network-mask (Optional)

Disabling the receiving of host routes

In some cases, a router can receive a large number of host routes from the same network, which are of little use for routing but consume a lot of network resources. After the host route function is disabled, the router discards received host routes.

Follow these steps to configure host routes:

Table 187 Disabling the receiving of host routes

Enter system view: system-view
Enter RIP view: rip [ process-id ]
Disable the receiving of host routes: undo host-route (Optional. Receiving host routes is enabled by default.)

Configuring a default route

Follow these steps to configure a RIP default route:

Table 188 Configuring a default route

Enter system view: system-view
Enter RIP view: rip [ process-id ]
Configure a RIP default route: default-route originate cost value (Required)


Configuring route filtering

The router supports route filtering. You can filter incoming and outgoing routes by referencing an ACL or an IP prefix list in an inbound or outbound filter policy, and you can restrict incoming routes to those learned from particular neighbors (the gateway option).

Follow these steps to configure route filtering:

Table 189 Configuring route filtering
  Enter system view: system-view
  Enter RIP view: rip [ process-id ]
  Define the filtering policy: filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import [ interface-type interface-number ]
    Required.

Configuring protocol priority

Follow these steps to configure the protocol priority (preference):

Table 190 Configuring protocol priority
  Enter system view: system-view
  Enter RIP view: rip [ process-id ]
  Set the protocol priority: preference [ route-policy route-policy-name ] value
    Optional. 100 by default.

Redistributing routes

Follow these steps to import routes from other protocols:

Table 191 Redistributing routes
  Enter system view: system-view
  Enter RIP view: rip [ process-id ]
  Define the default cost of imported routes: default-cost value
    Optional. Used as the cost of an imported route when import-route specifies no cost.
  Import routes: import-route protocol [ process-id ] [ cost cost-value | route-policy route-policy-name | tag tag-value ]*
    Required.
  Define the filtering policy for redistributed routes: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] | interface-type interface-number ]
    Optional.


When advertising routes, you can specify protocol so that the export filter applies only to the routes imported from that protocol. If protocol is not specified, the filter applies to all advertised routes, including RIP routes, directly connected routes, and imported routes.

RIP Configuration Optimization

In special network environments, you may need to configure other RIP features to optimize network performance.

This section covers the following topics:

■ Configuring RIP timer

■ Configuring split horizon and poison reverse

■ Configuring RIP updating message validation

■ Configuring RIP-2 message authentication

■ Configuring RIP peer

Finish the following tasks before starting RIP optimization.

■ Configure IP addresses on the interfaces and make sure neighboring nodes are reachable.

■ Configure RIP basic functions.

Configuration Procedure

Configuring RIP timer

Follow these steps to configure the RIP timers:

When changing the RIP timers, take network performance into account and configure the same values on all routers running RIP; inconsistent timers cause unnecessary traffic and route flapping.

Table 192 Configuring RIP timers
  Enter system view: system-view
  Enter RIP view: rip [ process-id ]
  Assign a value to each timer: timers { garbage-collect garbage-collect-value | suppress suppress-value | timeout timeout-value | update update-value }
    Optional. By default: update 30s, timeout 180s, suppress 180s, garbage-collect 240s.


Configuring split horizon and poison reverse

Follow these steps to configure split horizon and poison reverse:

Table 193 Configuring split horizon and poison reverse
  Enter system view: system-view
  Enter interface view: interface interface-type interface-number
  Enable split horizon: rip split-horizon
  Enable poison reverse: rip poison-reverse
    If both split horizon and poison reverse are enabled, only poison reverse takes effect.

Configuring RIP updating message validation

Follow these steps to configure RIP updating message checks:

Table 194 Configuring RIP updating message validation
  Enter system view: system-view
  Enter RIP view: rip [ process-id ]
  Configure zero field check for RIP-1 messages: checkzero
    Optional. Enabled by default.
  Configure source address validation: validate-source-address
    Optional. Enabled by default.

■ Some fields in a RIP-1 message must be zero (the "zero fields"). A RIP-1 message whose zero fields contain a non-zero value is discarded. RIP-2 messages have no zero fields, so this check has no effect on RIP-2.

■ With source address validation, the router checks the source address of every RIP message it receives. For messages received on an Ethernet interface, if the source address is not on the same network as the receiving interface's address, the router discards the message.

■ Disable source address validation only when a neighbor that must be accepted is not on the directly connected network (see the peer command below). Otherwise leave it enabled: it rejects updates whose source is not on the local subnet.

Configuring RIP-2 message authentication

RIP-2 supports two authentication modes: plain text (simple) and MD5.

In plain text authentication, the password is carried unencrypted in every RIP message, so anyone able to capture traffic on the segment can read it; it provides no real protection. MD5 authentication sends a keyed digest instead of the key, so the key is not exposed on the wire and a modified message fails verification. The key is still shared by all routers on the segment and must be protected in the configuration.

Follow these steps to configure RIP-2 message authentication:

Table 195 Configuring RIP-2 message authentication
  Enter system view: system-view
  Enter interface view: interface interface-type interface-number
  Configure RIP-2 authentication mode: rip authentication-mode { simple password | md5 { rfc2082 password key-id | rfc2453 password } }
    If the authentication mode is MD5, you must specify the message format defined in either RFC 2453 or RFC 2082.

Configuring RIP peer

Usually, RIP sends its messages by broadcast or multicast. Configuring a peer makes RIP send unicast messages to the specified neighbor.

Follow these steps to configure a RIP peer:

Table 196 Configuring RIP peer
  Enter system view: system-view
  Enter RIP view: rip [ process-id ]
  Configure a RIP peer: peer ip-address
    Required.
  Disable source address validation: undo validate-source-address
    Required if the neighboring routers defined by the peer command are not directly connected to the local router. Source address validation is enabled by default.

Displaying and Maintaining RIP

Table 197 Displaying and Maintaining RIP
  Display RIP current status and configuration information: display rip [ process-id ]
    Available in any view.
  Display the RIP database: display rip process-id database
    Available in any view.
  Display RIP interface information: display rip process-id interface [ interface-type interface-number ]
    Available in any view.
  Display active and inactive RIP routes: display rip process-id route
    Available in any view.
  Display the RIP routing table: display rip process-id route [ statistics | ip-address mask | peer ip-address ]
    Available in any view.
  Clear statistics maintained by a RIP process: reset rip process-id statistics
    Available in user view.
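As an added example, not code from the 3Com guide, the following Python builds the two kinds of RIP-2 message that the rip authentication-mode command above selects and implements the receive-side checks from Tables 194 and 195: RFC 2082 keyed-MD5 generation and verification, the clear-text exposure of simple authentication, the RIP-1 zero-field check (checkzero), and source address validation (validate-source-address). The routes, key and addresses are constructed sample data modelled on the RIP-2 example that follows; the trailer layout and key padding follow RFC 2082, not any 3Com source.

```python
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V1, RIP_V2 = 2, 1, 2
AUTH_AFI, AUTH_SIMPLE, AUTH_MD5 = 0xFFFF, 2, 3


def rte(prefix, next_hop="0.0.0.0", metric=1, tag=0):
    """Encode one 20-byte RIP-2 route entry: AFI=2 (IPv4), tag, address, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_rip2_simple(routes, password):
    """RIP-2 response with 'rip authentication-mode simple': the password rides in the
    first entry slot as 16 bytes of clear text, readable by anyone on the segment."""
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password.encode())
    return struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0) + auth + b"".join(routes)


def _keyed_md5(data, key):
    """RFC 2082 3.2.2: MD5 over the packet followed by a trailer whose auth-data field
    holds the key, zero-padded to 16 bytes. On the wire the digest replaces the key."""
    key16 = key.encode().ljust(16, b"\0")[:16]
    return hashlib.md5(data + struct.pack("!HH", AUTH_AFI, 1) + key16).digest()


def build_rip2_md5(routes, key, key_id=1, seq=1):
    """RIP-2 response with 'rip authentication-mode md5 rfc2082': auth header in the
    first entry slot, the route entries, then the 20-byte authentication trailer."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    pkt_len = 4 + 20 + len(body)  # offset of the trailer; the trailer itself is not counted
    auth_hdr = struct.pack("!HHHBBIII", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq, 0, 0)
    data = header + auth_hdr + body
    return data + struct.pack("!HH", AUTH_AFI, 1) + _keyed_md5(data, key)


def verify_rip2_md5(pkt, key):
    """Receiver side: check the framing, recompute the digest, compare in constant time."""
    if len(pkt) < 44 or pkt[4:8] != struct.pack("!HH", AUTH_AFI, AUTH_MD5):
        return False
    pkt_len = struct.unpack("!H", pkt[8:10])[0]
    if pkt_len + 20 != len(pkt) or pkt[pkt_len:pkt_len + 4] != struct.pack("!HH", AUTH_AFI, 1):
        return False
    return hmac.compare_digest(_keyed_md5(pkt[:pkt_len], key), pkt[pkt_len + 4:])


def rip1_zero_fields_ok(pkt):
    """checkzero: in RIP-1 the header bytes 2-3 and each entry's route tag, subnet mask
    and next hop must be zero; a message violating this is discarded."""
    if len(pkt) < 4 or pkt[1] != RIP_V1 or pkt[2:4] != b"\0\0" or (len(pkt) - 4) % 20:
        return False
    for off in range(4, len(pkt), 20):
        _afi, tag, _addr, mask, nh, _metric = struct.unpack("!HH4s4s4sI", pkt[off:off + 20])
        if tag or mask != bytes(4) or nh != bytes(4):
            return False
    return True


def source_valid(src_ip, iface_ip, prefix_len):
    """validate-source-address: accept an update only if its source lies on the
    receiving interface's own subnet."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_interface(f"{iface_ip}/{prefix_len}").network


if __name__ == "__main__":
    # Constructed sample: Switch B (192.168.1.2) advertises its loopback networks to Switch A.
    routes = [rte("10.1.1.0/24"), rte("10.2.1.0/24")]
    pkt = build_rip2_md5(routes, "s3cret-key")
    print("md5 packet verifies:", verify_rip2_md5(pkt, "s3cret-key"))
    print("password visible in simple-auth packet:",
          b"s3cret-key" in build_rip2_simple(routes, "s3cret-key"))
    print("update from 192.168.1.2 accepted on 192.168.1.1/24:",
          source_valid("192.168.1.2", "192.168.1.1", 24))
```

The verifier checks the trailer position against the length field before hashing, so a truncated or padded packet is rejected without touching the digest, and the digest comparison is constant-time. Flipping a single metric bit invalidates the digest, which is the property plain text authentication cannot offer.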


RIP Configuration Example

Configuring RIP Version

Network requirements

As shown in Figure 78, enable RIP-2 on all interfaces on Switch A and Switch B.

Network diagram

Figure 78 Network diagram for RIP configuration

Configuration procedure

1 Configure an IP address for each interface (only the VLAN interface configuration is shown).

a Configure Switch A.

<Switch A> system-view
[Switch A] vlan 100
[Switch A-vlan100] quit
[Switch A] interface GigabitEthernet 1/0/1
[Switch A-GigabitEthernet1/0/1] port access vlan 100
[Switch A-GigabitEthernet1/0/1] quit
[Switch A] interface vlan-interface 100
[Switch A-Vlan-interface100] ip address 192.168.1.1 24

b Configure Switch B.

<Switch B> system-view
[Switch B] vlan 100
[Switch B-vlan100] quit
[Switch B] interface GigabitEthernet 1/0/1
[Switch B-GigabitEthernet1/0/1] port access vlan 100
[Switch B-GigabitEthernet1/0/1] quit
[Switch B] interface vlan-interface 100
[Switch B-Vlan-interface100] ip address 192.168.1.2 24

2 Configure basic RIP functions.

a Configure Switch A.

<Switch A> system-view
[Switch A] rip
[Switch A-rip-1] network 192.168.1.0
[Switch A-rip-1] network 172.16.0.0
[Switch A-rip-1] network 172.17.0.0

b Configure Switch B.

<Switch B> system-view
[Switch B] rip
[Switch B-rip-1] network 192.168.1.0
[Switch B-rip-1] network 10.0.0.0

Figure 78 topology (figure not reproduced; recovered from its labels):
  Switch A: Vlan-interface100 192.168.1.1/24 on GE 1/0/1; Loopback0 172.16.1.1/24; Loopback1 172.17.1.1/24
  Switch B: Vlan-interface100 192.168.1.2/24 on GE 1/0/1; Loopback0 10.1.1.1/24; Loopback1 10.2.1.1/24
  Switch A GE 1/0/1 is connected to Switch B GE 1/0/1.


c Display the RIP routing table of Switch A.

<Switch A> display rip 1 route
 Route Flags: R - RIP, T - TRIP
              P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
 ----------------------------------------------------------------------
 Peer 192.168.1.2 on Vlan-interface100
      Destination/Mask        Nexthop     Cost    Tag   Flags   Sec
         10.0.0.0/8        192.168.1.2     1       0     RA     15

The routing table shows that RIP-1 uses the natural (classful) mask: the two /24 loopback networks of Switch B appear as a single 10.0.0.0/8 route.

3 Configure the RIP version.

a Configure RIP-2 on Switch A.

<Switch A> system-view
[Switch A] rip
[Switch A-rip-1] version 2

b Configure RIP-2 on Switch B.

<Switch B> system-view
[Switch B] rip
[Switch B-rip-1] version 2
[Switch B-rip-1] undo summary

c Display the RIP routing table on Switch A.

<Switch A> display rip 1 route
 Route Flags: R - RIP, T - TRIP
              P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
 ----------------------------------------------------------------------
 Peer 192.168.1.2 on Vlan-interface100
      Destination/Mask        Nexthop     Cost    Tag   Flags   Sec
         10.2.1.0/24       192.168.1.2     1       0     RA     15
         10.1.1.0/24       192.168.1.2     1       0     RA     15

The routing table shows that RIP-2 carries classless subnet masks: with automatic summarization disabled on Switch B, the /24 networks are advertised individually.

Because of the long aging time of routing information, the RIP-1 route may remain in the routing table for a while after RIP-2 is configured.

Troubleshooting RIP Configuration

Symptom 1: The device receives no RIP update messages although all links are up.

Analysis: After enabling RIP, make sure the network command has been used to enable RIP on the corresponding interfaces. If interface-level behavior is configured, make sure the interface is not disabled and is not forbidden to receive or send RIP messages.

If the neighboring router sends RIP messages by multicast, the local router must use multicast as well.

Solution:

■ Use the display current-configuration command to check the RIP configuration.

■ Use the display rip command to check that the interface is enabled.


Symptom 2: With all links up, routes flap: some routes appear in and disappear from the routing table.

Analysis: In a RIP network, the timers must be consistent across the whole network and coordinated with each other. For example, the timeout value must be greater than the update value.

Solution:

■ Use the display rip command to check the RIP timer configuration.

■ Use the timers command to adjust the timers where appropriate.


27 ROUTING POLICY CONFIGURATION

A routing policy is used on the router to inspect and filter routes and to modify their attributes when routes are received, advertised, or redistributed.

When configuring routing policy, go to these sections for information you are interested in:

■ Introduction to Routing Policy

■ Defining Filtering Lists

■ Configuring a Routing Policy

■ Displaying and Maintaining the Routing Policy

■ Routing Policy Configuration Example (on routers)

■ Routing Policy Configuration Example (on switches)

■ Troubleshooting Routing Policy Configuration

The term router in this document refers to a router in a generic sense or a Layer 3 switch. To improve readability, this will not be described in the present manual again.

Introduction to Routing Policy

Routing Policy and Policy Routing

Routing policy changes the paths network traffic takes by modifying route attributes (including reachability). Policy routing, by contrast, acts on packets and directs their forwarding.

When advertising or receiving routing information, a router can apply a policy to filter it: for example, it may handle only routes that match certain rules, or a routing protocol may redistribute from other protocols only the routes that match certain rules, modifying some of their attributes to suit its needs.

To implement a routing policy, first define the characteristics of the routing information to act on, that is, a set of matching rules based on attributes such as destination address or advertising router address. The rules are defined beforehand and then applied in a routing policy used for route advertisement, reception, and redistribution.

Filters Routing protocols can use three filters: ACL, IP prefix list and route policy.

ACL

When defining an ACL, you can specify IP addresses and subnet segments for matching destinations or next hops of routing information.


For ACL configuration, refer to “IPv4 ACL Configuration”.

IP prefix list

IP-prefix list plays a role similar to ACL, but it is more flexible than ACL and easier to understand. When IP-prefix list is applied for routing information filtering, its matching object is the destination address information field of routing information. Moreover, you can specify the gateway option to specify that only routing information advertised by certain routers will be received.

An IP-prefix list is identified by the IP-prefix list name. Each IP-prefix list can comprise multiple items, and each item, which is identified by an index number, can specify a matching range in network prefix format. The index number indicates the matching sequence in the IP-prefix list.

During matching, a router checks list items identified by index number in ascending order. If an item is matched, the IP-prefix list filtering is passed, without the need of matching the next item.

Routing policy

A routing policy matches attributes of routing information and modifies those attributes when the matching conditions are met. It can use the filters above to define its matching rules.

A routing policy can comprise multiple nodes, which are in a logical OR relationship. Each node is a matching unit, and the system checks the nodes in ascending order of node sequence number. Once routing information passes one node, it passes the route-policy without being matched against the remaining nodes.

Each node comprises a set of if-match and apply clauses. The if-match clauses define the matching rules; their matching objects are attributes of the routing information. The if-match clauses on one node are in a logical AND relationship: routing information passes the node only when it satisfies every if-match clause of that node. The apply clauses specify the actions performed on the attributes of routing information that has passed the node.

Routing Policy Application

Routing policy applies in two ways:

■ When redistributing routes from other routing protocols, a routing protocol redistributes only routes matching rules defined in a routing policy.

■ When receiving or advertising routing information, a routing protocol uses a routing policy to filter routing information.


Defining Filtering Lists

Configuration Prerequisites

Before configuring this task, prepare the following data:

■ IP-prefix list name

■ Matching address range

Defining IPv4 Prefix List

Identified by name, each IPv4 prefix list can comprise multiple items. Each item, identified by an index number, specifies a matching address range in network prefix form. For example, the following IPv4 prefix list is named abcd:

ip ip-prefix abcd index 10 permit 1.0.0.0 8
ip ip-prefix abcd index 20 permit 2.0.0.0 8

During matching, the system checks the items in ascending index order. The first item that matches decides the result; no further items are checked.

To define an IPv4 prefix list, use the following commands:

Table 198 Defining IPv4 Prefix List
  Enter system view: system-view
  Define an IPv4 prefix list: ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network-address len [ greater-equal greater-equal | less-equal less-equal ]
    Required. Not defined by default.

If all items are in deny mode, no route can pass the IPv4 prefix list. To let all other IPv4 routes pass, add the item permit 0.0.0.0 0 less-equal 32 after the deny items.

If more than one item is defined, at least one item should be in permit mode.

Configuring a Routing Policy

A routing policy matches attributes of routing information and modifies some of them once the matching rules are satisfied. Matching rules can be configured using the filters described above.

A routing policy can comprise multiple nodes, each of which contains:

■ if-match clauses: define the matching rules routing information must satisfy. The matching objects are attributes of the routing information.

■ apply clauses: specify the actions performed on the attributes of routing information that has satisfied the matching rules.


Configuration Prerequisites

Before configuring this task, you have completed:

■ Filtering list configuration

■ Routing protocol configuration

You also need to decide on:

■ Name of routing policy, node sequence numbers

■ Matching rules

■ Attributes to be modified

Creating a Routing Policy

To create a routing policy, use the following commands:

Table 199 Creating a Routing Policy
  Enter system view: system-view
  Create a routing policy and enter its view: route-policy route-policy-name { permit | deny } node node-number
    Required. Not created by default.

■ If a node is created in permit mode, routing information that meets the node's conditions is handled by the apply clauses of this node and is not matched against the next node. Routing information that does not meet the node's conditions goes on to the next node.

■ If a node is created in deny mode, its apply clauses are never executed. Routing information that meets all if-match clauses of the node is denied: it neither passes the node nor goes on to the next node. Routing information that fails some if-match clause of the node goes on to the next node.

■ When a routing policy has more than one node, at least one node should be in permit mode. If the routing policy is used to filter routing information, routing information that meets no node's conditions cannot pass the policy. If every node is in deny mode, no routing information can pass.


Defining if-match Clauses for the Routing Policy

To define if-match clauses for a route-policy, use the following commands:

Table 200 Defining if-match Clauses for the Routing Policy
  Enter system view: system-view
  Create a routing policy and enter its view: route-policy route-policy-name { permit | deny } node node-number
    Required. Not created by default.
  Match the cost of routing information: if-match cost value
    Optional. Not configured by default.
  Match the outbound interface of routing information: if-match interface { interface-type interface-number }
    Optional. Not configured by default.
  Match the next hop or route source of IPv4 routing information: if-match ip { next-hop | route-source } { acl acl-number | ip-prefix ip-prefix-name }
    Optional. Not configured by default.
  Match the tag of a RIP route: if-match tag value
    Optional. Not configured by default.

■ The if-match clauses of a node are in a logical AND relationship: routing information must satisfy all of them before the apply clauses are executed.

■ If no if-match clause is specified, all routing information passes the node.

■ A node can have no if-match clause or multiple if-match clauses.

Defining apply Clauses for the Routing Policy

To define apply clauses for a route-policy, use the following commands:

Table 201 Defining apply Clauses for the Routing Policy
  Enter system view: system-view
  Create a routing policy and enter its view: route-policy route-policy-name { permit | deny } node node-number
    Required. Not created by default.
  Set the cost of routing information: apply cost [ + | - ] value
    Optional. Not set by default.
  Set the next hop of IPv4 routing information: apply ip-address next-hop ip-address
    Optional. Not set by default. The next hop set with apply ip-address next-hop does not take effect for route redistribution.
  Set the routing protocol preference: apply preference preference
    Optional. Not set by default.
  Set the tag of routing information: apply tag value
    Optional.


Displaying and Maintaining the Routing Policy

Table 202 Displaying and Maintaining the Routing Policy
  Display IPv4 prefix list statistics: display ip ip-prefix [ ip-prefix-name ]
    Available in any view.
  Display routing policy information: display route-policy [ route-policy-name ]
    Available in any view.
  Clear IPv4 prefix list statistics: reset ip ip-prefix [ ip-prefix-name ]
    Available in user view.

Routing Policy Configuration Example

Applying Routing Policy When Redistributing IPv4 Routes

Network Requirements

■ Switch A and Switch B communicate with each other using RIP.

■ Configure a RIP process and static routes on Switch A.

■ Apply a routing policy when redistributing the static routes so that the routes to 20.0.0.0/8 and 40.0.0.0/8 are redistributed and the route to 30.0.0.0/8 is filtered out.

■ Display the RIP routing table on Switch B to verify the configuration.

Network diagram

Figure 79 Network diagram for routing policy application to route redistribution (figure not reproduced; topology recovered from its labels):
  Switch A: Vlan-interface100 10.0.0.1/8; Vlan-interface200 12.0.0.1/8; static routes 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8 with next hop 12.0.0.2
  Switch B: Vlan-interface100 10.0.0.2/8
  Switch A and Switch B are connected through their Vlan-interface100 addresses.

Configuration procedure

1 Configure Switch A.

a Configure IP addresses for the interfaces.

<Switch A> system-view
[Switch A] interface vlan-interface 100
[Switch A-Vlan-interface100] ip address 10.0.0.1 255.0.0.0
[Switch A-Vlan-interface100] quit
[Switch A] interface vlan-interface 200
[Switch A-Vlan-interface200] ip address 12.0.0.1 255.0.0.0
[Switch A-Vlan-interface200] quit

b Configure three static routes.

[Switch A] ip route-static 20.0.0.1 255.0.0.0 12.0.0.2
[Switch A] ip route-static 30.0.0.1 255.0.0.0 12.0.0.2
[Switch A] ip route-static 40.0.0.1 255.0.0.0 12.0.0.2


c Enable RIP.

[Switch A] rip
[Switch A-rip-1] network 10.0.0.0
[Switch A-rip-1] quit

d Configure an ACL that denies 30.0.0.0/8 and permits everything else.

[Switch A] acl number 2000
[Switch A-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255
[Switch A-acl-basic-2000] rule permit source any
[Switch A-acl-basic-2000] quit

e Configure a routing policy named rip that references the ACL.

[Switch A] route-policy rip permit node 10
[Switch A-route-policy] if-match acl 2000
[Switch A-route-policy] quit

f Apply the routing policy when redistributing the static routes.

[Switch A] rip
[Switch A-rip-1] import-route static route-policy rip

2 Configure Switch B.

a Configure an IP address for the interface.

<Switch B> system-view
[Switch B] interface vlan-interface 100
[Switch B-Vlan-interface100] ip address 10.0.0.2 255.0.0.0
[Switch B-Vlan-interface100] quit

b Enable RIP.

[Switch B] rip
[Switch B-rip-1] network 10.0.0.0

c Display the RIP routing table on Switch B to verify the configuration.

<Switch B> display rip 1 route
 Route Flags: R - RIP, T - TRIP
              P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
 ----------------------------------------------------------------------
 Peer 10.0.0.1 on Vlan-interface100
      Destination/Mask        Nexthop     Cost    Tag   Flags   Sec
         40.0.0.0/8          10.0.0.1      1       0     RA     29
         20.0.0.0/8          10.0.0.1      1       0     RA     29

The route to 30.0.0.0/8 is absent because ACL 2000 denies it, so node 10 of the routing policy does not pass it and it is not redistributed into RIP.
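As an added example, not code from the guide, the following Python models the filtering semantics this chapter describes: a basic ACL with wildcard masks, an IP prefix list evaluated in index order with greater-equal and less-equal ranges, and a route-policy whose nodes are ORed while each node's if-match clauses are ANDed, including the permit and deny node behaviour. It reproduces Switch A's configuration above as data to show why 30.0.0.0/8 is missing from Switch B's table, and it also exercises the all-deny prefix list case. Treating a route that matches no ACL rule as denied is an assumption about the platform, not something the guide states.

```python
import ipaddress


class BasicAcl:
    """Basic ACL (acl number 2000-2999) as referenced by 'if-match acl' / 'filter-policy'.
    Rules are (action, address, wildcard); a set wildcard bit means 'do not care', and
    the route's destination network is matched against the rule's 'source'.
    A route matching no rule is treated as denied (assumption about the platform)."""

    def __init__(self, rules):
        self.rules = []
        for action, address, wildcard in rules:
            if address == "any":
                self.rules.append((action, 0, 0xFFFFFFFF))
            else:
                self.rules.append((action, int(ipaddress.ip_address(address)),
                                   int(ipaddress.ip_address(wildcard))))

    def match(self, prefix):
        addr = int(ipaddress.ip_network(prefix).network_address)
        for action, rule_addr, wildcard in self.rules:
            if (addr | wildcard) == (rule_addr | wildcard):
                return action == "permit"
        return False


class IpPrefixList:
    """ip ip-prefix NAME index N { permit | deny } NET LEN [greater-equal GE] [less-equal LE].
    Items are tried in ascending index order and the first hit decides; a route that
    hits nothing is denied, which is why an all-deny list passes no route at all."""

    def __init__(self):
        self.items = []

    def add(self, index, mode, network, greater_equal=None, less_equal=None):
        net = ipaddress.ip_network(network)
        low = net.prefixlen if greater_equal is None else greater_equal
        if less_equal is not None:
            high = less_equal
        else:
            high = 32 if greater_equal is not None else net.prefixlen
        self.items.append((index, mode, net, low, high))
        self.items.sort(key=lambda item: item[0])
        return self

    def match(self, prefix):
        route = ipaddress.ip_network(prefix)
        for _index, mode, net, low, high in self.items:
            if route.subnet_of(net) and low <= route.prefixlen <= high:
                return mode == "permit"
        return False


class RoutePolicy:
    """route-policy NAME { permit | deny } node N. Nodes are ORed in ascending order; the
    if-match clauses of one node are ANDed. The first node whose clauses all hold decides:
    permit runs the apply clauses and passes the route, deny drops it. No hit: dropped."""

    def __init__(self):
        self.nodes = []

    def node(self, number, mode, if_match=(), apply=()):
        self.nodes.append((number, mode, list(if_match), list(apply)))
        self.nodes.sort(key=lambda n: n[0])
        return self

    def evaluate(self, route):
        for _number, mode, conditions, actions in self.nodes:
            if all(cond(route) for cond in conditions):
                if mode == "deny":
                    return None
                out = dict(route)
                for action in actions:
                    action(out)
                return out
        return None


# if-match clauses (a route is a dict with prefix, cost, tag) and apply clauses
def if_match_acl(acl):
    return lambda route: acl.match(route["prefix"])


def if_match_ip_prefix(prefix_list):
    return lambda route: prefix_list.match(route["prefix"])


def if_match_tag(value):
    return lambda route: route["tag"] == value


def apply_cost(value, op=None):
    """apply cost [ + | - ] value: op None sets the cost, '+' adds, '-' subtracts."""
    def action(route):
        if op is None:
            route["cost"] = value
        else:
            route["cost"] = route["cost"] + value if op == "+" else route["cost"] - value
    return action


def apply_tag(value):
    def action(route):
        route["tag"] = value
    return action


def redistribute(routes, policy):
    """import-route ... route-policy NAME: the routes that pass, after their apply clauses."""
    return [out for out in (policy.evaluate(r) for r in routes) if out is not None]


if __name__ == "__main__":
    # Switch A's configuration from the example above, expressed as data.
    acl_2000 = BasicAcl([("deny", "30.0.0.0", "0.255.255.255"), ("permit", "any", None)])
    policy_rip = RoutePolicy().node(10, "permit", if_match=[if_match_acl(acl_2000)])
    statics = [{"prefix": p, "cost": 0, "tag": 0} for p in ("20.0.0.0/8", "30.0.0.0/8", "40.0.0.0/8")]
    print([r["prefix"] for r in redistribute(statics, policy_rip)])  # 20/8 and 40/8; 30/8 filtered
```

The deny path is the part worth checking in a real configuration: a deny node whose if-match clauses a route satisfies drops that route outright, it does not fall through to a later permit node, and a prefix list or policy with no permit entry silently drops everything.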


Troubleshooting Routing Policy Configuration

IPv4 Routing Information Filtering Failed

Symptom

Routing information filtering failed while the routing protocol runs normally.

Analysis

At least one item of the IP prefix list should be in permit mode, and at least one node of the route-policy should be in permit mode; otherwise no routing information can pass the filter.

Processing procedure

1 Use the display ip ip-prefix command to display IP prefix list.

2 Use the display route-policy command to display route policy information.


28 802.1X CONFIGURATION

The 802.1x protocol was proposed by the IEEE 802 LAN/WAN committee to address security problems on wireless LANs (WLANs). Today it is commonly used on Ethernet as a port-based access control mechanism.

When configuring 802.1x, use the following table to find the information you need:

802.1x Overview 802.1x is a port-based access control protocol. It authenticates and controls access at the level of the port. A device connected to an 802.1x-enabled port of an access device can reach the resources behind the port only after passing authentication. A user who fails authentication is denied access: the controlled port stays in the unauthorized state and only EAPOL frames are allowed through.

To get more information about 802.1x, go to these topics:

■ Architecture of 802.1x

■ Operation of 802.1x

■ EAP Encapsulation over LANs

■ EAP Encapsulation over RADIUS

■ Authentication Process of 802.1x

■ 802.1x Timers

■ Implementation of 802.1x

■ Features Working Together with 802.1x

Table 203 Information
  To get familiar with the basic concepts of 802.1x, its architecture, how it operates, and how it authenticates users, see 802.1x Overview.
  To learn how to configure 802.1x, see Configuring 802.1x.
  To consult the display commands available for verifying the 802.1x configuration, see Displaying and Maintaining 802.1x.
  To see how to configure 802.1x in typical scenarios, see 802.1x Configuration Example.


Architecture of 802.1x

802.1x operates in the typical client/server model and defines three entities: supplicant system, authenticator system, and authentication server system, as shown in Figure 80.

Figure 80 Architecture of 802.1x

■ Supplicant system: A system at one end of the LAN segment, which is authenticated by the system at the other end. A supplicant system is usually a user-end device and initiates 802.1x authentication through 802.1x client software supporting the EAP over LANs (EAPOL) protocol.

■ Authenticator system: A system at one end of the LAN segment, which authenticates the system at the other end. An authenticator system is usually an 802.1x-enabled network device and provides ports (physical or logical) for supplicants to access the LAN.

■ Authentication server system: The system providing authentication, authorization, and accounting services for the authenticator system.

The above systems involve three basic concepts: PAE, controlled port, control direction.

PAE

Port access entity (PAE) refers to the entity on a given port of a device that performs the 802.1x algorithm and protocol operations. The authenticator PAE uses the authentication server to authenticate the supplicant trying to access the LAN and controls the status of the controlled port (authorized or unauthorized) according to the authentication result. The supplicant PAE responds to the authentication request of the authenticator PAE and provides authentication information. The supplicant PAE can also send authentication requests and logoff requests to the authenticator.

Controlled port

An authenticator provides ports for supplicants to access the LAN. Each of the ports can be regarded as two virtual ports: a controlled port and an uncontrolled port.

■ The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always send or receive authentication frames.

■ The controlled port is open to allow normal traffic to pass only when it is in the authorized state.

■ The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them.

(Figure 80, not reproduced: the supplicant system with its supplicant PAE; the authenticator system with its authenticator PAE, a controlled port shown in the unauthorized state, an uncontrolled port, and the services it offers; and the authentication server system with the authentication server. Supplicant and authenticator are connected over the LAN/WLAN.)


Control direction

In the unauthorized state, the controlled port can be set to deny traffic both to and from the supplicant, or only traffic from the supplicant. Currently, the device supports only denying traffic from the supplicant.

Operation of 802.1x The 802.1x authentication system employs the extensible authentication protocol (EAP) to support authentication information exchange between the supplicant PAE, authenticator PAE, and authentication server.

Figure 81 Operation of 802.1x

■ Between the supplicant PAE and authenticator PAE, EAP protocol packets are encapsulated using EAPOL and transferred over LANs.

■ Between the authenticator PAE and authentication server, EAP protocol packets can be encapsulated using the EAP attributes of RADIUS and then relayed to the RADIUS server, or terminated at the authenticator PAE, repackaged in the PAP or CHAP attributes of RADIUS, and then transferred to the RADIUS server. The former is referred to as EAP relay mode, and the latter as EAP termination mode.

■ The authentication server is usually a RADIUS server. It maintains information about users, such as the account, password, VLAN to which the user belongs, CAR parameters, priority level, and ACL.

■ After a user passes the authentication, the authentication server passes information about the user to the authenticator, which controls the status of the controlled port according to the instruction of the authentication server.

EAP Encapsulation over LANs

EAPOL frame format

EAPOL, defined by 802.1x, is intended to carry EAP protocol packets between supplicants and authenticators over LANs. Figure 82 shows the EAPOL frame format.

Figure 82 EAPOL frame format

PAE Ethernet Type: Protocol type. It takes the value 0x888E.

Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.

Type: Type of the packet. The following types are defined:

■ EAP-Packet (a value of 0x00), frame for carrying authentication information.

■ EAPOL-Start (a value of 0x01), frame for initiating authentication.

■ EAPOL-Logoff (a value of 0x02), frame for logoff request.

■ EAPOL-Key (a value of 0x03), frame for carrying key information.

(Figure 81, not reproduced: the supplicant PAE and authenticator PAE exchange EAPOL; the authenticator PAE and the authentication server exchange RADIUS.)

(Figure 82 field layout, by byte offset: PAE Ethernet type 0-1, Protocol version 2, Type 3, Length 4-5, Packet body 6 to N.)


■ EAPOL-Encapsulated-ASF-Alert (a value of 0x04), frame for carrying alerting information conforming to Alert Standard Forum (ASF).

Length: Length of the data, that is, length of the Packet body field, in bytes. If the value of this field is 0, no subsequent data field is present.

Packet body: The format of this field varies with the value of the Type field.

Frames of type EAPOL-Start, EAPOL-Logoff, and EAPOL-Key are exchanged only between the supplicant and the authenticator. The EAP packet carried in an EAP-Packet frame is repackaged into RADIUS and carried across the network to the authentication server. An EAPOL-Encapsulated-ASF-Alert frame carries network management information (for example, warning messages) and is terminated at the authenticator.

EAP packet format

An EAPOL frame with a type of EAP-Packet carries an EAP packet in its Packet body field. The structure of the EAP packet is shown in Figure 83.

Figure 83 EAP packet format (field layout: Code, byte 0; Identifier, byte 1; Length, bytes 2-3; Data, bytes 4 to N)

Code: Type of the EAP packet, which can be Request, Response, Success, or Failure.

Identifier: Allows matching of responses with requests.

Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields.

Data: This field is zero or more bytes and its format is determined by the Code field.

An EAP packet of the type Success or Failure has no Data field and has a length of 4. An EAP packet of the type Request or Response is in the format shown in Figure 84.

Figure 84 Format of the EAP request/response packet (the Data field consists of a one-byte Type followed by Type data)

Type: EAP authentication type. A value of 1 represents Identity, indicating that the packet is for querying the identity of the supplicant. A value of 4 represents MD5-Challenge, which corresponds closely to the PPP CHAP protocol.
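A parser for the EAPOL frame and EAP packet layouts of Figures 82 to 84, added here as an example; it is not code from the 3Com guide. The three sample frames are constructed, and the MD5-Challenge type data (a value-size byte, the value, then a name) is assumed to follow the EAP-MD5 layout, which the guide does not spell out.

```python
"""Parse EAPOL frames (Figure 82) and the EAP packets they carry (Figures 83/84).

Added example, not code from the 3Com guide. Offsets follow the figures:
EAPOL = PAE Ethernet type 0x888E (2 bytes) | version (1) | type (1) | length (2) | body
EAP   = code (1) | identifier (1) | length (2) | data, where request/response data
        starts with a one-byte Type (1 = Identity, 4 = MD5-Challenge).
"""
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet; raise ValueError on anything malformed."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # Length covers Code, Identifier, Length and Data (Figure 83).
    if length < 4 or length > len(packet):
        raise ValueError(f"EAP length {length} inconsistent with {len(packet)} bytes")
    result = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    data = packet[4:length]
    if code in (3, 4):
        # Success and Failure carry no Data field and are exactly 4 bytes long.
        if length != 4:
            raise ValueError("EAP Success/Failure must have length 4")
        return result
    if not data:
        raise ValueError("EAP Request/Response without a Type byte")
    eap_type = data[0]
    result["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    type_data = data[1:]
    if eap_type == 1:
        result["identity"] = type_data.decode("utf-8", errors="replace")
    elif eap_type == 4:
        # Assumed EAP-MD5 layout: Value-Size (1) | Value | Name.
        if not type_data or type_data[0] > len(type_data) - 1:
            raise ValueError("MD5-Challenge value-size exceeds available data")
        size = type_data[0]
        result["value"] = type_data[1:1 + size]
        result["name"] = type_data[1 + size:]
    else:
        result["type_data"] = type_data
    return result


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL frame starting at the PAE Ethernet type field (Figure 82)."""
    if len(frame) < 6:
        raise ValueError("EAPOL frame shorter than its 6-byte header")
    ethertype, version, ptype, length = struct.unpack("!HBBH", frame[:6])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not an EAPOL frame: ethertype 0x{ethertype:04x}")
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {ptype}")
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError(f"EAPOL length {length} exceeds the frame payload")
    result = {"version": version, "type": EAPOL_TYPES[ptype], "length": length}
    if ptype == 0:
        # Only EAP-Packet frames carry an EAP packet in the Packet body.
        result["eap"] = parse_eap(body)
    elif length != 0:
        # Start/Logoff normally have length 0; keep any body rather than guess.
        result["body"] = body
    return result


def is_valid_eapol(frame: bytes) -> bool:
    """True when the frame parses cleanly; a drop point for malformed frames."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


# Constructed sample frames (not captures): EAPOL-Start, EAP-Request/Identity
# and an EAP-Response/MD5-Challenge carrying a 16-byte value and the name "user".
EAPOL_START = bytes.fromhex("888e01010000")
EAP_REQ_IDENTITY = bytes.fromhex("888e010000050101000501")
_md5_resp = bytes([2, 2, 0, 26, 4, 16]) + bytes(range(16)) + b"user"
EAP_RESP_MD5 = struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0, len(_md5_resp)) + _md5_resp

if __name__ == "__main__":
    for frame in (EAPOL_START, EAP_REQ_IDENTITY, EAP_RESP_MD5):
        print(parse_eapol(frame))
```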

EAP Encapsulation over RADIUS

Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator. For information about the RADIUS packet format, refer to the RADIUS overview section in the "AAA, RADIUS, and TACACS+ Configuration" chapter.

EAP-Message

The EAP-Message attribute is used to encapsulate EAP packets. Figure 85 shows its encapsulation format. The value of the Type field is 79. The String field can be up to 253 bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and encapsulated into multiple EAP-Message attributes.


Figure 85 Encapsulation format of the EAP-Message attribute (layout: Type, byte 0, value 79; Length, byte 1; String, bytes 2 onward, carrying the EAP packet)

Message-Authenticator

The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet will be considered invalid and get discarded. Figure 86 shows the encapsulation format of the Message-Authenticator attribute.
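Building a RADIUS Access-Request that carries an EAP packet in EAP-Message attributes (fragmented at 253 bytes) together with a Message-Authenticator, and the server-side check that discards a request whose Message-Authenticator is missing or wrong. Added example, not code from the 3Com guide; the shared secret, EAP payload and Request Authenticator are constructed, and the HMAC-MD5 construction of Message-Authenticator follows RFC 2869 rather than anything stated in this chapter.

```python
"""EAP-Message (type 79) and Message-Authenticator (type 80) in an Access-Request.

Added example, not code from the 3Com guide. Message-Authenticator is assumed to
be HMAC-MD5, keyed with the shared secret, over the whole RADIUS packet with the
attribute's own 16-byte value zeroed (RFC 2869); this is what a RADIUS server
verifies before it trusts the EAP-Message contents.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_STRING = 253  # Figure 85: the String field of one EAP-Message holds at most 253 bytes


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Fragment an EAP packet into as many EAP-Message attributes as needed."""
    out = b""
    for off in range(0, len(eap_packet), MAX_STRING):
        chunk = eap_packet[off:off + MAX_STRING]
        out += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return out


def build_access_request(identifier: int, request_auth: bytes, eap_packet: bytes,
                         secret: bytes, include_mac: bool = True) -> bytes:
    """Access-Request = code | id | length | 16-byte Request Authenticator | attributes."""
    attrs = eap_message_attrs(eap_packet)
    if include_mac:
        # Figure 86: Type=80, Length=18, 16-byte String, zero-filled for the HMAC.
        attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += request_auth + attrs
    if not include_mac:
        return packet  # an invalid request: EAP-Message without Message-Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed value is the last 16 bytes


def parse_attrs(packet: bytes):
    """Yield (type, value, offset_of_value) for every attribute after the header."""
    off = 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield atype, packet[off + 2:off + alen], off + 2
        off += alen


def check_eap_request(packet: bytes, secret: bytes):
    """Return the reassembled EAP packet, or None when the request must be discarded.

    Mirrors the rule in the text: a packet carrying EAP-Message without a valid
    Message-Authenticator is invalid.
    """
    fragments, mac_off = [], None
    for atype, value, voff in parse_attrs(packet):
        if atype == ATTR_EAP_MESSAGE:
            fragments.append(value)
        elif atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_off = voff
    if not fragments or mac_off is None:
        return None
    zeroed = packet[:mac_off] + bytes(16) + packet[mac_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_off:mac_off + 16]):
        return None  # wrong shared secret or modified in transit
    return b"".join(fragments)


# Constructed sample: a 300-byte EAP-Response/Identity, which needs two fragments.
SECRET = b"name"                # constructed; echoes the authentication key used later
REQUEST_AUTH = bytes(range(16))  # constructed; a real client uses a random value
EAP_RESPONSE = bytes([2, 7, 0x01, 0x2C, 1]) + b"x" * 295  # code 2, id 7, length 300

if __name__ == "__main__":
    pkt = build_access_request(5, REQUEST_AUTH, EAP_RESPONSE, SECRET)
    print(len(pkt), check_eap_request(pkt, SECRET) == EAP_RESPONSE)
```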

Figure 86 Encapsulation format of the Message-Authenticator attribute (layout: Type, byte 0, value 80; Length, byte 1, value 18; String, bytes 2 to 17, a 16-byte value)

Authentication Process of 802.1x

802.1x authentication can be initiated by either a user or the authenticator system. A user initiates authentication by launching the 802.1x client software, which sends an EAPOL-Start frame to the authenticator system; the authenticator system sends an EAP-Request/Identity frame to an unauthenticated user when it detects that the user is trying to log in. An 802.1x authenticator system communicates with a remotely located RADIUS server in one of two modes: EAP relay and EAP termination. The following description takes the first mode as an example to show the 802.1x authentication process.

EAP relay

EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in a higher-layer protocol, such as RADIUS, so that they can go through complex networks and reach the authentication server. Generally, EAP relay requires that the RADIUS server support the EAP attributes EAP-Message and Message-Authenticator. See Figure 87 for the message exchange procedure.


Figure 87 Message exchange in EAP relay mode (sequence shown between Supplicant PAE, Authenticator PAE and RADIUS server, EAPOL on the supplicant side and EAP over RADIUS on the server side: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity, relayed as RADIUS Access-Request(EAP-Response/Identity); RADIUS Access-Challenge(EAP-Request/MD5 Challenge), relayed as EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge, relayed as RADIUS Access-Request(EAP-Response/MD5 Challenge); RADIUS Access-Accept(EAP-Success), relayed as EAP-Success; port authorized; when the handshake timer expires, handshake request [EAP-Request/Identity] and handshake response [EAP-Response/Identity]; EAPOL-Logoff; port unauthorized)

3 When a user launches the 802.1x client software and enters the registered username and password, the 802.1x client software generates an EAPOL-Start frame and sends it to the authenticator to initiate an authentication process.

4 Upon receiving the EAPOL-Start frame, the authenticator responds with an EAP-Request/Identity packet for the identity of the supplicant.

5 When the supplicant receives the EAP-Request/Identity packet, it encapsulates the identity information in an EAP-Response/Identity packet and sends the packet to the authenticator.

6 Upon receiving the EAP-Response/Identity packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.

7 When receiving the RADIUS Access-Request packet, the authentication server compares the identity information against its user information table to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the authenticator.

8 After receiving the RADIUS Access-Challenge packet, the authenticator relays the contained EAP-Request/MD5 Challenge packet to the supplicant.

9 When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the authenticator.


10 After receiving the EAP-Response/MD5 Challenge packet, the authenticator relays the packet in a RADIUS Access-Request packet to the authentication server.

11 When receiving the RADIUS Access-Request packet, the authentication server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the supplicant a RADIUS Access-Accept packet, instructing the authenticator to open the port to permit the access request of the supplicant.

12 After the supplicant gets online, the authenticator periodically sends EAP-Request/Identity packets to the supplicant to check whether the supplicant is still online. By default, if two consecutive handshake attempts end up with failure, the authenticator concludes that the supplicant has gone offline and performs the necessary operations, guaranteeing that the authenticator always knows when a supplicant goes offline.

13 The supplicant can also send an EAPOL-Logoff frame to the authenticator to terminate the authenticated status. In this case, the authenticator changes the status of the port from authorized to unauthorized.

EAP termination

In EAP termination mode, EAP packets are terminated at the authenticator and then repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS server for authentication, authorization, and accounting. See Figure 88 for the message exchange procedure.


Figure 88 Message exchange in EAP termination mode (sequence shown between Supplicant PAE, Authenticator PAE and RADIUS server, EAPOL on the supplicant side and RADIUS on the server side: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge, sent on as RADIUS Access-Request(CHAP-Response/MD5 Challenge); RADIUS Access-Accept(CHAP-Success), sent on as EAP-Success; port authorized; when the handshake timer expires, handshake request [EAP-Request/Identity] and handshake response [EAP-Response/Identity]; EAPOL-Logoff; port unauthorized)

Unlike the authentication process in EAP relay mode, in EAP termination mode it is the authenticator that generates the random challenge used to encrypt the user password information. The authenticator then sends the challenge together with the username and the encrypted password information from the supplicant to the authentication server for authentication.
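The password check of steps 7, 9 and 11 above, modelled in both modes so the difference is visible: in EAP relay the RADIUS server generates the challenge and verifies the MD5-Challenge response itself, in EAP termination the authenticator generates the challenge and hands username, challenge and response to the server as CHAP attributes. Added example, not code from the 3Com guide; the response computation MD5(identifier || password || challenge) is the EAP-MD5/CHAP definition, which the chapter describes only as a one-way encryption, and the user table, names and challenge values are constructed.

```python
"""Who generates the challenge: EAP relay versus EAP termination.

Added example, not code from the 3Com guide. The MD5-Challenge response is
assumed to be MD5(identifier || password || challenge), as in PPP CHAP; the
side that holds the password recomputes it and compares (step 11).
"""
import hashlib
import hmac
import os

# Constructed user information table of the authentication server.
USER_TABLE = {"localuser": b"localpass"}


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Step 9: the supplicant's one-way transform of the password with the challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Step 11: recompute from the stored password and compare in constant time."""
    password = USER_TABLE.get(username)
    if password is None:
        return False
    expected = md5_challenge_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def eap_relay_exchange(username: str, password: bytes, identifier: int = 1,
                       challenge: bytes = None) -> bool:
    """EAP relay: the RADIUS server generates the challenge (step 7) and the
    authenticator only relays EAP packets inside RADIUS (steps 8 and 10)."""
    challenge = challenge or os.urandom(16)                           # server side
    response = md5_challenge_response(identifier, password, challenge)  # supplicant
    return server_verify(username, identifier, challenge, response)   # server side


def eap_termination_exchange(username: str, password: bytes, identifier: int = 1,
                             challenge: bytes = None) -> dict:
    """EAP termination: the authenticator generates the challenge, terminates EAP
    and sends username, challenge and response to the server as CHAP attributes."""
    challenge = challenge or os.urandom(16)                           # authenticator
    response = md5_challenge_response(identifier, password, challenge)  # supplicant
    chap_attrs = {                                   # RADIUS attributes sent onward
        "User-Name": username,
        "CHAP-Password": bytes([identifier]) + response,  # CHAP ident + 16-byte response
        "CHAP-Challenge": challenge,
    }
    ident = chap_attrs["CHAP-Password"][0]
    accepted = server_verify(chap_attrs["User-Name"], ident,
                             chap_attrs["CHAP-Challenge"], chap_attrs["CHAP-Password"][1:])
    return {"accepted": accepted, "attributes": chap_attrs}


def replay_rejected(username: str, password: bytes, identifier: int = 1) -> bool:
    """Why the challenge is random per exchange: a response computed for one
    challenge does not verify against a fresh one, so a recorded response is useless."""
    old_response = md5_challenge_response(identifier, password, bytes(16))
    return not server_verify(username, identifier, os.urandom(16), old_response)


if __name__ == "__main__":
    print("relay:", eap_relay_exchange("localuser", b"localpass"))
    print("termination:", eap_termination_exchange("localuser", b"localpass")["accepted"])
```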

802.1x Timers

Several timers are used in the 802.1x authentication process to guarantee that the accessing users, the authenticators, and the RADIUS server interact with each other in a reasonable manner. The following are the major 802.1x timers:

■ Identity request timeout timer (tx-period): Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.

■ Password request timeout timer (supp-timeout): Once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.

■ Authentication server timeout timer (server-timeout): Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request.

■ Handshake timer (handshake-period): After a supplicant passes authentication, the authenticator sends handshake requests to the supplicant at this interval to check whether the supplicant is online. If the authenticator receives no response after sending the allowed maximum number of handshake requests, it considers that the supplicant is offline.

■ Quiet timer (quiet-period): When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in this period of time.

Implementation of 802.1x

Devices extend and optimize the mechanism that the 802.1x protocol specifies by:

■ Allowing multiple users to access network services through the same physical port.

■ Supporting two authentication methods: portbased and macbased. With the portbased method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time. With the macbased method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.

These extensions can help improve network security and manageability dramatically.

Features Working Together with 802.1x

VLAN Assignment (Auto VLAN)

After an 802.1x supplicant passes authentication, the authentication server sends authorization information to the authenticator. If the authorization information contains VLAN authorization information, the authenticator adds the port connecting the supplicant to the assigned VLAN. This neither changes nor affects the configurations of the port. The only result is that the assigned VLAN takes precedence over the manually configured one, that is, the assigned VLAN takes effect.

For information on how to configure CAMS or Windows 2000 Server for VLAN assignment, refer to the configuration guides for CAMS or Windows 2000 server.

Auto VLAN requires three attributes to be returned by the RADIUS server to dynamically assign VLAN(s) to a port as the user logs in.

Table 204 Auto VLAN

Auto VLAN return string: Tunnel-Medium-type 802

Auto VLAN return string: Tunnel-Private-Group-ID 2 (Comment: VLAN value)

Auto VLAN return string: Tunnel-Type VLAN

For the Switch 4500G, currently the VLAN assignment function is available only for the ports whose link type is ACCESS.

GuestVlan

If you fail authentication for reasons such as having no proprietary authentication client or an outdated client version, your port is added to GuestVlan. GuestVlan is a default VLAN that you can access without authentication. You can access the resources in the VLAN, such as client download and upgrade. After installing or upgrading the authentication client with these resources, you can carry out the authentication procedure so as to access network resources.

After 802.1x is enabled and GuestVlan is configured correctly, the switch sends the authentication-triggering packet (EAP-Request/Identity) through a port. The port is added to GuestVlan when the switch has sent the authentication-triggering packet the maximum number of times without receiving any response.

At this point, you initiate an authentication. If you fail the authentication, the port stays in GuestVlan. If you pass the authentication, there are two cases:

■ The authentication server delivers a VLAN. In this case, the port leaves GuestVlan and joins the delivered VLAN. After you go offline, the port returns to the configured VLAN (the one the port was in before it joined GuestVlan, that is, the original VLAN).

■ The authentication server does not deliver a VLAN. In this case, the port leaves GuestVlan and joins the configured VLAN. After you go offline, the port stays in the configured VLAN.

Configuring 802.1x

Except for enabling 802.1x globally and on ports, all other 802.1x configurations are optional. You can perform them as required. For specific parameters and their meanings, see the 802.1x-HABP-MAC Authentication Command Manual.

Configuration Prerequisites

802.1x provides a user identity authentication scheme. However, 802.1x cannot implement the authentication scheme solely by itself. RADIUS or local authentication must be configured to work with 802.1x:

■ For remote RADIUS authentication, the username and password information must be configured on the RADIUS server and the relevant configurations must be performed on the authenticator.

■ For local authentication, the username and password information must be configured on the authenticator and the service type must be set to lan-access.

For details about these configuration tasks, refer to “AAA, RADIUS, and TACACS+ Configuration”.

Configuration Procedure

Follow these steps to configure 802.1x:

Table 205 Configuration Procedure

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable 802.1x globally
Use the command: dot1x
Remarks: Required. Disabled by default.

To do: Enable 802.1x for specified ports
Use the command: dot1x interface interface-list
Remarks: Required. Disabled by default. In Ethernet interface view, use: interface interface-type interface-number; dot1x; quit.

To do: Set the port access control mode for specified or all ports
Use the command: dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]
Remarks: Optional. auto by default.

To do: Set the port access control method for specified or all ports
Use the command: dot1x port-method { macbased | portbased } [ interface interface-list ]
Remarks: Optional. macbased by default.

To do: Set the maximum number of accessing users for specified or all ports
Use the command: dot1x max-user user-number [ interface interface-list ]
Remarks: Optional. 256 per port by default.

To do: Set the 802.1x authentication method
Use the command: dot1x authentication-method { chap | pap | eap }
Remarks: Optional. CHAP by default.

To do: Set the maximum number of attempts for sending authentication requests to the supplicant
Use the command: dot1x retry max-retry-value
Remarks: Optional. 2 by default.

To do: Set timers
Use the command: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
Remarks: Optional. The defaults are 15 seconds for the handshake timer, 60 seconds for the quiet timer, 30 seconds for the identity request timeout timer, 30 seconds for the password request timeout timer, and 100 seconds for the authentication server timeout timer.

To do: Enable the quiet timer
Use the command: dot1x quiet-period
Remarks: Optional. Disabled by default.

To do: Enter Ethernet interface view
Use the command: interface interface-type interface-number
Remarks: —

To do: Enable online user handshake
Use the command: dot1x handshake
Remarks: Optional. Enabled by default.

CAUTION:

■ 802.1x must be enabled both globally in system view and specifically for the intended ports in system view or Ethernet interface view. Otherwise, it does not function.

■ Some 802.1x timers are configurable. This makes sense in some special or extreme network environments. Normally, leave the defaults unchanged.

■ With 802.1x enabled on a port, you cannot configure the maximum number of MAC addresses that the port can learn (by using the mac-address max-mac-count command), and vice versa.

■ 802.1x-related configurations can all be performed in system view. Enabling 802.1x, the port access control mode, the port access method, and the maximum number of accessing users can also be configured in port view.

■ If you perform a configuration in system view and do not specify the interface-list argument, the configuration applies to all ports. Configurations performed in Ethernet port view apply to the current Ethernet port only, and the interface-list argument is not needed in this case.

■ If EAP authentication is used for 802.1x users, the contents you enter on the client are sent directly to the server after encapsulation. In this case, the configuration made with the user-name-format command has no effect.

■ If the client is configured to include the version number, or you enter a username containing a blank character, you cannot search for or release user connections by username. However, you can search for or release user connections in other ways, such as by IP address or connection index.

■ If 802.1x is enabled on a port, the port cannot be added to an aggregation group. If a port has been added to an aggregation group, you cannot enable 802.1x on the port.

■ 802.1x cannot block cluster handshake packets.

■ Currently, the 10GE ports of the Switch 4500G do not support 802.1x.

Configuring GuestVlan

Configuration Prerequisites

■ Enable 802.1x.

■ Configure the way of access control on the port as portbased.

■ Configure the mode of access control on the port as auto.

■ Configure the link type of the port as access.

■ A VLAN is already created, which will be configured as GuestVlan.

Configuring GuestVlan

Follow these steps to configure GuestVlan:

Figure 89 Configuring GuestVlan

Operation: Enter system view
Command: system-view
Remarks: —

Operation: Configure GuestVlan of the specified port
Command: dot1x guest-vlan vlan-id [ interface interface-list ]
Remarks: Required. By default, GuestVlan is not configured on the port.

Displaying and Maintaining 802.1x

Table 206 Displaying and Maintaining 802.1x

To do: Display 802.1x session information, statistics, or configuration information of specified or all ports
Use the command: display dot1x [ sessions | statistics ] [ interface interface-list ]
Remarks: Available in any view

To do: Clear 802.1x statistics
Use the command: reset dot1x statistics [ interface interface-list ]
Remarks: Available in user view


802.1x Configuration Example

Network requirements

■ As shown in Figure 90, a host is connected to port GigabitEthernet1/0/1 on the switch.

■ The access control method of macbased is required on the port to control accessing users.

■ All AAA accessing users belong to default domain aabbcc.net, which can accommodate up to 30 users. For authentication, RADIUS authentication is performed at first, and then local authentication when no response from the RADIUS server is received. For accounting, get a user offline if the RADIUS accounting fails. Whenever a user remains idle for over 20 minutes, tear down the connection.

■ A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.11.1.1 and 10.11.1.2 respectively. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server.

■ Set the shared key for the device to exchange packets with the authentication server as name, and that for the device to exchange packets with the accounting server as money.

■ Specify the device to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real time accounting packets to the accounting server every 15 minutes.

■ Specify the device to remove the domain name from the username before passing the username to the RADIUS server.

■ Set the username of the 802.1x user as localuser and the password as localpass and specify to use clear text mode. Enable the idle cut function.

Network diagram

Figure 90 Network diagram for 802.1x configuration (the Supplicant connects to the Switch, the Authenticator, on GigabitEthernet1/0/1; the Switch connects to the Authentication Servers, a RADIUS server cluster with IP addresses 10.11.1.1 and 10.11.1.2, and to the Internet)


Configuration procedure

The following configuration procedure covers most AAA/RADIUS configuration commands for the authenticator; the configurations on the supplicant and the RADIUS server are omitted.

For information about AAA/RADIUS configuration commands, refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter.

1 Enable 802.1x globally.

<3Com> system-view
[3Com] dot1x

2 Enable 802.1x for port GigabitEthernet1/0/1.

[3Com] dot1x interface GigabitEthernet 1/0/1

3 Set the port access control method. (Optional. The default answers the requirement.)

[3Com] dot1x port-method macbased interface GigabitEthernet 1/0/1

4 Create RADIUS scheme radius1 and enter its view.

[3Com] radius scheme radius1

5 Configure the IP addresses of the primary authentication and accounting RADIUS servers.

[3Com-radius-radius1] primary authentication 10.11.1.1
[3Com-radius-radius1] primary accounting 10.11.1.2

6 Configure the IP addresses of the secondary authentication and accounting RADIUS servers.

[3Com-radius-radius1] secondary authentication 10.11.1.2
[3Com-radius-radius1] secondary accounting 10.11.1.1

7 Specify the shared key for the device to exchange packets with the authentication server.

[3Com-radius-radius1] key authentication name

8 Specify the shared key for the device to exchange packets with the accounting server.

[3Com-radius-radius1] key accounting money

9 Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts.

[3Com-radius-radius1] timer response-timeout 5
[3Com-radius-radius1] retry 5

10 Set the interval for the device to send real time accounting packets to the RADIUS server.

[3Com-radius-radius1] timer realtime-accounting 15

11 Specify the device to remove the domain name of any username before passing the username to the RADIUS server.

[3Com-radius-radius1] user-name-format without-domain
[3Com-radius-radius1] quit

12 Create default user domain aabbcc.net and enter its view.

[3Com] domain aabbcc.net
[3Com-isp-aabbcc.net] quit
[3Com] domain default enable aabbcc.net
[3Com] domain aabbcc.net


13 Set radius1 as the RADIUS scheme for users of the domain and specify to use local authentication as the secondary scheme.

[3Com-isp-aabbcc.net] authentication default radius-scheme radius1 local
[3Com-isp-aabbcc.net] authorization default radius-scheme radius1 local
[3Com-isp-aabbcc.net] accounting default radius-scheme radius1 local

14 Set the maximum number of users for the domain as 30.

[3Com-isp-aabbcc.net] access-limit enable 30

15 Enable the idle cut function and set the idle interval.

[3Com-isp-aabbcc.net] idle-cut enable 20
[3Com-isp-aabbcc.net] quit

16 Add local access user localuser, enable the idle cut function, and set the idle interval.

[3Com] local-user localuser
[3Com-luser-localuser] service-type lan-access
[3Com-luser-localuser] password simple localpass
[3Com-luser-localuser] attribute idle-cut 20

Typical GuestVlan Configuration Example

Network requirement

As shown in Figure 91, a PC connects to the network through 802.1x authentication. The authentication server is a RADIUS server. GigabitEthernet1/0/3 of the access switch, to which the Supplicant connects, belongs to VLAN 1; the Authentication Server belongs to VLAN 2; the Update Server belongs to VLAN 10, which is used for client download and upgrade; GigabitEthernet1/0/8, through which the switch accesses the Internet, belongs to VLAN 5.

Figure 91 Typical network diagram (Supplicant on GigabitEthernet1/0/3 in VLAN 1; Authentication Server in VLAN 2; Update Server on GigabitEthernet1/0/5 in VLAN 10; Internet via GigabitEthernet1/0/8 in VLAN 5)


As shown in Figure 92, enable 802.1x and GuestVlan 10 on GigabitEthernet1/0/3. When the switch has transmitted the authentication-triggering packet (EAP-Request/Identity) through the port the maximum number of times without receiving any response, GigabitEthernet1/0/3 is added to GuestVlan 10. The Supplicant and the Update Server then both belong to VLAN 10, so the Supplicant can access the Update Server and download the 802.1x client.

Figure 92 Enable GuestVlan (as Figure 91, with GigabitEthernet1/0/3 placed in Guest VLAN 10 alongside the Update Server on GigabitEthernet1/0/5)


As shown in Figure 93, the Authentication Server delivers VLAN 5 after you pass authentication. The Supplicant and GigabitEthernet1/0/8 then both belong to VLAN 5, so the Supplicant can access the Internet.

Figure 93 User online and VLAN delivery (as Figure 91, with VLAN 5 delivered by the Authentication Server so that GigabitEthernet1/0/3 joins VLAN 5 alongside GigabitEthernet1/0/8)

Configuration procedure

1 Enable 802.1x globally.

<3Com> system-view
[3Com] dot1x

2 Enable 802.1x on the specified port.

[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] dot1x

3 Configure the way of access control on the port as portbased.

[3Com-GigabitEthernet1/0/3] dot1x port-method portbased

4 Configure the mode of access control on the port as auto.

[3Com-GigabitEthernet1/0/3] dot1x port-control auto

5 Configure the link type of the port as access.

[3Com-GigabitEthernet1/0/3] port link-type access
[3Com-GigabitEthernet1/0/3] quit

6 Create VLAN 10.

[3Com] vlan 10
[3Com-vlan10] quit

7 Configure GuestVlan of the specified port.

[3Com] dot1x guest-vlan 10 interface GigabitEthernet1/0/3


8 Configure a RADIUS scheme.

[3Com] radius scheme 2000
[3Com-radius-2000] primary authentication 10.11.1.1 1812
[3Com-radius-2000] primary accounting 10.11.1.1 1813
[3Com-radius-2000] key authentication nec
[3Com-radius-2000] key accounting nec
[3Com-radius-2000] user-name-format without-domain
[3Com-radius-2000] quit

9 Configure a domain that uses the RADIUS scheme just configured.

[3Com] domain system
[3Com-isp-system] authentication default radius-scheme 2000
[3Com-isp-system] authorization default radius-scheme 2000
[3Com-isp-system] accounting default radius-scheme 2000

Use the display current-configuration or display interface GigabitEthernet1/0/3 command to display the GuestVlan configuration. In cases such as going offline or failing authentication, once the switch has transmitted the authentication-triggering packet (EAP-Request/Identity) the maximum number of times you set, you can use the display vlan 10 command to check whether the GuestVlan configured on the specified port has taken effect.

29 HABP CONFIGURATION

Introduction to HABP

With 802.1x (or MAC authentication) enabled, a switch authenticates 802.1x-enabled (or MAC authentication-enabled) ports. Packets can be forwarded only by authorized ports. If ports connected to the switch are not authenticated, their received packets will be filtered.

This means that users can no longer manage the attached switches. To address this problem, the authentication bypass protocol (HABP) was developed.

An HABP packet carries the MAC addresses of the attached switches with it. It can bypass the 802.1x authentications or MAC authentications when traveling between HABP-enabled switches, through which management devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible.

HABP is implemented by HABP server and HABP client. Normally, an HABP server sends HABP request packets regularly to HABP clients to collect the MAC addresses of the attached switches. HABP clients respond to the HABP request packets and forward the HABP request packets to lower-level switches. HABP servers usually reside on management devices and HABP clients usually on attached switches.

For ease of switch management, enable HABP for 802.1x-enabled (or MAC authentication-enabled) switches.

HABP Server Configuration

With the HABP server launched, a management device sends HABP request packets regularly to the attached switches to collect their MAC addresses. You also need to configure, on the management device, the interval at which the HABP server sends HABP request packets.

Table 207 Configure an HABP server

Operation: Enter system view
Command: system-view
Description: —

Operation: Enable HABP
Command: habp enable
Description: Optional. HABP is enabled by default.

Operation: Configure the current switch to be an HABP server
Command: habp server vlan vlan-id
Description: Required. By default, a switch operates as an HABP client after you enable HABP on the switch.

Operation: Configure the interval to send HABP request packets
Command: habp timer interval-time
Description: Optional. The default interval for an HABP server to send HABP request packets is 20 seconds.


HABP Client Configuration

HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default. So you only need to enable HABP on a switch to make it an HABP client.

Displaying HABP After performing the above configuration, you can display and verify your HABP-related configuration by execute the display command in any view.

Table 208 Configure an HABP client

Operation | Command | Description
Enter system view | system-view | —
Enable HABP | habp enable | Optional. HABP is enabled by default, and a switch operates as an HABP client after you enable HABP for it.
Set the current switch to be an HABP client | undo habp server | Optional. By default, a switch operates as an HABP client.

Table 209 Display HABP

Operation | Command | Description
Display HABP configuration and status information | display habp | You can execute the display command in any view
Display the MAC address table maintained by HABP | display habp table | You can execute the display command in any view
Display statistics on HABP traffic | display habp traffic | You can execute the display command in any view


30 MAC AUTHENTICATION CONFIGURATION

MAC authentication is a method for authenticating users based on port and MAC address.

When configuring MAC authentication, use the following table to find the information you need:

MAC Authentication Overview

MAC authentication controls user network access based on port and MAC address. It does not require users to have any supplicant system software installed. The MAC address of the host is used as the user name and password for authentication. Once a switch detects a new MAC address, it initiates the authentication process.

Ethernet switches support remote RADIUS authentication and local authentication:

■ With RADIUS authentication, the switch serves as a RADIUS client. It forwards a detected user MAC address to the RADIUS server as the user name and password for authentication and, if the user passes authentication, permits the user to access the network.

■ With local authentication, MAC addresses of users must be manually configured on the switch to be used as user names and passwords for authentication.

Configuring MAC Authentication

Configuration Prerequisites

■ Create and configure the ISP domain.

■ For local authentication, create a local user and configure the password.

■ For RADIUS authentication, ensure that the switch and the RADIUS server can reach each other.

Table 210 Information

If you need to… | Go to…
Get an overall idea of MAC authentication | MAC Authentication Overview
Know the normal procedure to configure MAC authentication | Configuring MAC Authentication
Learn how to display and maintain MAC authentication | Displaying and Maintaining MAC Authentication
See an example of how to configure MAC authentication | MAC Authentication Configuration Example


CAUTION: For local authentication:

■ The MAC address to be used as the user name and password of a local user must be in the format of HHH.

■ The service type of the local user must be configured as lan-access.

Configuration Procedure

Follow these steps to configure MAC authentication:

CAUTION:

■ You can enable MAC authentication for specified ports or set MAC authentication parameters before enabling MAC authentication globally. However, your configuration takes effect only after you enable MAC authentication globally.

■ MAC authentication cannot coexist with 802.1x authentication on the same port.

■ If MAC authentication is enabled on a port, you cannot configure the maximum number of MAC addresses to be learned on that port (the mac-address max-mac-count command). Conversely, if the maximum number of MAC addresses to be learned is already configured on a port, you cannot enable MAC authentication on the port.

Table 211 Configuring MAC Authentication

To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable MAC authentication globally | mac-authentication | Required. Disabled by default.
Enable MAC authentication for specified ports | mac-authentication interface interface-list | Required. Disabled by default.
Specify the ISP domain for MAC authentication | mac-authentication domain isp-name | Optional. The default ISP domain is used by default.
Set the offline-detect timer | mac-authentication timer offline-detect offline-detect-value | Optional. 300 seconds by default.
Set the quiet timer | mac-authentication timer quiet quiet-value | Optional. 1 minute by default.
Set the server timeout timer | mac-authentication timer server-timeout server-timeout-value | Optional. 100 seconds by default.

Displaying and Maintaining MAC Authentication

Table 212 Displaying and Maintaining MAC Authentication

To do… | Use the command… | Remarks
Display the global MAC authentication information or the MAC authentication information about specified interfaces | display mac-authentication [ interface interface-list ] | Available in any view


MAC Authentication Configuration Example

■ For local authentication, you configure the MAC address of a host as the user name and password on the switch.

■ For RADIUS authentication, you configure the MAC address of a host as the user name and password on the RADIUS server.

Network requirements

As shown in Figure 94, a user is connected to the switch through port GigabitEthernet 1/0/1.

■ MAC authentication is required on every port to control user access to the Internet.

■ All users belong to domain aabbcc.net.

■ Set the offline-detect timer to 180 seconds and the quiet timer to 3 minutes.

■ Configure the switch to perform local authentication.

Network diagram

Figure 94 Network diagram for MAC authentication

Configuration procedure

1 Add a local user.

<3Com> system-view
[3Com] local-user 00e0fc010101
[3Com-luser-00e0fc010101] password simple 00e0fc010101
[3Com-luser-00e0fc010101] service-type lan-access
[3Com-luser-00e0fc010101] quit

2 Configure ISP domain aabbcc.net, and specify to perform local authentication.

[3Com] domain aabbcc.net
[3Com-isp-aabbcc.net] authentication lan-access local
[3Com-isp-aabbcc.net] quit

3 Enable MAC authentication globally.

[3Com] mac-authentication

4 Enable MAC authentication on port GigabitEthernet 1/0/1.

[3Com] mac-authentication interface GigabitEthernet 1/0/1

5 Specify the ISP domain for centralized MAC authentication.

[3Com] mac-authentication domain aabbcc.net

[Figure 94 layout: a PC is connected to GigabitEthernet 1/0/1 of the Switch (the Authenticator), which connects to the Internet.]


6 Set the MAC authentication timers.

[3Com] mac-authentication timer offline-detect 180
[3Com] mac-authentication timer quiet 3


31 AAA, RADIUS, AND TACACS+ CONFIGURATION

Overview

Introduction to AAA

AAA is short for the three security functions: authentication, authorization and accounting. It provides a uniform framework for configuring these three functions to implement network security management.

The network security mentioned here mainly refers to access control. It mainly controls:

■ Which users can access the network,

■ Which services the users can have access to,

■ How to charge the users who are using network resources.

Accordingly, AAA provides the following services:

Authentication

AAA supports the following authentication methods:

■ None authentication: Users are trusted and are not authenticated. Generally, this method is not recommended.

■ Local authentication: User information (including user name, password, and attributes) is configured on this device. Local authentication is fast and requires lower operational cost. But the information storage capacity is limited by device hardware.

■ Remote authentication: Users are authenticated remotely through the RADIUS protocol or TACACS+ protocol. This device (for example, a 3Com series switch) acts as the client to communicate with the RADIUS server or TACACS server. For RADIUS protocol, both standard and extended RADIUS protocols can be used.

Authorization

AAA supports the following authorization methods:

■ Direct authorization: Users are trusted and directly authorized. Users then have the default rights.

■ Local authorization: Users are authorized according to the related attributes configured for their local accounts on the device.

■ RADIUS authorization: Users are authorized after they pass the RADIUS authentication. The authentication and authorization of RADIUS protocol are bound together, and you cannot perform RADIUS authorization alone without RADIUS authentication.

■ TACACS+ authorization: Users are authorized by TACACS server.


Accounting

AAA supports the following accounting methods:

■ None accounting: No accounting is performed for users.

■ Remote accounting: User accounting is performed on the remote RADIUS server or TACACS server.

■ Local accounting: This function counts the users who have accessed the device, for the purpose of limiting access by local users.

Generally, AAA adopts the client/server structure, where the client acts as the managed resource and the server stores user information. This structure has good scalability and facilitates the centralized management of user information. AAA can be based on multiple protocols, and currently RADIUS or TACACS+ is used.

Introduction to ISP Domain

An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a user name in the format of userid@isp-name, the isp-name following the @ character is the ISP domain name. The access device uses userid as the user name for authentication, and isp-name as the domain name.

In a multi-ISP environment, the users connected to the same access device may belong to different domains. Since the users of different ISPs may have different attributes (such as different compositions of user name and password, different service types/rights), it is necessary to distinguish the users by setting ISP domains.

You can configure a set of ISP domain attributes (including AAA policy, RADIUS scheme, and so on) for each ISP domain independently in ISP domain view.

Introduction to RADIUS

AAA is a management framework. It can be implemented with more than one protocol, but in practice the most commonly used protocol for AAA is RADIUS.

What is RADIUS

RADIUS (remote authentication dial-in user service) is a distributed information exchange protocol in client/server structure. It can prevent unauthorized access to the network and is commonly used in network environments where both high security and remote user access service are required.

The RADIUS service involves three components:

■ Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the frame format and message transfer mechanism of RADIUS, and define 1812 as the authentication port and 1813 as the accounting port.

■ Server: The RADIUS server runs on a computer or workstation at the center. It stores and maintains the information on user authentication and network service access.

■ Client: The RADIUS clients run on the dial-in access server device. They can be deployed anywhere in the network.

RADIUS is based on the client/server model. Acting as a RADIUS client, the switch passes user information to a designated RADIUS server and acts (for example, connecting or disconnecting users) according to the responses returned from the server. The RADIUS server receives the user's connection requests, authenticates users, and returns all required information to the switch.


Generally, the RADIUS server maintains the following three databases (as shown in Figure 95):

■ Users: This database stores information about users (such as user name, password, adopted protocol and IP address).

■ Clients: This database stores the information about RADIUS clients (such as shared keys).

■ Dictionary: This database stores the information used to interpret the attributes and attribute values of the RADIUS protocol.

Figure 95 Databases in RADIUS server

In addition, the RADIUS server can act as the client of some other AAA server to provide the authentication or accounting proxy service.

Basic message exchange procedure of RADIUS

The messages exchanged between a RADIUS client (a switch, for example) and the RADIUS server are verified by using a shared key, which enhances security. The RADIUS protocol combines the authentication and authorization processes by sending authorization information in the authentication response message. Figure 96 depicts the message exchange procedure between user, switch and RADIUS server.


Figure 96 Basic message exchange procedure of RADIUS

The basic message exchange procedure of RADIUS is as follows:

1 The user enters the user name and password.

2 The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server.

3 The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADIUS server sends back an authentication response (Access-Accept), which contains the information of user’s rights, to the RADIUS client. If the authentication fails, it returns an Access-Reject response.

4 The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type field set to “start”) to the RADIUS server.

5 The RADIUS server returns a start-accounting response (Accounting-Response).

6 The user starts to access the resources.

7 The RADIUS client sends a stop-accounting request (Accounting-Request, with the Status-Type field set to “stop”) to the RADIUS server.

8 The RADIUS server returns a stop-accounting response (Accounting-Response).

9 The resource access of the user is ended.


RADIUS packet structure

RADIUS uses UDP to transmit messages. It ensures the correct message exchange between RADIUS server and client through the following mechanisms: timer management, retransmission, and backup server. Figure 97 depicts the structure of the RADIUS packets.

Figure 97 RADIUS packet structure

[Figure 97 layout: Code, Identifier, Length on the first row, then Authenticator, then Attribute.]

1 The Code field decides the type of the RADIUS packet, as shown in Table 213.

2 The Identifier field (one byte) identifies the request and response packets. Its value depends on the Attribute field and changes each time a valid response is received, but remains unchanged during retransmission.

Table 213 Description on major values of the Code field

Code | Packet type | Packet description
1 | Access-Request | Direction: client->server. The client transmits this packet to the server to determine if the user can access the network. This packet carries user information. It must contain the User-Name attribute and may contain the following attributes: NAS-IP-Address, User-Password and NAS-Port.
2 | Access-Accept | Direction: server->client. The server transmits this packet to the client if all the attribute values carried in the Access-Request packet are acceptable (that is, the user passes the authentication).
3 | Access-Reject | Direction: server->client. The server transmits this packet to the client if the user fails the authentication (see step 3 of the basic message exchange procedure above).
4 | Accounting-Request | Direction: client->server. The client transmits this packet to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the packet). This packet carries almost the same attributes as those carried in the Access-Request packet.
5 | Accounting-Response | Direction: server->client. The server transmits this packet to the client to notify the client that it has received the Accounting-Request packet and has correctly recorded the accounting information.


3 The Length field (two bytes) specifies the total length of the packet (including the Code, Identifier, Length, Authenticator and Attribute fields). The bytes beyond the length will be regarded as padding bytes and are ignored upon receiving the packet. If the received packet is shorter than the value of this field, it will be discarded.

4 The Authenticator field (16 bytes) is used to verify the packet returned from the RADIUS server; it is also used in the password hiding algorithm. There are two kinds of authenticators: Request and Response.

5 The Attribute field contains special authentication, authorization, and accounting information to provide the configuration details of a request or response packet. This field is represented by a field triplet (Type, Length and Value):

■ The Type field (one byte) specifies the type of the attribute. Its value ranges from 1 to 255. Table 214 lists the attributes that are commonly used in RADIUS authentication and authorization.

■ The Length field (one byte) specifies the total length of the Attribute field in bytes (including the Type, Length and Value fields).

■ The Value field (up to 253 bytes) contains the information about the attribute. Its content and format are determined by the Type and Length fields.

The RADIUS protocol is highly extensible. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.

Table 214 RADIUS attributes

Value of the Type field | Attribute type
1 | User-Name
2 | User-Password
3 | CHAP-Password
4 | NAS-IP-Address
5 | NAS-Port
6 | Service-Type
7 | Framed-Protocol
8 | Framed-IP-Address
9 | Framed-IP-Netmask
10 | Framed-Routing
11 | Filter-ID
12 | Framed-MTU
13 | Framed-Compression
14 | Login-IP-Host
15 | Login-Service
16 | Login-TCP-Port
17 | (unassigned)
18 | Reply-Message
19 | Callback-Number
20 | Callback-ID
21 | (unassigned)
22 | Framed-Route
23 | Framed-IPX-Network
24 | State
25 | Class
26 | Vendor-Specific
27 | Session-Timeout
28 | Idle-Timeout
29 | Termination-Action
30 | Called-Station-Id
31 | Calling-Station-Id
32 | NAS-Identifier
33 | Proxy-State
34 | Login-LAT-Service
35 | Login-LAT-Node
36 | Login-LAT-Group
37 | Framed-AppleTalk-Link
38 | Framed-AppleTalk-Network
39 | Framed-AppleTalk-Zone
40-59 | (reserved for accounting)
60 | CHAP-Challenge
61 | NAS-Port-Type
62 | Port-Limit
63 | Login-LAT-Port


Figure 98 depicts the structure of attribute 26. The Vendor-ID field, representing the code of the vendor, occupies four bytes. The first byte is 0, and the other three bytes are defined in RFC 1700. Within the attribute, the vendor can encapsulate multiple customized sub-attributes (each with Type, Length and Value) to extend the RADIUS implementation.

Figure 98 Part of the RADIUS packet containing extended attribute
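As an added example (not code from this guide or from 3Com), the following Python parses a RADIUS datagram according to the field layout described above: it applies the Length rules (bytes beyond Length are padding and ignored, a datagram shorter than its Length field is discarded), walks the Type/Length/Value attributes, decodes the sub-attributes of attribute 26, and verifies a server reply's Authenticator against the Request Authenticator and the shared key, as RFC 2865 defines it, which is the check a client performs on the Access-Accept of step 3 in the message exchange. The sample datagram, shared key and Request Authenticator are constructed values; Vendor-ID 43 (3Com's IANA enterprise number) is an assumption, not taken from the guide.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
VENDOR_SPECIFIC = 26     # attribute 26 carries vendor sub-attributes
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}


def parse_attributes(data):
    """Walk the Type/Length/Value triplets that make up an Attribute field."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        # Length counts the Type and Length bytes too, so 2 is the minimum
        # (and 255 the maximum, i.e. at most 253 bytes of Value); the triplet
        # must also fit inside the enclosing field.
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value):
    """Decode attribute 26: 4-byte Vendor-ID (first byte 0) then sub-attribute TLVs."""
    if len(value) < 4 or value[0] != 0:
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def parse_packet(datagram):
    """Parse one datagram, applying the Length rules the guide describes."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the fixed 20-byte header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN:
        raise ValueError("Length field %d is below the header size" % length)
    if len(datagram) < length:
        # A datagram shorter than its own Length field is discarded.
        raise ValueError("datagram has %d bytes but Length says %d" % (len(datagram), length))
    # Anything past Length is padding and is ignored.
    attrs = []
    for atype, value in parse_attributes(datagram[HEADER_LEN:length]):
        attrs.append((atype, parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
    return {"code": code, "type": CODE_NAMES.get(code, "unknown"), "id": ident,
            "length": length, "authenticator": datagram[4:HEADER_LEN],
            "attributes": attrs}


def is_well_formed(datagram):
    """True if parse_packet accepts the datagram, False if it would be discarded."""
    try:
        parse_packet(datagram)
        return True
    except ValueError:
        return False


def encode_attributes(attrs):
    """Serialise (Type, Value) pairs into TLV triplets; used to build samples."""
    return b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)


def response_authenticator(code, ident, attr_bytes, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def verify_response(datagram, request_auth, secret):
    """Check a server reply against the Request Authenticator and the shared key."""
    pkt = parse_packet(datagram)
    expected = response_authenticator(pkt["code"], pkt["id"],
                                      datagram[HEADER_LEN:pkt["length"]],
                                      request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


# Constructed sample: the Access-Accept a server might return in step 3 of the
# exchange for the guide's MAC-authentication host (user name 00e0fc010101),
# with a Session-Timeout and one Vendor-Specific attribute. Vendor-ID 43 is
# 3Com's IANA enterprise number (an assumption, not stated in the guide); the
# sub-attribute, the key and the Request Authenticator are made-up values.
SHARED_KEY = b"example-key"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ATTRS = [
    (1, b"00e0fc010101"),                                    # User-Name
    (27, struct.pack("!I", 3600)),                           # Session-Timeout
    (VENDOR_SPECIFIC, struct.pack("!I", 43) + encode_attributes([(1, b"admin")])),
]
SAMPLE_BODY = encode_attributes(SAMPLE_ATTRS)
SAMPLE_ACCEPT = (struct.pack("!BBH", 2, 9, HEADER_LEN + len(SAMPLE_BODY))
                 + response_authenticator(2, 9, SAMPLE_BODY, REQUEST_AUTH, SHARED_KEY)
                 + SAMPLE_BODY)
```

A reply whose Authenticator does not verify under the shared key should be dropped exactly like a malformed one; the check covers only the bytes inside Length, which is why trailing padding does not affect it.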

Introduction to TACACS+

What is TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is an enhanced security protocol based on TACACS. Similar to the RADIUS protocol, it implements AAA for different types of users (such as PPP/VPDN login users and terminal users) through communications with TACACS servers in the Client-Server mode. Switch 4500G switches support authentication, authorization, and accounting for telnet, FTP, Aux, and SSH users.

Compared with RADIUS, TACACS+ provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 215 lists the primary differences between TACACS+ and RADIUS protocols.

Table 215 Comparison between TACACS+ and RADIUS

TACACS+ | RADIUS
Adopts TCP, providing more reliable network transmission. | Adopts UDP.
Encrypts the entire packet except the TACACS+ header. | Encrypts only the password field in an authentication packet.
Separates authentication from authorization. For example, you can provide authentication and authorization on different TACACS servers. | Brings together authentication and authorization.
Suitable for security control. | Suitable for accounting.
Supports authorization of the use of configuration commands. | Not supported.


In a typical TACACS+ application, a dial-up or terminal user needs to log in to the device for operations. As the client of TACACS+ in this case, the switch sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user can log in to the switch to perform operations, as shown in Figure 99.

Figure 99 Network diagram for a typical TACACS+ application

[Figure 99 layout: a dial-up user (over ISDN/PSTN) and a terminal user connect to the switch acting as HWTACACS client; the switch communicates with two TACACS servers, 129.7.66.66 and 129.7.66.67.]


Basic message exchange procedure in TACACS+

Take a telnet user as an example of using TACACS+ to implement authentication, authorization, and accounting. Figure 100 illustrates the basic message exchange procedure:

Figure 100 The AAA implementation procedure for a telnet user

The basic message exchange procedure is as follows:

1 A user requests access to the switch; the TACACS client sends an authentication start request packet to TACACS server upon receipt of the request.

2 The TACACS server sends back an authentication response requesting the username; the TACACS client asks the user for the username upon receipt of the response.

3 The TACACS client sends an authentication continuance packet carrying the username after receiving the username from the user.

4 The TACACS server sends back an authentication response requesting the password. Upon receipt of the response, the TACACS client asks the user for the login password.

5 After receiving the login password, the TACACS client sends an authentication continuance packet carrying the login password to the TACACS server.

[Figure 100 layout: a sequence diagram with three participants, User, TACACS+ Client and TACACS+ Server; the messages shown are those listed in steps 1 to 13 of the procedure.]


6 The TACACS server sends back an authentication response indicating that the user has passed the authentication.

7 The TACACS client sends the user authorization request packet to the TACACS server.

8 The TACACS server sends back the authorization response, indicating that the user has passed the authorization.

9 Upon receipt of the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user.

10 The TACACS client sends an accounting start request packet to the TACACS server.

11 The TACACS server sends back an accounting response, indicating that it has received the accounting start request.

12 The user logs out; the TACACS client sends an accounting stop request to the TACACS server.

13 The TACACS server sends back an accounting stop packet, indicating that the accounting stop request has been received.

Configuration Tasks

Table 216 Configuration tasks

Operation | Description | Related section

AAA configuration
Create an ISP domain | Required | Creating an ISP Domain
Configure the attributes of the ISP domain | Optional | Configuring the Attributes of an ISP Domain
Configure the authentication scheme for the ISP domain | Required. If local authentication is adopted, refer to “Configuring the Attributes of a Local User”. If RADIUS authentication is adopted, refer to “RADIUS Configuration”. If TACACS+ authentication is adopted, refer to “TACACS+ Configuration”. | Configuring AAA Authentication of an ISP Domain
Configure an AAA authorization scheme for the ISP domain | Optional | Configuring AAA Authorization of an ISP Domain
Configure an AAA accounting scheme for the ISP domain | Optional | Configuring AAA Accounting of an ISP Domain
Configure the attributes of a local user | Optional | Configuring the Attributes of a Local User
Cut down user connections forcibly | Optional | Cutting Down User Connections Forcibly

RADIUS configuration
Create a RADIUS scheme | Required | Creating a RADIUS Scheme
Configure RADIUS authentication/authorization servers | Required | Configuring RADIUS Authentication/Authorization Servers
Configure RADIUS accounting servers | Required | Configuring RADIUS Accounting Servers
Configure shared keys for RADIUS packets | Required | Configuring Shared Keys for RADIUS Packets
Configure the maximum number of transmission attempts of RADIUS requests | Optional | Configuring the Maximum Number of Transmission Attempts of RADIUS Requests
Configure the supported RADIUS server type | Optional | Configuring the Supported RADIUS Server Type
Configure the status of RADIUS servers | Optional | Configuring the Status of RADIUS Servers
Configure the attributes for data to be sent to RADIUS servers | Optional | Configuring the Attributes for Data to be Sent to RADIUS Servers
Configure a local RADIUS authentication server | Optional | Configuring a Local RADIUS Authentication Server
Configure the timers for RADIUS servers | Optional | Configuring the Timers of RADIUS Servers

TACACS+ configuration
Create a TACACS+ scheme | Required | Creating a TACACS+ Scheme
Configure TACACS+ authentication servers | Required | Configuring TACACS+ Authentication Servers
Configure TACACS+ authorization servers | Required | Configuring TACACS+ Authorization Servers
Configure TACACS+ accounting servers | Optional | Configuring TACACS+ Accounting Servers
Configure shared keys for RADIUS packets | Optional | Configuring Shared Keys for RADIUS Packets
Configure the attributes for data to be sent to TACACS servers | Optional | Configuring the Attributes for Data to be Sent to TACACS+ Servers
Configure the timers of TACACS servers | Optional | Configuring the Timers of TACACS Servers


AAA Configuration

The goal of AAA configuration is to protect network devices against unauthorized access while providing network access services to authorized users. If you need to use ISP domains to implement AAA management of access users, you need to configure the ISP domains.

Configuration Prerequisites

If you want to adopt remote AAA method, you must create a RADIUS or TACACS+ scheme.

■ RADIUS scheme (radius-scheme): You can reference a configured RADIUS scheme to implement AAA services. For the configuration of RADIUS scheme, refer to section “RADIUS Configuration”.

■ TACACS+ scheme (tacacs+-scheme): You can reference a configured TACACS+ scheme to implement AAA services. For the configuration of TACACS+ scheme, refer to section “TACACS+ Configuration”.

Creating an ISP Domain

Table 217 Create an ISP domain

Operation | Command | Description
Enter system view | system-view | —
Create an ISP domain and enter its view, or enter the view of an existing ISP domain | domain isp-name | Required
Quit to system view | quit | —
Configure the default ISP domain | domain default { disable | enable isp-name } | Optional. The default ISP domain is "system".

To remove the default ISP domain you define, you must first use the domain default disable command.

Configuring the Attributes of an ISP Domain

Table 218 Configure the attributes of an ISP domain

Operation | Command | Description
Enter system view | system-view | —
Create an ISP domain or enter the view of an existing ISP domain | domain isp-name | Required
Activate/deactivate the ISP domain | state { active | block } | Optional. By default, once an ISP domain is created, it is in the active state and all the users in this domain are allowed to access the network.
Set the maximum number of access users that can be contained in the ISP domain | access-limit { disable | enable max-user-number } | Optional. After an ISP domain is created, the number of access users it can contain is unlimited by default.
Set the user idle-cut function | idle-cut { disable | enable minute flow } | Optional. By default, the user idle-cut function is disabled.
Set the self-service server location function | self-service-url { disable | enable url-string } | Optional. By default, the self-service server location function is disabled.

The self-service server location function must cooperate with a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.

Configuring AAA Authentication of an ISP Domain

Authentication, authorization and accounting are three independent service procedures in AAA. Authentication performs interactive verification of the user name, password and user profile to meet individual access or service requests. It neither delivers authorization messages to the users who make service requests nor triggers accounting. In AAA, you can use authentication alone, without authorization or accounting. By default, with no further configuration, the authentication of a domain is local. You can configure authentication according to the following three steps:

1 To use the RADIUS solution for authentication, you first need to configure a RADIUS scheme to reference; to use the local or none solution for authentication, you do not need to configure a scheme.

2 Determine the access ways or service types to configure. You can configure authentication based on different access ways and service types, and restrict the authentication protocols available for access through configuration.

3 Determine whether to configure a default authentication for all access ways or service types.


■ There are three types of users for AAA: login, command authorization, and lan-access. You can configure the authentication/authorization/accounting policy independently according to the real requirements of the users.

■ The authentication configured by the authentication default command is applicable to all users. That is, the configuration takes effect for all users. But its priority is lower than that configured for a specific access mode.

■ If you have configured RADIUS as the solution for authentication, AAA only receives authentication results from the RADIUS server. Although the RADIUS authorization information is carried in the packet returned on authentication success, it is not handled while the authentication response is processed.

■ If you have configured the radius-scheme radius-scheme-name local command or the hwtacacs-scheme hwtacacs-scheme-name local command, local is used as the alternative authentication when the RADIUS server or TACACS server fails. That is, local authentication is used only when the RADIUS server or TACACS server does not work.

■ If local or none is used as the first solution for authentication, you can only use local authentication or no authentication. You cannot use a RADIUS solution simultaneously.

Table 219 Configure AAA authentication of an ISP domain

Operation: Enter system view
Command: system-view
Remarks: —

Operation: Create an ISP domain or enter the created ISP domain view
Command: domain isp-name
Remarks: Required

Operation: Configure authentication for all users
Command: authentication default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional. By default, local authentication is used.

Operation: Configure authentication for login users
Command: authentication login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional

Operation: Configure authentication for lan-access users
Command: authentication lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
Remarks: Optional

Configuring AAA Authorization of an ISP Domain

Authorization is an independent procedure at the same level as authentication and accounting in AAA. It is responsible for sending authorization requests to the configured authorization server and delivering the relevant authorization messages to users after authorization. It is optional in the AAA configuration of an ISP domain.


By default, the authorization scheme for an ISP domain is local. If you configure the authorization scheme as none, no authorization is required. In this case, the authenticated users have only the default rights. For example, by default EXEC users (for instance, Telnet users) have the lowest access right, and FTP users are authorized to use the root directory. You can configure authorization according to the following three steps:

1 If you choose the TACACS+ authorization scheme, you should first define the TACACS+ scheme to be used. RADIUS authorization takes effect only when the same RADIUS scheme is configured for authentication and for authorization.

2 Determine the access ways or service types to configure. You can configure authorization based on different access ways and service types, and restrict the authorization protocols available for access through configuration.

3 Determine whether to configure a default authorization for all access ways or service types.

■ The authorization configured by the authorization default command is applicable to all users. That is, the configuration takes effect for all users. But its priority is lower than that configured in the specified access mode.

■ RADIUS authorization, a special procedure, takes effect as long as the same RADIUS scheme is used for authentication and authorization. If RADIUS authorization fails, the reason returned to the NAS is that the server does not respond.

■ If the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local is used as the alternative authorization when the RADIUS Server or TACACS server fails. That is, the local authorization is used only when the RADIUS Server or TACACS server does not work.

Table 220 Configure AAA authorization of an ISP domain

Operation: Enter system view
Command: system-view
Remarks: —

Operation: Create an ISP domain or enter the created ISP domain view
Command: domain isp-name
Remarks: Required

Operation: Configure default authorization for all users
Command: authorization default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional

Operation: Configure authorization for login users
Command: authorization login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional

Operation: Configure authorization for lan-access users
Command: authorization lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
Remarks: Optional

Operation: Configure authorization for CLI users
Command: authorization command hwtacacs-scheme hwtacacs-scheme-name
Remarks: Optional


■ If local or none is used as the first solution for authorization, you can only use local authorization or no authorization. You cannot use a RADIUS solution simultaneously.

■ Since the authorization information of the RADIUS server is transmitted to the RADIUS client together with the authentication response packet, if you specify both authentication and authorization schemes as RADIUS scheme, you must ensure that the RADIUS authorization server and the RADIUS authentication server run on the same device; otherwise the system will give an error prompt.

Configuring AAA Accounting of an ISP Domain

Accounting is an independent procedure at the same level as authentication and authorization in AAA. It sends requests to start, update and end accounting to the configured accounting server. Accounting is not required in the AAA configuration of an ISP domain; without accounting, users accessing the domain do not need to go through the accounting procedure. You can configure accounting according to the following three steps:

1 To use a RADIUS or TACACS+ solution for accounting, you first need to configure the RADIUS scheme or TACACS+ scheme to reference; to use a local or none solution for accounting, you do not need to configure a scheme.

2 Determine the access ways or service types to configure. You can configure accounting based on different access ways and service types, and restrict the accounting protocols available for access through configuration.

3 Determine whether to configure a default accounting for all access ways or service types.

Table 221 Configure AAA accounting of an ISP domain

Operation: Enter system view
Command: system-view
Remarks: —

Operation: Create an ISP domain or enter the created ISP domain view
Command: domain isp-name
Remarks: —

Operation: Open/close the accounting-optional switch
Command: accounting-optional
Remarks: Optional. By default, once an ISP domain is created, the accounting-optional switch is closed.

Operation: Configure accounting for all users
Command: accounting default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional

Operation: Configure accounting for login users
Command: accounting login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional

Operation: Configure accounting for lan-access users
Command: accounting lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
Remarks: Optional


■ When charging a user, if the system does not find any available accounting server or fails to communicate with any accounting server, it will not disconnect the user as long as the accounting optional command has been executed.

■ The accounting configured by the accounting default command is applicable to all users. That is, the configuration takes effect for all users. But its priority is lower than that configured for a specific access mode.

■ Local accounting is only used to manage the connections of local users; it has no real statistics function. The management of local connections affects only local accounting, not local authentication or authorization.

■ If the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local is used as the alternative accounting when the RADIUS Server or TACACS server fails. That is, the local accounting is used only when the RADIUS Server or TACACS server does not work.

■ If local or none is used as the first solution for accounting, you can only use local accounting or no accounting. You cannot use a RADIUS or TACACS+ solution simultaneously.

■ FTP does not support accounting for login.
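The scheme-selection and fall-back rules stated in the authentication, authorization and accounting notes above, modelled in Python as an added illustration (not 3Com code): a per-access-type setting overrides the default, the trailing local keyword applies only when the server does not respond, and accounting-optional keeps a user connected when no accounting server answers. The domain, scheme names and server answers are constructed.

```python
"""Scheme selection and fall-back rules of an ISP domain, modelled after the
authentication, authorization and accounting notes in this chapter.
Added illustration only, not 3Com code; all names and server answers below
are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Answers a RADIUS/TACACS+ server (or the local user database) can give.
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class SchemeRef:
    """One authentication/authorization/accounting setting of a domain.
    kind is radius-scheme, hwtacacs-scheme, local or none; local_backup is
    the trailing [ local ] keyword."""
    kind: str
    name: Optional[str] = None
    local_backup: bool = False


@dataclass
class Domain:
    """ISP domain: 'default' settings plus per-access-type settings
    (login, lan-access, command), as in Tables 219 to 221."""
    name: str
    default: dict = field(default_factory=dict)    # service -> SchemeRef
    per_type: dict = field(default_factory=dict)   # (service, access type) -> SchemeRef
    accounting_optional: bool = False


LOCAL = SchemeRef("local")


def split_user(username: str, default_domain: str = "system"):
    """userid@isp-name -> (userid, isp-name); without '@' the default domain applies."""
    if "@" in username:
        userid, isp = username.rsplit("@", 1)
        return userid, isp
    return username, default_domain


def select_scheme(domain: Domain, service: str, access_type: str) -> SchemeRef:
    """A setting for the specific access type has priority over 'default';
    with nothing configured the service is local."""
    ref = domain.per_type.get((service, access_type))
    if ref is None:
        ref = domain.default.get(service, LOCAL)
    return ref


def run_service(domain: Domain, service: str, access_type: str,
                server_answer: str, local_answer: str = ACCEPT):
    """Apply one AAA service and return (outcome, what decided it).
    server_answer / local_answer are the constructed results of the remote
    server and of the local user database. The trailing [ local ] is a
    fail-over, not a fail-open: it is consulted only when the server does
    not respond, never when the server rejects the user."""
    ref = select_scheme(domain, service, access_type)
    if ref.kind == "none":
        return ACCEPT, "none"                      # no check / no accounting
    if ref.kind == "local":
        return local_answer, "local"
    if server_answer != NO_RESPONSE:
        return server_answer, ref.kind             # a REJECT stays a REJECT
    if ref.local_backup:
        return local_answer, "local (backup)"
    if service == "accounting" and domain.accounting_optional:
        return ACCEPT, "accounting-optional"       # user is not disconnected
    return NO_RESPONSE, ref.kind                   # request fails


# Constructed domain: TACACS+ for login authentication, RADIUS with local
# backup for other authentication, RADIUS accounting with accounting-optional.
CORP = Domain(
    "corp",
    default={"authentication": SchemeRef("radius-scheme", "rad1", local_backup=True),
             "accounting": SchemeRef("radius-scheme", "rad1")},
    per_type={("authentication", "login"): SchemeRef("hwtacacs-scheme", "tac1")},
    accounting_optional=True,
)

if __name__ == "__main__":
    print(split_user("alice@corp"))
    print(run_service(CORP, "authentication", "login", NO_RESPONSE))
    print(run_service(CORP, "authentication", "lan-access", NO_RESPONSE))
    print(run_service(CORP, "authentication", "lan-access", REJECT))
    print(run_service(CORP, "accounting", "login", NO_RESPONSE))
```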

Configuring the Attributes of a Local User

When local scheme is chosen as the AAA scheme, you should create local users on the switch and configure the relevant attributes.

The local users are users set on the switch, with each user uniquely identified by a user name. To make a user who is requesting network service pass through the local authentication, you should add an entry in the local user database on the switch for the user.

Table 222 Configure the attributes of a local user

Operation: Enter system view
Command: system-view
Description: —

Operation: Set the password display mode of all local users
Command: local-user password-display-mode { cipher-force | auto }
Description: Optional. By default, the password display mode of all access users is auto, indicating that the passwords of access users are displayed in the modes set with the password command.

Operation: Add a local user and enter local user view
Command: local-user user-name
Description: Required. By default, there is no local user in the system.

Operation: Set a password for the specified user
Command: password { simple | cipher } password
Description: Optional

Operation: Set the state of the specified user
Command: state { active | block }
Description: Optional. By default, the local users are in the active state once they are created, that is, they are allowed to request network services.

Operation: Authorize the user to access the specified type(s) of service(s): configure the service type
Command: service-type { lan-access | { telnet | ssh | terminal } * [ level level ] }
Description: Required. By default, the system does not authorize the user to access any service.

Operation: Authorize the user to access the specified type(s) of service(s): configure the FTP service type and accessible directories for users
Command: service-type ftp [ ftp-directory directory ]
Description: Optional. By default, anonymous users cannot access the switch using FTP and are not authorized with any FTP service; authorized FTP users can only access the root directory.

Operation: Set the priority level of the user
Command: level level
Description: Optional. By default, the priority level of the user is 0.

Operation: Set the attributes of the user whose service type is lan-access
Command: attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port portnum | port portnum } } *
Description: Optional. If the user is bound to a remote port, you must specify the nas-ip parameter (the following ip-address is 127.0.0.1 by default, representing this device). If the user is bound to a local port, you do not need to specify the nas-ip parameter.

■ After the local-user password-display-mode cipher-force command is executed, all passwords will be displayed in cipher mode even though you specify to display user passwords in plain text by using the password command.

■ If the configured authentication method (local or RADIUS) requires a user name and a password, the command level that a user can access after login is determined by the priority level of the user. For SSH users, when they use RSA shared keys for authentication, the commands they can access are determined by the levels set on their user interfaces.

■ If the configured authentication method is none or requires only a password, the command level that a user can access after login is determined by the level of the user interface.

■ If a user is not authorized with any service type, he or she cannot pass the authentication of a specific service type. By default, no service type is authorized to users.


Cutting Down User Connections Forcibly

Table 223 Cut down user connections forcibly

Operation: Enter system view
Command: system-view
Description: —

Operation: Cut down user connections forcibly
Command: cut connection { all | access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name }
Description: Required. This command is only available for the lan-access service type.

RADIUS Configuration

The RADIUS protocol configuration is performed on a RADIUS scheme basis. In an actual network environment, you can either use a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. For each kind of server, you can configure two servers in a RADIUS scheme: a primary server and a secondary server. A RADIUS scheme has the following attributes: IP addresses of the primary and secondary servers, shared keys, and types of the RADIUS servers.

Actually, the RADIUS protocol configuration only defines the parameters used for information exchange between the switch and the RADIUS servers. To make these parameters take effect, you must reference the RADIUS scheme configured with these parameters in an ISP domain view. For specific configuration commands, refer to section "AAA Configuration".

Creating a RADIUS Scheme

The RADIUS protocol configuration is performed on a RADIUS scheme basis. You should first create a RADIUS scheme and enter its view before performing other RADIUS protocol configurations.

A RADIUS scheme can be referenced by multiple ISP domains simultaneously.

Table 224 Create a RADIUS scheme

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.


Configuring RADIUS Authentication/Authorization Servers

■ The authentication response sent from the RADIUS server to the RADIUS client carries the authorization information. Therefore, no separate authorization server can be specified.

■ In an actual network environment, you can either specify two RADIUS servers as the primary and secondary authentication/authorization servers respectively, or specify only one server as both the primary and secondary authentication/authorization servers.

■ The IP address and port number of the primary authentication server used by the default RADIUS scheme "system" are 127.0.0.1 and 1645.

■ You are not allowed to assign the same IP address to both the primary and secondary authentication/authorization servers; otherwise, the system prompts that the operation failed.

Table 225 Configure RADIUS authentication/authorization servers

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Set the IP address and port number of the primary RADIUS authentication/authorization server
Command: primary authentication ip-address [ port-number ]
Description: Required. By default, the IP address and UDP port number of the primary server are 0.0.0.0 and 1812 respectively.

Operation: Set the IP address and port number of the secondary RADIUS authentication/authorization server
Command: secondary authentication ip-address [ port-number ]
Description: Optional. By default, the IP address and UDP port number of the secondary server are 0.0.0.0 and 1812 respectively.


Configuring RADIUS Accounting Servers

■ In an actual network environment, you can either specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify only one server as both the primary and secondary accounting servers. In addition, because RADIUS uses different UDP ports to send and receive authentication/authorization packets and accounting packets, you must set a port number for accounting that differs from the one set for authentication/authorization.

■ Stop-accounting requests are critical to billing and will eventually affect the charges of the users; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the RADIUS accounting server. If the RADIUS server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).

■ You can set the maximum number of real-time accounting request attempts in the case that the accounting fails. If the switch makes all the allowed real-time accounting request attempts but fails to perform accounting, it cuts down the connection of the user.

Table 226 Configure RADIUS accounting servers

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Set the IP address and port number of the primary RADIUS accounting server
Command: primary accounting ip-address [ port-number ]
Description: Required. By default, the IP address and UDP port number of the primary accounting server are 0.0.0.0 and 1813.

Operation: Set the IP address and port number of the secondary RADIUS accounting server
Command: secondary accounting ip-address [ port-number ]
Description: Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813.

Operation: Enable stop-accounting packet buffering
Command: stop-accounting-buffer enable
Description: Optional. By default, stop-accounting packet buffering is enabled.

Operation: Enable stop-accounting packet retransmission and set the maximum number of transmission attempts of the buffered stop-accounting packets
Command: retry stop-accounting retry-times
Description: Optional. By default, the system tries at most 500 times to transmit a buffered stop-accounting request.

Operation: Set the maximum number of real-time accounting request attempts
Command: retry realtime-accounting retry-times
Description: Optional. By default, the maximum number of real-time accounting request attempts is 5. After that, the user connection is cut down.


■ The IP address and the port number of the default primary accounting server "system" are 127.0.0.1 and 1646.

■ Currently, RADIUS does not support the accounting of FTP users.

■ You are not allowed to assign the same IP address to both the primary and secondary accounting servers; otherwise, the system prompts that the operation failed.

Configuring Shared Keys for RADIUS Packets

The RADIUS client and server use the MD5 algorithm to encrypt the RADIUS packets exchanged between them. The two parties verify the validity of the exchanged packets by using the shared keys set on them, and they accept and respond to each other's packets only if both have the same shared key.

Table 227 Configure shared keys for RADIUS packets

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Set a shared key for the RADIUS authentication/authorization packets
Command: key authentication string
Description: Required. By default, no key is set for any RADIUS server.

Operation: Set a shared key for the RADIUS accounting packets
Command: key accounting string
Description: Required. By default, no key is set for any RADIUS server.

Configuring the Maximum Number of Transmission Attempts of RADIUS Requests

The communication in RADIUS is unreliable because this protocol adopts UDP packets to carry data. Therefore, it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires. If the maximum number of transmission attempts is reached and the switch still receives no answer, the switch considers that the request fails.

The product of the retry-times here and the seconds of the timer response-timeout command can be greater than 75.

Table 228 Configure the maximum transmission attempts of RADIUS requests

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Set the maximum number of transmission attempts of RADIUS requests
Command: retry retry-times
Description: Optional. By default, the system tries three times to transmit a RADIUS request.
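The shared-key check from Configuring Shared Keys for RADIUS Packets, as an added Python illustration that is not 3Com code: the server keys its Response Authenticator with the shared secret (RFC 2865) and the switch recomputes it with the key set by key authentication, so a reply built with a different key, or altered in transit, is rejected. The key, identifier, authenticator and attributes below are constructed.

```python
"""RFC 2865 packet authentication with the RADIUS shared key between the
switch (client) and the RADIUS server. Added illustration, not 3Com code;
the key, identifier, authenticator and attributes below are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_REPLY_MESSAGE = 1, 18
HEADER_LEN = 20      # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return header + authenticator + attributes


def response_authenticator(code, ident, request_auth, attributes, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_reply(request: bytes, server_secret: bytes, attributes: bytes = b"") -> bytes:
    """The server answers an Access-Request; its authenticator is keyed with
    the secret configured on the server side."""
    _code, ident, _length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attributes, server_secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attributes)


def client_verify(reply: bytes, request_auth: bytes, client_secret: bytes) -> bool:
    """Client-side check with the key set by 'key authentication': a reply
    computed with any other key, or altered on the wire, fails and is dropped."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    attributes = reply[HEADER_LEN:]
    expected = response_authenticator(code, ident, request_auth, attributes, client_secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


# Constructed exchange.
CLIENT_SECRET = b"constructed-shared-key"
REQUEST_AUTH = bytes(range(16))    # a real client picks this at random per request
REQUEST = build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH, attr(ATTR_USER_NAME, b"alice@corp"))


def exchange(server_secret: bytes) -> bool:
    """Run one request/reply and return whether the switch accepts the reply."""
    reply = server_reply(REQUEST, server_secret, attr(ATTR_REPLY_MESSAGE, b"ok"))
    return client_verify(reply, REQUEST_AUTH, CLIENT_SECRET)


def tampered_exchange() -> bool:
    """Same key on both sides, but one attribute byte is changed on the wire."""
    reply = bytearray(server_reply(REQUEST, CLIENT_SECRET, attr(ATTR_REPLY_MESSAGE, b"ok")))
    reply[-1] ^= 0x01
    return client_verify(bytes(reply), REQUEST_AUTH, CLIENT_SECRET)


if __name__ == "__main__":
    print("same key:", exchange(CLIENT_SECRET))
    print("other key:", exchange(b"other-key"))
    print("tampered:", tampered_exchange())
```

The check proves origin and integrity of the reply, not confidentiality of its attributes (RADIUS hides only the User-Password attribute), so the same long, unguessable string must be set on both ends and the switch-to-server path kept on a protected management network.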


Configuring the Supported RADIUS Server Type

Table 229 Configure the supported RADIUS server type

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Specify the type of RADIUS server supported by the switch
Command: server-type { extended | standard }
Description: Optional. By default, the switch supports the standard type of RADIUS server. The type of RADIUS server in the default RADIUS scheme "system" is extended.

Configuring the Status of RADIUS Servers

For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme:

When the switch fails to communicate with the primary server due to some server trouble, the switch will actively exchange packets with the secondary server.

After the time the primary server keeps in the block state exceeds the time set with the timer quiet command, the switch will try to communicate with the primary server again when it receives a RADIUS request. If the primary server recovers, the switch immediately restores the communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server to the active state while keeping the status of the secondary server unchanged.

When both the primary and secondary servers are in the active or block state, the switch sends packets only to the primary server.

Table 230 Set the status of RADIUS servers

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Set the status of the primary RADIUS authentication/authorization server
Command: state primary authentication { block | active }
Description: Optional. By default, all the RADIUS servers in a customized RADIUS scheme are in the active state.

Operation: Set the status of the primary RADIUS accounting server
Command: state primary accounting { block | active }
Description: Optional

Operation: Set the status of the secondary RADIUS authentication/authorization server
Command: state secondary authentication { block | active }
Description: Optional

Operation: Set the status of the secondary RADIUS accounting server
Command: state secondary accounting { block | active }
Description: Optional
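The primary/secondary selection and timer quiet recovery behaviour described under Configuring the Status of RADIUS Servers, simulated in Python as an added illustration (not 3Com code); the server addresses, timeline and reachability are constructed.

```python
"""Primary/secondary server selection with the block state and the
'timer quiet' recovery described in this chapter. Added illustration,
not 3Com code; server addresses and their reachability are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIVE, BLOCK = "active", "block"


@dataclass
class Server:
    address: str
    state: str = ACTIVE
    blocked_at: float = 0.0      # time (seconds) the server entered the block state


class RadiusServerPair:
    """One server role of a scheme (authentication/authorization or accounting)."""

    def __init__(self, primary: str, secondary: str, quiet_minutes: int = 5):
        self.primary = Server(primary)
        self.secondary = Server(secondary)
        self.quiet = quiet_minutes * 60   # 'timer quiet' default is five minutes

    def _targets(self, now: float) -> List[Server]:
        """Servers tried for one request, in order."""
        order = []
        # An active primary is always preferred; a blocked one is probed again
        # only once it has stayed in the block state for the quiet time.
        if self.primary.state == ACTIVE or now - self.primary.blocked_at >= self.quiet:
            order.append(self.primary)
        # The text describes recovery only for the primary, so a blocked
        # secondary is not probed here.
        if self.secondary.state == ACTIVE:
            order.append(self.secondary)
        # Both blocked: the switch sends only to the primary.
        return order or [self.primary]

    def send(self, now: float, reachable: Dict[str, bool]) -> Optional[str]:
        """Send one request at time 'now'; reachable maps address -> answers?
        Returns the address of the server that answered, or None."""
        for srv in self._targets(now):
            if reachable.get(srv.address, False):
                if srv is self.primary:
                    # Primary recovered: used again at once, secondary untouched.
                    self.primary.state = ACTIVE
                return srv.address
            srv.state = BLOCK
            srv.blocked_at = now
        return None


def failover_trace() -> List[Optional[str]]:
    """Constructed timeline: primary down at t=10, back at t=100, both down at t=400."""
    pair = RadiusServerPair("192.0.2.10", "192.0.2.11")
    up = {"192.0.2.10": True, "192.0.2.11": True}
    primary_down = {"192.0.2.10": False, "192.0.2.11": True}
    both_down = {"192.0.2.10": False, "192.0.2.11": False}
    return [
        pair.send(0, up),             # primary answers
        pair.send(10, primary_down),  # primary fails -> block; secondary answers
        pair.send(100, up),           # quiet time not over: primary not probed
        pair.send(310, up),           # quiet time over: primary probed and restored
        pair.send(400, both_down),    # no answer; both enter the block state
    ]


if __name__ == "__main__":
    print(failover_trace())
```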


Configuring the Attributes for Data to be Sent to RADIUS Servers

■ Generally, the access users are named in the userid@isp-name format, where isp-name after the @ character represents the ISP domain name, by which the device determines which ISP domain it should ascribe the user to. However, some old RADIUS servers cannot accept user names that carry ISP domain names. In this case, it is necessary to remove the domain names carried in the user names before sending the user names to the RADIUS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.

■ For a RADIUS scheme, if you have specified that no ISP domain names are carried in the user names, you should not adopt this RADIUS scheme in more than one ISP domain. Otherwise, such errors may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the user names sent to it are the same).

■ In the default RADIUS scheme "system", no ISP domain names are carried in the user names by default.

■ The nas-ip command in RADIUS scheme view only takes effect for the current RADIUS scheme, while that in system view is for all RADIUS schemes. The former one takes priority in implementation.

Table 231 Configure the attributes for data to be sent to the RADIUS servers

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Set the format of the user names to be sent to RADIUS servers
Command: user-name-format { with-domain | without-domain }
Description: Optional. By default, the user names sent from the switch to RADIUS servers carry ISP domain names.

Operation: Set the units of measure for data flows sent to RADIUS servers
Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
Description: Optional. By default, in a RADIUS scheme, the unit of measure for data is byte and that for packets is one-packet.

Operation: Set the source IP address used by the switch to send RADIUS packets (in RADIUS scheme view)
Command: nas-ip ip-address
Description: Optional. By default, no source IP address is specified, and the IP address of the outbound interface is used as the source IP address.

Operation: Set the source IP address used by the switch to send RADIUS packets (in system view)
Command: radius nas-ip ip-address
Description: Optional


Configuring a Local RADIUS Authentication Server

■ When you use the local RADIUS authentication server function, the UDP port number for the authentication/authorization service must be 1645, the UDP port number for the accounting service is 1646, and the IP addresses of the servers must be set to the addresses of the switch.

■ The packet encryption key set by the local-server command with the key password parameter must be identical with the authentication/authorization packet encryption key set by the key authentication command in RADIUS scheme view.

■ The switch supports up to 16 local RADIUS authentication servers (including the default local RADIUS authentication server).

Table 232 Configure local RADIUS authentication server

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a local RADIUS authentication server
Command: local-server nas-ip ip-address key password
Description: Required. By default, a local RADIUS authentication server, with NAS-IP 127.0.0.1, has already been created.

Configuring the Timers of RADIUS Servers

If the switch gets no response from the RADIUS server after sending out a RADIUS request (authentication/authorization request or accounting request) and waiting for a period of time, it should retransmit the packet to ensure that the user can obtain the RADIUS service. This wait time is called the response timeout time of RADIUS servers; and the timer in the switch system that is used to control this wait time is called the response timeout timer of RADIUS servers.

The product of the retry-times of the retry command and the seconds of the timer response-timeout command can be greater than 75.

Table 233 Set the timers of RADIUS servers

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Description: Required. By default, a RADIUS scheme named "system" has already been created in the system.

Operation: Set the response timeout time of RADIUS servers
Command: timer response-timeout seconds
Description: Optional. By default, the response timeout timer of RADIUS servers expires in three seconds.

Operation: Set the wait time for the primary server to restore the active state
Command: timer quiet minutes
Description: Optional. By default, the primary server waits five minutes before restoring the active state.

Operation: Set the real-time accounting interval
Command: timer realtime-accounting minutes
Description: Optional. By default, the real-time accounting interval is 12 minutes.


TACACS+ Configuration

Creating a TACACS+ Scheme

The TACACS+ protocol is configured scheme by scheme. Therefore, you must create a TACACS+ scheme and enter TACACS+ view before you perform other configuration tasks.

The system supports up to 16 TACACS+ schemes. You can only delete the schemes that are not being used.

Table 234 Create a TACACS+ scheme

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a TACACS+ scheme and enter TACACS+ view
Command: hwtacacs scheme hwtacacs-scheme-name
Description: Required. By default, no TACACS+ scheme exists.

Configuring TACACS+ Authentication Servers

■ The primary and secondary authentication servers cannot use the same IP address. Otherwise, the system will prompt unsuccessful configuration.

■ You can remove a server only when it is not used by any active TCP connection for sending authentication packets.

Table 235 Configure TACACS+ authentication servers

Operation: Enter system view
Command: system-view
Description: —

Operation: Create a TACACS+ scheme and enter its view
Command: hwtacacs scheme hwtacacs-scheme-name
Description: Required. By default, no TACACS+ scheme exists.

Operation: Set the IP address and port number of the primary TACACS+ authentication server
Command: primary authentication ip-address [ port ]
Description: Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 49.

Operation: Set the IP address and port number of the secondary TACACS+ authentication server
Command: secondary authentication ip-address [ port ]
Description: Required. By default, the IP address of the secondary authentication server is 0.0.0.0, and the port number is 49.


Configuring TACACS+ Authorization Servers

■ The primary and secondary authorization servers cannot use the same IP address. Otherwise, the system reports that the configuration failed.

■ You can remove a server only when it is not used by any active TCP connection for sending authorization packets.

Configuring TACACS+ Accounting Servers

Table 236 Configure TACACS+ authorization servers

Operation Command Description

Enter system view system-view —

Create a TACACS+ scheme and enter its view

hwtacacs scheme hwtacacs-scheme-name

Required

By default, no TACACS+ scheme exists.

Set the IP address and port number of the primary TACACS+ authorization server

primary authorization ip-address [ port ]

Required

By default, the IP address of the primary authorization server is 0.0.0.0, and the port number is 49.

Set the IP address and port number of the secondary TACACS+ authorization server

secondary authorization ip-address [ port ]

Required

By default, the IP address of the secondary authorization server is 0.0.0.0, and the port number is 49.

Table 237 Configure TACACS+ accounting servers

Operation Command Description

Enter system view system-view —

Create a TACACS+ scheme and enter its view

hwtacacs scheme hwtacacs-scheme-name

Required

By default, no TACACS+ scheme exists.

Set the IP address and port number of the primary TACACS+ accounting server

primary accounting ip-address [ port ]

Required

By default, the IP address of the primary accounting server is 0.0.0.0, and the port number is 49.

Set the IP address and port number of the secondary TACACS+ accounting server

secondary accounting ip-address [ port ]

Required

By default, the IP address of the secondary accounting server is 0.0.0.0, and the port number is 49.

Enable the switch to buffer the stop-accounting requests that get no response

stop-accounting-buffer enable

Optional

By default, the switch buffers the stop-accounting requests that get no response.

Enable the stop-accounting packets retransmission function and set the maximum number of attempts

retry stop-accounting retry-times

Optional

By default, the stop-accounting packet retransmission function is enabled and the system retransmits a stop-accounting request up to 100 times.


■ The primary and secondary accounting servers cannot use the same IP address. Otherwise, the system reports that the configuration failed.

■ You can remove a server only when it is not used by any active TCP connection for sending accounting packets.

■ Currently, RADIUS and TACACS+ do not support the accounting of FTP users.

Configuring Shared Keys for RADIUS Packets

When using a TACACS+ server as an AAA server, you can set a key to improve the communication security between the router and the TACACS+ server.

The TACACS+ client and server use the MD5 algorithm to encrypt the exchanged TACACS+ packets. The two parties verify the validity of the exchanged packets by using the shared keys configured on each of them, and can accept and respond to each other's packets only if both have the same shared key.
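The MD5-based scheme described above, as an added Python example that is not code from this guide: it builds a TACACS+ packet the way a client such as the switch would, obfuscates the body with the MD5 pseudo-pad derived from the shared key (the mechanism standardised in RFC 8907), and then decodes it with a matching and with a mismatched key. The session id, user name, port and address are constructed sample values; the key "expert" is the one used in the configuration examples later in this chapter.

```python
"""TACACS+ packet body obfuscation with a shared key.

Added example; not code from the 3Com guide. It implements the MD5
pseudo-pad that TACACS+ clients and servers apply to the packet body
(RFC 8907, "Data Obfuscation"), so it shows why the key set with
'key authentication <string>' on the switch must match the server's key:
a receiver holding a different key obtains an unreadable body, which is
the "different shared keys" failure listed in the troubleshooting section.
The pad is obfuscation, not strong encryption, which is why TACACS+ is
normally confined to a dedicated management network.
"""
import hashlib
import struct

VERSION_DEFAULT = 0xC0              # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01                  # authentication packet type
FLAG_UNENCRYPTED = 0x01             # body sent in the clear (no key configured)
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); pad = MD5_1 || MD5_2 || ..."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Constructed AUTHEN START body: action=LOGIN(1), authen_type=ASCII(1),
    service=LOGIN(1), then user, port and remote-address strings, no data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0) + u + p + r


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 version: int = VERSION_DEFAULT, ptype: int = TYPE_AUTHEN) -> bytes:
    """12-byte header followed by the obfuscated body (clear body if no key)."""
    flags = 0 if key else FLAG_UNENCRYPTED
    wire_body = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Decode a packet with the receiver's key; a wrong key yields a garbled body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    wire_body = packet[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("truncated TACACS+ body")
    if flags & FLAG_UNENCRYPTED:
        body = wire_body
    else:
        body = obfuscate(wire_body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def key_mismatch_demo() -> tuple:
    """Switch encodes with 'expert'; the server decodes with the same key, then a different one."""
    session_id = 0x1234ABCD                       # constructed; real clients choose it randomly
    body = authen_start_body("telnet", "vty0", "10.110.91.10")
    pkt = build_packet(body, session_id, b"expert")
    good = parse_packet(pkt, b"expert")["body"]
    bad = parse_packet(pkt, b"wrong-key")["body"]
    return good == body, bad == body


if __name__ == "__main__":
    print(key_mismatch_demo())   # (True, False)
```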

Configuring the Attributes for Data to be Sent to TACACS+ Servers

Table 238 Configure shared keys for TACACS+ packets

Operation Command Description

Enter system view system-view —

Create a TACACS+ scheme and enter its view

hwtacacs scheme hwtacacs-scheme-name

Required

By default, no TACACS+ scheme exists.

Set a shared key for the TACACS+ accounting/authentication/authorization packets

key { accounting | authorization | authentication } string

Required

By default, the TACACS server does not have a key.

Table 239 Configure the attributes for data to be sent to TACACS servers

Operation Command Description

Enter system view system-view —

Create a TACACS+ scheme and enter its view

hwtacacs scheme hwtacacs-scheme-name

Required

By default, no TACACS+ scheme exists.

Set the format of the user names to be sent to TACACS servers

user-name-format { with-domain | without-domain }

Optional

By default, the user names sent from the switch to TACACS servers carry ISP domain names.

Set the units of measure for data flows sent to TACACS servers

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }

data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }

Optional

By default, in a TACACS scheme, the unit of measure for data is byte and that for packets is one-packet.

Set the source IP address used by the switch to send TACACS+ packets

In TACACS+ view: nas-ip ip-address

In system view: hwtacacs nas-ip ip-address

Optional

By default, no source IP address is specified; the IP address of the outbound interface is used as the source IP address.


■ Generally, access users are named in the userid@isp-name format, where isp-name after the @ character is the ISP domain name. If the TACACS server does not accept user names that carry an ISP domain name, the domain name must be removed from the user names before they are sent to the TACACS server.

■ The nas-ip command in TACACS+ scheme view takes effect only for the current TACACS+ scheme, while the hwtacacs nas-ip command in system view applies to all TACACS+ schemes. The scheme view setting takes priority.

Configuring the Timers of TACACS Servers

■ Setting the real-time accounting interval is indispensable to real-time accounting. Once an interval is set, the device sends the accounting information of online users to the TACACS accounting server at that interval. Even if the server does not respond, the device does not disconnect the online user.

■ The interval must be a multiple of 3.

■ The choice of real-time accounting interval depends to some extent on the performance of the device and of the TACACS server: a shorter interval requires higher device performance.

Table 240 Configure the timers of TACACS servers

Operation Command Description

Enter system view system-view —

Create a TACACS+ scheme and enter its view

hwtacacs scheme hwtacacs-scheme-name

Required

By default, no TACACS+ scheme exists.

Set the response timeout time of TACACS servers

timer response-timeout seconds

Optional

By default, the response timeout time is five seconds.

Set the wait time for the primary server to restore the active state

timer quiet minutes

Optional

By default, the primary server waits five minutes before restoring the active state.

Set the real-time accounting interval

timer realtime-accounting minutes

Optional

By default, the real-time accounting interval is 12 minutes.


Displaying and Maintaining AAA & RADIUS & TACACS+ Information

After the above configurations, you can execute the display commands in any view to view the operation of AAA, RADIUS and TACACS+ and verify your configuration.

You can use the reset command in user view to clear the corresponding statistics.

Table 241 Display AAA information

Operation Command Description

Display the configuration information about one specific or all ISP domains

display domain [ isp-name ]

You can execute the display command in any view

Display the information about user connections

display connection [ access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name ]

Display the information about local users

display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { lan-access | telnet | ssh | terminal | ftp } | state { active | block } | user-name user-name ]

Table 242 Display and maintain RADIUS protocol information

Operation Command Description

Display the statistics about local RADIUS authentication server

display local-server statistics

You can execute the display command in any view

Display the configuration information about one specific or all RADIUS schemes

display radius scheme [ radius-scheme-name ]

Display the statistics about RADIUS packets

display radius statistics

Display the buffered no-response stop-accounting request packets

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

Delete the buffered no-response stop-accounting request packets

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

You can execute the reset command in user view

Clear the statistics about the RADIUS protocol

reset radius statistics


AAA & RADIUS & TACACS+ Configuration Example

Remote RADIUS Authentication of Telnet/SSH Users

■ The configuration procedure for the remote authentication of SSH users through a RADIUS server is similar to that for Telnet users. The following description takes the remote authentication of Telnet users as an example.

■ Currently, RADIUS and TACACS+ do not support the accounting of FTP users.

Network requirements

In the network environment shown in Figure 101, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server.

■ A RADIUS server with IP address 10.110.91.164 is connected to the switch. This server will be used as the authentication server.

■ On the switch, set the shared key that is used to exchange packets with the authentication RADIUS server to "expert".

Table 243 Display and maintain TACACS+ protocol information

Operation Command Description

Display the configuration or statistic information about one specific or all TACACS+ schemes

display hwtacacs [ hwtacacs-scheme-name [ statistics] ]

You can execute the display command in any view

Display the buffered stop-accounting request packets that are not responded to

display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

Clear the statistics about the TACACS protocol

reset hwtacacs statistics { accounting | authentication | authorization | all }

You can execute the reset command in user view

Delete the buffered stop-accounting request packets that are not responded to

reset stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }


You can use a CAMS server as the RADIUS server. If you use a third-party RADIUS server, you can select standard or extended as the server type in the RADIUS scheme. When you use a CAMS server, you should select extended for server-type in the RADIUS scheme.

On the RADIUS server:

■ Set the shared key it uses to exchange packets with the switch to "expert".

■ Set the port number for authentication.

■ Add Telnet user names and login passwords.

The Telnet user name added to the RADIUS server must be in the userid@isp-name format if you have configured the switch to include domain names in the user names sent to the RADIUS server.

Network diagram

Figure 101 Remote RADIUS authentication of Telnet users

Configuration procedure

1 Enter system view.

<3Com> system-view
[3Com]

2 Adopt AAA authentication for Telnet users.

[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit

3 Configure an ISP domain.

[3Com] domain cams
[3Com-isp-cams] access-limit enable 10
[3Com-isp-cams] quit

4 Configure optional accounting. This configuration is required if the CAMS server also serves as the RADIUS server, because the CAMS server does not respond to accounting packets. If an independent RADIUS server (Windows 2000, for example) is used, this configuration is not required.

[3Com-isp-cams] accounting optional
[3Com-isp-cams] quit


5 Configure a RADIUS scheme.

[3Com] radius scheme cams
[3Com-radius-cams] primary authentication 10.110.91.164 1812
[3Com-radius-cams] primary accounting 10.110.91.164 1813
[3Com-radius-cams] key authentication expert
[3Com-radius-cams] key accounting expert
[3Com-radius-cams] server-type extended
[3Com-radius-cams] user-name-format with-domain
[3Com-radius-cams] quit

6 Configure the AAA schemes for the domain. If authentication, authorization and accounting are all required, configure an authentication scheme, an authorization scheme and an accounting scheme. If only one or two of these services are required, configure only the corresponding items.

[3Com] domain cams
[3Com-isp-cams] authentication login radius-scheme cams
[3Com-isp-cams] authorization login radius-scheme cams
[3Com-isp-cams] accounting login radius-scheme cams

7 Configure the default AAA schemes, in which the user type is not checked.

[3Com] domain cams
[3Com-isp-cams] authentication default radius-scheme cams
[3Com-isp-cams] authorization default radius-scheme cams
[3Com-isp-cams] accounting default radius-scheme cams

Local Authentication, Authorization and Accounting for FTP/Telnet Users

For FTP users, no accounting is required and their local authentication and authorization are the same as those of Telnet users. Therefore, the following only describes the configurations for Telnet users.

Network requirements

Make local authentication, authorization and accounting schemes on the switch for Telnet users.

Networking diagram

Figure 102 Local authentication, authorization and accounting configuration for Telnet users



Configuration procedure

1 Method 1: Using local authentication, authorization and accounting.

a Set Telnet users to use AAA scheme.

<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit

b Create local user telnet.

[3Com] local-user telnet
[3Com-luser-telnet] service-type telnet
[3Com-luser-telnet] password simple 3Com
[3Com-luser-telnet] attribute idle-cut 5 access-limit 5
[3Com-luser-telnet] quit
[3Com] domain system
[3Com-isp-system] authentication login local
[3Com-isp-system] authorization login local
[3Com-isp-system] accounting login local

c Configure default AAA schemes, in which user type is not checked.

[3Com-isp-system] authentication default local
[3Com-isp-system] authorization default local
[3Com-isp-system] accounting default local

The user enters the user name userid@system to use the authentication of the system domain.

2 Method 2: using a local RADIUS server

This method is similar to the remote authentication method described in the section "Remote RADIUS Authentication of Telnet/SSH Users". You only need to change the server IP address, the authentication password, and the UDP port number for the authentication service in the configuration step "Configure a RADIUS scheme" of that section to 127.0.0.1, 3Com, and 1645 respectively, and configure local users.

TACACS Authentication/Authorization and Accounting of Telnet Users

Network requirements

You are required to configure the switch so that the Telnet users logging in to the switch are authenticated, authorized and accounted by the TACACS server. A TACACS server with IP address 10.110.91.164 is connected to the switch. This server is used as the AAA server. On the switch, set the shared key used to exchange packets with the AAA TACACS server to "expert". Configure the switch to strip the domain name from the user names sent to the TACACS server.

Configure the shared key to “expert” on the TACACS server for exchanging packets with the switch.


Networking diagram

Figure 103 Remote TACACS authentication authorization and accounting of Telnet users

Configuration procedure

1 Set Telnet users to use AAA scheme

<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit

2 Configure TACACS+ scheme

[3Com] hwtacacs scheme hwtac
[3Com-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[3Com-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[3Com-hwtacacs-hwtac] primary accounting 10.110.91.164 49
[3Com-hwtacacs-hwtac] key authentication expert
[3Com-hwtacacs-hwtac] key authorization expert
[3Com-hwtacacs-hwtac] key accounting expert
[3Com-hwtacacs-hwtac] user-name-format without-domain
[3Com-hwtacacs-hwtac] quit

3 Configure AAA scheme for the domain

[3Com] domain hwtacacs
[3Com-isp-hwtacacs] authentication login hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] authorization login hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] accounting login hwtacacs-scheme hwtac

4 Configure default AAA schemes, in which user type is not checked.

[3Com] domain hwtacacs
[3Com-isp-hwtacacs] authentication default hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] authorization default hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] accounting default hwtacacs-scheme hwtac


Local Authentication, TACACS+ Authorization and RADIUS Accounting of Telnet Users

Network requirements

Set the switch to perform local authentication, TACACS+ authorization and RADIUS accounting. The username and password both are telnet.

A TACACS server with IP address 10.110.91.165 is connected to the switch. This server will be used as the accounting server. On the switch, set the shared key used to exchange packets with the accounting TACACS server to "expert".

For users of other access types, the AAA configuration on the domain is similar to that for Telnet users, differing only in the access type.

Networking diagram

Figure 104 Local authentication, TACACS+ authorization and RADIUS accounting of Telnet users

Configuration procedure

1 Set Telnet users to use AAA scheme

<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit

2 Configure a TACACS+ scheme.

[3Com] hwtacacs scheme hwtac
[3Com-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[3Com-hwtacacs-hwtac] key authorization expert
[3Com-hwtacacs-hwtac] user-name-format without-domain
[3Com-hwtacacs-hwtac] quit

3 Configure a RADIUS scheme.

[3Com] radius scheme cams
[3Com-radius-cams] primary accounting 10.110.91.165 1813
[3Com-radius-cams] key accounting expert
[3Com-radius-cams] server-type extended
[3Com-radius-cams] user-name-format with-domain
[3Com-radius-cams] quit

4 Create local user telnet.

[3Com] local-user telnet
[3Com-luser-telnet] service-type telnet
[3Com-luser-telnet] password simple telnet


5 Configure AAA scheme for the domain

[3Com] domain test
[3Com-isp-test] authentication login local
[3Com-isp-test] authorization login hwtacacs-scheme hwtac
[3Com-isp-test] accounting login radius-scheme cams

6 Configure default AAA schemes, in which user type is not checked.

[3Com] domain test
[3Com-isp-test] authentication default local
[3Com-isp-test] authorization default hwtacacs-scheme hwtac
[3Com-isp-test] accounting default radius-scheme cams

Troubleshooting AAA & RADIUS & TACACS+ Configuration

Troubleshooting the RADIUS Protocol

The RADIUS protocol is at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other.

Symptom 1 User authentication/authorization always fails.

Possible reasons and solutions

■ The user name is not in the userid@isp-name format, or no default ISP domain is specified on the switch - Use the correct user name format, or set a default ISP domain on the switch.

■ The user is not configured in the database of the RADIUS server - Check the database of the RADIUS server, make sure that the configuration information about the user exists.

■ The user input an incorrect password - Be sure to input the correct password.

■ The switch and the RADIUS server have different shared keys - Compare the shared keys at the two ends, make sure they are identical.

■ The switch cannot communicate with the RADIUS server (you can check this by pinging the RADIUS server from the switch) - Take measures to restore normal communication between the switch and the RADIUS server.

Symptom 2 RADIUS packets cannot be sent to the RADIUS server.

Possible reasons and solutions

■ The communication links (physical/link layer) between the switch and the RADIUS server are disconnected or blocked - Take measures to reconnect or unblock the links.

■ No RADIUS server IP address, or an incorrect one, is set on the switch - Be sure to set the correct RADIUS server IP address.

■ One or all AAA UDP port settings are incorrect - Be sure to set the same UDP port numbers as those on the RADIUS server.

Symptom 3 The user passes the authentication and gets authorized, but the accounting information cannot be transmitted to the RADIUS server.


Possible reasons and solutions

■ The accounting port number is not properly set - Be sure to set a correct port number for RADIUS accounting.

■ The switch requests that both the authentication/authorization server and the accounting server use the same device (with the same IP address), but in fact they are not resident on the same device - Be sure to configure the RADIUS servers on the switch according to the actual situation.

Troubleshooting the TACACS+ Protocol

See the previous section if you encounter a TACACS+ fault.


32 IGMP SNOOPING CONFIGURATION

IGMP Snooping Overview

Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.

Principle of IGMP Snooping

By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and MAC multicast groups and forwards multicast data based on these mappings.

As shown in Figure 105, when IGMP Snooping is not running, multicast packets are broadcast to all devices at Layer 2. When IGMP Snooping runs, multicast packets for known multicast groups are multicast to the receivers at Layer 2.

Figure 105 Multicast forwarding before and after IGMP Snooping runs

Basic Concepts in IGMP Snooping

IGMP Snooping related ports

As shown in Figure 106, Router A connects to the multicast source, IGMP Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, multicast group members).



Figure 106 IGMP Snooping related ports

Ports involved in IGMP Snooping, as shown in Figure 106, are described as follows:

■ Router port: On an Ethernet switch, a router port connects the switch to a multicast router. In the figure, GigabitEthernet1/0/1 of Switch A and GigabitEthernet1/0/1 of Switch B are router ports. A switch registers all its local router ports in its router port list.

■ Member port: On an Ethernet switch, a member port (also known as multicast group member port) connects the switch to a multicast group member. In the figure, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 of Switch A and GigabitEthernet1/0/2 of Switch B are member ports.

Whenever mentioned in this document, a router port is a router-connecting port on a switch, rather than a port on a router.

Port aging timers in IGMP Snooping and related messages and actions

Table 244 Port aging timers in IGMP Snooping and related messages and actions

Timer Description Message before expiry Action after expiry

Router port aging timer

For each router port, the switch sets a timer initialized to the aging time of the route port

IGMP general query or PIM hello message

The switch removes this port from its router port list

Member port aging timer

When a port joins an multicast group, the switch sets a timer for the port, which is initialized to the member port aging time

IGMP report message The switch removes this port from the multicast group forwarding table



Work Mechanism of IGMP Snooping

A switch running IGMP Snooping processes IGMP messages as follows:

IGMP general queries

The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether multicast group members exist on the subnet.

Upon receiving an IGMP general query, the switch forwards it to all ports in the VLAN except the receiving port and performs the following to the receiving port:

■ If the receiving port is a router port existing in its router port list, the switch resets the aging timer of this router port.

■ If the receiving port is not a router port existing in its router port list, the switch adds it into its router port list and sets an aging timer for this router port.

IGMP reports

A host sends an IGMP report to the multicast router in the following circumstances:

■ Upon receiving an IGMP query, a multicast group member host responds with an IGMP report.

■ When intended to join a multicast group, a host sends an IGMP report to the multicast router to announce that it is to join the multicast group.

Upon receiving the IGMP report, the switch forwards it to all the router ports in the VLAN and performs the following to the receiving port:

■ Resolves the address of the multicast group that the host is to join and adds a forwarding entry for this port in the forwarding table.

■ Sets or resets a member port aging timer for this port.

A switch does not forward an IGMP report to a non-router port in the VLAN, for the following reason: when IGMP report suppression is enabled, member hosts of that multicast group that still exist under other non-router ports would stop sending their own IGMP reports on receiving the forwarded report. The switch would then not know that members of that multicast group are still attached to those ports.

IGMP leave messages

When an IGMPv1 host leaves a multicast group, the host does not send an IGMP leave message, so the switch cannot know immediately that the host has left the multicast group. However, because the host stops sending IGMP reports as soon as it leaves the multicast group, the switch deletes the forwarding entry for the corresponding member port from the forwarding table when the port's aging timer expires.

When an IGMPv2 or IGMPv3 host leaves a multicast group, the host sends an IGMP leave message to the multicast router to announce that it has left the multicast group.

Upon receiving an IGMP leave message, a switch forwards it to all router ports in the VLAN. Because the switch does not know whether any other member hosts of that multicast group still exist under the port on which the IGMP leave message arrived, it does not immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port.


IGMP group-specific queries

Upon receiving the IGMP leave message from a host, the IGMP querier determines the address of the multicast group that the host just left, and sends an IGMP group-specific query for that multicast group through the port on which it received the leave message.

Upon receiving the IGMP group-specific query, a switch forwards it to all the router ports in the VLAN and all member ports of that multicast group, and performs the following to the receiving port:

■ If an IGMP report for that multicast group arrives at the member port in response to the group-specific query before the port's aging timer expires, some other members of that multicast group still exist under that port: the switch resets the aging timer of the member port.

■ If no IGMP report for that multicast group arrives at the member port in response to the group-specific query before its aging timer expires, no members of that multicast group remain under the port: the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires.
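The message-handling rules described in this section, as an added Python model that is not code from this guide. It tracks router ports and member ports of one VLAN with their aging timers and records which egress ports each message is forwarded to, so the effect of a report, a leave and a group-specific query can be checked step by step. Port names, aging times and group addresses are constructed values, not this switch's defaults; the drop_unknown flag is an assumption standing in for the "dropping unknown multicast data" task listed later in the chapter.

```python
"""IGMP Snooping port-state model for one VLAN.

Added example; not code from the 3Com guide. It encodes the rules from
the text: a general query is flooded to every other port and adds or
refreshes a router port; a report goes only to router ports and sets or
resets the member port timer; a leave goes to router ports and only
resets the member timer (the entry is kept); a group-specific query goes
to router ports plus the group's member ports; expired timers remove
entries. Times are seconds on a constructed clock.
"""
from dataclasses import dataclass, field


@dataclass
class IgmpSnoopingVlan:
    vlan_ports: list                  # all ports in the VLAN (constructed names)
    router_aging: float               # router port aging time
    member_aging: float               # member port aging time
    drop_unknown: bool = False        # assumed flag: drop rather than flood unknown groups
    now: float = 0.0
    router_ports: dict = field(default_factory=dict)   # port -> timer expiry
    groups: dict = field(default_factory=dict)         # group -> {port: timer expiry}
    forwarded: list = field(default_factory=list)      # (message, [egress ports]) log

    def _age_out(self) -> None:
        """Timer expiry: drop router ports and member entries whose timers ran out."""
        for port, expiry in list(self.router_ports.items()):
            if expiry <= self.now:
                del self.router_ports[port]
        for group, members in list(self.groups.items()):
            for port, expiry in list(members.items()):
                if expiry <= self.now:
                    del members[port]
            if not members:
                del self.groups[group]

    def advance(self, seconds: float) -> None:
        self.now += seconds
        self._age_out()

    def general_query(self, in_port: str) -> None:
        """Forward to all ports except the receiving one; add or refresh the router port."""
        self.forwarded.append(("general-query", [p for p in self.vlan_ports if p != in_port]))
        self.router_ports[in_port] = self.now + self.router_aging

    def report(self, in_port: str, group: str) -> None:
        """Forward to router ports only (never to other member ports, so that hosts there
        keep reporting); add the forwarding entry and set or reset the member timer."""
        self.forwarded.append(("report", sorted(self.router_ports)))
        self.groups.setdefault(group, {})[in_port] = self.now + self.member_aging

    def leave(self, in_port: str, group: str) -> None:
        """IGMPv2/v3 leave: forward to router ports; keep the entry and only reset its
        timer, since other hosts may remain behind the port. IGMPv1 hosts send no leave."""
        self.forwarded.append(("leave", sorted(self.router_ports)))
        members = self.groups.get(group, {})
        if in_port in members:
            members[in_port] = self.now + self.member_aging

    def group_specific_query(self, in_port: str, group: str) -> None:
        """Forward to router ports and the group's member ports; a report arriving on the
        member port before expiry (see report) refreshes it, otherwise it ages out."""
        targets = set(self.router_ports) | set(self.groups.get(group, {}))
        targets.discard(in_port)
        self.forwarded.append(("group-specific-query", sorted(targets)))

    def data_egress(self, group: str, in_port: str) -> list:
        """Known group: only its member ports; unknown group: flooded to the whole VLAN
        (or dropped when the assumed drop_unknown flag is set)."""
        if group in self.groups:
            return sorted(set(self.groups[group]) - {in_port})
        if self.drop_unknown:
            return []
        return [p for p in self.vlan_ports if p != in_port]


def walkthrough() -> dict:
    """Constructed sequence: router on GE1/0/1, receiver on GE1/0/2, then leave and aging."""
    sw = IgmpSnoopingVlan(["GE1/0/1", "GE1/0/2", "GE1/0/3"], router_aging=100, member_aging=50)
    sw.general_query("GE1/0/1")                     # t=0: GE1/0/1 becomes a router port
    sw.report("GE1/0/2", "224.1.1.1")               # t=0: GE1/0/2 joins; entry expires at t=50
    known = sw.data_egress("224.1.1.1", "GE1/0/1")
    unknown = sw.data_egress("224.9.9.9", "GE1/0/1")
    sw.advance(30)
    sw.leave("GE1/0/2", "224.1.1.1")                # t=30: entry kept, timer reset to t=80
    sw.group_specific_query("GE1/0/1", "224.1.1.1")
    after_leave = dict(sw.groups["224.1.1.1"])
    sw.advance(55)                                  # t=85: no report came back, entry aged out
    member_gone = "224.1.1.1" not in sw.groups
    router_still = "GE1/0/1" in sw.router_ports     # router timer runs until t=100
    sw.advance(20)                                  # t=105: router port aged out as well
    return {"known": known, "unknown": unknown, "after_leave": after_leave,
            "member_gone": member_gone, "router_still": router_still,
            "router_ports": dict(sw.router_ports), "log": sw.forwarded}
```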

IGMP Snooping Configuration Tasks

Complete these tasks to configure IGMP Snooping:

Table 245 IGMP Snooping Configuration Tasks

Task Remarks

Configuring Basic Functions of IGMP Snooping

Enabling IGMP Snooping Required

Configuring the Version of IGMP Snooping Optional

Configuring Port Aging Timers Optional

Configuring Port Functions Configuring Static Ports Optional

Enabling Simulated Host Joining Optional

Enabling Port Fast Leave Optional

Configuring IGMP Report Suppression Optional

Configuring IGMP-Related Functions

Enabling IGMP Querier Optional

Configuring IGMP Timers Optional

Configuring Source IP Address of IGMP Queries Optional

Configuring the Function of Dropping Unknown Multicast Data Optional

Configuring a Multicast Group Policy

Configuring a Multicast Group Filter Optional

Configuring Multicast Source Port Filtering Optional

Configuring Maximum Multicast Groups that Can Pass Ports Optional

Configuring Multicast Group Replacement Optional

■ Configurations performed in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. However, configurations made in VLAN view override the corresponding configurations made in IGMP Snooping view.

■ Configurations performed in IGMP Snooping view are globally effective; configurations performed in port view are effective only for the current port; configurations performed in port group view are effective only for the ports in the current port group.

■ The system gives priority to configurations made in port view or port group view. Configurations made in IGMP Snooping view are used only if the corresponding configurations have not been made in port view or port group view.

Configuring Basic Functions of IGMP Snooping

Configuration Prerequisites

Before configuring the basic functions of IGMP Snooping, complete the following tasks:

■ Configure the corresponding VLANs

■ Configure the corresponding port groups

Before configuring the basic functions of IGMP Snooping, prepare the following data:

■ Version of IGMP Snooping

■ Aging time of router ports

■ Aging time of member ports

Enabling IGMP Snooping

Follow the steps in Table 246 to enable IGMP Snooping. Note the following:

■ Before enabling IGMP Snooping in a VLAN, enable IGMP Snooping globally in system view; otherwise the VLAN-level setting does not take effect.

■ If you enable IGMP Snooping in a specified VLAN, this function takes effect for Ethernet ports in this VLAN only.

Configuring the Version of IGMP Snooping

By configuring the IGMP Snooping version, you are actually configuring the version of IGMP messages that can be analyzed and processed by IGMP Snooping.

■ If the version is 2, IGMP Snooping can analyze and process IGMPv1 and IGMPv2 messages but cannot analyze or process IGMPv3 messages; IGMPv3 messages are then broadcast in the VLAN instead of being used to build forwarding entries.

■ If the version is 3, IGMP Snooping can analyze and process IGMPv1, IGMPv2 and IGMPv3 messages.
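To make the version distinction concrete, the following Python is an added example (not 3Com code and not taken from this guide). It decodes IGMPv1, IGMPv2 and IGMPv3 messages, verifies the IGMP checksum, and reports whether a switch snooping at version 2 or 3 would process a given message or flood it in the VLAN. The messages it decodes are constructed inline with the builder functions at the bottom; field layouts follow RFC 2236 and RFC 3376.

```python
"""IGMP decoder and snooping-version check. Added example, not 3Com code."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# IGMP type codes (RFC 1112, RFC 2236, RFC 3376)
MEMBERSHIP_QUERY, V1_REPORT, V2_REPORT, V2_LEAVE, V3_REPORT = 0x11, 0x12, 0x16, 0x17, 0x22

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a message whose checksum is valid sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

@dataclass
class IgmpMessage:
    kind: str                  # general-query, group-specific-query, report or leave
    version: int               # IGMP version implied by the encoding
    group: str
    max_resp_time: float       # seconds; meaningful for queries only
    sources: list = field(default_factory=list)   # IGMPv3 query source list
    records: list = field(default_factory=list)   # IGMPv3 report records: (type, group, sources)

def v3_max_resp_seconds(code: int) -> float:
    """RFC 3376 4.1.1: a Max Resp Code below 128 is tenths of a second, otherwise float-encoded."""
    if code < 128:
        return code / 10
    mant, exp = code & 0x0F, (code >> 4) & 0x07
    return ((mant | 0x10) << (exp + 3)) / 10

def _addrs(buf: bytes, off: int, n: int) -> list:
    return [str(IPv4Address(buf[off + 4 * i:off + 4 * i + 4])) for i in range(n)]

def parse_igmp(msg: bytes) -> IgmpMessage:
    """Decode one IGMP message (the IP payload); raises ValueError on bad length or checksum."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    mtype, code, group = msg[0], msg[1], str(IPv4Address(msg[4:8]))
    if mtype == MEMBERSHIP_QUERY:
        kind = "general-query" if group == "0.0.0.0" else "group-specific-query"
        if len(msg) >= 12:     # an IGMPv3 query also carries S/QRV, QQIC and a source list
            nsrc = struct.unpack("!H", msg[10:12])[0]
            return IgmpMessage(kind, 3, group, v3_max_resp_seconds(code), _addrs(msg, 12, nsrc))
        return IgmpMessage(kind, 1 if code == 0 else 2, group, code / 10)  # IGMPv1 zeroes the field
    if mtype in (V1_REPORT, V2_REPORT):
        return IgmpMessage("report", 1 if mtype == V1_REPORT else 2, group, 0.0)
    if mtype == V2_LEAVE:
        return IgmpMessage("leave", 2, group, 0.0)
    if mtype == V3_REPORT:
        nrec, off, recs = struct.unpack("!H", msg[6:8])[0], 8, []
        for _ in range(nrec):
            rtype, auxlen, nsrc = struct.unpack("!BBH", msg[off:off + 4])
            recs.append((rtype, str(IPv4Address(msg[off + 4:off + 8])), _addrs(msg, off + 8, nsrc)))
            off += 8 + 4 * nsrc + 4 * auxlen
        return IgmpMessage("report", 3, "0.0.0.0", 0.0, records=recs)
    raise ValueError(f"unknown IGMP type 0x{mtype:02x}")

def is_valid_igmp(msg: bytes) -> bool:
    try:
        parse_igmp(msg)
        return True
    except ValueError:
        return False

def snooper_action(msg: IgmpMessage, snooping_version: int) -> str:
    """A version-2 snooper cannot parse IGMPv3 messages and floods them in the VLAN."""
    return "flood" if msg.version == 3 and snooping_version < 3 else "process"

# Builders for constructed test messages; the checksum is computed over the whole message.
def _finish(hdr: bytes, body: bytes = b"") -> bytes:
    msg = bytearray(hdr + body)
    struct.pack_into("!H", msg, 2, inet_checksum(bytes(msg)))
    return bytes(msg)

def build_v2_query(group: str = "0.0.0.0", max_resp_tenths: int = 100) -> bytes:
    return _finish(struct.pack("!BBH4s", MEMBERSHIP_QUERY, max_resp_tenths, 0, IPv4Address(group).packed))

def build_v2_report(group: str, leave: bool = False) -> bytes:
    return _finish(struct.pack("!BBH4s", V2_LEAVE if leave else V2_REPORT, 0, 0, IPv4Address(group).packed))

def build_v3_query(group: str, sources: list, max_resp_code: int = 100, qqic: int = 125) -> bytes:
    hdr = struct.pack("!BBH4sBBH", MEMBERSHIP_QUERY, max_resp_code, 0,
                      IPv4Address(group).packed, 0x02, qqic, len(sources))  # S=0, QRV=2
    return _finish(hdr, b"".join(IPv4Address(s).packed for s in sources))

def build_v3_report(records: list) -> bytes:
    """records: (record_type, group, [sources]); type 1 = MODE_IS_INCLUDE, 4 = CHANGE_TO_EXCLUDE."""
    body = b"".join(struct.pack("!BBH4s", rt, 0, len(srcs), IPv4Address(g).packed)
                    + b"".join(IPv4Address(s).packed for s in srcs) for rt, g, srcs in records)
    return _finish(struct.pack("!BBHHH", V3_REPORT, 0, 0, 0, len(records)), body)
```

A source-specific join such as the (1.1.1.1, 224.1.1.1) entry shown later in this chapter only exists as an IGMPv3 group record, which is why the static source/group and simulated-host source/group features require IGMP Snooping version 3: a version-2 snooper returns "flood" for such a report and learns nothing from it.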

Table 246 Enabling IGMP Snooping

1 Enter system view: system-view
2 Enable IGMP Snooping globally and enter IGMP Snooping view: igmp-snooping (required; not globally enabled by default)
3 Exit IGMP Snooping view: quit
4 Enter VLAN view: vlan vlan-id
5 Enable IGMP Snooping in the VLAN: igmp-snooping enable (required; not enabled in a VLAN by default)

CHAPTER 32: IGMP SNOOPING CONFIGURATION

Follow the steps in Table 247 to configure the version of IGMP Snooping.

CAUTION: If you switch IGMP Snooping from version 3 to version 2, the system automatically deletes all IGMP Snooping entries and reapplies the static configurations that remain valid.

Configuring Port Aging Timers

If the switch receives neither an IGMP general query nor a PIM hello message on a router port before that port's aging timer expires, the switch deletes the port from the router port list when the timer times out.

If the switch receives no IGMP report for a multicast group on a member port before that port's aging timer expires, the switch deletes the port from the forwarding entry of that multicast group when the timer times out.

If multicast group memberships change frequently, you can set a relatively small value for the member port aging timer, and vice versa.

Configuring port aging timers globally

Follow the steps in Table 248 to configure port aging timers globally.

Configuring port aging timers in a VLAN

Follow the steps in Table 249 to configure port aging timers in a VLAN.

Table 247 Configuring the Version of IGMP Snooping

1 Enter system view: system-view
2 Enter VLAN view: vlan vlan-id
3 Configure the version of IGMP Snooping: igmp-snooping version version-number (optional; version 2 by default)

Table 248 Configuring port aging timers globally

1 Enter system view: system-view
2 Enter IGMP Snooping view: igmp-snooping
3 Configure the router port aging time: router-aging-time seconds (optional; 180 seconds by default)
4 Configure the member port aging time: host-aging-time seconds (optional; 260 seconds by default)

Table 249 Configuring port aging timers in a VLAN

1 Enter system view: system-view
2 Enter VLAN view: vlan vlan-id
3 Configure the router port aging time: igmp-snooping router-aging-time seconds (optional; 180 seconds by default)
4 Configure the member port aging time: igmp-snooping host-aging-time seconds (optional; 260 seconds by default)


Configuring Port Functions

Configuration Prerequisites

Before configuring port functions, complete the following tasks:

■ Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface

Before configuring port functions, prepare the following data:

■ Multicast group and multicast source addresses

■ Whether to enable port fast leave function

■ Whether to enable IGMP report suppression

Configuring Static Ports

If the host attached to a port needs to receive multicast data addressed to a particular multicast group or from a particular multicast source/group, you can configure this port to be a static member port of that multicast group or multicast source/group.

In a network with a stable topology structure, you can configure router ports of a switch into static router ports, through which the switch can receive IGMP messages from routers or Layer 3 switches.

Follow the steps in Table 250 to configure static ports. Note the following:

■ The function of static joining to a multicast source/group is available only for IGMP Snooping version 3.

■ When you configure or remove a port as a static member port of a multicast group or multicast source/group, the port will not initiate an IGMP report or an IGMP leave message.

■ Static member ports and static router ports never age out. To delete such a port, you need to use the corresponding command.

Enabling Simulated Host Joining

Generally, a host running IGMP responds to IGMP queries from a multicast router. If a host fails to respond for some reason, the multicast router concludes that no member of the multicast group exists on the network segment and removes the corresponding forwarding path.

Table 250 Configuring Static Ports

1 Enter system view: system-view
2 Enter Ethernet port view: interface interface-type interface-number, or enter port group view: port-group { manual port-group-name | aggregation agg-id } (use either command)
3 Configure a static member port: igmp-snooping static-group group-address [ source-ip source_address ] vlan vlan-id (required; disabled by default)
4 Configure a static router port: igmp-snooping static-router-port vlan vlan-id (required; disabled by default)


To prevent this, you can configure a port of the switch as a member of the multicast group. When an IGMP query arrives, that member port responds, so the switch continues to receive the multicast data.

A simulated host can implement the following multicast functions of a real host:

■ When simulated host joining is enabled on an Ethernet port, the simulated host sends an IGMP report on that port.

■ When the simulated host receives an IGMP general query, it responds with an IGMP report.

■ When simulated host joining is disabled on an Ethernet port, the simulated host sends an IGMP leave message on that port.

Follow the steps in Table 251 to enable simulated host joining. Note the following:

■ Each simulated host is equivalent to an independent host: when an IGMP query arrives, the simulated host corresponding to each configuration responds separately.

■ The IGMP version of the simulated host is the same as the IGMP Snooping version currently running on the device.

Enabling Port Fast Leave

By default, when the switch receives an IGMP leave message from a host announcing that it is leaving a multicast group, it does not delete the port from the multicast forwarding table immediately. Instead, it sends an IGMP group-specific query through the receiving port, and deletes the port from the forwarding table only if no report arrives within the waiting time.

With port fast leave enabled, when the switch receives an IGMP leave message from a host announcing that it is leaving a multicast group, it deletes the port from the forwarding table immediately. From then on, the switch does not forward IGMP queries specific to that multicast group to the port. Enable fast leave only on ports that connect a single receiver: if several hosts share the port (for example through a hub or an unmanaged switch), a leave from one of them cuts off the others until they report again.

Table 251 Enabling Simulated Host Joining

1 Enter system view: system-view
2 Enter Ethernet port view: interface interface-type interface-number, or enter port group view: port-group { manual port-group-name | aggregation agg-id } (use either command)
3 Enable simulated host joining to a multicast group or multicast source/group: igmp-snooping host-join group-address [ source-ip source_address ] vlan vlan-id (required; disabled by default)


Configuring port fast leave globally

Follow the steps in Table 252 to configure port fast leave globally.

Configuring fast leave on a port or a group of ports

Follow the steps in Table 253 to configure fast leave on a port or a group of ports.

Configuring IGMP Report Suppression

When a Layer 2 device receives an IGMP report from a multicast group member, it forwards the report to the Layer 3 device directly connected to it. Thus, when multiple members of the same multicast group exist on the Layer 2 device, the directly connected Layer 3 device receives identical IGMP reports from each of them.

With IGMP report suppression enabled, within one query interval the Layer 2 device forwards only the first IGMP report for a multicast group to the Layer 3 device and discards the remaining reports for the same group.

Follow the steps in Table 254 to configure IGMP report suppression.

Table 252 Configuring port fast leave globally

1 Enter system view: system-view
2 Enter IGMP Snooping view: igmp-snooping
3 Enable port fast leave: fast-leave [ vlan vlan-list ] (required; disabled by default)

Table 253 Configuring fast leave on a port or a group of ports

1 Enter system view: system-view
2 Enter Ethernet port view: interface interface-type interface-number, or enter port group view: port-group { manual port-group-name | aggregation agg-id } (use either command)
3 Enable port fast leave: igmp-snooping fast-leave [ vlan vlan-list ] (required; disabled by default)

Table 254 Configuring IGMP Report Suppression

1 Enter system view: system-view
2 Enter IGMP Snooping view: igmp-snooping
3 Enable IGMP report suppression: report-aggregation (optional; enabled by default)


Configuring IGMP-Related Functions

Configuration Prerequisites

Before configuring IGMP-related functions, complete the following tasks:

■ Enable IGMP Snooping in the VLAN

Before configuring IGMP-related functions, prepare the following data:

■ IGMP general query interval

■ IGMP last-member query interval

■ Maximum response time for IGMP general queries

■ Source address of IGMP general queries

■ Source address of IGMP group-specific queries

■ Whether to enable the function of dropping unknown multicast data

Enabling IGMP Snooping Querier

On a multicast network running IGMP, a Layer 3 multicast device may exist that serves as an IGMP querier responsible for sending IGMP query messages.

On a network without Layer 3 multicast device, however, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To address this issue, you can enable an IGMP Snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at data link layer, thereby implementing IGMP querier-related functions.

Follow the steps in Table 255 to configure the IGMP Snooping querier.

CAUTION:

■ An IGMP Snooping querier does not take part in IGMP querier election.

■ Configuring an IGMP Snooping querier on a multicast network that already runs IGMP is pointless, and it can disrupt IGMP querier election: the IGMP Snooping querier sends its general queries from a very low source IP address (0.0.0.0 unless you configure one, see Table 258), and a router that receives a query from a lower address than its own stops acting as querier.

Table 255 Enabling IGMP Snooping Querier

1 Enter system view: system-view
2 Enter VLAN view: vlan vlan-id
3 Enable the IGMP Snooping querier in the VLAN: igmp-snooping querier (required; disabled by default)


Configuring IGMP Timers

You can tune the IGMP general query interval based on actual condition of the network.

Upon receiving an IGMP query (general query or group-specific query), a host starts a timer for each multicast group it has joined. The timer is initialized to a random value between 0 and the maximum response time, which the host takes from the Max Response Time field of the query it received. When the timer reaches 0, the host sends an IGMP report for the corresponding multicast group.

An appropriate maximum response time for IGMP queries lets hosts respond quickly while avoiding bursts of IGMP traffic caused by a large number of hosts whose timers expire at the same time.

■ For IGMP general queries, you can configure the maximum response time to fill their Max Response time field.

■ For IGMP group-specific queries, you can configure the IGMP last-member query interval to fill their Max Response time field. Namely, for IGMP group-specific queries, the maximum response time equals to the IGMP last-member query interval.

Configuring IGMP timers globally

Follow the steps in Table 256 to configure IGMP timers globally.

Configuring IGMP timers in a VLAN

Follow the steps in Table 257 to configure IGMP timers in a VLAN.

CAUTION: In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries.

Table 256 Configuring IGMP timers globally

1 Enter system view: system-view
2 Enter IGMP Snooping view: igmp-snooping
3 Configure the maximum response time for IGMP general queries: max-response-time seconds (optional; 10 seconds by default)
4 Configure the IGMP last-member query interval: last-member-query-interval seconds (optional; 1 second by default)

Table 257 Configuring IGMP timers in a VLAN

1 Enter system view: system-view
2 Enter VLAN view: vlan vlan-id
3 Configure the IGMP general query interval: igmp-snooping query-interval seconds (optional; 60 seconds by default)
4 Configure the maximum response time for IGMP general queries: igmp-snooping max-response-time seconds (optional; 10 seconds by default)
5 Configure the IGMP last-member query interval: igmp-snooping last-member-query-interval seconds (optional; 1 second by default)


Configuring Source IP Address of IGMP Queries

We recommend that you configure a valid IP address as the source IP address of IGMP queries to prevent some switches from automatically dropping messages whose source IP address is 0.0.0.0.

Follow the steps in Table 258 to configure the source IP address of IGMP queries.

CAUTION: The source address of IGMP query messages may affect IGMP querier selection within the segment.

Configuring the Function of Dropping Unknown Multicast Data

Unknown multicast data is multicast data for which no forwarding entry exists in the corresponding multicast forwarding table. Unless this function is enabled, unknown multicast data is flooded to all ports in the VLAN, so every host in the VLAN receives it.

Follow the steps in Table 259 to enable dropping of unknown multicast data in a VLAN.

Table 258 Configuring Source IP Address of IGMP Queries

1 Enter system view: system-view
2 Enter VLAN view: vlan vlan-id
3 Configure the source IP address of IGMP general queries: igmp-snooping general-query source-ip { current-interface | ip-address } (optional; 0.0.0.0 by default)
4 Configure the source IP address of IGMP group-specific queries: igmp-snooping special-query source-ip { current-interface | ip-address } (optional; 0.0.0.0 by default)

Table 259 Configuring the Function of Dropping Unknown Multicast Data

1 Enter system view: system-view
2 Enter VLAN view: vlan vlan-id
3 Enable dropping of unknown multicast data: igmp-snooping drop-unknown (required; disabled by default)


Configuring a Multicast Group Policy

Configuration Prerequisites

Before configuring a multicast group filtering policy, complete the following tasks:

■ Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface

Before configuring a multicast group filtering policy, prepare the following data:

■ ACL rule for multicast group filtering

■ Whether to enable multicast source port filtering

■ The maximum number of multicast groups that can pass the ports

■ Whether to enable multicast group replacement

Configuring a Multicast Group Filter

On an IGMP Snooping-enabled switch, a multicast group filter allows the service provider to limit the multicast programs available to different users, so that video on demand (VOD) users can be differentiated by program group.

In actual application, when a user requests a multicast program, the user’s host initiates an IGMP report. After the message reaches the switch, the switch checks the report against the ACL rule configured on the receiving port. If this port can join this multicast group, the switch adds this port to the IGMP Snooping multicast group list; otherwise the switch drops this report message. Thus, the multicast data will not be sent to this port. In this way, the service provider can control the VOD programs provided for multicast users.

Configuring a multicast group filter globally

Follow the steps in Table 260 to configure a multicast group filter globally.

Table 260 Configuring a multicast group filter globally

1 Enter system view: system-view
2 Enter IGMP Snooping view: igmp-snooping
3 Configure a multicast group filter: group-policy acl-number [ vlan vlan-list ] (required; no filter configured by default)


Configuring a multicast group filter on a port or a group of ports

Follow the steps in Table 261 to configure a multicast group filter on a port or a group of ports.

Configuring Multicast Source Port Filtering

When multicast source port filtering is enabled on a port, the switch drops all multicast data received on that port but still accepts IGMP messages on it. The port can therefore connect only multicast receivers, not multicast sources, which prevents a host on a user port from injecting multicast streams into the VLAN.

Configuring multicast source port filtering globally

Follow the steps in Table 262 to configure multicast source port filtering globally.

Configuring multicast source port filtering on a port or a group ports

Follow the steps in Table 263 to configure multicast source port filtering on a port or a group of ports.

Configuring Maximum Multicast Groups that Can Pass Ports

By configuring the maximum number of multicast groups that can pass a port or a group of ports, you can limit the number of multicast programs available to VOD users and thus control the port bandwidth.

When the number of multicast groups an Ethernet port has joined exceeds the configured maximum, the system deletes all IGMP Snooping entries related to that port and starts adding entries for that port to the IGMP Snooping multicast group list again.

Table 261 Configuring a multicast group filter on a port or a group of ports

1 Enter system view: system-view
2 Enter Ethernet port view: interface interface-type interface-number, or enter port group view: port-group { manual port-group-name | aggregation agg-id } (use either command)
3 Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ] (required; no filter configured by default)

Table 262 Configuring multicast source port filtering globally

1 Enter system view: system-view
2 Enter IGMP Snooping view: igmp-snooping
3 Enable multicast source port filtering: source-deny port interface-list (required; disabled by default)

Table 263 Configuring multicast source port filtering on a port or a group of ports

1 Enter system view: system-view
2 Enter Ethernet port view: interface interface-type interface-number, or enter port group view: port-group { manual port-group-name | aggregation agg-id } (use either command)
3 Enable multicast source port filtering: igmp-snooping source-deny (required; disabled by default)


Follow the steps in Table 264 to configure the maximum number of multicast groups that can pass the port(s).

If a port has been configured as a static member port or simulated host joining has been enabled on it, the system deletes all IGMP Snooping entries related to that port and then reapplies these static and simulated-host configurations, until the number of multicast groups the port has joined exceeds the configured maximum again.

Configuring Multicast Group Replacement

In some cases the number of multicast groups passing through a switch or an Ethernet port may exceed the number configured for the switch or the port. To handle this, you can enable multicast group replacement on the switch or on particular Ethernet ports. When the number of multicast groups an Ethernet port has joined exceeds the limit:

■ If the multicast group replacement is enabled, the newly joined multicast group automatically replaces an existing multicast group with the lowest address.

■ If the multicast group replacement is not enabled, new IGMP reports will be automatically discarded.
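As an added illustration (not 3Com code and not from this guide), the following Python models one VLAN's IGMP Snooping table and ties together the behaviours this chapter describes: router and member port aging (180 and 260 seconds by default), static ports that never age, the default leave handling versus fast leave, the ACL check of a group policy (modelled as a Python predicate), group-limit with and without overflow-replace, and flooding versus dropping of unknown multicast data. When the limit is reached without replacement it follows the rule stated just above, discarding the new report. Port names, timestamps and the predicate are assumptions for the example.

```python
"""Toy IGMP Snooping table for one VLAN. Added example, not 3Com code."""
from ipaddress import IPv4Address


class SnoopingVlan:
    def __init__(self, ports, *, router_aging=180, host_aging=260,
                 last_member_query_interval=1, fast_leave=False, group_limit=128,
                 overflow_replace=False, drop_unknown=False, group_policy=None):
        self.ports = set(ports)
        self.router_aging, self.host_aging = router_aging, host_aging
        self.lmqi, self.fast_leave = last_member_query_interval, fast_leave
        self.group_limit, self.overflow_replace = group_limit, overflow_replace
        self.drop_unknown = drop_unknown
        # group_policy(port, group) stands in for the ACL applied with group-policy
        self.group_policy = group_policy or (lambda port, group: True)
        self.router_ports = {}   # port -> expiry time; None means static (never ages)
        self.members = {}        # IPv4Address(group) -> {port: expiry time or None}

    def joined(self, port):
        return {g for g, m in self.members.items() if port in m}

    def groups(self):
        return sorted(str(g) for g in self.members)

    def add_static_router_port(self, port):
        self.router_ports[port] = None

    def add_static_member(self, port, group):
        self.members.setdefault(IPv4Address(group), {})[port] = None

    def on_query_or_pim_hello(self, port, now):
        """An IGMP general query or PIM hello (re)learns the ingress port as a router port."""
        if self.router_ports.get(port, 0) is not None:
            self.router_ports[port] = now + self.router_aging

    def on_report(self, port, group, now):
        group = IPv4Address(group)
        if not self.group_policy(port, group):
            return "dropped-by-policy"
        joined = self.joined(port)
        if group not in joined and len(joined) >= self.group_limit:
            if not self.overflow_replace:
                return "dropped-over-limit"
            self._remove(port, min(joined))      # replace the group with the lowest address
        entry = self.members.setdefault(group, {})
        if entry.get(port, 0) is not None:       # a static entry keeps its never-age marker
            entry[port] = now + self.host_aging
        return "joined"

    def on_leave(self, port, group, now):
        group = IPv4Address(group)
        entry = self.members.get(group, {})
        if port not in entry or entry[port] is None:
            return "ignored"                     # not a dynamic member of that group
        if self.fast_leave:
            self._remove(port, group)
            return "removed"
        # Default: a group-specific query goes out and the port survives only
        # if a report arrives within the last-member query interval.
        entry[port] = now + self.lmqi
        return "queried"

    def age(self, now):
        for p, exp in list(self.router_ports.items()):
            if exp is not None and exp <= now:
                del self.router_ports[p]
        for g in list(self.members):
            for p, exp in list(self.members[g].items()):
                if exp is not None and exp <= now:
                    self._remove(p, g)

    def _remove(self, port, group):
        self.members[group].pop(port, None)
        if not self.members[group]:
            del self.members[group]

    def egress(self, in_port, group):
        """Ports that receive a data frame for group that arrived on in_port."""
        group = IPv4Address(group)
        if group in self.members:
            out = set(self.members[group]) | set(self.router_ports)
        elif self.drop_unknown:
            out = set()
        else:
            out = set(self.ports)                 # unknown multicast is flooded in the VLAN
        return sorted(out - {in_port})
```

The egress() method is the part worth studying: with drop_unknown left at its default, a group nobody has joined still reaches every port in the VLAN, which is exactly the symptom the troubleshooting section at the end of this chapter attributes to a missing drop-unknown.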

Configuring multicast group replacement globally

Follow the steps in Table 265 to configure multicast group replacement globally.

Table 264 Configuring Maximum Multicast Groups that Can Pass Ports

1 Enter system view: system-view
2 Enter Ethernet port view: interface interface-type interface-number, or enter port group view: port-group { manual port-group-name | aggregation agg-id } (use either command)
3 Configure the maximum number of multicast groups that can pass the port(s): igmp-snooping group-limit limit [ vlan vlan-list ] (optional; 128 by default)

Table 265 Configuring multicast group replacement globally

1 Enter system view: system-view
2 Enter IGMP Snooping view: igmp-snooping
3 Configure multicast group replacement: overflow-replace [ vlan vlan-list ] (required; disabled by default)


Configuring multicast group replacement on a port or a group of ports

Follow the steps in Table 266 to configure multicast group replacement on a port or a group of ports.

Displaying and Maintaining IGMP Snooping

The reset igmp-snooping group command works only on an IGMP Snooping–enabled VLAN, but not on a VLAN with IGMP enabled on its VLAN interface.

Table 266 Configuring multicast group replacement on a port or a group of ports

1 Enter system view: system-view
2 Enter Ethernet port view: interface interface-type interface-number, or enter port group view: port-group { manual port-group-name | aggregation agg-id } (use either command)
3 Configure multicast group replacement: igmp-snooping overflow-replace [ vlan vlan-list ] (required; disabled by default)

Table 267 Displaying and Maintaining IGMP Snooping

View the multicast groups learned by IGMP Snooping: display igmp-snooping group [ vlan vlan-id ] [ verbose ] (available in any view)
View statistics of the IGMP messages processed by IGMP Snooping: display igmp-snooping statistics (available in any view)
Clear IGMP Snooping entries: reset igmp-snooping group { group-address | all } [ vlan vlan-id ] (available in user view)
Clear the statistics of all kinds of IGMP messages processed by IGMP Snooping: reset igmp-snooping statistics (available in user view)


IGMP Snooping Configuration Examples

Simulated Host Joining

Network requirements

After the configuration, Host A and Host B can receive multicast data sent from source 1.1.1.1/24 to multicast group 224.1.1.1, regardless of whether they have joined the multicast group 224.1.1.1 themselves.

Network diagram

Figure 107 Network diagram for simulated host joining configuration

Configuration procedure

1 Configuring a VLAN

a Create VLAN 100.

<SwitchA>system-view
[SwitchA] vlan 100

b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/4 to VLAN 100.

[SwitchA-vlan100] port GigabitEthernet1/0/1 to GigabitEthernet1/0/4
[SwitchA-vlan100] quit

2 Enabling simulated host joining to a multicast source/group

a Enable IGMP Snooping in VLAN 100 and set its version to 3.

[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] igmp-snooping version 3
[SwitchA-vlan100] quit

(Figure 107 is not reproduced here. Its labels are: Source 1.1.1.1/24, Multicast Packets, Router A, Switch A with ports GigabitEthernet 1/0/1 through 1/0/4, Host A, Host B, Host C and Receiver.)


b Enable the simulated host to join the multicast source/group on GigabitEthernet1/0/3 and GigabitEthernet1/0/4.

[SwitchA] interface GigabitEthernet1/0/3
[SwitchA-GigabitEthernet1/0/3] igmp-snooping host-join 224.1.1.1 source-ip 1.1.1.1 vlan 100
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface GigabitEthernet1/0/4
[SwitchA-GigabitEthernet1/0/4] igmp-snooping host-join 224.1.1.1 source-ip 1.1.1.1 vlan 100
[SwitchA-GigabitEthernet1/0/4] quit

3 Verifying the configuration

a View the detailed information of the multicast group in VLAN 100.

[SwitchA] display igmp-snooping group vlan 100 verbose
  Total 1 IP Group(s).
  Total 1 IP Source(s).
  Total 1 MAC Group(s).

  Port flags: D-Dynamic port, S-Static port, A-Aggregation port, C-Copy port
  Subvlan flags: R-Real VLAN, C-Copy VLAN
  Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 1 port.
            GigabitEthernet 1/0/1               (D) ( 00:01:30 )
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (1.1.1.1, 224.1.1.1):
          Attribute:    Host Port
          Host port(s):total 2 port.
            GigabitEthernet 1/0/3               (D) ( 00:03:23 )
            GigabitEthernet 1/0/4               (D) ( 00:03:23 )
    MAC group(s):
      MAC group address:0100-5e01-0101
          Host port(s):total 2 port.
            GigabitEthernet 1/0/3
            GigabitEthernet 1/0/4


Static Router Port Configuration

Network requirements

No multicast protocol is running on Router B. After the configuration, Switch A should be able to forward multicast data to the router.

Network diagram

Figure 108 Network diagram for static router port configuration

Configuration procedure

1 Configuring a VLAN

a Create VLAN 100.

<SwitchA>system-view
[SwitchA] vlan 100

b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/4 to VLAN 100.

[SwitchA-vlan100] port GigabitEthernet1/0/1 to GigabitEthernet1/0/4
[SwitchA-vlan100] quit

2 Configuring a static router port

a Enable IGMP Snooping in VLAN 100.

[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] quit

b Configure GigabitEthernet1/0/4 as a static router port.

[SwitchA] interface GigabitEthernet1/0/4
[SwitchA-GigabitEthernet1/0/4] igmp-snooping static-router-port vlan 100
[SwitchA-GigabitEthernet1/0/4] quit

3 Verifying the configuration

a View the detailed information of the multicast group in VLAN 100.

[SwitchA] display igmp-snooping group vlan 100 verbose
  Total 1 IP Group(s).
  Total 1 IP Source(s).
  Total 1 MAC Group(s).

  Port flags: D-Dynamic port, S-Static port, A-Aggregation port, C-Copy port
  Subvlan flags: R-Real VLAN, C-Copy VLAN
  Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
            GigabitEthernet1/0/1                (D) ( 00:01:30 )
            GigabitEthernet1/0/4                (S) ( 00:01:30 )
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (1.1.1.1, 224.1.1.1):
          Attribute:    Host Port
          Host port(s):total 1 port.
            GigabitEthernet1/0/3                (D) ( 00:03:23 )
    MAC group(s):
      MAC group address:0100-5e01-0101
          Host port(s):total 1 port.
            GigabitEthernet1/0/3

(Figure 108 is not reproduced here. Its labels are: Source 1.1.1.1/24, Multicast Packets, Router A, Router B, Switch A with ports GigabitEthernet 1/0/1 through 1/0/4, Host A, Host B and Receiver.)

Troubleshooting IGMP Snooping Configuration

Switch Fails in Layer 2 Multicast Forwarding

Symptom A switch fails to implement Layer 2 multicast forwarding.

Analysis IGMP Snooping is not enabled.

Solution

1 Use the display current-configuration command to view the running status of IGMP Snooping.

2 If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally and then use igmp-snooping enable command to enable IGMP Snooping in VLAN view.

3 If IGMP Snooping is disabled only for the corresponding VLAN, just use the igmp-snooping enable command in VLAN view to enable IGMP Snooping in the corresponding VLAN.


Configured Multicast Group Policy Fails to Take Effect

Symptom Although a multicast group policy has been configured to allow hosts to join specific multicast groups, the hosts can still receive multicast data from other groups than these multicast groups.

Analysis ■ The ACL rule is incorrectly configured

■ The multicast group policy is not applied

■ The function of dropping unknown multicast data is not enabled, so unknown multicast data is broadcast

■ Certain ports have been configured as static member ports of multicast groups, and this configuration conflicts with the configured multicast group policy.

Solution

1 Use the display acl command to check the configured ACL rule. Make sure that the ACL rule conforms to the multicast group policy to be implemented.

2 Use the display this command to check whether the multicast group policy has been applied. If not, use the igmp-snooping group-policy command to apply it.

3 Use the display current-configuration command to check whether the function of dropping unknown multicast data is enabled. If not, use the drop-unknown or igmp-snooping drop-unknown command to enable it.

4 Use the display igmp-snooping group command to check whether any port has been configured as a static member port of any multicast group. If so, check whether this configuration conflicts with the configured multicast group policy. If any conflict exists, remove the configuration.
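The checks in this troubleshooting section can be run mechanically against a saved display current-configuration output. The Python below is an added example, not 3Com tooling; it assumes the Comware-style layout in which views are separated by "#" lines and commands are indented, and the configuration text it inspects is constructed for the example from the commands documented in this chapter. It flags a missing global igmp-snooping, VLANs that snoop without drop-unknown, a snooping querier still sending from 0.0.0.0, ports without a group-limit, and static or simulated membership that coexists with a group-policy.

```python
"""Audit an IGMP Snooping configuration dump. Added example, not 3Com code."""

# Constructed sample, not taken from a switch. The VLAN 100 and GigabitEthernet1/0/3
# sections are deliberately weak; VLAN 200 and GigabitEthernet1/0/4 are the hardened form.
SAMPLE_CONFIG = """\
#
 igmp-snooping
#
vlan 100
 igmp-snooping enable
 igmp-snooping version 3
 igmp-snooping querier
#
vlan 200
 igmp-snooping enable
 igmp-snooping drop-unknown
 igmp-snooping general-query source-ip 10.0.0.1
#
interface GigabitEthernet1/0/3
 igmp-snooping host-join 224.1.1.1 source-ip 1.1.1.1 vlan 100
#
interface GigabitEthernet1/0/4
 igmp-snooping fast-leave
 igmp-snooping group-limit 16 vlan 200
 igmp-snooping group-policy 2000 vlan 200
 igmp-snooping source-deny
#
"""


def parse_sections(config: str):
    """Split a Comware-style configuration into (view, [commands]) pairs. Views are
    separated by '#' lines; a section whose first line starts with 'vlan' or 'interface'
    belongs to that view, anything else is treated as system/IGMP Snooping view."""
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return [(cmds[0], cmds[1:]) if cmds[0].startswith(("vlan ", "interface "))
            else ("global", cmds) for cmds in sections]


def audit(config: str):
    """Return (severity, view, message) findings for the IGMP Snooping configuration."""
    findings = []
    sections = parse_sections(config)
    global_cmds = [c for view, cmds in sections if view == "global" for c in cmds]
    if "igmp-snooping" not in global_cmds:
        findings.append(("high", "global",
                         "igmp-snooping is not enabled globally, so igmp-snooping enable in VLAN view has no effect"))
    has_policy = any(c.startswith(("group-policy", "igmp-snooping group-policy"))
                     for _, cmds in sections for c in cmds)
    for view, cmds in sections:
        if view.startswith("vlan ") and "igmp-snooping enable" in cmds:
            if "igmp-snooping drop-unknown" not in cmds and "drop-unknown" not in global_cmds:
                findings.append(("medium", view,
                                 "drop-unknown is not enabled: unknown multicast data is flooded to every port in the VLAN"))
            if "igmp-snooping querier" in cmds and not any(
                    c.startswith("igmp-snooping general-query source-ip") for c in cmds):
                findings.append(("medium", view,
                                 "the snooping querier sends general queries from 0.0.0.0; set igmp-snooping general-query source-ip"))
        elif view.startswith("interface "):
            if not any(c.startswith("igmp-snooping group-limit") for c in cmds):
                findings.append(("low", view,
                                 "no igmp-snooping group-limit: the port may join the default maximum of 128 groups"))
            if has_policy and any(c.startswith(("igmp-snooping static-group", "igmp-snooping host-join"))
                                  for c in cmds):
                findings.append(("medium", view,
                                 "static-group or host-join membership is not driven by IGMP reports, so the group-policy ACL does not check it and the two may conflict"))
    return findings


def findings_for(config: str, view: str):
    """Messages raised for one view, sorted for stable comparison."""
    return sorted(msg for _, v, msg in audit(config) if v == view)
```

Run against SAMPLE_CONFIG, audit() reports nothing for vlan 200 or GigabitEthernet1/0/4 and lists the flooding and 0.0.0.0 querier issues for vlan 100 plus the missing group-limit and the host-join/policy conflict on GigabitEthernet1/0/3; removing the global igmp-snooping line adds the high-severity finding that explains the first troubleshooting symptom above.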


33 MULTICAST VLAN CONFIGURATION

Multicast VLAN

In the current multicast-on-demand mode, when users in different VLANs request the same service, the multicast flow is duplicated into each VLAN. This mode wastes a great deal of bandwidth.

By configuring multicast VLAN, you can add switch ports to a multicast VLAN and enable IGMP Snooping to allow users in different VLANs to share the same multicast VLAN, with the multicast flow transferred in only one multicast VLAN, thus saving bandwidth.

Because the multicast VLAN is isolated from the user VLANs, user traffic and multicast traffic are kept apart and the multicast flow has enough bandwidth, so the multicast VLAN function ensures continuous delivery of the multicast stream to users.

Configuring Multicast VLAN

Multicast VLAN configuration tasks include:

■ Create a VLAN.

■ Globally enable IGMP-Snooping.

■ Enable multicast VLAN.

■ Configure the relationship between a multicast VLAN and multicast sub-VLANs.

To delete a configuration, use the corresponding undo command.

CAUTION:

■ You cannot configure a multicast VLAN as a multicast sub-VLAN.

■ You cannot configure a multicast sub-VLAN as a multicast VLAN.

■ A multicast sub-VLAN can correspond to only one multicast VLAN.

■ If you have enabled multicast routing in the system by means of the multicast-routing-enable command, you cannot configure the multicast VLAN function.

Table 268 Configure multicast VLAN

Operation | Command | Description
Enter system view | system-view | —
Enable IGMP-Snooping in the system | igmp-snooping enable | Required
Enter VLAN view | vlan vlan-id | —
Enable multicast VLAN in the VLAN | multicast-vlan enable | Required. Multicast VLAN is disabled by default.
In system view, configure the correspondence between a multicast VLAN and multicast sub-VLANs | multicast-vlan vlan-id subvlan vlan-list | Required. A multicast VLAN does not have a sub-VLAN by default.


Multicast VLAN Configuration Example

Network requirements

The following table lists the devices to be configured in the network. Assume that port types, VLAN assignment, and so on have already been configured.

Network diagram

Figure 109 Network diagram for multicast VLAN

Table 269 Network devices to be configured

Device ID | Device type | Port to configure | Device connected to the port | Description
Router A | Router | Ethernet0/0/0 | Switch B | Ethernet0/0/0 belongs to VLAN1024. Enable PIM SM and IGMP on Ethernet0/0/0.
Switch B | Layer 3 switch | GigabitEthernet1/0/1 | Router A | GigabitEthernet1/0/1 belongs to VLAN1024.
Switch B | Layer 3 switch | GigabitEthernet1/0/2 | Switch C | Configure GigabitEthernet1/0/2 as a TRUNK port belonging to VLAN1 through VLAN3.
Switch B | Layer 3 switch | GigabitEthernet1/0/3 | Switch D | Configure GigabitEthernet1/0/3 as a TRUNK port belonging to VLAN4 through VLAN6.
Switch C | Layer 2 switch | — | — | Connected to users belonging to VLAN1 through VLAN3, and configured to support IGMP-Snooping.
Switch D | Layer 2 switch | — | — | Connected to users belonging to VLAN4 through VLAN6, and configured to support IGMP-Snooping.



Configuration procedure

1 Configure Router A.

<Router-A> system-view
Enter system view, return to user view with Ctrl+Z
[Router-A] multicast routing-enable
[Router-A] interface Ethernet0/0/0
[Router-A-Ethernet0/0/0] pim sm
[Router-A-Ethernet0/0/0] igmp enable
[Router-A-Ethernet0/0/0] quit
[Router-A]

2 Configure Switch B.

<3Com> system-view
Enter system view, return to user view with Ctrl+Z
[3Com] igmp-snooping enable
[3Com] vlan 1024
[3Com-vlan1024] multicast-vlan enable
[3Com-vlan1024] quit
[3Com] multicast-vlan 1024 subvlan 1 to 6


34 ARP CONFIGURATION

When configuring ARP, go to these sections for information you are interested in:

■ ARP Overview

■ Configuring ARP

■ Configuring Gratuitous ARP

■ Displaying and Maintaining ARP

ARP Overview

Address resolution protocol (ARP) is used for resolution from IP address to MAC address. For a host on an Ethernet to send an IP packet to another host, it must know the MAC address of the latter. This is where ARP comes into play.

With ARP, each host on an Ethernet maintains an ARP mapping table to keep the IP addresses and the corresponding MAC addresses of the hosts that it recently communicated with. This table is empty whenever the host boots up.

As shown in Figure 110, the ARP protocol resolves an IP address in the following steps:

Figure 110 ARP process

(Figure: Host A has IP address 192.168.1.1 and MAC address 0002-6779-0f4c; Host B has IP address 192.168.1.2 and MAC address 00a0-2470-febd. The ARP request from Host A carries source MAC address 0002-6779-0f4c, source IP address 192.168.1.1, an unknown destination MAC address and destination IP address 192.168.1.2. The ARP reply from Host B carries source MAC address 00a0-2470-febd, source IP address 192.168.1.2, destination MAC address 0002-6779-0f4c and destination IP address 192.168.1.1.)


1 When Host A wants to send an IP packet to Host B on the same segment, it looks in its ARP mapping table to see whether there is a mapping entry for Host B. If it finds the entry, it uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

2 If Host A finds no entry for Host B, it pushes the packet to the ARP outbound waiting queue and creates an ARP request, which contains the IP address of Host B and the IP address and MAC address of Host A. Then, it broadcasts the request on the Ethernet. Since the ARP request is broadcast, all hosts on the Ethernet except for Host A will receive the request. However, only the requested host (Host B) responds to the request.

3 Upon receiving the ARP request from Host A, Host B saves the IP address and MAC address of Host A into its ARP mapping table, encapsulates its MAC address into an ARP response, and unicasts the response to Host A.

4 After receiving the ARP response, Host A adds the MAC address and IP address of Host B into its ARP mapping table, and sends all data packets for Host B in the waiting queue out to Host B.

Normally, ARP resolves IP addresses to MAC addresses dynamically, without administrator intervention.
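The exchange in Figure 110 in working form, as an added example that is not part of this guide: it builds the broadcast ARP request Host A sends in step 2 and the unicast ARP reply Host B returns in step 3, then parses both back into the source and destination MAC and IP fields the figure shows. The IP and MAC addresses are the ones from the figure; the Ethernet and ARP byte layout follows RFC 826, and the parser rejects frames that are too short, not ARP, or of an unsupported address type.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ffff-ffff-ffff"
ARP_REQUEST, ARP_REPLY = 1, 2

# Addresses from Figure 110 (MACs written in the guide's xxxx-xxxx-xxxx form)
HOST_A = ("192.168.1.1", "0002-6779-0f4c")
HOST_B = ("192.168.1.2", "00a0-2470-febd")


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    h = b.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(o) for o in b)


def build_arp_frame(op: int, sender, target_ip: str, target_mac: str = None) -> bytes:
    """Return an Ethernet frame carrying an ARP packet.

    A request does not know the target MAC (zeros in the ARP body) and goes to
    the broadcast MAC; a reply is unicast to the requester's MAC.
    """
    sender_ip, sender_mac = sender
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac or "0000-0000-0000") + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields shown in Figure 110; raise ValueError on a malformed frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "op": op,
        "dst_mac": bytes_to_mac(dst),
        "src_mac": bytes_to_mac(src),
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


def resolve_exchange():
    """Steps 2 and 3 of the ARP process: Host A asks for Host B, Host B answers."""
    request = build_arp_frame(ARP_REQUEST, HOST_A, HOST_B[0])
    req = parse_arp_frame(request)
    # Only the host that owns the requested IP address answers, i.e. Host B.
    if req["target_ip"] != HOST_B[0]:
        raise ValueError("request is not for Host B")
    reply = build_arp_frame(ARP_REPLY, HOST_B, req["sender_ip"], req["sender_mac"])
    return req, parse_arp_frame(reply)


if __name__ == "__main__":
    for name, pkt in zip(("request", "reply"), resolve_exchange()):
        print(name, pkt)
```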

Configuring ARP

ARP entries fall into two categories: dynamic and static.

1 A dynamic entry is automatically created and maintained by the ARP protocol. It can get aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires, the interface goes down, or the VLAN interface goes down, the corresponding dynamic ARP entries will be removed.

2 A static ARP entry is configured and maintained manually. It can be permanent or non-permanent.

■ A permanent static ARP entry can be directly used to forward data and never gets aged or overwritten by a dynamic ARP entry. When configuring a permanent static ARP entry, you must configure the IP address and MAC address, as well as the VLAN and outbound interface for the entry.

■ A non-permanent static ARP entry is initially in the unresolved state and cannot be directly used to forward data. When configuring a non-permanent static ARP entry, you only need to configure the IP address and MAC address; the VLAN and outbound interface are resolved dynamically from ARP packets. A resolved non-permanent static ARP entry can be used to forward data and does not get aged. When the interface or VLAN interface goes down, or a similar event occurs, the entry becomes unresolved again. Non-permanent static ARP entries are used primarily when IP and MAC binding is required.

By default, the ARP mapping table of a device is empty and ARP entries are added automatically by the ARP protocol. The ARP mapping table is usually maintained by dynamic ARP and requires manual configuration only in some special cases. In addition, the ARP mapping table is used within a LAN; address resolution on a WAN depends on other configurations or methods, such as inverse address resolution in frame relay.


Adding a Static ARP Entry

Follow these steps to add a static ARP entry:

Table 270 Adding a Static ARP Entry

To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure a permanent static ARP entry | arp static ip-address mac-address vlan-id interface-type interface-number | Required. No permanent static ARP entry is configured by default.
Configure a non-permanent static ARP entry | arp static ip-address mac-address | Required. No non-permanent static ARP entry is configured by default.

■ A static ARP mapping is effective as long as the device works normally. However, when the VLAN or VLAN interface to which an ARP entry of a switch corresponds is deleted, the entry is deleted accordingly.

■ The default aging time of a dynamic ARP entry is 20 minutes.

■ The vlan-id argument is used to configure ARP entries on Ethernet switches and must be the ID of an existing VLAN interface. In addition, the Ethernet interface following the argument must belong to that VLAN.

Setting the Maximum Number of ARP Entries for a VLAN Interface

Follow these steps to set the maximum number of ARP entries that a VLAN interface can learn:

Table 271 Setting the Maximum Number of ARP Entries for a VLAN Interface

To do | Use the command | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface Vlan-interface vlan-id | —
Set the maximum number of ARP entries that an interface can learn | arp max-learning-num number | Optional. 2048 by default.

Setting the Aging Time for Dynamic ARP Entries

Follow these steps to set the aging time for dynamic ARP entries:

Table 272 Setting the Aging Time for Dynamic ARP Entries

To do | Use the command | Remarks
Enter system view | system-view | —
Set the aging time for dynamic ARP entries | arp timer aging aging-time | Optional. 20 minutes by default.


Enabling ARP Entry Checking

The ARP entry checking function prevents the device from learning ARP entries whose MAC address is a multicast MAC address.

Follow these steps to enable ARP entry checking:

Table 273 Enabling ARP Entry Checking

To do | Use the command | Remarks
Enter system view | system-view | —
Enable ARP entry checking | arp check enable | Optional. Enabled by default.

Configuring Gratuitous ARP

Introduction to Gratuitous ARP

Gratuitous ARP means that the device sends gratuitous ARP packets. A gratuitous ARP packet is a special ARP packet in which the source IP address and destination IP address are both the address of the local device, the source MAC address is the MAC address of the local device, and the destination MAC address is the broadcast address.

By sending gratuitous ARP packets, a device can:

■ Determine whether its IP address is already used by another node.

■ Inform other nodes of a change of its MAC address so that they can update their cached ARP entries with the new MAC address in time. This occurs when, for example, the device is turned off, has its interface card replaced, and is then turned on.

By learning gratuitous ARP packets, the device implements the following function:

When the device receives a gratuitous ARP packet, it adds the information carried in the packet to its local dynamic ARP mapping table if no ARP entry in the cache corresponds to the packet.

Configuring Gratuitous ARP

Follow these steps to configure gratuitous ARP:

Table 274 Configuring Gratuitous ARP

To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the gratuitous ARP packet sending function | gratuitous-arp-sending enable | Optional. A device cannot send gratuitous ARP packets by default.
Enable the gratuitous ARP packet learning function | gratuitous-arp-learning enable | Required. Disabled by default.
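An added example, not code from this guide, that models the ARP mapping table behaviour described under Configuring ARP, ARP entry checking and gratuitous ARP learning: dynamic entries that age out (20 minutes by default) and are capped per VLAN interface (2048 by default), permanent static entries that are never overwritten, non-permanent static entries that stay unresolved until an ARP packet supplies the VLAN and interface, rejection of multicast MAC addresses, and gratuitous ARP packets that only create entries when learning is enabled. Interface names, IP addresses and MAC addresses used with it are constructed; how a gratuitous packet affects an already present dynamic entry is this example's own assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AGING = 20 * 60       # arp timer aging: 20 minutes by default
DEFAULT_MAX_LEARN = 2048      # arp max-learning-num: 2048 per VLAN interface by default


@dataclass
class ArpEntry:
    mac: str
    kind: str                       # "dynamic", "static-permanent" or "static-nonpermanent"
    vlan: Optional[int] = None      # None on a non-permanent static entry means "unresolved"
    iface: Optional[str] = None
    learned_at: float = 0.0

    @property
    def usable(self) -> bool:       # only resolved entries can forward data
        return self.vlan is not None and self.iface is not None


def is_multicast_mac(mac: str) -> bool:
    """I/G bit set in the first octet: a group address, never a host's own address."""
    return int(mac.replace("-", "").replace(":", "")[:2], 16) & 0x01 == 1


class ArpTable:
    def __init__(self, aging=DEFAULT_AGING, max_learn=DEFAULT_MAX_LEARN,
                 check_enable=True, gratuitous_learning=False):
        self.entries: Dict[str, ArpEntry] = {}           # the table is empty at boot
        self.aging, self.max_learn = aging, max_learn
        self.check_enable = check_enable                 # arp check enable (on by default)
        self.gratuitous_learning = gratuitous_learning   # gratuitous-arp-learning enable

    def add_static(self, ip, mac, vlan=None, iface=None):
        """arp static: with VLAN and interface the entry is permanent, otherwise it is
        non-permanent and unresolved until an ARP packet supplies VLAN and interface."""
        permanent = vlan is not None and iface is not None
        kind = "static-permanent" if permanent else "static-nonpermanent"
        self.entries[ip] = ArpEntry(mac, kind, vlan, iface)   # static overwrites dynamic

    def learn(self, ip, mac, vlan, iface, now, gratuitous=False) -> str:
        """Apply one received ARP packet (request, reply or gratuitous) to the table."""
        if self.check_enable and is_multicast_mac(mac):
            return "rejected: multicast MAC"
        cur = self.entries.get(ip)
        if cur is None:
            if gratuitous and not self.gratuitous_learning:
                return "ignored: gratuitous ARP learning disabled"
            if self.count_dynamic(vlan) >= self.max_learn:
                return "rejected: max-learning-num reached"
            self.entries[ip] = ArpEntry(mac, "dynamic", vlan, iface, now)
            return "learned dynamic entry"
        if cur.kind == "static-permanent":
            return "ignored: permanent static entry"          # never overwritten
        if cur.kind == "static-nonpermanent":
            if cur.mac != mac:
                return "ignored: IP/MAC binding mismatch"      # the binding is enforced
            cur.vlan, cur.iface = vlan, iface                  # the entry becomes resolved
            return "resolved static entry"
        # Dynamic entry: refreshed by a newer ARP packet (assumed to include gratuitous ones).
        cur.mac, cur.vlan, cur.iface, cur.learned_at = mac, vlan, iface, now
        return "updated dynamic entry"

    def count_dynamic(self, vlan) -> int:
        return sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.vlan == vlan)

    def age(self, now) -> List[str]:
        """Drop dynamic entries older than the aging time; static entries never age."""
        expired = [ip for ip, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.learned_at >= self.aging]
        for ip in expired:
            del self.entries[ip]
        return expired

    def interface_down(self, iface):
        """Dynamic entries on the interface are removed; non-permanent static ones become unresolved."""
        for ip, e in list(self.entries.items()):
            if e.iface != iface:
                continue
            if e.kind == "dynamic":
                del self.entries[ip]
            elif e.kind == "static-nonpermanent":
                e.vlan = e.iface = None

    def lookup(self, ip) -> Optional[str]:
        e = self.entries.get(ip)
        return e.mac if e is not None and e.usable else None
```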


Displaying and Maintaining ARP

Table 275 Displaying and Maintaining ARP

To do | Use the command | Remarks
Display information about ARP entries in the ARP mapping table | display arp { { all | static | dynamic } | vlan vlan-id | interface interface-type interface-number } [ [ | { begin | include | exclude } text ] | count ] | Available in any view
Display the ARP entries corresponding to the specified IP address | display arp ip-address [ | { begin | include | exclude } text ] | Available in any view
Display the aging time for dynamic ARP entries | display arp timer aging | Available in any view
Clear ARP entries from the ARP mapping table | reset arp { all | dynamic | static | interface interface-type interface-number } | Available in user view


35 PROXY ARP CONFIGURATION

When configuring proxy ARP, go to these sections for information you are interested in:

■ Proxy ARP Overview

■ Enabling Proxy ARP

■ Displaying and Maintaining Proxy ARP

Proxy ARP Overview

If a host in a network sends an ARP request to another host in the same network segment but not in the same physical network, the proxy-ARP-enabled device connecting the two hosts can respond to this ARP request. This process is named proxy ARP.

Proxy ARP includes normal proxy ARP and local proxy ARP.

In the same network segment, the hosts connected to different VLAN interfaces of the device can use the normal proxy ARP function of the device to interwork with each other through forwarding on Layer 3.

In the following case, the local proxy ARP function must be enabled for the hosts to communicate with each other through Layer 3 forwarding:

The hosts are connected to interfaces that belong to the same VLAN but are isolated from each other on Layer 2.

Enabling Proxy ARP

Follow these steps to enable proxy ARP:

Through configuring the proxy-arp enable command, you can enable hosts connected to different VLAN interfaces of the device to interwork with each other through forwarding on Layer 3.

Table 276 Enabling Proxy ARP

To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet interface view or VLAN interface view | interface interface-type interface-number | Required
Enable proxy ARP | proxy-arp enable | Required. Disabled by default.
Enable local proxy ARP | local-proxy-arp enable | Required. Disabled by default.


By configuring the local-proxy-arp enable command, you enable the switch to check, for each received ARP request, whether the outbound interface toward the requested address is the same as the inbound interface and, if so, to respond to the request.
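The proxy ARP decision described above, as an added example that is not the switch's own code: a hypothetical ProxyArpDevice answers an ARP request on behalf of the target only when the target is reached through a different VLAN interface that has proxy-arp enable, or through the same, Layer 2 isolated, VLAN interface when that interface has local-proxy-arp enable. The routing table is reduced to the directly connected VLAN interfaces, and the device MAC and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Dict, Optional


@dataclass
class VlanInterface:
    name: str
    address: str                    # e.g. "192.168.1.1/24"
    proxy_arp: bool = False         # proxy-arp enable
    local_proxy_arp: bool = False   # local-proxy-arp enable


class ProxyArpDevice:
    """Layer 3 switch deciding whether to answer an ARP request on behalf of another host."""

    def __init__(self, mac: str, interfaces):
        self.mac = mac
        self.interfaces: Dict[str, VlanInterface] = {i.name: i for i in interfaces}

    def outbound_interface(self, ip: str) -> Optional[str]:
        """Longest-prefix match over the directly connected VLAN interfaces
        (the routing table is reduced to connected routes for this example)."""
        target, best, best_len = ip_address(ip), None, -1
        for itf in self.interfaces.values():
            net = ip_interface(itf.address).network
            if target in net and net.prefixlen > best_len:
                best, best_len = itf.name, net.prefixlen
        return best

    def answer_arp_request(self, inbound: str, sender_ip: str, target_ip: str) -> Optional[str]:
        """Return the MAC to put in the ARP reply, or None when the device must stay silent."""
        itf = self.interfaces[inbound]
        if target_ip == str(ip_interface(itf.address).ip):
            return self.mac                       # our own address: an ordinary ARP reply
        out = self.outbound_interface(target_ip)
        if out is None or target_ip == sender_ip:
            return None                           # no route, or the sender probing its own address
        if out == inbound:
            # The target sits behind the same VLAN interface: the hosts are isolated on
            # Layer 2, so only local proxy ARP (local-proxy-arp enable) may answer.
            return self.mac if itf.local_proxy_arp else None
        # The target is reached through another VLAN interface: normal proxy ARP (proxy-arp enable).
        return self.mac if itf.proxy_arp else None


if __name__ == "__main__":
    # Constructed topology: two VLAN interfaces, proxy ARP only on Vlan-interface1.
    dev = ProxyArpDevice("000f-e200-0001", [
        VlanInterface("Vlan-interface1", "192.168.1.1/24", proxy_arp=True),
        VlanInterface("Vlan-interface2", "192.168.2.1/24"),
    ])
    print(dev.answer_arp_request("Vlan-interface1", "192.168.1.10", "192.168.2.20"))
```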

Displaying and Maintaining Proxy ARP

Table 277 Displaying and Maintaining Proxy ARP

To do | Use the command | Remarks
Display whether proxy ARP is enabled | display proxy-arp [ interface interface-type interface-number ] | Available in any view
Display whether local proxy ARP is enabled | display local-proxy-arp [ interface interface-type interface-number ] | Available in any view


36 DHCP OVERVIEW

Introduction to DHCP

The fast expansion and growing complexity of networks have made the IP addresses assignable to hosts scarce. Meanwhile, with the wide use of wireless networks, laptops move frequently across the network and their IP addresses must change accordingly, so host configuration has become more complex. Dynamic host configuration protocol (DHCP) was introduced to ease network configuration by providing a framework for passing configuration information to hosts on a TCP/IP network.

DHCP is built on a client-server model, in which the client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client.

A typical DHCP application, as shown in Figure 111, includes a DHCP server and multiple clients (PCs and laptops).

Figure 111 A typical DHCP application

DHCP Address Allocation

Allocation Mechanisms

DHCP supports three mechanisms for IP address allocation.

■ Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client.

■ Automatic allocation: DHCP assigns a permanent IP address to a client.

■ Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most clients obtain their addresses in this way.


Dynamic IP Address Allocation Procedure

For dynamic allocation, a DHCP client obtains an IP address from a DHCP server via four steps:

1 The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.

2 A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message.

3 If several DHCP servers send offers to the client, the client accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address.

4 All DHCP servers receive the DHCP-REQUEST message, but only the server to which the client sent a formal request for the offered IP address returns a DHCP-ACK message to the client confirming that the IP address has been allocated to the client, or returns a DHCP-NAK unicast message denying the IP address allocation.

■ If the client receives the DHCP-ACK message, it probes the IP address by sending a gratuitous ARP with the destination IP address set to the address assigned by the server, to check whether the address is already in use. If the client receives no response within the specified time, it can use this IP address.

■ If there are multiple DHCP servers in the network, the IP addresses offered by other DHCP servers are still assignable to other clients.

IP Address Lease Extension

The IP address dynamically allocated by a DHCP server to a client has a lease. After the lease duration elapses, the IP address will be reclaimed by the DHCP server. If the client wants to use the IP address again, it has to extend the lease duration.

After half of the lease duration elapses, the DHCP client sends the DHCP server a DHCP-REQUEST unicast message to extend the lease duration. If the IP address is still available, the DHCP server returns a DHCP-ACK unicast confirming that the client’s lease duration has been extended, or a DHCP-NAK unicast denying the request.

If the client receives the DHCP-NAK message, it broadcasts another DHCP-REQUEST message for lease extension after 7/8 of the lease duration elapses. The DHCP server handles the request as described above.


DHCP Message Format

The figure below gives the DHCP message format, which is based on the BOOTP message format and covers eight message types. These message types share the same format; only the values of some fields differ. The numbers in parentheses indicate the size of each field in octets.

Figure 112 DHCP message format

■ op: Message operation code: 1 = REQUEST, 2 = REPLY (the specific DHCP message type is carried in the options field).

■ htype, hlen: Hardware address type and hardware address length of the DHCP client.

■ hops: Number of relay agents the request message has traveled through.

■ xid: Transaction ID, a 32-bit random number chosen by the client to identify an IP address allocation.

■ secs: Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. Currently this field is reserved and set to 0.

■ flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 1, the DHCP server sends its reply by broadcast. The remaining bits of the flags field are reserved for future use. Currently, the BROADCAST flag is always set to 1.

■ ciaddr: Client IP address.

■ yiaddr: 'your' (client) IP address, assigned by the server.

■ siaddr: IP address of the server from which the client obtained configuration parameters.

■ giaddr: IP address of the first relay agent the request message traveled through.

■ chaddr: Client hardware address.

■ sname: Host name of the server from which the client obtained configuration parameters.

■ file: Boot file name and routing information, supplied by the server to the client.

■ options: Variable-length optional parameters field; parameters include the message type, lease, DNS IP address, WINS IP address and so forth.


Protocols and Standards

■ RFC2131: Dynamic Host Configuration Protocol

■ RFC2132: DHCP Options and BOOTP Vendor Extensions

■ RFC1542: Clarifications and Extensions for the Bootstrap Protocol

■ RFC3046: DHCP Relay Agent Information Option


37 DHCP RELAY AGENT CONFIGURATION

When configuring the DHCP relay agent, go to these sections for information you are interested in:

■ Introduction to DHCP Relay Agent

■ Configuring the DHCP Relay Agent

■ Displaying and Maintaining the DHCP Relay Agent Configuration

■ DHCP Relay Agent Configuration Example

■ Troubleshooting DHCP Relay Agent Configuration

Please note the following:

■ The DHCP relay agent configuration is supported only on VLAN interface.

■ DHCP Snooping must be disabled on the DHCP relay agent.

Introduction to DHCP Relay Agent

Application Environment

Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server would have to be available on each subnet, which is not practical.

DHCP relay agent solves the problem. Via a relay agent, DHCP clients communicate with a DHCP server on another subnet to obtain configuration parameters. Thus, DHCP clients on different subnets can contact the same DHCP server for ease of centralized management and cost reduction.

Fundamentals

A typical application of the DHCP relay agent is shown below.


Figure 113 DHCP relay agent application

No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see Dynamic IP Address Allocation Procedure). The following describes the forwarding process on the DHCP relay agent.

■ The DHCP client broadcasts the DHCP-DISCOVER or DHCP-REQUEST packet. After receiving the packet, the DHCP relay-enabled network device unicasts the packet to a specified DHCP server based on the configuration.

■ The DHCP server returns an IP address to the relay agent, which conveys it to the client via broadcast.
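An added example, not code from this guide, covering the message format of Figure 112 and the relay forwarding just described: it encodes and decodes the fixed fields and the option TLVs, has the relay agent stamp giaddr on the first hop and count hops before unicasting the request to the server, and builds the server's DHCP-OFFER with the same xid and giaddr so the reply comes back to the relay. The xid, client MAC and addresses are constructed; the byte layout follows RFC 2131.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict

# Constants from RFC 2131 / RFC 2132
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BROADCAST_FLAG = 0x8000                      # leftmost bit of the flags field
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # separates the fixed fields from the options
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"       # 236 bytes, in the field order of Figure 112


@dataclass
class DhcpMessage:
    op: int
    htype: int = 1                 # Ethernet
    hlen: int = 6
    hops: int = 0
    xid: int = 0
    secs: int = 0
    flags: int = BROADCAST_FLAG
    ciaddr: str = "0.0.0.0"
    yiaddr: str = "0.0.0.0"
    siaddr: str = "0.0.0.0"
    giaddr: str = "0.0.0.0"
    chaddr: bytes = b"\0" * 6
    sname: bytes = b""
    file: bytes = b""
    options: Dict[int, bytes] = field(default_factory=dict)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(o) for o in b)


def encode(msg: DhcpMessage) -> bytes:
    head = struct.pack(HEADER, msg.op, msg.htype, msg.hlen, msg.hops, msg.xid, msg.secs,
                       msg.flags, ip_to_bytes(msg.ciaddr), ip_to_bytes(msg.yiaddr),
                       ip_to_bytes(msg.siaddr), ip_to_bytes(msg.giaddr),
                       msg.chaddr.ljust(16, b"\0"), msg.sname.ljust(64, b"\0"),
                       msg.file.ljust(128, b"\0"))
    opts = b"".join(bytes([code, len(v)]) + v for code, v in msg.options.items())
    return head + MAGIC_COOKIE + opts + bytes([OPT_END])


def decode(data: bytes) -> DhcpMessage:
    """Parse the fixed fields and the option TLVs; reject anything malformed."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER, data[:236])
    msg = DhcpMessage(*f[:7], *(bytes_to_ip(x) for x in f[7:11]),
                      f[11][:f[2]], f[12].rstrip(b"\0"), f[13].rstrip(b"\0"))
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        code, ln = data[i], data[i + 1]
        msg.options[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return msg


def relay_to_server(data: bytes, relay_if_ip: str) -> bytes:
    """Relay agent step for a client broadcast: stamp giaddr on the first hop, count
    the hop, and return the message that is unicast to the configured DHCP server."""
    msg = decode(data)
    if msg.op != BOOTREQUEST:
        raise ValueError("only client requests are relayed towards the server")
    if msg.giaddr == "0.0.0.0":
        msg.giaddr = relay_if_ip            # address of the first relay agent traversed
    msg.hops += 1
    return encode(msg)


def server_offer(request: bytes, yiaddr: str, server_ip: str) -> bytes:
    """Server reply to a DHCP-DISCOVER: same xid, chaddr and giaddr, offered address in yiaddr.
    A non-zero giaddr tells the server to send the reply to the relay agent."""
    req = decode(request)
    if req.options.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("expected a DHCP-DISCOVER")
    return encode(DhcpMessage(BOOTREPLY, req.htype, req.hlen, req.hops, req.xid, 0,
                              req.flags, "0.0.0.0", yiaddr, server_ip, req.giaddr, req.chaddr,
                              options={OPT_MSG_TYPE: bytes([DHCPOFFER]),
                                       OPT_SERVER_ID: ip_to_bytes(server_ip)}))
```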

Configuring the DHCP Relay Agent

Configuration Task List

To configure the DHCP relay agent, complete the following tasks.

Table 278 Configuration Task List

Task | Remarks
Enabling DHCP | Required
Enabling the DHCP Relay Agent on Interfaces | Required
Correlating a DHCP Server Group with Relay Agent Interfaces | Required
Configuring the DHCP Relay Agent to Send the IP Address Release Request | Optional
Configuring the DHCP Relay Agent Security Functions | Optional
Configuring the DHCP Relay Agent to Support Option 82 | Optional

Enabling DHCP

Enable DHCP before performing other DHCP-related configurations.

Table 279 Enabling DHCP

To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable DHCP | dhcp enable | Required. Disabled by default.


Enabling the DHCP Relay Agent on Interfaces

With this task completed, upon receiving a DHCP request from an enabled interface, the relay agent forwards the request to an outside DHCP server for address allocation.

To enable the DHCP relay agent on interfaces, use the following commands:

Table 280 Enabling the DHCP Relay Agent on Interfaces

To do | Use the command | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Enable the DHCP relay agent on the current interface | dhcp select relay | Required. Not enabled by default.

When a DHCP client obtains an IP address from a DHCP server through the DHCP relay, an IP address pool on the same network segment (same network number and mask) as the IP address of the DHCP relay interface connecting the client must already have been configured on the DHCP server. Otherwise, the DHCP client cannot obtain a correct IP address.

Correlating a DHCP Server Group with Relay Agent Interfaces

To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives request messages from clients, the relay agent forwards them to all the DHCP servers of the group.

To correlate a DHCP server group with relay agent interfaces, use the following commands:

Table 281 Correlating a DHCP Server Group with Relay Agent Interfaces

To do | Use the command | Remarks
Enter system view | system-view | —
Specify a DHCP server group number and servers in the group | dhcp relay server-group group-id ip ip-address | Required. Not specified by default.
Enter interface view | interface interface-type interface-number | —
Correlate the DHCP server group with the current interface | dhcp relay server-select group-id | Required. Not correlated by default.

■ You can specify up to twenty DHCP server groups on the relay agent.

■ You can configure up to eight DHCP servers for a server group.

■ The IP address of any DHCP server in a DHCP server group cannot be on the same network segment as that of a DHCP relay interface connecting with DHCP clients; otherwise, the DHCP clients may not be able to obtain IP addresses.

■ A DHCP server group can correlate with one or multiple DHCP relay agent interfaces, while a relay agent interface can only correlate with one DHCP server group. Using the dhcp relay server-select command repeatedly overwrites the previous configuration. However, if the specified DHCP server group does not exist, the interface still uses the previous correlation.

■ The group-id in the dhcp relay server-select command is the one specified by the dhcp relay server-group command.


Configuring the Relay Agent to Forward a DHCP-Release Request

Sometimes, you need to release a client’s IP address manually on the DHCP relay agent. With this task completed, the DHCP relay agent can actively send a DHCP-RELEASE request that contains the client’s IP address to the DHCP server. The DHCP server then releases the IP address for the client.

Configure the release of a client’s IP address through the DHCP relay (in system view)

Table 282 Configure the release of a client’s IP address through the DHCP relay (in system view)

To do | Use the command | Remarks
Enter system view | system-view | —
Request the DHCP server to release the IP address applied for and used by a client | dhcp relay release client-ip client-mac [ server-ip ] | Required

In system view, when you configure the release of a client's IP address through the DHCP relay and do not specify the IP address of the DHCP server, the DHCP relay sends a DHCP-RELEASE request to the DHCP servers of the DHCP server groups that correspond to all interfaces working in DHCP relay mode.

Configure the release of a client’s IP address through the DHCP relay (in interface view)

Table 283 Configure the release of a client’s IP address through the DHCP relay (in interface view)

To do | Use the command | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Request the DHCP server to release the IP address applied for and used by a client | dhcp relay release client-ip client-mac [ server-ip ] | Required

In interface view, when you configure the release of a client's IP address through the DHCP relay and do not specify a DHCP server, the DHCP relay sends a DHCP-RELEASE request to all the DHCP servers of the DHCP server group that corresponds to the interface. If you specify a DHCP server, the DHCP relay sends the DHCP-RELEASE request to the specified DHCP server only.

Configuring the DHCP Relay Agent Security Functions

Creating static bindings and enabling invalid IP address check

The DHCP relay agent can dynamically record IP-to-MAC bindings after clients obtain IP addresses. You can also create static bindings on the DHCP relay agent.

To avoid invalid IP address configuration, you can configure the DHCP relay agent to check whether a requesting client's IP and MAC addresses match a binding on it (dynamic or static). If not, the client cannot access outside networks via the DHCP relay agent.

To create a static binding and enable invalid IP address check, use the following commands:

Table 284 Creating static bindings and enabling invalid IP address check

To do | Use the command | Remarks
Enter system view | system-view | —
Create a static binding | dhcp relay security static ip-address mac-address | Optional. Not created by default.
Enter interface view | interface interface-type interface-number | —
Enable invalid IP address check | dhcp relay address-check { disable | enable } | Required. Disabled by default.

■ The dhcp relay address-check command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect as soon as this command is executed, regardless of whether other commands are used.

■ Before executing the dhcp relay address-check enable command on the DHCP relay interface connected to the DHCP server, you need to configure the static binding between the IP address and MAC address of the DHCP server. Otherwise, the DHCP client will fail to obtain an IP address.

Configuring dynamic binding update interval

Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. In this case the DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP address from its bindings. To solve this, the system refreshes relay agent binding entries at a specified interval.

The DHCP relay agent regularly sends a DHCP-REQUEST message using its own MAC address and a client’s IP address to the DHCP server. If the server returns a DHCP-ACK message, which means the client’s IP address is now assignable, the DHCP relay agent refreshes its bindings by aging out the binding entry of the client’s IP address. If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age it out.

To configure the dynamic binding refreshing interval, use the following commands:

Table 285 Configuring dynamic binding refreshing interval

To do | Use the command | Remarks
Enter system view | system-view | —
Config­ure binding refreshing interval | dhcp relay security tracker { interval | auto } | Optional. auto by default (the auto interval is calculated by the relay agent according to the number of bindings).


Enabling pseudo DHCP servers detection

Illegal DHCP servers on a network reply to DHCP clients with wrong IP addresses. These illegal DHCP servers are called pseudo DHCP servers.

With this task completed, upon receiving a DHCP-REQUEST message from a client, the DHCP relay agent records from the message the IP addresses of the servers that have ever offered IP addresses to the client, together with the address of the receiving interface. The administrator can use this information to identify pseudo DHCP servers.

To enable pseudo DHCP server detection, use the following commands:

With pseudo DHCP server detection enabled, the device records each DHCP server once. The administrator needs to identify pseudo DHCP servers from the records.

Configuring the DHCP Relay Agent to Support Option 82

Introduction to option 82

Option 82 is the relay agent option in the Options field of the DHCP message. It involves 255 sub-options. At least one sub-option must be defined. Now the DHCP relay agent supports two sub-options: sub-option 1 and sub-option 2.

Option 82 has no unified definition. Its padding formats vary with vendors. Currently the device supports two padding formats: normal and verbose.

The padding contents for sub-options in the normal padding format are:

■ sub-option 1: padded with the number of the port that receives the DHCP client's request, and the number of the VLAN where the port belongs.

■ sub-option 2: padded with the MAC address of the interface that received the client's request.

The padding contents for sub-options in the verbose padding format are:

■ sub-option 1: padded with specified access node identifier, the type and number of the port that receives the DHCP client's request, and the number of the VLAN where the port belongs.

■ sub-option 2: padded with the MAC address of the interface that received the client's request.

Handling strategies for option 82 on the relay agent

If the DHCP relay agent supports option 82, it will handle a client’s requesting message according to the contents defined in option 82, if any. The handling strategies are described in the table below.

If a reply returned by the DHCP server contains option 82, the DHCP relay agent will remove the option 82 before forwarding the reply to the client.

Table 286 Enabling pseudo DHCP servers detection

1 Enter system view: system-view

2 Enable pseudo DHCP server detection: dhcp relay server-detect (required; not enabled by default)


Prerequisites

You need to complete the following tasks before configuring the DHCP relay agent to support option 82:

■ Enabling DHCP

■ Enabling the DHCP relay agent on the specified interface

■ Configuring network parameters for the DHCP relay agent to ensure that the route between the DHCP relay agent and the DHCP server is reachable

Configuring the DHCP relay agent to support option 82

Use the following commands for this configuration:

Table 287 Handling strategies for option 82 on the relay agent

If a client's requesting message has option 82, the DHCP relay agent handles it according to the configured handling strategy and padding format:

■ Strategy drop: drop the message.

■ Strategy keep: forward the message without changing Option 82.

■ Strategy replace, padding format normal: forward the message after replacing the original Option 82 with the Option 82 padded in normal format.

■ Strategy replace, padding format verbose: forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.

If a client's requesting message has no option 82, the DHCP relay agent handles it according to the padding format alone:

■ Padding format normal: forward the message after adding the Option 82 padded in normal format.

■ Padding format verbose: forward the message after adding the Option 82 padded in verbose format.
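The handling strategies above, as an added Python model that is not part of the 3Com guide: it builds option 82 in both padding formats, applies the drop, keep and replace strategies to a client request, and strips option 82 from a server reply. The byte layouts of sub-options 1 and 2, the node-identifier string and the option values used in the sample messages are assumptions, since the guide names only what each sub-option carries.

```python
"""Added example (not 3Com code): the relay agent's option 82 handling.

A DHCP message is reduced to a dict of option code -> value bytes.  The byte
layouts below are assumptions: the guide says what each sub-option is padded
with, not how the bytes are laid out.
"""
import struct

OPTION_82 = 82
SUBOPT_CIRCUIT_ID = 1   # sub-option 1: receiving port and VLAN (plus node id in verbose)
SUBOPT_REMOTE_ID = 2    # sub-option 2: MAC address of the receiving interface
STRATEGIES = ("drop", "keep", "replace")


def encode_suboptions(subopts):
    """Serialise {sub-option code: bytes} as the TLV body of option 82."""
    out = b""
    for code, value in sorted(subopts.items()):
        if len(value) > 255:
            raise ValueError("sub-option too long")
        out += bytes([code, len(value)]) + value
    return out


def decode_suboptions(data):
    """Parse the TLV body of option 82 into {code: bytes}; reject truncated input."""
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subopts[code] = value
        i += 2 + length
    return subopts


def build_option82(fmt, vlan, port, mac, node_id=None, port_type="GigabitEthernet"):
    """Build option 82 in the normal or verbose padding format.

    normal : sub-option 1 = VLAN id (2 bytes) + port number (1 byte)   [assumed layout]
    verbose: sub-option 1 = "<node id>:<port type><port>:vlan<id>"     [assumed layout]
    both   : sub-option 2 = the 6-byte MAC of the receiving interface
    """
    if fmt == "normal":
        circuit = struct.pack("!HB", vlan, port)
    elif fmt == "verbose":
        if node_id is None:
            raise ValueError("verbose format needs a node identifier")
        circuit = f"{node_id}:{port_type}{port}:vlan{vlan}".encode()
    else:
        raise ValueError(f"unknown padding format {fmt!r}")
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return encode_suboptions({SUBOPT_CIRCUIT_ID: circuit, SUBOPT_REMOTE_ID: mac})


def relay_handle_request(options, strategy, fmt, vlan, port, mac, node_id=None):
    """Apply Table 287 to a client request; return (forward, options).

    'strategy' only matters when the request already carries option 82; a
    request without it always gets option 82 added in the configured format.
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    new = dict(options)
    if OPTION_82 in new:
        if strategy == "drop":
            return False, None
        if strategy == "keep":
            return True, new
    new[OPTION_82] = build_option82(fmt, vlan, port, mac, node_id)
    return True, new


def relay_handle_reply(options):
    """Server replies never carry option 82 on to the client."""
    new = dict(options)
    new.pop(OPTION_82, None)
    return new
```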

Table 288 Configure the DHCP relay agent to support option 82

1 Enter system view: system-view

2 Enter interface view: interface interface-type interface-number

3 Enable the relay agent to support option 82: dhcp relay information enable (required; disabled by default)

4 Configure the handling strategy for requesting messages containing option 82: dhcp relay information strategy { drop | keep | replace } (optional; replace by default)

5 Configure the padding format for option 82: dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } (optional; normal by default)


■ To support option 82, you must perform related configurations on both the DHCP server and relay agent. Since the DHCP server configuration varies with devices, it is not mentioned here.

■ If the handling strategy of the DHCP relay agent is configured as replace, you need to configure a padding format for option 82. If the handling strategy is keep or drop, you need not configure any padding format.

Displaying and Maintaining the DHCP Relay Agent Configuration

Table 289 Displaying and Maintaining the DHCP Relay Agent

■ Display information about DHCP server groups correlated to a specified interface or all interfaces: display dhcp relay { all | interface interface-type interface-number } (available in any view)

■ Display information about bindings of DHCP relay agents: display dhcp relay security [ ip-address | dynamic | static ] (available in any view)

■ Display statistics information about bindings of DHCP relay agents: display dhcp relay security statistics (available in any view)

■ Display information about the refreshing interval for entries of dynamic IP-to-MAC bindings: display dhcp relay security tracker (available in any view)

■ Display information about the configuration of a specified or all DHCP server groups: display dhcp relay server-group { group-id | all } (available in any view)

■ Display packet statistics on the relay agent: display dhcp relay statistics [ server-group { group-id | all } ] (available in user view)

■ Clear packet statistics from the relay agent: reset dhcp relay statistics [ server-group group-id ] (available in user view)


DHCP Relay Agent Configuration Example

Network requirements

Vlan-interface1 on the DHCP relay agent (a switch) connects to the network where DHCP clients reside. The IP address of Vlan-interface1 is 10.10.1.1/24 and IP address of Vlan-interface2 is 10.1.1.2/24 that communicates with the DHCP server 10.1.1.1/24. As shown in the figure below, the DHCP relay agent forwards messages between DHCP clients and the DHCP server.

Network diagram

Figure 114 Network diagram for DHCP relay agent

Configuration procedure

1 Enable DHCP.

<Sysname> system-view
[Sysname] dhcp enable

2 Enable the DHCP relay agent on Vlan-interface1.

[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp select relay
[Sysname-Vlan-interface1] quit

3 Configure the DHCP server group 1 with the DHCP server 10.1.1.1, and correlate the DHCP server group 1 to Vlan-interface1.

[Sysname] dhcp relay server-group 1 ip 10.1.1.1
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay server-select 1

■ Performing the configuration on the DHCP server is also required to guarantee the client-to-server communication via the relay agent. Since the DHCP server configuration varies with devices, it is not mentioned here.

■ In this example, the DHCP relay agent and server are on the same subnet. If they are on different subnets, the routes in between must be reachable.

[Figure 114 residue: Ethernet, IP network, DHCP client, DHCP client, DHCP relay, DHCP server, 10.1.1.1/24, 10.10.1.1/24 Vlan-interface1, Ethernet 10.1.1.2/24, Vlan-interface2]


Troubleshooting DHCP Relay Agent Configuration

Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent.

Analysis Some problems may occur with the DHCP relay agent or server configuration. Enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information for locating the problem.

Solution Verify that:

■ DHCP is enabled on the DHCP server and the relay agent.

■ The address pool on the same subnet where DHCP clients reside is available on the DHCP server.

■ The routes between the DHCP server and DHCP relay agent are reachable.

■ The relay agent interface connected to the DHCP clients is correlated with the correct DHCP server group, and the IP addresses of the group members are correct.


38 DHCP CLIENT CONFIGURATION

When configuring the DHCP client, go to these sections for information you are interested in:

■ Introduction to DHCP Client

■ Enabling the DHCP Client on an Interface

■ Displaying and Maintaining the DHCP Client

■ DHCP Client Configuration Example

■ The DHCP client configuration is supported only on VLAN interfaces.

■ When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.

■ DHCP Snooping must be disabled on the DHCP client.

Introduction to DHCP Client

With the DHCP client enabled on an interface, the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server.

Enabling the DHCP Client on an Interface

Follow these steps to enable the DHCP client on an interface:

■ An interface can be configured to acquire an IP address in multiple ways, but these ways are exclusive. The IP address obtained in a new way overwrites the IP address obtained in the previous way.

■ After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface.

Table 290 Configuring DHCP Snooping

1 Enter system view: system-view

2 Enter interface view: interface interface-type interface-number

3 Enable the DHCP client on the interface: ip address dhcp-alloc [ client-identifier mac interface-type interface-number ] (required; disabled by default)


Displaying the DHCP Client

DHCP Client Configuration Example

Network requirements

On a LAN, the DHCP client (4500G) contacts the DHCP server through the Vlan-interface1 to obtain an IP address.

Figure 115 A DHCP network (4500G as the DHCP client)

Configuration procedure

The following is the configuration on the client switch shown in Figure 115.

1 Enable the DHCP client on Vlan-interface1.

<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address dhcp-alloc

To implement the DHCP client-server model, you need to perform related configuration on the DHCP server. Since the DHCP server configuration varies with devices, it is not mentioned here.

Table 291 Displaying DHCP Client

■ Display the specified configuration information: display dhcp client [ verbose ] [ interface interface-type interface-number ] (available in any view)

[Figure 115 residue: DHCP Server, VLAN-interface1 10.1.1.1/25, VLAN-interface1, LAN, WINS Server, DNS Server, Client, Client]


39 DHCP SNOOPING CONFIGURATION

When configuring DHCP snooping, refer to these sections for information:

■ DHCP Snooping Overview

■ Configuring DHCP Snooping

■ Displaying and Maintaining DHCP Snooping

■ DHCP Snooping Configuration Example

■ DHCP snooping does not support link aggregation. If an Ethernet port is added to an aggregation group, the DHCP snooping configuration on it does not take effect. When the port is removed from the group, DHCP snooping can take effect again.

■ The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server, and it can work when it is between the DHCP client and relay agent or between the DHCP client and server.

■ The DHCP snooping enabled device cannot be a DHCP server, DHCP relay agent, DHCP client, or BOOTP client. Therefore, DHCP snooping must be disabled on a DHCP server, DHCP relay agent, DHCP client, and BOOTP client.

DHCP Snooping Overview

Function of DHCP Snooping

DHCP snooping is a DHCP security feature for preventing DHCP clients from receiving IP addresses provided by untrusted DHCP servers. It allows a device to:

■ Drop DHCP responses received on untrusted ports, preventing DHCP clients from receiving IP addresses provided by untrusted DHCP servers.

■ Listen to DHCP-REQUEST and DHCP-ACK messages, record and maintain binding information about MAC addresses of DHCP clients and the obtained IP addresses, so that network administrators can easily see which IP addresses are assigned to the DHCP clients.

How Does DHCP Snooping Work

On a network, DHCP servers fall into two categories: valid and invalid. With DHCP snooping, the ports of a device can be differentiated by whether they are trusted or untrusted:

■ Trusted: A trusted port is connected to a valid DHCP server directly or indirectly. It forwards DHCP messages normally, guaranteeing that DHCP clients can obtain valid IP addresses.

■ Untrusted: An untrusted port is connected to an invalid DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses.
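An added example, not code from the guide: a Python model of the trusted/untrusted port decision described above and of the binding table built from DHCP-REQUEST and DHCP-ACK messages. The port names follow Figure 116; the client MAC, the addresses and the exchange replayed by run_sample() are constructed for this example.

```python
"""Added example (not 3Com code): the trusted/untrusted port decision of DHCP snooping.

Messages are dicts with only the fields the decision needs; message-type values
are the standard DHCP ones (option 53).  Port names follow Figure 116; the
exchange replayed in run_sample() is constructed for this example.
"""
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
# The guide names OFFER and ACK as the replies dropped on untrusted ports;
# NAK is treated the same here because it also only comes from a server (assumption).
SERVER_MESSAGES = {OFFER, ACK, NAK}


class DhcpSnooping:
    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # ports configured with dhcp-snooping trust
        self.bindings = {}                  # client MAC -> (ip, client port, vlan)
        self.pending = {}                   # client MAC -> (port, vlan) of its last REQUEST
        self.dropped = []                   # (port, message type) of discarded server replies

    def trust(self, port):
        self.trusted.add(port)

    def process(self, msg):
        """Return True if the message is forwarded, False if it is dropped."""
        port, mtype, mac = msg["port"], msg["type"], msg["chaddr"]
        if mtype in SERVER_MESSAGES and port not in self.trusted:
            # A server reply arriving on an untrusted port is from an invalid server.
            self.dropped.append((port, mtype))
            return False
        if mtype == REQUEST:
            self.pending[mac] = (port, msg["vlan"])
        elif mtype == ACK and mac in self.pending:
            client_port, vlan = self.pending.pop(mac)
            self.bindings[mac] = (msg["yiaddr"], client_port, vlan)
        elif mtype == NAK:
            self.pending.pop(mac, None)
        return True

    def display(self):
        """Like display dhcp-snooping: the recorded (MAC, IP, port, VLAN) bindings."""
        return sorted((mac, ip, port, vlan) for mac, (ip, port, vlan) in self.bindings.items())


def run_sample():
    """Replay a constructed exchange: a rogue OFFER on GE1/0/3 is dropped, the real one passes."""
    snoop = DhcpSnooping(trusted_ports={"GigabitEthernet1/0/1"})
    client = "0011-2233-4455"
    exchange = [
        {"port": "GigabitEthernet1/0/2", "type": DISCOVER, "chaddr": client, "vlan": 1},
        {"port": "GigabitEthernet1/0/3", "type": OFFER, "chaddr": client, "vlan": 1, "yiaddr": "10.1.1.200"},
        {"port": "GigabitEthernet1/0/1", "type": OFFER, "chaddr": client, "vlan": 1, "yiaddr": "10.1.1.50"},
        {"port": "GigabitEthernet1/0/2", "type": REQUEST, "chaddr": client, "vlan": 1},
        {"port": "GigabitEthernet1/0/1", "type": ACK, "chaddr": client, "vlan": 1, "yiaddr": "10.1.1.50"},
    ]
    forwarded = [snoop.process(m) for m in exchange]
    return snoop, forwarded
```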


Configuring DHCP Snooping

Follow these steps to configure DHCP snooping:

You must specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.

Displaying DHCP Snooping

DHCP Snooping Configuration Example

Network requirements

■ A device is connected to a DHCP server through GigabitEthernet1/0/1, and to two DHCP clients through GigabitEthernet1/0/2 and GigabitEthernet1/0/3.

■ GigabitEthernet1/0/1 forwards DHCP server responses while the other two do not.

Figure 116 Network diagram for DHCP snooping configuration

Table 292 Configuring DHCP Snooping

1 Enter system view: system-view

2 Enable DHCP snooping: dhcp-snooping (required; disabled by default)

3 Enter Ethernet port view: interface interface-type interface-number

4 Specify the port as trusted: dhcp-snooping trust (required; untrusted by default)

Table 293 Displaying DHCP Snooping

■ Display DHCP snooping address binding information: display dhcp-snooping (available in any view)

■ Display information about trusted ports: display dhcp-snooping trust (available in any view)

[Figure 116 residue: DHCP Client, DHCP Snooping, DHCP Server, GE 1/0/3, GE 1/0/1, DHCP Client, GE 1/0/2]


Configuration procedure

1 Enable DHCP snooping.

<Sysname> system-view
[Sysname] dhcp-snooping

2 Specify GigabitEthernet1/0/1 as trusted.

[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping trust

All of the DHCP clients and DHCP servers must be configured for the DHCP clients to obtain IP addresses. The configuration details, varying with the device type, are omitted here.


40 BOOTP CLIENT CONFIGURATION

While configuring a bootstrap protocol (BOOTP) client, go to these sections for information you are interested in:

■ Introduction to BOOTP Client

■ Configuring an Interface to Dynamically Obtain an IP Address through BOOTP

■ Displaying and Maintaining BOOTP Client Configuration

■ BOOTP client configuration only applies to VLAN interfaces.

■ If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.

■ DHCP Snooping must be disabled on the BOOTP client.

Introduction to BOOTP Client

This section covers these topics:

■ BOOTP Application

■ Obtaining an IP address dynamically

■ Protocols and Standards

BOOTP Application

After you specify an interface of the device as a BOOTP client, the interface can use BOOTP to get information (such as an IP address) from the BOOTP server, which simplifies your configuration.

Before using BOOTP, an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server. The parameter file contains information such as MAC address and IP address of a BOOTP client. When a BOOTP client originates a request to the BOOTP server, the BOOTP server will search for the BOOTP parameter file and return the corresponding configuration information.

Because you need to configure a parameter file for each client on the BOOTP server, BOOTP usually runs in a relatively stable environment. If the network changes frequently, the dynamic host configuration protocol (DHCP) can be applied instead. For an introduction to DHCP, refer to Chapter 1 DHCP Overview.

Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure IP address for the BOOTP client without any BOOTP server.


Obtaining an IP Address Dynamically

A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.

A BOOTP client dynamically obtains an IP address from a BOOTP server in the following ways:

1 The BOOTP client broadcasts a BOOTP request, which contains the BOOTP client's own MAC address.

2 The BOOTP server receives the request and searches the configuration file for the corresponding IP address according to the MAC address of the BOOTP client. The BOOTP server then returns a BOOTP response to the BOOTP client.

3 The BOOTP client obtains the IP address from the received response.

Protocols and Standards

Some protocols and standards related to BOOTP include:

■ RFC 951: Bootstrap Protocol (BOOTP)

■ RFC 2132: DHCP Options and BOOTP Vendor Extensions

■ RFC 1542: Clarifications and Extensions for the Bootstrap Protocol

Configuring an Interface to Dynamically Obtain an IP Address through BOOTP

Follow these steps to configure an interface to dynamically obtain an IP address:

Displaying BOOTP Client Configuration

Table 294 Configuring an Interface to Dynamically Obtain IP Address through BOOTP Protocol

1 Enter system view: system-view

2 Enter interface view: interface interface-type interface-number

3 Configure an interface to dynamically obtain an IP address through BOOTP: ip address bootp-alloc (required; by default, an interface does not use BOOTP to obtain an IP address)

Table 295 Displaying BOOTP Client Configuration

■ Display related information on a BOOTP client: display bootp client [ interface interface-type interface-number ] (available in any view)


41 ACL OVERVIEW

ACL Overview

An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. After the specific packets are identified, the network device can permit or prohibit the corresponding packets based on the predefined policy.

ACLs classify packets based on a series of match conditions, which can be the source addresses, destination addresses and port numbers carried in the packets.

The packet match rules defined by ACLs can be referenced by other functions that need to differentiate traffic flows, such as the definition of traffic classification rules in QoS.

Time-Based ACL

A time range-based ACL enables you to implement ACL control over packets by differentiating the time ranges.

A time range can be specified in each rule in an ACL. If the time range specified in a rule is not configured, the system will give a prompt message and allow such a rule to be successfully created. However, the rule does not take effect immediately. It takes effect only when the specified time range is configured and the system time is within the time range. If you remove the time range of an ACL rule, the ACL rule becomes invalid the next time the ACL rule timer refreshes.

IPv4 ACL

This section covers these topics:

■ IPv4 ACL Classification

■ IPv4 ACL Match Order

■ IP Fragments Filtering with IPv4 ACL

IPv4 ACL Classification

IPv4 ACLs are numbered ACLs. Depending on the header fields used for filtering, they fall into the following three types:

■ Basic ACL, based on source IP address.

■ Advanced ACL, based on source IP address, destination IP address, upper layer protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields.

■ Ethernet frame header ACL, based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type.

IPv4 ACL Match Order

Each ACL is a sequential collection of rules defined with different matching criteria. The order in which a packet is matched against the rules may thus affect how the packet is handled.


At present, the following two match orders are available:

■ config: where rules are compared against in the order in which they are configured.

■ auto: where depth-first match is performed.

In a basic or advanced IPv4 ACL, depth-first match works as follows:

1 Sort rules first by the wildcard length of source IP address, with the one configured with shorter wildcard being compared first.

2 When two rules with the same source IP address wildcard are present, the one with shorter destination IP address wildcard is compared first.

3 If the lengths of their destination IP address wildcards are the same, the one configured first is compared prior to the other.

For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to the rule with the source IP address wildcard 0.0.255.255.

In an Ethernet frame header ACL, depth-first match works as follows:

1 Sort rules first by the mask length of source MAC address, with the one configured with longer mask length being compared first.

2 When two rules with the same source MAC address mask length are present, the one with shorter destination MAC address mask length is compared prior to the other.

3 If the lengths of their destination MAC address masks are the same, the one configured first is compared prior to the other.

For example, the rule with the source MAC address mask FFFF-FFFF-0000 is compared prior to the rule with the source MAC address mask FFFF-0000-0000.

The display acl command displays ACL rules in their match order rather than the configuration order.

The comparison of a packet against an ACL stops once a match is found. The packet is then processed as per the rule.

IP Fragments Filtering with IPv4 ACL

Traditionally, an ACL checks only first fragments, not all IP fragments; non-first fragments are handled the way the first fragments are handled. This causes a security risk, as attackers may fabricate non-first fragments to attack your network.

Note that ACL rules configured with the fragment keyword apply only to non-first fragments, and those configured without the keyword apply to all packets (including first fragments) except non-first fragments.

Look at the following commands:

[3Com-basic-2000] rule 1 deny source 202.101.1.0 0.0.0.255 fragment
[3Com-basic-2000] rule 2 permit source 202.101.2.0 0.0.0.255
[3Com-adv-3001] rule 3 permit ip destination 171.16.23.1 0 fragment
[3Com-adv-3001] rule 4 deny ip destination 171.16.23.2 0

Among these rules, the first and the third rules only apply to non-first fragments while the second and the fourth apply to all packets but non-first fragments.
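An added example, not code from the guide: a Python model of the two match orders (config, and depth-first auto for both IPv4 and Ethernet frame header ACLs) together with the fragment keyword semantics, with the four rules above encoded as FRAGMENT_EXAMPLE. Modelling an absent source or destination as wildcard 255.255.255.255, and permitting by default when no rule matches, are assumptions the guide does not state.

```python
"""Added example (not 3Com code): the two match orders and the fragment keyword.

A rule is a dict {"id", "action", "source": (ip, wildcard), "destination": (ip,
wildcard), "fragment": bool}; an absent source or destination means "any",
modelled here as wildcard 255.255.255.255 (an assumption).  Packets are dicts
{"src", "dst", "non_first_fragment"}.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def _bits(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_len(wildcard):
    """Don't-care bits in a wildcard: 0.0.0.255 -> 8, 0.0.255.255 -> 16 (shorter is more specific)."""
    return bin(_bits(wildcard)).count("1")


def mac_mask_len(mask):
    """Care bits in a MAC mask: FFFF-FFFF-0000 -> 32, FFFF-0000-0000 -> 16 (longer is more specific)."""
    return bin(int(mask.replace("-", ""), 16)).count("1")


def order_ipv4_rules(rules, match_order="config"):
    """Order rules as the switch compares them: config order, or depth-first for auto."""
    if match_order == "config":
        return list(rules)
    if match_order != "auto":
        raise ValueError(f"unknown match order {match_order!r}")
    indexed = list(enumerate(rules))
    # Shorter source wildcard first, then shorter destination wildcard, then configuration order.
    indexed.sort(key=lambda p: (wildcard_len(p[1].get("source", ANY)[1]),
                                wildcard_len(p[1].get("destination", ANY)[1]), p[0]))
    return [r for _, r in indexed]


def order_mac_rules(rules, match_order="config"):
    """Ethernet frame header ACL: longer source mask first, then longer destination mask."""
    if match_order == "config":
        return list(rules)
    if match_order != "auto":
        raise ValueError(f"unknown match order {match_order!r}")
    indexed = list(enumerate(rules))
    indexed.sort(key=lambda p: (-mac_mask_len(p[1].get("source_mask", "0000-0000-0000")),
                                -mac_mask_len(p[1].get("destination_mask", "0000-0000-0000")), p[0]))
    return [r for _, r in indexed]


def _addr_match(addr, spec):
    ip, wildcard = spec
    care = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(addr) & care) == (_bits(ip) & care)


def rule_applies(rule, packet):
    """Rules with 'fragment' see only non-first fragments; rules without it see
    every packet except non-first fragments.  Then the addresses must match."""
    if rule.get("fragment", False) != packet.get("non_first_fragment", False):
        return False
    return (_addr_match(packet["src"], rule.get("source", ANY))
            and _addr_match(packet["dst"], rule.get("destination", ANY)))


def evaluate(rules, packet, match_order="config", default="permit"):
    """Stop at the first matching rule and return (action, rule id); 'default'
    is what happens when nothing matches (the guide does not state it; assumption)."""
    for rule in order_ipv4_rules(rules, match_order):
        if rule_applies(rule, packet):
            return rule["action"], rule["id"]
    return default, None


# The four rules from the fragment example above, in the dict form used here.
FRAGMENT_EXAMPLE = [
    {"id": 1, "action": "deny", "source": ("202.101.1.0", "0.0.0.255"), "fragment": True},
    {"id": 2, "action": "permit", "source": ("202.101.2.0", "0.0.0.255")},
    {"id": 3, "action": "permit", "destination": ("171.16.23.1", "0.0.0.0"), "fragment": True},
    {"id": 4, "action": "deny", "destination": ("171.16.23.2", "0.0.0.0")},
]
```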


IPv4 ACL Creation

An IPv4 ACL consists of a set of rules. Before you can configure ACL rules, you must first create an IPv4 ACL.

When creating an IPv4 ACL:

■ You must specify an ACL number (numeric type), and

■ You can optionally specify the match order of the IPv4 ACL.

After an IPv4 ACL is created, the IPv4 ACL view is displayed.


42 IPV4 ACL CONFIGURATION

This chapter covers these topics:

■ Creating a Time Range

■ Configuring a Basic IPv4 ACL

■ Configuring an Advanced IPv4 ACL

■ Configuring an Ethernet Frame Header ACL

■ Configuring a User-Defined IPv4 ACL

■ Displaying and Maintaining IPv4 ACLs

■ IPv4 ACL Configuration Example

Creating a Time Range

Three types of time ranges are available:

■ Periodic time range, which recurs periodically on the day or days of the week.

■ Absolute time range, which takes effect only in a period of time and does not recur.

■ Compound time range, which recurs on the day or days of the week within a period.

CAUTION: On the Switch 4500G, the start time of an absolute time range cannot be earlier than 1970/1/1 00:00 and the end time of an absolute time range cannot be later than 2100/12/31 24:00.

Configuration Procedure

Follow these steps to create a time range:

If only a periodic time section is defined in a time range, the time range is active only within the defined periodic time section.

If only an absolute time section is defined in a time range, the time range is active only within the defined absolute time section.

Table 296 Creating a Time Range

1 Enter system view: system-view

2 Create a time range: time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 } (required)

3 Display the configuration and state of a specified or all time ranges: display time-range { all | time-name } (optional; available in any view)


If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time range and the absolute time range are both matched. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only from 12:00 to 14:00 every Wednesday in 2004.

If the start time is specified, the time range starts on the current date and ends on the end date.

If the end date is not specified, the time range lasts from the date of configuration until the largest date available in the system.
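An added example, not part of the guide: a Python model of the activity rules above, including the compound case (periodic and absolute sections both defined) and the defaults for a missing start or end date. The day keywords off-day and daily are Comware keywords not shown on this page; MAX_DATE is taken from the caution about absolute time ranges; the time ranges in the comments and tests are constructed.

```python
"""Added example (not 3Com code): when a time range is active.

A time range is active only when its periodic section (if defined) and its
absolute section (if defined) both match the current time.  Day keywords: the
weekday names and working-day as on this page; off-day and daily are the other
Comware keywords.
"""
from datetime import datetime, time

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
# "Largest date available in the system", taken from the caution about absolute time ranges.
MAX_DATE = datetime(2100, 12, 31, 23, 59, 59)


def parse_days(words):
    """Expand day keywords into weekday numbers (Monday = 0)."""
    days = set()
    for w in words:
        if w == "working-day":
            days.update(range(0, 5))
        elif w == "off-day":
            days.update({5, 6})
        elif w == "daily":
            days.update(range(7))
        elif w in WEEKDAYS:
            days.add(WEEKDAYS[w])
        else:
            raise ValueError(f"unknown day keyword {w!r}")
    return days


def parse_hhmm(text):
    """'8:00' or '18:00' -> datetime.time."""
    hour, minute = (int(part) for part in text.split(":"))
    return time(hour, minute)


def _to_dt(value):
    """Accept a datetime, an ISO 8601 string such as '2004-07-14 13:00', or None."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


class TimeRange:
    def __init__(self, name, periodic=None, absolute=None, configured_at=None):
        """periodic = (start 'HH:MM', end 'HH:MM', [day keywords]);
        absolute = (from datetime/string or None, to datetime/string or None).
        A missing start date means the date of configuration; a missing end date
        means MAX_DATE, as the text above describes."""
        self.name = name
        self.periodic = None
        if periodic is not None:
            start, end, days = periodic
            self.periodic = (parse_hhmm(start), parse_hhmm(end), parse_days(days))
        self.absolute = None
        if absolute is not None:
            begin, finish = (_to_dt(v) for v in absolute)
            self.absolute = (begin or _to_dt(configured_at) or datetime.now(),
                             finish or MAX_DATE)

    def periodic_matches(self, now):
        start, end, days = self.periodic
        return now.weekday() in days and start <= now.time() <= end

    def absolute_matches(self, now):
        begin, finish = self.absolute
        return begin <= now <= finish

    def is_active(self, now):
        """Every defined section must match; with both defined, both must."""
        now = _to_dt(now)
        if self.periodic is not None and not self.periodic_matches(now):
            return False
        if self.absolute is not None and not self.absolute_matches(now):
            return False
        return True

    def state(self, now):
        """The Active / Inactive flag that display time-range shows."""
        return "Active" if self.is_active(now) else "Inactive"
```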

Configuration Example

1 Create a time range that spans from 8:00 to 18:00 every working day.

<3Com> system-view
[3Com] time-range test 8:00 to 18:00 working-day
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
 08:00 to 18:00 working-day

2 Create an absolute time range that spans from 15:00 2000/1/28 to 15:00 2004/1/28.

<3Com> system-view
[3Com] time-range test from 15:00 2000/1/28 to 15:00 2004/1/28
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
 from 15:00 1/28/2000 to 15:00 1/28/2004


Configuring a Basic IPv4 ACL

Basic IPv4 ACLs filter packets based on source IP address. They are numbered in the range 2000 to 2999.

Configuration Prerequisites

If you want to reference a time range to a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure a basic IPv4 ACL:

When configuring a rule, note that:

1 In case the match order is config

■ If you specify a rule ID but a rule with the same rule ID already exists, the existing rule will be displayed and you can edit the rule.

■ If you specify a rule ID and no existing rule has the same rule ID, a new rule will be defined and created.

■ The content of the rule you are editing or defining cannot be identical with that of any existing rule. Otherwise, the editing or creating operation will fail, and the system will prompt that the rule already exists.

■ If you do not specify a rule ID, a new rule will be defined and created, and the system will automatically assign the following ID to the rule: the smallest multiple of step-value that is greater than the largest ID of existing rules. For example, suppose the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID when defining a rule, the system will automatically assign ID 30 to the rule.

2 In case the match order is auto

■ You can add a new rule or delete an existing rule, but you cannot edit an existing rule (an error is prompted if you try).

■ A newly defined rule cannot be identical with any existing rule; otherwise the rule cannot be created and the system prompts that the rule already exists.

■ If you specify a rule ID and no existing rule has the same rule ID, a new rule will be defined and created.

Table 297 Configuring a Basic IPv4 ACL

1 Enter system view: system-view

2 Create and enter a basic IPv4 ACL view: acl number acl-number [ match-order { config | auto } ] (required; the default match order is config)

3 Create or modify a rule: rule [ rule-id ] { permit | deny } [ rule-string ] (required; to create multiple rules, repeat this step)

4 Set a rule numbering step: step step-value (optional; the default step is 5)

5 Create an ACL description: description text (optional)

6 Create a rule description: rule rule-id comment text (optional)

7 Display information about a specified or all IPv4 ACLs: display acl { all | acl-number } (optional; available in any view)


■ If you do not specify a rule ID, a new rule will be defined and created, and the system will automatically assign the following ID to the rule: the smallest multiple of step-value that is greater than the largest ID of existing rules. For example, suppose the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID when defining a rule, the system will automatically assign ID 30 to the rule.

■ The system will insert a newly created rule between existing rules in depth-first order, without changing the ID of any rule.

CAUTION:

■ You can modify the match order of an ACL only when it does not contain any rules.

■ You can use the rule comment command only for existing ACL rules.

Configuration Example

1 Create IPv4 ACL 2000 to deny the packets with the source address 1.1.1.1 to pass.

<3Com> system-view
[3Com] acl number 2000
[3Com-acl-basic-2000] rule deny source 1.1.1.1 0

2 Verify the configuration.

[3Com-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule,
Acl's step is 5
 rule 0 deny source 1.1.1.1 0 (0 times matched)

Configuring an Advanced IPv4 ACL

Advanced IPv4 ACLs filter packets based on source IP address, destination IP address, upper layer protocol carried on IP, and other protocol header fields, such as the TCP/UDP source port, TCP/UDP destination port, TCP flags, ICMP message type, and ICMP message code.

In addition, advanced ACLs allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

Advanced ACLs are numbered in the range 3000 to 3999. Compared to basic ACLs, they allow more flexible and accurate filtering.

■ When you configure both IP priority and ToS priority for a rule, both priorities are valid.

■ When you configure both IP/ToS priority and DSCP for a rule, only DSCP is valid.

Configuration Prerequisites

If you want to reference a time range to a rule, define it with the time-range command first.

Page 419: 3Com Switch 4500G Family Configuration Guide

Configuring an Advanced IPv4 ACL 419

Configuration Procedure

Follow these steps to configure an advanced IPv4 ACL:

When configuring a rule, note that:

1 In case the match order is config

■ If you specify a rule ID but a rule with the same rule ID already exists, the existing rule will be displayed and you can edit the rule.

■ If you specify a rule ID and no existing rule has the same rule ID, a new rule will be defined and created.

■ The content of the rule you are editing or defining cannot be identical with that of any existing rule. Otherwise, the editing or creating operation will fail, and the system will prompt that the rule already exists.

■ If you do not specify a rule ID, a new rule will be defined and created, and the system will automatically assign the following ID to the rule: the smallest multiple of step-value that is greater than the largest ID of existing rules. For example, suppose the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID when defining a rule, the system will automatically assign ID 30 to the rule.

2 In case the match order is auto

■ You can add a new rule or delete an existing rule, but you cannot edit an existing rule (the system prompts an error if you try).

■ A newly defined rule cannot be identical with any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).

■ If you specify a rule ID and no existing rule has the same rule ID, a new rule will be defined and created.

■ If you do not specify a rule ID, a new rule will be defined and created, and the system will automatically assign the following ID to the rule: the smallest multiple of step-value that is greater than the largest ID of existing rules. For example, suppose the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID when defining a rule, the system will automatically assign ID 30 to the rule.

Table 298 Configuring an Advanced IPv4 ACL (to do, command, remarks)

■ Enter system view: system-view

■ Create and enter an advanced IPv4 ACL view: acl number acl-number [ match-order { config | auto } ]. Required. The default match order is config.

■ Create or modify a rule: rule [ rule-id ] { permit | deny } protocol [ rule-string ]. Required. To create multiple rules, repeat this step.

■ Set a rule numbering step: step step-value. Optional. The default step is 5.

■ Create an ACL description: description text. Optional.

■ Create a rule description: rule rule-id comment text. Optional.

■ Display information about a specified or all IPv4 ACLs: display acl { all | acl-number }. Optional. Available in any view.


■ The system will insert a newly created rule between existing rules in depth-first order, without changing the ID of any rule.

CAUTION:

■ You can modify the match order of an ACL only when it does not contain any rules.

■ You can use the rule comment command only for existing ACL rules.

Configuration Example

1 Create IPv4 ACL 3000 to permit TCP packets with port number 80 sent from 129.9.0.0 to 202.38.160.0.

<3Com> system-view
[3Com] acl number 3000
[3Com-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

2 Verify the configuration.

[3Com-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule,
Acl's step is 5
 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (0 times matched)

Configuring an Ethernet Frame Header ACL

Ethernet frame header ACLs filter packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type. They are numbered in the range 4000 to 4999.

Configuration Prerequisites

If you want to reference a time range to a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure an Ethernet frame header ACL:

Table 299 Configuring an Ethernet Frame Header ACL (to do, command, remarks)

■ Enter system view: system-view

■ Create and enter an Ethernet frame header ACL view: acl number acl-number [ match-order { config | auto } ]. Required. The default match order is config.

■ Create or modify a rule: rule [ rule-id ] { permit | deny } [ rule-string ]. Required. To create multiple rules, repeat this step.

■ Set a rule numbering step: step step-value. Optional. The default step is 5.

■ Create an ACL description: description text. Optional.

■ Create a rule description: rule rule-id comment text. Optional.

■ Display information about a specified or all IPv4 ACLs: display acl { all | acl-number }. Optional. Available in any view.


When configuring a rule, note that:

1 In case the match order is config

■ If you specify a rule ID but a rule with the same rule ID already exists, the existing rule will be displayed and you can edit the rule.

■ If you specify a rule ID and no existing rule has the same rule ID, a new rule will be defined and created.

■ The content of the rule you are editing or defining cannot be identical with that of any existing rule. Otherwise, the editing or creating operation will fail, and the system will prompt that the rule already exists.

■ If you do not specify a rule ID, a new rule will be defined and created, and the system will automatically assign the following ID to the rule: the smallest multiple of step-value that is greater than the largest ID of existing rules. For example, suppose the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID when defining a rule, the system will automatically assign ID 30 to the rule.

2 In case the match order is auto

■ You can add a new rule or delete an existing rule, but you cannot edit an existing rule (the system prompts an error if you try).

■ A newly defined rule cannot be identical with any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).

■ If you specify a rule ID and no existing rule has the same rule ID, a new rule will be defined and created.

■ If you do not specify a rule ID, a new rule will be defined and created, and the system will automatically assign the following ID to the rule: the smallest multiple of step-value that is greater than the largest ID of existing rules. For example, suppose the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID when defining a rule, the system will automatically assign ID 30 to the rule.

■ The system will insert a newly created rule between existing rules in depth-first order, without changing the ID of any rule.

CAUTION:

■ You can modify the match order of an ACL only when it does not contain any rules.

■ You can use the rule comment command only for existing ACL rules.
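The numbering and editing rules above (the same rules are given for basic and advanced ACLs earlier in this chapter) can be checked against a small model. The following Python is an added illustration, not 3Com code: the Acl class implements the step-based ID assignment, the config and auto match-order restrictions, the duplicate-rule check and the two CAUTION items. Rule content is treated as an opaque string and the rejects helper is a test aid; both are assumptions of this example.

```python
"""Rule-ID assignment and match-order rules for an IPv4 ACL, as described in the guide.

Added illustration, not 3Com code. Rule content is an opaque string (assumption);
time ranges and actual packet matching are out of scope here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


class AclError(Exception):
    """Stands in for the error prompt the switch prints."""


@dataclass
class Acl:
    number: int
    match_order: str = "config"      # default match order per the guide
    step: int = 5                    # default numbering step per the guide
    rules: Dict[int, str] = field(default_factory=dict)
    comments: Dict[int, str] = field(default_factory=dict)

    def set_match_order(self, order: str) -> None:
        # CAUTION: the match order can only be changed while the ACL is empty.
        if order not in ("config", "auto"):
            raise AclError("unknown match order: %s" % order)
        if self.rules:
            raise AclError("ACL %d already contains rules" % self.number)
        self.match_order = order

    def next_rule_id(self) -> int:
        # Smallest multiple of step strictly greater than the largest existing ID;
        # an empty ACL starts at 0 (the example output shows 'rule 0').
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, content: str, rule_id: Optional[int] = None) -> int:
        """Create or modify a rule and return the ID it was stored under."""
        # In both match orders a rule identical to an existing one is rejected.
        if content in self.rules.values():
            raise AclError("the rule already exists")
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif rule_id in self.rules and self.match_order == "auto":
            # auto order allows adding and deleting only, never editing.
            raise AclError("rule %d exists; editing is not allowed in auto order" % rule_id)
        # config order: an existing ID is edited in place; a new ID is created.
        self.rules[rule_id] = content
        return rule_id

    def undo_rule(self, rule_id: int) -> None:
        self.rules.pop(rule_id, None)
        self.comments.pop(rule_id, None)

    def rule_comment(self, rule_id: int, text: str) -> None:
        # CAUTION: 'rule comment' applies only to rules that already exist.
        if rule_id not in self.rules:
            raise AclError("rule %d does not exist" % rule_id)
        self.comments[rule_id] = text


def rejects(call, *args, **kwargs) -> bool:
    """True when the operation would make the switch print an error (test aid)."""
    try:
        call(*args, **kwargs)
    except AclError:
        return True
    return False
```

Note that next_rule_id returns the smallest multiple of step strictly greater than the largest existing ID, so once rule 30 exists the next automatic ID is 35, and after rule 28 it is 30, as in the worked figure in the text.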

Configuration Example

1 Create IPv4 ACL 4000 to deny frames with the 802.1p priority of 3.

<3Com> system-view
[3Com] acl number 4000
[3Com-acl-ethernetframe-4000] rule deny cos 3

2 Verify the configuration.

[3Com-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule,
Acl's step is 5
 rule 0 deny cos excellent-effort (0 times matched)


Displaying and Maintaining IPv4 ACLs

Table 300 Displaying and Maintaining IPv4 ACLs (to do, command, remarks)

■ Display information about a specified or all IPv4 ACLs: display acl { all | acl-number }. Available in any view.

■ Display the configuration and state of a specified or all time ranges: display time-range { all | time-name }. Available in any view.

■ Clear the statistics about the specified or all ACLs: reset acl counter { all | acl-number }. Available in user view.

IPv4 ACL Configuration Example

Network Requirements

Different departments of an enterprise are interconnected on the intranet through the ports of a switch. The IP address of the wage query server is 192.168.1.2. Devices of the R&D department are connected to the GigabitEthernet1/0/1 port of the switch. Apply an ACL to deny requests sourced from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).

Network Diagram

Figure 117 Network diagram for ACL configuration (the switch ports #1, #2 and #3 connect the R&D Department, the salary server 192.168.1.2, and a link to a router)

Configuration Procedure

1 Create a time range for office hours

a Create a periodic time range spanning 8:00 to 18:00 in working days.

<3Com> system-view
[3Com] time-range trname 8:00 to 18:00 working-day

2 Define an ACL to control accesses to the salary server

a Create and enter the view of advanced IPv4 ACL 3000.

[3Com] acl number 3000

b Create a rule to control accesses of the R&D Department to the salary server.

[3Com-acl-adv-3000] rule 0 deny ip source any destination 192.168.1.2 0.0.0.0 time-range trname
[3Com-acl-adv-3000] quit

3 Apply the ACL

Apply IPv4 ACL 3000 to the inbound direction of interface GigabitEthernet1/0/1.

[3Com] traffic classifier test
[3Com-classifier-test] if-match acl 3000
[3Com-classifier-test] quit
[3Com] traffic behavior test
[3Com-behavior-test] filter deny
[3Com-behavior-test] quit
[3Com] qos policy test
[3Com-qospolicy-test] classifier test behavior test
[3Com-qospolicy-test] quit
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos apply policy test inbound
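To see what the ACL and time range of this example actually do to traffic, here is an added Python example (not switch code) that evaluates advanced IPv4 ACL rules with wildcard masks, protocol and destination-port criteria, and the periodic time range trname, in the config match order (ascending rule ID). It also encodes ACL 3000 from the advanced-ACL example earlier in the chapter. The sample packets, the R&D host address 10.1.1.5 and the timestamps are constructed.

```python
"""Evaluate advanced IPv4 ACL rules against sample traffic.

Added example, not switch code. A 1 bit in a wildcard mask means "don't care";
a 0 bit must match. Rules are checked in ascending ID order (config match order).
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # 'source any' / 'destination any'
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

# Periodic time ranges: name -> (start, end, allowed weekdays); Mon=0 .. Fri=4
TIME_RANGES = {"trname": (time(8, 0), time(18, 0), range(0, 5))}


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    # Bits set to 0 in the wildcard must match exactly; bits set to 1 are ignored.
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)


def time_range_active(name: Optional[str], when: datetime) -> bool:
    if name is None:
        return True                          # a rule without a time range is always active
    start, end, weekdays = TIME_RANGES[name]
    return when.weekday() in weekdays and start <= when.time() <= end


@dataclass
class Rule:
    rule_id: int
    action: str                               # 'permit' or 'deny'
    protocol: str = "ip"
    source: Tuple[str, str] = ANY             # (address, wildcard)
    destination: Tuple[str, str] = ANY
    destination_port: Optional[int] = None    # 'destination-port eq N'
    time_range: Optional[str] = None

    def matches(self, pkt: Dict, when: datetime) -> bool:
        if not time_range_active(self.time_range, when):
            return False
        proto = PROTOCOLS[self.protocol]
        if proto is not None and pkt["proto"] != proto:
            return False
        if self.destination_port is not None and pkt.get("dport") != self.destination_port:
            return False
        return (wildcard_match(pkt["src"], *self.source)
                and wildcard_match(pkt["dst"], *self.destination))


def evaluate(rules: List[Rule], pkt: Dict, when: datetime) -> Optional[str]:
    """Return the action of the first matching rule, or None when no rule matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt, when):
            return rule.action
    return None


# ACL 3000 of this example: deny traffic to the salary server during office hours.
SALARY_ACL = [Rule(0, "deny", "ip", ANY, ("192.168.1.2", "0.0.0.0"), time_range="trname")]

# ACL 3000 of the advanced ACL section: permit HTTP from 129.9.0.0/16 to 202.38.160.0/24.
HTTP_ACL = [Rule(0, "permit", "tcp", ("129.9.0.0", "0.0.255.255"),
                 ("202.38.160.0", "0.0.0.255"), destination_port=80)]

# Constructed sample packets and times (10.1.1.5 is an assumed R&D host address).
QUERY = {"src": "10.1.1.5", "dst": "192.168.1.2", "proto": 6, "dport": 443}
HTTP = {"src": "129.9.12.34", "dst": "202.38.160.7", "proto": 6, "dport": 80}
OFFICE_HOURS = datetime(2008, 2, 4, 10, 0)    # Monday 10:00
WEEKEND = datetime(2008, 2, 9, 10, 0)         # Saturday 10:00
```

A packet that matches no rule yields None rather than an implicit deny: in this chapter's configuration the deny comes from the traffic behavior that the class is bound to, so unmatched traffic is simply not classified and passes untouched.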


43 QOS OVERVIEW

Introduction

Quality of Service (QoS) is a concept that applies wherever a supply-demand relation for a service exists. QoS measures the ability to meet the service needs of customers. Generally, the evaluation does not give a precise grade; its purpose is to analyze the conditions under which the service is good and those under which it still needs improvement, so that specific improvements can be implemented.

On the Internet, QoS measures the ability of the network to deliver packets. The evaluation of QoS can be based on different aspects because the network provides diversified services. Generally speaking, QoS evaluates the ability of the service to support critical metrics such as delay, delay jitter and packet loss rate in packet delivery.

Traditional Packet Delivery Service

The traditional IP network treats all packets equally. The switch adopts the first in first out (FIFO) policy in packet processing and assigns the resources necessary for forwarding according to the arrival time of each packet. All packets share the network and router resources, and the resources a packet gets depend entirely on the chance of its arrival time.

This service policy is called Best-Effort. The switch makes its best effort to deliver the packets to the destination but it cannot provide any guarantee for delay, delay jitter, packet loss rate, and reliability in packet delivery.

The traditional Best-Effort service policy is only applicable to services such as WWW, FTP, and E-mail, which are not sensitive to the bandwidth and the delay performance.

New Requirements Brought forth by New Services

With the fast development of computer networks, more and more networks are connected into Internet. Internet extends very quickly in scale, coverage and the number of users. More and more users use the Internet as a platform for data transmission and develop various applications on it.

Besides traditional applications such as WWW, E-mail, and FTP, Internet users also try to develop new services on Internet, such as tele-education, tele-medicine, video phones, video conferencing, and video on demand (VOD). Enterprise users also hope to connect their branch offices in different locations through the VPN technology to develop some transaction applications, such as to access to the database of the company or to manage remote switches through Telnet.


The new services have one thing in common: they all have special requirements for delivery performances such as bandwidth, delay, and delay jitter. For example, video conferencing and VOD require the guarantee of high bandwidth, low delay and low delay jitter. Some key services such as the transaction handling and the Telnet do not necessarily require high bandwidth but they are highly dependent on low delay and need to be processed preferentially in case of congestion.

The emergence of new services brings forward higher requirements for the service capability of the IP network. In the delivery process, users hope to get better services, such as dedicated bandwidth, reduced packet loss rate, management and avoidance of network congestion, control of network traffic, and provision of packet priority, instead of just having packets delivered to the destination. To meet these requirements, the network service capability needs to be further improved.

Occurrence and Influence of Congestion and the Countermeasures

QoS issues that traditional networks face are mainly caused by congestion. Congestion means a reduced service rate and extra delay introduced because relatively insufficient resources are provisioned.

Occurrence of Congestion

Congestion is very common in a complicated environment of packet switching on Internet. The diagram below gives two examples:

Figure 118 Traffic congestion

1 Packets enter a router over a high-speed link and are forwarded out over a low-speed link.

2 Packets enter a router through multiple interfaces of the same rate at the same time and are forwarded out on an interface of the same rate.

If the traffic arrives at the wire speed, the traffic will encounter the bottleneck of resources and congestion occurs.

Besides bandwidth bottleneck, any insufficiency of resources for packet forwarding, such as insufficiency of assignable processor time, buffer size, and memory resources can cause congestion. In addition, congestion will also occur if the traffic that arrives within a certain period of time is improperly controlled and the traffic goes beyond the assignable network resources.

(Figure 118 panels: traffic congestion on interfaces of different rates, 1000M to 100M; traffic congestion on interfaces of the same rate, several 100M links to one 100M link.)


Influence of Congestion

Congestion may cause a series of negative influences:

■ Congestion increases delay and delay jitter in packet delivery.

■ Excessively high delay will cause retransmission of packets.

■ Congestion decreases the effective throughput of the network and the utilization of the network resources.

■ Aggravated congestion will consume a large amount of network resources (especially memory resources), and unreasonable resource assignment will even lead to system resource deadlock and cause the system breakdown.

It is obvious that congestion is the root of service performance declination because congestion makes traffic unable to get resources timely. However, congestion is common in a complicated environment where packet switching and multi-user services coexist. Therefore, congestion must be treated carefully.

Countermeasures

Increasing network bandwidth is a direct way to solve the problem of resource insufficiency, but it cannot solve all the problems that cause network congestion.

A more effective way to solve network congestion problems is to enhance the function of the network layer in traffic control and resource assignment, to provide differentiated services for different requirements, and to assign and utilize resources correctly. In the process of resource assignment and traffic control, the direct or indirect factors that may cause network congestion must be properly controlled so as to reduce the probability of congestion. When congestion occurs, the resource assignment should be balanced according to the features and requirements of all the services to minimize the influence of congestion on QoS.

Major Traffic Management Techniques

Traffic classification, traffic policing (TP), traffic shaping (TS), congestion management, and congestion avoidance are the foundation for providing differentiated services. Their main functions are as follows:

■ Traffic classification: Identifies packets according to certain match rules. Traffic classification is the prerequisite of providing differentiated services.

■ TP: Monitors and controls the specifications of specific traffic entering the device. When the traffic exceeds the threshold, restrictive or punitive measures can be taken to protect the business interests and network resources of the operator from being damaged.

■ Congestion management: Congestion management is necessary for solving resource competition. Congestion management is generally to cache packets in the queues and arrange the forwarding sequence of the packets based on a certain scheduling algorithm.

■ Congestion avoidance: Excessive congestion will impair the network resources. Congestion avoidance is to supervise the network resource usage. When it is found that congestion is likely to become worse, the congestion avoidance mechanism will drop packets and regulate traffic to solve the overload of the network.

■ TS: TS is a traffic control measure to regulate the output rate of the traffic actively. TS regulates the traffic to match the network resources that can be provided by the downstream devices so as to avoid unnecessary packet loss and congestion.


Among the traffic management techniques, traffic classification is the basis because it identifies packets according to certain match rules, which is the prerequisite of providing differentiated services. TP, TS, congestion management, and congestion avoidance control network traffic and assigned resources from different approaches, and are the concrete ways of providing differentiated services.

Switch 4500G Switches support the following functions:

■ Traffic classification

■ Access control

■ TP

■ Congestion management

Traffic Classification

Traffic classification is to identify packets with certain characteristics according to certain rules. It is the basis and prerequisite for providing differentiated services.

A traffic classification rule can use the precedence bits in the type of service (ToS) field of the IP packet header to identify traffic with different precedence characteristics. A traffic classification rule can also classify traffic according to the classification policy set by the network administrator, such as a combination of source addresses, destination addresses, MAC addresses, IP protocol, or the port numbers of the applications. Traffic classification is generally based on the information in the packet header and rarely on the content of the packet. The classification result is not limited in range: it can be a small range specified by a quintuplet (source address, source port number, protocol number, destination address, and destination port number), or all the packets to a certain network segment.

Generally, the precedence of bits in the ToS field of the packet header is set when packets are classified on the network border. Thus, IP precedence can be used directly as the classification criterion inside the network. Queue techniques can also process packets differently according to IP precedence. The downstream network can either accept the classification results of the upstream network or re-classify the packets according to its own criterion.

The purpose of traffic classification is to provide differentiated services, so traffic classification is significant only when it is associated with a certain traffic control or resource assignment action. The specific traffic control action to be adopted depends on the phase and the current load status. For example, when the packets enter the network, TP is performed on them according to the CIR; before the packets flow out of the node, TS is performed on them; when congestion occurs, queue scheduling is performed; and when congestion gets worse, congestion avoidance is performed.


Precedence

The following describes several types of precedence:

1 IP precedence, ToS precedence and DSCP precedence

Figure 119 DS field and ToS byte

As shown in the figure above, the ToS field in the IP header contains 8 bits, which are described as follows:

The first three bits indicate IP precedence, in the value range of 0 to 7.

Bit 3 to bit 6 indicate ToS precedence, in the value range of 0 to 15.

RFC2474 re-defines the ToS field in the IP packet header, and it is called the DS field. The first six bits in the DS field indicate DSCP precedence, in the value range of 0 to 63. The last two bits (bit6 and bit7) are reserved.

2 802.1p priority

802.1p priority lies in the layer 2 packet header. It is suitable for occasions where it is not necessary to analyze the Layer 3 packet headers and QoS is needed in Layer 2.

Figure 120 The format of an Ethernet frame with an 802.1Q tag header

As shown in the figure above, each host supporting 802.1Q protocol adds a 4-bit 802.1Q tag header after the source address in the original Ethernet frame header when sending a packet.

The 4-bit 802.1Q tag header contains a 2-bit Tag Protocol Identifier (TPID) whose value is 8100 and a 2-bit Tag Control Information (TCI). TPID is a new type defined by IEEE to indicate a packet with a 802.1Q tag. The following figure shows the detailed contents of an 802.1Q tag header.

Figure 121 The format of an 802.1Q tag header


In the figure above, the 3-bit Priority field in the TCI is the 802.1p priority, in the value range of 0 to 7. These three bits represent the priority of the frame. There are a total of eight priority levels, which determine which packet is sent first when congestion occurs on the switch. These levels are called 802.1p priority because the applications related to them are all defined in detail in the 802.1p specification.
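The bit positions described above can be checked by parsing a frame. The following Python is an added example, not 3Com code: it reads the 802.1p priority from the TCI of an 802.1Q tag, the IP precedence, ToS precedence and DSCP from the ToS byte of the IPv4 header behind it, and applies the advanced-ACL note from earlier in this chapter that IP and ToS priority are both checked unless DSCP is configured, in which case only DSCP counts. It assumes 16-bit TPID and TCI fields as laid out in IEEE 802.1Q; the sample frame is constructed with only the header fields filled in.

```python
"""Priority fields of a tagged IPv4 frame: 802.1p, IP precedence, ToS and DSCP.

Added example, not 3Com code. Assumes 16-bit TPID and TCI fields (IEEE 802.1Q);
the sample frame is constructed and carries only the header bytes that matter here.
"""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ip_precedence(tos: int) -> int:
    return (tos >> 5) & 0x7          # bits 0-2 of the ToS byte, range 0-7


def tos_precedence(tos: int) -> int:
    return (tos >> 1) & 0xF          # bits 3-6 of the ToS byte, range 0-15


def dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F         # first six bits of the DS field, range 0-63


def dot1p_priority(tci: int) -> int:
    return (tci >> 13) & 0x7         # 3-bit Priority field of the TCI, range 0-7


def parse_frame(frame: bytes) -> Dict[str, int]:
    """Return the priority fields of a single-tagged IPv4 frame."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("payload is not IPv4")
    tos = frame[19]                  # IPv4 header starts at offset 18; ToS is its second byte
    return {
        "dot1p": dot1p_priority(tci),
        "vlan": tci & 0xFFF,
        "ip_precedence": ip_precedence(tos),
        "tos_precedence": tos_precedence(tos),
        "dscp": dscp(tos),
    }


def acl_priority_match(tos: int, precedence: Optional[int] = None,
                       tos_prec: Optional[int] = None,
                       dscp_value: Optional[int] = None) -> bool:
    """Advanced-ACL priority criteria: DSCP, when configured, overrides the other two."""
    if dscp_value is not None:
        return dscp(tos) == dscp_value
    if precedence is not None and ip_precedence(tos) != precedence:
        return False
    if tos_prec is not None and tos_precedence(tos) != tos_prec:
        return False
    return True


def build_sample_frame(pcp: int, vlan: int, tos: int) -> bytes:
    """Constructed frame: two MAC addresses, an 802.1Q tag, then a minimal IPv4 header."""
    dst = bytes.fromhex("0000aa000001")
    src = bytes.fromhex("0000aa000002")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan & 0xFFF))
    ip_header = bytes([0x45, tos]) + bytes(18)   # version/IHL, ToS, remaining bytes zeroed
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_header


SAMPLE_FRAME = build_sample_frame(pcp=3, vlan=100, tos=0xB8)   # 0xB8 carries DSCP 46
```

The ToS byte 0xB8 decodes to IP precedence 5, ToS precedence 12 and DSCP 46 at the same time, which is why a rule that names DSCP ignores the other two fields: they are different views of the same bits.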

Introduction to TP

If the traffic from users is not limited, a large amount of continuous burst packets will make network congestion worse. User traffic must be limited in order to make better use of the limited network resources and provide better service for more users. For example, if a traffic flow obtains only the resources committed to it within a certain period of time, network congestion due to excessive burst traffic can be avoided.

TP is a set of traffic control policies that limit traffic and its resource usage by supervising the traffic specification. TP first evaluates whether the traffic exceeds its specification and then applies the regulation policy according to the evaluation result. Generally, the token bucket algorithm is adopted for evaluating the traffic specification.

Traffic Evaluation and Token Bucket

The features of the token bucket

The token bucket can be considered as a container with a certain capacity to hold tokens. The system puts tokens into the bucket at the set rate. When the token bucket is full, the tokens in excess will overflow and the number of tokens in the bucket stops increasing, as shown in Figure 122.

Figure 122 Evaluate the traffic with the token bucket

Evaluate the traffic with the token bucket

The evaluation of the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding. If the number of tokens in the bucket is enough for forwarding the packets, the traffic is compliant with the specification; otherwise the traffic is incompliant with, or in excess of, the specification.

(Figure 122 labels: packets to be sent on this interface are classified against the token bucket, into which tokens are put at the set rate; packets with enough tokens continue to be sent, the others are dropped.)


The parameters of token bucket for traffic evaluation include:

■ Average rate: The rate at which tokens are put into the bucket, namely, the average rate of permitted traffic flows. It is typically set to the committed information rate (CIR).

■ Burst size: The capacity of the token bucket, namely, the maximum traffic size that is permitted in each burst. It is typically set to the committed burst size (CBS). The set burst size must be bigger than the maximum packet length.

An evaluation is performed on the arrival of each packet. In each evaluation, if the bucket has enough tokens, the traffic is within the specification and a number of tokens corresponding to the packet's forwarding authority is taken out of the bucket; otherwise, too many tokens have already been used and the traffic is in excess of the specification.

TP

A typical application of TP is to supervise the specification of a certain traffic flow into the network and limit the specification within a reasonable range, or to punish the traffic in excess. Thus, the network resources and the interests of the carriers are protected. For example, you can limit the bandwidth usage of HTTP packets to 50% of the network bandwidth. If the traffic of a certain connection is in excess, TP can choose either to drop packets or to reset the priority of the packets.

TP is widely used in policing the traffic into the network of Internet service provider (ISP). In addition, TP can classify the policed traffic and perform pre-defined policing actions according to different evaluation results. These actions include:

■ Forward: Forward the packets whose evaluation result is “compliant”.

■ Drop: Drop the packets whose evaluation result is “incompliant”.

■ Modify the precedence and forward: Modify the precedence of the packets whose evaluation result is “partially compliant” and forward them.

Introduction to LR

You can use line rate (LR) to limit the total rate of sending packets (including emergent packets) on a physical interface.

LR also uses token buckets for traffic control. If LR is enabled on an interface, all packets to be sent via that interface are first processed by the LR token bucket. If the bucket has enough tokens, the packets are sent; otherwise, they enter the QoS queues for congestion management. In this way, the traffic via the physical interface is controlled.


Figure 123 LR processing procedure

Because a token bucket is used for traffic control, burst transmission is allowed while the bucket holds tokens; when it runs out of tokens, packets cannot be sent until new tokens are generated. The packet rate therefore cannot exceed the token generation rate, so the traffic is limited while bursts are still permitted.

Compared with TP, LR controls packets sent via physical interfaces. When you just want to limit the rate of all packets, LR is simpler than TP.
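The token bucket evaluation described for TP and the queueing behaviour of LR are shown together in this added Python example (not 3Com code). TokenBucket refills at the CIR up to CBS bytes and is consulted on each packet's arrival; police() maps the result to the TP actions forward and drop, and line_rate() queues non-conforming packets until tokens accumulate, as the LR description states. The packet sizes and arrival times are constructed, and the CIR of 640 kbps is the value used in the LR configuration example later in this chapter.

```python
"""Token-bucket evaluation for TP (forward/drop) and LR (send/queue).

Added example, not 3Com code. CIR is in kbps, CBS in bytes; the bucket starts full
and is evaluated on each packet's arrival. Traffic below is constructed.
"""
from typing import List, Tuple

Packet = Tuple[float, int]   # (arrival time in seconds, size in bytes)


class TokenBucket:
    def __init__(self, cir_kbps: int, cbs_bytes: int) -> None:
        self.rate = cir_kbps * 1000 / 8.0   # token fill rate in bytes per second
        self.capacity = cbs_bytes           # burst size; must exceed the largest packet
        self.tokens = float(cbs_bytes)      # bucket starts full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        # Tokens arrive at the set rate; the bucket overflows at its capacity.
        if now < self.last:
            raise ValueError("packet times must be non-decreasing")
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conforms(self, now: float, size: int) -> bool:
        """True (and tokens consumed) when the bucket can pay for the packet."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(bucket: TokenBucket, packets: List[Packet]) -> List[str]:
    """TP: forward compliant packets, drop the rest."""
    return ["forward" if bucket.conforms(t, n) else "drop" for t, n in packets]


def line_rate(bucket: TokenBucket, packets: List[Packet]) -> Tuple[List[str], int]:
    """LR: send while tokens last, otherwise queue; queued packets drain first later.

    Returns the decision taken at each packet's arrival and the number of packets
    still queued at the end of the trace.
    """
    queue: List[int] = []
    decisions: List[str] = []
    for now, size in packets:
        while queue and bucket.conforms(now, queue[0]):
            queue.pop(0)                     # earlier queued packet goes out first
        if not queue and bucket.conforms(now, size):
            decisions.append("sent")
        else:
            queue.append(size)
            decisions.append("queued")
    return decisions, len(queue)


# Constructed burst: five 1500-byte packets, three at t=0 and two spaced out.
BURST: List[Packet] = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.01, 1500), (0.1, 1500)]
```

With CIR 640 kbps (80000 bytes per second) and CBS 4000 bytes, the first two packets of the burst consume 3000 tokens, the third finds only 1000 and is dropped by TP or queued by LR, and 10 ms later 800 new tokens are enough for one more 1500-byte packet. The same bucket gives different outcomes only because TP discards what LR holds back.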

LR Configuration

LR Configuration Procedure

Configuring LR is to limit the rate of inbound packets or outbound packets via physical interfaces.

(Figure 123 labels: packets to be sent via this interface are classified against the token bucket, into which tokens are put at the set rate; packets with enough tokens are sent, the others go to the buffer queue.)

Table 301 LR configuration procedure (to do, command, remarks)

■ Enter system view: system-view

■ Enter interface view: interface interface-type interface-number. Enter either this view or port group view. In Ethernet interface view, the following configuration takes effect only on the current interface; in port group view, it takes effect on all the ports in the group.

■ Enter port group view: port-group { manual port-group-name | aggregation agg-id }

■ Set LR: qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]. Required.

■ Display the LR configuration and statistics of an interface: display qos lr interface [ interface-type interface-number ]. You can execute the display command in any view.


LR Configuration Example

Limit the outbound rate of GigabitEthernet1/0/1 to 640 kbps.

a Enter system view

<3Com> system-view

b Enter interface view

[3Com] interface GigabitEthernet 1/0/1

c Configure LR parameter and limit the outbound rate to 640 kbps

[3Com-GigabitEthernet1/0/1] qos lr outbound cir 640


44 QOS POLICY CONFIGURATION

Overview

A QoS policy includes the following three elements: class, traffic behavior and policy. You can bind the specified class to the specified traffic behavior through QoS policies to facilitate the QoS configuration.

Class

Class is used for identifying traffic.

The elements of a class include the class name and classification rules.

You can use commands to define a series of rules to classify packets. Additionally, you can use commands to define the logical relationship among the classification rules as either and or or:

■ and: The device considers a packet to be of a specific class when the packet matches all the specified classification rules.

■ or: The device considers a packet to be of a specific class when the packet matches any one of the specified classification rules.

Traffic behavior

Traffic behavior is used to define all the QoS actions performed on packets.

The elements of a QoS behavior include traffic behavior name and actions defined in traffic behavior.

You can use commands to define multiple actions in a traffic behavior.

Policy

Policy is used to bind the specified class to the specified traffic behavior.

The elements of a policy include the policy name and the name of the classification-to-behavior binding.

Configuring QoS Policy

The procedure for configuring QoS policy is as follows:

1 Define a class and define a group of traffic classification rules in class view.

2 Define a traffic behavior and define a group of QoS actions in traffic behavior view.

3 Define a policy and specify a traffic behavior corresponding to the class in policy view.

4 Apply the QoS policy in Ethernet port view.


Introducing Each QoS Policy

Table 302 Introduce each QoS policy

Policy: Accounting
  Class: Use the if-match match-criteria command to define a required class
  Command: accounting

Policy: CAR (traffic policing)
  Class: Use the if-match match-criteria command to define a required class
  Command: car

Policy: Traffic filtering
  Class: Use the if-match match-criteria command to define a required class
  Command: filter

Policy: Traffic mirroring
  Class: Use the if-match match-criteria command to define a required class
  Command: mirror-to

Policy: Traffic redirection
  Class: Use the if-match match-criteria command to define a required class
  Command: redirect

Policy: Priority remark
  Class: Use the if-match match-criteria command to define a required class
  Command: remark

Configuring QoS Policy

Configuration Prerequisites

■ The class name and classification rules are specified in the policy.

■ The traffic behavior name and the actions in the traffic behavior are specified.

■ The policy name is specified.

■ Where and how to apply the policy is specified.

Defining a Class

Create a class name first and then configure match rules in this class view.

Configuration procedure

Table 303 Define a class

Enter system view
  Command: system-view
  Remarks: —

Define a class and enter class mapping view
  Command: traffic classifier tcl-name [ operator { and | or } ]
  Remarks: Required. The operator is and by default, that is, the relationship among all the match rules is logic and.

Define a match rule for the class
  Command: if-match match-criteria
  Remarks: Required

Display the information about the class
  Command: display traffic classifier user-defined [ tcl-name ]
  Remarks: Optional. You can execute the display command in any view.


match-criteria: Match rule for a class, see Table 304 for its range.

Observe the following restrictions when defining a match rule; otherwise, applying the policy will fail.

■ When a rule matches customer-vlan-id, dot1p, dscp, ip-precedence or service-vlan-id, configure only one value in that if-match rule.

■ When the logical relationship is and, you can configure only one ACL rule in the class.

Configuration example

1 Network requirements

Configure a class named “test” and define a rule to match packets whose IP precedence is 6.

2 Configuration procedure

a Enter system view.

<3Com> system-view

b Define the class and enter class mapping view

[3Com] traffic classifier test

c Configure classification rules.

[3Com-classifier-test] if-match ip-precedence 6

Defining a Traffic Behavior

To define a traffic behavior, create a traffic behavior name first and then configure its features in this traffic behavior view.

Table 304 The value range of the match rule for a class

Value Description

acl access-list-number Defines an ACL rule. The value of the access-list-number argument is in the range of 2,000 to 4,999.

any Defines a rule to match all packets

customer-vlan-id vlan-id-list Defines a rule to match VLAN IDs of the user network. The vlan-id-list argument is the list of VLAN IDs in the range of 1 to 4,094.

destination-mac mac-address Defines a rule to match destination MAC addresses

dot1p dot1p-list Defines a rule to match 802.1p priority. The dot1p-list argument is the list of CoS values in the range of 0 to 7.

dscp dscp-list Defines a rule to match DSCP precedence. The dscp-list argument is the list of DSCP values in the range of 0 to 63.

ip-precedence ip-precedence-list Defines a rule to match IP precedence. The ip-precedence-list argument is the list of IP precedence values in the range of 0 to 7.

service-vlan-id vlan-id-list Defines a rule to match VLAN IDs of the operator’s network. The vlan-id-list argument is the list of VLAN IDs in the range of 1 to 4,094.

source-mac mac-address Defines a rule to match source MAC addresses


Configuration procedure

The red action keyword in the traffic behavior car defines some actions for the packet not conforming to committed access rate (CAR). The actions include:

■ discard: Drops the packet.

■ pass: Forwards the packet.

■ remark-dscp-pass new-dscp: Remarks the DSCP precedence of the packet and forwards the packet to the destination address. The DSCP precedence is in the range of 0 to 63.

CAUTION: Please obey the following restrictions when defining traffic behaviors; otherwise, you will fail to apply the policies.

■ remark dot1p and remark local-precedence cannot be configured at the same time.

■ filter deny cannot be configured together with any other action except accounting.
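The two class restrictions (one value per if-match rule for the listed keywords; one ACL rule under operator and) and the two traffic-behavior restrictions just listed are easy to violate in a long configuration and only surface when applying the policy fails. The following Python model is an added example, not 3Com code: it encodes those restrictions together with the Table 304 value ranges as a pre-apply check over a class/behavior/policy description. The dataclasses and the check_* functions are hypothetical names chosen for this illustration.

```python
"""Pre-apply check for the QoS policy model described in this chapter.

Added illustration, not 3Com code: the dataclasses, RANGES table and the
check_* functions are hypothetical names chosen here. The rules encoded are
the ones the guide states (Table 304 value ranges, the two class restrictions
and the two traffic-behavior restrictions)."""
from dataclasses import dataclass, field

# Value ranges from Table 304 (inclusive).
RANGES = {
    "acl": (2000, 4999),
    "customer-vlan-id": (1, 4094),
    "service-vlan-id": (1, 4094),
    "dot1p": (0, 7),
    "dscp": (0, 63),
    "ip-precedence": (0, 7),
}
# Keywords whose if-match rule may carry only one value at a time.
SINGLE_VALUE = {"customer-vlan-id", "dot1p", "dscp", "ip-precedence", "service-vlan-id"}


@dataclass
class MatchRule:
    keyword: str          # e.g. "acl", "dscp", "any", "source-mac"
    values: tuple = ()    # numeric values for the keywords in RANGES


@dataclass
class TrafficClass:
    name: str
    operator: str = "and"                        # default per Table 303
    rules: list = field(default_factory=list)    # list of MatchRule


@dataclass
class TrafficBehavior:
    name: str
    actions: dict = field(default_factory=dict)  # action keyword -> parameter


@dataclass
class QosPolicy:
    name: str
    bindings: list = field(default_factory=list)  # (class name, behavior name)


def check_class(cls):
    """Return the list of restriction violations for one class (empty = ok)."""
    errors = []
    if cls.operator not in ("and", "or"):
        errors.append(f"class {cls.name}: operator must be 'and' or 'or'")
    for rule in cls.rules:
        if rule.keyword in SINGLE_VALUE and len(rule.values) > 1:
            errors.append(f"class {cls.name}: if-match {rule.keyword} may carry only one value")
        lo, hi = RANGES.get(rule.keyword, (None, None))
        if lo is not None:
            for v in rule.values:
                if not lo <= v <= hi:
                    errors.append(f"class {cls.name}: {rule.keyword} value {v} outside {lo}-{hi}")
    acl_rules = sum(1 for r in cls.rules if r.keyword == "acl")
    if cls.operator == "and" and acl_rules > 1:
        errors.append(f"class {cls.name}: operator 'and' allows only one ACL rule, found {acl_rules}")
    return errors


def check_behavior(beh):
    """Return the list of restriction violations for one traffic behavior."""
    errors = []
    acts = beh.actions
    if "remark-dot1p" in acts and "remark-local-precedence" in acts:
        errors.append(f"behavior {beh.name}: remark dot1p and remark local-precedence cannot both be set")
    if acts.get("filter") == "deny":
        others = sorted(set(acts) - {"filter", "accounting"})
        if others:
            errors.append(f"behavior {beh.name}: filter deny cannot be combined with {', '.join(others)}")
    dscp = acts.get("remark-dscp")
    if dscp is not None and not 0 <= dscp <= 63:
        errors.append(f"behavior {beh.name}: remark dscp value {dscp} outside 0-63")
    return errors


def check_policy(policy, classes, behaviors):
    """Check every class-to-behavior binding of a policy; unknown names are errors too."""
    errors = []
    for cname, bname in policy.bindings:
        if cname not in classes:
            errors.append(f"policy {policy.name}: class {cname} is not defined")
        else:
            errors += check_class(classes[cname])
        if bname not in behaviors:
            errors.append(f"policy {policy.name}: behavior {bname} is not defined")
        else:
            errors += check_behavior(behaviors[bname])
    return errors


def guide_example():
    """The chapter's own example: class test (ip-precedence 6), behavior test (car cir 6400)."""
    classes = {"test": TrafficClass("test", rules=[MatchRule("ip-precedence", (6,))])}
    behaviors = {"test": TrafficBehavior("test", {"car": {"cir": 6400}})}
    policy = QosPolicy("test", [("test", "test")])
    return check_policy(policy, classes, behaviors)


if __name__ == "__main__":
    print("guide example:", guide_example() or "ok")
    bad = TrafficClass("bad", "and", [MatchRule("acl", (2000,)), MatchRule("acl", (5000,)),
                                      MatchRule("dscp", (10, 20))])
    for e in check_class(bad):
        print(e)
```

Running the check over a configuration before it is pushed turns a silent apply failure on the switch into a list of named violations; the same structure can be extended with further device-specific limits as they are documented.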

Table 305 Define a traffic behavior

Enter system view
  Command: system-view
  Remarks: —

Define a traffic behavior and enter traffic behavior view
  Command: traffic behavior behavior-name
  Remarks: Required. behavior-name: Traffic behavior name

Configure the actions of the traffic behavior (required; configure the actions the traffic behavior needs):

  Configure the accounting action
    Command: accounting

  Configure traffic policing (TP)
    Command: car cir committed-information-rate [ cbs committed-burst-size ] [ red action ]

  Configure the traffic filtering action
    Command: filter { deny | permit }

  Configure the traffic mirroring action
    Command: mirror-to interface interface-type interface-number

  Configure the traffic redirect action
    Command: redirect interface interface-type interface-number

  Mark the 802.1p priority of the packet
    Command: remark dot1p dot1p

  Mark the DSCP precedence of the packet
    Command: remark dscp dscp-value

  Mark the IP precedence of the packet
    Command: remark ip-precedence ip-precedence-value

  Mark the local precedence of the packet
    Command: remark local-precedence local-precedence

Display the traffic behavior information
  Command: display traffic behavior user-defined [ behavior-name ]
  Remarks: Optional. You can execute the display command in any view.


■ When you configure the car action or accounting action in the traffic behavior, each rule defined in the traffic classification carries out the action separately, rather than all the rules sharing one instance of the action. For example, if CAR is set to 64 kbps and the traffic classification includes 10 rules, 64 kbps is the CAR for the packets matching each rule, not the total CAR for the packets matching all ten rules.

■ After traffic mirroring, packets do not go through port mirroring; that is, if you configure the destination port of traffic mirroring as the source port of a port mirroring group, the destination port of the port mirroring group does not receive the packets mirrored by traffic mirroring.

■ When the ingress port of the packets (which belongs to the VLAN according to the VLAN policy) is configured as the source port of both traffic mirroring and a port mirroring group at the same time, the port mirroring configuration is overridden by the traffic mirroring configuration: the packets matching the rule are mirrored to the destination port of traffic mirroring, whereas the packets that do not match the rule are mirrored to the destination port of the port mirroring group.

■ Multiple STP instances may exist before redirection is configured. If the home VLAN of the source port for redirection and the home VLAN of the destination port for redirection belong to different instances, redirection fails: the packet is dropped and is not forwarded on any port.
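The red action described above Table 305 (discard, pass or remark-dscp-pass for packets exceeding the committed rate) and the first note in this list (each classification rule gets its own CAR meter) both follow from the token-bucket model behind car cir [cbs]; the qos lr command in the LR chapter uses the same cir/cbs pair. The Python below is an added illustration, not switch firmware: a single-rate bucket, the three red actions, and a constructed load of 10 rules sending 1000-byte packets every 50 ms through either 10 per-rule meters or one shared meter. TokenBucket, apply_car and simulate are hypothetical names, and cbs 8000 bytes is an assumption (the guide gives no default).

```python
"""Token-bucket model of the car action: car cir <kbps> [cbs <bytes>] [red <action>].

Added illustration, not switch firmware: TokenBucket, apply_car and simulate
are hypothetical names. cbs 8000 bytes and the traffic pattern are constructed
assumptions; the guide does not give a default cbs."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Single-rate bucket. cir in kbit/s equals bit/ms, so integer millisecond
    timestamps keep the arithmetic exact (no float rounding at the boundary)."""
    cir_kbps: int
    cbs_bytes: int
    tokens_bits: int = -1
    last_ms: int = 0

    def __post_init__(self):
        if self.tokens_bits < 0:
            self.tokens_bits = self.cbs_bytes * 8   # bucket starts full

    def conforms(self, size_bytes, now_ms):
        """Refill for the elapsed time, then try to pay for the packet."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = max(self.last_ms, now_ms)
        self.tokens_bits = min(self.cbs_bytes * 8, self.tokens_bits + elapsed * self.cir_kbps)
        need = size_bytes * 8
        if self.tokens_bits >= need:
            self.tokens_bits -= need
            return True
        return False


def apply_car(bucket, pkt, now_ms, red_action="discard", new_dscp=None):
    """Return (verdict, packet). Conforming packets pass unchanged; the red
    action decides what happens to non-conforming ones."""
    if bucket.conforms(pkt["size"], now_ms):
        return "pass", pkt
    if red_action == "discard":
        return "discard", None
    if red_action == "pass":
        return "pass", pkt
    if red_action == "remark-dscp-pass":
        if new_dscp is None or not 0 <= new_dscp <= 63:
            raise ValueError("remark-dscp-pass needs a DSCP value in 0-63")
        return "pass", dict(pkt, dscp=new_dscp)
    raise ValueError(f"unknown red action {red_action!r}")


def simulate(per_rule, rules=10, pkts_per_rule=20, interval_ms=50,
             size_bytes=1000, cir_kbps=64, cbs_bytes=8000):
    """Constructed load: every interval each of the rules sends one packet.
    per_rule=True models the switch behaviour described in the guide (one CAR
    meter per classification rule); per_rule=False models a single shared meter."""
    if per_rule:
        buckets = [TokenBucket(cir_kbps, cbs_bytes) for _ in range(rules)]
    else:
        shared = TokenBucket(cir_kbps, cbs_bytes)
        buckets = [shared] * rules
    counts = {"pass": 0, "discard": 0}
    for k in range(pkts_per_rule):
        now = k * interval_ms
        for r in range(rules):
            pkt = {"rule": r, "size": size_bytes, "dscp": 0}
            verdict, _ = apply_car(buckets[r], pkt, now, red_action="discard")
            counts[verdict] += 1
    return counts


if __name__ == "__main__":
    print("per-rule meters:", simulate(True))
    print("one shared meter:", simulate(False))
```

With the constructed load the per-rule meters let through ten times as many packets as one shared meter would, which is exactly the capacity-planning point of the note: a 64 kbps CAR on a ten-rule class admits up to ten times 64 kbps in total.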

Configuration example

1 Network requirements

Configure a traffic behavior named “test”, enable TP, and set committed information rate (CIR) to 6,400 kbps.

2 Configuration procedure

a Enter system view.

<3Com> system-view

b Define a traffic behavior and enter traffic behavior view.

[3Com] traffic behavior test

c Configure the traffic policing action.

[3Com-behavior-test] car cir 6400

Configuring a Policy

A policy defines the traffic-behavior-to-class mappings in the policy. Each traffic behavior consists of a group of QoS actions.

Configuration procedure

Table 306 Specify the traffic behavior for a class in the policy

Enter system view
  Command: system-view
  Remarks: —

Define a policy and enter policy view
  Command: qos policy policy-name
  Remarks: —

Specify the traffic behavior for a class in the policy
  Command: classifier tcl-name behavior behavior-name
  Remarks: Required. tcl-name: Class name. The class must be a defined class, either system-defined or user-defined. behavior-name: Traffic behavior name. The traffic behavior must be a defined traffic behavior, either system-defined or user-defined.

Display the configuration information of the specified classes in the specified policy and the configuration information of traffic behaviors associated with these classes
  Command: display qos policy user-defined [ policy-name ] [ classifier tcl-name ]
  Remarks: Optional. You can execute the display command in any view.

Applying a Policy

Use the qos apply policy command to map a policy to the specified port. A policy mapping can be applied to multiple ports or port groups.

Configuration procedure

Table 307 Apply a policy on the port

Enter system view
  Command: system-view
  Remarks: —

Enter port view or port group view: one of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, the following configuration takes effect on all the ports in the port group.

  Enter port view
    Command: interface interface-type interface-number

  Enter port group view
    Command: port-group { manual port-group-name | aggregation agg-id }

Apply the associated policy
  Command: qos apply policy policy-name inbound
  Remarks: Required

Display the configuration information and running status of the policy on the specified port or all the ports
  Command: display qos policy interface [ interface-type interface-number ] [ inbound ]
  Remarks: Optional. You can execute the display command in any view.

Display the configuration information of the specified class or all classes in the specified policy or all policies and the configuration information of the behavior(s) associated with the class(es)
  Command: display qos policy user-defined [ policy-name ] [ classifier tcl-name ]
  Remarks: Optional. You can execute the display command in any view.


CAUTION: When the configured policy is applied to a port group, if the car or accounting action is not included in the user-defined traffic behavior, the policy of multiple ports occupies only one share of hardware resource, that is, resource multiplexing is implemented. If the car action or accounting action is included in the user-defined traffic behavior, the policy will occupy n shares of hardware resources, where n is the number of ports in the port group.

Configuration example

1 Network requirements

Configure a policy named “test”. Specify the traffic behavior test_behavior for the packets belonging to the class test_class in the policy, and apply the policy in the inbound direction of GigabitEthernet1/0/1.

2 Configuration procedure

a Enter system view.

<3Com> system-view

b Define the policy and enter policy view.

[3Com] qos policy test

c Specify the traffic behavior for the class.

[3Com-qospolicy-test] classifier test_class behavior test_behavior
[3Com-qospolicy-test] quit

d Enter Ethernet port view.

[3Com] interface GigabitEthernet 1/0/1

e Apply the policy on the interface.

[3Com-GigabitEthernet1/0/1] qos apply policy test inbound

Displaying QoS Policy

After finishing the configurations mentioned above, you can execute the display command in any view to check the running status of QoS Policy to verify the configuration.


Table 308 Display QoS Policy

Display the configuration information of the specified class or all classes in the specified policy or all policies and the configuration information of the behavior associated with the class or all classes
  Command: display qos policy user-defined [ policy-name [ classifier tcl-name ] ]

Display the configuration information and running status of the policy on the specified port or all ports
  Command: display qos policy interface [ interface-type interface-number ] [ inbound ]

Display the configured traffic behavior information
  Command: display traffic behavior user-defined [ behavior-name ]

Display the configured class information
  Command: display traffic classifier user-defined [ tcl-name ]

You can execute the display commands in any view.


45 CONGESTION MANAGEMENT

Overview

When the rate at which packets arrive at an interface is higher than the rate at which they are transmitted, congestion occurs on that interface. If there is not enough storage space to buffer these packets, some of them are lost. Packet loss may cause the transmitting device to retransmit the packets when the lost packets time out, which creates a vicious cycle.

The core of congestion management is how to schedule the resources and determine the sequence of forwarding packets when congestion occurs.

Congestion Management Policy

Queuing technology is generally adopted to solve the congestion problem. Queuing technology classifies traffic into queues and then uses a specified queue-scheduling algorithm to decide the order in which the queues are served. Each queuing algorithm is designed to solve specific network traffic problems and affects parameters such as bandwidth allocation, delay and delay jitter.

The following paragraphs describe strict-priority (SP) queue-scheduling algorithm, and weighted round robin (WRR) queue-scheduling algorithm.

1 SP queue-scheduling algorithm

Figure 124 Diagram for SP queues

The SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service during congestion in order to reduce the response delay. Assume that there are four output queues on the port, classified into four classes: high queue, middle queue, normal queue and bottom queue (namely, queue 3, queue 2, queue 1 and queue 0). Their priority levels decrease in that order.

(Figure 124 labels: packets sent via this interface are classified into the high queue, middle queue, normal queue and bottom queue; the sending queue dequeues them and the packets are sent.)


During queue scheduling, the SP algorithm sends packets in higher-priority queues strictly following the high-to-low priority order. When the queues with higher priority levels are empty, packets in the queues with lower priority levels are sent. You can put packets of critical service into the queues with higher priority levels and put packets of non-critical services (such as E-mail) into the queues with lower priority levels, so that packets of critical services are sent in priority and packets of non-critical services are sent when packets of critical services are not sent.

SP queue-scheduling algorithm does have its disadvantage: if packets exist for a long time in the queues with higher priority levels during congestion, the packets in the queues with lower priority levels will be “starved to death” because they are not served.

2 WRR queue-scheduling algorithm

A port of the switch supports eight outbound queues. The WRR queue-scheduling algorithm schedules all the queues in turn to ensure that every queue is assigned a certain service time. Assume there are eight priority queues on the port. The eight weight values (namely, w7, w6, w5, w4, w3, w2, w1 and w0), indicating the proportion of assigned resources, are assigned to the eight queues respectively. On a 100M port, you can configure the weight values of the WRR queue-scheduling algorithm to 50, 30, 10, 10, 50, 30, 10 and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1 and w0 respectively). In this way, the queue with the lowest priority is assured of at least 5 Mbps of bandwidth, thus avoiding the disadvantage of the SP queue-scheduling algorithm that packets in low-priority queues may not be served for a long time. Another advantage of the WRR queue-scheduling algorithm is that, although the queues are scheduled in turn, the service time for each queue is not fixed; that is, if a queue is empty, the next queue is scheduled immediately. In this way, the bandwidth resources are fully utilized.

The 3Com Switch 4500G Switches support the following three queue scheduling algorithms:

■ All the queues are scheduled through the SP algorithm.

■ All the queues are scheduled through the WRR algorithm.

■ Some queues are scheduled through the SP algorithm, while other queues are scheduled through the WRR algorithm.
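The three modes listed here, and the SP+WRR description later in this chapter (SP group served first, WRR group (group 1) served round robin by weight, empty queues skipped at once), can be run side by side to see the starvation the SP paragraph warns about and the guaranteed share WRR gives. The Python below is an added example, not switch code: SpWrrScheduler and run are hypothetical names; the scenarios use the guide's 100M-port weights and its SP+WRR example (queues 0 and 1 in the SP group; queues 2, 3 and 4 weighted 2, 7 and 10), and the weight 1 assumed for queues not given one is a constructed assumption.

```python
"""Simulation of the three queue-scheduling modes: SP, WRR and SP+WRR.

Added illustration, not switch code: SpWrrScheduler and run are hypothetical
names. Queues are numbered 0-7 with 7 the highest priority, as in the guide;
the default weight 1 for queues not given one is an assumption."""
from collections import deque


class SpWrrScheduler:
    """Queues in sp_group are served strictly by descending queue id; the
    rest form the WRR group (group 1) and are served round robin, each getting
    up to weight[q] packets per turn. An empty queue is skipped immediately."""

    def __init__(self, queues, weights, sp_group):
        self.queues = queues
        self.weights = weights
        self.sp_group = sorted(sp_group, reverse=True)
        self.wrr_order = [q for q in range(len(queues) - 1, -1, -1) if q not in sp_group]
        self.pos = 0
        self.credit = weights.get(self.wrr_order[0], 1) if self.wrr_order else 0

    def _advance(self):
        self.pos = (self.pos + 1) % len(self.wrr_order)
        self.credit = self.weights.get(self.wrr_order[self.pos], 1)

    def next_packet(self):
        """Pick the next packet to transmit, or None when every queue is empty."""
        for q in self.sp_group:                 # SP group always wins
            if self.queues[q]:
                return q, self.queues[q].popleft()
        for _ in range(len(self.wrr_order)):    # at most one lap over WRR queues
            q = self.wrr_order[self.pos]
            if self.queues[q] and self.credit > 0:
                self.credit -= 1
                pkt = self.queues[q].popleft()
                if self.credit == 0:
                    self._advance()
                return q, pkt
            self._advance()
        return None


def run(backlog, weights, sp_group, slots):
    """backlog: {queue id: packets waiting}. Returns packets sent per queue
    in the given number of transmit slots (one packet per slot)."""
    queues = [deque(f"q{q}-{i}" for i in range(backlog.get(q, 0))) for q in range(8)]
    sched = SpWrrScheduler(queues, weights, set(sp_group))
    sent = {}
    for _ in range(slots):
        item = sched.next_packet()
        if item is None:
            break
        sent[item[0]] = sent.get(item[0], 0) + 1
    return sent


# Constructed scenarios: congested queues, 100 transmit slots each.
GUIDE_WEIGHTS = {7: 50, 6: 30, 5: 10, 4: 10, 3: 50, 2: 30, 1: 10, 0: 10}


def sp_demo():
    # All queues in the SP group: queue 0 is starved while queue 7 has traffic.
    return run({7: 100, 0: 100}, GUIDE_WEIGHTS, range(8), 100)


def wrr_demo():
    # All queues in the WRR group: queue 0 still gets its weighted share.
    return run({7: 100, 0: 100}, GUIDE_WEIGHTS, [], 100)


def sp_wrr_demo():
    # Guide's SP+WRR example: queues 0 and 1 in the SP group; 2, 3, 4 weighted 2, 7, 10.
    return run({0: 24, 2: 100, 3: 100, 4: 100}, {2: 2, 3: 7, 4: 10}, [0, 1], 100)


if __name__ == "__main__":
    print("SP     :", sp_demo())
    print("WRR    :", wrr_demo())
    print("SP+WRR :", sp_wrr_demo())
```

Under pure SP the low queue sends nothing for as long as the high queue is backlogged; under WRR the same two queues split the slots 90/10 according to their weights 50 and 10; under SP+WRR the SP queue drains first and the remaining slots are shared 10:7:2 among the weighted queues.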


Configuring SP Queue Scheduling

SP queues include multiple queues. They correspond to different priorities and are scheduled based on the priorities in descending order.

Configuration Procedure

Table 309 Configure SP queue scheduling

Enter system view
  Command: system-view
  Remarks: —

Enter port view or port group view: one of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, the following configuration takes effect on all the ports in the port group.

  Enter port view
    Command: interface interface-type interface-number

  Enter port group view
    Command: port-group { manual port-group-name | aggregation agg-id }

Configure SP queue-scheduling algorithm
  Command: qos sp
  Remarks: Required

Configuration Example

Network requirements

Configure GigabitEthernet1/0/1 to adopt the SP queue-scheduling algorithm.

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Configure GigabitEthernet1/0/1 to adopt the SP queue-scheduling algorithm.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos sp


Configuring WRR Queue Scheduling

By default, all ports adopt the WRR queue-scheduling algorithm. The queues which are not configured on the port adopt the default WRR priority.

Configuration Procedure

Table 310 Configure WRR queue scheduling

Enter system view
  Command: system-view
  Remarks: —

Enter port view or port group view: one of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, the following configuration takes effect on all the ports in the port group.

  Enter port view
    Command: interface interface-type interface-number

  Enter port group view
    Command: port-group { manual port-group-name | aggregation agg-id }

Enable the WRR queue scheduling on the port
  Command: qos wrr
  Remarks: Required

Configure WRR queue scheduling
  Command: qos wrr queue-id group 1 weight schedule-value
  Remarks: Required

Display the configuration of WRR queue scheduling
  Command: display qos wrr interface [ interface-type interface-number ]
  Remarks: Optional. You can execute the display command in any view.

Configuration Example

1 Network requirements

■ Configure queue 1, queue 3, queue 4 on GigabitEthernet1/0/1 to adopt the WRR queue-scheduling algorithm, with the weight value of 1, 5, and 10 respectively.

■ Configure queue 5 and queue 6 on GigabitEthernet1/0/1 to adopt the WRR queue-scheduling algorithm, with the weight value of 2 and 10 respectively.

2 Configuration procedure

a Enter system view.

<3Com> system-view

b Configure WRR queues on GigabitEthernet1/0/1.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 1 group 1 weight 1
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 5
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10
[3Com-GigabitEthernet1/0/1] qos wrr 5 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 6 group 1 weight 10


Configuring SP+WRR Queue Scheduling

As required, you can configure some of the queues on a port to adopt the SP queue-scheduling algorithm and the others to adopt the WRR queue-scheduling algorithm. SP+WRR queue scheduling is implemented by adding each queue on the port to either the SP scheduling group or the WRR scheduling group (namely, group 1). During queue scheduling, the queues in the SP scheduling group are scheduled preferentially. Only when no packet is waiting in the queues of the SP scheduling group are the queues in the WRR scheduling group scheduled. The queues in the SP scheduling group are scheduled according to the strict priority of each queue, while the queues in the WRR scheduling group are scheduled according to the weight value of each queue.

Configuration Procedure

Table 311 Configure the SP+WRR queue scheduling

Enter system view
  Command: system-view
  Remarks: —

Enter port view or port group view: one of them is required. In Ethernet port view, the following configuration takes effect only on the current port. In port group view, the following configuration takes effect on all the ports in the port group.

  Enter port view
    Command: interface interface-type interface-number

  Enter port group view
    Command: port-group { manual port-group-name | aggregation agg-id }

Enable the WRR queue-scheduling on the port
  Command: qos wrr
  Remarks: Required

Configure SP queue scheduling
  Command: qos wrr queue-id group sp
  Remarks: Required

Configure WRR queue scheduling
  Command: qos wrr queue-id group 1 weight schedule-value
  Remarks: Required

Display the configuration of WRR queue scheduling
  Command: display qos wrr interface [ interface-type interface-number ]
  Remarks: Optional. You can execute the display command in any view.

Configuration Example

Network requirements

■ SP+WRR queue scheduling algorithm is adopted on GigabitEthernet1/0/1.

■ Queue 0 and queue 1 on GigabitEthernet1/0/1 belong to the SP scheduling group.

■ Queue 2, queue 3 and queue 4 on GigabitEthernet1/0/1 belong to the WRR scheduling group, with the weight value of 2, 7 and 10 respectively. Other queues are scheduled by the WRR queue-scheduling algorithm according to the default weight values.

Configuration procedure

1 Enter system view.

<3Com> system-view

2 Configure the queues on GigabitEthernet1/0/1 to adopt the SP+WRR queue-scheduling algorithm.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 0 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 1 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 2 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 7
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10


46 PRIORITY MAPPING

Overview

When a packet enters the switch, the switch assigns a series of parameters (including 802.1p priority, local precedence and so on) to it according to the precedence types that the switch supports and the corresponding rules. The local precedence is the precedence the switch assigns to the packet locally; it corresponds to the outbound queue ID on the port.

The Switch 4500G switches always trust the packet priority instead of port priority. For tagged packets, the switch performs dot1p-to-lp mapping according to the 802.1p priority carried in the tags; for untagged packets, all the packets are tagged with 802.1p priority after they enter the switch. The 802.1p priority is the port priority, according to which the dot1p-to-lp mapping is performed.

The switch provides the dot1p-to-lp mapping table, as shown in Table 312.

The 3Com Switch 4500G Switches do not support editing dot1p-to-lp (802.1p priority-to-local priority) mapping table.

Table 312 The default dot1p-to-lp mapping

802.1p priority (dot1p) -> Local precedence (LP)

0 -> 2
1 -> 0
2 -> 1
3 -> 3
4 -> 4
5 -> 5
6 -> 6
7 -> 7


Configuring Port Priority

An untagged packet is tagged after it enters the switch. Its 802.1p priority is port priority. You can assign the packet to different outbound queues on the port according to the port priority to be set. The port priority is in the range of 0 to 7.

The port priority takes effect only on untagged packets instead of tagged packets.

Configuration Prerequisites

The port priority of each port is specified.

Configuration Procedure

Table 313 Configure port priority

Enter system view
  Command: system-view
  Remarks: —

Enter the corresponding Ethernet port view
  Command: interface interface-type interface-number
  Remarks: —

Configure port priority
  Command: qos priority priority-value
  Remarks: Required. By default, the port priority is 10.

Configuration Example

Network requirements

■ Department 1 and department 2 of the company are interconnected through Ethernet switches.

■ The switch generates different local precedence values for the packets from department 1 and department 2 through mapping according to the priorities of the access ports.

Network diagram

Figure 125 Network diagram for port priority

(Figure 125 labels: Department 1 on GE1/0/1 and Department 2 on GE1/0/2 of the Switch; the Switch connects to the router.)


Configuration procedure

1 Enter system view.

<3Com> system-view

2 Configure the port priority of GigabitEthernet1/0/1 to 3, and map the priorities of packets from department 1 to local precedence 3.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos priority 3

3 Configure the port priority of GigabitEthernet1/0/2 to 7, and map the priorities of packets from department 2 to local precedence 7.

[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] qos priority 7

Displaying Priority Mapping Table

Use the display qos map-table command to display the detailed configuration information of a priority mapping table.

Table 314 Display and debug a priority mapping table

Display the detailed information of the specified priority mapping table
  Command: display qos map-table [ dot1p-lp ]
  Remarks: You can execute the display command in any view.


47 VLAN POLICY CONFIGURATION

Overview

QoS policies support the following application modes:

■ Port-based application: QoS policies are effective for inbound packets on a port.

■ VLAN-based application: QoS policies are effective for inbound traffic on a VLAN.

VLAN-based QoS policies are also known as VLAN policies for short. VLAN policies can facilitate the application and management of QoS policies on the switch.

VLAN policies are not effective on dynamic VLANs and are not applied to them. For example, the device may create VLANs dynamically when the GVRP protocol is running; the corresponding VLAN policies are not effective on those dynamic VLANs.

Applying VLAN Policies

Configuration Prerequisites

■ VLAN policies have been configured. Refer to Chapter 2 QoS Policy Configuration for how to define policies.

■ The VLAN to which VLAN policies are applied is specified.

Configuration Procedure

Table 315 Apply VLAN policies

Enter system view
  Command: system-view
  Remarks: —

Apply VLAN policies to the specified VLAN
  Command: qos vlan-policy policy-name vlan vlan-id-list inbound
  Remarks: Required. vlan-id-list: VLAN ID list in the form of vlan-id to vlan-id. You can enter multiple discontinuous VLAN IDs. The device allows you to specify up to eight VLAN IDs at the same time.

Display information about VLAN policies
  Command: display qos vlan-policy { name policy-name | vlan [ vlan-id ] }
  Remarks: Optional. You can execute the display command in any view. name policy-name: Displays the information about the VLAN policy with the specified name. vlan vlan-id: Displays the VLAN policy applied to the specified VLAN.


Displaying and Maintaining VLAN Policy

After the configuration above, you can execute the display command in any view to display the running status of VLAN policy and verify the configuration.

You can execute the reset command in user view to clear the statistics about VLAN policies.

VLAN Policy Configuration Example

Network Requirements

■ Configure a VLAN policy named test to perform TP for packets matching ACL 2000, with a CIR of 64 kbps.

■ Apply the VLAN policy named test to the inbound direction of VLAN 200, VLAN 300, VLAN 400, VLAN 500, VLAN 600, VLAN 700, VLAN 800 and VLAN 900.

Configuration Procedure

<3Com> system-view
[3Com] traffic classifier cl1 operator or
[3Com-classifier-cl1] if-match acl 2000
[3Com-classifier-cl1] quit
[3Com] traffic behavior be1
[3Com-behavior-be1] car cir 64
[3Com-behavior-be1] quit
[3Com] qos policy test
[3Com-qospolicy-test] classifier cl1 behavior be1
[3Com-qospolicy-test] quit
[3Com] qos vlan-policy test vlan 200 300 400 500 600 700 800 900 inbound

Table 316 Display and maintain VLAN policy

Display VLAN policy information
  Command: display qos vlan-policy { name policy-name | vlan [ vlan-id ] }

Clear the statistics about VLAN policies
  Command: reset qos vlan-policy [ vlan vlan-id ]


48 TRAFFIC MIRRORING CONFIGURATION

Overview

Traffic mirroring replicates the specified packets to the specified destination. It is generally used for testing and troubleshooting the network.

Depending on different types of mirroring destinations, there are three types of traffic mirroring:

■ Mirroring to port: The desired traffic on a mirrored port is replicated and sent to a destination port (that is, a mirroring port).

■ Mirroring to CPU: The desired traffic on a mirrored port is replicated and sent to the CPU on the board of the port for further analysis.

■ Mirroring to VLAN: The desired traffic on a mirrored port is replicated and sent to a VLAN, where the traffic is broadcast and all the ports (if available) in the VLAN will receive the traffic. If the destination VLAN does not exist, you can still configure the function, and the function will automatically take effect after the VLAN is created and a port is added to it.

Currently, the 3Com Switch 4500G Switches only support traffic mirroring to port.

Configuring Traffic Mirroring to Port

Before you can configure traffic mirroring, you should first enter the traffic behavior view of an existing traffic behavior.

Table 317 Configure traffic mirroring to port

Enter system view
  Command: system-view
  Remarks: —

Enter traffic behavior view
  Command: traffic behavior behavior-name
  Remarks: Required

Configure a destination mirroring port for the traffic behavior
  Command: mirror-to interface interface-type interface-number
  Remarks: Required


Displaying Traffic Mirroring Configuration

After the above configuration, you can execute the display command in any view to display the operation status of traffic mirroring and verify your configuration.

Table 318 Display traffic mirroring configuration

To do… Use the command Remarks

Display the configuration information of one or all user-defined traffic behaviors: display traffic behavior user-defined [ behavior-name ] (You can execute the display command in any view.)

Display the configuration information of one or all user-defined QoS policies: display qos policy user-defined [ policy-name ] (You can execute the display command in any view.)

Traffic Mirroring Configuration Example

Network Requirements

The network connection is as follows:

■ PC A is connected to GigabitEthernet 1/0/1 on Switch A.

■ The server is connected to GigabitEthernet 1/0/2 on Switch A.

You must use the server to monitor and analyze all the packets from PC A.

Network Diagram

Figure 126 Network diagram for traffic mirroring to port (figure not reproduced; labels in the figure: Switch A, PC A, PC B, Server, GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/3)


Configuration Procedure

Configure Switch A:

a Enter system view.

<3Com> system-view

b Configure ACL 2000 to permit all packets.

[3Com] acl number 2000
[3Com-acl-basic-2000] rule 1 permit
[3Com-acl-basic-2000] quit

c Configure a traffic classification rule to use ACL 2000 for traffic classification.

[3Com] traffic classifier 1
[3Com-classifier-1] if-match acl 2000
[3Com-classifier-1] quit

d Configure a traffic behavior to define the action of mirroring traffic to GigabitEthernet 1/0/2.

[3Com] traffic behavior 1
[3Com-behavior-1] mirror-to interface GigabitEthernet 1/0/2
[3Com-behavior-1] quit

e Configure a QoS policy to adopt traffic behavior 1 for traffic classification rule 1.

[3Com] qos policy 1
[3Com-policy-1] classifier 1 behavior 1
[3Com-policy-1] quit

f Apply the QoS policy to the inbound direction of GigabitEthernet 1/0/1.

[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos apply policy 1 inbound

After the above configuration, you can monitor and analyze all the packets from PC A on the server.


49 PORT MIRRORING CONFIGURATION

Introduction to Port Mirroring

Classification of Port Mirroring

There are two kinds of port mirroring: local port mirroring and remote port mirroring.

■ Local port mirroring copies packets at one or more ports (source ports) of a device to a monitor port (destination port) for analysis and monitoring. In this case, the source ports and the destination port are located on the same device.

■ Remote port mirroring removes the restriction that the source and destination ports must be located on the same device, and allows them to be spread across several network devices. At present, remote port mirroring can pass through up to 2 layers of network.

Implementing Port Mirroring

Port mirroring is implemented through mirroring groups, which include local mirroring groups, remote source mirroring groups and remote destination mirroring groups.

Port mirroring can be implemented as follows:

■ Local port mirroring is implemented through local mirroring groups. In this case, the device copies the packets from the mirroring ports and forwards them to the monitor port.

■ Remote port mirroring is implemented through remote source mirroring groups and remote destination mirroring groups. In this case, the device copies the packets from the mirroring ports and broadcasts them into the remote mirroring VLAN through the reflector port. When a remote device receives such a packet, it compares the packet's VLAN ID with the remote mirroring VLAN of its remote destination mirroring groups. If they are identical, the device forwards the packet to the monitor ports of those remote destination mirroring groups.

■ The mirroring group supports monitoring multiple mirroring ports by one monitor port.

Switch 4500G Switches only support local port mirroring.


Configuring Local Port Mirroring

Follow these steps to configure local port mirroring:

To do… Use the command Remarks

Enter system view: system-view

Create a local mirroring group: mirroring-group groupid local (Required)

Configure mirroring ports for the mirroring group, either in system view: mirroring-group groupid mirroring-port mirroring-port-list { inbound | outbound | both }; or in interface view: interface interface-type interface-number, then [ mirroring-group groupid ] mirroring-port { inbound | outbound | both }, then quit (One of the two is required. You can configure multiple mirroring ports at the same time in system view, or configure one mirroring port in a specific interface view.)

Configure the monitor port for the mirroring group, either in system view: mirroring-group groupid monitor-port monitor-port-id; or in interface view: interface interface-type interface-number, then [ mirroring-group groupid ] monitor-port (One of the two is required. The two ways of configuration are equivalent.)

Display the configuration information of the local mirroring group: display mirroring-group { groupid | local } (Optional. The display command can be used in any view.)

Note the following restrictions:

■ It is recommended not to enable STP, MSTP or RSTP on the destination port.

■ Do not enable MSTP or RSTP on a monitor port, and do not configure a port on which MSTP or RSTP is enabled as a monitor port; otherwise the device's normal functions will be affected.

■ A monitor port cannot be a member port of the current mirroring group or a trunk port.

■ You can configure multiple mirroring ports for a mirroring group, but only one monitor port.

■ A port can be configured under one mirroring group only.

Displaying Port Mirroring

Follow these steps to display and maintain port mirroring:

Table 319 Displaying Port Mirroring

To do… Use the command…

Display the configuration information of a port mirroring group: display mirroring-group { groupid | local }


Examples of Typical Port Mirroring Configuration

Network requirements

The user’s network is described as follows:

■ Department 1 is connected to Switch C through port GigabitEthernet1/0/1.

■ Department 2 is connected to Switch C through port GigabitEthernet1/0/2.

■ The Server is connected to Switch C through port GigabitEthernet1/0/3.

The requirement is to monitor the packets of Department 1 and Department 2 on the Server.

To meet this requirement with local port mirroring, perform the following configuration on Switch C:

■ Configure GigabitEthernet1/0/1 and GigabitEthernet1/0/2 as the mirroring ports.

■ Configure GigabitEthernet1/0/3, the port connected to the Server, as the monitor port.

Network diagram

Figure 127 Configuring Local Port Mirroring Network Diagram

Configuration procedure

Configuring Switch C:

1 Enter system view.

<3Com> system-view

2 Create local mirroring group

[3Com] mirroring-group 1 local

3 Configure mirroring and monitor ports for local mirroring group.

[3Com] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 to GigabitEthernet 1/0/2 both
[3Com] mirroring-group 1 monitor-port GigabitEthernet 1/0/3

(Figure 127 not reproduced; labels in the figure: Switch A, Switch B, Switch C, Department 1, Department 2, Server, GEthernet1/0/1, GEthernet1/0/2, GEthernet1/0/3.)


4 Display configuration information of mirroring group 1.

[3Com] display mirroring-group 1
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/1 both
        GigabitEthernet1/0/2 both
    monitor port: GigabitEthernet1/0/3

After finishing the configuration, the user can monitor all the packets received and sent by Department 1 and Department 2 on the Server.
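The restrictions listed under "Configuring Local Port Mirroring" (one monitor port per group, the monitor port must not be a member port of its own group or a trunk port, a port in only one group) can be checked mechanically against the output of display mirroring-group. The following is an added example, not 3Com code: it parses output laid out as in step 4 above and reports violations. The sample output is constructed (group 1 is the Switch C configuration, group 2 is deliberately wrong), and the set of trunk ports is supplied by the caller, since the display output does not show link types.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of 'display mirroring-group'. Group 1 mirrors the
# Switch C example; group 2 is deliberately misconfigured so the checker has work to do.
SAMPLE_OUTPUT = """\
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/1 both
        GigabitEthernet1/0/2 both
    monitor port: GigabitEthernet1/0/3
mirroring-group 2:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/3 inbound
    monitor port: GigabitEthernet1/0/3
"""

GROUP_RE = re.compile(r"^mirroring-group (\d+):")
PORT_RE = re.compile(r"^(\S+)\s+(inbound|outbound|both)$")


@dataclass
class MirroringGroup:
    group_id: int
    group_type: str = ""
    status: str = ""
    mirroring_ports: dict = field(default_factory=dict)  # port -> direction
    monitor_ports: list = field(default_factory=list)


def parse_mirroring_groups(text):
    """Turn display output into MirroringGroup objects, one per 'mirroring-group N:' block."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current = MirroringGroup(int(m.group(1)))
            groups.append(current)
            continue
        if current is None:
            continue
        key, _, rest = line.partition(":")
        if key == "type":
            current.group_type = rest.strip()
        elif key == "status":
            current.status = rest.strip()
        elif key == "monitor port":
            current.monitor_ports.append(rest.strip())
        elif key == "mirroring port":
            tokens = rest.split()  # ports may follow on the same line or on later lines
            for port, direction in zip(tokens[0::2], tokens[1::2]):
                current.mirroring_ports[port] = direction
        else:
            pm = PORT_RE.match(line)
            if pm:
                current.mirroring_ports[pm.group(1)] = pm.group(2)
    return groups


def check_restrictions(groups, trunk_ports=frozenset()):
    """Return a list of rule violations; an empty list means the groups obey the rules."""
    problems, owner = [], {}  # owner: port -> first group it was seen in
    for g in groups:
        if len(g.monitor_ports) != 1:
            problems.append(f"group {g.group_id}: expected one monitor port, found {len(g.monitor_ports)}")
        for mon in g.monitor_ports:
            if mon in g.mirroring_ports:
                problems.append(f"group {g.group_id}: monitor port {mon} is also a mirroring port of the group")
            if mon in trunk_ports:
                problems.append(f"group {g.group_id}: monitor port {mon} is a trunk port")
        for port in sorted(set(g.mirroring_ports) | set(g.monitor_ports)):
            if port in owner and owner[port] != g.group_id:
                problems.append(f"port {port} is configured in groups {owner[port]} and {g.group_id}")
            owner.setdefault(port, g.group_id)
    return problems


if __name__ == "__main__":
    for problem in check_restrictions(parse_mirroring_groups(SAMPLE_OUTPUT)):
        print(problem)
```

Because a monitor port receives a copy of every mirrored frame, the same checker is a convenient place to confirm that the monitor port is the one actually wired to the analysis server and nothing else, so mirrored traffic does not leak to an unintended host.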


50 GMP V2 CONFIGURATION

Introduction to GMP V2

Group Management Protocol (GMP) V2 is a communications protocol that enables a management process to manage proxy processes centrally and to control Layer 2 multicast/broadcast. It comprises a management process that manages multiple proxy processes at the same time, with GMP V2 running on the management process and on the proxy processes.

GMP V2 is therefore a Layer 2 protocol that enables the management of devices that have no Layer 3 protocol stack or are not configured with any IP address.

GMP V2 offers the following advantages:

■ The procedures to configure multiple switches are remarkably simplified. When the management device is assigned a public IP address, you can configure and manage a specific member device from the management device instead of logging into the member device first.

■ Topology discovery and display functions are provided, which assist network monitoring and debugging.

■ Software upgrades and parameter configuration can be performed simultaneously on multiple switches.

■ Free of topology and distance limitations.

■ Saves IP address resources.

Cluster Overview

By employing GMP V2, a network administrator can manage multiple switches using the public IP address of a switch known as the management device. The switches under the management of the management device are member devices. Normally, a cluster member device is not assigned a public IP address, and the network administrator manages and maintains member devices through the management device. The management device, together with the member devices, forms a cluster. Figure 128 shows a typical cluster implementation.


Figure 128 Typical cluster implementation

A cluster has one (and only one) management device. Note the following when creating a cluster:

■ You need to designate the management device first. The management device of a cluster is the portal of the cluster. That is, any operations performed in external networks and intended for the member devices of a cluster, such as accessing, configuring, managing, and monitoring, can be implemented through the management device only.

■ The management device of a cluster recognizes and controls all the member devices in the cluster, no matter where they are located on the network or how they are connected.

■ The management device collects topology information about all the member and candidate devices to provide useful information for users to build a cluster.

■ A management device manages and monitors the devices in the cluster by collecting and processing NDP (neighbor discovery protocol) and NTDP (neighbor topology discovery protocol) packets that carry network topology information.

Switch Roles in a Cluster

According to their functions and status in a cluster, switches in the cluster play different roles. You can specify the role a switch plays. A switch also changes its role according to specific rules.

The following three switch roles exist in a cluster: management device, member device, and candidate device.

(Figure 128 not reproduced; labels in the figure: Network, Network management device, Management device, Member device, Member device, Member device, Candidate device, Cluster; addresses shown: 69.110.1.1 and 69.110.1.100.)


Switch Role Changes in a Cluster

Figure 129 Rules for switch role changes

■ A cluster has one (and only one) management device. After a management device is designated, it collects NDP/NTDP information to discover and determine candidate devices, which can be then added to the cluster through manual configurations.

■ A candidate device becomes a member device after being added to a cluster.

■ A member device becomes a candidate device after being removed from the cluster.

Table 320 Switch roles in the cluster

Role Configuration Description

Management device. Configuration: configured with a public IP address. Description: receives the management commands that a user sends through the public network and processes them; provides management interfaces for all switches in the cluster; manages member devices by redirecting commands, that is, forwards the commands to the intended member devices for processing; provides neighbor discovery, topology information collection, cluster management and cluster state maintenance, and supports all types of FTP servers and SNMP host proxies.

Member device. Configuration: normally, a member device is not configured with a public IP address. Description: a member of the cluster; performs neighbor discovery, is managed by the management device, runs commands forwarded by proxies, and reports failures and logs.

Candidate device. Configuration: normally, a candidate device is not configured with a public IP address. Description: a switch that does not belong to any cluster, although it can be added to a cluster.

(Figure 129 not reproduced; it shows the roles Management device, Member device and Candidate device with these transition labels: "Joins the cluster"; "Removed from the cluster"; "Designated as management device"; "Cancels designation as management device"; "Designated as the new management device after the original one fails and the cluster is ungrouped"; "Designates another device as the new management device after the cluster is regrouped".)


Cluster Principle and Implementation

Procedure of building a cluster

■ Network neighbor discovery: NDP is used to discover information about the directly connected neighbor devices.

■ Network topology discovery: NTDP is used to collect information about the network topology, including device connections and candidate device information in the network. The hop range for topology discovery can be adjusted manually.

■ Member recognition: The management device recognizes each member in the cluster by locating it, and then distributes configuration and management commands to the members.

■ Member management: The following are handled through the management device: adding and removing members, member authentication on the management device, and the handshake interval.

Introduction to NDP

NDP is the protocol for discovering the information about the adjacent nodes. NDP operates on the data link layer, so it supports different network layer protocols.

NDP is used to discover the information about directly connected neighbors, including the device type, software/hardware version, and connecting port of the adjacent devices. It can also provide the information concerning device ID, port simplex/duplex status, product version, Bootrom version and so on.

An NDP-enabled device maintains an NDP information table. Each entry in an NDP table ages with time. You can also clear the current NDP information manually to have adjacent information collected again.

An NDP-enabled device broadcasts NDP packets regularly to all ports in up state. An NDP packet carries the holdtime field, which indicates the period for the receiving devices to keep the NDP data. Receiving devices only store the information carried in the received NDP packets rather than forward them. The corresponding data entry in the NDP table is updated when the received information is different from the existing one. Otherwise, only the holdtime of the corresponding entry is updated.
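The NDP table behaviour just described (entries keep the holdtime carried in the packet, an unchanged packet only refreshes the holdtime, a changed packet replaces the entry, and entries age out or can be cleared) is modelled below. This is an added example, not 3Com code: the NdpPacket fields are an assumed subset of the information the guide says NDP advertises, not the wire format, and the timer values used in the comments are the defaults from Table 323 (180 s aging, 60 s hello).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NdpPacket:
    """Assumed content of one NDP advertisement (a subset of what the guide lists)."""
    device_id: str
    device_type: str
    sw_version: str
    port: str          # the neighbour's connecting port
    holdtime: int      # seconds the receiver should keep this entry


@dataclass
class NdpEntry:
    info: NdpPacket
    expires_at: int        # absolute time at which the holdtime runs out
    content_updates: int = 0


class NdpTable:
    """Per-device neighbour table keyed by (local receiving port, neighbour device id)."""

    def __init__(self):
        self.entries = {}

    def receive(self, local_port, pkt, now):
        """Store or refresh the entry for a received packet; NDP packets are never forwarded.
        Returns 'new', 'refreshed' (same content, holdtime restarted) or 'updated'."""
        key = (local_port, pkt.device_id)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = NdpEntry(pkt, now + pkt.holdtime)
            return "new"
        # Compare everything except the holdtime itself: same content -> only the timer moves.
        if replace(entry.info, holdtime=pkt.holdtime) == pkt:
            entry.expires_at = now + pkt.holdtime
            return "refreshed"
        entry.info = pkt
        entry.expires_at = now + pkt.holdtime
        entry.content_updates += 1
        return "updated"

    def age(self, now):
        """Drop entries whose holdtime has elapsed; returns how many were removed."""
        expired = [k for k, e in self.entries.items() if e.expires_at <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def clear(self):
        """Manual clear, so that neighbour information is collected again from scratch."""
        self.entries.clear()

    def neighbors(self):
        return sorted(self.entries)


def hello_cycle(table, local_port, pkt, hello=60, stop_after=2):
    """Deliver the same advertisement every `hello` seconds `stop_after` times, then go
    silent; returns the time at which the entry is aged out (constructed scenario)."""
    t = 0
    for _ in range(stop_after + 1):
        table.receive(local_port, pkt, t)
        t += hello
    while table.age(t) == 0:
        t += 1
    return t
```

With the defaults, a neighbour that stops advertising after its last hello at t = 120 s is removed at t = 300 s (120 + 180), which is the window in which a stale neighbour can still appear in display output after a link change.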

Introduction to NTDP

NTDP is a protocol for network topology information collection. NTDP provides information about the devices that can be added to clusters and collects the topology information within the specified number of hops for cluster management.

Based on the NDP information table created by NDP, NTDP transmits and forwards NTDP topology collection request to collect the NDP information and neighboring connection information of each device in a specific network range for the management device or the network administrator to implement needed functions.

Upon detecting a change occurred on a neighbor, a member device informs the management device of the change through handshake packets. The management device then collects the specified topology information through NTDP. Such a mechanism enables topology changes to be tracked in time.


Handshake packets

Handshake packets are used primarily to maintain the states of the members in a cluster.

Figure 130 Cluster state machine

■ After a cluster is built, a member device initiates the handshake process and sends packets at the default interval of ten seconds. The management device also sends handshake packets to the member device at the default interval of ten seconds. The management device and member devices do not respond to the handshake packets they received but switch to or remain in the Active state.

■ If the management switch receives no handshake packet from a member switch for three consecutive times, it changes the state of the member device to Connect. Likewise, if a member device receives no handshake response packet from the management device for three consecutive times, the state of the member device changes from Active to Connect.

■ If the member device in the Connect state receives no handshake packet or management packet within the holdtime (60 seconds by default) that switches its state to Active, the member device changes to the Disconnect state, and the management device considers the member to be disconnected. A member device in the Active or Connect state is connected.

■ In addition, handshake packets are used to notify the management device of topology changes of neighboring devices.
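The member state machine described in the bullets above (handshakes every 10 s, three consecutive misses move a member from Active to Connect, and silence for the 60 s holdtime moves it to Disconnect) is simulated below. This is an added example, not 3Com code; the timer values are the guide's defaults, and two points the text leaves open are assumptions: the holdtime is counted from the last packet received, and a Disconnect member is not reactivated by a stray packet but must rejoin the cluster (as the "Configuring Cluster Parameters" section describes).

```python
HANDSHAKE_INTERVAL = 10   # seconds, guide default
MISSED_LIMIT = 3          # consecutive missed handshakes before Active -> Connect
HOLDTIME = 60             # seconds, guide default


class ClusterMember:
    """State of one member as tracked by its peer (management device or member)."""

    def __init__(self, now=0):
        self.state = "Active"
        self.last_heard = now

    def receive(self, now):
        """A handshake or management packet arrived. Returns False if ignored because the
        member is already Disconnect and must rejoin (assumption, see lead-in)."""
        if self.state == "Disconnect":
            return False
        self.last_heard = now
        self.state = "Active"
        return True

    def rejoin(self, now):
        """The member was added to the cluster again after communication recovered."""
        self.state = "Active"
        self.last_heard = now

    def evaluate(self, now):
        """Apply the timer rules at time `now` and return the resulting state."""
        silent = now - self.last_heard
        if silent >= HOLDTIME:
            self.state = "Disconnect"
        elif silent >= MISSED_LIMIT * HANDSHAKE_INTERVAL:
            self.state = "Connect"
        return self.state

    def connected(self):
        """Active and Connect both count as connected; only Disconnect does not."""
        return self.state in ("Active", "Connect")


def simulate(arrivals, end):
    """Step the handshake timer from 0 to `end`, delivering constructed packet arrival
    times from `arrivals`; returns {time: state} for every tick."""
    member = ClusterMember(0)
    pending = sorted(arrivals)
    trace = {}
    for t in range(0, end + 1, HANDSHAKE_INTERVAL):
        while pending and pending[0] <= t:
            member.receive(pending.pop(0))
        trace[t] = member.evaluate(t)
    return trace


if __name__ == "__main__":
    for t, state in simulate([0, 10, 20, 90], 100).items():
        print(f"t={t:3d}s  {state}")
```

The trace shows why a link flap shorter than 30 s is invisible to the cluster, a 30 to 60 s outage is reported as Connect and recovers on the next packet, and anything longer forces a rejoin; that is the window to reason about when correlating cluster state changes with other monitoring.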

Management VLAN

No device connected through a port that does not belong to the management VLAN can join the cluster. Therefore, if the management device and the candidate devices belong to different management VLANs, the management VLAN of the candidate devices needs to be modified through auto-negotiation. In this case, the candidate devices must ensure that the management VLAN exists. If a new VLAN must be created, the device's limit on the number of VLANs must be satisfied.


The ports in the management VLAN of a device must be configured to permit the packets of the management VLAN to pass with tags (the packets from VLAN1 can pass without tags); otherwise, the cluster will not work properly.

You can specify the management VLAN only before building a cluster. You cannot modify the management VLAN after a device has joined the cluster. To modify the management VLAN after the cluster is built, delete the cluster configuration on the current device before designating the new management VLAN and finally building the cluster.

GMP V2 Configuration Task Overview

Table 321 GMP V2 configuration task overview

Operation Description Related section

Configure the management device:

Enable NDP globally and for specific ports: Required; see Enabling NDP Globally and for Specific Ports.

Configure NDP-related parameters: Optional; see Configuring NDP-related Parameters.

Enable NTDP globally and for specific ports: Required; see Enabling NTDP Globally and for Specific Ports.

Configure NTDP-related parameters: Optional; see Configuring NTDP-related Parameters.

Enable the cluster function: Required; see Enabling the Cluster Function.

Build a cluster: Required; see Building a Cluster.

Configure cluster management: Required; see Configuring Cluster Management.

Configure cluster parameters: Optional; see Configuring Cluster Parameters.

Configure interaction for the cluster: Optional; see Configuring Interaction for the Cluster.

Configure member devices:

Enable NDP globally and for specific ports: Required; see Enabling NDP Globally and for Specific Ports.

Enable NTDP globally and for specific ports: Required; see Enabling NTDP Globally and for Specific Ports.

Enable the cluster function: Required; see Enabling the Cluster Function.

Configure to add a member to the cluster: Optional; see Configuring to Add a Candidate Device to the Cluster.


Management Device Configuration

Enabling NDP Globally and for Specific Ports

CAUTION: NDP works only if it is enabled globally and on the ports.

Table 322 Enable NDP globally and for specific ports

Operation Command Description

Enter system view: system-view

Enable NDP globally: ndp enable (Required. By default, NDP is enabled globally.)

Enable NDP for Ethernet ports, either in system view: ndp enable interface interface-list; or in Ethernet port view: interface interface-type interface-number, then ndp enable (Either is required. By default, NDP is enabled on all ports.)

Configuring NDP-related Parameters

Table 323 Configure NDP-related parameters

Operation Command Description

Enter system view: system-view

Configure the holdtime of NDP information: ndp timer aging aging-time (Optional. By default, the aging time of NDP packets is 180 seconds.)

Configure the interval to send NDP packets: ndp timer hello hello-time (Optional. By default, the interval for sending NDP packets is 60 seconds.)

Enabling NTDP Globally and for Specific Ports

CAUTION: NTDP works only if it is enabled globally and on the ports.

Table 324 Enable NTDP globally and for specific ports

Operation Command Description

Enter system view: system-view

Enable NTDP globally: ntdp enable (Optional. By default, NTDP is enabled globally.)

Enable NTDP for Ethernet ports, either in system view: ntdp enable interface interface-list; or in Ethernet port view: interface interface-type interface-number, then ntdp enable (Optional. By default, NTDP is enabled on all ports.)


Configuring NTDP-related Parameters

Table 325 Configure NTDP parameters

Operation Command Description

Enter system view: system-view

Configure the hop range within which topology information is collected: ntdp hop hop-value (Optional. By default, the hop range for topology collection is 3 hops.)

Configure the interval to collect topology information: ntdp timer interval-time (Optional. By default, the interval of topology collection is 1 minute.)

Configure the hop delay to forward topology-collection request packets: ntdp timer hop-delay time (Optional. By default, the hop delay of the device is 200 ms.)

Configure the port delay to forward topology-collection request packets: ntdp timer port-delay time (Optional. By default, the port delay is 20 ms.)

Quit system view: quit

Start topology information collection: ntdp explore (Optional)

The ntdp enable command in cluster management is not compatible with the bpdu-tunnel enable command in BPDU TUNNEL. You cannot configure these two commands at the same time. For BPDU TUNNEL, refer to "VLAN VPN Configuration".

Enabling the Cluster Function

Table 326 Enable the cluster function

Operation Command Description

Enter system view: system-view

Enable the cluster function globally: cluster enable (Optional. By default, the cluster function is enabled.)

Building a Cluster

Before building a cluster, you must configure a private IP address pool available to the member devices in the cluster. When a candidate device joins the cluster, the management device dynamically assigns it a private IP address for intra-cluster communication. This enables the management device to manage and maintain member devices.


Configuring cluster parameters manually

CAUTION:

■ For a non-VLAN1 management VLAN, if the port on the management device that is connected to member devices is a trunk or hybrid port, to implement cluster management you must configure the port to permit the packets of the management VLAN to pass with tags. In addition, you cannot manually change its default VLAN to the management VLAN. If the port on the management device that is connected to member devices is an access port, to implement cluster management you must manually configure the port as a hybrid port and configure it to permit the packets of the management VLAN to pass with tags. See the VLAN Operation section for details.

■ When the management VLAN is configured as VLAN1, if the port on the member device that is connected to the management device permits the packets of the management VLAN to pass with tags, configure the management device as described above. If the port on the member device that is connected to the management device permits the packets of the management VLAN to pass without tags, to implement cluster management you must perform one of the following configuration tasks: configure the corresponding port on the management device as an access port; configure it as a trunk port with VLAN1 as its default VLAN; or configure it as a hybrid port with VLAN1 as its default VLAN and permit the packets of the management VLAN to pass without tags. See the VLAN Operation section for details.

■ You can configure an IP address pool only before the cluster is built. Moreover, you can perform the configuration on the management device only. You cannot change the IP address pool for an existing cluster.

Table 327 Configuring cluster parameters manually

Operation Command Description

Enter system view: system-view

Specify the management VLAN: management-vlan vlan-id (Optional. By default, VLAN1 is the management VLAN.)

Enter cluster view: cluster

Configure a private IP address pool on the device to be used as the management device, for the member devices in the cluster: ip-pool administrator-ip-address { ip-mask | ip-mask-length } (Required. Do not configure the IP addresses of the VLAN interfaces of the management device and member devices on the same network segment. Otherwise, the cluster will not work.)

Set the current device as the management device and assign a cluster name: build name (Required. By default, a device is not the management device.)
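The ip-pool row above carries a constraint that is easy to violate silently: the private pool must not share a network segment with the VLAN-interface addresses of the management or member devices. The following is an added example, not 3Com code, that checks a proposed pool against a list of VLAN-interface addresses before the cluster is built (the pool cannot be changed afterwards), and models the management device handing out private addresses from the pool to joining members. The pool arguments mirror the command's administrator-ip-address and { ip-mask | ip-mask-length } forms; the addresses are constructed, and the allocation order (lowest free host first, administrator address reserved) is an assumption.

```python
import ipaddress


def parse_pool(administrator_ip, mask):
    """Interpret the ip-pool arguments; `mask` may be dotted (ip-mask) or a prefix
    length (ip-mask-length). Returns (administrator address, pool network)."""
    iface = ipaddress.ip_interface(f"{administrator_ip}/{mask}")
    return iface.ip, iface.network


def pool_conflicts(pool, interface_addresses):
    """Return the VLAN-interface addresses (as 'addr/mask' strings) whose segment overlaps
    the pool; a non-empty result means the cluster would not work."""
    return [a for a in interface_addresses
            if ipaddress.ip_interface(a).network.overlaps(pool)]


class PrivatePool:
    """Dynamic assignment of private addresses to members, keyed by member MAC address."""

    def __init__(self, administrator_ip, mask):
        self.admin_ip, self.network = parse_pool(administrator_ip, mask)
        self.assigned = {}
        # Assumption: hand out host addresses in ascending order, skipping the administrator's.
        self._free = [h for h in self.network.hosts() if h != self.admin_ip]

    def assign(self, member_mac):
        """Give a joining member its address; a re-joining member keeps the one it had."""
        if member_mac in self.assigned:
            return self.assigned[member_mac]
        if not self._free:
            raise RuntimeError("private IP address pool exhausted")
        addr = self._free.pop(0)
        self.assigned[member_mac] = addr
        return addr

    def release(self, member_mac):
        """Return a removed member's address to the pool."""
        addr = self.assigned.pop(member_mac)
        self._free.append(addr)
        return addr


def plan_cluster(administrator_ip, mask, vlan_interface_addresses):
    """Constructed planning helper: refuse a pool that overlaps any VLAN interface,
    otherwise return the ready pool."""
    _, network = parse_pool(administrator_ip, mask)
    clashes = pool_conflicts(network, vlan_interface_addresses)
    if clashes:
        raise ValueError(f"pool {network} overlaps VLAN interface(s): {', '.join(clashes)}")
    return PrivatePool(administrator_ip, mask)


if __name__ == "__main__":
    # Constructed addresses: management VLAN interface on 10.1.1.0/24, pool on 192.168.100.0/24.
    pool = plan_cluster("192.168.100.1", "255.255.255.0", ["10.1.1.1/24"])
    print(pool.assign("000f-e200-0001"), pool.assign("000f-e200-0002"))
```

Keeping the pool on its own segment also makes the member addresses easy to recognise in logs and ACLs, since only intra-cluster traffic should ever carry them.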


Building a cluster automatically

Besides allowing you to build a cluster manually, the system also enables a cluster to be built automatically. You can build a cluster by using the following commands on the management device and following the prompts.

■ First, the system prompts you to enter a name for the cluster.

■ Then, the system lists the candidate devices discovered within the specified hop range and asks you to confirm whether to add these devices to the cluster.

■ After you confirm, the system adds all listed candidate devices to the cluster that is built.

You can press <CTRL+C> to exit automatic cluster establishment. After this operation, no new device will be added, and the devices already added remain in the cluster.

Table 328 Building a cluster automatically

Operation Command Description

Enter system view: system-view

Specify the management VLAN: management-vlan vlan-id (Optional. By default, VLAN1 is the management VLAN.)

Enter cluster view: cluster

Configure an IP address pool for the cluster: ip-pool administrator-ip-address { ip-mask | ip-mask-length } (Required. Do not configure the IP addresses of the VLAN interfaces of the management device and member devices on the same network segment. Otherwise, the cluster will not work.)

Build a cluster automatically: auto-build [ recover ] (Required)

Configuring Cluster Management

Configuring member management

Member management covers the following:

■ You can manually designate a candidate device to join a cluster or manually remove a designated member device from the cluster. You must add or remove a member on the management device; otherwise, an error message is returned.

■ If a member device fails due to incorrect configuration, you can control the member device remotely by using the remote control function of the management device. For example, you can delete the startup configuration file and reboot the member device to recover normal communication between the management device and the member device.

■ Blacklist management.

■ Device location based on MAC address or IP address.

■ On the management device, you can configure and manage a specified member device by switching to the view of that member device. After the configuration is complete, you can switch back from the member device to the management device.

Table 329 Configure member management

Operation Command Description

Enter system view: system-view

Enter cluster view: cluster

Add a candidate device to the cluster: add-member [ member-number ] mac-address mac-address [ password password ] (Optional. Generally, member numbers are assigned sequentially. The original numbers of members with the same MAC address are recorded by the management device.)

Remove a member device from the cluster: delete-member member-number [ to-black-list ] (Optional)

Reboot a specified member device: reboot member { member-number | mac-address mac-address } [ eraseflash ] (Optional)

Return to system view: quit

Return to user view: quit

Switch between the management device view and a member device view: cluster switch-to { member-number | mac-address mac-address | administrator } (Optional. At present, before using this command, you need to enable "telnet server" on the peer device and avoid ring switching.)

Configuring topology management

White lists and blacklists provide the basis for topology management. Their meanings are as follows:

■ White list for topology management: the network topology confirmed to be correct by network administrators. The information about nodes and their relationships with their neighbors at any given moment can be extracted from the current network topology. Meanwhile, the white list can be maintained based on the current network topology, for example by adding, removing and modifying nodes.

■ Blacklist for topology management: a device in the blacklist is not allowed to join a cluster automatically. The network administrator must blacklist a device manually by its MAC address. If a blacklisted device is connected to the network through another device that is not blacklisted, the information about that access device and the access port is recorded automatically.

The white list and blacklist are mutually exclusive: nodes in the white list must not be in the blacklist, and vice versa. Note that a topology node can be in neither the white list nor the blacklist. These are usually new nodes that still need to be authenticated by administrators.


The white list and black list persist even if the management switch is powered off. Two backup and recovery mechanisms are available: backup on the FTP server or in the Flash of the management switch. In either backup mode, you need to restore the white list or blacklist manually. When the management switch restarts or cluster management is reconfigured, the management switch restores the white list and blacklist from the Flash.

Table 330 Configure topology management

■ Enter system view: system-view
■ Enter cluster view: cluster
■ Blacklist a device: black-list add-mac mac-address (Optional)
■ Remove a device from the blacklist: black-list delete-mac { all | mac-address } (Optional)
■ Confirm the current topology of the cluster and save it as the base topology: topology accept { all [ save-to { ftp-server | local-flash } ] | mac-address mac-address | member-id member-number } (Optional)
■ Save the base topology information to the FTP server or the local Flash: topology save-to { ftp-server | local-flash } (Optional)
■ Restore the topology from the base topology information on the FTP server or in the local Flash: topology restore-from { ftp-server | local-flash } (Optional)

Ensure that the original topology is correct before saving it, because the device cannot process an incorrect saved base topology.

Configuring Cluster Parameters

Cluster parameters include the multicast MAC address for cluster management, the interval for sending multicast packets, the device holdtime, and the handshake interval.

■ If the interval for the management device to send multicast packets is 0, the management device does not send multicast packets to any member device in the cluster.

■ The state of a member device is shown as "Disconnect" if it receives no message from another device within the holdtime. After communication recovers, the member device needs to join the cluster again (automatically). If the fault is removed within the holdtime, the member device does not need to rejoin the cluster and remains in the normal state.

■ Handshake packets maintain real-time communication between the management device and the member devices in a cluster. The management device monitors the states of the members and the link states in the cluster by exchanging handshake packets with member devices.

Table 331 Configure cluster parameters

■ Enter system view: system-view
■ Enter cluster view: cluster
■ Configure the holdtime for a device: holdtime seconds (Optional. By default, the holdtime is 60 seconds.)
■ Configure a handshake interval: timer interval-time (Optional. By default, the handshake interval is 10 seconds.)

Configuring Interaction for the Cluster

After building a cluster, you can configure a server, an NMS host, and a log host for the whole cluster on the management device. A member device in the cluster accesses the configured server through the management device.

All logs of the member devices in the cluster are output to the configured log host: when member devices output logs, the logs are sent directly to the management device, which translates the address of the logs and sends them to the log host configured for the cluster. Likewise, all Trap messages sent by member devices are output to the NMS host configured for the cluster.

CAUTION: The log host configured for the cluster takes effect only after you use the info-center loghost command in system view. For more about the info-center loghost command, see "Information Center Commands".

Table 332 Configure interaction for the cluster

■ Enter system view: system-view
■ Enter cluster view: cluster
■ Configure the public FTP server for the cluster: ftp-server ip-address [ user-name username password { simple | cipher } password ] (Optional. By default, the cluster has no public FTP server.)
■ Configure the TFTP server for the cluster: tftp-server ip-address (Optional. By default, the cluster has no public TFTP server.)
■ Configure the log host for the cluster: logging-host ip-address (Optional. By default, the cluster has no public log host.)
■ Configure the SNMP host for the cluster: snmp-host ip-address [ community-string read string1 write string2 ] (Optional. By default, the cluster has no SNMP host.)
■ Configure the network management (NM) interface for the cluster: nm-interface vlan-interface vlan-id (Optional)


Configuring Member Devices

Enabling NDP Globally and on Specific Ports

Table 333 Enable NDP globally and on specific ports

■ Enter system view: system-view
■ Enable NDP globally: ndp enable (Optional. By default, NDP is enabled globally.)
■ Enable NDP for specified ports, either in system view: ndp enable interface interface-list; or in Ethernet port view: interface interface-type interface-number, then ndp enable (Either is required. By default, NDP is enabled on all ports.)

Enabling NTDP Globally and on Specific Ports

Table 334 Enable NTDP globally and on specific ports

■ Enter system view: system-view
■ Enable NTDP globally: ntdp enable (Optional. By default, NTDP is enabled globally.)
■ Enable NTDP for specified ports, either in system view: ntdp enable interface interface-list; or in Ethernet port view: interface interface-type interface-number, then ntdp enable (Optional. By default, NTDP is enabled on all ports.)

Enabling the Cluster Function

Table 335 Enable the cluster function

■ Enter system view: system-view
■ Enable the cluster function: cluster enable (Optional. By default, the cluster function is enabled.)


Configuring to Add a Candidate Device to the Cluster

Table 336 Configure to add a member to the cluster

■ Enter system view: system-view
■ Enter cluster view: cluster
■ Add a candidate device to the cluster: administrator-address mac-address name name (Optional. By default, a device is not a member of any cluster.)

Displaying and Maintaining a Cluster

After the configuration above, you can execute the display commands to view the running status of the cluster. Check the displayed information to verify the effect of the configuration.

You can use the reset command in user view to clear NDP statistics.

Table 337 Display and maintain cluster configurations

■ Display NDP configuration: display ndp [ interface port-list ]
■ Display the global NTDP information: display ntdp
■ Display device information collected through NTDP: display ntdp device-list [ verbose ]
■ Display state and statistics information about a cluster: display cluster
■ Display the base topology of the cluster: display cluster base-topology [ mac-address mac-address | member-id member-number ]
■ Display the current blacklist of the cluster: display cluster black-list
■ Display the information about the candidate devices of a cluster: display cluster candidates [ mac-address mac-address | verbose ]
■ Display the current topology of the cluster or the topological path between two nodes: display cluster current-topology [ mac-address mac-address [ to-mac-address mac-address ] | member-id member-number [ to-member-id member-number ] ]
■ Display the information about the cluster members: display cluster members [ member-number | verbose ]
■ Clear the NDP statistics on a port: reset ndp statistics [ interface interface-list ]


GMP V2 Configuration Example

Network requirements

Three switches form a cluster, in which:

■ The management device is a Switch 4500G series switch.

■ The other two are member devices.

The Switch 4500G, as the management device, manages the other two member devices. The details of the cluster are as follows.

■ The two member devices are connected to the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports of the management device.

■ The management device is connected to the external network through its GigabitEthernet1/0/1 port.

■ The GigabitEthernet1/0/1 port of the management device belongs to VLAN 2, whose interface IP address is 163.172.55.1.

■ All the devices in the cluster use the same FTP server and TFTP server.

■ The FTP server and TFTP server share one IP address: 63.172.55.1.

■ The SNMP site and the log host share one IP address: 69.172.55.4.

■ Blacklist the device whose MAC address is 00e0-fc01-0013.

Network diagram

Figure 131 Network diagram for GMP cluster configuration


Configuration procedure

1 Configure the management device

a Enable NDP globally and for the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] ndp enable
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] ndp enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] ndp enable
[3Com-GigabitEthernet1/0/3] quit

b Configure the holdtime of NDP information to be 200 seconds.

[3Com] ndp timer aging 200

c Configure the interval to send NDP packets to be 70 seconds.

[3Com] ndp timer hello 70

d Enable NTDP globally and for GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports.

[3Com] ntdp enable
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] ntdp enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] ntdp enable
[3Com-GigabitEthernet1/0/3] quit

e Configure the hop count to collect topology to be 2.

[3Com] ntdp hop 2

f Configure the delay time for topology-collection request packets to be forwarded on member devices to be 150 ms.

[3Com] ntdp timer hop-delay 150

g Configure the delay time for topology-collection request packets to be forwarded through the ports of member devices to be 15 ms.

[3Com] ntdp timer port-delay 15

h Configure the interval to collect topology information to be 3 minutes.

[3Com] ntdp timer 3

i Enable the cluster function.

[3Com] cluster enable

j Enter cluster view.

[3Com] cluster
[3Com-cluster]

k Configure an IP address pool for the cluster. The IP address pool contains six IP addresses, starting from 172.16.0.1.

[3Com-cluster] ip-pool 172.16.0.1 255.255.255.248

l Specify a name for the cluster and create the cluster.

[3Com-cluster] build aaa
[aaa_0.3Com-cluster]


m Configure the holdtime of the member device information to be 100 seconds.

[aaa_0.3Com-cluster] holdtime 100

n Configure the interval to send handshake packets to be 10 seconds.

[aaa_0.3Com-cluster] timer 10

o Configure the FTP server, TFTP server, log host, and SNMP host for the cluster.

[aaa_0.3Com-cluster] ftp-server 63.172.55.1
[aaa_0.3Com-cluster] tftp-server 63.172.55.1
[aaa_0.3Com-cluster] logging-host 69.172.55.4
[aaa_0.3Com-cluster] snmp-host 69.172.55.4

p Blacklist the device whose MAC address is 00e0-fc01-0013.

[aaa_0.Switch-cluster] black-list add-mac 00e0-fc01-0013

2 Configure the member devices (taking one member as an example)

a Enable NDP globally and for GigabitEthernet1/0/1.

<3Com> system-view
[3Com] ndp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] ndp enable
[3Com-GigabitEthernet1/0/1] quit

b Enable NTDP globally and for GigabitEthernet1/0/1.

[3Com] ntdp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] ntdp enable
[3Com-GigabitEthernet1/0/1] quit

c Enable the cluster function.

[3Com] cluster enable

After completing the above configuration, you can execute the cluster switch-to { member-num | mac-address H-H-H } command on the management device to switch to the view of a member device in order to maintain and manage it. You can then execute the cluster switch-to administrator command to return to the management device view.


51 SNMP CONFIGURATION

SNMP Overview

Simple Network Management Protocol (SNMP for short) offers a framework to monitor network devices through the TCP/IP protocol suite. It provides a set of basic operations for monitoring and maintaining the Internet and has the following characteristics:

■ Automatic network management: SNMP enables network administrators to search and modify information on any network node, find and diagnose network problems, plan for network growth, and generate reports.

■ SNMP shields network administrators from the physical differences between devices and thus allows automatic management of products from different manufacturers. SNMP offers only a basic set of functions. With SNMP enabled, the management tasks and the physical features of the managed devices are not affected by lower-layer network protocols. Thus, SNMP achieves effective management of devices from different manufacturers, especially in small, fast, and low-cost network environments.

SNMP Mechanism

An SNMP managed network is composed of a Network Management Station (NMS for short) and Agents.

■ An NMS is a station that runs the SNMP client software. It offers a friendly man-machine interface, making it easier for network administrators to perform most network management tasks. Currently, the most commonly used NMSs include Quidview, Sun NetManager, and IBM NetView.

■ An Agent is a device that runs the SNMP server software. It can be a PC, a workstation, an ordinary server, or a router.

■ The NMS manages an SNMP managed network, whereas Agents are the managed network devices. They exchange management information through the SNMP protocol.

SNMP provides the following four basic operations:

■ Get operation: the NMS obtains the behavior information of the Agent through this operation.

■ Set operation: the NMS reconfigures certain values in the Agent MIB by means of this operation to make the Agent perform certain tasks.

■ Trap operation: the Agent sends Trap information to the NMS through this operation.

■ Inform operation: an NMS sends Trap information to other NMSs through this operation.


SNMP Protocol Version

Currently, 3Com SNMP agents support SNMPv3 and are compatible with SNMPv1 and SNMPv2c.

SNMPv1 and SNMPv2c perform authentication by means of a community name, which defines the relationship between an SNMP NMS and an SNMP Agent. SNMP packets with community names that are not acceptable to the device are simply discarded. A community name plays a role similar to a password and can be used to regulate access from an NMS to the Agent.

SNMPv3 offers an authentication mechanism implemented with the User-Based Security Model (USM for short), whose security level can be authentication with privacy, authentication without privacy, or no authentication and no privacy. USM regulates access from an NMS to the Agent in a more effective way.
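What the USM authentication mechanism does with the auth-password that the snmp-agent usm-user v3 command takes, shown as an added example (my code, not the switch's implementation or anything from the guide): the password is stretched and hashed into Ku, then localized with the agent's engine ID into Kul, following RFC 3414 section A.2. The password itself is therefore never transmitted, and the same password yields a different key on every agent, which is why the engine ID configured with snmp-agent local-engineid matters. The md5 and sha choices correspond to the switch's authentication-mode option; the function names are my own. The expected values come from the RFC 3414 Appendix A test vectors.

```python
# Added example (not from the 3Com guide): SNMPv3 USM key derivation per
# RFC 3414 (section A.2). Ku = H(password stretched to 2^20 bytes);
# Kul = H(Ku || snmpEngineID || Ku). Function names are my own.
import hashlib

ONE_MEGABYTE = 1_048_576  # RFC 3414: the password is repeated to fill exactly 2^20 bytes


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: hash of the password repeated to 1,048,576 bytes.

    hash_name is 'md5' or 'sha1', matching the md5 | sha choice of the
    authentication-mode option. The stretching is a cost factor against
    guessing, not a secret: anyone with Ku or Kul can forge traffic.
    """
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(hash_name)
    full, rem = divmod(ONE_MEGABYTE, len(password))
    h.update(password * full + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key an agent actually stores and uses."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, hash_name: str = "md5") -> dict:
    """Return both keys, hex encoded, for one user on one agent."""
    ku = password_to_key(password.encode(), hash_name)
    return {"ku": ku.hex(), "kul": localize_key(ku, engine_id, hash_name).hex()}


if __name__ == "__main__":
    # RFC 3414 Appendix A vector: password "maplesyrup", engine ID 00..02
    engine = bytes.fromhex("000000000000000000000002")
    print(usm_keys("maplesyrup", engine, "md5"))
    print(usm_keys("maplesyrup", engine, "sha1"))
```

RFC 3414 derives the privacy key from the privacy password in the same way, so a priv-password given to the des56 option goes through the same two steps. Because Kul is bound to one engine ID, a captured localized key from one agent does not authenticate the same user to a different agent, which is a material improvement over an SNMPv1/v2c community name that is sent in clear and compared byte for byte.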

Overview

The Management Information Base (MIB for short) is a collection of all the objects that can be managed by an NMS. It defines a set of characteristics of the managed objects, such as the object identifier (OID for short), access rights, and data type of the objects.

A MIB stores data using a tree structure. Each node of the tree is a managed object and can be uniquely identified by a path starting from the root node. As illustrated in the following figure, the managed object B can be uniquely identified by the string of numbers {1.2.1.1}. This string of numbers is the OID of the managed object B.

Figure 132 MIB tree (figure: a tree rooted at node A whose numbered branches lead down to the managed object B at OID {1.2.1.1})


Configuring Basic SNMP Functions

As the configuration of SNMPv3 differs substantially from that of SNMPv1 and SNMPv2c, their SNMP functionalities are introduced separately below. See Table 338 and Table 339 for details.

Table 338 Follow these steps to configure SNMPv3

■ Enter system view: system-view
■ Enable SNMP Agent: snmp-agent (Optional. Disabled by default. You can enable SNMP Agent through this command or any command that begins with snmp-agent.)
■ Configure SNMP Agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } } (Optional. The defaults are 3Com Corporation for contact, Marlborough, MA for location, and v3 for the version.)
■ Configure an SNMP group: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] (Required)
■ Add a new user to an SNMP agent group: snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password [ privacy-mode des56 priv-password ] ] [ acl acl-number ] (Required)
■ Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent: snmp-agent packet max-size byte-count (Optional. 1,500 bytes by default.)
■ Configure the engine ID for an SNMP agent: snmp-agent local-engineid engineid (Optional. Company ID and device ID by default.)
■ Create or update the MIB view information for an SNMP agent: snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ] (Optional. By default, the MIB view name is ViewDefault, and the NMS is allowed to access the nodes below the MIB subtree iso, except for snmpUsmMIB, snmpVacmMIB, and snmpModules.18.)


This device does not support the remote-engineid function.

Table 339 Follow these steps to configure SNMPv1 and SNMPv2c

■ Enter system view: system-view
■ Enable SNMP Agent: snmp-agent (Optional. Disabled by default. You can enable SNMP Agent through this command or any command that begins with snmp-agent.)
■ Configure SNMP Agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (Required. The defaults are R&D Hangzhou, 3Com Technologies Co., Ltd. for contact and Hangzhou China for location.)
■ Configure SNMP NMS access rights (at least one of the following two methods is required; both configure SNMP NMS access rights, and the indirect method was introduced for compatibility with SNMPv3):
■ Direct configuration, configure a community name: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
■ Indirect configuration, configure an SNMP group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]; then add a new user to the SNMP group: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
■ Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent: snmp-agent packet max-size byte-count (Optional. 1,500 bytes by default.)
■ Configure the engine ID for an SNMP agent: snmp-agent local-engineid engineid (Optional. Company ID and device ID by default.)
■ Create or update MIB view information: snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ] (Optional. ViewDefault by default. The NMS is allowed to access the nodes below the MIB subtree iso, except for snmpUsmMIB, snmpVacmMIB, and snmpModules.18.)
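How an agent uses the included/excluded subtrees and the optional mask of a MIB view to decide whether an OID is accessible, and how an OID such as the {1.2.1.1} path of the MIB tree figure is handled as a tuple of sub-identifiers: an added example that follows the view-family matching rules of RFC 3415 (VACM), written by me and not taken from the guide or the switch firmware. It assumes the mask is supplied as a hex string; the view definitions, the OIDs, and the names are constructed, and the ViewDefault entries reproduce the default the guide describes using the standard OIDs of snmpUsmMIB (snmpModules.15) and snmpVacmMIB (snmpModules.16).

```python
# Added example (not from the 3Com guide): MIB view matching in the style of
# RFC 3415 view families. Mask is assumed to be a hex string; view data below
# is constructed sample data.
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]
ViewEntry = Tuple[str, str, Optional[str]]  # ("included"|"excluded", subtree, mask hex or None)


def parse_oid(text: str) -> Oid:
    """'1.3.6.1' -> (1, 3, 6, 1); rejects anything that is not dotted integers."""
    parts = text.strip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {text!r}")
    return tuple(int(p) for p in parts)


def mask_bits(mask_hex: Optional[str], length: int) -> List[bool]:
    """One bool per sub-identifier: True = must match, False = wildcard.
    Bits beyond the end of the mask count as 1, as RFC 3415 specifies."""
    bits: List[bool] = []
    if mask_hex:
        for byte in bytes.fromhex(mask_hex):
            bits.extend(bool(byte & (0x80 >> i)) for i in range(8))
    return (bits + [True] * length)[:length]


def family_matches(subtree: Oid, mask_hex: Optional[str], oid: Oid) -> bool:
    """oid belongs to the family if it is at least as long as the subtree and
    every sub-identifier the mask marks as significant is equal."""
    if len(oid) < len(subtree):
        return False
    return all(not sig or a == b
               for sig, a, b in zip(mask_bits(mask_hex, len(subtree)), subtree, oid))


def oid_in_view(view: List[ViewEntry], oid_text: str) -> bool:
    """Longest matching subtree wins; ties go to the lexicographically greater
    subtree; the winner's included/excluded type decides (RFC 3415 rules)."""
    oid = parse_oid(oid_text)
    best = None
    for vtype, subtree_text, mask in view:
        subtree = parse_oid(subtree_text)
        if family_matches(subtree, mask, oid):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, vtype)
    return best is not None and best[1] == "included"


# The default view the guide describes: everything under iso except the USM
# and VACM MIBs and snmpModules.18 (constructed from the guide's wording).
VIEW_DEFAULT: List[ViewEntry] = [
    ("included", "1", None),                # iso
    ("excluded", "1.3.6.1.6.3.15", None),   # snmpUsmMIB
    ("excluded", "1.3.6.1.6.3.16", None),   # snmpVacmMIB
    ("excluded", "1.3.6.1.6.3.18", None),   # snmpModules.18
]

# A masked family: ifTable row 3 only. Mask ffa0 marks sub-identifier 10
# (the column) as a wildcard, so any column of ifIndex 3 matches.
VIEW_IF_ROW3: List[ViewEntry] = [("included", "1.3.6.1.2.1.2.2.1.0.3", "ffa0")]

if __name__ == "__main__":
    print(oid_in_view(VIEW_DEFAULT, "1.3.6.1.2.1.1.1.0"))          # sysDescr.0 -> True
    print(oid_in_view(VIEW_DEFAULT, "1.3.6.1.6.3.16.1.5.2.1.4"))   # inside snmpVacmMIB -> False
    print(oid_in_view(VIEW_IF_ROW3, "1.3.6.1.2.1.2.2.1.10.4"))     # ifInOctets.4 -> False
```

The practical point for the mib-view command is that the masked entry restricts a view to one table row without enumerating columns, and that the excluded entries in the default view keep the user and access-control tables (snmpUsmMIB, snmpVacmMIB) out of reach of an NMS that only holds the default view.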


Trap Configuration

The SNMP Agent sends Trap messages to the NMS to alert it to critical and important events (such as a restart of the managed device).

Configuration Prerequisites

Basic SNMP configuration has been completed.

Configuration Procedure

Follow these steps to configure Traps:

Table 340 Trap Configuration

■ Enter system view: system-view
■ Enable device Traps: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ] (Optional. All types of Traps are enabled by default.)
■ Enable port Traps: enter interface view with interface interface-type interface-number, execute enable snmp trap updown, then return to system view with quit
■ Configure the target host address for Trap messages: snmp-agent target-host trap address udp-domain { ip-address } [ udp-port port-number ] params securityname security-string [ v1 | v2c | v3 { authentication | privacy } ] (Required)
■ Configure the source address for Trap messages: snmp-agent trap source { interface-type interface-number } [ subinterface-type ] (Optional)
■ Configure the size of the Trap queue: snmp-agent trap queue-size size (Optional. 100 by default.)
■ Configure the lifetime of Traps: snmp-agent trap life seconds (Optional. 120 seconds by default.)


Displaying and Maintaining SNMP

Table 341 Displaying and Maintaining SNMP

■ Display SNMP Agent system information, including the contact, location, and version of the SNMP: display snmp-agent sys-info [ contact | location | version ]*
■ Display SNMP packet statistics: display snmp-agent statistics
■ Display the engine ID of the device: display snmp-agent { local-engineid | remote-engineid }
■ Display SNMP group information: display snmp-agent group [ group-name ]
■ Display SNMP user information: display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ]*
■ Display SNMP community information: display snmp-agent community [ read | write ]
■ Display MIB view information: display snmp-agent mib-view [ exclude | include | viewname view-name ]

All of these commands are available in any view.

SNMP Configuration Example

Network requirements

■ The NMS is connected to a switch, which serves as the SNMP agent, through an Ethernet.

■ The IP address of the NMS is 129.102.149.23/16.

■ The IP address of the VLAN interface on the switch is 129.102.0.1/16.

■ On the switch, configure the following: community name, access rights, administrator ID and contact information, and location; and enable Traps.

Network diagram

Figure 133 Network diagram for SNMP configuration (figure: the NMS at 129.102.149.23/16 and the Switch at 129.102.0.1/16 connected over an Ethernet)


Configuration procedure

1 Configure SNMP Agent

a Configure the community, the SNMP Agent group, and the SNMP Agent user.

<3Com> system-view
[3Com] snmp-agent sys-info version all
[3Com] snmp-agent community read public
[3Com] snmp-agent community write private
[3Com] snmp-agent mib-view included internet 1.3.6.1
[3Com] snmp-agent group v3 managev3group write-view internet
[3Com] snmp-agent usm-user v3 managev3user managev3group

b Specify VLAN interface 2 as the VLAN interface for network management. Add the port GigabitEthernet 1/0/3 to VLAN 2. Set the IP address of VLAN interface 2 to 129.102.0.1.

[3Com] vlan 2
[3Com-vlan2] port GigabitEthernet 1/0/3
[3Com-vlan2] interface Vlan-interface 2
[3Com-Vlan-interface2] ip address 129.102.0.1 255.255.0.0
[3Com-Vlan-interface2] quit

c Configure the ID and contact of the administrator, and the location of the switch.

[3Com] snmp-agent sys-info contact Mr.Wang-Tel:3306
[3Com] snmp-agent sys-info location telephone-closet,3rd-floor

d Enable the device to send Traps to the NMS with the IP address 129.102.149.23/16, using public as the community name.

[3Com] snmp-agent trap enable
[3Com] snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public

2 Configure the SNMP NMS

SNMPv3 uses the "authentication and privacy" security model. On the NMS, you need to specify the user name and security level and, based on that level, configure the authentication mode, authentication password, privacy mode, and privacy password. In addition, the timeout and the number of retries should also be configured. You can then query and configure the switch through the NMS. For detailed information, refer to the NMS manuals.

The configuration on the device and on the NMS must be consistent before you can perform the related operations.


52 RMON CONFIGURATION

Remote Network Monitoring (RMON) is an IETF-defined MIB. It is the most important enhancement to the MIB II standard. It allows you to monitor traffic on network segments and even on the entire network.

When configuring RMON, use the following table to find the information you are interested in.

Table 342 Information

■ Get familiar with RMON: RMON Overview
■ Configure RMON: Configuring RMON
■ Consult the display commands available for verifying the RMON configuration: Displaying and Maintaining RMON
■ See how to configure RMON on a switch: RMON Configuration Example (on a Switch)
■ See how to configure RMON on a router: RMON Configuration Example (on a Router)

RMON Overview

This section covers these topics:

■ Introduction

■ RMON Groups

Introduction

RMON is implemented on top of the simple network management protocol (SNMP) and is fully compatible with the existing SNMP framework, so no modification to SNMP is needed to support it.

RMON provides an efficient means of monitoring subnets and allows SNMP to monitor remote network devices in a more proactive and effective way. It reduces traffic between the network management station (NMS) and the agent, facilitating the management of large networks.

RMON comprises two parts: NMSs and agents running on network devices.

■ Each RMON NMS administers the agents within its administrative domain.

■ An RMON agent resides on a network monitor or probe for an interface. It monitors and gathers information about traffic over the network segment connected to the interface, for example statistics about packets over a specified period or good packets sent to a host.

RMON allows multiple monitors. It provides two ways of gathering data:

■ Using RMON probes. NMSs can obtain management information from RMON probes directly and control network resources. In this approach, RMON NMSs can obtain all RMON MIB information.


■ Embedding RMON agents in network devices such as routers, switches, and hubs to provide the RMON probe function. RMON NMSs exchange data with SNMP agents using basic SNMP commands to gather network management information. Because of system resource limitations, this information may not cover all MIB information; in most cases it covers four groups only: alarm, event, history, and statistics.

By using RMON-enabled SNMP agents on network monitors, an NMS can obtain information about traffic size, error statistics, and performance statistics for network management.

RMON Groups

RMON categorizes objects into groups. This section describes only the major implemented groups.

Event group

The event group defines event indexes and controls the generation and notification of the events triggered by the alarms defined in the alarm group and the private alarm group. The events can be handled in one of the following ways:

■ Logging events in the event log table

■ Sending traps to NMSs

■ Both logging and sending traps

Alarm group

The RMON alarm group monitors specified alarm variables, such as statistics on a port. If the monitored variable crosses a threshold, an event is triggered. The event is then handled as defined in the event group.

The system handles entries in the RMON alarm table as follows:

1 Sample the alarm variables at the specified interval.

2 Compare the sampled values with the predefined thresholds and trigger events if all triggering conditions are met.

If a monitored variable crosses the same threshold multiple times, only the first crossing causes an alarm event.

Private alarm group

The private alarm group calculates the sampled values of alarm variables according to a formula and compares the result with the defined threshold, thereby realizing a more comprehensive alarming function.

The system handles a prialarm table entry (as defined by the user) as follows:

■ Periodically takes statistical samples of the alarm variables defined in the prialarm formula.

■ Calculates the sampled values based on the prialarm formula.

■ Compares the result with the defined threshold and generates an appropriate event.
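The threshold behaviour of the alarm group and the formula-driven variant of the private alarm group, as an added example (my own code, not the switch's implementation and not from the guide): each sample, either absolute or a delta against the previous sample, is compared with a rising and a falling threshold, and the hysteresis rule of RFC 2819 ensures that repeated crossings of the same threshold produce one event, not one per sample, until the opposite threshold has been reached. The variable names, thresholds and sample sequences are constructed; the Python formula stands in for the switch's prialarm-formula syntax, which this example does not reproduce.

```python
# Added example (not from the 3Com guide): RMON alarm threshold logic with
# rising/falling hysteresis (RFC 2819) and an optional formula over several
# sampled variables in the spirit of the private alarm group. Names,
# thresholds and samples are constructed; formula syntax is Python, not the
# switch's prialarm-formula syntax.
from typing import Callable, Dict, List, Optional

Formula = Callable[[Dict[str, float]], float]


class RmonAlarm:
    """Compares each sample with a rising and a falling threshold.

    After a rising event fires, no further rising event fires until the value
    has come back to the falling threshold (and symmetrically for falling), so
    a variable that stays above the rising threshold raises exactly one event.
    """

    def __init__(self, rising: float, falling: float, sample_type: str = "absolute",
                 formula: Optional[Formula] = None,
                 startup: str = "risingOrFalling") -> None:
        if rising < falling:
            raise ValueError("rising threshold must not be below falling threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "risingOrFalling"):
            raise ValueError("bad startup alarm type")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type
        self.formula: Formula = formula or (lambda v: v["x"])  # plain alarm: one variable x
        self.startup = startup          # which event may fire on the very first comparison
        self._last: Optional[Dict[str, float]] = None
        self._first = True
        self._rising_armed = self._falling_armed = True
        self.events: List[str] = []

    def _value(self, sample: Dict[str, float]) -> Optional[float]:
        if self.sample_type == "absolute":
            return self.formula(sample)
        if self._last is None:
            return None  # a delta needs two samples
        return self.formula({k: sample[k] - self._last[k] for k in sample})

    def sample(self, **sample: float) -> Optional[str]:
        """Feed one sampling interval's variables; returns 'rising', 'falling' or None."""
        value = self._value(sample)
        self._last = dict(sample)
        if value is None:
            return None
        event = None
        if value >= self.rising and self._rising_armed:
            if not self._first or self.startup in ("rising", "risingOrFalling"):
                event = "rising"
            self._rising_armed, self._falling_armed = False, True
        elif value <= self.falling and self._falling_armed:
            if not self._first or self.startup in ("falling", "risingOrFalling"):
                event = "falling"
            self._rising_armed, self._falling_armed = True, False
        self._first = False
        if event:
            self.events.append(event)
        return event


if __name__ == "__main__":
    # Absolute alarm on a utilisation percentage: 85, 90 and 85 again raise one event.
    util = RmonAlarm(rising=80, falling=20, startup="rising")
    print([util.sample(x=v) for v in (10, 85, 90, 50, 85, 15, 85)])
    # Private-alarm style: error rate of the packets seen since the last sample.
    rate = RmonAlarm(5.0, 1.0, "delta", startup="rising",
                     formula=lambda d: 100.0 * d["errors"] / d["packets"] if d["packets"] else 0.0)
    print([rate.sample(errors=e, packets=p) for e, p in ((0, 0), (10, 1000), (110, 2000))])
```

The delta mode is the one to use on monotonically increasing counters such as the RMON statistics group's error counters, and the hysteresis is what keeps a noisy variable from flooding the event log or the NMS with traps.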


History control group

The history control group controls the periodic statistical sampling of data, such as bandwidth utilization, number of errors, and total number of packets.

Note that each value provided by the group is a cumulative sum during a sampling period.

Ethernet statistics group

The statistics group monitors port utilization and records errors. It provides statistics about network collisions, CRC alignment errors, undersize/oversize packets, broadcasts, multicasts, bytes received, packets received, and so on.

Unlike values provided by the history control group, each value provided in this group is a cumulative sum counted starting from the creation of a valid event entry.


Configuring RMON

Configuration Prerequisites

Before configuring RMON, configure the SNMP agent as described in the "SNMP Configuration" part.

Configuration Procedure

Table 343 Follow these steps to configure RMON

■ Enter system view: system-view
■ Create an event entry in the event table: rmon event event-entry [ description string ] { log | trap trap-community | log-trap log-trapcommunity | none } [ owner text ] (Required)
■ Enter Ethernet interface view: interface interface-type interface-number
■ Create an entry in the history table: rmon history entry-number buckets number interval sampling-interval [ owner text-string ] (Optional)
■ Create an entry in the statistics table: rmon statistics entry-number [ owner text-string ] (Optional)
■ Exit Ethernet interface view: quit (Required)
■ Create an entry in the alarm table: rmon alarm entry-number alarm-variable sampling-time { absolute | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ] (Optional)
■ Create an entry in the private alarm table: rmon prialarm entry-number prialarm-formula prialarm-des sampling-timer { absolute | changeratio | delta } rising_threshold threshold-value1 event-entry1 falling_threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ] (Optional)


Displaying and Maintaining RMON

Table 344 Displaying and Maintaining RMON

■ Display RMON statistics: display rmon statistics [ interface-type interface-number ]
■ Display RMON history information: display rmon history [ interface-type interface-number ]
■ Display RMON alarm information: display rmon alarm [ alarm-entry-number ]
■ Display RMON prialarm information: display rmon prialarm [ prialarm-entry-number ]
■ Display RMON events: display rmon event [ event-entry-number ]
■ Display the RMON event log: display rmon eventlog [ event-number ]

All of these commands are available in any view.

RMON Configuration

Network requirements

A monitored switch is connected to a configuration terminal through its console port and to a remote NMS across the Internet.

Create an entry in the RMON Ethernet statistics table to gather statistics on an Ethernet port for NMS queries.

Network diagram

Figure 134 Network diagram for RMON (on a switch) (figure: the Switch, running the RMON agent, is connected through its console port to the Terminal and through its network port across the Internet to the NMS)


Configuration procedure

1 Configure RMON to gather statistics for interface GigabitEthernet 1/0/1.

<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] rmon statistics 1 owner user1-rmon

2 Display RMON statistics for interface GigabitEthernet 1/0/1.

<3Com> display rmon statistics GigabitEthernet 1/0/1
Statistics entry 1 owned by user1-rmon is VALID.
  Gathers statistics of interface GigabitEthernet1/0/1.
  Received:
    octets : 270149 , packets : 1954
    broadcast packets :1570 , multicast packets :365
    undersized packets :0 , oversized packets:0
    fragments packets :0 , jabbers packets :0
    CRC alignment errors:0 , collisions :0
  Dropped packet events (due to lack of resources):0
  Packets received according to length (in octets):
    64 :644 , 65-127 :518 , 128-255 :688
    256-511:101 , 512-1023:3 , 1024-1518:0


53 NTP CONFIGURATION

NTP Overview

Defined in RFC 1305, the network time protocol (NTP) synchronizes timekeeping among distributed time servers and clients. NTP runs over the user datagram protocol (UDP), using port 123.

The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network so that the devices can provide diverse applications based on the consistent time.

For a local system running NTP, its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks.

Applications of NTP

NTP is used when all devices within the network must be consistent in timekeeping, for example:

■ In the analysis of log information and debugging information collected from different devices in network management, time must be used as the reference basis.

■ All devices must use the same reference clock in a charging system.

■ To implement certain functions, such as the scheduled restart of all devices within the network, all devices must be consistent in timekeeping.

■ When multiple systems process a complex event in cooperation, these systems must use the same reference clock to ensure the correct execution sequence.

■ For incremental backup between a backup server and clients, timekeeping must be synchronized between the backup server and all the clients.

An administrator cannot keep the time synchronized among all the devices within a network by changing the system clock on each station, because the workload is huge and the clock precision cannot be guaranteed. NTP, however, allows quick clock synchronization within the entire network while ensuring a high clock precision.

Advantages of NTP:

■ NTP uses a stratum to describe the clock precision, and is able to synchronize time among all devices within the network.

■ NTP supports access control and MD5 authentication.

■ NTP can unicast, multicast or broadcast protocol messages.


How NTP Works

Figure 135 shows the basic work flow of NTP. Device 1 and Device 2 are interconnected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP. For easy understanding, we assume that:

■ Prior to system clock synchronization between Device 1 and Device 2, the clock of Device 1 is set to 10:00:00am while that of Device 2 is set to 11:00:00am.

■ Device 2 is used as the NTP time server, namely Device 1 synchronizes its clock to that of Device 2.

■ It takes 1 second for an NTP message to travel from one device to the other.

Figure 135 Basic work flow of NTP

The process of system clock synchronization is as follows:

■ Device 1 sends Device 2 an NTP message, which is timestamped when it leaves Device 1. The time stamp is 10:00:00am (T1).

■ When this NTP message arrives at Device 2, it is timestamped by Device 2. The timestamp is 11:00:01am (T2).

■ When the NTP message leaves Device 2, Device 2 timestamps it. The timestamp is 11:00:02am (T3).

■ When Device 1 receives the NTP message, the local time of Device 1 is 10:00:03am (T4).

Up to now, Device 1 has sufficient information to calculate the following two important parameters:

■ The round-trip delay of the NTP message: Delay = (T4 - T1) - (T3 - T2) = 2 seconds.

■ The time difference between Device 1 and Device 2: Offset = ((T2 - T1) + (T3 - T4))/2 = 1 hour.

Based on these parameters, Device 1 can synchronize its own clock to the clock of Device 2.

[Figure 135: the four steps of the exchange between Device 1 and Device 2 across the network. 1. NTP message leaves Device 1 at 10:00:00am; 2. received by Device 2 at 11:00:01am; 3. reply leaves Device 2 at 11:00:02am; 4. NTP message received by Device 1 at 10:00:03am.]


This is only a brief description of the work mechanism of NTP. For details, refer to RFC 1305.

NTP Message Format

NTP uses two types of messages, the clock synchronization message and the NTP control message. An NTP control message is used in environments where network management is needed. As it is not required for clock synchronization, it will not be discussed in this document.

All NTP messages mentioned in this document refer to NTP clock synchronization messages.

A clock synchronization message is encapsulated in a UDP message, in the format shown in Figure 136.

Figure 136 Clock synchronization message format

Main fields are described as follows:

■ LI: 2-bit leap indicator. When set to 11, it warns of an alarm condition (clock unsynchronized); when set to any other value, it is not to be processed by NTP.

■ VN: 3-bit version number, indicating the version of NTP. The latest version is version 3.

■ Mode: a 3-bit code indicating the work mode of NTP. This field can be set to these values: 0 – reserved; 1 – symmetric active; 2 – symmetric passive; 3 – client; 4 – server; 5 – broadcast or multicast; 6 – NTP control message; 7 – reserved for private use.

■ Stratum: an 8-bit integer indicating the stratum level of the local clock, with the value ranging from 1 to 16. The clock precision decreases from stratum 1 to stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.

■ Poll: 8-bit signed integer indicating the poll interval, namely the maximum interval between successive messages.

■ Precision: an 8-bit signed integer indicating the precision of the local clock.

■ Root Delay: round-trip delay to the primary reference source.

■ Root Dispersion: the maximum error of the local clock relative to the primary reference source.

■ Reference Identifier: Identifier of the particular reference source.

■ Reference Timestamp: the local time at which the local clock was last set or corrected.

[Figure 136 layout (bit columns 0, 7, 15, 31): LI, VN, Mode, Stratum, Poll, Precision; Root Delay; Root Dispersion; Reference Identifier; Reference Timestamp; Originate Timestamp; Receive Timestamp; Transmit Timestamp; Authenticator (optional).]


■ Originate Timestamp: the local time at which the request departed the client for the service host.

■ Receive Timestamp: the local time at which the request arrived at the service host.

■ Transmit Timestamp: the local time at which the reply departed the service host for the client.

■ Authenticator: authentication information.
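As an added example that is not part of the 3Com guide, the following Python builds and parses the 48-byte clock synchronization header using the RFC 1305 field widths (the sizes in Figure 136 are bit widths packed into 48 octets), then replays the Device 1/Device 2 exchange from the overview to compute Offset and Delay from T1..T4. The date of the exchange and the reference identifier LOCL are constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 48  # LI/VN/Mode, Stratum, Poll, Precision, Root Delay, Root Dispersion,
                 # Reference ID and four 64-bit timestamps (RFC 1305 wire sizes)
HEADER_FMT = "!BBbbiI4sQQQQ"  # network byte order, 48 bytes in total

MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast/multicast",
         6: "control", 7: "private"}


def to_ntp_ts(dt):
    """Encode a UTC datetime as a 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    total = (dt - NTP_EPOCH).total_seconds()
    secs = int(total)
    return (secs << 32) | int((total - secs) * 2**32)


def from_ntp_ts(ts):
    """Decode a 64-bit NTP timestamp into floating-point seconds since the NTP epoch."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / 2**32


def build_header(li, vn, mode, stratum, poll, precision, ref_id,
                 ref_ts, orig_ts, recv_ts, xmit_ts):
    """Pack the header; LI (2 bits), VN (3 bits) and Mode (3 bits) share the first octet."""
    first = (li << 6) | (vn << 3) | mode
    return struct.pack(HEADER_FMT, first, stratum, poll, precision, 0, 0, ref_id,
                       ref_ts, orig_ts, recv_ts, xmit_ts)


def parse_header(pkt):
    """Unpack the fields listed above and flag a message that must not be used as a reference."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short NTP message: %d bytes" % len(pkt))
    (first, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    li, vn, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    return {
        "li": li, "vn": vn, "mode": mode, "mode_name": MODES[mode],
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay / 2**16,        # 16.16 fixed point, in seconds
        "root_dispersion": root_disp / 2**16,
        "ref_id": ref_id, "ref_ts": ref_ts, "orig_ts": orig_ts,
        "recv_ts": recv_ts, "xmit_ts": xmit_ts,
        # LI = 11 is the alarm condition and stratum 16 is an unsynchronized clock;
        # neither may serve as a reference source.
        "usable": li != 3 and 1 <= stratum <= 15,
    }


def offset_and_delay(t1, t2, t3, t4):
    """The two quantities from the overview, in seconds."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def client_exchange():
    """Replay the overview: Device 1 at 10:00:00, Device 2 at 11:00:00, 1 s transit each way."""
    day = datetime(2005, 9, 19, tzinfo=timezone.utc)       # constructed date
    t1 = to_ntp_ts(day + timedelta(hours=10))              # request leaves Device 1
    t2 = to_ntp_ts(day + timedelta(hours=11, seconds=1))   # request arrives at Device 2
    t3 = to_ntp_ts(day + timedelta(hours=11, seconds=2))   # reply leaves Device 2
    t4 = to_ntp_ts(day + timedelta(hours=10, seconds=3))   # reply arrives at Device 1
    # Mode 3 request from a not-yet-synchronized client (stratum 16), Transmit Timestamp = T1.
    request = build_header(0, 3, 3, 16, 6, -18, b"\0\0\0\0", 0, 0, 0, t1)
    # Mode 4 reply from a stratum 2 server: Originate = T1 echoed back, Receive = T2, Transmit = T3.
    reply = build_header(0, 3, 4, 2, 6, -18, b"LOCL", t2, t1, t2, t3)
    req, rep = parse_header(request), parse_header(reply)
    # A reply whose Originate Timestamp does not echo our Transmit Timestamp is not an
    # answer to our request; it is discarded, as is a reply from an unusable clock.
    if rep["orig_ts"] != req["xmit_ts"] or not rep["usable"]:
        raise ValueError("reply rejected")
    offset, delay = offset_and_delay(from_ntp_ts(rep["orig_ts"]), from_ntp_ts(rep["recv_ts"]),
                                     from_ntp_ts(rep["xmit_ts"]), from_ntp_ts(t4))
    return rep, offset, delay
```

client_exchange() returns the parsed reply together with Offset = 3600 s (1 hour) and Delay = 2 s, matching the figures in the overview.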

Operation Modes of NTP

A network device can get its clock synchronized in one of the following two ways:

■ Synchronized to the local clock, which acts as the reference source.

■ Synchronized to another device on the network in any of the four NTP operation modes described in this section.

After the 3Com Switch 4500G has been synchronized, it can work in symmetric peers mode, broadcast server mode and multicast mode.

Devices running NTP can implement clock synchronization in one of the following modes:

Server/client mode

When working in the server/client mode, a client sends a clock synchronization message to servers, with the Mode field in the message set to 3 (client mode). Upon receiving the message, the servers automatically work in the server mode and send a reply, with the Mode field in the messages set to 4 (server mode). Upon receiving the replies from the servers, the client performs clock filtering and selection, and synchronizes its local clock to that of the optimal reference source.

In this mode, a client can be synchronized to a server, but not vice versa.

Symmetric peers mode

A device working in the symmetric active mode periodically sends clock synchronization messages, with the Mode field in the message set to 1 (symmetric active); the device that receives this message automatically enters the symmetric passive mode and sends a reply, with the Mode field in the message set to 2 (symmetric passive). By exchanging messages, the symmetric peers mode is established between the two devices. Then, the two devices can synchronize, or be synchronized by, each other. If the clocks of both devices have been already synchronized, the device whose local clock has a lower stratum level will synchronize the clock of the other device.

Broadcast mode

In the broadcast mode, a server periodically sends clock synchronization messages to the broadcast address 255.255.255.255, with the Mode field in the messages set to 5 (broadcast mode). Clients listen to the broadcast messages from servers. After a client receives the first broadcast message, the client and the server start to exchange messages, with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the network delay between the client and the server. Then, the client enters the broadcast client mode, continues listening to broadcast messages, and synchronizes its local clock based on the received broadcast messages.


Multicast mode

In the multicast mode, a server periodically sends clock synchronization messages to the user-configured multicast address or, if no multicast address is configured, to the default NTP multicast address 224.0.1.1, with the Mode field in the messages set to 5 (multicast mode). Clients listen to the multicast messages from servers. After a client receives the first multicast message, the client and the server start to exchange messages, with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the network delay between the client and the server. Then, the client enters the multicast client mode, continues listening to multicast messages, and synchronizes its local clock based on the received multicast messages.

Configuring the Operation Modes of NTP

Devices can implement clock synchronization in one of the following modes:

■ Server/client mode

■ Symmetric mode

■ Broadcast mode

■ Multicast mode

For the server/client mode or symmetric mode, you need to configure only clients or symmetric-active peers; for the broadcast or multicast mode, you need to configure both servers and clients.

A single device can have a maximum of 128 connections at the same time, including static connections and dynamic connections. A static connection refers to a connection that a user has manually created by using an NTP command, while a dynamic connection is a temporary connection created by the system during operation. A dynamic connection will be removed if the system fails to receive messages from it for a specific period of time. In the server/client mode, for example, when you carry out a command to synchronize the time to a server, the system will create a static connection, and the server will just respond passively upon receipt of a message, rather than creating a connection (static or dynamic). In the broadcast or multicast mode, static connections will be created at the server side, and dynamic connections will be created at the client side.

Configuring NTP Server/Client Mode

For devices working in the server/client mode, you only need to make configurations on the clients, and not on the servers.

Follow these steps to configure an NTP client:

Table 345 Configuring NTP Server/Client Mode

Enter system view
    Command: system-view
    Remarks: —
Specify an NTP server for the device
    Command: ntp-service unicast-server { ip-address | server-name } [ version number | authentication-keyid keyid | source-interface interface-type interface-number | priority ] *
    Remarks: Required

■ In the ntp-service unicast-server command, ip-address must be a host address, rather than a broadcast address, a multicast address or the IP address of the local clock.

■ A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's clock, the client will not synchronize its clock to the server's.

■ You can configure multiple servers by repeating the ntp-service unicast-server command. The clients will choose the optimal reference source.

Configuring the NTP Symmetric Mode

For devices working in the symmetric mode, you only need to make configurations on the symmetric-active device, and not on symmetric-passive devices.

Follow these steps to configure a symmetric-active device:

Table 346 Configuring the NTP Symmetric Mode

Enter system view
    Command: system-view
    Remarks: —
Specify a symmetric-passive peer for the device
    Command: ntp-service unicast-peer { ip-address | peer-name } [ version number | authentication-keyid keyid | source-interface interface-type interface-number | priority ] *
    Remarks: Required

■ In the ntp-service unicast-peer command, ip-address must be a host address, rather than a broadcast address, a multicast address or the IP address of the local clock.

■ Typically, at least one of the symmetric-active and symmetric-passive peers has been synchronized; otherwise the clock synchronization will not proceed.

■ You can configure multiple symmetric-passive peers by repeating the ntp-service unicast-peer command.

Configuring NTP Broadcast Mode

For devices working in the broadcast mode, you need to configure both the server and clients. The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. Because an interface needs to be specified on the broadcast server for sending NTP broadcast messages and an interface also needs to be specified on each broadcast client for receiving broadcast messages, the NTP broadcast mode can be configured only in the specific interface view.

Configuring a broadcast client

Follow these steps to configure an NTP broadcast client:

Table 347 Configuring a broadcast client

Enter system view
    Command: system-view
    Remarks: —
Enter interface view
    Command: interface interface-type interface-number
    Remarks: Required. Enter the interface used to receive NTP broadcast messages.
Configure the device to work in the NTP broadcast client mode
    Command: ntp-service broadcast-client
    Remarks: Required

Configuring the broadcast server

Follow these steps to configure the NTP broadcast server:

Table 348 Configuring the broadcast server

Enter system view
    Command: system-view
    Remarks: —
Enter interface view
    Command: interface interface-type interface-number
    Remarks: Required. Enter the interface used to send NTP broadcast messages.
Configure the device to work in the NTP broadcast server mode
    Command: ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
    Remarks: Required

A broadcast server can synchronize broadcast clients only after its clock has been synchronized.

Configuring NTP Multicast Mode

For devices working in the multicast mode, you need to configure both the server and clients. The multicast server periodically sends NTP multicast messages to multicast clients. The NTP multicast mode must be configured in the specific interface view. You can configure a maximum of 1,024 multicast clients, among which 128 can take effect at the same time.

Configuring a multicast client

Follow these steps to configure an NTP multicast client:

Table 349 Configuring a multicast client

Enter system view
    Command: system-view
    Remarks: —
Enter interface view
    Command: interface interface-type interface-number
    Remarks: Required. Enter the interface used to receive NTP multicast messages.
Configure the device to work in the NTP multicast client mode
    Command: ntp-service multicast-client [ ip-address ]
    Remarks: Required

Configuring the multicast server

Follow these steps to configure the NTP multicast server:

Table 350 Configuring the multicast server

Enter system view
    Command: system-view
    Remarks: —
Enter interface view
    Command: interface interface-type interface-number
    Remarks: Required. Enter the interface used to send NTP multicast messages.
Configure the device to work in the NTP multicast server mode
    Command: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
    Remarks: Required

A multicast server can synchronize multicast clients only after its clock has been synchronized.

Configuring Optional Parameters of NTP

Configuring the Interface to Send NTP Messages

Follow these steps to configure the interface used to send NTP messages:

Table 351 Configuring the Interface to Send NTP Messages

Enter system view
    Command: system-view
    Remarks: —
Configure the interface used to send NTP messages
    Command: ntp-service source-interface interface-type interface-number
    Remarks: Required

CAUTION: If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages.

Disabling an Interface from Receiving NTP Messages

Follow these steps to disable an interface from receiving NTP messages:

Table 352 Disabling an Interface from Receiving NTP Messages

Enter system view
    Command: system-view
    Remarks: —
Enter interface view
    Command: interface interface-type interface-number
Disable the interface from receiving NTP messages
    Command: ntp-service in-interface disable
    Remarks: Required. An interface is enabled to receive NTP messages by default.

Configuring the Allowable Maximum Number of Dynamic Sessions

Follow these steps to configure the allowable maximum number of dynamic sessions:

Table 353 Configuring the Allowable Maximum Number of Dynamic Sessions

Enter system view
    Command: system-view
    Remarks: —
Configure the allowable maximum number of dynamic sessions
    Command: ntp-service max-dynamic-sessions number
    Remarks: Required. 100 by default.


Configuring Access-Control Rights

With the following command, you can configure the NTP service access-control right to the local device. There are four access-control rights, as follows:

■ query: control query permitted. This level of right permits the peer device to perform control query to the NTP service on the local device but does not permit the peer device to synchronize its clock to the local device. The so-called “control query” refers to query of some states of the NTP service, including alarm information, authentication status, clock source information, and so on.

■ synchronization: server access only. This level of right permits the peer device to synchronize its clock to the local device but does not permit the peer device to perform control query.

■ server: server access and query permitted. This level of right permits the peer device to perform synchronization and control query to the local device but does not permit the local device to synchronize its clock to the peer device.

■ peer: full access. This level of right permits the peer device to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to the peer device.

From the highest NTP service access-control right to the lowest, the rights are peer, server, synchronization, and query. When a device receives an NTP request, it performs an access-control right match and uses the first matched right.

Configuration Prerequisites

Prior to configuring the NTP service access-control right to the local device, you need to create and configure an ACL associated with the access-control right.

Configuration Procedure

Follow these steps to configure the NTP service access-control right to the local device:

Table 354 Configure the NTP Service Access-control

Enter system view
    Command: system-view
    Remarks: —
Configure the NTP service access-control right to the local device
    Command: ntp-service access { query | synchronization | server | peer } acl-number
    Remarks: Required. peer by default.

The access-control right mechanism provides only a minimum degree of security protection for the system running NTP. A more secure method is identity authentication.


Configuring NTP Authentication

The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication.

Configuration Prerequisites

Configuring NTP authentication involves configuration tasks to be implemented on the client and on the server.

When configuring the NTP authentication feature, pay attention to the following principles:

■ In the server/client mode, if the NTP authentication feature has not been enabled for the client, the client can synchronize with the server regardless of whether the NTP authentication feature has been enabled for the server.

■ For all synchronization modes, when you enable the NTP authentication feature, you should configure an authentication key and specify it as a trusted key. Namely, the ntp-service authentication enable command must work together with the ntp-service authentication-keyid command and the ntp-service reliable authentication-keyid command.

■ For all synchronization modes, the server side and the client side must be consistently configured.

■ If the NTP authentication is enabled on a client, the client can be synchronized only to a server that can provide a trusted authentication key.

Configuration Procedure

Configuring NTP Authentication for a Client

Follow these steps to configure NTP authentication for a client:

Table 355 Configuring NTP Authentication for a Client

Enter system view
    Command: system-view
    Remarks: —
Enable NTP authentication
    Command: ntp-service authentication enable
    Remarks: Required. Disabled by default.
Configure an NTP authentication key
    Command: ntp-service authentication-keyid keyid authentication-mode md5 value
    Remarks: Required. No NTP authentication key by default.
Configure the key as a trusted key
    Command: ntp-service reliable authentication-keyid keyid
    Remarks: Required. No authentication key is configured to be trusted by default.
Associate the specified key with an NTP server
    Command (server/client mode): ntp-service unicast-server { ip-address | server-name } authentication-keyid keyid
    Command (symmetric peers mode): ntp-service unicast-peer { ip-address | peer-name } authentication-keyid keyid
    Remarks: Required


■ After you enable the NTP authentication feature for the client, make sure that you configure for the client an authentication key that is the same as on the server and specify that key as trusted; otherwise, the client cannot be synchronized to the server. For the server/client mode or symmetric mode, you need to associate the specified authentication key on the client (symmetric-active peer if in the symmetric peers mode) with the corresponding NTP server (symmetric-passive peer if in the symmetric peers mode). In these two modes, multiple servers may have been specified on a client, so the authentication key will be used to determine the server to which the client is to be synchronized.

■ For the broadcast server mode or multicast server mode, you need to associate the specified authentication key on the broadcast server or multicast server with the corresponding NTP server.

Configuring NTP Authentication for a Server

Follow these steps to configure NTP authentication for a server:

The procedure of configuring NTP authentication on a server is the same as that on a client, and the same authentication key must be configured on both the server and client sides.

Table 356 Configuring NTP Authentication for a Server

Enter system view
    Command: system-view
    Remarks: —
Enable NTP authentication
    Command: ntp-service authentication enable
    Remarks: Required. Disabled by default.
Configure an NTP authentication key
    Command: ntp-service authentication-keyid keyid authentication-mode md5 value
    Remarks: Required. No NTP authentication key by default.
Configure the key as a trusted key
    Command: ntp-service reliable authentication-keyid keyid
    Remarks: Required. No authentication key is configured to be trusted by default.
Enter interface view
    Command: interface interface-type interface-number
Associate the specified key with an NTP server
    Command (broadcast server mode): ntp-service broadcast-server authentication-keyid keyid
    Command (multicast server mode): ntp-service multicast-server authentication-keyid keyid
    Remarks: Required


Displaying and Maintaining NTP

Table 357 Displaying and Maintaining NTP

View the information of NTP service status
    Command: display ntp-service status
View the information of NTP sessions
    Command: display ntp-service sessions [ verbose ]
View the brief information of the NTP servers from the local device back to the primary reference source
    Command: display ntp-service trace

NTP Configuration Examples

The 3Com Switch 4500G cannot configure the local clock as a reference source for other devices.

Configuring NTP Server/Client Mode

Network requirements

The local clock of Device 1 is to be used as a reference source, with the stratum level of 2. Device 1 is to be used as the NTP server of Device 2, with Device 2 as the client.

Network diagram

Figure 137 Network diagram for NTP server/client mode configuration

[Figure 137: Device1 (VLAN-interface2, 1.0.1.11/24) connected to Device2 (VLAN-interface2, 1.0.1.12/24).]

Configuration procedure

1 Configuration on Device 1:

Specify the local clock as the reference source, with the stratum level of 2.

2 Configuration on Device 2:

a View the NTP status of Device 2 before clock synchronization.

<Device2> display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequence: 100.0000 Hz
Actual frequence: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)


b Specify Device 1 as the NTP server of Device 2 so that Device 2 is synchronized to Device 1.

<Device2> system-view
System View: return to User View with Ctrl+Z.
[Device2] ntp-service unicast-server 1.0.1.11

c View the NTP status of Device 2 after clock synchronization.

[Device2] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequence: 100.0000 Hz
Actual frequence: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)

As shown above, Device 2 has been synchronized to Device 1, and the clock stratum level of Device 2 is 3, while that of Device 1 is 2.

d View the NTP session information of Device 2, which shows that an association has been set up between Device 2 and Device 1.

[Device2] display ntp-service sessions
source reference stra reach poll now offset delay disper
************************************************************************
[12345] 1.0.1.11 127.127.1.0 2 63 64 3 -75.5 31.0 16.5
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1

Configuring the NTP Symmetric Mode

Network requirements

The local clock of Device 3 is to be configured as a reference source, with the stratum level of 2. Device 3 is to be used as the NTP server of Device 4, with Device 4 as the client. At the same time, Device 4 will act as a peer of Device 5, with Device 5 in the symmetric-active mode and Device 4 in the symmetric-passive mode.

Network diagram

Figure 138 Network diagram for NTP symmetric peers mode configuration

[Figure 138: Device3 (VLAN-interface2, 3.0.1.31/24), Device4 (VLAN-interface2, 3.0.1.32/24) and Device5 (VLAN-interface2, 3.0.1.33/24).]


Configuration procedure

1 Configuration on Device 3:

Specify the local clock as the reference source, with the stratum level of 2.

2 Configuration on Device 4:

Specify Device 3 as the NTP server of Device 4.

<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service unicast-server 3.0.1.31

3 Configuration on Device 5 (after Device 4 is synchronized to Device 3):

Specify the local clock as the reference source, with the stratum level of 1.

4 Configure Device 4 as a symmetric peer after local synchronization.

[Device5] ntp-service unicast-peer 3.0.1.32

In the step above, Device 4 and Device 5 are configured as symmetric peers, with Device 5 in the symmetric-active mode and Device 4 in the symmetric-passive mode. Because the stratum level of Device 5 is 1 while that of Device 4 is 3, Device 4 is synchronized to Device 5.

5 View the NTP status of Device 4 after clock synchronization.

[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 2
Reference clock ID: 3.0.1.33
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: -21.1982 ms
Root delay: 15.00 ms
Root dispersion: 775.15 ms
Peer dispersion: 34.29 ms
Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)

As shown above, Device 4 has been synchronized to Device 5, and the clock stratum level of Device 4 is 2, while that of Device 5 is 1.

6 View the NTP session information of Device 4, which shows that an association has been set up between Device 4 and Device 5.

[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset    delay   disper
**************************************************************************
[245]   3.0.1.31        127.127.1.0     2      15     64     24    10535.0   19.6    14.5
[12345] 3.0.1.33        LOCL            1      14     64     27    -77.0     16.0    14.8
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :  2


Configuring NTP Broadcast Mode

Network requirements

Device 3’s local clock is to be used as a reference source, with the stratum level of 2, and Device 3 sends out broadcast messages from VLAN interface 2. Device 4 and Device 1 receive broadcast messages through their respective VLAN interface 2.

Network diagram

Figure 139 Network diagram for NTP broadcast mode configuration

Configuration procedure

1 Configuration on Device 3:

a Specify the local clock as the reference source, with the stratum level of 2.

b Configure Device 3 to work in the broadcast server mode and send broadcast messages through VLAN interface 2.

[Device3] interface Vlan-interface 2
[Device3-Vlan-interface2] ntp-service broadcast-server

2 Configuration on Device 4:

Configure Device 4 to work in the broadcast client mode and receive broadcast messages on VLAN interface 2.

<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service broadcast-client

3 Configuration on Device 1:

a Configure Device 1 to work in the broadcast client mode and receive broadcast messages on VLAN interface 2.

<Device1> system-view
System View: return to User View with Ctrl+Z.
[Device1] interface vlan-interface 2
[Device1-Vlan-interface2] ntp-service broadcast-client

Because Device 1 and Device 3 are on different subnets, Device 1 cannot receive the broadcast messages from Device 3. Device 4 gets synchronized upon receiving a broadcast message from Device 3.

(Figure 139 shows Device 3 at 3.0.1.31/24 and Device 4 at 3.0.1.32/24 on one subnet, and Device 1 at 1.0.1.11/24 on a different subnet behind Device 0; all use VLAN-interface 2.)


b View the NTP status of Device 4 after clock synchronization.

[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

As shown above, Device 4 has been synchronized to Device 3, and the clock stratum level of Device 4 is 3, while that of Device 3 is 2.

c View the NTP session information of Device 4, which shows that an association has been set up between Device 4 and Device 3.

[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
**************************************************************************
[1234]  3.0.1.31        127.127.1.0     2      254    64     62    -16.0    32.0    16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :  1

Configuring NTP Multicast Mode

Network requirements

Device 3’s local clock is to be used as a reference source, with the stratum level of 2, and Device 3 sends out multicast messages from VLAN interface 2. Device 4 and Device 1 receive multicast messages through their respective VLAN interface 2.

Network diagram

Figure 140 Network diagram for NTP multicast mode configuration

(Figure 140 shows Device 3 at 3.0.1.31/24 and Device 4 at 3.0.1.32/24 on one subnet, and Device 1 at 1.0.1.11/24 on a different subnet behind Device 0; all use VLAN-interface 2.)


Configuration procedure

1 Configuration on Device 3:

a Specify the local clock as the reference source, with the stratum level of 2.

b Set Device 3 to work in the multicast server mode and send multicast messages through VLAN interface 2.

<Device3> system-view
System View: return to User View with Ctrl+Z.
[Device3] interface Vlan-interface 2
[Device3-Vlan-interface2] ntp-service multicast-server

2 Configuration on Device 4:

a Set Device 4 to work in the multicast client mode and receive multicast messages on VLAN interface 2.

<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service multicast-client

Because Device 4 and Device 3 are on the same subnet, Device 4 can receive the multicast messages from Device 3 without being IGMP-enabled and can be synchronized to Device 3.

b View the NTP status of Device 4 after clock synchronization.

[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

As shown above, Device 4 has been synchronized to Device 3, and the clock stratum level of Device 4 is 3, while that of Device 3 is 2.

c View the NTP session information of Device 4, which shows that an association has been set up between Device 4 and Device 3.

[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
**************************************************************************
[1234]  3.0.1.31        127.127.1.0     2      254    64     62    -16.0    31.0    16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :  1


3 Configuration on Device 0:

Because Device 1 and Device 3 are on different subnets, you must enable IGMP on Device 1 and Device 0 before Device 1 can receive multicast messages from Device 3.

Enable IP multicast routing and IGMP.

<Device0> system-view
System View: return to User View with Ctrl+Z.
[Device0] multicast routing-enable
[Device0] interface vlan-interface 2
[Device0-Vlan-interface2] pim dm
[Device0-Vlan-interface2] quit
[Device0] interface vlan-interface 3
[Device0-Vlan-interface3] pim dm
[Device0-Vlan-interface3] igmp enable

4 Configuration on Device 1:

a Enable IP multicast routing and IGMP.

<Device1> system-view
System View: return to User View with Ctrl+Z.
[Device1] multicast routing-enable
[Device1] interface vlan-interface 2
[Device1-Vlan-interface2] igmp enable
[Device1-Vlan-interface2] igmp static-group 224.0.1.1

b Configure Device 1 to work in the multicast client mode and receive multicast messages on VLAN interface 2.

[Device1-Vlan-interface2] ntp-service multicast-client

c View the NTP status of Device 1 after clock synchronization.

[Device1-Vlan-interface2] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 40.00 ms
Root dispersion: 10.83 ms
Peer dispersion: 34.30 ms
Reference time: 16:02:49.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

As shown above, Device 1 has been synchronized to Device 3, and the clock stratum level of Device 1 is 3, while that of Device 3 is 2.

d View the NTP session information of Device 1, which shows that an association has been set up between Device 1 and Device 3.

[Device1-Vlan-interface2] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
**************************************************************************
[1234]  3.0.1.31        127.127.1.0     2      255    64     26    -16.0    40.0    16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :  1

Refer to the “Multicast Protocol” volume for how to configure IGMP.


Configuring NTP Server/Client Mode with Authentication

Network requirements

The local clock of Device 1 is to be configured as a reference source, with the stratum level of 2. Device 1 is to be used as the NTP server of Device 2, with Device 2 as the client. NTP authentication is to be enabled for Device 1 and Device 2 at the same time.

Network diagram

Figure 141 Network diagram for configuration of NTP server/client mode with authentication

Configuration procedure

1 Configuration on Device 1:

Specify the local clock as the reference source, with the stratum level of 2.

2 Configuration on Device 2:

<Device2> system-view
System View: return to User View with Ctrl+Z.

a Enable NTP authentication on Device 2.

[Device2] ntp-service authentication enable

b Set an authentication key.

[Device2] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

c Specify the key as a trusted key.

[Device2] ntp-service reliable authentication-keyid 42

d Specify Device 1 as the NTP server.

[Device2] ntp-service unicast-server 1.0.1.11 authentication-keyid 42

Before Device 2 can synchronize its clock to that of Device 1, you need to enable NTP authentication for Device 1.

Perform the following configuration on Device 1:

e Enable NTP authentication.

[Device1] ntp-service authentication enable

f Set an authentication key.

[Device1] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

g Specify the key as a trusted key.

[Device1] ntp-service reliable authentication-keyid 42

(Figure 141 shows Device 1 at 1.0.1.11/24 and Device 2 at 1.0.1.12/24 connected through their VLAN-interface 2.)


h View the NTP status of Device 2 after clock synchronization.

[Device2] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequence: 100.0000 Hz
Actual frequence: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)

As shown above, Device 2 has been synchronized to Device 1, and the clock stratum level of Device 2 is 3, while that of Device 1 is 2.

i View the NTP session information of Device 2, which shows that an association has been set up between Device 2 and Device 1.

[Device2] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
**************************************************************************
[12345] 1.0.1.11        127.127.1.0     2      63     64     3     -75.5    31.0    16.5
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :  1
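The three commands used above (authentication enable, authentication-keyid ... md5, reliable authentication-keyid) correspond to three separate receiver-side checks. The Python below is an added illustration, not code from this guide or from the switch, of what those checks do to an arriving packet: NTP's symmetric-key MAC is the 4-byte key id followed by MD5 computed over the shared key and the 48-byte header (RFC 5905, Appendix A). Key 42 with the secret aNiceKey is taken from the configuration above; key 43, the packet contents and the helper names are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed key table mirroring the page's commands:
#   ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
#   ntp-service reliable authentication-keyid 42
# Key 43 is an assumption: configured on the device but NOT declared reliable.
KEYS = {42: b"aNiceKey", 43: b"anotherKey"}
TRUSTED_KEYIDS = {42}

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key id + MD5 digest


def build_ntp_header(stratum: int, transmit_ts: int = 0) -> bytes:
    """Constructed 48-byte NTPv3 header: LI=0, VN=3, mode=3 (client)."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    poll, precision = 6, -18          # 2^-18 s, cf. "Clock precision: 2^18" above
    root_delay = root_dispersion = 0
    ref_id = b"LOCL"
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, ref_id, 0, 0, 0, transmit_ts)


def ntp_mac(keyid: int, header: bytes) -> bytes:
    """Symmetric-key MAC (RFC 5905 Appendix A): key id || MD5(shared key || header)."""
    return struct.pack("!I", keyid) + hashlib.md5(KEYS[keyid] + header).digest()


def sign_packet(header: bytes, keyid: int) -> bytes:
    """What a sender appends when a key id is given on unicast-server / unicast-peer."""
    return header + ntp_mac(keyid, header)


def verify_packet(datagram: bytes) -> str:
    """Receiver-side check with authentication enabled; returns "ok" or the reason for rejection."""
    if len(datagram) == NTP_HEADER_LEN:
        return "reject: unauthenticated packet"
    if len(datagram) != NTP_HEADER_LEN + MAC_LEN:
        return "reject: malformed MAC"
    header, mac = datagram[:NTP_HEADER_LEN], datagram[NTP_HEADER_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in KEYS:
        return "reject: unknown key id %d" % keyid
    if keyid not in TRUSTED_KEYIDS:
        # The check that "ntp-service reliable authentication-keyid" switches on:
        # a key that is configured but not trusted must not authenticate a peer.
        return "reject: key id %d is not a trusted key" % keyid
    expected = hashlib.md5(KEYS[keyid] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "reject: bad digest"
    return "ok"


if __name__ == "__main__":
    hdr = build_ntp_header(stratum=3)
    print(verify_packet(sign_packet(hdr, 42)))   # signed with the trusted key
    print(verify_packet(sign_packet(hdr, 43)))   # signed with a configured but untrusted key
    print(verify_packet(hdr))                    # no MAC at all
```

Two things the example makes visible: the digest is only as secret as the shared key, so the key string in the configuration has to be treated like a password, and the "reliable" (trusted) list is a separate gate from the key table, which is why both commands appear on every device in the procedure above.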

Configuring the NTP Symmetric Mode with Authentication

Network requirements

The local clock of Device 3 is to be configured as a reference source, with the stratum level of 2. Device 3 is to be used as the NTP server of Device 4, with Device 4 as the client. At the same time, Device 4 will act as a peer of Device 5, with Device 5 in the symmetric-active mode and Device 4 in the symmetric-passive mode, and NTP authentication enabled on every peer.

Network diagram

Figure 142 Network diagram for NTP symmetric peers mode configuration with authentication

(Figure 142 shows Device 3 at 3.0.1.31/24, Device 4 at 3.0.1.32/24 and Device 5 at 3.0.1.33/24, each attached through its VLAN-interface 2.)


Configuration procedure

1 Configuration on Device 3:

a Specify the local clock as the reference source, with the stratum level of 2.

b Configure NTP authentication.

<Device3> system-view
System View: return to User View with Ctrl+Z.

c Enable NTP authentication on Device 3.

[Device3] ntp-service authentication enable

d Set an authentication key.

[Device3] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

e Specify the key as a trusted key.

[Device3] ntp-service reliable authentication-keyid 42

2 Configuration on Device 4:

a Specify Device 3 as the NTP server of Device 4.

<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service unicast-server 3.0.1.31 authentication-keyid 42

b Enable NTP authentication and set an authentication key.

[Device4] ntp-service authentication enable
[Device4] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

c Specify the key as a trusted key.

[Device4] ntp-service reliable authentication-keyid 42

3 Configuration on Device 5 (after Device 4 is synchronized to Device 3):

a Specify the local clock as the reference source, with the stratum level of 1.

b Configure Device 4 as a symmetric peer after local synchronization.

[Device5] ntp-service unicast-peer 3.0.1.32 authentication-keyid 42

c Enable NTP authentication and set an authentication key.

<Device5> system-view
System View: return to User View with Ctrl+Z.
[Device5] ntp-service authentication enable
[Device5] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

d Specify the key as a trusted key.

[Device5] ntp-service reliable authentication-keyid 42

In the step above, Device 4 and Device 5 are configured as symmetric peers, with Device 5 in the symmetric-active mode and Device 4 in the symmetric-passive mode. Because the stratum level of Device 5 is 1 while that of Device 4 is 3, Device 4 is synchronized to Device 5.


e View the NTP status of Device 4 after clock synchronization.

[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 2
Reference clock ID: 3.0.1.33
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: -21.1982 ms
Root delay: 15.00 ms
Root dispersion: 775.15 ms
Peer dispersion: 34.29 ms
Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)

As shown above, Device 4 has been synchronized to Device 5, and the clock stratum level of Device 4 is 2, while that of Device 5 is 1.

f View the NTP session information of Device 4, which shows that an association has been set up between Device 4 and Device 5.

[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset    delay   disper
**************************************************************************
[245]   3.0.1.31        127.127.1.0     2      15     64     24    10535.0   19.6    14.5
[12345] 3.0.1.33        LOCL            1      14     64     27    -77.0     16.0    14.8
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :  2

Configuring NTP Broadcast Mode with Authentication

Network requirements

Device 3’s local clock is to be used as a reference source, with the stratum level of 2, and Device 3 sends out broadcast messages from VLAN interface 3. Device 4 is to work as a broadcast client and receive the broadcast messages through VLAN interface 2, with NTP authentication enabled on both the server and the client.

Network diagram

Figure 143 Network diagram for configuration of NTP broadcast mode with authentication

(Figure 143 shows Device 3 at 3.0.1.31/24 and Device 4 at 3.0.1.32/24 on one subnet, and Device 1 at 1.0.1.11/24 on a different subnet behind Device 0; all use VLAN-interface 2.)


Configuration procedure

1 Configuration on Device 3:

a Specify the local clock as the reference source, with the stratum level of 3.

b Configure NTP authentication.

[Device3] ntp-service authentication enable
[Device3] ntp-service authentication-keyid 88 authentication-mode md5 123456
[Device3] ntp-service reliable authentication-keyid 88

c Specify Device 3 as an NTP broadcast server, and specify an authentication key.

[Device3] interface vlan-interface 2
[Device3-Vlan-interface2] ntp-service broadcast-server authentication-keyid 88

2 Configuration on Device 4:

a Configure NTP authentication.

<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service authentication enable
[Device4] ntp-service authentication-keyid 88 authentication-mode md5 123456
[Device4] ntp-service reliable authentication-keyid 88

b Configure Device 4 to work in the NTP broadcast client mode.

[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service broadcast-client

Now, Device 4 can receive broadcast messages through VLAN interface 2, and Device 3 can send broadcast messages through VLAN interface 2. Upon receiving a broadcast message from Device 3, Device 4 synchronizes its clock to that of Device 3.

c View the NTP status of Device 4 after clock synchronization.

[Device4] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

As shown above, Device 4 has been synchronized to Device 3, and the clock stratum level of Device 4 is 4, while that of Device 3 is 1.

d View the NTP session information of Device 4, which shows that an association has been set up between Device 4 and Device 3.

[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
**************************************************************************
[1234]  3.0.1.31        127.127.1.0     3      254    64     62    -16.0    32.0    16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations :  1


54 DNS CONFIGURATION

When configuring DNS, go to these sections for information you are interested in:

■ DNS Overview

■ Configuring Static Domain Name Resolution

■ Configuring Dynamic Domain Name Resolution

■ Displaying and Maintaining DNS

■ Troubleshooting DNS Configuration

DNS Overview

Domain name system (DNS) is a mechanism used for TCP/IP applications such as Telnet to convert Internet addresses in mnemonic form into the equivalent numeric IP addresses.

There are two types of DNS services, static and dynamic. Each time the DNS Server receives a name query, it checks its static database before using dynamic domain name resolution. Placing frequently used addresses in the static database shortens the search of the dynamic database and so improves efficiency.

Static Domain Name Resolution

Static domain name resolution uses manually configured mappings between names and IP addresses. Applications look up the IP address of a name in the static domain name resolution database.

Dynamic Domain Name Resolution

Resolving procedure

The 3Com router resolves domain names dynamically as follows. The relationships of the user program, DNS Client and DNS Server are shown in Figure 144.

1 A user program sends a name query to the resolver in the DNS Client.

2 The DNS resolver looks up its cache for a match. If one is found, it sends the corresponding IP address back. If not, it sends a query to the DNS Server.

3 The DNS Server looks up its database for a match. If no match is found, it sends a query to its parent DNS Server. If the parent DNS Server does not have the information, it sends the query to yet another server. This process continues until a result is found, either a success or a failure.

4 The DNS Client performs the next operation according to the result.


Figure 144 Dynamic domain name resolution

The resolver and cache comprise the DNS Client. The user program can run on the same machine as the DNS Client, while the DNS Server and the DNS Client must run on different machines.

Dynamic domain name resolution allows the DNS Client to store the latest mappings between names and IP addresses in the dynamic domain name cache, so there is no need to send a request to the DNS Server for the same mapping next time. Aged mappings are removed from the cache after some time, and fresh entries are then requested from the DNS Server. The DNS Server decides how long a mapping is valid, and the DNS Client takes that lifetime from the DNS messages.

DNS suffixes

The DNS Client normally holds a list of suffixes, which the user can define. The list is used when the name to be resolved is not complete: the resolver supplies the missing part. For example, a user can configure com as the suffix for aabbcc.com and then only needs to type aabbcc to get the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS Server.

■ If there is no dot in the domain name, such as “aabbcc“, the resolver will consider this as a host name and add the suffix before processing. The original name such as aabbcc is used if all DNS lookups fail.

■ If there is a dot in the domain name, such as “www.aabbcc“, the resolver will use this domain name to do DNS lookup first before adding any suffix.

■ If the dot is at the end of the domain name, such as “aabbcc.com.”, the resolver will consider this as a fully qualified domain name and return the result whether it is a success or a failure. Hence, the dot (.) is called the terminating symbol.

Currently, the Switch 4500G supports static and dynamic domain name services on the DNS Client.

(Figure 144 shows the user program sending a request to the resolver in the DNS Client, the resolver saving to and reading from its cache, and the DNS Client exchanging request and response with the DNS Server.)


Configuring Static Domain Name Resolution

Follow these steps to configure static domain name resolution:

If the host name already has a mapping, the IP address you assign last overwrites the earlier one.

You may create up to 50 entries for the domain name resolution.

Configuring Dynamic Domain Name Resolution

Configuration Procedure

Follow these steps to configure dynamic domain name resolution:

You may configure up to 6 DNS Servers and 10 DNS suffixes.

DNS Configuration Example

Network requirements

As shown in Figure 145, a router is used as a DNS Client with dynamic domain name resolution to access host 1, whose IP address is 1.1.1.2/16. The DNS Server has IP address 2.1.1.2/16. The DNS suffixes are com and net.

Network diagram

Figure 145 Network diagram for dynamic domain name resolution

Table 358 Configuring Static Domain Name Resolution

To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Create a hostname to IP address mapping entry
Use the command…: ip host hostname ip-address
Remarks: Required. No IP address is assigned to the host name by default.

Table 359 Configuring Dynamic Domain Name Resolution

To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Enable dynamic domain name resolution
Use the command…: dns resolve
Remarks: Required. Disabled by default.

To do…: Configure an IP address for the DNS Server
Use the command…: dns server ip-address
Remarks: Required. No IP address is assigned by default.

To do…: Configure DNS suffixes
Use the command…: dns domain domain-name
Remarks: Optional. No DNS suffix by default.

(Figure 145 shows the DNS Client with interfaces 2.1.1.1/16 and 1.1.1.1/16 between the DNS Server at 2.1.1.2/16 and host1 at 1.1.1.2/16.)


Configuration procedure

Before doing the following configuration, make sure the route between the router and host 1 is reachable, and configurations are done on both devices. The IP address of each interface is shown on Figure 145. Make sure the DNS Server works well and has a mapping between host 1 and IP address 1.1.1.2/16.

1 Enable dynamic domain name resolution.

[3Com] dns resolve

2 Configure 2.1.1.2 as the IP address of the DNS Server.

[3Com] dns server 2.1.1.2

3 Configure net as a DNS suffix.

[3Com] dns domain net

4 Configure com as a DNS suffix.

[3Com] dns domain com

Ping host 1 to verify the configuration; the name should resolve to 1.1.1.2.

Displaying and Maintaining DNS

Troubleshooting DNS Configuration

Symptom: After enabling dynamic domain name resolution, the user cannot get the IP address, or the IP address is incorrect.

Solution:

■ Use the display dns dynamic-host command to check that the specified domain name is in the cache.

■ If the domain name is not in the cache, check that dynamic domain name resolution is enabled and that the DNS Client can communicate with the DNS Server.

■ If the specified domain name is in the cache but the IP address is wrong, make sure the DNS Client has the correct IP address of the DNS Server.

■ Check that the mapping list on the DNS Server is correct.

Table 360 Displaying and Maintaining DNS

To do…: Display the static DNS list
Use the command…: display ip host
Remarks: Available in any view

To do…: Display the DNS Server information
Use the command…: display dns server [ dynamic ]
Remarks: Available in any view

To do…: Display the DNS suffixes
Use the command…: display dns domain [ dynamic ]
Remarks: Available in any view

To do…: Display the caching information of dynamic domain name resolution
Use the command…: display dns dynamic-host
Remarks: Available in any view

To do…: Reset the caching memory of dynamic domain name resolution
Use the command…: reset dns dynamic-host
Remarks: Available in user view


55 INFORMATION CENTER

Information Center Overview

Introduction to Information Center

Acting as the system information hub, information center classifies and manages system information. Together with the debugging functionality, information center offers a powerful support to the network administrators and developers in monitoring network performance and diagnosing network problems.

System Information Format

System information has the following format:

<priority>timestamp sysname module/level/digest:content

The closing set of angle brackets, the space, the forward slash, and the colon are all required in the above format.

Below is the format of log information to be output to a log host:

<188>Sep 28 15:33:46:235 2005 3Com SHELL/5/LOGIN: Console login from con0

What follows is a detailed explanation of the fields involved:

Priority

The priority is calculated using the following formula: facility*8+severity-1, in which facility is local7 by default and the range of severity is 1 to 8. Table 361 details the value and meaning associated with each severity.

Note that there is no space between the priority and timestamp fields and that the priority only takes effect when the information has been sent to the log host.

Timestamp

Timestamp records the time when the system information is generated, to allow users to check and identify system events.

Note that there is a space between the timestamp and sysname (host name) fields.

Sysname

Sysname is the system name of the current host. Users can use the sysname command to modify the sysname.

Note that there is a space between the sysname and module fields.

Module

The module field represents the name of the module that generates system information.


Note that there is a forward slash between the module and level (severity) fields.

Level (Severity)

System information falls into three categories: log information, debug information, and trap information. Each kind of information can be further divided into eight levels based on its severity, as detailed in Table 361. Note that the smaller the severity value, the higher the severity.

Information filtering by severity works this way: information with severity value greater than the configured threshold will not be output during the filtering.

■ If the threshold is set to 1, only information with the severity being emergencies will be output;

■ If the threshold is set to 8, information of all severities will be output.

Note that there is a forward slash between the level (severity) and digest fields.

Digest

The digest field is a string of up to 32 characters, outlining the system information.

Note that there is a colon between the digest and content fields.

Content

This field provides the content of the system information.
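A log host that receives these lines has to split them on exactly the separators listed above and can recover the facility and severity from the priority by inverting the formula. The Python below is an added example, not code from the guide or from the switch, that does both over a handful of lines: the first sample line is the one printed above, the other three are constructed (the module name DEV and the digests are made up), and the facility numbering follows the standard syslog assignment in which local7 is 23, which is why the page's example carries <188> for a severity-5 message. It also applies the severity threshold filter described under Level (Severity) and flags lines whose priority disagrees with their level field, which a collector would want to treat as mangled or untrustworthy.

```python
import re

# Syslog facility numbering (RFC 3164): local0..local7 are 16..23, so the
# page's default facility local7 is 23 and <188> = 23*8 + 5 - 1.
FACILITY_NAMES = {16 + i: "local%d" % i for i in range(8)}
SEVERITY_NAMES = {1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
                  5: "warnings", 6: "notifications", 7: "informational",
                  8: "debugging"}

# <priority>timestamp sysname module/level/digest:content
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                         # no space after '>'
    r"(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<sysname>\S+) "
    r"(?P<module>[^/ ]+)/(?P<level>[1-8])/(?P<digest>[^:]{1,32}):"  # digest: up to 32 chars
    r"(?P<content>.*)$")

# First line is the page's own sample; the other three are constructed.
SAMPLE_LOG = [
    "<188>Sep 28 15:33:46:235 2005 3Com SHELL/5/LOGIN: Console login from con0",
    "<190>Sep 28 15:34:02:017 2005 3Com SHELL/7/CMD: task:co0 user:admin command:display current-configuration",
    "<185>Sep 28 15:35:11:444 2005 3Com DEV/2/BOARD STATE CHANGE: board in slot 1 reported faulty",
    "<188>Sep 28 15:36:00:000 2005 3Com SHELL/7/CMD: priority field does not match the level field",
]


def priority(facility, severity):
    """The page's formula: facility*8 + severity - 1."""
    return facility * 8 + severity - 1


def parse_line(line):
    """Split one information-center line into its fields and decode the priority.
    Returns None when the line does not follow the documented format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["pri"] = pri
    rec["facility"] = pri // 8            # inverse of priority(): facility*8 fits in the high bits
    rec["severity"] = pri % 8 + 1         # ... and severity-1 in the low three bits
    rec["level"] = int(rec["level"])
    rec["content"] = rec["content"].strip()
    # A well-formed line carries the same severity in <pri> and in the level field.
    rec["consistent"] = rec["severity"] == rec["level"]
    return rec


def filter_by_threshold(lines, threshold):
    """Digests of the lines the information center would output at this threshold:
    severity value <= threshold (1 = emergencies only, 8 = everything)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["level"] <= threshold:
            out.append(rec["digest"])
    return out


def inconsistent_lines(lines):
    """Indices of lines whose <pri> disagrees with the level field."""
    bad = []
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is not None and not rec["consistent"]:
            bad.append(i)
    return bad


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(FACILITY_NAMES[rec["facility"]], SEVERITY_NAMES[rec["severity"]],
              rec["module"], rec["digest"], "consistent" if rec["consistent"] else "MISMATCH")
    print("threshold 5:", filter_by_threshold(SAMPLE_LOG, 5))
    print("mismatched:", inconsistent_lines(SAMPLE_LOG))
```

The parser is deliberately strict about the separators the text calls required; a line that a log host cannot split this way is better rejected and counted than guessed at, since the severity drives the filtering downstream.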

Configuring Information Center

Information center has the following characteristics:

■ Supports information output to the console, the monitor, the log host, the trap buffer, the log buffer, and the SNMP agent. A default channel is allocated to each individual output direction, as illustrated in Table 362.

■ System information is classified into eight categories according to severity and filtered by severity;

■ System information is categorized and filtered by source module;

■ The output information can be in English or Chinese.

Table 361 Severity Description

Severity | Severity Value | Description
emergencies | 1 | The most emergent errors
alerts | 2 | Errors that demand prompt correction
critical | 3 | Critical errors
errors | 4 | Errors that are not critical but demand attention
warnings | 5 | Warnings that suggest possible errors
notifications | 6 | Normal errors with important prompts
informational | 7 | Normal prompts
debugging | 8 | Debugging prompts


Configurations for the seven output directions function independently and take effect only after the information center has been enabled.

Configuring to Output System Information to the Console

Table 362 Information channels for different output directions

Output direction | Information channel No. | Default channel name
Console | 0 | console
Monitor terminal | 1 | monitor
Log host | 2 | loghost
Trap buffer | 3 | trapbuffer
Log buffer | 4 | logbuffer
SNMP NMS | 5 | snmpagent

Note: NMS = Network Management Station

Table 363 Configure to output system information to the console

To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Enable information center
Use the command…: info-center enable
Remarks: Optional. Enabled by default.

To do…: Name the channel with a specified channel number
Use the command…: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 362 for default channel names.

To do…: Configure the channel through which system information can be output to the console
Use the command…: info-center console channel { channel-number | channel-name }
Remarks: Optional. System information is output to the console by default, with channel 0 as the default channel.

To do…: Configure the source of the output information
Use the command…: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do…: Configure the format of the time stamp
Use the command…: info-center timestamp { log | trap | debugging } { boot | date | none }
Remarks: Optional. By default, the time stamp for log and trap information is date, whereas that for debug information is boot.


Enabling the display of system information on the console

After configuring to output system information to the console, you need to enable the associated display function in order to display the output information on the console.

Perform the following configurations in user view:

Table 364 Enable the display of system information on the console

To do: Enable the monitoring of system information on the console
Command: terminal monitor
Remarks: Optional. Enabled by default.

To do: Enable the display of debug information on the console
Command: terminal debugging
Remarks: Optional. Disabled by default.

To do: Enable the display of log information on the console
Command: terminal logging
Remarks: Optional. Enabled by default.

To do: Enable the display of trap information on the console
Command: terminal trapping
Remarks: Optional. Enabled by default.

Configuring to Output System Information to a Monitor Terminal

System information can also be output to a monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface.

Configuring to output system information to a monitor terminal

Table 365 Configure to output system information to a monitor terminal

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 362 for default channel names.

To do: Configure the channel through which system information can be output to a monitor terminal
Command: info-center monitor channel { channel-number | channel-name }
Remarks: Optional. System information is output to the monitor terminal by default, with channel 1 as the default channel.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure the format of the time stamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }
Remarks: Optional. By default, the time stamp for log and trap information is date, whereas that for debug information is boot.


Enabling the display of system information on a monitor terminal

After configuring to output system information to a monitor terminal, you need to enable the associated display function in order to display the output information on the monitor terminal.

Table 366 Enable the display of system information on a monitor terminal

To do: Enable the monitoring of system information on a monitor terminal
Command: terminal monitor
Remarks: Required. Disabled by default.

To do: Enable the display of debug information on a monitor terminal
Command: terminal debugging
Remarks: Optional. Disabled by default.

To do: Enable the display of log information on a monitor terminal
Command: terminal logging
Remarks: Optional. Enabled by default.

To do: Enable the display of trap information on a monitor terminal
Command: terminal trapping
Remarks: Optional. Enabled by default.

Configuring to Output System Information to a Log Host

Table 367 Configure to output system information to a log host

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 362 for default channel names.

To do: Specify a log host and configure the channel through which system information can be output to the log host
Command: info-center loghost host-ip [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ]*
Remarks: Required. Disabled by default, with channel 2 as the default channel when enabled.

To do: Configure the source interface through which log information can be output to a log host
Command: info-center loghost source interface-type interface-number
Remarks: Required. No source interface is configured by default.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure the time stamp format for system information output to a log host (one of three options: include the year, exclude the year, or provide no time stamp)
Command: info-center timestamp loghost { date | no-year-date | none }
Remarks: Optional. The year information is included by default.


Configuring to Output System Information to the Trap Buffer

Table 368 Configure to output system information to the trap buffer

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 362 for default channel names.

To do: Configure the channel through which system information can be output to the trap buffer and specify the buffer size
Command: info-center trapbuffer [ size buffersize | channel { channel-number | channel-name } ]*
Remarks: Optional. System information is output to the trap buffer by default, with channel 3 (known as trapbuffer) as the default channel and a default buffer size of 256.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure the format of the time stamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }
Remarks: Optional. By default, the time stamp for log and trap information is date, whereas that for debug information is boot.

Configuring to Output System Information to the Log Buffer

Table 369 Configure to output system information to the log buffer

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 362 for default channel names.

To do: Configure the channel through which system information can be output to the log buffer and specify the buffer size
Command: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]*
Remarks: Optional. System information is output to the log buffer by default, with channel 4 (known as logbuffer) as the default channel and a default buffer size of 512.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure the format of the time stamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }
Remarks: Optional. By default, the time stamp for log and trap information is date, whereas that for debug information is boot.

Configuring to Output System Information to the SNMP NMS

Table 370 Configure to output system information to the SNMP NMS

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable information center
Command: info-center enable
Remarks: Optional. Enabled by default.

To do: Name the channel with a specified channel number
Command: info-center channel channel-number name channel-name
Remarks: Optional. Refer to Table 362 for default channel names.

To do: Configure the channel through which system information can be output to the SNMP NMS
Command: info-center snmp channel { channel-number | channel-name }
Remarks: Optional. System information is output to the SNMP NMS by default, with channel 5 (known as snmpagent) as the default channel.

To do: Configure the source of the output information
Command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
Remarks: Required

To do: Configure the format of the time stamp
Command: info-center timestamp { log | trap | debugging } { boot | date | none }
Remarks: Optional. By default, the time stamp for log and trap information is date, whereas that for debug information is boot.


To ensure that system information can be output to the SNMP NMS, you need to make the necessary configurations on the SNMP agent and the NMS. For detailed information on SNMP&RMON, refer to SNMP Configuration.

Configuring Synchronous Information Output

Synchronous information output is a feature whereby, if the user's input is interrupted by system output such as log, trap, or debug information, the system redisplays the command line prompt (a prompt in command editing mode, or a [Y/N] string in interaction mode) together with the user's input so far once the system output completes.

This feature is intended for scenarios in which the user's input is interrupted by a large amount of system output. With this feature enabled, the user can continue their operations from where they were stopped.

■ If the user has input nothing following the current command line prompt, the system does not display a command line prompt after the system information output.

■ In interaction mode, the user is prompted for some input. If that input is interrupted by system output, no system prompt is displayed; only the user's input so far is displayed on a new line.

Table 371 Configuring Synchronous Information Output

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable synchronous information output
Command: info-center synchronous
Remarks: Required. Disabled by default.

Displaying and Maintaining Information Center

Table 372 Display and maintain information center

To do: Display channel information for a specified channel
Command: display channel [ channel-number | channel-name ]
Remarks: Available in any view

To do: Display the configurations for all information channels except channels 6 to 8
Command: display info-center
Remarks: Available in any view

To do: Display the state of the log buffer and the log information recorded
Command: display logbuffer [ level severity | size buffersize ]* [ | { begin | exclude | include } text ]
Remarks: Available in any view

To do: Display a summary of the log buffer
Command: display logbuffer summary [ level severity ]
Remarks: Available in any view

To do: Display the state of the trap buffer and the trap information recorded
Command: display trapbuffer [ size buffersize ]
Remarks: Available in any view

To do: Reset the log buffer
Command: reset logbuffer
Remarks: Available in user view

To do: Reset the trap buffer
Command: reset trapbuffer
Remarks: Available in user view


Information Center Configuration Example

Configuration Example 1 – Outputting Log Information to a Unix Log Host

Network requirements

■ Send log information to a Unix log host;

■ The log host has an IP address of 1.2.0.1/16;

■ Log information with severity higher than informational will be output to the log host;

■ The log information is in English and the source modules are ARP and CMD.

Network diagram

Figure 146 Network diagram for outputting log information to a Unix log host

Configuration Procedure

1 Configuring the device

a Enable information center.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
% Information center is enabled

b Specify the channel to output log information to the log host (loghost by default, optional).

[3Com] info-center loghost 1.2.0.1 channel loghost

c Disable the output of log, trap, and debug information of all modules to the log host.

[3Com] info-center source default channel loghost debug state off log state off trap state off

CAUTION: As the default system configurations for different channels vary, ensure that the outputting of log, trap, and debug information for the specified channel (loghost in this example) of all modules is disabled before the system information can be output to meet the current network requirements.

Use the display channel command to display the state of a channel.

Figure 146 diagram labels: Switch (1.1.0.1/16) connected through the network to the PC log host (1.2.0.1/16).


d Set the host with an IP address of 1.2.0.1/16 to be the log host, set the severity to informational, the output language to English, and the source modules to ARP and CMD.

[3Com] info-center loghost 1.2.0.1 facility local4 language english
[3Com] info-center source arp channel loghost log level informational
[3Com] info-center source cmd channel loghost log level informational

2 Configuring the log host

The following configurations were made on SunOS 4.0 which has similar configurations to the Unix operating systems implemented by other vendors.

a Issue the following commands as the root user.

# mkdir /var/log/3Com
# touch /var/log/3Com/information

b Edit the file /etc/syslog.conf as a root user and add the following selector/action pair.

# 3Com configuration messages
local4.info	/var/log/3Com/information

Be aware of the following issues while editing the /etc/syslog.conf file:

■ Comments must be on a separate line and must begin with the # sign.

■ The selector/action pair must be separated with a tab key, rather than a space.

■ No redundant spaces are allowed in the file name.

■ The facility name and the accepted severity of log information specified in the /etc/syslog.conf file must match those configured on the device with the info-center loghost host-ip [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ]* command; otherwise the log information may not be output properly to the log host.

c After the log file has been created and the configuration file /etc/syslog.conf has been modified, make sure that syslogd rereads the configuration file:

# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &

After the above configurations, the system will be able to keep log information in the related file.

Configuration Example 2 – Outputting Log Information to a Linux Log Host

Network requirements

■ Send log information to a Linux log host; the log host has an IP address of 1.2.0.1/16;

■ Log information with severity higher than informational will be output to the log host;

■ The log information is in English and all modules can output information.

Page 533: 3Com Switch 4500G Family Configuration Guide

Information Center Configuration Example 533

Network diagram

Figure 147 Network diagram for outputting log information to a Linux log host

Configuration Procedure

1 Configuring the device

a Enable information center.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
% Information center is enabled

b Specify the channel to output log information to the log host (optional, loghost by default).

[3Com] info-center loghost 1.2.0.1 channel loghost

c Disable the output of log, trap, and debug information of all modules to the log host.

[3Com] info-center source default channel loghost debug state off log state off trap state off

CAUTION: As the default system configurations for different channels vary, ensure that the output of log, trap, and debug information for the specified channel (loghost in this example) of all modules is disabled before the system information can be output to meet the current network requirements.

Use the display channel command to display the state of a channel.

d Set the host with an IP address of 1.2.0.1/16 to be the log host, set the severity to informational, the output language to English, and the source modules to be all modules.

[3Com] info-center loghost 1.2.0.1 facility local7 language english
[3Com] info-center source default channel loghost log level informational

2 Configuring the log host

a Issue the following commands as the root user.

# mkdir /var/log/3Com
# touch /var/log/3Com/information

b Edit the file /etc/syslog.conf as a root user and add the following selector/action pair.

# 3Com configuration messages
local7.info	/var/log/3Com/information

Figure 147 diagram labels: Switch (1.1.0.1/16) connected through the network to the PC log host (1.2.0.1/16).


Be aware of the following issues while editing the /etc/syslog.conf file:

■ Comments must be on a separate line and must begin with the # sign.

■ The selector/action pair must be separated with a tab key, rather than a space.

■ No redundant spaces are allowed in the file name.

■ The facility name and the accepted severity of the log information specified in the /etc/syslog.conf file must match those configured on the device with the info-center loghost host-ip [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ]* command; otherwise the log information may not be output properly to the log host.

c After the log file has been created and the /etc/syslog.conf file has been modified, issue the following commands to display the process ID of syslogd, terminate the syslogd process, and restart syslogd with the –r option.

# ps -ae | grep syslogd
147
# kill -9 147
# syslogd -r &

Ensure that the syslogd process is started with the –r option on a Linux log host.

After the above configurations, the system will be able to keep log information in the related file.
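The device side of Table 361 and the host side of Configuration Examples 1 and 2 together, as an added Python example (not 3Com code): which severities a log level threshold lets through, the syslog PRI the log host then sees, and a check of a /etc/syslog.conf line against the caveats listed above. It assumes the standard syslog numbering (facility local0..local7 as 16..23, PRI severity as the 3Com severity value minus one), which the page does not state.

```python
"""Severity/facility handshake between the switch's info-center and the Unix or
Linux log host: an added example, not 3Com code. It models Table 361 and the
'Be aware' caveats of Configuration Examples 1 and 2: which severities a
'log level' threshold lets through, what syslog PRI the log host receives, and
whether a /etc/syslog.conf selector line will accept those messages.

Assumptions not stated on the page: the switch puts (3Com severity value - 1)
into the syslog PRI severity field, so emergencies(1) -> 0 and debugging(8)
-> 7; facilities local0..local7 are numbered 16..23 as in RFC 3164.
"""
import re

# Table 361: severity name -> severity value (1 is the most severe)
SEVERITIES = {
    "emergencies": 1, "alerts": 2, "critical": 3, "errors": 4,
    "warnings": 5, "notifications": 6, "informational": 7, "debugging": 8,
}
# syslog.conf keywords for the same eight levels; list index == PRI severity
SYSLOG_KEYWORDS = ["emerg", "alert", "crit", "err",
                   "warning", "notice", "info", "debug"]
LOCAL_FACILITIES = {"local%d" % i: 16 + i for i in range(8)}


def passes_level(severity, level):
    """'log level informational' outputs emergencies through informational:
    a message passes when its value is <= the configured threshold value."""
    return SEVERITIES[severity] <= SEVERITIES[level]


def syslog_pri(facility, severity):
    """PRI = facility * 8 + syslog severity (assumed value - 1 mapping)."""
    return LOCAL_FACILITIES[facility] * 8 + SEVERITIES[severity] - 1


def parse_pri(datagram):
    """Return (facility name, syslog keyword) from a '<PRI>...' datagram."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if m is None:
        raise ValueError("datagram has no PRI field")
    fac, sev = divmod(int(m.group(1)), 8)
    names = {v: k for k, v in LOCAL_FACILITIES.items()}
    return names.get(fac, "facility%d" % fac), SYSLOG_KEYWORDS[sev]


def selector_accepts(selector, facility, keyword):
    """A selector such as 'local4.info' accepts its own facility and its own
    severity plus everything more severe ('*' matches anything)."""
    sel_fac, sel_sev = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    if sel_sev == "*":
        return True
    return SYSLOG_KEYWORDS.index(keyword) <= SYSLOG_KEYWORDS.index(sel_sev)


def check_syslog_conf_line(line, device_facility, device_level):
    """Apply the page's caveats to one /etc/syslog.conf line and return the
    problems found; an empty list means the line is consistent with the
    device's 'info-center loghost ... facility' and 'log level' settings."""
    problems = []
    text = line.rstrip("\n")
    if not text.strip() or text.lstrip().startswith("#"):
        return problems                       # blank line or comment line
    if "#" in text:
        problems.append("comments must be on a separate line")
    if "\t" not in text:
        problems.append("selector and action must be separated by a tab, not spaces")
        return problems
    selector, _, action = text.partition("\t")
    if action.strip() != action or " " in action.strip():
        problems.append("no redundant whitespace is allowed in the file name")
    if "." not in selector:
        problems.append("selector must have the form facility.severity")
        return problems
    sel_fac, sel_sev = selector.strip().split(".", 1)
    if sel_fac not in ("*", device_facility):
        problems.append("facility %s does not match device facility %s"
                        % (sel_fac, device_facility))
    if sel_sev != "*":
        if sel_sev not in SYSLOG_KEYWORDS:
            problems.append("unknown severity keyword %s" % sel_sev)
        else:
            # every severity the device lets through must also pass the selector
            dropped = [n for n, v in SEVERITIES.items()
                       if passes_level(n, device_level)
                       and v - 1 > SYSLOG_KEYWORDS.index(sel_sev)]
            if dropped:
                problems.append("selector severity %s drops %s messages the device sends"
                                % (sel_sev, "/".join(dropped)))
    return problems


if __name__ == "__main__":
    # Constructed samples for Example 1: facility local4, log level informational
    print(syslog_pri("local4", "informational"))                      # 166
    print(parse_pri("<166>Jan  1 00:00:00 3Com constructed sample"))  # ('local4', 'info')
    print(check_syslog_conf_line("local4.info /var/log/3Com/information",
                                 "local4", "informational"))
```

Feeding the check a line typed with spaces instead of a tab reproduces the silent-drop failure the caveats warn about, before syslogd is restarted.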

Configuration Example 3 – Outputting Log Information to the Console

Network requirements

■ Log information with a severity higher than informational will be output to the console;

■ The source modules are ARP and CMD.

Network diagram

Figure 148 Network diagram for sending log information to the console

Configuration Procedure

1 Enable information center.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
% Information center is enabled

2 Specify the channel to output log information to the console (optional, console by default).

[3Com] info-center console channel console

Figure 148 diagram labels: PC connected to the console port of the Switch.


3 Disable the output of log, trap, and debug information of all modules to the console.

[3Com] info-center source default channel console debug state off log state off trap state off

CAUTION: As the default system configurations for different channels vary, ensure that the output of log, trap, and debug information for the specified channel (console in this example) of all modules is disabled before the system information can be output to meet the current network requirements.

Use the display channel command to display the state of a channel.

4 Enable system information output for the ARP and CMD modules, with information severity ranging from emergencies to informational.

[3Com] info-center source ARP channel console log level informational
[3Com] info-center source cmd channel console log level informational
[3Com] quit

5 Enable the display of log information on a monitor terminal.

<3Com> terminal monitor
% Current terminal monitor is on
<3Com> terminal logging
% Current terminal logging is on


56 NQA CONFIGURATION

When configuring Network Quality Analyzer (NQA), go to these sections for information you are interested in:

■ NQA Overview

■ Configuring NQA Tests

■ Configuring Optional Parameters for NQA Tests

■ Displaying and Maintaining NQA

NQA Overview

This section covers these topics:

■ Introduction to NQA

■ NQA Server and NQA Client

■ NQA Test Operation

Introduction to NQA

Ping can use only the Internet Control Message Protocol (ICMP) to test the reachability of the destination host and the round-trip time of a packet to the destination. NQA is an enhanced Ping tool used for testing the performance of protocols running on networks. Besides the Ping functions, NQA can provide the following functions:

■ Detecting the availability and the response time of DHCP, FTP, HTTP, and SNMP services.

■ Testing the delay jitter of the network.

■ Verifying the availability of TCP, UDP, and DLSw packets.

Unlike Ping, NQA does not display the round-trip time or time-out of each packet on the console terminal in real time; you have to carry out the display nqa results command to view NQA test results. In addition, NQA lets you set parameters for various tests and start these tests through the network management system (NMS).

NQA Server and NQA Client

In most NQA test systems, you only need to configure an NQA client. However, when you perform a TCP, UDP, or jitter test, you also need to configure an NQA server. Figure 149 shows the relationship between an NQA client and an NQA server.

Figure 149 Relationship between NQA client and NQA server

Figure 149 diagram labels: Switch A (NQA client) and Switch B (NQA server) connected through an IP network.


The NQA server listens to test requests originated by the NQA client and makes a response to these requests. The NQA server can respond to requests originated by the NQA client only when the NQA server is enabled and the corresponding destination address and port number are configured on the server. The IP address and port number specified for a listening service on the server must be consistent with those on the client.

You can create multiple TCP or UDP listening services on the NQA server, with each listening service corresponding to a specified destination address and port number.

NQA Test Operation

NQA can test multiple protocols. A test group must be created for each type of NQA test. Each test group can be related to only one type of NQA test. Each test group has an administrator name and an operation tag. The administrator name and the operation tag uniquely identify a test group.

After you create a test group and enter test group view, you can configure related test parameters. Test parameters vary with the test type. For details, see the configuration procedure below.

For optional parameters common to different types of tests, refer to “Configuring Optional Parameters for NQA Tests” .

To perform an NQA test successfully, proceed as follows:

1 Enable the NQA client.

2 Create a test group and configure test parameters according to the test type.

3 Perform the NQA test through the related enable command.

4 View the test results through the related display or debugging command.

After you enable the NQA client, you can create multiple test groups to perform tests. In this way, you do not need to enable the NQA client repeatedly.

Configuring NQA Tests

■ You need to configure the NQA server only for jitter, TCP-Private, TCP-Public, UDP-Private, and UDP-Public tests.

■ It is recommended that you not use a well-known port for NQA jitter, UDP, or TCP tests. Otherwise, the NQA probe may fail or the service bound to that well-known port may become unavailable.

This section covers these topics:

■ Configuring the ICMP Test

■ Configuring the DHCP Test

■ Configuring the FTP Test

■ Configuring the HTTP Test

■ Configuring the Jitter Test

■ Configuring SNMP Query Test

■ Configuring the TCP Test


■ Configuring the UDP Test

■ Configuring the DLSw Test

Configuring the ICMP Test

The ICMP test is mainly used to test whether packets from an NQA client can reach a specified destination and test the round-trip time of packets.

Configuration procedure

Follow these steps to configure the ICMP test:

Table 373 Configuring the ICMP Test

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable the NQA client
Command: nqa-agent enable
Remarks: Required

To do: Create an NQA test group and enter test group view
Command: nqa admin-name operation-tag

To do: Set the test type to ICMP
Command: test-type icmp
Remarks: Optional. ICMP by default.

To do: Configure a destination address
Command: destination-ip ip-address
Remarks: Required. Equivalent to a destination address in the Ping command.

To do: Configure the size of test packets
Command: datasize size
Remarks: Optional. 56 bytes by default.

To do: Configure a string of fill characters of a test packet
Command: datafill text
Remarks: Optional. No string of fill characters by default.

To do: Configure the source interface of a test request packet
Command: source-interface interface-type interface-number
Remarks: Optional. If you want to send a test request packet from a specified outbound interface, you need to configure this interface; otherwise, the outbound interface is determined by routes. The interface in the command must be a VLAN interface. In addition, the interface must be up and directly connected with the destination; otherwise, the test will fail.

To do: Configure common optional parameters
Command: Refer to “Configuring Optional Parameters for NQA Tests”.
Remarks: Optional

To do: Enable the NQA test
Command: test-enable
Remarks: Required

To do: View the test results
Command: display nqa results [ admin-name operation-tag ]
Remarks: Required. You can carry out the command in any view.

Configuration example

1 Network requirements

Use the NQA ICMP function to test whether packets from the NQA client (SwitchA) can reach the specified destination (SwitchB) and test the round-trip time of packets.

■ SwitchA serves as the NQA client and the IP address is 10.1.1.1/16.

■ SwitchB serves as the object that is to be pinged from SwitchA and the IP address is 10.2.2.2/16.

2 Network diagram

Figure 150 Network diagram for the ICMP test

3 Configuration procedure

Perform the following configurations on SwitchA:

a Enable the NQA client, create an ICMP test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin icmp
[3Com-nqa-admin-icmp] test-type icmp
[3Com-nqa-admin-icmp] destination-ip 10.2.2.2

b Configure optional parameters.

[3Com-nqa-admin-icmp] count 10
[3Com-nqa-admin-icmp] timeout 5

c Enable the ICMP test.

[3Com-nqa-admin-icmp] test-enable

d View the test results.

[3Com-nqa-admin-icmp] display nqa results admin icmp

Configuring the DHCP Test

The DHCP test is mainly used to test the existence of a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client.

Configuration prerequisites

The specified source interface in the source-interface command must be up, that is to say, an IP address is configured for the source interface. The IP address can be configured manually or obtained dynamically.

Before the DHCP test, you need to perform some configurations on the DHCP server. For example, you need to enable the DHCP service and configure an address pool. If the NQA (DHCP) client and the DHCP server are in different network segments, you also need to configure DHCP relay. For detailed configurations, refer to DHCP Operation.

Figure 150 diagram labels: Switch A (NQA client, 10.1.1.1/16) and Switch B (10.2.2.2/16) connected through an IP network.


Configuration procedure

Follow these steps to configure the DHCP test:

Table 374 Configuring the DHCP Test

To do: Enter system view
Command: system-view
Remarks: —

To do: Enable the NQA client
Command: nqa-agent enable
Remarks: Required

To do: Create an NQA test group and enter test group view
Command: nqa admin-name operation-tag
Remarks: Required

To do: Set the test type to DHCP
Command: test-type dhcp
Remarks: Required

To do: Configure the source interface of a test request packet
Command: source-interface interface-type interface-number
Remarks: Required. The interface in the command must be a VLAN interface.

To do: Configure common optional parameters
Command: Refer to “Configuring Optional Parameters for NQA Tests”.
Remarks: Optional

To do: Enable the NQA test
Command: test-enable
Remarks: Required

To do: View the test results
Command: display nqa results [ admin-name operation-tag ]
Remarks: Required. You can carry out the command in any view.

Configuration example

1 Network requirements

Configure SwitchB as a DHCP server and use the NQA DHCP function to test the time necessary for SwitchA to obtain an IP address from SwitchB.

2 Network diagram

Figure 151 Network diagram for the DHCP test

3 Configuration procedure

Perform the following configurations on SwitchA:

a Enable the NQA client, create a DHCP test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin dhcp
[3Com-nqa-admin-dhcp] test-type dhcp
[3Com-nqa-admin-dhcp] source-interface Vlan-interface 3

b Enable the DHCP test.

[3Com-nqa-admin-dhcp] test-enable

c View the test results.

[3Com-nqa-admin-dhcp] display nqa results admin dhcp

Figure 151 diagram labels: Switch A (NQA client, 10.1.1.1/16, VLAN-interface 3) and Switch B (DHCP server, 10.2.2.2/16) connected through an IP network.


Configuring the FTP Test

The FTP test is mainly used to test the connection with a specified FTP server and the time necessary for the FTP client to transfer a file to the FTP server.

Configuration prerequisites

Before the FTP test, you need to perform some configurations on the FTP server. For example, you need to configure the username and password used to log in to the FTP server. For the FTP server configurations.

Configuration procedure

Follow these steps to configure the FTP test:

■ Transfer a small file in the FTP test. If the file is too large, the test may fail because of a time-out.

■ When you perform a put operation, a file named file-name with a fixed size and fixed contents is created on the FTP server; the uploaded file itself is not saved.

■ When you perform a get operation, the file obtained from the FTP server is not saved on the device either. If no file named file-name exists on the FTP server, the FTP test fails.

Table 375 Configuring the FTP Test

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to FTP | test-type ftp | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the ping command; here it is the IP address of the FTP server.
Configure the source IP address of a test request packet | source-ip ip-address | Required. The source IP address must be that of an interface on the device, and the interface must be up. Otherwise, the test will fail.
Configure the operation type | ftp-operation { get | put } | Optional. get by default.
Configure a login username | username name | Required
Configure a login password | password password | Required
Specify the file to be transferred between the FTP server and the FTP client | filename file-name | Required
Configure common optional parameters | Refer to "Configuring Optional Parameters for NQA Tests" | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.


Configuration example

1 Network requirements

Use the NQA FTP function to test the connection with a specified FTP server and the time necessary for the FTP client to upload a file to the FTP server. The login username is admin, the login password is nqa, and the file to be transferred to the FTP server is config.txt.

2 Network diagram

Figure 152 Network diagram for the FTP test

3 Configuration procedure

■ Perform the following configurations on SwitchA:

a Enable the NQA client, create an FTP test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin ftp
[3Com-nqa-admin-ftp] test-type ftp
[3Com-nqa-admin-ftp] destination-ip 10.2.2.2
[3Com-nqa-admin-ftp] source-ip 10.1.1.1
[3Com-nqa-admin-ftp] ftp-operation put
[3Com-nqa-admin-ftp] username admin
[3Com-nqa-admin-ftp] password nqa
[3Com-nqa-admin-ftp] filename config.txt

b Enable the FTP test.

[3Com-nqa-admin-ftp] test-enable

c View the test results.

[3Com-nqa-admin-ftp] display nqa results admin ftp

(Network diagram for the FTP test: SwitchA, NQA client, 10.1.1.1/16; IP network; SwitchB, FTP server, 10.2.2.2/16)


Configuring the HTTP Test

The HTTP test is mainly used to test the connection with a specified HTTP server and the time required to obtain data from the HTTP server.

Configuration procedure

Follow these steps to configure the HTTP test:

Table 376 Configuring the HTTP Test

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to HTTP | test-type http | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the ping command; here it is the IP address of the HTTP server.
Configure the HTTP operation type | http-operation { get | post } | Optional. get by default.
Configure an HTTP operation string | http-string string version | Required
Configure common optional parameters | Refer to "Configuring Optional Parameters for NQA Tests" | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.

Configuration example

1 Network requirements

Use the HTTP function to test the connection with a specified HTTP server and the time required to obtain data from the HTTP server.

2 Network diagram

Figure 153 Network diagram for the HTTP test

(Network diagram for the HTTP test: SwitchA, NQA client, 10.1.1.1/16; IP network; SwitchB, HTTP server, 10.2.2.2/16)

3 Configuration procedure

Perform the following configurations on SwitchA:

a Enable the NQA client, create an HTTP test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin http
[3Com-nqa-admin-http] test-type http
[3Com-nqa-admin-http] destination-ip 10.2.2.2
[3Com-nqa-admin-http] http-operation get
[3Com-nqa-admin-http] http-string /index.htm HTTP/1.0

b Enable the HTTP test.

[3Com-nqa-admin-http] test-enable

c View the test results.

[3Com-nqa-admin-http] display nqa results admin http

Configuring the Jitter Test

It is recommended that you not use a well-known port for the NQA jitter test. Otherwise, the NQA probe may fail, or the service bound to that port may become unavailable.

The jitter test collects statistics on the delay jitter of UDP packet transmission. Delay jitter is the difference between the interval at which two consecutive packets are received and the interval at which the same two packets were sent. During the test, the source port sends data packets to the destination port at regular intervals. The destination port affixes a time stamp to each packet it receives and sends the packet back to the source port. When the source port receives the packet, the delay jitter can be calculated.

To improve the accuracy of the statistics, send multiple test packets in a test. The more test packets are sent, the more accurate the statistics are, but the longer the test takes. You can shorten a jitter test by reducing the interval between test packets, but doing so increases the load on the network.

The statistics of a jitter test carry a considerable error, because there is a delay in both sending and receiving data packets.

A jitter test requires cooperation between the NQA server and the NQA client. You must configure the UDP listening function on the NQA server, and a destination address and destination port on the NQA client, and ensure that the destination address and port on the NQA client are the listening IP address and port configured on the NQA server.
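The jitter computation described above, as an added example that is not part of the original guide: it applies the chapter's definition of delay jitter to constructed client-side timestamps for one probe of jitter-packetnum packets sent jitter-interval ms apart, excludes packets whose echo misses the probe timeout, and summarises RTT and jitter extremes per probe (the field names and the "failed" rule are this example's assumptions).

```python
"""Delay-jitter statistics as this chapter defines them, computed from timestamps.

Added example, not 3Com code. In one probe the NQA client sends jitter-packetnum
packets jitter-interval ms apart and the NQA server (nqa-server udpecho) echoes
each one. For two consecutive echoed packets the delay jitter is
    (receive interval) - (send interval).
A packet whose echo does not arrive within the probe timeout counts as lost and is
excluded; the pair that straddles a lost packet is skipped. All timestamps below
are constructed sample values in milliseconds, taken on the client side.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    seq: int
    sent_ms: int
    received_ms: Optional[int]  # None when no echo came back at all


@dataclass
class ProbeStats:
    sent: int
    received: int
    lost: int
    failed: bool            # assumption of this example: no echo at all means the probe failed
    min_rtt_ms: float
    max_rtt_ms: float
    avg_rtt_ms: float
    max_positive_jitter_ms: float
    max_negative_jitter_ms: float
    avg_jitter_ms: float    # mean of the absolute jitter values


def make_probe(rtts_ms: List[Optional[int]], interval_ms: int = 20) -> List[Packet]:
    """Build one probe: packet i is sent at i * interval_ms (jitter-interval, 20 ms by
    default) and echoed after rtts_ms[i] ms; None means the echo never arrived.
    len(rtts_ms) plays the role of jitter-packetnum (10 by default)."""
    return [Packet(i, i * interval_ms, None if rtt is None else i * interval_ms + rtt)
            for i, rtt in enumerate(rtts_ms)]


def _echoed(p: Packet, timeout_ms: int) -> bool:
    """True when the echo arrived within the probe timeout (timeout, 3 s by default)."""
    return p.received_ms is not None and p.received_ms - p.sent_ms <= timeout_ms


def jitter_series(packets: List[Packet], timeout_ms: int = 3000) -> List[int]:
    """Jitter of every consecutive pair of packets that were both echoed in time."""
    values: List[int] = []
    prev: Optional[Packet] = None
    for p in sorted(packets, key=lambda x: x.seq):
        if not _echoed(p, timeout_ms):
            prev = None          # a lost packet breaks the pair chain
            continue
        if prev is not None:
            values.append((p.received_ms - prev.received_ms) - (p.sent_ms - prev.sent_ms))
        prev = p
    return values


def probe_stats(packets: List[Packet], timeout_ms: int = 3000) -> ProbeStats:
    """Summarise one probe: loss, RTT range and the jitter extremes."""
    rtts = [p.received_ms - p.sent_ms for p in packets if _echoed(p, timeout_ms)]
    jit = jitter_series(packets, timeout_ms)
    if not rtts:
        return ProbeStats(len(packets), 0, len(packets), True, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0)
    return ProbeStats(
        sent=len(packets), received=len(rtts), lost=len(packets) - len(rtts), failed=False,
        min_rtt_ms=min(rtts), max_rtt_ms=max(rtts), avg_rtt_ms=sum(rtts) / len(rtts),
        max_positive_jitter_ms=max((v for v in jit if v > 0), default=0),
        max_negative_jitter_ms=min((v for v in jit if v < 0), default=0),
        avg_jitter_ms=sum(abs(v) for v in jit) / len(jit) if jit else 0.0,
    )


# Constructed sample: 10 packets at the default 20 ms interval; packet 3 is lost and
# packet 7 comes back late (40 ms RTT), which shows up as a large jitter swing.
SAMPLE_RTTS_MS: List[Optional[int]] = [10, 12, 9, None, 15, 15, 11, 40, 10, 12]
SAMPLE_PROBE = make_probe(SAMPLE_RTTS_MS)

if __name__ == "__main__":
    print(jitter_series(SAMPLE_PROBE))  # [2, -3, 0, -4, 29, -30, 2]
    print(probe_stats(SAMPLE_PROBE))
```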


Configuration procedure

1 Configure the NQA server.

Follow these steps to configure the NQA server for a jitter test:

Table 377 Configuring the Jitter Test

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA server | nqa-server enable | Required. Disabled by default.
Configure the UDP listening function on the NQA server | nqa-server udpecho ip-address port-number | Required. The listening IP address and port number must be the same as the destination IP address and port configured on the NQA client.

2 Configure the NQA client.

Follow these steps to configure the NQA client for a jitter test:

Table 378 Configure the NQA Client

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to jitter | test-type jitter | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the ping command. The destination address is the listening IP address configured on the NQA server.
Configure a destination port | destination-port port-number | Required. The destination port is the listening port configured on the NQA server.
Configure the number of jitter test packets sent in a probe | jitter-packetnum number | Optional. 10 by default.
Configure the interval of sending jitter test packets | jitter-interval interval | Optional. 20 ms by default.
Configure common optional parameters | Refer to "Configuring Optional Parameters for NQA Tests" | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
View the recorded delay jitter of UDP packet transmission in the last NQA jitter test | display nqa jitter [ admin-name operation-tag ] | Optional. You can carry out the command in any view. The output of the display nqa results command contains all the information displayed by the display nqa jitter command.

The number of probes made in a jitter test depends on the count command, while the number of test packets sent in each probe depends on the jitter-packetnum command.

Configuration example

1 Network requirements

Use the NQA jitter function to test the delay jitter of packet transmission between the local port (SwitchA) and the specified destination port (SwitchB).

2 Network diagram

Figure 154 Network diagram for the jitter test

(Network diagram for the jitter test: SwitchA, NQA client, 10.1.1.1/16; IP network; SwitchB, NQA server, 10.2.2.2/16)

3 Configuration procedure

■ Configure SwitchB.

a Enable the NQA server and configure the listening IP address and port number.

<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server udpecho 10.2.2.2 9000

■ Configure SwitchA.

b Enable the NQA client, create a jitter test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin jitter
[3Com-nqa-admin-jitter] test-type jitter
[3Com-nqa-admin-jitter] destination-ip 10.2.2.2
[3Com-nqa-admin-jitter] destination-port 9000

c Enable the jitter test.

[3Com-nqa-admin-jitter] test-enable


d View the test results.

[3Com-nqa-admin-jitter] display nqa results admin jitter
[3Com-nqa-admin-jitter] display nqa jitter admin jitter

Configuring SNMP Query Test

The SNMP query test is mainly used to test the time the NQA client takes to send an SNMP query packet to the SNMP agent and then receive a response packet.

Configuration prerequisites

The SNMP agent function must be enabled on the device serving as an SNMP agent.

Configuration procedure

Follow these steps to configure the SNMP query test:

Table 379 Configuring SNMP Query Test

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to SNMP query | test-type snmpquery | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the ping command.
Configure common optional parameters | Refer to "Configuring Optional Parameters for NQA Tests" | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.

Configuration example

1 Network requirements

Use the NQA SNMP query function to test the time it takes SwitchA to send an SNMP query packet to SwitchB and receive a response packet.

2 Network diagram

Figure 155 Network diagram for the SNMP query test

(Network diagram for the SNMP query test: SwitchA, NQA client, 10.1.1.1/16; IP network; SwitchB, SNMP agent, 10.2.2.2/16)

3 Configuration procedure

Perform the following configurations on SwitchB, which serves as the SNMP agent:

a Enable the SNMP agent service and set the SNMP version to V2C, the read community to public, and the write community to private.

<3Com> system-view
[3Com] snmp-agent sys-info version v2c
[3Com] snmp-agent community read public
[3Com] snmp-agent community write private

■ SNMP must be enabled on the device specified by the destination address. Otherwise, no response packet will be received.

■ In this example, the configuration is based on SNMP V2C. If another SNMP version is enabled, the configuration may differ. For details, refer to SNMP & RMON Operation.

■ Perform the following configurations on SwitchA:

b Enable the NQA client, create an SNMP query test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin snmp
[3Com-nqa-admin-snmp] test-type snmpquery
[3Com-nqa-admin-snmp] destination-ip 10.2.2.2

c Enable the SNMP query test.

[3Com-nqa-admin-snmp] test-enable

d View the test results.

[3Com] display nqa results admin snmp

Configuring the TCP Test

It is recommended that you not use a well-known port for the NQA TCP test. Otherwise, the NQA probe may fail, or the service bound to that port may become unavailable.

The TCP test is mainly used to test the TCP connection between the client and the specified server and the setup time of the connection.

The TCP test includes the TCP-Public test and the TCP-Private test. The differences between them are as follows:

■ For the TCP-Public test, the connection setup request is always initiated to TCP port 7 of the destination address. No destination port needs to be configured on the client, but the server must be configured to listen on TCP port 7. Even if a port is configured on the client, it does not take effect.

■ For the TCP-Private test, the connection setup request is initiated to the specified port of the destination address.


Configuration procedure

1 Configure the NQA server.

Follow these steps to configure the NQA server for the TCP test:

Table 380 Configuring the TCP Test

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA server | nqa-server enable | Required. Disabled by default.
Configure the TCP listening function on the NQA server | nqa-server tcpconnect ip-address port-number | Required. The listening IP address and port number must be the same as the destination IP address and port on the NQA client. If the test type is TCP-Public, the port number must be set to 7.

2 Configure the NQA client.

Follow these steps to configure the NQA client for the TCP test:

Table 381 Configure the NQA Client

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to TCP | test-type { tcpprivate | tcppublic } | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the ping command. The destination address must be the same as the listening IP address on the NQA server.
Configure a destination port | destination-port port-number | If the test type is TCP-Public, no port needs to be configured. If the test type is TCP-Private, a port must be configured, and it must be the same as the listening port configured on the NQA server.
Configure common optional parameters | Refer to "Configuring Optional Parameters for NQA Tests" | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.


Configuration example

1 Network requirements

Use the NQA TCP-Private function to test the setup time for the TCP connection between the local port (SwitchA) and the specified destination port (SwitchB). The port number used is 9000.

2 Network diagram

Figure 156 Network diagram for the TCP-Private test

(Network diagram for the TCP-Private test: SwitchA, NQA client, 10.1.1.1/16; IP network; SwitchB, NQA server, 10.2.2.2/16)

3 Configuration procedure

■ Configure SwitchB.

a Enable the NQA server and configure the listening IP address and port number.

<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server tcpconnect 10.2.2.2 9000

■ Configure SwitchA.

b Enable the NQA client, create a TCP test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin tcpprivate
[3Com-nqa-admin-tcpprivate] test-type tcpprivate
[3Com-nqa-admin-tcpprivate] destination-ip 10.2.2.2
[3Com-nqa-admin-tcpprivate] destination-port 9000

c Enable the TCP test.

[3Com-nqa-admin-tcpprivate] test-enable

d View the test results.

[3Com] display nqa results admin tcpprivate


Configuring the UDP Test

It is recommended that you not use a well-known port for the NQA UDP test. Otherwise, the NQA probe may fail, or the service bound to that port may become unavailable.

The UDP test is mainly used to test the round-trip time of a UDP packet from the client to the specified server.

The UDP test includes the UDP-Public test and the UDP-Private test. The differences between them are as follows:

■ For the UDP-Public test, the request is always sent to UDP port 7 of the destination address. No port needs to be configured on the client, but the server must be configured to listen on UDP port 7. Even if a port is configured on the client, it does not take effect.

■ For the UDP-Private test, the request is sent to the specified port of the destination address.

Configuration procedure

1 Configure the NQA server.

Follow these steps to configure the NQA server for the UDP test:

Table 382 Configuring the UDP Test

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA server | nqa-server enable | Required. Disabled by default.
Configure the UDP listening function on the NQA server | nqa-server udpecho ip-address port-number | Required. The listening IP address and port number must be the same as the destination IP address and port on the NQA client. If the test type is UDP-Public, the port number must be set to 7.

2 Configure the NQA client.

Follow these steps to configure the NQA client for the UDP test:

Table 383 Configure the NQA Client

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to UDP | test-type { udpprivate | udppublic } | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the ping command. The destination address must be the listening IP address configured on the NQA server.
Configure a destination port | destination-port port-number | If the test type is UDP-Public, no port needs to be configured. If the test type is UDP-Private, a port must be configured, and it must be the listening port configured on the NQA server.
Configure the size of test packets | datasize size | Optional. 100 bytes by default.
Configure a string of fill characters of a test packet | datafill text | Optional. No string of fill characters by default.
Configure common optional parameters | Refer to "Configuring Optional Parameters for NQA Tests" | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.

Configuration example

1 Network requirements

Use the NQA UDP-Private function to test the setup time for the UDP connection between the local port (SwitchA) and the specified destination port (SwitchB). The port number used is 8000.

2 Network diagram

Figure 157 Network diagram for the UDP-Private test

(Network diagram for the UDP-Private test: SwitchA, NQA client, 10.1.1.1/16; IP network; SwitchB, NQA server, 10.2.2.2/16)

3 Configuration procedure

■ Configure SwitchB.

a Enable the NQA server and configure the listening IP address and port number.

<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server udpecho 10.2.2.2 8000

■ Configure SwitchA.

b Enable the NQA client, create a UDP test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin udpprivate
[3Com-nqa-admin-udpprivate] test-type udpprivate
[3Com-nqa-admin-udpprivate] destination-ip 10.2.2.2
[3Com-nqa-admin-udpprivate] destination-port 8000

c Enable the UDP test.

[3Com-nqa-admin-udpprivate] test-enable

d View the test results.

[3Com] display nqa results admin udpprivate
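A consistency check for the server/client pairing that the jitter, TCP and UDP sections above require, as an added example that is not part of the original guide: it parses constructed CLI text in the guide's own format (prompts included), encodes the port-7 rule for the public variants, the matching-port rule for the private variants and the jitter test, and the well-known-port caveat, and reports what would make a test fail before test-enable is issued. The finding texts, the 0-1023 reading of "known port", and the parser are this example's assumptions.

```python
"""Consistency check between an NQA client test group and the NQA server it targets.

Added example, not 3Com code. It applies the rules this chapter states for the jitter,
TCP and UDP tests: TCP-Public/UDP-Public always probe port 7 and ignore a client
destination-port, so the server must listen on port 7; the private variants and the
jitter test need a destination-port equal to the server's listening port; destination-ip
must be the listening address; and nqa-server enable must be present on the server.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# test type -> listener kind the server needs ('nqa-server tcpconnect' or 'nqa-server udpecho')
PUBLIC_TYPES = {"tcppublic": "tcpconnect", "udppublic": "udpecho"}
PRIVATE_TYPES = {"tcpprivate": "tcpconnect", "udpprivate": "udpecho", "jitter": "udpecho"}
ECHO_PORT = 7
WELL_KNOWN_MAX = 1023  # assumption: the chapter's "known port" means a well-known port (0-1023)
FIELDS = {"test-type": "test_type", "destination-ip": "destination_ip", "destination-port": "destination_port"}

@dataclass
class TestGroup:
    admin_name: str
    operation_tag: str
    test_type: Optional[str] = None
    destination_ip: Optional[str] = None
    destination_port: Optional[int] = None

def strip_prompt(line: str) -> str:
    """Drop the '<3Com>' or '[3Com-...]' prompt the guide shows before each command."""
    close = {"<": ">", "[": "]"}.get(line.strip()[:1])
    return line.strip().split(close, 1)[1].strip() if close else line.strip()

def parse_server(lines: List[str]) -> Tuple[bool, Set[Tuple[str, str, int]]]:
    """Return (nqa-server enabled?, {(kind, ip, port)}) from server-side CLI lines."""
    enabled, listeners = False, set()
    for raw in lines:
        parts = strip_prompt(raw).split()
        if parts[:2] == ["nqa-server", "enable"]:
            enabled = True
        elif len(parts) == 4 and parts[0] == "nqa-server" and parts[1] in ("tcpconnect", "udpecho"):
            listeners.add((parts[1], parts[2], int(parts[3])))
    return enabled, listeners

def parse_client(lines: List[str]) -> List[TestGroup]:
    """Collect test groups ('nqa admin-name operation-tag') and the parameters set in each view."""
    groups: List[TestGroup] = []
    for raw in lines:
        parts = strip_prompt(raw).split()
        if len(parts) == 3 and parts[0] == "nqa":
            groups.append(TestGroup(parts[1], parts[2]))
        elif groups and len(parts) == 2 and parts[0] in FIELDS:
            value = int(parts[1]) if parts[0] == "destination-port" else parts[1]
            setattr(groups[-1], FIELDS[parts[0]], value)
    return groups

def check_group(group: TestGroup, server_enabled: bool, listeners) -> List[str]:
    """Return findings for one group; an empty list means client and server agree."""
    t = group.test_type
    if t not in PUBLIC_TYPES and t not in PRIVATE_TYPES:
        return []  # icmp, http, ftp, ... do not use an NQA server listener
    findings: List[str] = []
    if not server_enabled:
        findings.append("server: nqa-server enable is missing")
    if t in PUBLIC_TYPES:
        kind, port = PUBLIC_TYPES[t], ECHO_PORT
        if group.destination_port not in (None, ECHO_PORT):
            findings.append(f"{t}: destination-port {group.destination_port} is ignored; port 7 is always used")
    else:
        kind, port = PRIVATE_TYPES[t], group.destination_port
        if port is None:
            return findings + [f"{t}: destination-port is required and must match the server listening port"]
        if port <= WELL_KNOWN_MAX:
            findings.append(f"{t}: port {port} is a well-known port; the probe may fail or disrupt that service")
    if group.destination_ip is None:
        return findings + [f"{t}: destination-ip is required"]
    if (kind, group.destination_ip, port) not in listeners:
        findings.append(f"{t}: server has no 'nqa-server {kind} {group.destination_ip} {port}' listener")
    return findings

# Constructed input: SwitchB as in the chapter's UDP-Private example, and a client holding
# that example's group plus a TCP-Public group that breaks the port-7 rules.
SERVER_CONFIG = """
[3Com] nqa-server enable
[3Com] nqa-server udpecho 10.2.2.2 8000
""".strip().splitlines()

CLIENT_CONFIG = """
[3Com] nqa-agent enable
[3Com] nqa admin udpprivate
[3Com-nqa-admin-udpprivate] test-type udpprivate
[3Com-nqa-admin-udpprivate] destination-ip 10.2.2.2
[3Com-nqa-admin-udpprivate] destination-port 8000
[3Com] nqa admin tcppublic
[3Com-nqa-admin-tcppublic] test-type tcppublic
[3Com-nqa-admin-tcppublic] destination-ip 10.2.2.2
[3Com-nqa-admin-tcppublic] destination-port 9000
""".strip().splitlines()

def run_check(server_lines=SERVER_CONFIG, client_lines=CLIENT_CONFIG):
    """Map each operation-tag to its findings; meant to run before test-enable on the client."""
    enabled, listeners = parse_server(server_lines)
    return {g.operation_tag: check_group(g, enabled, listeners) for g in parse_client(client_lines)}
```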

Configuring the DLSw Test

The DLSw test is mainly used to test the response time of the DLSw device.

Configuration prerequisites

Before the DLSw test, it must be possible to set up a TCP connection between the NQA client and the specified device, and the DLSw function must be enabled on that device.

Configuration procedure

Follow these steps to configure the DLSw test:

Table 384 Configuring the DLSw Test

To... | Use the command... | Remarks
Enter system view | system-view | —
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to DLSw | test-type dlsw | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the ping command.
Configure common optional parameters | Refer to "Configuring Optional Parameters for NQA Tests" | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.


Configuration example

1 Network requirements

Use the NQA DLSw function to test the response time of the DLSw device.

2 Network diagram

Figure 158 Network diagram for the DLSw test

(Network diagram for the DLSw test: SwitchA, NQA client, 10.1.1.1/16; IP network; SwitchB, DLSw device, 10.2.2.2/16)

3 Configuration procedure

a Enable the NQA client, create a DLSw test group, and configure related test parameters.

<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin dlsw
[3Com-nqa-admin-dlsw] test-type dlsw
[3Com-nqa-admin-dlsw] destination-ip 10.2.2.2

b Enable the DLSw test.

[3Com-nqa-admin-dlsw] test-enable

c View the test results.

[3Com-nqa-admin-dlsw] display nqa results admin dlsw

Configuring Optional Parameters for NQA Tests

Unless otherwise specified, the following parameters apply to all test types and can be configured according to actual conditions. Optional parameters common to NQA are valid for all NQA tests, while those common to an NQA test group are valid only for the tests in that test group.

This section covers these topics:

■ Configuring Optional Parameters Common to NQA

■ Configuring Optional Parameters Common to an NQA Test Group

■ Configuring Trap

Configuring Optional Parameters Common to NQA

Follow these steps to configure optional parameters common to NQA:

Table 385 Configuring Optional Parameters Common to NQA

To... | Use the command... | Remarks
Enter system view | system-view | —
Configure the maximum number of tests that the NQA client can simultaneously perform | nqa-agent max-requests number | Optional. 5 by default.


Configuring Optional Parameters Common to an NQA Test Group

Follow these steps to configure the optional parameters common to an NQA test group:

Table 386 Configuring Optional Parameters Common to an NQA Test Group

To... | Use the command... | Remarks
Enter system view | system-view | —
Enter NQA test group view | nqa admin-name operation-tag | Required
Configure a descriptive string for a test group | description text | Optional. No descriptive string by default.
Configure the interval of performing a cyclic test | frequency interval | Optional. 0 seconds by default, that is, the test is not cycled. This command is invalid for the DHCP test.
Configure the number of probes in a test | count times | Optional. 1 by default. For the TCP test, a probe means a connection. For the jitter test, the number of test packets sent in a probe is determined by the jitter-packetnum command. For the SNMP query test, three test packets are sent in a probe. For the other tests, one test packet is sent in a probe.
Configure the NQA probe time-out time | timeout time | Optional. 3 seconds by default. If no response packet is received within the time-out time of a request packet, the probe fails.
Configure the maximum number of history records that can be saved in a test group | history-records number | Optional. 50 by default. If the number of history records exceeds this value, the earliest test results are discarded.
Configure the maximum number of hops a test request packet traverses in the network | ttl number | Optional. 20 by default. This command is invalid for the DHCP test.
Configure the type of service, namely, the ToS field in an IP packet header | tos value | Optional. 0 by default. This command is invalid for the DHCP test.
Configure the source IP address of a test request packet | source-ip ip-address | Required for the FTP test, optional for the other tests. You can specify an IP address as the source IP address of a test request packet; otherwise, the IP address closest to the destination address serves as the source IP address. The source IP address must be the IP address of an interface on the device, and the interface must be up; otherwise, the test will fail. This command is invalid for the DHCP test.
Configure the source port of a test request packet | source-port port-number | Optional. You can specify a port as the source port of a test request packet; otherwise, the system automatically assigns a port as the source port. This command is invalid for the ICMP, DHCP, TCP-Public, TCP-Private, DLSw, FTP, and HTTP tests.
Enable the routing table bypass function | sendpacket passroute | Optional. Disabled by default. Enable this function to test the connectivity between the local address and the destination address. After it is enabled, the routing table is not searched and the packet is sent directly to the destination in the directly connected network. If the destination is not in the directly connected network, an error is reported. This command is invalid for the DHCP test.


558 CHAPTER 56: NQA CONFIGURATION

Configuring Trap Delivery

A trap message is generated no matter whether an NQA test succeeds or fails. You can use a switch to control whether the trap message is delivered to the network management server.

Follow these steps to configure trap delivery:

Table 387 Configuring Trap Delivery

■ Enter system view: system-view

■ Create an NQA test group and enter test group view: nqa admin-name operation-tag (required)

■ Enable trap debugging to send a trap message to the network management server: send-trap { all | { probefailure | testcomplete | testfailure }* } (optional; no trap message is sent to the network management server by default)

■ Configure the minimum number of probe failures in an NQA test before a test failure trap message is sent: test-failtimes times (optional; 1 by default)

■ Configure the number of consecutive probe failures in an NQA test before a trap message is sent to indicate a probe failure: probe-failtimes times (optional; 1 by default)

Displaying and Maintaining NQA

Table 388 Displaying and Maintaining NQA

■ Display history information of tests: display nqa history [ admin-name operation-tag ] (available in any view)

■ Display the results of the last NQA jitter test: display nqa jitter [ admin-name operation-tag ] (available in any view)

■ Display the results of the last test: display nqa results [ admin-name operation-tag ] (available in any view)

57 SSH TERMINAL SERVICE

When configuring SSH, go to these sections for information you are interested in:

■ SSH Overview

■ Configuring the SSH Server

■ Configuring the SSH Client

■ Configuring the Device as an SSH Client

■ Displaying and Maintaining the SSH Protocol

■ SSH Configuration Example

■ SSH Client Configuration Example

SSH Overview

Secure shell (SSH) offers an approach to securely logging in to a remote device. It can protect devices against attacks such as IP spoofing and plain-text password interception.

In a typical SSH scenario, a device running SSH server software works as the SSH server and accepts connections from SSH clients, which run SSH client software. These connections are called SSH connections and can be established either on the local network or over a WAN, as shown in Figure 159 and Figure 160.

Figure 159 SSH channel on the local network

(Figure 159 shows an SSH client, such as a workstation or laptop, and the SSH server on the same Ethernet.)

Figure 160 SSH channel over a WAN

At the beginning, the server opens port 22 to wait for connection requests from clients, while the client sends a TCP connection request to the server and interacts with the server to establish a TCP connection. Then, the server and the client go through the following five phases to establish an SSH connection:

1 Version number negotiation

If the server and the client reach agreement, they continue with the key algorithm negotiation phase. Otherwise, the server tears down the TCP connection.

2 Key algorithm negotiation

■ The server and the client send key algorithm negotiation packets to each other, which include the supported server-side public key algorithm list, encryption algorithm list, MAC algorithm list, and compression algorithm list.

■ Based on the received algorithm negotiation packets, the server and the client figure out the algorithms to be used. For information about the algorithms, refer to the SSH draft.

■ The server and the client use the DH key exchange algorithm to generate the session key.

Through the above steps, the server and the client get the same session key, which is to be used to encrypt and decrypt data exchanged between the server and the client later.

3 Authentication method negotiation

■ The client sends to the server an authentication request, which includes the username and authentication method.

■ If the server is configured not to perform authentication of the client, the server and the client enter the session request phase. Otherwise, the server initiates a process to authenticate the client.

■ The server authenticates the client until the client passes authentication or gets disconnected due to timeout.

(Figure 160 shows an SSH client on the local Ethernet reaching the SSH server on the remote Ethernet through the local router, the WAN, and the remote router.)

SSH provides two authentication methods: password authentication and RSA authentication.

For password authentication:

■ The client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server.

■ Upon receiving the request, the server decrypts the username and password, compares them against those it maintains, and then informs the client of the authentication result.

For RSA authentication:

■ The client sends an RSA request together with its own public key modulus to the server. The server checks the validity of the received information; if it is not valid, the server sends a failure message to the client.

■ Otherwise, the server generates a 32-byte random number and derives an MP (multiple precision) integer from it in MSB (most significant bit) first order. The server encrypts the integer with the public key of the client and sends it to the client as a challenge.

■ When the client receives the challenge message, it decrypts it to obtain the MP integer. The client uses the integer and the session ID to compute an MD5 value, then encrypts the 16-byte MD5 value and sends it to the server. The session ID is generated in the key algorithm negotiation phase: session ID = MD5(host public key modulus || server public key modulus || 8-byte cookie), where || denotes concatenation.

■ After the server receives the message, it decrypts it to get the MD5 value and compares it with the MD5 value it calculates itself. If the two MD5 values are the same, the authentication succeeds and the server sends a success message; otherwise it sends a failure message.

Besides password authentication and RSA authentication, SSH2.0 provides two more authentication methods:

■ password-publickey: Performs both password authentication and RSA authentication of the client. A client running SSH1 client software only needs to pass either of the two, while a client running SSH2 client software must pass both to log in.

■ all: Performs either password authentication or RSA authentication. The client tries RSA authentication first.
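The RSA challenge-response described above, as an added example that is not part of this guide: a Python model with a toy RSA key generator (Miller-Rabin primes, raw RSA without padding, and none of the transport encryption that wraps the real messages). It shows that the reply proves possession of the client's private key and, because the session ID is hashed in, cannot be replayed into a later session.

```python
import hashlib
import hmac
import random
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a demo modulus, not for production keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(cand):
            return cand


def generate_rsa(bits=512):
    """Toy key pair ((n, e), (n, d)); 512 bits is the smallest length the guide allows."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:   # e is prime, so phi % e != 0 means gcd == 1
            return (n, e), (n, pow(e, -1, phi))


def modulus_bytes(key):
    """Public key modulus as a big-endian byte string."""
    n = key[0]
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def to_mp(x):
    """MP integer encoding, MSB first, padded to at least 32 bytes to match the challenge size."""
    return x.to_bytes(max(32, (x.bit_length() + 7) // 8), "big")


def session_id(host_pub, server_pub, cookie):
    """session ID = MD5(host public key modulus || server public key modulus || 8-byte cookie)."""
    assert len(cookie) == 8
    return hashlib.md5(modulus_bytes(host_pub) + modulus_bytes(server_pub) + cookie).digest()


def server_challenge(client_pub):
    """Server: 32-byte random number as an MP integer, encrypted with the client's public key."""
    n, e = client_pub
    mp = int.from_bytes(secrets.token_bytes(32), "big")   # < 2**256 < n, so a valid RSA input
    return mp, pow(mp, e, n)                               # server keeps mp, sends the ciphertext


def client_response(client_priv, challenge, sid):
    """Client: decrypt with the private key, answer with MD5(MP integer || session ID), 16 bytes."""
    n, d = client_priv
    return hashlib.md5(to_mp(pow(challenge, d, n)) + sid).digest()


def server_verify(mp, sid, response):
    """Server: recompute over its own copy of the MP integer and compare in constant time."""
    return hmac.compare_digest(hashlib.md5(to_mp(mp) + sid).digest(), response)


def run_demo():
    """Genuine client succeeds; a replayed reply or one made with another key fails."""
    host_pub, _ = generate_rsa()
    server_pub, _ = generate_rsa()
    client_pub, client_priv = generate_rsa()
    _, other_priv = generate_rsa()                         # an unrelated key pair (constructed)

    sid1 = session_id(host_pub, server_pub, secrets.token_bytes(8))
    mp, challenge = server_challenge(client_pub)
    reply = client_response(client_priv, challenge, sid1)
    sid2 = session_id(host_pub, server_pub, secrets.token_bytes(8))   # later session, new cookie
    return {
        "genuine": server_verify(mp, sid1, reply),
        "replayed_in_new_session": server_verify(mp, sid2, reply),
        "wrong_private_key": server_verify(mp, sid1, client_response(other_priv, challenge, sid1)),
    }


if __name__ == "__main__":
    print(run_demo())
```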

4 Session request

After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client and sends back to the client the result, which can be an SSH_SMSG_SUCCESS packet for successful processing or an SSH_SMSG_FAILURE packet if the processing fails or it cannot resolve the request. In the former case, the server and the client enter the interactive session phase.

5 Interactive session

The server and the client exchange data in this way:

■ The client encrypts the command to be executed and sends it to the server.

■ The server decrypts and executes the command, and then encrypts and sends the result to the client.

■ The client decrypts the result and displays the result on the terminal.

■ During the interactive session phase, a client user can issue the commands to be executed by pasting command text on the client. Note that the text must be no more than 2,000 bytes in length, and the commands pasted should be in the same view; otherwise, the server may be unable to execute the commands correctly.

■ If the text to be pasted is more than 2,000 bytes in length, the user can put it in a configuration file, upload the configuration file to the server, and then reboot the server with this new configuration file.

Configuring the SSH Server

Enabling SSH Server

Follow these steps to enable SSH server:

Table 389 Enabling SSH Server

■ Enter system view: system-view

■ Enable SSH server: ssh server enable (required; disabled by default)

Configuring the Protocols for the Current User Interface to Support

After enabling SSH server, you must configure the device to support the remote SSH login protocol. By default, the device supports both Telnet and SSH. Note that the configuration takes effect at the next login.

Follow these steps to configure the protocols for the current user interface to support:

Table 390 Configuring the Protocols for the Current User Interface to Support

■ Enter system view: system-view

■ Enter single-user interface view or multi-user interface view: user-interface [ type-keyword ] number [ ending-number ] (required)

■ Set the login authentication method: authentication-mode scheme [ command-authorization ] (required)

■ Specify the protocols for the user interfaces to support: protocol inbound { all | ssh | telnet } (optional; both protocols are supported by default)

CAUTION:

■ If you configure a user interface to support SSH, be sure to configure the authentication-mode scheme command.

■ For a user interface configured to support SSH, you cannot configure the authentication-mode password or authentication-mode none command.

Creating/Destroying/Exporting RSA Keys

Creating RSA keys

The length of a server/host key must be in the range 512 to 2048 bits. After you enter the rsa local-key-pair create command, the system prompts you to enter the length of the key:

■ In SSH1.x, the length of a key ranges from 512 to 2048 bits.

■ In SSH2.0, the length of a key ranges from 512 to 2048 bits. However, some clients require that the keys generated by the server be at least 768 bits.

Follow these steps to create the host key pair and server key pair:

Table 391 Creating RSA Keys

■ Enter system view: system-view

■ Create the RSA host key pair and server key pair: rsa local-key-pair create (required)

CAUTION: For a successful SSH login, you must generate the host key pair and server key pair first.

Destroying RSA keys

Follow these steps to destroy the host key pair and server key pair:

Table 392 Destroying RSA Keys

■ Enter system view: system-view

■ Destroy the RSA host key pair and server key pair: rsa local-key-pair destroy (required)

Displaying/exporting the public host key

Once created, the public host key can be displayed on the screen or exported to a specified file.

Follow these steps to export the host key pair:

Table 393 Exporting RSA Keys

■ Display the RSA host public key on the screen or export it to a specified file: rsa local-key-pair export { ssh1 | ssh2 | openssh } [ filename ] (required; you can configure the command in any view)

CAUTION:

■ For a successful SSH login, you must create the RSA key pairs first.

■ The configuration of the rsa local-key-pair create command survives a reboot. You only need to configure it once.

■ If the key pair already exists, the system asks you whether you want to overwrite it.

■ When exporting the RSA host public key, you choose whether to display it on the screen or export it to a specified file.

Configuring the Authentication Method for an SSH User

You must specify the authentication method for SSH users; otherwise, the users cannot log in. The configured authentication method takes effect when the user logs in next time.

Follow these steps to configure the authentication method for an SSH user:

Table 394 Configuring the Authentication Method for an SSH User

■ Enter system view: system-view

■ Specify the authentication method for an SSH user: ssh user username authentication-type { password | rsa | password-publickey | all } (required; RSA authentication by default)

CAUTION: For a user using RSA authentication, you must configure the username and public key on the device. For a user using password authentication, you can configure the account information on the device or on a remote authentication server.

Specifying the Service Type of an SSH User

Follow these steps to specify the service type of an SSH user:

Table 395 Specifying the Service Type of an SSH User

■ Enter system view: system-view

■ Specify the service types of an SSH user: ssh user username service-type { stelnet | sftp | all } (optional; stelnet by default)

CAUTION: The service type of an SSH user can be set to stelnet only if the user does not need the SFTP service.

Setting the SSH Management Parameters

■ Setting the server key pair update interval can help secure your SSH connections.

■ Setting the SSH user authentication timeout period limits how long a client may take to complete authentication.

■ Setting the maximum number of SSH authentication attempts can assist in avoiding malicious connection requests.

Follow these steps to set the SSH management parameters:

Table 396 Setting the SSH Management Parameters

■ Enter system view: system-view

■ Enable the SSH server to work with SSH1.x clients: ssh server compatible-ssh1x enable (optional; by default, the SSH server can work with SSH1.x clients)

■ Set the server key pair update interval: ssh server rekey-interval hours (optional; by default, the server key pair is not updated)

■ Set the SSH user authentication timeout period: ssh server authentication-timeout time-out-value (optional; 60 seconds by default)

■ Set the maximum number of SSH authentication attempts: ssh server authentication-retries times (optional; 3 by default)

Configuring the RSA Public Key for a User

These configurations are required for an SSH user using RSA authentication. For an SSH user using password authentication, they are not required.

This configuration task configures the RSA public key of a client for an SSH user. The RSA private key for the SSH user must be configured on the client. The client key pair is generated randomly by the SSH2.0 client software.

You can also import an RSA public key from a public key file. When you import a public key, the system automatically converts the public key in SSH1, SSH2, or OpenSSH format to a string coded using the PKCS standard. Before importing the public key, you must upload the public key file to the server through FTP or TFTP.

■ You can use either of the following two ways to configure the RSA public key of an SSH user.

■ You configure any of these three commands to create an SSH user: ssh user assign rsa-key, ssh user authentication-type, and ssh user service-type. Up to 20 SSH users can be created. By default, the authentication method for an SSH user is RSA and the service type is stelnet.

■ With no SSH users created, when a client logs in, the system performs password authentication and only the stelnet service type is supported.

Configuring the RSA public key manually

Follow these steps to configure the RSA public key manually:

Table 397 Configuring the RSA Public Key Manually

■ Enter system view: system-view

■ Enter public key view: rsa peer-public-key keyname (required)

■ Enter public key code view: public-key-code begin

■ Configure the RSA public key: enter the contents of the RSA public key. Spaces and carriage returns are allowed between the PKCS-coded characters that comprise the key.

■ Return from public key code view to public key view: public-key-code end. When you exit public key code view, the system automatically saves the public key.

■ Return from public key view to system view: peer-public-key end

■ Assign a public key to a user: ssh user username assign rsa-key keyname (required). The public key must exist. If the user already has a public key, the new public key overwrites the old one.

Importing the RSA public key from a public key file

Follow these steps to import the RSA public key from a public key file:

Table 398 Importing the RSA Public Key from a Public Key File

■ Enter system view: system-view

■ Import the RSA public key from a public key file: rsa peer-public-key keyname import sshkey filename (required)

Configuring the SSH Client

A variety of SSH client software is available, such as PuTTY and FreeBSD. For an SSH client to establish a connection with an SSH server, you must complete these configuration tasks:

■ Specifying the IP address of the server.

■ Selecting the protocol for remote connection. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH.

■ Selecting the SSH version. Multiple SSH versions are available. However, since the device currently supports SSH Server 2.0, select 2.0 or lower for the client.

■ Specifying the RSA private key file. The RSA keys for an SSH user include a public key and a private key, which are generated by the tool that accompanies the client software. The public key must be configured on the server, while the private key must be configured on the client.

The following takes the PuTTY client software as an example to illustrate how to configure the SSH client:


Specifying the IP address of the server

Launch PuTTY. The following window appears.

Figure 161 SSH client interface 1

In the [Host Name (or IP address)] text box, enter the IP address of the server, for example, 10.110.28.10. Note that the IP address can be that of any interface on the server that is up and has a route to the client.

Selecting the protocol for remote connection

As shown in Figure 161, select the [SSH] option from the [Protocol] section.


Selecting the SSH version

From the category on the left of the window, click [Connection/SSH]. The following window appears.

Figure 162 SSH client interface 2

As shown in Figure 162, select [2] from the [Preferred SSH protocol version] section.


Specifying the RSA private key file

If the client needs to use RSA authentication, you must specify the RSA private key file. If the client needs to use password authentication, this is not required.

From the category on the left of the window, click [Connection/SSH/Auth]. The following window appears.

Figure 163 SSH client interface 3

Click <Browse> to bring up the file selection window, navigate to the private key file and click <OK>.


Initiating an SSH connection

1 Click <Open>. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 164.

Figure 164 SSH client interface 4

2 Enter the username and password. The SSH connection should be created.

3 To log out, enter the quit command.


Configuring the Device as an SSH Client

Configuration Prerequisites

Complete the configuration of the SSH server. For detailed configuration information, refer to Configuring the SSH Server.

Configuration Procedure

Follow these steps to configure the device as an SSH client:

Table 399 Configuring the Device as an SSH Client

■ Enter system view: system-view

■ Disable the first-time authentication function: undo ssh client first-time (optional; enabled by default)

■ Enter public key view: rsa peer-public-key keyname (optional)

■ Enter public key code view: public-key-code begin. Spaces and carriage returns are allowed between the PKCS-coded characters that comprise the key.

■ Return from public key code view to public key view: public-key-code end. When you exit public key code view, the system automatically saves the public key.

■ Return from public key view to system view: peer-public-key end

■ Configure the host public key of the server so that the client can determine whether the server is reliable: ssh client authentication server { server-ip | server-name } assign rsa-key keyname (optional)

■ Specify the source IPv4 address or source interface of the SSH client: ssh client source { ip ip-address | interface interface-type interface-number } (optional; by default, the IP address or interface is the one selected by the route)

■ Initiate a connection between the SSH client and an IPv4 server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms of the client and the server: ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*

When an SSH client tries to access a server whose public host key it does not know for the first time, the first-time authentication function lets it access the server and obtain and save the public host key of the server. When the client accesses the server later, it can use the locally saved public host key of the server to authenticate the server. With the first-time authentication function enabled on a client, you do not need to configure the public host key of a server to be accessed on the client.

Displaying and Maintaining the SSH Protocol

Table 400 Displaying and Maintaining the SSH Protocol

■ Display the public keys of the host key pair and server key pair: display rsa local-key-pair public (available in any view)

■ Display the peer RSA public keys: display rsa peer-public-key [ brief | name keyname ] (available in any view)

■ Display the source IP address or interface currently set for the SFTP client: display sftp client source (available in any view)

■ Display the source IP address or interface currently set for the SFTP server: display ssh client source (available in any view)

■ Display the status information or session information of the SSH server: display ssh server { status | session } (available in any view)

■ Display the mapping between the host public key and the SSH server saved on the client: display ssh server-info (available in any view)

■ Display the information of the SSH user: display ssh user-information [ username ] (available in any view)

SSH Configuration Example

Network requirements

As shown in Figure 165, a local connection is established between the configuration terminal (SSH client) and the Switch. Users log in to the switch via the SSH protocol to ensure that data is exchanged in a secure way. The username of the SSH client is client001 and the password is aabbcc.

Network diagram

Figure 165 Network diagram for SSH configuration

(Figure 165 shows the SSH client at 192.168.0.2/24 connected to the Switch, whose Vlan-interface1 has the address 192.168.0.1/24.)

Configuration procedure

The configuration procedure varies with the login authentication mode. However, you must complete the following three configuration tasks before any configuration procedure.

First, create an RSA host key pair and server key pair and enable the SSH server.

<3Com> system-view
[3Com] rsa local-key-pair create
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
........++++++++++++...++++++++++++................++++++++.............++++++++......
Done!
[3Com] ssh server enable

If you have already created an RSA host key pair and server key pair, you can skip this step.

Then, you must create a VLAN interface on the switch and assign it an IP address, through which the SSH client will be connected with the switch.

[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit

Finally, you must configure an IP address (192.168.0.2) for the SSH client. This IP address and that of the VLAN interface on the switch must be in the same network segment.

Set the SSH authentication mode to password

1 Set the authentication mode on the user interface to AAA. (AAA adopts the default ISP domain system and the default scheme local.)

[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme

2 Set the protocol that a remote user uses to log in to the switch to SSH.

[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit

3 Create a local user client001.

[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
[3Com] ssh user client001 authentication-type password

The SSH authentication timeout time, number of SSH authentication attempts, and server key update period can be left at their default values. After the above configuration, run an SSH2.0 client on the terminal to connect to the switch, and log in with the username client001 and the password aabbcc.

Set the SSH authentication mode to RSA

4 Set the authentication mode on the user interface to AAA.

[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme

5 Set the protocol that a remote user uses to log in to the switch to SSH.

[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit

6 Set the SSH user authentication mode to RSA on the switch.

[3Com] ssh user client001 authentication-type RSA

Here an RSA key pair (including the public and private keys) needs to be generated randomly by the SSH2.0 client software. You then enter the RSA public key (a hexadecimal string obtained after PKCS coding with the SSHKEY.EXE software) into the public key specified by the rsa peer-public-key command on the SSH server, in the following way.

7 Set the RSA keys on the switch.

[3Com] rsa peer-public-key Switch001
[3Com-rsa-public-key] public-key-code begin
[3Com-rsa-key-code]30818602 818078C4 32AD7864 BB0137AA 516284BB 3F55F0E3
[3Com-rsa-key-code]F6DD9FC2 4A570215 68D2B3F7 5188A1C3 2B2D40BE D47A08FA
[3Com-rsa-key-code]CF41AF4E 8CCC2ED0 C5F9D1C5 22FC0625 BA54BCB3 D1CBB500
[3Com-rsa-key-code]A177E917 642BE3B5 C683B0EB 1EC041F0 08EF60B7 8B6ED628
[3Com-rsa-key-code]9830ED46 0BA21FDB F55E7C81 5D1A2045 54BFC853 5358E5CF
[3Com-rsa-key-code]7D7DDF25 03C44C00 E2F49539 5C4B0201 25
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end

8 Directly import the public key of the client if it is stored as a file named Switch001 on the server.

[3Com] rsa peer-public-key Switch001 import sshkey Switch001

9 Specify the public key Switch001 for the user client001.

[3Com] ssh user client001 assign rsa-key Switch001

On the client, you need to specify the RSA private key corresponding to the RSA public key for the SSH user client001.

By now, you can run an SSH2.0 client on the terminal containing the RSA private key and perform the corresponding configuration to establish an SSH connection.
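As an added example that is not part of this guide, the following Python script parses a pasted 4500G CLI session like the ones above and flags settings this chapter describes as required or as security-relevant options that were left at their defaults: SSH server not enabled, a user interface without authentication-mode scheme, protocol inbound not restricted to ssh, rekey-interval unset, SSH1.x compatibility left on, authentication-retries or authentication-timeout above the defaults, and password simple. The undo ssh server compatible-ssh1x form and password cipher in the hardened sample are assumed from the platform's CLI and are not shown on this page; both sample sessions are constructed.

```python
import re

# A prompt is "<name>" (user view) or "[name-view]" (system or sub-view), followed by the command.
PROMPT_RE = re.compile(r"^(?:<(?P<user>[^>]*)>|\[(?P<sys>[^\]]*)\])\s*(?P<cmd>.*)$")

# Constructed sample: the password-mode procedure from this chapter, pasted as one session.
PAGE_SESSION = """\
<3Com> system-view
[3Com] rsa local-key-pair create
Input the bits in the modulus[default = 512]:
Done!
[3Com] ssh server enable
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
[3Com] ssh user client001 authentication-type password
"""

# Constructed sample: the same server with the chapter's optional parameters tightened.
# "undo ssh server compatible-ssh1x" and "password cipher" are assumed CLI forms, not on this page.
HARDENED_SESSION = """\
<3Com> system-view
[3Com] rsa local-key-pair create
[3Com] ssh server enable
[3Com] undo ssh server compatible-ssh1x
[3Com] ssh server rekey-interval 24
[3Com] ssh server authentication-retries 3
[3Com] ssh server authentication-timeout 60
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
[3Com] local-user client001
[3Com-luser-client001] password cipher REDACTED
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
[3Com] ssh user client001 authentication-type rsa
"""


def parse_session(session):
    """Return (prompt, command) pairs; lines with no prompt are device output and are skipped."""
    pairs = []
    for raw in session.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if m and m.group("cmd").strip():
            prompt = m.group("user") if m.group("user") is not None else m.group("sys")
            pairs.append((prompt, m.group("cmd").strip()))
    return pairs


def audit_ssh_session(session):
    """Return (code, message) findings for weak or missing SSH server settings."""
    pairs = parse_session(session)
    cmds = [c for _, c in pairs]
    vty = [c for p, c in pairs if "-ui-" in p]        # commands issued in user-interface view
    findings = []

    if "ssh server enable" not in cmds:
        findings.append(("SSH-OFF", "ssh server enable not issued; the SSH server is disabled by default"))
    if not any(c.startswith("authentication-mode scheme") for c in vty):
        findings.append(("NO-SCHEME", "user interface lacks authentication-mode scheme, which SSH requires"))
    inbound = [c.split()[-1] for c in vty if c.startswith("protocol inbound")]
    if not inbound or inbound[-1] != "ssh":
        findings.append(("TELNET-OPEN", "protocol inbound not restricted to ssh; Telnet is still accepted"))
    if not any(c.startswith("ssh server rekey-interval") for c in cmds):
        findings.append(("NO-REKEY", "ssh server rekey-interval unset; the server key pair is never updated"))
    if not any(c.startswith("undo ssh server compatible-ssh1x") for c in cmds):
        findings.append(("SSH1X", "SSH1.x client compatibility is on by default and was not disabled"))
    for c in cmds:
        if c.startswith("ssh server authentication-retries") and int(c.split()[-1]) > 3:
            findings.append(("MANY-RETRIES", "authentication-retries raised above the default of 3"))
        if c.startswith("ssh server authentication-timeout") and int(c.split()[-1]) > 60:
            findings.append(("LONG-TIMEOUT", "authentication-timeout raised above the default of 60 seconds"))
    if any(c.startswith("password simple") for c in cmds):
        findings.append(("PLAINTEXT-PW", "password simple stores the local user's password in plain text"))
    return findings


def finding_codes(session):
    """Sorted finding codes, convenient for reports and tests."""
    return sorted(code for code, _ in audit_ssh_session(session))


if __name__ == "__main__":
    for name, text in (("page example", PAGE_SESSION), ("hardened", HARDENED_SESSION)):
        print(name, finding_codes(text))
```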

Page 576: 3Com Switch 4500G Family Configuration Guide

576 CHAPTER 57: SSH TERMINAL SERVICE

SSH Client Configuration Example

Network requirements

As shown in Figure 166, Switch A serves as the SSH client and is connected to Switch B through the SSH protocol. The username of the SSH client is client001 and the password is aabbcc.

Network diagram

Figure 166 Network diagram for SSH client configuration

Configuration procedure

1 Configuration on Switch B

a Create an RSA host key pair and server key pair and enable the SSH server.

<3Com> system-view[3Com] rsa local-key-pair create[3Com] ssh server enable

If you have created an RSA host key pair and server key pair, you can skip this step.

b Create a VLAN interface on Switch B and assign an IP address, through which the SSH client will be connected with the switch.

[3Com] interface Vlan-interface 1[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0[3Com-Vlan-interface1] quit

c Set the authentication mode on the user interface to AAA. (AAA adopts the default ISP domain system and the default scheme local.)

[3Com] user-interface vty 0 4[3Com-ui-vty0-4] authentication-mode scheme

d Set the protocol that a remote user uses to log in to the switch to SSH.

[3Com-ui-vty0-4] protocol inbound ssh[3Com-ui-vty0-4] quit

e Create a local user client001.

[3Com] local-user client001[3Com-luser-client001] password simple aabbcc[3Com-luser-client001] service-type ssh[3Com-luser-client001] quit

PC

SSH server

SSH client

Switch B

Switch A

Vlan-interface110.165.87.136/24

Vlan-interface110.165.87.137/24

Page 577: 3Com Switch 4500G Family Configuration Guide

SSH Client Configuration Example 577

f Set the SSH authentication mode to password. The SSH authentication timeout time, number of SSH authentication attempts and server key update period can be default values.)

[3Com] ssh user client001 authentication-type password

If you set the SSH authentication mode to RSA, you need to configure a host public key of Switch A. For the specific configuration, refer to SSH Configuration Example

2 Configuration on Switch A

a Configure an IP address (10.165.87.137) for the VLAN interface on Switch A. This IP address and that of the VLAN interface on Switch B must be in the same network segment.

<3Com> system-view[3Com] interface Vlan-interface 1[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0[3Com-Vlan-interface1] quit

b Configure the client to support first-time authentication, so that the client does not authenticate the server on the first login (the server's public key is saved once you accept it).

[3Com] ssh client first-time

c Establish the connection with password authentication, using the default algorithms.

[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not autherncated.
Do you continue access it?[Y/N]:y
Do you want to save the server's public key?[Y/N]:y
Enter password:
**********************************************************
* All rights reserved (1997-2005)                        *
* Without the owner's prior written consent,             *
* no decompiling or reverse-engineering shall be allowed.*
**********************************************************
<3Com>
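The login above shows why first-time authentication is a trade-off: on the first connection the client cannot authenticate the server, so it asks whether to continue and whether to save the server's public key. The following is an added example (not part of the 3Com guide) of the host-key decision a client makes from then on: an unknown key is accepted and saved only while first-time authentication is enabled, later logins are compared against the saved key, and a key that differs from the saved one is rejected. The fingerprint format and the in-memory key store are this example's own assumptions.

```python
"""Added example (not from the 3Com guide): host-key check with first-time
authentication, using an assumed SHA-256 fingerprint and an in-memory store."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Decisions returned by check_server_key().
TRUST_FIRST = "trust-first-time"   # unknown server, first-time auth on: accept and save key
MATCH = "match"                    # saved key equals the presented key
REJECT_UNKNOWN = "reject-unknown"  # unknown server, first-time auth off: key must be pre-configured
REJECT_CHANGED = "reject-changed"  # saved key differs: possible impersonation, do not continue


def fingerprint(host_key: bytes) -> str:
    """SHA-256 over the raw public key bytes (assumed encoding)."""
    return hashlib.sha256(host_key).hexdigest()


def check_server_key(store: Dict[str, str], server: str, host_key: bytes,
                     first_time: bool) -> Tuple[str, Dict[str, str]]:
    """Return (decision, updated store).

    `store` maps a server address to the fingerprint saved when its key was
    first accepted. The store is copied, never mutated in place.
    """
    presented = fingerprint(host_key)
    saved: Optional[str] = store.get(server)
    if saved is None:
        if not first_time:
            return REJECT_UNKNOWN, store
        updated = dict(store)
        updated[server] = presented    # "Do you want to save the server's public key?" -> y
        return TRUST_FIRST, updated
    if saved == presented:
        return MATCH, store
    return REJECT_CHANGED, store


def login_sequence(server: str, keys_seen: List[bytes], first_time: bool) -> List[str]:
    """Run successive logins against one store and return the decision of each."""
    store: Dict[str, str] = {}
    decisions: List[str] = []
    for key in keys_seen:
        decision, store = check_server_key(store, server, key, first_time)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed key material: the same key twice, then a different one.
    print(login_sequence("10.165.87.136", [b"hostkey-B", b"hostkey-B", b"hostkey-X"], True))
```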


58 SFTP SERVICE

When configuring SFTP, go to these sections for information you are interested in:

■ SFTP Overview

■ Configuring the SFTP Server

■ Configuring the SFTP Client

■ SFTP Configuration Example

SFTP Overview

The secure file transfer protocol (SFTP) is a new feature in SSH 2.0.

SFTP runs over SSH connections to provide secure data transfer. The device can serve as both SFTP server and SFTP client. A remote user can log in to the SFTP server securely to manage and transfer files, for example for a system upgrade. In addition, a user can log in to a remote device to transfer files in a secure way.

Configuring the SFTP Server

Configuration Prerequisites

■ You have configured the SSH server. For the detailed configuration procedure, refer to Configuring the SSH Server.

■ You have used the ssh user service-type command to set the service type of SSH users to sftp or all.

Enabling the SFTP Server

This configuration task enables the SFTP service so that clients can log in to the SFTP server in SFTP mode.

Follow these steps to enable the SFTP server:

Table 401 Enabling the SFTP Server

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Enable the SFTP server: sftp server enable (Required. By default, the SFTP server is disabled.)


Configuring the SFTP Connection Idle Timeout Time

After an SFTP connection has been idle for longer than the idle timeout time, the system automatically disconnects the SFTP user.

Follow these steps to configure the SFTP connection idle timeout time:

Table 402 Configuring the SFTP Connection Idle Timeout Time

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Configure the SFTP connection idle timeout time: sftp server idle-timeout time-out-value (Required. By default, the SFTP connection idle timeout time is 10 minutes.)

Configuring the SFTP Client

Specifying a Source IP Address or Interface for the SFTP Client

Follow these steps to specify a source IP address or interface for the SFTP client:

Table 403 Specifying a Source IP Address or Interface for the SFTP Client

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Specify the source IPv4 address or source interface of the SFTP client: sftp client source { ip ip-address | interface interface-type interface-number } (Optional. By default, the SFTP client uses the address of the interface selected by the device's route to access the SFTP server.)

Establishing a Connection with the SFTP Server

This configuration task enables the SFTP client to establish a connection with the remote SFTP server and enter SFTP client view.

Follow these steps to enable the SFTP client:

Table 404 Establishing a Connection with the SFTP Server

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Initiate a connection to a remote IPv4 SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Either is required.)


Operating the SFTP Directories

SFTP directory operations include:

■ Changing or displaying the current working directory

■ Creating or deleting a directory

■ Displaying files under a specified directory or the directory information

■ Changing the name of a specified directory on the server

Follow these steps to operate the SFTP directories:

Table 405 Operating the SFTP Directories

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
■ Change the working directory on the server: cd [ remote-path ] (Optional. This and the following commands are optional and need not be carried out in this order. The dir command functions as the ls command does.)
■ Return to the upper-level directory: cdup
■ Display the current working directory on the server: pwd
■ Display the file list under a specified directory: dir [ remote-path ] or ls [ remote-path ]
■ Change the name of a specified directory on the server: rename oldname newname
■ Create a new directory on the server: mkdir remote-path
■ Delete a directory from the server: rmdir remote-path


Operating SFTP Files

SFTP file operations include:

■ Changing a file name

■ Downloading a file

■ Uploading a file

■ Displaying the file list

■ Deleting a file

Follow these steps to operate SFTP files:

Table 406 Operating SFTP Files

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
■ Change the name of a specified file on the server: rename old-name new-name (Optional. This and the following commands are optional and need not be carried out in this order. The dir and ls commands function in the same way; so do the delete and remove commands.)
■ Download a file from the remote server: get remote-file [ local-file ]
■ Upload a file to the remote server: put local-file [ remote-file ]
■ Display the file list under a specified directory: dir [ remote-path ] or ls [ remote-path ]
■ Delete a file from the server: delete remote-file or remove remote-file


Displaying Help Information

This configuration task displays the help information about SFTP client commands, such as command format and parameter configuration.

Follow these steps to display the help information about client commands:

Table 407 Displaying Help Information

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
■ Display the help information about client commands: help [ all | command-name ] (Optional)

Disabling the SFTP Client

This configuration task disables the SFTP client.

Follow these steps to disable the SFTP client:

Table 408 Disabling the SFTP Client

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
■ Disable the SFTP client: bye, exit or quit (Required. Use any one of them; these three commands function in the same way.)


SFTP Configuration Example

Network requirements

As shown in Figure 167, an SSH connection is established between Switch A and Switch B. Switch A, an SFTP client, uses the username client001 and password aabbcc to log in to Switch B for file management and file transfer.

Network diagram

Figure 167 Network diagram for SFTP configuration

Configuration procedure

1 Configuration on the SFTP server (Switch B)

a Create an RSA host key pair and server key pair and enable the SSH server.

<3Com> system-view
[3Com] rsa local-key-pair create
[3Com] ssh server enable

If you have created an RSA host key pair and server key pair, you can skip this step.

b Create a VLAN interface on Switch B and assign an IP address, through which the SSH client will be connected with the switch.

[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 11.111.27.91 255.255.255.0
[3Com-Vlan-interface1] quit

c Set the authentication mode on the user interface to AAA. (AAA adopts the default ISP domain system and the default scheme local.)

[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme

d Set the protocol that a remote user uses to log in to the switch to SSH.

[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit

e Create a local user client001.

[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit

[Network diagram: PC; Switch A (SFTP client, Vlan-interface1 11.111.27.92/24); Switch B (SFTP server, Vlan-interface1 11.111.27.91/24)]


f Set the SSH authentication mode to password. (The SSH authentication timeout time, number of SSH authentication attempts and server key update period can be left at their default values.)

[3Com] ssh user client001 authentication-type password

If you set the SSH authentication mode to RSA, you need to configure a host public key of Switch A. For the specific configuration, refer to the section “SFTP Configuration Example”.

g Enable the SFTP server.

<3Com> system-view
[3Com] sftp server enable

h Specify the service type of the user as SFTP.

[3Com] ssh user client001 service-type sftp

2 Configuration on the SFTP client (Switch A)

a Configure an IP address (11.111.27.92) for the VLAN interface on Switch A. This IP address and that of the VLAN interface on Switch B must be in the same network segment.

<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 11.111.27.92 255.255.255.0
[3Com-Vlan-interface1] quit

b Establish a connection with the remote SFTP server and enter SFTP client view.

[3Com] sftp 11.111.27.91
Input Username: client001
Trying 11.111.27.91 ...
Press CTRL+K to abort
Connected to 11.111.27.91 ...
Enter password:

sftp-client>

c Display the current directory on the server, delete the z file, and check that the file is deleted successfully.

sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
-rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z
sftp-client> delete z
The following File will be deleted:
/z
Are you sure to delete it?(Y/N):y
This operation may take a long time.Please wait...

File successfully Removed
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub


d Add the new1 directory and check that it is created successfully.

sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1

e Change the directory name from new1 to new2 and check that the directory name is changed successfully.

sftp-client> rename new1 new2
File successfully renamed
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

f Download the pubkey2 file from the server and save it as public.

sftp-client> get pubkey2 public
Remote file:/pubkey2 ---> Local file: public
Downloading file successfully ended

g Upload the pu file to the server, save it as puk, and check that the file is uploaded successfully.

sftp-client> put pu puk
Local file:pu ---> Remote file: /puk
Uploading file successfully ended
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub
-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk
sftp-client>

h Exit from the SFTP.

sftp-client> quit
Bye
[3Com]
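Each step of the procedure above ends with "check that ... successfully" by reading a dir listing. The following is an added example (not part of the 3Com guide) that parses the listing format the client prints and checks a delete, mkdir or rename against the before and after listings, so the verification is mechanical instead of visual. The embedded listings are constructed from the transcript above; the nine-field line layout is assumed from it.

```python
"""Added example (not from the 3Com guide): parse sftp-client dir/ls output
and verify that a file operation changed exactly what it was meant to."""
import re
from typing import Dict, Iterable, NamedTuple


class Entry(NamedTuple):
    name: str
    is_dir: bool
    size: int
    mtime: str        # "Mon DD HH:MM" exactly as printed


# Assumed layout, e.g.: -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
_LINE = re.compile(
    r"^(?P<type>[-d])[rwx-]{9}\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2} \d{2} \d{2}:\d{2})\s+(?P<name>\S+)$"
)


def parse_dir(output: str) -> Dict[str, Entry]:
    """Map file name -> Entry. Prompt and blank lines are skipped; any other
    line that does not fit the layout is an error rather than silently dropped."""
    entries: Dict[str, Entry] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("sftp-client>"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("unrecognised listing line: %r" % line)
        entries[m["name"]] = Entry(m["name"], m["type"] == "d",
                                   int(m["size"]), m["mtime"])
    return entries


def verify_change(before: Dict[str, Entry], after: Dict[str, Entry],
                  removed: Iterable[str] = (), added: Iterable[str] = ()) -> bool:
    """True only if the set of names changed by exactly the expected entries."""
    return (set(before) - set(after) == set(removed)
            and set(after) - set(before) == set(added))


def verify_rename(before: Dict[str, Entry], after: Dict[str, Entry],
                  old: str, new: str) -> bool:
    """A rename keeps the entry type (file or directory); only the name differs."""
    return (verify_change(before, after, removed=[old], added=[new])
            and before[old].is_dir == after[new].is_dir)


# Constructed sample listings, copied from the transcript above.
BEFORE_DELETE = """\
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
"""
AFTER_DELETE = "".join(l + "\n" for l in BEFORE_DELETE.splitlines() if not l.endswith(" z"))
AFTER_MKDIR = AFTER_DELETE + "drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1\n"
AFTER_RENAME = AFTER_DELETE + "drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2\n"

if __name__ == "__main__":
    print("delete z ok:", verify_change(parse_dir(BEFORE_DELETE), parse_dir(AFTER_DELETE), removed=["z"]))
    print("rename new1 new2 ok:", verify_rename(parse_dir(AFTER_MKDIR), parse_dir(AFTER_RENAME), "new1", "new2"))
```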


59 UDP HELPER CONFIGURATION

When configuring UDP Helper, go to these sections for information you are interested in:

■ Introduction to UDP Helper

■ Configuring UDP Helper

■ Displaying and Maintaining UDP Helper

■ UDP Helper Configuration Example

By default, the Switch 4500G Family of Ethernet switches does not forward IP broadcast packets. To ensure that UDP Helper is available, you must use the ip forward-broadcast command in system view first.

Introduction to UDP Helper

UDP Helper functions as a relay that converts UDP broadcast packets into unicast packets and forwards them to a specified server.

With UDP Helper enabled, the device decides whether to forward a received UDP broadcast packet according to the port number of the packet. If the packet needs to be forwarded, the device modifies the destination IP address in the IP header and then sends the packet to the specified destination server. Otherwise, the device sends the packet to its upper layer.

When relaying BOOTP/DHCP broadcast packets, the device broadcasts a response packet if the client specifies that it needs to receive a broadcast response; otherwise, the device unicasts a response packet.

With UDP Helper enabled, the device relays broadcast packets of six default UDP ports by default. The default UDP ports are listed in Table 409.

Table 409 List of default UDP ports

Protocol UDP port number

TFTP (trivial file transfer protocol) 69

DNS (domain name system) 53

Time service 37

NetBIOS-NS (NetBIOS name service) 137

NetBIOS-DS (NetBIOS datagram service) 138

TACACS (terminal access controller access control system) 49


Configuring UDP Helper

Follow these steps to configure UDP Helper:

Table 410 Configuring UDP Helper

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Enable UDP Helper: udp-helper enable (Required. Disabled by default.)
■ Specify a UDP port: udp-helper port { port | dns | netbios-ds | netbios-ns | tacacs | tftp | time } (Optional. By default, a UDP Helper-enabled device converts and forwards broadcast packets of ports 69, 53, 37, 137, 138, and 49.)
■ Enter interface view: interface interface-type interface-number
■ Configure the destination server to which the UDP packets are to be forwarded: udp-helper server ip-address (Required. No destination server is configured by default.)

CAUTION:

■ The dns, netbios-ds, netbios-ns, tacacs, tftp, and time keywords correspond to the six default ports. You can configure the default ports by specifying either the port numbers or the corresponding keywords. For example, udp-helper port 53 and udp-helper port dns specify the same port.

■ When you view the configuration information by using the display current-configuration command, the default UDP port numbers are not displayed. A default port number is displayed only once UDP Helper has been disabled for that port.

■ The configuration of all UDP ports (including the default ports) is removed if you disable UDP Helper.

■ The device supports up to 256 UDP ports whose UDP packets are to be forwarded.

■ An interface corresponds to a maximum of 20 destination servers.

■ If the destination server is configured on a VLAN interface, the broadcast packets from a VLAN port to a specific UDP port will be unicast to the destination server configured on that VLAN interface after UDP Helper is enabled.

Displaying and Maintaining UDP Helper

Table 411 Displaying and Maintaining UDP Helper

To do…: Use the command… (Remarks)
■ Display the information of the destination server and the number of packets forwarded by UDP relay: display udp-helper server [ interface interface-type interface-number ] (Available in any view)
■ Clear statistics about packets forwarded by UDP relay: reset udp-helper packet (Available in user view)
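The following is an added example (not part of the 3Com guide) that models the forwarding decision described in the introduction and the rules in the caution list: a UDP broadcast is relayed only when UDP Helper is enabled, the destination port is configured (the six default ports count), and a server is configured on the ingress interface; the destination IP is then rewritten to the server's. The keyword-to-port map, the 256-port and 20-server limits and the display rule for default ports come from the text; the data structures, the one-copy-per-server behaviour and the undo form of the port command are this example's own assumptions.

```python
"""Added example (not from the 3Com guide): model of the UDP Helper relay decision."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union

# The six default ports of Table 409, keyed by the keyword udp-helper port accepts
# (udp-helper port 53 and udp-helper port dns name the same port).
DEFAULT_PORTS: Dict[str, int] = {"tftp": 69, "dns": 53, "time": 37,
                                 "netbios-ns": 137, "netbios-ds": 138, "tacacs": 49}
MAX_PORTS = 256                  # device-wide limit from the caution list
MAX_SERVERS_PER_INTERFACE = 20   # per-interface limit from the caution list


@dataclass
class UdpHelper:
    """Constructed model of one device's UDP Helper state (this example's own)."""
    enabled: bool = False
    ports: Set[int] = field(default_factory=set)
    interfaces: Dict[str, str] = field(default_factory=dict)     # name -> "ip/prefix"
    servers: Dict[str, List[str]] = field(default_factory=dict)  # name -> server IPs

    def enable(self) -> None:
        # udp-helper enable: relaying starts with the six default ports (assumed to
        # be re-seeded after a disable; the text does not say).
        self.enabled = True
        if not self.ports:
            self.ports = set(DEFAULT_PORTS.values())

    def disable(self) -> None:
        # Disabling UDP Helper removes all port configuration, defaults included.
        self.enabled = False
        self.ports.clear()

    @staticmethod
    def _number(port: Union[int, str]) -> int:
        return DEFAULT_PORTS[port] if isinstance(port, str) else int(port)

    def add_port(self, port: Union[int, str]) -> None:
        # udp-helper port { port | dns | ... }
        number = self._number(port)
        if number not in self.ports and len(self.ports) >= MAX_PORTS:
            raise ValueError("at most %d UDP ports can be relayed" % MAX_PORTS)
        self.ports.add(number)

    def remove_port(self, port: Union[int, str]) -> None:
        self.ports.discard(self._number(port))

    def add_server(self, interface: str, ip: str) -> None:
        # udp-helper server ip-address, in interface view
        servers = self.servers.setdefault(interface, [])
        if ip in servers:
            return
        if len(servers) >= MAX_SERVERS_PER_INTERFACE:
            raise ValueError("at most %d servers per interface" % MAX_SERVERS_PER_INTERFACE)
        servers.append(ip)

    def displayed_config(self) -> List[str]:
        # display current-configuration hides default ports that are still relayed;
        # a default port shows up only once it has been removed ("undo" form assumed).
        defaults = set(DEFAULT_PORTS.values())
        lines = ["udp-helper port %d" % p for p in sorted(self.ports) if p not in defaults]
        if self.enabled:
            lines += ["undo udp-helper port %d" % p for p in sorted(defaults) if p not in self.ports]
        return lines


@dataclass(frozen=True)
class UdpPacket:
    in_interface: str
    dst_ip: str
    dst_port: int


def is_broadcast(helper: UdpHelper, pkt: UdpPacket) -> bool:
    """Limited broadcast, or directed broadcast of the ingress interface's subnet."""
    if pkt.dst_ip == "255.255.255.255":
        return True
    cidr = helper.interfaces.get(pkt.in_interface)
    if cidr is None:
        return False
    net = ipaddress.ip_interface(cidr).network
    return ipaddress.ip_address(pkt.dst_ip) == net.broadcast_address


def relay(helper: UdpHelper, pkt: UdpPacket) -> List[UdpPacket]:
    """Unicast copies the helper sends; an empty list means the packet is handed
    to the upper layer instead of being relayed."""
    if not helper.enabled or not is_broadcast(helper, pkt):
        return []
    if pkt.dst_port not in helper.ports:
        return []
    # One copy per server on the ingress interface (this example's assumption; the
    # text only says the destination IP is rewritten to the configured server).
    return [UdpPacket(pkt.in_interface, server, pkt.dst_port)
            for server in helper.servers.get(pkt.in_interface, [])]


if __name__ == "__main__":
    # The configuration example of this chapter: VLAN-interface1 10.110.1.1/16,
    # port 55 relayed to 202.38.1.2.
    h = UdpHelper(interfaces={"Vlan-interface1": "10.110.1.1/16"})
    h.enable(); h.add_port(55); h.add_server("Vlan-interface1", "202.38.1.2")
    print(relay(h, UdpPacket("Vlan-interface1", "10.110.255.255", 55)))
```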


UDP Helper Configuration Example

Network requirements

The VLAN interface of a device has an IP address of 10.110.1.1/16, connecting to network segment 10.110.0.0/16. Specify to forward broadcast packets with destination UDP port 55 to destination server 202.38.1.2/24.

Network diagram

Figure 168 Network diagram for UDP Helper configuration

Configuration procedure

The following configuration assumes that the port connecting to the Internet belongs to VLAN1, and the route to network segment 202.38.1.0/24 is up.

1 Enable UDP Helper.

<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] udp-helper enable

2 Specify that broadcast packets whose destination UDP port is 55 are to be forwarded.

[3Com] udp-helper port 55

3 Specify the server with the IP address of 202.38.1.2 as the destination server to which UDP packets are to be forwarded.

[3Com] interface vlan 1
[3Com-Vlan-interface1] ip address 10.110.1.1 16
[3Com-Vlan-interface1] udp-helper server 202.38.1.2

[Network diagram: Switch (UDP Helper) with VLAN-Interface1 10.110.1.1/16 on Ethernet segment 10.110.0.0/16, connected through the Internet to Server 202.38.1.2/24 on Ethernet segment 202.38.1.0/24]


60 SSL CONFIGURATION

When configuring SSL, go to these sections for information you are interested in:

■ SSL Overview

■ Configuring SSL Server Policy

■ Configuring SSL Client Policy

■ Displaying and Maintaining SSL

■ Troubleshooting SSL Configuration

SSL Overview

SSL (Secure Socket Layer) is a security protocol that provides secure connections for TCP-based application layer protocols. The secure connection provided by SSL implements the following:

■ Confidentiality: SSL encrypts data using a symmetric encryption algorithm with the key generated during the handshake phase.

■ Authentication: SSL performs certificate-based authentication of the server and the client; authentication of the client is optional.

■ Reliability: SSL uses a key-based MAC (message authentication code) to verify the integrity of messages.

The SSL protocol includes two layers: the SSL record protocol at the lower layer, and the handshake protocol, SSL password change protocol and SSL alert protocol at the upper layer.

■ SSL record protocol: It fragments and compresses data from the upper layer, computes and appends a MAC, encrypts the result, and transmits the records to the peer end.

■ SSL handshake protocol: A session is initiated between the client and the server with the handshake protocol. The session includes a group of parameters: session ID, peer certificate, cipher suite (including the key exchange algorithm, data encryption algorithm and MAC algorithm), compression algorithm and master key. An SSL session can be shared by multiple connections to reduce session negotiation cost.

■ SSL password change protocol: The client and the server use the password change protocol to inform each other that the newly negotiated parameters take effect. Subsequent packets are protected and transmitted with the newly negotiated cipher suite and keys.

■ SSL alert protocol: Permits one entity to report an alert message, containing the alert level and description, to the other.


Configuring an SSL Server Policy

An SSL server policy is a set of SSL parameters used when the server is started. It takes effect only when associated with an application layer protocol (for example, HTTP).

Configuration Prerequisites

Before configuring the SSL server policy, you should configure a PKI (public key infrastructure) domain. For the details of PKI domain configuration, see the PKI Configuration module.

Configuring an SSL Server Policy

Follow these steps to configure an SSL server policy:

Table 412 Configuring an SSL Server Policy

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Create an SSL server policy and enter its view: ssl server-policy policy-name (Required)
■ Configure the PKI domain to which the SSL server policy belongs: pki-domain domain-name (Required)
■ Configure the cipher suites supported by the SSL server policy: ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] * (Optional. An SSL server policy supports all six cipher suites by default.)
■ Configure the handshake timeout time for the SSL server: handshake timeout time (Optional. 3600 seconds by default.)
■ Configure the close mode for SSL connections: close-mode wait (Optional. The close mode for SSL connections is non-wait by default.)
■ Configure the maximum number and timeout time of buffered sessions: session { cachesize size | timeout time } * (Optional. The maximum number is 500 and the timeout time is 3600 seconds by default.)
■ Enable certificate-based SSL client authentication: client-verify enable (Optional. Not enabled by default.)

Configuration Example for SSL Server Policy

Network requirements

■ A device works as the HTTPS server.

■ A host works as the client, interacting with the HTTP server through the SSL-based HTTP protocol.


Network diagram

Figure 169 Network diagram for SSL server policy

Configuration procedure

1 Configure SSL server policy.

<3Com> system
[3Com] ssl server-policy myssl
[3Com-ssl-server-policy-myssl] pki-domain 1
[3Com-ssl-server-policy-myssl] close-mode wait
[3Com-ssl-server-policy-myssl] quit

2 Configure the SSL policy adopted by the HTTPS server as myssl.

[3Com] ip https ssl-server-policy myssl

3 Enable HTTPS service.

[3Com] ip https enable

[Network diagram: Host (HTTPS client) connected over an IP network to Device (HTTPS server)]


Configuring an SSL Client Policy

An SSL client policy is a set of SSL parameters used by the client when connecting to the server. It takes effect only when associated with an application layer protocol (for example, HTTP).

Configuration Prerequisites

Before configuring the SSL client policy, you should configure a PKI domain first.

Configuring an SSL Client Policy

Follow these steps to configure an SSL client policy:

Table 413 Configuring an SSL Client Policy

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Create an SSL client policy and enter its view: ssl client-policy policy-name (Required)
■ Configure the PKI domain to which the SSL client policy belongs: pki-domain domain-name (Required)
■ Configure the preferred cipher suite for the SSL client policy: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } (Optional. The preferred cipher suite is rsa_rc4_128_md5 by default.)
■ Configure the SSL protocol version adopted by the SSL client policy: version { ssl3.0 | tls1.0 } (Optional. The SSL protocol version is TLS 1.0 by default.)

If the server needs to perform certificate-based authentication of the client, a local certificate for the SSL client must be acquired in the client’s PKI domain.

Displaying and Maintaining SSL

Table 414 Displaying and Maintaining SSL

To do…: Use the command… (Remarks)
■ Display SSL server policy information: display ssl server-policy { policy-name | all } (Available in any view)
■ Display SSL client policy information: display ssl client-policy { policy-name | all } (Available in any view)


Troubleshooting SSL Configuration

SSL Handshake Failure

Symptom

When the device works as the SSL server, its handshake with the SSL client fails.

Analysis

An SSL handshake failure may result from the following:

■ A network connection fault, for example a broken cable or a loose interface connection.

■ The SSL server certificate does not exist, or the certificate cannot be trusted.

■ The server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted.

■ The cipher suites supported by the SSL server and the client do not match.

Solution

1 Use the ping command to check the network connection.

2 Use the debugging ssl command to view the debugging information:

■ If the SSL server certificate does not exist, apply for one.

■ If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA that issued the server certificate, or have the server reapply for a certificate from a CA trusted by the SSL client.

■ If the server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, apply for and install a certificate for the client.

3 Use the display ssl server-policy command to view the cipher suites supported by the SSL server policy. If they do not match the cipher suites supported by the client, use the ciphersuite command to modify the cipher suites supported by the SSL server.
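Step 3 of the solution above compares the server policy's cipher suites with the client's. The following is an added example (not part of the 3Com guide) that performs that comparison with the suite names of Tables 412 and 413: it builds the client's offer from its prefer-cipher setting, picks the suite that would be negotiated, and on a mismatch prints the ciphersuite command that would resolve it. The negotiation rule (first suite in the client's order that the server enables) and the offer order are this example's assumptions, as is the legacy-suite note.

```python
"""Added example (not from the 3Com guide): cipher-suite mismatch check for
the SSL handshake troubleshooting step."""
from typing import List, Optional, Sequence

# Suites selectable with ciphersuite (server policy) and prefer-cipher (client policy).
CIPHER_SUITES: Sequence[str] = (
    "rsa_3des_ede_cbc_sha", "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha",
    "rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha",
)
SERVER_DEFAULT_SUITES = tuple(CIPHER_SUITES)   # server policy: all six by default
CLIENT_DEFAULT_PREFER = "rsa_rc4_128_md5"      # client policy: Table 413 default


def validate(suites: Sequence[str]) -> List[str]:
    """Reject suite names that are not in the tables (a mistyped name in the
    ciphersuite command is one common cause of an empty intersection)."""
    unknown = [s for s in suites if s not in CIPHER_SUITES]
    if unknown:
        raise ValueError("unknown cipher suite(s): " + ", ".join(unknown))
    return list(suites)


def client_offer(prefer: str = CLIENT_DEFAULT_PREFER,
                 supported: Sequence[str] = CIPHER_SUITES) -> List[str]:
    """Offer list of a client policy: the preferred suite first, then the rest
    (assumed order; the text only says which suite is preferred)."""
    validate([prefer])
    return [prefer] + [s for s in supported if s != prefer]


def negotiate(server_suites: Sequence[str], offer: Sequence[str]) -> Optional[str]:
    """First suite in the client's offer that the server policy enables, else None
    (the handshake fails)."""
    enabled = set(validate(server_suites))
    for suite in offer:
        if suite in enabled:
            return suite
    return None


def is_legacy(suite: str) -> bool:
    """RC4, DES/3DES and MD5 based suites are deprecated today (example's own note)."""
    return any(tag in suite for tag in ("rc4", "des", "md5"))


def diagnose(server_suites: Sequence[str], offer: Sequence[str]) -> str:
    """Troubleshooting step 3 in one call: report the outcome and, on a mismatch,
    the ciphersuite command that adds the client's preferred suite on the server."""
    chosen = negotiate(server_suites, offer)
    if chosen is not None:
        return "ok: negotiated " + chosen
    fix = " ".join(list(server_suites) + [offer[0]])
    note = " (note: %s is a legacy suite)" % offer[0] if is_legacy(offer[0]) else ""
    return "mismatch: server enables %s; client offers %s; suggested fix: ciphersuite %s%s" % (
        " ".join(server_suites), " ".join(offer), fix, note)


if __name__ == "__main__":
    # Constructed case: server policy narrowed to AES-256, client left at its default.
    print(diagnose(["rsa_aes_256_cbc_sha"], ["rsa_rc4_128_md5"]))
```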


61 HTTPS SERVER CONFIGURATION

When configuring the HTTPS server, go to these sections for information you are interested in:

■ HTTPS Server Overview

■ Associating HTTPS Server with SSL Server-end Policy

■ Enabling the Functions of HTTPS Server

■ Associating HTTPS Server with Certificate Access Control Policy

■ Associating HTTPS Server with ACL

■ Displaying and Maintaining HTTPS Server

■ Configuration Examples for HTTPS Server

HTTPS Server Overview

The HTTP Security (HTTPS) server is an HTTP server that supports the Secure Socket Layer (SSL) protocol.

In addition to the two security measures provided by the HTTP server, the HTTPS server further enhances security in the following aspects:

■ It uses the SSL protocol to ensure that legitimate clients access the HTTPS server securely and to reject illegitimate clients;

■ It encrypts the data exchanged between the HTTPS client and the HTTPS server to ensure the confidentiality and integrity of the data, thus securing management of the device;

■ It defines a certificate attribute-based access control policy for the HTTPS server to control the access rights of clients, further protecting against illegitimate clients.

The total number of HTTP connections and HTTPS connections on a device cannot exceed ten.


Associating HTTPS Server with SSL Server-end Policy

Associate the HTTPS server with an SSL server-end policy before enabling the functions of the HTTPS server.

Follow these steps to associate the HTTPS server with an SSL server-end policy:

Table 415 Associating HTTPS Server with SSL Server-end Policy

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Associate the HTTPS server with an SSL server-end policy: ip https ssl-server-policy policy-name (Required. The HTTPS server is not associated with an SSL server-end policy by default.)

■ If the ip https ssl-server-policy command is executed repeatedly, the HTTPS server is associated only with the last SSL server-end policy configured.

■ When the functions of the HTTPS server have been disabled, you need to re-associate the HTTPS server with an SSL server-end policy before enabling them again.

■ While the functions of the HTTPS server are enabled, modifications to its associated SSL server-end policy do not take effect.

Enabling the Functions of HTTPS Server

Before configuring the HTTPS server, make sure that the functions of the HTTPS server are enabled. Otherwise, the other related configurations cannot take effect.

Follow these steps to enable the functions of the HTTPS server:

Table 416 Enabling the Functions of HTTPS Server

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Enable the functions of the HTTPS server: ip https enable (Optional. The functions of the HTTPS server are disabled by default.)

Enabling the functions of the HTTPS server triggers an SSL handshake negotiation. If a local certificate of the device already exists, the SSL negotiation succeeds and the HTTPS server starts normally. If no local certificate exists, the SSL negotiation triggers a certificate application process. Because this process takes a long time, the SSL negotiation often fails and the HTTPS server cannot start normally; therefore, the ip https enable command must be executed multiple times to ensure normal startup of the HTTPS server.


Associating HTTPS Server with Certificate Access Control Policy

Associating the HTTPS server with a client certificate access control policy helps control the access rights of clients, providing the server with enhanced security.

Follow these steps to associate the HTTPS server with a certificate access control policy:

Table 417 Associating HTTPS Server with Certificate Access Control Policy

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Associate the HTTPS server with a certificate access control policy: ip https certificate access-control-policy policy-name (Optional. The HTTPS server is not associated with a certificate access control policy by default.)

■ If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS server is associated only with the last certificate access control policy configured.

■ If the HTTPS server is associated with a certificate access control policy, the client-verify enable command must be configured in the SSL server-end policy associated with the HTTPS server. Otherwise, the client cannot log in to the server.

Associating HTTPS Server with ACL

By associating the HTTPS server with an ACL, requests from some clients can be filtered out. Only the clients that pass ACL filtering are allowed to access the server.

Follow these steps to associate the HTTPS server with an ACL:

Table 418 Associating HTTPS Server with ACL

To do…: Use the command… (Remarks)
■ Enter system view: system-view
■ Associate the HTTPS server with an ACL: ip https acl acl-number (Optional. The HTTPS server is not associated with an ACL by default.)

If the ip https acl command is executed repeatedly, the HTTPS server is associated only with the last ACL configured.

Displaying and Maintaining HTTPS Server

After completing the above configurations, execute the display command in any view to display the operation status of the HTTPS server and verify the effect of the configuration.

Follow these steps to display and maintain the HTTPS server:

Table 419 Displaying and Maintaining HTTPS Server

To do…: Use the command…
■ Display the status information about the HTTPS server: display ip https


Configuration Examples for HTTPS Server

When a server running the Windows operating system is used as the CA, the Simple Certificate Enrollment Protocol (SCEP) plug-in is required. In this case, configure the PKI domain so that the entity requests the certificate from the RA, using the certificate request from ra command.

The SCEP plug-in is not needed when RSA Keon software is used. In this case, configure the PKI domain so that the entity requests the certificate from the CA, using the certificate request from ca command.

This section assumes that the Windows operating system is used on the CA server.

Network requirements

■ The HTTPS client logs on to the HTTPS server through Web network management to access and control the device.

■ The CA (certificate authority) issues a certificate to the HTTPS server.

Network diagram

Figure 170 Network diagram for HTTPS configuration (HTTPS client 10.1.1.2/24; HTTPS server 10.1.1.1/24 toward the client and 10.1.2.1/24 toward the CA; CA 10.1.2.2/24)

Configuration procedure

Perform the following configurations on the HTTPS server:

1 Apply for a certificate for the HTTPS server.

a Configure a PKI (Public Key Infrastructure) entity.

<3Com> system-view
[3Com] pki entity en
[3Com-pki-entity-en] common-name http-server1
[3Com-pki-entity-en] fqdn ssl.security.com
[3Com-pki-entity-en] quit

b Configure a PKI domain.

[3Com] pki domain 1
[3Com-pki-domain-1] ca identifier ca1


[3Com-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[3Com-pki-domain-1] certificate request from ra
[3Com-pki-domain-1] certificate request entity en
[3Com-pki-domain-1] quit

c Generate a key pair locally using the RSA (Rivest-Shamir-Adleman) algorithm.

[3Com] rsa local-key-pair create

d Obtain the CA certificate.

[3Com] pki retrieval-certificate ca domain 1

Because the CA certificate is fetched over plain HTTP from the registration server, configure root-certificate fingerprint in the PKI domain (see “Configuring Parameters for PKI Domain”) so that a substituted CA certificate is rejected rather than silently trusted.

e Request a local certificate.

[3Com] pki request-certificate domain 1

2 Configure an SSL server-end policy to be associated with the HTTPS server.

a Create a server-end policy named “myssl”.

[3Com] ssl server-policy myssl

b Set the PKI domain used by the server end to 1.

[3Com-ssl-server-policy-myssl] pki-domain 1

c Configure the server to require client authentication.

[3Com-ssl-server-policy-myssl] client-verify enable
[3Com-ssl-server-policy-myssl] quit

3 Associate the HTTPS server with the SSL server-end policy.

[3Com] ip https ssl-server-policy myssl

4 Enable the functions of the HTTPS server.

[3Com] ip https enable

■ For details of the PKI commands, refer to the PKI module.

■ For details of the rsa local-key-pair create command, refer to the SSH Terminal Service module.


62 PKI CONFIGURATION

When configuring PKI, go to these sections for information you are interested in:

■ Introduction to PKI

■ Introduction to PKI Configuration Task

■ PKI Certificate Request Configuration

■ PKI Certificate Validation Configuration

■ Display and Debug

■ Typical Configuration Examples

■ Troubleshooting

Introduction to PKI

The term “router” in this document refers to a Layer 3 switch running routing protocols. This is not noted again in the document.

Overview Public key infrastructure (PKI) is a system that uses public key technology and digital certificates to secure systems and authenticate the holders of digital certificates. It provides a complete set of security mechanisms by combining software and hardware systems with security policies. PKI uses certificates to manage public keys: it binds a user's public key to other identifying information through a trustworthy association, so that online authentication is possible. PKI provides a secure network environment and makes encryption and digital signature technologies easy to use in many application environments, to assure the confidentiality, integrity and validity of online data.

Confidentiality means that data in transit are readable only by authorized parties. Integrity means that only authorized parties can modify the data. Validity (availability) means that the data are available to authorized parties when needed.

A PKI system consists of a public key algorithm, a certificate authority, a registration authority, digital certificates, and a PKI repository.

Figure 171 PKI components block diagram (PKI application; CA; RA; PKI repository; digital certificate)


The certificate authority issues and manages certificates. The registration authority authenticates user identity and manages the certificate revocation list. The PKI repository stores and manages information such as certificates and logs, and provides a query function. A digital certificate, also called a public key certificate (PKC), underlies the security of the PKI system and the trust placed in applications. It is a file signed by the certificate authority that contains a public key and information about the key's owner, and it serves as proof of identity for online information exchange and commercial activities. A certificate has a lifetime, which is fixed when it is issued; the certificate authority can nevertheless revoke a certificate before its expiration date.

Terminology ■ Public key algorithm: A key algorithm in which the encryption key and the decryption key differ. Keys are generated for users in pairs: one is published as the public key, the other is kept secret as the private key. What one key encrypts only the other can decrypt, so the pair is generally used for signature and authentication. If the sender signs with its private key, the receiver verifies the signature with the sender's public key. If the sender encrypts information with the receiver's public key, only the receiver's private key can decrypt it.

■ Certificate authority (CA): A trusted entity that issues certificates to persons, PCs or other entities. The CA handles certificate requests and checks applicant information according to its certificate management policy, then signs the certificate with its private key and issues it.

■ Registration authority (RA): An extension of the CA. It forwards entities' certificate requests to the CA, and forwards digital certificates and the certificate revocation list to the directory server for directory browsing and queries.

■ Lightweight directory access protocol (LDAP) server: LDAP provides a means of accessing the PKI repository, for accessing and managing PKI information. The LDAP server supports directory browsing and enlists user information and digital certificates from the RA server, so a user can obtain his own or others' certificates by accessing the LDAP server.

■ Certificate revocation list (CRL): A certificate has a lifetime, but the CA can revoke it before its expiration date, for example if the private key is leaked or the service ends. Once a certificate is revoked, the CA releases a CRL that announces its invalidity; the CRL lists the serial numbers of the revoked certificates. The CRL, stored on the LDAP server, provides an effective way to check the validity of certificates and offers centralized management of user notification and other applications.

Applications PKI comprises a set of security services provided using public key technology and X.509 certificates in distributed computing systems. Certificates can be issued for various purposes, such as Web user identity authentication, Web server identity authentication, secure email using S/MIME (Secure/Multipurpose Internet Mail Extensions), virtual private networks (VPN), IP Security (IPsec), Internet Key Exchange (IKE), and Secure Sockets Layer/Transport Layer Security (SSL/TLS). One CA can issue certificates to another CA to establish a certification hierarchy.


Introduction to PKI Configuration Task

The purpose of configuring PKI is to obtain a local certificate from the CA for the specified device and to enable the device to check the validity of certificates.

Table 420 Introduction to PKI Configuration Task

Configure a PKI certificate request:
  Entering PKI Domain View (Required)
  Configuring a Trustworthy CA (Required)
  Configuring Parameters for PKI Domain (Required)
  Configuring Entity Name Space (Required)
  Creating a Local Public – Private Key Pair (Required)
  Configuring Polling Interval and Count (Optional)
  Configuring Certificate Request Mode (Optional)
  Delivering a Certificate Request Manually (Optional)
  Retrieving a Certificate Manually (Optional)
  Importing a Certificate (Optional)
  Deleting a Certificate (Optional)
Configure PKI certificate validation (Optional)
Configure a certificate attribute access control policy (Optional)

Configuring PKI Certificate Request

A certificate request is the process by which an entity introduces itself to the CA. The identity information the entity provides will be contained in the certificate issued later. The CA uses a set of criteria to check the applicant's credibility, the purpose of the request and the reliability of the claimed identity, to ensure that certificates are bound to the correct identity. Offline, non-automatic out-of-band identity checks (by phone, on storage media or by email, for example) may be required in this process. If the process succeeds, the CA issues a certificate to the user and publishes it with some public information on the LDAP server for directory browsing. The user can then download its own public key certificate from the notified location, and obtain those of others through the LDAP server.

Entering PKI Domain View

A PKI domain resides on the local device and is invisible to the CA and other devices. It does not interfere with the relationship between user management and the individual users. The purpose of a PKI domain is to give other applications (such as IKE and SSL) an easy way to reference a PKI configuration.

Follow these steps to enter PKI domain view:

Table 421 Entering PKI Domain View

Enter system view
  Command: system-view

Specify a PKI domain name and enter domain view
  Command: pki domain name
  Remarks: Optional. No PKI domain name is specified by default.


A device may belong to two or more PKI domains, each of which needs its own configuration; the parameters configured in PKI domain view serve this purpose. Currently, however, a device supports only two PKI domains. If the device already belongs to two PKI domains, you need to delete an existing domain before you can use a new one.

Configuring a Trustworthy CA

Trustworthy CAs provide registration service and issue certificates to entities. They are essential to PKI: only when a CA trusted by all parties is available can users enjoy the security services of public key technology.

Follow these steps to configure a trustworthy CA:

Table 422 Configuring a Trustworthy CA

Enter system view
  Command: system-view

Specify a PKI domain name and enter domain view
  Command: pki domain name

Specify a trustworthy CA
  Command: ca identifier name
  Remarks: Optional. No trustworthy CA is specified by default.

The set of standards a CA uses in request processing, certificate issuing and revocation, and CRL release is called the CA policy. In general, a CA publishes its policy in a certification practice statement (CPS). The CA policy can be obtained out of band or by other means. You should understand a CA's policy before choosing it, because different CAs may use different methods to verify the binding between a public key and its subject.

You need the CA identifier only when obtaining CA certificates, not when applying for local certificates.


Configuring Parameters for PKI Domain

An entity is required for a certificate request; it is used to prove the identity to the CA. For information about the entity-name argument, refer to “Configuring Entity Name Space”.

Registration management is often implemented by an independent registration authority (RA), which handles certificate requests, examines the entity's qualifications and decides on behalf of the CA whether or not to issue the digital certificate. The RA does not issue the certificate; the CA does. Sometimes no independent RA is set up. That does not mean the registration function of PKI is disabled; the CA takes over the registration management.

The location (URL) of the registration server needs to be specified. Entities then present their certificate requests to this server using the Simple Certificate Enrollment Protocol (SCEP, a protocol for communicating with a certification authority).

Storage of entity certificates and CRL information is essential to a PKI system. Usually an LDAP directory server is used for this.

When it receives its identity certificate from the CA, the router uses the root certificate of the CA to verify the authenticity and validity of the identity certificate. When it receives the root certificate itself from the CA, the router must authenticate the fingerprint of the CA root certificate, a hash of the content of the root certificate that uniquely identifies it. If the fingerprint of the received root certificate is not identical to the one configured with the command described here, the router rejects the root certificate. Nothing else authenticates a CA certificate received over the HTTP connection to the registration server, so obtain the fingerprint out of band from the CA operator, and prefer sha1 over md5, since MD5 collisions are practical.

Follow these steps to configure the parameters of a PKI domain, including the certificate request server:

Table 423 Configuring Parameters for PKI Domain

Enter system view
  Command: system-view

Specify a PKI domain name and enter domain view
  Command: pki domain name

Specify the entity for certificate request
  Command: certificate request entity entity-name
  Remarks: Required. By default, no entity is specified for certificate request.

Choose between CA and RA as the registration organization
  Command: certificate request from { ca | ra }
  Remarks: Required. By default, no registration organization is specified.

Specify the location of a registration server
  Command: certificate request url url-string
  Remarks: Required. By default, no registration server location is specified.

Specify the IP address of an LDAP server
  Command: ldap-server ip ip-address [ port port-number ] [ version version-number ]
  Remarks: Optional. By default, no IP address or port is specified for the LDAP server. Currently LDAP version 2 is used.

Configure the fingerprint for authenticating the root certificate
  Command: root-certificate fingerprint { md5 | sha1 } string
  Remarks: Optional. By default, no fingerprint is configured for authenticating the root certificate.
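Worked example of the root certificate fingerprint check described above, added here as an illustration; it is not code from this guide or from the switch firmware. It assumes the fingerprint is the MD5 or SHA-1 digest of the DER encoding of the CA certificate, compared with the hex string the operator configured. The certificate bytes are a constructed stand-in, not a real certificate, and the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a CA root certificate. A real root certificate is an
# X.509 DER blob; these bytes are arbitrary and only feed the digest computation.
FAKE_ROOT_DER = b"\x30\x82\x01\x0a" + b"example-root-certificate-body" * 4

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_der(cert: bytes) -> bytes:
    """Accept a certificate as DER or PEM and return its DER bytes.

    The fingerprint is always computed over the DER encoding. Hashing the PEM
    text (header lines plus base64 line breaks) gives a different value, which
    is a common reason a correct fingerprint fails to match on the device.
    """
    text = cert.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        body = text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
        return base64.b64decode("".join(body.split()))
    return cert


def fingerprint(cert: bytes, algorithm: str) -> str:
    """Lowercase hex digest (md5 or sha1, the two the command accepts) of the DER form."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    return hashlib.new(algorithm, to_der(cert)).hexdigest()


def normalize(configured: str) -> str:
    """Strip colons, spaces and case from an operator-entered fingerprint string."""
    return re.sub(r"[^0-9a-f]", "", configured.lower())


def root_certificate_accepted(cert: bytes, algorithm: str, configured: str) -> bool:
    """Model of the device's check: accept the CA certificate only when its
    fingerprint equals the configured one. A malformed configured value fails
    closed, and the comparison is constant-time so it leaks nothing about
    how many leading bytes matched."""
    expected = normalize(configured)
    if len(expected) != (32 if algorithm == "md5" else 40):
        return False
    return hmac.compare_digest(fingerprint(cert, algorithm), expected)


def pem_encode(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\n".join([PEM_HEADER] + lines + [PEM_FOOTER]) + "\n").encode("ascii")


if __name__ == "__main__":
    good = fingerprint(FAKE_ROOT_DER, "sha1")
    print("sha1 fingerprint:", ":".join(good[i:i + 2] for i in range(0, 40, 2)))
    print("DER accepted:     ", root_certificate_accepted(FAKE_ROOT_DER, "sha1", good))
    print("PEM accepted:     ", root_certificate_accepted(pem_encode(FAKE_ROOT_DER), "sha1", good))
    print("wrong fp accepted:", root_certificate_accepted(FAKE_ROOT_DER, "sha1", "00" * 20))
```

The PEM path matters in practice: the value printed by most CA tools is the digest of the DER certificate, so a fingerprint taken over the PEM file with a generic hashing tool will never match what the device computes.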


Configuring Entity Name Space

The entity name space specifies the set of names available to entities. Each CA describes an entity with the information it considers important. A unique identifier, the distinguished name (DN), identifies an entity. It consists of several parts, such as the user's common name, organization, country and owner name, and must be unique on the network.

The entity configuration must comply with the CA's certificate issuing policy, for example with respect to which parameters are mandatory and which are optional. Otherwise the certificate request may be rejected.

Follow these steps to configure an entity name:

Table 424 Configuring Entity Name Space

Enter system view
  Command: system-view

Specify an entity name and enter entity view
  Command: pki entity name

Specify the FQDN for an entity
  Command: fqdn name-str
  Remarks: Optional. By default, no entity FQDN is specified.

Specify the IP address for an entity
  Command: ip ip-address
  Remarks: Optional. By default, no IP address is specified.

Specify the country code for an entity
  Command: country country-code-str
  Remarks: Optional. By default, no country code is specified.

Specify the state or province for an entity
  Command: state state-name
  Remarks: Optional. By default, no state name is specified.

Specify the geographic locality for an entity
  Command: locality locality-name
  Remarks: Optional. By default, no locality name is specified.

Specify the organization name for an entity
  Command: organization org-name
  Remarks: Optional. By default, no organization is specified.

Specify the unit name for an entity
  Command: organization-unit org-unit-name
  Remarks: Optional. By default, no unit name is specified.

Specify the common name for an entity
  Command: common-name name
  Remarks: Optional. By default, no common name is specified.

The entity name must be the one specified in the PKI domain with the certificate request entity entity-name command; otherwise the certificate request fails. The entity name itself is only a label for referencing the entity on the device and does not appear as a certificate field.

The Windows 2000 CA server imposes restrictions on the data length of certificates. If the configured entity information exceeds a certain length, the Windows 2000 CA server does not respond to certificate requests.

The fully qualified domain name (FQDN) is a unique identifier of the entity on the network, for example an email address. It usually has the form user.domain and can be resolved to an IP address; functionally it is equivalent to the IP address. This configuration is optional.

The country code consists of two standard characters, for example CN for China and US for the United States.

Creating a Local Public – Private Key Pair

A key pair is generated for the certificate request: one public key and one private key. The private key is held by the user, while the public key and other information are sent to the CA for signing and then generation of the certificate. Each certificate has a lifetime determined by the issuing CA. When the private key is leaked or the current certificate is about to expire, you have to delete the old key pair; another key pair can then be generated for a new certificate.

If an RSA key pair already exists when you create a local key pair, the system prompts whether to replace it. The minimum length of a host key is 512 bits and the maximum is 2048 bits. Use 2048 bits: 512-bit RSA keys can be factored with modest resources and 1024-bit keys are no longer considered adequate, and the key length is fixed for the life of the certificate issued for it.

Follow these steps to create a local RSA key pair:

Table 425 Create a Local RSA Key Pair

Enter system view
  Command: system-view

Create an RSA key pair
  Command: rsa local-key-pair create
  Remarks: Required. By default, no local RSA key pair exists.

Follow these steps to destroy a local RSA key pair:

Table 426 Destroy a Local RSA Key Pair

Enter system view
  Command: system-view

Destroy an RSA key pair
  Command: rsa local-key-pair destroy
  Remarks: Optional

For detailed configuration, see the related commands in the SSH Terminal Service module.

CAUTION:

■ If a local certificate already exists, do not create another key pair. To keep the key pair and the certificate consistent, first delete the existing certificate and then create a new key pair.

■ If a local RSA key pair exists, the newly generated key pair overwrites it.

■ The key pairs were originally introduced for SSH. The local server regularly updates its server key pair; the host key pair used in the certificate request, however, remains unchanged.


Configuring Polling Interval and Count

If the CA examines certificate requests manually, a long time may pass before the certificate is issued. During this period the device needs to query the request status periodically so that it obtains the certificate soon after it is issued.

Follow these steps to configure the polling interval and count:

Table 427 Configuring Polling Interval and Count

Enter system view
  Command: system-view

Specify a PKI domain name and enter domain view
  Command: pki domain name
  Remarks: Required. By default, no PKI domain name is specified.

Configure the polling interval and count
  Command: certificate request polling { interval minutes | count count }
  Remarks: Optional. By default, the request polling message is sent 50 times at an interval of 20 minutes.

Configuring Certificate Request Mode

The request mode can be manual or auto. In auto mode the device automatically requests a certificate through SCEP when it has none, and requests a new one when the current one is about to expire. In manual mode, all related configuration and operations must be carried out manually.

Follow these steps to configure the certificate request mode:

Table 428 Configuring Certificate Request Mode

Enter system view
  Command: system-view

Specify a PKI domain name and enter domain view
  Command: pki domain name

Configure the certificate request mode
  Command: certificate request mode { manual | auto [ key-length key-length | password { simple | cipher } password ]* }
  Remarks: Optional. By default, manual mode is used.

Delivering a Certificate Request Manually

A certificate request is completed with the user's public key and the other registered information. Once everything is configured, you can deliver the certificate request to the PKI RA.

Follow these steps to deliver a certificate request:

Table 429 Delivering a Certificate Request Manually

Enter system view
  Command: system-view

Deliver a certificate request
  Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
  Remarks: Required


CAUTION: If a local certificate already exists, the certificate request operation is not allowed, to prevent inconsistency between the certificate and the registration information after a configuration change. To request a new certificate, first delete the existing local certificate and all locally stored CA certificates with the pki delete-certificate command.

■ If you cannot send the certificate request to the CA using SCEP, use the pkcs10 keyword to print out the request information, copy it, and send it to the CA out of band.

■ Before you deliver the certificate request, make sure the clocks of the entity and the CA are synchronized. Otherwise the validity period of the certificate will be wrong: a certificate issued against the CA's clock can appear not yet valid, or already expired, on the device.

■ This operation is not saved in the configuration.

Retrieving a Certificate Manually

Certificate retrieval serves two purposes: storing locally the certificates related to the local security domain, to improve query efficiency, and preparing for certificate validation.

When downloading a digital certificate, use the local keyword for a local certificate and the ca keyword for a CA certificate.

Follow these steps to retrieve a certificate:

Table 430 Retrieving a Certificate Manually

Enter system view
  Command: system-view

Retrieve a certificate and download it locally
  Command: pki retrieval-certificate { local | ca } domain domain-name
  Remarks: Required

CAUTION:

■ If a CA certificate already exists locally, the CA certificate retrieval operation is not allowed, to prevent inconsistency between the certificate and the registration information after a configuration change. To obtain a new certificate, first delete the existing CA and local certificates with the pki delete-certificate command.

■ This operation is not saved in the configuration.

Importing a Certificate

You can import an existing local certificate or CA certificate obtained out of band by performing the following configuration.

Follow these steps to import a certificate:

Table 431 Importing a Certificate

Enter system view
  Command: system-view

Import a certificate
  Command: pki import-certificate { local | ca } domain domain-name { der | p12 | pem } [ filename filename ]
  Remarks: Required


Deleting a Certificate

You can delete an existing local certificate or CA certificate.

Follow these steps to delete a certificate:

Table 432 Deleting a Certificate

Enter system view
  Command: system-view

Delete a certificate
  Command: pki delete-certificate { local | ca } domain domain-name
  Remarks: Required

Configuring PKI Certificate Validation

At every stage of data communication, both parties should verify the validity of the corresponding certificates, including the issue time, the issuer and the validity period. The core of the check is to verify the signature of the CA and to make sure the certificate is still valid. The CA is trusted never to issue fake certificates, so every certificate with an authentic CA signature that is within its validity period and has not been revoked passes the check. For example, if you receive an email containing a certificate with a public key, with the mail encrypted using that public key and signed with the corresponding private key, you need to verify this certificate to determine whether it is valid and trustworthy.

Follow these steps to configure PKI certificate validation:

Table 433 Configuring PKI Certificate Validation

Enter system view
  Command: system-view

Specify a PKI domain name and enter domain view
  Command: pki domain name

Specify the CRL distribution point location
  Command: crl url url-string
  Remarks: Required. By default, no CRL distribution point location is specified.

Specify the CRL update period
  Command: crl update period hours
  Remarks: Optional. By default, CRLs are updated according to their validity period.

Enable or disable CRL checking
  Command: crl check { enable | disable }
  Remarks: Optional. By default, CRL checking is enabled.

Exit to system view
  Command: quit

Retrieve a CRL and download it locally
  Command: pki retrieval-crl domain domain-name
  Remarks: Optional

Verify the validity of a certificate
  Command: pki validate-certificate { local | ca } domain domain-name
  Remarks: Optional


The CRL update period is the interval at which CRLs are downloaded from the CRL access server to the local device. A manually configured CRL update period takes priority over the validity period specified in the CRL itself. Like a certificate's validity period, the CRL validity period is a field in the CRL file.

CRLs are downloaded to verify the validity of certificates on the local device. Neither the retrieval operation nor the CRL file itself is saved in the configuration.

Use the local keyword to verify a local certificate and the ca keyword to verify a CA certificate.

Disabling CRL checking means that a certificate revoked because its private key was leaked is still accepted; disable it only as a deliberate, temporary exception, and make sure the CRL distribution point stays reachable so that CRLs are refreshed before they expire.
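The checks that certificate validation performs, modelled as a small Python program. This is an added example, not code from the guide or from the device: the certificate and CRL records are constructed inline, the CA signature over the certificate is assumed to have been verified already, and the five-minute clock tolerance, the field names and the function name are this example's own assumptions. The crl_check flag shows what crl check disable gives up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


def check_certificate(cert: Certificate, domain_ca: str, crl: Optional[CRL], now: datetime,
                      crl_check: bool = True, clock_skew: timedelta = timedelta(minutes=5)) -> str:
    """Return "ok" if the certificate passes every check, otherwise the reason it fails.

    Assumed already done: verification of the CA signature with the CA certificate
    of the PKI domain. This model covers the issuer, validity period and CRL checks.
    """
    if cert.issuer != domain_ca:
        return f"issuer {cert.issuer!r} is not the CA of this PKI domain"
    # Validity period, with a small tolerance for clock skew. A clock that is far
    # out of sync with the CA still rejects a perfectly good certificate.
    if now + clock_skew < cert.not_before:
        return "certificate not yet valid (is the entity clock behind the CA?)"
    if now - clock_skew > cert.not_after:
        return "certificate expired"
    if not crl_check:
        return "ok"  # crl check disable: revocation is deliberately not consulted
    if crl is None:
        return "CRL check is enabled but no CRL has been retrieved for the domain"
    if crl.issuer != cert.issuer:
        return "CRL was issued by a different CA than the certificate"
    if now > crl.next_update:
        return "CRL is past its next-update time; retrieve a fresh CRL first"
    if cert.serial in crl.revoked_serials:
        return f"certificate serial {cert.serial:#x} is listed in the CRL"
    return "ok"


# Constructed sample data with a fixed "now" so the run is reproducible.
NOW = datetime(2008, 2, 15, 12, 0, tzinfo=timezone.utc)
DOMAIN_CA = "CN=ca1"
GOOD = Certificate(0x1001, "CN=http-server1", DOMAIN_CA, NOW - timedelta(days=30), NOW + timedelta(days=335))
REVOKED = Certificate(0x1002, "CN=old-server", DOMAIN_CA, NOW - timedelta(days=60), NOW + timedelta(days=305))
EXPIRED = Certificate(0x1003, "CN=stale", DOMAIN_CA, NOW - timedelta(days=400), NOW - timedelta(days=35))
FOREIGN = Certificate(0x1004, "CN=http-server1", "CN=other-ca", NOW - timedelta(days=1), NOW + timedelta(days=1))
# Issued 3 minutes "in the future" relative to the device clock: inside the skew tolerance.
NEARLY_VALID = Certificate(0x1005, "CN=early", DOMAIN_CA, NOW + timedelta(minutes=3), NOW + timedelta(days=365))
# Issued 10 minutes in the future: outside the tolerance, so the clocks are out of sync.
TOO_EARLY = Certificate(0x1006, "CN=earlier", DOMAIN_CA, NOW + timedelta(minutes=10), NOW + timedelta(days=365))

FRESH_CRL = CRL(DOMAIN_CA, NOW - timedelta(hours=6), NOW + timedelta(hours=18), frozenset({0x1002}))
STALE_CRL = CRL(DOMAIN_CA, NOW - timedelta(days=9), NOW - timedelta(days=2), frozenset({0x1002}))

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("revoked", REVOKED), ("expired", EXPIRED), ("foreign", FOREIGN)]:
        print(f"{label:8} {check_certificate(cert, DOMAIN_CA, FRESH_CRL, NOW)}")
    print("stale crl", check_certificate(GOOD, DOMAIN_CA, STALE_CRL, NOW))
    print("no check ", check_certificate(REVOKED, DOMAIN_CA, None, NOW, crl_check=False))
```

Note the order of the checks: a stale CRL is reported before revocation status is consulted, because a CRL past its next-update time says nothing reliable about certificates revoked since it was issued.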

Configuring a Certificate Attribute Access Control Policy

A certificate attribute access control policy lets an application such as the HTTPS server accept or reject a client according to the contents of the client's certificate: the issuer name, the subject name and the alternate subject name. Attribute rules (ctn: contains, equ: equals, nctn: does not contain, nequ: does not equal) are collected in certificate attribute groups, and the rules of the policy permit or deny the certificates that match a group.

Follow these steps to configure a certificate attribute access control policy:

Table 434 Configure a certificate attribute-based access control policy

Enter system view
  Command: system-view

Create a certificate attribute group and enter certificate attribute group view
  Command: pki certificate attribute-group group-name
  Remarks: Required. By default, no certificate attribute group is created.

Configure an attribute rule for the certificate issuer name, subject name or alternate subject name
  Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
  Remarks: Optional. By default, there is no rule for the certificate issuer name, subject name or alternate subject name.

Quit to system view
  Command: quit

Create a certificate attribute access control policy and enter certificate attribute access control policy view
  Command: pki certificate access-control-policy policy-name
  Remarks: Required. By default, no certificate attribute access control policy is created.

Create a certificate attribute control rule
  Command: rule [ id ] { permit | deny } group-name
  Remarks: Optional. By default, no certificate attribute control rule is created.

CAUTION: The alternate certificate subject name attribute is not represented as a distinguished name; therefore the dn keyword is not available when you configure a rule on the alternate subject name.

When creating a certificate attribute control rule with the rule command, make sure the certificate attribute group identified by the group-name argument exists.
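An added example, not code from the guide or the product, that parses attribute and rule commands in the syntax of Table 434 and evaluates the resulting policy against client certificates. It assumes that ctn, equ, nctn and nequ mean contains, equals, does not contain and does not equal; that a group matches when every attribute rule in it matches; that policy rules are tried in ascending id order with the first match deciding; that a certificate matching no rule is denied; and that a rule on a field the certificate lacks does not match. The group and policy names, the certificate contents and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Command syntax of the attribute and rule commands in Table 434.
ATTR_RE = re.compile(
    r"^attribute\s+(\d+)\s+(alt-subject-name|issuer-name|subject-name)"
    r"\s+(dn|fqdn|ip)\s+(ctn|equ|nctn|nequ)\s+(\S+)$"
)
RULE_RE = re.compile(r"^rule\s+(?:(\d+)\s+)?(permit|deny)\s+(\S+)$")


@dataclass(frozen=True)
class AttributeRule:
    rule_id: int
    name: str    # issuer-name | subject-name | alt-subject-name
    form: str    # dn | fqdn | ip
    op: str      # ctn | equ | nctn | nequ
    value: str

    def matches(self, cert: Dict[str, str]) -> bool:
        actual = cert.get(f"{self.name}/{self.form}")
        if actual is None:
            # Assumption: a certificate without the field never satisfies the
            # rule, even for nctn/nequ, so an absent attribute fails closed.
            return False
        actual, value = actual.lower(), self.value.lower()
        if self.op == "equ":
            return actual == value
        if self.op == "nequ":
            return actual != value
        if self.op == "ctn":
            return value in actual
        return value not in actual  # nctn


@dataclass(frozen=True)
class PolicyRule:
    rule_id: int
    action: str       # permit | deny
    group_name: str


def parse_attribute_group(lines: List[str]) -> List[AttributeRule]:
    """Parse the attribute commands entered in one certificate attribute group view."""
    rules: List[AttributeRule] = []
    for line in lines:
        m = ATTR_RE.match(line.strip())
        if not m:
            raise ValueError(f"bad attribute command: {line!r}")
        rule_id, name, form, op, value = m.groups()
        if name == "alt-subject-name" and form == "dn":
            raise ValueError("alt-subject-name does not take the dn keyword")
        rules.append(AttributeRule(int(rule_id), name, form, op, value))
    return rules


def parse_policy(lines: List[str], groups: Dict[str, List[AttributeRule]]) -> List[PolicyRule]:
    """Parse the rule commands of one access control policy view; groups must already exist."""
    rules: List[PolicyRule] = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"bad rule command: {line!r}")
        rule_id, action, group_name = m.groups()
        if group_name not in groups:
            raise ValueError(f"certificate attribute group {group_name!r} does not exist")
        # Assumption: an omitted id is allocated after the highest id so far.
        rid = int(rule_id) if rule_id else max((r.rule_id for r in rules), default=0) + 1
        rules.append(PolicyRule(rid, action, group_name))
    return rules


def evaluate(policy: List[PolicyRule], groups: Dict[str, List[AttributeRule]],
             cert: Dict[str, str]) -> str:
    """Return "permit" or "deny" for a client certificate under the stated assumptions."""
    for rule in sorted(policy, key=lambda r: r.rule_id):
        group = groups[rule.group_name]
        # An empty group matches nothing, so all([]) cannot permit by accident.
        if group and all(a.matches(cert) for a in group):
            return rule.action
    return "deny"  # no rule matched: default deny


# Constructed configuration: group names, policy and certificate contents are made up.
GROUPS = {
    "admins": parse_attribute_group(["attribute 1 subject-name dn ctn ou=admin",
                                     "attribute 2 issuer-name dn equ cn=ca1,o=example"]),
    "blocked-host": parse_attribute_group(["attribute 1 alt-subject-name ip equ 10.1.1.2"]),
}
POLICY = parse_policy(["rule 1 deny blocked-host", "rule permit admins"], GROUPS)

ADMIN_CERT = {"subject-name/dn": "cn=alice,ou=admin,o=example",
              "issuer-name/dn": "cn=ca1,o=example", "alt-subject-name/ip": "10.1.1.9"}
BLOCKED_CERT = {**ADMIN_CERT, "alt-subject-name/ip": "10.1.1.2"}
GUEST_CERT = {"subject-name/dn": "cn=bob,ou=guest,o=example", "issuer-name/dn": "cn=ca1,o=example"}

if __name__ == "__main__":
    for label, cert in [("admin", ADMIN_CERT), ("blocked", BLOCKED_CERT), ("guest", GUEST_CERT)]:
        print(f"{label}: {evaluate(POLICY, GROUPS, cert)}")
```

The deny rule is given the lower id so that a blocked host is refused even when its certificate also satisfies the admins group; with a first-match policy the order of the rules is part of the security decision.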


Displaying and Maintaining PKI

Follow these steps to display and maintain PKI:

Table 435 Displaying and Maintaining PKI

Display certificates
  Command: display pki certificate { { ca | local } domain domain-name | request-status }
  Remarks: Available in any view

Display CRLs
  Command: display pki crl domain domain-name
  Remarks: Available in any view

Display a certificate attribute group
  Command: display pki certificate attribute-group { group-name | all }
  Remarks: Available in any view

Display a certificate attribute access control policy
  Command: display pki certificate access-control-policy { policy-name | all }
  Remarks: Available in any view

The certificate format and fields comply with the X.509 standard. All kinds of identifying information about the user and the CA are included, such as the user's email address, the public key of the certificate holder, and the issuer, serial number and validity period of the certificate.

The CRL also complies with X.509, covering version, signature algorithm, issuer name, this update, next update, signature value, and the serial number and revocation date of each revoked certificate.

Typical Configuration Examples

CAUTION:

■ When a server running the Windows operating system is used as the CA, the Simple Certificate Enrollment Protocol (SCEP) plug-in is required. In this case, configure the PKI domain so that the entity requests the certificate from the RA, using the certificate request from ra command.

■ The SCEP plug-in is not needed when RSA Keon software is used. In this case, configure the PKI domain so that the entity requests the certificate from the CA, using the certificate request from ca command.

■ This section assumes that RSA Keon software is used on the CA server.

PKI Certificate Request to CA

Network requirements

The device is connected to the CA server through an IP network and is configured to request a certificate from the RSA CA.

Network diagram

Figure 172 Network diagram for PKI certificate request to CA


Configuration procedure

1 Configure entity name space.

<SysnameCA> system-view
[SysnameCA] pki entity torsa
[SysnameCA-pki-entity-torsa] common-name 1
[SysnameCA-pki-entity-torsa] quit

2 Configure parameters for the PKI domain. (The URLs of the registration authority servers used for certificate requests vary depending on the CA server. The configuration shown here is an example only; configure the device according to actual conditions.)

[SysnameCA] pki domain torsa
[SysnameCA-pki-domain-torsa] ca identifier rsa
[SysnameCA-pki-domain-torsa] certificate request url http://4.4.4.133:446/6953bf7fb5b1cf514376243ce67ebed1209c292a
[SysnameCA-pki-domain-torsa] certificate request from ca
[SysnameCA-pki-domain-torsa] certificate request entity torsa
[SysnameCA-pki-domain-torsa] crl url http://4.4.4.133:447/security_rsa.crl
[SysnameCA-pki-domain-torsa] quit

3 Create a local key pair by using RSA.

[SysnameCA] rsa local-key-pair create

4 Request a certificate.

[SysnameCA] pki retrieval-certificate ca domain torsa
[SysnameCA] pki retrieval-crl domain torsa
[SysnameCA] pki request-certificate domain torsa challenge-word

ACL Policy Based on Certificate Attribute

Network requirements

■ Clients access the device remotely using the HTTP Security (HTTPS) protocol.

■ Authorized clients log in to the HTTPS server securely over SSL.

■ An ACL policy based on certificate attributes is created for the HTTPS server to restrict client access.

Networking diagram

Figure 173 Networking diagram of ACL policy based on certificate attribute

[Figure 173 shows the Host (HTTPS client) and the Device (HTTPS server) connected through an IP network.]


Configuration procedure

■ For SSL configuration, refer to “SSL Configuration”.

■ For HTTPS configuration, refer to “HTTPS Server Configuration”.

1 Configure the HTTPS server

a Configure the SSL policy used by the HTTPS server. The PKI domain to be referenced must already exist.

<SysnameCA> system-view
[SysnameCA] ssl server-policy myssl
[SysnameCA-ssl-server-policy-myssl] pki-domain 1
[SysnameCA-ssl-server-policy-myssl] close-mode wait
[SysnameCA-ssl-server-policy-myssl] client-verify enable
[SysnameCA-ssl-server-policy-myssl] quit

2 Configure the certificate attribute group

a Configure the certificate attribute group mygroup1 and create two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1.

[SysnameCA] pki certificate attribute-group mygroup1
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[SysnameCA-pki-cert-attribute-group-mygroup1] quit

b Configure the certificate attribute group mygroup2 and create two attribute rules. The first rule defines that the FQDN of the subject name does not include the string apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc.

[SysnameCA] pki certificate attribute-group mygroup2
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup2] quit

3 Configure the certificate access control policy

Configure the certificate access control policy myacp and create two access control rules.

[SysnameCA] pki certificate access-control-policy myacp
[SysnameCA-pki-cert-acp-myacp] rule 1 deny mygroup1
[SysnameCA-pki-cert-acp-myacp] rule 2 permit mygroup2
[SysnameCA-pki-cert-acp-myacp] quit

4 Associate the HTTPS server with the corresponding policies, and start the HTTPS server.

a Specify myssl as the SSL server policy used by the HTTPS server.

[SysnameCA] ip https ssl-server-policy myssl

b Specify myacp as the certificate access control policy used by the HTTPS server.

[SysnameCA] ip https certificate access-control-policy myacp

c Start the HTTPS server.

[SysnameCA] ip https enable
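To make the effect of the attribute groups and access control rules above concrete, here is an added Python model of how such a policy filters client certificates; it is illustrative code, not 3Com's implementation. It assumes that a certificate matches an attribute group only when every attribute rule in the group matches, that rules are tried in ascending rule-ID order with the first match deciding, and that a certificate matching no rule is denied; the nequ operator and all sample certificates are constructed and do not appear on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed certificate model: maps the (name, type) pair an attribute rule
# inspects, e.g. ("subject-name", "dn"), to the values found in the certificate
# (a list, because a SubjectAltName extension may carry several FQDNs).
Cert = Dict[Tuple[str, str], List[str]]

# Match operators of the attribute rule syntax: ctn/nctn/equ are on the page;
# nequ (not equal) is added here as the complement of equ (assumption).
OPERATORS = {
    "ctn":  lambda values, want: any(want in v for v in values),
    "nctn": lambda values, want: not any(want in v for v in values),
    "equ":  lambda values, want: want in values,
    "nequ": lambda values, want: want not in values,
}


@dataclass(frozen=True)
class Attribute:
    """One 'attribute <id> <name> <type> <op> <value>' line of a group."""
    id: int
    name: str    # subject-name | issuer-name | alt-subject-name
    kind: str    # dn | fqdn | ip
    op: str      # ctn | nctn | equ | nequ
    value: str


def group_matches(group: List[Attribute], cert: Cert) -> bool:
    # Assumption: every attribute rule in the group must match the certificate.
    return all(OPERATORS[a.op](cert.get((a.name, a.kind), []), a.value)
               for a in group)


def evaluate(policy: List[Tuple[int, str, str]],
             groups: Dict[str, List[Attribute]], cert: Cert) -> str:
    """Return 'permit' or 'deny' for cert under a policy of
    (rule-id, action, group-name) tuples. Assumption: rules are checked in
    ascending rule-id order, the first match decides, no match means deny."""
    for _, action, group_name in sorted(policy):
        if group_matches(groups[group_name], cert):
            return action
    return "deny"


# mygroup1, mygroup2 and myacp as configured on this page.
GROUPS = {
    "mygroup1": [Attribute(1, "subject-name", "dn", "ctn", "aabbcc"),
                 Attribute(2, "issuer-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [Attribute(1, "alt-subject-name", "fqdn", "nctn", "apple"),
                 Attribute(2, "issuer-name", "dn", "ctn", "aabbcc")],
}
MYACP = [(1, "deny", "mygroup1"), (2, "permit", "mygroup2")]


def check_client(cert: Cert) -> str:
    """Decide whether the HTTPS server accepts a client certificate under myacp."""
    return evaluate(MYACP, GROUPS, cert)


# Constructed client certificates (sample data, not real certificates).
# Matches mygroup1, so rule 1 denies it even though mygroup2 would permit it.
CERT_DENIED_BY_RULE1 = {
    ("subject-name", "dn"): ["CN=aabbcc-host,O=Example"],
    ("issuer-name", "ip"): ["10.0.0.1"],
    ("issuer-name", "dn"): ["CN=aabbcc CA,O=Example"],
    ("alt-subject-name", "fqdn"): ["host1.example.test"],
}
# Fails mygroup1 (no "aabbcc" in subject DN), matches mygroup2: permitted.
CERT_PERMITTED_BY_RULE2 = {
    ("subject-name", "dn"): ["CN=host2,O=Example"],
    ("issuer-name", "ip"): ["10.0.0.2"],
    ("issuer-name", "dn"): ["CN=aabbcc CA,O=Example"],
    ("alt-subject-name", "fqdn"): ["host2.example.test"],
}
# Its FQDN contains "apple", so mygroup2 fails too: no rule matches, denied.
CERT_NO_RULE_MATCHES = {
    ("subject-name", "dn"): ["CN=host3,O=Example"],
    ("issuer-name", "dn"): ["CN=aabbcc CA,O=Example"],
    ("alt-subject-name", "fqdn"): ["apple.example.test"],
}
```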


Troubleshooting

Failed to Retrieve a CA Certificate

Troubleshooting: If you fail to obtain a CA certificate, the reasons might include:

1 Software problems

■ No trustworthy CA is specified.

■ The Simple Certificate Enrollment Protocol (SCEP) plug-in is not installed.

■ The server URL for the certificate request through SCEP is incorrect or not configured. You can check whether the server is reachable by using the ping command.

■ No RA is specified.

■ System clock is not correct.

2 Hardware problems

■ Network connection faults, such as a broken network cable or a loose interface.

Failed to Request a Local Certificate

Troubleshooting: If you fail to request a local certificate after the device has finished configuring the PKI domain parameters and the entity DN and has created a new RSA key pair, the reasons might include:

1 Software problems

■ No CA/RA certificate has been retrieved.

■ No key pair has been created, or the current key pair already has a certificate.

■ No trustworthy CA is specified.

■ The Simple Certificate Enrollment Protocol (SCEP) plug-in is not installed.

■ The server URL for the certificate request through SCEP is incorrect or not configured. You can check whether the server is reachable by using the ping command.

■ No certificate authority is configured.

■ The necessary attributes of the entity DN are not configured. Check the CA/RA authentication policy to find out which attributes are required, and configure them.

2 Hardware problems

■ Network connection faults, such as a broken network cable or a loose interface.

Failed to Retrieve a CRL

Troubleshooting: If you fail to retrieve a CRL, the reasons might include:

1 Software problems

■ The device is not synchronized with the CA server.

■ No local certificate exists when you try to retrieve the CRL.

■ The IP address of the LDAP server is not configured.

■ The CRL distribution point location is not configured.

■ The LDAP server version is wrong.

2 Hardware problems

■ Network connection faults, such as a broken network cable or a loose interface.


63 POE CONFIGURATION

PoE Overview

Introduction to PoE

Power over Ethernet (PoE) means that power sourcing equipment (PSE) supplies power to powered devices (PDs), such as IP telephones, wireless LAN access points, and web cameras, from Ethernet interfaces through twisted-pair cables.

Advantages

■ Reliable: Power is supplied in a centralized way, so it is easy to provide a backup power supply.

■ Easy to connect: A network terminal requires only one Ethernet cable and no external power supply.

■ Standard: In compliance with IEEE 802.3af, a globally uniform power interface is adopted.

■ Promising: It can be applied to IP telephones, wireless LAN access points, portable chargers, card readers, web cameras, and data collectors.

Composition

A PoE system consists of PoE power, PSE, and PD.

■ PoE power

The whole PoE system is powered by the PoE power, which includes external PoE power and internal PoE power.

The support for the PoE power type depends on the device model.

■ PSE

A PSE is a card or subcard that manages its own PoE interfaces independently. The PSE examines the Ethernet cables connected to its PoE interfaces, searches for devices that comply with the specification, classifies them, and supplies power to them. When the PSE detects that a PD has been unplugged, it stops supplying power to that PD.

An Ethernet interface with the PoE capability is called a PoE interface. Currently, a PoE interface can be an FE or GE interface.

■ PD

A PD is a device that accepts power from the PSE. There are standard PDs and nonstandard PDs; a standard PD is one that complies with IEEE 802.3af. A PD being powered by the PSE can also be connected to another power supply unit for redundancy.


Protocol Specification

The protocol specification related to PoE is IEEE 802.3af.

PoE Configuration Tasks

Complete these tasks to configure PoE:

Configuring the PoE Interface

You can configure a PoE interface in either of the following two ways:

■ Adopt the command line.

■ Configure a PoE configuration file and apply the file to the specified PoE interface(s).

Usually, you use the command line to configure a single PoE interface and a PoE configuration file to batch-configure PoE interfaces.

You can adopt either mode to configure, modify, or delete a PoE configuration parameter under the same PoE interface.

The PSE applies power to a PoE interface in one of two modes. For a device with only signal cables, power is supplied over the signal cables. For a device with both spare cables and signal cables, power can be supplied over either the spare cables or the signal cables.

To clearly identify the PD connected to a PoE interface, you can give a PD description.

Table 436 PoE Configuration Tasks

Task: Configuring the PoE Interface
Remarks: Required

Task: Configuring PoE Power Management
Remarks: Optional

Task: Configuring a Power Alarm Threshold for the PSE
Remarks: Optional

Task: Upgrading PSE Processing Software Online
Remarks: Optional

Task: Configuring a PD Disconnection Detection Mode
Remarks: Optional

Task: Enabling the PSE to Detect Nonstandard PDs
Remarks: Optional


Configuring a PoE Interface through the Command Line

Follow these steps to configure a PoE interface through the command line:

Configuring PoE Interfaces through a PoE Configuration File

A PoE configuration file is used to batch configure PoE interfaces with the same attributes to simplify operations. This configuration method is a supplement to the common command line configuration.

Commands in a PoE configuration file are called configurations.

Table 437 Configuring a PoE Interface through the Command Line

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter PoE interface view
Use the command: interface interface-type interface-number
Remarks: —

To do: Enable PoE
Use the command: poe enable
Remarks: Required. By default, PoE is disabled on the PoE interface.

To do: Configure the maximum power for the PoE interface
Use the command: poe max-power max-power
Remarks: Optional. By default, the maximum power on the PoE interface is 15,400 milliwatts.

To do: Configure the PoE mode for the PoE interface
Use the command: poe mode signal
Remarks: Optional. By default, the PoE mode is signal (power over signal cables).

To do: Configure a description for the PD connected to the PoE interface
Use the command: poe pd-description string
Remarks: Optional


Follow these steps to configure PoE interfaces through a PoE configuration file:

■ After a PoE configuration file is applied to a PoE interface, no other PoE configuration file can take effect on that PoE interface.

■ If a PoE configuration file is already applied to a PoE interface, you must execute the undo apply poe-profile command to remove the application to the interface before deleting or modifying the PoE configuration file.

■ If you have configured a PoE interface through the command line, you cannot configure it through a PoE configuration file again. If you want to reconfigure the interface through a PoE configuration file, you must first remove the command line configuration on the PoE interface.

■ You must use the same mode (command line or PoE configuration file) to configure the poe max-power max-power and poe priority { critical | high | low } commands.

Table 438 Configuring PoE Interfaces through a PoE Configuration File

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Create a PoE configuration file and enter PoE configuration file view
Use the command: poe-profile profile-name [ index ]
Remarks: Required

To do: Enable PoE for the PoE interface
Use the command: poe enable
Remarks: Required. By default, PoE is disabled on a PoE interface.

To do: Configure the maximum power for the PoE interface
Use the command: poe max-power max-power
Remarks: Optional. By default, the maximum power on the PoE interface is 15,400 milliwatts.

To do: Configure the PoE mode for the PoE interface
Use the command: poe mode signal
Remarks: Optional. By default, the PoE mode is signal (power over signal cables).

To do: Return to system view
Use the command: quit
Remarks: —

To do: Apply the PoE configuration file to the PoE interface(s), using either of the following approaches:

  Apply the PoE configuration file to one or more PoE interfaces
  Use the command: apply poe-profile { index index | name profile-name } interface interface-range

  Apply the PoE configuration file to the current PoE interface in PoE interface view
  Use the commands: interface interface-type interface-number, then apply poe-profile { index index | name profile-name }

Remarks: Use either approach


Configuring PD Power Management

The power priority of a PD depends on the priority of the PoE interface. The priority levels of PoE interfaces include critical, high and low in descending order. Power supply to a PD is subject to PD power management policies.

All PSEs implement the same PD power management policies. When the PSE supplies power to a PD,

■ By default, no power will be supplied to a new PD if the PSE power is overloaded.

■ Under the control of a priority policy, the PD with a lower priority is first powered off to guarantee the power supply to the new PD with a higher priority when the PSE power is overloaded.

If the guaranteed remaining PSE power (maximum PSE power minus the power allocated to the critical PoE interfaces, regardless of whether PoE is enabled on them) is lower than the maximum power of the PoE interface, setting the priority of that PoE interface to critical fails. Otherwise the priority is set to critical, and this PoE interface preempts the power of other PoE interfaces with a lower priority level. The PoE interfaces whose power is preempted are powered off, but their configurations remain unchanged. When you change the priority of a PoE interface from critical to a lower level, the PDs connected to other PoE interfaces get an opportunity to obtain power.

Configuration prerequisites

Enable PoE for PoE interfaces.

Configuration procedure

Follow these steps to configure PD power management:

Table 439 Configuring PD Power Management

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Configure the power priority for a PoE interface, using either of the following approaches:

  Configure the power priority for the PoE interface in PoE interface view
  Use the commands: interface interface-type interface-number, then poe priority { critical | high | low }

  Configure the power priority for the PoE interface in PoE configuration file view
  Use the commands: poe-profile profile-name [ index ], then poe priority { critical | high | low }

Remarks: Use either approach. By default, the power priority of a PoE interface is low.

To do: Configure a PD power management priority policy
Use the command: poe pd-policy priority
Remarks: Optional. By default, no PD power management priority policy is configured.
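The power management rules described in this section (guaranteed remaining power, the check that governs setting an interface to critical, and preemption when the priority policy is enabled) as an added Python simulation; this is illustrative code, not 3Com's implementation. It assumes a constructed PSE budget of 30,000 milliwatts, treats each interface's configured maximum power as the power its PD draws, and uses interface names g1, g2, g5 and g6 as stand-ins for the GigabitEthernet interfaces of the configuration example later in this chapter.

```python
from dataclasses import dataclass
from typing import Dict

# Priority levels from this section, in descending order.
RANK = {"critical": 2, "high": 1, "low": 0}


@dataclass
class PoeInterface:
    name: str
    max_power: int = 15400    # milliwatts, the default of "poe max-power"
    priority: str = "low"     # the default of "poe priority"
    enabled: bool = False     # "poe enable"
    powered: bool = False     # whether a connected PD is currently being powered


class Pse:
    """Simplified PSE power budget. Assumption: a powered interface consumes
    exactly its configured maximum power."""

    def __init__(self, max_power: int, priority_policy: bool = False):
        self.max_power = max_power              # maximum PSE power, milliwatts
        self.priority_policy = priority_policy  # "poe pd-policy priority"
        self.ifaces: Dict[str, PoeInterface] = {}

    def add(self, iface: PoeInterface) -> None:
        self.ifaces[iface.name] = iface

    def guaranteed_remaining(self) -> int:
        # Maximum PSE power minus the power allocated to critical interfaces,
        # counted whether or not PoE is enabled on them, as the page states.
        reserved = sum(i.max_power for i in self.ifaces.values()
                       if i.priority == "critical")
        return self.max_power - reserved

    def set_priority(self, name: str, priority: str) -> bool:
        """Mirror 'poe priority'; False means setting critical was refused."""
        iface = self.ifaces[name]
        if priority == "critical" and iface.priority != "critical":
            if self.guaranteed_remaining() < iface.max_power:
                return False   # the failure the troubleshooting section describes
        iface.priority = priority
        return True

    def allocated(self) -> int:
        return sum(i.max_power for i in self.ifaces.values() if i.powered)

    def connect_pd(self, name: str) -> bool:
        """A PD is plugged into interface `name`; True if it receives power."""
        iface = self.ifaces[name]
        if not iface.enabled or iface.powered:
            return False
        shortfall = iface.max_power - (self.max_power - self.allocated())
        if shortfall > 0:
            if not self.priority_policy:
                return False   # default policy: an overloaded PSE powers no new PD
            # Priority policy: power off lower-priority PDs, lowest first,
            # until enough power is freed for the higher-priority new PD.
            victims = sorted((i for i in self.ifaces.values() if i.powered
                              and RANK[i.priority] < RANK[iface.priority]),
                             key=lambda i: RANK[i.priority])
            freed, to_power_off = 0, []
            for v in victims:
                if freed >= shortfall:
                    break
                to_power_off.append(v)
                freed += v.max_power
            if freed < shortfall:
                return False
            for v in to_power_off:
                v.powered = False   # powered off; its configuration is unchanged
        iface.powered = True
        return True


def build_example_pse(priority_policy: bool) -> Pse:
    """Constructed PSE (30,000 mW budget, an assumption) with four enabled
    interfaces; g5 is capped at 9,000 mW like GigabitEthernet1/0/5 later on."""
    pse = Pse(30000, priority_policy)
    for name, max_power in [("g1", 15400), ("g2", 15400),
                            ("g5", 9000), ("g6", 15400)]:
        pse.add(PoeInterface(name, max_power=max_power, enabled=True))
    return pse
```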


Configuring a Power Alarm Threshold for the PSE

■ When the current power utilization of the PSE rises above or drops below the alarm threshold for the first time, the system sends a trap message.

■ When the PSE starts or stops supplying power to a PD, the system also sends a trap message.

Follow these steps to configure a power alarm threshold for the PSE:

Upgrading PSE Processing Software Online

You can upgrade the PSE processing software online in either of the following modes:

■ Refresh mode

Normally, you can upgrade the PSE processing software in the Refresh mode through the command line.

■ Full mode

When an exception, such as interruption (power failure) or error, occurs during the upgrade in Refresh mode, you can upgrade the PSE processing software in Full mode.

When the PSE processing software is damaged (in this case, no PoE command can be executed successfully), you can upgrade the PSE processing software in Full mode to restore the PSE function. An online PSE processing software upgrade may be unexpectedly interrupted (for example, an error may cause the device to reboot). If you fail to upgrade the PSE processing software in Full mode after the reboot, power off the device and restart it before upgrading it again. After the upgrade, restart the device manually to make the original PoE configurations take effect. The support for this upgrade method depends on the device model.

Follow these steps to upgrade the PSE processing software online:

Table 440 Configuring a Power Alarm Threshold for the PSE

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Configure a power alarm threshold for the PSE
Use the command: poe utilization-threshold utilization-threshold-value
Remarks: Optional. By default, the power alarm threshold for the PSE is 80%.

Table 441 Upgrading PSE Processing Software Online

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Upgrade the PSE processing software online
Use the command: poe update { full | refresh } filename
Remarks: Optional


Configuring a PD Disconnection Detection Mode

To detect whether a PD is still connected to the PSE, PoE provides two detection modes: AC detection and DC detection. AC detection consumes less energy than DC detection.

Follow these steps to configure a PD disconnection detection mode:

If you change the PD disconnection detection mode while the device is running, the connected PDs will be powered off. Therefore, be cautious when doing so.

Enabling the PSE to Detect Nonstandard PDs

There are standard PDs and nonstandard PDs. Usually, the PSE can detect only standard PDs and supply power to them. The PSE can detect nonstandard PDs and supply power to them only after the PSE is enabled to detect nonstandard PDs.

Follow these steps to enable the PSE to detect nonstandard PDs:

Table 442 Configuring a PD Disconnection Detection Mode

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Configure a PD disconnection detection mode
Use the command: poe disconnect { ac | dc }
Remarks: Optional. The default PD disconnection detection mode depends on the device model.

Table 443 Enabling the PSE to Detect Nonstandard PDs

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable the PSE to supply power to the detected nonstandard PDs
Use the command: poe legacy enable
Remarks: Optional. By default, the PSE is disabled from supplying power to the detected nonstandard PDs.


Displaying and Maintaining PoE

PoE Configuration Example

Network requirements

■ GigabitEthernet1/0/1 and GigabitEthernet1/0/2 are connected to IP telephones.

■ GigabitEthernet1/0/5 and GigabitEthernet1/0/6 are connected to access point (AP) devices.

■ The power priority of GigabitEthernet1/0/2 is critical.

■ The power of the AP device connected to GigabitEthernet1/0/5 does not exceed 9,000 milliwatts.

Table 444 Displaying and Maintaining PoE

To do: Display the mapping between ID, module, and slot of all PSEs
Use the command: display poe device
Remarks: Available in any view

To do: Display the power state and information of the specified PoE interface
Use the command: display poe interface [ interface-type interface-number ]
Remarks: Available in any view

To do: Display the power information of one or more PoE interfaces
Use the command: display poe interface power [ interface-type interface-number ]
Remarks: Available in any view

To do: Display the information of a PSE
Use the command: display poe pse [ pse-id ]
Remarks: Available in any view

To do: Display the power state and information of the PoE interfaces connected with the PSE
Use the command: display poe interface [ interface-type interface-number ]
Remarks: Available in any view

To do: Display the power of all PoE interfaces connected with the PSE
Use the command: display poe interface power [ interface-type interface-number ]
Remarks: Available in any view

To do: Display all information about the configurations and applications of a PoE configuration file
Use the command: display poe-profile [ index index | name profile-name ]
Remarks: Available in any view

To do: Display all information about the configurations and applications of the PoE configuration file applied to the specified PoE interface
Use the command: display poe-profile interface interface-type interface-number
Remarks: Available in any view


Network diagram

Figure 174 Network diagram for PoE

Configuration procedure

1 Enable PoE on GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/5, and GigabitEthernet1/0/6.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe enable
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe enable
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe enable
[Sysname-GigabitEthernet1/0/5] quit
[Sysname] interface gigabitethernet 1/0/6
[Sysname-GigabitEthernet1/0/6] poe enable

2 Set the power priority level of GigabitEthernet1/0/2 to critical.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe priority critical

3 Set the maximum power of GigabitEthernet1/0/5 to 9,000 milliwatts.

[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe max-power 9000


Troubleshooting PoE

Symptom: Setting the priority of a PoE interface to critical fails.

Analysis:

■ The guaranteed remaining power of the PSE is lower than the maximum power of the PoE interface.

■ The priority of the PoE interface is already set.

Solution:

■ In the former case, you can solve the problem by increasing the maximum PSE power, or by reducing the maximum power of the PoE interface when the guaranteed remaining power of the PSE cannot be modified.

■ In the latter case, first remove the priority already configured.

Symptom: Applying a PoE configuration file to a PoE interface fails.

Analysis:

■ Some configurations in the PoE configuration file are already configured on the PoE interface.

■ Some configurations in the PoE configuration file do not meet the configuration requirements of the PoE interface.

■ Another PoE configuration file is already applied to the PoE interface.

Solution:

■ In case 1, remove the original configurations of those items from the PoE interface.

■ In case 2, modify the offending configurations in the PoE configuration file.

■ In case 3, remove the application of the undesired PoE configuration file from the PoE interface.

Symptom: Provided that parameters are valid, configuring an AC input under-voltage threshold fails.

Analysis: The AC input under-voltage threshold is greater than or equal to the AC input over-voltage threshold.

Solution: You can drop the AC input under-voltage threshold below the AC input over-voltage threshold.