3Com WX3000 user manual / service manual
3Com WX3000 Series Unified Switches Switching Engine Operation Manual. Manual Version: 6W100. www.3com.com. 3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752 3064.
Copyright © 2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
About This Manual. Organization. The 3Com WX3000 Series Unified Switches consist of three models: the WX3024, the WX3010 and the WX3008. 3Com WX3000 Series Unified Switches Switching Engine Operation Manual.
Part Contents: 24 SNMP-RMON Introduces the configuration for network management through SNMP and RMON. 25 Multicast Introduces IGMP snooping and the related configuration. 26 NTP Introduces NTP and the related configuration. 27 SSH Introduces SSH2.0 and the related configuration.
Convention Description: &<1-n> The argument(s) before the ampersand (&) sign can be entered 1 to n times. # A line starting with the # sign is a comment. GUI conventions: Convention Description: Boldface Window names, button names, field names, and menu items are in Boldface.
Manual Description: 3Com WX3000 Series Unified Switches Web-Based Configuration Manual Introduces the Web-based functions of the access controller engine of WX3000 series unified switches. Obtaining Documentation You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.
i Table of Contents 1 CLI Configuration
1-1 1 CLI Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to the CLI A command line interface (CLI) is a user interface to interact with a device.
1-2 • Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning the file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level.
1-3 Configuration example After a general user telnets to the device, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the device. # A level 3 user sets a switching password for user level 3.
1-4 # Change the tftp get command in user view (shell) from level 3 to level 0. (Originally, only level 3 users can change the level of a command.) <device> system-view [device] command-privilege level 0 view shell tftp [device] command-privilege level 0 view shell tftp 192. Note that after this change any level 0 user can run tftp; lower a command's level only where that exposure is acceptable.
1-5 View Available operation Prompt example Enter method Quit method: 1000 Mbps Ethernet port view: [device-GigabitEthernet1/0/1] Execute the interface gigabitethernet command in system view.
1-6 View Available operation Prompt example Enter method Quit method: Edit the RSA public key for SSH users [device-rsa-key-code]. Public key editing view: Edit the RSA or DSA public key for SSH users [device-peer-key-code] Execute the public-key-code begin command in public key view.
1-7 View Available operation Prompt example Enter method Quit method: QinQ view Configure QinQ parameters [device-GigabitEthernet1/0/1-vid-20] Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command should be executed first.
1-8 timezone Configure time zone. If the question mark (?) is at an argument position in the command, the description of the argument will be displayed on your terminal.
1-9 By default, the CLI can store up to 10 latest executed commands for each user. You can view the command history by performing the operations listed in Table 1-3.
1-10 Table 1-5 Edit operations: Press… To… A common key: Insert the corresponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters. Backspace key: Delete the character on the left of the cursor and move the cursor one character to the left.
i Table of Contents 1 Logging In to the Switching Engine
ii Configuring Source IP Address for Telnet Service Packets 6-1 D.
1-1 1 Logging In to the Switching Engine The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 User Interface Index Two kinds of user interface index exist: absolute user interface index and relative user interface index. 1) The absolute user interface indexes are as follows: • The absolute AUX user interface is numbered 0. • VTY user interface indexes follow AUX user interface indexes.
1-3 To do… Use the command… Remarks: Display the information about the current user interface/all user interfaces: display users [ all ]. Display the physical attributes and configuration of the cur.
2-1 2 Logging In Through OAP OAP Overview As an open software and hardware system, Open Application Architecture (OAA) provides a set of complete standard software and hardware interfaces. Third-party vendors can develop products with special functions.
2-2 Therefore, when you use the NMS to manage the access control engine and the switching engine on the same interface, you must first obtain the management IP addresses of the two SNMP agents and the link relationship between them, and then you can access the two agents.
2-3 Resetting the OAP Software System If the operating system works abnormally or is under other anomalies, you can reset the OAP software system.
3-1 3 Logging In Through Telnet Introduction The device supports Telnet. You can manage and maintain the switching engine remotely by Telnetting to the switching engine. To log in to the switching engine through Telnet, the corresponding configuration is required on both the switching engine and the Telnet terminal.
3-2 Configuration Description: Make terminal services available: Optional. By default, terminal services are available in all user interfaces. Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
3-3 To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22, the ports for the Telnet and SSH services respectively, are enabled or disabled according to the configuration. • If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled. Note that in this mode anyone who can reach TCP 23 obtains a CLI session without a password, and SSH is not available on that line.
3-4 To do… Use the command… Remarks: Set the history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10.
3-5 # Specify that commands of level 2 are available to users logging in through VTY 0. [device-ui-vty0] user privilege level 2 # Configure the Telnet protocol to be supported. [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30.
3-6 To do… Use the command… Remarks: Set the history command buffer size: history-command max-size value. Optional. The default history command buffer size is 10.
3-7 [device-ui-vty0] authentication-mode password # Set the local password to 123456 (in plain text). [device-ui-vty0] set authentication password simple 123456 # Specify that commands of level 2 are available to users logging in to VTY 0. [device-ui-vty0] user privilege level 2 # Configure the Telnet protocol to be supported. A password set with the simple keyword is stored in plain text in the configuration file, so anyone who can read the saved configuration learns the login password.
3-8 To do… Use the command… Remarks: Enter one or more VTY user interface views: user-interface vty first-number [ last-number ] —. Configure to authenticate users locally or remotely: authentication-mode scheme [ command-authorization ]. Required. The specified AAA scheme determines whether to authenticate users locally or remotely.
3-9 Table 3-4 Determining the command level when users logging in to the switching engine are authenticated in scheme mode: Scenario, Authentication mode, User type, Command, Command level. The user privilege level level command is not executed, and the service-type command does not specify the available command level.
3-10 Refer to AAA Operation and SSH Operation of this manual for information about AAA, RADIUS, and SSH. Configuration Example Network requirements As shown in Figure 3-3, assume a current user logs in using the oap connect slot 0 command and the user level is set to the manage level (level 3).
3-11 [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [device-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [device-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes.
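The command-privilege change on page 1-4 and the VTY examples on pages 3-3 through 3-11 together describe the settings that decide who gets a CLI session and at which level. The following audit script is an added example, not code from 3Com or from this manual: it parses a Comware-style configuration text, groups the `user-interface` blocks, and flags an authentication mode of `none`, unauthenticated or shared-password lines that land at manage level, passwords stored with `simple`, lines that only accept Telnet inbound, and manage-level commands demoted below level 3. `SAMPLE_CONFIG` and `MANAGE_LEVEL_COMMANDS` are constructed for the example (the command set is an assumption drawn from the manage-level description on page 1-2), and the `protocol inbound` default of `all` is assumed.

```python
"""Audit VTY login settings and command-privilege changes in a Comware-style
(3Com WX3000 switching engine) configuration.  Added example, not 3Com code;
SAMPLE_CONFIG is constructed to mirror the manual's examples, not captured
from a device."""
import re

# Constructed sample: VTY 0 as in the "authentication mode none" example,
# VTY 1-4 as in the password example, plus the tftp privilege change from page 1-4.
SAMPLE_CONFIG = """\
#
 command-privilege level 0 view shell tftp
#
user-interface vty 0
 authentication-mode none
 user privilege level 3
 protocol inbound telnet
 screen-length 30
 history-command max-size 20
#
user-interface vty 1 4
 authentication-mode password
 set authentication password simple 123456
 user privilege level 2
 protocol inbound all
#
"""

# Commands the manual places at manage level (3): file system, FTP/TFTP/XModem
# downloading, user management.  Assumed set for this example; any
# command-privilege line moving one of them below level 3 widens what an
# unprivileged login can do.
MANAGE_LEVEL_COMMANDS = {"tftp", "ftp", "xmodem", "local-user", "super"}


def parse_user_interfaces(text):
    """Return {(kind, first, last): [indented lines]} for each user-interface block."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"user-interface (\w+) (\d+)(?: (\d+))?$", line.strip())
        if m:
            kind, first, last = m.group(1), int(m.group(2)), m.group(3)
            current = (kind, first, int(last) if last else first)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '#' or a top-level command ends the block
    return blocks


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*command-privilege level (\d) view (\S+) (\S+)", line)
        if m and int(m.group(1)) < 3 and m.group(3) in MANAGE_LEVEL_COMMANDS:
            findings.append(f"{m.group(3)} demoted to level {m.group(1)} in view {m.group(2)}")
    for (kind, first, last), lines in parse_user_interfaces(text).items():
        name = f"{kind} {first}" + (f"-{last}" if last != first else "")
        mode = next((l.split()[1] for l in lines if l.startswith("authentication-mode")), "unset")
        level = next((int(l.split()[-1]) for l in lines if l.startswith("user privilege level")), 0)
        proto = next((l.split()[-1] for l in lines if l.startswith("protocol inbound")), "all")  # assumed default
        if mode == "none":
            findings.append(f"{name}: authentication-mode none (Telnet on TCP 23 needs no password; SSH on TCP 22 is disabled)")
        if mode in ("none", "password") and level >= 3:
            findings.append(f"{name}: login without per-user authentication lands at manage level {level}")
        if any(l.startswith("set authentication password simple") for l in lines):
            findings.append(f"{name}: login password stored in plain text (simple)")
        if proto == "telnet":
            findings.append(f"{name}: only Telnet permitted inbound; SSH cannot be used on this line")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the script reports the demoted `tftp` command, three findings for VTY 0 and one for VTY 1-4; a block using `authentication-mode scheme` with `protocol inbound ssh` produces none.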
3-12 • Perform the following operations in the terminal window to assign IP address 202.38.160.90/24 to VLAN-interface 1 of the access control engine. <device> system-view [device] interface Vlan-interface 1 [device-Vlan-interface1] ip address 202.
3-13 Figure 3-7 Launch Telnet 5) If the password authentication mode is specified, enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt (such as <System_LSW>) appears if the password is correct.
3-14 1) Perform Telnet-related configuration on the switching engine operating as the Telnet server. For details, refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme.
4-1 4 Logging In from the Web-Based Network Management System When logging in from the Web-based network management system, go to these sections for information you are interested in: • Introduction.
4-2 Setting Up a Web Configuration Environment Your WX series access controller products were delivered with a factory default configuration. This configuration allows you to log into the built-in Web-based management system of the access controller product from a Web browser on a PC by entering http://192.
4-3 Figure 4-1 Web interface of the access controller engine 3) Set up a Web configuration environment, as shown in Figure 4-2. Figure 4-2 Set up a Web configuration environment 4) Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter http://192.
4-4 configured by the header command, a user logging in through the Web directly enters the user login authentication page. Follow these steps to configure the login banner: To do… Use the command… .
4-5 Figure 4-5 Banner page displayed when a user logs in to the switching engine through the Web Click Continue to enter the user login authentication page. You will enter the main page of the Web-based network management system if the authentication succeeds.
5-1 5 Logging In from NMS Introduction You can also log in to the switching engine from a network management station (NMS), and then configure and manage the switching engine through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent.
6-1 6 Configuring Source IP Address for Telnet Service Packets Overview You can configure the source IP address or source interface for the Telnet server and Telnet client.
6-2 To do… Use the command… Remarks: Specify a source interface for the Telnet client: telnet source-interface interface-type interface-number. Optional. When configuring a source IP address for Telnet packets, ensure that: • The source IP address must be one on the local device.
7-1 7 User Control Refer to the ACL part for information about ACLs. Introduction The switching engine provides ways to control different types of login users, as listed in Table 7-1.
7-2 To do… Use the command… Remarks: Enter system view: system-view —. Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default.
7-3 Controlling Telnet Users by Source MAC Addresses Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Note that a source MAC address only identifies a user on the same Layer 2 segment as the switch (a router rewrites it on the way) and can be forged by the sender, so treat MAC-based control as a supplement to source IP control rather than a substitute for it.
7-4 Controlling Network Management Users by Source IP Addresses You can manage the device through network management software. Network management users can access switching engines through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
7-5 You can specify different ACLs while configuring the SNMP community name, SNMP group name, and SNMP user name. As the SNMP community name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in .
7-6 • Applying the ACL to control Web users Prerequisites The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
7-7 Configuration procedure # Define a basic ACL. <device> system-view [device] acl number 2030 [device-acl-basic-2030] rule 1 permit source 10.110.100.52 0 [device-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.
i Table of Contents 1 Configuration File Management
1-1 1 Configuration File Management The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to Configuration File A configuration file records and stores user configurations performed on the device.
1-2 can configure a file to have both the main and backup attributes, but only one file of either main or backup attribute is allowed on a device. The following three situations are concerned with the main/backup attributes: • When saving the current configuration, you can specify the file to be a main, backup or normal configuration file.
1-3 • Safe mode. This is the mode when you use the save command with the safely keyword. This mode saves the file more slowly but retains the original configuration file on the device even if the device reboots or the power fails during the process.
1-4 To do… Use the command… Remarks: Erase the startup configuration file from the storage device: reset saved-configuration [ backup | main ]. Required. Available in user view. You may need to erase the configuration file for one of these reasons: • After you upgrade software, the old configuration file does not match the new software.
1-5 The configuration file must use “.cfg” as its extension name and the startup configuration file must be saved in the root directory of the device.
i Table of Contents 1 VLAN Overview
1-1 1 VLAN Overview • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation. Figure 1-1 A VLAN implementation (figure: two switches joined by a router, each switch carrying VLAN A and VLAN B) Advantages of VLANs Compared with traditional Ethernet, VLANs enjoy the following advantages.
1-3 Figure 1-2 Encapsulation format of traditional Ethernet frames (figure: DA & SA, Type, Data) In Figure 1-2, DA refers to the destination MAC address, SA refers to the source MAC address, and Type refers to the upper layer protocol type of the packet. IEEE 802.
1-4 After VLANs are configured on a switch, the MAC address learning of the switch has the following two modes. • Shared VLAN learning (SVL): the switch records all the MAC address entries learnt by ports in all VLANs in a shared MAC address forwarding table.
1-5 The link type of a port on the device can be one of the following: access, trunk, and hybrid. For the three types of ports, the process of being added into a VLAN and the way of forwarding packets are different. For details, refer to the “Port Basic Configuration” part of the manual.
1-6 The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to the ranges of the two fields. Extended encapsulation formats of 802.2/802.3 packets 802.2/802.3 packets have the following three extended encapsulation formats: • 802.
1-7 Procedure for the Switch to Judge Packet Protocol Figure 1-9 Procedure for the switch to judge packet protocol (flowchart: receive packet; inspect the Type (Length) field; Ethernet II encapsulation matches the type value; invalid packets that cannot be matched; 802.
1-8 The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates: • The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
2-1 2 VLAN Configuration Configuration Task List Complete the following tasks to configure VLAN: Task Remarks: Basic VLAN Configuration Required. Basic VLAN Interface Configuration .
2-2 Basic VLAN Interface Configuration Configuration prerequisites Before configuring a VLAN interface, create the corresponding VLAN. Configuration procedure Follow these steps to make basic VLAN.
2-3 Configuring a Port-Based VLAN Configuration prerequisites Create a VLAN before configuring a port-based VLAN. Configuration procedure Follow these steps to configu.
2-4 Configuration procedure • Configure Switch A. # Create VLAN 101, specify its descriptive string as “DMZ”, and add GigabitEthernet 1/0/1 to VLAN 101.
2-5 For the command for configuring a port link type (port link-type) and the command for allowing packets of certain VLANs to pass through a port (port trunk permit), refer to the section on configuring Ethernet ports in the “Port Basic Configuration” part of this document.
2-6 • Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type and associate the two protoc.
2-7 For the operation of adding a hybrid port to a VLAN in the untagged way (when forwarding a packet, the port removes the VLAN tag of the packet), refer to the section on configuring Ethernet ports in the “Port Basic Configuration” part of this manual.
2-8 Configuration procedure # Create VLAN 100 and VLAN 200, and add GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 100 and VLAN 200 respectively.
2-9
VLAN ID  Protocol-Index  Protocol-Type
100      0               ip
100      1               ethernetii etype 0x0806
200      0               at
The above output indicates that GigabitEthernet 1/0/10 has already been associated with the corresponding protocol templates of VLAN 100 and VLAN 200.
i Table of Contents 1 Auto Detect Configuration
1-1 1 Auto Detect Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Auto Detect Configuration Complete the following tasks to configure auto detect: Task Remarks: Auto Detect Basic Configuration Required. Auto Detect Implementation in Static Routing Optional. Auto .
1-3 Auto Detect Implementation in Static Routing You can bind a static route with a detected group. The Auto Detect function will then detect the reachability of the static route through the path specified in the detected group. • The static route is valid if the detected group is reachable.
1-4 To do… Use the command… Remarks: Enter system view: system-view —. Enter VLAN interface view: interface Vlan-interface vlan-id —. Enable the auto detect function to implement VLAN interface backup: standby detect-group group-number. Required. This operation is only needed on the secondary VLAN interface.
1-5 <SwitchC> system-view # Configure a static route to Switch A. [SwitchC] ip route-static 192.168.1.1 24 10.1.1.3 Configuration Example for Auto Detect Implementation in VLAN Interface Backup .
i Table of Contents 1 Voice VLAN Configuration
1-1 1 Voice VLAN Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 Figure 1-1 Network diagram for IP phones (figure: DHCP Server1, DHCP Server2, Call agent, IP Phone; steps ①, ②, ③) As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission.
1-3 3) After the IP phone acquires the IP address assigned by DHCP Server2, the IP phone establishes a connection to the NCP specified by DHCP Server1 and downloads the corresponding software. After that, the IP phone can communicate properly. • An untagged packet carries no VLAN tag.
1-4 Processing mode of untagged packets sent by IP voice devices • Automatic mode. A WX3000 device automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on.
1-5 Table 1-2 Matching relationship between port types and voice traffic types: Port voice VLAN mode, Voice traffic type, Port type, Supported or not. Access: Not supported. Trunk: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN.
1-6 Voice VLAN Configuration Configuration Prerequisites • Create the corresponding VLAN before configuring a voice VLAN. • VLAN 1 (the default VLAN) cannot be configured as a voice VLAN.
1-7 When the voice VLAN is working normally and the device restarts, in order to keep the established voice connections working, the system does not wait to be triggered by voice traffic before adding a port in automatic mode to the voice VLAN; it does so immediately after the restart.
1-8 To do… Use the command… Remarks: Enter VLAN view: vlan vlan-id. Access port: Add the port to the VLAN: port interface-list. Enter port view: interface interface-type interface-num. Add the port to the VLAN: port trunk permit vlan vlan-id, or port hybrid vlan vlan-id { tagged | untagged }. Required. By default, all the ports belong to VLAN 1.
1-9 Displaying and Maintaining Voice VLAN To do… Use the command… Remarks: Display the information about ports on which voice VLAN configuration fails: display voice vlan error-info. Display the voic.
1-10 [DeviceA] voice vlan aging 100 # Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Enable the voice VLAN function globally.
1-11 <DeviceA> system-view [DeviceA] voice vlan security enable # Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Create VLAN 2 and configure it as a voice VLAN.
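Automatic mode (page 1-4) and the OUI entries on pages 1-10 and 1-11 decide voice VLAN membership purely from the source MAC address of an untagged frame, compared against each configured OUI under its mask. The following is an added example, not 3Com code, that implements that comparison: it parses the manual's `voice vlan mac-address <oui> mask <mask>` line, matches a source MAC against the OUI table, and classifies a frame into the voice VLAN or the port's default VLAN. The handling of `security enable` (a frame inside the voice VLAN whose source MAC matches no OUI is dropped, other VLANs unaffected) is an assumption about that command's behaviour. The OUI table and MAC addresses are constructed for the example.

```python
"""OUI-mask matching for voice VLAN membership.  Added example, not 3Com code;
the OUI entries and frames used here are constructed, not taken from a device."""
import re


def mac_to_int(mac):
    """Accept the manual's H-H-H form (0011-2200-0000) as well as colon or dot form."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def parse_oui(line):
    """Parse `voice vlan mac-address <oui> mask <mask> [description <text>]`
    into (oui_bits, mask, description); the OUI is normalised under its mask."""
    m = re.match(r"voice vlan mac-address (\S+) mask (\S+)(?: description (.+))?$", line.strip())
    if not m:
        raise ValueError(f"not an OUI entry: {line!r}")
    mask = mac_to_int(m.group(2))
    return (mac_to_int(m.group(1)) & mask, mask, (m.group(3) or "").strip())


def match_oui(src_mac, oui_table):
    """Description of the first OUI entry the source MAC matches, else None."""
    mac = mac_to_int(src_mac)
    for oui, mask, desc in oui_table:
        if mac & mask == oui:
            return desc
    return None


def classify(src_mac, vlan_tag, oui_table, voice_vlan, pvid, security=False):
    """VLAN a frame is placed in, or None if dropped.
    Untagged frames from a matching OUI go to the voice VLAN (automatic mode);
    all other untagged frames stay in the port's default VLAN.
    Assumed security-mode behaviour: a frame in the voice VLAN must match an OUI."""
    is_voice = match_oui(src_mac, oui_table) is not None
    vlan = (voice_vlan if is_voice else pvid) if vlan_tag is None else vlan_tag
    if security and vlan == voice_vlan and not is_voice:
        return None
    return vlan


if __name__ == "__main__":
    table = [parse_oui("voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test")]
    for mac in ("0011-2201-0203", "0800-2b00-0001"):          # constructed MACs
        print(mac, match_oui(mac, table), classify(mac, None, table, 2, 1))
```

Because membership is decided by the OUI alone, any host that sets its MAC address to a phone vendor's OUI is placed in the voice VLAN by automatic mode; security mode only keeps non-matching frames out of the voice VLAN, it does not verify that the sender is a phone.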
i Table of Contents 1 GVRP Configuration
1-1 1 GVRP Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Leave messages and LeaveAll messages, together with Join messages, ensure that attribute information can be deregistered and re-registered. Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN.
1-3 Figure 1-1 Format of GARP packets (figure: Ethernet frame of DA, length, DSAP, SSAP, Ctrl and PDU; the PDU carries Protocol ID, Message 1 … Message N and an End Mark; each message carries an Attribute Type and an Attribute List of Attribute 1 … Attribute N)
1-4 GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to other devices through GARP.
1-5 Configuration procedure Follow these steps to enable GVRP on an Ethernet port: To do… Use the command… Remarks: Enter system view: system-view —. Enable GVRP globally: gvrp. Required. By default, GVRP is disabled globally.
1-6 Table 1-2 Relations between the timers: Timer, Lower threshold, Upper threshold. Hold: lower threshold 10 centiseconds; the upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
1-7 GVRP Configuration Example Network requirements • Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network, thus implementing dynamic VLAN information registration and refresh, as shown in Figure 1-2.
1-8 [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/3. [SwitchA-GigabitEthernet1/0/3] gvrp [SwitchA-GigabitEthernet1/0/3] quit 2) Configure Switch B # The configuration procedure of Switch B is similar to that of Switch A and is thus omitted. Note that with GVRP enabled and all VLANs permitted on the trunk, the peer on that link can register any VLAN on this switch; on ports facing devices you do not control, restrict what may be registered (for example with gvrp registration fixed) rather than accepting every registration.
1-9 [SwitchE-GigabitEthernet1/0/1] gvrp registration fixed # Display the VLAN information dynamically registered on Switch A. [SwitchA] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch B.
i Table of Contents 1 Basic Port Configuration
1-1 1 Basic Port Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Link Types of Ethernet Ports An Ethernet port of the device can operate in one of the following three link types: • Access: An access port can belong to only one VLAN, and is generally used to connect user PCs. • Trunk: A trunk port can belong to more than one VLAN.
1-3 Table 1-3 Processing of incoming/outgoing packets: Port type; Processing of an incoming packet (if the packet does not carry a VLAN tag; if the packet carries a VLAN tag); Processing of an outgoing packet. Access: • If the VLAN ID is just the default VLAN ID, receive the packet.
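Table 1-3 describes, per link type, what a port does with an untagged or tagged incoming frame and whether it strips the tag on the way out. The following simulator is an added example, not 3Com code, that encodes those rules so a planned access/trunk/hybrid layout can be checked before it is configured: `ingress` returns the VLAN a frame is assigned to (or `None` when the port drops it), `egress` returns whether the frame leaves tagged or untagged, and `forward` chains the two for one frame crossing the switch. The `Port` objects are constructed; the rule that an untagged frame on a trunk or hybrid port is accepted only if the port's default VLAN is among its permitted VLANs follows the table's trunk row as this page shows it.

```python
"""Per-port VLAN ingress/egress rules for access, trunk and hybrid ports.
Added example, not 3Com code; the ports below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Port:
    link_type: str                                          # 'access', 'trunk' or 'hybrid'
    pvid: int = 1                                           # default VLAN ID; VLAN 1 by default
    permitted: set = field(default_factory=lambda: {1})     # VLANs allowed through the port
    untagged: set = field(default_factory=set)              # hybrid only: VLANs sent untagged

    def __post_init__(self):
        if self.link_type not in ("access", "trunk", "hybrid"):
            raise ValueError(self.link_type)
        if self.link_type == "access":
            # An access port carries exactly its default VLAN, always untagged.
            self.permitted, self.untagged = {self.pvid}, {self.pvid}
        else:
            # `port hybrid vlan N untagged` also permits VLAN N.
            self.permitted = set(self.permitted) | set(self.untagged)


def ingress(port, vlan_tag=None):
    """VLAN the incoming frame is assigned to, or None if dropped.
    vlan_tag is None for an untagged frame."""
    if port.link_type == "access":
        # Untagged frames get the PVID; a tagged frame is accepted only if it carries the PVID.
        return port.pvid if vlan_tag in (None, port.pvid) else None
    if vlan_tag is None:
        # Trunk/hybrid: tag with the PVID, but only if that VLAN is permitted on the port.
        return port.pvid if port.pvid in port.permitted else None
    return vlan_tag if vlan_tag in port.permitted else None


def egress(port, vlan):
    """'untagged', 'tagged', or None when the port does not forward that VLAN."""
    if vlan not in port.permitted:
        return None
    if port.link_type == "access":
        return "untagged"
    if port.link_type == "trunk":
        # A trunk strips the tag only for its default VLAN.
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"   # hybrid: per-VLAN setting


def forward(in_port, out_port, vlan_tag=None):
    """One frame across the switch: egress form at out_port, or None if dropped anywhere."""
    vlan = ingress(in_port, vlan_tag)
    return None if vlan is None else egress(out_port, vlan)


if __name__ == "__main__":
    pc = Port("access", pvid=10)
    uplink = Port("trunk", pvid=1, permitted={1, 10, 20})
    print("PC frame on uplink:", forward(pc, uplink))               # tagged (VLAN 10 != PVID 1)
    print("VLAN 30 from uplink to PC:", forward(uplink, pc, 30))    # None, not permitted
```

The test exercises each row of the table: the access port drops a foreign tag, the trunk strips only its PVID, and the hybrid port sends VLAN 10 untagged and VLAN 20 tagged because that is how its `untagged` set was configured.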
1-4 To do… Use the command… Remarks: Enter system view: system-view —. Enter Ethernet port view: interface interface-type interface-number —. Enable the Ethernet port: undo shutdown. By default, the port is enabled. Use the shutdown command to disable the port.
1-5 To do… Use the command… Remarks: Configure the available auto-negotiation speed(s) for the port: speed auto [ 10 | 100 | 1000 ]*. Optional. By default, the port speed is auto-negotiated. • Only ports on the front panel of the device support the auto-negotiation speed configuration feature.
1-6 To do… Use the command… Remarks: Enter system view: system-view —. Enter Ethernet port view: interface interface-type interface-number —. Enable flow control on the Ethernet port: flow-control. Required. By default, flow control is not enabled on a port.
1-7 To do… Use the command… Remarks: Enter system view: system-view —. Enter Ethernet port view: interface interface-type interface-number —. Set the link type for the port as trunk: port link-type trunk. Required. Set the default VLAN ID for the trunk port: port trunk pvid vlan vlan-id. Optional. By default, the default VLAN of a trunk port is VLAN 1.
1-8 <device> system-view [device] interface GigabitEthernet 1/0/1 [device-GigabitEthernet1/0/1] shutdown [device-GigabitEthernet1/0/1] %Apr 2 08:11:14:220 2000 device L2INF/5/PORT LINK STATUS CH.
1-9 configuration command once on one port and that configuration will apply to all ports in the port group. This effectively reduces redundant configuration. A port group can be manually created by users. Multiple Ethernet ports can be added to the same port group, but one Ethernet port can only be added to one port group.
1-10 To do… Use the command… Remarks: Configure the system to run loopback detection on all VLANs for the trunk and hybrid ports: loopback-detection per-vlan enable. Optional. By default, the system runs loopback detection only on the default VLAN for the trunk and hybrid ports.
1-11 Enabling the System to Test a Connected Cable You can enable the system to test the cable connected to a specific port. The test result will be returned in five minutes. The system can test these attributes of the cable: receive and transmit directions (RX and TX), whether there is a short circuit or open circuit, and the length of the faulty cable.
1-12 Displaying and Maintaining Ethernet Ports To do… Use the command… Remarks: Display port configuration information: display interface [ interface-type | interface-type interface-number ]. Displa.
1-13 [device] vlan 100 # Configure the default VLAN ID of GigabitEthernet 1/0/1 as 100. [device-GigabitEthernet1/0/1] port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration Symptom: Default VLAN ID configuration failed. Solution: Take the following steps.
i Table of Contents 1 Link Aggregation Configuration
1-1 1 Link Aggregation Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Operation Key An operation key of an aggregation port is a configuration combination generated by the system depending on the configurations of the port (rate, duplex mode, other basic configuration, and management key) when the port is aggregated.
1-3 For an aggregation group: • When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; • When the rate of a port decreases, if the port belongs .
1-4 Dynamic LACP Aggregation Group Introduction to dynamic LACP aggregation group A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot add/remove ports to/from it. A port can participate in dynamic link aggregation only when it is LACP-enabled.
1-5 Changing the system priority of a device may change the preferred device between the two parties, and may further change the states (selected or unselected) of the member ports of dynamic aggregation groups.
1-6 A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while the others are unselected ports.
1-7 To do… Use the command… Remarks: Configure a description for the aggregation group: link-aggregation group agg-id description agg-name. Optional. By default, an aggregation group has no description.
1-8 To do… Use the command… Remarks: Configure a description for the aggregation group: link-aggregation group agg-id description agg-name. Optional. By default, an aggregation group has no description.
1-9 To do… Use the command… Remarks: Enable LACP on the port: lacp enable. Required. By default, LACP is disabled on a port. Configure the port priority: lacp port-priority port-priority. Optional. By default, the port priority is 32,768.
1-10 Figure 1-1 Network diagram for link aggregation configuration (figure: Switch A and Switch B joined by an aggregated link) Configuration procedure 1) Adopting manual aggregation mode # Create manual aggregation group 1.
1-11 Note that the three LACP-enabled ports can be aggregated into a dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate and duplex mode).
1-1 1 Port Isolation Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024.
1-2 - When a member port of an aggregation group is added to an isolation group, the other ports in the same aggregation group are added to the isolation group automatically.
1-3
<device> system-view
System View: return to User View with Ctrl+Z.
[device] interface GigabitEthernet1/0/2
[device-GigabitEthernet1/0/2] port isolate
[device-GigabitEthernet1/0/2] quit
[devi…
1-1 1 Port Security Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024.
1-2 Port Security Modes. Table 1-1 describes the available port security modes. Table 1-1 Description of port security modes: Security mode / Description / Feature.
- noRestriction: Port security is disabled on the port and access to the port is not restricted.
1-3 Security mode / Description / Feature.
- userLoginSecure: In this mode, a port performs 802.1x authentication of users and services only one user that has passed 802.1x authentication at a time.
- userLoginSecureExt: In this mode, a port performs 802.1x authentication of users and services users passing 802…
1-4 Port Security Configuration. Complete the following tasks to configure port security: Task / Remarks.
- Enabling Port Security: Required.
- Setting the Maximum Number of MAC Addresses Allowed on a Port: Opt…
1-5 Setting the Maximum Number of MAC Addresses Allowed on a Port. Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.
1-6 To do… / Use the command… / Remarks
- Enter Ethernet port view: interface interface-type interface-number. —
- Set the port security mode: port-security port-mode { autolearn | mac-and-userlogin-secur…
1-7 The WX3000 series devices do not support the ntkonly NTK feature. Configuring intrusion protection. Follow these steps to configure the intrusion protection feature: To do… / Use the command…
1-8 To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Enable sending traps for the specified type of event: port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure }. Required; by default, no trap is sent.
1-9 Manually configured security MAC addresses are written to the configuration file; they are not lost when the port goes up or down. As long as the configuration file is saved, the security MAC addresses can be restored after the device reboots.
1-10
- To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
- After the number of security MAC addresses reaches 80, the port stops learning MAC addresses.
2-1 2 Port Binding Configuration. Port Binding Overview. Introduction. Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port.
2-2 Port Binding Configuration Example. Network requirements. As shown in Figure 2-1, it is required to bind the MAC and IP addresses of Host 1 to GigabitEthernet 1/0/1 on Switch A, so as to prevent malicious users from using an IP address stolen from Host 1 to access the network.
1-1 1 DLDP Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024.
1-2 Figure 1-2 Fiber correct connection/disconnection in one direction (GE1/0/10 and GE1/0/11 on Switch A, GE1/0/10 and GE1/0/11 on Switch B, and a PC). DLDP provides the following features:
- As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device.
1-3 Status / Description.
- Probe: DLDP sends packets to check whether the link is unidirectional. It enables the probe sending timer and an echo waiting timer for each target neighbor.
- Disable: DLDP detects a unidirectional link, or finds (in enhanced mode) that a neighbor has disappeared.
1-4 Timer / Description.
- Enhanced timer: In enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP enables the enhanced timer for the neighbor.
1-5 Table 1-4 Types of packets sent by DLDP. DLDP status / Packet types.
- Active: Advertisement packets, including those with or without RSY tags.
- Advertisement: Advertisement packets.
- Probe: Probe packets.
2)…
1-6 DLDP neighbor state. A DLDP neighbor can be in one of two states: two way and unknown. You can check the state of a DLDP neighbor by using the display dldp command. Table 1-7 Description of the two DLDP neighbor states. DLDP neighbor state / Description.
- two way: The link to the neighbor operates properly.
1-7 To do… / Use the command… / Remarks
- Set the delaydown timer: dldp delaydown-timer delaydown-time. Optional; by default, the delaydown timer expires 1 second after it is triggered.
- Set the DLDP handling mode when a unidirectional link is detected: dldp unidirectional-shutdown { auto | manual }. Optional.
1-8 To do… / Use the command… / Remarks
- Enter system view: system-view.
- Reset the DLDP status of the system: dldp reset.
- Enter Ethernet port view: interface interface-type interface-number.
- Reset the DLDP status of a port: dldp reset. Optional; this command only applies to ports in DLDP down status.
1-9
[SwitchA-GigabitEthernet1/0/11] duplex full
[SwitchA-GigabitEthernet1/0/11] speed 1000
[SwitchA-GigabitEthernet1/0/11] quit
# Enable DLDP globally.
[SwitchA] dldp enable
DLDP is enabled on all fiber ports except fabric ports.
1-1 1 MAC Address Table Management
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024.
1-2 1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A needs to be transmitted to GigabitEthernet 1/0/1.
1-3 Figure 1-4 MAC address learning diagram (3) (Geth 1/0/1, Geth 1/0/3 and Geth 1/0/4; User A, User B and User C). 4) At this time, the MAC address table of the device includes the two forwarding entries shown in Figure 1-5.
1-4 The aging timer only takes effect on dynamic MAC address entries. Entries in a MAC address table. Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods:
- Static MAC address entry: Also known as a permanent MAC address entry.
1-5 Configuring a MAC Address Entry. You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet port view.
1-6 Setting the Aging Time of MAC Address Entries. Setting the aging time properly helps effective utilization of MAC address aging. An aging time that is too long or too short affects the performance of the device.
- If the aging time is too long, excessive invalid MAC address entries maintained by the device may fill up the MAC address table.
1-7 To do… / Use the command… / Remarks
- Set the maximum number of MAC addresses the port can learn: mac-address max-mac-count count. Required; by default, the number of MAC addresses a port can learn is not limited.
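The three mechanisms described above (static versus dynamic entries, the aging timer, and the per-port learning limit set with mac-address max-mac-count) in one small model, as an added Python example that is not part of the 3Com manual. The class and method names, the aging time and the per-port limit are assumptions chosen for illustration; the code shows that a static entry is never aged or overwritten, that a dynamic entry is refreshed by traffic and dropped once idle longer than the aging time, and that a port at its learning limit silently stops adding entries.

```python
# Added example (not from the 3Com manual): a MAC address table with dynamic
# and static entries, an aging timer and a per-port learning limit.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MacEntry:
    port: str
    static: bool          # static (permanent) entries are never aged out
    last_seen: float      # time of the last frame from this MAC (dynamic entries)


class MacTable:
    def __init__(self, aging_time: float = 300.0, max_mac_per_port: Optional[int] = None):
        # aging_time and max_mac_per_port are assumed parameters standing in for
        # the device's aging timer and its mac-address max-mac-count setting.
        self.aging_time = aging_time
        self.max_mac_per_port = max_mac_per_port
        self.entries: Dict[Tuple[int, str], MacEntry] = {}   # (vlan, mac) -> entry

    def _learned_on(self, port: str) -> int:
        """Number of dynamic entries currently learned on a port."""
        return sum(1 for e in self.entries.values() if e.port == port and not e.static)

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        """Manually configured entry: survives port flaps and is never aged."""
        self.entries[(vlan, mac)] = MacEntry(port, True, 0.0)

    def learn(self, vlan: int, mac: str, port: str, now: float) -> bool:
        """Learn the source MAC of a frame arriving on `port`. Returns False when
        the MAC is pinned statically to another port or the port has reached its
        learning limit; in both cases no entry is added."""
        key = (vlan, mac)
        entry = self.entries.get(key)
        if entry is not None and entry.static:
            return entry.port == port           # static entries are never overwritten
        if entry is not None:
            entry.port, entry.last_seen = port, now   # refresh (or move) a dynamic entry
            return True
        if self.max_mac_per_port is not None and self._learned_on(port) >= self.max_mac_per_port:
            return False                        # limit reached: the port stops learning
        self.entries[key] = MacEntry(port, False, now)
        return True

    def age_out(self, now: float) -> List[Tuple[int, str]]:
        """Remove dynamic entries idle for longer than the aging time."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return expired

    def lookup(self, vlan: int, mac: str) -> Optional[str]:
        """Outgoing port for a destination MAC, or None (the frame is flooded in the VLAN)."""
        entry = self.entries.get((vlan, mac))
        return entry.port if entry else None
```

A lookup that returns None is the case the manual warns about when the aging time is too short: the entry has already been dropped, so the next frame to that destination is flooded and re-learning is needed.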
1-8 Displaying and Maintaining MAC Address Table. To do… / Use the command… / Remarks
- Display information about the MAC address table: display mac-address [ display-option ].
- Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time.
The display command can be executed in any view.
1-1 1 MSTP Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024.
1-2 Upon network convergence, the root bridge generates and sends out configuration BPDUs periodically. Other devices just forward the configuration BPDUs they receive. This mechanism ensures topological stability. 2) Root port. On a non-root bridge device, the root port is the port with the lowest path cost to the root bridge.
1-3 4) Path cost. Path cost is a value used for measuring link capacity. By comparing the path costs of different links, STP selects the most robust links and blocks the other links to prune the network into a tree. How STP works. STP identifies the network topology by transmitting configuration BPDUs between network devices.
1-4 Step / Description. 2: The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU. Principle for configuration BPDU comparison:
- The configuration BPDU that has the lowest root bridge ID has the highest priority.
1-5 When the network topology is stable, only the root port and designated ports forward traffic, while all other ports are in the blocked state: they only receive STP packets but do not forward user traffic.
1-6 Table 1-5 Comparison process and result on each device. Device / Comparison process / BPDU of port after comparison. Device A:
- Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}.
1-7 Device / Comparison process / BPDU of port after comparison.
- Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
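The comparison principle above (lowest root bridge ID, then lowest root path cost, then lowest designated bridge ID, then lowest designated port ID) carried through to the root, designated and blocked port roles, as an added Python example that is not part of the 3Com manual. It models each configuration BPDU as the {root bridge ID, root path cost, designated bridge ID, designated port ID} tuple the manual uses, takes the device priorities 0, 1 and 2 and the port names from Figure 1-3, and assumes the connections (AP1 to BP1, AP2 to CP1, BP2 to CP2), the link path costs (5, 4 and 10) and the port IDs of the constructed topology; run_stp and the other names are hypothetical. The algorithm is general: any priorities, links and costs can be passed in.

```python
# Added example (not from the 3Com manual): STP configuration BPDU comparison
# and root/designated/blocked port election on a three-device topology.
from typing import Dict, Optional, Tuple

# A configuration BPDU as the manual writes it:
# (root bridge ID, root path cost, designated bridge ID, designated port ID).
# Python tuple ordering gives exactly the manual's comparison principle:
# lowest root ID wins, then lowest root path cost, then lowest designated
# bridge ID, then lowest designated port ID.
BPDU = Tuple[int, int, int, int]

# Constructed topology (assumption, not the manual's figure data).
# Device priorities stand in for bridge IDs, as in the manual's example.
PRIORITY = {"A": 0, "B": 1, "C": 2}
PORT_ID = {"AP1": 1, "AP2": 2, "BP1": 1, "BP2": 2, "CP1": 1, "CP2": 2}
# (device, port) -> (peer device, peer port); each link listed in both directions.
LINKS = {
    ("A", "AP1"): ("B", "BP1"), ("B", "BP1"): ("A", "AP1"),
    ("B", "BP2"): ("C", "CP2"), ("C", "CP2"): ("B", "BP2"),
    ("A", "AP2"): ("C", "CP1"), ("C", "CP1"): ("A", "AP2"),
}
# Assumed path cost of the link attached to each port (same value at both ends).
LINK_COST = {
    ("A", "AP1"): 5, ("B", "BP1"): 5,
    ("B", "BP2"): 4, ("C", "CP2"): 4,
    ("A", "AP2"): 10, ("C", "CP1"): 10,
}


def run_stp(priority=PRIORITY, links=LINKS, link_cost=LINK_COST,
            port_id=PORT_ID, max_rounds=20) -> Dict[str, dict]:
    """Run synchronous rounds of BPDU exchange until no device changes its
    root bridge, root path cost or port roles. Returns the per-device state."""
    state = {
        dev: {"root": priority[dev], "cost": 0,
              "roles": {p: "designated" for (d, p) in links if d == dev}}
        for dev in priority
    }
    for _ in range(max_rounds):
        # Step 1: every device sends its BPDU out of each designated port only;
        # root ports and blocked ports do not send.
        tx: Dict[Tuple[str, str], BPDU] = {}
        for dev, st in state.items():
            for p, role in st["roles"].items():
                if role == "designated":
                    tx[(dev, p)] = (st["root"], st["cost"], priority[dev], port_id[p])
        new_state = {}
        for dev, st in state.items():
            # Step 2: compare the BPDUs received on all ports with the device's
            # own BPDU and choose the optimum one; the port it arrived on
            # becomes the root port.
            own: BPDU = (priority[dev], 0, priority[dev], 0)
            best, root_port = own, None
            received: Dict[str, BPDU] = {}
            for p in st["roles"]:
                peer_bpdu: Optional[BPDU] = tx.get(links[(dev, p)])
                if peer_bpdu is None:
                    continue
                received[p] = peer_bpdu
                # Root path cost seen through this port = peer's cost + link cost.
                candidate = (peer_bpdu[0], peer_bpdu[1] + link_cost[(dev, p)],
                             peer_bpdu[2], peer_bpdu[3])
                if candidate < best:
                    best, root_port = candidate, p
            # Step 3: on every other port, compare the BPDU this device would
            # send with the one received there; the better side is designated,
            # the other side is blocked.
            roles = {}
            for p in st["roles"]:
                if p == root_port:
                    roles[p] = "root"
                    continue
                mine: BPDU = (best[0], best[1], priority[dev], port_id[p])
                roles[p] = "blocked" if p in received and received[p] < mine else "designated"
            new_state[dev] = {"root": best[0], "cost": best[1], "roles": roles}
        if new_state == state:
            break
        state = new_state
    return state


if __name__ == "__main__":
    for dev, st in run_stp().items():
        print(dev, "root:", st["root"], "root path cost:", st["cost"], st["roles"])
```

With the assumed costs the result is the tree the manual's figure shows: Device A is the root, Device B reaches it through BP1 at cost 5, and Device C reaches it through BP2/CP2 at cost 9 rather than through the direct link of cost 10, so CP1 is blocked.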
1-8 Figure 1-3 The final calculated spanning tree (Device A with priority 0, ports AP1 and AP2; Device B with priority 1, ports BP1 and BP2; Device C with priority 2, port CP2; path costs 5 and 4 on the remaining links). To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated.
1-9 For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. This period allows the new configuration BPDUs to be propagated throughout the entire network.
1-10 - MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance mapping table. MSTP introduces the "instance" (which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
1-11 MSTI. A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
1-12
- A region edge port is located on the edge of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region.
- An alternate port is a secondary port of a root port or master port and is used for rapid transition.
1-13
- Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets.
- Learning state. Ports in this state can receive/send BPDU packets.
- Discarding state. Ports in this state can only receive BPDU packets.
Port roles and port states are not mutually dependent.
1-14 For MSTP, CIST configuration information is generally expressed as follows: (Root bridge ID, External path cost, Master bridge ID, Internal path cost, Designated bridge ID, ID of sending por…
1-15
- BPDU guard
- Loop guard
- TC-BPDU attack guard
- BPDU packet drop
STP-related Standards. STP-related standards include the following.
- IEEE 802…
1-16 In a network containing devices with both GVRP and MSTP enabled, GVRP packets are forwarded along the CIST. If you want to advertise packets of a specific VLAN through GVRP, be sure to map the VLAN to the CIST when configuring the MSTP VLAN mapping table (the CIST of a network is spanning tree instance 0).
1-17 Configuring MST region-related parameters (especially the VLAN mapping table) results in spanning tree recalculation and network topology jitter.
1-18 To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Specify the current device as the root bridge of a spanning tree: stp [ instance instance-id ] root primary [ bridge-diamet…
1-19 - You can configure a device as the root bridge of multiple spanning tree instances, but you cannot configure two or more root bridges for one spanning tree instance. So, do not configure root bridges for the same spanning tree instance on two or more devices using the stp root primary command.
1-20 Configuration example. # Set the bridge priority of the current device to 4,096 in spanning tree instance 1.
<device> system-view
[device] stp instance 1 priority 4096
Configuring the Mode a Port Recognizes and Sends MSTP Packets. A port can be configured to recognize and send MSTP packets in the following modes.
1-21 To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Enter Ethernet port view: interface interface-type interface-number. —
- Configure the mode a port recognizes and sends MSTP packets: stp compliance { auto | dot1s | legacy }. Required; by default, a port recognizes and sends MSTP packets in the automatic mode.
1-22 Configuration example. # Specify the MSTP operation mode as STP-compatible.
<device> system-view
[device] stp mode stp
Configuring the Maximum Hop Count of an MST Region. The maximum hop count configured on the region root is also the maximum hop count of the MST region.
1-23 To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Configure the network diameter of the switched network: stp bridge-diameter bridgenumber. Required; the default network diameter is 7. The network diameter parameter indicates the size of a network.
1-24 - The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay.
1-25 Configuration procedure. Follow these steps to configure the timeout time factor: To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Configure the timeout time factor for the device: stp timer-factor number. Required; the timeout time factor defaults to 3.
1-26 Configuration example. # Set the maximum transmitting speed of GigabitEthernet 1/0/1 to 15. 1) Configure the maximum transmitting speed in system view.
<device> system-view
[device] stp inter…
1-27 You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network.
1-28 To do… / Use the command… / Remarks
- Specify whether the link connected to a port is a point-to-point link: stp point-to-point { force-true | force-false | auto }. Required; the auto keyword is adopted by default.
- Among aggregated ports, you can only configure the links of master ports as point-to-point links.
1-29 To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Enable MSTP: stp enable. Required; MSTP is disabled by default.
- Enter Ethernet port view: interface interface-type interface-number. —
- Disable MSTP on the port: stp disable. Optional; by default, MSTP is enabled on all ports after you enable MSTP in system view.
1-30 Task / Remarks
- Configuring the Mode a Port Recognizes and Sends MSTP Packets: Optional.
- Configuring the Timeout Time Factor: Optional.
- Configuring the Maximum Transmitting Speed on the Current Port: Optional; the default value is recommended.
1-31 Configuring the Path Cost for a Port. The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled device, the path cost may be different in different spanning tree instances.
1-32 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802…
1-33
[device] stp pathcost-standard dot1d-1998
2) Perform this configuration in Ethernet port view
<device> system-view
[device] interface GigabitEthernet1/0/1
[device-GigabitEthernet1/0/1] undo…
1-34
[device] stp interface GigabitEthernet1/0/1 instance 1 port priority 16
2) Perform this configuration in Ethernet port view
<device> system-view
[device] interface GigabitEthernet1/0/1
[dev…
1-35 To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Enter Ethernet port view: interface interface-type interface-number. —
- Perform the mCheck operation: stp mcheck. Required.
Configuration Example. # Perform the mCheck operation on GigabitEthernet 1/0/1.
1-36 Loop guard. A device maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream device. These BPDUs may get lost because of network congestion or unidirectional link failures.
1-37 Configuration Prerequisites. MSTP runs normally on the device. Configuring BPDU Guard. Configuration procedure. Follow these steps to configure BPDU guard: To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Enable the BPDU guard function: stp bpdu-protection. Required; the BPDU guard function is disabled by default.
1-38 2) Perform this configuration in Ethernet port view
<device> system-view
[device] interface GigabitEthernet1/0/1
[device-GigabitEthernet1/0/1] stp root-protection
Configuring Loop Guard. Con…
1-39 # Set the maximum number of times the device removes the MAC address table within 10 seconds to 5.
<device> system-view
[device] stp tc-protection threshold 5
Configuring BPDU Dropping. Follow…
1-40 Configuring Digest Snooping. Configure the digest snooping feature on a device to enable it to communicate with other devices that adopt proprietary protocols to calculate configuration digests in the same MST region through MSTIs.
1-41 - When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
1-42 Figure 1-6 The RSTP rapid transition mechanism. Figure 1-7 The MSTP rapid transition mechanism. The cooperation between MSTP and RSTP is limited in the process of rapid transition.
1-43 Configuring Rapid Transition. Configuration prerequisites. As shown in Figure 1-8, a WX3000 series device is connected to a device of another vendor. The former operates as the downstream device, and the latter operates as the upstream device.
1-44
- The rapid transition feature can be enabled only on root ports or alternate ports.
- If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
1-45 To do… / Use the command… / Remarks
- Enter Ethernet port view: interface interface-type interface-number. Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel function.
1-46
[device] stp portlog all
Enabling Trap Messages Conforming to the 802.1d Standard. The device sends trap messages conforming to the 802.1d standard to the network management device in the following two cases:
- The device becomes the root bridge of an instance.
1-47 MSTP Configuration Example. Network requirements. Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different spanning tree instances. The detailed configurations are as follows:
- All switches in the network belong to the same MST region.
1-48
[SwitchA] stp instance 1 root primary
2) Configure Switch B
# Enter MST region view.
<SwitchB> system-view
[SwitchB] stp region-configuration
# Configure the region name, VLAN-to-MSTI mapping table, and revision level for the MST region.
1-49 VLAN-VPN tunnel Configuration Example. Network requirements. As shown in Figure 1-11:
- The WX3000 series devices operate as the access devices of the operator's network, that is, Switch C and Switch D in the network diagram.
1-50
[SwitchC] stp enable
# Enable the VLAN-VPN tunnel function.
[SwitchC] vlan-vpn tunnel
# Add GigabitEthernet 1/0/1 to VLAN 10.
[SwitchC] vlan 10
[SwitchC-Vlan10] port GigabitEthernet1/0/1
[SwitchC-Vlan10] quit
# Disable STP on GigabitEthernet 1/0/1 and then enable the VLAN VPN function on it.
1-1 1 802.1x Configuration. The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to 802.1x. The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
1-2 - The authenticator system, residing at the other end of the LAN segment link, is the entity that authenticates the connected supplicant system. The authenticator system is usually an 802.1x-capable network device. It provides ports (physical or logical) for the supplicant system to access the LAN.
1-3 The Mechanism of an 802.1x Authentication System. IEEE 802.1x authentication uses the extensible authentication protocol (EAP) to exchange information between supplicant systems and the authentication servers.
1-4 03: Indicates that the packet is an EAPoL-Key packet, which carries key information. 04: Indicates that the packet is an EAPoL-Encapsulated-ASF-Alert packet, which is used to support the alerting messages of ASF (Alerting Standards Forum).
1-5 Fields added for EAP authentication. Two fields, EAP-Message and Message-Authenticator, are added to a RADIUS protocol packet for EAP authentication. (Refer to the Introduction to RADIUS protocol section in the AAA Operation Manual for information about the format of a RADIUS protocol packet.)
1-6
- EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication between the client and the authentication server. EAP-TTLS transmits messages using a tunnel established with TLS.
- PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems.
1-7 …password using a randomly generated key, and sends the key to the device through a RADIUS Access-Challenge packet. The device then sends the key to the iNode client.
1-8 Figure 1-9 802.1x authentication procedure (in EAP terminating mode) (supplicant system PAE, authenticator system PAE and RADIUS server; EAPOL between supplicant and authenticator, RADIUS between authenticator and server; EAPOL-Start, EAP-Request…)
1-9 - RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the device sends another authentication request packet if it does not receive a response from the RADIUS server before this timer expires.
1-10 This function needs the cooperation of the iNode client and an iMC server.
- The iNode client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
- The iMC server is configured to disable the use of multiple network adapters, proxies, or IE proxies.
1-11 Refer to the AAA Operation Manual for detailed information about the dynamic VLAN delivery function. Enabling 802.1x re-authentication. 802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have passed authentication.
1-12 Figure 1-11 802.1x configuration (ISP domain configuration; AAA scheme: local authentication or RADIUS scheme; 802.1x configuration).
- An 802.1x user uses the domain name to associate with the ISP domain configured on the device.
1-13 To do… / Use the command… / Remarks
- In system view: dot1x [ interface interface-list ].
- In port view: interface interface-type interface-number, then dot1x.
Enable 802…
1-14
- 802.1x configurations take effect only after you enable 802.1x both globally and for the specified ports.
- If you enable 802.1x for a port, you cannot set the maximum number of MAC addresses that can be learnt on the port.
1-15 To do… / Use the command… / Remarks
- Set 802.1x timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }. Optional; the settings of 802…
1-16 To do… / Use the command… / Remarks
- Enable proxy checking for a port or specified ports, in system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ].
- Enable proxy checking for a port, in port view: interface interface-type interface-number, then dot1x supp-proxy-check { logoff | trap }, then quit.
Required; by default, the 802…
1-17 As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, the command applies to the current port only and the interface-list argument is not needed.
1-18 Configuring 802.1x Re-Authentication. Follow these steps to enable 802.1x re-authentication: To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Enable 802.1x globally: dot1x. Required; by default, 802.1x is disabled globally.
- In system view: dot1x [ interface interface-list ]. Enable 802…
1-19 Follow these steps to configure the re-authentication interval: To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Configure a re-authentication interval: dot1x timer reauth-period reauth-period-value. Optional; by default, the re-authentication interval is 3,600 seconds.
1-20 Figure 1-12 Network diagram for AAA configuration with 802.1x and RADIUS enabled. Configuration procedure. The following configuration covers the major AAA/RADIUS configuration commands. Refer to the AAA Operation Manual for information about these commands.
1-21
[device-radius-radius1] key accounting money
# Set the interval and the number of retries for the switch to send packets to the RADIUS servers.
[device-radius-radius1] timer 5
[device-radius-radius1] retry 5
# Set the timer for the switch to send real-time accounting packets to the RADIUS servers.
2-1 2 Quick EAD Deployment Configuration. Introduction to Quick EAD Deployment. Quick EAD Deployment Overview. As an integrated solution, an endpoint admission defense (EAD) solution can improve the overall defense power of a network. In real applications, however, deploying EAD clients proves to be time-consuming and inconvenient.
2-2 Configuration Procedure. Configuring a free IP range. A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: …
2-3 Follow these steps to configure the ACL timer: To do… / Use the command… / Remarks
- Enter system view: system-view. —
- Set the ACL timer: dot1x timer acl-timeout acl-timeout-value. Required; by default, the ACL timeout period is 30 minutes.
2-4 Configuration procedure. Before enabling quick EAD deployment, make sure that:
- The Web server is configured properly.
- The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port directly connected to the PC belongs.
3-1 3 System-Guard Configuration. System-Guard Overview. To implement system guard for the CPU, you must first determine whether the CPU is under attack. You should not determine whether the CPU is under attack just according to whether congestion occurs in a queue.
3-2 Displaying and Maintaining System-Guard. To do… / Use the command… / Remarks
- Display the record of detected attacks: display system-guard attack-record. Available in any view.
- Display the state of the…
1-1 1 AAA Overview. The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to AAA. AAA is the acronym for the three security functions: authentication, authorization and accounting.
1-2
- Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device.
- RADIUS authorization: Users are authorized after they pass RADIUS authentication.
1-3 - The RADIUS server receives user connection requests, authenticates users, and returns all required information to the device. Generally, a RADIUS server maintains the following three databases (see Figure 1-1):
- Users: This database stores information about users (such as user name, password, protocol adopted and IP address).
1-4 2) The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server. 3) The RADIUS server compares the received user information with that in the Users database to authenticate the user.
1-5 Code / Message type / Message description
- 3: Access-Reject. Direction: server -> client. The server transmits this message to the client if any attribute value carried in the Access-Request message is unacceptable (that is, the user fails the authentication).
1-6 Type field value / Attribute type
- 8: Framed-IP-Address
- 9: Framed-IP-Netmask
- 10: Framed-Routing
- 11: Filter-ID
- 30: Called-Station-Id
- 31: Calling-Station-Id
- 32: NAS-Identifier
…
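The RADIUS packet layout the preceding pages describe (a code, an identifier, a length, a 16-byte authenticator, then attributes encoded as type, length and value) in a small builder and parser, as an added Python example that is not part of the 3Com manual. It uses the attribute type values from the table above together with the standard User-Name (1) and NAS-IP-Address (4) attributes, and the Access-Request (1), Access-Accept (2) and Access-Reject (3) codes; the function names and the sample packet values are constructed for illustration. The parser validates every length field before trusting it, which is the check a practitioner wants in anything that reads RADIUS from the network: an attribute whose length byte is below 2 would otherwise never advance the parser.

```python
# Added example (not from the 3Com manual): building and parsing RADIUS
# packets with the attribute types listed in the table above.
import ipaddress
import struct
from typing import Dict, List, Tuple

# Message codes: 1 and 2 are the standard Access-Request and Access-Accept;
# 3 is Access-Reject, as in the message table.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

# Attribute types from the table (8-11, 30-32) plus the standard User-Name (1)
# and NAS-IP-Address (4) needed for a realistic Access-Request.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              9: "Framed-IP-Netmask", 10: "Framed-Routing", 11: "Filter-ID",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier"}
IPV4_ATTRS = {4, 8, 9}          # value is a 4-byte IPv4 address
INT_ATTRS = {10}                # value is a 4-byte unsigned integer

HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def build_packet(code: int, identifier: int, authenticator: bytes,
                 attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize a RADIUS packet. Each attribute is type(1) length(1) value,
    where length counts the two header bytes as well as the value."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes) -> Dict[str, object]:
    """Parse a RADIUS packet, checking every length field before using it so a
    malformed attribute can neither run past the buffer nor stall the loop."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = HEADER.unpack_from(data, 0)
    if length < 20 or length > len(data):
        raise ValueError("length field inconsistent with packet size")
    attrs: List[Tuple[str, object]] = []
    offset = 20
    while offset < length:                       # bytes beyond `length` are ignored
        if length - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        value = data[offset + 2:offset + attr_len]
        if attr_type in IPV4_ATTRS:
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} needs a 4-byte address")
            decoded: object = str(ipaddress.IPv4Address(value))
        elif attr_type in INT_ATTRS:
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} needs a 4-byte integer")
            decoded = struct.unpack("!I", value)[0]
        else:
            decoded = value.decode("utf-8", errors="replace")
        attrs.append((ATTR_NAMES.get(attr_type, f"Attribute-{attr_type}"), decoded))
        offset += attr_len
    return {"code": CODES.get(code, code), "identifier": identifier,
            "authenticator": data[4:20], "attributes": attrs}


def is_rejected(data: bytes) -> bool:
    """True if parse_packet refuses the packet as malformed."""
    try:
        parse_packet(data)
        return False
    except ValueError:
        return True


# Constructed sample Access-Request (sample values, not captured traffic).
# A real request carries a random 16-byte Request Authenticator; zeros are a placeholder.
SAMPLE_REQUEST = build_packet(1, 7, bytes(16), [
    (1, b"host1"),
    (4, ipaddress.IPv4Address("10.1.1.1").packed),
    (8, ipaddress.IPv4Address("192.168.1.10").packed),
    (31, b"00-01-00-02-00-03"),
    (32, b"SwitchA"),
])
```

The Message-Authenticator and EAP-Message fields mentioned in the 802.1x chapter are ordinary attributes in this encoding; verifying the Message-Authenticator (an HMAC over the packet with the shared key) is a separate step that belongs after this structural parse succeeds.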
1-7 Compa red with RADIUS, HWT ACACS provides more reliable transmission and encryption, and therefore is more suit able for secu rity control. T able 1-3 lists the primary dif ferences betwe en HWT ACACS and RADIUS. Table 1-3 Differences between HWTA CACS an d RADIUS HWTACACS RADIUS Adopts TCP, providing more reliable net work transmission.
1-8 Figure 1-6 AAA implementation procedure for a telnet user TACACS s e r v er Us er TAC ACS c lien t Reques ts t o l og in A ut hent icat i on s t art reques t A ut hent i cati on res pons e , reque.
1-9 9) After receivin g the response indicatin g an autho rizati on success, the TA CA CS client pushes the configuration interface of the device to the user.
2-1 2 AAA Configuration. AAA Configuration Task List. Configuration Introduction. You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior.
2-2 Task | Remarks: Creating an ISP Domain and Configuring Its Attributes | Required; Configuring separate AAA schemes | Required; Configuring an AAA Scheme for an ISP Domain | Required. • With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively.
2-3 To do… | Use the command… | Remarks: Set the accounting-optional switch | accounting optional | Optional. By default, the accounting-optional switch is off. Set the messenger function | messenger time { enable limit interval | disable } | Optional. By default, the messenger function is disabled.
2-4 this way, you cannot specify different schemes for authentication, authorization and accounting respectively. Follow these steps to configure a combined AAA scheme: To do… | Use the command…
2-5 You can use an arbitrary combination of the above implementations for your AAA scheme configuration. 2) For FTP users: Only authentication is supported for FTP users.
2-6 upon receiving an integer ID assigned by the RADIUS authentication server, the device adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the device first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN.
2-7 Follow these steps to configure the attributes of a local user: To do… | Use the command… | Remarks: Enter system view | system-view | —. Set the password display mode of all local users | local-us…
2-8 • The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. • After the local-user password-display-mode cipher-…
2-9 Complete the following tasks to configure RADIUS for the device functioning as a RADIUS client: Task | Remarks: Creating a RADIUS Scheme | Required; Configuring RADIUS Authentication/Authorization Ser…
2-10 secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting.
2-11 To do… | Use the command… | Remarks: Enter system view | system-view | —. Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
2-12 To do… | Use the command… | Remarks: Set the IP address and port number of the secondary RADIUS accounting server | secondary accounting ip-address [ port-number ] | Optional. By default, the IP address and UDP port number of the secondary accounting server are 0…
2-13 received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
2-14 To do… | Use the command… | Remarks: Enter system view | system-view | —. Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
2-15 To do… | Use the command… | Remarks: Set the status of the primary RADIUS authentication/authorization server | state primary authentication { block | active }. Set the status of the primary RADIUS …
2-16 • Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to.
2-17 • If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this device.
2-18 To do… | Use the command… | Remarks: Set the response timeout time of RADIUS servers | timer response-timeout seconds | Optional. By default, the response timeout time of RADIUS servers is three seconds.
2-19 online when the user re-logs into the switching engine before the iMC performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the iMC administrator manually removes the user's online information.
2-20 Task | Remarks: Creating a HWTACACS Scheme | Required; Configuring TACACS Authentication Servers | Required; Configuring TACACS Authorization Servers | Required; Configuring TACACS Accounting Servers | Opt…
2-21 To do… | Use the command… | Remarks: Set the IP address and port number of the primary TACACS authentication server | primary authentication ip-address [ port ] | Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0.
2-22 • You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. • You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
2-23 The TACACS client and server adopt the MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messag…
2-24 Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name.
2-25 Displaying and Maintaining AAA. Displaying and maintaining AAA information: To do… | Use the command… | Remarks: Display configuration information about one specific or all ISP domains | display doma…
2-26 Displaying and maintaining HWTACACS protocol information: To do… | Use the command… | Remarks: Display the configuration or statistic information about one specific or all HWTACACS schemes | display …
2-27 Figure 2-1 Remote RADIUS authentication of Telnet users (figure: Internet, Telnet user, authentication server 10.110.91.164). Configuration procedure # Enter system view. <device> system-view # Adopt AAA authentication for Telnet users.
2-28 Local Authentication of FTP/Telnet Users. The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as an example to describe the configuration procedure for local authentication.
2-29 • Change the server IP address and the UDP port number of the authentication server to 127.0.0.1 and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Rem…
2-30 Troubleshooting AAA. Troubleshooting RADIUS Configuration. The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the device and the RADIUS server of the ISP exchange user information with each other.
3-1 3 EAD Configuration. Introduction to EAD. Endpoint admission defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints.
3-2 After the client is patched and compliant with the required security standard, the security policy server reissues an ACL to the device, which then assigns access rights to the client so that the client can access more network resources.
3-3 Figure 3-2 EAD configuration (figure: GE1/0/1, Internet, User, Security Policy Servers 10.110.91.166, Virus Patch Servers 10.110.91.168, Authentication Servers 10.110.91.164). Configuration procedure # Configure 802.1x on the device.
i Table of Contents 1 MAC Authentication Configuration …
1-1 1 MAC Authentication Configuration. The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 included depending on the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. • If the username type is fixed username, you need to configure the fixed username and password on the device, which are used by the device to authenticate all users.
1-3 To do… | Use the command… | Remarks: In system view: mac-authentication interface interface-list; in interface view: interface interface-type interface-number, then mac-authentication | Enable MAC authentication for the spec…
1-4 MAC Address Authentication Enhanced Function Configuration. MAC Address Authentication Enhanced Function Configuration Tasks. Complete the following tasks to configure MAC address authentication …
1-5 • Guest VLANs are implemented in the mode of adding a port to a VLAN. For example, when multiple users are connected to a port, if the first user fails in the authentication, the other users can access only the contents of the Guest VLAN.
1-6 • If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. • When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
1-7 • If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
1-8 # Add a local user. • Specify the username and password. [device] local-user 00-0d-88-f6-44-c1 [device-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1 • Set the service type to “lan-access”. [device-luser-00-0d-88-f6-44-c1] service-type lan-access [device-luser-00-0d-88-f6-44-c1] quit # Add an ISP domain named aabbcc.
i Table of Contents 1 IP Addressing Configuration …
1-1 • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 Table 1-1 IP address classes and ranges: Class | Address range | Remarks: A | 0.0.0.0 to 127.255.255.255 | Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
1-3 adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host.
1-4 • You can assign at most two IP addresses to an interface, one of which is the primary IP address and the other the secondary IP address. A newly specified primary IP address overwrites the previous one if there is any.
1-5 IP Address Configuration Example II. Network requirements: As shown in Figure 1-4, VLAN-interface 1 on Switch is connected to a LAN comprising two segments: 172…
1-6 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/26/27 ms The output information shows that Switch can communicate with the hosts on the subnet 172.16.1.0/24. # Ping a host on the subnet 172.16.2.0/24 from Switch to check the connectivity.
2-1 2 IP Performance Configuration. IP Performance Overview. Introduction to IP Performance Configuration. In some network environments, you need to adjust the IP parameters to achieve the best network performance.
2-2 To do… | Use the command… | Remarks: Enter system view | system-view | —. Configure TCP synwait timer’s timeout value | tcp timer syn-timeout time-value | Optional. By default, the timeout value is 75 seconds. Configure TCP finwait timer’s timeout value | tcp timer fin-timeout time-value | Optional. By default, the timeout value is 675 seconds.
2-3 Displaying and Maintaining IP Performance Configuration: To do… | Use the command… | Remarks: Display TCP connection status | display tcp status. Display TCP connection statistics | display tcp statisti…
i Table of Contents 1 DHCP Overview …
1-1 • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 • Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server. Then the DHCP server assigns these fixed IP addresses to the clients. • Automatic assignment. The DHCP server assigns IP addresses to DHCP clients.
1-3 Updating IP Address Lease. After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address keeps valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must update the IP lease.
1-4 • siaddr: IP address of the DHCP server. • giaddr: IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet. • chaddr: Hardware address of the DHCP client. • sname: Name of the DHCP server. • file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
2-1 2 DHCP Relay Agent Configuration. When configuring the DHCP relay agent, go to these sections for information you are interested in: • Introduction to DHCP Relay Agent • Configuring the DHCP Rel…
2-2 Figure 2-1 Typical DHCP relay agent application. In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent.
2-3 Figure 2-2 Padding contents for sub-option 1 of Option 82. Figure 2-3 Padding contents for sub-option 2 of Option 82. Mechanism of Option 82 supported on DHCP relay agent. The procedure for a DHCP…
2-4 Configuring the DHCP Relay Agent. If a device belongs to an IRF fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent.
2-5 To improve security and avoid malicious attacks on the unused sockets, the device provides the following functions: • UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled. • UDP 67 and UDP 68 ports are disabled when DHCP is disabled.
2-6 To do… | Use the command… | Remarks: Enter system view | system-view | —. Create a static IP-to-MAC binding | dhcp-security static ip-address mac-address | Optional. Not created by default. Enter interface view | interface interface-type interface-number | —. Enable the address checking function | address-check enable | Required. Disabled by default.
2-7 To do… | Use the command… | Remarks: Set the interval at which the DHCP relay agent dynamically updates the client address entries | dhcp-security tracker { interval | auto } | Optional. By default, auto is adopted, that is, the interval is automatically calculated.
2-8 To do… | Use the command… | Remarks: Enter system view | system-view | —. Enable Option 82 support on the DHCP relay agent | dhcp relay information enable | Required. Disabled by default.
2-9 Figure 2-4 Network diagram for DHCP relay agent. Configuration procedure # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it. <SwitchA> system-view [SwitchA] dhcp-server 1 ip 10.1.1.1 # Map VLAN-interface 1 to DHCP server group 1.
2-10 • Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. • Check if a reachable route is configured between the DHCP relay agent and the DHCP server. • Check the DHCP relay agent.
3-1 3 DHCP Snooping Configuration. After DHCP snooping is enabled on a device, clients connected with the device cannot obtain IP addresses dynamically through BOOTP.
3-2 Figure 3-1 Typical network diagram for DHCP snooping application (figure: DHCP clients, Switch A (DHCP Snooping), Switch B (DHCP Relay), Internet, GE1…)
3-3 contents). That is, the circuit ID or remote ID sub-option defines the type and length of a circuit ID or remote ID. The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to “0” in the case of HEX format and to “1” in the case of ASCII format.
3-4 Table 3-1 Ways of handling a DHCP packet with Option 82: Handling policy | Sub-option configuration | The DHCP snooping device will…: Drop | — | Drop the packet. Keep | — | Forward the packet without changing Option 82. Neither of the two sub-options is configured | Forward the packet after replacing the original Option 82 with the default content.
3-5 • The resources on the server are exhausted, so the server does not respond to other requests. • After receiving such type of packets, a device needs to send them to the CPU for processing. Too many request packets cause a high CPU usage rate.
3-6 To do… | Use the command… | Remarks: Specify the current port as a trusted port | dhcp-snooping trust | Required. By default, after DHCP snooping is enabled, all ports of a device are untrusted ports. • You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.
3-7 To do… | Use the command… | Remarks: Enter system view | system-view | —. Enable DHCP-snooping Option 82 support | dhcp-snooping information enable | Required. By default, DHCP snooping Option 82 support is disabled.
3-8 The dhcp-snooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the format of the sub-option is ASCII, instead of the one specified with the dhcp-snooping information format command.
3-9 To do… | Use the command… | Remarks: Enter system view | system-view | —. Configure the remote ID sub-option in system view | dhcp-snooping information remote-id { sysname | string string } | Optional. By default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the DHCP client’s request.
3-10 To do… | Use the command… | Remarks: Enable IP filtering | ip check source ip-address [ mac-address ] | Required. By default, this function is disabled. Create an IP static binding entry | ip source static binding ip-address ip-address [ mac-address mac-address ] | Optional. By default, no static binding entry is created.
3-11 Configuration procedure # Enable DHCP snooping on Switch. <Switch> system-view [Switch] dhcp-snooping # Specify GigabitEthernet 1/0/5 as the trusted port. [Switch] interface gigabitethernet 1/0/5 [Switch-GigabitEthernet1/0/5] dhcp-snooping trust [Switch-GigabitEthernet1/0/5] quit # Enable DHCP-snooping Option 82 support.
3-12 Figure 3-7 Network diagram for IP filtering configuration (figure: Switch with DHCP snooping, ports GE1/0/1 to GE1/0/4; DHCP Server, Client B, Client C, Host A IP 1.1.1.1 MAC 0001-0001-0001). Configuration procedure # Enable DHCP snooping on Switch.
3-13 Displaying and Maintaining DHCP Snooping Configuration: To do… | Use the command… | Remarks: Display the user IP-MAC address mapping entries recorded by the DHCP snooping function | display dhcp-sno…
4-1 4 DHCP/BOOTP Client Configuration. Introduction to DHCP Client. After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as the IP address dynamically from the DHCP server, which facilitates user configuration and management.
4-2 To do… | Use the command… | Remarks: Configure the VLAN interface to obtain an IP address through DHCP or BOOTP | ip address { bootp-alloc | dhcp-alloc } | Required. By default, no IP address is configured for the VLAN interface.
4-3 Displaying and Maintaining DHCP/BOOTP Client Configuration: To do… | Use the command… | Remarks: Display related information on a DHCP client | display dhcp client [ verbose ]. Display related info…
i Table of Contents 1 ACL Configuration …
1-1 1 ACL Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. • The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 • auto: where rules in an ACL are matched in the order determined by the system, namely the “depth-first” rule. For the depth-first rule, there are two cases: Depth-first match order for rules …
1-3 When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and define the match order.
1-4 Configuration Procedure. Follow these steps to configure a time range: To do… | Use the command… | Remarks: Enter system view | system-view | —. Create a time range | time-range time-name { start-t…
1-5 Configuring Basic ACL. A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999. Configuration Prerequisites • To configure a time range-based basic ACL rule, you need to create the corresponding time range first.
1-6 rule 0 deny source 192.168.0.1 0 Configuring Advanced ACL. An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message type and message code.
1-7 • If the ACL is created with the auto keyword specified, the newly created rules will be inserted among the existent ones by the depth-first principle, but the numbers of the existent rules are unaltered. Configuration Example # Configure ACL 3000 to permit the TCP packets sourced from the network 129…
1-8 Note that: • You can modify any existent rule of the Layer 2 ACL and the unmodified part of the ACL remains. • If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, it is the maximum rule number plus one.
1-9 • ACLs assigned globally take precedence over those that are assigned to VLANs. That is, when a packet matches a rule of a globally assigned ACL and a rule of an ACL assigned to a VLAN, the device will perform the action defined in the rule of the globally assigned ACL if the actions defined in the two rules conflict.
1-10 To do… | Use the command… | Remarks: Enter system view | system-view | —. Apply an ACL to a VLAN | packet-filter vlan vlan-id inbound acl-rule | Required. For a description of the acl-rule argument, refer to ACL Command. Configuration example # Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports.
1-11 Assigning an ACL to a Port. Configuration prerequisites: Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL.
1-12 Examples for Upper-layer Software Referencing ACLs. Example for Controlling Telnet Login Users by Source IP. Network requirements: As shown in Figure 1-1, apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switching engine.
1-13 Configuration procedure # Define ACL 2001. <device> system-view [device] acl number 2001 [device-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [device-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server.
1-14 GigabitEthernet 1/0/1 of Switch. Apply an ACL to deny requests from the R&D department and destined for the wage server during the working hours (8:00 to 18:00). Figure 1-4 Network diagram for advanced ACL configuration (figure: GEth 1/0/1, the R&D Department, Switch, to the router, wage query server 192…)
1-15 <device> system-view [device] time-range test 8:00 to 18:00 daily # Define ACL 4000 to filter packets with the source MAC address of 000f-e20f-0101 and the destination MAC address of 000f-e20f-0303.
1-16 # Apply ACL 3000 to VLAN 10. [device] packet-filter vlan 10 inbound ip-group 3000
i Table of Contents 1 QoS Configuration …
ii Applying a QoS Profile …
1-1 1 QoS Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 Video-on-Demand (VoD). Enterprise users expect to connect their regional branches together using VPN techniques for coping with daily business, for instance, accessing databases or managing remote equipment through Telnet.
1-3 information carried in the packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number.
1-4 • Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses; • Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit.
1-5 As shown in the figure above, each host supporting the 802.1Q protocol adds a 4-byte 802.1Q tag header after the source address of the former Ethernet frame header when sending packets.
1-6 The device does not support marking drop precedence for packets. A device can operate in one of the following two priority trust modes when assigning precedence to received packets: • Packet priority trusted mode • Port priority trusted mode. In terms of priority trust mode, the priority mapping process is shown in Figure 1-4.
1-7 The devices provide COS-precedence-to-other-precedence, DSCP-precedence-to-other-precedence, and DSCP-precedence-to-DSCP-precedence mapping tables for priority mapping. Table 1-4 through Table 1-6 list the default settings of these tables.
1-8 Protocol Priority. Protocol packets carry their own priority. You can modify the priority of a protocol packet to implement QoS. Priority Marking. The priority marking function is to use ACL rules in traffic classification and reassign the priority for the packets matching the ACL rules.
1-9 Evaluating the traffic with the token bucket. When the token bucket is used for traffic evaluation, the number of the tokens in the token bucket determines the amount of the packets that can be forwarded.
1-10 Figure 1-6 Diagram for traffic shaping (figure: token bucket, drop, packet classification, packets to be sent through this port, continue to send, put tokens in the bucket at the set rate, queue). For example, if the device A sends packets to the device B…
1-11 1) SP queuing. Figure 1-7 Diagram for SP queuing (figure: packets to be sent through this port, packet classification, queue scheduling, Queue 2 weight 2, Queue N-1 weight N-1, Queue …)
1-12 Figure 1-8 Diagram for WRR queuing (figure: packets to be sent through this port, packet classification, queue scheduling, Queue 2 weight 2, Queue N-1 weight N-1, Queue N weight N)
1-13 Table 1-7 Queue-scheduling sequence of SDWRR: Scheduling algorithm | Queue-scheduling sequence | Description: WRR | 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1. SDWRR | 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, …
1-14 Task | Remarks: Enabling the Burst Function | Optional; Configuring Traffic Mirroring | Optional. Configuring Priority Trust Mode. Refer to Priority Trust Mode for an introduction to priority trust mode. Configuration prerequisites • The priority trust mode to be adopted is determined.
1-15 Configuration example • Configure to trust port priority on GigabitEthernet 1/0/1 and set the priority of GigabitEthernet 1/0/1 to 7. Configuration procedure: <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] priority 7 • Configure to trust 802…
1-16 To do… | Use the command… | Remarks: Configure COS-precedence-to-DSCP-precedence mapping table | qos cos-dscp-map cos0-map-dscp cos1-map-dscp cos2-map-dscp cos3-map-dscp cos4-map-dscp cos5-map…
1-17 [device] qos dscp-local-precedence-map 8 9 10 11 12 13 14 15 : 3 [device] qos dscp-local-precedence-map 16 17 18 19 20 21 22 23 : 4 [device] qos dscp-local-precedence-map 24 25 26 27 28 29 30 31 …
1-18 37 : 7 38 : 7 39 : 7 40 : 0 41 : 0 42 : 0 43 : 0 44 : 0 45 : 0 46 : 0 47 : 0 48 : 5 49 : 5 50 : 5 51 : 5 52 : 5 53 : 5 54 : 5 55 : 5 56 : 6 57 : 6 58 : 6 59 : 6 60 : 6 61 : 6 62 : 6 63 : 6 Setting the Priority of Protocol Packets. Refer to Protocol Priority for information about the priority of protocol packets.
1-19 Configuration example • Set the IP precedence of ICMP packets to 3. • Display the configuration. Configuration procedure: <device> system-view [device] protocol-priority protocol-type icmp …
1-20 Follow these steps to mark the priority for packets that are of a port group and match specific ACL rules: To do… | Use the command… | Remarks: Enter system view | system-view | —. Enter port gr…
1-21 Configuration prerequisites • The ACL rules used for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL rules. • The rate limit for traffic policing, and the actions for the packets exceeding the rate limit are determined.
1-22 To do… | Use the command… | Remarks: Enter system view | system-view | —. Enter Ethernet port view | interface interface-type interface-number | —. Configure traffic policing | traffic-limit inbound acl-rule target-rate [ conform con-action ] [ exceed exceed-action ] [ meter-statistic ] | Required. By default, traffic policing is disabled.
1-23 Configuration procedure. Follow these steps to configure traffic shaping: To do… | Use the command… | Remarks: Enter system view | system-view | —. Enter Ethernet port view | interface interface-…
1-24 Follow these steps to redirect packets that are of a VLAN and match specific ACL rules: To do… | Use the command… | Remarks: Enter system view | system-view | —. Configure traffic redirecting | tr…
1-25 [device-acl-basic-2000] quit [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] traffic-redirect inbound ip-group 2000 interface GigabitEthernet1/0/7 2) Method II <device> system-view [device] acl number 2000 [device-acl-basic-2000] rule permit source 10…
1-26 Configuration prerequisites: The algorithm for queue scheduling to be used and the related parameters are determined. Configuration procedure: Follow these steps to configure SP queue scheduli…
1-27 Configuration example # Configure a device to adopt SP+SDWRR combi nation for queue sch eduling, assigning queu e 3, queue 4, and queue 5 to WRR scheduling gro up 1, wi th the weigh of 20, 20 an d 30; assigning queue 0, queue 1, and queue 2 to WRR scheduling group 2 , with the weight 20, 20, and 40; using SP for scheduling queue 6 and queue 7.
1-28 To do… Use the command… Remarks Collect the statistics on the packets matching specific ACL rules traffic-statistic vl an vlan-id inbound acl-rule Required Clear the statistics on the packets.
1-29 [device] acl number 2000 [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [device-acl-basic-2000] quit [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] traffic-s.
1-30 Configuration procedure Y ou can configure traffic mirro ring on all the packet s matching spe cific ACL rules, or on pa ckets that match specific ACL rule s and are of a VLAN, of a port group, or pa ss a p ort.
1-31 Follow these steps to co nfigure traffic mi rroring for a port: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter Ethernet port view of the destination port interface.
1-32 [device] mirrored-to vlan 2 inbound ip-group 2000 monitor-interface Displaying and Maintaining Qo S To do… Use the command… Remarks Display the protocol packet priority configuration display .
1-33 To do… Use the command… Remarks Display VLAN mapping configuration of a port or all the ports display qos-interface { interface-type interface-num ber | unit-id } traffic-remark-v lanid Displ.
1-34 # Create ACL 2000 and enter basi c ACL view to cl assify packet s sourced from the 192.1 68.1.0/24 network segment. <device> system-view [device] acl number 2000 [device-acl-basic-2000] rule permit source 192.
2 QoS Profile Configuration
Overview
Introduction to QoS Profile
A QoS profile is a set of QoS configurations. It provides an easy way to perform and manage QoS configuration.

QoS Profile Configuration Task List
Complete the following tasks to configure a QoS profile:
- Configuring a QoS Profile: Required
- Applying a QoS Profile: Opti.

Configuration procedure
Follow these steps to apply a QoS profile dynamically:
- Enter system view: system-view
- Enter Ethernet port view: inter.

Configuration Example
QoS Profile Configuration Example
Network requirements
As shown in Figure 2-1, the user name is "someone" and the authentication password is "hello". The user is connected to GigabitEthernet 1/0/1 of the switch and belongs to the test.

# Create the user domain test.net and specify radius1 as your RADIUS server group.
[device] domain test.net
[device-isp-test.net] radius-scheme radius1
[device-isp-test.net] quit
# Create ACL 3000 to permit IP packets destined for any IP address.
Table of Contents: 1 Mirroring Configuration

1 Mirroring Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024.

- VLAN-based mirroring: a device copies packets of a specified VLAN to the destination port.
Local Port Mirroring
In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring.

Table 1-1 Ports involved in the mirroring operation (switch, ports involved, function)
- Source port: the port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port.
- Reflector port: receives packets from the source port and broadcasts the packets in the remote-probe VLAN. Because the copies are broadcast, every port that carries the remote-probe VLAN receives the mirrored traffic.

Mirroring Configuration
Complete the following tasks to configure mirroring:
- Configuring Local Port Mirroring: Optional
- Configuring Remote Port Mirroring: Optional
- Configuring MAC-.

Configuring Remote Port Mirroring
The device can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment.
Configuration on the device acting as a source switch
1) Configuration prerequisites
- The source port, the reflector port, and the remote-probe VLAN are determined.

When configuring the source switch, note that:
- All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port.

Follow these steps to configure remote port mirroring on the destination switch:
- Enter system view: system-view
- Create a VLAN and enter VLAN view: vlan vlan-id (vlan-id is the ID of the remote-probe VLAN)

Configuration prerequisites
- The MAC address to be matched is determined.
- The destination port is determined.
Configuration procedure
Follow these steps to configure MAC-based mirroring: To.

Configuration procedure
Follow these steps to configure VLAN-based mirroring:
- Enter system view: system-view
- Create a local or remote source mirroring g.

Use the local port mirroring function to meet the requirement. Perform the following configurations on Switch C.
- Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring source ports.
- Configure GigabitEthernet 1/0/3 as the mirroring destination port.

- Department 1 is connected to GigabitEthernet 1/0/1 of Switch A.
- Department 2 is connected to GigabitEthernet 1/0/2 of Switch A.
- GigabitEthernet 1/0/3 of Switch A connects to GigabitEthernet 1/0/1 of Switch B.
- GigabitEthernet 1/0/2 of Switch B connects to GigabitEthernet 1/0/1 of Switch C.

[device] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 inbound
[device] mirroring-group 1 reflector-port GigabitEthernet 1/0/4
[device] mirroring-group 1 remote-probe vlan 10
# Configure GigabitEthernet 1/0/3 as a trunk port, allowing packets of VLAN 10 to pass.

# Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
[device] mirroring-group 1 monitor-port GigabitEthernet 1/0/2
[device] mirroring-group 1 remote-probe vlan 10
# Configure GigabitEthernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
Table of Contents: 1 ARP Configuration

1 ARP Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your device may vary.

Figure 1-1 ARP message format (fields, in order: Hardware type, 16 bits; Protocol type, 16 bits; Length of hardware address; Length of protocol address; Operator, 16 bits; Hardware address of the sende.)

Value: Description
5: Chaos
6: IEEE 802.X
7: ARC network
ARP Table
In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.

mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request.
4) Host B compares its own IP address with the destination IP address in the ARP request.

After you enable the ARP attack detection function, the device checks the following items of an ARP packet: the source MAC address, the source IP address, the number of the port receiving the ARP packet, and the ID of the VLAN the port resides in.
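To make the four checks above concrete, the following Python example (added here; it is not WX3000 code) parses an ARP request in the format of Figure 1-1 and validates the sender MAC address, sender IP address, receiving port and VLAN against a binding table. The table is a constructed dict standing in for the DHCP snooping entries used in the configuration example of Figure 1-4; the port names, the VLAN IDs and the extra consistency check between the ARP sender MAC and the Ethernet source MAC are assumptions of the example.

```python
"""ARP attack detection, modelled on the checks described in the text.

Added example, not WX3000 firmware. It parses an untagged Ethernet II /
ARP frame, then validates sender MAC, sender IP, receiving port and VLAN
against a binding table. BINDINGS is a constructed stand-in for the DHCP
snooping entries the switch would consult.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed binding table: sender IP -> (MAC, port, VLAN), as recorded by
# DHCP snooping when the client obtained its lease (ports/VLANs assumed).
BINDINGS = {
    "10.1.1.2": ("00:11:22:33:44:55", "GigabitEthernet1/0/2", 1),
    "10.1.1.3": ("00:11:22:33:44:66", "GigabitEthernet1/0/3", 1),
}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> dict:
    """Return the ARP fields of an untagged Ethernet II frame (Figure 1-1 layout)."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"eth_src": mac_str(src), "oper": oper, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def check_arp(frame: bytes, in_port: str, vlan: int) -> tuple[bool, str]:
    """Decide whether an ARP packet received on (in_port, vlan) is legal."""
    arp = parse_arp(frame)
    # Extra consistency check (assumption, not in the documented list):
    # the ARP sender MAC must be the MAC that actually sent the frame.
    if arp["sha"] != arp["eth_src"]:
        return False, "sender MAC differs from Ethernet source MAC"
    binding = BINDINGS.get(arp["spa"])
    if binding is None:
        return False, f"no binding for sender IP {arp['spa']}"
    mac, port, bvlan = binding
    if arp["sha"] != mac:
        return False, f"sender IP {arp['spa']} is bound to {mac}, not {arp['sha']}"
    if (in_port, vlan) != (port, bvlan):
        return False, (f"{arp['spa']} is bound to {port}/VLAN {bvlan}, "
                       f"received on {in_port}/VLAN {vlan}")
    return True, "ok"


def build_arp(eth_src: str, sha: str, spa: str, tpa: str, oper: int = ARP_REQUEST,
              tha: str = "00:00:00:00:00:00") -> bytes:
    """Construct a test frame (broadcast destination, as for a request)."""
    def mac(s: str) -> bytes: return bytes(int(x, 16) for x in s.split(":"))
    def ip(s: str) -> bytes: return bytes(int(x) for x in s.split("."))
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


if __name__ == "__main__":
    legit = build_arp("00:11:22:33:44:55", "00:11:22:33:44:55", "10.1.1.2", "10.1.1.1")
    spoof = build_arp("00:11:22:33:44:66", "00:11:22:33:44:66", "10.1.1.2", "10.1.1.1")
    print(check_arp(legit, "GigabitEthernet1/0/2", 1))   # Client A on its own port
    print(check_arp(spoof, "GigabitEthernet1/0/3", 1))   # Client B claiming Client A's IP
```

The port/VLAN comparison is what stops a host from answering for an address that was leased on another port, which a MAC/IP check alone would not catch.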
- Enable the ARP entry checking function (that is, prevent the device from learning ARP entries with multicast MAC addresses): arp check enable (Optional. By default, the ARP entry checking function is enabled.)
- Static ARP entries are valid as long as the device operates normally.

- Quit to system view: quit
- Enter VLAN view: vlan vlan-id
- Enable ARP restricted forwarding: arp restricted-forwarding enable (Optional. By default, the ARP restricted forwarding function is disabled, and the device forwards legal ARP packets through all its ports.)

Displaying and Maintaining ARP
- Display specific ARP mapping table entries: display arp [ static | dynamic | ip-address ]
- Display the ARP mapping entries related.

Figure 1-4 ARP attack detection configuration (figure: Switch A running DHCP snooping, with Client A, Client B and a DHCP server attached on GE1/0/1, GE1/0/2 and GE1/0/3)
Configuration procedure
# Enable DHCP snooping on Switch A.
Table of Contents: 1 SNMP Configuration

1 SNMP Configuration
- The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your device may vary.

SNMP NMS and SNMP agent. The community name functions as a password: it limits the access an SNMP NMS can make to the SNMP agent. In SNMPv1 and SNMPv2c the community name is carried unencrypted in every message, so anyone able to capture the management traffic can read it; SNMPv3 replaces it with user-based authentication. You can perform the following community name-related configuration:
- Specify the MIB view that a community can access.
- Set the permission for a community to access an MIB object to read-only or read-write.
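Because the community name is the only credential in SNMPv1 and SNMPv2c, the following Python example (added here; it is not part of the manual) encodes an SNMPv2c GetRequest with a minimal BER encoder and then reads the community name straight back out of the raw bytes. The OID and community are constructed values. The same parser returns no community for an SNMPv3 message, whose second element is the msgGlobalData sequence rather than a password.

```python
"""Minimal BER encoder/decoder for SNMPv1/v2c messages.

Added example, not switch code. It builds a GetRequest and then reads the
community name back out of the bytes on the wire, which is the security
point of the text above: the community name is the whole credential and
it is carried in cleartext.
"""

# ASN.1/BER tags used by SNMP
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST = 0xA0
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a short or long definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def encode_int(v: int) -> bytes:
    """Two's-complement INTEGER, minimal length."""
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                  # high bit set on all but the last byte
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out.extend(chunk)
    return tlv(OID, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 1) -> bytes:
    """SNMP message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(version) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def community_of(packet: bytes):
    """Return (version name, community). Community is None for SNMPv3, whose
    second element is msgGlobalData (a SEQUENCE), not an OCTET STRING."""
    tag, body, _ = read_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body)
    if tag != INTEGER:
        raise ValueError("missing version")
    version = VERSIONS.get(int.from_bytes(ver, "big", signed=True), "unknown")
    tag, second, _ = read_tlv(body, pos)
    if tag != OCTET_STRING:
        return version, None
    return version, second.decode("ascii", "replace")


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex())
    print(community_of(pkt), b"public" in pkt)
```

Restricting communities with the `acl acl-number` option limits which source addresses may use a captured community name, but only SNMPv3 with authentication and privacy (configured below) keeps the credential itself off the wire.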
Private MIB (MIB content): DHCP MIB, QACL MIB, MSTP MIB, VLAN MIB, IPv6 ADDRESS MIB, MIRRORGROUP MIB, QINQ MIB, 802.x MIB, HGMP MIB, NTP MIB, Device management, Interface management .

Direct configuration
- Set a community name: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
- Set an SNMP group: snm.

- Set an SNMP group: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ].

- Enter system view: system-view
- Enable the device to send Trap messages to the NMS: snmp-agent trap enable [ configuration | flash | standard [ authentication |.

Enabling Logging for Network Management
Follow these steps to enable logging for network management:
- Enter system view: system-view
- Enable logging for network management: snmp-agent log { set-operation | get-operation | all } (Optional. Disabled by default.)

- Perform the following configuration on Switch A: set the community name and access permission, the administrator ID, and the contact and location of Switch A, and enable the device to send trap messages. The NMS is then able to access Switch A and receive the trap messages Switch A sends.

[device] snmp-agent trap enable standard linkdown
[device] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
Configuring the NMS
The device supports the iMC NMS. SNMPv3 adopts user name and password authentication.
2 RMON Configuration
Introduction to RMON
Remote monitoring (RMON) is a kind of management information base (MIB) defined by the Internet Engineering Task Force (IETF).

Commonly Used RMON Groups
Event group
The event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and the extended alarm group to trigger alarms.

The statistics include the number of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.

Displaying and Maintaining RMON
- Display RMON statistics: display rmon statistics [ interface-type interface-number | unit unit-number ]
- Display RMON history.

[device] rmon prialarm 2 (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1
# Display the RMON extended alarm entry numbered 2.
[device] display rmon prialarm 2
Prialarm table 2 owned by user1 is VALID.
Table of Contents: 1 Multicast Overview

1 Multicast Overview
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series devices.
- The sample output information in this manual was created on the WX3024.

Figure 1-1 Information transmission in the unicast mode (figure: a Source server and Hosts A to E, with separate packets for Host B, for Host D and for Host E). Assume that Hosts B, D and E need this information.

Figure 1-2 Information transmission in the broadcast mode (figure: a Source server and Hosts A to E, with packets for all the network). Assume that Hosts B, D, and E need the information.

Figure 1-3 Information transmission in the multicast mode (figure: a Source server and Hosts A to E, with packets for the multicast group). Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts B, D and E into a receiver set.

Table 1-1 An analogy between TV transmission and multicast transmission
- Step 1. TV transmission: a TV station transmits a TV program through a television channel. Multicast transmission: a multicast source sends multicast data to a multicast group.
- Step 2. TV transmission: a user tunes the TV set to the channel .

ASM model
In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain the multicast information addressed to that group.

As the receivers are multiple hosts in a multicast group, you should be concerned about the following questions:
- What destination should the information source send the information to in the multicast mode?
- How is the destination address selected?
These questions are about multicast addressing.

Class D address range: Description
239.0.0.0 to 239.255.255.255: Administratively scoped multicast addresses, which are for specific local use only.
As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network protocols on local networks.

multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members. As stipulated by IANA, the high-order 24 bits of a multicast MAC address are 0x01005e, while the low-order 23 bits of the MAC address are the low-order 23 bits of the multicast IP address. The remaining 5 bits of the 28-bit group ID are not carried in the MAC address, so 32 different IP multicast groups map to the same multicast MAC address.
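Worked example of the mapping, added here and not switch code, in Python: it derives the MAC address from a group address with the rule above and enumerates the 32 group addresses that share one MAC address. That ambiguity is what the IGMP Snooping display output later in this part means when it reports several IP groups matching one MAC group. The addresses used are arbitrary class D examples.

```python
"""IPv4 multicast group address -> multicast MAC address.

Added example, not switch code. It applies the IANA rule from the text
(high-order 24 bits 0x01005e, low-order 23 bits copied from the group
address) and enumerates the 32 groups that collapse onto one MAC, which
a Layer 2 device forwarding on MAC alone cannot tell apart.
"""


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def is_multicast(ip: str) -> bool:
    """Class D is 224.0.0.0/4: the top four bits are 1110."""
    return ip_to_int(ip) >> 28 == 0b1110


def multicast_mac(ip: str) -> str:
    """01:00:5e followed by the low 23 bits of the group address."""
    if not is_multicast(ip):
        raise ValueError(f"{ip} is not a class D address")
    mac = 0x01005E000000 | (ip_to_int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(ip: str) -> list[str]:
    """All 32 class D addresses with the same multicast MAC as `ip`.
    The dropped bits are bits 23..27: the low 4 bits of the first octet and
    the high bit of the second octet."""
    base = 0xE0000000 | (ip_to_int(ip) & 0x7FFFFF)
    return [int_to_ip(base | (i << 23)) for i in range(32)]


def is_link_local_reserved(ip: str) -> bool:
    """224.0.0.0/24 is reserved by IANA for protocols on the local network."""
    return ip_to_int(ip) >> 8 == 0xE00000


if __name__ == "__main__":
    print(multicast_mac("224.1.1.1"))   # 01:00:5e:01:01:01
    for g in groups_sharing_mac("224.1.1.1"):
        print(g, multicast_mac(g))
```

A practical consequence: a filter or static entry written per MAC admits all 32 groups, so group-level control has to be done on the IP group address, as IGMP Snooping does.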
Figure 1-5 Positions of Layer 3 multicast protocols (figure labels: AS 1, AS 2, Source, Receivers, PIM, MSDP, IGMP)
1) Multicast management protocols
Typically, the Internet Group Management Protocol (IGMP) is used between hosts and the Layer 3 multicast devices directly connected to the hosts.

Figure 1-6 Positions of Layer 2 multicast protocols (figure labels: Source, Receivers, multicast packets, IGMP Snooping)
2) IGMP Snooping
Running on Layer 2 devices, Internet Group Management P.

2) If the corresponding (S, G) entry exists, but the interface on which the packet actually arrived is not the incoming interface in the multicast forwarding table, the multicast packet is subject to an RPF check.

- A multicast packet from Source arrives at VLAN-interface 1 of Switch C, and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C. Switch C performs an RPF check, and finds in its unicast routing table that the outgoing interface to 192.
2 IGMP Snooping Configuration
IGMP Snooping Overview
Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.

Figure 2-2 IGMP Snooping related ports (figure labels: Router A, Switch A, Switch B, Eth1/0/1, Eth1/0/2, Eth1/0/3, Eth1/0/1, Eth1/0/2, receivers Host A to Host D, Source, Mu.)

When receiving a general query
The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether active multicast group members exist on the subnet.

immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port.

- Configuring a VLAN Tag for Query Messages: Optional
- Configuring Multicast VLAN: Optional
Enabling IGMP Snooping
Follow these steps to enable IGMP Snooping: To do… Use the com.

- Before configuring related IGMP Snooping functions, you must enable IGMP Snooping in the specified VLAN.
- Different multicast group addresses should be configured for different multicast sources, because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group.

Enabling fast leave processing in Ethernet port view
Follow these steps to enable fast leave processing in Ethernet port view:
- Enter system view: system-view

Configuring a multicast group filter in system view
Follow these steps to configure a multicast group filter in system view:
- Enter system view: system-view

Follow these steps to configure the maximum number of multicast groups on a port:
- Enter system view: system-view
- Enter Ethernet port view: interface inte.

- Enable the IGMP Snooping querier: igmp-snooping querier (Required. By default, the IGMP Snooping querier is disabled.)
- Configure the interval for sending general queries: igmp-snooping query-interval seconds (Optional. By default, the interval for sending general queries is 60 seconds.)

In Ethernet port view
Follow these steps to configure a static multicast group member port in Ethernet port view:
- Enter system view: system-view
- Enter.
In VLAN view
Follow these steps to configure a static router port in VLAN view:
- Enter system view: system-view
- Enter VLAN view: vlan vlan-id
- Config.

- Before configuring a simulated host, enable IGMP Snooping in VLAN view first.
- The port to be configured must belong to the specified VLAN; otherwise the configuration does not take effect.
- You can use the source-ip source-address command to specify a multicast source address that the port will join as a simulated host.

- Enter VLAN interface view: interface Vlan-interface vlan-id
- Enable IGMP: igmp enable (Required. By default, the IGMP feature is disabled.)

- One port can belong to only one multicast VLAN.
- The port connected to a user terminal must be a hybrid port.
- The multicast member ports must be in the same VLAN as the router port. Otherwise, the multicast member port cannot receive multicast packets.

Figure 2-3 Network diagram for IGMP Snooping configuration (figure labels: multicast packets, Source, Router A, Switch A, receivers Host A, Host B and Host C, IGMP querier, 1.1.1.1/24, GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/1, 10.1.1.)

Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Static Router port(s):
Dynamic Router port(s):
GigabitEthernet1/0/1
IP group(s):the following ip group(s) match to one mac group.
IP group address: 224.

Configure a multicast VLAN, so that users in VLAN 2 and VLAN 3 can receive multicast streams through the multicast VLAN.
Figure 2-4 Network diagram for multicast VLAN configuration (figure labels: Host A, Host B, Workstation, Switch A, Switch B, Vlan-int 20, 168.)

# Configure VLAN 10 as the multicast VLAN and enable IGMP Snooping on it.
[SwitchB] vlan 10
[SwitchB-vlan10] service-type multicast
[SwitchB-vlan10] igmp-snooping enable
[SwitchB-vlan10] quit
# D.

3 Common Multicast Configuration
Common Multicast Configuration
Configuring a Multicast MAC Address Entry
In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol.

Configuring Dropping Unknown Multicast Packets
Generally, if the multicast address of a multicast packet received on the device is not registered on the local device, the packet is flooded in the VLAN.
Table of Contents: 1 NTP Configuration

1 NTP Configuration
When configuring NTP, go to these sections for the information you are interested in:
- Introduction to NTP
- NTP Configuration Task List
- Configuring NTP Implementation Modes.

- In network management, the analysis of the log information and debugging information collected from different devices is meaningful and valid only when the network devices that generate the information use the same time.
- The billing system requires that the clocks of all network devices be consistent.

Figure 1-1 Implementation principle of NTP (figure: four stages of the exchange between Device A and Device B across an IP network)

Server/client mode
Figure 1-2 Server/client mode (figure: the client sends a clock synchronization request across the network; the server works in server mode automatically and sends a response)

Multicast mode
Figure 1-5 Multicast mode (figure: the server periodically sends multicast clock synchronization packets across the network; the client initiates a client/server mode request aft.)

NTP Configuration Task List
Complete the following tasks to configure NTP:
- Configuring NTP Implementation Modes: Required
- Configuring Access Control Right: Optional
- Configuring NTP Aut.

- Enter system view: system-view
- Configure an NTP client: ntp-service unicast-server { remote-ip | server-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* (Required. By default, the device is not configured to work in the NTP client mode.)

- In the symmetric peer mode, you need to execute the related NTP configuration commands (refer to Configuring NTP Implementation Modes for details) to enable NTP on a symmetric-passive peer; otherwise, the symmetric-passive peer will not process NTP messages from the symmetric-active peer.

Configuring the device to work in the NTP broadcast client mode
- Enter system view: system-view
- Enter VLAN interface view: interface Vlan-interface vlan-id
- Configure the device to work in the NTP broadcast client mode: ntp-service broadcast-client (Required. Not configured by default.)

Configuring Access Control Right
With the following command, you can configure the NTP service access-control right to the local device for a peer device.
synchronized only to that of a server that passes the authentication. This improves network security. Table 1-2 shows the roles of devices in the NTP authentication function.

- Configure the NTP authentication key: ntp-service authentication-keyid key-id authentication-mode md5 value (Required. By default, no NTP authentication key is configured.)

- Configure on the NTP broadcast server: ntp-service broadcast-server authentication-keyid key-id. Associate the specified key with the corresponding broadcas.

Configuring the Number of Dynamic Sessions Allowed on the Local Device
Follow these steps to configure the number of dynamic sessions allowed on the local device: To do… Use the command… Re.

Figure 1-6 Network diagram for the NTP server/client mode configuration (figure: Device A 1.0.1.11/24 and Device B 1.0.1.12/24)
Configuration procedure
Perform the following configurations on Device B.
# View the NTP status of Device B before synchronization.

[12345]1.0.1.11 127.127.1.0 2 1 64 1 350.1 15.1 0.0
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
Configuring NTP Symmetric Peer Mode
Network requirements
- As shown in Figure 1-7, the local clock of Device A is set as the NTP master clock, with a clock stratum level of 2.

Reference clock ID: 3.0.1.32
Nominal frequency: 60.0002 Hz
Actual frequency: 60.0002 Hz
Clock precision: 2^18
Clock offset: 0.66 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Thu Sep 7 2006 (BF422AE4.

Configuration procedure
1) Configure Device C.
# Enter system view.
<DeviceC> system-view
# Set Device C as the broadcast server, which sends broadcast messages through Vlan-interface2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service broadcast-server
2) Configure Device A.

Configuring NTP Multicast Mode
Network requirements
- As shown in Figure 1-9, the local clock of Device C is set as the NTP master clock, with a clock stratum level of 2. Configure Device C to work in the NTP multicast server mode and advertise multicast NTP messages through Vlan-interface2.

Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 60.0002 Hz
Actual frequency: 60.0002 Hz
Clock precision: 2^18
Clock offset: 198.7425 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.

# Configure an MD5 authentication key, with the key ID 42 and the key aNiceKey.
[DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify key 42 as a trusted key.
[DeviceB] ntp-service reliable authentication-keyid 42
[DeviceB] ntp-service unicast-server 1.
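The example above configures key 42 and marks it trusted. The Python below, added here and not switch code, shows the packet-level effect: an NTP header is authenticated by appending the key ID and MD5(key || header), and the receiver accepts it only if the key ID is both configured and trusted and the digest matches. The key ID and key value are taken from the configuration above; the second, untrusted key and the packet timestamp are constructed for the example.

```python
"""NTP packet authentication with an MD5 key.

Added example, not switch code. Key 42 / "aNiceKey" come from the
configuration example in the text; key 7 and the timestamp are constructed.
The MAC is the classic NTP form: MD5(key || 48-byte header), sent after a
4-byte key identifier. A receiver only honours keys it both knows and
trusts, which is what `ntp-service reliable authentication-keyid` adds.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2_208_988_800        # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def build_client_header(transmit_unix: float) -> bytes:
    """Unauthenticated NTPv3 client packet (mode 3); only the transmit
    timestamp is filled in, as a client would do."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3          # LI=0, VN=3, mode=3 (client)
    stratum, poll, precision = 0, 6, -20
    fixed = struct.pack("!BBBbIII", li_vn_mode, stratum, poll, precision, 0, 0, 0)
    timestamps = struct.pack("!QQQQ", 0, 0, 0, ntp_timestamp(transmit_unix))
    return fixed + timestamps


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header) to a bare 48-byte NTP header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a bare 48-byte NTP header")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict, trusted: set) -> bool:
    """True only if the packet carries a MAC made with a trusted, known key."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False                              # unauthenticated or malformed
    header, key_id_raw, mac = packet[:48], packet[48:52], packet[52:]
    (key_id,) = struct.unpack("!I", key_id_raw)
    if key_id not in trusted or key_id not in keys:
        return False                              # configured but untrusted keys are refused
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac)     # constant-time comparison


# Constructed key store: 42 is configured and trusted; 7 is configured only.
KEYS = {42: b"aNiceKey", 7: b"otherKey"}
TRUSTED = {42}

if __name__ == "__main__":
    hdr = build_client_header(1_157_648_612.0)    # constructed transmit time
    pkt = authenticate(hdr, 42, KEYS[42])
    print(len(pkt), verify(pkt, KEYS, TRUSTED))
    print(verify(authenticate(hdr, 7, KEYS[7]), KEYS, TRUSTED))
```

Note what this does and does not protect: a shared MD5 key stops an unauthenticated host from posing as the server, but anyone who learns the key can do so, so the key should be treated like any other shared secret and distributed out of band.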
Table of Contents: 1 SSH Configuration

1 SSH Configuration
- The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series.

Figure 1-1 Encryption and decryption (figure: plaintext is encrypted with a key into ciphertext and decrypted with a key back into plaintext)
Key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms.

Version negotiation
- The server opens port 22 to listen for connection requests from clients.
- The client sends a TCP connection request to the server.

- In password authentication, the client sends the username and password to the server in a password authentication request over the encrypted connection.

SSH Server Configuration Tasks
Complete the following tasks to configure the SSH server:
- Configuring the Protocol Support for the User Interface: Required
- Generating/Destroying a RSA or DS.

- If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.

Exporting the RSA or DSA Public Key
You can display the public key of the generated RSA or DSA key pair on the screen in a specified format, or export it to a specified file for configuring the key at a remote end.

- For the password authentication type, the username argument must be consistent with a valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so there is no need to configure a local user in AAA.

- Enter system view: system-view
- Set the SSH authentication timeout time: ssh server timeout seconds (Optional. By default, the timeout time is 60 seconds.)
- Set the SSH authentication retry times: ssh server authentication-retries times (Optional. By default, the number of retry times is 3.)

- Enter public key edit view: public-key-code begin
- Configure a public key for the client: enter the content of the public key. When you input the key data, spa.

Follow these steps to import the RSA public key from a public key file:
- Enter system view: system-view
- Import the RSA public key from a public key file .
Follow these steps to specify a source IP address/interface for the SSH server:
- Enter system view: system-view
- Specify a source IP address for the SSH server: ssh-server source-ip ip-address (Required. By default, the system determines the IP address for clients to access.)

- Selecting the protocol for remote connection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH.
- Selecting the SSH version. Since the device supports SSH Server 2 .

Figure 1-3 Generate the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.

Likewise, to save the private key, click Save private key. A warning window pops up to ask whether you want to save the private key without any protection. Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key.

Figure 1-7 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Select a protocol for remote connection
As shown in Figure 1-7, select SSH under Protocol.

Figure 1-8 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example the Tectia client software, supports the DES algorithm only when the ssh1 version is selected.

Figure 1-9 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, the user is prompted for a username.

Open an SSH connection with password authentication
From the window shown in Figure 1-9, click Open. The following SSH client interface appears. If the connection is normal, you are prompted to enter the username and password, as shown in Figure 1-11.

Follow these steps to enable the device to support first-time authentication:
- Enter system view: system-view
- Enable the device to support first-time authentication: ssh client first-time enable (Optional. By default, the client is enabled to run first-time authentication.)

When logging into the SSH server using public key authentication, an SSH client needs to read the local private key for authentication. As two algorithms (RSA or DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key.
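Public key authentication and first-time authentication both rest on the client knowing which key it is talking to. The Python below, added here and not switch or PuTTY code, encodes and parses an ssh-rsa public key blob in the SSH wire format (RFC 4253: a string holding the algorithm name, then the mpints e and n), computes the MD5 fingerprint older clients display and the SHA-256 form newer ones display, and applies a trust-on-first-use policy: an unknown host key is recorded on first contact when first-time authentication is on, and a changed key is rejected. The switch's own display format for exported keys is not assumed here, and the key parameters are constructed toys, far too small for real use.

```python
"""SSH public key blobs, fingerprints and first-time (trust-on-first-use) checks.

Added example, not switch or PuTTY code. Wire format per RFC 4253:
string "ssh-rsa", mpint e, mpint n. The key material is a constructed toy.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Big-endian two's complement, with a leading 0x00 if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def read_string(buf: bytes, pos: int) -> tuple:
    if pos + 4 > len(buf):
        raise ValueError("truncated SSH string length")
    (length,) = struct.unpack("!I", buf[pos:pos + 4])
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos:pos + length], pos + length


def parse_rsa_blob(blob: bytes) -> tuple:
    """Return (e, n); reject anything that is not a well-formed ssh-rsa blob."""
    name, pos = read_string(blob, 0)
    if name != b"ssh-rsa":
        raise ValueError(f"unsupported key type {name!r}")
    e_raw, pos = read_string(blob, pos)
    n_raw, pos = read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after key")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated hex MD5 of the blob, the form older clients display."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style 'SHA256:' + unpadded base64 of the SHA-256 of the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_host_key(host: str, blob: bytes, known: dict, first_time: bool = True) -> str:
    """Trust-on-first-use. Returns 'recorded' (new host, fingerprint saved),
    'accepted' (matches the saved fingerprint) or 'rejected' (mismatch, or an
    unknown host while first-time authentication is disabled)."""
    parse_rsa_blob(blob)                     # malformed blobs raise before any trust decision
    fp = fingerprint_sha256(blob)
    saved = known.get(host)
    if saved is None:
        if not first_time:
            return "rejected"
        known[host] = fp
        return "recorded"
    return "accepted" if saved == fp else "rejected"


# Constructed toy parameters (NOT a usable RSA key; real moduli are 2048+ bits).
E, N = 65537, 0xC0FFEE0123456789ABCDEF0123456789

if __name__ == "__main__":
    blob = build_rsa_blob(E, N)
    print(fingerprint_md5(blob), fingerprint_sha256(blob))
    known = {}
    print(check_host_key("192.168.0.1", blob, known))                       # recorded
    print(check_host_key("192.168.0.1", build_rsa_blob(E, N + 2), known))   # rejected
```

The first connection is the weak moment of this policy: the fingerprint that gets recorded should be compared against one obtained from the switch console or its exported public key, not taken on faith from the network.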
SSH Configuration Examples
When the Device Acts as the SSH Server and the Authentication Type is Password
Network requirements
As shown in Figure 1-12, establish an SSH connection between the host (SSH client) and the device (SSH server) for secure data exchange.

Take the SSH client software PuTTY (version 0.58) as an example:
1) Run PuTTY.exe to enter the following configuration interface.
Figure 1-13 SSH client configuration interface
In the Host Name (or IP address) text box, enter the IP address of the SSH server.

Figure 1-14 SSH client interface
When the Device Acts as an SSH Server and the Authentication Type is Publickey
Network requirements
As shown in Figure 1-15, establish an SSH connection between the host (SSH client) and the device (SSH server) for secure data exchange.

<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.

Figure 1-16 Generate a client key pair (1)
While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-17. Otherwise, the progress bar stops moving and the key pair generation process stops.

Figure 1-17 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key ("public" in this case).

Likewise, to save the private key, click Save private key. A warning window pops up to ask whether you want to save the private key without any protection. Click Yes and enter the name of the file for saving the private key ("private" in this case).

Figure 1-21 SSH client configuration interface (2)
Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
3) From the window shown in Figure 1-21, click Open. The following SSH client interface appears.

When the Switch Acts as an SSH Client and the Authentication Type is Password
Network requirements
As shown in Figure 1-23, establish an SSH connection between Switch A (SSH client) and Switch B (SSH server) for secure data exchange. The user name for login is client001 and the SSH server's IP address is 10.

[device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[device-Vlan-interface1] quit
# Establish a connection to the server 10.165.87.136.
[device] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.

<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
1-33 After the key pair is generated, you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuratio n bef ore you continue to configure the client. # Establish an SSH con ne ction to the server 10.165.
1-34 [device-Vlan-interface1] quit # Generate RSA and DSA key p airs. [device] public-key local create rsa [device] public-key local create dsa # Set AAA authentication on user interfaces. [device] user-interface vty 0 4 [device-ui-vty0-4] authentication-mode scheme # Configure the user interfaces to support SSH.
1-35 [device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [device-Vlan-interface1] quit # Generate a DSA key pair [device] public-key local create dsa # Export the generated DSA key pair to a file named Switch001.
1-1 1 File System Management Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 • Displaying the current work directory, or contents in a specified directory Follow these steps to perform directory-related operations in user view: To do… Use the command… Remarks Crea.
1-3 To do… Use the command… Remarks Enter system view system-view — Execute the specified batch file execute filename Optional This command should be executed in system view. • For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored.
1-4 Follow these steps to configure the prompt mode of the file system: To do… Use the command… Remarks Enter system view system-view — Configure the prompt mode of the file system file prompt { alert | quiet } Required By default, the prompt mode of the file system is alert.
1-5 <device> dir unit1>flash:/test/ Directory of unit1>flash:/test/ 1 -rw- 1443 Apr 02 2000 02:45:13 1.cfg 6858 KB total (6841 KB free) (*) -with main attribute (b) -with backup attribute .
1-6 attribute. If you download a valid file with the same name as the deleted file to the flash memory, the file will possess the main attribute. Configuring File Attributes You can configure and.
1-1 1 FTP and SFTP Configuration • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Introduction to SFTP Secure FTP (SFTP) is established on top of an SSH2 connection. It allows a remote user to log in to the switching engine to manage and transmit files, providing stronger protection for data transmission.
1-3 Enabling an FTP server Follow these steps to enable an FTP server: To do… Use the command… Remarks Enter system view system-view — Enable the FTP server function ftp server enable Required Disabled by default. • Only one user can access the device at a given time when the latter operates as an FTP server.
1-4 Source interface refers to the existing VLAN interface or Loopback interface on the device. Source IP address refers to the IP address configured for the interface on the device.
1-5 With the device acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the device will disconnect the user after the data transmission is completed.
1-6 To do… Use the command… Remarks Configure a shell banner header shell text Use either command or both. By default, no banner is configured. For details about the header command, refer to the Login part of the manual.
1-7 To do… Use the command… Remarks Change the working directory on the remote FTP server cd pathname Change the working directory to be the parent directory cdup Get the local working path on.
1-8 Specifying the source interface and source IP address for an FTP client You can specify the source interface and source IP address for the device acting as an FTP client, so that it can connect to a remote FTP server.
1-9 saved-configuration command to specify config.cfg as the main configuration file for next startup and then reboot the device. • Create a user account on the FTP server with the user name “switch” and password “hello”. • The IP addresses 1.
1-10 200 Port command okay. 150 Opening ASCII mode data connection for config.cfg. 226 Transfer complete. This example uses the command line window tool provided by Windows. When you log in to the FTP server through another FTP client, refer to the corresponding instructions for operation description.
1-11 Figure 1-4 Network diagram for FTP banner display configuration [diagram residue: Switch as FTP server and PC as FTP client across a network; Vlan-int 1 1.1.1.1/8]
1-12 Figure 1-5 Network diagram for FTP configurations: the device operating as an FTP client [diagram residue: Switch A as FTP client, an FTP server, Vlan-int 1]
1-13 <device> # After downloading the file, use the startup saved-configuration command to specify the downloaded configuration file as the main configuration file for next startup, and then restart the device. <device>startup saved-configuration config.
1-14 To do… Use the command… Remarks Enter system view system-view — Configure the connection idle time for the SFTP server ftp timeout time-out-value Optional 10 minutes by default Supported SFTP client software The device operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.
1-15 To do… Use the command… Remarks Enter SFTP client view sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_ciph.
1-16 If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server.
1-17 # Create a VLAN interface on the device and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server. [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 192.168.0.1 255.
1-18 sftp-client> # Display the current directory of the server. Delete the file z and verify the result. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.
1-19 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 Received status: End of file Received status: Success # Download the file pubkey2 from the server and rename it as public.
2-1 2 TFTP Configuration Introduction to TFTP Compared with FTP, TFTP (trivial file transfer protocol) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in networks where client-server interactions are relatively simple.
2-2 Task Remarks TFTP server configuration For details, see the corresponding manual — TFTP Configuration: The Device Operating as a TFTP Client Basic configurations on a TFTP client By default the device can operate as a TFTP client.
2-3 To do… Use the command… Remarks Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server tftp source-interface interface-type interface-number.
2-4 Configuration procedure 1) Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. 2) Configure the TFTP client (switch). # Log in to the switching engine. (You can log in to the switching engine through the console port or by telnetting the device.
1-1 1 Information Center • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 Severity Severity value Description informational 7 Informational information to be recorded debugging 8 Information generated during debugging Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during the filtering.
1-3 Configurations for the six output directions function independently and take effect only after the information center is enabled. Outputting system information by source module The system information can be classified by source module and then filtered.
1-4 Module name Description NTP Network time protocol module PKI Public key infrastructure module RDS Radius module RMON Remote monitor module RSA Rivest, Shamir and Adleman encryption module SHELL.
1-5 Priority The priority is calculated using the following formula: facility*8+severity-1, in which • facility (the device name) defaults to local7 with the value being 23 (the value of local6 is 22, that of local5 is 21, and so on). • severity (the information level) ranges from 1 to 8.
1-6 You can use the sysname command to modify the system name. Refer to the System Maintenance and Debugging part of this manual for details.) Note that there is a space between the sysname and module fields. Module The module field represents the name of the module that generates system information.
1-7 Task Remarks Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system inform.
1-8 To do… Use the command… Remarks Log host direction info-center timestamp loghost date Set the time stamp format in the output direction of the information center to date Non log host direction.
1-9 Table 1-4 Default output rules for different output directions LOG TRAP DEBUG Output direction Modules allowed Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity.
1-10 Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface.
1-11 Follow these steps to enable the display of system information on a monitor terminal: To do… Use the command… Remarks Enable the debugging/log/trap information terminal display function te.
1-12 To do… Use the command… Remarks Set the format of the time stamp to be sent to the log host info-center timestamp loghost { date | no-year-date | none } Optional By default, the time stamp format of the information output to the log host is date.
1-13 To do… Use the command… Remarks Enable information output to the log buffer info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]* Optional By default, the device uses information channel 4 to output log information to the log buffer, which can hold up to 512 items by default.
1-14 Displaying and Maintaining Information Center To do… Use the command… Remarks Display information on an information channel display channel [ channel-number | channel-name ] Display the o.
1-15 # Configure the host whose IP address is 202.38.1.10 as the log host. Permit ARP and IP modules to output information with severity level higher than informational to the log host.
1-16 Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.
1-17 Note the following items when you edit file “/etc/syslog.conf”. • A note must start in a new line, starting with a “#” sign. • In each pair, a tab should be used as a separator instead of a space. • No space is permitted at the end of the file name.
1-18 [Switch] info-center enable # Disable the function of outputting information to the console channels. [Switch] undo info-center source default channel console # Enable log information output to the console. Permit ARP and IP modules to output log information with severity level higher than informational to the console.
1-1 1 Host Configuration File Loading • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Connected to OAP! <device_LSW> ftp 192.168.0.100 Trying ... Press CTRL+K to abort Connected. 220 3Com 3CDaemon FTP Server Version 2.0 User(none):admin 331 User name ok, need password Password: 230 User logged in [ftp]get config.cfg config.cfg 227 Entering passive mode (192,168,0,100,5,95) 125 Using existing data connection .
1-3 Figure 1-2 Remote loading using FTP server [diagram residue: Switch, PC, Internet, FTP server; addresses 10.1.1.1 and 192.168.0.51] Step 1: As shown in Figure 1-2, connect Switch through an Ethernet port to the PC (whose IP address is 10.
1-4 Step 6: Enter ftp 192.168.0.51 and enter the user name test, password pass to log on to the FTP server. C:\Documents and Settings\Administrator>d: D:\>cd update D:\Update>ftp 192.168.0.51 Connected to 192.168.0.51. 220 FTP service ready.
1-5 • The steps listed above are performed in the Windows operating system; if you use other FTP client software, refer to the corresponding user guide before operation.
2-1 2 Basic System Configuration and Debugging Basic System Configuration Follow these steps to perform basic system configuration: To do… Use the command… Remarks Set the current date and time of the system clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } Required Execute this command in user view.
2-2 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Display the version of the system display version Display the i.
2-3 You can use the following commands to enable the two settings. Follow these steps to enable debugging and terminal display for a specific module: To do… Use the command… Remarks Enable system debugging for a specific module debugging module-name [ debugging-option ] Required Disabled for all modules by default.
3-1 3 Network Connectivity Test Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host.
4-1 4 Device Management Introduction to Device Management Device Management includes the following: • Reboot the device • Configure real-time monitoring of the running status of the system • Specify.
4-2 Scheduling a Reboot on the Device After you schedule a reboot on the device, the device will reboot at the specified time. Follow these steps to schedule a reboot on the device: To do… Use t.
4-3 Follow the step below to specify the main configuration file to be used at reboot: To do… Use the command… Remarks Specify the main configuration file to be used at next reboot startup saved.
4-4 Follow these steps to identify pluggable transceivers: To do… Use the command… Remarks Display main parameters of the pluggable transceiver(s) display transceiver interface [ interface-type.
1-1 1 VLAN-VPN Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Figure 1-2 Structure of packets with double-layer VLAN tags [diagram residue: Destination MAC address, Source MAC address, Outer VLAN Tag, Inner VLAN Tag, Data] Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: • It provides Layer 2 VPN tunnels that are simpler.
1-3 As the position of the TPID field in an Ethernet packet is the same as that of the upper-layer protocol type field in a packet without a VLAN Tag, to avoid confusion in the process of receiving/forwarding a packet, the TPID value cannot be any of the protocol type values listed in Table 1-1.
1-4 TPID Adjusting Configuration Configuration Prerequisites • To change the global TPID value 0x8100, you need to specify a port on the device as a VLAN VPN uplink port.
1-5 VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements • As shown in Figure 1-4, both Switch A and Switch B are WX3000 series devices. They connect the users to the servers through the public network.
1-6 # Set the global TPID value of Switch A to 0x9200 and configure GigabitEthernet 1/0/12 as a VLAN VPN uplink port, so that Switch A can intercommunicate with devices in the public network.
1-7 1) As GigabitEthernet 1/0/11 of Switch A is a VLAN-VPN port, when a packet from the customer’s network side reaches this port, it is tagged with the default VLAN tag of the port (VLAN 1040).
2-1 2 Selective QinQ Configuration Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to the packets with different inner VLAN tags.
2-2 In this way, you can configure different forwarding policies for data of different types of users, thus improving the flexibility of network management. On the other hand, network resources are well utilized, and users of the same type are also isolated by their inner VLAN tags.
2-3 It is recommended that you do not configure both DHCP snooping and selective QinQ on the device, because doing so may cause DHCP snooping to function abnormally.
2-4 Figure 2-2 Network diagram for selective QinQ configuration [diagram residue: Public Network VLAN 1000 / VLAN 1200; PC User VLAN 100~108; IP Phone User VLAN 200~230; GE1/0/3, GE1/0/5]
2-5 [SwitchA-GigabitEthernet1/0/3] vlan-vpn enable # Enable the selective QinQ feature on GigabitEthernet 1/0/3 to tag packets of VLAN 100 through VLAN 108 with the tag of VLAN 1000 as the outer VLAN tag, and tag packets of VLAN 200 through VLAN 230 with the tag of VLAN 1200 as the outer VLAN tag.
2-6 To make the packets from the servers be transmitted to the clients in the same way, you need to configure the selective QinQ feature on GigabitEthernet 1/0/12 and GigabitEthernet 1/0/13. The configuration on Switch B is similar to that on Switch A and is thus omitted.
1-1 1 HWPing Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. • The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 Figure 1-1 HWPing illustration [diagram residue: Switch A (HWPing client), IP network, Switch B (HWPing server)] Test Types Supported by HWPing Table 1-1 Test types supported by HWPing Supported test types Des.
1-3 Test parameter Description Source interface ( source-interface ) • For DHCP test, you must specify a source interface, which will be used by HWPing client to send DHCP requests. If no source interface is specified for a DHCP test, the test will not succeed.
1-4 Test parameter Description File name for FTP operation ( filename ) Name of a file to be transferred between HWPing client and FTP server Number of jitter test packets to be sent per probe ( jitt.
1-5 HWPing server configuration The following table describes the configuration on HWPing server, which is the same for HWPing test types that need to configure HWPing server.
1-6 To do… Use the command… Remarks Configure the number of probes per test count times Optional By default, each test makes one probe. Configure the packet size datasize size Optional By default, the packet size is 56 bytes.
1-7 To do… Use the command… Remarks Configure the source interface source-interface interface-type interface-number Required You can only configure a VLAN interface as the source interface. By default, no source interface is configured. Configure the test type test-type dhcp Required By default, the test type is ICMP.
1-8 To do… Use the command… Remarks Configure the number of probes per test count times Optional By default, each test makes one probe. Configure the maximum number of history records that can be saved history-records number Optional By default, the maximum number is 50.
1-9 To do… Use the command… Remarks Configure the destination IP address destination-ip ip-address Required You can configure an IP address or a host name.
1-10 5) Configuring jitter test on HWPing client Follow these steps to configure jitter test on HWPing client: To do… Use the command… Remarks Enter system view system-view — Enable the HWPing client function hwping-agent enable Required By default, the HWPing client function is disabled.
1-11 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds. Configure the type of service tos value Optional By default, the service type is zero.
1-12 To do… Use the command… Remarks Configure the maximum number of history records that can be saved history-records number Optional By default, the maximum number is 50. Configure the automatic test interval frequency interval Optional By default, the automatic test interval is zero seconds, indicating no automatic test will be made.
1-13 To do… Use the command… Remarks Configure the destination port destination-port port-number Required in a Tcpprivate test A Tcppublic test is a TCP connection test on port 7. Use the hwping-server tcpconnect ip-address 7 command on the server to configure the listening service port; otherwise the test will fail.
1-14 To do… Use the command… Remarks Enter system view system-view — Enable the HWPing client function hwping-agent enable Required By default, the HWPing client function is disabled. Create a HWPing test group and enter its view hwping administrator-name operation-tag Required By default, no test group is configured.
1-15 To do… Use the command… Remarks Configure the automatic test interval frequency interval Optional By default, the automatic test interval is zero seconds, indicating no automatic test will be made. Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds.
1-16 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds. Configure the type of service tos value Optional By default, the service type is zero.
1-17 Displaying and Maintaining HWPing To do… Use the command… Remarks Display test history display hwping history [ administrator-name operation-tag ] Display the results of the latest test dis.
1-18 # Display test results. [device-hwping-administrator-icmp] display hwping results administrator icmp HWPing entry(admin administrator, tag icmp) test result: Destination ip address:10.
1-19 # Create a HWPing test group, setting the administrator name to "administrator" and test tag to "DHCP". [device] Hwping administrator dhcp # Configure the test type as dhcp. [device-hwping-administrator-dhcp] test-type dhcp # Configure the source interface, which must be a VLAN interface.
1-20 FTP Test Network requirements As shown in Figure 1-4, both the HWPing client and the FTP server are WX3000 series devices. Perform a HWPing FTP test between the two devices to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established.
1-21 [device-hwping-administrator-ftp] count 10 # Set the probe timeout time to 30 seconds. [device-hwping-administrator-ftp] timeout 30 # Configure the source IP address [device-hwping-administrator-ftp] source-ip 10.
1-22 HTTP Test Network requirements As shown in Figure 1-5, Switch serves as the HWPing client, and a PC serves as the HTTP server. Perform a HWPing HTTP test between Switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established.
1-23 SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequ.
1-24 Network diagram Figure 1-6 Network diagram for the Jitter test [diagram residue: Switch A (HWPing client) 10.1.1.1/8, IP network, Switch B (HWPing server) 10.2.2.2/8] Configuration procedure • Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on.
1-25 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 .
1-26 Network diagram Figure 1-7 Network diagram for the SNMP test [diagram residue: Switch A (HWPing client) 10.1.1.1/8, IP network, Switch B (SNMP agent) 10.2.2.2/8] Configuration procedure • Configure SN.
1-27 [device-hwping-administrator-snmp] test-enable # Display test results [device-hwping-administrator-snmp] display hwping results administrator snmp HWPing entry(admin administrator, tag snmp) test result: Destination ip address:10.
1-28 Configuration procedure • Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on. <device> system-view [device] hwping-server enable [device] hwping-server tcpconnect 10.2.2.2 8000 • Configure HWPing Client (Switch A): # Enable the HWPing client.
1-29 Index Response Status LastRC Time 1 4 1 0 2000-04-02 08:26:02.9 2 5 1 0 2000-04-02 08:26:02.8 3 4 1 0 2000-04-02 08:26:02.8 4 5 1 0 2000-04-02 08:26:02.7 5 4 1 0 2000-04-02 08:26:02.7 6 5 1 0 2000-04-02 08:26:02.6 7 6 1 0 2000-04-02 08:26:02.6 8 7 1 0 2000-04-02 08:26:02.
1-30 [device-hwping-administrator-udpprivate] destination-ip 10.2.2.2 # Configure the destination port on the HWPing server. [device-hwping-administrator-udpprivate] destination-port 8000 # Configure to make 10 probes per test. [device-hwping-administrator-udpprivate] count 10 # Set the probe timeout time to 5 seconds.
1-31 Network diagram Figure 1-10 Network diagram for the DNS test [diagram residue: Switch (HWPing client) 10.1.1.1/8, IP network, DNS server 10.2.2.2/8] Configuration procedure • Configure DNS Server: Use Windows 2003 Server as the DNS server. For DNS server configuration, refer to the related instruction on Windows 2003 Server configuration.
1-32 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Dns result: DNS Resolve Current Time: 10 DNS Resolve Min .
1-1 1 DNS Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1-2 Figure 1-1 Dynamic domain name resolution [diagram residue: user program, DNS client (resolver and cache), DNS server; request/response, save/read] Figure 1-1 shows the relationship between user program, DNS client, and DNS server. The resolver and cache comprise the DNS client.
1-3 To do… Use the command… Remarks Enter system view system-view — Configure a mapping between a host name and an IP address ip host hostname ip-address Required No IP address is assigned to a host name by default. The IP address you assign to a host name last time will overwrite the previous one if there is any.
1-4 Figure 1-2 Network diagram for static DNS configuration [diagram residue: Host and Switch; 10.1.1.1/24, 10.1.1.2/24, host.com] Configuration procedure # Configure a mapping between host name host.com and IP address 10.1.1.2. <device> system-view [device] ip host host.
1-5 Configuration procedure Before doing the following configuration, make sure that: • The routes between the DNS server, Switch, and Host are reachable. • Necessary configurations are done on the devices. For the IP addresses of the interfaces, see the figure above.
1-6 Displaying and Maintaining DNS To do… Use the command… Remarks Display static DNS database display ip host Display the DNS server information display dns server [ dynamic ] Display the DNS.
1-1 1 Smart Link Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024.
1-2 Master port The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure GigabitEthernet 1/0/1 of switch A in Figure 1-1 as the master port through the command line.
1-3 Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operating mechanism [diagram residue: Switch A through Switch E, GE1/0/1 and GE1/0/2 links, one link marked BLOCK]
1-4 Task Remarks Create a Smart Link group Add member ports to the Smart Link group Configuring a Smart Link Device Enable the function of sending flush messages in the specified control VLAN Required.
1-5 To do… Use the command… Remarks Enable the function of sending flush messages in the spe cified control VLAN flush enable control-vl an vlan-id Optional By default, no control VLAN for sending flush messages i s specified.
1-6 z When you copy a port, the Smart Link/Monitor Li nk group member informatio n configured on the port will not be copied to other ports. z If a single port is specifie d as a member of a Sm art Li.
1-7 Figure 1-3 Network diagram for Smart Link configuration Sw itch A G E 1 / 0 /1 G E 1 /0 /2 Swit ch C Ser ve r GE1/ 0/ 1 GE1/ 0/ 2 GE 1/ 0/ 2 PC Sw i t ch D Swi tch E GE 1/0 / 3 GE 1/ 0/ 2 GE 1/0 / 1 Configuration procedure 1) Configure a Smart Link group on Switch A and conf igure member ports for it.
1-8 # Enable the function of processing flu sh messages received from VLAN 1 on GigabitEthernet 1/0/2. <SwitchC> smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2 3) Enable the function of processing flush me ssages received from VLAN 1 on Swi tch D.
2-1 2 Monitor Link Configuration Introduction to Monitor Link Monitor Link is a collaborat ion scheme introduced to compleme nt for Smart Link. It is used to monitor uplink and to perfect the backup fun ction of Smart Link. A monitor Li nk consist s of an uplink port and on e or multiple downlink port s.
2-2 How Monitor Link Works Figure 2-2 Network diagram for a Monitor Link group implem ent ation BLOC K Switch A Switch B GE 1/ 0 / 1 GE1 / 0/ 2 Switc h C Switc h D Switch E GE1 /0/1 GE1 /0/2 GE 1/ 0 /.
2-3 Configuring Monitor Link Before configuring a Monitor Link grou p, you mu st create a Monitor Link group and configure member ports for it. A Monitor Link gro up consists of an uplin k port and one or multipl e downlink port s.
2-4 To do… Use the command… Remarks Configure the specified link aggregation group as the uplink port of the Monitor Link group link-aggregation group group-id uplink Configure the specified Smart.
2-5 z A Smart Link/Monitor Link group with members cannot be deleted. A Smart Link group as a Monitor Link group member ca nnot be deleted. z The Smart Link/Monitor Link fun ction and the remote port mirrori ng function are incompatible with each other.
2-6 Figure 2-3 Network diagram for Monitor Link configuration BLOC K Swi tc h A Swi tc h B GE1 / 0/1 GE 1 / 0 / 2 Sw i tch C Switch D Sw itch E GE1 / 0 / 1 GE1 / 0 / 2 GE1 / 0/3 Se r ver GE 1/ 0/ 2 GE.
2-7 2) Enable Monitor Link on Switch C and Switch D and enable the function of proces sing flush messages received from VLAN 1. Perform the fo llowing configu ration on Switch C. The operation procedure on Switch D is the same a s that performe d on Switch C.
i Table of Contents 1 PoE Configuration ···.
1-1 1 PoE Configuration When configuring PoE, go to these sections for information you are interested in: • PoE Overview • PoE Configuration • PoE Configuration Example The terms switching engine a.
1-2 PoE Features Supported by the Device Table 1-1 Power supply parameters of PoE device Device Input power supply Number of electrical ports supplying power Maximum PoE distance Maximum power provided by each electrical port Total Maximum PoE output power DC input 600 W WX3024 AC input 24 100 m (328.
1-3 Task Remarks Enabling the PoE Feature on a Port Required Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on.
1-4 Setting PoE Management Mode and PoE Priority of a Port When the device is close to its full load in supplying power, you can adjust the power supply of the device through the cooperation of the PoE management mode and the port PoE priority settings.
1-5 To do… Use the command… Remarks Set the PoE mode on the port to signal poe mode signal Optional signal by default. Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the device can detect the PDs that do not conform to the 802.
1-6 • In the case that the PSE processing software is damaged (that is, no PoE command can be executed successfully), use the full update mode to upgrade and thus restore the software.
1-7 Figure 1-1 Network diagram for PoE (figure: Switch A connected to Network and, through ports GE1/0/1, GE1/0/2 and GE1/0/8, to Switch B and two APs) Configuration procedure # Upgrade the PSE processing software online.
2-1 2 PoE Profile Configuration Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators monitor the PoE features of the device, the device provides the PoE profile feature. A PoE profile is a set of PoE configurations, including multiple PoE features.
2-2 To do… Use the command… Remarks In system view apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] Enter Ethernet port view interf.
2-3 PoE Profile Configuration Example PoE Profile Application Example Network requirements As shown in Figure 2-1, Switch A supports PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: • The PoE function can be enabled on all ports in use.
2-4 [SwitchA-poe-profile-Profile1] poe enable [SwitchA-poe-profile-Profile1] poe mode signal [SwitchA-poe-profile-Profile1] poe priority critical [SwitchA-poe-profile-Profile1] poe max-power 3000 [SwitchA-poe-profile-Profile1] quit # Display detailed configuration information for Profile1.
i Table of Contents 1 IP Routing Protocol Overview ···.
ii Filters ···.
1-1 1 IP Routing Protocol Overview Go to these sections for information you are interested in: • Introduction to IP Route and Routing Table • Routing Protocol Overview • Displaying and Maintaining a Routing Table The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol.
1-2 host or router resides. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the destination host or router resides is 129.
1-3 Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies.
1-4 each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred.
1-5 routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
2-1 2 Static Route Configuration When configuring a static route, go to these sections for information you are interested in: • Introduction to Static Route • Static Route Configuration • Displaying .
2-2 Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table: • If there is a default route in the routing table, the default route will be selected to forward the packet.
2-3 Displaying and Maintaining Static Routes To do... Use the command... Remarks Display the current configuration information display current-configuration Display the brief information of a routing .
2-4 Configuration procedure When only one interface of the device is interconnected with another network segment, you can implement network communication by configuring either a static route or a default route. 1) Perform the following configurations on the device.
3-1 3 RIP Configuration When configuring RIP, go to these sections for information you are interested in: • RIP Overview • RIP Configuration Task List • RIP Configuration Example • Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or a WX3000 series device running a routing protocol.
3-2 • Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. • Metric: Cost from the local router to the destination. • Route time: Time elapsed since the routing entry was last updated.
3-3 RIP Configuration Task List Complete the following tasks to configure RIP: Task Remarks Enabling RIP on the interfaces attached to a specified network segment Required Setting the RIP operating .
3-4 • Related RIP commands configured in interface view can take effect only after RIP is enabled. • RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
3-5 • Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. • Redistribute external routes in an environment with multiple routing protocols.
3-6 Follow these steps to configure RIP route summarization: To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Enable RIP-2 automatic route summarizatio.
3-7 • The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors.
3-8 Configuration Prerequisites Before adjusting RIP, perform the following tasks: • Configuring the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer • Configuring basic RIP functions Configuration Tasks Configuring RIP timers Follow these steps to configure RIP timers: To do.
3-9 To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Enable the check of the must be zero field in RIP-1 packets checkzero Required Enabled by default Some fields in a RIP-1 packet must be 0, and they are known as must be zero fields.
3-10 To do... Use the command... Remarks Configure RIP to unicast RIP packets peer ip-address Required When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to unicast RIP packets. Displaying and Maintaining RIP Configuration To do.
3-11 Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly. 1) Configure Switch A: # Configure RIP.
4-1 4 IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: • IP Route Policy Overview • IP Route Policy Configuration Task.
4-2 For ACL configuration, refer to the part discussing ACL. Route policy A route policy matches given routing information against a set of conditions on its attributes and, if the conditions are satisfied, sets the attributes of that routing information. A route policy can comprise multiple nodes.
4-3 • Match conditions • Route attributes to be changed Defining a Route Policy Follow these steps to define a route policy: To do... Use the command.
4-4 To do... Use the command... Remarks Define a rule to match the next-hop address of routing information if-match ip next-hop acl acl-number Optional By default, no matching is performed on the next-hop address of routing information.
4-5 Figure 4-1 Network diagram Device Interface IP address Switch A Vlan-int 2 2.2.2.1/8 Vlan-int 3 3.3.3.254/8 Vlan-int 10 1.1.1.254/8 Switch B Vlan-int 3 3.3.3.253/8 Vlan-int 6 6.6.6.5/8 Vlan-int 10 1.1.1.253/8 Switch C Vlan-int 1 192.168.0.39/24 Vlan-int 2 2.
4-6 [SwitchA-rip] network 2.0.0.0 [SwitchA-rip] network 3.0.0.0 2) Configure Switch B. # Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted. # Configure RIP. <SwitchB> system-view [SwitchB] rip [SwitchB-rip] network 1.
4-7 # Create node 40 with the matching mode permit in the route policy. Define if-match clauses. Apply the cost 5 to routes matching the outgoing interface VLAN-interface 6 and ACL 2001.
4-8 Precautions 1) When you configure the apply cost command in a route policy: • The new cost should be greater than the original one to prevent RIP from generating a routing loop in the case that a loop exists in the topology. • The cost will become 16 if you try to set it to a value greater than 16.
i Table of Contents 1 UDP Helper Configuration ···.
1-1 1 UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: • Introduction to UDP Helper • Configuring UDP Helper • Displaying and Maintai.
1-2 Protocol UDP port number Time Service 37 Configuring UDP Helper Follow these steps to configure UDP Helper: To do… Use the command… Remarks Enter system view system-view — Enable UDP Helper udp-helper enable Required Disabled by default.
1-3 Displaying and Maintaining UDP Helper To do… Use the command… Remarks Display the UDP broadcast relay forwarding information of a specified VLAN interface on the device display udp-helper se.
i Table of Contents Appendix A Acronyms ···.
A-1 Appendix A Acronyms A AAA Authentication, Authorization and Accounting ABR Area Border Router ACL Access Control List ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Bo.
A-2 L LSA Link State Advertisement LSDB Link State DataBase M MAC Medium Access Control MIB Management Information Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network .