HP 1920-24G-PoE+ User's Manual
Contents
1. (Figure residue: DHCP relay agent message exchange: DHCP DISCOVER (unicast), DHCP OFFER (unicast), DHCP REQUEST (unicast), DHCP ACK (unicast).)
Recommended configuration procedure:
Task: Enabling DHCP and configuring advanced parameters for the DHCP relay agent. Remarks: Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled.
Task: Creating a DHCP server group. Remarks: Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives requesting messages from clients, the relay agent forwards them to all the DHCP servers of the group.
Task: Enabling the DHCP relay agent on an interface. Remarks: Required. Enable the DHCP relay agent on an interface and correlate the interface with a DHCP server group. IMPORTANT: The DHCP relay agent works only on interfaces with manually configured IP addresses.
Task: Configuring and displaying clients' IP-to-MAC bindings. Remarks: Optional. Create a static IP-to-MAC binding and view static and dynamic bindings. The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindings on the DHCP relay agent so that users can access the external network using fixed IP addresses. By default, no static binding is created.
Enabli
2. (Table residue: ID / Description: 1, VLAN 0004.) Modify VLAN description. Note: you can do this later on the Modify VLAN page. Modify the description of the selected VLAN (ID, Description, Chars).
Configure GigabitEthernet 1/0/1 as a hybrid port:
a. Select Device > Port Management from the navigation tree.
b. Click the Setup tab.
c. Select Hybrid from the Link Type list.
d. Select GigabitEthernet 1/0/1 from the chassis front panel.
e. Click Apply.
Figure 155 Configuring GigabitEthernet 1/0/1 as a hybrid port. (Figure residue: Basic Configuration: Port State, Speed, Duplex, Link Type Hybrid, PVID 1-4094, Description 1-80 chars. Advanced Configuration: Flow Control, MDI, Max MAC Count 0-8192, Power Save. Storm Suppression: Broadcast, Multicast, Unicast Suppression; pps range 1-148810 for a 100 Mbps port, 1-260000 for a GE port, and 1-260000 for a 10GE port; kbps range 1-100000 for a 100 Mbps port, 1-180000 for a GE port, and 1-180000 for a 10GE port. It may take some time if you apply the above settings to multiple ports.)
3. Configure the voice VLAN function globally:
a. Select Network > Voice VLAN from the navigation tree.
b. Click the Setup tab.
c. Select Enable in the Voice VLAN security lis
3. Timer: Dynamic member port aging timer. Description: When a port dynamically joins an IPv6 multicast group, the switch starts or resets an aging timer for the port. When the timer expires, the dynamic member port ages out. Message received before the timer expires: MLD membership report. Action after the timer expires: The switch removes this port from the MLD snooping forwarding table.
NOTE: In MLD snooping, only dynamic ports age out.
How MLD snooping works. The ports in this section are dynamic ports. MLD messages include general query, MLD report, and done message. An MLD snooping enabled switch performs differently depending on the MLD message.
General query: The MLD querier periodically sends MLD general queries to all hosts and routers on the local subnet to check whether any active IPv6 multicast group members exist on the subnet. The destination IPv6 address of MLD general queries is FF02::1. After receiving an MLD general query, the switch forwards the query to all ports in the VLAN except the receiving port. The switch also performs one of the following actions: If the receiving port is a dynamic router port in the router port list, the switch restarts the aging timer for the router port. If the receiving port is not in the router port list, the switch adds the port as a dynamic router port to the router port list and starts an aging timer for the port.
MLD report: A host sends an MLD report t
4. (Figure residue: link aggregation interface creation page: Dynamic (LACP Enabled); Select port(s) for the link aggregation interface; Select All, Select None; Selected Ports, Unselected Ports; Members of the link aggregation interface to be created; Members of existing link aggregation interfaces; Summary: Aggregation Interface ID 1, Member Ports, Aggregation Interface Type Static; Apply, Cancel.)
3. Configure a link aggregation group as described in Table 64.
4. Click Apply.
Table 64 Configuration items
Item: Enter Link Aggregation Interface ID. Description: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page.
Item: Specify Interface Type. Description: Set the type of the link aggregation interface to be created: Static (LACP is disabled) or Dynamic (LACP is enabled).
Item: Select port(s) for the link aggregation interface. Description: Select one or multiple ports to be assigned to the link aggregation group from the chassis front panel. You can view the result in the Summary area at the bottom of the page.
Displaying aggregate interface information
1. From the navigation tree, select Network > Link Aggregation. The default Summary tab appears. The list on the upper part of the page displays information about all the aggregate interfaces.
2. Choose an aggregate interface from the list. The list on the lower part of the pa
5. 3. The CA verifies the digital signature, approves the application, and issues a certificate.
4. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
5. The entity retrieves the certificate. With the certificate, the entity can communicate with other entities safely through encryption and digital signature.
6. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the request, updates the CRLs, and publishes the CRLs on the LDAP server.
PKI applications. The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples:
VPN: A VPN is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for example, IPSec) in conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.
Secure email: Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is developing rapidly is S/MIME, which is based on PKI and allows for transfer of encrypted mails with signature.
Web security: For Web security, two peers can establish an SSL connection first for transparent an
6. Configuring AAA. Overview. AAA (Authentication, Authorization, and Accounting) provides a uniform framework for implementing network access management. It provides the following security functions:
Authentication: Identifies users and determines whether a user is valid.
Authorization: Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Accounting: Records all network service usage information, including service type, start time, and traffic. The accounting function provides information required for charging and allows for network security surveillance application.
AAA typically uses a client/server model, as shown in Figure 334. The client runs on the network access server (NAS), which is also called the access device. The server maintains user information centrally. In an AAA network, the NAS is a server for users but a client for AAA servers.
Figure 334 AAA application scenario (figure residue: Internet, Network, RADIUS server 1, RADIUS server 2).
The NAS uses the authentication server to authenticate any user who tries to log in, use network resources, or access other networks. The NAS transparently transmits authentication, authorization, and accounting information between the user and the servers. The RADIUS protocol defines how a NAS and a remote server exchange user
7. Specifies the variables (for example, interface status and CPU usage) maintained by the SNMP agent for the SNMP manager to read and set.
Figure 99 Relationship between an NMS, agent, and MIB (figure residue: NMS sends Get/Set requests to the Agent; the Agent returns Get/Set responses and Traps; the Agent reads and writes the MIB).
A MIB stores variables called nodes or objects in a tree hierarchy and identifies each node with a unique OID. An OID is a string of numbers that describes the path from the root node to a leaf node. For example, the object B in Figure 100 is uniquely identified by the OID 1.2.1.1.
Figure 100 MIB tree (figure residue: Root).
SNMP provides the following basic operations:
Get: The NMS retrieves SNMP object nodes in an agent MIB.
Set: The NMS modifies the value of an object node in an agent MIB.
Notifications: Includes traps and informs. The SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not. The device supports only traps.
SNMP protocol versions. HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
SNMPv1: Uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as set on the SNMP agent. If the community name used by the NMS is different from the community name set on the agent, the NMS cannot establish an
8. Step / Description:
2. Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the other ports: The root bridge ID is replaced with that of the configuration BPDU of the root port. The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost of the root port. The designated bridge ID is replaced with the ID of this device. The designated port ID is replaced with the ID of this port.
3. The device compares the calculated configuration BPDU with the configuration BPDU on the port whose port role will be determined, and acts depending on the result of the comparison: If the calculated configuration BPDU is superior, the device considers this port as the designated port, replaces the configuration BPDU on the port with the calculated configuration BPDU, and periodically sends the calculated configuration BPDU. If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU. The blocked port can receive BPDUs, but it cannot send BPDUs or forward any data.
When the network topology is stable, only the root port and designated ports forward user traffic. Other ports are all in the blocked state to receive BPDUs but not to forward BPDUs or user traffic.
Table 54 Selecting the optimum configuration BPDU. Step / Actions: Upon receiving a configuration
9. (Index) NMM RMON configuration, 93; QoS policy configuration, 466; QoS priority map table, 475; QoS token bucket, 473; QoS traffic class configuration, 479; QoS traffic classification, 468; QoS traffic evaluation, 473; QoS traffic mirroring configuration, 481; QoS traffic redirecting configuration, 481; transmitting LLDP frames, 221; trap: port security feature, 421; type: IP subnet VLAN, 134; MAC address VLAN, 134; policy VLAN, 134; port type VLAN, 154; protocol VLAN, 134.
U. UDP: AAA RADIUS packet format, 365; RADIUS configuration, 363, 374. unicast: IP routing configuration (IPv4), 278; IP routing configuration (IPv6), 278; MAC address table configuration, 173, 174, 175; MAC address table multiport unicast entry, 174; security 802.1X unicast trigger mode, 324. upgrading device software, 52. uploading Web device file, 68. user: security ARP user validity check, 250. user account: security MAC authentication user account policies, 404. user level: Web user level, 8. user management: AAA management by ISP domains, 353.
V. validity check: security ARP packet, 250; security ARP user, 250. VCT configuration, 91. viewing: device diagnostic information, 54; device electronic label, 54. Virtual Cable Test: Use VCT. Virtual Local Area Network: Use VLAN. VLAN: assignment 802.1X, 329; assignment MAC authentication, 405; Auth-Fail 802.1X, 330; configuration, 133, 145; configuration guidelines, 149; configuring, 133, 145; configuring 802.1X Auth-Fa
10. A wildcard mask, also called an inverse mask, is a 32-bit binary value represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, while the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
Rule numbering. ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.
Rule numbering step. If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.
Automatic rule numbering and renumbering. The ID automatically assigned to an ACL rule takes
11. Enter the IP address 192.168.1.2 and enter the port number 1812. Enter name in both the Key field and the Confirm Key field.
c. Click Apply.
Figure 425 Configuring the RADIUS authentication server (figure residue: Add RADIUS Server: Server Type Primary Authentication; IP Address IPv4/IPv6 192.168.1.2; Port 1-65535, default 1812; Key 1-64 chars; Confirm Key 1-64 chars; Apply, Cancel).
Configure the primary accounting server in the RADIUS scheme:
a. In the RADIUS Server Configuration area, click Add.
b. Configure the primary accounting server: Select the server type Primary Accounting. Enter the IP address 192.168.1.2 and enter the port number 1813. Enter money in both the Key field and the Confirm Key field.
Figure 426 Configuring the RADIUS accounting server (figure residue: Add RADIUS Server: Server Type Primary Accounting; IP Address IPv4/IPv6 192.168.1.2; Port 1-65535, default 1813; Key 1-64 chars; Confirm Key 1-64 chars; Apply, Cancel).
c. Click Apply.
The RADIUS Server Configuration area displays the servers you have configured, as shown in Figure 427.
Figure 427 Configuring the RADIUS scheme (figure residue: Add RADIUS Scheme: Scheme Name system, 1-32 chars; Common Configuration: Server Type Extended, Username Format Without domain name, Advanced; RADIUS Server Configuration: Server Type, IP Address, Port, Operation; Primary Authentication
12. (Table of contents fragment; titles lost to extraction are shown as "...") ... 111; ... 111; ... 112; Recommended configuration procedure 112; Enabling SNMP agent 113; Configuring ... 115; ... 115; Adding rules to ... 116; Configuring an SNMP community 117; Configuring an SNMP ... 118; Configuring ... 120; Configuring SNMP trap ... 121; Displaying SNMP packet ... 123; SNMPv1/v2c configuration example 124; SNMPv3 configuration example 127; Displaying interface statistics 132; Configuring VLANs 133; ... 133; ... 133; VLAN types 134; ... 135; Recommended VLAN configuration procedures 137; Recommended configuration procedure for assigning an access port to a VLAN
13. (Figure residue: ACL rule page: Check Fragment, Check Logging, Source IP Address 10.1.1, Source Wildcard 0.0.0.0, Time Range, Add; Rule ID, Operation, Description, Time Range.)
3. Configure authorized IP:
b. From the navigation tree, select Security > Authorized IP. Click Setup. The authorized IP configuration page appears. Select 2001 for IPv4 ACL in the Telnet field and select 2001 for IPv4 ACL in the Web (HTTP) field. Click Apply.
Figure 443 Configuring authorized IP (figure residue: Telnet: IPv4 ACL 2001, IPv6 ACL No Change; Web (HTTP): IPv4 ACL 2001; Apply; Rule ID, Operation, Description, Time Range).
Configuring loopback detection. A loop occurs when a port receives a packet sent by itself. Loops might cause broadcast storms. The purpose of loopback detection is to detect loops on ports. With loopback detection enabled on an Ethernet port, the device periodically checks for loops on the port. If the device detects a loop on the port, it operates on the port according to the preconfigured loopback detection actions. When the device detects a loop on an access port, it disables the port from forwarding data packets, sends a trap message to the terminal, and deletes the corresponding MAC address forwarding entry. When the device detects a loop on a trunk port or a hybrid port, it sends a trap message to the terminal. If loopback detection control is also enabled on the port, the device disables the port from forwarding
14. (Figure residue: Mirroring Group ID: Select Group ID; Port Type: Monitor Port; Stream Orientation: both; Select port(s); Available for Selection, Selected Port(s). Note: 1. Selected Port(s): configured member port(s). 2. Not Available for Selection: all the member ports of mirroring groups on the device except Selected Port(s).)
3. Configure ports for the mirroring group as described in Table 17.
4. Click Apply. A progress dialog box appears.
5. After the success notification appears, click Close.
Table 17 Configuration items
Item: Mirroring Group ID. Description: ID of the mirroring group to be configured. The available groups were added previously. Select a local mirroring group ID to configure ports for the local mirroring group.
Item: Port Type. Description: Configure ports for a local mirroring group. Monitor Port: Configures the monitor ports for the local mirroring group. Mirror Port: Configures mirroring ports for the local mirroring group.
Item: Stream Orientation. Description: Set the direction of the traffic monitored by the monitor port of the mirroring group. both: Mirrors both received and sent packets on mirroring ports. inbound: Mirrors only packets received by mirroring ports. outbound: Mirrors only packets sent by mirroring ports.
Item: Select port(s). Description: Click the ports to be configured on the chassis front panel. If aggregate interfaces are configured on the device, the page displays a list of agg
15. Slave. Configuration guidelines. When you configure a stack, follow these guidelines: If a device is already configured as the master device of a stack, you cannot modify the private IP address pool on the device. If a device is already configured as a member device of a stack, the Global Settings area on the member device is not available.
Displaying system and device information. Displaying system information. Select Summary from the navigation tree to enter the System Information page to view the basic system information, system resource state, and recent system logs.
Figure 36 System information (figure residue: Device Information: Product Information HP 1920-24G Switch JG924A, Device Location, Contact Information, SerialNum, Software Version 5.20.99 Alpha 1101, Hardware Version REV A, Bootrom Version 109, Running Time 0 days 4 hours 1 minute; System Resource State: CPU Usage 2%, Temperature; Recent System Logs: Time, Level, Description, More Logs On Device; Refresh Period Manual, Refresh.)
16. The following table shows how ports of different link types handle frames.
In the inbound direction for an untagged frame: Access: Tags the frame with the PVID tag. Trunk and Hybrid: Checks whether the PVID is permitted on the port. If yes, tags the frame with the PVID tag. If not, drops the frame.
In the inbound direction for a tagged frame: Access: Receives the frame if its VLAN ID is the same as the PVID. Drops the frame if its VLAN ID is different from the PVID. Trunk and Hybrid: Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN is not permitted on the port.
In the outbound direction: Access: Removes the VLAN tag and sends the frame. Trunk: Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID. Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID. Hybrid: Sends the frame if its VLAN is permitted on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command. This is true of the PVID.
Recommended VLAN configuration procedures. Recommended configuration procedure for assigning an access port to a VLAN. Step / Remarks:
1. Creating VLANs. Required. Create one or multiple VLANs.
2. Configuring the link type of a port. Optional. Configure the link type of the port as access. By default, the link type of a port is acces
17. (Figure residue: User Group; Add Local User: User name 1-55 chars; Password 1-63 chars; Confirm 1-63 chars; Password Encryption: Reversible, Irreversible; Group: system; User type: Common User; Level: Visitor; Service type: Web, FTP, Telnet, LAN access, SSH; Expire time; VLAN 1-4094; ACL 2000-4999; User profile 1-32 chars. Items marked with an asterisk are required. Apply, Cancel.)
Configure the local user as described in Table 118. Click Apply.
Table 118 Configuration items
Item: Username. Description: Specify a name for the local user.
Item: Password / Confirm. Description: Specify and confirm the password of the local user. The settings of these two fields must be the same. Do not specify a password starting with spaces, because the spaces will be ignored.
Item: Password Encryption. Description: Select a password encryption method, Reversible or Irreversible.
Item: Group. Description: Select a user group for the local user. For information about user group configuration, see "Configuring a user group".
Item: User type. Description: Select a user type for the local user: Common User, Security Log Administrator, or Guest Administrator. Only the Common User option takes effect on this software version.
Item: Level. Description: Select an authorization level for the local user: Visitor, Monitor, Configure, or Management, in ascending order of priority. This option takes effect on only Web, FTP, Telnet, and SSH users.
Item: Service type. Description: Select the service types for the local user to use, including Web, FTP, Telnet, LAN access (Ethernet acces
18. (Figure residue: Server Group: Server Group ID, Search, Advanced Search; Server Group ID, IP Address, Operation; Add. Interface Config: Interface Name, Search, Advanced Search; Interface Name, DHCP Relay State, Operation; Vlan-interface1 Disabled; Vlan-interface2 Disabled. User Information.)
2. Configure a DHCP server group. In the Server Group area, click Add and then perform the following operations, as shown in Figure 281: Enter 1 for Server Group ID. Enter 10.1.1.1 for IP Address. Click Apply.
Figure 281 Adding a DHCP server group (figure residue: DHCP Snooping; Server Group ID 1 (0-19); IP Address 10.1.1.1; Items marked with an asterisk are required; Apply, Cancel).
3. Enable the DHCP relay agent on VLAN-interface 1:
a. In the Interface Config field, click the edit icon of VLAN-interface 1 and then perform the following operations, as shown in Figure 282.
b. Select the Enable option next to DHCP Relay.
c. Select 1 for Server Group ID.
d. Click Apply.
Figure 282 Enabling the DHCP relay agent on an interface and correlating it with a server group (figure residue: DHCP Snooping; Interface Name Vlan-interface1; DHCP Relay Enable/Disable; Address Match Check Enable/Disable; Apply, Cancel).
Because the DHCP relay agent and server are on different subnets, you need to configure a static route or dynamic routing protocol to make them reachable to each other.
Configuring DHCP snooping. DHCP snoopi
19. as shown in Figure 459.
Figure 459 WRR queuing (figure residue: Packets to be sent through this port; Queue 1, Weight 1; Queue 2, Weight 2; Sending queue; Queue scheduling; Interface; Sent packets).
A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 25, 25, 15, 15, 5, 5, 5, and 5 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively). In this way, the queue with the lowest priority is assured of at least 5 Mbps of bandwidth, and the disadvantage of SP queuing that packets in low-priority queues might fail to be served for a long time is avoided. Another advantage of WRR queuing is that while the queues are scheduled in turn, the service time for each queue is not fixed. If a queue is empty, the next queue will be scheduled immediately. This improves bandwidth resource use efficiency.
Basic WRR queuing contains multiple queues. You can configure the weight percentage or byte count for each queue, and WRR schedules these queues based on the user-defined parameters in a round robin manner. You can implement SP+WRR queue scheduling on a port by assigning some queues on the port to the SP scheduling group when you configure WRR. Packets in the SP scheduling group are scheduled pr
20. d. Click Apply.
Figure 493 Configuring the PoE ports supplying power to the IP telephones (figure residue: Summary, PSE, Setup; Select Port; Select All, Select None; Note: Select All and Select None apply only to the current unit; legend: Selected, Power Supplied, Power Enabled, Power Disabled, Not Supported, Power Fault; Power State Enable; Power Max 1000-40000 milliwatts, step 100; Power Priority High; Selected Ports GE1/0/1, GE1/0/2; Apply, Cancel).
2. Enable PoE on GigabitEthernet 1/0/11 and set the maximum power of the port to 9000 milliwatts:
a. Click the Setup tab.
b. On the tab, click to select port GigabitEthernet 1/0/11 from the chassis front panel, select Enable from the Power State list, select the box before Power Max, and enter 9000.
c. Click Apply.
Figure 494 Configuring the PoE port supplying power to the AP (figure residue: Summary, PSE, Setup; Select Port; Select All, Select None; Note: Select All and Select None apply only to the current unit; legend: Selected, Power Supplied, Power Enabled, Power Disabled, Not Supported, Power Fault; Power State Enable; Power Max 9000 (1000-40000 milliwatts, step 100); Power Priority No change; Selected Ports GE1/0/11; Apply, Cancel).
After the configuration takes effect, the IP telephones and AP are powered and can operate correctly.
21. (Index) 177, 190, 199; configuration global, 192; configuration port-specific, 195; device implementation, 189; features, 185; how it works, 189; MSTI calculation, 189; MSTP information display on port, 197; protocols and standards, 190; relationship to RSTP and STP, 185; STP basic concepts, 178; VLAN-to-instance mapping table, 187. multicast: configuring IGMP snooping, 260; displaying IGMP snooping multicast forwarding entries, 259; enabling IGMP snooping globally, 256; enabling IGMP snooping in a VLAN, 257; IGMP snooping configuration, 252; IGMP snooping port function configuration, 258; security 802.1X multicast trigger mode, 324. multiport unicast entry: MAC address table, 174.
N. NAS: AAA application, 352; AAA configuration, 352. network: ACL configuration advanced, 456, 463; ACL configuration basic, 455, 462; ACL configuration Ethernet frame header, 459; ACL configuration IPv4, 454; ACL configuration IPv6, 461; ACL packet fragment filtering, 452; all operation parameters for a port, 74; ARP dynamic table entry, 244; ARP message format, 242; ARP operation, 242; ARP static entry creation, 245; ARP static table entry, 244; ARP table, 243; CLI configuration, 20; configuring client's IP-to-MAC bindings, 302; configuring DHCP relay agent advanced parameters, 299; configuring DHCP snooping functions on interface, 309; creating DHCP server group, 300; device idle timeout period configuration, 50; device system name configuration, 50; d
22. (Index) 178; STP root port, 178. route: FIB table optimal routes, 278; static creation IPv4, 280; static creation IPv6, 281; static route, 2 8; static routing configuration IPv4, 283; static routing configuration IPv6, 287; static routing default route, 279. router: IGMP snooping router port, 252; MLD snooping router port, 266. routing: ACL configuration, 450; ACL configuration advanced, 456, 463; ACL configuration basic, 455, 462; ACL configuration Ethernet frame header, 459; ACL configuration IPv4, 454; ACL configuration IPv6, 461; configuring IGMP snooping, 260; configuring MLD snooping, 274; DHCP snooping configuration, 306; displaying IGMP snooping multicast forwarding entries, 259; displaying MLD snooping multicast forwarding entries, 2 3; enabling IGMP snooping globally, 256; enabling IGMP snooping in a VLAN, 257; enabling MLD snooping globally, 270; enabling MLD snooping in a VLAN, 270; IGMP snooping configuration, 252; IGMP snooping port function configuration, 258; MLD snooping configuration, 266; MLD snooping port function configuration, 272; port-based VLAN configuration, 135; QoS priority mapping, 4 4; security 802.1X authentication configuration, 336; security 802.1X configuration, 321; VLAN type, 134. RSTP: rule network convergence, 184; STP basic concepts, 178. ACL auto match order sort, 450; ACL automatic rule numbering, 451, 451; ACL automatic rule renumbering, 451; ACL config match order sort
23. 2. Configure extended attributes. After configuring the basic attributes, configure the parameters on the Jurisdiction Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL publishing behavior. After completing the configuration, perform CRL related configurations. In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl. After the configuration, make sure the system clock of the switch is synchronous to that of the CA so that the switch can request certificates and retrieve CRLs properly.
Configuring the switch
1. Create a PKI entity. From the navigation tree, select Authentication > Certificate Management. The PKI entity list page is displayed by default. Click Add. Enter aaa as the PKI entity name, enter ac as the common name, and click Apply.
Figure 382 Creating a PKI entity (figure residue: Domain, Certificate, CRL; Add PKI Entity: Entity Name 1-15 chars; Common Name 1-31 chars; IP Address; FQDN 1-127 chars; Country/Region Code, two-character country/region name symbol compliant with the ISO 3166 standard; State 1-31 chars; Locality 1-31 chars; Organization 1-21 chars; Organization Unit 1-31 chars; Items marked with an asterisk are required; Apply, Cancel).
Create a PKI dom
24. (Index) 450; ACL match order, 450; ACL numbering step, 451. running status: NMM RMON displaying, 96.
S. saving: Web device configuration, 65. searching: Web search function, 17; Web sort function, 19. security: 802.1X authentication configuration, 336; AAA configuration, 352, 359; ACL configuration, 450; ACL configuration advanced, 456, 463; ACL configuration basic, 455, 462; ACL configuration Ethernet frame header, 459; ACL configuration IPv4, 454; ACL configuration IPv6, 461; ACL packet fragment filtering, 452; ARP detection configuration, 250; ARP packet validity check, 250; ARP user validity check, 250; DHCP snooping configuration, 306, 308; enabling DHCP snooping, 309; MAC authentication ACL assignment, 411; MAC authentication configuration, 404, 406, 408; MAC authentication methods, 404; MAC authentication timers, 405; MAC authentication user account policies, 404; MAC local authentication configuration, 408; port, See port security; protocols and standards RADIUS, 368; RADIUS configuration, 363, 374; RADIUS scheme configuration, 368. selecting: VLAN, 142. server: security 802.1X authentication configuration, 336; security 802.1X configuration, 321, 332; security 802.1X configuration global, 332; security 802.1X configuration port-specific, 333. service: QoS policy configuration, 466. service management: FTP service, 314; HTTP service, 314; HTTPS service, 314; SFTP service, 314; SSH service, 314; Telnet service, 314. setting: buffer cap
25. (Figure 57, file management page: medium information, 6.24 MB shown, capacity 28.42 MB; file list with columns File, Size (KB), Boot File Type and Operation, listing flash:/test_old_2126d002.bin (Backup), flash:/default.diag, flash:/system.xml, flash:/startup.cfg, flash:/_startup_bak.cfg, flash:/test.bin (Main) and flash:/logfile/logfile.log; 7 records, 20 per page, page 1/1; buttons Download File, Remove File, Set as Main Boot File, Upload File; Please select disk: flash; File: Browse; Note: Do not perform any operation when upload is in process; Apply.) 2 Select a medium from the Please select disk list. Two categories of information are displayed: o Medium information, including the used space, the free space, and the capacity of the medium. o File information, including all files on the medium, the file sizes, and the boot file types (Main or Backup). The boot file type is only displayed for an application file (.bin or .app file) that will be used as the main or backup boot file. Downloading a file: 1 Select Device > File Management from the navigation tree to enter the file management page (see Figure 57). 2 From the Please select disk list, select the medium where the file to be downloaded resides. 3 Select the file from the list. Only one file can be downloaded at a time. 4 Click Download File. The File Download dialog box appears. 5 Open the file or save the file to a path. Uploading a file. IMPO
26. 89; MAC address table configuration, 173, 174, 175; MAC authentication configuration (global), 406; MAC authentication configuration (port-specific), 408; MAC-based 802.1X configuration, 336; MSTP configuration, 177, 190, 199; NMM local port mirroring configuration, 83; NMM port mirroring configuration, 79; NMM RMON configuration, 93, 105; NMM SNMP configuration, 111; ping, 31, 7; PoE configuration, 497, 501, 521; PoE power, 497; port isolation configuration, 441; port management, 69, 5; port security advanced control configuration, 428; port security advanced mode configuration, 433; port security basic control configuration, 425; port security basic mode configuration, 430; port security configuration, 421, 423, 430; port security configuration (global), 424; port security permitted OUIs configuration, 429; port-based VLAN configuration, 135; QoS configuration, 489; QoS policy configuration, 466; QoS priority mapping, 4 4; QoS traffic mirroring configuration, 481; QoS traffic redirecting configuration, 481; RADIUS configuration, 363, 374; RADIUS scheme configuration, 368; security 802.1X authentication configuration, 336; security 802.1X configuration, 321, 332; security 802.1X configuration (global), 332; security 802.1X configuration (port-specific), 333; security ARP attack protection configuration, 250; security MAC authentication ACL assignment, 411; security MAC authentication configuration, 404, 406, 408; security MAC local authenti
27. A user does not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. This quiet mechanism avoids repeated authentication during a short time. If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark the MAC address as a silent address. User account policies: MAC authentication supports the following user account policies. • One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment. • One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment. Authentication methods: You can perform MAC authentication on the access device (local authentication) or through a RADIUS server. Local aut
28. Basic Setup: Configure a rule for a basic IPv6 ACL (Configure). Advanced Setup: Configure a rule for an advanced IPv6 ACL (Configure). Remove: Delete an IPv6 ACL or its rules (Configure). Queue: Summary, Display the queue information about a port (Monitor); Setup, Configure a queue on a port (Configure). Line Rate: Summary, Display line rate configuration information (Monitor); Setup, Configure the line rate (Configure). Classifier: Summary, Display classifier configuration information (Monitor); Create, Create a class (Configure); Setup, Configure the classification rules for a class (Configure); Remove, Delete a class or its classification rules (Configure). Behavior: Summary, Display traffic behavior configuration information (Monitor); Create, Create a traffic behavior (Configure); Setup, Configure actions for a traffic behavior (Configure); Port Setup, Configure traffic mirroring and traffic redirecting for a traffic behavior (Configure); Remove, Delete a traffic behavior (Configure). QoS Policy: Summary, Display QoS policy configuration information (Monitor); Create, Create a QoS policy (Configure); Setup, Configure the classifier-behavior associations for a QoS policy (Configure); Remove, Delete a QoS policy or its classifier-behavior associations (Configure). Port Policy: Summary, Display the QoS policy applied to a port (Monitor); Setup, Apply a QoS policy to a port (Configure); Remove, Remove the QoS policy from the port (Configure). Priority Mapping: Priority Mapping, Display priority mapping table information (Monitor); Modify the priority mappi
29. Display information about stack members (Optional). Display the control panels of stack members (Optional). IMPORTANT: Before viewing the control panel of a member device, you must make sure the username, password, and access right you used to log on to the master device are the same as those configured on the member device. Otherwise, the control panel of the member device cannot be displayed. Log in to the Web network management interface of a member device from the master device (Optional). IMPORTANT: Before logging in to a member device, you must make sure the username, password, and access right you used to log on to the master device are the same as those configured on the member device. Otherwise, you cannot log in to the member device. You can configure them by selecting Device and then clicking Users from the navigation tree. Configuring global parameters of a stack: Select Stack from the navigation tree to enter the page shown in Figure 26. You can configure global parameters of a stack in the Global Settings area. Figure 26 Setting up (Stack page with Topology Summary and Device Summary tabs; Global Settings: Private Net IP, Mask, Build Stack Disable, Apply; Port Settings: search by Port Name, Advanced Search; columns Port Name and Port Status, with GigabitEthernet1/0/1 through GigabitEthernet1/0/5 shown as not stack port; 28 records, 5
30. ACL filtering are permitted to use the FTP service. You can view this configuration item by clicking the expanding button in front of FTP. Enable Telnet service: Enable or disable the Telnet service. The Telnet service is disabled by default. Enable SSH service: Enable or disable the SSH service. The SSH service is disabled by default. Enable SFTP service: Enable or disable the SFTP service. The SFTP service is disabled by default. IMPORTANT: When you enable the SFTP service, the SSH service must be enabled. Enable HTTP service: Enable or disable the HTTP service. The HTTP service is enabled by default. Port Number: Set the port number for the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: When you modify a port, make sure the port is not used by any other service. ACL: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. Enable HTTPS service: Enable or disable the HTTPS service. The HTTPS service is disabled by default. Certificate: Select a local certificate for the HTTPS service from the Certificate dropdown list. You can configure the certificates available in the dropdown list in Authentication > Certificate Management. For more information, see Managing certifi
31. (Authorization tab residue: LAN access AuthZ Name, Secondary Method; Login AuthZ Name, Secondary Method; PPP AuthZ Name, Secondary Method; Portal AuthZ Name, Secondary Method; Command AuthZ Name.) d Click Apply. e After the configuration process is complete, click Close. Configure the AAA accounting method for the ISP domain: a Click the Accounting tab. b Select test from the Select an ISP domain list. c Select Accounting Optional and select Enable from the list. d Select Default Accounting, select the accounting method RADIUS, and select the accounting scheme system from the Name list. e Click Apply. Figure 328 Configuring the AAA accounting method for the ISP domain (Accounting tab of the AAA page, beside Domain Setup, Authentication and Authorization: Select an ISP domain test; Accounting Optional; Default Accounting RADIUS, Name system, Secondary Method; LAN access Accounting, Login Accounting, PPP Accounting and Portal Accounting, each with Name and Secondary Method). f After the configuration process is complete, click Close. Configuring an ACL: 1 From the navigation tree, select QoS > ACL IPv4. 2 Click the Add tab. 3 Enter the ACL number 3000 and click Apply. Figure 329 Creating ACL 3000 (Add tab, beside Summary, Basic Setup, Advanced Setup, Link Layer Setup and Remove: ACL Number 3000; 2000-2999 for basic ACLs, 3000-3999 for advanced ACLs; Match Order; 4000-4999 for Ethernet frame heade
32. (Port security list residue: columns including Outbound Restriction and Operation; Write Protection; Add, Del Selected; Secure MAC Address List; Advanced Port Security Configuration > Ports Enabled With Advanced Features; Permitted OUIs for ports working in the mode of 802.1X MAC Based Or OUI.) Configure advanced port security control: a In the Advanced Port Security Configuration area, click Ports Enabled With Advanced Features, and then click Add. b Select GigabitEthernet1/0/1 from the Port list and select 802.1X MAC Based Or OUI from the Security Mode list. c Click Apply. Figure 433 Configuring advanced port security control settings on GigabitEthernet1/0/1 (Advanced Port Security Configuration: Port GigabitEthernet1/0/1; Security Mode 802.1X MAC Based Or OUI; Enable Intrusion Protection, Disable Port Temporarily; Enable Outbound Restriction, Only MAC Known Unicasts; Ignore Authorization; Apply, Cancel). Add permitted OUIs: a In the Advanced Port Security Configuration area, click Permitted OUIs. b Enter 1234-0100-0000 in the OUI Value field. c Click Add. Figure 434 Configuring permitted OUI values (Advanced Port Security Configuration, Permitted OUIs for ports working in the mode of 802.1X MAC Based Or OUI: OUI value 1234-0100-0000, Add; in the format H-H-H, only the first 24 bits make sense; columns OUI Value and Operation). d Repeat the previous three steps to add the OUI values
33. Table 124 Field description. Version: CRL version number. Signature Algorithm: Signature algorithm that the CRL uses. Issuer: CA that issued the CRL. Last Update: Last update time. Next Update: Next update time. X509v3 CRL Number: CRL sequence number. X509v3 Authority Key Identifier: Identifies the CA that issued the certificate and the certificate version. Public key identifier (keyid): A CA might have multiple key pairs, and this field identifies which key pair is used for the CRL signature. No Revoked Certificates: No certificates are revoked. PKI configuration example. Network requirements: As shown in Figure 381, configure the switch working as the PKI entity so that: • The switch submits a local certificate request to the CA server, which runs the RSA Keon software. • The switch retrieves CRLs for certificate verification. Figure 381 Network diagram (PKI entity: Host, Switch and CA server connected over the Internet). Configuring the CA server: 1 Create a CA server named myca. In this example, first configure the basic attributes of Nickname and Subject DN on the CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of the CA, including the common name, organization unit, organization, and country. Leave the default values of the other attributes.
34. Server Type: Options include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server. IP Address: Specify the IPv4 or IPv6 address of the RADIUS server. The IP addresses of the primary and secondary servers for a scheme must be different. Otherwise, the configuration fails. RADIUS server addresses in the same scheme must use the same IP version. Port: Specify the UDP port of the RADIUS server. Key / Confirm Key: Specify the shared key for communication with the RADIUS server. If no shared key is specified, the shared key specified in the common configuration part is used. RADIUS configuration example. Network requirements: As shown in Figure 354, an 802.1X user logs in to the switch from the host. Configure the switch to implement RADIUS authentication and accounting for the 802.1X user. RADIUS accounting records the online duration of the 802.1X user. Configure RADIUS servers on CAMS or IMC to use the default port for authentication and accounting. The 802.1X user's username and password and the shared key expert are configured for packet exchange with the switch. On the switch, configure the shared key for packet exchange with the RADIUS server as expert, and configure the system to remove the domain name of a username before sending it to the RADIUS server. On the switch, enable the Telnet server function and configure the switch to use AAA for authentication
35. (Please select the ISP domains: Domain Name, Default Domain.) Configure the ISP domain to use local authentication: a Select Authentication > AAA from the navigation tree. b Click the Authentication tab. c Select the domain test. d Select Login AuthN and select the authentication method Local. Figure 342 Configuring the ISP domain to use local authentication (Authentication tab of the AAA page, beside Domain Setup, Authorization and Accounting: Select an ISP domain test; Default AuthN Local, Name, Secondary Method; LAN access AuthN, Login AuthN, PPP AuthN and Portal AuthN, each with Name and Secondary Method; Apply). e Click Apply. f A configuration progress dialog box appears, as shown in Figure 343. After the configuration process is complete, click Close. Figure 343 Configuration progress dialog box (Current Configuration: Setting Login AuthN, OK). Configure the ISP domain to use local authorization: a Select Authentication > AAA from the navigation tree. b Click the Authorization tab. c Select the domain test. d Select Login AuthZ and select the authorization method Local. e Click Apply. A configuration progress dialog box appears. f After the configuration process is complete, click Close. Figure 344 Configuring the ISP domain to use local authorization (Domain Setup, Authentication, Accounting, Authorizatio
36. Priority level 3. 4 Click the Statistics Information tab to display the LLDP statistics. Figure 204 The statistic information tab (beside Local Information, Neighbor Information and Status Information; LLDP statistics information of port 4, GigabitEthernet1/0/4: The number of LLDP frames transmitted 2677; The number of LLDP frames received 2676; The number of LLDP frames discarded 70; The number of LLDP error frames 70; The number of LLDP TLVs discarded 70; The number of LLDP TLVs unrecognized 70; The number of LLDP neighbor information aged out 0; The number of CDP frames transmitted 70; The number of CDP frames received 70; The number of CDP frames discarded 70; The number of CDP error frames 70). 5 Click the Status Information tab to display the LLDP status information. Figure 205 The status information tab (beside Local Information, Neighbor Information and Statistic Information; Port 4, GigabitEthernet1/0/4: Port status of LLDP Enable; Admin status TxRx; Trap flag No; Polling interval 0s; Number of neighbors 1; Number of MED neighbors N; Number of CDP neighbors 70; Number of sent optional TLV 23; Number of received unknown TLV 0). Displaying global LLDP information: 1 From the navigation tree, select Network > LLDP. 2 Click the Global Summary tab to display global local LLDP information and statistics. Table 79 describes the fields. Figure 206 The global summary tab (Port Setup, Global Setup, Neighbor Summary, L
37. (Rule list columns: Rule ID, Operation, Description, Time Range.) 3 Configure a rule for a basic IPv4 ACL. 4 Click Add. Table 139 Configuration items. ACL: Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs. Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule. Action: Select the action to be performed for IPv4 packets matching the rule. • Permit: Allows matched packets to pass. • Deny: Drops matched packets. Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments. Check Logging: Select this box to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address, source/destination port number, and number of matched packets. This function is not supported. Source IP Address / Source Wildcard: Select the Source IP Address box and enter a source IPv4 address and a wildcard mask in dotted decimal notation. Time Range: Select the time range during which the rule takes effect. Configuring a rule for an advanced IPv4 ACL: 1 Select QoS > ACL IPv4 from the navigation tree. 2 Click t
38. (Select ports for the link aggregation interface: Select All, Select None; Selected Ports, Unselected Ports; Not a member of any link aggregation interface created; Members of existing link aggregation interfaces. Summary: Aggregation Interface ID 1, Member Ports GE1/0/1 and GE1/0/3, Aggregation Interface Type Dynamic; Apply, Cancel.) Configuration guidelines: When you configure a link aggregation group, follow these guidelines. In an aggregation group, a Selected port must have the same port attributes and class-two configurations as the reference port. To keep these configurations consistent, you should configure the port manually. Choose a reference port from the member ports that are in up state and have the same class-two configurations as the aggregate interface. The candidate ports are sorted in the following order: o Full duplex, high speed; o Full duplex, low speed; o Half duplex, high speed; o Half duplex, low speed. If two ports have the same duplex mode/speed pair, the one with the lower port number is chosen. Port attribute configuration includes the configuration of the port rate, duplex mode, and link state. For more information about class-two configurations, see Configuration classes. To guarantee a successful static aggregation, make sure the ports at the two ends of each link to be aggregated are in the same aggregation state. To guarantee a successful dynamic aggregation, make sure the pee
39. (Rule configuration page residue: Select an ACL; Help: Configure an Ethernet frame header ACL; Rule ID, 0-65534, if no ID is entered the system will specify one; MAC Address Filter, format of MAC address and mask is H-H-H; COS 802.1p priority, None; Type Filter; Time Range; rule list columns Rule ID, Operation, Description, Time Range.) 3 Configure a rule for an Ethernet frame header IPv4 ACL, as described in Table 141. 4 Click Add. Table 141 Configuration items. ACL: Select the Ethernet frame header IPv4 ACL for which you want to configure ACL rules. Available ACLs are Ethernet frame header IPv4 ACLs. Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule. Action: Select the action to be performed for packets matching the rule. • Permit: Allows matched packets to pass. • Deny: Drops matched packets. (Remaining items: MAC Address Filter with Source MAC Address, Source Mask, Destination MAC Address and Destination Mask; COS 802.1p priority; Type Filter with LSAP Type, LSAP Mask, Protocol Type and Protocol Mask; Time Range.) Source MAC Address / Source Mask: Select the Source MAC Address box and enter a source MAC address and a mask. Destination MAC Address / Destination Mask: Select the Destination MAC Address box and enter a destination MAC address and a mask. COS 802.1p priority: Specify the 802.1p priority for the rule. Select t
40. Established (TCP Connection): Establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list. TCP/UDP Port (Operator, Source Port, Destination Port): Select the operators and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operators have different configuration requirements for the port number fields: • Not Check: The following port number fields cannot be configured. • Range: The following port number fields must be configured to define a port range. • Other values: The first port number field must be configured, and the second must not. Only Not Check and Other values are supported. Precedence Filter: DSCP, Specify the DSCP value; TOS, Specify the ToS preference; Precedence, Specify the IP precedence. If you specify the ToS precedence or IP precedence when you specify the DSCP value, the specified TOS or IP precedence does not take effect. Time Range: Select the time range during which the rule takes effect. Configuring a rule for an Ethernet frame header ACL: 1 Select QoS > ACL IPv4 from the navigation tree. 2 Click the Link Layer Setup tab. The rule configuration page for an Ethernet frame header IPv4 ACL appears. Figure 449 Configuring a rule for an Ethernet frame header ACL (Link Layer Setup tab, beside Summary, Add, Basic Setup, Advanced Setup and Remove; ACL
41. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type. By default, no RADIUS scheme exists. To configure a RADIUS scheme: 1 Select Authentication > RADIUS from the navigation tree. Figure 350 RADIUS scheme list (columns Scheme Name, Server Type, Username Format, Primary Authentication Server, Primary Accounting Server and Operation; one entry: system, Standard, Without domain name; Add, Del Selected). 2 Click Add. Figure 351 RADIUS scheme configuration page (Add RADIUS Scheme: Scheme Name, 1-32 chars; Common Configuration: Server Type Standard, Username Format Without domain name, Advanced; RADIUS Server Configuration: columns Server Type, IP Address, Port and Operation, Add; items marked with an asterisk are required; Apply, Cancel). 3 Configure the parameters as described in Table 114. 4 Click Apply. Table 114 Configuration items. Scheme Name: Enter a name for the RADIUS scheme. Common Configuration: Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets. For more information about common configuration, see Configuring common parameters. RADIUS Server Configuration: Configure the parameters of the RADIUS authentication servers and accounting servers. For more information about RADIUS server configuration, see Adding RADIUS servers. Configu
42. To view the configuration and power information, click a port on the chassis front panel. Figure 491 PoE summary with GigabitEthernet1/0/1 selected (PSE Summary tab, beside PSE Setup and Port Setup: PSE ID 1, Location slot 1 subslot 0, State on, Max Power 415 W, Average Power 0 W, Peak Power 0 W, Available Power 415 W; Ports Power Display with legend Power Supplied, Power Enabled, Power Disabled, Not Supported, Power Fault; per-port columns Port, Power State, Port State, Priority, Max Power (mW), Average Power (mW), Peak Power (mW), Free Power (mW)). PoE configuration example. Network requirements: As shown in Figure 492, GigabitEthernet1/0/1 and GigabitEthernet1/0/2 are connected to IP telephones. GigabitEthernet1/0/11 is connected to an AP whose maximum power does not exceed 9000 milliwatts. The IP telephones have a higher power supply priority than the AP, so the PSE supplies power to the IP telephones first if the PSE power is overloaded. Figure 492 Network diagram (GE1/0/11 to the AP; Phone1 and Phone2 on the other ports). Configuring PoE: 1 Enable PoE on GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and set their power supply priority to critical. a Select PoE > PoE from the navigation tree. b Click the Setup tab. c On the tab, click to select ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 from the chassis front panel, select Enable from the Power State list, and select Critical from the Power Priority list.
43. authorization, and accounting of Telnet users. Figure 354 Network diagram (Telnet user, Switch with Vlan-int2 192.168.1.1/24 and GE1/0/1, RADIUS server; addresses 192.168.1.10/24 and 10.110.91.146/24). Configuration prerequisites: Enable 802.1X globally and on the specified port. Configure network access control based on MAC addresses. (Details not shown.) Configuring a RADIUS scheme: 1 Select Authentication > RADIUS from the navigation tree. 2 Click Add to add a RADIUS scheme. a Enter system as the scheme name. b Select Extended as the server type. c Select Without domain name for the username format. 3 In the RADIUS Server Configuration area, click Add to configure the primary authentication server. a Select Primary Authentication as the server type. b Enter 10.110.91.146 as the IP address. c Enter 1812 as the port. d Enter expert as the key and enter expert again to confirm the key. e Click Apply. Figure 355 RADIUS authentication server configuration page (Add RADIUS Server: Server Type Primary Authentication; IP Address (IPv4/IPv6) 10.110.91.146; Port 1812, 1-65535, default 1812; Key, 1-64 chars, masked; Confirm Key, 1-64 chars, masked; Apply, Cancel). 4 In the RADIUS Server Configuration area, click Add again to configure the primary accounting server. a Select Primary Accounting as the server type. b Enter 10.110.91.146 as the IP address. c Enter 1813 as the port. d Enter expert as the key and e
44. the system refreshes system information only when you click the Refresh button. Displaying device information: Select Summary from the navigation tree and click the Device Information tab to enter the page that displays information about the device ports. Hover the cursor over a port, and the port details appear, including the port name, type, speed, utilization, and status, as shown in Figure 37. The aggregation group number is also displayed if the port is added to an aggregation group. For the description of the port number and its color, see Figure 37. Figure 37 Device information (Device Information tab, beside System Information; tooltip for port GigabitEthernet1/0/2: Type 1000BASE-T, Speed 1000M Full Duplex, Utilization 0, Status Disabled; Refresh Period 30 Seconds, Refresh. Description of port number color: Unconnected port; Connected port; Port that has been set to inactive by user or protocol; Port that has been selected by user; Port or module has failed POST or module is not recognized. Description of port numbers: Common number, Number of the port; Bn, Added to a Layer 2 aggregation group, where n represents the aggregation group number; Rn, Added to a Layer 3 aggregation group, where n represents the aggregation group number.) To set the interval for refreshing device information, select one of the following options from the Refresh Period list: • If you select a certain period, the system refreshes device informati
45. 1/0/1: a Select Device > RMON from the navigation tree. The Statistics tab page appears. b Click Add. The page in Figure 92 appears. c Select GigabitEthernet1/0/1 from the Interface Name list, type user1 in the Owner field, and click Apply. Figure 92 Adding a statistics entry (Add a Statistic Group on the Statistics tab, beside History, Alarm, Event and Log: Interface Name GigabitEthernet1/0/1; Owner, 1-127 chars; only one statistics group can be created on one interface; items marked with an asterisk are required; Apply, Cancel). Display RMON statistics for GigabitEthernet1/0/1: a Click the icon corresponding to GigabitEthernet1/0/1. b Display this information, as shown in Figure 93. Figure 93 Displaying RMON statistics (Statistic Group Detail for current interface GigabitEthernet1/0/1, columns Statistic Item and Statistic Value: Number of Received Bytes 34375; Number of Received Packets; Number of Received Broadcasting Packets 180; Number of Received Multicast Packets 117; Number of Received Packets With CRC Check Failed; Number of Received Packets Smaller Than 64 Bytes 0; Number of Received Packets Larger Than 1518 Bytes; Number of Received Packets Smaller Than 64 Bytes And FCS Check Failed 0; Number of Received Packets Larger Than 1518 Bytes And FCS Check Failed 0; Number of Network Conflicts 0; Number of Packet Discarding Events 0; Number of Received 64 Bytes Packets 116; Number of Received 65 to 127 Bytes Pa
46. (Create tab, beside Summary, Modify and Remove: Enter Link Aggregation Interface ID, 1-8; Specify Interface Type: Static (LACP Disabled) or Dynamic (LACP Enabled); Note: The type of the link aggregation interface set here overwrites the existing LACP settings of the ports in the link aggregation interface; Select ports for the link aggregation interface, Select All, Select None, Selected Ports, Unselected Ports, Not a member of any link aggregation interface created, Members of existing link aggregation interfaces; Summary: Aggregation Interface ID 1, Member Ports GE1/0/1 and GE1/0/3, Aggregation Interface Type Static; Apply, Cancel.) Method 2: Create dynamic link aggregation group 1. 1 From the navigation tree, select Network > Link Aggregation. 2 Click Create. 3 Configure dynamic aggregation group 1: a Enter link aggregation interface ID 1. b Select Dynamic (LACP Enabled) for the aggregate interface type. c Select GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 on the chassis front panel. 4 Click Apply. Figure 194 Creating dynamic link aggregation group 1 (Create tab, beside Summary, Modify and Remove: Enter Link Aggregation Interface ID, 1-8; Specify Interface Type: Static (LACP Disabled) or Dynamic (LACP Enabled); Note: The type of the link aggregation interface set here overwrites the existing LACP settings of the ports in the link aggregation interface
47. (Statistics tab list: 1, GigabitEthernet1/0/1, user, Active; Add, Del Selected.) 2 Click Add. Figure 81 Adding a statistics entry (Add a Statistic Group on the Statistics tab, beside History, Alarm, Event and Log: Interface Name GigabitEthernet1/0/2; Owner, 1-127 chars; only one statistics group can be created on one interface; items marked with an asterisk are required; Apply, Cancel). 3 Configure a statistics entry as described in Table 24. 4 Click Apply. Table 24 Configuration items. Interface Name: Select the name of the interface on which the statistics entry is created. Only one statistics entry can be created on one interface. Owner: Set the owner of the statistics entry. Configuring a history entry: 1 Select Device > RMON from the navigation tree. 2 Click the History tab. Figure 82 History entry (History tab, beside Statistics, Alarm, Event and Log: search by Index, Advanced Search; columns Index, Interface Name, Buckets Requested, Buckets Granted, Interval (Sec), Owner, Status and Operation; one entry: 1, GigabitEthernet1/0/1, 10000, 10, 360, user, Active; Add, Del Selected). 3 Click Add. Figure 83 Adding a history entry (Add a History Group: Interface Name GigabitEthernet1/0/1; Buckets Granted, 1-65535; Interval (Seconds), 5-3600; Owner, 1-127 chars; items marked with an asterisk are required; Apply, Cancel). 4 Configure a history entry as described in Table 25. 5 Click Apply. Table 25 Configuration items. Interface Na
48. (History entry row residue: 131 0 0 0 0 0 0 134041; Back, Refresh.) Table 29 Field description. NO: Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer. Time: Time at which the information is saved. DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents. Octets: Number of octets received during the sampling period, corresponding to the MIB node etherHistoryOctets. Pkts: Number of packets received during the sampling period, corresponding to the MIB node etherHistoryPkts. BroadcastPkts: Number of broadcasts received during the sampling period, corresponding to the MIB node etherHistoryBroadcastPkts. MulticastPkts: Number of multicasts received during the sampling period, corresponding to the MIB node etherHistoryMulticastPkts. CRCAlignErrors: Number of packets received with CRC alignment errors during the sampling period, corresponding to the MIB node etherHistoryCRCAlignErrors. UndersizePkts: Number of undersize packets received during the sampling period, corresponding to the MIB node etherHistoryUndersizePkts. OversizePkts: Number of oversize packets received during the sampling period, corresponding to the MIB node etherHistoryOversizePkts. Fragments: Number of fragments received during the sampling period, corresponding to the MIB node etherHistoryFragments. Number of jabbers received during the sampling period, corresponding to Jab
49. 2 of Device A are connected to the common root bridge, port 5 and port 6 of Device C form a loop, and port 3 and port 4 of Device D are connected downstream to the other MST regions. Figure 177 Port roles (diagram: connecting to the common root bridge; MST region; master port; designated port). MSTP calculation involves the following port roles:
• Root port: Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port.
• Designated port: Forwards data to the downstream network segment or device.
• Master port: Serves as a port on the shortest path from the local MST region to the common root bridge. The master port is not always located on the regional root. It is a root port on the IST or CIST and still a master port on the other MSTIs.
• Alternate port: Serves as the backup port for a root port or master port. When the root port or master port is blocked, the alternate port takes over.
• Backup port: Serves as the backup port of a designated port. When the designated port is invalid, the backup port becomes the new designated port. A loop occurs when two ports of the same spanning tree device are connected, so the device blocks one of the ports. The blocked port acts as the backup.
• Boundary port: Connects an MST region to another MST region or to an STP/RSTP-running device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the CIST. But tha
50. 20 or up to 8 entries (Customer VLAN, like 3, 5-7); ACL IPv4 3000; ACL IPv6; Rule Type; Rule Value. d. Click Apply. A progress dialog box appears, as shown in Figure 482. e. Click Close on the progress dialog box when it prompts that the configuration succeeds. Figure 482 Configuration progress dialog box (Current Configuration: Setting ACL IPv4 - OK). Add a traffic behavior: a. Select QoS > Behavior from the navigation tree. b. Click the Add tab. c. Enter the behavior name behavior. d. Click Add. Figure 483 Adding a traffic behavior (tabs: Summary, Setup, Port Setup, Remove; Behavior Name: behavior, 1-31 chars; Add). Configure actions for the traffic behavior: a. Click the Setup tab. b. Select behavior in the list. c. Select the Filter box and then select Deny in the following list. d. Click Apply. A progress dialog box appears. e. Click Close when the progress dialog box prompts that the configuration succeeds. Figure 484 Configuring actions for the behavior (tabs: Summary, Add, Port Setup, Remove; Please select a behavior: behavior; CAR: Enable/Disable, CIR (kbps) 16-1000000, must be a multiple of 16, CBS (byte) 0-4294967294, Red: Discard/Pass; Remark: IP Precedence, Dot1p, Local Precedence, DSCP (default); Queue: EF Max Bandwidth (kbps) 8-1000000, CBS (byte) 32-2000000, Percent 1-100, CBS Ratio 25-500; AF Max Bandwidth (kbps) 8-1000000
51. 300, default 100. Authentication ISP Domain: aabbcc.net. Authentication Information Format: MAC without hyphen; MAC with hyphen; Fixed: Username (1-55 chars), Password. Apply. Ports With MAC Authentication Enabled (columns: Port, Auth-Fail VLAN, Operation; Add, Del Selected). 2. Configure MAC authentication for GigabitEthernet 1/0/1: a. In the Ports With MAC Authentication Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Port list and click Apply. Figure 395 Enabling MAC authentication for port GigabitEthernet 1/0/1 (Enable MAC Authentication: Port GigabitEthernet1/0/1; Enable MAC VLAN (only hybrid ports support this configuration); items marked with an asterisk are required; Apply, Cancel). ACL assignment configuration example. Network requirements: As shown in Figure 396, the switch uses RADIUS servers to perform authentication, authorization, and accounting. Configure MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure an authenticated user can access the Internet but not the FTP server at 10.0.0.1. Use MAC-based user accounts for MAC authentication users. The MAC addresses are not hyphenated. Figure 396 Network diagram (RADIUS servers: Auth 10.1.1.1, Acct 10.1.1.2; Internet; Host 192.168.1.10; Switch; FTP server 10.0.0.1). Configuring IP addresses: Assign an IP address to
52. 369; configuring RADIUS scheme 368; configuring rate limit 477; configuring secure MAC addresses 427; configuring security 802.1X 332; configuring security 802.1X global 332; configuring security 802.1X port-specific 333; configuring security 802.1X authentication 336; configuring security ARP detection 250; configuring security MAC authentication 406, 408; configuring security MAC authentication ACL assignment 411; configuring security MAC local authentication 408; configuring SNMP community 117; configuring SNMP group 118; configuring SNMP trap function 12; configuring SNMP user 120; configuring SNMP view 115; configuring SNMPv1 124; configuring SNMPv2c 124; configuring SNMPv3 127; configuring stack 43; configuring stack global parameters 40; configuring stack ports 4; configuring static routing IPv4 283; configuring static routing IPv6 287; configuring statistics entry 97; configuring system parameters 34; configuring system time by using NTP 57, 58; configuring system time manually 56; configuring user group 382; configuring VLAN interface 150; creating ARP static entry 245; creating DHCP server group 300; creating Ethernet link aggregation group 208; creating SNMP view 115; creating static route IPv4 280; creating static route IPv6 281; creating VLAN 139; creating VLAN interface 150; displaying active route table IPv4 279; displaying active route table IPv6 281; displaying all
53. 499; enabling SNMP agent 113; entering configuration wizard homepage 34; finishing configuration wizard 37; identifying node failure with traceroute 319; logging in to member device from master 42; logging in to Web interface through HTTP 6; logging out of Web interface 7; managing port 69, 75; modifying port 144; modifying VLAN 143; modifying VLAN interface 152; NMM port mirroring 80; removing IP services ARP entry 245; removing Web device file 68; resetting Web device configuration 66; restoring Web device configuration 64; saving Web device configuration 65; selecting VLAN 142; setting buffer capacity and refresh interval 63; setting configuration environment 20; setting LLDP parameters for a single port 224; setting LLDP parameters for ports in batch 227; setting log host 62; setting MAC address table dynamic aging timer 1 5; setting port operation parameters 69; setting refresh period 48; setting terminal parameter 21; setting Web device super password 87; specifying Web device main boot file 68; switching to Web device management level 88; testing cable status 91; testing connectivity with ping 318; uploading Web device file 68; viewing port traffic statistics 92. protocols and standards: DHCP 296; DHCP overview 292; IGMP snooping 255; LLDP 222; MLD snooping 269; MSTP 190; NMM SNMP configuration 111; RADIUS 363, 368; SNMP versions 112; STP protocol packets 177. PSE detect nonstandard PDs 499. PVID con
54. A; Source; MLD querier; Receiver (network diagram residue). Configuration procedure. Configuring Router A: Enable IPv6 multicast routing, assign an IPv6 address to each interface, enable IPv6 PIM-DM on each interface, and enable MLD on GigabitEthernet 1/0/1. (Details not shown.) Configuring Switch A: 1. Create VLAN 100: a. Select Network > VLAN from the navigation tree. b. Click the Create tab. c. Enter 100 as the VLAN ID. d. Click Apply. Figure 248 Creating VLAN 100 (tabs: Select VLAN, Port Detail, Detail, Modify VLAN, Modify Port, Remove, Create; VLAN IDs, example: 3, 5-10; Create; ID 1, Description VLAN 0001; Modify VLAN description (note: you can do this later on the Modify VLAN page); Modify the description of the selected VLAN: ID, Description, Chars). Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: a. Click the Modify Port tab. b. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports area. c. Select Untagged for Select membership type. d. Enter 100 as the VLAN ID. e. Click Apply. Figure 249 Assigning ports to VLAN 100 (tabs: Select VLAN, Create, Port Detail, Detail, Modify VLAN, Remove; Select Ports: Select All, Select None, Not available for selection; membership type: Untagged, Tagged, Not A Member, Link Type, PVID; Enter VLAN IDs to which the port is to be assigned: VLAN IDs 100, example: 1, 3, 5-10; Selected ports; Apply, Cancel). Enable M
55. Configure the default accounting method and secondary accounting method for all types of users. Options include: HWTACACS: HWTACACS accounting. You must specify the HWTACACS scheme to be used. Local: Local accounting. None: No accounting. RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used. Not Set: The device uses the default accounting setting, which is local accounting. Configure the accounting method and secondary accounting method for LAN access users. Options include: Local: Local accounting. None: No accounting. RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used. Not Set: The device uses the settings in the Default Accounting area for LAN access users. Login Accounting (Name, Secondary Method): Configure the accounting method and secondary accounting method for login users. Options include: HWTACACS: HWTACACS accounting. You must specify the HWTACACS scheme to be used. Local: Local accounting. None: No accounting. RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used. Not Set: The device uses the settings in the Default Accounting area for login users. AAA configuration example. Network requirements: As shown in Figure 339, configure the switch to perform local authentication, authorization, and accounting for Telnet users. Figure 339 Network diagram (Vlan-int2 192.168.1.1/24
56. Description. IP Address: Enter an IP address for the static ARP entry. MAC Address: Enter a MAC address for the static ARP entry. Advanced Options (VLAN ID, Port): Enter a VLAN ID and specify a port for the static ARP entry. IMPORTANT: The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to that VLAN. The corresponding VLAN interface must have been created. Removing ARP entries: 1. From the navigation tree, select Network > ARP Management. The default ARP Table page appears, as shown in Figure 218. 2. Remove ARP entries: o To remove specific ARP entries, select the boxes of the target ARP entries and click Del Selected. o To remove all static and dynamic ARP entries, click Delete Static and Dynamic. o To remove all static ARP entries, click Delete Static. o To remove all dynamic ARP entries, click Delete Dynamic. Configuring gratuitous ARP: 1. From the navigation tree, select Network > ARP Management. 2. Click the Gratuitous ARP tab. Figure 220 Configuring gratuitous ARP page (tabs: ARP Table, Gratuitous ARP; options: Disable gratuitous ARP packets learning function; Send gratuitous ARP packets when receiving ARP requests from another network segment; Apply). 3. Configure gratuitous ARP as described in Table 81. 4. Click Apply. Table 81 Configuration items. Disable gratuitous ARP packets learning function: Disable learning of ARP entries from gratuitous ARP packets. Grat
57. Device A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and it discards the received configuration BPDU. Device A finds that both the root bridge and the designated bridge in the configuration BPDUs of all its ports are itself, so it assumes itself to be the root bridge. It does not make any change to the configuration BPDU of each port, and it starts sending out configuration BPDUs periodically. Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and it updates the configuration BPDU of BP1. Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}. Device B finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU, and it discards the received configuration BPDU. Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then it uses BP1 as the root port, the configuration BPDUs of which will not be changed. Based on the configuration BPDU of BP1 and the path cost of the root port (5), Device B calculates a designated port configuration BPDU for BP2: {0, 5, 1, BP2}. Device B compares the calculated configuration BPDU {0, 5, 1, BP2} with the configuration BPDU of BP2. If the calculated BPDU is s
58. [unreadable entry] 156
[unreadable entry] 156
Voice VLAN assignment modes 156
Security mode and normal mode of voice VLANs 158
Recommended voice VLAN configuration procedure 159
Configuring voice VLAN globally 160
Configuring voice VLAN on ports 161
Adding OUI addresses to the OUI list 162
Voice VLAN configuration examples 163
Configuring voice VLAN on a port in automatic voice VLAN assignment mode 163
Configuring a voice VLAN on a port in manual voice VLAN assignment mode 167
Configuration guidelines 172
Configuring the MAC address table 173
[unreadable entry] 173
How a MAC address entry is created 173
Types of MAC address entries 174
Displaying and configuring MAC address entries
59. Enabled area, click Add. Figure 389 Configuring MAC authentication on a port (Enable MAC Authentication: Port GigabitEthernet1/0/1; Enable MAC VLAN (only hybrid ports support this configuration); items marked with an asterisk are required; Apply, Cancel). 3. Configure MAC authentication for a port as described in Table 126, and then click Apply. Table 126 Configuration items. Port: Selects a port on which you want to enable MAC authentication. Enable MAC VLAN: Specifies whether to enable MAC-based VLAN on the port. IMPORTANT: You can enable MAC authentication only on hybrid ports. Auth-Fail VLAN: Specifies an existing VLAN as the MAC authentication Auth-Fail VLAN. IMPORTANT: • The MAC authentication Auth-Fail VLAN has a lower priority than the 802.1X guest VLAN on a port that performs MAC-based access control. If a user fails both types of authentication, the access port adds the user to the 802.1X guest VLAN. For more information about 802.1X guest VLANs, see Configuring 802.1X. • The MAC authentication Auth-Fail VLAN function has higher priority than the quiet function of MAC authentication. • The MAC authentication Auth-Fail VLAN function has higher priority than the block MAC action, but it has lower priority than the shutdown port action of the port intrusion protection feature. For more information about port intrusion protection, see Configuring port security. MAC authentication
60. Figure 25 Stacking devices (diagram: stack port; master device; slave devices). To set up a stack for a group of connected devices, you must log in to one device to create the stack. This device is the master device for the stack. You configure and monitor all member devices on the master device. The ports that connect the stack member devices are called stack ports. Configuration task list: Perform the tasks in Table 5 to configure a stack. Table 5 Stack configuration task list. Configuring the master device of a stack: Configuring global parameters of a stack: Required. Configure a private IP address pool for a stack and establish the stack; meanwhile, the device becomes the master device of the stack. By default, no IP address pool is configured for a stack and no stack is established. Configuring stack ports: Required. Configure the ports of the master device that connect to member devices as stack ports. By default, a port is not a stack port. Configuring member devices of a stack: Configuring stack ports: Required. Configure a port of a member device that connects to the master device or another member device as a stack port. By default, a port is not a stack port. Displaying topology summary of a stack; Displaying device summary of a stack; Logging in to a member device from the master: Optional
61. (network diagram residue) Telnet user; Switch; 192.168.1.12/24; Internet. Configuration procedure: 1. Enable the Telnet server function and configure the switch to use AAA for Telnet users. (Details not shown.) 2. Configure IP addresses for the interfaces. (Details not shown.) 3. Configure a local user: a. Select Device > Users from the navigation tree. b. Click the Create tab. c. Enter the username telnet. d. Select the access level Management. e. Enter the password abcd and confirm the password. f. Select the password encryption method Irreversible. g. Select the service type Telnet Service. h. Click Apply. Figure 340 Configuring a local user (tabs: Summary, Super Password, Modify, Remove, Switch To Management, Create; Create User: Username telnet (1-55 chars); Access Level Management; Password (1-63 chars); Confirm Password; Password Encryption: Reversible/Irreversible; Service Type: Web, FTP, Telnet; Summary: Username admin, Access Level Management, Service Type Web; note: Username cannot contain Chinese characters or any of the following characters: [partly unreadable] < > &). Configure ISP domain test: a. Select Authentication > AAA from the navigation tree. The domain configuration page appears. b. Enter the domain name test. c. Click Apply. Figure 341 Configuring ISP domain test (tabs: Authentication, Authorization, Accounting; ISP Domain: Domain Name test (1-24 chars); Default Domain; Apply).
62. ID: ID of the VLAN to which the entry belongs. Source Address: Multicast source address. If no multicast sources are specified, this field displays 0.0.0.0. Group Address: Multicast group address. Router Port(s): All router ports. Member Port(s): All member ports. IGMP snooping configuration example. Network requirements: As shown in Figure 234, IGMPv2 runs on Router A and IGMPv2 snooping runs on Switch A. Router A acts as the IGMP querier. Perform the configuration so that Host A can receive the multicast data addressed to the multicast group 224.1.1.1. Figure 234 Network diagram (1.1.1.1/24; Router A; Source; IGMP querier). Configuration procedure. Configuring Router A: Enable IP multicast routing globally, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1. (Details not shown.) Configuring Switch A: 1. Create VLAN 100: a. From the navigation tree, select Network > VLAN. b. Click the Create tab. c. Enter 100 as the VLAN ID. d. Click Apply. Figure 235 Creating VLAN 100 (tabs: Select VLAN, Port Detail, Detail, Modify VLAN, Modify Port, Remove, Create; VLAN IDs, example: 3, 5-10; Create; ID 1, Description VLAN 0001; Modify VLAN description (note: you can do this later on the Modify VLAN page); Modify the description of the selected VLAN: ID, Description, Chars). Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: a. Click the Modify Port tab. b. Select GigabitEtherne
63. LACP, click Setup. 3. In the Set LACP enabled port(s) parameters area, set the port priority and select the ports in the chassis front panel. 4. Click Apply in the area. Figure 190 Setting the LACP priority (tabs: Summary, Setup; Set LACP enabled port(s) parameters: Port Priority 0-65535, default 32768; Select port(s) to apply Port Priority: Select All, Select None; note: click a port to toggle its state between enabled and disabled; Selected, LACP Enabled, LACP Disabled; Apply, Cancel; Set global LACP parameters: System Priority 0-65535, default 32768; Apply, Cancel). Table 66 Configuration items. Port Priority: Set a port LACP priority. Select port(s) to apply Port Priority: Choose, on the chassis front panel, the ports to which the port LACP priority you set will apply. You can set LACP priority on both LACP-enabled ports and LACP-disabled ports. 5. In the Set global LACP parameters area, set the system priority. 6. Click Apply in the area. Displaying LACP-enabled port information: 1. From the navigation tree, select Network > LACP. The default Summary tab appears. The upper part of the page displays a list of all LACP-enabled ports on the device and information about them. Table 67 describes the fields. 2. Select a port on the port list. 3. Click View Details. Detailed information about the peer port appears on the lower part of the page. Table 68 describes the fields. Figure 191 Displaying
64. Layer 2 device so that the device can generate and maintain IPv6 multicast forwarding entries at the data link layer, providing MLD querier functions. Query interval: Configure the MLD general query interval. General Query Source Address: Specify the source IPv6 address of MLD general queries. Special Query Source Address: Specify the source IPv6 address of MLD multicast-address-specific queries. Configuring MLD snooping port functions: 1. Select Network > MLD snooping from the navigation tree. 2. Click the Advanced tab. Figure 245 Configuring MLD snooping port functions (tabs: Basic, Advanced; Port Configuration: Port (Please select a port); VLAN ID 1-4094, example: 3, 5-10, up to 10 VLAN ranges can be specified; Multicast Group Limit 1-510, default 510; Fast Leave Enable/Disable; items marked with an asterisk are required; Apply; search by VLAN ID, Advanced Search; columns: VLAN ID, Multicast Group Limit, Fast Leave, Operation; Refresh). 3. Configure the parameters as described in Table 87. 4. Click Apply. Table 87 Configuration items. Port: Select the port on which advanced MLD snooping features will be configured. The port can be a GigabitEthernet port or a Layer 2 aggregate interface. After a port is selected, advanced features configured on this port are displayed at the lower part of this page. TIP: Advanced MLD snooping features configured on a Layer 2 aggregate interface do not interfere with configu
65. MAC address table is fully populated. Manually configuring MAC address entries: With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate frames. For example, when a hacker sends frames with a forged source MAC address to a port different from the one with which the real MAC address is associated, the device creates an entry for the forged MAC address and forwards frames destined for the legitimate user to the hacker instead. To improve port security, you can manually add MAC address entries to the MAC address table of the device to bind specific user devices to the port. Types of MAC address entries: A MAC address table can contain the following types of entries:
• Static entries: Manually added and never age out.
• Dynamic entries: Manually added or dynamically learned, and might age out.
• Blackhole entries: Manually configured and never age out. They are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all frames destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.
A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa. Displaying and configuring MAC address entries: 1. Select Network > MAC from the navigation tree. The MAC tab automatically appears, which shows all the MAC address entries on the
66. MLD snooping multicast forwarding entries: 1. Select Network > MLD snooping from the navigation tree. 2. Click Show Entries to display information about MLD snooping multicast forwarding entries. Table 88 Displaying entry information (Show Entries; search by VLAN ID, Advanced Search; columns: VLAN ID, Source, Group, Operation; row: 100, FF1E::101). 3. To view detailed information about an entry, click the icon for the entry. Figure 246 Detailed information about an MLD snooping multicast entry (Advanced; Entry Details: VLAN ID 100; Source Address; Group Address FF1E::101; Router Port(s) GigabitEthernet1/0/1; Member Port(s) GigabitEthernet1/0/3; Back). Table 89 Field description. VLAN ID: ID of the VLAN to which the entry belongs. Source Address: Multicast source address. If no IPv6 multicast sources are specified, this field displays [value unreadable]. Group Address: Multicast group address. Router Port(s): All router ports. Member Port(s): All member ports. MLD snooping configuration example. Network requirements: As shown in Figure 247, MLDv1 runs on Router A and MLDv1 snooping runs on Switch A. Router A acts as the MLD querier. Perform the configuration so that Host A can receive the IPv6 multicast packets destined for the IPv6 multicast group FF1E::101. Figure 247 Network diagram (VLAN 100; GE1/0/2; GE1/0/1 1::2/64; 2001::1/64; GE1/0/1; GE1/0/3; Router A; Switch A; Host
67. (VLAN ID field residue) example: 3, 5-10; up to 10 VLAN ranges can be specified; Multicast Group Limit [range unreadable]; Fast Leave Enable/Disable; items marked with an asterisk are required; Apply; search by VLAN ID, Advanced Search; columns: VLAN ID, Multicast Group Limit, Fast Leave, Operation. 3. Configure the parameters as described in Table 84. 4. Click Apply. Table 84 Configuration items. Port: Select the port on which advanced IGMP snooping features will be configured. The port can be a GigabitEthernet port or a Layer 2 aggregate interface. After a port is selected, advanced features configured on this port are displayed at the lower part of this page. TIP: The advanced IGMP snooping configurations on a Layer 2 aggregate interface do not interfere with configurations on its member ports, nor do they participate in aggregation calculations. The configuration on a member port of the aggregate group does not take effect until the port leaves the aggregate group. VLAN ID: Specify the ID of the VLAN in which the port functions are to be configured. The configurations made in a VLAN take effect only on the ports in this VLAN. Multicast Group Limit: Configure the maximum number of multicast groups on a port. With this feature, you can limit multicast traffic on the port. IMPORTANT: If the number of multicast groups on a port exceeds the limit that you are setting, the system removes all the for
68. OUI: Add: [...] identified by voice VLAN (Configure). Remove: Remove the address of an OUI that can be identified by voice VLAN. MAC: MAC: Display MAC address information (Monitor); Create and remove MAC addresses (Configure). Setup: Display and configure MAC address aging time (Configure). MSTP: Region: Display information about MST regions (Monitor); Modify MST regions (Configure). Global: Set global MSTP parameters (Configure). Port Summary: Display the MSTP information about ports (Monitor). Port Setup: Set MSTP parameters on ports (Configure). Link Aggregation: Summary: Display information about link aggregation groups (Monitor). Create: Create link aggregation groups (Configure). Modify: Modify link aggregation groups (Configure). Remove: Remove link aggregation groups (Configure). Function menu / Description / User level: LACP: Summary: Display information about LACP-enabled ports and their partner ports (Monitor). Setup: Set LACP priorities (Configure). LLDP: Port Setup: Display the LLDP configuration information, local information, neighbor information, statistics information, and status information about a port (Monitor); Modify LLDP configuration on a port (Configure). Global Setup: Display global LLDP configuration information (Monitor); Configure global LLDP parameters (Configure). Global Summary: Display global LLDP local information and statistics (Monitor). Neighbor Summary: Display global LLDP neighbor information (Monitor). ARP Management: ARP Table: Display ARP table information (Monitor) [remainder unreadable]
69. Option 82 [unreadable]: an interface is untrusted, and DHCP snooping does not support the functions on an interface. IMPORTANT: You need to specify the ports connected to the authorized DHCP servers as trusted to make sure DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. Displaying clients' IP-to-MAC bindings: Optional. Display clients' IP-to-MAC bindings recorded by DHCP snooping. Enabling DHCP snooping: 1. From the navigation tree, select Network > DHCP. 2. Click the DHCP Snooping tab to enter the page shown in Figure 285. 3. Select the Enable option next to DHCP Snooping to enable DHCP snooping. Figure 285 DHCP snooping configuration page (tabs: DHCP Relay, DHCP Snooping; DHCP Snooping: Enable/Disable; Interface Config: search by Interface Name, Advanced Search; columns: Interface Name, Interface State, Operation; GigabitEthernet1/0/1 through GigabitEthernet1/0/15, all Untrust; 28 records, 15 per page, page 1/2, records 1-15; Firs
70. SNMP session to access the agent or receive traps and notifications from the agent. SNMPv2c: Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but supports more operation modes, data types, and error codes. SNMPv3: Uses a user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality. Recommended configuration procedure: SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are described in separate sections. Table 31 SNMPv1 or SNMPv2c configuration task list. Enabling SNMP agent: Required. The SNMP agent function is disabled by default. IMPORTANT: If SNMP agent is disabled, all SNMP agent related configurations are removed. Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP community to limit the MIB objects that can be accessed by the SNMP community. Configuring an SNMP community: Required. Configuring SNMP trap function: Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and to configure information about the target host (usually the NMS) of the SNMP traps. The SNMP agent sends traps to inform the NMS of important events, such as a reboot. By default, an agent is allowed to send SNMP traps to the NMS. Displaying SNMP p
71. STP-compatible mode when detecting that it is connected with a device running STP. • MSTP: Each port on a device sends out MSTP BPDUs and automatically migrates to STP-compatible mode when detecting that it is connected with a device running STP. Max Hops: Sets the maximum number of hops in an MST region to restrict the region size. The setting can take effect only when it is configured on the regional root bridge. Path Cost Standard: Specifies the standard for path cost calculation. It can be Legacy, IEEE 802.1D-1998, or IEEE 802.1T. Bridge Diameter: Any two stations in a switched network are interconnected through a specific path composed of a series of devices. The bridge diameter (or the network diameter) is the number of devices on the path composed of the most devices. After you set the network diameter, you cannot set the timers. Instead, the device automatically calculates the forward delay, hello time, and max age. When you configure the bridge diameter, follow these guidelines: • The configured network diameter is effective on the CIST only, not on MSTIs. • The bridge diameter cannot be configured together with the timers. Configure the timers: • Forward Delay: Set the delay for the root and designated ports to transit to the forwarding state. • Hello Time: Set the interval at which the device sends hello packets to the surrounding devices to make sure the paths are fault-free. • Max Age: Set the maximum length of time
72. TC Protection Threshold 1-255, default 6; Apply. Configuring Switch B: 1. Configure an MST region on the switch in the same way the MST region is configured on Switch A. 2. Configure MSTP globally: a. From the navigation tree, select Network > MSTP. b. Click the Global tab. c. Select Enable from the Enable STP Globally list. d. Select MSTP from the Mode list. e. Select the box before Instance. f. Set the Instance ID field to 2. g. Set the Root Type field to Primary. h. Click Apply. Configuring Switch C: 1. Configure an MST region on the switch in the same way the MST region is configured on Switch A. 2. Configure MSTP globally: a. From the navigation tree, select Network > MSTP. b. Click Global. c. Select Enable from the Enable STP Globally list. d. Select MSTP from the Mode list. e. Select the box before Instance. f. Set the Instance ID field to 3. g. Set the Root Type field to Primary. h. Click Apply. Configuring Switch D: 1. Configure an MST region on the switch in the same way the MST region is configured on Switch A. 2. Configure MSTP globally: a. From the navigation tree, select Network > MSTP. b. Click Global. c. Select Enable from the Enable STP Globally list. d. Select MSTP from the Mode list. e. Click Apply. Figure 187 Configuring MSTP globally on Switch D (tabs: Region, Global, Port Summary, Port Setup; Global MSTP Configuration: Path Cost Standard; Bridg
73. Web: Associate the HTTP service with an IPv4 ACL. To configure the IPv4 ACL to be selected, select QoS > ACL IPv4.

Authorized IP configuration example
Network requirements
In Figure 440, configure Switch to deny Telnet and HTTP requests from Host A and permit Telnet and HTTP requests from Host B.
Figure 440 Network diagram (Host A 10.1.1.2/24 and Host B 10.1.1.3/24 connected to Switch at 10.1.1.1/24)
Configuration procedure
1. Create an ACL:
a. From the navigation tree, select QoS > ACL IPv4.
b. Click Create.
c. Enter 2001 for ACL Number.
d. Click Apply.
Figure 441 Creating an ACL (Create tab: ACL Number 2001; 2000-2999 for basic ACLs, 3000-3999 for advanced ACLs, 4000-4999 for Ethernet frame header ACLs; Match Order; Description, 0-127 characters; list columns ACL Number, Type, Number of Rules, Match Order, Description)
2. Configure an ACL rule to permit Host B:
a. Click Basic Setup. The page for configuring an ACL rule appears.
b. Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box, enter 10.1.1.3, and then enter 0.0.0.0 in the Source Wildcard field.
c. Click Add.
Figure 442 Configuring an ACL rule to permit Host B (Basic Setup tab: ACL 2001; Rule ID 0-65534; if no ID is entered, the system will specify one
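The matching logic behind the example above, as an added illustration that is not part of the HP manual: a basic ACL rule carries a source address and a wildcard (inverse) mask, a zero bit in the wildcard must match and a one bit is ignored, and the authorized-IP feature admits a management request only when the source hits a permit rule. Treating a source that matches no rule as denied, and ordering "auto" mode from the most specific rule outward, are assumptions of this example, as are the rule and service names.

```python
"""Added example (not from the HP manual): evaluate a basic IPv4 ACL the way the
authorized-IP feature uses it for Telnet/HTTP. Wildcard masks are inverse masks:
0 bit = must match, 1 bit = don't care. A source matching no rule is treated as
denied (assumption; it is the behaviour the manual's example relies on)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # e.g. "10.1.1.3"
    wildcard: str    # inverse mask: "0.0.0.0" = exact host, "0.0.0.255" = a /24

    def matches(self, src_ip: str) -> bool:
        src = int(ipaddress.IPv4Address(src_ip))
        base = int(ipaddress.IPv4Address(self.source))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        # Bits set in the wildcard are ignored; every other bit must be equal.
        return ((src & ~wc) & 0xFFFFFFFF) == ((base & ~wc) & 0xFFFFFFFF)


def evaluate(rules, src_ip: str, match_order: str = "config") -> str:
    """Return the action applied to src_ip. "config" evaluates rules in the order
    configured; "auto" evaluates the most specific rule (fewest wildcard bits)
    first (assumed meaning of depth-first ordering for a basic ACL)."""
    ordered = list(rules)
    if match_order == "auto":
        ordered.sort(key=lambda r: bin(int(ipaddress.IPv4Address(r.wildcard))).count("1"))
    for rule in ordered:
        if rule.matches(src_ip):
            return rule.action
    return "deny"  # assumption: unmatched sources are rejected by the service


# ACL 2001 from the example: a single permit rule for Host B.
ACL_2001 = [Rule(0, "permit", "10.1.1.3", "0.0.0.0")]

# Hypothetical association table: service name -> ACL (None = no ACL associated).
SERVICE_ACLS = {"http": ACL_2001, "telnet": ACL_2001}


def authorized(service_acls, service: str, src_ip: str) -> bool:
    """A service with no ACL associated accepts every source (assumption)."""
    acl = service_acls.get(service)
    if acl is None:
        return True
    return evaluate(acl, src_ip) == "permit"


if __name__ == "__main__":
    for host in ("10.1.1.2", "10.1.1.3"):
        print(host, "http:", authorized(SERVICE_ACLS, "http", host))
```

Host A (10.1.1.2) falls through the single permit rule and is denied; Host B (10.1.1.3) is permitted. The same evaluation applies to the Telnet association because both services point at ACL 2001.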
74. Result: Select External or Internal for the loopback test type. Select an Ethernet interface from the chassis front panel. Click Test. After the test is complete, the system displays the loopback test result.
Figure 76 Loopback test result (Testing type: External or Internal; Result: GigabitEthernet1/0/2 Loop internal succeeded)

Configuring VCT
Overview
You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether a short circuit or open circuit occurs on the cable and the length of the faulty cable. Fiber ports do not support this feature.
Testing cable status
1. Select Device > VCT from the navigation tree to enter the page for testing cable status.
2. Select the port you want to test on the chassis front panel.
3. Click Test. The test result is returned within 5 seconds and displayed in the Result field.
Figure 77 Testing the status of the cable connected to an Ethernet port (Result for GigabitEthernet1/0/2: Cable status abnormal (open), 1 metre(s); Pair Impedance mismatch: no; Pair skew (ns); Pair swap; Pair polarity; Insertion loss (dB); Return loss (dB); Near-end crosstalk (dB))
NOTE: The error of the detected length is 5 meters.
The result displays the cable status and length. The cable status can be normal a
75. ...a terminal device to advertise its serial number.
Manufacturer Name: Allows a terminal device to advertise its vendor name.
Model Name: Allows a terminal device to advertise its model name.
Asset ID: Allows a terminal device to advertise its asset ID. The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking.
Location Identification: Allows a network device to advertise the appropriate location identifier information for a terminal device to use in the context of location-based applications.
For more information about LLDPDU TLVs, see the IEEE standard LLDP 802.1AB-2005 and the LLDP-MED standard ANSI/TIA-1057.

Management address
The network management system uses the management address of a device to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV.

LLDP operating modes
LLDP can operate in one of the following modes:
• TxRx mode: A port in this mode can send and receive LLDP frames.
• Tx mode: A port in this mode can only send LLDP frames.
• Rx mode: A port in this mode can only receive LLDP frames.
• Disable mode: A port in this mode cannot send or receive LLDP frames.
Each time the LLDP operating mode of a port changes, its LLDP protocol state machine reinitializes. A configurable reinitialization delay prevents frequent initializations caused by frequent changes
76. ...a vendor by the IEEE. In this document, however, OUI addresses are used by the system to determine whether received packets are voice packets, and they are the results of the AND operation of a MAC address and a mask. For more information, see Adding OUI addresses to the OUI list. You can remove default OUI addresses and, if needed, add them to the OUI list after their removal.

Voice VLAN assignment modes
A port connected to a voice device (an IP phone, for example) can be assigned to a voice VLAN in one of the following modes:
• Automatic mode: The system matches the source MAC addresses in the protocol packets (tagged packets) sent by the IP phone upon its power-on against the OUI list. If a match is found, the system automatically assigns the receiving port to a voice VLAN, issues ACL rules, and configures the packet precedence. You can configure an aging timer for the voice VLAN. The system will remove the port from the voice VLAN when the aging timer expires if no voice packet is received on the port during the aging time. The system automatically assigns ports to or removes ports from a voice VLAN. Automatic mode is suitable for scenarios where PCs and IP phones connected in series access the network through the device and ports on the device simultaneously transmit both voice traffic and data traffic, as shown in Figure 148. When the voice VLAN works normally, if the system reboots, the system reassigns ports in automatic voice VLAN
77. ...address of the device (Chassis ID).

Field: Description
Port ID type: Port ID type: Interface alias; Port component; MAC address; Network address; Interface name; Agent circuit ID; Locally assigned (a locally defined port ID type other than those listed above).
Port ID: Port ID value.
System capabilities supported: Capabilities supported on the system: Repeater, Bridge, Router.
System capabilities enabled: Capabilities enabled on the system: Repeater, Bridge, Router.
Auto-negotiation supported: Indicates whether autonegotiation is supported on the port.
Auto-negotiation enabled: Indicates whether autonegotiation is enabled on the port.
OperMau: Speed and duplex state on the port.
Link aggregation supported: Indicates whether link aggregation is supported.
Link aggregation enabled: Indicates whether link aggregation is enabled.
Aggregation port ID: Link aggregation group ID. It is 0 if the neighbor port is not assigned to any link aggregation group.
Maximum frame size: Maximum frame size supported on the neighbor port.
Device class: MED device class:
• Connectivity device: An intermediate device that provides network connectivity.
• Class I: A generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category.
• Class II: A media endpoint device. The Class II endpoint devices support the media stream capabilities and the capabilities of generic endpoint devices.
78. ...and the capabilities of generic endpoint devices.
• Class III: A communication endpoint device. The Class III endpoint devices directly support end users of the IP communication system. Providing all capabilities of generic and media endpoint devices, Class III endpoint devices are used directly by end users.

Displaying LLDP information received from LLDP neighbors
1. From the navigation tree, select Network > LLDP.
2. Click the Neighbor Summary tab to display the global LLDP neighbor information, as shown in Figure 207.
Figure 207 The Neighbor Summary tab (tabs: Port Setup, Global Setup, Global Summary, Neighbor Summary; columns: Update Time, Local Port, Chassis ID, Chassis ID Type, Port ID, Port ID Type, System Name; sample row: local port GigabitEthernet1/0/4, chassis ID 0020-1316-5c00 of type MAC address, port ID Ethernet1/0/1 of type Interface name; Refresh button)

LLDP configuration example
Network requirements
As shown in Figure 208, configure LLDP on Switch A and Switch B so that the NMS can determine the status of the link between Switch A and the MED device and the link between Switch A and Switch B.
Figure 208 Network diagram (Switch A, Switch B)
Configuring Switch A
1. (Optional) Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. By default, LLDP is enabled on Ethernet ports.
2. Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2:
a. From the navigation tree, select Ne
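How the fields in the neighbor table above are recovered from a received LLDPDU, as an added example that is not code from the HP manual: the TLV header layout (7-bit type, 9-bit length), the Chassis ID and Port ID subtypes, and the Management Address TLV layout are taken from IEEE 802.1AB; the sample frame is constructed here and mirrors the Figure 207 row (chassis ID 0020-1316-5c00 as a MAC address, port ID Ethernet1/0/1 as an interface name). The operating-mode check models the Rx/TxRx rule from the LLDP operating modes section; the function names and the system name "SwitchB" are this example's own.

```python
"""Added example (not from the HP manual): decode the LLDPDU TLVs that populate
the LLDP neighbor summary. Header and subtype values follow IEEE 802.1AB."""
import struct

CHASSIS_SUBTYPES = {4: "MAC address", 5: "Network address", 6: "Interface name", 7: "Locally assigned"}
PORT_SUBTYPES = {1: "Interface alias", 2: "Port component", 3: "MAC address",
                 4: "Network address", 5: "Interface name", 6: "Agent circuit ID",
                 7: "Locally assigned"}
RX_MODES = {"TxRx", "Rx"}   # operating modes in which a port accepts LLDP frames


def fmt_mac(b: bytes) -> str:
    """hhhh-hhhh-hhhh notation, as shown in the neighbor summary."""
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) pairs; a frame must end with the End-of-LLDPDU TLV."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr, = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError("truncated TLV")      # malformed: refuse rather than guess
        yield tlv_type, lldpdu[off:off + length]
        off += length
        if tlv_type == 0:
            return
    raise ValueError("missing End-of-LLDPDU TLV")


def is_wellformed(lldpdu: bytes) -> bool:
    try:
        for _ in iter_tlvs(lldpdu):
            pass
        return True
    except ValueError:
        return False


def parse_neighbor(lldpdu: bytes, port_mode: str = "TxRx"):
    """Return the neighbor-summary fields, or None if the port's mode does not receive."""
    if port_mode not in RX_MODES:
        return None
    info = {}
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type == 1:                       # Chassis ID: subtype + value
            sub, body = value[0], value[1:]
            info["chassis_id_type"] = CHASSIS_SUBTYPES.get(sub, "other")
            info["chassis_id"] = fmt_mac(body) if sub == 4 else body.decode("ascii", "replace")
        elif tlv_type == 2:                     # Port ID: subtype + value
            sub, body = value[0], value[1:]
            info["port_id_type"] = PORT_SUBTYPES.get(sub, "other")
            info["port_id"] = fmt_mac(body) if sub == 3 else body.decode("ascii", "replace")
        elif tlv_type == 3:                     # Time To Live
            info["ttl"], = struct.unpack("!H", value)
        elif tlv_type == 5:                     # System Name
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == 8:                     # Management Address
            addr_len, family = value[0], value[1]
            if family == 1 and addr_len == 5:   # IANA family 1 = IPv4 (1 + 4 bytes)
                info["management_address"] = ".".join(str(x) for x in value[2:6])
    return info


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU (not a captured frame).
SAMPLE = (tlv(1, b"\x04" + bytes.fromhex("002013165c00"))        # Chassis ID, MAC address
          + tlv(2, b"\x05" + b"Ethernet1/0/1")                     # Port ID, interface name
          + tlv(3, struct.pack("!H", 120))                         # TTL 120 s
          + tlv(5, b"SwitchB")                                     # System Name
          + tlv(8, b"\x05\x01" + bytes([10, 1, 1, 2])              # Mgmt addr 10.1.1.2
                + b"\x02" + b"\x00\x00\x00\x01" + b"\x00")         # ifIndex 1, no OID
          + tlv(0, b""))                                           # End of LLDPDU

if __name__ == "__main__":
    print(parse_neighbor(SAMPLE))
```

A port in Tx or Disable mode returns nothing for the same frame, which is why the neighbor table stays empty on a port that only advertises.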
79. ...area: Allows you to configure and display features.
Title area: On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the Web-related help information, and the Logout button to log out of the Web interface.

Web user level
Web user levels, from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.
• Visitor: Users of this level can only use the network diagnostic tools ping and traceroute. They can neither access the device data nor configure the device.
• Monitor: Users of this level can only access the device data but cannot configure the device.
• Configure: Users of this level can access device data and configure the device, but they cannot upgrade the host software, add, delete, or modify users, or back up or restore configuration files.
• Management: Users of this level can perform any operations on the device.

Web-based NM functions
User level in Table 1 indicates that users of this level or users of a higher level can perform the corresponding operations.
Table 1 Web-based NM function description
Function menu: Description: User level
Wizard > IP Setup: Perform quick configuration of the device. User level: Management.
Display global settings and port settings of a stack. User level: Configure.
Setup: Configure global par
80. (DHCP Detect) ...assigned an IP address to the DHCP client, and the receiving interface. The administrator can use this information to check for unauthorized DHCP servers. The device records each DHCP server once. The administrator needs to find unauthorized DHCP servers from the log information. After the information of recorded DHCP servers is cleared, the relay agent re-records server information following this mechanism.

Dynamic Bindings Refresh: Enable or disable periodic refresh of dynamic client entries, and set the refresh interval. A DHCP client sends a DHCP-RELEASE unicast message to the DHCP server through the DHCP relay agent to relinquish its IP address. In this case, the DHCP relay agent simply conveys the message to the DHCP server; it does not remove the IP address from its dynamic client entries. To solve this problem, the periodic refresh of dynamic client entries feature is introduced. With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP server:
• If the server returns a DHCP-ACK message or does not return any message within a specific interval, which means that the IP address is assignable now, the relay agent ages out the client entry.
• If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age it out.

Track Timer Interval: If the Au
81. ...assignment mode to the voice VLAN after the reboot, ensuring that existing voice connections can work normally. In this case, voice traffic streams do not trigger port assignment to the voice VLAN.
Figure 148 PCs and IP phones connected in series access the network (Host, IP Phone, Device, Voice gateway)
• Manual mode: You must assign the port to a voice VLAN manually. Then the system matches the source MAC addresses in the packets against the OUI addresses. If a match is found, the system issues ACL rules and configures the packet precedence. In this mode, you must manually assign ports to or remove ports from a voice VLAN. Manual mode is suitable for scenarios where only IP phones access the network through the device and ports on the device transmit only voice traffic, as shown in Figure 149. In this mode, ports assigned to a voice VLAN transmit voice traffic exclusively, which prevents the impact of data traffic on the transmission of voice traffic.
Figure 149 Only IP phones access the network (IP Phone, IP Phone, Voice gateway)
Both modes forward tagged packets according to their tags. Table 46 and Table 47 list the configurations required for ports of different link types to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment modes are configured.

IP phones send tagged voice traffic
Table 46 Required configurations on ports of different link types for them t
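The OUI matching and the automatic assignment mode described in the two voice VLAN passages above, as an added example that is not part of the HP manual: an OUI entry is a MAC address ANDed with a mask, a source MAC is a voice source when it agrees with the entry under that mask, and in automatic mode a match puts the port into the voice VLAN while an aging timer with no voice traffic takes it out again. The OUI entries, port name, voice VLAN ID and the timer values are constructed for this example; the device's default OUI list is not reproduced.

```python
"""Added example (not from the HP manual): OUI-list matching with masks and the
automatic voice VLAN assignment mode with its aging timer. All entries and
timer values below are constructed for the example."""


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


class OuiList:
    """Entries are (oui, mask); a MAC matches when (mac AND mask) == (oui AND mask)."""

    def __init__(self):
        self.entries = {}

    def add(self, mac: str, mask: str = "ffff-ff00-0000", desc: str = ""):
        m = mac_to_int(mask)
        self.entries[(mac_to_int(mac) & m, m)] = desc     # stored already masked

    def remove(self, mac: str, mask: str = "ffff-ff00-0000"):
        m = mac_to_int(mask)
        self.entries.pop((mac_to_int(mac) & m, m), None)

    def is_voice(self, src_mac: str) -> bool:
        v = mac_to_int(src_mac)
        return any((v & mask) == oui for oui, mask in self.entries)


class AutoVoiceVlanPort:
    """Automatic mode: a matching source MAC assigns the port to the voice VLAN;
    the port leaves it when no voice packet arrives for aging_time seconds.
    The 1440-minute default aging time used here is an assumption."""

    def __init__(self, name, ouis, voice_vlan=2, aging_time=1440 * 60):
        self.name, self.ouis, self.voice_vlan = name, ouis, voice_vlan
        self.aging_time = aging_time
        self.in_voice_vlan = False
        self.last_voice_seen = None

    def receive(self, src_mac: str, now: float) -> bool:
        """Process one inbound frame; return whether the port is in the voice VLAN."""
        if self.ouis.is_voice(src_mac):
            self.in_voice_vlan = True
            self.last_voice_seen = now
        return self.in_voice_vlan

    def tick(self, now: float) -> bool:
        """Aging timer check; return True if the port was removed from the voice VLAN."""
        if self.in_voice_vlan and now - self.last_voice_seen >= self.aging_time:
            self.in_voice_vlan = False
            return True
        return False


def run_demo():
    ouis = OuiList()
    ouis.add("0001-e300-0000", desc="constructed phone vendor A")
    ouis.add("00e0-bb00-0000", desc="constructed phone vendor B")
    port = AutoVoiceVlanPort("GigabitEthernet1/0/1", ouis, voice_vlan=2, aging_time=600)
    log = [
        ("pc", port.receive("0010-dc28-a4e9", now=0)),        # PC MAC: no assignment
        ("phone", port.receive("0001-e3aa-bbcc", now=10)),    # phone MAC: assigned
        ("aged_early", port.tick(now=300)),                   # timer not yet expired
        ("refresh", port.receive("0001-e3aa-bbcc", now=400)), # voice traffic restarts timer
        ("aged", port.tick(now=1000)),                        # 600 s without voice: removed
    ]
    return log, port.in_voice_vlan


if __name__ == "__main__":
    print(run_demo())
```

The PC frame at the start never assigns the port, and after the phone stops talking for the aging time the port drops out of the voice VLAN, which is the behaviour that makes automatic mode safe on ports shared by a PC and a phone in series.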
82. ...authentication server to the device after an 802.1X user or MAC-authenticated user passes authentication.

Configuring permitted OUIs
1. From the navigation tree, select Authentication > Port Security. The Port Security page, as shown in Figure 409, appears.
2. In the Advanced Port Security Configuration area, click Permitted OUIs.
Figure 417 Permitted OUIs (Permitted OUIs for ports working in the mode of 802.1X, MAC Based Or OUI; OUI Value, entered in the format H-H-H, only the first 24 bits make sense; existing entries 0001-0000-0000 and 1234-0000-0000 with an Operation column)
3. Enter the 48-bit MAC address in the format H-H-H in the OUI Value field. Click Add. The system automatically saves the first 24 bits as an OUI value.

Port security configuration examples
Basic port security mode configuration example
Network requirements
As shown in Figure 418, configure port GigabitEthernet 1/0/3 of the switch as follows:
• Allow up to three users to access the port without authentication, and permit the port to learn the MAC addresses of the users as secure MAC addresses.
• After the number of secure MAC addresses reaches 3, the port stops learning MAC addresses. If an unknown MAC address frame arrives, intrusion protection is triggered, and the port is disabled and stays silent for 30 seconds.
Figure 418 Network diagram (Host connected to Switch on GE1/0/3 at 192.168.1.1/24; Switch connected to the Internet)
Configuring global port security settings
1. From
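The behaviour the network requirements above ask for, as an added example that is not from the HP manual: the port learns secure MAC addresses until the limit of three is reached, a frame from an unknown MAC after that triggers intrusion protection, and the port is then disabled for the 30-second silence period before it forwards again. The class and method names, timestamps and MAC addresses are constructed for this example.

```python
"""Added example (not from the HP manual): a model of basic port security with
a secure MAC limit and intrusion protection that disables the port for a
silence period. Timestamps are seconds on a simulated clock."""


class SecurePort:
    def __init__(self, name: str, max_secure_macs: int = 3, silence_time: int = 30):
        self.name = name
        self.max_secure_macs = max_secure_macs
        self.silence_time = silence_time
        self.secure_macs = []          # learned in arrival order, never more than the limit
        self.disabled_until = None     # simulated timestamp at which the port re-enables
        self.events = []

    def is_disabled(self, now: float) -> bool:
        if self.disabled_until is not None and now >= self.disabled_until:
            self.disabled_until = None                  # silence period over
            self.events.append((now, "port re-enabled"))
        return self.disabled_until is not None

    def frame(self, src_mac: str, now: float) -> bool:
        """Handle one inbound frame; return True if it is forwarded."""
        if self.is_disabled(now):
            return False                                # nothing passes while disabled
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_secure_macs:
            self.secure_macs.append(src_mac)            # learned as a secure MAC
            self.events.append((now, f"learned {src_mac}"))
            return True
        # Limit reached and MAC unknown: intrusion protection disables the port.
        self.disabled_until = now + self.silence_time
        self.events.append((now, f"intrusion from {src_mac}, port disabled"))
        return False


def run_demo():
    port = SecurePort("GigabitEthernet1/0/3", max_secure_macs=3, silence_time=30)
    results = [
        port.frame("0010-dc28-a4e9", now=0),    # learned (1 of 3)
        port.frame("0010-dc28-a4ea", now=1),    # learned (2 of 3)
        port.frame("0010-dc28-a4eb", now=2),    # learned (3 of 3), learning stops
        port.frame("0010-dc28-a4e9", now=3),    # known secure MAC, forwarded
        port.frame("6431-5045-d29e", now=4),    # unknown MAC: intrusion, port disabled
        port.frame("0010-dc28-a4e9", now=10),   # even a secure MAC is blocked while disabled
        port.frame("0010-dc28-a4e9", now=34),   # 30 s later the port is back up
    ]
    return results, list(port.secure_macs), port.events


if __name__ == "__main__":
    res, macs, events = run_demo()
    print(res, macs)
    for when, what in events:
        print(f"t={when:>3}s  {what}")
```

Note that the intruding MAC is never added to the secure list, so the next unknown frame after the silence period disables the port again rather than being learned.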
83. ...before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.
Guest VLAN: Specifies an existing VLAN as the guest VLAN. For more information, see Configuring an 802.1X guest VLAN.
Enable MAC VLAN: Specifies whether to enable MAC-based VLAN. Required when MAC Based is selected for Port Control. NOTE: Only hybrid ports support the feature.
Auth-Fail VLAN: Specifies an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication. For more information, see Configuring an Auth-Fail VLAN.

Configuring an 802.1X guest VLAN
Configuration prerequisites
Create the VLAN to be specified as the 802.1X guest VLAN. If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member.
Configuration guidelines
The 802.1X guest VLANs on different ports can be different. Assign different IDs to the port VLAN and the 802.1X guest VLAN on a port so the port can correctly process incoming VLAN-tagged traffic. With 802.1X authentication, a hybrid port is always assigned to a VLAN
84. ...bursty traffic is allowed.

Priority mapping
Concepts
When a packet enters a network, it is marked with a certain priority to indicate its scheduling weight or forwarding priority. Then the intermediate nodes in the network process the packet according to the priority. When a packet enters a device, the device assigns to the packet a set of predefined parameters, including the 802.1p priority, DSCP values, and local precedence.
• For more information about 802.1p priority and DSCP values, see Packet precedences.
• Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to an output queue. Packets with the highest local precedence are processed preferentially.
The device provides the following priority trust modes on a port:
• Trust packet priority: The device assigns to the packet the priority parameters corresponding to the packet's priority from the mapping table.
• Trust port priority: The device assigns a priority to a packet by mapping the priority of the receiving port.
You can select one priority trust mode as needed. Figure 462 shows the process of priority mapping on a device.
Figure 462 Priority mapping process (from the receiving interface, either assign to a packet the priority parameters corresponding to the packet priority from the mapping table, or assign local precedence to packets by mapping the priority of the receiving port)
85. c. Select Untagged for Select membership type.
d. Enter 100 in the VLAN IDs field.
e. Click Apply. A configuration process dialog box appears.
f. After the configuration process is complete, click Close.
Figure 223 Adding GigabitEthernet 1/0/1 to VLAN 100 (Modify Port tab: Select Ports on the chassis front panel, Select All, Select None, ports not available for selection greyed out; Select membership type: Untagged, Tagged, Not A Member, Link Type, PVID; Enter VLAN IDs to which the port is to be assigned, example 1,3,5-10; Selected ports, Untagged Membership: GE1/0/4; Apply, Cancel)

Create VLAN-interface 100:
a. From the navigation tree, select Network > VLAN Interface.
b. Click the Create tab.
c. Enter 100 in the VLAN ID field.
d. Select Configure Primary IPv4 Address.
e. Select Manual.
f. Enter 192.168.1.2 in the IPv4 Address field.
g. Enter 24 or 255.255.255.0 in the Mask Length field.
h. Click Apply.
Figure 224 Creating VLAN-interface 100 (Create tab: Input a VLAN ID, 1-4094; Configure Primary IPv4 Address: DHCP, BOOTP, Manual; IPv4 Address 192.168.1.2; Mask Length 255.255.255.0; Configure IPv6 Link Local Address: Auto, Manual; Apply, Cancel)

Create a static ARP entry:
a. From the navigation tree, select Network > ARP Management. The default ARP Table page appears.
b. Click Add.
c. Enter 192.168.1.1 in the IP Addre
86. ...class and assign specific IP addresses to the DHCP clients.
Option 66: TFTP server name option. It specifies a TFTP server to be assigned to the client.
Option 67: Bootfile name option. It specifies the bootfile name to be assigned to the client.
Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
Option 150: TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client.
For more information about DHCP options, see RFC 2132 and RFC 3442.

Option 82
Some options, such as Option 82, have no unified definitions in RFC 2132.
Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server.
The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients.
Option 82 can include up to 255 sub-options and must have at least one sub-option. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).
Option 82 has no unified definiti
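The encodings behind the options listed above, as an added example that is not code from the HP manual: Option 121 uses the compact destination form from RFC 3442 (mask width, then only the significant destination octets, then the router), Option 82 is built from sub-option 1 (Circuit ID) and sub-option 2 (Remote ID) and is refused when it carries no sub-option, and a client that receives both Option 33 and Option 121 ignores Option 33. Every byte string is constructed here, not a captured packet, and the sub-option contents are arbitrary sample values.

```python
"""Added example (not from the HP manual): encode/decode DHCP Option 121
(RFC 3442 classless routes) and Option 82 (relay agent sub-options), and apply
the Option 121-over-Option 33 precedence rule. Sample bytes are constructed."""
import ipaddress


def encode_classless_routes(routes):
    """routes: list of (cidr, router) -> Option 121 value bytes."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)
        width = net.prefixlen
        sig = (width + 7) // 8                  # significant destination octets
        out.append(width)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(value: bytes):
    routes, off = [], 0
    while off < len(value):
        width = value[off]; off += 1
        if width > 32:
            raise ValueError("bad mask width")
        sig = (width + 7) // 8
        if off + sig + 4 > len(value):
            raise ValueError("truncated route")
        dest = value[off:off + sig] + b"\x00" * (4 - sig); off += sig
        router = value[off:off + 4]; off += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{width}",
                       str(ipaddress.IPv4Address(router))))
    return routes


def encode_option82(circuit_id=None, remote_id=None) -> bytes:
    subs = b""
    if circuit_id is not None:
        subs += bytes([1, len(circuit_id)]) + circuit_id   # sub-option 1: Circuit ID
    if remote_id is not None:
        subs += bytes([2, len(remote_id)]) + remote_id     # sub-option 2: Remote ID
    if not subs:
        raise ValueError("Option 82 must carry at least one sub-option")
    if len(subs) > 255:
        raise ValueError("Option 82 value exceeds 255 bytes")
    return bytes([82, len(subs)]) + subs


def decode_option82(value: bytes):
    subs, off = {}, 0
    while off + 2 <= len(value):
        sub, length = value[off], value[off + 1]; off += 2
        subs[sub] = value[off:off + length]; off += length
    return subs


def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def parse_options(buf: bytes):
    """Parse the DHCP option field (after the magic cookie) into {code: value}."""
    opts, off = {}, 0
    while off < len(buf):
        code = buf[off]; off += 1
        if code == 255:                         # End option
            break
        if code == 0:                           # Pad option has no length byte
            continue
        length = buf[off]; off += 1
        opts[code] = buf[off:off + length]; off += length
    return opts


def client_routes(opts):
    """Option 121 wins over Option 33 when both are present."""
    if 121 in opts:
        return decode_classless_routes(opts[121])
    if 33 in opts:                              # legacy pairs: destination, router
        v = opts[33]
        return [(str(ipaddress.IPv4Address(v[i:i + 4])), str(ipaddress.IPv4Address(v[i + 4:i + 8])))
                for i in range(0, len(v), 8)]
    return []


# Constructed sample: a relay-forwarded DHCP-REQUEST's option field.
ROUTES = [("10.0.0.0/8", "10.1.1.1"), ("0.0.0.0/0", "10.1.1.254")]
SAMPLE_OPTIONS = (opt(53, b"\x03")                                   # message type: Request
                  + opt(33, bytes([192, 0, 2, 10, 10, 1, 1, 9]))     # legacy route, to be ignored
                  + opt(121, encode_classless_routes(ROUTES))
                  + encode_option82(circuit_id=b"\x00\x01\x00\x64",   # sample: VLAN 1, port 100
                                    remote_id=bytes.fromhex("00e0fc000001"))
                  + b"\xff")

if __name__ == "__main__":
    o = parse_options(SAMPLE_OPTIONS)
    print(client_routes(o), decode_option82(o[82]))
```

The default route is carried in five bytes (width 0, no destination octets, router), which is the case most hand-written decoders get wrong.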
87.
configuring MSTP, 190, 199
configuring MSTP global, 192
configuring MSTP port-specific, 195
configuring NMM local port mirroring, 83
configuring NMM local port mirroring group, 80
configuring NMM local port mirroring group monitor port, 84
configuring NMM local port mirroring group ports, 81
configuring NMM local port mirroring group source ports, 84
configuring NMM RMON, 105
configuring NMM RMON alarm function, 95
configuring NMM RMON statistics function, 95
configuring PoE, 501, 501
configuring PoE interface power management, 498
configuring PoE ports, 498
configuring port isolation, 441
configuring port link type, 140
configuring port security, 423, 430
configuring port security global, 424
configuring port security advanced control, 428
configuring port security advanced mode, 433
configuring port security basic control, 425
configuring port security basic mode, 430
configuring port security permitting OUIs, 429
configuring priority mapping table, 477, 487
configuring priority trust mode, 478
configuring priority trust mode on port, 488
configuring PVID for port, 141
configuring QoS, 489
configuring QoS classifier-behavior associations, 484
configuring QoS policy, 476
configuring QoS traffic class, 479
configuring QoS traffic mirroring, 481
configuring QoS traffic redirecting, 481
configuring queue scheduling, 477
configuring queue scheduling on port, 485, 486
configuring RADIUS common parameters
88. ...considers a packet belongs to a class as long as the packet matches one of the criteria in the class.
2. Traffic behavior: A traffic behavior, identified by a name, defines a set of QoS actions for packets.
3. Policy: You can apply a QoS policy to a port. A QoS policy can be applied to only the inbound direction of one port.
Perform the tasks in Table 150 to configure a QoS policy.
Table 150 Recommended QoS policy configuration procedure
Step: Remarks
1. Adding a class: Required. Add a class and specify the logical relationship between the match criteria in the class.
2. Configuring classification rules: Required. Configure match criteria for the class.
3. Adding a traffic behavior: Required. Add a traffic behavior.
4. Configuring actions for the behavior (Configuring traffic mirroring and traffic redirecting, or Configuring other actions for a traffic behavior): Required. Use either method for a traffic behavior. Configure various actions for the traffic behavior.
5. Adding a policy: Required. Add a policy.
6. Configuring classifier-behavior associations for the policy: Required. Associate the traffic behavior with the class in the QoS policy. A class can be associated with only one traffic behavior in a QoS policy. Associating a class already associated with a traffic behavior will overwrite the old association.
7. Applying a policy to a port: Required. Apply the QoS policy to a port.
Recommended queue
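A small model of the structure described in the priority mapping section and in the QoS policy procedure above, as an added example that is not code from the HP manual: a class with AND/OR match logic, a traffic behavior with actions, a policy that binds one behavior per class and silently overwrites an earlier binding, application on the inbound direction only, and the two priority trust modes feeding the local precedence. The 802.1p-to-local-precedence table, the class and behavior names and the packet fields are constructed for this example; the switch's own default mapping table is not reproduced.

```python
"""Added example (not from the HP manual): QoS policy model (class, behavior,
classifier-behavior association, inbound application) plus the two priority
trust modes. The mapping table below is an assumption for the example."""

# Assumed 802.1p priority -> local precedence table (the device's table is configurable).
DOT1P_TO_LP = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def local_precedence(packet, port, trust_mode: str) -> int:
    """Trust packet priority: map the packet's 802.1p value through the table.
    Trust port priority: map the receiving port's priority instead."""
    if trust_mode == "packet":
        return DOT1P_TO_LP[packet["dot1p"]]
    if trust_mode == "port":
        return DOT1P_TO_LP[port["priority"]]
    raise ValueError("unknown trust mode")


class TrafficClass:
    def __init__(self, name, operator, rules):
        if operator not in ("and", "or"):
            raise ValueError("operator must be 'and' or 'or'")
        self.name, self.operator, self.rules = name, operator, rules   # rules: {field: value}

    def matches(self, packet) -> bool:
        hits = [packet.get(field) == value for field, value in self.rules.items()]
        return all(hits) if self.operator == "and" else any(hits)


class TrafficBehavior:
    def __init__(self, name, **actions):
        self.name, self.actions = name, actions        # e.g. remark_dot1p=5 or deny=True


class QosPolicy:
    def __init__(self, name):
        self.name = name
        self.bindings = {}                             # class name -> (class, behavior)

    def associate(self, cls, behavior):
        self.bindings[cls.name] = (cls, behavior)      # one behavior per class; overwrites

    def classify(self, packet):
        for cls, beh in self.bindings.values():
            if cls.matches(packet):
                return cls.name, dict(beh.actions)
        return None, {}


class Port:
    def __init__(self, name, priority=0, trust_mode="packet"):
        self.name, self.priority, self.trust_mode = name, priority, trust_mode
        self.inbound_policy = None

    def apply_policy(self, policy, direction="inbound"):
        if direction != "inbound":
            raise ValueError("a QoS policy can be applied only to the inbound direction")
        self.inbound_policy = policy

    def receive(self, packet):
        """Return the decision for one inbound packet."""
        actions = {}
        if self.inbound_policy is not None:
            _, actions = self.inbound_policy.classify(packet)
        if actions.get("deny"):
            return {"forward": False}
        pkt = dict(packet)
        if "remark_dot1p" in actions:
            pkt["dot1p"] = actions["remark_dot1p"]
        lp = local_precedence(pkt, {"priority": self.priority}, self.trust_mode)
        return {"forward": True, "dot1p": pkt["dot1p"], "local_precedence": lp}


def build_demo_port():
    voice = TrafficClass("voice", "or", {"vlan": 2, "dscp": 46})            # any criterion
    bulk = TrafficClass("bulk", "and", {"vlan": 10, "dst_port": 445})        # all criteria
    policy = QosPolicy("edge-in")
    policy.associate(voice, TrafficBehavior("prio", remark_dot1p=5))
    policy.associate(bulk, TrafficBehavior("drop", deny=True))
    policy.associate(bulk, TrafficBehavior("low", remark_dot1p=1))           # overwrites "drop"
    port = Port("GigabitEthernet1/0/1", priority=3, trust_mode="packet")
    port.apply_policy(policy)
    return port


if __name__ == "__main__":
    p = build_demo_port()
    print(p.receive({"vlan": 2, "dscp": 0, "dot1p": 0}))
    print(p.receive({"vlan": 10, "dst_port": 445, "dot1p": 0}))
```

The second association for the "bulk" class replaces the deny behavior without warning, which is exactly the overwrite rule in step 6 of Table 150 and a common source of policies that silently stop dropping traffic.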
89. ...data packets, sends a trap message to the terminal, and deletes the corresponding MAC address forwarding entry.
Recommended configuration procedure
Step: Remarks
1. Configuring loopback detection globally: Required. By default, loopback detection is disabled globally.
2. Configuring loopback detection on a port: Required. By default, loopback detection is disabled on a port.
NOTE: Loopback detection takes effect on a port only after you enable loopback detection both globally and on the port.
Configuring loopback detection globally
1. From the navigation tree, select Security > Loopback Detection. The System Loopback Detection area appears.
Figure 444 Loopback detection configuration page (System Loopback Detection: Enable loopback detection on the system; Interval 30 seconds, range 5-300, default 30; Apply. Port Loopback Detection: columns Interface Name, Loopback Detection, Detection Control, Detection in VLAN; GigabitEthernet1/0/1 through GigabitEthernet1/0/11 listed, each with Loopback Detection and Detection Control set to Disable)
90. ...defines two logical ports for the network access port: the controlled port and the uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.
• Controlled port: Allows incoming and outgoing traffic to pass through when it is in the authorized state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in Figure 299. The controlled port is set in the authorized state if the client has passed authentication, and in the unauthorized state if the client has failed authentication.
• Uncontrolled port: Is always open to receive and transmit EAPOL frames.
Figure 299 Authorization state of a controlled port (Authenticator system 1 with its port unauthorized and Authenticator system 2 with its port authorized; each shows a controlled port and an uncontrolled port)
In the unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The device supports only unidirectional traffic control.

Packet formats
EAP packet format
Figure 300 shows the EAP packet format.
Figure 300 EAP packet format (Code, Identifier, and Length fields in the first 4 bytes, followed by N bytes of Data)
• Code: Type of the EAP packet. Options include Request (1), Response (2), Success (3)
91. ...device.
Figure 169 The MAC tab (columns MAC, VLAN ID, Type, Port, Operation; entries 6431-5045-d29e in VLAN 1, Learned, GigabitEthernet1/0/15 and 001b-2188-86ff in VLAN 1, Learned, GigabitEthernet1/0/24; buttons Add, Refresh, Del Selected)
2. Click Add at the bottom to enter the page for creating MAC address entries.
Figure 170 Creating a MAC address entry (MAC, example 0010-dc28-a4e9; Type: static; VLAN: 1; Port: GigabitEthernet1/0/1; items marked with an asterisk are required; Apply, Cancel)
3. Configure a MAC address entry as described in Table 52.
4. Click Apply.
Table 52 Configuration items
Item: Description
MAC: Set the MAC address to be added.
Type: Set the type of the MAC address entry:
• Static: Static MAC address entries that never age out.
• Dynamic: Dynamic MAC address entries that will age out.
• Blackhole: Blackhole MAC address entries that never age out.
The MAC tab (see Figure 169) displays the following types of MAC address entries:
• Config static: Static MAC address entries manually configured by the users.
• Blackhole: Blackhole MAC address entries.
• Learned: Dynamic MAC address entries learned by the device.
• Other: Other types of MAC address entries.
VLAN ID: Set the ID of the VLAN to which the MAC address belongs.
Port: Set the port to which the MAC address belongs. This port must belong to the specified VLAN.
Setting the aging time of MAC addres
92.
  diagnostic information, 54
  viewing device electronic label, 54
Web-based NM functions, 8
WRR queuing
  basic queuing, 472, 472
  group-based queuing, 472, 472
93. ...displaying SNMP packet statistics appears.
Figure 114 SNMP packet statistics (SNMP Statistics, a count for each of the following):
Messages delivered to the SNMP entity
Messages which were for an unsupported version
Messages which used an SNMP community name not known
Messages which represented an illegal operation for the community supplied
ASN.1 or BER errors in the process of decoding
MIB objects retrieved successfully
MIB objects altered successfully
GetRequest-PDUs accepted and processed
GetNextRequest-PDUs accepted and processed
SetRequest-PDUs accepted and processed
Messages passed from the SNMP entity
SNMP PDUs which had tooBig error-status (Maximum packet size 2000)
SNMP PDUs which had noSuchName error-status
SNMP PDUs which had badValue error-status
SNMP PDUs which had genErr error-status
GetResponse-PDUs accepted and processed
Trap-PDUs accepted and processed
(Refresh button)

SNMPv1/v2c configuration example
Network requirements
As shown in Figure 115, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS.
Figure 115 Network diagram (Switch, the agent, Vlan-int2 at 1.1.1.1/24; NMS at 1.1.1.2/24)
Configuring the agent
1. Enable SNMP:
a. Select Device > SNMP from the navigation tree. The SNMP configuration page appears.
b. Select the Enable option, and select the v1 and v2c options.
c. Clic
94.
  displaying recent system logs, 48
  displaying system information, 47, 47
  displaying system resource state, 48
system time
  configuration, 56
  configuration by using NTP, 58
  configuring system time by using NTP, 57
  configuring system time manually, 56
  displaying current system time, 56
T
table
  active route table IPv4, 279
  active route table IPv6, 281
  ARP static entry creation, 245
  IP routing, 278
  IP services ARP entry configuration, 244
  IP services ARP entry removal, 245
  MAC address, 173, 174, 175
  MSTP VLAN-to-instance mapping table, 187
Telnet
  AAA configuration, 359
terminal
  setting parameters, 21
testing cable status, 91
time
  ACL time range configuration, 453
  Ethernet link aggregation LACP timeout interval, 205
  time range configuration, 453
timer
  802.1X, 328
  IP multicast IGMP snooping dynamic port aging timer, 253
  IPv6 multicast MLD snooping dynamic port aging timer, 267
  MAC address table dynamic aging timer, 175
  MAC authentication timers, 405
  STP forward delay, 184
  STP hello, 184
  STP max age, 184
TLV
  LLDPDU basic management types, 218
  LLDPDU LLDP-MED types, 218
  LLDPDU management address TLV, 221
  LLDPDU organization-specific types, 218
token bucket
  QoS traffic forwarding,  473
topology
  STP TCN BPDU protocol packets, 177
traceroute
  IP address retrieval, 317, 319
  node failure detection, 317, 319
  system maintenance, 31
traffic
  ACL configuration, 450
  ACL configuration Ethernet frame header
95. ...each interface. Make sure the RADIUS servers, host, and switch can reach each other. (Details not shown.)
Configuring the RADIUS servers
Add a user account with the host MAC address, unhyphenated, as both the username and password, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.) For information about the RADIUS server configuration, see Configuring RADIUS.
Configuring a RADIUS scheme for the switch
1. Create a RADIUS scheme:
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. Enter the scheme name system.
d. Select the server type Extended.
e. Select Without domain name from the Username Format list.
f. Click Apply.
2. Configure the primary authentication server in the RADIUS scheme:
a. In the RADIUS Server Configuration area, click Add.
b. Configure the RADIUS authentication server: select Primary Authentication from the Server Type list, enter 10.1.1.1 in the IP Address field, enter the port number 1812, and enter expert in the Key field and the Confirm Key field.
c. Click Apply.
Figure 397 Configuring a RADIUS authentication server (Add RADIUS Server: Server Type Primary Authentication; IP Address (IPv4/IPv6) 10.1.1.1; Port 1812, range 1-65535, default 1812; Key and Confirm Key, 1-64 characters; Apply, Cancel)
3. Configure the primary accounting server in the RADIUS scheme:
a. In the RADIUS
96. 1. Creating a PKI entity: Required. ...entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the DN shows the identity information of the entity. A CA identifies a certificate applicant uniquely by an entity DN. The DN settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the certificate request might be rejected. You must know the policy to determine which entity parameters are mandatory or optional.
2. Creating a PKI domain: Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
3. Destroying the RSA key pair: Optional. Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you must destroy the existing key pair. Otherwise, the retrieving operation will fail.
4. Retrieving and displaying a certificate: Optional. Retrieve an existing certificate.
5. Retrieving and displaying a CRL: Optional. Retrieve a CRL and display its contents.

Creating a PKI entity
1. From the navigation tree, select Authentication > Certificate Management. The PKI entity list page is displayed by default.
97. event logs 104; RMON history sampling information 103; RMON statistics 101; SNMP packet statistics 123; specified operation parameter for all ports 73; stack device summary 42; stack topology summary 42; syslogs 61; Web device file 67; Web page display 16. done message: IPv6 multicast MLD snooping 269. downloading: Web device file 67. DSCP: QoS packet IP precedence and DSCP values 469. dst mac validity check: ARP 250. dynamic: ARP table entry 244; DHCP address allocation 292; Ethernet link aggregation dynamic mode 207; Ethernet link aggregation mode 206; Ethernet link dynamic aggregation group configuration 208; IP multicast IGMP snooping dynamic port 253; IPv6 multicast MLD snooping dynamic port 267; MAC address table dynamic aging timer 175; MAC address table entry 174. Dynamic Host Configuration Protocol: see DHCP. EAP: security 802.1X EAP over RADIUS 323; security 802.1X packet format 322; security 802.1X RADIUS EAP-Message attribute 324; security 802.1X RADIUS Message-Authenticator attribute 324; security 802.1X relay authentication 326; security 802.1X relay termination 327; security 802.1X relay/termination authentication mode 325. EAPOL: security 802.1X authentication access device initiated 324; security 802.1X authentication client initiated 324; security 802.1X packet format 323. edge port: MST 187. emulator: terminal parameters 21. enabling: DHCP 299; DHCP relay agent on inter
98. field follows.
• Packet body: Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.

EAP over RADIUS
RADIUS adds two attributes, EAP-Message and Message-Authenticator, to support EAP authentication. For the RADIUS packet format, see Configuring RADIUS.

EAP-Message
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 302. The Type field takes the value 79, and the Value field can carry up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS splits it across multiple EAP-Message attributes, which the receiver concatenates in order.
Figure 302: EAP-Message attribute format (Type, Length, EAP packet).

Message-Authenticator
RADIUS includes the Message-Authenticator attribute in every packet that carries an EAP-Message attribute so that the receiver can check packet integrity. The value is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared key; the receiver recomputes it and drops the packet if the result differs from the attribute value. The Message-Authenticator therefore prevents EAP authentication packets from being tampered with in transit (it provides integrity, not confidentiality).
Figure 303: Message-Authenticator attribute format (Type, Length, 16-byte value; 18 bytes in total).

Initiating 802.1X authentication
Both the 802.1X client and the access device can initiate 802.1X authentication.

802.1X client as the initiator
The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The destination MAC address of the packet is the IEEE 802.1X specified multicast address
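The EAP-Message fragmentation and Message-Authenticator check described above, as an added example in Python (not code from the manual or from HP): it builds a RADIUS Access-Request that carries a 300-byte EAP packet in two EAP-Message attributes, computes the HMAC-MD5 with the attribute value zeroed, and then performs the receiver-side verification that makes a tampered packet get dropped. The shared key is the page's example value expert; the Request Authenticator and the EAP packets are constructed sample data, not captured traffic.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types and packet code used below (RFC 2865 / RFC 3579).
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
ACCESS_REQUEST = 1
MAX_ATTR_VALUE = 253   # 255-byte attribute limit minus the 2-byte Type/Length header
HEADER_LEN = 20        # Code, Identifier, Length, 16-byte Request Authenticator

# Constructed sample data (assumptions, not captured traffic).
SHARED_SECRET = b"expert"                      # the page's example key
SAMPLE_AUTHENTICATOR = bytes(range(16))        # a fixed Request Authenticator
EAP_IDENTITY = b"\x02\x01\x00\x09\x01user"     # Code 2, Id 1, Length 9, Type 1 (Identity)
# A 300-byte EAP-Response of Type 4 (MD5-Challenge shape) that needs two EAP-Message attributes.
EAP_LONG = b"\x02\x02\x01\x2c\x04" + b"A" * 295


def eap_message_attrs(eap_packet):
    """Split an EAP packet into EAP-Message attributes of at most 253 value bytes each."""
    chunks = [eap_packet[i:i + MAX_ATTR_VALUE]
              for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]
    return [bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks]


def build_access_request(identifier, authenticator, secret, eap_packet):
    """Return an Access-Request carrying eap_packet plus a valid Message-Authenticator."""
    attrs = b"".join(eap_message_attrs(eap_packet))
    # The HMAC-MD5 is computed over the whole packet with the Message-Authenticator
    # value set to 16 zero octets; the real digest is then written into that slot.
    placeholder = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = HEADER_LEN + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    digest = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + digest


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute; reject malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(packet, secret):
    """Receiver-side check: recompute the HMAC with the attribute zeroed. False means drop."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        slots = [off for off, t, v in iter_attrs(packet)
                 if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    except ValueError:
        return False
    if len(slots) != 1:
        return False  # missing or duplicated attribute: reject
    off = slots[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off + 2:off + 18])


def reassemble_eap(packet):
    """Concatenate the EAP-Message attributes in order to recover the original EAP packet."""
    return b"".join(v for _, t, v in iter_attrs(packet) if t == EAP_MESSAGE)


def demo_roundtrip(eap_packet=EAP_LONG):
    """Build a request, verify it, flip one byte inside the first EAP-Message, verify again."""
    req = build_access_request(7, SAMPLE_AUTHENTICATOR, SHARED_SECRET, eap_packet)
    bad = req[:30] + bytes([req[30] ^ 0x01]) + req[31:]
    return {
        "fragments": len(eap_message_attrs(eap_packet)),
        "valid": verify_message_authenticator(req, SHARED_SECRET),
        "tampered_valid": verify_message_authenticator(bad, SHARED_SECRET),
        "wrong_key_valid": verify_message_authenticator(req, b"wrong"),
        "eap_roundtrip": reassemble_eap(req) == eap_packet,
    }


if __name__ == "__main__":
    print(demo_roundtrip())
```

The verifier also rejects a packet whose Length field disagrees with the bytes received and a packet carrying no Message-Authenticator at all; an EAP-capable server must treat both as invalid rather than fall back to the weaker Request Authenticator check.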
99. following parameters:
a. Select the ACL 3000.
b. Select Rule ID and enter the rule ID 0.
c. Select the action Deny.
d. In the IP Address Filter area, select Destination IP Address. Enter the destination IP address 10.0.0.1 and the destination address wildcard 0.0.0.0 (an all-zero wildcard matches exactly this host).
e. Click Add.
Figure 406: Configuring an ACL rule (Advanced ACL 3000; Rule ID 0-65534, assigned by the system if left empty; Action; Non-first Fragments Only; Logging; IP Address Filter with Source/Destination IP Address and Wildcard; Protocol, ICMP Type and Code, TCP/UDP port range 0-65535, TCP Connection Established; Precedence Filter: DSCP, TOS, Precedence; Time Range).

Configuring MAC authentication
1. Configure MAC authentication globally.
a. From the navigation tree, select Authentication > MAC Authentication.
b. Select Enable MAC Authentication.
c. Click Advanced.
d. Select the authentication ISP domain test, select the authentication information format MAC without hyphen, and click Apply.
Figure 407: Configuring MAC authentication globally
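How the rule above is matched, as an added Python example (not the switch's code): wildcard masks are inverse masks, so a 1 bit means "don't care" and 0.0.0.0 is an exact host match, and rules are evaluated in rule-ID order with the first match deciding. Rule 0 is the page's rule; rule 5 (a /24 expressed as wildcard 0.0.0.255) and the permit-by-default behaviour for unmatched packets are assumptions added for illustration, so confirm the device's documented default for authorization ACLs before relying on it.

```python
import ipaddress


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address, rule_address, wildcard):
    """Inverse-mask match: only bits that are 0 in the wildcard must agree."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(address) & care) == (_as_int(rule_address) & care)


# Constructed ACL 3000. Rule 0 is the page's rule; rule 5 is an added illustration.
ACL_3000 = [
    {"id": 0, "action": "deny", "dst": ("10.0.0.1", "0.0.0.0")},
    {"id": 5, "action": "permit", "dst": ("10.0.0.0", "0.0.0.255")},
]


def evaluate(acl, src, dst, default="permit"):
    """First-match evaluation in rule-ID order. `default` (an assumption here)
    applies when no rule matches; returns (action, matched rule ID or None)."""
    for rule in sorted(acl, key=lambda r: r["id"]):
        if "src" in rule and not wildcard_match(src, *rule["src"]):
            continue
        if "dst" in rule and not wildcard_match(dst, *rule["dst"]):
            continue
        return rule["action"], rule["id"]
    return default, None


if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.0.2", "172.16.0.1"):
        print(dst, evaluate(ACL_3000, "192.168.1.10", dst))
```

A common mistake is to enter a subnet mask such as 255.255.255.0 in the wildcard field; with inverse-mask semantics that makes only the host part significant and the rule matches far more than intended.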
100. how to configure the NMS, see the NMS manual.

Verifying the configuration
After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and set the values of some parameters on the agent through MIB nodes. Disable or enable an idle interface on the agent, and you can see the interface state change traps on the NMS.

SNMPv3 configuration example
Network requirements
As shown in Figure 121, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface status of the switch (the agent, at 1.1.1.1/24), and the switch automatically sends traps to report events to the NMS. The NMS and the agent authenticate each other when they set up an SNMP session. The authentication algorithm is MD5 and the authentication key is authkey. The NMS and the switch also encrypt the SNMP packets between them using the DES56 algorithm with the privacy key prikey. (MD5 and DES are the legacy SNMPv3 algorithms, and authkey and prikey are placeholders; use long passphrases, different for authentication and privacy, and stronger algorithms where both the NMS and the agent support them.)
Figure 121: Network diagram (Switch, Vlan-int2 1.1.1.1/24, acting as agent; NMS 1.1.1.2/24).

Configuring the agent
1. Enable the SNMP agent.
a. Select Device > SNMP from the navigation tree. The SNMP configuration page appears.
b. Select the Enable option and select the v3 option.
c. Click Apply.
Figure 122: Configuring the SNMP agent (tabs: Setup, Community, Group, User, Trap, View; SNMP Enable/Disable; Local Engine ID, 10-64 hex characters; Maximum Packet Size 1500 bytes, range 484-17940, default 1500; Contact, 1-200 characters; Lo
101. if displayed in pages. The PC where you configure the device is not necessarily a Web-based network management terminal. A Web-based network management terminal is a PC used to log in to the Web interface, and it must be reachable from the device. After logging in to the Web interface, you can select Device > Users from the navigation tree to create a new user, and select Wizard or Network > VLAN interface to configure the IP address of the VLAN interface acting as the management interface. For more information, see the configuration guides of these modules.

Overview
The device provides Web-based configuration interfaces for visual device management and maintenance.
Figure 4: Web-based network management operating environment (PC to Device).

Logging in to the Web interface
You can use the following default settings to log in to the Web interface through HTTP:
• Username: admin
• Password: none
• IP address of VLAN-interface 1 on the device: the IP address of the device, which depends on the status of the network where the device resides:
o If the device is not connected to the network, or no DHCP server exists in the subnet where the device resides, you can get the IP address of the device from the label on the device. The IP address is 169.254.xxx.xxx, with the last two octets taken from the last two bytes of the MAC address. For example, if the MAC address is 08004E000102, the IP address is 169.254.1.2.
o If a DHCP server exists in the subnet where the device resides, the device dynamically
Because the default admin account has no password and the default login uses plain HTTP, set a password for admin (Device > Users) before connecting the device to a production network.
102. information. The network shown in Figure 334 contains two RADIUS servers. You can choose different servers to implement different security functions; for example, you can use RADIUS server 1 for authentication and authorization and RADIUS server 2 for accounting. You can implement any of the three security functions provided by AAA as needed. For example, if your company wants employees to be authenticated before they access specific resources, configure an authentication server. If network usage information is needed, you must also configure an accounting server.

AAA can be implemented through multiple protocols. The device supports RADIUS, which is the most commonly used. For more information about RADIUS, see Configuring RADIUS.

Domain-based user management
A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user from the username entered at login. For a username in the userid@isp-name format, the access device treats the userid part as the username for authentication and the isp-name part as the ISP domain name. In a network with multiple ISPs, a NAS can connect users of different ISPs. Users of different ISPs can have different user attributes, such as username and password structure, service type, and rights. To manage these users, you need to create ISP domains and then configure AAA methods and domain attributes for each
103. list (Authentication Method list):
o CHAP: Sets the access device to perform EAP termination and use CHAP to communicate with the RADIUS server.
o PAP: Sets the access device to perform EAP termination and use PAP to communicate with the RADIUS server.
o EAP: Sets the access device to relay EAP packets, supporting any EAP authentication method that the client and the RADIUS server agree on.
When you choose between EAP relay and EAP termination, consider the following factors:
o Whether the RADIUS server supports EAP packets.
o The authentication methods supported by the 802.1X client and the RADIUS server. (With EAP termination the access device takes part in the credential exchange, whereas with EAP relay the EAP method runs end to end between the client and the RADIUS server.)
4. Click Advanced to expand the advanced 802.1X configuration area.
Figure 309: Configuring advanced 802.1X parameters (Quiet: Enable the Quiet Function; Quiet Period 60 seconds, range 10-120, default 60; Retry Times 2, range 1-10, default 2; Tx Period 30 seconds, range 10-120, default 30; Handshake Period 15 seconds, range 5-1024, default 15; Re-Authentication Period 3600 seconds, range 60-7200, default 3600; Supplicant Timeout Time 30 seconds, range 1-120, default 30; Server Timeout Time 100 seconds, range 100-300, default 100).
5. Configure advanced 802.1X settings as described in Table 104, and then click Apply.
Table 104: Configuration items
Item / Description
Quiet: Sets whether to enable the quiet timer.
Quiet Period: Sets the value of the quiet timer.
Retry Times: Sets the maximum number of authentication request attempts. The network access device
104. number of received packets with 65 to 127 octets.
Number of Received 65 to 127 Bytes Packets: Total number of received packets with 65 to 127 octets on the interface, corresponding to the MIB node etherStatsPkts65to127Octets.
Number of Received 128 to 255 Bytes Packets: Total number of received packets with 128 to 255 octets on the interface, corresponding to the MIB node etherStatsPkts128to255Octets.
Number of Received 256 to 511 Bytes Packets: Total number of received packets with 256 to 511 octets on the interface, corresponding to the MIB node etherStatsPkts256to511Octets.
Number of Received 512 to 1023 Bytes Packets: Total number of received packets with 512 to 1023 octets on the interface, corresponding to the MIB node etherStatsPkts512to1023Octets.
Number of Received 1024 to 1518 Bytes Packets: Total number of received packets with 1024 to 1518 octets on the interface, corresponding to the MIB node etherStatsPkts1024to1518Octets.

Displaying RMON history sampling information
1. Select Device > RMON from the navigation tree.
2. Click the History tab.
3. Click the detail icon for a history entry.
Figure 89: RMON history sampling information (tabs: Statistics, Alarm, Event, Log, History; Group Detail for the current interface; columns: Time, DropEvents, Octets, Pkts, BroadcastPkts, MulticastPkts, CRCAlignErrors, UndersizePkts, OversizePkts, Fragments, Jabbers, Collisions, Utilization).
105. of MSTP packets that can be sent during each hello interval. The larger the transmit limit, the more network resources are occupied. HP recommends that you use the default value.
• MSTP Mode: Sets whether the port migrates to MSTP mode. In a switched network, if a port on an MSTP or RSTP device connects to a device running STP, the port automatically migrates to STP-compatible mode. After the STP device is removed, the port on the MSTP or RSTP device might not migrate back to MSTP or RSTP mode automatically and remains in STP-compatible mode. You can set this option to let the port migrate to MSTP or RSTP mode.
• Select port(s): Selects one or more ports on the chassis front panel on which to configure MSTP. If aggregate interfaces are configured on the device, the page displays a list of aggregate interfaces below the chassis front panel, and you can select aggregate interfaces from this list.

Table 61: Protection types
Protection type / Description
Edged Port: Sets the port as an edge port. Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition. HP recommends that you enable the BPDU guard function together with the edged port function to avoid topology changes when the edge ports receive
106. online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see Configuring 802.1X on a port.
• Server timeout timer: Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
• Quiet timer: Starts when a client fails authentication. The access device waits for the quiet period before it processes further authentication attempts from that client.
• Periodic online user re-authentication timer: Sets the interval at which the network access device periodically re-authenticates online 802.1X users. For information about how to enable periodic online user re-authentication on a port, see Configuring 802.1X on a port.

Using 802.1X authentication with other features
VLAN assignment
You can configure the authentication server to assign a VLAN to an 802.1X user that has passed authentication. The way the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode.
Access control / VLAN manipulation
Port-based: Assigns the VLAN to the port as the port VLAN (PVID). The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication. When the user logs off, the previous PVID is restored and all other online users are logged off.
MAC-based: • If the port is a hybrid port with MAC-based VLAN enabled, the device
107. option next to Interface State, as shown in Figure 290.
c. Click Apply.
Figure 290: Configuring DHCP snooping functions on GigabitEthernet1/0/1 (Interface State: Trust/Untrust; Option 82 Support: Enable/Disable; Option 82 Strategy: Replace, default Replace).
Configure DHCP snooping functions on GigabitEthernet1/0/2:
a. Click the modify icon of GigabitEthernet1/0/2 on the interface list.
b. Select the Untrust option for Interface State, as shown in Figure 291.
c. Select the Enable option next to Option 82 Support.
d. Select Replace for Option 82 Strategy.
e. Click Apply.
Figure 291: Configuring DHCP snooping functions on GigabitEthernet1/0/2 (Interface State: Untrust; Option 82 Support: Enable; Option 82 Strategy: Replace).
Configure DHCP snooping functions on GigabitEthernet1/0/3:
a. Click the modify icon of GigabitEthernet1/0/3 on the interface list.
b. Select the Untrust option for Interface State, as shown in Figure 292.
c. Select the Enable option next to Option 82 Support.
d. Select Replace for Option 82 Strategy.
e. Click Apply.
Figure 292: Configuring DHCP snooping functions on GigabitEthernet1/0/3 (Interface State: Untrust; Option 82
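What the trusted/untrusted port state and the Option 82 strategy do to individual packets, as an added Python example (not the switch's code): server replies (BOOTREPLY) arriving on an untrusted port are dropped, which is the rogue-DHCP-server defence, and client requests on untrusted ports get this switch's own Option 82 (circuit ID and remote ID sub-options) inserted. The page configures the Replace strategy; the Drop and Keep strategies, the circuit ID GE1/0/2, the remote ID, and all packets are constructed assumptions added for illustration.

```python
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed sample identities (assumptions, not real hardware addresses).
CLIENT_MAC = bytes.fromhex("0011223344aa")
MY_CIRCUIT_ID = b"GE1/0/2"                   # what this switch would insert
MY_REMOTE_ID = bytes.fromhex("00aabbccddee")


def bootp_header(op, client_mac, xid=b"\x12\x34\x56\x78"):
    """236-byte fixed BOOTP/DHCP header: op, htype=1 (Ethernet), hlen=6, hops, xid,
    secs+flags, ciaddr/yiaddr/siaddr/giaddr, 16-byte chaddr, 64-byte sname, 128-byte file."""
    return (bytes([op, 1, 6, 0]) + xid + bytes(2 + 2) + bytes(4 * 4)
            + client_mac + bytes(10) + bytes(64 + 128))


def parse_options(packet):
    """Return [(code, value), ...] from the options area; raise on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, pos = [], 240
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        pos += 2 + length
    return opts


def serialize(header, opts):
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def option82(circuit_id, remote_id):
    """Relay Agent Information: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID)."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id


def relay_agent_info(packet):
    for code, value in parse_options(packet):
        if code == OPT_RELAY_AGENT:
            return value
    return None


def snoop(packet, port_trusted, strategy="replace",
          circuit_id=MY_CIRCUIT_ID, remote_id=MY_REMOTE_ID):
    """Apply DHCP snooping to one packet received on a port. Returns (action, packet)."""
    if port_trusted:
        return "forward", packet           # trusted ports carry server traffic unchanged
    if packet[0] == BOOTREPLY:
        return "drop", None                # a server reply on an untrusted port is rogue
    opts = parse_options(packet)
    if any(c == OPT_RELAY_AGENT for c, _ in opts):
        if strategy == "drop":
            return "drop", None
        if strategy == "keep":
            return "forward", packet
    # "replace", or no Option 82 present yet: carry this switch's own information
    opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, option82(circuit_id, remote_id)))
    return "forward", serialize(packet[:236], opts)


# Constructed packets: a DISCOVER, an OFFER, and a DISCOVER already carrying someone else's Option 82.
DISCOVER = serialize(bootp_header(BOOTREQUEST, CLIENT_MAC), [(OPT_MSG_TYPE, b"\x01")])
OFFER = serialize(bootp_header(BOOTREPLY, CLIENT_MAC), [(OPT_MSG_TYPE, b"\x02")])
DISCOVER_WITH_82 = serialize(bootp_header(BOOTREQUEST, CLIENT_MAC),
                             [(OPT_MSG_TYPE, b"\x01"), (OPT_RELAY_AGENT, option82(b"foreign", b"relay"))])

if __name__ == "__main__":
    print(snoop(OFFER, port_trusted=False)[0], "offer on untrusted port")
    print(relay_agent_info(snoop(DISCOVER, port_trusted=False)[1]))
```

With Replace, a client cannot pre-load Option 82 to impersonate another port's circuit ID, because the switch overwrites it; with Keep, the upstream server would see whatever the client supplied.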
108. or Failure (4).
• Identifier: Used for matching Responses with Requests.
• Length: Length in bytes of the EAP packet, that is, the sum of the Code, Identifier, Length, and Data fields.
• Data: Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field comprises the request type or response type and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples of the Type field.

EAPOL packet format
Figure 301 shows the EAPOL packet format.
Figure 301: EAPOL packet format (PAE Ethernet type, 2 bytes; Protocol version, 1 byte; Type, 1 byte; Length, 2 bytes; Packet body, N bytes).
• PAE Ethernet type: Protocol type. It takes the value 0x888E for EAPOL.
• Protocol version: The EAPOL protocol version used by the EAPOL packet sender.
• Type: Type of the EAPOL packet. Table 103 lists the types of EAPOL packets supported by the HP implementation of 802.1X.
Table 103: Types of EAPOL packets
Value / Type / Description
0x00 / EAP-Packet / The client and the network access device use EAP-Packets to transport authentication information.
0x01 / EAPOL-Start / The client sends an EAPOL-Start message to the network access device to initiate 802.1X authentication.
0x02 / EAPOL-Logoff / The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
• Length: Data length in bytes, that is, the length of the Packet body. If the packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0 and no Packet body
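The EAP and EAPOL formats described above, as an added Python example (not code from the manual or from HP): it builds EAPOL-Start and EAP-Response/Identity frames and parses them back, enforcing the rules the text states (ethertype 0x888E, EAPOL-Start and EAPOL-Logoff carry no body, the EAP Length covers Code, Identifier, Length and Data, and a Request or Response must carry a Type). The MAC addresses and the identity "user" are constructed sample data; EAPOL types other than the three in Table 103 are left unparsed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0x00, 0x01, 0x02
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # IEEE 802.1X PAE group multicast address

# Constructed sample addresses (assumptions, not real hardware).
CLIENT_MAC = bytes.fromhex("0011223344aa")
SWITCH_MAC = bytes.fromhex("00aabbccddee")


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """EAP packet: Code, Identifier, Length (whole packet), then Type + type data for Request/Response."""
    data = b"" if code in (EAP_SUCCESS, EAP_FAILURE) else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_eapol(eapol_type, body=b"", version=1):
    """EAPOL header: Protocol version, Type, Length of the Packet body."""
    return struct.pack("!BBH", version, eapol_type, len(body)) + body


def ethernet(dst, src, payload):
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + payload


def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    eap = {"code": code, "id": ident, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response must carry a Type")
        eap["type"] = pkt[4]
        eap["type_data"] = pkt[5:length]
    return eap


def parse_frame(frame):
    """Parse Ethernet + EAPOL (+ EAP). Returns a dict or raises ValueError on a malformed frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length exceeds the frame")
    result = {"dst": dst, "src": src, "version": version, "type": ptype, "length": length}
    if ptype in (EAPOL_START, EAPOL_LOGOFF):
        if length != 0:
            raise ValueError("EAPOL-Start/Logoff must have Length 0")
    elif ptype == EAPOL_EAP_PACKET:
        result["eap"] = parse_eap(body)
    return result


def is_well_formed(frame):
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed frames: client-initiated start, identity response, success, and a malformed start.
START_FRAME = ethernet(PAE_GROUP_ADDR, CLIENT_MAC, build_eapol(EAPOL_START))
IDENTITY_FRAME = ethernet(SWITCH_MAC, CLIENT_MAC, build_eapol(
    EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user")))
SUCCESS_FRAME = ethernet(CLIENT_MAC, SWITCH_MAC, build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 1)))
BAD_START_FRAME = ethernet(PAE_GROUP_ADDR, CLIENT_MAC, build_eapol(EAPOL_START, b"\x00\x00\x00"))

if __name__ == "__main__":
    for f in (START_FRAME, IDENTITY_FRAME, SUCCESS_FRAME, BAD_START_FRAME):
        print(is_well_formed(f), f.hex())
```

Length checks matter on the access device because EAPOL frames arrive from unauthenticated hosts: the parser trusts neither the EAPOL Length nor the EAP Length beyond the bytes actually received.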
109. organization name for the entity.
Organization Unit: Enter the unit name for the entity.

Creating a PKI domain
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Domain tab.
Figure 370: PKI domain list (tabs: Entity, Certificate, CRL, Domain; columns: Domain Name, CA Identifier, Entity Name, Request Mode, Operation; example row: abcd, CA Server, entity, Manual).
3. Click Add.
4. Click Display Advanced Config to display the advanced configuration items.
Figure 371: PKI domain configuration page (Domain Name, 1-15 characters; CA Identifier, 1-63 characters; Entity Name; Institution: CA or RA; Requesting URL, 1-127 characters; LDAP IP, Port 389, Version; Request Mode: Manual; Fingerprint Hash; Fingerprint; Advanced Configuration: Polling Count, 1-100, default 50; Polling Interval, 5-168 minutes, default 20; Enable CRL Checking; CRL Update Period, hours; CRL URL, 1-127 characters; items marked with an asterisk are required).
5. Configure the parameters as described in Table 121.
6. Click Apply.
Table 121: Configuration items
Item / Description
Domain Name: Enter the name for the PKI domain.
CA Identifier: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes responsibility for certificate registration, distribution, revocation, and query. In o
110. packet to a single RADIUS server. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit and the device still receives no response from the RADIUS server, the device considers the request a failure. (Item: Request Transmission Attempts.)
IMPORTANT: The server response timeout (in seconds) multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75.
Realtime Accounting Interval: Set the interval for sending real-time accounting information. The interval must be a multiple of 3. To implement real-time accounting, the device must periodically send real-time accounting packets to the accounting server for online users. Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server: a shorter interval gives higher accounting precision but requires more performance. Use a longer interval when a large number of users (1000 or more) exist. For the recommended real-time accounting intervals, see Configuration guidelines.
Realtime Accounting Attempts: Set the maximum number of attempts for sending a real-time accounting request.
Unit for Data Flows: Specify the unit for data flows sent to the RADIUS server, which can be:
• Byte
• Kilo-byte
• Mega-byte
• Giga-byte
Specify t
111. page for modifying the VLANs to which a port belongs.
Select GigabitEthernet1/0/1 on the chassis front device panel, select the Tagged option, and enter the VLAN IDs 2,6-50. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close in the dialog box.
Figure 145: Assigning GigabitEthernet1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member (Select Ports; Select membership type: Untagged, Tagged, Not A Member, Link Type, PVID; VLAN IDs: 2,6-50; example format 1,3,5-10).

Configuring Switch B
Configure Switch B in the same way Switch A is configured. (Details not shown.)

Configuration guidelines
When you configure VLANs, follow these guidelines:
• As the default VLAN, VLAN 1 can be neither created nor removed manually.
• You cannot manually create or remove VLANs reserved for special purposes.
• Dynamic VLANs cannot be removed on the page for removing VLANs.
• You cannot remove a VLAN that is referenced by a QoS policy.

Configuring VLAN interfaces
Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information, see Configuring VLANs.

Overview
For host
112. pair 304
Retrieving and displaying a certificate 304
Requesting a local certificate 306
Retrieving and displaying a CRL 308
PKI configuration example 399
Configuration guidelines 403
Configuring MAC authentication 404
Overview 404
User account policies 404
Authentication methods 404
MAC authentication timers 405
Using MAC authentication with other features 405
VLAN assignment 405
ACL assignment 405
(entry illegible) 405
(entry illegible) 406
Recommended configuration procedure 406
Configuring MAC authentication globally 406
Configuring MAC authentication on a port 408
MAC authentication configuration examples 40
113. port (assuming that it is a dynamic member port) receives any MLD report in response to the MLD multicast-address-specific query before its aging timer expires, some host attached to the port is receiving or expecting to receive IPv6 multicast data for that IPv6 multicast group, and the switch resets the aging timer for the port. If the port receives no MLD report in response to the MLD multicast-address-specific query before its aging timer expires, no host attached to the port is still listening to that IPv6 multicast group address, and the switch removes the port from the forwarding entry for the IPv6 multicast group when the aging timer expires.

Protocols and standards
RFC 4541, Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches

Recommended configuration procedure
Step / Remarks
1. Enabling MLD snooping globally: Required. Disabled by default.
2. Configuring MLD snooping in a VLAN: Required. Enable MLD snooping in the VLAN and configure the MLD snooping version and querier. By default, MLD snooping is disabled in a VLAN. When you enable MLD snooping, follow these guidelines:
• Enable MLD snooping globally before you enable it for a VLAN.
• MLD snooping for a VLAN takes effect only on the member ports in that VLAN.
3. Optional. Configure the maximum number of IPv6 multicast groups and fast-leave processing on a port of the
114. ports support this configuration.
Auth-Fail VLAN: 1-4094.
Items marked with an asterisk are required. Apply / Cancel.
Table 105 describes the configuration items.
Table 105: Configuration items
Item / Description
Port: Selects a port on which you want to enable 802.1X. Only ports not yet enabled with 802.1X authentication are available. 802.1X configuration takes effect on a port only after 802.1X is enabled both globally and on the port.
Port Control: Selects an access control method for the port: MAC Based or Port Based.
Port Authorization: Selects a port authorization state for 802.1X:
• Auto: Places the port initially in the unauthorized state, allowing only EAPOL packets to pass, and after a user passes authentication sets the port to the authorized state, allowing access to the network. You can use this option in most scenarios.
• Force Authorized: Places the port in the authorized state, enabling users on the port to access the network without authentication.
• Force Unauthorized: Places the port in the unauthorized state, denying any access requests from users on the port.
Max Number of Users: Sets the maximum number of concurrent 802.1X users on the port.
Handshake: Specifies whether to enable the online user handshake function. This function enables the network access device to send handshake messages to online users at the interval set by the Handshake Period setting. If no response is received from an online user after the maximu
115. scheduling configuration procedure
Step / Remarks
1. Configuring queue scheduling on a port: Optional. Configure the queue scheduling mode for a port.

Recommended rate limit configuration procedure
Step / Remarks
1. Configuring rate limit on a port: Required. Limit the rate of incoming or outgoing packets on a physical port.

Recommended priority mapping table configuration procedure
Step / Remarks

Recommended priority trust mode configuration procedure
Step / Remarks
1. Configuring priority trust mode on a port: Required. Set the priority trust mode of a port.

Adding a class
1. Select QoS > Classifier from the navigation tree.
2. Click the Add tab to enter the page for adding a class.
Figure 463: Adding a class (tabs: Summary, Setup, Remove, Add; fields: Classifier Name, Operation, Rule Count).
3. Add a class as described in Table 151.
4. Click Add.
Table 151: Configuration items
Item / Description
Classifier Name: Specify a name for the classifier to be added.
Operator: Specify the logical relationship between the rules of the classifier:
• and: Specifies the relationship between the rules in a class as logical AND. The device considers a packet to belong to a class only when the packet matches all the rules in the class.
• or: Specifies the relationship between the rules in a class as logical OR. The device considers a packet to belong to a class as long as the packet matches one of the rules in
116. security level is Auth/Priv.
Privacy Password: Set the privacy password when the security level is Auth/Priv.
Confirm Privacy Password: The confirm privacy password must be the same as the privacy password.
ACL: Associate a basic ACL with the user to restrict the source IP address of SNMP packets. To allow or prohibit a specific NMS from accessing the agent with this user name, you can allow or prohibit SNMP packets with a specific source IP address.

Configuring the SNMP trap function
1. Select Device > SNMP from the navigation tree.
2. Click the Trap tab. The Trap tab appears.
Figure 112: Traps configuration (tabs: Setup, Community, Group, User, View; Enable SNMP Trap; Trap Target Host list with columns Destination IP Address, IPv4/Domain/IPv6, Security Name, UDP Port, Security Model, Security Level, Operation; example row: 10.1.1.2, IPv4, user1, 162, v3, AuthPriv).
3. Select Enable SNMP Trap.
4. Click Apply to enable the SNMP trap function.
5. Click Add. The page for adding a target host of SNMP traps appears.
Figure 113: Adding a target host of SNMP traps (Destination IP Address: IPv4/Domain/IPv6; Security Name; UDP Port, 0-65535, default 162; Security Model; Security Level; items marked with an asterisk are required).
6. Configure the settings for t
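What the agent and the NMS actually do with the authentication and privacy passwords from the SNMPv3 example (MD5 authentication with authkey, DES56 privacy with prikey) and with the privacy password item above, as an added Python example that is not code from the manual or from HP: each password is stretched and hashed into a key (RFC 3414 password-to-key), then localized to the agent's snmpEngineID, so the same password yields a different key on every engine. The RFC 3414 appendix test vectors (password maplesyrup, engine ID 0x00..02) check the implementation; the engine ID used for the page's passwords is an assumed value, since the one in the screenshot is not legible.

```python
import hashlib

# RFC 3414 Appendix A.3 test vectors (public, from the RFC).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Assumed engine ID for the page's example agent (not the value shown in the screenshot).
EXAMPLE_ENGINE_ID = bytes.fromhex("800000090300aabbccddee")


def password_to_key(password, algo="md5"):
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 octets (Ku)."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(algo, stretched).digest()


def localize_key(ku, engine_id, algo="md5"):
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password, engine_id, algo="md5"):
    return localize_key(password_to_key(password, algo), engine_id, algo)


def usm_keys(auth_password, priv_password, engine_id, auth_algo="md5"):
    """Keys both sides derive for an authPriv user. The privacy password is localized with
    the authentication hash; for DES, RFC 3414 8.1.1.1 uses the first 8 bytes as the DES key
    and the next 8 as the pre-IV."""
    auth_key = localized_key(auth_password, engine_id, auth_algo)
    priv_key = localized_key(priv_password, engine_id, auth_algo)
    return {"auth_key": auth_key, "des_key": priv_key[:8], "des_pre_iv": priv_key[8:16]}


if __name__ == "__main__":
    print(localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID).hex())
    print({k: v.hex() for k, v in usm_keys(b"authkey", b"prikey", EXAMPLE_ENGINE_ID).items()})
```

Two practical consequences follow from the derivation: an attacker who obtains a localized key from one agent cannot turn it back into the password, but a weak password such as authkey is still trivially brute-forced from a captured authenticated message, and an NMS must learn the agent's engine ID (normally through discovery) before it can compute the keys.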
117. server and the secondary accounting server, and the RADIUS server at 192.168.1.3 functions as the second authentication server and the primary accounting server. The shared key for authentication is name and the shared key for accounting is money.
• All users use the default authentication, authorization, and accounting methods of ISP domain system.
• The switch sends usernames without domain names to the RADIUS server.
Configure port GigabitEthernet1/0/1 of the switch to perform the following operations:
• Allow only one 802.1X user to be authenticated.
• Allow up to three OUI values to be configured, and allow one terminal that uses any of the OUI values to access the port.
Figure 424: Network diagram (Host; Switch, GE1/0/1 192.168.1.1/24; RADIUS server 192.168.1.2/24; Internet).
NOTE: Configurations on the host and RADIUS servers are not shown.

Configuring a RADIUS scheme
1. Create a RADIUS scheme.
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. On the page that appears, configure the RADIUS scheme: enter the scheme name system, select the service type Extended, and select Without domain name from the Username Format list.
d. Click Apply.
2. Configure the primary authentication server in the RADIUS scheme.
a. In the RADIUS Server Configuration area, click Add.
b. Configure the primary authentication server: select the server type Primary Authentication
118. set the device type (DHCP server, switch, or LLDP-MED endpoint), country code, and network device address. When you configure the network device address, select the address information type from the list, enter the address information in the Address field below, and click Add next to the field to add the information to the address information list. To remove an address information entry, select the entry from the list and click Delete. The civic address information can include language, province/state, country, city, street, house number, name, postal/zip code, room number, post office box, and, if necessary, additional information.

Setting LLDP parameters for ports in batch
1. From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed.
2. Select one or multiple ports on the port list.
3. Click Modify Selected to enter the page for modifying these ports in batch.
Figure 200: Modifying LLDP settings on ports in batch (Interface Names: GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/3; Basic Settings: LLDP Operating Mode TxRx, Encapsulation ETHII, CDP Operating Mode Disable, LLDP Polling Interval 1-30 seconds, LLDP Trapping Disable; Base TLV Settings: Port Description, System Capabilities, System Description, System Name, Management Address; Additional Settin
119. snooping.
2. Click Enable for IGMP snooping.
3. Click Apply.
Figure 229: Enabling IGMP snooping globally (IGMP Snooping: Enable/Disable; VLAN Configuration list with columns VLAN ID, IGMP Snooping, Version, Drop Unknown, Querier, Query Interval, General Query Source IP, Special Query Source IP, Operation; example rows for VLAN 1 and VLAN 999: Disabled, version 2, Disabled, Disabled, 60, 0.0.0.0, 0.0.0.0).

Configuring IGMP snooping in a VLAN
1. From the navigation tree, select Network > IGMP snooping.
2. Click the modify icon for the VLAN.
Figure 230: Configuring IGMP snooping in a VLAN (VLAN ID; IGMP Snooping: Enable/Disable; Version: 2 or 3; Querier: Enable/Disable; Query Interval, 2-300 seconds, default 60; General Query Source IP, default 0.0.0.0; Special Query Source IP, default 0.0.0.0; items marked with an asterisk are required).
3. Configure the parameters as described in Table 83.
4. Click Apply.
Table 83: Configuration items
Item / Description
IGMP snooping: Enable or disable IGMP snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected here.
Version: The default setting is IGMPv2. By configuring an IGMP snooping version, you actually configure the versions of IGMP messages that IGMP snooping can process.
• IGMPv2 sno
120. spanning tree (Device A with priority 0, Device B with priority 1, Device C with priority 2).

The configuration BPDU forwarding mechanism of STP
The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends them at the regular hello interval.
• If the root port receives a configuration BPDU that is superior to the configuration BPDU of the port, the device increases the message age carried in the BPDU according to a defined rule, starts a timer to age the configuration BPDU, and sends this configuration BPDU through its designated ports.
• If the configuration BPDU received on a designated port has a lower priority than the configuration BPDU of the local port, the port immediately sends its own configuration BPDU in response.
• If a path becomes faulty, the root port on this path no longer receives new configuration BPDUs, and the old configuration BPDUs are discarded because of timeout. The device then generates configuration BPDUs with itself as the root and sends these BPDUs together with TCN BPDUs. This triggers a new spanning tree calculation to establish a new path and restore network connectivity. However, the newly calculated configuration BPDU cannot be propagated throughout the network immedia
121. stack Select Stack from the navigation tree and click the Topology Summary tab to enter the page shown in Figure 27 Figure 27 Topology Summary tab (Setup, Device Summary; Device ID, Device Role: 1 Slave, 0 Master) Table 7 Field description Field Description Device ID: Member ID of the device in the stack. A value of 0 indicates that the device is the master device of the stack. A value other than 0 indicates that the device is a member device, and the value is the member ID of the member device in the stack. Device Role: Role of the device in the stack, master or slave. Displaying device summary of a stack Select Stack from the navigation tree and click the Device Summary tab to enter the page shown in Figure 28. On this page, you can view interfaces on the panel of each stack member by clicking the tab of the corresponding member device. Figure 28 Device summary (the master device) (Setup, Topology Summary) Logging in to a member device from the master Select Stack from the navigation tree, click the Device Summary tab, and click the tab of a member device to enter the page shown in Figure 29. Click the Configuring the Device hyperlink to log in to the Web interface of the member device to manage and maintain the member device directly. Figure 29 Device summary (a member device) (Setup, Topology Summary) Stack configuration example Network requirements As shown in Figure 30, Switch A, Switch B, Switch C an
122. starts an aging timer for the port. If a forwarding entry matches the group address and the receiving port is in the forwarding entry for the group, the switch restarts the aging timer for the port. A switch does not forward an IGMP report through a non-router port. If the switch forwards a report message through a member port, the IGMP report suppression mechanism running on hosts causes all attached hosts that monitor the reported multicast address to suppress their own reports. In this case, the switch cannot determine whether the reported multicast group still has active members attached to that port. Leave message An IGMPv1 host silently leaves a multicast group, and the switch is not notified of the leaving. However, because the host stops sending IGMP reports as soon as it leaves the multicast group, the switch removes the port that connects to the host from the forwarding entry for the multicast group when the aging timer for the port expires. An IGMPv2 or IGMPv3 host sends an IGMP leave message to the multicast router when it leaves a multicast group. When the switch receives an IGMP leave message on a dynamic member port, the switch first examines whether a forwarding entry matches the group address in the message and, if a match is found, whether the forwarding entry for the group contains the dynamic member port. If no forwarding entry matches the group address, or if the forwarding entry does not contain the port, the
123. status of LLDP: Enable; Admin status: Rx Only; Trap flag: No; Polling interval: 0s; Number of neighbors: 0; Number of MED neighbors: 0; Number of CDP neighbors: 0; Number of sent optional TLV: 23; Number of received unknown TLV: 0 LLDP configuration guidelines When you configure LLDP, follow these guidelines: To make LLDP take effect on a port, enable LLDP both globally and on the port. To advertise LLDP-MED TLVs other than the LLDP-MED capabilities TLV, include the LLDP-MED capabilities TLV. To remove the LLDP-MED capabilities TLV, remove all other LLDP-MED TLVs. To remove the MAC/PHY configuration TLV, remove the LLDP-MED capabilities set TLV first. When the advertising of LLDP-MED capabilities TLV and MAC/PHY configuration status TLV is disabled, if the LLDP-MED capabilities set TLV is included, the MAC/PHY configuration status TLV is included automatically. When you configure LLDP settings for ports in batch, if you do not set the TLVs, each port uses its own TLV settings. Configuring ARP Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 216 shows the format of the ARP request/reply messages. Numbers in the figure refer to field lengths. Figure 216 ARP message format (fields: Hardware type, Protocol type, Hardware address length, Protocol address length, Operation, Sender hardware address, Sender protocol address, Target hardware address, Target pr
124. supported in this release Recommended configuration procedure To configure basic port security mode Step Remarks 1 Configuring global settings for port security: Required. This function enables port security globally and configures intrusion protection actions. By default, port security is disabled globally. 2 Configuring basic port security control: Required. This function configures the basic port security mode, maximum secure MAC addresses, intrusion protection, and outbound restriction for a port. By default, port security is disabled on all ports and access to the ports is not restricted. 3 Configuring secure MAC addresses: Optional. Secure MAC addresses never age out or get lost if saved before the device restarts. One secure MAC address can be added to only one port in the same VLAN. You can bind a MAC address to one port in the same VLAN. Secure MAC addresses can be learned by a port in basic port security mode or manually configured in the Web interface. When the maximum number of secure MAC addresses is reached, no more can be added. The port allows only packets sourced from a secure MAC address to pass through. By default, no secure MAC addresses are configured. To configure advanced port security mode Step Remarks Configuring global settings for port security: Required. This function enables port security globally and configures intrusion protection actions. By default, port se
125. switch directly discards the IGMP leave message. If a forwarding entry matches the group address and the forwarding entry contains the port, the switch forwards the leave message to all router ports in the VLAN. Because the switch does not know whether any other hosts attached to the port are still listening to that group address, the switch does not immediately remove the port from the forwarding entry for that group. Instead, it restarts the aging timer for the port. After receiving the IGMP leave message, the IGMP querier resolves the multicast group address in the message and sends an IGMP group-specific query to the multicast group through the port that received the leave message. After receiving the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports of the multicast group. The switch also performs one of the following actions for the port that received the IGMP leave message: If the port (assuming that it is a dynamic member port) receives an IGMP report in response to the group-specific query before its aging timer expires, it means that some host attached to the port is receiving or expecting to receive multicast data for the multicast group. The switch restarts the aging timer for the port. If the port receives no IGMP report in response to the group-specific query before its aging timer expires, it means that no hosts attached to the port are still listening to that group addres
126. system software image at the CLI 32 Configuration wizard 34 Basic service setup 34 Entering the configuration wizard homepage 34 Configuring system parameters 34 Configuring management IP address 36 Finishing configuration wizard 37 Configuring stack 39 Overview 39 Configuration task list 39 Configuring global parameters 40 Configuring stack ports 41 Displaying topology summary of a stack 41 Displaying device summary of a stack 42 Logging in to a member device from the master 42 Stack configuration example 43 Configuration guidelines 46 Displaying system and device information 47 Displaying system information 47 Displaying basic system information 47 Displaying the system resource state 48 Displaying recent system logs 48 Setting the refresh period 48 Dis
127. the Port Setup tab. Select Manual in the Voice VLAN port mode list. Select Enable in the Voice VLAN port state list. Enter 2 in the VLAN IDs field. Select GigabitEthernet 1/0/1 on the chassis front panel. Click Apply. Figure 165 Configuring voice VLAN on GigabitEthernet 1/0/1 (Summary, Setup, OUI Summary, OUI Add, OUI Remove; Voice VLAN port mode: Manual; Voice VLAN port state: Enable; Voice VLAN ID; Items marked with an asterisk are required; Select ports: Select All, Select None; Ports selected for voice VLAN: GE1 0 4; Apply Cancel) 5 Add OUI addresses to the OUI list a Click the OUI Add tab b Enter OUI address 0011-2200-0000 c Select FFFF-FF00-0000 as the mask d Enter description string test e Click Apply Figure 166 Adding OUI addresses to the OUI list (Summary, Setup, Port Setup, OUI Summary, OUI Remove; Specify an OUI and click Apply to add it to the list. There can be 6 entries at most. OUI Address 0011-2200-0000 (Example 0010-dc28-a4e9); Mask FFFF-FF00-0000; Description test; Items marked with an asterisk are required; Apply Cancel; OUI Address, Mask, Description: 0003-6b00-0000 ffff-ff00-0000 Cisco phone; 00e0-7500-0000 ffff-ff00-0000 Polycom phone) Verifying the configuration 1 When the preceding configurations are complete, the OUI Summary tab is displayed by default, as shown in Figure 167. You can view the information about the newly added OUI address. Figure
128. the device Description Use ipsetup dhcp to specify VLAN-interface 1 to obtain an IPv4 address through DHCP. Use ipsetup ip-address ip-address mask | mask-length to assign an IPv4 address to VLAN-interface 1. By default, the device automatically obtains its IPv4 address through DHCP; if that fails, it uses the assigned IP address. If there is no VLAN-interface 1, either command creates VLAN-interface 1 first and then specifies its IPv4 address. Examples Create VLAN-interface 1 and specify the interface to obtain an IPv4 address through DHCP: <Sysname> ipsetup dhcp. Create VLAN-interface 1, assign 192.168.1.2 to the interface, and specify 192.168.1.1 as the default gateway: <Sysname> ipsetup ip-address 192.168.1.2 24 default-gateway 192.168.1.1 ipsetup ipv6 Syntax ipsetup ipv6 auto | address ipv6-address prefix-length | ipv6-address/prefix-length default-gateway ipv6-address Parameters auto: Enables the stateless address autoconfiguration function. With this function enabled, VLAN-interface 1 can automatically generate a global unicast address and link-local address. address: Enables manual configuration of a global unicast IPv6 address for VLAN-interface 1. ipv6-address: Specifies an IPv6 address. prefix-length: Prefix length, in the range of 1 to 128. default-gateway ipv6-address: Specifies the IPv6 address of the default gateway. With this argument and keyword combination configur
129. the existing Selected ports. However, the state of link aggregation member ports might change after a reboot. Dynamic aggregation mode LACP is enabled on member ports in a dynamic aggregation group. In a dynamic aggregation group, a Selected port can receive and send LACPDUs. An Unselected port can receive and send LACPDUs only when it is up and has the same configurations as the aggregate interface. In a dynamic aggregation group, the local system (the actor) negotiates with the remote system (the partner) to determine the aggregation state of each port in the following steps: 1 The systems compare the system IDs. A system ID contains the system LACP priority and the system MAC address. The lower the LACP priority, the smaller the system ID. If LACP priority values are the same, the two systems compare their system MAC addresses. The lower the MAC address, the smaller the system ID. 2 The system with the smaller system ID chooses the port with the smallest port ID as the reference port. A port ID contains a port priority and a port number. The port with the lower priority value is chosen. If two ports have the same aggregation priority, the system compares their port numbers. The port with the smaller port number becomes the reference port. 3 If a port in up state has the same port attributes and class-two configuration as the reference port, and the peer port of the port has the same port attributes and class-two configurations
130. the path Ping operation The Web interface does not support IPv6 ping. To perform a ping operation: 1 From the navigation tree, select Network > Diagnostic Tools. The ping configuration page appears. Figure 294 Ping configuration page (Trace Route; Destination IP address or host name; Summary) 2 Enter the IP address of the destination device in the Destination IP address or host name field 3 Click Start 4 View the output in the Summary area Figure 295 Ping operation result (Summary: PING 192.168.1.16: 56 data bytes; Reply from 192.168.1.16: bytes=56 Sequence=1 ttl=126 time=4 ms; Reply from 192.168.1.16: bytes=56 Sequence=2 ttl=126 time=4 ms; Reply from 192.168.1.16: bytes=56 Sequence=3 ttl=126 time=3 ms; Reply from 192.168.1.16: bytes=56 Sequence=4 ttl=126 time=3 ms; Reply from 192.168.1.16: bytes=56 Sequence=5 ttl=126 time=3 ms; --- 192.168.1.16 ping statistics ---; 5 packet(s) transmitted; 5 packet(s) received; 0.00% packet loss; round-trip min/avg/max = 3/3/4 ms) Traceroute operation The Web interface does not support IPv6 traceroute. Before performing a traceroute operation, perform the following tasks: Enable sending of ICMP timeout packets by executing the ip ttl-expires enable command on intermediate devices. Enable sending of ICMP destination unreachable packets by executing the ip unreachables enable command on the destination device. To perform a traceroute operati
131. them as one. The relationship between different VLAN IDs is logical OR. ACL IPv4: Define an IPv4 ACL-based rule. ACL IPv6: Define an IPv6 ACL-based rule. Adding a traffic behavior 1 Select QoS > Behavior from the navigation tree 2 Click the Add tab to enter the page for adding a traffic behavior Figure 465 Adding a traffic behavior (Summary, Setup, Port Setup, Remove, Add) 3 Add a traffic behavior as described in Table 153 4 Click Add Table 153 Configuration items Item Description Behavior name: Specify a name for the behavior to be added. Configuring traffic mirroring and traffic redirecting for a traffic behavior 1 Select QoS > Behavior from the navigation tree 2 Click Port Setup to enter the port setup page for a traffic behavior Figure 466 Port setup page for a traffic behavior (Summary, Add, Setup, Remove; Please select a behavior; Mirror To Enable; Redirect Enable; Please select a port; Behavior Detail) 3 Configure traffic mirroring and traffic redirecting as described in Table 154 4 Click Apply Table 154 Configuration items Item Description Please select a behavior: Select an existing behavior in the list. Mirror To: Set the action of mirroring traffic to the specified destination port. Redirect: Set the action of redirecting traffic to the specified destination port. Specify the port to be configured as the destination port of traffic mirrori
132. time manually 56 user group 382 VCT 91 VLAN interface 150 Web device configuration management 64 Web device user management 86 Web interface 2 Web service management 314 315 console terminal parameters 21 controlling security 802.1X controlled uncontrolled port 322 cost STP path cost 179 creating ARP static entry 245 DHCP server group 300 Ethernet link aggregation group 208 SNMP view 115 static route IPv4 280 static route IPv6 281 VLAN 139 VLAN interface 150 critical PoE interface power management 498 CST MST region connection 18 D default static route 2 9 designated MST port 187 STP bridge 178 STP port 178 destination NMM port mirroring 79 detecting security ARP detection configuration 250 device basic settings configuration 50 CLI configuration 20 configuring MAC authentication global 406 511 configuring MAC authentication port-specific 408 DHCP overview 292 DHCP relay agent configuration 303 idle timeout period configuration 50 LLDP configuration 217 236 MAC authentication timers 405 NMM local port mirroring configuration 83 NMM local port mirroring group monitor port 84 NMM port mirroring configuration 79 NMM SNMP configuration 111 port management 69 5 security MAC authentication 404 security MAC authentication ACL assignment 411 security MAC authentication configuration 404 406 408 security MAC local authentication co
133. to pass. Deny: Drops matched packets. Non-First Fragments Only: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments. Logging: Select this box to keep a log of matched packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address, source/destination port number, and number of matched packets. This function is not supported. IP Address Filter: Source IP Address / Source Wildcard: Select the Source IP Address box and enter a source IPv4 address and a source wildcard mask in dotted decimal notation. Destination IP Address / Destination Wildcard: Select the Destination IP Address box and enter a destination IP address and a destination wildcard mask in dotted decimal notation. Protocol: Select the protocol number. If you select 1 ICMP, you can configure the ICMP message type and code. If you select 6 TCP or 17 UDP, you can configure the TCP or UDP port. ICMP Message / ICMP Type / ICMP Code: Specify the ICMP message type and code. These items are available only when you select 1 ICMP from the Protocol list. If you select Other from the ICMP Message list, you need to type values in the ICMP Type and ICMP Code fields. Otherwise, the two fields will take the default values, which cannot be changed. Item Description Select this box to make the rule match packets used for
134. to the current local date configuration, and the time setting does not change. Select the year, month, date, and time, and then click OK. 4 Click Apply on the system time configuration page to save your configuration. Configuring system time by using NTP 1 Select Device > System Time from the navigation tree 2 Click the Network Time Protocol tab. The page for configuring the system time through NTP appears. Figure 47 NTP configuration page (System Time; Clock status: unsynchronized; Source Interface; Key 1: ID (1-4294967295), Key String (1-32 Chars); Key 2: ID (1-4294967295), Key String (1-32 Chars); External Reference Source: NTP Server 1, Reference Key ID; NTP Server 2, Reference Key ID; Set System Timezone: TimeZone (GMT 00:00) Casablanca, Monrovia; Apply) 3 Configure the system time as described in Table 11 4 Click Apply Table 11 Configuration items Item Description Clock status: Display the synchronization status of the system clock. Source Interface: Set the source interface for an NTP message. This configuration makes the source IP address in the NTP messages the primary IP address of this interface. If the specified source interface is down, the source IP address is the primary IP address of the egress interface. TIP: If you do not want the IP address of an interface on the local device to become the destination address of response messages, specify the source interface for NTP messag
135. to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user can no longer be delivered to the server. If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state by checking any primary server first and then the secondary servers in the order they are configured. When the primary server and secondary servers are all in the blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked. If one server is in the active state but all the others are in the blocked state, the device only tries to communicate with the server in the active state, even if the server is unavailable. After receiving an authentication/accounting response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked. Set a proper real-time accounting interval based on the number of users. Table 117 Recommended real-time accounting intervals Number of users / Real-time accounting interval (in minutes): 1 to 99 / 3; 100 to 499 / 6; 500 to 999 / 12; >1000 / >15 Configuring users You can configure local users and create groups to m
136. tree 2 Click Show Entries in the basic VLAN configuration page to display information about MLD snooping multicast forwarding entries Figure 252 Displaying MLD snooping multicast forwarding entries (Show Entries; VLAN ID, Search, Advanced Search; columns VLAN ID, Source, Group, Operation; row: 100, FF1E::101) 3 Click the icon for the multicast entry FF1E::101 to display detailed information about this entry Figure 253 Displaying detailed information about the entry (Advanced, Entry Details: VLAN ID 100; Source Address; Group Address FF1E::101; Router Port(s); Member Port(s) GigabitEthernet1/0/3; Back) The output shows that GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for IPv6 multicast group FF1E::101. Configuring IPv4 and IPv6 routing The term router in this chapter refers to both routers and Layer 3 switches. Overview A router selects an appropriate route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path is responsible for sending the packet to the destination host. Routing provides the path information that guides the forwarding of packets. Routing table A router selects optimal routes from the routing table and sends them to the forwarding information base (FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table. Routes discovered by
137. v per page page 1/6 record 1-5 Next Last 1 GO Enable Disable Table 6 Configuration items Item Description Private Net IP / Mask: Configure a private IP address pool for the stack. The master device of a stack must be configured with a private IP address pool to make sure it can automatically allocate an available IP address to a member device when the device joins the stack. IMPORTANT: When you configure a private IP address pool for a stack, the number of IP addresses in the address pool needs to be equal to or greater than the number of devices to be added to the stack. Otherwise, some devices might not be able to join the stack automatically for lack of private IP addresses. Build Stack: Enable the device to establish a stack. After you enable the device to establish a stack, the device becomes the master device of the stack and automatically adds the devices connected to its stack ports to the stack. IMPORTANT: You can delete a stack only on the master device of the stack. The Global Settings area on a member device is grayed out. Configuring stack ports Select Stack from the navigation tree to enter the page shown in Figure 26. You can configure stack ports in the Port Settings area: Select the box before a port name and click Enable to configure the port as a stack port. Select the box before a port name and click Disable to configure the port as a non-stack port. Displaying topology summary of a
138. 0 0 0 GigabitEthernet1/0/12 300 0 0 0 0 0 0 GigabitEthernet1/0/13 300 0 0 0 0 0 0 GigabitEthernet1/0/14 300 0 0 0 0 0 0 GigabitEthernet1/0/15 300 22 145 3334 14900 1 1 28 records 15 v per page page 1/2 record 1-15 First Prev Next Last 1 GO Refresh When the bandwidth utilization is lower than 1, 1 is displayed. Configuring RMON Overview Remote Network Monitoring (RMON) is an enhancement to SNMP. It enables proactive remote monitoring and management of network devices and subnets. An RMON monitor periodically or continuously collects traffic statistics for the network attached to a port on the managed device. The managed device can automatically send a notification when a statistic crosses an alarm threshold, so the NMS does not need to constantly poll MIB variables and compare the results. RMON uses SNMP notifications to notify NMSs of various alarm conditions, such as broadcast traffic threshold exceeded. In contrast, SNMP reports function and interface operating status changes, such as link up, link down, and module failure. HP devices provide an embedded RMON agent as the RMON monitor. An NMS can perform basic SNMP operations to access the RMON MIB. Working mechanism RMON monitors typically take one of the following forms: Dedicated RMON probes. NMSs can obtain management information from RMON probes directly and control network resources. NMSs can obtain all RMON MIB information by using this method. RMON a
139. 0-0000 Cisco phone; 00e0-7500-0000 ffff-ff00-0000 Polycom phone 3 Add an OUI address to the list as described in Table 51 4 Click Apply Table 51 Configuration items Item Description OUI Address: Set the source MAC address of voice traffic. Mask: Set the mask length of the source MAC address. Description: Set the description of the OUI address entry. Voice VLAN configuration examples Configuring voice VLAN on a port in automatic voice VLAN assignment mode Network requirements As shown in Figure 153: Configure VLAN 2 as the voice VLAN, allowing only voice traffic to pass through. The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic. GigabitEthernet 1/0/1 operates in automatic VLAN assignment mode. Set the voice VLAN aging timer to 30 minutes. Configure GigabitEthernet 1/0/1 to allow voice packets whose source MAC addresses match the OUI addresses specified by OUI address 0011-2200-0000 and mask ffff-ff00-0000. The description of the OUI address entry is test. Figure 153 Network diagram (Switch A, Switch B, Internet; VLAN 2; phones 010-1001 and 0755-2002; OUI 0011-2200-0000, Mask ffff-ff00-0000) Configuring Switch A 1 Create VLAN 2 a Select Network > VLAN from the navigation tree b Click the Create tab c Enter VLAN ID 2 d Click Create Figure 154 Creating VLAN 2 (Select VLAN, Port Detail, Detail, Modify VLAN, Modify Port, Remove, Create) Create
140. 0001 (certificate extensions output, garbled: X509v3 extensions, Subject Key Identifier) Requesting a local certificate 1 From the navigation tree, select Authentication > Certificate Management 2 Click the Certificate tab 3 Click Request Cert Figure 377 Local certificate request page (Entity, Domain, CRL; Request Certificate: Domain Name; Password (1-31 Chars); Enable Offline Mode; Items marked with an asterisk are required; Apply Cancel) 4 Configure the parameters as described in Table 123 Table 123 Configuration items Item Description Domain Name: Select the PKI domain for the certificate. Password: Enter the password for certificate revocation. Enable Offline Mode: Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email. 5 Click Apply. If you select the online mode, the system shows a prompt that the certificate request has been submitted. In this case, click OK to finish the operation. If you select the offline mode, the offline certificate request information page appears. In this case, you must submit the information by an out-of-band way to the CA to request a local certificate. Figure 378 Offline certificate request information page (Entity, Domain, CRL; Offline Certificate Request Information: MIIEWICBEAIBADALMOSECOTDYOOGERTITDLTIEMMAAGALUEAKMDENFERMIGEMAOGE SAG SIKALOEBADOAAAGMNALCBiOEBdAlICO Vis vol lsryNrtupzEhdllmudEi loeg3 FEEIME wadhd
141. 02 Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Before contacting HP, collect the following information: Product model names and numbers; Technical support registration number (if applicable); Product serial numbers; Error messages; Operating system type and revision level; Detailed questions. Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources. Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms. Websites HP.com http://www.hp.com HP Networking http://www.hp.com/go/networkin HP manuals http://www.hp.com/support/manuals HP download drivers and software http://www.hp.com/support/downloads HP software depot http://www.software.hp.com HP Education http://www.hp.com/learn Conventions This section describes the conventions used in this document
142. 03 (table of contents entries, garbled; pages 503, 503, 504 and 506) Overview The HP 1920 Switch Series can be configured through the command line interface (CLI), Web interface, and SNMP/MIB. These configuration methods are suitable for different application scenarios: The Web interface supports all 1920 Switch Series configurations. The CLI provides configuration commands to facilitate your operation. To perform other configurations not supported by the CLI, use the Web interface. Configuring the switch in the Web interface Restrictions and guidelines To ensure a successful login, verify that your operating system and Web browser meet the requirements and follow the guidelines in this section. Operating system requirements The device supports the following operating systems: Windows XP; Windows 2000; Windows Server 2003 Enterprise Edition; Windows Server 2003 Standard Edition; Windows Vista; Windows 7; Linux; MAC OS. If you are using a Windows operating system, turn off the Windows firewall. The Windows firewall limits the number of TCP conn
143. 1/0/12 Disable v Disable GigabitEthernet1/0/13 Disable Disable GigabitEthernet1/0/14 Disable Disable GigabitEthernet1/0/15 Disable v Disable 28 records 15 v per page page 1/2 record 1-15 Next Last 1 GO Apply Enable All Disable All 2 Configure the global loopback detection settings as described in Table 134, and then click Apply Table 134 Configuration items Item Description Enable loopback detection on the system: Sets whether to enable loopback detection globally. Loopback Detection Interval: Sets the loopback detection interval. Configuring loopback detection on a port 1 From the navigation tree, select Security > Loopback Detection. The Port Loopback Detection area appears. 2 Configure loopback detection on a port as described in Table 135, and then click Apply Table 135 Configuration items Item Description Loopback Detection: Sets whether to enable loopback detection on the target port. Detection Control: Sets whether the system disables the target trunk or hybrid port from forwarding data packets when the device detects a loop on it. This configuration item is available only for a trunk or hybrid port. Item Description Detection in VLAN: Sets whether the system performs loopback detection in all VLANs for the target trunk or hybrid port. If you select Disable, the system performs loopback detection only in the default VLAN of the target trunk or hybrid port. This configuration item is av
[Figure residue: ARP Detection setup page with the ARP Packet Validity Check options listed below and an Apply button]
ARP Packet Validity Check:
• Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
• Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with the destination MAC address in the Ethernet header.
• Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast address, and discard the ARP reply whose source and destination IP addresses are all 0s, all 1s, or multicast addresses.

2. Configure ARP detection as described in Table 82.
3. Click Apply.

Table 82 Configuration items
VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list, select one or multiple VLANs from the Disabled VLANs list and click the << button. To remove VLANs from the Enabled VLANs list, select one or multiple VLANs from the list and click the >> button.
Trusted Ports: Select trusted ports and untrusted ports. To add ports to the Trusted Ports list, select one or multiple ports from the Untrusted Ports list and click the << button. To remove ports from the Trusted Ports list, select one or multiple ports from the list and click the >> button.
(item name not legible): Select ARP packet validity check modes:
• Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
• Discard the ARP pa
[Network diagram residue: Device A 1.0.1.11/24, Switch B 1.0.1.12/24]

Configuring the system time

1. Configure the local clock as the reference clock, with the stratum of 2. Enable NTP authentication, set the key ID to 24, and specify the created authentication key aNiceKey as a trusted key. (Details not shown.)
2. On Switch B, configure Device A as the NTP server:
a. Select Device > System Time from the navigation tree.
b. Click the Network Time Protocol tab.
c. Enter 24 in the ID field, enter aNiceKey in the Key String field for key 1, enter 1.0.1.11 in the NTP Server 1 field, and enter 24 in the Reference Key ID field.
d. Click Apply.

Figure 49 Configuring Device A as the NTP server of Switch B
[Figure residue: System Time page; Clock status: unsynchronized; Source Interface; Key 1: ID 24 (1-4294967295), Key String (1-32 chars); Key 2: ID (1-4294967295), Key String (1-32 chars); External Reference Source: NTP Server 1 1.0.1.11, Reference Key ID 24; NTP Server 2, Reference Key ID; Set System Timezone: TimeZone GMT 00:00 Casablanca, Monrovia; Apply]

Verifying the configuration

After the configuration, verify that Device A and Switch B have the same system time.

Configuration guidelines

When you configure the system time, follow these guidelines:
• A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to the level of a client's c
Setting the log host
[Figure residue: Loglist / Log Setup / Loghost tabs; Loghost IP/Domain: IPv4/Domain or IPv6, 1-255 chars; items marked with an asterisk are required; Apply; loghost list with Select All, Select None, Remove; Note: The maximum number of loghosts that can be configured is 4]

3. Configure the log host as described in Table 13.
4. Click Apply.

Table 13 Configuration items
IPv4/Domain, Loghost IP/Domain: Specify the IPv4 address or domain name of the log host. IMPORTANT: You can specify up to four log hosts.
IPv6, Loghost IP: Set the IPv6 address of the log host.

Setting buffer capacity and refresh interval

1. Select Device > Syslog from the navigation tree.
2. Click the Log Setup tab. The syslog configuration page appears.

Figure 52 Syslog configuration page
[Figure residue: Loglist / Loghost / Log Setup tabs; Buffer Set: Buffer Capacity 512 items (1-1024, default 512); Refresh setting; Apply]

3. Configure buffer capacity and refresh interval as described in Table 14.
4. Click Apply.

Table 14 Configuration items
Buffer Capacity: Set the number of logs that can be stored in the log buffer.
Refresh Interval: Set the log refresh interval. You can select manual refresh or automatic refresh:
• Manual: Click Refresh to view the latest log information.
• Automatic: Select to refresh the Web interface every 1 minute, 5 minutes, or 10
Figure 167 Displaying the current OUI list of the device
[Figure residue: Summary / Setup / Port Setup / OUI tabs; Add OUI, Remove OUI; OUI Address, Mask, Description: 0003-6b00-0000, ffff-ff00-0000, Cisco phone; 0011-2200-0000, ffff-ff00-0000, (description not legible); 00e0-7500-0000, ffff-ff00-0000, Polycom phone]

2. Click the Summary tab, where you can view the current voice VLAN information.

Figure 168 Displaying the current voice VLAN information
[Figure residue: Voice VLAN security: Enabled; Voice VLAN aging time: 1440 minutes; Maximum of voice VLANs: 1; Current number of voice VLANs: 1; Ports enabled for voice VLAN: GigabitEthernet1/0/1, Voice VLAN ID 2, Mode Manual]

Configuration guidelines

When you configure the voice VLAN function, follow these guidelines:
• To remove a VLAN functioning as a voice VLAN, disable its voice VLAN function first.
• Only one VLAN is supported, and only an existing static VLAN can be configured as the voice VLAN.
• Do not enable the voice VLAN function on a link aggregation group member port.
• After you assign a port operating in manual voice VLAN assignment mode to the voice VLAN, the voice VLAN takes effect.

Configuring the MAC address table

MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces only. This document covers only the configuration of unicast MAC address entries, including static, dynamic, and blackhole entries.

Overview

To reduce sing
...Figure 242, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports. A switch records all its local router ports in its router port list. Do not confuse the router port in MLD snooping with the routed interface commonly known as the Layer 3 interface. The router port in MLD snooping is a Layer 2 interface.
• Member port: Multicast receiver-side port. As shown in Figure 242, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of Switch A and GigabitEthernet 1/0/2 of Switch B are member ports. A switch records all local member ports in its MLD snooping forwarding table.

Unless otherwise specified, router ports and member ports in this document include both dynamic and static ports.

NOTE: When MLD snooping is enabled, all ports that receive IPv6 PIM hello messages or MLD general queries with source addresses other than 0::0 are considered dynamic router ports.

Aging timers for dynamic ports in MLD snooping

Dynamic router port aging timer
Description: When a port receives an MLD general query with the source address other than 0::0 or an IPv6 PIM hello message, the switch starts or resets an aging timer. When the timer expires, the dynamic router port ages out.
Message received before the timer expires: MLD general query with the source address other than 0::0, or IPv6 PIM hello message.
Action after the timer expires: The switch removes this port from its router port list.
Figure 20 Network diagram
[Network diagram residue: PC connected to the console port of the switch by a console cable; switch port GE1/0/1 connected to the IP network; gateway; TFTP server]

Configuration procedure

1. Run the TFTP server program on the TFTP server and specify the path of the file to be loaded. (Omitted.)
2. Configure the switch:
Configure the IP address of VLAN-interface 1 of the switch as 192.168.1.2/24 and specify the default gateway as 192.168.1.1.
    <Switch> ipsetup ip-address 192.168.1.2 24 default-gateway 192.168.1.1
Download the software package file Switch1920.bin on the TFTP server to the switch and upgrade the system software image in the package.
    <Switch> upgrade 192.168.10.1 Switch1920.bin runtime
    File will be transferred in binary mode
    Downloading file from remote TFTP server, please wait...
    TFTP: 10262144 bytes received in 71 second(s)
    File downloaded successfully.
Download the software package file Switch1920.bin on the TFTP server to the switch and upgrade the Boot ROM image.
    <Switch> upgrade 192.168.10.1 Switch1920.bin bootrom
    The file flash:/Switch1920.bin exists. Overwrite it? [Y/N]:y
    Verifying server file...
    Deleting the old file, please wait...
    File will be transferred in binary mode
    Downloading file from remote TFTP server, please wait...
    TFTP: 10262144 bytes received in 61 second(s)
    File downloaded successfully.
    BootRom file updating finished!
Reboot the switch.
    <Switch> reboot
After getting the new image fi
    dynamic group configuration, 208
    dynamic mode, 207
    group configuration, 208
    group creation, 208
    LACP, 205
    LACP priority, 211
    LACP-enabled port, 211
    member port state, 205
    modes, 206
    operational key, 205
    port configuration class, 206
    static group configuration, 208
    static mode, 206
evaluating QoS traffic, 473
event
    NMM RMON event group, 94
    event entry configuration, 99
extending DHCP IP address lease extension, 293

F

feature
    MAC authentication Auth-Fail VLAN, 405
    using 802.1X authentication with other features, 329
    using MAC authentication with other features, 405
FIB IP routing table, 278
filtering
    ACL packet fragments, 452
    QoS traffic mirroring configuration, 481
    QoS traffic redirecting configuration, 481
finishing configuration wizard, 37
flow interval
    configuration, 92
    viewing port traffic statistics, 92
format
    AAA RADIUS packet format, 365
    ARP message format, 242
    DHCP message, 294
    LLDP frame encapsulated in Ethernet II, 217
    LLDP frame encapsulated in SNAP format, 217
    security 802.1X EAP packet format, 322
    security 802.1X EAPOL packet format, 323
    security 802.1X packet, 322
forwarding
    ACL configuration, 450
    ACL configuration (advanced), 456, 463
    ACL configuration (basic), 455, 462
    ACL configuration (Ethernet frame header), 459
    ACL configuration (IPv4), 454
    ACL configuration (IPv6), 461
    MST forwarding port state, 188
    QoS token bucket, 473
    STP BPDU forwarding, 184
    STP forward delay timer, 184
fragment
Figure 368 PKI entity list
[Figure residue: Domain / Certificate / CRL tabs; entity list columns Entity Name, Common Name, IP Address, FQDN, Country/Region Code, State, Locality, Organization, Organization Unit, Operation; one entry, aaa; Add button]

2. Click Add on the page.

Figure 369 PKI entity configuration page
[Figure residue: Add PKI Entity form: Entity Name (1-15 chars), Common Name (1-31 chars), IP Address, FQDN (1-127 chars), Country/Region Code (two-character code compliant with the ISO 3166 standard), State (1-31 chars), Locality (1-31 chars), Organization (1-31 chars), Organization Unit (1-31 chars); items marked with an asterisk are required; Apply, Cancel]

3. Configure the parameters as described in Table 120.
4. Click Apply.

Table 120 Configuration items
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
FQDN: Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.
Country/Region Code: Enter the country or region code for the entity.
State: Enter the state or province for the entity.
Locality: Enter the locality for the entity.
Organization: Enter the
    configuration, 2
    configuration wizard, 34
    configuring authorized IP, 443, 444
    configuring port link type, 140
    configuring PVID for port, 141
    configuring VLAN interface, 150
    creating VLAN, 139
    creating VLAN interface, 150
    device basic settings configuration, 50
    device configuration backup, 64
    device configuration management, 64
    device configuration reset, 66
    device configuration restoration, 64
    device configuration save, 65
    device file displaying, 67
    device file download, 67
    device file management, 67
    device file removing, 68
    device file upload, 68
    device idle timeout period configuration, 50
    device local user adding, 86
    device main boot file specifying, 68
    device management, 52
    device privilege level switching, 88
    device reboot, 53
    device software upgrade, 52
    device stack configuration, 39, 43
    device super password setting, 87
    device system name configuration, 50
    device user management, 86
    displaying interface statistics, 132
    entering configuration wizard homepage, 34
    finishing configuration wizard, 37
    icons on webpage, 16
    interface, 7
    interface HTTP login, 6
    interface login restrictions, 2
    interface logout, 7
    management IP address configuration, 36
    modifying port, 144
    modifying VLAN, 143
    modifying VLAN interface, 152
    page display functions, 16
    search function, 17
    selecting VLAN, 142
    service management, 314, 315
    sort function, 19
    system parameters configuration, 34
    user level, 8
    VCT configuration, 91
    viewing device
Retrieving the CRL
[Figure residue: Entity / Domain / Certificate / CRL tabs; Domain Name torsa; Operation: Retrieve CRL, View CRL]

Verifying the configuration

After the configuration, select Authentication > Certificate Management > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Authentication > Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL.

Configuration guidelines

When you configure PKI, follow these guidelines:
• Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of certificates will be abnormal.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, specify RA as the authority for certificate request when you configure the PKI domain.
• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, specify CA as the authority for certificate request when you configure the PKI domain.

Configuring MAC authentication

Overview

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software
Local MAC authentication configuration example ... 408
ACL assignment configuration example ... 411
Configuring port security ... 421
    Overview ... 421
        Port security features ... 421
        Port security (entry partly illegible) ... 421
    Configuration guidelines ... 423
    Recommended configuration procedure ... 423
    Configuring global settings for port security ... 424
    Configuring basic port security control ... 425
    Configuring secure MAC addresses ... 427
    Configuring advanced port security control ... 428
    Configuring permitted OUIs ... 429
    Port security configuration examples ... 430
        Basic port security mode configuration example ... 430
        Advanced port security mode configuration example ... 433
Configuring port isolation ... 440
    Configuring the isolation group ...
...38400
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
• Emulation: VT100

To set terminal parameters, for example, on a Windows XP HyperTerminal:
1. Select Start > All Programs > Accessories > Communications > HyperTerminal. The Connection Description dialog box appears.
2. Enter the name of the new connection in the Name field and click OK.

Figure 15 Connection description
[Figure residue: Connection Description dialog; New Connection; "Enter a name and choose an icon for the connection"; Name: Switch; Icon]

3. Select the serial port to be used from the Connect using list and click OK.

Figure 16 Setting the serial port used by the HyperTerminal connection
[Figure residue: Connect To dialog]

4. Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, and click OK.

Figure 17 Setting the serial port parameters
[Figure residue: COM1 Properties dialog]

5. Select File > Properties in the HyperTerminal window.

Figure 18 HyperTerminal window
[Figure residue: Switch - HyperTerminal window]

6. Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box.

Figure 19 Setting terminal emulation in Switch Properties dialog box

Logging in to the CLI

The login process requires a username and password. The default username for first-time configuration is admin; no password is required. Usernames and passwords are case sensitive. To log in to
[Figure residue: port list ending with GigabitEthernet1/0/10; Select All]

3. Configure rate limit on a port as described in Table 160.
4. Click Apply.

Table 160 Configuration items
Please select an interface type: Select the types of interfaces to be configured with rate limit.
Rate Limit: Enable or disable rate limit on the specified port.
Direction: Select a direction in which the rate limit is to be applied:
• Inbound: Limits the rate of packets received on the specified port.
• Outbound: Limits the rate of packets sent by the specified port.
• Both: Limits the rate of packets received and sent by the specified port.
CIR: Set the committed information rate (CIR), the average traffic rate.
Please select port(s): Specify the ports to be configured with rate limit. Click the ports to be configured with rate limit in the port list. You can select one or more ports.

Configuring priority mapping tables

1. Select QoS > Priority Mapping from the navigation tree.

Figure 473 Configuring priority mapping tables
[Figure residue: Mapping Type: CoS to Queue; Input Value / Output Value pairs 0:2, 1:0, 2:1, 3:3, 4:4, 5:5, 6:6, 7:7; Restore, Apply, Cancel]

2. Configure a priority mapping table as described in Table 161.
3. Click Apply.

Table 161 Configuration items
(item name cut): Select the priority mapping table to be configured. Mappi
    PoE interface power management, 498
    PoE ports, 498
    port isolation, 440, 441
    port link type, 140
    port security, 421, 423, 430
    port security global, 424
    port security advanced control, 428
    port security advanced mode, 433
    port security basic control, 425
    port security basic mode, 430
    port security permitted OUIs, 429
    port-based VLAN, 135
    priority mapping table, 487
    priority trust mode, 488
    PVID, 141
    QoS, 489
    QoS classifier-behavior associations, 484
    QoS policy, 466
    QoS traffic class, 479
    QoS traffic mirroring, 481
    QoS traffic redirecting, 481
    queue scheduling on port, 485, 486
    RADIUS, 363, 374
    RADIUS common parameter, 369
    RADIUS scheme, 368
    secure MAC addresses, 427
    security 802.1X, 321, 332
    security 802.1X global, 332
    security 802.1X port-specific, 333
    security 802.1X authentication, 336
    security ARP attack protection, 250
    security ARP detection, 250
    security MAC authentication, 404, 406, 408
    security MAC authentication ACL assignment, 411
    security MAC local authentication, 408
    setting environment, 20
    SNMP community, 117
    SNMP group, 118
    SNMP trap function, 121
    SNMP user, 120
    SNMP view, 115
    SNMPv1, 124
    SNMPv2c, 124
    SNMPv3, 127
    stack, 39, 43
    stack global parameters, 40
    stack ports, 41
    static routing IPv4, 283
    static routing IPv6, 287
    statistics entry, 97
    system name, 50
    system parameters, 34
    system time, 56
    system time by using NTP, 57, 58
    system
[Figure residue: VLANs mapped to CIST; MST region; MSTI]

MST region

A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked with one another

Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 176, the switched network comprises four MST regions, MST region A0 through MST region D0, and all devices in each MST region have the same MST region configuration.

MSTI

MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree is mapped to a range of VLANs. Each spanning tree is referred to as a multiple spanning tree instance (MSTI). In Figure 176, multiple MSTIs can exist in each MST region, each MSTI corresponding to the specified VLANs.

VLAN-to-instance mapping table

As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 176, the VLAN-to-instance mapping table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.

CST

The common spanning tree (CST) is a single spanning
[Figure residue: port details for GigabitEthernet1/0/3: Link Type Access, MDI Auto, Speed Auto [1000M], Duplex Auto [Full], Max MAC Count No Limit, Broadcast Suppression 100, Multicast Suppression 100, Unicast Suppression 100, Power Save Disabled, Description GigabitEthernet1/0/3 Interface]

The table shows the configured values for the selected port, while those inside the square brackets are the actual values of the selected port.

3. Reselect GigabitEthernet 1/0/3 to refresh its data 30 seconds later. Figure 423 shows that the port state is active.

Figure 423 Displaying port state
[Figure residue: Summary / Setup tabs; Select a Port; Port State Enabled [Active], PVID 1, Flow Control Disabled, Link Type Access, MDI Auto, Speed Auto [1000M], Duplex Auto [Full], Max MAC Count No Limit, Broadcast Suppression 100, Multicast Suppression 100, Unicast Suppression 100, Power Save Disabled, Description GigabitEthernet1/0/3 Interface]

The table shows the configured values for the selected port, while those inside the square brackets are the actual values of the selected port.

If you remove MAC addresses from the secure MAC address list, the port can continue to learn MAC addresses.

Advanced port security mode configuration example

Network requirements

As shown in Figure 424, the switch authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
• The RADIUS server at 192.168.1.2 functions as the primary authentication
...BPDU on a port, the device compares the priority of the received configuration BPDU with that of the configuration BPDU generated by the port. It takes one of the following actions:
• If the former priority is lower, the device discards the received configuration BPDU and keeps the configuration BPDU the port generated.
• If the former priority is higher, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.

The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU. The following are the principles of configuration BPDU comparison:
a. The configuration BPDU with the lowest root bridge ID has the highest priority.
b. If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. For example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The configuration BPDU with the smallest S value has the highest priority.
c. If all configuration BPDUs have the same root bridge ID and S value, their designated bridge IDs, designated port IDs, and the IDs of the receiving ports are compared in sequence. The configuration BPDU that contains a smaller designated bridge ID, designated port ID, or receiving port ID is selected.

A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.

Example of STP calculation

Fi
[Figure residue: SNAP-encapsulated LLDP frame format; ... MAC address, Type, Data (LLDPDU, n bytes)]

Table 70 Fields in a SNAP-encapsulated LLDP frame
Destination MAC address: MAC address to which the LLDP frame is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
Source MAC address: MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
Type: SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
Data: LLDPDU.
FCS: Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.

LLDP uses LLDPDUs to exchange information. An LLDPDU comprises multiple TLVs. Each TLV carries a type of device information, as shown in Figure 197.

Figure 197 LLDPDU encapsulation format
[Figure residue: Chassis ID TLV, Port ID TLV, Time To Live TLV, Optional TLV ... Optional TLV, End of LLDPDU TLV]

An LLDPDU can carry up to 28 types of TLVs. Mandatory TLVs include Chassis ID TLV, Port ID TLV, Time to Live TLV, and End of LLDPDU TLV. Other TLVs are optional.

A TLV is an information element that contains the type, length, and value fields. LLDPDU TLVs include the following categories:
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs

Basic management TLVs are essential to device management. Organizationally specific TLVs and LLDP-MED TLVs are used for improved device management. They are de
[Figure residue: RADIUS scheme configuration page. Common Configuration: Server Type Extended; Username Format Without domain name. Advanced: Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key; Quiet Time (minutes, default 5); Server Response Timeout Time (seconds, default 3); Request Transmission Attempts (default 3); Realtime Accounting Interval (minutes, default 12, must be a multiple of 3); Realtime Accounting Attempts (1-255, default 5); Unit for Data Flows: Byte; Unit for Packets: One packet; Security Policy Server; RADIUS Packet Source IP (IPv4/IPv6); Buffer stop-accounting packets; Stop Accounting Attempts (0-65535, default 500); Send accounting-on packets; Attribute. RADIUS Server Configuration: Server Type, IP Address, Operation; Primary Authentication, Backup Authentication, Primary Accounting, Backup Accounting; Add. Items marked with an asterisk are required; Apply, Cancel]

2. Configure the primary authentication server in the RADIUS scheme:
a. In the RADIUS Server Configuration area, click Add.
b. Select the server type Primary Authentication.
c. Enter the IP address 10.1.1.1 and enter the port number 1812.
d. Click Apply. The RADIUS Server Configuration area displays the primary authentication server you have configured.
3. Configure the backup authentication server in the RADIUS schem
...Create tab.
c. Enter :: for Destination IP Address, select 0 from the Prefix Length list, and enter 4::2 for Next Hop.
d. Click Apply.

Figure 263 Configuring a default route
[Figure residue: Summary / Create / Remove tabs; Destination IP Address, Prefix Length, Preference (1-255, default 60), Next Hop, Interface; items marked with an asterisk are required; Apply; Configured Static Route Information: Destination IP Address, Prefix Length, Protocol, Preference, Next Hop, Interface]

2. Configure a static route to Switch A and Switch C on Switch B:
a. Select Network > IPv6 Routing from the navigation tree of Switch B.
b. Click the Create tab. The page for configuring a static route appears.
c. Enter 1:: for Destination IP Address, select 64 from the Prefix Length list, and enter 4::1 for Next Hop.
d. Click Apply.

Figure 264 Configuring a static route
[Figure residue: Summary / Create / Remove tabs; Destination IP Address, Prefix Length, Preference (1-255, default 60), Next Hop, Interface; items marked with an asterisk are required; Apply; Configured Static Route Information: Destination IP Address, Prefix Length, Protocol, Preference, Next Hop, Interface]

e. Enter 3:: for Destination IP Address, select 64 from the Prefix Length list, and enter 5::1 for Next Hop.
f. Click Apply.
3. Configure a default route to Switch B on Switch C:
a. Select Network > IPv6 Routing from the navigation tree of Switch C.
b. Click the Create tab.
c. Enter :: for Destination IP Address, sel
...RADIUS server authenticates the username and password. If the authentication succeeds, the server returns an Access-Accept message containing the user's authorization information. If the authentication fails, the server returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns an acknowledgement (Accounting-Response) and starts accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection, and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting.

RADIUS packet format

RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a timer management mechanism, a retransmission mechanism, and a backup server mechanism. Figure 348 shows the RADIUS packet format.

Figure 348 RADIUS packet format
[Figure residue: bit positions 0, 7, 15, 31; fields Code, Identifier, Length, Authenticator, Attributes]

The following describes the fields of a RADIUS packet.

The Code field (1 byte long) indicates the type of the RADIUS packet.

Table 112 Main values of the Code field
Code / Packet type / Description
(first row cut): From the client to the server. A packet of this type carri
Field: Description
InOctets: Total octets of all packets received on the interface.
InUcastPkts: Number of received unicast packets.
InNUcastPkts: Number of received non-unicast packets.
InDiscards: Number of valid packets discarded in the inbound direction.
InErrors: Number of received invalid packets.
InUnknownProtos: Number of received unknown protocol packets.
OutOctets: Total octets of all packets sent through the interface.
OutUcastPkts: Number of unicast packets sent through the interface.
OutNUcastPkts: Number of non-unicast packets sent through the interface.
OutDiscards: Number of valid packets discarded in the outbound direction.
OutErrors: Number of invalid packets sent through the interface.
Last statistics clearing time: Last time when the statistics were cleared.

Configuring VLANs

Overview

Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 130.

Figure 130 A VLAN diagram
[Figure residue: VLAN 2, Switch B, Router, VLAN 5]

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, all workstations and servers used by a particular workgroup can be assigned to th
    (entry cut) ... 336
    802.1X configuration examples ... 336
        MAC-based 802.1X configuration example ... 336
        802.1X with ACL assignment configuration example ... 343
Configuring AAA ... 359
    Overview ... 359
        AAA application ... 359
        Domain-based user management ... 353
    Configuration (entry partly illegible) ... 353
    Recommended configuration procedure ... 353
    Configuring an ISP domain ... 354
    Configuring authentication methods for the ISP domain ... 355
    Configuring authorization methods for the ISP domain ... 356
    Configuring accounting methods for the ISP domain ... 357
    AAA configuration example ... 359
Configuring RADIUS ... 363
    Overview ... 363
        Client/server model ... 363
        Security and authentication mechanisms ... 364
        Basic RADIUS message exchange process ...
    (entry cut) ... 87
    Switching to the management level ... 88
Configuring a loopback test ... 89
    Configuration guidelines ... 89
    Configuration procedure ... 89
Configuring VCT ... 91
    Overview ... 91
    Testing cable status ... 91
Configuring the flow interval ... 92
    Viewing port traffic statistics ... 92
Configuring RMON ... 93
    Overview ... 93
        Working mechanism ... 93
        RMON groups ... 93
    RMON configuration ... 95
    Configuring a statistics entry ... 97
    Configuring a history entry ... 98
    Configuring an event entry ... 99
    Configuring an alarm entry ... 100
    Displaying RMON statistics ... 101
    Displaying RMON history sampling information ... 103
    Displaying RMON event logs ... 104
    RMON configuration example ... 105
Configuring energy saving ... 109
    Configuring energy saving on a port ... 109
Configuring (entry cut) ... 11
168. (Table of contents, continued)
Setting the aging time of MAC address entries ... 175
MAC address table configuration example ... 175
Network requirements ... 175
Creating a static MAC address entry ... 176
Configuring MSTP ... 177
Introduction to STP ... 177
STP protocol packets ... 177
Basic concepts in STP ... 178
Calculation process of the STP algorithm ... 179
Introduction to RSTP ... 184
Introduction to MSTP ... 185
MSTP basic concepts ... 185
MSTP implementation
169. (Web interface function menus, continued)
Function menu | Description | User level
ARP, Management | Add, modify and remove ARP entries | Configure
ARP, Gratuitous ARP | Display the configuration information about gratuitous ARP | Monitor
ARP, Gratuitous ARP | Configure gratuitous ARP | Configure
ARP Anti-Attack, ARP Detection | Display ARP detection configuration information | Monitor
ARP Anti-Attack, ARP Detection | Configure ARP detection | Configure
IGMP Snooping, Basic | Display global IGMP snooping configuration information, or the IGMP snooping configuration information in a VLAN and the IGMP snooping multicast entry information | Monitor
IGMP Snooping, Basic | Configure IGMP snooping globally or in a VLAN | Configure
IGMP Snooping, Advanced | Display the IGMP snooping configuration information on a port | Monitor
IGMP Snooping, Advanced | Configure IGMP snooping on a port | Configure
MLD Snooping, Basic | Display global MLD snooping configuration information, or the MLD snooping configuration information in a VLAN and the MLD snooping multicast entry information | Monitor
MLD Snooping, Basic | Configure MLD snooping globally or in a VLAN | Configure
MLD Snooping, Advanced | Display the MLD snooping configuration information on a port | Monitor
MLD Snooping, Advanced | Configure MLD snooping on a port | Configure
IPv4 Routing, Summary | Display the IPv4 active route table | Monitor
IPv4 Routing, Create | Create an IPv4 static route | Configure
IPv4 Routing, Remove | Delete the selected IPv4 static routes | Configure
(Further menu names on this page appear without their descriptions: Authentication, IPv Routing, DHCP Service, Diagnostic Tools, MAC Authentication, 802.1X, Port Security, Summary, Create, Remove, DHCP Relay, DHCP Snooping, Se...)
170. (Table of contents, continued)
Configuration guidelines ... 59
Configuring syslog ... 61
Displaying syslogs
Setting the log host ... 62
Setting buffer capacity and refresh interval ... 63
Managing the configuration ... 64
Backing up the configuration ... 64
Restoring the configuration ... 64
Saving the configuration ... 65
Resetting the configuration ... 66
Managing files ... 67
Displaying files ... 67
Downloading a file ... 67
Uploading a file ... 68
Removing a file ... 68
Specifying the main boot file ... 68
Managing ports ... 69
Setting operation parameters for a port ... 69
Displaying port operation parameters
171. (Table of contents, continued)
Displaying a specified operation parameter for all ports ... 73
Displaying all the operation parameters for a port ... 74
Port management configuration example ... 75
Network requirements ... 75
Configuring the switch ... 75
Configuring port mirroring ... 79
Terminology ... 79
Mirroring destination ... 79
Mirroring direction ... 79
Mirroring group ... 79
Local port mirroring ... 79
Configuration restrictions and guidelines ... 80
Recommended configuration procedures ... 80
Configuring a mirroring group ... 80
Configuring ports for the mirroring group
Local port mirroring configuration example ... 83
Network requirements ... 83
Configuration procedure ... 83
Adding a local user ... 86
Setting the super password
172. (Residue of a port list: GigabitEthernet1/0/5 Enabled TxRx; GigabitEthernet1/0/7 Disabled TxRx; GigabitEthernet1/0/8 Disabled TxRx; GigabitEthernet1/0/9 Disabled TxRx; GigabitEthernet1/0/11 Enabled TxRx; GigabitEthernet1/0/12 Enabled TxRx; GigabitEthernet1/0/15 Disabled TxRx. 28 records, 15 per page, page 1/2, records 1-15.)

Configuring the switch at the CLI

The HP 1920 Switch Series can be configured through the CLI, the Web interface, and SNMP/MIB, among which the Web interface supports all 1920 Switch Series configurations. These configuration methods are suitable for different application scenarios. As a supplement to the Web interface, the CLI provides some configuration commands to facilitate your operation, which are described in this chapter. To perform other configurations not supported by the CLI, use the Web interface.

You will enter user view directly after you log in to the device. Commands in the document are all performed in user view.

Getting started with the CLI

As a supplement to the Web interface, the CLI provides some configuration commands to facilitate your operation. For example, if you forget the IP address of VLAN-interface 1 and cannot log in to the device through the Web interface, you can connect the console port of the device to a PC and reconfigure the IP address of VLAN-interface 1 at the CLI. This section describes using the CLI to manage the device.

Setting up the co
173. Fail VLAN
You can configure an Auth-Fail VLAN on a port to accommodate MAC authentication users that have failed MAC authentication on the port. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. If no MAC Auth-Fail VLAN is configured, the user that fails MAC authentication cannot access any network resources.

If a user in the Auth-Fail VLAN passes MAC authentication, it is removed from the Auth-Fail VLAN and can access all authorized network resources. If not, the user stays in the Auth-Fail VLAN.

A hybrid port is always assigned to an Auth-Fail VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

Configuration prerequisites

Before you configure MAC authentication, complete the following tasks:
1. Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."
   o For local authentication, you must also create local user accounts, including usernames and passwords, and specify the lan-access service for local users.
   o For RADIUS authentication, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user.
2. Make sure the port security
174. (Figure residue: Port Setup tab for GigabitEthernet1/0/1 and GigabitEthernet1/0/2. Basic Settings: LLDP Operating Mode Rx; Encapsulation ETHII; CDP Operating Mode Disable; LLDP Polling Interval (seconds, 1-30); LLDP Trapping Disable. Base TLV Settings: Port Description, System Capabilities, System Description, System Name, Management Address (String). Additional Settings; Apply; Cancel.)

Enable global LLDP:
   a. Click the Global Setup tab, as shown in Figure 211.
   b. Select Enable from the LLDP Enable list.
   c. Click Apply. A progress dialog box appears.
   d. Click Close on the progress dialog box when it prompts that the configuration succeeds.

Figure 211 The global setup tab
(Figure residue: Global Setup tab with LLDP Enable; CDP Compatibility; Fast LLDPDU Count (1-10, default 3); TTL Multiplier (2-10, default 4); Trap Interval (seconds, up to 3600, default 5); Reinit Delay (seconds, default 2); Tx Delay (seconds, default 2); Tx Interval (seconds, default 30).)

Configuring Switch B
1. (Optional.) Enable LLDP on port GigabitEthernet 1/0/1. By default, LLDP is enabled on Ethernet ports.
   Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1:
   a. From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed.
   b. Click the icon for port GigabitEthernet 1/0/1.
   c. Select Tx from the LLDP O
175. (Figure residue: the Ports With 802.1X Enabled area, with columns Port, Port Control, Port Authorization, Max Users, Handshake, Re-Authentication, Guest VLAN, Auth-Fail VLAN, Operation; buttons Add and Del Selected.)

2. Configure 802.1X for GigabitEthernet 1/0/1:
   a. In the Ports With 802.1X Enabled area, click Add.
   b. Select GigabitEthernet1/0/1 from the Port list.
   c. Click Apply.

Figure 332 Configuring 802.1X for GigabitEthernet 1/0/1
(Figure residue: Apply 802.1X Port Configuration: Port GigabitEthernet1/0/1; Port Control MAC Based; Port Authorization Auto; Max Number of Users 256 (1-256, default 256); Enable Handshake; Enable Re-Authentication; Guest VLAN (1-4094); Enable MAC VLAN (only hybrid ports support this configuration); Auth-Fail VLAN (1-4094). Items marked with an asterisk are required. Apply; Cancel.)

Verifying the configuration

After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.
1. From the navigation tree, select Network > Diagnostic Tools. The ping page appears.
2. Enter the destination IP address 10.0.0.1. Click Start.

Figure 333 shows the ping operation summary.

Figure 333 Ping operation summary
PING 10.0.0.1: ... data bytes
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.0.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
176. HP 1920 Gigabit Ethernet Switch Series User Guide
Part number: 5998-5627
Software version: Release 1102
Document version: 5W100-20140620

Legal and notice information

Copyright 2014 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents
Configuring the switch in the Web interface ... 2
Restrictions and guidelines ... 2
Operating system requirements ... 2
Web browser req
177. Figure 182 The port summary tab
(Figure residue: Region, Global, Port Setup; port GigabitEthernet1/0/1, Instance 0, state DOWN. Fields shown: Port Protocol (enabled), Port Role (CIST Disabled), Port Priority (128), Port Cost (Legacy) (Config=auto, Active=200000), Desg. Bridge/Port, Port Edged (Config=enabled, Active=enabled), Point-to-point (Config=auto, Active=false).)

Table 62 Field description
Field | Description
FORWARDING | The port is in forwarding state, so the port learns MAC addresses and forwards user traffic.
LEARNING | The port is in learning state, so the port learns MAC addresses but does not forward user traffic.
DISCARDING | The port is in discarding state, so the port does not learn MAC addresses or forward user traffic.
DOWN | The port is down.
Port Protocol | Whether STP is enabled on the port.
Port Role | Role of the port, which can be Alternate, Backup, Root, Designated, Master, or Disabled.
Port Priority | Priority of the port.
Port Cost (Legacy) | Path cost of the port. The field in the bracket indicates the standard used for port path cost calculation, which can be legacy, dot1d-1998, or dot1t. Config indicates the configured value and Active indicates the actual value.
Desg. Bridge/Port | Designated bridge ID and port ID of the port. The port ID displayed is insignificant for a port that does not support port priority
178. IGMP snooping concepts

This section lists the basic IGMP snooping concepts.

IGMP snooping related ports

As shown in Figure 228, IGMP snooping runs on Switch A and Switch B. Host A and Host C are receivers in a multicast group.

Figure 228 IGMP snooping related ports
(Figure residue: Router A connected to Switch A (GE1/0/1, GE1/0/2, GE1/0/3) and Switch B (GE1/0/1, GE1/0/2); Source; Hosts A through D, with receivers marked. Legend: router port, member port, multicast packets.)

The following describes the ports involved in IGMP snooping:
• Router port: Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and IGMP queriers. In Figure 228, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports. A switch records all its local router ports in its router port list. Do not confuse the router port in IGMP snooping with the routed interface commonly known as the Layer 3 interface. The router port in IGMP snooping is a Layer 2 interface.
• Member port: Multicast receiver-side port. In Figure 228, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of Switch A and GigabitEthernet 1/0/2 of Switch B are member ports. A switch records all its member ports in the IGMP snooping forwarding table.

Unless otherwise specified, router ports and member ports in this document include both dynamic and
179. IP-to-MAC binding, as described in Table 97.
5. Click Apply.

Table 97 Configuration items
Item | Description
IP Address | Enter the IP address of a DHCP client.
MAC Address | Enter the MAC address of the DHCP client.
Interface Name | Select the Layer 3 interface connected with the DHCP client. IMPORTANT: The interface of a static binding entry must be configured as a DHCP relay agent. Otherwise, address entry conflicts might occur.

DHCP relay agent configuration example

Network requirements

As shown in Figure 279, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.1/24. VLAN-interface 2 is connected to the DHCP server, whose IP address is 10.1.1.1/24. The switch forwards DHCP messages between DHCP clients and the DHCP server.

Figure 279 Network diagram
(Figure residue: DHCP clients on Vlan-int1 10.10.1.1/24 of Switch A (DHCP relay agent); Vlan-int2 10.1.1.2/24 toward the DHCP server.)

Configuring Switch A
1. Enable DHCP:
   a. From the navigation tree, select Network > DHCP to enter the default DHCP Relay page.
   b. Select the Enable option next to DHCP Service, as shown in Figure 280.
   c. Click Apply.

Figure 280 Enabling DHCP
(Figure residue: DHCP Relay and DHCP Snooping tabs; DHCP Service: Enable / Disable; Display Advanced Configuration; Apply; Cancel; Server Group)
180. ISP domain

On the NAS, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the NAS considers that the user belongs to the default ISP domain.

AAA allows you to manage users based on their access types:
• LAN users: Users on a LAN who must pass 802.1X or MAC address authentication to access the network.
• Login users: Users who want to log in to the device, including SSH users, Telnet users, Web users, FTP users, and terminal users.

In addition, AAA provides command authorization for login users to improve device security. Command authorization enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, and allows login users to execute only authorized commands.

Configuration prerequisites

To deploy local authentication, configure local users on the access device. See "Configuring users."
To deploy remote authentication, authorization, or accounting, configure the RADIUS schemes to be referenced. See "Configuring RADIUS."

Recommended configuration procedure
Step | Remarks
1. Configuring an ISP domain | Optional. Create ISP domains and specify one of them as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.
2. Configuring authentication methods for the ISP domain | Optional. Configure authentication methods for various types of users. By default, all types of users use local authen
181. IUS server
(Figure residue: EAP packets over LAN between the client and the device; EAP packets over RADIUS between the device and the RADIUS server; EAP authentication end to end.)

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to enable EAP relay. Some network access devices provide the EAP server function, so you can use EAP relay even if the RADIUS server does not support any EAP authentication method or no RADIUS server is available.

EAP termination mode

In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 305.

Figure 305 EAP termination
(Figure residue: Client, Device, RADIUS server; EAP packets over LAN and EAP authentication between client and device; RADIUS and PAP/CHAP authentication between device and RADIUS server.)

Comparing EAP relay and EAP termination
Packet exchange method | Benefits | Limitations
EAP relay | • Supports various EAP authentication methods. • The configuration and processing is simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes and the EAP authentication method used by the client.
EAP termination | Works with any RADIUS ... | • Supports only MD5-Challenge EAP authentication and the username/password EAP authentication in
182. If the check fails, a dialog box appears telling you that the current configuration and the saved configuration are inconsistent, and the device is not rebooted. In this case, save the current configuration manually before you reboot the device.
   o If you do not select the box, the system reboots the device directly.

Electronic label

Electronic label allows you to view information about the device electronic label, which is also known as the permanent configuration data or archive information. The information is written into the storage medium of a device or a card during the debugging and testing processes, and includes card name, product bar code, MAC address, debugging and testing dates, and manufacturer name.
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Electronic Label tab to view the electronic label information.

Figure 42 Electronic label
(Figure residue: Device Maintenance tabs including Software Upgrade, Electronic Label and Diagnostic Information; Search / Advanced Search; a table with columns including Device, Name, Serial Number and MAC, with one row for an HP 1920-24G switch.)

Diagnostic information

Each functional module has its own running information. Generally, you view the output for each module one by one. To receive as much information as possible in one operation during daily maintenance or when a system failure occurs, the diagnostic information module allows you to save the running statistics of multiple fun
183. In EAP termination mode, the network access device, rather than the authentication server, generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

802.1X timers

This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other correctly.
• Username request timeout timer: Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
• Client timeout timer: Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
• Server timeout timer: Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
• Handshake timer: Sets the interval at which the access device sends client handshake requests to check the
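The EAP termination exchange described in the "EAP termination mode" passage and in the MD5-challenge paragraph above, carried through as an added example (not code from the HP 1920 manual or its firmware). The access device generates the MD5 challenge, the client answers with the EAP-MD5 response defined in RFC 3748 (the CHAP hash of RFC 1994, MD5(Identifier || password || challenge)), and the device forwards challenge and response to the RADIUS server as CHAP-Challenge and CHAP-Password attributes (RFC 2865); the server recomputes the hash from the password it holds. Class and function names, the sample user store, and the deterministic challenge used for the demonstration are all constructed for this example.

```python
"""EAP termination as CHAP relay (added example, not the switch's own code)."""
import hashlib
import hmac
import os


def md5_chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response: MD5(Identifier || secret || challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class AccessDevice:
    """The 802.1X authenticator in EAP termination mode. It, not the RADIUS
    server, generates the MD5 challenge (the manual's 'Step 4')."""

    def __init__(self, rng=os.urandom):
        self._rng = rng  # injectable so the exchange can be made deterministic in tests

    def build_md5_challenge(self, identifier: int) -> dict:
        # EAP-Request/MD5-Challenge (EAP type 4) carrying a 16-byte challenge value.
        return {"code": "Request", "id": identifier, "type": 4, "value": self._rng(16)}

    def terminate_to_radius(self, eap_request: dict, eap_response: dict, username: str) -> dict:
        """Translate the terminated EAP exchange into the CHAP attributes of a
        RADIUS Access-Request: CHAP-Password = CHAP Ident (1 byte) || response."""
        if eap_response["id"] != eap_request["id"]:
            raise ValueError("EAP identifier mismatch: response does not answer this request")
        return {
            "User-Name": username,
            "CHAP-Challenge": eap_request["value"],
            "CHAP-Password": bytes([eap_response["id"] & 0xFF]) + eap_response["value"],
        }


def client_answer(eap_request: dict, password: bytes) -> dict:
    """The supplicant's EAP-Response/MD5-Challenge."""
    resp = md5_chap_response(eap_request["id"], password, eap_request["value"])
    return {"code": "Response", "id": eap_request["id"], "type": 4, "value": resp}


def radius_verify(access_request: dict, user_db: dict) -> bool:
    """Server side: look up the user's password, recompute, compare in constant time."""
    password = user_db.get(access_request["User-Name"])
    if password is None:
        return False
    chap_pw = access_request["CHAP-Password"]
    if len(chap_pw) != 17:  # 1-byte ident + 16-byte MD5
        return False
    ident, given = chap_pw[0], chap_pw[1:]
    expected = md5_chap_response(ident, password, access_request["CHAP-Challenge"])
    return hmac.compare_digest(expected, given)


def run_exchange(username: str, client_password: bytes, user_db: dict, rng=os.urandom) -> bool:
    """Whole exchange: device challenge -> client response -> device relays as CHAP -> server verdict."""
    device = AccessDevice(rng)
    req = device.build_md5_challenge(identifier=7)
    resp = client_answer(req, client_password)
    access_req = device.terminate_to_radius(req, resp, username)
    return radius_verify(access_req, user_db)


# Constructed RADIUS user store for the demonstration.
USER_DB = {"alice": b"correct horse"}

if __name__ == "__main__":
    print(run_exchange("alice", b"correct horse", USER_DB))  # True
    print(run_exchange("alice", b"wrong password", USER_DB))  # False
```

Note that the server only ever sees the MD5 digest, which is why the manual lists "works with any RADIUS server" as the benefit of termination and "only MD5-Challenge" as its limitation: no other EAP method can be collapsed into CHAP this way.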
184. (Figure residue: VLAN page with Modify Port and Remove tabs. VLAN range display: select an option to view all available VLANs or a subset of configured VLANs: "Display all VLANs (Note: this option may reduce browser response time)" or "Display a subset of all configured VLANs (example: 3, 5-10)". VLAN Summary columns: ID, Description, Untagged Membership, Tagged Membership.)

   d. Click Modify VLAN to enter the page for modifying the ports in a VLAN.
   e. Select 100 - VLAN 0100 in the Please select a VLAN to modify list, select the Untagged option, and select GigabitEthernet 1/0/1 on the chassis front device panel.
   f. Click Apply. A configuration progress dialog box appears.
   g. After the configuration process is complete, click Close.

Figure 144 Assigning GigabitEthernet 1/0/1 to VLAN 100 as an untagged member
(Figure residue: Modify VLAN page. Please select a VLAN to modify: 100 - VLAN 0100. Modify Description (optional): VLAN 0100 (1-32 chars). Select membership type: Not available for selection / Untagged / Tagged / Not A Member. Select ports to be modified and assigned to this VLAN (chassis front panel; Select All / Select None). Note: You can assign multiple ports in different membership types to this VLAN. Summary: Untagged Membership GE1/0/4; Tagged Membership. Apply; Cancel.)

Assign GigabitEthernet 1/0/1 to VLAN 2 and VLAN 6 through VLAN 50 as a tagged member:
   b. Click Modify Port to enter the
185. LAN, the link type of the port is automatically changed into hybrid.

Modifying ports
1. From the navigation tree, select Network > VLAN.
2. Click Modify Port to enter the page for modifying ports.

Figure 139 Modifying ports
(Figure residue: Modify Port page. Select Ports (Select All / Select None; Not available for selection). Select membership type: Untagged / Tagged / Not A Member / Link Type / PVID. Enter VLAN IDs to which the port is to be assigned (VLAN IDs, example: 1, 3, 5-10). Selected ports; Untagged Membership. Apply; Cancel.)

3. Modify the VLANs of a port, as described in Table 42.
4. Click Apply. A progress dialog box appears.
5. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.

Table 42 Configuration items
Item | Description
Select Ports | Select the ports to be modified.
Select membership type | Set the member types of the selected ports to be modified in the specified VLANs: • Untagged: Configures the ports to send the traffic of the VLANs after removing the VLAN tags. • Tagged: Configures the ports to send the traffic of the VLANs without removing the VLAN tags. • Not a Member: Removes the ports from the VLANs.
VLAN IDs | Set the IDs of the VLANs to or from which the selected ports are to be assigned or removed. When you set the VLAN IDs, follow these guidelines: • You cannot configure an access port as an untagged member
186. LAN IDs for the voice VLAN, the PVID of the access port, and the 802.1X guest VLAN for the functions to operate normally.
• If an IP phone sends untagged voice traffic, to deliver the voice VLAN function you must configure the PVID of the access port as the voice VLAN. As a result, 802.1X authentication does not take effect.

Security mode and normal mode of voice VLANs

Depending on their inbound packet filtering mechanisms, voice VLAN-enabled ports operate in one of the following modes:
• Normal mode: In this mode, both voice packets and non-voice packets are allowed to pass through a voice VLAN-enabled inbound port. When receiving a voice packet, the port forwards it without checking its source MAC address against the OUI addresses configured for the device. If the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN. In normal mode, the voice VLANs are vulnerable to traffic attacks: malicious users can forge a large amount of untagged packets and send them to voice VLAN-enabled ports to consume the voice VLAN bandwidth, affecting normal voice communication.
• Security mode: In this mode, only voice packets whose source MAC addresses comply with the recognizable OUI addresses can pass through the voice VLAN-enabled inbound port; all other packets are dropped. In a safe network, you can configure the voice VLANs to operate in norma
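The two filtering modes described above, as an added example (not code from the HP 1920 manual or its firmware). It models one voice VLAN-enabled inbound port: untagged frames are mapped to the PVID, frames that land in the voice VLAN are forwarded unconditionally in normal mode and only when the source MAC matches a configured OUI/mask pair in security mode, and frames in other VLANs are untouched. The port class, frame records and OUI entry are constructed for this example; the burst of forged untagged frames shows why normal mode leaves the voice VLAN bandwidth exposed and how security mode drops it.

```python
"""Voice VLAN inbound filtering: normal mode vs security mode (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb-ccdd-eeff."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


@dataclass
class VoiceVlanPort:
    voice_vlan: int
    pvid: int
    security_mode: bool
    # Configured OUI entries as (address, mask); a 24-bit OUI uses mask ff:ff:ff:00:00:00.
    oui_list: List[Tuple[str, str]] = field(default_factory=list)
    stats: dict = field(default_factory=lambda: {"forwarded": 0, "dropped": 0})

    def is_voice_source(self, src_mac: str) -> bool:
        """True when the source MAC matches any configured OUI under its mask."""
        src = mac_to_int(src_mac)
        return any(src & mac_to_int(mask) == mac_to_int(oui) & mac_to_int(mask)
                   for oui, mask in self.oui_list)

    def classify(self, src_mac: str, vlan_tag: Optional[int]) -> Tuple[str, Optional[int]]:
        """Decide one inbound frame: ("forward", vlan) or ("drop", None).
        Untagged frames are assigned to the PVID, which in manual assignment mode
        is the voice VLAN itself when the phone sends untagged traffic."""
        vlan = vlan_tag if vlan_tag is not None else self.pvid
        if vlan == self.voice_vlan and self.security_mode and not self.is_voice_source(src_mac):
            # Security mode: only recognised OUI sources may enter the voice VLAN.
            self.stats["dropped"] += 1
            return ("drop", None)
        # Normal mode forwards voice-VLAN frames without any OUI check;
        # frames in other VLANs are never subject to the voice VLAN filter.
        self.stats["forwarded"] += 1
        return ("forward", vlan)


# Constructed sample frames: (source MAC, 802.1Q tag or None for untagged).
SAMPLE_FRAMES = [
    ("00:e0:bb:12:34:56", None),  # IP phone, untagged, lands in PVID = voice VLAN
    ("00:e0:bb:aa:bb:cc", 100),   # IP phone, tagged with the voice VLAN
    ("52:54:00:de:ad:01", None),  # forged untagged frame, not a voice OUI
    ("52:54:00:de:ad:02", None),  # forged untagged frame, not a voice OUI
    ("52:54:00:de:ad:03", 20),    # ordinary data VLAN traffic
]


def run_mode(security_mode: bool) -> dict:
    """Run the sample burst through a port in the given mode and return the decisions."""
    port = VoiceVlanPort(voice_vlan=100, pvid=100, security_mode=security_mode,
                         oui_list=[("00:e0:bb:00:00:00", "ff:ff:ff:00:00:00")])  # constructed OUI entry
    decisions = [port.classify(mac, tag) for mac, tag in SAMPLE_FRAMES]
    return {"decisions": decisions, **port.stats}


if __name__ == "__main__":
    print("normal  :", run_mode(False))   # everything forwarded, forged frames included
    print("security:", run_mode(True))    # the two forged untagged frames are dropped
```

The OUI check is a prefix match under a mask, so the same code also covers OUI entries narrower or wider than 24 bits; the sample entry uses the common 24-bit form.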
187. LD snooping globally:
   a. Select Network > MLD snooping from the navigation tree.
   b. Select Enable.
   c. Click Apply.

Figure 250 Enabling MLD snooping globally
(Figure residue: MLD Snooping: Enable / Disable; Apply. VLAN Configuration table with columns VLAN ID, MLD Snooping, Version, Querier, Query Interval, General Query Source Address, Special Query Source Address, Operation; VLANs 1, 100, 200 and 300 listed with MLD snooping Disabled, version 1, querier Disabled, query interval 125, and source addresses FE80::2FF:FFFF:FE00:1. Show Entries; Refresh.)

Enable MLD snooping in VLAN 100:
   a. Click the icon for VLAN 100.
   b. Select Enable for MLD snooping.
   c. Select 1 for Version.
   d. Click Apply.

Figure 251 Enabling MLD snooping in VLAN 100
(Figure residue: VLAN Configuration, VLAN ID 100. MLD Snooping: Enable / Disable. Version: 1 / 2. Querier: Enable / Disable. Query Interval: 125 seconds (2-300, default 125). General Query Source Address: FE80::2FF:FFFF:FE00:1 (IPv6 link-local address, default FE80::2FF:FFFF:FE00:1). Special Query Source Address: FE80::2FF:FFFF:FE00:1 (IPv6 link-local address, default FE80::2FF:FFFF:FE00:1). Items marked with an asterisk are required. Apply; Cancel.)

Verifying the configuration

Select Network > MLD snooping from the navigation
188. LDP operating mode on the port or ports you are configuring:
• TxRx: Sends and receives LLDP frames.
• Tx: Sends but does not receive LLDP frames.
• Rx: Receives but does not send LLDP frames.
• Disable: Neither sends nor receives LLDP frames.

Item | Description
Encapsulation Format | Set the encapsulation for LLDP frames: • ETHII: Encapsulates outgoing LLDP frames in Ethernet II frames and processes an incoming LLDP frame only if its encapsulation is Ethernet II. • SNAP: Encapsulates outgoing LLDP frames in Ethernet II frames and processes an incoming LLDP frame only if its encapsulation is Ethernet II. LLDP-CDP PDUs use only SNAP encapsulation.
CDP Operating Mode | Set the CDP compatibility of LLDP: • Disable: Neither sends nor receives CDP frames. • TxRx: Sends and receives CDP frames. To enable LLDP to be compatible with CDP on the port, you must enable CDP compatibility on the Global Setup tab and set the CDP operating mode on the port to TxRx.
LLDP Polling Interval | Enable LLDP polling and set the polling interval. If no polling interval is set, LLDP polling is disabled. With the polling mechanism, LLDP periodically detects local configuration changes. If a configuration change is detected, an LLDP frame is sent to inform the LLDP neigh
LLDP Trapping | (description continues beyond this page)
Base TLV Settings (Port Description, System Capabilities, System Description, System Name, Management Address) | (description continues beyond this page)
189. Access Right | Set the NMS access right: • Read only: The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent. • Read and write: The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent.
View | Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS.
ACL | Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source IP address.

Configuring an SNMP group
1. Select Device > SNMP from the navigation tree.
2. Click the Group tab. The Group tab appears.

Figure 108 SNMP group
(Figure residue: Setup, Community, User, Trap and Group tabs; Search / Advanced Search. Columns: Group Name, Security Level, Read view, Write View, Notify view, ACL, Operation. One row: group1, NoAuth/NoPriv, ViewDefault, ViewDefault, ViewDefault, 2001. Add; Delete Selected.)

3. Click Add. The Add SNMP Group page appears.

Figure 109 Creating an SNMP group
(Figure residue: Add SNMP Group: Group Name (chars), Security Level, Read View, Write View, Notify View, ACL. Items marked with an asterisk are required. Apply; Cancel.)

4. Configure the SNMP group as described in Table 36.
5. Click Apply.

Table 36 Configuration items
Item | Description
Group Name | Set the SNMP group name.
Security Level | Select the security level for the SNMP group: • NoAuth/NoPriv: N
190. N and select RADIUS as the authentication mode.
   c. Select system from the Name list to use it as the authentication scheme.
   d. Click Apply. A configuration progress dialog box appears.
   e. After the configuration process is complete, click Close.

Figure 359 Configuring the AAA authentication method for the ISP domain
(Figure residue: Authentication tab of Configuration of AAA. Select an ISP domain: test. Default AuthN: RADIUS, Name: system, Secondary Method. LAN-access AuthN, Login AuthN, PPP AuthN and Portal AuthN rows, each with Name and Secondary Method.)

Figure 360 Configuration progress dialog box
(Figure residue: Current Configuration: Setting Default AuthN - OK.)

Select the Authorization tab to configure the authorization scheme:
   a. Select the domain name test.
   b. Select Default AuthZ and select RADIUS as the authorization mode.
   c. Select system from the Name list to use it as the authorization scheme.
   d. Click Apply. A configuration progress dialog box appears.
   e. After the configuration process is complete, click Close.

Figure 361 Configuring the AAA authorization method for the ISP domain
(Figure residue: Authorization tab of Configuration of AAA. Select an ISP domain: test. Default AuthZ: RADIUS, system, Secondary Method. LAN-access AuthZ, Login AuthZ and PPP AuthZ rows, each with Name and Secondary Method.)
191. (continued)
• None: No authentication. This method trusts all users and is not for general use.
• RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
• Not Set: The device uses the settings in the Default AuthN area for LAN access users.
Login AuthN, Name, Secondary Method: Configure the authentication method and secondary authentication method for login users. Options include:
• HWTACACS: HWTACACS authentication. You must specify the HWTACACS scheme to be used.
• Local: Local authentication.
• None: No authentication. This method trusts all users and is not for general use.
• RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
• Not Set: The device uses the settings in the Default AuthN area for login users.

Configuring authorization methods for the ISP domain
1. Select Authentication > AAA from the navigation tree.
2. Click the Authorization tab.
Figure 337 Authorization method configuration page
3. Select the ISP domain and specify authorization methods for the ISP domain as described in Table 110.
4. Click Apply.
Table 110 Configura
192. (contents, continued)
[illegible] 217
LLDP operating [illegible] 272
Working mechanism 221
Protocols and standards 222
Recommended LLDP configuration procedure 227
Enabling LLDP on ports 293
Setting LLDP parameters on ports 224
Setting LLDP parameters for a single port 224
Setting LLDP parameters for ports in batch 207
Configuring LLDP globally 227
Displaying LLDP information for a port 229
Displaying global LLDP information 234
Displaying LLDP information received from LLDP neighbors 236
LLDP configuration example 236
Network requirements 236
Configuring [illegible] 236
Configuring [illegible] 239
Verifying the configuration 239
LLDP configuration guidelines 241
Configuring [illegible] 242
Overview 242
[illegible] 242
ARP operating mechanism 242
ARP [illegible] 243
[illegible] 244
Configuring [illegible] 244
Displaying [illegible] 244
Creating a stat
193. (contents, continued)
P relay agent 297
[illegible] 207
Recommended configuration procedure 298
Enabling DHCP and configuring advanced parameters for the DHCP relay agent 299
Creating a DHCP server group 300
Enabling the DHCP relay agent on an interface 30
Configuring and displaying clients' IP-to-MAC bindings 302
DHCP relay agent configuration example 303
Configuring DHCP snooping 306
[illegible] 306
Application of trusted ports 306
DHCP snooping support for Option 82 308
Recommended configuration procedure 308
Enabling DHCP snooping 309
Configuring DHCP snooping functions on an interface 309
Displaying clients' IP-to-MAC bindings 310
DHCP snooping configuration example 311
[illegible] 314
[illegible] 314
Managing [illegible] 315
Using diagnostic [illegible]
194. (continued)
User-level column values whose rows are on the preceding page: Monitor, Management, Management, Management, Monitor, Management, Monitor, Management, Monitor, Configure, Monitor.
Function menu: PKI domains
Description | User level
Add, modify and delete a PKI domain | Configure
Display the certificate information about PKI domains and the contents of a certificate | Monitor
Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate and delete a certificate | Configure
Display the contents of the CRL | Monitor
Receive the CRL of a domain | Configure
Display port isolation group information | Monitor
Configure the ports in an isolation group | Configure
Display the configurations of authorized IP, the associated IPv4 ACL list and the associated IPv6 ACL list | Management
Configure authorized IP | Management
Display and configure system loopback detection parameters and port loopback detection parameters | Configure
Display time range configuration information | Monitor
Create a time range | Configure
Delete a time range | Configure
Display IPv4 ACL configuration information | Monitor
Create an IPv4 ACL | Configure
Configure a rule for a basic IPv4 ACL | Configure
Configure a rule for an advanced IPv4 ACL | Configure

Function menu | Description | User level
Link Setup | Create a rule for a link layer ACL | Configure
Remove | Delete an IPv4 ACL or its rules | Configure
Summary | Display IPv6 ACL configuration information | Monitor
Create | Create an IPv6 ACL | Configure
ACL IPv
195. (continued) PSE. You can also connect a PD to a redundant power source for reliability.
The PSE supplies power over category 3/5 twisted pair cable for a PoE interface in the following two modes:
• Over signal wires: The PSE uses data pairs (pins 1, 2 and 3, 6) to supply DC power to PDs.
• Over spare wires: The PSE uses spare pairs (pins 4, 5 and 7, 8) to supply DC power to PDs.
A PSE can supply power to a PD only when the selected power supply mode is supported by both the PSE and the PD. If the PSE and PD support different power supply modes (for example, the PSE does not support power over spare wires while the PD supports power over spare wires), you have to change the order of the lines in the twisted pair cable to supply power to the PD.
Figure 488 PoE system diagram

Configuring PoE
Before configuring PoE, make sure the PoE power supply and PSE are operating correctly. Otherwise, either you cannot configure PoE or the PoE configuration does not take effect.
Configuring PoE ports
1. Select PoE > PoE from the navigation tree.
2. Click the Port Setup tab.
Figure 489 Port Setup tab
[Figure residue: port selection panel with Select All and Select None; note that Select All and Select None apply only to the current unit; legend: Selected, Power Supplied, Power Enabled, Power Disabled, Not Supported, Power Fault]
Power State: No Change
Power Max: 1000 to 40000 milliwa
196. (continued)
[Figure residue: behavior configuration fields (Percent 1 to 100, WFQ 16 to 4096, Filter: Deny, Accounting: Enable); Behavior Detail: behavior1, none]
8. Add a policy:
   a. Select QoS > QoS Policy from the navigation tree.
   b. Click the Add tab.
   c. Enter the policy name policy1.
   d. Click Add.
Figure 485 Adding a policy
9. Configure classifier-behavior associations for the policy:
   a. Click the Setup tab.
   b. Select policy1.
   c. Select class1 from the Classifier Name list.
   d. Select behavior1 from the Behavior Name list.
   e. Click Apply.
Figure 486 Configuring classifier-behavior associations for the policy
10. Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1:
   a. Select QoS > Port Policy from the navigation tree.
   b. Click the Setup tab.
   c. Select policy1 from the Please select a policy list.
   d. Select Inbound from the Direction list.
   e. Select port GigabitEthernet 1/0/1.
   f. Click Apply. A configuration progress dialog box appears.
   g. Click Close when the progress dialog box prompts that the configuration succeeds.
Figure 487 Applying the QoS policy in the inbound direction of GigabitEthernet 1/0/1
197. (continued)
[Figure residue: Portal AuthZ Name / Secondary Method; Command AuthZ Name]
5. Select the Accounting tab to configure the accounting scheme:
   a. Select the domain name test.
   b. Select Accounting Optional and select Enable from the list.
   c. Select Default Accounting and select RADIUS as the accounting mode.
   d. Select system from the Name list to use it as the accounting scheme.
   e. Click Apply. A configuration progress dialog box appears.
   f. After the configuration process is complete, click Close.
Figure 362 Configuring the AAA accounting method for the ISP domain
Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
• Accounting for FTP users is not supported.
• If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.
• The status of RADIUS servers (blocked or active) determines which servers the device will communicate with or turn to when the current servers are not availa
198. (continued)
Ports Enabled With Advanced Features
Figure 415 Ports Enabled With Advanced Features area
[Figure residue: columns Port, Security Mode, Intrusion Protection, Outbound Restriction, Ignore Authorization, Operation; sample row GigabitEthernet1/0/4, MAC Auth, Disable; Add and Del Selected buttons; Permitted OUIs for ports working in the mode of 802.1X MAC-Based Or OUI]
3. Click Add. The page for configuring advanced port security control appears.
Figure 416 Configuring advanced port security control
[Figure residue: Port GigabitEthernet1/0/2; Security Mode MAC Auth; Enable Intrusion Protection: Disable Port Temporarily; Enable Outbound Restriction: Only MAC Known Unicasts; Ignore Authorization; Apply and Cancel]
4. Configure advanced port security control as described in Table 131.
5. Click Apply.
Table 131 Configuration items
Item: Description
Port: Selects a port where you want to configure port security. By default, port security is disabled on all ports and access to the ports is not restricted.
Security Mode: Selects a port security mode. For more information about advanced security modes, see Table 127.
Enable Intrusion Protection, Enable Outbound Restriction, Ignore Authorization: Specifies whether to enable intrusion protection and selects an action to be taken upon detection of illegal frames. Available actio
199. (contents, continued)
[illegible] 440
Port isolation configuration example 44
Configuring authorized [illegible] 443
Configuration procedure 443
Authorized IP configuration example 444
[illegible] 444
Configuration procedure 444
Configuring loopback detection 447
Recommended configuration procedure 447
Configuring loopback detection globally 447
Configuring loopback detection on a port 448
Configuring [illegible] 450
[illegible] 450
ACL categories 450
[illegible] 450
Implementing time-based ACL 452
IPv4 fragments filtering with ACLs 452
Configuration guidelines 452
Recommend ACL
200. (continued)
IMPORTANT: Uploading a file takes some time. HP recommends not performing any operation on the Web interface during the upload.
1. Select Device > File Management from the navigation tree to enter the file management page (see Figure 57).
2. In the Upload File area, select the medium for saving the file from the Please select disk list.
3. Click Browse to navigate to the file to be uploaded.
4. Click Apply.
Removing a file
1. Select Device > File Management from the navigation tree to enter the file management page (see Figure 57).
2. Do one of the following:
   o Click the delete icon of a file to remove the file.
   o Select a file from the file list and click Remove File.
3. To remove multiple files, repeat step 2, or select the files from the file list and click Remove File.
Specifying the main boot file
1. Select Device > File Management from the navigation tree to enter the file management page (see Figure 57).
2. From the Please select disk list, select the medium that holds the application file to be used as the main boot file.
3. Select the application file (.bin or .app file) from the file list.
4. Click Set as Main Boot File.

Managing ports
You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface.
• For a Layer 2 Ethernet port, these operation parameters include its state, speed, duplex mode, link type, PVID, description, MDI mode, flow control sett
201. (continued)
2. Configuring MSTP globally: Required. Enable STP globally and configure MSTP parameters. By default, STP is enabled globally. All MSTP parameters have default values.
3. Configuring MSTP on a port: Optional. Enable MSTP on a port and configure MSTP parameters. By default, MSTP is enabled on a port and all MSTP parameters adopt the default values.
Step: Remarks
4. Displaying MSTP information of a port: Optional. Display MSTP information of a port in MSTI 0, the MSTI to which the port belongs, and the path cost and priority of the port.
Configuring an MST region
1. From the navigation tree, select Network > MSTP. By default, the Region tab is displayed.
Figure 178 MST region
[Figure residue: Format Selector, Region Name, Revision Level; Modify button; Instance / VLAN Mapped (0, 1 to 4094)]
2. Click Modify.
Figure 179 Configuring an MST region
[Figure residue: Region Name 00e0fc003620 (1 to 32 Chars); Manual / Modulo; Instance ID; VLAN ID (example: 1, 3, 5-10); Apply, Remove, Activate, Cancel]
3. Configure the MST region information as described in Table 58 and click Apply.
Table 58 Configuration items
Item: Description
Region Name: MST region name. The MST region name is the bridge MAC address of the device by default.
Revision Level: Revision level of the MST region.
Manual, Instance ID and VLAN Mapped: Manually add VLAN-to-instance mappings. Clic
202. (continued)
Figure 455 DS field and ToS field
[Figure residue: bits 0 to 7 of the IPv4 ToS octet or the IPv6 Traffic Class octet; Differentiated Services Codepoint (DSCP) with Class Selector codepoints; Currently Unused bits; RFC 2474]
As shown in Figure 455, the ToS field of the IP header contains 8 bits. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated services code point (DSCP) value is represented by the first 6 bits (0 to 5) and is in the range of 0 to 63. The remaining 2 bits (6 and 7) are reserved.
Table 145 Description on IP Precedence
IP Precedence (decimal) | IP Precedence (binary) | Description
0 | 000 | routine
1 | 001 | priority
2 | 010 | immediate
3 | 011 | flash
4 | 100 | flash-override
5 | 101 | critical
6 | 110 | internet
7 | 111 | network
Table 146 Description on DSCP values
DSCP value (decimal) | DSCP value (binary) | Description
46 | 101110 | ef
10 | 001010 | af11
12 | 001100 | af12
14 | 001110 | af13
18 | 010010 | af21
20 | 010100 | af22
22 | 010110 | af23
26 | 011010 | af31
28 | 011100 | af32
30 | 011110 | af33
34 | 100010 | af41
36 | 100100 | af42
38 | 100110 | af43
8 | 001000 | cs1
16 | 010000 | cs2
24 | 011000 | cs3
32 | 100000 | cs4
40 | 101000 | cs5
48 | 110000 | cs6
56 | 111000 | cs7
0 | 000000 | be (default)
802.1p priority
802.1p priority lies in Layer 2 packet headers and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Figure 456 An Ethernet frame with an 802.1Q tag heade
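The DS field layout and Tables 145 and 146 above are easy to get wrong in a classifier because bit 0 in Figure 455 is the most significant bit of the octet. The following is an added example, not code from the manual, that decodes a ToS or Traffic Class octet into its DSCP, PHB name and IP precedence using exactly the values of the two tables, and shows which class selector a DSCP collapses to on a device that only reads IP precedence; the sample octets are constructed.

```python
"""Decode and encode the IPv4 ToS / IPv6 Traffic Class octet as a DS field.

Added example (not from the HP manual). Bit numbering follows Figure 455 and
RFC 2474: bit 0 is the most significant bit of the octet, bits 0 to 5 carry
the DSCP and bits 6 and 7 are reserved (currently unused).
"""

# Table 146 of the manual as a DSCP -> per-hop-behaviour name map.
DSCP_NAMES = {
    46: "ef",
    10: "af11", 12: "af12", 14: "af13",
    18: "af21", 20: "af22", 22: "af23",
    26: "af31", 28: "af32", 30: "af33",
    34: "af41", 36: "af42", 38: "af43",
    8: "cs1", 16: "cs2", 24: "cs3", 32: "cs4",
    40: "cs5", 48: "cs6", 56: "cs7",
    0: "be",
}
NAME_TO_DSCP = {name: value for value, name in DSCP_NAMES.items()}

# Table 145: IP Precedence, carried in the three most significant bits.
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]


def decode_ds_field(octet: int) -> dict:
    """Split one ToS/Traffic Class octet into DSCP, precedence and CU bits."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("ToS octet must fit in one byte")
    dscp = octet >> 2          # bits 0..5 (MSB first) -> 0..63
    precedence = octet >> 5    # bits 0..2, also the class selector part of the DSCP
    cu = octet & 0x3           # bits 6..7, reserved in RFC 2474
    return {
        "dscp": dscp,
        "dscp_bin": format(dscp, "06b"),
        "phb": DSCP_NAMES.get(dscp),        # None for a codepoint not in Table 146
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "cu": cu,
    }


def encode_ds_field(phb: str, cu: int = 0) -> int:
    """Build the octet for a Table 146 PHB name, e.g. "af31" -> 0x68."""
    if phb not in NAME_TO_DSCP:
        raise KeyError(f"unknown PHB name {phb!r}")
    if not 0 <= cu <= 3:
        raise ValueError("CU bits must be 0..3")
    return (NAME_TO_DSCP[phb] << 2) | cu


def class_selector_of(dscp: int) -> str:
    """Name of the CS codepoint a DSCP degrades to on a precedence-only device.

    A legacy router reads only the top three bits, so af31 (011010) is treated
    like cs3 (011000). Every xxx000 codepoint is present in Table 146.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return DSCP_NAMES[dscp & 0b111000]


if __name__ == "__main__":
    # Constructed sample octets, not captured from a device.
    for octet in (0xB8, 0x68, 0x00, 0xE0, 0x05):
        print(hex(octet), decode_ds_field(octet))
```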
203. (continued)
[Figure residue: system log list, 15 records per page]
Table 12 Field description
Field: Description
Time/Date: Displays the time/date when the system log was generated.
Source: Displays the module that generated the system log.
Level: Displays the severity level of the system log. The information is classified into eight levels by severity:
• Emergency: The system is unusable.
• Alert: Action must be taken immediately.
• Critical: Critical condition.
• Error: Error condition.
• Warning: Warning condition.
• Notification: Normal but significant condition.
• Information: Informational message.
• Debug: Debug-level message.
Digest: Displays the brief description of the system log.
Description: Displays the content of the system log.
Setting the log host
1. Select Device > Syslog from the navigation tree.
2. Click the Loghost tab. The log host configuration page appears.
Figure 5
204. (index, continued)
See port security
   security 802.1X configuration 333
   security MAC authentication ACL assignment 411
   security MAC authentication configuration 404, 406, 408
   security MAC local authentication configuration 408
   specified operation parameter for all ports 73
   STP designated port 178
   STP root port 178
   VLAN port link type 135
port isolation configuration 440, 441
   Ethernet link aggregation class-two configuration class 206
port link type configuration 140
port mirroring
   adding local group 83
   configuration 79
   configuration restrictions 80
   destination 79
   direction bidirectional 79
   direction inbound 79
   direction outbound 79
   local 79
   local configuration 80
   local group monitor port 84
   local group port 81
   local group source port 84
   local mirroring configuration 83
   mirroring group 9
   recommended procedure 80
   source 9
   terminology 79
port security
   802.1X authentication configuration 336
   802.1X authorization status 322
   802.1X configuration 321, 332
   802.1X configuration global 332
   802.1X configuration port-specific 333
   802.1X controlled/uncontrolled 322
   advanced control configuration 428
   advanced mode configuration 433
   authentication modes 421
   basic control configuration 425
   basic mode configuration 430
   configuration 421, 423, 430
   configuration global 424
   configuration guidelines 423
   features 421
   intrusion protection feature 421
   outbound restriction 421
   permitted OUIs
205. (continued)
   a. In the RADIUS Server Configuration area, click Add.
   b. Configure the primary accounting server: select the server type Primary Accounting, enter the IP address 10.1.1.2 and the port number 1813, and enter expert in the Key field and the Confirm Key field.
   c. Click Apply.
Figure 398 Configuring a RADIUS accounting server
[Figure residue: Add RADIUS Server; Server Type Primary Accounting; IP Address (IPv4/IPv6) 10.1.1.2; Port 1813 (1 to 65535, default 1813); Key and Confirm Key (1 to 64 Chars)]
4. On the RADIUS configuration page, click Apply.
Figure 399 RADIUS configuration
[Figure residue: Add RADIUS Scheme; Scheme Name (1 to 32 Chars); Common configuration: Server Type Extended, Username Format Without domain name; Advanced; RADIUS Server Configuration listing Primary Authentication and Primary Accounting 10.1.1.2; items marked with an asterisk are required]
Configuring AAA for the scheme
1. Create an ISP domain:
   a. From the navigation tree, select Authentication > AAA.
   b. On the Domain Setup page, enter test in the Domain Name field and click Apply.
Figure 400 Creating an ISP domain
2. Configure the AAA authentication method for the ISP domain:
   a. Cl
206. (continued)
[Figure residue: Option 82 Support Enable/Disable; Option 82 Strategy Replace (default Replace); Cancel]
Managing services
Overview
Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services, modify HTTP and HTTPS port numbers, and associate the FTP, HTTP or HTTPS service with an ACL to block illegal users.
FTP service
FTP is an application layer protocol for sharing files between server and client over a TCP/IP network.
Telnet service
Telnet is an application layer protocol that provides remote login and virtual terminal functions.
SSH service
Secure Shell (SSH) offers an approach to securely logging in to a remote device. By encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception.
SFTP service
The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
HTTP service
HTTP is used for transferring webpage information across the Internet. It is an application layer protocol in the TCP/IP protocol suite. You can log in to the device by using the H
207. (continued) TTP protocol with HTTP service enabled, accessing and controlling the device with Web-based network management.
HTTPS service
The Hypertext Transfer Protocol Secure (HTTPS) refers to the HTTP protocol that supports the Secure Sockets Layer (SSL) protocol. The SSL protocol of HTTPS enhances the security of the device in the following ways:
• Uses the SSL protocol to ensure that legal clients access the device securely and to prohibit illegal clients.
• Encrypts the data exchanged between the HTTPS client and the device to ensure data security and integrity.
• Defines a certificate attribute-based access control policy for the device to control user access.
Managing services
1. Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 293.
Figure 293 Service management
[Figure residue: check boxes Enable FTP service, Enable Telnet service, Enable SSH service, Enable SFTP service, Enable HTTP service, Enable HTTPS service; Certificate; items marked with an asterisk are required; Apply and Cancel]
2. Enable or disable services on the page. Table 102 describes the detailed configuration items.
3. Click Apply.
Table 102 Configuration items
Item: Description
Enable FTP service: Enable or disable the FTP service. The FTP service is disabled by default.
FTP ACL: Associate the FTP service with an ACL. Only the clients that pass the ACL
208. (continued)
The rule configuration page for a basic IPv6 ACL appears.
Figure 451 Configuring a rule for a basic IPv6 ACL
[Figure residue: Select Access Control List (ACL); Configure a Basic ACL: Rule ID (0 to 65534; if no ID is entered the system will specify one), Operation, Check Fragment, Check Logging, Source IP Address, Source Prefix, Time Range; rule list columns Rule ID, Operation, Description, Time Range]
3. Add a rule for a basic IPv6 ACL as described in Table 143.
4. Click Add.
Table 143 Configuration items
Item: Description
Select Access Control List (ACL): Select the basic IPv6 ACL for which you want to configure rules.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule.
Operation: Select the operation to be performed for IPv6 packets matching the rule:
• Permit: Allows matched packets to pass.
• Deny: Drops matched packets.
Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments.
Check Logging: Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address, source/des
209. (continued) U of the port.
Power Stateful Control: Indicates the power state control configured on the sending port, including the following:
• Power supply mode of the PSE/PD
• PSE/PD priority
• PSE/PD power
The power stateful control TLV is defined in IEEE P802.3at D1.0. The later versions no longer support this TLV. HP devices send this type of TLVs only after receiving them.
LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for VoIP, such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs provide a cost-effective and easy-to-use solution for deploying voice devices in Ethernet. LLDP-MED TLVs are shown in Table 74.
Table 74 LLDP-MED TLVs
Type: Description
LLDP-MED Capabilities: Allows a network device to advertise the LLDP-MED TLVs that it supports.
Network Policy: Allows a network device or terminal device to advertise the VLAN ID of the specific port, the VLAN type and the Layer 2 and Layer 3 priorities for specific applications.
Extended Power-via-MDI: Allows a network device or terminal device to advertise power supply capability. This TLV is an extension of the Power Via MDI TLV.
Hardware Revision: Allows a terminal device to advertise its hardware version.
Firmware Revision: Allows a terminal device to advertise its firmware version.
Software Revision: Allows a terminal device to advertise its software version.
Serial Number: Allows
210. (continued) VLANs.
Port-based VLAN
Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
Port link type
You can configure the link type of a port as access, trunk or hybrid. The link types use the following VLAN tag handling methods:
• Access port: An access port belongs to only one VLAN and sends traffic untagged. It is usually used to connect a terminal device that cannot identify VLAN-tagged packets, or when it is unnecessary to separate different VLAN members. As shown in Figure 133, Device A is connected to common PCs that cannot recognize VLAN-tagged packets, and you must configure the ports of Device A that connect to the PCs as access ports.
• Trunk port: A trunk port can carry multiple VLANs to receive and send traffic for them. Except for traffic from the port VLAN ID (PVID), traffic sent through a trunk port will be VLAN tagged. Usually, ports that connect network devices are configured as trunk ports. As shown in Figure 133, Device A and Device B need to transmit packets of VLAN 2 and VLAN 3, and you must configure the ports interconnecting Device A and Device B as trunk ports and assign them to VLAN 2 and VLAN 3.
• Hybrid port: A hybrid port allows traffic of some VLANs to pass through untagged and traffic of some other VLANs to pass through tagged. Usually, hybrid ports are configured to connect devices whose support for VLAN-tagged packets is uncertain. As shown in Figure 133, Devic
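To make the three tag handling methods concrete, here is an added example, not code from the manual, that models the egress rules stated above (access ports send untagged, trunk ports tag everything except PVID traffic, hybrid ports tag or untag per VLAN) and walks a frame from a VLAN 2 PC through a constructed Figure 133 style topology; the port names and the ingress treatment of tagged frames are this example's assumptions.

```python
"""Model of access, trunk and hybrid port VLAN tag handling.

Added example, not code from the HP manual. The egress rules follow the VLAN
section of the manual; how tagged frames are classified on ingress is this
example's assumption (the page covers egress only).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    link_type: str                               # "access", "trunk" or "hybrid"
    pvid: int = 1                                # untagged frames are classified into the PVID
    tagged: set = field(default_factory=set)     # VLANs carried tagged (trunk/hybrid)
    untagged: set = field(default_factory=set)   # VLANs carried untagged (hybrid only)

    def __post_init__(self):
        if self.link_type not in ("access", "trunk", "hybrid"):
            raise ValueError(f"{self.name}: unknown link type {self.link_type!r}")
        if self.link_type == "hybrid" and self.tagged & self.untagged:
            raise ValueError(f"{self.name}: a VLAN cannot be both tagged and untagged")

    def members(self) -> set:
        """VLANs the port is assigned to; it forwards traffic only for these."""
        if self.link_type == "access":
            return {self.pvid}                   # an access port belongs to one VLAN
        if self.link_type == "trunk":
            return self.tagged | {self.pvid}     # PVID traffic leaves the trunk untagged
        return self.tagged | self.untagged


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame belongs to, or None if the port must drop it."""
    if tag is None:
        return port.pvid                         # untagged frame -> PVID
    if port.link_type == "access":
        return None                              # assumption: access ports take untagged frames only
    return tag if tag in port.members() else None


def egress_action(port: Port, vlan: int) -> Optional[str]:
    """'tagged', 'untagged', or None when the port does not carry the VLAN."""
    if vlan not in port.members():
        return None
    if port.link_type == "access":
        return "untagged"                        # access ports always send untagged
    if port.link_type == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"


def forward(in_port: Port, in_tag: Optional[int], out_port: Port) -> Optional[str]:
    """Combined result of receiving on in_port and sending on out_port."""
    vlan = classify_ingress(in_port, in_tag)
    if vlan is None:
        return None
    return egress_action(out_port, vlan)


# Constructed topology in the spirit of Figure 133 (port names are assumed):
# Device A has access ports for a VLAN 2 PC and a VLAN 3 PC and a trunk to
# Device B carrying VLAN 2 and VLAN 3 with PVID 1; Device B has a hybrid port.
A_PC_VLAN2 = Port("A:GE1/0/1", "access", pvid=2)
A_PC_VLAN3 = Port("A:GE1/0/2", "access", pvid=3)
A_TO_B = Port("A:GE1/0/24", "trunk", pvid=1, tagged={2, 3})
B_HYBRID = Port("B:GE1/0/5", "hybrid", pvid=2, untagged={2}, tagged={3})


def figure_133_walk() -> dict:
    """How a frame from the VLAN 2 PC appears on the other ports."""
    return {
        "to_trunk": forward(A_PC_VLAN2, None, A_TO_B),                  # "tagged"
        "to_vlan3_pc": forward(A_PC_VLAN2, None, A_PC_VLAN3),           # None
        "tagged_from_trunk_to_hybrid": forward(A_TO_B, 2, B_HYBRID),    # "untagged"
        "vlan3_on_hybrid": egress_action(B_HYBRID, 3),                  # "tagged"
    }


if __name__ == "__main__":
    for step, result in figure_133_walk().items():
        print(f"{step}: {result}")
```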
211. (continued)
Port Edged: Whether the port is an edge port.
• Config: The configured value.
• Active: The actual value.
Point-to-point: Whether the port is connected to a point-to-point link.
• Config: The configured value.
• Active: The actual value.
Transmit Limit: Maximum number of packets sent within each Hello time.
Protection Type: Protection type on the port:
• Root: Root guard.
• Loop: Loop guard.
• BPDU: BPDU guard.
• None: No protection.
MST BPDU Format: Format of the MST BPDUs that the port can send, which can be legacy or 802.1s. Config indicates the configured value and Active indicates the actual value.
Port Config Digest Snooping: Whether digest snooping is enabled on the port.
Rapid transition: Whether the current port rapidly transits to the forwarding state.
Num of VLANs Mapped: Number of VLANs mapped to the current MSTI.
Field: Description
Timers: Major parameters for the port:
• Hello: Hello timer.
• MaxAge: Max Age timer.
• FwDly: Forward delay timer.
• MsgAge: Message Age timer.
• Remain Hop: Remaining hops.
BPDU Sent: Statistics on sent BPDUs.
BPDU Received: Statistics on received BPDUs.
Protocol Status: Whether MSTP is enabled.
Protocol Std: MSTP standard.
Version: MSTP version.
CIST Bridge-Prio: Priority of the current device in the CIST.
MAC address: MAC address of the current device.
Max age(s): Maximum age of a configuration BPDU.
Forward delay(s): Port state transition delay in seconds.
Hello
212. (continued) a CIST tree is also the process of configuration BPDU comparison. During this process, the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within each MST region through calculation. At the same time, MSTP regards each MST region as a single device and generates a CST among these MST regions through calculation. The CST and the ISTs constitute the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation process, which is similar to spanning tree calculation in STP/RSTP. For more information, see "Calculation process of the STP algorithm".
In MSTP, a VLAN packet is forwarded along the following paths:
• Within an MST region, the packet is forwarded along the corresponding MSTI.
• Between two MST regions, the packet is forwarded along the CST.
MSTP implementation on devices
MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation.
In addition to basic MSTP functions, the device provides the following functions for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU (a message that notifies the device of topology changes) guard
• Support for the hot swapping of interface boar
213. (continued) a configuration BPDU can be held by the device.
Timers: When you configure timers, follow these guidelines:
• The settings of hello time, forward delay and max age must meet a certain formula. Otherwise, the network topology will not be stable. HP recommends you to set the network diameter and then have the device automatically calculate the forward delay, hello time and max age.
• The bridge diameter cannot be configured together with the timers.
Instance: Instance ID.
Root Type and Bridge Priority: Sets the role of the device in the MSTI, or the bridge priority of the device, which is one of the factors deciding whether the device can be elected as the root bridge. Role of the device in the MSTI:
• Not Set: Not set. You can set the bridge priority of the device when selecting this role.
• Primary: Configure the device as the root bridge. You cannot set the bridge priority of the device when selecting this role.
• Secondary: Configure the device as a secondary root bridge. You cannot set the bridge priority of the device when selecting this role.
Item: Description
Selects whether to enable TC-BPDU guard. When receiving topology change (TC) BPDUs, the device flushes its forwarding address entries. If someone forges TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time and frequently flushes its forwarding address entries. This affects network stability. Wi
214. (index, continued)
   acity and refresh interval 63
   configuration environment 20
   LACP priority 211
   LLDP parameters for a single port 224
   LLDP parameters for ports in batch 227
   log host 62
   MAC address table dynamic aging timer 175
   port operation parameters 69
   refresh period 48
   terminal parameters 21
   Web device super password 87
Simple Network Management Protocol. Use SNMP
SNAP
   LLDP frame encapsulated in SNAP format 217
SNMP
   agent 111
   agent enabling 113
   community configuration 117
   configuration 111
   group configuration 118
   manager 11
   mechanism 111
   MIB 111
   NMM RMON configuration 93, 105
   packet statistics displaying 123
   protocol versions 112
   SNMPv1 configuration 124
   SNMPv2c configuration 124
   SNMPv3 configuration 127
   trap function configuration 121
   user configuration 120
   view configuration 115
   view creating 115
SNMP view
   rules adding 116
SNMPv1
   configuration 124
   protocol version 112
SNMPv2c
   configuration 124
   protocol version 112
SNMPv3
   configuration 127
   protocol version 112
snooping
   configuring DHCP snooping functions on interface 309
   DHCP snooping Option 82 support 308
sorting
   ACL auto match order sort 450
   ACL config match order sort 450
source
   NMM port mirroring 79
   security ARP src-mac validity check 250
SP queuing
   classifications 471
specifying
   Web device main boot file 68
stack
   configuration 43
stack device summary
   displaying 42
stack ports
   Web configuration 41
stack topology su
215. acket statistics (Optional, 112).

Table 32 SNMPv3 configuration task list
Task / Remarks
1. Enabling SNMP agent: Required. The SNMP agent function is disabled by default. IMPORTANT: If SNMP agent is disabled, all SNMP agent related configurations are removed.
2. Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
3. Configuring an SNMP group: Required. After creating an SNMP group, you can add SNMP users to the group when creating the users, so you can manage the users in the group centrally through the group.
4. Configuring an SNMP user: Required. Before creating an SNMP user, you must create the SNMP group to which the user belongs. IMPORTANT: After you change the local engine ID, the existing SNMPv3 users become invalid and you must re-create them, because SNMPv3 authentication and privacy keys are localized to the engine ID. For more information about the engine ID, see "Enabling SNMP agent."
5. Configuring SNMP trap function: Optional. Allows you to configure the agent to send SNMP traps to the NMS, and to configure information about the target host (usually the NMS) of the SNMP traps. The SNMP agent sends traps to inform the NMS of important events, such as a reboot. By default, an agent is allowed to send SNMP traps to the NMS.
6. Displaying SNMP packet statistics: O
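Why changing the local engine ID invalidates SNMPv3 users, shown as an added example (not code from the HP manual): RFC 3414 derives each user's key from the password and then localizes it with the engine ID, so a key computed under the old engine ID cannot authenticate under the new one. The password and engine ID below are the RFC 3414 appendix A.3 test values, not credentials from this page.

```python
"""Added example, not from the HP manual: RFC 3414 password-to-key
derivation and key localization. The password and engine ID are the
RFC 3414 appendix A.3 test values, not credentials from this page."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated cyclically to 1,048,576 bytes) (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    reps = ONE_MEGABYTE // len(password) + 1
    expanded = (password * reps)[:ONE_MEGABYTE]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually stores,
    bound to exactly one engine ID."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def user_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def key_matches_engine(stored_kul: bytes, password: bytes, engine_id: bytes,
                       hash_name: str = "md5") -> bool:
    """True if a previously localized key still fits the agent's engine ID."""
    return hmac.compare_digest(stored_kul, user_key(password, engine_id, hash_name))


RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    kul = user_key(RFC_PASSWORD, RFC_ENGINE_ID)
    print("Kul (MD5):", kul.hex())
    # constructed: the same agent after its engine ID was changed
    new_engine_id = bytes.fromhex("000000000000000000000003")
    print("old key valid on new engine ID:",
          key_matches_engine(kul, RFC_PASSWORD, new_engine_id))
```

The same localization is what stops a captured key from being replayed against a different agent; it is also why an NMS must learn the agent's engine ID (by discovery) before it can authenticate.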
216. aging ports."

To configure the link type of a port:
1. From the navigation tree, select Network > VLAN.
2. Click Modify Port.
3. Select the port that you want to configure on the chassis front panel.
4. Select the Link Type option.
5. Set the link type to access, hybrid, or trunk.
6. Click Apply. A progress dialog box appears.
7. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.

Figure 135 Modifying ports (screenshot: Select VLAN, Create, Port Detail, Detail, Modify VLAN, and Remove tabs; Select Ports panel with Select All and Select None, where ports that are not available for selection are marked; membership type Untagged, Tagged, or Not A Member; Link Type and PVID options; Link Type set to Access for the selected ports GE1/0/1 and GE1/0/4; Apply and Cancel buttons)

Setting the PVID for a port
You can also configure the PVID of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports."
To set the PVID for a port:
1. From the navigation tree, select Network > VLAN.
2. Click Modify Port.
3. Select the port that you want to configure on the chassis front panel.
4. Select the PVID option. The option allows you to modify the PVID of the port.
5. Set a PVID for the port. By selecting the Delete box, you can restore the PVID of the port to the default, which is VLAN 1. The PVID of an access port must be an existing VLAN.
6. Click Apply. A progress dialog box appears.
7. Click Clos
217. ail to receive LLDP frames to update information about the device you are configuring before it is aged out. (Tx Interval)

Displaying LLDP information for a port
1. From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed.
2. On the port list, click a port name to display its LLDP information at the lower half of the page. By default, the Local Information tab is displayed. Table 77 describes the fields.

Figure 202 The Local Information tab (screenshot: Local Information, Neighbor Information, Statistic Information, and Status Information tabs; LLDP local information of port 4, GigabitEthernet1/0/4: Port ID subtype Interface name; Port ID GigabitEthernet1/0/4; Port description GigabitEthernet1/0/4 Interface; Management address type ipv4; Management address (partly illegible in the screenshot); Management address interface type IfIndex; Management address interface ID 30; Management address OID 0; Port VLAN ID (PVID) 1)

Table 77 Field description
Field / Description
Port ID subtype: Interface alias; Port component; MAC address; Network address; Interface name; Agent circuit ID; Locally assigned (a locally defined port ID type other than those listed above).
PoE port class (Power port class): PSE (power sourcing equipment); PD (powered device).
Port power classification (power class of the PD): Unknown; Class0; Class1; Class2; Class3; Class4.
Media policy type: Unknown; Vo
218. ailable only for a trunk or hybrid port.

Configuring ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Grayed-out options on Web configuration pages cannot be configured.

Overview
An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also widely used by many modules, for example QoS and IP routing, for traffic identification.

ACL categories
Category / ACL number / IP version / Match criteria
Basic ACLs / 2000 to 2999 / IPv4: source IPv4 address. IPv6: source IPv6 address.
Advanced ACLs / 3000 to 3999 / IPv4: source and destination IPv4 address, protocol number, and other Layer 3 and Layer 4 header fields. IPv6: source and destination IPv6 address, protocol number, and other Layer 3 and Layer 4 header fields.
Ethernet frame header ACLs / 4000 to 4999 / IPv4 and IPv6: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

Match order
The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and actio
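What the match order means for overlapping rules, as an added example in Python (not code from the HP manual). It evaluates a constructed basic ACL under the two orders the index of this document lists, config (ascending rule ID) and auto (depth-first, most specific source first); the rule IDs, addresses, the tie-break on rule ID for equally specific rules, and the permit-by-default for unmatched packets are this example's own choices.

```python
"""Added example, not from the HP manual: first-match evaluation of a basic
ACL under config order and auto (depth-first) order. The ACL contents, the
tie-break on rule ID and the permit-by-default for unmatched packets are
this example's own choices."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    source: str        # source network in CIDR notation (basic ACL criterion)

    def network(self):
        return ipaddress.ip_network(self.source, strict=False)


def config_order(rules: List[Rule]) -> List[Rule]:
    """Config order: rules are tried in ascending order of rule ID."""
    return sorted(rules, key=lambda r: r.rule_id)


def auto_order(rules: List[Rule]) -> List[Rule]:
    """Auto order: depth-first, the rule with the longer (more specific)
    source prefix first; rule ID breaks ties (assumption)."""
    return sorted(rules, key=lambda r: (-r.network().prefixlen, r.rule_id))


def first_match(ordered: List[Rule], src_ip: str) -> Tuple[str, Optional[int]]:
    """Stop at the first matching rule, as the device does. Packets that
    match no rule are permitted here (assumption for this example)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in ordered:
        if ip in rule.network():
            return rule.action, rule.rule_id
    return "permit", None


def evaluate(rules: List[Rule], src_ip: str, order: str = "config"):
    ordered = auto_order(rules) if order == "auto" else config_order(rules)
    return first_match(ordered, src_ip)


# constructed ACL 2001: a permit-any entered first, then a subnet deny
# and a single-host exception, which is where the two orders diverge
ACL_2001 = [
    Rule(0, "permit", "0.0.0.0/0"),
    Rule(5, "deny", "10.1.1.0/24"),
    Rule(10, "permit", "10.1.1.7/32"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        for ip in ("10.1.1.7", "10.1.1.9", "192.0.2.1"):
            print(order, ip, evaluate(ACL_2001, ip, order))
```

In config order the permit-any at rule 0 shadows every later rule, so the deny never fires; in auto order the /32 and /24 rules are tried before the catch-all. Check the effective order after editing an ACL rather than assuming the order rules were entered.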
219. ain.
1. Click the Domain tab.
2. Click Add. The page in Figure 383 appears.
3. Enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request (the URL must be in the format http://host:port/Issuing_Jurisdiction_ID, where Issuing_Jurisdiction_ID is the hexadecimal string generated on the CA), and select Manual as the certificate request mode.
4. Click the collapse button before Advanced Configuration.
5. In the advanced configuration area, select the Enable CRL Checking box and enter http://4.4.4.133:447/myca.crl as the CRL URL.
6. Click Apply. A dialog box appears, asking "Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?" Click OK. Note that without a fingerprint the device accepts whatever root certificate it retrieves over plain HTTP, so anyone who can intercept that retrieval can substitute their own CA; in production, obtain the root certificate fingerprint out of band and enter it in the Fingerprint field before retrieving the certificate.

Figure 383 Creating a PKI domain (screenshot: Entity, Domain, Certificate, and CRL tabs; Add PKI Domain form with Domain Name (1-15 chars), CA Identifier (1-63 chars), Entity Name, Institution, Requesting URL (1-127 chars), LDAP IP, Port 389, Version, Request Mode, Fingerprint Hash, and Fingerprint; Advanced Configuration with Polling Count 50 (1-100, default 50), Polling Interval 20 minutes (5-168, default 20), Enable CRL Checking, CRL Update Period (hours), and CRL URL)
220. alidity periods of certificates and revokes certificates as needed by publishing CRLs.
An RA is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation, and key pair backup. It only examines the qualifications of users; it does not sign certificates. Sometimes a CA assumes the registration management responsibility and no independent RA exists. The PKI standard recommends that an independent RA be used for registration management to achieve higher security of application systems.

PKI repository
A PKI repository can be an LDAP server or a common database. It stores and manages information such as certificate requests, certificates, keys, CRLs, and logs, and it provides a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service. From an LDAP server, an entity can retrieve digital certificates of its own and of other entities.

How PKI works
In a PKI-enabled network, an entity can request a local certificate from the CA, and the device can check the validity of the certificate. The following describes how it works:
1. An entity submits a certificate request to the CA.
2. The RA verifies the identity of the entity and then sends the identity information and the public key, with a digital signature, to the CA.
221. ame header 459
Packet precedence 469
parameter: terminal 21
PD: maximum PoE interface power 498
periodic time range (ACL) 452
periodic time range configuration (ACL) 453
ping: address reachability determination 317, 318; system maintenance 31
PoE: configuration 497, 501; detect nonstandard PDs enable 499; displaying 500; interface power management configure 498; maximum PoE interface power configure 498; PD 497; PI 497; port configuration 498; PSE 497
policy: QoS policy configuration 466; security MAC authentication user account policies 404
port: 802.1X port-based access control method 321; all operation parameters for a port 74; configuring energy saving 109; configuring IGMP snooping 260; configuring MLD snooping 274; DHCP snooping trusted port 306; DHCP snooping untrusted port 306; Ethernet aggregate interface 205; Ethernet link aggregation aggregate interface 209; Ethernet link aggregation and LACP configuration 213; Ethernet link aggregation configuration 205; Ethernet link aggregation dynamic mode 207; Ethernet link aggregation group 205; Ethernet link aggregation group configuration 208; Ethernet link aggregation group creation 208; Ethernet link aggregation LACP 205; Ethernet link aggregation LACP priority 21; Ethernet link aggregation LACP-enabled port 211; Ethernet link aggregation member port state 205; Ethernet link aggregation modes 206; Ethernet link aggregation operationa
222. ameters and stack ports (Management).
Stack: Topology Summary: display the topology summary of a stack (Configure). Device Summary: display the control panels of stack members (Configure).
Summary: System Information: display the basic system information, system resource state, and recent system operation logs (Monitor). Device Information: display the port information about the device (Monitor).
Device > Basic: System Name: display and configure the system name (Configure). Web Idle Timeout: display and configure the idle timeout period for logged-in users (Configure).
Device > Device Maintenance: Software Upgrade: upload an upgrade file from the local host and upgrade the system software (Management). Reboot: reboot the device (Management). Electronic Label. Diagnostic Information.
Device > System Time: System Time, Net Time.
Device > Syslog: Loglist, Loghost, Log Setup.
Device > Configuration: Backup, Restore, Save, Initialize.
Device > File Management: File Management.
Device > Port Management: Summary, Detail, Setup.
Device > Port Mirroring: Summary, Add, Remove, Modify Port.
Device > Users: Summary, Super Password, Create, Modify, Remove.
Descriptions of the remaining tabs, in order: Electronic Label: display the electronic label of the device. Diagnostic Information: generate a diagnostic information file and view or save the file to the local host. System Time: display and configure the system date and time. Net Time: display the synchronization status of the system clock and configure the network time. Loglist: display and refresh system logs; clear system logs. Loghost: display and configure
223. anage them. A local user represents a set of user attributes configured on a device, such as the user password, user type, service type, and authorization attribute, and is uniquely identified by the username. For a user to pass local authentication, you must add an entry for the user in the local user database of the device. For more information about local authentication, see "Configuring AAA."
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. All local users in a user group inherit the user attributes of the group. However, if you configure user attributes for a local user, the settings for the local user take precedence over the settings for the user group. By default, every newly added local user belongs to a user group named system, which is created automatically by the system.

Configuring a local user
1. Select Authentication > Users from the navigation tree to enter the Local User tab, which displays all local users.

Figure 363 Local user list (screenshot: Local User and User Group tabs; search and advanced search; columns Username, Level, Service Type, VLAN, ACL, User Profile, User Group, User Type, Expire Time, and Operation; one entry, admin, with Management level in group system; Add and Batch Delete buttons)

2. Click Add. The page for adding a local user appears.

Figure 364 Local user configuration page
224. and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port.
Port security prevents unauthorized access to a network by checking the source MAC address of inbound traffic, and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.
Port security can control MAC address learning and authentication on a port to make sure the port learns only source-trusted MAC addresses. A frame is illegal if its source MAC address cannot be learned in a port security mode, or if it is from a client that has failed 802.1X or MAC authentication. The port security feature automatically takes a predefined action on illegal frames. This automatic mechanism enhances network security and reduces human intervention.
For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security, for simplicity. For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and "Configuring MAC authentication."

Port security features
Outbound restriction
The outbound restriction feature is not supported in this release.
The outbound restriction feature prevents traffic interception by checking the destination MAC addresses in outbound frames. The feature guarantees that frames are sent only t
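The inbound side of the mechanism just described, as an added example in Python (not code from the HP manual or the switch firmware): a port that learns a bounded set of source MAC addresses and then treats any other source as an illegal frame, applying one of the intrusion protection actions this manual names elsewhere (block MAC, or shut down the port). The MAC limit, the 180-second block duration, and the verdict strings are this example's own choices.

```python
"""Added example, not from the HP manual: a port-security port that learns
at most N source MACs and applies an intrusion protection action (block MAC
or shutdown port) to frames from any other source. The block duration and
the verdict strings are this example's own choices."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SecurePort:
    max_secure_macs: int
    action: str = "block_mac"            # or "shutdown_port"
    block_seconds: float = 180.0         # assumption: temporary block duration
    secure_macs: Set[str] = field(default_factory=set)
    blocked_until: Dict[str, float] = field(default_factory=dict)
    shut_down: bool = False
    events: List[Tuple[float, str, str]] = field(default_factory=list)

    def ingress(self, src_mac: str, now: float = 0.0) -> str:
        """Classify one inbound frame by its source MAC; return the verdict."""
        src_mac = src_mac.lower()
        if self.shut_down:
            return "drop:port-shutdown"
        if src_mac in self.secure_macs:
            return "forward"
        if self.blocked_until.get(src_mac, 0.0) > now:
            return "drop:blocked-mac"
        if len(self.secure_macs) < self.max_secure_macs:
            self.secure_macs.add(src_mac)            # learned as a secure MAC
            return "forward:learned"
        return self._intrusion(src_mac, now)         # illegal: cannot be learned

    def _intrusion(self, src_mac: str, now: float) -> str:
        """Apply the configured action and record the event for the operator."""
        self.events.append((now, src_mac, self.action))
        if self.action == "shutdown_port":
            self.shut_down = True
            return "drop:port-shutdown"
        self.blocked_until[src_mac] = now + self.block_seconds
        return "drop:blocked-mac"


if __name__ == "__main__":
    # constructed frames: two legitimate hosts, then a third device plugged in
    port = SecurePort(max_secure_macs=2)
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02",
                "00:11:22:33:44:03", "00:11:22:33:44:01"):
        print(mac, port.ingress(mac))
    print("intrusion events:", port.events)
```

The two actions trade off differently: block MAC keeps the legitimate hosts working while the intruder is dropped, whereas shutting the port down also cuts off the hosts that were already learned, which is the behaviour the Auth-Fail VLAN table later in this document ranks above the guest VLAN.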
225. and then import it into the local PKI system. By default, the retrieved certificate is saved in a file under the root directory of the device, and the filename is domain-name_ca.cer for the CA certificate or domain-name_local.cer for the local certificate.
To retrieve a certificate:
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Retrieve Cert.

Figure 375 PKI certificate retrieval page (screenshot: Entity, Domain, Certificate, and CRL tabs; Retrieve Certificate form with Domain Name, Certificate Type (CA), and Enable Offline Mode; items marked with an asterisk are required; Apply and Cancel buttons)

4. Configure the parameters as described in Table 122.
5. Click Apply.

Table 122 Configuration items
Item / Description
Domain Name: Select the PKI domain for the certificate.
Certificate Type: Select the type of the certificate to be retrieved, which can be CA or local.
Enable Offline Mode: Select this box to retrieve a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email, and then import the certificate into the local PKI system. The following configuration items are displayed if this box is selected.
Get File From Device: Specify the path and name of the certificate file to import. If the certificate file is saved on the device, select Get File From Device and then specify the path and name of the file on the device. If no file is specified, the system by default gets t
226. arch function example 2 (screenshot: Advanced Search on LLDP Status, Equal to Disabled; And/Or; Match Case; Search in the result; Apply)

Figure 12 Advanced search function example 3 (screenshot of the result list with columns Port Name, LLDP Status, LLDP Work Mode, and Operation: GigabitEthernet1/0/7, GigabitEthernet1/0/8, GigabitEthernet1/0/9, and GigabitEthernet1/0/15, all Disabled, work mode TxRx)

Sort function
On some list pages, the Web interface provides a sorting function to display the entries in a certain order. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected. After you click the heading item, it is displayed with an arrow beside it, as shown in Figure 13. The upward arrow indicates ascending order, and the downward arrow indicates descending order.

Figure 13 Sort display (screenshot: the port list sorted by the LLDP Work Mode column, with ports in Rx mode listed first, then Tx, then TxRx, and the sort arrow shown beside the LLDP Work Mode heading)
227. as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
Use Table 106 when you configure multiple security features on a port.

Table 106 Relationships of the 802.1X guest VLAN and other security features
Feature / Relationship description
MAC authentication guest VLAN on a port that performs MAC-based access control / Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN.
802.1X Auth-Fail VLAN on a port that performs MAC-based access control / The 802.1X Auth-Fail VLAN has a higher priority.
Port intrusion protection on a port that performs MAC-based access control / The 802.1X guest VLAN function has higher priority than the block MAC action, but it has lower priority than the shutdown port action of the port intrusion protection feature.

Configuring an Auth-Fail VLAN
Configuration prerequisites
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member.
Configuration guidelines
• The 802.1X Auth-Fail VLANs on different ports can be different.
• Assign different IDs to the port VLAN and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN-tagged incoming traffic.
Us
228. as the peer port of the reference port, consider the port as a candidate Selected port. Otherwise, the port is placed in the Unselected state.
The number of Selected ports in an aggregation group is limited. When the number of Selected ports is under the limit, all the member ports are set to the Selected state. When the limit is exceeded, the system sets the ports with smaller port IDs as the Selected ports and places the other ports in the Unselected state. At the same time, the peer device, being aware of the changes, sets the aggregation state of its local member ports the same as their peer ports.
The system places the ports that cannot aggregate with the reference port in the Unselected state, for example, as the result of the inter-board aggregation restriction.
When you configure static and dynamic aggregation modes, follow these guidelines:
• In an aggregation group, a Selected port must have the same port attributes and class-two configurations as the reference port. To keep these configurations consistent, you should configure the port manually.
• Any port attribute or class-two configuration change might affect the aggregation state of all member ports and ongoing traffic. If you need to make this change, make sure you understand its impact on the live network.

Configuration procedures
Configuring a static aggregation group
Step / Remarks
Remarks for step 1: Create a static aggregate interface and configure member
Step 1: Creating a link aggregation gr
229. atable Partner Port State:
• D: The sending system considers the link is synchronized.
• E: The sending system considers the incoming frames are collected.
• F: The sending system considers the outgoing frames are distributed.
• G: The sending system receives frames in the default state.
• H: The sending system receives frames in the expired state.
Oper Key: Operational key of the local port.

Table 68 Field description
Field / Description
Unit: Number of the remote system.
Port: Name of the remote port.
Partner ID: LACP priority and MAC address of the remote system.
Partner Port Priority: LACP priority of the remote port.
Partner Oper Key: Operational key of the remote port.

Link aggregation and LACP configuration example
Network requirements
As shown in Figure 192, create a link aggregation group on Switch A and Switch B to load-share incoming and outgoing traffic across the member ports.

Figure 192 Network diagram (Switch A connected to Switch B over the link aggregation)

Method 1: Create static link aggregation group 1
1. From the navigation tree, select Network > Link Aggregation.
2. Click Create.
3. Configure static link aggregation group 1:
a. Enter link aggregation interface ID 1.
b. Select Static (LACP Disabled) for the aggregate interface type.
c. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel.
4. Click Apply.

Figure 193 Creating static link aggregation group
230. atch configuring the port speed (screenshot: Setup tab; Basic Configuration with Port State No Change, Speed Auto 100, Duplex No Change, Link Type No Change, PVID (1-4094), and Description (1-80 chars); Advanced Configuration with MDI No Change, Flow Control No Change, Power Save No Change, Max MAC Count No Change (0-8192), and EEE No Change; Storm Suppression with Broadcast, Multicast, and Unicast Suppression set to No Change; pps range 1-148810 for a 100 Mbps port, 1-260000 for a GE port, and 1-260000 for a 10GE port; kbps range 1-100000 for a 100 Mbps port, 1-180000 for a GE port, and 1-180000 for a 10GE port; Unit 1, selected ports GE1/0/1 and GE1/0/3; note that it may take some time if you apply the above settings to multiple ports; Apply and Cancel buttons)

3. Display the speed settings of ports:
a. Click the Summary tab.
b. Click the Speed button to display the speed information of all ports on the lower part of the page, as shown in Figure 64.

Figure 64 Displaying the speed settings of ports (screenshot: Select Feature list with Port State, Max MAC Count, Flow Control, Default VLAN ID (PVID), Link Type, MDI, Duplex, Broadcast Suppression, Multicast Suppression, Unicast Suppression, Power Save, Description, and EEE; Feature Summary listing ports including GE1/0/5 and GE1/0/6 with Setting values Auto 100M, Auto 100M, Auto 100M, Auto, Aut
231. ating link 205
aging: MAC address table timer 175
alarm: NMM RMON alarm function 95; NMM RMON configuration 93, 105; NMM RMON group 94
alarm entry: configuration 100
algorithm: STP calculation 179
allocating: DHCP IP addresses allocation 292
alternate port (MST) 187
application: AAA application 352
applying: QoS policy to port 484
architecture: security 802.1X 321
ARP: attack protection, see ARP attack protection; configuration 242; dynamic table entry 244; entry configuration 244; entry display 244; entry removal 245; gratuitous ARP configuration 246; gratuitous ARP packet 244; gratuitous ARP packet learning 244; message format 242; operation 242; static configuration 246; static entry configuration 245; static table entry 244; table 243
ARP attack protection: configuration 250; detection configuration 250; packet validity check 250; user validity check 250
assigning: 802.1X ACL 331; MAC authentication ACL assignment 405; MAC authentication VLAN assignment 405; VLAN (802.1X) 329
attribute: AAA RADIUS extended attributes 367; local user and user group configuration 380; security 802.1X RADIUS EAP-Message 324; security 802.1X RADIUS Message-Authenticator 324
authenticating: AAA configuration 352, 359; AAA ISP domain authentication methods configuration 355; configuring MAC authentication global 406; configuring MAC authentication port-specific 408; local user and user group configuration 380; local use
232. ation set.

Command conventions
Convention / Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is comments.

GUI conventions
Convention / Description
Boldface: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
Convention / Description
WARNING: An alert that calls attention to important information that, if not understood or followed, can resu
233. ault, each pin has its particular role. For example, pin 1 and pin 2 are used for transmitting signals, and pin 3 and pin 6 are used for receiving signals. You can change the pin roles by setting the MDI mode.
• For an Ethernet port in across mode, pin 1 and pin 2 are used for transmitting signals, and pin 3 and pin 6 are used for receiving signals. The pin roles are not changed.
• For an Ethernet port in auto mode, the pin roles are decided through autonegotiation.
• For an Ethernet port in normal mode, the pin roles are changed: pin 1 and pin 2 are used for receiving signals, and pin 3 and pin 6 are used for transmitting signals.
To enable normal communication, you must connect the local transmit pins to the remote receive pins. Configure the MDI mode depending on the cable type. When you configure the MDI mode, follow these guidelines:
• Typically, use the auto mode. The other two modes are used only when the device cannot determine the cable type.
• When straight-through cables are used, the local MDI mode must be different from the remote MDI mode.
• When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto.

Item / Description
Flow Control: Enable or disable flow control on the port. With flow control enabled at both sides, when traffic congestion occurs on the ingress port, the ingress port sends a Pause frame notifying the egress port to temporarily su
234. ause the system does not save the current configuration automatically, HP recommends that you perform this step to avoid loss of configuration.
2. Click Logout in the upper right corner of the Web interface.

Web interface
The Web interface includes three parts: navigation tree, title area, and body area, as shown in Figure 6.

Figure 6 Web-based configuration interface (screenshot: the HP1920 navigation tree with Wizard, Stack, Summary, Device, Network, Authentication, Security, and QoS; Device Information for an HP 1920-24G Switch JG924A; System Resource State showing CPU usage and memory usage; Product Information with Device Name, Device Location, Contact Information, serial number, Software Version Alpha 1101, Hardware Version REV.A, Bootrom Version 109, and Running Time 0 days 0 hours 43 minutes 58 seconds; Recent System Logs with entries such as "Notification: Console logged out from aux0", "Notification: Exit from configuration mode", and "Warning: admin logged in from 192.168.1.27"; a More Logs On Device link; Refresh Period set to Manual; Refresh button)
1. Navigation tree 2. Body area 3. Title area

Navigation tree: Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed. The result is displayed in the body area.
Body
235. ays for requesting and retrieving a certificate: manual, online, and offline.
• To request a certificate online, you must get the root certificate from the CA server first.
• When you request a certificate offline, the requested information is displayed on the page first. Copy it to the CA server to produce the certificate file offline, and then retrieve the file.
• When you delete the CA certificate, the relevant local certificate is also deleted.
3. Click Create Key.
4. Set the key length. The default of 1024 bits is below the 2048-bit minimum that current guidance (for example NIST SP 800-131A) requires for RSA signature keys; choose 2048 where your CA accepts it.
5. Click Apply.

Figure 373 Key pair parameter configuration page (screenshot: Entity, Domain, Certificate, and CRL tabs; Add Key form with Key Length 1024 (512-2048, default 1024) and the note "If there is already a key, overwrite it"; items marked with an asterisk are required; Apply and Cancel buttons)

Destroying the RSA key pair
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the Certificate tab.
3. Click Destroy Key.
4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.

Figure 374 Key pair destruction page (screenshot: Destroy Key with the warning "This operation will destroy the key and corresponding local certificate"; Apply and Cancel buttons)

Retrieving and displaying a certificate
You can retrieve an existing CA certificate or local certificate from the CA server and save it locally. To do so, you can use offline mode or online mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email,
236. bers: corresponds to the MIB node etherHistoryJabbers. Support for the field depends on the device model.
Collisions: Number of collision packets received during the sampling period, corresponding to the MIB node etherHistoryCollisions.
Utilization: Bandwidth utilization during the sampling period, corresponding to the MIB node etherHistoryUtilization.

Displaying RMON event logs
1. Select Device > RMON from the navigation tree.
2. Click the Log tab.

Figure 90 Log tab (screenshot: Statistics, History, Alarm, Event, and Log tabs; Event Index search; Event Log table with columns Event Index, Log Time, and Description, containing one entry for event 1 at 2011-5-16 16:18:37: "The 1.3.6.1.2.1.16.1.1.1.4.1 defined in alarmEntry 1, uprise 10000000 with alarm value 11779194. Alarm sample type is absolute"; Refresh button)

In this example, event 1 has generated one log, which is triggered because the alarm value 11779194 exceeds the rising threshold 10000000. The sampling type is absolute.

RMON configuration example
Network requirements
As shown in Figure 91, create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1/0/1 with the sampling interval being 10 seconds. Perform the corresponding configurations so that the system logs the event when the number of bytes received on the interface is more than 1000 or less than 100.

Figure 91 Network diagram (Agent, GE1/0/1, Internet, Server, NMS)

Configuration procedure
1. Configure RMON to gather statistics for GigabitEthernet 1
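How the alarm in this configuration example fires, as an added example in Python (not code from the HP manual or the switch): an RMON alarm entry with rising threshold 1000 and falling threshold 100 over delta samples of received octets, including the RFC 2819 rule that a rising event is not repeated until a falling crossing has occurred (and vice versa). The counter readings are constructed; the absolute-sampling case reproduces the log entry shown on the Log tab above.

```python
"""Added example, not from the HP manual: RMON alarm evaluation for the
configuration example (rising 1000, falling 100, delta sampling of
received octets every 10 seconds). The counter readings are constructed."""
from typing import List, Optional


class RmonAlarm:
    """One alarmEntry: compares each sample with the rising and falling
    thresholds and, as RFC 2819 requires, does not repeat an event in the
    same direction until the opposite threshold has been crossed."""

    def __init__(self, rising: int, falling: int, sample_type: str = "delta"):
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        self.rising, self.falling, self.sample_type = rising, falling, sample_type
        self.last_raw: Optional[int] = None
        self.last_event: Optional[str] = None

    def sample(self, raw: int) -> Optional[str]:
        """Feed one raw counter reading; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None                       # a delta needs two samples
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        if value >= self.rising and self.last_event != "rising":
            self.last_event = "rising"
            return "rising"
        if value <= self.falling and self.last_event != "falling":
            self.last_event = "falling"
            return "falling"
        return None


def run_alarm(samples: List[int], rising: int = 1000, falling: int = 100,
              sample_type: str = "delta") -> List[Optional[str]]:
    """Return the event raised (or None) for each sample in order."""
    alarm = RmonAlarm(rising, falling, sample_type)
    return [alarm.sample(s) for s in samples]


# constructed etherStatsOctets readings for GE1/0/1, one per 10-second interval
OCTETS = [0, 50, 2000, 2020, 2030, 5000]

if __name__ == "__main__":
    for reading, event in zip(OCTETS, run_alarm(OCTETS)):
        print(reading, event)
    # the absolute-sampling log entry from the Log tab: one rising event
    print(run_alarm([11779194], rising=10000000, falling=100, sample_type="absolute"))
```

The fourth and fifth readings both sit below the falling threshold but produce a single falling event; the hysteresis is what keeps a link that idles near a threshold from flooding the event log, so pick the falling threshold with that in mind rather than setting it just under the rising one.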
237. ble.
In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Typically, the device chooses servers based on these rules:
• When the primary server is in the active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in the active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in the active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in the active state. If the quiet timer of a server expires, or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the current authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
• Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests
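The server selection rules above, as an added example in Python (not code from the HP manual or the switch): a primary and two secondaries, the blocked state with its quiet timer, and the failure result when no server answers. The server names, the 300-second quiet timer, and the reachability outcomes are constructed for the example; the quiet timer length is not a value quoted from this page.

```python
"""Added example, not from the HP manual: primary/secondary RADIUS server
selection with a blocked state and quiet timer. The server names, the
300-second quiet timer and the reachability outcomes are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    name: str
    primary: bool = False
    state: str = "active"           # "active" or "blocked"
    blocked_until: float = 0.0      # quiet timer expiry when blocked


class RadiusSelector:
    def __init__(self, servers: List[RadiusServer], quiet_timer: float = 300.0):
        self.servers = servers            # configuration order decides secondary priority
        self.quiet_timer = quiet_timer    # assumption: 300 s quiet timer

    def _expire_quiet_timers(self, now: float) -> None:
        """A blocked server returns to active when its quiet timer expires."""
        for s in self.servers:
            if s.state == "blocked" and now >= s.blocked_until:
                s.state = "active"

    def response_received(self, name: str) -> None:
        """A response from a blocked server also returns it to active."""
        for s in self.servers:
            if s.name == name:
                s.state = "active"

    def _search_order(self) -> List[RadiusServer]:
        primaries = [s for s in self.servers if s.primary]
        secondaries = [s for s in self.servers if not s.primary]
        return primaries + secondaries    # earlier-configured secondary first

    def authenticate(self, now: float, reachable: Callable[[str], bool]) -> Optional[str]:
        """One authentication attempt at time `now`. `reachable(name)` stands
        in for sending the request and waiting for a reply. Returns the name
        of the server that answered, or None if the attempt fails."""
        self._expire_quiet_timers(now)
        for server in self._search_order():
            if server.state != "active":
                continue                  # blocked servers are skipped this round
            if reachable(server.name):
                return server.name
            server.state = "blocked"      # no reply: block and start the quiet timer
            server.blocked_until = now + self.quiet_timer
        return None


if __name__ == "__main__":
    servers = [RadiusServer("primary", primary=True),
               RadiusServer("secondary-1"), RadiusServer("secondary-2")]
    selector = RadiusSelector(servers)
    # constructed outage: only secondary-2 answers at t=0
    print(selector.authenticate(0.0, lambda name: name == "secondary-2"))
    print([(s.name, s.state) for s in servers])
    # primary is back at t=10 but still quiet, so secondary-2 is used again
    print(selector.authenticate(10.0, lambda name: True))
    print(selector.authenticate(301.0, lambda name: True))
```

The operational consequence is the quiet timer: after a short outage the primary is ignored for its full quiet period even though it is reachable again, so a user whose authentication fails during that window is failing against the secondaries, not the primary.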
238. bnormal (abnormal open, abnormal short, or failure).
• When a cable is normal, the cable length displayed is the total length of the cable.
• When a cable is abnormal, the cable length displayed is the length between the current port and the location where the fault occurs.
• The cable length detected can have an error of up to 5 meters.

Configuring the flow interval
With the flow interval module, you can view the number of packets and bytes sent and received by a port and the bandwidth use of the port over the specified interval.
Viewing port traffic statistics
1. Select Device > Flow interval from the navigation tree. By default, the Port Traffic Statistics tab is displayed.
2. View the number of packets and bytes sent and received by each port and the bandwidth use of each port over the last interval.

Figure 78 Port traffic statistics (screenshot: search by Interface Name; columns Interface Name, Interval (Sec), Received Packet, Sent Packet, Received Byte, Sent Byte, Receive Utilization, and Sent Utilization; over a 300-second interval GigabitEthernet1/0/2 shows 15 packets and 2652 bytes in each direction with utilization 1 each way, while GigabitEthernet1/0/1 and GigabitEthernet1/0/3 through 1/0/11 show zeros)
239. bors of the change.
- Set the enable status of the LLDP trapping function on the port or ports. LLDP trapping is used to report critical events, such as newly detected neighbor devices and link failures, to the network management station. To avoid excessive traps from being sent when the topology is unstable, tune the minimum trap transmission interval on the Global Setup tab.
- Select the box to include the port description TLV in transmitted LLDP frames.
- Select the box to include the system capabilities TLV in transmitted LLDP frames.
- Select the box to include the system description TLV in transmitted LLDP frames.
- Select the box to include the system name TLV in transmitted LLDP frames.
- Select the box to include the management address TLV in transmitted LLDP frames and, in addition, set the management address and its format (a numeric or character string) in the TLV. If no management address is specified, the main IP address of the lowest VLAN carried on the port is used. If no main IP address is assigned to the VLAN, 127.0.0.1 is used.
Item / Description
Port VLAN ID: Select the box to include the PVID TLV in transmitted LLDP frames.
Port and Protocol VLAN ID Setting: Select the box to include port and protocol VLAN ID TLVs in transmitted LLDP frames, and specify the VLAN IDs to be advertised. If no VLAN is specified, the lowest protocol VLAN ID is transmitted.
VLAN Name: Select the box to include VLAN name TLVs in transmitted LLDP frames an
240. by selecting Network > VLAN Interface. For more information, see "Configuring VLAN interfaces."
Select VLAN Interface
Item / Description
Admin status: Enable or disable the VLAN interface. When errors occur on the VLAN interface, disable the interface and then enable the port to bring the port back to correct operation. By default, the VLAN interface is down if no Ethernet port in the VLAN is up; the VLAN interface is up if one or more ports in the VLAN are up. IMPORTANT: Disabling or enabling the VLAN interface does not affect the status of the Ethernet ports in the VLAN. That is, the port status does not change with the VLAN interface status.
Configure IPv4 address: Configure how the VLAN interface obtains an IPv4 address.
- DHCP: Select this option for the VLAN interface to get an IP address through DHCP.
- BOOTP: Select this option for the VLAN interface to get an IP address through BOOTP.
- Manual: Select this option to manually specify an IPv4 address and the mask length for the VLAN interface.
IPv4 address / MaskLen: Specify an IPv4 address and the mask length for the VLAN interface. Dotted decimal notation is also allowed for the mask length field. These two fields are configurable only if Manual is selected.
Configure IPv6 link-local address: Configure how the VLAN interface obtains an IPv6 link-local address.
- Auto: Select this option for the device to automatically generate a link-local address based on the
241. cal to those of an existing entry in the system.
After you configure the RMON statistics function or the alarm function, you can view the RMON running status and verify the configuration by performing the tasks in Table 23.
Table 23 Displaying RMON running status
Task: Displaying RMON statistics. Remarks: Display the interface statistics during the period from the time the statistics entry is created to the time the page is displayed. The statistics are cleared after the device reboots.
Task: Displaying RMON history sampling information. Remarks: After you create a history control entry on an interface, the system calculates the information of the interface periodically and saves the sampling information to the etherHistoryEntry table. You can perform this task to display the entries in this table. When you configure the history group, the system specifies the number of history sampling records that can be displayed and the history sampling interval.
Task: Displaying RMON event logs. Remarks: If you configure the system to log an event after the event is triggered (when you configure the event group), the event is recorded in the RMON log. Perform this task to display the details of the log table.
Configuring a statistics entry
1. Select Device > RMON from the navigation tree. The Statistics tab page appears.
Figure 80 Statistics entry (tabs: Statistics, History, Alarm, Event, Log; columns: Index, Interface Name, Owner, Status, Operation)
242. carries only one TLV of this type.
Port And Protocol VLAN ID: Indicates whether the device supports protocol VLANs and, if so, what VLAN IDs these protocols will be associated with. An LLDPDU can carry multiple different TLVs of this type.
VLAN Name: Specifies the textual name of any VLAN to which the port belongs. An LLDPDU can carry multiple different TLVs of this type.
Type / Description
Protocol Identity: Indicates the protocols supported on the port. An LLDPDU can carry multiple different TLVs of this type.
DCBX: Data center bridging exchange protocol.
NOTE: HP devices support only receiving protocol identity TLVs.
IEEE 802.3 organizationally specific TLVs
Table 73 IEEE 802.3 organizationally specific TLVs
Type / Description
MAC/PHY Configuration/Status: Contains the rate and duplex capabilities of the sending port, support for autonegotiation, the enabling status of autonegotiation, and the current rate and duplex mode.
Power Via MDI: Contains the power supply capability of the port:
- Port class (PSE or PD)
- Power supply mode
- Whether PSE power supply is supported
- Whether PSE power supply is enabled
- Whether pair selection can be controllable
Link Aggregation: Indicates the support of the port for link aggregation, the aggregation capability of the port, and the aggregation status (whether the link is in an aggregation).
Maximum Frame Size: Indicates the supported maximum frame size. It is now the MT
243. cates.
IMPORTANT: If no certificate is specified, the HTTPS service generates its own certificate.
HTTPS Port Number: Set the port number for the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS. IMPORTANT: When you modify a port, make sure the port is not used by any other service.
Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS.
Using diagnostic tools
This chapter describes how to use the ping and traceroute utilities.
Ping
Use the ping utility to determine if a specific address is reachable. A ping operation involves the following steps:
1. The source device sends ICMP echo requests to the destination device.
2. The destination device responds by sending ICMP echo replies to the source device after receiving the ICMP echo requests.
3. The source device displays related statistics after receiving the replies.
You can ping only the IP address of a device in the current software version.
If the source device does not receive an ICMP echo reply within the timeout time, it displays the following information:
- A prompt
- Ping statistics
If the source device receives ICMP echo replies within the timeout time, it displays the following information:
- Number of bytes for each e
244. cation (1-200 chars), SNMP Version. Note: If you disable SNMP, all SNMP-related configurations will not be saved. Items marked with an asterisk are required.
2. Configure an SNMP view:
a. Click the View tab.
b. Click Add. The page for creating an SNMP view appears.
c. Type view1 in the View Name field.
d. Click Apply.
Figure 123 Creating an SNMP view (1)
e. On the page that appears, select the Included option, type the MIB subtree OID interfaces, and click Add.
f. Click Apply. A configuration progress dialog box appears.
g. Click Close after the configuration process is complete.
Figure 124 Creating an SNMP view (2)
3. Configure an SNMP group:
a. Click the Group tab.
b. Click Add. The page in Figure 125 appears.
c. Type group1 in the Group Name field, select view1 from the Read View list, and select view1 from the Write View list.
d. Click Apply.
Figure 125 Creating an SNMP group
245. cation configuration 408; SNMPv1 configuration 124; SNMPv2c configuration 124; SNMPv3 configuration 127; static route creation (IPv4) 280; static route creation (IPv6) 281; static routing 2 8; static routing configuration (IPv4) 283; static routing configuration (IPv6) 287; static routing default route 279; syslog configuration 61; traceroute 31; VLAN configuration 133, 145; Web device configuration management 64; Web device file management 67; Web device management 52; Web device user management 86; Web interface logout 7; Web service management 314, 315; Web stack configuration 39, 43; Web user level 8; Web-based NM functions 8
NMM: local port mirroring configuration 83; local port mirroring group 80; local port mirroring group monitor port 84; local port mirroring group port 81; local port mirroring group source port 84; local port mirroring local group 83; port mirroring configuration 79; port mirroring recommended procedure 80; RMON configuration 93, 105; RMON group 93; SNMP configuration 111; SNMP mechanism 111; SNMP protocol versions 112; SNMPv1 configuration 124; SNMPv2c configuration 124; SNMPv3 configuration 127; system maintenance 31; traceroute 31
NMS: NMM RMON configuration 93, 105; SNMP protocol versions 112
NTP: configuring system time 57, 58; system time configuration 56
numbering: ACL automatic rule numbering 451, 451; ACL automatic rule renumbering 451; ACL rule numbering step 451
O
op
246. ce.
Introduction to priority mapping tables
The device provides the following types of priority mapping tables:
- CoS-to-Queue (802.1p-to-local mapping table)
- DSCP-to-Queue (DSCP-to-local mapping table), which applies to only IP packets
Table 148 through Table 149 list the default priority mapping tables.
Table 148 Default CoS-to-Queue mapping table (columns: Input CoS value, Local precedence (Queue))
Table 149 Default DSCP-to-Queue mapping table
Input DSCP value: Local precedence (Queue)
0 to 7: 0
8 to 15: 1
16 to 23: 2
24 to 31: 3
32 to 39: 4
40 to 47: 5
48 to 55: 6
56 to 63: 7
Configuration guidelines
When an ACL is referenced by a QoS policy for traffic classification, the action (permit or deny) in the ACL is ignored, and the actions in the associated traffic behavior are performed.
Recommended QoS configuration procedures
Recommended QoS policy configuration procedure
A QoS policy involves the following components: class, traffic behavior, and policy. You can associate a class with a traffic behavior using a QoS policy.
1. Class. Classes identify traffic. A class is identified by a class name and contains some match criteria. You can define a set of match criteria to classify packets. The relationship between criteria can be and or or:
  - and: The device considers that a packet belongs to a class only when the packet matches all the criteria in the class.
  - or: The device
247. ce creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN. (Authentication status: a user has not passed 802.1X authentication yet.)
A user in the 802.1X guest VLAN fails 802.1X authentication: If an 802.1X Auth-Fail VLAN is available, the device remaps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is still in the guest VLAN.
A user in the 802.1X guest VLAN passes 802.1X authentication: The device remaps the MAC address of the user to the authorized VLAN. If the authentication server assigns no authorized VLAN, the device remaps the MAC address of the user to the initial PVID on the port.
To use the 802.1X guest VLAN function on a port that performs MAC-based access control, make sure the port is a hybrid port, and enable MAC-based VLAN on the port. The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member.
Auth-Fail VLAN
You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of a failure to comply with the organization's security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.1X users that have failed au
248. ce handles VLANs on the port differs by 802.1X access control mode.
- On a port that performs port-based access control:
Authentication status / VLAN manipulation
No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled: The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.
A user in the 802.1X guest VLAN fails 802.1X authentication: If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, the device assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can access only resources in the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X guest VLAN, and all users on the port are in the guest VLAN.
A user in the 802.1X guest VLAN passes 802.1X authentication:
  - The device assigns the VLAN specified for the user to the port as the PVID and removes the port from the 802.1X guest VLAN. After the user logs off, the user-configured PVID is restored.
  - If the authentication server assigns no VLAN, the user-configured PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured PVID. After the user logs off, the PVID remains unchanged.
- On a port that performs MAC-based access control:
Authentication status / VLAN manipulation
The devi
249. cho reply
- Message sequence number
- Time to Live (TTL)
- Response time
- Ping statistics
Ping statistics include the following information:
- Number of echo requests sent
- Number of echo replies received
- Percentage of echo replies not received
- Minimum, average, and maximum response time
Traceroute
Traceroute retrieves the IP addresses of Layer 3 devices in the path to a specific destination. You can use traceroute to test network connectivity and identify failed nodes. You can traceroute the IP address or the host name of a destination device. If the target host name cannot be resolved, a prompt appears.
A traceroute operation involves the following steps:
1. The source device sends a packet with a Time to Live (TTL) value of 1 to the destination device.
2. The first-hop device responds with an ICMP TTL-expired message to the source. In this way, the source device gets the address of the first device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with an ICMP TTL-expired message. In this way, the source device gets the address of the second device.
5. The destination device responds with an ICMP port unreachable message because the packet from the source has an unreachable port number. In this way, the source device gets the address of the destination device.
In this way, the source device can get the addresses of all Layer 3 devices on
250. cified, manually configured IPv6 site-local addresses or global unicast addresses are used. (EUI-64)
Configuration guidelines
When you configure VLAN interfaces, follow these guidelines:
- A link-local address is automatically generated for an IPv6 VLAN interface after an IPv6 site-local address or global unicast address is configured for the VLAN interface. This generated link-local address is the same as the one generated in the Auto mode. If a manually assigned link-local address is available, the manually assigned one takes effect. After the manually assigned link-local address is removed, the automatically generated one takes effect.
- For an IPv6 VLAN interface whose IPv6 link-local address is generated automatically after you assign an IPv6 site-local address or global unicast address, removing the IPv6 site-local address or global unicast address also removes the generated IPv6 link-local address.
- For IPv6 link-local address configuration, manual assignment takes precedence over automatic generation. If you first adopt the manual assignment and then the automatic generation, the automatically generated link-local address will not take effect, and the link-local address of the interface is still the manually assigned one. However, if you remove the manually assigned one, the automatically generated one takes effect.
Configuring a voice VLAN
Overview
The voice technology is developing quickly, and more and more
251. cified by OUI address 0011-2200-0000 and mask ffff-ff00-0000 to pass through. The description of the OUI address entry is test.
Figure 161 Network diagram (Switch A, Switch B, Internet; VLAN 2; OUI 0011-2200-0000, Mask ffff-ff00-0000)
Configuring Switch A
1. Create VLAN 2:
a. Select Network > VLAN from the navigation tree.
b. Click the Create tab.
c. Enter VLAN ID 2.
d. Click Create.
Figure 162 Creating VLAN 2
2. Configure GigabitEthernet 1/0/1 as a hybrid port and configure its PVID as VLAN 2:
a. Select Device > Port Management from the navigation tree.
b. Click the Setup tab.
c. Select Hybrid from the Link Type list.
d. Select the PVID box and enter 2 in the field.
e. Select GigabitEthernet 1/0/1 from the chassis front panel.
f. Click Apply.
Figure 163 Configuring GigabitEthernet 1/0/1 as a hybrid port (Basic Configuration: Link Type Hybrid, PVID 2)
252. cket whose target MAC address is all 0s, all 1s, or inconsistent with the destination MAC address in the Ethernet header.
- Discard the ARP request whose sender IP address is all 1s or a multicast address, and discard the ARP reply whose sender and target IP addresses are all 1s or multicast addresses.
ARP Packet Validity Check: If none is selected, the system does not check the validity of ARP packets. If both ARP packet validity check and user validity check are enabled, the system performs the former first and then the latter.
Configuring IGMP snooping
Overview
IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the router.
As shown in Figure 227, when IGMP snooping is not enabled, the Layer 2 switch floods multicast packets to all hosts. When IGMP snooping is enabled, the Layer 2 switch forwards multicast packets of known multicast groups to only the receivers of the multicast groups.
Figure 227 Multicast forwarding before and after IGMP snooping is enabled (left: multicast packet transmission without IGMP snooping; right: multicast packet transmission when IGMP snooping runs; elements: multicast router, source, Layer 2 switch, receivers, Host B)
Basic
253. ckets 128; Number of Received 128 to 255 Bytes Packets 40; Number of Received 256 to 511 Bytes Packets 14; Number of Received 512 to 1023 Bytes Packets 6; Number of Received 1024 to 1518 Bytes Packets 0.
3. Create an event to start logging after the event is triggered:
a. Click the Event tab.
b. Click Add. The page in Figure 94 appears.
c. Type user1-rmon in the Owner field, select the box before Log, and click Apply.
d. The page displays the event entry, and you can see that the entry index of the new event is 1, as shown in Figure 95.
Figure 94 Configuring an event group (Event Type: Log, Trap)
Figure 95 Displaying the index of an event entry (columns: Index, Description, Owner, Status, Type, Trigger Time)
4. Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled:
a. Click the Alarm tab.
b. Click Add. The page in Figure 96 appears.
c. Select Number of Received Bytes from the Static Item list, select GigabitEthernet1/0/1 from the Interface Name list, enter 10 in the Interval field, select Delta from the Simple Type list, enter user1 in the Owner field, enter 1000 in the Rising Threshold field
254. configuration 429; secure MAC address configuration 427; trap feature 421
port-based energy saving configuration 109
port-based VLAN: configuration 135; port frame handling 136; port link type 135; PVID 136
power over Ethernet. Use PoE
power supply priority: PoE interface power management 498
precedence: QoS priority mapping 4 4
priority: Ethernet link aggregation LACP 205; port LACP priority 211; QoS packet 802.1p priority 470; QoS packet IP precedence and DSCP values 469; QoS scheduling 471
priority mapping: map 4 5
procedure: adding NMM local port mirroring group 83; adding QoS policy 483; adding QoS traffic class 478, 480; adding RADIUS server 373; adding rules to SNMP view 116; adding Web device local user 86; applying QoS policy to port 484; authenticating with security 802.1X EAP relay 326; authenticating with security 802.1X EAP termination 327; backing up Web device configuration 64; configuring 802.1X ACL assignment 343; configuring 802.1X Auth-Fail VLAN 336; configuring 802.1X guest VLAN 335; configuring AAA accounting methods for ISP domain 357; configuring AAA authentication methods for ISP domain 355; configuring AAA authorization methods for ISP domain 356; configuring AAA ISP domain 354; configuring ACL 489; configuring ACL Ethernet frame header 459; configuring advanced ACLs 456, 463; configuring alarm entry 100; configuring ARP static 246; configuring authorized IP 443, 444; confi
255. configuration examples
Local MAC authentication configuration example
Network requirements
As shown in Figure 390, configure local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access as follows:
- Configure all users to belong to the domain aabbcc.net, and specify local authentication for users in the domain.
- Use the MAC address of each user as the username and password for authentication, and require that the MAC addresses are hyphenated and in lower case.
- Configure the access device to detect whether a user has gone offline every 180 seconds. When a user fails authentication, the device does not authenticate the user again within 180 seconds.
Figure 390 Network diagram (Supplicant: Host, MAC 00e0-fc12-3456; Authenticator: Switch; IP network)
Configuring a local user
Add a local user. Set the username and password to 00-e0-fc-12-34-56 (the MAC address of the user). Set the service type to LAN access. (Details not shown.)
Configuring AAA
1. From the navigation tree, select Authentication > AAA.
2. On the Domain Setup page, enter the domain name aabbcc.net and click Apply.
Figure 391 Creating an ISP domain (Domain Name (1-24 chars); Default Domain)
3. Click the Authentication tab.
4. Select the ISP domain aabbcc.net.
5. Select LAN-access AuthN and select L
256. configuration procedures 452
Recommended IPv4 ACL configuration procedure 452
Recommended IPv6 ACL configuration procedure 453
Configuring 453
Adding an IPv4 ACL 454
Configuring a rule for a basic IPv4 ACL 455
Configuring a rule for an advanced IPv4 ACL 456
Configuring a rule for an Ethernet frame header ACL 459
Adding an IPv6 ACL 46
Configuring a rule for a basic IPv6 ACL 462
Configuring a rule for an advanced IPv6 ACL 463
Configuring QoS 466
466
Net
257. configured.
Priority: Set a local precedence value for the port.
Trust Mode: Select a priority trust mode for the port:
- Untrust: Packet priority is not trusted.
- Dot1p: The 802.1p priority of the incoming packets is trusted and used for priority mapping.
- DSCP: The DSCP value of the incoming packets is trusted and used for priority mapping.
ACL and QoS configuration example
Network requirements
As shown in Figure 476, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day:
1. Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
2. Configure a QoS policy to drop the packets matching the ACL.
3. Apply the QoS policy in the inbound direction of GigabitEthernet 1/0/1.
Figure 476 Network diagram (FTP server 10.1.1.1/24; Switch)
Configuring Switch
1. Define a time range to cover the period from 8:00 to 18:00 every day:
a. Select QoS > Time Range from the navigation tree.
b. Click the Add tab.
c. Enter the time range name test-time.
d. Select the Periodic Time Range box.
e. Set the Start Time to 8:00 and the End Time to 18:00.
f. Select the options Sun through Sat.
g. Click Apply.
Figure 477 Defining a time range covering 8:00 to 18:00 every day
258. ctional modules to a file named default.diag, and then you can locate problems faster by checking this file.
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Diagnostic Information tab.
Figure 43 Diagnostic information (tabs: Software Upgrade, Reboot, Electronic Label, Diagnostic Information; button: Create Diagnostic Information File. Note: The operation may take a long time. Do not perform any operation while the diagnostic information file is being created.)
3. Click Create Diagnostic Information File. The system begins to generate a diagnostic information file.
4. Click Click to Download. The File Download dialog box appears.
5. Select to open this file or save this file to the local host.
Figure 44 The diagnostic information file is created (message: Creating diagnostic information file succeeded)
The generation of the diagnostic file takes a period of time. During this process, do not perform any operation on the Web page. After the diagnostic file is generated successfully, you can view this file on the page you enter by selecting Device > File Management, or download this file to the local host. For more information, see "Managing files."
Configuring system time
Overview
You must c
259. curity is disabled globally.
Configuring advanced port security control: Required. This function configures the advanced port security mode, intrusion protection action, or outbound restriction, and selects whether to ignore the authorization information from the RADIUS server. By default, port security is disabled on all ports, and access to the ports is not restricted.
Configuring permitted OUIs: Optional. This setting is available only for the 802.1X MAC Based Or OUI mode. You can configure up to 16 permitted OUI values. A port in this mode allows only one 802.1X user and one user whose MAC address contains the specified OUI to pass authentication at the same time. By default, no OUI values are configured.
Configuring global settings for port security
1. From the navigation tree, select Authentication > Port Security.
Figure 409 Port security configuration page (areas: Port Security Configuration (Enable Port Security, Advanced); Security Ports And Secure MAC Address List (columns: Port, Max Number of MAC, Intrusion Protection, Outbound Restriction, Operation); Advanced Port Security Configuration (Ports Enabled With Advanced Features; Permitted OUIs for ports working in the mode of 802.1X MAC Based Or OUI))
2. In the Port Security Configuration area, click Advanced.
Figure 410 Port security configuration
260. d. Create a PKI domain, setting the certificate request mode to Manual.
2. Creating a PKI domain: Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
3. Generating an RSA key pair: Required. Generate a local RSA key pair. By default, no local RSA key pair exists. Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information. IMPORTANT: If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.
4. Retrieving the CA certificate: Required. Certificate retrieval serves the following purposes:
- Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
- Prepare for certificate verification.
IMPORTANT: If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This avoids a possible mismatch between certificates and registration information resulting from relevant changes. To retrieve the CA certificate, you must re
261. d Del Selected.
Configure MAC authentication global settings as described in Table 125, and then click Apply.
Table 125 Configuration items
Item / Description
Enable MAC Authentication: Specifies whether to enable MAC authentication globally.
Offline Detection Period: Sets the period that the device waits for traffic from a user before it regards the user idle.
Quiet Time: Sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication.
Server Timeout Time: Sets the interval that the device waits for a response from a RADIUS server before it regards the RADIUS server unavailable.
Authentication ISP Domain: Specifies the ISP domain for MAC authentication users. If no ISP domain is specified, the system default authentication domain is used for MAC authentication users.
Authentication Information Format: Configures the properties of MAC authentication user accounts:
- MAC without hyphen: Uses MAC-based accounts and excludes hyphens from the MAC address, for example, xxxxxxxxxxxx.
- MAC with hyphen: Uses MAC-based accounts and hyphenates the MAC address, for example, xx-xx-xx-xx-xx-xx.
- Fixed: Uses a shared account. You must specify a username and password for the account.
Configuring MAC authentication on a port
1. From the navigation tree, select Authentication > MAC Authentication.
2. In the Ports With MAC Authentication
262. d Switch D are connected to one another. Create a stack where Switch A is the master device and Switch B, Switch C, and Switch D are member devices. An administrator can log in to Switch B, Switch C, and Switch D through Switch A to perform remote configurations.
Figure 30 Network diagram (stack: Switch B, Switch C, and Switch D are member devices)
Configuration procedure
1. Configure global parameters for the stack on Switch A:
a. Select Stack from the navigation tree of Switch A, and then perform the subsequent steps on the Setup tab, as shown in Figure 31.
b. Type 192.168.1.1 in the field of Private Net IP.
c. Type 255.255.255.0 in the field of Mask.
d. Select Enable from the Build Stack list.
e. Click Apply.
Figure 31 Configuring global parameters for the stack on Switch A (Setup tab: Global Settings with Private Net IP 192.168.1.1, Mask 255.255.255.0, Build Stack Enable; Port Settings list of Port Name and Port Status, GigabitEthernet1/0/1 to GigabitEthernet1/0/5 shown as "not stack port", 28 records, 5 per page; Enable, Disable)
Switch A becomes the master device.
2. Configure a stack port on Switch A:
a. In the Port Settings area on the Set
263. d for verifying the CA root certificate. After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
Fingerprint: If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 characters in hexadecimal notation. If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must be a string of 40 characters in hexadecimal notation. If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure the CA server is trusted. IMPORTANT: The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the certificate request mode as Manual, you can leave the fingerprint settings null. If you do not configure the fingerprint, the entity will not verify the CA root certificate, and you yourself must make sure the CA server is trusted.
Polling Count: Set the polling interval and attempt limit for querying the certificate request status. After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request i
264. d in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.
Quiet Time: Set the time the device keeps an unreachable RADIUS server in blocked state. If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the server's status that it maintains. It simply sends the request to the next server in the active state. As a result, when the device needs to send a request of the same type for another user, it still tries to send the request to the server, because the server is in the active state. You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the device's port for connecting the server is out of service temporarily or the server is busy, you can set the time to 0 so that the device uses the primary server as much as possible.
Server Response Timeout Time: Set the RADIUS server response timeout time. If the device sends a RADIUS request to a RADIUS server but receives no response in the specified server response timeout time, it retransmits the request. Setting a proper value according to the network conditions helps in improving the system performance.
Item: Description
Set the maximum number of attempts for transmitting a RADIUS
265. d port recording binding entries; ... port not recording binding entries (table rows: Switch B: GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4; Switch C: GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4)
DHCP snooping support for Option 82
Option 82 records the location information about the DHCP client, so the administrator can locate the DHCP client for security and accounting purposes. For more information, see Option 82.
DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages, as shown in Table 99. If a response returned by the DHCP server contains Option 82, DHCP snooping removes Option 82 before forwarding the response to the client. If the response contains no Option 82, DHCP snooping forwards it directly.
Table 99 Handling strategy
If a DHCP request has Option 82, the DHCP snooping device acts according to the handling strategy: Drop, drops the message; Keep, forwards the message without changing Option 82; Replace, forwards the message after replacing the original Option 82 with the Option 82 padded in normal format.
If a DHCP request has no Option 82 (handling strategy N/A), the DHCP snooping device forwards the message after adding the Option 82 padded in normal format.
Recommended configuration procedure
Task: Remarks
Enabling DHCP snooping: Required. By default, DHCP snooping is disabled.
Required. Specify an interface as trusted and configure DHCP snooping to support
266. d (Add SNMP User page, continued: Confirm Authentication Password; Privacy Mode; Privacy Password; Confirm Privacy Password; ACL; items marked with an asterisk are required; Apply, Cancel)
4. Configure the SNMP user as described in Table 37.
5. Click Apply.
Table 37 Configuration items
Item: Description
User Name: Set the SNMP user name.
Security Level: Select the security level for the SNMP group. The available security levels are: NoAuth/NoPriv, no authentication, no privacy; Auth/NoPriv, authentication without privacy; Auth/Priv, authentication and privacy.
Group Name: Select an SNMP group to which the user belongs. When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication, no privacy. When the security level is Auth/NoPriv, you can select an SNMP group with no authentication, no privacy, or authentication without privacy. When the security level is Auth/Priv, you can select an SNMP group of any security level.
Authentication Mode: Select an authentication mode, including MD5 and SHA, when the security level is Auth/NoPriv or Auth/Priv.
Authentication Password: Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.
Confirm Authentication Password: The confirm authentication password must be the same as the authentication password.
Privacy Mode: Select a privacy mode, including DES56, AES128, and 3DES, when the
267. d secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both the communication parties can verify the identity of each other through digital certificates.
Recommended configuration procedures
The device supports the following PKI certificate request modes:
Manual: In manual mode, you need to manually retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
Auto: In auto mode, an entity automatically requests a certificate through the SCEP when it has no local certificate or the present certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations.
Recommended configuration procedure for manual request
Step: Remarks
1. Creating a PKI entity: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity. A CA identifies a certificate applicant uniquely by an entity DN. The DN settings of an entity must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected. You must know the policy to determine which entity parameters are mandatory or optional.
Step: Remarks
Require
268. d specify the VLAN IDs to be advertised.
VLAN Name: If no VLAN is specified, the lowest VLAN carried on the port is advertised.
DOT3 TLV Setting
Link Aggregation: Select the box to include the link aggregation TLV in transmitted LLDP frames.
MAC/PHY Configuration Status: Select the box to include the MAC/PHY configuration status TLV in transmitted LLDP frames.
Maximum Frame Size: Select the box to include the maximum frame size TLV in transmitted LLDP frames.
Power via MDI: Select the box to include the power via MDI TLV and power stateful control TLV in transmitted LLDP frames.
MED TLV Setting
LLDP-MED Capabilities: Select the box to include the LLDP-MED capabilities TLV in transmitted LLDP frames.
Inventory: Select the box to include the hardware revision TLV, firmware revision TLV, software revision TLV, serial number TLV, manufacturer name TLV, model name TLV, and asset ID TLV in transmitted LLDP frames.
Network Policy: Select the box to include the network policy TLV in transmitted LLDP frames.
Extended Power via MDI: Select the box to include the extended power via MDI TLV in transmitted LLDP frames.
Emergency Number: Select the box to encode the emergency call number in the location identification TLV in transmitted LLDP frames, and set the emergency call number.
Address: Select Address to encode the civic address information of the network connectivity device in the location identification TLV in transmitted LLDP frames. In addition
269. ddress of the user to the server-assigned VLAN. A user in the Auth-Fail VLAN passes 802.1X authentication: if the authentication server assigns no VLAN, remaps the MAC address of the user to the initial PVID on the port.
To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must ensure that the port is a hybrid port, and enable MAC-based VLAN on the port. The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
ACL assignment
You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device. You can change ACL rules while the user is online.
Configuration prerequisites
When you configure 802.1X, follow these restrictions and guidelines:
Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For more information, see Configuring AAA and Configuring RADIUS.
If RADIUS authentication is used, create user accounts on the RADIUS server. If local authentication is used, create local user accounts on the access device and specify the LAN access service for the user accounts. For more information, see Configuring users.
Recommended configuration proc
270. different routing protocols are available in a routing table, and they can be divided into the following categories by origin:
Direct routes: Routes discovered by data link protocols, also known as interface routes.
Static routes: Manually configured routes. Static routes are easy to configure and require fewer system resources. They work well in small and stable networks, but cannot adjust to network changes, so you must manually configure the routes again whenever the network topology changes.
Dynamic routes: Routes that are discovered dynamically by routing protocols.
Each entry in the FIB table specifies a physical interface that packets destined for a certain address should go out to reach the next hop (the next router) or the directly connected destination. A route entry includes the following items:
Destination IP address: Destination IP address or destination network.
Mask (IPv4) / prefix length (IPv6): Specifies, together with the destination address, the address of the destination network. A logical AND operation between the destination address and the network mask or prefix length yields the address of the destination network.
Preference: Routes to the same destination might be discovered by various routing protocols or manually configured, and routing protocols and static routes have different preferences configured. The route with the highest preference (the smallest value) is optimal.
Outbound interface: Specifies the
271. ding of certificate owner identity information and a public key. Users can get certificates, use certificates, and revoke certificates. By leveraging digital certificates and relevant services like certificate and blacklist distribution, PKI supports authenticating the entities involved in communication, and therefore guarantees the confidentiality, integrity, and non-repudiation of data.
PKI terms
Digital certificate
A digital certificate is a file signed by a certificate authority (CA) that contains a public key and the related user identity information. A simplest digital certificate contains a public key, an entity name, and a digital signature from the CA. Generally, a digital certificate also includes the validity period of the key, the name of the CA, and the sequence number of the certificate. A digital certificate must comply with the international standard of ITU-T X.509. This document involves local certificate and CA certificate. A local certificate is a digital certificate signed by a CA for an entity. A CA certificate, also known as a root certificate, is signed by the CA for itself.
CRL
An existing certificate might need to be revoked when, for example, the username changes, the private key leaks, or the user stops the business. Revoking a certificate will remove the binding of the public key with the user identity information. In PKI, the revocation is made through certificate revocation lists (CRLs). When a certificate is revoked, th
272. ds and switchover of the active and standby main boards.
Protocols and standards
MSTP is documented in the following protocols and standards:
IEEE 802.1d, Spanning Tree Protocol
IEEE 802.1w, Rapid Spanning Tree Protocol
IEEE 802.1s, Multiple Spanning Tree Protocol
Configuration guidelines
When you configure MSTP, follow these guidelines:
Two or more spanning tree devices belong to the same MST region only if they are configured to have the same MST region name, MST region level, and the same VLAN-to-instance mapping entries in the MST region, and they are connected through a physical link.
If two or more devices are selected as the root bridge in a spanning tree at the same time, the device with the lowest MAC address is chosen.
If BPDU guard is disabled, a port set as an edge port becomes a non-edge port again if it receives a BPDU from another port. To restore its port role as an edge port, you must restart the port.
If a port directly connects to a user terminal, configure it as an edge port and enable BPDU guard for it. This enables the port to quickly transit to the forwarding state while ensuring network security.
Recommended MSTP configuration procedure
Step: Remarks
1. Configuring an MST region: Optional. Configure the MST region-related parameters and VLAN-to-instance mappings. By default, the MST region-related parameters adopt the default values, and all VLANs in an MST region are mapped to MSTI 0.
273. dvanced Search (LLDP port list: Port Name, LLDP Status, LLDP Work Mode, Operation; GigabitEthernet1/0/6 Disabled Rx; GigabitEthernet1/0/7 Disabled TxRx; GigabitEthernet1/0/8 Disabled TxRx; GigabitEthernet1/0/9 Disabled TxRx; GigabitEthernet1/0/13 Disabled Tx; GigabitEthernet1/0/15 Disabled TxRx; 6 records, 15 per page, page 1/1, record 1-6)
Advanced search: As shown in Figure 9, you can click the Advanced Search link to open the advanced search area. Specify the search criteria and click Apply to display the entries that match the criteria.
Figure 9 Advanced search (fields: Port Name; And/Or; Match Case; Search in the result; Apply, Cancel)
Take the LLDP table shown in Figure 7 as an example. To search for the LLDP entries with LLDP Work Mode TxRx and LLDP Status Disabled:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 10, and click Apply. The LLDP entries with LLDP Work Mode being TxRx are displayed.
Figure 10 Advanced search function example (1) (fields: LLDP Work Mode, Equal to; And/Or; Match Case; Search in the result; Apply, Cancel)
2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 11, and click Apply. The LLDP entries with LLDP Work Mode being TxRx and LLDP Status being Disabled are displayed, as shown in Figure 12.
Figure 11 Advanced se
274. e a. In the RADIUS Server Configuration area, click Add.
b. Select the server type Backup Authentication.
c. Enter the IP address 10.1.1.2 and enter the port number 1812.
d. Click Apply. The RADIUS Server Configuration area displays the backup authentication server you have configured.
4. Configure the primary accounting server in the RADIUS scheme:
a. In the RADIUS Server Configuration area, click Add.
b. Select the server type Primary Accounting.
c. Enter the IP address 10.1.1.2 and enter the port number 1813.
d. Click Apply. The RADIUS Server Configuration area displays the accounting server you have configured.
5. Configure the secondary accounting server in the RADIUS scheme:
a. In the RADIUS Server Configuration area, click Add.
b. Select the server type Backup Accounting.
c. Enter the IP address 10.1.1.1 and enter the port number 1813.
d. Click Apply. The RADIUS Server Configuration area displays the backup accounting server you have configured.
6. On the RADIUS configuration page, click Apply.
Configuring AAA for the scheme
1. Create an ISP domain:
a. From the navigation tree, select Authentication > AAA. The Domain Setup page appears.
b. Select test from the Domain Name list, and select Enable from the Default Domain list.
c. Click Apply.
Figure 315 Creating an ISP domain (Domain Setup tab: Domain Name (1-24 chars); Default Domain; Apply; "Please select the ISP domain")
275. e (port list, continued: page 1/6, record 1-5; Next, Last; GO; Disable)
Switch B becomes a member device.
On Switch C, configure GigabitEthernet 1/0/1, the port connected to Switch B, as a stack port:
a. Select Stack from the navigation tree of Switch C.
b. In the Port Settings area on the Setup tab, select GigabitEthernet1/0/1.
c. Click Enable.
Figure 34 Configuring a stack port on Switch C (Setup tab: Global Settings with Private Net IP, Mask, Build Stack Disable; Port Settings list of Port Name and Port Status, GigabitEthernet1/0/1 to GigabitEthernet1/0/5 shown as "not stack port", 28 records, 5 per page, page 1/6, record 1-5; Enable, Disable)
Switch C becomes a member device.
On Switch D, configure GigabitEthernet 1/0/1, the port connected to Switch B, as a stack port:
a. Select Stack from the navigation tree of Switch D.
b. In the Port Settings area on the Setup tab, select GigabitEthernet1/0/1.
c. Click Enable.
Switch D becomes a member device.
Verifying the configuration
To verify the stack topology on Switch A:
1. Select Stack from the navigation tree of Switch A.
2. Click the Topology Summary tab.
Figure 35 Verifying the configuration (Topology Summary tab: Member ID 0, Role Master; Member ID 1, Role Slave; Member ID 2, Role Slave
276. e C connects to a small-sized LAN in which some PCs belong to VLAN 2 and other PCs belong to VLAN 3, and Device B is uncertain about whether Device C supports VLAN-tagged packets. Configure on Device B the port connecting to Device C as a hybrid port, to allow packets of VLAN 2 and VLAN 3 to pass through untagged.
Figure 133 Port link types (Device A, Device B, Device C; VLAN 2 and VLAN 3; access links are required, trunk links are required, hybrid links are required)
PVID
By default, VLAN 1 is the PVID for all ports. You can change the PVID for a port as required. Use the following guidelines when you configure the PVID on a port:
An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.
A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.
You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port. After you delete the VLAN that an access port resides in, the PVID of the port changes to VLAN 1. However, deleting the VLAN specified as the PVID of a trunk or hybrid port does not affect the PVID setting on the port.
HP recommends that you set the same PVID for local and remote ports.
Make sure a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID or untagged frames, the port drops these frames.
Frame handling methods
277. e CA publishes one or more CRLs to show all certificates that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way for checking the validity of certificates. A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL might degrade network performance.
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. Because different CAs might use different methods to examine the binding of a public key with an entity, make sure you understand the CA policy before selecting a trusted CA for certificate request.
PKI architecture
A PKI system consists of entities, a CA, a registration authority (RA), and a PKI repository.
Figure 367 PKI architecture (Entity / PKI user; CA; PKI management authorities; PKI repository; issue a certificate; issue a CRL)
An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer. A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the v
278. e Diameter (MSTP global setup, continued: timers in centiseconds; Forward Delay 400-3000, must be a multiple of 100; Hello Time 100-1000, must be a multiple of 100; Max Age 600-4000, must be a multiple of 100; Instance: Instance ID, Root Type Not Set, Bridge Priority 32768; TC Protection Enable; TC Protection Threshold 1-255, default 6; Apply)
Configuring link aggregation and LACP
Overview
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an aggregate link. Link aggregation has the following benefits:
Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.
Improved link reliability. The member ports dynamically back up one another. When a member port fails, its traffic is automatically switched to other member ports.
Basic concepts
Aggregate interface: An aggregate interface is a logical interface.
Aggregation group: An aggregation group is a collection of Ethernet interfaces. When you create an aggregate interface, the switch automatically creates an aggregation group of the same number as the aggregate interface.
Aggregation states of the member ports in an aggregation group: A member port in an aggregation group can be in either of the following states:
Selected: A Selected port can forward user traffic.
Unselected: An Unselected port cannot forward user traffic. The po
279. e ID of the VLAN interface to be created. Before creating a VLAN interface, make sure the corresponding VLAN exists.
Configure IPv4 Address (these items are available after you select the Configure IPv4 Address box):
DHCP / BOOTP / Manual: Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to get an IP address automatically by selecting the DHCP or BOOTP option. Otherwise, select the Manual option to manually assign the VLAN interface an IP address. After a VLAN interface fails to get an IP address through DHCP multiple times, the device stops IP address application and configures the default IP address for the interface.
Primary IPv4 Address: Configure an IPv4 address for the VLAN interface. This field is available after you select the Manual option.
Mask Length: Set the subnet mask length or enter a mask in dotted decimal notation format. This field is available after you select the Manual option.
Item: Description
Configure IPv6 Link Local Address (these items are available after you select the Configure IPv6 Link Local Address box):
Auto / Manual: Configure the way in which the VLAN interface gets an IPv6 link-local address. Select the Auto or Manual option. Auto: the device automatically assigns a link-local address to the VLAN interface, based on the link-local address prefix FE80::/64 and the link-layer address of the VLAN interface. Manual: requires manual assignment.
IPv6 Link Local Address: Configure an IPv6 l
280. e ... 266
How MLD snooping works ... 268
Protocols and standards ... 269
Recommended configuration procedure ... 269
Enabling MLD snooping globally ... 270
Configuring MLD snooping ... 270
Configuring MLD snooping port functions ... 272
Displaying MLD snooping multicast forwarding entries ... 273
MLD snooping configuration example ... 274
Network requirements ... 274
Configuration procedure ... 274
Verifying the configuration ... 277
Configuring IPv4 and IPv6 routing ... 278
Overview ... 278
Routing table ... 278
Static route ... 278
... 279
Displaying the IPv4 active route table ... 279
Creating an IPv4 static route ... 280
Displaying the IPv6 active route table ... 281
Creating an IPv6 static route ... 28
IPv4 static route configuration example ... 283
Network requirements ... 283
Configuration procedure ...
281. e Table 107 when configuring multiple security features on a port.
Table 107 Relationships of the 802.1X Auth-Fail VLAN with other features
Feature: Relationship description
MAC authentication guest VLAN on a port that performs MAC-based access control: The 802.1X Auth-Fail VLAN has a high priority.
Port intrusion protection on a port that performs MAC-based access control: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action, but it has lower priority than the shutdown port action of the port intrusion protection feature.
802.1X configuration examples
MAC-based 802.1X configuration example
Network requirements
As shown in Figure 311, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users. Enable periodic re-authentication of online users on the port, so that the server can periodically update the authorization information of the users.
Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS accounting fails, the access device logs the user off. The RADIUS servers run CAMS or IMC. Configure the host at 10.1.1.1 as the primary authentication and secondary accounting servers, and the host at 10.1.1.2 as the secondary authentication and primary accounting servers. Assign all users to the ISP d
282. e View tab. The page in Figure 102 appears.
3. Click the icon of the target view. The Add rule for the view ViewDefault window appears.
Figure 105 Adding rules to an SNMP view (Add rule for the view ViewDefault: Rule, Included or Excluded; MIB Subtree OID; Subtree Mask; items marked with an asterisk are required; Apply, Cancel)
4. Configure the parameters as described in Table 34.
5. Click Apply.
NOTE: You can also click the icon corresponding to the specified view on the page as shown in Figure 102, and then you can enter the page to modify the view.
Configuring an SNMP community
1. Select Device > SNMP from the navigation tree.
2. Click the Community tab. The Community tab appears.
Figure 106 Configuring an SNMP community (Community tab: list of Community Name, Access Right, MIB View, ACL, Operation; example row: community, Read only, ViewDefault, 2001; Add, Delete Selected)
3. Click Add. The Add SNMP Community page appears.
Figure 107 Creating an SNMP Community (Add SNMP Community: Community Name; Access Right; ACL; items marked with an asterisk are required; Apply, Cancel)
4. Configure the SNMP community as described in Table 35.
5. Click Apply.
Table 35 Configuration items
Item: Description
Community Name: Set the SNMP community name.
Configure SNMP N
283. e change traps on the NMS.
Displaying interface statistics
The interface statistics module displays statistics about the packets received and sent through interfaces. To display interface statistics, select Device > Interface Statistics from the navigation tree.
Figure 129 Interface statistics display page (columns: Interface Name, InOctets, InUcastPkts, InNUcastPkts, InDiscards, InErrors, InUnknownProtos, OutOctets, OutUcastPkts, OutNUcastPkts, OutDiscards, OutErrors, Last clear time; rows for GigabitEthernet1/0/1 through GigabitEthernet1/0/15, 30 records, 15 per page; Reset Selected, Reset All)
Table 39 describes the fields on the page.
Table 39 Field description
Field
284. e configuration BPDUs.
Protection type: Description
Root Protection: Enables the root guard function. Configuration errors or attacks might result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology change to occur. The root guard function is used to address such a problem.
Loop Protection: Enables the loop guard function. By keeping receiving BPDUs from the upstream device, a device can maintain the state of the root port and other blocked ports. These BPDUs might get lost because of network congestion or unidirectional link failures. The device will re-elect a root port, and blocked ports might transit to the forwarding state, causing loops in the network. The loop guard function is used to address such a problem.
Displaying MSTP information of a port
1. From the navigation tree, select Network > MSTP.
2. Click the Port Summary tab.
3. Select a port on the chassis front panel. If you have configured aggregate interfaces on the device, the page displays a list of aggregate interfaces below the chassis front panel. You can select aggregate interfaces from this list.
The lower part of the page displays the MSTP information of the port in MSTI 0 when STP is enabled globally, or the STP status and statistics when STP is not enabled globally, the MSTI to which the port belongs, and the path cost and priority of the port in the MST
285. …the date specified is in the MM/DD/YYYY format. The end time must be greater than the start time. Adding an IPv4 ACL: 1. Select QoS > ACL IPv4 from the navigation tree. 2. Click the Add tab. Figure 446 Adding an IPv4 ACL (screenshot: tabs Summary, Add, Basic Setup, Advanced Setup, Link Layer Setup, Remove; fields ACL Number (2000-2999 for basic ACLs, 3000-3999 for advanced ACLs, 4000-4999 for Ethernet frame header ACLs), Match Order (Config), Description (1-127 characters); Apply; the list below shows ACL Number, Type, Number of Rules, Match Order and Description). 3. Add an IPv4 ACL as described in Table 138. 4. Click Apply. Table 138 Configuration items: Item / Description. ACL Number: Set the number of the IPv4 ACL. Match Order: Set the match order of the ACL. Available values are: • Config: Packets are compared against ACL rules in the order in which the rules are configured. • Auto: Packets are compared against ACL rules in depth-first match order. Description: Set the description for the ACL. Configuring a rule for a basic IPv4 ACL: 1. Select QoS > ACL IPv4 from the navigation tree. 2. Click the Basic Setup tab. The rule configuration page for a basic IPv4 ACL appears. Figure 447 Configuring a basic IPv4 ACL (screenshot: tabs Summary, Add, Basic Setup, Advanced Setup, Link Layer Setup, Remove; Select an ACL; Configure a Basic ACL with Rule ID (0-65534; if no ID is entered, the system will specify one), Action, Check Fragment, Check Logging, Time Range …
286. (Port Priority) …different priorities in different MSTIs, and the same port can play different roles in different MSTIs, so that data of different VLANs can be propagated along different physical paths, implementing per-VLAN load balancing. You can set port priority values based on the actual networking requirements. (Auto Path Cost and Manual Path Cost) • Path cost: A parameter related to the rate of a port. On an MSTP-enabled device, a port can have different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows to be forwarded along different physical links, achieving VLAN-based load balancing. The device can automatically calculate the default path cost; alternatively, you can manually configure the path cost for ports. • Point to Point: Specifies whether the port is connected to a point-to-point link. ◦ Auto: Configures the device to automatically detect whether or not the link type of the port is point-to-point. ◦ Force False: The link type for the port is not a point-to-point link. ◦ Force True: The link type for the port is a point-to-point link. If a port is configured as connecting to a point-to-point link, the setting takes effect on the port in all MSTIs. If the physical link to which the port connects is not a point-to-point link and you force it to be a point-to-point link by configuration, the configuration might incur a temporary loop. Advanced: • Transmit Limit: Configures the maximum number…
287. (table of contents fragment) … 137; Recommended configuration procedure for assigning a trunk port to a VLAN, 137; Recommended configuration procedure for assigning a hybrid port to a VLAN, 138; Creating VLANs, 139; Configuring the link type of a port, 140; Setting the PVID for a port, 141; Selecting VLANs, 142; Modifying a VLAN, 143; Modifying ports, 144; VLAN configuration example, 145; Network requirements, 145; Configuring Switch …, 145; Configuring Switch …, 149; Configuration guidelines, 149; Configuring …, 150; …, 150; Creating a VLAN interface, 150; Modifying a VLAN interface, 152; Configuration guidelines, 155; Configuring a voice VLAN, 156; …
288. …interface. Table 63 Class-two configurations: Type / Considerations. Port isolation: Whether a port has joined an isolation group, and the isolation group to which the port belongs. VLAN: Permitted VLAN IDs, port VLAN ID (PVID), link type (trunk, hybrid, or access), IP subnet-based VLAN configuration, protocol-based VLAN configuration, and VLAN tagging mode. MAC address learning: MAC address learning capability, MAC address learning limit, and forwarding of frames with unknown destination MAC addresses after the upper limit of the MAC address table is reached. • Class-one configurations: Include settings that do not affect the aggregation state of the member port even if they differ from those on the aggregate interface. For example, MSTP can be configured on aggregate interfaces and member ports. Class-one configurations do not take effect in operational key calculation. Any class-two configuration change might affect the aggregation state of link aggregation member ports and running services. To make sure you are aware of the risk, the system displays a warning message every time you attempt to change a class-two configuration setting on a member port. Link aggregation modes: Based on the link aggregation procedure, link aggregation operates in one of the following modes: • Static aggregation mode • Dynamic aggregation mode. Static aggregation mode: LACP is disabled on the member ports in a static aggr…
289. …link type of the port as hybrid. To configure a trunk port as a hybrid port, first configure it as an access port. If you configure multiple untagged VLANs for a trunk port at the same time, the trunk port automatically becomes a hybrid port. By default, the link type of a port is access. Step / Remarks: 2. Configuring the link type of a port. 3. Setting the PVID for a port (Optional): Configure the PVID of the hybrid port. By default, the PVID of a hybrid port is VLAN 1. 4. Configure the hybrid port as an untagged member of the specified VLANs (N/A): a. Selecting VLANs (Required): Specify the range of VLANs available for selection during related operations. Configure a subset of all existing VLANs. This step is required before you perform operations on the Detail, Modify VLAN and Modify Port tabs. b. Modifying a VLAN: Configure the hybrid port as an untagged member of the specified VLAN. A hybrid port can have multiple untagged VLANs; repeat these steps to configure multiple untagged VLANs for a hybrid port. By default, the untagged VLAN of a hybrid port is VLAN 1. 5. Modifying ports: Configure the untagged VLAN of the hybrid port. 6. Configure the hybrid port as a tagged member of the specified VLAN (N/A): a. Selecting VLANs (Required): Specify the range of VLANs available for selection during related operations. Configure a subset of all existing VLANs. This step is required before you… A hybrid port can have…
290. …navigation tree, select Authentication > Port Security. The Port Security page appears. In the Security Ports And Secure MAC Address List area, click Secure MAC Address List. The secure MAC address configuration area displays the secure MAC addresses that have been learned or configured. Figure 413 Secure MAC address list (screenshot: search by Port; columns Port, MAC, VLAN ID, Operation; one entry for GigabitEthernet1/0/3 with MAC 001b-2188-85ff in VLAN 100; Add and Del Selected buttons). Click Add. The page for adding a secure MAC address appears. Figure 414 Adding secure MAC address (screenshot: Port GigabitEthernet1/0/3 (select a port with Port Security enabled); Secure MAC Address; VLAN ID (1-4094; the VLAN ID should match the port); items marked with an asterisk are required; Apply, Cancel). Configure a secure MAC address as described in Table 128. Click Apply. Table 130 Configuration items: Item / Description. Port: Selects a port where the secure MAC address is configured. Secure MAC Address: Enters the MAC address that you want to configure as a secure MAC address. VLAN ID: Enters the ID of the VLAN in which the secure MAC address is configured. The VLAN must already exist on the selected port. Configuring advanced port security control: 1. From the navigation tree, select Authentication > Port Security. The Port Security page appears. 2. In the Advanced Port Security Configuration area, click…
291. …on the progress dialog box when the dialog box prompts that the configuration succeeds. Figure 136 Modifying the PVID for a port (screenshot: tabs Select VLAN, Create, Port Detail, Detail, Modify VLAN, Remove; Select Ports with Select All and Select None, ports not available for selection marked; Select membership type: Untagged, Tagged, Not A Member, Link Type, PVID; Delete; Selected ports list including GE1/0/3; Apply, Cancel). Selecting VLANs: 1. From the navigation tree, select Network > VLAN. The Select VLAN tab is displayed by default for you to select VLANs. Figure 137 Selecting VLANs (screenshot: tabs Create, Port Detail, Detail, Modify VLAN, Modify Port, Remove; VLAN range display: select an option to view all available VLANs or a subset of configured VLANs; Display all VLANs (Note: this option may reduce browser response time); Display a subset of all configured VLANs (example: 3,5-10); Select; VLAN Summary with columns ID, Description, Untagged Membership, Tagged Membership). 2. Select the Display all VLANs option to display all VLANs, or select the Display a subset of all configured VLANs option and enter the VLAN IDs to be displayed. 3. Click Select. Modifying a VLAN: 1. From the navigation tree, select Network > VLAN. 2. Click Modify VLAN to enter the page for modifying a VLAN. Figure 138 Modifying a VLAN (screenshot: tabs Select VLAN, Create, Port Detail, Detail, Modify Port, Remove; Please select a VLAN to modify; Modify Description (optio…
292. …replaced with the calculated configuration BPDU. • Then port CP2 receives the updated configuration BPDU of Device B, {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its own configuration BPDU, Device C launches a BPDU update process: • CP1: {0, 0, 0, AP2} • CP2: {0, 5, 1, BP2}. • At the same time, port CP1 receives periodic configuration BPDUs from Device A. Device C does not launch an update process after comparison. After comparison: • Because the root path cost of CP2 (9, the root path cost of the BPDU (5) plus the path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10, the root path cost of the BPDU (0) plus the path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU and CP2 is elected as the root port; its messages will not be changed. • After comparison between the configuration BPDU of CP1 and the calculated designated port configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port unchanged, and the port will not receive data from Device A until a spanning tree calculation process is triggered by a new event, for example, the link from Device B to Device C going down. Resulting BPDUs of Device C: blocked port CP1 {0, 0, 0, AP2}; root port CP2 {0, 5, 1, BP2}. After the comparison processes described in Table 56, a spanning tree with Device A as the root bridge is established, and the topology is as shown in Figure 175. Figure 175 The final calculated…
293. …same VLAN regardless of their physical locations. VLAN technology delivers the following benefits: • Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance. • Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required. • Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible. VLAN fundamentals: To enable a network device to identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation. The format of VLAN-tagged frames is defined in IEEE 802.1Q-1999. In the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address is the Type field, which indicates the upper layer protocol type, as shown in Figure 131. Figure 131 Traditional Ethernet frame format. IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 132. Figure 132 Position and format of VLAN tag. A VLAN tag comprises the following fields: Tag protocol identifier (TPID): The 16-bit TPID field indicates whether the frame is VLAN tagged, and is 0x8100 by default. Priority: The 3-bit priority…
294. …decimal numbers and separated from its neighboring fields by colons. Select the Destination IP Address box and enter a destination IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colons. Select the protocol number. If you select 58 (ICMPv6), you can configure the ICMP message type and code. If you select 6 (TCP) or 17 (UDP), you can configure the TCP- or UDP-specific items. Specify the ICMPv6 message type and code. These items are available only when you select 58 (ICMPv6) from the Protocol list. If you select Other from the Named ICMPv6 Type list, you need to enter values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the two fields take the default values, which cannot be changed. Select the operators and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 (TCP) or 17 (UDP) from the Protocol list. Different operators have different configuration requirements for the port number fields: • Not Check: The following port number fields cannot be configured. • Range: The following port number fields must be configured to define a port range. • Other values: The first port number field must be configured and the second must not. Only Not Check and Other va…
295. …select 0 from the Prefix Length list and enter 5::2 for Next Hop. d. Click Apply. Figure 265 Configuring a default route (screenshot: tabs Summary, Remove; Destination IP Address, Prefix Length, Preference (Default), Next Hop, Interface; items marked with an asterisk are required; Configured Static Route Information with columns Destination IP Address, Prefix Length, Protocol, Preference, Next Hop, Interface). Verifying the configuration: 1. Display the routing table. Enter the IPv6 route page of Switch A, Switch B and Switch C to verify that the newly configured static routes are displayed as active routes on the pages. 2. Ping Host C from Switch A: <SwitchA> ping ipv6 3::2 / PING 3::2 : 56 data bytes, press CTRL_C to break / Reply from 3::2 bytes=56 Sequence=1 hop limit=254 time = 63 ms / Reply from 3::2 bytes=56 Sequence=2 hop limit=254 time = 62 ms / Reply from 3::2 bytes=56 Sequence=3 hop limit=254 time = 62 ms / Reply from 3::2 bytes=56 Sequence=4 hop limit=254 time = 63 ms / Reply from 3::2 bytes=56 Sequence=5 hop limit=254 time = 63 ms / --- 3::2 ping statistics --- / 5 packet(s) transmitted / 5 packet(s) received / 0.00% packet loss / round-trip min/avg/max = 62/62/63 ms. Configuration guidelines: When you configure a static route, follow these guidelines: • If you do not specify the preference, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. • The Web in…
296. …connections. When the limit is reached, you cannot log in to the Web interface. Web browser requirements: HP recommends that you use the following Web browsers: • Internet Explorer 6 SP2 or higher • Mozilla Firefox 3 or higher • Google Chrome 2.0.174.0 or higher. If you are using a Microsoft Internet Explorer browser, you must enable the security settings (see Enabling security settings in a Microsoft Internet Explorer browser), including Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting. If you are using a Mozilla Firefox browser, you must enable JavaScript (see Enabling JavaScript in a Firefox browser). Enabling security settings in a Microsoft Internet Explorer browser: 1. Launch Internet Explorer and select Tools > Internet Options from the main menu. 2. Select the Security tab and select the content zone where the target Website resides, as shown in Figure 1. Figure 1 Internet Explorer settings (1) (screenshot of the Internet Options dialog, Security tab: zones Internet, Local intranet, Trusted sites, Restricted sites; "This zone contains all Web sites you haven't placed in other zones"; Security level for this zone: Custom (custom settings: to change the settings, click Custom Level; to use the recommended settings, click Default Level); Custom Level and Default Level buttons). 3. Click Custom Level. 4. In the Security Settings dialog box, enable Run ActiveX c…
297. …leaf nodes. The root bridge is not permanent but can change with changes of the network topology. Upon initialization of a network, each device generates and periodically sends configuration BPDUs with itself as the root bridge. After network convergence, only the root bridge generates and periodically sends configuration BPDUs; the other devices only forward the BPDUs. Root port: On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port. Designated bridge and designated port: Classification / Designated bridge / Designated port. For a device: the device directly connected with the local device and responsible for forwarding BPDUs to the local device / the port through which the designated bridge forwards BPDUs to the local device. For a LAN: the device responsible for forwarding BPDUs to this LAN segment / the port through which the designated bridge forwards BPDUs to this LAN segment. As shown in Figure 1 3, Device A, Device B and Device C are connected to the LAN. AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Device A, Device B and Device C, respectively. • If Device A forwards BPDUs to Device B through AP1, the designated bridge for Device B is Device A, and the designated port of Device B is port AP1 on Device A. • If Device B forwards BPDUs to the LAN, the designated bridge for the LAN is Device B, and the designated port for the LAN…
298. …the command not only assigns an IPv6 address to the interface but also specifies a default route for the device. Description: Use ipsetup ipv6 auto to enable the stateless address autoconfiguration function, so that a global unicast address and a link-local address can be automatically generated. Use ipsetup ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } [ default-gateway ipv6-address ] to manually assign an IPv6 address to VLAN-interface 1. Examples: # Create VLAN-interface 1 and enable VLAN-interface 1 to automatically generate a global unicast IPv6 address and a link-local address: <Sysname> ipsetup ipv6 auto. # Create VLAN-interface 1, assign 2001::2 to the interface with the prefix length 64, and specify 2001::1 as the default gateway: <Sysname> ipsetup ipv6 address 2001::2 64 default-gateway 2001::1. password: Syntax: password. Parameters: None. Description: Use password to modify the login password of a user. Examples: # Modify the login password of user admin: <Sysname> password / Change password for user admin / Old password: / Enter new password: / Retype password: / The password has been successfully changed. ping: Syntax: ping host. Parameters: host: Destination IPv4 address (in dotted decimal notation) or host name (a string of 1 to 255 characters). Description: Use ping to ping a specified destination. To terminate a ping operation, press Ctrl+C. Example…
299. …described in Table 159. 4. Click Apply. Table 159 Configuration items: Item / Description. WRR: Enable or disable the WRR queue scheduling mechanism on selected ports. The following options are available: • Enable: Enables WRR on selected ports. • Not Set: Restores the default queuing algorithm on selected ports. Queue: Select the queue to be configured. The value range for a queue ID is 0 to 7. Group: Specify the group to which the current queue is to be assigned. This list is available after you select a queue ID. The following groups are available for selection: • SP: Assigns the queue to the SP group. • 1: Assigns the queue to WRR group 1. Weight: Set a weight for the current queue. This list is available when group 1 is selected. Please select port(s): Click to select the ports to be configured with queuing on the chassis front panel. Configuring rate limit on a port: 1. Select QoS > Line rate from the navigation tree. 2. Click the Setup tab to enter the rate limit configuration page. Figure 472 Configuring rate limit on a port (screenshot: tab Summary; Please select an interface type: GigabitEthernet; Rate Limit: Enable; Direction: Inbound; CIR (kbps, 16-1000000, must be a multiple of 16); CBS; EBS; Please select port(s): GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/3, GigabitEthernet1/0/4, GigabitEthernet1/0/5, GigabitEthernet1/0/6, GigabitEthernet1/0/7, GigabitEthernet1/0/8, GigabitEthernet1/0/…
300. …network segment are sent out of the interface. Creating an IPv6 static route: 1. Select Network > IPv6 Routing from the navigation tree. 2. Click the Create tab. The page for configuring an IPv6 static route appears. Figure 257 Creating an IPv6 static route (screenshot: tabs Summary, Create, Remove; Destination IP Address; Prefix Length (64); Preference (1-255, Default 60); items marked with an asterisk are required; Apply; Configured Static Route Information with columns Destination IP Address, Prefix Length, Protocol, Preference, Next Hop, Interface). 3. Create an IPv6 static route as described in Table 93. 4. Click Apply. Table 93 Configuration items: Item / Description. Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons. Each part is represented by a 4-digit hexadecimal integer. Prefix Length: Enter or select the prefix length of the destination IPv6 address. Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes; specifying different priorities for them enables route backup. Next Hop: Enter the next hop address, in the same format as the destination IP address. Interface: Select the output interface. Y…
301. …procedure: Step / Remarks. 1. Configuring 802.1X globally (Required): This function enables 802.1X authentication globally. It also configures the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally. 2. Configuring 802.1X on a port (Required): This function enables 802.1X authentication on the specified port and configures 802.1X parameters for the port. By default, 802.1X authentication is disabled on a port. Configuring 802.1X globally: 1. From the navigation tree, select Authentication > 802.1X. The 802.1X page appears. Figure 308 Configuring 802.1X (screenshot: 802.1X Configuration area with Enable 802.1X, Authentication Method (CHAP), and Advanced settings: Quiet (Enable the Quiet Function), Quiet Period 60 seconds (10-120, Default 60), Retry Times 2 (1-10, Default 2), TX Period 30 seconds (10-120, Default 30), Handshake Period 15 seconds (5-1024, Default 15), Re-Authentication Period 3600 seconds (60-7200, Default 3600), Supplicant Timeout Time 30 seconds (1-120, Default 30), Server Timeout Time 100 seconds (100-300, Default 100); Apply; a Ports With 802.1X Enabled list with columns Port, Port Control, Handshake, Max Number of Users, Guest VLAN, Auth-Fail VLAN and Operation, containing one entry for GigabitEthernet1/0/3 (MAC Based, Enabled, Disabled, 256, Disabled, Disabled, Auto); Add, Del Selected). 2. In the 802.1X Configuration area, select Enable 802.1X. 3. Select an authentication method from the Authentication Method…
302. (table of contents fragment) …, 189; Protocols and standards, 190; Configuration guidelines, 190; Recommended MSTP configuration procedure, 190; Configuring an MST region; Configuring MSTP globally, 192; Configuring MSTP on a port, 195; Displaying MSTP information of a port, 197; MSTP configuration example, 199; Network requirements, 199; Configuration procedure, 200; Configuring link aggregation, 205; Overview, 205; Basic concepts, 205; Link aggregation modes, 206; Configuration procedures, 208; Configuring a static aggregation group, 208; Configuring a dynamic aggregation group, 208; Creating a link aggregation group, 208; Displaying aggregate interface information, 209; Setting LACP priority, 211; Displaying LACP-enabled port …, 211; Link aggregation and LACP configuration example, 213; Configuration guidelines, 215; Configuring LLDP, 217; Overview, 217; Basic concepts, …
303. …preferentially by SP. When the SP scheduling group is empty, the other queues are scheduled by WRR. Rate limit: Rate limit is a traffic control method that uses token buckets. The rate limit of a physical interface specifies the maximum rate for forwarding packets, including critical packets. Rate limit can limit all the packets passing a physical interface. Traffic evaluation and token bucket: A token bucket can be considered as a container holding a certain number of tokens. The system puts tokens into the bucket at a set rate. When the token bucket is full, the extra tokens overflow. Figure 460 Evaluate traffic with the token bucket (diagram: tokens are put into the bucket at the set rate; packets sent through the port are checked against the bucket and, if enough tokens are available, continue to be sent). The evaluation for the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding. If the number of tokens in the bucket is enough to forward the packets (usually, one token is associated with a 1-bit forwarding authority), the traffic conforms to the specification and is called conforming traffic. Otherwise, the traffic does not conform to the specification and is called excess traffic. A token bucket has the following configurable parameters: • Mean rate: Rate at which tokens are put into the bucket, that is, the permitted average rate of traffic. It is usually set to the committed information rate (CIR). • Bur…
304. …aggregation group. In a static aggregation group, the system sets the aggregation state of each member port according to the following rules: 1. Chooses a reference port from the member ports that are in up state and have the same class-two configurations as the aggregate interface. The candidate ports are sorted in the following order: ◦ Full duplex/high speed ◦ Full duplex/low speed ◦ Half duplex/high speed ◦ Half duplex/low speed. If two ports have the same duplex mode/speed pair, the one with the lower port number is chosen. 2. Places the ports in up state with the same port attributes and class-two configurations as the reference port in the Selected state, and places all others in the Unselected state. 3. The number of Selected ports is limited in a static aggregation group. When the number of Selected ports is under the limit, all the member ports become Selected ports. When the limit is exceeded, places the ports with smaller port numbers in the Selected state and those with greater port numbers in the Unselected state. 4. Places the member ports in the Unselected state if all the member ports are down. 5. Places the ports that cannot aggregate with the reference port in the Unselected state, for example, as a result of the inter-board aggregation restriction. After a static aggregation group has reached the limit on Selected ports, any port that joins the group is placed in the Unselected state to avoid traffic interruption on…
305. …select this option, you must enter a percentage in the box below. Broadcast Suppression (continued): • pps: Sets the maximum number of broadcast packets that can be forwarded on an Ethernet port per second. When you select this option, you must enter a number in the box below. • kbps: Sets the maximum number of kilobits of broadcast traffic that can be forwarded on an Ethernet port per second. When you select this option, you must enter a number in the box below. Multicast Suppression: Set multicast suppression on the port. • ratio: Sets the maximum percentage of multicast traffic to the total bandwidth of an Ethernet port. When you select this option, you must enter a percentage in the box below. • pps: Sets the maximum number of multicast packets that can be forwarded on an Ethernet port per second. When you select this option, you must enter a number in the box below. • kbps: Sets the maximum number of kilobits of multicast traffic that can be forwarded on an Ethernet port per second. When you select this option, you must enter a number in the box below. Item / Description. Unicast Suppression: Set unicast suppression on the port. • ratio: Sets the maximum percentage of unicast traffic to the total bandwidth of an Ethernet port. When you select this option, you must enter a percentage in the box below. • pps: Sets the maximum number of unicast packets that can be forwarded on an Ethernet port per second. When you select this optio…
306. …ely. Protocols and standards: • IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery • ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices. Recommended LLDP configuration procedure: Step / Remarks. 1. Enabling LLDP on ports (Optional): By default, LLDP is enabled on ports. Make sure LLDP is also enabled globally, because LLDP can work on a port only when it is enabled both globally and on the port. 2. Setting LLDP parameters on ports (Optional): LLDP settings include the LLDP operating mode, packet encapsulation, CDP compatibility, device information polling, trapping, and advertisable TLVs. By default, the LLDP operating mode is TxRx, the encapsulation format is Ethernet II, CDP compatibility is disabled, device information polling and trapping are disabled, and all TLVs except the Location Identification TLV are advertised. 3. Configuring LLDP globally (Required): By default, global LLDP is disabled. To enable LLDP to work on a port, enable LLDP both globally and on the port. 4. Displaying LLDP information for a port (Optional): You can display the local LLDP information, neighbor information, statistics, and status information of a port, where the local LLDP information refers to the TLVs to be advertised by the local device to neighbors, and the neighbor information refers to the TLVs received from neighbors. Step / Remarks. 5. Displaying global LLDP …
307. …attempts fail, the device discards the request. Send accounting-on packets: Enable or disable the accounting-on feature. The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, making the servers forcibly log out users who logged in through the device before the reboot. IMPORTANT: When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots. Accounting-On Interval: Set the interval for sending accounting-on packets. This field is configurable only after you select the Send accounting-on packets box. Accounting-On Attempts: Set the maximum number of accounting-on packet transmission attempts. This field is configurable only after you select the Send accounting-on packets box. Attribute Interpretation: Enable or disable the device to interpret the RADIUS class attribute as CAR parameters. Adding RADIUS servers: 1. In the RADIUS Server Configuration area, click Add. Figure 353 RADIUS server configuration page (screenshot: Add RADIUS Server with Server Type (Primary Authentication), IP Address (IPv4/IPv6), Port (1-65535, Default 1812), Key (1-64 chars), Confirm Key (1-64 chars); Apply, Cancel). 2. Configure the parameters as described in Table 116. 3. Click Apply. Table 116 Configuration items: Item / Description. Server Type: Select the type of the RADIUS server to be configured…
308. enste 364 RADIUS packet format 365 Extended RADIUS attributes 367 368 Configuring a 368 Configuring common parameters 369 Adding RADIUS servers 373 RADIUS configuration example 374 Configuration guidelines 378 Configuring 380 Configuring 380 Configuring 389 Managing 384 384 384 PKI architecture 384 385 PKI applications 386 Recommended configuration procedures 386 Recommended configuration procedure for manual request 386 Recommended configuration procedure for automatic request 388 Creating a PKI entity 388 Creating a 300 Generating an RSA key 393 Destroying the RSA key
309. ent excessive traps from being sent when topology is unstable Reinit Delay Set initialization delay for LLDP enabled ports Each time the LLDP operating mode of a port changes its LLDP protocol state machine reinitializes A configurable reinitialization delay prevents frequent initializations caused by frequent changes to the operating mode If you configure the reinitialization delay a port must wait the specified amount of time to initialize LLDP after the LLDP operating mode changes Tx Delay Set LLDP frame transmission delay With LLDP enabled a port advertises LLDP frames to its neighbors both periodically and when the local configuration changes To avoid an excessive number of LLDP frames caused by frequent local configuration changes an LLDP frame transmission delay is introduced After sending an LLDP frame the port must wait for the specified interval before it can send another one LLDP frame transmission delay must be less than the TTL to make sure the LLDP neighbors can receive LLDP frames to update information about the device you are configuring before it is aged out Set the LLDP frame transmission interval If the product of the TTL multiplier and the LLDP frame transmission interval is greater than 65535 the TTL carried in transmitted LLDP frames takes 65535 seconds The likelihood exists that the LLDP frame transmission interval is greater than TTL You should avoid the situation because the LLDP neighbors will f
310. equired Apply Cancel Enable SNMP traps a Click the Trap tab The Trap tab page appears b Select Enable SNMP Trap c Click Apply 125 Figure 119 Enabling SNMP traps Setup Community Group User View Enable SNMP Trap Apply Trap Target Host Destination IP Address v Search Advanced Search Destination IP Address UDP Port IPv4 Domain Security Name Security Model Security Level Operation Add Delete Selected 5 Configure a target host of SNMP traps a Click Add on the Trap tab page The page for adding a target host of SNMP traps appears b Select the IPv4 Domain option and type 1 1 1 2 in the following field type public in the Security Name field and select v1 from the Security Model list c Click Apply Figure 120 Adding a trap target host Setup Community Group User View Add Trap Target Host Destination IP Address IPv4 Domain 1 1 1 2 1 256 Chars Security Name public 1 32 Chars UDP Port 162 0 65535 Default 162 Security Model v1 Security Level Items marked with an asterisk are required Apply Cancel Configuring the NMS The configuration on the NMS must be consistent with that on the agent Otherwise you cannot perform corresponding operations To configure the NMS 1 Configure the SNMP version for the NMS as v1 or v2c 2 Create a read only community and name it public 3 Create a read and write community and name it private 126 For information about
311. er is overloaded and a PSE power management priority policy is enabled the PSE that has a lower priority is first disconnected to guarantee the power supply to a new PSE that has a higher priority e The guaranteed remaining PoE power is the maximum PoE power minus the power allocated to the critical PSE regardless of whether PoE is enabled for the PSE If this is lower than the maximum power of the PSE you cannot set the power priority of the PSE to critical Otherwise you can set the power priority to critical and this PSE preempts the power of the PSE that has a lower priority level In this case the PSE whose power is preempted is disconnected but its configuration remains unchanged If you change the priority of the PSE from critical to a lower level other PSEs have an opportunity to be powered Power Priority By default the power priority of a PoE port is low IMPORTANT e A guard band of 20 watts is reserved for each PoE interface on the device to prevent a PD from being powered off because of a sudden increase of power If the remaining power of the PSE is lower than 20 watts the PoE interface with higher priority can preempt the power of a PoE interface with lower priority to supply power to a new PD In this way you can ensure normal operation of the PoE interface with higher priority If the power of the PoE interface with lower priority is lower than 20 watts for the PoE interface to operate correctly it supplies power a
312. er page and view the contents on the first previous next and last pages or go to any page that you want to check Figure 7 Content display by pages Port Name v Search Advanced Search Port Name LLDP Status LLDP Work Mode Operation GigabitEthernet1 0 1 Enabled TxRx GigabitEthernet1 0 2 Enabled TxRx GigabitEthernet1 0 3 Enabled TxRx GigabitEthernet1 0 4 Enabled Tx GigabitEthernet1 0 5 Enabled TxRx GigabitEthernet1 0 6 Disabled Rx GigabitEthernet1 0 7 Disabled TxRx GigabitEthernet1 0 8 Disabled TxRx GigabitEthernet1 0 9 Disabled TxRx GigabitEthernet1 0 10 Enabled Rx GigabitEthernet1 0 11 Enabled TxRx GigabitEthernet1 0 12 Enabled TxRx GigabitEthernet1 0 13 Disabled Tx GigabitEthernet1 0 14 Enabled Tx GigabitEthernet1 0 15 Disabled TxRx 28 records 15 v per page page 1 2 record 1 15 Next Last 1 GO Search function The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria e Basic search As shown in Figure 7 type the keyword in the text box above the list select a search item from the list and click Search to display the entries that match the criteria Figure 8 shows an example of searching for entries with LLDP disabled Figure 8 Basic search function example Disabled LLDP Status v Search A
313. er to the client e options Optional parameters field that is variable in length which includes the message type lease duration subnet mask domain name server IP address and WINS IP address 294 DHCP options DHCP defines the message format as an extension to BOOTP for compatibility DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients Figure 269 DHCP option format 0 7 15 Option type Option length Value variable Common DHCP options The following are common DHCP options Option 3 Router option It specifies the gateway address Option 6 DNS server option It specifies the DNS server s IP address Option 33 Static route option It specifies a list of classful static routes the destination addresses in these static routes are classful that a client should add into its routing table If both Option 33 and Option 121 exist Option 33 is ignored Option 51 IP address lease option Option 53 DHCP message type option It identifies the type of the DHCP message Option 55 Parameter request list option It is used by a DHCP client to request specified configuration parameters The option includes values that correspond to the parameters requested by the client Option 60 Vendor class identifier option It is used by a DHCP client to identify its vendor and by a DHCP server to distinguish DHCP clients by vendor
314. erational key Ethernet link aggregation 205 optimal FIB table optimal routes 278 option DHCP field 295 Option 121 DHCP 295 Option 150 DHCP 295 Option 3 DHCP Option 003 DHCP 295 Option 33 DHCP Option 033 DHCP 295 Option 51 DHCP Option 051 DHCP 295 Option 53 DHCP Option 053 DHCP 295 Option 55 DHCP Option 055 DHCP 295 Option 6 DHCP Option 006 DHCP 295 Option 60 DHCP Option 060 DHCP 295 Option 66 DHCP Option 066 DHCP 295 Option 67 DHCP Option 067 DHCP 295 Option 82 DHCP Option 082 DHCP relay agent 295 snooping support 308 organization specific LLDPDU TLV types 218 outbound NMM port mirroring 79 outbound restriction port security feature 421 P packet AAA RADIUS packet exchange process 364 AAA RADIUS packet format 365 ACL fragment filtering 452 ACL packet fragment filtering 452 gratuitous ARP packet learning 244 IP routing configuration IPv4 278 IP routing configuration IPv6 278 NMM port mirroring configuration 79 QoS policy configuration 466 QoS priority mapping 4 4 QoS traffic evaluation 473 QoS traffic mirroring configuration 481 QoS traffic redirecting configuration 481 security 802 1X EAP format 322 security 802 1X EAPOL format 323 security 802 1X format 322 security ARP packet validity check 250 STP BPDU protocol packets 177 STP TCN BPDU protocol packets 177 packet filtering ACL configuration 450 ACL configuration Ethernet fr
315. ers the packet and broadcasts an ARP request The payload of the ARP request contains the following information o Sender IP address and sender MAC address Host A s IP address and MAC address o Target IP address Host B s IP address o Target MAC address An all-zero MAC address All hosts on this subnet can receive the broadcast request but only the requested host Host B processes the request 3 Host B compares its own IP address with the target IP address in the ARP request If they are the same Host B a Adds the sender IP address and sender MAC address into its ARP table b Encapsulates its MAC address into an ARP reply c Unicasts the ARP reply to Host A 4 After receiving the ARP reply Host A a Adds the MAC address of Host B into its ARP table b Encapsulates the MAC address into the packet and sends the packet to Host B Figure 217 ARP address resolution process Host A 192 168 1 1 0002 6779 0f4c Host B 192 168 1 2 00a0 2470 febd Sender MAC address Sender IP address Target MAC address Target IP address 0002 6779 0f4c 192 168 1 1 0000 0000 0000 192 168 1 2 If Host A and Host B are on different subnets Host A sends a packet to Host B as follows 1 Host A broadcasts an ARP request to the gateway The target IP address in the ARP request is the IP address of the gateway The gateway responds with its MAC address in an ARP reply to Host A Host A uses the gateway s MAC address to encapsulate
316. ervices such as tele education telemedicine video telephone videoconference and Video on Demand VoD Enterprise users expect to connect their regional branches together with VPN technologies to carry out operational applications for instance to access the database of the company or to monitor remote devices through Telnet These new applications all have special requirements for bandwidth delay and jitter For example videoconference and VoD require high bandwidth low delay and low jitter As for mission critical applications such as transactions and Telnet they might not require high bandwidth but do require low delay and preferential service during congestion The emerging applications demand higher service performance of IP networks Better network services during packet forwarding are required such as providing dedicated bandwidth reducing packet loss ratio managing and avoiding congestion and regulating network traffic To meet these requirements networks must provide improved services 466 Congestion causes impacts and countermeasures Network congestion is a major factor contributing to service quality degradation on a traditional network Congestion is a situation where the forwarding rate decreases due to insufficient resources resulting in extra delay Causes Congestion easily occurs in complex packet switching circumstances in the Internet Figure 453 shows two common cases Figure 453 Traffic congestion cause
317. es Key 1 Key 2 Set NTP authentication key Enable the NTP authentication feature for a system running NTP in a network that requires high security This feature improves the network security by means of client server key authentication and prohibits a client from synchronizing with a device that has failed authentication You can set two authentication keys each of which has a key ID and a key string e ID ID of a key e Key string Character string of the MD5 authentication key External NTP Server Reference Source NTP Server 1 Reference Key ID NTP Server 2 Reference Key ID Specify the IP address of an NTP server and configure the authentication key ID used for the association with the NTP server The device synchronizes its time to the NTP server only if the key provided by the server is the same as the specified key You can configure two NTP servers The clients choose the optimal reference source IMPORTANT The IP address of an NTP server is a unicast address and cannot be a broadcast or a multicast address or the IP address of the local clock source System time configuration example Network requirements As shown in Figure 48 e The local clock of Device A is set as the reference clock e Switch B operates in client mode and uses Device A as the NTP server Configure NTP authentication on Device A and Switch B so that Switch B is synchronized to Device A 58 Figure 48 Network diagram
318. es Disable GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 from forwarding DHCP server responses e Configure Switch B to record clients IP to MAC address bindings in DHCP REQUEST messages and DHCP ACK messages received from a trusted port Figure 288 Network diagram Switch A DHCP server GE1 0 1 Switch B DHCP snooping GE1 0 3 DHCP client DHCP client Configuring Switch B 1 Enable DHCP snooping a From the navigation tree select Network gt DHCP b Click the DHCP Snooping tab c As shown in Figure 289 select the Enable option next to DHCP Snooping to enable DHCP snooping 311 Figure 289 Enabling DHCP snooping DHCP Relay DHCP Snooping Enable Disable Interface Config Interface Name Search Advanced Search Interface Name Interface State GigabitEthernet1 0 1 Untrust GigabitEthernet1 0 2 Untrust GigabitEthernet1 0 3 Untrust GigabitEthernet1 0 4 Untrust GigabitEthernet1 0 5 Untrust GigabitEthernet1 0 6 Untrust GigabitEthernet1 0 7 Untrust GigabitEthernet1 0 8 Untrust GigabitEthernet1 0 9 Untrust GigabitEthernet1 0 10 Untrust GigabitEthernet1 0 11 Untrust GigabitEthernet1 0 12 Untrust GigabitEthernet1 0 13 Untrust GigabitEthernet1 0 14 Untrust GigabitEthernet1 0 15 Untrust 28 records 15 v per page page 1 2 record 1 15 First Prev Next Last 1 Configure DHCP snooping functions on GigabitEthernet 1 0 1 a Click the icon of GigabitEthernet 1 0 1 on the interface list b Select the Trust
319. es of a MAC address change Gratuitous ARP packet learning This feature enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets When this feature is disabled the device uses the received gratuitous ARP packets to update existing ARP entries only Configuring ARP entries Displaying ARP entries From the navigation tree select Network gt ARP Management The default ARP Table page appears as shown in Figure 218 This page displays all ARP entries Figure 218 ARP Table configuration page Gratuitous ARP IP Address Search Advanced Search IP Address MAC Address VLAN ID Port Type Operation 192 168 1 217 6431 5045 d29e 1 GigabitEthernet1 0 15 Dynamic 192 168 1 27 001b 2188 86ff 1 GigabitEthernet1 0 24 Dynamic Add Del Selected Delete Static and Dynamic Delete Static Delete Dynamic Refresh 244 Creating a static ARP entry 1 From the navigation tree select Network gt ARP Management The default ARP Table page appears as shown in Figure 218 2 Click Add The New Static ARP Entry page appears Figure 219 Add a static ARP entry Gratuitous ARP New Static ARP Entry IP Address MAC Address Example 0010 dc28 a4e9 Advanced Options VLAN ID 1 4094 Port Items marked with an asterisk are required Apply Back 3 Configure the static ARP entry as described in Table 80 4 Click Apply Table 80 Configuration items Item
320. es user information for the server to authenticate the user It must contain the User Name attribute and can optionally contain the attributes of NAS IP Address User Password and NAS Port Access Request Access Accept From the server to the client If all attribute values carried in the Access Request are acceptable the authentication succeeds and the server sends an Access Accept response Access Reject From the server to the client If any attribute value carried in the Access Request is unacceptable the authentication fails and the server sends an Access Reject response Accounting Request From the client to the server A packet of this type carries user information for the server to start or stop accounting for the user The Acct Status Type attribute in the packet indicates whether to start or stop accounting Accounting Response From the server to the client The server sends a packet of this type to notify the client that it has received the Accounting Request and has successfully recorded the accounting information The Identifier field 1 byte long is used to match request packets and response packets and to detect duplicate request packets Request and response packets of the same type have the same identifier 365 The Length field 2 bytes long indicates the length of the entire packet including the Code Identifier Length Authenticator and Attribute fields Bytes beyond this length are considered padding a
321. 283 Configuration procedure 283 Verifying the configuration 286 IPv6 static route configuration example 287 Network requirements 287 Configuration 287 Configuration procedure 287 Verifying the configuration 290 Configuration guidelines 29 DHCP overview 297 DHCP address allocation 209 Allocation mechanisms 292 IP address allocation process 993 993 DHCP message 204 DHCP 205 Common DHCP options 995 995 Protocols and standards 296 Configuring DHC
322. ess and is often used in network environments that require both high security and remote user access For more information about AAA see Configuring AAA RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting RADIUS was originally designed for dial in user access With the addition of new access methods RADIUS has been extended to support additional access methods including Ethernet and ADSL RADIUS provides access authentication authorization and accounting services The accounting function collects and records network resource usage information Client server model RADIUS clients run on NASs located throughout the network NASs pass user information to RADIUS servers and decide whether to reject or accept user access requests depending on the responses from RADIUS servers The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access It receives connection requests authenticates users and returns access control information for example rejecting or accepting the user access request to the clients The RADIUS server typically maintains the following databases Users Clients and Dictionary See Figure 346 Figure 346 RADIUS server databases RADIUS servers e Users Stores user information such as usernames passwords applied protocols and IP addresses e Clients Stores information about RADIUS c
323. eters 299 DHCP snooping 306 308 31 DHCP snooping functions on interface 309 energy saving 109 energy saving on port 109 Ethernet link aggregation and LACP 205 213 Ethernet link aggregation group 208 Ethernet link dynamic aggregation group 208 Ethernet link static aggregation group 208 event entry 99 flow interval 92 gratuitous ARP 246 guest VLAN 802 1X 329 history entry 98 idle timeout period 50 IGMP snooping 252 260 IGMP snooping port function 258 IP routing IPv4 278 IP routing IPv6 278 IP services ARP entry 244 isolation group 440 LLDP 217 236 LLDP globally 227 local user 380 local user and user group 380 loopback detection 447 447 loopback detection global 447 loopback detection port specific 448 loopback test 89 89 MAC address table 173 174 175 MAC authentication global 406 MAC authentication port specific 408 MAC based 802 1X configuration 336 management IP address 36 maximum PoE interface power 498 MLD snooping 266 2 4 MLD snooping port function 272 MST region 191 MSTP 177 190 199 MSTP global 192 MSTP port specific 195 NMM local port mirroring 83 NMM local port mirroring group 80 NMM local port mirroring group monitor port 84 NMM local port mirroring group ports 81 NMM local port mirroring group source ports 84 NMM RMON 93 105 NMM RMON alarm function 95 NMM RMON statistics function 95 NMM SNMP 111 PoE 4
324. ever you cannot configure it as the voice VLAN For information about port link types see Managing ports 159 Recommended configuration procedure for a port in automatic voice VLAN assignment mode Step Remarks 1 Configuring voice VLAN globally Optional Configure the voice VLAN to operate in security mode and configure the aging timer 2 Configuring voice VLAN on ports Required Configure the voice VLAN assignment mode of a port as automatic and enable the voice VLAN function on the port By default the voice VLAN assignment mode of a port is automatic and the voice VLAN function is disabled on a port 3 Adding OUI addresses to the OUI list Optional The system supports up to 8 OUI addresses By default the system is configured with two OUI addresses as shown in Table 45 Recommended configuration procedure for a port in manual voice VLAN assignment mode Step Remarks 1 Configuring voice VLAN globally Optional Configure the voice VLAN to operate in security mode and configure the aging timer 2 Configuring voice VLAN on ports Required Configure the voice VLAN assignment mode of a port as manual and enable voice VLAN on the port By default the voice VLAN assignment mode of a port is automatic and voice VLAN is disabled on a port 3 Adding OUI addresses to the OUI list Optional You can configure up to 8 OUI addresses By default the system is configured with the two OUI addresses shown in Table 45 Configuri
325. ew window appears Figure 103 Creating an SNMP view 1 Please input the name of the view you want to create viewName1 1 32 Chars Apply Cancel Type the view name 5 Click Apply The page in Figure 104 appears 6 Configure the parameters as described in Table 34 7 Click Add to add the rule into the list box at the lower part of the page 115 8 Repeat steps 6 and 7 to add more rules for the SNMP view 9 Click Apply To cancel the view click Cancel Figure 104 Creating an SNMP view 2 Add View View Name view Rule Included Excluded MIB Subtree OID Subtree Mask Hex chars Items marked with an asterisk are required Add Rule MIB Subtree OID Subtree Mask Operation Apply Cancel Table 34 Configuration items Item Description View Name Set the SNMP view name Rule Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask MIB Subtree OID Set the MIB subtree OID such as 1 4 5 3 1 or name such as system MIB subtree OID identifies the position of a node in the MIB tree and it can uniquely identify a MIB subtree Subtree Mask Set the subtree mask a hexadecimal string Its length must be an even number in the range of 2 to 32 If no subtree mask is specified the default subtree mask all Fs will be used for mask OID matching Adding rules to an SNMP view 1 Select Device gt SNMP from the navigation tree 2 Click th
326. example if you set the time range to 08 08 to 10 12 the effective time range is 08 10 to 10 10 PoE Disabled Disable PoE on the port 109 Item Description Lowest Speed Set the port to transmit data at the lowest speed If you configure the lowest speed limit on a port that does not support 10 Mbps the configuration cannot take effect Shutdown Shut down the port An energy saving policy can have all the three energy saving schemes configured of which the shutdown scheme takes the highest priority 110 Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol SNMP and guides you through the configuration procedure Overview SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network regardless of their vendors physical characteristics and interconnect technologies SNMP enables network administrators to read and set the variables on managed devices for state monitoring troubleshooting statistics collection and other management purposes SNMP mechanism The SNMP framework comprises the following elements e SNMP manager Works on an NMS to monitor and manage the SNMP capable devices in the network e SNMP agent Works on a managed device to receive and handle requests from the NMS and send traps to the NMS when some events such as interface state change occur e Management Information Base MIB
327. face 301 DHCP snooping 309 IP multicast IGMP snooping globally 256 IP multicast IGMP snooping in a VLAN 257 IPv6 multicast MLD snooping globally 270 IPv6 multicast MLD snooping in a VLAN 270 LLDP on ports 223 PSE detect nonstandard PDs 499 SNMP agent 113 encapsulating LLDP frame encapsulated in Ethernet II 217 LLDP frame encapsulated in SNAP format 217 security 802 1X RADIUS EAP Message attribute 324 VLAN frame encapsulation 133 energy saving configuring energy saving 109 port based configuration 109 entering configuration wizard homepage 34 environment setting configuration environment 20 Ethernet ARP configuration 242 ARP static configuration 246 DHCP snooping configuration 311 gratuitous ARP configuration 246 link aggregation and LACP 205 LLDP frame encapsulated in Ethernet II 217 loopback detection configuration 447 447 loopback test configuration 89 89 MAC address table configuration 173 174 175 NMM port mirroring configuration 79 NMM RMON statistics group 93 port isolation configuration 440 441 port based VLAN configuration 135 security ARP attack protection configuration 250 VLAN configuration 133 145 VLAN frame encapsulation 133 VLAN type 134 Ethernet frame header ACL category 450 configuration 459 Ethernet link aggregation 513 aggregate interface 205 209 aggregation group 205 basic concepts 205 configuration 205 21
328. feature is disabled For more information about port security see Configuring port security Recommended configuration procedure Step Remarks 1 Configuring MAC authentication globally Required This function enables MAC authentication globally and configures the advanced parameters By default MAC authentication is disabled globally 2 Configuring MAC authentication on a port Required This function enables MAC authentication on a port MAC authentication can take effect on a port only when it is enabled globally and on the port You can configure MAC authentication on ports first By default MAC authentication is disabled on a port Configuring MAC authentication globally 1 From the navigation tree select Authentication gt MAC Authentication 2 In the MAC Authentication Configuration area click Advanced 406 Figure 388 MAC authentication configuration page MAC Authentication Configuration Enable MAC Authentication Advanced Offline Detection Period 300 seconds 60 2147483647 Default 300 Quiet Time 60 seconds 1 3600 Default 60 Server Timeout Time 100 seconds 100 300 Default 100 Authentication ISP Domain Authentication Information Format MAC without hyphen MAC with hyphen Fixed Username Chars 1 55 Password Chars 1 63 Ports With MAC Authentication Enabled Port Auth Fail VLAN Operation Ad
329. ffline mode this item is optional In other modes this item is required Entity Name Select the local PKI entity When submitting a certificate request to a CA an entity needs to show its identity information Available PKI entities are those that have been configured Institution Select the authority for certificate request e CA Indicates that the entity requests a certificate from a CA e RA Indicates that the entity requests a certificate from an RA RA is recommended 391 Item Description Requesting URL Enter the URL of the RA The entity will submit the certificate request to the server at this URL through the SCEP protocol The SCEP protocol is intended for communication between an entity and an authentication authority In offline mode this item is optional In other modes this item is required IMPORTANT This item does not support domain name resolution IP Address Port Version Enter the IP address port number and version of the LDAP server In a PKI system the storage of certificates and CRLs is a crucial problem which is usually addressed by deploying an LDAP server Request Mode Select the online certificate request mode which can be auto or manual Password Confirm Password Set a password for certificate revocation and re enter it for confirmation The two boxes are available only when the certificate request mode is set to Auto Fingerprint Hash Specify the fingerprint use
330. fic statistics on the interface including network collisions CRC alignment errors undersize oversize packets broadcasts multicasts bytes received and packets received Configuring a statistics entry The statistics are cleared at a reboot IMPORTANT You can create only one statistics entry on one interface Table 21 RMON history group configuration task list Task Remarks Configuring a history entry Required You can create up to 100 history entries in a history table After an entry is created the system periodically samples the number of packets received sent on the current interface It saves the statistics as an instance under the leaf node of the etherHistoryEntry table IMPORTANT When you create an entry if the value of the specified sampling interval is identical to that of the existing history entry the system considers their configurations are the same and the creation fails Configuring the RMON alarm function To send traps to the NMS when an alarm is triggered configure the SNMP agent as described in Configuring SNMP before configuring the RMON alarm function Perform the tasks in Table 22 to configure the RMON alarm function Table 22 RMON alarm configuration task list Task Configuring a statistics entry Configuring an event entry Configuring an alarm entry Displaying RMON running status Remarks Required You can create up to 100 statistics entries in a statistics table A
331. field indicates the 802.1p priority of the frame. Canonical format indicator (CFI): The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. A value of 0 indicates that MAC addresses are encapsulated in the standard format. The value of 1 indicates that MAC addresses are encapsulated in a non-standard format. The value of the field is 0 by default. VLAN ID: The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved, a VLAN ID actually ranges from 1 to 4094. A network device handles an incoming frame depending on whether the frame is VLAN tagged and the value of the VLAN tag, if any. The Ethernet II encapsulation format is used in this section. In addition to the Ethernet II encapsulation format, Ethernet also supports other encapsulation formats, including 802.2 LLC, 802.2 SNAP and 802.3 raw. The VLAN tag fields are added to frames encapsulated in these formats for VLAN identification. When a frame carrying multiple VLAN tags passes through, the device processes the frame according to its outer VLAN tag and transmits the inner tags as payload. VLAN types: You can implement VLANs based on the following criteria: Port, MAC address, Protocol, IP subnet, Policy, Other criteria. The Web interface is available only for port-based VLANs, and this chapter introduces only port-based
332. figuration 14 PVID port-based VLAN 136 Q QoS ACL configuration 450 ACL configuration Ethernet frame header 459 configuration 489 hardware congestion management SP queuing 471 471 hardware congestion management WRR queuing 472 472 Packet precedence 469 policy adding 483 policy configuration 466 policy port application 484 485 486 488 priority mapping 4 4 priority mapping table 475 queue scheduling 471 rate limit 473 token bucket 473 traffic behavior adding 480 traffic class adding 478 traffic class configuration 479 traffic classification 468 traffic evaluation 473 traffic mirroring configuration 481 traffic redirecting configuration 481 querying IGMP snooping general query 254 MLD snooping general query 268 queuing QoS hardware congestion management SP queuing 471 471 QoS hardware congestion management WRR queuing 472 472 SP and WRR 471 R RADIUS AAA application 352 527 AAA implementation 363 374 assigning MAC authentication ACL assignment 405 assigning MAC authentication VLAN assignment 405 client server model 363 common parameter configuration 369 configuration 363 374 configuration guidelines 378 extended attributes 367 MAC authentication configuration global 406 MAC authentication configuration port-specific 408 packet exchange process 364 packet format 365 protocols and standards 368 scheme configurati
333. figuration 80 local group monitor port 84 local group port 81 local group source port 84 NMM 79 logging member device from master 42 logging in CLI 24 Web interface HTTP login 6 logging out Web interface logout 7 loop 517 MSTP configuration 177 190 199 loopback detection configuration 447 447 configuration global 447 configuration port-specific 448 loopback test configuration 89 89 guidelines 89 low PoE interface power management 498 M MAC 802.1X port-based access control method 321 address See MAC address authentication See MAC authentication MAC address ARP configuration 242 ARP static configuration 246 Ethernet link aggregation MAC address learning configuration class 206 gratuitous ARP 244 gratuitous ARP configuration 246 gratuitous ARP packet learning 244 MAC authentication ACL assignment 411 MAC authentication configuration global 406 MAC authentication configuration port-specific 408 MAC local authentication configuration 408 security 802.1X authentication access device initiated 324 security 802.1X authentication client initiated 324 security ARP attack protection configuration 250 security MAC authentication configuration 404 406 408 VLAN frame encapsulation 133 MAC address table address learning 173 configuration 173 174 175 displaying 174 dynamic aging timer 175 entry creation 173 entry types 174 manual entrie
334. figuration area, click Add. b Select the server type Primary Accounting. c Enter the IP address 10.1.1.2 and enter the port number 1813. d Enter expert in the Key and Confirm Key fields. [Figure 322 Configuring the RADIUS accounting server: Add RADIUS Server form with IP Address (IPv4/IPv6), Port (1-65535, Default 1813), Key and Confirm Key fields; Apply and Cancel buttons] e Click Apply. The RADIUS Server Configuration area displays the accounting server you have configured, as shown in Figure 323. 344 [Figure 323 Configuring the RADIUS scheme: Add RADIUS Scheme page with Scheme Name (1-32 Chars); Common Configuration with Server Type Extended and Username Format Without domain name; Advanced; RADIUS Server Configuration table (Server Type, IP Address, Operation) listing Primary Authentication 10.1.1.1 and Primary Accounting 10.1.1.2; items marked with an asterisk are required; Apply and Cancel buttons] 4 Click Apply. Configuring AAA: 1 Create an ISP domain. a From the navigation tree, select Authentication > AAA. The Domain Setup page appears. b Enter test in the Domain Name list and select Enable from the Default Domain list. c Click Apply. 345 [Figure 324 Creating an ISP domain: Authentication, Authorization and Accounting tabs; ISP Domain form with Domain Name test (1-24 chars) and Default Domain; Apply button; list of configured domains with Domain Name and Default Domain columns] Configure AAA authentication method fo
335. figuration file that was used for the next startup. The restored configuration takes effect at the next device startup. 64 To restore the configuration: 1 Select Device > Configuration from the navigation tree. 2 Click the Restore tab. [Figure 54 Restoring the configuration: Backup, Restore, Save and Initialize tabs; Restore the Configuration File with the file with the extension .cfg (Browse) and the file with the extension .xml (Browse); Note: This operation replaces the configuration in the startup configuration file with the restored configuration, but the restored configuration takes effect at the next startup; items marked with an asterisk are required; Apply] 3 Click the upper Browse button. The file upload dialog box appears. 4 Select the .cfg file to be uploaded and click OK. 5 Click the lower Browse button. The file upload dialog box appears. 6 Select the .xml file to be uploaded and click OK. Saving the configuration: You save the running configuration to both the .cfg configuration file and the .xml configuration file that will be used at the next startup. Saving the configuration takes some time. Only one administrator can save the configuration at a moment. If you save the configuration while the system is saving the configuration as required by another administrator, the system prompts you to try again later. You can save the configuration in either of the following modes: • Fast mode: To save the configu
336. filtering ACL 452 frame MAC address learning 173 MAC address table configuration 173 174 175 port-based VLAN frame handling 136 VLAN frame encapsulation 133 function NMM RMON alarm function 95 NMM RMON statistics function 95 Web search 17 Web sort 19 Web-based NM functions 8 G general query IGMP snooping 254 MLD snooping 268 getting started CLI 20 gratuitous ARP configuration 246 packet learning 244 group Ethernet link aggregation group 205 Ethernet link aggregation group configuration 208 Ethernet link aggregation group creation 208 Ethernet link aggregation LACP 205 Ethernet link aggregation member port state 205 Ethernet link dynamic aggregation group configuration 208 Ethernet link static aggregation group configuration 208 514 NMM local port mirroring group monitor port 84 NMM local port mirroring group port 81 NMM local port mirroring group source port 84 NMM port mirroring group 79 NMM RMON 93 NMM RMON alarm 94 NMM RMON configuration 105 NMM RMON Ethernet statistics 93 NMM RMON event 94 NMM RMON history 94 guest VLAN 802.1X authentication 329 configuring 802.1X 335 guidelines loopback test 89 port security 423 H hardware congestion management SP queuing 471 471 WRR queuing 472 472 hello STP timer 184 history NMM RMON group 94 history entry configuration 98 HTTP Web interface login 6 ICMP ping command 317 icons on webpage 16 IGMP snoopin
337. fined by standardization or other organizations, and are optional to LLDPDUs. • Basic management TLVs: Table 71 lists the basic management TLV types. Some of them are mandatory for LLDPDUs. Table 71 Basic management TLVs: Type / Description / Remarks. Chassis ID: Specifies the bridge MAC address of the sending device. Port ID: Specifies the ID of the sending port. • If the LLDPDU carries LLDP-MED TLVs, the port ID TLV carries the MAC address of the sending port, or the bridge MAC in case the port does not have a MAC address. • Otherwise, the port ID TLV carries the port name. Time to Live: Specifies the life of the transmitted information on the receiving device. End of LLDPDU: Marks the end of the TLV sequence in the LLDPDU. (Remarks for the above: Mandatory.) Port Description: Specifies the port description of the sending port. System Name: Specifies the assigned name of the sending device. System Description: Specifies the description of the sending device. System Capabilities: Identifies the primary functions of the sending device and the enabled primary functions. Management Address: Specifies the following elements: • The management address used to reach higher-level entities to assist discovery by network management. • The interface number and OID associated with the address. (Remarks for the above: Optional.) • IEEE 802.1 organizationally specific TLVs: Table 72 IEEE 802.1 organizationally specific TLVs. Port VLAN ID: Specifies the port's VLAN identifier (PVID). An LLDPDU
338. first. If 802.1X authentication fails, MAC authentication is performed. MAC Auth Or 802.1X MAC Based: Similar to the MAC Auth Or 802.1X Single Host mode, except that it supports multiple 802.1X and MAC authentication users on the port. MAC Auth Else 802.1X Single Host: This mode is the combination of the MAC Auth and 802.1X Single Host modes, with MAC authentication having higher priority. • A port in this mode performs only MAC authentication for non-802.1X frames. • For 802.1X frames, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication. MAC Auth Else 802.1X MAC Based: Similar to the MAC Auth Else 802.1X Single Host mode, except that it supports multiple 802.1X and MAC authentication users on the port. 422 The maximum number of users a port supports equals the maximum number of secure MAC addresses that port security allows or the maximum number of concurrent users the authentication mode in use allows, whichever is smaller. An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer or organization. In MAC addresses, the first three octets are the OUI. Configuration guidelines: When you configure port security, follow these restrictions and guidelines: • Before you enable port security, disable 802.1X and MAC authentication globally. • Only one port security mode can be configured on a port. • The outbound restriction feature is not
339. formation, see Configuring SNMP. Syscontact: Set the contact information for users to get in touch with the device vendor for help. You can also set the contact information in the setup page you enter by selecting Device > SNMP. For more information, see Configuring SNMP. 35 Configuring management IP address: CAUTION: Modifying the management IP address used for the current login terminates the connection to the device. Use the new management IP address to re-log in to the system. 1 On the system parameter configuration page, click Next. [Figure 23 Management IP address configuration page (Management IP Interface configuration, Step 3 of 4): The IP address of a VLAN interface can be used as the management IP address to access the device; Select VLAN Interface 1; Admin status Up; Configure IPv4 address (DHCP / BOOTP / Manual) with IPv4 address 192.168.1.60 and Mask Len 255.255.255.0; Configure IPv6 link local address (Auto / Manual); Back, Next and Cancel buttons] 2 Configure the parameters as described in Table 4. Table 4 Configuration items: Item / Description. Select a VLAN interface. Available VLAN interfaces are those configured in the page that you enter by selecting Network > VLAN Interface and selecting the Create tab. The IP address of a VLAN interface can be used as the management IP address to access the device. Configure a VLAN interface and its IP address in the page that you enter
340. from ARP trusted ports. It checks ARP packets received from ARP untrusted ports based on the following objects: • src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded. • dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded. • ip: Checks the sender and target IP addresses of ARP replies and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. Configuring ARP detection: To check user validity, at least one of DHCP snooping entries and 802.1X security entries must be available. Otherwise, all ARP packets received from ARP untrusted ports are discarded. 1 From the navigation tree, select Network > ARP Anti-Attack. The default ARP Detection page appears. 250 [Figure 226 ARP detection configuration page: VLAN Settings (Enabled VLANs / Disabled VLANs lists showing VLANs 1, 2, 5 and 100) and Trusted Ports (Trusted Ports / Untrusted Ports lists showing GigabitEthernet1/0/1 through GigabitEthernet1/0/8 and further ports)]
341. ftware Version 5.20.99, ESS 1101 Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P. HP 1920-24G Switch uptime is 0 week 0 day 1 hour 25 minutes HP 1920-24G Switch 128M bytes DRAM 32M bytes Flash Memory Config Register points to Flash Hardware Version is VER.A Bootrom Version is 109 SubSlot 0 24GE 4SFP Hardware Version is VER.A upgrade Syntax: upgrade server-address source-filename { bootrom | runtime } Parameters: server-address: IPv4 address or host name (a string of 1 to 20 characters) of a TFTP server. source-filename: Software package name on the TFTP server. bootrom: Specifies the Boot ROM image in the software package file as the startup configuration file. runtime: Specifies the system software image file in the software package file as the startup configuration file. Description: Use upgrade server-address source-filename bootrom to upgrade the Boot ROM image. If the Boot ROM image in the downloaded software package file is not applicable, the original Boot ROM image is still used as the startup configuration file. 30 Use upgrade server-address source-filename runtime to upgrade the system software image file. If the system software image file in the downloaded software package file is not applicable, the original system software image file is still used as the startup configuration file. To validate the downloaded software package file, reboot the device. NOTE: The HP 1920 Switch Series does n
342. g aging timer for dynamic port 253 basic concepts 252 configuration 252 configuring 260 configuring port functions 258 displaying IGMP snooping multicast forwarding entries 259 enable globally 256 enable in a VLAN 257 enabling IGMP snooping globally 256 enabling IGMP snooping in a VLAN 257 general query 254 how it works 254 leave message 255 membership report 254 protocols and standards 255 related ports 252 implementing MSTP device implementation 189 NMM local port mirroring 79 inbound NMM port mirroring 79 initiating security 802.1X authentication 324 325 interface Ethernet aggregate interface 205 interface statistics displaying 132 Internet NMM SNMP configuration 111 SNMPv1 configuration 124 SNMPv2c configuration 124 SNMPv3 configuration 127 intrusion protection port security feature 421 IP addressing ACL configuration 450 ACL configuration Ethernet frame header 459 ARP configuration 242 ARP dynamic table entry 244 ARP message format 242 ARP operation 242 ARP static configuration 246 ARP static entry creation 245 ARP static table entry 244 ARP table 243 DHCP address allocation 292 293 DHCP lease extension 293 DHCP message format 294 DHCP snooping configuration 306 308 enabling DHCP snooping 309 gratuitous ARP 244 gratuitous ARP configuration 246 gratuitous ARP packet learning 244 515 IP services ARP entry configuration 244 IP services ARP entry remo
343. g the super password for non-management level users to switch to the management level. • Switching to the management level from a lower level. Adding a local user: 1 Select Device > Users from the navigation tree. 2 Click the Create tab. [Figure 72 Adding a local user: Summary, Super Password, Create, Modify, Remove and Switch To Management tabs; Create User form with Username (1-55 Chars), Access Level (Visitor), Password (1-63 Chars), Confirm Password, Password Encryption (Reversible / Irreversible), Service Type (Web, FTP, Telnet) and Apply button; Summary table with Username, Access Level and Service Type columns; Note: Username cannot contain Chinese characters or any of the following characters: < > & ...] 3 Configure a local user as described in Table 18. 4 Click Apply. Table 18 Configuration items: Item / Description. Username: Enter a username for the user. 86 Item / Description. Access Level: Select an access level for the user. Users of different levels can perform different operations. User levels, in order from low to high, are as follows: • Visitor: A visitor-level user can perform only ping and traceroute operations. They cannot access the data on the device or configure the device. • Monitor: A monitor-level user can perform ping and traceroute operations and access the data on the device, but they cannot configure the device. • Configure: A configure-level user can perform ping and tracer
344. gain. • If a sudden increase of the PD power results in PSE power overload, power supply to the PD on the PoE interface that has a lower priority is stopped to ensure power supply to the PD that has a higher priority. Configuring non-standard PD detection: There are standard PDs and nonstandard PDs. Usually, the PSE can detect only standard PDs and supply power to them. The PSE can detect nonstandard PDs and supply power to them only if you enable the PSE to detect nonstandard PDs. 1 Select PoE > PoE from the navigation tree. 2 Click the PSE Setup tab. The page displays the location of all PSEs and the status of the non-standard PD detection function. 499 [Figure 490 PSE Setup tab: Summary, Port Setup and PSE Setup tabs; table with PSE ID 1, Location slot 1 subslot 0, Non-Standard PD Compatibility Disable; Apply, Enable All and Disable All buttons] Enabling the non-standard PD detection function for a PSE: 1 Select Enable in the corresponding Non-Standard PD Compatibility column. 2 Click Apply. Disabling the non-standard PD detection function for a PSE: 1 Select Disable in the corresponding Non-Standard PD Compatibility column. 2 Click Apply. Enabling the non-standard PD detection for all PSEs: Click Enable All. Disabling the non-standard PD detection for all PSEs: Click Disable All. Displaying information about PSE and PoE ports: 1 Select PoE > PoE from the navigation tree to enter the Summary tab. The upper part of the page displays the PSE summary. 2
345. ge displays the detailed information about the member ports of the link aggregation group. [Figure 189 Displaying information of an aggregate interface: Create, Modify and Remove tabs; select a port from the table to view port details; table with Aggregation Interface Bridge-Aggregation1, Link Type Static, Partner ID, Selected Ports and Standby Ports; Member port details: Member Port GigabitEthernet1/0/1, State Unselected, Reason for being Unselected: The port's physical state (down) is improper for being attached] Table 65 Field description: Field / Description. Aggregation Interface: Type and ID of the aggregate interface. Bridge-Aggregation indicates a Layer 2 aggregate interface. Link Type: Type of the aggregate interface, static or dynamic. Partner ID: ID of the remote device, including its LACP priority and MAC address. Selected Ports: Number of Selected ports in each link aggregation group. Only Selected ports can send and receive user data. Standby Ports: Number of Unselected ports in each link aggregation group. Unselected ports cannot send or receive user data. Member Port: A member port of the link aggregation group corresponding to the target aggregate interface. State: Aggregation state of a member port, Selected or Unselected. Reason for being Unselected: Reason why the state of a member port is Unselected. For a Selected port, this field displays a hyphen. 210 Setting LACP priority: From the navigation tree, select Network >
346. gents embedded in network devices. NMSs exchange data with RMON agents by using basic SNMP operations to gather network management information. Because this method is resource intensive, most RMON agent implementations provide only four groups of MIB information: alarm, event, history and statistics. You can configure your device to collect and report traffic statistics, error statistics and performance statistics. RMON groups: Among the RFC 2819 defined RMON groups, HP implements the statistics group, history group, event group and alarm group supported by the public MIB. HP also implements a private alarm group, which enhances the standard alarm group. Ethernet statistics group: The statistics group defines that the system collects various traffic statistics on an interface (only Ethernet interfaces are supported) and saves the statistics in the Ethernet statistics table (ethernetStatsTable) for future retrieval. The interface traffic statistics include network collisions, CRC alignment errors, undersize/oversize packets, broadcasts, multicasts, bytes received and packets received. After you create a statistics entry for an interface, the statistics group starts to collect traffic statistics on the interface. The statistics in the Ethernet statistics table are cumulative sums. 93 History group: The history group defines that the system periodically collects traffic statistics on interfaces and saves the statistics in the history reco
347. group. Select port(s): You can click ports on the chassis front panel for selection. If aggregate interfaces are configured, they will be listed under the chassis panel for selection. 440 Port isolation configuration example. Network requirements: As shown in Figure 436, • Campus network users Host A, Host B and Host C are connected to GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch. • Switch is connected to the external network through GigabitEthernet 1/0/1. • GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 belong to the same VLAN. Configure Host A, Host B and Host C so that they can access the external network but are isolated from one another at Layer 2. [Figure 436 Networking diagram: Host A, Host B and Host C connected to Switch, which connects to the Internet] Configuring the switch: 1 Assign ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to the isolation group. a Select Security > Port Isolate Group from the navigation tree. b Click the Port Setup tab. c Select Isolated port for Config Type. d Select 2, 3, 4 on the chassis front panel. 2, 3, 4 represent ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 respectively. 44 [Figure 437 Assigning ports to the isolation group: Summary and Port Setup tabs; Config type; Select port(s) on the chassis front panel; Select All and Select None buttons] Isolated por
348. gs Apply Cancel] 4 Set the LLDP settings for these ports as described in Table 75. 5 Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Configuring LLDP globally: 1 From the navigation tree, select Network > LLDP. 2 Click the Global Setup tab. 227 [Figure 201 The Global Setup tab: Port Setup, Global Summary, Neighbor Summary and Global Setup tabs; LLDP Enable; CDP Compatibility; Fast LLDPDU Count (Default 3); TTL Multiplier (Default 4); Trap Interval (seconds, 5-3600, Default 5); Reinit Delay (seconds, Default 2); Tx Delay (seconds, Default 2); Tx Interval (seconds, 5-32768, Default 30); Apply] 3 Set the global LLDP setup as described in Table 76. 4 Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 76 Configuration items: Item / Description. LLDP Enable: Select from the list to enable or disable global LLDP. CDP Compatibility: Select from the list to enable or disable CDP compatibility of LLDP. When you configure CDP compatibility, follow these guidelines: • To enable LLDP to be compatible with CDP on a port, you must set the CDP operating mode on the port to TxRx and enable CDP compatibility on the Global Setup tab. • Because the maximum TTL allowed by CDP is 255 seconds, you must
349. guration 297 298 303 DHCP snooping configuration 311 LLDP configuration 236 NMM port mirroring configuration 79 traceroute 317 traceroute node failure identification 319 learning MAC address 173 MST learning port state 188 lease DHCP IP address lease extension 293 leave message IP multicast IGMP snooping 255 link aggregation 205 link layer discovery protocol See LLDP MSTP configuration 177 190 199 LLDP basic concepts 217 configuration 217 236 configuration guideline 241 displaying for a port 229 displaying global 234 displaying neighbor information 236 enable globally 227 enable on ports 223 how it works 221 LLDP frame format 217 LLDP frame reception 222 LLDP frame transmission 221 LLDPDU management address TLV 221 LLDPDU TLV types 218 LLDPDU TLVs 218 operating mode disable 221 operating mode Rx 221 operating mode Tx 221 operating mode TxRx 221 parameter setting for a single port 224 parameter setting for ports in batch 227 protocols and standards 222 LLDP frame encapsulated in Ethernet II format 217 encapsulated in SNAP format 217 LLDP configuration 217 236 receiving 222 transmitting 221 LLDPDU management address TLV 22 TLV basic management types 218 TLV LLDP-MED types 218 TLV organization specific types 218 local security MAC authentication 404 security MAC local authentication configuration 408 local port mirroring adding local group 83 con
350. gure 174 provides an example showing how the STP algorithm works. 180 [Figure 174 STP network: Device A (with priority 0), Device B (with priority 1), Device C (with priority 2)] As shown in Figure 174, the priority values of Device A, Device B and Device C are 0, 1 and 2, and the path costs of links among the three devices are 5, 10 and 4, respectively. 1 Device state initialization: In Table 55, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID and designated port ID. Table 55 Initial state of each device: Device / Port name / BPDU of port. Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}. Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}. Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}. 2 Configuration BPDUs comparison on each device: In Table 56, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID and designated port ID. 181 Table 56 Comparison process and result on each device: Device / Comparison process / Configuration BPDU on ports after comparison. Device A: Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and it discards the received configuration BPDU. Port AP2 receives the configuration BPDU of Device C {2, 0, 2, CP1}
351. guring basic ACLs 455 462 configuring client's IP-to-MAC bindings 302 configuring device idle timeout period 50 configuring device system name 50 configuring DHCP relay agent 298 303 configuring DHCP relay agent advanced parameters 299 configuring DHCP snooping 308 311 configuring DHCP snooping functions on interface 309 configuring energy saving on port 109 configuring Ethernet link aggregation and LACP 213 configuring Ethernet link aggregation group 208 configuring Ethernet link dynamic aggregation group 208 configuring Ethernet link static aggregation group 208 configuring event entry 99 configuring gratuitous ARP 246 configuring history entry 98 configuring IGMP snooping 260 configuring IGMP snooping port function 258 configuring IP services ARP entry 244 configuring IPv4 ACL 452 configuring IPv6 ACL 453 configuring isolation group 440 configuring LLDP 236 configuring local user 380 configuring local user and user group 380 configuring loopback detection global 447 configuring loopback detection port-specific 448 configuring MAC address table 175 525 configuring MAC authentication global 406 configuring MAC authentication port-specific 408 configuring MAC-based 802.1X 336 configuring management IP address 36 configuring maximum PoE interface power 498 configuring MLD snooping 274 configuring MLD snooping port function 272 configuring MST region 19
352. he Advance Setup tab. The rule configuration page for an advanced IPv4 ACL appears. 456 [Figure 448 Configuring an advanced IPv4 ACL: Summary, Add, Basic Setup, Advanced Setup, Link Layer Setup and Remove tabs; Select an ACL; Configure an Advanced ACL form with Rule ID (if no ID is entered, the system will specify one), Non-first Fragments Only, Logging; IP Address Filter with Source IP Address / Source Wildcard and Destination IP Address / Destination Wildcard; Protocol (IP), ICMP Type / ICMP Message / ICMP Code, TCP Connection Established, Source Port / Destination Port (Range of Port is 0-65535); Precedence Filter with DSCP (Not Check), TOS (Not Check) and Precedence (Not Check); Time Range; rule list with Rule ID, Operation, Description and Time Range columns] 3 Configure a rule for an advanced IPv4 ACL as described in Table 140. 4 Click Add. Table 140 Configuration items: Item / Description. ACL: Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs. 457 Item / Description. Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule. Action: Select the action to be performed for packets matching the rule. • Permit: Allows matched packets
353. he LSAP Type box and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items: • LSAP Type: Frame encapsulation format. • LSAP Mask: LSAP mask. Select the Protocol Type box and specify the link layer protocol type by configuring the following items: • Protocol Type: Frame type. It corresponds to the type code field of Ethernet_II and Ethernet_SNAP frames. • Protocol Mask: Protocol mask. Time Range: Select the time range during which the rule takes effect. Adding an IPv6 ACL: 1 Select QoS > ACL IPv6 from the navigation tree. 2 Click the Add tab. The IPv6 ACL configuration page appears. [Figure 450 Adding an IPv6 ACL: Summary, Add, Basic Setup, Advanced Setup and Remove tabs; ACL Number (2000-2999 for Basic ACL, 3000-3999 for Advanced ACL), Match Order, Description (Characters); Apply and Cancel buttons; ACL list with ACL Number, Type, Number of Rules, Match Order and Description columns] 3 Add an IPv6 ACL. 4 Click Apply. 461 Table 142 Configuration items: Item / Description. ACL Number: Enter a number for the IPv6 ACL. Match Order: Select a match order for the ACL. Available values are: • Packets are compared against ACL rules in the order the rules are ... • Auto: Packets are compared against ACL rules in the depth-first match order. Description: Set the description for the ACL. Configuring a rule for a basic IPv6 ACL: 1 Select QoS > ACL IPv6 from the navigation tree. 2 Click the Basic Setup tab
354. he file domain-name_ca.cer for the CA certificate or domain-name_local.cer for the local certificate under the root directory of the device. Get File From PC: • If the certificate file is saved on a local PC, select Get File From PC, and then specify the path and name of the file and specify the partition that saves the file. Password: Enter the password for protecting the private key, which was specified when the certificate was exported. After retrieving a certificate, you can click View Cert corresponding to the certificate from the PKI certificates list to display the contents of the certificate. 395 [Figure 376 Certificate information: Entity, Domain and View Certificate tabs; Certificate Details showing Data: Version 3 (0x2), Serial Number, Signature Algorithm sha1WithRSAEncryption, Issuer CN=CA server, Validity (Not Before / Not After), Subject, Subject Public Key Info with Public Key Algorithm rsaEncryption, RSA Public Key (1024 bit) Modulus and Exponent 65537 (0x10001)]
355. …he network administrator assigns an IP address to a client (for example, a WWW server), and DHCP conveys the assigned address to the client.
• Automatic allocation: DHCP assigns a permanent IP address to a client.
• Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.
IP address allocation process
Figure 267 Dynamic IP address allocation process (exchange between DHCP client and DHCP server: 1 DHCP-DISCOVER, 2 DHCP-OFFER, 3 DHCP-REQUEST, 4 DHCP-ACK)
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For more information about the DHCP message format, see "DHCP message format."
3. If several DHCP servers send offers to the client, the client accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to request the IP address formally. IP addresses offered by other DHCP servers can be assigned to other clients.
4. All DHCP servers receive the DHCP-REQUEST message, but only the server from which the client accepts the offered IP address returns a DHCP-ACK message to the client, confirming that the IP address has been allocated to the client, or a DHCP-NAK unicast message, denyi
356. …he target host as described in Table 38. Click Apply.
Table 38 Configuration items
Destination IP Address: Set the destination IP address. Select the IP address type (IPv4 or IPv6), and then type the corresponding IP address in the field according to the IP address type.
Security Name: Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.
UDP Port: Set the UDP port number. IMPORTANT: The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Generally (such as when using IMC or MIB Browser as the NMS), you can use the default port number. To change this parameter to another value, you need to make sure the configuration is the same as that on the NMS.
Security Model: Select the security model, for which you must set the SNMP version. For the NMS to receive notifications, make sure the SNMP version is the same as that on the NMS.
Security Level: Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are no authentication no privacy, authentication but no privacy, and authentication and privacy. When the security model is selected as v1 or v2c, the security level is no authentication no privacy and cannot be modified.
Displaying SNMP packet statistics
Select Device > SNMP from the navigation tree. The page for
357. …he transmission speed of the port:
• 10: 10 Mbps
• 100: 100 Mbps
• 1000: 1000 Mbps
• Auto: Autonegotiation
• Auto 10: Autonegotiated to 10 Mbps
• Auto 100: Autonegotiated to 100 Mbps
• Auto 1000: Autonegotiated to 1000 Mbps
• Auto 10 100: Autonegotiated to 10 or 100 Mbps
• Auto 10 1000: Autonegotiated to 10 or 1000 Mbps
• Auto 100 1000: Autonegotiated to 100 or 1000 Mbps
• Auto 10 100 1000: Autonegotiated to 10, 100, or 1000 Mbps
Duplex: Set the duplex mode of the port: Auto (autonegotiation), Full (full duplex), or Half (half duplex).
Link Type: Set the link type of the current port, which can be access, hybrid, or trunk. For more information, see "Configuring VLANs." To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access.
PVID: Set the port VLAN ID (PVID) of the interface. For more information about setting the PVID, see "Configuring VLANs." To make sure a link correctly transmits packets, the trunk or hybrid ports at the two ends of the link must have the same PVID.
Description: Set the description of the port.
MDI: Set the MDI mode of the port. You can use two types of Ethernet cables to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port can operate in one of the following three MDI modes: across, normal, and auto. An Ethernet port is composed of eight pins. By def
358. …he unit for data packets sent to the RADIUS server, which can be:
• One packet
• Kilo-packet
• Mega-packet
• Giga-packet
Security Policy Server: Specify the IP address of the security policy server.
RADIUS Packet Source IP: Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server. HP recommends you to use a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
Buffer stop-accounting packets: Enable or disable buffering of stop-accounting requests for which no responses are received.
Stop-Accounting Attempts: Set the maximum number of stop-accounting attempts. The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is three seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20. For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive att
359. …hentication:
• If you configure MAC-based accounts, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match.
• If you configure a shared account, the access device uses the shared account username and password to search its local account database for a match.
RADIUS authentication:
• If you configure MAC-based accounts, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.
• If you configure a shared account, the access device sends the shared account username and password to the RADIUS server for authentication.
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer: Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
• Quiet timer: Sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
• Server timeout timer: Sets the interval that the device waits for a response from a RADIUS server before it regards the RADIUS server unavailab
360. …her the client is still online. By default, if two consecutive handshake attempts fail, the device logs off the client. Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a certain number of consecutive handshake attempts (two by default), the network access device logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X users that have abnormally gone offline.
The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff. In response to the EAPOL-Logoff packet, the network access device changes the status of the controlled port from authorized to unauthorized, and sends an EAP-Failure packet to the client.
EAP termination
Figure 307 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.
Figure 307 802.1X authentication procedure in EAP termination mode (message flow between the client, the device, and the authentication server (RADIUS): 1 EAPOL-Start; 2 EAP-Request/Identity; 3 EAP-Response/Identity; 4 EAP-Request/MD5 challenge; 5 EAP-Response/MD5 challenge; 6 RADIUS Access-Request (CHAP-Response/MD5 challenge); 7 RADIUS Access-Accept (CHAP-Success); 8 EAP-Success; 9 EAP-Request/Identity; 10 EAP-Response/Identity; 11 EAPOL-Logoff; 14 EAP-Failure)
361. …he same name: Specify whether to overwrite the file with the same name without any prompt if a file with the same name already exists. If you do not select the option, when a file with the same name exists, a dialog box appears telling you that the file already exists and you cannot continue the upgrade.
Reboot after the upgrade is finished: Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.
Device reboot
CAUTION:
• Before rebooting the device, save the configuration. Otherwise, all unsaved configuration will be lost after device reboot.
• When the device reboots, re-log in to the device.
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Reboot tab.
Figure 41 Device reboot page (tabs: Software Upgrade, Electronic Label, Diagnostic Information, Device Reboot; text: "Any configuration changes that have not been saved are lost when the system reboots"; option "Check whether the current configuration is saved in the next startup configuration file"; Reboot and Cancel buttons)
3. Enable or disable the "Check whether the current configuration is saved in the next startup configuration file" option.
4. Click Reboot. A confirmation dialog box appears.
5. Click OK.
• If you select "Check whether the current configuration is saved in the next startup configuration file," the system will check the configuration before rebooting the device. If the check succeeds, the system reboots the device.
362. Configuring DHCP snooping functions on an interface
1. From the navigation tree, select Network > DHCP.
2. Click the DHCP Snooping tab to enter the page shown in Figure 285.
3. Click the icon of a specific interface in the Interface Config area to enter the page shown in Figure 286.
Figure 286 DHCP snooping interface configuration page (Interface Name GigabitEthernet1/0/4; Interface State: Trust or Untrust; Option 82 Support: Enable or Disable; Option 82 Strategy: Replace, default Replace; Apply and Cancel buttons)
4. Configure DHCP snooping on the interface as described in Table 100.
5. Click Apply.
Table 100 Configuration items
Interface Name: This field displays the name of a specific interface.
Interface State: Configure the interface as trusted or untrusted.
Option 82 Support: Configure DHCP snooping to support Option 82 or not.
Option 82 Strategy: Select the handling strategy for DHCP requests containing Option 82. The strategies include:
• Drop: The message is discarded if it contains Option 82.
• Keep: The message is forwarded without its Option 82 being changed.
• Replace: The message is forwarded after its original Option 82 is replaced with the Option 82 padded in normal format.
Displaying clients' IP-to-MAC bindings
1. From the navigation tree, select Network > DHCP.
2. Click the DHCP Snooping tab to enter the page shown in Figure 285.
3. Click User Information to en
363. …ic ARP entry, 245
Configuring gratuitous ARP, 246
Static ARP configuration example, 246
Configuring ARP attack protection, 250
User validity check, 250
ARP packet validity check, 250
Configuring IGMP snooping, 252
Overview, 252
Basic IGMP snooping concepts, 252
How IGMP snooping works, 254
Protocols and standards, 255
Recommended configuration procedure, 255
Enabling IGMP snooping globally, 256
Configuring IGMP snooping in a VLAN, 257
Configuring IGMP snooping port functions, 258
Displaying IGMP snooping multicast forwarding entries, 259
IGMP snooping configuration example, 260
Network requirements, 260
Configuration procedure, 261
Verifying the configuration, 264
Configuring MLD snooping, 266
Overview, 266
Basic MLD snooping concepts
364. …ication, 325
authentication, access device initiated, 324
authentication, client initiated, 324
authentication configuration, 336
authentication initiation, 324
Auth-Fail VLAN, 330
configuration, 321, 332
configuration, global, 332
configuration, port-specific, 333
configuring Auth-Fail VLAN, 336
configuring guest VLAN, 335
configuring MAC-based 802.1X, 336
configuring with ACL assignment, 343
controlled/uncontrolled port, 322
EAP over RADIUS, 323
EAP packet format, 322
EAP relay authentication, 326
EAP relay/termination, 327
EAP relay/termination authentication mode, 325
EAP-Message attribute, 324
EAPOL packet format, 323
guest VLAN, 329
packet format, 322
port authorization status, 322
port security advanced control configuration, 428
port security advanced mode configuration, 433
port security basic control configuration, 425
port security basic mode configuration, 430
port security configuration, 421, 423, 430
port security configuration, global, 424
port security modes, 421
port security permitted OUIs configuration, 429
RADIUS Message-Authentication attribute, 324
timers, 328
using authentication with other features, 329
VLAN assignment, 329
802.x
802.1 LLDPDU TLV types, 218
802.3 LLDPDU TLV types, 218
QoS packet 802.1p priority, 470
A
AAA configuration, 352, 359
ISP domain accounting methods configuration, 357
ISP domain authentication methods configuration, 355
ISP domain authorizat
365. …ice
• Voice signaling
• Guest voice signaling
• Soft phone voice
• Videoconferencing
• Streaming video
• Video signaling
(Field: Media policy type)
PoE PSE power source: PSE power source type, which can be Primary or Backup.
Port PSE priority: PoE power supply priority of PSE ports:
• Unknown: Unknown PSE priority
• Critical: Priority level 1
• High: Priority level 2
• Low: Priority level 3
Click the Neighbor Information tab to display the LLDP neighbor information. Table 78 describes the fields.
Figure 203 The neighbor information tab (tabs: Local Information, Neighbor Information, Statistic Information, Status Information; LLDP neighbor information of port 4 [GigabitEthernet1/0/4]: Neighbor index 1; Update time 0 days, 0 hours, 0 minutes, 19 seconds; Chassis type MAC address; Chassis ID 0020-1316-5c00; Port ID type Interface name; Port ID Ethernet1/0/1; Port description Ethernet1/0/1 Interface; System name S2126; System description H3C Switch S2126 Software Version 5.20.99 Release 1103, Copyright (c) 2004-2014 Hangzhou H3C Tech. Co., Ltd. All rights reserved)
Table 78 Field description
Chassis type: Chassis ID type:
• Chassis component
• Interface alias
• Port component
• MAC address
• Network address
• Interface name
• Locally assigned: Locally defined chassis type other than those listed above
Chassis ID: Depending on the chassis type, which can be a MAC
366. …ice maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
MAC-based:
• If the port is an access, trunk, or MAC-based-VLAN-disabled hybrid port, the device assigns the first authenticated user's VLAN to the port as the PVID. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication. To avoid the authentication failure of subsequent users, be sure to assign the same VLAN to all 802.1X users on these ports.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.
Guest VLAN
You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. Once a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources. The way that the network access devi
367. …ick the Authentication tab.
b. Select the ISP domain test.
c. Select Default AuthN, select the authentication method RADIUS, and select the authentication scheme system from the Name list.
Figure 401 Configuring the authentication method for the ISP domain (Authentication tab of the AAA configuration page: ISP domain test; Default AuthN RADIUS with Name system; LAN-access AuthN, Login AuthN, PPP AuthN, and Portal AuthN rows, each with Name and Secondary Method fields)
d. Click Apply. A configuration progress dialog box appears, as shown in Figure 402.
Figure 402 Configuration progress dialog box (Current Configuration: setting Default AuthN, OK)
e. After the configuration process is complete, click Close.
Configure AAA authorization method for the ISP domain:
a. Click the Authorization tab.
b. Select the ISP domain test.
c. Select Default AuthZ, select the authorization mode RADIUS, and select the authorization scheme system from the Name list.
d. Click Apply.
Figure 403 Configuring the authorization method for the ISP domain (Authorization tab of the AAA configuration page: ISP domain test; Default AuthZ RADIUS with Name system; LAN-access AuthZ, Login Au
368. …igabitEthernet1/0/3 (page residue: Secure MAC Address List with Add and Del Selected buttons)
Click Add. The page for applying port security control appears.
Figure 412 Configuring basic port security control (Apply Port Security Control: Port GigabitEthernet1/0/2; Max Number of MAC 5 (1-1024, default 5); Enable Intrusion Protection: Disable Port Temporarily; Enable Outbound Restriction: Only MAC Known Unicasts; items marked with an asterisk are required; Apply and Cancel buttons)
3. Configure basic port security control settings as described in Table 129.
4. Click Apply.
Table 129 Configuration items
Port: Selects a port where you want to configure port security. By default, port security is disabled on all ports and access to the ports is not restricted.
Max Number of MAC: Sets the maximum number of secure MAC addresses on the port. The number of authenticated users on the port cannot exceed the specified upper limit. You can set the maximum number of MAC addresses that port security allows on a port for the following purposes:
• Control the maximum number of concurrent users on the port.
• Control the number of secure MAC addresses that can be added with port security.
NOTE: The port security's limit on the maximum number of MAC addresses on a port is independent of the MAC learning limit in MAC address table management.
Enable Intrusion Protection: Specifies whether to enable intrusion protection and selects an action to be taken on
369. …iguration (MAC authentication configuration page: Enable MAC Authentication; Advanced: Offline Detection Period 300 seconds (60-2147483647, default 300), Quiet Time 60 seconds (1-3600, default 60), Server Timeout Time 100 seconds (100-300, default 100); Authentication ISP Domain test; Authentication Information Format: MAC without hyphen, MAC with hyphen, or Fixed Username (Chars 1-55) with Password (Chars 1-63); Ports With MAC Authentication Enabled list with Port, Auth-Fail VLAN, and Operation columns; Add and Del Selected buttons)
2. Configure MAC authentication for GigabitEthernet 1/0/1:
a. In the Ports With MAC Authentication Enabled area, click Add.
b. Select the port GigabitEthernet1/0/1 and click Apply.
Figure 408 Enabling MAC authentication for port GigabitEthernet 1/0/1 (Enable MAC Authentication: Port GigabitEthernet1/0/1; Enable MAC VLAN option, which only hybrid ports support; items marked with an asterisk are required; Apply and Cancel buttons)
Verifying the configuration
After the host passes authentication, ping the FTP server from the host to see whether ACL 3000 assigned by the authentication server takes effect.
C:\> ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Configuring port security
Overview
Port security combines
370. …iguration guidelines
When you configure an ACL, follow these guidelines:
• You cannot add a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you can choose to change just some of the settings, in which case the other settings remain the same.
Recommended ACL configuration procedures
Recommended IPv4 ACL configuration procedure
1. Configuring a time range: Optional. Add a time range. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv4 ACL: Required. Add an IPv4 ACL. The category of the added ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv4 ACL
4. Configuring a rule for an advanced IPv4 ACL
5. Configuring a rule for an Ethernet frame header ACL
Steps 3 to 5: Required. Complete one of the following tasks according to the ACL category.
Recommended IPv6 ACL configuration procedure
1. Configuring a time range: Optional. Add a time range. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv6 ACL: Required. Add an IPv6 ACL. The category of the added IPv6 ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv6 ACL: Required.
4. Configuring a rule f
371. …il VLAN, 336
configuring 802.1X guest VLAN, 335
configuring IGMP snooping, 260
configuring MLD snooping, 274
creation, 139
DHCP relay agent configuration, 297, 298, 303
DHCP snooping configuration, 311
displaying IGMP snooping multicast forwarding entries, 259
displaying MLD snooping multicast forwarding entries, 273
enabling IGMP snooping in a VLAN, 257
enabling MLD snooping in a VLAN, 270
Ethernet link aggregation class-two configuration class, 206
frame encapsulation, 133
guest (802.1X), 329
IGMP snooping configuration, 252
IGMP snooping port function configuration, 258
IP subnet type VLAN, 134
MAC address type VLAN, 134
MAC authentication Auth-Fail VLAN, 405
MLD snooping configuration, 266
MLD snooping port function configuration, 272
modification, 143
MSTP VLAN-to-instance mapping table, 187
NMM local port mirroring group monitor port, 84
NMM local port mirroring group port, 81
NMM local port mirroring group source port, 84
NMM port mirroring configuration, 79
policy type VLAN, 134
port isolation configuration, 440, 441
port link type, 135
port type, 134
port type VLAN, 134
port-based configuration, 135
port-based VLAN frame handling, 136
protocol type VLAN, 134
PVID, 136
secure MAC address configuration, 427
selection, 142
VLAN interface: configuration, 150; configuration guidelines, 155; creation, 150; modification, 152
Web, 533
buttons on webpage, 16
common page features, 1
372. …illegal frames. Available actions:
• Disable Port Temporarily: Disables the port for a period of time. The period can be configured in the global settings. For more information, see "Configuring global settings for port security."
• Disable Port Permanently: Disables the port permanently upon detecting an illegal frame received on the port. The port does not come up unless you bring it up manually.
• Block MAC: Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards the frames. All subsequent frames sourced from a blocked MAC address will be dropped. A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is not user configurable.
(Item: Enable Intrusion Protection)
Enable Outbound Restriction: Specifies whether to enable outbound traffic control and selects a control method. Available control methods:
• Only MAC Known Unicasts: Allows only unicast frames with their destination MAC addresses being authenticated to pass through.
• Only Broadcasts and MAC Known Unicasts: Allows only broadcast and unicast packets with their destination MAC addresses being authenticated to pass through.
• Only Broadcasts, Multicasts and MAC Known Unicasts: Allows only broadcast, multicast, and known unicast packets with their destination MAC addresses being authenticated to pass through.
Configuring secure MAC addresses
1. From th
373. …in Figure 241, when MLD snooping is not enabled, the Layer 2 switch floods IPv6 multicast packets to all hosts. When MLD snooping is enabled, the Layer 2 switch forwards multicast packets of known IPv6 multicast groups to only the receivers of the multicast groups.
Figure 241 IPv6 multicast forwarding before and after MLD snooping is enabled (left: IPv6 multicast packet transmission without MLD snooping; right: IPv6 multicast packet transmission when MLD snooping runs; each side shows a multicast router, a source, a Layer 2 switch, Host B, and receivers, with arrows marking IPv6 multicast packets)
Basic MLD snooping concepts
This section lists the basic MLD snooping concepts.
MLD snooping related ports
As shown in Figure 242, MLD snooping runs on Switch A and Switch B. Host A and Host C are receivers in an IPv6 multicast group.
Figure 242 MLD snooping related ports (Router A; Switch A with ports GE1/0/1, GE1/0/2, and GE1/0/3; Switch B with ports GE1/0/1 and GE1/0/2; Source; Host B; Host D as receiver; legend: router port, member port, IPv6 multicast packets)
The following describes the ports involved in MLD snooping:
• Router port: Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and MLD queriers. As shown in Figure 24
374. …inate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
Introduction to STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a LAN. Networks often have redundant links as backups in case of failures, but loops are a very serious problem. Devices running STP detect loops in the network by exchanging information with one another, and eliminate loops by selectively blocking certain ports to prune the loop structure into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would occur in a loop network.
In the narrow sense, STP refers to IEEE 802.1d STP. In the broad sense, STP refers to the IEEE 802.1d STP and various enhanced spanning tree protocols derived from that protocol.
STP protocol packets
STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol packets. This chapter uses BPDUs to represent all types of spanning tree protocol packets.
STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient information for the network devices to complete spanning tree calculation.
STP uses the following types of BPDUs:
• Configuration BPDUs: Used for calculating a spanning tree and maintaini
375. …ing and Weighted Round Robin (WRR) queuing are introduced.
SP queuing
SP queuing is designed for mission-critical applications, which require preferential service to reduce response delay when congestion occurs.
Figure 458 SP queuing (packets to be sent through the port go through packet classification into Queue 7 (high priority) down to Queue 0 (low priority); queue scheduling then sends packets out of the interface)
A typical switch provides eight queues per port. As shown in Figure 458, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first. When the queue with the highest priority is empty, it sends packets in the queue with the second highest priority, and so on. You can assign mission-critical packets to the high-priority queue to make sure they are always served first, and common service packets (such as Email) to the low-priority queues, to be transmitted when the high-priority queues are empty.
The disadvantage of SP queuing is that packets in the lower-priority queues cannot be transmitted if the higher-priority queues have packets. This might cause lower-priority traffic to starve to death.
WRR queuing
WRR queuing schedules all the queues in turn to make sure every queue can be served for a certain time
376. Red: …ing options:
• Discard: Drops the exceeding packet.
• Pass: Permits the exceeding packet to pass through.
Pass: This function is not supported in the current software version, and it is reserved for future support.
Filter: Configure the packet filtering action. After selecting the Filter box, select one item in the following list:
• Permit: Forwards the packet.
• Deny: Drops the packet.
• Not Set: Cancels the packet filtering action.
Adding a policy
1. Select QoS > QoS Policy from the navigation tree.
2. Click the Add tab to enter the page for adding a policy.
Figure 468 Adding a policy (tabs: Summary, Add, Setup, Remove; Policy Name field; Add button)
3. Add a policy as described in Table 156.
4. Click Add.
Table 156 Configuration items
Policy Name: Specify a name for the policy to be added. Some devices have their own system-defined policies. The policy name you specify cannot overlap with system-defined ones. The system-defined policy is the policy default.
Configuring classifier-behavior associations for the policy
1. Select QoS > QoS Policy from the navigation tree.
2. Click Setup to enter the page for setting a policy.
Figure 469 Setting a policy (tabs: Summary, Add, Setup, Remove; "Please select a policy" list; Classifier Name and Behavior Name fields)
3. Configure a classifier-behavior association for a policy as described in Table 157.
4. Click Apply.
Table 157 Config
377. …ings, MAC learning limit, and storm suppression ratios.
• For an aggregate interface, these operation parameters include its state, link type, PVID, description, and MAC learning limit.
Setting operation parameters for a port
1. Select Device > Port Management from the navigation tree.
2. Click the Setup tab.
Figure 58 The Setup tab (tabs: Summary, Detail, Setup; Basic Configuration: Port State, Speed, Duplex, Link Type, PVID (1-4094), Description (Chars 1-80); Advanced Configuration: MDI, Flow Control, Power Save, Max MAC Count (0-8192), EEE, and Storm Suppression with Broadcast, Multicast, and Unicast Suppression (pps range 1-148810 for a 100 Mbps port, 1-260000 for a GE port, and 1-260000 for a 10GE port; kbps range 1-100000 for a 100 Mbps port, 1-180000 for a GE port, and 1-180000 for a 10GE port); Select All and Select None; Unit and Selected Ports; note that it may take some time if you apply the above settings to multiple ports; Apply and Cancel buttons)
3. Set the operation parameters for the port as described in Table 15.
4. Click Apply.
Table 15 Configuration items
Port State: Enable or disable the port. Sometimes, after you modify the operation parameters of a port, you must disable and then enable the port to have the modifications take effect.
Speed: Set t
378. …ining match criteria for classifying traffic, you can use IP precedence bits in the type of service (ToS) field of the IP packet header, or other header information such as IP addresses, MAC addresses, IP protocol field, and port numbers. You can define a class for packets with the same quintuple (source address, source port number, protocol number, destination address, and destination port number), for example, or for all packets to a certain network segment.
When packets are classified on the network boundary, the precedence bits in the ToS field of the IP packet header are generally re-set. In this way, IP precedence can be directly used to classify the packets in the network. IP precedence can also be used in queuing to prioritize traffic. The downstream network can either use the classification results from its upstream network, or classify the packets again according to its own criteria.
To provide differentiated services, traffic classes must be associated with certain traffic control actions or resource allocation actions. What traffic control actions to use depends on the current phase and the resources of the network. For example, CAR polices packets when they enter the network; GTS is performed on packets when they flow out of the node; queue scheduling is performed when congestion happens; congestion avoidance measures are taken when the congestion deteriorates.
Packet precedences
IP precedence and DSCP values
Figure 455 ToS field and D
379. ink-local address for the VLAN interface (Address box). Address: This field is available after you select the Manual option. The prefix of the IPv6 link-local address you enter must be FE80::/64. Modifying a VLAN interface: By modifying a VLAN interface, you can assign an IPv4 address, an IPv6 link-local address, and an IPv6 site-local address or global unicast address to the VLAN interface, and shut down or bring up the VLAN interface. After you modify the IPv4 address and status, or the IPv6 address and status, or add an IPv6 unicast address for a selected VLAN interface on the page for modifying VLAN interfaces, you must click the correct Apply button to submit the modification. After you change the IP address of the VLAN interface you are using to log in to the device, you will be disconnected from the device. You can use the changed IP address to re-log in. To modify a VLAN interface: 1. From the navigation tree, select Network > VLAN Interface. 2. Click Modify to enter the page for modifying a VLAN interface. Figure 147 Modifying a VLAN interface (screenshot: Select VLAN Interface; Modify IPv4 Address with Modify Primary IP And Status (DHCP / BOOTP / Manual, Admin Status Up); Modify IPv6 Address with Modify IPv6 Link Local Address And Status (Auto / Manual, Admin Status); Add IPv6 Unicast Address; Apply). 3. Modify a VLAN interface as described in Table 44. 4. Click Apply. Table 44 C
380. interface through which a matching IP packet is to be forwarded. Next hop: Specifies the address of the next hop router on the path. Static route: Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work correctly. Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually. Default route: A default route is used to forward packets that do not match any specific routing entry in the routing table. Without a default route, packets that do not match any routing entries are discarded. You can configure default routes in the Web interface in the following ways: • Configure an IPv4 static default route and specify both its destination IP address and mask as 0.0.0.0. • Configure an IPv6 static default route and specify both its destination IP address and prefix as 0. Displaying the IPv4 active route table: Select Network > IPv4 Routing from the navigation tree to enter the page. Figure 254 IPv4 active route table (screenshot; columns Destination, Mask, Protocol, Priority, Next Hop, Interface; rows: 127.0.0.0 / 255.0.0.0 / Direct / 0 / 127.0.0.1 / InLoopBack0; 127.0.0.1 / 255.255.255.255 / Direct / 0 / 127.0.0.1 / InLoopBack0; 192.168.1.0 / 255.255.255.0 / Direct / 0 / 192.168.1.2 / Vlan-interface100; 192.168.1.2 / 255.255.255.255 / Di
381. ion (screenshot continued: Advanced Configuration with MDI, Flow Control, Power Save, Max MAC Count (0-8192); Storm Suppression with Broadcast, Multicast and Unicast Suppression; pps range 1-148810 for a 100 Mbps port, 1-260000 for a GE port, and 1-260000 for a 10GE port; kbps range 1-100000 for a 100 Mbps port, 1-180000 for a GE port, and 1-180000 for a 10GE port; Select All / Select None; Selected Ports: 1; note that it may take some time if you apply the above settings to multiple ports; Apply / Cancel). Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: a. From the navigation tree, select Network > VLAN. b. Click Create to enter the page for creating VLANs. c. Enter VLAN IDs 2, 6-50, 100. d. Click Apply. Figure 142 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 (screenshot of the Create tab: VLAN IDs 2, 6-50, 100 (Example: 3, 5-10); Create; list with ID 1, Description VLAN 0001; Modify VLAN description (note: you can do this later on the Modify VLAN page); Modify the description of the selected VLAN: ID, Description (1-32 chars)). 3. Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: a. Click Select VLAN to enter the page for selecting VLANs. b. Select the option before Display a subnet of all configured VLANs and enter 1-100 in the field. c. Click Select. Figure 143 Setting a VLAN range (screenshot)
382. ion: Port 1 (GigabitEthernet1/0/1): Port status of LLDP: Enable; Admin status: Tx_Only; Trap flag: No; Polling interval: 0s; Number of neighbors: 0; Number of MED neighbors: 0; Number of CDP neighbors: 0; Number of sent optional TLV: 23; Number of received unknown TLV: 0. Display the status information of port GigabitEthernet 1/0/2 on Switch A: a. Click the GigabitEthernet1/0/2 port name in the port list. b. Click the Status Information tab at the lower half of the page. The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device (Switch B), as shown in Figure 214. Figure 214 The status information tab (2) (tabs: Local Information, Neighbor Information, Statistic Information): Port 2 (GigabitEthernet1/0/2): Port status of LLDP: Enable; Admin status: Rx_Only; Trap flag: No; Polling interval: 0s; Number of neighbors: 1; Number of MED neighbors: 0; Number of CDP neighbors: 0; Number of sent optional TLV: 23; Number of received unknown TLV: 0. Tear down the link between Switch A and Switch B. Click Refresh to display the status information of port GigabitEthernet 1/0/2 on Switch A. The updated status information of port GigabitEthernet 1/0/2 shows that no neighbor device is connected to the port, as shown in Figure 215. Figure 215 The status information tab displaying the updated port status information (tabs: Local Information, Neighbor Information, Statistic Information): Port 2 (GigabitEthernet1/0/2): Port
383. ion (screenshot: Enable Port Security checkbox; Advanced: Temporarily Disabling Port Time 20 seconds (20-300, default 20); Traps Switch with event checkboxes MAC Learned, 802.1X Auth Failure, 802.1X Logoff, 802.1X Logon, Intrusion, MAC Auth Failure, MAC Auth Logoff, MAC Auth Logon; Apply). Configure global port security settings as described in Table 128. Click Apply. Table 128 Configuration items: Item | Description. Enable Port Security: Specifies whether to enable the port security feature globally. By default, port security is disabled. Advanced: Configures intrusion protection actions globally. Intrusion protection actions: • Temporarily Disabling Port Time: Sets the time length for how long the port is disabled temporarily upon receiving illegal frames. Traps Switch: Selects one or more events to trigger trap sending. The following are the available events: o MAC Learned o 802.1X Auth Failure o 802.1X Logoff o 802.1X Logon o Intrusion o MAC Auth Failure o MAC Auth Logoff o MAC Auth Logon. Configuring basic port security control: 1. From the navigation tree, select Authentication > Port Security. On the Port Security page, the Security Ports And Secure MAC Address List area displays the port security control settings, as shown in Figure 411. Figure 411 Security Ports And Secure MAC Address List area (columns: Port, Max Number of MAC, Intrusion Protection, Outbound Restriction, Operation) G
384. ion methods configuration 356 ISP domain configuration 354 RADIUS implementation 363 374 user management by ISP domains 353 absolute time range ACL 452 absolute time range configuration ACL 453 access control methods 802.1X 321 accounting ACL 506 AAA configuration 352 359 AAA ISP domain accounting methods configuration 357 RADIUS common parameter configuration 369 RADIUS scheme configuration 368 RADIUS server configuration 373 802.1X assignment 331 advanced configuration 456 463 assignment MAC authentication 405 automatic rule numbering 451 451 automatic rule renumbering 451 basic configuration 455 462 categories 450 configuration 450 489 configuring 802.1X assignment 343 Ethernet frame header configuration 459 match order 450 packet fragment filtering 452 rule numbering step 451 security MAC authentication 411 time range configuration 453 time-based ACL rules 452 adding IPv4 ACL 454 IPv6 ACL 46 NMM local port mirroring local group 83 QoS policy 483 QoS traffic behavior 480 QoS traffic class 478 RADIUS server 373 rules to SNMP view 116 Web device local user 86 address DHCP allocation 292 DHCP lease extension 293 Address Resolution Protocol Use ARP advanced port security advanced mode 421 port security advanced mode configuration 433 advanced ACL category 450 aggregate interface Ethernet link aggregation 209 aggreg
385. is Domain Name: Default Domain. Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test from the Select an ISP domain list. c. Select Default AuthN, select authentication method RADIUS from the Default AuthN list, and select the authentication scheme system from the Name list, as shown in Figure 316. Figure 316 Configuring AAA authentication method for the ISP domain (screenshot of the Authentication tab, Configuration of AAA: Select an ISP domain: test; Default AuthN: RADIUS, Name: system, Secondary Method; LAN-access AuthN, Login AuthN, PPP AuthN and Portal AuthN rows each with Name and Secondary Method; Apply). d. Click Apply. A configuration progress dialog box appears, as shown in Figure 317. Figure 317 Configuration progress dialog box (Current Configuration: Setting Default AuthN: OK). e. After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select test from the Select an ISP domain list. c. Select Default AuthZ, select the authorization method RADIUS from the Default AuthZ list, and select the authorization scheme system from the Name list, as shown in Figure 318. Figure 318 Configuring the AAA authorization method for the ISP domain (screenshot of the Authorization tab) Configuratio
386. is the port BP2 on Device B. Figure 173 Designated bridges and designated ports (diagram: Device A, Device B, Device C, with path costs). Path cost: Path cost is a reference value used for link selection in STP. STP calculates path costs to select the most robust links and block redundant links that are less robust, to prune the network into a loop-free tree. All the ports on the root bridge are designated ports. Calculation process of the STP algorithm: The spanning tree calculation process described in the following sections is a simplified process for example only. Calculation process: The STP algorithm uses the following calculation process. 1. Network initialization: Upon initialization of a device, each port generates a BPDU with the port as the designated port, the device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID. 2. Root bridge selection: Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its own device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. 3. Root port and designated ports selection on the non-root bridges: Step | Description. A non-root bridge device regards the port on which it received the optimum configuration BPDU as the root port. Table 54 describes how the optimum configuration BPDU is selected
387. isable. Query Interval: seconds (2-300, Default 60). General Query Source IP: 0.0.0.0 (IP address, Default 0.0.0.0). Special Query Source IP: 0.0.0.0 (IP address, Default 0.0.0.0). Items marked with an asterisk are required. Apply / Cancel. Verifying the configuration: 1. From the navigation tree, select Network > IGMP snooping. 2. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast forwarding entries. Figure 239 Displaying IGMP snooping multicast forwarding entries (Show Entries list, searchable by VLAN ID; columns VLAN ID, Source, Group, Operation; row: 100, 0.0.0.0, 224.1.1.1). 3. Click the icon for the multicast entry (0.0.0.0, 224.1.1.1) to display detailed information about this entry. Figure 240 Displaying detailed information about the entry (Entry Details: VLAN ID 100; Source Address 0.0.0.0; Group Address 224.1.1.1; Router Port(s) GigabitEthernet1/0; Member Port(s) GigabitEthernet1/0/3; Back). The output shows that GigabitEthernet 1/0/3 of Switch A is listening to the multicast streams destined for multicast group 224.1.1.1. Configuring MLD snooping: Overview: MLD snooping runs on a Layer 2 switch as an IPv6 multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from MLD messages that are exchanged between the hosts and the router. As shown
388. isplaying client's IP-to-MAC bindings 302 310 enabling DHCP 299 enabling DHCP relay agent on interface 301 enabling DHCP snooping 309 Ethernet link aggregation aggregate interface 209 Ethernet link aggregation dynamic mode 207 Ethernet link aggregation LACP 205 Ethernet link aggregation LACP priority 21 520 Ethernet link aggregation LACP-enabled port 211 Ethernet link aggregation modes 206 Ethernet link aggregation operational key 205 Ethernet link aggregation static mode 206 gratuitous ARP packet 244 gratuitous ARP packet learning 244 IP services ARP entry configuration 244 IP services ARP entry removal 245 MAC address table dynamic aging timer 175 MAC address table entry types 174 MAC authentication timers 405 MST region configuration 191 NMM local port mirroring group monitor port 84 NMM local port mirroring group port 81 NMM local port mirroring group source port 84 port operation parameters 69 3 port security features 421 port security mode 421 QoS traffic class configuration 479 QoS traffic evaluation 473 RSTP network convergence 184 secure MAC address configuration 427 security 802.1X architecture 32 security 802.1X EAP relay authentication 326 security ARP detection configuration 250 security ARP packet validity check 250 security ARP user validity check 250 security MAC authentication methods 404 specified operation parameter for all ports 73 stack global parame
389. itiated by EAP termination server that supports PAP or an HP iNode 802.1X client. CHAP authentication made. The processing is complex on the network access device. EAP relay: Figure 306 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used. Figure 306 802.1X authentication procedure in EAP relay mode (sequence diagram between Client, Device and Authentication server): 1. EAPOL-Start; 2. EAP-Request/Identity; 3. EAP-Response/Identity; 4. RADIUS Access-Request (EAP-Response/Identity); 5. RADIUS Access-Challenge (EAP-Request/MD5 challenge); 6. EAP-Request/MD5 challenge; 7. EAP-Response/MD5 challenge; 8. RADIUS Access-Request (EAP-Response/MD5 challenge); 9. RADIUS Access-Accept (EAP-Success); 10. EAP-Success; 11. EAP-Request/Identity; 12. EAP-Response/Identity; 13. EAPOL-Logoff; 14. EAP-Failure. 1. When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. 2. The network access device responds with an Identity EAP-Request packet to ask for the client username. 3. In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device. 4. The network access device relays the Ide
390. itor (table continued; first-column entries: Management, Management, Management, Management; menus: Loopback, VCT, Flow Interval, RMON, Energy Saving, SNMP, Interface Statistics; menu items and their functions follow). Switch To Management: Switch the current user level to the management level. Loopback: Perform loopback tests on Ethernet interfaces. VCT: Check the status of the cables connected to Ethernet ports. Port Traffic Statistics: Display the average rate at which the interface receives and sends packets within a specified time interval. Statistics: Display, create, modify, and clear RMON statistics. History: Display, create, modify, and clear RMON history sampling information. Alarm: Display, create, modify, and clear alarm entries. Event: Display, create, modify, and clear event entries. Log: Display log information about RMON events. Energy Saving: Display and configure the energy saving settings of an interface. Setup: Display and refresh SNMP configuration and statistics information; configure SNMP. Community: Display SNMP community information; create, modify, and delete an SNMP community. Group: Display SNMP group information; create, modify, and delete an SNMP group. User: Display SNMP user information; create, modify, and delete an SNMP user. Trap: Display the status of the SNMP trap function and information about target hosts; enable or disable the SNMP trap function; create, modify, and delete a
391. k Apply. Figure 116 Configuring the SNMP agent (screenshot of the Setup tab: SNMP Enable / Disable; Local Engine ID (10-64 hex chars); Maximum Packet Size 1500 bytes (484-17940, Default 1500); Contact (1-200 chars); Location (1-200 chars); SNMP Version checkboxes; Note: If you disable SNMP, all SNMP-related configurations will not be saved; Items marked with an asterisk are required; Apply / Cancel). Configure a read-only community: a. Click the Community tab. b. Click Add. The Add SNMP Community page appears. c. Enter public in the Community Name field and select Read only from the Access Right list. d. Click Apply. Figure 117 Configuring an SNMP read-only community (Add SNMP Community: Community Name public (1-32 chars); Access Right Read only; View ViewDefault; ACL 2000-2999; Items marked with an asterisk are required; Apply / Cancel). Configure a read and write community: a. Click Add on the Community tab page. The Add SNMP Community page appears. b. Enter private in the Community Name field and select Read and write from the Access Right list. c. Click Apply. Figure 118 Configuring an SNMP read and write community (Add SNMP Community: Community Name private (1-32 chars); Access Right Read and write; View ViewDefault; ACL). Items marked with an asterisk are r
392. k Apply to add the VLAN-to-instance mapping entries to the list. The device automatically maps 4094 VLANs to the corresponding MSTIs based on the modulo value (Modulo). Click Activate. Configuring MSTP globally: 1. From the navigation tree, select Network > MSTP. 2. Click the Global tab. Figure 180 Configuring MSTP globally (screenshot of the Global tab: MSTP Configuration; BPDU Protection; Mode; Max Hops; Path Cost Standard; Bridge Diameter; timers in centiseconds: Forward Delay, Hello Time, Max Age, each of which must be a multiple of 100; Instance: Instance ID, Root Type, Bridge Priority; TC Protection; Threshold (1-255, default 6); Apply). Configure the global MSTP configuration as described in Table 59, and then click Apply. Table 59 Configuration items: Item | Description. Enable STP Globally: Selects whether to enable STP globally. Other MSTP configurations take effect only after you enable STP globally. BPDU Guard: Selects whether to enable BPDU guard. BPDU guard can protect the device from malicious BPDU attacks, making the network topology stable. Item | Description. Mode: Sets the operating mode of STP. • STP: Each port on a device sends out STP BPDUs. • RSTP: Each port on a device sends out RSTP BPDUs and automatically migrates to
393. ked with an asterisk are required. Apply / Cancel. 4. Configure an SNMP user: a. Click the User tab. b. Click Add. The page in Figure 126 appears. c. Type user in the User Name field, select Auth/Priv from the Security Level list, select group from the Group Name list, select MD5 from the Authentication Mode list, type authkey in the Authentication Password and Confirm Authentication Password fields, select DES56 from the Privacy Mode list, and type prikey in the Privacy Password and Confirm Privacy Password fields. d. Click Apply. Figure 126 Creating an SNMP user (Add SNMP User: User Name (1-32 chars); Security Level Auth/Priv; Group Name group1; Authentication Mode MD5; Authentication Password and Confirm Authentication Password; Privacy Mode; Privacy Password and Confirm Privacy Password; ACL 2000-2999; Items marked with an asterisk are required; Apply / Cancel). Enable SNMP traps: a. Click the Trap tab. The Trap tab page appears. b. Select Enable SNMP Trap. c. Click Apply. Figure 127 Enabling SNMP traps (screenshot of the Trap tab: Enable SNMP Trap checkbox; Apply; Trap Target Host list searchable by Destination IP Address, with columns Destination IP Address, IPv4/IPv6/Domain, UDP Port, Security Name, Security Model, Security Level, Operation; Add, Delete Selec
394. l: Copies packets both received and sent on a mirroring source. Mirroring group: Port mirroring is implemented through mirroring groups, which include local and remote mirroring groups. Only local mirroring groups are supported. Local port mirroring: In local port mirroring, the mirroring source and the mirroring destination are on the same device. A mirroring group that contains the mirroring source and the mirroring destination on the device is called a local mirroring group. Figure 65 Local port mirroring implementation (diagram: Host connected to source port GE1/0/1; mirroring process in the device copies packets to monitor port GE1/0/2, which connects to the data monitoring device; original packets and mirrored packets shown separately). As shown in Figure 65, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/2 reside on the same device. Packets of GigabitEthernet 1/0/1 are copied to GigabitEthernet 1/0/2, which then forwards the packets to the data monitoring device for analysis. Configuration restrictions and guidelines: When you configure port mirroring, follow these restrictions and guidelines: • A local mirroring group can contain multiple source ports but only one monitor port. • Do not enable the spanning tree feature on the monitor port. • Use a monitor port only for port mirroring, to make sure the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and
395. l Query Source Address: IPv6 link-local address (Default FE80::2FF:FFFF:FE00:1). Special Query Source Address: IPv6 link-local address (Default FE80::2FF:FFFF:FE00:1). Items marked with an asterisk are required. Apply / Cancel. 3. Configure the parameters as described in Table 86. 4. Click Apply. Table 86 Configuration items: Item | Description. MLD snooping: Enable or disable MLD snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected here. Version: The default setting is MLDv1. By configuring an MLD snooping version, you actually configure the versions of MLD messages that MLD snooping can process. • MLDv1 snooping can process MLDv1 messages, but it floods MLDv2 messages in the VLAN instead of processing them. • MLDv2 snooping can process MLDv1 and MLDv2 messages. IMPORTANT: If you change MLDv2 snooping to MLDv1 snooping, the system clears all MLD snooping forwarding entries that are dynamically added. Querier: Enable or disable the MLD snooping querier function. In an IPv6 multicast network that runs MLD, a Layer 3 device acts as the MLD querier to send MLD queries and establish and maintain IPv6 multicast forwarding entries, ensuring correct IPv6 multicast traffic forwarding at the network layer. On an IPv6 network without Layer 3 multicast devices, MLD querier cannot work because a Layer 2 device does not support MLD. To address this issue, you can enable MLD snooping querier on a
396. l device information as TLV (type, length, and value) triplets in LLDP Data Units (LLDPDUs) to the directly connected devices. Local device information includes its system capabilities, management IP address, device ID, port ID, and so on. The device stores the device information in LLDPDUs from the LLDP neighbors in a standard MIB. LLDP enables a network management system to quickly detect and identify Layer 2 network topology changes. For more information about MIBs, see Configuring SNMP. Basic concepts: LLDP frame formats: LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or SNAP frames. • LLDP frames encapsulated in Ethernet II: Figure 195 LLDP frame encapsulated in Ethernet II (frame layout, bit offsets 0, 15, 31: Destination MAC address; Source MAC address; Type; Data (LLDPDU, up to 1500 bytes); FCS). Table 69 Fields in an Ethernet II encapsulated LLDP frame: Field | Description. Destination MAC address: MAC address to which the LLDP frame is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address. Source MAC address: MAC address of the sending port. Type: Ethernet type for the upper layer protocol. It is 0x88CC for LLDP. Data: LLDPDU. FCS: Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. • LLDP frames encapsulated in SNAP: Figure 196 LLDP frame encapsulated in SNAP (frame layout, bit offsets 0, 15, 31: Destination MAC address; Source MA
397. l key 205 Ethernet link aggregation port configuration class 206 523 Ethernet link aggregation static mode 206 Ethernet link dynamic aggregation group configuration 208 Ethernet link static aggregation group configuration 208 IGMP snooping configuration 252 IGMP snooping member port 252 IGMP snooping port function configuration 258 IGMP snooping related ports 252 IGMP snooping router port 252 IP multicast IGMP snooping aging timer for dynamic port 253 IPv6 multicast MLD snooping aging timer for dynamic port 267 isolation See port isolation LLDP configuration 217 236 LLDP disable operating mode 221 LLDP enable 223 LLDP frame reception 222 LLDP frame transmission 221 LLDP parameter setting for a single port 224 LLDP parameter setting for ports in batch 227 LLDP Rx operating mode 221 LLDP Tx operating mode 221 LLDP TxRx operating mode 221 loopback detection configuration 447 447 loopback test configuration 89 89 MAC address learning 173 MAC address table configuration 173 174 175 MAC authentication configuration 408 management 69 5 mirroring See port mirroring MLD snooping configuration 266 MLD snooping member port 266 MLD snooping port function configuration 272 MLD snooping related ports 266 MLD snooping router port 266 modification 144 MST port roles 187 MST port states 188 operation parameters 69 3 RSTP network convergence 184 security
398. l mode, reducing the consumption of system resources due to source MAC address checking. HP recommends not transmitting both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure that the voice VLAN security mode is disabled. Table 48 How a voice VLAN-enabled port processes packets in security/normal mode: Voice VLAN operating mode | Packet type | Packet processing mode. Security mode: Untagged packets, and packets carrying the voice VLAN tag: If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN; otherwise, it is dropped. Packets carrying other tags: If the packet is a voice packet (does not carry the voice VLAN tag or PVID tag), the packet is dropped. Otherwise, the packet is forwarded or dropped depending on whether the port allows packets of these VLANs to pass through. Normal mode: Untagged packets, and packets carrying the voice VLAN tag: The port does not check the source MAC addresses of inbound packets. All types of packets can be transmitted in the voice VLAN. Packets carrying other tags: Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through. Recommended voice VLAN configuration procedure: Before configuring the voice VLAN, you must create the VLAN and configure the link type of each port to be assigned to the VLAN. Because VLAN 1 is the system default VLAN, you do not need to create it; how
399. laying all the operation parameters for a port: 1. Select Device > Port Management from the navigation tree. 2. Click the Detail tab. 3. Select a port whose operation parameters you want to view in the chassis front panel. The operation parameter settings of the selected port are displayed on the lower part of the page. Whether the parameter takes effect is displayed in the square brackets. Figure 60 The Detail tab (screenshot: Select a Port in the chassis front panel; fields Port State, PVID, Flow Control, Link Type, MDI, Speed, Duplex, Max MAC Count, Broadcast Suppression, Multicast Suppression, Power Save, EEE, Unicast Suppression, Description). The table shows the configured values for the selected port, while those inside the square brackets are the actual values of the selected port. Port management configuration example: Network requirements: As shown in Figure 61: • Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of the switch, respectively. The rates of the network adapters of these servers are all 1000 Mbps. • The switch connects to the external network through GigabitEthernet 1/0/4, whose speed is 1000 Mbps. To avoid congestion at the egress port GigabitEthernet 1/0/4, configure the autonegotiation speed range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps. Figure 61 Network diagram (IP network; GE1/0/4; S
400. le. If the timer expires during MAC authentication, the user cannot access the network. Using MAC authentication with other features: VLAN assignment: You can specify a VLAN in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs off, the initial default VLAN, or the default VLAN configured before any VLAN is assigned by the authentication server, restores. If the authentication server assigns no VLAN, the initial default VLAN applies. A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN. If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the MAC address of the user. The default VLAN of the hybrid port does not change. ACL assignment: You can specify an ACL in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must configure the ACL on the access device for the ACL assignment function. You can change ACL rules while the user is online. Auth
401. le, reboot the switch to validate the upgraded image. Configuration wizard: The configuration wizard guides you through configuring the basic service parameters, including the system name, system location, contact information, and management IP address. Basic service setup: Entering the configuration wizard homepage: Select Wizard from the navigation tree. Figure 21 Configuration wizard homepage (Welcome to the Management IP Interface Setup Wizard, Step 1 of 4: This wizard helps you set, modify, or quickly view the IP configuration parameters. To continue, click Next. Next > / Cancel). Configuring system parameters: 1. On the wizard homepage, click Next. Figure 22 System parameter configuration page (System Parameters, Step 2 of 4: Sysname: sysname (1-20 chars); Syslocation: Server room 501 (1-200 chars); Syscontact: Hewlett-Packard Development Company, L.P. (1-200 chars); < Back / Next > / Cancel). 2. Configure the parameters as described in Table 3. Table 3 Configuration items: Item | Description. Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device > Basic. For more information, see Configuring basic device settings. Syslocation: Specify the physical location of the system. You can also set the physical location in the setup page you enter by selecting Device > SNMP. For more in
402. le destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table to forward frames. This table describes from which port a MAC address (or host) can be reached. Upon receiving a frame, the device uses the destination MAC address of the frame to look for a match in the MAC address table. If a match is found, the device forwards the frame out of the outgoing interface in the matching entry. If no match is found, the device floods the frame out of all but the incoming port. How a MAC address entry is created: The device automatically learns entries in the MAC address table, or you can add them manually. MAC address learning: The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each port. When a frame arrives at a port (for example, Port A), the device performs the following tasks: 1. Verifies the source MAC address (for example, MAC-SOURCE) of the frame. 2. Looks up the source MAC address in the MAC address table. o If an entry is found, the device updates the entry. o If no entry is found, the device adds an entry for MAC-SOURCE and Port A. 3. When the device receives a frame destined for MAC-SOURCE after learning this source MAC address, the device finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A. The device performs this learning process each time it receives a frame from an unknown source MAC address, until the
403. lients, such as shared keys and IP addresses. Dictionary: stores RADIUS protocol attributes and their values. Security and authentication mechanisms: the RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt user passwords exchanged between them. For security, this key must be manually configured on the client and the server. RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A RADIUS server can act as the client of another AAA server to provide authentication proxy services. Basic RADIUS message exchange process: Figure 347 illustrates the interactions between the host, the RADIUS client, and the RADIUS server. Figure 347 Basic RADIUS message exchange process (Host, RADIUS client, RADIUS server): 1. Username and password. 2. Access-Request. 3. Access-Accept/Reject. 4. Accounting-Request (start). 5. Accounting-Response. 6. The host accesses the resources. 7. Accounting-Request (stop). 8. Accounting-Response. 9. Notification of access termination. RADIUS operates in the following manner: 1. The host initiates a connection request that carries the user's username and password to the RADIUS client. 2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted using the MD5 algorithm and the shared key. 3. The RA
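The "password encrypted using the MD5 algorithm and the shared key" in step 2 is the User-Password hiding defined in RFC 2865, and the check the client performs on the Access-Accept/Reject is the Response Authenticator from the same RFC. Both are shown below as an added example that is not code from the HP manual. Everything is derived from the shared key and the 16-byte Request Authenticator, which is why the manual insists the key be configured on both sides; note that this scheme only hides the password with an MD5-derived XOR stream, so its strength is entirely that of the shared key. The key, password and authenticator values are constructed samples.

```python
"""Added example (not from the HP manual): RFC 2865 User-Password hiding
and Response Authenticator verification."""
import hashlib
import hmac
import os
import struct
from typing import Tuple


def _blocks(data: bytes) -> Tuple[bytes, ...]:
    return tuple(data[i:i + 16] for i in range(0, len(data), 16))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); block 0 uses the Request
    Authenticator. The result is the User-Password attribute value."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for p in _blocks(padded):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p, b))
        out += c
        prev = c            # chaining: the next block keys off this ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: reverse the hiding and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16")
    out, prev = bytearray(), req_auth
    for c in _blocks(hidden):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The
    client recomputes this over an Access-Accept/Reject and drops the
    packet if it does not match, so a reply forged without the key fails."""
    length = 20 + len(attributes)                 # 20-byte RADIUS header
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + req_auth + attributes + secret).digest()


def reply_is_authentic(code: int, identifier: int, attributes: bytes,
                       resp_auth: bytes, req_auth: bytes, secret: bytes) -> bool:
    expected = response_authenticator(code, identifier, attributes,
                                      req_auth, secret)
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret, ra = b"switch-shared-key", os.urandom(16)     # constructed sample
    hidden = hide_password(b"abcd", secret, ra)
    print(hidden.hex(), reveal_password(hidden, secret, ra))
```

Because each block is chained through the previous ciphertext block, a password longer than 16 bytes produces a different second block even when it repeats the first; a wrong key on either side yields garbage rather than an error, which is what an "authentication failed" symptom after a key mismatch looks like in practice.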
404. limit=64 time ... ms. --- 2001::4 ping statistics --- 5 packet(s) transmitted, 5 packet(s) received, 0.00% packet loss, round-trip min/avg/max = 2/8/15 ms. The output shows that IPv6 address 2001::4 is reachable and the echo replies are all returned from the destination. The minimum, average, and maximum round-trip intervals are 2 milliseconds, 8 milliseconds, and 15 milliseconds, respectively. quit. Syntax: quit. Parameters: None. Description: Use quit to log out of the system. Examples: Log out of the system: <Sysname> quit. (Login banner:) Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P. Without the owner's prior written consent, no decompiling or reverse engineering shall be allowed. User interface aux0 is available. reboot. Syntax: reboot. Parameters: None. Description: Use reboot to reboot the device and run the main configuration file. Use the command with caution, because reboot results in service interruption. If the main configuration file is corrupted or does not exist, the device cannot be rebooted with the reboot command. In this case, you can specify a new main configuration file to reboot the device, or you can power off the device and then power it on, and the system will automatically use the backup con
405. ling Event: if you select the Create Default Event box, this option is not configurable. Displaying RMON statistics: 1. Select Device > RMON from the navigation tree. The page in Figure 80 appears. 2. Click the icon for the statistics entry of an interface. Figure 88 RMON statistics (tabs: Statistics, History, Event, Log). Add an Alarm Group form: Alarm Variable; Static Item: Number of Packet Discarding Events; Interface Name: GigabitEthernet1/0/1; Sample Item; Interval (Seconds, 5-65535); Sample Type: Absolute; Owner (Chars 1-127); Alarm: Create Default Event; Rising Threshold (0-2147483647); Rising Event 1; Falling Threshold (0-2147483647); Falling Event 1. Before creating an alarm, please create a statistics entry and an event first. Items marked with an asterisk are required. Apply, Cancel. Table 28 Field description. Number of Received Bytes: total number of octets received by the interface, corresponding to the MIB node etherStatsOctets. Number of Received Packets: total number of packets received by the interface, corresponding to the MIB node etherStatsPkts. Number of Received Broadcast Packets: total number of broadcast packets received by the interface, corresponding to the MIB node etherStatsBroadcastPkts. Number of Received Multicast Packets: total number of multicast packets received by the interface, corresponding to the MIB node etherStatsMulticastPkts. Total number of
406. ling MLD snooping in a VLAN 270; MLD snooping configuration 266; MLD snooping port function configuration 272; IRF: DHCP overview 292; isolating ports: see port isolation; isolation group configuration 440; ISP: AAA ISP domain accounting methods configuration 357, AAA ISP domain authentication methods configuration 355, AAA ISP domain authorization methods configuration 356, AAA ISP domain configuration 354, AAA user management by ISP domains 353; IST: MST region 187. K: key: Ethernet link aggregation operational key 205. L: LACP: configuration 205, 213; Ethernet link aggregation 205; LACP-enabled port: Ethernet link aggregation 211; LAN: VLAN configuration 133, 145; Layer 2: Ethernet aggregate interface 205, Ethernet aggregation group 205, Ethernet link aggregation and LACP configuration 205, Ethernet link aggregation group configuration 208, Ethernet link aggregation group creation 208, Ethernet link dynamic aggregation group configuration 208, Ethernet link static aggregation group configuration 208, LLDP configuration 236, loopback detection configuration 447, loopback test configuration 89, NMM port mirroring configuration 79, port isolation configuration 440, 441, port-based VLAN configuration 135, VLAN configuration 133, 145, VLAN type 134; Layer 2 aggregate interface management 69; Layer 2 Ethernet port management 69; Layer 3: DHCP overview 292, DHCP relay agent confi
407. link-local address prefix FE80::/64 and the link-layer address of the interface. Manual: select this option to manually assign an IPv6 link-local address to the interface. IPv6 address: specify an IPv6 link-local address for the VLAN interface. This field is configurable if you select Manual. The address prefix must be FE80::/64. Finishing the configuration wizard: after finishing the management IP address configuration, click Next. The page displays your configurations. Review the configurations and, if you want to modify the settings, click Back to go back to the page. Click Finish to confirm your settings, and the system performs the configurations. Figure 24 Configuration complete: IP Setup, Completing the Management IP Interface Setup Wizard, Step 4 of 4. You have successfully completed the Management IP Interface Setup Wizard. You have specified the following settings: Sysname: sysname; Syslocation: Server room 501; Syscontact: Hewlett-Packard Development Company, L.P.; VLAN Interface: 1; Admin Status: UP; Config IPv4 address: Method Manual, IPv4 address 192.168.1.60, Subnet mask 255.255.255.0; Config IPv6 link-local address: Method NoChange, IPv6 address NoChange. Configuring stack. Overview: the stack management feature allows you to configure and monitor a group of connected devices by logging in to one device in the stack, as shown in Figure 25.
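How the automatic option derives a link-local address from the FE80::/64 prefix and the interface's link-layer (MAC) address, and the check the Manual option applies (the address must fall in FE80::/64), as an added example that is not code from the HP manual. The derivation is the modified EUI-64 form from RFC 4291; the reverse function shows why such an address reveals the hardware address to anyone on the link. The MAC and addresses used are constructed samples.

```python
"""Added example (not from the HP manual): EUI-64 link-local derivation and
the FE80::/64 prefix check."""
import ipaddress

LINK_LOCAL_NET = ipaddress.IPv6Network("fe80::/64")


def modified_eui64(mac: str) -> bytes:
    """Split the 48-bit MAC, insert FF:FE in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix + modified EUI-64 interface identifier."""
    prefix = LINK_LOCAL_NET.network_address.packed[:8]   # fe80:0:0:0
    return ipaddress.IPv6Address(prefix + modified_eui64(mac))


def valid_manual_link_local(text: str) -> bool:
    """The wizard's rule for Manual: the prefix must be FE80::/64.
    fe80:1::/64, global unicast and unparsable input are all rejected."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return addr in LINK_LOCAL_NET


def mac_from_link_local(text: str) -> str:
    """Reverse the derivation for an EUI-64 style address."""
    iid = ipaddress.IPv6Address(text).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("not a modified EUI-64 interface identifier")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    sample_mac = "00:1b:21:3c:4d:5e"            # constructed sample
    addr = eui64_link_local(sample_mac)
    print(addr, mac_from_link_local(str(addr)), valid_manual_link_local(str(addr)))
```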
408. lock, the client will not synchronize its clock to the server's. The synchronization process takes some time. The clock status might be displayed as unsynchronized after your configuration. In this case, refresh the page to view the clock status and system time later on. If the system time of the NTP server is ahead of the system time of the device and the time gap exceeds the Web idle time specified on the device, all online Web users are logged out because of timeout after the synchronization finishes. Configuring syslog. System logs record network and device information, including running status and configuration changes. With system logs, administrators can take corresponding actions against network problems and security problems. The system sends system logs to the following destinations: Console; Monitor terminal (a terminal that has logged in to the device through the AUX or VTY user interface); Log buffer; Log host; Web interface; Log file. Displaying syslogs: 1. Select Device > Syslog from the navigation tree. The page for displaying syslogs appears. 2. You can click Reset to clear all system logs saved in the log buffer on the Web interface. You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup page to enable the system to automatically refresh the page periodically. For more information, see Setting buffer capacity and refresh interval. Figure 50 Dis
409. lt in personal injury. CAUTION: an alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software. IMPORTANT: an alert that calls attention to essential information. NOTE: an alert that contains additional or supplementary information. TIP: an alert that provides helpful information. Network topology icons: represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch. Represents an access point. Represents a mesh access point. Represents omnidirectional signals. Represents directional signals. Represents a security product, such as a firewall, UTM, multiservice security gateway, or load-balancing device. Represents a security card, such as a firewall, load-balancing, NetStream, SSL VPN, IPS, or ACG card. Port numbering in examples: the port numbers in this document are for illustration only and might be unavailable on your device. Index. Numerics: 802.1X: access control methods 321, ACL assignment 331, architecture 321, authent
410. lues are supported. Select the time range during which the rule takes effect. Configuring QoS. Grayed-out options on Web configuration pages cannot be configured. Overview: Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria, because the network might provide various services. Generally, QoS performance is measured with respect to bandwidth, delay, jitter, and packet loss ratio during the packet forwarding process. Networks without QoS guarantee: on traditional IP networks without QoS guarantee, devices treat all packets equally and handle them using the first-in-first-out (FIFO) policy. All packets share the resources of the network and devices. How many resources the packets can obtain depends completely on the time they arrive. This service is called best effort. It delivers packets to their destinations as best it can, without any guarantee for delay, jitter, packet loss ratio, and so on. This service policy is only suitable for applications insensitive to bandwidth and delay, such as World Wide Web (WWW) and email. QoS requirements of new applications: the Internet has been growing along with the fast development of networking technologies. Besides traditional applications such as WWW, email, and FTP, network users are experiencing new s
411. ly obtain its IP address through the DHCP server. You can log in to the device through the console port and execute the summary command to view the information about its IP address: <Sysname> summary. Select menu option: Summary. IP Method: DHCP. IP address: 169.254.1.2. Subnet mask: 255.255.0.0. Default gateway: 0.0.0.0. <Omitted>. Assuming that the IP address of the device is 169.254.1.2, to log in to the Web interface of the device from a PC: 1. Connect the Ethernet interface of the device to a PC by using a crossover Ethernet cable. By default, all interfaces belong to VLAN 1. 2. Configure an IP address for the PC and make sure that the PC and device can reach each other. For example, assign the PC an IP address (for example, 169.254.1.27) within 169.254.0.0/16, except for the IP address of the device. 3. Open the browser and input the login information: a. Type the IP address http://169.254.1.2 in the address bar and press Enter. The login page of the Web interface (see Figure 5) appears. b. Enter the username admin and the verification code, leave the password blank, and click Login. Figure 5 Login page of the Web interface (Web User Login: username, password, verify code, Login). Logging out of the Web interface. CAUTION: You cannot log out by directly closing the browser. For security purposes, log out of the Web interface after you finish your operations. Because the factory admin account has no password, set one as soon as you have logged in for the first time. 1. Save the current configuration. Bec
412. m number of handshake attempts set by the Retry Times setting has been made, the network access device sets the user in the offline state (Enable Handshake). For information about the timers, see Configuring 802.1X globally. NOTE: If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down. Item / Description. Enable Re-Authentication: specifies whether to enable periodic online user re-authentication on the port. Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 104. NOTE: The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and it enables periodic online user re-authentication even if the function is not configured on the access device. Support for the server assignment of the re-authentication timer, and the re-authentication timer configuration on the server, vary with servers. The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN
413. main. 1. Select Authentication > AAA from the navigation tree. 2. Click the Authentication tab. Figure 336 Authentication method configuration page (tabs: Domain Setup, Authentication, Authorization, Accounting). Configuration of AAA: Select an ISP domain: system. Default AuthN: Local, Name, Secondary Method. LAN-access AuthN: Name, Secondary Method. Login AuthN: Name, Secondary Method. PPP AuthN: Name, Secondary Method. Portal AuthN: Name, Secondary Method. 3. Select the ISP domain and specify authentication methods for the domain as described in Table 109. 4. Click Apply. Table 109 Configuration items. Select an ISP domain: select the ISP domain for which you want to specify authentication methods. Default AuthN / Name / Secondary Method: configure the default authentication method and secondary authentication method for all types of users. Options include: HWTACACS (HWTACACS authentication; you must specify the HWTACACS scheme to be used); Local (local authentication); None (no authentication; this method trusts all users and is not for general use); RADIUS (RADIUS authentication; you must specify the RADIUS scheme to be used); Not Set (the device uses the default authentication setting, which is local authentication). LAN-access AuthN: configure the authentication method and secondary authentication method for LAN access users. Options include: Local (local authentication); None
414. make sure the product of the TTL multiplier and the LLDP frame transmission interval is less than 255 seconds for CDP-compatible LLDP to work correctly with Cisco IP phones. Fast LLDPDU Count: set the number of LLDP frames sent each time fast LLDP frame transmission is triggered. Item / Description. TTL Multiplier: set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDPDUs, to determine how long information about the local device can be saved on a neighbor device, by setting the TTL multiplier. The TTL is expressed as TTL = TTL multiplier x LLDP frame transmission interval. When you configure the TTL multiplier, follow these guidelines: if the product of the TTL multiplier and the LLDP frame transmission interval is greater than 65535, the TTL carried in transmitted LLDP frames takes 65535 seconds; because the maximum TTL allowed by CDP is 255 seconds, you must make sure the product of the TTL multiplier and the LLDP frame transmission interval is less than 255 seconds for CDP-compatible LLDP to work correctly with Cisco IP phones. Trap Interval: set the minimum interval for sending traps. With the LLDP trapping function enabled on a port, traps are sent out of the port to advertise the topology changes detected over the trap interval to neighbors. By tuning this interval, you can prev
415. mary, Remove. Time Range Name: testtime (1-32 chars). Periodic Time Range: Start Time 8, End Time 18; Sun, Mon, Tue, Wed, Thu, Fri, Sat. Absolute Time Range: From, To. Summary. 2. Add an advanced IPv4 ACL: a. Select QoS > ACL IPv4 from the navigation tree. b. Click the Add tab. c. Enter the ACL number 3000. d. Click Apply. Figure 478 Adding an advanced IPv4 ACL (tabs: Summary, Add, Basic Setup, Advanced Setup, Link Layer Setup, Remove). ACL Number: 3000 (2000-2999 for basic ACLs, 3000-3999 for advanced ACLs, 4000-4999 for Ethernet frame header ACLs). Match Order. Description (0-127 characters). Columns: ACL Number, Type, Number of Rules, Match Order, Description. 3. Define an ACL rule for traffic to the FTP server: a. Click the Advanced Setup tab. b. Select 3000 in the ACL list. c. Select the Rule ID box and enter rule ID 2. d. Select Permit in the Action list. e. Select the Destination IP Address box and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0. f. Select testtime in the Time Range list. g. Click Add. Figure 479 Defining an ACL rule for traffic to the FTP server (tabs: Summary, Add, Basic Setup, Advanced Setup, Link Layer Setup, Remove). ACL: 3000. Configure an Advanced ACL: Rule ID 2 (if no ID is entered, the system will specify one). Non-first Fragments Only. Logging. IP Address Filter: Destination IP Address 10.1.1.1, Destination Wildcard 0.0.0.0. Pro
416. me: select the name of the interface on which the history entry is created. Buckets Granted: set the capacity of the history record list corresponding to this history entry, that is, the maximum number of records that can be saved in the history record list. If the current number of the entries in the table has reached the maximum number, the system deletes the earliest entry to save the latest one. The statistics include the total number of received packets on the current interface, total number of broadcast packets, and total number of multicast packets in a sampling period. Interval: set the sampling period. Owner: set the owner of the entry. Configuring an event entry: 1. Select Device > RMON from the navigation tree. 2. Click the Event tab. Figure 84 Event entry (tabs: Statistics, History, Alarm, Event, Log; Search, Advanced Search; columns: Index, Description, Owner, Status; buttons: Add, Del Selected). 3. Click Add. Figure 85 Adding an event entry: Add an Event Group; Description (chars); Owner; Event Type: Log, Trap. Items marked with an asterisk are required. Apply, Cancel. 4. Configure an event entry as described in Table 26. 5. Click Apply. Table 26 Configuration items. Description: set the description for the event. Owner: set the entry owner. Event Type: set the actions that the system takes when the event is triggered. Log: the system logs the event. Eve
417. minutes. Managing the configuration. You can back up, restore, save, or reset the device configuration. Backing up the configuration: configuration backup allows you to do the following: open and view the configuration files for the next startup, including the .cfg file and the .xml file; back up the configuration files for the next startup to your local host. IMPORTANT: HP recommends backing up both the .cfg and .xml files. If you back up only the .cfg file, some configuration information might not be restored when, for example, the configuration is mistakenly removed. To back up the configuration: 1. Select Device > Configuration from the navigation tree. The Backup page appears. Figure 53 Backing up the configuration (tabs: Backup, Restore, Save, Initialize). Configuration File Backup: back up the configuration file with the extension .cfg (Backup); back up the configuration file with the extension .xml (Backup). 2. Click the upper Backup button. The file download dialog box appears. 3. Choose to view the .cfg file or to save the file to your local host. 4. Click the lower Backup button. The file download dialog box appears. 5. Choose to view the .xml file or to save the file to the local host. Restoring the configuration: configuration restoration allows you to do the following: upload a .cfg file from your local host to the device; upload an .xml file from your local host to the device and delete the .xml con
418. mmary displaying 42; state: Ethernet link aggregation member port state 205; static: ARP configuration 246, DHCP address allocation 292, Ethernet link aggregation mode 206, Ethernet link aggregation static mode 206, Ethernet link static aggregation group configuration 208, MAC address table entry 174, static ARP table entry 244; static routing: configuration (IPv4) 283, configuration (IPv6) 287, configuration guideline 291, route creation (IPv4) 280, route creation (IPv6) 281; statistics: NMM RMON configuration 93, 105, NMM RMON Ethernet statistics group 93, NMM RMON statistics function 95, statistics entry configuration 97; STP: algorithm calculation 179, basic concepts 178, BPDU forwarding 184, CIST 187, CST 187, designated bridge 178, designated port 178, IST 187, loop detection 177, MST common root bridge 187, MST port roles 187, MST port states 188, MST region 186, MST region configuration 191, MST regional root 187, MSTI 186, MSTI calculation 189, MSTP 185 (see also MSTP), MSTP CIST calculation 189, MSTP device implementation 189, path cost 1 9, protocol packets 177, root bridge 178, root port 178, RSTP 184 (see also RSTP), timers 184, VLAN-to-instance mapping table 187; summary: displaying basic system information 47, displaying device information 47, 48, displaying recent system logs 48, displaying system information 47, displaying system resource state 48, setti
419. move the CA certificate and local certificate first. 5. Requesting a local certificate: Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode. In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically. In offline mode, you must retrieve the local certificate by an out-of-band means. IMPORTANT: If a local certificate already exists, you cannot perform the local certificate retrieval operation. This avoids a possible mismatch between the local certificate and the registration information resulting from relevant changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first. Step / Remarks. 6. Destroying the RSA key pair: Optional. Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you must destroy the existing key pair. Otherwise, the retrieving operation will fail. 7. Retrieving and displaying a certificate: Optional. Retrieve an existing certificate. 8. Retrieving and displaying a CRL: Optional. Retrieve a CRL and display its contents. Recommended configuration procedure for automatic request. Task / Remarks. Required: Create a PKI
420. ms marked with an asterisk are required. Apply, Cancel. 3. Generate an RSA key pair: a. Click the Certificate tab. b. Click Create Key. c. Enter 1024 as the key length and click Apply to generate an RSA key pair. Figure 384 Generating an RSA key pair (tabs: Entity, Domain, Certificate, CRL). Add Key: Key Length 1024 (512-2048, default 1024). If there is already a key, overwrite it. Items marked with an asterisk are required. NOTE: 1024-bit RSA is below the 2048-bit minimum that current guidance calls for; where your CA accepts it, choose 2048 rather than the 1024 used in this example. 4. Retrieve the CA certificate: a. Click the Certificate tab. b. Click Retrieve Cert. c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply. Figure 385 Retrieving the CA certificate (tabs: Entity, Domain, Certificate, CRL). Retrieve Certificate: Domain Name; Certificate Type; Enable Offline Mode. Items marked with an asterisk are required. Apply, Cancel. 5. Request a local certificate: a. Click the Certificate tab. b. Click Request Cert. c. Select torsa as the PKI domain, select Password, and enter challenge word as the password. d. Click Apply. The system displays "Certificate request has been submitted". e. Click OK to finish the operation. Figure 386 Requesting a local certificate (tabs: Entity, Domain, Certificate, CRL). Request Certificate: Domain Name torsa; Password (masked, 1-31 chars); Enable Offline Mode. Items marked with an asterisk are required. Apply, Cancel. 6. Retrieve the CRL: a. Click the CRL tab. b. Click Retrieve CRL of the PKI domain torsa. Figure 38
421. n intormation about an ISP domain Specify authentication methods for an ISP domain Display the authorization method configuration intormation about an ISP domain Specify authorization methods for an ISP domain Monitor Configure Configure Monitor Configure Monitor Configure Configure Management Visitor Visitor Visitor Visitor Monitor Configure Monitor Configure Monitor Contigure Monitor Management Monitor Management Monitor Management Function menu Description User level Secu rity QoS RADIUS Users Certificate Manageme nt Port Isolate Group Authorized IP Loopback Detection Time Range ACL IPv4 Accounting RADIUS Server RADIUS Setup Local User User Group Entity Domain Certificate CRL Summary Port Setup Summary Setup Loopback Detection Summary Create Remove Summary Create Basic Setup Advanced Setup Display the accounting method configuration intormation about an ISP domain Specify accounting methods for an ISP domain Display and configure RADIUS server information Display and configure RADIUS parameters Display contiguration information about local users Create modify and remove a local user Display configuration information about user groups Create modify and remove a user group Display information about PKI entities Add modify and delete a PKI entity Display information about
422. n you must enter a number in the box below e kbps Sets the maximum number of kilobits of unicast traffic that can be forwarded on an Ethernet port per second When you select this option you must enter a number in the box below Interface or interfaces that you have selected from the chassis front panel and the Selected Ports aggregate interface list below for which you have set operation parameters You can set only the state and MAC learning limit for an aggregate interface If you set operation parameters that a port does not support you are notified of invalid settings and might fail to set the supported operation parameters for the port or other ports Displaying port operation parameters Displaying a specified operation parameter for all ports 1 Select Device gt Port Management from the navigation tree The Summary page appears by default 2 Select the option for a parameter you want to view The parameter information for all the ports is displayed in the lower part of the page 73 Figure 59 The Summary tab Detail Setup Select Feature PortState Max MAC Count Flow Control Default VLAN ID PVID Link Type MDI Duplex Speed Broadcast Suppression Multicast Suppression Unicast Suppression Power Save Description EEE Feature Summary Ports Setting GE1 0 1 Enabled GE1 0 2 Enabled GE1 0 3 Enabled GE1 0 4 Enabled GE1 0 5 Enabled GE1 0 6 Enabled Disp
423. n 192 168 1 2 1812 i Pri mary Accounting 192 168 1 2 1813 il Add Items marked with an asterisk are required Apply Cancel 4 Click Apply Configuring AAA 1 Configure AAA authentication method a From the navigation tree select Authentication gt AAA b Click the Authentication tab c Select the ISP domain system d Select Default AuthN select the authentication method RADIUS from the list and select authentication scheme system from the Name list 435 Figure 428 Configuring AAA authentication Domain Setup Authorization Accounting Authentication Configuration of AAA Select an ISP domain system Default AuthN RADIUS Name system Secondary Method E LAN access Auth Name Secondary Method L Login Auth Name Secondary Method PPP Auth Name Secondary Method Portal Auth Name Secondary Method Apply e Click Apply A dialog box appears displaying the configuration progress as shown in Figure 429 Figure 429 Configuration progress dialog box Current Configuration setting Default Auth OK f When the configuration process is complete click Close 2 Configure AAA authorization method a Click the Authorization tab b Select the ISP domain system c Select Default AuthZ select authorization method RADIUS from the list and select the authorization scheme system from the Name list d Click Apply 436 Figure 430 Configuring AAA authorization Domain Setup Authenticati
424. n Configuration of AAA Select an ISP domain test Default Auth Local Name secondary Method LAN access Auth Name secondary Method Login Auth Name secondary Method PPP Auth Name secondary Method Portal Authz Name secondary Method Command AuthZ Name Apply 7 Configure the ISP domain to use local accounting a Select Authentication gt AAA from the navigation tree b Click the Accounting tab c Select the domain test d Select Login Accounting and select the accounting method Local e Click Apply A configuration progress dialog box appears f After the configuration process is complete click Close Figure 345 Configuring the ISP domain to use local accounting Domain Setup Authentication Authorization Accounting Configuration of AAA Select an IEP domain test Accounting Optional Disable E Default Accounting Local Name Secondary Method EH LAN access Accounting Name Secondary Method Login Accounting Name Secondary Method PPP Accounting Name Secondary Method Portal Accounting Name Secondary Method Verifying the configuration Telnet to the switch and enter the username telnet test and password abed You will be serviced as a user in domain test 362 Configuring RADIUS Overview Remote Authentication Dial In User Service RADIUS is a distributed information interaction protocol that uses a client server model to implement AAA It can protect networks against unauthorized acc
425. n manual mode During this period the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed Polling Interval Enable CRL Checking Select this box to specify that CRL checking is required during certificate verification Enter the CRL update period that is the interval at which the PKI entity downloads the latest CRLs This item is available atter you click the Enable CRL Checking box By default the CRL update period depends on the next update field in the CRL file CRL Update Period 392 ltem Description CRL URL Enter the URL of the CRL distribution point The URL can be an IP address or a domain name This item is available atter you click the Enable CRL Checking box If the URL of the CRL distribution point is not set you should get the CA certificate and a local certificate and then get a CRL through SCEP Generating an RSA key pair 1 From the navigation tree select Authentication gt Certificate Management 2 Click the Certificate tab Figure 372 Certificate configuration page Entity Domain CAL Domain Mame Issuer Subject abcd abcd Certificate Type Operation Delete the certificate view the certificate Delete the certificate view the certificate CAHCA server CAH CA server CA CAHCA server Ch aaa Coch Local Create Key Destroy Key Retrieve Cert Request Cert There are two w
426. n of AAA select an ISP domain test Default AuthzZ RADIUS Name system Secondary Method d E LAN access Auth Name Secondary Method El Login Auth Name Secondary Method PPP AuthZ Name Secondary Method Portal Auth Name secondary Method Command Authz Name d Click Apply A configuration progress dialog box appears e After the contiguration process is complete click Close Configure AAA accounting method for the ISP domain a Click the Accounting tab b Select test from the Select an ISP domain list c Select Default Accounting select the accounting method RADIUS as the default accounting method and select the accounting scheme system trom the Name list as shown in Figure 319 342 Figure 319 Configuring the AAA accounting method for the ISP domain Domain Setup Authentication Authorization Accounting Configuration of AAA Select an ISP domain test E Accounting Optional Disable Default Accounting RADIUS Name system Secondary Method E LAN access Accounting Name Secondary Method El Login Accounting Name Secondary Method PFF Accounting Name Secondary Method Portal Accounting Name Secondary Method d Click Apply e After the contiguration process is complete click Close 802 X with ACL assignment configuration example Network requirements As shown in Figure 320 perform 802 1X authentication on port GigabitEthernet 1 0 1 Use the RADIUS se
427. n to take depend on the rule order. The following ACL match orders are available: Config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this method, check the rule content and order carefully. Auto: Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 136 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL. Table 136 Depth-first match for ACLs (ACL category: sequence of tie breakers). IPv4 basic ACL: 1. More 0s in the source IP address wildcard (more 0s means a narrower IP address range); 2. Smaller rule ID. IPv4 advanced ACL: 1. Specific protocol number; 2. More 0s in the source IP address wildcard mask; 3. More 0s in the destination IP address wildcard; 4. Narrower TCP/UDP service port number range; 5. Smaller ID. IPv6 basic ACL: 1. Longer prefix for the source IP address (a longer prefix means a narrower IP address range); 2. Smaller ID. IPv6 advanced ACL: 1. Specific protocol number; 2. Longer prefix for the source IPv6 address; 3. Longer prefix for the destination IPv6 address; 4. Narrower TCP/UDP service port number range; 5. Smaller ID. Ethernet frame header ACL: 1. More 1s in the source MAC address mask (more 1s means a smaller MAC address range); 2. More 1s in the destination MAC address mask; 3. Smaller ID.
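The Table 136 tie-breaker sequence for IPv4 basic and advanced ACLs, turned into sort keys so the config-order and auto-order results can be compared on a packet. This is an added example, not the switch's own code; the rules, addresses and wildcards are constructed.

```python
"""Depth-first ("auto") ACL rule ordering, as an added example that is not
the switch's own code.  It turns the Table 136 tie-breaker sequence for IPv4
basic and IPv4 advanced ACLs into Python sort keys and shows why the order
matters: under "config" order a broad low-ID rule shadows a narrower rule,
under "auto" order the narrower (subset) rule is evaluated first.
Wildcard masks follow the manual's convention: a 0 bit must match, so more 0
bits means a narrower address range.  All rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ipv4BasicRule:
    rule_id: int
    action: str            # "permit" or "deny"
    src: str               # e.g. "10.1.0.0"
    src_wildcard: str      # e.g. "0.0.255.255"


@dataclass(frozen=True)
class Ipv4AdvancedRule:
    rule_id: int
    action: str
    protocol: Optional[int]               # IP protocol number, None = any
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_ports: Optional[Tuple[int, int]]  # (low, high) service ports, None = all


def zero_bits(wildcard: str) -> int:
    """Count of 0 bits in a dotted wildcard mask (0 = bit must match)."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def port_range_width(ports: Optional[Tuple[int, int]]) -> int:
    """Number of ports a service port range covers; None covers all 65536."""
    return 65536 if ports is None else ports[1] - ports[0] + 1


def basic_key(rule: Ipv4BasicRule):
    # Table 136, IPv4 basic ACL: (1) more 0s in the source wildcard,
    # (2) smaller rule ID.  sorted() is ascending, so negate "more is better".
    return (-zero_bits(rule.src_wildcard), rule.rule_id)


def advanced_key(rule: Ipv4AdvancedRule):
    # Table 136, IPv4 advanced ACL: (1) specific protocol number first,
    # (2) more 0s in source wildcard, (3) more 0s in destination wildcard,
    # (4) narrower TCP/UDP port range, (5) smaller rule ID.
    return (
        0 if rule.protocol is not None else 1,
        -zero_bits(rule.src_wildcard),
        -zero_bits(rule.dst_wildcard),
        port_range_width(rule.dst_ports),
        rule.rule_id,
    )


def auto_order_basic(rules: List[Ipv4BasicRule]) -> List[int]:
    """Rule IDs in the order the depth-first (auto) match order tries them."""
    return [r.rule_id for r in sorted(rules, key=basic_key)]


def auto_order_advanced(rules: List[Ipv4AdvancedRule]) -> List[int]:
    return [r.rule_id for r in sorted(rules, key=advanced_key)]


def matches_source(rule: Ipv4BasicRule, ip: str) -> bool:
    """Wildcard match: bits that are 0 in the wildcard must equal the rule's src."""
    must_match = ~int(IPv4Address(rule.src_wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) ^ int(IPv4Address(rule.src))) & must_match == 0


def first_match_basic(rules, ip: str, order: str = "auto") -> Optional[Tuple[int, str]]:
    """(rule_id, action) of the first rule that matches ip under the given order."""
    key = basic_key if order == "auto" else (lambda r: r.rule_id)
    for rule in sorted(rules, key=key):
        if matches_source(rule, ip):
            return rule.rule_id, rule.action
    return None


# Constructed rules: a broad permit with the lowest ID and a narrower deny.
BASIC_RULES = [
    Ipv4BasicRule(0, "permit", "10.1.0.0", "0.0.255.255"),
    Ipv4BasicRule(5, "deny", "10.1.2.0", "0.0.0.255"),
]

if __name__ == "__main__":
    print("config order:", first_match_basic(BASIC_RULES, "10.1.2.7", "config"))  # (0, 'permit')
    print("auto order:  ", first_match_basic(BASIC_RULES, "10.1.2.7", "auto"))    # (5, 'deny')
```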
428. nal [screenshot: Please select a VLAN ID (1-32 chars); membership types Untagged, Tagged and Not A Member; ports not available for selection are marked; note that you can assign multiple ports in different membership types to this VLAN; Summary of Untagged Membership and Tagged Membership]. 3. Modify the member ports of a VLAN as described in Table 41. 4. Click Apply. A progress dialog box appears. 5. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds. Table 41 Configuration items (Item: Description). Please select a VLAN to modify: Select the VLAN to be modified. The VLANs available for selection are existing VLANs selected on the page for selecting VLANs. Modify Description: Modify the description string of the selected VLAN. By default the description string of a VLAN is its VLAN ID, such as VLAN 0001. Select membership type: Set the member type of the port to be modified in the VLAN. Untagged: Configures the port to send the traffic of the VLAN after removing the VLAN tag. Tagged: Configures the port to send the traffic of the VLAN without removing the VLAN tag. Not a Member: Removes the port from the VLAN. Select ports to be modified and assigned to this VLAN: Select the ports to be modified in the selected VLAN. When you configure an access port as a tagged member of a V
429. nce it provides a better load sharing mechanism for redundant links by allowing data flows of different VLANs to be forwarded along separate paths. MSTP provides the following features: MSTP divides a switched network into multiple regions, each of which contains multiple spanning trees that are independent of one another. MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one instance. MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless cycling of packets in a loop network. In addition, it supports load balancing of VLAN data by providing multiple redundant paths for data forwarding. MSTP is compatible with STP and RSTP. MSTP basic concepts: Figure 176 shows a switched network that comprises four MST regions, each MST region comprising four MSTP devices. Figure 176 Basic concepts in MSTP [figure: regions A0, B0 and C0 shown; in each region VLAN 1 is mapped to instance 1, VLAN 2 to instance 2 and other VLANs to the CIST; B is the regional root bridge of region B0 and C of region C0; BPDUs are exchanged between regions over the CST]. Other VL
430. nd are neglected upon reception. If the length of a received packet is less than this length, the packet is dropped. The value of this field is in the range 20 to 4096. The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. The Attributes field (variable in length) carries the specific authentication, authorization and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type (1 byte long): Type of the attribute. It is in the range 1 to 255. Commonly used attributes for RADIUS authentication, authorization and accounting are listed in Table 113. Length (1 byte long): Length of the attribute in bytes, including the Type, Length and Value fields. Value (up to 253 bytes): Value of the attribute. Its format and content depend on the Type and Length fields. Table 113 Commonly used RADIUS attributes (No.: Attribute): 1 User-Name; 2 User-Password; 3 CHAP-Password; 4 NAS-IP-Address; 5 NAS-Port; 6 Service-Type; 7 Framed-Protocol; 8 Framed-IP-Address; 9 Framed-IP-Netmask; 45 Acct-Authentic; 46 Acct-Session-Time; 47 Acct-Input-Packets; 48 Acct-Output-Packets; 49 Acct-Terminate-Cause; 50 Acct-Multi-Session-Id; 51 Acct-Link-Count; 52 Acct-Input-Gigawords; 53 Acct-OutputGiga
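A parser for the packet layout described above (Code, Identifier, Length, Authenticator, then Type/Length/Value attributes) together with the two uses of the Authenticator the text names: hiding User-Password and authenticating server replies. This is an added example, not the switch's code; the RFC 2865 definitions are used for the MD5 computations, and the shared secret, addresses and user are constructed.

```python
"""RADIUS packet parsing and reply authentication, added as an example that is
not the switch's code.  The layout is the one described above: Code (1 byte),
Identifier (1), Length (2), Authenticator (16), then Type/Length/Value
attributes.  The Response Authenticator check and the User-Password hiding
follow RFC 2865.  Secret, addresses and user are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

HEADER_LEN = 20          # Code + Identifier + Length + Authenticator
MAX_LEN = 4096           # Length field range given on the page: 20 to 4096
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8

Attrs = List[Tuple[int, bytes]]


class RadiusError(ValueError):
    """Raised for packets the page says are dropped (bad Length, truncation)."""


def encode_attrs(attrs: Attrs) -> bytes:
    out = b""
    for atype, value in attrs:
        if not 1 <= atype <= 255 or len(value) > 253:
            raise RadiusError("attribute type or value out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value  # Length counts T+L+V
    return out


def decode_attrs(body: bytes) -> Attrs:
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise RadiusError("attribute header runs past packet end")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise RadiusError("attribute Length inconsistent with packet Length")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, Attrs]:
    """Return (code, identifier, authenticator, attributes); reject short packets."""
    if len(packet) < HEADER_LEN:
        raise RadiusError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= MAX_LEN:
        raise RadiusError("Length field out of range")
    if len(packet) < length:          # page: shorter than Length -> dropped
        raise RadiusError("packet truncated below its Length field")
    return code, ident, packet[4:20], decode_attrs(packet[20:length])


def build_radius(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte chunks with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           body: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_reply(code: int, ident: int, request_auth: bytes, attrs: Attrs, secret: bytes) -> bytes:
    auth = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    return build_radius(code, ident, auth, attrs)


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply's Authenticator was computed with the shared secret
    over this request's authenticator: this is how a client authenticates replies."""
    code, ident, auth, _ = parse_radius(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(auth, expected)


SECRET = b"example-shared-secret"           # constructed
REQUEST_AUTH = bytes(range(16))              # constructed; a real client uses 16 random bytes


def example_exchange() -> Tuple[bool, bool]:
    """A genuine Access-Accept verifies; one built with the wrong secret does not."""
    attrs = [(USER_NAME, b"alice"),
             (USER_PASSWORD, hide_user_password(b"s3cret", SECRET, REQUEST_AUTH)),
             (NAS_IP_ADDRESS, bytes([10, 1, 1, 1]))]
    request = build_radius(ACCESS_REQUEST, 7, REQUEST_AUTH, attrs)
    ident = parse_radius(request)[1]
    reply_attrs = [(FRAMED_IP_ADDRESS, bytes([10, 1, 2, 30]))]
    genuine = build_reply(ACCESS_ACCEPT, ident, REQUEST_AUTH, reply_attrs, SECRET)
    forged = build_reply(ACCESS_ACCEPT, ident, REQUEST_AUTH, reply_attrs, b"wrong-secret")
    return verify_reply(genuine, REQUEST_AUTH, SECRET), verify_reply(forged, REQUEST_AUTH, SECRET)
```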
431. neric endpoint devices. Class III: A communication endpoint device. The class III endpoint devices directly support end users of the IP communication system. Providing all capabilities of generic and media endpoint devices, class III endpoint devices are used directly by end users. (Field: Description) Media policy type: Unknown, Voice, Voice signaling, Guest voice, Guest voice signaling, Soft phone voice, Videoconferencing, Streaming video, or Video signaling. Unknown Policy: Indicates whether the media policy type is unknown. VLAN tagged: Indicates whether packets of the media VLAN are tagged. Media policy VlanID: ID of the media VLAN. Media policy L2 priority: Layer 2 priority. Media policy Dscp: DSCP value. HardwareRev: Hardware version of the neighbor. FirmwareRev: Firmware version of the neighbor. SoftwareRev: Software version of the neighbor. SerialNum: Serial number advertised by the neighbor. Manufacturer name: Manufacturer name advertised by the neighbor. Model name: Model name advertised by the neighbor. Asset tracking identifier: Asset ID advertised by the neighbor. This ID is used for the purpose of inventory management and asset tracking. PoE PSE power source: PSE power source type, Primary or Backup. Port PSE priority: PoE power supply priority of PSE ports: Unknown (unknown PSE priority), Critical (priority level 1), High (priority level 2), Low
432. nfiguration 408 SNMPv1 configuration 124 SNMPv2c configuration 124 SNMPv3 configuration 127 stack global parameters configuration 40 syslog configuration 61 system name configuration 50 VCT configuration 91 Web common page features 16 Web configuration backup 64 Web configuration management 64 Web configuration reset 66 Web configuration restoration 64 Web configuration save 65 Web device local user adding 86 Web device privilege level switching 88 Web device super password setting 87 Web device user management 86 Web file displaying 67 Web file download 67 Web file management 67 Web file removing 68 Web file upload 68 Web interface 7 Web interface HTTP login 6 Web interface logout 7 Web main boot file specifying 68 Web service management 314 315 Web stack configuration 39 Web user level 8 Web based NM functions 8 device information displaying device information 47 48 device management device reboot 53 diagnostic information 54 electronic label 54 software upgrade 52 DHCP configuring client's IP to MAC bindings 302 configuring DHCP relay agent advanced parameters 299 configuring snooping functions on interface 309 creating DHCP server group 300 displaying client's IP to MAC bindings 302 310 enable 299 enable snooping 309 enabling relay agent on interface 301 IP address allocation 292 293 IP address lease extension 293 message forma
433. nfiguration environment. To set up the configuration environment, connect a terminal (a PC in this example) to the console port on the switch with a console cable. A console cable is an 8-core shielded cable with a crimped RJ-45 connector at one end for connecting to the console port of the switch and a DB-9 female connector at the other end for connecting to the serial port on the console terminal. Figure 14 Console cable [figure: console cable with the main label and the A side marked]. Use a console cable to connect a terminal device to the switch as follows: 1. Plug the DB-9 female connector into the serial port of the console terminal or PC. 2. Connect the RJ-45 connector to the console port of the switch. CAUTION: Identify the mark on the console port to make sure that you are connecting to the correct port. NOTE: The serial port on a PC does not support hot swapping. When you connect a PC to a powered-on switch, connect the DB-9 connector of the console cable to the PC before connecting the RJ-45 connector to the switch. When you disconnect a PC from a powered-on switch, disconnect the DB-9 connector of the console cable from the PC after disconnecting the RJ-45 connector from the switch. Setting terminal parameters: To configure and manage the switch, you must run a terminal emulator program on the console terminal. The following are the required terminal settings: Bits per second 3
434. nfigure the voice VLAN function for ports as described in Table 50. Click Apply. Table 50 Configuration items (Item: Description). Voice VLAN port mode: Set the voice VLAN assignment mode of a port to Auto (automatic voice VLAN assignment mode) or Manual (manual voice VLAN assignment mode). Voice VLAN port state: Select Enable or Disable in the list to enable or disable the voice VLAN function on the port. Voice VLAN ID: Set the voice VLAN ID of a port when the voice VLAN port state is set to Enable. Select Ports: Select the port on the chassis front panel. You can select multiple ports to configure them in bulk. The numbers of the selected ports will be displayed in the Ports selected for voice VLAN field. NOTE: To set the voice VLAN assignment mode of a port to automatic, you must make sure that the link type of the port is trunk or hybrid and that the port does not belong to the voice VLAN. Adding OUI addresses to the OUI list: 1. Select Network > Voice VLAN from the navigation tree. 2. Click the OUI Add tab. Figure 152 Adding OUI addresses to the OUI list [screenshot: OUI Add tab; specify an OUI and click Apply to add it to the list, there can be 6 entries at most; OUI Address (example 0070-dc28-a4e9), Mask (FFFF-FF00-0000), Description (1-30 chars); items marked with an asterisk are required; existing entry 0003-6500-0000 fff-ff0
435. nfinitely. A more effective solution is to provide differentiated services for different applications through traffic control and resource allocation. In this way resources can be used more properly. During resource allocation and traffic control, the direct or indirect factors that might cause network congestion should be controlled to reduce the probability of congestion. Once congestion occurs, resource allocation should be performed according to the characteristics and demands of applications to minimize the effects of congestion. End-to-end QoS: Figure 454 End-to-end QoS model [figure: routers along an end-to-end path; each node applies traffic classification, traffic policing, congestion management, congestion avoidance and traffic shaping]. As shown in Figure 454, traffic classification, traffic policing, traffic shaping, congestion management and congestion avoidance are the foundations for a network to provide differentiated services. Mainly they implement the following functions: Traffic classification: Uses certain match criteria to organize packets with different characteristics into different classes. Traffic classification is usually applied in the inbound direction of a
436. ng DHCP and configuring advanced parameters for the DHCP relay agent. 1. From the navigation tree select Network > DHCP to enter the default DHCP Relay page. 2. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration area, as shown in Figure 274. Figure 274 DHCP relay agent configuration page [screenshot: DHCP Service Enable/Disable; Unauthorized Server Detect Enable/Disable; Dynamic Bindings Refresh Enable/Disable; Track Timer Interval Auto or Custom (1-120 seconds); Server Group list with Server Group ID and IP Address columns; Interface Config list with Interface Name and DHCP Relay State columns (Vlan-interface entries shown as Disabled); User Information]. 3. Enable DHCP service and configure advanced parameters for the DHCP relay agent as shown in Table 94. 4. Click Apply. Table 94 Configuration items (Item: Description). DHCP Service: Enable or disable global DHCP. Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks which reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of any DHCP server that
437. ng DHCP relay agent. Overview: Since the DHCP clients request IP addresses through broadcast messages, the DHCP server and clients must be on the same subnet. Through a DHCP relay agent, DHCP clients can get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, which centralizes management and reduces investment. Figure 272 shows a typical application of the DHCP relay agent. Figure 272 DHCP relay agent application [figure: DHCP clients on one subnet, a DHCP relay agent, and the DHCP server on another subnet]. The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists (see DHCP overview). For more information about DHCP packet exchange, see IP address allocation process. The following only describes steps related to the DHCP relay agent: 1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode. 2. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response. 3. The relay agent conveys the response to the client. Figure 273 DHCP relay agent operation [figure: DHCP client, DHCP relay agent and DHCP server exchanging DHCP-DISCOVER (broadcast), DHCP-OFFER, DHCP-REQUEST (broadcast) and DHCP-ACK].
438. ng Type: CoS to Queue or DSCP to Queue. Input Priority Value / Output Priority Value: Set the output priority value for an input priority value. Restore: Click Restore to display the default settings of the current priority mapping table on the page. To restore the priority mapping table to the default, click Apply. Configuring priority trust mode on a port: 1. Select QoS > Port Priority from the navigation tree. Figure 474 Configuring port priorities [screenshot: interface list with Interface Name, Priority and Trust Mode columns; GigabitEthernet1/0/1 through GigabitEthernet1/0/15 shown with priority 0 and trust mode Untrust; 28 records, 15 per page]. 2. Click the modify icon for a port. Figure 475 Modifying the port priority [screenshot: Interface Name; Priority 0; Trust Mode Untrust; Restore, Apply and Cancel buttons]. 3. Configure the port priority for a port as described in Table 162. 4. Click Apply. Table 162 Configuration items (Item: Description). Interface: Interface to be
439. ng entries: Configure. Display port priority and trust mode information: Monitor. Port Priority > Port Priority, Modify port priority and trust mode: Configure. (Function menu: Description: User level) PoE > PoE, Display PSE information and PoE interface information: Monitor. Configure a PoE interface: Configure. Configure a port: Configure. Common items on the Web pages. Buttons and icons: Table 2 Commonly used buttons and icons (Button and icon: Function). Apply: Applies the configuration on the current page. Cancel: Cancels the configuration on the current page. Refresh: Refreshes the current page. Clear: Clears all entries in a list or all statistics. Add: Adds an item. Remove / Del Selected: Removes the selected items. Select All: Selects all the entries in a list. Select None: Clears selection of all entries in a list. Next: Buffers but does not apply the configuration of the current step and enters the next configuration step. Back: Buffers but does not apply the configuration of the current step and returns to the previous configuration step. Finish: Applies the configurations of all configuration steps. Modify icon: Enters the modification page of an item so that you can modify the configurations of the item. Delete icon: Deletes the item corresponding to this icon. Page display function: The Web interface can display contents by pages, as shown in Figure 7. You can set the number of entries displayed p
440. ng leave 255 IPv6 multicast MLD snooping done 269 security ARP attack protection configuration 250 method 802 1X access control 321 MIB LLDP configuration 217 236 SNMP 111 mirroring port See port mirroring MLD snooping aging timer for dynamic port 267 basic concepts 266 configuration 266 configuring 274 configuring port functions 272 displaying MLD snooping multicast forwarding entries 2 3 done message 269 enable globally 270 enable in a VLAN 270 enabling MLD snooping globally 270 enabling MLD snooping in a VLAN 270 general query 268 how it works 268 membership report 268 protocols and standards 269 related ports 266 mode Ethernet link aggregation dynamic 206 Ethernet link aggregation dynamic mode 207 Ethernet link aggregation static 206 Ethernet link aggregation static mode 206 LLDP disable 221 LLDP Rx 221 LLDP Tx 221 LLDP TxRx 271 port security advanced mode 421 port security basic mode 421 security 802 1X EAP relay termination comparison 325 security 802 1X multicast trigger mode 324 security 802 1X unicast trigger mode 324 modifying port 144 VLAN 143 VLAN interface 152 CIST 187 common root bridge 187 CST 187 IST 187 MSTI 186 port roles 187 port states 188 region 186 region configuration 19 regional root 187 MSTI calculation 189 MST instance 186 MSTP basic concepts 185 CIST calculation 189 configuration
441. ng or [screenshot: Please select a port for traffic directing on the chassis front panel]. Configuring other actions for a traffic behavior: 1. Select QoS > Behavior from the navigation tree. 2. Click Setup to enter the page for setting a traffic behavior. Figure 467 Setting a traffic behavior [screenshot: Please select a behavior; CAR Enable/Disable with CIR (kbps, 16-1000000, must be a multiple of 16), CBS (bytes, 0-4294967294), Red action Discard/Pass, Remark IP Precedence / Dot1p / Local Precedence / DSCP; Queue EF with Max Bandwidth (kbps, 8-1000000), CBS (bytes, 32-2000000), Percent (1-100), CBS Ratio (25-500); Queue AF with Max Bandwidth (kbps, 8-1000000), Percent (1-100); WFQ (16-4096); Filter Permit; Accounting Enable; Behavior Detail]. 3. Configure other actions for a traffic behavior as described in Table 155. 4. Click Apply. Table 155 Configuration items (Item: Description). Please select a behavior: Select an existing behavior in the list. CAR Enable/Disable: Enable or disable CAR. CIR: Set the committed information rate (CIR), the average traffic rate. CBS: Set the committed burst size (CBS), the number of bytes that can be sent in each interval. This function is not supported in the current software version and is reserved for future support. Red: Set the action to perform for exceeding packets. Discard: After selecting the Red box you can select one of the follow
442. ng refresh period 48 switch CLI configuration 20 setting configuration environment 20 setting terminal parameters 21 switching MAC address table configuration 173 174 175 port isolation configuration 440 441 port management 69 5 VLAN configuration 133 145 Web device privilege level 88 syslog configuration 61 display 61 setting buffer capacity and refresh interval 63 setting log host 62 system administration basic device settings configuration 50 CLI configuration 20 configuration wizard 34 device idle timeout period configuration 50 device system name configuration 50 ping 31 7 traceroute 31 7 317 Web common page features 16 Web device configuration backup 64 Web device configuration management 64 Web device configuration reset 66 Web device configuration restoration 64 Web device configuration save 65 Web device file displaying 67 Web device file download 67 Web device file management 67 Web device file removing 68 Web device file upload 68 Web device local user adding 86 Web device main boot file specifying 68 Web device management 52 Web device privilege level switching 88 Web device super password setting 87 Web device user management 86 Web interface 7 Web interface HTTP login 6 Web interface logout 7 Web service management 314 315 Web user level 8 Web based NM functions 8 system information displaying basic system information 47
443. ng the IP address allocation: After the client receives the DHCP-ACK message, it broadcasts a gratuitous ARP packet to verify whether the IP address assigned by the server is in use. If the client receives no response within the specified time, the client uses this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again. IP address lease extension: A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend the lease duration. When half of the lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease. Depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast, confirming that the client's lease duration has been extended, or a DHCP-NAK unicast, denying the request. If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast, confirming that the client's lease duration has been extended, or a DHCP-NAK unicast, denying the request. DHCP message format: Figure 268 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size
444. ng the spanning tree topology. Topology change notification (TCN) BPDUs: Used for notifying the concerned devices of network topology changes. Configuration BPDUs contain sufficient information for the network devices to complete spanning tree calculation. Important fields in a configuration BPDU include the following: Root bridge ID: Consisting of the priority and MAC address of the root bridge. Root path cost: Cost of the path to the root bridge (denoted by the root identifier) from the transmitting bridge. Designated bridge ID: Consisting of the priority and MAC address of the designated bridge. Designated port ID: Consisting of the priority and global port number of the designated port. Message age: Age of the configuration BPDU while it propagates in the network. Max age: Maximum age of the configuration BPDU stored on a device. Hello time: Configuration BPDU transmission interval. Forward delay: Delay that STP bridges use to transit port state. The descriptions and examples in this chapter only use the following fields in the configuration BPDUs: Root bridge ID (represented by device priority), Root path cost, Designated bridge ID (represented by device priority), and Designated port ID (represented by port name). Basic concepts in STP: Root bridge: A tree network must have a root bridge. The entire network contains only one root bridge, and all the other bridges in the network are call
445. ng voice VLAN globally: 1. Select Network > Voice VLAN from the navigation tree. 2. Click the Setup tab. Figure 150 Configuring voice VLAN [screenshot: Setup tab; Voice VLAN security Enable; voice VLAN aging time 1440 minutes (5-43200, default 1440); items marked with an asterisk are required; Apply and Cancel buttons]. 3. Configure the global voice VLAN settings as described in Table 49. 4. Click Apply. Table 49 Configuration items (Item: Description). Voice VLAN security: Select Enable or Disable in the list to enable or disable the voice VLAN security mode. By default the voice VLANs operate in security mode. Voice VLAN aging time: Set the voice VLAN aging timer. The voice VLAN aging timer setting only applies to a port in automatic voice VLAN assignment mode. The voice VLAN aging timer starts as soon as the port is assigned to the voice VLAN. If no voice packet has been received before the timer expires, the port is removed from the voice VLAN. Configuring voice VLAN on ports: 1. Select Network > Voice VLAN from the navigation tree. 2. Click the Port Setup tab. Figure 151 Configuring voice VLAN on ports [screenshot: Port Setup tab; Voice VLAN port mode No Change; Voice VLAN port state No Change; Voice VLAN ID (2-4094); items marked with an asterisk are required; Select ports, Select All, Select None, Ports selected for voice VLAN; Apply and Cancel buttons]. Co
446. ng works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients, called DHCP snooping entries, for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent. Overview: DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers. Trusted: A trusted port can forward DHCP messages correctly to make sure the clients get IP addresses from authorized DHCP servers. Untrusted: An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses. DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN. The DHCP snooping entries can be used by ARP detection to prevent ARP attacks. For more information about ARP detection, see Configuring ARP attack protection. Application of trusted ports: Configure ports facing the DHCP server as trusted ports and configure other ports as untrusted ports. As shown in Figure 283, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwa
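The relay agent's giaddr step from the DHCP relay overview (item 437) and the trusted/untrusted port logic and binding table from the DHCP snooping overview above, in one runnable model that shares a small DHCP message parser. This is an added example, not the switch's code; the RFC 2131 fixed header and option 53 are used, and the ports, VLAN, MAC and addresses are constructed.

```python
"""DHCP relay giaddr handling and DHCP snooping on trusted and untrusted ports,
added as an example that is not the switch's code.  It serves both the relay
operation (step 1: stamp giaddr) and the snooping overview (drop server replies
on untrusted ports; build IP-to-MAC bindings from REQUEST and ACK).  Messages
use the RFC 2131 fixed header plus option 53; ports, VLANs, MACs and addresses
are constructed for the example.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # option 53 message types
MAGIC = b"\x63\x82\x53\x63"
FIXED_LEN = 236                                # header up to the magic cookie


def build_dhcp(op: int, xid: int, msg_type: int, mac: bytes,
               yiaddr: str = "0.0.0.0", giaddr: str = "0.0.0.0") -> bytes:
    """Minimal DHCP message: fixed header, magic cookie, option 53, end option."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0, b"\0" * 4, IPv4Address(yiaddr).packed,
                        b"\0" * 4, IPv4Address(giaddr).packed, mac.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt: bytes) -> dict:
    """Extract op, xid, yiaddr, giaddr, client MAC and the option-53 message type."""
    if len(pkt) < FIXED_LEN + 4 or pkt[FIXED_LEN:FIXED_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    msg = {"op": pkt[0], "xid": struct.unpack("!I", pkt[4:8])[0],
           "yiaddr": str(IPv4Address(pkt[16:20])), "giaddr": str(IPv4Address(pkt[24:28])),
           "mac": pkt[28:28 + hlen], "type": None}
    pos = FIXED_LEN + 4
    while pos < len(pkt) and pkt[pos] != 255:   # walk TLV options to the end option
        if pkt[pos] == 0:                        # pad option has no length byte
            pos += 1
            continue
        code, length = pkt[pos], pkt[pos + 1]
        if code == 53 and length == 1:
            msg["type"] = pkt[pos + 2]
        pos += 2 + length
    return msg


def relay_to_server(pkt: bytes, relay_ip: str) -> bytes:
    """Relay step 1: fill giaddr with the relay agent's own address so the server
    can pick the client's subnet.  RFC 2131 keeps a giaddr an earlier relay set."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREQUEST:
        raise ValueError("only client messages are relayed toward the server")
    if msg["giaddr"] != "0.0.0.0":
        return pkt
    return pkt[:24] + IPv4Address(relay_ip).packed + pkt[28:]


class DhcpSnooper:
    """Trusted ports face the authorized server; everything else is untrusted."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending: Dict[int, Tuple[bytes, int, int]] = {}   # xid -> (mac, port, vlan)
        self.bindings: Dict[bytes, Tuple[str, int, int]] = {}  # mac -> (ip, port, vlan)

    def process(self, port: int, vlan: int, pkt: bytes) -> Tuple[str, str]:
        msg = parse_dhcp(pkt)
        if msg["type"] in (OFFER, ACK) and port not in self.trusted:
            return "drop", "server reply received on untrusted port"
        if msg["type"] == REQUEST:
            # Remember where the client asked from; the ACK arrives on the server port.
            self.pending[msg["xid"]] = (msg["mac"], port, vlan)
        elif msg["type"] == ACK:
            req = self.pending.pop(msg["xid"], None)
            if req is not None and req[0] == msg["mac"]:
                self.bindings[msg["mac"]] = (msg["yiaddr"], req[1], req[2])
        return "forward", "ok"


def demo() -> Tuple[list, dict]:
    """Client on port 3 / VLAN 10, rogue server on port 5, real server on trusted port 1."""
    snoop = DhcpSnooper(trusted_ports={1})
    mac = bytes.fromhex("0a1b2c3d4e5f")                     # constructed client MAC
    request = build_dhcp(BOOTREQUEST, 0x1234, REQUEST, mac)
    rogue_offer = build_dhcp(BOOTREPLY, 0x1234, OFFER, mac, yiaddr="10.9.9.9")
    real_ack = build_dhcp(BOOTREPLY, 0x1234, ACK, mac, yiaddr="10.1.2.30")
    verdicts = [snoop.process(3, 10, request)[0],
                snoop.process(5, 10, rogue_offer)[0],
                snoop.process(1, 10, real_ack)[0]]
    return verdicts, snoop.bindings
```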
447. ngs on the upper part of the page as described in Table 33. Click Apply. Table 33 Configuration items (Item: Description). SNMP: Specify to enable or disable the SNMP agent. Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid. Maximum Packet Size: Configure the maximum size of an SNMP packet that the agent can receive or send. Contact: Set a character string to describe contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device. Location: Set a character string to describe the physical location of the device. SNMP Version: Set the SNMP version run by the system. Configuring an SNMP view. Creating an SNMP view: 1. Select Device > SNMP from the navigation tree. 2. Click the View tab. The View tab appears. Figure 102 View tab [screenshot: view list with View Name, Rule, MIB Subtree OID and Subtree Mask columns; ViewDefault Included 1; ViewDefault Excluded 1.3.6.1.6.3.15; ViewDefault Excluded 1.3.6.1.6.3.16; ViewDefault Excluded 1.3.6.1.6.3.18; ViewDefault Excluded 1.3.6.1.4.1.25506.2.111; Add button]. 3. Click Add. The Add Vi
448. ns: Disable Port Temporarily: Disables the port for a period of time. The period can be configured in the global settings. For more information, see Configuring global settings for port security. Disable Port Permanently: Disables the port permanently upon detecting an illegal frame received on the port. The port does not come up unless you bring it up manually. Block MAC: Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards the frames. All subsequent frames sourced from a blocked source MAC address will be dropped. A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed. Specifies whether to enable the outbound traffic control and selects a control method. Available control methods: Only MAC Known Unicasts: Allows only unicast frames with their destination MAC addresses being authenticated to pass through. Only Broadcasts and MAC Known Unicasts: Allows only broadcast and unicast packets with their destination MAC addresses being authenticated to pass through. Only Broadcasts, Multicasts and MAC Known Unicasts: Allows only broadcast, multicast and unicast packets with their destination MAC addresses being authenticated to pass through. Specifies whether to configure the port to ignore the authorization information from the authentication server. The authorization information is delivered by the
449. nt Type: Trap: The system sends a trap in the community name of null. If you select both Log and Trap, the system logs the event and sends a trap. If neither is selected, the system takes no action. Configuring an alarm entry: 1. Select Device > RMON from the navigation tree. 2. Click the Alarm tab. Figure 86 Alarm entry [screenshot: alarm list with Index, Interval (sec), Static Item, Interface Name, Sample Type, Current Sampling Value, Rising Threshold, Falling Threshold, Rising Event Index, Falling Event Index, Owner, Status and Operation columns; one entry: index 1, interval 10000, Number of Packet Discarding Events, GigabitEthernet1/0/1, Absolute, current value 0, rising threshold 10000000, falling threshold 100, rising event 1, falling event 1, owner user1, Active; Add and Del Selected buttons]. 3. Click Add. Figure 87 Adding an alarm entry [screenshot: Add an Alarm Group; Alarm Variable: Static Item Number of Packet Discarding Events, Interface Name GigabitEthernet1/0/1; Sample Item: Interval (5-65535 seconds), Sample Type Absolute, Owner (1-127 chars); Alarm: Create Default Event, Rising Threshold (0-2147483647), Rising Event 1, Falling Threshold (0-2147483647), Falling Event 1; before creating an alarm, create the statistic and event first; items marked with an asterisk are required; Apply and Cancel buttons]. 4. Configure an alarm entry as described in Table 27. 5. Click Apply. Table 27 Configuration items (Item: Description). Alarm variable: Set the traffic statistic
450. nter expert again to confirm the key. e. Click Apply. The RADIUS scheme configuration page refreshes. The added servers appear in the server list. Figure 356 RADIUS accounting server configuration page [screenshot: Add RADIUS Server; Server Type Primary Accounting; IP Address IPv4 10.110.91.146; Port (1-65535, default 1813); Key and Confirm Key (1-64 chars); Apply and Cancel buttons]. 5. Click Apply. Figure 357 RADIUS scheme configuration [screenshot: Add RADIUS Scheme; Scheme Name system (1-32 chars); Common Configuration: Server Type Extended, Username Format Without domain name; RADIUS Server Configuration: Primary Authentication 10.110.91.146, Primary Accounting 10.110.91.146; items marked with an asterisk are required]. Configuring AAA: 1. Select Authentication > AAA in the navigation tree. The domain setup page appears. 2. On the domain setup page, configure a domain: a. Enter test for Domain Name. b. Click Enable to use the domain as the default domain. c. Click Apply. Figure 358 Creating an ISP domain [screenshot: Domain Setup tab; Domain Name test (1-24 chars); Default Domain Enable; Apply button; list of ISP domains with Domain Name and Default Domain columns]. 3. Select the Authentication tab to configure the authentication scheme: a. Select the domain name test. b. Select Default Auth
451. nterface as shown in Table 96.
4. Click Apply.
Table 96 Configuration items
Item | Description
Interface Name | This field displays the name of a specific interface.
DHCP Relay | Enable or disable the DHCP relay agent on the interface.
Address Match Check | Enable or disable IP address check. With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent. If not, the client cannot access outside networks through the DHCP relay agent. This prevents invalid IP address configuration.
Server Group ID | Correlate the interface with a DHCP server group. A DHCP server group can be correlated with multiple interfaces. 301
Configuring and displaying clients' IP-to-MAC bindings
1. From the navigation tree, select Network > DHCP to enter the default DHCP Relay page shown in Figure 274.
2. In the User Information area, click User Information to view static and dynamic bindings, as shown in Figure 277.
Figure 277 Displaying clients' IP-to-MAC bindings (screenshot: binding list with IP Address, MAC Address, Type, Interface Name and Operation columns, showing one static binding on a VLAN interface, plus Add, Return, Refresh and Reset buttons)
3. Click Add to enter the page as shown in Figure 278.
Figure 278 Creating a static IP-to-MAC binding (screenshot; items marked with an asterisk are required)
4. Configure the static
452. ntity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. 326
The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry and sends the challenge in a RADIUS Access-Challenge packet to the network access device.
The network access device relays the EAP-Request/MD5 Challenge packet in a RADIUS Access-Request packet to the client.
The client uses the received challenge to encrypt the password and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the network access device.
The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS Access-Request packet to the authentication server.
The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.
Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client and sets the controlled port in the authorized state, so the client can access the network.
After the client comes online, the network access device periodically sends handshake requests to check whet
453. nutes 53 seconds
Table 8 Field description
Item | Description
Product Information | Description for the device.
Device Location | Device location, which you can configure on the page you enter by selecting Device > SNMP > Setup.
Contact Information | Contact information, which you can configure on the page you enter by selecting Device > SNMP > Setup.
SerialNum | Serial number of the device.
Software Version | Software version of the device.
Hardware Version | Hardware version of the device.
Bootrom Version | Boot ROM version of the device.
Running Time | System up time. 47
Displaying the system resource state
The System Resource State area displays the most recent CPU usage, memory usage, and temperature.
Displaying recent system logs
Table 9 Field description
Field | Description
Time | Time when the system logs were generated.
Level | Severity of the system logs.
Description | Description for the system logs.
The System Information page displays up to five of the most recent system logs. To display more system logs, click More to enter the Log List page. You can also enter this page by selecting Device > Syslog. For more information, see Configuring syslog.
Setting the refresh period
To set the interval for refreshing system information, select one of the following options from the Refresh Period list:
• If you select a certain period, the system refreshes system information at the specified interval.
• If you select Manual
454. o 78
Configuring port mirroring
Port mirroring refers to the process of copying the packets passing through a port, VLAN, or CPU to the monitor port connecting to a monitoring device for packet analysis.
Terminology
Mirroring source
The mirroring source can be one or more monitored ports, called source ports. The device where the ports reside is called a source device. Packets (called mirrored packets) passing through them are copied to a port connecting to a monitoring device for packet analysis.
Mirroring destination
The mirroring destination is the destination port (also known as the monitor port) of mirrored packets and connects to the data monitoring device. The device where the monitor port resides is called the destination device. The monitor port forwards the mirrored packets to its connecting monitoring device.
A monitor port might receive multiple duplicates of a packet in some cases, because it can monitor multiple mirroring sources. For example, assume that Port 1 is monitoring bidirectional traffic on Port 2 and Port 3 on the same device. If a packet travels from Port 2 to Port 3, two duplicates of the packet will be received on Port 1.
Mirroring direction
The mirroring direction indicates that the inbound, outbound, or bidirectional traffic can be copied on a mirroring source.
• Inbound: Copies packets received on a mirroring source.
• Outbound: Copies packets sent out of a mirroring source.
• Bidirectiona
455. o authentication, no privacy.
Security Level | • Auth/NoPriv: Authentication without privacy. • Auth/Priv: Authentication and privacy. IMPORTANT: For an existing SNMP group, its security level cannot be modified.
Read View | Select the read view of the SNMP group.
Write View | Select the write view of the SNMP group. If no write view is configured, the NMS cannot perform the write operations to all MIB objects on the device.
Notify View | Select the notify view (the view that can send trap messages) of the SNMP group. If no notify view is configured, the agent does not send traps to the NMS.
ACL | Associate a basic ACL with the group to restrict the source IP address of SNMP packets. To restrict the intercommunication between the NMS and the agent, you can allow or prohibit SNMP packets with a specific source IP address. 119
Configuring an SNMP user
1. Select Device > SNMP from the navigation tree.
2. Click the User tab. The User tab appears.
Figure 110 SNMP user (screenshot: User tab listing users with User Name, Group Name, Authentication Mode, Privacy Mode, ACL and Operation columns, plus Add and Delete Selected buttons)
3. Click Add. The Add SNMP User page appears.
Figure 111 Creating an SNMP user (screenshot: Add SNMP User page with User Name, Security Level, Group Name, Authentication Mode and Authentication Password fields)
Authentication Passwor
456. o configure rules.
Rule ID | Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule.
Operation | Select the operation to be performed for IPv6 packets matching the rule. • Permit: Allows matched packets to pass. • Deny: Drops matched packets. 464
Item | Description
Check Fragment | Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments.
Check Logging | Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address, source/destination port number, and number of matched packets. This function is not supported.
IP Address Filter: Source IP Address, Source Prefix | Select the Source IP Address box and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexad
Other items in this table: Destination IP Address, Destination Prefix; Protocol; Named ICMPv6 Type, ICMPv6 Type, ICMPv6 Code; TCP/UDP Port (Operator, Source Port, To Port; Operator, Destination Port, To Port); Time Range.
457. o devices that have passed authentication or whose MAC addresses have been learned or configured on the access device.
Intrusion protection
The intrusion protection feature checks the source MAC addresses in inbound frames for illegal frames and takes a predefined action on each detected illegal frame. The action can be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for 3 minutes (not user configurable).
Port security traps
You can configure the port security module to send traps for port security events such as login, logoff, and MAC authentication. These traps help you monitor user behaviors.
Port security modes
Port security supports the following categories of security modes: 421
Basic mode
In this mode, a port can learn the specified number of MAC addresses and save those addresses as secure MAC addresses. It permits only frames whose source MAC addresses are secure MAC addresses or configured static MAC addresses. When the number of secure MAC addresses reaches the upper limit, no more secure MAC addresses can be added.
Advanced mode
Port security supports 802.1X and MAC authentication. Different port security modes represent different combinations of the two methods. Table 127 describes the advanced security modes.
Table 127 Advanced security modes
Advanced mode | Description
MAC Auth | A port performs MAC authentication for users. It services multiple use
458. o example
Set the revision level to 0.
Select Manual.
Select 1 from the Instance ID list.
Set the VLAN ID to 10.
Click Apply. The system maps VLAN 10 to MSTI 1 and adds the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list.
i. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3, and add the VLAN-to-instance mapping entries to the VLAN-to-instance mapping list. 200
Click Activate.
Figure 185 Configuring an MST region (screenshot: Region tab with Revision Level (default 0), Manual and Modulo options, Instance ID, VLAN Mapped, and Apply, Remove, Activate and Cancel buttons)
Configure MSTP globally:
From the navigation tree, select Network > MSTP.
Click the Global tab.
Select Enable from the Enable STP Globally list.
Select MSTP from the Mode list.
Select the box before Instance.
Set the Instance ID field to 1.
Set the Root Type field to Primary.
Click Apply. 201
Figure 186 Configuring MSTP globally on Switch A (screenshot: Global tab with Enable STP Globally, Mode MSTP, Max Hops, Path Cost Standard Legacy, Bridge Diameter, timers in centiseconds (Forward Delay, Hello Time, Max Age, each a multiple of 100), and Instance ID, Root Type and Bridge Priority fields)
459. o support tagged voice traffic
Port link type | Voice VLAN assignment mode supported for tagged voice traffic | Configuration requirements
Access | Manual | Configure the PVID of the port as the voice VLAN.
Trunk | Automatic and manual | In automatic mode, the PVID of the port cannot be the voice VLAN. In manual mode, configure the port to permit packets of the voice VLAN to pass through.
Hybrid | Automatic and manual | In automatic mode, the PVID of the port cannot be the voice VLAN. In manual mode, configure the port to permit packets of the voice VLAN to pass through tagged.
• IP phones send untagged voice traffic
When IP phones send untagged voice traffic, you can only configure the voice traffic receiving ports on the device to operate in manual voice VLAN assignment mode.
Table 47 Required configurations on ports of different link types for them to support tagged voice traffic
Port link type | Voice VLAN assignment mode supported for untagged voice traffic | Configuration requirements
Access | Manual | Configure the PVID of the port as the voice VLAN.
Trunk | Manual | Configure the PVID of the port as the voice VLAN and assign the port to the voice VLAN.
Hybrid | Manual | Configure the PVID of the port as the voice VLAN and configure the port to permit packets of the voice VLAN to pass through untagged.
NOTE:
• If an IP phone sends tagged voice traffic and its access port is configured with 802.1X authentication and guest VLAN, you must assign different V
460. o the MLD querier for the following purposes:
• Responds to queries if the host is an IPv6 multicast group member.
• Applies for an IPv6 multicast group membership.
After receiving an MLD report, the switch forwards it through all the router ports in the VLAN and resolves the address of the reported IPv6 multicast group. The switch also performs one of the following actions:
• If no forwarding entry matches the IPv6 group address, the switch creates a forwarding entry for the group, adds the receiving port as a dynamic member port to the forwarding entry, and starts an aging timer for the port.
• If a forwarding entry matches the IPv6 group address but the receiving port is not in the forwarding entry for the group, the switch adds the port as a dynamic member port to the forwarding entry and starts an aging timer for the port.
• If a forwarding entry matches the IPv6 group address and the receiving port is in the forwarding entry for the group, the switch resets the aging timer for the port.
A switch does not forward an MLD report through a non-router port. If the switch forwards a report through a member port, the MLD report suppression mechanism causes all attached hosts that monitor 268 the reported IPv6 multicast group address to suppress their own reports. In this case, the switch cannot determine whether the reported IPv6 multicast group still has active members attached to that port.
Done message
When a host leaves an IPv6 multica
461. ocal Information
Global LLDP local information:
Chassis ID 0000 2013 1524
System name HP1920
System description 1920 24G Switch Software Version 5 20 99 Alpha 1101 Copyright c 2010 2014 Hewlett Packard Development Company L P
System capabilities supported Bridge Router
System capabilities enabled Bridge Router
MED information
Device class Connectivity device
MED inventory information of master board
HardwareRev REV A
Statistic Information
LLDP statistics global information
LLDP neighbor information last change time 0 days 0 hours 0 minutes 19 seconds
The number of LLDP neighbor information inserted 1
The number of LLDP neighbor information deleted 0
The number of LLDP neighbor information dropped 0
The number of LLDP neighbor information aged out 0
Table 79 Field description
Field | Description
Chassis ID | Local chassis ID, depending on the chassis type defined.
System capabilities supported | Capabilities supported on the system: • Repeater • Bridge • Router
System capabilities enabled | Capabilities enabled on the system: • Repeater • Bridge • Router
MED device class | • Connectivity device: An intermediate device that provides network connectivity. • Class I: A generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category. • Class II: A media endpoint device. The class II endpoint devices support the media stream capabilities
462. ocal from the list. 409
Figure 392 Configuring the authentication method for the ISP domain (screenshot: Authentication tab for ISP domain aabbcc.net, Default AuthN Local and LAN access AuthN Local; Login, PPP and Portal AuthN not set)
6. Click Apply. A configuration progress dialog box appears, as shown in Figure 393.
Figure 393 Configuration progress dialog box (screenshot: Current Configuration, Setting LAN access AuthN, OK)
7. After the configuration process is complete, click Close.
Configuring MAC authentication
1. Configure MAC authentication globally:
a. From the navigation tree, select Authentication > MAC Authentication.
Select Enable MAC Authentication.
Click Advanced and configure advanced MAC authentication:
Set the offline detection period to 180 seconds.
Set the quiet timer to 180 seconds.
Select aabbcc.net from the Authentication ISP Domain list.
Select MAC with hyphen from the Authentication Information Format area.
Click Apply. 410
Figure 394 Configuring MAC authentication globally (screenshot: MAC Authentication Configuration with Enable MAC Authentication selected; Advanced settings Offline Detection Period 180 seconds (60 to 2147483647, default 300), Quiet Time 180 seconds (1 to 3600, default 60), Server Timeout Time 100 seconds (100
463. of a nonexistent VLAN VLAN IDs.
• When you configure an access port as a tagged member of a VLAN, or configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed into hybrid.
• You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing static VLAN.
VLAN configuration example
Network requirements
As shown in Figure 140, trunk port GigabitEthernet 1/0/1 of Switch A is connected to trunk port GigabitEthernet 1/0/1 of Switch B. Configure the PVID of GigabitEthernet 1/0/1 as VLAN 100, and configure GigabitEthernet 1/0/1 to permit packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
Figure 140 Network diagram (GE1/0/1 of Switch A connected to GE1/0/1 of Switch B)
Configuring Switch A
1. Configure GigabitEthernet 1/0/1 as a trunk port and configure VLAN 100 as the PVID:
a. From the navigation tree, select Device > Port Management.
b. Click Setup to enter the page for setting ports.
c. Select Trunk in the Link Type list, select the PVID box, and then enter PVID 100.
d. Select GigabitEthernet 1/0/1 on the chassis front device panel.
e. Click Apply. 145
Figure 141 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 (screenshot: Setup tab, Basic Configuration with Port State, Speed and Duplex set to No Change, Link Type Trunk, PVID 100 (1 to 4094), Description (1 to 80 characters), Advanced Configurat
464. of each field in bytes.
Figure 268 DHCP message format (field layout; the sizes that survive here are file 128 and options variable)
• op: Message type defined in option field. 1 = REQUEST, 2 = REPLY.
• htype, hlen: Hardware address type and length of the DHCP client.
• hops: Number of relay agents a request message traveled.
• xid: Transaction ID, a random number chosen by the client to identify an IP address allocation.
• secs: Filled in by the client, the number of seconds elapsed since the client began address acquisition or renewal process. This field is reserved and set to 0.
• flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast. If this flag is set to 1, the DHCP server sent a reply back by broadcast. The remaining bits of the flags field are reserved for future use.
• ciaddr: Client IP address if the client has an IP address that is valid and usable. Otherwise, it is set to zero. The client does not use this field to request a specific IP address to lease.
• yiaddr: 'Your' (client) IP address assigned by the server.
• siaddr: Server IP address from which the client obtained configuration parameters.
• giaddr: Gateway IP address of the first relay agent a request message traveled.
• chaddr: Client hardware address.
• sname: Server host name from which the client obtained configuration parameters.
• file: Bootfile name and path information defined by the serv
465. of the MAC addresses 1234-0200-0000 and 1234-0300-0000. 439
Configuring port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another.
The switch supports only one isolation group, which is automatically created as isolation group 1. You cannot remove the isolation group or create other isolation groups on the device. The number of ports assigned to the isolation group is not limited.
Within the same VLAN, ports in an isolation group can communicate with those outside the isolation group at Layer 2.
Configuring the isolation group
1. Select Security > Port Isolate Group from the navigation tree.
2. Click the Port Setup tab.
Figure 435 Configuring the port isolation group (screenshot: Port Setup tab with Config type (Isolated port or Uplink port), a port selection panel, Select All, Select None, and Apply)
3. Configure the port isolation group as described in Table 132.
4. Click Apply.
Table 132 Configuration items
Item | Description
Config type | Specify the role of the ports to be assigned to the isolation group. • Isolated port: Assign the ports to the isolation group as isolated ports. • Uplink port: Assign the port to the isolation group as the uplink port. The switch does not support the Uplink port config type.
Select port(s) | Select the ports you want to assign to the isolation
466. omain test. Configure the shared key as name for packets between the access device and the authentication server, and the shared key as money for packets between the access device and the accounting server. Exclude the ISP domain name from the username sent to the RADIUS servers. Specify the device to try up to 5 times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real-time accounting packets to the accounting server every 15 minutes.
Figure 311 Network diagram (addresses shown: Vlan-int2 10.1.1.1/8 on the authenticator switch, supplicant 10.1.1.2 attached to GE1/0/1 of the switch, RADIUS server cluster 1.1.1.10/24 as the authentication servers)
Configuring IP addresses
Assign an IP address to each interface, as shown in Figure 311. Make sure the supplicant, switch, and servers can reach each other. (Details not shown.)
Configuring the RADIUS servers
For more information about the RADIUS configuration, see Configuring RADIUS.
Configuring 802.1X for the switch
1. Configure global 802.1X:
a. From the navigation tree, select Authentication > 802.1X.
b. Select Enable 802.1X, select the authentication method as CHAP, and click Apply.
Figure 312 Configuring 802.1X globally (screenshot: 802.1X Configuration with Enable 802.1X, Authentication Method CHAP, Advanced and Apply; below it, the Ports With 802.1X Enabled list with columns including Port, Port Control, Handshake, Guest VLAN and Auth-Fail VLAN) Autho
467. on
1. From the navigation tree, select Network > Diagnostic Tools.
2. Click the Trace Route tab. The traceroute configuration page appears.
Figure 296 Traceroute configuration page (screenshot: Ping and Trace Route tabs, a Destination IP address or host name field, Start button, and Summary area) 319
3. Enter the IP address or host name of the destination device in the Trace Route field.
4. Click Start.
5. View the output in the Summary area.
Figure 297 Traceroute operation result
traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 40 bytes packet
1 192.168.2.1 1 ms <1 ms 1 ms 320
Configuring 802.1X
802.1X overview
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of WLANs. It has been widely used on Ethernet for access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (for example, a WLAN) that requires different authentication methods for different users on a port. For more information, see Configuring port security.
802.1X architecture
802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the network access device (the authenticator), and the authentication
468. on 368
security 802.1X EAP over RADIUS 323
security 802.1X RADIUS EAP-Message attribute 324
security 802.1X RADIUS Message-Authentication attribute 324
security and authentication mechanisms 364
security MAC authentication 404
server configuration 373
rate: rate limit 473; rate limit working mechanism 474
rebooting device 53
receiving LLDP frames 222
region: MST 186; MST region configuration 191; MST regional root 187
relay agent: DHCP configuration 297, 298, 303; DHCP Option 82 295; DHCP overview 292; DHCP snooping configuration 306, 308; enabling DHCP relay agent on interface 301
Remote Authorization Dial-In User Service. Use RADIUS
Remote Network Monitoring. Use RMON
removing: IP services ARP entry 245; Web device file 68
reporting: IGMP snooping membership 254; MLD snooping membership 268
resetting Web device configuration 66
restoring Web device configuration 64
restrictions: NMM port mirroring configuration 80; Web interface login 2
RMON: alarm function configuration 95; alarm group 94; configuration 93, 105; Ethernet statistics group 93; event group 94; group 93; history group 94; running status displaying 96; statistics function configuration 95
RMON event logs displaying 104
RMON history sampling information displaying 103
RMON statistics displaying 101
root: MST common root bridge 187; MST regional root 187; MST root port role 187; STP algorithm calculation 179; STP root bridge
469. on. Its padding formats vary with vendors. By default, the normal padding format is used on the device. You can specify the code type for the sub-options as ASCII or HEX. The padding contents for sub-options in the normal padding format are as follows:
• Sub-option 1: Padded with the VLAN ID and interface number of the interface that received the client's request. The following figure gives its format. The value of the sub-option type is 1, and that of the circuit ID type is 0.
Figure 270 Sub-option 1 in normal padding format (bit positions 0, 7, 15, 23, 31): Sub-option type (0x01) | Length (0x06) | Circuit ID type (0x00) | Length (0x04) | VLAN ID | Interface number
• Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0.
Figure 271 Sub-option 2 in normal padding format (bit positions 0, 7, 15, 23, 31): Sub-option type (0x02) | Length (0x08) | Remote ID type (0x00) | Length (0x06) | MAC address
Protocols and standards
• RFC 2131, Dynamic Host Configuration Protocol
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4 296
Configuri
470. on Accounting Authorization Configuration of AAA (screenshot residue of the Authentication tab: ISP domain system, Default Auth RADIUS with Name; LAN access, Login, PPP and Portal Auth and Command Authz not set)
e. When the configuration process is complete, click Close.
3. Configure AAA accounting method:
a. Click the Accounting tab.
b. Select the ISP domain system.
c. Select Default Accounting, select the accounting method RADIUS from the list, and select the accounting scheme system from the Name list.
d. Click Apply.
Figure 431 Configuring AAA accounting (screenshot: Accounting tab for ISP domain system, Default Accounting RADIUS with Name system; LAN access, Login, PPP and Portal accounting not set)
e. When the configuration process is complete, click Close.
Configuring port security
1. Enable port security:
a. From the navigation tree, select Authentication > Port Security.
b. Select Enable Port Security.
c. Click Apply. 437
Figure 432 Configuring global port security settings (screenshot: Port Security Configuration with Enable Port Security, Advanced and Apply; Security Ports And Secure MAC Address List
471. on at the specified interval.
• If you select Manual, the system refreshes device information only when you click the Refresh button. 49
Configuring basic device settings
The device basic information feature provides the following functions:
• Set the system name of the device. The configured system name is displayed on the top of the navigation bar.
• Set the idle timeout period for logged-in users. The system logs an idle user off the Web for security purposes after the configured period.
Configuring system name
1. Select Device > Basic from the navigation tree. The system name configuration page appears.
Figure 38 Configuring the system name (screenshot: System Name tab with Sysname HP (1 to 30 characters); items marked with an asterisk are required; Apply)
2. Enter the system name.
3. Click Apply.
Configuring idle timeout period
1. Select Device > Basic from the navigation tree.
2. Click the Web Idle Timeout tab. The page for configuring idle timeout period appears.
Figure 39 Configuring the idle timeout period (screenshot: Web Idle Timeout tab with Idle timeout 10 minutes (1 to 999, default 10); items marked with an asterisk are required; Apply) 50
3. Set the idle timeout period for logged-in users.
4. Click Apply. 51
Maintaining devices
Software upgrade
CAUTION: Software upgrade takes some time. Avoid performing any operation on the Web interface during the upgrading procedu
472. onfiguration 352, 359; AAA ISP domain authorization methods configuration 356; security 802.1X port authorization status 322
auto DHCP automatic address allocation 292
automatic ACL automatic rule numbering 451, 451
B
backing up Web device configuration 64
backup port MST 187
bandwidth QoS policy configuration 466
basic: port security basic mode 421; port security basic mode configuration 430
basic ACLs 450
basic management LLDPDU TLV types 218
bidirectional NMM port mirroring 79
blackhole entry MAC address table 174
boundary port MST 187
BPDU STP BPDU forwarding 184
bridge: MST common root bridge 187, 187; MST regional root 187; STP designated bridge 178; STP root bridge 178
buttons on webpage 16
C
cable status testing 91
calculating: MSTI calculation 189; MSTP CIST calculation 189; STP algorithm 179
category: ACL advanced 450; ACL auto match order sort 450; ACL basic 450; ACL config match order sort 450; ACL Ethernet frame header 450 508
choosing: Ethernet link aggregation selected state 205; Ethernet link aggregation unselected state 205
CIST: calculation 189; network device connection 187
class: Ethernet link aggregation port configuration 206
class two: Ethernet link aggregation MAC address learning configuration class 206; Ethernet link aggregation port isolation configuration class 206; Ethernet link aggregation VLAN configuration class 206
CLI commands 24
c
473. onfiguration items
Item | Description
Select VLAN Interface | Select the VLAN interface to be configured. The VLAN interfaces available for selection in the list are those created on the page for creating VLAN interfaces. 153
Item | Description
Modify IPv4 Address: DHCP, BOOTP, Manual | Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to get an IP address automatically by selecting the DHCP or BOOTP option, or manually assign the VLAN interface an IP address by selecting the Manual option. In the latter case, you must set the mask length or enter a mask in dotted decimal notation format.
Admin Status | Select Up or Down from the Admin Status list to bring up or shut down the selected VLAN interface. When the VLAN interface fails, shut down and then bring up the VLAN interface, which might restore the VLAN interface. By default, a VLAN interface is down if all Ethernet ports in the VLAN are down; otherwise, the VLAN interface is up. When you set the admin status, follow these guidelines: • The current VLAN interface state in the Modify IPv4 Address and Modify IPv6 Address frames changes as the VLAN interface state is modified in the Admin Status list. • The state of each port in the VLAN is independent of the VLAN interface state.
Modify IPv6 Address: Auto, Manual | Configure the way in which the VLAN interface gets an IPv6 link-local address. Select the Auto or Manual option. • Auto: The device automaticall
474. onfigure a correct system time so that the device can operate correctly with other devices. The system time module allows you to display and set the device system time on the Web interface. You can set the system time through manual configuration or network time protocol (NTP) automatic synchronization.
Defined in RFC 1305, NTP synchronizes timekeeping among distributed time servers and clients. NTP can keep consistent timekeeping among all clock-dependent devices within the network and ensure a high clock precision, so that the devices can provide diverse applications based on consistent time.
Displaying the current system time
To view the current system date and time, select Device > System Time from the navigation tree to enter the System Time page.
Figure 45 System time configuration page (screenshot: System Time and Network Time Protocol tabs; System Time Configuration showing 2013-06-25 08:56:19; Apply)
Manually configuring the system time
1. Select Device > System Time from the navigation tree. The page for configuring the system time appears.
2. Click the System Time Configuration text to open a calendar. 56
Figure 46 Calendar page (screenshot: calendar showing 2013-07-04 13:45:10 with Mon through Sat day headers)
3. Enter the system date and time in the Time field, or select the date and time in the calendar. To set the time on the calendar page, select one of the following methods:
◦ Click Today. The date setting in the calendar is synchronized
475. onfiguration 20 getting started 20 logging in 24 client DHCP snooping Option 82 support 308 security 802.1X authentication 325 security 802.1X authentication access device initiated 324 security 802.1X authentication client initiated 324 security 802.1X authentication configuration 336 security 802.1X authentication initiation 324 security 802.1X configuration 321 332 security 802.1X configuration global 332 security 802.1X configuration port-specific 333 commands CLI 24 common DHCP options 295 common root bridge 187 comparing security 802.1X EAP relay termination authentication modes 325 configuration guideline LLDP 241 static routing 291 configuration guidelines ACL 452 QoS 476 configuration wizard basic service setup 34 configuring 509 802.1X ACL assignment 343 802.1X Auth-Fail VLAN 336 802.1X guest VLAN 335 AAA 352 359 AAA accounting methods for ISP domain 357 AAA authentication methods for ISP domain 355 AAA authorization methods for ISP domain 356 AAA ISP domain 354 ACL 489 ACL Ethernet frame header 459 ACL time range 453 ACLs 450 advanced IPv4 ACL 456 advanced IPv6 ACL 463 alarm entry 100 ARP 242 ARP static 246 Auth-Fail VLAN 802.1X 330 authorized IP 443 444 basic device settings 50 basic IPv4 ACL 455 basic IPv6 ACL 462 client's IP-to-MAC bindings 302 DHCP relay agent 297 298 303 DHCP relay agent advanced param
476. ontrols and plug-ins Script ActiveX controls marked safe for scripting and Active scripting Figure 2 Internet Explorer settings 2 Security Settings Settings Disable Enable Active scripting Disable 5 Click OK to save your settings Enabling JavaScript in a Firefox browser 1 Launch the Firefox browser and select Tools > Options 2 In the Options dialog box click the Content icon and select Enable JavaScript 3 Others Figure 3 Firefox browser settings Main Tabs Content Applications Privacy Security Advanced Options Block pop-up windows Exceptions Load images automatically Exceptions Enable JavaScript Advanced Enable Java Fonts & Colors Default Font Times New Size 16 Colors Languages Choose your preferred language for displaying pages Choose Click OK to save your settings The Web interface does not support the Back Next and Refresh buttons provided by the browser Using these buttons might result in abnormal display of Web pages To ensure correct display of Web page contents after software upgrade or downgrade clear data cached by the browser before you log in If you click the verification code displayed on the Web login page you can get a new verification code Up to five users can concurrently log in to the device through the Web interface A list can contain a maximum of 20000 entries
477. operation parameters for a port 74 displaying basic system information 47 displaying client's IP-to-MAC bindings 302 310 displaying current system time 56 displaying device information 48 displaying global LLDP 234 displaying IGMP snooping multicast forwarding entries 259 displaying interface statistics 132 displaying IP services ARP entries 244 displaying LLDP for a port 229 displaying LLDP information 236 displaying MLD snooping multicast forwarding entries 2 3 displaying MSTP information on port 197 displaying PoE 500 displaying port operation parameters 73 displaying recent system logs 48 displaying RMON event logs 104 displaying RMON history sampling information 103 displaying RMON running status 96 displaying RMON statistics 101 displaying SNMP packet statistics 123 displaying specified operation parameter for all ports 73 displaying stack device summary 42 displaying stack topology summary 42 displaying syslogs 61 displaying system information 47 displaying system resource state 48 displaying Web device file 67 downloading Web device file 67 enabling DHCP 299 enabling DHCP relay agent on interface 301 enabling DHCP snooping 309 enabling IGMP snooping globally 256 enabling IGMP snooping in a VLAN 257 enabling LLDP globally 227 enabling LLDP on ports 223 enabling MLD snooping globally 270 enabling MLD snooping in a VLAN 270 enabling PSE detect nonstandard PDs
478. oping can process IGMPv1 and IGMPv2 messages but it floods IGMPv3 messages in the VLAN instead of processing them • IGMPv3 snooping can process IGMPv1 IGMPv2 and IGMPv3 messages Version IMPORTANT If you change IGMPv3 snooping to IGMPv2 snooping the system clears all IGMP snooping forwarding entries that are dynamically added 257 Item Description Querier Enable or disable the IGMP snooping querier function On an IP multicast network that runs IGMP a Layer 3 device acts as an IGMP querier to send IGMP queries and establish and maintain multicast forwarding entries ensuring correct multicast traffic forwarding at the network layer On a network without Layer 3 multicast devices IGMP querier cannot work because a Layer 2 device does not support IGMP To address this issue you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer providing IGMP querier functions Query interval Configure the IGMP query interval General Query Source IP Specify the source IP address of general queries Special Query Source IP Specify the source IP address of group-specific queries Configuring IGMP snooping port functions 1 From the navigation tree select Network > IGMP snooping 2 Click the Advanced tab Figure 231 Configuring IGMP snooping port functions Basic Port Configuration Port Please select a port VLAN ID
479. or an advanced IPv6 ACL Complete one of the tasks according to the ACL category Configuring a time range 1 Select QoS > Time Range from the navigation tree 2 Click the Add tab Figure 445 Adding a time range Summary Remove Time Range Name Chars Periodic Time Range Start Time End Time Sun Mon Tue Wed Thu Fri Sat Absolute Time Range From To Apply Summary 3 Configure a time range as described in Table 137 453 4 Click Apply Table 137 Configuration items Item Description Time Range Name Set the name for the time range Periodic Time Range Start Time Set the start time of the periodic time range End Time Set the end time of the periodic time range The end time must be greater than the start time Sun Mon Tue Wed Thu Fri Sat Select the day or days of the week on which the periodic time range is valid You can select any combination of the days of the week Absolute Time Range From Set the start time and date of the absolute time range The time of the day is in the hh:mm format (24-hour clock) and the date is in the MM/DD/YYYY format To Set the end time and date of the absolute time range The time of the day is in the hh:mm format (24-hour clock) and th Note spanning both ranges You can define both a periodic time range and an absolute time range to add a compound time range This compound time range recurs on the day or days of the week within the
480. or designated port to enter the forwarding state much faster than STP If the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data a newly elected RSTP root port rapidly enters the forwarding state A newly elected RSTP designated port rapidly enters the forwarding state if it is an edge port (a port that directly connects to a user terminal rather than to another network device or a shared LAN segment) or it connects to a point-to-point link Edge ports directly enter the forwarding state Connecting to a point-to-point link a designated port enters the forwarding state immediately after the device receives a handshake response from the directly connected device 184 Introduction to MSTP MSTP overcomes the following STP and RSTP limitations • STP limitations STP does not support rapid state transition of ports A newly elected port must wait twice the forward delay time before it transits to the forwarding state even if it connects to a point-to-point link or is an edge port • RSTP limitations Although RSTP enables faster network convergence than STP RSTP fails to provide load balancing among VLANs As with STP all RSTP bridges in a LAN share one spanning tree and forward packets from all VLANs along this spanning tree MSTP features Developed based on IEEE 802.1s MSTP overcomes the limitations of STP and RSTP In addition to supporting rapid network converge
481. ot provide an independent Boot ROM image instead it integrates the Boot ROM image with the system software image file together in a software package file with the extension name of .bin Examples Download software package file main.bin from the TFTP server and use the Boot ROM image in the package as the startup configuration file <Sysname> upgrade 192.168.20.41 main.bin bootrom Download software package file main.bin from the TFTP server and use the system software image file in the package as the startup configuration file <Sysname> upgrade 192.168.20.41 main.bin runtime upgrade ipv6 Syntax upgrade ipv6 server-address source-filename { bootrom | runtime } Parameters server-address IPv6 address of a TFTP server source-filename Software package name on the TFTP server bootrom Specifies the Boot ROM image in the software package file as the startup configuration file runtime Specifies the system software image file in the software package file as the startup configuration file Description Use upgrade ipv6 server-address source-filename bootrom to upgrade the Boot ROM image If the Boot ROM image in the downloaded software package file is not applicable the original Boot ROM image is still used as the startup configuration file Use upgrade ipv6 server-address source-filename runtime to upgrade the system software image file If the system software image file in the downloaded software package file is not ap
482. other forwarded traffic Recommended configuration procedures Step Remarks Required 1 Configure a local mirroring group For more information see Configuring a mirroring group Select the mirroring group type Local in the Type list Required 2 Configure source ports for the mirroring group For more information see Configuring ports for the mirroring group Select the port type Mirror Port Required 3 Configure the monitor port for the mirroring group For more information see Configuring ports for the mirroring group Select the port type Monitor Port Configuring a mirroring group 1 From the navigation tree select Device > Port Mirroring 80 2 Click Add to enter the page for adding a mirroring group Figure 66 Adding a mirroring group Summary Remove Modify Port Mirroring Group ID (1-1) Type Local Apply Group ID Type 3 Configure the mirroring group as described in Table 16 4 Click Apply Table 16 Configuration items Item Description Mirroring Group ID ID of the mirroring group to be added Type Specify the type of the mirroring group to be added as Local which indicates adding a local mirroring group Configuring ports for the mirroring group 1 From the navigation tree select Device > Port Mirroring 2 Click Modify Port to enter the page for configuring ports for a mirroring group 8 Figure 67 Modifying ports Summary Add Remove
483. otoco type [Figure: ARP packet format; field lengths in bytes 2 2 1 1 2 6 4 6 4; 28-byte ARP request/reply] • Hardware type Hardware address type The value 1 represents Ethernet • Protocol type Type of the protocol address to be mapped The hexadecimal value 0x0800 represents IP • Hardware address length and protocol address length Length in bytes of a hardware address and a protocol address For an Ethernet address the value of the hardware address length field is 6 For an IPv4 address the value of the protocol address length field is 4 • OP Operation code which describes the type of the ARP message Value 1 represents an ARP request and value 2 represents an ARP reply • Sender hardware address Hardware address of the device sending the message • Sender protocol address Protocol address of the device sending the message • Target hardware address Hardware address of the device to which the message is being sent • Target protocol address Protocol address of the device to which the message is being sent ARP operating mechanism As shown in Figure 217 Host A and Host B are on the same subnet Host A sends a packet to Host B as follows 1 Host A looks through its ARP table for an ARP entry for Host B If one entry is found Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame Then Host A sends the frame to Host B 242 2 If Host A finds no entry for Host B Host A buff
484. ou can select any available Layer 3 interface for example a virtual interface of the device If you select NULL 0 the destination IPv6 address is unreachable 282 IPv4 static route configuration example Network requirements As shown in Figure 258 configure IPv4 static routes on Switch A Switch B and Switch C for any two hosts to communicate with each other Figure 258 Network diagram Vlan-int600 1.1.5.6/30 Vlan-int300 Vlan-int900 1.1.2.3/24 1.1.3.1/24 Host A Switch A Switch C Host C 1.1.2.2/24 1.1.3.2/24 Configuration considerations On Switch A configure a default route with Switch B as the next hop On Switch B configure one static route with Switch A as the next hop and the other with Switch C as the next hop On Switch C configure a default route with Switch B as the next hop Configuration procedure 1 Configure a default route to Switch B on Switch A a Select Network > IPv4 Routing from the navigation tree of Switch A b Click the Create tab c Enter 0.0.0.0 for Destination IP Address 0 for Mask and 1.1.4.2 for Next Hop d Click Apply 283 Figure 259 Configuring a default route Summary Remove Destination IP Address 0.0.0.0 Mask Preference (1-255 Default 60) Next Hop 1.1.4.2 Interface Items marked with an asterisk (*) are required Apply Configured Static Route Information Destination IP Address Mask Protocol Preference Next Hop Interface 2 Configure a s
485. oup ports for the static aggregation group By default no link aggregation group exists 2 Optional Displaying aggregate interface information Display detailed information of an existing aggregation group Configuring a dynamic aggregation group Step Remarks 1 Creating a link aggregation group Create a dynamic aggregate interface and configure member ports for the dynamic aggregation group automatically created LACP is enabled automatically on all the member ports By default no link aggregation group exists 2 Optional Displaying aggregate interface information Display detailed information of an existing aggregation group 3 Optional Setting LACP priority Set LACP priority for the local system and link aggregation member ports Changes to priorities affect the aggregation state of the member ports The default port LACP priority and system LACP priority are both 32768 4 Optional Displaying Display detailed information of LACP-enabled ports and the corresponding remote partner ports Creating a link aggregation group 1 From the navigation tree select Network > Link Aggregation 2 Click Create 208 Figure 188 Creating a link aggregation group Summary Modify Remove Enter Link Aggregation Interface ID (1-8) Specify Interface Type Static (LACP Disabled) Note The type of the link aggregation interface set here overwrites the existing LACP settings of the ports in the
486. oute operations access data on the device and configure the device but they cannot upgrade the software add delete modify users or back up or restore the configuration file • Management A management level user can perform any operations on the device Password Set the password for the user Confirm Password Enter the same password again Password Encryption Select the password encryption type • Reversible Uses a reversible encryption algorithm The ciphertext password can be decrypted to get the plaintext password • Irreversible Uses an irreversible encryption algorithm The ciphertext password cannot be decrypted to get the plaintext password Service Type Select the service types for the user to use including Web FTP and Telnet You must select at least one service type Setting the super password A management level user can set the password for non-management level users to switch to the management level If the password is not set non-management level users cannot switch to the management level from a lower level To set the super password 1 Select Device > Users from the navigation tree 2 Click the Super Password tab Figure 73 Setting the super password Summary Create Modify Remove Switch To Management Please specify the super password Create Remove Password (1-16 Chars) Confirm Password Password Encryption Reversible Irreversible Apply Note Use the super password to switch from the c
487. packets with CRC errors received on the interface corresponding to the MIB node etherStatsCRCAlignErrors Number of Received Packets With CRC Check Failed Total number of undersize packets (shorter than 64 octets) received by the interface corresponding to the MIB node etherStatsUndersizePkts Number of Received Packets Smaller Than 64 Bytes Total number of oversize packets (longer than 1518 octets) received by the interface corresponding to the MIB node etherStatsOversizePkts Number of Received Packets Larger Than 1518 Bytes Total number of undersize packets (shorter than 64 octets) with CRC errors received by the interface corresponding to the MIB node etherStatsFragments Number of Received Packets Smaller Than 64 Bytes And FCS Check Failed Number of oversize packets (longer than 1518 octets) with CRC errors received by the interface corresponding to the MIB node etherStatsJabbers Number of Received Packets Larger Than 1518 Bytes And FCS Check Failed 102 Field Description Number of Network Conflicts Total number of collisions received on the interface corresponding to the MIB node etherStatsCollisions Number of Discard Events Total number of drop events received on the interface corresponding to the MIB node etherStatsDropEvents Number of Received 64 Bytes Packets Total number of received packets with 64 octets on the interface corresponding to the MIB node etherStatsPkts64Octets Total
488. pe is delta Refresh 108 Configuring energy saving Energy saving enables a port to operate at the lowest transmission speed disable PoE or go down during a specific time range on certain days of a week The port resumes when the effective time period ends Configuring energy saving on a port 1 Select Device > Energy Saving from the navigation tree to enter the energy saving configuration page 2 Click a port Figure 98 Energy saving configuration page Please select a port [chassis front panel] Index Time Range Sun Mon Tue Wed Thu Fri Sat PoE Disabled Lowest Speed Shutdown 1 08:30-16:00 2 22:00-03:00 3 00:00-00:00 4 00:00-00:00 5 00:00-00:00 Note If PoE is enabled through a PoE profile PoE configured in energy saving does not take effect Cancel 3 Configure an energy saving policy for the port as described in Table 30 4 Click Apply Table 30 Configuration items Item Description Time Range Set the time period when the port is in the state of energy saving IMPORTANT • Up to five energy saving policies with different time ranges can be configured on a port Sun through Sat • Specify the start time and end time in units of 5 minutes such as 08:05 to 10:15 Otherwise the start time is postponed and the end time is brought forward so that they meet the requirements For
489. peed 100Mbps Speed 100Mbps Speed 100Mbps Server A Server B Server C Configuring the switch 1 As shown in Figure 62 set the speed of GigabitEthernet 1/0/4 to 1000 Mbps 75 Figure 62 Configuring the speed of GigabitEthernet 1/0/4 Summary Detail Basic Configuration Port State No Change Speed 1000 Duplex No Change Link Type No Change PVID (1-4094) Combo No Change Description (Chars 1-80) Advanced Configuration MDI No Change Flow Control No Change Max MAC Count No Change (0-8192) Power Save No Change Storm Suppression Broadcast Suppression No Change Multicast Suppression No Change Unicast Suppression No Change pps range 1-148610 for a 100 Mbps port 1-260000 for a GE port and 1-260000 for a 10GE port kbps range 1-102400 for a 100 Mbps port 1-180000 for a GE port and 1-180000 for a 10GE port [chassis front panel] Select All Select None Selected Ports GE1/0/25 It may take some time if you apply the above settings to multiple ports Apply Cancel Batch configure the autonegotiation speed range on GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as 100 Mbps a On the Setup tab select Auto 100 from the Speed list b Select 1 2 and 3 on the chassis front panel 1 2 and 3 represent ports GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 c Click Apply 76 Figure 63 B
490. perating Mode list Click Apply A progress dialog box appears Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Figure 212 Setting the LLDP operating mode to Tx Global Setup Global Summary Neighbor Summary Interface Name GE1/0/1 LLDP State Enable Basic Settings LLDP Operating Mode Tx Encapsulation Format ETHII CDP Operating Mode Disable LLDP Polling Interval (1-30 seconds) LLDP Trapping Disable Base TLV Settings Port Description System Capabilities System Description System Name Management Address Number Additional TLV Settings Cancel Enable global LLDP a Click the Global Setup tab b Select Enable from the LLDP Enable list Click Apply A progress dialog box appears Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Verifying the configuration 1 Display the status information of port GigabitEthernet 1/0/1 on Switch A a From the navigation tree select Network > LLDP By default the Port Setup tab is displayed 237 b Click the GigabitEthernet1/0/1 port name in the port list c Click the Status Information tab at the lower half of the page The output shows that port GigabitEthernet 1/0/1 is connected to an MED neighbor device Figure 213 The status information tab 1 Local Information Neighbor Information Statistic Informat
491. perform operations on the multiple tagged VLANs (Detail Modify VLAN and Modify Port tabs) You can repeat these steps to configure multiple tagged VLANs for the hybrid port b Modifying a VLAN Configure the hybrid port as a tagged member of the specified VLAN 7 Modifying ports Configure the tagged VLAN of the hybrid port Creating VLANs 1 From the navigation tree select Network > VLAN 2 Click Create to enter the page for creating VLANs 3 Enter the VLAN IDs a VLAN ID range or both 4 Click Create 139 Figure 134 Creating VLANs Select VLAN Port Detail Detail Modify VLAN Modify Port Remove Create VLAN IDs (Example 3,5-10) Create ID Description 1 VLAN 0001 Modify VLAN description Note you can do this later on the Modify VLAN page Modify the description of the selected VLAN ID Description (Chars) Table 40 Configuration items Item Description VLAN IDs IDs of the VLANs to be created Modify the description of the selected VLAN • ID Select the ID of the VLAN whose description string is to be modified Click the ID of the VLAN to be modified in the list in the middle of the page • Description Set the description string of the selected VLAN By default the description string of a VLAN is its VLAN ID such as VLAN 0001 Configuring the link type of a port You can also configure the link type of a port on the Setup tab of Device > Port Management For more information see Man
492. playing device information 48 Configuring basic device settings 50 Configuring system 50 Configuring idle timeout period 50 Maintaining 52 Software upgrade 52 Device 53 Electronic label 54 Diagnostic 54 Configuring system 56 Overview 56 Displaying the current system 56 Manually configuring the system 56 Configuring system time by using NTP 57 System time configuration example 58 Network requirements 58 Configuring the system 59 Verifying the configuration
493. playing syslogs [Figure: Loglist / Log Setup page screenshot; the page implements the system log management function, with Time/Date search, Advanced Search, and columns Time/Date, Source, Level, Digest, Description; legible entries include WEBOPT_CLI_CHANGECLOCK (System clock changed), CFM_SAVECONFIG_SUCCESSFULLY (Configuration is saved successfully), WEBOPT_LOGIN_SUC (admin logged in from 192.168.1.169), SC_AAA_SUCCESS (UserName=admin@system; AAA is successful; AAAType=AUTHEN; AAAScheme=local; Service=login) and SC_AAA_LAUNCH (UserName=admin@system; AAA launched; AAAType=AUTHEN; AAAScheme=local; Service=login); the remaining rows are illegible]
494. plicable the original system software image file is still used as the startup configuration file To validate the downloaded software package file reboot the device NOTE The HP 1920 Switch Series does not provide an independent Boot ROM image instead it integrates the Boot ROM image with the system software image file together in a software package file with the extension name of .bin 3 Examples Download software package file main.bin from the TFTP server and use the Boot ROM image in the package as the startup configuration file <Sysname> upgrade ipv6 2001::2 main.bin bootrom Download software package file main.bin from the TFTP server and use the system software image file in the package as the startup configuration file <Sysname> upgrade ipv6 2001::2 main.bin runtime Configuration example for upgrading the system software image at the CLI Network requirements As shown in Figure 20 a 1920 switch is connected to the PC through the console cable and connected to the gateway through Ethernet 1/0/1 The IP address of the gateway is 192.168.1.1/24 and that of the TFTP server where the system software image (suppose its name is Switch1920.bin) is located is 192.168.10.1/24 The gateway and the switch can reach each other The administrator upgrades the Boot ROM image and the system software image file of the 1920 switch through the PC and sets the IP address of the switch to 192.168.1.2/24 Figure
495. port • Traffic policing Polices particular flows entering or leaving a device according to configured specifications and can be applied in both inbound and outbound directions of a port When a flow exceeds the specification some restriction or punishment measures can be taken to prevent overconsumption of network resources • Traffic shaping Proactively adjusts the output rate of traffic to adapt traffic to the network resources of the downstream device and avoid unnecessary packet drop and congestion Traffic shaping is usually applied in the outbound direction of a port • Congestion management Provides a resource scheduling policy to arrange the forwarding sequence of packets when congestion occurs Congestion management is usually applied in the outbound direction of a port • Congestion avoidance Monitors the usage status of network resources and is usually applied in the outbound direction of a port As congestion becomes worse it actively reduces the amount of traffic by dropping packets Among these QoS technologies traffic classification is the basis for providing differentiated services Traffic policing traffic shaping congestion management and congestion avoidance manage network traffic and resources in different ways to realize differentiated services This section is focused on traffic classification and the subsequent sections will introduce the other technologies in detail Traffic classification When def
496. ptional 1 Select Device > SNMP from the navigation tree The SNMP configuration page appears 113 Figure 101 Setup tab Community Group User Trap View SNMP Enable Disable Local Engine ID AOODE3AAOSACESABCDAAFE (0-64 Hex Chars) Maximum Packet Size 1500 Bytes (484-17940 Default 1500) Contact Hewlett-Packard Development Company (1-200 Chars) Location HP (1-200 Chars) SNMP Version v1 v2c v3 Note If you disable SNMP all SNMP-related configurations will not be saved Items marked with an asterisk (*) are required Apply Cancel SNMP Statistics Count Messages delivered to the SNMP entity Messages which were for an unsupported version Messages which used a SNMP community name not known Messages which represented an illegal operation for the community supplied ASN.1 or BER errors in the process of decoding MIB objects retrieved successfully MIB objects altered successfully GetRequest PDUs accepted and processed GetNextRequest PDUs accepted and processed SetRequest PDUs accepted and processed Messages passed from the SNMP entity SNMP PDUs which had tooBig error status (Maximum packet size 1500) SNMP PDUs which had noSuchName error status SNMP PDUs which had badValue error status SNMP PDUs which had genErr error status GetResponse PDUs accepted and processed Trap PDUs accepted and processed 17 records 100 per page page 1/1 record 1-17 Refresh Configure SNMP setti
497. ptional information You can display the local global LLDP information and statistics 6 Displaying LLDP information received from LLDP neighbors You can display the LLDP information received from LLDP neighbors Optional Enabling LLDP on ports 1 From the navigation tree select Network > LLDP By default the Port Setup tab is displayed This tab displays the enabling status and operating mode of LLDP on a port 2 Select one or more ports and click Enable To disable LLDP on a port select the port and click Disable Figure 198 The port setup tab Global Setup Global Summary Neighbor Summary Port Name Search Advanced Search Port Name LLDP Status LLDP Work Mode Operation GigabitEthernet1/0/1 Enabled TxRx GigabitEthernet1/0/2 Enabled TxRx GigabitEthernet1/0/3 Enabled TxRx GigabitEthernet1/0/4 Enabled TxRx GigabitEthernet1/0/5 Enabled TxRx GigabitEthernet1/0/6 Enabled TxRx GigabitEthernet1/0/7 Enabled TxRx GigabitEthernet1/0/8 Enabled TxRx GigabitEthernet1/0/9 Enabled TxRx GigabitEthernet1/0/10 Enabled TxRx GigabitEthernet1/0/11 Enabled TxRx GigabitEthernet1/0/12 Enabled TxRx GigabitEthernet1/0/13 Enabled TxRx GigabitEthernet1/0/14 Enabled TxRx GigabitEthernet1/0/15 Enabled TxRx 28 records 15 per page page 1/2 record 1-15 Next Last 1 GO Enable Disable Modify Selec
498. r 802.1Q [Figure 456: 802.1Q frame format: Destination Address (6 bytes) Source Address (6 bytes) 802.1Q tag header with TPID (4 bytes) Length/Type (2 bytes) Data (46 to 1500 bytes) CRC-32 (4 bytes)] As shown in Figure 456 the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID) two bytes in length whose value is 0x8100 and the tag control information (TCI) two bytes in length Figure 457 presents the format of the 802.1Q tag header The priority in the 802.1Q tag header is called 802.1p priority because its use is defined in IEEE 802.1p Table 147 presents the values for 802.1p priority 470 Figure 457 802.1Q tag header Byte 1 Byte 2 Byte 3 Byte 4 TPID (Tag protocol identifier) TCI (Tag control information) [bit numbering 7 to 0 per byte] Table 147 Description on 802.1p priority 802.1p priority (decimal) 802.1p priority (binary) Description 0 000 best-effort 1 001 background 2 010 spare 3 011 excellent-effort 4 100 controlled-load 5 101 video 6 110 voice 7 111 network-management Queue scheduling In general congestion management uses queuing technology The system uses a certain queuing algorithm for traffic classification and then uses a certain precedence algorithm to send the traffic Each queuing algorithm handles a particular network traffic problem and has significant impacts on bandwidth resource assignment delay and jitter In this section two common hardware queue scheduling algorithms Strict Priority (SP) queu
499. r ACLs. Description (0 to 127 characters). Apply. (ACL list columns: ACL Number, Type, Number of Rules, Match Order, Description.) 4. Click the Advanced Setup tab. 5. Configure the following parameters: a. Select 3000 from the ACL list. b. Select Rule ID, enter the rule ID 0, and select the action Deny. c. In the IP Address Filter area, select Destination IP Address. Enter 10.0.0.1 as the destination IP address. Enter 0.0.0.0 as the destination IP address wildcard. d. Click Add. Figure 330 ACL rule configuration (screenshot of the Advanced Setup tab for ACL 3000: Rule ID 0 to 65534, if no ID is entered the system will specify one; Action Deny; Non-first Fragments Only; Logging; IP Address Filter with Destination IP Address 10.0.0.1 and Destination Wildcard 0.0.0.0; Protocol IP; ICMP Type, ICMP Message and ICMP Code; TCP/UDP Port with TCP Connection Established and a port range of 0 to 65535; Precedence Filter with DSCP, TOS and Precedence set to Not Check; Time Range; Add; rule list columns Rule ID, Operation, Description, Time Range). Configuring 802.1X: 1. Configure 802.1X globally: a. From the navigation tree, select Authentication > 802.1X. b. Select Enable 802.1X. c. Select the authentication method CHAP. d. Click Apply. Figure 331 Configuring 802.1X globally (screenshot: 802.1X Configuration, Enable 802.1X, Authentication Method C
500. r communicate by using the proprietary RADIUS protocol and packet format. Item / Description. Username Format: Select the format of usernames to be sent to the RADIUS server. Typically, a username is in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the RADIUS server. The options include: Original format, which configures the device to send the username of a user on an as-is basis; With domain name, which configures the device to include the domain name in a username; Without domain name, which configures the device to remove any domain name from a username. Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key: Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets. The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets. They verify packets through the specified shared key. The client and the server can receive and respond to packets from each other only when they use the same shared key. IMPORTANT: The shared keys configured on the device must be consistent with those configured on the RADIUS servers. The shared keys configure
501. r configuration 380; port security advanced control configuration 428, 507; port security advanced mode configuration 433; port security authentication modes 421; port security basic control configuration 425; port security basic mode configuration 430; port security configuration 421, 423, 430; port security configuration (global) 424; port security permitted OUIs configuration 429; RADIUS common parameter configuration 369; RADIUS scheme configuration 368; RADIUS server configuration 373; security 802.1X access device initiated authentication 324; security 802.1X authentication 325; security 802.1X client initiated 324; security 802.1X EAP over RADIUS 323; security 802.1X EAP relay authentication 326; security 802.1X EAP relay/termination mode 325; security 802.1X EAP termination 327; security 802.1X initiation 324; security 802.1X RADIUS Message-Authentication attribute 324; security MAC authentication 404; security MAC authentication ACL assignment 411; security MAC authentication configuration 406, 408; security MAC local authentication configuration 408; user group configuration 382; using 802.1X authentication with other features 329; using MAC authentication with other features 405. Authentication, Authorization and Accounting: Use AAA. Auth-Fail VLAN: 802.1X authentication 330; configuring 802.1X 336; MAC authentication 405. authorized IP configuration 443, 444. authorizing AAA c
502. r ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the aggregation state of each member port. Do not assign the following types of ports to Layer 2 aggregate groups: MAC address authentication enabled ports; port security enabled ports; packet filtering enabled ports; Ethernet frame filtering enabled ports; IP source guard enabled ports; 802.1X enabled ports. Deleting a Layer 2 aggregate interface also deletes its aggregation group and causes all member ports to leave the aggregation group. When a load-sharing aggregation group becomes non-load-sharing because of insufficient load-sharing resources, one of the following problems might occur: The number of Selected ports of the actor is inconsistent with that of the partner, which might result in incorrect traffic forwarding; the peer port of a Selected port is Unselected, which might result in anomalies in upper-layer protocols and traffic forwarding. Configuring LLDP. Overview: In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices from different vendors can discover one another and exchange configuration. The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices. With LLDP, a device sends loca
503. r the ISP domain: a. Click the Authentication tab. b. Select test from the Select an ISP domain list. c. Select Default AuthN, select RADIUS as the default authentication method, and select the authentication scheme system from the Name list, as shown in Figure 325. Figure 325 Configuring the AAA authentication method for the ISP domain (screenshot of the Authentication tab, beside the Domain Setup, Authorization and Accounting tabs: Select an ISP domain: test; Default AuthN: RADIUS, Name: system, Secondary Method; LAN-access AuthN, Login AuthN, PPP AuthN and Portal AuthN rows, each with Name and Secondary Method). d. Click Apply. A configuration progress dialog box appears, as shown in Figure 326. Figure 326 Configuration progress dialog box (Current Configuration: setting Default AuthN, OK). e. After the configuration process is complete, click Close. Configure the AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select test from the Select an ISP domain list. c. Select Default AuthZ, select RADIUS as the default authorization method, and select the authorization scheme system from the Name list, as shown in Figure 327. Figure 327 Configuring the AAA authorization method for the ISP domain (screenshot of the Authorization tab: Select an ISP domain: test; Default AuthZ: RADIUS, Name: system, Secondary Method
504. ration in fast mode, click the Save button at the upper right of the auxiliary area. Figure 55 Saving the configuration (screenshot: Save, Help and Logout buttons; Backup, Restore and Initialize tabs; Save Current Settings; Note: Click Save Current Settings to save the current configuration). Common mode: To save the configuration in common mode: a. Select Device > Configuration from the navigation tree. b. Click the Save tab. c. Click Save Current Settings. Resetting the configuration: Resetting the configuration restores the device's factory defaults, deletes the current configuration files, and reboots the device. To reset the configuration: 1. Select Device > Configuration from the navigation tree. 2. Click the Initialize tab. 3. Click Restore Factory Default Settings. Figure 56 Resetting the configuration (screenshot: Backup, Restore and Save tabs; Restore Factory Default Settings; Note: Click Restore Factory Default Settings to restore and initialize the factory default settings and reboot). Managing files: The device requires a series of files for correct operation, including boot files and configuration files. These files are saved on the storage media. You can display files on the storage media, download, upload or remove a file, or specify the main boot file. Displaying files: 1. Select Device > File Management from the navigation tree. Figure 57 File management page (screenshot: Please select disk: flash; Used space 22.18 MB; Free space
505. rations on its member ports, nor do they take part in aggregation calculations. The configuration on a member port of the aggregate group does not take effect until the port leaves the aggregate group. VLAN ID: Specify the ID of the VLAN in which port functions are to be configured. The configurations made in a VLAN take effect on the ports only in this VLAN. Multicast Group Limit: Configure the maximum number of IPv6 multicast groups on a port. With this feature, you can regulate IPv6 multicast traffic on the port. IMPORTANT: When the number of IPv6 multicast groups on a port exceeds the limit that you are setting, the system deletes all the IPv6 forwarding entries related to that port from the MLD snooping forwarding table. The receiver hosts attached to that port can join the IPv6 multicast groups again before the number of IPv6 multicast groups on this port reaches the limit. Item / Description. Fast Leave: Enable or disable fast leave processing on the port. When a port that is enabled with the MLD snooping fast leave processing feature receives an MLD done message, the switch immediately deletes that port from the IPv6 forwarding table entry for the multicast group specified in the message. When the switch receives MLD multicast-address-specific queries for that multicast group, it does not forward them to that port. You can enable MLD snooping fast leave processing on ports to save bandwidth and resources. Displaying
506. rd table (ethernetHistoryTable). The statistics include bandwidth utilization, number of error packets, and total number of packets. The history statistics table records traffic statistics collected for each sampling interval. The sampling interval is user-configurable. Event group: The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group. The events can be handled in one of the following ways: Log, which logs event information (including event time and description) in the event log table so the management device can get the logs through SNMP; Trap, which sends an SNMP notification when the event occurs; Log-Trap, which logs event information in the event log table and sends an SNMP notification when the event occurs; None, which takes no action. Alarm group: The RMON alarm group monitors alarm variables, such as the count of incoming packets (etherStatsPkts) on an interface. After you define an alarm entry, the system gets the value of the monitored alarm variable at the specified interval. If the value of the monitored variable is greater than or equal to the rising threshold, a rising event is triggered. If the value of the monitored variable is smaller than or equal to the falling threshold, a falling event is triggered. The event is then handled as defined in the event group. If an alarm entry crosses a threshold multiple times in
507. rds response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages. Figure 283 Trusted and untrusted ports (diagram: DHCP server, DHCP client, unauthorized DHCP server; DHCP reply messages). In a cascaded network, as shown in Figure 284, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries. Figure 284 Trusted and untrusted ports in a cascaded network (diagram: DHCP clients Host A, Host B, Host C and Host D attached to DHCP snooping Switch A, Switch B and Switch C on ports GE1/0/1 through GE1/0/4; the DHCP server attached to the device's GE1/0/1 and GE1/0/2; legend: untrusted ports, trusted ports disabled from recording binding entries, trusted ports enabled to record binding entries). Table 98 describes the roles of the ports shown in Figure 284. Table 98 Roles of ports (Device / Untrusted port / Trusted port disabled from recording binding entries / Trusted port enabled to record binding entries): Switch A / (unreadable) / GigabitEthernet 1/0/3 / GigabitEthernet 1/0/2. Device / Untruste
508. re. Otherwise, the upgrade operation may be interrupted. A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to obtain a target application file from the local host and set the file as the boot file to be used at the next reboot. In addition, you can select whether to reboot the device to bring the upgraded software into effect. 1. Select Device > Device Maintenance from the navigation tree to enter the Software Upgrade tab. Figure 40 Software upgrade configuration page (screenshot: Reboot and Diagnostic Information tabs; File; File Type; If a file with the same name already exists, overwrite it without any prompt; To upgrade the files of slave boards at one time; Reboot after the upgrade is finished; Note: Do not perform any operation when the upgrade is in process. The length of the filename cannot exceed 37 and must end with an extension of .app or .bin. Items marked with an asterisk are required; Apply). 2. Configure the software upgrade parameters as described in Table 10. 3. Click Apply. Table 10 Configuration items. Item / Description. File: Specify the path and filename of the local application file, which must be suffixed with the .app or .bin extension. File Type: Specify the type of the boot file for the next boot: Main boots the device; Backup boots the device when the main boot file is unavailable. Item / Description. If a file with t
509. re 366 User group configuration page (screenshot of the Local User / User Group page, Add: Group name (1 to 32 chars); Level; VLAN; ACL (2000 to 4999); User profile (1 to 32 chars); Allow Guest Accounts; items marked with an asterisk are required; Apply, Cancel). Configure the user group as described in Table 119. Click Apply. Table 119 Configuration items. Item / Description. Group name: Specify a name for the user group. Level: Select an authorization level for the user group: Visitor, Monitor, Configure or Management, in ascending order of priority. VLAN: Specify the VLAN to be authorized to users of the user group after the users pass authentication. ACL: Specify the ACL to be used by the access device to control the access of users of the user group after the users pass authentication. User profile: Specify the user profile for the user group. This option does not take effect on this software version. Allow Guest Accounts: Select this option to allow guest accounts to be added to the user group. This option is selected for the system-defined user group system and cannot be modified. However, this option does not take effect on this software version. Managing certificates. Overview: The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key technologies and digital certificates, and for verifying the identities of the digital certificate owners. A digital certificate is a bin
510. rect 0 127.0.0.1 InLoopBack0; 127.0.0.0 255.0.0.0 Direct 0 127.0.0.1 InLoopBack0; 127.0.0.1 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0; 192.168.1.0 255.255.255.0 Direct 0 192.168.1.2 Vlan-interface100; 192.168.1.2 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0; 8 records, 15 per page, page 1 of 1, records 1 to 8. Table 90 Field description. Field / Description. Destination IP Address, Mask: Destination IP address and subnet mask of the IPv4 route. Protocol: Protocol that discovered the IPv4 route. Preference: Preference value for the IPv4 route. The smaller the number, the higher the preference. Next Hop: Next hop IP address of the IPv4 route. Interface: Output interface of the IPv4 route. Packets destined for the specified network segment are sent out of the interface. Creating an IPv4 static route: 1. Select Network > IPv4 Routing from the navigation tree. 2. Click the Create tab. The page for configuring an IPv4 static route appears. Figure 255 Creating an IPv4 static route (screenshot: Summary and Remove tabs; Destination IP Address; Mask; Preference (1 to 255, default 60); Next Hop; Interface; items marked with an asterisk are required; Apply; Configured Static Route Information with columns Destination IP Address, Mask, Protocol, Preference, Next Hop). 3. Create an IPv4 static route as described in Table 91. 4. Click Apply. Table 91 Configuration items. Item / Description. Destination IP Address: Enter the destination host or network IP address in dot
511. (entry unreadable) 317; Ping 317; (entry unreadable) 317; Ping operation 318; Traceroute operation 319; Configuring 802.1X 32; 802.1X overview 321; 802.1X architecture 321; Access control methods 321; Controlled/uncontrolled port and port authorization status 322; Packet formats 322; EAP over RADIUS 323; Initiating 802.1X authentication 324; 802.1X authentication procedures 325; (entry unreadable) 328; Using 802.1X authentication with other features 329; Configuration (title unreadable) 331; Recommended configuration procedure 332; Configuring 802.1X globally 332; Configuring 802.1X on a port 333; Configuring an 802.1X guest VLAN 335; Configuring an Auth-Fail VLAN
512. regate interfaces below the chassis front panel. You can select aggregate interfaces from this list and configure them as mirroring ports of a port mirroring group. Select port(s). Local port mirroring configuration example. Network requirements: As shown in Figure 68, configure local port mirroring on Switch A so the server can monitor the packets received and sent by the Marketing department and the Technical department. Figure 68 Network diagram (Marketing Dept. on GE1/0/1 and Technical Dept. on GE1/0/2 of Device A, server on GE1/0/3; legend: source port, monitor port). Configuration procedure. Adding a local mirroring group: 1. From the navigation tree, select Device > Port Mirroring. 2. Click Add to enter the page for adding mirroring groups, as shown in Figure 69. Figure 69 Adding a local mirroring group (screenshot: Summary, Remove and Modify Port tabs; Mirroring Group ID 1; Type Local; list columns Group ID, Type). 3. Enter 1 for Mirroring Group ID and select Local from the Type list. 4. Click Apply. Configuring GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as the source ports: 1. Click Modify Port. 2. Select 1 - Local from the Mirroring Group ID list. 3. Select Mirror Port from the Port Type list. 4. Select both from the Stream Orientation list. 5. Select 1 (GigabitEthernet 1/0/1) and 2 (GigabitEthernet 1/0/2) on the chassis front panel. Figure 70 Configuring the source ports (screenshot: Summary, Add and Remove tabs; Mirroring Group ID 1 - Local; Port Type Mir
513. retransmits an authentication request if it does not receive a response to the request it has sent to the client within a period of time set by the TX Period or the Supplicant Timeout Time value (Retry Times). The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response. TX Period: Sets the username request timeout timer. Handshake Period: Sets the handshake timer. Re-Authentication Period: Sets the periodic online user re-authentication timer. Supplicant Timeout Time: Sets the client timeout timer. Server Timeout Time: Sets the server timeout timer. NOTE: You can set the client timeout timer to a high value in a low-performance network and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient. Configuring 802.1X on a port: 1. From the navigation tree, select Authentication > 802.1X. 2. In the Ports With 802.1X Enabled area, click Add. 3. Configure 802.1X features on a port as shown in Figure 310, and then click Apply. Figure 310 Configuring 802.1X on a port (screenshot: Apply 802.1X Port Configuration; Port GigabitEthernet1/0/1; Port Control MAC Based; Port Authorization Auto; Max Number of Users 256 (1 to 256, default 256); Enable Handshake; Enable Re-Authentication; Guest VLAN (1 to 4094); Enable MAC VLAN; only hybrid
514. ribute types, which are defined by RFC 2865, RFC 2866, RFC 2867 and RFC 2868. Extended RADIUS attributes: Attribute 26 (Vendor-Specific), an attribute defined by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide. A vendor can encapsulate multiple sub-attributes as TLVs in attribute 26 to provide extended functions. As shown in Figure 349, a sub-attribute encapsulated in Attribute 26 consists of the following parts: Vendor ID, the ID of the vendor; its most significant byte is 0, and the other three bytes contain a code that is compliant with RFC 1700. Vendor Type, the type of the sub-attribute. Vendor Length, the length of the sub-attribute. Vendor Data, the contents of the sub-attribute. Figure 349 Format of attribute 26 (bit positions 0, 7, 15, 23, 31; Vendor ID (continued), Vendor Type, Vendor Length, Vendor Data (specified attribute value)). Protocols and standards: RFC 2865, Remote Authentication Dial In User Service (RADIUS); RFC 2866, RADIUS Accounting; RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support; RFC 2868, RADIUS Attributes for Tunnel Protocol Support; RFC 2869, RADIUS Extensions. Configuring a RADIUS scheme: A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers. There might be authentication servers and accounting servers, or primary servers and secondary servers
515. ring common parameters: 1. Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area. Figure 352 Common configuration (screenshot: Server Type standard; Username Format Without domain name; Advanced: Authentication Key (1 to 64 chars); Confirm Authentication Key (1 to 64 chars); Accounting Key (1 to 64 chars); Confirm Accounting Key (1 to 64 chars); Quiet Time, minutes (0 to 255, default 5); Server Response Timeout Time, seconds (1 to 10, default 3); Request Transmission Attempts (1 to 20, default 3); Realtime Accounting Interval, minutes (0 to 60, default 12, must be a multiple of 3); Realtime Accounting Attempts (1 to 255, default 5); Unit for Data Flows: Byte; Unit for Packets: One packet; Security Policy Server; RADIUS Packet Source IP: IPv4 / IPv6; Buffer stop-accounting packets; Stop Accounting Attempts (10 to 65535, default 500); Send accounting-on packets; Attribute Interpretation). 2. Configure the parameters as described in Table 115. Table 115 Configuration items. Item / Description. Server Type: Select the type of the RADIUS servers supported by the device, which can be Standard (standard RADIUS servers; the RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2138/2139 or later) or Extended (extended RADIUS servers, usually running on CAMS or IMC; the RADIUS client and the RADIUS serve
516. ring rate limit on a (entry cut off) 486; Configuring priority mapping 487; Configuring priority trust mode on a (entry cut off) 488; ACL and QoS configuration example 489; Network requirements 489; Configuring Switch 489; Configuring PoE 497; (entry unreadable) 497; Configuring PoE 498; Configuring PoE ports 498; Configuring non-standard PD detection 499; Displaying information about PSE and PoE ports 500; PoE configuration example 501; Support and other resources 503; Contacting HP 503; Subscription service 503; Related (entry cut off) 5
517. rization (screenshot: Operation of Users; Add; Del Selected). 2. Configure 802.1X for GigabitEthernet 1/0/1: a. In the Ports With 802.1X Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Port list, select Enable Re-Authentication, and click Apply. Figure 313 Configuring 802.1X for GigabitEthernet 1/0/1 (screenshot: Apply 802.1X Port Configuration; Port GigabitEthernet1/0/1; Port Control MAC Based; Port Authorization Auto; Max Number of Users 256 (1 to 256, default 256); Enable Handshake; Enable Re-Authentication; Guest VLAN (1 to 4094); Enable MAC VLAN, only hybrid ports support this configuration; Auth-Fail VLAN (1 to 4094); items marked with an asterisk are required; Apply, Cancel). Configuring the RADIUS scheme for the switch: 1. Configure authentication and accounting attributes for the RADIUS scheme: a. From the navigation tree, select Authentication > RADIUS and click Add. b. Enter the scheme name system. c. Select the server type Extended and select Without domain name from the Username Format list. d. Click Advanced. e. Enter name in the Authentication Key and Confirm Authentication Key fields. f. Enter money in the Accounting Key and Confirm Accounting Key fields. g. Enter 5 as the server timeout timer. h. Enter 5 as the maximum number of request transmission attempts. i. Enter 15 as the realtime accounting interval. Figure 314 Configuring the RADIUS scheme (screenshot: Add RADIUS scheme; Scheme Name (1 to 32 chars)
518. roduce the same result, and the latest (text cut off). a. Selecting VLANs: Specify the range of VLANs available for selection during related operations. Required. Configure a subset of all existing VLANs. This step is required before you perform operations on the Detail, Modify VLAN and Modify Port tabs. b. Modifying a VLAN: Configure the trunk port as an untagged member of the specified VLANs. By default, the untagged VLAN of a trunk port is VLAN 1. When you change the untagged VLAN (PVID) of a trunk port, the former untagged VLAN automatically becomes a tagged VLAN of the trunk port. 5. Modifying ports: Configure the untagged VLAN of the trunk port. 6. Configure the trunk port as a tagged member of the specified VLANs: a. Selecting VLANs: Specify the range of VLANs available for selection during related operations. Required. Configure a subset of all existing VLANs. This step is required before you perform operations on the Detail, Modify VLAN and Modify Port tabs. b. Modifying a VLAN: Configure the trunk port as a tagged member of the specified VLANs. N/A. A trunk port can have multiple tagged VLANs. You can repeat these steps to configure multiple tagged VLANs for the trunk port. 7. Modifying ports: Configure the tagged VLAN of the trunk port. Recommended configuration procedure for assigning a hybrid port to a VLAN. Step / Remarks. 1. Creating VLANs: Required. Create one or multiple VLANs. Optional. Configure th
519. ror Port; Stream Orientation both; Select port(s); Select All, Select None; ports available for selection; Apply; Selected Port(s): GE1/0/1, GE1/0/2; Note: 1. Selected Port(s): configured member port(s). 2. Not Available for Selection: all the member ports of mirroring groups on the device except Selected Port(s)). 6. Click Apply. A configuration progress dialog box appears. 7. After the success notification appears, click Close. Configuring GigabitEthernet 1/0/3 as the monitor port: 1. Click Modify Port. 2. Select 1 - Local from the Mirroring Group ID list. 3. Select Monitor Port from the Port Type list. 4. Select 3 (GigabitEthernet 1/0/3) on the chassis front panel. Figure 71 Configuring the monitor port (screenshot: Summary, Add and Remove tabs; Modify Port; Mirroring Group ID 1 - Local; Port Type Monitor Port; Stream Orientation both; Select port(s); ports available for selection; Selected Port(s); Note: 1. Selected Port(s): configured member port(s). 2. Not Available for Selection: all the member ports of mirroring groups on the device except Selected Port(s); Apply). 5. Click Apply. A configuration progress dialog box appears. 6. After the success notification appears, click Close. Managing users: The user management function allows you to do the following: Adding a local user and specifying the password, access level and service types for the user; Settin
520. routers on the local subnet to determine whether any active multicast group members exist on the subnet. The destination address of IGMP general queries is 224.0.0.1. After receiving an IGMP general query, the switch forwards the query through all ports in the VLAN except the receiving port. The switch also performs one of the following actions: If the receiving port is a dynamic router port in the router port list, the switch restarts the aging timer for the port. If the receiving port is not in the router port list, the switch adds the port as a dynamic router port into the router port list and starts an aging timer for the port. IGMP report: A host sends an IGMP report to the IGMP querier for the following purposes: to respond to IGMP queries if the host is a multicast group member; to apply for a multicast group membership. After receiving an IGMP report, the switch forwards it through all the router ports in the VLAN, resolves the address of the reported multicast group, and performs one of the following actions: If no forwarding entry matches the group address, the switch creates a forwarding entry for the group, adds the receiving port as a dynamic member port to the forwarding entry, and starts an aging timer for the port. If a forwarding entry matches the group address but the receiving port is not in the forwarding entry for the group, the switch adds the port as a dynamic member port to the forwarding entry and
521. rrent user level to the management level. Login. Configuring a loopback test: You can check whether an Ethernet port operates correctly by performing an Ethernet port loopback test. During the test, the port cannot forward data packets correctly. Ethernet port loopback tests have the following types: Internal loopback test, which establishes a self-loop in the switching chip and checks whether there is a chip failure related to the functions of the port. External loopback test, which uses a loopback plug on the port; packets forwarded by the port will be received by itself through the loopback plug. The external loopback test can be used to check whether there is a hardware failure on the port. Configuration guidelines: When you configure a loopback test, follow these restrictions and guidelines: When a port is physically down, you cannot perform an external loopback test on the port. After a port is shut down manually, you can perform neither an internal nor an external test on the port. When a port is under loopback test, you cannot apply Rate, Duplex, Cable Type and Port Status configuration to the port. An Ethernet port operates in full duplex mode when a loopback test is performed. It restores its original duplex mode after the loopback test is finished. Configuration procedure: 1. From the navigation tree, select Device > Loopback. Figure 75 Loopback test page (screenshot: Testing type: External / Internal
522. rs. 802.1X Port-Based: A port performs 802.1X authentication and implements port-based access control. In this mode, a port can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication. In this mode, neither outbound restriction nor intrusion protection will be triggered. 802.1X Single-Host: A port performs 802.1X authentication and implements MAC-based access control. It services only one user passing 802.1X authentication. 802.1X MAC-Based: A port performs 802.1X authentication of users and implements MAC-based access control. The port in this mode supports multiple online 802.1X users. 802.1X MAC-Based Or OUI: Similar to the 802.1X Single-Host mode, a port in this mode performs 802.1X authentication of users and allows only one 802.1X user to access at a time. The port also permits frames from a wired terminal whose MAC address contains a specific OUI. For frames from a wireless user, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. (Mode name cut off): This mode is the combination of the 802.1X Single-Host and MAC Auth modes, with 802.1X authentication having higher priority. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames. For wireless users, 802.1X authentication is performed
rt rate of an aggregate interface equals the total rate of its member ports in Selected state, and its duplex mode is the same as that of the Selected member ports. For more information about the states of member ports in an aggregation group, see "Static aggregation mode" and "Dynamic aggregation mode."

LACP
The Link Aggregation Control Protocol (LACP) is defined in IEEE 802.3ad. It uses LACPDUs to exchange aggregation information between LACP-enabled devices. LACP is automatically enabled on member ports in a dynamic aggregation group. An LACP-enabled port sends LACPDUs to notify the remote system (the partner) of its system LACP priority, system MAC address, LACP port priority, port number, and operational key. Upon receiving an LACPDU, the peer port compares the received information with the information received on other member ports. In this way, the two systems reach an agreement on which ports are placed in Selected state.

Operational key
When aggregating ports, link aggregation control automatically assigns each port an operational key based on port attributes, including the port rate, duplex mode, and link state configuration. In an aggregation group, all Selected ports are assigned the same operational key.

Configuration classes
Port configurations include the following classes:
• Class-two configurations: A member port can be placed in the Selected state only if it has the same class-two configurations as the aggregat
rver at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to GigabitEthernet 1/0/1 to deny the access of 802.1X users to the FTP server at 10.0.0.1/24.
Figure 320 Network diagram (Host 192.168.1.10; Switch with GE1/0/1 and Vlan-int2; RADIUS server cluster 10.1.1.1 and 10.1.1.2 as authentication servers; Internet; FTP server 10.0.0.1)

Configuring IP addresses
Assign an IP address to each interface as shown in Figure 320. (Details not shown.)

Configuring a RADIUS scheme
1. Create a RADIUS scheme:
   a. From the navigation tree, select Authentication > RADIUS, and then click Add.
   b. Enter the scheme name system.
   c. Select the server type Extended.
   d. Select Without domain name from the Username Format list.
   e. Click Apply.
2. Configure the primary authentication server in the RADIUS scheme:
   a. In the RADIUS Server Configuration area, click Add.
   b. Select the server type Primary Authentication.
   c. Enter the IP address 10.1.1.1 and enter the port number 1812.
   d. Enter expert in the Key and Confirm Key fields.
   e. Click Apply.
Figure 321 Configuring the RADIUS authentication server (Add RADIUS Server: IP Address IPv4/IPv6; Port 1812, default 1812; Key and Confirm Key, 1 to 64 characters)
3. Configure the primary accounting server in the RADIUS scheme:
   a. In the RADIUS Server Con
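The Key entered in step 2d is the RADIUS shared secret, and it is worth seeing what that secret actually does on the wire before settling on a value like expert. The Python below is an added example, not code from the HP manual or from the switch: it implements the RFC 2865 User-Password hiding (MD5 keystream chained from the 16-byte Request Authenticator) and the Response Authenticator that lets the switch verify an Access-Accept, and then shows the offline dictionary attack that a short secret invites. The secret expert comes from the example above; the Request Authenticator and passwords are constructed sample values.

```python
"""Added example (not from the HP manual): what the RADIUS 'Key' configured
above protects. RFC 2865 hides the User-Password attribute with an MD5
keystream derived from the shared secret and the 16-byte Request
Authenticator, and the same secret authenticates the server's reply.
The secret 'expert' is the one used in the configuration example; all other
values are constructed. Nothing here talks to a real server."""
import hashlib
import os

SECRET = b"expert"  # the key entered in the Key / Confirm Key fields above


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next keystream block is keyed by this ciphertext block
    return bytes(hidden)


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding (passwords cannot end in NUL)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only proof the switch has that an Access-Accept came from a server
    that knows the key, so a guessable key also lets an attacker forge accepts."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def recover_secret(candidates, request_authenticator: bytes, hidden: bytes, known_password: bytes):
    """Offline attack that a weak key invites: anyone who captures one Access-Request
    whose plaintext password they know (for example their own account) can try
    dictionary words until hide_password() reproduces the captured attribute."""
    for candidate in candidates:
        if hide_password(candidate, request_authenticator, known_password) == hidden:
            return candidate
    return None


if __name__ == "__main__":
    ra = os.urandom(16)  # the client picks a fresh Request Authenticator per request
    captured = hide_password(SECRET, ra, b"s3cret-pw")
    print("hidden User-Password:", captured.hex())
    print("recovered secret:", recover_secret([b"radius", b"hp", b"expert"], ra, captured, b"s3cret-pw"))
```

The Request Authenticator travels in the clear, so the only unknown in the keystream is the secret; recover_secret shows why the field accepts up to 64 characters and why a dictionary word should not be used for it.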
rvice, IPv4 Ping, IPv6 Ping, IPv4 Traceroute, IPv6 Traceroute, MAC Authentication, 802.1X, Port Security, Domain Setup, Authentication, Authorization

• Display the IPv6 active route table. Create an IPv6 static route. Delete the selected IPv6 static routes.
• Display information about the DHCP status, advanced configuration of the DHCP relay agent, DHCP server group configuration, DHCP relay agent interface configuration, and DHCP client information. Enable/disable DHCP, configure advanced DHCP relay agent settings, configure a DHCP server group, and enable/disable the DHCP relay agent on an interface.
• Display the status, trusted and untrusted ports, and DHCP client information of DHCP snooping. Enable/disable DHCP snooping and configure DHCP snooping trusted and untrusted ports.
• Display the states of services (enabled or disabled). Enable/disable services and set related parameters.
• Ping an IPv4 address. Ping an IPv6 address. Perform IPv4 traceroute operations. Perform IPv6 traceroute operations.
• Display MAC authentication configuration information. Configure MAC authentication.
• Display 802.1X configuration information globally or on a port. Configure 802.1X globally or on a port.
• Display port security configuration information. Configure port security.
• Display ISP domain configuration information. Add and remove ISP domains.
• Display the authentication configuratio
s

Ping IP address 1.1.2.2:
<Sysname> ping 1.1.2.2
  PING 1.1.2.2: 56 data bytes, press CTRL_C to break
    Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=205 ms
    Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
  --- 1.1.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/41/205 ms
The output shows that IP address 1.1.2.2 is reachable and the echo replies are all returned from the destination. The minimum, average, and maximum round-trip intervals are 1 millisecond, 41 milliseconds, and 205 milliseconds, respectively.

ping ipv6
Syntax
ping ipv6 host
Parameters
host: Destination IPv6 address or host name, a string of 1 to 255 characters.
Description
Use ping ipv6 to ping a specified destination. To terminate a ping operation, press Ctrl+C.
Examples
Ping IPv6 address 2001::4:
<Sysname> ping ipv6 2001::4
  PING 2001::4 : 56 data bytes, press CTRL_C to break
    Reply from 2001::4
    bytes=56 Sequence=1 hop limit=64 time=15 ms
    Reply from 2001::4
    bytes=56 Sequence=2 hop limit=64 time=2 ms
    Reply from 2001::4
    bytes=56 Sequence=3 hop limit=64 time=11 ms
    Reply from 2001::4
    bytes=56 Sequence=4 hop limit=64 time=2 ms
    Reply from 2001::4
    bytes=56 Sequence=5 hop
s

3. Setting the PVID for a port: Configure the PVID of the access port.
4. Configuring the access ports as untagged members of a VLAN:
   a. Selecting VLANs: Specify the range of VLANs available for selection during related operations. Configure a subset of all existing VLANs. This step is required before you perform operations on the Detail, Modify VLAN, and Modify Port tabs.
   b. Modifying a VLAN: Configure the access ports as untagged members of the specified VLAN. Required. By default, an access port is an untagged member of VLAN 1. An access port has only one untagged VLAN, and the untagged VLAN is its PVID. The three operations produce the same result, and the latest operation takes effect.
5. Modifying ports: Configure the untagged VLAN of the port. N/A.

Recommended configuration procedure for assigning a trunk port to a VLAN
Step / Remarks
1. Creating VLANs: Required. Create one or multiple VLANs.
2. Configuring the link type of a port: Optional. Configure the link type of the port as trunk. To configure a hybrid port as a trunk port, first configure it as an access port. By default, the link type of a port is access.
3. Setting the PVID for a port: Configure the PVID of the trunk port.
4. Configure the trunk port as an untagged member of the specified VLANs: Required. A trunk port has only one untagged VLAN, and the untagged VLAN is its PVID. The three operations p
s 01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.

Access device as the initiator
The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP. The access device supports the following modes:
• Multicast trigger mode: The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
• Unicast trigger mode: Upon receiving a frame with a source MAC address that is not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a certain time interval.

802.1X authentication procedures
802.1X provides the following methods for authentication:
• EAP relay
• EAP termination
You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods.
• EAP relay mode: EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR (EAP over RADIUS) packets to send authentication information to the RADIUS server, as shown in Figure 304.
Figure 304 EAP relay
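The two initiation paths above (client sends EAPOL-Start to the PAE group address; access device answers an unknown source MAC with EAP-Request/Identity) are easier to reason about with the frames in front of you. The Python below is an added example, not code from the HP manual or the switch firmware: it builds and parses EAPOL frames per IEEE 802.1X framing (Ethertype 0x888E, EAPOL version/type/length header, EAP code/identifier/length/type) and models the unicast trigger decision against a MAC table. The MAC addresses and the MAC table contents are constructed sample data.

```python
"""Added example (not from the HP manual): the frames behind the two 802.1X
initiation paths described above, plus the access device's unicast-trigger
decision. MAC addresses and the MAC table are constructed sample data."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03 from the text
BROADCAST = b"\xff" * 6
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def eapol_frame(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II header + EAPOL header (version, packet type, body length) + body."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, eapol_type, len(body))
    return dst + src + header + body


def eapol_start(client_mac: bytes, dst: bytes = PAE_GROUP_ADDRESS) -> bytes:
    """Client-initiated authentication: EAPOL-Start to the PAE group address, or to
    ff:ff:ff:ff:ff:ff when an intermediate device does not pass the multicast."""
    return eapol_frame(dst, client_mac, EAPOL_START)


def eap_request_identity(device_mac: bytes, client_mac: bytes, identifier: int) -> bytes:
    """Device-initiated authentication: EAP-Request/Identity inside an EAPOL EAP-Packet.
    The EAP length (5) covers the 4-byte EAP header plus the Type byte."""
    eap = struct.pack("!BBHB", EAP_CODE_REQUEST, identifier & 0xFF, 5, EAP_TYPE_IDENTITY)
    return eapol_frame(client_mac, device_mac, EAPOL_EAP_PACKET, eap)


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; raise ValueError on anything malformed or truncated,
    which is what an authenticator must do before trusting any length field."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL header")
    ethertype, version, eapol_type, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL length field exceeds frame")
    out = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "version": version,
           "eapol_type": eapol_type, "body_len": body_len}
    if eapol_type == EAPOL_EAP_PACKET:
        if body_len < 4:
            raise ValueError("EAP packet shorter than its header")
        code, ident, length = struct.unpack("!BBH", body[:4])
        if length > body_len:
            raise ValueError("EAP length exceeds EAPOL body")
        eap = {"code": code, "id": ident, "length": length}
        if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) and length >= 5:
            eap["type"] = body[4]  # Request/Response carry a Type byte
        out["eap"] = eap
    return out


def unicast_trigger(frame_src: bytes, mac_table: set, device_mac: bytes, identifier: int):
    """Unicast trigger mode: a frame whose source MAC is not in the MAC address table
    makes the device send EAP-Request/Identity to that MAC out of the receiving port;
    a known MAC triggers nothing (returns None)."""
    if frame_src in mac_table:
        return None
    return eap_request_identity(device_mac, frame_src, identifier)


if __name__ == "__main__":
    client = bytes.fromhex("001b218886ff")      # constructed client MAC
    device = bytes.fromhex("00e0fc010000")      # constructed access-device MAC
    print(parse_eapol(eapol_start(client)))
    print(parse_eapol(unicast_trigger(client, set(), device, 1)))
```

Note that EAPOL-Start carries no EAP body (length 0), which is why the multicast-vs-broadcast destination is the only thing a client can vary when a switch in the path eats 01-80-C2-00-00-03.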
s 173; MAC addressing: port security secure MAC address configuration 427; MAC authentication: ACL assignment 405, 411; Auth-Fail VLAN 405; configuration 404, 406, 408; configuration (global) 406; configuration (port-specific) 408; local authentication 404, 408; port security advanced control configuration 428; port security advanced mode configuration 433; port security basic control configuration 425; port security basic mode configuration 430; port security configuration 421, 423, 430; port security configuration (global) 424; port security modes 421; port security permitted OUIs configuration 429; RADIUS-based 404; timers 405; user account policies 404; using with other features 405; VLAN assignment 405; Management Information Base: Use MIB; managing: port 69, 75; Web device configuration 64, 67; Web device file management 67; Web device user 86; Web devices 52; Web services 314, 315; mapping: MSTP VLAN-to-instance mapping table 187; master port (MST) 187; match order: ACL auto 450; ACL config 450; max age timer (STP) 184; mechanism: rate limit 474; member: IGMP snooping member port 252; MLD snooping member port 266; member device: logging from the master 42, 518; membership report: IGMP snooping 254; MLD snooping 268; message: ARP configuration 242; ARP message format 242; ARP static configuration 246; DHCP format 294; gratuitous ARP configuration 246; gratuitous ARP packet learning 244; IP multicast IGMP snoopi
s. The switch removes the port from the forwarding entry for the multicast group when the aging timer expires.

Protocols and standards
RFC 4541, Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches

Recommended configuration procedure
Step / Remarks
1. Enabling IGMP snooping globally: Required. Disabled by default.
2. Configuring IGMP snooping in a VLAN: Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN. When you enable IGMP snooping, follow these guidelines:
   • Enable IGMP snooping globally before you enable it for a VLAN.
   • IGMP snooping for a VLAN takes effect only on the member ports in that VLAN.
3. Configuring IGMP snooping port functions: Optional. Configure the maximum number of multicast groups and fast-leave processing on a port of the specified VLAN. When you configure IGMP snooping port functions, follow these guidelines:
   • Before you enable IGMP snooping on a port, enable multicast routing or IGMP snooping globally.
   • IGMP snooping enabled on a port takes effect only after IGMP snooping is enabled in the VLAN or IGMP is enabled on the VLAN interface.
4. Displaying IGMP snooping multicast forwarding entries: Optional.

Enabling IGMP snooping globally
1. From the navigation tree, select Network > IGMP
s (Figure: congestion scenarios 1 and 2, with link rates of 10M, 50M, and 100M)
• The traffic enters a device from a high-speed link and is forwarded over a low-speed link.
• The packet flows enter a device from several incoming interfaces and are forwarded out of an outgoing interface whose rate is smaller than the total rate of these incoming interfaces.
When traffic arrives at the line speed, a bottleneck is created at the outgoing interface, causing congestion. Besides bandwidth bottlenecks, congestion can be caused by resource shortage in various forms (such as insufficient processor time, buffer, and memory) and by network resource exhaustion resulting from excessive arriving traffic in certain periods.

Impacts
Congestion might bring these negative results:
• Increased delay and jitter during packet transmission
• Decreased network throughput and resource use efficiency
• Network resource (memory in particular) exhaustion and even system breakdown
It is obvious that congestion hinders resource assignment for traffic and degrades service performance. Congestion is unavoidable in switched networks and multi-user application environments. To improve the service performance of your network, you must address the congestion issues.

Countermeasures
A simple solution for congestion is to increase network bandwidth; however, it cannot solve all the problems that cause congestion, because you cannot increase network bandwidth i
s entries
1. Select Network > MAC from the navigation tree.
2. Click the Setup tab to enter the page for setting the MAC address entry aging time.
Figure 171 Setting the aging time for MAC address entries (No aging / Aging Time: 300 seconds, range 10 to 1000000, default 300)
3. Configure the aging time for MAC address entries as described in Table 53.
4. Click Apply.

Table 53 Configuration items
Item / Description
• No aging: Specify that the MAC address entry never ages out.
• Aging time: Set the aging time for the MAC address entry.

MAC address table configuration example
Network requirements
Use the Web-based NMS to configure the MAC address table of the device. Add a static MAC address 00e0-fc35-dc71 under GigabitEthernet 1/0/1 in VLAN 1.

Creating a static MAC address entry
1. Select Network > MAC from the navigation tree. By default, the MAC tab is displayed.
2. Click Add.
3. Configure a MAC address entry:
   a. Type MAC address 00e0-fc35-dc71.
   b. Select static from the Type list.
   c. Select 1 from the VLAN list.
   d. Select GigabitEthernet1/0/1 from the Port list.
4. Click Apply.
Figure 172 Creating a static MAC address entry (MAC 00e0-fc35-dc71, Type static, VLAN 1, Port GigabitEthernet1/0/1; items marked with an asterisk are required)

Configuring MSTP
Overview
Spanning tree protocols elim
s of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding. To achieve this, you can use VLAN interfaces. VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward the traffic destined for an IP network segment different from that of the VLAN.

Creating a VLAN interface
When you create a VLAN interface, you can select to assign an IPv4 address and an IPv6 link-local address to the VLAN interface in this step or in a separate step. If you do not select to configure an IP address, you can create the VLAN interface and configure an IP address for the VLAN interface by modifying it.
To create a VLAN interface:
1. From the navigation tree, select Network > VLAN Interface.
2. Click Create to enter the page for creating a VLAN interface.
Figure 146 Creating a VLAN interface (Input a VLAN ID, 1 to 4094; Configure Primary IPv4 Address: DHCP / BOOTP / Manual, IPv4 address, Mask Length; Configure IPv6 Link Local Address: Auto / Manual, IPv6 address)
3. Configure the VLAN interface as described in Table 43.
4. Click Apply.

Table 43 Configuration items
Item / Description
• Input a VLAN ID: Enter th
s service, such as 802.1X and SSH.
• Service type: If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and therefore cannot log in. The service type of the guest administrator and security log administrator is Web.
• Expire time: Specify an expiration time for the local user, in the HH:MM:SS-YYYY/MM/DD format. To authenticate a local user with the expiration time configured, the access device checks whether the expiration time has passed. If it has not passed, the device permits the user to log in.
• VLAN: Specify the VLAN to be authorized to the local user after the user passes authentication. This option takes effect on only LAN users.
• ACL: Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication. This option takes effect on only LAN users.
• User profile: Specify the user profile for the local user. This option takes effect on only LAN users, but it does not take effect in this software version.

Configuring a user group
1. Select Authentication > Users from the navigation tree.
2. Click the User Group tab to display the existing user groups.
Figure 365 User group list (columns: Group Name, Level, VLAN, ACL, User Profile, Operation; one group, system, at level Visitor)
3. Click Add. The page for configuring a user group appears.
Figu
• Static Item: ... that are collected and monitored. For more information, see Table 28.
• Interface Name: Set the name of the interface whose traffic statistics are collected and monitored.
Sample Item
• Interval: Set the sampling interval.
• Sample Type: Set the sampling type:
   • Absolute: Absolute sampling, to obtain the value of the variable when the sampling time is reached.
   • Delta: Delta sampling, to obtain the variation of the variable during the sampling interval when the sampling time is reached.
• Owner: Set the owner of the alarm entry.
Alarm
• Create Default Event: Select whether to create a default event. The description of the default event is "default event", the action is "log and trap", and the owner is "default owner". If there is no event, you can create the default event. When the value of the alarm variable is higher than the alarm rising threshold or lower than the alarm falling threshold, the system takes the default action (log and trap).
• Rising Threshold: Set the alarm rising threshold.
• Rising Event: Set the action that the system takes when the value of the alarm variable is higher than the alarm rising threshold. If you select the Create Default Event box, this option is not configurable.
• Falling Threshold: Set the alarm falling threshold.
• Falling Event: Set the action that the system takes when the value of the alarm variable is lower than the alarm falling threshold. Fal
s. The alarm variables that can be configured through the Web interface are MIB variables defined in the history group or the statistics group. Configure the RMON Ethernet statistics function or the RMON history statistics function on the monitored Ethernet interface.
After you create a statistics entry on an interface, the system collects various traffic statistics on the interface, including network collisions, CRC alignment errors, undersize/oversize packets, broadcasts, multicasts, bytes received, and packets received. The statistics are cleared at a reboot.
IMPORTANT: You can create only one statistics entry for one interface.
Required. You can create up to 60 event entries for an event table. An event entry defines event indexes and the actions the system takes, including: log the event; send a trap to the NMS; take no action; and log the event and send a trap to the NMS.
IMPORTANT: You cannot create an event entry if the values of the specified event description, owner, and actions are identical to those of an existing entry in the system.
Required. You can create up to 60 alarm entries for an alarm table. With an alarm entry created, the specified alarm event is triggered when an abnormality occurs. The alarm event defines how to deal with the abnormality.
IMPORTANT: You cannot create an alarm entry if the values of the specified alarm variable, sampling interval, sampling type, rising threshold, and falling threshold are identical to those of an existing entry in the system.
select 1 from the Rising Event list, enter 100 in the Falling Threshold field, select 1 from the Falling Event list, and click Apply.
Figure 96 Configuring an alarm group (Alarm Variable: Static Item = Number of Packet Discarding Events, Interface Name = GigabitEthernet1/0/1; Sample Item: Interval 10 seconds, range 5 to 65535; Sample Type Delta; Owner user, 1 to 127 characters; Alarm: Create Default Event unchecked, Rising Threshold 1000, Rising Event 1, Falling Threshold 100, Falling Event 1, threshold range 0 to 2147483647. Before creating an alarm, create the statistics entry and the event first. Items marked with an asterisk are required.)

Verifying the configuration
After the above configuration, when the alarm event is triggered, you can display log information for event 1 on the Web interface:
1. Select Device > RMON from the navigation tree.
2. Click the Log tab. The log page appears.
The log in this example indicates that event 1 generated one log, which was triggered because the alarm value 22050 exceeded the rising threshold 1000. The sampling type is absolute.
Figure 97 Log information for event 1 (Event Index 1; time 2011-5-16 16:32:53; description: The 1.3.6.1.2.1.16.1.1.1.4.1 defined in alarmEntry 1, uprise 1000 with alarm value 22050. Alarm sample ty
select a policy: policy1; Direction: Inbound; Please select port(s); Select All / Select None)

Configuring PoE
Only a device with a mark of PoE supports the PoE feature.

Overview
IEEE 802.3af-compliant power over Ethernet (PoE) enables a power sourcing equipment (PSE) to supply power to powered devices (PDs) through Ethernet interfaces over straight-through twisted pair cables. Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web cameras, and data collectors. A PD can also use a different power source from the PSE at the same time for power redundancy.
As shown in Figure 488, a PoE system comprises the following elements:
• PoE power: The entire PoE system is powered by the PoE power.
• PSE: The PSE supplies power for PDs. A PSE can examine the Ethernet cables connected to PoE interfaces, search for PDs, classify them, and supply power to them. When detecting that a PD is removed, the PSE stops supplying power to the PD. A PSE can be built-in (Endpoint) or external (Midspan). A built-in PSE is integrated into a switch or router, and an external PSE is independent of a switch or router. The HP PSEs are built-in. Only one PSE is available on the device, so the entire device is considered as a PSE.
• PI: An Ethernet interface with the PoE capability is called a PoE interface. A PoE interface can be an FE or GE interface.
• PD: A PD receives power from the
server.
Figure 298 802.1X architecture (Client, Device, Authentication server)
• Client: A user terminal seeking access to the LAN. It must have 802.1X software to authenticate to the network access device.
• Network access device: Authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.
• Authentication server: Provides authentication services for the network access device. The authentication server authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results to the network access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can also use the network access device as the authentication server.

Access control methods
HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.
• Port-based access control: Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.
• MAC-based access control: Each user is separately authenticated on a port. When a user logs off, no other online users are affected.

Controlled/uncontrolled port and port authorization status
802.1X
specified VLAN.
Configuring MLD snooping port functions: When you configure MLD snooping port functions, follow these guidelines:
• Enable MLD snooping globally before you enable it on a port.
• MLD snooping enabled on a port takes effect only after MLD snooping is enabled for the VLAN.
Displaying MLD snooping multicast forwarding entries: Optional.

Enabling MLD snooping globally
1. Select Network > MLD snooping from the navigation tree.
2. Click Enable for MLD snooping.
3. Click Apply.
Figure 243 Enabling MLD snooping globally (MLD Snooping: Enable / Disable; VLAN Configuration table with columns VLAN ID, MLD Snooping, Version, Querier, Query Interval, General Query Source Address, Special Query Source Address, Operation; VLANs 1, 100, 200, and 300 are listed, each with MLD snooping Disabled, version 1, querier Disabled, query interval 125, and source addresses FE80::2FF:FFFF:FE00:1)

Configuring MLD snooping in a VLAN
1. Select Network > MLD snooping from the navigation tree.
2. Click the edit icon in the Operation column for the VLAN.
Figure 244 Configuring MLD snooping in a VLAN (VLAN ID 1; MLD Snooping: Enable / Disable; Version: 1 / 2; Querier: Enable / Disable; Query Interval: 2 to 300 seconds, default 125; Genera
spend the sending of packets. The egress port is expected to stop sending any new packet when it receives the Pause frame. In this way, flow control helps to avoid dropping of packets.
• Flow Control: Flow control works only after it is enabled on both the ingress and egress ports.
• Power Save: Enable or disable auto power-down on a port that is down. By default, auto power-down is disabled on an Ethernet port that is down. With auto power-down enabled on an Ethernet port that stays in the down state for a certain period, the following events occur:
   • The device automatically stops supplying power to the port.
   • The port enters the power save mode.
  When the Ethernet port comes up, the following events occur:
   • The device automatically restores power supply to the port.
   • The port resumes its normal state.
• Max MAC Count: Set the MAC learning limit on the port.
   • User Defined: Select this option to set the limit manually.
   • No Limited: Select this option to set no limit.
• EEE: Enable or disable Energy Efficient Ethernet (EEE) on a link-up port. With EEE enabled, when a link-up Ethernet port does not receive any packet for a certain period, it automatically enters low power mode. When a packet arrives later, the device restores power supply to the port and the port resumes its normal state.
• Broadcast Suppression: Set broadcast suppression on the port.
   • ratio: Sets the maximum percentage of broadcast traffic to the total bandwidth of an Ethernet port. When you s
splayed as active routes on the pages.
2. Ping Host C from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2
Pinging 1.1.3.2 with 32 bytes of data:
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Ping statistics for 1.1.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

IPv6 static route configuration example
Network requirements
As shown in Figure 262, configure IPv6 static routes on Switch A, Switch B, and Switch C for any two hosts to communicate with each other.
Figure 262 Network diagram (Host A 1::2/64, Host B 2::2/64, Host C 3::2/64; Switch A, Switch B, and Switch C interconnected through VLAN interfaces Vlan-int100, Vlan-int200, Vlan-int300, and Vlan-int400 with addresses including 1::1/64, 3::1/64, 4::1/64, and 4::2/64)

Configuration considerations
• On Switch A, configure a default route with Switch B as the next hop.
• On Switch B, configure one static route with Switch A as the next hop and the other with Switch C as the next hop.
• On Switch C, configure a default route with Switch B as the next hop.

Configuration procedure
1. Configure a default route to Switch B on Switch A:
   a. Select Network > IPv6 Routing from the navigation tree of Switch A.
   b. Click the
ss field.
Enter 00e0-fc01-0000 in the MAC Address field.
Select Advanced Options.
Enter 100 in the VLAN ID field.
Select GigabitEthernet1/0/1 from the Port list.
Click Apply.
Figure 225 Creating a static ARP entry (New Static ARP Entry: IP Address 192.168.1.1; MAC Address 00e0-fc01-0000; Advanced Options: VLAN ID 100, range 1 to 4094; Port GigabitEthernet1/0/1; items marked with an asterisk are required)

Configuring ARP attack protection
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients, to prevent user spoofing and gateway spoofing attacks. ARP detection provides user validity check and ARP packet validity check.
User validity check
This feature does not check ARP packets received from ARP trusted ports, but it checks ARP packets from ARP untrusted ports. Upon receiving an ARP packet from an ARP untrusted interface, this feature compares the sender IP and MAC addresses against the DHCP snooping entries and 802.1X security entries. If a match is found in those entries, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
ARP packet validity check
This feature does not check ARP packets received
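The user validity check above is a small piece of logic, but it is worth seeing it run against real frame bytes, including the gateway-spoofing case it exists to stop. The Python below is an added example, not code from the HP manual or the switch: it parses RFC 826 ARP-over-Ethernet frames and applies the trusted-port bypass and the sender IP/MAC lookup the text describes. The binding table stands in for the DHCP snooping and 802.1X entries a real switch would consult, and the port names, MAC addresses, and frames are constructed sample data (the gateway address 192.168.1.1 and MAC 00e0-fc01-0000 are reused from the static ARP example).

```python
"""Added example (not from the HP manual): the ARP user validity check described
above, applied to raw ARP frames. The binding table, port roles, and frames are
constructed sample data standing in for the DHCP snooping and 802.1X entries."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(eth_src: bytes, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str, op: int = ARP_REQUEST) -> bytes:
    """Ethernet II + RFC 826 ARP for IPv4 over Ethernet (htype 1, ptype 0x0800, hlen 6, plen 4)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else target_mac
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sender_mac + ipaddress.IPv4Address(sender_ip).packed
           + target_mac + ipaddress.IPv4Address(target_ip).packed)
    return dst + eth_src + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields the check needs; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "eth_src": frame[6:12],
        "op": op,
        "sender_mac": frame[22:28],
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": frame[32:38],
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def user_validity_check(port: str, frame: bytes, trusted_ports: set, bindings: dict) -> tuple:
    """Return ('forward' | 'discard', reason).

    ARP trusted ports (uplinks towards the gateway and DHCP server) are not checked.
    On an untrusted port the sender IP and sender MAC must match one entry in the
    snooping/802.1X bindings (sender_ip -> mac); otherwise the packet is discarded.
    A host that has no binding cannot even ask for the gateway, and a host that has
    one cannot claim the gateway's IP with its own MAC."""
    if port in trusted_ports:
        return "forward", "trusted port, not checked"
    arp = parse_arp(frame)
    bound_mac = bindings.get(arp["sender_ip"])
    if bound_mac is None:
        return "discard", f"no binding for sender IP {arp['sender_ip']}"
    if bound_mac != arp["sender_mac"]:
        return "discard", (f"sender IP {arp['sender_ip']} is bound to {bound_mac.hex('-')}, "
                           f"not {arp['sender_mac'].hex('-')}")
    return "forward", "sender IP/MAC matches a binding"


if __name__ == "__main__":
    gateway_mac = bytes.fromhex("00e0fc010000")   # from the static ARP example above
    client_mac = bytes.fromhex("001b218886ff")    # constructed
    attacker_mac = bytes.fromhex("0a0b0c0d0e0f")  # constructed
    trusted = {"GigabitEthernet1/0/24"}           # constructed uplink
    bindings = {"192.168.1.10": client_mac}       # constructed DHCP snooping entry
    frames = [
        ("GigabitEthernet1/0/3", build_arp(client_mac, client_mac, "192.168.1.10", b"\0" * 6, "192.168.1.1")),
        ("GigabitEthernet1/0/3", build_arp(attacker_mac, attacker_mac, "192.168.1.1", client_mac, "192.168.1.10", ARP_REPLY)),
        ("GigabitEthernet1/0/24", build_arp(gateway_mac, gateway_mac, "192.168.1.1", client_mac, "192.168.1.10", ARP_REPLY)),
    ]
    for port, frame in frames:
        print(port, *user_validity_check(port, frame, trusted, bindings))
```

The trusted-port bypass is what makes the gateway's own replies (arriving on the uplink) pass while an identical reply from a user port is dropped; leaving a user port trusted by mistake removes the check entirely for that port.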
st group, the host sends an MLD done message to the multicast router. When the switch receives an MLD done message on a member port, the switch first examines whether a forwarding entry matches the IPv6 group address in the message and, if a match is found, determines whether the forwarding entry contains the dynamic member port.
• If no forwarding entry matches the IPv6 multicast group address, or if the forwarding entry does not contain the port, the switch directly discards the MLD done message.
• If a forwarding entry matches the IPv6 multicast group address and contains the port, the switch forwards the MLD done message to all router ports in the VLAN. Because the switch does not know whether any other hosts attached to the port are still listening to that IPv6 multicast group address, the switch does not immediately remove the port from the forwarding entry for that group. Instead, the switch resets the aging timer for that port.
After receiving the MLD done message, the MLD querier resolves the IPv6 multicast group address in the message and sends an MLD multicast-address-specific query to that IPv6 multicast group through the port that received the MLD done message. After receiving the MLD multicast-address-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that IPv6 multicast group. The switch also performs one of the following actions for the port that received the MLD done message:
• If the
static ports.
NOTE: When IGMP snooping is enabled, all ports that receive PIM hello messages or IGMP general queries with source addresses other than 0.0.0.0 are considered dynamic router ports.

Aging timers for dynamic ports in IGMP snooping
• Dynamic router port aging timer
   Description: When a port receives an IGMP general query with a source address other than 0.0.0.0 or a PIM hello message, the switch starts or resets an aging timer for the port. When the timer expires, the dynamic router port ages out.
   Message received before the timer expires: IGMP general query with a source address other than 0.0.0.0, or PIM hello message.
   Action after the timer expires: The switch removes this port from its router port list.
• Dynamic member port aging timer
   Description: When a port dynamically joins a multicast group, the switch starts or resets an aging timer for the port. When the timer expires, the dynamic member port ages out.
   Message received before the timer expires: IGMP membership report.
   Action after the timer expires: The switch removes this port from the IGMP snooping forwarding table.
NOTE: In IGMP snooping, only dynamic ports age out.

How IGMP snooping works
The ports in this section are dynamic ports.
IGMP messages include general query, IGMP report, and leave message. An IGMP snooping-enabled switch performs differently depending on the message.
General query
The IGMP querier periodically sends IGMP general queries to all hosts and
stsize: The capacity of the token bucket, or the maximum traffic size permitted in each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater than the maximum packet size.
One evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the tokens for forwarding the packet are taken away. If the number of tokens in the bucket is not enough, it means that too many tokens have been used and the traffic is excessive.

Working mechanism of rate limit
With rate limit configured on an interface, all packets to be sent through the interface are first handled by the token bucket of rate limit. If the token bucket has enough tokens, packets can be forwarded. Otherwise, packets are put into QoS queues for congestion management. In this way, the traffic passing the physical interface is controlled.
Figure 461 Rate limit implementation (tokens are put into the token bucket at the set rate; packets to be sent via this interface pass through the bucket and are either sent or placed in the buffer queue)
With a token bucket used for traffic control, when the token bucket has tokens, the bursty packets can be transmitted. When no tokens are available, packets cannot be transmitted until new tokens are generated in the token bucket. In this way, the traffic rate is restricted to the rate for generating tokens; the traffic rate is limited and
547. succession, the RMON agent generates an alarm event only for the first crossing. For example, if the value of a sampled alarm variable crosses the rising threshold multiple times before it crosses the falling threshold, only the first crossing triggers a rising alarm event, as shown in Figure 79.

Figure 79 Rising and falling alarm events (plot of the alarm variable value against time, with the rising threshold and the falling threshold marked).

RMON configuration task list

Configuring the RMON statistics function
The RMON statistics function can be implemented by either the Ethernet statistics group or the history group, but the objects of the statistics are different, as follows:
• A statistics object of the Ethernet statistics group is a variable defined in the Ethernet statistics table, and the recorded content is a cumulative sum of the variable from the time the statistics entry is created to the current time. Perform the tasks in Table 20 to configure the RMON Ethernet statistics function.
• A statistics object of the history group is the variable defined in the history record table, and the recorded content is a cumulative sum of the variable in each period. Perform the tasks in Table 21 to configure the RMON history statistics function.

Table 20 RMON statistics group configuration task list
Task (Remarks: Required): You can create up to 100 statistics entries in a statistics table. After you create a statistics entry on an interface, the system collects various traf
548. (Port security control form, continued: Enable Intrusion Protection: Disable Port Temporarily; Enable Outbound Restriction: Only MAC Known Unicasts; items marked with an asterisk are required; Apply, Cancel.)

Verifying the configuration
1. Display the secure MAC address entries learned and manually configured on port GigabitEthernet 1/0/3. The maximum number of secure MACs is configured as 3, so up to 3 MAC addresses can be learned and added as secure MAC addresses, as shown in Figure 421.

Figure 421 Secure MAC address list (Security Ports And Secure MAC Address List: Port GigabitEthernet1/0/3, Max Number of MAC 3, Intrusion Protection: Disable Port Temporarily. Secure MAC Address List, Port / MAC / VLAN ID: GigabitEthernet1/0/3, 0000-0000-0001, 100; GigabitEthernet1/0/3, 0000-0000-0002, 100; GigabitEthernet1/0/3, 001b-2188-86ff, 100.)

2. When the maximum number of MAC addresses is reached, intrusion protection is triggered. Select Device > Port Management from the navigation tree and then select the Detail tab. On the page, click the target port (GigabitEthernet 1/0/3 in this example) to view details. Figure 422 shows that the port state is inactive.

Figure 422 Displaying port state (Detail tab: Port State inactive, PVID 100, Flow Control Disabled, Link Type
549. d. Set the voice VLAN aging timer to 30 minutes.
e. Click Apply.

Figure 156 Configuring the voice VLAN function globally (Setup tab: Voice VLAN security; voice VLAN aging timer in minutes, range 5-43200, default 1440; items marked with an asterisk are required; Apply, Cancel).

4. Configure voice VLAN on GigabitEthernet 1/0/1:
a. Click the Port Setup tab.
b. Select Auto in the Voice VLAN port mode list.
c. Select Enable in the Voice VLAN port state list.
d. Enter voice VLAN ID 2.
e. Select GigabitEthernet 1/0/1 on the chassis front panel.
f. Click Apply.

Figure 157 Configuring voice VLAN on GigabitEthernet 1/0/1 (Port Setup tab: Voice VLAN port mode, Voice VLAN port state, Voice VLAN ID; items marked with an asterisk are required; Select ports with Select All / Select None; Ports selected for voice VLAN; Apply, Cancel).

Add OUI addresses to the OUI list:
a. Click the OUI Add tab.
b. Enter OUI address 0011-2200-0000.
c. Select FFFF-FF00-0000 in the Mask list.
d. Enter description string test.
e. Click Apply.

Figure 158 Adding OUI addresses to the OUI list (OUI Add tab: specify an OUI and click Apply to add it to the list; there can be 6 entries at most; OUI Address 0011-2200-0000, example 0010-dc28-a4e9; Mask FFFF-FF00-0000; Description test, 1-30 chars; Apply, Cancel; items marked
550. 294; Option, 295; see also Option; Option 121, 295; Option 150, 295; Option 3 (Option 003), 295; Option 33 (Option 033), 295; Option 51 (Option 051), 295; Option 53 (Option 053), 295; Option 55 (Option 055), 295; Option 6 (Option 006), 295; Option 60 (Option 060), 295; Option 66 (Option 066), 295; Option 67 (Option 067), 295; Option 82 relay agent (Option 082 relay agent), 295; options, 295; options, common, 295; overview, 292; protocols and standards, 296; relay agent configuration, 297, 298, 303; snooping, see DHCP snooping; snooping configuration, 306, 308, 311; snooping Option 82 support, 308; snooping trusted port, 306; snooping untrusted port, 306.
diagnostic tools, 317.
direction: NMM port mirroring bidirectional, 79; NMM port mirroring inbound, 79; NMM port mirroring outbound, 79.
discarding: MST discarding port state, 188.
displaying: active route table IPv4, 279; active route table IPv6, 281; all operation parameters for a port, 74; client's IP-to-MAC bindings, 302, 310; current system time, 56; Ethernet link aggregation aggregate interface, 209; Ethernet link aggregation LACP-enabled port, 211; global LLDP, 234; IGMP snooping multicast forwarding entries, 259; interface statistics, 132; IP services ARP entry, 244; LLDP for a port, 229; LLDP information, 236; MAC address table, 174; MLD snooping multicast forwarding entries, 273; MSTP information on port, 197; NMM RMON running status, 96; PoE, 500; port operation parameters, 3; RMON
551. GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/32 in the Select Ports area.
c. Select Untagged for Select membership type.
d. Enter 100 as the VLAN ID.
e. Click Apply.

Figure 236 Assigning ports to the VLAN (Modify Port tab: Select Ports with Select All / Select None, ports not available for selection are marked; Select membership type: Untagged, Tagged, Not A Member, Link Type; enter VLAN IDs to which the port is to be assigned, VLAN IDs 100, example 1,3,5-10; Selected ports).

3. Enable IGMP snooping globally:
a. From the navigation tree, select Network > IGMP snooping.
b. Select Enable.
c. Click Apply.

Figure 237 Enabling IGMP snooping globally (Advanced tab: IGMP Snooping Enable/Disable, Apply; the VLAN Configuration table lists VLAN 1 and VLAN 100, each with IGMP snooping Disabled, version 2, drop unknown Disabled, querier Disabled, query interval 60 seconds, general query source IP 0.0.0.0, and special query source IP 0.0.0.0).

Enable IGMP snooping for VLAN 100:
a. Click the icon for VLAN 100.
b. Select Enable for IGMP snooping.
c. Select 2 for Version.
d. Click Apply.

Figure 238 Configuring IGMP snooping in VLAN 100 (Advanced tab, VLAN Configuration: VLAN ID 100; IGMP Snooping Enable/Disable; Version 2; Querier Enable/D
552. (Certificate content display; the encoded certificate text is unreadable in this copy.)

Retrieving and displaying a CRL
1. From the navigation tree, select Authentication > Certificate Management.
2. Click the CRL tab.

Figure 379 CRL page (Entity, Domain, Certificate, CRL tabs; Domain Name abcd; Operation: Retrieve CRL, View CRL).

3. Click Retrieve CRL to retrieve the CRL of a domain.
4. Click View CRL for the domain to display the contents of the CRL.

Figure 380 CRL information (View CRL Details: Certificate Revocation List; Version 2 (0x1); Signature Algorithm sha1WithRSAEncryption; Issuer C=cn, O=cl, OU=cl, CN=cl; Last Update Oct 5 07:34:16 GMT; Next Update NONE; CRL extensions: X509v3 CRL Number, X509v3 Authority Key Identifier (keyid); No Revoked Certificates; Signature Algorithm sha1WithRSAEncryption, followed by the signature bytes).
553. (Port setup form, continued: Broadcast Suppression No Change, Multicast Suppression No Change, Unicast Suppression; pps range 1-148810 for a 100 Mbps port, 1-260000 for a GE port, and 1-260000 for a 10GE port; kbps range 1-100000 for a 100 Mbps port, 1-180000 for a GE port, and 1-180000 for a 10GE port; Max MAC Count No Change, 0-8192; Select All / Select None; Unit; Selected Ports; it may take some time if you apply the above settings to multiple ports; Apply, Cancel.)

Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member:
a. Select Network > VLAN from the navigation tree.
b. Click the Modify Port tab.
c. Select GigabitEthernet 1/0/1 from the chassis front panel.
d. Select the Untagged option.
e. Enter VLAN ID 2.
f. Click Apply. A configuration progress dialog box appears.
g. After the configuration process is complete, click Close.

Figure 164 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member (Modify Port tab: Select Ports with Select All / Select None, ports not available for selection are marked; Select membership type: Untagged, Tagged, Not A Member, Link Type, PVID; enter VLAN IDs to which the port is to be assigned, VLAN IDs 2, example 1,3,5-10; Selected ports: Untagged Membership; Apply, Cancel).

Configure voice VLAN on GigabitEthernet 1/0/1:
a. Select Network > Voice VLAN from the navigation tree.
b. Click
554. Uplink port.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.

Viewing information about the isolation group
1. Click Summary.
2. Display port isolation group 1, which contains ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4.

Figure 438 Viewing information about port isolation group 1 (Summary tab, Port Setup: Isolate group ID 1; Port type: Uplink port, Isolated port; isolated ports GE1/0/2, GE1/0/3, and GE1/0/4).

Configuring authorized IP
The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device.

Configuration procedure
1. From the navigation tree, select Security > Authorized IP.
2. Click Setup to enter the authorized IP configuration page.

Figure 439 Authorized IP configuration page (Setup tab: Telnet IPv4 ACL No Change, Telnet IPv6 ACL; Web (HTTP) IPv4 ACL No Change; rule list with Rule ID, Operation, Description, Time Range).

3. Configure authorized IP as described in Table 133.
4. Click Apply.

Table 133 Configuration items
Telnet, IPv4 ACL: Associate the Telnet service with an IPv4 ACL. To configure the IPv4 ACL to be selected, select QoS > ACL IPv4.
Telnet, IPv6 ACL: Associate the Telnet service with an IPv6 ACL. To configure the IPv6 ACL to be selected, select QoS > ACL IPv6.
555. is not true with master ports. A master port on MSTIs is a root port on the CIST.

Port states
In MSTP, a port can be in one of the following states:
• Forwarding: The port learns MAC addresses and forwards user traffic.
• Learning: The port learns MAC addresses but does not forward user traffic.
• Discarding: The port does not learn MAC addresses or forward user traffic.

A port can have different port states in different MSTIs. A port state is not exclusively associated with a port role. Table 57 lists the port states supported by each port role. A check mark (✓) indicates that the port state is available for the corresponding port role, and a dash (-) indicates that the port state is not available for the corresponding port role.

Table 57 Port states supported by different port roles (port state: root port or master port / designated port / boundary port / alternate port / backup port)
Forwarding: ✓ / ✓ / ✓ / - / -
Learning: ✓ / ✓ / ✓ / - / -
Discarding: ✓ / ✓ / ✓ / ✓ / ✓

How MSTP works
MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among these MSTIs, MSTI 0 is the CIST. Similar to RSTP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.

CIST calculation
The calculation of
556. target host. Display SNMP view information. Create, modify, and delete an SNMP view. Display and clear the statistics information about an interface. (User level column of this table, in the order extracted: Visitor, Configure, Configure, Monitor, Configure, Configure, Configure, Configure, Configure, Configure, Monitor, Configure, Monitor, Configure, Monitor, Configure, Monitor, Configure, Monitor, Configure, Monitor, Configure, Configure.)

Function menu / Description / User level
VLAN:
Select VLAN: Select a VLAN range. Monitor.
Create: Create VLANs. Configure.
Port Detail: Display the VLAN-related details of a port. Monitor.
Detail: Display the member port information about a VLAN. Monitor.
Modify VLAN: Modify the description and member ports of a VLAN. Configure.
Modify Port: Change the VLAN to which a port belongs. Configure.
Remove: Remove VLANs. Configure.
VLAN Interface:
Summary: Display information about VLAN interfaces by address type. Monitor.
Create: Create VLAN interfaces and configure IP addresses. Configure.
Modify: Modify the IP addresses and status of VLAN interfaces. Configure.
Remove: Remove VLAN interfaces. Configure.
Voice VLAN:
Summary: Display voice VLAN information globally or on a port. Monitor.
Setup: Configure the global voice VLAN. Configure.
Port Setup: Configure a voice VLAN on a port. Configure.
OUI Summary: Display the addresses of the OUIs that can be identified by voice VLAN. Monitor.
OUI Add: Add the address of an OUI that can be identified
557. static route to Switch A and Switch C on Switch B:
a. Select Network > IPv4 Routing from the navigation tree of Switch B.
b. Click the Create tab. The page for configuring a static route appears.
c. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.
d. Click Apply.

Figure 260 Configuring a static route (Create tab: Destination IP Address, Mask, Next Hop, Preference (1-255, default 60), Interface; items marked with an asterisk are required; Apply; Configured Static Route Information table with Destination IP Address, Mask, Protocol, Preference, Next Hop, Interface).

e. Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop.
f. Click Apply.

Configure a default route to Switch B on Switch C:
a. Select Network > IPv4 Routing from the navigation tree of Switch C.
b. Click the Create tab.
c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.
d. Click Apply.

Figure 261 Configuring a default route (Create tab with the same fields as Figure 260; Preference 1-255, default 60; items marked with an asterisk are required; Configured Static Route Information table).

Verifying the configuration
1. Display the routing table. Enter the IPv4 route page of Switch A, Switch B, and Switch C to verify that the newly configured static routes are di
558. ted.
Configure a target host for SNMP traps:
a. Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears.
b. Select the IPv4/Domain option and type 1.1.1.2 in the following field, type user in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list.
c. Click Apply.

Figure 128 Adding a trap target host (Trap tab, Add Trap Target Host: Destination IP Address IPv4/Domain 1.1.1.2 (1-255 chars); Security Name user; UDP Port 162 (0-65535, default 162); Security Model v3; Security Level AuthPriv; items marked with an asterisk are required; Apply, Cancel).

Configuring the NMS
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. To configure the NMS:
• Specify the SNMP version for the NMS as v3.
• Create an SNMP user user1.
• Enable both authentication and privacy functions.
• Use MD5 for authentication and DES56 for encryption.
• Set the authentication key to authkey and the privacy key to prikey.
For information about configuring the NMS, see the NMS manual.

Verifying the configuration
After the above configuration, the NMS can establish an SNMP connection with the agent and query and reconfigure values of objects in the agent MIB. Disable or enable an idle interface on the agent, and you can see the interface stat
559. ted; Neighbor Information; Statistic Information; Status Information.

Setting LLDP parameters on ports
The Web interface allows you to set LLDP parameters for a single port or for multiple ports in batch.

Setting LLDP parameters for a single port
1. From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed.
2. Click the icon for the port. On the page, as shown in Figure 199, the LLDP settings of the port are displayed.

Figure 199 Modifying LLDP settings on a port (Port Setup tab, with Global Setup, Global Summary, and Neighbor Summary tabs: Interface Name GE1/0/1; LLDP State Enable; Basic Settings: LLDP Operating Mode TxRx, Encapsulation Format ETHII, CDP Operating Mode Disable, LLDP Polling Interval in seconds (1-30), LLDP Trapping Disable; Base TLV Settings: Port Description, System Capabilities, System Description, System Name, Management Address (Number); Additional TLV Settings; Apply, Cancel).

3. Configure the LLDP parameters for the port as described in Table 75.
4. Click Apply. A progress dialog box appears.
5. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

Table 75 Configuration items
Interface Name: Displays the name of the port or ports you are configuring.
LLDP State: Displays the LLDP enabling status on the port you are configuring. This field is not available when you batch configure ports.
Set the L
560. dotted decimal notation.
Mask: Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes. Specifying different preferences enables route backup.
Next Hop: Enter the next hop IP address in dotted decimal notation.
Interface: Select the output interface. You can select any available Layer 3 interface, for example, a virtual interface of the device. If you select NULL 0, the destination IP address is unreachable.

Displaying the IPv6 active route table
Select Network > IPv6 Routing from the navigation tree to enter the page.

Figure 256 IPv6 active route table (Active Route Table, with Create and Remove tabs: Destination IP Address ::1, Prefix Length 128, Protocol Direct, Preference 0, Next Hop ::1, Interface InLoopBack0).

Table 92 Field description
Destination IP Address / Prefix Length: Destination IP address and prefix length of the IPv6 route.
Protocol: Protocol that discovered the IPv6 route.
Preference: Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop: Next hop IP address of the IPv6 route.
Interface: Output interface of the IPv6 route. Packets destined for the specifi
561. tely, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path. If the new root ports and designated ports begin to forward data as soon as they are elected, a temporary loop might occur.

STP timers
STP calculation involves the following timers:
• Forward delay: The delay time for device state transition. A path failure can cause spanning tree recalculation to adapt the spanning tree structure to the change. However, the resulting new configuration BPDU cannot propagate throughout the network immediately. If the newly elected root ports and designated ports start to forward data immediately, a temporary loop is likely to occur. For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated ports require twice the forward delay time before they transit to the forwarding state, which makes sure the new configuration BPDU has propagated throughout the network.
• Hello time: The time interval at which a device sends hello packets to the neighboring devices to make sure the paths are fault-free.
• Max age: A parameter used to determine whether a configuration BPDU held by the device has expired. The device discards the BPDU if the max age is exceeded.

Introduction to RSTP
Developed based on the 802.1w standard of IEEE, RSTP is an optimized version of STP. It achieves rapid network convergence by allowing a newly elected root port
562. ter the page, as shown in Figure 287.

Figure 287 DHCP snooping user information (DHCP Relay tab, search by IP Address; columns IP Address, MAC Address, Type, Interface Name, VLAN, Remaining Lease Time (Sec), Operation; one entry: 10.55.80.103, 001b-2188-86ff, Dynamic, GigabitEthernet1/0/24, 1, 691152; Return, Refresh, Reset).

Table 101 describes the fields of DHCP snooping entries.

Table 101 Field description
IP Address: Displays the IP address assigned by the DHCP server to the client.
MAC Address: Displays the MAC address of the client.
Type: Displays the client type.
• Dynamic: The IP-to-MAC binding is generated dynamically.
• Static: The IP-to-MAC binding is configured manually. Static bindings are not supported.
Interface Name: Displays the device interface to which the client is connected.
VLAN: Displays the VLAN to which the device belongs.
Remaining Lease Time: Displays the remaining lease time of the IP address.

DHCP snooping configuration example
Network requirements
As shown in Figure 288, a DHCP snooping device (Switch B) is connected to a DHCP server through GigabitEthernet 1/0/1, and to DHCP clients through GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
• Enable DHCP snooping on Switch B and configure DHCP snooping to support Option 82. Configure the handling strategy for DHCP requests containing Option 82 as replace.
• Enable GigabitEthernet 1/0/1 to forward DHCP server respons
563. terface does not support configuration of the default preference.
If you specify the next hop address first and then configure it as the IP address of a local interface, such as a VLAN interface, the static route does not take effect.
When you specify the output interface, note the following:
o If the output interface is NULL 0 or a loopback interface, no next hop address is required.
o If the output interface is a broadcast interface, such as a VLAN interface, you must specify the output interface and the next hop at the same time.
You can delete only IPv4/IPv6 static routes on the Remove tab.

DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client/server model. Figure 266 shows a typical DHCP application. A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring DHCP relay agent". You can enable the DHCP client on an interface. For more information about the DHCP client configuration, see "Configuring VLAN interface".

Figure 266 A typical DHCP application (several DHCP clients and a DHCP server).

DHCP address allocation
Allocation mechanisms
DHCP supports the following mechanisms for IP address allocation:
• Static allocation: T
564. ters configuration, 40; STP algorithm calculation, 179; STP designated bridge, 178; STP designated port, 178; STP path cost, 179; STP root bridge, 178; STP root port, 178; VLAN type, 134; Web common page features, 16; Web device configuration backup, 64; Web device configuration reset, 66; Web device configuration restoration, 64; Web device configuration save, 65; Web device file displaying, 67; Web device file download, 67; Web device file removing, 68; Web device file upload, 68; Web device local user adding, 86; Web device main boot file specifying, 68; Web device privilege level switching, 88; Web device super password setting, 87; Web interface, 7; Web interface HTTP login, 6.
network management: 802.1X ACL assignment configuration, 343; AAA configuration, 352, 359; ACL configuration, 450, 489; ACL time range configuration, 453; ARP configuration, 242; ARP static configuration, 246; basic device settings configuration, 50; configuration wizard, 34; DHCP overview, 292; DHCP relay agent configuration, 297, 298, 303; DHCP snooping configuration, 306, 308, 311; displaying active route table IPv4, 279; displaying active route table IPv6, 281; Ethernet link aggregation and LACP configuration, 205, 213; flow interval, 92; gratuitous ARP configuration, 246; IP routing configuration IPv4, 278; IP routing configuration IPv6, 278; LLDP basic concepts, 217; LLDP configuration, 217, 236; loopback detection, 447; loopback test, 89
565. With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. HP recommends not disabling this function.
TC protection threshold: Sets the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.

Configuring MSTP on a port
1. From the navigation tree, select Network > MSTP.
2. Click the Port Setup tab.

Figure 181 MSTP configuration on a port (Port Setup tab, with Region, Global, and Port Summary tabs: STP No Change; Protection No Change; note: the new protection will replace the old one; Instance; Advanced; port selection with Select All / Select None; Apply, Cancel).

3. Configure MSTP for ports as described in Table 60, and then click Apply.

Table 60 Configuration items
STP: Selects whether to enable STP on the port.
Protection: Sets the type of protection to be enabled on the port.
• Not Set: No protection is enabled on the port.
• Edged Port, Root Protection, Loop Protection: For more information, see Table 61.
Instance: Sets the priority and path cost of the port in the current MSTI.
• Instance ID
• Priority: The priority of a port is an important factor in determining whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority will be elected as the root port. On an MSTP-enabled device, a port can hav
566. the CLI:
1. Press Enter. The Username prompt displays:
Login authentication
Username:
2. Enter your username at the Username prompt:
Username: admin
3. Press Enter. The Password prompt appears:
Password:
The login information is verified, and the following CLI menu appears:
<HP 1920 Switch>
If the password is invalid, the following message appears and the process restarts:
Login failed

CLI commands
This section contains the following commands (Task: Command):
Display a list of CLI commands on the device.
Reboot the device and run the default configuration: initialize
Configure VLAN-interface 1 to obtain an IPv4 address through DHCP or manual configuration: ipsetup { dhcp | ip-address ip-address { mask | mask-length } [ default-gateway ip-address ] }
Configure VLAN-interface 1 to obtain an IPv6 address through the autoconfiguration function or manual configuration: ipsetup ipv6 { auto | address { ipv6-address prefix-length | ipv6-address/prefix-length } [ default-gateway ipv6-address ] }
Modify the login password: password
Log out of the system: quit
Download the Boot ROM image or system software image file from the TFTP server and specify it as the startup configuration file: upgrade ip
Reboot the device and run the main configuration file.
View the summary information about the device.
Ping a specified destination.
Tear down the current connection and quit the system.
567. the class. The device does not support this operator.

Configuring classification rules
1. Select QoS > Classifier from the navigation tree.
2. Click Setup to enter the page for setting a class.

Figure 464 Configuring classification rules (Setup tab, with Summary, Add, and Remove tabs: Please select a classifier; rule types: Any; DSCP (0-63, you can input 8 entries, for example 3,5,7); IP Precedence (0-7, you can input 8 entries, for example 3,5,7); Classifier (1-31 chars); Inbound Interface; RTP Port from/to (2000-65535); Dot1p: Service 802.1p, Customer 802.1p (0-7, you can input 8 entries, for example 3,5,7); MAC: Source MAC, Destination MAC (format of MAC is H-H-H); VLAN: Service VLAN (1-4094, input a range such as 3-20 or up to 8 entries like 3,5,7), Customer VLAN (1-4094, input a range such as 3-20 or up to 8 entries like 3,5,7); ACL: ACL IPv4 (2000-4999), ACL IPv6 (2000-3999); Apply; rule table with Rule Type and Rule Value).

3. Configure classification rules for a class as described in Table 152.
4. Click Apply.

Table 152 Configuration items
VLAN, Customer VLAN: Define a rule to match customer VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure only one VLAN ID at a time. Otherwise, the relevant QoS policy fails to be applied. If the same VLAN ID is specified multiple times, the system considers
568. the information of LACP-enabled ports.

Figure 191 (Setup tab; select ports from the table to view partner port details; columns Unit, Port, LACP State, Port Priority, State, Inactive Reason, Partner Port, Partner Port State, Oper Key; the listed ports show LACP Enable, state Not in group, inactive reason 3; View Details. Partner Port Details: Unit, Port, Partner ID, Partner Port Priority, Partner Oper Key. Note: The following numbers are used to indicate the reasons for being inactive: 1, all active ports are already in use for this aggregator; 2, all aggregation resources are already in use; 3, the port is not configured properly; 4, the port's partner is not configured properly.)

Table 67 Field description
Unit: ID of a device in a stack.
Port: Port where LACP is enabled.
LACP State: State of LACP on the port.
Port Priority: LACP priority of the port.
State: Aggregation state of the port. If a port is Selected, this field also displays the ID of the aggregation group it belongs to.
Inactive Reason: Reason code indicating why a port is Unselected for receiving or sending user data. For more information about the reason codes, see the bottom of the page shown in Figure 191.
Partner Port: ID of the peer port.
Partner Port State: States of the peer port.
• A: LACP is enabled.
• B: LACP short timeout. If B does not appear, it indicates LACP long timeout.
• C: The sending system considers the link is aggreg
569. the loghost.
Display and configure the buffer capacity and interval for refreshing system logs.
Back up the configuration file to be used at the next startup from the device to the host of the current user.
Upload the configuration file to be used at the next startup from the host of the current user to the device.
Save the current configuration to the configuration file to be used at the next startup.
Restore the factory default settings.
Manage files on the device, such as displaying the file list, downloading a file, uploading a file, and removing a file.
Display port information by features.
Display feature information by ports.
Create, modify, delete, and enable/disable a port, and clear port statistics.
Display the configuration information about a port mirroring group.
Create a port mirroring group.
Remove a port mirroring group.
Configure ports for a mirroring group.
Display the brief information about FTP and Telnet users.
Configure a password for a lower-level user to switch from the current access level to the management level.
Create an FTP or Telnet user.
Modify FTP or Telnet user information.
Remove an FTP or a Telnet user.
(Function menu / Description / User level; the User level column of this table, in the order extracted: Monitor, Management, Configure, Monitor, Monitor, Configure, Configure, Configure, Management, Management, Configure, Configure, Management, Monitor, Monitor, Configure, Monitor, Configure, Configure, Configure, Mon
570. the navigation tree, select Authentication > Port Security.
2. In the Port Security Configuration area, configure global port security settings:
a. Select Enable Port Security.
b. Click Advanced.
c. Specify the system to disable the port temporarily for 30 seconds.
d. Select Intrusion from the Trap Switch area.
e. Click Apply.

Figure 419 Configuring port security (Port Security Configuration: Enable Port Security; Advanced: Temporarily Disabling Port Time 30 seconds (20-300, default 20); Trap Switch check boxes: MAC Learned, 802.1X Auth Failure, 802.1X Logoff, 802.1X Logon, Intrusion, MAC Auth Failure, MAC Auth Logoff, MAC Auth Logon; Apply. Security Ports And Secure MAC Address List: Port, Max Number of MAC, Intrusion Protection, Outbound Restriction, Operation; Add, Del Selected. Secure MAC Address List. Advanced Port Security Configuration: Ports Enabled With Advanced Features; Permitted OUIs for ports working in the mode of 802.1X MAC-Based Or OUI.)

3. Configure the basic port security control:
a. In the Security Ports And Secure MAC Address List area, click Add.
b. On the page that appears, select GigabitEthernet1/0/3.
c. Enter 3 as the maximum number of MAC addresses.
d. Select Enable Intrusion Protection and select Disable Port Temporarily from the list.
e. Click Apply.

Figure 420 Applying the port security feature (Apply Port Security Control: Port GigabitEthernet1/0/3; Max Number of MAC 3 (1-1024, Defaul
571. the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0. (451) For example, if the numbering step is 5 (the default) and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0. Whenever the step changes, the rules are renumbered starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
Implementing time-based ACL rules. You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only in any time periods specified by the time range. The following basic types of time range are available:
• Periodic time range: Recurs periodically on a day or days of the week.
• Absolute time range: Represents only a period of time and does not recur.
IPv4 fragments filtering with ACLs. Traditional packet filtering matches only first fragments of IPv4 packets and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To improve network security, ACL filters all packets by default, including fragments and non-fragmented packets. Meanwhile, to improve match efficiency, you can modify ACL rules. For example, you can configure ACL rules to filter non-first fragments only. Cont
572. the packet and then sends the packet to the gateway.
4. If the gateway has an ARP entry for Host B, it forwards the packet to Host B directly. If not, the gateway broadcasts an ARP request in which the target IP address is the IP address of Host B.
5. After the gateway gets the MAC address of Host B, it sends the packet to Host B.
ARP table. An ARP table stores dynamic and static ARP entries. (243)
Dynamic ARP entry: ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.
Static ARP entry: A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry. Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.
Gratuitous ARP. In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devic
573. thentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
• On a port that performs port-based access control: (330)
Authentication status / VLAN manipulation
- A user fails 802.1X authentication: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
- A user in the Auth-Fail VLAN fails 802.1X re-authentication: The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN.
- A user passes 802.1X authentication:
  • The device assigns the VLAN specified for the user to the port as the PVID and removes the port from the Auth-Fail VLAN. After the user logs off, the user-configured PVID restores.
  • If the authentication server assigns no VLAN, the initial PVID applies. The user and all subsequent 802.1X users are assigned to the user-configured PVID. After the user logs off, the PVID remains unchanged.
• On a port that performs MAC-based access control:
Authentication status / VLAN manipulation
- A user fails 802.1X authentication: The device remaps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
- A user in the Auth-Fail VLAN fails 802.1X re-authentication: The user is still in the Auth-Fail VLAN. The device remaps the MAC a
574. thZ Name, Secondary Method; PPP AuthZ Name, Secondary Method; Portal AuthZ Name, Secondary Method; Command AuthZ Name.]
After the configuration process is complete, click Close.
Configure AAA accounting method for the ISP domain:
a. Click the Accounting tab.
b. Select the ISP domain test.
c. Select Default Accounting, select the accounting method RADIUS, and select the accounting scheme system from the Name list.
d. Click Apply.
(416) Figure 404 Configuring the accounting method for the ISP domain. [Form: Domain Setup, Authentication, Authorization, Accounting; Select an ISP domain: test; Accounting Optional: Disable; Default Accounting: RADIUS, Name: system, Secondary Method; LAN access Accounting; Login Accounting; PPP Accounting; Portal Accounting.]
e. After the configuration process is complete, click Close.
Configuring an ACL:
1. From the navigation tree, select QoS > ACL IPv4.
2. Click the Add tab.
3. Enter the ACL number 3000, and then click Apply.
Figure 405 Adding ACL 3000. [Form: Summary, Basic Setup, Advanced Setup, Link Layer Setup, Remove; ACL Number: 3000 (2000-2999 for basic ACLs, 3000-3999 for advanced ACLs, 4000-4999 for Ethernet frame header ACLs); Match Order; Description (0-127 characters); columns: ACL Number, Type, Number of Rules, Match Order, Description.]
4. Click the Advanced Setup tab.
5. Configure the
575. tication (353)
Step / Remarks:
3. Configuring authorization methods for the ISP domain: Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.
4. Configuring accounting methods for the ISP domain: Required. Specify the accounting methods for various types of users. By default, all types of users use local accounting.
Configuring an ISP domain:
1. Select Authentication > AAA from the navigation tree. The Domain Setup page appears.
Figure 335 Domain Setup page. [Form: Authentication, Authorization, Accounting; ISP Domain: Please select the ISP domain; Domain Name; Default Domain.]
2. Create an ISP domain as described in Table 108.
3. Click Apply.
Table 108 Configuration items
Item / Description:
- Domain Name: Enter the ISP domain name, which is for identifying the domain. You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain). (354)
- Default Domain: Specify whether to use the ISP domain as the default domain. Options include:
  • Enable: Uses the domain as the default domain.
  • Disable: Uses the domain as a non-default domain.
  There can only be one default domain at a time. If you specify another domain as the default domain, the original default domain becomes a non-default domain.
Configuring authentication methods for the ISP do
576. figuration file at the next startup. If you reboot the device when file operations are being performed, the system does not execute the command, to ensure security.
Examples: If the configuration does not change, reboot the device.
<Sysname> reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
If the configuration changes, reboot the device.
<Sysname> reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Current configuration will be lost in next startup if you continue. Continue? [Y/N]:y
Now rebooting, please wait...
summary
Syntax: summary
Parameters: None
Description: Use summary to view the summary of the device, including the IP address of VLAN-interface 1 and software version information.
Examples: Display summary information about the device.
<Sysname> summary (29)
Select menu option: Summary
IP Method: Manual
IP address: 192.168.0.233
Subnet mask: 255.255.255.0
Default gateway:
IPv6 Method:
IPv6 link-local address:
IPv6 subnet mask length:
IPv6 global address:
IPv6 subnet mask length:
IPv6 default gateway:
Current boot app is: flash:/hp1920-24G.bin
Next main boot app is: flash:/hp1920-24G.bin
Next backup boot app is: flash:/test.bin
HP Comware Platform Software
Comware So
577. time(s): Configuration BPDU transmission interval, in seconds. Max hops: Maximum hops of the current MST region.
MSTP configuration example
Network requirements: As shown in Figure 183, configure MSTP as follows:
• All devices on the network are in the same MST region.
• Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively.
• Switch A and Switch B operate at the distribution layer. Switch C and Switch D operate at the access layer.
• VLAN 10 and VLAN 20 are terminated on the distribution layer devices, and VLAN 30 is terminated on the access layer devices, so the root bridges of MSTI 1 and MSTI 2 are Switch A and Switch B, respectively, and the root bridge of MSTI 3 is Switch C.
(199) Figure 183 Network diagram. [Switch A, Switch B, Switch C, Switch D; link labels: Permit all VLAN; Permit VLAN 20, 40; Permit VLAN 10, 40; Permit VLAN 30, 40.] "Permit" next to a link in the figure is followed by the VLANs the packets of which are permitted to pass this link.
Configuration procedure
Configuring Switch A:
1. Configure an MST region:
a. From the navigation tree, select Network > MSTP. By default, the Region tab is displayed.
b. Click Modify.
Figure 184 The region tab. [Tabs: Global, Port Summary, Port Setup; Format Selector: 0; Region Name: 00e0fc003620; Revision Level: 0; Instance / VLAN Mapped: 0 / 1 to 4094.]
Set the region name t
578. tination port number, and number of matched packets. This function is not supported.
Source IP Address / Source Prefix: Select the Source IP Address box and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon.
Time Range: Select the time range during which the rule takes effect.
Configuring a rule for an advanced IPv6 ACL:
1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Advance Setup tab. The rule configuration page for an advanced IPv6 ACL appears. (463)
Figure 452 Configuring a rule for an advanced IPv6 ACL. [Form: Summary, Add, Basic Setup, Remove; Select Access Control List (ACL); Configure an Advanced ACL: Rule ID (if no ID is entered, the system will specify one), Operation, Check Fragment, Check Logging, IP Address Filter, Destination IP Address, Destination Prefix, Protocol, ICMPv6 Type, Named ICMPv6 Type, ICMPv6 Type (0-255), ICMPv6 Code (0-255), TCP/UDP Port, Range of Port is 0-65535, Time Range; columns: Rule ID, Operation, Description, Time Range.]
3. Add a rule for an advanced IPv6 ACL as described in Table 144.
4. Click Add.
Table 144 Configuration items
Item / Description:
- Select Access Control List (ACL): Select the advanced IPv6 ACL for which you want t
579. tion items
Item / Description:
- Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.
- Default AuthZ, Name, Secondary Method: Configure the default authorization method and secondary authorization method for all types of users. Options include:
  • HWTACACS: HWTACACS authorization. You must specify the HWTACACS scheme to be used.
  • Local: Local authorization.
  • None: This method trusts all users and assigns default rights to them.
  • RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
  • Not Set: The device uses the default authorization setting, which is local authorization.
- LAN access AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for LAN access users. Options include:
  • Local: Local authorization.
  • None: This method trusts all users and assigns default rights to them.
  • RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
  • Not Set: The device uses the settings in the Default AuthZ area for LAN access users.
- Login AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for login users. Options include:
  • HWTACACS: HWTACACS authorization. You must specify the HWTACACS scheme to be used.
  • Local: Local authorization.
  • None: This method trusts all users and assigns default rights to them.
  • RADIUS: RADIUS authorization. You m
580. to option is selected, the refresh interval is calculated by the relay agent according to the number of client entries.
Creating a DHCP server group:
1. From the navigation tree, select Network > DHCP to enter the default DHCP Relay page shown in Figure 274.
2. In the Server Group area, click Add to enter the page shown in Figure 275.
Figure 275 Create a server group. [Form: DHCP Snooping; Server Group ID (0-19); IP Address; Items marked with an asterisk (*) are required; Apply, Cancel.] (300)
3. Configure the DHCP server group as shown in Table 95.
4. Click Apply.
Table 95 Configuration items
Item / Description:
- Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
- IP Address: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent. Otherwise, the client cannot obtain an IP address.
Enabling the DHCP relay agent on an interface:
1. From the navigation tree, select Network > DHCP to enter the default DHCP Relay page shown in Figure 274.
2. In the Interface Config field, click the icon of a specific interface to enter the page shown in Figure 276.
Figure 276 Configuring a DHCP relay agent interface. [Form: DHCP Snooping; Interface Name: Vlan-interface; DHCP Relay: Enable / Disable; Address Match Check: Enable / Disable; Apply, Cancel.]
3. Configure the DHCP relay agent on the i
581. to the operating mode. If you configure the reinitialization delay, a port must wait the specified amount of time to initialize LLDP after the LLDP operating mode changes.
Working mechanism
Transmitting LLDP frames. An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent LLDP frames from overwhelming the network during times of frequent changes to local device information, an interval is introduced between two successive LLDP frames. This interval is shortened to 1 second in either of the following cases: (221)
• A new neighbor is discovered. A new LLDP frame is received carrying device information new to the local device.
• The LLDP operating mode of the port changes from Disable or Rx to TxRx or Tx.
This is the fast sending mechanism of LLDP. With this mechanism, the specified number of LLDP frames is sent successively at the 1-second interval. The mechanism helps LLDP neighbors discover the local device as soon as possible. Then, the normal LLDP frame transmission interval resumes.
Receiving LLDP frames. An LLDP-enabled port operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every received LLDP frame. If the TLVs are valid, the information is saved and an aging timer is set. When the TTL value in the Time to Live TLV carried in the LLDP frame becomes zero, the information ages out immediat
582. [Form residue from the advanced ACL rule page: ICMP Type, ICMP Message, ICMP Type (0-255), ICMP Code (0-255), TCP/UDP Port, TCP Connection Established, Range of Port is 0-65535, Precedence Filter: DSCP Not Check, TOS Not Check, Precedence Not Check, Time Range, Add; columns: Rule ID, Operation, Description, Time Range.]
4. Add a class:
a. Select QoS > Classifier from the navigation tree.
b. Click the Add tab. (491)
c. Enter the class name class1.
d. Click Add.
Figure 480 Adding a class. [Form: Summary, Setup, Remove; Operation: And; Add; columns: Classifier Name, Operation, Rule Count.]
5. Define classification rules:
a. Click the Setup tab.
b. Select the class name class1 in the list.
c. Select the ACL IPv4 box and select ACL 3000 in the following list. (492)
Figure 481 Defining classification rules. [Form: Summary, Add, Setup, Remove; Please select a classifier: class1; Any; DSCP (0-63, you can input 8 entries, for example 3,5-7); IP Precedence (0-7, you can input 8 entries, for example 3,5-7); Classifier (1-31 chars); Inbound Interface; RTP Port from/to (2000-65535); Dot1p: Service 802.1p, Customer 802.1p (0-7, you can input 8 entries, for example 3,5-7); MAC: Source MAC, Destination MAC (format of MAC is H-H-H); VLAN (1-4094, input a range such as 3-20 or up to 8 entries like 3,5-7); Service VLAN (1-4094, input a range such as 3
583. tree that connects all MST regions in a switched network. If you regard each MST region as a device, the CST is a spanning tree calculated by these devices through STP or RSTP. The red lines in Figure 176 represent the CST.
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0, a special MSTI to which all VLANs are mapped by default. In Figure 176, the CIST has a section in each MST region, and this section is the IST in the respective MST region.
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in a switched network. It consists of the ISTs in all MST regions and the CST. In Figure 176, the ISTs in all MST regions plus the inter-region CST constitute the CIST of the entire network.
Regional root bridge: The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or the MSTI. Based on the topology, different spanning trees in an MST region might have different regional roots. As shown in Figure 176, the regional root of MSTI 1 in region D0 is device B, and that of MSTI 2 is device C.
Common root bridge: The common root bridge is the root bridge of the CIST. In Figure 176, for example, the common root bridge is a device in region A0.
Port roles: A port can play different roles in different MSTIs. As shown in Figure 177, an MST region has device A, device B, device C, and device D. Port 1 and port
584. tts, step 100; Power Priority: No change; Selected Ports; Apply, Cancel.]
3. Configure the PoE ports as described in Table 163.
4. Click Apply.
Table 163 Configuration items
Item / Description:
- Select Port: Select ports to be configured, and they are displayed in the Selected Ports area.
- Enable or disable PoE on the selected ports.
  • The system does not supply power to or reserve power for the PD connected to a PoE port if the PoE port is not enabled with the PoE function.
  • You can enable PoE for a PoE port if the PoE port does not result in PoE power overload. Otherwise, you cannot enable PoE for the PoE port. By default, PoE is enabled on a PoE port.
  IMPORTANT: When the sum of the power consumption of all ports exceeds the maximum power of the PSE, the system considers the PSE as overloaded. (498)
- Power Max: Set the maximum power for the PoE port. The maximum PoE interface power is the maximum power that the PoE interface can provide to the connected PD. If the PD requires more power than the maximum PoE interface power, the PoE interface does not supply power to the PD. By default, the maximum power of a PoE port is 30 watts.
- Set the power supply priority for a PoE port. In descending order, the power supply priority levels of a PoE port are critical, high, and low.
  • When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.
  • If the PoE pow
585. twork > LLDP. By default, the Port Setup tab is displayed, as shown in Figure 209.
b. Select port GigabitEthernet1/0/1 and GigabitEthernet1/0/2.
c. Click Modify Selected. (236) The page shown in Figure 210 appears.
Figure 209 The port setup tab. [Tabs: Port Setup, Global Setup, Global Summary, Neighbor Summary; columns: Port Name, LLDP Status, LLDP Work Mode, Operation; GigabitEthernet1/0/1 through GigabitEthernet1/0/15 listed as Enabled, TxRx; 28 records, 15 per page, page 1/2, record 1-15; buttons: Enable, Disable, Modify Selected, Neighbor Information, Statistic Information, Status Information.]
d. Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. (237)
Figure 210 Setting LLDP on multiple ports
586. uirements ... 2
... 5
... 6
Logging in to the Web interface ... 6
Logging out of the Web interface ... 7
Web interface ... 7
... 9
... 9
Common items on the Web ... 16
Configuring the switch at the CLI ... 20
Getting started with the CLI ... 20
Setting up the configuration ... 20
Setting terminal parameters ... 21
Logging in to ... 24
... 24
... 25
ipsetup ... 25
... 26
... 26
... 27
... 27
quit ... 28
reboot ... 29
... 29
... 30
upgrade ipv6 ... 31
Configuration example for upgrading the
587. uitous ARP packet learning is enabled by default.
- Send gratuitous ARP packets when receiving ARP requests from another network segment: Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment. By default, the device does not send gratuitous ARP packets upon receiving ARP requests from another network segment.
Static ARP configuration example
Network requirements: As shown in Figure 221, hosts are connected to Switch A, and Switch A is connected to Router B through GigabitEthernet 1/0/1 in VLAN 100. To ensure secure communications between Switch A and Router B, configure a static ARP entry on Switch A for Router B. (246)
Figure 221 Network diagram. [Router B: 192.168.1.1/24, 00e0-fc01-0000; GE1/0/1, VLAN 100; Switch A.]
Configuring Switch A:
1. Create VLAN 100:
a. From the navigation tree, select Network > VLAN.
b. Click the Add tab.
c. Enter 100 in the VLAN ID field.
d. Click Create.
Figure 222 Creating VLAN 100. [Form: Select VLAN, Port Detail, Detail, Modify VLAN, Modify Port, Remove; Create: VLAN IDs (Example: 3, 6-10), Create; ID 1, Description VLAN 0001; Modify VLAN description (Note: you can do this later on the Modify VLAN page); Modify the description of the selected VLAN: ID, Description (1-32 Chars).]
2. Add GigabitEthernet 1/0/1 to VLAN 100:
a. Click the Modify Port tab.
b. In the Select Ports area, select interface GigabitEthernet 1/0/1. (247)
588. up tab, select GigabitEthernet1/0/1.
b. Click Enable.
Figure 32 Configuring a stack port on Switch A. [Tabs: Topology Summary, Device Summary; Global Settings: Private Net IP 192.168.1.1, Mask 255.255.255.0, Build Stack: Enable, Apply; Port Settings, columns: Port Name, Port Status; GigabitEthernet1/0/1 through GigabitEthernet1/0/5: not stack port; 28 records, 5 per page, page 1/6, record 1-5; Enable, Disable.]
On Switch B, configure GigabitEthernet 1/0/2 (connected to Switch A), GigabitEthernet 1/0/1 (connected to Switch C), and GigabitEthernet 1/0/3 (connected to Switch D) as stack ports:
a. Select Stack from the navigation tree of Switch B.
b. In the Port Settings area on the Setup tab, select GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3.
c. Click Enable. (44)
Figure 33 Configuring stack ports on Switch B. [Tabs: Topology Summary, Device Summary; Global Settings: Private Net IP, Mask, Build Stack: Disable, Apply; Port Settings, columns: Port Name, Port Status; GigabitEthernet1/0/1 through GigabitEthernet1/0/5: not stack port; 28 records, 5 per page
589. uperior, BP2 will act as the designated port, and the configuration BPDU on this port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
Device C:
• Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and it updates the configuration BPDU of CP1.
• Port CP2 receives the configuration BPDU of port BP2 of Device B {1, 0, 1, BP2} before the configuration BPDU is updated. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2}, and it updates the configuration BPDU of CP2. (182)
Configuration BPDU on ports after comparison:
- Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}.
- Device B: BP1 {0, 0, 0, AP1}; BP2 {1, 0, 1, BP2}. After comparison: Root port BP1 {0, 0, 0, AP1}; Designated port BP2 {0, 5, 1, BP2}.
- Device C: CP1 {0, 0, 0, AP2}; CP2 {1, 0, 1, BP2}.
Comparison process on Device C and configuration BPDU on ports after comparison:
• The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDUs of which will not be changed: Root port CP1 {0, 0, 0, AP2}.
• Device C compares the calculated designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2 becomes the designated port: Designated port CP2 {0, 10, 2, CP2}. The configuration BPDU of this port will b
590. uration items
Item / Description:
- Please select a policy: Select an existing policy in the list.
- Classifier Name: Select an existing classifier in the list.
- Behavior Name: Select an existing behavior in the list.
Applying a policy to a port:
1. Select QoS > Port Policy from the navigation tree.
2. Click Setup to enter the page for applying a policy to a port. (484)
Figure 470 Applying a policy to a port. [Form: Summary, Remove; Please select a policy: Select a policy; Direction: Inbound; Please select port(s): Select All, Select None.]
3. Apply a policy to a port as described in Table 158.
4. Click Apply.
Table 158 Configuration items
Item / Description:
- Please select a policy: Select an existing policy in the list.
- Direction: Set the direction in which the policy is to be applied.
  • Inbound: Applies the policy to the incoming packets of the specified ports.
  • Outbound: Applies the policy to the outgoing packets of the specified ports.
- Please select port(s): Select one port to which the QoS policy is to be applied on the chassis front panel.
Configuring queue scheduling on a port:
1. Select QoS > Queue from the navigation tree.
2. Click Setup to enter the queue scheduling configuration page.
Figure 471 Configuring queue scheduling. [Form: Summary, Setup; WRR Setup: WRR Enable; Queue: No Change; Group: SP; Weight: 1; Please select port(s): Select All, Select None; Cancel.]
3. Configure queue scheduling on a port as describ
591. urrent user level to the management level. Configure a super password as described in Table 19. (87)
4. Click Apply.
Table 19 Configuration items
Item / Description:
- Create / Remove: Select the operation type.
  • Create: Configure or change the super password.
  • Remove: Remove the current super password.
- Password: Set the password for non-management level users to switch to the management level.
- Confirm Password: Enter the same password again.
- Password Encryption: Select the password encryption type.
  • Reversible: Uses a reversible encryption algorithm. The ciphertext password can be decrypted to get the plaintext password.
  • Irreversible: Uses an irreversible encryption algorithm. The ciphertext password cannot be decrypted to get the plaintext password.
Switching to the management level. A non-management level user can switch to the management level after providing the correct super password. The level switching operation does not change the access level setting for the user. When the user logs in to the Web interface again, the access level of the user is still the level set for the user.
To switch to the management level:
1. Select Device > Users from the navigation tree.
2. Click the Switch To Management tab.
3. Enter the correct super password.
4. Click Login.
Figure 74 Switching to the management level. [Tabs: Summary, Super Password, Create, Modify, Remove; Please enter the super password to switch from the cu
592. ust specify the RADIUS scheme to be used.
  • Not Set: The device uses the settings in the Default AuthZ area for login users.
Configuring accounting methods for the ISP domain:
1. Select Authentication > AAA from the navigation tree.
2. Click the Accounting tab. (357)
Figure 338 Accounting method configuration page. [Form: Domain Setup, Authentication, Authorization, Accounting; Configuration of AAA: Select an ISP domain: system; Accounting Optional: Disable; Default Accounting: Local, Name, Secondary Method; LAN access Accounting, Name, Secondary Method; Login Accounting, Name, Secondary Method; PPP Accounting, Name, Secondary Method; Portal Accounting, Name, Secondary Method.]
3. Select the ISP domain and specify accounting methods for the ISP domain as described in Table 111.
4. Click Apply.
Table 111 Configuration items
Item / Description:
- Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.
- Accounting Optional: Specify whether to enable the accounting optional feature. The feature enables a user who would otherwise be disconnected to use network resources even if there is no accounting server available or communication with the current accounting server fails. If accounting for the user fails, the device no longer sends real-time accounting updates for the user.
- Default Accounting, Name, Secondary Method; LAN access Accounting, Name, Secondary Method
593. v6 server-address source-filename { bootrom | runtime }, reboot, summary, ping ipv6 host, quit. (24)
initialize
Syntax: initialize
Parameters: None
Description: Use initialize to delete the configuration file to be used at the next startup and reboot the device, with the default configuration being used during reboot. Use the command with caution, because this command deletes the configuration file to be used at the next startup and restores the factory default settings.
Examples: Delete the configuration file to be used at the next startup and reboot the device, with the default configuration being used during reboot.
<Sysname> initialize
The startup configuration file will be deleted and the system will be rebooted. Continue? [Y/N]:y
Please wait...
ipsetup
Syntax: ipsetup { dhcp | ip-address ip-address { mask | mask-length } [ default-gateway ip-address ] }
Parameters:
- dhcp: Specifies the interface to obtain an IPv4 address through DHCP.
- ip-address ip-address: Specifies an IPv4 address for VLAN-interface 1, in dotted decimal notation.
- mask: Subnet mask in dotted decimal notation.
- mask-length: Subnet mask length, the number of consecutive ones in the mask, in the range of 0 to 32.
- default-gateway ip-address: Specifies the IPv4 address of the default gateway. With this argument and keyword combination configured, the command not only assigns an IPv4 address to the interface, but also specifies a default route for
594. val, 245; security (ARP attack protection configuration), 250; traceroute, 31.
IP routing: configuration (IPv4), 278; configuration (IPv6), 278; displaying active route table (IPv4), 279; displaying active route table (IPv6), 281; routing table, 278; static route, 2 8; static route creation (IPv4), 280; static route creation (IPv6), 281; static routing configuration (IPv4), 283; static routing configuration (IPv6), 287; static routing default route, 279.
IP services: configuring client's IP-to-MAC bindings, 302; configuring DHCP relay agent advanced parameters, 299; configuring DHCP snooping functions on interface, 309; creating DHCP server group, 300; DHCP address allocation, 292; DHCP overview, 292; DHCP relay agent configuration, 297, 298, 303; DHCP snooping configuration, 311; DHCP snooping Option 82 support, 308; DHCP snooping trusted port, 306; displaying client's IP-to-MAC bindings, 302, 310; enabling DHCP, 299; enabling DHCP relay agent on interface, 301; ip validity check (ARP), 250; IP-to-MAC DHCP snooping configuration, 306, 308.
IPv4: ACL configuration (IPv4), 454; active route table, 279; static route creation, 280; static routing configuration, 283.
IPv6: ACL configuration (IPv6), 461; active route table, 281; static route creation, 281; static routing configuration, 287.
IPv6 multicast: configuring MLD snooping, 274; displaying MLD snooping multicast forwarding entries, 2 3; enabling MLD snooping globally, 270; enab
595. voice devices are in use. In broadband communities, data traffic and voice traffic are usually transmitted in the network at the same time. Usually, voice traffic needs higher priority than data traffic to reduce the transmission delay and packet loss ratio. A voice VLAN is configured for voice traffic. After assigning the ports that connect to voice devices to a voice VLAN, the system automatically modifies quality of service (QoS) parameters for voice traffic to improve the transmission priority of voice traffic and ensure voice quality.

NOTE: Common voice devices include IP phones and integrated access devices (IADs). Only IP phones are used in the voice VLAN configuration examples in this document.

OUI addresses
A device determines whether an incoming packet is a voice packet by checking its source MAC address. If the source MAC address of a received packet matches an organizationally unique identifier (OUI) in the voice device OUI list (referred to as the OUI list in this document) maintained by the switch, the packet is regarded as a voice packet. You can add OUI addresses to the OUI list maintained by the device, or use the default OUI list shown in Table 45 for voice traffic identification.

Table 45 The default OUI list
Number   OUI Address       Vendor
1        0003-6b00-0000    Cisco phone
2        00e0-7500-0000    Polycom phone

An OUI address is usually the first 24 bits of a MAC address (in binary format). It is a globally unique identifier assigned to
596. warding entries related to that port from the IGMP snooping forwarding table. The receiver hosts attached to that port can join multicast groups again before the number of multicast groups on the port reaches the limit.
Enable or disable fast-leave processing on the port. When a port that is enabled with the IGMP snooping fast-leave processing feature receives an IGMP leave message, the switch immediately removes that port from the forwarding entry for the multicast group specified in the message. When the switch receives IGMP group-specific queries for that multicast group, it does not forward them to that port. You can enable IGMP snooping fast-leave processing on ports to save bandwidth and resources.

Displaying IGMP snooping multicast forwarding entries
From the navigation tree, select Network > IGMP snooping. Click Show Entries to display information about IGMP snooping multicast forwarding entries.

Figure 232 Displaying entry information
(Show Entries list, columns VLAN ID / Source / Group / Operation; sample entry: VLAN 100, source 0.0.0.0, group 224.1.1.1)

To display detailed information about an entry, click the icon for the entry.

Figure 233 Displaying detailed information about the entry
(Entry Details: VLAN ID 100; Source Address 0.0.0.0; Group Address 224.1.1.1; Router Port(s) GigabitEthernet1/0/1; Member Port(s) GigabitEthernet1/0/3)

Table 85 Field description
Field    Description
VLAN
597. with an asterisk (*) are required.

OUI Address       Mask              Description
0003-6b00-0000    ffff-ff00-0000    Cisco phone
00e0-7500-0000    ffff-ff00-0000    Polycom phone

Verifying the configuration
1. When the preceding configurations are completed, the OUI Summary tab is displayed by default, as shown in Figure 159. You can view the information about the newly added OUI address.

Figure 159 Displaying the current OUI list of the device
OUI Address       Mask              Description
0003-6b00-0000    ffff-ff00-0000    Cisco phone
0011-2200-0000    ffff-ff00-0000    test
00e0-7500-0000    ffff-ff00-0000    Polycom phone

2. Click the Summary tab, where you can view the current voice VLAN information.

Figure 160 Displaying voice VLAN information
(Voice VLAN security: Enabled; Voice VLAN aging time: 30 minutes; Maximum of voice VLANs: 1; Current number of voice VLANs: 1)
Ports enabled for voice VLAN:
Port Name               Voice VLAN ID    Mode
GigabitEthernet1/0/1    2                Auto

Configuring a voice VLAN on a port in manual voice VLAN assignment mode

Network requirements
As shown in Figure 161:
• Configure VLAN 2 as a voice VLAN that carries only voice traffic.
• The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic.
• GigabitEthernet 1/0/1 operates in manual voice VLAN assignment mode and allows voice packets whose source MAC addresses match the OUI addresses spe
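The OUI check described under "OUI addresses" (Table 45) and verified in Figure 159 can be reproduced in a few lines. This is an added example, not the switch's own code: it applies each entry's mask to both the configured OUI address and the frame's source MAC, so an entry may cover more or fewer than the usual 24 bits; the OUI entries are the default list plus the "test" entry from Figure 159, and the sample source MACs are constructed.

```python
"""Voice-packet identification by OUI address and mask (added example)."""
from typing import Optional

# (OUI address, mask, description) in the switch's xxxx-xxxx-xxxx notation:
# the two default entries from Table 45 plus the "test" entry from Figure 159.
OUI_LIST = [
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
    ("0011-2200-0000", "ffff-ff00-0000", "test"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
]


def mac_to_int(mac: str) -> int:
    """Parse xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx into a 48-bit int."""
    digits = "".join(ch for ch in mac if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def match_oui(src_mac: str, oui_list=OUI_LIST) -> Optional[str]:
    """Return the description of the first OUI entry whose masked bits equal
    the masked bits of src_mac, or None when the frame is not voice traffic.

    Masking the configured address too means an entry whose low bits are not
    all zero still matches the way the switch's mask field implies.
    """
    src = mac_to_int(src_mac)
    for oui, mask, description in oui_list:
        m = mac_to_int(mask)
        if src & m == mac_to_int(oui) & m:
            return description
    return None


def classify_frames(src_macs):
    """Map each constructed source MAC to 'voice' or 'data' by the OUI list."""
    return {mac: ("voice" if match_oui(mac) else "data") for mac in src_macs}


if __name__ == "__main__":
    # Constructed sample frames: two phones, one unrelated host.
    for mac, kind in classify_frames(
        ["0003-6b12-3456", "00:e0:75:aa:bb:cc", "0003-6c00-0001"]).items():
        print(f"{mac:20} -> {kind}")
```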
598. words

No.   Attribute                   No.     Attribute
10    Framed-Routing              54      (unassigned)
11    Filter-ID                   55      Event-Timestamp
12    Framed-MTU                  56-59   (unassigned)
13    Framed-Compression          60      CHAP-Challenge
14    Login-IP-Host               61      NAS-Port-Type
15    Login-Service               62      Port-Limit
16    Login-TCP-Port              63      Login-LAT-Port
17    (unassigned)                64      Tunnel-Type
18    Reply-Message               65      Tunnel-Medium-Type
19    Callback-Number             66      Tunnel-Client-Endpoint
20    Callback-ID                 67      Tunnel-Server-Endpoint
21    (unassigned)                68      Acct-Tunnel-Connection
22    Framed-Route                69      Tunnel-Password
23    Framed-IPX-Network          70      ARAP-Password
24    State                       71      ARAP-Features
25    Class                       72      ARAP-Zone-Access
26    Vendor-Specific             73      ARAP-Security
27    Session-Timeout             74      ARAP-Security-Data
28    Idle-Timeout                75      Password-Retry
29    Termination-Action          76      Prompt
30    Called-Station-Id           77      Connect-Info
31    Calling-Station-Id          78      Configuration-Token
32    NAS-Identifier              79      EAP-Message
33    Proxy-State                 80      Message-Authenticator
34    Login-LAT-Service           81      Tunnel-Private-Group-id
35    Login-LAT-Node              82      Tunnel-Assignment-id
36    Login-LAT-Group             83      Tunnel-Preference
37    Framed-AppleTalk-Link       84      ARAP-Challenge-Response
38    Framed-AppleTalk-Network    85      Acct-Interim-Interval
39    Framed-AppleTalk-Zone       86      Acct-Tunnel-Packets-Lost
40    Acct-Status-Type            87      NAS-Port-Id
41    Acct-Delay-Time             88      Framed-Pool
42    Acct-Input-Octets           89      (unassigned)
43    Acct-Output-Octets          90      Tunnel-Client-Auth-id
44    Acct-Session-Id             91      Tunnel-Server-Auth-id

NOTE: This table lists the att
599. works without QoS 466
QoS requirements of new applications 466
Congestion: causes, impacts, and countermeasures 467
[title unreadable] 468
[title unreadable] 468
[title unreadable] 469
Queue scheduling 471
[title unreadable] 473
[title unreadable] 474
Introduction to priority mapping 475
Configuration guidelines 476
Recommended QoS configuration procedures 476
Adding [unreadable] 478
Configuring classification rules 479
Adding a traffic behavior 480
Configuring traffic mirroring and traffic redirecting for a traffic behavior 481
Configuring other actions for a traffic behavior 48
Adding a policy 483
Configuring classifier-behavior associations for the policy 484
Applying a policy [unreadable] 484
Configuring queue scheduling 485
Configu
600. y assigns a link-local address to the VLAN interface according to the link-local address prefix (FE80::/64) and the link-layer address of the VLAN interface.
• Manual: Configures an IPv6 link-local address for the VLAN interface manually.

Admin Status
Select Up or Down from the Admin Status list to bring up or shut down the selected VLAN interface. When the VLAN interface fails, shut down and then enable the VLAN interface, which might restore the VLAN interface. By default, a VLAN interface is down if all Ethernet ports in the VLAN are down. Otherwise, the VLAN interface is up.
When you set the admin status, follow these guidelines:
• The current VLAN interface state in the Modify IPv4 Address and Modify IPv6 Address frames changes as the VLAN interface state is modified in the Admin Status list.
• The state of each port in the VLAN is independent of the VLAN interface state.

Add IPv6 Unicast Address
Assign an IPv6 site-local address or global unicast address to the VLAN interface. Enter an IPv6 address in the field and select a prefix length in the list next to it. The prefix of the IPv6 address you entered cannot be FE80::/10, the prefix of the link-local address. The prefix of the IPv6 site-local address you enter must be FEC0::/10.
Select the box to generate IPv6 site-local addresses or global unicast addresses in the 64-bit Extended Unique Identifier (EUI-64) format. If the EUI-64 box is not spe