3Com 10014298 Switch User Manual

Contents

1. Figure 26 Comparison Between the Unicast and Multicast Transmission (figure; labels: Unicast, Receiver, Server). A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and it is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously. A router that does not support multicast may exist on the network. A multicast router can encapsulate multicast packets in unicast IP packets by tunneling and sending them on to the neighboring multicast router. The neighboring multicast router removes the unicast IP header and continues the multicast transmission. Multicast advantages: enhanced efficiency by reducing network traffic and relieving server and CPU loads; optimized performance, since it decreases traffic redundancy; distributed applications, since it makes multipoint applications possible. Configuring an IP Multicast Overview is described in the following sections: Mu
2. (figure; labels: PC user2, PC user4, Accounting server1, Switch 7700, ISP1, ISP2, Internet.) Configuring AAA. AAA configuration includes tasks that are described in the following sections: Creating/Deleting an ISP Domain; Configuring Relevant Attributes of an ISP Domain; Creating a Local User; Setting Attributes of a Local User; Disconnecting a User by Force. Among the above configuration tasks, creating an ISP domain is required; otherwise the supplicant attributes cannot be distinguished. The other tasks are optional and you can configure them as required. Creating/Deleting an ISP Domain. An ISP domain is a group of users belonging to the same ISP. Taking gw20010608@3com163.net as an example, in the userid@isp-name format the isp-name, i.e. 3com163.net, following the @ is the ISP domain name. When the Switch 7750 controls user access, for an ISP user whose username is in userid@isp-name format, the system will take the userid part as the username for identification and take the isp-name part as the domain name. The purpose of introducing ISP domain settings is to support the multi-ISP application environment. In such an environment, one access device might access users of different ISPs. Because the attributes of ISP users, such as username support and password form
3. (figure; labels: Multicast group member, Non-multicast group member.) Packets are not forwarded to all ports when IGMP operates. See Figure 29. Figure 29 (figure; labels: Layer 2 Ethernet switch, Internet/intranet, VOD server, Video stream, Multicast group member, Non-multicast group member). Implement IGMP Snooping. This section introduces related switch concepts of IGMP Snooping. Router port: the port directly connected to the multicast router. Multicast member port: the port connected to the multicast member. The multicast member refers to a host that joined a multicast group. MAC multicast group: the multicast group is identified with a MAC multicast address and maintained by the Switch 7750. Router port aging time: the time set on the router port aging timer. If the switch has not received any IGMP general query messages before the timer times out, the port is no longer considered a router port. Multicast group member port aging time: when a port joins an IP multicast group, the aging timer of the port begins timing. If the switch has not received any IGMP report messages before the timer times out, it transmits an IGMP specific query message to the port. Maximum response time: when the switch transmits an IGMP specific query message to the multicast member port, the Switc
4. Configuring DHCP is described in the following sections: Configuring DHCP Relay; Troubleshooting a DHCP Relay Configuration. DHCP relay configuration includes tasks described in the following sections: Configuring a DHCP Server IP Address in a DHCP Server Group; Configuring the DHCP Server Group for the VLAN Interface; Configuring the Address Table Entry; Enabling/Disabling DHCP Security Features; Displaying and Debugging DHCP Relay. The server IP address is associated through its DHCP server group with a specific VLAN interface. This implementation differs from others in which the server IP is a global parameter. Configuring a DHCP Server IP Address in a DHCP Server Group. Perform the following configuration in System view. Table 69 Configure/Delete the IP Address of the DHCP Server: Configure the IP address for a DHCP Server: dhcp-server groupNo ip ipaddress1 ipaddress2. Remove all the IP addresses of the DHCP Server (set the IP addresses of the primary and secondary servers to 0): undo dhcp-server groupNo. The backup server IP address cannot be configured independently; instead it has to be configured together with the master server IP address. By default, the IP address of the DHCP Server is not configured. The DHCP Server address must be configured befor
5. (figure; labels: Network port, Console port, Switch.) Enter the system view of the switch: <SW7750> system-view. Add a MAC address, specify the native VLAN, port and state: [SW7750] mac-address static 00e0-fc35-dc71 interface Ethernet 1/0/2 vlan 1. Set the address aging time to 500s: [SW7750] mac-address timer 500. Display the MAC address configurations in all views: [SW7750] display mac-address interface Ethernet 1/0/2. Output columns: MAC ADDR, VLAN ID, STATE, PORT INDEX, AGING TIME(s); rows as recovered from the scan: 00e0-fc35-dc71 Static Ethernet1/0/2 NOAGED; 00e0-fc17-a7d6 Learned Ethernet1/0/2 300; 00e0-fc5e-b1fb Learned Ethernet1/0/2 300; 00e0-fc55-f116 Learned Ethernet1/0/2 300. Managing Devices. With device management, the Switch 7750 displays the current state and event debugging information about the slots and physical devices. In addition, there is a command for rebooting the system when a function failure occurs. Designating the APP for the Next Boot. Configuring the Managing Devices is described in the following sections: Designating the APP for the Next Boot; Displaying Devices. In the case that there are several operational images in the flash memory, you can use this command to designate the operational file (app) to use when the Switch 7750 is booted. Perform the following configuration in user view. Table 276 Designating the APP for the next boot: Designate the APP fo
6. (figure residue; label: 1.88.255.35.) 1 Configure the DHCP Server IP addresses into DHCP Server Group 1: [SW7750] dhcp-server 1 ip 1.99.255.36 1.99.255.35. 2 Associate DHCP Server Group 1 with VLAN interface 2: [SW7750-VLAN-Interface2] dhcp-server 1. 3 Configure the IP address corresponding to DHCP server group 2: [SW7750] dhcp-server 2 ip 1.88.255.36 1.88.255.35. 4 Associate the DHCP Server Group 2 with VLAN interface 3: [SW7750-VLAN-Interface3] dhcp-server 2. 5 Configure the corresponding interface and gateway address of VLAN2: [SW7750] vlan 2; [SW7750-vlan2] port Ethernet 1/0/2; [SW7750] interface vlan 2; [SW7750-VLAN-Interface2] ip address 1.1.2.1 255.255.0.0. Configure the corresponding interface and gateway address of VLAN3: [SW7750] vlan 3; [SW7750-vlan3] port Ethernet 1/0/3; [SW7750] interface vlan 3; [SW7750-VLAN-Interface3] ip address 21.2.2.1 255.255.0.0. It is necessary to configure a VLAN for the servers. The corresponding interface VLAN of DHCP server group 1 is configured as 4000 and that of group 2 is configured as 3001: [SW7750] vlan 4000; [SW7750-vlan4000] port Ethernet 1/0/4; [SW7750] interface vlan 4000; [SW7750-VLAN-Interface4000] ip address 1.99.255.1 255.255.0.0; [SW7750] vlan 3001; [SW7750-vlan3001] port Ethernet 1/0/5; [SW7750] interface vlan 3001; [SW7750-VLAN-Interface3001] ip address 1.88.255.1 255.255.0.0. In t
7. Operation/Command: Enable receiving host routes: host-route. Disable receiving host routes: undo host-route. By default, the router receives the host route. Enabling RIP-2 Route Aggregation. Route aggregation means that different subnet routes in the same natural network can be aggregated into one natural-mask route for transmission when they are sent to other outside networks. Route aggregation can be performed to reduce the routing traffic on the network as well as to reduce the size of the routing table. RIP-1 only sends the routes with natural mask, that is, it always sends routes in the route aggregation form. RIP-2 supports subnet masks and classless inter-domain routing. To advertise all the subnet routes, the route aggregation function of RIP-2 can be disabled. Perform the following configurations in RIP view. Table 91 Enabling Route Aggregation: Enable the automatic aggregation function of RIP-2: summary. Disable the automatic aggregation function of RIP-2: undo summary. By default, RIP-2 uses the route aggregation function. Setting RIP-2 Packet Authentication. RIP-1 does not support packet authentication. However, you can configure packet authentication on RIP-2 interfaces. RIP-2 supports two authentication modes: Simple authentication. This mode does not ensure security. The key is not encrypted and can be seen in a network trace, so simple authentication should not be applied when there are h
8. Enable the IGMP information debugging: debugging igmp all event host packet timer. Disable the IGMP information debugging: undo debugging igmp all event host packet timer. IGMP Snooping. IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on layer 2. It is used for multicast group management and control. IGMP Snooping runs on the link layer. When receiving IGMP messages, the Switch 7750 uses IGMP Snooping to analyze the information. If the switch hears an IGMP host report message from an IGMP host, it adds the host to the corresponding multicast table. If the switch hears an IGMP leave message from an IGMP host, it will remove the host from the corresponding multicast table. The switch continuously listens to the IGMP messages to create and maintain a MAC multicast address table on Layer 2. It can then forward the multicast packets transmitted from the upstream router according to the MAC multicast address table. When IGMP Snooping is disabled, the packets are multicast to all ports. See Figure 28. Figure 28 Multicast Packet Transmission Without IGMP Snooping (figure; labels: Multicast router, Internet/Intranet, VOD Server, Layer 2 Ethernet Switch, Video stream).
9. [SW7750] snmp-agent community read 3com acl 2000; [SW7750] snmp-agent group v2c 3comgroup acl 2001; [SW7750] snmp-agent usm-user v2c 3comuser 3comgroup acl 2002. STP Operation. This chapter covers the following topics: STP Overview; Configuring STP; MSTP Overview; Configuring MSTP. STP Overview. Spanning Tree Protocol (STP) is applied in a loop network to block undesirable redundant paths. Using STP avoids the proliferation and infinite cycling of a packet in a loop network. The fundamental feature of STP is that the switches exchange packets called configuration Bridge Protocol Data Units (BPDU) to decide the topology of the network. The configuration BPDU contains the information that ensures that switches can compute the spanning tree. The configuration BPDU contains the following information: the root ID, consisting of root priority and MAC address; the cost of the shortest path to the root; a designated switch ID, consisting of designated switch priority and MAC address; a designated port ID, consisting of port priority and port number; the age of the configuration BPDU (MessageAge); the maximum age of the configuration BPDU (MaxAge); a configuration BPDU interval (HelloTime); a forward delay of the port (ForwardDelay). Configuring STP. STP configuration is described in the following sections: Designating Switches and Ports; Calculating the STP Algorithm;
10. Common Root Bridge. The common root bridge refers to the root bridge of the CIST. There is only one common root bridge in the network. Boundary port. The boundary port refers to the port located at the edge of the MST region. The boundary port connects different MST regions, an MST region and an STP region, or an MST region and an RSTP region. For MSTP calculation, the boundary port has the same role on the MSTI and CIST instance. For example, a boundary port serving as a master port on the CIST instance should serve as a master port on every MSTI in the region. Port role. In the process of MSTP calculation, a port can serve as a designated port, root port, master port, alternate port or backup port. The root port is the port through which the data is forwarded to the root. The designated port is the one through which the data is forwarded to the downstream network segment or switch. The master port is the port connecting the entire region to the common root bridge and located on the shortest path between them. An alternate port is the backup of the master port. When the master port is blocked, the alternate port takes its place. If two ports of a switch are connected, there must be a loop. In this case the switch will block one of them. The blocked port is called the backup port. A port can play different roles in different spanning tree instances. Figure 54 illustrates these concepts. MSTP Principles. Figure 54 Port Roles
11. If the existing PIM neighbors exceed the configured value during configuration, they are not deleted. Displaying and Debugging PIM-DM. Execute the display command in all views to display the running of the PIM-DM configuration and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of PIM-DM. Table 144 Displaying and Debugging PIM-DM: Display the PIM multicast routing table: display pim routing-table g group-address mask mask-length mask rp rp-address mask mask-length mask group-address mask mask-length mask source-address mask mask-length mask incoming-interface interface-type interface-num interface-name null dense-mode sparse-mode. Display the PIM interface information: display pim interface interface-type interface-number. Display the information about PIM neighboring routers: display pim neighbor interface interface-type interface-number. Enable the PIM debugging: debugging pim common all event packet timer. Disable the PIM debugging: undo debugging pim common all event packet timer. Enable the PIM-DM debugging: debugging pim dm alert all mbr mrt timer warning recv send all assert graft graft-ack join prune. Table 144 (continued) Displaying and Debugging PIM-DM: Di
12. 2 Set the access control mode. This command cannot be configured when MAC-based is already the default mode: [SW7750] dot1x port-method macbased interface ethernet 1/0/2. 3 Create the RADIUS group radius1 and enter its configuration mode: [SW7750] radius scheme radius1. 4 Set the IP addresses of the primary authentication/accounting RADIUS servers: [SW7750-radius-radius1] primary authentication 10.11.1.1; [SW7750-radius-radius1] primary accounting 10.11.1.2. Set the IP addresses of the secondary authentication/accounting RADIUS servers: [SW7750-radius-radius1] secondary authentication 10.11.1.2; [SW7750-radius-radius1] secondary accounting 10.11.1.1. Set the encryption key used when the system exchanges packets with the authentication RADIUS server: [SW7750-radius-radius1] key authentication name. Set the encryption key used when the system exchanges packets with the accounting RADIUS server: [SW7750-radius-radius1] key accounting money. Set the timeout and the number of times for the system to retransmit packets to the RADIUS server: [SW7750-radius-radius1] timer 5; [SW7750-radius-radius1] retry 5. Set the interval for the system to transmit real-time accounting packets to the RADIUS server: [SW7750-radius-radius1] timer realtime-accounting 15. Configure the system to transmit the user name to the RADIUS server after removing the domain name: [SW7750-radius-radius1] user-name-format without-domain. [SW7750
13. For more about the commands, see the Switch 7750 Command Reference Guide. Upon a change of the path cost of a port, MSTP will recalculate the port role and transit the state. When instance-id takes 0, it indicates setting the path cost on the CIST. By default, MSTP is responsible for calculating the port path cost. Specify the Standard To Be Followed in Path Cost Calculation. The following standards are currently available on the switch: dot1d-1998: the switch calculates the default Path Cost of a port by the IEEE 802.1D-1998 standard; dot1t: the switch calculates the default Path Cost of a port by the IEEE 802.1t standard; legacy: the switch calculates the default Path Cost of a port by the Huawei-3Com standard. You can specify the intended standard by using the following commands. Perform the following configuration in system view. Table 204 Specifying the Standard To Be Followed in Path Cost Calculation: Specify the standard to be adopted when the switch calculates the default Path Cost for the connected link: stp pathcost-standard dot1d-1998 dot1t legacy. Restore the default standard to be used: undo stp pathcost-standard. By default, the switch calculates the default Path Cost of a port by the IEEE 802.1t standard. Table 205 Cost Corresponding to the Port Speed of Different Standards (columns: Link speed, Duplex state, dot1d-1998 value range, dot1t value range, Huawei-3Com cost value; first row as recovered: 0, 65535, 200 000, 0
14. If a router in a network is regarded as a node and a route segment in the Internet is regarded as a link, message routing in the Internet works in a similar way to message routing in a conventional network. Routing a message through the shortest route may not always be the optimal route. For example, routing through three LAN route segments may be much faster than a route through two WAN route segments. Configuring the IP Routing Protocol Overview is described in the following sections: Selecting Routes Through the Routing Table; Routing Management Policy. For the router, a routing table is the key to forwarding packets. Each router saves a routing table in its memory, and each entry in this table specifies the physical port of the router through which a packet is sent to a subnet or a host. The packet can reach the next router over a particular path or reach a destination host through a directly connected network. A routing table has the following key entries: A destination address, which identifies the destination IP address or the destination network of the IP packet and is 32 bits in length. A network mask, which is made up of several consecutive 1s and can be expressed either in dotted decimal format or by the number of consecutive 1s in the mask. Combined with the destination address, the network mask identifies the network address of the destination host or router. With the destination address and the network mas
15. NTP configuration examples are shown in the following: Example: Configuring NTP Servers; Example: Configuring NTP Peers; Example: Configuring NTP Broadcast Mode; Example: Configuring NTP Multicast Mode; Example: Configuring Authentication-Enabled NTP Server Mode. Example: Configuring NTP Servers. On SW77501, set the local clock as the NTP master clock at stratum 2. On SW77502, configure SW77501 as the time server in server mode and set the local equipment in client mode. Figure 66 Typical NTP Configuration Networking Diagram (figure; labels: Vlan-interface2, Vlan-interface A, 1.0.1.11, 3.0.1.32, 10.1.12, SW77000 through SW77005). Configure the Switch SW77501: 1 Enter system view: <SW77501> system-view. 2 Set the local clock as the NTP master clock at stratum 2: [SW77501] ntp-service refclock-master 2. Configure Ethernet Switch SW77502: 1 Enter system view: <SW77502> system-view. 2 Set SW77501 as the NTP server: [SW77502] ntp-service unicast-server 1.0.1.11. The above examples synchronize SW77502 by SW77501. Before the synchronization, SW77502 shows the following status: [SW77502] display ntp-service status: clock status: unsynchronized; clock stratum: 16; reference clock ID: none; nominal frequency: 100.0000 Hz; actual
16. Setting the Size of an SNMP Packet Sent or Received by an Agent. Use the following commands to set the size of SNMP packets sent or received by an agent. The agent can receive or send SNMP packets ranging from 484 bytes to 17940 bytes. By default, the size of an SNMP packet is 1500 bytes. Perform the following configuration in system view. Table 309 Setting the Size of an SNMP Packet Sent or Received by an Agent: Set the size of an SNMP packet sent or received by an agent: snmp-agent packet max-size byte-count. Restore the default size of an SNMP packet sent or received by an agent: undo snmp-agent packet max-size. Enabling and Disabling Transmission of Trap Information. To enable or disable transmission of trap information, perform the following configuration in Ethernet port view. Table 310 Enable/Disable Transmission of Trap Information: Enable the current port to transmit the trap information: enable snmp trap updown. Disable the current port from transmitting trap information: undo enable snmp trap updown. Disabling the SNMP Agent. To disable the SNMP Agent, perform the following configuration in system view. Table 311 Disabling SNMP Agent: Disable snmp agent: undo snmp-agent. If a user disables the SNMP Agent, it is enabled again whenever any snmp-agent command is configured. Displaying and Debugging SNMP. Execute the d
17. link-group acl-number acl-name rule rule cpu interface interface-name interface-type interface-num. Remove traffic redirection: undo traffic-redirect inbound ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule. Note that the packets cannot be forwarded normally when they are redirected to the CPU. Traffic redirection is only available to the permitted rules in the ACL. Only the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X SFP I/O modules support this configuration. Relabeling the Priority Level. Relabeling the priority level creates a policy to tag the priority of the packets that match the ACL. The new priority can be filled in the priority field of the packet header. Perform the following configuration in QoS view. Table 181 Relabeling the Priority Level: Relabel traffic priority: traffic-priority inbound outbound ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule dscp dscp-value ip-precedence pre-value local-precedence pre-value. Cancel the traffic priority marking: undo traffic-priority inbound outbound ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule. The Switch 7750 tags the packets with the IP precedence specified by ip-precedence in the traffic-p
18. (figure; labels: PC, Telnet client, Telnet server.) 1 Authenticate the Telnet user through the console port on the Telnet Server (Switch 7750) before login. By default, a password is required for authenticating the Telnet user to log in to the Switch 7750. If a user logs in to Telnet without a password, the system displays the following message: Login password has not been set. 2 Enter system view (return to user view by pressing Ctrl+Z): <SW7750> system-view; [SW7750] user-interface vty 0; [SW7750-ui-vty0] set authentication password simple cipher xxxx. xxxx is the preset login password of the Telnet user. 3 Log in to the Telnet client (Switch 7750). For the login process, see Connecting the PC to the Switch 7750. 4 Perform the following operations on the Telnet client: <SW7750> telnet xxxx. xxxx can be the hostname or IP address of the Telnet Server. If it is the hostname, you must use the ip host command to specify it. 5 Enter the preset login password. The Switch 7750 prompt <SW7750> displays. If the message "All user interfaces are used, please try later" displays, try to connect later. 6 Use the appropriate commands to configure the Switch 7750 or view its operational state. Enter ? to get immediate help. For details on a specific command, refer to the appropriate chapter in this guide. Configuring Through a Dial-up Modem. To configure your router through a dial-up modem: 1 Authenticate the modem user through
19. Perform the following configurations in Ethernet port view. Table 59 Enabling/Disabling Port GVRP: Enable port GVRP: gvrp. Disable port GVRP: undo gvrp. You should enable GVRP globally before you enable it on the port. GVRP can only be enabled or disabled on a trunk port. By default, global GVRP is disabled. Setting the GVRP Registration Type. GVRP includes normal, fixed and forbidden registration types (see IEEE 802.1Q). When an Ethernet port registration type is set to normal, the dynamic and manual creation, registration and logout of VLANs are allowed on this port. When a trunk port registration type is set to fixed, the system adds the port to the VLAN if a static VLAN is created on the switch and the trunk port allows the VLAN to pass. GVRP also adds this VLAN item to the local GVRP database (one link table for GVRP maintenance). However, GVRP cannot learn dynamic VLANs through this port, and dynamic VLANs learned from other ports of the local switch will not be able to send declarations to the outside through this port. When an Ethernet port registration type is set to forbidden, all the VLANs except VLAN1 are logged out and no other VLANs can be created or registered on this port. Perform the following configurations in Ethernet port view. Table 60 Setting the GVRP Registration Type: Set GVRP registration type: gvrp registration normal fix
20. Port Configuration on page 35. The port number preceding the keyword to must be smaller than the number following to. All ports within the specified range must be of the same type. The &<1-10> of the command specifies the repetition times of the parameter, ranging from 1 to 10. In addition, you cannot specify any trunk ports. By default, the system adds all ports to VLAN1. Table 53 describes how incoming packets are treated when they pass through ports that are members of both tagged and protocol-based VLANs. Table 53 Incoming Packets in Tagged and Protocol-Based VLANs (columns: Receiving Port on the VLAN; Incoming Packet: Tagged; Incoming Packet: Untagged; Default VLAN (PVID)): for a tagged receiving port, a tagged packet gets a VLAN check (802.1q); for an untagged receiving port, a tagged packet gets a VLAN check; in both cases an untagged packet is matched against a protocol VLAN if a protocol VLAN is configured, and is added to the PVID if there is no match or no protocol VLAN is configured. Configuring protocol-based VLANs includes tasks described in the following sections: Creating and Deleting a VLAN Protocol Type; Creating and Deleting the Association Between a Port and a Protocol-Based VLAN. Protocol-based VLANs are supported only in the 48-port 10/100BASE-T Auto-sensing FE, 24-port 100BASE-FX MMF FE, 8-port 1000BASE-X GE and 8-port 10/100/1000BASE-T GE I/O modules. 1 Creating and Deleting a V
21. acl-number. Display the address prefix list information: display ip ip-prefix ip-prefix-name. Routing information filtering cannot be implemented in normal operation of the routing protocol. Check for the following faults: The if-match mode of at least one node of the route-policy should be the permit mode. When a route-policy is used for routing information filtering, if a piece of routing information does not pass the filtering of any node, then the route information does not pass the filtering of the route-policy. When all the nodes of the route-policy are in deny mode, no routing information can pass the filtering of the route-policy. The if-match mode of at least one list item of the ip-prefix should be the permit mode. The list items of the deny mode can be defined to rapidly filter the routing information not satisfying the requirement, but if all the items are in deny mode, no routes will pass the ip-prefix filtering. You can define an item of permit 0.0.0.0 0 less-equal 32 after the multiple list items in deny mode so as to let all the other routes pass the filtering. If less-equal 32 is not specified, only the default route will be matched. Configuring Route Capacity. In practical networking applications there is always a large number of routes in the routing table. The routing information is usually stored in the memory of the Ethernet switch. Wh
22. ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule. Cancel the traffic statistics configuration: undo traffic-statistic inbound outbound ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule. Display the statistics information: display qos-info traffic-statistic interface-name interface-type interface-num traffic-statistic. For details about the command, see the Switch 7750 Command Reference Guide. Displaying and Debugging QoS. After you configure QoS, execute the display command in all views to display the QoS configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the QoS module. Table 184 Display and Debug QoS: Display port mirroring configuration: display mirroring-group groupid. Display the mapping relationship between CoS and local precedence: display qos cos-local-precedence-map. Further operations in the table (commands truncated in the scan, beginning display qos interfac): Display line rate for outbound packets; Display traffic redirection; Display the parameter settings of all the QoS actions; Display the queue scheduling mode and parameter; Display the parameter settings of rate limit; Display the settings of priority tag; Display information about the traffic statistics; Display the information about traffic bandwidth; Display the information about the RED operation.
23. isp-name. display connection access-type dot1x domain domain-name interface interface-type interface-number ip ip-address mac mac-address radius-scheme radius-scheme-name vlan vlanid ucibindex ucib-index user-name user-name. display local-user domain isp-name idle-cut disable enable service-type telnet ftp lan-access terminal state active block user-name user-name vlan vlan-id. display local-server statistics. display radius radius-scheme-name. display radius statistics. display stop-accounting-buffer radius-scheme radius-scheme-name session-id session-id time-range start-time stop-time user-name user-name. display hwtacacs hwtacacs-scheme-name. display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name. reset stop-accounting-buffer radius-scheme radius-scheme-name session-id session-id time-range start-time stop-time user-name user-name. Table 256 Displaying and Debugging AAA and RADIUS/HWTACACS Protocol: Clear stop-accounting packets from the buffer: reset stop-accounting-buffer radius-scheme radius-scheme-name session-id session-id time-range start-time stop-time user-name user-name. Reset the statistics of the RADIUS server: reset radius statistics. Clear stop-accounting packets from the buffer: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-n
24. Port role. There are 4 MST regions in Figure 53. MSTP Overview. Figure 53 MSTP Concepts (figure; recovered labels: Region A0: vlan 1 mapped to Instance 1, vlan 2 mapped to Instance 2, other vlans mapped to CIST; CIST: Common and Internal Spanning Tree; MSTI: Multiple Spanning Tree Instance; Region A0: vlan 1 mapped to Instance 1 (region root B), vlan 2 and 3 mapped to Instance 2 (region root C), other vlans mapped to CIST; Region B0: vlan 1 mapped to Instance 1, vlan 2 mapped to Instance 2, other vlans mapped to CIST; CST: Common Spanning Tree; BPDU; Region C0: vlan 1 mapped to Instance 1, vlan 2 and 3 mapped to Instance 2, other vlans mapped to CIST). MST Region. A multiple spanning tree region contains several physically and directly connected MSTP-capable switches sharing the same region name, VLAN-to-spanning-tree mapping configuration and MSTP revision level configuration, and the network segments between them. There can be several MST regions on a switching network. You can group several switches into an MST region using MSTP configuration commands. For example, in Figure 53, in MST region A0 the 4 switches are configured with the same region name and vlan mapping table: VLAN1 mapped to instance 1
25. Configure IP Address and Host Name for a Host
Perform the following configuration in System view.
Table 62 Configure the Host Name and the Corresponding IP Address
Operation | Command
Configure the host name and the corresponding IP address | ip host hostname ip-address
Delete the host name and the corresponding IP address | undo ip host hostname [ ip-address ]
By default, there is no host name associated with any host IP address.
Configuring the IP Address of the VLAN Interface
You can configure an IP address for every VLAN interface of the Ethernet Switch.
Configuring IP Address 69
Perform the following configuration in VLAN interface view.
Table 63 Configure IP Address for a VLAN Interface
Operation | Command
Configure IP address for a VLAN interface | ip address ip-address net-mask [ sub ]
Delete the IP address of a VLAN interface | undo ip address [ ip-address { net-mask | mask-length } ] [ sub ]
The network ID of an IP address is identified by the mask. For example, the IP address of a VLAN interface is 129.9.30.42 and the mask is 255.255.0.0. After performing the AND operation on the IP address and the mask, you can assign that device to the network segment 129.9.0.0. Generally it is sufficient to configure one IP address for an interface. However, you can also configure more than one IP address for an interface so that it can be connected to several subnets. Among these IP addresses, one is the primary IP address and all
26. In IGMP Version 1, hosts leave the multicast group quietly without informing the multicast router. The multicast router can only depend on the timeout of the response time to confirm when hosts leave the group. In Version 2, when a host leaves a multicast group, it will send a leave group message.
- Specific group query: In IGMP Version 1, a query of multicast routers is targeted at all the multicast groups on the network segment. This is known as General Query. In IGMP Version 2, besides general query, Group-Specific Query is added. The destination IP address of the query packet is the IP address of the multicast group. The group address field in the packet is also the IP address of the multicast group. This prevents the hosts that are members of other multicast groups from sending response messages.
- Max response time: The Max Response Time was added in IGMP Version 2. It is used to dynamically adjust the allowed maximum time for a host to respond to the membership query message.
Once multicast is enabled, IGMP will automatically run on each interface. Generally, IGMP does not need to be configured. In the following configuration, only the first one is mandatory.
Basic IGMP configuration includes:
- Enabling Multicast
- Enabling IGMP on an Interface
118 CHAPTER 6 MULTICAST PROTOCOL
Advanced IGMP configuration includes:
- Configuring the IGMP Version
- Configuring the Interval for Sending the IGMP Group-Specific Query Packet
- C
27. (table residue: MAC A | Port 2)
The Switch 7750 also provides the function of MAC address aging. If the switch does not receive a packet from a MAC address for a set period of time, it will delete the related entry from the MAC address table. You can add or modify MAC address entries manually according to the actual networking environment. The entries can be static or dynamic.
MAC address table management includes:
- Setting MAC Address Table Entries
- Disabling or Enabling Global MAC Address Learning
- Disabling or Enabling MAC Address Learning on a Port
- Setting MAC Address Aging Time
- Displaying and Debugging the MAC Address Table
Setting MAC Address Table Entries
You can manually add, modify or delete entries in a MAC address table according to actual needs; you can also delete all unicast MAC address table entries related to a specified port, or delete a specified type of entries, such as dynamic or static entries. Use the following commands to add, modify or delete the entries in the MAC address table. Perform the following configuration in system view.
Table 271 Setting MAC Address Table Entries
Operation | Command
Add or modify an address entry | mac-address { static | dynamic } hw-addr interface { interface-name | interface-type interface-num }
Delete an address entry | undo mac-address { static | dynamic } mac-address interface { interface-name | interface-type interface-num } vlan id
Disabling or Enabling Global MAC Add
28. MSTP divides the entire Layer 2 network into several MST regions and calculates and generates a CST for them. Multiple spanning trees are generated in a region, and each of them is called an MSTI. Instance 0 is called the IST and the others are called MSTIs.
CIST calculation: The CIST root is the highest-priority switch elected from the switches on the entire network by comparing their configuration BPDUs. MSTP calculates and generates an IST in an MST region and also the CST connecting the regions. The CIST is the unique single spanning tree of the entire switching network.
MSTI calculation: Inside an MST region, MSTP generates different MSTIs for different VLANs according to the association between the VLAN and the spanning tree. In this way, the packets of a VLAN travel along the corresponding MSTI inside the MST region and along the CST between different regions.
Configuring MSTP
Configuring MSTP includes tasks that are described in the following sections:
- Configuring the MST Region for a Switch
- Specifying the Switch as Primary or Secondary Root Switch
- Configuring the MSTP Running Mode
- Configuring the Bridge Priority for a Switch
- Configuring the Max Hops in an MST Region
- Configuring the Switching Network Diameter
- Configuring the Time Parameters of a Switch
- Configuring the Max Transmission Speed on a Port
- Configuring a Port as an Edge Port
190 CHAPTER 8 STP OPERATION
Configuring the MST Region for a Swit
29. RED operation is set so that the queue length that triggers random discarding ranges from 64 Kbytes to 128 Kbytes. The probability for random discarding is 20%. The 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X (SFP) I/O modules do not support this configuration.
Figure 45 RED
[Figure: switch ports E3/0/8 and E3/0/2; host 2.0.0.1 attached.]
To create this configuration:
1. Define the time range 8:00 to 18:00.
[SW7750] time-range 3com 8:00 to 18:00 daily
2. Define traffic rules for the packets of IP address 1.0.0.1.
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule 0 permit ip source 1.0.0.1 0.0.0.0 time-range 3com
3. Run the RED operation for the packets of IP address 1.0.0.1 and view the configuration with the display command.
Enter QoS view:
[SW7750-Ethernet3/0/8] qos
[SW7750-qoss-Ethernet3/0/8]
Run RED operation for the packets of IP address 1.0.0.1 and view the configuration with the display command:
[SW7750-qoss-Ethernet3/0/8] traffic-red outbound ip-group 1 rule 0
[SW7750] display qos-interface Ethernet3/0/8 traffic-red
Traffic Bandwidth
For the packets sent between 8:00 and 18:00 each day to the port E3/0/8, the minimum bandwidth for those of source IP address 1.0.0.1 is 20M, the maximum bandwidth is 60M, with a bandwidth weight of 40. The minimum bandwidth for those of source IP address 2.0.0.1 is 20M, the maximum bandwidth is 60M, with a bandwidth weight of 60.
174 CHAPTER 7 QOS OPERATION
The 20-Port
30. Set the encryption key as "name" when the system exchanges packets with the authentication RADIUS server and "money" when the system exchanges packets with the accounting RADIUS server. Configure the system to retransmit packets to the RADIUS server if no response is received in 5 seconds; retransmit the packet no more than 5 times in all. Configure the system to transmit a real-time accounting packet to the RADIUS server every 15 minutes. The system is instructed to transmit the user name to the RADIUS server after removing the user domain name. The user name of the local 802.1x access user is localuser and the password is localpass, input in plain text. The idle-cut function is enabled.
Figure 56 Enabling 802.1x and RADIUS to Perform AAA on the Requester
[Figure: Authentication servers (RADIUS server cluster, IP addresses 10.11.1.1 and 10.11.1.2); Switch acting as Authenticator, port E1/0/2; Requestor.]
The following examples concern most of the AAA/RADIUS configuration commands. The configurations for accessing the user workstation and the RADIUS server are omitted.
1. Enable the 802.1x performance on the specified port Ethernet 1/0/2.
[SW7750] dot1x interface ethernet 1/0/2
31. ... acl-name ] rule rule ] not-care-for-interface
ARP packets are always permitted to pass through the switch. You can't use the packet-filter command to filter ARP packets. See the Switch 7750 Command Reference Guide for additional details.
Displaying and Debugging an ACL
After you configure an ACL, execute the display command in all views to display the ACL configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the ACL module.
Table 168 Display and Debug ACL
Operation | Command
Display the status of the time range | display time-range { all | name }
Display the detail information about the ACL | display acl config { all | acl-number | acl-name }
Display the ACL mode chosen by the switch | display acl mode
ACL Configuration Examples Access Control
Table 168 Display and Debug ACL (continued)
Operation | Command
Display the information about the ACL | display acl running-packet-filter { all | running-state | interface { interface-name | interface-type interface-num } }
Clear ACL counters | reset acl counter { all | acl-number | acl-name }
The matched information of the display acl config command specifies the rules treated by the switch's CPU. The matched information of the data transmitted by the switch can be displayed with the display qos-info traffic-statistic command. For a description of the syntax of these commands, see the Switch 7750 Command Refer
32. ... corresponding logging files. Configuring the facility, severity, filter and the file /etc/syslog.conf together makes it possible to perform detailed classification for the purpose of information filtering. If you are using a UNIX workstation as a syslog server, consult your UNIX system manager manual for syslog configuration information.
Example Log Configuration
Configure to output log on the console as follows:
Enable the logging system:
[SW7750] info-center enable
Configure the logging output of the console and allow the log output of the RSTP module with the severity ranging from emergencies to debugging:
[SW7750] info-center console channel console
[SW7750] info-center source rstp channel 6 log level debugging
Enable RSTP module debugging:
<SW7750> debugging rstp all
Configure the info-center loghost as follows:
Enable the logging system:
[SW7750] info-center enable
Set the host at 202.38.1.10 as the info-center loghost, set the severity threshold to informational, set the output language to English, and allow the RSTP and IP modules to output information:
[SW7750] info-center loghost 202.38.1.10 language english
[SW7750] info-center source rstp channel 5 log level informational
[SW7750] info-center source ip channel 4 log level informational
For the configurations at the host side, see Configuring the Info-center Loghost on page 264.
Displaying and Debugging the Syslog Function
After performing
33. debugging lacp state { interface interface-type interface-number | interface-name [ to interface-type interface-num | interface-name ] } { actor-churn | mux | partner-churn | ptx | rx | all }
undo debugging lacp packet { interface interface-type interface-number | interface-name [ to interface-type interface-num | interface-name ] }
undo debugging link-aggregation error
undo debugging link-aggregation event
CHAPTER 2 PORT CONFIGURATION
Example Link Aggregation Configuration
Switch A connects to switch B with three aggregation ports, numbered Ethernet1/0/1 to Ethernet1/0/3, so that the incoming and outgoing loads can be balanced among the member ports.
Figure 14 Networking For Link Aggregation
[Figure: Switch A connected to Switch B by a link aggregation.]
The following code example lists only the configuration for switch A. The configuration for switch B is similar.
1. Configure a manual link aggregation.
Create manual aggregation group 1:
[SW7750] link-aggregation group 1 mode manual
Add Ethernet ports Ethernet1/0/1 to Ethernet1/0/3 into aggregation group 1:
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] port link-aggregation group 1
[SW7750-Ethernet1/0/1] interface ethernet1/0/2
[SW7750-Ethernet1/0/2] port link-aggregation group 1
[SW7750-Ethernet1/0/2] interface ethernet1/0/3
[SW7750-Ethernet1/0/3] port link-aggregation group 1
2. Configure a static LACP aggregation.
Cre
34. ... hop address of the route is specified can the link layer find the corresponding link layer address and then forward the packet. With different configurations of the preference value, you can flexibly apply the routing management policy. The reject and blackhole attributes indicate the unreachable route and the blackhole route.
Configuring a Default Route
Perform the following configurations in system view.
Table 80 Configuring a Default Route
Operation | Command
Configure a default route | ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface-name | gateway-address } [ preference value ] [ reject | blackhole ]
Delete a default route | undo ip route-static 0.0.0.0 { 0.0.0.0 | 0 } [ interface-name | gateway-address ]
Parameters for the default route are the same as for a static route.
Deleting All Static Routes
You can use the undo ip route-static command to delete one static route. The Switch 7750 also provides the delete static-routes all command for you to delete all static routes at one time, including the default routes.
Static Routes 87
Perform the following configuration in system view.
Table 81 Deleting All Static Routes
Operation | Command
Delete all static routes | delete static-routes all
Displaying and Debugging Static Routes
After you configure static and default routes, execute the display command in all views to display the static route configuration and to verify the effect of the configuration.
Table 82 D
35. ... the smaller the value, the higher the preference. The routes that they learn are shown in Table 78.
Table 78 Routing Protocols and the Default Preferences for Routes
Routing protocol or route type | Preference of the corresponding route
DIRECT | 0
STATIC | 60
RIP | 100
UNKNOWN | 255
In the table, 0 indicates a direct route and 255 indicates any route from an unreliable source. Except for direct routing, the preferences of the various dynamic routing protocols can be manually configured to meet the user requirements. The preferences for individual static routes can be different.
Routes Shared Between Routing Protocols
As the algorithms of the various routing protocols are different, different protocols can generate different routes. This situation creates the problem of how to resolve different routes being generated by different routing protocols. The Switch 7750 supports an operation to import the routes generated by one routing protocol into another routing protocol. Each protocol has its own route redistribution mechanism. For details, refer to Enabling RIP to Import Routes of Other Protocols or Importing Routing Information Discovered by Other Routing Protocols.
Static Routes
A static route is a route that is manually configured by the network administrator. You can set up an interconnected network using static routes. However, if a fault occurs in the network, the static route cannot change automatically to steer
36. ... 0.0.0.0 16 0 64 0 0.0 0.0 0.0
[5]128.108.22.44 0.0.0.0 16 0 64 0 0.0 0.0 0.0
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Example Configuring NTP Multicast Mode
SW77503 sets the local clock as the master clock at stratum 2 and multicasts packets from Vlan-interface2. Set SW77504 and SW77501 to receive multicast messages from their respective Vlan-interface2. See Figure 66.
Configure Ethernet Switch SW77503:
Enter system view:
<SW77503> system-view
Set the local clock as a master NTP clock at stratum 2:
[SW77503] ntp-service refclock-master 2
Enter Vlan-interface2 view:
[SW77503] interface vlan-interface 2
Set it as a multicast server:
[SW77503-Vlan-interface2] ntp-service multicast-server
Configure Ethernet Switch SW77504:
Enter system view:
<SW77504> system-view
Enter Vlan-interface2 view:
[SW77504] interface vlan-interface 2
292 CHAPTER 11 SYSTEM MANAGEMENT
Enable multicast client mode:
[SW77504-Vlan-interface2] ntp-service multicast-client
Configure Ethernet Switch SW77501:
Enter system view:
<SW77501> system-view
Enter Vlan-interface2 view:
[SW77501] interface vlan-interface 2
Enable multicast client mode:
[SW77501-Vlan-interface2] ntp-service multicast-client
The previous examples configure SW77504 and SW77501 to receive multicast messages from Vlan-interface2, and SW77503 to multicast messages from Vlan-interface2. Since SW77501 and SW77503 are not located on t
37. ... 2002 C0325201 2811A112
By this time SW77504 has been synchronized by SW77505, and it is at stratum 2, or higher than SW77505 by 1. Display the sessions of SW77504 and you will see that SW77504 has been connected with SW77505:
[SW77504] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[12345]127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0 1.0
[?](unreadable) 0.0.0.0 16 0 64 0 0.0 0.0 0.0
[5]128.108.22.44 0.0.0.0 16 0 64 0 0.0 0.0 0.0
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Example Configuring NTP Broadcast Mode
On SW77503, set the local clock as the NTP master clock at stratum 2 and configure it to broadcast packets from Vlan-interface2. Configure SW77504 and SW77501 to listen to the broadcast from their Vlan-interface2. See Figure 66.
Configure Ethernet Switch SW77503:
Enter system view:
<SW77503> system-view
Set the local clock as the NTP master clock at stratum 2:
[SW77503] ntp-service refclock-master 2
Enter Vlan-interface2 view:
[SW77503] interface vlan-interface 2
Set it as broadcast server:
[SW77503-Vlan-interface2] ntp-service broadcast-server
Configure Ethernet Switch SW77504:
Enter system view:
<SW77504> system-view
Enter Vlan-interface2 view:
[SW77504] interface vlan-interface 2
[SW77504-Vlan-interface2] ntp-service broadc
38. ... 249 Set the Unit of Data Flow Transmitted to RADIUS Server
Operation | Command
Set the unit of data flow transmitted to the RADIUS server | data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-byte | kilo-byte | mega-byte | one-packet }
By default, the data unit is a byte and the data packet unit is one packet.
Configuring a Local RADIUS Server Group
RADIUS service adopts authentication/authorization/accounting servers to manage users. Local authentication/authorization/accounting service is also used in these products, and it is called the local RADIUS function. Perform the following commands in system view to create or delete a local RADIUS server group.
Table 250 Create/Delete a Local RADIUS Server Group
Operation | Command
Create a local RADIUS server group and enter its view | local-radius nas-ip ip-address key password
Delete a local RADIUS server group | undo local-radius nas-ip ip-address
By default, the IP address of the local RADIUS server group is 127.0.0.1 and the password is 3com. When using the local RADIUS server function of the Switch 7750, remember that the number of the UDP port used for authentication is 1812 and the number for accounting is 1813.
Configuring Source Address for RADIUS Packets Sent by NAS
Perform the following configurations in the corresponding view.
Table 251 Configuring source address for the RADIUS packets sent by the NAS
O
39. ... ACCESS
-v Verbose output; ICMP packets other than ECHO-RESPONSE that are received are listed
STRING<1-20> IP address or hostname of a remote system
ip IP Protocol
- Enter a command with a ? separated by a space. If this position is for parameters, all the parameters and their brief descriptions will be listed.
[Quidway] interface vlan ?
<1-4094> VLAN interface number
[Quidway] interface vlan 1 ?
<cr>
<cr> indicates no parameter in this position. The next command line repeats the command; you can press Enter to execute it directly.
- Enter a character string with a ? and list all the commands beginning with this character string.
<SW7750> pi?
ping
- Input a command with a character string and ? and list all the keywords beginning with this character string in the command.
<SW7750> display ver?
version
Common Command Line Error Messages
All the commands that are entered by users can be correctly executed if they have passed the grammar check. Otherwise, error messages are reported to users. Common error messages are listed in Table 21.
Table 21 Common Command Line Error Messages
Error messages | Causes
Unrecognized command | Cannot find the command; cannot find the keyword; wrong parameter type; the value of the parameter exceeds the range
Incomplete command | The command is incomplete
Too many parameters | You entered too many parameters
Ambiguous command | The parameters you entered
40. ... Ethernet Port
You can use the following command to set the speed on the Ethernet port. If the speed is set to auto (auto-negotiation mode), the local and peer ports will automatically negotiate the port speed. Perform the following configuration in Ethernet port view.
Table 29 Set Speed on Ethernet Port
Operation | Command
Set 100M Ethernet port speed | speed { 10 | 100 | auto }
Set Gigabit Ethernet port speed | speed { 10 | 100 | 1000 | auto }
Restore the default speed on the Ethernet port | undo speed
Setting Cable Type for Ethernet Port
The Ethernet port supports the straight-through (MDI) and cross-over (MDIX) network cables. The Switch 7750 only supports auto (auto-sensing). If you set another duplex type, an error message displays. By default, the cable type is auto (auto-recognized): the system will automatically recognize the type of cable connecting to the port. Perform the following configuration in Ethernet port view. The settings only take effect on 10/100BASE-T and 10/100/1000BASE-T ports.
Table 30 Set the Type of the Cable Connected to the Ethernet Port
Operation | Command
Set the type of the cable connected to the Ethernet port | mdi auto
Restore the default type of the cable connected to the Ethernet port | undo mdi
Setting Flow Control for Ethernet Port
If congestion occurs in the local switch after enabling flow control in both the local and the peer switch, then the switch will
41. ... Ethernet Port Broadcast Suppression Ratio
You can use the following commands to restrict the broadcast traffic. Once the broadcast traffic exceeds the value set by the user, the system maintains an appropriate broadcast packet ratio by discarding the overflow traffic. This is done to suppress broadcast storms, avoid congestion and ensure normal service. The parameter is taken as the maximum wire-speed ratio of the broadcast traffic allowed on the port. The smaller the ratio is, the less broadcast traffic is allowed. If the ratio is 100, no broadcast storm suppression is performed on the port.
Ethernet Port Overview 39
Perform the following configuration in Ethernet port view.
Table 33 Setting Ethernet Port Broadcast Suppression Ratio
Operation | Command
Set Ethernet port broadcast suppression ratio | broadcast-suppression pct
Restore the default Ethernet port broadcast suppression ratio | undo broadcast-suppression
By default, 100% broadcast traffic is allowed to pass through, that is, no broadcast suppression will be performed. Note that in the Switch 7750 you can only use the command at a port on a 20-port 10/100/1000BASE-T Gigabit Ethernet card or a 20-port 1000BASE-X Gigabit Ethernet card.
Setting the Link Type for an Ethernet Port
An Ethernet port can operate in three different link types: access, hybrid and trunk. The access port carries one VLAN only and is used for connecting to the user's computer. The trunk port can belo
42. ... Group
- Adding or Deleting Ethernet Ports to or from an Aggregation Group
- Setting or Deleting an Aggregation Group Descriptor
- Configuring System Priority
- Configuring Port Priority
- Displaying and Debugging Link Aggregation
Enabling or Disabling LACP at a Port
You should first enable LACP at the ports before performing dynamic aggregation, so that both parties can agree on adding/deleting the ports into/from a dynamic LACP aggregation group. Perform the following configuration in Ethernet port view.
Table 39 Enabling/Disabling LACP at a Port
Operation | Command
Enable LACP at the port | lacp enable
Disable LACP at the port | undo lacp enable
LACP is disabled at the port by default.
Note that:
- You cannot enable LACP at a mirrored port, a port with a static MAC address configured, a port with static ARP configured, or a port with 802.1x enabled.
- You cannot enable LACP on a port in a manual aggregation group.
- You can add a port with LACP enabled to a manual aggregation group, but LACP will be disabled on it automatically. However, you can add a port with LACP disabled into a static LACP aggregation group, and LACP will be enabled automatically.
Configuring Link Aggregation 47
Creating or Deleting an Aggregation Group
You can use the following command to create a manual aggregation group or a static LACP aggregation group, but the dynamic LACP aggregation group is established by the system when LACP is enabled o
43. ... HWTACACS 230
Displaying and Debugging the AAA, RADIUS and HWTACACS Protocols 237
AAA, RADIUS and HWTACACS Protocol Configuration Examples 238
Configuring FTP/Telnet User Authentication at Remote RADIUS Server 238
Configuring FTP/Telnet User Authentication at the Local RADIUS Server 239
Configuring the FTP/Telnet User Authentication at a Remote TACACS Server 239
Dynamic VLAN with RADIUS Server Configuration Example 240
Troubleshooting AAA, RADIUS and HWTACACS Configurations 241
SYSTEM MANAGEMENT
File System 243
Using a Directory 243
Managing Files 244
Formatting Storage Devices 244
Setting the Prompt Mode of the File System 244
Configuring File Management 245
FTP 246
TFTP 248
Managing the MAC Address Table 249
Configuring the MAC Address Table 250
Managing Devices 253
Designating the APP for the Next Boot 254
Displaying Devices 255
Maintaining and Debugging the System 255
Configuring System Basics 256
Displaying System Information and State 257
Debugging the System 257
Testing Tools for Network Connection 259
Logging Function 260
SNMP 265
SNMP Versions and Supported MIB 266
Configuring SNMP 267
RMON 274
Configuring RMON 274
NTP 278
Configuring NTP 279
NTP Configuration Examples 286
ABOUT THIS GUIDE
This guide describes the 3Com Switch 7750 and how to configure it in version 3.0 of the software.
Conventions
Table 1 lists icon conventions that are used throughout this book.
Table 1 Notice Icons
Icon | N
44. ... HWTACACS view | undo nas-ip
Configure the source address for HWTACACS packets sent from the NAS | System view | hwtacacs nas-ip ip-address
Cancel the configured source address for HWTACACS packets sent from the NAS | System view | undo hwtacacs nas-ip
The HWTACACS view takes precedence over the system view when configuring the source address for HWTACACS packets sent from the NAS. By default, the source address is not specified, and the interface address used for packet sending is used as the source address.
2.4.7 Setting a Key for Securing the Communication with the TACACS Server
When using a TACACS server as an AAA server, you can set a key to improve the communication security between the switch and the TACACS server. Perform the following configuration in HWTACACS view.
Table 2-43 Setting a key for securing the communication with the HWTACACS server
Operation | Command
Configure a key for securing the communication with the accounting, authorization or authentication server | key { accounting | authorization | authentication } string
Delete the configuration | undo key { accounting | authorization | authentication }
No key is configured by default.
2.4.8 Setting the Username Format Acceptable to the TACACS Server
The username is usually in the userid@isp-name format, with the domain name following the @. If a TACACS server does not accept a username with a domain name, you can remove the domain name and resend it to the TACACS server. Perform
45. ... IGMP Snooping
By default, IGMP Snooping is disabled.
Configure Router Port Aging Time
Use this to manually configure the router port aging time. If the switch has not received a general query message from the router before the port ages, it will remove the port from all the MAC multicast groups. Perform the following configuration in system view.
Table 134 Configure Router Port Aging Time
Operation | Command
Configure router port aging time | igmp-snooping router-aging-time seconds
Restore the default aging time | undo igmp-snooping router-aging-time
By default, the port aging time is 260 seconds.
Configuring Maximum Response Time
This task sets the maximum response time. If the Switch 7750 receives no report message from a port within the maximum response time, it will remove the port from the multicast group. Perform the following configuration in system view.
Table 135 Configuring the Maximum Response Time
Operation | Command
Configure the maximum response time | igmp-snooping max-response-time seconds
Restore the default setting | undo igmp-snooping max-response-time
By default, the maximum response time is 10 seconds.
Configure Aging Time of Multicast Group Member
This task sets the aging time of the multicast group member port. If the switch receives no multicast group report message during the
46. If the destination address of a packet fails to match any entry of the routing table, the router selects the default route to forward this packet. If there is no default route and the destination address of the packet fails to match any entry in the routing table, the packet is discarded and an Internet Control Message Protocol (ICMP) packet is sent to the originating host to indicate that the destination host or network is unreachable. In a typical network that consists of hundreds of routers, if you used multiple dynamic routing protocols without configuring a default route, then significant bandwidth would be consumed. Using the default route can provide appropriate bandwidth, but not high bandwidth, for communications between large numbers of users.
Configuring Static Routes is described in the following sections:
- Configuring Static Routes
- Troubleshooting Static Routes
Static route configuration tasks are described in the following sections:
- Configuring a Static Route
- Configuring a Default Route
- Deleting All Static Routes
- Displaying and Debugging Static Routes
Configuring a Static Route
Perform the following configurations in system view.
Table 79 Configuring a Static Route
Operation | Command
Add a static route | ip route-static ip-address { mask | mask-length } { interface-name | gateway-address } [ preference value ] [ reject | blackhole ]
Delete a static route | undo ip route-static ip-address { mask | mask-length }
47. ... Independent Multicast Sparse Mode
Dense mode uses the flood-and-prune technique, which is not applicable to a WAN. In a WAN, multicast receivers are sparse, and therefore sparse mode is used. In sparse mode, hosts do not receive multicast packets by default unless there is an explicit request for the packets. A multicast router must send a join message to the RP (Rendezvous Point), which needs to be built into the network and is a virtual place for data exchange corresponding to the group, in order to receive the multicast data traffic from the specified group. The join message passes through routers and finally reaches the root, i.e. the RP. The join message becomes a branch of the shared tree. In PIM sparse mode, multicast packets are sent to the RP first and then are forwarded along the shared tree rooted at the RP, with members as the branches. To prevent the branches of the shared tree from being deleted, PIM sparse mode sends join messages to branches periodically to maintain the multicast distribution tree. To send data to the specified address, senders register with the RP first before forwarding data to the RP. When the data reaches the RP, the multicast packets are replicated and sent to receivers along the path of the distribution tree. Replication only happens at the branches of the distribution tree. This process can be repeated automatically until the packets reach the destination. In the multicast model, the source host sends information to th
48. ... Interval
Operation | Command
Set a real-time accounting interval | timer realtime-accounting minute
Restore the default value of the interval | undo timer realtime-accounting
The minute variable specifies the real-time accounting interval in minutes. The value must be a multiple of 3. The value of minute is related to the performance of the NAS and the RADIUS server: the smaller the value is, the higher the performance of the NAS and RADIUS server has to be. When there is a large number of users (1000 or more), we suggest a larger value. The following table recommends the ratio of the minute value to the number of users.
Configuring the RADIUS Protocol 225
Table 242 Recommended Ratio of Minute to Number of Users
Number of users | Real-time accounting interval (minute)
1 to 99 | 3
100 to 499 | 6
500 to 999 | 12
1000 and above | 15
By default, minute is set to 12 minutes.
Setting Maximum Times of Real-time Accounting Request
The RADIUS server usually verifies that a user is online with a timeout timer. If the RADIUS server has not received the real-time accounting packet from the NAS for a specified period, it stops accounting. Therefore it may be necessary to disconnect the user at the NAS end and on the RADIUS server when some unpredictable failure exists. The Switch 7750 allows you to configure the maximum number of retries for real-time accounting requests. The NAS disconnects the user if it has not received a real-time accounting response from the RADIUS serv
49. Interval

After PIM is enabled on an interface, it sends Hello messages periodically. The interval at which Hello messages are sent can be modified according to the bandwidth and type of the network connected to the interface. Perform the following configuration in VLAN interface view.

Table 140 Configure Hello Message Interval on an Interface
Operation / Command:
- Configure the hello message interval on an interface: pim timer hello seconds
- Restore the interval to the default value: undo pim timer hello

The default interval is 30 seconds. You can configure the value according to different network environments; generally this parameter does not need to be modified. This configuration can be performed only after PIM (PIM-DM or PIM-SM) is enabled in VLAN interface view.

Configuring the Filtering of Multicast Source/Group

You can filter on the source and group address of multicast data packets with this command. When this feature is configured, the router filters not only multicast data but also the multicast data encapsulated in registration packets. Perform the following configuration in PIM view.

Table 141 Configuring the Filtering of Multicast Source/Group
Operation / Command:
- Configure the filtering of multicast source/group: source-policy acl-number
- Remove the configuration of filtering: undo source-policy

If source address filtering is configured together with basic ACLs, then the router
50. Memory

When the amount of free memory is reduced to the safety value but has not reached the lower limit, you can use the display memory limit command to see how much free memory remains. If automatic memory restoration is enabled, the disconnected routes are restored when the free memory of the Ethernet switch exceeds the safety value again. Perform the following configuration in system view.

Table 109 Setting the Safety Value of the Ethernet Switch Memory
Operation / Command:
- Set the safety value of the Ethernet switch memory: memory safety safety-value

By default, the safety value of the Ethernet switch memory is 4 Mbytes. The safety value of the memory must be larger than the lower limit value.

Setting the Lower Limit and the Safety Value Simultaneously

When you need to modify both the lower limit and the safety value of the Ethernet switch memory, 3Com recommends that you modify the two settings simultaneously. You can also restore the lower limit and the safety value of the Ethernet switch memory to their default values at the same time, if necessary. Perform the following configuration in system view.

Table 110 Setting the Lower Limit and the Safety Value of the Ethernet Switch Memory Simultaneously
Operation / Command:
- Set the lower limit and the safety value of the Ethernet switch memory simultaneously: memory safety safety-value limit limit-value
- Restore the lo
51. Request Buffer

Operation / Command:
- Enable the stop-accounting request buffer: stop-accounting-buffer enable
- Disable the stop-accounting request buffer: undo stop-accounting-buffer enable

By default, stop-accounting requests are saved in the buffer.

Setting the Maximum Retransmitting Times of the Stop-Accounting Request

Because the stop-accounting request concerns the account balance and affects the amount charged to a customer, which is very important for both the subscribers and the ISP, the NAS makes its best effort to deliver the message to the RADIUS accounting server. If a message from the Switch 7750 to the RADIUS accounting server has not been answered, the switch saves it in the local buffer and retransmits it until the server responds or the message is discarded. Use this command to set the maximum number of retransmissions. Perform the following configuration in RADIUS server group view.

Table 245 Set the Maximum Retransmitting Times of Stop-Accounting Request
Operation / Command:
- Set the maximum retransmitting times of the stop-accounting request: retry stop-accounting retry-times
- Restore the maximum retransmitting times of the stop-accounting request to the default value: undo retry stop-accounting

By default, the stop-accounting request can be retransmitted up to 500 times.

Setting the Supported Type of RADIUS Server

The Switch 7750 supports the standard RADIUS protocol and the extended RADIUS service platforms such as IP Hotel a
52. [SW7750-vlan2] interface Vlan-interface 2
[SW7750-Vlan-interface2] ip address 129.102.0.1 255.255.255.0

5. Set the administrator ID, contact and the physical location of the Ethernet switch:
[SW7750] snmp-agent sys-info contact Mr.Smith Tel:3306
[SW7750] snmp-agent sys-info location telephone-closet,3rd-floor

6. Enable the SNMP agent to send traps to the Network Management Station whose IP address is 129.102.149.23. The SNMP community is public.
[SW7750] snmp-agent trap enable standard authentication
[SW7750] snmp-agent trap enable standard coldstart
[SW7750] snmp-agent trap enable standard linkup
[SW7750] snmp-agent trap enable standard linkdown
[SW7750] snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public

RMON

Configuring RMON

Remote Network Monitoring (RMON) is an IETF-defined MIB. It is the most important enhancement to the MIB-II standard. It is used for monitoring the data traffic on a segment and even on a whole network, and is one of the most widely used network management standards. RMON is based on the SNMP architecture and is compatible with the existing SNMP framework, so it is not necessary to adjust the protocol. RMON consists of the NMS and the agent running on the network devices. On the network monitor or probe, the RMON agent tracks and accounts for different traffic statistics on the segment connected to its port, for example the total number
53. Scheduling

Modify the correspondence between 802.1p priority levels and local priority levels to change the mapping between 802.1p priority levels and queues, that is, put packets into outbound queues according to the new mapping. Use the WRR algorithm, with the weights for the queues being 5, 5, 10, 10, 15, 15, 9 and 9 respectively. The modified mapping between 802.1p priority levels and local priority levels is listed in the following table. See Queue Scheduling for the default mapping.

Table 185 Modifying Mapping Between 802.1p and Local Priority Levels
802.1p Priority Level / Local Priority Level:
- 0 / 7
- 1 / 6
- 2 / 5
- 3 / 4
- 4 / 3
- 5 / 2
- 6 / 1
- 7 / 0

The 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X (SFP) I/O modules support the SP, WRR and RR algorithms. Other interface units support only the SP algorithm.

Figure 44 Queue Scheduling

To create this configuration:

1. Respecify the mapping between 802.1p priority levels and local priority levels:
[SW7750] qos cos-local-precedence-map 7 6 5 4 3 2 1 0

2. Define the WRR algorithm for the switch and specify the weights of the outbound queues as 5, 5, 10, 10, 15, 15, 9 and 9:
[SW7750] queue-scheduler wrr 5 5 10 10 15 15 9 9

3. View the configuration with the display command:
[SW7750] display queue-scheduler

RED

Run the RED operation on the packets sent between 8:00 and 18:00 every day from IP address 1.0.0.1 to the port E3/0/8
54. Table 148 Configuring Candidate BSRs
Operation / Command:
- Configure a candidate BSR: c-bsr interface-type interface-number hash-mask-len [priority]
- Remove the candidate BSR configured: undo c-bsr

Candidate BSRs should be configured on routers in the network backbone. By default, no BSR is set. The default priority is 0. Only one candidate BSR can be configured on a router; when a candidate BSR is configured on another interface, it replaces the previous configuration.

Configuring Candidate RPs

In PIM-SM, the shared tree built from the multicast routing data is rooted at the RP. There is a mapping from a multicast group to an RP: a multicast group can be mapped to one RP, and different groups can be mapped to the same RP. Perform the following configuration in PIM view.

Table 149 Configuring Candidate RPs
Operation / Command:
- Configure a candidate RP: c-rp interface-type interface-number [group-policy acl-number]
- Remove the candidate RP configured: undo c-rp interface-type interface-number

If the range of served multicast groups is not specified, the RP serves all multicast groups. Otherwise, the RP serves only the multicast groups in the specified range. It is suggested to configure candidate RPs on backbone routers.

Configuring Static RP

A static RP serves as the backup of the dynamic RP to make the network more robust. Perform the following configuration in PIM view.

Table 150 Config
55. Table 20 describes the function features of the different views. For all views, use the quit command to return to system view and the return command to return to user view.

Table 20 Function Feature of Command View
Command view / Function / Prompt / Command to enter:
- User view / Show basic information about operation and statistics / <SW7750> / Enter immediately after connecting the switch
- System view / Configure system parameters / [SW7750] / Enter system view
- Ethernet port view / Configure Ethernet port parameters / [SW7750-Ethernet1/0/1], [SW7750-GigabitEthernet1/0/1]
- VLAN view / Configure VLAN parameters / [SW7750-Vlan1]
- VLAN interface view / Configure IP interface parameters for a VLAN or a VLAN aggregation / [SW7750-Vlan-interface1]
- Local user view / Configure local user parameters / [SW7750-user-user1]
- User interface view / Configure user interface parameters / [SW7750-ui0]
- FTP client view / Configure FTP client parameters / [ftp]
- PIM view / Configure PIM parameters / [SW7750-PIM]
- RIP view / Configure RIP parameters / [SW7750-rip]
- Route policy view / Configure route policy parameters / [SW7750-route
- Basic ACL view / Define the rules of a basic ACL
- Advanced ACL view / Define the rules of an advanced ACL
- Layer 2 ACL view / Define the rules of a layer 2 ACL
- RADIUS scheme view / Configure RADIUS parameters
- HWTACACS view / Configure HWTACACS parameters
56. The following configuration only shows the operations related to RIP. Before performing the following configuration, verify that the Ethernet link layer works normally.

Configure RIP on Switch A:
[Switch A] rip
[Switch A-rip] network 110.11.2.0
[Switch A-rip] network 155.10.1.0

Configure RIP on Switch B:
[Switch B] rip
[Switch B-rip] network 196.38.165.0
[Switch B-rip] network 110.11.2.0

Configure RIP on Switch C:
[Switch C] rip
[Switch C-rip] network 117.102.0.0
[Switch C-rip] network 110.11.2.0

The Switch 7750 cannot receive update packets although the physical connection to the peer routing device is normal. Possible causes:
- RIP does not operate on the corresponding interface, for example because the undo rip work command was executed or the interface was not enabled through the network command.
- The peer routing device is configured for multicast mode, for example the rip version 2 multicast command was executed, but multicast mode has not been configured on the corresponding interface of the local Ethernet switch.

IP Routing Policy

Routing Information Filters

When a router distributes or receives routing information, it needs to apply policies that filter the routing information, so that it receives or distributes only routing information that meets the specified conditions. A routing protocol such as RIP may need to import routing information discovered by other protocols to enrich its routing knowledge. While importing the routing
57. aggregation group, the one with the lowest port number serves as the master port for that group and the others are sub-ports. When comparing system IDs, the system first compares system priority values; if they are equal, it then compares system MAC addresses. The smaller system ID is considered the higher priority. Comparing port IDs works in the same way: the system first compares port priority values and then port numbers, and the smaller port ID is considered the higher priority. If the system ID changes from non-priority to priority, then the selected or standby state is determined by the port priority of the system. You can decide whether a port is selected or standby by setting the system priority and port priority.

Link aggregation may be load-balancing or non-load-balancing. In general, the system only provides limited load-balancing aggregation resources, so it needs to allocate these resources rationally among manual aggregation groups, static LACP aggregation groups, dynamic LACP aggregation groups, and the aggregation groups including special ports which require hardware aggregation resources. The system always allocates hardware aggregation resources to the aggregation groups with higher priority levels. When the load-sharing aggregation resources are used up by the existing aggregation groups, newly created aggregation groups will be non-load-sharing ones. The priority levels, in descending order, for allocating load-sharing aggregation reso
58. authentication } { block | active }

By default, the state of each server in a RADIUS server group is active.

Setting Username Format Transmitted to RADIUS Server

As mentioned before, clients are generally named in the userid@isp-name format, where the part following @ is the ISP domain name. The Switch 7750 puts users into different ISP domains according to their domain name. However, some earlier RADIUS servers reject usernames that include the ISP domain name. In this case you have to remove the domain name before sending the username to the RADIUS server. The following command decides whether the username sent to the RADIUS server carries the ISP domain name or not.

Table 248 Set Username Format Transmitted to RADIUS Server
Operation / Command:
- Set the username format transmitted to the RADIUS server: user-name-format { with-domain | without-domain }

If a RADIUS server group is configured not to allow usernames including ISP domain names, the RADIUS server group cannot be used in more than one ISP domain at the same time. Otherwise the RADIUS server would mistakenly regard two users in different ISP domains as the same user if they have the same username excluding their respective domain names. By default, the RADIUS server group assumes that the username sent to it includes the ISP domain name.

Setting the Unit of Data Flow Transmitted to RADIUS Server

The following command defines the unit of the data flow sent to the RADIUS server. Table
59. be set to listening state and will not forward packets any more, as if the link to the port were disconnected. If the port has not received any higher-priority BPDU for a certain period of time thereafter, it resumes the normal state. When you configure a port, only one of loop protection, root protection and edge port configuration can be effective at a time. By default, the switch does not enable BPDU protection, root protection or edge port protection.

Enabling MSTP on the Device

Enabling or Disabling MSTP on a Port

For more about the configuration commands, see the Switch 7750 Command Reference Guide. You can use the following commands to enable MSTP on the device. Perform the following configuration in system view.

Table 213 Enable/Disable MSTP on a Device
Operation / Command:
- Enable MSTP on a device: stp enable
- Disable MSTP on a device: stp disable
- Restore the default (disabled) state of MSTP: undo stp

Only if MSTP has been enabled on the device will other MSTP configurations take effect. By default, MSTP is disabled.

You can use the following commands to enable or disable MSTP on a port. You may disable MSTP on some Ethernet ports of a switch to spare them from spanning tree calculation. This measure flexibly controls MSTP operation and saves the CPU resources of the switch. MSTP can be enabled or disabled on a port in the following ways.

Configuring in System View P
60. by the physical state of the port and the network structure. You can configure it according to the network conditions. You can configure the max transmission speed on a port in the following ways.

Configuring in system view: perform the following configuration in system view.

Table 198 Configure the Max Transmission Speed on a Port
Operation / Command:
- Configure the max transmission speed on a port: stp interface interface-list transit-limit packetnum
- Restore the max transmission speed on a port: undo stp interface interface-list transit-limit

Configuring in Ethernet port view: perform the following configuration in Ethernet port view.

Table 199 Configure the Max Transmission Speed on a Port
Operation / Command:
- Configure the max transmission speed on a port: stp transit-limit packetnum
- Restore the max transmission speed on a port: undo stp transit-limit

For more about the commands, see the Switch 7750 Command Reference Guide.

This parameter only takes a relative value without units. If it is set too large, too many packets will be transmitted during every hello time and too many network resources will be occupied. The default value is recommended. By default, the max transmission speed on every Ethernet port of the switch is 3.

Configuring a Port as an Edge Port

An edge port is a port that is neither directly connected to any switch nor indirectly connected to a switch over the connected network. You can configure a por
61. can determine the match order of an ACL's sub-rules. There are two match orders: configuration, which follows the user-defined configuration order when matching the rules, and automatic, which follows the depth-first principle.

Filtering or Classifying Data Transmitted by the Software

The depth-first principle puts the statement specifying the smallest range of addresses at the top of the list. For example, 129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 specifies the network segment 129.102.0.1 through 129.102.255.255. The host is listed first in the access control list. The specific rules are:
- For basic ACL statements, source address wildcards are compared directly. If the wildcards are the same, the configuration sequence is used.
- For the ACL based on the interface filter, the rule that is configured is listed at the end, while the others follow the configuration sequence.
- For the advanced ACL, source address wildcards are compared first. If they are the same, then destination address wildcards are compared. For the same destination address wildcards, the ranges of port numbers are compared and the smaller range is listed first. If the port numbers are in the same range, the configuration sequence is used.

After you specify the match order of an access control rule, you cannot modify it later unless you delete all the contents and specify the match order again. This type of filtering includes ACLs cited by route policy f
62. configuration [ configuration | begin | exclude | include regular-expression ]

The configuration files are displayed in their corresponding saving formats.

Saving the Current Configuration

Use the save command to retain the current configuration in flash memory. The saved configuration is used when the system is next powered on. Perform the following configuration in user view.

Table 262 Save the Current Configuration
Operation / Command:
- Save the current configuration: save

Erasing the Configuration Files from Flash Memory

The reset saved-configuration command can be used to erase the configuration files from flash memory. The system then uses the default configuration parameters for initialization when the switch is next powered on. Perform the following configuration in user view.

Table 263 Erase the Configuration Files from Flash Memory
Operation / Command:
- Erase the configuration files from flash memory: reset saved-configuration

You can erase the configuration files from flash memory in the following cases:
- If the software does not match the configuration files after the software is upgraded.
- If the configuration files in flash are damaged, for example if the wrong configuration file has been downloaded.

FTP is a common way to transmit files on the Internet and IP networks. FTP is a TCP/IP application-layer protocol and is used for transmitting files between a remote se
63. console port. To set up the local configuration environment, plug the DB-9 or DB-25 female plug of the console cable into the serial port of the PC or terminal from which the switch is to be configured, and connect the RJ-45 connector of the console cable to the console port of the switch, as shown in Figure 1.

Figure 1 Setting Up the Local Configuration Environment Through the Console Port (RS-232 serial port, console port, console cable)

Setting Terminal Parameters

To set terminal parameters:

1. Start the PC and select Start > Programs > Accessories > Communications > HyperTerminal. The HyperTerminal window displays the Connection Description dialog box, as shown in Figure 2.

Figure 2 Set Up the New Connection (Connection Description dialog: enter a name and choose an icon for the connection; Name: sw7700)

2. Enter the name of the new connection in the Name field and click OK. The dialog box shown in Figure 3 displays.

3. Select the serial port to be used from the Connect using drop-down menu.

Figure 3 Properties Dialog Box (sw7700: country/region, area code, phone number, Connect using)

4. Click OK. The Port Settings tab shown in Figure 4 displays, and you can s
64. controls debugging output of a protocol.
- The terminal debugging switch controls debugging output on a specified user screen.

Figure 61 illustrates the relationship between the two switches.

Figure 61 Debugging Output (protocol debugging switch, screen output switch, debugging information)

You can use the following commands to control debugging. Perform the following operations in user view.

Table 287 Enabling and Disabling Debugging
Operation / Command:
- Enable the protocol debugging: debugging { all [ timeout interval ] | module-name [ debugging-option ] }
- Disable the protocol debugging: undo debugging { all | protocol-name [ function-name ] [ debugging-option ] }
- Enable the terminal debugging: terminal debugging
- Disable the terminal debugging: undo terminal debugging

For more about the usage and format of the debugging commands, refer to the appropriate chapters.

Since debugging output affects the system's operating efficiency, do not enable debugging commands unnecessarily. Use the debugging all command with particular caution. When debugging is over, disable all debugging.

Displaying Diagnostic Information

You can collect information about the switch to locate the source of faults. Each module has a corresponding display command, which makes it difficult to collect

Testing Tools for Network C
65. database query and update, and returns the configuration information and accounting data to the NAS. The NAS then controls the supplicant and the corresponding connections, while the RADIUS protocol regulates how configuration and accounting information is transmitted between the NAS and RADIUS. The NAS and RADIUS exchange information with UDP packets. During the interaction, both sides encrypt the packets with keys before transmitting user configuration information such as passwords, to avoid their being intercepted or stolen.

The RADIUS server generally uses a proxy function of devices like an access server to perform user authentication. The operation process is as follows:
1. The client username and encrypted password are sent to the RADIUS server.
2. The user receives one of the following response messages:
- ACCEPT: indicates that the user has passed the authentication.
- REJECT: indicates that the user has not passed the authentication and needs to input the username and password again; otherwise access is rejected.

Implementing AAA/RADIUS on Ethernet Switch

As described above, the Switch 7750, serving as the user access device or NAS, is the RADIUS client. Figure 57 illustrates the RADIUS authentication network.

Figure 57 Networking with Switch 7750 Applying RADIUS Authentication (authentication server, PC user1
66. entry-number [ owner text-string ]
- Delete an entry from the statistics table: undo rmon statistics entry-number

Displaying the RMON Configuration

Execute the display commands in any view to display the RMON configuration and to verify the configuration.

Table 318 Displaying and Debugging RMON
Operation / Command:
- Display the RMON statistics: display rmon statistics [ port-num ]
- Display the history information of RMON: display rmon history [ port-num ]
- Display the alarm information of RMON: display rmon alarm [ alarm-table-entry ]
- Display the extended alarm information of RMON: display rmon prialarm [ prialarm-table-entry ]
- Display the RMON event: display rmon event [ event-table-entry ]
- Display the event log of RMON: display rmon eventlog [ event-number ]

Example: RMON Configuration

Set an entry in the RMON Ethernet statistics table for Ethernet port performance, which is convenient for network administrators to query.

Figure 64 RMON Configuration Networking (Internet, network port, console port, switch)

1. Configure RMON:
[SW7750-Ethernet2/0/1] rmon statistics 1 owner 3com-rmon

2. View the configuration in user view:
<SW7750> display rmon statistics Ethernet2/0/1
Statistics entry 1 owned by 3com-rmon is VALID.
Gathers statistics of interface Ethernet2/0/1.
Received: octets 270149, packets 1954, broadcast packets 1570, multicast packets 365
67. filters the source addresses of all multicast data packets received; those not matched are discarded. If source address filtering is configured together with advanced ACLs, then the router filters the source and group addresses of all multicast data packets received; those not matched are discarded.

Configuring the Filtering of PIM Neighbors

You can filter the PIM neighbors on the current interface with the following configuration. Perform the following configuration in PIM view.

Table 142 Configuring the Filtering of PIM Neighbors
Operation / Command:
- Configure filtering of PIM neighbors: pim neighbor-policy acl-number
- Remove the configuration of filtering: undo pim neighbor-policy

By default, no filtering rules are set. Only the routers that match the filtering rule in the ACL can serve as PIM neighbors of the current interface.

Configuring the Maximum Number of PIM Neighbors on an Interface

You can limit the number of PIM neighbors on an interface. No neighbor can be added once the limit is reached. Perform the following configuration in PIM view.

Table 143 Configure the Maximum Number of PIM Neighbors on an Interface
Operation / Command:
- Configure the maximum number of PIM neighbors on an interface: pim neighbor-limit limit
- Restore the limit of PIM neighbors to the default value: undo pim neighbor-limit

By default, the number of PIM neighbors on the interface is limited to 128.
68. gmrp event

Example: Configuring GMRP

Implement dynamic registration and update of multicast information between switches.

Figure 36 GMRP Networking (Switch A E0/1 connected to Switch B E0/1)

Configure LS_A:
1. Enable GMRP globally:
[SW7750] gmrp
2. Enable GMRP on the port:
[SW7750] interface Ethernet 1/0/1
[SW7750-Ethernet1/0/1] gmrp

Configure LS_B:
1. Enable GMRP globally:
[SW7750] gmrp
2. Enable GMRP on the port:
[SW7750] interface Ethernet 1/0/1
[SW7750-Ethernet1/0/1] gmrp

QoS OPERATION
- ACL Overview
- Configuring ACLs
- Displaying and Debugging an ACL
- Configuring QoS
- Configuring ACL Control

ACL Overview

Filtering or Classifying Data Transmitted by the Hardware

An Access Control List (ACL) classifies data packets with a series of matching rules, including source address, destination address and port number. The switch checks the data packets against the rules in the ACL and decides whether to forward, prioritize or discard them. A series of matching rules is required for the network devices to identify the packets. After identifying the packets, the switch can permit or deny them according to the defined policy. The ACL is used to implement these functions. The packet matching rules defined by an ACL can also be used in other cases requiring traffic classification, such as defining traffic classification fo
69. interface-name | gateway-address ] [ preference value ]

The parameters are explained as follows.

IP address and mask: the IP address and mask use a dotted decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which is the number of consecutive 1s in the mask.

Transmitting interface or next hop address: when you configure a static route, you can specify either the interface type and port number to designate a transmitting interface, or the gateway address to decide the next hop address, depending on the actual conditions. You can specify the transmitting interface in the following cases:
- For an interface that supports resolution from the network address to the link layer address, such as an Ethernet interface that supports ARP, when the ip-address and mask (or mask length) specify a host address and this destination address is in the directly connected network, the transmitting interface can be specified.
- For a P2P interface, the address of the next hop defines the transmitting interface, because the address of the opposite interface is the address of the next hop of the route.

In fact, for all routing items the next hop address must be specified. When the IP layer transmits a packet, it first searches the routing table for a matching route, based on the destination address of the packet. Only when the next
70. interface-type interface-number | null }

If in this command the group address is 224.0.0.0/24 and the source address is the RP address (where the group address can have a mask, but the resulting IP address must be 224.0.0.0, and the source address has no mask), then only the RP item is cleared. If in this command the group address is any group address and the source address is 0 (where the group address can have a mask and the source address has no mask), then only the (*, G) item is cleared. This command clears multicast route entries from the PIM routing table, as well as the corresponding route entries and forwarding entries in the multicast core routing table and the MFC.

Clearing PIM Neighbors

Perform the following configuration in user view.

Table 156 Clearing PIM Neighbors
Operation / Command:
- Clear PIM neighbors: reset pim neighbor { all | neighbor-address [ interface interface-type interface-number ] }

Displaying and Debugging PIM-SM

Execute the display commands in any view to display the PIM-SM configuration and to verify the configuration. Execute the debugging commands in user view to debug PIM-SM.

Table 157 Display and Debug PIM-SM
Operation / Command:
- Display the BSR information: display pim bsr-info
- Display the RP information: display pim rp-info [ group-address ]
- Enable the PIM-SM debugging: debugg
- Disable the PIM-SM debugging

Example: Configuring PIM-SM
71. is a broadcast protocol. To exchange route information with a non-broadcast network, the unicast transmission mode must be adopted. Perform the following configuration in RIP view.

Table 85 Configuring Unicast RIP Messages
Operation / Command:
- Configure unicast RIP messages: peer ip-address
- Cancel unicast RIP messages: undo peer ip-address

By default, RIP does not send messages to unicast addresses. Usually this command is not recommended, because the opposite side does not need to receive two copies of the same message at a time. Note that the peer command is also restricted by the rip work, rip output, rip input and network commands.

Specifying the RIP Version

RIP has two versions, RIP-1 and RIP-2. You can specify the version of the RIP packets processed by the interface. RIP-1 broadcasts its packets; RIP-2 can transmit packets by both broadcast and multicast. By default, multicast is used for transmitting packets. In RIP-2, the default multicast address is 224.0.0.9. The advantage of transmitting packets in multicast mode is that hosts in the same network that do not run RIP do not receive RIP broadcast packets. In addition, this mode prevents hosts that are running RIP-1 from incorrectly receiving and processing the routes with subnet masks in RIP-2. When an interface is running RIP-2, it can also receive RIP-1 packets. Perform the following confi
72. local-engineid engineid

By default, the engine ID is expressed as "enterprise No. + device information". The device information can be an IP address, a MAC address or user-defined text.

Setting and Deleting an SNMP Group

Use the following commands to set or delete an SNMP group. Perform the following configuration in system view.

Table 305 Setting and Deleting an SNMP Group
Operation / Command:
- Set an SNMP group: snmp-agent group group-name { v1 | v2c } [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]; snmp-agent group group-name v3 [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]
- Delete an SNMP group: undo snmp-agent group group-name { v1 | v2c }; undo snmp-agent group group-name v3 [ authentication | privacy ]

The authentication parameter specifies that the packet is authenticated without encryption. This parameter is supported only in SNMP v3. The privacy parameter specifies that the packet is authenticated and encrypted. This parameter is supported only in SNMP v3.

Setting the Source Address of the Trap

Use the following commands to set or remove the source address of the trap. Perform the following configuration in system view.

Table 306 Setting the Source Address of the Trap
Operation / Command:
- Set the source address of the trap: snmp-agent trap source interface-n
73. ...low limit, no packets are discarded.
• If the queue length is greater than the high limit, all the packets that arrive after the limit is reached are discarded.
• If the queue length is between the high and low limits, the packets are discarded randomly as they arrive. Every new packet is given a random number. This random number is compared with the discarding probability for the current queue. Any packet whose random number is greater than the probability is discarded. The longer the queue, the higher the discarding probability. However, there is a maximum discarding probability.
[Configuring QoS]
Through randomly discarding packets, RED avoids global TCP synchronism. When some packets of a TCP connection are discarded and the transmission speed is lowered, other TCP connections can still keep the higher transmission speed. In this way, there are always some TCP connections with higher transmission speeds that make better use of the line bandwidth.
Before you create a QoS configuration, you must define an ACL. Packet filtering is enabled when you create an ACL, so packet filtering configuration is not described here. The following sections describe QoS configuration tasks:
• Setting Port Priority
• Setting Port Mirroring
• Setting Queue Scheduling
• Entering QoS View
• Configuring the Traffic Limit
• Setting Line Limit
• Setting Traffic Bandwidth
• Setting Traffic Redirection
• Relabeling the Priority Level
• Configurin
74. ...minute range is expressed in the units of minutes and hour. The date range is expressed in the units of date, month and year. The periodic time range is expressed by the day of the week. Use the following command to set the time range in system view.
Table 162 Set the Absolute Time Range
Set the absolute time range: time-range time-name [ start-time to end-time ] [ days-of-the-week ] [ from start-time start-date ] [ to end-time end-date ]
Delete the absolute time range: undo time-range time-name [ start-time to end-time ] [ days-of-the-week ] [ from start-time start-date ] [ to end-time end-date ]
When the start-time and end-time are not configured, they are set to define one day. The end time must be later than the start time. When the end-time end-date is not configured, it will be all the time from now to the latest date that can be displayed by the system. The end time must be later than the start time.
The Switch 7750 can only have one of two modes: ip-based or link-based. In either mode, only L2 ACLs can be defined, activated and cited by other applications. You can use the following command to configure a traffic classification rule in ip-based or link-based mode. Perform the following configuration in system view.
Table 163 Select ACL Mode
Select ACL mode: acl mode { ip-based | link-based }
By default, the Switch 7750 uses ip-based mode and the L3 traffic classification rule. The Switc
75. ...mode. The list items of the deny mode can be defined to rapidly filter the routing information not satisfying the requirement, but if all the items are in the deny mode, no route will pass the ip-prefix filtering. You can define an item of permit 0.0.0.0 0 greater-equal 0 less-equal 32 after the multiple list items in the deny mode to let all the other routes pass.
Configuring for Filtering Received Routes
Perform the following configuration in routing protocol view. Define a policy that filters the routing information that does not satisfy the conditions and receives routes with the help of an ACL or address prefix list. The filter-policy gateway command specifies that only the update packets from a specific neighboring router will be received.
Table 105 Configuring Filtering for Received Routes
Configure to filter the received routing information distributed by the specified address: filter-policy gateway ip-prefix-name import
Cancel the filtering of the received routing information distributed by the specified address: undo filter-policy gateway ip-prefix-name import
Configure to filter the received global routing information: filter-policy { acl-number | ip-prefix ip-prefix-name } [ gateway ip-prefix-name ] import
Cancel the filtering of the received global routing information: undo filter-policy { acl-number | ip-prefix ip-prefix-name } [ gateway ip-prefix-name ] import
[page 104, Chapter 5 IP Routing Protocol Operation]
Troublesho
76. ...name [ acl acl-number ]
snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password [ privacy des56 priv-password ] ] [ acl acl-number ]
The privacy-mode and priv-password parameters are supported only in the extended version of the software. SNMP community is one of the features of SNMP v1 and SNMP v2, so with these versions of SNMP you can import the ACL into the commands with SNMP community already configured. SNMP username or group name is one of the features of SNMP V2 and above, so with these versions of SNMP you import the ACL into the commands with SNMP username or group name already configured. If you import the ACL into both features, the switch will filter both features for the users. You can call different ACLs for these commands. Only the numbered basic ACL can be called for network management user control. For more about the commands, see the Switch 7750 Command Reference Guide.
Example: Controlling SNMP Users with an ACL
Figure 49 illustrates a configuration that controls SNMP users with ACL.
[Figure 49 Control SNMP User With ACL]
Use the following commands to control SNMP users with ACL.
1 Define the basic ACLs:
[SW7750] acl number 2000 match-order config
[SW7750-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[SW7750-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[SW7750-acl-basic-2000] quit
[Configuring ACL Control, page 179]
2 Import the basic ACLs
77. ...network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submits the packet to the destination host. In a network, the router regards a path for sending a packet as a logical route unit and calls it a hop. For example, in Figure 22, a packet sent from Host A to Host C goes through 3 networks and 2 routers, and the packet is transmitted through two hops and router segments. Therefore, when a node is connected to another node through a network, there is a hop between these two nodes, and these two nodes are considered adjacent in the Internet. Adjacent routers are two routers connected to the same network. The number of route segments between a router and hosts in the same network counts as zero. In Figure 22, the bold arrows represent the hops. A router can be connected to any physical link that constitutes a route segment for routing packets through the network. When an Ethernet switch runs a routing protocol, it can perform router functions. In this guide, a router and its icon represent a generic router or an Ethernet switch running routing protocols.
[page 82, Chapter 5 IP Routing Protocol Operation]
Selecting Routes Through the Routing Table
[Figure 22 About Hops]
Networks can have different sizes, so the segment lengths connected between two different pairs of routers are also different.
78. ...network is connected to an STP switch, the port will automatically transition to operate in STP compatible mode. The port stays in STP compatible mode and cannot automatically transition back to MSTP mode when the STP switch is removed. In this case, you can perform an mCheck operation to transit the port to MSTP mode by force. You can use the following measures to perform mCheck operation on a port.
Configuring in system view
Perform the following configuration in system view.
Table 210 Configure the mCheck Variable of a Port
Perform mCheck operation on a port: stp interface interface-list mcheck
Configuring in Ethernet port view
Perform the following configuration in Ethernet port view.
Table 211 Configure the mCheck Variable of a Port
Perform mCheck operation on a port: stp mcheck
For more about the commands, see the Switch 7750 Command Reference Guide. The command can be used only if the switch runs MSTP. The command does not make any sense when the switch runs in STP compatible mode.
An MSTP switch provides BPDU protection, Root protection and loop protection functions. For an access device, the access port is mainly directly connected to the user terminal or a file server, and the access port is set to edge port to implement fast transition. When such a port receives a BPDU packet, the system will automatically set it as a non-edge port and recalculate the spanning tree, which caus
79. ...number may be set improperly. Set a proper number.
2 The accounting service and authentication/authorization service are provided on different servers, but NAS requires the services to be provided on one server by specifying the same IP address. Make sure the settings of servers are consistent with the actual conditions.
[page 242, Chapter 9 AAA and RADIUS Operation]
SYSTEM MANAGEMENT
This chapter covers the following topics:
• File System
• Managing the MAC Address Table
• Managing Devices
• Maintaining and Debugging the System
• SNMP
• RMON
• NTP
File System
Using a Directory
The Switch 7750 provides a file system module for efficient management with storage devices such as flash memory. The file system offers file access and directory management, including creating the file system, creating, deleting, modifying and renaming a file or a directory, and opening files. By default, the file system requires that the user confirm before executing commands. This prevents unwanted data loss. Managing the file system is described in the following sections:
• Using a Directory
• Managing Files
• Formatting Storage Devices
• Setting the Prompt Mode of the File System
• Configuring File Management
• FTP
• TFTP
You can use the file system to create or delete a directory, display the current working directory, and display the information about the files or directories under a specified director
80. ...others are secondary. By default, the IP address of a VLAN interface is null.
Displaying and Debugging an IP Address
Use the display command in all views to display the IP address configuration on interfaces and to verify configuration.
Table 64 Display and Debug IP Address
Display all hosts on the network and the corresponding IP addresses: display ip hosts
Display the configurations of each interface: display ip interface vlan-interface vlan-id
Example: Configuring an IP Address
Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for the VLAN interface 1 of the Ethernet Switch.
[page 70, Chapter 4 Network Protocol Operation]
Troubleshooting an IP Address Configuration
[Figure 19 IP Address Configuration Networking: Switch, console cable, PC]
1 Enter VLAN interface 1:
[SW7750] interface vlan 1
Configure the IP address for VLAN interface 1:
[SW7750-vlan-interface1] ip address 129.2.2.1 255.255.255.0
If the Ethernet Switch cannot ping a certain host on the LAN, proceed as follows. Determine which VLAN includes the port connected to the host. Check whether the VLAN has been configured with the VLAN interface. Determine whether the IP address of the VLAN interface and the host are on the same network segment. If the configuration is correct, enable ARP debugging on the switch from user level and check whether
81. ...policy]
[SW7750-acl-basic-2000]
[SW7750-acl-adv-3000]
[SW7750-acl-link-4000]
[SW7750-radius-1]
[SW7750-hwtacacs-1]
...in user view
100M Ethernet port view: Enter interface ethernet1/0/1 in system view
Gigabit Ethernet port view: Enter interface gigabitethernet 1/0/1 in system view
Enter vlan 1 in system view
Enter interface vlan-interface 1 in system view
Enter local-user user1 in system view
Enter user-interface 0 in system view
Enter ftp in user view
Enter pim in system view
Enter rip in system view
Enter route-policy policy1 permit node 10 in system view
Enter acl number 2000 in system view
Enter acl number 3000 in system view
Enter acl number 4000 in system view
Enter radius scheme 1 in system view
Enter hwtacacs scheme 1 in system view
Features and Functions of the Command Line
[Command Line Interface, page 31]
Table 20 Function Feature of Command View (continued)
Command view: ISP domain view. Function: Configure ISP domain parameters. Prompt: [SW7750-isp-163.net]. Command to enter: Enter domain 163.net in system view.
Tasks for configuring the features and functions of the command line are described as follows:
• Online Help
• Common Command Line Error Messages
• History Command
• Editing Features of the Command Line
• Displaying Features of the Command Line
Online Help
The command line interface provides full and partial online Help modes. You can ge
82. ...power: display power [ power-ID ]
This section includes descriptions of the following types of system maintenance and debugging:
• Configuring System Basics
• Displaying System Information and State
• Debugging the System
• Testing Tools for Network Connection
• Logging Function
[page 256, Chapter 11 System Management]
Configuring System Basics
This section describes the following basic system configuration tasks:
• Setting the System Name
• Setting the System Clock
• Setting the Time Zone
• Setting Daylight Saving Time
Setting the System Name
Perform the following commands in system view.
Table 282 Setting the System Name
Set the switch name: sysname sysname
Restore the switch name to the default name: undo sysname
Setting the System Clock
Perform the following command in user view.
Table 283 Setting the System Clock
Set the system clock: clock datetime HH:MM:SS YYYY/MM/DD
Setting the Time Zone
You can configure the name of the local time zone and the time difference between the local time and the standard Universal Time Coordinated (UTC). Perform the following commands in user view.
Table 284 Setting the Time Zone
Set the local time zone: clock timezone zone-name { add | minus } HH:MM:SS
Restore to the default UTC time zone: undo clock timezone
By default, the UTC time zone is set.
Setting Daylight Saving Time
Use these commands to configure the st
83. ...quit
[SW7750] gvrp
4 Enable GVRP on the trunk port:
[SW7750] interface Ethernet 1/0/1
[SW7750-Ethernet1/0/1] gvrp
Configure Switch B
1 Set Gigabit Ethernet 2/1 as a trunk port and allow all the VLANs to pass through:
[SW7750] interface Ethernet 2/0/1
[SW7750-Ethernet2/0/1] port link-type trunk
[SW7750-Ethernet2/0/1] port trunk permit vlan all
2 Enable GVRP globally:
[SW7750-Ethernet2/0/1] quit
[SW7750] gvrp
3 Enable GVRP on the trunk port:
[SW7750] interface ethernet 2/0/1
[SW7750-Ethernet2/0/1] gvrp
NETWORK PROTOCOL OPERATION
This chapter covers the following topics:
• Configuring IP Address
• Configuring Address Resolution Protocol (ARP)
• DHCP Relay
• IP Performance
Configuring IP Address
IP address is a 32-bit address represented by four octets. IP addresses are divided into five classes: A, B, C, D and E. The octets are set according to the first few bits of the first octet. The rule for IP address classification is described as follows:
• Class A addresses are identified with the first bit of the first octet being 0
• Class B addresses are identified with the first bits of the first octet being 10
• Class C addresses are identified with the first bits of the first octet being 110
• Class D addresses are identified with the first bits of the first octet being 1110
• Class E addresses are identified with the first bits of the first octet being 11110
Addresses of Classes A, B and C are unicast a
84. ...set the local equipment as in client mode. At the same time, SW77505 sets SW77504 as its peer. See Figure 66.
Configure Ethernet Switch SW77503
Enter system view:
<SW77503> system-view
Set the local clock as the NTP master clock at stratum 2:
[SW77503] ntp-service refclock-master 2
Configure Ethernet Switch SW77504
Enter system view:
<SW77504> system-view
Set SW77501 as the NTP server at stratum 3 after synchronization:
[SW77504] ntp-service unicast-server 3.0.1.31
Configure Ethernet Switch SW77505 (SW77504 has been synchronized by SW77503)
Enter system view:
<SW77505> system-view
Set the local clock as the NTP master clock at stratum 1:
[SW77505] ntp-service refclock-master 1
After performing local synchronization, set SW77504 as a peer:
[SW77505] ntp-service unicast-peer 3.0.1.32
The previous examples configure SW77504 and SW77505 as peers, and configure SW77505 as in active peer mode and SW77504 in passive peer mode. Since SW77505 is at stratum 1 and SW77504 is at stratum 3, synchronize SW77504 by SW77505. After synchronization, SW77504 status is shown as follows:
[SW77504] display ntp-service status
clock status: synchronized
clock stratum: 8
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.94 ms
peer dispersion: 10.00 ms
reference time: 20:54:25.156 UTC Mar 7
85. ...specified by the if-match clauses are satisfied. The apply clause specifies the actions that are performed after the node match test, concerning the attribute settings of the route information. The comparison of different nodes in a route policy uses a Boolean "or" statement. The system examines the nodes in the route policy in sequence. Once the route is permitted by a single node in the route policy, the route passes the matching test of the route policy without attempting the test of the next node.
ACL
The access control list (ACL) used by the route policy can be divided into three types: advanced ACL, basic ACL and Layer 2 ACL.
[page 100, Chapter 5 IP Routing Protocol Operation]
Configuring an IP Routing Policy
A basic ACL is usually used for routing information filtering. When the user defines the ACL, the user defines the range of an IP address/subnet for the destination network segment address or the next hop address of the routing information. If an advanced ACL is used, perform the matching operation by the specified source address range.
Layer 2 ACLs
IP Prefix
The function of the ip-prefix is similar to that of the acl, but it is more flexible and easier for users to understand. When the ip-prefix is applied to routing information filtering, its matching objects are the destination address information and the domain of the routing information. In addition, in the ip-prefix you can specify the gateway options and require it to r
86. ...synchronizes the local clock according to the arrived broadcast message.
[page 282, Chapter 11 System Management]
Perform the following configurations in VLAN interface view.
Table 322 Configuring NTP Broadcast Client Mode
Configure NTP broadcast client mode: ntp-service broadcast-client
Disable NTP broadcast client mode: undo ntp-service broadcast-client
This command can only be configured on the interface where the NTP broadcast packets are received.
Configuring NTP Multicast Server Mode
Designate an interface on the local switch to transmit NTP multicast packets. In this case, the local equipment operates in multicast mode and serves as a multicast server to multicast messages to its clients regularly. Perform the following configurations in VLAN interface view.
Table 323 Configuring NTP Multicast Server Mode
Configure NTP multicast server mode: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid ] [ ttl ttl-number ] [ version number ]
Cancel NTP multicast server mode: undo ntp-service multicast-server
NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295; ttl-number of the multicast packets ranges from 1 to 255; and the multicast IP address defaults to 224.0.1.1. This command can only be configured on the interface where the NTP multicast packet is transmitted.
Configuring NTP Multicast Client
87. ...table through manual commands. ARP configuration includes tasks described in the following sections:
• Manually Adding/Deleting Static ARP Mapping Entries
• Learning Gratuitous ARPs
• Configuring the Dynamic ARP Aging Timer
• Displaying and Debugging ARP
Manually Adding/Deleting Static ARP Mapping Entries
Perform the following configuration in System view.
Table 65 Manually Adding/Deleting Static ARP Mapping Entries
Manually add a static ARP mapping entry: arp static ip-address mac-address [ VLANID interface_type interface_num | interface_name ]
Manually delete a static ARP mapping entry: undo arp static ip-address
Static ARP mapping entries will not time out; however, dynamic ARP mapping entries time out after 20 minutes. The ARP mapping table is empty and the address mapping is obtained through dynamic ARP by default.
Learning Gratuitous ARPs
Perform the following configuration in System view.
Table 66 Learning Gratuitous ARPs
Enable the switch to learn gratuitous ARPs: gratuitous-arp-learning enable
[page 72, Chapter 4 Network Protocol Operation]
Prevent the switch from learning gratuitous ARPs: undo gratuitous-arp-learning enable
By default, the switch does not learn gratuitous ARPs.
Configuring the Dynamic ARP Aging Timer
The following commands assign a dynamic ARP aging period to enable flexible configurations. When
88. ...the MAC Address Table
The Switch 7750 maintains a MAC address table for fast forwarding of packets. A table entry includes the MAC address of a device and the port ID of the switch connected to it. The switch learns dynamic entries when it receives a data frame from a port, assumed as port A. The switch analyzes the source MAC address and considers that the packets destined for the source MAC address can be forwarded through port A. If the MAC address table contains the MAC_SOURCE, the switch updates the corresponding entry; otherwise, it adds the new MAC address and the corresponding forwarding port as a new entry to the table. The system forwards the packets whose destination addresses can be found in the MAC address table. The network device responds after receiving a broadcast packet, and the response contains the MAC address of the device, which the switch learns and adds in the MAC address table.
[page 250, Chapter 11 System Management: Configuring the MAC Address Table]
After this, subsequent packets destined for the same MAC address can be forwarded directly. If the MAC address cannot be found after broadcasting the packet, the switch will drop it and notify the transmitter that the packet did not arrive at the destination.
[Figure 59 The Switch 7750 Forwards Packets According to the MAC Address Table]
89. ...the console port of the Switch 7750 before the user logs in to the switch through a dial-up modem.
By default, a password is required for authenticating the modem user to log in to the Switch 7750. If a user logs in through the modem without a password, the user sees an error message.
<SW7750> system-view
[SW7750] user-interface aux 0
[SW7750-ui-aux0] set authentication password { simple | cipher } xxxx
xxxx is the preset login password of the Modem user.
2 Using the modem command, you can configure the console port to modem mode:
[SW7750-ui-aux0] modem
3 To set up the remote configuration environment, connect the modems to a PC (or a terminal) serial port and to the Switch 7750 console port, as shown in Set Up Remote Configuration Environment.
[Setting Terminal Parameters, page 19]
[Figure 10 Set Up Remote Configuration Environment: modem, serial port line, telephone line, console port, remote telephone 555-5555]
4 Dial for a connection to the switch using the terminal emulator and modem on the remote end. Dial the telephone number of the modem connected to the Switch 7750. See Figure 11 and Figure 12.
[Figure 11 Set the Dialed Number: "Connect To" dialog. Enter details for the phone number that you want to dial. Country/region: United States (1). Area code. Phone number: 555-5555. Connect using: 3Com Megahert
90. ...the following configuration in HWTACACS view.
Table 2-44 Setting the username format acceptable to the TACACS server
Send username with domain name: user-name-format with-domain
Send username without domain name: user-name-format without-domain
By default, each username sent to a TACACS server contains a domain name.
2.4.9 Setting the Unit of Data Flows Destined for the TACACS Server
Perform the following configuration in HWTACACS view.
Table 2-45 Setting the unit of data flows destined for the TACACS server
Set the unit of data flows destined for the TACACS server: data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
Restore the default unit of data flows destined for the TACACS server: undo data-flow-format { data | packet }
The default data flow unit is byte.
[page 236, Chapter 9 AAA and RADIUS Operation]
Setting TACACS Server Timers
Setting the response timeout timer
After HWTACACS is implemented on the basis of TCP, server response timeout or TCP timeout may terminate the connection to the TACACS server. Perform the following configuration in HWTACACS view.
Table 252 Setting the response timeout timer
Set the response timeout time: timer response-timeout seconds
Restore the default setting: undo timer response-timeout
The default response timeout timer is set to 5 seconds.
Sett
91. ...the interface to transmit NTP message: undo ntp-service source-interface
An interface is specified by interface-name or interface-type interface-number. The source address of the packets will be taken from the IP address of the interface. If the ntp-service unicast-server or ntp-service unicast-peer command also designates a transmitting interface, use the one designated by them.
Setting the NTP Master Clock
This configuration task sets the external reference clock or the local clock as the NTP master clock. Perform the following configurations in system view.
Table 329 Setting the External Reference Clock or the Local Clock as the NTP Master Clock
Set the external reference clock or the local clock as the NTP master clock: ntp-service refclock-master [ ip-address ] [ stratum ]
Cancel the NTP master clock settings: undo ntp-service refclock-master [ ip-address ]
ip-address specifies the IP address 127.127.1.u of a reference clock, in which u ranges from 0 to 3. stratum specifies how many strata the local clock belongs to and ranges from 1 to 15. If no IP address is specified, the system defaults to setting the local clock as the NTP master clock. You can specify the stratum parameter.
Enabling or Disabling an Interface to Receive an NTP Message
This configuration task enables or disables an interface to receive the NTP message. Perform the following configurations in VLAN interface view.
Table 330 Enablin
92. ...the syslog configuration, execute the display command in all views to display the configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the syslog module. Execute the debugging command in user view to debug the syslog module. Perform the following configuration in system view.
Table 297 Displaying and Debugging the Syslog Function
View details about the information channel: display channel [ channel-number | channel-name ]
View the configuration of the system log and the information recorded in the memory buffer: display info-center
Reset the information in the log buffer: reset logbuffer
Reset the information in the trap buffer: reset trapbuffer
Enable terminal log information display: terminal logging
Disable terminal log information display: undo terminal logging
Enable the log/debugging/trap on the terminal: terminal monitor
Disable the log/debugging/trap on the terminal: undo terminal monitor
Enable terminal trap information display: terminal trapping
Disable terminal trap information display: undo terminal trapping
SNMP
The Simple Network Management Protocol (SNMP) is used for transmitting management information between any two nodes. In this way, network administrators can easily search and modify the information on any node on the network. They can also locate faults promptly
93. ...to prevent the corresponding packets from being sent to the CPU. Perform the following configuration in system view.
Table 75 Configure Whether to Send Special IP Packets to CPU
Configure the system to send packets to the CPU: ip { redirects | ttl-expires | unreachables }
Configure the system not to send packets to the CPU: undo ip { redirects | ttl-expires | unreachables }
By default, redirection packets and route unreachable packets are not sent to CPU, while TTL timeout packets are sent to CPU.
Broadcast packets include full-net broadcast packets and direct-connected broadcast packets. The destination IP address of a full-net broadcast packet is all ones (255.255.255.255) or all zeros. A direct-connected broadcast packet is a packet whose destination IP address is the network broadcast address of a subnet, but the source IP address is not in the subnet segment. When a switch forwards a packet, it cannot tell whether the packet is a broadcast packet unless the switch is connected with the subnet. If a broadcast packet reaches the destination network after being forwarded by the switch, the switch will receive the broadcast packet (the switch also belongs to the subnet). The VLAN of the switch isolates the broadcast domain; it will stop forwarding the packet to the network. Using the following configuration task, you can choose to forward the broadcast packet to the network for broadcasting. Perform the following confi
94. ...topics:
• Product Overview
• Configuring the Switch 7750
• Setting Terminal Parameters
• Command Line Interface
Product Overview
Features
The 3Com Switch 7750 is a large-capacity, modularized, wire-speed Layer 2/Layer 3 switch. It is designed for IP metropolitan area networks (MAN), large-sized enterprise networks and campus network users. The Switch 7750 has an integrated chassis structure. The chassis contains a card area, fan area, power supply area and a power distribution area. In the card area there are seven slots. Slot 0 is prepared specially for the switch Fabric module. The remaining slots are for interface modules. You can install different interface modules for different networks; the slots support a mixed set of modules. The Switch 7750 supports the following services:
• MAN, enterprise, campus networking
• Multicast service and multicast routing functions, and audio and video multicast service
Table 3 lists and describes the function features that the Switch 7750 supports.
Table 3 Function Features
VLAN: VLANs compliant with IEEE 802.1Q standard; Port-based VLAN; Protocol-based VLAN; GARP VLAN Registration Protocol (GVRP)
STP protocol: Spanning Tree Protocol (STP); Multiple Spanning Tree Protocol (MSTP), compliant with IEEE 802.1D and IEEE 802.1s Standard
Flow control: IEEE 802.3x flow control (full duplex); Back-pressure based flow control (half duplex)
Broadcast suppression: Broadcast sup
95. ...undo multicast routing-enable
By default, multicast routing is disabled.
[Configuring Common Multicast, page 115]
Only when multicast is enabled can another multicast configuration be used.
Configuring the Multicast Route Limit
If the existing route entries exceed the capacity value you configured when using this command, the system will not delete the existing entries but displays the message "Existing route entries exceed the configured capacity value". Perform the following configuration in system view.
Table 117 Configure the Multicast Route Limit
Configure multicast route limit: multicast route-limit limit
Restore multicast route limit to the default value: undo multicast route-limit
By default, the multicast route limit is 512.
Clearing MFC Forwarding Entries or Statistic Information
You can clear the multicast forwarding cache (MFC) forward entries or statistical information of MFC forward entries using the reset multicast forwarding-table command. Perform the following configuration in user view.
Table 118 Clear MFC Forwarding Entries or Statistic Information
Clear MFC forwarding entries or its statistic information: reset multicast forwarding-table [ statistics ] { all | group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface interface-type interface-number }
Clearing Route Entr
96. undo shutdown command in port view.

It is better to configure BPDU protection on edge ports to prevent the switch from being attacked (a BPDU arriving on an edge port means a bridge has been attached where only hosts should be). Before BPDU protection is enabled on the switch, a port runs as a non-edge port as soon as it receives a BPDU, even if the user has set it as an edge port. By default, all the Ethernet ports of the switch are configured as non-edge ports.

198 CHAPTER 8 STP OPERATION

Configuring the Path Cost of a Port

The path cost is related to the speed of the link connected to the port. On an MSTP switch, a port can be configured with different path costs for different STIs. Thus the traffic from different VLANs can run over different physical links, thereby implementing VLAN-based load balancing.

You can configure the path cost of a port in the following ways.

Configuring in System View

Perform the following configuration in system view.

Table 202 Configure the Path Cost of a Port
Operation | Command
Configure the path cost of a port | stp interface interface-list instance instance-id cost cost
Restore the default path cost of a port | undo stp interface interface-list instance instance-id cost

Configuring in Ethernet Port View

Perform the following configuration in Ethernet port view.

Table 203 Configure the Path Cost of a Port
Operation | Command
Configure the path cost of a port | stp instance instance-id cost cost
Restore the default path cost of a port | undo stp instance instance-id cost
97. undo stp point-to-point | Restore the default determination of whether the port is directly connected with a point-to-point link.

For more about the commands, see the Switch 7750 Command Reference Guide.

Ports connected with a point-to-point link can, once certain port role conditions are met, transit to the forwarding state rapidly by exchanging synchronization packets, thus reducing unnecessary forwarding delay. If the parameter is configured in auto mode, MSTP automatically detects whether the current Ethernet port is connected with a point-to-point link.

For a link aggregation, only the master port can be configured to connect with the point-to-point link. If a port in auto-negotiation mode operates in full-duplex mode after negotiation, it can be configured to connect with the point-to-point link.

This configuration takes effect on the CIST and all the MSTIs. The settings of a port determine whether or not the point-to-point link applies to all the STIs to which the port belongs. Note that a temporary loop may be introduced if you force a port that is not physically connected with a point-to-point link to be treated as connected to such a link.

By default, the parameter is configured as auto.

Configuring the mCheck Variable of a Port

A port of an MSTP switch operates in either STP-compatible or MSTP mode. If a port of an MSTP switch on a switching
98. user can access the commands at Level 1 after logon.

Setting the Command Level Used after a User Logs in from a User Interface

Use the user privilege level command to set the command level after a user logs in from a specific user interface, so that the user is able to execute the commands at that command level. Table 14 describes the user privilege level command.

Perform the following configuration in user interface view.

Table 14 Set Command Level After User Login
Operation | Command
Set the command level used after a user logs in from a user interface | user privilege level level
Restore the default command level used after a user logs in from a user interface | undo user privilege level

26 CHAPTER 1 SYSTEM ACCESS

By default, a user can access the commands at Level 3 after logging in through the AUX user interface, and the commands at Level 0 after logging in through the VTY user interface.

When a user logs in to the switch, the command level that the user can access depends on two points: the command level the user account itself can access, and the command level set on the user interface. If the two levels differ, the former is taken. For example, the command level of the VTY 0 user interface is 1, but user Tom has the right to access commands of level 3; if Tom logs in from the VTY 0 user interface, he can access commands of level 3 and lower. Because the account level takes precedence, lowering the level of a VTY interface does not restrict users whose accounts carry a higher level; limit the account level if that is the intent.

Setting Command Priority

The command-privilege level command sets the p
99. view.

Table 279 Setting the Slot Temperature Limit
Operation | Command
Set the slot temperature limit | temperature-limit slot down-value up-value

Setting the Backboard View

The backboard view command determines the backplane bandwidth allocated to each slot in the Switch 7750. The Switch 7750 Fabric 64 is capable of 64 Gbps full duplex on the backplane, but the chassis has a maximum capability of 240 Gbps full duplex. The Switch 7750 Fabric 32 is capable of 32 Gbps full duplex on the backplane, but the chassis has a maximum capability of 128 Gbps full duplex. This command sets the bandwidth available to each slot in the system.

Perform the following configuration in system view.

Table 280 Set Backboard View
Operation | Command
Set the backboard view | set backboard-view value

The default setting is 1.

Execute the display command in any view to display the device management configuration and to verify the configuration.

Table 281 Displaying Devices
Operation | Command
Display the CPU | display cpu [ slot slotnum ]
Display the set backboard view | display backboard-view
Display the module types and states of each card | display device [ detail ] [ shelf shelf-no ] [ frame frame-no ] [ slot slot-no ]
Display the state of the built-in fans | display fan [ fan-id ]
Display the information about the environment | display environment
Display the used status of switch memory | display memory [ slot slot-number ]
Display the state of the
100. while in the block state, users cannot request any network service. An ISP domain is in the active state when it is created (see the defaults below).
- Maximum number of supplicants specifies how many supplicants can be contained in the ISP domain. By default, there is no limit to the number of supplicants in an ISP domain.
- The idle-cut function means that if the traffic of a connection stays below the defined traffic threshold for the configured time, the connection is cut off.

Perform the following configurations in ISP domain view.

Table 230 Configure Relevant Attributes of an ISP Domain
Operation | Command
Specify the adopted RADIUS server group | radius-scheme radius-scheme-name
Specify the ISP domain state | state { active | block }
Set a limit to the number of supplicants | access-limit { disable | enable max-user-number }
Set the idle-cut | idle-cut { disable | enable minute flow }

Configuring AAA

By default, after an ISP domain is created, the RADIUS server group used is the system default one (for the relevant parameter configuration, refer to "Configuring the RADIUS Protocol"), the state of the domain is active, there is no limit to the number of supplicants, and idle-cut is disabled.

Creating a Local User

A local user is a group of users set on the NAS. The username is the unique identifier of a user. A supplicant requesting network service may use local authentication only if its corresponding local
101. with a VLAN tag: if the VLAN ID of the packet is identical to the default VLAN ID of the port, the system removes the VLAN tag before sending the packet.

Perform the following configuration in Ethernet port view.

Table 36 Set the Default VLAN ID for the Ethernet Port
Operation | Command
Set the default VLAN ID for the hybrid port | port hybrid pvid vlan vlan_id
Set the default VLAN ID for the trunk port | port trunk pvid vlan vlan_id
Restore the default VLAN ID of the hybrid port to the default value | undo port hybrid pvid
Restore the default VLAN ID of the trunk port to the default value | undo port trunk pvid

- A trunk port and isolate-user-vlan cannot be configured simultaneously. A hybrid port and isolate-user-vlan can be configured simultaneously; however, if the default VLAN has been mapped in isolate-user-vlan, you cannot modify the default VLAN ID until the mapping relationship has been removed.

Ethernet Port Overview 41

- To guarantee proper packet transmission, the default VLAN ID of the local hybrid port or trunk port should be identical to that of the hybrid port or trunk port on the peer switch. A mismatch also means that untagged frames leaving one side are placed in a different VLAN on the other side, so treat the PVID of trunk and hybrid ports as a security setting, not only a connectivity one.

The default VLAN of a hybrid port and of a trunk port is VLAN 1. The default VLAN of an access port is the VLAN to which the port belongs.

Copying a Port Configuration to Other Ports

To keep the configuration of other ports consistent with a specified port, you can copy the configuration of that specified port to other ports. Port configuration involves the followi
102. [preceding row truncated: ... 200,000]

Path costs of ports (column headers restored from the text below: IEEE 802.1D-1998 | IEEE 802.1T | Legacy standard)
Link speed | Duplex state | 802.1D-1998 | 802.1T | Legacy standard
10 Mb/s | Half duplex | 100 | 2,000,000 | 2,000
10 Mb/s | Full duplex | 99 | 1,999,999 | 2,000
10 Mb/s | Aggregated link, 2 ports | 95 | 1,000,000 | 1,800
10 Mb/s | Aggregated link, 3 ports | 95 | 666,666 | 1,600
10 Mb/s | Aggregated link, 4 ports | 95 | 500,000 | 1,400
100 Mb/s | Half duplex | 19 | 200,000 | 200
100 Mb/s | Full duplex | 18 | 199,999 | 200
100 Mb/s | Aggregated link, 2 ports | 15 | 100,000 | 180
100 Mb/s | Aggregated link, 3 ports | 15 | 66,666 | 160
100 Mb/s | Aggregated link, 4 ports | 15 | 50,000 | 140
1000 Mb/s | Full duplex | 4 | 20,000 | 20
1000 Mb/s | Aggregated link, 2 ports | 3 | 10,000 | 18
1000 Mb/s | Aggregated link, 3 ports | 3 | 6,666 | 16
1000 Mb/s | Aggregated link, 4 ports | 3 | 5,000 | 14
10 Gb/s | Full duplex | 2 | 2,000 | 2
10 Gb/s | Aggregated link, 2 ports | 1 | 1,000 | 1
10 Gb/s | Aggregated link, 3 ports | 1 | 666 | 1
10 Gb/s | Aggregated link, 4 ports | 1 | 500 | 1

Generally, the path cost of a link in full-duplex status is lower than that of a link in half-duplex status.

In calculating the path cost of aggregated links, 802.1D-1998 does not take into account the number of aggregated links, but 802.1T does. The formula involved is:

Path cost = 200,000,000 / link speed (in units of 100 Kbps)

where the link speed is the sum of the speeds of the ports in unblocked status within the aggregation.

Configuring the Priority of a Port

For spanning tree calculation, the port priority is an important factor in determining whether a port can be elected as the root port. With other attributes being equal, the port with the highest priority is elected as the root port. On an MSTP switch, a port can have different priorities in different STIs and play different roles. The traffic from different VLANs can run o
103. 10/100/1000BASE-T and 20-port 1000BASE-X (SFP) I/O modules do not support this configuration.

Figure 46 Traffic Bandwidth (figure not reproduced; labels: Ethernet3/0/8, Ethernet3/0/2, 1.0.0.1/8, 2.0.0.1/8)

To create this configuration:

1. Define the time range 8:00 to 18:00:
[SW7750] time-range 3com 8:00 to 18:00 daily

2. Define traffic rules for the packets of IP addresses 1.0.0.1 and 2.0.0.1:
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule 0 permit ip source 1.0.0.1 0.0.0.0 time-range 3com
[SW7750-acl-basic-2000] rule 1 permit ip source 2.0.0.1 0.0.0.0 time-range 3com

3. Configure traffic bandwidth for the packets of IP addresses 1.0.0.1 and 2.0.0.1, and view the configuration with the display command.

Enter QoS view:
[SW7750-Ethernet3/0/8] qos
[SW7750-qoss-Ethernet3/0/8]

Configure traffic bandwidth for the packets of IP addresses 1.0.0.1 and 2.0.0.1, and view the configuration with the display command:
[SW7750-qoss-Ethernet3/0/8] traffic-bandwidth outbound ip-group 1 rule 0 20 60 40
[SW7750-qoss-Ethernet3/0/8] traffic-bandwidth outbound ip-group 1 rule 1 40 60 60
[SW7750] display qos-interface Ethernet3/0/8 traffic-bandwidth

Traffic Statistics

In this example, the IP address of PC1 is 1.0.0.1 and the address of PC2 is 2.0.0.2. The switch is uplinked through port GE7/0/8. Count the packets sent between 8:00 and 18:00 each day from the switch to PC1.

Configuring ACL Control 175

Figure 47 Traffic Stat
104. Figure 65 (figure not reproduced: Ethernet Switch A and Ethernet Switch B exchanging an NTP packet over the network; timestamps 11:00:02 and "NTP packet received at 10:00:03" are marked)

In Figure 65, Ethernet Switch A and Ethernet Switch B are connected through their Ethernet ports. They have independent system clocks. Before implementing automatic clock synchronization on both switches, note that:
- Before the system clocks on Ethernet Switch A and B are synchronized, the clock on Ethernet Switch A is set to 10:00:00am and the clock on B is set to 11:00:00am.
- Ethernet Switch B serves as the NTP time server, and Ethernet Switch A synchronizes its local clock with the clock of B.
- It takes 1 second to transmit a data packet from either A or B to the opposite end.

Configuring NTP

The system clocks are synchronized as follows:
1. Ethernet Switch A sends an NTP packet to Ethernet Switch B. The packet carries the timestamp 10:00:00am (T1), which tells when it left Ethernet Switch A.
2. When the NTP packet arrives at Ethernet Switch B, Ethernet Switch B adds a local timestamp, 11:00:01am (T2), to it.
3. When the NTP packet leaves Ethernet Switch B, Ethernet Switch B adds another local timestamp, 11:00:02am (T3), to it.
4. When Ethernet Switch A receives the acknowledgement packet, it adds a new timestamp, 10:00:03am (T4), to it.

Next, Ethernet Switch A has enough information to calculate the following two important parameters: the delay for a round trip of an NTP packet traveling bet
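The two parameters the page goes on to derive from T1..T4 are the round-trip delay, (T4 - T1) - (T3 - T2), and the clock offset, ((T2 - T1) + (T3 - T4)) / 2. The following is an added example (not code from the 3Com manual) that carries the Figure 65 exchange through those formulas. Timestamps are modelled as seconds since midnight; the panic threshold of 1000 s is an assumed sanity bound (the same default ntpd uses) and is not part of the page. Note that the offset formula assumes the two one-way delays are equal, as the page's 1 s each way is; an asymmetric path, or an attacker holding one direction, biases the computed offset by half the asymmetry.

```python
"""Added example: NTP round-trip delay and clock offset from four timestamps.
Names and the panic threshold are this example's own assumptions."""
from typing import NamedTuple


def hms(h: int, m: int, s: int) -> int:
    """Seconds since midnight for a wall-clock time (example convenience)."""
    return h * 3600 + m * 60 + s


class NtpSample(NamedTuple):
    t1: int  # client transmit time, client clock
    t2: int  # server receive time, server clock
    t3: int  # server transmit time, server clock
    t4: int  # client receive time, client clock


def round_trip_delay(s: NtpSample) -> int:
    """Total time on the wire: the round trip minus the server's processing time."""
    return (s.t4 - s.t1) - (s.t3 - s.t2)


def clock_offset(s: NtpSample) -> float:
    """Server clock minus client clock, assuming symmetric one-way delays."""
    return ((s.t2 - s.t1) + (s.t3 - s.t4)) / 2


PANIC_THRESHOLD_S = 1000  # assumed bound: refuse to step the clock by more than this unless forced


def synchronize(local_now: int, sample: NtpSample, force: bool = False) -> float:
    """Return the corrected local clock. A step larger than the threshold is
    refused unless forced, so a bogus or spoofed sample cannot silently move
    the clock by hours (the page's own example needs the initial forced step)."""
    offset = clock_offset(sample)
    if abs(offset) > PANIC_THRESHOLD_S and not force:
        raise ValueError(f"offset {offset:+.1f}s exceeds {PANIC_THRESHOLD_S}s; refusing to step")
    return local_now + offset


def figure_65_sample() -> NtpSample:
    """The page's values: A at 10:00:00, B at 11:00:00, 1 s each way."""
    return NtpSample(hms(10, 0, 0), hms(11, 0, 1), hms(11, 0, 2), hms(10, 0, 3))


if __name__ == "__main__":
    s = figure_65_sample()
    print("delay", round_trip_delay(s), "s; offset", clock_offset(s), "s")
    print("A after sync:", synchronize(hms(10, 0, 3), s, force=True))
```

With the page's numbers the delay is 2 s and the offset is 3600 s, so Switch A's clock is stepped from 10:00:03 to 11:00:03.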
105. ...255.255.255.0 ...
[Switch A] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2

2. Configure the static routes for Ethernet Switch B:
[Switch B] ip route-static 1.1.2.0 255.255.255.0 1.1.3.1
[Switch B] ip route-static 1.1.5.0 255.255.255.0 [next hop unreadable in the source]
[Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.3.1

3. Configure the static routes for Ethernet Switch C:
[Switch C] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
[Switch C] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2

4. Configure the default gateway of Host A to be 1.1.5.2.
5. Configure the default gateway of Host B to be 1.1.4.1.
6. Configure the default gateway of Host C to be 1.1.1.2.

Using this procedure, all the hosts and switches in Figure 24 can be interconnected in pairs.

Troubleshooting Static Routes

Symptom: The Switch 7750 is not configured with any dynamic routing protocol. Both the physical status and the link layer protocol status of the interface are up, but IP packets cannot be forwarded normally.
- Use the display ip routing-table protocol static command to check whether the corresponding static route is correctly configured.
- Use the display ip routing-table command to check whether the corresponding route is valid.

RIP

Routing Information Protocol (RIP) is a simple dynamic routing protocol based on the Distance Vector (D-V) algorithm. It uses hop counts to measure the distance to the destination host, which is called the routing cost. In R
106. 30 seconds and 180 seconds. The value of the garbage collection timer is four times that of the period update timer, 120 seconds. In fact, you may find that the timeout of the garbage collection timer is not fixed: if the period update timer is set to 30 seconds, the garbage collection timer may range from 90 to 120 seconds. Before RIP completely deletes an unreachable route from the routing table, it advertises the route by sending four update packets with a route metric of 16, to let all the neighbors know that the route is unreachable. Routes do not always become unreachable exactly when a new period starts, so the actual value of the garbage collection timer is 3 to 4 times the value of the period update timer.

You must consider network performance when adjusting RIP timers, and configure all the routers that are running RIP consistently, so as to avoid unnecessary traffic or network oscillation.

Configuring RIP-1 Zero Field Check of the Interface Packet

According to RFC 1058, some fields in a RIP-1 packet must be 0. When an interface version is set to RIP-1, the zero field check must be performed on the packet: if the value in a zero field is not zero, the packet is refused. There are no zero fields in RIP-2 packets (RIP-2 uses those positions for the route tag, subnet mask and next hop), so configuring a zero field check is meaningless for RIP-2.

Perform the following configurations in RIP view.

Table 88 Configuring Zero Field Check of the Interface Packet
Operation | Command
Configure zero field check on the RIP-1 packet | checkzero
Dis
107. [SW7750-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range 3com

Activate the ACL. Activate the ACL traffic-of-host:
[SW7750-Ethernet2/0/1] qos
[SW7750-qoss-Ethernet2/0/1] packet-filter inbound ip-group traffic-of-host

Using a link ACL, filter the packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303 during the time range 8:00 to 18:00 every day. The ACL is activated on Ethernet2/0/1. In the following configurations, only the commands related to ACL configuration are listed.

To configure a link ACL:

Define the time range. Define the time range 8:00 to 18:00:
[SW7750] time-range 3com 8:00 to 18:00 daily

Select the ACL mode. Select link-based ACL mode:
[SW7750] acl mode link-based

Define the ACL for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303. Enter the named link ACL named traffic-of-link:
[SW7750] acl name traffic-of-link link

Define the rule for a packet whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303:
[SW7750-acl-link-traffic-of-link] rule 1 deny ip ingress 00e0-fc01-0101 egress 00e0-fc01-0303 time-range 3com

Activate the ACL. Activate the ACL traffic-of-link:
[SW7750-Ethernet2/0/1] qos
[SW7750-qoss-Ethernet2/0/1] packet-filter inbound link-group traffic-of-link

Configuring QoS

In a traditional IP network, all packets are treated equally, without any priority difference. Every switc
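Both ACL examples above (the basic ACL 2000 with `source 1.0.0.1 0.0.0.0` in the traffic-bandwidth section and the named ACL `traffic-of-host` here) rely on two things the CLI lines do not spell out: the second address in a rule is a wildcard mask, where a 0 bit must match and a 1 bit is ignored (the reverse of a subnet mask), and a rule with a time-range only matches while that range is active. The following is an added example, not code from the 3Com manual, that evaluates such rules. Rule ordering by rule number, the "permit" default for unmatched packets and the added rule 2 for 10.1.2.0/24 are assumptions of this example, not statements about the Switch 7750's implementation.

```python
"""Added example: evaluating a basic IP ACL with wildcard masks and a daily
time range. Evaluation order and default action are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class TimeRange:
    """A 'daily' time range: active every day between start (inclusive) and end."""
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return self.start <= at.time() < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: IPv4Address
    wildcard: IPv4Address            # 0 bits must match, 1 bits are ignored
    time_range: Optional[TimeRange] = None

    def matches(self, src: IPv4Address, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False
        care = ~int(self.wildcard) & 0xFFFFFFFF
        return (int(src) & care) == (int(self.source) & care)


@dataclass
class BasicAcl:
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "permit"   # assumption: unmatched packets pass the filter

    def evaluate(self, src: IPv4Address, at: datetime) -> Tuple[str, Optional[int]]:
        """First matching rule in rule-number order wins (assumed 'config' order)."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(src, at):
                return rule.action, rule.rule_id
        return self.default_action, None


def example_acl() -> BasicAcl:
    """The page's ACL traffic-of-host (rule 1, host 10.1.1.1, 8:00-18:00 daily),
    plus an added rule 2 (assumed) denying all of 10.1.2.0/24 at any time."""
    office_hours = TimeRange(time(8, 0), time(18, 0))   # time-range 3com 8:00 to 18:00 daily
    return BasicAcl("traffic-of-host", [
        Rule(1, "deny", IPv4Address("10.1.1.1"), IPv4Address("0.0.0.0"), office_hours),
        Rule(2, "deny", IPv4Address("10.1.2.0"), IPv4Address("0.0.0.255")),
    ])


if __name__ == "__main__":
    acl = example_acl()
    for host, when in [("10.1.1.1", datetime(2024, 1, 1, 9, 0)),
                       ("10.1.1.1", datetime(2024, 1, 1, 19, 0)),
                       ("10.1.2.77", datetime(2024, 1, 1, 22, 0))]:
        print(host, when.time(), acl.evaluate(IPv4Address(host), when))
```

The wildcard arithmetic is the part worth checking when reviewing such a configuration: `10.1.1.1 0` (wildcard 0.0.0.0) matches exactly one host, while a wildcard such as 0.0.0.255 matches 256 addresses, and a mistyped 255.255.255.255 would match every source.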
108. BPDU {0, 5, 1, E1/0/4} from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, E1/0/4}. Meanwhile, Ethernet 1/0/5 receives the configuration BPDU from Switch A, but its configuration BPDU is not updated and remains {0, 0, 0, E1/0/2}. By comparison, the configuration BPDU of Ethernet 1/0/1 is elected as the optimum one: Ethernet 1/0/1 is elected as the root port, and its BPDU does not change, while Ethernet 1/0/5 is blocked and retains its BPDU, but does not forward the data received from Switch A until spanning tree calculation is triggered again by a change (for example, the link from Switch B to C going down). Thus the spanning tree is stabilized. The tree with Switch A as root is illustrated in Figure 52.

Figure 52 The Final Stabilized Spanning Tree (figure not reproduced: Switch A with priority 0 as root, Switch B with priority 1, Switch C with priority 2; labels E1/0/4 and E1/0/1)

In actual calculation, the root ID and the designated switch ID include both the switch priority and the switch MAC address, and the designated port ID includes the port priority and the port number. When a configuration BPDU is updated, the fields other than the first four are modified according to certain rules. The basic calculation process is described below.

Upon initiation of the network, all the switches regard themselves as the root. The desi
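The path-cost table and the 802.1T formula given under "Configuring the Path Cost of a Port", and the BPDU comparison just walked through for Switch C, fit together in one piece of code: a port's candidate for root port is the best received BPDU with the port's own path cost added to its root path cost, and candidates are compared field by field (root ID, root path cost, designated switch ID, designated port ID), lower winning. The following is an added example, not code from the 3Com manual, that reproduces the table rows from the formula and re-runs the Switch C election. Bridge IDs are modelled as bare priorities, port IDs as names, and the link costs 4 (B to C) and 10 (A to C) are assumptions chosen to be consistent with the figure labels and the page's outcome. A practical consequence of the comparison order is that any device that sends a BPDU with a lower root ID than your root becomes root, which is what the BPDU protection on edge ports described earlier is for.

```python
"""Added example: IEEE 802.1T path cost and configuration-BPDU comparison
for root-port election. Identifiers and link costs are this example's own."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def dot1t_path_cost(link_speed_mbps: float, unblocked_ports: int = 1,
                    duplex: str = "full") -> int:
    """Path cost = 200,000,000 / (link speed in units of 100 kbps), where the
    speed of an aggregation is the sum over its unblocked member ports.
    The page's table charges one unit less for a single 10 or 100 Mb/s
    full-duplex link (1,999,999 vs 2,000,000) so that full duplex is
    preferred over half duplex; that adjustment is reproduced here."""
    if duplex not in ("half", "full"):
        raise ValueError("duplex must be 'half' or 'full'")
    if link_speed_mbps <= 0 or unblocked_ports <= 0:
        raise ValueError("speed and port count must be positive")
    speed_100kbps = int(link_speed_mbps * 10) * unblocked_ports
    cost = 200_000_000 // speed_100kbps
    if unblocked_ports == 1 and duplex == "full" and link_speed_mbps <= 100:
        cost -= 1
    return cost


@dataclass(frozen=True, order=True)
class Bpdu:
    """The first four fields of a configuration BPDU; field order is the
    comparison order and a smaller value is better."""
    root_id: int
    root_path_cost: int
    designated_bridge_id: int
    designated_port_id: str


def as_root_candidate(received: Bpdu, port_cost: int) -> Bpdu:
    """Root path cost through this port = advertised cost + the port's own cost."""
    return Bpdu(received.root_id, received.root_path_cost + port_cost,
                received.designated_bridge_id, received.designated_port_id)


def elect_root_port(ports: Dict[str, Tuple[Bpdu, int]]) -> Tuple[Optional[str], Optional[Bpdu]]:
    """ports maps a port name to (best BPDU received on it, its path cost).
    Returns the root port and the winning candidate; every other port that
    received a better BPDU than it would send is blocked."""
    best_port, best = None, None
    for name, (bpdu, cost) in ports.items():
        candidate = as_root_candidate(bpdu, cost)
        if best is None or candidate < best:
            best_port, best = name, candidate
    return best_port, best


def switch_c_election() -> Tuple[Optional[str], Optional[Bpdu]]:
    """Switch C (priority 2) from the page: E1/0/1 faces Switch B, which already
    reaches root A at cost 5; E1/0/5 faces root A directly. Link costs 4 and 10
    are assumed."""
    from_b = Bpdu(0, 5, 1, "E1/0/4")
    from_a = Bpdu(0, 0, 0, "E1/0/2")
    return elect_root_port({"E1/0/1": (from_b, 4), "E1/0/5": (from_a, 10)})


if __name__ == "__main__":
    print("10 Mb/s full duplex:", dot1t_path_cost(10), " 4x1G aggregation:", dot1t_path_cost(1000, 4))
    print("Switch C root port:", switch_c_election())
```

E1/0/1 wins with a root path cost of 9 (5 + 4) against 10 (0 + 10) on E1/0/5, matching the page even though E1/0/5 holds the BPDU that looks better on its face.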
109. CS authentication/authorization server are required; all other tasks are optional, and you can decide whether to perform these configurations as needed.

2.4.2 Creating a HWTACACS Scheme

As mentioned above, the HWTACACS protocol is configured scheme by scheme. Therefore, you must create a HWTACACS scheme and enter HWTACACS view before you perform other configuration tasks.

Perform the following configuration in system view.

Table 2-37 Creating a HWTACACS scheme
Operation | Command
Create a HWTACACS scheme and enter HWTACACS view | hwtacacs scheme hwtacacs-scheme-name
Delete a HWTACACS scheme | undo hwtacacs scheme hwtacacs-scheme-name

By default, no HWTACACS scheme exists. If the HWTACACS scheme you specify does not exist, the system creates it and enters HWTACACS view. The system supports up to 16 HWTACACS schemes. You can only delete schemes that are not being used.

2.4.3 Configuring HWTACACS Authentication Servers

Perform the following configuration in HWTACACS view.

Table 2-38 Configuring HWTACACS authentication servers
Operation | Command
Configure the HWTACACS primary authentication server | primary authentication ip-address [ port ]
Delete the HWTACACS primary authentication server | undo primary authentication
Configure the HWTACACS secondary authentication server | secondary authentication ip-address [ port ]
Delete the HWTACACS secondary authentication server | undo secondary authenti
110. Command
Enable 802.1x | dot1x [ interface interface-list ]
Disable 802.1x | undo dot1x [ interface interface-list ]

A user can configure 802.1x on an individual port. The configuration takes effect right after 802.1x is enabled globally. By default, 802.1x authentication is enabled neither globally nor on any port.

Setting the Port Access Control Mode

The following commands can be used to set the 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured.

Perform the following configurations in system view or Ethernet port view.

Table 219 Set the Port Access Control Mode
Operation | Command
Set the port access control mode | dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]
Restore the default access control mode of the port | undo dot1x port-control [ interface interface-list ]

By default, access control on the port is auto (automatic identification mode), which is also called protocol control mode. That is, the initial state of the port is unauthorized: it only permits EAPoL packets to be received and transmitted and does not permit the user to access network resources. If the authentication flow is passed, the port is switched to the authorized state and permits the user to access network resources. This is the most common mode. Note that authorized-force places the port in the authorized state without any authentication, so it should be used only where that is deliberate.

Setting the Port Access Control Method

The following commands are used for sett
111. Down or Enabling a VLAN Interface
- Displaying and Debugging a VLAN

Creating or Deleting a VLAN

Use the following command to create or delete a VLAN. Perform the following configurations in system view.

Table 46 Creating or Deleting a VLAN
Operation | Command
Create and enter a VLAN view | vlan vlan_id
Delete the specified VLAN | undo vlan vlan_id

The command creates the VLAN first, then enters the VLAN view. If the VLAN already exists, the command enters the VLAN view directly. Note that the default VLAN, VLAN 1, cannot be deleted.

Specifying the Broadcast Suppression Ratio for a VLAN

You can use the following command to specify the broadcast suppression ratio for the VLAN. Perform the following configuration in VLAN view.

Table 47 Setting the Broadcast Suppression Ratio for a VLAN
Operation | Command
Specify the broadcast suppression ratio for the VLAN | broadcast-suppression max-ratio
Restore the default broadcast suppression ratio for the VLAN | undo broadcast-suppression

Using this command, you can set the threshold for the broadcast traffic that can pass through the VLAN. This value is represented as the ratio of broadcast traffic to the entire traffic passing through this VLAN. The system discards the traffic that exceeds the threshold, to limit broadcast traffic and maintain the normal operation of network services. The lower the value of the max-ratio parameter, the lower the volume of broadcast traffic that is allowed to pas
112. ELNET Users 176
Configuring ACL Control for SNMP Users 177

STP OPERATION
STP Overview 181
Configuring STP 181
Designating Switches and Ports 182
Calculating the STP Algorithm 182
Generating the Configuration BPDU 183
Selecting the Optimum Configuration BPDU 183
Designating the Root Port 183
Configuring the BPDU Forwarding Mechanism 185
MSTP Overview 186
MSTP Concepts 186
MSTP Principles 189
Configuring MSTP 189
Configuring the MST Region for a Switch 190
Specifying the Switch as Primary or Secondary Root Switch 191
Configuring the MSTP Running Mode 192
Configuring the Bridge Priority for a Switch 193
Configuring the Max Hops in an MST Region 194
Configuring the Switching Network Diameter 194
Configuring the Time Parameters of a Switch 195
Configuring the Max Transmission Speed on a Port 196
Configuring a Port as an Edge Port 197
Configuring the Path Cost of a Port 198
Configuring the Priority of a Port 200
Configuring the Port Connection with the Point-to-Point Link 201
Configuring the mCheck Variable of a Port 202
Configuring the Switch Security Function 202
Enabling MSTP on the Device 204
Enabling or Disabling MSTP on a Port 204
Displaying and Debugging MSTP 205
Digest Snooping 205
Configuring Digest Snooping 205

AAA AND RADIUS OPERATION
IEEE 802.1x 207
802.1x System Architecture 207
Configuring 802.1x 209
Implementing the AAA and RADIUS Protocols 215
Configuring AAA 217
Configuring the RADIUS Protocol 220
Configuring
113. ER 6 MULTICAST PROTOCOL

IP Multicast Protocols

The Internet Assigned Numbers Authority stipulates that the upper 24 bits of the multicast MAC address are 0x01005e and the lower 23 bits of the MAC address are the lower 23 bits of the multicast IP address.

Figure 27 Mapping Between the Multicast IP Address and the Ethernet MAC Address (figure not reproduced: of the 32-bit IP address, 5 bits are not mapped and the lower 23 bits map directly into the 48-bit MAC address)

Only 23 of the last 28 bits of an IP multicast address are mapped to the MAC address. Therefore, 32 IP multicast addresses are mapped to the same MAC address.

Multicast uses a multicast group management protocol and a multicast routing protocol. The multicast group management protocol uses the Internet Group Management Protocol (IGMP) as the basic IP multicast signaling protocol. It is used between hosts and routers, and enables routers to determine whether members of a multicast group are present on the network segment. The multicast routing protocol is used between multicast routers; it creates and maintains multicast routes and allows highly efficient multicast packet forwarding. At present, the multicast routing protocols mainly include PIM-SM and PIM-DM.

Tasks for configuring IP multicast protocols are described in the following sections:
- Internet Group Management Protocol (IGMP)
- Multicast Routing Protocol

Internet Group Management
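The mapping rule above is mechanical enough to be worth seeing in code, and the 32-to-1 collision it produces has a practical consequence: any filtering or snooping done purely on the destination MAC address cannot tell the 32 colliding groups apart, so a host that joins, say, 225.0.0.1 receives every frame addressed to 224.0.0.1 (the all-hosts group) at the MAC level. The following is an added example, not code from the 3Com manual; the function names are this example's own.

```python
"""Added example: IPv4 multicast group to Ethernet MAC mapping and the
32 groups that share one MAC address. Names are this example's own."""
from ipaddress import IPv4Address
from typing import List

MCAST_MAC_PREFIX = 0x01005E   # upper 24 bits of every IPv4 multicast MAC (IANA)
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group: str) -> str:
    """Map a multicast group address to its MAC: 01:00:5e + low 23 bits of the IP."""
    ip = IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast address (224.0.0.0/4)")
    mac = (MCAST_MAC_PREFIX << 24) | (int(ip) & LOW_23_BITS)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(group: str) -> List[str]:
    """All 32 groups that map to the same MAC as `group`. The 5 unmapped bits
    are bits 23..27: the high bit of the second octet and the low 4 bits of the
    first octet (the top nibble is always 1110 for multicast)."""
    low = int(IPv4Address(group)) & LOW_23_BITS
    return sorted(str(IPv4Address(0xE0000000 | (k << 23) | low)) for k in range(32))


def mac_filter_can_separate(group_a: str, group_b: str) -> bool:
    """True only if a MAC-based filter could distinguish traffic for the two groups."""
    return multicast_mac(group_a) != multicast_mac(group_b)


if __name__ == "__main__":
    print("224.0.0.1 ->", multicast_mac("224.0.0.1"))
    print("shares MAC with:", ", ".join(colliding_groups("224.0.0.1")))
    print("MAC filter separates 224.0.0.1 / 225.0.0.1?", mac_filter_can_separate("224.0.0.1", "225.0.0.1"))
```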
114. Ethernet1/0/1 as 100:
[SW7750-Ethernet1/0/1] port trunk pvid vlan 100

If the default VLAN ID configuration fails, take the following steps:
1. Execute the display interface or display port command to check whether the port is a trunk port or a hybrid port. If it is neither, configure it as a trunk port or a hybrid port.
2. Configure the default VLAN ID.

Link aggregation means aggregating several ports together to implement outgoing/incoming payload balancing among the member ports and to enhance connection reliability. The IEEE 802.3ad-based Link Aggregation Control Protocol (LACP) implements dynamic link aggregation and disaggregation, and exchanges information with the peer through LACP data units (LACPDUs). When LACP is enabled on a port, the port notifies the peer by sending LACPDUs carrying its system priority, system MAC address, port priority, port number and operation key. When the peer receives this port information, it compares it with the information stored for its other ports to determine which ports can be aggregated, so that the two parties can agree on adding ports to or deleting ports from a dynamic aggregation group.

Types of Link Aggregation

Configuring Link Aggregation 43

The operation key is a configuration set generated by LACP based on the port settings (speed, duplex mode, basic configuration and management key). When LACP is enabled, the management key of a dynamic aggregation port is 0 by default, but the man
115. F routing information | display multicast rpf-info source-address
Enable multicast packet forwarding debugging | debugging multicast forwarding
Disable multicast packet forwarding debugging | undo debugging multicast forwarding
Enable multicast forwarding status debugging | debugging multicast status-forwarding
Disable multicast forwarding status debugging | undo debugging multicast status-forwarding
Enable multicast kernel routing debugging | debugging multicast kernel-routing
Disable multicast kernel routing debugging | undo debugging multicast kernel-routing

IGMP

The Internet Group Management Protocol (IGMP) is a protocol in the TCP/IP suite responsible for the management of IP multicast members. It is used to establish and maintain multicast membership among IP hosts and their directly connected neighboring routers. IGMP does not cover the transmission and maintenance of membership information among multicast routers, which is handled by multicast routing protocols. All hosts participating in multicast must implement IGMP.

Hosts participating in multicast can join or leave a multicast group at any time, from any place, and without a limit on the number of members. A multicast router does not need to, and cannot, keep the membership of all hosts. It only uses IGMP to learn whether receivers (group members) of a multicast group are present on the subnet connected to each interface. A host only needs to keep track of the multicast groups it has joined.

IGMP is not symmetric between hosts and routers. Hos
116. FTP server and transmits data to it, then receives the acknowledgement from it.

TFTP configuration tasks include:
- Configuring the File Transmission Mode
- Downloading Files with TFTP
- Uploading Files with TFTP

Configuring the File Transmission Mode

TFTP transmits files in two modes: binary mode for program files and ASCII mode for text files. Use the following command to configure the file transmission mode. Perform the following configuration in system view.

Table 268 Configuring the File Transmission Mode
Operation | Command
Configure the file transmission mode | tftp { ascii | binary }

By default, TFTP transmits files in binary mode.

Downloading Files with TFTP

To download a file, the client sends a request to the TFTP server and receives data from it, then sends acknowledgements to it. Use the following command to download files with TFTP. Perform the following configuration in system view.

Table 269 Downloading Files with TFTP
Operation | Command
Download files with TFTP | tftp tftp-server get source-file [ dest-file ]

Uploading Files with TFTP

To upload a file, the client sends a request to the TFTP server and transmits data to it, then receives the acknowledgements from it. Use the following command to upload files. Perform the following configuration in system view.

Table 270 Uploading Files with TFTP
Operation | Command
Upload files with TFTP | tftp tftp-server put source-file [ dest-file ]

Note that TFTP carries no authentication and no encryption: anyone who can reach the server can read or overwrite files it serves, and software images and configuration files travel in the clear. Keep the TFTP server on a management network reachable only from the switch, and remove it when the transfer is done.

Managing
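The mode choice above maps directly onto the wire format: a TFTP request (RFC 1350) names the file and the mode, "octet" for binary and "netascii" for text, and in netascii mode line endings are rewritten in transit, which is why a program file must be sent in binary mode or it arrives corrupted. The following is an added example, not code from the 3Com manual, that encodes and decodes the request, data and acknowledgement packets and applies the netascii conversion. Function names and the constructed sample payloads are this example's own.

```python
"""Added example: RFC 1350 TFTP packet encoding/decoding and the netascii
versus octet ('binary') mode distinction. Names are this example's own."""
import struct
from typing import List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512            # fixed in RFC 1350; a block shorter than this ends the transfer
MODES = ("octet", "netascii")


def encode_request(opcode: int, filename: str, mode: str) -> bytes:
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if "\x00" in filename or not filename:
        raise ValueError("filename must be non-empty and contain no NUL")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def decode_request(packet: bytes) -> Tuple[int, str, str]:
    """Return (opcode, filename, mode); the mode is case-insensitive per the RFC."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", packet[:2])[0]
    fields = packet[2:].split(b"\x00")
    if opcode not in (RRQ, WRQ) or len(fields) < 3 or fields[-1] != b"":
        raise ValueError("malformed request")
    mode = fields[1].decode("ascii").lower()
    if mode not in MODES:
        raise ValueError(f"unsupported mode {mode!r}")
    return opcode, fields[0].decode("ascii"), mode


def to_netascii(data: bytes) -> bytes:
    """netascii line-ending rules: bare LF becomes CR LF, bare CR becomes CR NUL."""
    out = bytearray()
    for b in data:
        if b == 0x0A:
            out += b"\r\n"
        elif b == 0x0D:
            out += b"\r\x00"
        else:
            out.append(b)
    return bytes(out)


def from_netascii(data: bytes) -> bytes:
    return data.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\r")


def data_blocks(payload: bytes, mode: str) -> List[bytes]:
    """Split a file into DATA packets (opcode, block number, up to 512 bytes).
    A file whose length is a multiple of 512 must be followed by an empty block."""
    body = to_netascii(payload) if mode == "netascii" else payload
    blocks = [struct.pack("!HH", DATA, n + 1) + body[off:off + BLOCK_SIZE]
              for n, off in enumerate(range(0, len(body), BLOCK_SIZE))]
    if len(body) % BLOCK_SIZE == 0:
        blocks.append(struct.pack("!HH", DATA, len(blocks) + 1))
    return blocks


def ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


if __name__ == "__main__":
    image = bytes([0x7F, 0x45, 0x0A, 0x0D, 0x00, 0x10])   # constructed "binary" sample containing LF and CR
    print(decode_request(encode_request(RRQ, "switch.cfg", "octet")))
    print("octet blocks:", len(data_blocks(image, "octet")), "bytes:", len(image))
    print("netascii would change the image:", to_netascii(image) != image)
```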
117. Generating the Configuration BPDU
- Selecting the Optimum Configuration BPDU
- Designating the Root Port
- Configuring the BPDU Forwarding Mechanism

182 CHAPTER 8 STP OPERATION

Designating Switches and Ports

A designated switch is a switch in charge of forwarding packets to the local switch through a port called the designated port. For a LAN, the designated switch is the switch that forwards packets to the network segment through its designated port. As illustrated in Figure 50, Switch A forwards data to Switch B through Ethernet port 1/0/1, so to Switch B the designated switch is Switch A and the designated port is Ethernet 1/0/1 of Switch A. Also, Switch B and Switch C are connected to the LAN, and Switch B forwards packets to the LAN, so the designated switch of the LAN is Switch B and the designated port is Ethernet 1/0/4 of Switch B.

Figure 50 Designated Switch and Designated Port (figure not reproduced; labels: Switch A E1/0/1, E1/0/2; Switch B E1/0/5, E1/0/4; Switch C; LAN)

Calculating the STP Algorithm

The following example illustrates the calculation process of STP. Figure 51 illustrates the network.

Figure 51 Switch 7750 Networking (figure not reproduced; labels: Switch A with priority 0, E1/0/1, E1/0/2, 5, E1/0/7, 10; Switch B with priority 1, E1/0/4, E1/0/5; Switch C with priority 2)

Only the first four parts of the configuration BPDU are given in the example. They a
118. IGMP Membership Report message within the defined period (equal to robust-value seconds), it continues to maintain the membership of this group. When the IGMP query router receives no IGMP Membership Report message from any host within the defined period, it treats this as a timeout and stops membership maintenance for the group.

Perform the following configuration in VLAN interface view.

Table 124 Configure the Times of Sending IGMP Group-Specific Query Packets
Operation | Command
Configure the times of sending IGMP Group-Specific Query packets | igmp robust-count robust-value
Restore the times of sending IGMP Group-Specific Query packets to the default value | undo igmp robust-count

By default, the robust value is 2.

This command is only available on an IGMP query router running IGMP v2. For a host running IGMP v1 this command cannot take effect, because the host may not send an IGMP Leave message when it leaves a group.

Configuring the Limit of IGMP Groups on an Interface

You can limit the number of multicast groups on an interface to a value from 0 to 1024 using the following configuration. Perform the following configuration in VLAN interface view.

Table 125 Configure the Limit of IGMP Groups on an Interface
Operation | Command
Configure the limit of IGMP groups on an interface | igmp group-limit limit
Restore the limit of IGMP groups on an interface to the default value | undo igmp group-limit

Configuring a Router to be a Member of a Gro
119. IP, the hop count from a router to its directly connected network is 0. The hop count to a network which can be reached through another router is 1, and so on. To restrict the time to converge, RIP prescribes that the cost value is an integer that ranges from 0 to 15. A hop count equal to or exceeding 16 is defined as infinite, meaning that the destination network or host is unreachable. RIP exchanges routing information using UDP packets. RIP sends a routing refresh message every 30 seconds. If no routing refresh message is received from a network neighbor in 180 seconds, RIP tags all routes learned from that neighbor as unreachable. If no routing refresh message is received from a network neighbor in 300 seconds, RIP removes the routes learned from that neighbor from the routing table. RIPv2 supports MD5 authentication of routing updates, while RIPv1 has no authentication. To improve performance and avoid routing loops, RIP supports split horizon and poison reverse, and allows for importing routes discovered by other routing protocols. Each router that is running RIP manages a route database which contains routing entries to all the reachable destinations in the network. These routing entries contain the following information:
- Destination address: The IP address of a host or network
- Next hop address: The address of the next router that an IP packet will pass through to reach the destination
- Output interface: The interface through which the IP packet sho
120. LAN Protocol Type

You can use the following command to create or delete a VLAN protocol type. Perform the following configuration in VLAN view.

Table 54 Creating and Deleting a VLAN Protocol Type
Operation: Command
Create a VLAN protocol type: protocol-vlan [ protocol-index ] { ip [ ip-address [ net-mask ] ] | ethernetii | llc | raw | snap | at } [ mode { ethernetii | llc | snap } ]
Delete an existing VLAN protocol type: undo protocol-vlan { protocol-index [ to protocol-end ] | all }

Creating and Deleting the Association Between a Port and a Protocol-Based VLAN

Perform the following configuration in Ethernet port view.

Table 55 Creating and Deleting the Association Between a Port and a Protocol-Based VLAN
Operation: Command
Create the association between a port and a protocol-based VLAN: port hybrid protocol-vlan vlan-protocol-list
Delete the association between a port and a protocol-based VLAN: undo port hybrid protocol-vlan vlan-protocol-list

Note that the port must be a hybrid port and it must belong to that protocol-based VLAN.

Example: VLAN Configuration

Create VLAN2 and VLAN3. Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN2. Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN3.

Figure 16 VLAN Configuration Example (Switch; E1/0/1 in VLAN2; figure not reproduced)

1. Create VLAN 2 and enter its view:
[SW7750] vlan 2
2. Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN2:

Configuring VLANs 59
121. Login authentication and prompts you for the logon password.
5. Enter the password. The terminal displays the command line prompt <SW7750>. If the message "All user interfaces are used, please try later" appears, try to reconnect later. At most 5 Telnet users are allowed to log on to a Switch 7750 simultaneously.
6. Use the appropriate commands to configure the Switch 7750 or to monitor the operational state. Enter ? to get immediate help. For details on specific commands refer to the chapters in this guide.

When configuring the Switch 7750 by Telnet, do not modify the IP address unless necessary, because the modification might terminate the Telnet connection. By default, after passing the password authentication and logging on, a Telnet user can access the commands at login level 0.

Connecting Two Switch 7750 Systems

Before you can telnet from one Switch 7750 to another Switch 7750, as shown in Figure 9, you must:
1. Configure the IP address of a VLAN interface for the Switch 7750 through the console port, using the ip address command in VLAN interface view.
2. Add the port that connects to a terminal to this VLAN, using the port command in VLAN view.
3. Log in to the Switch 7750.

After you telnet to a Switch 7750, you can run the telnet command to log in to and configure another Switch 7750.

18 CHAPTER 1 SYSTEM ACCESS
Figure 9 Provide Telnet Client Service
122. MP Snooping group in user view, and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and the one created by IGMP Snooping are consistent. You may also input the display mac vlan command in all views to check whether the MAC multicast forwarding table under the given VLAN ID in the bottom layer and the one created by IGMP Snooping are consistent. If they are not consistent, contact the maintenance personnel for help.

Configuring PIM-DM

PIM-DM (Protocol Independent Multicast, Dense Mode) belongs to the dense-mode multicast routing protocols. PIM-DM is suitable for small networks, where members of multicast groups are relatively dense. The working procedures of PIM-DM include neighbor discovery, flood and prune, and graft.

Neighbor discovery: The PIM-DM router uses Hello messages to perform neighbor discovery when it is started. All network nodes running PIM-DM keep in touch with one another through Hello messages, which are sent periodically.

Flood and Prune: PIM-DM assumes that all hosts on the network are ready to receive multicast data. When a multicast source S begins to send data to a multicast group G, after the router receives the multicast packets, the router first performs an RPF check according to the unicast routing table. If the RPF check is passed, the router creates an (S,G) entry and then floods the data to all downstream PIM-DM nodes. If the RPF ch
123. Mode: Designate an interface on the local switch to receive NTP multicast messages and operate in multicast client mode. The local switch listens to the multicast from the server. When it receives the first multicast packets, it starts a brief client/server exchange with the remote server to estimate the network delay. Thereafter the local switch enters multicast client mode, continues listening to the multicast, and synchronizes the local clock from the arriving multicast messages.

Perform the following configurations in VLAN interface view.

Table 324 Configuring NTP Multicast Client Mode
Operation: Command
Configure NTP multicast client mode: ntp-service multicast-client [ ip-address ]
Cancel NTP multicast client mode: undo ntp-service multicast-client

The multicast IP address ip-address defaults to 224.0.1.1. This command can only be configured on the interface where the NTP multicast packets are received.

Configuring NTP ID Authentication

Enable NTP authentication, set the MD5 authentication key, and specify the reliable (trusted) key. A client will synchronize itself to a server only if the server can provide a reliable key.

Perform the following configurations in system view.

Table 325 Configuring NTP Authentication
Operation: Command
Enable NTP authentication: ntp-service authentication enable
Disable NTP authentication: undo ntp-service authentication enable

Setting the NTP Authentication Key

This configuration task s
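The check a client performs before it accepts a server's packet under NTP authentication, written out as an added example (not code from the 3Com guide): the sender appends a 32-bit key identifier and an MD5 digest of key || packet (the symmetric-key scheme of RFC 5905 section 7.3) to the 48-byte header, and the receiver recomputes the digest with the key stored under that identifier. The keyring, the choice of key 1 as the only trusted ("reliable") key, and the sample packet are all constructed for this example.

```python
"""NTP symmetric-key authentication check. Example code, not the switch's
own implementation; KEYRING, TRUSTED_KEY_IDS and the sample header are
constructed here."""
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header, no extension fields
KEY_ID_LEN = 4
DIGEST_LEN = 16      # MD5

# Constructed keyring: key 42 is configured but NOT declared reliable,
# mirroring the guide's distinction between a configured key and a
# trusted (reliable) key.
KEYRING = {
    1: b"correct horse battery staple",
    42: b"leftover-test-key",
}
TRUSTED_KEY_IDS = {1}


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905: the digest is MD5 over the key followed by the packet."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Return header || key_id || digest, the wire form of an authenticated packet."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify(packet: bytes, keyring=KEYRING, trusted=TRUSTED_KEY_IDS) -> bool:
    """Accept only a packet whose MAC uses a trusted key id and whose digest
    matches. A packet without a MAC is rejected, which is the behaviour once
    authentication is enabled and only reliable keys are acceptable."""
    if len(packet) != HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[HEADER_LEN + KEY_ID_LEN:]
    if key_id not in trusted or key_id not in keyring:
        return False
    return hmac.compare_digest(ntp_mac(keyring[key_id], header), digest)


def sample_header() -> bytes:
    """Constructed NTPv4 server reply: LI=0, VN=4, Mode=4 (0x24), stratum 2,
    all other fields zero. Sufficient for the MAC computation only."""
    return bytes([0x24, 0x02]) + bytes(HEADER_LEN - 2)


if __name__ == "__main__":
    pkt = sign(sample_header(), 1, KEYRING[1])
    print("trusted key, intact:", verify(pkt))
    tampered = pkt[:1] + bytes([pkt[1] ^ 0x01]) + pkt[2:]   # flip a stratum bit
    print("tampered header:", verify(tampered))
    print("configured but untrusted key:", verify(sign(sample_header(), 42, KEYRING[42])))
```

The keyed-prefix MD5 construction is what this generation of switch offers; it is not an HMAC, and MD5 is deprecated for new designs, so the authentication here protects against an unkeyed spoofed server, not against an attacker who already holds the shared key. The "reliable key" step matters in practice: a key that is configured but not marked reliable must not be enough to make the client synchronize.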
124. PIM Neighbor: See Configuring PIM-DM on page 130.

Configuring the Maximum Number of PIM Neighbors on an Interface: See Configuring PIM-DM on page 130.

Configuring RP to Filter the Register Messages Sent by DR

In a PIM-SM network, the register message filtering mechanism controls which sources may send to which groups on the RP; that is, the RP can filter the register messages sent by the DR and accept only the specified messages. Perform the following configuration in PIM view.

Table 152 Configuring RP to Filter the Register Messages Sent by DR
Operation: Command
Configure the RP to filter the register messages sent by the DR: register-policy acl-number
Cancel the configured filter of messages: undo register-policy

If a (source, group) entry is denied by the ACL, or the ACL defines no operation for it, or the referenced ACL is not defined, the RP sends Register-Stop messages to the DR to prevent the register process of the multicast data stream.

142 CHAPTER 6 MULTICAST PROTOCOL

Only the register messages matching an ACL permit clause are accepted by the RP. Specifying an undefined ACL makes the RP deny all register messages.

Limiting the Range of Legal BSR

In a PIM-SM network using the BSR (bootstrap router) mechanism, every router can set itself as a C-BSR (candidate BSR) and take the authority to advertise RP information in the network once it wins the election. To prevent malicious BSR spoofing in the netw
125. Protocol: IGMP (Internet Group Management Protocol) is the only multicast protocol that hosts use. It defines the membership establishment and maintenance mechanism between hosts and routers and is the basis of the entire IP multicast. Hosts report their group membership to a router through IGMP, and the router learns the state of the other members in the group through its directly connected hosts. If a user on the network joins a multicast group through an IGMP declaration, the multicast router on the network will deliver the traffic sent to that multicast group through the multicast routing protocol, and finally the network will be added to the multicast tree as a branch. When a host that is a member of a multicast group begins receiving the traffic, the router queries the group periodically to check whether members in the group are still involved. As long as one host is involved, the router continues to receive the data. When all users on the network quit the multicast group, the related branches are removed from the multicast tree.

Multicast Routing Protocol

A multicast group address is a virtual address. Unicast allows packets to be routed from the data source to one specified destination address; this is not possible for multicast. The multicast application sends the packets to a group of receivers, identified by the multicast address, who are ready to receive the data, rather than to one receiver as with a unicast address.

Forwarding IP Multicast Packets

IP Mult
126. Switch 7750 Configuration Guide
Version 3.1.5
3Com, http://www.3com.com
Published August 2005. Part No. 10014298
3Com Corporation, 350 Campus Drive, Marlborough, MA 01752-3064

Copyright 2005, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GO
127. CHAPTER 11 SYSTEM MANAGEMENT
128. R fails, you can switch over to another BSR. A BSR is elected among the C-BSRs automatically. The C-BSR with the highest priority is elected as the BSR; if the priorities are the same, the C-BSR with the largest IP address is elected as the BSR.

Configure Static RP

The router that serves as the RP is the core router of multicast routes. If the dynamic RP elected by the BSR mechanism is invalid for some reason, a static RP can be configured to specify the RP. As the backup of the dynamic RP, the static RP improves network robustness and enhances the operation and management capability of the multicast network.

Basic PIM-SM configuration includes:
- Enabling Multicast
- Enabling IGMP on an Interface
- Enabling PIM-SM
- Setting the PIM-SM Domain Border
- Entering PIM View
- Configuring Candidate BSRs
- Configuring Candidate RPs
- Configuring Static RP

Advanced PIM-SM configuration includes:
- Configuring the Interface Hello Message Interval
- Configuring the Filtering of Multicast Source/Group
- Configuring the Filtering of PIM Neighbor
- Configuring the Maximum Number of PIM Neighbors on an Interface
- Configuring RP to Filter the Register Messages Sent by DR
- Limiting the Range of Legal BSR
- Limiting the Range of Legal C-RP
- Clearing Multicast Route Entries from PIM Routing Table
- Clearing PIM Neighbors
- Displaying and Debugging PIM-SM

At least one router in an entire PIM-SM domai
129. RP attribute values. The leaveall timer is started as soon as a GARP participant is enabled. A leaveall message is sent at timeout, so that other GARP participants remove all the attribute values of this participant. Then the leaveall timer is restarted and a new cycle begins.

When a switch receives GARP registration information, it does not send a join message immediately. Instead it starts a hold timer and sends the join message outward when the hold timer times out. In this way all the VLAN registration information received within the time specified by the hold timer can be sent in one frame, to save bandwidth.

Table 56 Setting the GARP Timers
Operation: Command
Configure the hold, join and leave timers in Ethernet port view:
Set the GARP hold, join and leave timers: garp timer { hold | join | leave } timer-value
Restore the default GARP hold, join and leave timer settings: undo garp timer { hold | join | leave }
Configure the leaveall timer in system view:
Set the GARP leaveall timer: garp timer leaveall timer-value
Restore the default GARP leaveall timer setting: undo garp timer leaveall

Configuring GARP/GVRP 63

Note that the value of the join timer should be no less than twice the value of the hold timer, and the value of the leave timer should be greater than twice the value of the join timer and smaller than the leaveall timer val
130. STP, which is an enhancement to STP and is compatible with both STP and RSTP. An MSTP switch can recognize both STP and RSTP packets and can calculate the spanning tree with them. Besides the basic MSTP functions, the Switch 7750 provides additional MSTP features, which include root bridge hold, secondary root bridge, root protection and BPDU protection.

STP cannot stabilize a network rapidly. Even on a point-to-point link or an edge port, it takes an interval as long as twice the forward delay before the network converges. MSTP makes the network converge rapidly and distributes the traffic of different VLANs along their respective paths. This provides a better load balance mechanism for the redundant links.

MSTP associates VLANs with a spanning tree domain and divides a switching network into several regions, each of which has a spanning tree independent of the others. MSTP prunes the network into a loop-free tree to avoid proliferation; it also provides multiple redundant paths for data forwarding, to implement VLAN data forwarding load balance.

Configuring MSTP is described in the following sections:
- MSTP Concepts
- MSTP Principles

MSTP Concepts are described in the following sections:
- MST Region
- VLAN Mapping Table
- Internal Spanning Tree (IST)
- Common Spanning Tree (CST)
- Common and Internal Spanning Tree (CIST)
- Multiple Spanning Tree Instance (MSTI)
- MSTI Region root
- Common Root Bridge
- Boundary port
131. [SW7750-vlan10] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 10
[SW7750-Vlan-interface10] pim sm
[SW7750-Vlan-interface10] quit
[SW7750] vlan 11
[SW7750-vlan11] port Ethernet 1/0/4 to Ethernet 1/0/5
[SW7750-vlan11] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 11
[SW7750-Vlan-interface11] pim sm
[SW7750-Vlan-interface11] quit
[SW7750] vlan 12
[SW7750-vlan12] port Ethernet 1/0/6 to Ethernet 1/0/7
[SW7750-vlan12] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 12
[SW7750-Vlan-interface12] pim sm
[SW7750-Vlan-interface12] quit

2. Configure the C-BSR
[SW7750] pim
[SW7750-pim] c-bsr vlan-interface 10 30 2

3. Configure the C-RP
[SW7750] acl number 2005
[SW7750-acl-basic-2005] rule permit source 225.0.0.0 0.255.255.255
[SW7750] pim
[SW7750-pim] c-rp vlan-interface 10 group list 5

4. Configure the PIM domain border
[SW7750] interface vlan-interface 12
[SW7750-Vlan-interface12] pim bsr-boundary

After VLAN interface 12 is configured as a BSR boundary, LS_D is excluded from the local PIM domain and can no longer receive the BSR information transmitted from LS_B.

Configure Switch C

1. Enable PIM-SM
[SW7750] multicast routing-enable
[SW7750] vlan 10
[SW7750-vlan10] port Ethernet 1/0/2 to Ethernet 1/0/3
[SW7750-vlan10] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 10
[SW7750-Vlan-interface10] pim sm
[SW7750-Vlan-interface10] quit
[SW7750] vlan 11
[SW7750-vlan11] port Ether
132. [SW7750-vlan2] port ethernet1/0/1 to ethernet1/0/2
3. Create VLAN 3 and enter its view:
[SW7750-vlan2] vlan 3
4. Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN3:
[SW7750-vlan3] port ethernet1/0/3 to ethernet1/0/4

Example: Protocol-Based VLAN Configuration

From port G1/0/1, all the traffic with source IP 10.0.0.1 will belong to VLAN 2, and any other IP traffic will belong to VLAN 3. If we configure port G1/0/2 in VLAN 2, the traffic with source IP 10.0.0.1 will be sent from port G1/0/2. If we configure port G1/0/3 in VLAN 3, any other IP traffic will be sent out from port G1/0/3. Note that this classification trusts the source IP address carried in the frame; a host that forges its source address is placed in VLAN 2 just the same, so protocol-based VLANs are a traffic-steering feature, not an access control.

Figure 17 Protocol-Based VLAN Configuration Example (ports G1/0/1, G1/0/2 and G1/0/3; figure not reproduced)

1. Configure port G1/0/1 as a hybrid port and allow VLAN 2 and VLAN 3 to pass:
[SW7750-GigabitEthernet1/0/1] port link-type hybrid
[SW7750-GigabitEthernet1/0/1] display this
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 untagged
return
[SW7750-GigabitEthernet1/0/1] port hybrid vlan 2 to 3 tagged
[SW7750-GigabitEthernet1/0/1] display this
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 2 to 3 tagged
 port hybrid vlan 1 untagged
return

60 CHAPTER 3 VLAN CONFIGURATION

2. Configure VLAN 2 and VLAN 3 as protocol VLANs. Set VLAN 2 as the IP 10.0.0.1 protocol and VLAN 3 as the IP protocol:
[SW7750-vlan2] protocol-vlan ?
  at    Specify AT (AppleTalk) Protocol configuration information
  ip    Specify IP (Internet Protocol) configuration information
  mod
133. Server

Execute the display command in all views to display the FTP server configuration and to verify the effect of the configuration.

Table 267 Display and Debug the FTP Server
Operation: Command
Display the FTP server: display ftp-server
Display the connected FTP users: display ftp-user

The display ftp-server command displays configuration information about the current FTP server, including the maximum number of users supported by the FTP server and the FTP connection timeout. The display ftp-user command displays detailed information about the connected FTP users.

Introduction to FTP Client

As an additional function provided by the Switch 7750, the FTP client is an application module and has no configuration functions. The switch connects the FTP clients to the remote server and passes the commands input by the clients for the corresponding operations, such as creating or deleting a directory.

Trivial File Transfer Protocol (TFTP) is a simple protocol for file transmission that has no complicated interactive access interface and no authentication control at all, and therefore it can be used when no complicated interaction between the client and the server is needed. Because any host that can reach the server can read or write files, TFTP should be exposed only on a management network. TFTP is implemented on the basis of UDP. TFTP transmission originates with the client. To download a file, the client sends a request to the TFTP server and receives the data, then sends an acknowledgement to it. To upload a file, the client sends a request to the T
134. VERNMENT LEGEND: If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following: All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as "Commercial Computer Software" as defined in DFARS 252.227-7014 (June 1995) or as a "commercial item" as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com's standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com and the 3Com logo are registered trademarks of 3Com Corporation. Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other company and product names may be trademarks of the respective companies with w
135. VLAN 2 maps to instance 2, other VLANs map to instance 0, and the revision level is not indicated in Figure 53.

VLAN Mapping Table

A VLAN mapping table is an attribute of an MST region and describes the mapping relationship between VLANs and spanning tree instances. For example, the VLAN mapping table of MST region A0 in Figure 53 is: VLAN 1 maps to instance 1, VLAN 2 maps to instance 2, other VLANs map to instance 0.

Internal Spanning Tree (IST)

The entire switching network has a Common and Internal Spanning Tree (CIST). An MST region has an Internal Spanning Tree (IST), which is a fragment of the CIST. For example, every MST region in Figure 53 has an IST.

Common Spanning Tree (CST)

The CST connects the spanning trees of the MST regions. Taking every MST region as a switch, the CST can be regarded as their spanning tree generated with STP/RSTP. For example, the red line indicates the CST in Figure 53.

Common and Internal Spanning Tree (CIST)

A single spanning tree made of the IST and the CST. The CIST in Figure 53 is composed of each IST in every MST region and the CST.

188 CHAPTER 8 STP OPERATION

Multiple Spanning Tree Instance (MSTI)

Multiple spanning trees can be generated in an MST region, and they are independent of one another. Each of these spanning trees is called an MSTI.

MSTI Region root

The MSTI region root refers to the root of the MSTI in an MST region. Each spanning tree in an MST region can have a different topology with a different region root.
136. able zero field check on the RIP-1 packet: undo checkzero

By default, RIP-1 performs zero field check on the packet.

Specifying the Operating State of the Interface

In VLAN interface view you can specify whether RIP runs on the interface, and separately whether the interface sends or receives RIP update packets. Perform the following configuration in VLAN interface view.

Table 89 Specifying the Operating State of the Interface
Operation: Command
Enable the interface to run RIP: rip work
Disable RIP on the interface: undo rip work
Enable the interface to receive RIP update packets: rip input
Disable receipt of RIP update packets on the interface: undo rip input
Enable the interface to send RIP update packets: rip output
Disable transmission of RIP packets on the interface: undo rip output

The rip work command is functionally equivalent to both the rip input and rip output commands.

94 CHAPTER 5 IP ROUTING PROTOCOL OPERATION

By default, all interfaces except loopback interfaces both receive and transmit RIP update packets.

Disabling Host Routes

In some cases the router can receive many host routes from the same segment; these routes are of little help in route addressing but consume a lot of network resources. Routers can be configured to reject host routes by using the undo host-route command. Perform the following configuration in RIP view.

Table 90 Disabling Host Routes
137. addr source-wildcard | any } [ fragment ] [ time-range name ]
Delete a sub-item from the ACL (from basic ACL view): undo rule rule-id [ source ] [ fragment ] [ time-range ]
Delete one ACL or all the ACLs (from system view): undo acl { number acl-number | name acl-name | all }

A basic ACL is defined by numbers from 2000 to 2999.

Define an Advanced ACL

The classification rules for an advanced ACL are defined on the basis of attributes such as source and destination IP address, the TCP or UDP port number in use, and the packet priority, in order to process the data packets. The advanced ACL supports the analysis of three kinds of packet priority: ToS (Type of Service), IP precedence and DSCP.

Configuring ACLs 153

Perform the following configuration in the designated view.

Table 165 Define Advanced ACL
Operation: Command
Enter advanced ACL view (from system view): acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]
Add a sub-item to the ACL (from advanced ACL view): rule [ rule-id ] { permit | deny } protocol [ source { source-addr source-wildcard | any } ] [ destination { dest-addr dest-wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { type code } ] [ established ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ fragment ] [ time-range name ]
Delete a sub-item from the ACL (from advanced ACL view): undo rule rule-id [ source ] [ destination ] [ source-port ] [ d
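Two points from the ACL and PIM material above are easy to get wrong in practice: the wildcard mask is the inverse of a netmask (a 1 bit means "don't care"), and the register-policy on the RP denies a (source, group) pair unless an ACL permit clause explicitly matches it, including the case where the referenced ACL does not exist. The following is an added example of both rules, written for this page and not taken from the switch's firmware; the ACL numbers 3000, 3010 and 3999, the rule contents and the addresses are constructed. It also implements the two match orders the acl command accepts, config (rules in configuration order) and auto (most specific rule first), to show that the same rule set can give different decisions under each.

```python
"""Wildcard-mask ACL evaluation and PIM-SM register-policy decision.
Example code written for this page; ACLS and every address are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    source: str = "0.0.0.0"
    source_wildcard: str = "255.255.255.255"      # 255.255.255.255 == "any"
    dest: str = "0.0.0.0"
    dest_wildcard: str = "255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means the bit is ignored, so
    225.0.0.0 0.255.255.255 matches every address whose first octet is 225."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _specificity(r: Rule) -> int:
    """Number of address bits a rule actually checks; used by match-order auto."""
    care_bits = lambda wc: bin(~int(IPv4Address(wc)) & 0xFFFFFFFF).count("1")
    return care_bits(r.source_wildcard) + care_bits(r.dest_wildcard)


def evaluate(acl: List[Rule], src: str, dst: str, match_order: str = "config") -> Optional[str]:
    """First match wins. "config": ascending rule id. "auto": most specific
    rule first (depth-first), rule id as tie-break. None when nothing matches."""
    if match_order == "auto":
        ordered = sorted(acl, key=lambda r: (-_specificity(r), r.rule_id))
    else:
        ordered = sorted(acl, key=lambda r: r.rule_id)
    for r in ordered:
        if wildcard_match(src, r.source, r.source_wildcard) and \
           wildcard_match(dst, r.dest, r.dest_wildcard):
            return r.action
    return None


def rp_register_decision(acls: Dict[int, List[Rule]], policy_acl: Optional[int],
                         source: str, group: str) -> str:
    """Register-policy semantics as described in the guide: the RP accepts a
    Register for (source, group) only on an explicit permit. A deny, no matching
    rule, or an ACL number that is not defined all produce a Register-Stop.
    policy_acl=None models "no register-policy configured" (no filtering)."""
    if policy_acl is None:
        return "accept"
    rules = acls.get(policy_acl)
    if rules is None:
        return "register-stop"            # undefined ACL: everything denied
    return "accept" if evaluate(rules, source, group) == "permit" else "register-stop"


# Constructed ACLs. 3000 is the register policy: block a rogue source subnet,
# then permit registers for groups in 225.0.0.0/8 only. 3010 exists to show
# the effect of match order on an overlapping permit/deny pair.
ACLS: Dict[int, List[Rule]] = {
    3000: [
        Rule(0, "deny", source="10.0.5.0", source_wildcard="0.0.0.255"),
        Rule(5, "permit", dest="225.0.0.0", dest_wildcard="0.255.255.255"),
    ],
    3010: [
        Rule(0, "permit", source="10.0.0.0", source_wildcard="0.255.255.255"),
        Rule(5, "deny", source="10.0.5.0", source_wildcard="0.0.0.255"),
    ],
}

if __name__ == "__main__":
    for src, grp in (("192.0.2.9", "225.1.1.1"), ("10.0.5.7", "225.1.1.1"), ("192.0.2.9", "239.1.1.1")):
        print(f"register-policy 3000 ({src} -> {grp}):", rp_register_decision(ACLS, 3000, src, grp))
    print("undefined ACL 3999:", rp_register_decision(ACLS, 3999, "192.0.2.9", "225.1.1.1"))
    print("ACL 3010 config order:", evaluate(ACLS[3010], "10.0.5.3", "0.0.0.0"))
    print("ACL 3010 auto order:  ", evaluate(ACLS[3010], "10.0.5.3", "0.0.0.0", "auto"))
```

When auditing a register-policy, check the match order of the referenced ACL as well as its rules: under config order a broad permit placed before a narrow deny lets the denied sources through, while under auto order the narrow deny is evaluated first.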
138. agement key of a static aggregation port includes the aggregation group ID. For a dynamic aggregation group, all member ports must have the same operation key, while for a manual or static aggregation group only the active member ports must have the same operation key.

The basic configuration of member ports in an aggregation group must be the same. That is, if one is a trunk port, the others must be trunk ports also; if a port turns into an access port, then the others must change to access ports. Basic configuration includes the following types of settings:
- STP: STP enabling/disabling, link attribute (point-to-point or not), STP priority, path cost, max transmission speed, loop protection, root protection, edge port or not
- QoS: traffic limiting, priority marking, default 802.1p priority, bandwidth assurance, congestion avoidance, traffic redirection, traffic statistics
- VLAN: permitted VLAN types and the default VLAN ID
- Port: port link type

The Switch 7750 supports a maximum of sixty-four load balance groups, with each group containing a maximum of eight 1000M ports or sixteen 100M ports. For the 48-port 10/100BASE-T auto-sensing Fast Ethernet interface card, a port in the first 24 ports cannot be aggregated with one in the last 24 ports.

Configuring Link Aggregation is described in the following sections:
- Types of Link Aggregation
- Load Sharing
- Configuring Link Aggre
139. Add an Ethernet port to the aggregation group (Ethernet port view): port link-aggregation group agg-id
Delete an Ethernet port from the aggregation group (Ethernet port view): undo port link-aggregation group
Aggregate Ethernet ports (system view): link-aggregation interface-name1 to interface-name2 both

Note that:
- You cannot enable LACP on a mirrored port, a port with a static MAC address configured, a port with static ARP configured, or a port with 802.1x enabled.
- You must delete the aggregation group instead of the port if the manual or static LACP aggregation group contains only one port.

CHAPTER 2 PORT CONFIGURATION

Setting or Deleting an Aggregation Group Descriptor

Perform the following configuration in system view.

Table 42 Set/Delete an Aggregation Group Descriptor
Operation: Command
Set the aggregation group descriptor: link-aggregation group agg-id description agg-name
Delete the aggregation group descriptor: undo link-aggregation group agg-id description

By default, an aggregation group has no descriptor. Note that if you have saved the current configuration with the save command, the configured manual aggregation groups, static LACP aggregation groups and corresponding descriptors are retained when the system reboots. However, dynamic LACP groups and their descriptors are not retained when the system reboots.

Configuring System Priority

LACP refers to system IDs in determining whether the member ports are selected or standby for a dynamic LACP aggregation group. The system ID consists
140. ally and the multicast registration information dynamically registered by other switches.

The main tasks in a GMRP configuration are described in the following sections:
- Enabling/Disabling GMRP Globally
- Enabling/Disabling GMRP on the Port
- Displaying and Debugging GMRP

In the configuration process, GMRP must be enabled globally before it is enabled on the port.

Enabling/Disabling GMRP Globally

Perform the following configuration in system view.

Table 158 Enabling/Disabling GMRP Globally
Operation: Command
Enable GMRP globally: gmrp
Disable GMRP globally: undo gmrp

By default, GMRP is disabled.

Enabling/Disabling GMRP on the Port

Perform the following configuration in Ethernet port view.

Table 159 Enabling/Disabling GMRP on the Port
Operation: Command
Enable GMRP on the port: gmrp
Disable GMRP on the port: undo gmrp

GMRP should be enabled globally before being enabled on a port. By default, GMRP is disabled on the port.

Displaying and Debugging GMRP

After the previous configuration, execute the display command to display the GMRP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the GMRP configuration.

Table 160 Display and Debug GMRP
Operation: Command
Display GMRP statistics: display gmrp statistics [ interface interface-list ]
Display GMRP global status: display gmrp status
Enable GMRP debugging: debugging gmrp
Disable GMRP debugging: undo debugging
141. ame
Reset the statistics of the HWTACACS server: reset hwtacacs statistics { accounting | authentication | authorization | all }
Enable RADIUS packet debugging: debugging radius packet
Disable RADIUS packet debugging: undo debugging radius packet
Enable debugging of the local RADIUS authentication server: debugging local-server { all | error | event | packet }
Disable debugging of the local RADIUS authentication server: undo debugging local-server { all | error | event | packet }
Enable HWTACACS debugging: debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
Disable HWTACACS debugging: undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

AAA, RADIUS and HWTACACS Protocol Configuration Examples

Configuring FTP/Telnet User Authentication at a Remote RADIUS Server

AAA/RADIUS protocol configuration commands are generally used together with 802.1x configuration commands. Refer to the typical configuration examples provided in Configuring 802.1x on page 209.

Configuring Telnet user authentication at the remote server is similar to configuring FTP users. The following description is based on Telnet users. In the environment illustrated in the following figure, the RADIUS server must be configured to authenticate the Telnet users to be registered. One RADIUS server (the authentication server) is connected to the switch, and the server IP address is 10.110.91.146. The passw
142. ame interface-num
Remove the source address of traps: undo snmp-agent trap source

Adding and Deleting a User to or from an SNMP Group

Use the following commands to add or delete a user to or from an SNMP group. Perform the following configuration in system view.

Table 307 Adding and Deleting a User to or from an SNMP Group
Operation: Command
Add a user to an SNMP group: snmp-agent usm-user { v1 | v2c } username groupname [ acl acl-list ]
Add a user to an SNMP group: snmp-agent usm-user v3 username groupname [ authentication-mode { md5 | sha } auth-password [ privacy-mode des56 priv-password ] ] [ acl acl-list ]
Delete a user from an SNMP group: undo snmp-agent usm-user { v1 | v2c } username groupname
Delete a user from an SNMP group: undo snmp-agent usm-user v3 username groupname { local | engineid engine-id }

The authentication-mode parameter specifies the use of authentication. The privacy-mode parameter specifies the use of authentication and encryption. These parameters are supported only in SNMPv3; v1 and v2c users are identified by the community name alone, with no authentication or encryption. For details, see the Switch 7750 Command Reference Guide.

Creating and Updating View Information or Deleting a View

Use the following commands to create or update the information of views, or delete a view. Perform the following configuration in system view.

Table 308 Creating and Updating View Information or Deleting a View
Operation: Command
Create or update view information: snmp-agent mib-view { included | excluded } view-name oid-tree
Delete a view: undo snmp-agent mib-view view-name
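What the authentication-mode { md5 | sha } auth-password parameters turn into on the agent, and why the undo form needs the engine ID, is defined by the SNMPv3 User-based Security Model (RFC 3414 appendix A): the password is stretched into an intermediate key Ku and then localized with the agent's engine ID into Kul, the key actually used to authenticate messages. The block below is an added example implementing that derivation in Python; it is not the switch's code. The password "maplesyrup" and the engine ID of eleven zero bytes followed by 0x02 are the test vectors from RFC 3414, so the result can be checked against the RFC.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414 A.2/A.3).
Example code written for this page; the inputs are the RFC test vectors."""
import hashlib

ONE_MEBIBYTE = 1_048_576
HASH_FOR_MODE = {"md5": "md5", "sha": "sha1"}     # authentication-mode keywords


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated until exactly 1,048,576 bytes). The 1 MiB
    stretch is the only work factor USM applies to a weak password."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || engineID || Ku). Binding the key to the engine ID means a
    localized key recovered from one agent does not work against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, mode: str) -> bytes:
    """The key an agent stores for a v3 user configured with the given
    authentication-mode (md5 or sha) and auth-password."""
    hash_name = HASH_FOR_MODE[mode]
    return localize_key(password_to_key(password.encode(), hash_name), engine_id, hash_name)


# RFC 3414 A.3 test inputs (not secrets): password "maplesyrup", engine ID
# 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    for mode in ("md5", "sha"):
        print(mode, localized_key("maplesyrup", RFC_ENGINE_ID, mode).hex())
    other = localized_key("maplesyrup", bytes(11) + b"\x03", "md5").hex()
    print("same password, different engine ID:", other)
```

Because the derivation is deterministic and the 1 MiB stretch is cheap, anyone holding a capture of authenticated traffic can test candidate passwords offline, so the auth-password should be as strong as any other shared secret; and the engine ID must be stable, since changing it silently invalidates every localized key, which is the practical reason the delete command asks for it.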
…and implement fault diagnosis, capacity planning and report generation. SNMP adopts the polling mechanism and provides the most basic function set. It is most applicable to small-sized, fast and low-cost environments. It only requires the unverified transport-layer protocol UDP and is widely supported by many other products.

CHAPTER 11 SYSTEM MANAGEMENT

SNMP Versions and Supported MIBs

In terms of structure, SNMP can be divided into two parts: the NMS and the Agent. The NMS (Network Management Station) is the workstation running the client program. At present, the commonly used NM platforms include Sun NetManager and IBM NetView. The agent is the server software operating on network devices. The NMS can send GetRequest, GetNextRequest and SetRequest messages to the agent. Upon receiving the requests from the NMS, the agent performs a read or write operation according to the message type, then generates and returns the response message to the NMS. On the other hand, the agent sends a trap message on its own initiative to the NMS to report events whenever the device encounters any abnormality.

Configuring SNMP is described in the following sections:
- SNMP Versions and Supported MIBs
- Configuring SNMP

To uniquely identify the management variables of a device in SNMP messages, SNMP adopts a hierarchical naming scheme to identify the managed objects. It is like a tree: a tree node represents a managed object, as shown in the figure be…
…ange: Meaning
224.0.0.0 to 224.0.0.255: Reserved multicast addresses (addresses of permanent groups). Address 224.0.0.0 is reserved; the other addresses can be used by routing protocols.
224.0.1.0 to 238.255.255.255: Multicast addresses available for users (addresses of temporary groups). They are valid in the entire network.
239.0.0.0 to 239.255.255.255: Multicast addresses for local management. They are valid only in the specified local range.

Reserved multicast addresses that are commonly used are shown in Table 115.

Table 115 Reserved Multicast Address List
Class D address: Meaning
224.0.0.0: Base address (reserved)
224.0.0.1: Addresses of all hosts
224.0.0.2: Addresses of all multicast routers
224.0.0.3: Unassigned
224.0.0.4: DVMRP routers
224.0.0.7: ST routers
224.0.0.8: ST hosts
224.0.0.9: RIP-2 routers
224.0.0.10: IGRP routers
224.0.0.11: Mobile agents
224.0.0.12: DHCP server/relay agent
224.0.0.13: All PIM routers
224.0.0.14: RSVP encapsulation
224.0.0.15: All CBT routers
224.0.0.16: Designated SBM
224.0.0.17: All SBMs

Ethernet Multicast MAC Addresses

When unicast IP packets are transmitted in Ethernet, the destination MAC address is the MAC address of the receiver. However, when multicast packets are transmitted, the destination is no longer a specific receiver but a group with unspecified members; therefore, a multicast MAC address should be used. Multicast MAC addresses correspond to multicast IP addresses. IANA (Internet …
…are not specific.

History Commands

The command line interface provides a function similar to DosKey. The commands entered by users can be automatically saved by the command line interface, and you can invoke and execute them at any time. By default, the history command buffer can store 10 history commands for each user. The operations are shown in Table 22.

Table 22 Retrieve History Command
Display history commands. Key: display history-command. Result: displays the history commands entered by the current user.
Retrieve the previous history command. Key: Up cursor key or Ctrl+P. Result: retrieves the previous history command, if there is any.
Retrieve the next history command. Key: Down cursor key or Ctrl+N. Result: retrieves the next history command, if there is any.

Editing Features of the Command Line

The command line interface provides a basic command editing function and supports editing multiple lines. A command cannot be longer than 256 characters. See Table 23.

Table 23 Editing Functions
Common keys: inserts at the cursor position, and the cursor moves to the right if the edit buffer still has free space.
Backspace: deletes the character preceding the cursor, and the cursor moves backward.
Left cursor key or Ctrl+B: moves the cursor one character backward.
Right cursor key or Ctrl+F: moves the …
…art and end time of daylight saving time.

Displaying System Information and State; Debugging the System

Perform this command in user view.

Table 285 Setting Daylight Saving Time
Set the name and range of the daylight saving clock: clock summer-time zone-name { one-off | repeating } start-time start-date end-time end-date offset-time
Remove the setting of the summer time: undo clock summer-time

By default, daylight saving time is not set.

The following display commands are used for displaying the system state and statistics information. For the display commands related to each protocol and different ports, refer to the appropriate chapters. Perform the following operations in all views.

Table 286 The Display Commands of the System
Display the system clock: display clock
Display the system version: display version
Display the terminal users: display users [ all ]
Display the state of the debugging: display debugging [ interface { interface-name | interface-type interface-number } ] [ module-name ]

Tasks for debugging the system are described in the following sections:
- Enabling and Disabling Terminal Debugging
- Displaying Diagnostic Information

Enabling and Disabling Terminal Debugging

The Switch 7750 provides various ways of debugging most of the supported protocols and functions. The following switches control the output of debugging information:
- The protocol debugging switch …
…ast client.

Configure Ethernet Switch SW77501.
Enter system view:
<SW77501> system-view
Enter Vlan-interface2 view:
[SW77501] interface vlan-interface 2
[SW77501-Vlan-interface2] ntp-service broadcast-client

The above examples configured SW77504 and SW77501 to listen to broadcasts through Vlan-interface2, and SW77503 to broadcast packets from Vlan-interface2. Since SW77501 and SW77503 are not located on the same segment, SW77501 cannot receive any broadcast packets from SW77503, while SW77504 is synchronized by SW77503 after receiving its broadcast packet. After the synchronization, you can find the state of SW77504 as follows:

[SW77504] display ntp-service status
clock status: synchronized
clock stratum: 8
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.94 ms
peer dispersion: 10.00 ms
reference time: 20:54:25.156 UTC Mar 7 2002 (C0325201.2811A112)

By this time, SW77504 has been synchronized by SW77503 and it is at stratum 3, higher than SW77503 by 1. Display the status of SW77504 sessions and you will see that SW77504 has been connected to SW77503:

[SW77502] display ntp-service sessions
source reference stra reach poll now offset delay disper
[12345] 127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0 0.0
…
…ate static LACP aggregation group 1:
[SW7750] link-aggregation group 1 mode static

Add Ethernet ports Ethernet1/0/1 to Ethernet1/0/3 into aggregation group 1:
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] port link-aggregation group 1
[SW7750-Ethernet1/0/1] interface ethernet1/0/2
[SW7750-Ethernet1/0/2] port link-aggregation group 1
[SW7750-Ethernet1/0/2] interface ethernet1/0/3
[SW7750-Ethernet1/0/3] port link-aggregation group 1

3. Configure a dynamic LACP aggregation.

Enable LACP at Ethernet ports Ethernet1/0/1 to Ethernet1/0/3:
[SW7750] interface ethernet1/0/1
[SW7750-Ethernet1/0/1] lacp enable
[SW7750-Ethernet1/0/1] interface ethernet1/0/2
[SW7750-Ethernet1/0/2] lacp enable
[SW7750-Ethernet1/0/2] interface ethernet1/0/3
[SW7750-Ethernet1/0/3] lacp enable

Only when the three ports are configured with an identical basic configuration (rate and duplex mode) can they be added into the same dynamic aggregation group, after LACP is enabled on them, for load sharing.

CHAPTER 3 VLAN CONFIGURATION

This chapter covers the following topics:
- VLAN Overview
- Configuring VLANs
- Configuring GARP/GVRP

VLAN Overview

A virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. Using VLAN technology, you can logically divide the physical LAN into different broadcast domains. Every VLAN con…
…ats etc. are usually different, it is necessary to group them by setting ISP domains. In the Switch 7750 ISP domain view, you can configure a complete set of exclusive ISP domain attributes on a per-ISP-domain basis, which includes the AAA policy, the RADIUS server group applied, etc.

For the Switch 7750, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system will put it into the default domain.

Perform the following configurations in system view.

Table 229 Create/Delete ISP Domain
Create an ISP domain or enter the view of a specified domain: domain { isp-name | default { disable | enable isp-name } }
Remove a specified ISP domain: undo domain isp-name

By default, the domain name "system" is already created. The attributes of "system" are all default values.

Configuring Relevant Attributes of an ISP Domain

The relevant attributes of an ISP domain include the adopted RADIUS server group, the state, and the maximum number of supplicants. Note the following:
- The adopted RADIUS server group is the one used by all the users in the ISP domain. The RADIUS server group can be used for RADIUS authentication or accounting. By default, the default RADIUS server group is used. For details, refer to "Configuring the RADIUS Protocol".
- Every ISP domain has active and block states. If an ISP domain is in the active state, its users can request network service…
…ault cost of the imported route: undo default cost

By default, the cost value for a RIP-imported route is 1.

Setting the RIP Preference

Each routing protocol has its own preference, by which the routing policy selects the optimal one from the routes of different protocols. The greater the preference value, the lower the preference. The preference of RIP can be set manually. Perform the following configurations in RIP view.

Table 96 Setting the RIP Preference
Set the RIP preference: preference value
Restore the default value of the RIP preference: undo preference

By default, the preference of RIP is 100.

Setting Additional Routing Metrics

The additional routing metric is the input or output routing metric added to a RIP route. It does not change the metric value of the route in the routing table, but adds a specified metric value when the interface receives or sends a route. Perform the following configuration in VLAN interface view.

Table 97 Setting Additional Routing Metrics
Set the additional routing metric of a route when the interface receives a RIP packet: rip metricin value
Disable the additional routing metric of a route when the interface receives a RIP packet: undo rip metricin
Set the additional routing metric of a route when the interface sends a RIP packet: rip metricout value
Disable the ad…
…ay stp region-configuration
Clear the MSTP statistics information: reset stp [ interface interface-list ]
Enable/disable MSTP packet receiving/transmitting, event and error debugging on a port: [ undo ] debugging stp [ interface interface-list ] { packet | event | error }
Enable/disable global MSTP debugging: [ undo ] debugging stp global { event | error | all }
Enable/disable debugging of a specified STI: [ undo ] debugging stp instance instance-id

According to IEEE 802.1s, two connected switches can communicate through MSTIs (multiple spanning tree instances) in an MSTP (multiple spanning tree protocol) domain only when they are configured with the same domain settings. With MSTP employed, interconnected switches determine whether or not they are in the same domain by checking the configuration IDs of the BPDUs exchanged between them. A configuration ID comprises information such as the domain ID and the configuration digest.

As some switches come with proprietary protocols concerning STP, they cannot communicate with other switches in MSTP domains even when both types of switches are configured with the same domain configuration settings. This can be overcome by implementing digest snooping. Digest snooping enables a switch to track and maintain the configuration digests of other switches in the same domain by examining their BPDUs, and to insert the corresponding configuration digests in its own BPDUs destined for these swi…
…ay the protocol information and protocol index configured on the specified port: display protocol-vlan interface interface-list

Example: VLAN Configuration

Create VLAN2 and VLAN3. Add Ethernet 1/0/1 and Ethernet 2/0/1 to VLAN2, and add Ethernet 1/0/2 and Ethernet 2/0/2 to VLAN3.

Figure 15 VLAN Configuration Example (ports E1/0/1, E2/0/1, E1/0/2, E2/0/2)

Create VLAN 2 and enter its view:
[SW7750] vlan 2
Add Ethernet 1/0/1 and Ethernet 2/0/1 to VLAN2:
[SW7750-vlan2] port Ethernet 1/0/1 Ethernet 2/0/1
Create VLAN 3 and enter its view:
[SW7750-vlan2] vlan 3
Add Ethernet 1/0/2 and Ethernet 2/0/2 to VLAN3:
[SW7750-vlan3] port Ethernet 1/0/2 Ethernet 2/0/2

Configuring Port-Based VLANs; Configuring Protocol-Based VLANs

Adding Ethernet Ports to a VLAN

Use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN view.

Table 52 Adding Ethernet Ports to a VLAN
Add Ethernet ports to a VLAN: port { interface-type interface-num | interface-name } [ to { interface-type interface-num | interface-name } ] &<1-10>
Remove Ethernet ports from a VLAN: undo port { interface-type interface-num | interface-name } [ to { interface-type interface-num | interface-name } ] &<1-10>

For the meanings of the parameters related to the Ethernet ports and the specific numbering rules of the ports, see …
…ber ] [ priority ]
Cancel NTP server mode: undo ntp-service unicast-server ip-address

The NTP version number (number) ranges from 1 to 3 and defaults to 3. The authentication key ID (keyid) ranges from 0 to 4294967295. interface-name or interface-type interface-number specifies the interface whose IP address will be used as the source IP address of the NTP packets sent from the local switch to the time server. priority indicates that the time server will be the first choice.

Configuring NTP Peer Mode

Set a remote server whose IP address is ip-address as the peer of the local equipment. In this case, the local equipment operates in symmetric active mode. ip-address specifies a host address other than a broadcast, multicast or reference clock IP address. In this mode, both the local switch and the remote server can synchronize their clocks with the clock of the opposite end.

Perform the following configurations in system view.

Table 320 Configuring NTP Peer Mode
Configure NTP peer mode: ntp-service unicast-peer ip-address [ version number ] [ authentication-keyid keyid ] [ source-interface { interface-name | interface-type interface-number } ] [ priority ]
Cancel NTP peer mode: undo ntp-service unicast-peer ip-address

The NTP version number (number) ranges from 1 to 3 and defaults to 3. The authentication key ID (keyid) ranges from 1 to 4294967295. interface-name or interface-type interface-number specifies the IP address of an inte…
…bles the router to learn the routing information of the entire network.

RIP has become one of the most popular standards for transmitting router and host routes. It can be used in most campus networks and regional networks that are simple yet extensive. RIP is not recommended for larger and more complicated networks.

Configuring RIP is described in the following sections:
- Configuring RIP
- Troubleshooting RIP

Only after RIP is enabled can other functional features be configured. However, the configuration of the interface-related functional features is not dependent on whether RIP has been enabled. After RIP is disabled, the interface-related features also become invalid.

The RIP configuration tasks are described in the following sections:
- Enabling RIP and Entering the RIP View
- Enabling the RIP Interface
- Configuring Unicast RIP Messages
- Specifying the RIP Version
- Configuring RIP Timers
- Configuring RIP-1 Zero Field Check of the Interface Packet
- Specifying the Operating State of the Interface
- Disabling Host Route
- Enabling RIP-2 Route Aggregation
- Setting RIP-2 Packet Authentication
- Configuring Split Horizon
- Enabling RIP to Import Routes of Other Protocols
- Configuring the Default Cost for the Imported Route
- Setting the RIP Preference
- Setting Additional Routing Metrics
- Configuring Route Filtering
- Displaying and Debugging RIP

Enabling RIP and Entering the RIP View

Perform the following confi…
…by a remote server (a peer).
Allow local NTP time service requests and control queries; the local clock will also be synchronized by a remote server.

Setting Maximum Local Sessions

This configuration task sets the maximum number of local sessions. Perform the following configurations in system view.

Table 332 Setting the Maximum Local Sessions
Set the maximum local sessions: ntp-service max-dynamic-sessions number
Resume the default maximum number of local sessions: undo ntp-service max-dynamic-sessions

number specifies the maximum number of local sessions; it ranges from 0 to 100 and defaults to 100.

Displaying and Debugging NTP

After completing the previous configurations, you can use the display commands to show how NTP runs and verify the configurations according to the output. You can use the debugging command in user view to debug NTP. See Table 333 for the details of these commands.

Table 333 Displaying and Debugging NTP
Display the status of the NTP service: display ntp-service status
Display the status of sessions maintained by the NTP service: display ntp-service sessions [ verbose ]
Display brief information about every NTP time server on the way from the local equipment to the reference clock source: display ntp-service trace
Debug NTP: debugging ntp-service …

NTP Configuration Examples
…cation.

The primary and secondary authentication servers cannot use the same IP address. The default port number is 49. If you execute this command repeatedly, the new settings replace the old settings. The authentication server can be deleted only when there is no active TCP connection used for sending authentication packets.

2.4.4 Configuring HWTACACS Authorization Servers

Perform the following configuration in HWTACACS view.

Table 2-39 Configuring HWTACACS authorization servers
Configure the primary HWTACACS authorization server: primary authorization ip-address [ port ]
Delete the primary HWTACACS authorization server: undo primary authorization
Configure the secondary HWTACACS authorization server: secondary authorization ip-address [ port ]
Delete the secondary HWTACACS authorization server: undo secondary authorization

The primary and secondary authorization servers cannot use the same IP address. The default port number is 49. If you execute this command repeatedly, the new settings replace the old settings.

2.4.5 Configuring HWTACACS Accounting Servers and the Related Attributes

Configuring HWTACACS accounting servers

Perform the following configuration in HWTACACS view.

Table 2-40 Configuring HWTACACS accounting servers
Configure the primary TACACS accounting server: primary accounting ip-address [ port ]
Delete the primary TACACS accounting server: undo primary account…
…cation data are encapsulated in the EAP frame, which is encapsulated in packets of other AAA upper-layer protocols (e.g. RADIUS). This provides a channel through the complicated network to the Authentication Server. Such a procedure is called EAP Relay.

There are two types of ports for the Authenticator: one is the Uncontrolled Port and the other is the Controlled Port. The Uncontrolled Port is always in a bi-directional connection state; the user can access and share the network resources at any time through these ports. The Controlled Port will be in a connecting state only after the user passes the authentication; then the user is allowed to access the network resources.

Figure 55 802.1x System Architecture (figure not reproduced: Supplicant/Requester system, Authenticator system with Authenticator PAE, Controlled and Uncontrolled ports, Authentication server system; services offered by the Authenticator system; EAP carried in a higher-layer protocol; LAN)

Tasks for configuring the 802.1x System Architecture are described in the following sections:
- 802.1x Authentication Process
- Implement 802.1x on Ethernet Switch

802.1x Authentication Process

802.1x configures the EAP frame to carry the authentication i…
…ch
- Configuring the Path Cost of a Port
- Configuring the Priority of a Port
- Configuring the Port Connection with the Point-to-Point Link
- Configuring the mCheck Variable of a Port
- Configuring the Switch Security Function
- Enabling MSTP on the Device
- Enabling or Disabling MSTP on a Port
- Displaying and Debugging MSTP

Only after MSTP is enabled on the device will other configurations take effect. Before enabling MSTP, you can configure the related parameters of the device and Ethernet ports. The configuration of the related parameters and Ethernet ports will take effect upon enabling MSTP and stay effective even after resetting MSTP. The display stp region-configuration command shows the parameters that are configured before MSTP is enabled. To display parameters configured after MSTP is enabled, you can use the related display commands. For detailed information, see "Displaying and Debugging MSTP" on page 205.

You do not have to perform all these tasks to configure MSTP. Many of them are designed to adjust the MSTP parameters, which are provided with default values. You can configure these parameters depending on your actual conditions or simply take the defaults. For more detailed information, refer to the task description or to the command descriptions in the Switch 7750 Command Reference Guide.

When GVRP and MSTP start up on the switch simultaneously, GVRP packets will propagate along the CIST, which is a spanning tree instance. In th…
…ch, only one mirroring group can be configured in one direction.

Figure 41 Port Mirroring Configuration (figure not reproduced: server attached to E3/0/2; monitoring port E3/0/8)

To create this configuration, define a mirroring group with the monitoring port being Ethernet3/0/8:
[SW7750] mirroring-group 1 inbound ethernet3/0/1 ethernet3/0/2 mirrored-to ethernet3/0/8
[SW7750] mirroring-group 2 outbound ethernet3/0/1 ethernet3/0/2 mirrored-to ethernet3/0/8

Priority Relabeling Configuration Example

In this example, EF labels are appended to packets sent between 8:00 and 18:00 each day from PC1 (IP 1.0.0.2), as a priority labeling reference for the upper-layer device.

Figure 42 Priority Relabeling Configuration (figure not reproduced: GE7/0/8, E3/0/2, VLAN2 1.0.0.1/8, VLAN3 2.0.0.1/8, PC1)

To create this configuration:

Define the time range. Define the time range between 8:00 and 18:00:
[SW7750] time-range 3com 8:00 to 18:00 daily

Define traffic rules for PC packets. Enter the number-based basic ACL and select ACL 2000:
[SW7750] acl number 2000

Define traffic classification rules for PC1 packets:
[SW7750-acl-basic-2000] rule 0 permit ip sourc…
…cified by the instance instance-id parameter. If instance-id takes 0, the current switch is specified as the primary or secondary root switch of the CIST.

The root types of a switch in different STIs are independent of one another. A switch can be a primary or secondary root of any STI; however, a switch cannot serve as both the primary and secondary root of one STI.

If the primary root is down or powered off, the secondary root will take its place unless you configure a new primary root. If there are two or more configured secondary root switches, MSTP selects the one with the smallest MAC address to take the place of the failed primary root.

When configuring the primary and secondary switches, you can also configure the network diameter and hello time of the specified switching network. For detailed information, refer to the configuration tasks "Configuring the Switching Network Diameter" and "Configuring the Time Parameters of a Switch".

You can configure the current switch as the root of several STIs; however, it is not necessary to specify two or more roots for an STI. In other words, do not specify the root for an STI on two or more switches. You can configure more than one secondary root for a spanning tree by specifying the secondary STI root on two or more switches. Generally, you are recommended to designate one primary root and more than one secondary root for a spanning tree.

By default, a switch is neither…
…come from any unicast routing protocol, independent of any specified unicast routing protocol, such as the routing information learned by RIP.

- Assert mechanism. As shown in the following figure, both routers A and B on the LAN have their own receiving paths to multicast source S. In this case, when they receive a multicast packet sent from multicast source S, they will both forward the packet to the LAN. Multicast router C at the downstream node will receive two copies of the same multicast packet.

Figure 32 Assert Mechanism Diagram (figure not reproduced: multicast packets forwarded by the upstream node reach Router A and Router B, which both forward onto the LAN toward Router C and the Receiver)

When they detect such a case, routers need to select a unique sender by using the assert mechanism. Routers send Assert packets to select the best path. If two or more have the same priority and metric, the path with the higher IP address will be the upstream neighbor of the (S, G) entry; this neighbor is responsible for forwarding the (S, G) multicast packet.

- Graft. When the pruned downstream node needs to be restored to the forwarding state, the node will send a graft packet to inform the upstream node.

Configuring PIM-DM is described in the following sections:
- Configuring PIM-DM
- Example: PIM-DM Configuration

Basic PIM-DM configuration includes:
- Enabling Multicast
- Enabling PIM-DM
- Entering PIM View

Advanced PIM-DM configuration includes:
- Configuring the Interface Hello Message Interval
- Configuri…
…connected links, but is applicable on the Ethernet. Perform the following configuration in VLAN interface view.

Table 93 Configuring Split Horizon
Enable split horizon: rip split-horizon
Disable split horizon: undo rip split-horizon

By default, split horizon of the interface is enabled.

Enabling RIP to Import Routes of Other Protocols

RIP allows users to import the route information of other protocols into the routing table. RIP can import direct and static routes.

Perform the following configurations in RIP view.

Table 94 Enabling RIP to Import Routes of Other Protocols
Enable RIP to import routes of other protocols: import-route protocol [ cost value ] [ route-policy route-policy-name ]
Disable route imports from other protocols: undo import-route protocol

By default, RIP does not import the route information of other protocols.

Configuring the Default Cost for the Imported Route

When you use the import-route command to import the routes of other protocols, you can specify their cost. If you do not specify the cost of the imported route, RIP sets the cost to the default cost specified by the default cost parameter. Perform the following configurations in RIP view.

Table 95 Configuring the Default Cost for the Imported Route
Configure the default cost for the imported route: default cost value
Restore the def…
…cursor one character forward.
Up cursor key or Ctrl+P: retrieves the previous history command.
Down cursor key or Ctrl+N: retrieves the next history command.
Tab: press Tab after typing an incomplete keyword and the system will execute partial help. If the keyword matching the typed one is unique, the system replaces the typed one with the complete keyword and displays it on a new line. If there is no matching keyword, or the matching keyword is not unique, the system makes no modification but displays the originally typed word on a new line.

Displaying Features of the Command Line

If the information to be displayed exceeds one screen, the pause function allows users three choices, as described in Table 24.

Table 24 Display Functions
Press Ctrl+C when the display pauses: stop displaying and executing the command.
Enter a space when the display pauses: continue to display the next screen of information.
Press Enter when the display pauses: continue to display the next line of information.

CHAPTER 2 PORT CONFIGURATION

This chapter covers the following topics:
- Ethernet Port Overview
- Configuring Link Aggregation

Ethernet Port Overview

Configuring Ethernet Ports

The following features are found in the Ethernet ports of the Switch 7750. 10BASE-T/100BASE-TX Gigabit Ethernet ports support MDI/MDI-X auto-sensing and can be configured to operate in half/full duplex mode or in auto-negotiation mode to negotiate t…
…cy route-policy-name { permit | deny } node node-number

The permit argument specifies that if a route satisfies all the if-match clauses of a node, the route passes the filtering of the node and the apply clauses for the node are executed without taking the test of the next node. If a route does not satisfy all the if-match clauses of a node, however, the route takes the test of the next node.

The deny argument specifies that the apply clauses are not executed. If a route satisfies all the if-match clauses of the node, the node denies the route and the route does not take the test of the next node. If a route does not satisfy all the if-match clauses of the node, however, the route takes the test of the next node.

The router tests the route against the nodes in the route policy in sequence; once a node is matched, the route policy filtering is passed.

By default, the route policy is not defined.

If multiple nodes are defined in a route policy, at least one of them should be in permit mode. Apply the route policy to filter routing information: if the routing information does not match any node, the route policy denies the routing information. If all the nodes in the route policy are in deny mode, all routing information will be denied by the route policy.

Defining If-match Clauses for a Route Policy

The if-match clauses define the matching rules that the routing information must satisfy to pass the route policy. The matching objects are a…
…d
Enable DHCP security features: address-check enable
Disable DHCP security features on the VLAN interface: address-check disable

By default, the DHCP security features are disabled.

Displaying and Debugging DHCP Relay

Execute the display commands in all views to display the current DHCP Relay configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the DHCP Relay configuration.

Table 73 Displaying and Debugging DHCP Relay
Display the information about the DHCP server group: display dhcp-server groupNo
Display the information about the DHCP server group corresponding to the VLAN interface: display dhcp-server interface vlan-interface vlan-id
Enable DHCP relay debugging: debugging dhcp-relay
Disable DHCP relay debugging: undo debugging dhcp-relay
Display address information for all the legal clients of the DHCP server group: display dhcp-security [ ip-address | dynamic | static ]

Example: Configuring DHCP Relay

Configure the VLAN interface corresponding to the user and the related DHCP server so as to use DHCP relay.

Figure 21 Networking Diagram of Configuring DHCP Relay (figure not reproduced: Server Group 1, VLAN 3)
…d Updating View Information or Deleting a View
- Setting the Size of an SNMP Packet Sent or Received by an Agent
- Enabling and Disabling Transmission of Trap Information
- Disabling the SNMP Agent
- Displaying and Debugging SNMP

Setting the Community Name

Both SNMPv1 and SNMPv2c use the community name authentication scheme. An SNMP message that does not comply with a community name accepted by the device is discarded. An SNMP community is named with a character string, which is called the community name. Communities can have read-only or read-write access modes. A community with read-only authority can only query the device information, whereas a community with read-write authority can also configure the device.

Use the following commands to set the community name. Perform the following configuration in system view.

Table 299 Setting the Community Name
Set the community name and the access authority: snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-list ]
Remove the community name and the access authority: undo snmp-agent community community-name

Enabling and Disabling the SNMP Agent to Send a Trap

The managed device transmits a trap, without a request, to the NMS to report critical and urgent events such as a restart. You can use the following commands to enable or disable the managed device to transmit trap messages. Pe…
167. d low priority queues, which are shown as Queue 3, 2, 1 and 0 in turn, with sequentially reduced priority. During queue dispatching, SP strictly follows the priority order from high to low: it gives preference to, and sends first, the packets in the higher priority queue. When the higher priority queue is empty, SP sends the packets in the lower priority queues. In this way SP guarantees that key service packets of higher priority are transmitted first, while packets of lower service priority are transmitted in the idle gaps between higher priority packets. When congestion occurs and many packets are queued in the higher priority queue, messages in the lower priority queue are set aside without service until all high priority messages are transmitted.
Traffic Mirroring
The traffic mirroring function copies the specified data packets to the monitoring port for network diagnosis and troubleshooting.
Traffic Counting
With flow-based traffic counting, you can request a traffic count to count and analyze the packets.
RED
When the congestion reaches a certain degree, the Switch 7750 selects some frames to drop using the RED algorithm. The RED algorithm can alleviate excessive congestion. Also, the global TCP synchronization caused by the Tail Drop algorithm can be avoided. In the RED algorithm, every queue has a pair of high and low limits. This algorithm also regulates that:
- If the queue length is smaller than the
168. date RPs and BSRs. The BSR is responsible for collecting the information from the candidate RPs and advertising the information. Configuring PIM-SM is described in the following sections:
- PIM-SM Operating Principles
- Preparing to Configure PIM-SM
- Configuring PIM-SM
The PIM-SM working process is as follows: neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration, SPT switchover, etc. The neighbor discovery mechanism is the same as that of PIM-DM.
Build the RP shared tree (RPT)
When hosts join a multicast group G, the leaf routers send IGMP messages to learn the receivers of the multicast group G. The leaf routers calculate the corresponding rendezvous point (RP) for multicast group G and then send join messages to the node of a higher level toward the rendezvous point (RP). Each router along the path between the leaf routers and the RP will generate (*, G) entries in the forwarding table, indicating that all packets sent to multicast group G are applicable. When the RP receives packets sent to multicast group G, the packets will be sent to the leaf routers along the path built, and then reach the hosts. In this way an RP-rooted tree (RPT) is built, as shown in Figure 34.
Figure 34 RPT Schematic Diagram (labels: Receiver, join, Multicast source, registration)
Multicast Source Registration
When multicast source S sends a multicast packet to g
169. ddresses. The Class D addresses are multicast addresses and Class E addresses are reserved for future use. At present, IP addresses are mostly Class A, Class B and Class C. IP addresses of Classes A, B and C are composed of two parts: network ID and host ID. Their network ID lengths are different:
- Class A IP addresses use only the first octet to indicate the network ID.
- Class B IP addresses use the first two octets to indicate the network ID.
- Class C IP addresses use the first three octets to indicate the network ID.
At most there are 128 Class A addresses, 16,384 Class B addresses and 2,097,152 Class C addresses. The IP address is in dotted decimal format. Each IP address contains 4 integers in dotted decimal notation; each integer corresponds to one byte, e.g. 10.110.50.101.
Configuring an IP Address is described in the following sections:
- Subnet and Mask
- Configuring an IP Address
- Troubleshooting an IP Address Configuration
Subnet and Mask
The IP protocol allocates one IP address for each network interface. Multiple IP addresses can only be allocated to a device which has multiple network interfaces. IP addresses on a device with multiple interfaces have no relationship among themselves. With the rapid development of the Internet, IP addresses are depleting very fast. The traditional IP address allocation method uses up IP addresses with lit
170. dent from each other. The settings will take effect only after enabling the information center.
Defining the Log Filtering Rules
The SYSLOG classifies the information into eight levels of severity. Log filtering prevents the system from outputting information whose severity level is greater than the set threshold. The more urgent the logging packet is, the lower its severity level. The level for emergencies is 1 and the level for debugging is 8; therefore, when the threshold of the severity level is 8, the system will output all information.
Table 294 Syslog-Defined Severity
Severity | Description
1 Emergencies | The extremely urgent errors that endanger data
2 Alerts | The errors that need to be corrected immediately
3 Critical | Critical errors
4 Errors | The errors that need to be addressed but are not critical
5 Warnings | Warning: there might be an error
6 Notifications | The information should be read
7 Informational | Common prompting information
8 Debugging | Helpful information for debugging
Use the following commands to define the filtering rules of the channels. Perform the following operation in system view.
Table 295 Define the Filtering Rules of the Channels
Operation | Command
Add the filtering record about a certain type of information in a module to the information channel | info-center source modu-name channel { channel-number | channe
171. destination. It is used for checking if the network is connected and for analyzing where faults occur in the network. The following list provides the tracert execution process:
1. Tracert sends a packet with a TTL value of 1.
2. The first hop sends back an ICMP error message indicating that the packet cannot be sent because the TTL has timed out.
3. Re-send the packet with a TTL value of 2.
4. The second hop returns the TTL timeout message.
5. The process is repeated until the packet reaches the destination.
The process records the source address of each ICMP TTL timeout message to provide the route of an IP packet to the destination. Perform the following operation in user view.
Table 290 The Tracert Command
Operation | Command
Trace a route | tracert [ -f first-TTL ] [ -m max-TTL ] [ -p port ] [ -q nqueries ] [ -w timeout ] host
Logging Function
The Syslog is an indispensable part of the Switch 7750. It serves as an information center of the system software modules. The logging system is responsible for most of the information output, and also makes detailed classification to filter the information efficiently. Coupled with the debugging program, the syslog provides powerful support for network administrators to monitor the operational state of networks and to diagnose network failures. The syslog of the Switch 7750 has the following features: support for six different output destinations (console, moni
172. ding order of priority levels: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
- The system sets ports to inactive state if they cannot aggregate with the active port with the lowest port number due to a hardware limit (for example, if trans-board aggregation is not available).
- The system sets ports to inactive state if their basic configurations are different from the basic configuration of the active port with the lowest port number.
In a static LACP aggregation group, the system sets the ports to active or inactive state based on these rules:
- The system sets the port with the highest priority to active state and the others to inactive state, based on the following descending order of priority levels: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
- If the Switch 7750 is connected to a peer device on which the maximum number of ports in a link aggregation is smaller than on the Switch 7750, the Switch 7750 sets to active the number of ports that corresponds to the peer's maximum. The Switch 7750 sets its extra ports to inactive.
- The system sets ports to inactive if they cannot aggregate with the active port with the lowest port number because of a hardware limit (for example, if trans-board aggregation is not available).
- The system sets ports to inactive if their basic configurations are different from the basic configuration
173. ditional routing metric of the route when the interface sends an RIP packet: undo rip metricout. By default, the additional routing metric added to the route when RIP sends the packet is 1. The additional routing metric when RIP receives the packet is 0.
Configuring Route Filtering
The router provides the route filtering function. You can configure the filter policy rules by specifying the ACL and ip-prefix for route redistribution and distribution. To import a route, the RIP packets of a specific router can also be received by designating a neighbor router. Perform the following configurations in RIP view.
Table 98 Configuring RIP to Filter Routes
Operation | Command
Configure filtering of the received routing information distributed by the specified address | filter-policy gateway ip-prefix-name import
Cancel filtering of the received routing information distributed by the specified address | undo filter-policy gateway ip-prefix-name import
Configure filtering of the received global routing information | filter-policy { acl-number | ip-prefix ip-prefix-name } import
Cancel filtering of the received global routing information | undo filter-policy { acl-number | ip-prefix ip-prefix-name } import
By default, RIP does not filter received and distributed routing information.
Displaying and Debugging RIP
After configuring RIP, execute the display command in all views to display the RIP configuration and to verify the effect
174. ds. With the no-aging parameter, the command performs no aging on the MAC address entries.
Displaying and Debugging the MAC Address Table
Execute the display command in all views to display the MAC address table configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the MAC address table configuration.
Table 275 Displaying and Debugging the MAC Address Table
Operation | Command
Display the information in the address table | display mac-address [ static | dynamic ] [ interface { interface-name | interface-type interface-num } ] [ vlan vlan-id ]
Display the aging time of dynamic address table entries | display mac-address aging-time
Display the dynamic MAC address learning capability of the system and ports | display mac-address learning [ interface-type interface-num | interface-name ]
Enable the address table management debugging | debugging mac-address
Disable the address table management debugging | undo debugging mac-address
Example: Configuring MAC Address Table Management
The user logs in to the switch through the console port to configure the address table management. Set the address aging time to 500s and add the static address 00e0-fc35-dc71 to Ethernet 1/0/2 in vlan1.
Figure 60 Typical Configuration of Address Table Management
175. e interface-type interface-num. The remaining rows of the table take the form display qos-interface { interface-type interface-num | interface-name } followed by one of these keywords: queue-scheduler, traffic-bandwidth, line-rate, traffic-redirect, all, traffic-limit, traffic-priority, traffic-statistic, traffic-red.
Table 184 Display and Debug QoS (continued)
Operation | Command
Display the settings of the priority used for putting the packet into the sending queue | display priority-trust
Clear the statistics information | reset traffic-statistic { inbound | outbound } { all | ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
For output and description of the related commands, see the Switch 7750 Command Reference Guide.
QoS Configuration Examples
This section provides the following configuration examples:
- Traffic Limit and Line Rate
- Port Mirroring
- Priority Relabeling Configuration Exam
176. e 1.0.0.2 0 time-range 3com
Relabel the ef priority for PC1 packets. Enter QoS view:
[SW7750-GigabitEthernet7/0/1] qos
Relabel the ef priority for PC1 packets:
[SW7750-qosb-GigabitEthernet7/0/1] traffic-priority inbound ip-group 1 dscp ef
Packet Redirection
In this example, packets sent from PC1 (IP 1.0.0.2) between 8:00 and 18:00 each day are forwarded to the port GE7/0/8. Only the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X SFP I/O modules support packet redirection.
Figure 43 Packet Redirection (labels: GE7/0/8, GE3/0/2, LAN3, PC1, PC2)
To create this configuration:
Define the time range 8:00 to 18:00:
[SW7750] time-range 3com 8:00 to 18:00 daily
Define traffic rules for PC1 packets. Enter the number-based basic ACL and select ACL 2000:
[SW7750] acl number 2000
Define traffic classification rules for PC1 packets:
[SW7750-acl-basic-2000] rule 0 permit ip source 1.0.0.2 0 time-range 3com
Forward PC1 packets to the port GE7/0/8. Enter QoS view:
[SW7750-GigabitEthernet7/0/1] qos
Forward PC1 packets to the port GE7/0/8:
[SW7750-qosb-GigabitEthernet7/0/1] traffic-redirect inbound ip-group 1 rule 0 interface gigabitethernet7/0/8
Queue
177. e Accounting Interval
- Setting the Maximum Times of Real-time Accounting Request
- Enabling/Disabling the Stop-Accounting Request Buffer
- Setting the Maximum Retransmitting Times of the Stop-Accounting Request
- Setting the Supported Type of RADIUS Server
- Setting the RADIUS Server State
- Setting the Username Format Transmitted to the RADIUS Server
- Setting the Unit of Data Flow Transmitted to the RADIUS Server
- Configuring a Local RADIUS Server Group
- Configuring the Source Address for RADIUS Packets Sent by the NAS
- Displaying and Debugging the AAA, RADIUS and HWTACACS Protocols
- Configuring FTP/Telnet User Authentication at a Remote RADIUS Server
- Configuring FTP/Telnet User Authentication at the Local RADIUS Server
Among these tasks, creating the RADIUS server group and setting the IP address of the RADIUS server are required, while the other tasks are optional and can be performed per your requirements.
Creating/Deleting a RADIUS Server Group
As mentioned above, RADIUS protocol configurations are performed on a per-RADIUS-server-group basis. Therefore, before performing other RADIUS protocol configurations, it is compulsory to create the RADIUS server group and enter its view to set its IP address. You can use the following commands to create or delete a RADIUS server group. Perform the following configurations in system view.
Table 235 Create/Delete a RADIUS Server Group
Operation | Command
Create a RADIUS server group and enter its view | radius scheme radiu
178. e DHCP relay can be used.
Configuring the DHCP Server Group for the VLAN Interface
Perform the following configuration in VLAN interface view.
Table 70 Configure/Delete the Corresponding DHCP Server Group of a VLAN Interface
Operation | Command
Configure the DHCP server group for the VLAN interface | dhcp-server groupNo
Delete the DHCP server group for the VLAN interface | undo dhcp-server
When associating a VLAN interface with a new DHCP server group, you can configure the association without disassociating it from the previous group. By default, VLAN interfaces have no associated DHCP server group.
Configuring the Address Table Entry
To check the addresses of users who have valid and fixed IP addresses in a VLAN with DHCP enabled, it is necessary to add an entry to the static address table. Perform the following configuration in system view.
Table 71 Configure/Delete the Address Table Entry
Operation | Command
Add an entry to the address table | dhcp-security static ip-address mac-address [ dynamic | static ]
Delete an entry from the address table | undo dhcp-security { ip-address | all } [ dynamic | static ]
Enabling/Disabling DHCP Security Features
Enabling the DHCP security features starts an address check on the VLAN interface, while disabling the DHCP security features cancels the address check. Perform the following configuration in VLAN interface view.
Table 72 Enable/Disable DHCP Security on VLAN Interfaces
Operation | Comman
179. e Specify other protocol mode configuration information:
[SW7750-vlan2] protocol-vlan ip 10.0.0.1
[SW7750-vlan2] vlan 3
[SW7750-vlan3] protocol-vlan ip
[SW7750-vlan3] display protocol-vlan vlan all
VLAN ID: 2
VLAN Type: Protocol-based VLAN
Protocol Index  Protocol Type
0               ip 10.0.0.1 255.255.255.0
VLAN ID: 3
VLAN Type: Protocol-based VLAN
Protocol Index  Protocol Type
0               ip
3. Configure the protocol VLAN on port G1/0/1:
[SW7750] int g1/0/1
[SW7750-GigabitEthernet1/0/1] port hybrid
  protocol-vlan  Specify current hybrid port's protocol-based VLAN characteristics
  pvid           Specify current hybrid port's PVID VLAN characteristics
  vlan           Specify current hybrid port's VLAN ID
[SW7750-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 2 0
[SW7750-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 3 0
[SW7750-GigabitEthernet1/0/1] display th
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 2 to 3 tagged
 port hybrid vlan 1 untagged
 port hybrid protocol-vlan vlan 2 0
 port hybrid protocol-vlan vlan 3 0
return
Configure port G1/0/3 as VLAN 3 and port G1/0/2 as VLAN 2:
[SW7750] vlan 3
[SW7750-vlan3] port g1/0/3
[SW7750-vlan3] vlan 2
[SW7750-vlan2] port g1/0/2
Configuring GARP/GVRP
Generic Attribute Registration Protocol (GARP) all
180. e host group represented by the multicast group address within the destination address fields of the IP packets. The multicast model must forward multicast packets to multiple external interfaces so that the packets can be forwarded to all receivers.
RPF (Reverse Path Forwarding)
To ensure that a multicast packet reaches the router along the shortest path, multicast must depend on the unicast routing table, or on a unicast routing table independently provided for multicast. This check mechanism is the basis for most multicast routing protocols and is known as the RPF (Reverse Path Forwarding) check. A multicast router uses the source address from the multicast packet to query the unicast routing table, or the independent multicast routing table, to determine the incoming interface at which the packet arrives. If a source tree is used, the source address is the address of the source host sending the multicast packet. If a shared tree is used, the source address is the address of the root of the shared tree. When a multicast packet arrives at the router, if the RPF check succeeds, the packet is forwarded according to the multicast forwarding entry; otherwise the packet is dropped.
Applying Multicast
IP multicast technology effectively solves the problem of packet forwarding from a single point to multiple points. It implements highly efficient data transmission from a single point to multiple points in IP networks a
181. e vlan-interface vlan_id. Create a VLAN before creating an interface for it.
Shutting Down or Enabling a VLAN Interface
You can use the following command to shut down or enable a VLAN interface. Perform the following configuration in VLAN interface view.
Table 50 Shutting Down or Enabling a VLAN Interface
Operation | Command
Shut down the VLAN interface | shutdown
Enable the VLAN interface | undo shutdown
The operation of shutting down or enabling the VLAN interface has no effect on the UP/DOWN status of the Ethernet ports in the VLAN. By default, when the status of all Ethernet ports in a VLAN is DOWN, the status of the VLAN interface is also DOWN, so the VLAN interface is shut down. When the status of one or more Ethernet ports is UP, the status of the VLAN interface is also UP, so the VLAN interface is enabled.
Displaying and Debugging a VLAN
After configuring a VLAN, execute the display command in any view to display the VLAN configuration and to verify the effect of the configuration.
Table 51 Displaying and Debugging a VLAN
Operation | Command
Display the information about a VLAN interface | display interface vlan-interface [ vlan_id ]
Display the information about a VLAN | display vlan [ vlan_id | all | static | dynamic ]
Display the protocol information and protocol index configured on the specified VLAN | display protocol-vlan vlan vlan-list
Displ
182. eall timer times out. The join and leave messages cooperate to ensure the logout and the re-registration of a message. By exchanging messages, all the attribute information to be registered can be propagated to all the switches in the same switching network. The destination MAC addresses of the packets of the GARP participants are specific multicast MAC addresses. A switch that supports GARP classifies the packets that it receives from GARP participants and processes them with the corresponding GARP applications (GVRP or GMRP). GARP and GMRP are described in detail in the IEEE 802.1p standard. The Switch 7750 fully supports GARP compliant with the IEEE standards.
- The value of the GARP timer is used in all GARP applications, including GVRP and GMRP, that are running in a switching network.
- In one switching network, GARP timers on all the switching devices should be set to the same value.
Setting the GARP Timers
GARP timers include the hold, join and leaveall timers. The GARP participant sends join messages regularly when the join timer times out, so that other GARP participants can register its attribute values. When the GARP participant wants to remove attribute values, it sends a leave message. When the leave message arrives, the receiving GARP participant starts the leave timer. If the receiving participant does not receive a join message from the sender before the leave timer expires, the receiving participant removes the sender's GA
183. eceive only the routing information distributed by certain routers. An ip-prefix is identified by the ip-prefix name. Each ip-prefix can include multiple list items, and each list item can specify the match range of the network prefix forms and is identified with an index number. The index number designates the matching check sequence in the ip-prefix. During the matching, the router checks the list items identified by the sequence number in ascending order. Once a single list item meets the condition, the route has passed the ip-prefix filtering and does not enter the testing of the next list item.
Configuring a routing policy includes the tasks described in the following sections:
- Defining a Route Policy
- Defining If-match Clauses for a Route Policy
- Defining Apply Clauses for a Route Policy
- Importing Routing Information Discovered by Other Routing Protocols
- Defining an IP Prefix
- Configuring for Filtering Received Routes
- Configuring for Filtering Distributed Routes
- Displaying and Debugging the Routing Policy
Defining a Route Policy
A route policy can include multiple nodes. Each node is a unit for the matching operation. The nodes are tested in sequence-number order. Perform the following configurations in system view.
Table 100 Defining a Route Policy
Operation | Command
Enter Route policy view | route-policy route-policy-name { permit | deny } node node-number
Remove the specified route policy | undo route-poli
184. eck is not passed, that is, when multicast packets enter from an error interface, the packets will be discarded. After this process, an (S, G) entry will be created in the PIM-DM multicast domain. If the downstream node has no multicast group members, it will send a Prune message to the upstream nodes to inform the upstream node not to forward data to the downstream node. Receiving the prune message, the upstream node will remove the corresponding interface from the outgoing interface list corresponding to the multicast forwarding entry (S, G). In this way, an SPT (Shortest Path Tree) rooted at Source S is built. Leaf routers initiate the pruning process. This is called the flood & prune process. Nodes that are pruned provide a timeout mechanism. Each router re-starts the flood & prune process upon pruning timeout. The consistent flood & prune process of PIM-DM is performed periodically. During this process, PIM-DM uses the RPF check and the existing unicast routing table to build a multicast forwarding tree rooted at the data source. When a packet arrives, the router judges the validity of the path. If the interface is the one indicated by unicast routing toward the multicast source, the packet is regarded as coming from the correct path; otherwise the packet will be discarded as a redundant packet without multicast forwarding. The unicast routing information used as path judgment can
185. ed | forbidden }
Set the GVRP registration type back to the default setting | undo gvrp registration
By default, the GVRP registration type is normal.
Displaying and Debugging GVRP
After you set the GVRP registration type, execute the display command in all views to display the GVRP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the configuration of GVRP.
Table 61 Displaying and Debugging GVRP
Operation | Command
Display GVRP statistics information | display gvrp statistics [ interface interface-list ]
Display GVRP global status information | display gvrp status
Enable GVRP packet or event debugging | debugging gvrp { packet | event }
Disable GVRP packet or event debugging | undo debugging gvrp { packet | event }
Example: GVRP Configuration Example
Set network requirements to dynamically register and update VLAN information among switches.
Figure 18 GVRP Configuration Example (labels: E1/0/1, E2/0/1, Switch A, Switch B)
Configure Switch A:
1. Set Ethernet1/0/1 as a trunk port and allow all the VLANs to pass through:
[SW7750] interface Ethernet 1/0/1
[SW7750-Ethernet1/0/1] port link-type trunk
[SW7750-Ethernet1/0/1] port trunk permit vlan all
2. Create VLANs:
[SW7750-Ethernet1/0/1] vlan 3
[SW7750-vlan3] vlan 4
3. Enable GVRP globally:
[SW7750-vlan4]
186. en the size of the routing table increases, it can consume a significant amount of the switch's memory. The Switch 7750 provides a mechanism to control the size of the routing table. It monitors the free memory in the system to determine whether to add new routes to the routing table and whether or not to keep the connection with a routing protocol. The default value normally meets the network requirements. You should be careful when modifying the configuration, to avoid reducing the stability of the network.
Route capacity configuration includes the tasks described in the following sections:
- Setting the Lower Limit for Switch Memory
- Setting the Safety Value for Switch Memory
- Setting the Lower Limit and the Safety Value Simultaneously
- Preventing Automatic Recovery of Disconnected Routing Protocols
- Enabling Automatic Recovery of Disconnected Routing Protocols
- Displaying and Debugging Route Capacity
Setting the Lower Limit for Switch Memory
When the Ethernet switch memory is equal to or lower than the lower limit, routes will be disconnected. Perform the following configurations in system view.
Table 108 Setting the Lower Limit of the Ethernet Switch Memory
Operation | Command
Set the lower limit of the Ethernet switch memory | memory limit value
By default, the lower limit of the Ethernet switch memory is 2 Mbytes. The lower limit value set for the memory must be smaller than the safety value.
Setting the Safety Value for Switch
187. ence Guide. This section provides examples for the following configurations:
- Access Control
- Basic ACL
- Link ACL
Access Control
The interconnection between different departments on a company network is implemented through the 100M ports of the Switch 7750. The payment query server of the Financial Dept. is accessed through Ethernet1/0/1 at 129.110.1.2. The ACL must be properly configured to prevent departments other than the Office of the President from having access to the payment query server between 8:00 AM and 6:00 PM. The Office of the President, at 129.111.1.2, can access the server without limitation.
Figure 37 Access Control Configuration Example (labels: Office of President; Pay query server 129.110.1.2; Switch; Administration Department, subnet address 10.120.0.0; Financial Department, subnet address 10.110.0.0; Connected to a router)
In the following configuration steps, only the commands related to ACL configuration are listed.
Basic ACL
Define the work time range. Set the time range 8:00 to 18:00:
[SW7750] time-range 3com 8:00 to 18:00 working-day
Define the ACL to access the payment s
188. enter loghost host-ip-addr [ channel { channel-number | channel-name } ] [ facility local-number ] [ language { chinese | english } ]
undo info-center loghost host-ip-addr
Table 292 Log Output (continued)
Operation | Command
Set the address of the interface specified by interface-name as the source address for packets sent to the loghost | info-center loghost source interface-name
Cancel the source address setting for the packets sent to the loghost | undo info-center loghost source
Configure to output the information to the trap buffer | info-center trapbuffer [ size buffersize ] [ channel { channel-number | channel-name } ]
Disable the output of the information to the trap buffer | undo info-center trapbuffer [ channel | size ]
Configure to output the information to SNMP | info-center snmp channel { channel-number | channel-name }
Disable the output of the information to SNMP | undo info-center snmp channel
Rename a channel specified by channel-number as channel-name | info-center channel channel-number name channel-name
The system assigns a channel in each output direction by default; see Table 293.
Table 293 Numbers and Names of the Channels for Log Output
Name | Channel number | Default channel name
Console | 0 | console
Monitor | 1 | monitor
Info center loghost | 2 | loghost
Trap buffer | 3 | trapbuf
Logging buffer | 4 | logbuf
SNMP | 5 | snmpagent
The six settings are indepen
189. er.
- The AUX user interface is the first interface, user interface 0.
- The VTY is numbered after the AUX user interface. The absolute number of the first VTY is the AUX user interface number plus 1.
To number the user interfaces by relative number, represented by the interface number assigned to each type of user interface:
- AUX user interface: AUX 0
- The first VTY interface: VTY 0; the second one: VTY 1; and so on.
Tasks for configuring the user interface are described in the following sections:
- Entering the User Interface View
- Configuring the Attributes of the AUX (Console) Port
- Configuring the Terminal Attributes
- Managing Users
- Configuring the Attributes of a Modem
- Configuring Redirection
- Displaying and Debugging the User Interface
Entering the User Interface View
Use the user-interface command (see Table 4) to enter a user interface view. You can enter a single user interface view or a multi-user interface view to configure one or more user interfaces. Perform the following configuration in system view.
Table 4 Enter User Interface View
Operation | Command
Enter a single user interface view or multi-user interface views | user-interface type first-number [ last-number ]
Configuring the Attributes of the AUX (Console) Port
Use the speed, flow-control, parity, stopbit and databit commands (see Table 5) to configure these attributes of the AUX (Console) port. Perfor
190. er 2 ACL view from system view | acl { number acl-number | name acl-name } link [ match-order { config | auto } ]
Table 166 Define Layer 2 ACL
Operation | Command
Add a sub-item to the ACL (from Layer 2 ACL view) | rule [ rule-id ] { permit | deny } [ protocol-type ] [ format-type ] [ ingress { source-vlan-id | source-mac-addr | any } ] [ egress { dest-mac-addr | any } ] [ time-range name ]
Delete a sub-item from the ACL (from Layer 2 ACL view) | undo rule rule-id
Delete one ACL or all the ACLs (from system view) | undo acl { number acl-number | name acl-name | all }
A Layer 2 ACL can be identified with numbers ranging from 4000 to 4999. If you assign an ACL to an interface and then make changes to the ACL, you must reassign the ACL to the interface before the changes to the ACL will apply on the interface.
Activating an ACL
A defined ACL can be active after being enabled globally on the switch. This function is used to activate ACL filtering or to classify the data transmitted by the hardware of the switch. Perform the following configuration in QoS view.
Table 167 Activate ACL
Operation | Command
Activate an ACL | packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] link-group { acl-number | acl-name } [ rule rule ] [ not-care-for-interface ]
Deactivate an ACL | undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] link-group { acl-number
191. ...er for the specified number of times. Perform the following configurations in RADIUS server group view. Table 243 Set Maximum Times of Real-Time Accounting Request Failing to be Responded. Configure the maximum number of retries for real-time accounting requests: retry realtime-accounting retry-times. Restore the maximum number of retries for real-time accounting requests to the default value: undo retry realtime-accounting. The value of retry-times is the ceiling of T/t, where T is the period of time after which the RADIUS server connection times out and t is the real-time accounting interval of the NAS. By default, the value of retry-times is 5. Enabling/Disabling Stop-Accounting Request Buffer: Because the stop-accounting request concerns the account balance and affects the amount charged to a customer, the NAS makes its best effort to send the message to the RADIUS accounting server. If the message from the Switch 7750 to the RADIUS accounting server has not been responded to, the switch saves it in the local buffer and retransmits it until the server responds or the message is discarded. The following command can be used to enable the storage of the stop-accounting message. If the stop-accounting buffer is enabled, make sure you set the maximum retransmission times. (226 CHAPTER 9 AAA AND RADIUS OPERATION) Perform the following configurations in RADIUS server group view. Table 244 Enable/Disable Stopping Accounting...
192. ...erally by applying a client/server architecture. The AAA framework boasts the following advantages: good scalability; ability to use standard authentication schemes; easy control and convenient centralized management of user information; ability to use multiple-level backup systems to enhance the security of the whole framework. As mentioned above, AAA is a management framework, so it can be implemented by several protocols; RADIUS is the one most frequently used. Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol in client/server architecture. RADIUS can protect the network from interruption by unauthorized access, and it is often used in network environments that require both high security and remote user access. For example, it is often used for managing a large number of scattered dial-in users who use serial ports and modems. The RADIUS system is an important auxiliary part of the Network Access Server (NAS). After the RADIUS system is started, if a user wants to access other networks or use network resources through a connection to the NAS (a dial-in access server in a PSTN environment, or an Ethernet switch with access function in an Ethernet environment), the RADIUS client transmits the user's AAA request to the RADIUS server. The RADIUS server has a user database recording all user authentication and network service information. On receiving the user's request from the NAS, the RADIUS server performs AAA through user...
193. ...erform the following configuration in system view. Table 214 Enable/Disable MSTP on a Port. Enable MSTP on a port: stp interface interface-list enable. Disable MSTP on a port: stp interface interface-list disable. Restore the default MSTP state on the port: undo stp interface interface-list. Configuring in Ethernet Port View: Perform the following configuration in Ethernet port view. Table 215 Enable/Disable MSTP on a Port. Enable MSTP on a port: stp enable. Disable MSTP on a port: stp disable. Restore the default MSTP state on the port: undo stp. For more information about the commands, see the Switch 7750 Command Reference Guide. A redundant route may be generated after MSTP is disabled. By default, MSTP is enabled on all the ports after it is enabled on the device. Displaying and Debugging MSTP; Digest Snooping; Configuring Digest Snooping. After you configure MSTP, execute the display command in all views to display the running MSTP configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the MSTP module. Use the debugging command in user view to debug the MSTP module. Table 216 Display and Debug MSTP. Show the configuration information about the current port and the switch: display stp [ instance instance-id ] [ interface interface-list ] [ brief ]. Show the configuration information about the displ...
194. ...ers of this group, and then starts a maximum response timer. If the switch has not received any report message from the multicast group before the timer expires, the port will be removed from the corresponding MAC multicast group. If the MAC multicast group does not have any member, the switch will notify the multicast router to remove it from the multicast tree. Configuring IGMP Snooping is described in the following sections: Configuring IGMP Snooping; Example: IGMP Snooping Configuration; Troubleshooting IGMP Snooping. The main IGMP Snooping configuration includes: Enabling/Disabling IGMP Snooping; Configuring Router Port Aging Time; Configuring Maximum Response Time; Configuring Aging Time of Multicast Group Member; Displaying and Debugging IGMP Snooping. Of the above configuration tasks, enabling IGMP Snooping is required, while the others are optional. Enabling/Disabling IGMP Snooping: You can use the following commands to enable/disable IGMP Snooping on Layer 2. Perform the following configuration in system view. To enable IGMP snooping, you must also issue the igmp-snooping enable command in VLAN view. Table 133 Enable/Disable IGMP Snooping. Enable/disable IGMP Snooping: igmp-snooping { enable | disable }. Restore the default setting: undo igmp-snooping. IGMP Snooping and GMRP cannot run at the same time. You can check whether GMRP is running using the display gmrp status command in all views before enabling...
195. ...erver. Enter the named advanced ACL traffic-of-payserver: [SW7750] acl name traffic-of-payserver advanced match-order config. Set the rule for other departments accessing the payment server: [SW7750-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range 3com. Set the rule for the Office of the President accessing the payment server: [SW7750-acl-adv-traffic-of-payserver] rule 2 permit ip source 129.111.1.2 0.0.0.0 destination 129.110.1.2 0.0.0.0. Activate the ACL: Activate the traffic-of-payserver ACL: [SW7750-Ethernet2/0/1] qos; [SW7750-qoss-Ethernet2/0/1] packet-filter inbound ip-group traffic-of-payserver. Using a basic ACL, filter the packets with source IP address 10.1.1.1 between 8:00 and 18:00 every day. The host connects to port Ethernet2/0/1 of the switch. Figure 38 Access Control Configuration Example (host, switch, router). In the following configurations, only the commands related to ACL configuration are listed. Define the time range: Define time range 8:00 to 18:00: [SW7750] time-range 3com 8:00 to 18:00 daily. Select ACL mode: Select IP-based ACL mode: [SW7750] acl mode ip-based. Define the ACL for packets with source IP address 10.1.1.1: Enter the named basic ACL traffic-of-host: [SW7750] acl name traffic-of-host basic. Define the rules for packets with source IP address 10.1.1.1: [SW...
196. ...es [table: Local or IP Priority Level / Queue]. Table 173 Mapping Between DSCP Priority Levels and Outbound Queues (DSCP value range; DSCP name and value; queue): 0-7: be 0, queue 0. 8-15: cs1 8, af1 10, queue 1. 16-23: cs2 16, af2 18, queue 2. 24-31: cs3 24, af3 26, queue 3. 32-39: cs4 32, af4 34, queue 4. 40-47: cs5, ef 46, queue 5. 47-55: cs6 48, queue 6. 56-63: cs7 56, queue 7. Configuring the Mapping List for 802.1p Priority: You cannot modify the mapping between local priority levels and outbound queues, but you can change the mapping between 802.1p and local priority levels; the mapping between 802.1p priority levels and outbound queues then changes accordingly. Perform the following configurations in system view. Table 174 Setting Mapping Table. Configure the CoS to local precedence mapping table: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec. Restore the default mapping: undo qos cos-local-precedence-map. By default, the switch uses the default mapping. (164 CHAPTER 7 QOS OPERATION) Configuring the Priority for Queue Scheduling: You can use the following command to configure which priority is used for queue scheduling. Perform the following configuration in system view. Table 175 Configuring the Priority for Queue Scheduling. Operation / Co...
197. ...es network topology flapping. Normally these ports will not receive STP BPDUs. If someone forges BPDUs to attack the switch, the network will flap. The BPDU protection function is used against such network attacks. The primary and secondary root switches of the spanning tree, especially those of the CIST, must be located in the same region. This is because the primary and secondary roots of the CIST are generally placed in the core region, which has high bandwidth, in the network design. In case of configuration error or malicious attack, the legal primary root may receive a BPDU with a higher priority and then lose its place, which causes network topology change errors. Due to the illegal change, traffic that is supposed to travel over the high-speed link may be pulled to a low-speed link, and congestion will occur on the network. The root protection function is used against such problems. The root port and other blocked ports maintain their state according to the BPDUs sent by an uplink switch. Once the link is blocked or has trouble, the ports cannot receive BPDUs and the switch will select a root port again. In this case the former root port will turn into a designated port and the former blocked ports will enter the forwarding state, and a link loop will be created. The security function can control the generation of such loops. After it is enabled, the root port cannot be changed, and the blocked port will remain in the discarding state and will not forward packet...
198. ...estination-port ] [ icmp-type ] [ precedence ] [ tos ] [ dscp ] [ fragment ] [ time-range ]. Delete one ACL or all ACLs (from system view): undo acl { number acl-number | name acl-name | all }. An advanced ACL is identified by a number in the range 3000 to 3999. Note that port1 and port2 in this command specify the TCP or UDP ports used by various high-layer applications. For some common port numbers you can use mnemonic symbols as a shortcut. When you configure a rule, the following parameters are not supported by the switch: icmp-type type code; tos tos; fragment. When you configure the TCP/UDP port parameter, the following restrictions apply: If you use the gt operator, the value of parameter port1 can only be 32767. If you use the lt operator, the value of parameter port must be a power of 2, i.e., 2^n. The switch does not support the operator neq. If you use the operator range, these rules for the parameters port1 and port2 must be followed: port_range = port2 - port1 + 1; port_range is a power of 2; port is a multiple of port_range. Defining a Layer 2 ACL: The rules of a Layer 2 ACL are defined on the basis of Layer 2 information such as source MAC address, source VLAN ID, Layer 2 protocol type, Layer 2 packet format and destination MAC address. Perform the following configuration in the designated view. Table 166 Define Layer 2 ACL. Enter Lay...
199. ...et and there is no response packet, it means the DHCP server has not sent the message to the Switch 7750. In this case, check whether the DHCP server has been configured properly. If the numbers of request and response packets are normal, enable debugging dhcp relay in user view and then use the terminal debugging command to output the debugging information to the console. (IP Performance, p. 77) In this way you can view the detailed information of all DHCP packets on the console while applying for an IP address, thereby conveniently locating the problem. IP Performance: IP performance configuration includes: Configuring TCP Attributes; Configuring Special IP Packet Transmission to the CPU; Configuring L3 Broadcast Forwarding; Displaying and Debugging IP Performance; Troubleshooting IP Performance. Configuring TCP Attributes: The TCP attributes that can be configured include: synwait timer: when sending SYN packets, TCP starts the synwait timer. If response packets are not received before the synwait timer times out, the TCP connection will be terminated. The synwait timer timeout ranges from 2 to 600 seconds and is 75 seconds by default. finwait timer: when the TCP connection state turns from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If FIN packets are not received before the finwait timer times out, the TCP connection will be terminated. The finwait timer ranges from 76 to 3600...
200. ...et serial port parameters. Set the following parameters (14 CHAPTER 1 SYSTEM ACCESS): Baud rate: 9600; Data bits: 8; Parity check: none; Stop bits: 1; Flow control: none. Figure 4 Set Communication Parameters (COM1 Properties). 5 Click OK. The HyperTerminal dialog box displays, as shown in Figure 5. 6 Select Properties. (Setting Terminal Parameters, p. 15) Figure 5 HyperTerminal Window (SW7700 HyperTerminal). 7 In the Properties dialog box, select the Settings tab, as shown in Figure 6. 8 Select VT100 in the Emulation drop-down menu. 9 Click OK. Figure 6 Settings Tab (SW7700 Properties). (16 CHAPTER 1 SYSTEM ACCESS) Setting the Terminal Parameters is described in the following sections: Configuring Through Telnet; Configuring Through a Dial-up Modem; Configuring the User Interface. Configuring Through Telnet: Before you can telnet to a Switch 7750 and configure it, you must: 1 Configure the IP address of a VLAN interface for the Switch 7750 through the console port, using the ip address command in VLAN interface view. 2 Add the port that connects to a terminal to this VLAN, using the port command in VLAN view. 3 Log in to the Switch 7750. Tasks for configuring through Telnet are described in the following sections: Connecting the PC to the Switch 7750; Connecting Two Switch 7750 Systems. Connecting the PC to the Switch 7750: To connect the PC and S...
201. ...ets the NTP authentication key. Perform the following configurations in system view. Table 326 Configuring the NTP Authentication Key. Configure the NTP authentication key: ntp-service authentication-keyid number authentication-mode md5 value. Remove the NTP authentication key: undo ntp-service authentication-keyid number. The key number number ranges from 1 to 4294967295; the key value contains 1 to 32 ASCII characters. Setting the Specified Key to Be Reliable: This configuration task sets the specified key as reliable. Perform the following configurations in system view. Table 327 Setting the Specified Key as Reliable. Set the specified key as reliable: ntp-service reliable authentication-keyid key-number. Cancel the specified reliable key: undo ntp-service reliable authentication-keyid key-number. The key number key-number ranges from 1 to 4294967295. Designating an Interface to Transmit NTP Messages: If the local equipment is configured to transmit all NTP messages through a designated interface, these packets have the same source IP address, which is taken from the IP address of the designated interface. (284 CHAPTER 11 SYSTEM MANAGEMENT) Perform the following configurations in system view. Table 328 Designating an Interface to Transmit NTP Messages. Designate an interface to transmit NTP messages: ntp-service source-interface { interface-name | interface-type interface-number }. Cancel...
202. ...event-entry2 ] [ owner text ]. Delete an entry from the alarm table: undo rmon alarm entry-number. Adding and Deleting an Entry to or from the Event Table: RMON event management defines the event ID and the handling of the event: keeping logs, sending trap messages to the NMS, or doing both at the same time. Use the following commands to add or delete an entry to or from the event table. Perform the following configuration in system view. Table 314 Add or Delete an Entry to or from the Event Table. Add an entry to the event table: rmon event event-entry [ description string ] { log | trap trap-community | log-trap log-trapcommunity | none } [ owner rmon-station ]. Delete an entry from the event table: undo rmon event event-entry. (276 CHAPTER 11 SYSTEM MANAGEMENT) Adding and Deleting an Entry to or from the History Control Table: History data management lets you set up history data collection, that is, periodic collection and storage of data for the specified ports. The sampled information includes the utilization ratio, error counts and the total number of packets. Use the following commands to add or delete an entry to or from the history control table. Perform the following configuration in Ethernet port view. Table 315 Adding or Deleting an Entry to or from the History Control Table. Add an entry to the history control table: rmon history entry-number buckets number interval sampling-i...
203. ...f the specific user on the incoming traffic, so that it can make better use of the assigned resources. Bandwidth Assurance: Through traffic reservation, a minimum bandwidth is reserved for a specified traffic flow. Even when network congestion occurs, QoS requirements such as packet dropping ratio, delay and jitter can still be satisfied. Port Traffic Limit: The port traffic limit is the port-based traffic limit used for limiting the general speed of packet output on the port. Redirection: You can specify a new port to forward the packets, according to your requirements on the QoS policy. Traffic Priority: The Switch 7750 can deliver priority tag service for special packets. The tags include ToS, DSCP and 802.1p, etc., which can be used and defined in different QoS modules. Queue Scheduling: When congestion occurs, packets compete for resources. Strict Priority Queue (SP) algorithms overcome the problem. (160 CHAPTER 7 QOS OPERATION) Figure 39 SP (packets to be sent through the interface are classified into sending queues and dequeued by strict priority). SP is designed for key service applications. A significant feature of key service is that it requires priority in order to reduce the response delay when congestion occurs. Taking 4 egress queues per port as an example, SP divides the queues of a port into at most 4 kinds: high priority, medium priority, normal priority an...
204. ...face-list ]. Reset the 802.1x statistics information: reset dot1x statistics [ interface interface-list ]. Enable the error/event/packet/all debugging of 802.1x: debugging dot1x { error | event | packet | all }. Disable the error/event/packet/all debugging of 802.1x: undo debugging dot1x { error | event | packet | all }. Example: 802.1x Configuration. As shown in the following figure, the workstation is connected to port 1/0/2 of the Switch 7750. The switch administrator will enable 802.1x on all the ports to authenticate the supplicants, in order to control their access to the Internet. The access control mode is based on the MAC address. (214 CHAPTER 9 AAA AND RADIUS OPERATION) All the supplicants belong to the default domain 3com163.net, which can contain up to 30 users. RADIUS authentication is performed first; if there is no response from the RADIUS server, local authentication will be performed. For accounting, if the RADIUS server fails to account, the user will be disconnected. In addition, when the user is connected, the domain name does not follow the user name. Normally, if the user's traffic is consistently less than 2 kbps over a period of 20 minutes, they will be disconnected. A server group consisting of two RADIUS servers at 10.11.1.1 and 10.11.1.2 is connected to the switch. The former acts as the primary authentication and secondary accounting server; the latter acts as the secondary authentication and primary accounting server.
205. ...fault settings of the timers: undo dot1x timer { quiet-period | tx-period | supp-timeout | server-timeout }. By default, the quiet-period value is 60 seconds, the tx-period value is 30 seconds, the supp-timeout value is 30 seconds, and the server-timeout value is 100 seconds. For more detailed information on the dot1x timer command, see the Switch 7750 Command Reference Guide. Enabling/Disabling the Quiet-Period Timer: You can use the following commands to enable/disable the quiet-period timer of the Switch 7750. If an 802.1x user has not passed authentication, the authenticator will keep quiet for the time specified by quiet-period before launching authentication again. During the quiet period, the authenticator does not do anything related to 802.1x authentication. Perform the following configuration in system view. Table 227 Enable/Disable the Quiet-Period Timer. Enable the quiet-period timer: dot1x quiet-period. Disable the quiet-period timer: undo dot1x quiet-period. Displaying and Debugging 802.1x: Execute the display command in all views to display the 802.1x configuration and to verify the configuration. Execute the reset command in user view to reset the 802.1x statistics information. Execute the debugging command in user view to debug the 802.1x module. Table 228 Display and Debug 802.1x. Display the configuration, running and statistics information of 802.1x: display dot1x [ sessions | statistics ] [ interface inter...
206. ...frequency: 100.0000 Hz; clock precision: 2^17; clock offset: 0.0000 ms; root delay: 0.00 ms; root dispersion: 0.00 ms; peer dispersion: 0.00 ms; reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000). After the synchronization, SW77502 turns into the following status: [SW77502] display ntp-service status: clock status: synchronized; clock stratum: 8; reference clock ID: LOCAL(0); nominal frequency: 100.0000 Hz; actual frequency: 100.0000 Hz; clock precision: 2^17; clock offset: 0.0000 ms; root delay: 0.00 ms; root dispersion: 10.94 ms; peer dispersion: 10.00 ms; reference time: 20:54:25.156 UTC Mar 7 2002 (C0325201.2811A112). By this time, SW77502 has been synchronized by SW77501 and is at stratum 3, higher than SW77501 by 1. (288 CHAPTER 11 SYSTEM MANAGEMENT) Display the sessions of SW77502 and you will see that SW77502 has been connected with SW77501: [SW77502] display ntp-service sessions: source / reference / stra / reach / poll / now / offset / delay / disper: [12345] 127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0 1.0; [5] 1.0.1.11 0.0.0.0 16 0 64 - 0.0 0.0 0.0; [5] 128.108.22.44 0.0.0.0 16 0 64 - 0.0 0.0 0.0; note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured. Example: Configuring NTP Peers. On SW77503, set the local clock as the NTP master clock at stratum 2. On SW77502, configure SW77501 as the time server in server mode and...
207. ...from the contents of the packet. The following are the UDP packet formats. UDP output packet: Source IP address: 202.38.160.1; Source port: 1024; Destination IP address: 202.38.160.1; Destination port: 4296. Use the debugging tcp packet or debugging tcp transaction command to enable TCP debugging and trace TCP packets. There are two available ways of debugging TCP: (1) Debug and trace the packets of TCP connections that have this device as one end. Operations include: <SW7750> terminal debugging; <SW7750> debugging tcp packet. The TCP packets received or sent can then be checked in real time. The specific packet format is: TCP output packet: Source IP address: 202.38.160.1; Source port: 1024; Destination IP address: 202.38.160.1; Destination port: 4296; Sequence number: 4185089; Ack number: 0; Flag: SYN; Packet length: 60; Data offset: 10. (2) Debug and trace the packets in SYN, FIN or RST state. Operations include: <SW7750> terminal debugging; <SW7750> debugging tcp transaction. The TCP packets received or sent can then be checked in real time, and the specific packet formats are the same as those mentioned above. CHAPTER 4 NETWORK PROTOCOL OPERATION: IP ROUTING PROTOCOL OPERATION. This chapter covers the following topics: IP Routing Protocol Overview; Static Routes; RIP; IP Routing Policy; Route Capacity. IP Routing Protocol Overview: Routers select an appropriate path through a...
208. ...g RADIUS accounting server to the default values. Set the IP address and port number of the secondary RADIUS authentication/authorization server: secondary authentication ip-address [ port-number ]. Restore the IP address and port number of the secondary RADIUS authentication/authorization server to the default values: undo secondary authentication. Set the IP address and port number of the secondary RADIUS accounting server: secondary accounting ip-address [ port-number ]. Restore the IP address and port number of the secondary RADIUS accounting server to the default values: undo secondary accounting. In real networking environments, the above parameters should be set according to the specific requirements. For example, you may specify 4 groups of different data to map to 4 RADIUS servers, or specify one of two servers as the primary authentication/authorization server and secondary accounting server and the other as the secondary authentication/authorization server and primary accounting server. You may also set 4 groups of exactly the same data, so that every server serves as both a primary and a secondary AAA server. To guarantee normal interaction between the NAS and the RADIUS servers, you must guarantee a default route between the RADIUS server and the NAS before setting the IP address and UDP port of the RADIUS server. Because the RADIUS protocol uses different UDP ports to receive/transmit authentication/authorization and accounting packets, you should set two different ports accordingl...
209. ...g Terminal Parameters, p. 27) Perform the following configuration in user view. Table 17 Configure to Send Messages Between User Interfaces. Configure to send messages between different user interfaces: send { all | number | type number }. The auto-execute command is used to run a command automatically after you log in; the command is executed automatically each time you log in again (see Table 18). This command is usually used to execute the telnet command automatically on a terminal, which connects the user to a designated device. Perform the following configuration in user interface view. Table 18 Configure Automatic Command Execution. Configure to automatically run the command: auto-execute command text. Configure not to automatically run the command: undo auto-execute command. CAUTION: After applying the auto-execute command, the user interface can no longer be used to carry out routine configuration of the local system. Make sure that you will be able to log in to the system in some other way and cancel the configuration before you use the auto-execute command and save the configuration. Example: telnet to 10.110.100.1 automatically after the user logs in through VTY0: [SW7750-ui-vty0] auto-execute command telnet 10.110.100.1. When a user logs on through VTY0, the system will run telnet 10.110.100.1 automatically. Displaying and Debugging User Interface: After creating the previous configuration, execu...
210. ...g or Disabling an Interface to Receive NTP Messages. Enable an interface to receive NTP messages: undo ntp-service in-interface disable. Disable an interface from receiving NTP messages: ntp-service in-interface disable. This configuration task must be performed on the interface to be disabled from receiving NTP messages. Setting the Authority to Access a Local Switch: Set the authority to access the NTP services on the local switch. This is a basic security measure. An access request is matched against peer, serve, serve-only and query-only in ascending order of restriction; the first matched authority is granted. Perform the following configurations in system view. Table 331 Setting the Authority to Access a Local Ethernet Switch. Set the authority to access the local Ethernet switch: ntp-service access { query | synchronization | serve | peer } acl-number. Cancel the settings of the authority to access the local Ethernet switch: undo ntp-service access { query | synchronization | serve | peer }. The IP address ACL number is specified through the acl-number parameter and ranges from 2000 to 2999. The meanings of the authority levels are as follows: query: allow control queries for the local NTP service only; synchronization: allow requests for the local NTP time service only; serve: allow local NTP time service requests and control queries, but the local clock will not be synchronized...
211. ...g the RED Operation; Configuring Traffic Statistics; Displaying and Debugging QoS. The 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X SFP I/O modules only support QoS configuration for inbound packets. Setting Port Priority: If the received packets contain no VLAN tags, the switch adds the default VLAN and sets their 802.1p priority levels to the port priority level. Perform the following configurations in Ethernet interface view. Table 169 Setting Port Priority. Set port priority: priority priority-level. Restore the default priority: undo priority. The switch supports eight priority levels, numbered 0 to 7, which you can assign according to your needs. By default, the port priority level is 0. (162 CHAPTER 7 QOS OPERATION) Perform the following two configuration tasks in system view. Setting Port Mirroring: Port mirroring means duplicating the data on the monitored port to the designated monitor port for the purpose of data analysis and supervision. The switch supports many-to-one mirroring, that is, you can duplicate packets from multiple ports to one monitoring port. You can also specify the monitoring direction, for only inbound or only outbound packets. Perform the following configurations in system view. Table 170 Setting Port Mirroring. Set port mirroring: mirroring-group groupid { inbound | outbound } mirroring-port-list &<1-8> mirrored-to monitor-port. Remove port mirrori...
212. ...g the active members and the port through which each member can be reached. (64 CHAPTER 3 VLAN CONFIGURATION) All the switches that support GVRP can distribute their local VLAN registration information to other switches, so that VLAN information is consistent on all GVRP devices in the same network. The VLAN registration information distributed by GVRP includes both the local static registration information that is configured manually and the dynamic registration information learned from other switches. GVRP is described in the IEEE 802.1Q standard. The Switch 7750 fully supports GARP, compliant with the IEEE standards. GVRP configuration steps include the tasks described in the following sections: Enabling or Disabling Global GVRP; Enabling or Disabling Port GVRP; Setting the GVRP Registration Type. When you configure GVRP, you need to enable it globally and on each port participating in GVRP. Similarly, the GVRP registration type can take effect only after you configure port GVRP. In addition, you must configure GVRP on the trunk port. Enabling or Disabling Global GVRP: Use the following commands to enable or disable global GVRP. Perform the following configurations in system view. Table 58 Enabling/Disabling Global GVRP. Enable global GVRP: gvrp. Disable global GVRP: undo gvrp. By default, GVRP is disabled on a port. Enabling or Disabling Port GVRP: Use the following commands to enable or disable GVRP on a port...
213. ...gation; Example: Link Aggregation Configuration. The types of link aggregation are described in the following sections: Manual and Static LACP Aggregation; Dynamic LACP Aggregation. Manual and Static LACP Aggregation: Both manual aggregation and static LACP aggregation require manual configuration of aggregation groups; they prohibit automatic adding or deleting of member ports by the system. A manual or static LACP aggregation group must contain at least one member port, and you must delete the aggregation group instead of the port if the group contains only one port. On a manual aggregation port, LACP is disabled and you are not allowed to enable it. LACP is enabled on a static aggregation port. When a static aggregation group is deleted, its member ports form one or several dynamic LACP aggregation groups, and LACP remains enabled on them. You are not allowed to disable LACP on a static aggregation group. (CHAPTER 2 PORT CONFIGURATION) In a manual or static LACP aggregation group, ports may be in an active or inactive state; however, only the active ports can receive user service packets. The active port with the minimum port number serves as the master port, while the others act as sub-ports. In a manual aggregation group, the system sets the ports to active or inactive state based on these rules: The system sets the port with the highest priority to active state and the others to inactive state, based on the following descen...
214. gnated ports send the configuration BPDUs of their local ports at a regular interval of HelloTime. When a root port receives a configuration BPDU, the switch starts a timer to age that BPDU and increases the MessageAge carried in it according to fixed rules. If a path fails, the root port on that path no longer receives configuration BPDUs and the old configuration BPDU is discarded when it times out. Recalculation of the spanning tree is then initiated to generate a new path that replaces the failed one and restores network connectivity.
The newly recalculated configuration BPDU is not propagated throughout the network immediately, so old root ports and designated ports that have not yet detected the topology change continue to forward data along the old path. If the new root port and designated port began forwarding data immediately after being elected, a transient loop could still occur.
186 CHAPTER 8 STP OPERATION
RSTP therefore adopts a transitional state mechanism to ensure that the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to forward data again. That is, the root port and designated port remain in a transitional state for a period of Forward Delay before they enter the forwarding state.
MSTP Overview
MSTP Concepts
The Switch 7750 implements the Multiple Spanning Tree Protocol (MSTP)
215. guration in VLAN interface view.
Table 86 Specifying the RIP Version of the Interface
Operation                                                  Command
Specify the interface version as RIP-1                     rip version 1
Specify the interface version as RIP-2                     rip version 2 { broadcast | multicast }
Restore the default RIP version running on the interface   undo rip version
By default the interface receives and sends RIP-1 packets. When the interface version is set to RIP-2 it transmits packets in multicast mode.
Configuring RIP Timers
As stipulated in RFC 1058, RIP is controlled by three timers: periodic update, timeout and garbage collection.
- The periodic update timer triggers the sending of all RIP routes to all neighbors.
- If a RIP route has not been refreshed when the timeout timer expires, the route is considered unreachable.
- If the garbage collection timer expires before the unreachable route is refreshed by an update from a neighbor, the route is deleted from the routing table.
Modifying these timers affects the convergence speed of RIP: longer timers keep stale or poisoned routes in the table longer, while shorter timers increase update traffic and the chance of routes flapping on lossy links. Perform the following configuration in RIP view.
Table 87 Configuring RIP Timers
Operation                                  Command
Configure RIP timers                       timers { update update-timer-length | timeout timeout-timer-length } *
Restore the default RIP timer settings     undo timers { update | timeout } *
Modification of the RIP timers takes effect immediately. By default the values of the periodic update and timeout timers are
216. guration in system view.
Table 76 Configuring Whether to Forward Layer 3 Broadcast Packets
Operation                                      Command
Enable forwarding of L3 broadcast packets      ip forward-broadcast
Disable forwarding of L3 broadcast packets     undo ip forward-broadcast
By default L3 broadcast packets are forwarded. Forwarding directed broadcasts lets a remote sender reach every host on a subnet with a single packet, which is the amplification used by smurf-style attacks, so disable it wherever no application depends on it.
Displaying and Debugging IP Performance
After the previous configuration, run the display commands in any view to show the IP performance configuration and verify its effect. Run the debugging commands in user view to debug IP performance.
Table 77 Display and Debug IP Performance
Operation                            Command
Display TCP connection state         display tcp status
Display TCP connection statistics    display tcp statistics
Display IP statistics                display ip statistics
Display ICMP statistics              display icmp statistics
Reset IP statistics                  reset ip statistics
Reset TCP statistics                 reset tcp statistics
Troubleshooting IP Performance
IP Performance 79
If the IP layer works normally but TCP and UDP do not, enable the corresponding debugging output and examine it:
- Use the terminal debugging command to output debugging information to the console.
- Use the debugging udp packet command to enable UDP debugging and trace UDP packets. When the switch sends or receives UDP packets, the contents of each packet are displayed in real time so that you can locate the problem.
217. gurations in system view.
Table 83 Enabling RIP and Entering the RIP View
Operation                              Command
Enable RIP and enter the RIP view      rip
Disable RIP                            undo rip
By default RIP is not enabled.
Enabling the RIP Interface
For flexible control of RIP operation, you specify the interface and configure the network where it is located in the RIP network, so that only those interfaces send and receive RIP packets. Perform the following configurations in RIP view.
Table 84 Enabling the RIP Interface
Operation                                          Command
Enable RIP on the specified network interface      network network-address
Disable RIP on the specified network interface     undo network network-address
After RIP is enabled you must also specify its operating network segment, because RIP only operates on an interface whose network segment has been specified. RIP neither receives nor sends routes on an interface that is not on a specified network, and it does not advertise that interface's route. The network-address parameter is the address of the network being enabled or disabled; it can also be given as the IP address of one of the interfaces. When the network command is used with an address, the effect is to enable the interface that belongs to the classful network containing that address. For example, after network 129.102.1.1 you will see network 129.102.0.0 in the output of either display current-configuration or display rip.
Configuring Unicast RIP Messages
RIP
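As an added example, not part of the 3Com manual or the switch software, the following Python model shows two behaviours described in this section and in Configuring RIP Timers: how the classful network derived from the address given to network (129.102.1.1 becomes 129.102.0.0) decides which interfaces exchange RIP packets, and how a route that stops being refreshed is first marked unreachable when the timeout timer expires and then removed when the garbage-collection timer expires. The class and function names, the sample routes and the timer values (the RFC 1058 defaults of 30, 180 and 120 seconds; the switch's own defaults are not shown on this page) are assumptions made for the example.

```python
import ipaddress

# Added example: a miniature RIP process, not the Switch 7750's implementation.
# Timer values are the RFC 1058 defaults and are an assumption for this model.
UPDATE_TIMER = 30
TIMEOUT_TIMER = 180
GARBAGE_TIMER = 120
RIP_INFINITY = 16


def classful_network(address: str) -> ipaddress.IPv4Network:
    """Return the classful network a RIP `network` statement derives from an address."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        prefix = 8          # class A
    elif first_octet < 192:
        prefix = 16         # class B
    elif first_octet < 224:
        prefix = 24         # class C
    else:
        raise ValueError(f"{address} is not a class A, B or C address")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


class RipProcess:
    def __init__(self):
        self.networks = set()   # classful networks enabled with `network`
        self.routes = {}        # destination -> route state

    def network(self, address: str) -> ipaddress.IPv4Network:
        """Model `network network-address`; returns what `display rip` would show."""
        net = classful_network(address)
        self.networks.add(net)
        return net

    def interface_enabled(self, interface_address: str) -> bool:
        """RIP only sends and receives on interfaces inside an enabled network."""
        ip = ipaddress.IPv4Address(interface_address)
        return any(ip in net for net in self.networks)

    def receive_update(self, destination: str, metric: int, next_hop: str, now: int) -> None:
        """Install or refresh a route learned from a neighbor; metric 16 means unreachable."""
        if metric >= RIP_INFINITY:
            return
        self.routes[destination] = {
            "metric": metric, "next_hop": next_hop,
            "last_update": now, "unreachable_since": None,
        }

    def tick(self, now: int) -> None:
        """Run the timeout and garbage-collection timers up to time `now` (seconds)."""
        for destination, route in list(self.routes.items()):
            if route["unreachable_since"] is None and now - route["last_update"] >= TIMEOUT_TIMER:
                route["metric"] = RIP_INFINITY        # timeout: route becomes unreachable
                route["unreachable_since"] = now
            if route["unreachable_since"] is not None and now - route["unreachable_since"] >= GARBAGE_TIMER:
                del self.routes[destination]          # garbage collection: route removed

    def state(self, destination: str) -> str:
        route = self.routes.get(destination)
        if route is None:
            return "deleted"
        return "unreachable" if route["metric"] == RIP_INFINITY else "reachable"
```

With the defaults, a route last refreshed at second 0 is still reachable at second 179, becomes unreachable (metric 16) at second 180, and is deleted 120 seconds later; an interface such as 129.102.7.9 is enabled by network 129.102.1.1 while 10.1.1.1 is not.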
218. h 7750 starts a response timer that runs until the response to the query is due. If the switch has not received an IGMP report message before the timer expires, it removes the port from the multicast member ports.
The Switch 7750 runs IGMP Snooping to listen to IGMP messages and map each host and its port to the corresponding multicast group address. To implement IGMP Snooping the Switch 7750 processes the different IGMP messages shown in the figure below.
126 CHAPTER 6 MULTICAST PROTOCOL
Figure 30 Implementing IGMP Snooping (a router running IGMP, an Ethernet switch running IGMP Snooping, and the IGMP packets exchanged between them)
IGMP general query message: transmitted by the multicast router to learn which multicast groups have members. When a router port receives an IGMP general query message, the Switch 7750 resets the aging timer of that port. When a port other than a router port receives the IGMP general query message, the Switch 7750 notifies the multicast router that a port is ready to join a multicast group and starts the aging timer for the port.
IGMP specific query message: transmitted from the multicast router to the multicast members to ask whether a specific group still has any member. When it receives an IGMP specific query message, the switch forwards the specific query only to the ports of the IP multicast group that is queried.
IGMP report message: transmitted from the host to the multicast ro
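The port-table logic described above, as an added Python example that is not the Switch 7750's code: a general query refreshes the router port and starts a response timer for every member port, a report adds or refreshes a member port and cancels its pending timer, a specific query is forwarded only to the queried group's ports, and a port that neither reports in time nor is refreshed before its aging timer expires is removed. The port numbers, group address and timer values are constructed for the example.

```python
# Added example: an IGMP Snooping port table, not the Switch 7750's implementation.
# Timer values are assumptions chosen for the model, not values taken from the manual.
ROUTER_PORT_AGING = 260
MEMBER_PORT_AGING = 260
QUERY_RESPONSE_TIME = 10


class IgmpSnoopingSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.router_ports = {}   # port -> aging deadline
        self.members = {}        # group -> {port: aging deadline}
        self.pending = {}        # (group, port) -> deadline to answer a query

    def general_query(self, in_port, now):
        """A general query arrives from the router: the receiving port becomes (or stays)
        a router port and every member port must report before the response timer expires.
        Returns the ports the query is flooded to."""
        self.router_ports[in_port] = now + ROUTER_PORT_AGING
        for group, group_ports in self.members.items():
            for port in group_ports:
                self.pending[(group, port)] = now + QUERY_RESPONSE_TIME
        return sorted(self.ports - {in_port})

    def specific_query(self, in_port, group, now):
        """A group-specific query is forwarded only to the ports that belong to that group."""
        self.router_ports[in_port] = now + ROUTER_PORT_AGING
        targets = sorted(self.members.get(group, {}))
        for port in targets:
            self.pending[(group, port)] = now + QUERY_RESPONSE_TIME
        return targets

    def report(self, in_port, group, now):
        """A host reports membership: map its port to the group and cancel any pending query.
        Returns the router ports the report is forwarded towards."""
        self.members.setdefault(group, {})[in_port] = now + MEMBER_PORT_AGING
        self.pending.pop((group, in_port), None)
        return sorted(self.router_ports)

    def tick(self, now):
        """Expire router ports, unanswered queries and aged-out member ports."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for (group, port), deadline in list(self.pending.items()):
            if deadline <= now:
                del self.pending[(group, port)]
                self.members.get(group, {}).pop(port, None)
        for group in list(self.members):
            self.members[group] = {p: t for p, t in self.members[group].items() if t > now}
            if not self.members[group]:
                del self.members[group]

    def forward_ports(self, group):
        """Ports that receive data for `group`: its member ports plus all router ports."""
        return set(self.members.get(group, {})) | set(self.router_ports)
```

The model keeps router ports in the forwarding set for every group, which is what lets the upstream router still see the traffic; what happens to data for a group with no entry at all (flooding or dropping) is a separate switch policy and is not modelled here.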
219. h 7750 supports several kinds of ACLs.
152 CHAPTER 7 QOS OPERATION
To define an ACL, enter the corresponding ACL view and add rules to it. You can add multiple rules to one ACL. If no time range is specified, the ACL functions as soon as it is activated. While defining the ACL you can use the rule command several times to define multiple rules for it.
If the ACL is used to filter or classify data forwarded by the switch hardware, the match order defined in the acl command is ignored. If the ACL is used to filter or classify data processed by the switch software, you can determine the match order of the ACL rules. Once the match order of an ACL has been specified it cannot be modified. The default match order is config, that is, rules are matched in the order in which the user configured them.
Tasks for defining an ACL are described in the following sections:
- Defining a Basic ACL
- Defining an Advanced ACL
- Defining a Layer 2 ACL
Defining a Basic ACL
The rules of a basic ACL are defined on the basis of the Layer 3 source IP address only. Perform the following configuration in the designated view.
Table 164 Define a Basic ACL
Operation                                        Command
Enter basic ACL view from system view            acl { number acl-number | name acl-name } basic [ match-order { config | auto } ]
Add a rule to the ACL from basic ACL view        rule rule-id { permit | deny } source
220. h an ACL can filter out illegitimate network management users and prevent them from accessing the local switch. The steps for controlling SNMP users with an ACL are described in the following sections:
- Defining an ACL
- Importing an ACL to Control SNMP Users
Defining an ACL
To implement the ACL control function you can only reference a numbered basic ACL in the range 2000 to 2999. Use the configuration commands introduced in Configuring ACL Control for TELNET Users.
Importing an ACL to Control SNMP Users
To control network management users with an ACL, import the defined ACL when configuring the SNMP community name, user name and group name. Perform the following configuration in system view. The ACL restricts only the source address of the request; because SNMP runs over UDP, a source address can be spoofed, so the ACL complements, but does not replace, a non-default community string or SNMPv3 authentication.
Table 188 Import a Numbered Basic ACL
Operation                                                 Command
Import an ACL when configuring the SNMP community name    snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number ]
Import an ACL when configuring the SNMP group             snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
                                                          snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
Import an ACL when configuring the SNMP user              snmp-agent usm-user { v1 | v2c } user-name group
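An added Python example, not code from the manual or the switch, covering both Defining a Basic ACL and Importing an ACL to Control SNMP Users: a numbered basic ACL (2000 to 2999) whose rules match on the source address, evaluated either in configuration order (config) or most-specific-first (auto), and an SNMP agent that consults the ACL bound to a community before accepting a request. The wildcard-mask handling, the refusal to change the match order once rules exist, and the deny action for sources that match no rule are assumptions made for the example; the switch's own behaviour for non-matching sources is not stated on this page.

```python
import ipaddress

# Added example: basic ACL matching with config/auto match order, then the ACL used as
# the source-address filter on an SNMP community. Not the Switch 7750's code; the default
# action for a source that matches no rule is an assumption (deny, the safe choice).


class BasicAcl:
    """Numbered basic ACL (2000-2999): rules match on the Layer 3 source address only."""

    def __init__(self, number, match_order="config"):
        if not 2000 <= number <= 2999:
            raise ValueError("a basic ACL is numbered 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order is config or auto")
        self.number = number
        self.match_order = match_order
        self.rules = []   # (rule_id, action, network or None for 'any')

    def set_match_order(self, match_order):
        # Mirrors the manual: once the ACL has rules its match order cannot be changed.
        if self.rules:
            raise ValueError(f"acl {self.number}: match order cannot be modified after rules exist")
        self.match_order = match_order

    def rule(self, rule_id, action, source=None, wildcard="0.0.0.0"):
        """`rule rule-id {permit|deny} [source addr wildcard]`; no source means any source."""
        if action not in ("permit", "deny"):
            raise ValueError("action is permit or deny")
        network = None
        if source is not None:
            # Wildcard bit 1 = don't care; the netmask is its bitwise complement.
            # Only contiguous wildcards are handled in this model.
            mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
            network = ipaddress.ip_network(f"{source}/{mask}", strict=False)
        self.rules.append((rule_id, action, network))

    def ordered_rules(self):
        if self.match_order == "config":
            return list(self.rules)   # the order the user configured
        # auto: depth-first, the most specific rule (longest netmask) first, 'any' last
        return sorted(self.rules, key=lambda r: -(r[2].prefixlen if r[2] else -1))

    def match(self, source_ip):
        """Return (action, rule_id) of the first matching rule, or (None, None)."""
        ip = ipaddress.IPv4Address(source_ip)
        for rule_id, action, network in self.ordered_rules():
            if network is None or ip in network:
                return action, rule_id
        return None, None


class SnmpAgent:
    def __init__(self, default_action="deny"):
        self.communities = {}       # community name -> (access, acl or None)
        self.default_action = default_action

    def community(self, access, name, acl=None):
        """`snmp-agent community {read|write} name [acl acl-number]`."""
        self.communities[name] = (access, acl)

    def check_request(self, community, source_ip):
        """Return the access granted to a request: 'read', 'write' or 'deny'."""
        if community not in self.communities:
            return "deny"
        access, acl = self.communities[community]
        if acl is None:
            return access
        action, _ = acl.match(source_ip)
        if action is None:
            action = self.default_action
        return access if action == "permit" else "deny"
```

The two overlapping rules used in the test (permit 10.0.0.0/24, then deny host 10.0.0.99) give opposite answers for 10.0.0.99 under config and auto order, which is why the manual stresses that the match order is fixed once chosen.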
221. h or router handles packets on a first in, first out (FIFO) basis. Switches and routers make their best effort to deliver packets to the destination, without committing to or guaranteeing transmission reliability, delay or any other performance requirement.
QoS Concepts
Ethernet is currently the most widely used network technology. It has been the dominant technology of independent local area networks (LANs), and many Ethernet LANs are now part of the Internet. To implement an end-to-end QoS solution across the whole network one must consider how to guarantee Ethernet QoS. This requires Ethernet switching devices to apply Ethernet QoS technology and deliver QoS guarantees at different levels to different types of traffic, especially traffic that requires shorter delay and lower jitter.
Configuring QoS is described in the following sections:
- QoS Concepts
- Configuring QoS
- QoS Configuration Examples
The QoS concepts covered are as follows:
- Traffic
- Traffic Classification
- Packet Filter
- Traffic Policing
- Bandwidth Assurance
- Port Traffic Limit
- Redirection
- Traffic Priority
- Queue Scheduling
- Traffic Mirroring
- Traffic Counting
- RED
Traffic
Traffic refers to all packets passing through a switch.
Traffic Classification
Traffic classification
222. haracter string of the system version shown by display snmp-agent sys-info.
Example SNMP Configuration
A Network Management Station (NMS) and the Ethernet switch are connected over Ethernet. The IP address of the NMS is 129.102.149.23 and the IP address of the VLAN interface on the switch is 129.102.0.1. Perform the following configurations on the switch:
- Set the community name and access authority
- Set the administrator ID, contact and switch location
- Enable the switch to send trap packets
Figure 63 SNMP Configuration Example (NMS 129.102.149.23 and switch VLAN interface 129.102.0.1 connected over Ethernet)
Enter the system view:
<SW7750> system-view
Set the community name, group name and user:
[SW7750] snmp-agent sys-info version all
[SW7750] snmp-agent community write public
[SW7750] snmp-agent mib-view include internet 1.3.6.1
[SW7750] snmp-agent group v3 managev3group write-view internet
[SW7750] snmp-agent usm-user v3 managev3user managev3group
The community string public with write authority, as used in this example, is the universally known default and gives full write access to anyone who can reach the VLAN interface with SNMPv1 or v2c, where the community travels in cleartext. In production replace it with a unique string, bind it to a basic ACL as described in Importing an ACL to Control SNMP Users, or rely on the SNMPv3 user with authentication and privacy rather than enabling all versions.
Set the administrator ID, contact and the physical location of the Ethernet switch:
[SW7750] snmp-agent sys-info contact Mr.Smith-Tel:3306
[SW7750] snmp-agent sys-info location telephone-closet,3rd-floor
Set VLAN interface 2 as the interface used for network management. Add Ethernet port 2/0/3 to VLAN 2 (this port will be used for network management) and set the IP address of VLAN interface 2 to 129.102.0.1:
[SW7750] vlan 2
[SW7750-vlan2] port ethernet 2/0/3
223. he DHCP relay serves as a conduit between a DHCP client and a DHCP server located on different subnets. DHCP packets can be relayed to the destination DHCP server or client across network segments, so DHCP clients on different networks can use the same DHCP server. This is economical and convenient for centralized management.
Configuring DHCP Relay
Figure 20 DHCP Relay Schematic Diagram (DHCP clients on a local segment, the Switch 7750 acting as relay, the intranet, and a remote DHCP server)
When a DHCP client initializes it broadcasts its request packet on the local network segment. If there is a DHCP server on the local network segment, for example the Ethernet on the right side of the figure, the client can be configured directly without a relay. If there is no DHCP server on the local network segment, the DHCP relay processes the received broadcast packets and forwards them to the remote DHCP servers. The server configures the clients based on the information in the DHCP request packet and in the server setup, then transmits the configuration information back to the clients through the DHCP relay, completing the dynamic configuration of the client.
224. he Log
The syslog of the Ethernet switch has six possible output destinations. Use the configuration commands to specify the required channels for syslog output. All information is filtered by the specified channel and then transmitted to the configured destination. You can configure the channel and filtering information for every destination to implement filtering and redirection of different kinds of information. The console, monitor and logging buffer are local to the switch and are lost or can be cleared by whoever controls it, so send at least the security-relevant channel to a loghost as well.
Use the following commands to configure the output channel of the log. Perform the following configuration in system view.
Table 292 Log Output
Operation                                                 Command
Output information to the console                         info-center console channel { channel-number | channel-name }
Disable output to the console                             undo info-center console channel
Output information to the Telnet terminal or monitor      info-center monitor channel { channel-number | channel-name }
Disable output to the Telnet terminal or monitor          undo info-center monitor channel
Output information to the logging buffer                  info-center logbuffer [ size buffersize ] [ channel { channel-number | channel-name } ]
Disable output to the logging buffer                      undo info-center logbuffer [ channel ] [ size ]
Output information to the loghost                         info-center loghost
Disable output to the loghost                             undo info-center loghost
225. he duplex mode and speed with other network devices, which also lets the port select the optimal mode automatically.
- 100BASE-FX MMF Ethernet ports operate in 100 Mbps full duplex mode. The duplex mode can be configured as full (full duplex) or auto (auto-negotiation), and the speed can be set to 100 (100 Mbps) or auto (auto-negotiation).
- 1000BASE-X Gigabit Ethernet ports work in gigabit full duplex mode. The duplex mode can be configured as full (full duplex) or auto (auto-negotiation), and the speed can be set to 1000 (1000 Mbps) or auto (auto-negotiation).
- 10/100/1000BASE-T Gigabit Ethernet ports support MDI/MDI-X auto-sensing; their modes are 1000 Mbps full duplex, 100 Mbps half or full duplex and 10 Mbps half or full duplex. These modules also support auto-negotiation.
- 10GBASE-R XENPAK 10 Gigabit Ethernet ports work in 10 gigabit full duplex mode. The duplex mode can be configured as full (full duplex) or auto (auto-negotiation), and the speed can be set to 10000 (10000 Mbps) or auto (auto-negotiation).
Configuring an Ethernet Port Overview is described in the following sections:
- Configuring Ethernet Ports
- Example: Configuring the Default VLAN ID of the Trunk Port
- Troubleshooting VLAN Port Configuration
Tasks for configuring Ethernet ports are described in the following sections:
- Entering Ethernet Port View
- Enabling and Disabling Ethernet Ports
- Setting the Description Character String for an Ethernet Port
- Setting the Duplex Attribute of the Ethernet Port
- Set
226. he same segments, SW77501 cannot receive the multicast packets from SW77503, while SW77504 is synchronized by SW77503 after receiving its multicast packet.
Example: Configuring Authentication-Enabled NTP Server Mode
SW77501 sets its local clock as the NTP master clock at stratum 2. SW77502 sets SW77501 as its time server in server mode, with itself in client mode, and enables authentication. See Figure 66.
Configure Ethernet Switch SW77501
Enter system view:
<SW77501> system-view
Set the local clock as the master NTP clock at stratum 2:
[SW77501] ntp-service refclock-master 2
Configure Ethernet Switch SW77502
Enter system view:
<SW77502> system-view
Set SW77501 as the time server:
[SW77502] ntp-service unicast-server 1.0.1.11
Enable authentication:
[SW77502] ntp-service authentication enable
Set the key:
[SW77502] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
Declare the key as reliable (trusted):
[SW77502] ntp-service reliable authentication-keyid 42
The previous steps are meant to synchronize SW77502 from SW77501. Because SW77501 has not enabled authentication, it cannot yet synchronize SW77502. Perform the following additional configuration on SW77501.
Enable authentication:
[SW77501] ntp-service authentication enable
Set the key:
[SW77501] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
Configure the key as reliable:
[SW77501] ntp-service reliable authentication-keyid 42
Both switches must hold the same key under the same key ID and declare it reliable; a key that is configured but not declared reliable is not used to authenticate the peer. The protection is only as strong as the secrecy of the key string, since anyone who learns aNiceKey can serve false time to SW77502.
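To make the failure mode of this example concrete, the following added Python code (not the switch's implementation, and not part of the manual) plays the client side of NTP symmetric-key authentication: a 48-byte NTP header is followed by a 20-byte authenticator made of the 4-byte key ID and the MD5 digest of the key concatenated with the packet. The client accepts a response only if the key ID is configured, declared reliable, and the digest verifies, so an unauthenticated reply from a server that has not enabled authentication, a reply made with a different key, and a reply under a key ID that is configured but not reliable are all rejected. The header fields, key ID 42 and key aNiceKey mirror the example; the helper names are assumptions.

```python
import hashlib
import hmac
import struct

# Added example: NTP symmetric-key (MD5) authentication as checked by the client.
# The header fields are constructed for the example; the MAC layout (key ID followed by
# MD5 over key || packet) is the NTPv3/v4 symmetric-key scheme, not code from the switch.


def build_ntp_header(stratum, mode, ref_id=b"LOCL"):
    """48-byte NTP header: LI=0, VN=3, the given mode; timestamps are constructed zeros."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode
    return struct.pack("!BBbb4s4s4s8s8s8s8s", li_vn_mode, stratum, 0, -20,
                       b"\x00" * 4, b"\x00" * 4, ref_id,
                       b"\x00" * 8, b"\x00" * 8, b"\x00" * 8, b"\x00" * 8)


def authenticate(packet, key_id, key):
    """Server side: append the authenticator, 4-byte key ID plus MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message, keys, reliable_key_ids):
    """Client side. `keys` maps key ID -> key bytes (ntp-service authentication-keyid);
    `reliable_key_ids` is the set declared with ntp-service reliable authentication-keyid.
    Returns (accepted, reason)."""
    if len(message) < 48 + 20:
        return False, "no authenticator"
    packet, mac = message[:48], message[48:68]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in reliable_key_ids:
        return False, "key id not reliable"
    expected = hashlib.md5(keys[key_id] + packet).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "bad digest"
    return True, "ok"
```

The constant-time comparison matters less for a 16-byte MD5 digest than the key handling does: the example shows why the manual has you enable authentication and declare the key reliable on both sides, because a client configured with key 42 silently drops every reply that is not signed with it.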
227. her password
Table 233 Set/Remove the Attributes of a Specified User
Operation                                            Command
Remove the password set for the specified user       undo password
Set the state of the specified user                  state { active | block }
Restore the default state of the specified user      undo state { active | block }
Set a service type for the specified user            service-type { ftp [ ftp-directory directory ] | lan-access | telnet [ level level ] | level level }
Cancel the service type of the specified user        undo service-type { ftp [ ftp-directory ] | lan-access | telnet [ level ] | level }
Configure the attributes of lan-access users         attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum } } *
Remove the attributes defined for lan-access users   undo attribute { ip | mac | idle-cut | access-limit | vlan | location } *
Disconnecting a User by Force
Sometimes it is necessary to disconnect a user or a category of users by force, for example when an account is found to be compromised. The system provides the following command for this purpose. Perform the following configuration in system view.
Table 234 Disconnect a User by Force
Operation                     Command
Disconnect a user by force    cut connection { all | access-type dot1x gcm | domain domain-name | interface portnum
228. hich they are associated
CONTENTS
ABOUT THIS GUIDE
Conventions 9
SYSTEM ACCESS
Product Overview 11
Features 11
Configuring the Switch 7750 12
Setting Terminal Parameters 13
Configuring Through Telnet 16
Configuring Through a Dial-up Modem 18
Configuring the User Interface 20
Command Line Interface 28
Command Line View 28
Features and Functions of the Command Line 31
PORT CONFIGURATION
Ethernet Port Overview 35
Configuring Ethernet Ports 35
Troubleshooting VLAN Port Configuration 42
Configuring Link Aggregation 42
Types of Link Aggregation 43
Load Sharing 45
Configuring Link Aggregation 46
VLAN CONFIGURATION
VLAN Overview 53
Configuring VLANs 53
Common VLAN Configuration Tasks 54
Configuring Port-Based VLANs 57
Configuring Protocol-Based VLANs 57
Configuring GARP/GVRP 61
Configuring GVRP 63
NETWORK PROTOCOL OPERATION
Configuring IP Address 67
Subnet and Mask 68
Configuring an IP Address 68
Troubleshooting an IP Address Configuration 70
Configuring Address Resolution Protocol (ARP) 70
Configuring ARP 71
DHCP Relay 72
Configuring DHCP Relay 73
Troubleshooting a DHCP Relay Configuration 76
IP Performance 77
Configuring TCP Attributes 77
Configuring Special IP Packet Transmission to the CPU 77
Configuring L3 Broadcast Forwarding 78
Displaying and Debugging IP Performance 78
Troubleshooting IP Performance 79
IP ROUTING PROTOCOL OPERATION
IP Routing Protocol Overview 81
Selecting Routes Thr
229. his example, clients on VLAN 2 receive IP addresses from the servers in DHCP server group 1 (VLAN 4000), and clients on VLAN 3 receive IP addresses from the servers in DHCP server group 2 (VLAN 3001).
Show the configuration of the DHCP server groups in user view:
<SW7750> display dhcp-server 1
Show the DHCP server group number corresponding to a VLAN interface in user view:
<SW7750> display dhcp-server interface vlan-interface 2
<SW7750> display dhcp-server interface vlan-interface 3
Perform the following procedure if a user cannot obtain an IP address dynamically:
1. Use the display dhcp-server groupNo command to check whether the IP address of the corresponding DHCP server has been configured.
2. Use the display vlan and display ip commands to check whether the VLAN and the corresponding interface IP address have been configured.
3. Ping the configured DHCP server to ensure that the link is up.
4. From the DHCP server, ping the IP address of the VLAN interface of the switch to which the DHCP user is connected, to make sure that the DHCP server has a route to the network segment the user is on. If the ping fails, check whether the default gateway of the DHCP server has been configured as the address of the VLAN interface it is located on.
5. If no problems are found in the last two steps, use the display dhcp-server groupNo command to view the packets that have been received. If you only see the Discover pack
230. icast Overview 113
Multicast routing creates a loop-free data transmission path from one data source to multiple receivers. The task of a multicast routing protocol is to create this distribution tree. A multicast router can use several methods to build the path for data transmission, that is, the distribution tree.
PIM-DM
Protocol Independent Multicast, Dense Mode (PIM-DM) is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source, so multicast packets are flooded to all points of the network, consuming bandwidth and router CPU. To reduce the consumption of these resources, branches that have no members send Prune messages toward the source to cut off the unwanted traffic. So that receivers can still receive multicast data streams, pruned branches are restored periodically to the forwarding state. To reduce latency, PIM-DM uses the graft mechanism to actively restore multicast packet forwarding when a new member appears on a pruned branch. Periodic flooding and pruning are the characteristics of PIM-DM, and because any source can trigger a flood to the whole domain, dense mode is best confined to networks where every attached host is trusted.
Generally the forwarding path in dense mode is a source tree rooted at the source with the multicast members as its branches. Because the source tree uses the shortest path between the multicast source and the receivers, it is also called the shortest path tree (SPT).
PIM-SM
Protocol
231. ies From the Core Multicast Routing Table
You can clear route entries from the core multicast routing table, as well as MFC forwarding entries, using the reset multicast routing-table command. Perform the following configuration in user view.
Table 119 Clear Routing Entries of the Multicast Routing Table
Operation                                              Command
Clear routing entries of the multicast routing table   reset multicast routing-table { all | { group-address [ mask { group-mask | group-mask-length } ] | source-address [ mask { source-mask | source-mask-length } ] | incoming-interface interface-type interface-number } * }
Configuring IGMP
Displaying and Debugging Common Multicast Configuration
After the previous configurations, execute the display commands to view the multicast configuration and verify it. Execute the debugging commands in user view to debug multicast.
Table 120 Display and Debug Common Multicast Configuration
Operation                                   Command
Display the multicast routing table         display multicast routing-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ] *
Display the multicast forwarding table      display multicast forwarding-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { interface-type interface-number | register } ] *
Display the RP
232. igh security requirements.
- MD5 authentication: this mode uses two packet formats. One follows RFC 1723 (RIP Version 2 Carrying Additional Information), the other follows RFC 2082 (RIP-2 MD5 Authentication).
Perform the following configuration in VLAN interface view.
Table 92 Setting RIP-2 Packet Authentication
Operation                                                                    Command
Configure RIP-2 simple authentication                                        rip authentication-mode simple password-string
Configure RIP-2 MD5 authentication with the packet type following RFC 1723   rip authentication-mode md5 usual key-string
Configure RIP-2 MD5 authentication with the packet type following RFC 2082   rip authentication-mode md5 nonstandard key-string key-id
Cancel authentication of RIP-2 packets                                       undo rip authentication-mode
The usual packet format follows RFC 1723 and the nonstandard format follows RFC 2082. Simple authentication carries the password in cleartext in every RIP-2 packet, so it only prevents accidental adjacencies; use MD5 authentication on any segment an attacker could reach, and bear in mind that MD5 authentication proves the sender knows the key but does not hide the routes themselves.
Configuring Split Horizon
Split horizon means that a route received through an interface is not advertised back out through that same interface. Split horizon reduces the generation of routing loops, but in some special cases it must be disabled to obtain correct advertising, at the cost of efficiency. Disabling split horizon has no effect on P2P
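The following added Python example, which is not the switch's implementation or part of the manual, builds the two kinds of authenticated RIP-2 Response described above so that the difference is visible in bytes: with simple authentication the 16-byte password sits in the first route entry in the clear, while with MD5 authentication the packet carries a type-3 authentication entry (packet length, key ID, sequence number) and a trailer holding the MD5 digest of the packet with the zero-padded key appended, as RFC 2082 lays it out. The receiver rejects a wrong key, a modified metric and a replayed sequence number. The distinction between the usual and nonstandard formats is not modelled; the route entries, key ID and key are constructed, and the exact trailer layout is my reading of RFC 2082 rather than anything stated on this page.

```python
import hashlib
import hmac
import struct

# Added example: RIP-2 simple-password vs. MD5 (RFC 2082 style) authentication.
# Packet contents, key id and sequence numbers are constructed for the example;
# this is not the Switch 7750's implementation of either mode.

HEADER = struct.pack("!BBH", 2, 2, 0)          # command=Response, version=2, must be zero


def rte(prefix, mask, next_hop, metric):
    """A 20-byte RIP-2 route entry (address family 2 = IP, route tag 0)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HH4s4s4sI", 2, 0, ip(prefix), ip(mask), ip(next_hop), metric)


def rip_simple(entries, password):
    """Simple authentication: the 16-byte password travels in the clear in every packet."""
    auth = struct.pack("!HH16s", 0xFFFF, 2, password.ljust(16, b"\x00"))
    return HEADER + auth + b"".join(entries)


def rip_md5(entries, key_id, key, sequence):
    """MD5 authentication: type-3 auth entry + entries + trailer (0xFFFF/0x0001 + digest).
    The digest is computed over the packet with the key, zero-padded to 16 bytes, appended
    where the digest will go (RFC 2082 layout, as assumed for this example)."""
    body_len = len(HEADER) + 20 + 20 * len(entries)           # offset of the trailer
    auth = struct.pack("!HHHBBI8s", 0xFFFF, 3, body_len, key_id, 16, sequence, b"\x00" * 8)
    body = HEADER + auth + b"".join(entries) + struct.pack("!HH", 0xFFFF, 1)
    digest = hashlib.md5(body + key.ljust(16, b"\x00")).digest()
    return body + digest


def verify_md5(packet, keys, last_sequence):
    """Receiver check: known key id, intact packet under that key, non-decreasing sequence.
    Returns (accepted, reason, sequence)."""
    family, auth_type, body_len, key_id, auth_len, sequence = struct.unpack("!HHHBBI", packet[4:16])
    if family != 0xFFFF or auth_type != 3 or auth_len != 16:
        return False, "not an MD5-authenticated packet", None
    if key_id not in keys:
        return False, "unknown key id", None
    body, digest = packet[:body_len + 4], packet[body_len + 4:body_len + 20]
    expected = hashlib.md5(body + keys[key_id].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest", None
    if sequence < last_sequence:
        return False, "replayed sequence", None
    return True, "ok", sequence
```

Because the sequence number is inside the digested part of the packet, an attacker cannot bump it without the key; the receiver has to remember the last accepted sequence per neighbor for the replay check to mean anything, which is the one piece of state the example leaves to the caller.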
233. imer. By default the RADIUS server response timeout is 3 seconds.
Setting a Real-time Accounting Interval
To implement real-time accounting it is necessary to set a real-time accounting interval. After this attribute is set, the NAS transmits the accounting information of online users to the RADIUS server at that interval. Use the following command to set the real-time accounting interval. Perform the following configuration in RADIUS scheme view.
Table 2-33 Setting a real-time accounting interval
Operation                                     Command
Set a real-time accounting interval           timer realtime-accounting minute
Restore the default value of the interval     undo timer realtime-accounting
minute specifies the real-time accounting interval in minutes and must be a multiple of 3. The value of minute is related to the performance of the NAS and the RADIUS server: the smaller the value, the higher the performance required of both. When there is a large number of users (1000 or more) a larger value is suggested. The following table gives the recommended ratio of the minute value to the number of users.
Table 2-34 Recommended ratio of minute to number of users
Number of users    Real-time accounting interval (minutes)
1 to 99            3
100 to 499         6
500 to 999         12
1000 or more       15
By default minute is set to 12 minutes.
Configuring the RADIUS Server Response Timer
If the NAS receives no response from the RADIUS server afte
234. inform its peer to pause sending packets. Once the peer switch receives this message it pauses packet sending, and vice versa. In this way packet loss is effectively reduced. Flow control on an Ethernet port can be enabled or disabled with the following command. Perform the following configuration in Ethernet port view.
Table 31 Set Flow Control for an Ethernet Port
Operation                             Command
Enable Ethernet port flow control     flow-control
Disable Ethernet port flow control    undo flow-control
By default Ethernet port flow control is disabled.
Permitting/Forbidding Jumbo Frames on the Ethernet Port
Using the jumboframe enable command you can allow jumbo frames (1523 to 9216 bytes) to pass through the specified Ethernet port. Packets up to 1522 bytes, including the IEEE 802.1Q tag, are always allowed to pass through Ethernet ports. Jumbo frames are only allowed for Ethernet Type II frames. Most network equipment, including NICs, switches and routers, does not support jumbo frames and will discard such packets. Perform the following configuration in Ethernet port view.
Table 32 Permitting/Forbidding Jumbo Frames to Pass Through the Ethernet Port
Operation                                               Command
Permit jumbo frames to pass through the Ethernet port   jumboframe enable [ jumboframe-value ]
Forbid jumbo frames to pass through the Ethernet port   undo jumboframe enable
By default jumbo frames are disabled.
Setting
235. information, it must import only the information that meets its conditions. To implement a routing policy you define a set of rules by specifying the characteristics of the routing information to be filtered. You can set the rules based on attributes such as the destination address and source address of the information. The rules can be set in advance and then used in the routing policy to advertise, receive and import route information.
Configuring IP Routing Policy is described in the following sections:
- Routing Information Filters
- Configuring an IP Routing Policy
- Troubleshooting Routing Policies
- Configuring Route Capacity
The Switch 7750 supports four kinds of filters: route-policy, acl, ip-prefix and community-list. The following sections introduce these filters:
- Route Policy
- ACL
- IP Prefix
Route Policy
A route policy is used to match given routing information against certain attributes and, if the conditions are satisfied, to set attributes of that information. A route policy can include multiple nodes. Each node is a unit for match testing, and the nodes are evaluated in sequence-number order. Each node includes a set of if-match and apply clauses. The if-match clauses define the matching rules, and the objects matched are attributes of the routing information. The if-match clauses of a node are combined with a Boolean AND, so a match is found only if all the matching conditions
236. ing
Configure the secondary TACACS accounting server    secondary accounting ip-address [ port ]
Delete the secondary TACACS accounting server       undo secondary accounting
The primary and secondary accounting servers cannot use the same IP address. The default port number is 49. If you execute this command repeatedly, the new settings replace the old ones.
Enabling Stop-Accounting Packet Retransmission
Perform the following configuration in HWTACACS view.
Table 2-41 Configuring stop-accounting packet retransmission
Operation                                                                                          Command
Enable stop-accounting packet retransmission and set the maximum number of transmission attempts   retry stop-accounting retry-times
Disable stop-accounting packet retransmission                                                      undo retry stop-accounting
Clear the stop-accounting request packets that have received no response                           reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
By default stop-accounting packet retransmission is enabled and the maximum number of transmission attempts is 300. Keep retransmission enabled: a stop-accounting record that never reaches the server leaves the session looking open in the accounting log, which distorts any later investigation of who was logged in when.
2.4.6 Configuring the Source Address for HWTACACS Packets Sent by the NAS
Perform the following configuration in the corresponding view.
Table 2-42 Configuring the source address for HWTACACS packets sent by the NAS
Operation                                                                             Command
Configure the source address for HWTACACS packets sent from the NAS (HWTACACS view)   nas-ip ip-address
Delete the configured source address for HWTACACS packets sent from the NAS
237. …ing 802.1x access control method on the specified port. When no port is specified in system view, the access control method of the port is configured globally. Perform the following configurations in system view or Ethernet port view.
Table 220 Set Port Access Control Method
- Set port access control method: dot1x port-method { macbased | portbased } [ interface interface-list ]
- Restore the default port access control method: undo dot1x port-method [ interface interface-list ]
By default, the 802.1x authentication method on the port is MAC-based, that is, authentication is performed based on MAC addresses.

Checking the Users that Log on the Switch by Proxy
The following commands are used for checking the users that log on by proxy. Perform the following configurations in system view or Ethernet port view.
Table 221 Check the Users that Log on the Switch by Proxy
- Enable the check for access users by proxy: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
- Cancel the check for access users by proxy: undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

Setting Number of Users on a Port
The following commands are used for setting the number of users allowed by 802.1x on a specified port. When no port is specified, all the ports accept the same number of users. Perfo…
238. …ing configuration in system view.
Table 265 Configure the FTP Server Authentication and Authorization
- Create a new local user and enter local user view (system view): local-user username
- Delete a local user (system view): undo local-user { username | all [ service-type ftp ] }
- Configure a password for the local user (local user view): password { cipher | simple } password
- Configure the service type for the local user (local user view): service-type ftp [ ftp-directory directory ]
- Cancel the password for the local user (local user view): undo password
- Cancel the service type for the local user (local user view): undo service-type ftp [ ftp-directory ]
Only clients who have passed authentication and authorization successfully can access the FTP server.

248 CHAPTER 11 SYSTEM MANAGEMENT

Configuring FTP Server Parameters
You can use the following commands to configure the connection timeout of the FTP server. If the FTP server does not receive a service request from the FTP client for a period of time, it cuts the connection to it, thereby avoiding illegal access by unauthorized users. Perform the following configuration in system view.
Table 266 Configure FTP Server Connection Timeout
- Configure the FTP server connection timeout: ftp timeout minute
- Restore the default FTP server connection timeout: undo ftp timeout
By default, the FTP server connection timeout is 30 minutes.

Displaying and Debugging the FTP…
239. …ing pim sm { all | mbr | register | proxy | mrt | timer | warning | recv | send | assert | graft | graft-ack | join | prune }
undo debugging pim sm { all | mbr | register | proxy | mrt | timer | warning | recv | send | assert | graft | graft-ack | join | prune }

Host A is the receiver of the multicast group at 225.0.0.1. Host B begins transmitting data destined to 225.0.0.1. Switch A receives the multicast data from Host B by Switch B.

Figure 35 PIM-SM Configuration Networking (figure not reproduced: Host A, Host B, Switch A and Switch B connected through VLAN 10, VLAN 11 and VLAN 12)

Configure Switch A
1 Enable PIM-SM.
[SW7750] multicast routing-enable
[SW7750] vlan 10
[SW7750-vlan10] port Ethernet 1/0/2 to Ethernet 1/0/3
[SW7750-vlan10] quit
[SW7750] interface vlan-interface 10
[SW7750-vlan-interface10] pim sm
[SW7750-vlan-interface10] quit
[SW7750] vlan 11
[SW7750-vlan11] port Ethernet 1/0/4 to Ethernet 1/0/5
[SW7750-vlan11] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 11
[SW7750-vlan-interface11] pim sm
[SW7750-vlan-interface11] quit
[SW7750] vlan 12
[SW7750-vlan12] port Ethernet 1/0/6 to Ethernet 1/0/7
[SW7750-vlan12] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 12
[SW7750-vlan-interface12] pim sm
[SW7750-vlan-interface12] quit

Configure Switch B
1 Enable PIM-SM.
[SW7750] multicast routing-enable
[SW7750] vlan 10
[SW7750-vlan10] port Ethernet 1/0/2 to Ethernet 1/0/3…
240. …ing the quiet timer for the primary TACACS server. Perform the following configuration in HWTACACS view.
Table 253 Setting the quiet timer for the primary TACACS server
- Set the quiet timer for the primary TACACS server: timer quiet minutes
- Restore the default setting: undo timer quiet
By default, the primary TACACS server must wait five minutes before it can resume the active state.

Setting a real-time accounting interval
Setting a real-time accounting interval is necessary for real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the TACACS accounting server periodically. Perform the following configuration in HWTACACS view.
Table 254 Setting a real-time accounting interval
- Set a real-time accounting interval: timer realtime-accounting minutes
- Restore the default real-time accounting interval: undo timer realtime-accounting
The interval is in minutes and must be a multiple of 3. The choice of real-time accounting interval depends somewhat on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). The following table lists the numbers of users and the recommended intervals.
Table 255 Numbers of users and the recommended intervals
Number of users | Real…
241. …ink-group { acl-number | acl-name } [ rule rule ]
For details about the command, see the Switch 7750 Command Reference Guide.

Setting Line Limit
Line limit refers to limiting the total rate at the port. The adjustment step for the line rate of the Switch 7750 is 1 Mbps. Perform the following configurations in QoS view.
Table 178 Setting the Line Rate
- Set the line limit: line-rate target-rate
- Remove the line limit: undo line-rate
You can set the line limit at a single port.

Setting Traffic Bandwidth
You can set the desired traffic bandwidth to ensure target services. Perform the following configurations in QoS view.
Table 179 Setting Traffic Bandwidth
- Set traffic bandwidth: traffic-bandwidth outbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] } min-guaranteed-bandwidth max-guaranteed-bandwidth weight
- Remove the traffic bandwidth setting: undo traffic-bandwidth outbound { ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }

Setting Traffic Redirection
Traffic redirection refers to changing the packet forwarding direction, that is, forwarding packets to the CPU or to other ports. Perform the following configurations in QoS view.
Table 180 Setting Traffic Redirection
- Set traffic redirection: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]…
242. …ion
- Import routes of other protocols: import-route protocol [ med med | cost cost | tag value | type { 1 | 2 } | route-policy route-policy-name ]
- Do not import routes of other protocols: undo import-route protocol
By default, the routes discovered by other protocols are not imported. The parameter options differ between routing protocol views. For details, refer to the description of the import-route command for each protocol.

Defining IP Prefix
A prefix list is identified by its IP prefix name. Each IP prefix list can include multiple items, and each item specifies a matching range in the form of a network prefix. The index-number parameter specifies the matching sequence within the prefix list. Perform the following configurations in system view.
Table 104 Defining Prefix list
- Define a prefix list: ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network len [ greater-equal greater-equal ] [ less-equal less-equal ]
- Remove a prefix list: undo ip ip-prefix ip-prefix-name [ index index-number ] [ permit | deny ]
During matching, the router checks the list items identified by index number in ascending order. As soon as one list item meets the condition, the route has passed the ip-prefix filtering and is not tested against the next list item. If more than one IP prefix item is defined, then the match mode of at least one list item should be permit…
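The ip-prefix matching rule described above, as an added reference model (example code, not part of the manual or the switch firmware): items are tested in ascending index order, the first item whose prefix and length range match decides the result, and a list with no matching item rejects the route, which is what the requirement that at least one item be permit implies. The class names PrefixItem and PrefixList, the constructed sample routes, and the length-range rules (no greater-equal/less-equal means an exact length match, greater-equal alone extends to /32) are assumptions of this example, not statements from the page.

```python
"""Reference model of 'ip ip-prefix' filtering (added example, not from the manual)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrefixItem:
    index: int                            # index-number: tested in ascending order
    permit: bool                          # permit or deny
    network: str                          # network
    length: int                           # len
    greater_equal: Optional[int] = None   # greater-equal: minimum prefix length
    less_equal: Optional[int] = None      # less-equal: maximum prefix length

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """The route's first `len` bits must equal the item's network, and its
        prefix length must lie in [lo, hi] (assumed range rules, see lead-in)."""
        item_net = ipaddress.ip_network(f"{self.network}/{self.length}", strict=False)
        lo = self.length if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            hi = self.less_equal
        elif self.greater_equal is not None:
            hi = 32
        else:
            hi = self.length                # neither keyword: exact length only
        return route.subnet_of(item_net) and lo <= route.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.items: List[PrefixItem] = []

    def add_cli(self, line: str) -> PrefixItem:
        """Parse one command in the Table 104 syntax and add it to the list.
        An omitted index is assigned as last index + 10 (constructed convention)."""
        tok = line.split()
        if tok[:2] != ["ip", "ip-prefix"] or tok[2] != self.name:
            raise ValueError(f"not an 'ip ip-prefix {self.name}' command: {line}")
        pos, index = 3, None
        if tok[pos] == "index":
            index, pos = int(tok[pos + 1]), pos + 2
        if tok[pos] not in ("permit", "deny"):
            raise ValueError(f"expected permit or deny, got {tok[pos]!r}")
        permit, pos = tok[pos] == "permit", pos + 1
        network, length, pos = tok[pos], int(tok[pos + 1]), pos + 2
        ge = le = None
        while pos + 1 < len(tok):
            if tok[pos] == "greater-equal":
                ge = int(tok[pos + 1])
            elif tok[pos] == "less-equal":
                le = int(tok[pos + 1])
            else:
                raise ValueError(f"unexpected keyword {tok[pos]!r}")
            pos += 2
        if pos != len(tok):
            raise ValueError(f"trailing token {tok[pos]!r}")
        if index is None:
            index = max((i.index for i in self.items), default=0) + 10
        item = PrefixItem(index, permit, network, length, ge, le)
        # Re-using an index replaces the earlier item; keep ascending order.
        self.items = sorted([i for i in self.items if i.index != index] + [item],
                            key=lambda i: i.index)
        return item

    def filter(self, route_str: str) -> bool:
        """True if the route passes the prefix list (first matching item decides)."""
        route = ipaddress.ip_network(route_str, strict=False)
        for item in self.items:
            if item.matches(route):
                return item.permit        # later items are not tested
        return False                      # no item matched: the route does not pass


def demo() -> Dict[str, bool]:
    """Constructed sample: deny the /24-and-longer routes under 10.1.0.0/16,
    permit everything else in 10.0.0.0/8 up to /24."""
    pl = PrefixList("p1")
    pl.add_cli("ip ip-prefix p1 index 10 deny 10.1.0.0 16 greater-equal 24")
    pl.add_cli("ip ip-prefix p1 index 20 permit 10.0.0.0 8 less-equal 24")
    routes = ["10.1.2.0/24", "10.1.0.0/16", "10.2.3.0/24", "10.2.3.0/25", "192.168.0.0/16"]
    return {r: pl.filter(r) for r in routes}


if __name__ == "__main__":
    for route, passed in demo().items():
        print(f"{route:18} {'permit' if passed else 'deny'}")
```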
243. …ion information to the RADIUS server in the form of EAP packets directly, so that the RADIUS server never supports EAP authentication. Perform the following configurations in system view.
Table 224 Configure the Authentication Method for 802.1x Users
- Configure the authentication method for 802.1x users: dot1x authentication-method { chap | pap | eap md5-challenge }
- Restore the default authentication method for 802.1x users: undo dot1x authentication-method

Setting the Maximum Retransmission Times
The following commands are used for setting the maximum number of authenticator-to-supplicant frame retransmissions. Perform the following configurations in system view.
Table 225 Set the Maximum Retransmission Times
- Set the maximum retransmission times: dot1x retry max-retry-value
- Restore the default maximum retransmission times: undo dot1x retry
By default, the max-retry-value is 3. That is, the switch can retransmit the authentication request frame to a supplicant 3 times at most.

Configuring Timers
The following commands are used for configuring the 802.1x timers. Perform the following configurations in system view.
Table 226 Configure Timers
- Configure timers: dot1x timer { quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
- Restore de…
244. …ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }
By default, no online user is disconnected by force.

Configuring the RADIUS Protocol
On the Switch 7750, the RADIUS protocol is configured on a per-RADIUS-server-group basis. In a real networking environment, a RADIUS server group can be an independent RADIUS server or a set of primary/secondary RADIUS servers with the same configuration but two different IP addresses. The attributes of every RADIUS server group include the IP addresses of the primary and secondary servers, the shared key, the RADIUS server type, etc. RADIUS protocol configuration only defines the parameters needed for interaction between the NAS and the RADIUS server. To make these parameters effective, you must configure, in ISP domain view, an ISP domain to use the RADIUS server group and specify that it uses RADIUS AAA schemes. For more about the configuration commands, refer to Configuring AAA.

Configuring the RADIUS Protocol 221

Tasks for configuring RADIUS are described in the following sections:
- Creating/Deleting a RADIUS Server Group
- Setting the IP Address and Port Number of the RADIUS Server
- Setting the RADIUS Packet Encryption Key
- Setting the Response Timeout Timer of the RADIUS Server
- Setting Retransmission Times of the RADIUS Request Packet
- Enabling the Selection of the RADIUS Accounting Option
- Setting a Real-tim…
245. …is case, if you want to issue a certain VLAN through GVRP on the network, you should make sure that the VLAN is mapped to the CIST when configuring the VLAN mapping table of MSTP. The CIST is spanning tree instance 0. The MST region that a switch belongs to is determined by the configuration of the region name, the VLAN mapping table and the MSTP revision level. You can perform the following configurations to put a switch into an MST region. Tasks for configuring the MST Region for a Switch are described in the following sections:
- Entering MST region view
- Configuring the MST Region
- Activating the MST Region Configuration and Exiting the MST Region View

Entering MST region view
Perform the following configuration in system view.
Table 189 Enter MST Region View
- Enter MST region view from system view: stp region-configuration
- Restore the default settings of the MST region: undo stp region-configuration

Configuring the MST Region
Perform the following configuration in MST region view.
Table 190 Configure the MST Region for a Switch
- Configure the MST region name: region-name name
- Restore the default MST region name: undo region-name
- Configure the VLAN mapping table: instance instance-id vlan vlan-list
- Restore the default VLAN mapping table: undo instance
- Configure the MSTP revision level of the MST region: revision-level level
- Restore the MSTP revision…
246. …isable the output of the timestamp field: undo info-center timestamp { log | trap | debugging }

264 CHAPTER 11 SYSTEM MANAGEMENT

Configuring the Info-center Loghost
This configuration is performed on the info-center loghost. The following configuration example is implemented on SunOS 4.0. The configurations on the Unix operating systems of other vendors are similar.
Perform the following commands with the identity of root:
# mkdir /var/log/SW7750
# touch /var/log/SW7750/config
# touch /var/log/SW7750/security
Edit the file /etc/syslog.conf with the identity of root and add the following selector/action pairs:
# SW7750 configuration messages
local4.crit	/var/log/SW7750/config
# SW7750 security messages
local5.notice	/var/log/SW7750/security
Pay attention to the following points when editing the file /etc/syslog.conf:
- The description must start on a fresh line and begin with a pound key (#).
- Use a tab character, not spaces, to separate the selector/action pairs.
- No redundant spaces should be left after the name of the file.
When the log files config and security are created and the file /etc/syslog.conf is modified, perform the following commands to send a HUP signal to the system daemon syslogd so that syslogd reads the configuration file /etc/syslog.conf again:
# ps -ae | grep syslogd
147
# kill -HUP 147
After the operations are performed, the system can record information in the…
247. …isplay command to view the SNMP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the SNMP configuration.
Table 312 Displaying and Debugging SNMP
- Display the statistics information about SNMP packets: display snmp-agent statistics
- Display the engine ID of the active device: display snmp-agent { local-engineid | remote-engineid }
- Display the group name, the security mode, the states for all types of views and the storage mode of each group of the switch: display snmp-agent group
- Display the names of all users in the group user table: display snmp-agent usm-user [ engineid engineid | username groupname ]
- Display the current community name: display snmp-agent community [ read | write ]
- Display the current MIB view: display snmp-agent mib-view [ exclude | include | viewname mib-view ]
- Display the contact character string of the system: display snmp-agent sys-info contact
- Display the location character string of the system: display snmp-agent sys-info location
- Display the version character string of the system: display snmp-agent sys-info version

SNMP 273

Table 312 Displaying and Debugging SNMP (continued)
…
248. …isplaying and Debugging the Routing Table
- View the routing table summary: display ip routing-table
- View the routing table details: display ip routing-table verbose
- View the detailed information of a specific route: display ip routing-table ip-address
- View the routes filtered through a specified basic access control list (ACL): display ip routing-table acl { acl-number | acl-name } [ verbose ]
- View the route information that passes the specified ip-prefix list: display ip routing-table ip-prefix ip-prefix-number [ verbose ]
- View the routing information found by the specified protocol: display ip routing-table protocol protocol [ inactive | verbose ]
- View the tree routing table: display ip routing-table radix
- View the integrated routing information: display ip routing-table statistics

Example: Typical Static Route Configuration
As shown in Figure 24, the masks of all the IP addresses in the figure are 255.255.255.0. All the hosts and switches must be interconnected in pairs by configuring static routes.

88 CHAPTER 5 IP ROUTING PROTOCOL OPERATION

Figure 24 Static Route Configuration (figure not reproduced: Switch A, Switch B and Switch C, a host at 1.1.1.1 and a host at 1.1.5.1; the switch addresses shown are 1.1.1.2/24, 1.1.2.1/24, 1.1.3.1/24, 1.1.3.2/24 and 1.1.5.2/24)

Configure the static routes for Ethernet Switch A:
[Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[Switch A] ip route-static 1.1.4.0 255…
249. …istics (figure not reproduced: PC1 at 1.0.0.1/8 and PC2 at 2.0.0.1/8 in VLAN 2 and VLAN 3, attached to GigabitEthernet ports of the switch)

To create this configuration:
1 Define the time range 8:00 to 18:00.
[SW7750] time-range 3com 8:00 to 18:00 daily
2 Define traffic rules for PC1 packets.
[SW7750] acl number 2000
[SW7750-acl-basic-2000] rule 0 permit ip source 1.0.0.1 0.0.0.0 time-range 3com
3 Count PC1 packets; view the statistics with the display command. Enter QoS view:
[SW7750-GigabitEthernet7/0/1] qos
[SW7750-qosb-GigabitEthernet7/0/1] traffic-statistic inbound ip-group 1 rule 0
[SW7750] display qos-interface GigabitEthernet7/0/1 traffic-statistic

Configuring ACL Control
The Switch 7750 provides several logon and device access measures, including TELNET access, SNMP access and HTTP access. The security control over these access measures is provided with the switches to prevent illegal users from logging onto and accessing the devices. There are two levels of security control. At the first level, the user connection is controlled with an ACL filter, and only legal users can connect to the switch. At the second level, a connected user can log on to the device only if the user passes password authentication. This chapter introduces how t…
250. …k you have the address of the network segment where the destination host or router is located. For example, if the destination address is 129.102.8.10, the address of the network where the host or router with the mask 255.255.0.0 is located is 129.102.0.0.

Routing Management Policy / IP Routing Protocol Overview 83

- The output interface: indicates the interface through which an IP packet should be forwarded.
- The next hop address: indicates the next router that an IP packet will pass through.
- The priority added to the IP routing table for a route: indicates the type of route that is selected. There may be multiple routes with different next hops to the same destination. These routes can be discovered by different routing protocols, or they can be static routes configured manually. The route with the highest priority (the smallest numerical value) is selected as the current optimal route.
Routes are divided into two types: subnet routes, in which the destination is a subnet, and host routes, in which the destination is a host. In addition, depending on whether the network of the destination host is directly connected to the router, there are two types of routes:
- Direct route: the router is directly connected to the network where the destination is located.
- Indirect route: the router is not directly connected to the network where the destination is located.
To limit the size of the routing table, an op…
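A small model of the routing table entries described above (destination and mask, output interface, next hop, priority) and of the selection rule, as an added example that is not from the manual or the switch software. The Route class, select_route and the sample table with its priority values are constructed for this example; it also assumes that a route with a longer mask is preferred before priorities are compared, which is standard longest-match behaviour that the page does not spell out.

```python
"""Routing table lookup model: mask arithmetic, route types and best-route
selection by longest mask, then highest priority (added example, not from the manual)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str           # destination host or network address
    mask: str                  # subnet mask, e.g. 255.255.0.0
    interface: str             # output interface
    next_hop: Optional[str]    # None for a direct route (directly connected network)
    priority: int              # smaller numerical value = higher priority
    protocol: str              # how the route was learned (constructed labels)

    @property
    def network(self) -> ipaddress.IPv4Network:
        # AND the destination with the mask, e.g. 129.102.8.10 / 255.255.0.0 -> 129.102.0.0/16
        return ipaddress.ip_network(f"{self.destination}/{self.mask}", strict=False)

    @property
    def is_host_route(self) -> bool:
        """Host route: the destination is a single host (32-bit mask); otherwise a subnet route."""
        return self.network.prefixlen == 32

    @property
    def is_direct(self) -> bool:
        """Direct route: no next hop, the router is on the destination network itself."""
        return self.next_hop is None


def network_of(address: str, mask: str) -> str:
    """Network address of a host address under a mask, as in the page's
    example: 129.102.8.10 with mask 255.255.0.0 lies in 129.102.0.0."""
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=False).network_address)


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the optimal route for a destination: among the entries whose
    network contains it, prefer the longest mask, then the smallest priority value."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.priority))


# Constructed sample table. Priority values follow the page's rule only
# (smaller = preferred); the specific numbers are assumptions of this example.
SAMPLE_TABLE: List[Route] = [
    Route("129.102.0.0", "255.255.0.0", "Vlan-interface10", None, 0, "DIRECT"),
    Route("10.0.0.0", "255.0.0.0", "Vlan-interface20", "129.102.0.254", 60, "STATIC"),
    Route("10.0.0.0", "255.0.0.0", "Vlan-interface30", "129.102.0.253", 100, "RIP"),
    Route("10.1.1.0", "255.255.255.0", "Vlan-interface30", "129.102.0.253", 100, "RIP"),
    Route("10.1.1.7", "255.255.255.255", "Vlan-interface20", "129.102.0.254", 60, "STATIC"),
]


if __name__ == "__main__":
    for dst in ["129.102.8.10", "10.5.5.5", "10.1.1.9", "10.1.1.7", "8.8.8.8"]:
        r = select_route(SAMPLE_TABLE, dst)
        if r is None:
            print(f"{dst:14} no route")
        else:
            kind = ("host" if r.is_host_route else "subnet") + "/" + ("direct" if r.is_direct else "indirect")
            print(f"{dst:14} -> {r.network} via {r.next_hop or r.interface} pri {r.priority} {r.protocol} ({kind})")
```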
251. …l channel-name } [ log | trap | debug ] [ level severity ] [ state state ]
- Delete the filtering record about a certain type of information in a module, or in all the modules, from the channel: undo info-center source { modu-name | default } channel { channel-number | channel-name }
- modu-name specifies the module name.
- level refers to the severity levels.
- severity specifies the severity level of information; information with a level below it is not output.
- channel-number specifies the channel number.
- channel-name specifies the channel name.
Every channel has a default record whose module name is default and whose module number is 0xffff0000. However, for different channels the default record may have different default settings of log, trap and debugging. When there is no specific configuration record for a module in the channel, the default one is used.
When there is more than one Telnet user or monitor user at the same time, some configuration parameters are shared among the users, such as the module-based filtering settings and the severity threshold. When you modify these settings, the changes affect all users.

Configuring the SNMP Timestamp Output Format
Perform the following operation in system view.
Table 296 Configuring the SNMP Timestamp Output Format
- Configure the SNMP Timestamp Output Format: info-center timestamp { log | trap | debugging } { boot | date | none } D…
252. …le 130 Configure the Maximum Query Response Time
- Configure the maximum query response time for IGMP: igmp max-response-time seconds
- Restore the maximum query response time to the default value: undo igmp max-response-time
The smaller the maximum query response time value, the faster the router prunes groups. The actual response time is a random value in the range from 1 to 25 seconds. The default value is 10 seconds.

Deleting IGMP Groups Joined on an Interface
You can delete an existing IGMP group from the interface with the following command. Perform the following configuration in VLAN interface view.
Table 131 Delete IGMP Groups Joined on an Interface
- Delete IGMP groups joined on an interface: reset igmp group { all | interface interface-type interface-number { all | group-address [ group-mask ] } }

Displaying and Debugging IGMP
After the previous configurations, execute the display command in all views to display the running IGMP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug IGMP.
Table 132 Display and Debug IGMP
- Display the information about members of IGMP multicast groups: display igmp group [ group-address | interface interface-type interface-number ]
- Display the IGMP configuration and running information about the interface: display igmp interface [ interface-type interface-number ]…
253. …leurl source-fileurl dest-dir all file-url execute filename
The file system can be used to format the flash memory on the Switch 7750 fabric module. Perform the following operation in user view.
Table 259 Formatting Storage Devices
- Format the storage device: format filesystem
Use the command in Table 260 to configure the confirmation prompts for file system commands. Perform the following operation in system view.
Table 260 File System Operation
- Set the file system prompt mode: file prompt { alert | quiet }

Configuring File Management
Example: File System Operation
Format the flash:
<SW7750> format flash
All sectors will be erased, proceed? [confirm] y
Format flash completed
Display the working directory in the flash:
<SW7750> cd flash:
<SW7750> pwd
flash:
Create a directory named test:
<SW7750> mkdir test
Display the flash directory information after creating the test directory:
<SW7750> dir
Directory of flash:
0  drw-  -  Mar 09 2002 12:01:44  test
523776 bytes total (476160 bytes free)

The management module configuration file provides a user-friendly operation interface. It saves the configuration of the switch in a text file in command line format, as a record of the whole configuration process. You can view the configuration information. The configuration file includes:
- Configuration commands. Commands are based on c…
254. …level setting commands.

Command Line Interface 29

Login users are also classified into four levels that correspond to the four command levels. After users of different levels log in, they can only use commands at their own or lower levels. To prevent unauthorized users from illegal intrusion, users are identified when switching from a lower level to a higher level with the super [ level ] command. User ID authentication is performed when users at a lower level switch to a higher level. Only when the correct password is entered, within three attempts, can the user switch to the higher level; otherwise the original user level remains unchanged.
Command views are implemented according to requirements that are related to one another. For example, after logging in to the Switch 7750 you enter user view, in which you can only use some basic functions such as displaying the operating state and statistics information. In user view, key in system-view to enter system view, in which you can key in different configuration commands and enter the corresponding views. The command line provides the following views:
- User view
- System view
- Ethernet Port view
- VLAN view
- VLAN interface view
- Local user view
- User interface view
- FTP client view
- Cluster view
- PIM view
- RIP view
- Route policy view
- Basic ACL view
- Advanced ACL view
- Layer 2 ACL view
- RADIUS server group view
- HWTACACS view
- ISP domain view…
255. …level of the MST region: undo revision-level
An MST region can contain up to 16 spanning tree instances, among which Instance 0 is an IST and instances 1 through 16 are MSTIs. Upon completion of these configurations, the current switch is put into the specified MST region. Two switches belong to the same MST region only if they have been configured with the same MST region name, the same MSTI-VLAN mapping tables of the MST region and the same MST region revision level. Configuring the related parameters, especially the VLAN mapping table of the MST region, leads to recalculation of the spanning tree and network topology flapping. To reduce such flapping, MSTP triggers recalculation of the spanning tree according to the configurations only if one of the following conditions is met:
- The user manually activates the configured parameters related to the MST region using the active region-configuration command.
- The user enables MSTP using the stp enable command.
By default, the MST region name is the switch's MAC address, all the VLANs in the MST region are mapped to MSTI 0, and the MSTP region revision level is 0. You can restore the default settings of the MST region using the undo stp region-configuration command in system view.

Activating the MST Region Configuration and Exiting the MST Region View
Perform the following configuration in MST region view.
Table 191 Activate the MST Region Configuration and Exit the MST Region View
Operation | C…
256. …low. Thus the object can be identified by the unique path starting from the root.

Figure 62 Architecture of the MIB Tree (figure not reproduced)

The MIB (Management Information Base) describes the hierarchical architecture of the tree and is the set of standard variables defined for the monitored network device. In the above figure, the managed object B can be uniquely specified by the string of numbers 1.2.1.1. This number string is the Object Identifier of the managed object.

Configuring SNMP
The current SNMP Agent of the Ethernet switch supports SNMP V1, V2C and V3. The MIBs supported are listed in the following table.
Table 298 MIBs Supported by the Ethernet Switch
MIB Attribute | MIB Content | References
Public MIB | MIB II based on TCP/IP network device | RFC1213
Public MIB | BRIDGE MIB | RFC1493, RFC2675
Public MIB | RIP MIB | RFC1724
Public MIB | RMON MIB | RFC2819
Public MIB | Ethernet MIB | RFC2665
Public MIB | IF MIB | RFC1573
Private MIB | DHCP MIB | -
Private MIB | QACL MIB | -
Private MIB | ADBM MIB | -
Private MIB | RSTP MIB | -
Private MIB | VLAN MIB | -
Private MIB | Device management | -
Private MIB | Interface management | -

Configuring SNMP includes tasks that are described in the following sections:
- Setting the Community Name
- Enabling and Disabling the SNMP Agent to Send a Trap
- Setting the Destination Address of a Trap
- Setting the Lifetime of the Trap Message
- Setting SNMP Information
- Setting the Engine ID of a Local or Remote Device
- Setting and Deleting an SNMP Group
- Setting the Source Address of the Trap
- Adding and Deleting a User to or from an SNMP Group
- Creating an…
257. …lticast Addresses
- IP Multicast Protocols
- Forwarding IP Multicast Packets
- Applying Multicast

The destination addresses of multicast packets use Class D IP addresses, ranging from 224.0.0.0 to 239.255.255.255. Class D addresses cannot appear in the source IP address field of IP packets. During unicast data transmission, a packet is transmitted from the source address to the destination address following the hop-by-hop principle of the IP network. In a multicast environment a packet has more than one destination address, i.e. a group of addresses. All the information receivers join a group. Once a receiver joins the group, data flowing to the group is sent to the receiver immediately. All members in the group can receive the packets. Membership of a multicast group is dynamic, that is, hosts can join and leave groups at any time.

IP Multicast Overview 111

A multicast group can be either permanent or temporary. Part of the multicast address range is reserved by the IANA and is known as the permanent multicast groups. The IP address of a permanent group is unchanged, but the members in the group can change. The number of members in a permanent multicast group can be arbitrary, or even 0. Those IP multicast addresses that are not reserved for permanent multicast groups can be used by temporary groups. The ranges and meanings of Class D addresses are shown in Table 114.
Table 114 Ranges and Meanings of Class D Addresses
Class D address r…
258. …m the following configurations in user interface (AUX user interface only) view.
Table 5 Configure the Attributes of the AUX (Console) Port
- Configure the transmission speed on the AUX (Console) port: speed speed-value. By default, the transmission speed is 9600 bps.
- Restore the default transmission speed on the AUX (Console) port: undo speed
- Configure the flow control on the AUX (Console) port: flow-control { hardware | none | software }. By default, no flow control is performed on the AUX (Console) port.
- Restore the default flow control mode on the AUX (Console) port: undo flow-control
- Configure the parity mode on the AUX (Console) port: parity { even | mark | none | odd | space }. By default, there is no parity bit on the AUX (Console) port.
- Restore the default parity mode: undo parity

CHAPTER 1 SYSTEM ACCESS

Table 5 Configure the Attributes of the AUX (Console) Port (continued)
- Configure the stop bits of the AUX (Console) port: stopbits { 1 | 1.5 | 2 }. By default, the AUX (Console) port supports 1 stop bit.
- Restore the default stop bits of the AUX (Console) port: undo stopbits
- Configure the data bits of the AUX (Console) port: databits { 7 | 8 }. By default, the AUX (Console) port supports 8 data bits.
- Restore the default data bits of the AUX (Console) port: undo databits

Configuring the Terminal Attributes
The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnecti…
259. …managed network device port, the error statistics and the performance statistics, thereby implementing management (usually remote) over the network. RMON configuration includes tasks described in the following sections:
- Adding and Deleting an Entry to or from the Alarm Table
- Adding and Deleting an Entry to or from the Event Table
- Adding and Deleting an Entry to or from the History Control Table
- Adding and Deleting an Entry to or from the Extended RMON Alarm Table
- Adding and Deleting an Entry to or from the Statistics Table
- Displaying the RMON Configuration

Adding and Deleting an Entry to or from the Alarm Table
RMON alarm management can monitor specified alarm variables, such as the statistics on a port. When a value of the monitored data exceeds the defined threshold, an alarm event is generated. Generally, the event is recorded in the device log table and a Trap message is sent to the NMS. The events are defined in event management. Alarm management includes browsing, adding and deleting alarm entries. Use the following commands to add or delete an entry to or from the alarm table. Perform the following configuration in system view.
Table 313 Adding or Deleting an Entry to or from the Alarm Table
- Add an entry to the alarm table: rmon alarm entry-number alarm-variable sampling-time { delta | absolute } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2…
260. …mand
- Configure the interval for sending IGMP Group-Specific Query packets: igmp lastmember-queryinterval seconds
- Restore the interval for sending IGMP Group-Specific Query packets to the default value: undo igmp lastmember-queryinterval
By default, the interval is 1 second. This command is only available on the IGMP query router running IGMP v2. For a host running IGMP v1, this command cannot take effect, because the host may not send the IGMP Leave message when it leaves a group.

Configuring the Interval for Sending IGMP Group-Specific Query Packets
In a shared network, where the same network segment includes multiple hosts and multicast routers, the query router is responsible for maintaining the IGMP group membership on the interface. When an IGMP v2 host leaves a group, it sends an IGMP Leave message. On receiving the IGMP Leave message, the IGMP query router must send the IGMP group-specific query message a specified number of times (the robust-value parameter of the igmp robust-count command, default 2) at a specified time interval (the seconds parameter of the igmp lastmember-queryinterval command, default 1 second). If other hosts that are interested in the specified group receive the IGMP query message from the IGMP query router, they send back an IGMP Membership Report message within the specified maximum response time interval. If the IGMP

120 CHAPTER 6 MULTICAST PROTOCOL

query router receives the…
261. means identifying the packets with certain characteristics. This is done by using a matching rule, called the classification rule, that is set by the configuration administrator based on the actual requirements. The rule can be very simple. For example, traffic with different priorities can be identified according to the ToS field in the IP packet header. There are also some complex rules. For example, the information over the integrated link layer (Layer 2), network layer (Layer 3) and transport layer (Layer 4), such as MAC address, IP protocol, source IP address, destination IP address and the port number of an application, can be used for traffic classification. Generally the classification standards are encapsulated in the header of the packets. The packet content is seldom used as the classification standard.
Packet Filter
Packet filters filter network traffic. For example, the deny operation discards the traffic that matches a traffic classification rule while allowing other traffic to pass through. With the complex traffic classification rules, Ethernet switches enable the filtering of information carried in Layer 2 traffic, to discard useless, unreliable or doubtful traffic and to enhance network security. To filter packets:
1 Classify the incoming traffic according to the classification rule.
2 Filter the classified traffic.
Traffic Policing
To deliver better service with limited network resources, QoS monitors the traffic o
262. member port aging time, it transmits the specific query message to that port and starts a maximum response timer. Perform the following configuration in system view.
Table 136 Configure Aging Time of the Multicast Member
Operation: Configure aging time of the multicast member. Command: igmp-snooping host-aging-time seconds
Operation: Restore the default setting. Command: undo igmp-snooping host-aging-time
By default the aging time of the multicast member is 260 seconds.
Displaying and Debugging IGMP Snooping
Execute the display command in all views to display the running of the IGMP Snooping configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the IGMP Snooping configuration.
Table 137 Display and Debug IGMP Snooping
Operation: Display the information about the current IGMP Snooping configuration. Command: display igmp-snooping configuration
Operation: Display IGMP Snooping statistics of received and sent messages. Command: display igmp-snooping statistics
Operation: Display IP/MAC multicast group information in the VLAN. Command: display igmp-snooping group [ vlan vlanid ]
Troubleshooting IGMP Snooping
Table 137 Display and Debug IGMP Snooping (continued)
Operation: Enable IGMP Snooping debugging. Command: debug igmp-snooping { all | abnormal | group | packet | timer }
Operation: Disable IGMP Snooping debugging. Command: undo debug igmp-snoo
263. meout command is described in Table 7.
Table 7 Idle Timeout
Operation: Configure idle timeout. Command: idle-timeout minutes [ seconds ] (idle-timeout 0 means disabling idle timeout)
Operation: Restore the default idle timeout. Command: undo idle-timeout
Locking the User Interface
The lock command locks the current user interface and prompts the user to enter a password. This makes it impossible for others to operate in the interface after the user leaves. The lock command is described in Table 8.
Table 8 Lock User Interface
Operation: Lock user interface. Command: lock
Setting the Screen Length
If a command displays more than one screen of information, you can use the screen-length command to determine how many lines are displayed on a screen, so that information can be separated into different screens and you can view it more conveniently. The screen-length command is described in Table 9.
Table 9 Setting Screen Length
Operation: Set the screen length. Command: screen-length screen-length (screen-length 0 disables the screen display separation function)
Operation: Restore the default screen length. Command: undo screen-length
By default the terminal screen length is 24 lines.
Setting the History Command Buffer Size
Table 10 describes the history-command max-size command. By default the size of the history command buffer is 10.
Table 10 Set the History Command Buffer Size
Operation: Set the history command buffer size. Command: history-comma
264. mmand
Operation: Configure the priority for queue scheduling. Command: priority-trust { dscp | ip-precedence | cos | local-precedence }
By default the switch chooses the local precedence as the basic priority.
Entering QoS View
You should run most QoS configurations in QoS view. Perform the following configuration in Ethernet interface view.
Table 176 Entering QoS View
Operation: Enter QoS view. Command: qos
Different I/O modules may support different QoS functions, and you can view the QoS configuration items available for the current interface unit by keying in ? in QoS view. Only the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X (SFP) I/O modules support setting of line rate and packet redirection.
Configuring the Traffic Limit
Traffic limiting establishes actions to deal with traffic flow that exceeds the threshold. These actions can include discarding packets or lowering priority. You must define the corresponding ACL before performing this configuration task. Perform the following configuration in QoS view.
Table 177 Configuring the Traffic Limit
Operation: Configure the flow-based rate limit. Command: traffic-limit { inbound | outbound } ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule target-rate exceed-action
Operation: Cancel the configuration of the flow-based rate limit. Command: undo traffic-limit { inbound | outbound } ip-group acl-number acl-name rule rule l
265. multicast group.
Limiting Access to IP Multicast Groups
A multicast router learns whether there are members of a multicast group on the network when it receives an IGMP membership message. A filter can be set on an interface to limit the range of allowed multicast groups. Perform the following configuration in VLAN interface view.
Table 127 Limit the Access to IP Multicast Groups
Operation: Limit the range of allowed multicast groups on the current interface. Command: igmp group-policy acl-number [ 1 | 2 ]
Operation: Remove the filter set on the interface. Command: undo igmp group-policy
Operation: Limit the range of allowed multicast groups on the current interface (Ethernet port view). Command: igmp group-policy acl-number vlan vlanid
Operation: Remove the filter set on the interface (Ethernet port view). Command: undo igmp group-policy vlan vlanid
By default no filters are configured; all multicast groups are allowed on the interface.
Configuring the IGMP Query Message Interval
Multicast routers send IGMP query messages to find present multicast groups on other networks. Multicast routers send query messages periodically to refresh their information about the members present. Perform the following configuration in VLAN interface view.
Table 128 Configure the IGMP Query Message Interval
Operation: Configure the IGMP query message interval. Command: igmp timer query seconds
Operation: Restore the IGMP query message interval to the default value. Command: undo igmp timer query
Whe
266. n Command
Operation: Disable MAC address learning. Command: mac-address mac-learning disable
Operation: Enable MAC address learning. Command: undo mac-address mac-learning disable
252 CHAPTER 11 SYSTEM MANAGEMENT
By default the MAC address learning function is enabled.
Setting MAC Address Aging Time
Setting an appropriate aging time implements MAC address aging. Too long or too short an aging time set by subscribers causes the Ethernet switch to flood a large amount of data packets, which affects the switch's operating performance. If the aging time is set too long, the Ethernet switch stores a great number of out-of-date MAC address table entries; this consumes MAC address table resources and the switch will not be able to update the MAC address table according to network changes. If the aging time is set too short, the Ethernet switch may delete valid MAC address table entries. You can use the following commands to set the MAC address aging time for the system. Perform the following configuration in system view.
Table 274 Setting the MAC Address Aging Time for the System
Operation: Set the dynamic MAC address aging time. Command: mac-address timer { aging age | no-aging }
Operation: Restore the default MAC address aging time. Command: undo mac-address timer aging time
In addition, this command takes effect on all the ports. However, address aging only functions on dynamic addresses (those learned, or configured as age entries by the user). By default the aging time is 300 secon
267. n process of each switch is:
Switch A: Ethernet 1/0/1 receives the configuration BPDU from Switch B and finds that the local configuration BPDU priority is higher than that of the received one, so it discards the received configuration BPDU. The configuration BPDU is processed on Ethernet 1/0/2 in a similar way. Thus Switch A finds itself the root and designated switch in the configuration BPDU of every port; it regards itself as the root, retains the configuration BPDU of each port and transmits configuration BPDUs to others regularly thereafter. By now the configuration BPDUs of the two ports are as follows:
Configuration BPDU of Ethernet 1/0/1: {0, 0, 0, E1/0/1}
Configuration BPDU of Ethernet 1/0/2: {0, 0, 0, E1/0/2}
Switch B: Ethernet 1/0/7 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than the local one, so it updates its configuration BPDU. Ethernet 1/0/4 receives the configuration BPDU from Switch C and finds that the local BPDU priority is higher than that of the received one, so it discards the received BPDU. By now the configuration BPDUs of each port are as follows:
Configuration BPDU of Ethernet 1/0/7: {0, 0, 0, E1/0/1}
Configuration BPDU of Ethernet 1/0/4: {1, 0, 1, E1/0/4}
Switch B compares the configuration BPDUs of the ports and selects the Ethernet 1/0/7 BPDU as the optimum one. Thus Ethernet 1/0/7 is elected as the root port and the configuration BPDUs of S
268. n should be configured with Candidate RPs and Candidate BSRs.
Enabling Multicast
Refer to Configuring Common Multicast on page 114.
Enabling IGMP on an Interface
Refer to Configuring IGMP on page 116.
Enabling PIM-SM
This configuration can be effective only after multicast is enabled. Perform the following configuration in VLAN interface view.
Table 145 Enabling PIM-SM
Operation: Enable PIM-SM on an interface. Command: pim sm
Operation: Disable PIM-SM on an interface. Command: undo pim sm
Repeat this configuration to enable PIM-SM on other interfaces. Only one multicast routing protocol can be enabled on an interface at a time; once PIM-SM is enabled, PIM-DM cannot be enabled on the same interface.
Setting the PIM-SM Domain Border
After the PIM-SM domain border is configured, bootstrap messages cannot cross the border in any direction. In this way the PIM-SM domain can be split. Perform the following configuration in VLAN interface view.
Table 146 Setting the PIM-SM Domain Border
Operation: Set the PIM-SM domain border. Command: pim bsr-boundary
Operation: Remove the PIM-SM domain border configured. Command: undo pim bsr-boundary
By default no domain border is set. After this configuration is performed, a bootstrap message cannot cross the border, but other PIM packets can. This configuration can effectively divide a network into domains using different BSRs. This command cannot create a multicast packet forwarding border, but only a PIM bootstrap me
269. n the ports. You can also delete an existing aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated; when you delete a static or dynamic LACP aggregation group, its member ports form one or several dynamic LACP aggregation groups. Perform the following configuration in system view.
Table 40 Create or Delete an Aggregation Group
Operation: Create an aggregation group. Command: link-aggregation group agg-id mode { manual | static }
Operation: Delete an aggregation group. Command: undo link-aggregation group agg-id
When creating an aggregation group: if it already exists in the system but contains no member port, it changes to the new type; if it already exists in the system and contains member ports, then you can only change a dynamic or static LACP aggregation group to a manual one, or a dynamic LACP aggregation group to a static one. In the former case LACP is disabled at the member ports automatically, while in the latter case LACP remains enabled.
Adding or Deleting Ethernet Ports to or from an Aggregation Group
You can add or delete ports to or from a manual or static LACP aggregation group, but the addition or deletion of member ports for a dynamic LACP aggregation group is automatic. Perform the following configuration in the corresponding view.
Table 41 Add/Delete Ethernet Port to/from Aggregation Group
Operation: Add an Ethernet port into the aggregation. Command: port link-aggregation group
270. n there are multiple multicast routers on a network segment, the querier is responsible for sending IGMP query messages to all hosts on the LAN. The default interval is 60 seconds.
122 CHAPTER 6 MULTICAST PROTOCOL
Configuring the IGMP Querier Present Timer
The IGMP querier present timer defines the period of time before the router takes over as the querier. Perform the following configuration in VLAN interface view.
Table 129 Configure the IGMP Querier Present Timer
Operation: Change the IGMP querier present timer. Command: igmp timer other-querier-present seconds
Operation: Restore the IGMP querier present timer to the default value. Command: undo igmp timer other-querier-present
By default the value is 120 seconds. If the router has received no query message within twice the interval specified by the igmp timer query command, it regards the previous querier as invalid.
Configuring the Maximum Query Response Time
When a router receives a query message, the host sets a timer for each multicast group it belongs to. The value of the timer is randomly selected between 0 and the maximum response time. When any timer becomes 0, the host sends the membership report message of the multicast group. Setting the maximum response time allows the host to respond to query messages quickly; in this case the router can master the existing status of the members of the multicast group. Perform the following configuration in VLAN interface view.
Tab
271. ncapsulate the IP packet in an Ethernet frame and send it to Host B.
Configuring ARP
If the corresponding MAC address is not found, Host A stores the IP packet in the queue waiting for transmission and broadcasts an ARP request to attempt to resolve the MAC address of Host B. The ARP request packet contains the IP address of Host B and the IP address and MAC address of Host A. Since the ARP request packet is broadcast, all hosts on the network segment receive the request. However, only the requested host (i.e. Host B) needs to process the request. Host B first stores the IP address and the MAC address of the request sender (Host A) from the ARP request packet in its own ARP mapping table. Host B then generates an ARP reply packet and adds the MAC address of Host B before sending it to Host A. The reply packet is sent directly to Host A instead of being broadcast. Upon receiving the reply packet, Host A extracts the IP address and the corresponding MAC address of Host B and adds them to its own ARP mapping table. Then Host A sends Host B all the packets waiting in the queue. Normally dynamic ARP executes and automatically attempts to resolve the IP address to an Ethernet MAC address with no intervention from the administrator. The ARP mapping table can be maintained dynamically or manually. Addresses that are mapped manually are referred to as static ARP. The user can display, add or delete the entries in the ARP mapping
272. nd Portal. Perform the following configurations in RADIUS server group view.
Table 246 Setting the Supported Type of RADIUS Server
Operation: Set the supported type of RADIUS server. Command: server-type { 3ComType | iphotel | portal | standard }
Operation: Restore the supported type of RADIUS server to the default setting. Command: undo server-type
By default the RADIUS server type is standard.
Setting RADIUS Server State
For the primary and secondary servers: if the primary server is disconnected from the NAS because of a fault, the NAS automatically turns to exchanging packets with the secondary server. However, after the primary server recovers, the NAS does not resume communication with the primary server immediately; instead it continues communicating with the secondary server. When the secondary server fails to communicate, the NAS returns to the primary server.
Configuring the RADIUS Protocol 227
The following commands can be used to set the primary server to be active manually, so that the NAS can communicate with it immediately after troubleshooting. When the primary and secondary servers are both active or both blocked, the NAS sends packets to the primary server only. Perform the following configurations in RADIUS server group view.
Table 247 Set RADIUS Server State
Operation: Set the state of the primary RADIUS server. Command: state primary { accounting | authentication } { block | active }
Operation: Set the state of the secondary RADIUS server. Command: state secondary accounting
273. nd can save a large amount of network bandwidth and reduce network loads. New value-added services that use multicast can be delivered, including direct broadcasting, Web TV, distance learning, distance medicine, net broadcasting station and real-time audio/video conferencing:
■ Multimedia and streaming media applications
■ Communications of the training and corporate sites
■ Data repository and finance (stock) applications
■ Any point-to-multipoint data distribution
With the increase of multimedia services on IP networks, multicast has huge market potential.
Configuring Common Multicast
A common multicast configuration covers both the multicast group management protocol and the multicast routing protocol. The configuration includes enabling multicast, configuring the multicast forwarding boundary, and displaying the multicast routing table and multicast forwarding table. Common multicast configuration includes:
■ Enabling Multicast
■ Configuring the Multicast Route Limit
■ Clearing MFC Forwarding Entries or Statistic Information
■ Clearing Route Entries From the Core Multicast Routing Table
■ Displaying and Debugging Common Multicast Configuration
Enabling Multicast
Enable multicast first, before enabling the multicast routing protocol. Perform the following configuration in system view.
Table 116 Enabling Multicast
Operation: Enable multicast. Command: multicast routing-enable
Operation: Disable multicast
274. nd max-size value
Operation: Restore the default history command buffer size. Command: undo history-command max-size
Managing Users
The management of users includes the setting of the user logon authentication method, the level of command a user can use after logging on, the level of command a user can use after logging on from a specific user interface, and the command level.
24 CHAPTER 1 SYSTEM ACCESS
Configuring the Authentication Method
The authentication-mode command configures the user login authentication method that allows access to an unauthorized user. Table 11 describes the authentication-mode command. Perform the following configuration in user interface view.
Table 11 Configure Authentication Method
Operation: Configure the authentication method. Command: authentication-mode { password | scheme [ command-authorization ] }
Operation: Configure no authentication. Command: authentication-mode none
By default terminal authentication is not required for users who log in through the console port, whereas a password is required for authenticating modem and Telnet users when they log in. To configure authentication for modem and Telnet users:
1 Configure local password authentication for the user interface. When you set the password authentication mode, you must also configure a login password to log in successfully. Table 12 describes the set authentication password command. Perform the following configuration in user interface view.
Table 12 Configu
275. ndo stp bridge-diameter diameter
The network diameter is the parameter specifying the network scale; the larger the diameter, the larger the scale. When a user configures the network diameter on a switch, MSTP automatically calculates and sets the hello time, forward delay time and maximum age time of the switch to the desirable values. The setting of the network diameter takes effect on the CIST only and has no effect on MSTIs. By default the network diameter is 7 and the three corresponding timers take the default values.
Configuring the Time Parameters of a Switch
The switch has three time parameters:
■ Forward delay
■ Hello time
■ Max age
Forward delay is the switch state transition mechanism. The spanning tree is recalculated upon link faults and its structure changes accordingly. The recalculated configuration BPDU cannot be immediately propagated throughout the network; temporary loops can occur if the new root port and designated port forward data right after being elected. Therefore the protocol adopts a state transition mechanism: it takes a forward delay interval for the root port and designated port to transit from the learning state to the forwarding state. The forward delay guarantees a period of time during which the new configuration BPDU can be propagated throughout the network. The switch sends a hello packet periodically to check if there is any link fault. The interval in which the hello packet is sent i
276. net 1/0/4 to Ethernet 1/0/5
[SW7750-vlan11] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 11
[SW7750-vlan-interface11] pim sm
[SW7750-vlan-interface11] quit
[SW7750] vlan 12
[SW7750-vlan12] port Ethernet 1/0/6 to Ethernet 1/0/7
[SW7750-vlan12] quit
[SW7750] pim
[SW7750-pim] interface vlan-interface 12
[SW7750-vlan-interface12] pim sm
[SW7750-vlan-interface12] quit
GMRP
Configuring GMRP
GMRP (GARP Multicast Registration Protocol), based on GARP, is used for maintaining dynamic multicast registration information. All the switches supporting GMRP can receive multicast registration information from other switches and dynamically update local multicast registration information. Local multicast registration information can be transmitted to other switches. This information exchange mechanism keeps the multicast information maintained by every GMRP-supporting device in the same switching network consistent. A host transmits a GMRP Join message. After receiving the message, the switch adds the port to the multicast group and broadcasts the message throughout the VLAN, so that the multicast source in the VLAN knows the multicast member. When the multicast source sends packets to its group, the switch only forwards the packets to the ports connected to members, thereby implementing Layer 2 multicast in the VLAN. The multicast information transmitted by GMRP includes local static multicast registration information configured manu
277. nformation. The standard defines the following types of EAP frames:
■ EAP-Packet: authentication information frame, used to carry the authentication information.
■ EAPoL-Start: authentication originating frame, actively originated by the Supplicant.
■ EAPoL-Logoff: logoff request frame, actively terminating the authenticated state.
■ EAPoL-Key: key information frame, supporting encryption of the EAP packets.
■ EAPoL-Encapsulated-ASF-Alert: supports the Alerting message of the Alert Standard Forum (ASF).
Configuring 802.1x
EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicant and the Authenticator. The EAP-Packet information is re-encapsulated by the Authenticator System and then transmitted to the Authentication Server System. EAPoL-Encapsulated-ASF-Alert is related to the network management information and is terminated by the Authenticator. 802.1x provides an implementation solution for user ID authentication. However, 802.1x itself is not enough to implement the scheme; the administrator of the access device should configure the AAA scheme, selecting RADIUS or local authentication, to assist 802.1x in implementing the user ID authentication. For a detailed description, refer to the corresponding AAA configuration.
Implementing 802.1x on the Ethernet Switch
The Switch 7750 not only supports the port access authentication method regulated by 802.1x but also extends and optimizes it in the following way: Supp
278. ng settings:
■ STP setting includes STP enabling/disabling, link attribute (point-to-point or not), STP priority, path cost, max transmission speed, loop protection, root protection, edge port or not
■ QoS setting includes traffic limiting, priority marking, default 802.1p priority, bandwidth assurance, congestion avoidance, traffic redirection, traffic statistics
■ VLAN setting includes permitted VLAN types, default VLAN ID
■ Port setting includes port link type, port speed, duplex mode
■ LACP setting includes LACP enabling/disabling
Perform the following configuration in system view.
Table 37 Copying a Port Configuration to Other Ports
Operation: Copy port configuration to other ports. Command: copy configuration source { interface-type interface-number | interface-name | aggregation-group agg-id } destination { interface-list [ aggregation-group agg-id ] | aggregation-group agg-id }
Note that if the copy source is an aggregation group, the port with the lowest ID is used as the source. If the copy destination is an aggregation group, the configurations of all group member ports are made identical with that of the source.
Displaying and Debugging Ethernet Ports
After configuration, execute the display command in all views to display the current configuration of Ethernet port parameters and to verify the configuration. Execute the reset command in user view to clear the statistics from the port.
Table 38 Display and Debug E
279. ng the Filtering of Multicast Source/Group
■ Configuring the Filtering of PIM Neighbors
132 CHAPTER 6 MULTICAST PROTOCOL
■ Configuring the Maximum Number of PIM Neighbors on an Interface
■ Displaying and Debugging PIM-DM
When the router runs in the PIM-DM domain, it is best to enable PIM-DM on all interfaces of the non-border router.
Enabling Multicast
See Configuring Common Multicast on page 114.
Enabling PIM-DM
PIM-DM needs to be enabled in the configuration of all interfaces. After PIM-DM is enabled on an interface, it sends PIM Hello messages periodically and processes protocol packets sent by PIM neighbors. Perform the following configuration in VLAN interface view.
Table 138 Enable PIM-DM
Operation: Enable PIM-DM on an interface. Command: pim dm
Operation: Disable PIM-DM on an interface. Command: undo pim dm
3Com recommends that you configure PIM-DM on all interfaces. This configuration is effective only after multicast routing is enabled in system view. Once you enable PIM-DM on an interface, PIM-SM cannot be enabled on the same interface, and vice versa.
Entering PIM View
Global parameters of PIM should be configured in PIM view. Perform the following configuration in system view.
Table 139 Entering PIM View
Operation: Enter PIM view. Command: pim
Operation: Return to system view. Command: undo pim
Use the undo pim command to clear the configuration in PIM view and to return to system view.
Configuring the Interface Hello Message
280. ng to more than one VLAN and receive/send the packets on multiple VLANs. The hybrid port can also carry more than one VLAN and receive/send the packets on multiple VLANs. The difference between the hybrid port and the trunk port is that the hybrid port allows packets from multiple VLANs to be sent without tags, but the trunk port only allows packets from the default VLAN to be sent without tags. Perform the following configuration in Ethernet port view.
Table 34 Set Link Type for Ethernet Port
Operation: Set the port to access port. Command: port link-type access
Operation: Set the port to hybrid port. Command: port link-type hybrid
Operation: Set the port to trunk port. Command: port link-type trunk
Operation: Restore the default link type, that is, the access port. Command: undo port link-type
A port on a switch can be configured as an access port, a hybrid port or a trunk port. However, to reconfigure between hybrid and trunk link types, you must first restore the default (access) link type. The default link type is the access link type.
Adding the Ethernet Port to a VLAN
The following commands are used for adding an Ethernet port to a specified VLAN. Access ports can be added to only one VLAN, while hybrid and trunk ports can be added to multiple VLANs.
40 CHAPTER 2 PORT CONFIGURATION
Perform the following configuration in Ethernet port view.
Table 35 Adding the Ethernet Port to Specified VLANs
Operation: Add the current access port to a specified port acce
281. ng undo mirroring-group groupid
You can configure up to 20 mirroring groups. Each group includes one monitoring port and multiple monitored ports. The monitoring port and the monitored ports must be on the same interface unit. For a non-48-port interface unit, only one mirroring group can be configured in one direction. For example, you can only configure one mirroring group for the inbound packets on one interface unit; a failure is prompted if you configure a second. The same restriction applies to outbound packets. For a 48-port interface unit, the monitoring port and the monitored ports must all be at ports 1-24 or at ports 25-48, at which only one mirroring group can be configured in one direction.
Setting Queue Scheduling
Queue scheduling is often used in solving the problem of resource contention during network congestion. Each port supports eight outbound queues. The switch only supports the SP algorithm, but you can distribute packets into the target queues according to several types of priority. The following tables show the mapping between outbound queues and priority schemes.
Table 171 Mapping Between 802.1p Priority Levels and Outbound Queues
802.1p priority level | Queue
(rows for priority levels 0 to 6 are garbled in the source)
7 | 7
Table 172 Mapping Between Local or IP Priority Levels and Outbound Queu
282. nition process, you can configure multiple rules for an ACL by using the rule command repeatedly.
Importing an ACL
To implement ACL control, you can import the defined ACL in user interface view. Perform the following configuration in the designated view.
Table 187 Importing an ACL
Operation: Enter user interface view from system view. Command: user-interface type first-number last-number
Operation: Call an ACL from user interface view. Command: acl acl-number { inbound | outbound }
For more information about the command, see the Switch 7750 Command Reference Guide. Only a numbered basic ACL can be imported for TELNET user control.
Example: Controlling TELNET Users with ACL
Figure 48 illustrates a configuration that controls TELNET users with an ACL.
Configuring ACL Control 177
Figure 48 Control TELNET User With ACL
Use the following commands to control TELNET users with ACL.
1 Define the basic ACLs:
[SW7750] acl number 2000 match-order config
[SW7750-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[SW7750-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[SW7750-acl-basic-2000] quit
2 Call the ACL:
[SW7750] user-interface vty 0 4
[SW7750-ui-vty0-4] acl 2000 inbound
Configuring ACL Control for SNMP Users
The Switch 7750 supports remote management with the network management software. The network management users can access the switch with SNMP. Controlling such users wit
283. nterval owner text-string
Operation: Delete an entry from the history control table. Command: undo rmon history entry-number
Adding and Deleting an Entry to or from the Extended RMON Alarm Table
You can use the command to add or delete an entry to or from the extended RMON alarm table. Perform the following configuration in system view.
Table 316 Add or Delete an Entry to or from the Extended RMON Alarm Table
Operation: Add an entry to the extended RMON alarm table. Command: rmon prialarm entry-number alarm-var alarm-des sampling-timer { delta | absolute | changeratio } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ]
Operation: Delete an entry from the extended RMON alarm table. Command: undo rmon prialarm entry-number
Adding and Deleting an Entry to or from the Statistics Table
RMON statistics management concerns port usage monitoring and error statistics when using the ports. The statistics include collision, CRC and queuing, undersize packets or oversize packets, timeout transmission, fragments, broadcast, multicast and unicast messages, and the usage ratio of bandwidth. Use the following commands to add or delete an entry to or from the statistics table. Perform the following configuration in Ethernet port view.
Table 317 Add or Delete an Entry to or from the Statistics Table
Operation: Add an entry to the statistics table. Command: rmon statistics
284. o configure the first level security control to filter the logon users with an ACL. For information about how to configure the first level security, see System Access.

Configuring ACL Control is described in the following sections:
• Configuring ACL Control for TELNET Users
• Configuring ACL Control for SNMP Users

CHAPTER 7 QOS OPERATION

Configuring ACL Control for TELNET Users
By configuring ACL control over TELNET users, you can filter malicious and illegal connection requests before password authentication and ensure device security. The steps to control TELNET users with an ACL are described in the following sections:
• Defining an ACL
• Importing an ACL

Defining an ACL
To implement the ACL control function, you can only call a numbered basic ACL, ranging from 2000 to 2999. Perform the following configuration in system view.

Table 186 Defining a Basic ACL
Enter basic ACL view from system view: acl { number acl-number | name acl-name } basic ip match-order { config | auto }
Add a sub-item to the ACL from basic ACL view: rule rule-id { permit | deny } source { source-addr source-wildcard | any } fragment time-range name
Delete a sub-item from the ACL from basic ACL view: undo rule rule-id source fragment time-range
Delete one ACL or all ACLs from system view: undo acl { number acl-number | name acl-name | all }

In the defi
285. ocal RADIUS authentication of Telnet/FTP users, see Configuring a Local RADIUS Server Group on page 228.

Configure the switch to use a TACACS server to provide AAA services to login users; see the following figure. Connect the switch to one TACACS server, which provides authentication and authorization services, at IP address 10.110.91.164. On the switch, set the shared key for AAA packet encryption to expert. Configure the switch to send usernames to the TACACS server with the isp-name removed. On the TACACS server, set the shared key for encrypting the packets exchanged with the switch to expert, and add the usernames and passwords of the users.

Configure a HWTACACS scheme:
[Quidway] hwtacacs scheme hwtac
[Quidway-hwtacacs-hwtac] primary authentication 10.110.91.164 1812
[Quidway-hwtacacs-hwtac] primary authorization 10.110.91.164 1813
[Quidway-hwtacacs-hwtac] key authentication expert
[Quidway-hwtacacs-hwtac] key authorization expert
[Quidway-hwtacacs-hwtac] undo user-name-format with-domain
[Quidway-hwtacacs-hwtac] quit
Associate the domain with the HWTACACS scheme:
[Quidway] domain hwtacacs
[Quidway-isp-hwtacacs] scheme hwtacacs-scheme hwtac

Dynamic VLAN with RADIUS Server Configuration Example 1
The RADIUS server, taking Windows IAS as an example, delivers the string VLAN ID test, which corresponds to the name of VLAN 100 on the switch. The switch can add the port to VLAN 100 when the se
286. of a two-byte system priority and a six-byte system MAC address, that is, system ID = system priority + system MAC. When comparing system IDs, the system first compares the system priority values; if they are equal, it then compares the system MAC addresses. The smaller system ID is considered prior. Changing the system priority may affect the priority levels of the member ports and thereby their selected or standby state. Perform the following configuration in system view.

Table 43 Configure System Priority
Configure system priority: lacp system-priority system-priority-value
Restore the default system priority: undo lacp system-priority

By default, the system priority is 32768.

Configuring Port Priority
When determining whether the member ports of a dynamic LACP aggregation group are selected or standby ports, LACP compares system IDs first and then, if the system IDs are the same, port IDs. If the ports in an aggregation group exceed the port quantity threshold for that group, the system sets some ports with smaller port IDs as selected ports and the others as standby ports. The port ID consists of a two-byte port priority and a two-byte port number, that is, port ID = port priority + port number. The system first compares port priority values and then port numbers; the smaller port ID is considered prior. Perform the following configuration in Ethernet port view.

Table 44 Configure Port Priority
Operation: Config
287. of packets on a segment in a certain period of time, or that of the correct packets sent to a host. RMON helps the SNMP monitor the remote network device more actively and effectively, which provides a highly efficient means of monitoring subnet operations. RMON can reduce the communication traffic between the NMS and the agent, thus facilitating effective management of large interconnected networks.

RMON allows multiple monitors. It can collect data in two ways. The first way is with a special RMON probe: the NMS obtains the management information directly from the RMON probe and controls the network resource. In this way it obtains all the information in the RMON MIB. The second way is to implant the RMON agent directly into network devices such as routers, switches and hubs, so that the devices become network facilities with RMON probe functions. The RMON NMS uses basic SNMP commands to exchange data with the SNMP agent and to collect NM information. However, not all the data in the RMON MIB can be obtained with this method, depending on resources. In most cases only four groups of information can be collected: trap information, event information, history information and statistics information.

The Switch 7750 implements RMON using the second method. With the RMON-supported SNMP agent running on the network monitor, the NMS can obtain such information as the overall traffic of the segment connected to the
288. of the active port with the lowest port number. Since only a defined number of ports can be supported in an aggregation group, if the active ports in an aggregation group exceed the port quantity threshold for that group, the system sets some ports with smaller port numbers, in ascending order, as selected ports and the others as standby ports. Both selected and standby ports can transceive LACP protocol packets, but standby ports cannot forward user service packets.

Load Sharing

Dynamic LACP aggregation
Dynamic LACP aggregation is added and deleted automatically by the system; manual configuration by users is prohibited. Dynamic LACP aggregation can be established for a single port; this is called single port aggregation. LACP is enabled on dynamic aggregation ports. Only ports with the same speed, duplex mode and basic configuration, and connected to the same device, can be aggregated dynamically. Only a defined number of ports can be supported in an aggregation group. If the ports in an aggregation group exceed the port quantity threshold for that group, the system sets some ports with smaller system IDs (system priority + system MAC address) and port IDs (port priority + port number) as selected ports and the others as standby ports. If not all member ports are selected ports. Both selected and standby ports can transceive LACP protocol packets, but standby ports cannot forward user service packets. Among the selected ports of an
289. of the configuration. Execute the debugging command in user view to debug the RIP module. Execute the reset command in RIP view to reset the system configuration parameters of RIP.

Table 99 Displaying and Debugging RIP
Display the current RIP state and configuration information: display rip
Enable the RIP debugging information: debugging rip packets
Enable the debugging of RIP receiving packets: debugging rip receive
Enable the debugging of RIP sending packets: debugging rip send
Restore the default RIP settings: reset

CHAPTER 5 IP ROUTING PROTOCOL OPERATION

Troubleshooting RIP

Example: Typical RIP Configuration
As shown in Figure 25, Switch C connects to the subnet 117.102.0.0 through an Ethernet port. The Ethernet ports of Switch A and Switch B are connected to the networks 155.10.1.0 and 196.38.165.0. Switch C, Switch A and Switch B are connected by the Ethernet 110.11.2.0. Correctly configure RIP to ensure that Switch C, Switch A and Switch B can interconnect.

Figure 25 RIP Configuration (figure: Switch A with interface address 155.10.1.1/24 on network 155.10.1.0/24; Switch B with interface address 196.38.165.1/24 on network 196.38.165.0/24; Switch C with interface address 117.102.0.1/16 on network 117.102.0.0/16; interface addresses 110.11.2.1/24 and 110.11.2.2/24 on the shared Ethernet)
290. oint-to-point link directly connects two switches. You can configure the port to connect or not connect with a point-to-point link in the following ways.

Configuring in System View
Perform the following configuration in system view.

Table 208 Configure the Port Connection With the Point-to-point Link
Configure the port to connect with the point-to-point link: stp interface interface-list point-to-point force-true
Configure the port not to connect with the point-to-point link: stp interface interface-list point-to-point force-false
Configure MSTP to automatically detect if the port is directly connected with the point-to-point link: stp interface interface-list point-to-point auto
Configure MSTP to automatically detect if the port is directly connected with the point-to-point link (the default): undo stp interface interface-list point-to-point

Configuring in Ethernet Port View
Perform the following configuration in Ethernet port view.

Table 209 Configure the Port Connection With the Point-to-point Link
Configure the port to connect with the point-to-point link: stp point-to-point force-true
Configure the port not to connect with the point-to-point link: stp point-to-point force-false
Configure MSTP to automatically detect if the port is directly connected with the point-to-point link: stp point-to-point auto
Configure MSTP to automatically detect if the
291. ommand
Show the configuration information of the MST region under revision from MST region view: check region-configuration
Manually activate the MST region configuration from MST region view: active region-configuration
Exit MST region view from MST region view: quit

MSTP can determine the spanning tree root through calculation. You can also specify the current switch as the root using the command provided by the switch.

CHAPTER 8 STP OPERATION

Configuring the MSTP Running Mode
You can use the following commands to specify the current switch as the primary or secondary root of the spanning tree. Perform the following configuration in system view.

Table 192 Specify the Switch as Primary or Secondary Root Switch
Specify the current switch as the primary root switch of the specified spanning tree: stp instance instance-id root primary bridge-diameter bridgenum hello-time centi-seconds
Specify the current switch as the secondary root switch of the specified spanning tree: stp instance instance-id root secondary bridge-diameter bridgenum hello-time centi-seconds
Specify the current switch not to be the primary or secondary root: undo stp instance instance-id root

After a switch is configured as the primary or secondary root switch, you cannot modify the bridge priority of the switch. You can configure the current switch as the primary or secondary root switch of the STI spe
292. ommand views. The commands are sorted into sections. The sections are separated by a blank line or a comment line; a comment line begins with a pound sign (#). Default constants are not saved.
• Generally, the sections in the file are arranged in the following order: system configuration, Ethernet port configuration, VLAN interface configuration, routing protocol configuration, and so on.

Management of the configuration files includes the tasks described in the following sections:
• Displaying the Current and Saved Configuration of the Switch
• Saving the Current Configuration
• Erasing the Configuration Files from Flash Memory

Displaying the Current and Saved Configuration of the Switch
After being powered on, the system reads the configuration file from flash memory. The default configuration file is sw7750cfg.txt. If there is no configuration file in flash, the system begins initialization with the default parameters. You can use the commands in Table 261 to display the current and saved configuration of the switch.

CHAPTER 11 SYSTEM MANAGEMENT

Perform the following configuration in all views.

Table 261 Display the Configurations of the Ethernet Switch
Display the saved configuration of the Ethernet switch: display saved-configuration
Display the current configuration of the Ethernet switch: display current-configuration controller interface interface-type interface-number
293. on upon timeout, lockable user interface, configuring terminal screen length and history command buffer size. Perform the following configuration in user interface view. Perform the lock command in user view.

Enabling and Disabling Terminal Service
After the terminal service is disabled on a user interface, you cannot log in to the Switch 7750 through that user interface. However, if a user logged in through the user interface before the terminal service was disabled, the user can continue operating. After the user logs out, the user cannot log in again. In this case the user can log in to the switch through the user interface only when the terminal service is enabled again. Use the commands described in Table 6 to enable or disable terminal service.

Table 6 Enabling and Disabling Terminal Service
Enable terminal service: shell
Disable terminal service: undo shell

By default, terminal service is enabled on all user interfaces. Note the following points:
• For the sake of security, the undo shell command can only be used on user interfaces other than the AUX user interface.
• You cannot use this command on the user interface through which you are logged in.
• You must confirm your privilege before using the undo shell command in any legal user interface.

Setting Terminal Parameters

Configuring idle timeout
By default, idle timeout is enabled and set to 10 minutes on all user interfaces. The idle ti
294. onfiguration commands executed after a route satisfies the filtering conditions specified in the if-match clauses. In this way some attributes of the route can be modified. Perform the following configurations in route policy view.

Table 102 Defining Apply Clauses
Set the next hop address of the routing information: apply ip next-hop ip-address ip-address acl acl-number
Cancel the next hop address of the routing information: undo apply ip next-hop
Set the tag domain of the routing information: apply tag value
Cancel the tag domain of the routing information: undo apply tag

By default, no apply clauses are defined. If the routing information meets the match conditions specified in the route policy, then this value is regarded as the MED value of the IGP route.

Importing Routing Information Discovered by Other Routing Protocols
A routing protocol can import routes discovered by other routing protocols to enrich its routing information. The route policy can filter route information to implement the redistribution. If the destination routing protocol that imports the routes cannot directly reference the route costs of the source routing protocol, you should satisfy the requirement of the destination protocol by specifying a route cost for the imported route. Perform the following configuration in routing protocol view.

Table 103 Configuring Importing Routes of Other Protocols
Operat
295. onfiguring the Interval for Sending IGMP Group-Specific Query Packets
• Configuring the Limit of IGMP Groups on an Interface
• Configuring a Router to be a Member of a Group
• Limiting Access to IP Multicast Groups
• Configuring the IGMP Query Message Interval
• Configuring the IGMP Querier Present Timer
• Configuring the Maximum Query Response Time
• Deleting IGMP Groups Joined on an Interface
• Displaying and Debugging IGMP

Enabling Multicast
After multicast is enabled, IGMP automatically runs on all interfaces. For details, see Configuring Common Multicast on page 114.

Enabling IGMP on an Interface
You must enable multicast before you can execute the igmp enable command. After this you can begin the IGMP feature configuration. Perform the following configuration in VLAN interface view.

Table 121 Enable/Disable IGMP on an Interface
Enable IGMP on an interface: igmp enable
Disable IGMP on an interface: undo igmp enable

By default, IGMP is not enabled.

Configuring the IGMP Version
Perform the following configuration in VLAN interface view.

Table 122 Select the IGMP Version
Select the IGMP version that the router uses: igmp version { 2 | 1 }
Restore the default setting: undo igmp version

The default is IGMP Version 2. All routers on a subnet must support the same version of IGMP. After detecting the presence of an IGMP Version 1 system, a router cannot automatically s
296. onnection all the information needed. In this case, use the display diagnostic-information command. You can perform the following operation in all views.

Table 288 Displaying Diagnostic Information
Display diagnostic information: display diagnostic-information

To view the data later, enable saving a screen capture to a file. The testing tools for a network connection are described in the following sections:
• Ping
• Tracert Command

Ping
The ping command checks the network connection and verifies whether a host can be reached. Perform the following operation in user view.

Table 289 The Ping Command
Support IP ping: ping -a ip-address -c count -d -i { interface-type interface-num | interface-name } ip -n -p pattern -q -r -s packetsize -t timeout -v host

The output of the ping command includes:
• The response to each ping message. If no response packet is received before the timeout, the information Request time out appears. Otherwise the data bytes, the packet sequence number, the TTL and the round-trip time of the response packet are displayed.
• The final statistics, which include the number of packets the switch sent out and received, the packet loss ratio, and the minimum, mean and maximum round-trip time.

Tracert Command
Tracert is used for testing the gateways from the source host to the
297. op is reduced by 1. The switch discards a configuration BPDU with 0 hops left. This makes it impossible for switches beyond the max hops to take part in the spanning tree calculation, thereby limiting the scale of the MST region. You can use the following command to configure the max hops in an MST region. Perform the following configuration in system view.

Table 195 Configure the Max Hops in an MST Region
Configure the max hops in an MST region: stp max-hops hop
Restore the default max hops in an MST region: undo stp max-hops

The more hops in an MST region, the larger the scale of the region. Only the max hops configured on the region root can limit the scale of the MST region. Other switches in the MST region also apply the configuration of the region root, even if they have been configured with their own max hops. By default, the max hops of an MST region is 20.

Any two hosts on the switching network are connected by a specific path carried by a series of switches. Among these paths, the one passing through more switches than all others is the network diameter, expressed as the number of switches passed. You can use the following command to configure the diameter of the switching network. Perform the following configuration in system view.

Table 196 Configure the Switching Network Diameter
Configure the switching network diameter: stp bridge-diameter bridgenum
Restore the default switching network u
298. or not the switch can correctly send and receive ARP packets. If it can only send but not receive ARP packets, there are probably errors at the Ethernet physical layer.

Configuring Address Resolution Protocol (ARP)
An IP address cannot be directly used for communication between network devices, because devices can only identify MAC addresses. An IP address is the address of a host at the network layer. To send data packets through the network layer to the destination host, the physical address of the host is required, so the IP address must be resolved to a physical address. When two hosts on an Ethernet communicate, they must know each other's MAC address. Every host maintains an IP-to-MAC address translation table, known as the ARP mapping table. A series of mappings between IP addresses and the MAC addresses of other hosts is stored in the ARP mapping table. When a dynamic ARP mapping entry has not been used for a long time, the host removes it from the mapping table to save memory space and shorten the search interval.

Example: IP Address Resolution
Host A and Host B are on the same network segment. The IP address of Host A is IP_A and the IP address of Host B is IP_B. Host A wants to transmit packets to Host B. Host A first checks its own ARP mapping table for ARP entries corresponding to IP_B. If the corresponding MAC address is found, Host A uses the MAC address in the ARP mapping table to e
299. ord for exchanging messages between the switch and the authentication server is expert. The switch cuts off the domain name from the username and sends the remaining part to the RADIUS server.

Configuring FTP/Telnet User Authentication at the Local RADIUS Server

Configuring the FTP/Telnet User Authentication at a Remote TACACS Server
(figure: Telnet user, Switch, authentication server with IP address 10.110.91.164)

Add a Telnet user. For details about configuring FTP and Telnet users, see Configuring the User Interface on page 20.
Configure the remote authentication mode for the Telnet user, in this example the scheme mode:
[SW7750-ui-vty0-4] authentication-mode scheme
Configure the domain:
[SW7750] domain cams
[SW7750-isp-cams] quit
Configure the RADIUS scheme:
[SW7750] radius scheme cams
[SW7750-radius-cams] primary authentication 10.110.91.146 1812
[SW7750-radius-cams] key authentication expert
[SW7750-radius-cams] server-type 3com
[SW7750-radius-cams] user-name-format without-domain
Configure the association between the domain and the RADIUS scheme:
[SW7750-radius-cams] quit
[SW7750] domain cams
[SW7750-isp-cams] radius-scheme cams

Local RADIUS authentication of Telnet/FTP users is similar to remote RADIUS authentication, but you should modify the server IP address to 127.0.0.1, the authentication password to 3Com, and the UDP port number of the authentication server to 1645. For details about l
300. ork, the following two measures need to be taken:
• Prevent the router from being spoofed by hosts that fake legal BSR messages to modify the RP mapping. BSR messages are multicast and their TTL is 1, so these attacks often hit edge routers. Fortunately, BSRs are inside the network while assaulting hosts are outside, therefore neighbor and RPF checks can be used to stop these attacks.
• If a router in the network is manipulated by an attacker, or an illegal router is connected to the network, the attacker may set itself as a C-BSR and try to win the contention and gain the authority to advertise RP information across the network. Since the router configured as C-BSR propagates BSR messages, which are multicast messages sent hop by hop with TTL 1, the network cannot be affected as long as the peer routers do not receive these BSR messages. One way is to configure a bsr-policy on each router to limit the legal BSR range; for example, if only 1.1.1.1/32 and 1.1.1.2/32 can be BSRs, the routers cannot receive or forward BSR messages from any other source, and even legal BSRs cannot contest with them.

Perform the following configuration in PIM view.

Table 153 Limiting the Range of Legal BSR
Limit the legal BSR range: bsr-policy acl-number
Restore the default setting: undo bsr-policy

For detailed information about the bsr-policy command, see the Switch 7750 Command Reference Guide. Limi
301. ort to connect several end stations downstream through a physical port.
• The access control or user authentication method can be based on port or MAC address. In this way the system becomes more secure and easier to manage.

The configuration tasks of 802.1x itself can be fulfilled in system view of the Ethernet switch. When global 802.1x is not enabled, the user can configure the 802.1x state of the port. The configured items take effect after global 802.1x is enabled. Do not enable 802.1x and RSTP at the same time, or the switch may not work normally.

The 802.1x configuration tasks are described in the following sections:
• Enabling/Disabling 802.1x
• Setting the Port Access Control Mode
• Setting the Port Access Control Method
• Checking the Users that Log on the Switch by Proxy
• Setting the Number of Users on a Port
• Enabling DHCP to Launch Authentication
• Configuring the Authentication Method for 802.1x Users
• Setting the Maximum Retransmission Times
• Configuring Timers
• Enabling/Disabling the Quiet Period Timer
• Displaying and Debugging 802.1x

Enabling/Disabling 802.1x
The following commands can be used to enable/disable 802.1x on the specified port. When no port is specified in system view, 802.1x is enabled/disabled globally. Perform the following configurations in system view or Ethernet port view.

Table 218 Enable/Disable 802.1x
Operation
302. ot send charging bill to the RADIUS server.

User authentication/authorization always fails
• The username may not be in the userid@isp-name format, or the NAS has not been configured with a default ISP domain. Use a username in the proper format and configure the default ISP domain on the NAS.
• The user may not have been configured in the RADIUS server database. Check the database and make sure that the configuration information of the user exists in the database.
• The user may have input a wrong password. Make sure that the supplicant inputs the correct password.
• The encryption keys of the RADIUS server and the NAS may be different. Check carefully and make sure that they are identical.
• There might be a communication fault between the NAS and the RADIUS server, which can be discovered by pinging the RADIUS server from the NAS. Ensure normal communication between the NAS and the RADIUS server.

RADIUS packets cannot be transmitted to the RADIUS server
• The communication lines at the physical layer or link layer connecting the NAS and the RADIUS server may not work well.
• The IP address of the corresponding RADIUS server may not have been set on the NAS. Set a proper IP address for the RADIUS server.
• The UDP ports of the authentication/authorization and accounting services may not be set properly. Make sure they are consistent with the ports provided by the RADIUS server.

After being authenticated and authorized, the user cannot send charging bill to the RADIUS server
1 The accounting port
303. otice Type and Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system or device.
Warning: Information that alerts you to potential personal injury.

Table 2 lists the text conventions used in this book.

Table 2 Text Conventions
Screen displays: This typeface represents information as it appears on the screen.
Keyboard key names: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del.
The words enter and type: When you see the word enter in this guide, you must type something and then press Return or Enter. Do not press Return or Enter when an instruction simply says type.
Words in italics: Italics are used to:
• Emphasize a point
• Denote a new term at the place where it is defined in the text
• Identify command variables
• Identify menu names, menu commands and software button names
Examples: From the Help menu, select Contents. Click OK.
Words in bold: Boldface type is used to highlight command names. For example: Use the display user-interface command to

SYSTEM ACCESS
This chapter covers the following
304. oting Routing Policies

Configuring for Filtering Distributed Routes
Define a policy concerning route distribution that filters out the routing information that does not satisfy the conditions and distributes routes with the help of an ACL or address ip-prefix. Perform the following configuration in routing protocol view.

Table 106 Configuring Filtering of Distributed Routes
Configure to filter the routes distributed by the protocol: filter-policy { acl-number | ip-prefix ip-prefix-name } export routing-process
Cancel the filtering of the routes distributed by the protocol: undo filter-policy { acl-number | ip-prefix ip-prefix-name } export routing-process

The route policy supports importing the routes discovered by the following protocols into the routing table:
• Direct: the hop or host to which the local interface is directly connected
• Static: static route configuration
• RIP: route discovered by RIP

By default, the filtering of received and distributed routes is not performed.

Displaying and Debugging the Routing Policy
Execute the display command in all views to display the operation of the routing policy configuration and to verify the effect of the configuration.

Table 107 Displaying and Debugging the Route Policy
Display the routing policy: display route-policy route-policy-name
Display the path information of the AS filter: display ip as-path-acl
305. ough the Routing Table 82
Routing Management Policy 83
Static Routes 84
Configuring Static Routes 85
Troubleshooting Static Routes 88
RIP 89
Configuring RIP 90
Troubleshooting RIP 98
IP Routing Policy 99
Routing Information Filters 99
Configuring an IP Routing Policy 100
Troubleshooting Routing Policies 104
Route Capacity 105
Configuring Route Capacity 105
MULTICAST PROTOCOL
IP Multicast Overview 109
Multicast Addresses 110
IP Multicast Protocols 112
Forwarding IP Multicast Packets 113
Applying Multicast 114
Configuring Common Multicast 114
Configuring Common Multicast 114
Configuring IGMP 116
Configuring IGMP 117
IGMP Snooping 124
Configuring IGMP Snooping 127
Troubleshooting IGMP Snooping 129
Configuring PIM-DM 130
Configuring PIM-DM 131
Configuring PIM-SM 136
PIM-SM Operating Principles 136
Preparing to Configure PIM-SM 137
Configuring PIM-SM 138
GMRP 146
Configuring GMRP 146
QoS OPERATION
ACL Overview 149
Filtering or Classifying Data Transmitted by the Hardware 149
Filtering or Classifying Data Transmitted by the Software 150
ACL Support on the Switch 7750 150
Configuring ACLs 151
Configuring the Time Range 151
Selecting the ACL Mode 151
Defining an ACL 151
Activating an ACL 154
ACL Configuration Examples 155
Access Control 155
Basic ACL 156
Link ACL 157
Configuring QoS 157
QoS Concepts 158
Configuring QoS 161
QoS Configuration Examples 168
Configuring ACL Control 175
Configuring ACL Control for T
306. ows members in the same switching network to distribute, propagate and register information such as VLAN and multicast addresses. GARP does not exist in a switch as an entity. A GARP participant is called a GARP application. The main GARP applications are GVRP and GMRP. GVRP is described in Configuring GARP/GVRP, and GMRP is described in GMRP on page 146. When a GARP participant is on a port of the switch, each port corresponds to a GARP participant.

Through GARP, configuration information on one GARP member is advertised rapidly to the entire switching network. A GARP member can be a terminal workstation or a bridge. A GARP member can notify other members to register or remove its attribute information by sending declarations or withdrawal declarations. It can also register or remove the attribute information of other GARP members according to the declarations or withdrawal declarations it receives from them.

CHAPTER 3 VLAN CONFIGURATION

GARP members exchange information by sending GARP messages. There are three main types of GARP messages: join, leave and leaveall. When a GARP participant wants to register its attribute information on other switches, it sends a join message. When the GARP participant wants to remove its attribute information from other switches, it sends a leave message. The leaveall timer is started at the same time that each GARP participant is enabled, and a leaveall message is sent out when the leav
307. p enable
[SW7750-vlan-interface11] pim dm
[SW7750-vlan-interface11] quit
[SW7750] interface vlan-interface 12
[SW7750-vlan-interface12] ip address 3.3.3.3 255.255.0.0
[SW7750-vlan-interface12] igmp enable
136 CHAPTER 6 MULTICAST PROTOCOL
[SW7750-vlan-interface12] pim dm
Configuring PIM-SM. PIM-SM Operating Principles. PIM-SM (Protocol Independent Multicast, Sparse Mode) belongs to the sparse-mode multicast routing protocols. PIM-SM is mainly applicable to large-scale networks with broad scope and few group members. Different from the flood-and-prune principle of the dense mode, PIM-SM assumes that hosts do not need to receive multicast packets unless they explicitly request them. PIM-SM uses the RP (Rendezvous Point) and the BSR (Bootstrap Router) to advertise multicast information to all PIM-SM routers, and uses the join/prune information of the router to build the RP-rooted shared tree (RPT). This helps to reduce the bandwidth occupied by data packets and control packets, and reduces the processing overhead of the router. Multicast data flows along the shared tree to the network segments. When data traffic is sufficient, the multicast data flow switches over to the SPT (Shortest Path Tree) rooted on the source, which reduces network delay. To perform the RPF check, PIM-SM does not depend on a specified unicast routing protocol but uses the present unicast routing table. Running PIM-SM, you would need to configure candi
308. packets away from the fault without the help of the administrator. In a relatively simple network, you only need to configure static routes to make the router work normally. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important applications. The following routes are static routes:
- Reachable route: the normal route, in which the IP packet is sent to the next hop towards the destination; this is the common type of static route.
Configuring Static Routes / Static Routes 85
- Unreachable route: when a static route to a destination has the reject attribute, all IP packets to this destination are discarded and the originating host is informed that the destination is unreachable.
- Blackhole route: when a static route to a destination has the blackhole attribute, all IP packets to this destination are discarded and the originating host is not informed.
The attributes reject and blackhole are usually used to control the range of reachable destinations of this router and to help troubleshoot the network.
Default Route. A default route is also a static route. A default route is used only when no suitable routing table entry is found. In a routing table, the default route is in the form of the route to the network 0.0.0.0 with the mask 0.0.0.0. You can determine whether a default route has been set by viewing the output of the display ip routing-table command.
309. peration / Command:
- Configure the source address to be carried in the RADIUS packets sent by the NAS (RADIUS scheme view): nas-ip ip-address
- Cancel the configured source address to be carried in the RADIUS packets sent by the NAS (RADIUS scheme view): undo nas-ip
- Configure the source address to be carried in the RADIUS packets sent by the NAS (System view): radius nas-ip ip-address
- Cancel the configured source address to be carried in the RADIUS packets sent by the NAS (System view): undo radius nas-ip
You can use either command to bind a source address with the NAS. By default, no source address is specified, and the source address of a packet is the address of the interface from which it is sent.
Setting the Timers of the RADIUS Server. Setting the Response Timeout Timer of the RADIUS Server. After a RADIUS authentication, authorization, or accounting request packet has been transmitted for a period of time, if the NAS has not received the response from the
Configuring the RADIUS Protocol 229
RADIUS server, it has to retransmit the request to guarantee RADIUS service for the user. You can use the following command to set the response timeout timer of the RADIUS server. Perform the following configurations in RADIUS scheme view. Table 2-32 Setting the response timeout timer of the RADIUS server. Operation / Command:
- Set the response timeout timer of the RADIUS server: timer seconds
- Restore the response timeout timer of the RADIUS server to the default value: undo t
310. perform the mcheck operation to force the port to transition to MSTP mode. By default, MSTP runs in MSTP mode. Whether a switch can be elected as the spanning tree root depends on its bridge priority. The switch configured with a lower bridge priority is more likely to become the root. An MSTP switch can have different priorities in different STIs. You can use the following command to configure the bridge priorities of the designated switch in different STIs. Perform the following configuration in system view. Table 194 Configure the Priority for a Switch. Operation / Command:
- Configure the priority of the designated switch: stp instance instance-id priority priority
- Restore the default priority of the designated switch: undo stp instance instance-id priority
When configuring the switch priority with the instance instance-id parameter set to 0, you are configuring the CIST priority of the switch. In the spanning tree root election among two or more switches with the lowest priority, the one with the smaller MAC address is elected as the root. By default, the switch priority is 32768.
194 CHAPTER 8 STP OPERATION
Configuring the Max Hops in an MST Region / Configuring the Switching Network Diameter. The scale of an MST region is limited by the max hops in the MST region, which is configured on the region root. As the BPDU travels from the spanning tree root, each time it is forwarded by a switch the max h
311. ping all group packet timer (abnormal group packet timers).
Example: IGMP Snooping Configuration. To implement IGMP Snooping on the switch, first enable it. The switch is connected with the router through the router port and with user PCs through the non-router ports. Figure 31 IGMP Snooping Configuration Network (a router running IGMP; an Ethernet switch running IGMP snooping; IGMP packets).
Display the status of GMRP: <SW7750> display gmrp status
Display the current status of IGMP Snooping when GMRP is disabled: <SW7750> display igmp-snooping configuration
Enable IGMP Snooping if it is disabled: [SW7750] igmp-snooping enable
If the multicast function cannot be implemented on the switch, check for the following conditions and use the accompanying troubleshooting procedure.
1. IGMP Snooping is disabled.
- Input the display current-configuration command to display the status of IGMP Snooping.
- If the switch has IGMP Snooping disabled, you can input igmp-snooping enable in system view to enable IGMP Snooping.
2. The multicast forwarding table set up by IGMP Snooping is wrong.
130 CHAPTER 6 MULTICAST PROTOCOL
- Input the display igmp-snooping group command to see if the multicast group is the expected one.
- Verify that the source IP address is correct for each multicast stream.
3. The multicast forwarding table set up on the bottom layer is wrong. Enable IG
312. ple:
- Packet Redirection
- Queue Scheduling
- RED
- Traffic Bandwidth
- Traffic Statistics
Traffic Limit and Line Rate. In this example, the intranet is connected through 100M ports between departments, and the wage server is connected through the port GigabitEthernet7/0/1 (subnet address 129.110.1.2). For the wage server, the inbound traffic is limited to 20M and the outbound traffic to 20M on average. Packets exceeding the threshold are labeled with priority level 4. Only the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X SFP I/O modules support further processing for excessive traffic. Only the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X SFP I/O modules support line rate setting. For the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X SFP I/O modules, the adjustment step for both traffic limit and line rate is 1 Mbps, but for other interface units the adjustment step for traffic limit is 64 Kbps. Figure 40 Traffic Limit and Line Rate Configuration (wage server 129.110.1.2; to switch). Only the commands concerning QoS/ACL configuration are listed here. To create this configuration: Define outbound traffic for the wage server. Enter name-based advanced ACL view using the t
313. ple, the user tel@hwtac passes the authentication of the TACACS server 192.168.6.1 and logs into the switch through the port vty0. As the authentication-mode scheme command-authorization command is configured for the vty0 port on the switch, the NAS sends a request for authorization to the AAA server when you execute the display current-configuration command. If the reply indicates that the authorization succeeds, the user can execute the command.
Set the Switch 7750 to allow user access without authentication: [SW7750-ui-vty0] authentication-mode none
By default, a password is required for authenticating modem and Telnet users when they log in. If the password has not been set when a user logs in, the following message displays: Login password has not been set. If the authentication-mode none command is used, modem and Telnet users are not required to enter a password.
Set the Command Level after Login. The following command is used for setting the command level used after a user logs in. Perform the following configuration in local user view. Table 13 Set Command Level Used After a User Logs In. Operation / Command:
- Set the command level used after a user logs in: service-type level level telnet level level telnet level level level level
- Restore the default command level used after a user logs in: undo service-type level telnet level telnet level level
By default, a Telnet
314. pression. Multicast: GARP Multicast Registration Protocol (GMRP); Internet Group Management Protocol (IGMP) Snooping; Internet Group Management Protocol (IGMP); Protocol Independent Multicast Dense Mode (PIM-DM); Protocol Independent Multicast Sparse Mode (PIM-SM).
12 CHAPTER 1 SYSTEM ACCESS
Table 3 Function Features (continued). Features / Support:
- IP routing: static route; RIP v1/v2; IP routing policy
- DHCP Relay: Dynamic Host Configuration Protocol (DHCP) Relay
- Link aggregation: link aggregation
- Mirror: port-based mirroring
- Security features: multi-level user management and password protection; 802.1X authentication; packet filtering; AAA and RADIUS; HWTACACS
- Quality of Service (QoS): traffic classification; bandwidth control; priority; queues of different priority on the port; queue scheduling supports Strict Priority Queueing (SP)
- Management and maintenance: command line interface configuration; configuration through the console port; remote configuration by Telnet; configuration through dialing the modem; SNMP; system log; level alarms; output of the debugging information; PING and Tracert; remote maintenance with Telnet/modem
- Loading and updating: loading and upgrading software using the XModem protocol; loading and upgrading software using the File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP)
Configuring the Switch 7750. On the Switch 7750, you can set up the configuration environment through the
315. r QoS. An access control rule includes several statements. Different statements specify different ranges of packets. When matching a data packet with the access control rule, the issue of match order arises. Configuring ACL Overview is described in the following sections:
- Filtering or Classifying Data Transmitted by the Hardware
- Filtering or Classifying Data Transmitted by the Software
- ACL Support on the Switch 7750
An ACL can be used to filter or classify the data transmitted by the hardware of the switch. In this case, the match order of the ACL's sub-rules is determined by the switch hardware, and this match order takes precedence over the match order defined by the user. An ACL is configured with multiple sub-rules. The sub-rule with the more accurate (narrower) range is matched first. If some rules define the same range, the latest sub-rule is matched first. For example, ACL 2000 has rule 0 and rule 1. The definition of rule 0 is: rule 0 permit ip source 1.1.1.1 0.0.255.255 destination 2.2.2.2 0.0.255.255. The definition of rule 1 is: rule 1 permit ip source 1.1.1.1 0.0.0.255 destination 2.2.2.2 0.0.0.255. Rule 1 is more accurate, so it is matched first.
150 CHAPTER 7 QOS OPERATION
This type of filtering includes ACLs that are used with the QoS function, ACLs used to filter the packets transmitted by the hardware, and so on. An ACL can be used to filter or classify the data transmitted by the software of the switch. The user
316. r sending a RADIUS request (authentication, authorization, or accounting request) for a period of time, the NAS resends the request, thus ensuring that the user can obtain the RADIUS service. You can specify this period by setting the RADIUS server response timeout timer, taking into consideration the network condition and the desired system performance. Perform the following configurations in RADIUS scheme view. Table 2-35 Configure the RADIUS server response timer. Operation / Command:
- Configure the RADIUS server response timer: timer response-timeout seconds
- Restore the default value of the interval: undo timer response-timeout
By default, the response timeout timer for the RADIUS server is set to three seconds.
Configuring HWTACACS. HWTACACS configuration tasks include the following (Table 2-36 HWTACACS configuration; Subsection / Task / Command / View / Description):
1. Creating a HWTACACS scheme: hwtacacs scheme (System view): creating a scheme.
2. Configuring the TACACS authentication server: primary authentication (HWTACACS view): configuring the primary authentication server; secondary authentication (HWTACACS view): configuring the secondary authentication server.
3. Configuring the TACACS authorization server: primary authorization (HWTACACS view): configuring the primary authorization server; secondary authorization (HWTACACS view): configuring the secondary authorization server.
4. Configuring the TACACS accounting server and related features: primary accounting (HWTACACS view): configuring the p
317. r the next boot: boot bootloader file-url. Tasks for designating the APP for the next boot are described in the following sections:
- Upgrading BootROM
- Resetting a Slot
- Setting the Slot Temperature Limit
- Setting the Backboard View
Upgrading BootROM. You can use this command to upgrade the BootROM with the BootROM program in the flash memory. This configuration task facilitates remote upgrade: you can upload the BootROM program file from a remote end to the switch by FTP, and then use this command to upgrade the BootROM on the modules. Perform the following configuration in user view. Table 277 Upgrading BootROM. Operation / Command: Upgrade BootROM: boot bootrom file-url.
Resetting a Slot. The Switch 7750 allows the administrator to reset a slot in the system. Perform the following configuration in user view. Table 278 Resetting a Slot. Operation / Command: Reset a slot: reboot slot slot-num. The parameter slot-num ranges from 0 to 6. Setting the parameter to 0 resets the fabric module, which has the same effect as resetting the entire system. Setting the parameter from 1 through 6 resets the I/O module in the corresponding slot. If you input reboot only, the whole system is reset.
Displaying Devices, Maintaining and Debugging the System
Setting the Slot Temperature Limit. The Switch 7750 sounds an alarm when the temperature on a slot exceeds the preset limit. Perform the following configuration in user
318. radius-radius1] quit
Create the user domain 3com163.net and enter ISP configuration mode: [SW7750] domain 3com163.net
Specify radius1 as the RADIUS server group for the users in the domain 3com163.net: [SW7750-isp-3com163.net] radius-scheme radius1
Set a limit of 30 users for the domain 3com163.net: [SW7750-isp-3com163.net] access-limit enable 30
Enable the idle-cut function for the user and set the idle-cut parameters in the domain 3com163.net: [SW7750-isp-3com163.net] idle-cut enable 50 5000
Add a local supplicant and set its parameters:
[SW7750] local-user localuser
[SW7750-luser-localuser] attribute service-type lan-access
[SW7750-luser-localuser] password simple localpass
Enable 802.1x globally: [SW7750] dot1x
Implementing the AAA and RADIUS Protocols. The Authentication, Authorization and Accounting (AAA) protocol provides a uniform framework for configuring these three security functions and implements network security management.
216 CHAPTER 9 AAA AND RADIUS OPERATION
The network security mentioned here refers to access control, including:
- which user can access the network server
- which service the authorized user can enjoy
- how to keep accounts for the user who is using network resources
AAA provides the following services:
- authenticates whether the user can access the network server
- authorizes the user with specified services
- accounts for network resources that are consumed by the user
Gen
319. raffic-of-payserver: [SW7750] acl name traffic-of-payserver advanced
Define the traffic-of-payserver rule in the advanced ACL: [SW7750-acl-adv-traffic-of-payserver] rule 1 permit ip source 129.110.1.2 0.0.0.0 destination any
Set the traffic limit for the wage server. Enter QoS view: [SW7750-GigabitEthernet7/0/1] qos, which gives the prompt [SW7750-qosb-GigabitEthernet7/0/1]
Limit the average outbound traffic of the wage server to 20 Mbps and label over-threshold packets with priority level 4: [SW7750-qosb-GigabitEthernet7/0/1] traffic-limit inbound ip-group traffic-of-payserver 20 exceed remark-dscp 4
Limit the inbound traffic of the wage server from the port GigabitEthernet7/0/1 to 20 Mbps: [SW7750-qosb-GigabitEthernet7/0/1] line-rate 20
Port Mirroring. This configuration uses one server to monitor the packets of two PCs. One PC is accessed from the port E3/0/1 and the other from the port E3/0/2. The server is connected to the port Ethernet3/0/8. The monitoring port and the monitored ports must be on the same I/O module. For a non-48-port module, only one mirroring group can be configured in one direction. For example, you can only configure one mirroring group for the inbound packets on one module; the configuration fails if you configure a second mirroring group. The same restriction applies to outbound packets.
170 CHAPTER 7 QOS OPERATION
For a 48-port module, the monitoring port and the monitored port must all be at ports 1-24 or ports 25-48, on whi
320. re: root ID (expressed as Ethernet switch priority), path cost to the root, designated switch ID (expressed as Ethernet switch priority), and designated port ID (expressed as the port number). As illustrated in the figure above, the priorities of Switch A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4.
Generating the Configuration BPDU, Selecting the Optimum Configuration BPDU, Designating the Root Port. When initialized, each port of the switches generates a configuration BPDU taking itself as the root, with root path cost 0, the designated switch ID as its own switch ID, and the designated port as itself:
- Switch A: Configuration BPDU of Ethernet 1/0/1: {0, 0, 0, e1/0/1}; Configuration BPDU of Ethernet 1/0/2: {0, 0, 0, e1/0/2}
- Switch B: Configuration BPDU of Ethernet 1/0/7: {1, 0, 1, e1/0/7}; Configuration BPDU of Ethernet 1/0/4: {1, 0, 1, e1/0/4}
- Switch C: Configuration BPDU of Ethernet 1/0/1: {2, 0, 2, e1/0/1}; Configuration BPDU of Ethernet 1/0/5: {2, 0, 2, e1/0/5}
Every switch transmits its configuration BPDU to the others. When a port receives a configuration BPDU with a lower priority than its own, it discards the message and keeps the local BPDU unchanged. When a higher priority configuration BPDU is received, the local configuration BPDU is updated. The optimum configuration BPDU is elected by comparing the configuration BPDUs of all the ports. The comparison rule
321. re the Local Authentication Password. Operation / Command:
- Configure the local authentication password: set authentication password cipher simple password
- Remove the local authentication password: undo set authentication password
Configure password authentication when a user logs in through the VTY 0 user interface, and set the password to 3Com:
[SW7750] user-interface vty 0
[SW7750-ui-vty0] authentication-mode password
[SW7750-ui-vty0] set authentication password simple 3Com
Configure the local or remote authentication username and password. Use the authentication-mode scheme command to perform local or remote authentication of username and password. The type of authentication depends on your configuration. For detailed information, see AAA and RADIUS Operation. Perform username and password authentication when a user logs in through the VTY 0 user interface, and set the username and password to zbr and 3Com respectively:
[SW7750-ui-vty0] authentication-mode scheme
[SW7750-ui-vty0] quit
[SW7750] local-user zbr
[SW7750-luser-zbr] service-type telnet
Authorize users to use the command lines. The authentication-mode scheme command-authorization command indicates that you must be authorized to use the command lines on the TACACS
Setting Terminal Parameters 25
authentication server before executing the other commands. The commands that different users can execute are defined on the TACACS authentication server. For exam
322. ress Learning. With the address learning function, an Ethernet switch can learn new MAC addresses. When it receives a packet destined for a MAC address it has already learned, the switch forwards the packet directly instead of flooding it to all ports. Sometimes, for the sake of security, it is necessary to disable the address learning function. A common threat is from hackers who attack the switch with packets from many different source MAC addresses, thereby exhausting the address table resources and making it impossible for the switch to update the MAC address table to reflect network changes. Such an attack can be avoided by disabling the MAC address learning function. You can use the following commands to disable or enable MAC address learning globally. Perform the following configuration in system view. Table 272 Disabling or Enabling the MAC Address Learning. Operation / Command:
- Disable MAC address learning: mac-address mac-learning disable
- Enable MAC address learning: undo mac-address mac-learning disable
By default, the MAC address learning function is enabled.
Disabling or Enabling MAC Address Learning on a Port. After MAC address learning has been enabled globally, you can disable it on individual ports. Use the following commands to disable MAC address learning on a specified port. Perform the following configurations in Ethernet port view. Table 273 Disable/Enable the MAC Address Learning. Operatio
323. rface from which the source IP address of the NTP packets sent from the local switch to the peer is taken; priority indicates that the peer is the first choice for time server.
Configuring NTP Broadcast Server Mode. Designate an interface on the local switch to transmit NTP broadcast packets. In this case, the local equipment operates in broadcast mode and serves as a broadcast server that broadcasts messages to its clients regularly. Perform the following configurations in VLAN interface view. Table 321 Configuring NTP Broadcast Server Mode. Operation / Command:
- Configure NTP broadcast server mode: ntp-service broadcast-server authentication-keyid keyid version number
- Cancel NTP broadcast server mode: undo ntp-service broadcast-server
The NTP version number (number) ranges from 1 to 3 and defaults to 3; the authentication key ID (keyid) ranges from 0 to 4294967295. This command can only be configured on the interface where the NTP broadcast packets are transmitted.
Configuring NTP Broadcast Client Mode. Designate an interface on the local switch to receive NTP broadcast messages and operate in broadcast client mode. The local switch listens to the broadcasts from the server. When it receives the first broadcast packet, it starts a brief client/server mode exchange of messages with the remote server to estimate the network delay. Thereafter, the local switch enters broadcast client mode and continues listening to the broadcast and
324. rform the following configuration in system view. Table 300 Enabling and Disabling an SNMP Agent to Send a Trap. Operation / Command:
- Enable sending a trap: snmp-agent trap enable standard authentication coldstart linkdown linkup warmstart
- Disable sending a trap: undo snmp-agent trap enable standard authentication linkdown linkup coldstart warmstart
Setting the Destination Address of a Trap. You can use the following commands to set or delete the destination address of the trap. Perform the following configuration in system view. Table 301 Setting the Destination Address of a Trap. Operation / Command:
- Set the destination address of a trap: snmp-agent target-host trap address udp-domain host-addr udp-port udp-port-number params securityname community-string v1 v2c v3 authentication privacy
- Delete the destination address of a trap: undo snmp-agent target-host host-addr securityname community-string
The authentication parameter specifies that the packet is authenticated without encryption; this parameter is supported only in SNMP v3. The privacy parameter specifies that the packet is authenticated and encrypted; this parameter is supported only in SNMP v3.
Setting the Lifetime of the Trap Message. You can use the following command to set the lifetime of a trap message. A trap message that exists longer than the set lifetime is dropped. Perform the following config
325. rimary accounting server; secondary accounting (HWTACACS view): configuring the secondary accounting server; retry stop-accounting (HWTACACS view): enabling stop-accounting packet retransmission and setting the allowed maximum number of transmission attempts; reset stop-accounting-buffer hwtacacs-scheme (HWTACACS view): clearing the stop-accounting request packets that have no response.
5. Configuring the source address for HWTACACS packets sent from the NAS: nas-ip (HWTACACS view): optional; hwtacacs nas-ip (System view): required.
6. Setting the key of the TACACS server: key (HWTACACS view): configuring keys.
7. Setting the username format for the TACACS server: user-name-format (HWTACACS view): configuring the format of the user name.
8. Setting the data flow unit for the TACACS server: data-flow-format (HWTACACS view): configuring the flow/traffic unit.
9. Setting the timers of the TACACS server: timer response-timeout (HWTACACS view): setting the TACACS server response timeout time; timer quiet (HWTACACS view): setting the waiting time before the primary TACACS server resumes the active state; timer realtime-accounting (HWTACACS view): setting the real-time accounting interval.
Note: pay attention to the following when configuring a TACACS server. The HWTACACS server does not check whether a scheme is being used by users when changing most HWTACACS attributes, unless you delete the scheme. By default, the TACACS server has no key. In the above configuration tasks, creating a HWTACACS scheme and configuring TACA
326. riority command, or the DSCP specified by dscp in the traffic-priority command. You can tag the packets with different priorities as required by the QoS policy. For details about the command, see the Switch 7750 Command Reference Guide.
Configuring the RED Operation. The RED operation monitors and processes packet forwarding to prevent network congestion. Note: the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X SFP I/O modules do not support this configuration. Perform the following configuration in QoS view. Table 182 Configure RED Operation. Operation / Command:
- Configure RED operation: traffic-red outbound ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule qstart qstop probability
- Cancel the configuration of RED operation: undo traffic-red outbound ip-group acl-number acl-name rule rule link-group acl-number acl-name rule rule
For details about the command, see the Switch 7750 Command Reference Guide.
Configuring Traffic Statistics. The traffic statistics function counts the transmitted data that matches the ACL rules. After the traffic statistics function is configured, you can use the display qos-info traffic-statistic command to display the statistics information. Perform the following configuration in QoS view. Table 183 Configuring Traffic Statistics. Operation / Command: Configure traffic statistics: traffic-statistic inbound outbound
327. riority of a specified command in a certain view. The command levels include visit, monitoring, configuration and management, which are identified with command levels 0 through 3 respectively. An administrator assigns authority according to user requirements. See Table 15. Perform the following configuration in system view. Table 15 Set Command Priority. Operation / Command:
- Set the command priority in a specified view: command-privilege level level view view command
- Restore the default command level in a specified view: undo command-privilege view view command
Configuring the Attributes of a Modem. You can use the commands described in Table 16 to configure the attributes of a modem when logging in to the Switch through the modem. Perform the following configuration in user interface view. Table 16 Configure Modem. Operation / Command:
- Set the interval from when the system receives the modem RING until CD_UP: modem timer answer seconds
- Restore the default interval from when the system receives the RING until CD_UP: undo modem timer answer
- Configure auto answer: modem auto-answer
- Configure manual answer: undo modem auto-answer
- Configure to allow call-in: modem call-in
- Configure to bar call-in: undo modem call-in
- Configure to permit call-in and call-out: modem both
- Configure to disable call-in and call-out: undo modem both
Configuring Redirection. The send command can be used for sending messages between user interfaces. See Table 17. Settin
328. rm the following configurations in system view or Ethernet port view. Table 222 Set Maximum Number of Users by Specified Port. Operation / Command:
- Set the maximum number of users on a specified port: dot1x max-user user-number interface interface-list
- Restore the maximum number of users on the port to the default value: undo dot1x max-user interface interface-list
By default, 802.1x allows up to 1024 supplicants on each port of the Switch 7750.
Enabling DHCP to Launch Authentication. When the user runs DHCP and applies for a dynamic IP address, use the following commands to set whether or not 802.1x enables the Ethernet switch to launch user ID authentication. Perform the following configurations in system view. Table 223 Set to Enable DHCP to Launch Authentication. Operation / Command:
- Enable DHCP to launch authentication: dot1x dhcp-launch
- Disable DHCP to launch authentication: undo dot1x dhcp-launch
212 CHAPTER 9 AAA AND RADIUS OPERATION
By default, authentication is not launched when the user runs DHCP and applies for a dynamic IP address.
Configuring the Authentication Method for 802.1x Users. The following commands can be used to configure the authentication method for 802.1x users. Three methods of authentication are available:
- PAP: the RADIUS server must support this method
- CHAP: the RADIUS server must support this method
- EAP relay: the switch sends authenticat
329. rnet port view. Table 27 Set Description Character String for Ethernet Port. Operation / Command:
- Set the description character string for the Ethernet port: description text
- Delete the description character string of the Ethernet port: undo description
By default, the port description is a null character string.
Ethernet Port Overview 37
Setting the Duplex Attribute of the Ethernet Port. Set the port to full duplex to send and receive data packets at the same time. Set the port to half duplex to either send or receive only. If the port has been set to auto-negotiation mode, the local and peer ports automatically negotiate the duplex mode. Perform the following configuration in Ethernet port view. Table 28 Set Duplex Attribute for Ethernet Port. Operation / Command:
- Set the duplex attribute for the Ethernet port: duplex auto full half
- Restore the default duplex attribute of the Ethernet port: undo duplex
The 100 Mbps TX Ethernet port can operate in full duplex, half duplex or auto-negotiation mode. The Gigabit TX Ethernet port can operate in full duplex, half duplex or auto-negotiation mode; when the port operates at 1000 Mbps, the duplex mode can be set to full (full duplex) or auto (auto-negotiation). The optical 100M, Gigabit and 10-Gigabit Ethernet ports support full duplex mode and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. By default, the port is in auto (auto-negotiation) mode. Setting the Speed of the
330. ...group G, the PIM-SM multicast router is responsible for encapsulating the packet into a registration packet upon receipt. It then sends the packet to the corresponding RP in unicast. If there are multiple PIM-SM multicast routers on a network segment, the Designated Router (DR) will be responsible for sending the multicast packet.

Tasks for preparing to configure PIM-SM are described in the following sections:
- Configure Candidate RPs
- Configure BSRs
- Configure Static RP

Configure Candidate RPs
In a PIM-SM network, multiple RPs (candidate RPs) can be configured. Each Candidate RP (C-RP) is responsible for forwarding multicast packets with destination addresses in a certain range. Configuring multiple C-RPs implements load balancing of the RP. These C-RPs are equal: all multicast routers calculate the RPs corresponding to multicast groups according to the same algorithm after receiving the C-RP messages that the BSR advertises. One RP can serve multiple multicast groups or all multicast groups. Each multicast group can only correspond to one RP at a time, rather than to multiple RPs.

Configure BSRs
The BSR is the management core in a PIM-SM network. Candidate RPs send announcements to the BSR, which is responsible for collecting and advertising the information about all candidate RPs. Note that there can be only one BSR in a network, but you can configure multiple candidate BSRs. In this case, once a BS
331. ...server and a local host. The Ethernet switch provides the following FTP services:
- FTP server: you can run the FTP client program to log in to the server and access the files on it.
- FTP client: after connecting to the server by running the terminal emulator or Telnet on a PC, you can access the files on it using the FTP command.

FTP server configuration includes tasks described in the following sections:
- Enabling and Disabling the FTP Server
- Configuring the FTP Server Authentication and Authorization
- Configuring FTP Server Parameters
- Displaying and Debugging the FTP Server
- Introduction to FTP Client

Enabling and Disabling the FTP Server
You can use the following commands to enable or disable the FTP server. Perform the following configuration in system view.

Table 264 Enable/Disable FTP Server (Operation: Command)
  Enable the FTP server: ftp server enable
  Disable the FTP server: undo ftp server

The FTP server supports multiple user access. A remote FTP client sends a request to the FTP server; the FTP server then carries out the corresponding operation and returns the result to the client. By default, the FTP server is disabled.

Configuring the FTP Server Authentication and Authorization
You can use the following commands to configure FTP server authentication and authorization. The authorization information of the FTP server includes the top working directory provided for FTP clients. Perform the follow
332. ...server delivers test.

# Specify the RADIUS scheme.
[Quidway] radius scheme ias
[Quidway-radius-ias] primary authentication 10.11.1.1
[Quidway-radius-ias] primary accounting 10.11.1.2
[Quidway-radius-ias] key authentication hello
[Quidway-radius-ias] key accounting hello
[Quidway-radius-ias] quit
# Create the ISP domain.
[Quidway] domain ias
[Quidway-isp-ias] scheme radius-scheme ias
# Configure the VLAN delivery mode as string.
[Quidway-isp-ias] vlan-assignment-mode string
[Quidway-isp-ias] quit
# Create a VLAN and specify its name.
[Quidway] vlan 100
# Configure the name of the delivered VLAN.
[Quidway-vlan100] name test

Configure on the Windows IAS server the VLAN delivery mode as string and the name of the delivered VLAN as test.

For the string delivery mode, the VLAN to be delivered must already exist on the switch; that is, you must have created the VLAN and configured a name for it on the switch. There is no such restriction for the integer mode.

Troubleshooting AAA, RADIUS and HWTACACS Configurations
The RADIUS protocol of the TCP/IP protocol suite is located on the application layer. It specifies how to exchange user information between the NAS and the RADIUS servers of an ISP. Tasks for troubleshooting AAA and RADIUS are described in the following sections:
- User authentication/authorization always fails
- RADIUS packet cannot be transmitted to RADIUS server
- After being authenticated and authorized, the user cann
333. ...s. You can use the following commands to configure the security functions of the switch. Perform the following configuration in the corresponding configuration views.

Table 212 Configure the Switch Security Function (Operation: Command)
  Configure switch BPDU protection (from system view): stp bpdu-protection
  Restore the disabled BPDU protection state, the default (from system view): undo stp bpdu-protection
  Configure switch Root protection (from system view): stp interface interface-list root-protection
  Restore the disabled Root protection state, the default (from system view): undo stp interface interface-list root-protection
  Configure switch Root protection (from Ethernet port view): stp root-protection
  Restore the disabled Root protection state, the default (from Ethernet port view): undo stp root-protection
  Configure switch loop protection function (from Ethernet port view): stp loop-protection
  Restore the disabled loop protection state, the default (from Ethernet port view): undo stp loop-protection

After being configured with BPDU protection, the switch will disable, through MSTP, any edge port that receives a BPDU, and notify the network manager at the same time. These ports can be resumed by the network manager only. A port configured with root protection only plays the role of designated port on every instance. Whenever such a port receives a higher-priority BPDU, that is, it is about to turn into a non-designated port, it will
334. ...s are:
- The configuration BPDU with a smaller root ID has a higher priority.
- If the root IDs are the same, perform the comparison based on root path costs. The cost comparison is as follows: the path cost to the root recorded in the configuration BPDU plus the corresponding path cost of the local port is set as X; the configuration BPDU with a smaller X has a higher priority.
- If the costs of the path to the root are the same, compare in sequence the designated switch ID, the designated port ID and the ID of the port through which the configuration BPDU was received.

On a bridge, the port receiving the optimum configuration BPDU is considered the root port, whose configuration BPDU remains the same. Any other port whose configuration BPDU has been updated, as explained in Selecting the Optimum Configuration BPDU, will be blocked and will not forward any data. In addition, any other port only receives but does not retransmit a BPDU, and its BPDU remains the same. On other bridges, a port whose BPDU has not been updated is called the designated port. Its configuration BPDU is modified by substituting:
- the root ID with the root ID in the configuration BPDU of the root port;
- the cost of the path to the root with the value made by the root path cost plus the path cost corresponding to the root port;
- the designated switch ID with the local switch ID;
- the designated port ID with the local port ID.

The compariso
335. ...s on the port of the device. If the user's device can pass authentication, the user can access resources in the LAN. 802.1x defines a port-based network access control protocol and covers only the point-to-point connection between the access device and the access port. The port can be either physical or logical. A typical application environment is as follows: each physical port of the LAN switch connects to only one user workstation (based on the physical port), or the wireless LAN access environment (based on the logical port), etc.

Configuring IEEE 802.1x is described in the following sections:
- 802.1x System Architecture
- Configuring 802.1x

The system using 802.1x is a typical C/S (Client/Server) system architecture. It contains three entities: the Supplicant System, the Authenticator System and the Authentication Server System. The LAN access control device needs to provide the Authenticator System of 802.1x. The computers need to be installed with the 802.1x client (Supplicant) software, for example the 802.1x client provided by Microsoft Windows XP. The 802.1x Authentication Server system normally stays in the carrier's AAA center. The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The Supplicant and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x. Authenti
336. ...s-server-name view.
  Delete a RADIUS server group: undo radius scheme radius-server-name

Several ISP domains can use a RADIUS server group at the same time. By default, the system has a RADIUS server group named system, whose attributes are all default values. The default attribute values are introduced in the following section.

Setting the IP Address and Port Number of RADIUS Server
After creating a RADIUS server group, you set IP addresses and UDP port numbers for the RADIUS servers, including primary/second authentication/authorization servers and accounting servers. You can configure up to 4 groups of IP addresses and UDP port numbers. However, you have to set one group of IP address and UDP port number for each pair of primary/second servers to ensure normal AAA operation. Perform the following configurations in RADIUS server group view.

Table 236 Set IP Address and Port Number of RADIUS Server (Operation: Command)
  Set IP address and port number of primary RADIUS authentication/authorization server: primary authentication ip-address port-number
  Restore IP address and port number of primary RADIUS authentication/authorization server to the default values: undo primary authentication
  Set IP address and port number of primary RADIUS accounting server: primary accounting ip-address port-number
  Restore IP address and port number of primary ...: undo primary accountin
337. ...s specified by the hello timer. Max age specifies when the configuration BPDU expires; the switch will discard an expired configuration BPDU. You can use the following commands to configure the time parameters for the switch. Perform the following configuration in system view.

Table 197 Configure the Time Parameters of a Switch (Operation: Command)
  Configure Forward Delay on the switch: stp timer forward-delay centiseconds
  Restore the default Forward Delay of the switch: undo stp timer forward-delay
  Configure Hello Time on the switch: stp timer hello centiseconds
  Restore the default Hello Time on the switch: undo stp timer hello
  Configure Max Age on the switch: stp timer max-age centiseconds
  Restore the default Max Age on the switch: undo stp timer max-age

Every switch on the switching network adopts the values of the time parameters configured on the root switch of the CIST. The forward delay configured on a switch depends on the switching network diameter; generally, the forward delay should be longer when the network diameter is larger. Note that a forward delay that is too short can temporarily introduce redundant routes, while a forward delay that is too long prolongs the time the network takes to resume connectivity. The default value is recommended. A suitable hello time ensures that the switch can detect link faults on the network while occupying only moderate network resources. The default value is recommended. If you se
338. ...s through. By default, max-ratio is set to 100 and broadcast suppression is not performed on the specified VLAN. Note that you cannot use this command on a port of the 20-port 10/100/1000BASE-T or 20-port 1000BASE-X SFP I/O modules.

Setting or Deleting the VLAN Description Character String
You can use the following command to set or delete the VLAN description character string. The description character strings, such as workgroup_name and department_name, are used to distinguish the different VLANs. Perform the following configuration in VLAN view.

Table 48 Setting and Deleting VLAN Description Character String (Operation: Command)
  Set the description character string for the specified VLAN: description string
  Delete the description character string of the specified VLAN: undo description

By default, the string parameter is null.

Specifying or Removing VLAN Interfaces
You can use the following command to specify or remove VLAN interfaces. To implement the network layer function on a VLAN interface, the VLAN interface must be assigned an IP address and mask; for the corresponding configuration, refer to Network Protocol Operation on page 67. Perform the following configurations in system view.

Table 49 Specifying and Removing VLAN Interfaces (Operation: Command)
  Create a new VLAN interface and enter VLAN interface view: interface vlan-interface vlan_id
  Remove the specified VLAN interface: undo interfac
339. ...sable the PIM-DM debugging: undo debugging pim dm { alert | all | mbr | mrt | timer | warning | { recv | send } { all | assert | graft | graft-ack | join | prune } }

Example: PIM-DM Configuration
LS_A has a port carrying VLAN 10 to connect the Multicast Source, a port carrying VLAN 11 to connect LS_B, and a port carrying VLAN 12 to connect LS_C. Configure the switches to implement multicast between the Multicast Source and Receiver 1 and Receiver 2.

Figure 33 PIM-DM Configuration Networking (figure: Switch A connects to the Multicast Source over VLAN 10, to Switch B and Receiver 1 over VLAN 11, and to Switch C and Receiver 2 over VLAN 12)

Configuration procedure
This section only provides the configuration for Switch A, because the configuration procedures for Switch B and Switch C are similar.

1. Enable the multicast routing protocol.
[SW7750] multicast routing-enable

2. Enable PIM-DM.
[SW7750] vlan 10
[SW7750-vlan10] port Ethernet 1/0/2 to Ethernet 1/0/3
[SW7750-vlan10] quit
[SW7750] vlan 11
[SW7750-vlan11] port Ethernet 1/0/4 to Ethernet 1/0/5
[SW7750-vlan11] quit
[SW7750] vlan 12
[SW7750-vlan12] port Ethernet 1/0/6 to Ethernet 1/0/7
[SW7750-vlan12] quit
[SW7750] interface vlan-interface 10
[SW7750-Vlan-interface10] ip address 1.1.1.1 255.255.0.0
[SW7750-Vlan-interface10] igmp enable
[SW7750-Vlan-interface10] pim dm
[SW7750-Vlan-interface10] quit
[SW7750] interface vlan-interface 11
[SW7750-Vlan-interface11] ip address 2.2.2.2 255.255.0.0
[SW7750-Vlan-interface11] igm
340. ...seconds, and it is 675 seconds by default.
- The receiving/sending buffer size of a connection-oriented socket is in the range from 1 to 32K bytes and is 4K bytes by default.

Perform the following configuration in system view.

Table 74 Configure TCP Attributes (Operation: Command)
  Configure synwait timer time for TCP connection establishment: tcp timer syn-timeout time-value
  Restore synwait timer time for TCP connection establishment to default value: undo tcp timer syn-timeout
  Configure FIN_WAIT_2 timer time of TCP: tcp timer fin-timeout time-value
  Restore FIN_WAIT_2 timer time of TCP to default value: undo tcp timer fin-timeout
  Configure the socket receiving/sending buffer size of TCP: tcp window window-size
  Restore the socket receiving/sending buffer size of TCP to default value: undo tcp window

By default, the TCP finwait timer is 675 seconds, the synwait timer is 75 seconds, and the receiving/sending buffer size of a connection-oriented socket is 4K bytes.

In IP packet forwarding, redirection packets, TTL timeout packets and route unreachable packets are often sent to the CPU, which notifies the peer end for further processing upon receiving them. Configuration errors and malicious assaults may cause CPU overload. In this case, to maintain normal system operation, you may have to use the following commands
341. ...smission times of RADIUS request packet: retry retry-time
  Restore the default value of retransmission times: undo retry

By default, a RADIUS request packet will be retransmitted up to three times.

Enabling the Selection of the RADIUS Accounting Option
If no RADIUS server is available, or if the RADIUS accounting server fails, a user can still use the network resource when accounting optional is configured; otherwise the user will be disconnected. Perform the following configurations in RADIUS server group view.

Table 240 Enable the Selection of the RADIUS Accounting Option (Operation: Command)
  Enable the selection of the RADIUS accounting option: accounting optional
  Disable the selection of the RADIUS accounting option: undo accounting optional

For a user configured with the accounting optional command in a RADIUS scheme, the switch no longer sends real-time accounting update packets or offline accounting packets. The accounting optional command in a RADIUS server group view is only effective on the accounting that uses this RADIUS server group. By default, selection of the RADIUS accounting option is disabled.

Setting a Real-time Accounting Interval
To implement this feature, it is necessary to set a real-time accounting interval. After the attribute is set, the NAS will transmit the accounting information of online users to the RADIUS server regularly. Perform the following configurations in RADIUS server group view.

Table 241 Set a Real-Time Accounting
342. ...ss vlan vlan_id
  Add the current hybrid port to specified VLANs: port hybrid vlan vlan_id_list { tagged | untagged }
  Add the current trunk port to specified VLANs: port trunk permit vlan { vlan_id_list | all }
  Remove the current access port from the specified VLAN: undo port access vlan
  Remove the current hybrid port from specified VLANs: undo port hybrid vlan vlan_id_list
  Remove the current trunk port from specified VLANs: undo port trunk permit vlan { vlan_id_list | all }

The access port will be added to an existing VLAN other than VLAN 1. The VLAN to which a hybrid port is added must exist. The VLAN to which a trunk port is added cannot be VLAN 1. After adding the Ethernet port to the specified VLANs, the local port can forward packets from these VLANs. The hybrid and trunk ports can be added to multiple VLANs, thereby implementing VLAN intercommunication between peers. For the hybrid port, you can tag VLAN packets to process packets in different ways depending on the target device.

Setting the Default VLAN ID for Ethernet Port
Since the access port can only be included in one VLAN, its default VLAN is the one to which it belongs. The hybrid port and the trunk port can be included in several VLANs, however, so it is necessary to configure the default VLAN ID. If the default VLAN ID has been configured, packets without a VLAN tag will be forwarded to the port that belongs to the default VLAN. When sending the packets
343. ...ssage border.

Entering PIM View
Global parameters of PIM should be configured in PIM view. Perform the following configuration in system view.

Table 147 Entering PIM View (Operation: Command)
  Enter PIM view: pim
  Back to system view: undo pim

Using the undo pim command, you clear the configuration in PIM view and return to system view.

Configuring Candidate BSRs
In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among the candidate BSRs. The BSR takes charge of collecting and advertising RP information. The automatic election among candidate BSRs works as follows. One interface which has started PIM-SM must be specified when configuring the router as a candidate BSR. At first, each candidate BSR considers itself the BSR of the PIM-SM domain and sends a Bootstrap message, taking the IP address of the interface as the BSR address. When receiving Bootstrap messages from other routers, the candidate BSR compares the BSR address of the newly received Bootstrap message with its own. The comparison standards are priority and IP address; the larger IP address is considered better when the priority is the same. If the new BSR address is better, the candidate BSR will replace its BSR address; otherwise, the candidate BSR will keep its BSR address and continue to regard itself as the BSR. Perform the following configuration in PIM view.
344. ...t a hello time that is too long, when a packet is dropped over a link the switch may consider it a link fault and the network devices will recalculate the spanning tree accordingly. However, with a hello time that is too short, the switch frequently sends configuration BPDUs, which adds burden and wastes network resources. A max age that is too short can cause the network device to calculate the spanning tree frequently and mistake congestion for a link fault. If the max age is too long, the network device may not be able to discover the link fault and recalculate the spanning tree in time, which weakens the auto-adaptation capacity of the network. The default value is recommended.

To avoid frequent network flapping, the values of hello time, forward delay and maximum age should satisfy the following formulas:
  2 x (forward delay - 1 second) >= maximum age
  maximum age >= 2 x (hello time + 1.0 second)

You should use the stp root primary command to specify the network diameter and hello time of the switching network, so that MSTP will calculate the other values automatically and give better values. By default, forward delay is 15 seconds, hello time is 2 seconds and max age is 20 seconds.

Configuring the Max Transmission Speed on a Port
The max transmission speed on a port specifies how many MSTP packets will be transmitted every hello time through the port. The max transmission speed on a port is limited
345. ...t as an edge port or non-edge port in the following ways.

Configuring in System View
Perform the following configuration in system view.

Table 200 Configure a Port as an Edge Port or a Non-edge Port (Operation: Command)
  Configure a port as an edge port: stp interface interface-list edged-port enable
  Configure a port as a non-edge port: stp interface interface-list edged-port disable
  Restore the default setting (non-edge port) of the port: undo stp interface interface-list edged-port

Configuring in Ethernet Port View
Perform the following configuration in Ethernet port view.

Table 201 Configure a Port as an Edge Port or a Non-edge Port (Operation: Command)
  Configure a port as an edge port: stp edged-port enable
  Configure a port as a non-edge port: stp edged-port disable
  Restore the default setting (non-edge port) of the port: undo stp edged-port

For more about the commands, see the Switch 7750 Command Reference Guide. After it is configured as an edge port, the port can transit rapidly from the blocking state to the forwarding state without any delay. If BPDU protection has not been enabled on the switch, the configured edge port will turn into a non-edge port again when it receives a BPDU from another port. If BPDU protection is enabled, the port will be disabled. This parameter is configured the same and takes effect on all the STIs. To re-enable a port that was disabled by the stp edged-port disable command, use the
346. ...t key: key accounting string
  Restore the default RADIUS accounting packet key: undo key accounting

Setting the Response Timeout Timer of RADIUS Server
After a RADIUS authentication/authorization or accounting request packet is transmitted, the NAS waits for a specific period of time. If the NAS has not received the response from the RADIUS server within that time, it has to retransmit the request to guarantee RADIUS service for the user. Perform the following configurations in RADIUS server group view.

Table 238 Set Response Timeout Timer of RADIUS Server (Operation: Command)
  Set response timeout timer of RADIUS server: timer second
  Restore the response timeout timer of RADIUS server to default value: undo timer

By default, the timeout timer of the RADIUS server is 3 seconds.

Setting Retransmission Times of the RADIUS Request Packet
Since the RADIUS protocol uses UDP packets to carry the data, the communication process is not reliable. If the RADIUS server has not responded to the NAS before the timeout, the NAS has to retransmit the RADIUS request packet. If it has transmitted the packet more than retry-time times and the RADIUS server still has not given any response, the NAS considers the communication with the current RADIUS server disconnected and will transmit the request packet to other RADIUS servers. Perform the following configurations in RADIUS server group view.

Table 239 Set Retransmission Times of RADIUS Request Packet (Operation: Command)
  Set retran
347. ...t packets, the local switch will operate in broadcast mode. If you configure an interface on the local switch to receive NTP broadcast packets, the local switch will operate in broadcast client mode. If you configure an interface on the local switch to transmit NTP multicast packets, the local switch will operate in multicast mode. You may also configure an interface on the local switch to receive NTP multicast packets; the local switch will then operate in multicast client mode.

The following sections describe how to configure NTP modes:
- Configuring NTP Server Mode
- Configuring NTP Peer Mode
- Configuring NTP Broadcast Server Mode
- Configuring NTP Broadcast Client Mode
- Configuring NTP Multicast Server Mode
- Configuring NTP Multicast Client Mode

Configuring NTP Server Mode
Set a remote server whose IP address is ip-address as the local time server. ip-address specifies a host address other than a broadcast, multicast or reference clock IP address. In this case, the local switch operates in client mode. In this mode, only the local client synchronizes its clock with the clock of the remote server, while the reverse synchronization will not happen. Perform the following configurations in system view.

Table 319 Configuring NTP Time Server (Operation: Command)
  Configure NTP time server: ntp-service unicast-server ip-address [ version number ] [ authentication-keyid keyid ] [ source-interface { interface-name | interface-type interface-num
348. ...t the help information through these online help commands, which are described as follows:
- Enter ? in any view to get all the commands in that view and corresponding descriptions:
  <SW7750> ?
  User view commands:
    boot        Set boot option
    cd          Change current directory
    clock       Specify the system clock
    copy        Copy from one file to another
    debugging   Enable system debugging functions
    delete      Delete a file
    dir         List files on a file system
    display     Display current system information
- Enter a command followed by a ?, separated by a space. If this position is for keywords, then all the keywords and the corresponding brief descriptions will be listed:
  <SW7750> ping ?
    -a    Select source IP address
    -c    Specify the number of echo requests to send
    -d    Specify the SO_DEBUG option on the socket being used
    -h    Specify TTL value for echo requests to be sent
    -i    Select the interface sending packets
    -n    Numeric output only. No attempt will be made to look up host addresses for symbolic names
    -p    No more than 8 pad hexadecimal characters to fill out the sent packet. For example, -p f2 will fill the sent packet with f and 2 repeatedly
    -q    Quiet output. Nothing is displayed except the summary lines at startup time and when finished
    -r    Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route
    -s    Specifies the number of data bytes to be sent
    -t    Timeout in milliseconds to wait for each reply
349. ...tains a group of workstations with the same demands. However, the workstations of a VLAN do not have to belong to the same physical LAN segment. Within a VLAN, broadcast and unicast traffic is not forwarded to other VLANs. Therefore, VLAN configurations are very helpful in controlling network traffic, saving device investment, simplifying network management and improving security.

VLANs are divided into four categories:
- Port-based VLAN
- Protocol-based VLAN
- MAC-based VLAN
- Policy-based VLAN

Port-based VLANs define VLAN members according to switch ports. This is the simplest and most efficient way to create VLANs. The Switch 7750 supports port-based and network-layer-based VLANs. The network-layer-based VLANs are divided by protocols such as IP, so they are called protocol-based VLANs. Because this method is based on protocols, it is not related to routes and has nothing to do with routing at the network layer.

Configuring VLANs
The following sections describe how to configure VLANs:
- Common VLAN Configuration Tasks
- Configuring Port-Based VLANs
- Configuring Protocol-Based VLANs

Common VLAN Configuration Tasks
The following sections discuss the common tasks for configuring a VLAN:
- Creating or Deleting a VLAN
- Specifying the Broadcast Suppression Ratio for a VLAN
- Setting or Deleting the VLAN Description Character String
- Specifying or Removing VLAN Interfaces
- Shutting
350. ...tches, through which switches of different types are capable of communicating with each other in an MSTP domain. Configure digest snooping on a switch to enable it to communicate, in MSTP domains, with other switches that are configured with some proprietary protocol to calculate the configuration digest through MSTI.

Prerequisites
Switches of different manufacturers are interconnected in a network and have MSTP properly employed. The network operates properly.

Configuration Procedure
Table 217 Configure digest snooping (Operation: Command, with remarks)
  Enter system view: system-view
  Enter Ethernet interface view: interface interface_type interface_num (interface_type: interface type; interface_num: interface number)
  Enable digest snooping on the interface: stp config-digest-snooping (Required. Digest snooping is disabled by default.)
  Quit Ethernet interface view: quit
  Enable digest snooping globally: stp config-digest-snooping (Required. Digest snooping is disabled by default.)
  Display current configuration information: display current-configuration (This command can be executed in any view.)

Note the following:
- You must enable digest snooping on an interface first, before enabling it globally.
- Digest snooping is unnecessary if the interconnected switches are from the same vendor.
- To enable digest snooping, the interconnected switches must be configured with
351. ...te the display command in all views to display the user interface configuration and to verify the effect of the configuration. Execute the free command in user view to clear a specified user interface.

Table 19 Display and Debug User Interface (Operation: Command)
  Clear a specified user interface: free user-interface type number
  Display the user application information of the user interface: display users all
  Display the physical attributes and some configurations of the user interface: display user-interface [ type number | number ] [ summary ]

Command Line Interface
Command Line View
The Switch 7750 provides a series of configuration commands and command line interfaces for configuring and managing the Switch 7750. The command line interface has the following features:
- Local configuration through the console port
- Local or remote configuration through Telnet
- Remote configuration through a dial-up modem to log in to the Switch 7750
- Hierarchy command protection to prevent unauthorized users from accessing the switch
- Access to online help by entering ?
- Network test commands, such as Tracert and Ping, for rapid troubleshooting of the network
- Detailed debugging information to help with network troubleshooting
- Ability to log in and manage other Switch 7750s directly using the telnet command
- FTP service for the users to upload and download files
- Ability to view previously exec
352. ...the primary root or the secondary root of the spanning tree.

MSTP and RSTP are compatible and can recognize each other's packets. However, STP cannot recognize MSTP packets. To implement the compatibility, MSTP provides two operation modes: STP-compatible mode and MSTP mode. In STP-compatible mode, the switch sends STP packets on every port and serves as a region by itself. In MSTP mode, the switch ports send MSTP packets, or STP packets when connected to an STP switch, and the switch provides the multiple spanning tree function. You can use the following command to configure the MSTP running mode. MSTP can intercommunicate with STP: if there is an STP switch in the switching network, you can use the command to configure the current MSTP to run in STP-compatible mode; otherwise, configure it to run in MSTP mode. Perform the following configuration in system view.

Table 193 Configure the MSTP Running Mode (Operation: Command)
  Configure MSTP to run in STP-compatible mode: stp mode stp
  Configure MSTP to run in RSTP mode: stp mode rstp
  Configure MSTP to run in MSTP mode: stp mode mstp
  Restore the default MSTP running mode: undo stp mode

Generally, if there is an STP switch on the switching network, the port connected to it will automatically transit from MSTP mode to STP-compatible mode. The port cannot automatically transition itself back to MSTP mode after the STP switch is removed. In this case, you can
353. the route capacity-related memory setting and state information: display memory limit

MULTICAST PROTOCOL

This chapter includes information on the following:
- IP Multicast Overview
- Configuring Common Multicast
- Configuring IGMP
- IGMP Snooping
- Configuring PIM-DM
- Configuring PIM-SM
- GMRP

IP Multicast Overview

Many transmission methods can be used when the destination, including data, voice and video, is the secondary use of the network. If the unicast method is used, you must establish an independent data transmission path for each user. The broadcast method can be used if you intend to send the information to all users on the network. In either case the end users will receive the information. For example, if the same information is required by 200 users on the network, the traditional solution is to send the information 200 times in unicast mode. In broadcast mode, the data is broadcast over the entire network. However, both methods waste bandwidth resources. In addition, broadcast mode cannot ensure information security. IP multicast technology solves this problem: the multicast source sends the information only once. Multicast routing protocols establish tree-type routing for multicast packets (see Figure 26), so that information can be correctly sent with high efficiency to each user.

Multicast Addresses
354. the same settings.
- To enable digest snooping, all interfaces in an MSTP domain used to connect other switches must have digest snooping enabled.
- Do not enable digest snooping on border interfaces of an MSTP domain.
- To change the domain configuration, be sure to disable digest snooping first to prevent a broadcast storm.

AAA AND RADIUS OPERATION

This chapter covers the following topics:
- IEEE 802.1x
- Implementing the AAA and RADIUS Protocols
- Configuring AAA
- Configuring the RADIUS Protocol
- Configuring HWTACACS
- Displaying and Debugging the AAA, RADIUS and HWTACACS Protocols
- AAA, RADIUS and HWTACACS Protocol Configuration Examples
- Troubleshooting AAA, RADIUS and HWTACACS Configurations

IEEE 802.1x

802.1x System Architecture

IEEE 802.1x (referred to as 802.1x) is a port-based network access control protocol that is used as the standard for LAN user access authentication. In LANs that comply with IEEE 802 standards, the user can access devices and share resources in the LAN by connecting to a device such as a LAN switch. In telecom access and commercial LANs (a typical example is the LAN in an office building or a mobile office), the LAN providers generally aim to control the user's access, and the above-mentioned port-based network access control is the most applicable. As the name implies, port-based network access control means to authenticate and control all accessed device
355. the system learns a dynamic ARP entry, its aging period is based on the currently configured value. Perform the following configuration in system view.

Table 67 Configure the Dynamic ARP Aging Timer
- Configure the dynamic ARP aging timer: arp timer aging aging-time
- Restore the default dynamic ARP aging time: undo arp timer aging

By default, the aging time of the dynamic ARP aging timer is 20 minutes.

Displaying and Debugging ARP

After the previous configuration, execute the display command in all views to display the operation of the ARP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the ARP configuration.

Table 68 Display and Debug ARP
- Display the ARP mapping table: display arp [ ip-address | static | dynamic ] [ | { begin | include | exclude } text ]
- Display the current setting of the dynamic ARP mapping aging timer: display arp timer aging
- Enable ARP information debugging: debugging arp packet status
- Disable ARP information debugging: undo debugging arp packet status

By default, all ARP mapping entries of the Ethernet switch are displayed.

DHCP Relay

Dynamic Host Configuration Protocol (DHCP) offers dynamic IP address assignment. DHCP works in client/server mode. With this protocol, the DHCP client can dynamically request configuration information and the DHCP server can configure the information for the client. T
356. thernet Port
- Display all the information of the port: display interface [ interface-type | interface-type interface-num | interface-name ]
- Display hybrid port or trunk port: display port { hybrid | trunk }
- Clear the statistics information of the port: reset counters interface [ interface-type | interface-type interface-num | interface-name ]

Troubleshooting VLAN Port Configuration

Configuring Link Aggregation

1 Example: Configuring the Default VLAN ID of the Trunk Port

In this example, the Ethernet switch Switch A is connected to the peer Switch B through the trunk port Ethernet1/0/1. This example shows the default VLAN ID for the trunk port and verifies the port trunk pvid vlan command. As a typical application of the port trunk pvid vlan command, the trunk port transmits the packets without a tag to the default VLAN.

Figure 13 Configure the Default VLAN for a Trunk Port (figure not reproduced: Switch A connected to Switch B through the trunk port)

The following configurations are used for Switch A; configure Switch B in a similar way.

Enter the Ethernet port view of Ethernet1/0/1:
[SW7750] interface ethernet1/0/1

Set Ethernet1/0/1 as a trunk port and allow VLANs 2, 6 through 50, and 100 to pass through:
[SW7750-Ethernet1/0/1] port link-type trunk
[SW7750-Ethernet1/0/1] port trunk permit vlan 2 6 to 50 100

Create VLAN 100:
[SW7750] vlan 100

Configure the default VLAN ID of
357. time accounting interval (minutes)
- 1 to 99 users: 3
- 100 to 499 users: 6

Table 255 Numbers of users and the recommended intervals
Number of users / Real-time accounting interval (minutes)
- 500 to 999 users: 12
- 1000 or more users: 15 or more

The real-time accounting interval defaults to 12 minutes.

Displaying and Debugging the AAA, RADIUS and HWTACACS Protocols

After you configure RADIUS, execute the display command in all views to display the running of the AAA, RADIUS and HWTACACS configuration and to verify the effect of the configuration. Execute the reset command in user view to reset the configuration. Execute the debugging command in user view to debug the configuration.

Table 256 Displaying and Debugging AAA and RADIUS/HWTACACS Protocol
- Display the configuration information of the specified or all the ISP domains: display domain
- Display related information of user connections
- Display related information of the local user
- Display the statistics of the local RADIUS authentication server
- Display the configuration information of RADIUS schemes
- Display the statistics of RADIUS packets
- Display the stop-accounting requests saved in the buffer without response
- Display the specified or all the HWTACACS schemes
- Display information on the stop-accounting packets in the buffer
- Delete the stop-accounting requests saved in the buffer without response
358. ting the Range of Legal C-RP

In a PIM-SM network using the BSR mechanism, every router can set itself as a C-RP (candidate rendezvous point) servicing particular groups. If elected, a C-RP becomes the RP servicing the current group. In the BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which then propagates the C-RP messages among the network in BSR messages. To prevent C-RP spoofing, you need to configure crp-policy on the BSR to limit the legal C-RP range and their service group range. Since each C-BSR has the chance to become the BSR, you must configure the same filtering policy on each C-BSR router. Perform the following configuration in PIM view.

Table 154 Limiting the Range of Legal C-RP
- Limit the legal C-RP range: crp-policy acl-number
- Restore the default setting: undo crp-policy

For detailed information on the crp-policy command, see the Switch 7750 Command Reference Guide.

Clearing Multicast Route Entries from the PIM Routing Table

Perform the following configuration in user view.

Table 155 Clearing Multicast Route Entries from the PIM Routing Table
- Clear multicast route entries from the PIM routing table: reset pim routing-table { all | group-address [ mask group-mask | mask-length group-mask-length ] source-address [ mask source-mask | mask-length source-mask-length ] incoming-interface
359. ting the Speed of the Ethernet Port
- Setting the Cable Type for an Ethernet Port
- Setting Flow Control for an Ethernet Port
- Permitting/Forbidding Jumbo Frames on the Ethernet Port
- Setting the Ethernet Port Broadcast Suppression Ratio
- Setting the Link Type for an Ethernet Port
- Adding the Ethernet Port to a VLAN
- Setting the Default VLAN ID for an Ethernet Port
- Copying a Port Configuration to Other Ports
- Displaying and Debugging Ethernet Ports

Entering Ethernet Port View

Before configuring the Ethernet port, enter Ethernet port view. Perform the following configuration in system view.

Table 25 Enter Ethernet Port View
- Enter Ethernet port view: interface GigabitEthernet slot/subslot/port

The submodule on the fabric for the 4-slot chassis is always set to 1.

Enabling and Disabling Ethernet Ports

The following command can be used for disabling or enabling the port. After configuring the related parameters and protocol of the port, you can use the following command to enable the port. Perform the following configuration in Ethernet port view.

Table 26 Enable/Disable an Ethernet Port
- Disable an Ethernet port: shutdown
- Enable an Ethernet port: undo shutdown

By default, the port is enabled.

Setting the Description Character String for an Ethernet Port

You can use the following command to identify the Ethernet ports. Perform the following configuration in Ethe
360. tion is available to set a default route. All the packets that fail to find a suitable table entry are forwarded through this default route. In a complicated internet, as shown in the following figure, the number in each network is the network address. The router R8 is connected to three networks, so it has three IP addresses and three physical ports. Its routing table is shown in Figure 23.

Figure 23 The Routing Table (figure not reproduced; the table lists the destination, the forwarding port and the router passed)

The Switch 7750 supports the configuration of a series of dynamic routing protocols such as RIP, as well as static routes. The static routes configured by the user are managed together with the dynamic routes detected by the routing protocol. The static routes and the routes learned or configured by routing protocols can be shared with each other. Routing protocols, as well as the static configuration, can generate different routes to the same destination, but not all these routes are optimal. In fact, at a certain moment only one routing protocol can determine the current route to a single destination. Thus each routing protocol, including the static configuration, has a set preference, and when there are multiple routing information sources, the route discovered by the routing protocol with the highest preference becomes the current route. Routing protocols and the default preferences
361. tle efficiency. The concept of mask and subnet was proposed to make full use of the available IP addresses. A mask is a 32-bit number corresponding to an IP address. The number consists of 1s and 0s. In principle these 1s and 0s can be combined randomly; however, the first consecutive bits are set to 1s when designing the mask. The mask divides the address into two parts: the subnet address and the host address. The 1 bits in the mask indicate the subnet address and the other bits indicate the host address. If there is no subnet division, then the subnet mask is the default value and the length of the 1s indicates the net-id length. Therefore, for IP addresses of classes A, B and C, the default values of the corresponding subnet mask are 255.0.0.0 for Class A, 255.255.0.0 for Class B and 255.255.255.0 for Class C. The mask can be used to divide a Class A network containing more than 16,000,000 hosts, or a Class B network containing more than 60,000 hosts, into multiple small networks. Each small network is called a subnet. For example, for the Class A network address 10.110.0.0, the mask 255.255.224.0 can be used to divide the network into 8 subnets: 10.110.0.0, 10.110.32.0, 10.110.64.0 and so on. Each subnet can contain more than 8000 hosts. The following sections describe the tasks for configuring an IP address:
- Configure IP Address and HostName for a Host
- Configuring the IP Address of the VLAN Interface
- Displaying and Debugging an IP Address
362. tor, Telnet terminal, log buffer, log host, trap buffer and SNMP.
- The log is divided into 8 levels according to the significance of the event, and it can be filtered based on the levels.
- The information can be classified in terms of the source modules, and the information can be filtered by module.
- The output language can be selected between English and Chinese.

SYSLOG configuration includes tasks described in the following sections:
- Enabling and Disabling the Logging Function
- Setting the Output Channel of the Log
- Defining the Log Filtering Rules
- Configuring the SNMP Timestamp Output Format
- Configuring the Info-center Loghost
- Displaying and Debugging the Syslog Function

Of the above configurations, the log host is not configured on the switch. All other configurations take effect after the logging function is enabled.

Enabling and Disabling the Logging Function

You can use the following commands to enable or disable the logging function. Perform the following operation in system view.

Table 291 Enable/Disable the Logging Function
- Enable the logging function: info-center enable
- Disable the logging function: undo info-center enable

By default, syslog is disabled. When syslog is enabled, system performance is affected by the information classification and the output, especially when there is a large amount of information to be processed.

Setting the Output Channel of t
363. ts need to respond to IGMP query messages from the multicast router, i.e. report the group membership to the router. The router needs to send membership query messages periodically to discover whether hosts join the specified group on its subnets, according to the received response messages. When the router receives a report that hosts leave the group, the router sends a group-specific query (IGMP Version 2) to discover whether there are no members left in the group. IGMP has three versions: IGMP Version 1, defined by RFC 1112; IGMP Version 2, defined by RFC 2236; and IGMP Version 3. IGMP Version 2 is the most widely used version. IGMP Version 2 has the following improvements over IGMP Version 1:
- Election mechanism of multicast routers on the shared network segment. A shared network segment means that there are multiple multicast routers on a network segment. In this case all routers running IGMP on the network segment can receive the membership report from hosts; therefore only one router is required to send membership query messages. In this case the router election mechanism is required to specify a router as the querier. In IGMP Version 1, selection of the querier is determined by the multicast routing protocol. IGMP Version 2 specifies that the multicast router with the lowest IP address is elected as the querier when there are multiple multicast routers on the same network segment.
- Leaving group mechanism
364. ttributes of the routing information. Perform the following configurations in route policy view.

Table 101 Defining If-match Conditions
- Match the destination address of the routing information: if-match { acl acl-number | ip-prefix ip-prefix-name }
- Cancel the matched destination address of the routing information set by the ACL or the address prefix list: undo if-match { acl acl-number | ip-prefix ip-prefix-name }
- Match the next-hop interface of the routing information: if-match interface interface-type interface-number
- Cancel the matched next-hop interface of the routing information: undo if-match interface
- Match the next hop of the routing information: if-match ip next-hop { acl acl-number | ip-prefix ip-prefix-name }
- Cancel the matched next hop of the routing information set by the address prefix list: undo if-match ip next-hop [ ip-prefix ip-prefix-name ]
- Match the tag domain of the routing information: if-match tag value
- Cancel the tag domain of the matched routing information: undo if-match tag

By default, no matching is performed.

The if-match clauses for a node in the route policy require that the route satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are specified, all the routes pass the filtering on the node.

Defining Apply Clauses for a Route Policy

The apply clauses specify actions, which are the c
365. ue. Otherwise the system displays an error message.

Join timer > 2 x hold timer
Leave timer > 2 x join timer AND < leaveall timer

GARP timers have the following default values:
- Hold timer: 10 centiseconds
- Join timer: 20 centiseconds
- Leave timer: 60 centiseconds
- Leaveall timer: 1000 centiseconds

Displaying and Debugging GARP

After you configure the GARP timer, execute the display command in all views to display the GARP configuration and to verify the effect of the configuration. Execute the reset command in user view to reset the GARP configuration. Execute the debugging command in user view to debug the GARP configuration.

Table 57 Display and Debug GARP
- Display GARP statistics information: display garp statistics [ interface interface-list ]
- Display GARP timer: display garp timer [ interface interface-list ]
- Reset GARP statistics information: reset garp statistics [ interface interface-list ]
- Enable GARP event debugging: debugging garp event
- Disable GARP event debugging: undo debugging garp event

GARP VLAN Registration Protocol

GVRP is a GARP application. GVRP is based on GARP and maintains the dynamic VLAN registration information in the switch and distributes the information to other switches. All the GVRP-supporting switches can receive VLAN registration information from other switches and can dynamically update local VLAN registration information, includin
366. uld be forwarded.
- Cost: The cost for the router to reach the destination, which should be an integer in the range of 0 to 15.
- Timer: The length of time from the last time that the routing entry was modified until now. The timer is reset to 0 whenever a routing entry is modified.
- Route tag: The indication of whether the route is generated by an interior routing protocol or by an exterior routing protocol.

The whole process of RIP startup and operation can be described as follows. If RIP is enabled on a router for the first time, the router broadcasts a request packet to adjacent routers. When they receive the request packet, adjacent routers on which RIP is also enabled respond to the request by returning response packets containing information about their local routing tables. After receiving the response packets, the router that sent the request modifies its own routing table. RIP broadcasts its routing table to adjacent routers every 30 seconds. The adjacent routers maintain their own routing tables after receiving the packets and elect an optimal route, then advertise the modification information to their adjacent networks to make the updated route globally available. Furthermore, RIP uses a timeout mechanism to handle timed-out routes to ensure the timeliness and validity of the routes. With these mechanisms, RIP, an interior routing protocol, ena
367. unction, ACLs used for controlling user logons, and so on.

ACL Support on the Switch 7750

Table 161 lists the categories of ACLs, their value ranges and the maximum number of each ACL on a Switch 7750.

Table 161 Quantitative Limitation to the ACL
Item / Value range / Maximum
- Numbered basic ACL / 2000 to 2999 / 99
- Numbered advanced ACL / 3000 to 3999 / 00
- Numbered Layer 2 ACL / 4000 to 4999 / 00
- User-defined ACL / 5000 to 5999 / 00
- Named basic ACL / 000
- Named advanced ACL / 000
- Named Layer 2 ACL / 000
- The sub-items of an ACL / 0 to 127 / 28
- Maximum sub-items for all ACLs for a 7-slot chassis / 1536 with 6 48-port I/O modules installed
- Maximum sub-items for all ACLs for a 4-slot chassis / 768 with 3 48-port I/O modules installed
- Maximum sub-items for all ACLs for an 8-slot chassis / 1536 with 6 48-port I/O modules installed

Configuring ACLs

ACL configuration includes the tasks described in the following sections:
- Configuring the Time Range
- Selecting the ACL Mode
- Defining an ACL
- Activating an ACL

Configure the time range first, then define the ACL using the defined time range in the definition, followed by activating the ACL to validate it. These steps must be done in sequence. The process of configuring a time range includes configuring the hour-minute range, date range and period range. The hour
368. undersized packets: 0, oversized packets: 0, fragments packets: 20, jabbers packets: 0, CRC alignment errors: 0, collisions: 0
Dropped packet events (due to lack of resources): 0
Packets received according to length (in octets):
64: 2644, 65-127: 7518, 128-255: 688, 256-511: 101, 512-1023: 3, 1024-1518: 0

NTP

As the network topology gets more and more complex, it becomes important to synchronize the clocks of the equipment on the entire network. Network Time Protocol (NTP) is a TCP/IP feature that advertises the accurate time throughout the network. NTP ensures the consistency of the following applications:
- Synchronizing the clock between two systems for incremental backup between the backup server and client
- Referencing the same clock and guaranteeing correct processing for multiple systems that coordinate to process a complex event
- Guaranteeing the normal operation of inter-system Remote Procedure Call
- Recording an application when a user logs in to a system, a file is modified, or some other operation is performed

Figure 65 illustrates the basic operating principle of NTP.

Figure 65 Basic Operating Principle of NTP (figure not reproduced: NTP messages exchanged between Switch A and Switch B, each carrying the timestamps used for clock synchronization)
369. up. Usually the host running IGMP responds to the IGMP query packet of the multicast router. In case of a response failure, the multicast router considers that there is no multicast member on this network segment and cancels the corresponding path. Configuring one interface of the router as a multicast member can avoid such a problem: when the interface receives an IGMP query packet, the router responds, ensuring that the network segment is connected and can receive multicast packets. Perform the following configuration in VLAN interface view.

Table 126 Configure a Router to Be a Member of a Group
- Configure a router to be a member of a multicast group (VLAN interface view): igmp host-join group-address port { interface-type interface-num | interface-name } [ to { interface-type interface-num | interface-name } ]
- Cancel a router's membership of a multicast group (VLAN interface view): undo igmp host-join group-address port { interface-type interface-num | interface-name } [ to { interface-type interface-num | interface-name } ]
- Configure a router to be a member of a multicast group (Ethernet interface view): igmp host-join group-address vlan vlanid
- Cancel a router's membership of a multicast group (Ethernet interface view): undo igmp host-join group-address vlan vlanid

By default, a router does not join a
370. uration in system view.

Table 302 Setting the Lifetime of the Trap Message
- Set the lifetime of a trap message: snmp-agent trap life seconds
- Restore the lifetime of a trap message: undo snmp-agent trap life

By default, the lifetime of a trap message is 120 seconds.

Setting SNMP Information

The SNMP system information includes the character string sysContact (system contact), the character string describing the system location, and the version information for SNMP in the system. Use the following commands to set the system information. Perform the following configuration in system view.

Table 303 Setting SNMP System Information
- Set SNMP system information: snmp-agent sys-info { contact sysContact | location syslocation | version { v1 | v2c | v3 | all } }
- Restore the default SNMP system information of the Ethernet switch: undo snmp-agent sys-info { contact | location | version { v1 | v2c | v3 | all } }

By default, syslocation is specified as "Marlborough, MA".

Setting the Engine ID of a Local or Remote Device

Use the following commands to set the engine ID of a local or remote device. Perform the following configuration in system view.

Table 304 Setting the Engine ID of a Local or Remote Device
- Set the engine ID of the device: snmp-agent local-engineid engineid
- Restore the default engine ID of the device: undo snmp-agent
371. urces are as follows:
- Aggregation groups including special ports which require hardware aggregation resources
- Manual and static LACP aggregation groups
- Aggregation groups that probably reach the maximum rate after the resources are allocated to them
- Aggregation groups with the minimum master port numbers, if they reach the same rate as other groups after the resources are allocated to them

When aggregation groups of higher priority levels appear, the aggregation groups of lower priority levels release their hardware resources. Single-port aggregation groups that can transceive packets normally without occupying hardware resources do not occupy the resources.

Configuring Link Aggregation

A load-sharing aggregation group may contain several selected ports, but a non-load-sharing aggregation group can only have one selected port, while the others are standby ports. The selection criteria for selected ports vary for different types of aggregation groups. The Switch 7750 only supports LACP for ports on the same I/O module. A maximum of 16 ports can be active in a link aggregation. For modules that have fewer than 16 ports, such as the 8-port 1000BASE-X GE module, only eight ports can be active members of a link aggregation. Link aggregation configuration includes tasks described in the following sections:
- Enabling or Disabling LACP at a Port
- Creating or Deleting an Aggregation
372. ure port priority: lacp port-priority port-priority-value
- Restore the default port priority: undo lacp port-priority

The default value for port priority is 32768.

Displaying and Debugging Link Aggregation

After you have completed your configuration, execute the display command in any view to display the link aggregation configuration and to verify the effect of the configuration. You can also use the reset command in user view to clear the LACP statistics of the port. Use the debugging commands in user view to debug LACP.

Table 45 Display and Debug Link Aggregation
- Display summary information of all aggregation groups: display link-aggregation summary
- Display detailed information of a specific aggregation group: display link-aggregation verbose [ agg-id ]
- Display the local system ID: display lacp system-id
- Display detailed link aggregation information at the port: display link-aggregation interface { interface-type interface-number | interface-name } [ to { interface-type interface-num | interface-name } ]
- Clear LACP statistics at the port: reset lacp statistics [ interface { interface-type interface-number | interface-name } [ to { interface-type interface-num | interface-name } ] ]
- Disable/enable debugging of the LACP state machine: undo
- Disable/enable debugging of LACP packets
- Disable/enable debugging of link aggregation errors
- Disable/enable debugging of link aggregation events
373. uring Static RP
- Configure a static RP: static-rp rp-address [ acl-number ]
- Remove the static RP configuration: undo static-rp

Basic ACLs can control the range of the multicast groups served by the static RP. If a static RP is in use, all routers in the PIM domain must adopt the same configuration. If the configured static RP address is the address of a local router interface whose state is UP, the router functions as the static RP. It is unnecessary to enable PIM on the interface that functions as the static RP. When the RP elected through the BSR mechanism is valid, the static RP does not work.

Configuring the Interface Hello Message Interval

Generally, PIM-SM advertises Hello messages periodically on the interface on which it is enabled to detect PIM neighbors and discover which router is the Designated Router (DR). Perform the following configuration in VLAN interface view.

Table 151 Configuring the Interface Hello Message Interval
- Configure the interface hello message interval: pim timer hello seconds
- Restore the interval to the default value: undo pim timer hello

By default, the hello message interval is 30 seconds. Users can configure the value according to different network environments. This configuration can be performed only after PIM (PIM-DM or PIM-SM) is enabled in VLAN interface view.

Configuring the Filtering of Multicast Source/Group

See Configuring PIM-DM on page 130, Configuring the Filtering of
374. user has been added onto the NAS. Perform the following configurations in system view.

Table 231 Create/Delete a Local User and Relevant Properties
- Add local users: local-user user-name
- Delete all the local users: undo local-user all
- Delete a local user by specifying its type: undo local-user { user-name | all | service-type { lan-access | ftp | telnet } }

By default, there is no local user in the system.

Setting Attributes of a Local User

The attributes of a local user include its password, state, service type and other settings. Perform the following configurations in system view.

Table 232 Set the Method that a Local User Uses to Set a Password
- Set the method that a local user uses to set a password: local-user password-display-mode { cipher-force | auto }
- Cancel the method that the local user uses to set a password: undo local-user password-display-mode

The auto parameter means that the password display mode will be the one specified by the user at the time of configuring a password (see the password command in the following table for reference), and cipher-force means that the password display mode of all the accessing users must be cipher text. Perform the following configurations in local user view.

Table 233 Set/Remove the Attributes Concerned with a Specified User
- Set a password for a specified user: password { simple | cip
375. uted commands. The command line interpreter searches for a target not fully matching the keywords: you can enter the whole keyword or part of it, as long as it is unique and not ambiguous.

Configuring a Command Line Interface is described in the following sections:
- Command Line View
- Features and Functions of the Command Line

The Switch 7750 provides hierarchy protection for the command lines to prevent unauthorized users from accessing the switch illegally. There are four levels of commands:
- Visit level: involves commands for network diagnosis tools such as ping and tracert, the command for switching between different language environments of the user interface (language-mode), and the telnet command. Saving the configuration file is not allowed at this level of commands.
- Monitoring level: includes the display command and the debugging command for system maintenance, service fault diagnosis and so on. Saving the configuration file is not allowed at this level of commands.
- Configuration level: provides service configuration commands such as the routing command and commands on each network layer that are used to provide direct network service to the user.
- Management level: influences the basic operation of the system and the system support module, which plays a support role for service. Commands at this level involve file system commands, FTP commands, TFTP commands, XModem downloading commands, user management commands and
376. uter, and used for applying to a multicast group or responding to the IGMP query message. When it is received, the switch checks if the MAC multicast group is ready to join. If the corresponding MAC multicast group does not exist, the switch notifies the router that a member is ready to join a multicast group, creates a new MAC multicast group, adds the port that received the message to the group, starts the port aging timer, and then adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table. Meanwhile, it creates an IP multicast group and adds the port that received the message to it. If the corresponding MAC multicast group exists but does not contain the port that received the report message, the switch adds the port to the multicast group and starts the port aging timer. Then the switch checks if the corresponding IP multicast group exists. If it does not exist, the switch creates a new IP multicast group and adds the port that received the report message to it. If it does exist, the switch adds the port. If the corresponding MAC multicast group exists and contains the port, the switch only resets the aging timer of the port.

IGMP leave message: Transmitted from the multicast group member to the multicast router to notify it that a host has left the multicast group. The Switch 7750 transmits the specific query message concerning the group to the port that received the message, in an effort to check if the host still has other memb
377. ver different physical links, thereby implementing VLAN-based load balancing. You can configure the port priority in the following ways.

Configuring in System View. Perform the following configuration in system view.
Table 206 Configure the Port Priority
  Operation                            Command
  Configure the port priority          stp interface interface-list instance instance-id port priority priority
  Restore the default port priority    undo stp interface interface-list instance instance-id port priority

Configuring in Ethernet Port View. Perform the following configuration in Ethernet port view.
Table 207 Configure the Port Priority
  Operation                            Command
  Configure the port priority          stp instance instance-id port priority priority
  Restore the default port priority    undo stp instance instance-id port priority

For more about the commands, see the Switch 7750 Command Reference Guide. After a change of port priority, MSTP recalculates the port role and transits the port state. A smaller value represents a higher priority. If all the Ethernet ports of a switch are configured with the same priority value, the priorities of the ports are differentiated by the index number. A change of Ethernet port priority leads to spanning tree recalculation, so configure the port priority according to actual networking requirements. By default, the priority of all the Ethernet ports is 128.

Configuring the Port Connection with the Point-to-Point Link. The p
378. ween the Switch A and B:
  Delay = (T4 - T1) - (T3 - T2)
  Offset of Ethernet Switch A clock relative to Ethernet Switch B clock: offset = ((T2 - T1) + (T3 - T4)) / 2
Ethernet Switch A uses this information to set the local clock and to synchronize it with the clock on Ethernet Switch B.

Configuring NTP is described in the following sections: Configuring NTP; NTP Configuration Examples.
NTP configuration includes the tasks described in the following sections: Configuring NTP Operating Mode; Configuring NTP ID Authentication; Setting the NTP Authentication Key; Setting the Specified Key to Be Reliable; Designating an Interface to Transmit the NTP Message; Setting the NTP Master Clock; Enabling or Disabling an Interface to Receive an NTP Message; Setting the Authority to Access a Local Switch; Setting Maximum Local Sessions; Displaying and Debugging NTP.

Configuring NTP Operating Mode. The Switch 7750 can serve as an NTP client but not as an NTP server. You can set the NTP operating mode of the Switch 7750 according to its location in the network and the network structure. For example, you can set a remote server as the time server of the local equipment; in this case the local Ethernet Switch works as an NTP client. If you set a remote server as a peer of the local Ethernet Switch, the local equipment operates in symmetric active mode. If you configure an interface on the local switch to transmit NTP broadcas
379. wer limit and the safety value of the Ethernet switch memory to the default value    undo memory { safety | limit }
The default values of the lower limit and the safety value of the Ethernet switch memory are 2 Mbytes and 4 Mbytes respectively. Note that the safety value must be higher than the limit value.

Preventing Automatic Recovery of Disconnected Routing Protocols. If the automatic memory restoration function of an Ethernet switch is disabled, the connection of routing protocols is not restored even if the free memory returns to the safety value. Perform the following configuration in system view.
Table 111 Preventing Automatic Recovery of Disconnected Routing Protocols
  Operation                                                      Command
  Prevent automatic recovery of disconnected routing protocols   memory auto-establish disable
By default, the automatic memory restoration function of an Ethernet switch is enabled.

Enabling Automatic Recovery of Disconnected Routing Protocols. Perform the following configuration in system view.
Table 112 Enabling Automatic Recovery of Disconnected Routing Protocols
  Operation                                                      Command
  Enable automatic recovery of disconnected routing protocols    memory auto-establish enable
By default, the automatic memory restoration function is enabled.

Displaying and Debugging Route Capacity. Execute the display command in all views to display the route capacity configuration.
Table 113 Displaying and Debugging Route Capacity
  Operation                                                      Command
  Display
380. witch 7750 through Telnet.
1 Authenticate the Telnet user through the console port before the user logs in by Telnet.
> By default, a password is required for authenticating the Telnet user to log in to the Switch 7750. If a user logs in by Telnet without a password, the user sees the message "Login password has not been set".
2 Enter system view (return to user view by pressing Ctrl+Z):
  <SW7750> system-view
  [SW7750] user-interface vty 0 4
  [SW7750-ui-vty0] set authentication password { simple | cipher } xxxx
  xxxx is the preset login password of the Telnet user.
3 To set up the configuration environment, connect the Ethernet port of the PC to that of the Switch 7750 through the LAN. See Figure 7.
Figure 7 Setting Up the Configuration Environment Through Telnet (PC for configuring the switch through Telnet, connected over Ethernet to the switch's Ethernet port alongside a server and workstations)
4 Run Telnet on the PC by selecting Start > Run from the Windows desktop and entering Telnet in the Open field, as shown in Figure 8. Click OK.
Figure 8 Run Telnet (Open: telnet xxx.xxx.xxx.xxx)
The terminal displays
381. witch B ports are updated as follows. The configuration BPDU of the root port Ethernet1/0/7 remains {0, 0, 0, e1/0/1}. Ethernet1/0/4 updates the root ID with the root ID in the optimum configuration BPDU, updates the path cost to root with 5, sets the designated switch as the local switch ID and the designated port ID as the local port ID; thus its configuration BPDU becomes {0, 5, 1, e1/0/4}. All the designated ports of Switch B then transmit the configuration BPDUs regularly.

Switch C: Ethernet1/0/1 receives from Ethernet1/0/4 of Switch B the configuration BPDU {1, 0, 1, e1/0/4} that has not been updated, and the updating process is launched: {1, 0, 1, e1/0/4}. Ethernet1/0/5 receives the configuration BPDU {0, 0, 0, e1/0/2} from Switch A, and Switch C launches the updating; the configuration BPDU is updated as {0, 0, 0, e1/0/2}. By comparison, the Ethernet1/0/5 configuration BPDU is elected as the optimum one. Ethernet1/0/5 is thus specified as the root port, with no modifications made to its configuration BPDU. However, Ethernet1/0/1 is blocked and its BPDU also remains the same, but it will not receive the data (excluding the STP packet) forwarded from Switch B until spanning tree calculation is launched again by new events, for example the link from Switch B to C going down or the port receiving a better configuration BPDU. Ethernet1/0/1 receives the updated configuration
382. witch to Version 1.

Configuring the Interval for Sending the IGMP Group-Specific Query Packet. In a shared network, where the same network segment includes multiple hosts and multicast routers, the query router is responsible for maintaining the IGMP group membership on the interface. When an IGMPv2 host leaves a group, it sends an IGMP Group Leave message. When the IGMP query router receives the IGMP Leave message, it must send the IGMP group-specific query message a specified number of times (the robust-value parameter in the igmp robust-count command, with a default value of 2) in a specified time interval (the seconds parameter in the igmp lastmember-queryinterval command, with a default value of 1 second). If other hosts which are interested in the specified group receive the IGMP query message from the IGMP query router, they send back the IGMP Membership Report message within the specified maximum response time interval. If the IGMP query router receives the IGMP Membership Report message within the defined period (equal to robust-value × seconds), it continues to maintain the membership of this group. When the IGMP query router receives no IGMP Membership Report message from any host within the defined period, it perceives a timeout and stops membership maintenance for the group. Perform the following configuration in VLAN interface view.
Table 123 Configure the Interval of Sending IGMP Group-Specific Query Packet
  Operation    Com
383. y. As suggested by RFC 2138 and RFC 2139, the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones; in particular, on some earlier RADIUS servers the authentication/authorization port number is often set to 1645 and the accounting port number to 1646. The RADIUS service port settings on the Switch 7750 need to be consistent with the port settings on the RADIUS server. Normally the RADIUS accounting service port is 1813 and the authentication/authorization service port is 1812. By default, all the IP addresses of the primary and second authentication/authorization and accounting servers are 0.0.0.0, the authentication/authorization service port is 1812 and the accounting service UDP port is 1813.

Setting the RADIUS Packet Encryption Key. The RADIUS client (switch system) and the RADIUS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify the packet by setting the encryption key; only when the keys are identical can both ends accept the packets from each other and give a response. Perform the following configuration in RADIUS server group view.
Table 237 Set RADIUS Packet Encryption Key
  Operation                                                                       Command
  Set RADIUS authentication/authorization packet encryption key                   key authentication string
  Restore the default RADIUS authentication/authorization packet encryption key   undo key authentication
  Set RADIUS accounting packe
384. y. Use the commands in Table 257 to perform directory operations. Perform the following operations in user view.
Table 257 Directory Operation
  Operation                                             Command
  Create a directory                                    mkdir directory
  Delete a directory                                    rmdir directory
  Display the current working directory                 pwd
  Display the information about directories or files    dir [ /all ] [ file-url ]
  Change the current directory                          cd directory

You can use the file system to delete, undelete or permanently delete a file. It can also be used to display file contents, rename, copy and move a file, and display the information about a specified file. Use the commands in Table 258 to perform file operations. Perform the following operations in user view.
Table 258 File Operation
  Operation                                                            Command
  Delete a file from the file system and move it to the recycle bin    delete file-url
  Restore a file from the recycle bin                                  undelete file-url
  Delete a file from the recycle bin permanently                       reset recycle-bin file-url
  View contents of a file                                              more file-url
  Rename a file                                                        rename fileurl-source fileurl-dest
  Copy a file                                                          copy fileurl-source fileurl-dest
  Move a file                                                          move fi
  Display the information about directories or files
  Execute the specified batch file (system view)
385. Figure 12 Dial the Remote PC (dialing dialog: phone number, location, calling card, Dial / Cancel)
5 Enter the preset login password on the remote terminal emulator and wait for the <SW7750> prompt.
6 Use the appropriate commands to configure the Switch 7750 or view its operational state. Enter ? to get immediate help. For details on a specific command, refer to the appropriate chapter in this guide.
> By default, after login a modem user can access the commands at Level 0.

Configuring the User Interface. User interface configuration is another way to configure and manage port data. The Switch 7750 supports the following configuration methods:
  Local configuration through the console port
  Remote configuration through Telnet on the Ethernet port
  Remote configuration through a modem through the console port
There are two types of user interfaces:
  AUX user interface is used to log in to the Switch 7750 through a dial-up modem. A Switch 7750 can only have one AUX port.
  VTY user interface is used to telnet to the Switch 7750.
For the Switch 7750, the AUX port and the Console port are the same port, so there is only the one type of AUX user interface. The user interface is numbered by absolute number or relative number. To number the user interface by absolute numb