H3C S5100-SI/EI Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 20100115-C-1.05
Product Version: Release 220X series
Copyright © 2007-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Technical Support
[email protected]
http://www.h3c.com
About This Manual
Organization
H3C S5100-SI/EI Series Ethernet Switches Operation Manual is organized as follows:
Part: Contents
0 Product Overview: Introduces the characteristics and implementations of the Ethernet switch.
1 Login: Introduces the ways to log into an Ethernet switch and CLI related configuration.
2 Configuration File Management: Introduces configuration file and the related configuration.
3 VLAN: Introduces VLAN-/Voice VLAN-related configuration.
4 Management VLAN: Introduces the management VLAN configuration and DHCP/BOOTP client configuration.
5 Voice VLAN: Introduces voice VLAN and the related configuration.
6 GVRP: Introduces GVRP and the related configuration.
7 Port Basic Configuration: Introduces basic port configuration.
8 Link Aggregation: Introduces link aggregation and the related configuration.
9 Port Isolation: Introduces port isolation and the related configuration.
10 Port Security-Port Binding: Introduces port security, port binding, and the related configuration.
11 DLDP: Introduces DLDP and the related configuration.
12 MAC Address Table Management: Introduces MAC address forwarding table management.
13 MSTP: Introduces STP and the related configuration.
14 802.1x and System Guard: Introduces 802.1x and the related configuration.
15 AAA: Introduces AAA, RADIUS, HWTACACS, EAD, and the related configurations.
16 MAC Address Authentication: Introduces centralized MAC address authentication and the related configuration.
17 IP Address and Performance: Introduces IP address and IP performance related configuration.
18 DHCP: Introduces DHCP-Snooping, DHCP Client and the related configuration.
19 ACL: Introduces ACL and the related configuration.
20 QoS-QoS Profile: Introduces QoS and the related configuration.
21 Mirroring: Introduces mirroring and the related configuration.
22 ARP: Introduces ARP and the related configuration.
23 Stack-Cluster: Introduces the related configuration for cluster management by using HGMP V2.
24 SNMP-RMON: Introduces the configuration for network management through SNMP and RMON.
25 Multicast: Introduces IGMP snooping and the related configuration.
26 NTP: Introduces NTP and the related configuration.
27 SSH: Introduces SSH2.0 and the related configuration.
28 File System Management: Introduces basic configuration for file system management.
29 FTP-SFTP-TFTP: Introduces basic configuration for FTP, SFTP and TFTP, and the applications.
30 Information Center: Introduces information center configuration.
31 System Maintenance and Debugging: Introduces daily system maintenance and debugging.
32 VLAN-VPN: Introduces VLAN VPN and the related configuration.
33 HWPing: Introduces HWPing and the related configuration.
34 DNS: Introduces DNS and the related configuration.
35 Smart Link-Monitor Link: Introduces Smart Link, Monitor Link and the related configuration.
36 IPv6 Management: Introduces IPv6 and the related configuration.
37 PoE-PoE Profile: Introduces PoE, PoE profile and the related configuration.
38 UDP Helper: Introduces UDP Helper and the related configuration.
39 Access Management: Introduces Access Management and the related configuration.
40 Appendix: Lists the acronyms used in this manual.
Conventions
The manual uses the following conventions:
Command conventions
Convention: Description
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.
GUI conventions
Convention: Description
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
The symbols used in this manual have the following meanings:
- Means that the reader must be extremely careful. Improper operation may cause bodily injury.
- Means that the reader should be careful. Improper operation may cause data loss or damage to equipment.
- Means an action or information that needs special attention to ensure successful configuration or good performance.
- Means a complementary description.
- Means techniques that help you configure the switch with ease.
Related Documentation
In addition to this manual, each H3C S5100-SI/EI Series Ethernet Switches documentation set includes
the following:
Manual: Description
H3C S5100-SI/EI Series Ethernet Switches Installation Manual: Provides information for the system installation.
H3C S5100-SI/EI Series Ethernet Switches Command Manual – Release 220X Series: Assists users in using the various commands.
H3C S5100-SI/EI Series Ethernet Switches Compliance and Safety Manual: Lists the regulatory compliance statements and provides the safety information of H3C S5100-SI/EI series Ethernet switches.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at this URL:
http://www.h3c.com.
The following are the columns from which you can obtain different categories of product documentation:
[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Document > Technical Documents]: Provides several categories of product
documentation, such as installation, configuration, and maintenance.
[Technical Support & Document > Software Download]: Provides the documentation released with the
software version.
Documentation Feedback
You can e-mail your comments about product documentation to [email protected]
We appreciate your comments.
Table of Contents
1 Obtaining the Documentation ··················································································································1-1
CD-ROM ·················································································································································1-1
H3C Website ···········································································································································1-1
Software Release Notes ·························································································································1-1
2 Correspondence Between Documentation and Software ·····································································2-1
Manual List··············································································································································2-1
Software Version·····································································································································2-1
3 Product Overview ······································································································································3-1
4 Networking Applications ··························································································································4-1
Convergence Layer Devices···················································································································4-1
Access Layer Devices·····························································································································4-1
Data Center Access ································································································································4-2
1 Obtaining the Documentation
H3C Technologies Co., Ltd. provides several ways for you to obtain documentation, covering both the product documentation and information about newly added features. The documentation is available in the following ways:
- CD-ROMs shipped with the devices
- The H3C website
- Software release notes
CD-ROM
H3C delivers a CD-ROM together with each device. The CD-ROM contains the complete product document set, including the operation manual and the command manual. After installing the reader program provided on the CD-ROM, you can conveniently search for the desired contents through the reader interface.
The contents of the manuals are updated on an irregular basis, for example when the product version is upgraded, so the contents of the CD-ROM may not be the latest version. This manual serves as a user guide only. Unless otherwise noted, nothing in the document set claims or implies any warranty. For the latest software documentation, go to the H3C website.
H3C Website
Perform the following steps to query and download the product documentation from the H3C website.
Table 1-1 Acquiring product documentation from the H3C website
How to apply for an account: Access the homepage of H3C at http://www.h3c.com and click Registration at the top right. In the displayed page, provide your information and click Submit to register.
How to get documentation, approach 1: In the homepage of H3C at http://www.h3c.com, select Technical Support & Document > Technical Documents from the navigation menu at the top. Then select a product for its documents.
How to get documentation, approach 2: In the homepage of H3C at http://www.h3c.com, select Support > Technical Documents. Then select a product for its documents.
Software Release Notes
With software upgrade, new software features may be added. You can acquire the information about
the newly added software features through software release notes.
2 Correspondence Between Documentation and Software
Manual List
Corresponding product: Manual name
S5100-SI series and S5100-EI series:
- H3C S5100-SI/EI Series Ethernet Switches Installation Manual
- H3C S5100-SI/EI Series Ethernet Switches Quick Start
- H3C S5100-SI/EI Series Ethernet Switches Compliance and Safety Manual
- H3C S5100-SI/EI Series Ethernet Switches Operation Manual-Release 220X Series
- H3C S5100-SI/EI Series Ethernet Switches Command Manual-Release 220X Series
Software Version
H3C S5100-SI/EI Series Ethernet Switches Operation Manual-Release 220X Series and H3C S5100-SI/EI Series Ethernet Switches Command Manual-Release 220X Series apply to software versions Release 2200, Release 2201 and Release 2203P08 of the S5100-SI/EI series products.
The supported features differ between these software versions. For details, refer to Table 2-1.
Table 2-1 Added and modified features compared with the earlier software version (software version / added and modified features compared with the earlier version / manual)

Release 2203P08
  Added features:
  - RADIUS Attribute Ignore Function (15-AAA)
  - DHCP Relay Agent Function (18-DHCP)
  - The S5100-SI series begin to support Layer 2 ACLs from Release 2203P08 on (19-ACL)
  - The S5100-SI series begin to support assignment of ACLs to hardware for packet filtering from Release 2203P08 on (19-ACL)
  - Configuring the network management interface for a cluster (S5100-EI series only) (23-Stack-Cluster)
  - Configuring the Cluster Synchronization Function (23-Stack-Cluster)
  - UDP Helper Function (38-UDP Helper)
  - Access Management Function (39-Access Management)
  Modified features:
  - The tx-period-value argument of the dot1x timer tx-period command ranges from 1 to 120 seconds, instead of 10 to 120 seconds (14-802.1x and System Guard)
  Deleted features:
  - The S5100-EI series Ethernet switches do not support specifying a secondary IP address for an interface (17-IP Address and Performance)

Release 2201
  Added features:
  - Identifying and Diagnosing Pluggable Transceivers (32-System Maintenance and Debugging)
  Modified features: None
  Deleted features: None

Release 2200
  Added features: —
  Modified features: —
  Deleted features: —
3 Product Overview
For convenience, the units Mbps and 1000 Mbps (Gbps) are abbreviated as M and G in the following chapters.
H3C S5100-SI/EI Series Ethernet Switches (hereinafter referred to as S5100-SI/EI series) are Gigabit
Ethernet switching products developed by H3C Technologies Co., Ltd. H3C S5100-SI/EI series provide
a variety of service features and powerful QACL functions. S5100-SI/EI series are designed as
convergence and access devices for intranets and metropolitan area networks (MANs), and can also be
used for connecting data center server clusters.
The H3C S5100 series comprises two sub-series, S5100-SI and S5100-EI, which are available in the following models:
Table 3-1 H3C S5100-SI/EI series
Series | Model | 10/100/1000Base-T autosensing Ethernet ports | 1000Base-X SFP ports | Console port
S5100-SI | S5100-8P-SI | 8 | 2 | 1
S5100-SI | S5100-16P-SI | 16 | 2 | 1
S5100-SI | S5100-24P-SI | 24 | 4 | 1
S5100-SI | S5100-48P-SI | 48 | 4 | 1
S5100-EI | S5100-8P-EI | 8 | 2 | 1
S5100-EI | S5100-16P-EI | 16 | 4 | 1
S5100-EI | S5100-24P-EI | 24 | 4 | 1
S5100-EI | S5100-48P-EI | 48 | 4 | 1
S5100-EI | S5100-26C-EI | 24 | 4 | 1
S5100-EI | S5100-50C-EI | 48 | 4 | 1
S5100-EI | S5100-8P-PWR-EI | 8 | 2 | 1
S5100-EI | S5100-16P-PWR-EI | 16 | 4 | 1
S5100-EI | S5100-26C-PWR-EI | 24 | 4 | 1
S5100-EI | S5100-50C-PWR-EI | 48 | 4 | 1
An SFP port and its corresponding 10/100/1000Base-T autosensing Ethernet port form a Combo port.
That is, only one of the two ports forming the Combo port can be used at a time. Table 3-2 shows the
mapping relations between the ports forming the Combo port.
Table 3-2 Mapping relations between the ports forming the Combo port
Model | 1000Base-X SFP port | 10/100/1000Base-T autosensing Ethernet port
S5100-16P-SI, S5100-16P-EI, S5100-16P-PWR-EI | 17 | 14
S5100-16P-SI, S5100-16P-EI, S5100-16P-PWR-EI | 18 | 16
S5100-16P-SI, S5100-16P-EI, S5100-16P-PWR-EI | 19 | 13
S5100-16P-SI, S5100-16P-EI, S5100-16P-PWR-EI | 20 | 15
S5100-24P-SI, S5100-24P-EI, S5100-26C-EI, S5100-26C-PWR-EI | 25 | 22
S5100-24P-SI, S5100-24P-EI, S5100-26C-EI, S5100-26C-PWR-EI | 26 | 24
S5100-24P-SI, S5100-24P-EI, S5100-26C-EI, S5100-26C-PWR-EI | 27 | 21
S5100-24P-SI, S5100-24P-EI, S5100-26C-EI, S5100-26C-PWR-EI | 28 | 23
S5100-48P-SI, S5100-48P-EI, S5100-50C-EI, S5100-50C-PWR-EI | 49 | 46
S5100-48P-SI, S5100-48P-EI, S5100-50C-EI, S5100-50C-PWR-EI | 50 | 48
S5100-48P-SI, S5100-48P-EI, S5100-50C-EI, S5100-50C-PWR-EI | 51 | 45
S5100-48P-SI, S5100-48P-EI, S5100-50C-EI, S5100-50C-PWR-EI | 52 | 47
4 Networking Applications
S5100-SI/EI series Gigabit Ethernet switches are designed as convergence layer switches or access
layer switches for enterprise networks and metropolitan area networks (MANs).
S5100-SI/EI series provide 24 or 48 autosensing Gigabit Ethernet ports for connecting downstream
devices. In addition, S5100-26C-EI and S5100-50C-EI also provide two 10GE extension slots to
support flexible networking by means of optional XFP interface cards / XENPAK optical modules /
dedicated stack cards for Gigabit Ethernet to the desktop (GTTD) access of enterprise networks, user
access and convergence of carrier networks, and connection of data center server clusters.
Several typical networking applications are described as follows. (The following applications are for
S5100-EI series.)
Convergence Layer Devices
In medium- and small-sized enterprises or branches of large enterprises, S5100-EI series Ethernet switches can serve as convergence layer switches that provide high-performance, large-capacity switching and support 10GE uplink ports, which provide larger bandwidth for the devices. S5100-EI series also support abundant QoS features, which make it easy to configure networks with a variety of features.
Figure 4-1 Application of S5100-EI series in the convergence layer of intranet/MAN
Access Layer Devices
S5100-EI series Gigabit Ethernet switches can serve as access layer switches that provide large
access bandwidth and high port density. In addition, S5100-EI series also provide powerful QACL
features to allow users to better design and plan their networks.
Figure 4-2 Application of S5100-EI series in the access layer
Data Center Access
In data center networking, S5100-EI series switches are deployed in the core network to provide 10GE/GE access to the core. The server cluster can be connected to the core network at Gigabit Ethernet rate through S5100-EI series switches.
Figure 4-3 Application of S5100-EI series in data center networking
Table of Contents
1 Logging In to an Ethernet Switch ············································································································1-1
Logging In to an Ethernet Switch ············································································································1-1
Introduction to the User Interface············································································································1-1
Supported User Interfaces ··············································································································1-1
Relationship Between a User and a User Interface ········································································1-2
User Interface Index ························································································································1-2
Common User Interface Configuration····························································································1-2
2 Logging In Through the Console Port·····································································································2-1
Introduction ·············································································································································2-1
Setting Up a Login Environment for Login Through the Console Port····················································2-1
Console Port Login Configuration ···········································································································2-4
Common Configuration····················································································································2-4
Console Port Login Configurations for Different Authentication Modes ·················································2-6
Console Port Login Configuration with Authentication Mode Being None··············································2-7
Configuration Procedure··················································································································2-7
Configuration Example ····················································································································2-7
Console Port Login Configuration with Authentication Mode Being Password ······································2-8
Configuration Procedure··················································································································2-8
Configuration Example ····················································································································2-9
Console Port Login Configuration with Authentication Mode Being Scheme ·······································2-10
Configuration Procedure················································································································2-10
Configuration Example ··················································································································2-11
3 Logging In Through Telnet ·······················································································································3-1
Introduction ·············································································································································3-1
Common Configuration to Control Telnet Access ··································································3-1
Telnet Configurations for Different Authentication Modes·······························································3-3
Telnet Configuration with Authentication Mode Being None ··································································3-4
Configuration Procedure··················································································································3-4
Configuration Example ····················································································································3-4
Telnet Configuration with Authentication Mode Being Password ···························································3-5
Configuration Procedure··················································································································3-5
Configuration Example ····················································································································3-6
Telnet Configuration with Authentication Mode Being Scheme······························································3-7
Configuration Procedure··················································································································3-7
Configuration Example ····················································································································3-8
Telnetting to a Switch······························································································································3-9
Telnetting to a Switch from a Terminal····························································································3-9
Telnetting to another Switch from the Current Switch···································································3-11
4 Logging In Using a Modem·······················································································································4-1
Introduction ·············································································································································4-1
Configuration on the Switch Side············································································································4-1
Modem Configuration ······················································································································4-1
Switch Configuration························································································································4-2
Modem Connection Establishment ·········································································································4-2
5 CLI Configuration ······································································································································5-1
Introduction to the CLI·····························································································································5-1
Command Hierarchy ·······························································································································5-1
Command Level and User Privilege Level ······················································································5-1
Modifying the Command Level········································································································5-2
Switching User Level ·······················································································································5-3
CLI Views ················································································································································5-4
CLI Features ···········································································································································5-7
Online Help······································································································································5-7
Terminal Display······························································································································5-9
Command History····························································································································5-9
Error Prompts ··································································································································5-9
Command Edit·······························································································································5-10
6 Logging In Through the Web-based Network Management Interface ·················································6-1
Introduction ·············································································································································6-1
Establishing an HTTP Connection ··········································································································6-1
Configuring the Login Banner ·················································································································6-2
Configuration Procedure··················································································································6-2
Configuration Example ····················································································································6-3
Enabling/Disabling the WEB Server ·······································································································6-3
7 Logging In Through NMS··························································································································7-1
Introduction ·············································································································································7-1
Connection Establishment Using NMS ···································································································7-1
8 Configuring Source IP Address for Telnet Service Packets ·································································8-1
Overview ·················································································································································8-1
Configuring Source IP Address for Telnet Service Packets ···································································8-1
Displaying Source IP Address Configuration··························································································8-2
9 User Control ···············································································································································9-1
Introduction ·············································································································································9-1
Controlling Telnet Users ·························································································································9-1
Introduction······································································································································9-1
Controlling Telnet Users by ACL ·····································································································9-2
Configuration Example ····················································································································9-3
Controlling Network Management Users by Source IP Addresses ························································9-3
Prerequisites····································································································································9-4
Controlling Network Management Users by Source IP Addresses·················································9-4
Configuration Example ····················································································································9-4
Controlling Web Users by Source IP Address ························································································9-5
Prerequisites····································································································································9-5
Controlling Web Users by Source IP Addresses·············································································9-5
Logging Out a Web User ·················································································································9-6
Configuration Example ····················································································································9-6
1 Logging In to an Ethernet Switch
Go to these sections for information you are interested in:
- Logging In to an Ethernet Switch
- Introduction to the User Interface
Logging In to an Ethernet Switch
To manage or configure an S5100-SI/EI Ethernet switch, you can log in to it in one of the following three methods:
- Command Line Interface
- Web-based Network Management Interface
- Network Management Station
The following table shows the configurations corresponding to each method:
Method: Tasks
Command Line Interface: Logging In Through the Console Port; Logging In Through Telnet; Logging In Using a Modem; CLI Configuration
Web-based Network Management Interface: Logging In Through the Web-based Network Management Interface
Network Management Station: Logging In Through NMS
Introduction to the User Interface
Supported User Interfaces
The auxiliary (AUX) port and the console port of an H3C low-end and mid-range Ethernet switch are the
same port (referred to as console port in the following part). You will be in the AUX user interface if you
log in through this port.
S5100-SI/EI series Ethernet switches support two types of user interfaces: AUX and VTY.
- AUX user interface: A view when you log in through the AUX port. The AUX port is a line device port.
- Virtual type terminal (VTY) user interface: A view when you log in through VTY. A VTY port is a logical terminal line used when you access the device by means of Telnet or SSH.
Table 1-1 Description of user interfaces
User interface | Applicable user | Port used | Remarks
AUX | Users logging in through the console port | Console port | Each switch can accommodate one AUX user.
VTY | Telnet users and SSH users | Ethernet port | Each switch can accommodate up to five VTY users.
One user interface corresponds to one user interface view, where you can configure a set of parameters,
such as whether to authenticate users at login and the user level after login. When the user logs in
through a user interface, the connection follows these parameter settings, thus implementing
centralized management of various sessions.
Relationship Between a User and a User Interface
You can monitor and manage users logging in through different modes by setting different types of user
interfaces. An S5100-SI/EI switch provides one AUX user interface and five VTY user interfaces.
- A user interface does not necessarily correspond to a specific user.
- When a user logs in, the system automatically assigns the user the free user interface with the smallest number, based on the user login mode. The login process of the user is restricted by the configurations under this user interface.
- The user interface assigned to a user depends on the login mode and login time.
A user interface can be used by one user at one time, however, the user interface is not dedicated to a
specific user. For example, user A can use VTY 0 to log in to the device. When user A logs out, user B
can use VTY 0 to log in to the device.
User Interface Index
Two kinds of user interface index exist: the absolute user interface index and the relative user interface index.
1) The absolute user interface indexes are as follows:
- The AUX user interface has absolute index 0.
- VTY user interface indexes follow the AUX index: the first VTY user interface has absolute index 1, the second 2, and so on.
2) A relative user interface index is obtained by appending a number to the identifier of the user interface type, so it is generated per user interface type. The relative user interface indexes are as follows:
- The AUX user interface is numbered AUX0.
- VTY user interfaces are numbered VTY0, VTY1, and so on.
Common User Interface Configuration
Follow these steps to configure common user interface settings (each entry gives the task, the command to use, and remarks):

Lock the current user interface: lock
  Optional. Available in user view. A user interface is not locked by default.
Send messages to all user interfaces or to a specified user interface: send { all | number | type number }
  Optional. Available in user view.
Free a user interface: free user-interface [ type ] number
  Optional. Available in user view.
Enter system view: system-view
  —
Set the banner: header [ incoming | legal | login | shell ] text
  Optional. By default, no banner is configured.
Set a system name for the switch: sysname string
  Optional. By default, the system name is H3C.
Enable copyright information display: copyright-info enable
  Optional. By default, copyright display is enabled, that is, the copyright information is displayed on the terminal after a user logs in successfully.
Enter user interface view: user-interface [ type ] first-number [ last-number ]
  —
Display information about the current user interface or all user interfaces: display users [ all ]
  Optional. Available in any view.
Display the physical attributes and configuration of the current or a specified user interface: display user-interface [ type number | number ]
  Optional. Available in any view.
Display information about the current web users: display web users
  Optional. Available in any view.
2 Logging In Through the Console Port
Go to these sections for information you are interested in:
- Introduction
- Setting Up a Login Environment for Login Through the Console Port
- Console Port Login Configuration
- Console Port Login Configuration with Authentication Mode Being None
- Console Port Login Configuration with Authentication Mode Being Password
- Console Port Login Configuration with Authentication Mode Being Scheme
Introduction
Logging in through the console port is the most common way to log in to a switch, and it is the prerequisite for configuring the other login methods. By default, you can log in to an S5100-SI/EI Ethernet switch locally through its console port only.
Table 2-1 lists the default settings of a console port.
Table 2-1 The default settings of a console port

Setting | Default
Baud rate | 9,600 bps
Flow control | None
Check mode (parity) | None
Stop bits | 1
Data bits | 8
To log in to a switch through the console port, make sure the settings of both the console port and the
user terminal are the same.
After logging in to a switch, you can perform configuration for AUX users. Refer to Console Port
Login Configuration for more.
Setting Up a Login Environment for Login Through the Console Port
Following are the procedures to connect to a switch through the console port.
1) Connect the serial port of your PC/terminal to the console port of the switch, as shown in Figure 2-1.
Figure 2-1 Diagram for connecting to the console port of a switch
2) If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 to create the connection. Normally, both sides (that is, the serial port of the PC and the console port of the switch) are configured as listed in Table 2-1.
Figure 2-2 Create a connection
Figure 2-3 Specify the port used to establish the connection
Figure 2-4 Set port parameters
3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in Figure 2-5.
Figure 2-5 HyperTerminal CLI
4) You can then configure the switch or check information about the switch by executing the corresponding commands. You can also get help by typing the ? character. Refer to the related parts of this manual for information about the commands used for configuring the switch.
Console Port Login Configuration
Common Configuration
Table 2-2 Common configuration of console port login

Category | Configuration | Remarks
Console port configuration | Baud rate | Optional. The default baud rate is 9,600 bps.
Console port configuration | Check mode | Optional. By default, the check mode of the console port is set to "none", which means no check bit.
Console port configuration | Stop bits | Optional. The default stop bits of a console port is 1.
Console port configuration | Data bits | Optional. The default data bits of a console port is 8.
AUX user interface configuration | Configure the command level available to the users logging in to the AUX user interface | Optional. By default, commands of level 3 are available to the users logging in to the AUX user interface.
Terminal configuration | Make terminal services available | Optional. By default, terminal services are available in all user interfaces.
Terminal configuration | Set the maximum number of lines the screen can contain | Optional. By default, the screen can contain up to 24 lines.
Terminal configuration | Set history command buffer size | Optional. By default, the history command buffer can contain up to 10 commands.
Terminal configuration | Set the timeout time of a user interface | Optional. The default timeout time is 10 minutes.
Changes to the console port configuration take effect immediately, so if you log in through the console port and then change the settings of that same port, the connection may be dropped. To configure a console port, you are recommended to log in to the switch in another way. To log in to the switch through its console port after you modify the console port settings, change the corresponding settings of the terminal emulation utility running on your PC accordingly in the dialog box shown in Figure 2-4.
Follow these steps to set the common configuration of console port login (each entry gives the task, the command to use, and remarks):

Enter system view: system-view
  —
Enter AUX user interface view: user-interface aux 0
  —
Configure the console port, set the baud rate: speed speed-value
  Optional. The default baud rate of a console port is 9,600 bps.
Configure the console port, set the check mode: parity { even | none | odd }
  Optional. By default, the check mode of a console port is none, that is, no check is performed.
Configure the console port, set the stop bits: stopbits { 1 | 1.5 | 2 }
  Optional. The default stop bits of a console port is 1.
Configure the console port, set the data bits: databits { 7 | 8 }
  Optional. The default data bits of a console port is 8.
Configure the command level available to users logging in to the user interface: user privilege level level
  Optional. By default, commands of level 3 are available to users logging in to the AUX user interface, and commands of level 0 are available to users logging in to the VTY user interface.
Enable terminal services: shell
  Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size: history-command max-size value
  Optional. The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]
  Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Console Port Login Configurations for Different Authentication
Modes
Table 2-3 Console port login configurations for different authentication modes

Authentication mode | Authentication related configuration | Remarks
None | Set the authentication mode to none | Optional. Refer to Console Port Login Configuration with Authentication Mode Being None.
Password | Set the authentication mode to local password authentication; set the password for local authentication | Optional. Refer to Console Port Login Configuration with Authentication Mode Being Password.
Scheme | Set the authentication mode to scheme; specify whether to perform local authentication or remote authentication; set user names and passwords locally or on the AAA server | Optional. Refer to Console Port Login Configuration with Authentication Mode Being Scheme.
Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again.
Console Port Login Configuration with Authentication Mode Being None
Configuration Procedure
Follow these steps to configure console port login with the authentication mode being none (each entry gives the task, the command to use, and remarks):

Enter system view: system-view
  —
Enter AUX user interface view: user-interface aux 0
  —
Configure not to authenticate users: authentication-mode none
  Required. By default, users logging in through the console port (AUX user interface) are not authenticated.
Configuration Example
Network requirements
Assume that the switch is configured to allow users to log in through Telnet, and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface).
- Do not authenticate the users.
- Commands of level 2 are available to the users logging in to the AUX user interface.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Network diagram
Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being none): a configuration PC running Telnet connected over Ethernet to port GE1/0/1 of the switch
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate users logging in through the console port.
[Sysname-ui-aux0] authentication-mode none
# Make commands of level 2 available to users logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, you need to modify the configuration of the terminal emulation utility
running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
Console Port Login Configuration with Authentication Mode Being Password
Configuration Procedure
Follow these steps to configure console port login with the authentication mode being password (each entry gives the task, the command to use, and remarks):

Enter system view: system-view
  —
Enter AUX user interface view: user-interface aux 0
  —
Configure to authenticate users using the local password: authentication-mode password
  Required. By default, users logging in to a switch through the console port are not authenticated, while those logging in through modems or Telnet are authenticated.
Set the local password: set authentication password { cipher | simple } password
  Required.
Configuration Example
Network requirements
Assume the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface).
- Authenticate the users using passwords.
- Set the local password to 123456 (in plain text).
- Commands of level 2 are available to the users.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Network diagram
Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being password): a configuration PC running Telnet connected over Ethernet to port GE1/0/1 of the switch
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate users logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456
# Make commands of level 2 available to users logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, you need to modify the configuration of the terminal emulation utility
running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
Console Port Login Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to configure console port login with the authentication mode being scheme (each entry gives the task, the command to use, and remarks):

Enter system view: system-view
  —
Enter AUX user interface view: user-interface aux 0
  —
Configure to authenticate users in the scheme mode: authentication-mode scheme [ command-authorization ]
  Required. The specified AAA scheme determines what authentication mode is adopted: local, RADIUS or HWTACACS. By default, users logging in through the console port (AUX user interface) are not authenticated.
Quit to system view: quit
  —
Configure the authentication mode, enter the default ISP domain view: domain domain-name
  Optional. By default, the local AAA scheme is applied.
Configure the authentication mode, specify the AAA scheme to be applied to the domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
  Optional. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local users as well. If you specify to apply a RADIUS or HWTACACS scheme, you need to perform the following configuration as well:
  - Perform RADIUS and HWTACACS configuration on the switch. (Refer to the AAA part for more.)
  - Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)
Configure the authentication mode, quit to system view: quit
  —
Create a local user (enter local user view): local-user user-name
  Required. No local user exists by default.
Set the authentication password for the local user: password { simple | cipher } password
  Required.
Specify the service type for AUX users: service-type terminal [ level level ]
  Required.
Note that:
If you configure to authenticate the users in the scheme mode, the command level available to users logging in to a switch depends on the command level specified in the AAA scheme:
- When the AAA scheme is local authentication, the command level available to users depends on the service-type terminal [ level level ] command.
- When the AAA scheme is RADIUS or HWTACACS authentication, you need to set the corresponding user level on the RADIUS or HWTACACS server.
For the introduction to AAA, RADIUS, and HWTACACS, refer to the AAA part of this manual.
Configuration Example
Network requirements
Assume the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface).
- Configure the local user name as guest.
- Set the authentication password of the local user to 123456 (in plain text).
- Set the service type of the local user to Terminal and the command level to 2.
- Configure to authenticate the users in the scheme mode.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Network diagram
Figure 2-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme): a configuration PC running Telnet connected over Ethernet to port GE1/0/1 of the switch
Configuration procedure
# Enter system view.
<Sysname> system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Terminal and make commands of level 2 available to users logging in to the AUX user interface.
[Sysname-luser-guest] service-type terminal level 2
[Sysname-luser-guest] quit
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Configure to authenticate users logging in through the console port in the scheme mode.
[Sysname-ui-aux0] authentication-mode scheme
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, you need to modify the configuration of the terminal emulation utility
running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch
successfully.
3 Logging In Through Telnet
Go to these sections for information you are interested in:
- Introduction
- Telnet Configuration with Authentication Mode Being None
- Telnet Configuration with Authentication Mode Being Password
Introduction
S5100-SI/EI series Ethernet switches support Telnet. You can manage and maintain a switch
remotely by Telnetting to the switch.
To log in to a switch through Telnet, the corresponding configuration is required on both the switch and
the Telnet terminal.
You can also log in to a switch through SSH. SSH is a secure shell added to Telnet. Refer to the
SSH Operation for related information.
Table 3-1 Requirements for Telnetting to a switch

Item | Requirement
Switch | An IP address is configured for the VLAN interface of the switch, and the route between the switch and the Telnet terminal is reachable. (Refer to the IP Address Configuration – IP Performance Configuration and Routing Protocol parts for more.)
Switch | The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.
Switch | Telnet is running.
Telnet terminal | The IP address of the VLAN interface of the switch is available.
Telnetting to a switch using IPv6 protocols is similar to Telnetting to a switch using IPv4 protocols. Refer to the IPv6 Management part for related information.
Common Configuration to Control Telnet Access
Table 3-2 Common Telnet configuration

Category | Configuration | Description
VTY user interface configuration | Configure the command level available to users logging in to the VTY user interface | Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
VTY user interface configuration | Configure the protocols the user interface supports | Optional. By default, the Telnet and SSH protocols are supported.
VTY user interface configuration | Set the commands to be executed automatically after a user logs in to the user interface successfully | Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.
VTY terminal configuration | Make terminal services available | Optional. By default, terminal services are available in all user interfaces.
VTY terminal configuration | Set the maximum number of lines the screen can contain | Optional. By default, the screen can contain up to 24 lines.
VTY terminal configuration | Set history command buffer size | Optional. By default, the history command buffer can contain up to 10 commands.
VTY terminal configuration | Set the timeout time of a user interface | Optional. The default timeout time is 10 minutes.
Follow these steps to set the common Telnet configuration (each entry gives the task, the command to use, and remarks):

Enter system view: system-view
  —
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
  —
Configure the command level available to users logging in to VTY user interfaces: user privilege level level
  Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.
Configure the protocols to be supported by the VTY user interface: protocol inbound { all | ssh | telnet }
  Optional. By default, both the Telnet protocol and the SSH protocol are supported.
Set the commands to be executed automatically after a user logs in to the user interface successfully: auto-execute command text
  Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.
Enable terminal services: shell
  Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size: history-command max-size value
  Optional. The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
Set the timeout time of the VTY user interface: idle-timeout minutes [ seconds ]
  Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Telnet Configurations for Different Authentication Modes
Table 3-3 Telnet configurations for different authentication modes

Authentication mode | Authentication related configuration | Description
None | Set the authentication mode to none | Refer to Telnet Configuration with Authentication Mode Being None.
Password | Set the authentication mode to local password authentication; set the password for local authentication | Refer to Telnet Configuration with Authentication Mode Being Password.
Scheme | Set the authentication mode to scheme; specify whether to perform local authentication or remote authentication; set user names and passwords locally or on the AAA server | Refer to Telnet Configuration with Authentication Mode Being Scheme.
To improve security and prevent attacks on unused sockets, TCP port 23 (the Telnet service) and TCP port 22 (the SSH service) are enabled or disabled according to the corresponding configuration:
- If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled.
- If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
- If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP 23 is enabled; when the supported protocol is specified as ssh, TCP 22 is enabled; when the supported protocol is specified as all, both TCP 23 and TCP 22 are enabled.
Telnet Configuration with Authentication Mode Being None
Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being none:
Enter system view: system-view
  —
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
  —
Configure not to authenticate users logging in to VTY user interfaces: authentication-mode none
  Required. By default, VTY users are authenticated after logging in.
Note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on the user privilege level level command.
Configuration Example
Network requirements
Assume the current user logs in through the console port, and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in through VTY 0 using Telnet.
- Do not authenticate the users.
- Commands of level 2 are available to the users.
- The Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Make commands of level 2 available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Specify that the Telnet protocol is supported.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Password
Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being password:
Enter system view: system-view
  —
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
  —
Configure to authenticate users logging in to VTY user interfaces using the local password: authentication-mode password
  Required.
Set the local password: set authentication password { cipher | simple } password
  Required.
When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command.
Configuration Example
Network requirements
Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet.
- Authenticate users using the local password.
- Set the local password to 123456 (in plain text).
- Commands of level 2 are available to the users.
- The Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 3-2 Network diagram for Telnet configuration (with the authentication mode being password)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 using the password.
[Sysname-ui-vty0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-vty0] set authentication password simple 123456
# Make commands of level 2 available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Specify that the Telnet protocol is supported.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being scheme:
Enter system view: system-view
  —
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
  —
Configure to authenticate users in the scheme mode: authentication-mode scheme [ command-authorization ]
  Required. The specified AAA scheme determines what authentication mode is adopted: local, RADIUS or HWTACACS. Users are authenticated locally by default.
Quit to system view: quit
  —
Configure the authentication scheme, enter the default ISP domain view: domain domain-name
  Optional. By default, the local AAA scheme is applied.
Configure the authentication scheme, configure the AAA scheme to be applied to the domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
  Optional. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local users as well. If you specify to apply a RADIUS or HWTACACS scheme, you need to perform the following configuration as well:
  - Perform AAA and RADIUS configuration on the switch. (Refer to the AAA part for more.)
  - Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)
Configure the authentication scheme, quit to system view: quit
  —
Create a local user and enter local user view: local-user user-name
  No local user exists by default.
Set the authentication password for the local user: password { simple | cipher } password
  Required.
Specify the service type for VTY users: service-type telnet [ level level ]
  Required.
Note that:
If you configure to authenticate the users in the scheme mode, the command level available to the users logging in to the switch depends on the user level defined in the AAA scheme.
- When the AAA scheme is local, the user level depends on the service-type { ftp | lan-access | { ssh | telnet | terminal }* [ level level ] } command.
- When the AAA scheme is RADIUS or HWTACACS, you need to specify the user level of a user on the corresponding RADIUS or HWTACACS server.
Refer to the AAA part of this manual for information about AAA, RADIUS, and HWTACACS.
Configuration Example
Network requirements
Assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet.
- Configure the local user name as guest.
- Set the authentication password of the local user to 123456 (in plain text).
- Set the service type of VTY users to Telnet and the command level to 2.
- Configure to authenticate users logging in to VTY 0 in scheme mode.
- Only the Telnet protocol is supported in VTY 0.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password of the local user to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Telnet and make commands of level 2 available to users logging in to VTY 0.
[Sysname-luser-guest] service-type telnet level 2
[Sysname-luser-guest] quit
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 in the scheme mode.
[Sysname-ui-vty0] authentication-mode scheme
# Configure Telnet protocol is supported.
[Sysname-ui-vty0] protocol inbound telnet
3-8
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
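As an added check, not part of the manual, the following Python script parses a saved configuration in the layout of display current-configuration and reports the login settings a reviewer would want to catch: VTY interfaces with authentication-mode none or no explicit authentication mode, inbound protocols left open with protocol inbound all, a missing or overly long idle-timeout, and local-user passwords stored with password simple (the password command also offers cipher). The configuration text is a constructed sample built from the procedure above plus a deliberately weaker second VTY block, and the 10-minute idle limit is an assumed site policy.

```python
"""Audit of VTY and local-user login settings in a saved configuration.

Added example, not from the manual. The configuration below is a constructed
sample in the layout of 'display current-configuration' (commands inside a
view indented one space, sections separated by '#'); the 10-minute idle limit
is an assumed site policy, not a value from the manual.
"""

# Constructed sample: the VTY 0 configuration from the procedure above plus a
# second VTY block that was left with weaker settings.
SAMPLE_CONFIG = """\
#
local-user guest
 password simple 123456
 service-type telnet level 2
#
user-interface vty 0
 authentication-mode scheme
 protocol inbound telnet
 screen-length 30
 history-command max-size 20
 idle-timeout 6
#
user-interface vty 1 4
 authentication-mode none
 protocol inbound all
#
"""

MAX_IDLE_MINUTES = 10   # assumption: site policy


def parse_views(config):
    """Split the configuration into (view_command, [subcommands]) pairs."""
    views, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None                  # '#' closes the current section
        elif line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            views.append(current)
    return views


def first(cmds, prefix):
    """Return the first subcommand starting with prefix, or None."""
    return next((c for c in cmds if c.startswith(prefix)), None)


def audit_vty(view, cmds):
    """Findings for one 'user-interface vty' block."""
    findings = []
    auth = first(cmds, "authentication-mode")
    if auth is None:
        findings.append((view, "authentication-mode not configured explicitly"))
    elif auth.endswith(" none"):
        findings.append((view, "no login authentication (authentication-mode none)"))
    proto = first(cmds, "protocol inbound")
    if proto is None or proto.endswith(" all"):
        findings.append((view, "inbound protocol not restricted"))
    idle = first(cmds, "idle-timeout")
    if idle is None:
        findings.append((view, "idle-timeout not configured"))
    else:
        minutes = int(idle.split()[1])
        # assumption: 0 is treated as 'no timeout' and flagged like a long value
        if minutes == 0 or minutes > MAX_IDLE_MINUTES:
            findings.append((view, f"idle-timeout {minutes} outside policy"))
    return findings


def audit(config):
    """Return (view, message) findings for every VTY and local-user block."""
    findings = []
    for view, cmds in parse_views(config):
        if view.startswith("user-interface vty"):
            findings.extend(audit_vty(view, cmds))
        elif view.startswith("local-user"):
            if first(cmds, "password simple"):
                findings.append((view, "password stored in plain text (cipher is available)"))
    return findings


if __name__ == "__main__":
    for view, message in audit(SAMPLE_CONFIG):
        print(f"{view}: {message}")
```

Run against the sample, the VTY 0 block from the procedure produces no findings, while the local user and the vty 1 4 block are each reported once per weak setting. The same parser can be pointed at the output of display current-configuration copied from a real switch.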
Telnetting to a Switch
Telnetting to a Switch from a Terminal
1) Assign an IP address to VLAN-interface 1 of the switch (VLAN 1 is the default VLAN of the switch).
• Connect the serial port of your PC/terminal to the console port of the switch, as shown in Figure 3-4.
Figure 3-4 Diagram for establishing connection to a console port
• Launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 95/Windows 98/Windows NT/Windows 2000/Windows XP) on the PC terminal, with the baud rate set to 9,600 bps, data bits set to 8, parity check set to none, and flow control set to none.
• Turn on the switch and press Enter as prompted. The prompt (such as <H3C>) appears, as shown in the following figure.
Figure 3-5 The terminal window
• Perform the following operations in the terminal window to assign IP address 202.38.160.92/24 to VLAN-interface 1 of the switch.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
2) Perform Telnet-related configuration on the switch. Refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for more information.
3) Connect your PC/terminal and the switch to an Ethernet, as shown in Figure 3-6. Make sure the port through which the switch is connected to the Ethernet belongs to VLAN 1 and the route between your PC and VLAN-interface 1 is reachable.
Figure 3-6 Network diagram for Telnet connection establishment (the Ethernet switch, a workstation, a server, and the configuration PC running Telnet are attached to the same Ethernet through an Ethernet port of the switch)
4) Launch Telnet on your PC, with the IP address of VLAN-interface 1 of the switch as the parameter, as shown in Figure 3-7.
Figure 3-7 Launch Telnet
5) If the password authentication mode is specified, enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt (such as <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”. An H3C series Ethernet switch can accommodate up to five Telnet connections at the same time.
6) After successfully Telnetting to the switch, you can configure the switch or display information about the switch by executing the corresponding commands. You can also type ? at any time for help. Refer to the relevant parts of this manual for information about the commands.
• A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session.
• By default, commands of level 0 are available to Telnet users authenticated by password. Refer to the CLI part for information about the command hierarchy.
Telnetting to another Switch from the Current Switch
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
As shown in Figure 3-8, after Telnetting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command and then configure it.
Figure 3-8 Network diagram for Telnetting to another switch from the current switch
1) Perform Telnet-related configuration on the switch operating as the Telnet server. Refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for more information.
2) Telnet to the switch operating as the Telnet client.
3) Execute the following command on the switch operating as the Telnet client:
<Sysname> telnet xxxx
Note that xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.
4) After successful login, the CLI prompt (such as <Sysname>) appears. If all the VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”.
5) After successfully Telnetting to the switch, you can configure the switch or display information about the switch by executing the corresponding commands. You can also type ? at any time for help. Refer to the following chapters for information about the commands.
4 Logging In Using a Modem
Go to these sections for information you are interested in:
• Introduction
• Configuration on the Switch Side
• Modem Connection Establishment
Introduction
If a remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can dial in to its console port through the PSTN using a modem, and configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can manage the switches in the network remotely in this way.
To log in to a switch in this way, you need to configure the administrator side and the switch side properly, as listed in the following table.
Table 4-1 Requirements for logging in to a switch using a modem

Item | Requirement
Administrator side | The PC can communicate with the modem connected to it.
Administrator side | The modem is properly connected to the PSTN.
Administrator side | The telephone number of the switch side is available.
Switch side | The modem is properly connected to the console port of the switch.
Switch side | The modem is properly configured.
Switch side | The modem is properly connected to the PSTN and a telephone set.
Switch side | The authentication mode and other related settings are configured on the switch. Refer to Table 2-3.
Configuration on the Switch Side
Modem Configuration
Perform the following configuration on the modem directly connected to the switch:
AT&F      Restore the factory settings
ATS0=1    Configure the modem to answer automatically after the first ring
AT&D      Ignore the DTR signal
AT&K0     Disable flow control
AT&R1     Ignore the RTS signal
AT&S0     Set DSR to high level by force
ATEQ1&W   Disable the modem from returning command responses and results, and save the changes
You can verify your configuration by executing the AT&V command.
The configuration commands and the output of different modems may differ. Refer to the user manual
of the modem when performing the above configuration.
Switch Configuration
After logging in to a switch through its console port by using a modem, you enter the AUX user interface. The corresponding configuration on the switch is the same as that for logging in to the switch locally through its console port, except that:
• When you log in through the console port using a modem, the baud rate of the console port is usually set to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.
• Other settings of the console port, such as the check mode, the stop bits, and the data bits, remain at their defaults.
The configuration on the switch depends on the authentication mode the user is in. Refer to Table 2-3 for information about authentication mode configuration.
Configuration on switch when the authentication mode is none
Refer to Console Port Login Configuration with Authentication Mode Being None.
Configuration on switch when the authentication mode is password
Refer to Console Port Login Configuration with Authentication Mode Being Password.
Configuration on switch when the authentication mode is scheme
Refer to Console Port Login Configuration with Authentication Mode Being Scheme.
Modem Connection Establishment
1) Before using a modem to log in to the switch, perform the configuration corresponding to the authentication mode on the switch. Refer to Console Port Login Configuration with Authentication Mode Being None, Console Port Login Configuration with Authentication Mode Being Password, and Console Port Login Configuration with Authentication Mode Being Scheme for more information.
2) Configure the modem directly connected to the switch. Refer to Modem Configuration for the related configuration.
3) Connect your PC, the modems, and the switch, as shown in Figure 4-1. Make sure the modems are properly connected to telephone lines.
Figure 4-1 Establish the connection by using modems (the PC is attached to a modem through a modem serial cable; that modem reaches the modem at the console port of the switch over a telephone line through the PSTN; the telephone number of the remote end is 82882285)
4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through Figure 4-4. Note that you need to set the telephone number to that of the modem directly connected to the switch.
Figure 4-2 Create a connection
Figure 4-3 Set the telephone number
Figure 4-4 Call the modem
5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the related parts in this manual for information about the configuration commands.
If you perform no AUX user-related configuration on the switch, the commands of level 3 are available to modem users. Refer to the CLI part for information about command levels.
5 CLI Configuration
When configuring the CLI, go to these sections for information you are interested in:
• Introduction to the CLI
• Command Hierarchy
• CLI Views
• CLI Features
Introduction to the CLI
A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a
switch, a user can enter commands to configure the switch and check output information to verify
the configuration. Each S5100-SI/EI series Ethernet switch provides an easy-to-use CLI and a set
of configuration commands for the convenience of the user to configure and manage the switch.
The CLI on S5100-SI/EI series Ethernet switches provides the following features, which give it good manageability and operability.
• Hierarchical command protection: After users of different levels log in, they can only use commands at their own, or lower, levels. This prevents users from using unauthorized commands to configure switches.
• Online help: Users can get online help at any time by entering a question mark (?).
• Debugging: Abundant and detailed debugging information is provided to help users diagnose and locate network problems.
• Command history function: This enables users to check the commands that they have recently executed and re-execute them.
• Partial matching of commands: The system uses a partial matching method to search for commands. This allows users to execute a command by entering partially spelled command keywords, as long as the keywords entered can be uniquely identified by the system.
Command Hierarchy
Command Level and User Privilege Level
Command level
The S5100-SI/EI series Ethernet switches use hierarchical command protection for command lines, so as to prevent users at lower levels from using higher-level commands to configure the switches.
Based on user privilege, commands are classified into four levels, which default to:
• Visit level (level 0): Commands at this level are mainly used to diagnose the network, and they cannot be saved in the configuration file. For example, ping, tracert and telnet are level 0 commands.
• Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal.
• System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level. These commands can be used to provide network services directly.
• Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning the file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level.
User privilege level
Users logged into the switch fall into four user privilege levels, which correspond to the four
command levels respectively. Users at a specific level can only use the commands at the same
level or lower levels.
By default, the Console user (a user who logs into the switch through the Console port) is a level-3
user, and Telnet users are level-0 users.
You can use the user privilege level command to set the default user privilege level for users
logging in through a certain user interface. For details, refer to Login Operation.
If a user logs in using AAA authentication, the user privilege level depends on the configuration of the
AAA scheme. For details, refer to AAA Operation.
Modifying the Command Level
Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage
(level 3). By using the following command, the administrator can change the level of a command
in a specific view as required.
Follow these steps to set the level of a command in a specific view:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the level of a command in a specific view | command-privilege level level view view command | Required

• It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation.
• When you change the level of a command with multiple keywords, you must input the keywords one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.
Configuration example
The network administrator (a level 3 user) wants to change some TFTP commands (such as tftp get)
from level 3 to level 0, so that general Telnet users (level 0 users) are able to download files through
TFTP.
# Change the tftp get command in user view (shell) from level 3 to level 0. (Originally, only level 3 users
can change the level of a command.)
<Sysname> system-view
[Sysname] command-privilege level 0 view shell tftp
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get
[Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
After the above configuration, general Telnet users can use the tftp get command to download file
bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.
Switching User Level
After logging into the switch, users can change their current user levels through a command. Note that:
• If a switching password is set for a specific user level by the super password command, all users must enter the password correctly when they switch from lower user levels to this level (if a wrong password is entered, they remain at their original levels).
• If no switching password is set for a specific user level, the Console user can directly switch to the level, while Telnet users at lower levels will fail to switch to the level (they remain at their original levels) and information like the following is displayed: % Password is not set.
Setting a user level switching password
Table 5-1 Set a password for user level switching

Operation | Command | Remarks
Enter system view | system-view | —
Set the super password for user level switching | super password [ level level ] { cipher | simple } password | Required. By default, the super password is not set.

Switching to a specific user level
Table 5-2 Switch to a specific user level

Operation | Command | Remarks
Switch to a specified user level | super [ level ] | Required. Execute this command in user view.

• If no user level is specified in the super password command or the super command, level 3 is used by default.
• For security purposes, the password entered is not displayed when you switch to another user level. You remain at the original user level if you have tried three times but failed to enter the correct password.
Configuration example
After a general user telnets to the switch, his/her user level is 0. Now, the network administrator wants to
allow general users to switch to level 3, so that they are able to configure the switch.
# A level 3 user sets a switching password for user level 3.
<Sysname> system-view
[Sysname] super password level 3 simple 123
# A general user telnets to the switch, and then uses the set password to switch to user level 3.
<Sysname> super 3
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
# After configuring the switch, the general user switches back to user level 0.
<Sysname> super 0
User privilege level is 0, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
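To make the rules of this chapter testable offline, the following Python model (added here; it is not the switch's code) encodes the four command levels, the default level of console and Telnet logins, the super password behaviour including the three-attempt limit and the "% Password is not set" case, and the command-privilege change used in the TFTP example. The command table, the permission check on the two level-3 commands and the text of the failure message after three wrong passwords are illustrative assumptions; the super password 123 is the one from the example above.

```python
"""Model of the S5100 command hierarchy and user level switching.

Added example, not code from the manual. It encodes the rules stated in
the text: four command levels, default user levels per login type, the
super password behaviour and the three-attempt limit. The command table
and the permission-denied handling are illustrative assumptions.
"""

LEVEL_NAMES = {0: "VISIT", 1: "MONITOR", 2: "SYSTEM", 3: "MANAGE"}

# Illustrative default levels for commands the text names (assumption).
COMMAND_LEVELS = {
    "ping": 0, "tracert": 0, "telnet": 0,
    "debugging": 1, "terminal": 1,
    "vlan": 2,
    "tftp get": 3, "local-user": 3, "super password": 3, "command-privilege": 3,
}

DEFAULT_LEVEL = {"console": 3, "telnet": 0}   # defaults given in the text
MAX_ATTEMPTS = 3                               # password tries before giving up


class Switch:
    """State shared by all sessions: command levels and super passwords."""

    def __init__(self):
        self.command_levels = dict(COMMAND_LEVELS)
        self.super_passwords = {}            # level -> password; none set by default

    def set_super_password(self, session, password, level=3):
        """'super password [ level level ] ...' is itself a level-3 command."""
        if not session.can_run("super password"):
            return False
        self.super_passwords[level] = password
        return True

    def command_privilege(self, session, level, command):
        """'command-privilege level level view view command': move a command."""
        if not session.can_run("command-privilege"):
            return False
        self.command_levels[command] = level
        return True


class Session:
    """One logged-in user: console users start at level 3, Telnet users at 0."""

    def __init__(self, switch, login_type):
        self.switch = switch
        self.login_type = login_type
        self.level = DEFAULT_LEVEL[login_type]
        self.message = ""

    def can_run(self, command):
        """Hierarchical protection: only commands at or below the user's level."""
        if command not in self.switch.command_levels:
            raise ValueError("Unrecognized command")
        return self.level >= self.switch.command_levels[command]

    def super_(self, target=3, attempts=()):
        """Emulate 'super [ level ]'; attempts are the passwords the user types."""
        if target <= self.level:
            # Dropping to a lower (or the same) level never asks for a password.
            return self._switch_to(target)
        expected = self.switch.super_passwords.get(target)
        if expected is None:
            if self.login_type == "console":
                return self._switch_to(target)
            self.message = "% Password is not set"      # text from the manual
            return False
        for password in list(attempts)[:MAX_ATTEMPTS]:
            if password == expected:
                return self._switch_to(target)
        # Three failures: the user stays at the original level (message assumed).
        self.message = "Password check failed; user level unchanged"
        return False

    def _switch_to(self, target):
        self.level = target
        note = ", ".join(f"{lvl}-{name}" for lvl, name in LEVEL_NAMES.items())
        self.message = (f"User privilege level is {target}, and only those commands "
                        f"can be used whose level is equal or less than this.\n"
                        f"Privilege note: {note}")
        return True
```

Walking the example through the model: a Telnet session starts at level 0 and cannot switch up until the console user has set a super password; with the password set, the third attempt still succeeds while a fourth is never consulted; and after command-privilege moves tftp get to level 0, the level-0 session passes the can_run check for it, which is exactly the widening the TFTP example above asks for.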
CLI Views
CLI views are designed for different configuration tasks. They are related to one another but distinct. For example, once a user logs into a switch successfully, the user enters user view, where the user can perform some simple operations such as checking the operation status and statistics of the switch. After executing the system-view command, the user enters system view, from which the user can go to other views by entering the corresponding commands.
Table 5-3 lists the CLI views provided by S5100-SI/EI series Ethernet switches, the operations that can be performed in each CLI view, and the commands used to enter specific CLI views.
Table 5-3 CLI views

View | Available operation | Prompt example | Enter method | Quit method
User view | Display operation status and statistical information of the switch | <Sysname> | Enter user view once logging into the switch. | Execute the quit command to log out of the switch.
System view | Configure system parameters | [Sysname] | Execute the system-view command in user view. | Execute the quit or return command to return to user view.
Ethernet port view | Configure Ethernet port parameters | [Sysname-GigabitEthernet1/0/1] | 1000 Mbps Ethernet port view: execute the interface gigabitethernet command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Aux1/0/0 port (the console port) view | The S5100-SI/EI series do not support configuration on port Aux1/0/0 | [Sysname-Aux1/0/0] | Execute the interface aux 1/0/0 command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
VLAN view | Configure VLAN parameters | [Sysname-vlan1] | Execute the vlan command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
VLAN interface view | Configure VLAN interface parameters, including the management VLAN parameters | [Sysname-Vlan-interface1] | Execute the interface Vlan-interface command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Loopback interface view | Configure loopback interface parameters | [Sysname-LoopBack0] | Execute the interface loopback command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
NULL interface view | Configure NULL interface parameters | [Sysname-NULL0] | Execute the interface null command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Local user view | Configure local user parameters | [Sysname-luser-user1] | Execute the local-user command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
User interface view | Configure user interface parameters | [Sysname-ui-aux0] | Execute the user-interface command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
FTP client view | Configure FTP client parameters | [ftp] | Execute the ftp command in user view. | Execute the quit command to return to user view.
SFTP client view | Configure SFTP client parameters | sftp-client> | Execute the sftp command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
MST region view | Configure MST region parameters | [Sysname-mst-region] | Execute the stp region-configuration command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Cluster view | Configure cluster parameters | [Sysname-cluster] | Execute the cluster command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Public key view | Configure the RSA public key for SSH users | [Sysname-rsa-public-key] | Execute the rsa peer-public-key command in system view. | Execute the peer-public-key end command to return to system view.
Public key view | Configure the RSA or DSA public key for SSH users | [Sysname-peer-public-key] | Execute the public-key peer command in system view. | Execute the peer-public-key end command to return to system view.
Public key editing view | Edit the RSA public key for SSH users | [Sysname-rsa-key-code] | Execute the public-key-code begin command in public key view. | Execute the public-key-code end command to return to public key view.
Public key editing view | Edit the RSA or DSA public key for SSH users | [Sysname-peer-key-code] | Execute the public-key-code begin command in public key view. | Execute the public-key-code end command to return to public key view.
Basic ACL view | Define rules for a basic ACL (with ID ranging from 2000 to 2999) | [Sysname-aclbasic-2000] | Execute the acl number command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Advanced ACL view | Define rules for an advanced ACL (with ID ranging from 3000 to 3999) | [Sysname-acl-adv-3000] | Execute the acl number command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Layer 2 ACL view | Define rules for a layer 2 ACL (with ID ranging from 4000 to 4999). Only S5100-EI series Ethernet switches provide this view. | [Sysname-acl-ethernetframe-4000] | Execute the acl number command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
QoS profile view | Define a QoS profile. Only S5100-EI series Ethernet switches provide this view. | [Sysname-qos-profile-a123] | Execute the qos-profile command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
RADIUS scheme view | Configure RADIUS scheme parameters | [Sysname-radius-1] | Execute the radius scheme command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
ISP domain view | Configure ISP domain parameters | [Sysname-isp-aaa123.net] | Execute the domain command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
HWPing test group view | Configure HWPing test group parameters | [Sysname-hwping-a123-a123] | Execute the hwping command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
HWTACACS view | Configure HWTACACS parameters | [Sysname-hwtacacs-a123] | Execute the hwtacacs scheme command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
PoE profile view | Configure PoE profile parameters. Only S5100-PWR-EI series switches provide this view. | [Sysname-poe-profile-a123] | Execute the poe-profile command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Smart link group view | Configure smart link group parameters | [Sysname-smlk-group1] | Execute the smart-link group command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Monitor link group view | Configure monitor link group parameters | [Sysname-mtlk-group1] | Execute the monitor-link group command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Port-group view | Configure port-group parameters. Only S5100-EI series switches provide this view. | [Sysname-port-group-1] | Execute the port-group command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
QinQ view | Configure QinQ parameters. Only S5100-EI series Ethernet switches provide this view. | [Sysname-GigabitEthernet1/0/1-vid-20] | Execute the vlan-vpn vid command in GigabitEthernet port view. The vlan-vpn enable command must be executed first. | Execute the quit command to return to GigabitEthernet port view, or the return command to return to user view.
The shortcut key <Ctrl+Z> is equivalent to the return command.
CLI Features
Online Help
When configuring the switch, you can use the online help to get related help information. The CLI
provides two types of online help: complete and partial.
Complete online help
1) Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.
<Sysname> ?
User view commands:
  backup     Backup current configuration
  boot       Set boot option
  cd         Change current directory
  clock      Specify the system clock
  cluster    Run cluster command
  copy       Copy from one file to another
  debugging  Enable system debugging functions
  delete     Delete a file
  dir        List files on a file system
  display    Display current system information
<Other information is omitted>
2) Enter a command, a space, and a question mark (?).
If the question mark “?” is at a keyword position in the command, all available keywords at the position and their descriptions will be displayed on your terminal.
<Sysname> clock ?
  datetime     Specify the time and date
  summer-time  Configure summer time
  timezone     Configure time zone
If the question mark “?” is at an argument position in the command, the description of the argument will be displayed on your terminal.
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
If only <cr> is displayed after you enter “?”, it means no parameter is available at the “?” position, and you can enter and execute the command directly.
[Sysname] interface vlan-interface 1 ?
  <cr>
Partial online help
1) Enter a character/string, and then a question mark (?) next to it. All the commands beginning with the character/string will be displayed on your terminal. For example:
<Sysname> p?
ping
pwd
2) Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if available) are displayed on your terminal. For example:
<Sysname> display v?
version
vlan
voice
3) Enter the first several characters of a keyword of a command and then press <Tab>. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form. If there are multiple keywords beginning with the characters, you can have them displayed one by one (in complete form) by pressing <Tab> repeatedly.
Terminal Display
The CLI provides the screen splitting feature, which suspends display output when the screen is full. When display output pauses, you can perform the following operations as needed (see Table 5-4).
Table 5-4 Display-related operations

Operation | Function
Press <Ctrl+C> | Stop the display output and execution of the command.
Press any character except <Space>, <Enter>, /, +, and - when the display output pauses | Stop the display output.
Press the space key | Get to the next page.
Press <Enter> | Get to the next line.
Command History
The CLI provides the command history function. You can use the display history-command command to view a specific number of the latest executed commands and execute them again conveniently. By default, the CLI stores up to 10 latest executed commands for each user.
Follow these steps to view history commands:

Purpose | Operation | Remarks
Display the latest executed history commands | Execute the display history-command command | This command displays the command history.
Recall the previous history command | Press the up arrow key or <Ctrl+P> | This operation recalls the previous history command (if available).
Recall the next history command | Press the down arrow key or <Ctrl+N> | This operation recalls the next history command (if available).

• The Windows 9x HyperTerminal interprets the up and down arrow keys differently, so the two keys do not work for accessing history commands in that environment. You can use <Ctrl+P> and <Ctrl+N> instead to achieve the same purpose.
• When you enter the same command multiple times consecutively, only one history command entry is created by the command line interface.
Error Prompts
If a command passes the syntax check, it is executed; otherwise, an error message is displayed. Table 5-5 lists the common error messages.
Table 5-5 Common error messages

Error message | Remarks
Unrecognized command | The command does not exist; the keyword does not exist; the parameter type is wrong; or the parameter value is out of range.
Incomplete command | The command entered is incomplete.
Too many parameters | The parameters entered are too many.
Ambiguous command | The parameters entered are ambiguous.
Wrong parameter | A parameter entered is wrong.
found at '^' position | An error is found at the '^' position.
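The following Python functions (an added example, not the switch's own implementation) emulate the partial matching, online help and <Tab> completion described under CLI Features, and produce the error prompts of Table 5-5 for unrecognized, ambiguous, incomplete and over-long input. The command tree is a constructed subset of the keywords shown in the text (ping, pwd, display, clock and their sub-keywords); the column returned with each error is where the CLI prints the '^' marker.

```python
"""Emulation of the CLI's partial matching, online help and error prompts.

Added example, not the switch's own code. The command tree is a constructed
subset of keywords shown in the text; an empty dict marks a complete command.
"""

COMMANDS = {
    "ping": {},
    "pwd": {},
    "display": {"version": {}, "vlan": {}, "voice": {}},
    "clock": {"datetime": {}, "summer-time": {}, "timezone": {}},
}


def candidates(node, prefix):
    """Keywords in node that begin with prefix; an exact match wins outright."""
    if prefix in node:
        return [prefix]
    return sorted(k for k in node if k.startswith(prefix))


def online_help(line, tree=COMMANDS):
    """Emulate a line ending in '?': list the keywords that may follow, or <cr>."""
    body = line[:-1] if line.endswith("?") else line
    words = body.split()
    # A trailing space asks for help on the next position; otherwise the last
    # word is a partial keyword to be matched against that position.
    partial = "" if body.endswith(" ") or not words else words[-1]
    done = words if not partial else words[:-1]
    node = tree
    for word in done:
        match = candidates(node, word)
        if len(match) != 1:
            return []                      # earlier words cannot be resolved
        node = node[match[0]]
    if not node:
        return ["<cr>"]                    # command is complete; nothing follows
    return candidates(node, partial)


def tab_complete(line, tree=COMMANDS):
    """Emulate <Tab>: a unique keyword expands; several candidates are returned
    in the order repeated presses would show them; no match leaves the line."""
    matches = online_help(line + "?", tree)
    if not matches or matches == ["<cr>"]:
        return [line]
    head = line.rsplit(" ", 1)[0] + " " if " " in line else ""
    return [head + m for m in matches]


def resolve(line, tree=COMMANDS):
    """Expand abbreviated keywords as the CLI would.

    Returns ('ok', full_command, None) or ('error', message, caret_column) using
    the messages of Table 5-5; caret_column is where the CLI prints '^'."""
    node, words, pos = tree, [], 0
    for tok in line.split():
        pos = line.index(tok, pos)
        if not node:
            return "error", "Too many parameters", pos
        match = candidates(node, tok)
        if not match:
            return "error", "Unrecognized command", pos
        if len(match) > 1:
            return "error", "Ambiguous command", pos
        words.append(match[0])
        node = node[match[0]]
        pos += len(tok)
    if node:
        return "error", "Incomplete command", len(line)
    return "ok", " ".join(words), None


def format_error(line, message, column):
    """Render an error the way the CLI does: the caret under the offending token."""
    return f"{line}\n{' ' * column}^\n % {message} found at '^' position."
```

With this tree, dis vl resolves to display vlan, disp v is ambiguous because version, vlan and voice all match, and ping now is rejected as too many parameters; p? and display v? return the same candidate lists the text shows. The uniqueness rule in candidates is the whole of partial matching: a keyword is accepted only when exactly one keyword at that position begins with the typed characters.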
Command Edit
The CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 254. Table 5-6 lists the CLI edit operations.
Table 5-6 Edit operations

Press… | To…
A common key | Insert the corresponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters.
Backspace key | Delete the character on the left of the cursor and move the cursor one character to the left.
Left arrow key or <Ctrl+B> | Move the cursor one character to the left.
Right arrow key or <Ctrl+F> | Move the cursor one character to the right.
Up arrow key or <Ctrl+P>, down arrow key or <Ctrl+N> | Display history commands.
<Tab> | Use the partial online help. That is, when you input an incomplete keyword and press <Tab>, if the input parameter uniquely identifies a complete keyword, the system substitutes the complete keyword for the input parameter; if more than one keyword matches the input parameter, you can display them one by one (in complete form) by pressing <Tab> repeatedly; if no keyword matches the input parameter, the system displays your original input on a new line without any change.
6 Logging In Through the Web-based Network Management Interface
Go to these sections for information you are interested in:
• Introduction
• Establishing an HTTP Connection
• Configuring the Login Banner
• Enabling/Disabling the WEB Server
Introduction
An S5100-SI/EI Ethernet switch has a Web server built in. It enables you to log in to an
S5100-SI/EI Ethernet switch through a Web browser and then manage and maintain the switch
intuitively by interacting with the built-in Web server.
To log in to an S5100-SI/EI Ethernet switch through the built-in Web-based network management
interface, you need to perform the related configuration on both the switch and the PC operating
as the network management terminal.
Table 6-1 Requirements for logging in to a switch through the Web-based network management system

Item | Requirement
Switch | The VLAN interface of the switch is assigned an IP address, and the route between the switch and the Web network management terminal is reachable. (Refer to the IP Address Configuration – IP Performance Configuration and Routing Protocol parts for related information.)
Switch | The user name and password for logging in to the Web-based network management system are configured.
PC operating as the network management terminal | IE is available.
PC operating as the network management terminal | The IP address of the VLAN interface of the switch, the user name, and the password are available.
Establishing an HTTP Connection
1) Assign an IP address to VLAN-interface 1 of the switch (VLAN 1 is the default VLAN of the switch). See Telnetting to a Switch from a Terminal for related information.
2) Configure the user name and the password on the switch for the Web network management user to log in.
# Create a Web user account, setting both the user name and the password to admin and the user level to 3.
<Sysname> system-view
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet level 3
[Sysname-luser-admin] password simple admin
3) Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1.
Figure 6-1 Establish an HTTP connection between your PC and the switch
4) Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. (Make sure the route between the Web-based network management terminal and the switch is available.)
5) When the login authentication interface (as shown in Figure 6-2) appears, enter the user name and the password configured in step 2 and click <Login> to bring up the main page of the Web-based network management system.
Figure 6-2 The login page of the Web-based network management system
Configuring the Login Banner
Configuration Procedure
If a login banner is configured with the header command, a user logging in through Web sees the banner page before the login authentication page. The banner page shows the login banner text configured with the header command. By clicking <Continue> on the banner page, the user reaches the login authentication page and, after passing authentication, enters the main page of the Web-based network management system. If no login banner is configured with the header command, a user logging in through Web goes directly to the login authentication page.
Follow these steps to configure the login banner:
To do: Enter system view
  Command: system-view
  Remarks: —
To do: Configure the banner to be displayed when a user logs in through Web
  Command: header login text
  Remarks: Required. By default, no login banner is configured.
Configuration Example
Network requirements
- A user logs in to the switch through Web.
- The banner page is desired when a user logs into the switch.
Network diagram
Figure 6-3 Network diagram for login banner configuration
Configuration Procedure
# Enter system view.
<Sysname> system-view
# Configure the banner Welcome to be displayed when a user logs into the switch through Web.
[Sysname] header login %Welcome%
Assume that a route is available between the user terminal (the PC) and the switch. After the
above-mentioned configuration, if you enter the IP address of the switch in the address bar of the
browser running on the user terminal and press <Enter>, the browser will display the banner page, as
shown in Figure 6-4.
Figure 6-4 Banner page displayed when a user logs in to the switch through Web
Click <Continue> to enter user login authentication page. You will enter the main page of the
Web-based network management system if the authentication succeeds.
Enabling/Disabling the WEB Server
Follow these steps to enable/disable the WEB server:
To do: Enter system view
  Command: system-view
  Remarks: —
To do: Enable the Web server
  Command: undo ip http shutdown
  Remarks: Required. By default, the Web server is enabled.
To do: Disable the Web server
  Command: ip http shutdown
  Remarks: Required
To improve security and prevent attacks on unused sockets, TCP port 80 (used by the HTTP service) is opened or closed according to this configuration:
- Enabling the Web server (by using the undo ip http shutdown command) opens TCP port 80.
- Disabling the Web server (by using the ip http shutdown command) closes TCP port 80.
7 Logging In Through NMS
Go to these sections for information you are interested in:
- Introduction
- Connection Establishment Using NMS
Introduction
You can also log in to a switch through a Network Management Station (NMS), and then configure and
manage the switch through the agent software on the switch. Simple Network Management Protocol
(SNMP) is applied between the NMS and the agent. Refer to the SNMP-RMON part for related
information.
To log in to a switch through an NMS, you need to perform related configuration on both the NMS
and the switch.
Table 7-1 Requirements for logging in to a switch through an NMS
Item: Switch
Requirements:
- The IP address of the VLAN interface of the switch is configured. The route between the NMS and the switch is reachable. (Refer to the IP Address Configuration – IP Performance Configuration and Routing Protocol parts for related information.)
- The basic SNMP functions are configured. (Refer to the SNMP-RMON part for related information.)
Item: NMS
Requirements:
- The NMS is properly configured. (Refer to the user manual of your NMS for related information.)
Connection Establishment Using NMS
Figure 7-1 Network diagram for logging in through an NMS (the NMS reaches the switch across the network)
8 Configuring Source IP Address for Telnet Service Packets
Go to these sections for information you are interested in:
- Overview
- Configuring Source IP Address for Telnet Service Packets
- Displaying Source IP Address Configuration
Overview
You can configure a source IP address or source interface for the Telnet server and the Telnet client. This provides a way to manage services and enhances security.
The source IP address specified for Telnet service packets is the IP address of a loopback interface or a VLAN interface. After you specify the IP address of a virtual loopback interface or an unused VLAN interface as the source IP address of Telnet service packets, that IP address is used as the source address no matter which interface of the switch actually carries the packets between the Telnet client and the Telnet server. This conceals the IP address of the interface actually used, which protects the switch against external attacks and improves security. In addition, you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses, so that only specific users can log in to the switch.
Configuring Source IP Address for Telnet Service Packets
This feature can be configured in either user view or system view. The configuration performed in user
view takes effect for only the current session, while the configuration performed in system view takes
effect for all the following sessions.
Configuration in user view
Table 8-1 Configure a source IP address for service packets in user view
Operation: Specify a source IP address for the Telnet client
  Command: telnet remote-server source-ip ip-address
  Description: Optional
Operation: Specify a source interface for the Telnet client
  Command: telnet remote-server source-interface interface-type interface-number
  Description: Optional
Configuration in system view
Table 8-2 Configure a source IP address for service packets in system view
Operation: Specify a source IP address for the Telnet server
  Command: telnet-server source-ip ip-address
  Description: Optional
Operation: Specify a source interface for the Telnet server
  Command: telnet-server source-interface interface-type interface-number
  Description: Optional
Operation: Specify a source IP address for the Telnet client
  Command: telnet source-ip ip-address
  Description: Optional
Operation: Specify a source interface for the Telnet client
  Command: telnet source-interface interface-type interface-number
  Description: Optional
To perform the configurations listed in Table 8-1 and Table 8-2, make sure that:
- The IP address specified is that of the local device.
- The interface specified exists.
- If a source IP address (or source interface) is specified, the route between the IP addresses (or interfaces) of both sides is reachable.
Displaying Source IP Address Configuration
Execute the display commands in any view to display the operation state after the above configurations. You can verify the configuration effect through the displayed information.
Table 8-3 Display the source IP address configuration
Operation: Display the source IP address configured for the Telnet client
  Command: display telnet source-ip
  Description: You can execute the two commands in any view.
Operation: Display the source IP address configured for the Telnet server
  Command: display telnet-server source-ip
  Description: You can execute the two commands in any view.
9 User Control
Go to these sections for information you are interested in:
- Introduction
- Controlling Telnet Users
- Controlling Network Management Users by Source IP Addresses
- Controlling Web Users by Source IP Address
Refer to the ACL part for information about ACL.
Introduction
You can control users logging in through Telnet, SNMP and WEB by defining access control lists (ACLs), as listed in Table 9-1.
Table 9-1 Ways to control different types of login users
Login mode | Control method | Implementation | Related section
Telnet | By source IP address | Through basic ACL | Controlling Telnet Users
Telnet | By source and destination IP address | Through advanced ACL | Controlling Telnet Users
Telnet | By source MAC address | Through Layer 2 ACL | Controlling Telnet Users
SNMP | By source IP addresses | Through basic ACL | Controlling Network Management Users by Source IP Addresses
WEB | By source IP addresses | Through basic ACL | Controlling Web Users by Source IP Address
WEB | Disconnect Web users by force | By executing commands in CLI | Logging Out a Web User
Controlling Telnet Users
Introduction
Whether a Telnet user can access a VTY user interface is controlled by the ACL referenced on that user interface. For an introduction to ACLs, refer to the ACL part of this manual.
- If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection through this user interface.
- If an ACL is configured on the VTY user interface, there are two possibilities: if the packets for establishing a Telnet connection match a rule of the ACL configured on the VTY user interface, the connection is permitted or denied according to that rule; if they match no rule, the connection is denied directly.
Controlling Telnet Users by ACL
Controlling Telnet users by ACL can be done in the following two ways:
- inbound: Applies the ACL to the users Telnetting to the local switch through the VTY user interface.
- outbound: Applies the ACL to the users Telnetting to other devices through the current user interface. This keyword is unavailable to Layer 2 ACLs.
You can configure the following three types of ACLs as needed:
Table 9-2 ACL categories
Category | ACL number | Matching criteria
Basic ACL | 2000 to 2999 | Source IP address
Advanced ACL | 3000 to 3999 | Source IP address and destination IP address
Layer 2 ACL | 4000 to 4999 | Source MAC address
Source and destination in this manual refer to a Telnet client and a Telnet server respectively.
- If the inbound keyword is specified, the Telnet client is the user telnetting to the local switch and the Telnet server is the local switch.
- If the outbound keyword is specified, the Telnet client is the local switch, and the Telnet server is another device to which the user is telnetting.
Follow these steps to control Telnet users by ACL:
To do: Enter system view
  Command: system-view
  Remarks: —
To do: Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { auto | config } ]
  Remarks: As for the acl number command, the config keyword is specified by default.
To do: Define rules for the ACL
  Command: rule [ rule-id ] { deny | permit } [ rule-string ]
  Remarks: Required
To do: Quit to system view
  Command: quit
  Remarks: —
To do: Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]
  Remarks: —
To do: Apply an ACL to control Telnet users (apply a basic or advanced ACL)
  Command: acl acl-number { inbound | outbound }
  Remarks: Required. Use either this command or the Layer 2 ACL command below. The inbound keyword specifies to filter the users trying to Telnet to the current switch. The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch.
To do: Apply an ACL to control Telnet users (apply a Layer 2 ACL)
  Command: acl acl-number inbound
  Remarks: Required. Use either this command or the basic/advanced ACL command above.
Configuration Example
Network requirements
Only the Telnet users sourced from the IP address 10.110.100.52 are permitted to access the switch.
Network diagram
Figure 9-1 Network diagram for controlling Telnet users using ACLs (Host A, 10.110.100.46, and Host B, 10.110.100.52, reach the switch across an IP network)
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Apply the ACL.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses
You can manage an S5100-SI/EI Ethernet switch through network management software.
Network management users can access switches through SNMP.
You need to perform the following two operations to control network management users by source IP addresses:
- Defining an ACL
- Applying the ACL to control users accessing the switch through SNMP
To control whether an NMS can manage the switch, you can use this function.
Prerequisites
The controlling policy against network management users is determined, including the source IP
addresses to be controlled and the controlling actions (permitting or denying).
Controlling Network Management Users by Source IP Addresses
Controlling network management users by source IP addresses is achieved by applying basic
ACLs, which are numbered from 2000 to 2999.
Follow these steps to control network management users by source IP addresses:
To do: Enter system view
  Command: system-view
  Remarks: —
To do: Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { auto | config } ]
  Remarks: As for the acl number command, the config keyword is specified by default.
To do: Define rules for the ACL
  Command: rule [ rule-id ] { deny | permit } [ rule-string ]
  Remarks: Required
To do: Quit to system view
  Command: quit
  Remarks: —
To do: Apply the ACL while configuring the SNMP community name
  Command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
To do: Apply the ACL while configuring the SNMP group name
  Commands:
    snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
    snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
To do: Apply the ACL while configuring the SNMP user name
  Commands:
    snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
    snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ]
  Remarks (for the three "Apply the ACL" steps): Required. According to the SNMP version and configuration customs of NMS users, you can reference an ACL when configuring the community name, group name or user name. For the detailed configuration, refer to SNMP-RMON.
Configuration Example
Network requirements
Only SNMP users sourced from the IP address 10.110.100.52 are permitted to log in to the switch.
Network diagram
Figure 9-2 Network diagram for controlling SNMP users using ACLs (Host A, 10.110.100.46, and Host B, 10.110.100.52, reach the switch across an IP network)
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit SNMP users sourced from the IP address 10.110.100.52 to access the switch.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Controlling Web Users by Source IP Address
You can manage an S5100-SI/EI Ethernet switch remotely through Web. Web users can access a
switch through HTTP connections.
You need to perform the following two operations to control Web users by source IP addresses:
- Defining an ACL
- Applying the ACL to control Web users
To control whether a Web user can manage the switch, you can use this function.
Prerequisites
The controlling policy against Web users is determined, including the source IP addresses to be
controlled and the controlling actions (permitting or denying).
Controlling Web Users by Source IP Addresses
Controlling Web users by source IP addresses is achieved by applying basic ACLs, which are
numbered from 2000 to 2999.
Follow these steps to control Web users by source IP addresses:
To do: Enter system view
  Command: system-view
  Remarks: —
To do: Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: As for the acl number command, the config keyword is specified by default.
To do: Define rules for the ACL
  Command: rule [ rule-id ] { deny | permit } [ rule-string ]
  Remarks: Required
To do: Quit to system view
  Command: quit
  Remarks: —
To do: Apply the ACL to control Web users
  Command: ip http acl acl-number
  Remarks: Optional. By default, no ACL is applied for Web users.
Logging Out a Web User
The administrator can log out a Web user using the related command.
Follow the step below to log out a Web user:
To do: Log out a Web user
  Command: free web-users { all | user-id user-id | user-name user-name }
  Remarks: Required. Available in user view
Configuration Example
Network requirements
Only the Web users sourced from the IP address 10.110.100.52 are permitted to access the switch.
Network diagram
Figure 9-3 Network diagram for controlling Web users using ACLs (Host A, 10.110.100.46, and Host B, 10.110.100.52, reach the switch across an IP network)
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2030
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2030] quit
# Apply ACL 2030 to only permit the Web users sourced from the IP address 10.110.100.52 to access the switch.
[Sysname] ip http acl 2030
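The following Python model is an added example (it is not part of this manual and not H3C code). It applies the matching rules given in Controlling Telnet Users to the basic ACL used by the three configuration examples above (Telnet, SNMP and Web), so that an administrator can check offline which login sources a given acl/rule set would admit. It assumes that the trailing number in "rule ... source A.B.C.D W" is a wildcard mask in which a 0 bit means "this bit must match" and that a bare "0" stands for 0.0.0.0.

```python
"""Model of the login-source control described in this chapter (added example,
not H3C code).  It reads the basic ACL from the chapter's configuration examples
and decides, for a candidate source IP address, whether a Telnet, SNMP or Web
login sourced from it would be admitted.

Semantics modelled (see "Controlling Telnet Users" above):
- no ACL referenced on the VTY interface, SNMP community or HTTP service:
  the login is not controlled;
- an ACL referenced: a source matching a rule gets that rule's action, a source
  matching no rule is denied;
- rules are tried in the order they were entered (match-order config, default).
Assumption: the trailing number in "rule ... source A.B.C.D W" is a wildcard
mask in which a 0 bit means "this bit must match", and a bare "0" means 0.0.0.0.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")          # "[Sysname-acl-basic-2000] "
ACL_RE = re.compile(r"^acl\s+number\s+(\d+)")
RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?P<addr>\S+)\s+(?P<wild>\S+))?\s*$"
)


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    source: Optional[Tuple[int, int]]    # (address, wildcard) as ints; None = any


def _to_int(dotted: str) -> int:
    """Dotted quad to int; a bare '0' is the manual's shorthand for 0.0.0.0."""
    return 0 if dotted == "0" else int(ipaddress.IPv4Address(dotted))


def parse_basic_acl(lines: List[str]) -> Tuple[int, List[Rule]]:
    """Parse 'acl number N' and its 'rule' lines as typed at the CLI."""
    acl_number = None
    rules: List[Rule] = []
    for raw in lines:
        line = PROMPT_RE.sub("", raw.strip())
        m = ACL_RE.match(line)
        if m:
            acl_number = int(m.group(1))
            if not 2000 <= acl_number <= 2999:         # Table 9-2: basic ACL range
                raise ValueError(f"{acl_number} is not a basic ACL number")
            continue
        m = RULE_RE.match(line)
        if m:
            src = None
            if m.group("addr"):
                src = (_to_int(m.group("addr")), _to_int(m.group("wild")))
            rules.append(Rule(int(m.group("id")), m.group("action"), src))
    if acl_number is None:
        raise ValueError("no 'acl number' line found")
    return acl_number, rules


def rule_matches(rule: Rule, ip: str) -> bool:
    if rule.source is None:
        return True
    addr, wild = rule.source
    care = ~wild & 0xFFFFFFFF                   # bits that must be equal
    return (_to_int(ip) & care) == (addr & care)


def login_allowed(rules: List[Rule], ip: str, acl_applied: bool = True) -> bool:
    """Decision for a login packet sourced from ip."""
    if not acl_applied:                         # nothing referenced: not controlled
        return True
    for rule in rules:                          # configuration order
        if rule_matches(rule, ip):
            return rule.action == "permit"
    return False                                # matches no rule: denied


# Constructed input: the ACL used by the chapter's three configuration examples.
EXAMPLE_ACL = [
    "[Sysname] acl number 2000",
    "[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0",
    "[Sysname-acl-basic-2000] quit",
]


def example_decisions() -> dict:
    """Host B (10.110.100.52) is admitted; Host A (10.110.100.46) is not."""
    _, rules = parse_basic_acl(EXAMPLE_ACL)
    return {ip: login_allowed(rules, ip) for ip in ("10.110.100.52", "10.110.100.46")}


if __name__ == "__main__":
    for host, ok in example_decisions().items():
        print(host, "permitted" if ok else "denied")
```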
Table of Contents
1 Configuration File Management  1-1
  Introduction to Configuration File  1-1
  Configuration Task List  1-2
    Saving the Current Configuration  1-2
    Erasing the Startup Configuration File  1-3
    Specifying a Configuration File for Next Startup  1-4
    Displaying Switch Configuration  1-5
1 Configuration File Management
When configuring configuration file management, go to these sections for information you are interested in:
- Introduction to Configuration File
- Configuration Task List
Introduction to Configuration File
A configuration file records and stores the user configuration performed on a switch. It also enables users to check the switch configuration easily.
Types of configuration
The configuration of a switch falls into two types:
- Saved configuration, a configuration file used for initialization. If this file does not exist, the switch starts up without loading any configuration file.
- Current configuration, which refers to the user's configuration during the operation of a switch. This configuration is stored in dynamic random-access memory (DRAM) and is lost when the switch reboots.
Format of configuration file
Configuration files are saved as text files for ease of reading. They have the following characteristics:
- The configuration is saved in the form of commands.
- Only non-default configuration settings are saved.
- The commands are grouped into sections by command view: commands of the same command view are grouped into one section. Sections are separated by comment lines. (A line is a comment line if it starts with the character #.)
- The sections are listed in this order: system configuration section, logical interface configuration section, physical port configuration section, routing protocol configuration section, user interface configuration section, and so on.
- The file ends with a return.
The operating interface provided by the configuration file management function is user-friendly. With it,
you can easily manage your configuration files.
Main/backup attribute of the configuration file
Main and backup indicate the main and backup attribute of a configuration file respectively. A main configuration file and a backup configuration file can coexist on the switch, so that when the main configuration file is missing or damaged, the backup file can be used instead. This increases the safety and reliability of the file system compared with a switch that supports only one configuration file. A file can have both the main and the backup attribute, but at most one file with the main attribute and one file with the backup attribute are allowed on a switch.
The following three situations are concerned with the main/backup attributes:
- When saving the current configuration, you can specify the file to be a main, backup or normal configuration file.
- When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both the main and backup attribute, you can specify to erase the main or backup attribute of the file.
- When setting the configuration file for next startup, you can specify to use the main or backup configuration file.
Startup with the configuration file
When booting, the system chooses the configuration file following the rules below:
1) If the main configuration file exists, the switch initializes with this configuration.
2) If the main configuration file does not exist but the backup configuration file exists, the switch initializes with the backup configuration.
3) If neither the main nor the backup configuration file exists, the switch starts up without loading a configuration file.
Configuration Task List
Complete these tasks to configure configuration file management:
Task: Saving the Current Configuration (Optional)
Task: Erasing the Startup Configuration File (Optional)
Task: Specifying a Configuration File for Next Startup (Optional)
Saving the Current Configuration
You can modify the configuration on your switch at the command line interface (CLI). To use the modified configuration for your subsequent startups, you must save it (using the save command) as a configuration file.
Use the following command to save the current configuration:
To do: Save the current configuration
  Command: save [ cfgfile | [ safely ] [ backup | main ] ]
  Remarks: Required. Available in any view
Modes in saving the configuration
- Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process.
- Safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file slower but can retain the original configuration file in the switch even if the switch reboots or the power fails during the process.
When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in one of the following two ways when it starts up next time:
- If a configuration file with the extension .cfg exists in the Flash, the switch uses that configuration file to initialize itself when it starts up next time.
- If there is no .cfg configuration file in the Flash, but there is a configuration file with the extension .cfgbak (backup configuration file containing the original configuration information) and/or a configuration file with the extension .cfgtmp (temporary configuration file containing the current configuration information) in the Flash, you can change the extension .cfgbak or .cfgtmp to .cfg using the rename command. The switch will use the renamed configuration file to initialize itself when it starts up next time.
For details of the rename command, refer to the File System Management part of the manual.
Three attributes of the configuration file
- Main attribute. When you use the save [ [ safely ] [ main ] ] command to save the current configuration, the configuration file you get has the main attribute. If this configuration file already exists and has the backup attribute, the file will have both the main and backup attributes after execution of this command. If the filename you entered is different from that of the existing main configuration file, this command erases the main attribute of the existing file, so that only one configuration file with the main attribute exists on the switch.
- Backup attribute. When you use the save [ safely ] backup command to save the current configuration, the configuration file you get has the backup attribute. If this configuration file already exists and has the main attribute, the file will have both the main and backup attributes after execution of this command. If the filename you entered is different from that of the existing backup configuration file, this command erases the backup attribute of the existing file, so that only one configuration file with the backup attribute exists on the switch.
- Normal attribute. When you use the save cfgfile command to save the current configuration, the configuration file you get has the normal attribute if it is not an existing file. Otherwise, the attribute depends on the original attribute of the file.
- It is recommended to adopt the fast saving mode under stable power conditions and the safe mode under unstable power conditions or during remote maintenance.
- The extension name of the configuration file must be .cfg.
Erasing the Startup Configuration File
You can clear the configuration files saved on the switch through commands.
Use the following command to erase the configuration file:
To do: Erase the startup configuration file from the storage of the switch
  Command: reset saved-configuration [ backup | main ]
  Remarks: Required. Available in user view
You may need to erase the configuration file for one of these reasons:
- After you upgrade software, the old configuration file does not match the new software.
- The startup configuration file is corrupted or not the one you needed.
The following two situations exist:
- While the reset saved-configuration [ main ] command erases the configuration file with the main attribute, it only erases the main attribute of a configuration file having both the main and backup attribute.
- While the reset saved-configuration backup command erases the configuration file with the backup attribute, it only erases the backup attribute of a configuration file having both the main and backup attribute.
This command will permanently delete the configuration file from the switch.
Specifying a Configuration File for Next Startup
Use the following command to specify a configuration file for next startup:
To do: Specify a configuration file for next startup
  Command: startup saved-configuration cfgfile [ backup | main ]
  Remarks: Required. Available in user view
You can specify a configuration file to be used for the next startup and configure the main/backup
attribute for the configuration file.
Assigning main attribute to the startup configuration file
- If you save the current configuration to the main configuration file, the system will automatically set the file as the main startup configuration file.
- You can also use the startup saved-configuration cfgfile [ main ] command to set the file as the main startup configuration file.
Assigning backup attribute to the startup configuration file
- If you save the current configuration to the backup configuration file, the system will automatically set the file as the backup startup configuration file.
- You can also use the startup saved-configuration cfgfile backup command to set the file as the backup startup configuration file.
- The configuration file must use .cfg as its extension name, and the startup configuration file must be saved in the root directory of the switch.
- If you select to skip the current configuration file to boot the device in the Boot ROM menu, it takes effect only once. When you restart the device, the device starts with the previously specified configuration file.
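The following Python model is an added example (not part of this manual and not H3C code) of the main/backup attribute rules set out in the Saving, Erasing and Specifying sections above: how save, reset saved-configuration and startup saved-configuration move the attributes between files, and which file the switch loads at the next startup. It assumes that the Flash root directory holds the files and that, as the chapter describes, the startup file is chosen from the files' attributes.

```python
"""Model of the main/backup attribute rules for saved configuration files set out
in the Saving, Erasing and Specifying sections above (added example, not H3C
code).  It assumes the Flash root directory holds the files and that the switch
picks its startup file from the files' attributes, as the chapter describes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ConfigFile:
    name: str
    attrs: Set[str] = field(default_factory=set)   # subset of {"main", "backup"}


class ConfigFlash:
    """The configuration files on one switch and the commands that act on them."""

    def __init__(self) -> None:
        self.files: Dict[str, ConfigFile] = {}

    @staticmethod
    def _check_name(name: str) -> None:
        if not name.endswith(".cfg"):
            raise ValueError("the extension name of the configuration file must be .cfg")
        if "/" in name:
            raise ValueError("the startup configuration file must be in the root directory")

    def _assign(self, name: str, attr: str) -> None:
        """Give name the attribute; at most one file may carry each attribute."""
        for other in self.files.values():
            if other.name != name:
                other.attrs.discard(attr)
        self.files[name].attrs.add(attr)

    def save(self, name: str, attr: Optional[str] = "main") -> None:
        """save [ safely ] [ main ] -> attr="main"; save [ safely ] backup ->
        attr="backup"; save cfgfile -> attr=None (normal if new, else unchanged)."""
        self._check_name(name)
        if name not in self.files:
            self.files[name] = ConfigFile(name)
        if attr is not None:
            self._assign(name, attr)           # an existing other attribute is kept

    def reset_saved_configuration(self, attr: str = "main") -> Optional[str]:
        """reset saved-configuration [ backup | main ]: delete the file carrying
        attr, or only strip attr if the file carries both attributes."""
        target = next((f for f in self.files.values() if attr in f.attrs), None)
        if target is None:
            return None
        if len(target.attrs) == 2:
            target.attrs.discard(attr)
        else:
            del self.files[target.name]        # permanently deleted
        return target.name

    def startup_saved_configuration(self, name: str, attr: str = "main") -> None:
        """startup saved-configuration cfgfile [ backup | main ]."""
        self._check_name(name)
        if name not in self.files:
            raise FileNotFoundError(name)
        self._assign(name, attr)

    def startup_file(self) -> Optional[str]:
        """File loaded at next boot: main first, then backup, else none."""
        for attr in ("main", "backup"):
            for f in self.files.values():
                if attr in f.attrs:
                    return f.name
        return None


def walkthrough() -> list:
    """Constructed scenario; returns the startup file after each step."""
    flash = ConfigFlash()
    flash.save("config.cfg", None)           # save cfgfile: normal attribute
    flash.save("config.cfg")                 # save: config.cfg becomes main
    flash.save("config.cfg", "backup")       # save backup: now main + backup
    flash.save("new.cfg")                    # new.cfg takes the main attribute
    trace = [flash.startup_file()]           # new.cfg
    flash.reset_saved_configuration("main")  # new.cfg had only main: deleted
    trace.append(flash.startup_file())       # config.cfg, via its backup attribute
    flash.reset_saved_configuration("backup")
    trace.append(flash.startup_file())       # nothing left to load
    return trace


if __name__ == "__main__":
    print(walkthrough())
```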
Displaying Switch Configuration
To do: Display the initial configuration file saved in the Flash of a switch
  Command: display saved-configuration [ unit unit-id ] [ by-linenum ]
To do: Display the configuration file used for this and next startup
  Command: display startup [ unit unit-id ]
To do: Display the current VLAN configuration of the switch
  Command: display current-configuration vlan [ vlan-id ] [ by-linenum ]
To do: Display the validated configuration in current view
  Command: display this [ by-linenum ]
To do: Display current configuration
  Command: display current-configuration [ configuration [ configuration-type ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ]
Remarks: All of these commands are available in any view.
Table of Contents
1 VLAN Overview  1-1
  VLAN Overview  1-1
    Introduction to VLAN  1-1
    Advantages of VLANs  1-2
    VLAN Fundamentals  1-2
    VLAN Interface  1-4
    VLAN Classification  1-4
  Port-Based VLAN  1-4
    Link Types of Ethernet Ports  1-5
    Assigning an Ethernet Port to Specified VLANs  1-5
    Configuring the Default VLAN ID for a Port  1-5
  Protocol-Based VLAN  1-6
    Introduction to Protocol-Based VLAN  1-6
    Encapsulation Format of Ethernet Data  1-7
    Procedure for the Switch to Judge Packet Protocol  1-9
    Encapsulation Formats  1-9
    Implementation of Protocol-Based VLAN  1-10
2 VLAN Configuration  2-1
  VLAN Configuration  2-1
    VLAN Configuration Task List  2-1
    Basic VLAN Configuration  2-1
    Basic VLAN Interface Configuration  2-2
    Displaying VLAN Configuration  2-3
  Configuring a Port-Based VLAN  2-3
    Port-Based VLAN Configuration Task List  2-3
    Configuring the Link Type of an Ethernet Port  2-3
    Assigning an Ethernet Port to a VLAN  2-4
    Configuring the Default VLAN for a Port  2-5
    Displaying and Maintaining Port-Based VLAN  2-5
    Port-Based VLAN Configuration Example  2-5
  Configuring a Protocol-Based VLAN  2-7
    Protocol-Based VLAN Configuration Task List  2-7
    Configuring a Protocol Template for a Protocol-Based VLAN  2-7
    Associating a Port with a Protocol-Based VLAN  2-8
    Displaying Protocol-Based VLAN Configuration  2-9
    Protocol-Based VLAN Configuration Example  2-9
1
VLAN Overview
This chapter covers these topics:
- VLAN Overview
- Port-Based VLAN
- Protocol-Based VLAN
VLAN Overview
Introduction to VLAN
Traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, the basic network connection devices, have limited forwarding functions.
- A hub is a physical layer device without the switching function, so it forwards a received packet to all ports except the inbound port of the packet.
- A switch is a link layer device that can forward a packet according to the MAC address of the packet. However, when the switch receives a broadcast packet, or an unknown unicast packet whose MAC address is not in the MAC address table of the switch, it forwards the packet to all ports except the inbound port of the packet.
These scenarios can result in the following network problems:
- Large quantities of broadcast packets or unknown unicast packets may exist in a network, wasting network resources.
- A host in the network receives many packets that are not destined for it, which can cause serious security problems.
Isolating broadcast domains is the solution to these problems. The traditional way is to use routers, which forward packets according to the destination IP address and do not forward link layer broadcast packets. However, routers are expensive and provide few ports, so they cannot split the network efficiently. Therefore, using routers to isolate broadcast domains has many limitations.
The Virtual Local Area Network (VLAN) technology is developed for switches to control broadcasts in
LANs.
A VLAN can span multiple physical spaces. This enables hosts in a VLAN to be located in different
physical locations.
By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which
has a broadcast domain of its own. Hosts in the same VLAN communicate in the traditional Ethernet
way. However, hosts in different VLANs cannot communicate with each other directly but need the help
of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN
implementation.
Figure 1-1 A VLAN implementation
Advantages of VLANs
Compared with traditional Ethernet technology, VLAN technology delivers the following benefits:
- Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance.
- Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.
- Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.
VLAN Fundamentals
VLAN tag
To enable a network device to identify frames of different VLANs, a VLAN tag field is inserted into the
data link layer encapsulation.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by IEEE in 1999.
In the header of a traditional Ethernet data frame, the field after the destination MAC address and the
source MAC address (DA&SA) is the Type field indicating the upper layer protocol type, as shown in
Figure 1-2.
Figure 1-2 Encapsulation format of traditional Ethernet frames
IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 1-3.
Figure 1-3 Format of VLAN tag
A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
- The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
- The 3-bit priority field indicates the 802.1p priority of the frame. Refer to the “QoS-QoS profile” part of this manual for details.
- The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the canonical format, so that the receiving device can interpret the MAC addresses correctly. Value 0 indicates that the MAC addresses are encapsulated in canonical format; value 1 indicates that they are encapsulated in non-canonical format. The field is set to 0 by default.
- The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved by the protocol, a VLAN ID actually ranges from 1 to 4094.
The Ethernet II encapsulation format is used here. Besides Ethernet II, Ethernet also supports other encapsulation formats such as 802.2 LLC and 802.2 SNAP. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification. Refer to section Encapsulation Format of Ethernet Data for the 802.2/802.3 encapsulation formats.
The VLAN ID identifies the VLAN to which a packet belongs. When a switch receives a packet carrying no VLAN tag, the switch tags the packet with the default VLAN ID of the inbound port and sends the packet to the default VLAN of the inbound port for transmission. For details about setting the default VLAN of a port, refer to Configuring the Default VLAN ID for a Port.
MAC address learning mechanism of VLANs
Switches make forwarding decisions based on destination MAC addresses. For this purpose, each
switch maintains a MAC address table, of which each entry records the MAC address of a terminal
connected to the switch and to which port this terminal is connected, assuming that no VLAN is involved.
For the ease of management, a MAC learning mechanism is adopted on switches. With this mechanism,
a switch can populate its MAC address table automatically by learning the source MAC address of
incoming traffic and on which port the traffic is received. When forwarding traffic destined for the learned
MAC address, the switch looks up the table and forwards the traffic according to the entry.
After VLANs are configured, a switch adopts one of the following MAC address learning mechanisms:
- Shared VLAN learning (SVL), where the switch records all learned MAC address entries in one MAC address table, regardless of the VLAN in which they are learned. This table is called the shared MAC address forwarding table. Packets received in any VLAN on a port are forwarded according to this table.
- Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded in the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN.
Currently, the H3C S5100-SI/EI series Ethernet switches adopt the IVL mode only. For more information about the MAC address forwarding table, refer to the “MAC Address Forwarding Table Management” part of the manual.
VLAN Interface
Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to perform Layer 3 forwarding. The S5100-SI/EI series Ethernet switches support VLAN interface configuration to forward packets at Layer 3.
A VLAN interface is a virtual Layer 3 interface used for Layer 3 communication between different VLANs; it does not exist on a switch as a physical entity. Each VLAN has a VLAN interface, which can forward packets of the local VLAN to the destination IP addresses at the network layer. Normally, since VLANs isolate broadcast domains, each VLAN corresponds to an IP network segment, and the VLAN interface serves as the gateway of the segment to forward packets at Layer 3 based on IP addresses.
An S5100-SI/EI series switch can be configured with a single VLAN interface only, and the VLAN must be the management VLAN. For details about the management VLAN, refer to the “Management VLAN Configuration” part of this manual.
VLAN Classification
Depending on how VLANs are established, VLANs fall into the following six categories:
- Port-based VLANs
- MAC address-based VLANs
- Protocol-based VLANs
- IP-subnet-based VLANs
- Policy-based VLANs
- Other types
At present, the S5100-SI/EI series switches support port-based and protocol-based VLANs.
Port-Based VLAN
Port-based VLAN is the simplest way to classify VLANs. You assign the ports on the device to different VLANs, so packets received on a port are transmitted through the corresponding VLAN only; this isolates hosts into different broadcast domains and divides them into different virtual workgroups.
Ports on Ethernet switches have three link types: access, trunk, and hybrid. The three types of ports differ in how they are added to a VLAN and how they forward packets.
Port-based VLANs are easy to implement and manage, and are applicable to hosts with relatively fixed positions.
Link Types of Ethernet Ports
The link type of an Ethernet port on the S5100-SI/EI series can be one of the following:
- Access: An access port can belong to only one VLAN, and is generally connected to a user PC.
- Trunk: A trunk port can belong to more than one VLAN. It can forward packets for multiple VLANs, and is generally connected to another switch.
- Hybrid: A hybrid port can belong to more than one VLAN to forward packets for multiple VLANs. It can be connected to either a switch or a user PC.
A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged.
The three types of ports can coexist on the same device.
Assigning an Ethernet Port to Specified VLANs
You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on
the current switch to communicate with the same VLAN on the peer switch.
An access port can be assigned to only one VLAN, while a hybrid or trunk port can be assigned to
multiple VLANs.
Before assigning an access or hybrid port to a VLAN, create the VLAN first.
Configuring the Default VLAN ID for a Port
An access port can belong to only one VLAN. Therefore, the VLAN an access port belongs to is also the
default VLAN of the access port. A hybrid/trunk port can belong to multiple VLANs, so you should
configure a default VLAN ID for the port.
After a port is added to a VLAN and configured with a default VLAN, the port receives and sends
packets in a way related to its link type. For detailed description, refer to the following tables:
Table 1-1 Packet processing of an access port
Incoming untagged packet: receive the packet and tag it with the default VLAN tag.
Incoming tagged packet:
- If the VLAN ID is the default VLAN ID, receive the packet.
- If the VLAN ID is not the default VLAN ID, discard the packet.
Outgoing packet: strip the tag from the packet and send the packet.
Table 1-2 Packet processing of a trunk port
Incoming untagged packet:
- If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet.
- If the port has not been added to its default VLAN, discard the packet.
Incoming tagged packet:
- If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet.
- If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet.
Outgoing packet:
- If the VLAN ID is the default VLAN ID, strip off the tag and send the packet.
- If the VLAN ID is not the default VLAN ID, keep the original tag unchanged and send the packet.
Table 1-3 Packet processing of a hybrid port
Incoming untagged packet:
- If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet.
- If the port has not been added to its default VLAN, discard the packet.
Incoming tagged packet:
- If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet.
- If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet.
Outgoing packet: send the packet if the VLAN ID is allowed to pass through the port. Use the port hybrid vlan command to configure whether the port keeps or strips off the tags when sending packets of a VLAN (including the default VLAN).
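The following is an added example in Python, my own code and not from the manual or H3C: it models the four-byte 802.1Q tag described under VLAN tag and the ingress and egress rules of Tables 1-1 to 1-3 for access, trunk and hybrid ports, and the last function shows why both ends of a trunk link must use the same default VLAN ID. The Port class, its field names and the sample frame are assumptions.

```python
"""802.1Q tag handling and per-link-type packet processing (Tables 1-1 to 1-3).

Constructed example: frames are bytes objects; a Port object stands for one Ethernet
port and its VLAN configuration. Names are assumptions, not the switch's own.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TPID = 0x8100  # tag protocol identifier of a VLAN-tagged frame (default on these switches)


def parse_tag(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (priority, CFI, VLAN ID) from the tag following DA&SA, or None if untagged."""
    if len(frame) < 18:  # DA (6) + SA (6) + tag (4) + Type (2)
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def add_tag(frame: bytes, vlan_id: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the four-byte VLAN tag between DA&SA and the Type field."""
    if not 1 <= vlan_id <= 4094:  # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be in the range 1 to 4094")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the VLAN tag, restoring the traditional Ethernet header."""
    return frame[:12] + frame[16:] if parse_tag(frame) is not None else frame


@dataclass
class Port:
    link_type: str  # "access", "trunk" or "hybrid"
    pvid: int = 1  # default VLAN ID of the port
    permitted: Set[int] = field(default_factory=lambda: {1})  # VLANs the port belongs to
    untagged: Set[int] = field(default_factory=lambda: {1})  # hybrid only: VLANs sent untagged

    def receive(self, frame: bytes) -> Optional[bytes]:
        """Ingress: return the (tagged) frame to forward, or None when the port discards it."""
        tag = parse_tag(frame)
        if tag is None:  # untagged packet: tag it with the default VLAN tag
            if self.link_type == "access" or self.pvid in self.permitted:
                return add_tag(frame, self.pvid)
            return None  # trunk/hybrid port that has not been added to its default VLAN
        allowed = {self.pvid} if self.link_type == "access" else self.permitted
        return frame if tag[2] in allowed else None

    def send(self, frame: bytes) -> Optional[bytes]:
        """Egress of a frame that was tagged on ingress, per the 'outgoing packet' columns."""
        tag = parse_tag(frame)
        if tag is None:
            raise ValueError("frames inside the switch carry a VLAN tag")
        vid = tag[2]
        if self.link_type == "access":
            return strip_tag(frame)  # access ports always send untagged
        if vid not in self.permitted:
            return None  # VLAN not allowed to pass through this port
        if self.link_type == "trunk":
            return strip_tag(frame) if vid == self.pvid else frame  # only the default VLAN goes untagged
        return strip_tag(frame) if vid in self.untagged else frame  # hybrid: port hybrid vlan ... untagged


# Constructed untagged frame: DA, SA, Type 0x0800 (IP) and padding to the 60-byte minimum.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x00" * 46


def pvid_mismatch_demo() -> Tuple[int, int]:
    """Why both ends of a trunk must use the same default VLAN ID.

    Switch A sends VLAN 201 (its default VLAN) untagged; a peer with default VLAN 201
    puts it back into VLAN 201, a peer with default VLAN 101 silently moves it into VLAN 101.
    """
    a = Port("trunk", pvid=201, permitted={101, 201})
    peer_ok = Port("trunk", pvid=201, permitted={101, 201})
    peer_bad = Port("trunk", pvid=101, permitted={101, 201})
    on_wire = a.send(add_tag(SAMPLE_FRAME, 201))  # leaves switch A untagged
    return parse_tag(peer_ok.receive(on_wire))[2], parse_tag(peer_bad.receive(on_wire))[2]
```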
Protocol-Based VLAN
Introduction to Protocol-Based VLAN
Protocol-based VLAN, also known as protocol VLAN, is another way to classify VLANs. With protocol-based VLANs, the switch analyzes the untagged packets received on a port and matches them against user-defined protocol templates according to their encapsulation formats and the values of specific fields. If a packet matches a template, the switch adds the corresponding VLAN tag to it automatically, so that data of a specific protocol is assigned to the corresponding VLAN for transmission.
This feature binds the ToS provided in the network to VLANs to facilitate management and maintenance.
Encapsulation Format of Ethernet Data
This section introduces the common encapsulation formats of Ethernet data for you to understand the
procedure for the switch to identify the packet protocols.
Ethernet II and 802.2/802.3 encapsulation
There are two encapsulation types of Ethernet packets: Ethernet II defined by RFC 894 and
802.2/802.3 defined by RFC 1042. The two encapsulation formats are described in the following
figures.
Ethernet II packet:
Figure 1-4 Ethernet II encapsulation format
802.2/802.3 packet:
Figure 1-5 802.2/802.3 encapsulation format
In the two figures, DA and SA refer to the destination MAC address and source MAC address of the
packet respectively. The number in the bracket indicates the field length in bytes.
The maximum length of an Ethernet packet is 1500 bytes, that is, 0x05DC in hexadecimal, so the length field in 802.2/802.3 encapsulation is in the range 0x0000 to 0x05DC. The type field in Ethernet II encapsulation, by contrast, is in the range 0x0600 to 0xFFFF.
Packets whose type or length field is in the range 0x05DD to 0x05FF are regarded as illegal packets and are discarded directly.
The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to these two ranges.
Extended encapsulation formats of 802.2/802.3 packets
802.2/802.3 packets have the following three extended encapsulation formats:
- 802.3 raw encapsulation: only the length field is encapsulated after the source and destination address field, followed by the upper layer data. No other fields are included.
Figure 1-6 802.3 raw encapsulation format
Currently, only IPX supports 802.3 raw encapsulation, which is recognized by the two bytes after the length field being 0xFFFF.
- 802.2 Logical Link Control (LLC) encapsulation: the length field, the destination service access point (DSAP) field, the source service access point (SSAP) field and the control field are encapsulated after the source and destination address field. The value of the control field is always 3.
Figure 1-7 802.2 LLC encapsulation format
The DSAP field and the SSAP field in the 802.2 LLC encapsulation identify the upper layer protocol. For example, if both fields are 0xE0, the upper layer protocol is IPX.
- 802.2 Sub-Network Access Protocol (SNAP) encapsulation: encapsulates packets according to the 802.3 standard packet format, including the length, DSAP, SSAP, control, organizationally unique identifier (OUI), and protocol ID (PID) fields.
Figure 1-8 802.2 SNAP encapsulation format
In 802.2 SNAP encapsulation, the DSAP field and the SSAP field are always 0xAA, and the control field is always 3.
The switch differentiates between 802.2 LLC encapsulation and 802.2 SNAP encapsulation according to the values of the DSAP field and the SSAP field.
When the OUI is 00-00-00 in 802.2 SNAP encapsulation, the PID field has the same meaning as the type field in Ethernet II encapsulation: both carry the globally unique protocol number. Such encapsulation is also known as SNAP RFC 1042 encapsulation, which is the standard SNAP encapsulation. The SNAP encapsulation mentioned in this chapter refers to SNAP RFC 1042 encapsulation.
Procedure for the Switch to Judge Packet Protocol
Figure 1-9 Protocol identification procedure (flowchart: receive packets and check the Type (Length) field; 0x0600 to 0xFFFF is Ethernet II encapsulation, match the type value; 0x05DD to 0x05FF is an invalid packet that cannot be matched; 0 to 0x05DC is 802.2/802.3 encapsulation, check the control field; a control field value other than 3 is an invalid packet that cannot be matched; with the value 3, check the dsap/ssap value: both FF is 802.3 raw encapsulation, both AA is 802.2 SNAP encapsulation, match the type value; other values are 802.2 LLC encapsulation, match the dsap/ssap value)
Encapsulation Formats
Table 1-4 lists the encapsulation formats supported by some protocols. In brackets are the type values of these protocols.
Table 1-4 Encapsulation formats
Protocol (type value)   Ethernet II   802.3 raw       802.2 LLC       802.2 SNAP
IP (0x0800)             Supported     Not supported   Not supported   Supported
IPX (0x8137)            Supported     Supported       Supported       Supported
AppleTalk (0x809B)      Supported     Not supported   Not supported   Supported
Implementation of Protocol-Based VLAN
S5100-SI/EI series Ethernet switches assign the packet to the specific VLAN by matching the packet
with the protocol template.
The protocol template is the standard used to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates:
- The standard template uses the RFC-defined packet encapsulation formats and the values of some specific fields as the matching criteria.
- The user-defined template uses user-defined encapsulation formats and the values of some specific fields as the matching criteria.
After configuring the protocol template, you must add a port to the protocol-based VLAN and associate this port with the protocol template. This port then adds VLAN tags to packets based on their protocol types.
The port in the protocol-based VLAN must be connected to a client. However, a common client cannot process VLAN-tagged packets. So that the client can process the packets sent out of this port, you must configure the port in the protocol-based VLAN as a hybrid port and configure it to remove VLAN tags when forwarding packets of all VLANs.
2 VLAN Configuration
When configuring a VLAN, go to these sections for information you are interested in:
- VLAN Configuration
- Configuring a Port-Based VLAN
- Configuring a Protocol-Based VLAN
VLAN Configuration
VLAN Configuration Task List
Complete the following tasks to configure VLAN:
Basic VLAN Configuration: Required
Basic VLAN Interface Configuration: Optional
Displaying VLAN Configuration: Optional
Basic VLAN Configuration
Follow these steps to perform basic VLAN configuration:
Enter system view
  Command: system-view
Create multiple VLANs in batch
  Command: vlan { vlan-id1 to vlan-id2 | all }
  Optional.
Create a VLAN and enter VLAN view
  Command: vlan vlan-id
  Required. By default, there is only one VLAN, that is, the default VLAN (VLAN 1).
Assign a name for the current VLAN
  Command: name text
  Optional. By default, the name of a VLAN is its VLAN ID, VLAN 0001 for example.
Specify the description string of the current VLAN
  Command: description text
  Optional. By default, the description string of a VLAN is its VLAN ID, VLAN 0001 for example.
- VLAN 1 is the system default VLAN, which need not be created and cannot be removed.
- The VLAN you create in the way described above is a static VLAN. The switch also has dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
- When you use the vlan command to create VLANs, if the destination VLAN is an existing dynamic VLAN, it is transformed into a static VLAN and the switch outputs a prompt.
Basic VLAN Interface Configuration
Configuration prerequisites
Before configuring a VLAN interface, create the corresponding VLAN.
Configuration procedure
Follow these steps to perform basic VLAN interface configuration:
Enter system view
  Command: system-view
Create a VLAN interface and enter VLAN interface view
  Command: interface Vlan-interface vlan-id
  Required. By default, there is no VLAN interface on a switch.
Specify the description string for the current VLAN interface
  Command: description text
  Optional. By default, the description string of a VLAN interface is the name of this VLAN interface, Vlan-interface1 Interface for example.
Disable the VLAN interface
  Command: shutdown
Enable the VLAN interface
  Command: undo shutdown
  Optional (both commands). By default, the VLAN interface is enabled. In this case, the VLAN interface’s status is determined by the status of the ports in the VLAN: if all ports of the VLAN are down, the VLAN interface is down (disabled); if one or more ports of the VLAN are up, the VLAN interface is up (enabled). If you disable the VLAN interface, the VLAN interface will always be down, regardless of the status of the ports in the VLAN.
The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of
the Ethernet ports belonging to this VLAN.
Displaying VLAN Configuration
Display the VLAN interface information
  Command: display interface Vlan-interface [ vlan-id ]
Display the VLAN information
  Command: display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static ]
Both commands are available in any view.
Configuring a Port-Based VLAN
Port-Based VLAN Configuration Task List
Complete these tasks to configure a port-based VLAN:
Configuring the Link Type of an Ethernet Port: Optional
Assigning an Ethernet Port to a VLAN: Required
Configuring the Default VLAN for a Port: Optional
Configuring the Link Type of an Ethernet Port
Follow these steps to configure the link type of an Ethernet port:
Enter system view
  Command: system-view
Enter Ethernet port view
  Command: interface interface-type interface-number
Configure the port link type
  Command: port link-type { access | hybrid | trunk }
  Required. The link type of an Ethernet port is access by default.
To change the link type of a port from trunk to hybrid or vice versa, you need to set the link type to
access first.
Assigning an Ethernet Port to a VLAN
You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view.
1) In Ethernet port view
Follow these steps to assign an Ethernet port to one or multiple VLANs:
Enter system view
  Command: system-view
Enter Ethernet port view
  Command: interface interface-type interface-number
Assign the port to one or multiple VLANs
  Access port: port access vlan vlan-id
  Trunk port: port trunk permit vlan { vlan-id-list | all }
  Hybrid port: port hybrid vlan vlan-id-list { tagged | untagged }
  Optional. By default, all Ethernet ports belong to VLAN 1.
When assigning an access or hybrid port to a VLAN, make sure the VLAN already exists.
2) In VLAN view
Follow these steps to assign one or multiple access ports to a VLAN in VLAN view:
Enter system view
  Command: system-view
Enter VLAN view
  Command: vlan vlan-id
  Required. If the specified VLAN does not exist, this command creates the VLAN first.
Assign the specified access port or ports to the current VLAN
  Command: port interface-list
  Required. By default, all ports belong to VLAN 1.
Configuring the Default VLAN for a Port
Because an access port can belong to its default VLAN only, there is no need for you to configure the
default VLAN for an access port.
This section describes how to configure a default VLAN for a trunk or hybrid port.
Follow these steps to configure the default VLAN for a port:
Enter system view
  Command: system-view
Enter Ethernet port view
  Command: interface interface-type interface-number
Configure the default VLAN for the port
  Trunk port: port trunk pvid vlan vlan-id
  Hybrid port: port hybrid pvid vlan vlan-id
  Optional. VLAN 1 is the default VLAN by default.
- After configuring the default VLAN for a trunk or hybrid port, you need to use the port trunk permit command or the port hybrid vlan command to configure the port to allow traffic of the default VLAN to pass through. Otherwise, the port can neither forward traffic of the default VLAN nor receive untagged packets.
- The local and remote trunk (or hybrid) ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.
Displaying and Maintaining Port-Based VLAN
Display the hybrid or trunk ports
  Command: display port { hybrid | trunk }
  Available in any view.
Port-Based VLAN Configuration Example
Network requirements
- As shown in Figure 2-1, Switch A and Switch B each connect to a server and a workstation (PC).
- For data security concerns, the two servers are assigned to VLAN 101 with the descriptive string “DMZ”, and the PCs are assigned to VLAN 201.
- The devices within each VLAN can communicate with each other, but those in different VLANs cannot communicate with each other directly.
Network diagram
Figure 2-1 Network diagram for VLAN configuration
Configuration procedure
- Configure Switch A.
# Create VLAN 101, specify its descriptive string as “DMZ”, and add GigabitEthernet1/0/1 to VLAN 101.
<SwitchA> system-view
[SwitchA] vlan 101
[SwitchA-vlan101] description DMZ
[SwitchA-vlan101] port GigabitEthernet 1/0/1
[SwitchA-vlan101] quit
# Create VLAN 201, and add GigabitEthernet1/0/2 to VLAN 201.
[SwitchA] vlan 201
[SwitchA-vlan201] port GigabitEthernet 1/0/2
[SwitchA-vlan201] quit
- Configure Switch B.
# Create VLAN 101, specify its descriptive string as “DMZ”, and add GigabitEthernet1/0/11 to VLAN
101.
<SwitchB> system-view
[SwitchB] vlan 101
[SwitchB-vlan101] description DMZ
[SwitchB-vlan101] port GigabitEthernet 1/0/11
[SwitchB-vlan101] quit
# Create VLAN 201, and add GigabitEthernet1/0/12 to VLAN 201.
[SwitchB] vlan 201
[SwitchB-vlan201] port GigabitEthernet 1/0/12
[SwitchB-vlan201] quit
- Configure the link between Switch A and Switch B.
Because the link between Switch A and Switch B needs to transmit data of both VLAN 101 and VLAN 201, configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through.
# Configure GigabitEthernet1/0/3 of Switch A.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 101
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 201
# Configure GigabitEthernet1/0/10 of Switch B.
[SwitchB] interface GigabitEthernet 1/0/10
[SwitchB-GigabitEthernet1/0/10] port link-type trunk
[SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 101
[SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 201
Configuring a Protocol-Based VLAN
Protocol-Based VLAN Configuration Task List
Complete these tasks to configure protocol-based VLAN:
Configuring a Protocol Template for a Protocol-Based VLAN: Required
Associating a Port with a Protocol-Based VLAN: Required
Displaying Protocol-Based VLAN Configuration: Optional
Configuring a Protocol Template for a Protocol-Based VLAN
Configuration prerequisites
Create a VLAN before configuring the VLAN as a protocol-based VLAN.
Configuration procedure
Follow these steps to configure the protocol template for a VLAN:
Enter system view
  Command: system-view
Enter VLAN view
  Command: vlan vlan-id
Configure the protocol template for the VLAN
  Command: protocol-vlan [ protocol-index ] { at | ip | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc dsap dsap-id ssap ssap-id | snap etype etype-id } }
  Required. By default, no protocol template is configured for the VLAN.
When configuring a protocol template for a protocol-based VLAN, use the at, ip or ipx keyword to configure a standard template to match AppleTalk, IP, and IPX packets respectively, and use the mode keyword to configure a user-defined template.
- Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type together with the IP protocol type and associate the two protocol types with the same port. Otherwise, ARP packets and IP packets may be assigned to different VLANs, which causes IP address resolution failure.
- If you specify certain special values for both the dsap-id and ssap-id arguments when configuring a user-defined template for llc encapsulation, the matching packets take the same encapsulation format as some standard type of packets. For example, when both dsap-id and ssap-id are 0xFF, the encapsulation format is the same as that of ipx raw packets; if both are 0xE0, it is the same as that of ipx llc packets; if both are 0xAA, it is the same as that of snap packets. To prevent two commands from processing packets of the same protocol type in different ways, the system does not allow you to set both the dsap-id and ssap-id arguments to 0xFF, 0xE0, or 0xAA.
- When you use the mode keyword to configure a user-defined protocol template, if you set the etype-id argument for ethernetii or snap packets to 0x0800, 0x8137, or 0x809B, the matching packets take the same format as IP, IPX, and AppleTalk packets respectively. To prevent two commands from processing packets of the same protocol type in different ways, the switch prompts that you cannot set the etype-id argument for Ethernet II or snap packets to 0x0800, 0x8137, or 0x809B.
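The following is an added example in Python, my own code and not the manual's or H3C's: it implements the decision procedure of Figure 1-9 and the Table 1-4 standard templates from chapter 1 together with the user-defined mode templates and the two conflict checks just described, then assigns constructed frames to VLANs as a hybrid port associated with the templates would. Function and dictionary names are assumptions, the ARP type value 0x0806 is a well-known constant not given on this page, and SNAP frames with a non-zero OUI are treated as unmatched.

```python
"""Protocol identification (Figure 1-9) and protocol-vlan template matching.
Constructed example: frames are untagged Ethernet frames as bytes; all names are assumptions."""
import struct
from typing import Dict, List, Optional, Tuple

STANDARD_ETYPES = {"ip": 0x0800, "ipx": 0x8137, "at": 0x809B}  # Table 1-4 type values
RESERVED_ETYPES = set(STANDARD_ETYPES.values())  # rejected for mode ethernetii/snap etype
RESERVED_SAPS = {0xFF, 0xE0, 0xAA}  # rejected when dsap-id == ssap-id (ipx raw, ipx llc, snap)
ETYPE_ARP = 0x0806  # well-known ARP type value; not given on this manual page

Criteria = List[Dict[str, int]]  # a template: list of alternative field sets to match


def identify(frame: bytes) -> Optional[Dict[str, int]]:
    """Classify an untagged frame per Figure 1-9; None means illegal or unmatchable."""
    if len(frame) < 16:
        return None
    type_or_len = struct.unpack_from("!H", frame, 12)[0]
    if type_or_len >= 0x0600:  # Ethernet II: the field is a type value
        return {"encap": "ethernetii", "etype": type_or_len}
    if type_or_len > 0x05DC:  # 0x05DD to 0x05FF: illegal, discarded
        return None
    if frame[14:16] == b"\xff\xff":  # 802.3 raw (IPX only): 0xFFFF right after the length field
        return {"encap": "raw"}
    if len(frame) < 17 or frame[16] != 3:  # LLC and SNAP control field is always 3
        return None
    dsap, ssap = frame[14], frame[15]
    if dsap == 0xAA and ssap == 0xAA:  # 802.2 SNAP: OUI and PID follow the control field
        if len(frame) < 22 or frame[17:20] != b"\x00\x00\x00":
            return None  # assumption: only RFC 1042 SNAP (OUI 00-00-00) is matched
        return {"encap": "snap", "etype": struct.unpack_from("!H", frame, 20)[0]}
    return {"encap": "llc", "dsap": dsap, "ssap": ssap}


def standard_template(proto: str, ipx_encap: str = "") -> Criteria:
    """protocol-vlan { at | ip | ipx { ethernetii | llc | raw | snap } } as match criteria."""
    etype = STANDARD_ETYPES[proto]
    if proto in ("ip", "at"):  # Table 1-4: Ethernet II and SNAP only
        return [{"encap": "ethernetii", "etype": etype}, {"encap": "snap", "etype": etype}]
    return {"ethernetii": [{"encap": "ethernetii", "etype": etype}],
            "snap": [{"encap": "snap", "etype": etype}],
            "raw": [{"encap": "raw"}],
            "llc": [{"encap": "llc", "dsap": 0xE0, "ssap": 0xE0}]}[ipx_encap]


def user_template(encap: str, etype: int = -1, dsap: int = -1, ssap: int = -1) -> Criteria:
    """protocol-vlan mode { ethernetii etype | snap etype | llc dsap ssap }, with the documented checks."""
    if encap in ("ethernetii", "snap"):
        if etype in RESERVED_ETYPES:
            raise ValueError("etype-id 0x0800, 0x8137 and 0x809B belong to the ip/ipx/at templates")
        return [{"encap": encap, "etype": etype}]
    if dsap == ssap and dsap in RESERVED_SAPS:
        raise ValueError("dsap-id and ssap-id both 0xFF, 0xE0 or 0xAA duplicate ipx raw, ipx llc or snap")
    return [{"encap": "llc", "dsap": dsap, "ssap": ssap}]


def template_accepted(encap: str, **args: int) -> bool:
    """True if the user-defined template passes the conflict checks the switch enforces."""
    try:
        user_template(encap, **args)
        return True
    except ValueError:
        return False


def assign_vlan(frame: bytes, bindings: List[Tuple[int, Criteria]]) -> Optional[int]:
    """Port view: bindings are the (vlan-id, template) pairs associated with a hybrid port, in order."""
    fields = identify(frame)
    if fields is None:
        return None
    for vlan_id, criteria in bindings:
        if any(all(fields.get(k) == v for k, v in c.items()) for c in criteria):
            return vlan_id
    return None  # no template matched


# Constructed frames: DA, SA, Type/Length, then payload padded to the 60-byte minimum.
_HDR = bytes.fromhex("001122334455" "66778899aabb")
SAMPLE_FRAMES = {
    "ip_ethernetii": _HDR + struct.pack("!H", 0x0800) + b"\x00" * 46,
    "arp_ethernetii": _HDR + struct.pack("!H", ETYPE_ARP) + b"\x00" * 46,
    "at_snap": _HDR + struct.pack("!H", 46) + b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", 0x809B) + b"\x00" * 38,
    "ipx_raw": _HDR + struct.pack("!H", 46) + b"\xff\xff" + b"\x00" * 44,
    "ipx_llc": _HDR + struct.pack("!H", 46) + b"\xe0\xe0\x03" + b"\x00" * 43,
    "illegal_length": _HDR + struct.pack("!H", 0x05DD) + b"\x00" * 46,
}


def demo() -> List[Optional[int]]:
    """Figure 2-2 scenario on GigabitEthernet1/0/10: IP (with ARP) to VLAN 100, AppleTalk to VLAN 200."""
    bindings = [(100, standard_template("ip")),
                (100, user_template("ethernetii", etype=ETYPE_ARP)),  # the ARP pairing the manual recommends
                (200, standard_template("at"))]
    return [assign_vlan(SAMPLE_FRAMES[k], bindings) for k in
            ("ip_ethernetii", "arp_ethernetii", "at_snap", "ipx_raw", "ipx_llc", "illegal_length")]
```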
Associating a Port with a Protocol-Based VLAN
Configuration prerequisites
- The protocol template for the protocol-based VLAN is configured.
- The port is configured as a hybrid port, and the port is configured to remove VLAN tags when it forwards the packets of the protocol-based VLANs.
Configuration procedure
Follow these steps to associate a port with the protocol-based VLAN:
Enter system view
  Command: system-view
Enter port view
  Command: interface interface-type interface-number
Associate the port with the specified protocol-based VLAN
  Command: port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all }
  Required. By default, a port is not associated with any protocol-based VLAN.
Displaying Protocol-Based VLAN Configuration
To do: Display the information about the protocol-based VLAN
Command: display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static ]
Remarks: Available in any view

To do: Display the protocol information and protocol indexes configured on the specified VLAN
Command: display protocol-vlan vlan { vlan-id [ to vlan-id ] | all }
Remarks: Available in any view

To do: Display the protocol information and protocol indexes configured on the specified port
Command: display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all }
Remarks: Available in any view
Protocol-Based VLAN Configuration Example
Network requirements
• As shown in Figure 2-2, Workroom connects to the LAN through port GigabitEthernet1/0/10 on the S5100-SI/EI switch.
• IP network and AppleTalk network workstations (hosts) coexist in the Workroom.
• The S5100-SI/EI switch connects to VLAN 100 (using IP network) through GigabitEthernet1/0/11 and to VLAN 200 (using AppleTalk network) through GigabitEthernet1/0/12.
• Configure the switch to automatically assign the IP and AppleTalk packets to proper VLANs for transmission, so as to ensure the normal communication between the workstations and servers.
Network diagram
Figure 2-2 Network diagram for protocol-based VLAN configuration
[Figure labels: IP Server (GE1/0/11), AppleTalk Server (GE1/0/12), Workroom with IP Host and AppleTalk Host (GE1/0/10)]
Configuration procedure
# Create VLAN 100 and VLAN 200, and add GigabitEthernet1/0/11 and GigabitEthernet1/0/12 to VLAN
100 and VLAN 200 respectively.
<Sysname> system-view
[Sysname] vlan 100
[Sysname-vlan100] port GigabitEthernet 1/0/11
[Sysname-vlan100] quit
[Sysname] vlan 200
[Sysname-vlan200] port GigabitEthernet 1/0/12
# Configure protocol templates for VLAN 200 and VLAN 100, matching AppleTalk protocol and IP
protocol respectively.
[Sysname-vlan200] protocol-vlan at
[Sysname-vlan200] quit
[Sysname] vlan 100
[Sysname-vlan100] protocol-vlan ip
# To ensure the normal operation of IP network, you need to configure a user-defined protocol template
for VLAN 100 to match the ARP protocol (assume Ethernet II encapsulation is adopted here).
[Sysname-vlan100] protocol-vlan mode ethernetii etype 0806
# Display the created protocol-based VLANs and the protocol templates.
[Sysname-vlan100] display protocol-vlan vlan all
VLAN ID: 100
VLAN Type: Protocol-based VLAN
Protocol Index    Protocol Type
0                 ip
1                 ethernetii etype 0x0806
VLAN ID: 200
VLAN Type: Protocol-based VLAN
Protocol Index    Protocol Type
0                 at
# Configure GigabitEthernet1/0/10 as a hybrid port, which removes the VLAN tag of the packets of
VLAN 100 and VLAN 200 before forwarding the packets.
[Sysname-vlan100] quit
[Sysname] interface GigabitEthernet 1/0/10
[Sysname-GigabitEthernet1/0/10] port link-type hybrid
[Sysname-GigabitEthernet1/0/10] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet1/0/10 with protocol template 0 and 1 of VLAN 100, and protocol template 0
of VLAN 200.
[Sysname-GigabitEthernet1/0/10] port hybrid protocol-vlan vlan 100 0 to 1
[Sysname-GigabitEthernet1/0/10] port hybrid protocol-vlan vlan 200 0
# Display the associations between GigabitEthernet1/0/10 and the VLAN protocol templates to verify
your configuration.
[Sysname-GigabitEthernet1/0/10] display protocol-vlan interface GigabitEthernet 1/0/10
Interface:GigabitEthernet1/0/10
VLAN ID    Protocol-Index    Protocol-Type
100        0                 ip
100        1                 ethernetii etype 0x0806
200        0                 at
The above output information indicates that GigabitEthernet1/0/10 has already been associated with
the corresponding protocol templates of VLAN 100 and VLAN 200. Thus, packets from the IP and
AppleTalk workstations can be automatically assigned to VLAN 100 and VLAN 200 respectively for
transmission by matching the corresponding protocol templates, so as to realize the normal
communication between workstations and servers.
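The classification that the templates above perform, as an added Python example that is not part of the manual: it models the protocol templates bound to GigabitEthernet1/0/10 (VLAN 100: ip and ethernetii etype 0x0806, VLAN 200: at) together with the two restrictions on user-defined templates from the notes earlier in this chapter. Which encapsulations the standard ip, ipx and at templates cover, and the sample frames and MAC addresses, are assumptions of the example.

```python
"""Protocol-based VLAN classification; an added example, not H3C code.

Models the templates bound to GigabitEthernet1/0/10 in the example above
(VLAN 100: ip at index 0, ethernetii etype 0x0806 at index 1; VLAN 200: at
at index 0) and the two restrictions on user-defined templates from the
notes. Which encapsulations the standard ip, ipx and at templates cover is
an assumption derived from those notes; frames and MACs are constructed.
"""
import struct

# Values that would duplicate a standard template (from the notes above).
RESERVED_LLC_SAPS = {0xFF: "ipx raw", 0xE0: "ipx llc", 0xAA: "snap"}
RESERVED_ETYPES = {0x0800: "ip", 0x8137: "ipx", 0x809B: "at"}

def template_error(template):
    """Return why the switch rejects a user-defined template, or None.

    A template is ("ip",), ("ipx",), ("at",), ("ethernetii", etype),
    ("snap", etype) or ("llc", dsap, ssap).
    """
    kind = template[0]
    if kind == "llc":
        dsap, ssap = template[1], template[2]
        if dsap == ssap and dsap in RESERVED_LLC_SAPS:
            return "dsap/ssap 0x%02X would match %s packets" % (dsap, RESERVED_LLC_SAPS[dsap])
    elif kind in ("ethernetii", "snap") and template[1] in RESERVED_ETYPES:
        return "etype 0x%04X would match the %s template" % (template[1], RESERVED_ETYPES[template[1]])
    return None

def validate_template(template):
    """Raise ValueError for a template the switch refuses, else return it."""
    err = template_error(template)
    if err:
        raise ValueError(err)
    return template

def parse_encapsulation(frame):
    """Describe an Ethernet frame's encapsulation; None if 802.1Q-tagged (already has a VLAN)."""
    if len(frame) < 16:
        raise ValueError("truncated frame")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len == 0x8100:
        return None
    if type_or_len >= 0x0600:               # Ethernet II: the field is an ethertype
        return {"encap": "ethernetii", "etype": type_or_len}
    dsap, ssap = frame[14], frame[15]       # 802.3 length field: an LLC header follows
    if dsap == ssap == 0xFF:
        return {"encap": "ipx raw"}
    if dsap == ssap == 0xAA:                # SNAP: control(1), OUI(3), ethertype(2)
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        return {"encap": "snap", "etype": struct.unpack("!H", frame[20:22])[0]}
    return {"encap": "llc", "dsap": dsap, "ssap": ssap}

def template_matches(template, enc):
    """True when the parsed encapsulation enc matches the template."""
    kind, etype = template[0], enc.get("etype")
    typed = enc["encap"] in ("ethernetii", "snap")
    if kind == "ip":
        return typed and etype == 0x0800
    if kind == "at":
        return typed and etype == 0x809B
    if kind == "ipx":
        return (enc["encap"] == "ipx raw" or (typed and etype == 0x8137)
                or (enc["encap"] == "llc" and enc["dsap"] == enc["ssap"] == 0xE0))
    if kind in ("ethernetii", "snap"):
        return enc["encap"] == kind and etype == template[1]
    if kind == "llc":
        return enc["encap"] == "llc" and (enc["dsap"], enc["ssap"]) == template[1:]
    raise ValueError("unknown template kind %r" % (kind,))

def classify(frame, port_templates):
    """Return (vlan_id, protocol_index) of the first matching template, else None.

    port_templates holds (vlan_id, protocol_index, template) tuples in the
    order the port hybrid protocol-vlan commands bound them to the port.
    """
    enc = parse_encapsulation(frame)
    if enc is None:
        return None
    for vlan_id, index, template in port_templates:
        if template_matches(template, enc):
            return (vlan_id, index)
    return None

# Templates from the configuration example, bound to GigabitEthernet1/0/10.
PORT_TEMPLATES = [
    (100, 0, validate_template(("ip",))),
    (100, 1, validate_template(("ethernetii", 0x0806))),
    (200, 0, validate_template(("at",))),
]

# Constructed sample frames: destination MAC, source MAC, then the payload.
HOST = bytes.fromhex("0011223344aa")
ARP_FRAME = bytes.fromhex("ffffffffffff") + HOST + bytes.fromhex("0806") + bytes(28)
IP_FRAME = bytes.fromhex("001122334401") + HOST + bytes.fromhex("080045") + bytes(19)
# AppleTalk over 802.2 SNAP: length, DSAP/SSAP 0xAA, control 0x03, OUI 08-00-07, etype 0x809B
AT_FRAME = bytes.fromhex("090007ffffff") + HOST + bytes.fromhex("0020aaaa03080007809b") + bytes(24)
IPX_RAW_FRAME = bytes.fromhex("ffffffffffff") + HOST + bytes.fromhex("0030ffff") + bytes(44)
TAGGED_FRAME = bytes.fromhex("001122334401") + HOST + bytes.fromhex("810000640800") + bytes(20)
```

With these templates the ARP and IP frames land in VLAN 100 (indexes 1 and 0), the AppleTalk SNAP frame in VLAN 200, and the IPX raw and tagged frames are left alone.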
Table of Contents
1 Management VLAN Configuration 1-1
  Introduction to Management VLAN 1-1
    Management VLAN 1-1
    Static Route 1-1
    Default Route 1-1
  Management VLAN Configuration 1-2
    Prerequisites 1-2
    Configuring the Management VLAN 1-2
    Configuration Example 1-3
  Displaying and Maintaining Management VLAN Configuration 1-4

1 Management VLAN Configuration
Introduction to Management VLAN
Management VLAN
To manage an Ethernet switch remotely through Telnet or the built-in Web server, the switch needs to be assigned an IP address, and a route must exist between the user and the switch. On an H3C series Layer 2 Ethernet switch, only the management VLAN interface can be assigned an IP address.
The management VLAN interface of a switch can obtain an IP address in one of the following three ways:
• Through the command used to configure an IP address
• Through BOOTP (in this case, the switch operates as a BOOTP client)
• Through the dynamic host configuration protocol (DHCP) (in this case, the switch operates as a DHCP client)
The three ways of obtaining an IP address cannot be configured at the same time. That is, the latest IP address obtained causes the previous IP address to be released. For example, if you assign an IP address to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP (using the ip address bootp-alloc command), the former IP address will be released, and the final IP address of the VLAN interface is the one obtained through BOOTP.
For details of DHCP, refer to the DHCP module.
Static Route
A static route is configured manually by an administrator. A network with a relatively simple topology can operate properly with only static routes configured for it. Configuring and using static routes wisely helps to improve network performance and can guarantee bandwidth for important applications.
The disadvantage of static routes is that when a fault occurs or the network topology changes, static routes may become unreachable, which in turn results in network failures. In this case, manual configuration is needed to recover the network.
Default Route
The switch uses the default route when it fails to find a matching entry in the routing table:
• If the destination address of a packet fails to match any entry in the routing table, the switch uses the default route;
• If no default route exists and the destination address of the packet is not in the routing table, the packet is discarded, and an ICMP destination unreachable message is returned to the source.
The default route can be configured through a static route and exists in the routing table as a route destined to the network 0.0.0.0 (with the mask 0.0.0.0).
Management VLAN Configuration
Prerequisites
Before configuring the management VLAN, make sure the VLAN that is to operate as the management VLAN exists. If VLAN 1 (the default VLAN) is the management VLAN, no preparation is needed.
Configuring the Management VLAN
Table 1-1 Configure the management VLAN

Operation: Enter system view
Command: system-view
Remarks: —

Operation: Configure a specified VLAN to be the management VLAN
Command: management-vlan vlan-id
Remarks: Required. By default, VLAN 1 operates as the management VLAN.

Operation: Create the management VLAN interface and enter the corresponding VLAN interface view
Command: interface vlan-interface vlan-id
Remarks: Required

Operation: Assign an IP address to the management VLAN interface
Command: ip address ip-address mask [ sub ]
Remarks: Required. By default, no IP address is assigned to the management VLAN interface.

Operation: Configure a static route
Command: ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] [ description text ]
Remarks: Optional

• To create the VLAN interface for the management VLAN on a switch operating as the management device in a cluster, make sure that the management VLAN ID is consistent with the cluster management VLAN ID configured with the management-vlan vlan-id command. Otherwise, the configuration fails. Refer to the Cluster Operation Manual for a detailed introduction to the cluster.
• Refer to the VLAN module for a detailed introduction to VLAN interfaces.
Configuration Example
Network requirements
For a user to manage Switch A remotely through Telnet, these requirements are to be met: Switch A has
an IP address, and the remote Telnet user is reachable.
You need to configure the switch as follows:
• Assign an IP address to the management VLAN interface on Switch A
• Configure the default route
Network diagram
Figure 1-1 Network diagram for management VLAN configuration
Configuration procedure
Perform the following configurations after the current user logs in to Switch A through the Console port.
# Enter system view.
<Sysname> system-view
# Create VLAN 10 and configure VLAN 10 as the management VLAN.
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] management-vlan 10
# Create the VLAN 10 interface and enter VLAN interface view.
[Sysname] interface vlan-interface 10
# Configure the IP address of VLAN 10 interface as 1.1.1.1/24.
[Sysname-Vlan-interface10] ip address 1.1.1.1 255.255.255.0
[Sysname-Vlan-interface10] quit
# Configure the default route.
[Sysname] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
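The routing behaviour described under Default Route, applied to the table this procedure leaves on Switch A, as an added Python example that is not part of the manual: a direct route for 1.1.1.0/24 through Vlan-interface10 and the static default route via 1.1.1.2, with the lookup falling back to the default route and discarding the packet once that route is deleted. The preference values and the rule that a next-hop route is active only when a direct route covers its next hop are simplifying assumptions of the example.

```python
"""Routing lookup with a default route; an added example, not H3C code.

It models the routing table that the configuration above leaves on Switch A:
a direct route for 1.1.1.0/24 through Vlan-interface10 (installed by the
ip address command) and the static default route 0.0.0.0/0 via 1.1.1.2.
It shows the two cases from "Default Route": a destination that matches
only the default route, and the same destination once that route is gone
(packet discarded, ICMP destination unreachable). Preference values and
the active/inactive rule are simplifying assumptions of this example.
"""
import ipaddress


class Route:
    def __init__(self, dest, protocol, interface=None, nexthop=None, preference=0):
        self.dest = ipaddress.ip_network(dest, strict=False)
        self.protocol = protocol          # "DIRECT" or "STATIC"
        self.interface = interface
        self.nexthop = ipaddress.ip_address(nexthop) if nexthop else None
        self.preference = preference      # lower wins on equal prefix length


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_direct(self, address_with_mask, interface):
        """ip address on a VLAN interface installs a direct route for its subnet."""
        self.routes.append(Route(address_with_mask, "DIRECT", interface=interface))

    def add_static(self, dest, nexthop=None, interface=None, preference=60):
        """ip route-static dest mask { interface | next-hop } [ preference ]"""
        self.routes.append(Route(dest, "STATIC", interface, nexthop, preference))

    def delete_static_routes(self):
        """delete static-routes all"""
        self.routes = [r for r in self.routes if r.protocol != "STATIC"]

    def resolve_interface(self, route):
        """Outgoing interface of a route; None when its next hop is unreachable (inactive)."""
        if route.interface:
            return route.interface
        for r in self.routes:
            if r.protocol == "DIRECT" and route.nexthop in r.dest:
                return r.interface
        return None

    def lookup(self, dst):
        """Longest prefix match among active routes, ties broken by preference."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes
                      if dst in r.dest and self.resolve_interface(r)]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.dest.prefixlen, -r.preference))

    def forward(self, dst):
        """Forwarding decision for a packet destined to dst (a dotted-quad string)."""
        route = self.lookup(dst)
        if route is None:
            return ("drop", "ICMP destination unreachable")
        nexthop = str(route.nexthop) if route.nexthop else dst   # direct: deliver to dst
        via = "default route" if route.dest.prefixlen == 0 else str(route.dest)
        return ("forward", nexthop, self.resolve_interface(route), via)


def switch_a_table():
    """Routing table produced by the configuration procedure above."""
    rt = RoutingTable()
    rt.add_direct("1.1.1.1/255.255.255.0", "Vlan-interface10")  # ip address 1.1.1.1 255.255.255.0
    rt.add_static("0.0.0.0/0.0.0.0", nexthop="1.1.1.2")        # ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    return rt
```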
Displaying and Maintaining management VLAN configuration
Table 1-2 Displaying and Maintaining management VLAN configuration

Operation: Display the IP-related information about a management VLAN interface
Command: display ip interface [ brief ] [ Vlan-interface [ vlan-id ] ]
Remarks: Optional. Available in any view.

Operation: Display the information about a management VLAN interface
Command: display interface Vlan-interface [ vlan-id ]
Remarks: Optional. Available in any view.

Operation: Display summary information about the routing table
Command: display ip routing-table [ | { begin | exclude | include } regular-expression ]
Remarks: Optional. Available in any view.

Operation: Display detailed information about the routing table
Command: display ip routing-table verbose
Remarks: Optional. Available in any view.

Operation: Display the routes leading to a specified IP address
Command: display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ]
Remarks: Optional. Available in any view.

Operation: Display the routes leading to a specified IP address range
Command: display ip routing-table ip-address1 mask1 ip-address2 mask2 [ verbose ]
Remarks: Optional. Available in any view.

Operation: Display the routing information of the specified protocol
Command: display ip routing-table protocol protocol [ inactive | verbose ]
Remarks: Optional. Available in any view.

Operation: Display the routes that match a specified basic access control list (ACL)
Command: display ip routing-table acl acl-number [ verbose ]
Remarks: Optional. Available in any view.

Operation: Display the routes that match a specified IP prefix
Command: display ip routing-table ip-prefix ip-prefix-name [ verbose ]
Remarks: Optional. Available in any view.

Operation: Display the routing table in a tree structure
Command: display ip routing-table radix
Remarks: Optional. Available in any view.

Operation: Display the statistics on the routing table
Command: display ip routing-table statistics
Remarks: Optional. Available in any view.

Operation: Clear statistics about a routing table
Command: reset ip routing-table statistics protocol { all | protocol }
Remarks: Optional. Use the reset command in user view.

Operation: Delete all static routes
Command: delete static-routes all
Remarks: Optional. Use the delete command in system view.
Table of Contents
1 Voice VLAN Configuration 1-1
  Voice VLAN Overview 1-1
    How an IP Phone Works 1-1
    How S5100-EI Series Switches Identify Voice Traffic 1-3
    Setting the Voice Traffic Transmission Priority 1-4
    Configuring Voice VLAN Assignment Mode of a Port 1-4
    Support for Voice VLAN on Various Ports 1-4
    Security Mode of Voice VLAN 1-6
  Voice VLAN Configuration 1-6
    Configuration Prerequisites 1-6
    Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1-6
    Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode 1-8
  Displaying and Maintaining Voice VLAN 1-9
  Voice VLAN Configuration Example 1-10
    Voice VLAN Configuration Example (Automatic Mode) 1-10
    Voice VLAN Configuration Example (Manual Mode) 1-11

1 Voice VLAN Configuration
The contents of this chapter are only applicable to the S5100-EI series among S5100-SI/EI series
switches.
When configuring voice VLAN, go to these sections for information you are interested in:
• Voice VLAN Overview
• Voice VLAN Configuration
• Displaying and Maintaining Voice VLAN
• Voice VLAN Configuration Example
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice
devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform
QoS-related configuration for voice traffic as required, thus ensuring the transmission priority of voice
traffic and voice quality.
How an IP Phone Works
IP phones can convert analog voice signals into digital signals to enable them to be transmitted in
IP-based networks. Used in conjunction with other voice devices, IP phones can offer large-capacity
and low-cost voice communication solutions. As network devices, IP phones need IP addresses to
operate properly in a network. An IP phone can acquire an IP address automatically or through manual
configuration. The following part describes how an IP phone acquires an IP address automatically.
The following part only describes the common way for an IP phone to acquire an IP address. The detailed process may vary by manufacturer. Refer to the corresponding user manual for the detailed information.
When an IP phone applies for an IP address from a DHCP server, the IP phone can also apply for the following extended information from the DHCP server through the Option 184 field:
• IP address of the network call processor (NCP)
• IP address of the secondary NCP server
• Voice VLAN configuration
• Failover call routing
The following describes how an IP phone acquires an IP address.
Figure 1-1 Network diagram for IP phones
As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP
to establish a path for voice data transmission. An IP phone goes through the following three phases to
become capable of transmitting voice data.
1) After the IP phone is powered on, it sends an untagged DHCP request message containing four special requests in the Option 184 field besides the request for an IP address. The message is broadcast in the default VLAN of the receiving port. After receiving the DHCP request message, DHCP Server 1, which resides in the default VLAN of the port receiving the message, responds as follows:
• If DHCP Server 1 does not support Option 184, it returns the IP address assigned to the IP phone but ignores the other four special requests in the Option 184 field. Without information about the voice VLAN, the IP phone can only send untagged packets in the default VLAN of the port the IP phone is connected to. In this case, you need to manually configure the default VLAN of the port as a voice VLAN.
In cases where an IP phone obtains an IP address from a DHCP server that does not support Option 184, the IP phone directly communicates through the gateway after it obtains an IP address. It does not go through the steps described below.
• If DHCP Server 1 supports Option 184, it returns the IP address assigned to the IP phone, the IP address of the NCP, the voice VLAN ID, and so on.
2) On acquiring the voice VLAN ID and NCP address from DHCP Server 1, the IP phone communicates with the specified NCP to download software, ignores the IP address assigned by DHCP Server 1, and sends a new DHCP request message carrying the voice VLAN tag to the voice VLAN.
3) After receiving the DHCP request, DHCP Server 2 residing in the voice VLAN assigns a new IP address to the IP phone and sends a tagged response message to the IP phone. After the IP phone receives the tagged response message, it sends voice data packets tagged with the voice VLAN tag to communicate with the voice gateway. In this case, the port connecting to the IP phone must be configured to allow the packets tagged with the voice VLAN tag to pass.
• An untagged packet carries no VLAN tag.
• A tagged packet carries the tag of a VLAN.
To set an IP address and a voice VLAN for an IP phone manually, just make sure that the voice VLAN ID to be set is consistent with that of the switch and that the NCP is reachable from the IP address to be set.
How S5100-EI Series Switches Identify Voice Traffic
S5100-EI series Ethernet switches determine whether a received packet is a voice packet by checking
its source MAC address against an organizationally unique identifier (OUI) list. If a match is found, the
packet is considered as a voice packet. Ports receiving packets of this type will be added to the voice
VLAN automatically for transmitting voice data.
You can configure OUI addresses for voice packets or specify to use the default OUI addresses.
An OUI address is a globally unique identifier assigned to a vendor by IEEE. You can determine which
vendor a device belongs to according to the OUI address which forms the first 24 bits of a MAC address.
S5100-EI series Ethernet switches support OUI address mask configuration. You can adjust the
matching depth of MAC address by setting different OUI address masks.
The following table lists the five default OUI addresses on S5100-EI series switches.
Table 1-1 Default OUI addresses pre-defined on the switch
Number | OUI address | Vendor
1 | 0003-6b00-0000 | Cisco phones
2 | 000f-e200-0000 | H3C Aolynk phones
3 | 00d0-1e00-0000 | Pingtel phones
4 | 00e0-7500-0000 | Polycom phones
5 | 00e0-bb00-0000 | 3Com phones
Setting the Voice Traffic Transmission Priority
In order to improve transmission quality of voice traffic, the switch by default re-marks the priority of the
traffic in the voice VLAN as follows:
• Set the CoS (802.1p) priority to 6.
• Set the DSCP value to 46.
Configuring Voice VLAN Assignment Mode of a Port
A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode.
You can configure the voice VLAN assignment mode for a port according to data traffic passing through
the port.
Processing mode of untagged packets sent by IP voice devices
• Automatic voice VLAN assignment mode: An S5100-EI Ethernet switch automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on. The voice VLAN uses the aging mechanism to maintain the number of ports in the voice VLAN. When the aging timer expires, the ports whose OUI addresses are not updated (that is, no voice traffic passes) are removed from the voice VLAN. In automatic voice VLAN assignment mode, ports cannot be added to or removed from a voice VLAN manually.
• Manual voice VLAN assignment mode: In this mode, you need to add a port to a voice VLAN or remove a port from a voice VLAN manually.
Processing mode of tagged packets sent by IP voice devices
Tagged packets from IP voice devices are forwarded based on their tagged VLAN IDs, whether the
automatic or manual voice VLAN assignment mode is used.
If the voice traffic transmitted by an IP voice device carries VLAN tags, and 802.1x authentication and the guest VLAN are enabled on the port to which the IP voice device is connected, assign different VLAN IDs to the voice VLAN, the default VLAN of the port, and the 802.1x guest VLAN to ensure the effective operation of these functions.
Support for Voice VLAN on Various Ports
Voice VLAN packets can be forwarded by access ports, trunk ports, and hybrid ports. You can enable a
trunk or hybrid port belonging to other VLANs to forward voice and service packets simultaneously by
enabling the voice VLAN.
For different types of IP phones, the support for voice VLAN varies with port types and port configuration.
For IP phones capable of acquiring IP address and voice VLAN automatically, the support for voice
VLAN is described in Table 1-2.
Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically

Automatic voice VLAN assignment mode, tagged voice traffic:
• Access port: Not supported.
• Trunk port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN.
• Hybrid port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the default VLAN is in the list of the VLANs whose traffic is permitted by the access port.

Automatic voice VLAN assignment mode, untagged voice traffic:
• Access, Trunk and Hybrid ports: Not supported, because the default VLAN of the port must be a voice VLAN and the access port is in the voice VLAN. This can be done by adding the port to the voice VLAN manually.

Manual voice VLAN assignment mode, tagged voice traffic:
• Access port: Not supported.
• Trunk port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN and the voice VLAN.
• Hybrid port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, the traffic of the default VLAN is permitted to pass through the port, and the voice VLAN is in the list of the tagged VLANs whose traffic is permitted by the port.

Manual voice VLAN assignment mode, untagged voice traffic:
• Access port: Supported. Make sure the default VLAN of the port is a voice VLAN.
• Trunk port: Supported. Make sure the default VLAN of the port is a voice VLAN and the port permits the traffic of the VLAN.
• Hybrid port: Supported. Make sure the default VLAN of the port is a voice VLAN and is in the list of untagged VLANs whose traffic is permitted by the port.
IP phones acquiring IP address and voice VLAN through manual configuration can forward only tagged
traffic, so the matching relationship is relatively simple, as shown in Table 1-3:
Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration

Automatic voice VLAN assignment mode:
• Access port: Not supported.
• Trunk port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN.
• Hybrid port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the default VLAN is in the list of the tagged VLANs whose traffic is permitted by the access port.

Manual voice VLAN assignment mode:
• Access port: Not supported.
• Trunk port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN.
• Hybrid port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the default VLAN and the voice VLAN are in the list of the tagged VLANs whose traffic is permitted by the access port.
Security Mode of Voice VLAN
On S5100-EI series Ethernet switches, a voice VLAN can operate in the security mode. Voice VLANs
operating in this mode only permit voice data, enabling you to perform voice traffic-specific priority
configuration. With the security mode disabled, both voice data and service data can be transmitted in a
voice VLAN.
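The OUI matching of Table 1-1, the aging mechanism of automatic voice VLAN assignment mode and the security mode described in this section, combined in one added Python model that is not H3C code. The default mask ffff-ff00-0000 for the built-in OUIs, the port names, the user-defined OUI and the rule that a tagged voice-VLAN packet is accepted only from a port already in the voice VLAN are assumptions of the example.

```python
"""Voice VLAN port assignment; an added example, not H3C code.

It models three mechanisms described above: OUI matching of a packet's
source MAC address under an OUI mask (the five default OUIs of Table 1-1
plus a constructed user-defined one), automatic voice VLAN assignment with
the aging timer, and security mode, which drops packets in the voice VLAN
whose source MAC matches no OUI. The default mask ffff-ff00-0000 for the
built-in OUIs and the port names are assumptions of the example.
"""


def mac_to_int(mac):
    """Parse H3C notation (0003-6b00-0000) or colon notation into an integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


DEFAULT_OUIS = [                           # Table 1-1 above
    ("0003-6b00-0000", "Cisco phones"),
    ("000f-e200-0000", "H3C Aolynk phones"),
    ("00d0-1e00-0000", "Pingtel phones"),
    ("00e0-7500-0000", "Polycom phones"),
    ("00e0-bb00-0000", "3Com phones"),
]
DEFAULT_MASK = "ffff-ff00-0000"            # assumed: match the 24-bit OUI only


class VoiceVlan:
    def __init__(self, vlan_id, aging_minutes=1440, security=True):
        self.vlan_id = vlan_id
        self.aging = aging_minutes         # voice vlan aging minutes (default 1440)
        self.security = security           # voice vlan security enable (default on)
        self.ouis = [(mac_to_int(o), mac_to_int(DEFAULT_MASK), d) for o, d in DEFAULT_OUIS]
        self.members = {}                  # port -> minute voice traffic was last seen

    def add_oui(self, oui, mask, description=""):
        """voice vlan mac-address oui mask oui-mask [ description text ]"""
        self.ouis.append((mac_to_int(oui), mac_to_int(mask), description))

    def voice_oui(self, src_mac):
        """Description of the matching OUI, or None if src_mac is not a voice device."""
        src = mac_to_int(src_mac)
        for oui, mask, description in self.ouis:
            if src & mask == oui & mask:
                return description
        return None

    def receive(self, port, src_mac, now, tagged_vlan=None):
        """Decide what happens to a packet received on port at minute now.

        tagged_vlan is None for an untagged packet. Returns a short verdict.
        """
        if tagged_vlan is None:
            if self.voice_oui(src_mac):
                # automatic mode: a voice OUI adds the port and refreshes its aging timer
                self.members[port] = now
                return "forward in voice VLAN %d" % self.vlan_id
            return "forward in default VLAN of %s" % port
        if tagged_vlan != self.vlan_id:
            return "forward in VLAN %d" % tagged_vlan
        if port not in self.members:
            return "drop: %s is not in voice VLAN %d" % (port, self.vlan_id)
        if self.security and not self.voice_oui(src_mac):
            # security mode: only identified voice OUIs may send in the voice VLAN,
            # so e.g. 802.1x authentication packets from a PC are dropped here
            return "drop: security mode, source %s is not a voice OUI" % src_mac
        self.members[port] = now
        return "forward in voice VLAN %d" % self.vlan_id

    def age(self, now):
        """Remove ports that carried no voice traffic for a full aging period."""
        expired = [p for p, seen in self.members.items() if now - seen >= self.aging]
        for p in expired:
            del self.members[p]
        return sorted(expired)
```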
Voice VLAN Configuration
Configuration Prerequisites
• Create the corresponding VLAN before configuring a voice VLAN.
• VLAN 1 (the default VLAN) cannot be configured as a voice VLAN.
Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment
Mode
Follow these steps to configure a voice VLAN to operate in automatic voice VLAN assignment mode:
To do: Enter system view
Command: system-view
Remarks: —

To do: Set an OUI address that can be identified by the voice VLAN
Command: voice vlan mac-address oui mask oui-mask [ description text ]
Remarks: Optional. By default, the switch determines the voice traffic according to the default OUI address.

To do: Enable the voice VLAN security mode
Command: voice vlan security enable
Remarks: Optional. By default, the voice VLAN security mode is enabled.

To do: Set the voice VLAN aging timer
Command: voice vlan aging minutes
Remarks: Optional. The default aging timer is 1440 minutes.

To do: Enable the voice VLAN function globally
Command: voice vlan vlan-id enable
Remarks: Required

To do: Enter Ethernet port view
Command: interface interface-type interface-number
Remarks: Required

To do: Enable the voice VLAN function on a port
Command: voice vlan enable
Remarks: Required. By default, voice VLAN is disabled.

To do: Enable the voice VLAN legacy function on the port
Command: voice vlan legacy
Remarks: Optional. By default, voice VLAN legacy is disabled.

To do: Set the voice VLAN assignment mode of the port to automatic
Command: voice vlan mode auto
Remarks: Optional. The default voice VLAN assignment mode on a port is automatic.

• A port working in automatic voice VLAN assignment mode cannot be assigned to the voice VLAN manually. Therefore, if a VLAN is configured as the voice VLAN and a protocol-based VLAN at the same time, the protocol-based VLAN function cannot be bound with the port. For information about protocol-based VLANs, refer to VLAN Configuration in this manual.
• For a port operating in automatic voice VLAN assignment mode, its default VLAN cannot be configured as the voice VLAN; otherwise the system prompts that the configuration is unsuccessful.
If the device restarts while the voice VLAN is working normally, the system adds the ports operating in automatic voice VLAN assignment mode back to the voice VLAN immediately after the restart, without waiting for voice traffic to trigger it, so that the established voice connections keep working.
Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment
Mode
Follow these steps to configure a voice VLAN to operate in manual voice VLAN assignment mode:
To do: Enter system view
Command: system-view
Remarks: —

To do: Set an OUI address that can be identified by the voice VLAN
Command: voice vlan mac-address oui mask oui-mask [ description text ]
Remarks: Optional. Without this address, the default OUI address is used.

To do: Enable the voice VLAN security mode
Command: voice vlan security enable
Remarks: Optional. By default, the voice VLAN security mode is enabled.

To do: Set the voice VLAN aging timer
Command: voice vlan aging minutes
Remarks: Optional. The default aging timer is 1,440 minutes.

To do: Enable the voice VLAN function globally
Command: voice vlan vlan-id enable
Remarks: Required

To do: Enter port view
Command: interface interface-type interface-number
Remarks: Required

To do: Enable voice VLAN on a port
Command: voice vlan enable
Remarks: Required. By default, voice VLAN is disabled on a port.

To do: Enable the voice VLAN legacy function on the port
Command: voice vlan legacy
Remarks: Optional. By default, voice VLAN legacy is disabled.

To do: Set voice VLAN assignment mode on a port to manual
Command: undo voice vlan mode auto
Remarks: Required. The default voice VLAN assignment mode on a port is automatic.

To do: Quit to system view
Command: quit
Remarks: —

Add a port in manual voice VLAN assignment mode to the voice VLAN (Access port):

To do: Enter VLAN view
Command: vlan vlan-id
Remarks: —

To do: Add the port to the VLAN
Command: port interface-list
Remarks: Required. By default, all the ports belong to VLAN 1.

Add a port in manual voice VLAN assignment mode to the voice VLAN (Trunk or Hybrid port):

To do: Enter port view
Command: interface interface-type interface-num
Remarks: —

To do: Add the port to the VLAN
Command: port trunk permit vlan vlan-id (trunk port) or port hybrid vlan vlan-id { tagged | untagged } (hybrid port)
Remarks: Required. By default, all the ports belong to VLAN 1.

To do: Configure the voice VLAN to be the default VLAN of the port
Command: port trunk pvid vlan vlan-id (trunk port) or port hybrid pvid vlan vlan-id (hybrid port)
Remarks: Optional. Refer to Table 1-2 to determine whether or not this operation is needed.
• The voice VLAN function can be enabled for only one VLAN at a time.
• If the Link Aggregation Control Protocol (LACP) is enabled on a port, the voice VLAN feature cannot be enabled on it.
• The voice VLAN function can be enabled only for a static VLAN. A dynamic VLAN cannot be configured as a voice VLAN.
• When the number of ACLs applied to a port reaches its threshold, voice VLAN cannot be enabled on this port. You can use the display voice vlan error-info command to locate such ports.
• When a voice VLAN operates in security mode, the device permits in it only the packets whose source addresses are identified voice OUI addresses. Packets whose source addresses cannot be identified, including certain authentication packets (such as 802.1x authentication packets), are dropped. Therefore, it is recommended that you do not transmit both voice data and service data in a voice VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode.
• The voice VLAN legacy feature enables communication between an H3C device and another vendor's voice device by automatically adding the voice VLAN tag to the voice data coming from the other vendor's voice device. The voice vlan legacy command can be executed before voice VLAN is enabled globally and on a port, but it takes effect only after voice VLAN is enabled globally and on the port.
To assign a trunk port or a hybrid port to the voice VLAN, refer to VLAN Configuration of this manual for
the related command.
Displaying and Maintaining Voice VLAN
To do: Display information about the ports on which voice VLAN configuration fails
Command: display voice vlan error-info
Remarks: In any view

To do: Display the voice VLAN configuration status
Command: display voice vlan status
Remarks: In any view

To do: Display the OUI list
Command: display voice vlan oui
Remarks: In any view

To do: Display the ports operating in the voice VLAN
Command: display vlan vlan-id
Remarks: In any view
Voice VLAN Configuration Example
Voice VLAN Configuration Example (Automatic Mode)
Network requirements
Create a voice VLAN and configure it to operate in automatic mode to enable the port to which an IP
phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within
the voice VLAN.
• Create VLAN 2 and configure it as a voice VLAN, with the aging time being 100 minutes.
• The IP phone sends tagged packets. It is connected to GigabitEthernet 1/0/1, a hybrid port, with VLAN 6 being its default VLAN. Set this port to operate in automatic mode.
• You need to add a user-defined OUI address 0011-2200-0000, with the mask being ffff-ff00-0000 and the description string being “test”.
Network diagram
Figure 1-2 Network diagram for voice VLAN configuration (automatic mode)
[Figure labels: Device A, Device B, Internet, VLAN 2, GE1/0/1, OUI: 0011-2200-0000, Mask: ffff-ff00-0000]
Configuration procedure
# Create VLAN 2 and VLAN 6.
<DeviceA> system-view
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] vlan 6
[DeviceA-vlan6] quit
# Set the aging time for the voice VLAN.
[DeviceA] voice vlan aging 100
# Add a user-defined OUI address 0011-2200-0000 and set the description string to "test".
[DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Enable the voice VLAN function globally.
[DeviceA] voice vlan 2 enable
# Configure the voice VLAN to operate in automatic mode on GigabitEthernet 1/0/1. This operation is optional: by default, a voice VLAN operates in automatic mode on a port.
[DeviceA] interface GigabitEthernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] voice vlan mode auto
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Configure VLAN 6 as the default VLAN of GigabitEthernet 1/0/1, and configure GigabitEthernet 1/0/1
to permit packets with the tag of VLAN 6.
[DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 6
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 6 tagged
# Enable the voice VLAN function on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] voice vlan enable
Voice VLAN Configuration Example (Manual Mode)
Network requirements
Create a voice VLAN and configure it to operate in manual mode. Add the port to which an IP phone is connected to the voice VLAN so that voice traffic is transmitted within the voice VLAN.
- Create VLAN 2 and configure it as a voice VLAN. Set the voice VLAN to operate in security mode.
- The IP phone sends untagged packets. It is connected to GigabitEthernet 1/0/1, a hybrid port. Set this port to operate in manual mode.
- Add a user-defined OUI address 0011-2200-0000, with the mask ffff-ff00-0000 and the description string "test".
Network diagram
Figure 1-3 Network diagram for voice VLAN configuration (manual mode): an IP phone (OUI 0011-2200-0000, mask ffff-ff00-0000) is attached to GE1/0/1 of Device A; Device A reaches Device B and the Internet over VLAN 2.
Configuration procedure
# Enable the security mode for the voice VLAN so that the ports in the voice VLAN permit valid voice
packets only. This operation is optional. The security mode is enabled by default.
<DeviceA> system-view
[DeviceA] voice vlan security enable
# Add a user-defined OUI address 0011-2200-0000 and set the description string to "test".
[DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Create VLAN 2 and configure it as a voice VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] voice vlan 2 enable
# Configure GigabitEthernet 1/0/1 to operate in manual mode.
[DeviceA] interface GigabitEthernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] undo voice vlan mode auto
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Configure the voice VLAN as the default VLAN of GigabitEthernet 1/0/1, and add the voice VLAN to
the list of untagged VLANs whose traffic is permitted by the port.
[DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 2 untagged
# Enable the voice VLAN function on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] voice vlan enable
Verification
# Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
<DeviceA> display voice vlan oui
Oui Address       Mask              Description
0003-6b00-0000    ffff-ff00-0000    Cisco phone
000f-e200-0000    ffff-ff00-0000    H3C Aolynk phone
0011-2200-0000    ffff-ff00-0000    test
00d0-1e00-0000    ffff-ff00-0000    Pingtel phone
00e0-7500-0000    ffff-ff00-0000    Polycom phone
00e0-bb00-0000    ffff-ff00-0000    3Com phone
# Display the status of the current voice VLAN.
<DeviceA> display voice vlan status
Voice Vlan status: ENABLE
Voice Vlan ID: 2
Voice Vlan security mode: Security
Voice Vlan aging time: 1440 minutes
Current voice vlan enabled port mode:
PORT                    MODE
---------------------------------------
GigabitEthernet1/0/1    MANUAL
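The OUI list shown by display voice vlan oui is what security mode matches voice traffic against. The following Python, added here as an example and not part of the H3C manual or firmware, reproduces that match: a frame is accepted as voice traffic when its source MAC ANDed with an entry's mask equals that entry's OUI. The OUI table is copied from the verification output above; the sample frames are constructed. Because the decision rests on the source MAC alone, a host that sets its MAC to a phone OUI is classified as voice exactly like a real phone, which is the caveat to keep in mind when relying on security mode to keep data hosts out of the voice VLAN.

```python
# Added example (not H3C code): voice VLAN OUI matching as used by security mode.
# A frame is voice traffic when (source MAC & mask) == OUI for some OUI list entry.


def parse_mac(text):
    """Parse the H3C hhhh-hhhh-hhhh notation (aa:bb:cc:dd:ee:ff is accepted too) into an int."""
    digits = text.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % text)
    return int(digits, 16)


# OUI list copied from the "display voice vlan oui" output above; 0011-2200-0000 is the user-defined entry.
OUI_LIST = [
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
    ("000f-e200-0000", "ffff-ff00-0000", "H3C Aolynk phone"),
    ("0011-2200-0000", "ffff-ff00-0000", "test"),
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3Com phone"),
]


def match_oui(src_mac, oui_list=OUI_LIST):
    """Return the description of the first OUI entry matching src_mac, or None when no entry matches."""
    mac = parse_mac(src_mac)
    for oui, mask, description in oui_list:
        if mac & parse_mac(mask) == parse_mac(oui):
            return description
    return None


def classify_frames(frames, oui_list=OUI_LIST):
    """frames: list of (source MAC, note). Returns {mac: "voice" | "data"} as security mode would decide."""
    return {mac: ("voice" if match_oui(mac, oui_list) else "data") for mac, _ in frames}


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = [
    ("0011-2233-4455", "real phone, user-defined OUI"),
    ("00e0-7512-3456", "Polycom phone"),
    ("0050-5600-0001", "PC on the same port"),
    ("00e0-7500-dead", "PC that cloned a Polycom OUI: admitted as voice"),
]

if __name__ == "__main__":
    verdicts = classify_frames(SAMPLE_FRAMES)
    for mac, note in SAMPLE_FRAMES:
        print("%-16s %-5s  %s" % (mac, verdicts[mac], note))
```

The last sample frame is the point of the exercise: security mode filters on OUI, not on any property a phone cannot fake, so a port that also carries user PCs should not be treated as a trust boundary for the voice VLAN.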
Table of Contents
1 GVRP Configuration                                  1-1
  Introduction to GVRP                                1-1
    GARP                                              1-1
    GVRP                                              1-4
    Protocol Specifications                           1-4
  GVRP Configuration                                  1-4
    GVRP Configuration Tasks                          1-4
    Enabling GVRP                                     1-4
    Configuring GVRP Timers                           1-5
    Configuring GVRP Port Registration Mode           1-6
  Displaying and Maintaining GVRP                     1-6
  GVRP Configuration Example                          1-7
    GVRP Configuration Example                        1-7

1 GVRP Configuration
When configuring GVRP, go to these sections for information you are interested in:
- Introduction to GVRP
- GVRP Configuration
- Displaying and Maintaining GVRP
- GVRP Configuration Example
Introduction to GVRP
GARP VLAN registration protocol (GVRP) is an implementation of the generic attribute registration protocol (GARP). GARP is introduced first.
GARP
The generic attribute registration protocol (GARP) provides a mechanism that allows participants in a GARP application to distribute, propagate, and register with other participants in a bridged LAN the attributes specific to that GARP application, such as the VLAN or multicast attribute.
GARP itself does not exist on a device as an entity. GARP-compliant application entities are called GARP applications; one example is GVRP. When a GARP application entity is present on a port of your device, this port is regarded as a GARP application entity.
GARP messages and timers
1) GARP messages
GARP members communicate with each other through the messages exchanged between them. The messages that perform the important functions of GARP fall into three types: Join, Leave and LeaveAll.
- When a GARP entity wants its attribute information to be registered on other devices, it sends Join messages to these devices. A GARP entity also sends Join messages when it receives Join messages from other entities, or when it wants some of its statically configured attributes to be registered on other GARP entities.
- When a GARP entity wants some of its attributes to be deregistered on other devices, it sends Leave messages to these devices. A GARP entity also sends Leave messages when it receives Leave messages from other entities for deregistering some attributes, or when some of its attributes are statically deregistered.
- Once a GARP entity is launched, its LeaveAll timer is started at the same time. The GARP entity sends out LeaveAll messages when the timer expires. LeaveAll messages deregister all attributes, after which the attribute information of the entity can be registered again on the other GARP entities.
Leave messages and LeaveAll messages, together with Join messages, ensure that attribute information can be deregistered and re-registered.
Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN.
2) GARP timers
Timers determine the intervals at which the different types of GARP messages are sent. GARP defines four timers to control the period of sending GARP messages.
- Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately. Instead, to save bandwidth, it starts the Hold timer, collects all registration information received before the timer expires into one Join message, and sends that message when the timer expires.
- Join: To make sure the devices can receive Join messages, each Join message is sent twice. If the first Join message is not responded to within a specific period, a second one is sent. The period is determined by this timer.
- Leave: When a GARP entity wants to deregister a piece of attribute information, it sends out a Leave message. Any GARP entity receiving this message starts its Leave timer, and deregisters the attribute information if it does not receive a Join message again before the timer expires.
- LeaveAll: Once a GARP entity starts up, it starts the LeaveAll timer, and sends out a LeaveAll message after the timer expires, so that other GARP entities can re-register all the attribute information on this entity. After that, the entity restarts the LeaveAll timer to begin a new cycle.
Note that:
- The settings of GARP timers apply to all GARP applications, such as GVRP, on a LAN.
- Unlike the other three timers, which are set on a per-port basis, the LeaveAll timer is set in system view and takes effect globally.
- A GARP application entity may send LeaveAll messages at the interval set by its own LeaveAll timer or by the LeaveAll timer on another device on the network, whichever is smaller. This is because each time a device on the network receives a LeaveAll message it resets its LeaveAll timer.
Operating mechanism of GARP
Through the mechanism of GARP, the configuration information on a GARP member is propagated within the whole LAN. A GARP member can be a terminal workstation or a bridge; it instructs other GARP members to register/deregister its attribute information by declaration/recant, and registers/deregisters other GARP members' attribute information according to their declarations/recants. When a port receives an attribute declaration, the port registers this attribute. When a port receives an attribute recant, the port deregisters this attribute.
The protocol packets of GARP entities use specific multicast MAC addresses as their destination MAC addresses. When receiving these packets, the switch distinguishes them by their destination MAC addresses and delivers them to the corresponding GARP application (for example, GVRP) for further processing.
GARP message format
The GARP packets are in the following format:
Figure 1-1 Format of GARP packets
The following table describes the fields of a GARP packet.
Table 1-1 Description of GARP packet fields
Field             Description                                                               Value
Protocol ID       Protocol ID                                                               1
Message           Each message consists of two parts: Attribute Type and Attribute List.   —
Attribute Type    Defined by the specific GARP application                                  The attribute type of GVRP is 0x01.
Attribute List    Contains multiple attributes.                                             —
Attribute         Each general attribute consists of three parts: Attribute Length,        —
                  Attribute Event, and Attribute Value. Each LeaveAll attribute consists
                  of two parts: Attribute Length and LeaveAll Event.
Attribute Length  The length of the attribute                                               2 to 255 (in bytes)
Attribute Event   The event described by the attribute                                      0: LeaveAll Event
                                                                                            1: JoinEmpty
                                                                                            2: JoinIn
                                                                                            3: LeaveEmpty
                                                                                            4: LeaveIn
                                                                                            5: Empty
Attribute Value   The value of the attribute                                                For GVRP packets, the value of this field is the VLAN ID;
                                                                                            for LeaveAll messages, this field is invalid.
End Mark          End mark of a GARP PDU                                                    The value of this field is fixed to 0x00.
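As an added example (not code from H3C or from this manual), the following Python encodes and decodes a GVRP PDU laid out as in Table 1-1, checking every Attribute Length against the buffer before using it so that a truncated or forged frame is rejected rather than read past its end. Field widths the table does not state (a 2-byte Protocol ID, a 2-byte VLAN ID in the Attribute Value, and one End Mark closing each attribute list plus one closing the PDU) are taken from IEEE 802.1D/802.1Q and are assumptions of this example; the sample PDU is constructed. Note that nothing in this format authenticates the sender: whatever a peer on a GVRP-enabled trunk declares with JoinIn or JoinEmpty is what the switch is asked to register, which is why the fixed and forbidden registration modes described later in this chapter matter on ports facing devices you do not control.

```python
import struct

# Added example (not H3C code): encode/decode a GVRP PDU per Table 1-1.
# Widths not given in the table (2-byte Protocol ID, 2-byte VLAN ID value,
# End Mark after each attribute list and after the PDU) follow IEEE 802.1D/802.1Q
# and are assumptions of this example.

GARP_PROTOCOL_ID = 1        # Table 1-1: Protocol ID
GVRP_ATTRIBUTE_TYPE = 0x01  # Table 1-1: attribute type used by GVRP
END_MARK = 0x00             # Table 1-1: End Mark

EVENT_NAMES = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
               3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
EVENT_CODES = {name: code for code, name in EVENT_NAMES.items()}


def build_gvrp_pdu(attributes):
    """Build one GVRP message. attributes: list of (event name, VLAN ID); VLAN ID is None for LeaveAll."""
    pdu = bytearray(struct.pack("!H", GARP_PROTOCOL_ID))
    pdu.append(GVRP_ATTRIBUTE_TYPE)
    for event, vlan in attributes:
        code = EVENT_CODES[event]
        if code == 0:
            pdu += bytes([2, code])                             # LeaveAll: Attribute Length + LeaveAll Event only
        else:
            if not 1 <= vlan <= 4094:
                raise ValueError("VLAN ID out of range: %r" % vlan)
            pdu += bytes([4, code]) + struct.pack("!H", vlan)  # length + event + 2-byte VLAN ID
    pdu.append(END_MARK)  # end of the attribute list
    pdu.append(END_MARK)  # end of the PDU
    return bytes(pdu)


def parse_gvrp_pdu(pdu):
    """Decode a GARP PDU into a list of (attribute type, event name, VLAN ID) tuples.

    Every length is checked against the buffer before it is used, so a truncated or
    malformed frame raises ValueError instead of reading beyond the data."""
    if len(pdu) < 2:
        raise ValueError("PDU shorter than Protocol ID")
    (proto,) = struct.unpack("!H", pdu[:2])
    if proto != GARP_PROTOCOL_ID:
        raise ValueError("unexpected Protocol ID %d" % proto)
    pos, result = 2, []
    while True:
        if pos >= len(pdu):
            raise ValueError("PDU missing End Mark")
        attr_type = pdu[pos]
        pos += 1
        if attr_type == END_MARK:
            return result
        while True:
            if pos >= len(pdu):
                raise ValueError("attribute list missing End Mark")
            length = pdu[pos]
            if length == END_MARK:
                pos += 1
                break
            if length < 2 or pos + length > len(pdu):
                raise ValueError("bad Attribute Length %d at offset %d" % (length, pos))
            event = pdu[pos + 1]
            if event not in EVENT_NAMES:
                raise ValueError("unknown Attribute Event %d" % event)
            value = pdu[pos + 2:pos + length]
            if event == 0:
                vlan = None                       # Attribute Value is invalid for LeaveAll
            elif attr_type == GVRP_ATTRIBUTE_TYPE and len(value) == 2:
                (vlan,) = struct.unpack("!H", value)
            else:
                vlan = value.hex()                # non-GVRP attribute: keep the raw value
            result.append((attr_type, EVENT_NAMES[event], vlan))
            pos += length


def declared_vlans(pdu):
    """VLAN IDs a peer is asking us to register (JoinEmpty/JoinIn), as a sorted list."""
    return sorted({vlan for t, ev, vlan in parse_gvrp_pdu(pdu)
                   if t == GVRP_ATTRIBUTE_TYPE and ev in ("JoinEmpty", "JoinIn")})


def is_well_formed(pdu):
    """True when parse_gvrp_pdu accepts the PDU, False when it rejects it."""
    try:
        parse_gvrp_pdu(pdu)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a peer declaring VLANs 5 and 7, followed by a LeaveAll.
    sample = build_gvrp_pdu([("JoinIn", 5), ("JoinIn", 7), ("LeaveAll", None)])
    print(sample.hex())
    print(parse_gvrp_pdu(sample))
    print("VLANs this peer wants registered:", declared_vlans(sample))
```

Run against PDUs captured on a trunk, declared_vlans lists exactly what a neighbour is trying to add to the local VLAN table; comparing that list with the VLANs you expect on the link is a quick check for an unexpected GVRP talker.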
GVRP
As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN
registration information and propagates the information to the other switches through GARP.
With GVRP enabled on a device, the VLAN registration information received by the device from other
devices is used to dynamically update the local VLAN registration information, including the information
about the VLAN members, the ports through which the VLAN members can be reached, and so on. The
device also propagates the local VLAN registration information to other devices so that all the devices in
the same LAN can have the same VLAN information. VLAN registration information propagated by
GVRP includes static VLAN registration information, which is manually configured locally on each
device, and dynamic VLAN registration information, which is received from other devices.
GVRP has the following three port registration modes: Normal, Fixed, and Forbidden.
- Normal. A port in this mode can dynamically register/deregister VLANs and propagates both dynamic and static VLAN information.
- Fixed. A port in this mode cannot register/deregister VLANs dynamically. It permits only static VLANs and propagates only static VLAN information to the other GARP members.
- Forbidden. A port in this mode cannot register/deregister VLANs dynamically. It permits only the default VLAN (namely, VLAN 1), that is, the port propagates only the information about VLAN 1 to the other GARP members.
Protocol Specifications
GVRP is defined in IEEE 802.1Q standard.
GVRP Configuration
GVRP Configuration Tasks
Complete the following tasks to configure GVRP:
Task                                        Remarks
Enabling GVRP                               Required
Configuring GVRP Timers                     Optional
Configuring GVRP Port Registration Mode     Optional
Enabling GVRP
Configuration Prerequisite
The port on which GVRP will be enabled must be set to a trunk port.
Configuration procedure
Follow these steps to enable GVRP:
To do ...                  Use the command ...                          Remarks
Enter system view          system-view                                  —
Enable GVRP globally       gvrp                                         Required. By default, GVRP is disabled globally.
Enter Ethernet port view   interface interface-type interface-number   —
Enable GVRP on the port    gvrp                                         Required. By default, GVRP is disabled on the port.
Note that:
- After you enable GVRP on a trunk port, you cannot change the port to a different type.
- Use the port trunk permit vlan all command to permit the traffic of all dynamically registered VLANs to pass through a trunk port with GVRP enabled.
Configuring GVRP Timers
Follow these steps to configure GVRP timers:
To do ...                                 Use the command ...                            Remarks
Enter system view                         system-view                                    —
Configure the LeaveAll timer              garp timer leaveall timer-value                Optional. By default, the LeaveAll timer is set to 1,000 centiseconds.
Enter Ethernet port view                  interface interface-type interface-number     —
Configure the Hold, Join, and Leave timers   garp timer { hold | join | leave } timer-value   Optional. By default, the Hold, Join, and Leave timers are set to 10, 20, and 60 centiseconds respectively.
Note that:
- The setting of each timer must be a multiple of 5 (in centiseconds).
- The timeout ranges of the timers vary depending on the timeout values you set for other timers. If you want to set the timeout time of a timer to a value out of the current range, you can set the timeout time of the associated timer to another value to change the timeout range of this timer.
The following table describes the relations between the timers:
Table 1-2 Relations between the timers
Timer      Lower threshold                                                                  Upper threshold
Hold       10 centiseconds                                                                  Less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
Join       Greater than or equal to twice the timeout time of the Hold timer. You can        Less than one-half of the timeout time of the Leave timer. You can change the threshold by changing the timeout time of the Leave timer.
           change the threshold by changing the timeout time of the Hold timer.
Leave      Greater than twice the timeout time of the Join timer. You can change the        Less than the timeout time of the LeaveAll timer. You can change the threshold by changing the timeout time of the LeaveAll timer.
           threshold by changing the timeout time of the Join timer.
LeaveAll   Greater than the timeout time of the Leave timer. You can change the             32,765 centiseconds
           threshold by changing the timeout time of the Leave timer.
The following are recommended GVRP timer settings:
- GARP Hold timer: 100 centiseconds (1 second)
- GARP Join timer: 600 centiseconds (6 seconds)
- GARP Leave timer: 3000 centiseconds (30 seconds)
- GARP LeaveAll timer: 12000 centiseconds (2 minutes; the LeaveAll timer cannot exceed 32,765 centiseconds)
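Because each threshold in Table 1-2 depends on a neighbouring timer, a set of values can be valid as a whole yet impossible to enter in an arbitrary order. The following Python is added as an example (it is not H3C code): it checks a set of timer values against Table 1-2 and orders the garp timer commands so that no intermediate state falls outside the ranges. Values are centiseconds; the default and recommended settings are the ones given on this page, and the ordering rule (apply decreases smallest timer first, then increases largest timer first) is this example's own.

```python
# Added example (not H3C code): validate GARP timer settings against Table 1-2 and
# plan an order of garp timer commands that keeps every intermediate state valid.
# All values are centiseconds, as the garp timer commands expect.

HOLD_MIN = 10          # Table 1-2: lower threshold of the Hold timer
LEAVEALL_MAX = 32765   # Table 1-2: upper threshold of the LeaveAll timer
STEP = 5               # each timer must be a multiple of 5 centiseconds
ORDER = ("hold", "join", "leave", "leaveall")

DEFAULTS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}
RECOMMENDED = {"hold": 100, "join": 600, "leave": 3000, "leaveall": 12000}


def check_garp_timers(t):
    """Return the list of Table 1-2 constraints violated by t (empty when the settings are valid).

    t maps "hold", "join", "leave" and "leaveall" to centiseconds."""
    problems = []
    for name in ORDER:
        if t[name] % STEP:
            problems.append("%s=%d is not a multiple of %d" % (name, t[name], STEP))
    if t["hold"] < HOLD_MIN:
        problems.append("hold=%d is below %d" % (t["hold"], HOLD_MIN))
    if 2 * t["hold"] > t["join"]:
        problems.append("hold must be at most half of join")
    if 2 * t["join"] >= t["leave"]:
        problems.append("join must be less than half of leave")
    if t["leave"] >= t["leaveall"]:
        problems.append("leave must be less than leaveall")
    if t["leaveall"] > LEAVEALL_MAX:
        problems.append("leaveall=%d exceeds %d" % (t["leaveall"], LEAVEALL_MAX))
    return problems


def timer_command(name, value):
    """CLI line that sets one timer (leaveall is entered in system view, the others in port view)."""
    return "garp timer %s %d" % (name, value)


def plan_timer_changes(current, target):
    """Order the changes from current to target so that each step stays within Table 1-2.

    Decreases are applied smallest timer first (hold, join, leave, leaveall) and increases
    largest timer first (leaveall, leave, join, hold); with both end states valid, that order
    never leaves a timer outside the range its neighbours impose. Returns the CLI lines."""
    if check_garp_timers(current) or check_garp_timers(target):
        raise ValueError("current and target settings must both be valid")
    state, commands = dict(current), []
    decreases = [n for n in ORDER if target[n] < current[n]]
    increases = [n for n in reversed(ORDER) if target[n] > current[n]]
    for name in decreases + increases:
        state[name] = target[name]
        if check_garp_timers(state):
            raise RuntimeError("intermediate state invalid: %r" % state)
        commands.append(timer_command(name, target[name]))
    return commands


if __name__ == "__main__":
    print("defaults:", check_garp_timers(DEFAULTS) or "valid")
    print("recommended:", check_garp_timers(RECOMMENDED) or "valid")
    print("leaveall 120000:", check_garp_timers(dict(RECOMMENDED, leaveall=120000)))
    for line in plan_timer_changes(DEFAULTS, RECOMMENDED):
        print(line)
```

Moving from the defaults to the recommended values, for instance, the plan sets the LeaveAll timer in system view first and the Hold timer last; the reverse move sets Hold first and LeaveAll last.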
Configuring GVRP Port Registration Mode
Follow these steps to configure GVRP port registration mode:
To do ...                               Use the command ...                              Remarks
Enter system view                       system-view                                      —
Enter Ethernet port view                interface interface-type interface-number       —
Configure GVRP port registration mode   gvrp registration { fixed | forbidden | normal }   Optional. By default, GVRP port registration mode is normal.
Displaying and Maintaining GVRP
To do …                                   Use the command …                                      Remarks
Display GARP statistics                   display garp statistics [ interface interface-list ]   Available in any view
Display the settings of the GARP timers   display garp timer [ interface interface-list ]        Available in any view
Display GVRP statistics                   display gvrp statistics [ interface interface-list ]   Available in any view
Display the global GVRP status            display gvrp status                                    Available in any view
Clear GARP statistics                     reset garp statistics [ interface interface-list ]     Available in user view
GVRP Configuration Example
GVRP Configuration Example
Network requirements
- Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E are applied to all switches in the network, thus implementing dynamic VLAN information registration and refresh.
- By configuring the GVRP registration modes of specific Ethernet ports, you can enable the corresponding VLANs in the switched network to communicate with each other.
Network diagram
Figure 1-2 Network diagram for GVRP configuration
Configuration procedure
1) Configure Switch A
# Enable GVRP globally.
<SwitchA> system-view
[SwitchA] gvrp
# Configure GigabitEthernet1/0/1 to be a trunk port and to permit the packets of all the VLANs.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet1/0/1.
[SwitchA-GigabitEthernet1/0/1] gvrp
[SwitchA-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2 to be a trunk port and to permit the packets of all the VLANs.
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable GVRP on GigabitEthernet1/0/2.
[SwitchA-GigabitEthernet1/0/2] gvrp
[SwitchA-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/3 to be a trunk port and to permit the packets of all the VLANs.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable GVRP on GigabitEthernet1/0/3.
[SwitchA-GigabitEthernet1/0/3] gvrp
[SwitchA-GigabitEthernet1/0/3] quit
2) Configure Switch B
# The configuration procedure of Switch B is similar to that of Switch A and is thus omitted.
3) Configure Switch C
# Enable GVRP on Switch C. The procedure is similar to that of Switch A and is thus omitted.
# Create VLAN 5.
[SwitchC] vlan 5
[SwitchC-vlan5] quit
4) Configure Switch D
# Enable GVRP on Switch D. The procedure is similar to that of Switch A and is thus omitted.
# Create VLAN 8.
[SwitchD] vlan 8
[SwitchD-vlan8] quit
5) Configure Switch E
# Enable GVRP on Switch E. The procedure is similar to that of Switch A and is thus omitted.
# Create VLAN 5 and VLAN 7.
[SwitchE] vlan 5
[SwitchE-vlan5] quit
[SwitchE] vlan 7
[SwitchE-vlan7] quit
6) Display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
# Display the VLAN information dynamically registered on Switch A.
[SwitchA] display vlan dynamic
Total 3 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 7, 8,
# Display the VLAN information dynamically registered on Switch B.
[SwitchB] display vlan dynamic
Total 3 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 7, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE] display vlan dynamic
Total 1 dynamic VLAN exist(s).
The following dynamic VLANs exist:
8
7) Configure GigabitEthernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
# Configure GigabitEthernet1/0/1 on Switch E to operate in fixed GVRP registration mode.
[SwitchE] interface GigabitEthernet 1/0/1
[SwitchE-GigabitEthernet1/0/1] gvrp registration fixed
# Display the VLAN information dynamically registered on Switch A.
[SwitchA] display vlan dynamic
Total 3 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 7, 8,
# Display the VLAN information dynamically registered on Switch B.
[SwitchB] display vlan dynamic
Total 3 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 7, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE-GigabitEthernet1/0/1] display vlan dynamic
No dynamic vlans exist!
8) Configure GigabitEthernet1/0/1 on Switch E to operate in forbidden GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
# Configure GigabitEthernet1/0/1 on Switch E to operate in forbidden GVRP registration mode.
[SwitchE-GigabitEthernet1/0/1] gvrp registration forbidden
# Display the VLAN information dynamically registered on Switch A.
[SwitchA] display vlan dynamic
Total 2 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 8,
# Display the VLAN information dynamically registered on Switch B.
[SwitchB] display vlan dynamic
Total 2 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE] display vlan dynamic
No dynamic vlans exist!
Table of Contents
1 Port Basic Configuration                                              1-1
  Ethernet Port Configuration                                           1-1
    Combo Port Configuration                                            1-1
    Initially Configuring a Port                                        1-2
    Configuring Port Auto-Negotiation Speed                             1-2
    Limiting Traffic on individual Ports                                1-3
    Enabling Flow Control on a Port                                     1-4
    Duplicating the Configuration of a Port to Other Ports              1-4
    Configuring Loopback Detection for an Ethernet Port                 1-5
    Enabling Loopback Test                                              1-6
    Enabling the System to Test Connected Cable                         1-6
    Configuring the Interval to Perform Statistical Analysis on Port Traffic   1-7
    Disabling Up/Down Log Output on a Port                              1-7
    Configuring a Port Group                                            1-8
    Displaying and Maintaining Basic Port Configuration                 1-9

1 Port Basic Configuration
Ethernet Port Configuration
Combo Port Configuration
A Combo port can operate as either an optical port or an electrical port. Inside the device there is only
one forwarding interface. For a Combo port, the electrical port and the corresponding optical port are
TX-SFP multiplexed. You can specify a Combo port to operate as an electrical port or an optical port.
That is, a Combo port cannot operate as both an electrical port and an optical port simultaneously.
When one is enabled, the other is automatically disabled.
Table 1-1 Mapping relations between the ports forming the Combo port
Model                                                          1000Base-X SFP port      10/100/1000Base-T autosensing Ethernet port
S5100-16P-SI, S5100-16P-EI, S5100-16P-PWR-EI                   GigabitEthernet1/0/17    GigabitEthernet1/0/14
                                                               GigabitEthernet1/0/18    GigabitEthernet1/0/16
                                                               GigabitEthernet1/0/19    GigabitEthernet1/0/13
                                                               GigabitEthernet1/0/20    GigabitEthernet1/0/15
S5100-24P-SI, S5100-24P-EI, S5100-26C-EI, S5100-26C-PWR-EI     GigabitEthernet1/0/25    GigabitEthernet1/0/22
                                                               GigabitEthernet1/0/26    GigabitEthernet1/0/24
                                                               GigabitEthernet1/0/27    GigabitEthernet1/0/21
                                                               GigabitEthernet1/0/28    GigabitEthernet1/0/23
S5100-48P-SI, S5100-48P-EI, S5100-50C-EI, S5100-50C-PWR-EI     GigabitEthernet1/0/49    GigabitEthernet1/0/46
                                                               GigabitEthernet1/0/50    GigabitEthernet1/0/48
                                                               GigabitEthernet1/0/51    GigabitEthernet1/0/45
                                                               GigabitEthernet1/0/52    GigabitEthernet1/0/47
Follow these steps to configure the state of a double Combo port:
To do…                                 Use the command…                            Remarks
Enter system view                      system-view                                 —
Enter Ethernet interface view          interface interface-type interface-number  —
Enable a specified double Combo port   undo shutdown                               Optional. By default, of the two ports in a Combo port, the one with the smaller port ID is enabled.
Initially Configuring a Port
Follow these steps to initially configure a port:
To do...                                                                  Use the command...                          Remarks
Enter system view                                                         system-view                                 —
Enter Ethernet port view                                                  interface interface-type interface-number  —
Enable the Ethernet port                                                  undo shutdown                               Optional. By default, the port is enabled. Use the shutdown command to disable the port.
Set the description string for the Ethernet port                          description text                            Optional. By default, the description string of an Ethernet port is null.
Set the duplex mode of the Ethernet port                                  duplex { auto | full | half }               Optional. By default, the duplex mode of the port is auto (auto-negotiation).
Set the speed of the Ethernet port                                        speed { 10 | 100 | 1000 | auto }            Optional. By default, the speed of an Ethernet port is determined through auto-negotiation (the auto keyword).
Set the medium dependent interface (MDI) mode of the Ethernet port        mdi { across | auto | normal }              Optional. By default, the MDI mode of an Ethernet port is auto.
Set the maximum frame size allowed on the Ethernet port to 9,216 bytes    jumboframe enable                           Optional. By default, the maximum frame size allowed on an Ethernet port is 9,216 bytes. To set the maximum frame size allowed on an Ethernet port to 1,536 bytes, use the undo jumboframe enable command.
Note that:
- The speed and mdi commands are not available on the combo port.
- The mdi command is not available on the Ethernet ports of the expansion interface card.
Configuring Port Auto-Negotiation Speed
You can configure the auto-negotiation speeds of a port by using the speed auto command.
Take a 10/100/1000 Mbps port as an example.
- If you want 10 Mbps to be the only available auto-negotiation speed of the port, configure speed auto 10.
- If you want 10 Mbps and 100 Mbps to be the available auto-negotiation speeds of the port, configure speed auto 10 100.
- If you want 10 Mbps and 1000 Mbps to be the available auto-negotiation speeds of the port, configure speed auto 10 1000.
Follow these steps to configure auto-negotiation speeds for a port:
To do...                                                          Use the command...                          Remarks
Enter system view                                                 system-view                                 —
Enter Ethernet interface view                                     interface interface-type interface-number  —
Configure the available auto-negotiation speed(s) for the port    speed auto [ 10 | 100 | 1000 ]*             Optional. By default, the port speed is determined through auto-negotiation.
Note that:
- Only ports on the front panel of the device support the auto-negotiation speed configuration feature. Ports on the expansion interface card do not currently support this feature.
- After you configure auto-negotiation speed(s) for a port, executing the undo speed command or the speed auto command restores the auto-negotiation speed setting of the port to the default.
- Executing speed auto 10 100 1000 has the same effect as executing speed auto, that is, the port is configured to support all the auto-negotiation speeds: 10 Mbps, 100 Mbps, and 1000 Mbps.
Limiting Traffic on individual Ports
By performing the following configurations, you can limit the incoming broadcast traffic on individual ports. When incoming traffic of this type exceeds the threshold you set, the system drops the packets exceeding the limit, keeping the share of such traffic within a reasonable range so that normal network service is maintained.
Follow these steps to limit traffic on a port:
To do...                                               Use the command...                               Remarks
Enter system view                                      system-view                                      —
Limit broadcast traffic received on each port          broadcast-suppression { ratio | pps max-pps }    Optional. By default, the switch does not suppress broadcast traffic.
Enter Ethernet port view                               interface interface-type interface-number       —
Limit broadcast traffic received on the current port   broadcast-suppression { ratio | pps max-pps }    Optional. By default, the switch does not suppress broadcast traffic.
Enabling Flow Control on a Port
With flow control enabled on both the local and the peer switch, if congestion occurs on the local switch:
- The local switch sends a message to notify the peer switch to stop sending packets to it, or to reduce its sending rate temporarily.
- The peer switch stops sending packets to the local switch, or reduces its sending rate temporarily, when it receives the message; and vice versa. In this way packet loss is avoided and network service operates normally.
Follow these steps to enable flow control on a port:
To do...                                    Use the command...                          Remarks
Enter system view                           system-view                                 —
Enter Ethernet port view                    interface interface-type interface-number  —
Enable flow control on the Ethernet port    flow-control                                By default, flow control is not enabled on the port.
Duplicating the Configuration of a Port to Other Ports
To make other ports have the same configuration as that of a specific port, you can duplicate the configuration of a port to specific ports.
Specifically, the following types of port configuration can be duplicated from one port to other ports: VLAN configuration, protocol-based VLAN configuration, LACP configuration, QoS configuration, GARP configuration, STP configuration and initial port configuration. Refer to the command manual for the configurations that can be duplicated.
Follow these steps to duplicate the configuration of a port to specific ports:
To do...                                                  Use the command...                                                         Remarks
Enter system view                                         system-view                                                                —
Duplicate the configuration of a port to specific ports   copy configuration source { interface-type interface-number |              Required
                                                          aggregation-group source-agg-id } destination { interface-list
                                                          [ aggregation-group destination-agg-id ] | aggregation-group
                                                          destination-agg-id }
Note that:
- If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source.
- If you specify a destination aggregation group ID, the configuration of the source port is copied to all ports in the aggregation group, and all ports in the group then have the same configuration as the source port.
Configuring Loopback Detection for an Ethernet Port
Loopback detection is used to monitor whether a loopback occurs on a switch port.
After you enable loopback detection on Ethernet ports, the switch monitors whether an external loopback occurs on them. If a loopback port is found, the switch puts it under control.
- If a loopback is found on an access port, the system disables the port, sends a Trap message to the client and removes the corresponding MAC forwarding entry.
- If a loopback is found on a trunk or hybrid port, the system sends a Trap message to the client. When the loopback port control function is enabled on these ports, the system disables the port, sends a Trap message to the client and removes the corresponding MAC forwarding entry.
Follow these steps to configure loopback detection for an Ethernet port:
1. Enter system view. Command: system-view. Remarks: —
2. Enable loopback detection globally. Command: loopback-detection enable. Remarks: Required. By default, loopback detection is disabled globally.
3. Set the interval for performing port loopback detection. Command: loopback-detection interval-time time. Remarks: Optional. The default is 30 seconds.
4. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
5. Enable loopback detection on a specified port. Command: loopback-detection enable. Remarks: Required. By default, port loopback detection is disabled.
6. Enable loopback port control on the trunk or hybrid port. Command: loopback-detection control enable. Remarks: Optional. By default, loopback port control is not enabled.
7. Configure the system to run loopback detection on all VLANs of the current trunk or hybrid port. Command: loopback-detection per-vlan enable. Remarks: Optional. By default, the system runs loopback detection only on the default VLAN of the current trunk or hybrid port.
- To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the view of that port.
- After you use the undo loopback-detection enable command in system view, loopback detection is disabled on all ports.
- The loopback detection commands and the port link aggregation commands cannot be configured at the same time.
Enabling Loopback Test
You can configure the Ethernet port to run loopback test to check if it operates normally. The port
running loopback test cannot forward data packets normally. The loopback test terminates
automatically after a specific period.
Follow these steps to enable loopback test:
1. Enter system view. Command: system-view. Remarks: —
2. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
3. Enable loopback test. Command: loopback { external | internal }. Remarks: Required
- external: Performs an external loop test. In the external loop test, a self-loop header must be fitted on the port of the switch (for a 1000M port, the self-loop header is made from all eight cores of the 8-core cable), so that packets sent by the port are received by the port itself. The external loop test can locate hardware failures on the port.
- internal: Performs an internal loop test. In the internal loop test, the self-loop is established inside the switching chip, to locate chip failures related to the port.
Note that:
- After you use the shutdown command on a port, the port cannot run a loopback test.
- You cannot use the speed, duplex, mdi and shutdown commands on ports that are running a loopback test.
- Some ports do not support the loopback test; a corresponding prompt is given when you perform a loopback test on them.
Enabling the System to Test Connected Cable
You can enable the system to test the cable connected to a specific port. The test result is returned within five seconds. The system can test these attributes of the cable: the receive and transmit directions (RX and TX), whether there is a short circuit or an open circuit, and the length of the faulty cable.
Follow these steps to enable the system to test connected cables:
1. Enter system view. Command: system-view. Remarks: —
2. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
3. Enable the system to test connected cables. Command: virtual-cable-test. Remarks: Required
- Optical ports (including Combo optical ports) do not support the VCT (virtual-cable-test) function.
- A Combo electrical port supports the VCT function only when it is in the UP state (brought up with the undo shutdown command); a normal Ethernet electrical port always supports this function.
Configuring the Interval to Perform Statistical Analysis on Port Traffic
By performing the following configuration, you can set the interval to perform statistical analysis on the
traffic of a port.
When you use the display interface interface-type interface-number command to display the
information of a port, the system performs statistical analysis on the traffic flow passing through the port
during the specified interval and displays the average rates in the interval. For example, if you set this
interval to 100 seconds, the displayed information is as follows:
Last 100 seconds input:  0 packets/sec 0 bytes/sec
Last 100 seconds output: 0 packets/sec 0 bytes/sec
Follow these steps to set the interval to perform statistical analysis on port traffic:
1. Enter system view. Command: system-view. Remarks: —
2. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
3. Set the interval to perform statistical analysis on port traffic. Command: flow-interval interval. Remarks: Optional. By default, this interval is 300 seconds.
Disabling Up/Down Log Output on a Port
An Ethernet port has three physical link statuses: Up, Down, and Administratively Down. For status
transition conditions, refer to the description of the display brief interface command in Basic Port
Configuration Command.
When the physical link status of an Ethernet port changes between Up and Down, or between Up and Administratively Down, the switch generates an Up/Down log and, by default, sends the log information to the terminal automatically. If the status of Ethernet ports in a network changes frequently, a large amount of log information may be sent to the terminal, which consumes network resources. Additionally, overly frequent log information is inconvenient to view.
You can limit the amount of log information sent to the terminal by selectively disabling the Up/Down log output function on some Ethernet ports. For information about log output settings, refer to the Information Center module.
Disable Up/Down log output on a port
Follow these steps to disable UP/Down log output on a port:
1. Enter system view. Command: system-view. Remarks: —
2. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
3. Disable the port from generating Up/Down logs. Command: undo enable log updown. Remarks: Required. By default, Up/Down log output is enabled.
Configuration examples
# In the default conditions, where UP/DOWN log output is enabled, execute the shutdown command or
the undo shutdown command on GigabitEthernet 1/0/1. The Up/Down log information for
GigabitEthernet 1/0/1 is generated and displayed on the terminal.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] shutdown
%Apr  5 07:25:37:634 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is DOWN
[Sysname-GigabitEthernet1/0/1] undo shutdown
%Apr  5 07:25:56:244 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is UP
# Disable GigabitEthernet 1/0/1 from generating Up/Down log information and execute the shutdown
command or the undo shutdown command on GigabitEthernet 1/0/1. No Up/Down log information is
generated or output for GigabitEthernet 1/0/1.
[Sysname-GigabitEthernet1/0/1] undo enable log updown
[Sysname-GigabitEthernet1/0/1] shutdown
[Sysname-GigabitEthernet1/0/1] undo shutdown
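The Up/Down log lines above have a fixed format. The following added Python example (not code from the H3C manual) parses such lines and flags ports that change state repeatedly, which is the flooding case the text describes; the sample log lines are constructed from the format shown above, and the flapping threshold and window are assumptions.

```python
"""Parse Comware 'PORT LINK STATUS CHANGE' log lines and flag flapping ports.

Added example, not part of the H3C manual. The log format follows the
lines shown in the manual; the sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINK_LOG_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3})\s+(?P<year>\d{4})\s+"
    r"(?P<host>\S+)\s+L2INF/(?P<sev>\d)/PORT LINK STATUS CHANGE:-\s*"
    r"(?P<unit>\d+)\s*-\s*(?P<port>\S+)\s+is\s+(?P<state>UP|DOWN)\s*$"
)

# Constructed sample: the two lines from the manual's example, plus a port
# that goes up and down repeatedly inside one minute (a flapping link), and
# one CLI line that is not a log message and must be skipped.
SAMPLE_LOG = """\
%Apr  5 07:25:37:634 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is DOWN
%Apr  5 07:25:56:244 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is UP
%Apr  5 07:30:01:120 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/5 is DOWN
%Apr  5 07:30:09:870 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/5 is UP
%Apr  5 07:30:22:003 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/5 is DOWN
%Apr  5 07:30:31:555 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/5 is UP
%Apr  5 07:30:45:910 2000 Sysname L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/5 is DOWN
[Sysname-GigabitEthernet1/0/5] undo shutdown
"""


def parse_link_event(line):
    """Return (timestamp, host, port, state) for a link-status line, else None."""
    m = LINK_LOG_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(
        "%s %s %s %s" % (m["year"], m["mon"], m["day"], m["time"]),
        "%Y %b %d %H:%M:%S",
    ).replace(microsecond=int(m["ms"]) * 1000)
    return stamp, m["host"], m["port"], m["state"]


def link_events(text):
    """Parse every link-status line in a block of log text; skip other lines."""
    events = [parse_link_event(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def flapping_ports(events, window_seconds=60, max_changes=3):
    """Ports with more than max_changes Up/Down transitions in any window.

    The window length and threshold are assumed values; tune them to the
    network. Uses a sliding window over each port's sorted timestamps.
    """
    by_port = defaultdict(list)
    for stamp, _host, port, _state in events:
        by_port[port].append(stamp)
    flapping = []
    for port, stamps in by_port.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_changes:
                flapping.append(port)
                break
    return sorted(flapping)
```

Running flapping_ports(link_events(SAMPLE_LOG)) reports only GigabitEthernet1/0/5: it logs five transitions within 45 seconds, while GigabitEthernet1/0/1 logs just the two transitions shown in the manual.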
Configuring a Port Group
To make the configuration task easier, certain devices allow you to configure a single port as well as multiple ports in a port group. In port group view, you only need to enter a configuration command once, and that configuration applies to all ports in the port group. This effectively reduces redundant configuration.
A port group is created manually. Multiple Ethernet ports can be added to the same port group, but an Ethernet port can be added to only one port group.
Table 1-2 Configuring a Port Group
1. Enter system view. Command: system-view. Remarks: —
2. Create a port group or enter the specified port group view. Command: port-group group-id. Remarks: Required
3. Add an Ethernet port to the specified port group. Command: port interface-list. Remarks: Required
- Only S5100-EI Series Ethernet Switches support the port group feature.
- A port cannot be added to a port group if it has been added to an aggregation group, and vice versa.
Displaying and Maintaining Basic Port Configuration
- Display port configuration information. Command: display interface [ interface-type | interface-type interface-number ]. Remarks: Available in any view
- Display the enable/disable status of port loopback detection. Command: display loopback-detection. Remarks: Available in any view
- Display information for a specified port group. Command: display port-group group-id. Remarks: Available in any view
- Display brief information about port configuration. Command: display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ]. Remarks: Available in any view
- Display the Combo ports and the corresponding optical/electrical ports. Command: display port combo. Remarks: Available in any view
- Display port information about a specified unit. Command: display unit unit-id interface. Remarks: Available in any view
- Clear port statistics. Command: reset counters interface [ interface-type | interface-type interface-number ]. Remarks: Available in user view. After 802.1x is enabled on a port, clearing the statistics on the port will not work.
Table of Contents
1 Link Aggregation Configuration 1-1
  Overview 1-1
    Introduction to Link Aggregation 1-1
    Introduction to LACP 1-1
    Consistency Considerations for the Ports in Aggregation 1-1
  Link Aggregation Classification 1-2
    Manual Aggregation Group 1-2
    Static LACP Aggregation Group 1-3
    Dynamic LACP Aggregation Group 1-4
  Aggregation Group Categories 1-5
  Link Aggregation Configuration 1-6
    Configuring a Manual Aggregation Group 1-6
    Configuring a Static LACP Aggregation Group 1-7
    Configuring a Dynamic LACP Aggregation Group 1-8
    Configuring a Description for an Aggregation Group 1-8
  Displaying and Maintaining Link Aggregation Configuration 1-9
  Link Aggregation Configuration Example 1-9
    Ethernet Port Aggregation Configuration Example 1-9
1 Link Aggregation Configuration
When configuring link aggregation, go to these sections for information you are interested in:
- Overview
- Link Aggregation Classification
- Aggregation Group Categories
- Link Aggregation Configuration
- Displaying and Maintaining Link Aggregation Configuration
- Link Aggregation Configuration Example
Overview
Introduction to Link Aggregation
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an
aggregation group.
It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation
group. In addition, it provides reliable connectivity because these member ports can dynamically back
up each other.
Introduction to LACP
The Link Aggregation Control Protocol (LACP) is defined in IEEE 802.3ad. It uses link aggregation
control protocol data units (LACPDUs) for information exchange between LACP-enabled devices.
With LACP enabled on a port, LACP sends LACPDUs to notify the peer of the following information about the port: the priority and MAC address of this system, and the priority, number and operational key of the port. Upon receiving the information, the peer compares it with the information of other ports on the peer device to determine which ports can be aggregated. In this way, the two parties reach agreement on adding/removing the port to/from a dynamic aggregation group.
When aggregating ports, link aggregation control automatically assigns each port an operational key
based on the port speed, duplex mode, and basic configurations described in Consistency
Considerations for the Ports in Aggregation.
In a manual or static link aggregation group, the selected ports are assigned the same operational key.
In a dynamic link aggregation group, all member ports are assigned the same operational key.
Consistency Considerations for the Ports in Aggregation
To participate in traffic sharing, member ports in an aggregation group must use the same
configurations with respect to STP, QoS, GVRP, QinQ, BPDU tunnel, VLAN, port attributes, MAC
address learning, and so on as shown in the following table.
Table 1-1 Consistency considerations for ports in an aggregation
Category: Considerations
STP: State of port-level STP (enabled or disabled); attribute of the link (point-to-point or otherwise) connected to the port; port path cost; STP priority; STP packet format; loop protection; root protection; port type (whether the port is an edge port)
QoS: Rate limiting; priority marking; 802.1p priority; congestion avoidance; traffic redirecting; traffic accounting
Link type: Link type of the ports (trunk, hybrid, or access)
GVRP: GVRP state on ports (enabled or disabled); GVRP registration type; GARP timer settings
VLAN-VPN: State of VLAN-VPN (enabled or disabled); TPID on the ports
Link Aggregation Classification
Depending on different aggregation modes, the following three types of link aggregation exist:
- Manual aggregation
- Static LACP aggregation
- Dynamic LACP aggregation
Manual Aggregation Group
Introduction to manual aggregation group
A manual aggregation group is manually created. All its member ports are manually added and can be
manually removed (it inhibits the system from automatically adding/removing ports to/from it). Each
manual aggregation group must contain at least one port. When a manual aggregation group contains
only one port, you cannot remove the port unless you remove the whole aggregation group.
LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on
ports in a manual aggregation group.
Port status in manual aggregation group
A port in a manual aggregation group can be in one of the two states: selected or unselected. In a
manual aggregation group, only the selected ports can forward user service packets.
In a manual aggregation group, the system sets the ports to the selected or unselected state according to the following rules.
- Among the ports in the aggregation group that are in the up state, the system takes as the master port the one whose settings rank highest in the following order (highest first): full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed. The ports with the same rate, duplex mode and link type as the master port are selected ports, and the rest are unselected ports.
- There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and the others as unselected ports.
Among the selected ports in an aggregation group, the one with the smallest port number operates as the master port. The other selected ports are member ports.
Requirements on ports for manual aggregation
Generally, there is no limit on the rate and duplex mode of the ports (including ports that are initially down) that you want to add to a manual aggregation group.
Static LACP Aggregation Group
Introduction to static LACP aggregation
A static LACP aggregation group is also manually created. All its member ports are manually added and
can be manually removed (it inhibits the system from automatically adding/removing ports to/from it).
Each static aggregation group must contain at least one port. When a static aggregation group contains
only one port, you cannot remove the port unless you remove the whole aggregation group.
LACP is enabled on the member ports of static aggregation groups. When you remove a static
aggregation group, all the member ports in up state form one or multiple dynamic aggregations with
LACP enabled. LACP cannot be disabled on static aggregation ports.
Port status of static aggregation group
A port in a static aggregation group can be in one of the two states: selected or unselected.
- Both the selected and the unselected ports in the up state can send and receive LACP protocol packets.
- Only the selected ports can send and receive service packets; the unselected ports cannot.
In a static aggregation group, the system sets the ports to the selected or unselected state according to the following rules.
- Among the ports in the aggregation group that are in the up state, the system takes as the master port the one whose settings rank highest in the following order (highest first): full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed. The ports with the same rate, duplex mode and link type as the master port are selected ports, and the rest are unselected ports.
- Ports connected to a peer device different from the one the master port is connected to, or connected to the same peer device but to a peer port that is not in the same aggregation group as the peer port of the master port, are unselected ports.
- The system sets ports whose basic port configuration differs from that of the master port to the unselected state.
- There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and the others as unselected ports.
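The selection rules for manual aggregation groups (above, under Port status in manual aggregation group) and the stricter rules for static LACP groups (this section) can be worked through in code. The following added Python example (not code from the H3C manual) applies them to a constructed set of ports; the port attributes, peer names and the per-device limit on selected ports are sample values.

```python
"""Selected/unselected port determination for manual and static LACP groups.

Added example, not code from the H3C manual. It implements the selection
rules stated in the manual; port attributes and the per-device limit on
selected ports are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int            # port number; lower numbers win ties
    up: bool               # physical link state
    speed: int             # Mbit/s
    duplex: str            # "full" or "half"
    link_type: str         # "access", "trunk" or "hybrid"
    peer_device: str = ""  # which peer switch the port is cabled to
    peer_group: int = 0    # aggregation group of the peer port on that device
    config: str = ""       # summary of the "basic configuration" (STP, QoS, ...)


def _rank(port):
    # Master-port ranking from the manual, highest first: full duplex/high
    # speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
    return (port.duplex == "full", port.speed)


def select_ports(ports, max_selected, static=False):
    """Return (master port number, selected numbers, unselected numbers)."""
    up = [p for p in ports if p.up]
    if not up:
        return None, [], sorted(p.number for p in ports)
    best = max(_rank(p) for p in up)
    # Among up ports in the best speed/duplex class, the lowest-numbered
    # port becomes the master.
    master = min((p for p in up if _rank(p) == best), key=lambda p: p.number)
    candidates = []
    for p in up:
        same = (p.speed, p.duplex, p.link_type) == (
            master.speed, master.duplex, master.link_type)
        if static:
            # Static LACP groups additionally require the same peer device,
            # the same peer aggregation group and the same basic configuration.
            same = same and (p.peer_device, p.peer_group, p.config) == (
                master.peer_device, master.peer_group, master.config)
        if same:
            candidates.append(p)
    # If more ports qualify than the device supports, the lower port numbers
    # stay selected; the master always has the lowest number among them.
    candidates.sort(key=lambda p: p.number)
    selected = [p.number for p in candidates[:max_selected]]
    unselected = sorted(p.number for p in ports if p.number not in selected)
    return master.number, selected, unselected


# Constructed sample: eight ports of one aggregation group on the local switch.
SAMPLE_PORTS = [
    Port(1, True, 1000, "full", "trunk", "SwitchB", 1, "base"),
    Port(2, True, 1000, "full", "trunk", "SwitchB", 1, "base"),
    Port(3, True, 1000, "half", "trunk", "SwitchB", 1, "base"),   # half duplex
    Port(4, True, 100, "full", "trunk", "SwitchB", 1, "base"),    # lower speed
    Port(5, False, 1000, "full", "trunk", "SwitchB", 1, "base"),  # link down
    Port(6, True, 1000, "full", "access", "SwitchB", 1, "base"),  # other link type
    Port(7, True, 1000, "full", "trunk", "SwitchC", 1, "base"),   # other peer
    Port(8, True, 1000, "full", "trunk", "SwitchB", 1, "qos-x"),  # other config
]
```

With SAMPLE_PORTS a manual group selects ports 1, 2, 7 and 8 (port 1 is the master), while a static group drops 7 and 8 as well because of the peer and configuration checks; lowering max_selected to 2 cuts the selected set to the two lowest port numbers.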
Dynamic LACP Aggregation Group
Introduction to dynamic LACP aggregation group
A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot
add/remove ports to/from it. Ports can be aggregated into a dynamic aggregation group only when they
are connected to the same peer device and have the same speed, duplex mode, and basic
configurations, and their peer ports have the same configurations.
Besides multiple-port aggregation groups, the system is also able to create single-port aggregation
groups, each of which contains only one port. LACP is enabled on the member ports of dynamic
aggregation groups.
Port status of dynamic aggregation group
A port in a dynamic aggregation group can be in one of the two states: selected and unselected.
- Both the selected and the unselected ports can receive/transmit LACP protocol packets.
- The selected ports can receive/transmit user service packets, but the unselected ports cannot.
- In a dynamic aggregation group, the selected port with the smallest port number serves as the master port of the group, and the other selected ports serve as member ports of the group.
There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of member ports that could be set as selected ports in an aggregation group exceeds the maximum number supported by the device, the system negotiates with its peer end to determine the states of the member ports according to the port IDs of the preferred device (that is, the device with the smaller system ID). The negotiation procedure is as follows:
1) Compare the device IDs (system priority + system MAC address) of the two parties. First compare the two system priorities, then the two system MAC addresses if the system priorities are equal. The device with the smaller device ID is the preferred one.
2) Compare the port IDs (port priority + port number) on the preferred device. First compare the port priorities, then the port numbers if the port priorities are equal; the ports with the smallest port IDs are the selected ports and the remaining ports are unselected ports.
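The two-step negotiation above can be followed in code. The following added Python example (not code from the H3C manual) picks the preferred device by device ID and then ranks the links by that device's port IDs; the switch names, MAC addresses, port priorities and the selected-port limit are constructed sample values. It also shows why, as the dynamic LACP configuration section notes, lowering one side's system priority can change which ports are selected.

```python
"""Dynamic LACP selection negotiation between two aggregation peers.

Added example, not code from the H3C manual. It follows the two-step
procedure in the manual: pick the preferred device by device ID (system
priority, then system MAC address), then rank links by the port IDs (port
priority, then port number) of the preferred device. All values are
constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One cabled link: the local port and the peer port it connects to."""
    local_port: int
    local_priority: int
    peer_port: int
    peer_priority: int


def device_id(system_priority, system_mac):
    """Device ID as a comparable tuple: priority first, then MAC address.

    MAC addresses are accepted in the H3C 'xxxx-xxxx-xxxx' form or with colons.
    """
    mac = int(system_mac.replace("-", "").replace(":", ""), 16)
    return (system_priority, mac)


def local_is_preferred(local_system, peer_system):
    """The device with the smaller device ID is the preferred one."""
    return device_id(*local_system) < device_id(*peer_system)


def negotiate(local_system, peer_system, links, max_selected):
    """Return (local preferred?, selected local port numbers).

    Only the preferred device's port IDs decide which links are selected;
    the other side follows that choice, so both ends agree.
    """
    preferred_local = local_is_preferred(local_system, peer_system)
    if preferred_local:
        key = lambda link: (link.local_priority, link.local_port)
    else:
        key = lambda link: (link.peer_priority, link.peer_port)
    # Smallest port ID first; only the first max_selected links are selected.
    ordered = sorted(links, key=key)
    selected = sorted(link.local_port for link in ordered[:max_selected])
    return preferred_local, selected


# Constructed sample: three cabled links between Switch A (local) and Switch B.
DEFAULT_PRIORITY = 32768  # default system and port priority from the manual
LINKS = [
    Link(local_port=1, local_priority=DEFAULT_PRIORITY, peer_port=3, peer_priority=100),
    Link(local_port=2, local_priority=DEFAULT_PRIORITY, peer_port=1, peer_priority=DEFAULT_PRIORITY),
    Link(local_port=3, local_priority=100, peer_port=2, peer_priority=DEFAULT_PRIORITY),
]
SWITCH_A = (DEFAULT_PRIORITY, "000f-e200-0001")  # constructed MAC
SWITCH_B = (DEFAULT_PRIORITY, "000f-e200-0002")  # constructed MAC
```

With equal system priorities Switch A wins on the smaller MAC address and its port priorities select local ports 1 and 3; if Switch B's system priority is lowered to 100, Switch B becomes preferred and its port priorities select local ports 1 and 2 instead.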
For an aggregation group:
- When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port.
- When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port is switched to the unselected state; if the port belongs to a dynamic LACP aggregation group, deaggregation occurs on the port.
Aggregation Group Categories
Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or
non-load-sharing aggregation groups. When load sharing is implemented,
- For IP packets, the system implements load sharing based on source IP address and destination IP address;
- For non-IP packets, the system implements load sharing based on source MAC address and destination MAC address.
In general, the system only provides limited load-sharing aggregation resources, so the system needs
to reasonably allocate the resources among different aggregation groups.
The system always allocates hardware aggregation resources to the aggregation groups with higher
priorities. When load-sharing aggregation resources are used up by existing aggregation groups,
newly-created aggregation groups will be non-load-sharing ones.
Load-sharing aggregation resources are allocated to aggregation groups in the following order:
- An aggregation group containing special ports which require hardware aggregation resources has higher priority than any aggregation group containing no special port.
- A manual or static aggregation group has higher priority than a dynamic aggregation group (unless the latter contains special ports while the former does not).
- Among the remaining aggregation groups, the one that would gain the higher speed if resources were allocated to it has higher priority than the others. If the groups would gain the same speed, the one with the smallest master port number has higher priority.
When an aggregation group of higher priority appears, the aggregation groups of lower priority release their hardware resources. Single-port aggregation groups can send and receive packets normally without occupying aggregation resources.
A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can have at most one selected port, while the others are unselected ports.
Link Aggregation Configuration
- The link aggregation commands cannot be configured together with the port loopback detection commands.
- Ports where the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
- MAC-authentication-enabled ports and 802.1x-enabled ports cannot be added to an aggregation group.
- Mirroring destination ports and mirroring reflector ports cannot be added to an aggregation group.
- Ports configured with blackhole MAC addresses, static MAC addresses, multicast MAC addresses, or static ARP cannot be added to an aggregation group.
- Ports where IP-MAC address binding is configured cannot be added to an aggregation group.
- Port-security-enabled ports cannot be added to an aggregation group.
- Ports with Voice VLAN enabled cannot be added to an aggregation group.
- Do not add ports with IP filtering enabled to an aggregation group.
- Do not add ports with ARP intrusion detection enabled to an aggregation group.
- Do not add ports with source IP addresses/source MAC addresses statically bound to them to an aggregation group.
- A port belonging to a port group cannot be added to an aggregation group. Conversely, a port belonging to an aggregation group cannot be added to a port group.
Configuring a Manual Aggregation Group
You can create a manual aggregation group, or remove an existing manual aggregation group (after
that, all the member ports will be removed from the group).
For a manual aggregation group, a port can only be manually added/removed to/from the manual
aggregation group.
Follow these steps to configure a manual aggregation group:
1. Enter system view. Command: system-view. Remarks: —
2. Create a manual aggregation group. Command: link-aggregation group agg-id mode manual. Remarks: Required
3. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
4. Add the Ethernet port to the aggregation group. Command: port link-aggregation group agg-id. Remarks: Required
Note that:
1) When creating an aggregation group:
- If the aggregation group you are creating already exists but contains no port, its type changes to the type you set.
- If the aggregation group you are creating already exists and contains ports, the only possible type changes are from dynamic or static to manual, and from dynamic to static; no other kind of type change can occur.
- When you change a dynamic or static group to a manual group, the system automatically disables LACP on the member ports. When you change a dynamic group to a static group, the member ports remain LACP-enabled.
2) When a manual or static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group.
Configuring a Static LACP Aggregation Group
You can create a static LACP aggregation group, or remove an existing static LACP aggregation group
(after that, the system will re-aggregate the original member ports in the group to form one or multiple
dynamic aggregation groups.).
For a static aggregation group, a port can only be manually added/removed to/from the static
aggregation group.
When you add an LACP-enabled port to a manual aggregation group, the system will automatically
disable LACP on the port. Similarly, when you add an LACP-disabled port to a static aggregation group,
the system will automatically enable LACP on the port.
Follow these steps to configure a static LACP aggregation group:
1. Enter system view. Command: system-view. Remarks: —
2. Create a static aggregation group. Command: link-aggregation group agg-id mode static. Remarks: Required
3. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
4. Add the port to the aggregation group. Command: port link-aggregation group agg-id. Remarks: Required
For a static LACP aggregation group or a manual aggregation group, it is recommended that you do not cross cables between the two devices at the two ends of the aggregation group. For example, suppose port 1 of the local device is connected to port 2 of the peer device. To avoid cross-connected cables, do not connect port 2 of the local device to port 1 of the peer device. Otherwise, packets may be lost.
Configuring a Dynamic LACP Aggregation Group
A dynamic LACP aggregation group is automatically created by the system based on LACP-enabled
ports. The adding and removing of ports to/from a dynamic aggregation group are automatically
accomplished by LACP.
You need to enable LACP on the ports which you want to participate in dynamic aggregation of the
system, because, only when LACP is enabled on those ports at both ends, can the two parties reach
agreement in adding/removing ports to/from dynamic aggregation groups.
You cannot enable LACP on a port which is already in a manual aggregation group.
Follow these steps to configure a dynamic LACP aggregation group:
1. Enter system view. Command: system-view. Remarks: —
2. Configure the system priority. Command: lacp system-priority system-priority. Remarks: Optional. By default, the system priority is 32,768.
3. Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
4. Enable LACP on the port. Command: lacp enable. Remarks: Required. By default, LACP is disabled on a port.
5. Configure the port priority. Command: lacp port-priority port-priority. Remarks: Optional. By default, the port priority is 32,768.
Changing the system priority may affect the priority relationship between the aggregation peers, and
thus affect the selected/unselected status of member ports in the dynamic aggregation group.
Configuring a Description for an Aggregation Group
Follow these steps to configure a description for an aggregation group:
1. Enter system view. Command: system-view. Remarks: —
2. Configure a description for an aggregation group. Command: link-aggregation group agg-id description agg-name. Remarks: Optional. By default, no description is configured for an aggregation group.
If you have saved the current configuration with the save command, after a system reboot the configuration of manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions is lost.
Displaying and Maintaining Link Aggregation Configuration
- Display summary information of all aggregation groups. Command: display link-aggregation summary. Remarks: Available in any view
- Display detailed information of a specific aggregation group or all aggregation groups. Command: display link-aggregation verbose [ agg-id ]. Remarks: Available in any view
- Display link aggregation details of a specified port or port range. Command: display link-aggregation interface interface-type interface-number [ to interface-type interface-number ]. Remarks: Available in any view
- Display the local device ID. Command: display lacp system-id. Remarks: Available in any view
- Clear LACP statistics about a specified port or port range. Command: reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ]. Remarks: Available in user view
Link Aggregation Configuration Example
Ethernet Port Aggregation Configuration Example
Network requirements
- Switch A connects to Switch B with three ports, GigabitEthernet 1/0/1 to GigabitEthernet 1/0/3. It is required that the load between the two switches be shared among the three ports.
- Adopt three different aggregation modes to implement link aggregation on the three ports between Switch A and Switch B.
Network diagram
Figure 1-1 Network diagram for link aggregation configuration
Configuration procedure
The following lists only the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
1) Adopting manual aggregation mode
# Create manual aggregation group 1.
<Sysname> system-view
[Sysname] link-aggregation group 1 mode manual
# Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] port link-aggregation group 1
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port link-aggregation group 1
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface GigabitEthernet1/0/3
[Sysname-GigabitEthernet1/0/3] port link-aggregation group 1
2) Adopting static LACP aggregation mode
# Create static aggregation group 1.
<Sysname> system-view
[Sysname] link-aggregation group 1 mode static
# Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-aggregation group 1
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port link-aggregation group 1
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface GigabitEthernet1/0/3
[Sysname-GigabitEthernet1/0/3] port link-aggregation group 1
3) Adopting dynamic LACP aggregation mode
# Enable LACP on GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] lacp enable
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] lacp enable
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface GigabitEthernet1/0/3
[Sysname-GigabitEthernet1/0/3] lacp enable
The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate and duplex mode).
Table of Contents
1 Port Isolation Configuration
  Port Isolation Overview
  Port Isolation Configuration
  Displaying and Maintaining Port Isolation Configuration
  Port Isolation Configuration Example
1 Port Isolation Configuration
Port Isolation Configuration
When configuring port isolation, go to these sections for information you are interested in:
• Port Isolation Overview
• Port Isolation Configuration
• Displaying and Maintaining Port Isolation Configuration
• Port Isolation Configuration Example
Port Isolation Overview
With the port isolation feature, you can add the ports to be controlled to an isolation group, which isolates Layer 2 and Layer 3 traffic among the ports in the group. Thus, you can construct your network in a more flexible way and improve network security.
Currently, you can create only one isolation group on an S5100-SI/EI Series Ethernet switch. The number of Ethernet ports in an isolation group is not limited.
An isolation group isolates only its member ports from one another; traffic between a member port and a port outside the group is not affected.
Port Isolation Configuration
You can perform the following operations to add an Ethernet port to an isolation group, thus isolating Layer 2 and Layer 3 data among the ports in the isolation group.
Follow these steps to configure port isolation:
To do …: Enter system view
Use the command …: system-view
Remarks: —
To do …: Enter Ethernet port view
Use the command …: interface interface-type interface-number
Remarks: —
To do …: Add the Ethernet port to the isolation group
Use the command …: port isolate
Remarks: Required. By default, an isolation group contains no port.
• When a member port of an aggregation group joins or leaves an isolation group, the other ports in the same aggregation group join or leave the isolation group at the same time.
• For ports that belong to an aggregation group and an isolation group simultaneously, removing one port from the aggregation group has no effect on the other ports; that is, the remaining ports stay in both the aggregation group and the isolation group.
• Ports that belong to an aggregation group and an isolation group simultaneously remain isolated even after you remove the aggregation group in system view.
• Adding an isolated port to an aggregation group causes all the ports of that aggregation group on the local unit to be added to the isolation group.
Displaying and Maintaining Port Isolation Configuration
To do …: Display information about the Ethernet ports added to the isolation group
Use the command …: display isolate port
Remarks: Available in any view
Port Isolation Configuration Example
Network requirements
As shown in Figure 1-1, PC2, PC3 and PC4 connect to the switch ports GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 respectively. The switch connects to the Internet through GigabitEthernet1/0/1.
PC2, PC3 and PC4 must be isolated so that they cannot communicate with each other directly, while each of them can still reach the Internet through GigabitEthernet1/0/1, which stays outside the isolation group.
Network diagram
Figure 1-1 Network diagram for port isolation configuration
Configuration procedure
# Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet1/0/2
[Sysname-GigabitEthernet1/0/2] port isolate
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface GigabitEthernet1/0/3
[Sysname-GigabitEthernet1/0/3] port isolate
[Sysname-GigabitEthernet1/0/3] quit
[Sysname] interface GigabitEthernet1/0/4
[Sysname-GigabitEthernet1/0/4] port isolate
[Sysname-GigabitEthernet1/0/4] quit
[Sysname] quit
# Display information about the ports in the isolation group.
<Sysname> display isolate port
Isolated port(s) on UNIT 1:
GigabitEthernet1/0/2, GigabitEthernet1/0/3, GigabitEthernet1/0/4
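The forwarding rule and the interaction with link aggregation described above can be checked against a small model. The following Python is an added example for this page, not code from the manual or from H3C: it reproduces the example configuration (GigabitEthernet1/0/2 to 1/0/4 isolated, the uplink left outside the group) and the four aggregation-group rules. The extra ports and the aggregation groups used to exercise those rules are assumptions of the model.

```python
"""Model of the S5100 port isolation rules (added example, not H3C code).

Member ports of the single isolation group cannot exchange traffic with each
other but still reach non-member ports; aggregation-group members join and
leave the isolation group together. Port names beyond GigabitEthernet1/0/1-4
and the aggregation groups below are assumptions for the illustration.
"""


def port_key(name):
    """Sort key so that GigabitEthernet1/0/10 sorts after GigabitEthernet1/0/2."""
    return [int(x) for x in name.split("GigabitEthernet")[1].split("/")]


class Switch:
    def __init__(self):
        self.isolated = set()   # the single isolation group on this unit
        self.agg_groups = {}    # agg-id -> set of member ports

    def _agg_peers(self, port):
        """Every port sharing an aggregation group with `port`, itself included."""
        for members in self.agg_groups.values():
            if port in members:
                return set(members)
        return {port}

    # ---- link aggregation commands ----
    def link_aggregation_group(self, agg_id, *ports):
        """Create the group and add ports; if any of them is already isolated,
        the whole group on this unit joins the isolation group."""
        members = self.agg_groups.setdefault(agg_id, set())
        members.update(ports)
        if self.isolated & members:
            self.isolated |= members

    def undo_port_link_aggregation_group(self, port):
        """Remove one member: the remaining members stay in both groups."""
        for members in self.agg_groups.values():
            members.discard(port)

    def undo_link_aggregation_group(self, agg_id):
        """Delete the aggregation group; isolation membership is untouched."""
        self.agg_groups.pop(agg_id, None)

    # ---- port isolation commands ----
    def port_isolate(self, port):
        """`port isolate`: aggregation-group peers join as well."""
        self.isolated |= self._agg_peers(port)

    def undo_port_isolate(self, port):
        """`undo port isolate`: aggregation-group peers leave as well."""
        self.isolated -= self._agg_peers(port)

    # ---- forwarding decision and display ----
    def can_forward(self, ingress, egress):
        """Traffic between two isolated ports is dropped at Layer 2 and Layer 3;
        traffic involving at least one non-member port is forwarded."""
        if ingress == egress:
            return False
        return not (ingress in self.isolated and egress in self.isolated)

    def display_isolate_port(self):
        """What `display isolate port` lists for this unit."""
        return sorted(self.isolated, key=port_key)


def example_switch():
    """The configuration of the example above: PC ports 2, 3 and 4 isolated,
    uplink GigabitEthernet1/0/1 left outside the group."""
    sw = Switch()
    for port in ("GigabitEthernet1/0/2", "GigabitEthernet1/0/3", "GigabitEthernet1/0/4"):
        sw.port_isolate(port)
    return sw


if __name__ == "__main__":
    sw = example_switch()
    print("Isolated port(s) on UNIT 1:", ", ".join(sw.display_isolate_port()))
    print("PC2 -> PC3:", sw.can_forward("GigabitEthernet1/0/2", "GigabitEthernet1/0/3"))
    print("PC2 -> Internet:", sw.can_forward("GigabitEthernet1/0/2", "GigabitEthernet1/0/1"))
```

The model makes the practical consequence of the aggregation rules visible: isolating one member of a link aggregation group silently isolates its peers, and deleting the aggregation group later does not undo that.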
Table of Contents
1 Port Security Configuration
  Port Security Overview
    Introduction
    Port Security Features
    Port Security Modes
  Port Security Configuration Task List
    Enabling Port Security
    Setting the Maximum Number of MAC Addresses Allowed on a Port
    Setting the Port Security Mode
    Configuring Port Security Features
    Ignoring the Authorization Information from the RADIUS Server
    Configuring Security MAC Addresses
  Displaying and Maintaining Port Security Configuration
  Port Security Configuration Example
    Port Security Configuration Example
2 Port Binding Configuration
  Port Binding Overview
    Introduction
    Configuring Port Binding
  Displaying and Maintaining Port Binding Configuration
  Port Binding Configuration Example
    Port Binding Configuration Example
1 Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
• Port Security Overview
• Port Security Configuration Task List
• Displaying and Maintaining Port Security Configuration
• Port Security Configuration Example
Port Security Overview
Introduction
Port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication.
Port security allows you to define various security modes that let the switch learn legal source MAC addresses, so that you can implement different network security policies as needed.
With port security enabled, packets whose source MAC addresses cannot be learned by the switch in a security mode are considered illegal packets, and attempts that fail 802.1x authentication or MAC authentication are considered illegal events.
With port security enabled, upon detecting an illegal packet or illegal event, the system triggers the corresponding port security features and takes the pre-defined actions automatically. This reduces your maintenance workload and enhances system security and manageability.
Port Security Features
The following port security features are provided:
• NTK (need to know) feature: By checking the destination MAC addresses in outbound data frames on the port, NTK ensures that the switch sends data frames through the port only to successfully authenticated devices, thus preventing illegal devices from intercepting network data.
• Intrusion protection feature: By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on the port, intrusion protection detects illegal packets or events and takes a pre-set action accordingly. The actions you can set include disconnecting the port temporarily or permanently, and blocking packets from the MAC address identified as illegal.
• Trap feature: When special data packets (generated by illegal intrusion, abnormal login/logout or other special activities) pass through the switch port, the Trap feature enables the switch to send Trap messages to help the network administrator monitor these activities.
Port Security Modes
Table 1-1 describes the available port security modes:
Table 1-1 Description of port security modes
Security mode: noRestriction
Description: Access to the port is not restricted.
Feature: Neither the NTK nor the intrusion protection feature is triggered.
Security mode: autolearn
Description: The port automatically learns MAC addresses and changes them to security MAC addresses. The port automatically changes to the secure mode after the number of security MAC addresses on the port reaches the maximum configured with the port-security max-mac-count command. After the port security mode changes to secure, only packets whose source MAC addresses are learned security MAC addresses or configured dynamic MAC addresses can pass through the port.
Feature: The device triggers NTK and intrusion protection upon detecting an illegal packet.
Security mode: secure
Description: The port is disabled from learning MAC addresses. Only packets whose source MAC addresses are learned security MAC addresses or static or dynamic MAC addresses can pass through the port.
Feature: The device triggers NTK and intrusion protection upon detecting an illegal packet.
Security mode: userlogin
Description: Port-based 802.1x authentication is performed for access users.
Feature: Neither NTK nor intrusion protection is triggered.
In each of the following modes, the device triggers the NTK and intrusion protection features upon detecting an illegal packet or illegal event.
Security mode: userLoginSecure
Description: MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds; once enabled, only the packets of the successfully authenticated user can pass through the port. Only one 802.1x-authenticated user is allowed to access the port. When the port changes from the noRestriction mode to this mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port.
Security mode: userLoginSecureExt
Description: Similar to the userLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
Security mode: userLoginWithOUI
Description: Similar to the userLoginSecure mode, except that, besides the packets of the single 802.1x-authenticated user, packets whose source MAC addresses have a particular OUI are also allowed to pass through the port. When the port changes from the noRestriction mode to this mode, the system automatically removes the existing dynamic and authenticated MAC address entries on the port.
Security mode: macAddressWithRadius
Description: MAC address-based authentication is performed for access users.
Security mode: macAddressOrUserLoginSecure
Description: Both MAC authentication and 802.1x authentication can be performed, but 802.1x authentication has the higher priority. 802.1x authentication can still be performed on an access user who has passed MAC authentication; no MAC authentication is performed on an access user who has passed 802.1x authentication. There can be only one 802.1x-authenticated user on the port, but several MAC-authenticated users.
Security mode: macAddressOrUserLoginSecureExt
Description: Similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
Security mode: macAddressElseUserLoginSecure
Description: The port performs MAC authentication of an access user first. If that succeeds, the user is authenticated; otherwise, the port performs 802.1x authentication of the user. There can be only one 802.1x-authenticated user on the port, but several MAC-authenticated users.
Security mode: macAddressElseUserLoginSecureExt
Description: Similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
Security mode: macAddressAndUserLoginSecure
Description: The port first performs MAC authentication for a user and then performs 802.1x authentication for the user if MAC authentication passes. The user can access the network only after passing both authentications. At most one user can access the network through the port.
Security mode: macAddressAndUserLoginSecureExt
Description: Similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network.
• When the port operates in the userlogin-withoui mode, intrusion protection is not triggered even if the OUI address does not match.
• On a port operating in the macAddressElseUserLoginSecure or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1x authentication on the same packet fail.
Port Security Configuration Task List
Complete the following tasks to configure port security:
Task: Enabling Port Security
Remarks: Required
Task: Setting the Maximum Number of MAC Addresses Allowed on a Port
Remarks: Optional
Task: Setting the Port Security Mode
Remarks: Required
Task: Configuring Port Security Features (Configuring the NTK feature, Configuring intrusion protection, Configuring the Trap feature)
Remarks: Optional. Choose one or more features as required.
Task: Ignoring the Authorization Information from the RADIUS Server
Remarks: Optional
Task: Configuring Security MAC Addresses
Remarks: Optional
Enabling Port Security
Configuration Prerequisites
Before enabling port security, you need to disable 802.1x and MAC authentication globally.
Enabling Port Security
Follow these steps to enable port security:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Enable port security
Use the command...: port-security enable
Remarks: Required. Disabled by default.
Enabling port security resets the following configurations on the ports to the defaults (shown in parentheses):
• 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
• MAC authentication (disabled)
In addition, you cannot perform the above configurations manually, because they change with the port security mode automatically.
• For details about 802.1x configuration, refer to the sections covering 802.1x and System-Guard.
• For details about MAC authentication configuration, refer to the sections covering MAC authentication configuration.
Setting the Maximum Number of MAC Addresses Allowed on a Port
Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.
By setting the maximum number of MAC addresses allowed on a port, you can:
• Control the maximum number of users who are allowed to access the network through the port
• Control the number of security MAC addresses that can be added with port security
This setting is different from the maximum number of MAC addresses that a port can learn, which is configured in MAC address management.
Follow these steps to set the maximum number of MAC addresses allowed on a port:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Enter Ethernet port view
Use the command...: interface interface-type interface-number
Remarks: —
To do...: Set the maximum number of MAC addresses allowed on the port
Use the command...: port-security max-mac-count count-value
Remarks: Required. Not limited by default.
Setting the Port Security Mode
Follow these steps to set the port security mode:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Set the OUI value for user authentication
Use the command...: port-security oui OUI-value index index-value
Remarks: Optional. In userLoginWithOUI mode, a port supports one 802.1x user plus one user whose source MAC address has the specified OUI value.
To do...: Enter Ethernet port view
Use the command...: interface interface-type interface-number
Remarks: —
To do...: Set the port security mode
Use the command...: port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
Remarks: Required. By default, a port operates in noRestriction mode, in which access to the port is not restricted. Set a port security mode as needed.
• Before setting the port security mode to autolearn, you must set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.
• While the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
• After you set the port security mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port.
• If the port is in a security mode other than noRestriction, you must first restore it to noRestriction with the undo port-security port-mode command before you can change the port security mode.
If the port-security port-mode mode command has been executed on a port, none of the following can be configured on the same port:
• Maximum number of MAC addresses that the port can learn
• Reflector port for port mirroring
• Link aggregation
Configuring Port Security Features
Configuring the NTK feature
Follow these steps to configure the NTK feature:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Enter Ethernet port view
Use the command...: interface interface-type interface-number
Remarks: —
To do...: Configure the NTK feature
Use the command...: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
Remarks: Required. By default, NTK is disabled on a port, that is, all frames are allowed to be sent.
Currently, the S5100-SI/EI series do not support the ntkonly NTK mode.
Configuring intrusion protection
Follow these steps to configure the intrusion protection feature:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Enter Ethernet port view
Use the command...: interface interface-type interface-number
Remarks: —
To do...: Set the action to be taken by the switch when intrusion protection is triggered
Use the command...: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
Remarks: Required. By default, intrusion protection is disabled.
To do...: Return to system view
Use the command...: quit
Remarks: —
To do...: Set the time during which the port remains disabled
Use the command...: port-security timer disableport timer
Remarks: Optional. 20 seconds by default.
The port-security timer disableport command is used together with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch cannot stop packets whose destination MAC address is illegal from being sent out that port; that is, the NTK feature does not take effect on packets whose destination MAC address is illegal.
Configuring the Trap feature
Follow these steps to configure port security trapping:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Enable sending traps for the specified type of event
Use the command...: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
Remarks: Required. By default, no trap is sent.
Ignoring the Authorization Information from the RADIUS Server
After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server.
Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Enter Ethernet port view
Use the command...: interface interface-type interface-number
Remarks: —
To do...: Ignore the authorization information from the RADIUS server
Use the command...: port-security authorization ignore
Remarks: Required. By default, a port uses the authorization information from the RADIUS server.
Configuring Security MAC Addresses
Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN, so you can bind a MAC address to a single port in that VLAN.
Security MAC addresses can be learned by the auto-learn function of port security or configured manually.
Before adding security MAC addresses to a port, you must set the port security mode to autolearn. After this configuration, the port changes the way it learns MAC addresses as follows:
• The port deletes the original dynamic MAC addresses.
• If the number of security MAC addresses has not yet reached the maximum, the port learns new MAC addresses and turns them into security MAC addresses.
• If the number of security MAC addresses reaches the maximum, the port can no longer learn new MAC addresses, and the port mode changes from autolearn to secure.
Manually configured security MAC addresses are written to the configuration file; they are not lost when the port goes up or down. As long as the configuration file is saved, the security MAC addresses are restored after the switch reboots.
Configuration prerequisites
• Port security is enabled.
• The maximum number of security MAC addresses allowed on the port is set.
• The security mode of the port is set to autolearn.
Configuring a security MAC address
Follow these steps to configure a security MAC address:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Add a security MAC address in system view
Use the command...: mac-address security mac-address interface interface-type interface-number vlan vlan-id
Remarks: Either is required. By default, no security MAC address is configured.
To do...: Add a security MAC address in Ethernet port view
Use the command...: interface interface-type interface-number, then mac-address security mac-address vlan vlan-id
Remarks: Either is required. By default, no security MAC address is configured.
Displaying and Maintaining Port Security Configuration
To do...: Display information about port security configuration
Use the command...: display port-security [ interface interface-list ]
Remarks: Available in any view
To do...: Display information about security MAC address configuration
Use the command...: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Remarks: Available in any view
Port Security Configuration Example
Port Security Configuration Example
Network requirements
Implement access user restrictions through the following configuration on GigabitEthernet 1/0/1 of the switch:
• Allow a maximum of 80 users to access the port without authentication, and permit the port to learn and add the MAC addresses of the users as security MAC addresses.
• To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
• After the number of security MAC addresses reaches 80, the port stops learning MAC addresses. If a frame with an unknown source MAC address arrives, intrusion protection is triggered and the port is disabled and stays silent for 30 seconds.
Network diagram
Figure 1-1 Network diagram for port security configuration
Configuration procedure
# Enter system view.
<Switch> system-view
# Enable port security.
[Switch] port-security enable
# Enter GigabitEthernet1/0/1 port view.
[Switch] interface GigabitEthernet 1/0/1
# Set the maximum number of MAC addresses allowed on the port to 80.
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 80
# Set the port security mode to autolearn.
[Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
# Add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
[Switch-GigabitEthernet1/0/1] mac-address security 0001-0002-0003 vlan 1
# Configure the port to be silent for 30 seconds after intrusion protection is triggered.
[Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Switch-GigabitEthernet1/0/1] quit
[Switch] port-security timer disableport 30
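The behaviour this configuration produces on the port (autolearn filling up to max-mac-count, the automatic switch to secure mode, and the disableport-temporarily action with its timer) can be traced with a small model. The following Python is an added example for this page, not code from the manual or from H3C. It covers the autolearn and secure modes and the three intrusion-mode actions only; the hosts that fill the 79 free slots, the MAC addresses they use and the clock values are constructed for the illustration, and the model tracks security MAC addresses only (not the separate static and dynamic MAC table entries the manual also mentions for secure mode).

```python
"""Model of port security in autolearn/secure mode (added example, not H3C code).

Tracks only security MAC addresses; the constructed hosts 00e0-fc00-0001..004f
and the time values are assumptions made for this illustration.
"""


class SecurePort:
    """One Ethernet port with port security enabled."""

    def __init__(self):
        self.mode = "noRestriction"
        self.max_mac_count = None        # "not limited by default"
        self.security_macs = set()       # never age out
        self.blocked_macs = set()        # filled by the blockmac action
        self.intrusion_mode = None       # intrusion protection disabled by default
        self.disable_timer = 20          # port-security timer disableport default (s)
        self.disabled_until = None       # time at which a disabled port comes back up

    # ---- configuration commands (port view unless noted) ----
    def set_max_mac_count(self, count):
        if self.mode == "autolearn":
            raise ValueError("cannot change max-mac-count while in autolearn mode")
        self.max_mac_count = count

    def set_port_mode_autolearn(self):
        if self.max_mac_count is None:
            raise ValueError("set port-security max-mac-count before autolearn")
        self.mode = "autolearn"
        self._check_full()

    def add_security_mac(self, mac):
        """mac-address security <mac> vlan <id>: only allowed in autolearn mode."""
        if self.mode != "autolearn":
            raise ValueError("security MACs can only be added in autolearn mode")
        self.security_macs.add(mac)
        self._check_full()

    def set_intrusion_mode(self, action):
        if action not in ("blockmac", "disableport", "disableport-temporarily"):
            raise ValueError("unknown intrusion-mode %r" % action)
        self.intrusion_mode = action

    def set_timer_disableport(self, seconds):
        """port-security timer disableport <timer> (system view)."""
        self.disable_timer = seconds

    # ---- data plane ----
    def _check_full(self):
        """Reaching max-mac-count flips the port from autolearn to secure."""
        if self.max_mac_count is not None and len(self.security_macs) >= self.max_mac_count:
            self.mode = "secure"

    def is_up(self, now):
        return self.disabled_until is None or now >= self.disabled_until

    def receive(self, src_mac, now):
        """Return True if a frame with this source MAC is accepted at time `now`."""
        if not self.is_up(now):
            return False                  # port is silent
        self.disabled_until = None        # timer expired (or never set): port is up
        if src_mac in self.blocked_macs:
            return False
        if self.mode == "noRestriction" or src_mac in self.security_macs:
            return True
        if self.mode == "autolearn":
            self.security_macs.add(src_mac)
            self._check_full()
            return True
        return self._intrusion(src_mac, now)   # secure mode, unknown source MAC

    def _intrusion(self, src_mac, now):
        """Illegal packet: apply the configured intrusion-mode action."""
        if self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disable_timer
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        elif self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src_mac)
        return False


def example_port():
    """The configuration of the example above, applied to a model port."""
    port = SecurePort()
    port.set_max_mac_count(80)
    port.set_port_mode_autolearn()
    port.add_security_mac("0001-0002-0003")        # Host, VLAN 1
    port.set_intrusion_mode("disableport-temporarily")
    port.set_timer_disableport(30)
    # constructed traffic: 79 further hosts fill the remaining security MAC slots
    for i in range(1, 80):
        port.receive("00e0-fc00-%04x" % i, now=0)
    return port


if __name__ == "__main__":
    p = example_port()
    print("mode after 80 security MACs:", p.mode)
    print("unknown MAC accepted:", p.receive("00e0-fc00-ffff", now=2))
    print("Host accepted while port silent:", p.receive("0001-0002-0003", now=10))
    print("Host accepted after timer:", p.receive("0001-0002-0003", now=32))
```

Note the failure mode the model shows: while the port is silent, the legitimate Host is cut off as well, so a single unknown source MAC can be used to knock all 80 stations off the port every 30 seconds. blockmac confines the reaction to the offending address, at the price of not stopping frames to illegal destinations when NTK is also configured, as the manual notes.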
2 Port Binding Configuration
When configuring port binding, go to these sections for information you are interested in:
• Port Binding Overview
• Displaying and Maintaining Port Binding Configuration
• Port Binding Configuration Example
Port Binding Overview
Introduction
Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port. After the binding, the switch forwards only those packets received on the port whose source MAC address and IP address are identical to the bound MAC address and IP address; other packets received on that port are dropped. This improves network security and simplifies security monitoring.
Configuring Port Binding
Follow these steps to configure port binding:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Bind the MAC address and IP address of a user to a specific port, in system view
Use the command...: am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
Remarks: Either is required. By default, no user MAC address or IP address is bound to a port.
To do...: Bind the MAC address and IP address of a user to a specific port, in Ethernet port view
Use the command...: interface interface-type interface-number, then am user-bind mac-addr mac-address ip-addr ip-address
Remarks: Either is required. By default, no user MAC address or IP address is bound to a port.
• An IP address can be bound to only one port at a time.
• A MAC address can be bound to only one port at a time.
Displaying and Maintaining Port Binding Configuration
To do...: Display port binding information
Use the command...: display am user-bind [ interface interface-type interface-number | ip-addr ip-address | mac-addr mac-address ]
Remarks: Available in any view
Port Binding Configuration Example
Port Binding Configuration Example
Network requirements
Bind the MAC and IP addresses of Host A to GigabitEthernet 1/0/1 on Switch A, so as to prevent a malicious user from accessing the network with the IP address stolen from Host A.
Network diagram
Figure 2-1 Network diagram for port binding configuration
Configuration procedure
Configure Switch A as follows:
# Enter system view.
<SwitchA> system-view
# Enter GigabitEthernet 1/0/1 port view.
[SwitchA] interface GigabitEthernet 1/0/1
# Bind the MAC address and the IP address of Host A to GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
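The check that this binding enforces, together with the two uniqueness constraints stated above, can be written down as a small model. The following Python is an added example for this page, not code from the manual or from H3C: it binds Host A exactly as in the procedure and then decides for constructed packets whether they would be forwarded. Treating a port that has no bindings as unrestricted is an assumption of the model, as are the spoofed addresses used in the sample packets.

```python
"""Model of the am user-bind forwarding check (added example, not H3C code).

On a port with bindings, only packets whose source MAC and source IP both
match one of that port's bindings are forwarded; an IP address and a MAC
address can each be bound to one port at a time. Ports without bindings are
treated as unrestricted (an assumption); the sample packets are constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str


class PortBindingTable:
    def __init__(self):
        self.bindings = []

    def am_user_bind(self, mac, ip, port):
        """am user-bind mac-addr <mac> ip-addr <ip> interface <port>."""
        for b in self.bindings:
            if b.ip == ip and b.port != port:
                raise ValueError("IP %s is already bound to %s" % (ip, b.port))
            if b.mac == mac and b.port != port:
                raise ValueError("MAC %s is already bound to %s" % (mac, b.port))
        binding = Binding(mac, ip, port)
        if binding not in self.bindings:
            self.bindings.append(binding)

    def display_am_user_bind(self, interface=None, ip_addr=None, mac_addr=None):
        """display am user-bind [ interface ... | ip-addr ... | mac-addr ... ]."""
        return [b for b in self.bindings
                if (interface is None or b.port == interface)
                and (ip_addr is None or b.ip == ip_addr)
                and (mac_addr is None or b.mac == mac_addr)]

    def forward(self, port, src_mac, src_ip):
        """Decide whether a packet received on `port` is forwarded."""
        on_port = [b for b in self.bindings if b.port == port]
        if not on_port:
            return True   # assumption: a port without bindings is not filtered
        return any(b.mac == src_mac and b.ip == src_ip for b in on_port)


def example_table():
    """Switch A from the example above: Host A bound to GigabitEthernet 1/0/1."""
    table = PortBindingTable()
    table.am_user_bind("0001-0002-0003", "10.12.1.1", "GigabitEthernet1/0/1")
    return table


if __name__ == "__main__":
    t = example_table()
    print("Host A:", t.forward("GigabitEthernet1/0/1", "0001-0002-0003", "10.12.1.1"))
    print("stolen IP, other MAC:", t.forward("GigabitEthernet1/0/1", "0001-0002-0004", "10.12.1.1"))
    print("Host A MAC, other IP:", t.forward("GigabitEthernet1/0/1", "0001-0002-0003", "10.12.1.2"))
```

The model makes the scope of the protection explicit: the binding only filters GigabitEthernet 1/0/1, so an attacker on another port who spoofs 10.12.1.1 is not stopped by this entry alone; the refusal to bind the same IP address to a second port is what prevents the administrator from creating a conflicting entry there.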
Table of Contents
1 DLDP Configuration
  Overview
  DLDP Fundamentals
    DLDP packets
    DLDP Status
    DLDP Timers
    DLDP Operating Mode
    DLDP Implementation
    DLDP Neighbor State
    Link Auto-recovery Mechanism
  DLDP Configuration
    Performing Basic DLDP Configuration
    Resetting DLDP State
    Displaying and Maintaining DLDP
  DLDP Configuration Example
1 DLDP Configuration
When configuring DLDP, go to these sections for information you are interested in:
• Overview
• DLDP Fundamentals
• DLDP Configuration
• DLDP Configuration Example
Overview
Device link detection protocol (DLDP) is an H3C technology for dealing with unidirectional links that may occur in a network.
If two switches, A and B, are connected by a pair of optical fibers, one carrying traffic from A to B and the other from B to A, the link is bidirectional (two-way). If one of these fibers is broken, the link becomes unidirectional (one-way).
On a unidirectional link, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device. A unidirectional link can cause problems such as network loops.
For fiber links, two kinds of unidirectional links exist:
• Fiber cross-connection, as shown in Figure 1-1
• Fibers that are not connected or are broken, as shown in Figure 1-2, in which the hollow lines represent fibers that are not connected or are broken
Figure 1-1 Fiber cross-connection
Figure 1-2 Fiber broken or not connected
Device link detection protocol (DLDP) can detect the link status of an optical fiber or a copper twisted pair (such as a Category 5e twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually, depending on the configuration, to avoid network problems.
A copper twisted-pair cable (such as a Category 5e twisted-pair cable) contains eight wires. Some of these wires only transmit data, while the others only receive data. When all the wires that only receive data, or all the wires that only transmit data, fail while the others are normal, a unidirectional link occurs.
DLDP provides the following features:
- As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device.
- The auto-negotiation mechanism at the physical layer detects physical signals and faults. DLDP identifies peer devices and unidirectional links, and disables unreachable ports.
- Even if both ends of a link work normally at the physical layer, DLDP can detect whether the link is connected correctly and whether packets can be exchanged normally between the two ends. The auto-negotiation mechanism cannot perform this detection.
DLDP Fundamentals
DLDP packets
DLDP detects link status by exchanging the following types of packets.
Table 1-1 DLDP packet types

Advertisement: Notifies the neighbor devices of the existence of the local device. An advertisement packet carries only the local port information and does not require a response from the peer end.

RSY-Advertisement (referred to as RSY packets hereafter): Advertisement packet with the RSY flag set to 1. RSY packets are sent to request synchronization of the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.

Flush-Advertisement (referred to as flush packets hereafter): Advertisement packet with the flush flag set to 1. A flush packet carries only the local port information (instead of the neighbor information) and is used to trigger neighbors to remove the information about the local device.

Probe: Probe packets are used to probe the existence of a neighbor and require echo packets from the corresponding neighbor. Probe packets carry the local port information; neighbor information is optional. A probe packet carrying neighbor information probes the specified neighbors; a probe packet carrying no neighbor information probes all the neighbors.

Echo: Response to probe packets. An echo packet carries the information about the responding port and the neighbor information it maintains. Upon receiving an echo packet, a port checks whether the neighbor information carried in the echo packet is consistent with its own. If yes, the link between the local port and the neighbor is regarded as bidirectional.

Disable: Disable packets notify the peer end that the local end is in the disable state. They carry only the local port information instead of the neighbor information. When a port detects a unidirectional link and enters the disable state, the port sends disable packets to the neighbor. A port enters the disable state upon receiving a disable packet.

LinkDown: Linkdown packets notify the peer of a unidirectional link emergency (a unidirectional link emergency occurs when the local port is down and the peer port is up). Linkdown packets carry only the local port information instead of the neighbor information. In some conditions, a port is considered physically down because the link connected to it is physically abnormal (for example, the Rx fiber on the port is disconnected while the Tx fiber operates properly). But for the peer end, because Rx signals can still be received at the physical layer, the port is still considered normal. Such a situation is known as a unidirectional link emergency.
When a unidirectional link emergency occurs, DLDP sends linkdown packets immediately to inform the peer of the link abnormality. Without linkdown packets, the peer can detect the abnormality only after the corresponding neighbor information it maintains ages out, which takes three times the advertisement interval.
Upon receiving a linkdown packet, if the peer end operates in enhanced mode, it enters the disable state and sets the receiving port to the DLDP down state (auto shutdown mode) or gives an alarm to the user (manual shutdown mode).

Recover Probe: Recover probe packets detect whether a link has recovered, to implement the port auto-recovery mechanism. They carry only the local port information instead of the neighbor information and request recover echo packets as the response. A port in the DLDP down state sends a recover probe packet every two seconds.

Recover Echo: Recover echo packets are the response to recover probe packets in the port auto-recovery mechanism. A link is considered restored to the bidirectional state if a port on one end sends a recover probe packet, receives a recover echo packet, and the neighbor information contained in the recover echo packet is consistent with that of the local port.
DLDP Status
A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
Table 1-2 DLDP status

Initial: Initial status before DLDP is enabled.

Inactive: DLDP is enabled but the corresponding link is down.

Active: DLDP is enabled, and the link is up or a neighbor entry is cleared.

Advertisement: All neighbors communicate normally in both directions, or DLDP has remained in the active state for more than five seconds and enters this state. It is a stable state in which no unidirectional link is found.

Probe: DLDP sends probe packets to check whether the link is unidirectional. It enables the probe sending timer and an echo waiting timer for each target neighbor.

Disable: DLDP detects a unidirectional link, or finds (in enhanced mode) that a neighbor has disappeared. In this case, DLDP sends and receives only recover probe packets and recover echo packets.

DelayDown: When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the inactive state. Instead, it changes to the delaydown state first. When a device changes to the delaydown state, the related DLDP neighbor information remains, and the DelayDown timer is triggered. After the DelayDown timer expires, the DLDP neighbor information is removed.
DLDP Timers
Table 1-3 DLDP timers

Advertisement sending timer: Interval between sending advertisement packets, which can be configured at the command line interface. By default, the timer length is 5 seconds.

Probe sending timer: The interval is 0.5 seconds. In the probe state, DLDP sends two probe packets per second.

Echo waiting timer: Enabled when DLDP enters the probe state. The echo waiting timer length is 10 seconds. If no echo packet is received from the neighbor when the echo waiting timer expires, the state of the local end is set to unidirectional link (one-way link) and the state machine turns into the disable state. DLDP outputs log and tracking information and sends flush packets. Depending on the user-defined DLDP down mode, DLDP disables the local port automatically or prompts you to disable the port manually. At the same time, DLDP deletes the neighbor entry.

Entry aging timer: When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In normal mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP sends an advertisement packet with the RSY flag set and deletes the neighbor entry. In enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP enables the enhanced timer. The entry aging timer length is three times the advertisement timer length.

Enhanced timer: In enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP enables the enhanced timer for the neighbor. The enhanced timer length is 10 seconds. While the enhanced timer runs, DLDP sends one probe packet per second, eight packets in succession, to the neighbor. If no echo packet is received from the neighbor when the enhanced timer expires, the state of the local end is set to the unidirectional communication state and the state machine turns into the disable state. DLDP outputs log and tracking information and sends flush packets. Depending on the user-defined DLDP down mode, DLDP disables the local port automatically or prompts you to disable the port manually. Meanwhile, DLDP deletes the neighbor entry.

DelayDown timer: When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the inactive state. Instead, it changes to the delaydown state first. When a device changes to the delaydown state, the related DLDP neighbor information remains, and the DelayDown timer is triggered. The DelayDown timer is configurable and ranges from 1 to 5 seconds. A device in the delaydown state only responds to port up messages. It resumes its original DLDP state if it receives a port up message before the delaydown timer expires. Otherwise, it removes the DLDP neighbor information and changes to the inactive state.
DLDP Operating Mode
DLDP can operate in two modes: normal mode and enhanced mode.
Table 1-4 DLDP operating mode and neighbor entry aging

Normal mode
- DLDP detects whether neighbors exist when neighbor entries are aging: No
- The entry aging timer is enabled during neighbor entry aging: Yes (the neighbor entry ages out after the entry aging timer expires)
- The enhanced timer is enabled when the entry aging timer expires: No

Enhanced mode
- DLDP detects whether neighbors exist when neighbor entries are aging: Yes
- The entry aging timer is enabled during neighbor entry aging: Yes (the enhanced timer is enabled after the entry aging timer expires)
- The enhanced timer is enabled when the entry aging timer expires: Yes (when the enhanced timer expires, the state of the local end is set to unidirectional link, and the neighbor entry is aged out)

- In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1) can be detected.
- In enhanced DLDP mode, two types of unidirectional links can be detected: fiber cross-connected links (as shown in Figure 1-1), and fiber pairs with one fiber not connected or disconnected (as shown in Figure 1-2). To detect unidirectional links of the latter type, you need to configure the ports to operate at a specific speed and in full duplex mode. Otherwise, DLDP cannot take effect.
DLDP Implementation
1) If the DLDP-enabled link is up, DLDP sends DLDP packets to the peer device, and analyzes and processes the DLDP packets received from the peer device. The DLDP packets sent in different DLDP states are of different types.
Table 1-5 DLDP state and DLDP packet type

Active: Advertisement packets, with the RSY flag set or not set.

Advertisement: Advertisement packets.

Probe: Probe packets.

2) A received DLDP packet is processed as follows:
- In authentication mode, the DLDP packet is authenticated first and is dropped if it fails the authentication.
- The packet is then processed as described in Table 1-6.
DLDP authentication protects against network attacks and unauthorized detection (spoofed or injected DLDP packets). Three DLDP authentication modes exist: non-authentication, plain text authentication, and MD5 authentication.
Table 1-6 The procedure to process a received DLDP packet

Advertisement packet: Extracts the neighbor information. If the corresponding neighbor entry does not exist on the local device, DLDP creates the neighbor entry, triggers the entry aging timer, and switches to the probe state. If the corresponding neighbor entry already exists on the local device, DLDP resets the aging timer of the entry.

Flush packet: Removes the neighbor entry from the local device.

Probe packet: Sends echo packets containing both the neighbor information and its own information to the peer. Creates the neighbor entry if it does not exist on the local device; resets the aging timer of the entry if the neighbor entry already exists on the local device.

Echo packet: Checks whether the local device is in the probe state.
- No: Drops the echo packet.
- Yes: Checks whether the neighbor information contained in the packet is the same as that on the local device.
    - No: Drops the echo packet.
    - Yes: Sets the flag bit of the neighbor to bidirectional link. If all neighbors are in the bidirectional link state, DLDP switches from the probe state to the advertisement state, and sets the echo waiting timer to 0.

3) If no echo packet is received from the neighbor, DLDP performs the following processing:
Table 1-7 Processing procedure when no echo packet is received from the neighbor

Condition: In normal mode, no echo packet is received when the echo waiting timer expires; in enhanced mode, no echo packet is received when the enhanced timer expires.

Processing procedure: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets. Depending on the user-defined DLDP down mode, DLDP disables the local port automatically or prompts you to disable the port manually. DLDP sends RSY messages and removes the corresponding neighbor entries.
DLDP Neighbor State
A DLDP neighbor can be in one of two states: two way and unknown. You can check the state of a DLDP neighbor by using the display dldp command.
Table 1-8 Description of the two DLDP neighbor states

two way: The link to the neighbor operates properly.

unknown: The device is detecting the neighbor and the neighbor state is unknown.
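The packet exchange of Tables 1-1, 1-6 and 1-7 (RSY advertisement on link-up, probe, an echo whose neighbor information must name the receiving port, authentication before any other processing, and shutdown when the echo waiting timer expires), reduced to a small Python model. This is an added example, not H3C code and not the real DLDPDU format. It assumes that a fiber is a one-way map from one port's Tx to another port's Rx, scales the timers down to whole probe rounds, uses a made-up MD5 digest layout for the authentication check, and does not model the physical link-down cascade that follows a shutdown (which is why all four cross-connected ports end in the disable state here, whereas the configuration example notes that on a real switch two or three end in disable and the rest go inactive).

```python
"""Toy model of DLDP neighbor detection: RSY advertisement, probe/echo check,
authentication, echo-wait expiry. Added illustration, not H3C code.
Assumptions: a fiber is a one-way map from a port's Tx to some port's Rx;
one tick is one probe round (the manual's 0.5 s probe interval and 10 s echo
waiting timer are scaled down); the MD5 digest layout is made up; physical
link-down cascading after a port is shut down is not modelled."""
import hashlib
from dataclasses import dataclass, field

ECHO_WAIT_TICKS = 3   # echo waiting timer, in probe rounds (scaled down from 10 s)


@dataclass
class Port:
    name: str
    password: str = ""                 # "" = authentication mode none
    state: str = "active"              # active -> probe -> advertisement | disable
    neighbors: dict = field(default_factory=dict)   # neighbor -> "unknown" | "two way"
    echo_wait: int = 0


def digest(password, kind, src, nbr):
    # hypothetical layout: MD5 over the password and the packet fields (not the real DLDPDU)
    return hashlib.md5(f"{password}|{kind}|{src}|{nbr}".encode()).hexdigest()


def send(fiber, ports, src, kind, nbr=""):
    """Put a packet on src's Tx fiber; it lands on whatever Rx that fiber reaches."""
    dst = fiber.get(src)
    if dst is not None:
        pkt = {"kind": kind, "src": src, "nbr": nbr,
               "auth": digest(ports[src].password, kind, src, nbr)}
        receive(fiber, ports, dst, pkt)


def receive(fiber, ports, me, pkt):
    p = ports[me]
    # Table 1-6, step 2: authenticate first and drop on failure
    if pkt["auth"] != digest(p.password, pkt["kind"], pkt["src"], pkt["nbr"]):
        return
    if p.state == "disable":           # a DLDP-down port handles only recover packets
        return
    if pkt["kind"] == "advertisement":
        if pkt["src"] not in p.neighbors:     # new neighbor: create entry, go to probe
            p.neighbors[pkt["src"]] = "unknown"
            p.state, p.echo_wait = "probe", ECHO_WAIT_TICKS
    elif pkt["kind"] == "probe":
        p.neighbors.setdefault(pkt["src"], "unknown")
        # the echo carries the responder's identity and the neighbor it holds for the prober
        send(fiber, ports, me, "echo", nbr=pkt["src"])
    elif pkt["kind"] == "echo":
        if p.state != "probe":
            return
        if pkt["nbr"] != me:       # neighbor info does not name this port: came via the wrong fiber
            return
        p.neighbors[pkt["src"]] = "two way"
        if all(v == "two way" for v in p.neighbors.values()):
            p.state, p.echo_wait = "advertisement", 0


def run(fiber, ports, ticks=6):
    """Link-up on every port, then `ticks` probe rounds; returns the final DLDP states."""
    for name in ports:
        send(fiber, ports, name, "advertisement")    # RSY advertisement on link-up
    for _ in range(ticks):
        for name, p in ports.items():
            if p.state != "probe":
                continue
            for nbr in list(p.neighbors):
                send(fiber, ports, name, "probe", nbr=nbr)
            p.echo_wait -= 1
            if p.state == "probe" and p.echo_wait <= 0:
                p.state = "disable"        # no matching echo: unidirectional, port shut down
                p.neighbors.clear()        # flush packets sent, neighbor entry deleted
    return {name: p.state for name, p in ports.items()}


def scenario_correct():
    ports = {"A1": Port("A1"), "B1": Port("B1")}
    return run({"A1": "B1", "B1": "A1"}, ports)


def scenario_cross_connected():
    """Figure 1-1: A1.tx->B1.rx, B1.tx->A2.rx, A2.tx->B2.rx, B2.tx->A1.rx."""
    ports = {n: Port(n) for n in ("A1", "A2", "B1", "B2")}
    return run({"A1": "B1", "B1": "A2", "A2": "B2", "B2": "A1"}, ports)


def scenario_auth_mismatch():
    """Passwords differ on the two ends: every packet fails authentication."""
    ports = {"A1": Port("A1", password="s3cret"), "B1": Port("B1", password="other")}
    return run({"A1": "B1", "B1": "A1"}, ports)


if __name__ == "__main__":
    print(scenario_correct())            # {'A1': 'advertisement', 'B1': 'advertisement'}
    print(scenario_cross_connected())    # all four ports 'disable'
    print(scenario_auth_mismatch())      # both stay 'active': no neighbor is ever learned
```

The three scenarios are the three outcomes a practitioner sees in display dldp: a correctly cabled pair settles in the advertisement state with the neighbor two way; the cross-connected pairs of Figure 1-1 never receive an echo whose neighbor information names the receiving port and are shut down; and mismatched passwords silently prevent neighbor discovery, which is why the configuration notes insist on identical authentication settings at both ends.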
Link Auto-recovery Mechanism
If the shutdown mode of a port is set to auto shutdown, the port is set to the DLDP down state when DLDP detects that the link connected to the port is unidirectional. A port in the DLDP down state does not forward service packets or receive/send protocol packets except DLDPDUs.
A port in the DLDP down state recovers when the corresponding link recovers. A port in the DLDP down state sends recover probe packets periodically. On receiving a correct recover echo packet (which means that the unidirectional link has been restored to a bidirectional link), it is brought up by DLDP. The detailed process is as follows.
1) A port in the DLDP down state sends a recover probe packet every 2 seconds. Recover probe packets carry only the local port information.
2) Upon receiving a recover probe packet, the peer end responds with a recover echo packet.
3) Upon receiving a recover echo packet, the local end checks whether the neighbor information carried in the recover echo packet is consistent with that of the local port. If yes, the link between the local port and the neighbor is considered recovered to bidirectional, the port changes from the disable state to the active state, and the neighbor relationship between the local port and the neighbor is reestablished.
Only ports in the DLDP down state can send and process recover probe packets and recover echo packets. The auto-recovery mechanism does not apply to ports that are shut down manually.
DLDP Configuration
Performing Basic DLDP Configuration
Follow these steps to perform basic DLDP configuration:

Enter system view
    Command: system-view

Enable DLDP on all optical ports of the switch
    Command: dldp enable (in system view)
    Required (use this or the per-port form). By default, DLDP is disabled.

Enable DLDP on the current port (a non-optical port or an optical port)
    Commands: interface interface-type interface-number, then dldp enable (in Ethernet port view)
    Required (use this or the system view form). By default, DLDP is disabled.

Set the authentication mode and password
    Command: dldp authentication-mode { none | simple simple-password | md5 md5-password }
    Optional. By default, the authentication mode is none.

Set the interval of sending DLDP packets
    Command: dldp interval timer-value
    Optional. By default, the interval is 5 seconds.

Set the delaydown timer
    Command: dldp delaydown-timer delaydown-time
    Optional. By default, the delaydown timer expires 1 second after it is triggered.

Set the DLDP handling mode when a unidirectional link is detected
    Command: dldp unidirectional-shutdown { auto | manual }
    Optional. By default, the handling mode is auto.

Set the DLDP operating mode
    Command: dldp work-mode { enhance | normal }
    Optional. By default, DLDP works in normal mode.
Note the following when performing basic DLDP configuration.
- DLDP can detect unidirectional links only after the links are connected. Therefore, before enabling DLDP, make sure that the optical fibers or copper twisted pairs are connected.
- To ensure that unidirectional links can be detected, make sure DLDP is enabled on both sides, and that the interval for sending advertisement packets, the authentication mode, and the password are the same on both sides.
- The interval for sending advertisement packets ranges from 1 to 100 seconds and defaults to 5 seconds. You can adjust this setting as needed to enable DLDP to respond in time to link failures. If the interval is too long, STP loops may occur before unidirectional links are shut down; if the interval is too short, network traffic increases in vain and available bandwidth decreases. Normally, the interval is shorter than one-third of the STP convergence time, which is generally 30 seconds.
- DLDP does not process any link aggregation control protocol (LACP) event, and treats each link in an aggregation group as independent.
- When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly.
- When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, not on those added subsequently.
- Make sure the authentication mode and password configured on both sides are the same for DLDP to operate properly. In simple mode the password is carried in plain text in every DLDP packet, so anyone who can capture traffic on the link can read it; prefer md5 where both sides support it.
- When DLDP works in enhanced mode, the system can identify two types of unidirectional links: one caused by fiber cross-connection and the other caused by one fiber being not connected or disconnected.
- When DLDP works in normal mode, the system can identify only unidirectional links caused by fiber cross-connection.
- When the device is busy with services and the CPU utilization is high, DLDP may issue mistaken reports. You are recommended to set the DLDP handling mode for unidirectional links (dldp unidirectional-shutdown) to manual, so that a mistaken report raises an alarm instead of shutting down the port; verify the link before disabling the port by hand.
Resetting DLDP State
You can reset the DLDP state of the ports shut down by DLDP due to unidirectional links, to enable DLDP detection again.
This function is only applicable to ports that are in the DLDP down state.
Follow these steps to reset DLDP state:

Enter system view
    Command: system-view

Reset DLDP state for all the ports shut down by DLDP
    Command: dldp reset (in system view)

Reset the DLDP state for a port shut down by DLDP
    Commands: interface interface-type interface-number, then dldp reset (in Ethernet port view)

Select either of the two.
Displaying and Maintaining DLDP

Display the DLDP configuration of a unit or a port
    Command: display dldp { unit-id | interface-type interface-number }
    Available in any view.
DLDP Configuration Example
Network requirements
As shown in Figure 1-3:
- Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps.
- Suppose the fibers between Switch A and Switch B are cross-connected. DLDP disconnects the unidirectional links after detecting them.
- After the fibers are connected correctly, the ports shut down by DLDP are restored.
Network diagram
Figure 1-3 Network diagram for DLDP configuration (Switch A ports GE1/0/50 and GE1/0/51 connected to Switch B ports GE1/0/50 and GE1/0/51; a PC is also attached)
Configuration procedure
1) Configure Switch A
# Configure the ports to work in mandatory full duplex mode at a rate of 1000 Mbps.
<SwitchA> system-view
[SwitchA] interface gigabitethernet 1/0/50
[SwitchA-GigabitEthernet1/0/50] duplex full
[SwitchA-GigabitEthernet1/0/50] speed 1000
[SwitchA-GigabitEthernet1/0/50] quit
[SwitchA] interface gigabitethernet 1/0/51
[SwitchA-GigabitEthernet1/0/51] duplex full
[SwitchA-GigabitEthernet1/0/51] speed 1000
[SwitchA-GigabitEthernet1/0/51] quit
# Enable DLDP globally.
[SwitchA] dldp enable
# Set the interval between sending DLDP packets to 15 seconds.
[SwitchA] dldp interval 15
# Configure DLDP to work in enhanced mode.
[SwitchA] dldp work-mode enhance
# Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
[SwitchA] display dldp 1
When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
When a fiber is connected to a device correctly on one end with the other end connected to no device:
- If the device operates in normal DLDP mode, the end that receives optical signals is in the advertisement state; the other end is in the inactive state.
- If the device operates in enhanced DLDP mode, the end that receives optical signals is in the disable state; the other end is in the inactive state.
# Restore the ports shut down by DLDP.
[SwitchA] dldp reset
2) Configure Switch B
The configuration of Switch B is the same as that of Switch A and is thus omitted.
Table of Contents
1 MAC Address Table Management
    Overview
        Introduction to MAC Address Table
        Introduction to MAC Address Learning
        Managing MAC Address Table
    Configuring MAC Address Table Management
        Configuration Task List
        Configuring a MAC Address Entry
        Setting the Aging Time of MAC Address Entries
        Setting the Maximum Number of MAC Addresses a Port Can Learn
        Disabling MAC Address learning for a VLAN
    Displaying MAC Address Table Information
    Configuration Example
        Adding a Static MAC Address Entry Manually
1 MAC Address Table Management
This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the part related to multicast protocol.
Overview
Introduction to MAC Address Table
An Ethernet switch is mainly used to forward packets at the data link layer, that is, to transmit packets to the corresponding ports according to the destination MAC address of the packets. To forward packets quickly, a switch maintains a MAC address table, which is a Layer 2 address table recording the MAC address-to-forwarding port association. Each entry in a MAC address table contains the following fields:
- Destination MAC address
- ID of the VLAN to which the port belongs
- Forwarding egress port number on the local switch
When forwarding a packet, an Ethernet switch adopts one of the following two forwarding methods based on the MAC address table entries:
- Unicast forwarding: If the destination MAC address carried in the packet is included in a MAC address table entry, the switch forwards the packet through the forwarding egress port in the entry.
- Broadcast forwarding: If the destination MAC address carried in the packet is not included in the MAC address table, the switch broadcasts the packet to all ports except the one receiving the packet.
Introduction to MAC Address Learning
MAC address table entries can be updated and maintained in the following two ways:
- Manual configuration
- MAC address learning
Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch:
1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A arrives at GigabitEthernet 1/0/1. At this time, the switch records the source MAC address of the packet, that is, the address "MAC-A" of User A, in its MAC address table, forming the entry shown in Figure 1-2.
Figure 1-1 MAC address learning diagram (1)
Figure 1-2 MAC address table entry of the switch (1)
2) After learning the MAC address of User A, the switch starts to forward the packet. Because there is no MAC address and port information of User B in the existing MAC address table, the switch forwards the packet to all ports except GigabitEthernet 1/0/1 to ensure that User B can receive the packet.
Figure 1-3 MAC address learning diagram (2)
3) Because the switch broadcasts the packet, both User B and User C receive it. However, User C is not the destination device of the packet and therefore does not process it. Normally, User B responds to User A, as shown in Figure 1-4. When the response packet from User B arrives at GigabitEthernet 1/0/4, the switch records the association between the MAC address of User B and that port in its MAC address table.
Figure 1-4 MAC address learning diagram (3)
4) At this time, the MAC address table of the switch includes the two forwarding entries shown in Figure 1-5. When forwarding the response packet, the switch unicasts it to User A through GigabitEthernet 1/0/1 instead of broadcasting it, because MAC-A is already in the MAC address table.
Figure 1-5 MAC address table entries of the switch (2)
5) After this interaction, the switch directly unicasts the communication packets between User A and User B based on the corresponding MAC address table entries.
- Under some special circumstances, for example, when User B is unreachable or User B receives the packet but does not respond to it, the switch cannot learn the MAC address of User B. Hence, the switch still broadcasts the packets destined for User B.
- The switch learns only unicast addresses through the MAC address learning mechanism, and directly drops any packet with a broadcast source MAC address.
Managing MAC Address Table
Aging of MAC address table
To fully utilize a MAC address table, which has a limited capacity, the switch uses an aging mechanism for updating the table. That is, the switch starts an aging timer for an entry when dynamically creating the entry, and removes the MAC address entry if no more packets with the MAC address recorded in the entry are received within the aging time.
The aging timer only takes effect on dynamic MAC address entries.
Entries in a MAC address table
Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods:
- Static MAC address entry: Also known as a permanent MAC address entry. Entries of this type are added and removed manually and do not age out. Static MAC address entries can remarkably reduce broadcast packets and are suitable for networks where network devices seldom change.
- Dynamic MAC address entry: Entries of this type age out after the configured aging time. They are generated by the MAC address learning mechanism or configured manually.
- Blackhole MAC address entry: Entries of this type are configured manually. A switch discards the packets destined for or originating from the MAC addresses contained in blackhole MAC address entries.
Table 1-1 lists the different types of MAC address entries and their characteristics.
Table 1-1 Characteristics of different types of MAC address entries

Static MAC address entry
    Configuration method: Manually configured
    Aging time: Unavailable
    Reserved at reboot (if the configuration is saved): Yes

Dynamic MAC address entry
    Configuration method: Manually configured or generated by the MAC address learning mechanism
    Aging time: Available
    Reserved at reboot (if the configuration is saved): No

Blackhole MAC address entry
    Configuration method: Manually configured
    Aging time: Unavailable
    Reserved at reboot (if the configuration is saved): Yes
Configuring MAC Address Table Management
Configuration Task List
Table 1-2 Configure MAC address table management

Configuring a MAC Address Entry: Required
Setting the Aging Time of MAC Address Entries: Optional
Setting the Maximum Number of MAC Addresses a Port Can Learn: Optional
Disabling MAC Address learning for a VLAN: Optional
Configuring a MAC Address Entry
You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
You can add a MAC address entry in either system view or Ethernet port view.
Adding a MAC address entry in system view
Table 1-3 Add a MAC address entry in system view

Enter system view
    Command: system-view

Add a MAC address entry
    Command: mac-address { static | dynamic | blackhole } mac-address interface interface-type interface-number vlan vlan-id
    Required

- When you add a MAC address entry, the port specified by the interface argument must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added.
- If the VLAN specified by the vlan argument is a dynamic VLAN, it becomes a static VLAN after a static MAC address is added.
Adding a MAC address entry in Ethernet port view
Table 1-4 Add a MAC address entry in Ethernet port view

Enter system view
    Command: system-view

Enter Ethernet port view
    Command: interface interface-type interface-number

Add a MAC address entry
    Command: mac-address { static | dynamic | blackhole } mac-address vlan vlan-id
    Required

- When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added.
- If the VLAN specified by the vlan argument is a dynamic VLAN, it becomes a static VLAN after a static MAC address is added.
Setting the Aging Time of MAC Address Entries
Setting the aging time properly makes MAC address aging effective. An aging time that is too long or too short affects the performance of the switch.
- If the aging time is too long, excessive invalid MAC address entries maintained by the switch may fill up the MAC address table. This prevents the MAC address table from being updated in time with network changes.
- If the aging time is too short, the switch may remove valid MAC address entries, so that traffic to those addresses is flooded again until they are relearned. This decreases the forwarding performance of the switch.
Table 1-5 Set aging time of MAC address entries

Enter system view
    Command: system-view

Set the aging time of MAC address entries
    Command: mac-address timer { aging age | no-aging }
    Required. The default aging time is 300 seconds.

Normally, you are recommended to use the default aging time, namely 300 seconds. The no-aging keyword specifies that MAC address entries do not age out.
MAC address aging configuration applies to all ports, but only takes effect on dynamic MAC addresses that are learnt or configured to age.
Setting the Maximum Number of MAC Addresses a Port Can Learn
The MAC address learning mechanism enables an Ethernet switch to acquire the MAC addresses of
the network devices on the segment connected to the ports of the switch. By searching the MAC
address table, the switch forwards the packets destined for these MAC addresses directly in
hardware, improving the forwarding efficiency. An oversized MAC address table may prolong the time
for searching MAC address entries, thus decreasing the forwarding performance of the switch.
By setting the maximum number of MAC addresses that can be learnt from individual ports, the
administrator can control the number of MAC address entries the MAC address table can
dynamically maintain. When the number of MAC address entries learnt from a port reaches the set
value, the port stops learning MAC addresses.
Table 1-6 Set the maximum number of MAC addresses a port can learn
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Set the maximum number of MAC addresses the port can learn (required): mac-address max-mac-count count
By default, the number of MAC addresses a port can learn is not limited.
Disabling MAC Address learning for a VLAN
You can disable a switch from learning MAC addresses in specific VLANs to improve stability and
security for the users belonging to these VLANs and to prevent unauthorized access.
Table 1-7 Disable MAC address learning for a VLAN
Enter system view: system-view
Enter VLAN view: vlan vlan-id
Disable the switch from learning MAC addresses in the VLAN (required): mac-address max-mac-count 0
By default, a switch learns MAC addresses in any VLAN.
• If the VLAN is configured as a remote probe VLAN used by port mirroring, you cannot disable MAC
address learning for this VLAN. Similarly, after you disable MAC address learning, this VLAN cannot
be configured as a remote probe VLAN.
• Disabling the MAC address learning function of a VLAN has no effect on enabling centralized
MAC address authentication on the ports that belong to the VLAN.
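The MAC address table behaviour described in the sections above (static, dynamic and blackhole entries, the aging timer, max-mac-count on a port, and max-mac-count 0 in VLAN view), as an added Python model that is not part of the manual: the port GigabitEthernet1/0/3, VLAN 20 and every MAC address other than the chapter's 000f-e20f-dc71 are constructed, and the blackhole entry is modelled as dropping frames addressed to that MAC, which is Comware behaviour assumed here rather than stated on this page.

```python
"""Model of the MAC address table behaviour described in this chapter.
Added example, not H3C code.  Port GigabitEthernet1/0/3, VLAN 20 and all MAC
addresses except the chapter's 000f-e20f-dc71 are constructed; blackhole
entries are assumed to drop frames addressed to that MAC (Comware behaviour
not spelled out on this page)."""

FLOOD, DROP = "flood", "drop"          # forwarding decisions besides "out port X"
STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"


class MacTable:
    def __init__(self, aging_time=300):
        self.aging_time = aging_time       # seconds; None models "no-aging"
        self.entries = {}                  # (vlan, mac) -> [kind, port, last_seen]
        self.port_limit = {}               # port -> max-mac-count (absent: unlimited)
        self.no_learning = set()           # VLANs with "mac-address max-mac-count 0"

    # --- configuration commands ---------------------------------------------
    def add_entry(self, kind, mac, vlan, port):
        """mac-address { static | blackhole } mac-address interface port vlan vlan-id"""
        self.entries[(vlan, mac)] = [kind, port, None]   # configured entries never age

    def set_port_limit(self, port, count):
        """mac-address max-mac-count count (Ethernet port view)"""
        self.port_limit[port] = count

    def disable_learning(self, vlan):
        """mac-address max-mac-count 0 (VLAN view)"""
        self.no_learning.add(vlan)

    # --- data plane ------------------------------------------------------------
    def learned_on(self, port):
        return sum(1 for kind, p, _ in self.entries.values()
                   if kind == DYNAMIC and p == port)

    def learn(self, src_mac, vlan, port, now):
        """Source-address learning for a frame received on port in vlan.
        Returns True if a dynamic entry was created or refreshed."""
        entry = self.entries.get((vlan, src_mac))
        if entry is not None:
            if entry[0] != DYNAMIC:
                return False               # configured entries are not overwritten
            entry[1], entry[2] = port, now # refresh (or move) the dynamic entry
            return True
        if vlan in self.no_learning:
            return False                   # learning disabled for this VLAN
        if self.learned_on(port) >= self.port_limit.get(port, float("inf")):
            return False                   # port has reached its max-mac-count
        self.entries[(vlan, src_mac)] = [DYNAMIC, port, now]
        return True

    def age(self, now):
        """Remove dynamic entries older than the aging time; returns how many."""
        if self.aging_time is None:
            return 0
        stale = [key for key, (kind, _, seen) in self.entries.items()
                 if kind == DYNAMIC and now - seen >= self.aging_time]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def forward(self, dst_mac, vlan):
        """Destination lookup: the known port, DROP for blackhole, FLOOD if unknown."""
        entry = self.entries.get((vlan, dst_mac))
        if entry is None:
            return FLOOD
        if entry[0] == BLACKHOLE:
            return DROP
        return entry[1]


def demo():
    """Walk through the chapter's settings; returns the observations for checking."""
    t = MacTable(aging_time=300)
    t.add_entry(STATIC, "000f-e20f-dc71", 1, "GigabitEthernet1/0/2")    # the chapter's server
    t.add_entry(BLACKHOLE, "0000-0000-0001", 1, "GigabitEthernet1/0/2")  # constructed
    t.set_port_limit("GigabitEthernet1/0/3", 2)                          # constructed port
    t.disable_learning(20)                                               # constructed VLAN
    r = {}
    r["server"] = t.forward("000f-e20f-dc71", 1)          # pinned to its port, not flooded
    r["blackhole"] = t.forward("0000-0000-0001", 1)       # dropped
    r["unknown"] = t.forward("000f-e20f-a7d6", 1)         # not learned yet: flooded
    # Three hosts appear behind GigabitEthernet1/0/3; the limit is 2, so the
    # third source address is not learned and stays unknown.
    r["learned"] = [t.learn(m, 1, "GigabitEthernet1/0/3", now=0)
                    for m in ("000f-e20f-a7d6", "000f-e20f-b1fb", "000f-e20f-f116")]
    r["third_host"] = t.forward("000f-e20f-f116", 1)
    r["vlan20"] = t.learn("000f-e20f-a7d6", 20, "GigabitEthernet1/0/2", now=0)
    # The server's MAC seen as a source on another port does not move the static entry.
    r["static_kept"] = (t.learn("000f-e20f-dc71", 1, "GigabitEthernet1/0/3", now=0),
                        t.forward("000f-e20f-dc71", 1))
    r["aged_at_299"], r["aged_at_300"] = t.age(now=299), t.age(now=300)
    r["server_after_aging"] = t.forward("000f-e20f-dc71", 1)
    r["no_aging"] = MacTable(aging_time=None).age(now=10**6)
    return r
```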
Displaying MAC Address Table Information
To verify your configuration, you can display information about the MAC address table by executing the
display command in any view.
Table 1-8 Display MAC address table information
Display information about the MAC address table: display mac-address [ display-option ]
Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time
The display command can be executed in any view.
Configuration Example
Adding a Static MAC Address Entry Manually
Network requirements
The server connects to the switch through GigabitEthernet 1/0/2. To prevent the switch from
broadcasting packets destined for the server, it is required to add the MAC address of the server to the
MAC address table of the switch, which then forwards packets destined for the server through
GigabitEthernet 1/0/2.
• The MAC address of the server is 000f-e20f-dc71.
• Port GigabitEthernet 1/0/2 belongs to VLAN 1.
Configuration procedure
# Enter system view.
<Sysname> system-view
[Sysname]
# Add a MAC address, with the VLAN, ports, and states specified.
[Sysname] mac-address static 000f-e20f-dc71 interface GigabitEthernet 1/0/2 vlan 1
# Display information about the current MAC address table.
[Sysname] display mac-address interface GigabitEthernet 1/0/2
MAC ADDR         VLAN ID  STATE          PORT INDEX             AGING TIME(s)
000f-e20f-dc71   1        Config static  GigabitEthernet1/0/2   NOAGED
000f-e20f-a7d6   1        Learned        GigabitEthernet1/0/2   AGING
000f-e20f-b1fb   1        Learned        GigabitEthernet1/0/2   AGING
000f-e20f-f116   1        Learned        GigabitEthernet1/0/2   AGING
---  4 mac address(es) found on port GigabitEthernet1/0/2  ---
Table of Contents
1 MSTP Configuration  1-1
    Overview  1-1
        Spanning Tree Protocol Overview  1-1
        Rapid Spanning Tree Protocol Overview  1-10
        Multiple Spanning Tree Protocol Overview  1-10
        MSTP Implementation on Switches  1-14
        Protocols and Standards  1-15
    MSTP Configuration Task List  1-15
    Configuring Root Bridge  1-17
        Configuring an MST Region  1-17
        Specifying the Current Switch as a Root Bridge/Secondary Root Bridge  1-18
        Configuring the Bridge Priority of the Current Switch  1-20
        Configuring How a Port Recognizes and Sends MSTP Packets  1-20
        Configuring the MSTP Operation Mode  1-21
        Configuring the Maximum Hop Count of an MST Region  1-22
        Configuring the Network Diameter of the Switched Network  1-23
        Configuring the MSTP Time-related Parameters  1-23
        Configuring the Timeout Time Factor  1-25
        Configuring the Maximum Transmitting Rate on the Current Port  1-25
        Configuring the Current Port as an Edge Port  1-26
        Setting the Link Type of a Port to P2P  1-27
        Enabling MSTP  1-28
    Configuring Leaf Nodes  1-29
        Configuring the MST Region  1-29
        Configuring How a Port Recognizes and Sends MSTP Packets  1-30
        Configuring the Timeout Time Factor  1-30
        Configuring the Maximum Transmitting Rate on the Current Port  1-30
        Configuring a Port as an Edge Port  1-30
        Configuring the Path Cost for a Port  1-30
        Configuring Port Priority  1-32
        Setting the Link Type of a Port to P2P  1-33
        Enabling MSTP  1-33
    Performing mCheck Operation  1-33
        Configuration Prerequisites  1-34
        Configuration Procedure  1-34
        Configuration Example  1-34
    Configuring Guard Functions  1-34
        Configuring BPDU Guard  1-34
        Configuring Root Guard  1-35
        Configuring Loop Guard  1-36
        Configuring TC-BPDU Attack Guard  1-37
        Configuring BPDU Dropping  1-38
    Configuring Digest Snooping  1-39
        Introduction  1-39
        Configuring Digest Snooping  1-40
    Configuring Rapid Transition  1-41
        Introduction  1-41
        Configuring Rapid Transition  1-43
    Configuring VLAN-VPN Tunnel  1-44
        Introduction  1-44
        Configuring VLAN-VPN tunnel  1-44
    MSTP Maintenance Configuration  1-45
        Introduction  1-45
        Enabling Log/Trap Output for Ports of MSTP Instance  1-45
        Configuration Example  1-45
    Enabling Trap Messages Conforming to 802.1d Standard  1-46
    Displaying and Maintaining MSTP  1-46
    MSTP Configuration Example  1-47
    VLAN-VPN Tunnel Configuration Example  1-49
1 MSTP Configuration
Go to these sections for information you are interested in:
• Overview
• MSTP Configuration Task List
• Configuring Root Bridge
• Configuring Leaf Nodes
• Performing mCheck Operation
• Configuring Guard Functions
• Configuring Digest Snooping
• Configuring Rapid Transition
• Configuring VLAN-VPN Tunnel
• MSTP Maintenance Configuration
• Enabling Trap Messages Conforming to 802.1d Standard
• Displaying and Maintaining MSTP
• MSTP Configuration Example
• VLAN-VPN Tunnel Configuration Example
Overview
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by
selectively blocking redundant links in a network while still allowing for link redundancy.
Like many other protocols, STP evolves as the network grows. The later versions of STP are Rapid
Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP). This chapter describes
the characteristics of STP, RSTP, and MSTP and the relationship among them.
Spanning Tree Protocol Overview
Why STP
Spanning tree protocol (STP) is a protocol conforming to IEEE 802.1d. It aims to eliminate loops at the
data link layer in a local area network (LAN). Devices running this protocol detect loops in the network by
exchanging packets with one another and eliminate the loops detected by blocking specific ports until
the network is pruned into one with a tree topology. As a network with a tree topology is loop-free, STP
prevents packets in it from being duplicated and forwarded endlessly and prevents device and network
performance degradation caused by data loops.
In the narrow sense, STP refers to IEEE 802.1d STP; in the broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.
Protocol Packets of STP
STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
packets.
STP identifies the network topology by transmitting BPDUs between STP compliant network devices,
typically switches and routers. BPDUs contain sufficient information for the network devices to complete
the spanning tree calculation.
In STP, BPDUs come in two types:
• Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology.
• Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology
changes, if any.
Basic concepts in STP
1) Root bridge
A tree network must have a root; hence the concept of root bridge has been introduced in STP.
There is one and only one root bridge in an entire STP-based network at a given time. But the root
bridge can change with changes of the network topology. Therefore, the root bridge is not fixed.
Upon initialization of a network, each device generates and sends out BPDUs periodically with itself as
the root bridge; after network convergence, only the root bridge generates and sends out configuration
BPDUs at a certain interval, and the other devices just forward the BPDUs.
2) Root port
On a non-root bridge device, the root port is the port with the lowest path cost to the root bridge. The
root port is used for communicating with the root bridge. A non-root-bridge device has one and only one
root port. The root bridge has no root port.
3) Designated bridge and designated port
Refer to the following table for the description of designated bridge and designated port.
Table 1-1 Designated bridge and designated port
For a device: the designated bridge is a device that is directly connected to a switch and is responsible
for forwarding BPDUs to this switch; the designated port is the port through which the designated bridge
forwards BPDUs to this device.
For a LAN: the designated bridge is a device responsible for forwarding BPDUs to this LAN segment;
the designated port is the port through which the designated bridge forwards BPDUs to this LAN
segment.
Figure 1-1 shows designated bridges and designated ports. In the figure, AP1 and AP2, BP1 and BP2,
and CP1 and CP2 are ports on Device A, Device B, and Device C respectively.
• If Device A forwards BPDUs to Device B through AP1, the designated bridge for Device B is Device
A, and the designated port is the port AP1 on Device A.
• Two devices are connected to the LAN: Device B and Device C. If Device B forwards BPDUs to the
LAN, the designated bridge for the LAN is Device B, and the designated port is the port BP2 on
Device B.
Figure 1-1 A schematic diagram of designated bridges and designated ports
All the ports on the root bridge are designated ports.
4) Bridge ID
A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device,
and the latter six bytes represent the MAC address of the device.
The default bridge priority of an H3C device is 32768. You can use a command to configure the bridge
priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
5) Path cost
STP uses path costs to indicate the quality of links. A small path cost indicates a higher link quality. The
path cost of a port is related to the rate of the link connecting the port. The higher the link rate, the
smaller the path cost.
By comparing the path costs of different links, STP selects the most robust links and blocks the other
links to prune the network into a tree.
H3C devices support using multiple standards to calculate the path costs of ports, as well as using
commands to configure the path costs of ports. For details, see Configuring the Path Cost for a Port.
6) Port ID
A port ID used on an H3C device consists of two bytes, that is, 16 bits, where the first six bits represent
the port priority, and the latter ten bits represent the port number.
The default priority of all Ethernet ports on H3C devices is 128. You can use commands to configure
port priorities. For details, see Configuring Port Priority.
How STP works
STP identifies the network topology by transmitting configuration BPDUs between network devices.
Configuration BPDUs contain sufficient information for network devices to complete the spanning tree
calculation. Important fields in a configuration BPDU include:
• Root bridge ID, consisting of root bridge priority and MAC address.
• Root path cost, the cost of the shortest path to the root bridge.
• Designated bridge ID, designated bridge priority plus MAC address.
• Designated port ID, designated port priority plus port number.
• Message age, lifetime for the configuration BPDUs to be propagated within the network.
• Max age, lifetime for the configuration BPDUs to be kept in a switch.
• Hello time, configuration BPDU interval.
• Forward delay, forward delay of the port.
The implementation of the STP algorithm involves only the following four parts of a configuration BPDU:
• Root bridge ID
• Root path cost
• Designated bridge ID
• Designated port ID
1) Detailed calculation process of the STP algorithm
• Initial state
Upon initialization, each device generates a BPDU with itself as the root bridge, in which the root path
cost is 0, the designated bridge ID is the device ID, and the designated port is the local port.
• Selection of the optimum configuration BPDU
Each device sends out its configuration BPDU and receives configuration BPDUs from other devices.
The process of selecting the optimum configuration BPDU is as follows:
Table 1-2 Selection of the optimum configuration BPDU
Step 1: Upon receiving a configuration BPDU on a port, the device performs the following processing:
• If the received configuration BPDU has a lower priority than that of the configuration BPDU
generated by the port, the device discards the received configuration BPDU without doing any
processing on the configuration BPDU of this port.
• If the received configuration BPDU has a higher priority than that of the configuration BPDU
generated by the port, the device replaces the content of the configuration BPDU generated by the
port with the content of the received configuration BPDU.
Step 2: The device compares the configuration BPDUs of all the ports and chooses the optimum
configuration BPDU.
Principles for configuration BPDU comparison:
• The configuration BPDU that has the lowest root bridge ID has the highest priority.
• If all configuration BPDUs have the same root bridge ID, they are compared for their root path
costs. If the root path cost in a configuration BPDU plus the path cost corresponding to this port is S,
the configuration BPDU with the smallest S value has the highest priority.
• If all configuration BPDUs have the same root path cost, the following fields are compared
sequentially: designated bridge IDs, designated port IDs, and then the IDs of the ports on which the
configuration BPDUs are received. The smaller these values, the higher the priority of the
configuration BPDU.
• Selection of the root bridge
At network initialization, each STP-compliant device on the network assumes itself to be the root bridge,
with the root bridge ID being its own bridge ID. By exchanging configuration BPDUs, the devices
compare one another’s configuration BPDU priority. The device with the highest configuration BPDU
priority is elected as the root bridge.
• Selection of the root port and designated ports
The process of selecting the root port and designated ports is as follows:
Table 1-3 Selection of the root port and designated ports
Step 1: A non-root-bridge device takes the port on which the optimum configuration BPDU was
received as the root port.
Step 2: Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of the rest ports:
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
• The root path cost is replaced with that of the configuration BPDU of the root port plus the path
cost corresponding to the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.
Step 3: The device compares the calculated configuration BPDU with the configuration BPDU on the
port whose role is to be determined, and acts as follows based on the comparison result:
• If the calculated configuration BPDU is superior, this port will serve as the designated port, and the
configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will
be sent out periodically.
• If the configuration BPDU on the port is superior, the device stops updating the configuration
BPDUs of the port and blocks the port, so that the port only receives configuration BPDUs, but does
not forward data or send configuration BPDUs.
When the network topology is stable, only the root port and designated ports forward traffic, while other
ports are all in the blocked state – they only receive STP packets but do not forward user traffic.
Once the root bridge, the root port on each non-root bridge, and designated ports have been
successfully elected, the entire tree-shaped topology has been constructed. At this stage, “STP
convergence” is complete.
2) Example of how the STP algorithm works
The following is an example of how the STP algorithm works. The specific network diagram is shown in
Figure 1-2. The priority of Device A is 0, the priority of Device B is 1, the priority of Device C is 2, and the
path costs of these links are 5, 10 and 4 respectively.
Figure 1-2 Network diagram for STP algorithm
• Initial state of each device
The following table shows the initial state of each device.
Table 1-4 Initial state of each device
Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}
Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}
Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}
• Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 1-5 Comparison process and result on each device
Device A
Comparison process:
• Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the
configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU,
and discards the received configuration BPDU.
• Port AP2 receives the configuration BPDU of Device C {2, 0, 2, CP1}. Device A finds that the BPDU
of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and discards the
received configuration BPDU.
• Device A finds that both the root bridge and designated bridge in the configuration BPDUs of all its
ports are Device A itself, so it assumes itself to be the root bridge. In this case, it does not make any
change to the configuration BPDU of each port, and starts sending out configuration BPDUs
periodically.
BPDU of port after comparison:
AP1: {0, 0, 0, AP1}
AP2: {0, 0, 0, AP2}
Device B
Comparison process:
• Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the
received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1},
and updates the configuration BPDU of BP1.
• Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}. Device B finds that the
configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU,
and discards the received configuration BPDU.
BPDU of port after comparison:
BP1: {0, 0, 0, AP1}
BP2: {1, 0, 1, BP2}
Comparison process (continued):
• Device B compares the configuration BPDUs of all its ports, and determines that the configuration
BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the
configuration BPDUs of which will not be changed.
• Based on the configuration BPDU of BP1 and the path cost of the root port (5), Device B calculates
a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.
• Device B compares the calculated configuration BPDU {0, 5, 1, BP2} with the configuration BPDU
of BP2. If the calculated BPDU is superior, BP2 will act as the designated port, and the configuration
BPDU on this port will be replaced with the calculated configuration BPDU, which will be sent out
periodically.
BPDU of port after comparison:
Root port BP1: {0, 0, 0, AP1}
Designated port BP2: {0, 5, 1, BP2}
Device C
Comparison process:
• Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the
received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1},
and updates the configuration BPDU of CP1.
• Port CP2 receives the configuration BPDU of port BP2 of Device B {1, 0, 1, BP2} before the
message was updated. Device C finds that the received configuration BPDU is superior to the
configuration BPDU of the local port {2, 0, 2, CP2}, and updates the configuration BPDU of CP2.
BPDU of port after comparison:
CP1: {0, 0, 0, AP2}
CP2: {1, 0, 1, BP2}
By comparison:
• The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified
as the root port, the configuration BPDUs of which will not be changed.
• Device C compares the calculated designated port configuration BPDU {0, 10, 2, CP2} with the
configuration BPDU of CP2, and CP2 becomes the designated port, and the configuration BPDU of
this port will be replaced with the calculated configuration BPDU.
BPDU of port after comparison:
Root port CP1: {0, 0, 0, AP2}
Designated port CP2: {0, 10, 2, CP2}
Comparison process (continued):
• Next, port CP2 receives the updated configuration BPDU of Device B {0, 5, 1, BP2}. Because the
received configuration BPDU is superior to its old one, Device C launches a BPDU update process.
• At the same time, port CP1 receives configuration BPDUs periodically from Device A. Device C
does not launch an update process after comparison.
BPDU of port after comparison:
CP1: {0, 0, 0, AP2}
CP2: {0, 5, 1, BP2}
By comparison:
• Because the root path cost of CP2 (9) (root path cost of the BPDU (5) + path cost corresponding to
CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost
corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected
as the root port, the messages of which will not be changed.
• After comparison between the configuration BPDU of CP1 and the calculated designated port
configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port remaining
unchanged, and the port will not receive data from Device A until a spanning tree calculation
process is triggered by a new condition, for example, the link from Device B to Device C going
down.
BPDU of port after comparison:
Blocked port CP1: {0, 0, 0, AP2}
Root port CP2: {0, 5, 1, BP2}
After the comparison processes described in the table above, a spanning tree with Device A as the root
bridge is stabilized, as shown in Figure 1-3.
Figure 1-3 The final calculated spanning tree
To facilitate description, the spanning tree calculation process in this example is simplified, while the
actual process is more complicated.
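The election traced in Tables 1-2 to 1-5 above, as an added Python simulation that is not part of the manual: it runs the BPDU comparison and the root port / designated port / blocked port selection on the Figure 1-2 topology, with bridge IDs reduced to the priorities 0, 1 and 2, port IDs assumed to be (priority 128, port number), and link costs 5 (A-B), 10 (A-C) and 4 (B-C); message age and the timers are left out, as in the manual's simplified walk-through.

```python
"""Simulation of the STP election in Tables 1-2 to 1-5 on the topology of
Figure 1-2.  Added example, not H3C code: bridge IDs are the priorities of the
example (A=0, B=1, C=2), port IDs are assumed to be (priority 128, port number),
and the link costs are 5 (A-B), 10 (A-C) and 4 (B-C)."""

ROOT_PORT, DESIGNATED, BLOCKED = "root port", "designated", "blocked"


class Port:
    def __init__(self, bridge, name, number, cost):
        self.name = name                   # display name, e.g. "BP2"
        self.id = (128, number)            # port ID: default priority 128 + number
        self.cost = cost                   # path cost of the link on this port
        self.peer = None                   # port at the far end of the link
        self.bpdu = bridge.own_bpdu(self)  # stored configuration BPDU
        self.role = DESIGNATED             # initially every port sends BPDUs

    def receive(self, bpdu):
        # Table 1-2 step 1: a superior BPDU replaces the port's BPDU, an inferior
        # one is discarded.  BPDUs are tuples (root ID, root path cost, designated
        # bridge ID, designated port ID) compared field by field; smaller wins.
        if bpdu < self.bpdu:
            self.bpdu = bpdu


class Bridge:
    def __init__(self, bridge_id):
        self.id = bridge_id
        self.ports = {}
        self.is_root = True
        self.root_cost = 0

    def add_port(self, name, number, cost):
        self.ports[name] = Port(self, name, number, cost)
        return self.ports[name]

    def own_bpdu(self, port):
        # Initial state: this device is root at cost 0 and its own designated bridge.
        return (self.id, 0, self.id, port.id)

    def select_roles(self):
        # Only BPDUs received from other bridges can make a port the root port;
        # a port's own BPDU names this bridge as the designated bridge.
        received = [p for p in self.ports.values() if p.bpdu[2] != self.id]
        if not received:
            # All ports still name this device as root: it is the root bridge and
            # all of its ports are designated (Table 1-5, Device A).
            self.is_root, self.root_cost = True, 0
            for p in self.ports.values():
                p.role, p.bpdu = DESIGNATED, self.own_bpdu(p)
            return
        # Table 1-2 order: root ID, root path cost + cost of the receiving port
        # (the manual's "S"), designated bridge ID, designated port ID, then the
        # receiving port's own ID.
        root_port = min(received, key=lambda p: (p.bpdu[0], p.bpdu[1] + p.cost,
                                                 p.bpdu[2], p.bpdu[3], p.id))
        self.is_root = False
        self.root_cost = root_port.bpdu[1] + root_port.cost
        root_port.role = ROOT_PORT
        for p in self.ports.values():
            if p is root_port:
                continue
            # Table 1-3 step 2: designated-port BPDU derived from the root port.
            calc = (root_port.bpdu[0], self.root_cost, self.id, p.id)
            # Table 1-3 step 3: a superior calculated BPDU makes the port designated;
            # otherwise the port is blocked and keeps the BPDU it received.
            if p.bpdu[2] == self.id or calc < p.bpdu:
                p.role, p.bpdu = DESIGNATED, calc
            else:
                p.role = BLOCKED


def link(p, q):
    p.peer, q.peer = q, p


def converge(bridges, max_rounds=20):
    """Run hello rounds until no port changes role or BPDU; return the round count."""
    state = lambda: [(p.role, p.bpdu) for b in bridges for p in b.ports.values()]
    for rnd in range(1, max_rounds + 1):
        before = state()
        # Designated ports send every hello time; root and blocked ports only
        # listen.  Collect first so that delivery order does not matter.
        sent = [(p.peer, p.bpdu) for b in bridges
                for p in b.ports.values() if p.role == DESIGNATED]
        for peer, bpdu in sent:
            peer.receive(bpdu)
        for b in bridges:
            b.select_roles()
        if state() == before:
            return rnd
    raise RuntimeError("spanning tree did not converge")


def build_example():
    """Figure 1-2: Devices A/B/C with priorities 0/1/2 and link costs 5, 10, 4."""
    a, b, c = Bridge(0), Bridge(1), Bridge(2)
    ap1, ap2 = a.add_port("AP1", 1, 5), a.add_port("AP2", 2, 10)
    bp1, bp2 = b.add_port("BP1", 1, 5), b.add_port("BP2", 2, 4)
    cp1, cp2 = c.add_port("CP1", 1, 10), c.add_port("CP2", 2, 4)
    link(ap1, bp1), link(ap2, cp1), link(bp2, cp2)
    return a, b, c
```

Running `converge(list(build_example()))` reproduces the manual's result: Device A is the root bridge, BP1 and CP2 are root ports, BP2 is designated with {0, 5, 1, BP2}, and CP1 is blocked while still holding {0, 0, 0, AP2}.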
3) The BPDU forwarding mechanism in STP
• Upon network initiation, every switch regards itself as the root bridge, generates configuration
BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
• If it is the root port that received the configuration BPDU and the received configuration BPDU is
superior to the configuration BPDU of the port, the device increases the message age carried in the
configuration BPDU by a certain rule and starts a timer to time the configuration BPDU while it sends
out this configuration BPDU through the designated port.
• If the configuration BPDU received on the designated port has a lower priority than the
configuration BPDU of the local port, the port immediately sends out its better configuration
BPDU in response.
• If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs
and the old configuration BPDUs will be discarded due to timeout. In this case, the device
generates configuration BPDUs with itself as the root bridge and sends configuration BPDUs and
TCN BPDUs. This triggers a new spanning tree calculation so that a new path is established to
restore the network connectivity.
However, the newly calculated configuration BPDU will not be propagated throughout the network
immediately, so the old root ports and designated ports that have not detected the topology change
continue forwarding data through the old path. If the new root port and designated port begin to forward
data as soon as they are elected, a temporary loop may occur.
4)
STP timers
The following three time parameters are important for STP calculation:
z
Forward delay, the period a device waits before state transition.
A link failure triggers a new round of spanning tree calculation and results in changes of the spanning
tree. However, as new configuration BPDUs cannot be propagated throughout the network immediately,
if the new root port and designated port begin to forward data as soon as they are elected, loops may
temporarily occur.
1-9
For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and
the designated ports must go through a period, which is twice the forward delay time, before they transit
to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout
the entire network.
z
Hello time, the interval for sending hello packets. Hello packets are used to check link state.
A switch sends hello packets to its neighboring devices at a regular interval (the hello time) to check
whether the links are faulty.
• Max time, lifetime of the configuration BPDUs stored in a switch. A configuration BPDU that has
“expired” is discarded by the switch.
Rapid Spanning Tree Protocol Overview
Rapid spanning tree protocol (RSTP) is an optimized version of STP. RSTP allows a newly elected root
port or designated port to enter the forwarding state much quicker under certain conditions than in STP.
As a result, it takes a shorter time for the network to reach the final topology stability.
• In RSTP, the state of a root port can transit fast under the following conditions: the old root port on
the device has stopped forwarding data and the upstream designated port has started forwarding
data.
• In RSTP, the state of a designated port can transit fast under the following conditions: the
designated port is an edge port or a port connected with a point-to-point link. If the designated port
is an edge port, it can enter the forwarding state directly; if the designated port is connected with a
point-to-point link, it can enter the forwarding state immediately after the device undergoes
handshake with the downstream device and gets a response.
Multiple Spanning Tree Protocol Overview
Why MSTP
1) Disadvantages of STP and RSTP
STP does not support rapid state transition of ports. A newly elected root port or designated port must
wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a
point-to-point link or it is an edge port (an edge port refers to a port that directly connects to a user
terminal rather than to another device or a shared LAN segment.)
RSTP supports rapid convergence, but like STP it has the following disadvantages: all bridges in a LAN
are on the same spanning tree; redundant links cannot be blocked by VLAN; the packets of all VLANs
are forwarded along the same spanning tree.
2) Features of MSTP
The multiple spanning tree protocol (MSTP) overcomes the shortcomings of STP and RSTP. In addition
to support for rapid network convergence, it also allows data flows of different VLANs to be forwarded
along their own paths, thus providing a better load sharing mechanism for redundant links.
MSTP features the following:
• MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of
a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple
VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead
and improving resource utilization.
• MSTP divides a switched network into multiple regions, each containing multiple spanning trees
that are independent of one another.
• MSTP prunes a ring network into a network with tree topology, preventing packets from being
duplicated and forwarded in a network endlessly. Furthermore, it offers multiple redundant paths
for forwarding data, and thus achieves load balancing for forwarding VLAN data.
• MSTP is compatible with STP and RSTP.
Basic MSTP Terminology
Figure 1-4 illustrates basic MSTP terms (assuming that MSTP is enabled on each switch in this figure).
Figure 1-4 Basic MSTP terminologies
[Figure: MST regions A0, B0, C0 and D0 connected by the CST and exchanging BPDUs; switches A, B,
C and D are labelled. Region A0: VLAN 1 mapped to MSTI 1, VLAN 2 mapped to MSTI 2, other VLANs
mapped to CIST. Region B0: VLAN 1 mapped to MSTI 1, VLAN 2 mapped to MSTI 2, other VLANs
mapped to CIST. Region C0: VLAN 1 mapped to MSTI 1, VLAN 2 and 3 mapped to MSTI 2, other VLANs
mapped to CIST. Region D0: VLAN 1 mapped to MSTI 1 with B as the regional root bridge, VLAN 2
mapped to MSTI 2 with C as the regional root bridge, other VLANs mapped to CIST.]
1) MST region
A multiple spanning tree region (MST region) comprises multiple physically-interconnected
MSTP-enabled switches and the corresponding network segments connected to these switches. These
switches have the same region name, the same VLAN-to-instance mapping configuration and the same
MSTP revision level.
A switched network can contain multiple MST regions. You can group multiple switches into one MST
region by using the corresponding MSTP configuration commands.
As shown in Figure 1-4, all the switches in region A0 are of the same MST region-related configuration,
including:
• Region name
• VLAN-to-instance mapping (that is, VLAN 1 is mapped to MSTI 1, VLAN 2 is mapped to MSTI 2,
and the other VLANs are mapped to CIST.)
• MSTP revision level (not shown in Figure 1-4)
2) MSTI
A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region.
Multiple spanning trees can be established in one MST region. These spanning trees are independent
of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
Each of these spanning trees corresponds to a VLAN.
3) VLAN-to-instance mapping table
A VLAN-to-instance mapping table is maintained for each MST region. The table is a collection of
mappings between VLANs and MSTIs. For example, in Figure 1-4, the VLAN-to-instance mapping table
of region A0 contains these mappings: VLAN 1 to MSTI 1; VLAN 2 to MSTI 2, and other VLANs to CIST.
In an MST region, load balancing is implemented according to the VLAN-to-instance mapping table.
4) IST
An internal spanning tree (IST) is a spanning tree in an MST region.
ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST)
of the entire switched network. An IST is a special MSTI; it is a branch of CIST in the MST region.
In Figure 1-4, each MST region has an IST, which is a branch of the CIST.
5) CST
A common spanning tree (CST) is a single spanning tree in a switched network that connects all MST
regions in the network. If you regard each MST region in the network as a “switch”, then the CST is the
spanning tree generated by STP or RSTP running on the "switches". For example, the red lines in
Figure 1-4 represent the CST.
6) CIST
A common and internal spanning tree (CIST) is the spanning tree in a switched network that connects
all switches in the network. It comprises the ISTs and the CST.
In Figure 1-4, the ISTs in the MST regions and the CST connecting the MST regions form the CIST.
7) Region root
A region root is the root of the IST or an MSTI in an MST region. Different spanning trees in an MST
region may have different topologies and thus have different region roots.
In region D0 shown in Figure 1-4, the region root of MSTI 1 is switch B, and the region root of MSTI 2 is
switch C.
8) Common root bridge
The common root bridge is the root of the CIST. The common root bridge of the network shown in Figure
1-4 is a switch in region A0.
9) Port role
MSTP calculation involves the following port roles: root port, designated port, master port, region
boundary port, alternate port, and backup port.
• A root port is used to forward packets to the root.
• A designated port is used to forward packets to a downstream network segment or switch.
• A master port connects an MST region to the common root. The path from the master port to the
common root is the shortest path between the MST region and the common root. In the CST, the
master port is the root port of the region, which is considered as a node. The master port is a
special boundary port. It is a root port in the IST/CIST while a master port in the other MSTIs.
• A region boundary port is located on the boundary of an MST region and is used to connect one
MST region to another MST region, an STP-enabled region or an RSTP-enabled region.
• An alternate port is a secondary port of a root port or master port and is used for rapid transition.
With the root port or master port being blocked, the alternate port becomes the new root port or
master port.
• A backup port is the secondary port of a designated port and is used for rapid transition. With the
designated port being blocked, the backup port becomes the new designated port fast and begins
to forward data seamlessly. When two ports of an MSTP-enabled switch are interconnected, the
switch blocks one of the two ports to eliminate the loop that occurs. The blocked port is the backup
port.
In Figure 1-5, switch A, switch B, switch C, and switch D form an MST region. Port 1 and port 2 on
switch A connect upstream to the common root. Port 5 and port 6 on switch C form a loop. Port 3 and
port 4 on switch D connect downstream to other MST regions. This figure shows the roles these ports
play.
• A port can play different roles in different MSTIs.
• The role a region boundary port plays in an MSTI is consistent with the role it plays in the CIST. The
master port, which is a root port in the CIST while a master port in the other MSTIs, is an exception.
• For example, in Figure 1-5, port 1 on switch A is a region boundary port. It is a root port in the CIST
while a master port in all the other MSTIs in the region.
Figure 1-5 Port roles
10) Port state
In MSTP, a port can be in one of the following three states:
• Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets.
• Learning state. Ports in this state can receive/send BPDU packets but do not forward user packets.
• Discarding state. Ports in this state can only receive BPDU packets.
Port roles and port states are not mutually dependent. Table 1-6 lists possible combinations of port
states and port roles.
Table 1-6 Combinations of port states and port roles
Port state    Root/master port  Region boundary port  Designated port  Alternate port  Backup port
Forwarding    √                 √                     √                —               —
Learning      √                 √                     √                —               —
Discarding    √                 √                     √                √               √
Principle of MSTP
MSTP divides a Layer 2 network into multiple MST regions. The CSTs are generated between these
MST regions, and multiple spanning trees (also called MSTIs) can be generated in each MST region.
Like RSTP, MSTP uses configuration BPDUs for spanning tree calculation. The only difference is that
the configuration BPDUs for MSTP carry the MSTP configuration information on the switches.
1) Calculate the CIST
Through comparing configuration BPDUs, the switch of the highest priority in the network is selected as
the root of the CIST. In each MST region, an IST is calculated by MSTP. At the same time, MSTP
regards each MST region as a switch to calculate the CSTs of the network. The CSTs, together with the
ISTs, form the CIST of the network.
2) Calculate an MSTI
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. MSTP performs a separate calculation process, which is similar to
spanning tree calculation in STP, for each spanning tree. For details, refer to How STP works.
In MSTP, a VLAN packet is forwarded along the following paths:
• Within an MST region, the packet is forwarded along the corresponding MSTI.
• Between two MST regions, the packet is forwarded along the CST.
MSTP Implementation on Switches
MSTP is compatible with both STP and RSTP. That is, MSTP-enabled switches can recognize the
protocol packets of STP and RSTP and use them for their respective spanning tree calculation.
The S5100 series switches support MSTP. After MSTP is enabled on an S5100 series switch, the switch
operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol,
you can use commands to configure the S5100 series switch to operate in STP-compatible mode or
RSTP-compatible mode (see Configuring the MSTP Operation Mode for more information):
• In STP-compatible mode, all ports of the S5100 series switch send out STP BPDUs.
• In RSTP-compatible mode, all ports of the S5100 series switch send out RSTP BPDUs.
In addition to the basic MSTP functions, H3C series switches also provide the following functions for
users to manage their switches.
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU attack guard
• BPDU packet drop
Protocols and Standards
MSTP is documented in:
• IEEE 802.1D: spanning tree protocol
• IEEE 802.1w: rapid spanning tree protocol
• IEEE 802.1s: multiple spanning tree protocol
MSTP Configuration Task List
Before configuring MSTP, you need to know the position of each device in each MSTI: root bridge or
leaf node. In each MSTI, one and only one device acts as the root bridge, while all the others act as
leaf nodes.
Complete these tasks to configure MSTP:
Task                                                                    Remarks
Configuring Root Bridge
  Enabling MSTP                                                         Required
    To prevent network topology jitter caused by other related configurations, you are recommended
    to enable MSTP after other related configurations are performed.
  Configuring an MST Region                                             Required
  Specifying the Current Switch as a Root Bridge/Secondary Root Bridge  Required
  Configuring the Bridge Priority of the Current Switch                 Optional
    The priority of a switch cannot be changed after the switch is specified as the root bridge or a
    secondary root bridge.
  Configuring How a Port Recognizes and Sends MSTP Packets              Optional
  Configuring the MSTP Operation Mode                                   Optional
  Configuring the Maximum Hop Count of an MST Region                    Optional
  Configuring the Network Diameter of the Switched Network              Optional
    The default value is recommended.
  Configuring the MSTP Time-related Parameters                          Optional
    The default values are recommended.
  Configuring the Timeout Time Factor                                   Optional
  Configuring the Maximum Transmitting Rate on the Current Port         Optional
    The default value is recommended.
  Configuring the Current Port as an Edge Port                          Optional
  Setting the Link Type of a Port to P2P                                Optional
Configuring Leaf Nodes
  Enabling MSTP                                                         Required
    To prevent network topology jitter caused by other related configurations, you are recommended
    to enable MSTP after performing other configurations.
  Configuring an MST Region                                             Required
  Configuring How a Port Recognizes and Sends MSTP Packets              Optional
  Configuring the Timeout Time Factor                                   Optional
  Configuring the Maximum Transmitting Rate on the Current Port         Optional
    The default value is recommended.
  Configuring the Current Port as an Edge Port                          Optional
  Configuring the Path Cost for a Port                                  Optional
  Configuring Port Priority                                             Optional
  Setting the Link Type of a Port to P2P                                Optional
Performing mCheck Operation                                             Optional
Configuring Guard Functions                                             Optional
Configuring Digest Snooping                                             Optional
Configuring Rapid Transition                                            Optional
Configuring VLAN-VPN Tunnel                                             Optional
MSTP Maintenance Configuration                                          Optional
Enabling Trap Messages Conforming to 802.1d Standard                    Optional
In a network containing switches with both GVRP and MSTP enabled, GVRP messages travel along
the CIST. If you want to advertise a VLAN through GVRP, be sure to map the VLAN to the CIST (MSTI
0) when configuring the VLAN-to-instance mapping table.
Configuring Root Bridge
Configuring an MST Region
Configuration procedure
Follow these steps to configure an MST region:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Enter MST region view                   stp region-configuration            —
Configure the name of the MST region    region-name name                    Required
    The default MST region name of a switch is its MAC address.
Configure the VLAN-to-instance mapping  instance instance-id vlan vlan-list Required
table for the MST region                or
                                        vlan-mapping modulo modulo
    Both commands can be used to configure VLAN-to-instance mapping tables.
    By default, all VLANs in an MST region are mapped to MSTI 0.
Configure the MSTP revision level for   revision-level level                Required
the MST region
    The default revision level of an MST region is level 0.
Activate the configuration of the MST   active region-configuration         Required
region manually
Display the configuration of the        check region-configuration          Optional
current MST region
Display the currently valid             display stp region-configuration    Available in any view
configuration of the MST region
Neighbor Topology Discovery Protocol (NTDP) packets sent by devices in a cluster can only be
transmitted within the MSTI where the management VLAN of the cluster resides. For more information
about clusters and the NTDP protocol, see Cluster Operation.
Configuring MST region-related parameters (especially the VLAN-to-instance mapping table) results in
spanning tree recalculation and network topology jitter. To reduce network topology jitter caused by the
configuration, MSTP does not recalculate spanning trees immediately after the configuration; it does
this only after you perform one of the following operations, and only then does the configuration really
take effect:
• Activate the new MST region-related settings by using the active region-configuration command
• Enable MSTP by using the stp enable command
• MSTP-enabled switches are in the same region only when they have the same format selector (an
802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region
name, VLAN-to-instance mapping table, and revision level.
• H3C series switches support configuring only the MST region name, VLAN-to-instance mapping
table, and revision level. Switches with the same settings for these parameters are assigned to the
same MST region.
Configuration example
# Configure an MST region named info, the MSTP revision level being level 1, VLAN 2 through VLAN
10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2.
<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] region-name info
[Sysname-mst-region] instance 1 vlan 2 to 10
[Sysname-mst-region] instance 2 vlan 20 to 30
[Sysname-mst-region] revision-level 1
[Sysname-mst-region] active region-configuration
# Verify the above configuration.
[Sysname-mst-region] check region-configuration
 Admin configuration
   Format selector    :0
   Region name        :info
   Revision level     :1
   Instance   Vlans Mapped
      0       1, 11 to 19, 31 to 4094
      1       2 to 10
      2       20 to 30
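The same region configuration as an added Python model (example code written for this edition, not part of the H3C manual or the switch software): it replays the instance and revision-level commands above, prints the instance-to-VLAN table in the same layout as check region-configuration, and compares two switches' settings the way MSTP does when deciding whether they share a region. The region and switch names are constructed, and the vlan-mapping modulo rule used here ((VLAN ID - 1) mod modulo + 1) is an assumption to verify against the command reference, since the manual only names the command.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_VLAN = 4094   # 802.1Q VLAN IDs run from 1 to 4094
CIST = 0          # MSTI 0 is the CIST; every VLAN maps there until told otherwise


def _default_mapping() -> Dict[int, int]:
    return {v: CIST for v in range(1, MAX_VLAN + 1)}


@dataclass
class MstRegion:
    """Settings entered in 'stp region-configuration' view on one switch."""
    name: str                          # region-name (a real switch defaults to its MAC)
    revision_level: int = 0            # revision-level, default 0
    format_selector: int = 0           # fixed by 802.1s, not configurable
    mapping: Dict[int, int] = field(default_factory=_default_mapping)

    def instance_vlan(self, instance_id: int, first: int, last: Optional[int] = None) -> None:
        """'instance <id> vlan <first> [to <last>]'."""
        for v in range(first, (first if last is None else last) + 1):
            self.mapping[v] = instance_id

    def vlan_mapping_modulo(self, modulo: int) -> None:
        """'vlan-mapping modulo <m>'. Assumed rule for this example:
        VLAN v -> MSTI ((v - 1) mod m) + 1, so VLANs 1..m fill MSTIs 1..m and
        VLAN m+1 wraps to MSTI 1."""
        if modulo < 1:
            raise ValueError("modulo must be at least 1")
        for v in self.mapping:
            self.mapping[v] = (v - 1) % modulo + 1

    def vlans_by_instance(self) -> Dict[int, List[int]]:
        """Invert the table: MSTI -> sorted VLAN list."""
        out: Dict[int, List[int]] = {}
        for v in sorted(self.mapping):
            out.setdefault(self.mapping[v], []).append(v)
        return dict(sorted(out.items()))

    def identity(self) -> Tuple:
        """The four values that must match for two switches to be in one MST region."""
        return (self.format_selector, self.name, self.revision_level,
                tuple(sorted(self.mapping.items())))

    def same_region(self, other: "MstRegion") -> bool:
        return self.identity() == other.identity()

    def check_region_configuration(self) -> List[str]:
        """Lines laid out like the 'check region-configuration' output above."""
        lines = [f"Format selector :{self.format_selector}",
                 f"Region name     :{self.name}",
                 f"Revision level  :{self.revision_level}",
                 "Instance   Vlans Mapped"]
        for inst, vlans in self.vlans_by_instance().items():
            lines.append(f"   {inst:<8}{vlan_ranges(vlans)}")
        return lines


def vlan_ranges(vlans: List[int]) -> str:
    """Collapse a sorted VLAN list into the CLI's '1, 11 to 19, 31 to 4094' form."""
    parts: List[str] = []
    i = 0
    while i < len(vlans):
        j = i
        while j + 1 < len(vlans) and vlans[j + 1] == vlans[j] + 1:
            j += 1
        parts.append(str(vlans[i]) if i == j else f"{vlans[i]} to {vlans[j]}")
        i = j + 1
    return ", ".join(parts)


def region_from_example() -> MstRegion:
    """Replays the manual's example: region 'info', revision 1,
    VLAN 2-10 -> MSTI 1, VLAN 20-30 -> MSTI 2."""
    region = MstRegion(name="info")
    region.instance_vlan(1, 2, 10)
    region.instance_vlan(2, 20, 30)
    region.revision_level = 1
    return region


if __name__ == "__main__":
    info = region_from_example()
    print("\n".join(info.check_region_configuration()))
    # A neighbour whose table differs in a single VLAN (VLAN 3 -> MSTI 2, as in
    # region C0 of Figure 1-4) lands in a different region despite equal name/revision.
    neighbour = region_from_example()
    neighbour.instance_vlan(2, 3)
    print("same region:", info.same_region(neighbour))
```

The identity tuple is the operational check behind the note above: a switch whose VLAN-to-instance table, region name or revision level differs by even one entry forms its own region, so after editing the mapping on one switch, compare check region-configuration output on every switch that is meant to share the region.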
Specifying the Current Switch as a Root Bridge/Secondary Root Bridge
MSTP can automatically choose a switch as a root bridge through calculation. You can also manually
specify the current switch as a root bridge by using the corresponding commands.
Specify the current switch as the root bridge of a spanning tree
Follow these steps to specify the current switch as the root bridge of a spanning tree:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Specify the current switch as the root  stp [ instance instance-id ] root   Required
bridge of a spanning tree               primary [ bridge-diameter
                                        bridgenumber [ hello-time
                                        centi-seconds ] ]
Specify the current switch as the secondary root bridge of a spanning tree
Follow these steps to specify the current switch as the secondary root bridge of a spanning tree:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Specify the current switch as the       stp [ instance instance-id ] root   Required
secondary root bridge of a specified    secondary [ bridge-diameter
spanning tree                           bridgenumber [ hello-time
                                        centi-seconds ] ]
Using the stp root primary/stp root secondary command, you can specify the current switch as the
root bridge or the secondary root bridge of the MSTI identified by the instance-id argument. If the value
of the instance-id argument is set to 0, the stp root primary/stp root secondary commands specify the
current switch as the root bridge or the secondary root bridge of the CIST.
A switch can play different roles in different MSTIs. That is, it can be the root bridge in one MSTI and a
secondary root bridge in another MSTI at the same time. But in the same MSTI, a switch cannot be
the root bridge and the secondary root bridge simultaneously.
When the root bridge fails or is turned off, the secondary root bridge becomes the root bridge if no new
root bridge is configured. If you configure multiple secondary root bridges for an MSTI, the one with the
smallest MAC address replaces the root bridge when the latter fails.
You can specify the network diameter and the hello time parameters while configuring a root
bridge/secondary root bridge. Refer to Configuring the Network Diameter of the Switched Network and
Configuring the MSTP Time-related Parameters for information about the network diameter parameter
and the hello time parameter.
• You can configure a switch as the root bridges of multiple MSTIs. But you cannot configure two or
more root bridges for one MSTI. So, do not configure root bridges for the same MSTI on two or
more switches using the stp root primary command.
• You can configure multiple secondary root bridges for one MSTI. That is, you can configure
secondary root bridges for the same MSTI on two or more switches using the stp root secondary
command.
• You can also configure the current switch as the root bridge by setting the priority of the switch to 0.
Note that once a switch is configured as the root bridge or a secondary root bridge, its priority
cannot be modified.
Configuration example
# Configure the current switch as the root bridge of MSTI 1 and a secondary root bridge of MSTI 2.
<Sysname> system-view
[Sysname] stp instance 1 root primary
[Sysname] stp instance 2 root secondary
Configuring the Bridge Priority of the Current Switch
Root bridges are selected according to the bridge priorities of switches. You can make a specific switch
be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch
can have different bridge priorities in different MSTIs.
Configuration procedure
Follow these steps to configure the bridge priority of the current switch:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Set the bridge priority for the         stp [ instance instance-id ]        Required
current switch                          priority priority
    The default bridge priority of a switch is 32,768.
• Once you specify a switch as the root bridge or a secondary root bridge by using the stp root
primary or stp root secondary command, the bridge priority of the switch cannot be configured
any more.
• During the selection of the root bridge, if multiple switches have the same bridge priority, the one
with the smallest MAC address becomes the root bridge.
Configuration example
# Set the bridge priority of the current switch to 4,096 in MSTI 1.
<Sysname> system-view
[Sysname] stp instance 1 priority 4096
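Root bridge election as an added Python example (not code from the manual or the switch): bridge IDs are compared as (priority, MAC), so the lowest priority wins and the smallest MAC breaks ties, which is also why the secondary root bridge with the smallest MAC takes over when the root fails. It also enforces the two rules from the previous section: priority is locked once stp root primary/secondary has been applied, and one MSTI may not have two primary roots. The switch names and MAC addresses are constructed; modelling stp root primary as priority 0 and stp root secondary as priority 4096, and the 0 to 61440 range in steps of 4096, are assumptions made for this example rather than statements from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 32768
# Assumption for this example: 'stp root primary' / 'stp root secondary' act as
# priority 0 / 4096 in the selected MSTI. The manual only says that priority 0
# also yields the root and that the priority is locked afterwards.
ROOT_PRIMARY_PRIORITY = 0
ROOT_SECONDARY_PRIORITY = 4096


def mac_to_int(mac: str) -> int:
    """'000f-e200-0001' (H3C notation) or 'aa:bb:cc:dd:ee:ff' -> integer for tie-breaking."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


@dataclass
class Bridge:
    name: str
    mac: str                                                 # constructed in demo()
    priority: Dict[int, int] = field(default_factory=dict)   # MSTI -> priority
    root_role: Dict[int, str] = field(default_factory=dict)  # MSTI -> 'primary'/'secondary'
    up: bool = True

    def stp_priority(self, instance: int, value: int) -> None:
        """'stp instance <id> priority <value>'."""
        if instance in self.root_role:
            raise ValueError(f"{self.name}: priority in MSTI {instance} is locked by "
                             f"'stp root {self.root_role[instance]}'")
        if not 0 <= value <= 61440 or value % 4096:   # assumed range/step, see lead-in
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
        self.priority[instance] = value

    def stp_root(self, instance: int, role: str) -> None:
        """'stp instance <id> root primary|secondary'."""
        if role not in ("primary", "secondary"):
            raise ValueError("role must be 'primary' or 'secondary'")
        if self.root_role.get(instance) not in (None, role):
            raise ValueError(f"{self.name}: cannot be both root and secondary root in MSTI {instance}")
        self.root_role[instance] = role
        self.priority[instance] = ROOT_PRIMARY_PRIORITY if role == "primary" else ROOT_SECONDARY_PRIORITY

    def bridge_id(self, instance: int) -> Tuple[int, int]:
        """Lower priority wins; the smaller MAC breaks a priority tie."""
        return (self.priority.get(instance, DEFAULT_PRIORITY), mac_to_int(self.mac))


def check_single_primary(bridges: List[Bridge], instance: int) -> None:
    """The manual forbids 'stp root primary' for one MSTI on two or more switches."""
    primaries = [b.name for b in bridges if b.root_role.get(instance) == "primary"]
    if len(primaries) > 1:
        raise ValueError(f"MSTI {instance} has several primary roots: {primaries}")


def elect_root(bridges: List[Bridge], instance: int) -> str:
    """Name of the bridge with the lowest bridge ID among the bridges that are up."""
    check_single_primary(bridges, instance)
    return min((b for b in bridges if b.up), key=lambda b: b.bridge_id(instance)).name


def demo() -> Dict[str, str]:
    a = Bridge("SwitchA", "000f-e200-0001")
    b = Bridge("SwitchB", "000f-e200-0002")
    c = Bridge("SwitchC", "000f-e200-0003")
    a.stp_root(1, "primary")          # root of MSTI 1
    b.stp_root(1, "secondary")        # several secondaries for one MSTI are allowed
    c.stp_root(1, "secondary")
    c.stp_priority(2, 4096)           # the manual's example value, in MSTI 2 only
    net = [a, b, c]
    out = {"msti1_root": elect_root(net, 1), "msti2_root": elect_root(net, 2)}
    a.up = False                      # the MSTI 1 root fails ...
    out["msti1_after_root_failure"] = elect_root(net, 1)   # ... smallest-MAC secondary takes over
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because election is purely numeric, the secondary root fallback in the text needs no special handling: once the primary is gone, the secondaries share the next-lowest priority and the smallest MAC among them wins, exactly as the section states.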
Configuring How a Port Recognizes and Sends MSTP Packets
A port can send/recognize MSTP packets of two formats:
• dot1s: 802.1s-compliant standard format
• legacy: Compatible format
By default, the packet format recognition mode of a port is auto, namely the port automatically
distinguishes the two MSTP packet formats, and determines the format of packets it will send based on
the recognized format. You can configure the MSTP packet format to be used by a port. After the
configuration, when working in MSTP mode, the port sends and receives only MSTP packets of the
format you have configured to communicate with devices that send packets of the same format.
Configuration procedure
Follow these steps to configure how a port recognizes and sends MSTP packets (in system view):
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Configure how a port recognizes and     stp interface interface-list        Required
sends MSTP packets                      compliance { auto | dot1s | legacy }
    By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it
    determines the format of packets to be sent according to the format of the packets received.
Follow these steps to configure how a port recognizes and sends MSTP packets (in Ethernet port view):
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Enter Ethernet port view                interface interface-type            —
                                        interface-number
Configure how a port recognizes and     stp compliance { auto | dot1s |     Required
sends MSTP packets                      legacy }
    By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it
    determines the format of packets to be sent according to the format of the packets received.
Configuration example
# Configure GigabitEthernet 1/0/1 to recognize and send packets in dot1s format.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp compliance dot1s
# Restore the default mode for GigabitEthernet 1/0/1 to recognize/send MSTP packets.
[Sysname-GigabitEthernet1/0/1] undo stp compliance
Configuring the MSTP Operation Mode
To make an MSTP-enabled switch compatible with STP/RSTP, MSTP provides the following three
operation modes:
• STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If
STP-enabled switches exist in a switched network, you can use the stp mode stp command to
configure an MSTP-enabled switch to operate in STP-compatible mode.
• RSTP-compatible mode, where the ports of a switch send RSTP BPDUs to neighboring devices. If
RSTP-enabled switches exist in a switched network, you can use the stp mode rstp command to
configure an MSTP-enabled switch to operate in RSTP-compatible mode.
• MSTP mode, where the ports of a switch send MSTP BPDUs or STP BPDUs (if the switch is
connected to STP-enabled switches) to neighboring devices. In this case, the switch is
MSTP-capable.
Configuration procedure
Follow these steps to configure the MSTP operation mode:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Configure the MSTP operation mode       stp mode { stp | rstp | mstp }      Required
    An MSTP-enabled switch operates in the MSTP mode by default.
Configuration example
# Specify the MSTP operation mode as STP-compatible.
<Sysname> system-view
[Sysname] stp mode stp
Configuring the Maximum Hop Count of an MST Region
The maximum hop count configured on the region root is also the maximum hops of the MST region.
The value of the maximum hop count limits the size of the MST region.
A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU,
and a switch discards configuration BPDUs whose remaining hops are 0. After a configuration BPDU
reaches the root bridge of a spanning tree in an MST region, the value of the remaining hops field in
the configuration BPDU is decreased by 1 every time the configuration BPDU passes one switch. This
mechanism prevents the switches that are beyond the maximum hop count from participating in
spanning tree calculation, and thus limits the size of an MST region.
With such a mechanism, the maximum hop count configured on the switch operating as the root bridge
of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree, which
limits the size of the spanning tree in the current MST region. The switches that are not root bridges in
the MST region adopt the maximum hop settings of their root bridges.
Configuration procedure
Follow these steps to configure the maximum hop count for an MST region:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Configure the maximum hop count of the  stp max-hops hops                   Required
MST region
    By default, the maximum hop count of an MST region is 20.
The larger the maximum hop count, the larger the MST region can be. Note that only the maximum hop
setting on the switch operating as a region root limits the size of the MST region.
Configuration example
# Configure the maximum hop count of the MST region to be 30.
<Sysname> system-view
[Sysname] stp max-hops 30
Configuring the Network Diameter of the Switched Network
In a switched network, any two switches can communicate with each other through a specific path
made up of multiple switches. The network diameter of a network is measured by the number of
switches; it equals the number of the switches on the longest path (that is, the path containing the
maximum number of switches).
Configuration procedure
Follow these steps to configure the network diameter of the switched network:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Configure the network diameter of the   stp bridge-diameter bridgenumber    Required
switched network
    The default network diameter of a network is 7.
The network diameter parameter indicates the size of a network. The bigger the network diameter is,
the larger the network size is.
After you configure the network diameter of a switched network, an MSTP-enabled switch adjusts its
hello time, forward delay, and max age settings accordingly to better values.
The network diameter setting only applies to CIST; it is invalid for MSTIs.
Configuration example
# Configure the network diameter of the switched network to 6.
<Sysname> system-view
[Sysname] stp bridge-diameter 6
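The remaining-hops mechanism from Configuring the Maximum Hop Count of an MST Region and the network diameter definition above, as one added Python example (written for this edition, not code from the manual or the switch). The first function floods a configuration BPDU from the region root over a constructed six-switch topology, decrementing remaining hops at every switch and discarding BPDUs that arrive with 0, to show which switches are still inside the region for a given stp max-hops value; the second computes the network diameter as the manual defines it (switches on the longest shortest path). The topology and switch names are constructed.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed region topology: five switches in a chain plus one hanging off B.
#   A - B - C - D - E
#       |
#       F
TOPOLOGY: Dict[str, List[str]] = {
    "A": ["B"],
    "B": ["A", "C", "F"],
    "C": ["B", "D"],
    "D": ["C", "E"],
    "E": ["D"],
    "F": ["B"],
}


def switches_in_region(topology: Dict[str, List[str]], root: str, max_hops: int) -> Set[str]:
    """Switches that take part in spanning tree calculation when the region root is
    configured with 'stp max-hops <max_hops>'.

    The root originates configuration BPDUs with remaining hops = max_hops; every
    other switch decrements the field by 1 before forwarding; a BPDU that arrives
    with 0 remaining hops is discarded, so that switch never joins the tree.
    Breadth-first order reaches each switch over its shortest path first, which
    is the path delivering the largest remaining-hops value."""
    received = {root: max_hops}           # best remaining-hops value seen per switch
    queue = deque([root])
    while queue:
        switch = queue.popleft()
        forwarded = received[switch] - (0 if switch == root else 1)
        for neighbour in topology[switch]:
            if forwarded > received.get(neighbour, -1):
                received[neighbour] = forwarded
                if forwarded > 0:         # only a non-expired BPDU is accepted and relayed
                    queue.append(neighbour)
    return {sw for sw, hops in received.items() if hops > 0}


def network_diameter(topology: Dict[str, List[str]]) -> int:
    """Network diameter as the manual defines it: the number of switches on the
    longest of the shortest paths between any two switches ('stp bridge-diameter')."""
    longest = 0
    for start in topology:
        dist = {start: 0}
        queue = deque([start])
        while queue:
            u = queue.popleft()
            for v in topology[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        longest = max(longest, max(dist.values()) + 1)   # hops + 1 = switches on the path
    return longest


if __name__ == "__main__":
    print("max-hops 20 (default):", sorted(switches_in_region(TOPOLOGY, "A", 20)))
    print("max-hops 3:", sorted(switches_in_region(TOPOLOGY, "A", 3)))
    print("network diameter:", network_diameter(TOPOLOGY))
```

With the default of 20 hops every switch participates; with max-hops 3 and A as region root, E is four switches away, receives a BPDU with 0 remaining hops, discards it and drops out of the region's spanning tree calculation, which is the size limit the section describes. The diameter of this topology is 5, so the manual's default bridge-diameter of 7 would not be reduced for it.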
Configuring the MSTP Time-related Parameters
Three MSTP time-related parameters exist: forward delay, hello time, and max age. You can configure
the three parameters to control the process of spanning tree calculation.
Configuration procedure
Follow these steps to configure MSTP time-related parameters:
To do...                                Use the command...                  Remarks
Enter system view                       system-view                         —
Configure the forward delay parameter   stp timer forward-delay             Required
                                        centiseconds
    The forward delay parameter defaults to 1,500 centiseconds (namely, 15 seconds).
Configure the hello time parameter      stp timer hello centiseconds        Required
    The hello time parameter defaults to 200 centiseconds (namely, 2 seconds).
Configure the max age parameter         stp timer max-age centiseconds      Required
    The max age parameter defaults to 2,000 centiseconds (namely, 20 seconds).
All switches in a switched network adopt the three time-related parameters configured on the CIST root
bridge.
• The forward delay parameter and the network diameter are correlated. Normally, a large network
diameter corresponds to a large forward delay. A forward delay that is too small may result in
temporary redundant paths, and one that is too large may leave the network unable to resume the
normal state in time after changes occur to the network. The default value is recommended.
• An adequate hello time parameter enables a switch to detect link failures in time without occupying
too many network resources. A hello time that is too small may result in duplicated configuration
BPDUs being sent frequently, which increases the work load of the switches and wastes network
resources. The default value is recommended.
• As for the max age parameter, if it is too small, network congestion may be falsely regarded as link
failure, which results in frequent spanning tree recalculation. If it is too large, link problems may not
be detected in time, which prevents spanning trees from being recalculated in time and makes the
network less adaptive. The default value is recommended.
As for the configuration of the three time-related parameters (that is, the hello time, forward delay, and
max age parameters), the following formulas must be met to prevent frequent network jitter.
2 x (forward delay – 1 second) >= max age
Max age >= 2 x (hello time + 1 second)
You are recommended to specify the network diameter of the switched network and the hello time by
using the stp root primary or stp root secondary command. After that, the three proper time-related
parameters are determined automatically.
Configuration example
# Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300
centiseconds, and the max age parameter to be 2,100 centiseconds (assuming that the current switch
operates as the CIST root bridge).
<Sysname> system-view
[Sysname] stp timer forward-delay 1600
[Sysname] stp timer hello 300
[Sysname] stp timer max-age 2100
Configuring the Timeout Time Factor
When the network topology is stable, a non-root-bridge switch regularly forwards BPDUs received from
the root bridge to its neighboring devices at the interval specified by the hello time parameter to check
for link failures. Normally, a switch regards its upstream switch as faulty if it does not receive any
BPDU from the upstream switch within three times the hello time, and then initiates the spanning tree
recalculation process.
Spanning trees may be recalculated even in a steady network if an upstream switch continues to be
busy. You can configure the timeout time factor to a larger number to avoid such cases. Normally, the
timeout time can be four or more times of the hello time. For a steady network, the timeout time can be
five to seven times of the hello time.
Configuration procedure
Follow these steps to configure the timeout time factor:
To do...                                          Use the command...       Remarks
Enter system view                                 system-view              —
Configure the timeout time factor for the switch  stp timer-factor number  Required. The timeout time factor defaults to 3.
For a steady network, the timeout time can be five to seven times the hello time.
Configuration example
# Configure the timeout time factor to be 6.
<Sysname> system-view
[Sysname] stp timer-factor 6
Configuring the Maximum Transmitting Rate on the Current Port
The maximum transmitting rate of a port specifies the maximum number of configuration BPDUs a port
can transmit in a period specified by the hello time parameter. It depends on the physical state of the
port and network structure. You can configure this parameter according to the network.
Configure the maximum transmitting rate for specified ports in system view
Follow these steps to configure the maximum transmitting rate for specified ports in system view:
To do...                                                     Use the command...                                     Remarks
Enter system view                                            system-view                                            —
Configure the maximum transmitting rate for specified ports  stp interface interface-list transmit-limit packetnum  Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10.
Configure the maximum transmitting rate in Ethernet port view
Follow these steps to configure the maximum transmitting rate in Ethernet port view:
To do...                                 Use the command...                         Remarks
Enter system view                        system-view                                —
Enter Ethernet port view                 interface interface-type interface-number  —
Configure the maximum transmitting rate  stp transmit-limit packetnum               Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10.
As the maximum transmitting rate parameter determines the number of the configuration BPDUs
transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many
network resources. The default value is recommended.
Configuration example
# Set the maximum transmitting rate of GigabitEthernet 1/0/1 to 15.
1) Configure the maximum transmitting rate in system view
<Sysname> system-view
[Sysname] stp interface GigabitEthernet 1/0/1 transmit-limit 15
2) Configure the maximum transmitting rate in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp transmit-limit 15
Configuring the Current Port as an Edge Port
Edge ports are ports that neither directly connect to other switches nor indirectly connect to other switches through network segments. After a port is configured as an edge port, the rapid transition mechanism applies to the port. That is, when the port changes from the blocking state to the forwarding state, it does not have to wait for the forward delay.
You can configure a port as an edge port in one of the following two ways.
Configure a port as an edge port in system view
Follow these steps to configure a port as an edge port in system view:
To do...                                     Use the command...                              Remarks
Enter system view                            system-view                                     —
Configure the specified ports as edge ports  stp interface interface-list edged-port enable  Required. By default, all the Ethernet ports of a switch are non-edge ports.
Configure a port as an edge port in Ethernet port view
Follow these steps to configure a port as an edge port in Ethernet port view:
To do...                            Use the command...                         Remarks
Enter system view                   system-view                                —
Enter Ethernet port view            interface interface-type interface-number  —
Configure the port as an edge port  stp edged-port enable                      Required. By default, all the Ethernet ports of a switch are non-edge ports.
On a switch with BPDU guard disabled, an edge port becomes a non-edge port again once it receives a
BPDU from another port.
You are recommended to configure the Ethernet ports connected directly to terminals as edge ports
and enable the BPDU guard function at the same time. This not only enables these ports to turn to the
forwarding state rapidly but also secures your network.
Configuration example
# Configure GigabitEthernet 1/0/1 as an edge port.
1) Configure GigabitEthernet 1/0/1 as an edge port in system view
<Sysname> system-view
[Sysname] stp interface GigabitEthernet 1/0/1 edged-port enable
2) Configure GigabitEthernet 1/0/1 as an edge port in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp edged-port enable
Setting the Link Type of a Port to P2P
A point-to-point link directly connects two switches. If the roles of the two ports at the two ends of a
point-to-point link meet certain criteria, the two ports can turn to the forwarding state rapidly by
exchanging synchronization packets, thus reducing the forward delay.
You can determine whether or not the link connected to a port is a point-to-point link in one of the
following two ways.
Setting the Link Type of a Port to P2P in system view
Follow these steps to specify whether the link connected to a port is a point-to-point link in system view:
To do...                                                               Use the command...                                                                Remarks
Enter system view                                                      system-view                                                                       —
Specify whether the link connected to a port is a point-to-point link  stp interface interface-list point-to-point { force-true | force-false | auto }  Required. The auto keyword is adopted by default.
Setting the Link Type of a Port to P2P in Ethernet port view
Follow these steps to specify whether the link connected to a port is a point-to-point link in Ethernet port view:
To do...                                                               Use the command...                                     Remarks
Enter system view                                                      system-view                                            —
Enter Ethernet port view                                               interface interface-type interface-number              —
Specify whether the link connected to a port is a point-to-point link  stp point-to-point { force-true | force-false | auto }  Required. The auto keyword is adopted by default.
• If you configure the link connected to a port in an aggregation group as a point-to-point link, the configuration is synchronized to the other ports in the same aggregation group.
• If an auto-negotiating port operates in full duplex mode after negotiation, you can configure the link of the port as a point-to-point link.
After you configure the link of a port as a point-to-point link, the configuration applies to all the MSTIs the
port belongs to. If the actual physical link of a port is not a point-to-point link and you forcibly configure
the link as a point-to-point link, loops may occur temporarily.
Configuration example
# Configure the link connected to GigabitEthernet 1/0/1 as a point-to-point link.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface GigabitEthernet 1/0/1 point-to-point force-true
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp point-to-point force-true
Enabling MSTP
Configuration procedure
Follow these steps to enable MSTP in system view:
To do...                         Use the command...                    Remarks
Enter system view                system-view                           —
Enable MSTP                      stp enable                            Required. MSTP is disabled by default.
Disable MSTP on specified ports  stp interface interface-list disable  Optional. By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch.
Follow these steps to enable MSTP in Ethernet port view:
To do...                  Use the command...                         Remarks
Enter system view         system-view                                —
Enable MSTP               stp enable                                 Required. MSTP is disabled by default.
Enter Ethernet port view  interface interface-type interface-number  —
Disable MSTP on the port  stp disable                                Optional. By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch.
Other MSTP-related settings can take effect only after MSTP is enabled on the switch.
Configuration example
# Enable MSTP on the switch and disable MSTP on GigabitEthernet 1/0/1.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] stp enable
[Sysname] stp interface GigabitEthernet 1/0/1 disable
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] stp enable
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp disable
Configuring Leaf Nodes
Configuring the MST Region
Refer to Configuring an MST Region.
Configuring How a Port Recognizes and Sends MSTP Packets
Refer to Configuring How a Port Recognizes and Sends MSTP Packets.
Configuring the Timeout Time Factor
Refer to Configuring the Timeout Time Factor.
Configuring the Maximum Transmitting Rate on the Current Port
Refer to Configuring the Maximum Transmitting Rate on the Current Port.
Configuring a Port as an Edge Port
Refer to Configuring the Current Port as an Edge Port.
Configuring the Path Cost for a Port
The path cost parameter reflects the rate of the link connected to the port. For a port on an
MSTP-enabled switch, the path cost may be different in different MSTIs. You can enable flows of
different VLANs to travel along different physical links by configuring appropriate path costs on ports, so
that VLAN-based load balancing can be implemented.
Path cost of a port can be determined by the switch or through manual configuration.
Standards for calculating path costs of ports
Currently, a switch can calculate the path costs of ports based on one of the following standards:
• dot1d-1998: Adopts the IEEE 802.1D-1998 standard to calculate the default path costs of ports.
• dot1t: Adopts the IEEE 802.1t standard to calculate the default path costs of ports.
• legacy: Adopts the proprietary standard to calculate the default path costs of ports.
Follow these steps to specify the standard for calculating path costs:
To do...                                                                                                      Use the command...                                      Remarks
Enter system view                                                                                             system-view                                             —
Specify the standard for calculating the default path costs of the links connected to the ports of the switch  stp pathcost-standard { dot1d-1998 | dot1t | legacy }  Optional. By default, the legacy standard is used to calculate the default path costs of ports.
Table 1-7 Transmission rates vs. path costs
Rate        Operation mode (half-/full-duplex)  802.1D-1998  IEEE 802.1t  Legacy standard
0           —                                   65,535       200,000,000  200,000
10 Mbps     Half-duplex/Full-duplex             100          2,000,000    2,000
            Aggregated link 2 ports             95           1,000,000    1,800
            Aggregated link 3 ports             95           666,666      1,600
            Aggregated link 4 ports             95           500,000      1,400
100 Mbps    Half-duplex/Full-duplex             19           200,000      200
            Aggregated link 2 ports             15           100,000      180
            Aggregated link 3 ports             15           66,666       160
            Aggregated link 4 ports             15           50,000       140
1,000 Mbps  Full-duplex                         4            20,000       20
            Aggregated link 2 ports             3            10,000       18
            Aggregated link 3 ports             3            6,666        16
            Aggregated link 4 ports             3            5,000        14
10 Gbps     Full-duplex                         2            2,000        2
            Aggregated link 2 ports             1            1,000        1
            Aggregated link 3 ports             1            666          1
            Aggregated link 4 ports             1            500          1
Normally, the path cost of a port operating in full-duplex mode is slightly less than that of a port operating in half-duplex mode.
When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of ports on the aggregated link into account, whereas the 802.1t standard does. The following formula is used to calculate the path cost of an aggregated link:
Path cost = 200,000,000 / link transmission rate
where "link transmission rate" is the sum of the rates of all the unblocked ports on the aggregated link, measured in units of 100 Kbps.
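Added example, not code from the H3C manual: the 802.1t formula above carried through for single and aggregated links and checked against the IEEE 802.1t column of Table 1-7, which is embedded as constructed reference data. It also shows how the cost of an aggregated link rises when member ports become blocked, since only unblocked ports count toward the link transmission rate.

```python
# Added example (not from the H3C manual): IEEE 802.1t default path costs from the
# manual's formula, Path cost = 200,000,000 / link transmission rate (in 100 kbps units),
# for single links and for aggregated links with a given number of unblocked ports.

# Constructed copy of the IEEE 802.1t column of Table 1-7, keyed by (rate in Mbps, ports).
TABLE_1_7_DOT1T = {
    (10, 1): 2_000_000, (10, 2): 1_000_000, (10, 3): 666_666, (10, 4): 500_000,
    (100, 1): 200_000, (100, 2): 100_000, (100, 3): 66_666, (100, 4): 50_000,
    (1000, 1): 20_000, (1000, 2): 10_000, (1000, 3): 6_666, (1000, 4): 5_000,
    (10000, 1): 2_000, (10000, 2): 1_000, (10000, 3): 666, (10000, 4): 500,
}


def dot1t_path_cost(rate_mbps: int, unblocked_ports: int = 1) -> int:
    """802.1t path cost of a link whose unblocked member ports each run at rate_mbps.

    The link transmission rate is the sum of the unblocked ports' rates, expressed in
    units of 100 kbps (1 Mbps = 10 units). Integer division reproduces the truncated
    values in Table 1-7 (for example 666,666 for three 10 Mbps ports).
    """
    if rate_mbps <= 0 or unblocked_ports <= 0:
        return 200_000_000          # Table 1-7 row for rate 0: no usable link
    rate_in_100kbps = rate_mbps * 10 * unblocked_ports
    return 200_000_000 // rate_in_100kbps


def dot1t_root_path_cost(hops) -> int:
    """Root path cost of a bridge: the sum of the 802.1t costs of the links on its path to the root.

    `hops` is a list of (rate_mbps, unblocked_ports) tuples, one per link.
    """
    return sum(dot1t_path_cost(rate, ports) for rate, ports in hops)


def table_1_7_mismatches() -> list:
    """Return the (rate, ports) keys where the formula disagrees with Table 1-7 (empty if none)."""
    return [key for key, cost in TABLE_1_7_DOT1T.items() if dot1t_path_cost(*key) != cost]


if __name__ == "__main__":
    print("Table 1-7 mismatches:", table_1_7_mismatches())          # []
    # A 4-port 1 Gbps aggregation that loses two members: cost rises from 5,000 to 10,000,
    # so a path through it may stop being the cheapest path to the root.
    print(dot1t_path_cost(1000, 4), "->", dot1t_path_cost(1000, 2))
    # Two-hop path (2-port 1 Gbps aggregation, then a single 10 Gbps link).
    print(dot1t_root_path_cost([(1000, 2), (10000, 1)]))             # 12000
```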
Configure the path cost for specific ports
Follow these steps to configure the path cost for specified ports in system view:
To do...                                     Use the command...                                              Remarks
Enter system view                            system-view                                                     —
Configure the path cost for specified ports  stp interface interface-list [ instance instance-id ] cost cost  Required. An MSTP-enabled switch can calculate path costs for all its ports automatically.
Follow these steps to configure the path cost for a port in Ethernet port view:
To do...                              Use the command...                         Remarks
Enter system view                     system-view                                —
Enter Ethernet port view              interface interface-type interface-number  —
Configure the path cost for the port  stp [ instance instance-id ] cost cost     Required. An MSTP-enabled switch can calculate path costs for all its ports automatically.
Changing the path cost of a port may change the role of the port and put it in state transition. Executing
the stp cost command with the instance-id argument being 0 sets the path cost on the CIST for the port.
Configuration example (A)
# Configure the path cost of GigabitEthernet 1/0/1 in MSTI 1 to be 2,000.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface GigabitEthernet 1/0/1 instance 1 cost 2000
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp instance 1 cost 2000
Configuration example (B)
# Configure the path cost of GigabitEthernet 1/0/1 in MSTI 1 to be calculated by the MSTP-enabled
switch according to the IEEE 802.1D-1998 standard.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] undo stp interface GigabitEthernet 1/0/1 instance 1 cost
[Sysname] stp pathcost-standard dot1d-1998
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo stp instance 1 cost
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] stp pathcost-standard dot1d-1998
Configuring Port Priority
Port priority is an important criterion in determining the root port. Other conditions being equal, the port with the smallest port priority value becomes the root port.
A port on an MSTP-enabled switch can have different port priorities and play different roles in different
MSTIs. This enables packets of different VLANs to be forwarded along different physical paths, so that
VLAN-based load balancing can be implemented.
You can configure port priority in one of the following two ways.
Configure port priority in system view
Follow these steps to configure port priority in system view:
To do...                                     Use the command...                                                           Remarks
Enter system view                            system-view                                                                  —
Configure port priority for specified ports  stp interface interface-list instance instance-id port priority priority  Required. The default port priority is 128.
Configure port priority in Ethernet port view
Follow these steps to configure port priority in Ethernet port view:
To do...                              Use the command...                              Remarks
Enter system view                     system-view                                     —
Enter Ethernet port view              interface interface-type interface-number       —
Configure port priority for the port  stp [ instance instance-id ] port priority priority  Required. The default port priority is 128.
Changing the priority of a port may change the role of the port and put the port into state transition.
A smaller port priority value indicates a higher possibility for the port to become the root port. If all the ports of a switch have the same port priority value, the port priorities are determined by the port indexes. Changing the priority of a port causes spanning tree recalculation.
You can configure port priorities according to actual networking requirements.
Configuration example
# Configure the port priority of GigabitEthernet 1/0/1 in MSTI 1 to be 16.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface GigabitEthernet 1/0/1 instance 1 port priority 16
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp instance 1 port priority 16
Setting the Link Type of a Port to P2P
Refer to Setting the Link Type of a Port to P2P.
Enabling MSTP
Refer to Enabling MSTP.
Performing mCheck Operation
Ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible,
and MSTP.
If a port on a device running MSTP (or RSTP) connects to a device running STP, this port automatically migrates to the STP-compatible mode. However, it cannot migrate back to the MSTP (or RSTP) mode automatically, and remains in the STP-compatible mode, under the following circumstances:
• The device running STP is shut down or removed.
• The device running STP migrates to the MSTP (or RSTP) mode.
In such cases, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration Procedure
You can perform the mCheck operation in the following two ways.
Perform the mCheck operation in system view
Follow these steps to perform the mCheck operation in system view:
To do...                       Use the command...                     Remarks
Enter system view              system-view                            —
Perform the mCheck operation   stp [ interface interface-list ] mcheck  Required
Perform the mCheck operation in Ethernet port view
Follow these steps to perform the mCheck operation in Ethernet port view:
To do...                      Use the command...                         Remarks
Enter system view             system-view                                —
Enter Ethernet port view      interface interface-type interface-number  —
Perform the mCheck operation  stp mcheck                                 Required
Configuration Example
# Perform the mCheck operation on GigabitEthernet 1/0/1.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface GigabitEthernet 1/0/1 mcheck
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp mcheck
Configuring Guard Functions
The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop
guard, TC-BPDU attack guard, and BPDU drop.
Configuring BPDU Guard
Normally, the access ports of the devices operating on the access layer are directly connected to
terminals (such as PCs) or file servers. These ports are usually configured as edge ports to achieve
rapid transition. But they resume non-edge ports automatically upon receiving configuration BPDUs,
which causes spanning tree recalculation and network topology jitter.
Normally, no configuration BPDU reaches an edge port. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack with the BPDU guard function. With this function enabled on a switch, the switch shuts down any edge port that receives a configuration BPDU and reports the event to the administrator. Ports shut down in this way can only be restored by the administrator.
You are recommended to enable BPDU guard for devices with edge ports configured.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure BPDU guard:
To do...                         Use the command...   Remarks
Enter system view                system-view          —
Enable the BPDU guard function   stp bpdu-protection  Required. The BPDU guard function is disabled by default.
Configuration example
# Enable the BPDU guard function.
<Sysname> system-view
[Sysname] stp bpdu-protection
Configuring Root Guard
A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should travel along high-speed links may be led onto low-speed links, and network congestion may occur.
You can avoid this problem with the root guard function. Ports with this function enabled can only be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state (rather than becoming a non-designated port) and stops forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.
• You are recommended to enable root guard on the designated ports of a root bridge.
• Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the root guard function in system view:
To do...                                            Use the command...                            Remarks
Enter system view                                   system-view                                   —
Enable the root guard function on specified ports   stp interface interface-list root-protection  Required. The root guard function is disabled by default.
Follow these steps to enable the root guard function in Ethernet port view:
To do...                                           Use the command...                         Remarks
Enter system view                                  system-view                                —
Enter Ethernet port view                           interface interface-type interface-number  —
Enable the root guard function on the current port  stp root-protection                       Required. The root guard function is disabled by default.
Configuration example
# Enable the root guard function on GigabitEthernet 1/0/1.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface GigabitEthernet 1/0/1 root-protection
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp root-protection
Configuring Loop Guard
A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port; the original root port becomes a designated port; and the blocked ports turn to the forwarding state. This may cause loops in the network.
The loop guard function suppresses such loops. With this function enabled, if link congestion or unidirectional link failures occur, both the root port and the blocked ports become designated ports and turn to the discarding state. In this case, they stop forwarding packets, and thereby loops are prevented.
• You are recommended to enable loop guard on the root port and alternate ports of a non-root bridge.
• Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure loop guard:
To do...                                            Use the command...                         Remarks
Enter system view                                   system-view                                —
Enter Ethernet port view                            interface interface-type interface-number  —
Enable the loop guard function on the current port  stp loop-protection                        Required. The loop guard function is disabled by default.
Configuration example
# Enable the loop guard function on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp loop-protection
Configuring TC-BPDU Attack Guard
Normally, a switch removes its MAC address table and ARP entries upon receiving Topology Change BPDUs (TC-BPDUs). If a malicious user sends a large number of TC-BPDUs to a switch in a short period, the switch may be kept busy removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and starts a timer (set to 10 seconds by default) at the same time. Before the timer expires, the switch performs the removing operation only a limited number of times (up to six times by default) regardless of the number of TC-BPDUs it receives. This mechanism prevents a switch from being kept busy removing the MAC address table and ARP entries.
You can use the stp tc-protection threshold command to set the maximum number of times a switch removes the MAC address table and ARP entries in a specific period. While the number of TC-BPDUs received within the period is less than this maximum, the switch performs a removing operation upon receiving each TC-BPDU. Once the number of TC-BPDUs received reaches the maximum, the switch stops performing the removing operation for the rest of the period. For example, if you set the maximum to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period.
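Added example, not H3C's code: a simulation of the TC-BPDU attack guard window described above, showing how many MAC/ARP flushes a burst of TC-BPDUs causes with a given threshold. It assumes the 10-second timer is started by the first TC-BPDU after the previous timer expires; the switch's exact timer semantics are not stated on the page.

```python
# Added example (not from the H3C manual): model of the TC-BPDU attack guard.
# Without the guard every TC-BPDU flushes the MAC address table and ARP entries;
# with it, at most `threshold` flushes happen per 10-second timer window.
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 10.0   # guard timer, 10 seconds by default per the manual


@dataclass
class TcBpduGuard:
    """At most `threshold` MAC/ARP flushes per timer window, however many TC-BPDUs arrive."""
    threshold: int = 6                     # up to six removals per window by default
    window_start: Optional[float] = None   # assumption: the timer starts on the first TC-BPDU
    flushes_in_window: int = 0
    total_flushes: int = 0
    suppressed: int = 0

    def on_tc_bpdu(self, now: float) -> bool:
        """Handle one TC-BPDU received at time `now` (seconds since an arbitrary origin).

        Returns True when the switch flushes its MAC address table and ARP entries,
        False when the guard suppresses the flush because the threshold was reached.
        """
        if self.window_start is None or now - self.window_start >= WINDOW_SECONDS:
            self.window_start = now        # timer expired (or never ran): open a new window
            self.flushes_in_window = 0
        if self.flushes_in_window < self.threshold:
            self.flushes_in_window += 1
            self.total_flushes += 1
            return True
        self.suppressed += 1
        return False


def flushes_for_burst(threshold: int, count: int, spacing_s: float = 0.01) -> int:
    """Number of flushes caused by `count` TC-BPDUs arriving `spacing_s` seconds apart."""
    guard = TcBpduGuard(threshold=threshold)
    return sum(guard.on_tc_bpdu(i * spacing_s) for i in range(count))


if __name__ == "__main__":
    # The manual's example: threshold 100, 200 TC-BPDUs in one period -> 100 flushes.
    print(flushes_for_burst(100, 200))    # 100
    # With the default threshold of 6 the same burst costs 6 flushes instead of 200.
    print(flushes_for_burst(6, 200))      # 6
```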
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
To do...                                                                                          Use the command...                 Remarks
Enter system view                                                                                 system-view                        —
Enable the TC-BPDU attack guard function                                                          stp tc-protection enable           Required. The TC-BPDU attack guard function is disabled by default.
Set the maximum times that a switch can remove the MAC address table and ARP entries within each 10 seconds  stp tc-protection threshold number  Optional
Configuration example
# Enable the TC-BPDU attack guard function
<Sysname> system-view
[Sysname] stp tc-protection enable
# Set the maximum times for the switch to remove the MAC address table and ARP entries within 10
seconds to 5.
<Sysname> system-view
[Sysname] stp tc-protection threshold 5
Configuring BPDU Dropping
In an STP-enabled network, some users may send BPDU packets to the switch continuously in order to disrupt the network. When a switch receives the BPDU packets, it forwards them to other switches. As a result, STP calculation is performed repeatedly, which may occupy too much CPU on the switches or cause errors in the protocol state of the BPDU packets.
To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port neither receives nor forwards any BPDU packets. In this way, the switch is protected against BPDU packet attacks and the STP calculation is kept correct.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure BPDU dropping:
To do...                  Use the command...        Remarks
Enter system view         system-view              —
Enter Ethernet port view  interface interface-name  —
Enable BPDU dropping      bpdu-drop any            Required. BPDU dropping is disabled by default.
Configuration example
# Enable BPDU dropping on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] bpdu-drop any
Configuring Digest Snooping
Introduction
According to IEEE 802.1s, two interconnected switches can communicate with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP-enabled switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs exchanged between them (a configuration ID contains information such as the region ID and the configuration digest).
As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot communicate with the other switches in an MST region even if they are configured with the same MST region-related settings as the other switches in the MST region.
This problem can be overcome by the digest snooping feature. If a port on an S5100 Ethernet switch is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port. The S5100 Ethernet switch then regards the other manufacturer's switch as being in the same region: it records the configuration digests carried in the BPDUs received from the other manufacturer's switch and puts them in the BPDUs it sends to that switch. In this way, the S5100 Ethernet switch can communicate with the other manufacturer's switches in the same MST region.
The digest snooping function is not applicable to edge ports.
Configuring Digest Snooping
Configure the digest snooping feature on a switch to enable it to communicate with other switches
adopting proprietary protocols to calculate configuration digests in the same MST region through
MSTIs.
Configuration prerequisites
The switch to be configured is connected to another manufacturer's switch adopting a proprietary
spanning tree protocol. MSTP and the network operate normally.
Configuration procedure
Follow these steps to configure digest snooping:
To do...                                     Use the command...                         Remarks
Enter system view                            system-view                                —
Enter Ethernet port view                     interface interface-type interface-number  —
Enable the digest snooping feature           stp config-digest-snooping                 Required. The digest snooping feature is disabled on a port by default.
Return to system view                        quit                                       —
Enable the digest snooping feature globally  stp config-digest-snooping                 Required. The digest snooping feature is disabled globally by default.
Display the current configuration            display current-configuration              Available in any view
• When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
• The digest snooping feature is needed only when your switch is connected to another manufacturer's switches adopting proprietary spanning tree protocols.
• To enable the digest snooping feature successfully, you must first enable it on all the ports of your switch that are connected to another manufacturer's switches adopting proprietary spanning tree protocols and then enable it globally.
• To enable the digest snooping feature, the interconnected switches and another manufacturer's switch adopting proprietary spanning tree protocols must be configured with exactly the same MST region-related configurations (including region name, revision level, and VLAN-to-instance mapping).
• The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer's switches adopting proprietary spanning tree protocols in the same MST region.
• When the digest snooping feature is enabled globally, the VLAN-to-instance mapping table cannot be modified.
• The digest snooping feature is not applicable to boundary ports in an MST region.
• The digest snooping feature is not applicable to edge ports in an MST region.
Configuring Rapid Transition
Introduction
Designated ports of RSTP-enabled or MSTP-enabled switches use the following two types of packets to
implement rapid transition:
• Proposal packets: Packets sent by designated ports to request rapid transition
• Agreement packets: Packets used to acknowledge rapid transition requests
Both RSTP and MSTP specify that the upstream switch can perform the rapid transition operation on the designated port only when the port receives an agreement packet from the downstream switch. The difference between RSTP and MSTP is:
• For MSTP, the upstream switch sends agreement packets to the downstream switch, and the downstream switch sends agreement packets to the upstream switch only after it receives agreement packets from the upstream switch.
• For RSTP, the upstream switch does not send agreement packets to the downstream switch.
Figure 1-6 and Figure 1-7 illustrate the rapid transition mechanisms on designated ports in RSTP and
MSTP.
Figure 1-6 The RSTP rapid transition mechanism
[Figure: the designated port of the upstream switch sends a Proposal for rapid transition to the root port of the downstream switch; the root port blocks other non-edge ports, changes to the forwarding state and sends an Agreement to the upstream device; the designated port then changes to the forwarding state.]
Figure 1-7 The MSTP rapid transition mechanism
[Figure: the designated port of the upstream switch sends a Proposal for rapid transition; the root port of the downstream switch blocks other non-edge ports; the upstream switch sends an Agreement; the root port changes to the forwarding state and sends an Agreement to the upstream switch; the designated port then changes to the forwarding state.]
The cooperation between MSTP and RSTP is limited in the process of rapid transition. For example,
when the upstream switch adopts RSTP, the downstream switch adopts MSTP and the downstream
switch does not support RSTP-compatible mode, the root port on the downstream switch receives no
agreement packet from the upstream switch and thus sends no agreement packets to the upstream
switch. As a result, the designated port of the upstream switch fails to transit rapidly and can only turn to
the forwarding state after a period twice the forward delay.
Some other manufacturers' switches adopt proprietary spanning tree protocols that are similar to RSTP in the way they implement rapid transition on designated ports. When a switch of this kind operating as the upstream switch connects with an H3C series switch running MSTP, the upstream designated port fails to change its state rapidly.
The rapid transition feature is developed to resolve this problem. When an H3C series switch running MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch. Among these ports, those operating as root ports will then send agreement packets to their upstream ports as soon as they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables the designated ports of the upstream switch to change their states rapidly.
Configuring Rapid Transition
Configuration prerequisites
As shown in Figure 1-8, an H3C series switch is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally.
The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to
implement rapid transition on designated ports. Port 1 is the designated port.
The downstream H3C switch is running MSTP. Port 2 is the root port.
Figure 1-8 Network diagram for rapid transition configuration
Configuration procedure
1) Configure the rapid transition feature in system view
Follow these steps to configure the rapid transition feature in system view:
  To do: Enter system view
    Command: system-view
    Remarks: —
  To do: Enable the rapid transition feature
    Command: stp interface interface-type interface-number no-agreement-check
    Remarks: Required. By default, the rapid transition feature is disabled on a port.
2) Configure the rapid transition feature in Ethernet port view
Follow these steps to configure the rapid transition feature in Ethernet port view:
  To do: Enter system view
    Command: system-view
    Remarks: —
  To do: Enter Ethernet port view
    Command: interface interface-type interface-number
    Remarks: —
  To do: Enable the rapid transition feature
    Command: stp no-agreement-check
    Remarks: Required. By default, the rapid transition feature is disabled on a port.
• The rapid transition feature can be enabled on only root ports or alternate ports.
• If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
Configuring VLAN-VPN Tunnel
Introduction
The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between
geographically dispersed customer networks through specified VLAN VPNs in service provider
networks, through which spanning trees can be generated across these customer networks and are
independent of those of the service provider network.
As shown in Figure 1-9, the upper part is the service provider network, and the lower part comprises the
customer networks. The service provider network comprises packet input/output devices, and the
customer network has networks A and B. On the service provider network, configure the arriving STP
packets at the input device to have MAC addresses in a special format, and reconvert them back to their
original formats at the output device. This is how transparent transmission is implemented over the
service provider network.
Figure 1-9 VLAN-VPN tunnel network hierarchy
[Figure: the upper part is the service provider network with two packet input/output devices; the lower part is the customer networks, Network A and Network B, each attached to one of the packet input/output devices.]
Configuring VLAN-VPN tunnel
Follow these steps to configure VLAN-VPN tunnel:
  To do: Enter system view
    Command: system-view
    Remarks: —
  To do: Enable MSTP globally
    Command: stp enable
    Remarks: —
  To do: Enable the VLAN-VPN tunnel function globally
    Command: vlan-vpn tunnel
    Remarks: Required. The VLAN-VPN tunnel function is disabled by default.
  To do: Enter Ethernet port view
    Command: interface interface-type interface-number
    Remarks: Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel function.
  To do: Enable the VLAN VPN function for the Ethernet port
    Command: vlan-vpn enable
    Remarks: Required. By default, the VLAN VPN function is disabled on all ports.
• The VLAN-VPN tunnel function can be enabled on STP-enabled devices only.
• To enable the VLAN-VPN tunnel function, make sure the links between service provider networks are trunk links.
MSTP Maintenance Configuration
Introduction
In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of
a port may change frequently. In this case, maintenance personnel may expect that log/trap information
is output to the log host when particular ports fail, so that they can check the status changes of those
ports through alarm information.
Enabling Log/Trap Output for Ports of MSTP Instance
Follow these steps to enable log/trap output for the ports of an MSTP instance:
  To do: Enter system view
    Command: system-view
    Remarks: —
  To do: Enable log/trap output for the ports of a specified instance
    Command: stp [ instance instance-id ] portlog
    Remarks: Required. By default, log/trap output is disabled for the ports of all instances.
  To do: Enable log/trap output for the ports of all instances
    Command: stp portlog all
    Remarks: Required. By default, log/trap output is disabled for the ports of all instances.
Configuration Example
# Enable log/trap output for the ports of instance 1.
<Sysname> system-view
[Sysname] stp instance 1 portlog
# Enable log/trap output for the ports of all instances.
<Sysname> system-view
[Sysname] stp portlog all
Enabling Trap Messages Conforming to 802.1d Standard
A switch sends trap messages conforming to 802.1d standard to the network management device in the
following two cases:
• The switch becomes the root bridge of an instance.
• Network topology changes are detected.
Configuration procedure
Follow these steps to enable trap messages conforming to 802.1d standard:
  To do: Enter system view
    Command: system-view
    Remarks: —
  To do: Enable trap messages conforming to 802.1d standard in an instance
    Command: stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable
    Remarks: Required
Configuration example
# Enable a switch to send trap messages conforming to 802.1d standard to the network management
device when the switch becomes the root bridge of instance 1.
<Sysname> system-view
[Sysname] stp instance 1 dot1d-trap newroot enable
Displaying and Maintaining MSTP
  To do: Display the state and statistics information about spanning trees of the current device
    Command: display stp [ instance instance-id ] [ interface interface-list | slot slot-number ] [ brief ]
    Remarks: Available in any view
  To do: Display region configuration
    Command: display stp region-configuration
    Remarks: Available in any view
  To do: Display information about the ports that are shut down by STP protection
    Command: display stp portdown
    Remarks: Available in any view
  To do: Display information about the ports that are blocked by STP protection
    Command: display stp abnormalport
    Remarks: Available in any view
  To do: Display information about the root port of the instance where the switch resides
    Command: display stp root
    Remarks: Available in any view
  To do: Clear statistics about MSTP
    Command: reset stp [ interface interface-list ]
    Remarks: Available in user view
MSTP Configuration Example
Network requirements
Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be
forwarded along different MSTIs. The detailed configurations are as follows:
• All switches in the network belong to the same MST region.
• Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
In this network, Switch A and Switch B operate on the convergence layer; Switch C and Switch D
operate on the access layer. VLAN 10 and VLAN 30 are limited in the convergence layer and VLAN 40
is limited in the access layer. Switch A and Switch B are configured as the root bridges of MSTI 1 and
MSTI 3 respectively. Switch C is configured as the root bridge of MSTI 4.
Network diagram
Figure 1-10 Network diagram for MSTP configuration
The word “permit” shown in Figure 1-10 means the corresponding link permits packets of specific
VLANs.
Configuration procedure
1) Configure Switch A
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30
[Sysname-mst-region] instance 4 vlan 40
[Sysname-mst-region] revision-level 0
# Activate the settings of the MST region manually.
[Sysname-mst-region] active region-configuration
# Specify Switch A as the root bridge of MSTI 1.
[Sysname] stp instance 1 root primary
2) Configure Switch B
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30
[Sysname-mst-region] instance 4 vlan 40
[Sysname-mst-region] revision-level 0
# Activate the settings of the MST region manually.
[Sysname-mst-region] active region-configuration
# Specify Switch B as the root bridge of MSTI 3.
[Sysname] stp instance 3 root primary
3) Configure Switch C
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30
[Sysname-mst-region] instance 4 vlan 40
[Sysname-mst-region] revision-level 0
# Activate the settings of the MST region manually.
[Sysname-mst-region] active region-configuration
# Specify Switch C as the root bridge of MSTI 4.
[Sysname] stp instance 4 root primary
4) Configure Switch D
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30
[Sysname-mst-region] instance 4 vlan 40
[Sysname-mst-region] revision-level 0
# Activate the settings of the MST region manually.
[Sysname-mst-region] active region-configuration
VLAN-VPN Tunnel Configuration Example
Network requirements
• S5100 switches operate as the access devices of the service provider network, that is, Switch C and Switch D in the network diagram.
• Switch A and Switch B are the access devices for the customer networks.
• Switch C and Switch D are connected to each other through the configured trunk ports of the switches. The VLAN-VPN tunnel function is enabled in system view, thus implementing transparent transmission between the customer networks and the service provider network.
Network diagram
Figure 1-11 Network diagram for VLAN-VPN tunnel configuration
[Figure: Switch A (Ethernet 1/0/1) connects to Switch C (GigabitEthernet 1/0/1); Switch C (GigabitEthernet 1/0/2) connects to Switch D (GigabitEthernet 1/0/1) over the trunk link; Switch D (GigabitEthernet 1/0/2) connects to Switch B (Ethernet 1/0/1).]
Configuration procedure
1) Configure Switch A
# Enable MSTP.
<Sysname> system-view
[Sysname] stp enable
# Add Ethernet 1/0/1 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port Ethernet 1/0/1
2) Configure Switch B
# Enable MSTP.
<Sysname> system-view
[Sysname] stp enable
# Add Ethernet 1/0/1 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port Ethernet 1/0/1
3) Configure Switch C
# Enable MSTP.
<Sysname> system-view
[Sysname] stp enable
# Enable the VLAN-VPN tunnel function.
[Sysname] vlan-vpn tunnel
# Add GigabitEthernet 1/0/1 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port GigabitEthernet 1/0/1
[Sysname-Vlan10] quit
# Enable the VLAN VPN function on GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port access vlan 10
[Sysname-GigabitEthernet1/0/1] vlan-vpn enable
[Sysname-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port link-type trunk
# Add the trunk port to all VLANs.
[Sysname-GigabitEthernet1/0/2] port trunk permit vlan all
4) Configure Switch D
# Enable MSTP.
<Sysname> system-view
[Sysname] stp enable
# Enable the VLAN-VPN tunnel function.
[Sysname] vlan-vpn tunnel
# Add GigabitEthernet 1/0/2 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port GigabitEthernet 1/0/2
# Enable the VLAN VPN function on GigabitEthernet 1/0/2.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port access vlan 10
[Sysname-GigabitEthernet1/0/2] vlan-vpn enable
[Sysname-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/1 as a trunk port.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
# Add the trunk port to all VLANs.
[Sysname-GigabitEthernet1/0/1] port trunk permit vlan all
Table of Contents
1 802.1x Configuration ···································································································· 1-1
Introduction to 802.1x ································································································· 1-1
Architecture of 802.1x Authentication ···································································· 1-1
The Mechanism of an 802.1x Authentication System ·············································· 1-3
Encapsulation of EAPoL Messages ······································································· 1-4
802.1x Authentication Procedure··········································································· 1-6
Timers Used in 802.1x ·························································································· 1-9
802.1x Implementation on an S5100-SI/EI Series Switch ····································· 1-10
Introduction to 802.1x Configuration ·········································································· 1-13
Basic 802.1x Configuration ······················································································· 1-14
Configuration Prerequisites ················································································ 1-14
Configuring Basic 802.1x Functions ···································································· 1-14
Timer and Maximum User Number Configuration ················································· 1-16
Advanced 802.1x Configuration ················································································· 1-17
Configuring Proxy Checking ················································································ 1-17
Configuring Client Version Checking ··································································· 1-18
Enabling DHCP-triggered Authentication ····························································· 1-19
Configuring Guest VLAN ····················································································· 1-19
Configuring 802.1x Re-Authentication ································································· 1-20
Configuring the 802.1x Re-Authentication Timer ·················································· 1-20
Displaying and Maintaining 802.1x Configuration ······················································· 1-21
Configuration Example ······························································································ 1-21
802.1x Configuration Example ············································································ 1-21
2 Quick EAD Deployment Configuration ········································································· 2-1
Introduction to Quick EAD Deployment ········································································ 2-1
Quick EAD Deployment Overview ········································································· 2-1
Operation of Quick EAD Deployment ····································································· 2-1
Configuring Quick EAD Deployment ············································································ 2-2
Configuration Prerequisites ·················································································· 2-2
Configuration Procedure ······················································································· 2-2
Displaying and Maintaining Quick EAD Deployment ··············································· 2-4
Quick EAD Deployment Configuration Example···························································· 2-4
Troubleshooting·········································································································· 2-5
3 HABP Configuration ····································································································· 3-1
Introduction to HABP ·································································································· 3-1
HABP Server Configuration ························································································· 3-1
HABP Client Configuration ·························································································· 3-2
Displaying and Maintaining HABP Configuration ·························································· 3-2
4 System-Guard Configuration ······················································································· 4-1
System-Guard Overview ····························································································· 4-1
Configuring the System-Guard Feature········································································ 4-1
Configuring the System-Guard Feature ································································· 4-1
Displaying and Maintaining System-Guard ··································································· 4-2
1 802.1x Configuration
When configuring 802.1x, go to these sections for information you are interested in:
• Introduction to 802.1x
• Introduction to 802.1x Configuration
• Basic 802.1x Configuration
• Advanced 802.1x Configuration
• Displaying and Maintaining 802.1x Configuration
• Configuration Example
Introduction to 802.1x
The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access control mechanism for LAN ports, mainly to address authentication and security problems.
802.1x is a port-based network access control protocol. It authenticates and controls devices requesting access in terms of the ports of LAN access devices. With the 802.1x protocol employed, a user-side device can access the LAN only when it passes the authentication. Devices that fail to pass the authentication are denied access to the LAN.
This section covers these topics:
• Architecture of 802.1x Authentication
• The Mechanism of an 802.1x Authentication System
• Encapsulation of EAPoL Messages
• 802.1x Authentication Procedure
• Timers Used in 802.1x
• 802.1x Implementation on an S5100-SI/EI Series Switch
Architecture of 802.1x Authentication
As shown in Figure 1-1, 802.1x adopts a client/server architecture with three entities: a
supplicant system, an authenticator system, and an authentication server system.
Figure 1-1 Architecture of 802.1x authentication
• The supplicant system is an entity residing at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device. An 802.1x authentication is triggered when a user launches the client program on the supplicant system. Note that the client program must support the extensible authentication protocol over LAN (EAPoL).
• The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as an H3C series switch). It provides the port (physical or logical) for the supplicant system to access the LAN.
• The authentication server system is an entity that provides authentication service to the authenticator system. Normally in the form of a RADIUS server, the authentication server system serves to perform Authentication, Authorization, and Accounting (AAA) services for users. It also stores user information, such as user name, password, the VLAN a user belongs to, priority, and the Access Control Lists (ACLs) applied.
The four basic concepts related to the above three entities are PAE, controlled port and
uncontrolled port, the valid direction of a controlled port and the way a port is controlled.
PAE
A port access entity (PAE) is responsible for implementing algorithms and performing
protocol-related operations in the authentication mechanism.
• The authenticator system PAE authenticates the supplicant systems when they log into the LAN and controls the status (authorized/unauthorized) of the controlled ports according to the authentication result.
• The supplicant system PAE responds to the authentication requests received from the authenticator system and submits user authentication information to the authenticator system. It also sends authentication requests and disconnection requests to the authenticator system PAE.
Controlled port and uncontrolled port
The authenticator system provides ports for supplicant systems to access a LAN. Logically,
a port of this kind is divided into a controlled port and an uncontrolled port.
• The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL packets to ensure that a supplicant system can send and receive authentication requests.
• The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it.
• Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and the uncontrolled port of the port.
The valid direction of a controlled port
When a controlled port is in unauthorized state, you can configure it to be a unidirectional
port, which sends packets to supplicant systems only.
By default, a controlled port is a unidirectional port.
The way a port is controlled
A port of an H3C series switch can be controlled in the following two ways.
• Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication. And when the authenticated supplicant system goes offline, the others are denied as well.
• MAC-based authentication. All supplicant systems connected to a port have to be authenticated individually in order to access the network. And when a supplicant system goes offline, the others are not affected.
The Mechanism of an 802.1x Authentication System
IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP) to
exchange information between the supplicant system and the authentication server.
Figure 1-2 The mechanism of an 802.1x authentication system
• EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets.
• EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS (EAPoR) packets or be terminated at system PAEs. The system PAEs then communicate with RADIUS servers through Password Authentication Protocol (PAP) or Challenge-Handshake Authentication Protocol (CHAP) packets.
• When a supplicant system passes the authentication, the authentication server passes the information about the supplicant system to the authenticator system. The authenticator system in turn determines the state (authorized or unauthorized) of the controlled port according to the instructions (accept or reject) received from the RADIUS server.
Encapsulation of EAPoL Messages
The format of an EAPoL packet
EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets
to be transmitted between supplicant systems and authenticator systems through LANs,
EAP protocol packets are encapsulated in EAPoL format. The following figure illustrates
the structure of an EAPoL packet.
Figure 1-3 The format of an EAPoL packet
In an EAPoL packet:
• The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E.
• The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
• The Type field can be one of the following:
  00: Indicates that the packet is an EAP-packet, which carries authentication information.
  01: Indicates that the packet is an EAPoL-start packet, which initiates the authentication.
  02: Indicates that the packet is an EAPoL-logoff packet, which sends logging off requests.
  03: Indicates that the packet is an EAPoL-key packet, which carries key information.
  04: Indicates that the packet is an EAPoL-encapsulated-ASF-Alert packet, which is used to support the alerting messages of the Alerting Standards Forum (ASF).
• The Length field indicates the size of the Packet body field. A value of 0 indicates that the Packet body field does not exist.
• The Packet body field differs with the Type field.
Note that EAPoL-Start, EAPoL-Logoff, and EAPoL-Key packets are only transmitted between the supplicant system and the authenticator system. EAP packets are encapsulated by the RADIUS protocol to allow them to reach the authentication servers. Network management-related information (such as alarm information) is encapsulated in EAPoL-Encapsulated-ASF-Alert packets, which are terminated by authenticator systems.
The format of an EAP packet
For an EAPoL packet with the value of the Type field being EAP-packet, its Packet body
field is an EAP packet, whose format is illustrated in Figure 1-4.
Figure 1-4 The format of an EAP packet
In an EAP packet:
• The Code field indicates the EAP packet type, which can be Request, Response, Success, or Failure.
• The Identifier field is used to match a Response packet with the corresponding Request packet.
• The Length field indicates the size of an EAP packet, which includes the Code, Identifier, Length, and Data fields.
• The Data field carries the EAP packet data, whose format differs with the Code field.
A Success or Failure packet does not contain the Data field, so its Length field is 4.
Figure 1-5 shows the format of the Data field of a Request packet or a Response packet.
Figure 1-5 The format of the Data field of a Request packet or a Response packet
• The Type field indicates the EAP authentication type. A value of 1 indicates Identity and that the packet is used to query the identity of the peer. A value of 4 represents MD5-Challenge (similar to PPP CHAP) and indicates that the packet includes query information.
• The Type Data field differs with the types of Request and Response packets.
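The two formats above can be checked with a small decoder. The following added example (not code from this manual) parses an Ethernet frame carrying EAPoL, enforces the Length rules stated above (Length 0 means no Packet body; a Success or Failure packet has Length 4) and decodes the Type and Type Data of Identity and MD5-Challenge packets. The Value-Size/Value/Name layout of MD5-Challenge Type Data and the 01-80-C2-00-00-03 PAE group address come from RFC 3748 and IEEE 802.1X rather than from this manual, and the sample frames are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # IEEE 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("001122334455")  # constructed sample address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff",
               3: "EAPoL-Key", 4: "EAPoL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def parse_eap(body):
    """Decode an EAP packet: Code, Identifier, Length, then Data (Type + Type Data)."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length inconsistent with the packet body")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                       # Success / Failure carry no Data field
        if length != 4:
            raise ValueError("Success/Failure packet must have Length 4")
        return pkt
    if code not in (1, 2):
        raise ValueError(f"unknown EAP Code {code}")
    data = body[4:length]
    if not data:
        raise ValueError("Request/Response packet without a Type field")
    eap_type, type_data = data[0], data[1:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                        # Identity: Type Data is the user name
        pkt["identity"] = type_data.decode("utf-8", "replace")
    elif eap_type == 4:                      # MD5-Challenge: Value-Size, Value, Name (RFC 3748)
        if not type_data or len(type_data) < 1 + type_data[0]:
            raise ValueError("MD5-Challenge Value truncated")
        size = type_data[0]
        pkt["value"] = type_data[1:1 + size]
        pkt["name"] = type_data[1 + size:]
    else:
        pkt["type_data"] = type_data
    return pkt


def parse_eapol(frame):
    """Decode an Ethernet frame whose PAE Ethernet type is 0x888E."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPoL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPoL frame (Ethernet type 0x{ethertype:04X})")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL Packet body shorter than the Length field")
    out = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "version": version, "type": EAPOL_TYPES.get(ptype, ptype), "length": length}
    if ptype == 0:                           # only EAP-Packet carries an EAP packet
        out["eap"] = parse_eap(body)
    return out


def is_valid_eapol(frame):
    """Accept/drop decision: True if the frame decodes without a format violation."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def build_eapol(ptype, body=b"", src=SUPPLICANT_MAC, dst=PAE_GROUP_MAC):
    """Constructed test helper: Ethernet header + EAPoL header (version 1) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def build_eap(code, ident, eap_type=None, type_data=b""):
    """Constructed test helper: EAP header whose Length covers Code through Data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Constructed sample exchange following the EAP-MD5 procedure in this chapter
SAMPLE_START = build_eapol(1)
SAMPLE_REQ_IDENTITY = build_eapol(0, build_eap(1, 7, 1))
SAMPLE_RESP_IDENTITY = build_eapol(0, build_eap(2, 7, 1, b"user1"))
SAMPLE_REQ_MD5 = build_eapol(0, build_eap(1, 8, 4, bytes([16]) + bytes(range(16))))
SAMPLE_SUCCESS = build_eapol(0, build_eap(3, 9))
SAMPLE_BAD_SUCCESS = build_eapol(0, build_eap(3, 9, 1, b"x"))   # Length 6: invalid
```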
Newly added fields for EAP authentication
Two fields, EAP-message and Message-authenticator, are added to a RADIUS protocol
packet for EAP authentication. (Refer to the Introduction to RADIUS protocol section in the
AAA Operation for information about the format of a RADIUS protocol packet.)
The EAP-message field, whose format is shown in Figure 1-6, is used to encapsulate EAP
packets. The maximum size of the string field is 253 bytes. EAP packets with their size
larger than 253 bytes are fragmented and are encapsulated in multiple EAP-message
fields. The type code of the EAP-message field is 79.
Figure 1-6 The format of an EAP-message field
[Figure: Type (bits 0 to 7) | Length (bits 8 to 15) | String (bits 16 to N, carrying EAP packets)]
The Message-authenticator field, whose format is shown in Figure 1-7, is used to protect access request packets from unauthorized interception during authentications using CHAP, EAP, and so on. A packet with the EAP-message field must also have the Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded.
Figure 1-7 The format of a Message-authenticator field
802.1x Authentication Procedure
An H3C S5100-SI/EI series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
EAP relay mode
This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level
protocol (such as EAPoR) packets to enable them to successfully reach the authentication
server. Normally, this mode requires that the RADIUS server support the two newly-added
fields: the EAP-message field (with a value of 79) and the Message-authenticator field
(with a value of 80).
Four authentication ways, namely EAP-MD5, EAP-TLS (transport layer security),
EAP-TTLS (tunneled transport layer security), and Protected Extensible Authentication
Protocol (PEAP), are available in the EAP relay mode.
• EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in EAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts the passwords using the MD5 keys.
• EAP-TLS allows the supplicant system and the RADIUS server to check each other’s security certificate and authenticate each other’s identity, guaranteeing that data is transferred to the right destination and preventing data from being intercepted.
• EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication between the client and the authentication server. EAP-TTLS transmits messages using a tunnel established using TLS.
• PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems.
Figure 1-8 describes the basic EAP-MD5 authentication procedure.
Figure 1-8 802.1x authentication procedure (in EAP relay mode)
[Figure: the supplicant system PAE and the authenticator system PAE exchange EAPoL packets; the authenticator system PAE and the RADIUS server exchange EAPoR packets. Message sequence: EAPoL-Start; EAP-Request/Identity; EAP-Response/Identity, carried to the server in a RADIUS Access-Request; RADIUS Access-Challenge (EAP-Request/MD5 challenge), relayed as EAP-Request/MD5 challenge; EAP-Response/MD5 challenge, carried in a RADIUS Access-Request; RADIUS Access-Accept (EAP-Success), relayed as EAP-Success; port authorized. Afterwards, driven by the handshake timer, handshake requests (EAP-Request/Identity) and handshake responses (EAP-Response/Identity) repeat until an EAPoL-Logoff, after which the port is unauthorized.]
The detailed procedure is as follows:
• A supplicant system launches an 802.1x client to initiate an access request by sending an EAPoL-start packet to the switch, with its user name and password provided. The 802.1x client program then forwards the packet to the switch to start the authentication process.
• Upon receiving the authentication request packet, the switch sends an EAP-request/identity packet to ask the 802.1x client for the user name.
• The 802.1x client responds by sending an EAP-response/identity packet to the switch with the user name contained in it. The switch then encapsulates the packet in a RADIUS Access-Request packet and forwards it to the RADIUS server.
• Upon receiving the packet from the switch, the RADIUS server retrieves the user name from the packet, finds the corresponding password by matching the user name in its database, encrypts the password using a randomly-generated key, and sends the key to the switch through a RADIUS access-challenge packet. The switch then sends the key to the 802.1x client.
• Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the switch, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server through the switch. (Normally, the encryption is irreversible.)
• The RADIUS server compares the received encrypted password (contained in a RADIUS access-request packet) with the locally-encrypted password. If the two match, it sends feedback (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated.
• The switch changes the state of the corresponding port to the accepted state to allow the supplicant system to access the network.
• The supplicant system can also terminate the authenticated state by sending EAPoL-Logoff packets to the switch. The switch then changes the port state from accepted to rejected.
In EAP relay mode, packets are not modified during transmission. Therefore, whichever of the four methods (PEAP, EAP-TLS, EAP-TTLS or EAP-MD5) is used to authenticate, ensure that the authentication method used on the supplicant system and the one used on the RADIUS server are the same. On the switch itself, you only need to enable the EAP relay mode by using the dot1x authentication-method eap command.
EAP terminating mode
In this mode, EAP packet transmission is terminated at the authenticator system and the EAP packets are converted to RADIUS packets. Authentication and accounting are carried out through the RADIUS protocol.
In this mode, PAP or CHAP is employed between the switch and the RADIUS server. Figure 1-9 illustrates the authentication procedure (assuming that CHAP is employed between the switch and the RADIUS server).
Figure 1-9 802.1x authentication procedure (in EAP terminating mode)
[Figure: message sequence between the supplicant system PAE (EAPOL), the authenticator system PAE and the RADIUS server (RADIUS): EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; port authorized; handshake timer with repeated handshake request [EAP-Request/Identity] and handshake response [EAP-Response/Identity]; EAPOL-Logoff; port unauthorized.]
The authentication procedure in EAP terminating mode is the same as that in the EAP relay
mode except that the randomly-generated key in the EAP terminating mode is generated by
the switch, and that it is the switch that sends the user name, the randomly-generated key,
and the supplicant system-encrypted password to the RADIUS server for further
authentication.
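The MD5 challenge exchange of the relay mode and the CHAP conversion of the terminating mode, as an added Python model that is not part of this manual: the supplicant, the switch and the RADIUS server are plain functions, the user name, password and 16-byte challenge are constructed sample values, and RADIUS/EAP packet framing is reduced to the fields the two modes differ in.

```python
import hashlib
import hmac
import os

# Constructed sample user database held by the RADIUS server (not from the manual).
USER_DB = {"alice": b"correct-horse"}


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value: MD5(Identifier || Secret || Challenge) (RFC 1994, RFC 3748)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """802.1x client: knows the user's password and answers MD5 challenges."""

    def __init__(self, username: str, password: bytes):
        self.username = username
        self.password = password

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        # This is the manual's "encrypted password": an irreversible hash over the
        # challenge, so the password itself never crosses the wire.
        return md5_challenge_response(identifier, self.password, challenge)


class RadiusServer:
    """Looks up the user's password and recomputes the response over the same challenge."""

    def __init__(self, users: dict):
        self.users = users

    def make_challenge(self) -> bytes:
        # In EAP relay mode the random key (challenge) is generated by the server.
        return os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def eap_relay_auth(supplicant: Supplicant, server: RadiusServer, identifier: int = 1) -> bool:
    """EAP relay mode (dot1x authentication-method eap): the switch forwards EAP unchanged."""
    # RADIUS Access-Challenge (EAP-Request/MD5 challenge) -> EAP-Request/MD5 challenge to the client
    challenge = server.make_challenge()
    # EAP-Response/MD5 challenge -> RADIUS Access-Request (EAP-Response/MD5 challenge)
    response = supplicant.answer(identifier, challenge)
    return server.verify(supplicant.username, identifier, challenge, response)


def eap_terminating_auth(supplicant: Supplicant, server: RadiusServer, identifier: int = 1) -> bool:
    """EAP terminating mode with CHAP: the switch generates the challenge itself and re-packs
    the EAP response into RADIUS CHAP-Password / CHAP-Challenge attributes (RFC 2865)."""
    challenge = os.urandom(16)                      # generated by the switch, not the server
    response = supplicant.answer(identifier, challenge)
    chap_password = bytes([identifier]) + response  # CHAP-Password: CHAP Ident (1 byte) + 16-byte response
    chap_challenge = challenge                      # CHAP-Challenge attribute
    # The server never sees EAP in this mode; it checks User-Name plus the CHAP attributes.
    ident, resp = chap_password[0], chap_password[1:]
    return server.verify(supplicant.username, ident, chap_challenge, resp)
```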
Timers Used in 802.1x
In 802.1x authentication, the following timers are used to ensure that the supplicant system, the switch, and the RADIUS server interact in an orderly way.
• Handshake timer (handshake-period). This timer sets the handshake period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users. You can set the maximum number of transmission attempts by using the dot1x retry command. An online user will be considered offline when the switch has not received any response packets after the maximum number of handshake request transmission attempts is reached.
• Quiet-period timer (quiet-period). This timer sets the quiet period. When a supplicant system fails to pass the authentication, the switch quiets for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system. During this quiet period, the switch does not perform any 802.1x authentication-related actions for the supplicant system.
• Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer.
• RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.
• Supplicant system timer (supp-timeout). This timer sets the supp-timeout period and is triggered by the switch after the switch sends a request/challenge packet to a supplicant system. The switch sends another request/challenge packet to the supplicant system if the switch does not receive the response from the supplicant system when this timer times out.
• Transmission timer (tx-period). This timer sets the tx-period and is triggered by the switch in two cases. The first case is when the client requests authentication. The switch sends a unicast request/identity packet to a supplicant system and then triggers the transmission timer. The switch sends another request/identity packet to the supplicant system if it does not receive the reply packet from the supplicant system when this timer times out. The second case is when the switch authenticates an 802.1x client that cannot request authentication actively. The switch sends multicast request/identity packets periodically through the port enabled with the 802.1x function. In this case, this timer sets the interval to send the multicast request/identity packets.
• Client version request timer (ver-period). This timer sets the version period and is triggered after a switch sends a version request packet. The switch sends another version request packet if it does not receive version response packets from the supplicant system when the timer expires.
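The handshake timer, the dot1x retry limit and the quiet-period timer described above, as an added Python model that is not part of this manual. The model assumes that a user is dropped as soon as the count of consecutive unanswered handshake requests reaches the retry limit; the defaults (15 s handshake period, retry 2, 60 s quiet period) are the manual's.

```python
from typing import Dict, List, Set

# Manual defaults (seconds); the dot1x retry default is 2.
HANDSHAKE_PERIOD = 15
QUIET_PERIOD = 60
MAX_RETRY = 2


class PortAuthenticator:
    """Constructed model of one 802.1x-enabled port's handshake and quiet-period timers."""

    def __init__(self, handshake_enabled: bool = True, quiet_enabled: bool = False,
                 handshake_period: int = HANDSHAKE_PERIOD, max_retry: int = MAX_RETRY,
                 quiet_period: int = QUIET_PERIOD):
        self.handshake_enabled = handshake_enabled   # dot1x handshake enable
        self.quiet_enabled = quiet_enabled           # dot1x quiet-period
        self.handshake_period = handshake_period
        self.max_retry = max_retry
        self.quiet_period = quiet_period
        self.unanswered: Dict[str, int] = {}   # online user -> consecutive unanswered handshake requests
        self.quiet_until: Dict[str, int] = {}  # user -> time until which new auth requests are ignored

    def authorize(self, user: str) -> None:
        """The user passed authentication; the handshake timer starts for this user."""
        self.unanswered[user] = 0

    def auth_failed(self, user: str, now: int) -> None:
        """Failed authentication: with the quiet-period timer enabled, ignore the user for a while."""
        if self.quiet_enabled:
            self.quiet_until[user] = now + self.quiet_period

    def accepts_auth_request(self, user: str, now: int) -> bool:
        """During the quiet period the switch performs no 802.1x actions for the user."""
        return now >= self.quiet_until.get(user, 0)

    def handshake_expired(self, responders: Set[str]) -> List[str]:
        """Called each time the handshake timer expires. `responders` are the online users that
        answered the previous handshake request. Returns the users now considered offline."""
        if not self.handshake_enabled:
            return []
        offline = []
        for user in list(self.unanswered):
            self.unanswered[user] = 0 if user in responders else self.unanswered[user] + 1
            if self.unanswered[user] >= self.max_retry:
                offline.append(user)
                del self.unanswered[user]
        return offline

    def is_online(self, user: str) -> bool:
        return user in self.unanswered


def time_to_offline(handshake_enabled: bool, client_answers: bool, ticks: int = 10) -> int:
    """Seconds after authorization until the user is dropped, or -1 if still online after `ticks` expiries.
    A client that never answers handshakes (the manual's non-H3C client case) is dropped only
    when handshaking is enabled."""
    port = PortAuthenticator(handshake_enabled=handshake_enabled)
    port.authorize("u1")
    for i in range(1, ticks + 1):
        responders = {"u1"} if client_answers else set()
        if "u1" in port.handshake_expired(responders):
            return i * port.handshake_period
    return -1
```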
802.1x Implementation on an S5100-SI/EI Series Switch
In addition to the earlier mentioned 802.1x features, an S5100-SI/EI series switch is also
capable of the following:
• Checking supplicant systems for proxies, multiple network adapters, and so on (this function needs the cooperation of a CAMS server)
• Checking the client version
• The guest VLAN function
H3C's CAMS Server is a service management system used to manage networks and to
secure networks and user information. With the cooperation of other networking devices
(such as switches) in the network, a CAMS server can implement the AAA functions and
rights management.
Checking the supplicant system
An S5100-SI/EI series switch checks:
• Supplicant systems logging on through proxies
• Supplicant systems logging on through IE proxies
• Whether or not a supplicant system logs in through more than one network adapter (that is, whether or not more than one network adapter is active in a supplicant system when the supplicant system logs in).
In response to any of the three cases, a switch can optionally take one of the following measures:
• Disconnect the supplicant system without sending Trap packets.
• Send Trap packets without disconnecting the supplicant system.
This function needs the cooperation of the 802.1x client and a CAMS server:
• The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
• The CAMS server is configured to disable the use of multiple network adapters, proxies, or IE proxies.
By default, an 802.1x client program allows the use of multiple network adapters, proxies, and IE proxies. In this case, if the CAMS server is configured to disable the use of multiple network adapters, proxies, or IE proxies, it prompts the 802.1x client through messages to disable the use of multiple network adapters, proxies, or IE proxies after the supplicant system passes the authentication.
• The client-checking function needs the support of H3C's 802.1x client program.
• To implement the proxy detecting function, you need to enable the function on both the 802.1x client program and the CAMS server in addition to enabling the client version detecting function on the switch by using the dot1x version-check command.
Checking the client version
With the 802.1x client version-checking function enabled, a switch checks the version and validity of an 802.1x client to prevent unauthorized users or users with earlier versions of the 802.1x client from logging in.
With this function, the switch sends version-requesting packets again if the 802.1x client fails to send a version-reply packet to the switch before the version-checking timer times out.
The 802.1x client version-checking function needs the support of H3C's 802.1x client program.
The guest VLAN function
The guest VLAN function enables supplicant systems that are not authenticated to access
network resources in a restrained way.
The guest VLAN function enables supplicant systems that do not have 802.1x client
installed to access specific network resources. It also enables supplicant systems that are
not authenticated to upgrade their 802.1x client programs.
With this function enabled:
• The switch sends authentication triggering request (EAP-Request/Identity) packets to all the 802.1x-enabled ports.
• After the maximum number of retries has been made and there are still ports that have not sent any response back, the switch adds these ports to the guest VLAN.
• Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated. But they need to be authenticated when accessing external resources.
Normally, the guest VLAN function is coupled with the dynamic VLAN delivery function.
Refer to AAA Operation for detailed information about the dynamic VLAN delivery function.
Enabling 802.1x re-authentication
802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users
who have passed authentication. With 802.1x re-authentication enabled, the switch can
monitor the connection status of users periodically. If the switch receives no
re-authentication response from a user in a period of time, it tears down the connection to
the user. To connect to the switch again, the user needs to initiate 802.1x authentication
with the client software again.
• When re-authenticating a user, a switch goes through the complete authentication process. It transmits the username and password of the user to the server. The server may authenticate the username and password, or it may instead use re-authentication only for accounting and for checking user connection status, in which case it does not authenticate the username and password again.
• An authentication server running CAMS authenticates the username and password during re-authentication of a user in the EAP authentication mode but does not in PAP or CHAP authentication mode.
Figure 1-10 802.1x re-authentication
[Figure: three PCs connected to a switch, which connects to a RADIUS server and to the Internet.]
802.1x re-authentication can be enabled in one of the following two ways:
• The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically.
• You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the switch re-authenticates users periodically.
802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication but not accounting. This is because a CAMS server establishes a user session after it begins to perform accounting. Therefore, to enable 802.1x re-authentication, do not configure the accounting none command in the domain. This restriction does not apply to other types of servers.
Introduction to 802.1x Configuration
802.1x provides a solution for authenticating users. To implement this solution, you need to
execute 802.1x-related commands. You also need to configure AAA schemes on switches
and specify the authentication scheme (RADIUS or local authentication scheme).
Figure 1-11 802.1x configuration
[Figure: 802.1x configuration is associated with ISP domain configuration, which selects an AAA scheme: local authentication or a RADIUS scheme.]
• 802.1x users use domain names to associate with the ISP domains configured on switches.
• Configure the AAA scheme (a local authentication scheme or a RADIUS scheme) to be adopted in the ISP domain.
• If you specify to use a local authentication scheme, you need to configure the user names and passwords manually on the switch. Users can pass the authentication through the 802.1x client if they provide user names and passwords that match those configured on the switch.
• If you specify to adopt the RADIUS scheme, the supplicant systems are authenticated by a remote RADIUS server. In this case, you need to configure user names and passwords on the RADIUS server and perform RADIUS client-related configuration on the switches.
• You can also specify to adopt the RADIUS authentication scheme, with a local authentication scheme as a backup. In this case, the local authentication scheme is adopted when the RADIUS server fails.
Refer to the AAA Operation for detailed information about AAA scheme configuration.
Basic 802.1x Configuration
Configuration Prerequisites
• Configure the ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme.
• Ensure that the service type is configured as lan-access (by using the service-type command) if the local authentication scheme is adopted.
Configuring Basic 802.1x Functions
Follow these steps to configure basic 802.1x functions:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable 802.1x globally | dot1x | By default, 802.1x is disabled globally.
Enable 802.1x for specified ports (in system view) | dot1x interface interface-list | Required. By default, 802.1x is disabled on all ports.
Enable 802.1x for specified ports (in port view) | interface interface-type interface-number; dot1x; quit | Required. By default, 802.1x is disabled on all ports.
Set port access control mode for specified ports (in system view) | dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ] | Optional. By default, an 802.1x-enabled port operates in the auto mode.
Set port access control mode for specified ports (in port view) | interface interface-type interface-number; dot1x port-control { authorized-force | unauthorized-force | auto }; quit | Optional. By default, an 802.1x-enabled port operates in the auto mode.
Set port access method for specified ports (in system view) | dot1x port-method { macbased | portbased } [ interface interface-list ] | Optional. The default port access method is MAC-address-based (that is, the macbased keyword is used by default).
Set port access method for specified ports (in port view) | interface interface-type interface-number; dot1x port-method { macbased | portbased }; quit | Optional. The default port access method is MAC-address-based.
Set authentication method for 802.1x users | dot1x authentication-method { chap | pap | eap } | Optional. By default, a switch performs CHAP authentication in EAP terminating mode.
Enable online user handshaking | dot1x handshake enable | Optional. By default, online user handshaking is enabled.
Enter Ethernet port view | interface interface-type interface-number | —
Enable the handshake packet protection function | dot1x handshake secure | Optional. By default, the handshake packet protection function is disabled.
• 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports.
• The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on MAC address learning on the port and vice versa.
• The settings of 802.1x and aggregation group membership are mutually exclusive. Enabling 802.1x on a port will prevent you from adding the port to an aggregation group and vice versa.
• When a device operates as an authentication server, its authentication method for 802.1x users cannot be configured as EAP.
• With the support of the H3C proprietary client, handshake packets are used to test whether or not a user is online.
• As clients that are not from H3C do not support the online user handshaking function, switches cannot receive handshake acknowledgement packets from them in handshaking periods. To prevent such users from being falsely considered offline, you need to disable the online user handshaking function in this case.
• The handshake packet protection function requires the cooperation of the client and the authentication server. If either of the two ends does not support the function, you need to disable it on the other one.
Timer and Maximum User Number Configuration
Follow these steps to configure 802.1x timers and the maximum number of users:
To do… | Use the command... | Remarks
Enter system view | system-view | —
Set the maximum number of concurrent on-line users for specified ports (in system view) | dot1x max-user user-number [ interface interface-list ] | Optional. By default, a port can accommodate up to 256 users at a time.
Set the maximum number of concurrent on-line users for specified ports (in port view) | interface interface-type interface-number; dot1x max-user user-number; quit | Optional. By default, a port can accommodate up to 256 users at a time.
Set the maximum retry times to send request packets | dot1x retry max-retry-value | Optional. By default, the maximum retry times to send a request packet is 2. That is, the authenticator system sends a request packet to a supplicant system up to two times by default.
Set 802.1x timers | dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value } | Optional. The default settings of the 802.1x timers are as follows: handshake-period-value: 15 seconds; quiet-period-value: 60 seconds; server-timeout-value: 100 seconds; supp-timeout-value: 30 seconds; tx-period-value: 30 seconds; ver-period-value: 30 seconds.
Enable the quiet-period timer | dot1x quiet-period | Optional. By default, the quiet-period timer is disabled.
• As for the dot1x max-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
• As for the configuration of 802.1x timers, the default values are recommended.
Advanced 802.1x Configuration
Advanced 802.1x configurations, as listed below, are all optional.
• Configuration concerning CAMS, including multiple network adapter detection, proxy detection, and so on
• Client version checking configuration
• DHCP-triggered authentication
• Guest VLAN configuration
• 802.1x re-authentication configuration
• Configuration of the 802.1x re-authentication timer
You need to configure basic 802.1x functions before configuring the above 802.1x
features.
Configuring Proxy Checking
Follow these steps to configure proxy checking:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable the proxy checking function globally | dot1x supp-proxy-check { logoff | trap } | Required. By default, the 802.1x proxy checking function is globally disabled.
Enable proxy checking for a port/specified ports (in system view) | dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] | Required. By default, 802.1x proxy checking is disabled on a port.
Enable proxy checking for a port/specified ports (in port view) | interface interface-type interface-number; dot1x supp-proxy-check { logoff | trap }; quit | Required. By default, 802.1x proxy checking is disabled on a port.
• The proxy checking function needs the cooperation of H3C's 802.1x client (iNode) program.
• The proxy checking function depends on the online user handshaking function. To enable the proxy detecting function, you need to enable the online user handshaking function first.
• The configuration listed in the above table takes effect only when it is performed on CAMS as well as on the switch. In addition, the client version checking function needs to be enabled on the switch too (by using the dot1x version-check command).
Configuring Client Version Checking
Follow these steps to configure client version checking:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable 802.1x client version checking (in system view) | dot1x version-check [ interface interface-list ] | Required. By default, 802.1x client version checking is disabled on a port.
Enable 802.1x client version checking (in port view) | interface interface-type interface-number; dot1x version-check; quit | Required. By default, 802.1x client version checking is disabled on a port.
Set the maximum number of retries to send version checking request packets | dot1x retry-version-max max-retry-version-value | Optional. By default, the maximum number of retries to send version checking request packets is 3.
Set the client version checking period timer | dot1x timer ver-period ver-period-value | Optional. By default, the timer is set to 30 seconds.
As for the dot1x version-check command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
Enabling DHCP-triggered Authentication
After performing the following configuration, 802.1x allows access users to run DHCP, and users are authenticated when they apply for dynamic IP addresses through DHCP.
Follow these steps to enable DHCP-triggered authentication:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable DHCP-triggered authentication | dot1x dhcp-launch | Required. By default, DHCP-triggered authentication is disabled.
Configuring Guest VLAN
Follow these steps to configure guest VLAN:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Configure the port access method | dot1x port-method portbased | Required. The default port access method is MAC-address-based. That is, the macbased keyword is used by default.
Enable the guest VLAN function (in system view) | dot1x guest-vlan vlan-id [ interface interface-list ] | Required. By default, the guest VLAN function is disabled.
Enable the guest VLAN function (in port view) | interface interface-type interface-number; dot1x guest-vlan vlan-id; quit | Required. By default, the guest VLAN function is disabled.
• The guest VLAN function is available only when the switch operates in the port-based authentication mode.
• Only one guest VLAN can be configured for each switch.
• The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the switch does not send authentication packets in that case.
Configuring 802.1x Re-Authentication
Follow these steps to enable 802.1x re-authentication:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable 802.1x re-authentication on port(s) (in system view) | dot1x re-authenticate [ interface interface-list ] | Required. By default, 802.1x re-authentication is disabled on a port.
Enable 802.1x re-authentication on port(s) (in port view) | interface interface-type interface-number; dot1x re-authenticate | Required. By default, 802.1x re-authentication is disabled on a port.
• To enable 802.1x re-authentication on a port, you must first enable 802.1x globally and on the port.
• When re-authenticating a user, a switch goes through the complete authentication process. It transmits the username and password of the user to the server. The server may authenticate the username and password, or it may instead use re-authentication only for accounting and for checking user connection status, in which case it does not authenticate the username and password again.
• An authentication server running CAMS authenticates the username and password during re-authentication of a user in the EAP authentication mode but does not in PAP or CHAP authentication mode.
Configuring the 802.1x Re-Authentication Timer
After 802.1x re-authentication is enabled on the switch, the switch determines the
re-authentication interval in one of the following two ways:
1) The switch uses the value of the Session-timeout attribute field of the Access-Accept packet sent by the RADIUS server as the re-authentication interval.
2) The switch uses the value configured with the dot1x timer reauth-period command as the re-authentication interval for access users.
Note the following:
During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
The following introduces how to configure the 802.1x re-authentication timer on the switch.
Follow these steps to configure the re-authentication interval:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Configure a re-authentication interval | dot1x timer reauth-period reauth-period-value | Optional. By default, the re-authentication interval is 3,600 seconds.
Displaying and Maintaining 802.1x Configuration
To do... | Use the command... | Remarks
Display the configuration, session, and statistics information about 802.1x | display dot1x [ sessions | statistics ] [ interface interface-list ] | Available in any view
Clear 802.1x-related statistics information | reset dot1x statistics [ interface interface-list ] | Available in user view
Configuration Example
802.1x Configuration Example
Network requirements
• Authenticate users on all ports to control their access to the Internet. The switch operates in MAC-based access control mode.
• All supplicant systems that pass the authentication belong to the default domain named "aabbcc.net". The domain can accommodate up to 30 users. As for authentication, a supplicant system is authenticated locally if the RADIUS server fails. As for accounting, a supplicant system is disconnected by force if the RADIUS server fails. The name of an authenticated supplicant system is not suffixed with the domain name. A connection is terminated if the total size of the data passing through it during a period of 20 minutes is less than 2,000 bytes.
• The switch is connected to two RADIUS servers whose IP addresses are 10.11.1.1 and 10.11.1.2. The RADIUS server with the IP address 10.11.1.1 operates as the primary authentication server and the secondary accounting server. The other operates as the secondary authentication server and the primary accounting server. The password for the switch and the authentication RADIUS servers to exchange messages is "name", and the password for the switch and the accounting RADIUS servers to exchange messages is "money". The switch sends a packet to the RADIUS servers again if it does not receive a response within 5 seconds, with a maximum of 5 retries. The switch sends a real-time accounting packet to the RADIUS servers once every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated.
• The user name and password for local 802.1x authentication are "localuser" and "localpass" (in plain text) respectively. The idle disconnecting function is enabled.
Network diagram
Figure 1-12 Network diagram for AAA configuration with 802.1x and RADIUS enabled
Configuration procedure
The following configuration covers the major AAA/RADIUS configuration commands. Refer to AAA Operation for information about these commands. Configuration on the client and the RADIUS servers is omitted.
# Enable 802.1x globally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x
# Enable 802.1x on GigabitEthernet 1/0/1.
[Sysname] dot1x interface GigabitEthernet 1/0/1
# Set the access control method to MAC-based (This operation can be omitted, as
MAC-based is the default).
[Sysname] dot1x port-method macbased interface GigabitEthernet 1/0/1
# Create a RADIUS scheme named “radius1” and enter RADIUS scheme view.
[Sysname] radius scheme radius1
# Assign IP addresses to the primary authentication and accounting RADIUS servers.
[Sysname-radius-radius1] primary authentication 10.11.1.1
[Sysname-radius-radius1] primary accounting 10.11.1.2
# Assign IP addresses to the secondary authentication and accounting RADIUS server.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the password for the switch and the authentication RADIUS servers to exchange
messages.
[Sysname-radius-radius1] key authentication name
# Set the password for the switch and the accounting RADIUS servers to exchange
messages.
[Sysname-radius-radius1] key accounting money
# Set the interval and the number of the retries for the switch to send packets to the
RADIUS servers.
[Sysname-radius-radius1] timer 5
[Sysname-radius-radius1] retry 5
# Set the timer for the switch to send real-time accounting packets to the RADIUS servers.
[Sysname-radius-radius1] timer realtime-accounting 15
# Configure to send the user name to the RADIUS server with the domain name truncated.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create the domain named “aabbcc.net” and enter its view.
[Sysname] domain aabbcc.net
# Specify to adopt radius1 as the RADIUS scheme of the user domain. If RADIUS server is
invalid, specify to adopt the local authentication scheme.
[Sysname-isp-aabbcc.net] scheme radius-scheme radius1 local
# Specify the maximum number of users the user domain can accommodate to 30.
[Sysname-isp-aabbcc.net] access-limit enable 30
# Enable the idle disconnecting function and set the related parameters.
[Sysname-isp-aabbcc.net] idle-cut enable 20 2000
[Sysname-isp-aabbcc.net] quit
# Set the default user domain to aabbcc.net.
[Sysname] domain default enable aabbcc.net
# Create a local access user account.
[Sysname] local-user localuser
[Sysname-luser-localuser] service-type lan-access
[Sysname-luser-localuser] password simple localpass
2 Quick EAD Deployment Configuration
Only the S5100-EI series switches support the Quick EAD Deployment configuration.
When configuring quick EAD deployment, go to these sections for the information you are interested in:
• Introduction to Quick EAD Deployment
• Configuring Quick EAD Deployment
• Displaying and Maintaining Quick EAD Deployment
• Quick EAD Deployment Configuration Example
• Troubleshooting
Introduction to Quick EAD Deployment
Quick EAD Deployment Overview
As an integrated solution, an Endpoint Admission Defense (EAD) solution can improve the
overall defense power of a network. In real applications, however, deploying EAD clients
proves to be time consuming and inconvenient.
To address the issue, the H3C S5100-SI/EI series provides the forcible deployment of EAD
clients with 802.1x authentication, easing the work of EAD client deployment.
Operation of Quick EAD Deployment
Quick EAD deployment is achieved with two functions: restricted access and HTTP redirection.
Restricted access
Before passing 802.1x authentication, a user is restricted (through ACLs) to a specific range of IP addresses or a specific server. Services like EAD client upgrading/download and dynamic address assignment are available on the specific server.
HTTP redirection
In the HTTP redirection approach, when terminal users that have not passed 802.1x authentication access the Internet through Internet Explorer, they are redirected to a predefined URL for EAD client download.
The two functions ensure that all users without an EAD client have downloaded and installed one from the specified server themselves before they can access the Internet, thus decreasing the complexity and effort that EAD client deployment may involve.
The quick EAD deployment feature takes effect only when the access control mode of an
802.1x-enabled port is set to auto.
Configuring Quick EAD Deployment
Configuration Prerequisites
- Enable 802.1x on the switch.
- Set the access mode to auto for 802.1x-enabled ports.
Configuration Procedure
Configuring a free IP range
A free IP range is an IP range that users can access before passing 802.1x authentication.
Follow these steps to configure a free IP range:
To do...                                  Use the command...                                         Remarks
Enter system view                         system-view                                                —
Configure the URL for HTTP redirection    dot1x url url-string                                       Required
Configure a free IP range                 dot1x free-ip ip-address { mask-address | mask-length }    Required. By default, no free IP range is configured.
- You must configure the URL for HTTP redirection before configuring a free IP range. The URL must start with http:// and the segment where the URL host resides must be in the free IP range. Otherwise, the redirection function cannot take effect.
- You must disable the DHCP-triggered authentication function of 802.1x before configuring a free IP range.
- With dot1x enabled but quick EAD deployment disabled, users cannot access the DHCP server if they fail 802.1x authentication. With quick EAD deployment enabled, users can obtain IP addresses dynamically before passing authentication if the IP address of the DHCP server is in the free IP range.
- The quick EAD deployment function applies only to ports with the access control mode set to auto through the dot1x port-control command.
- At present, 802.1x is the only access approach that supports quick EAD deployment.
- Currently, the quick EAD deployment function does not support port security. The configured free IP range cannot take effect if you enable port security.
Setting the ACL timeout period
The quick EAD deployment function depends on ACLs in restricting access of users failing
authentication. Each online user that has not passed authentication occupies a certain
amount of ACL resources. After a user passes authentication, the occupied ACL resources
will be released. When a large number of users log in but cannot pass authentication, the
switch may run out of ACL resources, preventing other users from logging in. A timer called
ACL timer is designed to solve this problem.
You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts
once a user gets online. If the user has not passed authentication when the ACL timer
expires, the occupied ACL resources are released for other users to use. When a very large
number of access requests are present, you can shorten the ACL timeout period appropriately
to improve the utilization of ACL resources.
Follow these steps to configure the ACL timer:
To do...              Use the command...                              Remarks
Enter system view     system-view                                     —
Set the ACL timer     dot1x timer acl-timeout acl-timeout-value       Required. By default, the ACL timeout period is 30 minutes.
Displaying and Maintaining Quick EAD Deployment
To do...                                                          Use the command...                                            Remarks
Display configuration information about quick EAD deployment      display dot1x [ sessions | statistics ] [ interface interface-list ]   Available in any view
Quick EAD Deployment Configuration Example
Network requirements
A user connects to the switch directly. The switch connects to the Web server and the
Internet. The user will be redirected to the Web server to download the authentication
client and upgrade software when accessing the Internet through IE before passing
authentication. After passing authentication, the user can access the Internet.
Network diagram
Figure 2-1 Network diagram for quick EAD deployment
Configuration procedure
Before enabling quick EAD deployment, be sure that:
- The Web server is configured properly.
- The default gateway of the user's PC is configured as the IP address of the connected VLAN interface on the switch.
# Configure the URL for HTTP redirection.
<Sysname> system-view
[Sysname] dot1x url http://192.168.0.111
# Configure a free IP range.
[Sysname] dot1x free-ip 192.168.0.111 24
# Set the ACL timer to 10 minutes.
[Sysname] dot1x timer acl-timeout 10
# Enable dot1x globally.
[Sysname] dot1x
# Enable dot1x for GigabitEthernet 1/0/1.
[Sysname] dot1x interface GigabitEthernet 1/0/1
Troubleshooting
Symptom: A user cannot be redirected to the specified URL server, no matter what URL the
user enters in the IE address bar.
Solution:
- If the user enters something other than a dotted-decimal IP address (a hostname, for example), the user may not be redirected. This depends on the operating system of the PC: it treats the string as a name and tries to resolve it; if resolution fails, the PC typically tries to reach a fallback website, generally also by name rather than by a dotted-decimal address. As a result, the PC never receives an ARP response for the destination, the HTTP request never reaches the switch, and no redirection happens. To work around this, enter a dotted-decimal IP address that is outside the free IP range.
- If the user enters an address in the free IP range, the user is not redirected. The switch assumes the user wants to reach a host in the free IP range and forwards the traffic as-is, regardless of whether that host exists. To work around this, enter an address that is not in the free IP range.
- Check that the Web server has an IP address in the free IP range, that the redirection URL is correct, and that the server provides Web services properly.
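The restricted-access, HTTP-redirection and ACL-timer behaviour described in this chapter, modelled in Python as an added example; this is not code from the manual or from H3C. The port model, the ACL pool size, the time units and the MAC addresses are constructed for illustration (the real ACL timer is in minutes). validate_quick_ead encodes the two preconditions on the redirect URL, and QuickEadPort.handle shows what happens to a frame from a user who has not yet passed 802.1x, including the two troubleshooting cases above (destination inside the free range, destination not in dotted-decimal form) and the ACL-pool exhaustion that the ACL timer exists to relieve.

```python
import ipaddress
from urllib.parse import urlsplit


def validate_quick_ead(url: str, free_ip: str):
    """Check the manual's two preconditions for HTTP redirection: the URL must start
    with http:// and its host must lie inside the free IP range. Returns (ok, reason)."""
    if not url.startswith("http://"):
        return False, "redirect URL must start with http://"
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False, "redirect URL host should be a dotted-decimal IP address"
    net = ipaddress.ip_network(free_ip, strict=False)
    if addr not in net:
        return False, f"{addr} is outside the free IP range {net}"
    return True, "ok"


class QuickEadPort:
    """Constructed model of one 802.1x port with quick EAD deployment enabled.

    Each unauthenticated user consumes one restricted-access ACL entry until it passes
    authentication or the ACL timer expires; when the pool is exhausted, further users
    cannot come online, which is the situation the ACL timer is designed to relieve."""

    def __init__(self, port_control, free_ranges, redirect_url, acl_capacity, acl_timeout):
        self.port_control = port_control   # auto | authorized-force | unauthorized-force
        self.free = [ipaddress.ip_network(r, strict=False) for r in free_ranges]
        self.url = redirect_url
        self.capacity, self.timeout = acl_capacity, acl_timeout
        self.acl = {}                      # MAC of unauthenticated user -> time ACL entry was installed
        self.authenticated = set()

    def _release_expired(self, now):
        for mac, installed in list(self.acl.items()):
            if now - installed >= self.timeout:
                del self.acl[mac]          # ACL timer expired: resources return to the pool

    def _user_online(self, mac, now):
        """Install the restricted-access ACL for a user; False if the pool is exhausted."""
        self._release_expired(now)
        if mac in self.acl:
            return True
        if len(self.acl) >= self.capacity:
            return False
        self.acl[mac] = now
        return True

    def auth_success(self, mac):
        self.acl.pop(mac, None)            # ACL resources are released once the user passes
        self.authenticated.add(mac)

    def handle(self, mac, dst, dst_port, now):
        """Return what the switch does with a frame from mac to dst:dst_port at time now."""
        if self.port_control == "authorized-force":
            return "forward"               # quick EAD only takes effect in auto mode
        if self.port_control == "unauthorized-force":
            return "drop"
        if mac in self.authenticated:
            return "forward"
        if not self._user_online(mac, now):
            return "drop"                  # no ACL resources left for this user
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            return "drop"                  # not dotted decimal: PC tries name resolution, nothing to redirect
        if any(addr in net for net in self.free):
            return "forward"               # free IP range: forwarded as-is, whether or not the host exists
        if dst_port == 80:
            return f"redirect {self.url}"
        return "drop"
```

The model makes one design point explicit: the free IP range is a plain allow-list applied before authentication, so anything placed in it (the EAD server, the DHCP server) is reachable by every unauthenticated host on the port, and the range should be kept as narrow as the deployment allows.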
3 HABP Configuration
When configuring HABP, go to these sections for information you are interested in:
- Introduction to HABP
- HABP Server Configuration
- HABP Client Configuration
- Displaying and Maintaining HABP Configuration
Introduction to HABP
When a switch is configured with the 802.1x function, 802.1x will authenticate and
authorize 802.1x-enabled ports and allow only the authorized ports to forward packets. In
case a port fails 802.1x authentication and authorization, service packets from and to that
port will be blocked, making it impossible to manage the switch attached to the port. The
Huawei Authentication Bypass Protocol (HABP) aims at solving this problem.
An HABP packet carries the MAC addresses of the attached switches with it. It can bypass
the 802.1x authentications when traveling between HABP-enabled switches, through
which management devices can obtain the MAC addresses of the attached switches and
thus the management of the attached switches is feasible.
HABP is built on the client-server model. Typically, the HABP server sends HABP requests
to the client periodically to collect the MAC address(es) of the attached switch(es). The
client responds to the requests, and forwards the HABP requests to the attached
switch(es). The HABP server usually runs on the administrative device while the HABP
client runs on the attached switches.
For ease of switch management, it is recommended that you enable HABP for
802.1x-enabled switches.
HABP Server Configuration
With the HABP server launched, a management device sends HABP request packets
regularly to the attached switches to collect their MAC addresses. You need also to
configure the interval on the management device for an HABP server to send HABP
request packets.
Follow these steps to configure an HABP server:
To do...                                               Use the command...         Remarks
Enter system view                                      system-view                —
Enable HABP                                            habp enable                Optional. By default, HABP is enabled.
Configure the current switch to be an HABP server      habp server vlan vlan-id   Required. By default, a switch operates as an HABP client after you enable HABP on it. If you want to use the switch as a management switch, you need to configure it as an HABP server.
Configure the interval to send HABP request packets    habp timer interval        Optional. The default interval for an HABP server to send HABP request packets is 20 seconds.
HABP Client Configuration
HABP clients reside on switches attached to HABP servers. After you enable HABP for a
switch, the switch operates as an HABP client by default. So you only need to enable HABP
on a switch to make it an HABP client.
Follow these steps to configure an HABP client:
To do...              Use the command...    Remarks
Enter system view     system-view           —
Enable HABP           habp enable           Optional. HABP is enabled by default, and a switch operates as an HABP client after you enable HABP for it.
Displaying and Maintaining HABP Configuration
To do...                                              Use the command...    Remarks
Display HABP configuration and status                 display habp          Available in any view
Display the MAC address table maintained by HABP      display habp table    Available in any view
Display statistics on HABP packets                    display habp traffic  Available in any view
4 System-Guard Configuration
System-Guard Overview
System guard protects the switch CPU from packet floods. The first step is to determine whether the CPU is under attack. Congestion in a queue is not, by itself, a reliable indicator; instead, the switch uses one of the following measures:
- the number of packets handed to the CPU from a queue within a time range, or
- the time taken to process one hundred packets.
If the CPU is under attack, the rate of packets to be processed from a given queue exceeds the configured threshold, and the switch concludes that the CPU is under attack. By analyzing these packets you learn the characteristics of the attack source, and you can then apply filtering rules that match those characteristics. This is how system guard is implemented.
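The detection rule above (a threshold on packets handed to the CPU within a time window, followed by isolation for a fixed period) written out in Python as an added example; it is not the switch's implementation. The per-(queue, source) split, the sample events, the small threshold and the time units are constructed for illustration: the real switch counts per queue in hardware, and the filtering rules you derive from the captured packets are what single out a source.

```python
from collections import deque


class SystemGuard:
    """Constructed model of system guard: count packets handed to the CPU per (queue, source)
    inside a sliding window; when the count exceeds detect_threshold, record an attack and
    isolate that source for isolate_timer time units."""

    def __init__(self, detect_threshold=200, window=1, isolate_timer=600):
        self.detect_threshold = detect_threshold
        self.window = window
        self.isolate_timer = isolate_timer
        self.windows = {}        # (queue, source) -> deque of packet timestamps in the window
        self.isolated = {}       # (queue, source) -> time at which isolation ends
        self.attack_record = []  # what "display system-guard attack-record" would show

    def packet(self, queue, source, now):
        """Return 'processed', 'isolated' (threshold just crossed) or 'dropped' (still isolated)."""
        key = (queue, source)
        release = self.isolated.get(key)
        if release is not None:
            if now < release:
                return "dropped"             # isolation timer still running
            del self.isolated[key]           # isolation timer expired: source gets a clean slate
        stamps = self.windows.setdefault(key, deque())
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()                 # slide the window
        if len(stamps) > self.detect_threshold:
            self.isolated[key] = now + self.isolate_timer
            self.attack_record.append({"queue": queue, "source": source,
                                       "time": now, "packets": len(stamps)})
            stamps.clear()
            return "isolated"
        return "processed"

    def state(self, now):
        """Remaining isolation time per source, like 'display system-guard state'."""
        return {key: end - now for key, end in self.isolated.items() if end > now}


def replay(guard, events):
    """Feed (queue, source, time) tuples in time order and return the verdict for each."""
    return [guard.packet(queue, source, t) for queue, source, t in events]


# Constructed sample: one host floods the ARP queue with 7 packets while another sends 2.
# With the guard tuned down to 5 packets per 10 time units and a 100 unit isolation,
# the 6th packet from the flooding host trips the threshold and the 7th is dropped.
SAMPLE_EVENTS = [
    ("arp", "00:11:22:33:44:55", 0), ("arp", "00:11:22:33:44:55", 1),
    ("arp", "00:11:22:33:44:55", 2), ("arp", "00:11:22:33:44:66", 2),
    ("arp", "00:11:22:33:44:55", 3), ("arp", "00:11:22:33:44:55", 4),
    ("arp", "00:11:22:33:44:55", 5), ("arp", "00:11:22:33:44:55", 6),
    ("arp", "00:11:22:33:44:66", 7),
]

if __name__ == "__main__":
    guard = SystemGuard(detect_threshold=5, window=10, isolate_timer=100)
    for event, verdict in zip(SAMPLE_EVENTS, replay(guard, SAMPLE_EVENTS)):
        print(event, "->", verdict)
    print("attack record:", guard.attack_record)
    print("state at t=8:", guard.state(8))
```

The isolation period is the trade-off the manual's timer-interval setting exposes: too short and a persistent flood keeps re-tripping detection, too long and a spoofed source address keeps a legitimate host off the CPU for the whole interval.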
Configuring the System-Guard Feature
Through the following configuration, you can enable the system-guard feature, set the threshold for the
number of packets at which an attack is detected, and set the length of the isolation applied after an attack is detected.
Table 4-1 Configure the system-guard feature
Operation                                                                    Command                                            Description
Enter system view                                                            system-view                                        —
Enable the system-guard feature                                              system-guard enable                                Required. By default, the system-guard feature is disabled.
Set the threshold for the number of packets at which an attack is detected   system-guard detect-threshold threshold-value      Optional. The default threshold value is 200 packets.
Set the length of the isolation after an attack is detected                  system-guard timer-interval isolate-timer          Optional. By default, the isolation after an attack is detected lasts 10 minutes.
Displaying and Maintaining System-Guard
After the above configuration, execute the display commands in any view to display the running status
of the system-guard feature and to verify the configuration.
Table 4-2 Display and maintain system-guard
Operation                                        Command
Display the record of detected attacks           display system-guard attack-record
Display the state of the system-guard feature    display system-guard state
Table of Contents
1 AAA Overview  1-1
  Introduction to AAA  1-1
    Authentication  1-1
    Authorization  1-1
    Accounting  1-2
    Introduction to ISP Domain  1-2
  Introduction to AAA Services  1-2
    Introduction to RADIUS  1-2
    Introduction to HWTACACS  1-7
2 AAA Configuration  2-1
  AAA Configuration Task List  2-1
    Creating an ISP Domain and Configuring Its Attributes  2-2
    Configuring an AAA Scheme for an ISP Domain  2-3
    Configuring Dynamic VLAN Assignment  2-6
    Configuring the Attributes of a Local User  2-7
    Cutting Down User Connections Forcibly  2-8
  RADIUS Configuration Task List  2-8
    Creating a RADIUS Scheme  2-10
    Configuring RADIUS Authentication/Authorization Servers  2-11
    Configuring Ignorance of Assigned RADIUS Authorization Attributes  2-11
    Configuring RADIUS Accounting Servers  2-12
    Configuring Shared Keys for RADIUS Messages  2-14
    Configuring the Maximum Number of RADIUS Request Transmission Attempts  2-14
    Configuring the Type of RADIUS Servers to be Supported  2-15
    Configuring the Status of RADIUS Servers  2-15
    Configuring the Attributes of Data to be Sent to RADIUS Servers  2-16
    Configuring the Local RADIUS Server  2-17
    Configuring Timers for RADIUS Servers  2-18
    Enabling Sending Trap Message when a RADIUS Server Goes Down  2-19
    Enabling the User Re-Authentication at Restart Function  2-19
  HWTACACS Configuration Task List  2-21
    Creating a HWTACACS Scheme  2-21
    Configuring TACACS Authentication Servers  2-21
    Configuring TACACS Authorization Servers  2-22
    Configuring TACACS Accounting Servers  2-23
    Configuring Shared Keys for HWTACACS Messages  2-23
    Configuring the Attributes of Data to be Sent to TACACS Servers  2-24
    Configuring the Timers Regarding TACACS Servers  2-25
  Displaying and Maintaining AAA Configuration  2-26
    Displaying and Maintaining AAA Configuration  2-26
    Displaying and Maintaining RADIUS Protocol Configuration  2-26
    Displaying and Maintaining HWTACACS Protocol Configuration  2-26
  AAA Configuration Examples  2-27
    Remote RADIUS Authentication of Telnet/SSH Users  2-27
    Local Authentication of FTP/Telnet Users  2-28
    HWTACACS Authentication and Authorization of Telnet Users  2-30
  Troubleshooting AAA  2-31
    Troubleshooting RADIUS Configuration  2-31
    Troubleshooting HWTACACS Configuration  2-31
3 EAD Configuration  3-1
  Introduction to EAD  3-1
  Typical Network Application of EAD  3-1
  EAD Configuration  3-2
  EAD Configuration Example  3-3
1 AAA Overview
Introduction to AAA
AAA is the acronym for the three security functions: authentication, authorization and accounting. It
provides a uniform framework for you to configure these three functions to implement network security
management.
- Authentication: Determines which users can access the network.
- Authorization: Determines which services are available to the users who can access the network.
- Accounting: Records how users consume network resources, so that they can be charged.
Typically, AAA operates in the client/server model: the client runs on the managed resources side while
the server stores the user information. Thus, AAA is well scalable and can easily implement centralized
management of user information.
Authentication
AAA supports the following authentication methods:
- None authentication: Users are trusted and are not checked for validity. Generally, this method is not recommended.
- Local authentication: User information (including username, password, and other attributes) is configured on this device, and users are authenticated on this device instead of on a remote device. Local authentication is fast and has a lower operational cost, but the number of accounts it can hold is limited by the device hardware.
- Remote authentication: Users are authenticated remotely through the RADIUS or HWTACACS protocol. This device (for example, an H3C series switch) acts as the client that communicates with the RADIUS or TACACS server. You can use the standard or extended RADIUS protocol in conjunction with systems such as iTELLIN/CAMS for user authentication. Remote authentication allows convenient centralized management and is feature-rich, but it requires a server that is properly configured and reachable.
Authorization
AAA supports the following authorization methods:
- Direct authorization: Users are trusted and directly authorized.
- Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device.
- RADIUS authorization: Users are authorized after they pass RADIUS authentication. In the RADIUS protocol, authentication and authorization are combined, and authorization cannot be performed alone without authentication.
- HWTACACS authorization: Users are authorized by a TACACS server.
Accounting
AAA supports the following accounting methods:
- None accounting: No accounting is performed for users.
- Remote accounting: User accounting is performed on a remote RADIUS or TACACS server.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a
username in the format userid@isp-name or userid.isp-name, the isp-name following the "@" or "."
character is the ISP domain name. The access device uses userid as the username for authentication,
and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may belong to different
domains. Since the users of different ISPs may have different attributes (such as different forms of
username and password, different service types/access rights), it is necessary to distinguish the users
by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS scheme, and so on) for
each ISP domain independently in ISP domain view.
Introduction to AAA Services
Introduction to RADIUS
AAA is a management framework, and more than one protocol can implement it. In practice, the
most commonly used service for AAA is RADIUS.
What is RADIUS
Remote Authentication Dial-in User Service (RADIUS) is a distributed service based on client/server
structure. It can prevent unauthorized access to your network and is commonly used in network
environments where both high security and remote user access service are required.
The RADIUS service involves three components:
- Protocol: Based on UDP/IP, RFC 2865 and RFC 2866 define the message format and message transfer mechanism of RADIUS, and define 1812 as the authentication port and 1813 as the accounting port.
- Server: The RADIUS server runs on a central computer or workstation. It stores and maintains user authentication information and network service access information.
- Client: RADIUS clients run on network access servers throughout the network.
RADIUS operates in the client/server model.
- A switch acting as a RADIUS client passes user information to a specified RADIUS server, and takes appropriate action (such as establishing or terminating the user connection) depending on the responses returned from the server.
- The RADIUS server receives user connection requests, authenticates users, and returns all required information to the switch.
Generally, a RADIUS server maintains the following three databases (see Figure 1-1):
- Users: This database stores information about users (such as username, password, protocol adopted and IP address).
- Clients: This database stores information about RADIUS clients (such as the shared key).
- Dictionary: The information stored in this database is used to interpret the attributes and attribute values in the RADIUS protocol.
Figure 1-1 Databases in a RADIUS server
In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or
accounting proxy service.
Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are
verified through a shared key. This enhances the security. The RADIUS protocol combines the
authentication and authorization processes together by sending authorization information along with
the authentication response message. Figure 1-2 depicts the message exchange procedure between
user, switch and RADIUS server.
Figure 1-2 Basic message exchange procedure of RADIUS
The basic message exchange procedure of RADIUS is as follows:
1) The user enters the username and password.
2) The RADIUS client receives the username and password, and then sends an authentication request (Access-Request) to the RADIUS server.
3) The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADIUS server sends back to the RADIUS client an authentication response (Access-Accept), which contains the user's authorization information. If the authentication fails, the server returns an Access-Reject response.
4) The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request with the Acct-Status-Type attribute set to Start) to the RADIUS server.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6) The user starts to access network resources.
7) The RADIUS client sends a stop-accounting request (Accounting-Request with the Acct-Status-Type attribute set to Stop) to the RADIUS server.
8) The RADIUS server returns a stop-accounting response (Accounting-Response).
9) The access to network resources is ended.
RADIUS message format
RADIUS messages are transported over UDP, which does not guarantee reliable delivery of messages
between RADIUS server and client. As a remedy, RADIUS adopts the following mechanisms: timer
management, retransmission, and backup server. Figure 1-3 depicts the format of RADIUS messages.
Figure 1-3 RADIUS message format
1) The Code field (one byte) determines the type of RADIUS message, as shown in Table 1-1.
Table 1-1 Description on the major values of the Code field
Code   Message type          Message description
1      Access-Request        Direction: client->server. The client transmits this message to the server to determine whether the user can access the network. It carries user information: it must contain the User-Name attribute and may contain the NAS-IP-Address, User-Password and NAS-Port attributes.
2      Access-Accept         Direction: server->client. The server transmits this message to the client if all the attribute values carried in the Access-Request message are acceptable (that is, the user passes the authentication).
3      Access-Reject         Direction: server->client. The server transmits this message to the client if any attribute value carried in the Access-Request message is unacceptable (that is, the user fails the authentication).
4      Accounting-Request    Direction: client->server. The client transmits this message to the server to request that the server start or end accounting (which of the two is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attributes as the Access-Request message.
5      Accounting-Response   Direction: server->client. The server transmits this message to the client to confirm that it has received the Accounting-Request message and has correctly recorded the accounting information.
2) The Identifier field (one byte) is used to match requests and responses. It changes whenever the content of the Attributes field changes and whenever a valid response has been received for a previous request, but remains unchanged when a message is retransmitted.
3) The Length field (two bytes) specifies the total length of the message (including the Code, Identifier, Length, Authenticator and Attributes fields). Bytes beyond the length are regarded as padding and are ignored upon reception. If a received message is shorter than the Length field indicates, it is discarded.
4) The Authenticator field (16 bytes) is used to authenticate the response from the RADIUS server and is used in the password hiding algorithm. There are two kinds of authenticators: Request Authenticator and Response Authenticator.
5) The Attributes field carries the specific authentication/authorization/accounting information of a request or response message. It is a list of attributes, each a (Type, Length, Value) triplet:
- The Type field (one byte) specifies the type of the attribute. Its value ranges from 1 to 255. Table 1-2 lists the attributes that are commonly used in RADIUS authentication/authorization.
- The Length field (one byte) specifies the total length of the attribute in bytes (including the Type, Length and Value fields).
- The Value field (up to 253 bytes) contains the information of the attribute. Its format is determined by the Type and Length fields.
Table 1-2 RADIUS attributes
Type   Attribute type            Type    Attribute type
1      User-Name                 23      Framed-IPX-Network
2      User-Password             24      State
3      CHAP-Password             25      Class
4      NAS-IP-Address            26      Vendor-Specific
5      NAS-Port                  27      Session-Timeout
6      Service-Type              28      Idle-Timeout
7      Framed-Protocol           29      Termination-Action
8      Framed-IP-Address         30      Called-Station-Id
9      Framed-IP-Netmask         31      Calling-Station-Id
10     Framed-Routing            32      NAS-Identifier
11     Filter-ID                 33      Proxy-State
12     Framed-MTU                34      Login-LAT-Service
13     Framed-Compression        35      Login-LAT-Node
14     Login-IP-Host             36      Login-LAT-Group
15     Login-Service             37      Framed-AppleTalk-Link
16     Login-TCP-Port            38      Framed-AppleTalk-Network
17     (unassigned)              39      Framed-AppleTalk-Zone
18     Reply-Message             40-59   (reserved for accounting)
19     Callback-Number           60      CHAP-Challenge
20     Callback-ID               61      NAS-Port-Type
21     (unassigned)              62      Port-Limit
22     Framed-Route              63      Login-LAT-Port
The RADIUS protocol is extensible. Attribute 26 (Vendor-Specific) allows a device vendor to extend
RADIUS with functions that standard RADIUS does not define. Figure 1-4 depicts the format of attribute 26.
The Vendor-ID field that identifies the vendor occupies four bytes: the first byte is 0 and the other three
bytes carry the vendor's enterprise number as defined in RFC 1700. After it, the vendor can encapsulate
multiple customized sub-attributes (each with a vendor-specific Type, Length and Value) to implement a
RADIUS extension.
Figure 1-4 Vendor-specific attribute format
Type (26) | Length | Vendor-ID (4 bytes) | vendor Type (specified) | vendor Length (specified) | specified attribute value ...
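The message format and the Access-Request/Access-Accept leg of the exchange described above, built and parsed in Python as an added example; this is not the switch's code nor any RADIUS server's. It covers the fixed header, the Length rules, the (Type, Length, Value) attribute list, the User-Password hiding of RFC 2865 section 5.2, the Response Authenticator the client checks, and the Vendor-Specific attribute (26) layout of Figure 1-4. The shared key, usernames, NAS address and the in-memory Users database are constructed; the vendor-specific example uses 25506 (H3C's registered enterprise number) with a constructed sub-attribute.

```python
import hashlib
import ipaddress
import os
import struct

# RFC 2865 message codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, VENDOR_SPECIFIC = 18, 26


def hide_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    block); the 'previous block' for the first block is the Request Authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as the server does it; trailing NUL padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(h ^ d for h, d in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One Type-Length-Value triplet; Length covers Type and Length, so Value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vendor_specific(vendor_id, sub_type, value):
    """Attribute 26: a 4-byte Vendor-ID (high byte 0) followed by a vendor TLV (Figure 1-4)."""
    sub = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_vendor_specific(value):
    """Split the Value of attribute 26 into (vendor_id, [(sub_type, sub_value), ...])."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        hdr = value[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > len(value):
            raise ValueError("bad vendor sub-attribute length")
        subs.append((hdr[0], value[pos + 2:pos + hdr[1]]))
        pos += hdr[1]
    return vendor_id, subs


def build_access_request(identifier, secret, username, password, nas_ip, nas_port, request_authenticator=None):
    """What the NAS (the switch) sends in step 2 of the exchange."""
    req_auth = request_authenticator or os.urandom(16)   # must be unpredictable in real use
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); enforces the Length rules."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the fixed header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or len(packet) < length:
        raise ValueError("packet shorter than its Length field says")  # RFC: discard it
    body = packet[:length]                                              # beyond Length is padding
    attrs, pos = [], 20
    while pos < length:
        hdr = body[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > length:
            raise ValueError("bad attribute length")
        attrs.append((hdr[0], body[pos + 2:pos + hdr[1]]))
        pos += hdr[1]
    return code, identifier, body[4:20], attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_authenticator, secret):
    """Client-side check that the reply matches our request and came from a holder of the key."""
    code, identifier, auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    return auth == response_authenticator(code, identifier, response[20:length], request_authenticator, secret)


def toy_server(request, secret, users):
    """Constructed minimal server: the Users database is a dict of username -> password."""
    code, identifier, req_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in fields or USER_PASSWORD not in fields:
        return build_response(ACCESS_REJECT, identifier, req_auth, secret)
    if users.get(fields[USER_NAME]) == reveal_password(fields[USER_PASSWORD], secret, req_auth):
        return build_response(ACCESS_ACCEPT, identifier, req_auth, secret, attribute(REPLY_MESSAGE, b"welcome"))
    return build_response(ACCESS_REJECT, identifier, req_auth, secret)
```

Two points the code makes concrete: the shared key is the only thing standing between a spoofed server and an Access-Accept (the Response Authenticator is all the client checks), and the password "encryption" is a keyed XOR stream, so a captured request plus a weak key is enough to recover passwords offline. Choose long random keys and keep RADIUS traffic on a management network.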
Introduction to HWTACACS
What is HWTACACS
Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). Like RADIUS, it implements AAA for different types of
users (such as PPP, VPDN and terminal users) by communicating with a TACACS server in
client/server mode.
Compared with RADIUS, HWTACACS provides more reliable transport and encryption, and is
therefore better suited to security control. Table 1-3 lists the primary differences between
HWTACACS and RADIUS.
Table 1-3 Differences between HWTACACS and RADIUS
HWTACACS                                                                                   RADIUS
Adopts TCP, providing more reliable network transmission.                                  Adopts UDP.
Encrypts the entire message except the HWTACACS header.                                    Encrypts only the password field in authentication messages.
Separates authentication from authorization; for example, you can use one TACACS server    Combines authentication and authorization.
for authentication and another TACACS server for authorization.
Is more suitable for security control.                                                     Is more suitable for accounting.
Supports configuration command authorization.                                              Does not support configuration command authorization.
In a typical HWTACACS application (as shown in Figure 1-5), a terminal user needs to log into the
switch to perform some operations. As an HWTACACS client, the switch sends the username and
password to the TACACS server for authentication. After passing authentication and being authorized,
the user logs into the switch and performs the operations.
Figure 1-5 Network diagram for a typical HWTACACS application (host, switch acting as HWTACACS client, HWTACACS servers)
Basic message exchange procedure in HWTACACS
The following text takes a Telnet user as an example to describe how HWTACACS implements
authentication, authorization, and accounting for a user. Figure 1-6 illustrates the basic message
exchange procedure:
Figure 1-6 AAA implementation procedure for a telnet user
The basic message exchange procedure is as follows:
1) A user sends a login request to the switch acting as a TACACS client, which then sends an
authentication start request to the TACACS server.
2) The TACACS server returns an authentication response, asking for the username. Upon receiving
the response, the TACACS client requests the user for the username.
3) After receiving the username from the user, the TACACS client sends an authentication
continuance message carrying the username.
4) The TACACS server returns an authentication response, asking for the password. Upon receiving
the response, the TACACS client requests the user for the login password.
5) After receiving the password, the TACACS client sends an authentication continuance message
carrying the password to the TACACS server.
6) The TACACS server returns an authentication response, indicating that the user has passed the
authentication.
7) The TACACS client sends a user authorization request to the TACACS server.
8) The TACACS server returns an authorization response, indicating that the user has passed the
authorization.
9) After receiving the response indicating an authorization success, the TACACS client pushes the
configuration interface of the switch to the user.
10) The TACACS client sends an accounting start request to the TACACS server.
11) The TACACS server returns an accounting response, indicating that it has received the accounting
start request.
12) The user logs out; the TACACS client sends an accounting stop request to the TACACS server.
13) The TACACS server returns an accounting response, indicating that it has received the accounting
stop request.
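The 13-step exchange above, modelled as messages between the switch (HWTACACS client) and a TACACS server. This is an added example, not H3C's code and not part of the manual; the message names, the in-memory user database and the password comparison are assumptions, and the real packet format is not modelled. The trace the client keeps shows which step a failed login stops at (a wrong password ends the exchange at step 6, so no authorization or accounting messages are sent).

```python
import hmac
from typing import Dict, List, Optional, Tuple

Message = Tuple[str, str]   # (message kind, payload or status)


class TacacsServer:
    def __init__(self, users: Dict[str, str]):
        self.users = users                          # constructed: username -> password
        self.pending_user: Optional[str] = None     # session state kept between steps 3 and 5
        self.accounting: List[str] = []             # accounting records the server has received

    def handle(self, msg: Message) -> Message:
        kind, data = msg
        if kind == "AUTHEN_START":                  # step 1 -> step 2: ask for the username
            self.pending_user = None
            return ("AUTHEN_REPLY", "GETUSER")
        if kind == "AUTHEN_CONTINUE":
            if self.pending_user is None:           # step 3 -> step 4: ask for the password
                self.pending_user = data
                return ("AUTHEN_REPLY", "GETPASS")
            expected = self.users.get(self.pending_user, "")   # step 5 -> step 6
            ok = self.pending_user in self.users and \
                hmac.compare_digest(expected.encode(), data.encode())
            return ("AUTHEN_REPLY", "PASS" if ok else "FAIL")
        if kind == "AUTHOR_REQUEST":                # step 7 -> step 8
            return ("AUTHOR_RESPONSE", "PASS" if data in self.users else "FAIL")
        if kind in ("ACCT_START", "ACCT_STOP"):     # steps 10/11 and 12/13
            self.accounting.append(f"{kind}:{data}")
            return ("ACCT_RESPONSE", "SUCCESS")
        return ("ERROR", "unknown message")


class TacacsClient:
    """The switch side: drives the exchange and records every request/reply pair."""

    def __init__(self, server: TacacsServer):
        self.server = server
        self.trace: List[Tuple[str, str]] = []

    def _exchange(self, msg: Message) -> str:
        reply = self.server.handle(msg)
        self.trace.append((msg[0], reply[1]))
        return reply[1]

    def login(self, username: str, password: str) -> bool:
        """Return True when the user may be given the configuration interface (step 9)."""
        if self._exchange(("AUTHEN_START", "login")) != "GETUSER":
            return False
        if self._exchange(("AUTHEN_CONTINUE", username)) != "GETPASS":
            return False
        if self._exchange(("AUTHEN_CONTINUE", password)) != "PASS":
            return False   # authentication failed: no authorization, no accounting
        if self._exchange(("AUTHOR_REQUEST", username)) != "PASS":
            return False
        return self._exchange(("ACCT_START", username)) == "SUCCESS"

    def logout(self, username: str) -> bool:
        return self._exchange(("ACCT_STOP", username)) == "SUCCESS"
```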
2 AAA Configuration
AAA Configuration Task List
You need to configure AAA to provide network access services for legitimate users while protecting
network devices and preventing unauthorized access and repudiation.
Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP
domain):
AAA configuration:
  Creating an ISP Domain and Configuring Its Attributes: Required
  Configuring an AAA Scheme for an ISP Domain, by configuring a combined AAA scheme with none authentication, local authentication, RADIUS authentication, or HWTACACS authentication: Required. Use one of the authentication methods. You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
Configuring Dynamic VLAN Assignment: Optional
Configuring the Attributes of a Local User: Optional
Cutting Down User Connections Forcibly: Optional
Complete the following tasks to configure AAA (configuring separate AAA schemes for an ISP domain):
AAA configuration:
  Creating an ISP Domain and Configuring Its Attributes: Required
  Configuring an AAA Scheme for an ISP Domain, by configuring separate AAA schemes: Required. With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
Configuring Dynamic VLAN Assignment: Optional
Configuring the Attributes of a Local User: Optional
Cutting Down User Connections Forcibly: Optional
Creating an ISP Domain and Configuring Its Attributes
Follow these steps to create an ISP domain and configure its attributes:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Configure the form of the delimiter between the username and the ISP domain name
  Use the command: domain delimiter { at | dot }
  Remarks: Optional. By default, the delimiter between the username and the ISP domain name is "@".
To do: Create an ISP domain or set an ISP domain as the default ISP domain
  Use the command: domain { isp-name | default { disable | enable isp-name } }
  Remarks: Required. If no ISP domain is set as the default ISP domain, the ISP domain "system" is used as the default ISP domain.
To do: Set the status of the ISP domain
  Use the command: state { active | block }
  Remarks: Optional. By default, an ISP domain is in the active state, that is, all the users in the domain are allowed to request network service.
To do: Set the maximum number of access users that the ISP domain can accommodate
  Use the command: access-limit { disable | enable max-user-number }
  Remarks: Optional. By default, there is no limit on the number of access users that the ISP domain can accommodate.
To do: Set the idle-cut function
  Use the command: idle-cut { disable | enable minute flow }
  Remarks: Optional. By default, the idle-cut function is disabled.
To do: Set the accounting-optional switch
  Use the command: accounting optional
  Remarks: Optional. By default, the accounting-optional switch is off.
To do: Set the messenger function
  Use the command: messenger time { enable limit interval | disable }
  Remarks: Optional. By default, the messenger function is disabled.
To do: Set the self-service server location function
  Use the command: self-service-url { disable | enable url-string }
  Remarks: Optional. By default, the self-service server location function is disabled.
Note that:
• On an S5100-SI/EI series switch, each access user belongs to an ISP domain. You can configure
up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the
username, the switch assumes that the user belongs to the default ISP domain.
• If you have configured to use "." as the delimiter, for a username that contains multiple ".", the first
"." will be used as the domain delimiter.
• If you have configured to use "@" as the delimiter, the "@" must not appear more than once in the
username. If "." is the delimiter, the username must not contain any "@".
• If the system does not find any available accounting server or fails to communicate with any
accounting server when it performs accounting for a user, it does not disconnect the user as long
as the accounting optional command has been executed, though it cannot perform accounting for
the user in this case.
• The self-service server location function needs the cooperation of a RADIUS server that supports
self-service, such as Comprehensive Access Management Server (CAMS). Through self-service,
users can manage and control their account or card numbers by themselves. A server installed
with self-service software is called a self-service server.
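The delimiter rules in the notes above decide which ISP domain (and therefore which AAA scheme) a login is mapped to, so they are worth stating precisely. The following is an added example, not H3C's code: it splits a login name into username and ISP domain under the "@" and "." delimiter settings, falls back to the default domain "system" when no domain is carried, and rejects the forms the notes say are not accepted. The function names are assumptions.

```python
DEFAULT_DOMAIN = "system"   # the page's default ISP domain when none is set


def split_login_name(login: str, delimiter: str = "@",
                     default_domain: str = DEFAULT_DOMAIN):
    """Return (username, isp_domain) for a login name.

    delimiter: "@" (domain delimiter at, the default) or "." (domain delimiter dot).
    Raises ValueError for login names the page says are not accepted.
    """
    if delimiter not in ("@", "."):
        raise ValueError("delimiter must be '@' or '.'")

    if delimiter == "@":
        # "@" must not appear more than once in the username
        if login.count("@") > 1:
            raise ValueError("more than one '@' in login name")
        if "@" in login:
            user, domain = login.split("@", 1)
        else:
            user, domain = login, default_domain   # no domain carried: default domain
    else:
        # with "." as delimiter the username must not contain any "@",
        # and the first "." is the domain delimiter when several are present
        if "@" in login:
            raise ValueError("'@' not allowed when '.' is the domain delimiter")
        if "." in login:
            user, domain = login.split(".", 1)
        else:
            user, domain = login, default_domain

    if not user:
        raise ValueError("empty username")
    if not domain:
        raise ValueError("empty ISP domain name")
    return user, domain


def is_valid_login(login: str, delimiter: str = "@") -> bool:
    """True when split_login_name accepts the login name under this delimiter."""
    try:
        split_login_name(login, delimiter)
        return True
    except ValueError:
        return False
```

Note that the same login name maps to different domains under the two settings: with "@" as delimiter, "alice.smith" is a username in the default domain, while with "." it is user "alice" in domain "smith".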
H3C's CAMS Server is a service management system used to manage networks and ensure network
and user information security. With the cooperation of other networking devices (such as switches) in a
network, a CAMS server can implement the AAA functions and right management.
Configuring an AAA Scheme for an ISP Domain
You can configure either a combined AAA scheme or separate AAA schemes.
Configuring a combined AAA scheme
You can use the scheme command to specify an AAA scheme for an ISP domain.
Follow these steps to configure a combined AAA scheme:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
  Use the command: domain isp-name
  Remarks: Required
To do: Configure an AAA scheme for the ISP domain
  Use the command: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
  Remarks: Required. By default, an ISP domain uses the local AAA scheme.
• You can execute the scheme radius-scheme radius-scheme-name command to adopt an already
configured RADIUS scheme to implement all three AAA functions. If you adopt the local
scheme, only the authentication and authorization functions are implemented; the accounting
function cannot be implemented.
• If you execute the scheme radius-scheme radius-scheme-name local command, the local
scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the
communication between the switch and a RADIUS server is normal, the local scheme is not used;
otherwise, the local scheme is used.
• If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local
scheme is used as the secondary scheme in case no TACACS server is available. That is, if the
communication between the switch and a TACACS server is normal, the local scheme is not used;
if the TACACS server is not reachable or there is a key error or NAS IP error, the local scheme is
used.
• If you execute the scheme local or scheme none command to adopt local or none as the primary
scheme, local authentication is performed or no authentication is performed. In this case you
cannot specify any RADIUS scheme or HWTACACS scheme at the same time.
• If you configure none as the primary scheme, FTP users of the domain cannot pass
authentication. Therefore, you cannot specify none as the primary scheme if you want to enable
the FTP service.
Configuring separate AAA schemes
You can use the authentication, authorization, and accounting commands to specify a scheme for
each of the three AAA functions (authentication, authorization and accounting) respectively. The
following lists the schemes that can be used for each function, by the type of service supported by AAA.
1) For terminal users
• Authentication: RADIUS, local, HWTACACS or none.
• Authorization: none or HWTACACS.
• Accounting: RADIUS, HWTACACS or none.
You can use an arbitrary combination of the above implementations for your AAA scheme configuration.
2) For FTP users
Only authentication is supported for FTP users.
• Authentication: RADIUS, local, or HWTACACS.
Follow these steps to configure separate AAA schemes:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
  Use the command: domain isp-name
  Remarks: Required
To do: Configure an authentication scheme for the ISP domain
  Use the command: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
  Remarks: Optional. By default, no separate authentication scheme is configured.
To do: Configure an authorization scheme for the ISP domain
  Use the command: authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
  Remarks: Optional. By default, no separate authorization scheme is configured.
To do: Configure an accounting scheme for the ISP domain
  Use the command: accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }
  Remarks: Optional. By default, no separate accounting scheme is configured.
RADIUS scheme and local scheme do not support the separation of authentication and authorization.
Therefore, pay attention to the following when you configure authentication and authorization for a
domain: when the scheme radius-scheme or scheme local command is executed and the authentication
command is not executed, the authorization information returned from the RADIUS or local scheme still
takes effect even if the authorization none command is executed.
Configuration guidelines
Suppose a combined AAA scheme is available. The system selects AAA schemes according to the
following principles:
• If authentication, authorization, and accounting each have a separate scheme, the separate schemes
are used.
• If you configure only a separate authentication scheme (that is, there are no separate authorization
and accounting schemes configured), the combined scheme is used for authorization and
accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never
uses the secondary scheme for authorization and accounting.
• If you configure no separate scheme, the combined scheme is used for authentication,
authorization, and accounting. In this case, if the system uses the secondary local scheme for
authentication, it also does so for authorization and accounting; if the system uses the first scheme
for authentication, it also does so for authorization and accounting, even if authorization and
accounting fail.
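The guidelines above, together with the note that RADIUS and local schemes do not separate authentication from authorization and the earlier remark that the local scheme performs no accounting, determine which scheme actually serves each AAA function. The following added example (not H3C's code) encodes those rules; the Scheme type, the function names and the single "server reachable" flag applied to every server are assumptions, and treating any partial set of separate schemes like the "only a separate authentication scheme" case (separate where configured, the combined scheme without its local backup elsewhere) is a generalization of what the page states.

```python
from dataclasses import dataclass
from typing import Dict, Optional

NO_ACCOUNTING = "not performed (local scheme has no accounting)"


@dataclass(frozen=True)
class Scheme:
    kind: str                   # "local", "none", "radius" or "hwtacacs"
    name: str = ""              # radius-scheme-name / hwtacacs-scheme-name
    local_backup: bool = False  # the trailing [ local ] keyword

    def label(self) -> str:
        return f"{self.kind}:{self.name}" if self.name else self.kind


def _use(scheme: Scheme, server_reachable: bool, allow_backup: bool) -> str:
    """Name the scheme actually used for one AAA function."""
    if scheme.kind in ("radius", "hwtacacs") and not server_reachable:
        # no server reachable (or, for HWTACACS, a key / NAS IP error on the page):
        # the secondary local scheme applies only where the guidelines allow it
        if allow_backup and scheme.local_backup:
            return "local (secondary)"
        return "unavailable"
    return scheme.label()


def resolve_aaa(combined: Scheme,
                authentication: Optional[Scheme] = None,
                authorization: Optional[Scheme] = None,
                accounting: Optional[Scheme] = None,
                server_reachable: bool = True) -> Dict[str, str]:
    separate = {"authentication": authentication,
                "authorization": authorization,
                "accounting": accounting}

    if not any(separate.values()):
        # no separate scheme: the combined scheme serves all three functions, and
        # whichever of first/secondary scheme authenticated the user also
        # authorizes and accounts for it
        used = _use(combined, server_reachable, allow_backup=True)
        result = {fn: used for fn in separate}
    else:
        result = {}
        for fn, scheme in separate.items():
            if scheme is not None:
                # a separately configured function uses its own scheme; the
                # [ local ] backup only exists on the authentication command
                result[fn] = _use(scheme, server_reachable,
                                  allow_backup=(fn == "authentication"))
            else:
                # functions without a separate scheme fall back to the combined
                # scheme, and never to its secondary local scheme
                result[fn] = _use(combined, server_reachable, allow_backup=False)
        # RADIUS and local schemes do not separate authentication from authorization:
        # without a separate authentication scheme, "authorization none" does not
        # discard the authorization information the combined scheme returns
        if (authentication is None and authorization is not None
                and authorization.kind == "none"
                and combined.kind in ("radius", "local")):
            result["authorization"] = _use(combined, server_reachable, allow_backup=False)

    # the local scheme implements authentication and authorization only
    if result["accounting"].startswith("local"):
        result["accounting"] = NO_ACCOUNTING
    return result
```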
Configuring Dynamic VLAN Assignment
The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of
successfully authenticated users to different VLANs according to the attributes assigned by the
RADIUS server, so as to control the network resources that different users can access.
Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
• Integer: If the RADIUS authentication server assigns integer type VLAN IDs, you can set the
VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then,
upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the
port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the
switch first creates a VLAN with the assigned ID, and then adds the port to the newly created
VLAN.
• String: If the RADIUS authentication server assigns string type VLAN IDs, you can set the VLAN
assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS
authentication server, the switch compares the ID with existing VLAN names on the switch. If it
finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails
and the user fails the authentication.
In actual applications, to use this feature together with Guest VLAN, you are advised to set port control
to port-based mode. For more information, refer to Basic 802.1x Configuration of 802.1x and System
Guard Operation.
Follow these steps to configure dynamic VLAN assignment:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create an ISP domain and enter its view
  Use the command: domain isp-name
  Remarks: —
To do: Set the VLAN assignment mode
  Use the command: vlan-assignment-mode { integer | string }
  Remarks: Optional. By default, the VLAN assignment mode is integer.
To do: Create a VLAN and enter its view
  Use the command: vlan vlan-id
  Remarks: —
To do: Set a VLAN name for VLAN assignment
  Use the command: name string
  Remarks: This operation is required if the VLAN assignment mode is set to string.
• In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only
digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms
the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch
adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for
example).
• To implement dynamic VLAN assignment on a port where both MSTP and 802.1x are enabled, you
must set the MSTP port to an edge port.
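The two assignment modes and the digits-only special case above, as an added example (not H3C's code). It returns the VLAN the authenticated port lands in, or None where the page says the assignment fails and the user fails authentication. Assumptions: the valid VLAN ID range is the standard 1 to 4094, the default name given to a VLAN the switch creates, and that a digits-only string in string mode creates the VLAN when it does not exist, as integer mode does.

```python
from typing import Dict, Optional, Union

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # assumption: the standard 802.1Q VLAN ID range


def _valid_vlan_id(vlan_id: int) -> bool:
    return VLAN_ID_MIN <= vlan_id <= VLAN_ID_MAX


def _join(vlan_id: int, vlans: Dict[int, str]) -> int:
    # the VLAN is created first if it does not exist yet (the default name is an assumption)
    vlans.setdefault(vlan_id, f"VLAN {vlan_id:04d}")
    return vlan_id


def assign_vlan(mode: str, assigned: Union[int, str], vlans: Dict[int, str]) -> Optional[int]:
    """Apply the RADIUS-assigned VLAN attribute to an authenticated port.

    mode:     "integer" (the switch default) or "string"
    assigned: the value the RADIUS authentication server assigned
    vlans:    existing VLANs, VLAN ID -> VLAN name; VLANs the switch creates are added
    Returns the VLAN ID the port is added to, or None when assignment fails.
    """
    if mode == "integer":
        # integer mode: the assigned value must be an integer VLAN ID
        if isinstance(assigned, bool) or not isinstance(assigned, int) \
                or not _valid_vlan_id(assigned):
            return None
        return _join(assigned, vlans)
    if mode == "string":
        text = str(assigned)
        # a digits-only string is first treated as an integer VLAN ID when in range
        if text.isdigit() and _valid_vlan_id(int(text)):
            return _join(int(text), vlans)
        # otherwise the string is compared with the names of existing VLANs
        for vlan_id, name in vlans.items():
            if name == text:
                return vlan_id
        return None   # no match: the assignment fails and the user fails authentication
    raise ValueError("mode must be 'integer' or 'string'")
```

The name comparison is exact; a VLAN named with the `name string` command must match the string the server returns character for character.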
Configuring the Attributes of a Local User
When local scheme is chosen as the AAA scheme, you should create local users on the switch and
configure the relevant attributes.
The local users are users set on the switch, with each user uniquely identified by a username. To make
a user who is requesting network service pass local authentication, you should add an entry in the local
user database on the switch for the user.
Follow these steps to configure the attributes of a local user:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Set the password display mode of all local users
  Use the command: local-user password-display-mode { cipher-force | auto }
  Remarks: Optional. By default, the password display mode of all access users is auto, indicating that the passwords of access users are displayed in the modes set by the password command.
To do: Add a local user and enter local user view
  Use the command: local-user user-name
  Remarks: Required. By default, there is no local user in the system.
To do: Set a password for the local user
  Use the command: password { simple | cipher } password
  Remarks: Required
To do: Set the status of the local user
  Use the command: state { active | block }
  Remarks: Optional. By default, the user is in active state, that is, the user is allowed to request network services.
To do: Authorize the user to access specified type(s) of service
  Use the command: service-type { ftp | lan-access | { telnet | ssh | terminal }* [ level level ] }
  Remarks: Required. By default, the system does not authorize the user to access any service.
To do: Set the privilege level of the user
  Use the command: level level
  Remarks: Optional. By default, the privilege level of the user is 0.
To do: Configure the authorized VLAN for the local user
  Use the command: authorization vlan string
  Remarks: Required. By default, no authorized VLAN is configured for the local user.
To do: Set the attributes of the user whose service type is lan-access
  Use the command: attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*
  Remarks: Optional. When binding the user to a remote port, you must use nas-ip ip-address to specify a remote access server IP address (here, ip-address is 127.0.0.1 by default, representing this device). When binding the user to a local port, you need not use nas-ip ip-address.
• The following characters are not allowed in the user-name string: /:*?<>. And you cannot input
more than one "@" in the string.
• After the local-user password-display-mode cipher-force command is executed, any password
will be displayed in cipher mode even if you specify to display a user password in plain text by
using the password command.
• If a username and password are required for user authentication (RADIUS authentication as well as
local authentication), the command level that a user can access after login is determined by the
privilege level of the user. For SSH users using RSA shared key for authentication, the commands
they can access are determined by the levels set on their user interfaces.
• If the configured authentication method is none or password authentication, the command level
that a user can access after login is determined by the level of the user interface.
• If the clients connected to a port have different authorized VLANs, only the first client passing
MAC address authentication can be assigned an authorized VLAN. The switch will not assign
authorized VLANs to subsequent users passing MAC address authentication. In this case, you are
recommended to connect only one MAC address authentication user, or multiple users with the
same authorized VLAN, to a port.
• For local RADIUS authentication to take effect, the VLAN assignment mode must be set to string
after you specify authorized VLANs for local users.
Cutting Down User Connections Forcibly
Follow these steps to cut down user connections forcibly:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Cut down user connections forcibly
  Use the command: cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }
  Remarks: Required
You can use the display connection command to view the connections of Telnet users, but you cannot
use the cut connection command to cut down their connections.
RADIUS Configuration Task List
H3C’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers.
Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):
Configuring the RADIUS client:
  Creating a RADIUS Scheme: Required
  Configuring RADIUS Authentication/Authorization Servers: Required
  Configuring Ignorance of Assigned RADIUS Authorization Attributes: Optional
  Configuring RADIUS Accounting Servers: Required
  Configuring Shared Keys for RADIUS Messages: Optional
  Configuring the Maximum Number of RADIUS Request Transmission Attempts: Optional
  Configuring the Type of RADIUS Servers to be Supported: Optional
  Configuring the Status of RADIUS Servers: Optional
  Configuring the Attributes of Data to be Sent to RADIUS Servers: Optional
  Configuring Timers for RADIUS Servers: Optional
  Enabling Sending Trap Message when a RADIUS Server Goes Down: Optional
  Enabling the User Re-Authentication at Restart Function: Optional
Configuring the RADIUS server:
  Refer to the configuration of the RADIUS server.
Complete the following tasks to configure RADIUS (the switch functions as a local RADIUS server):
Configuring the RADIUS server:
  Creating a RADIUS Scheme: Required
  Configuring RADIUS Authentication/Authorization Servers: Required
  Configuring Ignorance of Assigned RADIUS Authorization Attributes: Optional
  Configuring RADIUS Accounting Servers: Required
  Configuring Shared Keys for RADIUS Messages: Optional
  Configuring the Maximum Number of RADIUS Request Transmission Attempts: Optional
  Configuring the Type of RADIUS Servers to be Supported: Optional
  Configuring the Status of RADIUS Servers: Optional
  Configuring the Attributes of Data to be Sent to RADIUS Servers: Optional
  Configuring the Local RADIUS Server: Required
  Configuring Timers for RADIUS Servers: Optional
  Enabling Sending Trap Message when a RADIUS Server Goes Down: Optional
Configuring the RADIUS client:
  Refer to the configuration of the RADIUS client.
The RADIUS service configuration is performed on a RADIUS scheme basis. In an actual network
environment, you can use either a single RADIUS server or two RADIUS servers (primary and
secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After
creating a new RADIUS scheme, you should configure the IP address and UDP port number of each
RADIUS server you want to use in this scheme. These RADIUS servers fall into two types:
authentication/authorization and accounting. For each type of server, you can configure two
servers in a RADIUS scheme: a primary server and a secondary server. A RADIUS scheme has
parameters such as the IP addresses of the primary and secondary servers, shared keys, and the types
of the RADIUS servers.
In an actual network environment, you can configure the above parameters as required. But you should
configure at least one authentication/authorization server and one accounting server, and you should
keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers.
Actually, the RADIUS service configuration only defines the parameters for information exchange
between switch and RADIUS server. To make these parameters take effect, you must reference the
RADIUS scheme configured with these parameters in an ISP domain view (refer to AAA Configuration).
Creating a RADIUS Scheme
The RADIUS protocol configuration is performed on a RADIUS scheme basis. You should first create a
RADIUS scheme and enter its view before performing other RADIUS protocol configurations.
Follow these steps to create a RADIUS scheme:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Enable RADIUS authentication port
  Use the command: radius client enable
  Remarks: Optional. By default, RADIUS authentication port is enabled.
To do: Create a RADIUS scheme and enter its view
  Use the command: radius scheme radius-scheme-name
  Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
A RADIUS scheme can be referenced by multiple ISP domains simultaneously.
Configuring RADIUS Authentication/Authorization Servers
Follow these steps to configure RADIUS authentication/authorization servers:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a RADIUS scheme and enter its view
  Use the command: radius scheme radius-scheme-name
  Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Set the IP address and port number of the primary RADIUS authentication/authorization server
  Use the command: primary authentication ip-address [ port-number ]
  Remarks: Required. By default, the IP address and UDP port number of the primary server are 0.0.0.0 and 1812 respectively for a newly created RADIUS scheme.
To do: Set the IP address and port number of the secondary RADIUS authentication/authorization server
  Use the command: secondary authentication ip-address [ port-number ]
  Remarks: Optional. By default, the IP address and UDP port number of the secondary server are 0.0.0.0 and 1812 respectively for a newly created RADIUS scheme.
• The authentication response sent from the RADIUS server to the RADIUS client carries
authorization information. Therefore, you need not (and cannot) specify a separate RADIUS
authorization server.
• In an actual network environment, you can specify one server as both the primary and secondary
authentication/authorization servers, as well as specifying two RADIUS servers as the primary and
secondary authentication/authorization servers respectively.
• The IP address and port number of the primary authentication server used by the default RADIUS
scheme "system" are 127.0.0.1 and 1645.
Configuring Ignorance of Assigned RADIUS Authorization Attributes
A RADIUS server can be configured to assign multiple authorization attributes, such as authorization
VLAN and idle timeout. Some users may need the attributes while others may not. Such a conflict
occurs if the RADIUS server does not support user-based attribute assignment or performs uniform
user management.
The RADIUS authorization attribute ignoring function solves this issue. It is configured per
RADIUS scheme. Users using a RADIUS scheme with this function enabled can ignore certain
unexpected attributes.
As shown in Figure 2-1, NAS 1 and NAS 2 are connected to the same RADIUS server for authentication.
For easy management, the RADIUS server issues the same authorization attributes to all the users.
However, users attached to NAS 1 need these attributes while users attached to NAS 2 do not want to
use the assigned Attribute 28, idle-timeout. You can configure the attribute ignoring function on NAS 2
to ignore Attribute 28.
Figure 2-1 Network diagram for the RADIUS authorization attribute ignoring function (Host 1 and Host 2 attached to the switches NAS 1 and NAS 2, which reach the RADIUS server across the IP network)
Follow these steps to configure the RADIUS authorization attribute ignoring function:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a RADIUS scheme and enter its view
  Use the command: radius scheme radius-scheme-name
  Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Configure the RADIUS authorization attribute ignoring function
  Use the command: attribute-ignore { standard | vendor vendor-id } type type-value
  Remarks: Required. Disabled by default.
In a RADIUS scheme, you can configure:
• One standard attribute ignoring command
• One proprietary attribute ignoring command per vendor
• Up to three attribute ignoring commands in total
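What the attribute-ignore command acts on is the attribute list of the server's response, including vendor-specific attributes laid out as in Figure 1-4 (Type 26, Length, Vendor-ID, then the vendor-specified Type, Length and value). The following added example (not H3C's code) parses such an attribute list and applies ignore rules under the three limits just listed: one standard rule, one rule per vendor, and at most three rules in a scheme. The sample Access-Accept attributes and the vendor ID 9999 are constructed; the class and function names are assumptions.

```python
import struct
from typing import List, NamedTuple, Optional

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries vendor-specific sub-attributes
IDLE_TIMEOUT = 28      # the standard attribute ignored in the page's NAS 2 example


class Attribute(NamedTuple):
    type: int                  # RADIUS attribute type (26 for every vendor sub-attribute)
    vendor_id: Optional[int]   # None for standard attributes
    vendor_type: Optional[int]
    value: bytes


def parse_attributes(data: bytes) -> List[Attribute]:
    """Walk Type/Length/Value triples and expand each Vendor-Specific attribute
    into its vendor sub-attributes (Vendor-ID, then Type/Length/value as in Figure 1-4)."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if len(value) - j < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append(Attribute(atype, vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            out.append(Attribute(atype, None, None, value))
        i += alen
    return out


class IgnorePolicy:
    """Per-scheme rules: attribute-ignore { standard | vendor vendor-id } type type-value."""
    MAX_RULES = 3

    def __init__(self):
        self.rules = []   # (vendor_id or None for standard, type_value)

    def add(self, type_value: int, vendor_id: Optional[int] = None) -> None:
        if len(self.rules) >= self.MAX_RULES:
            raise ValueError("at most three attribute-ignore commands per scheme")
        if any(v == vendor_id for v, _ in self.rules):
            raise ValueError("only one standard rule and one rule per vendor")
        self.rules.append((vendor_id, type_value))

    def ignored(self, a: Attribute) -> bool:
        key = a.vendor_type if a.vendor_id is not None else a.type
        return (a.vendor_id, key) in self.rules

    def apply(self, attrs: List[Attribute]) -> List[Attribute]:
        return [a for a in attrs if not self.ignored(a)]


def standard(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def vendor(vendor_id: int, vtype: int, value: bytes) -> bytes:
    sub = bytes([vtype, 2 + len(value)]) + value
    return standard(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


# constructed Access-Accept attribute area: Session-Timeout (27) = 3600,
# Idle-Timeout (28) = 600, and one sub-attribute of a made-up vendor 9999
SAMPLE_ACCEPT = (standard(27, struct.pack("!I", 3600))
                 + standard(IDLE_TIMEOUT, struct.pack("!I", 600))
                 + vendor(9999, 1, b"guest-vlan"))
```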
Configuring RADIUS Accounting Servers
Follow these steps to configure RADIUS accounting servers:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a RADIUS scheme and enter its view
  Use the command: radius scheme radius-scheme-name
  Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Set the IP address and port number of the primary RADIUS accounting server
  Use the command: primary accounting ip-address [ port-number ]
  Remarks: Required. By default, the IP address and UDP port number of the primary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme.
To do: Set the IP address and port number of the secondary RADIUS accounting server
  Use the command: secondary accounting ip-address [ port-number ]
  Remarks: Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme.
To do: Enable stop-accounting request buffering
  Use the command: stop-accounting-buffer enable
  Remarks: Optional. By default, stop-accounting request buffering is enabled.
To do: Set the maximum number of transmission attempts of a buffered stop-accounting request
  Use the command: retry stop-accounting retry-times
  Remarks: Optional. By default, the system tries at most 500 times to transmit a buffered stop-accounting request.
To do: Set the maximum allowed number of continuous real-time accounting failures
  Use the command: retry realtime-accounting retry-times
  Remarks: Optional. By default, the maximum allowed number of continuous real-time accounting failures is five. If five continuous failures occur, the switch cuts down the user connection.
• In an actual network environment, you can specify one server as both the primary and secondary
accounting servers, as well as specifying two RADIUS servers as the primary and secondary
accounting servers respectively. In addition, because RADIUS adopts different UDP ports to
exchange authentication/authorization messages and accounting messages, you must set a port
number for accounting different from that set for authentication/authorization.
• With stop-accounting request buffering enabled, the switch first buffers the stop-accounting
request that gets no response from the RADIUS accounting server, and then retransmits the
request to the RADIUS accounting server until it gets a response, or the maximum number of
transmission attempts is reached (in this case, it discards the request).
• You can set the maximum allowed number of continuous real-time accounting failures. If the
number of continuously failed real-time accounting requests to the RADIUS server reaches the set
maximum number, the switch cuts down the user connection.
• The IP address and port number of the primary accounting server of the default RADIUS scheme
"system" are 127.0.0.1 and 1646 respectively.
• Currently, RADIUS does not support the accounting of FTP users.
Configuring Shared Keys for RADIUS Messages
Both the RADIUS client and the RADIUS server use the MD5 algorithm to encrypt RADIUS messages
before they are exchanged between the two parties. The two parties verify the validity of the RADIUS
messages received from each other by using the shared keys that have been set on them, and can
accept and respond to the messages only when both parties have the same shared key.
Follow these steps to configure shared keys for RADIUS messages:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a RADIUS scheme and enter its view
  Use the command: radius scheme radius-scheme-name
  Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Set a shared key for RADIUS authentication/authorization messages
  Use the command: key authentication string
  Remarks: Required. By default, no shared key is created.
To do: Set a shared key for RADIUS accounting messages
  Use the command: key accounting string
  Remarks: Required. By default, no shared key is created.
The authentication/authorization shared key and the accounting shared key you set on the switch must
be respectively consistent with the shared key on the authentication/authorization server and the
shared key on the accounting server.
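The two places where the shared key enters a RADIUS exchange, and why a key mismatch makes the client reject a server's reply: the key hides the User-Password attribute in the request and is mixed into the MD5 Response Authenticator of the reply. The following is an added example that implements both mechanisms as specified in RFC 2865 (sections 3 and 5.2); it is not H3C's code, and the sample secret, request authenticator and attributes are constructed. A reply built with a different key fails `verify_response`, which is exactly the consistency requirement stated above.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 20   # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = bytearray(), request_authenticator
    for i in range(0, size, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the server."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = HEADER_LEN + len(attributes)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_authenticator + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: a reply whose authenticator binds it to the request and the key."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if it was computed with the same shared key."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])   # constant-time compare


def new_request_authenticator() -> bytes:
    """A fresh 16-byte Request Authenticator for each Access-Request."""
    return os.urandom(16)


# constructed sample values used below and in the checks
SAMPLE_SECRET = b"constructed-shared-key"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_ATTRIBUTES = bytes([27, 6, 0, 0, 0x0e, 0x10])   # Session-Timeout (27) = 3600
```

The password hiding is reversible by anyone holding the key, which is why the page calls the key the thing that makes messages acceptable; it provides integrity and origin checking between client and server, not confidentiality against a party that knows the key.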
Configuring the Maximum Number of RADIUS Request Transmission Attempts
The communication in RADIUS is unreliable because this protocol uses UDP packets to carry its data.
Therefore, it is necessary for the switch to retransmit a RADIUS request if it gets no response from the
RADIUS server after the response timeout timer expires. If the switch gets no answer after it has tried
the maximum number of times to transmit the request, the switch considers that the request fails.
Follow these steps to configure the maximum transmission attempts of a RADIUS request:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a RADIUS scheme and enter its view
  Use the command: radius scheme radius-scheme-name
  Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Set the maximum number of RADIUS request transmission attempts
  Use the command: retry retry-times
  Remarks: Optional. By default, the system can try three times to transmit a RADIUS request.
Configuring the Type of RADIUS Servers to be Supported
Follow these steps to configure the type of RADIUS servers to be supported:
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a RADIUS scheme and enter its view
  Use the command: radius scheme radius-scheme-name
  Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Configure the type of RADIUS servers to be supported
  Use the command: server-type { extended | standard }
  Remarks: Optional
• If you change the RADIUS server type, the units of data flows sent to RADIUS servers will be
restored to the defaults.
• When a third-party RADIUS server is used, you can select standard or extended as the
server-type in a RADIUS scheme; when the CAMS server is used, you can select extended as the
server-type in a RADIUS scheme.
Configuring the Status of RADIUS Servers
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in
a RADIUS scheme:
When the switch fails to communicate with the primary server due to some server trouble, the switch will
turn to the secondary server and exchange messages with the secondary server.
After the primary server remains in the block state for a set time (set by the timer quiet command), the
switch will try to communicate with the primary server again when it receives a RADIUS request. If it
finds that the primary server has recovered, the switch immediately restores the communication with
the primary server instead of communicating with the secondary server, and at the same time restores
the status of the primary server to active while keeping the status of the secondary server unchanged.
When both the primary and secondary servers are in active or block state, the switch sends messages
only to the primary server.
Follow these steps to set the status of RADIUS servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the status of the primary RADIUS authentication/authorization server | state primary authentication { block | active } | Optional. By default, the RADIUS servers specified with IP addresses in the RADIUS scheme are all in the active state.
Set the status of the primary RADIUS accounting server | state primary accounting { block | active } | Optional
Set the status of the secondary RADIUS authentication/authorization server | state secondary authentication { block | active } | Optional
Set the status of the secondary RADIUS accounting server | state secondary accounting { block | active } | Optional
Configuring the Attributes of Data to be Sent to RADIUS Servers
Follow these steps to configure the attributes of data to be sent to RADIUS servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the format of the usernames to be sent to RADIUS server | user-name-format { with-domain | without-domain } | Optional. By default, the usernames sent from the switch to RADIUS server carry ISP domain names.
Set the units of data flows to RADIUS servers | data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet } | Optional. By default, in a RADIUS scheme, the data unit and packet unit for outgoing RADIUS flows are byte and one-packet respectively.
Set the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets | calling-station-id mode { mode1 | mode2 } { lowercase | uppercase } | Optional. By default, the MAC address format is XXXX-XXXX-XXXX, in lowercase.
Set the source IP address of outgoing RADIUS messages | nas-ip ip-address (in RADIUS scheme view) or radius nas-ip ip-address (in system view) | Optional. By default, no source IP address is set, and the IP address of the corresponding outbound interface is used as the source IP address.
• Generally, access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the "@" or "." character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept usernames that carry ISP domain names. In this case, the domain names must be removed from the usernames before they are sent to the RADIUS server. For this reason, the user-name-format command lets you specify whether or not ISP domain names are carried in the usernames sent to the RADIUS server.
• For a RADIUS scheme, if you have specified that ISP domain names are removed from usernames, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, the RADIUS server may regard two different users that have the same name but belong to different ISP domains as the same user (because the usernames sent to it are identical).
• In the default RADIUS scheme "system", ISP domain names are removed from usernames by default.
• The purpose of setting the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets is to improve the switch's compatibility with different RADIUS servers. This setting is necessary when the Calling-Station-Id format recognized by the RADIUS server differs from the default MAC address format on the switch. For details about the field formats recognized by RADIUS servers, refer to the corresponding RADIUS server manual.
Configuring the Local RADIUS Server
In addition to RADIUS client service, where separate authentication/authorization and accounting servers
are used for user authentication, the switch can also act as a local RADIUS server that provides
authentication and authorization (the local RADIUS server function).
Follow these steps to configure the local RADIUS server function:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable UDP ports for local RADIUS services | local-server enable | Optional. By default, the UDP ports for local RADIUS services are enabled.
Configure the parameters of the local RADIUS server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS server is configured with a NAS IP address of 127.0.0.1.
• If you adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch.
• The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
• The switch supports IP addresses and shared keys for up to 16 network access servers (NAS). That is, when acting as the local RADIUS server, the switch can provide authentication service to up to 16 network access servers (including the switch itself) at the same time.
• When acting as the local RADIUS server, the switch does not support EAP authentication (that is, you cannot set the 802.1x authentication method to eap by using the dot1x authentication-method eap command).
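The username formatting, the Calling-Station-Id formatting and the shared-key requirement described above, as an added Python example (not H3C's code). It assumes that the local RADIUS server behaves as a standard RFC 2865 server, so the Response Authenticator of its reply is MD5 over the reply header, the Request Authenticator, the attributes and the shared key, and a reply is only accepted when both ends hold the same key (aabbcc is the key used in the configuration examples later on this page); the rule that the first "@" or "." separates userid from isp-name is also an assumption.

```python
# Added example (not H3C code): RADIUS User-Name / Calling-Station-Id formatting
# and the Response Authenticator check that ties the client and the (local)
# RADIUS server to one shared key.  Authenticator rules assumed from RFC 2865.
import hashlib
import hmac
import os
import struct

USER_NAME = 1            # RADIUS attribute type 1
CALLING_STATION_ID = 31  # RADIUS attribute type 31
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def format_user_name(username, with_domain=True):
    """Apply user-name-format { with-domain | without-domain }.

    Assumption: the first '@' or '.' separates userid from isp-name.  Stripping
    the domain makes alice@corp and alice@guest both arrive as 'alice', which is
    the collision the text warns about when one scheme serves several domains.
    """
    for sep in ("@", "."):
        if sep in username:
            userid, _, _domain = username.partition(sep)
            return username if with_domain else userid
    return username  # no domain part at all


def format_calling_station_id(mac, uppercase=False):
    """Default switch format: XXXX-XXXX-XXXX (three 4-hex-digit groups), lowercase."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    h = mac.hex()
    text = "-".join(h[i:i + 4] for i in range(0, 12, 4))
    return text.upper() if uppercase else text


def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length covers the 2-byte header)."""
    if isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(identifier, username, mac, with_domain=True):
    """Client side: the Request Authenticator is 16 fresh random octets."""
    attrs = attribute(USER_NAME, format_user_name(username, with_domain))
    attrs += attribute(CALLING_STATION_ID, format_calling_station_id(mac))
    return build_packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs)


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_reply(code, request, secret, attributes=b""):
    """Server side (for example the switch's own local RADIUS server on UDP 1645)."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_reply(reply, request, secret):
    """Client side: accept the reply only if its authenticator was computed with our
    key against our request (a mismatched key or a tampered reply fails this check)."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)
```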
Configuring Timers for RADIUS Servers
After sending out a RADIUS request (authentication/authorization request or accounting request) to a
RADIUS server, the switch waits for a response from the server. The maximum time that the switch can
wait for the response is called the response timeout time of RADIUS servers, and the corresponding
timer in the switch system is called the response timeout timer of RADIUS servers. If the switch gets no
answer within the response timeout time, it needs to retransmit the request to ensure that the user can
obtain RADIUS service.
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in
a RADIUS scheme:
When the switch fails to communicate with the primary server due to some server trouble, the switch will
turn to the secondary server and exchange messages with the secondary server.
After the primary server remains in the block state for a specific time (set by the timer quiet command),
the switch will try to communicate with the primary server again when it has a RADIUS request. If it finds
that the primary server has recovered, the switch immediately restores the communication with the
primary server instead of communicating with the secondary server, and at the same time restores the
status of the primary server to active while keeping the status of the secondary server unchanged.
To control the interval at which users are charged in real time, you can set the real-time accounting
interval. After the setting, the switch periodically sends online users' accounting information to RADIUS
server at the set interval.
Follow these steps to set timers for RADIUS servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the response timeout time of RADIUS servers | timer response-timeout seconds | Optional. By default, the response timeout time of RADIUS servers is three seconds.
Set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active | timer quiet minutes | Optional. By default, the switch waits five minutes before it restores the status of the primary server to active.
Set the real-time accounting interval | timer realtime-accounting minutes | Optional. By default, the real-time accounting interval is 12 minutes.
Enabling Sending Trap Message when a RADIUS Server Goes Down
Follow these steps to specify that a trap message is sent when a RADIUS server goes down:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the sending of trap message when a RADIUS server is down | radius trap { authentication-server-down | accounting-server-down } | Optional. By default, the switch does not send trap message when a RADIUS server is down.
• This configuration takes effect on all RADIUS schemes.
• The switch considers a RADIUS server as being down if it has tried the configured maximum number of times to send a message to the RADIUS server but has received no response.
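The server-status, timer and server-down rules described in "Configuring the Status of RADIUS Servers", "Configuring Timers for RADIUS Servers" and the trap section above, as an added Python model (not H3C's code). It assumes that a server which does not answer retry attempts, each waited for response-timeout seconds, is set to block (the moment at which the server-down trap would be sent), and that only the primary server is re-probed after the quiet timer, since that is what the text describes; the reachability flags are constructed stand-ins for the real network.

```python
# Added example (not H3C code): a model of the primary/secondary server selection,
# the retry/response-timeout failure rule and the quiet timer of a RADIUS scheme.
# Assumptions: an unanswered request (retry attempts, each waited for
# response-timeout seconds) sets the server to block, which is also when the
# radius trap ...-server-down trap would be sent; only the primary is re-probed
# after the quiet timer, as the text describes.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Server:
    name: str
    state: str = "active"          # state { active | block }
    blocked_at: Optional[float] = None


@dataclass
class RadiusScheme:
    response_timeout: int = 3      # timer response-timeout (default 3 seconds)
    retry: int = 3                 # retry retry-times (default 3 attempts)
    quiet: int = 5                 # timer quiet (default 5 minutes)
    primary: Server = field(default_factory=lambda: Server("primary"))
    secondary: Server = field(default_factory=lambda: Server("secondary"))
    events: List[str] = field(default_factory=list)

    def _exchange(self, server, reachable, now):
        """Send one request with retransmissions; return True if the server answered."""
        if reachable:
            return True
        # retry attempts, each waiting response-timeout seconds, all unanswered
        waited = self.retry * self.response_timeout
        server.state, server.blocked_at = "block", now
        self.events.append(f"t={now}: {server.name} down after {self.retry} attempts "
                           f"({waited} s); trap would be sent")
        return False

    def send_request(self, now, primary_up, secondary_up):
        """Return the name of the server that answered, or None if nobody did.

        now is in seconds; primary_up/secondary_up say whether each server is
        currently reachable (constructed input standing in for the network).
        """
        p, s = self.primary, self.secondary
        # Quiet timer expired: try the primary again on this request.
        if p.state == "block" and now - p.blocked_at >= self.quiet * 60:
            if primary_up:
                p.state, p.blocked_at = "active", None
                self.events.append(f"t={now}: primary recovered, restored to active")
                return p.name
            p.blocked_at = now  # still unreachable: stay blocked, restart quiet period
        if p.state == s.state:
            # both active or both blocked: messages go only to the primary
            target, up = p, primary_up
        elif p.state == "block":
            target, up = s, secondary_up
        else:
            target, up = p, primary_up
        if self._exchange(target, up, now):
            return target.name
        # the primary just failed while the secondary is active: fail over now
        if target is p and s.state == "active" and self._exchange(s, secondary_up, now):
            return s.name
        return None


def demo():
    """Constructed scenario: the primary goes away and comes back; the quiet timer
    decides when the switch returns to it.  Returns the server used per request."""
    scheme = RadiusScheme()
    return [
        scheme.send_request(0, primary_up=True, secondary_up=True),    # primary
        scheme.send_request(10, primary_up=False, secondary_up=True),  # failover
        scheme.send_request(60, primary_up=True, secondary_up=True),   # quiet timer running
        scheme.send_request(310, primary_up=True, secondary_up=True),  # primary restored
    ]
```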
Enabling the User Re-Authentication at Restart Function
The user re-authentication at restart function applies only to the environment where the RADIUS
authentication/authorization and accounting server is CAMS.
In an environment where a CAMS server is used to implement AAA functions, if the switch reboots after an
exclusive user (a user whose concurrent online number is set to 1 on the CAMS) has been authenticated and
authorized and has started being charged, the switch will prompt that the user is already online when the
user logs into the network again before the CAMS performs online user detection, and the user cannot get
authenticated. In this case, the user can access the network again only when the CAMS administrator
manually removes the user's online information.
The user re-authentication at restart function is designed to resolve this problem. After this function is
enabled, every time the switch restarts:
1) The switch generates an Accounting-On message, which mainly contains the following information: NAS-ID, NAS-IP-address (source IP address), and session ID.
2) The switch sends the Accounting-On message to the CAMS at regular intervals.
3) Once the CAMS receives the Accounting-On message, it sends a response to the switch. At the same time it finds and deletes the original online information of the users who were accessing the network through the switch before the restart, according to the information (NAS-ID, NAS-IP-address and session ID) contained in the message, and ends the accounting for the users depending on the last accounting update message.
4) Once the switch receives the response from the CAMS, it stops sending Accounting-On messages.
5) If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting-On message, it will not send the Accounting-On message any more.
The switch can automatically generate the main attributes (NAS-ID, NAS-IP-address and session ID)
contained in Accounting-On messages. However, you can also manually configure the NAS-IP-address
with the nas-ip command. If you choose to manually configure the attribute, be sure to configure an
appropriate valid IP address. If this attribute is not configured, the switch will automatically choose the
IP address of a VLAN interface as the NAS-IP-address.
Follow these steps to enable the user re-authentication at restart function:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter RADIUS scheme view | radius scheme radius-scheme-name | —
Enable the user re-authentication at restart function | accounting-on enable [ send times | interval interval ] | By default, this function is disabled. If you use this command without any parameter, the system will try at most 15 times to send an Accounting-On message at the interval of three seconds.
HWTACACS Configuration Task List
Complete the following tasks to configure HWTACACS:
Task | Remarks
Configuring the TACACS client: Creating a HWTACACS Scheme | Required
Configuring the TACACS client: Configuring TACACS Authentication Servers | Required
Configuring the TACACS client: Configuring TACACS Authorization Servers | Required
Configuring the TACACS client: Configuring TACACS Accounting Servers | Optional
Configuring the TACACS client: Configuring Shared Keys for HWTACACS Messages | Optional
Configuring the TACACS client: Configuring the Attributes of Data to be Sent to TACACS Servers | Optional
Configuring the TACACS client: Configuring the Timers Regarding TACACS Servers | Optional
Configuring the TACACS server: refer to the configuration of TACACS servers. | —
Creating a HWTACACS Scheme
The HWTACACS protocol configuration is performed on a scheme basis. Therefore, you must create a
HWTACACS scheme and enter HWTACACS view before performing other configuration tasks.
Follow these steps to create a HWTACACS scheme:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists.
The system supports up to 16 HWTACACS schemes. You can delete a HWTACACS scheme only
when it is not referenced.
Configuring TACACS Authentication Servers
Follow these steps to configure TACACS authentication servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists.
Set the IP address and port number of the primary TACACS authentication server | primary authentication ip-address [ port ] | Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0.
Set the IP address and port number of the secondary TACACS authentication server | secondary authentication ip-address [ port ] | Optional. By default, the IP address of the secondary authentication server is 0.0.0.0, and the port number is 0.
• You are not allowed to configure the same IP address for both primary and secondary authentication servers. If you do this, the system will prompt that the configuration fails.
• You can remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server.
Configuring TACACS Authorization Servers
Follow these steps to configure TACACS authorization servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists.
Set the IP address and port number of the primary TACACS authorization server | primary authorization ip-address [ port ] | Required. By default, the IP address of the primary authorization server is 0.0.0.0, and the port number is 0.
Set the IP address and port number of the secondary TACACS authorization server | secondary authorization ip-address [ port ] | Optional. By default, the IP address of the secondary authorization server is 0.0.0.0, and the port number is 0.
• You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails.
• You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
Configuring TACACS Accounting Servers
Follow these steps to configure TACACS accounting servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists.
Set the IP address and port number of the primary TACACS accounting server | primary accounting ip-address [ port ] | Required. By default, the IP address of the primary accounting server is 0.0.0.0, and the port number is 0.
Set the IP address and port number of the secondary TACACS accounting server | secondary accounting ip-address [ port ] | Required. By default, the IP address of the secondary accounting server is 0.0.0.0, and the port number is 0.
Enable the stop-accounting message retransmission function and set the maximum number of transmission attempts of a buffered stop-accounting message | retry stop-accounting retry-times | Optional. By default, the stop-accounting message retransmission function is enabled and the system can transmit a buffered stop-accounting request 100 times.
• You are not allowed to configure the same IP address for both primary and secondary accounting servers. If you do this, the system will prompt that the configuration fails.
• You can remove a server only when it is not used by any active TCP connection for sending accounting messages.
Configuring Shared Keys for HWTACACS Messages
When using a TACACS server as an AAA server, you can set a key to improve the communication
security between the switch and the TACACS server.
The TACACS client and server use the MD5 algorithm to encrypt HWTACACS messages before exchanging
them. Each party verifies the validity of the HWTACACS messages it receives by using the shared key set
on it, and the two parties can accept and respond to each other's messages only when they have the
same shared key.
Follow these steps to configure shared keys for HWTACACS messages:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists.
Set a shared key for HWTACACS authentication, authorization or accounting messages | key { accounting | authorization | authentication } string | Required. By default, no such key is set.
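The MD5-based message protection that the shared key drives, as an added Python example (not H3C's code). It assumes that HWTACACS uses the body obfuscation of standard TACACS+ (RFC 8907): both sides derive the same MD5 keystream from the session id, the shared key, the version and the sequence number and XOR it over the packet body, so a peer holding a different key decodes garbage and rejects the message because its length fields no longer add up. The session id, user and port values are constructed sample input.

```python
# Added example (not H3C code): the MD5-based body obfuscation of TACACS+
# (RFC 8907), which HWTACACS is assumed to use with the configured shared key.
import hashlib
import struct

VERSION = 0xc0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01    # packet type: authentication
HEADER_FMT = "!BBBBII"    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; the same call undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    """Header in the clear, body obfuscated with the shared key."""
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def open_packet(packet, key):
    """Return (header fields, decoded body). The header is never obfuscated."""
    if len(packet) < 12:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    if len(packet) != 12 + length:
        raise ValueError("length field does not match packet")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    return (version, ptype, seq_no, flags, session_id), body


def authen_start_body(user, port, rem_addr, action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body: 8 fixed octets, then user, port, rem_addr, data."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def parse_authen_start(body):
    """Decode a START body; return None when the declared lengths or codes do not
    fit, which is the usual symptom of a shared-key mismatch between the peers."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    if action not in (1, 2, 3) or not 1 <= authen_type <= 6:
        return None
    off = 8
    user = body[off:off + ulen]
    off += ulen
    port = body[off:off + plen]
    off += plen
    rem_addr = body[off:off + rlen]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(errors="replace"),
            "port": port.decode(errors="replace"), "rem_addr": rem_addr.decode(errors="replace")}
```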
Configuring the Attributes of Data to be Sent to TACACS Servers
Follow these steps to configure the attributes for data to be sent to TACACS servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists.
Set the format of the usernames to be sent to TACACS server | user-name-format { with-domain | without-domain } | Optional. By default, the usernames sent from the switch to TACACS server carry ISP domain names.
Set the units of data flows to TACACS servers | data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } and data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet } | Optional. By default, in a TACACS scheme, the data unit and packet unit for outgoing HWTACACS flows are byte and one-packet respectively.
Set the source IP address of outgoing HWTACACS messages | nas-ip ip-address (in HWTACACS scheme view) or hwtacacs nas-ip ip-address (in system view) | Optional. By default, no source IP address is set; the IP address of the corresponding outbound interface is used as the source IP address.
Generally, access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name
after the "@" or "." character represents the ISP domain name. If the TACACS server does not accept
usernames that carry ISP domain names, the domain names must be removed from the usernames before
they are sent to the TACACS server.
Configuring the Timers Regarding TACACS Servers
Follow these steps to configure the timers regarding TACACS servers:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no HWTACACS scheme exists.
Set the response timeout time of TACACS servers | timer response-timeout seconds | Optional. By default, the response timeout time is five seconds.
Set the time that the switch must wait before it can restore the status of the primary server to active | timer quiet minutes | Optional. By default, the switch must wait five minutes before it can restore the status of the primary server to active.
Set the real-time accounting interval | timer realtime-accounting minutes | Optional. By default, the real-time accounting interval is 12 minutes.
• To control the interval at which users are charged in real time, you can set the real-time accounting interval. After the setting, the switch periodically sends online users' accounting information to the TACACS server at the set interval.
• The real-time accounting interval must be a multiple of 3.
• The setting of the real-time accounting interval depends somewhat on the performance of the TACACS client and server devices: a shorter interval requires higher device performance.
Displaying and Maintaining AAA Configuration
Displaying and Maintaining AAA Configuration
To do… | Use the command… | Remarks
Display configuration information about one specific or all ISP domains | display domain [ isp-name ] | Available in any view
Display information about user connections | display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ] | Available in any view
Display information about local users | display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name ] | Available in any view
Displaying and Maintaining RADIUS Protocol Configuration
To do… | Use the command… | Remarks
Display RADIUS message statistics about local RADIUS server | display local-server statistics | Available in any view
Display configuration information about one specific or all RADIUS schemes | display radius scheme [ radius-scheme-name ] | Available in any view
Display RADIUS message statistics | display radius statistics | Available in any view
Display buffered non-response stop-accounting requests | display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } | Available in any view
Delete buffered non-response stop-accounting requests | reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } | Available in user view
Clear RADIUS message statistics | reset radius statistics | Available in user view
Displaying and Maintaining HWTACACS Protocol Configuration
To do… | Use the command… | Remarks
Display the configuration or statistic information about one specific or all HWTACACS schemes | display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] | Available in any view
Display buffered non-response stop-accounting requests | display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name | Available in any view
Clear HWTACACS message statistics | reset hwtacacs statistics { accounting | authentication | authorization | all } | Available in user view
Delete buffered non-response stop-accounting requests | reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name | Available in user view
AAA Configuration Examples
Remote RADIUS Authentication of Telnet/SSH Users
The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that
for Telnet users. The following text only takes Telnet users as example to describe the configuration
procedure for remote authentication.
Network requirements
In the network environment shown in Figure 2-2, you are required to configure the switch so that the
Telnet users logging into the switch are authenticated by the RADIUS server.
• A RADIUS authentication server with IP address 10.110.91.164 is connected to the switch.
• On the switch, set the shared key it uses to exchange messages with the RADIUS authentication server to aabbcc.
• A CAMS server is used as the RADIUS server. You can select extended as the server-type in a RADIUS scheme.
• On the RADIUS server, set the shared key it uses to exchange messages with the switch to aabbcc, set the authentication port number, and add Telnet usernames and login passwords.
The Telnet usernames added to the RADIUS server must be in the format of userid@cams if you have
configured the switch to include domain names in the usernames to be sent to the RADIUS server in the
RADIUS scheme.
Network diagram
Figure 2-2 Remote RADIUS authentication of Telnet users (RADIUS server 10.110.91.164/16; Internet; Telnet user)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Adopt AAA authentication for Telnet users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] quit
# Configure an ISP domain.
[Sysname] domain cams
[Sysname-isp-cams] access-limit enable 10
[Sysname-isp-cams] quit
# Configure a RADIUS scheme.
[Sysname] radius scheme cams
[Sysname-radius-cams] accounting optional
[Sysname-radius-cams] primary authentication 10.110.91.164 1812
[Sysname-radius-cams] key authentication aabbcc
[Sysname-radius-cams] server-type extended
[Sysname-radius-cams] user-name-format with-domain
[Sysname-radius-cams] quit
# Associate the ISP domain with the RADIUS scheme.
[Sysname] domain cams
[Sysname-isp-cams] scheme radius-scheme cams
A Telnet user logging into the switch by a name in the format of userid@cams belongs to the cams
domain and will be authenticated according to the configuration of the cams domain.
Local Authentication of FTP/Telnet Users
The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The
following text only takes Telnet users as example to describe the configuration procedure for local
authentication.
Network requirements
In the network environment shown in Figure 2-3, you are required to configure the switch so that the
Telnet users logging into the switch are authenticated locally.
Network diagram
Figure 2-3 Local authentication of Telnet users
Configuration procedure
Method 1: Using local authentication scheme.
# Enter system view.
<Sysname> system-view
# Adopt AAA authentication for Telnet users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] quit
# Create and configure a local user named telnet.
[Sysname] local-user telnet
[Sysname-luser-telnet] service-type telnet
[Sysname-luser-telnet] password simple aabbcc
[Sysname-luser-telnet] quit
# Configure an authentication scheme for the default “system” domain.
[Sysname] domain system
[Sysname-isp-system] scheme local
A Telnet user logging into the switch with the name telnet@system belongs to the "system" domain and
will be authenticated according to the configuration of the "system" domain.
Method 2: using local RADIUS server
This method is similar to the remote authentication method described in Remote RADIUS
Authentication of Telnet/SSH Users. However, you need to:
• Change the server IP address and the UDP port number of the authentication server to 127.0.0.1 and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users.
• Enable the local RADIUS server function, and set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively.
• Configure local users.
HWTACACS Authentication and Authorization of Telnet Users
Network requirements
You are required to configure the switch so that the Telnet users logging into the switch are
authenticated and authorized by the TACACS server.
A TACACS server with IP address 10.110.91.164 is connected to the switch. This server will be used as
the authentication and authorization server. On the switch, set both authentication and authorization
shared keys that are used to exchange messages with the TACACS server to aabbcc. Configure the
switch to strip domain names off usernames before sending usernames to the TACACS server.
Configure the shared key to aabbcc on the TACACS server for exchanging messages with the switch.
Network diagram
Figure 2-4 Remote HWTACACS authentication and authorization of Telnet users (authentication server 10.110.91.164/16; Internet; Telnet user)
Configuration procedure
# Add a Telnet user.
(Omitted here)
# Configure a HWTACACS scheme.
<Sysname> system-view
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[Sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[Sysname-hwtacacs-hwtac] key authentication aabbcc
[Sysname-hwtacacs-hwtac] key authorization aabbcc
[Sysname-hwtacacs-hwtac] user-name-format without-domain
[Sysname-hwtacacs-hwtac] quit
# Associate the ISP domain hwtacacs with the HWTACACS scheme hwtac.
[Sysname] domain hwtacacs
[Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac
Troubleshooting AAA
Troubleshooting RADIUS Configuration
The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol
prescribes how the switch and the RADIUS server of the ISP exchange user information with each
other.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
• The username is not in the userid@isp-name or userid.isp-name format, or the default ISP domain is not correctly specified on the switch — Use the correct username format, or set a default ISP domain on the switch.
• The user is not configured in the database of the RADIUS server — Check the database of the RADIUS server and make sure that the configuration information about the user exists.
• The user input an incorrect password — Be sure to input the correct password.
• The switch and the RADIUS server have different shared keys — Compare the shared keys at the two ends and make sure they are identical.
• The switch cannot communicate with the RADIUS server (you can determine this by pinging the RADIUS server from the switch) — Take measures to make the switch communicate with the RADIUS server normally.
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions:
• The communication links (physical/link layer) between the switch and the RADIUS server are disconnected/blocked — Take measures to make the links connected/unblocked.
• No RADIUS server IP address, or an incorrect one, is set on the switch — Be sure to set a correct RADIUS server IP address.
• One or all AAA UDP port settings are incorrect — Be sure to set the same UDP port numbers as those on the RADIUS server.
Symptom 3: The user passes the authentication and gets authorized, but the accounting information
cannot be transmitted to the RADIUS server.
Possible reasons and solutions:
• The accounting port number is not properly set — Be sure to set a correct port number for RADIUS accounting.
• The switch requires that the authentication/authorization server and the accounting server be the same device (with the same IP address), but in fact they are not resident on the same device — Be sure to configure the RADIUS servers on the switch according to the actual situation.
Troubleshooting HWTACACS Configuration
See the previous section if you encounter an HWTACACS fault.
3 EAD Configuration
Only the S5100-EI series switches support the EAD configuration.
Introduction to EAD
Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance
the active defense capability of network endpoints, prevent viruses and worms from spreading on the
network, and protect the entire network by limiting the access rights of insecure endpoints.
Through the cooperation of the switch, AAA server, security policy server and security client, EAD is able to
evaluate the security compliance of network endpoints and dynamically control their access rights.
With EAD, a switch:
• Verifies the validity of the session control packets it receives according to the source IP addresses of the packets: it regards only those packets sourced from the authentication or security policy server as valid.
• Dynamically adjusts the VLAN, rate, packet scheduling priority and Access Control List (ACL) for user terminals according to session control packets, thereby controlling the access rights of users dynamically.
Typical Network Application of EAD
EAD checks the security status of users before they can access the network, and forcibly implements
user access control policies according to the check results. In this way, it can isolate the users that are
not compliant with the security standard and force these users to update their virus databases and
install system patches. Figure 3-1 shows a typical network application of EAD.
Figure 3-1 Typical network application of EAD
After a client passes the authentication, the security client (software installed on the client PC) interacts
with the security policy server to check the security status of the client. If the client is not compliant with
the security standard, the security policy server issues an ACL to the switch, which then prevents the
client from accessing any part of the network except for the virus/patch server.
After the client is patched and compliant with the required security standard, the security policy server
reissues an ACL to the switch, which then assigns access rights to the client so that the client can
access more network resources.
EAD Configuration
The EAD configuration includes:
• Configuring the attributes of access users (such as username, user type, and password). For local
authentication, you need to configure these attributes on the switch; for remote authentication, you
need to configure these attributes on the AAA server.
• Configuring a RADIUS scheme.
• Configuring the IP address of the security policy server.
• Associating the ISP domain with the RADIUS scheme.
EAD is commonly used in a RADIUS authentication environment.
This section mainly describes the configuration of the security policy server IP address. For the other
related configuration, refer to AAA Overview.
Follow these steps to configure EAD:
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter RADIUS scheme view
Use the command: radius scheme radius-scheme-name
Remarks: —

To do: Configure the RADIUS server type to extended
Use the command: server-type extended
Remarks: Required

To do: Configure the IP address of a security policy server
Use the command: security-policy-server ip-address
Remarks: Required. Each RADIUS scheme supports up to eight IP addresses of security policy servers.
EAD Configuration Example
Network requirements
In Figure 3-2:
• A user is connected to GigabitEthernet 1/0/1 on the switch.
• The user uses an 802.1x client that supports the EAD extended function.
• You are required to configure the switch to use the RADIUS server for remote user authentication
and the security policy server for EAD control of users.
The following are the configuration tasks:
• Connect the RADIUS authentication server 10.110.91.164 and the switch, and configure the switch
to use port number 1812 to communicate with the server.
• Configure the authentication server type to extended.
• Configure the encryption password for exchanging messages between the switch and the RADIUS
server to expert.
• Configure the IP address 10.110.91.166 of the security policy server.
Network diagram
Figure 3-2 EAD configuration
Configuration procedure
# Configure 802.1x on the switch. Refer to “Configuring 802.1x” in 802.1x and System Guard
Configuration.
# Configure a domain.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] quit
# Configure a RADIUS scheme.
[Sysname] radius scheme cams
[Sysname-radius-cams] primary authentication 10.110.91.164 1812
[Sysname-radius-cams] accounting optional
[Sysname-radius-cams] key authentication expert
[Sysname-radius-cams] server-type extended
# Configure the IP address of the security policy server.
[Sysname-radius-cams] security-policy-server 10.110.91.166
# Associate the domain with the RADIUS scheme.
[Sysname-radius-cams] quit
[Sysname] domain system
[Sysname-isp-system] radius-scheme cams
Table of Contents
1 MAC Address Authentication Configuration (1-1)
  MAC Address Authentication Overview (1-1)
    Performing MAC Address Authentication on a RADIUS Server (1-1)
    Performing MAC Address Authentication Locally (1-1)
  Related Concepts (1-2)
    MAC Address Authentication Timers (1-2)
    Quiet MAC Address (1-2)
  Configuring Basic MAC Address Authentication Functions (1-2)
  MAC Address Authentication Enhanced Function Configuration (1-4)
    MAC Address Authentication Enhanced Function Configuration Task List (1-4)
    Configuring a Guest VLAN (1-4)
    Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port (1-6)
  Displaying and Maintaining MAC Address Authentication Configuration (1-7)
  MAC Address Authentication Configuration Examples (1-7)
1 MAC Address Authentication Configuration
When configuring MAC address authentication, go to these sections for information you are interested in:
• MAC Address Authentication Overview
• Related Concepts
• Configuring Basic MAC Address Authentication Functions
• MAC Address Authentication Enhanced Function Configuration
• Displaying and Maintaining MAC Address Authentication Configuration
• MAC Address Authentication Configuration Examples
MAC Address Authentication Overview
MAC address authentication provides a way of authenticating users based on ports and MAC
addresses, without requiring any client software to be installed on the hosts. Once the switch detects a
new MAC address, it initiates the authentication process. During authentication, the user does not need
to enter a username or password manually.
For S5100-SI/EI Series Ethernet switches, MAC address authentication can be implemented locally or
on a RADIUS server.
After determining the authentication method, users can select one of the following types of user name
as required:
• MAC address mode, where the MAC address of a user serves as the user name for authentication.
• Fixed mode, where user names and passwords are configured on the switch in advance. In this
case, the user name, the password, and the limit on the total number of user names are the
matching criteria for successful authentication. For details, refer to AAA in this manual for
information about local user attributes.
Performing MAC Address Authentication on a RADIUS Server
When authentication is performed on a RADIUS server, the switch serves as a RADIUS client and
completes MAC address authentication in combination with the RADIUS server.
• In MAC address mode, the switch sends the detected MAC addresses to the RADIUS server as
both the user names and the passwords, or sends the detected MAC addresses to the RADIUS
server as the user names and uses the configured fixed password as the password.
• In fixed mode, the switch sends the user name and password previously configured for the user to
the RADIUS server for authentication.
A user can access a network upon passing the authentication performed by the RADIUS server.
Performing MAC Address Authentication Locally
When authentication is performed locally, users are authenticated by the switch. In this case:
• In MAC address mode, the local user name to be configured is the MAC address of an access user,
while the password may be the MAC address of the user or the configured fixed password (which
one is used depends on your configuration). Hyphens must or must not be included depending on
the format configured with the mac-authentication authmode usernameasmacaddress
usernameformat command; otherwise, the authentication will fail.
• In fixed mode, all users' MAC addresses are automatically mapped to the configured local user
names and passwords.
• The service type of a local user needs to be configured as lan-access.
Related Concepts
MAC Address Authentication Timers
The following timers function in the process of MAC address authentication:
• Offline detect timer: At this interval, the switch checks to see whether an online user has gone
offline. Once it detects that a user has gone offline, the switch sends a stop-accounting notice to
the RADIUS server.
• Quiet timer: Whenever a user fails MAC address authentication, the switch does not initiate any
MAC address authentication of the user during the period defined by this timer.
• Server timeout timer: During authentication of a user, if the switch receives no response from the
RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out
and forbids the user from accessing the network.
Quiet MAC Address
When a user fails MAC address authentication, the MAC address becomes a quiet MAC address, which
means that any packets from that MAC address are simply discarded by the switch until the quiet
timer expires. This prevents an invalid user from being authenticated repeatedly in a short time.
If the quiet MAC address is the same as a configured static MAC address or an authentication-passed
MAC address, the quiet function is not effective.
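The following is an added example, not code from the manual or from H3C: a small Python model of local MAC address authentication as the sections above describe it, covering the usernameformat rule (the local user name must match the MAC address in exactly the configured hyphen/case form or authentication fails), the quiet MAC address (a MAC that failed is ignored until the quiet timer expires, unless it is already an authentication-passed MAC), the optional fixed password, and the per-port maximum number of users described later in this chapter. The class and function names (format_mac, LocalUser, MacAuthPort) are the example's own, and the default timer and user-limit values are the ones the manual states.

```python
"""Added example (not H3C code): a model of local MAC address authentication.

Covers the usernameformat rule, the quiet MAC address, the fixed password
option and the per-port user limit. Names are the example's own."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def format_mac(raw: str, with_hyphen: bool = True, lowercase: bool = True) -> str:
    """Render a MAC address in the configured user-name format.

    Accepts the common spellings (00-0d-88-f6-44-c1, 00:0d:..., 000d.88f6.44c1)
    and emits exactly one canonical form, as the switch does when it builds
    the user name for a newly learned MAC address."""
    hexdigits = "".join(c for c in raw if c.isalnum())  # drop -, :, . separators
    if len(hexdigits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = hexdigits.lower() if lowercase else hexdigits.upper()
    if with_hyphen:
        return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return hexdigits


@dataclass
class LocalUser:
    """A local user as configured with local-user / password / service-type."""
    password: str
    service_type: str = "lan-access"


@dataclass
class MacAuthPort:
    """One port with MAC address authentication enabled (MAC address mode)."""
    local_users: Dict[str, LocalUser]          # configured user name -> LocalUser
    with_hyphen: bool = True                   # usernameformat with-hyphen
    lowercase: bool = True                     # usernameformat lowercase
    fixed_password: Optional[str] = None       # fixedpassword password, if set
    quiet_timer: int = 60                      # default quiet timer (seconds)
    max_auth_num: int = 256                    # default per-port user limit
    quiet_until: Dict[str, int] = field(default_factory=dict)  # MAC -> expiry
    online: Set[str] = field(default_factory=set)

    def authenticate(self, raw_mac: str, now: int) -> str:
        """Outcome for a frame from raw_mac seen at time `now` (seconds).

        Returns 'success', 'quiet' (packet discarded, no new attempt),
        'limit' (user limit reached, no authentication triggered) or 'failure'."""
        name = format_mac(raw_mac, self.with_hyphen, self.lowercase)
        if name in self.online:
            return "success"                   # quiet never applies to a passed MAC
        if now < self.quiet_until.get(name, 0):
            return "quiet"
        if len(self.online) >= self.max_auth_num:
            return "limit"
        expected_password = self.fixed_password or name
        user = self.local_users.get(name)      # exact match in the configured format
        if (user is not None and user.password == expected_password
                and user.service_type == "lan-access"):
            self.online.add(name)
            self.quiet_until.pop(name, None)
            return "success"
        # Failure: the MAC becomes a quiet MAC until the quiet timer expires.
        self.quiet_until[name] = now + self.quiet_timer
        return "failure"


if __name__ == "__main__":
    # Constructed sample: the user from the configuration example at the end of this chapter.
    port = MacAuthPort({"00-0d-88-f6-44-c1": LocalUser("00-0d-88-f6-44-c1")})
    print(port.authenticate("00:0D:88:F6:44:C1", now=0))   # success
    print(port.authenticate("00-0d-88-f6-44-c2", now=0))   # failure
    print(port.authenticate("00-0d-88-f6-44-c2", now=30))  # quiet
```

The point worth noting for operators is the last check in authenticate: a local user entered as 000d88f644c1 on a port configured with-hyphen never matches, which is the "otherwise, the authentication will fail" case in the text.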
Configuring Basic MAC Address Authentication Functions
Follow these steps to configure basic MAC address authentication functions:
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable MAC address authentication globally
Use the command: mac-authentication
Remarks: Required. Disabled by default.

To do: Enable MAC address authentication for the specified port(s) or the current port
Use the command: In system view: mac-authentication interface interface-list
  In interface view: interface interface-type interface-number, then mac-authentication, then quit
Remarks: Use either method. Disabled by default.

To do: Set the user name in MAC address mode for MAC address authentication
Use the command: mac-authentication authmode usernameasmacaddress [ usernameformat
{ with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]
Remarks: Optional. By default, the MAC address of a user is used as the user name.

To do: Set the user name in fixed mode for MAC address authentication
Use the command: mac-authentication authmode usernamefixed, then configure the user name with
mac-authentication authusername username and the password with mac-authentication
authpassword password
Remarks: Optional. By default, the user name is “mac” and no password is configured.

To do: Specify an ISP domain for MAC address authentication
Use the command: mac-authentication domain isp-name
Remarks: Required. The default ISP domain (default domain) is used by default.

To do: Configure the MAC address authentication timers
Use the command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value |
server-timeout server-timeout-value }
Remarks: Optional. The default timeout values are as follows: 300 seconds for the offline detect timer;
60 seconds for the quiet timer; and 100 seconds for the server timeout timer.
• If MAC address authentication is enabled on a port, you cannot configure the maximum number of
dynamic MAC address entries for that port (through the mac-address max-mac-count command),
and vice versa.
• If MAC address authentication is enabled on a port, you cannot configure port security (through the
port-security enable command) on that port, and vice versa.
• You can configure MAC address authentication on a port before enabling it globally. However, the
configuration will not take effect unless MAC address authentication is enabled globally.
MAC Address Authentication Enhanced Function Configuration
MAC Address Authentication Enhanced Function Configuration Task List
Complete the following tasks to configure the MAC address authentication enhanced function:
Task: Configuring a Guest VLAN
Remarks: Optional

Task: Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port
Remarks: Optional
Configuring a Guest VLAN
Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs
mentioned in this section are Guest VLANs dedicated to MAC address authentication.
After completing the configuration tasks in Configuring Basic MAC Address Authentication Functions for
a switch, the switch can authenticate access users according to their MAC addresses or according to
fixed user names and passwords. The switch will not learn the MAC addresses of clients that fail the
authentication into its local MAC address table, thus preventing illegal users from accessing the network.
In some cases, if the clients that fail the authentication are required to access some restricted
resources in the network (such as the virus library update server), you can use the Guest VLAN.
You can configure a Guest VLAN for each port of the switch. When a client connected to a port fails
MAC address authentication, this port will be added to the Guest VLAN automatically. The MAC
address of this client will also be learned into the MAC address table of the Guest VLAN, and thus the
user can access the network resources of the Guest VLAN.
After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port
(namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user
passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the
network normally.
• Guest VLANs are implemented by adding a port to a VLAN. For example, when multiple users are
connected to a port, if the first user fails the authentication, the other users can access only the
contents of the Guest VLAN. The switch will re-authenticate only the first user accessing this port,
and the other users cannot be authenticated again. Thus, if more than one client is connected to a
port, you cannot configure a Guest VLAN for this port.
• After users connected to an existing port fail to pass authentication, the switch adds the port to the
Guest VLAN. Therefore, the Guest VLAN can separate unauthenticated users on an access port.
On a trunk port or a hybrid port, if a packet carries a VLAN tag and belongs to a VLAN that the port
allows to pass, the packet is forwarded normally without being affected by the Guest VLAN. That
is, packets can be forwarded to VLANs other than the Guest VLAN through a trunk port or a hybrid
port even if the users fail to pass authentication.
Follow these steps to configure a Guest VLAN:
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: —

To do: Configure the Guest VLAN for the current port
Use the command: mac-authentication guest-vlan vlan-id
Remarks: Required. By default, no Guest VLAN is configured for a port.

To do: Return to system view
Use the command: quit
Remarks: —

To do: Configure the interval at which the switch re-authenticates users in Guest VLANs
Use the command: mac-authentication timer guest-vlan-reauth interval
Remarks: Optional. By default, the switch re-authenticates the users in Guest VLANs at an interval of
30 seconds.
• If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.
• When a Guest VLAN is configured for a port, only one MAC address authentication user can
access the port. Even if you set the limit on the number of MAC address authentication users to
more than one, the configuration does not take effect.
• The undo vlan command cannot be used to remove the VLAN configured as a Guest VLAN. If you
want to remove this VLAN, you must first remove the Guest VLAN configuration for it. Refer to the
VLAN module in this manual for the description of the undo vlan command.
• Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN
must be an existing VLAN. Otherwise, the Guest VLAN configuration does not take effect. If you
want to change the Guest VLAN for a port, you must remove the current Guest VLAN and then
configure a new Guest VLAN for this port.
• 802.1x authentication cannot be enabled on a port configured with a Guest VLAN.
• The Guest VLAN function for MAC address authentication does not take effect when port security
is enabled.
Configuring the Maximum Number of MAC Address Authentication Users Allowed to
Access a Port
You can configure the maximum number of MAC address authentication users for a port in order to
control the maximum number of users accessing a port. After the number of access users has
exceeded the configured maximum number, the switch will not trigger MAC address authentication for
subsequent access users, and thus these subsequent access users cannot access the network
normally.
Follow these steps to configure the maximum number of MAC address authentication users allowed to
access a port:
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: —

To do: Configure the maximum number of MAC address authentication users allowed to access a port
Use the command: mac-authentication max-auth-num user-number
Remarks: Required. By default, the maximum number of MAC address authentication users allowed to
access a port is 256.
• If both the limit on the number of MAC address authentication users and the limit on the number of
users configured in the port security function are configured for a port, the smaller of the two
configured limits is adopted as the maximum number of MAC address authentication users allowed
to access this port. Refer to the Port Security manual for the description of the port security
function.
• You cannot configure the maximum number of MAC address authentication users for a port if any
user connected to this port is online.
Displaying and Maintaining MAC Address Authentication Configuration
To do: Display global or on-port information about MAC address authentication
Use the command: display mac-authentication [ interface interface-list ]
Remarks: Available in any view

To do: Clear the statistics of global or on-port MAC address authentication
Use the command: reset mac-authentication statistics [ interface interface-type interface-number ]
Remarks: Available in user view
MAC Address Authentication Configuration Examples
Network requirements
As illustrated in Figure 1-1, a supplicant is connected to the switch through port GigabitEthernet 1/0/2.
• MAC address authentication is required on port GigabitEthernet 1/0/2 to control user access to the
Internet.
• All users belong to domain aabbcc.net. Authentication is performed locally, and the MAC address
of the PC (00-0d-88-f6-44-c1) is used as both the user name and the password.
Network Diagram
Figure 1-1 Network diagram for MAC address authentication configuration
Configuration Procedure
# Enable MAC address authentication on port GigabitEthernet 1/0/2.
<Sysname> system-view
[Sysname] mac-authentication interface GigabitEthernet 1/0/2
# Set the user name in MAC address mode for MAC address authentication, requiring hyphenated
lowercase MAC addresses as the user names and passwords.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user.
• Specify the user name and password.
[Sysname] local-user 00-0d-88-f6-44-c1
[Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
• Set the service type to lan-access.
[Sysname-luser-00-0d-88-f6-44-c1] service-type lan-access
[Sysname-luser-00-0d-88-f6-44-c1] quit
# Add an ISP domain named aabbcc.net.
[Sysname] domain aabbcc.net
New Domain added.
# Specify that local authentication is performed.
[Sysname-isp-aabbcc.net] scheme local
[Sysname-isp-aabbcc.net] quit
# Specify aabbcc.net as the ISP domain for MAC address authentication.
[Sysname] mac-authentication domain aabbcc.net
# Enable MAC address authentication globally. (This is usually the last step in configuring access
control related features. Otherwise, a user may be denied access to the network because of an
incomplete configuration.)
[Sysname] mac-authentication
After doing so, your MAC address authentication configuration takes effect immediately. Only users
with the MAC address 00-0d-88-f6-44-c1 are allowed to access the Internet through port
GigabitEthernet 1/0/2.
Table of Contents
1 IP Addressing Configuration (1-1)
  IP Addressing Overview (1-1)
    IP Address Classes (1-1)
    Special IP Addresses (1-2)
    Subnetting and Masking (1-2)
    Protocols and Standards (1-3)
  Configuring IP Addresses (1-3)
  Displaying IP Addressing Configuration (1-4)
  VLAN Interface IP Address Configuration Examples (1-4)
    IP Address Configuration Example I (1-4)
    IP Address Configuration Example II (1-5)
2 IP Performance Optimization Configuration (2-1)
  IP Performance Overview (2-1)
    Introduction to IP Performance Configuration (2-1)
    Introduction to FIB (2-1)
    Protocols and Standards (2-1)
  Configuring IP Performance Optimization (2-1)
    IP Performance Optimization Configuration Task List (2-1)
    Configuring TCP Attributes (2-1)
    Disabling Sending of ICMP Error Packets (2-2)
  Displaying and Maintaining IP Performance Optimization Configuration (2-3)
1 IP Addressing Configuration
The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6
address, refer to IPv6 Management.
When configuring IP addressing, go to these sections for information you are interested in:
• IP Addressing Overview
• Configuring IP Addresses
• Displaying IP Addressing Configuration
• VLAN Interface IP Address Configuration Examples
IP Addressing Overview
IP Address Classes
On an IP network, a 32-bit address is used to identify a host. An example is
01010000100000001000000010000000 in binary. To make IP addresses in 32-bit form easier to read,
they are written in dotted decimal notation, each being four octets in length, for example, 10.1.1.1 for the
address just mentioned.
Each IP address breaks down into two parts:
• Net ID: The first several bits of the IP address, defining a network; also known as the class bits.
• Host ID: Identifies a host on a network.
IP addresses are divided into five classes, as shown in the following figure (in which the blue parts
represent the address class).
Figure 1-1 IP address classes
Table 1-1 describes the address ranges of these five classes.
Table 1-1 IP address classes and ranges
Class: A
Address range: 0.0.0.0 to 127.255.255.255
Remarks: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This
address is never a valid destination address. Addresses starting with 127 are reserved for loopback
test. Packets destined to these addresses are processed locally as input packets rather than sent to
the link.

Class: B
Address range: 128.0.0.0 to 191.255.255.255
Remarks: ––

Class: C
Address range: 192.0.0.0 to 223.255.255.255
Remarks: ––

Class: D
Address range: 224.0.0.0 to 239.255.255.255
Remarks: Multicast addresses

Class: E
Address range: 240.0.0.0 to 255.255.255.255
Remarks: Reserved for future use except for the broadcast address 255.255.255.255.
Special IP Addresses
The following IP addresses are for special use, and they cannot be used as host IP addresses:
• IP address with an all-zero net ID: Identifies a host on the local network. For example, IP address
0.0.0.16 indicates the host with a host ID of 16 on the local network.
• IP address with an all-zero host ID: Identifies a network.
• IP address with an all-one host ID: Identifies a directed broadcast address. For example, a packet
with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network
192.168.1.0.
Subnetting and Masking
Subnetting was developed to address the risk of IP address exhaustion resulting from fast expansion of
the Internet. The idea is to break a network down into smaller networks called subnets by using some
bits of the host ID to create a subnet ID. To identify the boundary between the host ID and the
combination of net ID and subnet ID, masking is used.
Each subnet mask comprises 32 bits related to the corresponding bits in an IP address. In a subnet
mask, the part containing consecutive ones identifies the combination of net ID and subnet ID whereas
the part containing consecutive zeros identifies the host ID.
Figure 1-2 shows how a Class B network is subnetted.
Figure 1-2 Subnet a Class B network
In the absence of subnetting, some special addresses, such as the addresses with a net ID of all zeros
and the addresses with a host ID of all ones, are not assignable to hosts. The same is true for
subnetting. When designing your network, you should note that subnetting is somewhat a tradeoff
between subnets and accommodated hosts. For example, a Class B network can accommodate 65,534
(2^16 – 2) hosts before being subnetted; of the two deducted Class B addresses, the one with an
all-ones host ID is the broadcast address and the one with an all-zeros host ID is the network address.
After you break it down into 512 (2^9) subnets by using the first 9 bits of the host ID for the subnet, you
have only 7 bits for the host ID and thus only 126 (2^7 – 2) hosts in each subnet. The maximum number
of hosts is thus 64,512 (512 × 126), 1022 less than before the network was subnetted.
Class A, B, and C networks, before being subnetted, use these default masks (also called natural
masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
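As an added example (not from the H3C manual), the following Python works the arithmetic of this overview on 32-bit integers using only the standard library: the binary form of a dotted-decimal address, the class determined by the leading class bits, the special addresses listed above (bootstrap 0.0.0.0, loopback 127.x, all-zero net ID, all-zero host ID, all-one host ID, limited broadcast), and the subnetting tradeoff, generalised from the Class B case in the text to any mask length and number of borrowed bits. The function names are the example's own.

```python
"""Added example (not H3C code): classful addressing and subnetting arithmetic
as described in the IP Addressing Overview. Function names are the example's own."""
import ipaddress
from typing import Dict

# Default (natural) masks of the classes that can be subnetted, from the text above.
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def to_binary(ip: str) -> str:
    """32-bit binary form of a dotted-decimal address."""
    return format(int(ipaddress.IPv4Address(ip)), "032b")


def address_class(ip: str) -> str:
    """Class A..E from the leading (class) bits of the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:    # 0xxxxxxx
        return "A"
    if first < 192:    # 10xxxxxx
        return "B"
    if first < 224:    # 110xxxxx
        return "C"
    if first < 240:    # 1110xxxx
        return "D"
    return "E"         # 1111xxxx


def special_role(ip: str, mask: str) -> str:
    """Name the special address the overview lists, or 'host' if assignable."""
    addr = int(ipaddress.IPv4Address(ip))
    m = int(ipaddress.IPv4Address(mask))
    host_bits = 32 - bin(m).count("1")
    net_id = addr & m
    host_id = addr & ~m & 0xFFFFFFFF
    if addr == 0:
        return "bootstrap (0.0.0.0)"
    if addr == 0xFFFFFFFF:
        return "limited broadcast"
    if (addr >> 24) == 127:
        return "loopback"
    if net_id == 0:
        return "host on the local network"
    if host_id == 0:
        return "network address"
    if host_id == (1 << host_bits) - 1:
        return "directed broadcast"
    return "host"


def subnet_tradeoff(mask_len: int, subnet_bits: int) -> Dict[str, int]:
    """Usable hosts before and after borrowing subnet_bits from the host ID.

    Each (sub)network loses the all-zeros (network) and all-ones (broadcast)
    host IDs, which is why subnetting costs addresses overall."""
    host_bits = 32 - mask_len
    if not 0 <= subnet_bits <= host_bits - 2:
        raise ValueError("subnet bits must leave at least 2 host bits")
    before = 2 ** host_bits - 2
    subnets = 2 ** subnet_bits
    per_subnet = 2 ** (host_bits - subnet_bits) - 2
    after = subnets * per_subnet
    return {"hosts_before": before, "subnets": subnets,
            "hosts_per_subnet": per_subnet, "hosts_after": after,
            "lost": before - after}


if __name__ == "__main__":
    print(to_binary("10.1.1.1"))
    print(address_class("10.1.1.1"), DEFAULT_MASK[address_class("10.1.1.1")])
    print(special_role("192.168.1.255", "255.255.255.0"))
    print(subnet_tradeoff(16, 9))  # the Class B example in the text
```

subnet_tradeoff(16, 9) reproduces the figures in the paragraph above (65,534 hosts before, 512 subnets of 126, 64,512 after, 1022 lost); changing the second argument shows how the loss grows with every extra borrowed bit.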
Protocols and Standards
• RFC 1366, Guidelines for Management of IP Address Space
• RFC 1367, Schedule for IP Address Space Management Guidelines
Configuring IP Addresses
S5100 Series Ethernet Switches support assigning IP addresses to loopback interfaces and VLAN
interfaces.
A loopback interface is a virtual interface. The physical layer state and link layer protocols of a loopback
interface are always up unless the loopback interface is manually shut down. A loopback interface can
be configured with an IP address, so routing protocols can be enabled on a loopback interface, and a
loopback interface is capable of sending and receiving routing protocol packets.
Each VLAN needs an IP address so that it can be addressed. For more information about VLAN
interfaces, refer to VLAN Operation in this manual.
Besides directly assigning an IP address to a VLAN interface, you may configure a VLAN interface to
obtain an IP address through BOOTP or DHCP as alternatives. If you change the way an interface
obtains an IP address, from manual assignment to BOOTP for example, the IP address obtained from
BOOTP will overwrite the old one manually assigned.
This chapter only covers how to assign an IP address manually. For the other two approaches, refer to
the part discussing DHCP.
You may assign an interface multiple IP addresses, one primary and multiple secondaries, to connect
multiple logical subnets on the same physical subnet.
Follow these steps to configure an IP address for an interface:
To do: Enter system view
Use the command: system-view
Remarks: ––

To do: Enter interface view
Use the command: interface interface-type interface-number
Remarks: ––

To do: Assign an IP address to the interface
Use the command: ip address ip-address { mask | mask-length } [ sub ]
Remarks: Required. No IP address is assigned by default.
• You can assign at most two IP addresses to an interface of the S5100-SI Series Ethernet Switches,
one of which is the primary IP address and the other the secondary IP address. The primary and
secondary IP addresses of an interface cannot reside on the same network segment. A VLAN
interface cannot be configured with a secondary IP address if the interface has been configured to
obtain an IP address through BOOTP or DHCP.
• The S5100-EI series Ethernet switches do not support specifying a secondary IP address for an
interface.
• A newly specified primary IP address overwrites the previous one, if there is any.
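The notes above amount to a small set of rules that the switch enforces when it accepts an ip address command. As an added example (not H3C code, and not the switch's implementation), the following Python class models those rules for one VLAN interface so that each refusal reason is explicit: the primary address is overwritten on reassignment, the S5100-EI takes no secondary, an interface in BOOTP/DHCP mode takes no secondary, a secondary on the primary's segment is refused, and the S5100-SI holds at most two addresses. The class, method and mode names ('manual', 'bootp', 'dhcp') are the example's own.

```python
"""Added example (not H3C code): a model of the VLAN-interface address rules
stated in the notes above. Names are the example's own."""
import ipaddress
from typing import List, Optional


class VlanInterface:
    MAX_ADDRESSES = 2   # S5100-SI: one primary plus one secondary

    def __init__(self, name: str, address_mode: str = "manual", ei_model: bool = False):
        self.name = name
        self.address_mode = address_mode   # 'manual', 'bootp' or 'dhcp' (example labels)
        self.ei_model = ei_model           # S5100-EI: secondary addresses unsupported
        self.primary: Optional[ipaddress.IPv4Interface] = None
        self.secondaries: List[ipaddress.IPv4Interface] = []

    def ip_address(self, ip: str, mask: str, sub: bool = False) -> str:
        """Model 'ip address ip-address { mask | mask-length } [ sub ]'.

        `mask` may be dotted (255.255.255.0) or a prefix length (24).
        Returns 'ok' or a string starting with 'refused:' giving the reason."""
        new = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if not sub:
            # A newly specified primary overwrites the previous one.
            self.primary = new
            return "ok"
        if self.ei_model:
            return "refused: S5100-EI does not support secondary addresses"
        if self.address_mode != "manual":
            return "refused: interface obtains its address through BOOTP/DHCP"
        if self.primary is not None and new.network.overlaps(self.primary.network):
            return "refused: secondary is on the same network segment as the primary"
        if 1 + len(self.secondaries) >= self.MAX_ADDRESSES:
            return "refused: at most two addresses per interface on the S5100-SI"
        self.secondaries.append(new)
        return "ok"

    def addresses(self) -> List[str]:
        """Configured addresses in CIDR form, primary first."""
        configured = ([self.primary] if self.primary else []) + self.secondaries
        return [str(a) for a in configured]


if __name__ == "__main__":
    # Constructed walk-through of IP Address Configuration Example II below.
    vlan1 = VlanInterface("Vlan-interface1")
    print(vlan1.ip_address("172.16.1.1", "255.255.255.0"))            # ok
    print(vlan1.ip_address("172.16.2.1", "255.255.255.0", sub=True))  # ok
    print(vlan1.addresses())
```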
Displaying IP Addressing Configuration
To do: Display information about a specified or all Layer 3 interfaces
Use the command: display ip interface [ interface-type interface-number ]
Remarks: Available in any view

To do: Display brief configuration information about a specified or all Layer 3 interfaces
Use the command: display ip interface brief [ interface-type [ interface-number ] ]
Remarks: Available in any view
VLAN Interface IP Address Configuration Examples
IP Address Configuration Example I
Network requirement
Assign IP address 129.2.2.1 with mask 255.255.255.0 to VLAN-interface 1 of the switch.
Network diagram
Figure 1-3 Network diagram for IP address configuration
Configuration procedure
# Configure an IP address for VLAN-interface 1.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0
IP Address Configuration Example II
Network requirements
As shown in Figure 1-4, a port in VLAN 1 on an S5100-SI is connected to a LAN comprising two
segments: 172.16.1.0/24 and 172.16.2.0/24.
To enable the hosts on the two network segments to communicate with the external network through the
switch, and to enable the hosts on the LAN to communicate with each other, do the following:
• Assign two IP addresses to VLAN-interface 1 on the S5100-SI.
• Set the S5100-SI as the gateway on all PCs in the two networks.
Network diagram
Figure 1-4 Network diagram for IP address configuration
Configuration procedure
# Assign a primary IP address and a secondary IP address to VLAN-interface 1.
<S5100-SI> system-view
[S5100-SI] interface Vlan-interface 1
[S5100-SI-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[S5100-SI-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to
172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24.
# Ping a host on the subnet 172.16.1.0/24 from the S5100-SI to check the connectivity.
<S5100-SI> ping 172.16.1.2
  PING 172.16.1.2: 56  data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms

  --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms
The output information shows the S5100-SI can communicate with the hosts on the subnet
172.16.1.0/24.
# Ping a host on the subnet 172.16.2.0/24 from the S5100-SI to check the connectivity.
<S5100-SI> ping 172.16.2.2
  PING 172.16.2.2: 56  data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms

  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms
The output information shows the S5100-SI can communicate with the hosts on the subnet
172.16.2.0/24.
2 IP Performance Optimization Configuration
When optimizing IP performance, go to these sections for information you are interested in:
- IP Performance Overview
- Configuring IP Performance Optimization
- Displaying and Maintaining IP Performance Optimization Configuration
IP Performance Overview
Introduction to IP Performance Configuration
In some network environments, you can adjust IP parameters to achieve the best network performance.
The IP performance optimization configuration supported by the S5100-SI/EI Series Ethernet Switches
includes:
- Configuring TCP attributes
- Disabling the sending of ICMP error packets
Introduction to FIB
Every switch stores a forwarding information base (FIB). FIB is used to store the forwarding information
of the switch and guide Layer 3 packet forwarding.
You can view the forwarding information of the switch by displaying the FIB table. Each FIB entry includes
the destination address/mask length, next hop, current flag, timestamp, and outbound interface.
When the switch runs normally, its FIB table and routing table have the same contents.
Protocols and Standards
- RFC 793, Transmission Control Protocol
- RFC 1323, TCP Extensions for High Performance
Configuring IP Performance Optimization
IP Performance Optimization Configuration Task List
Complete the following tasks to configure IP performance optimization:

Task | Remarks
Configuring TCP Attributes | Optional
Disabling Sending of ICMP Error Packets | Optional
Configuring TCP Attributes
TCP optional parameters that can be configured include:
- synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is
  received within the synwait timer interval, the TCP connection cannot be created.
- finwait timer: When a TCP connection enters the FIN_WAIT_2 state, the finwait timer is started. If no
  FIN packet is received before the timer expires, the TCP connection is terminated. If a FIN packet is
  received, the TCP connection state changes to TIME_WAIT. If a non-FIN packet is received, the system
  restarts the timer upon receiving the last non-FIN packet, and the connection is broken after the timer
  expires.
- Size of the TCP receive/send buffer
Follow these steps to configure TCP attributes:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the TCP synwait timer | tcp timer syn-timeout time-value | Optional. 75 seconds by default.
Configure the TCP finwait timer | tcp timer fin-timeout time-value | Optional. 675 seconds by default.
Configure the size of the TCP receive/send buffer | tcp window window-size | Optional. 8 kilobytes by default.
Disabling Sending of ICMP Error Packets
Sending error packets is a major function of the Internet Control Message Protocol (ICMP). In case of
network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to
notify corresponding devices so as to facilitate management.
Advantages of sending ICMP error packets
ICMP redirect packets and destination unreachable packets are two kinds of ICMP error packets. Their
sending conditions and functions are as follows.
1) Sending ICMP redirect packets
A host may have only a default route to the default gateway in its routing table after startup. The default
gateway will send an ICMP redirect packet to the source host, telling it to reselect a better next hop for
the subsequent packets, if the following conditions are satisfied:
- The receiving and forwarding interfaces are the same.
- The selected route has not been created or modified by any ICMP redirect packet.
- The selected route is not the default route.
- There is no source route option in the data packet.
ICMP redirect packets simplify host administration and enable a host to gradually establish a sound
routing table.
2) Sending ICMP destination unreachable packets
If a device receives an IP packet with an unreachable destination, it drops the packet and sends an
ICMP destination unreachable error packet to the source.
Conditions for sending an ICMP unreachable packet:
- If neither a specific route nor the default route for forwarding a packet is available, the device sends a
  "network unreachable" ICMP error packet.
- If the destination of a packet is local but the transport layer protocol of the packet is not supported
  by the local device, the device sends a "protocol unreachable" ICMP error packet to the source.
- When receiving a packet with a local destination and UDP as the transport layer protocol, if the
  packet's port number does not match any running process, the device sends the source a
  "port unreachable" ICMP error packet.
- If the source uses "strict source routing" to send packets, but the intermediate device finds that the
  next hop specified by the source is not directly connected, the device sends the source a "source
  routing failure" ICMP error packet.
- When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the
  packet has "Don't Fragment" set, the device sends the source a "fragmentation needed and
  Don't Fragment (DF) set" ICMP error packet.
Disadvantages of sending ICMP error packets
Although sending ICMP error packets facilitates control and management, it has the following
disadvantages:
- Sending a lot of ICMP packets increases network traffic.
- If a device receives a lot of malicious packets that cause it to send ICMP error packets, its
  performance is reduced.
- As the ICMP redirection function increases the routing table size of a host, the host's performance
  is reduced if its routing table becomes very large.
- If a host sends malicious ICMP destination unreachable packets, end users may be affected.
To prevent the above problems, you can disable the device from sending such ICMP error packets.
Follow these steps to disable sending ICMP error packets:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Disable sending of ICMP redirects | undo icmp redirect send | Required. Enabled by default.
Disable sending of ICMP destination unreachable packets | undo icmp unreach send | Required. Enabled by default.
Displaying and Maintaining IP Performance Optimization Configuration

To do… | Use the command… | Remarks
Display TCP connection status | display tcp status | Available in any view
Display TCP connection statistics | display tcp statistics | Available in any view
Display UDP traffic statistics | display udp statistics | Available in any view
Display IP traffic statistics | display ip statistics | Available in any view
Display ICMP traffic statistics | display icmp statistics | Available in any view
Display the current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ] | Available in any view
Display the forwarding information base (FIB) entries | display fib | Available in any view
Display the FIB entries matching the destination IP address | display fib ip_address1 [ { mask1 | mask-length1 } [ ip_address2 { mask2 | mask-length2 } | longer ] | longer ] | Available in any view
Display the FIB entries permitted by a specific ACL | display fib acl number | Available in any view
Display the FIB entries in the buffer which begin with, include or exclude the specified character string | display fib | { begin | include | exclude } regular-expression | Available in any view
Display FIB statistics | display fib statistics | Available in any view
Clear IP traffic statistics | reset ip statistics | Available in user view
Clear TCP traffic statistics | reset tcp statistics | Available in user view
Clear UDP traffic statistics | reset udp statistics | Available in user view
Table of Contents
1 DHCP Overview
  Introduction to DHCP
  DHCP IP Address Assignment
    IP Address Assignment Policy
    Obtaining IP Addresses Dynamically
    Updating IP Address Lease
  DHCP Packet Format
  Protocol Specification
2 DHCP Relay Agent Configuration
  Introduction to DHCP Relay Agent
    Usage of DHCP Relay Agent
    DHCP Relay Agent Fundamentals
    Option 82 Support on DHCP Relay Agent
  Configuring the DHCP Relay Agent
    DHCP Relay Agent Configuration Task List
    Correlating a DHCP Server Group with a Relay Agent Interface
    Configuring DHCP Relay Agent Security Functions
    Configuring the DHCP Relay Agent to Support Option 82
  Displaying and Maintaining DHCP Relay Agent Configuration
  DHCP Relay Agent Configuration Example
  Troubleshooting DHCP Relay Agent Configuration
3 DHCP Snooping Configuration
  DHCP Snooping Overview
    Introduction to DHCP Snooping
    Introduction to DHCP-Snooping Option 82
    Introduction to IP Filtering
  Configuring DHCP Snooping
    Configuring DHCP Snooping
    Configuring DHCP Snooping to Support Option 82
    Configuring IP Filtering
  Displaying DHCP Snooping Configuration
  DHCP Snooping Configuration Examples
    DHCP-Snooping Option 82 Support Configuration Example
    IP Filtering Configuration Example
4 DHCP/BOOTP Client Configuration
  Introduction to DHCP Client
  Introduction to BOOTP Client
  Configuring a DHCP/BOOTP Client
  Displaying DHCP/BOOTP Client Configuration
  DHCP/BOOTP Client Configuration Example
    DHCP Client Configuration Example
    BOOTP Client Configuration Example
1 DHCP Overview
When configuring DHCP, go to these sections for information you are interested in:
- Introduction to DHCP
- DHCP IP Address Assignment
- DHCP Packet Format
- Protocol Specification
Introduction to DHCP
As networks grow larger and more complex, a shortage of available IP addresses becomes a common
problem for network administrators, and network configuration becomes a heavy task. With the emergence
of wireless networks and the use of laptops, hosts change location and IP addresses frequently, which
also calls for new technology. The Dynamic Host Configuration Protocol (DHCP) was developed to solve
these issues.
DHCP adopts a client/server model, where the DHCP clients send requests to DHCP servers for
configuration parameters; and the DHCP servers return the corresponding configuration information
such as IP addresses to implement dynamic allocation of network resources.
A typical DHCP application includes one DHCP server and multiple clients (such as PCs and laptops),
as shown in Figure 1-1.
Figure 1-1 Typical DHCP application
DHCP IP Address Assignment
IP Address Assignment Policy
Currently, DHCP provides the following three IP address assignment policies to meet the requirements
of different clients:
- Manual assignment. The administrator configures static IP-to-MAC bindings for some special
  clients, such as a WWW server. The DHCP server then assigns these fixed IP addresses to the
  clients.
- Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses
  are occupied by the DHCP clients permanently.
- Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined
  period of time. In this case, a DHCP client must apply for an IP address again when the period
  expires. This policy applies to most clients.
Obtaining IP Addresses Dynamically
A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP
server:
1) Discover: In this phase, the DHCP client tries to find a DHCP server by broadcasting a
DHCP-DISCOVER packet.
2) Offer: In this phase, the DHCP server offers an IP address. After the DHCP server receives the
DHCP-DISCOVER packet from the DHCP client, it chooses an unassigned IP address from the
address pool according to the priority order of IP address assignment and then sends the IP
address and other configuration information together in a DHCP-OFFER packet to the DHCP client.
The sending mode (unicast or broadcast) is decided by the flags field in the DHCP-DISCOVER packet;
refer to section DHCP Packet Format for details.
3) Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends
DHCP-OFFER packets to the DHCP client, the DHCP client accepts only the DHCP-OFFER
packet that arrives first, and then broadcasts a DHCP-REQUEST packet containing the assigned
IP address carried in that DHCP-OFFER packet.
4) Acknowledge: In this phase, the DHCP server acknowledges the IP address. Upon receiving the
DHCP-REQUEST packet, only the selected DHCP server returns a DHCP-ACK packet to the
DHCP client to confirm the assignment of the IP address to the client, or returns a DHCP-NAK
packet to refuse the assignment. When the client receives the DHCP-ACK packet, it broadcasts an
ARP packet with the assigned IP address as the target address to probe for that address, and uses
the IP address only if it receives no response within a specified period.

- After the client receives the DHCP-ACK message, it probes whether the IP address assigned by
  the server is already in use by broadcasting a gratuitous ARP packet. If the client receives no
  response within the specified time, it can use this IP address. Otherwise, the client sends a
  DHCP-DECLINE message to the server and requests an IP address again.
- If there are multiple DHCP servers, the IP addresses offered by the other DHCP servers remain
  assignable to other clients.
Updating IP Address Lease
After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address keeps valid
only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If
the DHCP client wants to use the IP address for a longer time, it must update the IP lease.
By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST
packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a
DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP
address to the client. Otherwise, the DHCP server responds with a DHCP-NAK packet to notify the
DHCP client that the IP address will be reclaimed when the lease time expires.
If the DHCP client fails to update its IP address lease when half of the lease time elapses, it will update
its IP address lease by broadcasting a DHCP-REQUEST packet to the DHCP servers again when
seven-eighths of the lease time elapses. The DHCP server performs the same operations as those
described above.
DHCP Packet Format
DHCP has eight types of packets. They have the same format, but the values of some fields in the
packets are different. The DHCP packet format is based on that of the BOOTP packets. The following
figure describes the packet format (the number in the brackets indicates the field length, in bytes):
Figure 1-2 DHCP packet format
The fields are described as follows:
- op: Operation type of the DHCP packet, 1 for request packets and 2 for response packets.
- htype, hlen: Hardware address type and length of the DHCP client.
- hops: Number of DHCP relay agents that the DHCP packet has passed. For each DHCP relay agent
  that the DHCP request packet passes, the field value increases by 1.
- xid: Random number that the client selects when it initiates a request. The number is used to
  identify an address-requesting process.
- secs: Elapsed time since the DHCP client initiated the DHCP request.
- flags: The first bit is the broadcast response flag, which indicates whether the DHCP response
  packet is to be unicast (set to 0) or broadcast (set to 1). The other bits are reserved.
- ciaddr: IP address of the DHCP client.
- yiaddr: IP address that the DHCP server assigns to the client.
- siaddr: IP address of the DHCP server.
- giaddr: IP address of the first DHCP relay agent that the request packet passes after the DHCP
  client sends it.
- chaddr: Hardware address of the DHCP client.
- sname: Name of the DHCP server.
- file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP
  client.
- options: Optional variable-length fields, including the packet type, valid lease time, IP address of a
  DNS server, and IP address of the WINS server.
Protocol Specification
Protocol specifications related to DHCP include:
- RFC 2131: Dynamic Host Configuration Protocol
- RFC 2132: DHCP Options and BOOTP Vendor Extensions
- RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
- RFC 3046: DHCP Relay Agent Information Option
2 DHCP Relay Agent Configuration
When configuring the DHCP relay agent, go to these sections for information you are interested in:
- Introduction to DHCP Relay Agent
- Configuring the DHCP Relay Agent
- Displaying and Maintaining DHCP Relay Agent Configuration
- DHCP Relay Agent Configuration Example
- Troubleshooting DHCP Relay Agent Configuration

- Currently, the interface-related DHCP relay agent configurations can only be made on VLAN
  interfaces.
- The contents of this chapter are only applicable to the S5100-EI series among the S5100 series
  switches.
Introduction to DHCP Relay Agent
Usage of DHCP Relay Agent
Because the packets exchanged in the process of obtaining IP addresses are broadcast, DHCP is only
applicable when DHCP clients and DHCP servers are in the same network segment; that is, you would
need to deploy at least one DHCP server for each network segment, which is far from economical.
The DHCP relay agent is designed to address this problem. It enables DHCP clients in one subnet to
communicate with a DHCP server in another subnet so that the DHCP clients can obtain IP addresses.
In this case, the DHCP clients in multiple networks can use the same DHCP server, which decreases
cost and provides centralized administration.
DHCP Relay Agent Fundamentals
Figure 2-1 illustrates a typical DHCP relay agent application.
Figure 2-1 Typical DHCP relay agent application
In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and
DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent.
The following sections only describe the forwarding process of the DHCP relay agent.
1) After receiving the DHCP-DISCOVER or DHCP-REQUEST broadcast from the client, the network
device providing the DHCP relay agent function unicasts the message to the designated DHCP
server(s) according to its configuration.
2) The DHCP server selects an IP address and other parameters and sends the configuration
information to the DHCP relay agent, which relays the information to the client (the sending mode is
decided by the flags field in the client's DHCP-DISCOVER packet; refer to section DHCP Packet
Format for details).
Option 82 Support on DHCP Relay Agent
Introduction to Option 82
Option 82 is the relay agent information option in the DHCP message. It records the location information
of the DHCP client. With this option, the administrator can locate the DHCP client to further implement
security control and accounting. The Option 82 supporting server can also use such information to
define individual assignment policies of IP address and other parameters for the clients.
Option 82 involves at most 255 sub-options. If Option 82 is defined, at least one sub-option must be
defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (circuit ID sub-option)
and sub-option 2 (remote ID sub-option).
Padding content of Option 82
RFC 3046 does not define a unified content for the Option 82 sub-options, so the padding information
varies with vendors. Currently, S5100-EI Series Ethernet Switches that operate as DHCP relay agents
support the extended padding format of Option 82 sub-options. By default, the sub-options of Option 82
are padded as follows, as shown in Figure 2-2 and Figure 2-3. (The content in brackets is the fixed
value of each field.)
- sub-option 1: Padded with the port index (smaller than the physical port number by 1) and the VLAN
  ID of the port that received the client's request.
- sub-option 2: Padded with the bridge MAC address of the DHCP relay agent device that received
  the client's request.
Figure 2-2 Padding contents for sub-option 1 of Option 82
Figure 2-3 Padding contents for sub-option 2 of Option 82
Mechanism of Option 82 supported on DHCP relay agent
The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay
agent is similar to that for the client to obtain an IP address from a DHCP server directly. The following
are the mechanism of Option 82 support on DHCP relay agent.
1) Upon receiving a DHCP request, the DHCP relay agent checks whether the packet contains Option
82 and processes the packet accordingly.
- If the request packet contains Option 82, the DHCP relay agent processes the packet depending
  on the configured strategy (that is, discards the packet, replaces the original Option 82 in the
  packet with its own, or leaves the original Option 82 unchanged in the packet), and forwards the
  packet (if not discarded) to the DHCP server.
- If the request packet does not contain Option 82, the DHCP relay agent adds Option 82 to the
  packet and forwards the packet to the DHCP server.
2) Upon receiving the packet returned from the DHCP server, the DHCP relay agent strips Option 82
from the packet and forwards the packet with the DHCP configuration information to the DHCP
client.
Request packets sent by a DHCP client fall into two categories: DHCP-DISCOVER packets and
DHCP-REQUEST packets. As DHCP servers coming from different manufacturers process DHCP
request packets in different ways (that is, some DHCP servers process Option 82 in DHCP-DISCOVER
packets, whereas the rest process Option 82 in DHCP-REQUEST packets), a DHCP relay agent adds
Option 82 to both types of packets to accommodate to DHCP servers of different manufacturers.
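The packet layout from section DHCP Packet Format and the relay-agent Option 82 handling described above, as an added Python example that is not part of the H3C manual or of the switch software: it decodes and re-encodes the fixed BOOTP/DHCP header and the options field, then applies the drop / keep / replace strategy on the client-to-server path and strips Option 82 from server replies. The sample DHCP-DISCOVER, the relay address and bridge MAC, and the circuit-ID byte layout (2-byte VLAN ID followed by 2-byte port index) are constructed assumptions; the figures that define the real sub-option layout are not reproduced in this text.

```python
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # separates the fixed header from options
BOOTREQUEST = 1                              # op field: 1 = request, 2 = reply
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
ZERO_IP = b"\x00" * 4
# Fixed 236-byte BOOTP/DHCP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


@dataclass
class DhcpPacket:
    op: int; htype: int; hlen: int; hops: int; xid: int; secs: int; flags: int
    ciaddr: bytes; yiaddr: bytes; siaddr: bytes; giaddr: bytes
    chaddr: bytes; sname: bytes; file: bytes
    options: list = field(default_factory=list)   # [(code, value), ...] in wire order


def parse(data: bytes) -> DhcpPacket:
    """Decode the fixed header, then walk the TLV options up to END (255)."""
    pkt = DhcpPacket(*HDR.unpack_from(data, 0))
    if data[HDR.size:HDR.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    i = HDR.size + 4
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        pkt.options.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return pkt


def build(pkt: DhcpPacket) -> bytes:
    out = HDR.pack(pkt.op, pkt.htype, pkt.hlen, pkt.hops, pkt.xid, pkt.secs,
                   pkt.flags, pkt.ciaddr, pkt.yiaddr, pkt.siaddr, pkt.giaddr,
                   pkt.chaddr, pkt.sname, pkt.file) + MAGIC_COOKIE
    for code, value in pkt.options:
        out += bytes([code, len(value)]) + value
    return out + bytes([OPT_END])


def encode_option82(vlan_id: int, port_index: int, bridge_mac: bytes) -> bytes:
    """Sub-option 1 = circuit ID (assumed layout: VLAN ID then port index, 2 bytes
    each); sub-option 2 = remote ID (bridge MAC of the relay agent)."""
    circuit = struct.pack("!HH", vlan_id, port_index)
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(bridge_mac)]) + bridge_mac)


def decode_option82(value: bytes) -> dict:
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_to_server(data, relay_ip, vlan_id, port_index, bridge_mac,
                    strategy="replace"):
    """Client -> server: return the packet to unicast to the server, or None
    when the configured strategy drops a request that already carries Option 82."""
    pkt = parse(data)
    if pkt.op != BOOTREQUEST:
        raise ValueError("expected a client request (op=1)")
    pkt.hops += 1                        # one more relay agent traversed
    if pkt.giaddr == ZERO_IP:
        pkt.giaddr = relay_ip            # first relay agent records its own address
    own = encode_option82(vlan_id, port_index, bridge_mac)
    if not any(code == OPT_RELAY_INFO for code, _ in pkt.options):
        pkt.options.append((OPT_RELAY_INFO, own))          # absent: add ours
    elif strategy == "drop":
        return None
    elif strategy == "replace":
        pkt.options = [(c, own if c == OPT_RELAY_INFO else v) for c, v in pkt.options]
    elif strategy != "keep":
        raise ValueError(f"unknown strategy {strategy!r}")
    return build(pkt)


def relay_to_client(data: bytes) -> bytes:
    """Server -> client: strip Option 82 before forwarding the reply."""
    pkt = parse(data)
    pkt.options = [(c, v) for c, v in pkt.options if c != OPT_RELAY_INFO]
    return build(pkt)


def sample_discover(extra_options=()) -> bytes:
    """Constructed DHCP-DISCOVER: broadcast flag set, client MAC 00:11:22:33:44:55."""
    mac = bytes.fromhex("001122334455")
    pkt = DhcpPacket(BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000,
                     ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP, mac.ljust(16, b"\x00"),
                     b"\x00" * 64, b"\x00" * 128, [(OPT_MSG_TYPE, b"\x01"), *extra_options])
    return build(pkt)
```

Feeding a request that already carries a foreign Option 82 through relay_to_server with each of the three strategies shows the difference the configuration makes: drop returns nothing to forward, keep passes the foreign sub-options on to the server, and replace (the default in the table that follows) substitutes the relay's own circuit ID and remote ID.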
Configuring the DHCP Relay Agent
DHCP Relay Agent Configuration Task List
Complete the following tasks to configure the DHCP relay agent:

Task | Remarks
Correlating a DHCP Server Group with a Relay Agent Interface | Required
Configuring DHCP Relay Agent Security Functions | Optional
Configuring the DHCP Relay Agent to Support Option 82 | Optional
Correlating a DHCP Server Group with a Relay Agent Interface
To enhance reliability, you can set multiple DHCP servers on the same network. These DHCP servers
form a DHCP server group. When an interface of the relay agent establishes a correlation with the
DHCP server group, the interface will forward received DHCP packets to all servers in the server group.
Follow these steps to correlate a DHCP server group with a relay agent interface:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the DHCP server IP address(es) in a specified DHCP server group | dhcp-server groupNo ip ip-address&<1-8> | Required. By default, no DHCP server IP address is configured in a DHCP server group.
Enter VLAN interface view | interface interface-type interface-number | —
Map the interface to a DHCP server group | dhcp-server groupNo | Required. By default, a VLAN interface is not mapped to any DHCP server group.

- You can configure up to eight DHCP server IP addresses in a DHCP server group.
- You can map multiple VLAN interfaces to one DHCP server group, but one VLAN interface can be
  mapped to only one DHCP server group.
- If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites
  the previous one.
- The group number you specify with dhcp-server groupNo in VLAN interface view must already have
  been created in system view with dhcp-server groupNo ip ip-address&<1-8>.
Configuring DHCP Relay Agent Security Functions
Configuring address checking
After relaying an IP address from the DHCP server to a DHCP client, the DHCP relay agent can
automatically record the client's IP-to-MAC binding and generate a dynamic address entry. It also
supports static bindings, which means you can manually configure IP-to-MAC bindings on the DHCP
relay agent, so that users can access external networks using fixed IP addresses.
The purpose of the address checking function on the DHCP relay agent is to prevent unauthorized users
from statically configuring IP addresses to access external networks. With this function enabled, a
DHCP relay agent blocks a user from accessing external networks if the IP address configured on the
user end and the MAC address of the user end do not match any entry (including the entries
dynamically tracked by the DHCP relay agent and the manually configured static entries) in the user
address table on the DHCP relay agent.
Follow these steps to configure address checking:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a static IP-to-MAC binding | dhcp-security static ip-address mac-address | Optional. Not created by default.
Enter interface view | interface interface-type interface-number | —
Enable the address checking function | address-check enable | Required. Disabled by default.

- The address-check enable command is independent of the other commands of the DHCP relay
  agent. That is, the invalid address check takes effect as soon as this command is executed,
  regardless of whether other commands (such as the command to enable DHCP) are used.
- Before executing the address-check enable command on the interface connected to the DHCP
  server, you need to configure a static binding of the IP address to the MAC address of the DHCP
  server. Otherwise, the DHCP client will fail to obtain an IP address.
Enabling unauthorized DHCP server detection
If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the
unauthorized DHCP server may assign an incorrect IP address to the DHCP client.
With this feature enabled, upon receiving a DHCP message with a non-zero siaddr field (the IP address
of the server offering an IP address to the client) from a client, the DHCP relay agent records the value
of the siaddr field and the receiving interface. The administrator can use this information to identify
unauthorized DHCP servers.
Follow these steps to enable unauthorized DHCP server detection:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable unauthorized DHCP server detection | dhcp-server detect | Required. Disabled by default.
With the unauthorized DHCP server detection enabled, the relay agent will log all DHCP servers,
including authorized ones, and each server is recorded only once until such information is removed and
is recorded again. The administrator needs to find unauthorized DHCP servers from the system log
information.
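The two relay agent security functions described above (address checking and unauthorized DHCP server detection), as an added Python model that is not part of the H3C manual or of the switch software: a user address table with static entries and entries learned when an address is relayed to a client, the per-interface address check that consults it, and server detection that records each non-zero siaddr once per interface until the records are cleared. The interface names, addresses and MAC addresses in demo() are constructed for illustration; demo() reproduces the caveat from the previous section, that the server-facing interface needs a static binding for the DHCP server before the check is enabled there.

```python
from ipaddress import IPv4Address


class RelaySecurity:
    """User address table, address checking and server detection of a relay agent."""

    def __init__(self):
        self.static = {}            # ip -> mac, configured with dhcp-security static
        self.dynamic = {}           # ip -> mac, learned from relayed assignments
        self.check_on = set()       # interfaces where address-check enable is set
        self.detect_on = False      # dhcp-server detect
        self.seen_servers = set()   # (siaddr, interface) pairs already recorded
        self.syslog = []

    def add_static(self, ip, mac):
        self.static[IPv4Address(ip)] = mac.lower()

    def learn(self, yiaddr, chaddr):
        """Record the client's IP-to-MAC binding after relaying the assigned address."""
        self.dynamic[IPv4Address(yiaddr)] = chaddr.lower()

    def enable_check(self, iface):
        self.check_on.add(iface)

    def permit(self, iface, src_ip, src_mac):
        """Address checking: on an interface with the check enabled, traffic passes
        only if (src_ip, src_mac) exactly matches a static or a dynamic entry."""
        if iface not in self.check_on:
            return True
        ip, mac = IPv4Address(src_ip), src_mac.lower()
        return self.static.get(ip) == mac or self.dynamic.get(ip) == mac

    def observe(self, iface, siaddr):
        """Server detection: a non-zero siaddr is recorded once per (server,
        interface) until cleared.  Returns the log line, or None if nothing is logged."""
        if not self.detect_on or int(IPv4Address(siaddr)) == 0:
            return None
        key = (IPv4Address(siaddr), iface)
        if key in self.seen_servers:
            return None
        self.seen_servers.add(key)
        line = f"DHCP server {siaddr} detected on {iface}"
        self.syslog.append(line)
        return line

    def clear_detected(self):
        self.seen_servers.clear()

    def unauthorized(self, authorized):
        """The administrator's step: recorded servers that are not on the authorized list."""
        allowed = {IPv4Address(a) for a in authorized}
        return sorted(str(ip) for ip, _ in self.seen_servers if ip not in allowed)


def demo():
    """Enabling the check on the server-facing interface without a static binding
    for the DHCP server blocks the server's traffic; the binding restores it."""
    relay = RelaySecurity()
    relay.enable_check("Vlan-interface2")                     # faces the DHCP server
    server_ip, server_mac = "10.1.1.1", "00:e0:fc:00:00:01"   # constructed values
    blocked_before = not relay.permit("Vlan-interface2", server_ip, server_mac)
    relay.add_static(server_ip, server_mac)                   # dhcp-security static
    allowed_after = relay.permit("Vlan-interface2", server_ip, server_mac)
    return blocked_before, allowed_after
```

Because permit() requires the IP and MAC pair to match an entry, a host that keeps a learned IP address but changes its MAC, or that statically configures an address the relay never assigned, is rejected in the same way; observe() mirrors the note above that every server, authorized or not, is logged exactly once until the records are cleared.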
Configuring the DHCP Relay Agent to Support Option 82
Prerequisites
Before configuring Option 82 support on a DHCP relay agent, you need to:
- Configure the network parameters and relay function of the DHCP relay device.
- Perform the assignment strategy-related configurations, such as the network parameters of the
  DHCP server, address pool, and lease time.
- Make sure the routes between the DHCP relay agent and the DHCP server are reachable.
Enabling Option 82 support on a DHCP relay agent
Follow these steps to enable Option 82 support on a DHCP relay agent:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable Option 82 support on the DHCP relay agent
   Command: dhcp relay information enable
   Remarks: Required. Disabled by default.
3. Configure the strategy for the DHCP relay agent to process request packets containing Option 82
   Command: dhcp relay information strategy { drop | keep | replace }
   Remarks: Optional. By default, the replace strategy is adopted.
• By default, with the Option 82 support function enabled on the DHCP relay agent, the DHCP relay agent adopts the replace strategy to process request packets containing Option 82. However, if another strategy was configured before, enabling Option 82 support on the DHCP relay agent does not change the configured strategy.
• To enable Option 82, you need to perform the corresponding configuration on both the DHCP server and the DHCP relay agent.
Displaying and Maintaining DHCP Relay Agent Configuration
• Display the information about a specified DHCP server group
   Command: display dhcp-server groupNo
   Remarks: Available in any view
• Display the information about the DHCP server group to which a specified VLAN interface is mapped
   Command: display dhcp-server interface Vlan-interface vlan-id
   Remarks: Available in any view
• Display the specified client address entries on the DHCP relay agent
   Command: display dhcp-security [ ip-address | dynamic | static ]
   Remarks: Available in any view
• Clear the statistics information of the specified DHCP server group
   Command: reset dhcp-server groupNo
   Remarks: Available in user view
DHCP Relay Agent Configuration Example
Network requirements
VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where the DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24, and the IP address of VLAN-interface 2, which communicates with the DHCP server 10.1.1.1/24, is 10.1.1.2/24. As shown in the figure below, Switch A forwards messages between the DHCP clients and the DHCP server to assign IP addresses in subnet 10.10.1.0/24 to the clients.
Network diagram
Figure 2-4 Network diagram for DHCP relay agent
Configuration procedure
# Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.
<SwitchA> system-view
[SwitchA] dhcp-server 1 ip 10.1.1.1
# Map VLAN-interface 1 to DHCP server group 1.
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] dhcp-server 1
• You need to perform the corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from it. The DHCP server configurations vary with different DHCP server devices, so they are omitted here.
• The DHCP relay agent and the DHCP server must be reachable to each other.
Troubleshooting DHCP Relay Agent Configuration
Symptom
A client fails to obtain configuration information through a DHCP relay agent.
Analysis
This problem may be caused by improper DHCP relay agent configuration. When a DHCP relay agent operates improperly, you can locate the problem by enabling debugging and checking the debugging information and the interface state (you can display this information by executing the corresponding display commands).
Solution
• Check whether an address pool on the same network segment as the DHCP clients is configured on the DHCP server.
• Check whether a reachable route is configured between the DHCP relay agent and the DHCP server.
• Check the DHCP relay agent. Check whether the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides, and whether the IP address of the DHCP server group is correct.
• If the address-check enable command is configured on the interface connected to the DHCP server, verify that the DHCP server’s IP-to-MAC address binding entry is configured on the DHCP relay agent; otherwise the DHCP client cannot obtain an IP address.
3 DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
• DHCP Snooping Overview
• Configuring DHCP Snooping
• Displaying DHCP Snooping Configuration
• DHCP Snooping Configuration Examples
DHCP Snooping Overview
Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the correspondence between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
• Layer 3 switches can track DHCP clients’ IP addresses through the security function of the DHCP relay agent operating at the network layer.
• Layer 2 switches can track DHCP clients’ IP addresses through the DHCP snooping function at the data link layer.
When an unauthorized DHCP server exists in the network, a DHCP client may obtain an illegal IP address. To ensure that DHCP clients obtain IP addresses from valid DHCP servers, you can use the DHCP snooping function to specify a port as a trusted port or an untrusted port.
• Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.
• Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses.
Figure 3-1 illustrates a typical network diagram for a DHCP snooping application, where Switch A is an S5100-SI/EI series Ethernet switch.
Figure 3-1 Typical network diagram for DHCP snooping application
DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
• DHCP-REQUEST packet
• DHCP-ACK packet
Introduction to DHCP-Snooping Option 82
Introduction to Option 82
Option 82 is the relay agent information option in the DHCP message. It records the location information
of the DHCP client.
When a DHCP relay agent (or a device enabled with DHCP snooping) receives a client’s request, it adds Option 82 to the request message and sends it to the server.
The administrator can locate the DHCP client to further implement security control and accounting. A server supporting Option 82 can also use such information to define individual assignment policies of IP addresses and other parameters for the clients.
Option 82 involves at most 255 sub-options. If Option 82 is defined, at least one sub-option must be defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (circuit ID sub-option) and sub-option 2 (remote ID sub-option).
Padding content and frame format of Option 82
There is no specification for what should be padded in Option 82. Manufacturers can pad it as required. By default, the sub-options of Option 82 for S5100-SI/EI Series Ethernet Switches (enabled with DHCP snooping) are padded as follows:
• sub-option 1 (circuit ID sub-option): Padded with the port index (the physical port number minus 1) and the VLAN ID of the port that received the client’s request.
• sub-option 2 (remote ID sub-option): Padded with the bridge MAC address of the DHCP snooping device that received the client’s request.
By default, when S5100-SI/EI Series Ethernet Switches serve as DHCP snooping devices, Option 82 adopts the extended format. Refer to Figure 3-2 and Figure 3-3 for the extended format of the sub-options (with the default padding contents). That is, the circuit ID or remote ID sub-option defines the type and length of a circuit ID or remote ID.
The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to 0 in the case of HEX format and to 1 in the case of ASCII format.
Figure 3-2 Extended format of the circuit ID sub-option
Figure 3-3 Extended format of the remote ID sub-option
In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S5100-SI/EI Series Ethernet Switches support Option 82 in the standard format. Refer to Figure 3-4 and Figure 3-5 for the standard format of the sub-options (with the default padding contents). In the standard format, the Circuit ID or Remote ID sub-option does not contain the two-byte type and length fields of the circuit ID or remote ID.
Figure 3-4 Standard format of the circuit ID sub-option
Figure 3-5 Standard format of the remote ID sub-option
Mechanism of DHCP-snooping Option 82
With DHCP snooping and DHCP-snooping Option 82 support enabled, when the DHCP snooping device receives a DHCP client’s request containing Option 82, it handles the packet according to the handling policy and the configured contents of the sub-options. For details, see Table 3-1.
Table 3-1 Ways of handling a DHCP packet with Option 82
• Handling policy: Drop. Sub-option configuration: —. The DHCP snooping device will drop the packet.
• Handling policy: Keep. Sub-option configuration: —. The DHCP snooping device will forward the packet without changing Option 82.
• Handling policy: Replace. Sub-option configuration: Neither of the two sub-options is configured. The DHCP snooping device will forward the packet after replacing the original Option 82 with the default content. The storage format of the Option 82 content is the one specified with the dhcp-snooping information format command, or the default HEX format if this command is not executed.
• Handling policy: Replace. Sub-option configuration: Circuit ID sub-option is configured. The DHCP snooping device will forward the packet after replacing the circuit ID sub-option of the original Option 82 with the configured circuit ID sub-option in ASCII format.
• Handling policy: Replace. Sub-option configuration: Remote ID sub-option is configured. The DHCP snooping device will forward the packet after replacing the remote ID sub-option of the original Option 82 with the configured remote ID sub-option in ASCII format.
When receiving a DHCP client’s request without Option 82, the DHCP snooping device adds the option field with the configured sub-options and then forwards the packet. For details, see Table 3-2.
Table 3-2 Ways of handling a DHCP packet without Option 82
• Sub-option configuration: Neither of the two sub-options is configured. The DHCP snooping device will forward the packet after adding Option 82 with the default contents. The format of Option 82 is the one specified with the dhcp-snooping information format command, or the default HEX format if this command is not executed.
• Sub-option configuration: Circuit ID sub-option is configured. The DHCP snooping device will forward the packet after adding Option 82 with the configured circuit ID sub-option in ASCII format.
• Sub-option configuration: Remote ID sub-option is configured. The DHCP snooping device will forward the packet after adding Option 82 with the configured remote ID sub-option in ASCII format.
The circuit ID and remote ID sub-options in Option 82, which can be configured simultaneously or
separately, are independent of each other in terms of configuration sequence.
When the DHCP snooping device receives a DHCP response packet from the DHCP server, the DHCP
snooping device will delete the Option 82 field, if contained, before forwarding the packet, or will directly
forward the packet if the packet does not contain the Option 82 field.
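To make the sub-option formats above and the handling rules of Tables 3-1 and 3-2 concrete, the following added Python example (not H3C code) builds Option 82 in the extended and standard formats and applies the drop/keep/replace policy to the options field of a request, then strips Option 82 from a server response. It assumes a byte layout the manual's figures do not reproduce here (2-byte VLAN ID followed by 2-byte port index for the circuit ID, a 6-byte bridge MAC for the remote ID, default content shown only in HEX storage format), that a sub-option which is not configured takes its default content, and a constructed bridge MAC.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPTION_82, PAD, END = 82, 0, 255
CIRCUIT_ID, REMOTE_ID = 1, 2   # the two sub-options the switch supports
HEX, ASCII = 0, 1              # circuit/remote ID type field of the extended format


@dataclass
class SnoopingConfig:
    strategy: str = "replace"                  # dhcp-snooping information strategy
    extended: bool = True                      # dhcp-snooping information packet-format
    circuit_id_string: Optional[str] = None    # dhcp-snooping information circuit-id string
    remote_id_string: Optional[str] = None     # dhcp-snooping information remote-id string
    bridge_mac: bytes = bytes.fromhex("000fe2aabb01")   # constructed sample bridge MAC


def sub_option(code: int, value: bytes, id_type: int, extended: bool) -> bytes:
    # Extended format: code, length, then a two-byte ID type/length header and the ID.
    # Standard format: the same without the two-byte header (assumed layout, see lead-in).
    body = (bytes([id_type, len(value)]) if extended else b"") + value
    return bytes([code, len(body)]) + body


def build_option82(cfg: SnoopingConfig, vlan_id: int, physical_port: int) -> bytes:
    """Option 82 with the default padding unless a sub-option string is configured."""
    if cfg.circuit_id_string is None:
        # Default circuit ID: VLAN ID and port index (physical port number minus 1), HEX.
        cid = sub_option(CIRCUIT_ID, struct.pack("!HH", vlan_id, physical_port - 1), HEX, cfg.extended)
    else:  # a configured sub-option is always carried in ASCII format
        cid = sub_option(CIRCUIT_ID, cfg.circuit_id_string.encode("ascii"), ASCII, cfg.extended)
    if cfg.remote_id_string is None:
        rid = sub_option(REMOTE_ID, cfg.bridge_mac, HEX, cfg.extended)  # default: bridge MAC
    else:
        rid = sub_option(REMOTE_ID, cfg.remote_id_string.encode("ascii"), ASCII, cfg.extended)
    return bytes([OPTION_82, len(cid) + len(rid)]) + cid + rid


def parse_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Split the DHCP options field (after the magic cookie) into (code, value) pairs."""
    pairs, i = [], 0
    while i < len(options) and options[i] != END:
        if options[i] == PAD:
            i += 1
            continue
        code, length = options[i], options[i + 1]
        pairs.append((code, options[i + 2:i + 2 + length]))
        i += 2 + length
    return pairs


def serialize_options(pairs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in pairs) + bytes([END])


def handle_request(options: bytes, cfg: SnoopingConfig, vlan_id: int, physical_port: int) -> Optional[bytes]:
    """Tables 3-1/3-2: the options to forward towards the server, or None if dropped."""
    pairs = parse_options(options)
    has_82 = any(code == OPTION_82 for code, _ in pairs)
    if has_82 and cfg.strategy == "drop":
        return None
    if has_82 and cfg.strategy == "keep":
        return serialize_options(pairs)
    # "replace" on a request that carries Option 82, or adding it to one that does not.
    new82 = build_option82(cfg, vlan_id, physical_port)
    pairs = [(c, v) for c, v in pairs if c != OPTION_82] + [(OPTION_82, new82[2:])]
    return serialize_options(pairs)


def handle_response(options: bytes) -> bytes:
    """Server reply: Option 82 is removed, if present, before forwarding to the client."""
    return serialize_options([(c, v) for c, v in parse_options(options) if c != OPTION_82])
```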
Introduction to IP Filtering
A denial-of-service (DoS) attack is an attempt by an attacker to send a large number of forged address requests with different source IP addresses to the server so that the network cannot work normally. The specific effects are as follows:
• The resources on the server are exhausted, so the server does not respond to other requests.
• After receiving such packets, a switch needs to send them to the CPU for processing. Too many request packets cause a high CPU usage rate. As a result, the CPU cannot work normally.
The switch can filter invalid IP packets through the DHCP-snooping table and the IP static binding table.
DHCP-snooping table
After DHCP snooping is enabled on a switch, a DHCP-snooping table is generated. It is used to record the IP addresses obtained from the DHCP server, the MAC addresses, the number of the port through which a client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which the port belongs. These records are saved as entries in the DHCP-snooping table.
IP static binding table
The DHCP-snooping table only records information about clients that obtain IP addresses dynamically through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of the client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering of the DHCP-snooping table, so it cannot access external networks.
To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between an IP address, a MAC address, and the port connecting to the client, so that packets of the client can be correctly forwarded.
IP filtering
The switch can filter IP packets in the following two modes:
• Filtering the source IP address in a packet. If the source IP address and the number of the port that receives the packet are consistent with an entry in the DHCP-snooping table or the static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
• Filtering the source IP address and the source MAC address in a packet. If the source IP address and source MAC address in the packet, and the number of the port that receives the packet, are consistent with an entry in the DHCP-snooping table or the static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
Configuring DHCP Snooping
Configuring DHCP Snooping
Follow these steps to configure DHCP snooping:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable DHCP snooping
   Command: dhcp-snooping
   Remarks: Required. By default, the DHCP snooping function is disabled.
3. Enter Ethernet port view
   Command: interface interface-type interface-number
   Remarks: —
4. Specify the current port as a trusted port
   Command: dhcp-snooping trust
   Remarks: Required. By default, after DHCP snooping is enabled, all ports of a switch are untrusted ports.
• If an S5100-SI/EI Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP.
• You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
• It is not recommended to configure both DHCP snooping and the selective Q-in-Q function on the switch, because doing so may cause DHCP snooping to function abnormally.
Configuring DHCP Snooping to Support Option 82
Enable DHCP snooping and specify trusted ports on the switch before configuring DHCP snooping to
support Option 82.
Complete the following tasks to configure DHCP snooping to support Option 82:
• Enabling DHCP-snooping Option 82 support (Required)
• Configuring a handling policy for DHCP packets with Option 82 (Optional)
• Configuring the storage format of Option 82 (Optional)
• Configuring the circuit ID sub-option (Optional)
• Configuring the remote ID sub-option (Optional)
• Configuring the padding format for Option 82 (Optional)
Enabling DHCP-snooping Option 82 support
Follow these steps to enable DHCP-snooping Option 82 support:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable DHCP-snooping Option 82 support
   Command: dhcp-snooping information enable
   Remarks: Required. Disabled by default.
Configuring a handling policy for DHCP packets with Option 82
Follow these steps to configure a handling policy for DHCP packets with Option 82:
1. Enter system view
   Command: system-view
   Remarks: —
2. Configure a global handling policy for requests that contain Option 82
   Command: dhcp-snooping information strategy { drop | keep | replace }
   Remarks: Optional. The default handling policy is replace.
3. Enter Ethernet port view
   Command: interface interface-type interface-number
   Remarks: —
4. Configure a handling policy for requests that contain Option 82 received on the specified interface
   Command: dhcp-snooping information strategy { drop | keep | replace }
   Remarks: Optional. The default policy is replace.
If a handling policy is configured on a port, it overrides the globally configured handling policy for requests received on that port, while the globally configured handling policy applies on ports where no port-specific handling policy is configured.
Configuring the storage format of Option 82
S5100-SI/EI Series Ethernet Switches support the HEX or ASCII format for the Option 82 field.
Follow these steps to configure a storage format for the Option 82 field:
1. Enter system view
   Command: system-view
   Remarks: —
2. Configure a storage format for the Option 82 field
   Command: dhcp-snooping information format { hex | ascii }
   Remarks: Optional. By default, the format is hex.
The dhcp-snooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the format of that sub-option is ASCII, regardless of the format specified with the dhcp-snooping information format command.
Configuring the circuit ID sub-option
Follow these steps to configure the circuit ID sub-option:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enter Ethernet port view
   Command: interface interface-type interface-number
   Remarks: —
3. Configure the circuit ID sub-option in Option 82
   Command: dhcp-snooping information [ vlan vlan-id ] circuit-id string string
   Remarks: Optional. By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives DHCP request packets from DHCP clients.
• If you have configured one circuit ID with the vlan vlan-id argument specified and another one without the argument in Ethernet port view, the former circuit ID applies to DHCP messages from the specified VLAN, while the latter applies to DHCP messages from other VLANs.
• In a port aggregation group, you can use this command to configure the primary and member ports respectively. When Option 82 is added, however, the circuit ID sub-option is subject to the one configured on the primary port.
• The circuit ID sub-option configured on a port will not be synchronized in the case of port aggregation.
Configuring the remote ID sub-option
You can configure the remote ID sub-option in system view or Ethernet port view:
• In system view, the remote ID takes effect on all interfaces. You can configure the remote ID as the system name (sysname) of the device or any customized character string in ASCII format.
• In Ethernet port view, the remote ID takes effect only on the current interface. You can configure the remote ID as any customized character string in ASCII format for different VLANs. That is to say, you can add different configuration rules for packets from different VLANs.
Follow these steps to configure the remote ID sub-option in Option 82:
1. Enter system view
   Command: system-view
   Remarks: —
2. Configure the remote ID sub-option in system view
   Command: dhcp-snooping information remote-id { sysname | string string }
   Remarks: Optional. By default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the DHCP client’s request.
3. Enter Ethernet port view
   Command: interface interface-type interface-number
   Remarks: —
4. Configure the remote ID sub-option in Ethernet port view
   Command: dhcp-snooping information [ vlan vlan-id ] remote-id string string
   Remarks: Optional. By default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the client’s request.
• If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured.
• If you have configured one remote ID with the vlan vlan-id argument specified and another one without the argument in Ethernet port view, the former remote ID applies to DHCP messages from the specified VLAN, while the latter applies to DHCP messages from other VLANs.
• In a port aggregation group, you can use this command to configure the primary and member ports respectively. When Option 82 is added, however, the remote ID is subject to the one configured on the primary port.
• The remote ID configured on a port will not be synchronized in the case of port aggregation.
Configuring the padding format for Option 82
Follow these steps to configure the padding format for Option 82:
1. Enter system view
   Command: system-view
   Remarks: —
2. Configure the padding format
   Command: dhcp-snooping information packet-format { extended | standard }
   Remarks: Optional. By default, the padding format is the extended format.
Configuring IP Filtering
Follow these steps to configure IP filtering:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enter Ethernet port view
   Command: interface interface-type interface-number
   Remarks: —
3. Enable IP filtering
   Command: ip check source ip-address [ mac-address ]
   Remarks: Required. By default, this function is disabled.
4. Create a static binding
   Command: ip source static binding ip-address ip-address [ mac-address mac-address ]
   Remarks: Optional. By default, no static binding entry is created.
• Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering.
• It is not recommended to configure IP filtering on the ports of an aggregation group.
• To create a static binding after IP filtering is enabled with the mac-address keyword specified on a port, the mac-address argument must be specified; otherwise, the packets sent from this IP address cannot pass the IP filtering.
• A static entry has a higher priority than a dynamic DHCP snooping entry with the same IP address. That is, if the static entry is configured after the dynamic entry is recorded, the static entry overwrites the dynamic entry; if the static entry is configured before DHCP snooping is enabled, no DHCP client can obtain the IP address of the static entry, that is, the dynamic DHCP snooping entry cannot be generated.
• The VLAN ID of the IP static binding configured on a port is the VLAN ID of the port.
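The two filtering modes described under "IP filtering" above and the static-binding rules in the notes just given, as an added Python model (example code, not the switch's implementation): entries are keyed by IP so that a static entry overrides a dynamic one, the port check is applied in both modes, and a static binding created without mac-address cannot pass a mac-address check. Port names, addresses and MACs below are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP-snooping table (static=False) or the IP static binding table."""
    ip: str
    mac: Optional[str]   # None for a static binding created without the mac-address argument
    port: str
    vlan: int
    static: bool


class IpFilter:
    def __init__(self) -> None:
        self.entries: Dict[str, Binding] = {}   # keyed by IP: one binding per address
        self.check_mode: Dict[str, str] = {}    # port -> "ip" or "ip-mac" (ip check source ...)

    def enable_check(self, port: str, with_mac: bool) -> None:
        """ip check source ip-address [ mac-address ] on the given port."""
        self.check_mode[port] = "ip-mac" if with_mac else "ip"

    def learn(self, ip: str, mac: str, port: str, vlan: int) -> bool:
        """Record a dynamic entry from a snooped DHCP-REQUEST/DHCP-ACK exchange.
        A static entry with the same IP has priority, so no dynamic entry is generated."""
        current = self.entries.get(ip)
        if current is not None and current.static:
            return False
        self.entries[ip] = Binding(ip, mac.lower(), port, vlan, static=False)
        return True

    def add_static_binding(self, ip: str, port: str, vlan: int, mac: Optional[str] = None) -> None:
        """ip source static binding ... on a port; overwrites a dynamic entry with the same IP.
        The VLAN is the VLAN of the port the binding is configured on."""
        self.entries[ip] = Binding(ip, mac.lower() if mac else None, port, vlan, static=True)

    def permit(self, port: str, src_ip: str, src_mac: str) -> bool:
        """Decide whether an IP packet received on 'port' is forwarded or dropped."""
        mode = self.check_mode.get(port)
        if mode is None:
            return True                      # IP filtering is not enabled on this port
        entry = self.entries.get(src_ip)
        if entry is None or entry.port != port:
            return False                     # unknown source IP, or bound to another port
        if mode == "ip-mac":
            # A static binding created without mac-address can never satisfy the
            # mac-address check, which is what the note above warns about.
            return entry.mac is not None and entry.mac == src_mac.lower()
        return True
```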
Displaying DHCP Snooping Configuration
• Display the user IP-MAC address mapping entries recorded by the DHCP snooping function
   Command: display dhcp-snooping [ unit unit-id ]
   Remarks: Available in any view
• Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports
   Command: display dhcp-snooping trust
   Remarks: Available in any view
• Display the IP static binding table
   Command: display ip source static binding [ vlan vlan-id | interface interface-type interface-number ]
   Remarks: Available in any view
DHCP Snooping Configuration Examples
DHCP-Snooping Option 82 Support Configuration Example
Network requirements
As shown in Figure 3-6, GigabitEthernet 1/0/5 of the switch is connected to the DHCP server, and GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are connected to Client A, Client B, and Client C respectively.