Instruction/ maintenance manual of the product 5500G 3Com
3Com® Stackable Switch Family Advanced Configuration Guide: 3Com Switch 5500, 3Com Switch 5500G, 3Com Switch 4500, 3Com Switch 4200G, 3Com Switch 4210 www.
3Com Corporation, 350 Campus Drive, Marlborough, MA USA 01752-3064. Copyright © 2006-2008, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by .
CONTENTS ABOUT THIS GUIDE Conventions 9 Related Documentation 9 Products Supported by this Document 10 1 LOGIN CONFIGURATION GUIDE Logging In from the Console Port 13 Logging In Through Te.
9 PORT SECURITY CONFIGURATION GUIDE Configuring Port Security autolearn Mode 47 Configuring Port Security mac-authentication Mode 48 .
Configuring Anycast RP Application 159 17 802.1X CONFIGURATION GUIDE Configuring 802.1x Access Control 165 18 AAA CONFIGURATION GUIDE Configuring RADIUS Authentication for Telnet Use.
25 MIRRORING CONFIGURATION GUIDE Local Port Mirroring Configuration 229 Remote Port Mirroring Configuration 231 Traffic Mirroring .
Configuring a Switch as FTP Client 307 Configuring a Switch as TFTP Client 309 34 INFORMATION CENTER CONFIGURATION GUIDE Outputting Log Information to a Unix Log Host 311 Outputting .
ABOUT THIS GUIDE Provides advanced configuration examples for the 3Com stackable switches, which includes the following: ■ 3Com Switch 5500 ■ 3Com Switch 5500G ■ 3Com Switch 4500 ■ 3C.
■ 3Com Switch Family Configuration Guides — Describe how to configure your Stackable Switch using the supported protocols and CLI commands. ■ 3Com Switch Family Quick Reference Guides — Provide a summary of command line interface (CLI) commands that are required for you to manage your Stackable Switch .
1 LOGIN CONFIGURATION GUIDE Note: Unless otherwise specified, all the switches used in the following configuration examples and configuration procedures are Switch 5500 (release V03.
# Set the history command buffer size to 20 for VTY 0. [3Com-ui-vty0] history-command max-size 20 # Set the idle-timeout time of VTY 0 to 6 minutes.
Logging In Through Telnet 15 Complete Configuration ■ Telnet login configuration with the authentication mode being none user-interface vty 0 authentication-mode none user privilege level 2 histor.
Network Diagram Figure 2 Telnetting to the switch to configure console login Networking and Configuration Requirements As shown in Figure 2, telnet to the switch to configure console login. The current user level is manage level (level 3).
The following three authentication modes are available for console login: none, password, and scheme. The configuration procedures for the three authentication modes are described below: 1 Configure not to authenticate console login users.
■ Console login configuration with the authentication mode being scheme # local-user guest password simple 123456 service-type terminal level 2 # user-in.
Configuring Login Access Control 19 [3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [3Com-acl-basic-2000] rule 3 deny source any [3Com-acl-basic-2000] quit # Reference ACL 2000 to control Telnet login by source IP address.
2 VLAN CONFIGURATION GUIDE Configuring Port-Based VLAN The VLAN technology allows you to divide a broadcast LAN into multiple distinct broadcast domains, each as a virtual work group. Port-based VLAN is the simplest approach to VLAN implementation.
[SwitchA-vlan101] quit [SwitchA] vlan 201 [SwitchA-vlan201] port Ethernet 1/0/2 # Configure Ethernet 1/0/3 of Switch A to be a trunk port and to permit the packets carrying the tag of VLAN 101 or VLAN 201 to pass through.
Configuring Protocol-Based VLAN 23 # interface Ethernet1/0/11 port access vlan 101 # interface Ethernet1/0/12 port access vlan 201 Precautions ■ After you assign the servers and the workstations to different VLANs, they cannot communicate with each other .
Configuration Procedure # Create VLAN 100 and VLAN 200; add Ethernet 1/0/11 to VLAN 100 and Ethernet 1/0/12 to VLAN 200. 1 Create VLAN 100 and add Ethernet1/0/11 to VLAN 100. [3Com] vlan 100 [3Com-vlan100] port Ethernet 1/0/11 2 Create VLAN 200 and add Ethernet 1/0/12 to VLAN 200.
port hybrid protocol-vlan vlan 200 0 # interface Ethernet1/0/11 port access vlan 100 # interface Ethernet1/0/12 port access vlan 200 Precautions Because IP depends o.
3 IP ADDRESS CONFIGURATION GUIDE IP Address Configuration Guide If you want to manage a remote Ethernet switch through network management or telnet, you need to configure an IP address for the remote switch and ensure that the local device and the remote switch are reachable to each other .
Configuration Procedure Assign a primary and secondary IP addresses to VLAN-interface 1 of Switch to ensure that all the hosts on the LAN can access external networks through Switch.
4 VOICE VLAN CONFIGURATION GUIDE Configuring Voice VLAN In automatic mode, the switch configured with voice VLAN checks the source MAC address of each incoming packet against the voice device vendor OUI. If a match is found, the switch assigns the receiving port to the voice VLAN and tags the packet with the voice VLAN ID automatically .
■ As the OUI address of IP phone 2 is not in the default voice device vendor OUI list of the switch, you need to add its OUI address 000f-2200-0000. In addition, configure its description as IP Phone2 .
phone traffic arrives at Ethernet 1/0/1, the port automatically permits the voice VLAN and transmits the voice traffic with the voice VLAN tag, so that the IP phone can receive packets normally. ■ You can set Ethernet 1/0/1 as a hybrid or trunk port following the same procedure.
Precautions ■ You cannot add a port operating in automatic mode to the voice VLAN manually. Therefore, if you configure a VLAN as a voice VLAN and a protocol VLAN at the same time, you will be unable to associate the protocol VLAN with such a port.
5 GVRP CONFIGURATION GUIDE Configuring GVRP GVRP enables a switch to propagate local VLAN registration information to other participant switches and dynamically update the VLAN registration information from other switches to its local database about active VLAN members and through which port they can be reached.
Configuration Procedure ■ Configure Switch A # Enable GVRP globally. <SwitchA> system-view [SwitchA] gvrp # Configure Ethernet 1/0/1 to be a trunk port and to permit the packets of all the VLANs to pass through.
# Configure Ethernet 1/0/1 to be a trunk port and to permit the packets of all the VLANs to pass through. Enable GVRP globally and enable GVRP on the port. # The configuration on Switch C is similar to that on Switch A. Note: For simplicity, the following provides only configuration steps.
[SwitchA] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the dynamic VLAN information on Switch B. [SwitchB] display vlan dynamic Total 3 dynamic VLAN exist(s).
# interface Ethernet1/0/3 port link-type trunk port trunk permit vlan all gvrp ■ Configuration on Switch B # gvrp # interface Ethernet1/0/1 port link-type trunk port trunk permi.
Precautions ■ The port trunk permit vlan all command is designed for GVRP only. To prevent users of unauthorized VLANs from accessing restrictive resources from a port, do not use the command when GVRP is disabled on the port.
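As an added example (not part of the 3Com guide): a small Python audit over a configuration listing in the "#"-separated layout the guide prints, flagging trunk ports that carry `port trunk permit vlan all` without GVRP, per the precaution above. It also flags `authentication-mode none` on VTY lines and `password simple` local users, both of which appear in the guide's login examples; treating those two as findings is this example's own hardening assumption, not a rule the guide states. The sample listing and the finding labels are constructed.

```python
"""Audit a '#'-separated switch configuration listing (added example)."""

# Constructed sample, laid out like the guide's "Complete Configuration" listings.
SAMPLE_CONFIG = """\
#
 gvrp
#
local-user guest
 password simple 123456
 service-type terminal
 level 2
#
interface Ethernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface Ethernet1/0/2
 port link-type trunk
 port trunk permit vlan all
#
interface Ethernet1/0/3
 port access vlan 101
#
user-interface vty 0
 authentication-mode none
 user privilege level 2
#
"""

# Section headers that open a per-object block rather than a global setting.
BLOCK_HEADS = ("interface ", "user-interface ", "local-user ")


def split_sections(text):
    """Return a list of sections; a line holding only '#' ends a section."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(text):
    """Return (object, finding) tuples in the order the sections appear."""
    sections = split_sections(text)
    # GVRP must be enabled globally as well as on the port to take effect.
    gvrp_global = any(
        not sec[0].startswith(BLOCK_HEADS) and "gvrp" in sec for sec in sections
    )
    findings = []
    for sec in sections:
        head, body = sec[0], sec[1:]
        if head.startswith("interface "):
            port = head.split(None, 1)[1]
            permits_all = "port trunk permit vlan all" in body
            gvrp_active = gvrp_global and "gvrp" in body
            if permits_all and not gvrp_active:
                findings.append((port, "trunk-permit-all-without-gvrp"))
        elif head.startswith("user-interface vty"):
            # Hardening assumption of this example: unauthenticated Telnet.
            if "authentication-mode none" in body:
                findings.append((head, "vty-no-authentication"))
        elif head.startswith("local-user "):
            # Hardening assumption of this example: cleartext password in config.
            if any(line.startswith("password simple ") for line in body):
                findings.append((head, "plaintext-password"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_CONFIG):
        print(f"{finding:32} {obj}")
```
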
6 PORT BASIC CONFIGURATION GUIDE Configuring the Basic Functions of an Ethernet Port An Ethernet port on a Switch 5500 can operate in one of the three link types: ■ Access: an access port can belong to only one VLAN and is generally used to connect to a PC.
# Enter Ethernet port view of Ethernet 1/0/1. <3Com> system-view System View: return to User View with Ctrl+Z.
7 LINK AGGREGATION CONFIGURATION GUIDE Configuring Link Aggregation Link aggregation aggregates multiple ports into one logical link, also called an aggregation group. Link aggregation allows you to increase bandwidth by distributing incoming/outgoing traffic on the member ports in the aggregation group.
Configuration Procedure Note: The example only provides the configuration on Switch A. Perform the same configuration on Switch B to implement link aggregation. 1 In manual aggregation mode # Create manual aggregation group 1.
Complete Configuration 1 In manual aggregation mode # link-aggregation group 1 mode manual # interface Ethernet1/0/1 port link-aggregation group 1 # interface Ethernet.
8 PORT ISOLATION CONFIGURATION GUIDE Configuring Port Isolation Port isolation allows you to add a port into an isolation group to isolate Layer-2 and Layer-3 traffic of the port from that of all other ports in the isolation group. While increasing network security, this allows for great flexibility .
Configuration Procedure # Add Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to the isolation group.
9 PORT SECURITY CONFIGURATION GUIDE Configuring Port Security autolearn Mode In autolearn mode, a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses .
# Enter Ethernet 1/0/1 port view. [3Com] interface Ethernet1/0/1 # Set the maximum number of MAC addresses allowed on the port to 80. [3Com-Ethernet1/0/1] port-security max-mac-count 80 # Set the port security mode to autolearn .
Network Diagram Figure 13 Network diagram for configuring port security mac-authentication mode Networking and Configuration Requirements The host connects to the switch through the port Ethernet 1/0/1, and the switch authenticates the host through the RADIUS server .
# Specify the secondary RADIUS authentication server and secondary RADIUS accounting server. [3Com-radius-radius1] secondary authentication 192.168.1.2 [3Com-radius-radius1] secondary accounting 192.
Configuring Port Security userlogin-withoui Mode 51 [3Com-Ethernet1/0/1] port-security intrusion-mode blockmac Complete Configuration # domain default enable aabbcc.net # port-security enable # MAC-authentication domain aabbcc.net # radius scheme radius1 server-type standard primary authentication 192.
On port Ethernet 1/0/1 of the switch, perform configurations to meet the following requirements: ■ Allow one 802.1x user to get online. ■ Set two OUI values, and allow only one user whose MAC address matches one of the two OUI values to get online.
[3Com-radius-radius1] timer 5 [3Com-radius-radius1] retry 5 # Set the timer for the switch to send real-time accounting packets to the RADIUS server to 15 minutes.
[3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] port-security port-mode userlogin-withoui [3Com-Ethernet1/0/1] quit # Configure port security trapping.
Configuring Port Security mac-else-userlogin-secure-ext Mode In mac-else-userlogin-secure-ext mode, a port first performs MAC authentication of a user. If the authentication is successful, the user can access the port; otherwise, the port performs 802.
# Create a RADIUS scheme named radius1. <3Com> system-view [3Com] radius scheme radius1 # Specify the primary RADIUS authentication server and primary RADIUS accounting server. [3Com-radius-radius1] primary authentication 192.
# Set aabbcc.net as the default user domain. [3Com] domain default enable aabbcc.net # Set the maximum number of concurrent 802.
idle-cut enable 20 2000 # interface Ethernet1/0/1 port-security max-mac-count 200 port-security port-mode mac-else-userlogin-secure-ext port-security ntk-mode ntkonly dot1x max-user 64 Precautions ■ Before enabling port security, be sure to disable 802.
10 PORT BINDING CONFIGURATION GUIDE Configuring a Port Binding Port binding allows the network administrator to bind the MAC and IP addresses of a user to a specific port.
# Bind the MAC address and the IP address of Host A to Ethernet 1/0/1. [3Com-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1 Complete Configuration <3Com> system-view [3Com] interface Ethernet1/0/1 [3Com-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.
11 MAC ADDRESS TABLE MANAGEMENT CONFIGURATION GUIDE MAC Address Table Management The Switch 5500 provides the MAC address table management function. Through configuration commands, you can add/modify/remove a MAC address, set the aging time for dynamic MAC addresses, and set the maximum number of MAC addresses an Ethernet port can learn.
# Add a static MAC address entry. [3Com] mac-address static 000f-e20f-dc71 interface Ethernet 1/0/2 vlan 1 # Set the aging time of dynamic MAC address entries on Switch to 500 seconds.
12 DLDP CONFIGURATION GUIDE Configuring DLDP Sometimes, unidirectional links may appear in networks. On a unidirectional link, one end can receive packets from the other end but the other end cannot. Unidirectional links can be caused by fiber cross-connection or fiber cut (including single-fiber cut and lack of a fiber connection).
# Configure the ports to work in mandatory full duplex mode at 1000 Mbps. <SwitchA> system-view [SwitchA] interface GigabitEthernet 1/1/3 [SwitchA-G.
The configuration on Switch B is the same as that on Switch A. Precautions 1 When enabling DLDP on two connected devices, make sure that they are using the same software version.
13 AUTO DETECT CONFIGURATION GUIDE Auto Detect Implementation in Static Routing You can bind a static route with a detected group. The auto detect function will then detect the reachability of the static route through the path specified in the detected group.
■ Create detected group 9 on Switch C; detect the reachability of IP address 10.1.1.3, with the next hop being 192.168.1.1/24, and the detecting number being 1. Applicable Products Configuration Procedure Configure IP addresses for the interfaces according to Figure 19.
Auto Detect Implementation in VRRP 69 # Detect the reachability of 10.1.1.3, with the next hop being 192.168.1.1/24, and the detecting number being 1. [SwitchC-detect-group-9] detect-list 1 ip address 192.168.1.1 nexthop 10.1.1.3 [SwitchC-detect-group-9] quit # Configure a static route to Switch A.
■ The master switch remains as master when the detected group is reachable. ■ The priority of the master switch decreases and thus becomes a backup when the detected group is unreachable .
# Configure an IP address for VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 10.1.1.1 24 # Enable VRRP on VLAN-interface 2, and set the virtual IP address of the VRRP group to 10.
Auto Detect Implementation in VLAN Interface Backup You can implement VLAN interface backup through auto detect.
Applicable Products Configuration Procedure ■ Configure Switch A # Enter system view. <SwitchA> system-view # Configure an IP address for VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 192.
[SwitchC] interface vlan-interface 1 [SwitchC-Vlan-interface1] ip address 10.1.2.1 24 [SwitchC-Vlan-interface1] quit # Create detected group 9. [SwitchC] detect-group 9 # Detect the reachability of 192.
ip address 10.1.1.4 255.255.255.0 # Precautions None.
14 MSTP CONFIGURATION GUIDE Configuring MSTP The Switch 5500 supports the Multiple Spanning Tree Protocol (MSTP), which allows you to map one or multiple VLANs to a multiple spanning tree instance (MSTI). Note that one VLAN can be mapped to only one MSTI.
Applicable Products Configuration Procedure 1 Configuration on Switch A # Enter MST region view. <3Com> system-view [3Com] stp region-configuration # Configure the region name, VLAN-to-MSTI mapping, and revision level of the MST region.
3 Configuration on Switch C # Configure the MST region. <3Com> system-view [3Com] stp region-configuration [3Com-mst-region] region-name example [3Com-mst-region] instance 1.
instance 4 vlan 40 active region-configuration # ■ Configuration on Switch C # stp instance 4 root primary stp region-configuration region-name example in.
Configuring VLAN-VPN Tunneling 81 Applicable Products Configuration Procedure 1 Configuration on Switch A # Enable MSTP. <3Com> system-view [3Com] stp enable # Add Ethernet 1/0/1 to VLAN 10. [3Com] vlan 10 [3Com-Vlan10] port Ethernet1/0/1 2 Configuration on Switch B # Enable MSTP.
[3Com] interface Ethernet1/0/2 [3Com-Ethernet1/0/2] port link-type trunk # Add the trunk port Ethernet 1/0/2 to all the VLANs. [3Com-Ethernet1/0/2] port trunk permit vlan all 4 Configuration on Switch D # Enable MSTP.
Configuring RSTP 83 # stp enable # vlan-vpn tunnel # interface Ethernet1/0/1 port access vlan 10 vlan-vpn enable # interface Ethernet1/0/2 port link-type trunk port trunk permit vlan all # 4 Configura.
Network Diagram Figure 24 Network diagram for RSTP configuration Networking and Configuration Requirements ■ Switch A is operating at the core. ■ Switch B and Switch C are operating at the distribution layer .
Configuration Procedure 1 Configuration on Switch A # Enable MSTP. <3Com> system-view [3Com] stp enable # Enabling MSTP globally on the switch enables RSTP on all the ports. Disable MSTP on the ports that are not involved in RSTP calculation, for example GigabitEthernet 2/0/4.
# Configure Switch C and Switch B to back up each other, and set the bridge priority of Switch B to 4096. [3Com] stp priority 4096 # Enable the root guard function on each designated port.
# Enable MSTP. <3Com> system-view [3Com] stp enable # Enabling MSTP globally on the switch enables RSTP on all the ports. Disable MSTP on the ports that are not involved in RSTP calculation, for example Ethernet 1/0/3.
interface Ethernet1/0/8 stp disable # 3 Configuration on Switch C # stp instance 0 priority 8192 stp enable # interface Ethernet1/0/1 stp root-protection # .
Configuring Digest Snooping and Rapid Transition 89 Network Diagram Figure 25 Network diagram for digest snooping and rapid transition configuration Networking and Configuration Requirements ■ Use another vendor’s switch, Switch A in this scenario, as the root switch.
[3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] stp config-digest-snooping # Enable rapid transition on the root port Ethernet 1/0/1. [3Com-Ethernet1/0/1] stp no-agreement-check [3Com-Ethernet1/0/1] quit 2 Configuration on Switch C # Enable MSTP.
stp config-digest-snooping # interface Ethernet1/0/1 stp no-agreement-check # interface Ethernet1/0/2 stp config-digest-snooping #.
15 ROUTING CONFIGURATION GUIDE Configuring Static Routes A static route is manually configured by an administrator. In a simple network, you only need to configure static routes to make the network work normally .
Configuration Procedure Configure the switches: ■ Configure static routes on Switch A. <SwitchA> system-view [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.
Configuring RIP 95 ■ You cannot configure the next hop of a static route as the address of an interface on the local switch. ■ You can configure different preferences or an identical preference for routes to the same destination for route backup or load sharing.
Configuration Procedure ■ Configure Switch A. # Configure RIP. <SwitchA> system-view [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ip address 110.
Complete Configuration ■ Perform the following configuration on Switch A. # vlan 1 # vlan 2 # interface Vlan-interface1 ip address 110.11.2.1 255.255.255.0 rip version 2 multicast # interface Vlan-interface2 ip address 155.10.1.1 255.
Precautions ■ RIPv2 supports automatic route summarization (with the summary command). This function is enabled by default. ■ Based on your needs, you can configure the switch to receive or send RIP packets with the rip input command or the rip output command.
Configuring OSPF 99 Networking and Configuration Requirements Network devices run OSPF to forward packets. For network security, disable the device interfaces not enabled with OSPF from sending OSPF packets. Configuration Procedure ■ Configure Switch A.
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.2.0 0.0.0.255 [SwitchC-ospf-1-area-0.0.0.1] quit [SwitchC-ospf-1] quit ■ Configure Switch D (refer to “Configure Switch C.” on page 99). Complete Configuration ■ Perform the following configuration on Switch A.
interface Vlan-interface20 ip address 192.168.2.1 255.255.255.0 # interface Vlan-interface200 ip address 10.1.2.2 255.255.255.0 # interface Vlan-interface300 ip address 10.1.4.1 255.255.255.0 # ospf 1 silent-interface Vlan-interface10 silent-interface Vlan-interface20 area 0.
Precautions ■ Before configuring OSPF basic functions, configure a router ID for each OSPF process to ensure OSPF runs normally. You are recommended to use the ospf command to configure router IDs for the processes, especially on a device running multiple processes.
Configuring OSPF DR Election 103 Networking and Configuration Requirements Use OSPF to enable communication between devices in a broadcast network. Devices with higher performance should become the DR and BDR to improve network performance. Disable the devices with lower performance from taking part in the DR/BDR election.
[SwitchB-ospf-1-area-0.0.0.0] quit [SwitchB-ospf-1] quit ■ Configure Switch C. # Assign a router ID to Switch C. <SwitchC> system-view [SwitchC] router id 3.3.3.3 # Configure an IP address for the VLAN interface.
area 0.0.0.0 network 196.1.1.0 0.0.0.255 ■ Perform the following configuration on Switch B. # router id 2.2.2.2 # vlan 1 # interface Vlan-interface 1 ip address 196.1.1.2 255.255.255.0 ospf dr-priority 0 # ospf 1 area 0.
Configuring a (Totally) Stub Area When a large number of OSPF routers are present on a network, the LSDB of routers may become so large that a great amount of storage space is occupied and CPU resources are exhausted when performing the SPF computation.
Configuration Procedure Non-backbone area and backbone area configuration (area 1 is a non-backbone area) ■ Configure Switch A. # Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted.
# Redistribute the static route to specify Switch D as an ASBR. [SwitchD-ospf-1] import-route static [SwitchD-ospf-1] quit Note: ■ The above-mentioned steps configure non-backbone areas, backbone area, and ABRs/ASBRs.
ip address 10.2.1.1 255.255.255.0 # ospf 1 router-id 1.1.1.1 area 0.0.0.1 network 10.2.1.0 0.0.0.255 # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Perform the following configuration on Switch B. # vlan 100 # vlan 200 # interface Vlan-interface100 ip address 10.
ip address 10.5.1.1 255.255.255.0 # ospf 1 router-id 4.4.4.4 import-route static area 0.0.0.2 network 10.
Configuring a (Totally) NSSA Area 111 Refer to the configuration of Switch D when area 1 is a non-backbone area. Configuration information when area 1 is a totally stub area: ■ Perform the following configuration on Switch A. # vlan 100 # vlan 200 # interface Vlan-interface100 ip address 10.
Network Diagram Figure 31 Network diagram for (totally) NSSA area configuration Networking and Configuration Requirements Run OSPF on the network devices. Based on actual conditions, you can configure an (totally) NSSA area to reduce the routing table size in the area.
<SwitchC> system-view [SwitchC] ip route-static 2.0.0.0 8 10.4.1.2 # Configure OSPF for area 1. [SwitchC] ospf 1 router-id 3.3.3.3 [SwitchC-ospf-1] area 1 [SwitchC-ospf-1-area-0.0.0.1] network 10.2.1.0 0.
# Configure area 1 as an NSSA area. [SwitchA-ospf-1-area-0.0.0.1] nssa [SwitchC-ospf-1-area-0.0.0.1] nssa Note: ■ The steps above configure an NSSA area. ■ Use the display ospf lsdb command on Switch C to display the LSDB.
■ Use the display ospf lsdb command on Switch C to display the LSDB. You can see that no Type-4 LSAs or Type-5 LSAs exist in the LSDB.
interface Vlan-interface200 ip address 10.3.1.1 255.255.255.0 # ospf 1 router-id 2.2.2.2 area 0.0.0.2 network 10.3.1.0 0.0.0.255 # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Perform the following configuration on Switch C.
Configuring OSPF Route Summarization 117 ■ After you configure an area as a totally NSSA area, the ABR of the totally NSSA area will automatically generate a Type-3 default LSA into the totally NSSA area. ■ For the ASBR of an NSSA area to generate a default Type-7 LSA, the default route with the destination address 0.
If this feature is configured on the ABR of the NSSA area, the ABR will summarize Type-5 LSAs translated from Type-7 LSAs. Network Diagram Figure 33 Network diagram for route summarization configuration Networking and Configuration Requirements Network devices run OSPF to forward packets.
# Configure the static routes 2.1.3.0/24, 2.1.4.0/24, 2.1.5.0/24, 2.1.6.0/24, and 2.1.7.0/24. <SwitchC> system-view [SwitchC] ip route-static 2.1.3.0 24 20.1.2.2 [SwitchC] ip route-static 2.1.4.0 24 20 .
# Configure ABR route summarization to summarize the routes 30.1.1.0/24 and 30.1.2.0/24 in area 2 into 30.1.0.0/22. [SwitchB-ospf-1] area 2 [SwitchB-ospf-1-area-0.0.0.2] abr-summary 30.1.0.0 255.255.252.
network 20.1.1.0 0.0.0.255 nssa # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Perform the following configuration on Switch B. # vlan 100 # vlan 200 # interface Vlan-interface100 ip address 10.1.1.2 255.255.255.
vlan 300 # interface Vlan-interface200 ip address 30.1.1.2 255.255.255.0 # interface Vlan-interface300 ip address 30.1.2.1 255.255.255.0 # ospf 1 router-id 4.4.4.4 import-route static area 0.0.0.2 network 30.
ospf 1 router-id 2.2.2.2 area 0.0.0.2 network 30.1.1.0 0.0.0.255 # area 0.0.0.0 network 10.1.1.0 0.0.0.255 # ■ Configure Switch C. # vlan 200 # vlan 300 # interface Vlan-interface200 ip address 20.1.1.2 255.255.
ip route-static 1.1.7.0 255.255.255.0 30.1.2.2 preference 60 # ASBR route summarization configuration 2 Note: Configure ASBR route summarization on Switch A to summarize the Type-5 LSAs translated from Type-7 LSAs.
ip address 20.1.1.2 255.255.255.0 # interface Vlan-interface300 ip address 20.1.2.1 255.255.255.0 # ospf 1 router-id 3.3.3.3 import-route static area 0.0.0.2 network 20.1.1.0 0.0.0.255 network 20.1.2.0 0.0.0.255 nssa # ip route-static 2.
Configuring OSPF Virtual Link Among OSPF areas in an AS, one area is different from any other area. Its area ID is 0 and it is usually called the backbone area. The backbone area is responsible for distributing routing information between non-backbone areas.
Configuration Procedure 1 Configure OSPF basic functions. # Configure Switch A. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 196.
# router id 1.1.1.1 # vlan 1 # vlan 2 # interface Vlan-interface1 ip address 196.1.1.2 255.255.255.0 # interface Vlan-interface2 ip address 197.1.1.2 255.255.255.0 # ospf 1 area 0.0.0.0 network 196.1.1.0 0.
Configuring Routing Policies 129 Network Diagram Figure 35 Network diagram for routing policy configuration Networking and Configuration Requirements ■ As shown in the figure above, Switch A and Switch B run OSPF. The router ID of Switch A is 1.
# Configure an ACL. [SwitchA] acl number 2000 [SwitchA-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255 [SwitchA-acl-basic-2000] rule permit source any [SwitchA-acl-basic-2000] quit # Configure a routing policy .
[SwitchA] router id 1.1.1.1 [SwitchA] ospf [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255 [SwitchA-ospf-1-area-0.0.0.0] quit [SwitchA-ospf-1] quit # Configure an ACL. [SwitchA] acl number 2000 [SwitchA-acl-basic-2000] rule deny source 30.
132 CHAPTER 15: ROUTING CONFIGURATION GUIDE # Configure route summarization to prevent network 30.0.0.0/8 from being advertised. [SwitchA-ospf-1] asbr-summary 30.0.0.0 255.0.0.0 not-advertise # Redistribute the static routes. [SwitchA-ospf-1] import-route static ■ Configure Switch B.
Configuring Routing Policies 133 ip address 10.0.0.2 255.0.0.0 # ospf 1 area 0.0.0.0 network 10.0.0.0 0.255.255.255 # Precautions In an OSPF network, when an ASBR redistributes routes, you can use th.
134 CHAPTER 15: ROUTING CONFIGURATION GUIDE.
16 MULTICAST CONFIGURATION GUIDE Configuring IGMP Snooping Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraint mechanism that runs on Layer 2 Ethernet switches to manage and control multicast groups.
136 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuration Procedure Configuring IP addresses for the interfaces of each device Configure the IP address and subnet mask for each interface as per Figure 36. The detailed configuration steps are omitted here.
Configuring IGMP Snooping 137 MAC group address: 0100-5e01-0101 Host port(s): Ethernet1/0/3 Ethernet1/0/4 As shown above, a multicast group entry for 224.1.1.1 has been created on Switch A, with Ethernet 1/0/1 as the router port and Ethernet 1/0/3 and Ethernet 1/0/4 as dynamic member ports.
138 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuring IGMP Snooping Only Network Diagram Figure 37 Network diagram for IGMP Snooping only configuration Networking and Configuration Requirement.
Configuring IGMP Snooping Only 139 [SwitchA] vlan 100 [SwitchA-vlan100] port Ethernet 1/0/1 Ethernet 1/0/2 [SwitchA-vlan100] igmp-snooping enable # Enable IGMP Snooping querier in VLAN 100. [SwitchA-vlan100] igmp-snooping querier [SwitchA-vlan100] quit # Enable dropping unknown multicast packets.
140 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Verifying the configuration Check the reception of multicast stream for multicast group 224.1.1.1 on Host A, and take the following steps to verify the configurations made on the switches. 1 View the information on Switch B # View the IGMP packet statistics on Switch B.
Configuring IGMP Snooping Only 141 <Switch A> display igmp-snooping group Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):100. Total 1 IP Group(s). Total 1 MAC Group(s). Router port(s): IP group(s):the following ip group(s) match to one mac group.
142 CHAPTER 16: MULTICAST CONFIGURATION GUIDE vlan 100 igmp-snooping enable igmp-snooping querier # interface Ethernet1/0/1 port access vlan 100 # interface Ethernet1/0/2 port access vlan 100 # Co.
Configuring Multicast VLAN 143 Since multicast packets are transmitted within the multicast VLAN, which is isolated from user VLANs, the bandwidth and security can be guaranteed.
144 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuration Procedure Assume that the IP addresses have been configured and the devices have been connected correctly. 1 Configure Switch A. # Configure the IP address of VLAN-interface 20 as 168.
Configuring Multicast VLAN 145 [SwitchB-vlan10] igmp-snooping enable [SwitchB-vlan10] quit # Configure Ethernet 1/0/10 as a Hybrid port, assign it to VLAN 2, VLAN 3 and VLAN 10, and configure it to send packets of VLAN 2, VLAN 3, and VLAN 10 with the respective VLAN tags kept.
146 CHAPTER 16: MULTICAST CONFIGURATION GUIDE # vlan 1 to 3 # vlan 10 service-type multicast igmp-snooping enable # interface Ethernet1/0/1 port link-type hybrid port hybrid vlan 1 to 2 10 untagg.
Configuring PIM-SM plus IGMP plus IGMP Snooping 147 Then, the multicast source sends the multicast traffic along the SPT to the RP. Upon reaching the RP, the multicast traffic flows down the RPT to the receivers.
148 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Networking and Configuration Requirements Requirement Analysis When users receive VOD information through multicast, the information receiving mode m.
Configuring PIM-SM plus IGMP plus IGMP Snooping 149 [SwitchA-Vlan-interface100] igmp enable [SwitchA-Vlan-interface100] pim sm [SwitchA-Vlan-interface100] quit [SwitchA] interface vlan-interface 101 .
150 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Use the following commands to determine whether Host A and Host C can receive multicast data # View the PIM neighboring relationships on Switch E. <SwitchE> display pim neighbor Neighbor’s Address Interface Name Uptime Expires 192.
Configuring PIM-SM plus IGMP plus IGMP Snooping 151 Vlan-interface100, Protocol 0x1: IGMP, never timeout Matched 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry The information on Switch B and Switch C is similar to that on Switch A. # View the PIM routing table on Switch D.
152 CHAPTER 16: MULTICAST CONFIGURATION GUIDE MAC group address:0100-5e01-0101 Host port(s):Ethernet1/0/19 # View the multicast group information that contains port information on Switch B. <SwitchB> display mpm group Total 1 IP Group(s). Total 1 MAC Group(s).
Configuring PIM-SM plus IGMP plus IGMP Snooping 153 Vlan(id):103. Total 0 IP Group(s). Total 0 MAC Group(s). Router port(s):Ethernet1/0/10 As shown above, Ethernet 1/0/21 has become a member port for multicast group 225.
154 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Configuration on Switch D # acl number 2005 rule 0 permit source 225.1.1.0 0.0.0.255 # multicast routing-enable # interface Vlan-interface101 ip address 192.168.1.2 255.255.255.0 pim sm # interface Vlan-interface105 ip address 192.
Configuring PIM-DM plus IGMP 155 vlan 100 igmp-snooping enable # Precautions ■ Only one C-BSR can be configured on a Layer 3 switch. Configuration of a C-BSR on another interface overwrites the previous configuration. ■ It is recommended that C-BSRs and C-RPs be configured on Layer 3 switches in the backbone network.
156 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Network Diagram Figure 40 Network diagram for PIM-DM configuration Networking and Configuration Requirements ■ Receivers receive multicast VOD information through multicast.
Configuring PIM-DM plus IGMP 157 Configuration Procedure Configuring the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 40. The detailed configuration steps are omitted here.
158 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Use the display pim routing-table command to view the PIM routing information on the switches. For example: # View the PIM routing table on Switch A. <SwitchA> display pim routing-table PIM-DM Routing Table Total 1 (S,G) entry (10.
Configuring Anycast RP Application 159 ip address 192.168.2.1 255.255.255.0 pim dm # interface Vlan-interface200 ip address 10.110.2.1 255.255.255.0 igmp enable pim dm # Configuration on Switch C # multicast routing-enable # interface Vlan-interface102 ip address 192.
160 CHAPTER 16: MULTICAST CONFIGURATION GUIDE Network Diagram Figure 41 Network diagram for anycast RP configuration Networking and Configuration Requirements ■ The PIM-SM domain in this example has multiple multicast sources and receivers. OSPF needs to run in the domain to provide unicast routes.
Configuring Anycast RP Application 161 Configure OSPF for interconnection between the switches. The detailed configuration steps are omitted here. Enabling IP multicast routing and enabling PIM-SM on each interface # Enable multicast routing on Switch C, and enable PIM-SM on each interface.
162 CHAPTER 16: MULTICAST CONFIGURATION GUIDE As shown above, the multicast source has been registered on Switch C, which is deemed as the RP. # View the PIM routing information on Switch F. <Switch F>dis pim routing-table PIM-SM Routing Table Total 0 (S,G) entry, 1 (*,G) entries, 0 (*,*,RP) entry (*, 225.
Configuring Anycast RP Application 163 After the peering relationship is established, the multicast receiver can receive multicast data from the source. # View the PIM routing information on Switch C again. [Switch C] display pim routing-table PIM-SM Routing Table Total 1 (S,G) entries, 0 (*,G) entry, 0 (*,*,RP) entry (10.
164 CHAPTER 16: MULTICAST CONFIGURATION GUIDE ip address 3.3.3.3 255.255.255.255 pim sm # interface LoopBack10 ip address 10.1.1.1 255.255.255.255 pim sm # pim c-bsr LoopBack1 24 c-rp LoopBack10 # msdp originating-rp Vlan-interface101 peer 192.168.
17 802.1X CONFIGURATION GUIDE Note: The following configurations involve most AAA/RADIUS configuration commands. Refer to “AAA Configuration” in the Configuration Guide for your product for information about the commands. Configurations on the user host and the RADIUS servers are omitted.
166 CHAPTER 17: 802.1X CONFIGURATION GUIDE seconds, it retransmits the packet for up to 5 times. The switch sends real-time accounting packets at an interval of 15 minutes. A username is sent to the RADIUS server with the domain name truncated.
Configuring 802.1x Access Control 167 # Set the interval and the number of packet transmission attempts for the switch to send packets to the RADIUS server. [3Com-radius-radius1] timer 5 [3Com-radius-radius1] retry 5 # Set the interval for the switch to send real-time accounting packets to the RADIUS server.
168 CHAPTER 17: 802.1X CONFIGURATION GUIDE primary authentication 10.11.1.1 primary accounting 10.11.1.2 secondary authentication 10.11.1.2 secondary accounting 10.11.1.1 key authentication name key accounting money timer realtime-accounting 15 timer response-timeout 5 retry 5 user-name-format without-domain # domain aabbcc.
18 AAA CONFIGURATION GUIDE Configuring RADIUS Authentication for Telnet Users Authentication, Authorization and Accounting (AAA) is a uniform framework used to configure the three functions for network security management. It can be implemented by multiple protocols.
170 CHAPTER 18: AAA CONFIGURATION GUIDE usernames and login passwords. Note that the Telnet usernames added to the RADIUS server must be in the format of userid@isp-name. ■ Configure the switch to include domain names in the usernames to be sent to the RADIUS server in the RADIUS scheme.
Configuring Dynamic VLAN Assignment with RADIUS Authentication 171 primary authentication 10.110.91.164 key authentication aabbcc server-type extended user-name-format with-domain quit # domain cams .
172 CHAPTER 18: AAA CONFIGURATION GUIDE Configuration Procedure # Create a RADIUS scheme named cams and specify the primary and secondary servers. <3Com> system-view [3Com] radius scheme cams [3Com-radius-cams] primary authentication 192.
Configuring Local Authentication for Telnet Users 173 radius scheme cams primary authentication 192.168.1.19 primary accounting 192.168.1.19 secondary authentication 192.
174 CHAPTER 18: AAA CONFIGURATION GUIDE Configuration Procedure # Enter system view. <3Com> system-view # Configure the switch to use AAA authentication for Telnet users. [3Com] user-interface vty 0 4 [3Com-ui-vty0-4] authentication-mode scheme [3Com-ui-vty0-4] quit # Configure a local user named telnet.
Configuring HWTACACS Authentication for Telnet Users 175 Network Diagram Figure 46 Network diagram for configuring HWTACACS authentication for Telnet users Networking and Configuration Requirement.
176 CHAPTER 18: AAA CONFIGURATION GUIDE Complete Configuration # system-view hwtacacs scheme hwtac primary authentication 10.110.91.164 49 primary authorization 10.
Configuring EAD 177 Networking and Configuration Requirements As shown in Figure 47, a user host is connected to Ethernet 1/0/1 on the switch. On the host runs the 802.
178 CHAPTER 18: AAA CONFIGURATION GUIDE quit domain system radius-scheme cams Precautions To support all extended functions of CAMS, you are recommended to configure the 802.1x authentication method as EAP and the RADIUS scheme server type as extended on the switch.
19 MAC AUTHENTICATION CONFIGURATION GUIDE Configuring MAC Authentication MAC authentication provides a way for authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts.
180 CHAPTER 19: MAC AUTHENTICATION CONFIGURATION GUIDE Configuration Procedure # Enable MAC authentication for port Ethernet 1/0/2. <3Com> system-view [3Com] mac-authentication interface Ethernet 1/0/2 # Specify the MAC authentication username type as MAC address and the MAC address format as with-hyphen.
Configuring MAC Authentication 181 h-hyphen # domain aabbcc.net # local-user 00-0d-88-f6-44-c1 password simple 00-0d-88-f6-44-c1 service-type lan-access # Precautions ■ You cannot configure the m.
182 CHAPTER 19: MAC AUTHENTICATION CONFIGURATION GUIDE.
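The complete configurations in chapters 17 to 19 store the RADIUS shared keys (`key authentication name`, `key accounting money`) and the MAC-authentication local user's `password simple` value in readable form, with the password equal to the username. The following check for saved configuration files is an added example, not part of the 3Com guide; the rule names, the `audit` function and the sample text are constructed, and the one-command-per-line layout of the sample is an assumption (the scanner also accepts the flattened single-line form).

```python
import re

# Constructed sample, assembled from configuration lines shown in this guide
# (RADIUS scheme radius1 and the MAC-authentication local user).
SAMPLE_CONFIG = """\
radius scheme radius1
 primary authentication 10.11.1.1
 key authentication name
 key accounting money
 user-name-format without-domain
#
domain aabbcc.net
#
local-user 00-0d-88-f6-44-c1
 password simple 00-0d-88-f6-44-c1
 service-type lan-access
#
"""

# (rule id, pattern). Group 1 is the secret and always ends the match,
# so it can be masked before the line is reported.
RULES = [
    ("radius-key-readable",
     re.compile(r"\bkey\s+(?:authentication|accounting)\s+(\S+)", re.I)),
    ("local-password-simple",
     re.compile(r"\bpassword\s+simple\s+(\S+)", re.I)),
]
LOCAL_USER = re.compile(r"\blocal-user\s+(\S+)", re.I)


def mask(line):
    """Replace every secret matched by RULES so the report does not repeat it."""
    for _, pattern in RULES:
        line = pattern.sub(
            lambda m: m.group(0)[: m.start(1) - m.start(0)] + "<redacted>", line
        )
    return line


def audit(config_text):
    """Return one finding per readable secret in a saved configuration."""
    findings = []
    local_user = None  # username of the local-user section being read
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "#":
            local_user = None  # '#' closes a configuration section
            continue
        if not raw[0].isspace():
            # An unindented line opens a new section.
            m = LOCAL_USER.search(line)
            local_user = m.group(1) if m else None
        for rule_id, pattern in RULES:
            for m in pattern.finditer(line):
                secret = m.group(1)
                findings.append(
                    {"line": lineno, "rule": rule_id, "text": mask(line)}
                )
                # MAC authentication as configured here uses the MAC address
                # as both username and password; report that separately.
                if (rule_id == "local-password-simple" and local_user
                        and secret.lower() == local_user.lower()):
                    findings.append(
                        {"line": lineno, "rule": "password-equals-username",
                         "text": mask(line)}
                    )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"line {finding['line']:>2}  {finding['rule']:<26} {finding['text']}")
```
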
20 VRRP CONFIGURATION GUIDE Single VRRP Group Configuration Virtual Router Redundancy Protocol (VRRP) is an error-tolerant protocol defined in RFC 2338.
184 CHAPTER 20: VRRP CONFIGURATION GUIDE Applicable Products Configuration Procedure 1 Configure Switch A. # Configure VLAN 2. <LSW-A> system-view [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet1/0/6 [LSW-A-vlan2] quit [LSW-A] interface Vlan-interface 2 [LSW-A-Vlan-interface2] ip address 202.
Single VRRP Group Configuration 185 [LSW-B] interface Vlan-interface 2 [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0 [LSW-B-Vlan-interface2] quit # Enable the VRRP group to respond to ping operations destined for its virtual IP address.
186 CHAPTER 20: VRRP CONFIGURATION GUIDE ■ If both switches in the preemptive mode and switches in the non-preemptive mode exist in a VRRP group, the working mode of the VRRP group conforms to that of the master.
Multiple VRRP Groups Configuration 187 <LSW-A> system-view [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet1/0/6 [LSW-A-vlan2] quit [LSW-A] interface Vlan-interface 2 [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0 # Create VRRP group 1.
188 CHAPTER 20: VRRP CONFIGURATION GUIDE ip address 202.38.160.2 255.255.255.0 vrrp vrid 1 virtual-ip 202.38.160.111 vrrp vrid 2 virtual-ip 202.38.160.112 vrrp vrid 2 priority 110 # interface Ethernet1/0/6 port access vlan 2 # Precautions ■ The Switch 5500 supports VRRP, while the Switch 4500 does not.
VRRP Interface Tracking 189 Network Diagram Figure 51 Network diagram for VRRP Networking and Configuration Requirements Switch A is the master and Switch B is the backup in a VRRP group. Both Switch A and Switch B have an interface connected with the Internet.
190 CHAPTER 20: VRRP CONFIGURATION GUIDE # Create VRRP group 1. [LSW-A] interface Vlan-interface 2 [LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Set the priority of Switch A in VRRP group 1 to 110. [LSW-A-Vlan-interface2] vrrp vrid 1 priority 110 # Set the interface to be tracked.
VRRP Port Tracking 191 port access vlan 2 # ■ Configurations on Switch B # vrrp ping-enable # interface Vlan-interface2 ip address 202.38.160.2 255.255.255.0 vrrp vrid 1 virtual-ip 202.38.160.111 # interface Ethernet1/0/5 port access vlan 2 # Precautions ■ The Switch 5500 supports VRRP, while the Switch 4500 does not.
192 CHAPTER 20: VRRP CONFIGURATION GUIDE Networking and Configuration Requirements ■ There are two switches, the master and the backup, in VRRP group 1. ■ The IP addresses of the master and the backup are 10.100.10.2 and 10.100.10.3 respectively.
VRRP Port Tracking 193 [3Com] interface Vlan-interface 3 [3Com-Vlan-interface3] vrrp vrid 1 virtual-ip 10.100.10.1 # Enter port view of Ethernet 1/0/1 and enable the VRRP port tracking function.
194 CHAPTER 20: VRRP CONFIGURATION GUIDE.
21 DHCP CONFIGURATION GUIDE DHCP Server Global Address Pool Configuration Guide In general, there are two typical DHCP network topologies. One is to deploy the DHCP server and DHCP clients in the same network segment. This enables the clients to communicate with the server directly.
196 CHAPTER 21: DHCP CONFIGURATION GUIDE Applicable Products Configuration Procedure # Enable DHCP. [SwitchA] dhcp enable # Exclude the IP addresses of the DNS server, WINS server, and gateways from dynamic assignment. [SwitchA] dhcp server forbidden-ip 10.
DHCP Server Global Address Pool Configuration Guide 197 <SwitchA> %Apr 10 21:34:55:782 2000 3Com DHCPS/4/DHCPS_LOCAL_SERVER:- 1 - Local DHCP server information(detect by server):SERVER IP = 10.
198 CHAPTER 21: DHCP CONFIGURATION GUIDE DHCP Server Interface Address Pool Configuration Guide Network Diagram Figure 54 Network diagram for DHCP server interface address pool configuration Networking and Configuration Requirements ■ Configure the IP address of VLAN-interface 1 on the DHCP server (Switch A) as 192.
DHCP Relay Agent Configuration Guide 199 [SwitchA-Vlan-interface1] dhcp select interface # Configure a static IP-to-MAC binding in the DHCP interface address pool.
200 CHAPTER 21: DHCP CONFIGURATION GUIDE Network Diagram Figure 55 Network diagram for DHCP relay agent configuration Networking and Configuration Requirements ■ VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside.
DHCP Snooping Configuration Guide 201 [SwitchA] dhcp-security static 10.10.10.5 0001-0010-0001 # Enable the address check function on the DHCP relay agent. [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] address-check enable Currently, a Switch 4500 operating as a DHCP relay agent does not support the address check function.
202 CHAPTER 21: DHCP CONFIGURATION GUIDE Network Diagram Figure 56 Network diagram for DHCP snooping configuration Networking and Configuration Requirements As shown in Figure 56, Ethernet 1/0/5 o.
DHCP Accounting Configuration Guide 203 Precautions ■ You need to specify the port connected to the authorized DHCP server as a trusted port to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the ports connected to the DHCP clients must be in the same VLAN.
204 CHAPTER 21: DHCP CONFIGURATION GUIDE # Enter Ethernet 1/0/1 view and add the port to VLAN 2. [3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] port access vlan 2 [3Com-Ethernet1/0/1] quit # Enter Ethernet 1/0/2 view and add the port to VLAN 3.
DHCP Client Configuration Guide 205 # vlan 2 # vlan 3 # interface Vlan-interface2 ip address 10.1.1.1 255.255.255.0 # interface Vlan-interface3 ip address 10.
206 CHAPTER 21: DHCP CONFIGURATION GUIDE Complete Configuration # interface Vlan-interface1 ip address dhcp-alloc # Precautions None.
22 ACL CONFIGURATION GUIDE Configuring Basic ACLs Basic ACLs filter packets based on only source IP address. The numbers of basic ACLs range from 2000 to 2999.
208 CHAPTER 22: ACL CONFIGURATION GUIDE Complete Configuration # acl number 2000 rule 1 deny source 10.1.1.1 0 time-range test # interface Ethernet1/0/1 packet-filter inbound ip-group 2000 rule 1 #.
Configuring Ethernet Frame Header ACLs 209 Configuration Procedure # Define a periodic time range that is from 8:00 to 18:00 on working days. <3Com> system-view [3Com] time-range test 8:00 to 18:00 working-day # Define advanced ACL 3000 to filter packets destined for the wage query server.
210 CHAPTER 22: ACL CONFIGURATION GUIDE Network Diagram Figure 60 Network diagram for Ethernet frame header ACL configuration Networking and Configuration Requirements PC 1 and PC 2 connect to the switch through Ethernet 1/0/1 (assuming that the switch is a Switch 5500).
Configuring User-Defined ACLs 211 Precautions ■ If a packet matches multiple ACL rules at the same time and some actions of the rules conflict, the last assigned rule takes effect. For an Ethernet frame header ACL applied to a port, you cannot configure the format-type argument as 802.
212 CHAPTER 22: ACL CONFIGURATION GUIDE # Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from 8:00 to 18:00 everyday (provided that VLAN-VPN is not enabled on any port).
Configuring User-Defined ACLs 213 ■ With the Switch 5500/5500G, for a user-defined ACL to be assigned successfully, the maximum length of a user-defined rule string is 32 bytes. The string may or may not contain spaces, and can occupy up to eight mask offset units.
214 CHAPTER 22: ACL CONFIGURATION GUIDE.
23 QoS/QoS PROFILE CONFIGURATION GUIDE Configuring Traffic Policing and LR Network Diagram Figure 62 Network diagram for traffic policing and LR configuration Networking and Configuration Requirements A company uses a switch (a Switch 5500 in this example) to interconnect all the departments.
216 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE Configuration Procedure 1 Define traffic classification rules # Create basic ACL 2000 and enter basic ACL view. <3Com> system-view [3Com] acl number 2000 # Define a rule to match the packets with source IP address 192.
Configuring Priority Marking and Queue Scheduling 217 Configuring Priority Marking and Queue Scheduling Network Diagram Figure 63 Network diagram for priority marking and queue scheduling configuration Networking and Configuration Requirements A company uses a switch (a Switch 5500 in this example) to interconnect all the departments.
218 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE Configuration Procedure 1 Define traffic classification rules # Create advanced ACL 3000 and enter advanced ACL view. <3Com> system-view [3Com] acl number 3000 # Define traffic classification rules with destination IP address as the match criterion.
Configuring Priority Marking and Queue Scheduling 219 acl number 3000 rule 0 permit IP destination 192.168.0.1 0 rule 1 permit IP destination 192.168.
220 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE ■ The Switch 4210 supports the WRR queue scheduling algorithm and the high queue-WRR (HQ-WRR) queue scheduling algorithm. HQ-WRR is implemented based on WRR. HQ-WRR selects queue 3 as the high-priority queue from the four output queues.
Configuring Traffic Redirection and Traffic Accounting 221 ■ During non-working time, count the HTTP traffic from PC 1 to the Internet. Applicable Products Configuration Procedure 1 Define a time range for working days # Create time range tr1, setting it to become active from 8:30 to 18:00 during working days.
222 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE rule 1 permit TCP source 192.168.0.1 0 destination-port eq www time-range tr2 # interface Ethernet1/0/1 traffic-redirect inbound ip-group 30.
Configuring QoS Profile 223 Applicable Products Configuration Procedure 1 Configuration on the AAA server Configure authentication information and user name-to-QoS-profile mapping for the user on the AAA server. Refer to “AAA Configuration” in the Configuration Guide for your product for detailed information.
224 CHAPTER 23: QoS/QoS PROFILE CONFIGURATION GUIDE # Enable 802.1x. [3Com] dot1x [3Com] dot1x interface Ethernet 1/0/1 Complete Configuration # dot1x # radius scheme system radius scheme radius1 server-type standard primary authentication 10.
24 WEB CACHE REDIRECTION CONFIGURATION GUIDE Configuring Web Cache Redirection The Web cache redirection function redirects the packets accessing Web pages to a Web cache server, thus reducing the load on the links between a LAN and the Internet and improving the speed of obtaining information from the Internet.
226 CHAPTER 24: WEB CACHE REDIRECTION CONFIGURATION GUIDE ■ The Web cache server belongs to VLAN 40 and is connected to Ethernet 1/0/4 of the switch. The IP address of the VLAN interface for VLAN 40 is 192.168.4.1/24. The IP address and the MAC address of the Web cache server is 192.
Configuring Web Cache Redirection 227 [3Com-Vlan-interface40] ip address 192.168.4.1 24 [3Com-Vlan-interface40] quit # Create VLAN 50 for the switch to connect to the router and configure the IP address of VLAN-interface 50 as 192.
228 CHAPTER 24: WEB CACHE REDIRECTION CONFIGURATION GUIDE interface Ethernet1/0/1 port access vlan 10 # interface Ethernet1/0/2 port access vlan 20 # interface Ethernet1/0/3 port access vlan 30 # interface Ethernet1/0/4 port link-type trunk port trunk permit vlan 1 40 50 webcache address 192.
25 MIRRORING CONFIGURATION GUIDE Local Port Mirroring Configuration In local port mirroring, packets of one or more source ports of a device are copied to a destination port on the device for packet analysis and monitoring. In local port mirroring, the source ports and the destination port are on the same device.
230 CHAPTER 25: MIRRORING CONFIGURATION GUIDE Configuration Procedure Configure Switch C: # Create a local mirroring group. <3Com> system-view [3Com] mirroring-group 1 local # Configure the source ports and destination port for the local mirroring group.
Remote Port Mirroring Configuration 231 Remote Port Mirroring Configuration Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network.
232 CHAPTER 25: MIRRORING CONFIGURATION GUIDE Network Diagram Figure 69 Network diagram for remote port mirroring Networking and Configuration Requirements The departments of a company connect to each other through Switch 5500s: ■ Switch A, Switch B, and Switch C are Switch 5500s.
Remote Port Mirroring Configuration 233 Configuration Procedure 1 Configure the source switch (Switch A) # Create remote source mirroring group 1. <3Com> system-view [3Com] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN.
234 CHAPTER 25: MIRRORING CONFIGURATION GUIDE [3Com] vlan 10 [3Com-vlan10] remote-probe vlan enable [3Com-vlan10] quit # Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
Remote Port Mirroring Configuration 235 3 Configuration on the destination switch (Switch C) # mirroring-group 1 remote-destination # vlan 10 remote-probe vlan enable # interface Ethernet1/0/1 port .
236 CHAPTER 25: MIRRORING CONFIGURATION GUIDE ■ Packets received on the destination port are those processed and forwarded by the switch. ■ The destination port to be configured cannot be a.
Traffic Mirroring Configuration 237 Configuration Procedure # Configure a basic ACL 2000, matching the packets whose source IP address is 192.168.0.1. <3Com> system-view [3Com] acl number 2000 [3Com-acl-basic-2000] rule permit source 192.168.
238 CHAPTER 25: MIRRORING CONFIGURATION GUIDE.
26 XRN CONFIGURATION GUIDE XRN Fabric Configuration Several Expandable Resilient Networking (XRN) supported switches can be interconnected to form a fabric, in which each switch is a unit, the ports connecting the units are called fabric ports, and the other ports that are used to connect the fabric to users are called user ports.
240 CHAPTER 26: XRN CONFIGURATION GUIDE Fabric Cable Connection Note: You are recommended to connect the switches with cables after the configuration in “Configuration Procedure” on page 241 “Configuration Procedure” on page 241.
XRN Fabric Configuration 241 ■ A Switch 5500G switch has two ports: up port and down port. Given a switch, its up port is connected to the down port of another switch, and its down port is connected to the up port of a third one. ■ Plug the cable connectors completely into the fabric ports.
242 CHAPTER 26: XRN CONFIGURATION GUIDE # Configure the fabric name as hello. [3Com] sysname hello # Configure the authentication mode as simple and password as welcome. [hello] XRN-fabric authentication-mode simple welcome 2 Configure Switch B.
XRN Fabric Configuration 243 By viewing the Left Port and Right Port fields in the output information, you can know the running status of the current fabric ports. The above prompt information indicates that the fabric ports are working normally (displayed as Normal).
244 CHAPTER 26: XRN CONFIGURATION GUIDE [3Com] sysname hello The configurations and verification on Switch C are the same as those on a Switch 5500. Therefore they are omitted here. Complete Configuration Complete configuration on the Switch 5500 Note: To avoid repetition, only the complete configuration of Switch A is listed below.
XRN Fabric Configuration 245 Otherwise, you cannot enable the fabric port. For detailed restrictions, refer to the error information output by devices. ■ When configuring XRN, do not configure other functions, and before configuring other functions, make sure the fabric has been established and works normally.
246 CHAPTER 26: XRN CONFIGURATION GUIDE.
27 CLUSTER CONFIGURATION GUIDE Cluster Configuration The cluster function is implemented through 3Com Group Management Protocol version 2 (Switch Clusteringv2). Using Switch Clusteringv2, you can manage multiple switches through the public IP address of a master device.
248 CHAPTER 27: CLUSTER CONFIGURATION GUIDE ■ Ethernet 1/0/1 belongs to VLAN 2, whose interface IP address is 163.172.55.1. ■ All the devices in the cluster share the same FTP/TFTP server. ■ The FTP/TFTP server uses IP address 63.
Cluster Configuration 249 [3Com] ndp enable [3Com] undo ndp enable interface Ethernet 1/0/1 [3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] undo ntdp enable [3Com-Ethernet1/0/1] quit # Enable NDP on Ethernet 1/0/2 and Ethernet 1/0/3.
250 CHAPTER 27: CLUSTER CONFIGURATION GUIDE [3Com] cluster [3Com-cluster] # Configure a private IP address pool for a cluster. The IP address pool contains six IP addresses, starting from 172.16.0.1. [3Com-cluster] ip-pool 172.16.0.1 255.255.255.
Network Management Interface Configuration 251 Complete Configuration 1 Configurations on the management device # interface Vlan-interface2 ip address 163.172.55.1 255.255.255.0 # ntdp hop 2 ntdp timer port-delay 15 ntdp timer hop-delay 150 ntdp timer 3 # ndp timer hello 70 ndp timer aging 200 # cluster ip-pool 172.
252 CHAPTER 27: CLUSTER CONFIGURATION GUIDE Network Diagram Figure 75 Network diagram for network management interface configuration Networking and Configuration Requirements ■ Configure VLAN-interface 2 as the network management interface. ■ Configure VLAN 3 as the management VLAN.
Network Management Interface Configuration 253 # Add Ethernet 1/0/2 to VLAN 2. [3Com] vlan 2 [3Com-vlan2] port Ethernet 1/0/2 [3Com-vlan2] quit # Configure the IP address of VLAN-interface 2 as 192.168.4.22. [3Com] interface Vlan-interface 2 [3Com-Vlan-interface2] ip address 192.
254 CHAPTER 27: CLUSTER CONFIGURATION GUIDE ■ The network management interface can be configured on the management switch only. Note: The network management interface cannot be configured on the Switch 4210.
Cluster Configuration in Real Networking 255 The member switches: ■ Member switch Switch B is connected to Switch D through Ethernet 1/0/2. ■ Switch B is connected to Switch E through Ethernet 1/0/3. ■ Switch B is connected to Switch F through Ethernet 1/0/4.
256 CHAPTER 27: CLUSTER CONFIGURATION GUIDE [3Com] interface Ethernet 1/0/2 [3Com-Ethernet1/0/2] ntdp enable [3Com-Ethernet1/0/2] quit [3Com] interface Ethernet 1/0/3 [3Com-Ethernet1/0/3] ntdp en.
Cluster Configuration in Real Networking 257 [3Com] ntdp timer hop-delay 180 # Set the delay for a port of a member device to forward topology collection request to 20 ms. [3Com] ntdp timer port-delay 20 # Set the topology collection interval to three minutes.
258 CHAPTER 27: CLUSTER CONFIGURATION GUIDE Complete Configuration 1 Configuration on Switch A # ntdp hop 2 ntdp timer port-delay 20 ntdp timer hop-delay 180 ntdp timer 3 # ndp timer hello 100 ndp timer aging 300 # cluster ip-pool 172.16.0.1 255.
28 PoE/PoE PROFILE CONFIGURATION GUIDE PoE Configuration Power over Ethernet (PoE)-enabled devices use 10BASE-T, 100BASE-TX and 1000BASE-T twisted pair cables to supply power to powered devices (PD) and implement power supply and data transmission simultaneously.
260 CHAPTER 28: PoE/PoE PROFILE CONFIGURATION GUIDE Configuration Procedure # Upgrade the power processing software. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 Update PoE board successfully # Enable the PoE feature on ports Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/8.
PoE Profile Configuration 261 Ethernet1/0/8 on enable signal critical Standard PD was detected ...... # View the PoE pow er information of all the ports on the switch.
262 C HAPTER 28: P O E/P O E P ROFI LE C ONFIGURATION G UIDE Network Diagram Figure 78 Network diagram for PoE profile configuration Networking and Configuration Requirements Switch A is a Switch 5500 supporting PoE.
PoE Profile Configuration 263 # In Pr ofile1, add the Po E policy configuratio n applicabl e to Ethe rnet 1/0/1 through Ethernet 1/0/5 for users of group A.
264 C HAPTER 28: P O E/P O E P ROFI LE C ONFIGURATION G UIDE # interface Ethernet1/0/7 apply poe-profile Profile2 # interface Ethernet1/0/8 apply poe-profile Profile2 # interface Ethernet1/0/9 apply p.
29 UDP H ELPER C ONFIGURATION G UIDE UDP Helper Configuration Guide The Switch 5500 provides the UDP Helper f unction to relay specified UDP packets. In other words, U DP Helper functions as a relay agent that converts UDP br oadc ast packets into unicast packets and forwards them to a specified destination server .
266 C HAPTER 29: UDP H ELPER C ONFIGURATION G UIDE [SwitchA] udp-helper enable # Configure the switch to forward br oadcasts containing the destination UDP port number 137. (By default, the device, after enabled with UDP Helper , forwards the broadcasts containing the destination UDP port n umber 137.
30 SNMP-RMON C ONFIGURATION G UIDE SNMP Configuration The Simple Network Management Protoc ol (SNMP) is used for ensuring the transmission of t he management informat ion b etween any two network nodes.
268 C HAPTER 30: SNMP-RMON C ONFIGURATION G UIDE # For SNMPv3, set the SNMPv3 group and user , set the security level to authentication with p rivacy , authentication protocol to HMAC-MD5 , authentication password to passmd5 , encryption protocol to DES , and encryption password to cfb128cfb128 .
RMON Configuration 269 RMON Configuration Remote Monitoring (RMON) is a kind of MI B defined by Inter net Engineering T as k Force (IETF). It is an important enhancem ent to MIB II standards.
270 C HAPTER 30: SNMP-RMON C ONFIGURATION G UIDE [3Com] rmon prialarm 2 (.1.3.6.1.2 .1.16.1.1.1.9.1+.1.3.6.1.2.1.16. 1. 1.1.10.1) test 10 changeratio risi ng_threshold 50 1 falling_thresh ol d 5 2 entrytype forever owner user 1 Complete Configuration # rmon event 1 description null log owner n ull rmon event 2 description null trap 10.
31 NTP C ONFIGURATION G UIDE NTP Client/Server Mode Configuration Defined in RFC 1305, the Network T ime Protocol (NTP) sync hronizes timekeeping among distributed time servers and client s. NTP runs over the User Datagram Protocol (UDP), using UDP port 123.
272 C HAPTER 31: NTP C ONFIGURATION G UIDE [DeviceB] display ntp-service sess ions Complete Configuration # ntp-service unicast-server 1.0.1.11 Precautions The local clock of a 3Com Switch 5500, 550 0G, or 4210 cannot be set as a refer ence clock. It can synchr onize other de vices as a r efer ence clock only when its clock is synchr on ized.
NTP Broadcast Mode Configuration 273 # Set Device C as the symmetric-peer . <DeviceB> system-view [DeviceB] ntp-service unicast-peer 3.0. 1.33 # View NTP status and NTP session information of Device C after clock synchronization.
274 CHAPTER 31: NTP CONFIGURATION GUIDE Applicable Products Configuration Procedure ■ Configure Device C. # Set Device C to work as the broadcast server and send broadcasts through its VLAN-interface 2.
NTP Multicast Mode Configuration 275 Precautions The local clock of the Switch 5500, 5500G, or 4210 cannot be set as a reference clock. It can synchronize other devices as a reference clock only when its clock is synchronized.
276 CHAPTER 31: NTP CONFIGURATION GUIDE <DeviceA> system-view [DeviceA] interface Vlan-interface 2 [DeviceA-Vlan-interface2] ntp-service multicast-client ■ View the NTP status and NTP sess.
NTP Client/Server Mode with Authentication Configuration 277 ■ Device B is a Switch 5500, which takes Device A as the time server and works in the client mode. Device A automatically works in the server mode. ■ Configure NTP authentication between Device A and Device B.
278 CHAPTER 31: NTP CONFIGURATION GUIDE ntp-service reliable authentication-keyid 42 ntp-service unicast-server 1.0.1.11 ■ Configuration on Device A.
32 SSH CONFIGURATION GUIDE Configuring the Switch to Act as the SSH Server and Use Password Authentication Network Diagram Figure 87 Network diagram for configuring the switch to act as the SSH serv.
280 CHAPTER 32: SSH CONFIGURATION GUIDE # Set the authentication mode for the user interfaces to AAA. [3Com] user-interface vty 0 4 [3Com-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH.
Configuring the Switch to Act as the SSH Server and Use Password Authentication 281 Take SSH client software PuTTY v0.58 as an example: 1 Run PuTTY.exe to enter the following configuration interface. Figure 88 SSH client configuration interface In the Host Name (or IP address) text box, enter the IP address of the SSH server.
282 CHAPTER 32: SSH CONFIGURATION GUIDE Figure 89 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. 3 As shown in Figure 89, click Open. If the connection is normal, you can enter the username client001 and password abc at prompt.
Configuring the Switch to Act as the SSH Server and Use RSA Authentication 283 Configuring the Switch to Act as the SSH Server and Use RSA Authentication Network Diagram Figure 90 Network diagram for.
284 CHAPTER 32: SSH CONFIGURATION GUIDE [3Com-ui-vty0-4] user privilege level 3 [3Com-ui-vty0-4] quit # Configure the authentication method of the SSH client named client001 as RSA.
Configuring the Switch to Act as the SSH Server and Use RSA Authentication 285 Note: During the generation process, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 92. Otherwise, the process bar stops moving and the key pair generation process is stopped.
286 CHAPTER 32: SSH CONFIGURATION GUIDE Figure 93 Client key pair generation interface 3 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.
Configuring the Switch to Act as the SSH Server and Use RSA Authentication 287 Take SSH client software PuTTY v0.58 as an example: 1 Run PuTTY.exe to enter the following configuration interface. Figure 95 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the SSH server.
288 CHAPTER 32: SSH CONFIGURATION GUIDE Figure 96 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version.
Configuring the Switch to Act as the SSH Server and Use RSA Authentication 289 Figure 97 SSH client configuration interface 2 Click Browse... to bring up the file selection window, navigate to the private key file and click OK. 4 In the window shown in Figure 97, click Open.
290 CHAPTER 32: SSH CONFIGURATION GUIDE Configuring the Switch to Act as the SSH Client and Use Password Authentication Network Diagram Figure 98 Network diagram for configuring the switch to act .
Configuring the Switch to Act as the SSH Client and Use Password Authentication 291 [3Com-ui-vty0-4] protocol inbound ssh [3Com-ui-vty0-4] quit # Create local user client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client.
292 CHAPTER 32: SSH CONFIGURATION GUIDE authentication-mode scheme protocol inbound ssh ■ Configure Switch A # interface Vlan-interface1 ip address 10.
Configuring the Switch to Act as the SSH Client and Use RSA Authentication 293 [3Com] rsa local-key-pair create # Set the authentication mode for the user interfaces to AAA. [3Com] user-interface vty 0 4 [3Com-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH.
294 CHAPTER 32: SSH CONFIGURATION GUIDE # Display the host public key. <3Com> display rsa local-key-pair public ================================== =================== Time of Key pair creat.
Configuring the Switch to Act as the SSH Client and Not to Support First-Time Authentication 295 ip address 10.165.87.136 255.255.255.0 # ssh user client001 assign rsa-key Switch001 ssh user client00.
296 CHAPTER 32: SSH CONFIGURATION GUIDE # Create a VLAN interface on the switch and assign an IP address for it. The SSH client will use this address as the destination for SSH connection. <3Com> system-view [3Com] interface vlan-interface 1 [3Com-Vlan-interface1] ip address 10.
Configuring the Switch to Act as the SSH Client and Not to Support First-Time Authentication 297 # Display the server host public key. [3Com] display rsa local-key-pair public =======================.
298 CHAPTER 32: SSH CONFIGURATION GUIDE Note: After generating a key pair on a client, you need to manually configure the host public key on the server and have the configuration on the server done before continuing configuration on the client. # Disable first-time authentication.
Configuring the Switch to Act as the SSH Client and Not to Support First-Time Authentication 299 D5E2C4F8 AED72834 74D3404A 0B14363D D709 CC63 68C8CE00 57C0EE6 B 074C0CA9 0203 010001 public-key-code end peer-public-key end # vlan 1 # interface Vlan-interface1 ip address 10.
300 CHAPTER 32: SSH CONFIGURATION GUIDE Configuring SFTP Network Diagram Figure 101 Network diagram for configuring SFTP Networking and Configuration Requirements As shown in Figure 101, establish an SSH connection between the SFTP client (Switch A) and the SFTP server (Switch B).
Configuring SFTP 301 [3Com] ssh user client001 authentication-type password # Specify the service type as SFTP. [3Com] ssh user client001 service-type sftp # Enable the SFTP server. [3Com] sftp server enable ■ Configure the SFTP client (Switch A) # Create a VLAN interface on the switch and assign an IP address for it.
302 CHAPTER 32: SSH CONFIGURATION GUIDE drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub # Add a directory named new1, and then check that the new directory has been successfully created.
Configuring SFTP 303 Complete Configuration ■ Configure Switch B # local-user client001 password simple abc service-type ssh # interface Vlan-interface1 ip address 192.
33 FTP AND TFTP CONFIGURATION GUIDE Configuring a Switch as FTP Server The Ethernet switch can act as an FTP server to provide file transfer services. You can run FTP client software on a PC to log into the FTP server to access the files on the server.
306 CHAPTER 33: FTP AND TFTP CONFIGURATION GUIDE # Assign IP address 1.1.1.1/16 to VLAN-interface 1. (You can log in to the switch through the Console port. For detailed information, refer to “Logging in through the Console Port” in the Configuration Guide for your product.
Configuring a Switch as FTP Client 307 Complete Configuration Configure the switch # local-user switch password simple hello service-type ftp # vlan 1 # interface Vlan-interface1 ip address 1.
308 CHAPTER 33: FTP AND TFTP CONFIGURATION GUIDE Applicable Products Configuration Procedure ■ Perform FTP service-related configurations on the PC, that is, create a user account on the FTP server with the user name switch and password hello.
Configuring a Switch as TFTP Client 309 <3Com> boot boot-loader switch.bin <3Com> reboot Complete Configuration # vlan 1 # interface Vlan-interface1 ip address 1.
310 CHAPTER 33: FTP AND TFTP CONFIGURATION GUIDE ■ Configure the TFTP client (the switch): # Assign IP address 1.1.1.1/16 to VLAN-interface 1. (You can log in to the switch through the Console port. For detailed information, see “Logging in through the Console Port” in the Configuration Guide for your product.
34 INFORMATION CENTER CONFIGURATION GUIDE Outputting Log Information to a Unix Log Host Network Diagram Figure 105 Network diagram for outputting log information to a Unix log host Networking and Configuration Requirements Send log information with severity higher than informational to a Unix log host with an IP address of 202.
312 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE [3Com] info-center source ip channel loghost log level informational debug state off trap state off ■ Configuration on the log host. The following configurations were performed on SunOS 4.
Outputting Log Information to a Linux Log Host 313 Outputting Log Information to a Linux Log Host Network Diagram Figure 106 Network diagram for outputting log information to a Linux log host Networking and Configuration Requirements Send log information to a Linux log host with an IP address of 202.
314 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE # ps -ae | grep syslogd 147 # kill -9 147 # syslogd -r & Complete Configuration ■ Configuration on the switch. # info-center source default channel 2 log level error trap state off info-center loghost 202.
Outputting Log and Trap Information to a Log Host Through the Same Channel 315 Applicable Products Configuration Procedure ■ Configuration on the switch. # Enable the information center. <3Com> system-view [3Com] info-center enable # The system outputs information of all modules through channel6 by default.
316 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE # Open the TFTPD32 application program on the Windows operating system as shown in the following figure: 1 Current Directory indicates the directory of the log file syslog.txt. You can click the Browse button to set it.
Outputting Log Information to the Console 317 Precautions On the Windows operating system, software settings vary with log host software. Outputting Log Information to the Console Network Diagram Fig.
318 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE info-center source IP channel 0 trap state off undo info-center source default channel 0 Precautions None Displaying the Time Stamp with th.
Use of the Facility Argument in Log Information Output 319 Use of the Facility Argument in Log Information Output Network Diagram Figure 110 Network diagram for use of the facility argument in log information output Networking and Configuration Requirements Multiple switches in a LAN send log information to the same log host.
320 CHAPTER 34: INFORMATION CENTER CONFIGURATION GUIDE [SwitchA]info-center enable [SwitchA]info-center source default channel loghost log level debugging [SwitchA]info-center loghost 192.
35 VLAN-VPN CONFIGURATION GUIDE Configuring VLAN-VPN With VLAN-VPN enabled, a device tags a private network packet with an outer VLAN tag, thus enabling the packet to be transmitted through the service providers’ backbone network with both inner and outer VLAN tags.
322 CHAPTER 35: VLAN-VPN CONFIGURATION GUIDE Note: Only the Switch 5500 supports the configuration of TPID. The Switch 5500G and the Switch 4210 do not support that configuration. ■ Configure VLAN-VPN on Switch A and Switch B to enable the PC users and the terminal users to communicate with their respective servers.
Configuring VLAN-VPN 323 # Set the TPID value of Ethernet 1/0/12 to 0x9200. [SwitchA-Ethernet1/0/12] vlan-vpn tpid 9200 ■ Configure Switch B # Enable VLAN-VPN on Ethernet 1/0/21 of Switch B, using the tag of VLAN 1040 as the outer VLAN tag for packets received on this port.
324 CHAPTER 35: VLAN-VPN CONFIGURATION GUIDE ■ Configure Switch B # vlan 1040 # interface Ethernet1/0/21 port access vlan 1040 undo ntdp enable stp disable vlan-vpn enable vlan-vpn tpid 9200 # .
Configuring BPDU Tunnel 325 ■ Configure the service provider network to transmit NDP packets of the customer network through a BPDU tunnel. ■ Enable VLAN-VPN for the service provider network, and enable the service provider network to use VLAN 100 to transmit data packets of the customer network.
326 CHAPTER 35: VLAN-VPN CONFIGURATION GUIDE [3Com] interface Ethernet 1/0/3 [3Com-Ethernet1/0/3] port link-type trunk [3Com-Ethernet1/0/3] port trunk permit vlan 100 Complete Configuration ■.
36 REMOTE-PING CONFIGURATION GUIDE Remote-ping Configuration Remote-ping is a network diagnostic tool. It is used to test the performance of various protocols running in networks.
328 CHAPTER 36: REMOTE-PING CONFIGURATION GUIDE Configuration procedure # Enable the Remote-ping client. <3Com> system-view System View: return to User View with Ctrl+Z. [3Com] remote-ping-agent enable # Create a Remote-ping test group, configuring the administrator name as administrator and test operation tag as ICMP.
37 DNS CONFIGURATION GUIDE Static Domain Name Resolution Configuration Guide Static domain name resolution is based on manually configured domain name-to-IP address mappings. If you telnet a remote device using its name, the local device will look up the corresponding IP address in the static domain name resolution table.
330 CHAPTER 37: DNS CONFIGURATION GUIDE 0.00% packet loss round-trip min/avg/max = 2/3/5 ms Complete Configuration # ip host host.com 10.1.1.2 Dynamic Domain Name Resolution Configuration Guide Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses.
Dynamic Domain Name Resolution Configuration Guide 331 PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=125 time=4 ms Reply from 3.1.1.
38 ACCESS MANAGEMENT CONFIGURATION GUIDE Configuring Access Management The access management function is designed to control user accesses on access switches.
334 CHAPTER 38: ACCESS MANAGEMENT CONFIGURATION GUIDE ■ Permit all the PCs of organization 1 to access the Internet through Ethernet 1/0/1 on Switch A. Ethernet 1/0/1 carries VLAN 1. The IP address assigned to the interface of VLAN 1 is 202.
Configuring Access Management with Port Isolation 335 Configuring Access Management with Port Isolation Network Diagram Figure 117 Network diagram for access management and port isolation configuration Networking and Configuration Requirements Client PCs are connected to the Internet through Switch A.
336 CHAPTER 38: ACCESS MANAGEMENT CONFIGURATION GUIDE # Configure the IP address of VLAN-interface 1 as 202.10.20.200/24. [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ip address 202.10.20.200 24 [SwitchA-Vlan-interface1] quit # Configure an access management IP address pool for Ethernet 1/0/1.