H3c-technologies H3C S3100 Series Switches Operating Manual

Browse online or download the operating manual for the router H3c-technologies H3C S3100 Series Switches. H3C Technologies H3C S3100 Series Switches User Manual

H3C S3100 Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document Version: 20100908-C-1.00
Product Version: Release 22XX Series

Table of Contents

Page 1 - Operation Manual

H3C S3100 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100908-C-1.00 Produc

Page 2 - Trademarks

8 Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text

Page 3 - Preface

2-9 Protocol-Based VLAN Configuration Task List Complete these tasks to configure protocol-based VLAN: Task Remarks Configuring a Protocol Template

Page 4

1-12 Configuring an Access Control Policy By configuring a certificate attribute-based access control policy, you can further control access to the s

Page 5

1-13 PKI Configuration Examples z The SCEP plug-in is required when you use the Windows Server as the CA. In this case, when configuring the PKI d

Page 6

1-14 After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server. This includes

Page 7 - Software Version

1-15 . z Apply for certificates # Retrieve the CA certificate and save it locally. [Switch] pki retrieval-certificate ca domain torsa Retrieving CA/

Page 8

1-16 Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A5

Page 9

1-17 Configuration procedure 1) Configure the CA server z Install the certificate server suites From the start menu, select Control Panel > Add

Page 10 - Conventions

1-18 # Specify the entity for certificate request as aaa. [Switch-pki-domain-torsa] certificate request entity aaa z Generate a local key pair using

Page 11 - Documentation Feedback

1-19 Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public K

Page 12 - We appreciate your comments

1-20 z The network connection is not proper. For example, the network cable may be damaged or loose. z No trusted CA is specified. z The URL of th

Page 13

1-21 z The CRL distribution URL is not configured. z The LDAP server version is wrong. Solution z Make sure that the network connection is physica

Page 14 - 1 CLI Configuration

2-10 z At present, the S3100 series support only the standard templates of AppleTalk and IP, the standard template of IPX encapsulated in Ethernet

Page 15 - Modifying the Command Level

i Table of Contents 1 SSL Configuration

Page 16 - Switching User Level

1-1 1 SSL Configuration When configuring SSL, go to these sections for information you are interested in: z SSL Overview z SSL Configuration Task

Page 17

1-2 SSL Protocol Stack As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and t

Page 18

1-3 Configuration Prerequisites When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server side ce

Page 19

1-4 z If you enable client authentication here, you must request a local certificate for the client. z Currently, SSL mainly comes in these versio

Page 20 - CLI Views

1-5 [Switch-pki-entity-en] quit # Create a PKI domain and configure it. [Switch] pki domain 1 [Switch-pki-domain-1] ca identifier ca1 [Switch-pki-dom

Page 21

1-6 # Configure the system to strip domain name off a user name before transmitting the user name to the RADIUS server. [Switch-radius-radius1] user-

Page 22

1-7 To do… Use the command… Remarks Specify the preferred cipher suite for the SSL client policy prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128

Page 23

1-8 z If the SSL server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, request

Page 24

i Table of Contents 1 HTTPS Configuration

Page 25 - CLI Features

2-11 To do... Use the command... Remarks Display the protocol information and protocol indexes configured on the specified port display protocol-v

Page 26 - Command History

1-1 1 HTTPS Configuration When configuring HTTPS, go to these sections for information you are interested in: z HTTPS Overview z HTTPS Configurati

Page 27 - Command Edit

1-2 Associating the HTTPS Service with an SSL Server Policy You need to associate the HTTPS service with a created SSL server policy before enabling

Page 28

1-3 Associating the HTTPS Service with a Certificate Attribute Access Control Policy Associating the HTTPS service with a configured certificate acce

Page 29

1-4 HTTPS Configuration Example Network requirements z Host acts as the HTTPS client and Device acts as the HTTPS server. z Host accesses Device th

Page 30

1-5 [Device] pki retrieval-certificate ca domain 1 # Apply for a local certificate. [Device] pki request-certificate domain 1 2) Configure an SSL se

Page 31 - User Interface Index

i Table of Contents 1 Ethernet OAM Configuration

Page 32

1-1 1 Ethernet OAM Configuration When configuring the Ethernet OAM function, go to these sections for information you are interested in: z Ethernet

Page 33

1-2 Ethernet OAMPDUs Figure 1-1 shows the formats of different types of OAMPDUs. Figure 1-1 Formats of different types of Ethernet OAMPDUs The fiel

Page 34

1-3 Table 1-2 Functions of different types of OAMPDUs OAMPDU type Function Information OAMPDU Used for transmitting state information of an Ethernet

Page 35

1-4 z OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait and respond to

Page 36 - Common Configuration

2-12 [Switch] vlan 100 [Switch-vlan100] protocol-vlan ip # To ensure the normal operation of IP network, you need to configure a user-defined protoco

Page 37

1-5 z The system transforms the period of detecting errored frame period events into the maximum number of 64-byte frames that a port can send in t

Page 38

1-6 Task Remarks Configuring Errored Symbol Event Detection Optional Configuring Errored Frame Event Detection Optional Configuring Errored Frame

Page 39

1-7 To do… Use the command… Remarks Enter system view System-view — Configure the Ethernet OAM handshake packet transmission interval oam timer hel

Page 40 - Password

1-8 Follow these steps to configure errored frame event detection: To do… Use the command… Remarks Enter system view system-view — Configure the er

Page 41

1-9 Enabling OAM Remote Loopback After enabling OAM remote loopback on a port, you can send loopback frames from the port to a remote port and then o

Page 42

1-10 Displaying and Maintaining Ethernet OAM Configuration To do… Use the command… Remarks Display global Ethernet OAM configuration display oam co

Page 43 - [ level level ] command

1-11 # Configure Ethernet 1/0/1 to operate in active Ethernet OAM mode (the default) and enable Ethernet OAM for it. <DeviceB> system-view [De

Page 44

1-12 The above information indicates that 35 errors occurred since Ethernet OAM is enabled on Device A, 17 of which are caused by error frames. The l

Page 45

i Table of Contents 1 CFD Configuration

Page 46 - 3 Logging in through Telnet

1-1 1 CFD Configuration When configuring CFD, go to these sections for information you are interested in: z Overview z CFD Configuration Task List

Page 47

i Table of Contents 1 Static Route Configuration

Page 48

1-2 Figure 1-1 Two nested MDs CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can

Page 49

1-3 As shown in Figure 1-2, an outward-facing MEP sends packets to its host port. Figure 1-3 Inward-facing MEP As shown in Figure 1-3, an inward-f

Page 50

1-4 Figure 1-4 Levels of MPs Device A Device B Device C Device D Device E Device F (figure residue: per-device MD level digits) MD level 5 MD level 3 MD Level 2 MD Leve

Page 51

1-5 Linktrace Linktrace is responsible for identifying the path between the source MEP and the destination MEP. This function is implemented in the

Page 52

1-6 z Normally, a port blocked by STP cannot receive, send, or respond to CFD messages. However, if it is configured as an outward-facing MEP, it c

Page 53

1-7 To do... Use the command... Remarks Create an MA cfd ma ma-name md md-name vlan vlan-id Required Not created by default Create a service instan

Page 54

1-8 MIPs are generated on each port automatically according to related MIP generation rules. If a port has no MIP, the system will check the MAs in e

Page 55

1-9 Configuring CFD Functions Configuration Prerequisites Before configuring CFD functions, you need to complete basic CFD configurations first. Con

Page 56 - Telnetting to a Switch

1-10 Follow these steps to configure LB on a MEP: To do... Use the command... Remarks Enter system view system-view — Enable LB cfd loopback servic

Page 57

1-11 To do... Use the command... Remarks Display MP information display cfd mp [ interface interface-type interface-number ] Available in any view

Page 58 - <Sysname> telnet xxxx

1-1 1 Static Route Configuration When configuring a static route, go to these sections for information you are interested in: z Introduction to Sta

Page 59 - 4 Logging in Using a Modem

1-12 Figure 1-6 Network diagram for CFD configuration Configuration procedure 1) Configure a VLAN and assign ports to it On each device shown in F

Page 60 - Switch Configuration

1-13 [DeviceC] cfd service-instance 2 md MD_B ma MA_B 4) Configure MEPs # On Device A, configure a MEP list in service instance 1; create and enable

Page 61

1-14 # On Device B, enable the sending of CCMs for MEP 2001 in service instance 2 on Ethernet 1/0/3. [DeviceB] interface ethernet 1/0/3 [DeviceB-Ethe

Page 62

i Table of Contents Appendix A Acronyms

Page 63 - Management System

A-1 Appendix A Acronyms A AAA Authentication, Authorization and Accounting ABR Area Border Router ACL Access Control List ARP Address Resolutio

Page 64 - Configuring the Login Banner

A-2 IGMP Internet Group Management Protocol IGP Interior Gateway Protocol IP Internet Protocol L LLDP Link Layer Discovery Protocol LSA Link Sta

Page 65

A-3 TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identificati

Page 66

1-2 Static Route Configuration Configuration Prerequisites Before configuring a static route, perform the following tasks: z Configuring the physic

Page 67 - 6 Logging in through NMS

1-3 Operation Command Remarks Display the routes that match a specified basic access control list (ACL) display ip routing-table acl acl-number [ v

Page 68 - 7 User Control

i Table of Contents 1 IP Addressing Configuration

Page 69

1-1 1 IP Addressing Configuration IP Addressing Overview IP Address Classes IP addressing uses a 32-bit address to identify each host on a network.

Page 70

9 Category Documents Purposes z S3100-EI series switches marketing brochure z S3100-SI series switches marketing brochure Describe product specifi

Page 71

1-2 Class Address range Description D 224.0.0.0 to 239.255.255.255 Multicast address. E 240.0.0.0 to 255.255.255.255 Reserved for future use exc

Page 72

1-3 bits for the host ID and thus have only 126 (27 – 2) hosts in each subnet. The maximum number of hosts is thus 64,512 (512 × 126), 1022 less afte

Page 73

1-4 Configuring an IP address to a VLAN interface Table 1-3 Configure an IP address to a VLAN interface(S3100-SI) Operation Command Remarks Enter s

Page 74 - [Sysname] ip http acl 2030

1-5 Operation Command Remarks Display brief configuration information about a specified or all Layer 3 interfaces display ip interface brief [ inte

Page 75

2-1 2 IP Performance Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to ad

Page 76 - Format of configuration file

2-2 Table 2-2 Configure TCP attributes Operation Command Remarks Enter system view system-view — Configure TCP synwait timer’s timeout value tcp ti

Page 77

2-3 Use the reset command in user view to clear the IP, TCP, and UDP traffic statistics. Table 2-4 Display and maintain IP performance Operation Com

Page 78

i Table of Contents 1 Voice VLAN Configuration

Page 79

1-1 1 Voice VLAN Configuration The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches. When configur

Page 80

1-2 z Voice VLAN configuration z Failover call routing Following describes the way a typical IP phone acquires an IP address. Figure 1-1 Network d

Page 81

10 You can e-mail your comments about product documentation to [email protected]. We appreciate your comments.

Page 82

1-3 DHCP Server 1, and sends a new DHCP request message carrying the voice VLAN tag to the voice VLAN. 4) After receiving the DHCP request, DHCP Se

Page 83 - 1 VLAN Overview

1-4 Setting the Voice Traffic Transmission Priority In order to improve transmission quality of voice traffic, the switch by default re-marks the pri

Page 84 - VLAN Fundamentals

1-5 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically Voice VLAN assi

Page 85

1-6 Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration Voice VLAN assignment mode

Page 86 - VLAN Classification

1-7 Voice VLAN Mode Packet Type Processing Method Packet carrying any other VLAN tag The packet is forwarded or dropped based on whether the receivi

Page 87 - Port-Based VLAN

1-8 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode Follow these steps to configure a voice VLAN to operate in automa

Page 88

1-9 When the voice VLAN is working normally, if the device restarts, in order to make the established voice connections work normally, the system do

Page 89 - MAC-Based VLAN

1-10 To do… Use the command… Remarks Enter VLAN view vlan vlan-id Access port Add the port to the VLAN port interface-list Enter port view interfac

Page 90 - Protocol-Based VLAN

1-11 Displaying and Maintaining Voice VLAN To do… Use the command… Remarks Display information about the ports on which voice VLAN configuration f

Page 91 - Encapsulation Formats

1-12 # Set the voice VLAN aging timer. [DeviceA] voice vlan aging 100 # Add a user-defined OUI address 0011-2200-000 and set the description string

Page 92 - 2 VLAN Configuration

i Table of Contents 1 CLI Configuration

Page 93

1-13 Configuration procedure # Enable the security mode for the voice VLAN so that the ports in the voice VLAN permit valid voice packets only. This

Page 94

i Table of Contents 1 GVRP Configuration

Page 95

1-1 1 GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: z Introduction to GVRP z GVRP Configur

Page 96

1-2 Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN. 2)

Page 97

1-3 Figure 1-1 Format of GARP packets The following table describes the fields of a GARP packet. Table 1-1 Description of GARP packet fields Field

Page 98 - Configuring a MAC-Based VLAN

1-4 GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the info

Page 99

1-5 To do ... Use the command ... Remarks Enter system view system-view — Enable GVRP globally gvrp Required By default, GVRP is disabled globally.

Page 100 - Configuration procedure

1-6 Table 1-2 Relations between the timers Timer Lower threshold Upper threshold Hold 10 centiseconds This upper threshold is less than or equal to

Page 101

1-7 To do … Use the command … Remarks Display the settings of the GARP timers display garp timer [ interface interface-list ] Display GVRP statisti

Page 102 - Network diagram

1-8 [SwitchA] interface Ethernet 1/0/2 [SwitchA-Ethernet1/0/2] port link-type trunk [SwitchA-Ethernet1/0/2] port trunk permit vlan all # Enable GVRP

Page 103

1-1 1 CLI Configuration Introduction to the CLI A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a s

Page 104

1-9 The following dynamic VLANs exist: 8 7) Configure Ethernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN i

Page 105 - Static Route Configuration

i Table of Contents 1 Port Basic Configuration

Page 106

1-1 1 Port Basic Configuration Ethernet Port Configuration Combo Port Configuration Introduction to Combo port A Combo port can operate as either an

Page 107

1-2 Operation Command Remarks Enable the Ethernet port undo shutdown Optional By default, the port is enabled. Use the shutdown command to disable

Page 108

1-3 z After you configure auto-negotiation speed(s) for a port, if you execute the undo speed command or the speed auto command, the auto-negotiati

Page 109 - IP Addressing Configuration

1-4 Table 1-3 Enable flow control on a port Operation Command Remarks Enter system view system-view — Enter Ethernet port view interface interfa

Page 110 - Subnetting and Masking

1-5 z If you have additionally enabled the loopback port auto-shutdown function on the port, the system will shut down the port, and send log and tr

Page 111 - Configuring IP Addresses

1-6 Operation Command Remarks Enable loopback detection on a specified port loopback-detection enable Optional By default, the loopback detection

Page 112

1-7 z external: Performs external loop test. In the external loop test, self-loop headers must be used on the port of the switch ( for 100M port,

Page 113 - Network requirement

1-8 Enabling the System to Test Connected Cable You can enable the system to test the cable connected to a specific port. The test result will be ret

Page 114 - IP Performance Configuration

1-2 z Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These comman

Page 115

1-9 status of Ethernet ports in a network changes frequently, large amount of log information may be sent, which increases work load of the log serve

Page 116

1-10 z With traffic upper and lower thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast traffi

Page 117

1-11 The port state change delay takes effect when the port goes down but not when the port goes up. Table 1-11 set the port state change delay Op

Page 118 - 1 Voice VLAN Configuration

1-12 Displaying and Maintaining Basic Port Configuration Table 1-12 Display and maintain basic port configuration Operation Command Remarks Display

Page 119

1-13 z Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A. z This example suppose

Page 120

i Table of Contents 1 Link Aggregation Configuration

Page 121

1-1 1 Link Aggregation Configuration Overview Introduction to Link Aggregation Link aggregation can aggregate multiple Ethernet ports together to fo

Page 122

1-2 z S3100 series that support extended LACP functions can be used as intermediate devices in LACP MAD implementation. z For details about IRF,

Page 123 - Security Mode of Voice VLAN

1-3 manual aggregation group must contain at least one port. When a manual aggregation group contains only one port, you cannot remove the port unles

Page 124 - Voice VLAN Configuration

1-4 z The ports connected to a peer device different from the one the master port is connected to or those connected to the same peer device as the

Page 125

1-3 z It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation. z When you

Page 126

1-5 z When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; z When the rate of a port decrea

Page 127

1-6 Link Aggregation Configuration z The commands of link aggregation cannot be configured with the commands of port loopback detection feature at

Page 128

1-7 z If the aggregation group you are creating already exists but contains no port, its type will change to the type you set. z If the aggregation

Page 129

1-8 Configuring a Dynamic LACP Aggregation Group A dynamic LACP aggregation group is automatically created by the system based on LACP-enabled ports.

Page 130 - Verification

1-9 Operation Command Remarks Configure a description for an aggregation group link-aggregation group agg-id description agg-name Optional By defau

Page 131

1-10 Network diagram Figure 1-1 Network diagram for link aggregation configuration Configuration procedure The following only lists the configura

Page 132 - 1 GVRP Configuration

1-11 3) Adopting dynamic LACP aggregation mode # Enable LACP on Ethernet1/0/1 through Ethernet1/0/3. <Sysname> system-view [Sysname] interface

Page 133 - GARP message format

i Table of Contents 1 Port Isolation Configuration

Page 134

1-1 1 Port Isolation Configuration Port Isolation Overview Through the port isolation feature, you can add the ports to be controlled into an isolat

Page 135 - GVRP Configuration

1-2 z When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group on the local device

Page 136 - Configuring GVRP Timers

1-4 The high-to-low user level switching is unlimited. However, the low-to-high user level switching requires the corresponding authentication. Gener

Page 137

1-3 Network diagram Figure 1-1 Network diagram for port isolation configuration Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Eth

Page 138 - GVRP Configuration Example

i Table of Contents 1 Port Security Configuration

Page 139

1-1 1 Port Security Configuration When configuring port security, go to these sections for information you are interested in: z Port Security Overv

Page 140

1-2 Table 1-1 Description of port security modes Security mode Description Feature noRestriction In this mode, access to the port is not restricted

Page 141

1-3 Security mode Description Feature userLoginSecure MAC-based 802.1x authentication is performed on the access user. The port is enabled only aft

Page 142 - 1 Port Basic Configuration

1-4 Security mode Description Feature macAddressElseUserLoginSecureExt This mode is similar to the macAddressElseUserLoginSecure mode, except that

Page 143

1-5 Enabling Port Security Configuration Prerequisites Before enabling port security, you need to disable 802.1x and MAC authentication globally. En

Page 144

1-6 To do... Use the command... Remarks Enter Ethernet port view interface interface-type interface-number — Set the maximum number of MAC addresse

Page 145

1-7 If the port-security port-mode mode command has been executed on a port, none of the following can be configured on the same port: z Maximum num

Page 146

1-8 If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch will be unable to di

Page 147 - Enabling Loopback Test

1-5 When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode f

Page 148 - Configuring a Port Group

1-9 To do… Use the command… Remarks Enter system view system-view — Set the interval at which the switch triggers MAC address authentication after

Page 149

1-10 To do... Use the command... Remarks Enter Ethernet port view interface interface-type interface-number — Ignore the authorization information

Page 150 - Configuration example

1-11 To do... Use the command... Remarks interface interface-type interface-number In Ethernet port view mac-address security mac-address vlan vlan

Page 151

1-12 To do... Use the command... Remarks Display information about security MAC address configuration display mac-address security [ interface inte

Page 152

1-13 [Switch-Ethernet1/0/1] quit [Switch] port-security timer disableport 30 Guest VLAN Configuration Example Network requirements As shown in Figure

Page 153

1-14 [Switch] radius scheme 2000 [Switch-radius-2000] primary authentication 10.11.1.1 1812 [Switch-radius-2000] primary accounting 10.11.1.1 1813 [S

Page 154 - <Sysname> system-view

2-1 2 Port Binding Configuration When configuring port binding, go to these sections for information you are interested in: z Port Binding Overview

Page 155

2-2 Configuring Port Binding Follow these steps to configure port binding: To do... Use the command... Remarks Enter system view system-view — In s

Page 156 - Overview

2-3 Network diagram Figure 2-1 Network diagram for port binding configuration 10.12.1.1/24 MAC address: 0001-0002-0003 Host A Host B Eth1/0/1 Switch A Swi

Page 157 - Manual Aggregation Group

i Table of Contents 1 DLDP Configuration

Page 158

1-6 Operation Command Description Enter system view system-view — Enter ISP domain view domain domain-name — Set the HWTACACS authentication scheme

Page 159

1-1 1 DLDP Configuration When configuring DLDP, go to these sections for information you are interested in: z Overview z DLDP Fundamentals z DLDP

Page 160 - Aggregation Group Categories

1-2 Figure 1-1 Fiber cross-connection Figure 1-2 Fiber broken or not connected Switch A GE1/1/1 GE1/1/2 Switch B GE1/1/1 GE1/1/2 PC Device link detecti

Page 161

1-3 z The auto-negotiation mechanism at the physical layer detects physical signals and faults. DLDP identifies peer devices and unidirectional link

Page 162

1-4 DLDP packet type Function LinkDown Linkdown packets are used to notify unidirectional link emergencies (a unidirectional link emergency occurs w

Page 163

1-5 Status Description DelayDown When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not removes t

Page 164

1-6 Timer Description DelayDown timer When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remo

Page 165

1-7 Figure 1-3 A case for Enhanced DLDP mode z In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1 ) can

Page 166

1-8 Table 1-6 The procedure to process a received DLDP packet Packet type Processing procedure If the corresponding neighbor entry does not exist on

Page 167

1-9 Link Auto-recovery Mechanism If the shutdown mode of a port is set to auto shutdown, the port is set to the DLDP down state when DLDP detects the

Page 168 - Port Isolation Configuration

1-10 To do … Use the command … Remarks Set the delaydown timer dldp delaydown-timer delaydown-time Optional By default, the delaydown timer expires

Page 169

Copyright © 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in

Page 170

1-7 # Set the password used by the current user to switch to level 3. [Sysname] super password level 3 simple 123 z A VTY 0 user switches its level

Page 171

1-11 This function is only applicable to ports that are in DLDP down state. Follow these steps to reset DLDP state: To do … Use the command … Rem

Page 172 - Port Security Configuration

1-12 Network diagram Figure 1-4 Network diagram for DLDP configuration Switch A GE1/1/1 GE1/1/2 Switch B GE1/1/1 GE1/1/2 PC Configuration procedure 1) C

Page 173

1-13 When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive s

Page 174

i Table of Contents 1 MAC Address Table Management

Page 175

1-1 1 MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in: z Ove

Page 176 - Enabling Port Security

1-2 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address l

Page 177

1-3 3) Because the switch broadcasts the packet, both User B and User C can receive the packet. However, User C is not the destination device of the

Page 178 - Configuring the NTK feature

1-4 Managing MAC Address Table Aging of MAC address table To fully utilize a MAC address table, which has a limited capacity, the switch uses an agin

Page 179 - Configuring the Trap feature

1-5 MAC Address Replication Configuration The contents of this section are only applicable to the S3100-EI series among S3100 series switches. Over

Page 180

1-6 With the MAC address replication feature enabled, the switch copies the MAC address entries of the original VLAN to the MAC address table of the

Page 181

1-8 Table 1-2 lists the CLI views provided by S3100 series Ethernet switches, operations that can be performed in different CLI views and the command

Page 182

1-7 Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or

Page 183

1-8 z When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entr

Page 184

1-9 By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of the MAC add

Page 185

1-10 z If the VLAN is configured as a remote probe VLAN used by port mirroring, you can not disable MAC address learning of this VLAN. Similarly, a

Page 186 - Port Binding Configuration

1-11 Configuring MAC Address Replication The contents of this section are only applicable to the S3100-EI series among S3100 series switches. Follo

Page 187 - Configuring Port Binding

1-12 Configuration Example Adding a Static MAC Address Entry Manually Network requirements The server connects to the switch through Ethernet 1/0/2.

Page 188 - Eth1/0/1

1-13 Figure 1-8 Network diagram for MAC address replication and VLAN marking configuration (figure labels: Eth1/0/1, Network 192.168.1.0/24, Network, MAC-A VLAN3, MAC-A VLAN

Page 189

1-14 # Configure MAC address replication on Ethernet 1/0/1 to copy the MAC address entries of VLAN 3 to the MAC address table of VLAN 4. [SwitchA-Et

Page 190 - 1 DLDP Configuration

i Table of Contents 1 MSTP Configuration

Page 191 - GE1/1/1 GE1/1/2

ii Introduction 1-4

Page 192 - DLDP Fundamentals

1-9 View Available operation Prompt example Enter method Quit method FTP client view Configure FTP client parameters [ftp] Execute the ftp command i

Page 193 - DLDP Status

1-1 1 MSTP Configuration Go to these sections for information you are interested in: z Overview z MSTP Configuration Task List z Configuring Root

Page 194 - DLDP Timers

1-2 STP identifies the network topology by transmitting BPDUs between STP compliant network devices, typically switches and routers. BPDUs contain su

Page 195 - DLDP Operating Mode

1-3 Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. 4) Bridge I

Page 196 - DLDP Implementation

1-4 6) Port ID A port ID used on an H3C device consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the

Page 197 - DLDP Neighbor State

1-5 Table 1-2 Selection of the optimum configuration BPDU Step Description 1 Upon receiving a configuration BPDU on a port, the device performs the

Page 198 - DLDP Configuration

1-6 Step Description 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined,

Page 199 - Resetting DLDP State

1-7 Device Port name BPDU of port BP1 {1, 0, 1, BP1} Device B BP2 {1, 0, 1, BP2} CP1 {2, 0, 2, CP1} Device C CP2 {2, 0, 2, CP2} z Comparison

Page 200 - DLDP Configuration Example

1-8 Device Comparison process BPDU of port after comparison z Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds

Page 201

1-9 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified,

Page 202 - [SwitchA] dldp reset

1-10 For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a pe

Page 203

1-10 View Available operation Prompt example Enter method Quit method Advanced IPv6 ACL view Define rules for an advanced IPv6 ACL (with ID ranging

Page 204 - MAC Address Table Management

1-11 z MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces i

Page 205 - User B User C

1-12 3) MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one M

Page 206

1-13 z A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enable

Page 207 - Managing MAC Address Table

1-14 z Forwarding state. Ports in this state can forward user packets and receive/send BPDUs. z Learning state. Ports in this state can receive/sen

Page 208

1-15 In addition to the basic MSTP functions, H3C series switches also provide the following functions for users to manage their switches. z Root br

Page 209

1-16 Task Remarks Configuring the Timeout Time Factor Optional Configuring the Maximum Transmitting Rate on the Current Port Optional The default v

Page 210

1-17 Configuring Root Bridge Configuring an MST Region Configuration procedure Follow these steps to configure an MST region: To do... Use the comma

Page 211

1-18 z MSTP-enabled switches are in the same region only when they have the same format selector (a 802.1s-defined protocol selector, which is 0 by

Page 212

1-19 Specify the current switch as the secondary root bridge of a spanning tree Follow these steps to specify the current switch as the secondary roo

Page 213

1-20 Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a s

Page 214

1-11 View Available operation Prompt example Enter method Quit method PKI entity view Configure PKI entity parameters [Sysname-pki-entity-en] Execut

Page 215 - Configuration Example

1-21 In auto mode, if a port frequently receives MSTP packets of different formats alternately, the port will be forcibly placed in the discarding s

Page 216

1-22 z STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network,

Page 217 - [SwitchA-Ethernet1/0/1] quit

1-23 To do... Use the command... Remarks Configure the maximum hop count of the MST region stp max-hops hops Required By default, the maximum hop c

Page 218

1-24 Configuration procedure Follow these steps to configure MSTP time-related parameters: To do... Use the command... Remarks Enter system view sy

Page 219

1-25 Configuration example # Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300 centiseconds, and the

Page 220 - 1 MSTP Configuration

1-26 To do... Use the command... Remarks Enter system view system-view — Configure the maximum transmitting rate for specified ports stp interface

Page 221 - Basic concepts in STP

1-27 To do... Use the command... Remarks Configure the specified ports as edge ports stp interface interface-list edged-port enable Required By def

Page 222

1-28 You can determine whether or not the link connected to a port is a point-to-point link in one of the following two ways. Setting the Link Type o

Page 223 - How STP works

1-29 Enabling MSTP Configuration procedure Follow these steps to enable MSTP in system view: To do... Use the command... Remarks Enter system view sy

Page 224

1-30 [Sysname-Ethernet1/0/1] stp disable Configuring Leaf Nodes Configuring the MST Region Refer to Configuring an MST Region. Configuring How a Port

Page 225

1-12 The shortcut key <Ctrl+Z> is equivalent to the return command. CLI Features Online Help When configuring the switch, you can use the on

Page 226

1-31 Table 1-7 Transmission rates vs. path costs Rate Operation mode (half-/full-duplex) 802.1D-1998 IEEE 802.1t Latency standard 0 — 65,535 200,0

Page 227

1-32 Follow these steps to configure the path cost for a port in Ethernet port view: To do... Use the command... Remarks Enter system view system-v

Page 228

1-33 Configure port priority in system view Follow these steps to configure port priority in system view: To do... Use the command... Remarks Enter

Page 229 - Why MSTP

1-34 Performing mCheck Operation Ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible, and MSTP. If a port on

Page 230 - Basic MSTP Terminology

1-35 [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp mcheck Configuring Guard Functions The following guard functions are available on

Page 231

1-36 Configuring Root Guard A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondar

Page 232

1-37 Configuration example # Enable the root guard function on Ethernet 1/0/1. 1) Perform this configuration in system view <Sysname> system-v

Page 233 - Principle of MSTP

1-38 Configuration example # Enable the loop guard function on Ethernet 1/0/1. <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysnam

Page 234 - MSTP Configuration Task List

1-39 # Set the maximum times for the switch to remove the MAC address table and ARP entries within 10 seconds to 5. <Sysname> system-view [Sysn

Page 235

1-40 Configuring Digest Snooping Introduction According to IEEE 802.1s, two interconnected switches can communicate with each other through MSTIs in

Page 236 - Configuring Root Bridge

1-13 Partial online help 1) Enter a character/string, and then a question mark (?) next to it. All the commands beginning with the character/string

Page 237

1-41 To do... Use the command... Remarks Return to system view quit — Enable the digest snooping feature globally stp config-digest-snooping Requir

Page 238

1-42 Figure 1-6 and Figure 1-7 illustrate the rapid transition mechanisms on designated ports in RSTP and MSTP. Figure 1-6 The RSTP rapid transition

Page 239

1-43 upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables designated ports of the upstream swit

Page 240

1-44 z The rapid transition feature can be enabled on only root ports or alternate ports. z If you configure the rapid transition feature on a des

Page 241

1-45 Configuring VLAN-VPN tunnel Follow these steps to configure VLAN-VPN tunnel: To do... Use the command... Remarks Enter system view system-view

Page 242

1-46 Configuration Example # Enable log/trap output for the ports of instance 1. <Sysname> system-view [Sysname] stp instance 1 portlog # Enab

Page 243

1-47 To do... Use the command... Remarks Display information about the root port of the instance where the switch resides display stp root Clear sta

Page 244

1-48 [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30 [Sysname-mst-region] in

Page 245

1-49 [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30 [Sysname-mst-region] in

Page 246

1-50 # Add Ethernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-Vlan10] port Ethernet 1/0/1 3) Configure Switch C # Enable MSTP. <Sysname> sy

Page 247

1-14 Purpose Operation Remarks Recall the next history command Press the down arrow key or <Ctrl+N> This operation recalls the next history c

Page 248 - Enabling MSTP

1-51 [Sysname-GigabitEthernet1/0/1] port trunk permit vlan all

Page 249 - Configuring Leaf Nodes

i Table of Contents 1 Multicast Overview

Page 250

ii Introduction to MLD Snooping 3-1 Basic Conc

Page 251 - Configuring Port Priority

iii Configuration Prerequisites 4-3 Confi

Page 252

1-1 1 Multicast Overview Multicast Overview With the development of networks on the Internet, more and more interaction services such as data, voice, an

Page 253 - Performing mCheck Operation

1-2 Information Transmission in the Broadcast Mode When you adopt broadcast, the system transmits information to all users on a network. Any user on

Page 254 - Configuring Guard Functions

1-3 Figure 1-3 Information transmission in the multicast mode Assume that Hosts B, D and E need the information. To transmit the information to th

Page 255 - Configuring Root Guard

1-4 Table 1-1 An analogy between TV transmission and multicast transmission Step TV transmission Multicast transmission 1 A TV station transmits

Page 256 - Configuring Loop Guard

1-5 ASM model In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a m

Page 257

1-6 Multicast Address As receivers are multiple hosts in a multicast group, you should be concerned about the following questions: z What destinati

Page 258 - Configuring BPDU Dropping

1-15 Press… To… Left arrow key or <Ctrl+B> Move the cursor one character to the left. Right arrow key or <Ctrl+F> Move the cursor one

Page 259 - Configuring Digest Snooping

1-7 Class D address range Description 232.0.0.0 to 232.255.255.255 Available source-specific multicast (SSM) multicast group addresses. 239.0.0.0 to

Page 260 - Configuring Rapid Transition

1-8 Figure 1-4 IPv6 multicast format Referring to Figure 1-4, the meanings of the fields of an IPv6 multicast address are as follows: z 0xFF: Th

Page 261

1-9 Value Meaning E Global scope Group ID: 112 bits, IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group in the scope

Page 262

1-10 Multicast Protocols z Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast p

Page 263 - Configuring VLAN-VPN Tunnel

1-11 2) Multicast routing protocols A multicast routing protocol runs on Layer 3 multicast devices to establish and maintain multicast routes and fo

Page 264 - Introduction

1-12 In the traditional multicast-on-demand mode, when users in different VLANs on a Layer 2 device need multicast information, the upstream Layer 3

Page 265

1-13 using the RPF interface as the incoming interface, and installs the entry into the multicast forwarding table. z If the interface on which the

Page 266 - MSTP Configuration Example

1-14 the interface on which the packet actually arrived. The RPF check succeeds and the packet is forwarded.

Page 267

2-1 2 IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mec

Page 268

2-2 Figure 2-2 IGMP Snooping related ports (figure labels: Router A, Switch A, Switch B, Eth1/0/1, Eth1/0/2, Eth1/0/3, Eth1/0/1, Eth1/0/2, Receiver, Receiver, Host A, Host B, Host C, Host D

Page 269

i Table of Contents 1 Logging into an Ethernet Switch

Page 270

2-3 z If the receiving port is a router port existing in its router port list, the switch resets the aging timer of this router port. z If the rec

Page 271

2-4 z If any IGMP report in response to the group-specific query arrives at the member port before its aging timer expires, this means that some oth

Page 272

2-5 Operation Command Remarks Enable IGMP Snooping globally igmp-snooping enable Required By default, IGMP Snooping is disabled globally. Enter VLA

Page 273

2-6 Configuring Timers This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports. Ta

Page 274 - 1 Multicast Overview

2-7 z The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. z The configuration perform

Page 275

2-8 Operation Command Remarks Configure a multicast group filter igmp-snooping group-policy acl-number [ vlan vlan-list ] Optional No group filter

Page 276 - Roles in Multicast

2-9 z To prevent traffic bursts in the network or performance deterioration of the device caused by excessive multicast groups, you can set the m

Page 277 - Multicast Models

2-10 Operation Command Remarks Enable IGMP Snooping igmp-snooping enable Required By default, IGMP Snooping is disabled. Enter VLAN view vlan vlan-

Page 278 - Multicast Architecture

2-11 Table 2-11 Suppress flooding of unknown multicast traffic in the VLAN Operation Command Remarks Enter system view system-view — Enable unkno

Page 279 - Multicast Address

2-12 Operation Command Remarks Configure specified port(s) as static member port(s) of a multicast group in the VLAN multicast static-group group-

Page 280

1 Preface H3C S3100 Series Ethernet Switches Operation Manual-Release 22XX Series describes the software features for the H3C S3100 Series Ethernet Sw

Page 281

ii Configuration on the Switch Side 4-1 Mod

Page 282 - E Global scope

2-13 z When receiving an IGMP general query, the simulated host responds with an IGMP report. Meanwhile, the switch sends the same IGMP report to it

Page 283 - Multicast Protocols

2-14 It is not recommended to configure this function while the multicast VLAN function is in effect. Configuring Multicast VLAN In traditional mul

Page 284 - Layer 2 multicast protocols

2-15 Operation Command Remarks Enable IGMP Snooping igmp-snooping enable — Enter VLAN view vlan vlan-id — Enable IGMP Snooping igmp-snooping enab

Page 285

2-16 Table 2-20 Display and maintain IGMP Snooping Operation Command Remarks Display the current IGMP Snooping configuration display igmp-snooping

Page 286

2-17 2) Configure Router A # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet1/0/1. <RouterA> system

Page 287

2-18 Configuring Multicast VLAN Network requirements As shown in Figure 2-4, Workstation is a multicast source. Switch A forwards multicast data from

Page 288 - IGMP Snooping Configuration

2-19 1) Configure Switch A: # Set the interface IP address of VLAN 20 to 168.10.1.1 and enable PIM DM on the VLAN interface. <SwitchA> system-

Page 289 - Eth1/0/2

2-20 [SwitchB] interface Ethernet 1/0/2 [SwitchB-Ethernet1/0/2] port link-type hybrid [SwitchB-Ethernet1/0/2] port hybrid vlan 3 10 untagged [SwitchB

Page 290

3-1 3 MLD Snooping Configuration Only the S3100-EI series supports MLD Snooping Configuration. When configuring MLD snooping, go to these sections

Page 291

3-2 Figure 3-1 Before and after MLD snooping is enabled on the Layer 2 device (figure labels: IPv6 multicast packet transmission without MLD Snooping, Source, Multicast

Page 292

1-1 1 Logging into an Ethernet Switch Logging into an Ethernet Switch You can log into an S3100 Ethernet switch in one of the following ways: z Log

Page 293 - Configuring Timers

3-3 Ports involved in MLD snooping, as shown in Figure 3-2, are described as follows: z Router port: A router port is a port on the Ethernet switch

Page 294

3-4 The description about adding or deleting a port in this section is only for a dynamic port. Static ports can be added or deleted only through th

Page 295

3-5 Done messages When a host leaves an IPv6 multicast group, the host sends an MLD done message to the multicast router. When the switch receives a

Page 296

3-6 Figure 3-3 Network diagram for MLD snooping proxying As shown in Figure 3-3, Switch A works as an MLD Snooping proxy. As a host from the persp

Page 297

3-7 MLD Snooping Configuration Task List Complete these tasks to configure MLD snooping: Task Remarks Enabling MLD Snooping Required Configuring

Page 298 - In VLAN interface view

3-8 Configuring Basic Functions of MLD Snooping Configuration Prerequisites Before configuring the basic functions of MLD snooping, complete the foll

Page 299 - In VLAN view

3-9 If you switch MLD snooping from version 2 to version 1, the system will clear all MLD snooping forwarding entries from dynamic joining, and wil

Page 300

3-10 Configuring Aging Timers for Dynamic Ports If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, th

Page 301 - Configuring Multicast VLAN

3-11 To do... Use the command... Remarks Configure the port(s) as static member port(s) mld-snooping static-group ipv6-group-address [ source-ip i

Page 302

3-12 z Each simulated host is equivalent to an independent host. For example, when receiving an MLD query, the simulated host corresponding to each

Page 303

1-2 z VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 1, the second is 2, and so on.

Page 304

3-13 Configuring MLD Snooping Querier Configuration Prerequisites Before configuring MLD snooping querier, complete the following task: z Enable M

Page 305

3-14 the maximum response time (the host obtains the value of the maximum response time from the Max Response Time field in the MLD query it received

Page 306

3-15 Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6 address of MLD queries. Follow these s

Page 307 - [SwitchB-Ethernet1/0/2] quit

3-16 Configuring a Source IPv6 Address for the MLD Messages Sent by the Proxy You can set the source IPv6 addresses in the MLD reports and done messa

Page 308 - MLD Snooping Configuration

3-17 Configuring MLD Report Suppression When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forward

Page 309

3-18 z When the number of IPv6 multicast groups that can be joined on a port reaches the maximum number configured, the system deletes all the forw

Page 310 - How MLD Snooping Works

3-19 To do... Use the command... Remarks Enable IPv6 multicast group replacement mld-snooping overflow-replace [ vlan vlan-list ] Required Disable

Page 311 - Membership reports

3-20 To do… Use the command... Remarks Clear the statistics information of all kinds of MLD messages learned by MLD snooping reset mld-snooping st

Page 312 - MLD Snooping Proxying

3-21 Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure 3-4. The detailed configuration steps ar

Page 313 - Protocols and Standards

3-22 Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):100. Total 1 IP Group(s).

Page 314

2-1 2 Logging in through the Console Port Introduction Logging in through the Console port is the most common way to log into a switch. It is also th

Page 315 - Enabling MLD Snooping

3-23 If no static router port is configured, when the path of Switch A—Switch B—Switch C gets blocked, at least one MLD query-response cycle must be

Page 316

3-24 # Enable MLD snooping globally. <SwitchA> system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create VLAN 100, assign Etherne

Page 317 - Configuring Static Ports

3-25 Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags

Page 318

3-26 As shown above, Ethernet 1/0/3 and Ethernet 1/0/5 on Switch C have become static member ports for IPv6 multicast group FF1E::101. MLD Snooping Q

Page 319

3-27 [SwitchA-vlan100] mld-snooping querier [SwitchA-vlan100] quit 2) Configure Switch B # Enable IPv6 forwarding and enable MLD snooping globally.

Page 320

3-28 Figure 3-7 Network diagram for MLD snooping proxying configuration (figure labels: Source, Receiver, Host B, Host A, Host C, 1::1/64, Eth1/0/4, Eth1/0/2, Eth1/0/3, Eth1/0/1, Eth1/0

Page 321

3-29 After the configuration is completed, Host A and Host B send MLD join messages addressed to group FF1E::101. When receiving the messages, Switch

Page 322

3-30 Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):100. Total 1 IP Group(s).

Page 323

4-1 4 IPv6 Multicast VLAN Configuration Only the S3100-EI series supports IPv6 Multicast VLAN Configuration. When configuring IPv6 multicast VLAN,

Page 324

4-2 As shown in Figure 4-2, Host A, Host B and Host C are in three different user VLANs. All the user ports are hybrid ports. On Switch A, configure

Page 325

2-2 2) If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows XP/Windows 2000). The followi

Page 326

4-3 Configuring IPv6 Multicast VLAN When configuring port-based IPv6 multicast VLAN, you need to configure the attributes of each user port and then

Page 327

4-4 Configuring IPv6 Multicast VLAN Ports In this approach, you need to configure a VLAN as an IPv6 multicast VLAN and then assign user ports to thi

Page 328

4-5 IPv6 Multicast VLAN Configuration Examples Network requirements z As shown in Figure 4-3, Router A connects to an IPv6 multicast source (Source

Page 329

4-6 [RouterA-Ethernet1/0/1] ipv6 pim dm [RouterA-Ethernet1/0/1] quit [RouterA] interface ethernet 1/0/2 [RouterA-Ethernet1/0/2] ipv6 pim dm [RouterA-

Page 330

4-7 # View the MLD Snooping multicast group information on Switch A. [SwitchA] display mld-snooping group Total 1 IP Group(s). Total 1 IP Source(

Page 331

5-1 5 Multicast User Control Policy Configuration Only the S3100-EI series supports multicast user control policy configuration. IPv4 Multicast Us

Page 332

5-2 To do... Use the command... Remarks Configure the mode to apply a QoS profile as user-based undo qos-profile port-based z If the 802.1x authe

Page 333

5-3 Figure 5-1 Network diagram for IPv4 multicast user control policy configuration (figure labels: Switch B, Receiver, Host A, Host B, Eth1/0/2, Eth1/0/3, Eth1/0/1, Source 11.1.1

Page 334

5-4 [SwitchB] igmp-snooping enable # Create VLAN 103, assign Ethernet 1/0/1 through Ethernet 1/0/3 to this VLAN, and enable IGMP snooping in this VLA

Page 335

5-5 # Display information about IGMP snooping multicast groups in VLAN 103 on Switch B. [SwitchB] display igmp-snooping group vlan 103 verbose Tota

Page 336

2-3 Figure 2-4 Set port parameters 3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (p

Page 337 - Troubleshooting MLD Snooping

5-6 is then processed as per the rule), the rule order is important in determining which match criteria will apply. Two rule orders are available fo

Page 338

5-7 A bigger step means more numbering flexibility. This is helpful when the config rule order is adopted, with which ACL rules are sorted in ascendi

Page 339 - Configuration task Remarks

5-8 z You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to c

Page 340

5-9 To do… Use the command… Remarks Set the rule numbering step step step-value Optional 5 by default Configure a description for the advanced IP

Page 341

5-10 z The source IPv6 ACL and the destination IPv6 ACL must be of the same type. z The destination ACL does not take the name of the source IPv6

Page 342

5-11 To do... Use the command... Remarks Configure an IPv6 multicast group filter mld-snooping group-policy acl6-number [ vlan vlan-list ] Require

Page 343

5-12 z For details about the qos-profile, qos-profile port-based and undo qos-profile port-based commands, refer to QoS-QoS Profile Operation. z A

Page 344

5-13 # Create VLAN 101 through VLAN 104 and assign Ethernet 1/0/1 through Ethernet 1/0/3 to the four VLANs respectively. <SwitchA> system-view

Page 345

5-14 [SwitchB-radius-scheme1] primary accounting 2::1 [SwitchB-radius-scheme1] key accounting 321123 [SwitchB-radius-scheme1] user-name-format withou

Page 346

5-15 MAC group address:3333-0000-0101 Host port(s):total 1 port. Eth1/0/3 As shown above, Ethernet 1/0/3 on Switch B has

Page 347 - Configuration procedures

2-4 Console Port Login Configuration Common Configuration Table 2-2 lists the common configuration of Console port login. Table 2-2 Common configurat

Page 348

6-1 6 Common Multicast Configuration Common Multicast Configuration Table 6-1 Common multicast configuration tasks Configuration task Remarks Conf

Page 349 - IPv6 ACL Overview

6-2 Configuring multicast source port suppression in Ethernet port view Table 6-3 Configure multicast source port suppression in Ethernet port view O

Page 350

6-3 z If the multicast MAC address entry to be created already exists, the system gives you a prompt. z If you want to add a port to a multicast M

Page 351 - IPv6 ACL Configuration

6-4 Table 6-7 Display common multicast configuration Operation Command Remarks Display the statistics information about multicast source port suppr

Page 352

i Table of Contents 1 802.1x Configuration

Page 353 - Copying an IPv6 ACL

ii 4 System-Guard Configuration (For S3100-EI) 4-1 System-Gua

Page 354

1-1 1 802.1x Configuration Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address secur

Page 355

1-2 stores user information, such as user name, password, the VLAN a user belongs to, priority, and the ACLs (access control list) applied. The four

Page 356

1-3 Figure 1-2 The mechanism of an 802.1x authentication system z EAP protocol packets transmitted between the supplicant system PAE and the authe

Page 357

1-4 z The Packet body field differs with the Type field. Note that EAPoL-Start, EAPoL-Logoff, and EAPoL-Key packets are only transmitted between the

Page 358

2-5 Table 2-3 Console port login configurations for different authentication modes Authentication mode Console port login configuration Remarks None

Page 359 - Eth1/0/3

1-5 fragmented and are encapsulated in multiple EAP-message fields. The type code of the EAP-message field is 79. Figure 1-6 The format of an EAP-mes

Page 360

1-6 Figure 1-8 802.1x authentication procedure (in EAP relay mode) (figure labels: Supplicant System PAE, RADIUS server, EAPOL, EAPOR, EAPOL-Start, EAP-Request / Identity, EAP-Re

Page 361

1-7 z The RADIUS server compares the received encrypted password (contained in a RADIUS access-request packet) with the locally-encrypted password.

Page 362

1-8 Figure 1-9 802.1x authentication procedure (in EAP terminating mode) (figure labels: Supplicant system PAE, Authenticator system PAE, RADIUS server, EAPOL, RADIUS, EAPOL-

Page 363

1-9 request packet if it does not receive the response from the RADIUS server when this timer times out. z Supplicant system timer (supp-timeout). T

Page 364

1-10 z The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. z The CAMS server is configured to disab

Page 365

1-11 If a user of a port in the guest VLAN initiates authentication but fails the authentication, the port will be added to the Auth-Fail VLAN config

Page 366 - 1 802.1x Configuration

1-12 z If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes offline, the port returns to its initial V

Page 367 - The way a port is controlled

1-13 Figure 1-10 802.1x re-authentication (figure labels: PC, Internet, PC, PC, RADIUS Server, Switch) 802.1x re-authentication can be enabled in one of the following two way

Page 368

1-14 z 802.1x users use domain names to associate with the ISP domains configured on switches z Configure the AAA scheme (a local authentication s

Page 369 - The format of an EAP packet

2-6 Operation Command Description Configure not to authenticate users authentication-mode none Required By default, users logging in through the Co

Page 370 - EAP relay mode

1-15 Operation Command Remarks quit In system view dot1x port-method { macbased | portbased } [ interface interface-list ] interface interface-type

Page 371

1-16 z 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. z If you enable 802.1x for a port, yo

Page 372 - EAP terminating mode

1-17 Operation Command Remarks Set 802.1x timers dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-t

Page 373

1-18 authentication domains for different ports even if the user certificates are from the same certificate authority (that is, the user domain names

Page 374

1-19 Configuring Proxy Checking Table 1-4 Configure proxy checking Operation Command Remarks Enter system view system-view — Enable proxy checking

Page 375 - The Guest VLAN function

1-20 Operation Command Remarks Set the client version checking period timer dot1x timer ver-period ver-period-value Optional By default, the timer

Page 376 - Auth-Fail VLAN

1-21 Configuring Guest VLAN Table 1-8 Configure a guest VLAN Operation Command Remarks Enter system view system-view — In system view dot1x guest-v

Page 377

1-22 z At present, only the S3100-EI series supports the Auth-Fail VLAN function. z Different ports can be configured with different Auth-Fail VLA

Page 378 - Internet

1-23 2) The switch uses the value configured with the dot1x timer reauth-period command as the re-authentication interval for access users. Note the

Seite 379 - Basic 802.1x Configuration

1-24 z The switch is connected to a server comprising of two RADIUS servers whose IP addresses are 10.11.1.1 and 10.11.1.2. The RADIUS server with a

Seite 380

2-7 Configuration Example Network requirements Assume that the switch is configured to allow users to log in through Telnet, and the user level is se

Seite 381

1-25 # Create a RADIUS scheme named “radius1” and enter RADIUS scheme view. [Sysname] radius scheme radius1 # Assign IP addresses to the primary auth

Seite 382

1-26 802.1X Mandatory Authentication Domain Configuration Example Network Requirements As shown in Figure 1-13, Host A (an 802.1X user) and Host B (a

Seite 383

1-27 [Switch-isp-aabbcc] scheme radius-scheme radius1 [Switch-isp-aabbcc] quit # Configure RADIUS scheme radius1. [Switch] radius scheme radius1 [Sw

Seite 384 - Configuring Proxy Checking

2-1 2 Quick EAD Deployment Configuration The configuration introduced in this chapter is only supported by the S3100-EI series switches. Introduc

Seite 385

2-2 Configuring Quick EAD Deployment Configuration Prerequisites z Enable 802.1x on the switch. z Set the access mode to auto for 802.1x-enabled po

Seite 386 - Configuring Guest VLAN

2-3 You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not passed aut

Seite 387

2-4 Network diagram Figure 2-1 Network diagram for quick EAD deployment Configuration procedure Before enabling quick EAD deployment, be sure tha

Seite 388

2-5 Troubleshooting Symptom: A user cannot be redirected to the specified URL server, no matter what URL the user enters in the IE address bar. Solu

Seite 389

3-1 3 HABP Configuration Introduction to HABP With 802.1x enabled, a switch authenticates and then authorizes 802.1x-enabled ports. Packets can be f

Seite 390

3-2 HABP Client Configuration HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an

Seite 391 - Network Requirements

2 Part Features 05-Static Route Operation z Introduction to static route z Static route configuration z Troubleshooting a static route 06-IP Addre

Seite 392 - # Enable 802.1X globally

2-8 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog

Seite 393 - HTTP redirection

4-1 4 System-Guard Configuration (For S3100-EI) The configuration introduced in this chapter is only supported by the S3100-EI series switches. S

Seite 394

4-2 Operation Command Description Set the length of the isolation after an attack is detected system-guard timer-interval isolate-timer Optional By

Seite 395

5-1 5 System-Guard Configuration (For S3100-SI) The configuration introduced in this chapter is only supported by the S3100-SI series switches. S

Seite 396

5-2 Table 5-2 Configure system-guard related parameters Operation Command Description Enter system view system-view — Configure system-guard-relate

Seite 397 - Troubleshooting

i Table of Contents 1 AAA Overview····················································································································

Seite 398 - 3 HABP Configuration

ii Per User Type AAA Configuration Example··················································································2-31 Remote RADIUS Authent

Seite 399 - Displaying HABP

1-1 1 AAA Overview Introduction to AAA AAA is the acronym for the three security functions: authentication, authorization and accounting. It provide

Seite 400 - System-Guard Overview

1-2 Accounting AAA supports the following accounting methods: z None accounting: No accounting is performed for users. z Local accounting: It is no

Seite 401

1-3 Introduction to AAA Services Introduction to RADIUS AAA is a management framework. It can be implemented by not only one protocol. But in practic

Seite 402 - System-Guard Configuration

1-4 the authentication response message. Figure 1-3 depicts the message exchange procedure between user, switch and RADIUS server. Figure 1-3 Basic m

Seite 403

2-9 Operation Command Description Set the timeout time for the user interface idle-timeout minutes [ seconds ] Optional The default timeout time o

Seite 404

1-5 Figure 1-4 RADIUS message format 2) The Code field (one byte) decides the type of RADIUS message, as shown in Table 1-1. Table 1-1 Descriptio

Seite 405

1-6 5) The Authenticator field (16 bytes) is used to authenticate the response from the RADIUS server; and is used in the password hiding algorithm.

Seite 406 - 1 AAA Overview

1-7 Figure 1-5 depicts the format of attribute 26. The Vendor-ID field used to identify a vendor occupies four bytes, where the first byte is 0, and
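The message layout described above (Code, Identifier, Length, the 16-byte Authenticator, then attributes; attribute 26 with a 4-byte Vendor-Id whose first byte is 0) and the two uses of the Authenticator (password hiding and authenticating the server's reply) worked through in Python. This is an added example and not code from the H3C manual or any H3C product: it builds an Access-Request whose User-Password is hidden with the RFC 2865 MD5 scheme, adds a Vendor-Specific attribute, parses the datagram with bounds checks, and verifies the Response Authenticator of an Access-Accept against the shared key. The user name, password, the key "expert" and Vendor-Id 25506 are constructed sample values (25506 is assumed here to be H3C's IANA enterprise number; check the registry before relying on it).

```python
import hashlib
import hmac
import os
import struct

# Code values from RFC 2865 (the Code field table above) and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, XOR each chunk with MD5(secret + previous
    chunk); the first 'previous chunk' is the Request Authenticator, so it must be fresh."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vendor_specific(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: 4-octet Vendor-Id with a zero high octet, then vendor type/length/value."""
    if vendor_id >= 1 << 24:
        raise ValueError("Vendor-Id high octet must be 0")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) with bounds checks."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = HEADER.unpack(data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: list) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    body = b"".join(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the switch does with a reply: recompute the Response Authenticator with its own
    copy of the shared key; a mismatch means a forged reply or a key that does not match."""
    _, req_ident, request_auth, _ = parse_packet(request)
    _, ident, resp_auth, _ = parse_packet(response)
    length = HEADER.unpack(response[:4])[2]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return ident == req_ident and hmac.compare_digest(resp_auth, expected)


def demo(secret: bytes = b"expert") -> dict:
    """Constructed Access-Request / Access-Accept exchange; no server is contacted."""
    request_auth = os.urandom(16)   # must be fresh and unpredictable for every request
    request = build_packet(ACCESS_REQUEST, 7, request_auth, [
        attribute(ATTR_USER_NAME, b"user@aabbcc"),
        attribute(ATTR_USER_PASSWORD, hide_password(b"pass", secret, request_auth)),
        vendor_specific(25506, 1, b"example"),   # 25506 assumed to be H3C's enterprise number
    ])
    _, _, auth, attrs = parse_packet(request)
    recovered = unhide_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth)
    accept = build_response(ACCESS_ACCEPT, request, secret, [attribute(ATTR_USER_NAME, b"user@aabbcc")])
    return {"password": recovered,
            "genuine": verify_response(accept, request, secret),
            "wrong_key": verify_response(accept, request, b"not-the-key")}
```

The Response Authenticator check is what stops anything that can reach the switch's RADIUS port from simply sending it an Access-Accept; it is only as strong as the shared key, and the password hiding is only as strong as MD5 keyed by that same key and a fresh Request Authenticator. Both checks also depend on the Length field being trusted no further than the datagram that carried it, which is why parse_packet rejects any attribute that overruns it.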

Seite 407 - Introduction to ISP Domain

1-8 Figure 1-6 Network diagram for a typical HWTACACS application (Host, HWTACACS client, HWTACACS servers) Basic message exchange procedure

Seite 408 - Introduction to AAA Services

1-9 1) A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server.

Seite 409 - RADIUS message format

2-1 2 AAA Configuration AAA Configuration Task List Configuration introduction You need to configure AAA to provide network access services for lega

Seite 410

2-2 Task Remarks Cutting Down User Connections Forcibly Optional Creating an ISP Domain and Configuring Its Attributes Table 2-3 Create an ISP dom

Seite 411

2-3 z If you have configured to use "." as the delimiter, for a user name that contains multiple ".", the first "." wi

Seite 412 - Introduction to HWTACACS

2-4 Operation Command Remarks Create an ISP domain and enter its view, or enter the view of an existing ISP domain domain isp-name Required Config

Seite 413 - HWTACACS server

2-5 z You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all the three A

Seite 414

2-10 # Set the local password to 123456 (in plain text). [Sysname-ui-aux0] set authentication password simple 123456 # Specify commands of level 2 ar

Seite 415 - 2 AAA Configuration

2-6 z Local authentication (local): Authentication is performed by the NAS, which is configured with the user information, including the usernames,

Seite 416

2-7 Operation Command Remarks Specify the default authorization method for all types of users authorization { local | none | hwtacacs-scheme hwtaca

Seite 417

2-8 Configuring Dynamic VLAN Assignment The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully auth

Seite 418

2-9 z In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch fir

Seite 419

2-10 Operation Command Remarks Configure the authorization VLAN for the local user authorization vlan string Required By default, no authorization

Seite 420

2-11 You can use the display connection command to view the connections of Telnet users, but you cannot use the cut connection command to cut down

Seite 421

2-12 Task Remarks Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configuring th

Seite 422

2-13 Operation Command Remarks Enable RADIUS authentication port radius client enable Optional By default, RADIUS authentication port is enabled. C

Seite 423

2-14 z The authentication response sent from the RADIUS server to the RADIUS client carries authorization information. Therefore, you need not (and

Seite 424

2-15 Follow these steps to configure the RADIUS authorization attribute ignoring function: To do… Use the command… Remarks Enter system view system

Seite 425

2-11 Operation Command Description Configure to authenticate users locally or remotely authentication-mode scheme [ command- authorization ] Requir

Seite 426 - Creating a RADIUS Scheme

2-16 Configuring RADIUS Accounting Servers Table 2-14 Configure RADIUS accounting servers Operation Command Remarks Enter system view system-view —

Seite 427

2-17 z In an actual network environment, you can specify one server as both the primary and secondary accounting servers, as well as specifying two

Seite 428

2-18 The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared

Seite 429

2-19 z If you change the type of RADIUS server, the data stream destined to the original RADIUS server will be restored to the default unit. z Whe

Seite 430

2-20 Configuring the Attributes of Data to be Sent to RADIUS Servers Table 2-19 Configure the attributes of data to be sent to RADIUS servers Operati

Seite 431

2-21 z Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character repres

Seite 432

2-22 z If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, t

Seite 433

2-23 Operation Command Remarks Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme name

Seite 434

2-24 In an environment that a CAMS server is used to implement AAA functions, if the switch reboots after an exclusive user (a user whose concurrent

Seite 435

2-25 HWTACACS Configuration Task List Table 2-24 HWTACACS configuration tasks Task Remarks Creating an HWTACACS Scheme Required Configuring TACACS

Seite 436

2-12 Configuration Example Network requirements Assume the switch is configured to allow users to log in through Telnet, and the user level is set to

Seite 437

2-26 Operation Command Remarks Set the IP address and port number of the primary TACACS authentication server primary authentication ip-address [ p

Seite 438

2-27 Configuring TACACS Accounting Servers Table 2-28 Configure TACACS accounting servers Operation Command Remarks Enter system view system-view —

Seite 439 - Creating an HWTACACS Scheme

2-28 Operation Command Remarks Create an HWTACACS scheme and enter its view hwtacacs scheme hwtacacs-scheme-name Required By default, no HWTACACS s

Seite 440

2-29 Configuring the Timers Regarding TACACS Servers Table 2-31 Configure the timers regarding TACACS servers Operation Command Remarks Enter syste

Seite 441

2-30 Operation Command Remarks Display information about user connections display connection [ access-type { dot1x | mac-authentication } | domain

Seite 442

2-31 Operation Command Remarks Delete buffered non-response stop-accounting requests reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-n

Seite 443

2-32 # Configure RADIUS scheme radius1. [Switch] radius scheme radius1 [Switch-radius-radius1] primary authentication 10.110.91.164 1812 [Switch-radi

Seite 444

2-33 The Telnet user names added to the RADIUS server must be in the format of userid@isp-name if you have configured the switch to include domain na

Seite 445 - AAA Configuration Examples

2-34 The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet use

Seite 446

2-35 z Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration s

Seite 447

2-13 [Sysname-ui-aux0] speed 19200 # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-aux0] screen-length 30 # Set the maxim

Seite 448

2-36 Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. Thi

Seite 449

3-1 3 EAD Configuration Only the S3100-EI series switches support the EAD configuration. Introduction to EAD Endpoint admission defense (EAD) is

Seite 450 - Troubleshooting AAA

3-2 Figure 3-1 Typical network application of EAD (Supplicant, Authentication server, Security policy server, Virus patch server) After a client passes the

Seite 451 - 3 EAD Configuration

3-3 EAD Configuration Example Network requirements In Figure 3-2: z A user is connected to Ethernet 1/0/1 on the switch. z The user adopts 802.1x

Seite 452 - EAD Configuration

3-4 [Sysname-radius-cams] key authentication expert [Sysname-radius-cams] server-type extended # Configure the IP address of the security policy serv

Seite 453 - EAD Configuration Example

i Table of Contents 1 MAC Authentication Configuration································································································

Seite 454

1-1 1 MAC Authentication Configuration MAC Authentication Overview MAC authentication provides a way for authenticating users based on ports and MAC

Seite 455

1-2 Related Concepts MAC Authentication Timers The following timers function in the process of MAC authentication: z Offline detect timer: At this i

Seite 456 - MAC Authentication Overview

1-3 Operation Command Remarks Set the user name in fixed mode for MAC authentication mac-authentication authmode usernamefixed Configure the user nam

Seite 457 - Related Concepts

1-4 MAC Address Authentication Enhanced Function Configuration MAC Address Authentication Enhanced Function Configuration Tasks Table 1-2 MAC addres

Seite 458

3-1 3 Logging in through Telnet Introduction S3100 series Ethernet switches support Telnet. You can manage and maintain a switch remotely by Telnett

Seite 459

1-5 In PGV or PAFV mode, when a user fails MAC authentication on a port, the device adds the port to the guest VLAN or Auth-Fail VLAN. Therefore, t

Seite 460

1-6 z The Auth-Fail VLAN for MAC authentication takes precedence over the guest VLAN for MAC authentication. When both of them are configured on a

Seite 461 - Access a Port

1-7 z If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security func

Seite 462

1-8 MAC Authentication Configuration Example Network requirements As illustrated in Figure 1-1, a supplicant is connected to the switch through port

Seite 463 - MAC: 00-0d-88-f6-44-c1

1-9 After doing so, your MAC authentication configuration will take effect immediately. Only users with the MAC address of 00-0d-88-f6-44-c1 are allo

Seite 464

i Table of Contents 1 Web Authentication Configuration ·······························································································

Seite 465

1-1 1 Web Authentication Configuration When configuring Web authentication, go to these sections for information you are interested in: z Introduct

Seite 466

1-2 z Web authentication can use only a RADIUS authentication scheme; it does not support local authentication. z The user number limit configured

Seite 467

1-3 z Before enabling global Web authentication, you should first set the IP address of a Web authentication server. z Do not add a Web authentica

Seite 468

1-4 Configuration Procedure Follow these steps to configure an Auth-Fail VLAN for Web authentication: To do… Use the command… Remarks Enter system

Seite 469

3-2 Table 3-2 Common Telnet configuration Configuration Description Configure the command level available to users logging into the VTY user interfa

Seite 470 - Customizing Page Elements

1-5 After you configure HTTPS access for Web authentication on the switch, the switch will allow clients to use HTTPS to open the authentication page

Seite 471 - Rules on file names

1-6 The web-authentication customize command is used to customize part of the information provided on the default authentication page. You cannot ch

Seite 472 - Rules on page requests

1-7 Table 1-1 Main authentication page file names Main authentication page File name Login page login.htm Login success page loginSuccess.htm Logi

Seite 473 - </form>

1-8 <p><input type=SUBMIT value="Login" name = "WaButton" style="width:60px;"> </form> 3) Authenticat

Seite 474

1-9 The auto mode allows a user to move between ports in the same VLAN rather than different VLANs. If a user moves between VLANs, the access is den

Seite 475

1-10 Web Authentication Configuration Example Network requirements As shown in Figure 1-1, a user connects to the Ethernet switch through port Ethern

Seite 476

1-11 [Sysname -radius-radius1] key authentication expert # Configure the system to strip domain name off a user name before transmitting the user nam

Seite 477 - Table of Content

i Table of Content 1 Triple Authentication Configuration······························································································

Seite 478 - Background

1-1 1 Triple Authentication Configuration Triple Authentication Overview Currently, among S3100 series Ethernet switches, only the S3100-EI series

Seite 479 - Extended Functions

1-2 z Upon startup, a terminal triggers MAC authentication first on the access device. If it passes MAC authentication, no other types of authentica

Seite 480 - Network Diagram

3-3 Authentication mode Telnet configuration Description Manage VTY usersSet service type for VTY users Required Perform common configuration Perfor

Seite 481

1-3 Triple Authentication Configuration Complete the following tasks to configure triple authentication: Task Remarks For details Configure 802.1X

Seite 482

1-4 Configuration Procedure z Make sure that the terminals, the servers and the switch are reachable to each other. z If using an external DHCP s

Seite 483

1-5 Configure IP address pool 3, including the address range, lease and gateway address. A short lease is recommended to shorten the time terminals u

Seite 484

1-6 # Set the MAC authentication timers. [Switch] mac-authentication timer offline-detect 180 [Switch] mac-authentication timer quiet 180 # Specify t

Seite 485 - 1 ARP Configuration

i Table of Contents 1 ARP Configuration···············································································································

Seite 486 - ARP Table

1-1 1 ARP Configuration Introduction to ARP ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer a

Seite 487 - ARP Process

1-2 Table 1-1 describes the fields of an ARP packet. Table 1-1 Description on the fields of an ARP packet Field Description Hardware Type Type of th

Seite 488 - ARP attack detection

1-3 Table 1-3 ARP entries ARP entry Generation Method Maintenance Mode Static ARP entry Manually configured Manual maintenance Dynamic ARP entry

Seite 489 - ARP Configuration

1-4 Introduction to ARP Attack Detection Man-in-the-middle attack According to the ARP design, after receiving an ARP response, a host adds the IP-to

Seite 490

1-5 packets, or through trusted ports if the MAC address table contains no such destination MAC addresses. Introduction to ARP Packet Rate Limit To p
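The man-in-the-middle case above (a host answering ARP for an IP address that is not its own so that traffic for the gateway or another host is delivered to it) is what ARP attack detection catches: ARP packets from untrusted ports are checked against the IP-to-MAC-to-port bindings the switch already holds, uplink ports are trusted, and the rate limit handles floods. Added Python example, not code from the manual or the switch software: parse_arp decodes an Ethernet/IPv4 ARP frame, and ArpDetector.check drops packets whose sender IP/MAC pair is not bound to that VLAN and port or whose Ethernet source differs from the ARP sender MAC, passes trusted ports unchecked, and counts ARP packets per port per second, isolating a port that exceeds the threshold for a fixed period. The binding-table layout, the MAC and IP values, the 15 pps threshold and the 30-second isolation are constructed assumptions for this example.

```python
import ipaddress
import struct

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen oper sha spa tha tpa


def parse_arp(frame: bytes) -> dict:
    """Decode Ethernet + ARP; raise on anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + ARP_FMT.size:
        raise ValueError("frame too short for ARP")
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_FMT.unpack(frame[14:14 + ARP_FMT.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": src, "oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def build_arp(eth_src, oper, sha, spa, tha, tpa, eth_dst=b"\xff" * 6) -> bytes:
    """Constructed ARP frame used as sample input."""
    return eth_dst + eth_src + struct.pack("!H", ETH_ARP) + ARP_FMT.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


class ArpDetector:
    """Per-port ARP attack detection against a binding table shaped like the DHCP snooping
    entries: bindings[(vlan, port)] = {ip_bytes: mac}. Trusted (uplink) ports bypass it."""

    def __init__(self, bindings, trusted_ports, max_pps=15, isolate_seconds=30):
        self.bindings, self.trusted = bindings, set(trusted_ports)
        self.max_pps, self.isolate_seconds = max_pps, isolate_seconds
        self.counts = {}      # (port, whole second) -> ARP packets seen
        self.isolated = {}    # port -> time at which it is released

    def rate_limit(self, port, now) -> str:
        """Count ARP packets per port per second; above the threshold the port is isolated
        (an attack is assumed) for isolate_seconds."""
        until = self.isolated.get(port)
        if until is not None:
            if now < until:
                return "isolated"
            del self.isolated[port]
        key = (port, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.max_pps:
            self.isolated[port] = now + self.isolate_seconds
            return "isolated"
        return "ok"

    def check(self, vlan, port, frame, now=0.0) -> str:
        """Return 'forward' or a string starting with 'drop:' giving the reason."""
        if self.rate_limit(port, now) == "isolated":
            return "drop: port isolated by ARP rate limit"
        arp = parse_arp(frame)
        if port in self.trusted:
            return "forward"
        if arp["eth_src"] != arp["sha"]:
            return "drop: sender MAC does not match Ethernet source"
        sender_ip = ipaddress.IPv4Address(arp["spa"])
        expected = self.bindings.get((vlan, port), {}).get(arp["spa"])
        if expected is None:
            return "drop: sender IP %s not bound to this port" % sender_ip
        if expected != arp["sha"]:
            return "drop: sender IP %s bound to another MAC" % sender_ip
        return "forward"
```

The check is applied to requests as well as replies, since the sender fields of a request (including a gratuitous one) also poison caches; a host on port 3 claiming the gateway address is dropped because the gateway IP is not bound to port 3, and a frame whose Ethernet source and ARP sender MAC disagree is dropped outright.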

Seite 491

3-4 Operation Command Description Make terminal services available shell Optional By default, terminal services are available in all user interface

Seite 492

1-6 Operation Command Remarks Configure the ARP aging timer arp timer aging aging-time Optional By default, the ARP aging timer is set to 20 minute

Seite 493 - ARP Configuration Example

1-7 Operation Command Remarks Enable the ARP attack detection function arp detection enable Required By default, ARP attack detection is disabled

Seite 494

1-8 Table 1-6 Configure the ARP packet rate limit function Operation Command Remarks Enter system view system-view — Enter Ethernet port view int

Seite 495

1-9 The sending of gratuitous ARP packets is enabled as long as an S3100 switch operates. No command is needed for enabling this function. That is,

Seite 496

1-10 z Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being Ethernet1/0/

Seite 497

1-11 [SwitchA-Ethernet1/0/1] arp detection trust [SwitchA-Ethernet1/0/1] quit # Enable ARP attack detection on all ports in VLAN 1. [SwitchA] vlan 1

Seite 498 - 1 DHCP Overview

i Table of Contents 1 DHCP Overview···················································································································

Seite 499 - Updating IP Address Lease

ii Introduction to DHCP Accounting··································································································2-23 DHCP Accounti

Seite 500 - DHCP Packet Format

1-1 1 DHCP Overview Introduction to DHCP With networks getting larger in size and more complicated in structure, lack of available IP addresses beco

Seite 501 - Protocol Specification

1-2 Obtaining IP Addresses Dynamically A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server: 1)

Seite 502 - 2 DHCP Server Configuration

3 Part Features 16-Multicast Operation z Internet group management protocol (IGMP) snooping v2&v3 z Multicast Listener Discovery (MLD) snooping

Seite 503 - Structure of an address pool

3-5 # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging into VTY 0. [Sysname-ui-vt

Seite 504 - Enabling DHCP

1-3 If the DHCP client fails to update its IP address lease when half of the lease time elapses, it will update its IP address lease by broadcasting

Seite 505 - Configuration Task List

1-4 Protocol Specification Protocol specifications related to DHCP include: z RFC2131: Dynamic Host Configuration Protocol z RFC2132: DHCP Options

Seite 506

2-1 2 DHCP Server Configuration When configuring the DHCP server, go to these sections for information you are interested in: z Introduction to DHC

Seite 507

2-2 picks an IP address from the pool and sends the IP address and other related parameters (such as the IP address of the DNS server, and the lease

Seite 508

2-3 The DHCP server assigns an IP address to the client in the following order from an interface address pool or a global address pool: 3) If there

Seite 509

2-4 To do… Use the command… Remarks Enter system view system-view — Enable DHCP dhcp enable Optional By default, DHCP is enabled. To improve secu

Seite 510

2-5 Enabling the Global Address Pool Mode on Interface(s) You can configure the global address pool mode on the specified or all interfaces of a DHCP

Seite 511 - Basic concept

2-6 address, the DHCP server searches for the IP address corresponding to the MAC address of the DHCP client and assigns the IP address to the DHCP c

Seite 512

2-7 To improve security and avoid malicious attack to the unused sockets, S3100 Ethernet switches provide the following functions: z UDP 67 and UDP

Seite 513

2-8 z In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the pre

Seite 514

3-6 Operation Command Description Set the maximum number of lines the screen can contain screen-length screen-length Optional By default, the scree

Seite 515

2-9 Configuring WINS Servers for the DHCP Client For Microsoft Windows-based DHCP clients that communicate through NetBIOS protocol, the host name-t

Seite 516

2-10 Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. A

Seite 517

2-11 z Sub-option 4: Fail-over call routing. Meanings of the sub-options for Option 184 Figure 2-1 Meanings of the sub-options for Option 184 Sub-op

Seite 518

2-12 For the configurations specifying to add sub-option 2, sub-option 3, and sub-option 4 in the response packets to take effect, you need to confi

Seite 519

2-13 Specify an IP address for the network calling processor before performing other configuration. Configuring a Self-Defined DHCP Option By conf

Seite 520

2-14 Configuring the Interface Address Pool Based DHCP Server In the interface address pool mode, after the addresses in the interface address pool

Seite 521

2-15 Task Remarks Enabling the Interface Address Pool Mode on Interface(s) Required Configuring the static IP address allocation mode Configuring an

Seite 522

2-16 To improve security and avoid malicious attack to the unused sockets, S3100 Ethernet switches provide the following functions: z UDP port 67

Seite 523 - Prerequisites

2-17 z The IP addresses statically bound in interface address pools and the interface IP addresses must be in the same network segment. z There is

Seite 524 - DHCP Accounting Fundamentals

2-18 To do… Use the command… Remarks Specify the IP addresses that are not dynamically assigned dhcp server forbidden-ip low-ip-address [ high-ip-a

Seite 525 - Configuring DHCP Accounting

3-7 # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure to authenticate users logging into VTY 0 using the password. [Sysna

Seite 526

2-19 To do… Use the command… Remarks Enter system view system-view — interface interface-type interface-number dhcp server dns-list ip-address&

Seite 527

2-20 To do… Use the command… Remarks Configure multiple interfaces in system view dhcp server nbns-list ip-address&<1-8> { interface inte

Seite 528

2-21 Follow these steps to configure Option 184 parameters for the client with voice service: To do… Use the command… Remarks Enter system view sy

Seite 529

2-22 z Define new DHCP options. New configuration options will come out with DHCP development. To support new options, you can add them into the att

Seite 530

2-23 To do… Use the command… Remarks Enable the unauthorized DHCP server detecting function dhcp server detect Required Disabled by default. With

Seite 531

2-24 z After sending a DHCP-ACK packet with the IP configuration parameters to the DHCP client, the DHCP server sends an Accounting START packet to

Seite 532 - Analysis

2-25 If a DHCP server is configured to ignore Option 82, after the DHCP server receives packets containing Option 82, the DHCP server will not add Op

Seite 533 - DHCP Snooping Configuration

2-26 DHCP Server Configuration Examples Currently, DHCP networking can be implemented in two ways. One is to deploy the DHCP server and DHCP clients

Seite 534 - Introduction to Option 82

2-27 If you use the inheriting relation of parent and child address pools, make sure that the number of the assigned IP addresses does not exceed th

Seite 535

2-28 # Configure DHCP address pool 0, including address range, domain name suffix of the clients, and domain name server address. [SwitchA] dhcp serv

Seite 536

3-8 Operation Command Description Enter one or more VTY user interface views user-interface vty first-number [ last-number ] — Configure to authen

Seite 537 - Overview of IP Filtering

2-29 Network diagram (DHCP clients, 3COM VCX, DHCP server with IP 10.1.1.1/24) Figure 2-3 Network diagram for Option 184 support configura

Seite 538

2-30 z The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. z The IP address of the RADIUS server is 10.

Seite 539

2-31 [Sysname] domain 123 [Sysname-isp-123] scheme radius-scheme 123 [Sysname-isp-123] quit # Create an address pool on the DHCP server. [Sysname] dh

Seite 540

3-1 3 DHCP Snooping Configuration Introduction Introduction to DHCP Snooping For the sake of security, the IP addresses used by online DHCP clients

Seite 541

3-2 z Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards DHCP messages to guarantee that DHCP cli

Seite 542

3-3 Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82. Manufacturers can pad it as requi

Seite 543 - Configuring IP Filtering

3-4 Figure 3-5 Standard format of the remote ID sub-option Mechanism of DHCP-snooping Option 82 With DHCP snooping and DHCP-snooping Option 82 supp

Seite 544

3-5 The circuit ID and remote ID sub-options in Option 82, which can be configured simultaneously or separately, are independent of each other in te
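The trusted/untrusted port rule from the DHCP snooping introduction and the Option 82 mechanism above, worked through together in Python. This is an added example and not code from the manual or the switch software: server replies (OFFER/ACK/NAK) are accepted only on trusted ports, so a rogue server on an access port is dropped; client requests get Option 82 according to a handling policy for requests that already carry it (replace, keep, or drop); and an ACK seen on a trusted port produces the IP-MAC-VLAN-port binding that the ARP attack detection and IP filtering features consult. The sub-option layout (an inner type/length pair; circuit ID carrying VLAN, slot and port, remote ID carrying the switch MAC), the policy names, the slot number 1 and the MAC addresses are assumptions made for this example.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 51, 53, 82, 255
MAGIC = b"\x63\x82\x53\x63"
FIXED_LEN = 240        # BOOTP fixed fields (236 octets) followed by the 4-octet magic cookie


def parse_options(raw: bytes) -> list:
    """Decode the option area into [(code, value)], rejecting a TLV that overruns it."""
    out, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated DHCP option")
        out.append((code, raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return out


def build_options(tlvs: list) -> bytes:
    return b"".join(struct.pack("!BB", c, len(v)) + v for c, v in tlvs) + bytes([OPT_END])


def option82(vlan: int, slot: int, port: int, switch_mac: bytes) -> bytes:
    """Circuit ID sub-option (1) with VLAN/slot/port and remote ID sub-option (2) with the
    switch MAC, each carrying an inner type/length pair (layout assumed for this example)."""
    circuit = struct.pack("!BBBBHBB", 1, 6, 0, 4, vlan, slot, port)
    remote = struct.pack("!BBBB", 2, 8, 0, 6) + switch_mac
    return circuit + remote


def parse_option82(value: bytes) -> dict:
    subs, i = {}, 0
    while i + 2 <= len(value):
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    vlan, slot, port = struct.unpack("!HBB", subs[1][2:6])
    return {"vlan": vlan, "slot": slot, "port": port, "remote_id": subs[2][2:]}


def make_dhcp(op: int, mtype: int, chaddr: bytes, yiaddr: bytes = b"\0\0\0\0", extra=()) -> bytes:
    """Constructed DHCP message (fixed xid, unused fields zero) used as sample input."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                        b"\0\0\0\0", yiaddr, b"\0\0\0\0", b"\0\0\0\0", chaddr, b"", b"")
    return fixed + MAGIC + build_options([(OPT_MSG_TYPE, bytes([mtype]))] + list(extra))


class DhcpSnooper:
    """DHCP snooping on one switch: replies are accepted only from trusted ports, client
    requests get Option 82, and ACKs build the IP-MAC-VLAN-port binding table."""

    def __init__(self, trusted_ports, switch_mac: bytes, policy: str = "replace"):
        self.trusted, self.mac, self.policy = set(trusted_ports), switch_mac, policy
        self.pending = {}      # client MAC -> (vlan, port) of its outstanding request
        self.bindings = {}     # client MAC -> (ip, vlan, port, lease seconds)

    def handle(self, port: int, vlan: int, msg: bytes):
        """Return ("drop", None) or ("forward", the message as it should leave the switch)."""
        if msg[FIXED_LEN - 4:FIXED_LEN] != MAGIC:
            raise ValueError("not a DHCP message")
        tlvs = parse_options(msg[FIXED_LEN:])
        opts = dict(tlvs)
        if OPT_MSG_TYPE not in opts:
            return "drop", None
        mtype, chaddr = opts[OPT_MSG_TYPE][0], msg[28:28 + msg[2]]
        if msg[0] == BOOTREPLY:
            if port not in self.trusted:        # a server answering on an access port
                return "drop", None
            if mtype == ACK and chaddr in self.pending:
                lease = struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None
                self.bindings[chaddr] = (msg[16:20],) + self.pending.pop(chaddr) + (lease,)
            return "forward", msg
        # Client request: apply the handling policy for an Option 82 that is already present.
        if OPT_RELAY_AGENT in opts:
            if self.policy == "drop":
                return "drop", None
            if self.policy != "keep":
                tlvs = [(c, v) for c, v in tlvs if c != OPT_RELAY_AGENT]
        if OPT_RELAY_AGENT not in dict(tlvs):
            tlvs.append((OPT_RELAY_AGENT, option82(vlan, 1, port, self.mac)))
        self.pending[chaddr] = (vlan, port)     # remembered so the ACK binds the client's port
        return "forward", msg[:FIXED_LEN] + build_options(tlvs)
```

The binding records the port the request arrived on, not the trusted port that delivered the ACK, which is why requests are remembered until the ACK arrives; a binding keyed to the uplink would let any host on any access port claim the address.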

Seite 545

3-6 DHCP Snooping Configuration Configuring DHCP Snooping Follow these steps to configure DHCP snooping: Operation Command Description Enter system

Seite 546 - Eth1/0/2 Eth1/0/3

3-7 Configuring Unauthorized DHCP Server Detection Only the S3100-SI series among S3100 series switches support the unauthorized DHCP server detect

Seite 547

3-9 Table 3-7 Determine the command level when users logging into switches are authenticated in the scheme mode Scenario Authentication mode User typ

Seite 548

3-8 z Only the S3100-EI series among S3100 series switches support the DHCP-snooping Option 82 support feature. z Enable DHCP snooping and specify

Seite 549

3-9 If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this

Seite 550

3-10 z If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view,

Seite 551 - Ethernet1/0/1

3-11 z If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the

Seite 552 - Introduction to DHCP Client

3-12 z Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering. z You are not recommended to configure IP fil

Seite 553

3-13 DHCP Snooping Configuration Example DHCP-Snooping Option 82 Support Configuration Example Network requirements As shown in Figure 3-8, Ethernet1

Seite 554 - Introduction to BOOTP Client

3-14 # Set the circuit ID sub-option in DHCP packets from VLAN 1 to “abcd” on Ethernet 1/0/3. [Switch] interface Ethernet1/0/3 [Switch-Ethernet1/0/3]

Seite 555

3-15 [Sysname-Ethernet1/0/2] quit # Enable unauthorized DHCP server detection on Ethernet 1/0/3. [Sysname] interface ethernet1/0/3 [Sysname-Ethernet

Seite 556

3-16 [Switch-Ethernet1/0/1] dhcp-snooping trust [Switch-Ethernet1/0/1] quit # Enable IP filtering on Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4

Seite 557

4-1 4 DHCP Packet Rate Limit Configuration The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches. I

Seite 558 - 1 ACL Configuration

3-10 Refer to AAA Operation and SSH Operation of this manual for information about AAA, RADIUS, and SSH. Configuration Example Network requirements

Seite 559

4-2 Configuring DHCP Packet Rate Limit Configuring DHCP Packet Rate Limit Follow these steps to configure rate limit of DHCP packets: Operation Comm

Seite 560 - ACL Configuration

4-3 Networking diagram Figure 4-1 Network diagram for DHCP packet rate limit configuration (Client A, Client B, DHCP Server; ports Ethernet1/0/2 and Ethernet1/0/11) DHC

Seite 561

5-1 5 DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to ob

Seite 562 - Configuring Basic ACL

5-2 z The S3100 EPON series Ethernet switches do not support automatic configuration feature. z To implement the automatic configuration feature,

Seite 563 - Configuring Advanced ACL

5-3 An intermediate file maintains the IP address-to-host name mappings which are created using the ip host hostname ip-address command. When you us

Seite 564 - Configuring Layer 2 ACL

5-4 Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client, without needing

Seite 565 - Configuring an IPv6 ACL

5-5 DHCP Client Configuration Example Network requirements Using DHCP, VLAN-interface 1 of Switch A is connected to the LAN to obtain an IP address f

Seite 566

i Table of Contents 1 ACL Configuration···············································································································

Seite 567

1-1 1 ACL Configuration ACL Overview As the network scale and network traffic are increasingly growing, security control and bandwidth assignment pl

Page 568 - ACL Assignment

1-2 For depth-first rule, there are two cases: Depth-first match order for rules of a basic ACL 1) Range of source IP address: The smaller the sourc

Page 569 - Assigning an ACL to a VLAN

3-11 [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-co

Page 570 - Assigning an ACL to a Port

1-3 Being referenced by upper-level software ACLs can also be used to filter and classify the packets to be processed by software. In this case, the

Page 571

1-4 z Periodic time range, which recurs periodically on the day or days of the week. z Absolute time range, which takes effect only in a period of

Page 572 - 10.110.100.46

1-5 Time-range : test ( Inactive ) 08:00 to 18:00 working-day # Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008. <Sy

Page 573

1-6 z With the auto match order specified, the newly created rules will be inserted in the existent ones by depth-first principle, but the numbers o
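The depth-first ordering introduced on page 1-2 (a rule with a narrower source range is tried first) and the effect of the auto match order described above (rules are re-ordered for lookup, rule numbers stay as configured) are easiest to see in code. The following Python is an added example, not code from the manual or from H3C: the Rule and BasicAcl classes are this example's own, the rule set is constructed, and the tie-break for equal-size ranges in auto mode (first-configured rule wins) is an assumption.

```python
"""Basic-ACL rule matching with 'config' vs 'auto' (depth-first) match order.

Added example, not taken from the manual. Rules use dotted wildcard masks
exactly as the CLI does ('rule permit source 10.1.1.0 0.0.0.255': 0 bits must
match, 1 bits are don't-care). The tie-break for equal-size ranges in auto
mode (first-configured rule wins) is an assumption.
"""
from dataclasses import dataclass
import ipaddress


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: str                 # dotted IPv4 address
    wildcard: str = "0.0.0.0"   # 0.0.0.0 = exact host, 255.255.255.255 = any

    def matches(self, src: str) -> bool:
        care = ~_int(self.wildcard) & 0xFFFFFFFF   # bits that must be equal
        return (_int(src) & care) == (_int(self.source) & care)

    def range_bits(self) -> int:
        """Number of don't-care bits: smaller means a narrower source range."""
        return bin(_int(self.wildcard)).count("1")


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        assert match_order in ("config", "auto")
        self.number = number
        self.match_order = match_order
        self.rules: list[Rule] = []        # kept in configuration order

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def ordered_rules(self) -> list[Rule]:
        """Order in which rules are tried. Rule numbers never change; only the
        lookup order does, which is what 'match-order auto' means."""
        if self.match_order == "config":
            return list(self.rules)
        # depth-first: narrowest source range first; sorted() is stable, so
        # equal ranges keep configuration order (assumption)
        return sorted(self.rules, key=Rule.range_bits)

    def lookup(self, src: str):
        """First matching rule wins. Returns (action, rule_id) or (None, None)
        when nothing matches; the caller applies the feature's default."""
        for rule in self.ordered_rules():
            if rule.matches(src):
                return rule.action, rule.rule_id
        return None, None


def example_acl(match_order: str) -> BasicAcl:
    """Constructed rule set: permit the 10.1.1.0/24 segment, but deny one host
    in it that was configured *after* the broader permit."""
    acl = BasicAcl(2001, match_order)
    acl.add_rule(Rule(1, "permit", "10.1.1.0", "0.0.0.255"))
    acl.add_rule(Rule(2, "deny", "10.1.1.100"))
    return acl


if __name__ == "__main__":
    for order in ("config", "auto"):
        acl = example_acl(order)
        print(order, [r.rule_id for r in acl.ordered_rules()], acl.lookup("10.1.1.100"))
```

The practical point for the login-control use of ACLs (the acl options on the Telnet, SNMP and HTTP user interfaces later in this manual): under the default config order the narrow deny for 10.1.1.100 is shadowed by the earlier /24 permit and never fires, so the host is allowed in; under auto order, or with the deny configured first, it is blocked. Check the effective order with the display command before relying on an ACL as an access boundary.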

Page 574

1-7 Operation Command Description Assign a description string to the ACL description text Optional No description by default Note that: z With

Page 575

1-8 Configuration procedure Table 1-4 Define a Layer 2 ACL rule Operation Command Description Enter system view system-view — Create a Layer 2 AC

Page 576 - 192.168.1.2

1-9 z src-ip: Matches the source address field in IPv6 packets. z dest-ip: Matches the destination address field in IPv6 packets. z src-port: Matc

Page 577

1-10 Configuration prerequisites z To configure a time range-based IPv6 ACL rule, you need to create the corresponding time range first. For informa

Page 578

1-11 z IPv6 ACLs do not match IPv6 packets with extension headers. z Do not use IPv6 ACLs with VLAN mapping and trusted port priority together.

Page 579

1-12 Assigning an ACL Globally Configuration prerequisites Before applying ACL rules to a VLAN, you need to define the related ACLs. For information

Page 580 - 1 QoS Configuration

3-12 2) Perform Telnet-related configuration on the switch. Refer to section "Telnet Configuration with Authentication Mode Being None”, sectio

Page 581

1-13 Configuration example # Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports. <Sysname> system-view [Sysna

Page 582 - Introduction to QoS Features

1-14 Configuration procedure Table 1-9 Apply an ACL to a port Operation Command Description Enter system view system-view — Enter Ethernet port vie

Page 583 - Priority Trust Mode

1-15 Example for Upper-Layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements Apply an ACL to

Page 584

1-16 Configuration procedure # Define ACL 2001. <Sysname> system-view [Sysname] acl number 2001 [Sysname-acl-basic-2001] rule 1 permit source

Page 585 - Priority trust mode

1-17 Advanced ACL Configuration Example Network requirements Different departments of an enterprise are interconnected through a switch. The IP addre

Page 586

1-18 Network diagram Figure 1-5 Network diagram for Layer 2 ACL Configuration procedure # Define a periodic time range that is active from 8:00 to

Page 587 - Priority Marking

1-19 <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Set the port to trust the 802.1p (CoS) priority in received packets.

Page 588 - Token bucket

1-20 # Define an ACL to deny packets destined for the database server. [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 1 deny ip destination 19

Page 589 - Traffic shaping

i Table of Contents 1 QoS Configuration

Page 590 - Queue Scheduling

ii Configuration Example 2-

Page 591

3-13 z A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session. z By default, command

Page 592 - QoS Configuration

1-1 1 QoS Configuration Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the abi

Page 593

1-2 traffic, and setting priority of the packets. To meet those requirements, the network should be provided with better service capability. Major T

Page 594 - Configuring Priority Mapping

1-3 Category Features Refer to… following types: z Basic ACLs z Advanced ACLs z Layer-2 ACLs (applicable only to the S3100-EI series) z IPv6 AC

Page 595

1-4 Priority Trust Mode Precedence types 1) IP precedence, ToS precedence, and DSCP precedence Figure 1-2 DS field and ToS byte The ToS field in a

Page 596 - Marking Packet Priority

1-5 z Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if i

Page 597

1-6 The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control info

Page 598 - Configuring Traffic Policing

1-7 For incoming 802.1q tagged packets, you can configure the switch to trust packet priority with the priority trust command or to trust port priori

Page 599

1-8 Table 1-7 DSCP-precedence-to-local-precedence mapping table DSCP Local precedence 0 to 15 0 16 to 31 1 32 to 47 2 48 to 63 3 Table 1-8 IP-p
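To make the priority trust mode concrete (the 802.1Q tag layout on page 1-6, the choice between trusting packet priority and port priority on page 1-7, and the DSCP-to-local-precedence mapping in Table 1-7 above), the following Python parses a frame and derives the local precedence under each trust mode. It is an added example, not code from the manual or from H3C: the frames are constructed, and the CoS-to-local-precedence list reproduces the "0 0 1 1 2 2 3 3" display output shown on page 1-17 as an assumed configured mapping, not the factory default.

```python
"""Parse the 802.1Q tag and the IP ToS byte of a frame and derive the local
precedence (output queue) under each priority trust mode.

Added example, not from the manual. The DSCP-to-local-precedence mapping is
Table 1-7 of this chapter; the CoS-to-local-precedence list reproduces the
'0 0 1 1 2 2 3 3' display output shown on page 1-17 and is treated here as
an assumption about the configured mapping, not the factory default.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
COS_TO_LOCAL = [0, 0, 1, 1, 2, 2, 3, 3]      # index = 802.1p CoS value 0..7


def dscp_to_local(dscp: int) -> int:
    """Table 1-7: 0-15 -> 0, 16-31 -> 1, 32-47 -> 2, 48-63 -> 3."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp // 16


def parse_frame(frame: bytes) -> dict:
    """Return tag fields and, for IPv4 payloads, the DSCP / IP precedence."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"tagged": False, "cos": None, "vid": None, "dscp": None, "ip_prec": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]   # PCP(3) | CFI(1) | VID(12)
        info.update(tagged=True, cos=tci >> 13, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        tos = frame[offset + 1]                       # second byte of the IPv4 header
        info["dscp"] = tos >> 2                       # upper 6 bits (DS field)
        info["ip_prec"] = tos >> 5                    # upper 3 bits (IP precedence)
    return info


def local_precedence(frame: bytes, trust: str = "cos", port_priority: int = 0) -> int:
    """trust: 'cos' (the switch default), 'dscp', or 'port' (trust port priority)."""
    info = parse_frame(frame)
    if trust == "dscp" and info["dscp"] is not None:
        return dscp_to_local(info["dscp"])
    if trust == "cos" and info["tagged"]:
        return COS_TO_LOCAL[info["cos"]]
    # untagged frame, non-IP payload, or trust=port: the port priority is used
    return COS_TO_LOCAL[port_priority]


def build_frame(vid=None, cos=0, dscp=0) -> bytes:
    """Constructed test frame: Ethernet II, optional 802.1Q tag, minimal IPv4 header."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (cos << 13) | (vid & 0x0FFF))
    ipv4 = bytes([0x45, dscp << 2]) + b"\x00" * 18  # version/IHL, ToS byte, rest zeroed
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


if __name__ == "__main__":
    f = build_frame(vid=10, cos=7, dscp=46)
    print(parse_frame(f), local_precedence(f, "cos"), local_precedence(f, "dscp"))
```

The trust mode is a trust boundary: with the default of trusting the 802.1p value, any host that tags its own frames with CoS 7 lands in the highest queue, and under strict-priority scheduling (page 1-12) that queue is served before all others. On ports facing untrusted hosts, trust the port priority instead, or remark the priority with an ACL-based traffic-priority rule.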

Page 600 - Configuring Traffic Shaping

1-9 network resources and provide better service for more users. For example, a traffic flow can be limited to get only its committed resources durin

Page 601

1-10 Traffic policing The typical application of traffic policing is to supervise specific traffic into the network and limit it to a reasonable rang
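Traffic policing, as described above and on the token-bucket page of this chapter, decides packet by packet whether a flow is within its committed rate. The following Python is an added example, not code from the manual or from H3C: it implements a single token bucket with a committed information rate (CIR) and committed burst size (CBS), applies it to a constructed packet trace, and shows the two exceed actions (drop, or remark the DSCP to a chosen value) that a traffic-limit rule can take. The function and parameter names are this example's own.

```python
"""Single token bucket policer: the mechanism behind traffic policing.

Added example, not from the manual. CIR is the committed rate in bit/s and
CBS the bucket depth in bytes; the exceed actions ('drop', or remark the DSCP
to a constructed value) model the kind of choice a traffic-limit rule makes.
The packet trace below is constructed.
"""


class TokenBucket:
    def __init__(self, cir_bps: int, cbs_bytes: int, start: float = 0.0):
        self.rate = cir_bps / 8.0         # tokens (bytes) added per second
        self.depth = float(cbs_bytes)     # bucket never holds more than CBS
        self.tokens = float(cbs_bytes)    # bucket starts full
        self.last = start

    def _refill(self, now: float) -> None:
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conforms(self, now: float, size: int) -> bool:
        """True if the packet fits in the bucket (tokens consumed); False if it
        exceeds (nothing consumed, so a burst cannot borrow from the future)."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets, cir_bps: int, cbs_bytes: int,
           exceed_action: str = "drop", remark_dscp: int = 0):
    """packets: iterable of (time_s, size_bytes, dscp).
    Returns a list of (verdict, dscp): 'conform', 'drop' or 'remark'."""
    bucket = TokenBucket(cir_bps, cbs_bytes)
    out = []
    for when, size, dscp in packets:
        if bucket.conforms(when, size):
            out.append(("conform", dscp))
        elif exceed_action == "remark":
            out.append(("remark", remark_dscp))
        else:
            out.append(("drop", dscp))
    return out


# Constructed trace: (seconds, bytes, DSCP). CIR 8 kbit/s = 1000 B/s, CBS 1500 B.
TRACE = [(0.0, 1000, 46), (0.0, 1000, 46), (0.5, 500, 46), (2.0, 1500, 46), (2.0, 1, 46)]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, police(TRACE, 8000, 1500, "remark", 0)):
        print(pkt, "->", verdict)
```

Walking the trace: the first 1000-byte packet fits in the full 1500-byte bucket, the second does not (only 500 tokens left and none are borrowed), after 0.5 s the bucket has refilled to 1000 so a 500-byte packet conforms, and by 2.0 s the bucket is capped at CBS again so a full 1500-byte packet conforms and the next byte is exceeded. CBS therefore bounds the burst an attacker can push through a policer at line rate, independent of CIR.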

Page 602

4-1 4 Logging in Using a Modem Introduction The administrator can log into the Console port of a remote switch using a modem through public switched

Page 603 - Configuring Queue Scheduling

1-11 Port Rate Limiting Port rate limiting refers to limiting the total rate of inbound or outbound packets on a port. Port rate limiting can be imp

Page 604

1-12 In queue scheduling, SP sends packets in the queue with higher priority strictly following the priority order from high to low. When the queue w

Page 605

1-13 Burst The Burst function provides better packet buffering and traffic forwarding performance. It is suitable for networks where z Large

Page 606 - Enabling the Burst Function

1-14 For detailed information about priority trust mode, refer to Priority trust mode. Configuration prerequisites The priority trust mode to be con

Page 607

1-15 Operation Command Description specifying the trusted priority type, the switch trusts the 802.1p (CoS) priority of the received packets. Note

Page 608

1-16 Configuration procedure Table 1-11 Configure CoS-precedence-to-local-precedence mapping table Operation Command Description Enter system view

Page 609 - Displaying QoS

1-17 local precedence(queue) : 0 0 1 1 2 2 3 3 Marking Packet Priority Only H3C S3100-EI series switches support t

Page 610 - QoS Configuration Example

1-18 Table 1-15 Mark the priority for packets that are of a VLAN and match specific ACL rules Operation Command Description Enter system view syste

Page 611

1-19 [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-priorit

Page 612 - 2 QoS Profile Configuration

1-20 Table 1-20 Configure traffic policing for packets that are of a port group and match specific ACL rules Operation Command Description Enter s

Page 613 - QoS Profile Configuration

4 Part Features 27-Stack-Cluster Operation z Stack z Huawei Group Management Protocol (HGMP) v2 z Neighbor Discovery Protocol (NDP) z Neighbor To

Page 614 - Applying a QoS Profile

4-2 The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above config

Page 615

1-21 [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-limit v

Page 616

1-22 Configuration procedure Table 1-23 Configure port rate limiting Operation Command Description Enter system view system-view — Enter Ethernet

Page 617

1-23 Table 1-25 Redirect packets that are of a VLAN and match specific ACL rules Operation Command Description Enter system view system-view — Con

Page 618 - 1 Mirroring Configuration

1-24 2) Method II <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [Sysname-acl-b

Page 619

1-25 Operation Command Description Configure queue scheduling queue-scheduler { strict-priority | hq-wrr queue0-weight queue1-weight queue2-weight

Page 620 - Mirroring Configuration

1-26 Table 1-30 Generate traffic statistics on all the packets matching specific ACL rules Operation Command Description Enter system view system-

Page 621

1-27 Configuration example z Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. z Generate statistics on the packets sourced from the

Page 622

1-28 Only H3C S3100-EI series switches support this configuration. Refer to section Traffic Mirroring for information about traffic mirroring. Con

Page 623

1-29 Table 1-37 Configure traffic mirroring for a port group Operation Command Description Enter system view system-view — Enter Ethernet port view

Page 624 - Displaying Port Mirroring

1-30 [Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] monitor-port [Sysname-Ethernet1/0/4] quit [Sysname] interface Ethernet 1/0/1 [Sysname

Page 625

4-3 Figure 4-1 Establish the connection by using modems [figure labels: Console port, PSTN, Telephone line, Modem serial cable, Telephone number of the remote end: 82882285, Mo

Page 626

1-31 Operation Command Description unit-id } traffic-shape Display traffic accounting configuration of a port or all the ports display qos-interfa

Page 627

1-32 Network diagram Figure 1-9 Network diagram for traffic policing configuration Configuration procedure 1) Define an ACL for traffic classifica

Page 628

2-1 2 QoS Profile Configuration Only H3C S3100-EI series switches support this configuration. Overview Introduction to QoS Profile QoS profile i

Page 629

2-2 A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (in

Page 630 - 1 Stack

2-3 Operation Command Description local-precedence pre-value }* Applying a QoS Profile You can configure to apply a QoS profile dynamically or sim

Page 631 - Main Switch Configuration

2-4 Displaying QoS Profile Configuration After the above configuration, you can execute the display command in any view to view the running status of

Page 632 - Maintaining Slave Switches

2-5 <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] primary authentication 10.11.1.1 [Sysname-radius-radius1] pr

Page 633 - Slave Switch Configuration

i Table of Contents 1 Mirroring Configuration

Page 634 - Stack Configuration Example

1-1 1 Mirroring Configuration Mirroring Overview Mirroring refers to the process of copying packets of one or more ports (source ports) to a destina

Page 635

1-2 To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is needed. All mirrored packets are sent from the reflector port of

Page 636 - 2 Cluster

4-4 Figure 4-3 Set the telephone number Figure 4-4 Call the modem 5) If the password authentication mode is specified, enter the password when p

Page 637 - Roles in a Cluster

1-3 Switch Ports involved Function Trunk port Receives remote mirrored packets. Destination switch Destination port Receives packets forwarded fro

Page 638 - How a Cluster Works

1-4 Operation Command Description In system viewmirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound } interface

Page 639 - Introduction to NTDP

1-5 Operation Command Description Configure the current VLAN as the remote-probe VLAN remote-probe vlan enable Required Return to system view quit

Page 640 - Cluster maintenance

1-6 z Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. 2) Configuration procedure Table 1-5 C

Page 641 - Disconnect

1-7 Operation Command Description Configure trunk port to permit packets from the remote-probe VLAN port trunk permit vlan remote-probe-vlan-id Re

Page 642 - Management VLAN

1-8 z Configure Ethernet 1/0/3 as the mirroring destination port. Network diagram Figure 1-3 Network diagram for local port mirroring Configuratio

Page 643 - Cluster Configuration Tasks

1-9 z Ethernet 1/0/2 of Switch B connects to Ethernet 1/0/1 of Switch C. z The data detection device is connected to Ethernet 1/0/2 of Switch C. Th

Page 644

1-10 # Configure Ethernet 1/0/3 as trunk port, allowing packets of VLAN 10 to pass. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] port l

Page 645

1-11 [Sysname-Ethernet1/0/1] port trunk permit vlan 10 [Sysname-Ethernet1/0/1] quit # Display configuration information about remote destination mirr

Page 646

i Table of Contents 1 Stack

Page 647

5-1 5 Logging in through the Web-based Network Management System Introduction An S3100 Ethernet switch has a Web server built in. It enables you to

Page 648 - Configuring Member Devices

1-1 1 Stack The S3100 series switches can be stacked only when stack modules are installed. Stack Function Overview A stack is a management domai

Page 649

1-2 z Connect the intended main switch and slave switches through stack modules and dedicated stack cables. (Refer to H3C S3100 Series Ethernet Swit

Page 650

1-3 z Make sure the IP addresses in the IP address pool of a stack are successive so that they can be assigned successively. For example, the IP add

Page 651

1-4 Introduction to the Stack-Port Function If you enable the stack function on a stack-supporting device, the device will send join-in requests to t

Page 652

1-5 Operation Command Description Display the stack status information on a slave switch display stacking The display command can be executed in an

Page 653

1-6 Main device for stack. Total members:3 Management-vlan:1(default vlan) # Display the information about the stack members on switch A. <stack

Page 654

2-1 2 Cluster Cluster Overview Introduction to HGMP A cluster contains a group of switches. Through cluster management, you can manage multiple geog

Page 655

2-2 you can configure and manage all the member devices through the management device without the need to log onto them one by one. z It provides th

Page 656

2-3 Figure 2-2 State machine of cluster role z A candidate device becomes a management device when you create a cluster on it. Note that a cluster

Page 657

2-4 z The management device adds the candidate devices to the cluster or removes member devices from the cluster according to the candidate device i

Page 658

5-2 Figure 5-1 Establish an HTTP connection between your PC and the switch 4) Log into the switch through IE. Launch IE on the Web-based network m

Page 659

2-5 device busy processing of the NTDP topology collection responses. To avoid such cases, the following methods can be used to control the NTDP topo

Page 660

2-6 To create a cluster, you need to determine the device to operate as the management device first. The management device discovers and determines c

Page 661

2-7 Additionally, on the management device, you can configure the FTP server, TFTP server, logging host and SNMP host to be shared by the whole clust

Page 662

2-8 1) Determine whether the destination MAC address or destination IP address is used to trace a device in the cluster z If you use the tracemac c

Page 663

2-9 Configuration task Remarks Configuring the Cluster Synchronization Function Optional Configuring the Management Device Management device confi

Page 664 - 1 PoE Configuration

2-10 Operation Command Description Enter Ethernet port view interface interface-type interface-number specified Ethernet ports In Ethernet port vie

Page 665 - PoE Configuration

2-11 Operation Command Description Configure the port forward delay of topology collection requests ntdp timer port-delay time Optional By default,

Page 666

2-12 Operation Command Description Set the interval for the management device to send multicast packets cluster-mac syn-interval time-interval Opti

Page 667

2-13 Operation Command Description Configure a shared TFTP server for the cluster tftp-server ip-address Optional By default, no shared TFTP server

Page 668

2-14 To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the S3100 series Ethernet switches p

Page 669 - PoE Configuration Example

5-3 Configuration Example Network requirements z A user logs in to the switch through Web. z The banner page is desired when a user logs into the

Page 670 - Eth1/0/1 Eth1/0/8

2-15 Operation Command Description Enter Ethernet port view interface interface-type interface-number — Enable NTDP on the port ntdp enable Require

Page 671 - 2 PoE Profile Configuration

2-16 Operation Command Description Enter system view system-view — Enter cluster view cluster — Configuring MAC address of Management device admini

Page 672

2-17 The topology information is saved as a topology.top file in the Flash memory of the administrative device. You cannot specify the file name ma

Page 673

2-18 Operation Command Description Display the topology of the current cluster display cluster current-topology [ mac-address mac-address1 [ to-mac

Page 674

2-19 SNMP configuration synchronization With this function, you can configure the public SNMP community name, SNMP group, SNMP users and MIB views. T

Page 675

2-20 z Perform the above operations on the management device of the cluster. z Configuring the public SNMP information is equal to executing these

Page 676 - 1 SNMP Configuration

2-21 Member 2 succeeded in the usm-user configuration. Member 1 succeeded in the usm-user configuration. Finish to synchronize the command. # Afte

Page 677

2-22 z A cluster is established, and you can manage the member devices through the management device. 2) Configuration procedure Perform the followi

Page 678

2-23 Operation Command Description Clear the statistics on NDP ports reset ndp statistics [ interface port-list ] You can execute the reset command

Page 679

2-24 Network diagram Figure 2-4 Network diagram for HGMP cluster configuration [figure labels: Network, FTP server/TFTP server, SNMP host/logging host, 63.172.55.1/24, 69.17

Page 680 - Configuring Trap Parameters

5-4 Operation Command Description Enable the Web server ip http shutdown Required By default, the Web server is enabled. Disable the Web server und

Page 681 - Displaying SNMP

2-25 # Set the holdtime of NDP information to 200 seconds. [Sysname] ndp timer aging 200 # Set the interval to send NDP packets to 70 seconds. [Sysna

Page 682 - SNMP Configuration Examples

2-26 [aaa_0.Sysname-cluster] tftp-server 63.172.55.1 [aaa_0.Sysname-cluster] logging-host 69.172.55.4 [aaa_0.Sysname-cluster] snmp-host 69.172.55.4 3

Page 683 - Configuring the NMS

2-27 Network diagram Figure 2-5 Network diagram for the enhanced cluster feature configuration Configuration procedure # Enter cluster view. <a

Page 684

i Table of Contents 1 PoE Configuration

Page 685 - 2 RMON Configuration

1-1 1 PoE Configuration PoE Overview Introduction to PoE Power over Ethernet (PoE)-enabled devices use twisted pairs through electrical ports to sup

Page 686 - Commonly Used RMON Groups

1-2 Switch Input power supply Number of electrical ports supplying power Maximum PoE distance Maximum power provided by each electrical port Total Ma

Page 687 - RMON Configuration

1-3 Task Remarks Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compat

Page 688 - RMON Configuration Examples

1-4 more than one port has the same lowest priority, the switch will power down the PD connected to the port with the larger port number. z manual: When

Page 689

1-5 Table 1-7 Configure the PD compatibility detection function Operation Command Description Enter system view system-view — Enable the PD compati

Page 690

1-6 z In the case that the PSE processing software is damaged (that is, no PoE command can be executed successfully), use the full update mode to u

Page 691 - 1 NTP Configuration

6-1 6 Logging in through NMS Introduction You can also log into a switch through a network management station (NMS), and then configure and manage t

Page 692

1-7 Networking diagram Figure 1-1 Network diagram for PoE [figure labels: Switch A, Network, Eth1/0/2, Eth1/0/1, Eth1/0/8, Switch B, AP, AP] Configuration procedure # Upgrade t

Page 693 - NTP Implementation Modes

2-1 2 PoE Profile Configuration Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators

Page 694 - Multicast mode

2-2 Operation Command Description In system view apply poe-profile profile-name interface interface-type interface-number [ to interface-type inter

Page 695 - NTP Configuration Tasks

2-3 Ethernet 1/0/1 through Ethernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: z The PoE function can be

Page 696

2-4 [SwitchA] display poe-profile name Profile1 Poe-profile: Profile1, 3 action poe enable poe max-power 3000 poe priority critical # Create Profile2

Page 697

i Table of Contents 1 SNMP Configuration

Page 698

1-1 1 SNMP Configuration SNMP Overview The simple network management protocol (SNMP) is used for ensuring the transmission of the management informa

Page 699

1-2 adopts a hierarchical naming scheme to organize the managed objects. It is like a tree, with each tree node representing a managed object, as sho

Page 700

1-3 Configuring Basic SNMP Functions SNMPv3 configuration is quite different from that of SNMPv1 and SNMPv2c. Therefore, the configuration of basic S

Page 701

1-4 Table 1-3 Configure basic SNMP functions (SNMPv3) Operation Command Description Enter system view system-view — Enable SNMP agent snmp-agent Op

Page 702

7-1 7 User Control Refer to the ACL part for information about ACL. Introduction A switch provides ways to control different types of login user

Page 703

1-5 An S3100 Ethernet switch provides the following functions to prevent attacks through unused UDP ports. z Executing the snmp-agent command or an

Page 704 - Displaying NTP Configuration

1-6 Configuring Extended Trap The extended Trap includes the following. z “Interface description” and “interface type” are added into the linkUp/lin

Page 705

1-7 Table 1-7 Display SNMP Operation Command Description Display the SNMP information about the current device display snmp-agent sys-info [ contac

Page 706 - 3.0.1.32/24 3.0.1.33/24

1-8 [Sysname] snmp-agent sys-info version all [Sysname] snmp-agent community read public [Sysname] snmp-agent community write private # Set the acces

Page 707

1-9 Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully.

Page 708

2-1 2 RMON Configuration Introduction to RMON Remote monitoring (RMON) is a kind of management information base (MIB) defined by Internet Engineerin

Page 709

2-2 Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events de

Page 710

2-3 The statistics include the number of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize)

Page 711

2-4 Displaying RMON After the above configuration, you can execute the display command in any view to display the RMON running status, and to verify

Page 712 - Total associations : 1

2-5 # Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1

Page 713

7-2 Table 7-2 Control Telnet users by source IP addresses Operation Command Description Enter system view system-view — Create a basic ACL or enter

Page 714 - 1 SSH Configuration

i Table of Contents 1 NTP Configuration

Page 715 - SSH Operating Process

1-1 1 NTP Configuration Introduction to NTP Network time protocol (NTP) is a time synchronization protocol defined in RFC 1305. It is used for time

Page 716 - Authentication negotiation

1-2 z The clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. The clock accurac

Page 717 - Configuring the SSH Server

1-3 z Device A sends an NTP message to Device B, with a timestamp 10:00:00 am (T1) identifying when it is sent. z When the message arrives at Devic

Page 718

1-4 Symmetric peer mode Figure 1-3 Symmetric peer mode In the symmetric peer mode, the local S3100 Ethernet switch serves as the symmetric-active p

Page 719

1-5 Table 1-1 NTP implementation modes on H3C S3100 series Ethernet switches NTP implementation mode Configuration on S3100 series switches Server/c

Page 720

1-6 z Configuring NTP Server/Client Mode z Configuring the NTP Symmetric Peer Mode z Configuring NTP Broadcast Mode z Configuring NTP Multicast M

Page 721

1-7 z The remote server specified by remote-ip or server-name serves as the NTP server, and the local switch serves as the NTP client. The clock o

Page 722

1-8 z In the symmetric peer mode, you need to execute the related NTP configuration commands (refer to section Configuring NTP Implementation Modes

Page 723

1-9 Operation Command Description Configure the switch to work in the NTP broadcast server mode ntp-service broadcast-server [ authentication-keyi

Page 724

5 Part Features 42-ARP and IP Attack Defense Operation z Supporting ARP packet filtering based on gateway’s address (applicable only to the S3100-EI

Page 725 - Configuring the SSH Client

7-3 Table 7-4 Control Telnet users by source MAC addresses Operation Command Description Enter system view system-view — Create or enter Layer 2 AC

Page 726 - Generating a client key

1-10 Configuring a switch to work in the multicast client mode Table 1-8 Configure a switch to work in the NTP multicast client mode Operation Comma

Page 727

1-11 The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identit

Page 728

1-12 with the corresponding NTP broadcast/multicast client. Otherwise, NTP authentication cannot be enabled normally. z Configurations on the server

Page 729 - Selecting an SSH version

1-13 Operation Command Description Configure the specified key as a trusted key ntp-service reliable authentication-keyid key-id Required By defaul
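Two pieces of this chapter are worth seeing in working code: the four-timestamp exchange on page 1-3 (Device A sends with T1 = 10:00:00, and offset and delay are derived from T1 through T4), and the authentication mechanism on pages 1-11 through 1-13 (the access-control right only filters by source address, which is spoofable; NTP authentication with a trusted key is the stronger control). The following Python is an added example, not code from the manual or from H3C: T2, T3, T4, the key and the key ID are constructed, and treating the trusted-key list as a check that must pass in addition to knowing the key is an assumption about how the switch applies ntp-service reliable authentication-keyid.

```python
"""NTP (RFC 1305) clock offset/delay from the four timestamps, plus symmetric-key
MD5 authentication of the 48-byte NTP header with a trusted-key check.

Added example, not from the manual. The manual's exchange starts with
T1 = 10:00:00; the other three timestamps, the key and the key ID are
constructed. Modelling 'ntp-service reliable authentication-keyid' as a set of
trusted key IDs that must be satisfied in addition to knowing the key is an
assumption about the switch's behaviour.
"""
import hashlib
import hmac
import struct


def clock_offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """t1 client send, t2 server receive, t3 server send, t4 client receive,
    all in the same unit (seconds). Returns (offset, delay)."""
    delay = (t4 - t1) - (t3 - t2)            # round trip minus server hold time
    offset = ((t2 - t1) + (t3 - t4)) / 2     # server clock minus client clock
    return offset, delay


def ntp_header(mode: int = 3, stratum: int = 0, transmit_ts: int = 0) -> bytes:
    """48-byte NTPv3 header; only LI/VN/mode and the transmit timestamp are set."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode          # LI=0, version 3, mode 3 = client
    return struct.pack("!BBBb11I", li_vn_mode, stratum, 6, -20,
                       0, 0, 0,                        # root delay, root dispersion, ref id
                       0, 0, 0, 0, 0, 0,               # reference, origin, receive timestamps
                       transmit_ts >> 32, transmit_ts & 0xFFFFFFFF)


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID + MD5(key || header), the RFC 1305 symmetric-key MAC."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict, trusted: set) -> bool:
    """Accept only packets whose key ID is configured *and* declared trusted and
    whose digest matches; constant-time comparison avoids a timing oracle."""
    if len(packet) != 48 + 4 + 16:
        return False
    header, key_id = packet[:48], struct.unpack("!I", packet[48:52])[0]
    if key_id not in keys or key_id not in trusted:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, packet[52:])


# Constructed values: seconds since midnight on the respective device's clock
T1, T2, T3, T4 = 10 * 3600, 11 * 3600 + 1, 11 * 3600 + 2, 10 * 3600 + 3
KEYS = {1: b"constructed-shared-secret"}   # key-id -> key, as configured on both sides
TRUSTED = {1}

if __name__ == "__main__":
    print(clock_offset_and_delay(T1, T2, T3, T4))    # server is 1 h ahead, 2 s round trip
    pkt = sign(ntp_header(transmit_ts=1234), 1, KEYS[1])
    print(verify(pkt, KEYS, TRUSTED), verify(pkt, KEYS, set()))
```

With the constructed timestamps the client computes an offset of one hour and a delay of 2 s, which is why an unauthenticated server (or a spoofed reply, since the access-control ACL checks only the source address) can move a switch's clock by an arbitrary amount and with it every timestamp in its logs. The MAC binds the whole header to a key that both sides hold; a key that is configured but not declared trusted, a tampered header, or a truncated packet all fail verification. The MAC does not prevent replay of an old authentic packet, so keep the key private and rotate it rather than relying on it alone.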

Page 730

1-14 Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time,

Page 731

1-15 Operation Command Description Display the brief information about NTP servers along the path from the local device to the reference clock sour

Page 732

1-16 Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion:

Page 733

1-17 # Enter system view. <DeviceB> system-view # Set Device C as the peer of Device B. [DeviceB] ntp-service unicast-peer 3.0.1.33 Device C an

Page 734 - SSH Configuration Examples

1-18 Network diagram Figure 1-8 Network diagram for the NTP broadcast mode configuration [figure labels: Vlan-int2 1.0.1.31/24, Vlan-int2 3.0.1.31/24, Vlan-int2 3.0.1.32/24

Page 735

1-19 The output information indicates that Device D is synchronized to Device C, with the clock stratum level of 3, one level lower than that of Devi

Page 736

7-4 Controlling Network Management Users by Source IP Addresses You can manage an S3100 Ethernet switch through network management software. Network

Page 737

1-20 [DeviceA] interface Vlan-interface 2 [DeviceA-Vlan-interface2] ntp-service multicast-client After the above configurations, Device A and Device

Page 738

1-21 Configuration procedure 1) Configure Device B. # Enter system view. <DeviceB> system-view # Enable the NTP authentication function. [Devi

Page 739 - <Switch> system-view

1-22 Total associations : 1

Page 740

i Table of Contents 1 SSH Configuration

Page 741

1-1 1 SSH Configuration When configuring SSH, go to these sections for information you are interested: z SSH Overview z SSH Server and Client Conf

Page 742

1-2 Figure 1-1 Encryption and decryption Key-based algorithms are usually classified into symmetric-key algorithms and asymmetric-key algorithms. Asymm

Page 743

1-3 Version negotiation z The server listens on port 22 for connection requests from clients. z The client sends a TCP connection request to t

Page 744

1-4 z In password authentication, the client encrypts the username and password, encapsulates them into a password authentication request, and sends

Page 745

1-5 Table 1-2 Complete the following tasks to configure the SSH server: Task Remarks Configuring the User Interfaces for SSH Clients Required Prepar

Page 746

1-6 Table 1-3 Follow these steps to configure the user interface for SSH clients: To do... Use the command... Remarks Enter system view system-view

Page 747

7-5 Network diagram Figure 7-2 Network diagram for controlling SNMP users using ACLs [figure labels: Switch 10.110.100.46, Host A, IP network, Host B 10.110.100.52] Configur

Page 748

1-7 z You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Typ

Page 749

1-8 To do... Use the command... Remarks Destroy the DSA key pair public-key local destroy dsa Optional Use the command to destroy the generated DSA

Page 750

1-9 z For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authenticat

Page 751

1-10 This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode co

Page 752

1-11 This configuration task is unnecessary if the SSH user’s authentication mode is password. For the publickey authentication mode, you must spec

Page 753

1-12 Configuring the SSH Client The configurations required on the SSH client are related to the authentication mode that the SSH server uses. In add

Page 754

1-13 z Selecting the protocol for remote connection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlo

Page 755

1-14 Figure 1-3 Generate the client keys (2) After the key pair is generated, click Save public key and enter the name of the file for saving the p

Page 756

1-15 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any pr

Page 757

1-16 Figure 1-7 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there

Page 758 - File System Configuration

7-6 Operation Command Description Create a basic ACL or enter basic ACL view acl number acl-number [ match-order { config | auto } ] As for the acl

Page 759 - File Operations

1-17 Figure 1-8 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client softwa

Page 760 - Prompt Mode Configuration

1-18 Figure 1-9 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and clic

Page 761

1-19 Configuring whether first-time authentication is supported When the device connects to the SSH server as an SSH client, you can configure whethe

Page 762 - File Attribute Configuration

1-20 To do... Use the command... Remarks Start the client to establish a connection with an SSH server ssh2 { host-ip | host-name } [ port-num ] [

Page 763 - Configuring File Attributes

1-21 Operation Original commands Current commands Display information about the peer RSA public keys display rsa peer-public-key [ brief | name k

Page 764

1-22 Network diagram Figure 1-10 Switch acts as server for local password authentication Configuration procedure z Configure the SSH server # Crea

Page 765

1-23 # Configure the SSH client software to establish a connection to the SSH server. Take SSH client software Putty (version 0.58) as an example: 1

Page 766 - FTP and SFTP Configuration

1-24 Figure 1-12 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. 3) As shown in Figure

Page 767 - FTP Configuration

1-25 Network diagram Figure 1-13 Switch acts as server for password and RADIUS authentication Configuration procedure 1) Configure the RADIUS serv

Page 768

1-26 Figure 1-14 Add an access device # Add a user for device management. From the navigation tree, select User Management > User for Device Man

Page 769

7-7 [Sysname] ip http acl 2030

Page 770

1-27 Generating the RSA and DSA key pairs on the server is prerequisite to SSH login. # Generate RSA and DSA key pairs. [Switch] public-key local c

Page 771

1-28 Figure 1-16 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. z From

Page 772

1-29 authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server.

Page 773

1-30 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vt

Page 774 - 2.2.2.2/8

1-31 2) From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-20 appears. Figure 1-20 SSH cl

Page 775

1-32 Configuration procedure Under the publickey authentication mode, either the RSA or DSA public key can be generated for the server to authentic

Page 776 - SFTP Configuration

1-33 # Import the client’s public key named Switch001 from file public. [Switch] public-key peer Switch001 import sshkey public # Assign the public

Page 777

1-34 Figure 1-23 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving th

Page 778

1-35 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any pr

Page 779 - SFTP Configuration Example

1-36 Figure 1-27 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. 4) Select Connection/SS

Page 780

i Table of Contents 1 Configuration File Management

Page 781

1-37 Click Browse… to bring up the file selection window, navigate to the private key file and click OK. 5) From the window shown in Figure 1-28, cl

Page 782 - # Exit SFTP

1-38 [SwitchB] local-user client001 [SwitchB-luser-client001] password simple abc [SwitchB-luser-client001] service-type ssh level 3 [SwitchB-luser-c

Page 783 - 2 TFTP Configuration

1-39 Configuration procedure In public key authentication, you can use either an RSA or a DSA public key. This example uses a DSA public key.

Page 784 - TFTP Configuration Example

1-40 # Import the client public key pair named Switch001 from the file Switch001. [SwitchB] public-key peer Switch001 import sshkey Switch001 # Assi

Page 785

1-41 When Switch Acts as Client and First-Time Authentication is not Supported Network requirements As shown in Figure 1-31, establish an SSH connect

Page 786

1-42 Before doing the following steps, you must first generate a DSA key pair on the client and save the key pair in a file named Switch001, and the

Page 787 - 1 Information Center

1-43 When first-time authentication is not supported, you must first generate a DSA key pair on the server and save the key pair in a file named Sw

Page 788

i Table of Contents 1 File System Management Configuration

Page 789

1-1 1 File System Management Configuration File System Configuration Introduction to File System To facilitate management on the switch memory, S310

Page 790 - System Information Format

1-2 Table 1-2 Directory operations To do… Use the command… Remarks Create a directory mkdir directory Optional Delete a directory rmdir directory O

Page 791 - Sysname

1-1 1 Configuration File Management Introduction to Configuration File A configuration file records and stores user configurations performed to a sw

Page 792

1-3 To do… Use the command… Remarks Execute the specified batch file execute filename Optional This command should be executed in system view. z

Page 793

1-4 To do… Use the command… Remarks Configure the prompt mode of the file system file prompt { alert | quiet } Required By default, the prompt mod

Page 794

1-5 7239 KB total (3585 KB free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute File Attribute Con

Page 795

1-6 Booting with the Startup File The device selects the main startup file as the preferred startup file. If the device fails to boot with the main s

Page 796

1-7 z The configuration of the main or backup attribute of a Web file takes effect immediately without restarting the switch. z After upgrading a

Page 797

i Table of Contents 1 FTP and SFTP Configuration

Page 798

1-1 1 FTP and SFTP Configuration Introduction to FTP and SFTP Introduction to FTP FTP (file transfer protocol) is commonly used in IP-based networks

Page 799

1-2 FTP Configuration Table 1-2 FTP configuration tasks Item Configuration task Description Creating an FTP user Required Enabling an FTP server

Page 800

1-3 z Only one user can access an H3C S3100 series Ethernet switch at a given time when the latter operates as an FTP server. z Operating as an F

Page 801

1-4 With an H3C S3100 series Ethernet switch acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/do

Page 802

1-2 z When setting the configuration file for next startup, you can specify to use the main or backup configuration file. Startup with the configura

Page 803 - Log Output to the Console

1-5 Table 1-7 Configure the banner display for an FTP server Operation Command Description Enter system view system-view — Configure a login banner

Page 804

1-6 Operation Command Description Get the local working path on the FTP client lcd Display the working directory on the FTP server pwd Create a dir

Page 805

1-7 to upgrade the switch application and download the configuration file config.cfg from the switch, so as to back up the configuration file. z Cre

Page 806

1-8 ftp> put switch.bin 200 Port command okay. 150 Opening ASCII mode data connection for switch.bin. 226 Transfer complete. ftp: 75980 bytes rece

Page 807

1-9 z An FTP user named “switch” and the password “hello” have been configured on the FTP server. z The IP addresses 1.1.1.1 for a VLAN interface

Page 808 - BOOT Menu

1-10 z Create a user account on the FTP server with the user name “switch” and password “hello”, and grant the user “switch” read and write permissi

Page 809 - Loading Boot ROM

1-11 [ftp] put config.cfg # Execute the get command to download the file named switch.bin to the Flash memory of the switch. [ftp] get switch.bin # E

Page 810

1-12 Configuring connection idle time After the idle time is configured, if the server does not receive service requests from a client within a speci

Page 811 - Loading ...CCCCCCCCCC

1-13 Operation Command Description Enter SFTP client view sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_

Page 812 - Loading ...CCCCCCCCCC done!

1-14 If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the

Page 813 - Introduction to TFTP

1-3 S3100 series Ethernet switches do not support the safe mode. When you are saving a configuration file using the save safely command, if the devi

Page 814 - Loading the Boot ROM

1-15 # Configure the authentication mode as password. Authentication timeout time, retry number, and update time of the server key adopt the default

Page 815 - Introduction to FTP

1-16 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub Received status: End of fi

Page 816

1-17 -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk Received status: End of file Received status: Success sftp-client> # Exit SFTP. s

Page 817 - Remote Loading Using FTP

2-1 2 TFTP Configuration Introduction to TFTP Compared with FTP, TFTP (trivial file transfer protocol) features simple interactive access interface

Page 818 - <Sysname> reboot

2-2 Item Configuration task Description TFTP server configuration For details, see the corresponding manual — TFTP Configuration: A Switch Opera

Page 819

2-3 2) Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch.

Page 820

i Table of Contents 1 Information Center

Page 821 - Remote Loading Using TFTP

1-1 1 Information Center Information Center Overview Introduction to Information Center Acting as the system information hub, information center cla

Page 822

1-2 The system supports ten channels. The channels 0 through 5 have their default channel names and are associated with six output directions by defa

Page 823 - Displaying the System Status

1-3 Module name Description DEV Device management module DNS Domain name system module ETH Ethernet module FIB Forwarding module FTM Fabric topol

Page 824 - Debugging the System

1-4 z While the reset saved-configuration [ main ] command erases the configuration file with main attribute, it only erases the main attribute of a

Page 825 - Displaying Debugging Status

1-4 To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of

Page 826 - Command Alias Configuration

1-5 z severity (the information level) ranges from 1 to 8. Table 1-1 details the value and meaning associated with each severity. Note that the prio

Page 827 - 3 Network Connectivity Test

1-6 Note that there is a space between the sysname and module fields. %% This field is a preamble used to identify a vendor. It is displayed only whe

Page 828 - 4 Device Management

1-7 Task Remarks Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information

Page 829

1-8 Operation Command Description Log host direction info-center timestamp loghost date Set the time stamp format in the output direction of the in

Page 830 - Upgrading the Boot ROM

1-9 Table 1-8 Default output rules for different output directions LOG TRAP DEBUG Output direction Modules allowed Enabled/disabled SeverityEnabled

Page 831

1-10 Setting to output system information to a monitor terminal Table 1-10 Set to output system information to a monitor terminal Operation Command

Page 832

1-11 Make sure that the debugging/log/trap information terminal display function is enabled (use the terminal monitor command) before you enable th

Page 833

1-12 Setting to Output System Information to the Trap Buffer Table 1-13 Set to output system information to the trap buffer Operation Command Descr

Page 834

1-13 Setting to Output System Information to the SNMP NMS Table 1-15 Set to output system information to the SNMP NMS Operation Command Description

Page 835 - Scheduled Task Configuration

6 Software version Added features compared with the earlier version Release 2108P04 Part Limit broadcast traffic in pps 09-Port Basic Configuration O

Page 836

1-5 Displaying Device Configuration After the above configuration, you can execute the display command in any view to display the current and initial

Page 837

1-14 Operation Command Description Display the status of trap buffer and the information recorded in the trap buffer display trapbuffer [ unit unit

Page 838

1-15 # Switch configuration messages local4.info /var/log/Switch/information When you edit the file “/etc/syslog.conf”, note that: z A note mus

Page 839 - 1 VLAN-VPN Configuration

1-16 # Enable the information center. <Switch> system-view [Switch] info-center enable # Configure the host whose IP address is 202.38.1.10 as

Page 840 - Implementation of VLAN-VPN

1-17 Log Output to the Console Network requirements The switch sends the following information to the console: the log information of the two module

Page 841 - VLAN-VPN Configuration

1-18 # Set the time stamp format of the log information to be output to the log host to date. <Switch> system-view System View: return to User

Page 842 - VLAN-VPN

i Table of Contents 1 Boot ROM and Host Software Loading

Page 843

ii Configuring a Scheduled Task 5-1 Con

Page 844 - Data transfer process

1-1 1 Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and c

Page 845 - Selective QinQ Configuration

1-2 BOOT Menu Starting... *********************************************************** *

Page 846

1-3 Loading by XModem through Console Port Introduction to XModem XModem protocol is a file transfer protocol that is widely used due to its simplici

Page 847

i Table of Contents 1 VLAN Overview

Page 848

1-4 If you have chosen 9600 bps as the download baudrate, you need not modify the HyperTerminal’s baudrate, and therefore you can skip Step 4 and 5

Page 849

1-5 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch an

Page 850

1-6 Step 7: Choose [Transfer/Send File] in HyperTerminal, and click <Browse> in pop-up dialog box, as shown in Figure 1-4. Select the software

Page 851 - 3 BPDU Tunnel Configuration

1-7 z If the HyperTerminal’s baudrate is not reset to 9600 bps, the system prompts "Your baudrate should be set to 9600 bps again! Press enter

Page 852

1-8 Loading the Boot ROM Figure 1-6 Local loading using TFTP Step 1: As shown in Figure 1-6, connect the switch through an Ethernet port to the TFT

Page 853 - BPDU Tunnel Configuration

1-9 Step 6: Enter Y to start file downloading or N to return to the Boot ROM update menu. If you enter Y, the system begins to download and update th

Page 854

1-10 You can use one computer as both configuration device and FTP server. Step 2: Run the FTP server program on the FTP server, configure an FTP u

Page 855

1-11 When loading the Boot ROM and host software using FTP through the BOOT menu, it is recommended that you use the PC directly connected to the device as

Page 856

1-12 This will update BootRom file on unit 1. Continue? [Y/N] y Upgrading BOOTROM, please wait... Upgrade BOOTROM succeeded! Step 3: Restart the s

Page 857

1-13 You can configure the IP address for any VLAN on the switch for FTP transmission. However, before configuring the IP address for a VLAN interfa

Page 858 - VLAN Mapping Configuration

ii Associating a Port with a Protocol-Based VLAN 2-10 Displaying Protocol-Ba

Page 859

1-14 Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to l

Page 860

1-15 Figure 1-13 Upload file switch.btm to the switch Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch.

Page 862

2-1 2 Basic System Configuration and Debugging Basic System Configuration Table 2-1 Basic System Configuration Operation Command Description Set t

Page 863

2-2 Table 2-2 System information display commands Operation Command Description Display the current date and time of the system display clock Displ

Page 864

2-3 You can use the following commands to enable the two switches. Table 2-3 Enable debugging and terminal display for a specific module Operation

Page 865

2-1 Command Alias Configuration Introduction As the network environment becomes more complex and network products become increasingly diverse, users

Page 866

3-1 3 Network Connectivity Test Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability o

Page 867 - Configuring DHCP Option 82

4-1 4 Device Management Introduction to Device Management Device Management includes the following: z Reboot the Ethernet switch z Configure real-

Page 868

4-2 Scheduling a Reboot on the Switch After you schedule a reboot on the switch, the switch will reboot at the specified time. Table 4-3 Schedule a

Page 869 - 1 HWPing Configuration

1-1 1 VLAN Overview This chapter covers these topics: z VLAN Overview z Port-Based VLAN z MAC-Based VLAN z Protocol-Based VLAN VLAN Overview Int

Page 870 - HWPing Test Parameters

4-3 Table 4-5 Specify the APP to be used at reboot Operation Command Description Specify the APP to be used at reboot boot boot-loader [ backup-att

Page 871

4-4 Table 4-8 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an optical transceiver Whether can be an elec

Page 872 - HWPing Configuration

4-5 TX power, and RX power. When these parameters are abnormal, you can take corresponding measures to prevent transceiver faults. Table 4-10 Display

Page 873

4-6 The switch acts as the FTP client, and the remote PC serves as both the configuration PC and the FTP server. Perform the following configuration

Page 874

4-7 Trying ... Press CTRL+K to abort

Page 875

5-1 5 Scheduled Task Configuration What Is a Scheduled Task A scheduled task defines a command or a group of commands and when such commands will be

Page 876

5-2 Specify the time delay to execute the commands in the task Follow these steps to configure a scheduled task: To do… Use the command… Descripti

Page 877

5-3 [Switch] job phone1 # Configure the view where the specified command to be executed as Ethernet interface view. [Switch-job-phone1] view Ethernet

Page 878

i Table of Contents 1 VLAN-VPN Configuration

Page 879

1-1 1 VLAN-VPN Configuration When configuring VLAN-VPN, go to these sections for information you are interested in: z VLAN-VPN Overview z VLAN-VPN

Page 880

1-2 way. However, hosts in different VLANs cannot communicate with each other directly but need the help of network layer devices, such as routers an

Page 881

1-2 Implementation of VLAN-VPN With the VLAN-VPN feature enabled, no matter whether or not a received packet already carries a VLAN tag, the switch w

Page 882

1-3 Protocol type Value IS-IS 0x8000 LACP 0x8809 802.1x 0x888E VLAN-VPN Configuration VLAN-VPN Configuration Task List Complete the following tasks

Page 883

1-4 Follow these steps to configure the TPID for VLAN-VPN packets: To do... Use the command... Remarks Enter system view system-view — Set the TPI

Page 884

1-5 Network diagram Figure 1-4 Network diagram for VLAN-VPN configuration Configuration procedure z Configure Switch A. # Enable the VLAN-VPN feat

Page 885

1-6 [SwitchB] interface Ethernet 1/0/21 [SwitchB-Ethernet1/0/21] vlan-vpn enable # Set the global TPID value to 0x9200 (for intercommunication with t

Page 886

2-1 2 Selective QinQ Configuration This chapter is only applicable to S3100-EI series switches. When configuring selective QinQ, go to these sect

Page 887

2-2 Figure 2-1 Diagram for a selective QinQ implementation In this implementation, Switch A is an access device of the service provider. The users

Page 888 - ICMP Test

2-3 Configuring Global Tag Mapping Rules for Selective QinQ Table 2-1 Configure global tag mapping rules for selective QinQ Operation Command Descr

Page 889 - DHCP Test

2-4 z The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1

Page 890

2-5 [SwitchA-Etherent1/0/5] port hybrid vlan 5 1000 1200 tagged [SwitchA-Ethernet1/0/5] quit # Configure Ethernet 1/0/3 as a hybrid port and configur

Page 891 - FTP Test

1-3 IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 1-3. Figure 1-3 Format of VLAN tag A VLAN tag comprises

Page 892 - HTTP Test

2-6 [SwitchB-Etherent1/0/12] port hybrid pvid vlan 12 [SwitchB-Etherent1/0/12] port hybrid vlan 12 1000 untagged [SwitchB-Ethernet1/0/12] quit # Con

Page 893

3-1 3 BPDU Tunnel Configuration This chapter is only applicable to S3100-EI series switches. When configuring BPDU tunnel, go to these sections f

Page 894 - Jitter Test

3-2 customer network to the service provider network. The customer network contains Network A and Network B. You can make the BPDU packets of the cus

Page 895

3-3 Figure 3-3 The structure of a BPDU packet after it enters a BPDU tunnel To prevent the devices in the service provider network from processin

Page 896 - SNMP Test

3-4 To do... Use the command... Remarks Enter Ethernet port view interface interface-type interface-number — Enable BPDU tunnel for packets of a sp

Page 897

3-5 z Enable the service provider network to transmit STP packets of the customer network through BPDU tunnel. The destination MAC address for tunne

Page 898

3-6 [Sysname-Ethernet1/0/4] bpdu-tunnel stp # Enable VLAN-VPN and use VLAN 100 to transmit user data packets through BPDU tunnels. [Sysname-Ethernet

Page 899

i Table of Contents 1 VLAN Mapping Configuration

Page 900

1-1 1 VLAN Mapping Configuration The VLAN mapping feature is applicable to only the S3100-EI series among the S3100 series. VLAN Mapping Overvie

Page 901 - DNS Test

1-2 As shown in Figure 1-1, each user in the community has multiple applications. The VLAN technology is used on the home gateway to distinguish tra

Page 902

1-4 z Shared VLAN learning (SVL), where the switch records all learned MAC address entries in one MAC address table, regardless of in which VLAN the

Page 903

1-3 Figure 1-3 After many-to-one VLAN mapping …… Configuring the DHCP Option 82 for Many-to-One VLAN Mapping Option 82 is the relay agent option in

Page 904 - 1 IPv6 Configuration

1-4 Configuring One-to-one VLAN Mapping One-to-one VLAN Mapping Configuration Task List Complete the following tasks to configure one-to-one VLAN ma

Page 905 - Introduction to IPv6 Address

1-5 z You cannot enable one-to-one VLAN mapping on a link aggregation group member port. z When you configure a global one-to-one VLAN mapping ru

Page 906 - IPv6 address classification

1-6 To do… Use the command… Remarks Configure a many-to-one VLAN mapping rule and enable many-to-one VLAN mapping on the port vlan-mapping n-to-1 v

Page 907 - Multicast address

1-7 This example describes how to configure one-to-one VLAN mapping for two users: map the three traffic streams from user A to VLAN 1001, VLAN 1002,

Page 908

1-8 z If you configure Ethernet 1/0/1 and Ethernet 1/0/2 as trunk ports, you also need to assign them to the corresponding original VLANs and targe

Page 909 - Duplicate address detection

1-9 Figure 1-6 Network diagram for many-to-one VLAN mapping configuration …… Configuration Procedure Configuring Many-to-One VLAN Mapping # Create V

Page 910 - Introduction to ND Snooping

1-10 [SwitchA] interface GigabitEthernet 1/1/1 [SwitchA-GigabitEthernet1/1/1] port link-type trunk [SwitchA-GigabitEthernet1/1/1] port trunk permit v

Page 911 - Introduction to ND Detection

i Table of Contents 1 HWPing Configuration

Page 912

1-1 1 HWPing Configuration When configuring HWPing, go to these sections for information you are interested in: z HWPing Overview z HWPing Configu

Page 913

1-5 Port-Based VLAN Port-based VLAN technology introduces the simplest way to classify VLANs. You can assign the ports on the device to different VLA

Page 914 - Untrusted Untrusted

1-2 Test Types Supported by HWPing Table 1-1 Test types supported by HWPing Supported test types Description ICMP test DHCP test FTP test HTTP test

Page 915 - Introduction to IPv6 DNS

1-3 Test parameter Description Number of probes per test (count) For tests except jitter test, only one test packet is sent in a probe. In a jitter

Page 916 - IPv6 Configuration Task List

1-4 Test parameter Description Interval to send jitter test packets (jitter-interval) Each jitter probe will send multiple UDP test packets at regul

Page 917

1-5 To do… Use the command… Remarks Enter system view system-view — Enable the HWPing client function hwping-agent enable Required By default, the

Page 918 - Configuring IPv6 NDP

1-6 To do… Use the command… Remarks Configure the retaining time of statistics information statistics keep-time keep-time Optional By default, the

Page 919 - Configure the NS Interval

1-7 To do… Use the command… Remarks Create an HWPing test group and enter its view hwping administrator-name operation-tag Required By default, no

Page 920

1-8 To do… Use the command… Remarks Enable the HWPing client function hwping-agent enable Required By default, the HWPing client function is disabl

Page 921 - Configuring ND Snooping

1-9 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds. Configur

Page 922 - Configuring the ND Detection

1-10 To do… Use the command… Remarks Configure the source IP address source-ip ip-address Optional By default, no source IP address is configured.

Page 923 - Configuring DHCPv6 Snooping

1-11 To do… Use the command… Remarks Configure the type of HTTP operation http-operation { get | post } Optional By default, the type of HTTP opera

Page 924 - Configuring IPv6 Filtering

1-6 Before assigning an access or hybrid port to a VLAN, create the VLAN first. Configuring the Default VLAN ID for a Port An access port can belo

Page 925 - Configuring IPv6 DNS

1-12 To do… Use the command… Remarks Configure a stuffing character string datafill string Optional By default, the numbers between 0 and 255 are s

Page 926

1-13 To do… Use the command… Remarks Configure advantage factor for a jitter voice test adv-factor adv-number By default, the advantage factor is z

Page 927 - IPv6 Configuration Examples

1-14 To do… Use the command… Remarks Configure the retaining time of statistics information statistics keep-time keep-time Optional By default, the

Page 928

1-15 To do… Use the command… Remarks Configure the destination port destination-port port-number Required in a Tcpprivate test A Tcppublic test is

Page 929

1-16 To do… Use the command… Remarks Configure the type of service tos value Optional By default, the service type is zero. Start the test test-ena

Page 930 - Networking diagram

1-17 To do… Use the command… Remarks Enable history record history-record enable Optional By default, history record is not enabled. Configure the

Page 931

1-18 To do… Use the command… Remarks Configure the source IP address source-ip ip-address Optional By default, no source IP address is specified. C

Page 932

1-19 To do… Use the command… Remarks Configure the IP address of the DNS server dns-server ip-address Required By default, no DNS server address is

Page 933 - IPv6 Traceroute

1-20 Displaying HWPing Configuration To do… Use the command… Remarks Display the results of the test display hwping { results | history | jitter }

Page 934 - IPv6 TFTP

1-21 Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Ti

Page 935 - IPv6 Telnet

1-7 MAC-Based VLAN The contents of this section are only applicable to the S3100-EI series among S3100 series switches. Introduction to MAC-Based V

Page 936

1-22 [Sysname-hwping-administrator-dhcp] source-interface Vlan-interface 1 # Configure to make 10 probes per test. [Sysname-hwping-administrator-dhc

Page 937 - Unable to Run Traceroute

1-23 FTP Test Network requirements Both the HWPing client and the FTP server are H3C S3100 series Ethernet switches. Perform an HWPing FTP test betwe

Page 938 - Unable to Run Telnet

1-24 # Start the test. [Sysname-hwping-administrator-ftp] test-enable # Display test results [Sysname-hwping-administrator-ftp] display hwping resul

Page 939

1-25 Network diagram Figure 1-5 Network diagram for the HTTP test Configuration procedure z Configure HTTP Server: Use Windows 2003 Server as the

Page 940 - 1 DNS Configuration

1-26 DNS Resolve Time: 0 HTTP Operation Time: 675 DNS Resolve Min Time: 0 HTTP Test Total Time: 748 D

Page 941 - DNS suffixes

1-27 <Sysname> system-view [Sysname] hwping-server enable [Sysname] hwping-server udpecho 10.2.2.2 9000 z Configure HWPing Client (Switch A):

Page 942

1-28 Negative SD Number:30 Negative DS Number:24 Negative SD Sum:64 Negative DS Sum: 41 Negative S

Page 943 - DNS Configuration Example

1-29 z The SNMP network management function must be enabled on SNMP agent before it can receive response packets. z The SNMPv2c version is used as

Page 944

1-30 4 10 1 0 2000-04-03 08:57:19.9 5 9 1 0 2000-04-03 08:57:19.9

Page 945 - Troubleshooting DNS

1-31 [Sysname-hwping-administrator-tcpprivate] history-records 10 # Start the test. [Sysname-hwping-administrator-tcpprivate] test-enable # Display

Page 946

7 Software version Added features compared with the earlier version Release 2108P04 Part Web authentication 20-Web Authentication Operation DHCP Serve

Page 947 - 1 Smart Link Configuration

1-8 Protocol-Based VLAN The contents of this section are only applicable to the S3100-EI series among S3100 series switches. Introduction to Proto

Page 948 - Flush message

1-32 <Sysname> system-view [Sysname] hwping-server enable [Sysname] hwping-server udpecho 10.2.2.2 8000 z Configure HWPing Client (Switch A):

Page 949 - Configuring Smart Link

1-33 7 10 1 0 2000-04-02 08:29:45.3 8 10 1 0 2000-04-02 08:29:45.3

Page 950 - Configuration Tasks

1-34 [Sysname-hwping-administrator-dns] display hwping results administrator dns HWPing entry(admin administrator, tag dns) test result: Destin

Page 951 - Precautions

i Table of Contents 1 IPv6 Configuration

Page 952

1-1 1 IPv6 Configuration • H3C S3100 Series Ethernet Switches support IPv6 management features, but do not support IPv6 forwarding and related fe

Page 953

1-2 Adequate address space The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 ad

Page 954

1-3 • If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by the double-colon (::) option. For example, the ab

Page 955 - Monitor Link Configuration

1-4 Type Format prefix (binary) IPv6 prefix ID Anycast address Anycast addresses are taken from unicast address space and are not syntactically dis

Page 956 - Configuring Monitor Link

1-5 hexadecimal number FFFE needs to be inserted in the middle of MAC addresses (behind the 24 high-order bits). To ensure the interface identifier ob

Page 957 - Configuring the Uplink Port

1-6 • H3C S3100 Series Ethernet Switches do not support RS, RA, or Redirect messages. • Of the above-mentioned IPv6 NDP functions, H3C S3100 Serie

Page 958 - Configuring a Downlink Port

1-9 Packets with the value of the type or length field being in the range 0x05DD to 0x05FF are regarded as illegal packets and thus discarded directl

Page 959

1-7 duplicate address detection is accomplished through NS and NA messages. Figure 1-4 shows the duplicate address detection procedure. Figure 1-4

Page 960

1-8 • If they are consistent, the device resets the aging timer for the ND snooping entry. • If they are inconsistent and the received packet is a

Page 961

1-9 • Router Advertisement (RA) • Redirect The ND protocol functions powerfully, but without any security mechanism, it is apt to be used by attac

Page 962

1-10 The user legality check is based on the source IPv6 address and source MAC address in the ND packet to check whether the user is legal on the VL

Page 963 - Interface Can Learn

1-11 Ensuring that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers If there is an unauthorized DHCPv6 server on a network, the DHCPv6

Page 964

1-12 Figure 1-7 Diagram for the IPv6 filtering function The switch can filter invalid IPv6 packets through IPv6 static binding entries or IP-to-MAC

Page 965

1-13 • RFC 1981: Path MTU Discovery for IP version 6 • RFC 2375: IPv6 Multicast Address Assignments • RFC 2460: Internet Protocol, Version 6 (IPv6

Page 966 - [Switch-Ethernet1/0/1] quit

1-14 • Manual configuration: IPv6 site-local addresses or global unicast addresses are configured manually. IPv6 link-local addresses can be acquire

Page 967 - Configuration Procedures

1-15 • IPv6 unicast addresses can be configured for only one VLAN interface of an H3C S3100 Series Ethernet Switch. Only one global unicast addre

Page 968

1-16 dynamically learned neighbors reaches the threshold, the interface will stop learning neighbor information. Table 1-7 Configure the maximum numb

Page 969 - [Switch-Ethernet1/0/1] dot1x

2-1 2 VLAN Configuration When configuring a VLAN, go to these sections for information you are interested in: • VLAN Configuration • Configuring a

Page 970

1-17 Table 1-10 Configure the neighbor reachable timeout time on an interface To do… Use the command… Remarks Enter system view system-view — Enter

Page 971 - 1 LLDP Configuration

1-18 Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time If too many IPv6 ICMP error packets are sent within a sho

Page 972

1-19 Configuring ND snooping Follow these steps to configure ND snooping: To do… Use the command… Remarks Enter system view system-view — Enter VLA

Page 973 - LLDPDUs

1-20 To do… Use the command Remarks Enter Layer-2 Ethernet interface view interface interface-type interface-number — Configure the ports requirin

Page 974

1-21 Configuring DHCPv6 snooping support for DHCPv6 Option 18/Option 37 DHCPv6 Option 37, also known as the DHCPv6 relay agent remote ID option, reco

Page 975 - Operating Modes of LLDP

1-22 You cannot configure both IPv6 filtering and port binding. Configuring IPv6 DNS Configure a static host name to IPv6 address mapping You can d

Page 976 - LLDP Configuration Task List

1-23 Displaying and Maintaining IPv6 To do… Use the command… Remarks Display DHCPv6 snooping entries display dhcp-snooping ipv6 { all | unit unit-i

Page 977 - Setting LLDP Operating Mode

1-24 To do… Use the command… Remarks Clear the statistics by ND detection reset ipv6 nd detection statistics [ interface interface-type interface-n

Page 978 - Enabling LLDP Polling

1-25 [SwitchB-Vlan-interface1] ipv6 address 3001::2/64 Verification # Display the brief IPv6 information of an interface on Switch A. [SwitchA-Vlan-i

Page 979

1-26 bytes=56 Sequence=3 hop limit=64 time = 6 ms Reply from FE80::2E0:FCFF:FE00:2006 bytes=56 Sequence=4 hop limit=64 time = 7 ms

Page 980

2-2 • VLAN 1 is the system default VLAN, which need not be created and cannot be removed. • The VLAN you created in the way described

Page 981 - Configuring LLDP Trapping

1-27 Configuration procedure # Enable DHCPv6 snooping. <SwitchA> system-view [SwitchA] dhcp-snooping ipv6 enable # Specify Ethernet 1/1 as trus

Page 982 - LLDP Configuration Examples

1-28 # Configure the upper port Ethernet 1/0/3 as ND trusted port, while the lower ports Ethernet 1/0/1 and Ethernet 1/0/2 as the default state, name

Page 983

1-29 # Enable IPv6 filtering on Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses.

Page 984 - LLDP status on Switch A

2-1 2 IPv6 Application Configuration Introduction to IPv6 Applications IPv6 supports more and more applications. Most IPv6 applications are

Page 985

2-2 Figure 2-1 Traceroute process [figure: Device A, Device B, Device C; Hop Limit=1, Hop Limit=2, Hop Limit=n; Hop Limit exceeded; UDP port unreachable]

Page 986

2-3 When you use the tftp ipv6 command to connect to the TFTP server, you must specify the “–i” keyword if the destination address is a link-local a

Page 987

2-4 IPv6 Application Configuration Example Network requirements In Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is an H3C S3100

Page 988

2-5 # On SWA, configure static routes to SWC, the Telnet Server, and the TFTP Server. <SWA> system-view [SWA] ipv6 route-static 3002:: 64 3003:

Page 989 - 1 PKI Configuration

2-6 Unable to Run TFTP Symptom Unable to download and upload files by performing TFTP operations. Solution • Check that the route between the device

Page 990 - Architecture of PKI

i Table of Contents 1 DNS Configuration

Page 991 - Operation of PKI

2-3 To do... Use the command... Remarks Create a VLAN interface and enter VLAN interface view interface Vlan-interface vlan-id Required By default,

Page 992 - Configuring an Entity DN

1-1 1 DNS Configuration This chapter covers only IPv4 DNS configuration. For details about IPv6 DNS, refer to IPv6 Management Operation. DNS Over

Page 993

1-2 Figure 1-1 Dynamic domain name resolution Figure 1-1 shows the relationship between user program, DNS client, and DNS server. The resolver and

Page 994 - Configuring a PKI Domain

1-3 • The IP address you last assign to a host name overwrites the previous one, if any. • You may create up to 50 static mappin

Page 995

1-4 Operation Command… Remarks Clear the information in the dynamic domain name cache reset dns dynamic-host Available in user view DNS Configurat

Page 996

1-5 Dynamic Domain Name Resolution Configuration Example Network requirements As shown in Figure 1-3, the switch serving as a DNS client uses dynamic

Page 997

1-6 Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=125 time=4 ms Reply from 3.1.1.

Page 998

i Table of Contents 1 Smart Link Configuration

Page 999 - Deleting a Certificate

1-1 1 Smart Link Configuration Currently, only S3100-EI series Ethernet switches support the smart link feature. Smart Link Overview As shown in

Page 1000

1-2 Master port The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can config

Page 1001 - PKI Configuration Examples

1-3 Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operating mechanism [figure: Switch A, Switch B, Switch C, Eth1/0/1, Eth1/0/2, BLOCK]

Page 1002

2-4 To do… Use the command… Remarks Enter system view system-view — Enter VLAN view vlan vlan-id Required If the specified VLAN does not exist, thi

Page 1003

1-4 Configuration Tasks Table 1-1 Smart Link configuration tasks Task Remarks Create a Smart Link group Add member ports to the Smart Link group Con

Page 1004 - Network requirements

1-5 Operation Command Remarks Configure a link aggregation group as a member of the Smart Link group link-aggregation group group-id { master | sla

Page 1005

1-6 5) When a Combo port operates as a member port of a Smart Link group, the optical port and the electrical port of the Combo port must not be bot

Page 1006

1-7 Smart Link Configuration Example Implementing Link Redundancy Backup Network requirements As shown in Figure 1-3, Switch A is an H3C S3100 series

Page 1007 - Troubleshooting PKI

1-8 # Configure Ethernet1/0/1 as the master port and Ethernet1/0/2 as the slave port for Smart Link group 1. [SwitchA-smlk-group1] port Ethernet 1/0

Page 1008 - Failed to Retrieve CRLs

2-1 2 Monitor Link Configuration Currently, only S3100-EI series Ethernet switches support the monitor link feature. Introduction to Monitor Link

Page 1009 - Solution

2-2 How Monitor Link Works Figure 2-2 Network diagram for a Monitor Link group implementation [figure: Switch A, Switch B, Switch C, Switch D, Eth1/0/1, Eth1/0/2, BLOCK]

Page 1010 - Table of Contents

2-3 Before configuring a Monitor Link group, you must create a Monitor Link group and configure member ports for it. A Monitor Link group consists o

Page 1011 - 1 SSL Configuration

2-4 Operation Command Remarks Monitor Link group view port interface-type interface-number uplink quit interface interface-type interface-number C

Page 1012 - SSL Configuration Task List

2-5 Table 2-5 Display Monitor Link configuration Operation Command Remarks Display the information about one or all Monitor Link groups display mon

Page 1013 - Configuration Procedure

2-5 • To configure a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to

Page 1014

2-6 [SwitchA-Ethernet1/0/1] stp disable [SwitchA-Ethernet1/0/1] quit [SwitchA] interface Ethernet 1/0/2 [SwitchA-Ethernet1/0/2] stp disable # Return

Page 1015

i Table of Contents 1 ARP and IP Attack Defense Configuration

Page 1016

1 1 ARP and IP Attack Defense Configuration ARP Packet Filtering Based on Gateway’s Address Introduction According to the ARP design, after receivin

Page 1017 - Troubleshooting SSL

2 Among the S3100 series Ethernet switches, only the S3100-EI series support ARP Packet Filtering. Follow these steps to configure ARP packet filt

Page 1018

3 To do… Use the command… Remarks Configure the maximum number of dynamic ARP entries that the VLAN interface can learn arp max-learning-num number

Page 1019

4 Follow these steps to configure 802.1x-based ARP/IP attack defense: To do… Use the command… Remarks Enter system view system-view — Enable using

Page 1020 - 1 HTTPS Configuration

5 • If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned. Enabling ARP Source MAC Addres

Page 1021 - Enabling the HTTPS Service

6 [Switch] interface Ethernet 1/0/2 [Switch-Ethernet1/0/2] arp filter source 192.168.100.1 [Switch-Ethernet1/0/2] quit # Configure ARP packet filteri

Page 1022 - Control Policy

7 [SwitchA-Vlan-interface1] arp max-learning-num 500 [SwitchA-Vlan-interface1] quit ARP/IP Attack Defense Configuration Example III Network Requireme

Page 1023 - HTTPS Configuration Example

8 [Switch] interface ethernet1/0/1 [Switch-Ethernet1/0/1] dot1x # Enable IP filtering based on IP-MAC bindings of authenticated 802.1x clients. [Swi

Page 1024

2-6 Port-Based VLAN Configuration Example Network requirements • As shown in Figure 2-1, Switch A and Switch B each connect to a server and a workst

Page 1025

i Table of Contents 1 LLDP Configuration

Page 1026 - Ethernet OAM Configuration

1-1 1 LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: • Overview • LLDP Configuration Task L

Page 1027 - Ethernet OAMPDUs

1-2 Figure 1-1 Ethernet II-encapsulated LLDP frame format The fields in the frame are described in Table 1-1: Table 1-1 Description of the fields

Page 1028 - How Ethernet OAM Works

1-3 Field Description Source MAC address The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sendin

Page 1029 - Link monitoring

1-4 Type Description Remarks Port Description Port description of the sending port. System Name Assigned name of the sending device. System Descr

Page 1030 - Standards and Protocols

1-5 LLDP-MED TLVs LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configur

Page 1031

1-6 How LLDP Works Transmitting LLDP frames An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected device

Page 1032 - Configuring Link Monitoring

1-7 Performing Basic LLDP Configuration Enabling LLDP To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these p

Page 1033

1-8 Enabling LLDP Polling With LLDP polling enabled, a device checks for local configuration changes periodically. Upon detecting a configuration ch

Page 1034 - Enabling OAM Remote Loopback

1-9 To do… Use the command… Remarks Enter Ethernet interface view interface interface-type interface-number Required Enable LLDP to advertise manag

Page 1035

2-7 Because the link between Switch A and Switch B needs to transmit data of both VLAN 101 and VLAN 102, you can configure the ports at the end of the

Page 1036

1-10 Setting an Encapsulation Format for LLDPDUs LLDPDUs can be encapsulated in Ethernet II or SNAP frames. z With Ethernet II encapsulation config

Page 1037

1-11 With CDP compatibility enabled, the device can use LLDP to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets c

Page 1038

1-12 Follow these steps to configure LLDP trapping: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet interface view i

Page 1039 - 1 CFD Configuration

1-13 Figure 1-4 Network diagram for basic LLDP configuration [figure: NMS, Switch A, MED, Switch B, Eth1/0/2, Eth1/0/1, Eth1/0/1] Configuration procedure 1) Configure Sw

Page 1040 - Maintenance point

1-14 Hold multiplier : 4 Reinit delay : 2s Transmit delay : 2s Trap interval :

Page 1041

1-15 Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time

Page 1042 - CFD Functions

1-16 Figure 1-5 Network diagram for CDP-compatible LLDP configuration Configuration procedure 1) Configure a voice VLAN on Switch A # Create VLAN

Page 1043 - CFD Configuration Task List

1-17 [SwitchA] display lldp neighbor-information CDP neighbor-information of port 1[Ethernet1/0/1]: CDP neighbor index : 1 Chassis ID : S

Page 1044 - Enabling CFD

i Table of Contents 1 PKI Configuration

Page 1045 - Configuring MEPs

1-1 1 PKI Configuration When configuring PKI, go to these sections for information you are interested in: • Introduction to PKI • PKI Configurati

Page 1046

2-8 Configuring a MAC-Based VLAN Configuration prerequisites Create a VLAN before configuring the VLAN as a protocol-based VLAN. Configuration proce

Page 1047 - Configuring CFD Functions

1-2 CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root CA has a CA certifica

Page 1048 - Configuring LT on MEPs

1-3 CA A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity period

Page 1049 - CFD Configuration Example

1-4 2) The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. 3)

Page 1050

1-5 The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN paramete

Page 1051

1-6 Configuring a PKI Domain Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referre

Page 1052

1-7 To do… Use the command… Remarks Specify the entity for certificate request certificate request entity entity-name Required No entity is specifi

Page 1053

1-8 Follow these steps to configure an entity to submit a certificate request in auto mode: To do… Use the command… Remarks Enter system view syste

Page 1054 - Appendix A Acronyms

1-9 • If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certifica

Page 1055

1-10 • If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency bet

Page 1056

1-11 To do… Use the command… Remarks Enter PKI domain view pki domain domain-name — Disable CRL checking crl check disable Required Enabled by defa
