3Com WX3000 - Manuals
Summary
Copyright © 2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves th...
About This Manual
Organization
3Com WX3000 Series Unified Switches consist of three models: the WX3024, the WX3010 and the WX3008. 3Com WX3000 Series Unified Switches Switching Engine Operation Manual is organized as follows:
Part | Contents
1 CLI | Introduces the command hierarchy, command view and C...
Part | Contents
24 SNMP-RMON | Introduces the configuration for network management through SNMP and RMON
25 Multicast | Introduces IGMP snooping and the related configuration.
26 NTP | Introduces NTP and the related configuration.
27 SSH | Introduces SSH2.0 and the related configuration.
28 File System Manage...
Convention | Description
&<1-n> | The argument(s) before the ampersand (&) sign can be entered 1 to n times.
# | A line starting with the # sign is comments.
GUI conventions
Convention | Description
Boldface | Window names, button names, field names, and menu items are in Boldface. For example, ...
Manual | Description
3Com WX3000 Series Unified Switches Web-Based Configuration Manual | Introduces the Web-based functions of the access control engine of WX3000 series unified switches access controller engines.
Obtaining Documentation
You can access the most up-to-date 3Com product documentation on ...
Table of Contents
1 CLI Configuration
Introduction to the CLI...
1 CLI Configuration
The sample output information in this manual was created on the WX3024. The output information on your device may vary.
Introduction to the CLI
A command line interface (CLI) is a user interface to interact with a device. Through the CLI on a device, a user can enter commands...
- Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level. Use...
Configuration example
After a general user telnets to the device, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the device.
# A level 3 user sets a switching password for user level 3.
<device> ...
# Change the tftp get command in user view (shell) from level 3 to level 0. (Originally, only level 3 users can change the level of a command.)
<device> system-view
[device] command-privilege level 0 view shell tftp
[device] command-privilege level 0 view shell tftp 192.168.0.1
[device] co...
View | Available operation | Prompt example | Enter method | Quit method
QinQ view | Configure QinQ parameters | [device-GigabitEthernet1/0/1-vid-20] | Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command should be first executed. | Execute the quit command to return to Ethernet p...
timezone Configure time zone
If the question mark (?) is at an argument position in the command, the description of the argument will be displayed on your terminal.
[device] interface vlan-interface ?
<1-4094> VLAN interface number
If only <cr> is displayed after you enter a question...
Configuring Source IP Address for Telnet Service Packets
Displaying Source IP Address Configuration
7 User Control...
1 Logging In to the Switching Engine
The sample output information in this manual was created on the WX3024. The output information on your device may vary.
Logging In to the Switching Engine
You can log in to the switching engine of the device in one of the following ways:
- Logging in through ...
2 Logging In Through OAP
OAP Overview
As an open software and hardware system, Open Application Architecture (OAA) provides a set of complete standard software and hardware interfaces. The third party vendors can develop products with special functions. These products can be compatible with each...
Resetting the OAP Software System
If the operating system works abnormally or is under other anomalies, you can reset the OAP software system. Follow these steps to reset the OAP software system:
To do… | Use the command… | Remarks
Reset the OAP software system | oap reboot slot 0 | Required Available i...
3 Logging In Through Telnet
Introduction
The device supports Telnet. You can manage and maintain the switching engine remotely by Telnetting to the switching engine. To log in to the switching engine through Telnet, the corresponding configuration is required on both the switching engine and the...
Configuration | Description
Make terminal services available | Optional By default, terminal services are available in all user interfaces
Set the maximum number of lines the screen can contain | Optional By default, the screen can contain up to 24 lines.
Set history command buffer size | Optional By de...
To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (the ports for the Telnet and SSH services, respectively) are enabled or disabled according to the corresponding configuration.
- If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the a...
To do… | Use the command… | Remarks
Set the history command buffer size | history-command max-size value | Optional The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the VTY user interface | idle-timeout minutes...
# Specify commands of level 2 are available to users logging in through VTY 0.
[device-ui-vty0] user privilege level 2
# Configure Telnet protocol is supported.
[device-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[device-ui-vty0] screen-length...
[device-ui-vty0] authentication-mode password
# Set the local password to 123456 (in plain text).
[device-ui-vty0] set authentication password simple 123456
# Specify commands of level 2 are available to users logging in to VTY 0.
[device-ui-vty0] user privilege level 2
# Configure Telnet protoc...
Refer to AAA Operation and SSH Operation of this manual for information about AAA, RADIUS, and SSH.
Configuration Example
Network requirements
As shown in Figure 3-3, assume a current user logs in using the oap connect slot 0 command and the user level is set to the manage level (level 3). Per...
[device-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[device-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[device-ui-vty0] history-command max-size 20
# Set the timeout time to 6 mi...
Figure 3-7 Launch Telnet
5) If the password authentication mode is specified, enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <System_LSW>) appears if the password is correct. If all VTY user interfaces of t...
1) Perform Telnet-related configuration on the switching engine operating as the Telnet server. For details, refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being...
Setting Up a Web Configuration Environment
Your WX series access controller products were delivered with a factory default configuration. This configuration allows you to log into the built-in Web-based management system of the access controller product from a Web browser on a PC by inputting ht...
Figure 4-1 Web interface of the access controller engine
3) Set up a Web configuration environment, as shown in Figure 4-2.
Figure 4-2 Set up a Web configuration environment
4) Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter ...
Figure 4-5 Banner page displayed when a user logs in to the switching engine through Web
Click Continue to enter user login authentication page. You will enter the main page of the Web-based network management system if the authentication succeeds.
Enabling/Disabling the WEB Server
Follow these ...
5 Logging In from NMS
Introduction
You can also log in to the switching engine from a network management station (NMS), and then configure and manage the switching engine through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent. R...
6 Configuring Source IP Address for Telnet Service Packets
Overview
You can configure source IP address or source interface for the Telnet server and Telnet client. This provides a way to manage services and enhances security. The source IP address specified for Telnet service packets is the IP ...
To do… | Use the command… | Remarks
Specify a source interface for Telnet client | telnet source-interface interface-type interface-number | Optional
When configuring a source IP address for Telnet packets, ensure that:
- The source IP address must be one on the local device.
- The source interface must...
7 User Control
Refer to the ACL part for information about ACL.
Introduction
The switching engine provides ways to control different types of login users, as listed in Table 7-1.
Table 7-1 Ways to control different types of login users
Login mode | Control method | Implementation | Reference
By sourc...
To do… Use the command… Remarks
Enter system view system-view —
Create a basic ACL or enter basic ACL view acl number acl-number [ match-order { config | auto } ] As for the acl number command, the config keyword is specified by default.
Define rules for the ACL rule [ rule-id ] { deny | permit ...
Controlling Telnet Users by Source MAC Addresses
Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Follow these steps to control Telnet users by source MAC addresses:
To do… | Use the command… | Remarks
Enter system view | syst...
Controlling Network Management Users by Source IP Addresses
You can manage the device through network management software. Network management users can access switching engines through SNMP. You need to perform the following two operations to control network management users by source IP address...
You can specify different ACLs while configuring the SNMP community name, SNMP group name, and SNMP user name. As SNMP community name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in the command that configures SNMP community names (the snmp-agent community command) take effect in the n...
Table of Contents
1 Configuration File Management
Introduction to Configuration File...
1 Configuration File Management
The sample output information in this manual was created on the WX3024. The output information on your device may vary.
Introduction to Configuration File
A configuration file records and stores user configurations performed to the device. It also enables users to...
can configure a file to have both main and backup attribute, but only one file of either main or backup attribute is allowed on a device. The following three situations are concerned with the main/backup attributes:
- When saving the current configuration, you can specify the file to be a main o...
- Safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file slower but can retain the original configuration file in the device even if the device reboots or the power fails during the process.
The configuration file to be used for next startup ma...
To do… Use the command… Remarks
Erase the startup configuration file from the storage device reset saved-configuration [ backup | main ] Required Available in user view
You may need to erase the configuration file for one of these reasons:
- After you upgrade software, the old configuration file...
The configuration file must use “.cfg” as its extension name and the startup configuration file must be saved at the root directory of the device.
Displaying and Maintaining Device Configuration
To do… | Use the command… | Remarks
Display the initial configuration file saved in the storage device | di...
Table of Contents
1 VLAN Overview
VLAN Overview...
1 VLAN Overview
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your device may var...
of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation.
Figure 1-1 A VLAN implementation
Advantages of VLANs
Compared with the traditional Ethernet, VLAN enjoys the following advant...
Figure 1-2 Encapsulation format of traditional Ethernet frames (fields: DA&SA, Type, Data)
In Figure 1-2 DA refers to the destination MAC address, SA refers to the source MAC address, and Type refers to the upper layer protocol type of the packet. IEEE 802.1Q protocol defines that a 4-byte VLAN tag is e...
Procedure for the Switch to Judge Packet Protocol
Figure 1-9 Procedure for the switch to judge packet protocol (flow chart: Receive packets; Type(Length) field; Ethernet II encapsulation; Match the type value; Invalid packets that cannot be matched; 802.2/802.3 encapsulation; Control field; Invalid packets that can...
2 VLAN Configuration
VLAN Configuration
Configuration Task List
Complete the following tasks to configure VLAN:
Task | Remarks
Basic VLAN Configuration | Required
Basic VLAN Interface Configuration | Optional
Displaying and Maintaining VLAN | Optional
Basic VLAN Configuration
Follow these steps to make ...
Basic VLAN Interface Configuration
Configuration prerequisites
Before configuring a VLAN interface, create the corresponding VLAN.
Configuration procedure
Follow these steps to make basic VLAN interface configuration:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a VLAN ...
Configuring a Port-Based VLAN
Configuring a Port-Based VLAN
Configuration prerequisites
Create a VLAN before configuring a port-based VLAN.
Configuration procedure
Follow these steps to configure a port-based VLAN:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN view | v...
For the command of configuring a port link type (port link-type) and the command of allowing packets of certain VLANs to pass through a port (port trunk permit), refer to the section of configuring Ethernet ports in the “Port Basic Configuration” part of this document.
Configuring a Protocol...
- Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type and associate the two protocol types with the same port to avoid that ARP packets and IP packets are not assigned to the same VLAN, ...
For the operation of adding a hybrid port to a VLAN in the untagged way (when forwarding a packet, the port removes the VLAN tag of the packet), refer to the section of configuring Ethernet ports in the “Port Basic Configuration” part of this manual.
Displaying and Maintaining Protocol-Based VLA...
Table of Contents
1 Auto Detect Configuration
Introduction to the Auto Detect Function...
1 Auto Detect Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your de...
Auto Detect Configuration
Complete the following tasks to configure auto detect:
Task | Remarks
Auto Detect Basic Configuration | Required
Auto Detect Implementation in Static Routing | Optional
Auto Detect Implementation in VLAN Interface Backup | Optional
Auto Detect Basic Configuration
Follow these s...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface Vlan-interface vlan-id | —
Enable the auto detect function to implement VLAN interface backup | standby detect-group group-number | Required This operation is only needed on the secondary VLAN interfa...
<SwitchC> system-view
# Configure a static route to Switch A.
[SwitchC] ip route-static 192.168.1.1 24 10.1.1.3
Configuration Example for Auto Detect Implementation in VLAN Interface Backup
Network requirements
- As shown in Figure 1-2, make sure the routes between Switch A, Switch B, and...
Table of Contents
1 Voice VLAN Configuration
Voice VLAN Overview...
1 Voice VLAN Configuration
The sample output information in this manual was created on the WX3024. The output information on your device may vary.
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, yo...
3) After the IP phone acquires the IP address assigned by DHCP Server2, the IP phone establishes a connection to the NCP specified by DHCP Server1 and downloads corresponding software. After that, the IP phone can communicate properly.
- An untagged packet carries no VLAN tag.
- A tagged packet ...
Processing mode of untagged packets sent by IP voice devices
- Automatic mode. A WX3000 device automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on. The voice VLAN use...
Table 1-2 Matching relationship between port types and voice traffic types
Port voice VLAN mode | Voice traffic type | Port type | Supported or not
Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN. And the access port permits the traffic of the...
Voice VLAN Configuration
Configuration Prerequisites
- Create the corresponding VLAN before configuring a voice VLAN.
- VLAN 1 (the default VLAN) cannot be configured as a voice VLAN.
Configuring a Voice VLAN to Operate in Automatic Mode
Follow these steps to configure a voice VLAN to operate in...
When the voice VLAN is working normally, if the device restarts, in order to make the established voice connections work normally, the system does not need to be triggered by the voice traffic to add the port in automatic mode to the local devices of the voice VLAN but does so immediately after ...
Displaying and Maintaining Voice VLAN
To do… | Use the command… | Remarks
Display the information about ports on which voice VLAN configuration fails | display voice vlan error-info
Display the voice VLAN configuration status | display voice vlan status
Display the currently valid OUI addresses | display ...
[DeviceA] voice vlan aging 100
# Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”.
[DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Enable the voice VLAN function globally.
[DeviceA] voice vlan 2 enable
# Configure the v...
<DeviceA> system-view
[DeviceA] voice vlan security enable
# Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”.
[DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Create VLAN 2 and configure it as a voice VLAN.
[Devic...
Table of Contents
1 GVRP Configuration
Introduction to GVRP...
1 GVRP Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your device ma...
Figure 1-1 Format of GARP packets (diagram labels: Ethernet Frame, GARP PDU structure, Message str...
GVRP
As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other devices through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices i...
Configuration procedure
Follow these steps to enable GVRP on an Ethernet port:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable GVRP globally | gvrp | Required By default, GVRP is disabled globally.
Enter Ethernet port view | interface interface-type interface-number | —
Enable GVR...
Table 1-2 Relations between the timers
Timer | Lower threshold | Upper threshold
Hold | 10 centiseconds | This upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
Join | This lower threshold i...
GVRP Configuration Example
GVRP Configuration Example
Network requirements
- Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network, thus implementing dynamic VLAN information registration and refresh,...
Table of Contents
1 Basic Port Configuration
Ethernet Port Overview...
1 Basic Port Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your dev...
Link Types of Ethernet Ports
An Ethernet port of the device can operate in one of the following three link types:
- Access: An access port can belong to only one VLAN, and is generally used to connect user PCs.
- Trunk: A trunk port can belong to more than one VLAN. It can receive/send packets f...
Table 1-3 Processing of incoming/outgoing packets
Processing of an incoming packet Port type If the packet does not carry a VLAN tag If the packet carries a VLAN tag Processing of an outgoing packet
Access
- If the VLAN ID is just the default VLAN ID, receive the packet.
- If the VLAN ID is not ...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Enable the Ethernet port | undo shutdown | By default, the port is enabled. Use the shutdown command to disable the port.
Set the description of the Ethernet port | desc...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Set the link type for the port as trunk | port link-type trunk | Required
Set the default VLAN ID for the trunk port | port trunk pvid vlan vlan-id | Optional By default, ...
configuration command once on one port and that configuration will apply to all ports in the port group. This effectively reduces redundant configurations. A port group can be manually created by users. Multiple Ethernet ports can be added to the same port group but one Ethernet port can only ...
To do… | Use the command… | Remarks
Configure the system to run loopback detection on all VLANs for the trunk and hybrid ports | loopback-detection per-vlan enable | Optional By default, the system runs loopback detection only on the default VLAN for the trunk and hybrid ports.
- To enable loopback det...
Enabling the System to Test Connected Cable
You can enable the system to test the cable connected to a specific port. The test result will be returned in five minutes. The system can test these attributes of the cable: Receive and transmit directions (RX and TX), short circuit/open circuit or n...
Displaying and Maintaining Ethernet Ports
To do… Use the command… Remarks
Display port configuration information display interface [ interface-type | interface-type interface-number ]
Display information for a specified port group display port-group group-id
Display port loopback detection stat...
[device] vlan 100
# Configure the default VLAN ID of GigabitEthernet 1/0/1 as 100.
[device-GigabitEthernet1/0/1] port trunk pvid vlan 100
Troubleshooting Ethernet Port Configuration
Symptom: Default VLAN ID configuration failed.
Solution: Take the following steps.
- Use the display interface ...
Table of Contents
1 Link Aggregation Configuration
Overview...
1 Link Aggregation Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on yo...
Operation Key
An operation key of an aggregation port is a configuration combination generated by system depending on the configurations of the port (rate, duplex mode, other basic configuration, and management key) when the port is aggregated.
1) The selected ports in a manual/static aggregatio...
For an aggregation group:
- When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port;
- When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state; if th...
Dynamic LACP Aggregation Group
Introduction to dynamic LACP aggregation group
A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot add/remove ports to/from it. A port can participate in dynamic link aggregation only when it is LACP-enabled. Ports can ...
Changing the system priority of a device may change the preferred device between the two parties, and may further change the states (selected or unselected) of the member ports of dynamic aggregation groups.
Configuring port priority
LACP determines the selected and unselected states of the dyna...
A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while others are unselected ports.
Link Aggregation Configuration
- The commands of link aggregation cannot be configured with the commands of ...
To do… | Use the command… | Remarks
Configure a description for the aggregation group | link-aggregation group agg-id description agg-name | Optional By default, an aggregation group has no description.
Enter Ethernet port view | interface interface-type interface-number | —
Add the Ethernet port to the agg...
To do… | Use the command… | Remarks
Configure a description for the aggregation group | link-aggregation group agg-id description agg-name | Optional By default, an aggregation group has no description.
Enter Ethernet port view | interface interface-type interface-number | —
Add the port to the aggregation ...
Table of Contents
1 Port Isolation Configuration
Port Isolation Overview...
1 Port Isolation Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your...
- When a member port of an aggregation group is added to an isolation group, the other ports in the same aggregation group are added to the isolation group automatically.
- When a member port of an aggregation group is deleted from an isolation group, the other ports in the same aggregation grou...
Table of Contents
1 Port Security Configuration
Port Security Overview...
1 Port Security Configuration
- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your ...
Port Security Modes
Table 1-1 describes the available port security modes.
Table 1-1 Description of port security modes
Security mode | Description | Feature
noRestriction | Port security is disabled on the port and access to the port is not restricted. | In this mode, neither the NTK nor the intrusion ...
Port Security Configuration
Complete the following tasks to configure port security:
Task | Remarks
Enabling Port Security | Required
Setting the Maximum Number of MAC Addresses Allowed on a Port | Optional
Setting the Port Security Mode | Required
Configuring the NTK feature
Configuring intrusion prote...
To do… Use the command… Remarks
Enter Ethernet port view interface interface-type interface-number —
Set the port security mode port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secu...
The security MAC addresses manually configured are written to the configuration file; they will not get lost when the port is up or down. As long as the configuration file is saved, the security MAC addresses can be restored after the device reboots.
Configuration prerequisites
- Port security i...
- To ensure that Host can access the network, add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
- After the number of security MAC addresses reaches 80, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion p...
2-1 2 Port Binding Configuration Port Binding Overview Introduction Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port. After the binding, the switch forwards only the packets received on the port whose MAC address and IP address are id...
2-2 Port Binding Configuration Example Network requirements As shown in Figure 2-1, the MAC and IP addresses of Host 1 must be bound to GigabitEthernet 1/0/1 on switch A, so as to prevent malicious users from using the IP address they steal from Host 1 to access the network. Figure 2-1 Net...
i Table of Contents 1 DLDP Configuration 1-1 DLDP Overview...
1-1 1 DLDP Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device ma...
1-2 Figure 1-2 Fiber correct connection/disconnection in one direction (figure labels: GE1/0/10, SwitchA, GE1/0/11, GE1/0/10, SwitchB, GE1/0/11, PC) DLDP provides the following features: • As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device. While the auto-n...
1-3 Status Description Probe DLDP sends packets to check if it is a unidirectional link. It enables the probe sending timer and an echo waiting timer for each target neighbor. Disable DLDP detects a unidirectional link, or finds (in enhanced mode) that a neighbor disappears. In this case, DLDP does ...
1-6 DLDP neighbor state A DLDP neighbor can be in one of these two states: two way and unknown. You can check the state of a DLDP neighbor by using the display dldp command. Table 1-7 Description on the two DLDP neighbor states DLDP neighbor state Description two way The link to the neighbor operate...
1-7 To do… Use the command… Remarks Set the delaydown timer dldp delaydown-timer delaydown-time Optional By default, the delaydown timer expires 1 second after it is triggered. Set the DLDP handling mode when a unidirectional link is detected dldp unidirectional-shutdown { auto | manual } Optional....
1-8 To do… Use the command… Remarks Enter system view system-view Reset the DLDP status of the system dldp reset Enter Ethernet port view interface interface-type interface-number Reset the DLDP status of a port dldp reset Optional This command only applies to the ports in DLDP down status. DLDP Net...
i Table of Contents 1 MAC Address Table Management 1-1 Overview...
1-1 1 MAC Address Table Management • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your...
1-3 Figure 1-4 MAC address learning diagram (3) (figure labels: Geth 1/0/1, Geth 1/0/3, Geth 1/0/4, User A, User B, User C) 4) At this time, the MAC address table of the device includes two forwarding entries shown in Figure 1-5. When forwarding the response packet, the device unicasts the packet instead of broadcasting...
1-4 Aging timer only takes effect on dynamic MAC address entries. Entries in a MAC address table Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods: • Static MAC address entry: Also known as permanent MAC address entry. This...
1-5 Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove specific type of MAC address entries (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet...
1-6 Setting the Aging Time of MAC Address Entries Setting the aging time properly makes MAC address aging effective. An aging time that is too long or too short affects the performance of the device. • If the aging time is too long, excessive invalid MAC address entries maintained by the...
1-7 To do… Use the command… Remarks Set the maximum number of MAC addresses the port can learn mac-address max-mac-count count Required By default, the number of the MAC addresses a port can learn is not limited. Specifying the maximum number of MAC addresses a port can learn disables centralized MA...
1-8 Displaying and Maintaining MAC Address Table To do… Use the command… Remarks Display information about the MAC address table display mac-address [ display-option ] Display the aging time of the dynamic MAC address entries in the MAC address table display mac-address aging-time The display comman...
i Table of Contents 1 MSTP Configuration 1-1 STP Overview...
1-1 1 MSTP Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device ma...
1-3 4) Path cost Path cost is a value used for measuring link capacity. By comparing the path costs of different links, STP selects the most robust links and blocks the other links to prune the network into a tree. How STP works STP identifies the network topology by transmitting configuration BPDUs...
1-6 Table 1-5 Comparison process and result on each device Device Comparison process BPDU of port after comparison Device A • Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the configurat...
1-9 For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated...
1-10 • MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance mapping table. MSTP introduces “instance” (integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization. • MSTP divides a swit...
1-12 • A region edge port is located on the edge of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. • An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or...
1-13 • Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets. • Learning state. Ports in this state can receive/send BPDU packets. • Discarding state. Ports in this state can only receive BPDU packets. Port roles and port states are not mutually dependent. Tabl...
1-14 For MSTP, CIST configuration information is generally expressed as follows: (Root bridge ID, External path cost, Master bridge ID, Internal path cost, Designated bridge ID, ID of sending port, ID of receiving port), and is compared as follows: • The smaller the Root bridge ID of the configuratio...
1-15 • BPDU guard • Loop guard • TC-BPDU attack guard • BPDU packet drop STP-related Standards STP-related standards include the following. • IEEE 802.1D: spanning tree protocol • IEEE 802.1w: rapid spanning tree protocol • IEEE 802.1s: multiple spanning tree protocol Configuring Root Bridge Complet...
1-17 Configuring MST region-related parameters (especially the VLAN mapping table) results in spanning tree recalculation and network topology jitter. To reduce network topology jitter caused by the configuration, MSTP does not recalculate spanning trees immediately after the configuration; it does ...
1-19 • You can configure a device as the root bridge of multiple spanning tree instances, but you cannot configure two or more root bridges for one spanning tree instance. So, do not configure root bridges for the same spanning tree instance on two or more devices using the stp root primary command...
1-20 Configuration example # Set the bridge priority of the current device to 4,096 in spanning tree instance 1. <device> system-view [device] stp instance 1 priority 4096 Configuring the Mode a Port Recognizes and Sends MSTP Packets A port can be configured to recognize and send MSTP packets ...
1-21 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure the mode a port recognizes and sends MSTP packets stp compliance { auto | dot1s | legacy } Required By default, a port recognizes and sends MSTP packets...
1-22 Configuration example # Specify the MSTP operation mode as STP-compatible. <device> system-view [device] stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum...
1-23 To do… Use the command… Remarks Enter system view system-view — Configure the network diameter of the switched network stp bridge-diameter bridgenumber Required The default network diameter of a network is 7. The network diameter parameter indicates the size of a network. The bigger the network...
1-24 • The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A too small forward delay parameter may result in temporary redundant paths. And a too large forward delay parameter may cause a network unable to resu...
1-25 Configuration procedure Follow these steps to configure the timeout time factor: To do… Use the command… Remarks Enter system view system-view — Configure the timeout time factor for the device stp timer-factor number Required The timeout time factor defaults to 3. For a steady network, the tim...
1-26 Configuration example # Set the maximum transmitting speed of GigabitEthernet 1/0/1 to 15. 1) Configure the maximum transmitting speed in system view <device> system-view [device] stp interface GigabitEthernet1/0/1 transmit-limit 15 2) Configure the maximum transmitting speed in Ethernet ...
1-28 To do… Use the command… Remarks Specify whether the link connected to a port is a point-to-point link stp point-to-point { force-true | force-false | auto } Required The auto keyword is adopted by default. • Among aggregated ports, you can only configure the links of master ports as point-to-po...
1-29 To do… Use the command… Remarks Enter system view system-view — Enable MSTP stp enable Required MSTP is disabled by default. Enter Ethernet port view interface interface-type interface-number — Disable MSTP on the port stp disable Optional By default, MSTP is enabled on all ports after you enab...
1-31 Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled device, the path cost may be different in different spanning tree instances. You can enable flows of different VLANs to travel along different physical...
1-32 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000/ link t...
1-33 [device] stp pathcost-standard dot1d-1998 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] undo stp instance 1 cost [device-GigabitEthernet1/0/1] quit [device] stp pathcost-standard dot1d-1998 Co...
1-34 [device] stp interface GigabitEthernet1/0/1 instance 1 port priority 16 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] stp instance 1 port priority 16 Specifying Whether the Link Connected to a...
1-35 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Perform the mCheck operation stp mcheck Required Configuration Example # Perform the mCheck operation on GigabitEthernet 1/0/1. 1) Perform this configuration in s...
1-36 Loop guard A device maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream device. These BPDUs may get lost because of network congestions or unidirectional link failures. If a device does not receive BPDUs from the upstream device for ...
1-37 Configuration Prerequisites MSTP runs normally on the device. Configuring BPDU Guard Configuration procedure Follow these steps to configure BPDU guard: To do… Use the command… Remarks Enter system view system-view — Enable the BPDU guard function stp bpdu-protection Required The BPDU guard fun...
1-38 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] stp root-protection Configuring Loop Guard Configuration procedure Follow these steps to configure loop guard: To do… Use the command… Remarks Ent...
1-39 # Set the maximum number of times the device can remove the MAC address table within 10 seconds to 5. <device> system-view [device] stp tc-protection threshold 5 Configuring BPDU Dropping Follow these steps to configure BPDU dropping: To do… Use the command… Remarks Enter system view system-view...
1-41 • When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. • The digest snooping feature is needed only wh...
1-44 • The rapid transition feature can be enabled on only root ports or alternate ports. • If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN Tunnel function enables STP packets to b...
1-45 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel function. Enable the VLAN VPN function for the Ethernet port vlan-vpn enable Required B...
1-46 [device] stp portlog all Enabling Trap Messages Conforming to 802.1d Standard The device sends trap messages conforming to 802.1d standard to the network management device in the following two cases: • The device becomes the root bridge of an instance. • Network topology changes are detected. C...
1-47 MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different spanning tree instances. The detailed configurations are as follows: • All switches in the network belong to the same MST regio...
1-49 VLAN-VPN tunnel Configuration Example Network requirements As shown in Figure 1-11: • The WX3000 series devices operate as the access devices of the operator’s network, that is, Switch C and Switch D in the network diagram. • Devices of other series operate as the access devices of the user’s ...
i Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x...
1-1 1 802.1x Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It ...
1-3 The Mechanism of an 802.1x Authentication System IEEE 802.1x authentication uses the extensible authentication protocol (EAP) to exchange information between supplicant systems and the authentication servers. To be compatible with 802.1X in a LAN environment, the client program must support the ...
1-4 03: Indicates that the packet is an EAPoL-key packet, which carries key information. 04: Indicates that the packet is an EAPoL-encapsulated-ASF-Alert packet, which is used to support the alerting messages of ASF (alerting standards forum). z The Length field indicates the size of the Packet body...
1-5 Fields added for EAP authentication Two fields, EAP-message and Message-authenticator, are added to a RADIUS protocol packet for EAP authentication. (Refer to the Introduction to RADIUS protocol section in the AAA Operation Manual for information about the format of a RADIUS protocol packet.) Th...
1-7 password using a randomly-generated key, and sends the key to the device through a RADIUS access-challenge packet. The device then sends the key to the iNode client. • Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the device, the client program encrypts the p...
1-8 Figure 1-9 802.1x authentication procedure (in EAP terminating mode) (figure labels: Supplicant system PAE, Authenticator system PAE, RADIUS server, EAPOL, RADIUS, EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Success, EAP-Response/MD5 Challenge, RADIUS Access-Request...)
1-9 • RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the device sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out. •...
1-10 This function requires the cooperation of an iNode client and an iMC server. • The iNode client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. • The iMC server is configured to disable the use of multiple network adapters, proxies, or IE proxies. By default, an iNode...
1-11 Refer to AAA Operation Manual for detailed information about the dynamic VLAN delivery function. Enabling 802.1x re-authentication 802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have passed authentication. With 802.1x re-authentication enabled, th...
1-12 Figure 1-11 802.1x configuration (figure labels: 802.1x configuration, ISP domain configuration, AAA scheme, Local authentication, RADIUS scheme) • An 802.1x user uses the domain name to associate with the ISP domain configu...
1-14 • 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. • If you enable 802.1x for a port, you cannot set the maximum number of MAC addresses that can be learnt for the port. Meanwhile, if you set the maximum number of MAC addresses that can be le...
1-15 To do… Use the command… Remarks Set 802.1x timers dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value } Optional The settings of...
1-16 To do… Use the command… Remarks In system view dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] interface interface-type interface-number dot1x supp-proxy-check { logoff | trap } Enable proxy checking for a port/specified ports In port view quit Required By default, the 802...
1-18 Configuring 802.1x Re-Authentication Follow these steps to enable 802.1x re-authentication: To do… Use the command… Remarks Enter system view system-view — Enable 802.1x globally dot1x Required By default, 802.1x is disabled globally. In system view dot1x [ interface interface-list ] Enable 802...
1-19 Follow these steps to configure the re-authentication interval: To do… Use the command… Remarks Enter system view system-view — Configure a re-authentication interval dot1x timer reauth-period reauth-period-value Optional By default, the re-authentication interval is 3,600 seconds. Displaying a...
2-1 2 Quick EAD Deployment Configuration Introduction to Quick EAD Deployment Quick EAD Deployment Overview As an integrated solution, an endpoint admission defense (EAD) solution can improve the overall defense power of a network. In real applications, however, deploying EAD clients proves to be ti...
2-2 Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do… Use the command… Remarks Enter system view system-view — Configure the URL for HTTP redirection d...
2-3 Follow these steps to configure the ACL timer: To do… Use the command… Remarks Enter system view system-view — Set the ACL timer dot1x timer acl-timeout acl-timeout-value Required By default, the ACL timeout period is 30 minutes. Displaying and Maintaining Quick EAD Deployment To do… Use the com...
2-4 Configuration procedure Before enabling quick EAD deployment, make sure that: • The Web server is configured properly. • The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs. # ...
3-1 3 System-Guard Configuration System-Guard Overview To implement system guard for the CPU, you must first determine whether the CPU is under attack. You should not judge this solely by whether congestion occurs in a queue. Instead, you must do that in the...
3-2 Displaying and Maintaining System-Guard To do… Use the command… Remarks Display the record of detected attacks display system-guard attack-record Available in any view Display the state of the system-guard feature display system-guard state Available in any view
i Table of Contents 1 AAA Overview 1-1 Introduction to AAA...
ii Troubleshooting AAA 2-30 Troubleshooting RADIUS Configuration 2-30 Troubleshooting HW...
1-1 1 AAA Overview The sample output information in this manual was created on the WX3024. The output information on your device may vary. Introduction to AAA AAA is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to...
1-2 • Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device. • RADIUS authorization: Users are authorized after they pass RADIUS authentication. In RADIUS protocol, authentication and authorization are combined together, and ...
1-3 • The RADIUS server receives user connection requests, authenticates users, and returns all required information to the device. Generally, a RADIUS server maintains the following three databases (see Figure 1-1): • Users: This database stores information about users (such as user name, password...
1-4 2) The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server. 3) The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADI...
1-6 Type field value Attribute type Type field value Attribute type 8 Framed-IP-Address 30 Called-Station-Id 9 Framed-IP-Netmask 31 Calling-Station-Id 10 Framed-Routing 32 NAS-Identifier 11 Filter-ID 33 Proxy-State 12 Framed-MTU 34 Login-LAT-Service 13 Framed-Compression 35 Login-LAT-Node 14 Login-I...
1-7 Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS. Table 1-3 Differences between HWTACACS and RADIUS HWTACACS RADIUS Adopts TCP, providing mor...
2-1 2 AAA Configuration AAA Configuration Task List Configuration Introduction You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure a combin...
2-2 Task Remarks Creating an ISP Domain and Configuring Its Attributes Required Configuring separate AAA schemes Required Configuring an AAA Scheme for an ISP Domain Required • With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. • You need to...
2-3 To do… Use the command… Remarks Set the accounting-optional switch accounting optional Optional By default, the accounting-optional switch is off. Set the messenger function messenger time { enable limit interval | disable } Optional By default, the messenger function is disabled. Set the self-s...
2-4 this way, you cannot specify different schemes for authentication, authorization and accounting respectively. Follow these steps to configure a combined AAA scheme: To do… Use the command… Remarks Enter system view system-view — Create an ISP domain and enter its view, or enter the view of an ex...
2-5 You can use an arbitrary combination of the above implementations for your AAA scheme configuration. 2) For FTP users Only authentication is supported for FTP users. Authentication: RADIUS, local, or HWTACACS. Follow these steps to configure separate AAA schemes: To do… Use the command… Remarks ...
2-6 upon receiving an integer ID assigned by the RADIUS authentication server, the device adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the device first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN. • S...
2-8 • The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. • After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display ...
2-10 secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authenticatio...
2-11 To do… Use the command… Remarks Enter system view system-view — Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme named "system" has already been created in the system. Set the IP address and port number of the primary RADIUS...
2-12 To do… Use the command… Remarks Set the IP address and port number of the secondary RADIUS accounting server secondary accounting ip-address [ port-number ] Optional By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS...
2-13 received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key. Follow these steps to configure shared keys for RADIUS messages: To do… Use the command… Remarks Enter system view system-vie...
2-14 To do… Use the command… Remarks Enter system view system-view — Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme named "system" has already been created in the system. Configure the type of RADIUS servers to be supported ser...
2-15 To do… Use the command… Remarks Set the status of the primary RADIUS authentication/authorization server state primary authentication { block | active } Set the status of the primary RADIUS accounting server state primary accounting { block | active } Set the status of the secondary RADIUS auth...
2-16 • Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the user nam...
2-17 • If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this device. • The message ...
2-18 To do… Use the command… Remarks Set the response timeout time of RADIUS servers timer response-timeout seconds Optional By default, the response timeout time of RADIUS servers is three seconds. Set the time that the device waits before it tries to re-communicate with the primary server and restore th...
2-19 online when the user re-logs into the switching engine before the iMC performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the iMC administrator manually removes the user's online information. The user re-authentica...
2-20 Task Remarks Creating a HWTACACS Scheme Required Configuring TACACS Authentication Servers Required Configuring TACACS Authorization Servers Required Configuring TACACS Accounting Servers Optional Configuring Shared Keys for RADIUS Messages Optional Configuring the Attributes of Data to be Sent...
2-21 To do… Use the command… Remarks Set the IP address and port number of the primary TACACS authentication server primary authentication ip-address [ port ] Required By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0. Set the IP address and port nu...
2-22 • You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. • You can remove a server only when it is not used by any active TCP connection for sending authorization messages. C...
2-23 The TACACS client and server adopt MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messages received from each other by using the shared keys that have been set on them, and can accept and respond ...
2-24 Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name. If the TACACS server does not accept the user names that carry ISP domain names, it is necessary to remove domain names from u...
2-25 Displaying and Maintaining AAA
Displaying and maintaining AAA information
To do… Display configuration information about one specific or all ISP domains
Use the command… display domain [ isp-name ]
To do… Display information about user connections
Use the command… display connection [ access-type { dot1x | mac...
2-26 Displaying and maintaining HWTACACS protocol information
To do… Display the configuration or statistic information about one specific or all HWTACACS schemes
Use the command… display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
To do… Display buffered non-response stop-accounting requests ...
2-28 Local Authentication of FTP/Telnet Users
The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text takes only Telnet users as an example to describe the configuration procedure for local authentication.
Network requirements
In the net...
2-29
• Change the server IP address and the UDP port number of the authentication server to 127.0.0.1 and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users.
• Enable the local RADIUS server function, set the IP addres...
2-30 Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the device and the RADIUS server of the ISP exchange user information with each other. Symptom 1 : User authentication/author...
3-1 3 EAD Configuration
Introduction to EAD
Endpoint admission defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting t...
3-2 After the client is patched and compliant with the required security standard, the security policy server reissues an ACL to the device, which then assigns access rights to the client so that the client can access more network resources.
EAD Configuration
The EAD configuration includes:
• Configu...
i Table of Contents
1 MAC Authentication Configuration 1-1
MAC Authentication Overview ...
1-1 1 MAC Authentication Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. MAC Authentication Overview MAC authentication provides a way for authenticating users based on ports and MAC addresses, without requiring an...
1-2 included depending on the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail.
• If the username type is fixed username, you need to configure the fixed username and password on the device, which are used by ...
1-4 MAC Address Authentication Enhanced Function Configuration
MAC Address Authentication Enhanced Function Configuration Tasks
Complete the following tasks to configure MAC address authentication enhanced function:
Task | Remarks
Configuring a Guest VLAN | Optional
Configuring the Maximum Number of MAC...
1-7
• If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allow...
i Table of Contents
1 IP Addressing Configuration 1-1
IP Addressing Overview ...
1-1
• The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series.
• The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1 IP Addressing Configuration
IP...
1-2 Table 1-1 IP address classes and ranges
Class | Address range | Remarks
A | 0.0.0.0 to 127.255.255.255 | Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address. Addresses startin...
1-3 adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host. In the absence of subnetting, some special addresses such as the addresses with the net ID of all zeros...
1-4
• You can assign at most two IP addresses to an interface, of which one is the primary IP address and the other is a secondary IP address. A newly specified primary IP address overwrites the previous one, if any.
• The primary and secondary IP addresses of an interface cannot reside on th...
1-5 IP Address Configuration Example II Network requirements As shown in Figure 1-4 , VLAN-interface 1 on Switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through Switch, an...
2-1 2 IP Performance Configuration
IP Performance Overview
Introduction to IP Performance Configuration
In some network environments, you need to adjust the IP parameters to achieve best network performance. The IP performance configuration supported by the device includes:
• Configuring TCP attribu...
2-2
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Configure TCP synwait timer’s timeout value
Use the command… tcp timer syn-timeout time-value
Remarks: Optional. By default, the timeout value is 75 seconds.
To do… Configure TCP finwait timer’s timeout value
Use the command… tcp timer fin-timeout time-value
Remarks: Optional. By default, the...
2-3 Displaying and Maintaining IP Performance Configuration
To do… Display TCP connection status
Use the command… display tcp status
To do… Display TCP connection statistics
Use the command… display tcp statistics
To do… Display UDP traffic statistics
Use the command… display udp statistics
To do… Display IP traffic statistics
Use the command… display ip statist...
i Table of Contents
1 DHCP Overview 1-1
Introduction to DHCP ...
1-1
• The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of the WX3000 series.
• The sample output information in this manual was created on the WX3024. The output information on your device may vary.
1 DHCP Overview
Introduction to ...
1-2
• Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server. Then the DHCP server assigns these fixed IP addresses to the clients.
• Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be...
1-3 Updating IP Address Lease
After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address remains valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it mu...
1-4
• siaddr: IP address of the DHCP server.
• giaddr: IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet.
• chaddr: Hardware address of the DHCP client.
• sname: Name of the DHCP server.
• file: Path and name of the boot configuration file that the...
2-1 2 DHCP Relay Agent Configuration
When configuring the DHCP relay agent, go to these sections for information you are interested in:
• Introduction to DHCP Relay Agent
• Configuring the DHCP Relay Agent
• Displaying and Maintaining DHCP Relay Agent Configuration
• DHCP Relay Agent Configuration E...
2-2 Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding...
2-3 Figure 2-2 Padding contents for sub-option 1 of Option 82 Figure 2-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for th...
2-4 Configuring the DHCP Relay Agent
If a device belongs to an IRF fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent.
DHCP Relay Agent Configuration Task List
Complete the following tasks to configure the DHCP relay agent:
Task | Remarks
Correlating a...
2-5 To improve security and avoid malicious attacks on unused sockets, the device provides the following functions:
• UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled.
• UDP 67 and UDP 68 ports are disabled when DHCP is disabled.
The corresponding implementation is as fo...
2-6
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Create a static IP-to-MAC binding
Use the command… dhcp-security static ip-address mac-address
Remarks: Optional. Not created by default.
To do… Enter interface view
Use the command… interface interface-type interface-number
Remarks: —
To do… Enable the address checking function
Use the command… address-check ena...
2-7
To do… Set the interval at which the DHCP relay agent dynamically updates the client address entries
Use the command… dhcp-security tracker { interval | auto }
Remarks: Optional. By default, auto is adopted, that is, the interval is automatically calculated.
Enabling unauthorized DHCP server detec...
2-8
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Enable Option 82 support on the DHCP relay agent
Use the command… dhcp relay information enable
Remarks: Required. Disabled by default.
To do… Configure the strategy for the DHCP relay agent to process request packets containing Option 82
Use the command… dhcp relay information stra...
2-9 Figure 2-4 Network diagram for DHCP relay agent
Configuration procedure
# Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.
<SwitchA> system-view
[SwitchA] dhcp-server 1 ip 10.1.1.1
# Map VLAN-interface 1 to DHCP server group 1.
[SwitchA] interface vlan-interface 1...
3-1 3 DHCP Snooping Configuration After DHCP snooping is enabled on a device, clients connected with the device cannot obtain IP addresses dynamically through BOOTP. DHCP Snooping Overview Function of DHCP Snooping For security, the IP addresses used by online DHCP clients need to be tracked for the...
3-2 Figure 3-1 Typical network diagram for DHCP snooping application
[Figure labels: DHCP clients; Switch A (DHCP Snooping); Switch B (DHCP Relay); Internet; GE 1/0/2; GE1/0/1; DHCP Server]
DHCP snooping listens for the following two types of packets to retrieve the IP addresses the DHCP cli...
3-3 contents). That is, the circuit ID or remote ID sub-option defines the type and length of a circuit ID or remote ID. The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to “0” in the case of HEX format and to “1” in the case of ASCII ...
3-4 Table 3-1 Ways of handling a DHCP packet with Option 82 Handling policy Sub-option configuration The DHCP snooping device will… Drop — Drop the packet. Keep — Forward the packet without changing Option 82. Neither of the two sub-options is configured Forward the packet after replacing the origin...
3-5
• The resources on the server are exhausted, so the server does not respond to other requests.
• After receiving such type of packets, a device needs to send them to the CPU for processing. Too many request packets cause high CPU usage rate. As a result, the CPU cannot work normally.
The device ...
3-6
To do… Specify the current port as a trusted port
Use the command… dhcp-snooping trust
Remarks: Required. By default, after DHCP snooping is enabled, all ports of a device are untrusted ports.
• You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP client...
3-8 The dhcp-snooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the format of the sub-option is ASCII, instead of the one specified with the dhcp-snooping information format command. Configure...
3-9
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Configure the remote ID sub-option in system view
Use the command… dhcp-snooping information remote-id { sysname | string string }
Remarks: Optional. By default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the DHCP cl...
3-10
To do… Enable IP filtering
Use the command… ip check source ip-address [ mac-address ]
Remarks: Required. By default, this function is disabled.
To do… Create an IP static binding entry
Use the command… ip source static binding ip-address ip-address [ mac-address mac-address ]
Remarks: Optional. By default, no static binding entr...
3-11 Configuration procedure
# Enable DHCP snooping on Switch.
<Switch> system-view
[Switch] dhcp-snooping
# Specify GigabitEthernet 1/0/5 as the trusted port.
[Switch] interface gigabitethernet 1/0/5
[Switch-GigabitEthernet1/0/5] dhcp-snooping trust
[Switch-GigabitEthernet1/0/5] quit
# Enable...
3-13 Displaying and Maintaining DHCP Snooping Configuration
To do… Display the user IP-MAC address mapping entries recorded by the DHCP snooping function
Use the command… display dhcp-snooping [ unit unit-id ]
To do… Display the (enabled/disabled) state of the DHCP snooping function and the trusted...
4-1 4 DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management. Refer to Obtaining IP Addresse...
4-2
To do… Configure the VLAN interface to obtain IP address through DHCP or BOOTP
Use the command… ip address { bootp-alloc | dhcp-alloc }
Remarks: Required. By default, no IP address is configured for the VLAN interface.
Currently, the device operating as a DHCP client can use an IP address for no m...
4-3 Displaying and Maintaining DHCP/BOOTP Client Configuration
To do… Display related information on a DHCP client
Use the command… display dhcp client [ verbose ]
To do… Display related information on a BOOTP client
Use the command… display bootp client [ interface vlan-interface vlan-id ]
Remarks: Available in any view
i Table of Contents
1 ACL Configuration 1-1
ACL Overview ...
1-1 1 ACL Configuration
• The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000.
• The sample output information in this manual was created on the WX3024. The output information on your device may vary.
ACL Overview
As the ne...
1-2
• auto: where rules in an ACL are matched in the order determined by the system, namely the “depth-first” rule.
For depth-first rule, there are two cases:
Depth-first match order for rules of a basic ACL
1) Range of source IP address: The smaller the source IP address range (that is, the more t...
1-3 When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and define the match order.
An ACL can be referenced by upper-layer software:
• Referenced b...
1-5 Configuring Basic ACL
A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999.
Configuration Prerequisites
• To configure a time range-based basic ACL rule, you need to create the corresponding time range first. For information about time ran...
1-6
rule 0 deny source 192.168.0.1 0
Configuring Advanced ACL
An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message type and message code. An advanced ACL...
1-7
• If the ACL is created with the auto keyword specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unaltered.
Configuration Example
# Configure ACL 3000 to permit the TCP packets sourced from the network 129....
1-8 Note that:
• You can modify any existing rule of the Layer 2 ACL and the unmodified part of the ACL remains.
• If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, it is the maxi...
1-9
• ACLs assigned globally take precedence over those that are assigned to VLANs. That is, when a packet matches a rule of a globally assigned ACL and a rule of an ACL assigned to a VLAN, the device will perform the action defined in the rule of the globally assigned ACL if the actions defined in ...
1-10
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Apply an ACL to a VLAN
Use the command… packet-filter vlan vlan-id inbound acl-rule
Remarks: Required. For description on the acl-rule argument, refer to ACL Command.
Configuration example
# Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10...
1-11 Assigning an ACL to a Port
Configuration prerequisites
Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL.
Configuration procedure
Follow these step...
1-12 Examples for Upper-layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements As shown in Figure 1-1 , apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switching engine. Figure 1-1 Network diagram for con...
1-13 Configuration procedure
# Define ACL 2001.
<device> system-view
[device] acl number 2001
[device-acl-basic-2001] rule 1 permit source 10.110.100.46 0
[device-acl-basic-2001] quit
# Reference ACL 2001 to control users logging in to the Web server.
[device] ip http acl 2001
Examples for App...
1-14 GigabitEthernet 1/0/1 of Switch. Apply an ACL to deny requests from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).
Figure 1-4 Network diagram for advanced ACL configuration
[Figure labels: GEth 1/0/1; The R&D Department; Switch; To the router; Wage query se...]
1-15
<device> system-view
[device] time-range test 8:00 to 18:00 daily
# Define ACL 4000 to filter packets with the source MAC address of 000f-e20f-0101 and the destination MAC address of 000f-e20f-0303.
[device] acl number 4000
[device-acl-ethernetframe-4000] rule 1 deny source 000f-e20f-0101...
i Table of Contents
1 QoS Configuration 1-1
Overview ...
1-1 1 QoS Configuration
• The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series.
• The sample output information in this manual was created on the WX3024. The output information on your device may vary.
Overview
Intr...
1-2 Video-on-Demand (VoD). Enterprise users expect to connect their regional branches together using VPN techniques for coping with daily business, for instance, accessing databases or managing remote equipment through Telnet. All these new applications have one thing in common, that is, they have sp...
1-3 information carried in packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number. It can also b...
1-5 As shown in the figure above, each host supporting 802.1Q protocol adds a 4-byte 802.1Q tag header after the source address of the former Ethernet frame header when sending packets. The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0...
1-6 The device does not support marking drop precedence for packets. A device can operate in one of the following two priority trust modes when assigning precedence to received packets:
• Packet priority trusted mode
• Port priority trusted mode
In terms of priority trust mode, the priority mapping ...
1-8 Protocol Priority Protocol packets carry their own priority. You can modify the priority of a protocol packet to implement QoS. Priority Marking The priority marking function is to use ACL rules in traffic classification and reassign the priority for the packets matching the ACL rules. Traffic P...
1-10 Figure 1-6 Diagram for traffic shaping
[Figure labels: Token bucket; Drop; Packet classification; Packets to be sent through this port; Continue to send; Put tokens in the bucket at the set rate; Queue]
For example, if device A sends packets to device B, device B will perform traffic policing on packets ...
1-13 Table 1-7 Queue-scheduling sequence of SDWRR
Scheduling algorithm | Queue-scheduling sequence
WRR | 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1
SDWRR | 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0
Description: 0 indicates packets in queue0; 1 indicates packets in queue1
Flow-based Traffic Accounti...
1-14
Task | Remarks
Enabling the Burst Function | Optional
Configuring Traffic Mirroring | Optional
Configuring Priority Trust Mode
Refer to Priority Trust Mode for introduction to priority trust mode.
Configuration prerequisites
• The priority trust mode to be adopted is determined.
• The port where prio...
1-15 Configuration example
• Configure to trust port priority on GigabitEthernet 1/0/1 and set the priority of GigabitEthernet 1/0/1 to 7.
Configuration procedure:
<device> system-view
[device] interface GigabitEthernet1/0/1
[device-GigabitEthernet1/0/1] priority 7
• Configure to trust 802.1p ...
1-18 37 : 7 38 : 7 39 : 7 40 : 0 41 : 0 42 : 0 43 : 0 44 : 0 45 : 0 46 : 0 47 : 0 48 : 5 49 : 5 50 : 5 51 : 5 52 : 5 53 : 5 54 : 5 55 : 5 56 : 6 57 : 6 58 : 6 59 : 6 60 : 6 61 : 6 62 : 6 63 : 6 Setting the Priority of Protocol Packets Refer to Protocol Priority for information about priority of prot...
1-19 Configuration example
• Set the IP precedence of ICMP packets to 3.
• Display the configuration.
Configuration procedure:
<device> system-view
[device] protocol-priority protocol-type icmp ip-precedence 3
[device] display protocol-priority
Protocol: icmp
IP-Precedence: flash(3)
Marking Pa...
1-20 Follow these steps to mark the priority for packets that are of a port group and match specific ACL rules:
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Enter port group view
Use the command… port-group group-id
Remarks: —
To do… Mark the priorities for packets matching specific ACL rules
Use the command… traffic-priority inb...
1-22
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Enter Ethernet port view
Use the command… interface interface-type interface-number
Remarks: —
To do… Configure traffic policing
Use the command… traffic-limit inbound acl-rule target-rate [ conform con-action ] [ exceed exceed-action ] [ meter-statistic ]
Remarks: Required. By default, tra...
1-23 Configuration procedure
Follow these steps to configure traffic shaping:
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Enter Ethernet port view
Use the command… interface interface-type interface-number
Remarks: —
To do… Configure traffic shaping
Use the command… traffic-shape [ queue queue-id ] max-rate burst-size
Remarks: Required. T...
1-25
[device-acl-basic-2000] quit
[device] interface GigabitEthernet1/0/1
[device-GigabitEthernet1/0/1] traffic-redirect inbound ip-group 2000 interface GigabitEthernet1/0/7
2) Method II
<device> system-view
[device] acl number 2000
[device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255...
1-27 Configuration example
# Configure a device to adopt SP+SDWRR combination for queue scheduling, assigning queue 3, queue 4, and queue 5 to WRR scheduling group 1, with the weight of 20, 20 and 30; assigning queue 0, queue 1, and queue 2 to WRR scheduling group 2, with the weight 20, 20, and 40; u...
1-29
[device] acl number 2000
[device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
[device-acl-basic-2000] quit
[device] interface GigabitEthernet1/0/1
[device-GigabitEthernet1/0/1] traffic-statistic inbound ip-group 2000
[device-GigabitEthernet1/0/1] reset traffic-statistic inbound ip-grou...
1-32
[device] mirrored-to vlan 2 inbound ip-group 2000 monitor-interface
Displaying and Maintaining QoS
To do… Display the protocol packet priority configuration
Use the command… display protocol-priority
To do… Display the COS-precedence-to-Drop-precedence mapping relationship
Use the command… display qos cos-drop...
1-33
To do… Display VLAN mapping configuration of a port or all the ports
Use the command… display qos-interface { interface-type interface-number | unit-id } traffic-remark-vlanid
To do… Display traffic mirroring configuration of a port or all the ports
Use the command… display qos-interface { interface-type inter...
2-1 2 QoS Profile Configuration Overview Introduction to QoS Profile QoS profile is a set of QoS configurations. It provides an easy way for performing and managing QoS configuration. A QoS profile can contain one or multiple QoS functions. In networks where hosts change their positions frequently, ...
2-2 QoS Profile Configuration
QoS Profile Configuration Task List
Complete the following tasks to configure a QoS profile:
Task | Remarks
Configuring a QoS Profile | Required
Applying a QoS Profile | Optional
Applying a QoS Profile | Optional
Configuring a QoS Profile
Configuration prerequisites
• The ACL r...
2-3 Configuration procedure
Follow these steps to configure to apply a QoS profile dynamically:
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Enter Ethernet port view
Use the command… interface interface-type interface-number
Remarks: —
To do… Configure the mode to apply a QoS profile as port-based
Use the command… qos-profile por...
2-4 Configuration Example QoS Profile Configuration Example Network requirements As shown in Figure 2-1 , the user name is “someone”, and the authentication password is “hello”. It is connected to GigabitEthernet 1/0/1 of the switch and belongs to the test.net domain. It is required to configure a Q...
i Table of Contents
1 Mirroring Configuration 1-1
Mirroring Overview ...
1-1 1 Mirroring Configuration
• The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series.
• The sample output information in this manual was created on the WX3024. The output information on your devi...
1-2
• VLAN-based mirroring: a device copies packets of a specified VLAN to the destination port.
Local Port Mirroring
In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In thi...
1-3 Table 1-1 Ports involved in the mirroring operation Switch Ports involved Function Source port Port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port. Reflector port Receives packets from the source port and broadcasts the pac...
1-4 Mirroring Configuration
Complete the following tasks to configure mirroring:
Task | Remarks
Configuring Local Port Mirroring | Optional
Configuring Remote Port Mirroring | Optional
Configuring MAC-Based Mirroring | Optional
Configuring VLAN-Based Mirroring | Optional
Configuring Local Port Mirroring
Confi...
1-5 Configuring Remote Port Mirroring
The device can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment.
Configuration on the device acting as a source switch
1) Configuration prerequisites
• The source port, the reflector port...
1-6 When configuring the source switch, note that:
• All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port.
• The reflector port cannot be a member port of an existing mirroring group, a member port of a...
1-7 Follow these steps to configure remote port mirroring on the destination switch:
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Create a VLAN and enter VLAN view
Use the command… vlan vlan-id
Remarks: vlan-id is the ID of the remote-probe VLAN.
To do… Configure the current VLAN as a remote-probe VLAN
Use the command… remote-pr...
1-8 Configuration prerequisites
• The MAC address to be matched is determined.
• The destination port is determined.
Configuration procedure
Follow these steps to configure MAC-based mirroring:
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Create a local or remote source mirroring ...
1-9 Configuration procedure
Follow these steps to configure VLAN-based mirroring:
To do… Enter system view
Use the command… system-view
Remarks: —
To do… Create a local or remote source mirroring group
Use the command… mirroring-group group-id { local | remote-source }
Remarks: Required
To do… Configuring VLAN-Based Mirroring
Use the command… mirroring-gro...
1-10 Use the local port mirroring function to meet the requirement. Perform the following configurations on Switch C.
• Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring source ports.
• Configure GigabitEthernet 1/0/3 as the mirroring destination port.
Figure 1-3 Network diagram...
i Table of Contents
1 ARP Configuration 1-1
Introduction to ARP ...
1-1 1 ARP Configuration
• The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series.
• The sample output information in this manual was created on the WX3024. The output information on your device may vary.
Introduction ...
1-4 mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. 4) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address...
1-5 After you enable the ARP attack detection function, the device will check the following items of an ARP packet: the source MAC address, source IP address, port number of the port receiving the ARP packet, and the ID of the VLAN in which the port resides. If these items match the entries of the DHCP snoop...
1-6 To do… Use the command… Remarks Enable the ARP entry checking function (that is, disable the device from learning ARP entries with multicast MAC addresses) arp check enable Optional By default, the ARP entry checking function is enabled. z Static ARP entries are valid as long as the device opera...
1-7 To do… Use the command… Remarks Quit to system view quit — Enter VLAN view vlan vlan-id — Enable ARP restricted forwarding arp restricted-forwarding enable Optional By default, the ARP restricted forwarding function is disabled. The device forwards legal ARP packets through all its ports. z You ...
1-8 Displaying and Maintaining ARP To do… Use the command… Remarks Display specific ARP mapping table entries display arp [ static | dynamic | ip-address ] Display the ARP mapping entries related to a specified string in a specified way display arp [ dynamic | static ] | { begin | include | exclude ...
i Table of Contents 1 SNMP Configuration 1-1 SNMP Overview ...
1-1 1 SNMP Configuration • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. SNMP Overview...
1-2 SNMP NMS and SNMP agent. A community name functions as a password. It can limit access by the SNMP NMS to the SNMP agent. You can perform the following community name-related configuration. • Specifying the MIB view that a community can access. • Setting the permission for a community to access an MIB object...
1-3 MIB attribute MIB content Related RFC DHCP MIB QACL MIB MSTP MIB VLAN MIB IPV6 ADDRESS MIB MIRRORGROUP MIB QINQ MIB 802.x MIB HGMP MIB NTP MIB Device management Private MIB Interface management — Configuring Basic SNMP Functions Because the configuration of SNMPv3 is quite different from that of...
1-4 To do… Use the command… Remarks Direct configuration Set a community name snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]* Set an SNMP group snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notif...
1-5 To do… Use the command… Remarks Set an SNMP group snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] Required Encrypt a plain-text password to generate a cipher-text one snmp-agent calculate...
1-6 To do… Use the command… Remarks Enter system view system-view — Enable the device to send Trap messages to NMS snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system | ] Enter port view or interface view interface interf...
1-7 Enabling Logging for Network Management Follow these steps to enable logging for network management: To do… Use the command… Remarks Enter system view system-view — Enable logging for network management snmp-agent log { set-operation | get-operation | all } Optional Disabled by default. Use the ...
1-8 • Perform the following configuration on Switch A: setting the community name and access permission, administrator ID, contact and location of Switch A, and enabling the device to send trap messages. Thus, the NMS is able to access Switch A and receive the trap messages sent by Switch A. Figure ...
1-9 [device] snmp-agent trap enable standard linkdown [device] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public Configuring the NMS The device supports iMC NMS. SNMPv3 adopts user name and password authentication. When you use the iMC, you need to se...
2-1 2 RMON Configuration Introduction to RMON Remote monitoring (RMON) is a kind of management information base (MIB) defined by the Internet Engineering Task Force (IETF). It is an important enhancement made to MIB II standards. RMON is mainly used to monitor the data traffic across a network segment o...
2-2 Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms. You can specify a network device to a...
2-4 Displaying and Maintaining RMON To do… Use the command… Remarks Display RMON statistics display rmon statistics [ interface-type interface-number | unit unit-number ] Display RMON history information display rmon history [ interface-type interface-number | unit unit-number ] Display RMON alarm i...
i Table of Contents 1 Multicast Overview 1-1 Multicast Overview ...
1-1 1 Multicast Overview • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series devices. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Mult...
1-2 Figure 1-1 Information transmission in the unicast mode (figure labels: Source, Server, Receivers, Hosts A to E, Packets for Host B, Packets for Host D, Packets for Host E). Assume that Hosts B, D and E need this information. The source server establishes transmission channels for...
1-3 Figure 1-2 Information transmission in the broadcast mode (figure labels: Source, Server, Receivers, Hosts A to E, Packets for all the network). Assume that Hosts B, D, and E need the information. The source server broadcasts this information through routers, and Hosts A and C o...
1-4 Figure 1-3 Information transmission in the multicast mode (figure labels: Source, Server, Receivers, Hosts A to E, Packets for the multicast group). Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts ...
1-5 Table 1-1 An analogy between TV transmission and multicast transmission Step TV transmission Multicast transmission 1 A TV station transmits a TV program through a television channel. A multicast source sends multicast data to a multicast group. 2 A user tunes the TV set to the channel. A receiv...
1-6 ASM model In the ASM model, any sender can become a multicast source and send information to a multicast group; numbers of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware...
1-7 As receivers are multiple hosts in a multicast group, you should be concerned about the following questions: • What destination should the information source send the information to in the multicast mode? • How to select the destination address? These questions are about multicast addressing. To...
1-8 Class D address range Description 239.0.0.0 to 239.255.255.255 Administratively scoped multicast addresses, which are for specific local use only. As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network protocols on local networks. The following tabl...
1-9 multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members. As stipulated by IANA, the high-order 24 bits of a multicast MAC address are 0x01005e, while the low-order 23 bits of a MAC address are the low-order 23 bits of the mu...
1-10 Figure 1-5 Positions of Layer 3 multicast protocols (figure labels: AS 1, AS 2, Source, Receivers, PIM, MSDP, IGMP). 1) Multicast management protocols Typically, the Internet Group Management Protocol (IGMP) is used between hosts and Layer 3 multicast devices directly connected with the ...
1-11 Figure 1-6 Positions of Layer 2 multicast protocols (figure labels: Source, Receivers, multicast packets, IGMP Snooping). 2) IGMP Snooping Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that manages and controls multicast groups by...
1-12 2) If the corresponding (S, G) entry exists, but the interface on which the packet actually arrived is not the incoming interface in the multicast forwarding table, the multicast packet is subject to an RPF check. • If the result of the RPF check shows that the RPF interface is the incoming int...
2-1 2 IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 de...
2-2 Figure 2-2 IGMP Snooping related ports (figure labels: Router A, Switch A, Switch B, Source, Receivers, Hosts A to D, ports Eth1/0/1, Eth1/0/2 and Eth1/0/3, Multicast packets, Router port, Member port). Ports involved in IGMP Snooping, as shown in Figure 2-2, are described as foll...
2-3 When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether active multicast group members exist on the subnet. Upon receiving an IGMP general query, the device forwards it through all ports in the VLAN ...
2-4 immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port. Upon receiving the IGMP leave message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just...
2-5 Operation Remarks Configuring a VLAN Tag for Query Messages Optional Configuring Multicast VLAN Optional Enabling IGMP Snooping Follow these steps to enable IGMP Snooping: To do… Use the command… Remarks Enter system view system-view — Enable IGMP Snooping globally igmp-snooping enable Required ...
2-6 • Before configuring related IGMP Snooping functions, you must enable IGMP Snooping in the specified VLAN. • Different multicast group addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multi...
2-7 Enabling fast leave processing in Ethernet port view Follow these steps to enable fast leave processing in Ethernet view: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Enable fast leave processing for specif...
2-8 Configuring a multicast group filter in system view Follow these steps to configure a multicast group filter in system view: To do… Use the command… Remarks Enter system view system-view — Configure a multicast group filter igmp-snooping group-policy acl-number [ vlan vlan-list ] Required No...
2-9 Follow these steps to configure the maximum number of multicast groups on a port: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Limit the number of multicast groups on a port igmp-snooping group-limit limit [ ...
2-11 In Ethernet port view Follow these steps to configure a static multicast group member port in Ethernet port view: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure the current port as a static member po...
2-12 In VLAN view Follow these steps to configure a static router port in VLAN view: To do… Use the command… Remarks Enter system view system-view — Enter VLAN view vlan vlan-id — Configure a specified port as a static router port multicast static-router-port interface-type interface-number Required...
2-15 • One port can belong to only one multicast VLAN. • The port connected to a user terminal must be a hybrid port. • The multicast member ports must be in the same VLAN with the router port. Otherwise, the multicast member port cannot receive multicast packets. • If a router port is in a multicas...
2-17 Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):100. Total 1 IP Group(s). Total 1 MAC Group(s). Static Router port(s): Dynamic Router port(s): GigabitEthernet1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address: 224.1.1.1 Static host port(s): Dynamic host por...
2-19 # Configure VLAN 10 as the multicast VLAN and enable IGMP Snooping on it. [SwitchB] vlan 10 [SwitchB-vlan10] service-type multicast [SwitchB-vlan10] igmp-snooping enable [SwitchB-vlan10] quit # Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and VLAN 10, and conf...
3-1 3 Common Multicast Configuration Common Multicast Configuration Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. Alternatively, you can statically bind a port to a multicast MAC addre...
3-2 Configuring Dropping Unknown Multicast Packets Generally, if the multicast address of the multicast packet received on the device is not registered on the local device, the packet will be flooded in the VLAN. When the function of dropping unknown multicast packets is enabled, the device will dro...
i Table of Contents 1 NTP Configuration 1-1 Introduction to NTP ...
1-1 1 NTP Configuration When configuring NTP, go to these sections for information you are interested in: • Introduction to NTP • NTP Configuration Task List • Configuring NTP Implementation Modes • Configuring Access Control Right • Configuring NTP Authentication • Configuring Optional NTP Paramete...
1-2 • In network management, the analysis of the log information and debugging information collected from different devices is meaningful and valid only when network devices that generate the information adopt the same time. • The billing system requires that the clocks of all network devices be co...
1-3 Figure 1-1 Implementation principle of NTP IP network IP network IP network IP network Device B Device A Device B Device A Device B Device A Device B Device A 10:00:00 am 11:00:01 am 10:00:00 am NTP message 10:00:00 am 11:00:01 am 11:00:02 am NTP message NTP message NTP message received at 10:00...
1-4 Server/client mode Figure 1-2 Server/client mode (figure: the client sends a clock synchronization request across the network; the server works in server mode automatically and sends a response packet; the client filters and selects a clock and synchronizes the local clock to that of the preferred server). Symmetric peer mode Figure 1-3 ...
1-5 Multicast mode Figure 1-5 Multicast mode (figure: the server multicasts clock synchronization packets periodically across the network; the client initiates a client/server mode request after receiving the first multicast packet; the server works in the server mode automatically and sends responses). Ob...
1-6 NTP Configuration Task List Complete the following tasks to configure NTP: Task Remarks Configuring NTP Implementation Modes Required Configuring Access Control Right Optional Configuring NTP Authentication Optional Configuring Optional NTP Parameters Optional Displaying and Maintaining NTP Conf...
1-7 To do… Use the command… Remarks Enter system view system-view — Configure an NTP client ntp-service unicast-server { remote-ip | server-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* Required By default, the device is not configured ...
1-8 • In the symmetric peer mode, you need to execute the related NTP configuration commands (refer to Configuring NTP Implementation Modes for details) to enable NTP on a symmetric-passive peer; otherwise, the symmetric-passive peer will not process NTP messages from the symmetric-active peer. • Th...
1-9 Configuring the device to work in the NTP broadcast client mode To do… Use the command… Remarks Enter system view system-view — Enter VLAN interface view interface Vlan-interface vlan-id — Configure the device to work in the NTP broadcast client mode ntp-service broadcast-client Required Not con...
1-10 Configuring Access Control Right With the following command, you can configure the NTP service access-control right to the local device for a peer device. There are four access-control rights, as follows: • query: Control query right. This level of right permits the peer device to perform cont...
1-11 synchronized only to that of the server that passes the authentication. This improves network security. Table 1-2 shows the roles of devices in the NTP authentication function. Table 1-2 Description on the roles of devices in NTP authentication function Role of device Working mode Client in the...
1-12 To do… Use the command… Remarks Configure the NTP authentication key ntp-service authentication-keyid key-id authentication-model md5 value Required By default, no NTP authentication key is configured. Configure the specified key as a trusted key ntp-service reliable authentication-keyid key-id...
1-13 To do… Use the command… Remarks Configure on the NTP broadcast server ntp-service broadcast-server authentication-keyid key-id Associate the specified key with the corresponding broadcast/multicast client Configure on the NTP multicast server ntp-service multicast-server authentication-keyid ke...
1-14 Configuring the Number of Dynamic Sessions Allowed on the Local Device Follow these steps to configure the number of dynamic sessions allowed on the local device: To do… Use the command… Remarks Enter system view system-view — Configure the maximum number of dynamic sessions that can be establi...
1-16 [12345]1.0.1.11 127.127.1.0 2 1 64 1 350.1 15.1 0.0 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured Total associations : 1 Configuring NTP Symmetric Peer Mode Network requirements • As shown in Figure 1-7, the local clock of Device A is set as the NTP master clock, wi...
1-20 Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 60.0002 Hz Actual frequency: 60.0002 Hz Clock precision: 2^18 Clock offset: 198.7425 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Sep 7...
i Table of Contents 1 SSH Configuration 1-1 SSH Overview ...
1-1 1 SSH Configuration • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. SSH Overview In...
1-2 Figure 1-1 Encryption and decryption (figure: plain text is encrypted with a key into cipher text, which is decrypted with a key back into plain text). Key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms. Asymmetric Key Algorithm Asy...
1-4 • In password authentication, the client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server. Upon receiving the request, the server decrypts the username and password, compares them with those it maintains, and then i...
1-5 SSH Server Configuration Tasks Complete the following tasks to configure SSH server: Task Remark Configuring the Protocol Support for the User Interface Required Generating/Destroying a RSA or DSA Key Pair Required Exporting the RSA or DSA Public Key Optional Creating an SSH User and Specify an ...
1-6 • If you have configured a user interface to support SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login. • On a user interface, if the authentication-mode password or authentication-mode none comma...
1-7 Exporting the RSA or DSA Public Key You can display the generated RSA or DSA key pair on the screen in a specified format, or export it to a specified file for configuring the key at a remote end. Follow these steps to export the RSA public key: To do… Use the command… Remarks Enter system view ...
1-8 • For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA. • If the default authentication type fo...
1-9 To do… Use the command… Remarks Enter system view system-view — Set SSH authentication timeout time ssh server timeout seconds Optional By default, the timeout time is 60 seconds. Set SSH authentication retry times ssh server authentication-retries times Optional By default, the number of retry ...
1-11 Follow these steps to import the RSA public key from a public key file: To do… Use the command… Remarks Enter system view system-view — Import the RSA public key from a public key file rsa peer-public-key keyname import sshkey filename Required The result of the display rsa local-key-pair publi...
1-12 Follow these steps to specify a source IP address/interface for the SSH server: To do… Use the command… Remarks Enter system view system-view — Specify a source IP address for the SSH server ssh-server source-ip ip-address Required By default, the system determines the IP address for clients to...
1-13 • Selecting the protocol for remote connection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH. • Selecting the SSH version. Since the device supports SSH Server 2.0 now, select 2.0 o...
1-14 Figure 1-3 Generate the client keys (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key ( public in this case) to save the public key. Figure 1-4 Generate the client keys (3)
1-15 Likewise, to save the private key, click Save private key . A warning window pops up to prompt you whether to save the private key without any precaution. Click Yes and enter the name of the file for saving the private key (“private” in this case) to save the private key. Figure 1-5 Generate th...
1-16 Figure 1-7 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Select a protocol for remote connection As shown in Figure 1-7 , select S...
1-17 Figure 1-8 SSH client configuration interface 2 Under Protocol options , select 2 from Preferred SSH protocol version . Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algori...
1-18 Figure 1-9 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, a user will be prompted for a username. Once passing the authentication,...
1-19 Open an SSH connection with password authentication From the window shown in Figure 1-9 , click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-11 . Figure 1-11 SSH client interface (2) ...
1-20 Follow these steps to enable the device to support first-time authentication: To do… Use the command… Remarks Enter system view system-view — Enable the device to support first-time authentication ssh client first-time enable Optional By default, the client is enabled to run initial authenticat...
1-21 When logging into the SSH server using public key authentication, an SSH client needs to read the local private key for authentication. As two algorithms (RSA or DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key. Specifyin...
1-22 SSH Configuration Examples When the Device Acts as the SSH Server and the Authentication Type is Password Network requirements As shown in Figure 1-12 , establish an SSH connection between the host (SSH Client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 client so...
1-23 Take SSH client software “Putty” (version 0.58) as an example: 1) Run PuTTY.exe to enter the following configuration interface. Figure 1-13 SSH client configuration interface In the Host Name (or IP address) text box, enter the IP address of the SSH server. 2) As shown in Figure 1-13 , click Op...
1-24 Figure 1-14 SSH client interface When the Device Acts as an SSH Server and the Authentication Type is Publickey Network requirements As shown in Figure 1-15 , establish an SSH connection between the host (SSH client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 cli...
1-25 <device> system-view [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [device-Vlan-interface1] quit # Generate RSA and DSA key pairs. [device] public-key local create rsa [device] public-key local create dsa # Set the authentication mode fo...
i Table of Contents 1 File System Management Configuration 1-1 File System Configuration ...
1-1 1 File System Management Configuration The sample output information in this manual was created on the WX3024. The output information on your device may vary. File System Configuration Introduction to File System To facilitate management on the device memory, the device provides the file system ...
1-2 • Displaying the current work directory, or contents in a specified directory Follow these steps to perform directory-related operations in user view: To do… Use the command… Remarks Create a directory mkdir directory Optional Delete a directory rmdir directory Optional Display the current work ...
1-3 To do… Use the command… Remarks Enter system view system-view — Execute the specified batch file execute filename Optional This command should be executed in system view. • For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored. • ...
1-4 Follow these steps to perform configuration on prompt mode of file system: To do… Use the command… Remarks Enter system view system-view — Configure the prompt mode of the file system file prompt { alert | quiet } Required By default, the prompt mode of the file system is alert . File System Con...
1-5 <device> dir unit1>flash:/test/ Directory of unit1>flash:/test/ 1 -rw- 1443 Apr 02 2000 02:45:13 1.cfg 6858 KB total (6841 KB free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute File Attribute Configuration Introduction to File Attribut...
1-6 attribute. If you download a valid file with the same name as the deleted file to the flash memory, the file will possess the main attribute. Configuring File Attributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch, a...
i Table of Contents 1 FTP and SFTP Configuration 1-1 Introduction to FTP and SFTP ...
1-1 1 FTP and SFTP Configuration • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. • FTP...
1-2 Introduction to SFTP Secure FTP (SFTP) is established based on an SSH2 connection. It allows a remote user to log in to the switching engine to manage and transmit files, providing more secure data transmission. In addition, since the device can be used as a client, you can log in to...
1-4 Source interface refers to the existing VLAN interface or Loopback interface on the device. Source IP address refers to the IP address configured for the interface on the device. Each source interface corresponds to a source IP address. Therefore, specifying a source interface for the FTP server...
1-6 To do… Use the command… Remarks Configure a shell banner header shell text Use either command or both. By default, no banner is configured. For details about the header command, refer to the Login part of the manual. Displaying FTP server information To do… Use the command… Remarks Display the i...
1-8 Specifying the source interface and source IP address for an FTP client You can specify the source interface and source IP address for the device acting as an FTP client, so that it can connect to a remote FTP server. Follow these steps to specify the source interface and source IP address for a...
1-10 200 Port command okay. 150 Opening ASCII mode data connection for config.cfg. 226 Transfer complete. This example uses the command line window tool provided by Windows. When you log in to the FTP server through another FTP client, refer to the corresponding instructions for operation descriptio...
1-12 Figure 1-5 Network diagram for FTP configurations: the device operating as an FTP client (figure labels: Switch A, FTP Client, FTP Server, Vlan-Int1, 1.1.1.1/8, 2.2.2.2/8, Network, PC). Configuration procedure 1) Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a...
1-13 <device> # After downloading the file, use the startup saved-configuration command to specify the downloaded configuration file as the main configuration file for next startup, and then restart the device. <device>startup saved-configuration config.cfg main Please wait.................
1-14 To do… Use the command… Remarks Enter system view system-view — Configure the connection idle time for the SFTP server ftp timeout time-out-value Optional 10 minutes by default Supported SFTP client software The device operating as an SFTP server can interoperate with SFTP client software, incl...
1-16 If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithms to...
2-1 2 TFTP Configuration Introduction to TFTP Compared with FTP, TFTP (trivial file transfer protocol) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in the networks where client-server interactions are relatively simple. TFTP is implemented...
2-2 Task Remarks TFTP server configuration For details, see the corresponding manual — TFTP Configuration: The Device Operating as a TFTP Client Basic configurations on a TFTP client By default the device can operate as a TFTP client. In this case you can connect the device to the TFTP server to per...
2-3 To do… Use the command… Remarks Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server tftp source-interface interface-type interface-number Specify an IP address as the source IP address a TFTP client uses every time it connects to a TFTP server ...
i Table of Contents 1 Information Center 1-1 Information Center Overview ...
1-1 1 Information Center • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. Information C...
1-2 Severity Severity value Description informational 7 Informational information to be recorded debugging 8 Information generated during debugging Information filtering by severity works this way: information with the severity value greater than the configured threshold is not output during the fil...
1-3 Configurations for the six output directions function independently and take effect only after the information center is enabled. Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and descriptions are show...
1-4 Module name Description NTP Network time protocol module PKI Public key infrastructure module RDS Radius module RMON Remote monitor module RSA Rivest, Shamir and Adleman encryption module SHELL User interface module SNMP Simple network management protocol module SOCKET Socket module SSH Secure s...
1-5 Priority The priority is calculated using the following formula: facility*8+severity-1, in which • facility (the device name) defaults to local7 with the value being 23 (the value of local6 is 22, that of local5 is 21, and so on). • severity (the information level) ranges from 1 to 8. Table 1-1 ...
1-6 You can use the sysname command to modify the system name. Refer to the System Maintenance and Debugging part of this manual for details) Note that there is a space between the sysname and module fields. Module The module field represents the name of the module that generates system information....
1-7 Task Remarks Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system information such as log, trap, or debugging information is output when the user is inputting commands, the...
1-8 To do… Use the command… Remarks Log host direction info-center timestamp loghost date Set the time stamp format in the output direction of the information center to date Non log host direction info-center timestamp { log | trap | debugging } date Required Use either command Set to display the UT...
1-9 Table 1-4 Default output rules for different output directions LOG TRAP DEBUG Output direction Modules allowed Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity Console default (all modules) Enabled warnings Enabled debugging Enabled debugging Monitor terminal de...
1-10 Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface. Setting to output system information to a monitor terminal Follow these steps ...
1-11 Follow these steps to enable the display of system information on a monitor terminal: To do… Use the command… Remarks Enable the debugging/log/trap information terminal display function terminal monitor Optional Enabled by default Enable debugging information terminal display function terminal ...
1-14 Displaying and Maintaining Information Center To do… Use the command… Remarks Display information on an information channel display channel [ channel - number | channel - name ] Display the operation status of information center, the configuration of information channels, the format of time sta...
1-16 Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to a Linux Log Host Network requirements As shown in Figure 1-2 , Switch s...
1-17 Note the following items when you edit file “/etc/syslog.conf”. • A note must start in a new line, starting with a “#” sign. • In each pair, a tab should be used as a separator instead of a space. • No space is permitted at the end of the file name. • The device name (facility) and received...
1-1 1 Host Configuration File Loading • The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. ...
1-2 Connected to OAP! <device_LSW> ftp 192.168.0.100 Trying ... Press CTRL+K to abort Connected. 220 3Com 3CDaemon FTP Server Version 2.0 User(none):admin 331 User name ok, need password Password: 230 User logged in [ftp]get config.cfg config.cfg 227 Entering passive mode (192,168,0,100,5,95) ...
1-3 Figure 1-2 Remote loading using FTP server (diagram labels: Switch, PC, Ethernet port, Internet, FTP Server, 10.1.1.1, 192.168.0.51) Step 1: As shown in Figure 1-2, connect Switch through an Ethernet port to the PC (whose IP address is 10.1.1.1). Step 2: Configure the IP address of VLAN-interface 1 on Sw...
1-5 • The steps listed above are performed in the Windows operating system. If you use other FTP client software, refer to the corresponding user guide before operation. • Only the configuration steps concerning loading are listed here. For detailed description on the corresponding configuration com...
2-1 2 Basic System Configuration and Debugging Basic System Configuration Follow these steps to perform basic system configuration: To do… Use the command… Remarks Set the current date and time of the system clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } Required Execute this command in user vi...
2-2 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Display the version of the system display version Display the information about users logging onto the device display users [ all ] Available in any view Debugging the Syste...
2-3 You can use the following commands to enable the two settings. Follow these steps to enable debugging and terminal display for a specific module: To do… Use the command… Remarks Enable system debugging for specific module debugging module-name [ debugging - option ] Required Disabled for all mod...
3-1 3 Network Connectivity Test Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. Follow these steps to execute the ping command: To do… Use the command… Remarks Check the IP network connectivity and the reachability of a ho...
4-1 4 Device Management Introduction to Device Management Device Management includes the following: • Reboot the device • Configure real-time monitoring of the running status of the system • Specify the main configuration file to be used at the next reboot Device Management Configuration Device Mana...
4-2 Scheduling a Reboot on the Device After you schedule a reboot on the device, the device will reboot at the specified time. Follow these steps to schedule a reboot on the device: To do… Use the command… Remarks Schedule a reboot on the device, and set the reboot date and time schedule reboot at h...
4-3 Follow the step below to specify the main configuration file to be used at reboot: To do… Use the command… Remarks Specify the main configuration file to be used at next reboot startup saved-configuration filename [ main | backup ] Required Identifying and Diagnosing Pluggable Transceivers Intro...
4-4 Follow these steps to identify pluggable transceivers: To do… Use the command… Remarks Display main parameters of the pluggable transceiver(s) display transceiver interface [ interface-type interface-number ] Available for all pluggable transceivers Diagnosing pluggable transceivers The system o...
1-1 1 VLAN-VPN Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your devic...
1-3 As the position of the TPID field in an Ethernet packet is the same as that of the upper-layer protocol type field in a packet without VLAN Tag, to avoid confusion in the process of receiving/forwarding a packet, the TPID value cannot be any of the protocol type values listed in Table 1-1. Table...
1-4 TPID Adjusting Configuration Configuration Prerequisites • To change the global TPID value 0x8100, you need to specify a port on the device as a VLAN VPN uplink port. Before the configuration, make sure that VLAN VPN is disabled on the port. • For proper packet transmission, confirm the TPID val...
1-5 VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements • As shown in Figure 1-4, both Switch A and Switch B are the WX3000 series devices. They connect the users to the servers through the public network. • PC users...
1-6 # Set the global TPID value of Switch A to 0x9200 and configure GigabitEthernet 1/0/12 as a VLAN VPN uplink port, so that Switch A can intercommunicate with devices in the public network. [SwitchA] vlan-vpn tpid 9200 [SwitchA] interface GigabitEthernet1/0/12 [SwitchA-GigabitEthernet1/0/12] port ...
2-1 2 Selective QinQ Configuration Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to the pa...
2-2 In this way, you can configure different forwarding policies for data of different types of users, thus improving the flexibility of network management. On the other hand, network resources are well utilized, and users of the same type are also isolated by their inner VLAN tags. This helps to imp...
2-3 You are advised not to configure both DHCP snooping and the selective QinQ function on the device, because doing so may cause DHCP snooping to function abnormally. Configuring the Inner-to-Outer Tag Priority Mapping Feature Configuration Prerequisites Enabling the VLAN-VPN feature on the curr...
1-1 1 HWPing Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a WX3000. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. HWPing Overview Int...
1-2 Figure 1-1 HWPing illustration Switch A Switch B HWPing Client IP network HWPing Server Test Types Supported by HWPing Table 1-1 Test types supported by HWPing Supported test types Description ICMP test DHCP test FTP test HTTP test DNS test SNMP test For these types of tests, you need to configu...
1-4 Test parameter Description File name for FTP operation ( filename ) Name of a file to be transferred between HWPing client and FTP server Number of jitter test packets to be sent per probe ( jitter-packetnum ) • Jitter test is used to collect statistics about delay jitter in UDP packet transmiss...
1-5 HWPing server configuration The following table describes the configuration on HWPing server, which is the same for HWPing test types that need to configure HWPing server. Follow these steps to configure the HWPing server: To do… Use the command… Remarks Enter system view system-view — Enable th...
1-16 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three seconds. Configure the type of service tos value Optional By default, the service type is zero. Configure the domain name to be resolved dns resolve-targetdomai domainna...
1-17 Displaying and Maintaining HWPing To do… Use the command… Remarks Display test history display hwping history [ administrator-name operation-tag ] Display the results of the latest test display hwping results [ administrator-name operation-tag ] Available in any view HWPing Configuration Exampl...
1-18 # Display test results. [device-hwping-administrator-icmp] display hwping results administrator icmp HWPing entry(admin administrator, tag icmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 3/6/3 Square-Sum of ...
1-19 # Create a HWPing test group, setting the administrator name to "administrator" and test tag to "DHCP". [device] Hwping administrator dhcp # Configure the test type as dhcp. [device-hwping-administrator-dhcp] test-type dhcp # Configure the source interface, which must be a VLAN...
1-20 FTP Test Network requirements As shown in Figure 1-4 , both the HWPing client and the FTP server are WX3000 series devices. Perform a HWPing FTP test between the two devices to test the connectivity to the specified FTP server and the time required to upload a file to the server after the conne...
1-22 HTTP Test Network requirements As shown in Figure 1-5 , Switch serves as the HWPing client, and a PC serves as the HTTP server. Perform a HWPing HTTP test between Switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connecti...
1-23 SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Http result: DNS Resolve Time: 0 H...
1-24 Network diagram Figure 1-6 Network diagram for the Jitter test Switch A Switch B HWPing Client IP network 10.1.1.1/8 10.2.2.2/8 HWPing Server Configuration procedure • Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on. <device>...
1-25 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Jitter result: RTT Number:100 Min Positive SD:1 Min Positive DS:1 Max Posi...
1-26 Network diagram Figure 1-7 Network diagram for the SNMP test Switch A Switch B HWPing Client IP network 10.1.1.1/8 10.2.2.2/8 SNMP Agent Configuration procedure • Configure SNMP Agent (Switch B): # Start SNMP agent and set SNMP version to V2C, read-only community name to "public", and...
1-27 [device-hwping-administrator-snmp] test-enable # Display test results [device-hwping-administrator-snmp] display hwping results administrator snmp HWPing entry(admin administrator, tag snmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max...
1-28 Configuration procedure • Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on. <device> system-view [device] hwping-server enable [device] hwping-server tcpconnect 10.2.2.2 8000 • Configure HWPing Client (Switch A): # Enable th...
1-29
Index  Response  Status  LastRC  Time
1      4         1       0       2000-04-02 08:26:02.9
2      5         1       0       2000-04-02 08:26:02.8
3      4         1       0       2000-04-02 08:26:02.8
4      5         1       0       2000-04-02 08:26:02.7
5      4         1       0       2000-04-02 08:26:02.7
6      5         1       0       2000-04-02 08:26:02.6
7      6         1       0       2000-04-02 08:26:02.6
8      7         1       0       2000-04-02 08:26:02.5
9      5         1       0       2000-04-02 08...
1-30 [device-hwping-administrator-udpprivate] destination-ip 10.2.2.2 # Configure the destination port on the HWPing server. [device-hwping-administrator-udpprivate] destination-port 8000 # Configure to make 10 probes per test. [device-hwping-administrator-udpprivate] count 10 # Set the probe timeou...
1-31 Network diagram Figure 1-10 Network diagram for the DNS test Switch HWPing Client IP network 10.1.1.1/8 10.2.2.2/8 DNS Server Configuration procedure • Configure DNS Server: Use Windows 2003 Server as the DNS server. For DNS server configuration, refer to the related instruction on Windows 2003...
1-1 1 DNS Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your device may vary. • This chapte...
1-2 Figure 1-1 Dynamic domain name resolution (diagram labels: User program, Resolver, Cache, DNS client, DNS server; Request, Response, Save, Read) Figure 1-1 shows the relationship between user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS cli...
1-3 To do… Use the command… Remarks Enter system view system-view — Configure a mapping between a host name and an IP address ip host hostname ip-address Required No IP address is assigned to a host name by default. The IP address you assign to a host name last time will overwrite the previous one i...
1-4 Figure 1-2 Network diagram for static DNS configuration 10.1.1.1/24 10.1.1.2/24 host.com Host Switch Configuration procedure # Configure a mapping between host name host.com and IP address 10.1.1.2. <device> system-view [device] ip host host.com 10.1.1.2 # Execute the ping host.com...
1-1 1 Smart Link Configuration • The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of a unified switch in the WX3000 series. • The sample output information in this manual was created on the WX3024. The output information on your dev...
1-2 Master port The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure GigabitEthernet 1/0/1 of switch A in Figure 1-1 as the master port through the command line. Slave port The slave port can be either an Ethernet po...
1-3 Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operating mechanism (diagram labels: Switch A to Switch E; ports GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/11, GE1/0/12; BLOCK) As shown in Figure 1-2, GigabitEthernet 1/0/1 ...
1-4 Task Remarks Create a Smart Link group Add member ports to the Smart Link group Configuring a Smart Link Device Enable the function of sending flush messages in the specified control VLAN Required Configuring Associated Devices Enable the function of processing flush messages received from the s...
1-5 To do… Use the command… Remarks Enable the function of sending flush messages in the specified control VLAN flush enable control-vlan vlan-id Optional By default, no control VLAN for sending flush messages is specified. Configuring Associated Devices An associated device mentioned in this docume...
1-6 • When you copy a port, the Smart Link/Monitor Link group member information configured on the port will not be copied to other ports. • If a single port is specified as a member of a Smart Link/Monitor Link group, you cannot execute the lacp enable command on this port or add this port into oth...
2-1 2 Monitor Link Configuration Introduction to Monitor Link Monitor Link is a collaboration scheme introduced to complement Smart Link. It is used to monitor the uplink and to perfect the backup function of Smart Link. A Monitor Link consists of an uplink port and one or multiple downlink ports. W...
2-2 How Monitor Link Works Figure 2-2 Network diagram for a Monitor Link group implementation (diagram labels: Switch A to Switch E; ports GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/11, GE1/0/12; BLOCK) As shown in Figure 2-2, the devices Switch C and Sw...
2-3 Configuring Monitor Link Before configuring a Monitor Link group, you must create a Monitor Link group and configure member ports for it. A Monitor Link group consists of an uplink port and one or multiple downlink ports. The uplink port can be a manually-configured or static LACP link aggregati...
2-4 To do… Use the command… Remarks Configure the specified link aggregation group as the uplink port of the Monitor Link group link-aggregation group group-id uplink Configure the specified Smart Link group as the uplink port of the Monitor Link group smart-link group group-id uplink Monitor Link g...
2-5 • A Smart Link/Monitor Link group with members cannot be deleted. A Smart Link group as a Monitor Link group member cannot be deleted. • The Smart Link/Monitor Link function and the remote port mirroring function are incompatible with each other. • If a single port is specified as a Smart Link/M...
1-1 1 PoE Configuration When configuring PoE, go to these sections for information you are interested in: • PoE Overview • PoE Configuration • PoE Configuration Example The terms switching engine and Ethernet switch used throughout this documentation refer to a switching device in a generic sense or...
1-2 PoE Features Supported by the Device Table 1-1 Power supply parameters of PoE device Device Input power supply Number of electrical ports supplying power Maximum PoE distance Maximum power provided by each electrical port Total Maximum PoE output power DC input 600 W WX3024 AC input 24 100 m (32...
1-6 • In the case that the PSE processing software is damaged (that is, no PoE command can be executed successfully), use the full update mode to upgrade and thus restore the software. • The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software...
2-1 2 PoE Profile Configuration Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the device, the device provides the PoE profile features. A PoE profile is a set of PoE configurations, including multipl...
2-2 To do… Use the command… Remarks In system view apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] Enter Ethernet port view interface interface-type interface-number Apply the existing PoE profile to the specified Ethernet port In Ether...
2-3 PoE Profile Configuration Example PoE Profile Application Example Network requirements As shown in Figure 2-1, Switch A supports PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: • The PoE function can be ena...
1-1 1 IP Routing Protocol Overview Go to these sections for information you are interested in: • Introduction to IP Route and Routing Table • Routing Protocol Overview • Displaying and Maintaining a Routing Table The term router in this chapter refers to a router in a generic sense or a WX3000 serie...
1-3 Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires less system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically so that you must perform routin...
1-4 each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities...
1-5 routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism. Displaying and Maintaining a Routing Table To do… Use the command… Remarks Display brief information about a routing table display ip routing-tabl...
2-1 2 Static Route Configuration When configuring a static route, go to these sections for information you are interested in: • Introduction to Static Route • Static Route Configuration • Displaying and Maintaining Static Routes • Static Route Configuration Example • Troubleshooting a Static Route T...
2-2 Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, • If there is a default route in the routing table, the default route will be selected to forward the packet. • If there is n...
2-4 Configuration procedure When only one interface of the device is interconnected with another network segment, you can implement network communication by configuring either a static route or default route. 1) Perform the following configurations on the device. # Approach 1: Configure static route...
3-1 3 RIP Configuration When configuring RIP, go to these sections for information you are interested in: • RIP Overview • RIP Configuration Task List • RIP Configuration Example • Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or a WX3000 ser...
3-2 • Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. • Metric: Cost from the local router to the destination. • Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry...
3-3 RIP Configuration Task List Complete the following tasks to configure RIP: Task Remarks Enabling RIP on the interfaces attached to a specified network segment Required Setting the RIP operating status on an interface Optional Configuring Basic RIP Functions Specifying the RIP version on an inter...
3-4 • Related RIP commands configured in interface view can take effect only after RIP is enabled. • RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the in...
3-5 • Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. • Redistribute external routes in an environment with multiple routing protocols. Configuration Pr...
3-7 • The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. • The filter-policy export command filters all the routes to be advertised, including the routes red...
3-8 Configuration Prerequisites Before adjusting RIP, perform the following tasks: • Configuring the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer • Configuring basic RIP functions Configuration Tasks Configuring RIP timers Follow these...
3-9 To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Enable the check of the must be zero field in RIP-1 packets checkzero Required Enabled by default Some fields in a RIP-1 packet must be 0, and they are known as must be zero field. For RIP-1, the must be zer...
3-11 Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly. 1) Configure Switch A: # Configure RIP. <SwitchA> system-vi...
4-1 4 IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: • IP Route Policy Overview • IP Route Policy Configuration Task List • Displaying and Maintaining IP Route Policy • IP Route Policy Configuration Example • Troubleshoo...
4-2 For ACL configuration, refer to the part discussing ACL. Route policy A route policy is used to match some attributes with given routing information and the attributes of the information will be set if the conditions are satisfied. A route policy can comprise multiple nodes. Each node is a unit ...
4-4 To do... Use the command... Remarks Define a rule to match the next-hop address of routing information if-match ip next-hop acl acl-number Optional By default, no matching is performed on the next-hop address of routing information. Apply a cost to routes satisfying matching rules apply cost val...
4-6 [SwitchA-rip] network 2.0.0.0 [SwitchA-rip] network 3.0.0.0 2) Configure Switch B. # Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted. # Configure RIP. <SwitchB> system-view [SwitchB] rip [SwitchB-rip] network 1.0.0.0 [SwitchB-rip] net...
4-7 # Create node 40 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 5 to routes matching the outgoing interface VLAN-interface 6 and ACL 2001. [SwitchC] route-policy in permit node 40 [SwitchC-route-policy] if-match interface Vlan-interface6 [SwitchC...
4-8 Precautions 1) When you configure the apply cost command in a route policy: • The new cost should be greater than the original one to prevent RIP from generating a routing loop in the case that a loop exists in the topology. • The cost will become 16 if you try to set it to a value greater than 16...
1-1 1 UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: • Introduction to UDP Helper • Configuring UDP Helper • Displaying and Maintaining UDP Helper • UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs ...
1-2 Protocol UDP port number Time Service 37 Configuring UDP Helper Follow these steps to configure UDP Helper: To do… Use the command… Remarks Enter system view system-view — Enable UDP Helper udp-helper enable Required Disabled by default. Specify a UDP port number udp-helper port { port-number | ...
1-3 Displaying and Maintaining UDP Helper To do… Use the command… Remarks Display the UDP broadcast relay forwarding information of a specified VLAN interface on the device display udp-helper server [ interface vlan-interface vlan-id ] Available in any view Clear statistics about packets forwarded b...
A-1 Appendix A Acronyms A AAA Authentication, Authorization and Accounting ABR Area Border Router ACL Access Control List ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface Co...