3Com 5500-SI - page 526

526 CHAPTER 24: DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION

Configuration

Example

This section contains a configuration example.

Network requirements The switch implements the Dynamically Apply ACL by RADIUS Server function for the

access users.

The IP address of the VLAN interface, which connects the switch and the RADIUS

Server, is 10.153.1.1.

The encryption key of the NAS ( that is the switch ) is aaaa.

The user name is test and its authentication password is test. It is accessed on

Ethernet1/0/1 of the switch and belongs to the test163.net domain. Its corresponding

ACL is ACL 3000 and the content of ACL 3000 is to forbid the users to access the

10.153.1.0/24.

The IP address of the user PC is 10.153.1.9.

Take Shiva access manager as the RADIUS server, the IP address of the server is

10.153.1.2. Note that, the Shiva use the 1645 and 1646 as the authentication and

account port number.

Network diagram Figure 149 QoS configuration example

AAA Server

Switch

User

Network

AAA Server

Switch

User

NetworkNetwork

Contents

Main 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 C C ABOUT THIS GUIDE 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 Page 22 Page 23 24 25 26 27 28 29 30 31 32 33 A B C D ABOUT THIS GUIDE Organization of the Manual Intended Readership Conventions Related Manuals Tabl e 2 Text conventions (continued) Page 1 Product Overview XRN Overview Figure1 Networking Topology with XRN Product Features Tabl e 4 Function Features Tabl e 4 Function Features (continued) Logging in to the Switch Console port Console cable Page Page Page Page Page Page Page Command Line Interface Page Tabl e 5 Features of Command Views (continued) Page Page User Interface Page Page Page Page Page Page Page Page 2 CONFIGURATION Introduction to Address Management Configuring Address Management Address Management Configuration Page Page 3 Ethernet Port Configuration Introduction Page Page Page Page Page Table45 Setting Loopback Detection for the Ethernet Port Table44 Configure loopback detection for Ethernet port (continued) Page Page Page Page Page Page Link Aggregation Page Page Page Page Page Perform the following configuration in Ethernet Port View. By default, port priority is 32768. Displaying and Debugging Link Aggregation Table56 Configuring Port Priority Table57 Displaying And Debugging Link Aggregation Page Global Broadcast Suppression Feature Displaying Information About a Specified Optical Port Page 4 Introduction to XRN Configuring an XRN Fabric Fabric Page Page Fabric Configuration RMON on XRN Clustering on XRN Peer Fabric Port Detection Page Multiple Fabric Port Candidates Page Page 5 DLDP Overview Page DLDP operating mode DLDP can operate in two modes: normal and enhanced. Table73 Table72 DLDP timers (continued) Table74 2DLDP analyzes and processes received packets as follows: those do not pass the authentication. Table75 Table76 DLDP Configuration DLDP Configuration Page Page 6 VLAN Configuration Page Page Protocol-Based VLAN Page Voice VLAN Page Page Table96 Page Creating VLANs in Batches Voice VLAN Configuring the Voice VLAN Function Configuration Prerequisites support the voice VLAN function. Table99 Configuring a voice VLAN to operate in automatic mode Voice VLAN Displaying and Debugging Refer to Table101 to display or debug a voice VLAN. Voice V LAN Configuration Example Network requirements Page 7 Introduction to GVRP Page GVRP Packet Format The GVRP packets are in the following format: Figure26 Format of GVRP packets Table102 describes the packet fields in Figure 26. Protocol Specifications GVRP is defined in IEEE 802.1Q standard. Table102 GVRP Configuration configuring the GVRP port registration mode. Prerequisite Table103 Page Displaying GVRP 8 VLAN-VPN Overview VLAN-VPN Inner VLAN Tag Priority Replication TPID Adjusting VLAN-VPN Configuration Page Page 9 Introduction to DHCP DHCP IP Address Assignment 10 Page Page Global Address Pool-Based DHCP Server Configuration Page Page Page Interface Address Pool-based DHCP Server Configuration Page Page Table123 Configure to assign IP addresses dynamically (continued) Table124 Configure DNS services for DHCP clients Page DHCP Security Option 184 Supporting Page Configuring the option 184 supporting function in system view Table129 Configure the option 184 supporting function in system view Configuring the option 184 supporting function in interface view Table130 Configure the option 184 supporting function in interface view Page Figure33 Network diagram for option 184 supporting configuration cConfigure VLAN 2 interface to operate in the DHCP server mode. dEnter DHCP address pool view. eConfigure sub-options of option 184 in global DHCP address pool view. DHCP Server Displaying and Debugging DHCP Server Configuration Page Troubleshooting DHCP 11 Introduction to DHCP Relay DHCP Relay DHCP Relay Displaying DHCP Relay Configuration Troubleshooting DHCP Relay 12 VRRP Overview Page Page Page VRRP Configuration Configuring Backup Group-Related Parameters Table138 lists the operations to configure a switch in a backup group. Table137 Configure a virtual router IP address (continued) Table138 Configure backup group-related parameters Displaying and Clearing VRRP Information VRRP Configuration Page Figure40 Network diagram for inte rface tracking configuration 1Configure Switch A. bConfigure that the virtual router can be pinged. cCreate a backup group. dSet the priority for the backup group. eSet the authentication key for the backup group. Page Figure41 Network diagram for multiple-VRRP backup group configuration 1Configure Switch A. bCreate backup group 1. cSet the priority for backup group 1. dCreate backup group 2. 2Configure Switch B. Troubleshooting VRRP 13 MSTP Overview Page Page Page Page Root Bridge Page Setting the Switch as the Root/Secondary Root Bridge Page Page Page Page Page Page Page Configuration procedure in system view Configuration procedure in Ethernet port view Table155 Configure a port to connect to a point-to-point link in system view Table156 Configure a port to connect to a point-to-point link in Ethernet port view 2Configure in Ethernet port view. Enabling MSTP Configuration procedure You can enable MSTP in system view or Ethernet port view. Only when you enable MSTP on a switch, can MSTP configurations take effect. Table157 Enable MSTP in system view Table158 Enable MSTP in Ethernet port view Leaf Node Page Table162 Configure the path costs of specified ports in system view Table163 Configure the path cost of a port in Ethernet port view Table161 Transmission speeds and the corresponding path costs (continued) Page Enabling MSTP mCheck Configuration Protection Functions Page Page BPDU Tunnel Page Displaying and Debugging MSTP MSTP Configuration Page BPDU Tunnel Configuration Page Page 14 AUTHENTICATION CONFIGURATION Page Page Page 15 SSH Terminal Services Page Page Page Page Operations on the server are described in Table185. The automatic mode is recommended for its simplicity. Table184 Configure client public keys Table185 Configure client public keys Page Page Page Figure50 Network diagram for SSH client configuration 1Configure the client to run the initial authentication. 2Configure server public keys on the client. Page SFTP Service SFTP Client The following sections describe SFTP client configuration tasks: Configuring SFTP client Table191 Configuring SFTP client Table192 Enable the SFTP client Disabling the SFTP client Table193 Disable the SFTP client Table194 Operate with SFTP directories Table195 Operate with SFTP files Page bDisplay the current directory on the SFTP server, delete file z and verify the operation. cCreate directory new1 and verify the operation. dChange the name of directory new1 to new2 and verify the operation. eDownload file pubkey2 and rename it to public. fUpload file pu to the SFTP server and rename it to puk. Verify the operations. gExit from SFTP. Page 16 IP Routing Protocol Overview Page IP Routing Protocol Overview 219 Figure53 The routing table Routing Management Policy The routing table of router R8 Table197 Routing Protocols and the Default Preferences for Routes Static Routes Page Page Page RIP Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page IP Routing Policy Page Page Page Page Page Page Route Capacity Page Page Page 17 IP Address Table265 IP Address Classes and Ranges Page Page ARP Configuration Page Introduction to Gratuitous ARP Page Page Page BOOTP Client Configuration DHCP Configuration Page Page Page Page Page Page Page Page Page Page Page Introduction to DHCP Accounting Page Page Introduction to DHCP Accounting 295 10.1.1.0/24. The DHCP server operates as a RADIUS client and adopts AAA for authentication. Figure73 Network diagram for DHCP accounting configuration <S5500> system-view 2Create VLAN 2. [S5500] vlan 2 Page Page Page Access Management Page Page Page UDP Helper Page IP Performance Page Page Page 18 IP Multicast Overview Page Page Page Page IGMP Snooping Figure81 Multica st packet transmission when IGMP Snooping runs IGMP Snooping Terminology Table308 explains switching terminology relevant to IGMP Snooping. Table308 Switching Terminology relevant to IGMP Snooping Figure82 Implementing IGMP Snooping Table309 explains IGMP Snooping terminology. Table309 IGMP Snooping Terminology Page Page Page Configuring Multicast VLAN Table316 Configure the maximum number of multicast groups on a port (continued) Table317 Configure multicast VLAN on Layer 3 switch Table318 Configure multicast VLAN on Layer 2 switch Page Page Common Multicast Page Page Internet Group Management Protocol (IGMP) Page Page Page Page Page Page PIM-DM Overview Page Page Page Page Displaying and Debugging PIM-DM Figure85 PIM-DM configuration networking PIM-DM Configuration Example Table349 Displaying and debugging PIM-DM PIM-SM Overview Page Page Page Page Page Page Page Figure87 PIM-SM configura tion networking 1On Switch_A: aEnable PIM-SM. 2On Switch_B: aEnable PIM-SM. bConfigure the C-BSR. cConfigure the C-RP. dConfigure PIM domain border. Page Page 19 Brief Introduction to ACL Page Page Page Page Page Page Page QoS Configuration Page Page Page Page Page Page Page Table389 Control Telnet using source IP and destination IP Table388 Control Telnet using source IP Figure92 Perform ACL control over Telnet users of the switch 1Define the basic ACL. 2Reference an ACL. Table390 Control Telnet using Source MAC Page Page Page QoS Profile Page Page Page ACL Control Page Page Page Page 20 RSPAN Features Page Procedures in the Source Switch Procedures in the Intermediate Switch Table404 Configuration procedures in the source switch Table405 Configuration procedures in the intermediate switch Page Page Features of Traffic Statistics Improving the Depth First Order of ACL Matching Displaying Information of the display acl command Subdividing DSCP while Defining ACL Rules The Synchronization Feature of Queue Scheduling for Aggregation Ports Configuring Control Over Telnet Source IP This configuration can be implemented by means of basic ACL, which ranges from 2000 to 2999. Source IP and Destination IP Table409 Control Telnet using source IP Table410 Control Telnet using source IP and destination IP Source MAC Figure103 Perform ACL control over Telnet users of the switch 1Define the basic ACL. 2Reference an ACL. Table411 Control Telnet using Source MAC 21 IEEE 802.1x Overview Page Configuring 802.1x Page Page Page Page Page 802.1x Client Version Checking Page Page Page Page Page Page Page Page Page AAA and RADIUS Protocol Page Page AAA Separation Page AAA Separation 415 Figure108 Network diagram for separate AAA schemes <S5500> system-view 2Create an ISP domain named cams. [S5500] domain cams 3Return to system view. [S5500-isp-cams] quit 4Configure a RADIUS scheme named radius. Page Dynamic VLAN Assignment Figure109 Network diagram for dynamic VLAN assignment 1Create a RADIUS scheme. 2Create an ISP domain and reference the created RADIUS scheme in the domain. 3Configure the VLAN assignment mode to string and return to the system view. 4Create a VLAN and specify a name for the VLAN. 5Set the name of the assigned VLAN to test. Page Page Page Page Page User Re-authentication at Reboot Page Page Page Page Page Page Page Page Page Page Page Page 22 File Attribute File Attribute Table473 Assign attributes to files File Operation Configuring File Page Configuration File Backup and Restoration FTP Overview Page Page Page Page Page TFTP Overview Page MAC Address Table Page Page Page Page Device Management Page Page System Maintenance and Debugging Page Terminating the FTP Connection of a Specified User Restarting the Switch Displaying the State and Information of the System Page Page Testing Tools for Network Connection Introduction to Remote-ping Remote-ping Page Logging Function Page Page Page 1Sending the information to loghost. Table523 Sending the Information to Loghost Table524 Sending the Information to the Control Terminal. 2Sending the information to the control terminal. 3Sending the Information to monitor terminal 4Sending the Information to log buffer. Table527 Sending the Information to Trap Buffer Table526 Sending the Information to Log Buffer 5Sending the Information to trap buffer. 6Sending the Information to SNMP Table528 Sending the Information to SNMP 7Turn on/off the information synchronization Switch in Fabric Figure124 Turn on/off the Information Synchronization Switch in Fabric Sending the Information to Loghost Page Page Page Page Page Page Page Page Page Page Page Page Page Page RMON Configuration Page Page NTP Overview Page NTP Configuration Page Page Page Page Typ ica l NT P Configuration Examples Figure132 Typical NTP Configuration Networking Diagram Configure Switch 1: 1Enter System View. 2Set the local clock as the NTP master clock at stratum 2. Configure Switch 2: 1Enter System View. 2Set SW5500 1 as the NTP server. ...... Page Page Page Page Page SSH Terminal Services Page Page Page Page Page Page Page Page Page File System File System Perform the following file system configuration in user view. Table585 Configure the file system Operation Command Description FTP Lighting Swit ch PC Swit chSwit ch PC Figure145 7Clock wise rotating of the seven-segment digital LED Table586 Upload file from an FTP client to the switch acting as FTP server Device Operation Command Description TFTP Lighting Swit ch PC Swit chSwit ch PC Page 23 Introduction to the Port Tracking Function Port Tracking Figure147 Network diagram for port tracking configuration Configure the master switch. Network 24 SERVER CONFIGURATION Introduction to Dynamically Apply ACL by RADIUS Server Introduction to Dynamically Apply ACL by RADIUS Server Configurations Figure148 Dynamically Apply ACL by RADIUS Server Configurations Page Page Page Page Page 25 Introduction to the Auto Detect Function Auto Detect Implementation Auto Detect Implementation in Static Routing Auto Detect Implementation in VRRP Page Auto Detect Implementation in VLAN Interface Backup Page Page 26 STP Overview Page Page Page Page RSTP Configuration Switch E Switch F Switch G Switch C discussed below. Figure162 Configuring STP Page Page Table596 Enable/Disable RSTP on a Device Page Page Page Page Page Page Page Page RSTP Configuration Switch BSwitch C Switch ESwitch F Switch A Switch D Page Page 27 Introduction to PoE Profile PoE Profile This section contains information on PoE configuration PoE Profile Configuration Tasks PoE Profile Configuration Example Figure164 PoE Profile application Configuration procedures 1Create Profile 1, and enter PoE Profile view. 3Display detailed configuration information for Profile 1. 4Create Profile 2, and enter poe-profile view. 6Display detailed configuration information for Profile 2. Page 28 SNMP Configuration Introduction Table616 MIBs Supported by the Switch (Sheet 1 of 2) Page Page Page Page Page Page Page Figure167 SNMP configura tion example Ethernet NMS 129.102.0.1 129.102.149.23 29 Configuring Source IP Address for Service Packets Table632 Configure source IP address for service packets Displaying the Source IP Address Configuration Table632 Configure source IP address for service packets (continued) Table633 Display the source IP address configuration 30 O The password control feature is designed to manage the following passwords: Table634 Functions provided by password control Function Description Application Page Page Page Page Page Displaying Password Control Page Page Page 31 Introduction to MSDP Page Page Page Page Configuring MSDP Basic Functions Configuring Connection Between MSDP Peers Page Configuring SA Message Transmission Page Page Displaying and Debugging MSDP MSDP Configuration Example Configuration Example of Anycast RP Application Page Page Troubleshooting MSDP Configuration Page 32 Clustering Overview Cluster Page Page Page Management Device Enabling the Cluster Function Configuring cluster parameters manually Configuring Cluster Parameters Table660 Enable the cluster function on a switch Table659 Configure NTDP parameters (continued) Configuring a cluster Automatically Configuring Internal-External Interaction NM Interface for Cluster Management Configuration Preparation Table662 Configure a cluster automatically Member Device Configuring Cluster Parameters Displaying and Maintaining Cluster Configurations Table668 Configure cluster parameters Table669 Display and maintain cluster configurations Clustering Configuration Page Page Figure176 Network diagram for the interfaces of cluster management network Configuring the Switch 5500 switch 1Enter system view. Specify VLAN 3 as the management VLAN. 2Assign port Ethernet 1/0/1 to VLAN 3. 3Configure the IP address of Vlan-interface3 to 192.168.4.30. 4Assign port Ethernet 1/0/2 to VLAN 2. 5Configure the IP address of Vlan-interface2 to 192.168.4.22. Page 33 Configuring HWTACACS This chapter contains information on HWTACACS configuration. HWTACACS configuration tasks Refer to the tasks in Table671 to configure HWTACACS. Table671 HWTACACS configuration Page Page Page Page The real-time accounting interval defaults to 12 minutes. Displaying and Debugging HWTACACS Protocol Table683 Numbers of users and the recommended intervals Table684 Displaying and debugging AAA and RADIUS/HWTACACS protocol HWTACACS Protocol Configuration Page A Introduction CLI Commands Controlling Bootrom Access Bootrom Interface Page Page B CLIENT SETUP Setting Up A RADIUS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Setting Up the RADIUS Client Page Page C WITH CISCO SECURE ACS Cisco Secure ACS (TACACS+) and the 3Com Switch 5500 Setting Up the Cisco Secure ACS (TACACS+) Page Page Page Page Page Page Page Page Page D What is XRN? XRN Terminology Benefits of XRN XRN Features Page Page How to Implement XRNOverview Important Considerations and Recommendations Page Unit ID Numbering Mechanism Network Example using XRN Page Recovering your XRN Network How XRN Interacts with other 3Com Switches How XRN Interacts with other Features Page Page How a Failure affects the Distributed Fabric X