# Apply ACL 3000 to Ethernet 1/0/1 | 3Com 5500G, 4210, 4200G

Configuring Ethernet Frame Header ACLs 209

Product series	Software version	Hardware version

Switch 5500G	Release V03.02.04	All versions
Switch 4500	Release V03.03.00	All versions

Configuration Procedure # Define a periodic time range that is from 8:00 to 18:00 on working days.

<3Com> system-view

[3Com] time-range test 8:00 to 18:00 working-day

# Define advanced ACL 3000 to filter packets destined for the wage query server.

[3Com] acl number 3000

[3Com-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test

[3Com-acl-adv-3000] quit

# Apply ACL 3000 to Ethernet 1/0/1.

[3Com] interface Ethernet 1/0/1 [3Com-Ethernet1/0/1] packet-filter inbound ip-group 3000

Complete Configuration #

acl number 3000

rule 1 deny IP destination 192.168.1.2 0 time-range test

#

interface Ethernet1/0/1

packet-filter inbound ip-group 3000 rule 1

#

time-range test 08:00 to 18:00 working-day

#

Precautions ■ ACL 3998 and ACL 3999 are reserved for cluster management.

■If a packet matches multiple ACL rules at the same time and some actions of the rules conflict, the last assigned rule takes effective.

■For an advanced ACL applied to a port, if a rule defines the TCP/UDP port information, the operator argument can only be eq.

■When applying multiple rules, you are recommended to apply rules in the ascending order of their mask ranges and apply rues with the same mask range at the same time. This is to ensure that the actual operation of the rules is consistent with the requirements.

■Some functions and protocols configured on the device may occupy ACL rule resources. The actual occupation varies with functions and protocols.

Configuring Ethernet Ethernet frame header ACLs filter packets based on Layer 2 header information

Frame Header ACLs such as source and destination MAC addresses, 802.1p priority and type of the Layer 2 protocol.

The numbers of Ethernet frame header ACLs range from 4000 to 4999.

Image 209

3Com 5500G, 4210, 4200G manual # Apply ACL 3000 to Ethernet 1/0/1, Complete Configuration #

Contents

3Com Stackable Switch Family 3Com Corporation Campus Drive Marlborough, MA USA Contents Port Binding Configuration Guide 17 802.1X Configuration Guide XRN Configuration Guide VLAN-VPN Configuration Guide 3COM Stackable Switches Advanced Configuration Guide Conventions About this GuideRelated Documentation SKU Products Supported by this Document Products Supported by this Document About this Guide # Enable the Telnet service on VTY Login Configuration GuideIs manage level level Applicable Products # Set the idle-timeout time of VTY 0 to 6 minutes # Set the history command buffer size to 20 for VTY# Set the authentication password to 123456 in plain text # Enter VTY 0 user interface view Telnet Precautions None # Set the idle-timeout time of AUX 0 to 6 minutes # Set the history command buffer size to 20 for AUXConfigure the authentication mode for console login Requirements Applicable Products # Enter AUX 0 user interface view # Set the authentication mode to scheme for console login Configuring Login Access Control Configuration for WEB login control by source IP address Configuration for Snmp login control by source IP address Login Configuration Guide Configuring Vlan Configuration GuideNetwork Diagram Port-Based Vlan Configuration on Switch B Complete Configuration Configuration on Switch a Protocol-Based Vlan PrecautionsBe disconnected Assign packets to a Vlan by protocol Vlan 200 is numbered Create Vlan 200 and add Ethernet 1/0/12 to Vlan Configuring Protocol-Based Vlan Vlan Configuration Guide IP Address IP Address Configuration GuideConfiguration Guide That they can communicate with each other Interface has obtained an IP address through Bootp or DhcpTo 172.16.2.1 on the hosts in subnet 172.16.2.0/24 # Ping Host B on Host a to verify the connectivity Configuring Voice Voice Vlan Configuration GuidePacket with the voice Vlan ID automatically Voice Vlan # Configure Vlan 2 as the voice Vlan Configuration Procedure # Create Vlan 2 and Vlan# Configure Ethernet 1/0/1 as a trunk port # Enable voice Vlan on Ethernet 1/0/1 Traffic # Enable voice Vlan on Ethernet 1/0/2 Precautions Networking Configuration Requirements Gvrp Configuration Guide Configuration Procedure Configure Switch a # Create Vlan Configure Switch E Configure Switch D# Display the dynamic Vlan information on Switch B # Display the dynamic Vlan information on Switch E SwitchE-Ethernet1/0/1 gvrp registration forbidden Configuration on Switch E Configuration on Switch CConfiguration on Switch D Gvrp Configuration Guide Configuring the Basic Functions of an Ethernet Port Port Basic Configuration Guide # Enter Ethernet port view of Ethernet 1/0/1 # Configure Vlan 100 as the default Vlan of Ethernet 1/0/1Complete Configuration # Configuring Link Link Aggregation Configuration GuideAggregation Networking Manual aggregation mode # Create manual aggregation group Configuration Procedure Manual aggregation mode Complete ConfigurationStatic Lacp aggregation mode Dynamic Lacp aggregation mode Link Aggregation Configuration Guide Configuring Port Port Isolation Configuration GuideNetworking Configuration Requirements Applicable Products Isolation Isolation group that they have joined if any Need to perform the configuration manually for each of themIsolation group automatically Configuration Procedure # Enter system view Port Security Configuration GuideSecurity autolearn Mode Security Mac-authentication Mode # Create a Radius scheme named radius1 Configure Radius parameters # Specify the ISP domain for MAC authentication # Set aabbcc.net as the default user domain# Set the port security mode to mac-authentication # Create a domain named aabbcc.net and enter its view Security Userlogin-withouiMirroring, fabric port, or link aggregation Unique identifier OUI value to pass the port Applicable Products # Set the port security mode to userlogin-withoui Configure port security # Enable port security# Set the maximum number of users of the ISP domain to # Create a local user # Configure port security trapping Configuring Port Security mac-else-userlogin-secure-ext Mode 3Com-isp-aabbcc.net scheme radius-scheme radius1 # Set the maximum number of concurrent 802.1x users # Set the NeedToKnow mode of the port to ntkonly Port Security Configuration Guide # Enter Ethernet 1/0/1 port view on switch a Port Binding Configuration Guide Complete Configuration 3Com MAC Address Table Management Configuration Guide MAC address entry will make the Vlan become a static Vlan Command. Otherwise, the entry will not be added# Add a static MAC address entry Both of the switches support Dldp Dldp Configuration GuideConfiguring Dldp # Configure Dldp to operate in enhanced mode # Enable Dldp globally# Restore the ports brought down by Dldp # Set the interval for sending Dldp packets to 15 seconds Configuring Dldp Dldp Configuration Guide Static Routing Auto Detect Configuration Guide # Create detected group # Configure a static route to Switch CConfigure Switch C # Enter system view Implementation Auto Detect SwitchA system-view SwitchA detect-group Complete Configuration Configure Switch a # Configure an IP address for VLAN-interface# Set the Vrrp priority of Switch B to Vlan Interface Auto Detect Implementation in Vlan Interface Backup Must already exist on Switch C Ip address 10.1.1.4 Auto Detect Configuration Guide Configuring Mstp Mstp Configuration Guide # Activate the MST region configuration manually Configuration on Switch a # Enter MST region view# Specify Switch a as the root bridge of Msti Configuration on Switch B # Enter MST region view Configuration on Switch D # Enter MST region view Configuration on Switch C # Configure the MST region# Specify Switch C as the root bridge of Msti VLAN-VPN Tunneling Network diagram for VLAN-VPN tunneling configuration Configuration on Switch B # Enable Mstp Configuration on Switch a # Enable MstpConfiguration on Switch C # Enable Mstp # Enable VLAN-VPN tunneling Configuration on Switch a Configuration on Switch D # Enable Mstp# Add the trunk port Ethernet 1/0/2 to all the VLANs # Add Ethernet 1/0/2 to Vlan Forwarded along the same spanning tree Configuring RstpNetwork topology to become stable Switch 8800 or Switch # Enable the TC-BPDU attack guard function on Switch a # Enable the root guard function on each designated port 3Com interface Ethernet 1/0/3 3Com-Ethernet1/0/3 stp disable Configuring Digest Snooping and Rapid Transition # Enable digest snooping on the root port Ethernet 1/0/1 # Set the priority of Switch B to# Enable digest snooping on Switch B # Set the priority of Switch C to # Enable rapid transition on the root port Ethernet 1/0/1# Enable digest snooping on Switch C # Enable digest snooping on the root port Ethernet 1/0/2 Configuring Digest Snooping and Rapid Transition Mstp Configuration Guide Configuring Static Routing Configuration GuideRoutes To the peer on each device Configure the hosts Configuration Procedure Configure the switches Routing protocols Configuring RIP Configure Switch C # Configure RIP # Configure RIPConfigure Switch B # Configure RIP Perform the following configuration on Switch B Configuring Ospf # Enable the interfaces in the specified areas to run Ospf # Disable the interfaces from sending Ospf packets Perform the following configuration on Switch B Perform the following configuration on Switch D Network diagram for DR/BDR election Network Diagram Figure # Configure an IP address for the Vlan interface # Assign a router ID to Switch aConfigure Switch B # Assign a router ID to Switch B # Assign a DR priority to the Vlan interface Configure Switch D # Assign a router ID to Switch D Configure Switch C # Assign a router ID to Switch C Area Network 196.1.1.0 Backbone area Configuration Routing table size RequirementsTotally Stub area Nssa area # Configure Ospf for the backbone area ABRs/ASBRs Perform the following configuration on Switch a Perform the following configuration on Switch B Configuration information when area 1 is a stub area Nssa Area Configuration information when area 1 is a totally stub area Network diagram for totally Nssa area configuration Nssa area configuration 1 area 1 is an Nssa area Configuration procedure is omitted Nssa area configuration 3 area 1 is an Nssa area # Configure area 1 as an Nssa areaNssa area configuration 2 area 1 is an Nssa area Vlan Interface Vlan-interface100 Ip address 10.1.1.2 Perform the following configuration on Switch C Route Summarization ConfigurationSingle route and distribute it to other areas Routers Routes through route summarization Network diagram for route summarization configuration # Redistribute the static routes ABR route summarization configuration Based on Ospf basic configuration and area configuration on Asbr route summarization configurationPerform the following configuration From being advertised to any other area Network 20.1.1.0 0.0.0.255 nssa Area Network 10.1.1.0 Configure Asbr route summarization on Switch D Configure Switch C Ip route-static 1.1.7.0 255.255.255.0 30.1.2.2 preference Configure Switch D Virtual Link This case, configuring Ospf virtual links is a solution Configure a virtual link # Configure Switch a Configure Ospf basic functions # Configure Switch a# Configure Switch B Perform the following configuration on Switch B # Configure three static routes # Configure the IP address of the interface # Configure an ACL# Configure a routing policy # Redistribute static routes # Apply ACL 2000 to filter the advertised routes SwitchA-ospf-1 asbr-summary 30.0.0.0 255.0.0.0 not-advertise Ip address 10.0.0.2 Ospf Area Network 10.0.0.0 Routing Configuration Guide Configuring Igmp Multicast Configuration GuideSnooping Control multicast groups Configuring Switch a Configuring Router a# Enable Igmp Snooping globally Verifying the configuration System view otherwise the configuration will not succeed Configuration on Switch a Querier Configuring Igmp Snooping Only # Enable dropping unknown multicast packets # Enable Igmp Snooping querier in VlanConfiguring Switch B Configuring Switch C Verifying the configuration Complete Configuration Configuration on Switch a Configuration on Switch C Configuration on Switch B Receive multicast packets through Vlan OstA OstB Configure Switch B # Enable Igmp Snooping globally SwitchB-vlan10 igmp-snooping enable SwitchB-vlan10 quit Configuring PIM-SM plus Igmp plus Igmp Snooping Configuring PIM-SM plus Igmp plus Igmp Snooping Configuration Plan Mode may vary depending on user requirementsConfiguring multicast protocols Requirement Analysis Host C and verify the configurations made on the switches Two switches# On Switch F, enable Igmp Snooping globally and in Vlan # View the BSR information on Switch E # View the PIM neighboring relationships on Switch E# View the RP information on Switch E # View the PIM routing table on Switch a # View the PIM routing table on Switch E As shown above, Host a and Host C can receive multicast data Configuring simulated joining Complete Configuration Configuration on Switch a Configuration on Switch F Configuration on Switch DConfiguration on Switch E Configuring PIM-DM plus Igmp Network Diagram Network diagram for PIM-DM configuration Dense mode Verifying the configuration Multicast routing-enable Interface Vlan-interface101 Configuring Anycast RP Application Network Diagram Network diagram for anycast RP configuration Configuring Anycast RP Application # Configure an Msdp peer on Switch C Configuring Msdp peers# Configure an Msdp peer on Switch F # View the brief Msdp peer information on Switch F Complete Configuration Configuration on Switch C # View the PIM routing information on Switch F again Configuration on Switch F Access Control 802.1X Configuration Guide # Enable 802.1x on Ethernet 1/0/1 Configuration Procedure # Enable 802.1x globally # Specify the maximum number of users of the user domain to Precautions Configuring Radius AAA Configuration GuideAuthentication for Telnet Users # Associate the ISP domain with the Radius scheme # Configure an ISP domain# Configure a Radius scheme Authentication Configuring DynamicConfiguration of the domain cams Vlan Assignment # Enable guest Vlan on the port # Configure the ISP domain abc as the default ISP domain# Enabled # Enable 802.1x in interface view Hardware capacity Configuring Local System domain # Configure a local user named telnetTelnet users Users through communicating with Tacacs servers # Configure domain hwtacacs to use Hwtacacs scheme hwtac Configuration Procedure # Configure a Hwtacacs scheme Dynamically control their access rights Configuring EADEntire network According to the source IP addresses of the packets # Specify the IP address of the security policy server Quit Domain system Radius-scheme cams Usernameasmacaddress usernameformat command to set the MAC MAC Authentication Configuration GuideConfiguring MAC # Create an ISP domain named aabbcc.net Set the service type to lan-access# Enable MAC authentication globally Configuring MAC Authentication MAC Authentication Configuration Guide LSW B Vrrp Configuration Guide # Set the priority of Switch a in the Vrrp group to Configure Switch a # Configure Vlan# Configure preemptive mode for the Vrrp group Configure Switch B # Configure Vlan Configurations on Switch B Host a Host C # Create Vrrp group # Set the priority of Switch a in Vrrp group 1 to# Set the priority of Switch B in Vrrp group 2 to Tracking Vrrp Interface Vrrp Interface Tracking # Set the interface to be tracked Network Diagram Network diagram for Vrrp port tracking # Configure VLAN-interface Complete Configuration On the master Vrrp Configuration Guide Dhcp Configuration Guide # Enable unauthorized Dhcp server detection Configuration Procedure # Enable Dhcp Dhcp Server Global Address Pool Configuration Guide Dhcp Server Interface Address Pool Configuration Guide SwitchA-Vlan-interface1 dhcp select interface # Map VLAN-interface 1 to Dhcp server group Requirements Dhcp Snooping # Specify Ethernet 1/0/5 as a trusted port Configuration Procedure # Enable Dhcp snooping on the switch Configuration Procedure # Create Vlan Configuration Guide # Enter Ethernet 1/0/1 view and add the port to Vlan # Enable Dhcp accounting# Enter Ethernet 1/0/2 view and add the port to Vlan # Create an address pool on the Dhcp server Dhcp Client Configuration Requirements Applicable Products Interface Vlan-interface1 Ip address dhcp-alloc Configuring Basic ACL Configuration GuideACLs Numbers of basic ACLs range from 2000 to Rules conflict, the last assigned rule takes effective # Apply ACL 3000 to Ethernet 1/0/1 # Apply ACL 4000 to Ethernet 1/0/1 Configuring Specific fields of packets # Apply ACL 5000 to Ethernet 1/0/1Cannot be greater than 79 bytes Are numbered from Offset1 to Offset8 ARP ACL Configuration Guide Configuring Traffic Policing and LR QOS/QOS Profile Configuration Guide Policing action issued the last takes effect Configure traffic policing and LR# Define a rule to match the packets with source IP address Kbps, and drop the packets exceeding the rate limit Configuring Priority Marking and Queue Scheduling 3Com qos cos-local-precedence-map 0 1 2 3 4 5 6 Precautions Note that Configuring Traffic Redirection and Traffic Accounting Configuring Traffic Redirection and Traffic Accounting Configuring QoS Profile Configuring QoS Profile Passed authentication # EnableDefault mode Cannot be applied in the user-based mode Cache Redirection WEB Cache Redirection Configuration Guide WEB Cache Redirection Configuration Guide Configuring Web Cache Redirection WEB Cache Redirection Configuration Guide Mirroring Configuration Guide # Create a local mirroring group Configuration Procedure Configure Switch C Remote port mirroring application Network Diagram Network diagram for remote port mirroring # Configure Vlan 10 as the remote-probe Vlan Configuration on the intermediate switch Switch B Configuration on the source switch Switch a Configuration on the destination switch Switch C Traffic Mirroring Configuration 237 Mirroring Configuration Guide Configuration XRN Configuration Guide Fabric Cable Connection Fabric cable connection mode of Switch 5500sFabric cable connection mode of Switch 5500Gs switches # Configure the unit name as Unit1 Configure Switch a # Bring up the fabric ports# Configure the unit ID as # Configure the unit name as Unit2 # Configure the fabric name as helloConfigure Switch B # Bring up the fabric ports XRN fabric configuration on Switch 5500Gs switches Configurations on Switch a Complete Configuration Complete configuration on the SwitchComplete configuration on Switch 5500Gs switches XRN Fabric Configuration XRN Configuration Guide Cluster Configuration Guide # Enable the cluster function # Enable Ntdp globally and on Ethernet 1/0/1# Configure the IP address for VLAN-interface 2 as # Disable NDP on Ethernet 1/0/1 of the management device # Set the holdtime of NDP information to 200 seconds # Enable NDP on Ethernet 1/0/2 and Ethernet 1/0/3# Set the topology collection range to two hops # Set the topology collection interval to three minutes # Name and build a cluster Precautions Configurations on the management device Connection information of the management switch # Configure the IP address of VLAN-interface 3 as # Configure the IP address of VLAN-interface 2 as Cluster Switch B is connected to Switch E through Ethernet 1/0/3 Member switchesSwitch B is connected to Switch F through Ethernet 1/0/4 # Enable Ntdp globally # Set the holdtime of NDP information to 300 seconds Aaa0.3Com-cluster tftp-server Aaa0.3Com-cluster snmp-host Complete Configuration Implement power supply and data transmission simultaneously POE/POE Profile Configuration GuidePoE Configuration SwitchA poe power-management auto PoE Profile Features of PoE profile SwitchA system-view SwitchA poe-profile Profile1 # Create Profile2 and enter PoE profile view Precautions # Enable UDP Helper on Switch a UDP Helper Configuration GuideUDP Helper Processing Default ports Addressing Configuration and IP Performance ConfigurationBroadcasts containing the destination UDP port number # Specify the destination server on VLAN-interface Configuration Procedure Configuring the switch Snmp agent SNMP-RMON Configuration Guide Configuring the NMS 3Com rmon event 1 log 3Com rmon event 2 trap Precautions None NTP Client/Server NTP Configuration GuideMode Configuration # Set Device a as the time server NTP Symmetric Peers Mode ConfigurationConfiguration Procedure Configure Device C NTP Broadcast Mode Configuration # View NTP session information of Device D Configuration on Device aConfiguration on Device D Respectively NTP Multicast Mode ConfigurationMulticast through its VLAN-interface Configuration Level Requirements NTP Client/Server Mode with Authentication Configuration Configuration Procedure Configure Device B Configuration on Device a # Generate an RSA key pair SSH Configuration GuideConfiguration Procedure Configure the SSH server # Enable the user interfaces to support SSH # Set the authentication mode for the user interfaces to AAA SSH client configuration interface SSH client configuration interface RSA authentication # Set the client’s command privilege level to Client key pair generation interface # Assign the public key Switch001 to client client001 Client key pair generation interface Client key pair generation interface SSH client configuration interface SSH client configuration interface SSH client configuration interface Configuration Procedure Configure Switch B # Establish a connection to the server Complete Configuration Configure Switch B Authentication-mode scheme Protocol inbound ssh # Configure the client public key Switch001 # Display the host public key SSH server SSH client # Generate an RSA key pair # Display the client host public key # Display the server host public key # Specify the server public key on the client # Disable first-time authentication# Configure the server public key Switch002 on the client 2BE0F7AD # Create a local user named client001 Configuring Sftp# Configure the authentication method as password # Enable the Sftp server # Specify the service type as Sftp # Exit Sftp Interface Vlan-interface1 Ip address 192.168.0.2 SSH Configuration Guide Configuration Procedure Configure the switch FTP and Tftp Configuration Guide # Download file config.cfg # Switch data transfer mode to binary Complete Configuration Configure the switch 3Com ftp Ftp As Tftp Client Configuring a SwitchFlash memory before downloading the file Menu to remove them Vlan Interface Vlan-interface1 Ip address 1.1.1.1 Outputting Log Information to a Unix Log Host Information Center Configuration Guide Complete Configuration Configuration on the switch Configuration on the log host# Execute the following commands as a root user Outputting Log Information to a Linux Log Host Through the same channel 3Com undo info-center source default channel channel6 Complete Configuration # Outputting Log Information to Console Configuration Procedure # Enable the information center# Enable terminal display Displaying the Time Stamp with the UTC Time Zone Use of the Facility Argument in Log Information Output SwitchAinfo-center enable Simple way VLAN-VPN Configuration GuideInner tag will be used for packet forwarding Gvrp Ntdp STP Configuration Procedure # Set the Tpid value of Ethernet 1/0/22 to # Set the Tpid value of Ethernet 1/0/12 to Packets of all VLANs Tunnel # Disable NDP on Ethernet 1/0/1 Configuration Procedure Configure ProvideConfigure Provide # Disable NDP on Ethernet 1/0/4 # Enable Bpdu tunnel for NDP BPDUs on Ethernet 1/0/4 Configure Provider Complete Configuration Configure Provider Icmp Test Network diagram REMOTE-PING Configuration GuideNetworking and configuration requirements Remote-ping # Configure the test type as Icmp # Enable the Remote-ping client# Configure the destination IP address as # Configure the number of probes in one test as DNS Configuration Guide # Configure com as the DNS suffix Name ResolutionDynamic Domain Translate them into correct IP addresses DNS server. The DNS server works normally Configurations are done on the devices DNS Configuration Guide Management Access Management Configuration GuideConfiguring Access Can take effect # Enable access management on Switch aVlan to which the port belongs Configuring Access Management with Port Isolation # Add Ethernet 1/0/2 to the isolation group Precautions Refer to Precautions on page 334 for details# Add Ethernet 1/0/1 to the isolation group