# Enable access management on Switch a, Can take effect | 3Com 4210

334CHAPTER 38: ACCESS MANAGEMENT CONFIGURATION GUIDE

■Permit all the PCs of organization 1 to access the Internet through Ethernet 1/0/1 on Switch A. Ethernet 1/0/1 carries VLAN 1. The IP address assigned to the interface of VLAN 1 is 202.10.20.200/24.

■PCs that do not belong to organization 1, such as PC 2 and PC 3, are not allowed to access the Internet through Ethernet 1/0/1 on Switch A.

Applicable Products

Product series	Software version	Hardware version

Switch 5500	Release V03.02.04	All versions
Switch 5500G	Release V03.02.04	All versions
Switch 4500	Release V03.03.00	All versions

Configuration Procedure	# Enable access management on Switch A.
	[SwitchA] am enable
	# Configure the IP address of VLAN-interface 1 as 202.10.20.200/24.
	[SwitchA] interface Vlan-interface 1
	[SwitchA-Vlan-interface1] ip address 202.10.20.200 24
	[SwitchA-Vlan-interface1] quit
	# Configure an access management IP address pool for Ethernet 1/0/1.
	[SwitchA] interface Ethernet 1/0/1
	[SwitchA-Ethernet1/0/1] am ip-pool 202.10.20.1 20
Complete Configuration	#
	am enable
	#
	interface Vlan-interface1
	ip address 202.10.20.200 255.255.255.0
	#
	interface Ethernet1/0/1
	am ip-pool 202.10.20.1 20
	#
Precautions	■ The IP addresses in the access management IP address pool configured for a
	port must be on the same segment as the VLAN-interface IP address of the
	VLAN to which the port belongs.
	■ If the access management IP address pool to be configured for a port contains
	an IP address in a static ARP entry of another port, the system will ask you to
	delete the ARP entry to ensure that the access management IP address pool
	can take effect.
	■ To allow only the hosts bound with a port and with their IP addresses in the
	access management IP address pool of the port to access external networks,
	configure static ARP entries only for IP addresses in the address pool.

Image 334

3Com 4210, 5500G, 4200G manual # Enable access management on Switch a, Vlan to which the port belongs, Can take effect

Contents

3Com Stackable Switch Family 3Com Corporation Campus Drive Marlborough, MA USA Contents Port Binding Configuration Guide 17 802.1X Configuration Guide XRN Configuration Guide VLAN-VPN Configuration Guide 3COM Stackable Switches Advanced Configuration Guide Related About this GuideConventions Documentation Products Supported by this Document SKU Products Supported by this Document About this Guide Is manage level level Login Configuration Guide# Enable the Telnet service on VTY Applicable Products # Set the authentication password to 123456 in plain text # Set the history command buffer size to 20 for VTY# Set the idle-timeout time of VTY 0 to 6 minutes # Enter VTY 0 user interface view Precautions None Telnet Configure the authentication mode for console login # Set the history command buffer size to 20 for AUX# Set the idle-timeout time of AUX 0 to 6 minutes Requirements Applicable Products # Set the authentication mode to scheme for console login # Enter AUX 0 user interface view Configuring Login Access Control Configuration for Snmp login control by source IP address Configuration for WEB login control by source IP address Login Configuration Guide Network Diagram Vlan Configuration GuideConfiguring Port-Based Vlan Complete Configuration Configuration on Switch a Configuration on Switch B Be disconnected PrecautionsProtocol-Based Vlan Assign packets to a Vlan by protocol Create Vlan 200 and add Ethernet 1/0/12 to Vlan Vlan 200 is numbered Configuring Protocol-Based Vlan Vlan Configuration Guide Configuration Guide IP Address Configuration GuideIP Address To 172.16.2.1 on the hosts in subnet 172.16.2.0/24 Interface has obtained an IP address through Bootp or DhcpThat they can communicate with each other # Ping Host B on Host a to verify the connectivity Packet with the voice Vlan ID automatically Voice Vlan Configuration GuideConfiguring Voice Voice Vlan # Configure Ethernet 1/0/1 as a trunk port Configuration Procedure # Create Vlan 2 and Vlan# Configure Vlan 2 as the voice Vlan # Enable voice Vlan on Ethernet 1/0/1 # Enable voice Vlan on Ethernet 1/0/2 Traffic Precautions Gvrp Configuration Guide Networking Configuration Requirements Configuration Procedure Configure Switch a # Display the dynamic Vlan information on Switch B Configure Switch D# Create Vlan Configure Switch E # Display the dynamic Vlan information on Switch E SwitchE-Ethernet1/0/1 gvrp registration forbidden Configuration on Switch D Configuration on Switch CConfiguration on Switch E Gvrp Configuration Guide Port Basic Configuration Guide Configuring the Basic Functions of an Ethernet Port Complete Configuration # # Configure Vlan 100 as the default Vlan of Ethernet 1/0/1# Enter Ethernet port view of Ethernet 1/0/1 Aggregation Link Aggregation Configuration GuideConfiguring Link Networking Configuration Procedure Manual aggregation mode # Create manual aggregation group Static Lacp aggregation mode Complete ConfigurationManual aggregation mode Dynamic Lacp aggregation mode Link Aggregation Configuration Guide Networking Configuration Requirements Applicable Products Port Isolation Configuration GuideConfiguring Port Isolation Isolation group automatically Need to perform the configuration manually for each of themIsolation group that they have joined if any Security autolearn Port Security Configuration GuideConfiguration Procedure # Enter system view Mode Security Mac-authentication Mode Configure Radius parameters # Create a Radius scheme named radius1 # Set the port security mode to mac-authentication # Set aabbcc.net as the default user domain# Specify the ISP domain for MAC authentication # Create a domain named aabbcc.net and enter its view Mirroring, fabric port, or link aggregation Userlogin-withouiSecurity Unique identifier OUI value to pass the port Applicable Products # Set the maximum number of users of the ISP domain to Configure port security # Enable port security# Set the port security mode to userlogin-withoui # Create a local user # Configure port security trapping Configuring Port Security mac-else-userlogin-secure-ext Mode 3Com-isp-aabbcc.net scheme radius-scheme radius1 # Set the NeedToKnow mode of the port to ntkonly # Set the maximum number of concurrent 802.1x users Port Security Configuration Guide Port Binding Configuration Guide # Enter Ethernet 1/0/1 port view on switch a Complete Configuration 3Com MAC Address Table Management Configuration Guide # Add a static MAC address entry Command. Otherwise, the entry will not be addedMAC address entry will make the Vlan become a static Vlan Configuring Dldp Dldp Configuration GuideBoth of the switches support Dldp # Restore the ports brought down by Dldp # Enable Dldp globally# Configure Dldp to operate in enhanced mode # Set the interval for sending Dldp packets to 15 seconds Configuring Dldp Dldp Configuration Guide Auto Detect Configuration Guide Static Routing Configure Switch C # Enter system view # Configure a static route to Switch C# Create detected group Auto Detect Implementation SwitchA system-view SwitchA detect-group # Set the Vrrp priority of Switch B to # Configure an IP address for VLAN-interfaceComplete Configuration Configure Switch a Vlan Interface Auto Detect Implementation in Vlan Interface Backup Must already exist on Switch C Ip address 10.1.1.4 Auto Detect Configuration Guide Mstp Configuration Guide Configuring Mstp # Specify Switch a as the root bridge of Msti Configuration on Switch a # Enter MST region view# Activate the MST region configuration manually Configuration on Switch B # Enter MST region view # Specify Switch C as the root bridge of Msti Configuration on Switch C # Configure the MST regionConfiguration on Switch D # Enter MST region view Network diagram for VLAN-VPN tunneling configuration VLAN-VPN Tunneling Configuration on Switch C # Enable Mstp Configuration on Switch a # Enable MstpConfiguration on Switch B # Enable Mstp # Enable VLAN-VPN tunneling # Add the trunk port Ethernet 1/0/2 to all the VLANs Configuration on Switch D # Enable MstpConfiguration on Switch a # Add Ethernet 1/0/2 to Vlan Network topology to become stable Configuring RstpForwarded along the same spanning tree Switch 8800 or Switch # Enable the TC-BPDU attack guard function on Switch a # Enable the root guard function on each designated port 3Com interface Ethernet 1/0/3 3Com-Ethernet1/0/3 stp disable Configuring Digest Snooping and Rapid Transition # Enable digest snooping on Switch B # Set the priority of Switch B to# Enable digest snooping on the root port Ethernet 1/0/1 # Enable digest snooping on Switch C # Enable rapid transition on the root port Ethernet 1/0/1# Set the priority of Switch C to # Enable digest snooping on the root port Ethernet 1/0/2 Configuring Digest Snooping and Rapid Transition Mstp Configuration Guide Routes Routing Configuration GuideConfiguring Static To the peer on each device Configuration Procedure Configure the switches Configure the hosts Configuring RIP Routing protocols Configure Switch B # Configure RIP # Configure RIPConfigure Switch C # Configure RIP Perform the following configuration on Switch B Configuring Ospf # Disable the interfaces from sending Ospf packets # Enable the interfaces in the specified areas to run Ospf Perform the following configuration on Switch B Perform the following configuration on Switch D Network Diagram Figure Network diagram for DR/BDR election Configure Switch B # Assign a router ID to Switch B # Assign a router ID to Switch a# Configure an IP address for the Vlan interface # Assign a DR priority to the Vlan interface Configure Switch C # Assign a router ID to Switch C Configure Switch D # Assign a router ID to Switch D Area Network 196.1.1.0 Totally Stub area Configuration Routing table size RequirementsBackbone area Nssa area # Configure Ospf for the backbone area Perform the following configuration on Switch a ABRs/ASBRs Perform the following configuration on Switch B Configuration information when area 1 is a stub area Configuration information when area 1 is a totally stub area Nssa Area Network diagram for totally Nssa area configuration Configuration procedure is omitted Nssa area configuration 1 area 1 is an Nssa area Nssa area configuration 2 area 1 is an Nssa area # Configure area 1 as an Nssa areaNssa area configuration 3 area 1 is an Nssa area Vlan Interface Vlan-interface100 Ip address 10.1.1.2 Perform the following configuration on Switch C Single route and distribute it to other areas ConfigurationRoute Summarization Routers Network diagram for route summarization configuration Routes through route summarization ABR route summarization configuration # Redistribute the static routes Perform the following configuration Asbr route summarization configurationBased on Ospf basic configuration and area configuration on From being advertised to any other area Network 20.1.1.0 0.0.0.255 nssa Area Network 10.1.1.0 Configure Asbr route summarization on Switch D Configure Switch C Ip route-static 1.1.7.0 255.255.255.0 30.1.2.2 preference Configure Switch D This case, configuring Ospf virtual links is a solution Virtual Link # Configure Switch B Configure Ospf basic functions # Configure Switch aConfigure a virtual link # Configure Switch a Perform the following configuration on Switch B # Configure three static routes # Configure a routing policy # Configure an ACL# Configure the IP address of the interface # Apply ACL 2000 to filter the advertised routes # Redistribute static routes SwitchA-ospf-1 asbr-summary 30.0.0.0 255.0.0.0 not-advertise Ip address 10.0.0.2 Ospf Area Network 10.0.0.0 Routing Configuration Guide Snooping Multicast Configuration GuideConfiguring Igmp Control multicast groups # Enable Igmp Snooping globally Configuring Router aConfiguring Switch a Verifying the configuration Configuration on Switch a System view otherwise the configuration will not succeed Configuring Igmp Snooping Only Querier Configuring Switch B # Enable Igmp Snooping querier in Vlan# Enable dropping unknown multicast packets Configuring Switch C Verifying the configuration Complete Configuration Configuration on Switch a Configuration on Switch B Configuration on Switch C OstA OstB Receive multicast packets through Vlan Configure Switch B # Enable Igmp Snooping globally SwitchB-vlan10 igmp-snooping enable SwitchB-vlan10 quit Configuring PIM-SM plus Igmp plus Igmp Snooping Configuring PIM-SM plus Igmp plus Igmp Snooping Configuring multicast protocols Mode may vary depending on user requirementsConfiguration Plan Requirement Analysis # On Switch F, enable Igmp Snooping globally and in Vlan Two switchesHost C and verify the configurations made on the switches # View the RP information on Switch E # View the PIM neighboring relationships on Switch E# View the BSR information on Switch E # View the PIM routing table on Switch a # View the PIM routing table on Switch E Configuring simulated joining As shown above, Host a and Host C can receive multicast data Complete Configuration Configuration on Switch a Configuration on Switch E Configuration on Switch DConfiguration on Switch F Configuring PIM-DM plus Igmp Dense mode Network Diagram Network diagram for PIM-DM configuration Verifying the configuration Multicast routing-enable Interface Vlan-interface101 Configuring Anycast RP Application Network Diagram Network diagram for anycast RP configuration Configuring Anycast RP Application # Configure an Msdp peer on Switch F Configuring Msdp peers# Configure an Msdp peer on Switch C # View the brief Msdp peer information on Switch F # View the PIM routing information on Switch F again Complete Configuration Configuration on Switch C Configuration on Switch F 802.1X Configuration Guide Access Control Configuration Procedure # Enable 802.1x globally # Enable 802.1x on Ethernet 1/0/1 # Specify the maximum number of users of the user domain to Precautions Authentication for AAA Configuration GuideConfiguring Radius Telnet Users # Configure a Radius scheme # Configure an ISP domain# Associate the ISP domain with the Radius scheme Configuration of the domain cams Configuring DynamicAuthentication Vlan Assignment # Enabled # Configure the ISP domain abc as the default ISP domain# Enable guest Vlan on the port # Enable 802.1x in interface view Configuring Local Hardware capacity Telnet users # Configure a local user named telnetSystem domain Users through communicating with Tacacs servers Configuration Procedure # Configure a Hwtacacs scheme # Configure domain hwtacacs to use Hwtacacs scheme hwtac Entire network Configuring EADDynamically control their access rights According to the source IP addresses of the packets # Specify the IP address of the security policy server Quit Domain system Radius-scheme cams Configuring MAC MAC Authentication Configuration GuideUsernameasmacaddress usernameformat command to set the MAC # Enable MAC authentication globally Set the service type to lan-access# Create an ISP domain named aabbcc.net Configuring MAC Authentication MAC Authentication Configuration Guide Vrrp Configuration Guide LSW B # Configure preemptive mode for the Vrrp group Configure Switch a # Configure Vlan# Set the priority of Switch a in the Vrrp group to Configure Switch B # Configure Vlan Configurations on Switch B Host a Host C # Set the priority of Switch B in Vrrp group 2 to # Set the priority of Switch a in Vrrp group 1 to# Create Vrrp group Vrrp Interface Tracking Vrrp Interface Tracking # Set the interface to be tracked Network Diagram Network diagram for Vrrp port tracking # Configure VLAN-interface Complete Configuration On the master Vrrp Configuration Guide Dhcp Configuration Guide Configuration Procedure # Enable Dhcp # Enable unauthorized Dhcp server detection Dhcp Server Global Address Pool Configuration Guide Dhcp Server Interface Address Pool Configuration Guide SwitchA-Vlan-interface1 dhcp select interface Requirements # Map VLAN-interface 1 to Dhcp server group Dhcp Snooping Configuration Procedure # Enable Dhcp snooping on the switch # Specify Ethernet 1/0/5 as a trusted port Configuration Guide Configuration Procedure # Create Vlan # Enter Ethernet 1/0/2 view and add the port to Vlan # Enable Dhcp accounting# Enter Ethernet 1/0/1 view and add the port to Vlan # Create an address pool on the Dhcp server Configuration Requirements Applicable Products Dhcp Client Interface Vlan-interface1 Ip address dhcp-alloc ACLs ACL Configuration GuideConfiguring Basic Numbers of basic ACLs range from 2000 to Rules conflict, the last assigned rule takes effective # Apply ACL 3000 to Ethernet 1/0/1 # Apply ACL 4000 to Ethernet 1/0/1 Configuring Cannot be greater than 79 bytes # Apply ACL 5000 to Ethernet 1/0/1Specific fields of packets Are numbered from Offset1 to Offset8 ARP ACL Configuration Guide QOS/QOS Profile Configuration Guide Configuring Traffic Policing and LR # Define a rule to match the packets with source IP address Configure traffic policing and LRPolicing action issued the last takes effect Kbps, and drop the packets exceeding the rate limit Configuring Priority Marking and Queue Scheduling 3Com qos cos-local-precedence-map 0 1 2 3 4 5 6 Precautions Note that Configuring Traffic Redirection and Traffic Accounting Configuring Traffic Redirection and Traffic Accounting Configuring QoS Profile Configuring QoS Profile Default mode # EnablePassed authentication Cannot be applied in the user-based mode WEB Cache Redirection Configuration Guide Cache Redirection WEB Cache Redirection Configuration Guide Configuring Web Cache Redirection WEB Cache Redirection Configuration Guide Mirroring Configuration Guide Configuration Procedure Configure Switch C # Create a local mirroring group Remote port mirroring application Network Diagram Network diagram for remote port mirroring # Configure Vlan 10 as the remote-probe Vlan Configuration on the source switch Switch a Configuration on the intermediate switch Switch B Configuration on the destination switch Switch C Configuration Traffic Mirroring 237 Mirroring Configuration Guide XRN Configuration Guide Configuration Fabric cable connection mode of Switch 5500Gs switches Fabric cable connection mode of Switch 5500sFabric Cable Connection # Configure the unit ID as Configure Switch a # Bring up the fabric ports# Configure the unit name as Unit1 Configure Switch B # Bring up the fabric ports # Configure the fabric name as hello# Configure the unit name as Unit2 XRN fabric configuration on Switch 5500Gs switches Complete configuration on Switch 5500Gs switches Complete Configuration Complete configuration on the SwitchConfigurations on Switch a XRN Fabric Configuration XRN Configuration Guide Cluster Configuration Guide # Configure the IP address for VLAN-interface 2 as # Enable Ntdp globally and on Ethernet 1/0/1# Enable the cluster function # Disable NDP on Ethernet 1/0/1 of the management device # Set the topology collection range to two hops # Enable NDP on Ethernet 1/0/2 and Ethernet 1/0/3# Set the holdtime of NDP information to 200 seconds # Set the topology collection interval to three minutes # Name and build a cluster Configurations on the management device Precautions # Configure the IP address of VLAN-interface 3 as Connection information of the management switch # Configure the IP address of VLAN-interface 2 as Cluster Switch B is connected to Switch F through Ethernet 1/0/4 Member switchesSwitch B is connected to Switch E through Ethernet 1/0/3 # Enable Ntdp globally # Set the holdtime of NDP information to 300 seconds Aaa0.3Com-cluster tftp-server Aaa0.3Com-cluster snmp-host Complete Configuration PoE Configuration POE/POE Profile Configuration GuideImplement power supply and data transmission simultaneously SwitchA poe power-management auto Features of PoE profile PoE Profile SwitchA system-view SwitchA poe-profile Profile1 # Create Profile2 and enter PoE profile view Precautions UDP Helper UDP Helper Configuration Guide# Enable UDP Helper on Switch a Processing Broadcasts containing the destination UDP port number Addressing Configuration and IP Performance ConfigurationDefault ports # Specify the destination server on VLAN-interface SNMP-RMON Configuration Guide Configuration Procedure Configuring the switch Snmp agent Configuring the NMS 3Com rmon event 1 log 3Com rmon event 2 trap Precautions None Mode Configuration NTP Configuration GuideNTP Client/Server Configuration Procedure Configure Device C NTP Symmetric Peers Mode Configuration# Set Device a as the time server NTP Broadcast Mode Configuration Configuration on Device D Configuration on Device a# View NTP session information of Device D Multicast through its VLAN-interface NTP Multicast Mode ConfigurationRespectively NTP Client/Server Mode with Authentication Configuration Configuration Level Requirements Configuration Procedure Configure Device B Configuration on Device a Configuration Procedure Configure the SSH server SSH Configuration Guide# Generate an RSA key pair # Set the authentication mode for the user interfaces to AAA # Enable the user interfaces to support SSH SSH client configuration interface SSH client configuration interface # Set the client’s command privilege level to RSA authentication # Assign the public key Switch001 to client client001 Client key pair generation interface Client key pair generation interface Client key pair generation interface SSH client configuration interface SSH client configuration interface SSH client configuration interface Configuration Procedure Configure Switch B Complete Configuration Configure Switch B # Establish a connection to the server Authentication-mode scheme Protocol inbound ssh # Configure the client public key Switch001 # Display the host public key SSH server SSH client # Generate an RSA key pair # Display the server host public key # Display the client host public key # Configure the server public key Switch002 on the client # Disable first-time authentication# Specify the server public key on the client 2BE0F7AD # Configure the authentication method as password Configuring Sftp# Create a local user named client001 # Specify the service type as Sftp # Enable the Sftp server # Exit Sftp Interface Vlan-interface1 Ip address 192.168.0.2 SSH Configuration Guide FTP and Tftp Configuration Guide Configuration Procedure Configure the switch # Switch data transfer mode to binary # Download file config.cfg Complete Configuration Configure the switch 3Com ftp Ftp Flash memory before downloading the file Configuring a SwitchAs Tftp Client Menu to remove them Vlan Interface Vlan-interface1 Ip address 1.1.1.1 Information Center Configuration Guide Outputting Log Information to a Unix Log Host # Execute the following commands as a root user Configuration on the log hostComplete Configuration Configuration on the switch Outputting Log Information to a Linux Log Host Through the same channel 3Com undo info-center source default channel channel6 Complete Configuration # # Enable terminal display Configuration Procedure # Enable the information centerOutputting Log Information to Console Displaying the Time Stamp with the UTC Time Zone Use of the Facility Argument in Log Information Output SwitchAinfo-center enable Inner tag will be used for packet forwarding VLAN-VPN Configuration GuideSimple way Configuration Procedure Gvrp Ntdp STP # Set the Tpid value of Ethernet 1/0/12 to # Set the Tpid value of Ethernet 1/0/22 to Tunnel Packets of all VLANs Configure Provide # Disable NDP on Ethernet 1/0/4 Configuration Procedure Configure Provide# Disable NDP on Ethernet 1/0/1 # Enable Bpdu tunnel for NDP BPDUs on Ethernet 1/0/4 Complete Configuration Configure Provider Configure Provider Networking and configuration requirements REMOTE-PING Configuration GuideIcmp Test Network diagram Remote-ping # Configure the destination IP address as # Enable the Remote-ping client# Configure the test type as Icmp # Configure the number of probes in one test as DNS Configuration Guide Dynamic Domain Name Resolution# Configure com as the DNS suffix Translate them into correct IP addresses Configurations are done on the devices DNS server. The DNS server works normally DNS Configuration Guide Configuring Access Access Management Configuration GuideManagement Vlan to which the port belongs # Enable access management on Switch aCan take effect Configuring Access Management with Port Isolation # Add Ethernet 1/0/1 to the isolation group Precautions Refer to Precautions on page 334 for details# Add Ethernet 1/0/2 to the isolation group