3Com 4200G, 4210, 5500, 5500G 9

9PORT SECURITY CONFIGURATION

GUIDE

Configuring Port

Security autolearn

Mode

In autolearn mode, a port can learn a specified number of MAC addresses and

save those addresses as secure MAC addresses. Once the number of secure MAC

addresses learnt by the port exceeds the upper limit defined by the port-security

max-mac-count command, the port transits to the secure mode. In secure mode,

a port does not save any new secure MAC addresses and permits only packets

whose source addresses are secure MAC address or configured dynamic MAC

addresses.

Network Diagram Figure12 Network diagram for configuring port security autolear n mode

Networking and

Configuration

Requirements

On port Ethernet 1/0/1 of the switch, perform configurations to meet the

following requirements:

■Allow a maximum of 80 users to access the port without authentication, and

save the automatically learned user MAC addresses as secure MAC addresses.

■To ensure that the host can access the network, add the MAC address

0001-0002-0003 as a secure MAC address to VLAN 1 on the port.

■Once the number of secure MAC addresses reaches 80, the port stops MAC

address learning. If any frame with an unknown source MAC address arrives,

intrusion protection is triggered and the port is disabled and kept silent for 30

seconds.

Applicable Products

Configuration Procedure # Enter system view.

<3Com> system-view

# Enable port security.

[3Com] port-security enable

Internet

SwitchHost

Eth1/0/1

MAC:0001-0002-0003

Product series Software version Hardware version

Switch 5500 Release V03.02.04 All versions

Switch 5500G Release V03.02.04 All versions

Switch 4500 R elease V03.03.00 All versions

Contents

Main 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 C 1 2 3 4 9 10 11 12 13 17 18 19 20 21 25 26 27 28 29 34 35 36 37 38 Page ABOUT THIS GUIDE n c Conventions Related Documentation Products Supported by this Document Page Page 1 n Logging In from the Console Port Page Complete Configuration Telnet login configuration with the authentication mode being none You can telnet to your switch to manage and maintain it remotely. Logging In Through Tel ne t Page Page Configuring Login Access Control # Reference ACL 2000 to control Telnet login by source IP address. # Reference ACL 2000 to control SNMP login by source IP address. # Reference ACL 2000 to control WEB login by source IP address. Complete Configuration Configuration for Telnet login control by source IP address Page 2 Configuring Port-Based VLAN # Create VLAN 101 on Switch B, and add Ethernet 1/0/11 to VLAN 101. # Create VLAN 201 on Switch B, and add Ethernet 1/0/12 to VLAN 201. Complete Configuration Configuration on Switch A Configuring Protocol-Based VLAN n Page Page 3 IP Address Page 4 Configuring Voice VLAN Page n Precautions 5 Configuring GVRP Page n Page Page Page 6 Configuring the Basic Functions of an Ethernet Port n 7 Configuring Link Aggregation n Page Page 8 Configuring Port Isolation Page 9 Configuring Port Security autolearn Configuring Port Security mac-authentication Page Page Configuring Port Security userlogin-withoui Page Page # Configure port security trapping. Configuring Port Security mac-else-userlogin-sec ure-ext Mode Page Page Page 10 Configuring a Port Binding Page 11 MAC Address Table Management Page 12 Configuring DLDP Page Page Page 13 Auto Detect Implementation in Static Routing Page n Auto Detect Implementation in VRRP Page n Auto Detect Implementation in VLAN Interface Backup Page Page Page Page 14 Configuring MSTP Page Page Configuring VLAN-VPN Tunneling Page Page Configuring RSTP n Page Page Page Configuring Digest Snooping and Rapid Tran sit ion Page Page Page Page 15 Configuring Static Routes Page Configuring RIP Configuration Procedure Configure Switch A. Page Configuring OSPF Page Page Page Configuring OSPF DR Election Page Page Page Configuring a (Totally) Stub Area Page n Page Configuration information when area 1 is a stub area: Refer to the configuration of Switch B when area 1 is a non-backbone area. Configuring a (Totally) NSSA Area Page Page Page n Page Configuring OSPF Route Summarization Page Page n Page ASBR route summarization configuration 1 n Page ASBR route summarization configuration 2 n translated from Type-7 LSAs. Page Configuring OSPF Virtual Link Configuration Procedure 1Configure OSPF basic functions. # Configure Switch A. # Configure Switch B. 2Configure a virtual link. # Configure Switch A. # Configure Switch B. Precautions Both ends of a virtual link must be ABRs configured with the vlink-peer command. Configuring Routing Policies Page Page Page Page Page Page 16 Configuring IGMP Snooping Page Page Configuring IGMP Snooping Only c Page Page Configuring Multicast VLAN Page Page Page Configuring PIM-SM plus IGMP plus IGMP Snooping Page Page n # View the BSR information on Switch E. # View the RP information on Switch E. # View the PIM routing table on Switch A. # View the PIM routing table on Switch E. # View multicast group entries created by IGMP Snooping on Switch F. Page Page Configuration on Switch E Configuration on Switch F Configuring PIM-DM plus IGMP Page Page Complete Configuration Configuration on Switch A Configuring Anycast RP Application Page Page Page # View the PIM routing information on Switch F again. Complete Configuration Configuration on Switch C Configuration on Switch F 17 n Configuring 802.1x Access Control Page Page Page 18 Configuring RADIUS Authentication for Telnet Users Page Configuring Dynamic VLAN Assignment with RADIUS Page Configuring Local Authentication for Telnet Users Configuring HWTACACS Authentication for Teln et Use rs Page Configuring EAD Page Page 19 Configuring MAC Page Page Page 20 Single VRRP Group n Page Multiple VRRP Groups Page VRRP Interface Trac kin g Page Page VRRP Port Tracking Page Page Page 21 DHCP Server Global Address Pool Page Page DHCP Server Interface Address Pool DHCP Relay Agent Page DHCP Snooping Page DHCP Accounting Page DHCP Client Page 22 Configuring Basic ACLs Configuring Advanced ACLs Configuring Ethernet Frame Header ACLs Page Configuring User-Defined ACLs Page Page Page 23 Configuring Traffic Policing and LR n Page Configuring Priority Marking and Queue Scheduling n Page Page Configuring Traffic Redirection and Traffic Accounting Page Configuring QoS Profile Page Page 24 Configuring Web Cache Redirection Page Page Page 25 Local Port Mirroring Page Remote Port Mirroring Page Page # Configure the destination port and remote-probe VLAN for the remote destination mirroring group. # Configure Ethernet 1/0/1 as a Trunk port, allowing packets of VLAN 10 to pass. Complete Configuration 1Configuration on the source switch (Switch A) 2Configuration on the intermediate switch (Switch B) Page Traffic Mirroring Page Page 26 XRN Fabric Page Page Page Page n Page Page 27 Cluster Configuration n Page Page Network Management Interface Page Page n Cluster Configuration in Real Networking Cluster Page n Page Complete Configuration 1Configuration on Switch A 28 PoE Configuration Network Page PoE Profile Page # Create Profile2 and enter PoE profile view. # Apply the configured Profile1 to Ethernet 1/0/1 through Ethernet 1/0/5. # Apply the configured Profile2 to Ethernet 1/0/6 through Ethernet 1/0/10. Page 29 UDP Helper Page 30 SNMP Configuration Page RMON Configuration Page 31 NTP Client/Server Mode Configuration NTP Symmetric Peers Mode Configuration NTP Broadcast Mode Page NTP Multicast Mode NTP Client/Server Mode with Authentication Page Page 32 Configuring the Switch to Act as the SSH Server and Use Password Page Page Page Configuring the Switch to Act as the SSH Server and Use RSA Authentication n Page Page Page Page Page Configuring the Switch to Act as the SSH Client and Use Password # Specify the authentication method of user client001 as password. Configuring the Switch to Act as the SSH Client and Use RSA Authentication n # Display the host public key. n Configuring the Switch to Act as the SSH Client and Not to Support First-Time n # Display the server host public key. # Generate an RSA key pair. # Display the client host public key. 298 CHAPTER 32: SSH CONFIGURATION GUIDE n [3Com] undo ssh client first-time n # Specify the server public key on the client. [3Com] ssh client 10.165.87.136 assign rsa-key Switch002 Page Configuring SFTP Page # Add a directory named new1, and then check that the new directory has been successfully created. # Rename the directory to new2, and then verify the operation. # Download the file pubkey2 from the server, renaming it to public. # Upload file pu to the server and rename it to puk, and then verify the operation. # Exit SFTP. Page Page 33 Configuring a Switch as FTP Server SFTP serv er SFTP cli ent Switch B Switch A Vlan-int1 192.168.0 .1/24 Vlan-int1 192.168.0.2/ 24 n Configuring a Switch as FTP Client n Configuring a Switch as TFTP Client Page 34 Outputting Log Information to a Unix Log Host Page Outputting Log Information to a Linux Log Host Outputting Log and Trap Information to a Log Host Through the Same Channel Page Page Outputting Log Information to the Console Displaying the Time Stamp with the UTC Time Zone Use of the Facility Argument in Log Information Output Page 35 Configuring VLAN-VPN n Page Configuring BPDU Tunnel Network Page Complete Configuration Configure Provider 1 36 Page 37 Static Domain Name Resolution Dynamic Domain Name Resolution Page Page 38 Configuring Access Management Internet Page Configuring Access Management with Port Isolation