Manuals / Brands / Computer Equipment / Switch / 3Com / Computer Equipment / Switch

3Com 4200G, 4210, 5500, 5500G Configuring Port Security mac-else-userlogin-sec ure-ext Mode

1 336

Download 336 pages, 4.69 Mb

Configuring Port Security mac-else-userlogin-secure-ext Mode 55

Configuring Port Security mac-else-userlogin-secure-ext Mode

In mac-else-userlogin-secure-ext mode, a port first performs MAC

authentication of a user. If the authentication is successful, the user can access the

port; otherwise, the port performs 802.1x authentication of the user. In this mode,

there can be more than one authenticated user on a port.

Network Diagram Figure15 Network diagram for configuring port security mac-else-userlogin-secure-ext

mode

Networking and

Configuration

Requirements

The host connects to the switch through the port Ethernet 1/0/1, and the switch

authenticates the host through the RADIUS server. After successful authentication,

the host is authorized to access the Internet.

On port Ethernet 1/0/1 of the switch, perform configurations to meet the

following requirements:

■Perform MAC authentication of users and then 802.1x authentication if MAC

authentication fails.

■Allow up to 64 802.1x authenticated users to get online. The total number of

802.1x authenticated users and MAC address authenticated users cannot

exceed 200.

■All users belong to the domain aabbcc.net, and each user uses the MAC

address of the host as the username and password for authentication.

■Enable NeedToKnow feature to prevent packets from being sent to unknown

destination MAC addresses.

Applicable Products

Configuration Procedure

n■The following configurations involve some AAA/RADIUS configuration

commands. For details about the commands, refer to “AAA Configuration” in

the Configuration Guide for your product.

■Configurations on the user host and the RADIUS server are omitted.

■Configure RADIUS parameters

Internet

Switch

Host

Eth1/0/1

Authentication servers

(192.168.1.3/24

192.168.1.2/24)

Product series Software version Hardware version

Switch 5500 Release V03.02.04 All versions

Switch 5500G Release V03.02.04 All versions

Switch 4500 R elease V03.03.00 All versions

Contents

Main 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 C 1 2 3 4 9 10 11 12 13 17 18 19 20 21 25 26 27 28 29 34 35 36 37 38 Page ABOUT THIS GUIDE n c Conventions Related Documentation Products Supported by this Document Page Page 1 n Logging In from the Console Port Page Complete Configuration Telnet login configuration with the authentication mode being none You can telnet to your switch to manage and maintain it remotely. Logging In Through Tel ne t Page Page Configuring Login Access Control # Reference ACL 2000 to control Telnet login by source IP address. # Reference ACL 2000 to control SNMP login by source IP address. # Reference ACL 2000 to control WEB login by source IP address. Complete Configuration Configuration for Telnet login control by source IP address Page 2 Configuring Port-Based VLAN # Create VLAN 101 on Switch B, and add Ethernet 1/0/11 to VLAN 101. # Create VLAN 201 on Switch B, and add Ethernet 1/0/12 to VLAN 201. Complete Configuration Configuration on Switch A Configuring Protocol-Based VLAN n Page Page 3 IP Address Page 4 Configuring Voice VLAN Page n Precautions 5 Configuring GVRP Page n Page Page Page 6 Configuring the Basic Functions of an Ethernet Port n 7 Configuring Link Aggregation n Page Page 8 Configuring Port Isolation Page 9 Configuring Port Security autolearn Configuring Port Security mac-authentication Page Page Configuring Port Security userlogin-withoui Page Page # Configure port security trapping. Configuring Port Security mac-else-userlogin-sec ure-ext Mode Page Page Page 10 Configuring a Port Binding Page 11 MAC Address Table Management Page 12 Configuring DLDP Page Page Page 13 Auto Detect Implementation in Static Routing Page n Auto Detect Implementation in VRRP Page n Auto Detect Implementation in VLAN Interface Backup Page Page Page Page 14 Configuring MSTP Page Page Configuring VLAN-VPN Tunneling Page Page Configuring RSTP n Page Page Page Configuring Digest Snooping and Rapid Tran sit ion Page Page Page Page 15 Configuring Static Routes Page Configuring RIP Configuration Procedure Configure Switch A. Page Configuring OSPF Page Page Page Configuring OSPF DR Election Page Page Page Configuring a (Totally) Stub Area Page n Page Configuration information when area 1 is a stub area: Refer to the configuration of Switch B when area 1 is a non-backbone area. Configuring a (Totally) NSSA Area Page Page Page n Page Configuring OSPF Route Summarization Page Page n Page ASBR route summarization configuration 1 n Page ASBR route summarization configuration 2 n translated from Type-7 LSAs. Page Configuring OSPF Virtual Link Configuration Procedure 1Configure OSPF basic functions. # Configure Switch A. # Configure Switch B. 2Configure a virtual link. # Configure Switch A. # Configure Switch B. Precautions Both ends of a virtual link must be ABRs configured with the vlink-peer command. Configuring Routing Policies Page Page Page Page Page Page 16 Configuring IGMP Snooping Page Page Configuring IGMP Snooping Only c Page Page Configuring Multicast VLAN Page Page Page Configuring PIM-SM plus IGMP plus IGMP Snooping Page Page n # View the BSR information on Switch E. # View the RP information on Switch E. # View the PIM routing table on Switch A. # View the PIM routing table on Switch E. # View multicast group entries created by IGMP Snooping on Switch F. Page Page Configuration on Switch E Configuration on Switch F Configuring PIM-DM plus IGMP Page Page Complete Configuration Configuration on Switch A Configuring Anycast RP Application Page Page Page # View the PIM routing information on Switch F again. Complete Configuration Configuration on Switch C Configuration on Switch F 17 n Configuring 802.1x Access Control Page Page Page 18 Configuring RADIUS Authentication for Telnet Users Page Configuring Dynamic VLAN Assignment with RADIUS Page Configuring Local Authentication for Telnet Users Configuring HWTACACS Authentication for Teln et Use rs Page Configuring EAD Page Page 19 Configuring MAC Page Page Page 20 Single VRRP Group n Page Multiple VRRP Groups Page VRRP Interface Trac kin g Page Page VRRP Port Tracking Page Page Page 21 DHCP Server Global Address Pool Page Page DHCP Server Interface Address Pool DHCP Relay Agent Page DHCP Snooping Page DHCP Accounting Page DHCP Client Page 22 Configuring Basic ACLs Configuring Advanced ACLs Configuring Ethernet Frame Header ACLs Page Configuring User-Defined ACLs Page Page Page 23 Configuring Traffic Policing and LR n Page Configuring Priority Marking and Queue Scheduling n Page Page Configuring Traffic Redirection and Traffic Accounting Page Configuring QoS Profile Page Page 24 Configuring Web Cache Redirection Page Page Page 25 Local Port Mirroring Page Remote Port Mirroring Page Page # Configure the destination port and remote-probe VLAN for the remote destination mirroring group. # Configure Ethernet 1/0/1 as a Trunk port, allowing packets of VLAN 10 to pass. Complete Configuration 1Configuration on the source switch (Switch A) 2Configuration on the intermediate switch (Switch B) Page Traffic Mirroring Page Page 26 XRN Fabric Page Page Page Page n Page Page 27 Cluster Configuration n Page Page Network Management Interface Page Page n Cluster Configuration in Real Networking Cluster Page n Page Complete Configuration 1Configuration on Switch A 28 PoE Configuration Network Page PoE Profile Page # Create Profile2 and enter PoE profile view. # Apply the configured Profile1 to Ethernet 1/0/1 through Ethernet 1/0/5. # Apply the configured Profile2 to Ethernet 1/0/6 through Ethernet 1/0/10. Page 29 UDP Helper Page 30 SNMP Configuration Page RMON Configuration Page 31 NTP Client/Server Mode Configuration NTP Symmetric Peers Mode Configuration NTP Broadcast Mode Page NTP Multicast Mode NTP Client/Server Mode with Authentication Page Page 32 Configuring the Switch to Act as the SSH Server and Use Password Page Page Page Configuring the Switch to Act as the SSH Server and Use RSA Authentication n Page Page Page Page Page Configuring the Switch to Act as the SSH Client and Use Password # Specify the authentication method of user client001 as password. Configuring the Switch to Act as the SSH Client and Use RSA Authentication n # Display the host public key. n Configuring the Switch to Act as the SSH Client and Not to Support First-Time n # Display the server host public key. # Generate an RSA key pair. # Display the client host public key. 298 CHAPTER 32: SSH CONFIGURATION GUIDE n [3Com] undo ssh client first-time n # Specify the server public key on the client. [3Com] ssh client 10.165.87.136 assign rsa-key Switch002 Page Configuring SFTP Page # Add a directory named new1, and then check that the new directory has been successfully created. # Rename the directory to new2, and then verify the operation. # Download the file pubkey2 from the server, renaming it to public. # Upload file pu to the server and rename it to puk, and then verify the operation. # Exit SFTP. Page Page 33 Configuring a Switch as FTP Server SFTP serv er SFTP cli ent Switch B Switch A Vlan-int1 192.168.0 .1/24 Vlan-int1 192.168.0.2/ 24 n Configuring a Switch as FTP Client n Configuring a Switch as TFTP Client Page 34 Outputting Log Information to a Unix Log Host Page Outputting Log Information to a Linux Log Host Outputting Log and Trap Information to a Log Host Through the Same Channel Page Page Outputting Log Information to the Console Displaying the Time Stamp with the UTC Time Zone Use of the Facility Argument in Log Information Output Page 35 Configuring VLAN-VPN n Page Configuring BPDU Tunnel Network Page Complete Configuration Configure Provider 1 36 Page 37 Static Domain Name Resolution Dynamic Domain Name Resolution Page Page 38 Configuring Access Management Internet Page Configuring Access Management with Port Isolation