Manuals / Brands / Computer Equipment / Switch / 3Com / Computer Equipment / Switch

3Com DUA1750-2BAA01 Chapter 34 Logon User ACL Control Configuration

1 773

Download 773 pages, 4.81 Mb

3Com Switch 8800 Configuration Guide Chapter 34 Logon User ACL Control Configuration

34-1

Chapter 34 Logon User ACL Control Configuration

34.1 Overview

As the Ethernet switches are used more and more widely over the networks, the

security issue becomes even more important. The switches provide several logon and

device accessing measures, mainly including TELNET access, SNMP access, and

HTTP access (currently the Switch 8800 does not support it). The security control over

the access measures is provided with the switches to prevent illegal users from logging

on to and accessing the devices. There are two levels of security controls. At the first

level, the user connection is controlled with ACL filter and only the legal users can be

connected to the switch. At the second level, a connected user can log on to the device

only if he can pass the password authentication.

This chapter mainly introduces how to configure the first level security control over

these access measures, that is, how to configure to filter the logon users with ACL. For

detailed description about how to configure the first level security, refer to “getting

started” module of Operation Manual.

34.2 Configuring ACL for Telnet Users

This configuration can filter out malicious or illegal connection request before password

authentication.

The following sections describe ACL configuration tasks.

z Defining ACL

z Importing ACL

34.2.1 Defining ACL

Currently number-based ACLs or advanced ACL can be imported, with the number

ranging from 2000 to 3999.

Perform the following configurations in system view.

Table 34-1 Define basic ACL and advanced ACL

Operation Command

Enter basic ACL (system view) acl { number acl-number | name acl-name

basic } match-order { config | auto }

Define a sub-rule (basic ACL

view)

rule [ rule-id ] { permit | deny } [ source

source-addr wildcard | any ] [ fragment ]

[ time-range name ]

Contents

Main 3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 About This Manual Release Notes Related Manuals Organization Intended Audience Conventions I. General conventions II. Command conventions III. GUI conventions IV. Keyboard operation V. Mouse operation VI. Symbols Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Chapter 1 Product Overview 1.1 Product Overview 1.2 Function Features Page Chapter 2 Logging into Switch 2.1 Setting Up Configuration Environment Through the Console Port Page 2.2 Setting Up Configuration Environment Through Telnet 2.2.1 Connecting a PC to the Switch Through Telnet 2.2.2 Telneting a Switch Through Another Switch 2.3 Setting Up Configuration Environment Through a Dial-up the Modem Page Page Chapter 3 Command Line Interface 3.1 Command Line Interface 3.2 Command Line View Page Page Page Page Page 3.3 Features and Functions of Command Line 3.3.1 Online Help of Command Line Page 3.3.2 Displaying Characteristics of Command Line 3.3.3 History Command of Command Line 3.3.4 Common Command Line Error Messages 3.3.5 Editing Characteristics of Command Line Page Chapter 4 User Interface Configuration 4.1 User Interface Overview I. Absolute number II. Relative number 4.2 User Interface Configuration 4.2.1 Entering User Interface View 4.2.2 Define the Login Header 4.2.3 Configuring Asynchronous Port Attributes I. Configuring the transmission speed II. Configuring flow control III. Configuring parity IV. Configuring the stop bit 4.2.4 Configuring Terminal Attributes II. Configuring idle-timeout III. Locking user interface IV. Setting the screen length V. Setting the history command buffer size 4.2.5 Managing Users I. Configuring the authentication method Page II. Setting the command level used after a user logging in III. Setting the command level used after a user logs in from a user interface IV. Setting the command priority V. Setting input protocol for a user terminal 4.2.6 Configuring Modem Attributes 4.2.7 Configuring Redirection I. Send command II. Auto-execute command 4.3 Displaying and Debugging User Interface Chapter 5 Management Interface Configuration 5.1 Management Interface Overview 5.2 Management Interface Configuration Chapter 6 Ethernet Port Configuration 6.1 Ethernet Port Overview 6.2 Ethernet Port Configuration 6.2.1 Entering Ethernet Port View 6.2.2 Enabling/Disabling an Ethernet Port 6.2.3 Setting Ethernet Port Description 6.2.4 Setting the Duplex Attribute of the Ethernet Port 6.2.5 Setting Speed on the Ethernet Port 6.2.6 Setting the Cable Type for the Ethernet Port 6.2.7 Enabling/Disabling Flow Control for the Ethernet Port 6.2.8 Permitting/Forbidding Jumbo Frame to Pass the Ethernet Port 6.2.9 Setting the Ethernet Port Broadcast Suppression Ratio 6.2.10 Setting the Ethernet Port Mode 6.2.11 Setting the Link Type for the Ethernet Port 6.2.12 Adding the Ethernet Port to Specified VLANs 6.2.13 Setting the Default VLAN ID for the Ethernet Port 6.2.14 Setting the VLAN VPN Feature 6.2.15 Copying Port Configuration to Other Ports Page 6.2.16 Setting Port Hold Time 6.2.17 Setting the Ethernet Port in Loopback Mode 6.3 Displaying and Debugging Ethernet Port 6.4 Ethernet Port Configuration Example 6.5 Ethernet Port Troubleshooting Chapter 7 Link Aggregation Configuration 7.1 Overview 7.1.1 Introduction to Link Aggregation 7.1.2 Introduction to LACP 7.1.3 Aggregation Types I. Manual aggregation and static LACP aggregation II. Dynamic LACP aggregation 7.1.4 Load Sharing I. Types of Load sharing II. Port state 7.2 Link Aggregation Configuration 7.2.1 Enabling/Disabling LACP at Port 7.2.2 Creating/Deleting an Aggregation Group 7.2.3 Adding/Deleting an Ethernet Port into/from an Aggregation Group 7.2.4 Setting/Deleting Aggregation Group Description 7.2.5 Configuring System Priority 7.2.6 Configuring Port Priority 7.3 Displaying and Debugging Link Aggregation 7.4 Link Aggregation Configuration Example Page Chapter 8 VLAN Configuration 8.1 VLAN Overview 8.2 Configuring VLAN 8.2.1 Creating/Deleting a VLAN 8.2.2 Specifying a Description Character String for a VLAN or VLAN interface 8.2.3 Creating/Removing a VLAN Interface 8.2.4 Shutting down/Bringing up a VLAN Interface 8.3 Configuring Port-Based VLAN 8.3.1 Adding Ethernet Ports to a VLAN 8.4 Configuring Protocol-Based VLAN 8.4.1 Creating/Deleting a VLAN Protocol Type 8.4.2 Associating/Dissociating a Port with/from a Protocol-Based VLAN 8.5 Displaying VLAN 8.6 VLAN Configuration Example Chapter 9 GARP/GVRP Configuration 9.1 Configuring GARP 9.1.1 GARP Overview 9.1.2 Setting the GARP Timer 9.1.3 Displaying and Debugging GARP 9.2 Configuring GVRP 9.2.1 GVRP Overview 9.2.2 Enabling/Disabling Global GVRP 9.2.3 Enabling/Disabling Port GVRP 9.2.4 Setting the GVRP Registration Type 9.2.5 Displaying and Debugging GVRP 9.2.6 GVRP Configuration Example Page Chapter 10 Super VLAN Configuration 10.1 Super VLAN Overview 10.2 Configuring a Super VLAN 10.2.1 Configuring a Super VLAN Page 10.2.2 Super VLAN Configuration Example Chapter 11 IP Address Configuration 11.1 Introduction to IP Address 11.1.1 IP Address Classification and Representation Page 11.1.2 Subnet and Mask 11.2 Configuring IP Address 11.2.1 Configuring the Hostname and Host IP Address 11.2.2 Configuring the IP Address of the VLAN Interface 11.3 Displaying and debugging IP Address 11.4 IP Address Configuration Example 11.5 Troubleshooting IP Address Configuration Chapter 12 ARP Configuration 12.1 Introduction to ARP I. Necessity of ARP II. ARP implementation procedure 12.2 Configuring ARP 12.2.1 Manually Adding/Deleting Static ARP Mapping Entries 12.2.2 Configuring the Dynamic ARP Aging Timer 12.2.3 Enabling/Disabling the Checking Function of ARP Entry 12.3 Displaying and Debugging ARP 12.4 Enabling/Disabling the Scheme of Preventing Attack from Packets 12.4.1 Introduction to the Scheme of Preventing Attack from Packets Page Chapter 13 DHCP Configuration 13.1 Introduction to DHCP 13.1.1 How DHCP Works I. IP address assignment II. Communications between DHCP clients and DHCP server 13.2 Configuring General DHCP 13.2.1 Enabling/Disabling DHCP Service 13.2.2 Configuring Processing Method of DHCP Packets 13.2.3 Enabling/Disabling Fake DHCP Server Detection 13.3 Configuring DHCP Server 13.3.1 Creating a Global DHCP IP Address Pool 13.3.2 Configuring IP Address Assignment Mode I. Configuring static address binding for a global DHCP address pool II. Configuring static address binding for a VLAN interface address pool III. Configuring dynamic IP address assignment 13.3.3 Forbidding Specified IP Addresses to Be Automatically Assigned 13.3.4 Configuring Lease Time For DHCP Address Pool I. Configuring a lease time for a global DHCP address pool II. Configuring a lease time for current VLAN interface III. Configuring a lease time for multiple VLAN interfaces 13.3.5 Configuring DHCP Client Domain Names I. Configuring a DHCP client domain name for a global DHCP address pool II. Configuring a DHCP client domain name for current VLAN interface III. Configuring a DHCP client domain name for multiple VLAN interfaces 13.3.6 Configuring DNS Server Address for DHCP Clients I. Configuring DNS server address for a global DHCP address pool II. Configuring DNS server address for current VLAN interface III. Configuring DNS server address for multiple VLAN interfaces 13.3.7 Configuring NetBIOS Server Address for DHCP Clients I. Configuring NetBIOS server address for a global DHCP address pool II. Configuring NetBIOS server address for current VLAN interface III. Configuring NetBIOS server address for multiple VLAN interfaces 13.3.8 Configuring NetBIOS Node Type for DHCP Clients I. Configuring NetBIOS node type for a global DHCP address pool II. Configuring NetBIOS node type for current VLAN interface III. Configuring NetBIOS node type for multiple VLAN interfaces 13.3.9 Configuring Custom DHCP Options I. Configuring custom DHCP options for a global DHCP address pool II. Configuring custom DHCP options for current VLAN interface III. Configuring custom DHCP options for multiple VLAN interfaces 13.3.10 Configuring Outbound Gateway Address for DHCP Clients 13.3.11 Configuring Parameters for DHCP Server to Send Ping Packets 13.3.12 Displaying and Debugging the DHCP Server 13.3.13 Clearing the Configuration Information of the DHCP Server 13.3.14 DHCP Server Configuration Example Page 13.4 Configuring DHCP Relay 13.4.1 Introduction to DHCP Relay 13.4.2 Configuring DHCP Relay I. Configuring a DHCP server for a VLAN interface II. Configure user address entries for a DHCP Server III. Enable/Disable DHCP security on a VLAN interface 13.4.3 Displaying and Debugging DHCP Relay 13.4.4 DHCP Relay Configuration Example Page Chapter 14 DNS Configuration 14.1 Introduction to DNS 14.1.1 Static Domain Name Resolution 14.1.2 Dynamic Domain Name Resolution 14.2 Configuring Static Domain Name Resolution 14.3 Configuring Dynamic Domain Name Resolution 14.3.1 Enable/Disable Static Domain Name Resolution 14.3.2 Configure the IP Address of Domain Name Server 14.3.3 Configure Domain Name Suffix 14.4 Displaying and Debugging Domain Name Resolution 14.5 DNS Configuration Example III. Configuraiton procedure 14.6 Troubleshooting Domain Name Resolution Configuration Chapter 15 IP Performance Configuration 15.1 Configuring IP Performance 15.1.1 Configuring TCP Attributes 15.2 Displaying and Debugging IP Performance 15.3 Troubleshooting IP Performance Page Chapter 16 IP Routing Protocol Overview 16.1 Introduction to IP Route and Routing Table 16.1.1 IP Route and Route Segment 16.1.2 Route Selection through the Routing Table Page 16.2 Routing Management Policy 16.2.1 Routing Protocols and the Preferences of the Corresponding Routes 16.2.2 Supporting Load Sharing and Route Backup I. Load sharing II. Route backup 16.2.3 Routes Shared Between Routing Protocols Chapter 17 Static Route Configuration 17.1 Introduction to Static Route 17.1.1 Static Route 17.1.2 Default Route 17.2 Configuring Static Route 17.2.1 Configuring a Static Route 17.2.2 Configuring a Default Route 17.2.3 Deleting All the Static Routes 17.3 Displaying and Debugging Static Route 17.4 Typical Static Route Configuration Example 3Com Switch 8800 Configuration Guide Chapter 17 Static Route Configuration 17-5 Figure 17-1 Network diagram for the static route configuration example Configure the static route for Switch A Configure the static route for Switch B Configure the static route for Switch C 17.5 Troubleshooting Static Route Faults Chapter 18 RIP Configuration 18.1 Introduction to RIP 18.1.1 RIP Operation Mechanism I. RIP basic concepts II. RIP route database 18.2 Configuring RIP 18.2.1 Enabling RIP and Entering RIP View 18.2.2 Enabling RIP on the Specified Network Segment 18.2.3 Configuring Unicast of the Packets 18.2.4 Configuring Split Horizon 18.2.5 Setting Additional Routing Metric 18.2.6 Configuring RIP to Import Routes of Other Protocols 18.2.7 Configuring Route Filtering I. Configuring RIP to filter the received routes II. Configuring RIP to filter the routes advertised by RIP 18.2.8 Disabling RIP to Receive Host Route 18.2.9 Enabling RIP-2 Route Aggregation Function 18.2.10 Setting the RIP Preference 18.2.11 Specifying RIP Version of the Interface 18.2.12 Configuring RIP Timers 18.2.13 Configuring RIP-1 Zero Field Check of the Interface Packet 18.2.14 Specifying the Operating State of the Interface 18.2.15 Setting RIP-2 Packet Authentication 18.3 Displaying and Debugging RIP 18.4 Typical RIP Configuration Example Page 18.5 Troubleshooting RIP Faults Chapter 19 OSPF Configuration 19.1 OSPF Overview 19.1.1 Introduction to OSPF 19.1.2 Process of OSPF Route Calculation 19.1.3 OSPF Packets 19.1.4 LSA Type I. Five basic LSA types II. Type-7 LSA 19.1.5 Basic Concepts Related to OSPF I. Router ID II. DR and BDR III. Area IV. Backbone area and virtual link V. Route summary 19.1.6 OSPF Features Supported by the Switch 8800 19.2 Configuring OSPF 19.2.1 Configuring Router ID 19.2.2 Enabling OSPF 19.2.3 Entering OSPF Area View 19.2.4 Specifying an Interface to Run OSPF 19.2.5 Configuring OSPF to Import Routes of Other Protocols I. Configuring OSPF to import external routes II. Configuring parameters for OSPF to import external routes III. Configuring the default interval and number for OSPF to import external routes 19.2.6 Configuring OSPF to Import Default Routes 19.2.7 Configuring OSPF Route Filtering I. Configuring OSPF to filter the received routes II. Configuring filtering the routes imported to OSPF 19.2.8 Configuring the Route Summary of OSPF I. Configuring the route summary of OSPF area II. Configuring summarization of imported routes by OSPF 19.2.9 Setting OSPF Route Preference 19.2.10 Configuring OSPF Timers I. Setting the interval for Hello packet transmission II. Setting a dead timer for the neighboring routers III. Setting an interval for LSA retransmission between neighboring routers 19.2.11 Configuring the Network Type on the OSPF Interface 19.2.12 Configuring NBMA Neighbors for OSPF 19.2.13 Setting the Interface Priority for DR Election Page 19.2.14 Configuring an Interval Required for Sending LSU Packets 19.2.15 Configuring the Cost for Sending Packets on an Interface 19.2.16 Configuring to Fill the MTU Field When an Interface Transmits DD Packets 19.2.17 Setting a Shortest Path First (SPF) Calculation Interval for OSPF 19.2.18 Disabling the Interface to Send OSPF Packets 19.2.19 Configuring OSPF Authentication I. Configuring the OSPF Area to Support Packet Authentication II. Configuring OSPF packet authentication 19.2.20 Configuring OSPF Virtual Link 19.2.21 Configuring Stub Area of OSPF 19.2.22 Configuring NSSA Area of OSPF 19.2.23 Configuring OSPF and Network Management System (NMS) I. Configuring OSPF MIB binding II. Configuring OSPF TRAP 19.2.24 Resetting the OSPF Process 19.3 Displaying and Debugging OSPF 19.4 Typical OSPF Configuration Example 19.4.1 Configuring DR Election Based on OSPF Priority Page 19.4.2 Configuring OSPF Virtual Link 3Com Switch 8800 Configuration Guide Chapter 19 OSPF Configuration 19-32 Configure Switch A Configure Switch B Configure Switch C 19.5 Troubleshooting OSPF Faults RTA RTB RTC RTD area0 area1 area2 RTA RTB RTC RTD area0 area1 area2 Chapter 20 Integrated IS-IS Configuration 20.1 Introduction to Integrated IS-IS 20.1.1 Terms of IS-IS Routing Protocol I. Terms of IS-IS routing protocol II. Link types IS-IS routing protocol is applied to 20.1.2 Two-level Structure of IS-IS Routing Protocol I. Two-level structure of IS-IS routing protocol II. Level-1 and Level-2 20-3 Figure 20-1 IS-IS topology 20.1.3 NSAP Structure of IS-IS Routing Protocol I. Address structure II. NET 20.1.4 IS-IS Routing Protocol Packets I. Hello packets II. LSP III. SNP 20.2 Configuring Integrated IS-IS Page 20.2.1 Enabling IS-IS and Entering the IS-IS View 20.2.2 Setting Network Entity Title Page 20.2.3 Enabling IS-IS on the Specified Interface 20.2.4 Setting Priority for DIS Election 20.2.5 Setting Router Type 20.2.6 Setting Interface Circuit Level 20.2.7 Configuring IS-IS to Import Routes of Other Protocols 20.2.8 Configuring IS-IS Route Filtering I. Configuring to filter the routes received by IS-IS II. Configuring to filter the advertised routes 20.2.9 Configuring IS-IS Routing Leak 20.2.10 Setting IS-IS Route Summary 20.2.11 Setting to Generate Default Route 20.2.12 Setting the Preference of IS-IS Protocol 20.2.13 Configuring IS-IS Route Metric Type 20.2.14 Setting IS-IS Link State Routing Cost 20.2.15 Configuring IS-IS Timers I. Setting the Hello packet broadcast interval II. Setting the CSNP packet broadcast interval III. Setting the LSP packet transmission interval IV. Setting LSP packet retransmission interval V. Configuringnumber of invalid Hello packets for the interface 20.2.16 Setting IS-IS Authentication I. Setting interface authentication II. Setting IS-IS area or IS-IS routing domain authentication password III. Setting the IS-IS to use the MD5 algorithm compatible with that of the other vendors 20.2.17 Setting the Mesh Group of the Interface 20.2.18 Setting Overload Flag Bit 20.2.19 Setting to Discard the LSPs with Checksum Errors 20.2.20 Setting to Log the Peer Changes 20.2.21 Setting LSP Refreshment Interval 20.2.22 Setting Lifetime of LSP 20.2.23 Setting Parameters Related to SPF I. Setting SPF calculation interval II. Setting SPF calculation in slice III. Setting SPF to release CPU actively 20.2.24 Enabling/Disabling the Interface to Send Packets 20.2.25 Resetting All the IS-IS Data Structure 20.2.26 Resetting the Specified IS-IS Peer 20.3 Displaying and Debugging Integrated IS-IS 20.4 Typical Integrated IS-IS Configuration Example 20-26 Figure 20-3 IS-IS configuration example Configure Switch A Configure Switch B 20-27 Configure Switch C Configure Switch D Chapter 21 BGP Configuration 21.1 BGP/MBGP Overview 21.1.1 Introduction to BGP 21.1.2 BGP Message Types 21.1.3 BGP Routing Mechanism I. Route advertisement policy II. Route selection policy 21.1.4 MBGP I. MBGP overview II. MBGP extension attributes III. Address family 21.1.5 BGP Peer and Peer Group 21.2 Configuring BGP 21.2.1 Enabling BGP 21.2.2 Configuring Basic Features for BGP Peer I. Creating a peer group II. Configuring AS number of an EBGP peer group III. Adding a member to a peer group IV. Configuring the state of a peer/peer group V. Configuring description of a peer (group) VI. Configuring timer of a peer (group) VII. Configuring the interval at which route update messages are sent by a peer group 21.2.3 Configuring application features of a BGP peer (group) I. Configuring to permit connections with EBGP peer groups on indirectly connected networks II. Configuring an IBGP peer group to be a client of a route reflector III. Configuring to send default route to a peer group IV. Configuring itself as the next hop when advertising routes V. Removing private AS numbers while transmitting BGP update messages VI. Configuring to send the community attributes to a peer group VII. Configuring the repeating time of local AS VIII. Specifying the source interface of a route update packet IX. Configuring BGP MD5 authentification password 21.2.4 Configuring Route Filtering of a Peer (group) I. Configuring route policy for a peer (group) II. Configuring route filtering policy based on IP ACL for a peer (group) III. Configuring route filtering policy based on AS path list for a peer (group) IV. Configuring route filtering policy based on address prefix list for a peer (group) 21.2.5 Configuring Network Routes for BGP Distribution 21.2.6 Configuring the Interaction Between BGP and IGP I. Importing IGP routes II. Configuring not to syncronize with IGP 21.2.7 Configuring BGP Route Summarization 21.2.8 Configuring BGP Route Filtering I. Configuring BGP to filter the received route information II. Configuring to filter the routes advertised by the BGP 21.2.9 Configuring BGP Route Dampening I. Configure BGP route dampening II. Clear route attenuation information 21.2.10 Configuring BGP Preference 21.2.11 Configuring BGP Timer 21.2.12 Configuring the Local Preference 21.2.13 Configuring MED for AS 21.2.14 Comparing the MED Routing Metrics from the Peers in Different ASs 21.2.15 Configuring BGP Route Reflector I. Configuring the route reflection between clients II. Configuring the cluster ID 21.2.16 Configuring BGP AS Confederation Attribute I. Configuring confederation_ID II. Configuring sub-AS belonging to the confederation III. Configuring AS confederation attribute compatible with nonstandard 21.2.17 Clearing BGP Connection 21.2.18 Refreshing BGP Routes 21.3 Displaying and Debugging BGP Page 21.4 Typical BGP Configuration Example 21.4.1 Configuring BGP AS Confederation Attribute 3Com Switch 8800 Configuration Guide Chapter 21 BGP Configuration 21-27 Figure 21-2 Network diagram for AS confederation configuration Configure Switch A: Configure Switch B: 3Com Switch 8800 Configuration Guide Chapter 21 BGP Configuration 21-28 21.4.2 Configuring BGP Route Reflector Figure 21-3 Network diagram for BGP route reflector configuration 1) Configure Switch A: Page 21.4.3 Configuring BGP Routing Page Page 21.5 Troubleshooting BGP Page Chapter 22 IP Routing Policy Configuration 22.1 Introduction to IP Routing Policy 22.1.1 Filter I. acl II. ip-prefix 22.2 Configuring IP Routing Policy 22.2.1 Configuring a Route-policy I. Defining a route-policy II. Defining if-match clauses for a route-policy III. Defining apply clauses for a route-policy Page 22.2.2 Configuring ip-prefix 22.2.3 Configuring the AS Path List 22.2.4 Configuring a Community Attribute List 22.2.5 Importing Routing Information Discovered by Other Routing Protocols 22.2.6 Configuring Route Filtering I. Configuring to filter the received routes II. Configuring to filter the advertised routes 22.3 Displaying and Debugging the Routing Policy 22.4 Typical IP Routing Policy Configuration Example 22.4.1 Configuring to Filter the Received Routing Information 22.5 Troubleshooting Routing Policy Chapter 23 IP Multicast Overview 23.1 IP Multicast Overview 23.1.1 Problems with Unicast/Broadcast I. Data transmission in unicast mode II. Data transmission in broadcast mode 23.1.2 Advantages of Multicast I. Multicast Multicast II. Advantages 23.1.3 Application of Multicast 23.2 Implementation of IP Multicast 23.2.1 IP Multicast Addresses I. IP Multicast Addresses Page II. Ethernet Multicast MAC Addresses 23.2.2 IP Multicast Protocols I. Multicast group management protocol II. Multicast routing protocols 23.3 RPF Mechanism for IP Multicast Packets Page Chapter 24 IGMP Snooping Configuration 24.1 IGMP Snooping Overview 24.1.1 IGMP Snooping Principle 24.1.2 Implement IGMP Snooping I. Related concepts of IGMP Snooping II. Implement Layer 2 multicast with IGMP Snooping 24.2 IGMP Snooping Configuration 24.2.1 Enabling/Disabling IGMP Snooping 24.2.2 Configuring Router Port Aging Time 24.2.3 Configuring Maximum Response Time 24.2.4 Configuring Aging Time of Multicast Group Member Ports 24.2.5 Configuring Unknown Multicast Packets not Broadcasted within a VLAN 24.3 Displaying and debugging IGMP Snooping 24.4 IGMP Snooping Configuration Example 24.4.1 Enable IGMP Snooping 24.5 Troubleshoot IGMP Snooping Page Chapter 25 Multicast VLAN Configuration 25.1 Multicast VLAN Overview 25.2 Multicast VLAN Configuration 25.3 Multicast VLAN Configuration Example 3Com Switch 8800 Configuration Guide Chapter 25 Multicast VLAN Configuration 25-3 Figure 25-1 Network diagram for multicast VLAN configuration Page Chapter 26 Common Multicast Configuration 26.1 Introduction to Common Multicast Configuration 26.2 Common Multicast Configuration 26.2.1 Enabling Multicast 26.2.2 Configuring multicast route number limit 26.2.3 Clearing MFC Forwarding Entries or Its Statistic Information 26.2.4 Clearing Route Entries from the Kernel Multicast Routing Table 26.3 Controlled Multicast Configuration 26.3.1 Controlled Multicast Overview 26.3.2 Configuring Controlled Multicast 26.3.3 Controlled Multicast Configuration Example I. Network reuirements II. Network diagram III. Configuration procedure 26.4 Displaying and Debugging Common Multicast Configuration Page Chapter 27 IGMP Configuration 27.1 IGMP Overview 27.1.1 Introduction to IGMP I. Election mechanism of multicast routers on the shared network segment II. Leaving group mechanism 27.2 IGMP Configuration 27.2.1 Enabling Multicast 27.2.2 Enabling IGMP on an Interface 27.2.3 Configuring the IGMP Version 27.2.4 Configuring the Interval to Send IGMP Query Message 27.2.5 Configuring the Interval and the Number of Querying IGMP Packets I. Configuring interval for querying IGMP packets II. Configuring the number of last member querying 27.2.6 Configuring the Present Time of IGMP Querier 27.2.7 Configuring Maximum Response Time for IGMP Query Message 27.2.8 Configuring the limit of IGMP groups on an interface 27.2.9 Configuring a Router to Join Specified Multicast Group 27.2.10 Limiting Multicast Groups that an Interface Can Access 27.2.11 Deleting IGMP Groups Joined on an Interface 27.3 Displaying and Debugging IGMP Chapter 28 PIM-DM Configuration 28.1 PIM-DM Overview 28.1.1 Introduction to PIM-DM 28.1.2 PIM-DM Working Principle I. Neighbor discovery III. Assert mechanism IV. Graft 28.2 PIM-DM Configuration 28.2.1 Enabling Multicast 28.2.2 Enabling PIM-DM 28.2.3 Configuring the Time Intervals for Ports to Send Hello Packets 28.2.4 Entering the PIM View 28.2.5 Configuring the Filtering of Multicast Source/Group 28.2.6 Configuring the Filtering of PIM Neighbor 28.2.7 Configuring the Maximum Number of PIM Neighbor on an Interface 28.2.8 Clearing multicast route entries from PIM routing table 28.2.9 Clearing PIM Neighbors 28.3 Displaying and Debugging PIM-DM 28.4 PIM-DM Configuration Example 3Com Switch 8800 Configuration Guide Chapter 28 PIM-DM Configuration 28-8 Figure 28-2 PIM-DM configuration networking Enable IGMP and PIM-DM on the interface. Chapter 29 PIM-SM Configuration 29.1 PIM-SM Overview 29.1.1 Introduction to PIM-SM 29.1.2 PIM-SM Working Principle I. Build the RP shared tree (RPT) 29.1.3 Preparations before Configuring PIM-SM I. Configuring candidate RPs II. Configuring BSRs III. Configuring static RP 29.2 PIM-SM Configuration 29.2.1 Enabling Multicast 29.2.2 Enabling PIM-SM 29.2.3 Entering the PIM View 29.2.4 Configuring the Time Intervals for Ports to Send Hello Packets 29.2.5 Configuring Candidate-BSRs 29.2.6 Configuring Candidate-RPs 29.2.7 Configuring Static RP 29.2.8 Configuring the PIM-SM Domain Border 29.2.9 Configuring the filtering of multicast source/group 29.2.10 Configuring the filtering of PIM neighbor 29.2.11 Configuring RP to Filter the Register Messages Sent by DR 29.2.12 Limiting the range of legal BSR 29.2.13 Limiting the range of legal C-RP 29.3 Displaying and Debugging PIM-SM 29.4 PIM-SM Configuration Example 3Com Switch 8800 Configuration Guide Chapter 29 PIM-SM Configuration 29-10 Figure 29-2 PIM-SM configuration networking 1) Configure LS_A Enable PIM-SM. Page 3Com Switch 8800 Configuration Guide Chapter 29 PIM-SM Configuration 29-12 Enable PIM-SM. Chapter 30 MSDP Configuration 30.1 MSDP Overview 30.1.1 Introduction 30.1.2 Working Principle I. Indentifying multicast source and receiving multicast data II. Message forwarding and RPF check between MSDP peers III. Precautions for configuration 30.2 MSDP Configuration 30.2.1 Enabling MSDP 30.2.2 Configuring MSDP Peers 30.2.3 Configuring Static RPF Peers 30.2.4 Configuring Originating RP 30.2.5 Configuring SA Caching State 30.2.6 Configuring the Maximum Number of SA caching 30.2.7 Requesting Source Information of MSDP Peers 30.2.8 Controlling the Source Information Created I. Filtering the multicast routing entries imported II. Filtering SA request messages 30.2.9 Controlling the Source Information Forwarded I. Using MSDP outbound filter II. Using TTL to filter SA messages with encapsulated data 30.2.10 Controlling the Received Source Information 30.2.11 Configuring MSDP Mesh Group 30.2.12 Configuring the MSDP Connection Retry Period 30.2.13 Shutting MSDP Peers Down 30.2.14 Clearing MSDP Connections, Statistics and SA Caching Configuration 30.3 Displaying and Debugging MSDP I. Displaying and Debugging MSDP II. Tracing the Transmission Path of SA Messages on the Network 30-13 30.4 MSDP Configuration Examples 30.4.1 Configuring Static RPF Peers Figure 30-3 Configuring static RPF peers Configure Switch A to be a static RPF peer of Switch D. 30.4.2 Configuring Anycast RP 30-15 Figure 30-4 Networking diagram for Anycast RP configuration 1) Configure SwitchB: Configure VLAN Enable multicast. [SwitchB] multicast routing-enable Configure the IP address of interface loopback0. Page 30-17 Enable multicast. Configure the IP address of interface loopback0. Configure the IP address of interface loopback10 and enable IGMP and PIM-SM. Configure the IP address of interface Vlan-interface20 and enable IGMP and PIM-SM. Configure the IP address of Vlan-interface10 and enable IGMP and PIM-SM. 30.4.3 MSDP Integrated Networking I. Networking requirement PIM-SM domain 4 PIM-SM domain 3 Figure 30-5 MSDP integrated networking 30-20 Enable multicast. Configure the IP address of interface loopback0 and enable PIM-SM. Configure the IP address of interface loopback10 and enable PIM-SM. Configure the IP address of Vlan-interface30 and enable IGMP and PIM-SM. Configure the IP address of Vlan-interface10 and enable IGMP and PIM-SM. Configure MSDP peer, Mess Group and Originating RP. Configuring C-RP and BSR. Enable multicast. 2) Configure Switch E: Configuring VLAN Configure the IP address of interface loopback0 and enable PIM-SM. Configure the IP address of interface lookback10 and enable PIM-SM. Configure the IP address of Vlan-interface10 and enable IGMP and PIM-SM. Configure the IP address of Vlan-interface20 and enable IGMP and PIM-SM. Configuring OSPF Page Chapter 31 MBGP Multicast Extension Configuration 31.1 MBGP Multicast Extension Overview 31.1.1 Introduction 31.1.2 MBGP Extension Attributes for Multicast I. MP_REACH_NLRI attribute 31.1.3 MBGP Operating Mode and Message Type 31.2 MBGP Multicast Extension Configuration 31.2.1 Enabling MBGP Multicast Extension Protocol 31.2.2 Specifying Network Routes Notified by MBGP Multicast Extension 31.2.3 Configuring the MED Value for an AS 31.2.4 Comparing MED Values from Different AS Neighbor Paths 31.2.5 Configuring Local Preference 31.2.6 Configuring MBGP Timer 31.2.7 Configuring MBGP Peer (Group) I. Creating a peer group with members II. Enabling a peer (group) III. Adding an MBGP peer to the group IV. Advertising MBGP community attributes to a peer (group) V. Configuring a peer (group) as an MBGP route reflector client VI. Configuring the local address as the next hop when advertising routes VII. Specifying the routing policy for a peer (group) VIII. Configuring IP-ACL-based route filtering policy for a peer (group) IX. Configuring AS-path-list-based route filtering policy for a peer (group) X. Configuring prefix-list-based route filtering policy for a peer (group) 31.2.8 Configuring MBGP Route Aggregation 31.2.9 Configuring an MBGP Route Reflector 31.2.10 Configure MBGP Community Attributes 31.2.11 Importing IGP Routing Information into MBGP 31.2.12 Defining AS Path List and Routing Policy 31.2.13 Configuring MBGP Route Filtering 31.2.14 Resetting BGP Connections 31.3 Displaying and Debugging MBGP Configuration 31.4 MBGP Multicast Extension Configuration Example I. Networking requirement II. Networking diagram III. Configuration procedure Page 3Com Switch 8800 Configuration Guide Chapter 31 MBGP Multicast Extension Configuration 31-14 3) Configure Switch C: 3Com Switch 8800 Configuration Guide Chapter 31 MBGP Multicast Extension Configuration 31-15 Configure the local preference attribute of Switch C. matching ACL 2000 to 200, and otherwise, to 100. (Switch A). 4) Configure Switch D: Page Chapter 32 ACL Configuration 32.1 ACL Overview 32.1.1 Introduction to ACL I. ACLs being activated directly on hardware II. ACLs being referenced by upper-level modules 32.1.2 ACLs Supported 32.2 ACL Configuration 32.2.1 Configuring Time Range 32.2.2 Defining and Applying Flow Template I. Defining Flow Template Page II. Applying Flow Template 32.2.3 Defining ACL I. Defining basic ACL II. Defining advanced ACL III. Defining L2 ACLs 32.2.4 Activating ACL 32.3 Displaying and Debugging ACL Configurations 32.4 ACL Configuration Example 32.4.1 Advanced ACL Configuration Example 32.4.2 Basic ACL Configuration Example 32.4.3 L2 ACL Configuration Example Page Chapter 33 QoS Configuration 33.1 QoS Overview I. Flow II. Traffic classification III. Packet filtering IV. Traffic policing V. Redirection VI. Traffic priority VII. Queue scheduling Page VIII. Traffic mirroring IX. Port mirroring X. Flow-based traffic statistics 33.2 Introduction to Port Group-Based QoS Configuration 33.2.1 Group-Based QoS Configuration Task Page 33.2.2 Configuration Example for port group 33.3 QoS Configuration 33.3.1 Configuring Service Parameter Allocation Rule I. Configuring mapping table II. Configuring default local precedence for port 33.3.2 Configuring Traffic Policing I. Configuring mapping tables II. Configuring traffic policing 33.3.3 Configuring Traffic Shaping 33.3.4 Configuring Traffic Priority 33.3.5 Configuring Traffic Redirection Page 33.3.6 Configuring Queue Scheduling 33.3.7 Configuring WRED Parameters I. Configuring WRED parameters II. Configuring drop algorithm 33.3.8 Configuring Traffic Mirroring 33.3.9 Configuring Port Mirroring 33.3.10 Configuring Traffic Statistics 33.3.11 Displaying and Debugging QoS Configuration Page 33.4 Configuration Example 33.4.1 Traffic Shaping Configuration Example 33.4.2 Port Mirroring Configuration Example Figure 33-7 Networking for port mirroring configuration Define a mirroring group, with monitoring port as GigabitEthernet3/1/8. 33.4.3 Traffic Priority Configuration Example Figure 33-8 Network diagram for priority configuration 1) Define the time range. Define the time range from 8:00 to 18:00. Page 33.4.4 Traffic Redirection Configuration Example 33.4.5 Queue Scheduling Configuration Example 33.4.6 WRED Parameters Configuration Example 33.4.7 Traffic Statistics Configuration Example Page Chapter 34 Logon User ACL Control Configuration 34.1 Overview 34.2 Configuring ACL for Telnet Users 34.2.1 Defining ACL 34.2.2 Importing ACL 34.2.3 Configuration Example 34.3 Configuring ACL for SNMP Users 34.3.1 Defining ACL 34.3.2 Importing ACL 34.3.3 Configuration Example Chapter 35 MPLS Architecture 35.1 MPLS Overview 35.2 MPLS Basic Concepts 35.2.1 FEC 35.2.2 Label I. Label definition II. Label structure III. Label operations Page 35.2.3 LDP 35.3 MPLS Architecture 35.3.1 MPLS Network Structure 35.3.2 Forwarding Labeled Packets 35.3.3 Establishing LSP I. LDP working process ABC D E FG H II. LSP loop control 35.3.4 LSP Tunnel and Hierarchy I. LSP tunnel II. Multi-layer label stack 35.4 MPLS and other Protocols 35.4.1 MPLS and Routing Protocols 35.5 MPLS Application 35.5.1 MPLS VPN Page Chapter 36 MPLS Basic Capability Configuration 36.1 MPLS Basic Capability Overview 36.2 MPLS Configuration 36.2.1 Defining MPLS LSR ID 36.2.2 Enabling MPLS and Entering MPLS View 36.2.3 Configuring the Topology-Driven LSP Setup Policy 36.2.4 Configuring Static LSP 36.3 LDP Configuration 36.3.1 Enabling LDP protocol 36.3.2 Enabling LDP on VLAN interface 36.3.3 Configuring Remote-Peer for Extended Discovery Mode I. Create a remote-peer II. Configuring an address for the remote-peer 36.3.4 Configuring session parameters I. Configuring session hold-time II. Configuring hello transport-address 36.3.5 Configuring LDP Loop Detection Control I. Enabling loop detection II. Setting the maximum hop count for loop detection III. Setting the maximum hop count in path vector mode 36.3.6 Configuring LDP Authentication Mode Between Every Two Routers 36.4 Displaying and Debugging MPLS 36.4.1 Displaying and Debugging MPLS I. Displaying static LSPs II. Displaying MPLS-enabled interfaces III. Displaying LSP IV. Debugging MPLS V. Trapping MPLS 36.4.2 Displaying and Debugging LDP I. LDP display commands II. LDP debugging commands 36.5 Typical MPLS Configuration Example I. Network requirements Switch A 36-12 Figure 36-1 Network diagram 1) Configure Switch A Configure LSR ID and enable MPLS and LDP. Configure IP address and enable MPLS and LDP for VLAN interface 201. Enable OSPF on the interface connecting Switch A with Switch B. 2) Configure Switch B Configure LSR ID and enable MPLS and LDP. Configure IP address and enable MPLS and LDP for VLAN interface 201. Configure IP address and enable MPLS and LDP for VLAN interface 203. 3) Configure Switch C Configure IP address and enable MPLS and LDP for VLAN interface 202. Configure LSR ID and enable MPLS and LDP. Configure IP address and enable LDP and MPLS for VLAN interface 202. Enable OSPF on the interface connecting Switch C with Switch B. 4) Configure Switch D Configure LSR ID and enable MPLS and LDP. Configure IP address and enable MPLS and LDP for VLAN interface 203. 36.6 Troubleshooting MPLS Configuration Chapter 37 BGP/MPLS VPN Configuration 37.1 BGP/MPLS VPN Overview 37-2 37.1.1 BGP/MPLS VPN Model I. BGP/MPLS VPN model Backbone network of the service provider II. Nested BGP/MPLS VPN model III. Basic concepts in BGP/MPLS VPN IV. VPN Target attribute 37.1.2 BGP/MPLS VPN Implementation I. Advertising VPN routing information II. Forwarding VPN packets 37.1.3 Nested BGP/MPLS VPN Implementation 37.1.4 Hierarchical BGP/MPLS VPN Implementation 37.1.5 Introduction to OSPF Multi-instance 37-9 CE22 MPLS VPN Backbone 37.1.6 Introduction to Multi-Role Host 37.2 BGP/MPLS VPN Configuration I. CE router II. PE router III. P router 37.2.1 Configuring CE Router I. Creating static route II. Configuring RIP III. Configuring OSPF IV. Configuring EBGP 37.2.2 Configuring PE Router I. Configuring basic MPLS capability II. Defining BGP/MPLS VPN site Page Page Page III. Configuring PE-CE route exchanging Page Page Page Page Page IV. Configuring PE-PE route exchanging Page Page 37.2.3 Configuring P Router 37.3 Displaying and Debugging BGP/MPLS VPN I. Displaying VPN address information from BGP table II. Displaying IP routing table associated with vpn-instance III. Displaying vpn-instance related information IV. Debugging information concerning processing BGP V. Displaying MPLS l3vpn-lsp information VI. Displaying sham link 37.4 Typical BGP/MPLS VPN Configuration Example 37.4.1 Integrated BGP/MPLS VPN Configuration Example I. Network requirements 37-28 Figure 37-8 Network diagram for integrated BGP/MPLS VPN Page 37-30 37-31 Page 37.4.2 Hybrid BGP/MPLS VPN Configuration Example II. Network diagram loopback0 1.1.1.9/32 192.168.1.1/24 loopback0 1.1.1.9/32 192.168.1.2/24 loopback0 2.2.2.9/32 Page Page Page Page Page 37-40 37.4.3 Extranet Configuration Example SP network Figure 37-10 Network diagram for Extranet Page Page Page 37.4.4 Hub&Spoke Configuration Example Page Page 37-47 Configure loopback interface Page Page 37.4.5 CE Dual-home Configuration Example 37-51 Figure 37-12 Network diagram for CE dual-home 37-52 Configure loopback interface 37-53 Page Page 37.4.6 Cross-domain BGP/MPLS VPN Configuration Example 37-57 Figure 37-13 Network diagram for ASBR 1) Configure PE1 Enable MPLS and LDP. Configure VLAN interface connecting PE1 and P1. [PE1] mpls lsr-id 1.1.1.1 [PE1] mpls [PE1-mpls] quit [PE1] mpls ldp Configure the VLAN interface connecting CE. Bind the VLAN interface with the VPN-instance. Enable EBGP between PE and CE. Enable IBGP between PE-ASBRs. 2) Configure PE2 Configure MPLS. Configure the VLAN interface connecting CE. Configure loopback interface. Configure VPN-instance. Configure the VLAN interface connecting PE2 and P2. Bind the VLAN interface with the VPN-instance. Enable IBGP between PE-ASBRs 3) Configure P1 (P2 in similar way) Configure MPLS basic capability. Configure the interface loopback 0. Configure VLAN interface connecting PE1. Configure VLAN interface connecting PE2. 37.4.7 Cross-Domain BGP/MPLS VPN Configuration Example Option C Figure 37-14 Network diagram for Multihop EBGP cross-domain VPN Page Page 37-64 Configure basic MPLS capability on PE2 and enable LDP on the interface connected to ASBR-PE2. Page Page 37-67 Configure ASBR-PE1: set up EBGP peer relation with ASBR-PE2, and IBGP peer relation with PE1. Configure CE2. 37-68 Configure ASBR-PE2: configure the route policy. 37.4.8 Hierarchical BGP/MPLS VPN Configuration Example Page 37-70 Configure VPN-instance 2) Configure UPE Configure BGP Configure OSPF Configure the basic MPLS capability. Configure VPN-instance Configure interfaces Configure BGP Configure OSPF 37.4.9 OSPF Multi-instance sham link Configuration Example Configure VLAN interface. Figure 37-16 Network diagram for OSPF multi-instance 1) Configure PE1 Enable MPLS and LDP. Configure VPN-instance. Configure BGP peer. Configure BGP and import OSPF routing and direct-connect route. Page 37-75 Configure BGP. Configure VPN-instance and import OSPF and direct-connect route. Configure MBGP and enable peer. Page 37.4.10 Nested BGP/MPLS VPN Configuration Example 37-78 Figure 37-17 Network diagram for nested VPN 37-79 Configure prov_pe2 Configure basic MPLS capability and MPLS LDP on the backbone network. Configure prov_pe1 Configure prov_pe2 Configure IBGP between provider PEs. Configure prov_pe1 37-80 Configure prov_pe2 Configure prov_pe2 37-81 Configure cust_pe1 Configure cust_pe2 37-82 Configure prov_pe1 to access CE5 Configure prov_pe2 to access the corresponding Customer PE. Configure cust_pe1 Configure cust_pe2 37.4.11 OSPF Multi-instance CE Configuration Example 37-84 Figure 37-18 Network diagram for OSPF multi-instance CE configuration 1) Configuring CE router Configure instance vpn1 Configure VLAN203 Configure instance vpn2 Configure VLAN201 37.4.12 Multi-Role Host Configuration Example 37-86 Figure 37-19 Network diagram for multi-role host application [PE2] interface loopback 0 1) Configure OSPF as the IGP protocol on the MPLS backbone network. Configure OSPF on PE1: Configure OSPF on PE2: Configure basic MPLS capability on PE2: 37-88 Create a VPN instance for VPN1 on PE2, and bind Ethernet2/1/0 to VPN1. Configure BGP. Configure CE1: Configure CE2: Configure CE3: 37-89 37.5 Troubleshooting I. Symptom 1 II. Symptom 2 III. Symptom 3 IV. Symptom 4 V. Symptom 5 Chapter 38 MSTP Region-configuration 38.1 Introduction to MSTP 38.1.1 MSTP Concepts I. MST region II. VLAN mapping table III. IST IV. CST V. CIST VI. MSTI VII. Region root VIII. Common Root Bridge XI. TC packet Page 38.1.2 MSTP Principles I. CIST calculation II. MSTI calculation Page Page Page Page 38.1.3 MSTP Implementation on the Switch 38.2 Configuring MSTP 38.2.1 Configuring the MST Region for a Switch I. Entering MST region view II. Configuring parameters for the MST region III. Activating the MST region configuration,and exit the MST region view 38.2.2 Specifying the Switch as a Primary or a Secondary Root bridge 38.2.3 Configuring the MSTP Running Mode 38.2.4 Configuring the Bridge Priority for a Switch 38.2.5 Configuring the Max Hops in an MST Region 38.2.6 Configuring the Switching Network Diameter 38.2.7 Configuring the Time Parameters of a Switch Page 38.2.8 Setting the Timeout Factor of a Specific Bridge 38.2.9 Configuring the Max Transmission Speed on a Port 38.2.10 Configuring a Port as an Edge Port or Non-edge Port 38.2.11 Configuring the Path Cost of a Port I. Configuration in system view II. Configuration in Ethernet port view 38.2.12 STP Path Cost Calculation Standards on STP port I. DOT1T calculation standard II. DOT1D-1998 calculation standard III. The Switch 8800 legacy calculation standard 38.2.13 Configuring the Priority of a Port 38.2.14 Configuring the Port (Not) to Connect with the Point-to-Point Link Page 38.2.15 Configuring the mCheck Variable of a Port 38.2.16 Configuring the Switch Protection Function I. BPDU protection II. Root protection III. Loop protection IV. TC-protection 38.2.17 Enabling/Disabling MSTP on the Device 38.2.18 Enable/Disable Address Table Reset on Specified Port 38.2.19 Enabling/Disabling ARP Address Update 38.2.20 Enabling/Disabling MSTP on a Port 38.3 Displaying and Debugging MSTP 38.4 Typical MSTP Configuration Example Page Page Chapter 39 802.1x Configuration 39.1 802.1x Overview 39.1.1 802.1x Standard Overview 39.1.2 802.1x System Architecture 39.1.3 802.1x Authentication Process 39.1.4 Implementing 802.1x on Ethernet Switches 39.2 802.1x Configuration Page 39.2.1 Enabling/Disabling 802.1x 39.2.2 Setting the Port Access Control Mode 39.2.3 Setting Port Access Control Method 39.2.4 Checking the Users that Log on the Switch via Proxy 39.2.5 Setting Supplicant Number on a Port 39.2.6 Setting the Authentication in DHCP Environment 39.2.7 Configuring Authentication Method for 802.1x User 39.2.8 Enabling/Disabling Guest VLAN 39.2.9 Setting the Maximum times of authentication request message retransmission 39.2.10 Configuring 802.1x Timers 39.2.11 Enabling/Disabling quiet-period Timer 39.3 Displaying and Debugging 802.1x 39.4 802.1x Configuration Example Page Page Chapter 40 AAA and RADIUS/TACACS+ Protocol Configuration 40.1 AAA and RADIUS/TACACS+ Protocol Overview 40.1.1 AAA Overview 40.1.2 RADIUS Protocol Overview I. What is RADIUS 40.1.3 TACACS+ Protocol Overview I. TACACS+ SPECIALITY II. Basic message exchange procedures in TACACS+ Page 3Com Switch 8800 Configuration Guide Chapter 40 AAA and RADIUS/TACACS+ Protocol Con figuration 40-5 User TACACS Client TACACS 40.1.4 Implementing AAA/RADIUS on a Switch 40.2 AAA Configuration 40.2.1 Creating/Deleting an ISP Domain 40.2.2 Configuring Relevant Attributes of an ISP Domain 40.2.3 Configuring Self-Service Server URL 40.2.4 Creating/Deleting a Local User 40.2.5 Setting the Attributes of a Local User I. Setting the password display mode II. Setting/Removing the attributes of a local user 40.2.6 Disconnecting a User by Force 40.2.7 Configuring Dynamic VLAN Delivering 40.3 Configuring RADIUS Protocol 40.3.1 Creating/Deleting a RADIUS scheme 40.3.2 Setting IP Address and Port Number of a RADIUS Server Page 40.3.3 Setting the RADIUS Packet Encryption Key 40.3.4 Setting the Response Timeout Timer of a RADIUS Server 40.3.5 Setting the Retransmission Times of RADIUS Request Packets 40.3.6 Enabling the Selection Of Radius Accounting Option 40.3.7 Setting a Real-time Accounting Interval 40.3.8 Setting the Maximum Times of Real-time Accounting Request Failing to be Responded 40.3.9 Enabling/Disabling Stopping Accounting Request Buffer 40.3.10 Setting the Maximum Retransmitting Times of Stopping Accounting Request 40.3.11 Setting the Supported Type of RADIUS Server 40.3.12 Setting RADIUS Server State 40.3.13 Setting the Username Format Transmitted to RADIUS Server 40.3.14 Setting the Unit of Data Flow that Transmitted to RADIUS Server 40.3.15 Creating/Deleting a Local RADIUS authentication Server 40.4 Configuring TACACS+ Protocol 40.4.1 Creating a HWTACAS Scheme 40.4.2 Configuring TACACS+ Authentication Servers 40.4.3 Configuring TACACS+ Authorization Servers 40.4.4 Configuring TACACS+ Accounting Servers and the Related Attributes I. Configuring TACACS+ accounting servers II. Enabling stop-accounting packet retransmission 40.4.5 Configuring the Source Address for TACACS+ Packets Sent by NAS 40.4.6 Setting a Key for Securing the Communication with TACACS Server 40.4.7 Setting the Username Format Acceptable to the TACACS Server 40.4.8 Setting the Unit of Data Flows Destined for the TACACS Server 40.4.9 Setting Timers Regarding TACACS Server I. Setting the response timeout timer II. Setting the quiet timer for the primary TACACS server III. Setting a realtime accounting interval 40.5 Displaying and Debugging AAA and RADIUS Protocol Page 40.6 AAA and RADIUS/TACACS+ Protocol Configuration Examples 40.6.1 Configuring Authentication at Remote RADIUS Server II. Network Topology III. Configuration procedure 40.6.2 Configuring Authentication at Local RADIUS Authentication Server 40.6.3 Configuring Authentication at Remote TACACS Server III. Configuration procedure 40.7 Troubleshooting AAA and RADIUS/TACACS+ I. Symptom: User authentication/authorization always fails II. Symptom: RADIUS/TACACS+ packet cannot be transmitted to RADIUS/TACACS+ server. Chapter 41 VRRP Configuration 41.1 Introduction to VRRP 41.2 Configuring VRRP 41.2.1 Enabling/Disabling the Function to Ping the Virtual IP Address 41.2.2 Enabling/Disabling the Check of TTL Value of VRRP Packet 41.2.3 Setting Correspondence Between Virtual IP Address and MAC Address 41.2.4 Adding/Deleting a Virtual IP Address 41.2.5 Configuring the Priority of Switches in the Virtual Router 41.2.6 Configuring Preemption and Delay for a Switch Within a Virtual Router 41.2.7 Configuring Authentication Type and Authentication Key 41.2.8 Configuring Virtual Router Timer 41.2.9 Configuring Switch to Track a Specified Interface 41.3 Displaying and debugging VRRP 41.4 VRRP Configuration Example 41.4.1 VRRP Single Virtual Router Example Page 41.4.2 VRRP Tracking Interface Example 41.4.3 Multiple Virtual Routers Example Page 41.5 Troubleshooting VRRP I. Fault 1: Frequent prompts of configuration errors on the console II. Fault 2: More than one Masters existing within the same virtual router III. Fault 3: Frequent switchover of VRRP state Chapter 42 HA Configuration 42.1 Introduction to HA 42.2 Configuring HA 42.2.1 Restarting the Slave System Manually 42.2.2 Starting the Master-Slave Switchover Manually 42.2.3 Enabling/Disabling Automatic Synchronization 42.2.4 Synchronizing the Configuration File Manually 42.2.5 Configuring the Load Mode of the Fabric and Slave Board 42.3 Displaying and Debugging HA Configuration Chapter 43 File System Management 43.1 File System Configuration 43.1.1 File System Overview 43.1.2 Directory Operation 43.1.3 File Operation 43.1.4 Storage Device Operation 43.1.5 Setting the Prompt Mode of the File System 43.2 Configuration File Management 43.2.1 Configuration File Management Overview 43.2.2 Displaying the Current-Configuration and Saved-Configuration of Ethernet Switch 43.2.3 Modifying and Saving the Current-Configuration 43.2.4 Erasing Configuration Files from Flash Memory 43.2.5 Configuring the Name of the Configuration File Used for the Next Startup. 43.3 FTP Configuration 43.3.1 FTP Overview Switch PC Network SwitchSwitch PC Network 43.3.2 Enabling/Disabling FTP Server 43.3.3 Configuring the FTP Server Authentication and Authorization 43.3.4 Configuring the Running Parameters of FTP Server 43.3.5 Displaying and Debugging FTP Server 43.3.6 Disconnecting an FTP User 43.3.7 Introduction to FTP Client 43.3.8 FTP Client Configuration Example Switch PC SwitchSwitch PC 43.3.9 FTP Server Configuration Example SwitchSwitch PC Switch PC 43.4 TFTP Configuration 43.4.1 TFTP Overview Switch PC Network SwitchSwitch PC Network 43.4.2 Downloading Files by Means of TFTP 43.4.3 Uploading Files by Means of TFTP 43.4.4 TFTP Client Configuration Example Page Chapter 44 MAC Address Table Management 44.1 MAC Address Table Management Overview 44.2 MAC Address Table Management Configuration 44.2.1 Setting MAC Address Table Entries 44.2.2 Setting MAC Address Aging Time 44.3 Maximum MAC Address Number Learned by Ethernet Port and Forwarding Option Configuration 44.3.1 Maximum MAC Address Number Learned by a Port and Forwarding Option Configuration Tasks 44.4 Displaying and Debugging MAC Address Tables 44.5 Resetting MAC Addresses 44.6 MAC Address Table Management Configuration Example Page Chapter 45 Device management 45.1 Device Management Overview 45.2 Device Management Configuration 45.2.1 Rebooting the Ethernet Switch 45.2.2 Enabling the Timing Reboot Function 45.2.3 Designating the APP Adopted on Next Booting 45.2.4 Upgrading BootROM 45.2.5 Setting Slot Temperature Limit 45.2.6 Updating Service Processing Boards 45.3 Displaying and Debugging Device Management 45.4 Device Management Configuration Example 45.4.1 Using the Switch as an FTP Client to Implement the Remote Upgrade Page 45.4.2 Use the Switch as an FTP Server to Implement the Remote Upgrade Switch PC Network SwitchSwitch PC Network Page Chapter 46 System Maintenance and Debugging 46.1 Basic System Configuration 46.1.1 Setting a Name for a Switch 46.1.2 Setting the System Clock 46.1.3 Setting the Time Zone 46.2 Displaying the State and Information of the System 46.3 System Debugging 46.3.1 Enabling/Disabling the Terminal Debugging 46.3.2 Displaying Diagnostic Information 46.4 Testing Tools for Network Connection 46.4.1 ping 46.4.2 ping-distribute enable 46.4.3 tracert 46.5 Logging Function 46.5.1 Introduction to Info-center Page Page Page 46.5.2 Info-center Configuration Page Page Page 46.5.3 Sending the Configuration Information to the Loghost Page 46.5.4 Sending the Configuration Information to Console terminal Page Page 46.5.5 Sending the Configuration Information to Telnet Terminal or Dumb Terminal Page 46.5.6 Sending the Configuration Information to the Log Buffer Page 46.5.7 Sending the Configuration Information to the Trap Buffer Page 46.5.8 Sending the Configuration Information to SNMP Network Management Page 46.5.9 Displaying and Debugging Info-center 46.5.10 Configuration Examples of Sending Log to the Unix Loghost III. Configuration steps 46.5.11 Configuration examples of sending log to Linux loghost Page 46.5.12 Configuration Examples of Sending Log to the Console Terminal Chapter 47 SNMP Configuration 47.1 SNMP Overview 47.2 SNMP Versions and Supported MIB Page 47.3 Configuring SNMP 47.3.1 Setting Community Names 47.3.2 Setting the System Information 47.3.3 Enabling/Disabling SNMP Agent to Send Trap 47.3.4 Setting the Destination Address of Trap 47.3.5 Setting Lifetime of Trap Message 47.3.6 Setting the Engine ID of a Local or Remote Device 47.3.7 Setting/Deleting an SNMP Group 47.3.8 Setting the Source Address of Trap 47.3.9 Adding/Deleting a User to/from an SNMP Group 47.3.10 Creating/Updating View Information or Deleting a View 47.3.11 Setting the Size of the SNMP Packet Sent/Received by an Agent 47.3.12 Disabling SNMP Agent 47.4 Displaying and Debugging SNMP 47.5 SNMP Configuration Example II. Network diagram III. Configuration procedure IV. Configure network management system Page Chapter 48 RMON Configuration 48.1 RMON Overview 48.2 Configuring RMON 48.2.1 Adding/Deleting an Entry to/from the Event Table 48.2.2 Adding/Deleting an Entry to/from the Alarm Table 48.2.3 Adding/Deleting an Entry to/from the Extended RMON Alarm Table 48.2.4 Adding/Deleting an Entry to/from the History Control Table 48.2.5 Adding/Deleting an Entry to/from the Statistics Table 48.3 Displaying and Debugging RMON 48.4 RMON Configuration Example Page Chapter 49 NTP Configuration 49.1 Brief Introduction to NTP 49.1.1 NTP Functions 49.1.2 Basic Operating Principle of NTP 49.2 NTP Configuration 49.2.1 Configuring NTP Operating Mode I. Configuring NTP Server Mode II. Configuring NTP Peer Mode III. Configuring NTP Broadcast Server Mode IV. Configuring NTP Broadcast Client Mode V. Configuring NTP Multicast Server Mode VI. Configuring NTP Multicast Client Mode 49.2.2 Configuring NTP ID Authentication 49.2.3 Setting NTP Authentication Key 49.2.4 Setting Specified Key as Reliable 49.2.5 Designating an Interface to Transmit NTP Messages 49.2.6 Setting NTP Master Clock 49.2.7 Setting Authority to Access a Local Ethernet Switch 49.2.8 Setting Maximum Local Sessions 49.3 Displaying and Debugging NTP 49.4 NTP Configuration Example 49.4.1 Configuring a NTP Server 49.4.2 NTP Peer Configuration Example Page 49.4.3 Configure NTP Broadcast Mode 49.4.4 Configure NTP Multicast Mode Page 49.4.5 Configure Authentication-Enabled NTP Server Mode Page Chapter 50 SSH Terminal Service 50.1 SSH Terminal Service 50.1.1 SSH Overview Page 50.1.2 SSH Server Configuration Page I. Configuring the protocol the current user interface supports II. Generating or destroying an RSA key pair III. Configuring the user authentication mode IV. Configuring the updating cycle of the server key V. Configuring the authentication timeout VI. Configuring the number of authentication retries VII. Entering the public key view VIII. Entering the public key edit view IX. Generating the Client Public Key Page 3Com Switch 8800 Configuration Guide Chapter 50 SSH Terminal Service 50-10 Convert the file aaa.pub into key configuration data in Hex. Convert the converted result into the CLI of the switch unit Exit from editing the peer public key X. Exiting the public key edit view XI. Specifying the public key for an SSH user XII. Configuring the server compatibility mode 50.1.3 SSH Client Configuration I. Starting the SSH client II. Specifying the public key of the server III. Configuring the first-time authentication of the server 50.1.4 Displaying and Debugging SSH 50.1.5 SSH Server Configuration Example Page Page 50.1.6 SSH Client Configuration Example 50.2 SFTP Service 50.2.1 SFTP Overview 50.2.2 SFTP Server Configuration I. Configuring the service type to be used II. Starting the SFTP server 50.2.3 SFTP Client Configuration I. Starting the SFTP client II. Shutting down the SFTP client III. SFTP directory operations IV. SFTP file operations V. Displaying help information 50.2.4 SFTP Configuration Example 3Com Switch 8800 Configuration Guide Chapter 50 SSH Terminal Service 50-23 Establish the SSH connection between the client and the server. Establish a connection with the remote SFTP server and enter the SFTP client view. Page Page Chapter 51 PoE Configuration 51.1 PoE Overview 51.1.1 PoE on the Switch 51.1.2 External PSE4500-A Power System 51.2 PoE Configuration 51.2.1 PoE Configuration Tasks Page 51.3 Comprehensive Configuration Example Page Chapter 52 PoE PSU Supervision Configuration 52.1 Introduction to PoE PSU Supervision 52.2 AC Input Alarm Thresholds Configuration 52.2.1 AC Input Alarm Thresholds Configuration Tasks 52.2.2 AC Input Alarm Thresholds Configuration Example 52.3 DC Output Alarm Thresholds Configuration 52.3.1 DC Output Alarm Thresholds Configuration Tasks 52.3.2 DC Output Alarm Thresholds Configuration Example 52.4 Displaying PoE Supervision Information 52.5 PoE PSU Supervision Configuration Example