Manuals / 3Com / Computer Equipment / Switch

3Com WX3000 802.1x Authentication Procedure, Fields added for EAP authentication, EAP relay mode

Models: WX3000

1 715

Page 226

Fields added for EAP authentication

Two fields, EAP-message and Message-authenticator, are added to a RADIUS protocol packet for EAP authentication. (Refer to the Introduction to RADIUS protocol section in the AAA Operation Manual for information about the format of a RADIUS protocol packet.)

The EAP-message field, whose format is shown in Figure 1-6, is used to encapsulate EAP packets. The maximum size of the string field is 253 bytes. EAP packets with their size larger than 253 bytes are fragmented and are encapsulated in multiple EAP-message fields. The type code of the EAP-message field is 79.

Figure 1-6The format of an EAP-message field

The Message-authenticator field, whose format is shown in Figure 1-7, is used to prevent unauthorized interception to access requesting packets during authentications using CHAP, EAP, and so on. A packet with the EAP-message field must also have the Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded.

Figure 1-7The format of an Message-authenticator field

802.1x Authentication Procedure

The device can authenticate supplicant systems in EAP terminating mode or EAP relay mode.

EAP relay mode

This mode is defined in 802.1x. In this mode, EAP-packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) and the Message-authenticator field (with a value of 80).

Four authentication ways, namely EAP-MD5, EAP-TLS (transport layer security), EAP-TTLS (tunneled transport layer security), and PEAP (protected extensible authentication protocol), are available in the EAP relay mode.

EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in EAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts the passwords using the MD5 keys.

EAP-TLS allows the supplicant system and the RADIUS server to check each other’s security certificate and authenticate each other’s identity, guaranteeing that data is transferred to the right destination and preventing data from being intercepted.

1-5

Page 226

Image 226

3Com WX3000 operation manual 802.1x Authentication Procedure, Fields added for EAP authentication, EAP relay mode

Contents

3Com WX3000 Series Unified Switches Switching Engine Manual Version 6W100Environmental Statement About This Manual Part ContentsOrganization Convention Description Boldface ConventionsItalic Create Folder Related DocumentationConvention Description Manual DescriptionObtaining Documentation Table of Contents Command Hierarchy CLI ConfigurationIntroduction to the CLI Setting a user level switching password Switching User LevelsSwitching to a specific user level Configuration example Setting the Level of a Command in a Specific ViewSetting the level of a command in a specific view Quit CLI ViewsDisplay Execute Operation Quit or returnRegion-configuration Gigabitethernet commandVlan-interface command Peer-public-key commandPublic-key-code begin Public-key-cOde end Execute the radius schemeExecute Command should be first CLI FeaturesVlan-vpn enable Online HelpPartial online help Command HistoryTerminal Display Press Ctrl+CError Prompts Command EditPress… To… TabTable of Contents Page Introduction to the User Interface Logging In to the Switching EngineLogging In to the Switching Engine Supported User InterfacesCommon User Interface Configuration User Interface IndexType number number Display users allDisplay user-interface Display web usersLogging In Through OAP Logging In to the Switching Engine Through OAPPress Enter to enter user view of the switching engine OAP OverviewOap management-ip Configure the management IPNot configured by default Address of an OAP moduleReset the OAP software Resetting the OAP Software SystemOap reboot slot Logging In Through Telnet Common ConfigurationConfiguration Description IntroductionTelnet Configurations for Different Authentication Modes Authentication Telnet configuration Description ModeTelnet Configuration with Authentication Mode Being None Configuration ProcedureConfiguration procedure Configuration ExampleNetwork requirements Auto-execute command Password Set authenticationPassword cipher User privilege level levelCommand buffer can store up to Set the history command bufferDefault history command Commands by defaultTelnet Configuration with Authentication Mode Being Scheme History-command max-size Scheme commandAuthorization Protocol inbound all sshUser privilege level level command is Level level Service-typePrivilege # Create a local user named guest and enter local user view Telnetting to the Switching Engine Telnetting to the Switching Engine from a TerminalDeviceoap connect slot Connected to OAP Page Device telnet Network management system are configured Vlan interface of the switching engine is assigned an IPUser name and password for logging in to the Web-based Logging In from the Web-Based Network Management SystemSetting Up a Web Configuration Environment Configuring the Login Banner 3The login page of the Web-based network management systemBy default, no login banner is Header login textThrough Web Configured Enabling/Disabling the WEB Server Follow these steps to enable/disable the WEB serverEnable the Web server Ip http shutdownLogging In from NMS Connection Establishment Using NMSRelated information Configuration in user view Configuring Source IP Address for Telnet Service PacketsConfiguring Source IP Address for Telnet Service Packets Configuration in system viewDisplaying Source IP Address Configuration Interface-numberControlling Telnet Users Login mode Control method Implementation ReferenceUser Control PrerequisitesRule rule-id deny permit Match-order config autoAcl number acl-number Acl acl-number inboundRule rule-id deny Controlling Telnet Users by Source MAC AddressesPermit rule-string Controlling Network Management Users by Source IP Addresses Controlling Network Management Users by Source IP Addresses2Network diagram for controlling Snmp users using ACLs Controlling Web Users by Source IP AddressIp http acl acl-number Disconnecting a Web User by ForceControlling Web Users by Source IP Addresses Free web-users all user-idDevice ip http acl Table of Contents Types of configuration Configuration File ManagementIntroduction to Configuration File Format of configuration fileStartup with the configuration file Management of Configuration FileSaving the Current Configuration Modes in saving the configurationErasing the Startup Configuration File Three attributes of the configuration fileAssign backup attribute to the startup configuration file Specifying a Configuration File for Next StartupAssign main attribute to the startup configuration file Startup saved-configurationDisplaying and Maintaining Device Configuration Table of Contents Vlan Overview Vlan OverviewIntroduction to Vlan How Vlan Works Advantages of VLANsVlan tag MAC address learning mechanism of VLANs 2Encapsulation format of traditional Ethernet framesVlan Interface Port-Based VlanVlan Classification Encapsulation Format of Ethernet Data Protocol-Based VlanIntroduction to Protocol-Based Vlan Ethernet II and 802.2/802.3 encapsulationExtended encapsulation formats of 802.2/802.3 packets 6802.3 raw encapsulation formatImplementation of Protocol-Based Vlan Procedure for the Switch to Judge Packet ProtocolEncapsulation Formats Encapsulation Ethernet 802.3 raw 802.2 LLC Snap ProtocolPage Configuration Task List Vlan ConfigurationVlan Configuration Basic Vlan ConfigurationConfiguration prerequisites Basic Vlan Interface ConfigurationDisplaying and Maintaining Vlan Protocol-Based Vlan Configuration Example Configuring a Port-Based VlanConfiguring a Port-Based Vlan Port interface-list# Create Vlan 201, and add GigabitEthernet 1/0/2 to Vlan # Configure GigabitEthernet 1/0/10 of Switch B# Create Vlan 201, and add GigabitEthernet 1/0/12 to Vlan Configuring a Protocol-Based Vlan Configuring a Protocol Template for a Protocol-Based VlanPort hybrid protocol-vlan Associating a Port with a Protocol-Based VlanInterface interface-type Interface-number Vlan vlan-id protocol-indexDynamic static Displaying and Maintaining Protocol-Based VlanDisplay vlan vlan-id to vlan-id all Display protocol-vlan vlan vlan idVlan Protocol-Type Table of Contents Auto Detect Configuration Introduction to the Auto Detect FunctionAuto Detect Configuration Auto Detect Basic ConfigurationIp route-static ip-address mask Auto Detect Implementation in Vlan Interface BackupAuto Detect Implementation in Static Routing Preference-value reject blackholeVlan -id Auto Detect Configuration ExamplesStandby detect-group Is reachable # Configure a static route to Switch a# Create auto detected group Table of Contents Voice Vlan Overview Voice Vlan ConfigurationHow an IP Phone Works 1Network diagram for IP phones AgentHow the Device Identifies Voice Traffic Configuring Operation Mode for Voice VlanNumber OUI address Vendor Processing mode of tagged packets sent by IP voice devices Support for Voice Vlan on Various PortsPort type Supported or not Traffic type Mode Security Mode of Voice VlanPort voice Voice Configuration Prerequisites Voice Vlan ConfigurationConfiguring a Voice Vlan to Operate in Automatic Mode Undo voice vlan mode Configuring a Voice Vlan to Operate in Manual ModeEnable Voice vlan securityTagged untagged Port trunk permit vlanPort hybrid vlan vlan-id Port trunk pvid vlanVoice Vlan Configuration Example Automatic Mode Voice Vlan Configuration ExampleDisplaying and Maintaining Voice Vlan # Configure GigabitEthernet 1/0/1 as a hybrid port Voice Vlan Configuration Example Manual Mode# Enable the voice Vlan function globally # Enable the voice Vlan function on GigabitEthernet 1/0/1Verification # Create Vlan 2 and configure it as a voice Vlan# Configure GigabitEthernet 1/0/1 to operate in manual mode # Display the status of the current voice VlanTable of Contents Garp messages and timers Gvrp ConfigurationIntroduction to Gvrp Garp message format Operating mechanism of GarpGarp packets are in the following format 1Format of Garp packets Field Description ValueConfiguration Prerequisite Gvrp ConfigurationProtocol Specifications Enabling GvrpGarp timer hold join Configuring Gvrp TimersGarp timer leaveall GvrpConfiguring Gvrp Port Registration Mode Displaying and Maintaining GvrpConfigure Switch a # Enable Gvrp globally Gvrp Configuration ExampleGvrp Configuration Example # Enable Gvrp on GigabitEthernet 1/0/1# Enable Gvrp on GigabitEthernet 1/0/3 SwitchE-GigabitEthernet1/0/1 gvrp registration fixed Table of Contents Types and Numbers of Ethernet Ports Basic Port ConfigurationEthernet Port Overview Combo Ports Mapping RelationsConfiguring the Default Vlan ID for an Ethernet Port Link Types of Ethernet PortsAdding an Ethernet Port to Specified VLANs Configuring Ethernet PortsMaking Basic Port Configuration Vlan tagConfiguring Port Auto-Negotiation Speed Speed auto 10 100 Setting the Ethernet Port Broadcast Suppression RatioEnabling Flow Control on a Port Broadcast-suppressionConfiguring Hybrid Port Attribute Configuring Access Port AttributeConfiguring Trunk Port Attribute Configuration tasks Disabling Up/Down Log Output on a PortSystem-view Copy configuration source interface-type Copying Port Configuration to Other PortsConfiguring a Port Group Aggregation-group destination-agg-idSetting Loopback Detection for an Ethernet Port Loopback-detection per-vlan Configuring the Ethernet Port to Run Loopback TestConfigure the Ethernet port to run Loopback detection only on VLANs for the trunk and hybridVirtual-cable-test Enabling the System to Test Connected CableFlow-interval interval Ethernet Port Configuration Example Displaying and Maintaining Ethernet PortsTroubleshooting Ethernet Port Configuration # Configure the default Vlan ID of GigabitEthernet 1/0/1 asTable of Contents Introduction to Link Aggregation Link Aggregation ConfigurationIntroduction to Lacp Introduction to manual aggregation group Operation KeyManual Aggregation Group Port status in manual aggregation groupIntroduction to static Lacp aggregation Static Lacp Aggregation GroupPort status of static aggregation group Introduction to dynamic Lacp aggregation group Configuring system priorityDynamic Lacp Aggregation Group Port status of dynamic aggregation groupConfiguring port priority Aggregation Group CategoriesLink Aggregation Configuration Configuring a Manual Aggregation GroupPort link-aggregation group Configuring a Static Lacp Aggregation GroupDescription agg-name Agg-idLacp system -priority Configuring a Dynamic Lacp Aggregation GroupSystem-priority Link Aggregation Configuration Example Displaying and Maintaining Link AggregationSwitch a Link aggregation Switch B Page Table of Contents Port Isolation Overview Port Isolation ConfigurationPort Isolation Configuration Introduction to Port IsolationPort Isolation Configuration Example Displaying and Maintaining Port IsolationDevice-GigabitEthernet1/0/4 quit device Table of Contents Port Security Overview Port Security ConfigurationPort Security Features IntroductionPort Security Modes Security mode Description FeatureThis mode NeitherSecurity mode Description Feature Follow these steps to enable port security Port Security ConfigurationComplete the following tasks to configure port security Enabling Port SecurityPort-security max-mac-count Setting the Port Security ModePort-security oui OUI-value UserLoginWithOUI mode, a Count-valueConfiguring Port Security Features Configuring the NTK featureConfiguring intrusion protection Configuring the Trap featureConfiguring Security MAC Addresses Displaying and Maintaining Port Security Configuration Port Security Configuration Example# Set the port security mode to autolearn HostSwitch# Enable port security # Enter GigabitEthernet 1/0/1 port viewConfiguring Port Binding Port Binding ConfigurationDisplaying and Maintaining Port Binding Configuration Port Binding OverviewPort Binding Configuration Example Configure switch a as follows # Enter system viewTable of Contents Dldp Configuration Dldp OverviewDldp status Dldp FundamentalsStatus Description Timer Description Dldp timersDldp works with the following timers 2DLDP timers Interval of sending advertisement packets, which can beMode During neighbor Dldp operating modeEnhanced timer then sends one probe packets every one Entry aging Timer expire4Types of packets sent by Dldp Packet type Processing procedureNo Echo packet received from Processing procedure Neighbor Dldp status Packet typesDldp Configuration Tasks Dldp ConfigurationPrecautions During Dldp Configuration Dldp neighbor stateResetting Dldp Status This command only applies to the ports in Dldp down status Reset the Dldp status of a port Dldp resetDldp Network Example # Set the interval of sending Dldp packets to 15 seconds # Enable Dldp globally# Configure Dldp to work in enhanced mode # Display the Dldp statusTable of Contents Introduction to MAC Address Table MAC Address Table ManagementIntroduction to MAC Address Learning 1MAC address learning diagram Managing MAC Address Table Aging of MAC address tableConfiguring MAC Address Table Management Entries in a MAC address tableAdding a MAC address entry in Ethernet port view Configuring a MAC Address EntryAdding a MAC address entry in system view System-view Mac-address static dynamicMac-address timer aging Setting the Aging Time of MAC Address EntriesAge no-aging Max-mac-count count Disabling MAC Address learning for a VlanMac-address Max-mac-countAdding a Static MAC Address Entry Manually Configuration ExampleDisplaying and Maintaining MAC Address Table Display mac-addressTable of Contents Page STP Overview Mstp ConfigurationSTP Overview Classification Designated bridge Designated port All the ports on the root bridge are designated portsHow STP works Step DescriptionStep Description Device Port name Bpdu of port 5Comparison process and result on each device Device Comparison process Bpdu of port afterDevice Comparison process Bpdu of port after 3The final calculated spanning tree Background of Mstp Features of MstpMstp Overview Disadvantages of STP and RstpBasic Mstp Terminologies MST regionCommon root bridge Vlan mapping tableRegion root Port rolePort state MSTP, a port can be in one of the following three statesCalculate an Msti Principle of MstpCalculate the Cist Implement STP algorithmMstp Implementation on the Device STP-related Standards Configuring Root BridgeComplete the following tasks to configure a root bridge Bpdu guard Loop guard TC-BPDU attack guard Bpdu packet dropConfiguring an MST Region # Verify the above configuration Centi-seconds Stp instance instance-id root secondarySet the bridge priority for Configuring the Bridge Priority of the Current DeviceRequired Default bridge priority of a Current device Stp instance instance-idInterface-number compliance Stp interface interface-typeAuto dot1s legacy Stp compliance auto dot1s Configuring the Mstp Operation ModeStp mode stp rstp mstp LegacyConfiguring the Network Diameter of the Switched Network Configuring the Maximum Hop Count of an MST RegionStp max-hops hops Stp timer hello Configuring the Mstp Time-related ParametersStp timer forward-delay Stp timer max-ageConfiguring the Timeout Time Factor Transmit-limit packetnum Stp interface interface-listStp transmit-limit packetnum Configure a port as an edge port in Ethernet port view Configuring the Current Port as an Edge PortConfigure a port as an edge port in system view Edged-port enablePoint-to-point force-true Force-false autoEnabling Mstp Stp enableDisable Stp point-to-point force-trueStp disable Configuring Leaf NodesTask Remarks Configuring the MST Region Configuring a Port as an Edge PortStp pathcost-standard Configuring the Path Cost for a PortStandards for calculating path costs of ports Dot1d-1998 dot1t legacyConfiguration example a Configure the path cost for specific portsConfiguration example B Configure port priority in Ethernet port view Configuring Port PriorityConfigure port priority in system view Instance instance-id portPerform the mCheck operation in Ethernet port view Performing mCheck OperationPerform the mCheck operation in system view Stp interface interface-list mcheckRoot guard Configuring Guard FunctionsBpdu guard Stp mcheckTC-BPDU attack guard Loop guardBpdu dropping Root-protection Configuring Bpdu GuardConfiguring Root Guard Stp root-protectionStp loop-protection Configuring Loop GuardConfiguring TC-BPDU Attack Guard Stp tc-protectionInterface interface-name Configuring Digest SnoopingConfiguring Bpdu Dropping Bpdu-drop anyConfiguring Digest Snooping Stp config-digest-snoopingConfiguring Rapid Transition 6The Rstp rapid transition mechanism No-agreement-check Configuring Rapid TransitionStp no-agreement-check Configuring VLAN-VPN tunnel Configuring VLAN-VPN TunnelVlan-vpn tunnel Stp instance instance id STP Maintenance ConfigurationEnabling Log/Trap Output for Ports of Mstp Instance PortlogEnabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MstpConfigure Switch a # Enter MST region view Mstp Configuration Example# Activate the settings of the MST region manually # Configure the MST region Configure Switch B # Enter MST region viewConfigure Switch C # Enter MST region view Configure Switch D # Enter MST region viewConfigure Switch B # Enable Mstp VLAN-VPN tunnel Configuration ExampleConfigure Switch a # Enable Mstp Configure Switch C # Enable MstpConfigure Switch D # Enable Mstp # Enable the VLAN-VPN tunnel function# Configure GigabitEthernet 1/0/2 as a trunk port # Configure GigabitEthernet 1/0/1 as a trunk portTable of Contents Architecture of 802.1x Authentication 802.1x ConfigurationIntroduction to Controlled port and uncontrolled port Port access entityPort access control method Valid direction of a controlled portEncapsulation of EAPoL Messages Mechanism of an 802.1x Authentication SystemFormat of an EAPoL packet Format of an EAP packet Fields added for EAP authentication 802.1x Authentication ProcedureEAP relay mode Describes the basic EAP-MD5 authentication procedure EAP terminating mode Timers Used 9802.1x authentication procedure in EAP terminating modeAdditional 802.1x Features Implemented Checking the supplicant systemChecking the client version Guest Vlan functionIntroduction to 802.1x Configuration Enabling 802.1x re-authenticationConfiguring Basic 802.1x Functions Basic 802.1x ConfigurationDot1x Dot1x interface interface-list Dot1x authentication-method chapDot1x handshake enable Dot1x port-control authorized-forceDot1x max-user user-number Timer and Maximum User Number ConfigurationDot1x retry max-retry-value Advanced 802.1x Configuration Configuring Proxy CheckingConfiguring Client Version Checking Dot1x dhcp-launch Enabling DHCP-triggered AuthenticationConfiguring Guest Vlan Dot1x port-method portbasedConfiguring the 802.1x Re-Authentication Timer Configuring 802.1x Re-AuthenticationDot1x re-authenticate 802.1x Configuration Example Displaying and Maintaining# Enable 802.1x globally # Enable 802.1x on GigabitEthernet 1/0/1 port# Create a local access user account # Set the default user domain to be aabbcc.net# Create the domain named aabbcc.net and enter its view Introduction to Quick EAD Deployment Quick EAD Deployment ConfigurationConfiguring Quick EAD Deployment Quick EAD Deployment OverviewDot1x url url-string Configuring a free IP rangeSetting the ACL timeout period Dot1x free-ip ip-addressDisplaying and Maintaining Quick EAD Deployment Quick EAD Deployment Configuration ExamplePeriod is 30 minutes Troubleshooting SolutionConfiguring the System-Guard Feature System-Guard ConfigurationConfiguring the System-Guard Feature System-Guard OverviewDisplaying and Maintaining System-Guard Table of Contents Page AAA Overview AuthenticationAuthorization Introduction to AAAAccounting Introduction to AAA ServicesWhat is Radius Introduction to ISP DomainBasic message exchange procedure in Radius 1Databases in a Radius serverDirection client-server Radius message formatCode Message type Message description Client transmits this message to the server to determine ifType field value Attribute type What is Hwtacacs Introduction to HwtacacsBasic message exchange procedure in Hwtacacs 5Network diagram for a typical Hwtacacs application6AAA implementation procedure for a telnet user Page AAA Configuration Task List AAA ConfigurationConfiguration Introduction Creating an ISP Domain and Configuring Its Attributes Messenger time enable limit Configuring an AAA Scheme for an ISP DomainConfiguring a combined AAA scheme Self-service-url disableRadius-scheme-name local Configuring separate AAA schemesDomain isp-name Hwtacacs-schemeLocal local none Authorization none Configuring Dynamic Vlan AssignmentAccounting none Vlan-assignment-mode Configuring the Attributes of a Local UserDomain isp-name Integer stringAuthorization vlan string Password-display-modeService-type ftp lan-access Access-limitFollow these steps to cut down user connections forcibly Radius Configuration Task ListCutting Down User Connections Forcibly Cut down userConfiguring ServersCreating a Radius Scheme Configuring Radius Authentication/Authorization ServersRadius client enable Radius schemeSecondary authentication Configuring Radius Accounting ServersPrimary authentication Ip-address port-numberStop-accounting-buffer Configuring Shared Keys for Radius MessagesSecondary accounting Retry stop-accountingKey authentication string Configuring the Type of Radius Servers to be SupportedKey accounting string Server-type extended Configuring the Status of Radius ServersOptional Servers to be supported Calling-station-id mode State primary authenticationAuthentication block Block activeKey password Configuring the Local Radius Authentication Server FunctionLocal-server enable Local-server nas-ip ip-addressConfiguring Timers for Radius Servers Enabling the User Re-Authentication at Restart Function Accounting-on enable send Hwtacacs Configuration Task ListTimes interval interval Creating a Hwtacacs Scheme Configuring Tacacs Authentication ServersHwtacacs scheme Secondary authorization Configuring Tacacs Authorization ServersPrimary authorization Ip-address portFollow these steps to configure Tacacs accounting servers Configuring Tacacs Accounting ServersConfiguring Shared Keys for Hwtacacs Messages Function is enabled Number of transmissionMega-byte Authentication stringKey accounting Data-flow-format packetOptional By default, the response timeout Tacacs servers Configuring the Timers Regarding Tacacs ServersScheme exists Set the response timeout time Optional By default, the real-time IntervalDisplaying and maintaining AAA information Displaying and Maintaining AAADisplaying and maintaining Radius protocol information Remote Radius Authentication of Telnet/SSH Users AAA Configuration ExamplesDisplaying and maintaining Hwtacacs protocol information # Configure a Radius scheme # Adopt AAA authentication for Telnet users# Configure an ISP domain # Associate the ISP domain with the Radius schemeLocal Authentication of FTP/Telnet Users # Create and configure a local user named telnetHwtacacs Authentication and Authorization of Telnet Users # Configure the domain name of the Hwtacacs scheme to hwtacTroubleshooting Hwtacacs Configuration Troubleshooting AAATroubleshooting Radius Configuration Possible reasons and solutionsIntroduction to EAD EAD ConfigurationTypical Network Application of EAD Security-policy-server EAD ConfigurationEAD Configuration Example Ip-address# Configure the IP address of the security policy server # Associate the domain with the Radius schemeTable of Contents Performing MAC Authentication on a Radius Server MAC Authentication ConfigurationMAC Authentication Overview Performing MAC Authentication LocallyMac-authentication Configuring Basic MAC Authentication FunctionsMAC Authentication Timers Related ConceptsMac-authentication authmode Mac-authentication interfaceMac-authentication Quit Uppercase fixedpassword passwordMAC Address Authentication Enhanced Function Configuration Configuring a Guest VlanGuest-vlan vlan-id Mac-authentication timerGuest-vlan-reauth interval MAC address authentication Number of MAC address Configure the maximum numberMax-auth-num user-number Display mac-authentication Displaying and Maintaining MAC AuthenticationMAC Authentication Configuration Example Reset mac-authentication statistics# Specify to perform local authentication # Add a local user Specify the username and passwordSet the service type to lan-access # Add an ISP domain named aabbcc.netTable of Contents IP Address Classes IP Addressing ConfigurationIP Addressing Overview Net-idSubnetting and Masking Special Case IP AddressesClass Address range Remarks Ip address ip-address mask Configuring IP AddressesMask-length sub Displaying and Maintaining IP Addressing IP Address Configuration ExamplesIP Address Configuration Example Network requirement4Network diagram for IP address configuration Page Configuring IP Performance IP Performance ConfigurationIP Performance Overview Disabling Sending of Icmp Error Packets Displaying and Maintaining IP Performance Configuration Table of Contents Dhcp IP Address Assignment Dhcp OverviewIntroduction to Dhcp IP Address Assignment PolicyObtaining IP Addresses Dynamically Dhcp Packet Format Updating IP Address LeaseProtocols and Standards Usage of Dhcp Relay Agent Dhcp Relay Agent ConfigurationIntroduction to Dhcp Relay Agent Dhcp Relay Agent FundamentalsDhcp Relay Agent Support for Option Padding content of OptionIntroduction to Option 2Padding contents for sub-option 1 of Option Mechanism of Option 82 supported on Dhcp relay agentDhcp-server groupNo ip Configuring the Dhcp Relay AgentDhcp Relay Agent Configuration Task List Ip-address &1-8Configuring Dhcp Relay Agent Security Functions Configuring address checkingDhcp-security static ip-address Address-check enableDhcp relay hand enable Mac-addressEnabling unauthorized Dhcp server detection Configuring the Dhcp Relay Agent to Support OptionConfiguring the Dhcp relay agent to support Option PrerequisitesDisplaying and Maintaining Dhcp Relay Agent Configuration Dhcp Relay Agent Configuration ExampleSolution Troubleshooting Dhcp Relay Agent ConfigurationSymptom AnalysisPage Dhcp Snooping Overview Dhcp Snooping ConfigurationFunction of Dhcp Snooping Padding content and frame format of Option Overview of Dhcp Snooping OptionMechanism of DHCP-snooping Option 2Extended format of the circuit ID sub-optionDhcp-snooping information format command or the default HEX Dhcp-snooping information format command orSub-option configuration Dhcp snooping device will… Overview of IP FilteringDHCP-snooping table Dhcp Snooping ConfigurationConfiguring Dhcp Snooping IP static binding tableEnable DHCP-snooping Option 82 support Configuring Dhcp Snooping to Support OptionDHCP-Snooping Option 82 Support Configuration Task List Required Specify the current port as aDhcp-snooping information Configure a handling policy for Dhcp packets with OptionConfigure the storage format of Option Strategy drop keep replaceVlan vlan-id circuit-id string Configure the circuit ID sub-optionConfigure the remote ID sub-option StringRemote-id sysname string Configuring IP FilteringConfigure the padding format for Option Vlan vlan-id remote-idDhcp Snooping Configuration Example DHCP-Snooping Option 82 Support Configuration Example# Enable DHCP-snooping Option 82 support IP Filtering Configuration Example# Enable Dhcp snooping on Switch # Specify GigabitEthernet 1/0/5 as the trusted port7Network diagram for IP filtering configuration # Specify GigabitEthernet 1/0/1 as the trusted portTrust Displaying and Maintaining Dhcp Snooping ConfigurationDisplay dhcp-snooping Display ip source staticConfiguring a DHCP/BOOTP Client DHCP/BOOTP Client ConfigurationIntroduction to Bootp Client Follow these steps to configure a DHCP/BOOTP clientIp address bootp-alloc Dhcp Client Configuration ExampleDhcp-alloc Bootp client Displaying and Maintaining DHCP/BOOTP Client ConfigurationDisplay bootp client interface Display related information on aTable of Contents ACL Overview ACL ConfigurationACL Matching Order Depth-first match order for rules of an advanced ACL Ways to Apply an ACL on a DeviceDepth-first match order for rules of a basic ACL Being applied to the hardware directlyConfiguring Time Range ACL ConfigurationTypes of ACLs Supported by Devices End-time end-date from start-time start-date to Time-range time-name start-time to end-timeDays-of-the-week from start-time start-date to End-time end-date to end-time end-dateAuto config Configuring Basic ACLRule-string Rule-string , refer to ACL Command Rule-string , refer to ACL Command Configuring Advanced ACLMatch-order auto config Rule rule-id permit denyConfiguring Layer 2 ACL Rule-string Refer to ACL CommandACL Assignment Assigning an ACL to a Vlan Configure procedureAssigning an ACL Globally Packet-filter inbound acl-ruleSystem-view Packet-filter vlan vlan-id Assigning an ACL to a Port GroupInbound acl-rule Displaying and Maintaining ACL Assigning an ACL to a PortSwitchPC Example for Controlling Telnet Login Users by Source IPExample for Controlling Web Login Users by Source IP Examples for Upper-layer Software Referencing ACLsAdvanced ACL Configuration Example Basic ACL Configuration ExampleExamples for Applying ACLs to Hardware Layer 2 ACL Configuration Example # Apply ACL 3000 on GigabitEthernet 1/0/1Example for Applying an ACL to a Vlan # Apply ACL 4000 on GigabitEthernet 1/0/1# Apply ACL 3000 to Vlan Table of Contents Page Introduction to QoS QoS ConfigurationTraditional Packet Forwarding Service New Applications and New RequirementsMajor Traffic Control Techniques QoS Supported by DevicesTraffic Classification IP precedence, ToS precedence, and Dscp precedence PrecedenceIP Precedence decimal IP Precedence binary Description 802.1p priority Dscp value decimal Dscp value binary DescriptionPriority Trust Mode 802.1p priority decimal 802.1p priority binary DescriptionTrusting the 802.1p precedence Trusting the Dscp precedenceDscp precedence Target Dscp precedence Traffic Policing and Traffic Shaping Protocol PriorityPriority Marking Token bucketTraffic policing Evaluating the traffic with the token bucketTraffic shaping Vlan Mapping Traffic RedirectingQueue Scheduling 7Diagram for SP queuing SP queuingSdwrr Flow-based Traffic Accounting QoS ConfigurationQoS Configuration Task List BurstPriority-trust cos automap Configuring Priority Trust ModePriority priority-level Priority-trust dscp automapQos cos-local-precedence-map Configuring Priority MappingQos cos-drop-precedence-map Qos dscp-drop-precedence-map dscp-list Qos cos-dscp-map cos0-map-dscpQos dscp-local-precedence-map dscp-list Qos dscp-cos-map dscp-list cos-valuePage Protocol-type Setting the Priority of Protocol PacketsSystem-view Protocol-priority Ip-precedenceDscp-value cos cos-value Marking Packet PriorityTraffic-priority inbound acl-rule dscp Traffic-priority vlan vlan-id inbound acl-ruleConfiguring Traffic Policing Required Matching specific ACL rulesTraffic-limit inbound acl-rule target-rate Reset traffic-limit inbound acl-ruleReset traffic-limit vlan vlan-id inbound Conform con-action exceedBy default, traffic policing is Policing Configuring Traffic ShapingView Configure traffic Disabled Clear the trafficTraffic-shape queue Configuring Traffic RedirectingConfiguration examples Traffic-redirect inbound acl-rule interfaceTraffic-redirect vlan vlan-id inbound acl-rule Traffic-remark-vlanid inbound Configuring Vlan MappingConfiguring Queue Scheduling Acl-rule remark-vlan vlan-idUndo queue-scheduler queue-id Queue-id queue-weight &1-8Group2 queue-id queue-weight Queue-scheduler wrr group1Collect the statistics on Packets matching specific ACL Reset traffic-statistic inboundCollecting/Clearing Traffic Statistics Traffic-statistic inbound acl-ruleReset traffic-statistic inbound acl-rule Reset traffic-statistic vlan vlan-idTraffic-statistic vlan vlan-id Enabling the Burst Function Configuring Traffic MirroringFollow these steps to enable the burst function Refer to Burst for information about the burst functionMonitor-interface Monitor-portMirrored-to inbound acl-rule Mirrored-to vlan vlan-idRequired Destination port Exit current view Traffic mirroring configurationRequired Mirroring for packets that Displaying and Maintaining QoS QoS Configuration Example Configuration Example of Traffic PolicingPage Dynamic application mode QoS Profile ConfigurationQoS Profile Application Mode Manual application modeConfiguring a QoS Profile QoS Profile ConfigurationQoS Profile Configuration Task List Applying a QoS ProfileUndo qos-profile port-based Displaying and Maintaining QoS ProfileQos-profile port-based System-view Apply qos-profileQoS Profile Configuration Example 1Network diagram for QoS profile configuration# Enable Table of Contents Mirroring Configuration Mirroring OverviewLocal Port Mirroring Remote Port MirroringVLAN-Based Mirroring Switch Ports involved FunctionMAC-Based Mirroring 1Ports involved in the mirroring operationMirroring Configuration Configuring Local Port MirroringConfiguring Remote Port Mirroring Configuration on the device acting as a source switchConfiguration on the device acting as a destination switch Remote-destination Configuring MAC-Based MirroringRemote-probe-vlan-id Monitor-port monitor-portLocal remote-source Configuring VLAN-Based MirroringMirroring-group group-id Mirroring-mac mac vlan Displaying and Maintaining Port Mirroring Mirroring Configuration ExampleLocal Port Mirroring Configuration Example Mirroring-group group-id Mirroring-vlan vlan-idRemote Port Mirroring Configuration Example Configure Switch C # Create a local mirroring group4Network diagram for remote port mirroring # Configure Vlan 10 as the remote-probe Vlan# Configure Vlan 10 as the remote-probe Vlan Page Table of Contents ARP Function ARP ConfigurationIntroduction to ARP ARP Message FormatExperimental Ethernet Field DescriptionValue Description Proteon ProNET Token RingARP Process ARP entry Generation Method Maintenance ModeARP Table ChaosMan-in-the-middle attack Introduction to ARP Attack DetectionARP attack detection Arp timer aging aging-time Configuring ARPConfiguring ARP Basic Functions Introduction to Gratuitous ARPArp detection enable Configuring ARP Attack DetectionArp check enable Arp detection trustArp restricted-forwarding Configuring Gratuitous ARPGratuitous-arp-learning ARP Attack Detection Configuration Example ARP Configuration ExampleARP Basic Configuration Example Displaying and Maintaining ARP# Enable Dhcp snooping on Switch a # Enable ARP attack detection on all ports in VlanTable of Contents Snmp Operation Mechanism Snmp ConfigurationSnmp Overview Snmp VersionsMIB II based on TCP/IP network device RFC MIB attribute MIB content Related RFCSupported MIBs Public MIBSnmp-agent Configuring Basic Snmp FunctionsConfiguring basic Snmp functions for SNMPv1 or SNMPv2c Snmp-agent sys-infoConfiguring basic Snmp functions for SNMPv3 Configuring Trap Parameters Configuring Basic TrapConfiguring Extended Trap Enabling Logging for Network Management Snmp Configuration ExamplesSnmp Configuration Examples Displaying and Maintaining SnmpNetwork procedure 2Network diagram for Snmp configurationConfiguring the NMS Introduction to Rmon Rmon ConfigurationWorking Mechanism of Rmon Commonly Used Rmon Groups Rmon Configuration Configuration procedures Rmon Configuration ExamplesDisplaying and Maintaining Rmon # Display the Rmon extended alarm entry numbered Table of Contents Multicast Overview Information Transmission in the Unicast ModeMulticast Overview Information Transmission in the Broadcast Mode 1Information transmission in the unicast modeInformation Transmission in the Multicast Mode 2Information transmission in the broadcast mode3Information transmission in the multicast mode Roles in MulticastAdvantages of multicast Multicast ModelsAdvantages and Applications of Multicast Application of multicastSFM model Multicast ArchitectureASM model SSM modelClass D address range Description IP multicast addressReserved multicast addresses IP addresses for permanent Ethernet multicast MAC address Multicast Protocols Layer 3 multicast protocolsLayer 2 multicast protocols 5Positions of Layer 3 multicast protocolsMulticast Packet Forwarding Mechanism Implementation of the RPF MechanismRPF Check 7RPF check processPage Principle of Igmp Snooping Igmp Snooping ConfigurationIgmp Snooping Overview Basic Concepts in Igmp SnoopingTimer Description Message before Action after expiry Expiry Work Mechanism of Igmp SnoopingWhen receiving a membership report When receiving a general queryWhen receiving a leave message Igmp Snooping Configuration Task List Igmp Snooping ConfigurationComplete the following tasks to configure Igmp Snooping Enabling Igmp Snooping Configuring the Version of Igmp SnoopingIgmp-snooping enable Igmp-snooping versionConfiguring Fast Leave Processing Configuring TimersEnabling fast leave processing in system view Required By default, the fast leave For specific VLANs Configuring a Multicast Group FilterEnable fast leave processing Enabling fast leave processing in Ethernet port viewIgmp -snooping group -policy Configuring a multicast group filter in system viewConfiguring a multicast group filter in Ethernet port view Acl-number vlan vlan-listIgmp-snooping group-limit limit Configuring Igmp QuerierVlan vlan list overflow-replace Configuring Static Member Port for a Multicast Group Suppressing Flooding of Unknown Multicast Traffic in a VlanVlan interface view Configuring a Static Router PortEthernet port view Multicast static-groupIgmp host-join group-address Configuring a Port as a Simulated Group MemberVlan view Source-ip source-addressConfiguring Multicast Vlan Configuring a Vlan Tag for Query MessagesVlan-mapping vlan Hybrid Port hybrid vlan vlan-id-list Igmp enableService-type multicast Port trunk permit vlan vlan-listConfiguring Igmp Snooping Igmp Snooping Configuration ExamplesDisplaying and Maintaining Igmp Snooping 3Network diagram for Igmp Snooping configuration Configure Switch a # Enable Igmp Snooping globallyInterface IP address of Vlan 20 is Device Device description Networking descriptionGigabitEthernet 1/0/1 is connected to the workstation 4Network diagram for multicast Vlan configuration # Configure VlanTroubleshooting Igmp Snooping Symptom Multicast function does not work on the deviceConfiguring a Multicast MAC Address Entry Common Multicast ConfigurationCommon Multicast Configuration Mac-address multicastUnknown-multicast drop Displaying and Maintaining Common Multicast ConfigurationConfiguring Dropping Unknown Multicast Packets Display mac-address multicastTable of Contents Introduction to NTP NTP ConfigurationApplications of NTP Implementation Principle of NTP NTP Implementation Modes 1Implementation principle of NTPSymmetric peer mode Server/client modeBroadcast mode Multicast mode NTP implementation Configuration on the device ModeConfiguring NTP Server/Client Mode NTP Configuration Task ListConfiguring NTP Implementation Modes Complete the following tasks to configure NTPConfiguring the NTP Symmetric Peer Mode Ntp-service broadcast-server Configuring NTP Broadcast ModeConfigure the device to work NTP broadcast serverConfiguring the device to work in the multicast server mode Configuring NTP Multicast ModeConfiguring the device to work in the multicast client mode Ntp-service access peer Configuring Access Control RightConfiguring NTP Authentication Server synchronizationConfiguring NTP authentication on the client Role of device Working modeConfiguring NTP authentication on the server Mode and NTP multicast Broadcast Configuring Optional NTP ParametersConfigure on NTP Broadcast Server While ConfiguringDisabling an Interface from Receiving NTP messages Displaying and Maintaining NTP ConfigurationNTP Configuration Examples Max-dynamic-sessions# Set Device a as the NTP server of Device B Configure Device C # Set Device a as the NTP server Configuring NTP Symmetric Peer Mode# Set Device C as the peer of Device B 8Network diagram for the NTP broadcast mode configuration Configure Device C # Enter system view # Set Device a as a broadcast client9Network diagram for NTP multicast mode configuration Configure Device B # Enter system view Configuring NTP Server/Client Mode with Authentication# Enable the NTP authentication function # Specify the key 42 as a trusted key Table of Contents Introduction to SSH SSH ConfigurationSSH Overview Algorithm and KeySSH Operating Process Asymmetric Key AlgorithmStages Description Version negotiation Authentication negotiationKey negotiation Session request Configuring the SSH ServerData exchange Authentication-mode scheme SSH Server Configuration TasksConfiguring the Protocol Support for the User Interface Command-authorizationGenerating/Destroying a RSA or DSA Key Pair Creating an SSH User and Specify an Authentication Type Exporting the RSA or DSA Public KeySsh user username service-type Specifying a Service Type for an SSH UserConfiguring SSH Management Stelnet sftp allConfiguring the Client Public Key on the Server Peer-public-key end Public-key-code endRsa peer-public-key keyname Ssh user username assign Assigning a Public Key to an SSH UserSpecifying a Source IP Address/Interface for the SSH Server Publickey rsa-key keynameSSH Client Configuration Tasks Configuring the SSH ClientConfiguring the SSH Client Using an SSH Client Software Generate a client key 2Generate a client key4Generate the client keys Specify the IP address of the Server Launch PuTTY.exe. The following window appearsSelect an SSH version Select a protocol for remote connectionAs shown in -7, select SSH under Protocol Open an SSH connection with publickey authentication 8SSH client configuration interface10SSH client interface Open an SSH connection with password authentication Configuring the SSH Client on an SSH2-Capable DeviceConfigure whether first-time authentication is supported Establish the connection between the SSH client and server Ssh2 source-ip ip-address Displaying and Maintaining SSH ConfigurationSpecifying a Source IP address/Interface for the SSH client Ssh2 source-interface# Enable the user interfaces to support SSH SSH Configuration Examples# Generate RSA and DSA key pairs Page 14SSH client interface # Set the client’s command privilege level to # Assign the public key Switch001 to client client001Page 18Generate a client key pair Page 22SSH client interface Device system-view Device interface vlan-interface # Establish a connection to the server # Assign the public key Switch001 to user client001 # Set the user command privilege level to# Generate a DSA key pair 25Network diagram of SSH client configuration # Configure the user interfaces to support SSH # Set AAA authentication on user interfaces# Assign public key Switch001 to user client001 # Specify the host public key pair name of the server # Establish the SSH connection to serverTable of Contents File System Configuration Tasks File System Management ConfigurationFile System Configuration Introduction to File SystemFile Operations Execute filename Prompt Mode ConfigurationFlash Memory Operations Format deviceFile System Configuration Example File prompt alert quietAttribute Description Feature Identifier File Attribute ConfigurationIntroduction to File Attributes Configuring File Attributes Table of Contents Introduction to FTP FTP and Sftp ConfigurationIntroduction to FTP and Sftp Description RemarksService-type ftp FTP ConfigurationFTP Configuration The Device Operating as an FTP Server Introduction to SftpFtp timeout minutes Configuring connection idle timeEnabling an FTP server Ftp-server source-ip ip-address Disconnecting a specified userFtp-server source-interface Ftp disconnect user-nameConfiguring the banner for an FTP server Basic configurations on an FTP client FTP Configuration The Device Operating as an FTP ClientDisplaying FTP server information Disconnect CdupLcd CloseConfiguration Example The Device Operating as an FTP Server # Upload the config.cfg file. ftp put config.cfg FTP Banner Display Configuration Example 4Network diagram for FTP banner display configuration # Enter the authorized directory on the FTP server Complete the following tasks to configure Sftp Sftp ConfigurationSftp Configuration The Device Operating as an Sftp Server Follow these steps to enable an Sftp serverFtp timeout time-out-value Sftp Configuration The Device Operating as an Sftp ClientBasic configurations on an Sftp client Time for the Sftp server Minutes by defaultDelete remotefile Help all command-nameSftp host-ip host-name Remove remote-fileSftp source-ip ip-address Sftp Configuration ExampleSftp source-interface Display sftp source-ip# Enable the Sftp server # Specify the SSH authentication mode as AAA# Specify the service type as Sftp # Create a local user client001Sftp-client # Exit Sftp Complete the following tasks to configure Tftp Tftp ConfigurationTftp Configuration Introduction to TftpTftp ascii binary Tftp Configuration The Device Operating as a Tftp ClientBasic configurations on a Tftp client Tftp-server acl acl-numberTftp source-ip ip-address Tftp Configuration ExampleTftp source-interface Display tftp source-ipDevice tftp 1.1.1.2 get config.cfg config.cfg Table of Contents Introduction to Information Center Information CenterInformation Center Overview Classification of system informationTen channels and six output directions of system information Outputting system information by source module Module name DescriptionSystem Information Format Timestamp PrioritySysname Information Center Configuration Introduction to the Information Center Configuration TasksConfiguring Synchronous Information Output Set for the systemSetting to Output System Information to the Console Setting to output system information to the consoleTerminal debugging Enabling system information display on the consoleTerminal monitor Terminal loggingEnabling system information display on a monitor terminal Setting to Output System Information to a Monitor TerminalSetting to output system information to a monitor terminal Info-center monitor channelInfo-center loghost Setting to Output System Information to a Log HostInfo-center loghost source Info-center trapbuffer Setting to Output System Information to the Trap BufferSetting to Output System Information to the Log Buffer Info-center sourceInfo-center logbuffer Setting to Output System Information to the Snmp NMSInfo-center snmp channel Displaying and Maintaining Information Center Information Center Configuration ExamplesLog Output to a Unix Log Host # mkdir /var/log/Switch # touch /var/log/Switch/information 2Network diagram for log output to a Linux log host Log Output to a Linux Log Host3Network diagram for log output to the console Log Output to the Console# Enable terminal display 4Network diagramTable of Contents Loading procedure using FTP client Host Configuration File LoadingRemote Loading Using FTP Introduction to Loading ApproachesLoading procedure using FTP server Restart Switch2Remote loading using FTP server Use the put command to upload the file config.cfg to Switch Remote Loading Using Tftp Basic System Configuration and Debugging Basic System ConfigurationEnabling/Disabling System Debugging Displaying the System StatusDebugging the System Display clockDisplaying Debugging Status Displaying Operating Information about Modules in SystemPing Network Connectivity TestNetwork Connectivity Test TracertRebooting the Device Device Management ConfigurationDevice Management Configuration Tasks Device ManagementSchedule reboot delay Scheduling a Reboot on the DeviceSchedule reboot at hhmm Schedule reboot regularityIntroduction to pluggable transceivers Identifying and Diagnosing Pluggable TransceiversIdentifying pluggable transceivers Diagnosing pluggable transceivers Table of Contents VLAN-VPN Overview VLAN-VPN ConfigurationIntroduction to VLAN-VPN Adjusting the Tpid Values of VLAN-VPN Packets Implementation of VLAN-VPNEnabling the VLAN-VPN Feature for a Port VLAN-VPN ConfigurationProtocol type Value Displaying and Maintaining VLAN-VPN Tpid Adjusting ConfigurationVlan-vpn uplink enable Vlan-vpn tpid valueVLAN-VPN Configuration Example 4Network diagram for VLAN-VPN configurationSwitchA vlan-vpn tpid Data transfer processPage Selective QinQ Overview Selective QinQ ConfigurationSelective QinQ Overview Inner-to-Outer Tag Priority Mapping Selective QinQ ConfigurationEnabling the Selective QinQ Feature for a Port Vlan-vpn vid vlan-idProcessing Private Network Packets by Their Types Selective QinQ Configuration ExampleConfiguring the Inner-to-Outer Tag Priority Mapping Feature Vlan-vpn priority2Network diagram for selective QinQ configuration # Enable the VLAN-VPN feature on GigabitEthernet 1/0/3SwitchA-GigabitEthernet1/0/3 vlan-vpn enable Page Table of Contents HWPing Overview HWPing ConfigurationIntroduction to HWPing Supported test types Description Test Types Supported by HWPingHWPing Test Parameters Test parameter DescriptionDns Username and passwordDns-server Configuration on a HWPing Server HWPing ConfigurationHWPing server configuration tasks HWPing server configuration HWPing Client ConfigurationHWPing client configuration Count times Timeout timeTest-enable Datasize sizeSource-port port-number Test-type dhcpTest-type ftp Username name Password passwordFtp-operation get put Filename file-nameTest-type http Destination-ip command toDns-server ip-address Http-operation get postDestination-port Test-type jitterJitter-interval interval Jitter-packetnum numberTest-type snmpquery Operation- tag Configure the destination Configured on the HWPingServer for listening services This IP address and the oneTest-type tcpprivate Hwping-serverTcpconnect ip-address7 TcppublicTest-type udpprivate UdppublicAddress is specified Time Three seconds Optional Configure the service typeTest-type dns Configuring HWPing client to send Trap messages Displaying and Maintaining HWPing HWPing Configuration ExampleAdministrator-name operation-tag Icmp TestDhcp Test # Display test results# Configure the test type as dhcp FTP Test # Set the probe timeout time to 30 seconds # Configure the source IP address# Configure the IP address of the Http server as # Configure the test type as httpHttp Test Jitter Test # Configure the test type as jitter Network diagramConfigure HWPing Client Switch a # Enable the HWPing client # Configure the IP address of the HWPing server asSnmp Test 7Network diagram for the Snmp test # Configure the test type as snmp8Network diagram for the Tcpprivate test TCP Test Tcpprivate Test on the Specified Ports# Configure the test type as tcpprivate # Configure the test type as udpprivate UDP Test Udpprivate Test on the Specified PortsDNS Test # Configure the test type as dns # Configure the IP address of the DNS server asIndex Table of Contents Dynamic Domain Name Resolution DNS ConfigurationStatic Domain Name Resolution Resolution procedureConfiguring Static Domain Name Resolution Configuring Domain Name ResolutionDNS suffixes Configuring Dynamic Domain Name Resolution DNS Configuration ExampleStatic Domain Name Resolution Configuration Example Dynamic Domain Name Resolution Configuration Example 2Network diagram for static DNS configuration# Configure the IP address 2.1.1.2 for the DNS server # Configure com as the DNS suffixTroubleshooting DNS Configuration Displaying and Maintaining DNSTable of Contents Basic Concepts in Smart Link Smart Link ConfigurationSmart Link Overview Smart Link groupFlush message Master portSlave port Control Vlan for sending flush messagesComplete the following tasks to configure Smart Link Configuring Smart LinkOperating Mechanism of Smart Link Configuring a Smart Link Device Flush enable control-vlan Configuring Associated DevicesPrecautions Smart-link flush enable control-vlan vlan-id portImplementing Link Redundancy Backup Smart Link Configuration ExampleDisplaying and Maintaining Smart Link # Configure to send flush messages within Vlan # Return to system viewSwitchD system-view Monitor Link Configuration Introduction to Monitor Link2Network diagram for a Monitor Link group implementation How Monitor Link WorksConfiguring the Uplink Port Configuring Monitor LinkCreating a Monitor Link Group Uplink Configuring a Downlink PortPort monitor-link group Monitor Link Configuration Example Displaying and Maintaining Monitor Link# Configure to send flush messages in Vlan # Create Smart Link group 1 and enter Smart Link group viewSwitchC monitor-link group Table of Contents Introduction to PoE PoE ConfigurationPoE Overview Advantages of PoEPoE Configuration Task List PoE ConfigurationPoE Features Supported by the Device Maximum Power Provided by Each Electrical PortPoe enable Enabling the PoE Feature on a PortSetting the Maximum Output Power on a Port Poe max-power max-powerPoe power-management Setting PoE Management Mode and PoE Priority of a PortSetting the PoE Mode on a Port Poe priority critical highPoe update refresh Configuring the PD Compatibility Detection FunctionPoe legacy enable Upgrading the PSE Processing Software OnlinePoE Configuration Example PoE Configuration ExampleDisplaying and Maintaining PoE Configuration Networking requirements1Network diagram for PoE # Upgrade the PSE processing software onlineConfiguring PoE Profile PoE Profile ConfigurationPoE Profile Configuration Introduction to PoE ProfileDisplay poe-profile Displaying and Maintaining PoE Profile ConfigurationPoE Profile to Port All-profile interfacePoE Profile Application Example PoE Profile Configuration Example# Create Profile1, and enter PoE profile view # Display detailed configuration information for Profile2 # Display detailed configuration information for Profile1# Create Profile2, and enter PoE profile view Table of Contents Page IP Route IP Routing Protocol OverviewIntroduction to IP Route and Routing Table Routing TablePage Classification of Dynamic Routing Protocols Routing Protocol OverviewStatic Routing and Dynamic Routing Routing Protocols and Routing PriorityRouting Information Sharing Load Sharing and Route BackupRoute backup Load sharingDisplaying and Maintaining a Routing Table Introduction to Static Route Static Route ConfigurationStatic Route Default Route Static Route ConfigurationConfiguring a Static Route Static Route Configuration Example Displaying and Maintaining Static Routes# Approach 1 Configure static routes on Switch B Troubleshooting a Static Route# Approach 2 Configure a static route on Switch a # Approach 2 Configure a static route on Switch BBasic Concepts RIP ConfigurationRIP Overview RIP routing databaseRIP Startup and Operation RIP timersRouting loops prevention Configuring Basic RIP Functions RIP Configuration Task ListBasic RIP Configuration RipRIP Route Control Setting the RIP operating status on an interfaceSpecifying the RIP version on an interface Configuring RIP route summarization Configuring RIP Route ControlSetting the additional routing metrics of an interface Rip metricin valueConfiguring RIP to filter incoming/outgoing routes Disabling the router from receiving host routesRIP Network Adjustment and Optimization Setting RIP preferenceConfiguring split horizon Configuration TasksConfiguring RIP timers Configuring RIP-1 packet zero field checkRip authentication-mode Setting RIP-2 packet authentication modeConfiguring RIP to unicast RIP packets Simple password md5Displaying and Maintaining RIP Configuration RIP Configuration ExampleConfigure Switch B # Configure RIP Troubleshooting RIP ConfigurationFailed to Receive RIP Updates Configure Switch C # Configure RIPIntroduction to IP Route Policy IP Route Policy ConfigurationIP Route Policy Overview FiltersFor ACL configuration, refer to the part discussing ACL IP Route Policy Configuration Task ListRoute Policy Configuration Route policyDefining a Route Policy Defining if-match Clauses and apply ClausesIf-match ip next-hop acl IP Route Policy Configuration ExampleDisplaying and Maintaining IP Route Policy Apply cost valueConfiguration considerations SwitchC-acl-basic-2000 quit SwitchC acl number Configuration verification Troubleshooting IP Route Policy PrecautionsTable of Contents Introduction to UDP Helper UDP Helper ConfigurationProtocol UDP port number Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example# Enable UDP Helper on Switch a Cross-Network Computer Search Through UDP HelperTable of Contents Appendix a Acronyms Protocol Independent Multicast-Dense Mode Medium Access ControlNon Broadcast MultiAccess Protocol Independent Multicast-Sparse Mode