Basic message exchange procedure in Hwtacacs

Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS.

Table 1-3Differences between HWTACACS and RADIUS

HWTACACS		RADIUS
Adopts TCP, providing more reliable network		Adopts UDP.
transmission.		Adopts UDP.
transmission.

Encrypts the entire message except the		Encrypts only the password field in
HWTACACS header.		authentication message.

Separates authentication from authorization. For
example, you can use one TACACS server for		Combines authentication and authorization.
authentication and another TACACS server for		Combines authentication and authorization.
authentication and another TACACS server for
authorization.

Is more suitable for security control.		Is more suitable for accounting.

Supports configuration command authorization.	Does not support.

In a typical HWTACACS application (as shown in Figure 1-5), a terminal user needs to log into the device to perform some operations. As a HWTACACS client, the device sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user successfully logs into the switching engine to perform operations.

Figure 1-5Network diagram for a typical HWTACACS application

HWTACACS server

Host	HWTACACS client

HWTACACS server

Basic message exchange procedure in HWTACACS

The following text takes telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for a user. Figure 1-6 illustrates the basic message exchange procedure:

1-7

Page 257

Image 257

3Com WX3000 Basic message exchange procedure in Hwtacacs, 5Network diagram for a typical Hwtacacs application

Contents

Manual Version 6W100 3Com WX3000 Series Unified Switches Switching Engine Environmental Statement Organization Part ContentsAbout This Manual Italic ConventionsConvention Description Boldface Convention Description Related DocumentationCreate Folder Manual Description Obtaining Documentation Table of Contents Introduction to the CLI CLI ConfigurationCommand Hierarchy Switching to a specific user level Switching User LevelsSetting a user level switching password Setting the level of a command in a specific view Setting the Level of a Command in a Specific ViewConfiguration example Display Execute Operation CLI ViewsQuit Quit or return Vlan-interface command Gigabitethernet commandRegion-configuration Peer-public-key command Ode end Public-key-cPublic-key-code begin Execute the radius scheme Vlan-vpn enable CLI FeaturesExecute Command should be first Online Help Terminal Display Command HistoryPartial online help Press Ctrl+C Command Edit Error Prompts Tab Press… To… Table of Contents Page Logging In to the Switching Engine Logging In to the Switching EngineIntroduction to the User Interface Supported User Interfaces User Interface Index Common User Interface Configuration Display user-interface Display users allType number number Display web users Press Enter to enter user view of the switching engine Logging In to the Switching Engine Through OAPLogging In Through OAP OAP Overview Not configured by default Configure the management IPOap management-ip Address of an OAP module Oap reboot slot Resetting the OAP Software SystemReset the OAP software Configuration Description Common ConfigurationLogging In Through Telnet Introduction Authentication Telnet configuration Description Mode Telnet Configurations for Different Authentication Modes Configuration Procedure Telnet Configuration with Authentication Mode Being None Network requirements Configuration ExampleConfiguration procedure Password cipher Password Set authenticationAuto-execute command User privilege level level Default history command Set the history command bufferCommand buffer can store up to Commands by default Telnet Configuration with Authentication Mode Being Scheme Authorization Scheme commandHistory-command max-size Protocol inbound all ssh Privilege Service-typeUser privilege level level command is Level level # Create a local user named guest and enter local user view Telnetting to the Switching Engine from a Terminal Telnetting to the Switching Engine Deviceoap connect slot Connected to OAP Page Device telnet User name and password for logging in to the Web-based Vlan interface of the switching engine is assigned an IPNetwork management system are configured Logging In from the Web-Based Network Management System Setting Up a Web Configuration Environment 3The login page of the Web-based network management system Configuring the Login Banner Through Web Configured Header login textBy default, no login banner is Enable the Web server Follow these steps to enable/disable the WEB serverEnabling/Disabling the WEB Server Ip http shutdown Related information Connection Establishment Using NMSLogging In from NMS Configuring Source IP Address for Telnet Service Packets Configuring Source IP Address for Telnet Service PacketsConfiguration in user view Configuration in system view Interface-number Displaying Source IP Address Configuration User Control Login mode Control method Implementation ReferenceControlling Telnet Users Prerequisites Acl number acl-number Match-order config autoRule rule-id deny permit Acl acl-number inbound Permit rule-string Controlling Telnet Users by Source MAC AddressesRule rule-id deny Controlling Network Management Users by Source IP Addresses Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address 2Network diagram for controlling Snmp users using ACLs Controlling Web Users by Source IP Addresses Disconnecting a Web User by ForceIp http acl acl-number Free web-users all user-id Device ip http acl Table of Contents Introduction to Configuration File Configuration File ManagementTypes of configuration Format of configuration file Saving the Current Configuration Management of Configuration FileStartup with the configuration file Modes in saving the configuration Three attributes of the configuration file Erasing the Startup Configuration File Assign main attribute to the startup configuration file Specifying a Configuration File for Next StartupAssign backup attribute to the startup configuration file Startup saved-configuration Displaying and Maintaining Device Configuration Table of Contents Introduction to Vlan Vlan OverviewVlan Overview Vlan tag Advantages of VLANsHow Vlan Works 2Encapsulation format of traditional Ethernet frames MAC address learning mechanism of VLANs Vlan Classification Port-Based VlanVlan Interface Introduction to Protocol-Based Vlan Protocol-Based VlanEncapsulation Format of Ethernet Data Ethernet II and 802.2/802.3 encapsulation 6802.3 raw encapsulation format Extended encapsulation formats of 802.2/802.3 packets Encapsulation Formats Procedure for the Switch to Judge Packet ProtocolImplementation of Protocol-Based Vlan Encapsulation Ethernet 802.3 raw 802.2 LLC Snap ProtocolPage Vlan Configuration Vlan ConfigurationConfiguration Task List Basic Vlan Configuration Displaying and Maintaining Vlan Basic Vlan Interface ConfigurationConfiguration prerequisites Configuring a Port-Based Vlan Configuring a Port-Based VlanProtocol-Based Vlan Configuration Example Port interface-list # Create Vlan 201, and add GigabitEthernet 1/0/12 to Vlan # Configure GigabitEthernet 1/0/10 of Switch B# Create Vlan 201, and add GigabitEthernet 1/0/2 to Vlan Configuring a Protocol Template for a Protocol-Based Vlan Configuring a Protocol-Based Vlan Interface interface-type Interface-number Associating a Port with a Protocol-Based VlanPort hybrid protocol-vlan Vlan vlan-id protocol-index Display vlan vlan-id to vlan-id all Displaying and Maintaining Protocol-Based VlanDynamic static Display protocol-vlan vlan vlan id Vlan Protocol-Type Table of Contents Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Basic Configuration Auto Detect Configuration Auto Detect Implementation in Static Routing Auto Detect Implementation in Vlan Interface BackupIp route-static ip-address mask Preference-value reject blackhole Standby detect-group Auto Detect Configuration ExamplesVlan -id # Create auto detected group # Configure a static route to Switch aIs reachable Table of Contents How an IP Phone Works Voice Vlan ConfigurationVoice Vlan Overview Agent 1Network diagram for IP phones Number OUI address Vendor Configuring Operation Mode for Voice VlanHow the Device Identifies Voice Traffic Support for Voice Vlan on Various Ports Processing mode of tagged packets sent by IP voice devices Port voice Voice Security Mode of Voice VlanPort type Supported or not Traffic type Mode Configuring a Voice Vlan to Operate in Automatic Mode Voice Vlan ConfigurationConfiguration Prerequisites Enable Configuring a Voice Vlan to Operate in Manual ModeUndo voice vlan mode Voice vlan security Port hybrid vlan vlan-id Port trunk permit vlanTagged untagged Port trunk pvid vlan Displaying and Maintaining Voice Vlan Voice Vlan Configuration ExampleVoice Vlan Configuration Example Automatic Mode # Enable the voice Vlan function globally Voice Vlan Configuration Example Manual Mode# Configure GigabitEthernet 1/0/1 as a hybrid port # Enable the voice Vlan function on GigabitEthernet 1/0/1 # Configure GigabitEthernet 1/0/1 to operate in manual mode # Create Vlan 2 and configure it as a voice VlanVerification # Display the status of the current voice Vlan Table of Contents Introduction to Gvrp Gvrp ConfigurationGarp messages and timers Garp packets are in the following format Operating mechanism of GarpGarp message format Field Description Value 1Format of Garp packets Protocol Specifications Gvrp ConfigurationConfiguration Prerequisite Enabling Gvrp Garp timer leaveall Configuring Gvrp TimersGarp timer hold join Gvrp Displaying and Maintaining Gvrp Configuring Gvrp Port Registration Mode Gvrp Configuration Example Gvrp Configuration ExampleConfigure Switch a # Enable Gvrp globally # Enable Gvrp on GigabitEthernet 1/0/1 # Enable Gvrp on GigabitEthernet 1/0/3 SwitchE-GigabitEthernet1/0/1 gvrp registration fixed Table of Contents Ethernet Port Overview Basic Port ConfigurationTypes and Numbers of Ethernet Ports Combo Ports Mapping Relations Link Types of Ethernet Ports Configuring the Default Vlan ID for an Ethernet Port Making Basic Port Configuration Configuring Ethernet PortsAdding an Ethernet Port to Specified VLANs Vlan tag Configuring Port Auto-Negotiation Speed Enabling Flow Control on a Port Setting the Ethernet Port Broadcast Suppression RatioSpeed auto 10 100 Broadcast-suppression Configuring Trunk Port Attribute Configuring Access Port AttributeConfiguring Hybrid Port Attribute Disabling Up/Down Log Output on a Port Configuration tasks Configuring a Port Group Copying Port Configuration to Other PortsSystem-view Copy configuration source interface-type Aggregation-group destination-agg-id Setting Loopback Detection for an Ethernet Port Configure the Ethernet port to run Configuring the Ethernet Port to Run Loopback TestLoopback-detection per-vlan Loopback detection only on VLANs for the trunk and hybrid Flow-interval interval Enabling the System to Test Connected CableVirtual-cable-test Displaying and Maintaining Ethernet Ports Ethernet Port Configuration Example # Configure the default Vlan ID of GigabitEthernet 1/0/1 as Troubleshooting Ethernet Port Configuration Table of Contents Introduction to Lacp Link Aggregation ConfigurationIntroduction to Link Aggregation Manual Aggregation Group Operation KeyIntroduction to manual aggregation group Port status in manual aggregation group Port status of static aggregation group Static Lacp Aggregation GroupIntroduction to static Lacp aggregation Dynamic Lacp Aggregation Group Configuring system priorityIntroduction to dynamic Lacp aggregation group Port status of dynamic aggregation group Aggregation Group Categories Configuring port priority Configuring a Manual Aggregation Group Link Aggregation Configuration Description agg-name Configuring a Static Lacp Aggregation GroupPort link-aggregation group Agg-id System-priority Configuring a Dynamic Lacp Aggregation GroupLacp system -priority Displaying and Maintaining Link Aggregation Link Aggregation Configuration Example Switch a Link aggregation Switch B Page Table of Contents Port Isolation Configuration Port Isolation ConfigurationPort Isolation Overview Introduction to Port Isolation Displaying and Maintaining Port Isolation Port Isolation Configuration Example Device-GigabitEthernet1/0/4 quit device Table of Contents Port Security Features Port Security ConfigurationPort Security Overview Introduction This mode Security mode Description FeaturePort Security Modes Neither Security mode Description Feature Complete the following tasks to configure port security Port Security ConfigurationFollow these steps to enable port security Enabling Port Security Port-security oui OUI-value UserLoginWithOUI mode, a Setting the Port Security ModePort-security max-mac-count Count-value Configuring the NTK feature Configuring Port Security Features Configuring the Trap feature Configuring intrusion protection Configuring Security MAC Addresses Port Security Configuration Example Displaying and Maintaining Port Security Configuration # Enable port security HostSwitch# Set the port security mode to autolearn # Enter GigabitEthernet 1/0/1 port view Displaying and Maintaining Port Binding Configuration Port Binding ConfigurationConfiguring Port Binding Port Binding Overview Configure switch a as follows # Enter system view Port Binding Configuration Example Table of Contents Dldp Overview Dldp Configuration Status Description Dldp FundamentalsDldp status Dldp works with the following timers 2DLDP timers Dldp timersTimer Description Interval of sending advertisement packets, which can be Enhanced timer then sends one probe packets every one Dldp operating modeMode During neighbor Entry aging Timer expire No Echo packet received from Processing procedure Neighbor Packet type Processing procedure4Types of packets sent by Dldp Dldp status Packet types Precautions During Dldp Configuration Dldp ConfigurationDldp Configuration Tasks Dldp neighbor state Resetting Dldp Status Dldp Network Example Reset the Dldp status of a port Dldp resetThis command only applies to the ports in Dldp down status # Configure Dldp to work in enhanced mode # Enable Dldp globally# Set the interval of sending Dldp packets to 15 seconds # Display the Dldp status Table of Contents Introduction to MAC Address Learning MAC Address Table ManagementIntroduction to MAC Address Table 1MAC address learning diagram Aging of MAC address table Managing MAC Address Table Entries in a MAC address table Configuring MAC Address Table Management Adding a MAC address entry in system view Configuring a MAC Address EntryAdding a MAC address entry in Ethernet port view System-view Mac-address static dynamic Age no-aging Setting the Aging Time of MAC Address EntriesMac-address timer aging Mac-address Disabling MAC Address learning for a VlanMax-mac-count count Max-mac-count Displaying and Maintaining MAC Address Table Configuration ExampleAdding a Static MAC Address Entry Manually Display mac-address Table of Contents Page STP Overview Mstp ConfigurationSTP Overview All the ports on the root bridge are designated ports Classification Designated bridge Designated port Step Description How STP works Step Description Device Port name Bpdu of port Device Comparison process Bpdu of port after 5Comparison process and result on each device Device Comparison process Bpdu of port after 3The final calculated spanning tree Mstp Overview Features of MstpBackground of Mstp Disadvantages of STP and Rstp MST region Basic Mstp Terminologies Region root Vlan mapping tableCommon root bridge Port role MSTP, a port can be in one of the following three states Port state Calculate the Cist Principle of MstpCalculate an Msti Implement STP algorithm Mstp Implementation on the Device Complete the following tasks to configure a root bridge Configuring Root BridgeSTP-related Standards Bpdu guard Loop guard TC-BPDU attack guard Bpdu packet drop Configuring an MST Region # Verify the above configuration Stp instance instance-id root secondary Centi-seconds Required Default bridge priority of a Current device Configuring the Bridge Priority of the Current DeviceSet the bridge priority for Stp instance instance-id Auto dot1s legacy Stp interface interface-typeInterface-number compliance Stp mode stp rstp mstp Configuring the Mstp Operation ModeStp compliance auto dot1s Legacy Stp max-hops hops Configuring the Maximum Hop Count of an MST RegionConfiguring the Network Diameter of the Switched Network Stp timer forward-delay Configuring the Mstp Time-related ParametersStp timer hello Stp timer max-age Configuring the Timeout Time Factor Stp transmit-limit packetnum Stp interface interface-listTransmit-limit packetnum Configure a port as an edge port in system view Configuring the Current Port as an Edge PortConfigure a port as an edge port in Ethernet port view Edged-port enable Force-false auto Point-to-point force-true Disable Stp enableEnabling Mstp Stp point-to-point force-true Task Remarks Configuring Leaf NodesStp disable Configuring a Port as an Edge Port Configuring the MST Region Standards for calculating path costs of ports Configuring the Path Cost for a PortStp pathcost-standard Dot1d-1998 dot1t legacy Configuration example B Configure the path cost for specific portsConfiguration example a Configure port priority in system view Configuring Port PriorityConfigure port priority in Ethernet port view Instance instance-id port Perform the mCheck operation in system view Performing mCheck OperationPerform the mCheck operation in Ethernet port view Stp interface interface-list mcheck Bpdu guard Configuring Guard FunctionsRoot guard Stp mcheck Bpdu dropping Loop guardTC-BPDU attack guard Configuring Root Guard Configuring Bpdu GuardRoot-protection Stp root-protection Configuring TC-BPDU Attack Guard Configuring Loop GuardStp loop-protection Stp tc-protection Configuring Bpdu Dropping Configuring Digest SnoopingInterface interface-name Bpdu-drop any Stp config-digest-snooping Configuring Digest Snooping Configuring Rapid Transition 6The Rstp rapid transition mechanism Stp no-agreement-check Configuring Rapid TransitionNo-agreement-check Vlan-vpn tunnel Configuring VLAN-VPN TunnelConfiguring VLAN-VPN tunnel Enabling Log/Trap Output for Ports of Mstp Instance STP Maintenance ConfigurationStp instance instance id Portlog Displaying and Maintaining Mstp Enabling Trap Messages Conforming to 802.1d Standard # Activate the settings of the MST region manually Mstp Configuration ExampleConfigure Switch a # Enter MST region view Configure Switch C # Enter MST region view Configure Switch B # Enter MST region view# Configure the MST region Configure Switch D # Enter MST region view Configure Switch a # Enable Mstp VLAN-VPN tunnel Configuration ExampleConfigure Switch B # Enable Mstp Configure Switch C # Enable Mstp # Configure GigabitEthernet 1/0/2 as a trunk port # Enable the VLAN-VPN tunnel functionConfigure Switch D # Enable Mstp # Configure GigabitEthernet 1/0/1 as a trunk port Table of Contents Introduction to 802.1x ConfigurationArchitecture of 802.1x Authentication Port access control method Port access entityControlled port and uncontrolled port Valid direction of a controlled port Format of an EAPoL packet Mechanism of an 802.1x Authentication SystemEncapsulation of EAPoL Messages Format of an EAP packet EAP relay mode 802.1x Authentication ProcedureFields added for EAP authentication Describes the basic EAP-MD5 authentication procedure EAP terminating mode 9802.1x authentication procedure in EAP terminating mode Timers Used Checking the supplicant system Additional 802.1x Features Implemented Guest Vlan function Checking the client version Enabling 802.1x re-authentication Introduction to 802.1x Configuration Dot1x Basic 802.1x ConfigurationConfiguring Basic 802.1x Functions Dot1x handshake enable Dot1x authentication-method chapDot1x interface interface-list Dot1x port-control authorized-force Dot1x retry max-retry-value Timer and Maximum User Number ConfigurationDot1x max-user user-number Configuring Proxy Checking Advanced 802.1x Configuration Configuring Client Version Checking Configuring Guest Vlan Enabling DHCP-triggered AuthenticationDot1x dhcp-launch Dot1x port-method portbased Dot1x re-authenticate Configuring 802.1x Re-AuthenticationConfiguring the 802.1x Re-Authentication Timer Displaying and Maintaining 802.1x Configuration Example # Enable 802.1x on GigabitEthernet 1/0/1 port # Enable 802.1x globally # Create the domain named aabbcc.net and enter its view # Set the default user domain to be aabbcc.net# Create a local access user account Configuring Quick EAD Deployment Quick EAD Deployment ConfigurationIntroduction to Quick EAD Deployment Quick EAD Deployment Overview Setting the ACL timeout period Configuring a free IP rangeDot1x url url-string Dot1x free-ip ip-address Period is 30 minutes Quick EAD Deployment Configuration ExampleDisplaying and Maintaining Quick EAD Deployment Solution Troubleshooting Configuring the System-Guard Feature System-Guard ConfigurationConfiguring the System-Guard Feature System-Guard Overview Displaying and Maintaining System-Guard Table of Contents Page Authorization AuthenticationAAA Overview Introduction to AAA What is Radius Introduction to AAA ServicesAccounting Introduction to ISP Domain 1Databases in a Radius server Basic message exchange procedure in Radius Code Message type Message description Radius message formatDirection client-server Client transmits this message to the server to determine if Type field value Attribute type Introduction to Hwtacacs What is Hwtacacs 5Network diagram for a typical Hwtacacs application Basic message exchange procedure in Hwtacacs 6AAA implementation procedure for a telnet user Page Configuration Introduction AAA ConfigurationAAA Configuration Task List Creating an ISP Domain and Configuring Its Attributes Configuring a combined AAA scheme Configuring an AAA Scheme for an ISP DomainMessenger time enable limit Self-service-url disable Domain isp-name Configuring separate AAA schemesRadius-scheme-name local Hwtacacs-scheme Accounting none Configuring Dynamic Vlan AssignmentLocal local none Authorization none Domain isp-name Configuring the Attributes of a Local UserVlan-assignment-mode Integer string Service-type ftp lan-access Password-display-modeAuthorization vlan string Access-limit Cutting Down User Connections Forcibly Radius Configuration Task ListFollow these steps to cut down user connections forcibly Cut down user Servers Configuring Radius client enable Configuring Radius Authentication/Authorization ServersCreating a Radius Scheme Radius scheme Primary authentication Configuring Radius Accounting ServersSecondary authentication Ip-address port-number Secondary accounting Configuring Shared Keys for Radius MessagesStop-accounting-buffer Retry stop-accounting Key accounting string Configuring the Type of Radius Servers to be SupportedKey authentication string Optional Servers to be supported Configuring the Status of Radius ServersServer-type extended Authentication block State primary authenticationCalling-station-id mode Block active Local-server enable Configuring the Local Radius Authentication Server FunctionKey password Local-server nas-ip ip-address Configuring Timers for Radius Servers Enabling the User Re-Authentication at Restart Function Times interval interval Hwtacacs Configuration Task ListAccounting-on enable send Hwtacacs scheme Configuring Tacacs Authentication ServersCreating a Hwtacacs Scheme Primary authorization Configuring Tacacs Authorization ServersSecondary authorization Ip-address port Configuring Shared Keys for Hwtacacs Messages Configuring Tacacs Accounting ServersFollow these steps to configure Tacacs accounting servers Function is enabled Number of transmission Key accounting Authentication stringMega-byte Data-flow-format packet Scheme exists Set the response timeout time Configuring the Timers Regarding Tacacs ServersOptional By default, the response timeout Tacacs servers Optional By default, the real-time Interval Displaying and maintaining Radius protocol information Displaying and Maintaining AAADisplaying and maintaining AAA information Displaying and maintaining Hwtacacs protocol information AAA Configuration ExamplesRemote Radius Authentication of Telnet/SSH Users # Configure an ISP domain # Adopt AAA authentication for Telnet users# Configure a Radius scheme # Associate the ISP domain with the Radius scheme # Create and configure a local user named telnet Local Authentication of FTP/Telnet Users # Configure the domain name of the Hwtacacs scheme to hwtac Hwtacacs Authentication and Authorization of Telnet Users Troubleshooting Radius Configuration Troubleshooting AAATroubleshooting Hwtacacs Configuration Possible reasons and solutions Typical Network Application of EAD EAD ConfigurationIntroduction to EAD EAD Configuration Example EAD ConfigurationSecurity-policy-server Ip-address # Associate the domain with the Radius scheme # Configure the IP address of the security policy server Table of Contents MAC Authentication Overview MAC Authentication ConfigurationPerforming MAC Authentication on a Radius Server Performing MAC Authentication Locally MAC Authentication Timers Configuring Basic MAC Authentication FunctionsMac-authentication Related Concepts Mac-authentication Quit Mac-authentication interfaceMac-authentication authmode Uppercase fixedpassword password Configuring a Guest Vlan MAC Address Authentication Enhanced Function Configuration Guest-vlan-reauth interval Mac-authentication timerGuest-vlan vlan-id Max-auth-num user-number Configure the maximum numberMAC address authentication Number of MAC address MAC Authentication Configuration Example Displaying and Maintaining MAC AuthenticationDisplay mac-authentication Reset mac-authentication statistics Set the service type to lan-access # Add a local user Specify the username and password# Specify to perform local authentication # Add an ISP domain named aabbcc.net Table of Contents IP Addressing Overview IP Addressing ConfigurationIP Address Classes Net-id Class Address range Remarks Special Case IP AddressesSubnetting and Masking Mask-length sub Configuring IP AddressesIp address ip-address mask IP Address Configuration Example IP Address Configuration ExamplesDisplaying and Maintaining IP Addressing Network requirement 4Network diagram for IP address configuration Page IP Performance Overview IP Performance ConfigurationConfiguring IP Performance Disabling Sending of Icmp Error Packets Displaying and Maintaining IP Performance Configuration Table of Contents Introduction to Dhcp Dhcp OverviewDhcp IP Address Assignment IP Address Assignment Policy Obtaining IP Addresses Dynamically Updating IP Address Lease Dhcp Packet Format Protocols and Standards Introduction to Dhcp Relay Agent Dhcp Relay Agent ConfigurationUsage of Dhcp Relay Agent Dhcp Relay Agent Fundamentals Introduction to Option Padding content of OptionDhcp Relay Agent Support for Option Mechanism of Option 82 supported on Dhcp relay agent 2Padding contents for sub-option 1 of Option Dhcp Relay Agent Configuration Task List Configuring the Dhcp Relay AgentDhcp-server groupNo ip Ip-address &1-8 Configuring address checking Configuring Dhcp Relay Agent Security Functions Dhcp relay hand enable Address-check enableDhcp-security static ip-address Mac-address Configuring the Dhcp relay agent to support Option Configuring the Dhcp Relay Agent to Support OptionEnabling unauthorized Dhcp server detection Prerequisites Dhcp Relay Agent Configuration Example Displaying and Maintaining Dhcp Relay Agent Configuration Symptom Troubleshooting Dhcp Relay Agent ConfigurationSolution AnalysisPage Function of Dhcp Snooping Dhcp Snooping ConfigurationDhcp Snooping Overview Overview of Dhcp Snooping Option Padding content and frame format of Option 2Extended format of the circuit ID sub-option Mechanism of DHCP-snooping Option Sub-option configuration Dhcp snooping device will… Dhcp-snooping information format command orDhcp-snooping information format command or the default HEX Overview of IP Filtering Configuring Dhcp Snooping Dhcp Snooping ConfigurationDHCP-snooping table IP static binding table DHCP-Snooping Option 82 Support Configuration Task List Configuring Dhcp Snooping to Support OptionEnable DHCP-snooping Option 82 support Required Specify the current port as a Configure the storage format of Option Configure a handling policy for Dhcp packets with OptionDhcp-snooping information Strategy drop keep replace Configure the remote ID sub-option Configure the circuit ID sub-optionVlan vlan-id circuit-id string String Configure the padding format for Option Configuring IP FilteringRemote-id sysname string Vlan vlan-id remote-id DHCP-Snooping Option 82 Support Configuration Example Dhcp Snooping Configuration Example # Enable Dhcp snooping on Switch IP Filtering Configuration Example# Enable DHCP-snooping Option 82 support # Specify GigabitEthernet 1/0/5 as the trusted port # Specify GigabitEthernet 1/0/1 as the trusted port 7Network diagram for IP filtering configuration Display dhcp-snooping Displaying and Maintaining Dhcp Snooping ConfigurationTrust Display ip source static Introduction to Bootp Client DHCP/BOOTP Client ConfigurationConfiguring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client Dhcp-alloc Dhcp Client Configuration ExampleIp address bootp-alloc Display bootp client interface Displaying and Maintaining DHCP/BOOTP Client ConfigurationBootp client Display related information on a Table of Contents ACL Matching Order ACL ConfigurationACL Overview Depth-first match order for rules of a basic ACL Ways to Apply an ACL on a DeviceDepth-first match order for rules of an advanced ACL Being applied to the hardware directly Types of ACLs Supported by Devices ACL ConfigurationConfiguring Time Range Days-of-the-week from start-time start-date to Time-range time-name start-time to end-timeEnd-time end-date from start-time start-date to End-time end-date to end-time end-date Rule-string Rule-string , refer to ACL Command Configuring Basic ACLAuto config Match-order auto config Configuring Advanced ACLRule-string , refer to ACL Command Rule rule-id permit deny Rule-string Refer to ACL Command Configuring Layer 2 ACL ACL Assignment Assigning an ACL Globally Configure procedureAssigning an ACL to a Vlan Packet-filter inbound acl-rule Inbound acl-rule Assigning an ACL to a Port GroupSystem-view Packet-filter vlan vlan-id Assigning an ACL to a Port Displaying and Maintaining ACL Example for Controlling Web Login Users by Source IP Example for Controlling Telnet Login Users by Source IPSwitchPC Examples for Upper-layer Software Referencing ACLs Examples for Applying ACLs to Hardware Basic ACL Configuration ExampleAdvanced ACL Configuration Example # Apply ACL 3000 on GigabitEthernet 1/0/1 Layer 2 ACL Configuration Example # Apply ACL 4000 on GigabitEthernet 1/0/1 Example for Applying an ACL to a Vlan # Apply ACL 3000 to Vlan Table of Contents Page Traditional Packet Forwarding Service QoS ConfigurationIntroduction to QoS New Applications and New Requirements Traffic Classification QoS Supported by DevicesMajor Traffic Control Techniques IP Precedence decimal IP Precedence binary Description PrecedenceIP precedence, ToS precedence, and Dscp precedence Dscp value decimal Dscp value binary Description 802.1p priority 802.1p priority decimal 802.1p priority binary Description Priority Trust Mode Trusting the Dscp precedence Trusting the 802.1p precedence Dscp precedence Target Dscp precedence Priority Marking Protocol PriorityTraffic Policing and Traffic Shaping Token bucket Traffic shaping Evaluating the traffic with the token bucketTraffic policing Queue Scheduling Traffic RedirectingVlan Mapping SP queuing 7Diagram for SP queuing Sdwrr QoS Configuration Task List QoS ConfigurationFlow-based Traffic Accounting Burst Priority priority-level Configuring Priority Trust ModePriority-trust cos automap Priority-trust dscp automap Qos cos-drop-precedence-map Configuring Priority MappingQos cos-local-precedence-map Qos dscp-local-precedence-map dscp-list Qos cos-dscp-map cos0-map-dscpQos dscp-drop-precedence-map dscp-list Qos dscp-cos-map dscp-list cos-valuePage System-view Protocol-priority Setting the Priority of Protocol PacketsProtocol-type Ip-precedence Traffic-priority inbound acl-rule dscp Marking Packet PriorityDscp-value cos cos-value Traffic-priority vlan vlan-id inbound acl-rule Required Matching specific ACL rules Configuring Traffic Policing Reset traffic-limit vlan vlan-id inbound Reset traffic-limit inbound acl-ruleTraffic-limit inbound acl-rule target-rate Conform con-action exceed View Configure traffic Configuring Traffic ShapingBy default, traffic policing is Policing Disabled Clear the traffic Configuration examples Configuring Traffic RedirectingTraffic-shape queue Traffic-redirect inbound acl-rule interface Traffic-redirect vlan vlan-id inbound acl-rule Configuring Queue Scheduling Configuring Vlan MappingTraffic-remark-vlanid inbound Acl-rule remark-vlan vlan-id Group2 queue-id queue-weight Queue-id queue-weight &1-8Undo queue-scheduler queue-id Queue-scheduler wrr group1 Collecting/Clearing Traffic Statistics Reset traffic-statistic inboundCollect the statistics on Packets matching specific ACL Traffic-statistic inbound acl-rule Traffic-statistic vlan vlan-id Reset traffic-statistic vlan vlan-idReset traffic-statistic inbound acl-rule Follow these steps to enable the burst function Configuring Traffic MirroringEnabling the Burst Function Refer to Burst for information about the burst function Mirrored-to inbound acl-rule Monitor-portMonitor-interface Mirrored-to vlan vlan-id Required Mirroring for packets that Traffic mirroring configurationRequired Destination port Exit current view Displaying and Maintaining QoS Configuration Example of Traffic Policing QoS Configuration ExamplePage QoS Profile Application Mode QoS Profile ConfigurationDynamic application mode Manual application mode QoS Profile Configuration Task List QoS Profile ConfigurationConfiguring a QoS Profile Applying a QoS Profile Qos-profile port-based Displaying and Maintaining QoS ProfileUndo qos-profile port-based System-view Apply qos-profile 1Network diagram for QoS profile configuration QoS Profile Configuration Example # Enable Table of Contents Mirroring Overview Mirroring Configuration Remote Port Mirroring Local Port Mirroring MAC-Based Mirroring Switch Ports involved FunctionVLAN-Based Mirroring 1Ports involved in the mirroring operation Configuring Local Port Mirroring Mirroring Configuration Configuration on the device acting as a source switch Configuring Remote Port Mirroring Configuration on the device acting as a destination switch Remote-probe-vlan-id Configuring MAC-Based MirroringRemote-destination Monitor-port monitor-port Mirroring-group group-id Mirroring-mac mac vlan Configuring VLAN-Based MirroringLocal remote-source Local Port Mirroring Configuration Example Mirroring Configuration ExampleDisplaying and Maintaining Port Mirroring Mirroring-group group-id Mirroring-vlan vlan-id Configure Switch C # Create a local mirroring group Remote Port Mirroring Configuration Example # Configure Vlan 10 as the remote-probe Vlan 4Network diagram for remote port mirroring # Configure Vlan 10 as the remote-probe Vlan Page Table of Contents Introduction to ARP ARP ConfigurationARP Function ARP Message Format Value Description Field DescriptionExperimental Ethernet Proteon ProNET Token Ring ARP Table ARP entry Generation Method Maintenance ModeARP Process Chaos ARP attack detection Introduction to ARP Attack DetectionMan-in-the-middle attack Configuring ARP Basic Functions Configuring ARPArp timer aging aging-time Introduction to Gratuitous ARP Arp check enable Configuring ARP Attack DetectionArp detection enable Arp detection trust Gratuitous-arp-learning Configuring Gratuitous ARPArp restricted-forwarding ARP Basic Configuration Example ARP Configuration ExampleARP Attack Detection Configuration Example Displaying and Maintaining ARP # Enable ARP attack detection on all ports in Vlan # Enable Dhcp snooping on Switch a Table of Contents Snmp Overview Snmp ConfigurationSnmp Operation Mechanism Snmp Versions Supported MIBs MIB attribute MIB content Related RFCMIB II based on TCP/IP network device RFC Public MIB Configuring basic Snmp functions for SNMPv1 or SNMPv2c Configuring Basic Snmp FunctionsSnmp-agent Snmp-agent sys-info Configuring basic Snmp functions for SNMPv3 Configuring Basic Trap Configuring Trap Parameters Configuring Extended Trap Snmp Configuration Examples Snmp Configuration ExamplesEnabling Logging for Network Management Displaying and Maintaining Snmp 2Network diagram for Snmp configuration Network procedure Configuring the NMS Working Mechanism of Rmon Rmon ConfigurationIntroduction to Rmon Commonly Used Rmon Groups Rmon Configuration Displaying and Maintaining Rmon Rmon Configuration ExamplesConfiguration procedures # Display the Rmon extended alarm entry numbered Table of Contents Multicast Overview Information Transmission in the Unicast ModeMulticast Overview 1Information transmission in the unicast mode Information Transmission in the Broadcast Mode 2Information transmission in the broadcast mode Information Transmission in the Multicast Mode Roles in Multicast 3Information transmission in the multicast mode Advantages and Applications of Multicast Multicast ModelsAdvantages of multicast Application of multicast ASM model Multicast ArchitectureSFM model SSM model Reserved multicast addresses IP addresses for permanent IP multicast addressClass D address range Description Ethernet multicast MAC address Layer 3 multicast protocols Multicast Protocols 5Positions of Layer 3 multicast protocols Layer 2 multicast protocols Implementation of the RPF Mechanism Multicast Packet Forwarding Mechanism 7RPF check process RPF CheckPage Igmp Snooping Overview Igmp Snooping ConfigurationPrinciple of Igmp Snooping Basic Concepts in Igmp Snooping Work Mechanism of Igmp Snooping Timer Description Message before Action after expiry Expiry When receiving a leave message When receiving a general queryWhen receiving a membership report Complete the following tasks to configure Igmp Snooping Igmp Snooping ConfigurationIgmp Snooping Configuration Task List Igmp-snooping enable Configuring the Version of Igmp SnoopingEnabling Igmp Snooping Igmp-snooping version Enabling fast leave processing in system view Configuring TimersConfiguring Fast Leave Processing Enable fast leave processing Configuring a Multicast Group FilterRequired By default, the fast leave For specific VLANs Enabling fast leave processing in Ethernet port view Configuring a multicast group filter in Ethernet port view Configuring a multicast group filter in system viewIgmp -snooping group -policy Acl-number vlan vlan-list Vlan vlan list overflow-replace Configuring Igmp QuerierIgmp-snooping group-limit limit Suppressing Flooding of Unknown Multicast Traffic in a Vlan Configuring Static Member Port for a Multicast Group Ethernet port view Configuring a Static Router PortVlan interface view Multicast static-group Vlan view Configuring a Port as a Simulated Group MemberIgmp host-join group-address Source-ip source-address Vlan-mapping vlan Configuring a Vlan Tag for Query MessagesConfiguring Multicast Vlan Service-type multicast Igmp enableHybrid Port hybrid vlan vlan-id-list Port trunk permit vlan vlan-list Displaying and Maintaining Igmp Snooping Igmp Snooping Configuration ExamplesConfiguring Igmp Snooping Configure Switch a # Enable Igmp Snooping globally 3Network diagram for Igmp Snooping configuration GigabitEthernet 1/0/1 is connected to the workstation Device Device description Networking descriptionInterface IP address of Vlan 20 is # Configure Vlan 4Network diagram for multicast Vlan configuration Symptom Multicast function does not work on the device Troubleshooting Igmp Snooping Common Multicast Configuration Common Multicast ConfigurationConfiguring a Multicast MAC Address Entry Mac-address multicast Configuring Dropping Unknown Multicast Packets Displaying and Maintaining Common Multicast ConfigurationUnknown-multicast drop Display mac-address multicast Table of Contents Applications of NTP NTP ConfigurationIntroduction to NTP Implementation Principle of NTP 1Implementation principle of NTP NTP Implementation Modes Broadcast mode Server/client modeSymmetric peer mode NTP implementation Configuration on the device Mode Multicast mode Configuring NTP Implementation Modes NTP Configuration Task ListConfiguring NTP Server/Client Mode Complete the following tasks to configure NTP Configuring the NTP Symmetric Peer Mode Configure the device to work Configuring NTP Broadcast ModeNtp-service broadcast-server NTP broadcast server Configuring the device to work in the multicast client mode Configuring NTP Multicast ModeConfiguring the device to work in the multicast server mode Configuring NTP Authentication Configuring Access Control RightNtp-service access peer Server synchronization Role of device Working mode Configuring NTP authentication on the client Configuring NTP authentication on the server Configure on NTP Broadcast Server Configuring Optional NTP ParametersMode and NTP multicast Broadcast While Configuring NTP Configuration Examples Displaying and Maintaining NTP ConfigurationDisabling an Interface from Receiving NTP messages Max-dynamic-sessions # Set Device a as the NTP server of Device B # Set Device C as the peer of Device B Configuring NTP Symmetric Peer ModeConfigure Device C # Set Device a as the NTP server 8Network diagram for the NTP broadcast mode configuration # Set Device a as a broadcast client Configure Device C # Enter system view 9Network diagram for NTP multicast mode configuration # Enable the NTP authentication function Configuring NTP Server/Client Mode with AuthenticationConfigure Device B # Enter system view # Specify the key 42 as a trusted key Table of Contents SSH Overview SSH ConfigurationIntroduction to SSH Algorithm and Key Stages Description Asymmetric Key AlgorithmSSH Operating Process Key negotiation Authentication negotiationVersion negotiation Data exchange Configuring the SSH ServerSession request Configuring the Protocol Support for the User Interface SSH Server Configuration TasksAuthentication-mode scheme Command-authorization Generating/Destroying a RSA or DSA Key Pair Exporting the RSA or DSA Public Key Creating an SSH User and Specify an Authentication Type Configuring SSH Management Specifying a Service Type for an SSH UserSsh user username service-type Stelnet sftp all Configuring the Client Public Key on the Server Rsa peer-public-key keyname Public-key-code endPeer-public-key end Specifying a Source IP Address/Interface for the SSH Server Assigning a Public Key to an SSH UserSsh user username assign Publickey rsa-key keyname Configuring the SSH Client Using an SSH Client Software Configuring the SSH ClientSSH Client Configuration Tasks 2Generate a client key Generate a client key 4Generate the client keys Launch PuTTY.exe. The following window appears Specify the IP address of the Server As shown in -7, select SSH under Protocol Select a protocol for remote connectionSelect an SSH version 8SSH client configuration interface Open an SSH connection with publickey authentication 10SSH client interface Configure whether first-time authentication is supported Configuring the SSH Client on an SSH2-Capable DeviceOpen an SSH connection with password authentication Establish the connection between the SSH client and server Specifying a Source IP address/Interface for the SSH client Displaying and Maintaining SSH ConfigurationSsh2 source-ip ip-address Ssh2 source-interface # Generate RSA and DSA key pairs SSH Configuration Examples# Enable the user interfaces to support SSH Page 14SSH client interface # Assign the public key Switch001 to client client001 # Set the client’s command privilege level toPage 18Generate a client key pair Page 22SSH client interface Device system-view Device interface vlan-interface # Establish a connection to the server # Generate a DSA key pair # Set the user command privilege level to# Assign the public key Switch001 to user client001 25Network diagram of SSH client configuration # Assign public key Switch001 to user client001 # Set AAA authentication on user interfaces# Configure the user interfaces to support SSH # Establish the SSH connection to server # Specify the host public key pair name of the server Table of Contents File System Configuration File System Management ConfigurationFile System Configuration Tasks Introduction to File System File Operations Flash Memory Operations Prompt Mode ConfigurationExecute filename Format device File prompt alert quiet File System Configuration Example Introduction to File Attributes File Attribute ConfigurationAttribute Description Feature Identifier Configuring File Attributes Table of Contents Introduction to FTP and Sftp FTP and Sftp ConfigurationIntroduction to FTP Description Remarks FTP Configuration The Device Operating as an FTP Server FTP ConfigurationService-type ftp Introduction to Sftp Enabling an FTP server Configuring connection idle timeFtp timeout minutes Ftp-server source-interface Disconnecting a specified userFtp-server source-ip ip-address Ftp disconnect user-name Configuring the banner for an FTP server Displaying FTP server information FTP Configuration The Device Operating as an FTP ClientBasic configurations on an FTP client Lcd CdupDisconnect Close Configuration Example The Device Operating as an FTP Server # Upload the config.cfg file. ftp put config.cfg FTP Banner Display Configuration Example 4Network diagram for FTP banner display configuration # Enter the authorized directory on the FTP server Sftp Configuration The Device Operating as an Sftp Server Sftp ConfigurationComplete the following tasks to configure Sftp Follow these steps to enable an Sftp server Basic configurations on an Sftp client Sftp Configuration The Device Operating as an Sftp ClientFtp timeout time-out-value Time for the Sftp server Minutes by default Sftp host-ip host-name Help all command-nameDelete remotefile Remove remote-file Sftp source-interface Sftp Configuration ExampleSftp source-ip ip-address Display sftp source-ip # Specify the service type as Sftp # Specify the SSH authentication mode as AAA# Enable the Sftp server # Create a local user client001 Sftp-client # Exit Sftp Tftp Configuration Tftp ConfigurationComplete the following tasks to configure Tftp Introduction to Tftp Basic configurations on a Tftp client Tftp Configuration The Device Operating as a Tftp ClientTftp ascii binary Tftp-server acl acl-number Tftp source-interface Tftp Configuration ExampleTftp source-ip ip-address Display tftp source-ip Device tftp 1.1.1.2 get config.cfg config.cfg Table of Contents Information Center Overview Information CenterIntroduction to Information Center Classification of system information Ten channels and six output directions of system information Module name Description Outputting system information by source module System Information Format Sysname PriorityTimestamp Introduction to the Information Center Configuration Tasks Information Center Configuration Set for the system Configuring Synchronous Information Output Setting to output system information to the console Setting to Output System Information to the Console Terminal monitor Enabling system information display on the consoleTerminal debugging Terminal logging Setting to output system information to a monitor terminal Setting to Output System Information to a Monitor TerminalEnabling system information display on a monitor terminal Info-center monitor channel Info-center loghost source Setting to Output System Information to a Log HostInfo-center loghost Setting to Output System Information to the Log Buffer Setting to Output System Information to the Trap BufferInfo-center trapbuffer Info-center source Info-center snmp channel Setting to Output System Information to the Snmp NMSInfo-center logbuffer Log Output to a Unix Log Host Information Center Configuration ExamplesDisplaying and Maintaining Information Center # mkdir /var/log/Switch # touch /var/log/Switch/information Log Output to a Linux Log Host 2Network diagram for log output to a Linux log host Log Output to the Console 3Network diagram for log output to the console 4Network diagram # Enable terminal display Table of Contents Remote Loading Using FTP Host Configuration File LoadingLoading procedure using FTP client Introduction to Loading Approaches Restart Switch Loading procedure using FTP server 2Remote loading using FTP server Use the put command to upload the file config.cfg to Switch Remote Loading Using Tftp Basic System Configuration Basic System Configuration and Debugging Debugging the System Displaying the System StatusEnabling/Disabling System Debugging Display clock Displaying Operating Information about Modules in System Displaying Debugging Status Network Connectivity Test Network Connectivity TestPing Tracert Device Management Configuration Tasks Device Management ConfigurationRebooting the Device Device Management Schedule reboot at hhmm Scheduling a Reboot on the DeviceSchedule reboot delay Schedule reboot regularity Identifying pluggable transceivers Identifying and Diagnosing Pluggable TransceiversIntroduction to pluggable transceivers Diagnosing pluggable transceivers Table of Contents Introduction to VLAN-VPN VLAN-VPN ConfigurationVLAN-VPN Overview Implementation of VLAN-VPN Adjusting the Tpid Values of VLAN-VPN Packets Protocol type Value VLAN-VPN ConfigurationEnabling the VLAN-VPN Feature for a Port Vlan-vpn uplink enable Tpid Adjusting ConfigurationDisplaying and Maintaining VLAN-VPN Vlan-vpn tpid value 4Network diagram for VLAN-VPN configuration VLAN-VPN Configuration Example Data transfer process SwitchA vlan-vpn tpidPage Selective QinQ Overview Selective QinQ ConfigurationSelective QinQ Overview Enabling the Selective QinQ Feature for a Port Selective QinQ ConfigurationInner-to-Outer Tag Priority Mapping Vlan-vpn vid vlan-id Configuring the Inner-to-Outer Tag Priority Mapping Feature Selective QinQ Configuration ExampleProcessing Private Network Packets by Their Types Vlan-vpn priority # Enable the VLAN-VPN feature on GigabitEthernet 1/0/3 2Network diagram for selective QinQ configuration SwitchA-GigabitEthernet1/0/3 vlan-vpn enable Page Table of Contents Introduction to HWPing HWPing ConfigurationHWPing Overview HWPing Test Parameters Test Types Supported by HWPingSupported test types Description Test parameter Description Dns-server Username and passwordDns HWPing server configuration tasks HWPing ConfigurationConfiguration on a HWPing Server HWPing client configuration HWPing Client ConfigurationHWPing server configuration Test-enable Timeout timeCount times Datasize size Test-type ftp Test-type dhcpSource-port port-number Ftp-operation get put Password passwordUsername name Filename file-name Dns-server ip-address Destination-ip command toTest-type http Http-operation get post Test-type jitter Destination-port Test-type snmpquery Jitter-packetnum numberJitter-interval interval Server for listening services Configure the destination Configured on the HWPingOperation- tag This IP address and the one Tcpconnect ip-address7 Hwping-serverTest-type tcpprivate Tcppublic Udppublic Test-type udpprivate Test-type dns Time Three seconds Optional Configure the service typeAddress is specified Configuring HWPing client to send Trap messages Administrator-name operation-tag HWPing Configuration ExampleDisplaying and Maintaining HWPing Icmp Test # Display test results Dhcp Test # Configure the test type as dhcp FTP Test # Configure the source IP address # Set the probe timeout time to 30 seconds Http Test # Configure the test type as http# Configure the IP address of the Http server as Jitter Test Configure HWPing Client Switch a # Enable the HWPing client Network diagram# Configure the test type as jitter # Configure the IP address of the HWPing server as Snmp Test # Configure the test type as snmp 7Network diagram for the Snmp test TCP Test Tcpprivate Test on the Specified Ports 8Network diagram for the Tcpprivate test # Configure the test type as tcpprivate UDP Test Udpprivate Test on the Specified Ports # Configure the test type as udpprivate DNS Test # Configure the IP address of the DNS server as # Configure the test type as dns Index Table of Contents Static Domain Name Resolution DNS ConfigurationDynamic Domain Name Resolution Resolution procedure DNS suffixes Configuring Domain Name ResolutionConfiguring Static Domain Name Resolution Static Domain Name Resolution Configuration Example DNS Configuration ExampleConfiguring Dynamic Domain Name Resolution 2Network diagram for static DNS configuration Dynamic Domain Name Resolution Configuration Example # Configure com as the DNS suffix # Configure the IP address 2.1.1.2 for the DNS server Displaying and Maintaining DNS Troubleshooting DNS Configuration Table of Contents Smart Link Overview Smart Link ConfigurationBasic Concepts in Smart Link Smart Link group Slave port Master portFlush message Control Vlan for sending flush messages Operating Mechanism of Smart Link Configuring Smart LinkComplete the following tasks to configure Smart Link Configuring a Smart Link Device Precautions Configuring Associated DevicesFlush enable control-vlan Smart-link flush enable control-vlan vlan-id port Displaying and Maintaining Smart Link Smart Link Configuration ExampleImplementing Link Redundancy Backup # Return to system view # Configure to send flush messages within Vlan SwitchD system-view Introduction to Monitor Link Monitor Link Configuration How Monitor Link Works 2Network diagram for a Monitor Link group implementation Creating a Monitor Link Group Configuring Monitor LinkConfiguring the Uplink Port Port monitor-link group Configuring a Downlink PortUplink Displaying and Maintaining Monitor Link Monitor Link Configuration Example # Create Smart Link group 1 and enter Smart Link group view # Configure to send flush messages in Vlan SwitchC monitor-link group Table of Contents PoE Overview PoE ConfigurationIntroduction to PoE Advantages of PoE PoE Features Supported by the Device PoE ConfigurationPoE Configuration Task List Maximum Power Provided by Each Electrical Port Setting the Maximum Output Power on a Port Enabling the PoE Feature on a PortPoe enable Poe max-power max-power Setting the PoE Mode on a Port Setting PoE Management Mode and PoE Priority of a PortPoe power-management Poe priority critical high Poe legacy enable Configuring the PD Compatibility Detection FunctionPoe update refresh Upgrading the PSE Processing Software Online Displaying and Maintaining PoE Configuration PoE Configuration ExamplePoE Configuration Example Networking requirements # Upgrade the PSE processing software online 1Network diagram for PoE PoE Profile Configuration PoE Profile ConfigurationConfiguring PoE Profile Introduction to PoE Profile PoE Profile to Port Displaying and Maintaining PoE Profile ConfigurationDisplay poe-profile All-profile interface # Create Profile1, and enter PoE profile view PoE Profile Configuration ExamplePoE Profile Application Example # Create Profile2, and enter PoE profile view # Display detailed configuration information for Profile1# Display detailed configuration information for Profile2 Table of Contents Page Introduction to IP Route and Routing Table IP Routing Protocol OverviewIP Route Routing TablePage Static Routing and Dynamic Routing Routing Protocol OverviewClassification of Dynamic Routing Protocols Routing Protocols and Routing Priority Route backup Load Sharing and Route BackupRouting Information Sharing Load sharing Displaying and Maintaining a Routing Table Static Route Static Route ConfigurationIntroduction to Static Route Configuring a Static Route Static Route ConfigurationDefault Route Displaying and Maintaining Static Routes Static Route Configuration Example # Approach 2 Configure a static route on Switch a Troubleshooting a Static Route# Approach 1 Configure static routes on Switch B # Approach 2 Configure a static route on Switch B RIP Overview RIP ConfigurationBasic Concepts RIP routing database Routing loops prevention RIP timersRIP Startup and Operation Basic RIP Configuration RIP Configuration Task ListConfiguring Basic RIP Functions Rip Specifying the RIP version on an interface Setting the RIP operating status on an interfaceRIP Route Control Setting the additional routing metrics of an interface Configuring RIP Route ControlConfiguring RIP route summarization Rip metricin value Disabling the router from receiving host routes Configuring RIP to filter incoming/outgoing routes Setting RIP preference RIP Network Adjustment and Optimization Configuring RIP timers Configuration TasksConfiguring split horizon Configuring RIP-1 packet zero field check Configuring RIP to unicast RIP packets Setting RIP-2 packet authentication modeRip authentication-mode Simple password md5 RIP Configuration Example Displaying and Maintaining RIP Configuration Failed to Receive RIP Updates Troubleshooting RIP ConfigurationConfigure Switch B # Configure RIP Configure Switch C # Configure RIP IP Route Policy Overview IP Route Policy ConfigurationIntroduction to IP Route Policy Filters Route Policy Configuration IP Route Policy Configuration Task ListFor ACL configuration, refer to the part discussing ACL Route policy Defining if-match Clauses and apply Clauses Defining a Route Policy Displaying and Maintaining IP Route Policy IP Route Policy Configuration ExampleIf-match ip next-hop acl Apply cost value Configuration considerations SwitchC-acl-basic-2000 quit SwitchC acl number Configuration verification Precautions Troubleshooting IP Route Policy Table of Contents Protocol UDP port number UDP Helper ConfigurationIntroduction to UDP Helper Configuring UDP Helper # Enable UDP Helper on Switch a UDP Helper Configuration ExampleDisplaying and Maintaining UDP Helper Cross-Network Computer Search Through UDP Helper Table of Contents Appendix a Acronyms Non Broadcast MultiAccess Medium Access ControlProtocol Independent Multicast-Dense Mode Protocol Independent Multicast-Sparse Mode

3Com WX3000 operation manual Basic message exchange procedure in Hwtacacs

Models: WX3000

HWTACACS

RADIUS

Figure 1-5Network diagram for a typical HWTACACS application

Basic message exchange procedure in HWTACACS