Manuals / 3Com / Computer Equipment / Switch

3Com WX3000 AAA Configuration Examples, Remote Radius Authentication of Telnet/SSH Users

Models: WX3000

1 715

Page 285

Displaying and maintaining HWTACACS protocol information

To do…	Use the command…	Remarks
Display the configuration or
statistic information about one	display hwtacacs
specific or all HWTACACS	[ hwtacacs-scheme-name [ statistics ] ]
schemes		Available in any view.
		Available in any view.
Display buffered non-response	display stop-accounting-buffer
Display buffered non-response	hwtacacs-scheme
stop-accounting requests	hwtacacs-scheme
stop-accounting requests	hwtacacs-scheme-name
	hwtacacs-scheme-name

Clear HWTACACS message	reset hwtacacs statistics { accounting
statistics	authentication authorization all }	Available in user

	reset stop-accounting-buffer
Delete buffered non-response	reset stop-accounting-buffer	view.
Delete buffered non-response	hwtacacs-scheme
stop-accounting requests	hwtacacs-scheme
stop-accounting requests	hwtacacs-scheme-name
	hwtacacs-scheme-name

AAA Configuration Examples

Remote RADIUS Authentication of Telnet/SSH Users

The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for remote authentication.

Network requirements

In the network environment shown in Figure 2-1, you are required to configure the device so that the Telnet users logging into the switching engine are authenticated by the RADIUS server.

z z

A RADIUS authentication server with IP address 10.110.91.164 is connected to the device.

On the device, set the shared key it uses to exchange messages with the authentication RADIUS server to "aabbcc".

A IMC server is used as the RADIUS server. You can select extended as the server-type in a RADIUS scheme.

On the RADIUS server, set the shared key it uses to exchange messages with the device to "aabbcc," set the authentication port number, and add Telnet user names and login passwords.

The Telnet user names added to the RADIUS server must be in the format of userid@isp-nameif you have configured the device to include domain names in the user names to be sent to the RADIUS server in the RADIUS scheme.

2-26

Page 285

Image 285

3Com WX3000 operation manual AAA Configuration Examples, Remote Radius Authentication of Telnet/SSH Users

Contents

Manual Version 6W100 3Com WX3000 Series Unified Switches Switching EngineEnvironmental Statement Part Contents About This ManualOrganization Conventions Convention Description BoldfaceItalic Convention Description Related DocumentationCreate Folder Manual DescriptionObtaining Documentation Table of Contents CLI Configuration Command HierarchyIntroduction to the CLI Switching User Levels Setting a user level switching passwordSwitching to a specific user level Setting the Level of a Command in a Specific View Configuration exampleSetting the level of a command in a specific view Display Execute Operation CLI ViewsQuit Quit or returnVlan-interface command Gigabitethernet commandRegion-configuration Peer-public-key commandOde end Public-key-cPublic-key-code begin Execute the radius schemeVlan-vpn enable CLI FeaturesExecute Command should be first Online HelpTerminal Display Command HistoryPartial online help Press Ctrl+CCommand Edit Error PromptsTab Press… To…Table of Contents Page Logging In to the Switching Engine Logging In to the Switching EngineIntroduction to the User Interface Supported User InterfacesUser Interface Index Common User Interface ConfigurationDisplay user-interface Display users allType number number Display web usersPress Enter to enter user view of the switching engine Logging In to the Switching Engine Through OAPLogging In Through OAP OAP OverviewNot configured by default Configure the management IPOap management-ip Address of an OAP moduleResetting the OAP Software System Reset the OAP softwareOap reboot slot Configuration Description Common ConfigurationLogging In Through Telnet IntroductionAuthentication Telnet configuration Description Mode Telnet Configurations for Different Authentication ModesConfiguration Procedure Telnet Configuration with Authentication Mode Being NoneConfiguration Example Configuration procedureNetwork requirements Password cipher Password Set authenticationAuto-execute command User privilege level levelDefault history command Set the history command bufferCommand buffer can store up to Commands by defaultTelnet Configuration with Authentication Mode Being Scheme Authorization Scheme commandHistory-command max-size Protocol inbound all sshService-type User privilege level level command is Level levelPrivilege # Create a local user named guest and enter local user view Telnetting to the Switching Engine from a Terminal Telnetting to the Switching EngineDeviceoap connect slot Connected to OAP Page Device telnet User name and password for logging in to the Web-based Vlan interface of the switching engine is assigned an IPNetwork management system are configured Logging In from the Web-Based Network Management SystemSetting Up a Web Configuration Environment 3The login page of the Web-based network management system Configuring the Login BannerHeader login text By default, no login banner isThrough Web Configured Enable the Web server Follow these steps to enable/disable the WEB serverEnabling/Disabling the WEB Server Ip http shutdownConnection Establishment Using NMS Logging In from NMSRelated information Configuring Source IP Address for Telnet Service Packets Configuring Source IP Address for Telnet Service PacketsConfiguration in user view Configuration in system viewInterface-number Displaying Source IP Address ConfigurationUser Control Login mode Control method Implementation ReferenceControlling Telnet Users PrerequisitesAcl number acl-number Match-order config autoRule rule-id deny permit Acl acl-number inboundControlling Telnet Users by Source MAC Addresses Rule rule-id denyPermit rule-string Controlling Network Management Users by Source IP Addresses Controlling Network Management Users by Source IP AddressesControlling Web Users by Source IP Address 2Network diagram for controlling Snmp users using ACLsControlling Web Users by Source IP Addresses Disconnecting a Web User by ForceIp http acl acl-number Free web-users all user-idDevice ip http acl Table of Contents Introduction to Configuration File Configuration File ManagementTypes of configuration Format of configuration fileSaving the Current Configuration Management of Configuration FileStartup with the configuration file Modes in saving the configurationThree attributes of the configuration file Erasing the Startup Configuration FileAssign main attribute to the startup configuration file Specifying a Configuration File for Next StartupAssign backup attribute to the startup configuration file Startup saved-configurationDisplaying and Maintaining Device Configuration Table of Contents Vlan Overview Vlan OverviewIntroduction to Vlan Advantages of VLANs How Vlan WorksVlan tag 2Encapsulation format of traditional Ethernet frames MAC address learning mechanism of VLANsPort-Based Vlan Vlan InterfaceVlan Classification Introduction to Protocol-Based Vlan Protocol-Based VlanEncapsulation Format of Ethernet Data Ethernet II and 802.2/802.3 encapsulation6802.3 raw encapsulation format Extended encapsulation formats of 802.2/802.3 packetsEncapsulation Formats Procedure for the Switch to Judge Packet ProtocolImplementation of Protocol-Based Vlan Encapsulation Ethernet 802.3 raw 802.2 LLC Snap ProtocolPage Vlan Configuration Vlan ConfigurationConfiguration Task List Basic Vlan ConfigurationBasic Vlan Interface Configuration Configuration prerequisitesDisplaying and Maintaining Vlan Configuring a Port-Based Vlan Configuring a Port-Based VlanProtocol-Based Vlan Configuration Example Port interface-list# Configure GigabitEthernet 1/0/10 of Switch B # Create Vlan 201, and add GigabitEthernet 1/0/2 to Vlan# Create Vlan 201, and add GigabitEthernet 1/0/12 to Vlan Configuring a Protocol Template for a Protocol-Based Vlan Configuring a Protocol-Based VlanInterface interface-type Interface-number Associating a Port with a Protocol-Based VlanPort hybrid protocol-vlan Vlan vlan-id protocol-indexDisplay vlan vlan-id to vlan-id all Displaying and Maintaining Protocol-Based VlanDynamic static Display protocol-vlan vlan vlan idVlan Protocol-Type Table of Contents Introduction to the Auto Detect Function Auto Detect ConfigurationAuto Detect Basic Configuration Auto Detect ConfigurationAuto Detect Implementation in Static Routing Auto Detect Implementation in Vlan Interface BackupIp route-static ip-address mask Preference-value reject blackholeAuto Detect Configuration Examples Vlan -idStandby detect-group # Configure a static route to Switch a Is reachable# Create auto detected group Table of Contents Voice Vlan Configuration Voice Vlan OverviewHow an IP Phone Works Agent 1Network diagram for IP phonesConfiguring Operation Mode for Voice Vlan How the Device Identifies Voice TrafficNumber OUI address Vendor Support for Voice Vlan on Various Ports Processing mode of tagged packets sent by IP voice devicesSecurity Mode of Voice Vlan Port type Supported or not Traffic type ModePort voice Voice Voice Vlan Configuration Configuration PrerequisitesConfiguring a Voice Vlan to Operate in Automatic Mode Enable Configuring a Voice Vlan to Operate in Manual ModeUndo voice vlan mode Voice vlan securityPort hybrid vlan vlan-id Port trunk permit vlanTagged untagged Port trunk pvid vlanVoice Vlan Configuration Example Voice Vlan Configuration Example Automatic ModeDisplaying and Maintaining Voice Vlan # Enable the voice Vlan function globally Voice Vlan Configuration Example Manual Mode# Configure GigabitEthernet 1/0/1 as a hybrid port # Enable the voice Vlan function on GigabitEthernet 1/0/1# Configure GigabitEthernet 1/0/1 to operate in manual mode # Create Vlan 2 and configure it as a voice VlanVerification # Display the status of the current voice VlanTable of Contents Gvrp Configuration Garp messages and timersIntroduction to Gvrp Operating mechanism of Garp Garp message formatGarp packets are in the following format Field Description Value 1Format of Garp packetsProtocol Specifications Gvrp ConfigurationConfiguration Prerequisite Enabling GvrpGarp timer leaveall Configuring Gvrp TimersGarp timer hold join GvrpDisplaying and Maintaining Gvrp Configuring Gvrp Port Registration ModeGvrp Configuration Example Gvrp Configuration ExampleConfigure Switch a # Enable Gvrp globally # Enable Gvrp on GigabitEthernet 1/0/1# Enable Gvrp on GigabitEthernet 1/0/3 SwitchE-GigabitEthernet1/0/1 gvrp registration fixed Table of Contents Ethernet Port Overview Basic Port ConfigurationTypes and Numbers of Ethernet Ports Combo Ports Mapping RelationsLink Types of Ethernet Ports Configuring the Default Vlan ID for an Ethernet PortMaking Basic Port Configuration Configuring Ethernet PortsAdding an Ethernet Port to Specified VLANs Vlan tagConfiguring Port Auto-Negotiation Speed Enabling Flow Control on a Port Setting the Ethernet Port Broadcast Suppression RatioSpeed auto 10 100 Broadcast-suppressionConfiguring Access Port Attribute Configuring Hybrid Port AttributeConfiguring Trunk Port Attribute Disabling Up/Down Log Output on a Port Configuration tasksConfiguring a Port Group Copying Port Configuration to Other PortsSystem-view Copy configuration source interface-type Aggregation-group destination-agg-idSetting Loopback Detection for an Ethernet Port Configure the Ethernet port to run Configuring the Ethernet Port to Run Loopback TestLoopback-detection per-vlan Loopback detection only on VLANs for the trunk and hybridEnabling the System to Test Connected Cable Virtual-cable-testFlow-interval interval Displaying and Maintaining Ethernet Ports Ethernet Port Configuration Example# Configure the default Vlan ID of GigabitEthernet 1/0/1 as Troubleshooting Ethernet Port ConfigurationTable of Contents Link Aggregation Configuration Introduction to Link AggregationIntroduction to Lacp Manual Aggregation Group Operation KeyIntroduction to manual aggregation group Port status in manual aggregation groupStatic Lacp Aggregation Group Introduction to static Lacp aggregationPort status of static aggregation group Dynamic Lacp Aggregation Group Configuring system priorityIntroduction to dynamic Lacp aggregation group Port status of dynamic aggregation groupAggregation Group Categories Configuring port priorityConfiguring a Manual Aggregation Group Link Aggregation ConfigurationDescription agg-name Configuring a Static Lacp Aggregation GroupPort link-aggregation group Agg-idConfiguring a Dynamic Lacp Aggregation Group Lacp system -prioritySystem-priority Displaying and Maintaining Link Aggregation Link Aggregation Configuration ExampleSwitch a Link aggregation Switch B Page Table of Contents Port Isolation Configuration Port Isolation ConfigurationPort Isolation Overview Introduction to Port IsolationDisplaying and Maintaining Port Isolation Port Isolation Configuration ExampleDevice-GigabitEthernet1/0/4 quit device Table of Contents Port Security Features Port Security ConfigurationPort Security Overview IntroductionThis mode Security mode Description FeaturePort Security Modes NeitherSecurity mode Description Feature Complete the following tasks to configure port security Port Security ConfigurationFollow these steps to enable port security Enabling Port SecurityPort-security oui OUI-value UserLoginWithOUI mode, a Setting the Port Security ModePort-security max-mac-count Count-valueConfiguring the NTK feature Configuring Port Security FeaturesConfiguring the Trap feature Configuring intrusion protectionConfiguring Security MAC Addresses Port Security Configuration Example Displaying and Maintaining Port Security Configuration# Enable port security HostSwitch# Set the port security mode to autolearn # Enter GigabitEthernet 1/0/1 port viewDisplaying and Maintaining Port Binding Configuration Port Binding ConfigurationConfiguring Port Binding Port Binding OverviewConfigure switch a as follows # Enter system view Port Binding Configuration ExampleTable of Contents Dldp Overview Dldp ConfigurationDldp Fundamentals Dldp statusStatus Description Dldp works with the following timers 2DLDP timers Dldp timersTimer Description Interval of sending advertisement packets, which can beEnhanced timer then sends one probe packets every one Dldp operating modeMode During neighbor Entry aging Timer expireNo Echo packet received from Processing procedure Neighbor Packet type Processing procedure4Types of packets sent by Dldp Dldp status Packet typesPrecautions During Dldp Configuration Dldp ConfigurationDldp Configuration Tasks Dldp neighbor stateResetting Dldp Status Reset the Dldp status of a port Dldp reset This command only applies to the ports in Dldp down statusDldp Network Example # Configure Dldp to work in enhanced mode # Enable Dldp globally# Set the interval of sending Dldp packets to 15 seconds # Display the Dldp statusTable of Contents MAC Address Table Management Introduction to MAC Address TableIntroduction to MAC Address Learning 1MAC address learning diagram Aging of MAC address table Managing MAC Address TableEntries in a MAC address table Configuring MAC Address Table ManagementAdding a MAC address entry in system view Configuring a MAC Address EntryAdding a MAC address entry in Ethernet port view System-view Mac-address static dynamicSetting the Aging Time of MAC Address Entries Mac-address timer agingAge no-aging Mac-address Disabling MAC Address learning for a VlanMax-mac-count count Max-mac-countDisplaying and Maintaining MAC Address Table Configuration ExampleAdding a Static MAC Address Entry Manually Display mac-addressTable of Contents Page Mstp Configuration STP OverviewSTP Overview All the ports on the root bridge are designated ports Classification Designated bridge Designated portStep Description How STP worksStep Description Device Port name Bpdu of port Device Comparison process Bpdu of port after 5Comparison process and result on each deviceDevice Comparison process Bpdu of port after 3The final calculated spanning tree Mstp Overview Features of MstpBackground of Mstp Disadvantages of STP and RstpMST region Basic Mstp TerminologiesRegion root Vlan mapping tableCommon root bridge Port roleMSTP, a port can be in one of the following three states Port stateCalculate the Cist Principle of MstpCalculate an Msti Implement STP algorithmMstp Implementation on the Device Complete the following tasks to configure a root bridge Configuring Root BridgeSTP-related Standards Bpdu guard Loop guard TC-BPDU attack guard Bpdu packet dropConfiguring an MST Region # Verify the above configuration Stp instance instance-id root secondary Centi-secondsRequired Default bridge priority of a Current device Configuring the Bridge Priority of the Current DeviceSet the bridge priority for Stp instance instance-idStp interface interface-type Interface-number complianceAuto dot1s legacy Stp mode stp rstp mstp Configuring the Mstp Operation ModeStp compliance auto dot1s LegacyConfiguring the Maximum Hop Count of an MST Region Configuring the Network Diameter of the Switched NetworkStp max-hops hops Stp timer forward-delay Configuring the Mstp Time-related ParametersStp timer hello Stp timer max-ageConfiguring the Timeout Time Factor Stp interface interface-list Transmit-limit packetnumStp transmit-limit packetnum Configure a port as an edge port in system view Configuring the Current Port as an Edge PortConfigure a port as an edge port in Ethernet port view Edged-port enableForce-false auto Point-to-point force-trueDisable Stp enableEnabling Mstp Stp point-to-point force-trueConfiguring Leaf Nodes Stp disableTask Remarks Configuring a Port as an Edge Port Configuring the MST RegionStandards for calculating path costs of ports Configuring the Path Cost for a PortStp pathcost-standard Dot1d-1998 dot1t legacyConfigure the path cost for specific ports Configuration example aConfiguration example B Configure port priority in system view Configuring Port PriorityConfigure port priority in Ethernet port view Instance instance-id portPerform the mCheck operation in system view Performing mCheck OperationPerform the mCheck operation in Ethernet port view Stp interface interface-list mcheckBpdu guard Configuring Guard FunctionsRoot guard Stp mcheckLoop guard TC-BPDU attack guardBpdu dropping Configuring Root Guard Configuring Bpdu GuardRoot-protection Stp root-protectionConfiguring TC-BPDU Attack Guard Configuring Loop GuardStp loop-protection Stp tc-protectionConfiguring Bpdu Dropping Configuring Digest SnoopingInterface interface-name Bpdu-drop anyStp config-digest-snooping Configuring Digest SnoopingConfiguring Rapid Transition 6The Rstp rapid transition mechanism Configuring Rapid Transition No-agreement-checkStp no-agreement-check Configuring VLAN-VPN Tunnel Configuring VLAN-VPN tunnelVlan-vpn tunnel Enabling Log/Trap Output for Ports of Mstp Instance STP Maintenance ConfigurationStp instance instance id PortlogDisplaying and Maintaining Mstp Enabling Trap Messages Conforming to 802.1d StandardMstp Configuration Example Configure Switch a # Enter MST region view# Activate the settings of the MST region manually Configure Switch C # Enter MST region view Configure Switch B # Enter MST region view# Configure the MST region Configure Switch D # Enter MST region viewConfigure Switch a # Enable Mstp VLAN-VPN tunnel Configuration ExampleConfigure Switch B # Enable Mstp Configure Switch C # Enable Mstp# Configure GigabitEthernet 1/0/2 as a trunk port # Enable the VLAN-VPN tunnel functionConfigure Switch D # Enable Mstp # Configure GigabitEthernet 1/0/1 as a trunk portTable of Contents 802.1x Configuration Architecture of 802.1x AuthenticationIntroduction to Port access control method Port access entityControlled port and uncontrolled port Valid direction of a controlled portMechanism of an 802.1x Authentication System Encapsulation of EAPoL MessagesFormat of an EAPoL packet Format of an EAP packet 802.1x Authentication Procedure Fields added for EAP authenticationEAP relay mode Describes the basic EAP-MD5 authentication procedure EAP terminating mode 9802.1x authentication procedure in EAP terminating mode Timers UsedChecking the supplicant system Additional 802.1x Features ImplementedGuest Vlan function Checking the client versionEnabling 802.1x re-authentication Introduction to 802.1x ConfigurationBasic 802.1x Configuration Configuring Basic 802.1x FunctionsDot1x Dot1x handshake enable Dot1x authentication-method chapDot1x interface interface-list Dot1x port-control authorized-forceTimer and Maximum User Number Configuration Dot1x max-user user-numberDot1x retry max-retry-value Configuring Proxy Checking Advanced 802.1x ConfigurationConfiguring Client Version Checking Configuring Guest Vlan Enabling DHCP-triggered AuthenticationDot1x dhcp-launch Dot1x port-method portbasedConfiguring 802.1x Re-Authentication Configuring the 802.1x Re-Authentication TimerDot1x re-authenticate Displaying and Maintaining 802.1x Configuration Example# Enable 802.1x on GigabitEthernet 1/0/1 port # Enable 802.1x globally# Set the default user domain to be aabbcc.net # Create a local access user account# Create the domain named aabbcc.net and enter its view Configuring Quick EAD Deployment Quick EAD Deployment ConfigurationIntroduction to Quick EAD Deployment Quick EAD Deployment OverviewSetting the ACL timeout period Configuring a free IP rangeDot1x url url-string Dot1x free-ip ip-addressQuick EAD Deployment Configuration Example Displaying and Maintaining Quick EAD DeploymentPeriod is 30 minutes Solution TroubleshootingConfiguring the System-Guard Feature System-Guard ConfigurationConfiguring the System-Guard Feature System-Guard OverviewDisplaying and Maintaining System-Guard Table of Contents Page Authorization AuthenticationAAA Overview Introduction to AAAWhat is Radius Introduction to AAA ServicesAccounting Introduction to ISP Domain1Databases in a Radius server Basic message exchange procedure in RadiusCode Message type Message description Radius message formatDirection client-server Client transmits this message to the server to determine ifType field value Attribute type Introduction to Hwtacacs What is Hwtacacs5Network diagram for a typical Hwtacacs application Basic message exchange procedure in Hwtacacs6AAA implementation procedure for a telnet user Page AAA Configuration AAA Configuration Task ListConfiguration Introduction Creating an ISP Domain and Configuring Its Attributes Configuring a combined AAA scheme Configuring an AAA Scheme for an ISP DomainMessenger time enable limit Self-service-url disableDomain isp-name Configuring separate AAA schemesRadius-scheme-name local Hwtacacs-schemeConfiguring Dynamic Vlan Assignment Local local none Authorization noneAccounting none Domain isp-name Configuring the Attributes of a Local UserVlan-assignment-mode Integer stringService-type ftp lan-access Password-display-modeAuthorization vlan string Access-limitCutting Down User Connections Forcibly Radius Configuration Task ListFollow these steps to cut down user connections forcibly Cut down userServers ConfiguringRadius client enable Configuring Radius Authentication/Authorization ServersCreating a Radius Scheme Radius schemePrimary authentication Configuring Radius Accounting ServersSecondary authentication Ip-address port-numberSecondary accounting Configuring Shared Keys for Radius MessagesStop-accounting-buffer Retry stop-accountingConfiguring the Type of Radius Servers to be Supported Key authentication stringKey accounting string Configuring the Status of Radius Servers Server-type extendedOptional Servers to be supported Authentication block State primary authenticationCalling-station-id mode Block activeLocal-server enable Configuring the Local Radius Authentication Server FunctionKey password Local-server nas-ip ip-addressConfiguring Timers for Radius Servers Enabling the User Re-Authentication at Restart Function Hwtacacs Configuration Task List Accounting-on enable sendTimes interval interval Configuring Tacacs Authentication Servers Creating a Hwtacacs SchemeHwtacacs scheme Primary authorization Configuring Tacacs Authorization ServersSecondary authorization Ip-address portConfiguring Shared Keys for Hwtacacs Messages Configuring Tacacs Accounting ServersFollow these steps to configure Tacacs accounting servers Function is enabled Number of transmissionKey accounting Authentication stringMega-byte Data-flow-format packetScheme exists Set the response timeout time Configuring the Timers Regarding Tacacs ServersOptional By default, the response timeout Tacacs servers Optional By default, the real-time IntervalDisplaying and Maintaining AAA Displaying and maintaining AAA informationDisplaying and maintaining Radius protocol information AAA Configuration Examples Remote Radius Authentication of Telnet/SSH UsersDisplaying and maintaining Hwtacacs protocol information # Configure an ISP domain # Adopt AAA authentication for Telnet users# Configure a Radius scheme # Associate the ISP domain with the Radius scheme# Create and configure a local user named telnet Local Authentication of FTP/Telnet Users# Configure the domain name of the Hwtacacs scheme to hwtac Hwtacacs Authentication and Authorization of Telnet UsersTroubleshooting Radius Configuration Troubleshooting AAATroubleshooting Hwtacacs Configuration Possible reasons and solutionsEAD Configuration Introduction to EADTypical Network Application of EAD EAD Configuration Example EAD ConfigurationSecurity-policy-server Ip-address# Associate the domain with the Radius scheme # Configure the IP address of the security policy serverTable of Contents MAC Authentication Overview MAC Authentication ConfigurationPerforming MAC Authentication on a Radius Server Performing MAC Authentication LocallyMAC Authentication Timers Configuring Basic MAC Authentication FunctionsMac-authentication Related ConceptsMac-authentication Quit Mac-authentication interfaceMac-authentication authmode Uppercase fixedpassword passwordConfiguring a Guest Vlan MAC Address Authentication Enhanced Function ConfigurationMac-authentication timer Guest-vlan vlan-idGuest-vlan-reauth interval Configure the maximum number MAC address authentication Number of MAC addressMax-auth-num user-number MAC Authentication Configuration Example Displaying and Maintaining MAC AuthenticationDisplay mac-authentication Reset mac-authentication statisticsSet the service type to lan-access # Add a local user Specify the username and password# Specify to perform local authentication # Add an ISP domain named aabbcc.netTable of Contents IP Addressing Overview IP Addressing ConfigurationIP Address Classes Net-idSpecial Case IP Addresses Subnetting and MaskingClass Address range Remarks Configuring IP Addresses Ip address ip-address maskMask-length sub IP Address Configuration Example IP Address Configuration ExamplesDisplaying and Maintaining IP Addressing Network requirement4Network diagram for IP address configuration Page IP Performance Configuration Configuring IP PerformanceIP Performance Overview Disabling Sending of Icmp Error Packets Displaying and Maintaining IP Performance Configuration Table of Contents Introduction to Dhcp Dhcp OverviewDhcp IP Address Assignment IP Address Assignment PolicyObtaining IP Addresses Dynamically Updating IP Address Lease Dhcp Packet FormatProtocols and Standards Introduction to Dhcp Relay Agent Dhcp Relay Agent ConfigurationUsage of Dhcp Relay Agent Dhcp Relay Agent FundamentalsPadding content of Option Dhcp Relay Agent Support for OptionIntroduction to Option Mechanism of Option 82 supported on Dhcp relay agent 2Padding contents for sub-option 1 of OptionDhcp Relay Agent Configuration Task List Configuring the Dhcp Relay AgentDhcp-server groupNo ip Ip-address &1-8Configuring address checking Configuring Dhcp Relay Agent Security FunctionsDhcp relay hand enable Address-check enableDhcp-security static ip-address Mac-addressConfiguring the Dhcp relay agent to support Option Configuring the Dhcp Relay Agent to Support OptionEnabling unauthorized Dhcp server detection PrerequisitesDhcp Relay Agent Configuration Example Displaying and Maintaining Dhcp Relay Agent ConfigurationSymptom Troubleshooting Dhcp Relay Agent ConfigurationSolution AnalysisPage Dhcp Snooping Configuration Dhcp Snooping OverviewFunction of Dhcp Snooping Overview of Dhcp Snooping Option Padding content and frame format of Option2Extended format of the circuit ID sub-option Mechanism of DHCP-snooping OptionSub-option configuration Dhcp snooping device will… Dhcp-snooping information format command orDhcp-snooping information format command or the default HEX Overview of IP FilteringConfiguring Dhcp Snooping Dhcp Snooping ConfigurationDHCP-snooping table IP static binding tableDHCP-Snooping Option 82 Support Configuration Task List Configuring Dhcp Snooping to Support OptionEnable DHCP-snooping Option 82 support Required Specify the current port as aConfigure the storage format of Option Configure a handling policy for Dhcp packets with OptionDhcp-snooping information Strategy drop keep replaceConfigure the remote ID sub-option Configure the circuit ID sub-optionVlan vlan-id circuit-id string StringConfigure the padding format for Option Configuring IP FilteringRemote-id sysname string Vlan vlan-id remote-idDHCP-Snooping Option 82 Support Configuration Example Dhcp Snooping Configuration Example# Enable Dhcp snooping on Switch IP Filtering Configuration Example# Enable DHCP-snooping Option 82 support # Specify GigabitEthernet 1/0/5 as the trusted port# Specify GigabitEthernet 1/0/1 as the trusted port 7Network diagram for IP filtering configurationDisplay dhcp-snooping Displaying and Maintaining Dhcp Snooping ConfigurationTrust Display ip source staticIntroduction to Bootp Client DHCP/BOOTP Client ConfigurationConfiguring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP clientDhcp Client Configuration Example Ip address bootp-allocDhcp-alloc Display bootp client interface Displaying and Maintaining DHCP/BOOTP Client ConfigurationBootp client Display related information on aTable of Contents ACL Configuration ACL OverviewACL Matching Order Depth-first match order for rules of a basic ACL Ways to Apply an ACL on a DeviceDepth-first match order for rules of an advanced ACL Being applied to the hardware directlyACL Configuration Configuring Time RangeTypes of ACLs Supported by Devices Days-of-the-week from start-time start-date to Time-range time-name start-time to end-timeEnd-time end-date from start-time start-date to End-time end-date to end-time end-dateConfiguring Basic ACL Auto configRule-string Rule-string , refer to ACL Command Match-order auto config Configuring Advanced ACLRule-string , refer to ACL Command Rule rule-id permit denyRule-string Refer to ACL Command Configuring Layer 2 ACLACL Assignment Assigning an ACL Globally Configure procedureAssigning an ACL to a Vlan Packet-filter inbound acl-ruleAssigning an ACL to a Port Group System-view Packet-filter vlan vlan-idInbound acl-rule Assigning an ACL to a Port Displaying and Maintaining ACLExample for Controlling Web Login Users by Source IP Example for Controlling Telnet Login Users by Source IPSwitchPC Examples for Upper-layer Software Referencing ACLsBasic ACL Configuration Example Advanced ACL Configuration ExampleExamples for Applying ACLs to Hardware # Apply ACL 3000 on GigabitEthernet 1/0/1 Layer 2 ACL Configuration Example# Apply ACL 4000 on GigabitEthernet 1/0/1 Example for Applying an ACL to a Vlan# Apply ACL 3000 to Vlan Table of Contents Page Traditional Packet Forwarding Service QoS ConfigurationIntroduction to QoS New Applications and New RequirementsQoS Supported by Devices Major Traffic Control TechniquesTraffic Classification Precedence IP precedence, ToS precedence, and Dscp precedenceIP Precedence decimal IP Precedence binary Description Dscp value decimal Dscp value binary Description 802.1p priority802.1p priority decimal 802.1p priority binary Description Priority Trust ModeTrusting the Dscp precedence Trusting the 802.1p precedenceDscp precedence Target Dscp precedence Priority Marking Protocol PriorityTraffic Policing and Traffic Shaping Token bucketEvaluating the traffic with the token bucket Traffic policingTraffic shaping Traffic Redirecting Vlan MappingQueue Scheduling SP queuing 7Diagram for SP queuingSdwrr QoS Configuration Task List QoS ConfigurationFlow-based Traffic Accounting BurstPriority priority-level Configuring Priority Trust ModePriority-trust cos automap Priority-trust dscp automapConfiguring Priority Mapping Qos cos-local-precedence-mapQos cos-drop-precedence-map Qos dscp-local-precedence-map dscp-list Qos cos-dscp-map cos0-map-dscpQos dscp-drop-precedence-map dscp-list Qos dscp-cos-map dscp-list cos-valuePage System-view Protocol-priority Setting the Priority of Protocol PacketsProtocol-type Ip-precedenceTraffic-priority inbound acl-rule dscp Marking Packet PriorityDscp-value cos cos-value Traffic-priority vlan vlan-id inbound acl-ruleRequired Matching specific ACL rules Configuring Traffic PolicingReset traffic-limit vlan vlan-id inbound Reset traffic-limit inbound acl-ruleTraffic-limit inbound acl-rule target-rate Conform con-action exceedView Configure traffic Configuring Traffic ShapingBy default, traffic policing is Policing Disabled Clear the trafficConfiguration examples Configuring Traffic RedirectingTraffic-shape queue Traffic-redirect inbound acl-rule interfaceTraffic-redirect vlan vlan-id inbound acl-rule Configuring Queue Scheduling Configuring Vlan MappingTraffic-remark-vlanid inbound Acl-rule remark-vlan vlan-idGroup2 queue-id queue-weight Queue-id queue-weight &1-8Undo queue-scheduler queue-id Queue-scheduler wrr group1Collecting/Clearing Traffic Statistics Reset traffic-statistic inboundCollect the statistics on Packets matching specific ACL Traffic-statistic inbound acl-ruleReset traffic-statistic vlan vlan-id Reset traffic-statistic inbound acl-ruleTraffic-statistic vlan vlan-id Follow these steps to enable the burst function Configuring Traffic MirroringEnabling the Burst Function Refer to Burst for information about the burst functionMirrored-to inbound acl-rule Monitor-portMonitor-interface Mirrored-to vlan vlan-idTraffic mirroring configuration Required Destination port Exit current viewRequired Mirroring for packets that Displaying and Maintaining QoS Configuration Example of Traffic Policing QoS Configuration ExamplePage QoS Profile Application Mode QoS Profile ConfigurationDynamic application mode Manual application modeQoS Profile Configuration Task List QoS Profile ConfigurationConfiguring a QoS Profile Applying a QoS ProfileQos-profile port-based Displaying and Maintaining QoS ProfileUndo qos-profile port-based System-view Apply qos-profile1Network diagram for QoS profile configuration QoS Profile Configuration Example# Enable Table of Contents Mirroring Overview Mirroring ConfigurationRemote Port Mirroring Local Port MirroringMAC-Based Mirroring Switch Ports involved FunctionVLAN-Based Mirroring 1Ports involved in the mirroring operationConfiguring Local Port Mirroring Mirroring ConfigurationConfiguration on the device acting as a source switch Configuring Remote Port MirroringConfiguration on the device acting as a destination switch Remote-probe-vlan-id Configuring MAC-Based MirroringRemote-destination Monitor-port monitor-portConfiguring VLAN-Based Mirroring Local remote-sourceMirroring-group group-id Mirroring-mac mac vlan Local Port Mirroring Configuration Example Mirroring Configuration ExampleDisplaying and Maintaining Port Mirroring Mirroring-group group-id Mirroring-vlan vlan-idConfigure Switch C # Create a local mirroring group Remote Port Mirroring Configuration Example# Configure Vlan 10 as the remote-probe Vlan 4Network diagram for remote port mirroring# Configure Vlan 10 as the remote-probe Vlan Page Table of Contents Introduction to ARP ARP ConfigurationARP Function ARP Message FormatValue Description Field DescriptionExperimental Ethernet Proteon ProNET Token RingARP Table ARP entry Generation Method Maintenance ModeARP Process ChaosIntroduction to ARP Attack Detection Man-in-the-middle attackARP attack detection Configuring ARP Basic Functions Configuring ARPArp timer aging aging-time Introduction to Gratuitous ARPArp check enable Configuring ARP Attack DetectionArp detection enable Arp detection trustConfiguring Gratuitous ARP Arp restricted-forwardingGratuitous-arp-learning ARP Basic Configuration Example ARP Configuration ExampleARP Attack Detection Configuration Example Displaying and Maintaining ARP# Enable ARP attack detection on all ports in Vlan # Enable Dhcp snooping on Switch aTable of Contents Snmp Overview Snmp ConfigurationSnmp Operation Mechanism Snmp VersionsSupported MIBs MIB attribute MIB content Related RFCMIB II based on TCP/IP network device RFC Public MIBConfiguring basic Snmp functions for SNMPv1 or SNMPv2c Configuring Basic Snmp FunctionsSnmp-agent Snmp-agent sys-infoConfiguring basic Snmp functions for SNMPv3 Configuring Basic Trap Configuring Trap ParametersConfiguring Extended Trap Snmp Configuration Examples Snmp Configuration ExamplesEnabling Logging for Network Management Displaying and Maintaining Snmp2Network diagram for Snmp configuration Network procedureConfiguring the NMS Rmon Configuration Introduction to RmonWorking Mechanism of Rmon Commonly Used Rmon Groups Rmon Configuration Rmon Configuration Examples Configuration proceduresDisplaying and Maintaining Rmon # Display the Rmon extended alarm entry numbered Table of Contents Information Transmission in the Unicast Mode Multicast OverviewMulticast Overview 1Information transmission in the unicast mode Information Transmission in the Broadcast Mode2Information transmission in the broadcast mode Information Transmission in the Multicast ModeRoles in Multicast 3Information transmission in the multicast modeAdvantages and Applications of Multicast Multicast ModelsAdvantages of multicast Application of multicastASM model Multicast ArchitectureSFM model SSM modelIP multicast address Class D address range DescriptionReserved multicast addresses IP addresses for permanent Ethernet multicast MAC address Layer 3 multicast protocols Multicast Protocols5Positions of Layer 3 multicast protocols Layer 2 multicast protocolsImplementation of the RPF Mechanism Multicast Packet Forwarding Mechanism7RPF check process RPF CheckPage Igmp Snooping Overview Igmp Snooping ConfigurationPrinciple of Igmp Snooping Basic Concepts in Igmp SnoopingWork Mechanism of Igmp Snooping Timer Description Message before Action after expiry ExpiryWhen receiving a general query When receiving a membership reportWhen receiving a leave message Igmp Snooping Configuration Igmp Snooping Configuration Task ListComplete the following tasks to configure Igmp Snooping Igmp-snooping enable Configuring the Version of Igmp SnoopingEnabling Igmp Snooping Igmp-snooping versionConfiguring Timers Configuring Fast Leave ProcessingEnabling fast leave processing in system view Enable fast leave processing Configuring a Multicast Group FilterRequired By default, the fast leave For specific VLANs Enabling fast leave processing in Ethernet port viewConfiguring a multicast group filter in Ethernet port view Configuring a multicast group filter in system viewIgmp -snooping group -policy Acl-number vlan vlan-listConfiguring Igmp Querier Igmp-snooping group-limit limitVlan vlan list overflow-replace Suppressing Flooding of Unknown Multicast Traffic in a Vlan Configuring Static Member Port for a Multicast GroupEthernet port view Configuring a Static Router PortVlan interface view Multicast static-groupVlan view Configuring a Port as a Simulated Group MemberIgmp host-join group-address Source-ip source-addressConfiguring a Vlan Tag for Query Messages Configuring Multicast VlanVlan-mapping vlan Service-type multicast Igmp enableHybrid Port hybrid vlan vlan-id-list Port trunk permit vlan vlan-listIgmp Snooping Configuration Examples Configuring Igmp SnoopingDisplaying and Maintaining Igmp Snooping Configure Switch a # Enable Igmp Snooping globally 3Network diagram for Igmp Snooping configurationDevice Device description Networking description Interface IP address of Vlan 20 isGigabitEthernet 1/0/1 is connected to the workstation # Configure Vlan 4Network diagram for multicast Vlan configurationSymptom Multicast function does not work on the device Troubleshooting Igmp SnoopingCommon Multicast Configuration Common Multicast ConfigurationConfiguring a Multicast MAC Address Entry Mac-address multicastConfiguring Dropping Unknown Multicast Packets Displaying and Maintaining Common Multicast ConfigurationUnknown-multicast drop Display mac-address multicastTable of Contents NTP Configuration Introduction to NTPApplications of NTP Implementation Principle of NTP 1Implementation principle of NTP NTP Implementation ModesServer/client mode Symmetric peer modeBroadcast mode NTP implementation Configuration on the device Mode Multicast modeConfiguring NTP Implementation Modes NTP Configuration Task ListConfiguring NTP Server/Client Mode Complete the following tasks to configure NTPConfiguring the NTP Symmetric Peer Mode Configure the device to work Configuring NTP Broadcast ModeNtp-service broadcast-server NTP broadcast serverConfiguring NTP Multicast Mode Configuring the device to work in the multicast server modeConfiguring the device to work in the multicast client mode Configuring NTP Authentication Configuring Access Control RightNtp-service access peer Server synchronizationRole of device Working mode Configuring NTP authentication on the clientConfiguring NTP authentication on the server Configure on NTP Broadcast Server Configuring Optional NTP ParametersMode and NTP multicast Broadcast While ConfiguringNTP Configuration Examples Displaying and Maintaining NTP ConfigurationDisabling an Interface from Receiving NTP messages Max-dynamic-sessions# Set Device a as the NTP server of Device B Configuring NTP Symmetric Peer Mode Configure Device C # Set Device a as the NTP server# Set Device C as the peer of Device B 8Network diagram for the NTP broadcast mode configuration # Set Device a as a broadcast client Configure Device C # Enter system view9Network diagram for NTP multicast mode configuration Configuring NTP Server/Client Mode with Authentication Configure Device B # Enter system view# Enable the NTP authentication function # Specify the key 42 as a trusted key Table of Contents SSH Overview SSH ConfigurationIntroduction to SSH Algorithm and KeyAsymmetric Key Algorithm SSH Operating ProcessStages Description Authentication negotiation Version negotiationKey negotiation Configuring the SSH Server Session requestData exchange Configuring the Protocol Support for the User Interface SSH Server Configuration TasksAuthentication-mode scheme Command-authorizationGenerating/Destroying a RSA or DSA Key Pair Exporting the RSA or DSA Public Key Creating an SSH User and Specify an Authentication TypeConfiguring SSH Management Specifying a Service Type for an SSH UserSsh user username service-type Stelnet sftp allConfiguring the Client Public Key on the Server Public-key-code end Peer-public-key endRsa peer-public-key keyname Specifying a Source IP Address/Interface for the SSH Server Assigning a Public Key to an SSH UserSsh user username assign Publickey rsa-key keynameConfiguring the SSH Client SSH Client Configuration TasksConfiguring the SSH Client Using an SSH Client Software 2Generate a client key Generate a client key4Generate the client keys Launch PuTTY.exe. The following window appears Specify the IP address of the ServerSelect a protocol for remote connection Select an SSH versionAs shown in -7, select SSH under Protocol 8SSH client configuration interface Open an SSH connection with publickey authentication10SSH client interface Configuring the SSH Client on an SSH2-Capable Device Open an SSH connection with password authenticationConfigure whether first-time authentication is supported Establish the connection between the SSH client and server Specifying a Source IP address/Interface for the SSH client Displaying and Maintaining SSH ConfigurationSsh2 source-ip ip-address Ssh2 source-interfaceSSH Configuration Examples # Enable the user interfaces to support SSH# Generate RSA and DSA key pairs Page 14SSH client interface # Assign the public key Switch001 to client client001 # Set the client’s command privilege level toPage 18Generate a client key pair Page 22SSH client interface Device system-view Device interface vlan-interface # Establish a connection to the server # Set the user command privilege level to # Assign the public key Switch001 to user client001# Generate a DSA key pair 25Network diagram of SSH client configuration # Set AAA authentication on user interfaces # Configure the user interfaces to support SSH# Assign public key Switch001 to user client001 # Establish the SSH connection to server # Specify the host public key pair name of the serverTable of Contents File System Configuration File System Management ConfigurationFile System Configuration Tasks Introduction to File SystemFile Operations Flash Memory Operations Prompt Mode ConfigurationExecute filename Format deviceFile prompt alert quiet File System Configuration ExampleFile Attribute Configuration Attribute Description Feature IdentifierIntroduction to File Attributes Configuring File Attributes Table of Contents Introduction to FTP and Sftp FTP and Sftp ConfigurationIntroduction to FTP Description RemarksFTP Configuration The Device Operating as an FTP Server FTP ConfigurationService-type ftp Introduction to SftpConfiguring connection idle time Ftp timeout minutesEnabling an FTP server Ftp-server source-interface Disconnecting a specified userFtp-server source-ip ip-address Ftp disconnect user-nameConfiguring the banner for an FTP server FTP Configuration The Device Operating as an FTP Client Basic configurations on an FTP clientDisplaying FTP server information Lcd CdupDisconnect CloseConfiguration Example The Device Operating as an FTP Server # Upload the config.cfg file. ftp put config.cfg FTP Banner Display Configuration Example 4Network diagram for FTP banner display configuration # Enter the authorized directory on the FTP server Sftp Configuration The Device Operating as an Sftp Server Sftp ConfigurationComplete the following tasks to configure Sftp Follow these steps to enable an Sftp serverBasic configurations on an Sftp client Sftp Configuration The Device Operating as an Sftp ClientFtp timeout time-out-value Time for the Sftp server Minutes by defaultSftp host-ip host-name Help all command-nameDelete remotefile Remove remote-fileSftp source-interface Sftp Configuration ExampleSftp source-ip ip-address Display sftp source-ip# Specify the service type as Sftp # Specify the SSH authentication mode as AAA# Enable the Sftp server # Create a local user client001Sftp-client # Exit Sftp Tftp Configuration Tftp ConfigurationComplete the following tasks to configure Tftp Introduction to TftpBasic configurations on a Tftp client Tftp Configuration The Device Operating as a Tftp ClientTftp ascii binary Tftp-server acl acl-numberTftp source-interface Tftp Configuration ExampleTftp source-ip ip-address Display tftp source-ipDevice tftp 1.1.1.2 get config.cfg config.cfg Table of Contents Information Center Overview Information CenterIntroduction to Information Center Classification of system informationTen channels and six output directions of system information Module name Description Outputting system information by source moduleSystem Information Format Priority TimestampSysname Introduction to the Information Center Configuration Tasks Information Center ConfigurationSet for the system Configuring Synchronous Information OutputSetting to output system information to the console Setting to Output System Information to the ConsoleTerminal monitor Enabling system information display on the consoleTerminal debugging Terminal loggingSetting to output system information to a monitor terminal Setting to Output System Information to a Monitor TerminalEnabling system information display on a monitor terminal Info-center monitor channelSetting to Output System Information to a Log Host Info-center loghostInfo-center loghost source Setting to Output System Information to the Log Buffer Setting to Output System Information to the Trap BufferInfo-center trapbuffer Info-center sourceSetting to Output System Information to the Snmp NMS Info-center logbufferInfo-center snmp channel Information Center Configuration Examples Displaying and Maintaining Information CenterLog Output to a Unix Log Host # mkdir /var/log/Switch # touch /var/log/Switch/information Log Output to a Linux Log Host 2Network diagram for log output to a Linux log hostLog Output to the Console 3Network diagram for log output to the console4Network diagram # Enable terminal displayTable of Contents Remote Loading Using FTP Host Configuration File LoadingLoading procedure using FTP client Introduction to Loading ApproachesRestart Switch Loading procedure using FTP server2Remote loading using FTP server Use the put command to upload the file config.cfg to Switch Remote Loading Using Tftp Basic System Configuration Basic System Configuration and DebuggingDebugging the System Displaying the System StatusEnabling/Disabling System Debugging Display clockDisplaying Operating Information about Modules in System Displaying Debugging StatusNetwork Connectivity Test Network Connectivity TestPing TracertDevice Management Configuration Tasks Device Management ConfigurationRebooting the Device Device ManagementSchedule reboot at hhmm Scheduling a Reboot on the DeviceSchedule reboot delay Schedule reboot regularityIdentifying and Diagnosing Pluggable Transceivers Introduction to pluggable transceiversIdentifying pluggable transceivers Diagnosing pluggable transceivers Table of Contents VLAN-VPN Configuration VLAN-VPN OverviewIntroduction to VLAN-VPN Implementation of VLAN-VPN Adjusting the Tpid Values of VLAN-VPN PacketsVLAN-VPN Configuration Enabling the VLAN-VPN Feature for a PortProtocol type Value Vlan-vpn uplink enable Tpid Adjusting ConfigurationDisplaying and Maintaining VLAN-VPN Vlan-vpn tpid value4Network diagram for VLAN-VPN configuration VLAN-VPN Configuration ExampleData transfer process SwitchA vlan-vpn tpidPage Selective QinQ Configuration Selective QinQ OverviewSelective QinQ Overview Enabling the Selective QinQ Feature for a Port Selective QinQ ConfigurationInner-to-Outer Tag Priority Mapping Vlan-vpn vid vlan-idConfiguring the Inner-to-Outer Tag Priority Mapping Feature Selective QinQ Configuration ExampleProcessing Private Network Packets by Their Types Vlan-vpn priority# Enable the VLAN-VPN feature on GigabitEthernet 1/0/3 2Network diagram for selective QinQ configurationSwitchA-GigabitEthernet1/0/3 vlan-vpn enable Page Table of Contents HWPing Configuration HWPing OverviewIntroduction to HWPing HWPing Test Parameters Test Types Supported by HWPingSupported test types Description Test parameter DescriptionUsername and password DnsDns-server HWPing Configuration Configuration on a HWPing ServerHWPing server configuration tasks HWPing Client Configuration HWPing server configurationHWPing client configuration Test-enable Timeout timeCount times Datasize sizeTest-type dhcp Source-port port-numberTest-type ftp Ftp-operation get put Password passwordUsername name Filename file-nameDns-server ip-address Destination-ip command toTest-type http Http-operation get postTest-type jitter Destination-portJitter-packetnum number Jitter-interval intervalTest-type snmpquery Server for listening services Configure the destination Configured on the HWPingOperation- tag This IP address and the oneTcpconnect ip-address7 Hwping-serverTest-type tcpprivate TcppublicUdppublic Test-type udpprivateTime Three seconds Optional Configure the service type Address is specifiedTest-type dns Configuring HWPing client to send Trap messages Administrator-name operation-tag HWPing Configuration ExampleDisplaying and Maintaining HWPing Icmp Test# Display test results Dhcp Test# Configure the test type as dhcp FTP Test # Configure the source IP address # Set the probe timeout time to 30 seconds# Configure the test type as http # Configure the IP address of the Http server asHttp Test Jitter Test Configure HWPing Client Switch a # Enable the HWPing client Network diagram# Configure the test type as jitter # Configure the IP address of the HWPing server asSnmp Test # Configure the test type as snmp 7Network diagram for the Snmp testTCP Test Tcpprivate Test on the Specified Ports 8Network diagram for the Tcpprivate test# Configure the test type as tcpprivate UDP Test Udpprivate Test on the Specified Ports # Configure the test type as udpprivateDNS Test # Configure the IP address of the DNS server as # Configure the test type as dnsIndex Table of Contents Static Domain Name Resolution DNS ConfigurationDynamic Domain Name Resolution Resolution procedureConfiguring Domain Name Resolution Configuring Static Domain Name ResolutionDNS suffixes DNS Configuration Example Configuring Dynamic Domain Name ResolutionStatic Domain Name Resolution Configuration Example 2Network diagram for static DNS configuration Dynamic Domain Name Resolution Configuration Example# Configure com as the DNS suffix # Configure the IP address 2.1.1.2 for the DNS serverDisplaying and Maintaining DNS Troubleshooting DNS ConfigurationTable of Contents Smart Link Overview Smart Link ConfigurationBasic Concepts in Smart Link Smart Link groupSlave port Master portFlush message Control Vlan for sending flush messagesConfiguring Smart Link Complete the following tasks to configure Smart LinkOperating Mechanism of Smart Link Configuring a Smart Link Device Precautions Configuring Associated DevicesFlush enable control-vlan Smart-link flush enable control-vlan vlan-id portSmart Link Configuration Example Implementing Link Redundancy BackupDisplaying and Maintaining Smart Link # Return to system view # Configure to send flush messages within VlanSwitchD system-view Introduction to Monitor Link Monitor Link ConfigurationHow Monitor Link Works 2Network diagram for a Monitor Link group implementationConfiguring Monitor Link Configuring the Uplink PortCreating a Monitor Link Group Configuring a Downlink Port UplinkPort monitor-link group Displaying and Maintaining Monitor Link Monitor Link Configuration Example# Create Smart Link group 1 and enter Smart Link group view # Configure to send flush messages in VlanSwitchC monitor-link group Table of Contents PoE Overview PoE ConfigurationIntroduction to PoE Advantages of PoEPoE Features Supported by the Device PoE ConfigurationPoE Configuration Task List Maximum Power Provided by Each Electrical PortSetting the Maximum Output Power on a Port Enabling the PoE Feature on a PortPoe enable Poe max-power max-powerSetting the PoE Mode on a Port Setting PoE Management Mode and PoE Priority of a PortPoe power-management Poe priority critical highPoe legacy enable Configuring the PD Compatibility Detection FunctionPoe update refresh Upgrading the PSE Processing Software OnlineDisplaying and Maintaining PoE Configuration PoE Configuration ExamplePoE Configuration Example Networking requirements# Upgrade the PSE processing software online 1Network diagram for PoEPoE Profile Configuration PoE Profile ConfigurationConfiguring PoE Profile Introduction to PoE ProfilePoE Profile to Port Displaying and Maintaining PoE Profile ConfigurationDisplay poe-profile All-profile interfacePoE Profile Configuration Example PoE Profile Application Example# Create Profile1, and enter PoE profile view # Display detailed configuration information for Profile1 # Display detailed configuration information for Profile2# Create Profile2, and enter PoE profile view Table of Contents Page Introduction to IP Route and Routing Table IP Routing Protocol OverviewIP Route Routing TablePage Static Routing and Dynamic Routing Routing Protocol OverviewClassification of Dynamic Routing Protocols Routing Protocols and Routing PriorityRoute backup Load Sharing and Route BackupRouting Information Sharing Load sharingDisplaying and Maintaining a Routing Table Static Route Configuration Introduction to Static RouteStatic Route Static Route Configuration Default RouteConfiguring a Static Route Displaying and Maintaining Static Routes Static Route Configuration Example# Approach 2 Configure a static route on Switch a Troubleshooting a Static Route# Approach 1 Configure static routes on Switch B # Approach 2 Configure a static route on Switch BRIP Overview RIP ConfigurationBasic Concepts RIP routing databaseRIP timers RIP Startup and OperationRouting loops prevention Basic RIP Configuration RIP Configuration Task ListConfiguring Basic RIP Functions RipSetting the RIP operating status on an interface RIP Route ControlSpecifying the RIP version on an interface Setting the additional routing metrics of an interface Configuring RIP Route ControlConfiguring RIP route summarization Rip metricin valueDisabling the router from receiving host routes Configuring RIP to filter incoming/outgoing routesSetting RIP preference RIP Network Adjustment and OptimizationConfiguring RIP timers Configuration TasksConfiguring split horizon Configuring RIP-1 packet zero field checkConfiguring RIP to unicast RIP packets Setting RIP-2 packet authentication modeRip authentication-mode Simple password md5RIP Configuration Example Displaying and Maintaining RIP ConfigurationFailed to Receive RIP Updates Troubleshooting RIP ConfigurationConfigure Switch B # Configure RIP Configure Switch C # Configure RIPIP Route Policy Overview IP Route Policy ConfigurationIntroduction to IP Route Policy FiltersRoute Policy Configuration IP Route Policy Configuration Task ListFor ACL configuration, refer to the part discussing ACL Route policyDefining if-match Clauses and apply Clauses Defining a Route PolicyDisplaying and Maintaining IP Route Policy IP Route Policy Configuration ExampleIf-match ip next-hop acl Apply cost valueConfiguration considerations SwitchC-acl-basic-2000 quit SwitchC acl number Configuration verification Precautions Troubleshooting IP Route PolicyTable of Contents UDP Helper Configuration Introduction to UDP HelperProtocol UDP port number Configuring UDP Helper # Enable UDP Helper on Switch a UDP Helper Configuration ExampleDisplaying and Maintaining UDP Helper Cross-Network Computer Search Through UDP HelperTable of Contents Appendix a Acronyms Non Broadcast MultiAccess Medium Access ControlProtocol Independent Multicast-Dense Mode Protocol Independent Multicast-Sparse Mode

Displaying and maintaining HWTACACS protocol information

display hwtacacs

hwtacacs-scheme

hwtacacs-scheme

AAA Configuration Examples

Remote RADIUS Authentication of Telnet/SSH Users

Network requirements