7Network diagram for IP filtering configuration

Figure 3-7Network diagram for IP filtering configuration

GE1/0/1

GE1/0/2

DHCP Server

Switch

DHCP Snooping

GE1/0/4

GE1/0/3

Host A	Client B	Client C
IP:1.1.1.1
MAC:0001-0001-0001

Configuration procedure

# Enable DHCP snooping on Switch.

<Switch> system-view

[Switch] dhcp-snooping

# Specify GigabitEthernet 1/0/1 as the trusted port.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] dhcp-snooping trust

[Switch-GigabitEthernet1/0/1] quit

#Enable IP filtering on GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses.

[Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] ip check source ip-address mac-address

[Switch-GigabitEthernet1/0/2] quit [Switch] interface gigabitethernet 1/0/3

[Switch-GigabitEthernet1/0/3] ip check source ip-address mac-address

[Switch-GigabitEthernet1/0/3] quit [Switch] interface gigabitethernet 1/0/4

[Switch-GigabitEthernet1/0/4] ip check source ip-address mac-address

[Switch-GigabitEthernet1/0/4] quit

# Create static binding entries on GigabitEthernet 1/0/2 of Switch.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] ip source static binding ip-address 1.1.1.1 mac-address 0001-0001-0001

3-12

Page 338

Image 338

3Com WX3000 7Network diagram for IP filtering configuration, # Specify GigabitEthernet 1/0/1 as the trusted port

Contents

3Com WX3000 Series Unified Switches Switching Engine Manual Version 6W100 Environmental Statement Organization Part ContentsAbout This Manual Italic ConventionsConvention Description Boldface Create Folder Related DocumentationConvention Description Manual Description Obtaining Documentation Table of Contents Introduction to the CLI CLI ConfigurationCommand Hierarchy Switching to a specific user level Switching User LevelsSetting a user level switching password Setting the level of a command in a specific view Setting the Level of a Command in a Specific ViewConfiguration example Quit CLI ViewsDisplay Execute Operation Quit or return Region-configuration Gigabitethernet commandVlan-interface command Peer-public-key command Public-key-code begin Public-key-cOde end Execute the radius scheme Execute Command should be first CLI FeaturesVlan-vpn enable Online Help Partial online help Command HistoryTerminal Display Press Ctrl+C Error Prompts Command Edit Press… To… Tab Table of Contents Page Introduction to the User Interface Logging In to the Switching EngineLogging In to the Switching Engine Supported User Interfaces Common User Interface Configuration User Interface Index Type number number Display users allDisplay user-interface Display web users Logging In Through OAP Logging In to the Switching Engine Through OAPPress Enter to enter user view of the switching engine OAP Overview Oap management-ip Configure the management IPNot configured by default Address of an OAP module Oap reboot slot Resetting the OAP Software SystemReset the OAP software Logging In Through Telnet Common ConfigurationConfiguration Description Introduction Telnet Configurations for Different Authentication Modes Authentication Telnet configuration Description Mode Telnet Configuration with Authentication Mode Being None Configuration Procedure Network requirements Configuration ExampleConfiguration procedure Auto-execute command Password Set authenticationPassword cipher User privilege level level Command buffer can store up to Set the history command bufferDefault history command Commands by default Telnet Configuration with Authentication Mode Being Scheme History-command max-size Scheme commandAuthorization Protocol inbound all ssh Privilege Service-typeUser privilege level level command is Level level # Create a local user named guest and enter local user view Telnetting to the Switching Engine Telnetting to the Switching Engine from a Terminal Deviceoap connect slot Connected to OAP Page Device telnet Network management system are configured Vlan interface of the switching engine is assigned an IPUser name and password for logging in to the Web-based Logging In from the Web-Based Network Management System Setting Up a Web Configuration Environment Configuring the Login Banner 3The login page of the Web-based network management system Through Web Configured Header login textBy default, no login banner is Enabling/Disabling the WEB Server Follow these steps to enable/disable the WEB serverEnable the Web server Ip http shutdown Related information Connection Establishment Using NMSLogging In from NMS Configuration in user view Configuring Source IP Address for Telnet Service PacketsConfiguring Source IP Address for Telnet Service Packets Configuration in system view Displaying Source IP Address Configuration Interface-number Controlling Telnet Users Login mode Control method Implementation ReferenceUser Control Prerequisites Rule rule-id deny permit Match-order config autoAcl number acl-number Acl acl-number inbound Permit rule-string Controlling Telnet Users by Source MAC AddressesRule rule-id deny Controlling Network Management Users by Source IP Addresses Controlling Network Management Users by Source IP Addresses 2Network diagram for controlling Snmp users using ACLs Controlling Web Users by Source IP Address Ip http acl acl-number Disconnecting a Web User by ForceControlling Web Users by Source IP Addresses Free web-users all user-id Device ip http acl Table of Contents Types of configuration Configuration File ManagementIntroduction to Configuration File Format of configuration file Startup with the configuration file Management of Configuration FileSaving the Current Configuration Modes in saving the configuration Erasing the Startup Configuration File Three attributes of the configuration file Assign backup attribute to the startup configuration file Specifying a Configuration File for Next StartupAssign main attribute to the startup configuration file Startup saved-configuration Displaying and Maintaining Device Configuration Table of Contents Introduction to Vlan Vlan OverviewVlan Overview Vlan tag Advantages of VLANsHow Vlan Works MAC address learning mechanism of VLANs 2Encapsulation format of traditional Ethernet frames Vlan Classification Port-Based VlanVlan Interface Encapsulation Format of Ethernet Data Protocol-Based VlanIntroduction to Protocol-Based Vlan Ethernet II and 802.2/802.3 encapsulation Extended encapsulation formats of 802.2/802.3 packets 6802.3 raw encapsulation format Implementation of Protocol-Based Vlan Procedure for the Switch to Judge Packet ProtocolEncapsulation Formats Encapsulation Ethernet 802.3 raw 802.2 LLC Snap ProtocolPage Configuration Task List Vlan ConfigurationVlan Configuration Basic Vlan Configuration Displaying and Maintaining Vlan Basic Vlan Interface ConfigurationConfiguration prerequisites Protocol-Based Vlan Configuration Example Configuring a Port-Based VlanConfiguring a Port-Based Vlan Port interface-list # Create Vlan 201, and add GigabitEthernet 1/0/12 to Vlan # Configure GigabitEthernet 1/0/10 of Switch B# Create Vlan 201, and add GigabitEthernet 1/0/2 to Vlan Configuring a Protocol-Based Vlan Configuring a Protocol Template for a Protocol-Based Vlan Port hybrid protocol-vlan Associating a Port with a Protocol-Based VlanInterface interface-type Interface-number Vlan vlan-id protocol-index Dynamic static Displaying and Maintaining Protocol-Based VlanDisplay vlan vlan-id to vlan-id all Display protocol-vlan vlan vlan id Vlan Protocol-Type Table of Contents Auto Detect Configuration Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Basic Configuration Ip route-static ip-address mask Auto Detect Implementation in Vlan Interface BackupAuto Detect Implementation in Static Routing Preference-value reject blackhole Standby detect-group Auto Detect Configuration ExamplesVlan -id # Create auto detected group # Configure a static route to Switch aIs reachable Table of Contents How an IP Phone Works Voice Vlan ConfigurationVoice Vlan Overview 1Network diagram for IP phones Agent Number OUI address Vendor Configuring Operation Mode for Voice VlanHow the Device Identifies Voice Traffic Processing mode of tagged packets sent by IP voice devices Support for Voice Vlan on Various Ports Port voice Voice Security Mode of Voice VlanPort type Supported or not Traffic type Mode Configuring a Voice Vlan to Operate in Automatic Mode Voice Vlan ConfigurationConfiguration Prerequisites Undo voice vlan mode Configuring a Voice Vlan to Operate in Manual ModeEnable Voice vlan security Tagged untagged Port trunk permit vlanPort hybrid vlan vlan-id Port trunk pvid vlan Displaying and Maintaining Voice Vlan Voice Vlan Configuration ExampleVoice Vlan Configuration Example Automatic Mode # Configure GigabitEthernet 1/0/1 as a hybrid port Voice Vlan Configuration Example Manual Mode# Enable the voice Vlan function globally # Enable the voice Vlan function on GigabitEthernet 1/0/1 Verification # Create Vlan 2 and configure it as a voice Vlan# Configure GigabitEthernet 1/0/1 to operate in manual mode # Display the status of the current voice Vlan Table of Contents Introduction to Gvrp Gvrp ConfigurationGarp messages and timers Garp packets are in the following format Operating mechanism of GarpGarp message format 1Format of Garp packets Field Description Value Configuration Prerequisite Gvrp ConfigurationProtocol Specifications Enabling Gvrp Garp timer hold join Configuring Gvrp TimersGarp timer leaveall Gvrp Configuring Gvrp Port Registration Mode Displaying and Maintaining Gvrp Configure Switch a # Enable Gvrp globally Gvrp Configuration ExampleGvrp Configuration Example # Enable Gvrp on GigabitEthernet 1/0/1 # Enable Gvrp on GigabitEthernet 1/0/3 SwitchE-GigabitEthernet1/0/1 gvrp registration fixed Table of Contents Types and Numbers of Ethernet Ports Basic Port ConfigurationEthernet Port Overview Combo Ports Mapping Relations Configuring the Default Vlan ID for an Ethernet Port Link Types of Ethernet Ports Adding an Ethernet Port to Specified VLANs Configuring Ethernet PortsMaking Basic Port Configuration Vlan tag Configuring Port Auto-Negotiation Speed Speed auto 10 100 Setting the Ethernet Port Broadcast Suppression RatioEnabling Flow Control on a Port Broadcast-suppression Configuring Trunk Port Attribute Configuring Access Port AttributeConfiguring Hybrid Port Attribute Configuration tasks Disabling Up/Down Log Output on a Port System-view Copy configuration source interface-type Copying Port Configuration to Other PortsConfiguring a Port Group Aggregation-group destination-agg-id Setting Loopback Detection for an Ethernet Port Loopback-detection per-vlan Configuring the Ethernet Port to Run Loopback TestConfigure the Ethernet port to run Loopback detection only on VLANs for the trunk and hybrid Flow-interval interval Enabling the System to Test Connected CableVirtual-cable-test Ethernet Port Configuration Example Displaying and Maintaining Ethernet Ports Troubleshooting Ethernet Port Configuration # Configure the default Vlan ID of GigabitEthernet 1/0/1 as Table of Contents Introduction to Lacp Link Aggregation ConfigurationIntroduction to Link Aggregation Introduction to manual aggregation group Operation KeyManual Aggregation Group Port status in manual aggregation group Port status of static aggregation group Static Lacp Aggregation GroupIntroduction to static Lacp aggregation Introduction to dynamic Lacp aggregation group Configuring system priorityDynamic Lacp Aggregation Group Port status of dynamic aggregation group Configuring port priority Aggregation Group Categories Link Aggregation Configuration Configuring a Manual Aggregation Group Port link-aggregation group Configuring a Static Lacp Aggregation GroupDescription agg-name Agg-id System-priority Configuring a Dynamic Lacp Aggregation GroupLacp system -priority Link Aggregation Configuration Example Displaying and Maintaining Link Aggregation Switch a Link aggregation Switch B Page Table of Contents Port Isolation Overview Port Isolation ConfigurationPort Isolation Configuration Introduction to Port Isolation Port Isolation Configuration Example Displaying and Maintaining Port Isolation Device-GigabitEthernet1/0/4 quit device Table of Contents Port Security Overview Port Security ConfigurationPort Security Features Introduction Port Security Modes Security mode Description FeatureThis mode Neither Security mode Description Feature Follow these steps to enable port security Port Security ConfigurationComplete the following tasks to configure port security Enabling Port Security Port-security max-mac-count Setting the Port Security ModePort-security oui OUI-value UserLoginWithOUI mode, a Count-value Configuring Port Security Features Configuring the NTK feature Configuring intrusion protection Configuring the Trap feature Configuring Security MAC Addresses Displaying and Maintaining Port Security Configuration Port Security Configuration Example # Set the port security mode to autolearn HostSwitch# Enable port security # Enter GigabitEthernet 1/0/1 port view Configuring Port Binding Port Binding ConfigurationDisplaying and Maintaining Port Binding Configuration Port Binding Overview Port Binding Configuration Example Configure switch a as follows # Enter system view Table of Contents Dldp Configuration Dldp Overview Status Description Dldp FundamentalsDldp status Timer Description Dldp timersDldp works with the following timers 2DLDP timers Interval of sending advertisement packets, which can be Mode During neighbor Dldp operating modeEnhanced timer then sends one probe packets every one Entry aging Timer expire 4Types of packets sent by Dldp Packet type Processing procedureNo Echo packet received from Processing procedure Neighbor Dldp status Packet types Dldp Configuration Tasks Dldp ConfigurationPrecautions During Dldp Configuration Dldp neighbor state Resetting Dldp Status Dldp Network Example Reset the Dldp status of a port Dldp resetThis command only applies to the ports in Dldp down status # Set the interval of sending Dldp packets to 15 seconds # Enable Dldp globally# Configure Dldp to work in enhanced mode # Display the Dldp status Table of Contents Introduction to MAC Address Learning MAC Address Table ManagementIntroduction to MAC Address Table 1MAC address learning diagram Managing MAC Address Table Aging of MAC address table Configuring MAC Address Table Management Entries in a MAC address table Adding a MAC address entry in Ethernet port view Configuring a MAC Address EntryAdding a MAC address entry in system view System-view Mac-address static dynamic Age no-aging Setting the Aging Time of MAC Address EntriesMac-address timer aging Max-mac-count count Disabling MAC Address learning for a VlanMac-address Max-mac-count Adding a Static MAC Address Entry Manually Configuration ExampleDisplaying and Maintaining MAC Address Table Display mac-address Table of Contents Page STP Overview Mstp ConfigurationSTP Overview Classification Designated bridge Designated port All the ports on the root bridge are designated ports How STP works Step Description Step Description Device Port name Bpdu of port 5Comparison process and result on each device Device Comparison process Bpdu of port after Device Comparison process Bpdu of port after 3The final calculated spanning tree Background of Mstp Features of MstpMstp Overview Disadvantages of STP and Rstp Basic Mstp Terminologies MST region Common root bridge Vlan mapping tableRegion root Port role Port state MSTP, a port can be in one of the following three states Calculate an Msti Principle of MstpCalculate the Cist Implement STP algorithm Mstp Implementation on the Device STP-related Standards Configuring Root BridgeComplete the following tasks to configure a root bridge Bpdu guard Loop guard TC-BPDU attack guard Bpdu packet drop Configuring an MST Region # Verify the above configuration Centi-seconds Stp instance instance-id root secondary Set the bridge priority for Configuring the Bridge Priority of the Current DeviceRequired Default bridge priority of a Current device Stp instance instance-id Auto dot1s legacy Stp interface interface-typeInterface-number compliance Stp compliance auto dot1s Configuring the Mstp Operation ModeStp mode stp rstp mstp Legacy Stp max-hops hops Configuring the Maximum Hop Count of an MST RegionConfiguring the Network Diameter of the Switched Network Stp timer hello Configuring the Mstp Time-related ParametersStp timer forward-delay Stp timer max-age Configuring the Timeout Time Factor Stp transmit-limit packetnum Stp interface interface-listTransmit-limit packetnum Configure a port as an edge port in Ethernet port view Configuring the Current Port as an Edge PortConfigure a port as an edge port in system view Edged-port enable Point-to-point force-true Force-false auto Enabling Mstp Stp enableDisable Stp point-to-point force-true Task Remarks Configuring Leaf NodesStp disable Configuring the MST Region Configuring a Port as an Edge Port Stp pathcost-standard Configuring the Path Cost for a PortStandards for calculating path costs of ports Dot1d-1998 dot1t legacy Configuration example B Configure the path cost for specific portsConfiguration example a Configure port priority in Ethernet port view Configuring Port PriorityConfigure port priority in system view Instance instance-id port Perform the mCheck operation in Ethernet port view Performing mCheck OperationPerform the mCheck operation in system view Stp interface interface-list mcheck Root guard Configuring Guard FunctionsBpdu guard Stp mcheck Bpdu dropping Loop guardTC-BPDU attack guard Root-protection Configuring Bpdu GuardConfiguring Root Guard Stp root-protection Stp loop-protection Configuring Loop GuardConfiguring TC-BPDU Attack Guard Stp tc-protection Interface interface-name Configuring Digest SnoopingConfiguring Bpdu Dropping Bpdu-drop any Configuring Digest Snooping Stp config-digest-snooping Configuring Rapid Transition 6The Rstp rapid transition mechanism Stp no-agreement-check Configuring Rapid TransitionNo-agreement-check Vlan-vpn tunnel Configuring VLAN-VPN TunnelConfiguring VLAN-VPN tunnel Stp instance instance id STP Maintenance ConfigurationEnabling Log/Trap Output for Ports of Mstp Instance Portlog Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining Mstp # Activate the settings of the MST region manually Mstp Configuration ExampleConfigure Switch a # Enter MST region view # Configure the MST region Configure Switch B # Enter MST region viewConfigure Switch C # Enter MST region view Configure Switch D # Enter MST region view Configure Switch B # Enable Mstp VLAN-VPN tunnel Configuration ExampleConfigure Switch a # Enable Mstp Configure Switch C # Enable Mstp Configure Switch D # Enable Mstp # Enable the VLAN-VPN tunnel function# Configure GigabitEthernet 1/0/2 as a trunk port # Configure GigabitEthernet 1/0/1 as a trunk port Table of Contents Introduction to 802.1x ConfigurationArchitecture of 802.1x Authentication Controlled port and uncontrolled port Port access entityPort access control method Valid direction of a controlled port Format of an EAPoL packet Mechanism of an 802.1x Authentication SystemEncapsulation of EAPoL Messages Format of an EAP packet EAP relay mode 802.1x Authentication ProcedureFields added for EAP authentication Describes the basic EAP-MD5 authentication procedure EAP terminating mode Timers Used 9802.1x authentication procedure in EAP terminating mode Additional 802.1x Features Implemented Checking the supplicant system Checking the client version Guest Vlan function Introduction to 802.1x Configuration Enabling 802.1x re-authentication Dot1x Basic 802.1x ConfigurationConfiguring Basic 802.1x Functions Dot1x interface interface-list Dot1x authentication-method chapDot1x handshake enable Dot1x port-control authorized-force Dot1x retry max-retry-value Timer and Maximum User Number ConfigurationDot1x max-user user-number Advanced 802.1x Configuration Configuring Proxy Checking Configuring Client Version Checking Dot1x dhcp-launch Enabling DHCP-triggered AuthenticationConfiguring Guest Vlan Dot1x port-method portbased Dot1x re-authenticate Configuring 802.1x Re-AuthenticationConfiguring the 802.1x Re-Authentication Timer 802.1x Configuration Example Displaying and Maintaining # Enable 802.1x globally # Enable 802.1x on GigabitEthernet 1/0/1 port # Create the domain named aabbcc.net and enter its view # Set the default user domain to be aabbcc.net# Create a local access user account Introduction to Quick EAD Deployment Quick EAD Deployment ConfigurationConfiguring Quick EAD Deployment Quick EAD Deployment Overview Dot1x url url-string Configuring a free IP rangeSetting the ACL timeout period Dot1x free-ip ip-address Period is 30 minutes Quick EAD Deployment Configuration ExampleDisplaying and Maintaining Quick EAD Deployment Troubleshooting Solution Configuring the System-Guard Feature System-Guard ConfigurationConfiguring the System-Guard Feature System-Guard Overview Displaying and Maintaining System-Guard Table of Contents Page AAA Overview AuthenticationAuthorization Introduction to AAA Accounting Introduction to AAA ServicesWhat is Radius Introduction to ISP Domain Basic message exchange procedure in Radius 1Databases in a Radius server Direction client-server Radius message formatCode Message type Message description Client transmits this message to the server to determine if Type field value Attribute type What is Hwtacacs Introduction to Hwtacacs Basic message exchange procedure in Hwtacacs 5Network diagram for a typical Hwtacacs application 6AAA implementation procedure for a telnet user Page Configuration Introduction AAA ConfigurationAAA Configuration Task List Creating an ISP Domain and Configuring Its Attributes Messenger time enable limit Configuring an AAA Scheme for an ISP DomainConfiguring a combined AAA scheme Self-service-url disable Radius-scheme-name local Configuring separate AAA schemesDomain isp-name Hwtacacs-scheme Accounting none Configuring Dynamic Vlan AssignmentLocal local none Authorization none Vlan-assignment-mode Configuring the Attributes of a Local UserDomain isp-name Integer string Authorization vlan string Password-display-modeService-type ftp lan-access Access-limit Follow these steps to cut down user connections forcibly Radius Configuration Task ListCutting Down User Connections Forcibly Cut down user Configuring Servers Creating a Radius Scheme Configuring Radius Authentication/Authorization ServersRadius client enable Radius scheme Secondary authentication Configuring Radius Accounting ServersPrimary authentication Ip-address port-number Stop-accounting-buffer Configuring Shared Keys for Radius MessagesSecondary accounting Retry stop-accounting Key accounting string Configuring the Type of Radius Servers to be SupportedKey authentication string Optional Servers to be supported Configuring the Status of Radius ServersServer-type extended Calling-station-id mode State primary authenticationAuthentication block Block active Key password Configuring the Local Radius Authentication Server FunctionLocal-server enable Local-server nas-ip ip-address Configuring Timers for Radius Servers Enabling the User Re-Authentication at Restart Function Times interval interval Hwtacacs Configuration Task ListAccounting-on enable send Hwtacacs scheme Configuring Tacacs Authentication ServersCreating a Hwtacacs Scheme Secondary authorization Configuring Tacacs Authorization ServersPrimary authorization Ip-address port Follow these steps to configure Tacacs accounting servers Configuring Tacacs Accounting ServersConfiguring Shared Keys for Hwtacacs Messages Function is enabled Number of transmission Mega-byte Authentication stringKey accounting Data-flow-format packet Optional By default, the response timeout Tacacs servers Configuring the Timers Regarding Tacacs ServersScheme exists Set the response timeout time Optional By default, the real-time Interval Displaying and maintaining Radius protocol information Displaying and Maintaining AAADisplaying and maintaining AAA information Displaying and maintaining Hwtacacs protocol information AAA Configuration ExamplesRemote Radius Authentication of Telnet/SSH Users # Configure a Radius scheme # Adopt AAA authentication for Telnet users# Configure an ISP domain # Associate the ISP domain with the Radius scheme Local Authentication of FTP/Telnet Users # Create and configure a local user named telnet Hwtacacs Authentication and Authorization of Telnet Users # Configure the domain name of the Hwtacacs scheme to hwtac Troubleshooting Hwtacacs Configuration Troubleshooting AAATroubleshooting Radius Configuration Possible reasons and solutions Typical Network Application of EAD EAD ConfigurationIntroduction to EAD Security-policy-server EAD ConfigurationEAD Configuration Example Ip-address # Configure the IP address of the security policy server # Associate the domain with the Radius scheme Table of Contents Performing MAC Authentication on a Radius Server MAC Authentication ConfigurationMAC Authentication Overview Performing MAC Authentication Locally Mac-authentication Configuring Basic MAC Authentication FunctionsMAC Authentication Timers Related Concepts Mac-authentication authmode Mac-authentication interfaceMac-authentication Quit Uppercase fixedpassword password MAC Address Authentication Enhanced Function Configuration Configuring a Guest Vlan Guest-vlan-reauth interval Mac-authentication timerGuest-vlan vlan-id Max-auth-num user-number Configure the maximum numberMAC address authentication Number of MAC address Display mac-authentication Displaying and Maintaining MAC AuthenticationMAC Authentication Configuration Example Reset mac-authentication statistics # Specify to perform local authentication # Add a local user Specify the username and passwordSet the service type to lan-access # Add an ISP domain named aabbcc.net Table of Contents IP Address Classes IP Addressing ConfigurationIP Addressing Overview Net-id Class Address range Remarks Special Case IP AddressesSubnetting and Masking Mask-length sub Configuring IP AddressesIp address ip-address mask Displaying and Maintaining IP Addressing IP Address Configuration ExamplesIP Address Configuration Example Network requirement 4Network diagram for IP address configuration Page IP Performance Overview IP Performance ConfigurationConfiguring IP Performance Disabling Sending of Icmp Error Packets Displaying and Maintaining IP Performance Configuration Table of Contents Dhcp IP Address Assignment Dhcp OverviewIntroduction to Dhcp IP Address Assignment Policy Obtaining IP Addresses Dynamically Dhcp Packet Format Updating IP Address Lease Protocols and Standards Usage of Dhcp Relay Agent Dhcp Relay Agent ConfigurationIntroduction to Dhcp Relay Agent Dhcp Relay Agent Fundamentals Introduction to Option Padding content of OptionDhcp Relay Agent Support for Option 2Padding contents for sub-option 1 of Option Mechanism of Option 82 supported on Dhcp relay agent Dhcp-server groupNo ip Configuring the Dhcp Relay AgentDhcp Relay Agent Configuration Task List Ip-address &1-8 Configuring Dhcp Relay Agent Security Functions Configuring address checking Dhcp-security static ip-address Address-check enableDhcp relay hand enable Mac-address Enabling unauthorized Dhcp server detection Configuring the Dhcp Relay Agent to Support OptionConfiguring the Dhcp relay agent to support Option Prerequisites Displaying and Maintaining Dhcp Relay Agent Configuration Dhcp Relay Agent Configuration Example Solution Troubleshooting Dhcp Relay Agent ConfigurationSymptom AnalysisPage Function of Dhcp Snooping Dhcp Snooping ConfigurationDhcp Snooping Overview Padding content and frame format of Option Overview of Dhcp Snooping Option Mechanism of DHCP-snooping Option 2Extended format of the circuit ID sub-option Dhcp-snooping information format command or the default HEX Dhcp-snooping information format command orSub-option configuration Dhcp snooping device will… Overview of IP Filtering DHCP-snooping table Dhcp Snooping ConfigurationConfiguring Dhcp Snooping IP static binding table Enable DHCP-snooping Option 82 support Configuring Dhcp Snooping to Support OptionDHCP-Snooping Option 82 Support Configuration Task List Required Specify the current port as a Dhcp-snooping information Configure a handling policy for Dhcp packets with OptionConfigure the storage format of Option Strategy drop keep replace Vlan vlan-id circuit-id string Configure the circuit ID sub-optionConfigure the remote ID sub-option String Remote-id sysname string Configuring IP FilteringConfigure the padding format for Option Vlan vlan-id remote-id Dhcp Snooping Configuration Example DHCP-Snooping Option 82 Support Configuration Example # Enable DHCP-snooping Option 82 support IP Filtering Configuration Example# Enable Dhcp snooping on Switch # Specify GigabitEthernet 1/0/5 as the trusted port 7Network diagram for IP filtering configuration # Specify GigabitEthernet 1/0/1 as the trusted port Trust Displaying and Maintaining Dhcp Snooping ConfigurationDisplay dhcp-snooping Display ip source static Configuring a DHCP/BOOTP Client DHCP/BOOTP Client ConfigurationIntroduction to Bootp Client Follow these steps to configure a DHCP/BOOTP client Dhcp-alloc Dhcp Client Configuration ExampleIp address bootp-alloc Bootp client Displaying and Maintaining DHCP/BOOTP Client ConfigurationDisplay bootp client interface Display related information on a Table of Contents ACL Matching Order ACL ConfigurationACL Overview Depth-first match order for rules of an advanced ACL Ways to Apply an ACL on a DeviceDepth-first match order for rules of a basic ACL Being applied to the hardware directly Types of ACLs Supported by Devices ACL ConfigurationConfiguring Time Range End-time end-date from start-time start-date to Time-range time-name start-time to end-timeDays-of-the-week from start-time start-date to End-time end-date to end-time end-date Rule-string Rule-string , refer to ACL Command Configuring Basic ACLAuto config Rule-string , refer to ACL Command Configuring Advanced ACLMatch-order auto config Rule rule-id permit deny Configuring Layer 2 ACL Rule-string Refer to ACL Command ACL Assignment Assigning an ACL to a Vlan Configure procedureAssigning an ACL Globally Packet-filter inbound acl-rule Inbound acl-rule Assigning an ACL to a Port GroupSystem-view Packet-filter vlan vlan-id Displaying and Maintaining ACL Assigning an ACL to a Port SwitchPC Example for Controlling Telnet Login Users by Source IPExample for Controlling Web Login Users by Source IP Examples for Upper-layer Software Referencing ACLs Examples for Applying ACLs to Hardware Basic ACL Configuration ExampleAdvanced ACL Configuration Example Layer 2 ACL Configuration Example # Apply ACL 3000 on GigabitEthernet 1/0/1 Example for Applying an ACL to a Vlan # Apply ACL 4000 on GigabitEthernet 1/0/1 # Apply ACL 3000 to Vlan Table of Contents Page Introduction to QoS QoS ConfigurationTraditional Packet Forwarding Service New Applications and New Requirements Traffic Classification QoS Supported by DevicesMajor Traffic Control Techniques IP Precedence decimal IP Precedence binary Description PrecedenceIP precedence, ToS precedence, and Dscp precedence 802.1p priority Dscp value decimal Dscp value binary Description Priority Trust Mode 802.1p priority decimal 802.1p priority binary Description Trusting the 802.1p precedence Trusting the Dscp precedence Dscp precedence Target Dscp precedence Traffic Policing and Traffic Shaping Protocol PriorityPriority Marking Token bucket Traffic shaping Evaluating the traffic with the token bucketTraffic policing Queue Scheduling Traffic RedirectingVlan Mapping 7Diagram for SP queuing SP queuing Sdwrr Flow-based Traffic Accounting QoS ConfigurationQoS Configuration Task List Burst Priority-trust cos automap Configuring Priority Trust ModePriority priority-level Priority-trust dscp automap Qos cos-drop-precedence-map Configuring Priority MappingQos cos-local-precedence-map Qos dscp-drop-precedence-map dscp-list Qos cos-dscp-map cos0-map-dscpQos dscp-local-precedence-map dscp-list Qos dscp-cos-map dscp-list cos-valuePage Protocol-type Setting the Priority of Protocol PacketsSystem-view Protocol-priority Ip-precedence Dscp-value cos cos-value Marking Packet PriorityTraffic-priority inbound acl-rule dscp Traffic-priority vlan vlan-id inbound acl-rule Configuring Traffic Policing Required Matching specific ACL rules Traffic-limit inbound acl-rule target-rate Reset traffic-limit inbound acl-ruleReset traffic-limit vlan vlan-id inbound Conform con-action exceed By default, traffic policing is Policing Configuring Traffic ShapingView Configure traffic Disabled Clear the traffic Traffic-shape queue Configuring Traffic RedirectingConfiguration examples Traffic-redirect inbound acl-rule interface Traffic-redirect vlan vlan-id inbound acl-rule Traffic-remark-vlanid inbound Configuring Vlan MappingConfiguring Queue Scheduling Acl-rule remark-vlan vlan-id Undo queue-scheduler queue-id Queue-id queue-weight &1-8Group2 queue-id queue-weight Queue-scheduler wrr group1 Collect the statistics on Packets matching specific ACL Reset traffic-statistic inboundCollecting/Clearing Traffic Statistics Traffic-statistic inbound acl-rule Traffic-statistic vlan vlan-id Reset traffic-statistic vlan vlan-idReset traffic-statistic inbound acl-rule Enabling the Burst Function Configuring Traffic MirroringFollow these steps to enable the burst function Refer to Burst for information about the burst function Monitor-interface Monitor-portMirrored-to inbound acl-rule Mirrored-to vlan vlan-id Required Mirroring for packets that Traffic mirroring configurationRequired Destination port Exit current view Displaying and Maintaining QoS QoS Configuration Example Configuration Example of Traffic PolicingPage Dynamic application mode QoS Profile ConfigurationQoS Profile Application Mode Manual application mode Configuring a QoS Profile QoS Profile ConfigurationQoS Profile Configuration Task List Applying a QoS Profile Undo qos-profile port-based Displaying and Maintaining QoS ProfileQos-profile port-based System-view Apply qos-profile QoS Profile Configuration Example 1Network diagram for QoS profile configuration # Enable Table of Contents Mirroring Configuration Mirroring Overview Local Port Mirroring Remote Port Mirroring VLAN-Based Mirroring Switch Ports involved FunctionMAC-Based Mirroring 1Ports involved in the mirroring operation Mirroring Configuration Configuring Local Port Mirroring Configuring Remote Port Mirroring Configuration on the device acting as a source switch Configuration on the device acting as a destination switch Remote-destination Configuring MAC-Based MirroringRemote-probe-vlan-id Monitor-port monitor-port Mirroring-group group-id Mirroring-mac mac vlan Configuring VLAN-Based MirroringLocal remote-source Displaying and Maintaining Port Mirroring Mirroring Configuration ExampleLocal Port Mirroring Configuration Example Mirroring-group group-id Mirroring-vlan vlan-id Remote Port Mirroring Configuration Example Configure Switch C # Create a local mirroring group 4Network diagram for remote port mirroring # Configure Vlan 10 as the remote-probe Vlan # Configure Vlan 10 as the remote-probe Vlan Page Table of Contents ARP Function ARP ConfigurationIntroduction to ARP ARP Message Format Experimental Ethernet Field DescriptionValue Description Proteon ProNET Token Ring ARP Process ARP entry Generation Method Maintenance ModeARP Table Chaos ARP attack detection Introduction to ARP Attack DetectionMan-in-the-middle attack Arp timer aging aging-time Configuring ARPConfiguring ARP Basic Functions Introduction to Gratuitous ARP Arp detection enable Configuring ARP Attack DetectionArp check enable Arp detection trust Gratuitous-arp-learning Configuring Gratuitous ARPArp restricted-forwarding ARP Attack Detection Configuration Example ARP Configuration ExampleARP Basic Configuration Example Displaying and Maintaining ARP # Enable Dhcp snooping on Switch a # Enable ARP attack detection on all ports in Vlan Table of Contents Snmp Operation Mechanism Snmp ConfigurationSnmp Overview Snmp Versions MIB II based on TCP/IP network device RFC MIB attribute MIB content Related RFCSupported MIBs Public MIB Snmp-agent Configuring Basic Snmp FunctionsConfiguring basic Snmp functions for SNMPv1 or SNMPv2c Snmp-agent sys-info Configuring basic Snmp functions for SNMPv3 Configuring Trap Parameters Configuring Basic Trap Configuring Extended Trap Enabling Logging for Network Management Snmp Configuration ExamplesSnmp Configuration Examples Displaying and Maintaining Snmp Network procedure 2Network diagram for Snmp configuration Configuring the NMS Working Mechanism of Rmon Rmon ConfigurationIntroduction to Rmon Commonly Used Rmon Groups Rmon Configuration Displaying and Maintaining Rmon Rmon Configuration ExamplesConfiguration procedures # Display the Rmon extended alarm entry numbered Table of Contents Multicast Overview Information Transmission in the Unicast ModeMulticast Overview Information Transmission in the Broadcast Mode 1Information transmission in the unicast mode Information Transmission in the Multicast Mode 2Information transmission in the broadcast mode 3Information transmission in the multicast mode Roles in Multicast Advantages of multicast Multicast ModelsAdvantages and Applications of Multicast Application of multicast SFM model Multicast ArchitectureASM model SSM model Reserved multicast addresses IP addresses for permanent IP multicast addressClass D address range Description Ethernet multicast MAC address Multicast Protocols Layer 3 multicast protocols Layer 2 multicast protocols 5Positions of Layer 3 multicast protocols Multicast Packet Forwarding Mechanism Implementation of the RPF Mechanism RPF Check 7RPF check processPage Principle of Igmp Snooping Igmp Snooping ConfigurationIgmp Snooping Overview Basic Concepts in Igmp Snooping Timer Description Message before Action after expiry Expiry Work Mechanism of Igmp Snooping When receiving a leave message When receiving a general queryWhen receiving a membership report Complete the following tasks to configure Igmp Snooping Igmp Snooping ConfigurationIgmp Snooping Configuration Task List Enabling Igmp Snooping Configuring the Version of Igmp SnoopingIgmp-snooping enable Igmp-snooping version Enabling fast leave processing in system view Configuring TimersConfiguring Fast Leave Processing Required By default, the fast leave For specific VLANs Configuring a Multicast Group FilterEnable fast leave processing Enabling fast leave processing in Ethernet port view Igmp -snooping group -policy Configuring a multicast group filter in system viewConfiguring a multicast group filter in Ethernet port view Acl-number vlan vlan-list Vlan vlan list overflow-replace Configuring Igmp QuerierIgmp-snooping group-limit limit Configuring Static Member Port for a Multicast Group Suppressing Flooding of Unknown Multicast Traffic in a Vlan Vlan interface view Configuring a Static Router PortEthernet port view Multicast static-group Igmp host-join group-address Configuring a Port as a Simulated Group MemberVlan view Source-ip source-address Vlan-mapping vlan Configuring a Vlan Tag for Query MessagesConfiguring Multicast Vlan Hybrid Port hybrid vlan vlan-id-list Igmp enableService-type multicast Port trunk permit vlan vlan-list Displaying and Maintaining Igmp Snooping Igmp Snooping Configuration ExamplesConfiguring Igmp Snooping 3Network diagram for Igmp Snooping configuration Configure Switch a # Enable Igmp Snooping globally GigabitEthernet 1/0/1 is connected to the workstation Device Device description Networking descriptionInterface IP address of Vlan 20 is 4Network diagram for multicast Vlan configuration # Configure Vlan Troubleshooting Igmp Snooping Symptom Multicast function does not work on the device Configuring a Multicast MAC Address Entry Common Multicast ConfigurationCommon Multicast Configuration Mac-address multicast Unknown-multicast drop Displaying and Maintaining Common Multicast ConfigurationConfiguring Dropping Unknown Multicast Packets Display mac-address multicast Table of Contents Applications of NTP NTP ConfigurationIntroduction to NTP Implementation Principle of NTP NTP Implementation Modes 1Implementation principle of NTP Broadcast mode Server/client modeSymmetric peer mode Multicast mode NTP implementation Configuration on the device Mode Configuring NTP Server/Client Mode NTP Configuration Task ListConfiguring NTP Implementation Modes Complete the following tasks to configure NTP Configuring the NTP Symmetric Peer Mode Ntp-service broadcast-server Configuring NTP Broadcast ModeConfigure the device to work NTP broadcast server Configuring the device to work in the multicast client mode Configuring NTP Multicast ModeConfiguring the device to work in the multicast server mode Ntp-service access peer Configuring Access Control RightConfiguring NTP Authentication Server synchronization Configuring NTP authentication on the client Role of device Working mode Configuring NTP authentication on the server Mode and NTP multicast Broadcast Configuring Optional NTP ParametersConfigure on NTP Broadcast Server While Configuring Disabling an Interface from Receiving NTP messages Displaying and Maintaining NTP ConfigurationNTP Configuration Examples Max-dynamic-sessions # Set Device a as the NTP server of Device B # Set Device C as the peer of Device B Configuring NTP Symmetric Peer ModeConfigure Device C # Set Device a as the NTP server 8Network diagram for the NTP broadcast mode configuration Configure Device C # Enter system view # Set Device a as a broadcast client 9Network diagram for NTP multicast mode configuration # Enable the NTP authentication function Configuring NTP Server/Client Mode with AuthenticationConfigure Device B # Enter system view # Specify the key 42 as a trusted key Table of Contents Introduction to SSH SSH ConfigurationSSH Overview Algorithm and Key Stages Description Asymmetric Key AlgorithmSSH Operating Process Key negotiation Authentication negotiationVersion negotiation Data exchange Configuring the SSH ServerSession request Authentication-mode scheme SSH Server Configuration TasksConfiguring the Protocol Support for the User Interface Command-authorization Generating/Destroying a RSA or DSA Key Pair Creating an SSH User and Specify an Authentication Type Exporting the RSA or DSA Public Key Ssh user username service-type Specifying a Service Type for an SSH UserConfiguring SSH Management Stelnet sftp all Configuring the Client Public Key on the Server Rsa peer-public-key keyname Public-key-code endPeer-public-key end Ssh user username assign Assigning a Public Key to an SSH UserSpecifying a Source IP Address/Interface for the SSH Server Publickey rsa-key keyname Configuring the SSH Client Using an SSH Client Software Configuring the SSH ClientSSH Client Configuration Tasks Generate a client key 2Generate a client key 4Generate the client keys Specify the IP address of the Server Launch PuTTY.exe. The following window appears As shown in -7, select SSH under Protocol Select a protocol for remote connectionSelect an SSH version Open an SSH connection with publickey authentication 8SSH client configuration interface 10SSH client interface Configure whether first-time authentication is supported Configuring the SSH Client on an SSH2-Capable DeviceOpen an SSH connection with password authentication Establish the connection between the SSH client and server Ssh2 source-ip ip-address Displaying and Maintaining SSH ConfigurationSpecifying a Source IP address/Interface for the SSH client Ssh2 source-interface # Generate RSA and DSA key pairs SSH Configuration Examples# Enable the user interfaces to support SSH Page 14SSH client interface # Set the client’s command privilege level to # Assign the public key Switch001 to client client001Page 18Generate a client key pair Page 22SSH client interface Device system-view Device interface vlan-interface # Establish a connection to the server # Generate a DSA key pair # Set the user command privilege level to# Assign the public key Switch001 to user client001 25Network diagram of SSH client configuration # Assign public key Switch001 to user client001 # Set AAA authentication on user interfaces# Configure the user interfaces to support SSH # Specify the host public key pair name of the server # Establish the SSH connection to server Table of Contents File System Configuration Tasks File System Management ConfigurationFile System Configuration Introduction to File System File Operations Execute filename Prompt Mode ConfigurationFlash Memory Operations Format device File System Configuration Example File prompt alert quiet Introduction to File Attributes File Attribute ConfigurationAttribute Description Feature Identifier Configuring File Attributes Table of Contents Introduction to FTP FTP and Sftp ConfigurationIntroduction to FTP and Sftp Description Remarks Service-type ftp FTP ConfigurationFTP Configuration The Device Operating as an FTP Server Introduction to Sftp Enabling an FTP server Configuring connection idle timeFtp timeout minutes Ftp-server source-ip ip-address Disconnecting a specified userFtp-server source-interface Ftp disconnect user-name Configuring the banner for an FTP server Displaying FTP server information FTP Configuration The Device Operating as an FTP ClientBasic configurations on an FTP client Disconnect CdupLcd Close Configuration Example The Device Operating as an FTP Server # Upload the config.cfg file. ftp put config.cfg FTP Banner Display Configuration Example 4Network diagram for FTP banner display configuration # Enter the authorized directory on the FTP server Complete the following tasks to configure Sftp Sftp ConfigurationSftp Configuration The Device Operating as an Sftp Server Follow these steps to enable an Sftp server Ftp timeout time-out-value Sftp Configuration The Device Operating as an Sftp ClientBasic configurations on an Sftp client Time for the Sftp server Minutes by default Delete remotefile Help all command-nameSftp host-ip host-name Remove remote-file Sftp source-ip ip-address Sftp Configuration ExampleSftp source-interface Display sftp source-ip # Enable the Sftp server # Specify the SSH authentication mode as AAA# Specify the service type as Sftp # Create a local user client001 Sftp-client # Exit Sftp Complete the following tasks to configure Tftp Tftp ConfigurationTftp Configuration Introduction to Tftp Tftp ascii binary Tftp Configuration The Device Operating as a Tftp ClientBasic configurations on a Tftp client Tftp-server acl acl-number Tftp source-ip ip-address Tftp Configuration ExampleTftp source-interface Display tftp source-ip Device tftp 1.1.1.2 get config.cfg config.cfg Table of Contents Introduction to Information Center Information CenterInformation Center Overview Classification of system information Ten channels and six output directions of system information Outputting system information by source module Module name Description System Information Format Sysname PriorityTimestamp Information Center Configuration Introduction to the Information Center Configuration Tasks Configuring Synchronous Information Output Set for the system Setting to Output System Information to the Console Setting to output system information to the console Terminal debugging Enabling system information display on the consoleTerminal monitor Terminal logging Enabling system information display on a monitor terminal Setting to Output System Information to a Monitor TerminalSetting to output system information to a monitor terminal Info-center monitor channel Info-center loghost source Setting to Output System Information to a Log HostInfo-center loghost Info-center trapbuffer Setting to Output System Information to the Trap BufferSetting to Output System Information to the Log Buffer Info-center source Info-center snmp channel Setting to Output System Information to the Snmp NMSInfo-center logbuffer Log Output to a Unix Log Host Information Center Configuration ExamplesDisplaying and Maintaining Information Center # mkdir /var/log/Switch # touch /var/log/Switch/information 2Network diagram for log output to a Linux log host Log Output to a Linux Log Host 3Network diagram for log output to the console Log Output to the Console # Enable terminal display 4Network diagram Table of Contents Loading procedure using FTP client Host Configuration File LoadingRemote Loading Using FTP Introduction to Loading Approaches Loading procedure using FTP server Restart Switch 2Remote loading using FTP server Use the put command to upload the file config.cfg to Switch Remote Loading Using Tftp Basic System Configuration and Debugging Basic System Configuration Enabling/Disabling System Debugging Displaying the System StatusDebugging the System Display clock Displaying Debugging Status Displaying Operating Information about Modules in System Ping Network Connectivity TestNetwork Connectivity Test Tracert Rebooting the Device Device Management ConfigurationDevice Management Configuration Tasks Device Management Schedule reboot delay Scheduling a Reboot on the DeviceSchedule reboot at hhmm Schedule reboot regularity Identifying pluggable transceivers Identifying and Diagnosing Pluggable TransceiversIntroduction to pluggable transceivers Diagnosing pluggable transceivers Table of Contents Introduction to VLAN-VPN VLAN-VPN ConfigurationVLAN-VPN Overview Adjusting the Tpid Values of VLAN-VPN Packets Implementation of VLAN-VPN Protocol type Value VLAN-VPN ConfigurationEnabling the VLAN-VPN Feature for a Port Displaying and Maintaining VLAN-VPN Tpid Adjusting ConfigurationVlan-vpn uplink enable Vlan-vpn tpid value VLAN-VPN Configuration Example 4Network diagram for VLAN-VPN configuration SwitchA vlan-vpn tpid Data transfer processPage Selective QinQ Overview Selective QinQ ConfigurationSelective QinQ Overview Inner-to-Outer Tag Priority Mapping Selective QinQ ConfigurationEnabling the Selective QinQ Feature for a Port Vlan-vpn vid vlan-id Processing Private Network Packets by Their Types Selective QinQ Configuration ExampleConfiguring the Inner-to-Outer Tag Priority Mapping Feature Vlan-vpn priority 2Network diagram for selective QinQ configuration # Enable the VLAN-VPN feature on GigabitEthernet 1/0/3 SwitchA-GigabitEthernet1/0/3 vlan-vpn enable Page Table of Contents Introduction to HWPing HWPing ConfigurationHWPing Overview Supported test types Description Test Types Supported by HWPingHWPing Test Parameters Test parameter Description Dns-server Username and passwordDns HWPing server configuration tasks HWPing ConfigurationConfiguration on a HWPing Server HWPing client configuration HWPing Client ConfigurationHWPing server configuration Count times Timeout timeTest-enable Datasize size Test-type ftp Test-type dhcpSource-port port-number Username name Password passwordFtp-operation get put Filename file-name Test-type http Destination-ip command toDns-server ip-address Http-operation get post Destination-port Test-type jitter Test-type snmpquery Jitter-packetnum numberJitter-interval interval Operation- tag Configure the destination Configured on the HWPingServer for listening services This IP address and the one Test-type tcpprivate Hwping-serverTcpconnect ip-address7 Tcppublic Test-type udpprivate Udppublic Test-type dns Time Three seconds Optional Configure the service typeAddress is specified Configuring HWPing client to send Trap messages Displaying and Maintaining HWPing HWPing Configuration ExampleAdministrator-name operation-tag Icmp Test Dhcp Test # Display test results # Configure the test type as dhcp FTP Test # Set the probe timeout time to 30 seconds # Configure the source IP address Http Test # Configure the test type as http# Configure the IP address of the Http server as Jitter Test # Configure the test type as jitter Network diagramConfigure HWPing Client Switch a # Enable the HWPing client # Configure the IP address of the HWPing server as Snmp Test 7Network diagram for the Snmp test # Configure the test type as snmp 8Network diagram for the Tcpprivate test TCP Test Tcpprivate Test on the Specified Ports # Configure the test type as tcpprivate # Configure the test type as udpprivate UDP Test Udpprivate Test on the Specified Ports DNS Test # Configure the test type as dns # Configure the IP address of the DNS server as Index Table of Contents Dynamic Domain Name Resolution DNS ConfigurationStatic Domain Name Resolution Resolution procedure DNS suffixes Configuring Domain Name ResolutionConfiguring Static Domain Name Resolution Static Domain Name Resolution Configuration Example DNS Configuration ExampleConfiguring Dynamic Domain Name Resolution Dynamic Domain Name Resolution Configuration Example 2Network diagram for static DNS configuration # Configure the IP address 2.1.1.2 for the DNS server # Configure com as the DNS suffix Troubleshooting DNS Configuration Displaying and Maintaining DNS Table of Contents Basic Concepts in Smart Link Smart Link ConfigurationSmart Link Overview Smart Link group Flush message Master portSlave port Control Vlan for sending flush messages Operating Mechanism of Smart Link Configuring Smart LinkComplete the following tasks to configure Smart Link Configuring a Smart Link Device Flush enable control-vlan Configuring Associated DevicesPrecautions Smart-link flush enable control-vlan vlan-id port Displaying and Maintaining Smart Link Smart Link Configuration ExampleImplementing Link Redundancy Backup # Configure to send flush messages within Vlan # Return to system view SwitchD system-view Monitor Link Configuration Introduction to Monitor Link 2Network diagram for a Monitor Link group implementation How Monitor Link Works Creating a Monitor Link Group Configuring Monitor LinkConfiguring the Uplink Port Port monitor-link group Configuring a Downlink PortUplink Monitor Link Configuration Example Displaying and Maintaining Monitor Link # Configure to send flush messages in Vlan # Create Smart Link group 1 and enter Smart Link group view SwitchC monitor-link group Table of Contents Introduction to PoE PoE ConfigurationPoE Overview Advantages of PoE PoE Configuration Task List PoE ConfigurationPoE Features Supported by the Device Maximum Power Provided by Each Electrical Port Poe enable Enabling the PoE Feature on a PortSetting the Maximum Output Power on a Port Poe max-power max-power Poe power-management Setting PoE Management Mode and PoE Priority of a PortSetting the PoE Mode on a Port Poe priority critical high Poe update refresh Configuring the PD Compatibility Detection FunctionPoe legacy enable Upgrading the PSE Processing Software Online PoE Configuration Example PoE Configuration ExampleDisplaying and Maintaining PoE Configuration Networking requirements 1Network diagram for PoE # Upgrade the PSE processing software online Configuring PoE Profile PoE Profile ConfigurationPoE Profile Configuration Introduction to PoE Profile Display poe-profile Displaying and Maintaining PoE Profile ConfigurationPoE Profile to Port All-profile interface # Create Profile1, and enter PoE profile view PoE Profile Configuration ExamplePoE Profile Application Example # Create Profile2, and enter PoE profile view # Display detailed configuration information for Profile1# Display detailed configuration information for Profile2 Table of Contents Page IP Route IP Routing Protocol OverviewIntroduction to IP Route and Routing Table Routing TablePage Classification of Dynamic Routing Protocols Routing Protocol OverviewStatic Routing and Dynamic Routing Routing Protocols and Routing Priority Routing Information Sharing Load Sharing and Route BackupRoute backup Load sharing Displaying and Maintaining a Routing Table Static Route Static Route ConfigurationIntroduction to Static Route Configuring a Static Route Static Route ConfigurationDefault Route Static Route Configuration Example Displaying and Maintaining Static Routes # Approach 1 Configure static routes on Switch B Troubleshooting a Static Route# Approach 2 Configure a static route on Switch a # Approach 2 Configure a static route on Switch B Basic Concepts RIP ConfigurationRIP Overview RIP routing database Routing loops prevention RIP timersRIP Startup and Operation Configuring Basic RIP Functions RIP Configuration Task ListBasic RIP Configuration Rip Specifying the RIP version on an interface Setting the RIP operating status on an interfaceRIP Route Control Configuring RIP route summarization Configuring RIP Route ControlSetting the additional routing metrics of an interface Rip metricin value Configuring RIP to filter incoming/outgoing routes Disabling the router from receiving host routes RIP Network Adjustment and Optimization Setting RIP preference Configuring split horizon Configuration TasksConfiguring RIP timers Configuring RIP-1 packet zero field check Rip authentication-mode Setting RIP-2 packet authentication modeConfiguring RIP to unicast RIP packets Simple password md5 Displaying and Maintaining RIP Configuration RIP Configuration Example Configure Switch B # Configure RIP Troubleshooting RIP ConfigurationFailed to Receive RIP Updates Configure Switch C # Configure RIP Introduction to IP Route Policy IP Route Policy ConfigurationIP Route Policy Overview Filters For ACL configuration, refer to the part discussing ACL IP Route Policy Configuration Task ListRoute Policy Configuration Route policy Defining a Route Policy Defining if-match Clauses and apply Clauses If-match ip next-hop acl IP Route Policy Configuration ExampleDisplaying and Maintaining IP Route Policy Apply cost value Configuration considerations SwitchC-acl-basic-2000 quit SwitchC acl number Configuration verification Troubleshooting IP Route Policy Precautions Table of Contents Protocol UDP port number UDP Helper ConfigurationIntroduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example# Enable UDP Helper on Switch a Cross-Network Computer Search Through UDP Helper Table of Contents Appendix a Acronyms Protocol Independent Multicast-Dense Mode Medium Access ControlNon Broadcast MultiAccess Protocol Independent Multicast-Sparse Mode

3Com WX3000 operation manual 7Network diagram for IP filtering configuration

Models: WX3000

Figure 3-7Network diagram for IP filtering configuration

Configuration procedure

# Enable DHCP snooping on Switch.

# Specify GigabitEthernet 1/0/1 as the trusted port.