3Com
Switch 4500G Family
Configuration Guide
4500G 24-Port (3CR17761-91)
4500G 48-Port (3CR17762-91)
4500G 24-Port PWR (3CR17771-91)
4500G 48-Port PWR (3CR17772-91)
www.3Com.com
Part Number: 10014900 Rev. AC
Published: February 2008
3Com Corporation
350 Campus Drive
Marlborough, MA
USA 01752-3064
Copyright 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or
by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written
permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time
without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com's standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered
in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a
registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
CONTENTS
ABOUT THIS GUIDE
Organization of the Manual 15
Intended Readership 16
Conventions 16
Related Documentation 17
1 LOGGING INTO AN ETHERNET SWITCH
Logging into an Ethernet Switch 19
Introduction to the User Interface 19
2 LOGGING IN THROUGH THE CONSOLE PORT
Introduction 23
Setting up the Connection to the Console Port 23
Console Port Login Configuration 26
Console Port Login Configuration with Authentication Mode Being None 28
Console Port Login Configuration with Authentication Mode Being Password 31
Console Port Login Configuration with Authentication Mode Being Scheme 34
3 LOGGING IN THROUGH TELNET
Introduction 39
Telnet Configuration with Authentication Mode Being None 41
Telnet Configuration with Authentication Mode Being Password 44
Telnet Configuration with Authentication Mode Being Scheme 47
Telnet Connection Establishment 51
4 LOGGING IN USING MODEM
Introduction 55
Configuration on the Administrator Side 55
Configuration on the Switch Side 55
Modem Connection Establishment 56
5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM
Introduction 59
HTTP Connection Establishment 59
Web Server Shutdown/Startup 61
6 LOGGING IN THROUGH NMS
Introduction 63
Connection Establishment Using NMS 63
7 CONTROLLING LOGIN USERS
Introduction 65
Controlling Telnet Users 65
Controlling Network Management Users by Source IP Addresses 68
Controlling Web Users by Source IP Address 70
8 BASIC SYSTEM CONFIGURATION AND MAINTENANCE
Command Line Feature 73
Basic System Configuration 80
Displaying the System Status 85
9 SYSTEM MAINTENANCE AND DEBUGGING
System Maintenance and Debugging Overview 87
System Maintenance and Debugging Configuration 89
System Maintenance Example 90
10 DEVICE MANAGEMENT
Introduction to Device Management 91
BootROM and Host Software Loading 91
Device Management Configuration 104
Displaying the Device Management Configuration 106
Remote Switch Update Configuration Example 106
11 FILE SYSTEM MANAGEMENT
File System Management 109
Configuration File Management 111
FTP Configuration 116
TFTP Configuration 122
12 VLAN CONFIGURATION
VLAN Overview 125
Basic VLAN Configuration 126
Basic VLAN Interface Configuration 127
Port-Based VLAN Configuration 127
Displaying VLAN Configuration 131
VLAN Configuration Example 132
13 VOICE VLAN CONFIGURATION
Voice VLAN Overview 133
Voice VLAN Configuration 135
Displaying and Maintaining Voice VLAN 137
Voice VLAN Configuration Example 138
14 GVRP CONFIGURATION
Introduction to GARP 141
Configuring GVRP 144
Displaying and Maintaining GVRP 145
GVRP Configuration Example 145
15 ETHERNET INTERFACE CONFIGURATION
General Ethernet Interface Configuration 151
Maintaining and Displaying an Ethernet Interface 159
16 LINK AGGREGATION CONFIGURATION
Link Aggregation Overview 161
Approaches to Link Aggregation 163
Configuring Link Aggregation 166
Displaying and Maintaining Link Aggregation 168
Link Aggregation Configuration Example 169
17 PORT ISOLATION CONFIGURATION
Port Isolation Overview 171
Port Isolation Configuration 171
Displaying Port Isolation Configuration 171
Port Isolation Configuration Example 172
18 MAC ADDRESS TABLE MANAGEMENT
Introduction to Managing MAC Address Table 173
Configuring the MAC Address Table 174
Displaying and Maintaining the MAC Address Table 176
MAC Address Table Management Configuration Example 176
19 MSTP CONFIGURATION
MSTP Overview 179
Configuring the Root Bridge 192
Configuring Leaf Nodes 204
Performing mCheck 208
MSTP Configuration Example 212
20 IP ADDRESSING CONFIGURATION
Configuring IP Addresses 219
Displaying IP Addressing 220
21 IP PERFORMANCE CONFIGURATION
Introduction to IP performance 221
Configuring TCP attributes 221
Configuring sending ICMP error packets 222
Permitting Receiving and Forwarding of Directed Broadcast Packets 224
Displaying and maintaining IP performance 226
22 IPV4 ROUTING OVERVIEW
IP Routing and Routing Table 227
Routing Protocol Overview 229
Displaying and Maintaining a Routing Table 231
23 CONFIGURING IPV6
IPv6 Overview 233
Configuring Basic IPv6 Functions 242
Configuring IPv6 NDP 243
Configuring PMTU Discovery 246
Configuring IPv6 TCP Properties 247
Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time 248
Configuring IPv6 DNS 248
Displaying and Maintaining IPv6 249
IPv6 Configuration Example 250
24 CONFIGURING IPV6 APPLICATIONS
Introduction to IPv6 Application 255
Ping IPv6 255
Traceroute IPv6 255
FTP Configuration 256
TFTP Configuration 256
IPv6 Telnet 257
Examples of Typical IPv6 Application Configurations 258
Troubleshooting IPv6 Application 260
25 STATIC ROUTING CONFIGURATION
Introduction 263
Configuring Static Route 264
Displaying and Maintaining Static Routes 265
Example of Static Routes Configuration 265
26 RIP CONFIGURATION
RIP Overview 269
RIP Basic Configuration 273
RIP Route Control 275
RIP Configuration Optimization 278
Displaying and Maintaining RIP 280
RIP Configuration Example 281
Troubleshooting RIP Configuration 282
27 ROUTING POLICY CONFIGURATION
Introduction to Routing Policy 285
Defining Filtering Lists 287
Configuring a Routing Policy 287
Displaying and Maintaining the Routing Policy 290
Routing Policy Configuration Example 290
Troubleshooting Routing Policy Configuration 292
28 802.1X CONFIGURATION
802.1x Overview 293
Configuring 802.1x 302
Configuring GuestVlan 304
Displaying and Maintaining 802.1x 304
802.1x Configuration Example 305
Typical GuestVlan Configuration Example 307
29 HABP CONFIGURATION
Introduction to HABP 311
HABP Server Configuration 311
HABP Client Configuration 312
Displaying HABP 312
30 MAC AUTHENTICATION CONFIGURATION
MAC Authentication Overview 313
Configuring MAC Authentication 313
Displaying and Maintaining MAC Authentication 314
MAC Authentication Configuration Example 315
31 AAA, RADIUS, AND TACACS+ CONFIGURATION
Overview 317
Configuration Tasks 326
AAA Configuration 328
RADIUS Configuration 335
TACACS+ Configuration 342
Displaying and Maintaining AAA & RADIUS & TACACS+ Information 346
AAA & RADIUS & TACACS+ Configuration Example 347
Troubleshooting AAA & RADIUS & TACACS+ Configuration 353
32 IGMP SNOOPING CONFIGURATION
IGMP Snooping Overview 355
IGMP Snooping Configuration Tasks 358
Configuring Basic Functions of IGMP Snooping 359
Configuring Port Functions 361
Configuring IGMP-Related Functions 364
Configuring a Multicast Group Policy 367
Displaying and Maintaining IGMP Snooping 370
IGMP Snooping Configuration Examples 371
Troubleshooting IGMP Snooping Configuration 374
33 MULTICAST VLAN CONFIGURATION
Multicast VLAN 377
34 ARP CONFIGURATION
ARP Overview 381
Configuring ARP 382
Configuring Gratuitous ARP 384
Displaying and Maintaining ARP 385
35 PROXY ARP CONFIGURATION
Proxy ARP Overview 387
Enabling Proxy ARP 387
Displaying and Maintaining Proxy ARP 388
36 DHCP OVERVIEW
Introduction to DHCP 389
DHCP Address Allocation 389
DHCP Message Format 391
Protocols and Standards 392
37 DHCP RELAY AGENT CONFIGURATION
Introduction to DHCP Relay Agent 393
Configuring the DHCP Relay Agent 394
Displaying and Maintaining the DHCP Relay Agent Configuration 400
DHCP Relay Agent Configuration Example 401
Troubleshooting DHCP Relay Agent Configuration 402
38 DHCP CLIENT CONFIGURATION
Introduction to DHCP Client 403
Enabling the DHCP Client on an Interface 403
Displaying the DHCP Client 404
DHCP Client Configuration Example 404
39 DHCP SNOOPING CONFIGURATION
DHCP Snooping Overview 405
Configuring DHCP Snooping 406
Displaying DHCP Snooping 406
DHCP Snooping Configuration Example 406
40 BOOTP CLIENT CONFIGURATION
Introduction to BOOTP Client 409
Configuring an Interface to Dynamically Obtain an IP Address through BOOTP 410
Displaying BOOTP Client Configuration 410
41 ACL OVERVIEW
ACL Overview 411
Time-Based ACL 411
IPv4 ACL 411
42 IPV4 ACL CONFIGURATION
Creating a Time Range 415
Configuring a Basic IPv4 ACL 417
Configuring an Advanced IPv4 ACL 418
Configuring an Ethernet Frame Header ACL 420
Displaying and Maintaining IPv4 ACLs 422
IPv4 ACL Configuration Example 422
43 QOS OVERVIEW
Introduction 425
Traditional Packet Delivery Service 425
New Requirements Brought forth by New Services 425
Occurrence and Influence of Congestion and the Countermeasures 426
Major Traffic Management Techniques 427
LR Configuration 432
44 QOS POLICY CONFIGURATION
Overview 435
Configuring QoS Policy 435
Introducing Each QoS Policy 436
Configuring QoS Policy 436
Displaying QoS Policy 441
45 CONGESTION MANAGEMENT
Overview 443
Congestion Management Policy 443
Configuring SP Queue Scheduling 445
Configuring WRR Queue Scheduling 446
Configuring SP+WRR Queue Scheduling 447
46 PRIORITY MAPPING
Overview 449
Configuring Port Priority 450
Displaying Priority Mapping Table 451
47 VLAN POLICY CONFIGURATION
Overview 453
Applying VLAN Policies 453
Displaying and Maintaining VLAN Policy 454
VLAN Policy Configuration Example 454
48 TRAFFIC MIRRORING CONFIGURATION
Overview 455
Configuring Traffic Mirroring to Port 455
Displaying Traffic Mirroring Configuration 456
Traffic Mirroring Configuration Example 456
49 PORT MIRRORING CONFIGURATION
Introduction to Port Mirroring 459
Configuring Local Port Mirroring 460
Displaying Port Mirroring 460
Examples of Typical Port Mirroring Configuration 461
50 GMP V2 CONFIGURATION
Introduction to GMP V2 463
GMP V2 Configuration Task Overview 468
Management Device Configuration 469
Configuring Member Devices 476
Displaying and Maintaining a Cluster 477
GMP V2 Configuration Example 478
51 SNMP CONFIGURATION
SNMP Overview 481
Configuring Basic SNMP Functions 483
Trap Configuration 485
Displaying and Maintaining SNMP 486
SNMP Configuration Example 486
52 RMON CONFIGURATION
RMON Overview 489
Configuring RMON 492
Displaying and Maintaining RMON 493
RMON Configuration 493
53 NTP CONFIGURATION
NTP Overview 495
Configuring the Operation Modes of NTP 499
Configuring Optional Parameters of NTP 502
Configuring Access-Control Rights 503
Configuring NTP Authentication 504
Displaying and Maintaining NTP 506
NTP Configuration Examples 506
54 DNS CONFIGURATION
DNS Overview 519
Configuring Static Domain Name Resolution 521
Configuring Dynamic Domain Name Resolution 521
Displaying and Maintaining DNS 522
Troubleshooting DNS Configuration 522
55 INFORMATION CENTER
Information Center Overview 523
Configuring Information Center 524
Displaying and Maintaining Information Center 530
Information Center Configuration Example 531
56 NQA CONFIGURATION
NQA Overview 537
Configuring NQA Tests 538
Configuring Optional Parameters for NQA Tests 555
Displaying and Maintaining NQA 558
57 SSH TERMINAL SERVICE
SSH Overview 559
Configuring the SSH Server 562
Configuring the SSH Client 567
Configuring the Device as an SSH Client 572
Displaying and Maintaining the SSH Protocol 573
SSH Configuration Example 573
SSH Client Configuration Example 576
58 SFTP SERVICE
SFTP Overview 579
Configuring the SFTP Server 579
Configuring the SFTP Client 580
SFTP Configuration Example 584
59 UDP HELPER CONFIGURATION
Introduction to UDP Helper 587
Configuring UDP Helper 588
Displaying and Maintaining UDP Helper 588
UDP Helper Configuration Example 589
60 SSL CONFIGURATION
SSL Overview 591
Configuring an SSL Server Policy 592
Configuring an SSL Client Policy 594
Displaying and Maintaining SSL 594
Troubleshooting SSL Configuration 595
61 HTTPS SERVER CONFIGURATION
HTTPS Server Overview 597
Enabling the Functions of HTTPS Server 598
Associating HTTPS Server with Certificate Access Control Policy 599
Associating HTTPS Server with ACL 599
Displaying and Maintaining HTTPS Server 599
Configuration Examples for HTTPS Server 600
62 PKI CONFIGURATION
Introduction to PKI 603
Introduction to PKI Configuration Task 605
Configuring PKI Certificate Request 605
Configuring PKI Certificate Validation 612
Configuring a Certificate Attribute Access Control Policy 613
Displaying and Maintaining PKI 614
Typical Configuration Examples 614
Troubleshooting 617
63 POE CONFIGURATION
PoE Overview 619
PoE Configuration Tasks 620
Configuring the PoE Interface 620
Configuring PD Power Management 623
Configuring a Power Alarm Threshold for the PSE 624
Upgrading PSE Processing Software Online 624
Configuring a PD Disconnection Detection Mode 625
Enabling the PSE to Detect Nonstandard PDs 625
Displaying and Maintaining PoE 626
PoE Configuration Example 626
Troubleshooting PoE 628
ABOUT THIS GUIDE
This guide provides information about configuring your network using the commands supported on the 3Com Switch 4500G Family.
The descriptions in this guide apply to the Switch 4500G.
Organization of the Manual
The Switch 4500G Family Configuration Guide consists of the following chapters:
Logging In: Provides information on the different ways to log into the switch.
Basic System Configuration and Maintenance Operation: Details the basic configuration and maintenance of a switch.
File System Management: Details how to manage storage devices.
VLAN Operation: Details VLAN, including Voice VLANs and GVRP configuration.
Port Correlation Configuration: Details Ethernet interface, link aggregation and port isolation configuration.
MAC Address Table Management: Details MAC address table configuration.
MSTP: Details multiple spanning tree protocol configuration.
IP Address and Performance Operation: Details how to assign IP addresses to interfaces and to adjust the parameters for the best IP performance.
IPv4 Routing Operation: Details IPv4 routing operation, static routing and policy configuration, and RIP configuration.
802.1x, HABP and MAC Authentication Operation: Details HABP, 802.1x and MAC authentication configuration.
AAA & RADIUS: Details AAA and RADIUS configuration.
Multicast Protocol: Details multicast protocol configuration.
ARP: Details address resolution protocol table configuration.
DHCP: Details dynamic host configuration protocol.
ACL Configuration: Details ACL configuration.
QoS: Details quality of service configuration.
Port Mirroring: Details local and remote port mirroring configuration.
Clustering: Details clustering configuration.
SNMP: Details simple network management protocol configuration.
RMON: Details remote monitoring configuration.
NTP: Details network time protocol configuration.
DNS: Details domain name system configuration.
Information Center: Details information center configuration.
NQA: Details network quality analyzer configuration.
SSH: Details secure shell authentication.
UDP: Details UDP helper configuration.
SSL: Details secure socket layer configuration.
PKI: Details public key infrastructure configuration.
PoE: Details power over Ethernet configuration.
Intended Readership
The manual is intended for the following readers:
Network administrators
Network engineers
Users who are familiar with the basics of networking
Conventions
This manual uses the following conventions:
Table 1 Icons
Notice type: Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device.
Warning: Information that alerts you to potential personal injury.
Table 2 Text conventions
Convention: Description
Screen displays: This typeface represents text as it appears on the screen.
Keyboard key names: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del
The words enter and type: When you see the word enter in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says type.
Fixed command text: This typeface indicates the fixed part of a command text. You must type the command, or this part of the command, exactly as shown, and press Return or Enter when you are ready to enter the command. Example: The command display history-command must be entered exactly as shown.
Variable command text: This typeface indicates the variable part of a command text. You must type a value here, and press Return or Enter when you are ready to enter the command. Example: in the command super level, a value in the range 0 to 3 must be entered in the position indicated by level.
Related Documentation
In addition to this guide, the Switch 4500G documentation set includes the following:
3Com Switch 4500G Family Quick Reference Guide
This guide contains:
a list of the features supported by the switch.
a summary of the command line interface commands for the switch. This guide is also available under the Help button on the web interface.
3Com Switch 4500G Family Command Reference Guide
This guide provides detailed information about the web interface and command line interface that enable you to manage the switch. It is supplied in PDF format on the CD-ROM that accompanies the switch.
3Com Switch 4500G Family Getting Started Guide
This guide provides preliminary information about hardware installation and communication interfaces.
Release notes
These notes provide information about the current software release, including new features, modifications, and known problems. The release notes are supplied in hard copy with the switch.
Table 2 Text conventions (continued)
Convention: Description
{ x | y | ... }: Alternative items, one of which must be entered, are grouped in braces and separated by vertical bars. You must select and enter one of the items. Example: in the command flow-control { hardware | none | software }, the braces and the vertical bars combined indicate that you must enter one of the parameters. Enter either hardware, or none, or software.
[ ]: Items shown in square brackets [ ] are optional. Example 1: in the command display users [ all ], the square brackets indicate that the parameter all is optional. You can enter the command with or without this parameter. Example 2: in the command user-interface [ type ] first-number [ last-number ] the square brackets indicate that the parameters [ type ] and [ last-number ] are both optional. You can enter a value in place of one, both or neither of these parameters.
[ x | y | ... ]: Alternative items, one of which can optionally be entered, are grouped in square brackets and separated by vertical bars. Example 3: in the command header [ shell | incoming | login ] text, the square brackets indicate that the parameters shell, incoming and login are all optional. The vertical bars indicate that only one of the parameters is allowed.
1 LOGGING INTO AN ETHERNET SWITCH
Logging into an Ethernet Switch
You can log into a Switch 4500G Ethernet switch in one of the following ways:
Log in locally through the Console port
Telnet locally or remotely to an Ethernet port
Telnet to the Console port using a modem
Log into the Web-based network management system
Log in through NMS (network management station)
Introduction to the User Interface
Supported User Interfaces
The Switch 4500G Family Ethernet switch supports two types of user interfaces: AUX and VTY.
As the AUX port and the Console port of a 3Com Switch 4500G Family series switch are the same port, you will be in the AUX user interface if you log in through this port.
User Interface Number
Two kinds of user interface index exist: the absolute user interface index and the relative user interface index.
1 The absolute user interface indexes are as follows:
AUX user interface: 0
VTY user interfaces: numbered after the AUX user interface, increasing in steps of 1
2 A relative user interface index is obtained by appending a number to the identifier of a user interface type, so it is generated per user interface type. The relative user interface indexes are as follows:
AUX user interface: AUX 0
VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.
Table 3 Description on user interface
User interface: AUX
Applicable user: Users logging in through the Console port
Port used: Console port
Description: Each switch can accommodate one AUX user.

User interface: VTY
Applicable user: Telnet users and SSH users
Port used: Ethernet port
Description: Each switch can accommodate up to five VTY users.
Common User Interface Configuration
Table 4 Common User Interface Configuration
To do: Lock the current user interface
Use the command: lock
Remarks: Optional. Execute this command in user view. A user interface is not locked by default.

To do: Send messages to all user interfaces or to a specified user interface
Use the command: send { all | number | type number }
Remarks: Optional. Execute this command in user view.

To do: Disconnect a specified user interface
Use the command: free user-interface [ type ] number
Remarks: Optional. Execute this command in user view.

To do: Enter system view
Use the command: system-view

To do: Set the banner
Use the command: header { incoming | legal | login | shell | motd } text
Remarks: Optional

To do: Set a system name for the switch
Use the command: sysname string
Remarks: Optional

To do: Enter user interface view
Use the command: user-interface [ type ] first-number [ last-number ]

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Make terminal services available
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the display type of a terminal
Use the command: terminal type { ansi | vt100 }
Remarks: Optional. By default, the terminal display type is ANSI. The device must use the same type of display as the terminal. If the terminal uses VT100, the device should also use VT100.

To do: Display the information about the current user interface or all user interfaces
Use the command: display users [ all ]
Remarks: You can execute this command in any view.

To do: Display the physical attributes and configuration of the current or a specified user interface
Use the command: display user-interface [ type number | number ] [ summary ]
Remarks: You can execute this command in any view.

To do: Display the information about the current web users
Use the command: display web users
Remarks: You can execute this command in any view.
2 LOGGING IN THROUGH THE CONSOLE PORT
Introduction
Logging in through the Console port is the most common way to log into a switch. It is also the prerequisite for configuring other login methods. By default, you can log into a Switch 4500G Family Ethernet switch through its Console port only.
To log into an Ethernet switch through its Console port, the related configuration of the user terminal must be in accordance with that of the Console port. Table 5 lists the default settings of a Console port.
After logging into a switch, you can perform configuration for AUX users. Refer to Console Port Login Configuration for more.
Setting up the Connection to the Console Port
Connect the serial port of your PC/terminal to the Console port of the switch, as shown in Figure 1.
Figure 1 Diagram for setting the connection to the Console port (the PC's RS-232 port connected to the switch's Console port with the configuration cable)
If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2 through Figure 4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 5.
Table 5 The default settings of a Console port
Baud rate: 19,200 bps
Flow control: Off
Check mode: No check bit
Stop bits: 1
Data bits: 8
Figure 2 Create a connection
Figure 3 Specify the port used to establish the connection
Figure 4 Set port parameters terminal window
Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <4200G>) appears after the user presses the Enter key, as shown in Figure 5.
Figure 5 The terminal window
You can then configure the switch or check the information about the switch by executing commands. You can also acquire help by typing the ? character. Refer to the following chapters for information about the commands.
Console Port Login Configuration
Common Configuration
Table 6 lists the common configuration of Console port login.
CAUTION: Changing the Console port configuration terminates the connection to the Console port. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly. Refer to Setting up the Connection to the Console Port for more information.
Table 6 Common configuration of Console port login
Console port configuration
Baud rate: Optional. The default baud rate is 19200 bps.
Check mode: Optional. By default, the check mode of the Console port is set to none, which means no check bit.
Stop bits: Optional. The default stop bits of a Console port is 1.
Data bits: Optional. The default data bits of a Console port is 8.
AUX user interface configuration
Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.
Configure the command level available to the users logging into the AUX user interface: Optional. By default, commands of level 3 are available to the users logging into the AUX user interface.
Terminal configuration
Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.
Console Port Login Configurations for Different Authentication Modes
Table 7 lists Console port login configurations for different authentication modes.
Changes to the authentication mode of Console port login do not take effect until you exit and re-enter the CLI.
Table 7 Console port login configurations for different authentication modes
Authentication mode: None
Console port login configuration: Perform common configuration for Console port login
Description: Optional. Refer to Common Configuration for more.

Authentication mode: Password
Console port login configuration: Configure the password for local authentication
Description: Required.
Console port login configuration: Perform common configuration for Console port login
Description: Optional. Refer to Common Configuration for more.

Authentication mode: Scheme
Console port login configuration: Specify whether to perform local authentication or RADIUS authentication (the AAA configuration specifies which one is performed)
Description: Optional. Local authentication is performed by default. Refer to the AAA, RADIUS, and TACACS+ Configuration chapter for more.
Console port login configuration: Configure user names and passwords for local/remote users
Description: Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
Console port login configuration: Manage AUX users (set the service type for AUX users)
Description: Required.
Console port login configuration: Perform common configuration for Console port login
Description: Optional. Refer to Common Configuration for more.
28 CHAPTER 2: LOGGING IN THROUGH THE CONSOLE PORT
Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

Table 8 Configuration Procedure
(Columns: To; Use the command; Remarks)
Enter system view: system-view
Enter AUX user interface view: user-interface aux 0
Configure not to authenticate users: authentication-mode none (Required. By default, users logging in through the Console port are not authenticated.)
Configure the Console port:
  Set the baud rate: speed speed-value (Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.)
  Set the check mode: parity { even | mark | none | odd | space } (Optional. By default, the check mode of a Console port is set to none, that is, no check bit.)
  Set the stop bits: stopbits { 1 | 1.5 | 2 } (Optional. The default stop bits of a Console port is 1.)
  Set the data bits: databits { 5 | 6 | 7 | 8 } (Optional. The default data bits of a Console port is 8.)
Configure the command level available to users logging into the user interface: user privilege level level (Optional. By default, commands of level 3 are available to users logging into the AUX user interface.)
Define a shortcut key for starting terminal sessions: activation-key character (Optional. By default, pressing the Enter key starts the terminal session.)
Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.)
Make terminal services available: shell (Optional. By default, terminal services are available in all user interfaces.)
Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.)
Set the history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.)
Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that the command level available to users logging into a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.

Table 9 Determine the command level (A)
(Columns: Scenario (authentication mode, user type, command); Command level)
Authentication mode: None (authentication-mode none). User type: users logging in through Console ports.
  The user privilege level level command not executed: Level 3
  The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements
Perform the following configuration for users logging in through the Console port:
Do not authenticate users logging in through the Console port.
Commands of level 2 are available to users logging into the AUX user interface.
The baud rate of the Console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of the AUX user interface is 6 minutes.
Network diagram
Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being none)
[Figure 6 diagram labels: Console port, Console cable, RS-232]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter AUX user interface view.
[3Com] user-interface aux 0
3 Specify not to authenticate users logging in through the Console port.
[3Com-ui-aux0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-ui-aux0] user privilege level 2
5 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
6 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
7 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
8 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
Console Port Login Configuration with Authentication Mode Being Password

Configuration Procedure

Table 10 Configuration Procedure
(Columns: To; Use the command; Remarks)
Enter system view: system-view
Enter AUX user interface view: user-interface aux 0
Configure to authenticate users using the local password: authentication-mode password (Required. By default, users logging in through the Console port are not authenticated.)
Set the local password: set authentication password { cipher | simple } password (Required.)
Configure the Console port:
  Set the baud rate: speed speed-value (Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.)
  Set the check mode: parity { even | mark | none | odd | space } (Optional. By default, the check mode of a Console port is set to none, that is, no check bit.)
  Set the stop bits: stopbits { 1 | 1.5 | 2 } (Optional. The default stop bits of a Console port is 1.)
  Set the data bits: databits { 5 | 6 | 7 | 8 } (Optional. The default data bits of a Console port is 8.)
Configure the command level available to users logging into the user interface: user privilege level level (Optional. By default, commands of level 3 are available to users logging into the AUX user interface.)
Define a shortcut key for starting terminal sessions: activation-key character (Optional. By default, pressing the Enter key starts the terminal session.)
Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.)
Make terminal services available to the user interface: shell (Optional. By default, terminal services are available in all user interfaces.)
Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.)
Set history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.)
Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that the command level available to users logging into a switch depends on both the authentication-mode password command and the user privilege level level command, as listed in the following table.

Table 11 Determine the command level (B)
(Columns: Scenario (authentication mode, user type, command); Command level)
Authentication mode: Local authentication (authentication-mode password). User type: users logging into the AUX user interface.
  The user privilege level level command not executed: Level 3
  The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements
Perform the following configuration for users logging in through the Console port:
Authenticate users logging in through the Console port using the local password.
Set the local password to 123456 (in plain text).
The commands of level 2 are available to users logging into the AUX user interface.
The baud rate of the Console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of the AUX user interface is 6 minutes.
Network diagram
Figure 7 Network diagram for AUX user interface configuration (with the authentication mode being password)
[Figure 7 diagram labels: Console port, Console cable, RS-232]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter AUX user interface view.
[3Com] user-interface aux 0
3 Specify to authenticate users logging in through the Console port using the local password.
[3Com-ui-aux0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-aux0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-ui-aux0] user privilege level 2
6 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
9 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 12 Configuration Procedure
(Columns: To; Use the command; Remarks)
Enter system view: system-view
Configure the authentication mode (Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well: perform AAA & RADIUS configuration on the switch (refer to the AAA, RADIUS, and TACACS+ Configuration chapter for more), and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).):
  Enter the default ISP domain view: domain domain-name
  Specify the AAA scheme to be applied to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Quit to system view: quit
Create a local user (enter local user view): local-user user-name (Required. No local user exists by default.)
Set the authentication password for the local user: password { simple | cipher } password (Required.)
Specify the service type for AUX users: service-type terminal [ level level ] (Required.)
Quit to system view: quit
Enter AUX user interface view: user-interface aux 0
Configure to authenticate users locally or remotely: authentication-mode scheme [ command-authorization ] (Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.)
Configure the Console port:
  Set the baud rate: speed speed-value (Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.)
  Set the check mode: parity { even | mark | none | odd | space } (Optional. By default, the check mode of a Console port is set to none, that is, no check bit.)
  Set the stop bits: stopbits { 1 | 1.5 | 2 } (Optional. The default stop bits of a Console port is 1.)
  Set the data bits: databits { 5 | 6 | 7 | 8 } (Optional. The default data bits of a Console port is 8.)
Configure the command level available to users logging into the user interface: user privilege level level (Optional. By default, commands of level 3 are available to users logging into the AUX user interface.)
Define a shortcut key for starting terminal sessions: activation-key character (Optional. By default, pressing the Enter key starts the terminal session.)
Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.)
Make terminal services available to the user interface: shell (Optional. By default, terminal services are available in all user interfaces.)
Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.)
Set history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.)
Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that the command level available to users logging into a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type terminal [ level level ] command, as listed in Table 13.

Table 13 Determine the command level
(Columns: Scenario (authentication mode, user type, command); Command level)
Authentication mode: authentication-mode scheme [ command-authorization ]. User type: users logging into the Console port and passing AAA&RADIUS or local authentication.
  The user privilege level level command is not executed, and the service-type terminal [ level level ] command does not specify the available command level: Level 0
  The user privilege level level command is not executed, and the service-type terminal [ level level ] command specifies the available command level: Determined by the service-type terminal [ level level ] command
  The user privilege level level command is executed, and the service-type terminal [ level level ] command does not specify the available command level: Level 0
  The user privilege level level command is executed, and the service-type terminal [ level level ] command specifies the available command level: Determined by the service-type terminal [ level level ] command

Configuration Example

Network requirements
Perform the following configuration for users logging in through the Console port:
Configure the name of the local user to be guest.
Set the authentication password of the local user to 123456 (in plain text).
Set the service type of the local user to Terminal.
Configure to authenticate users logging in through the Console port in the scheme mode.
The commands of level 2 are available to users logging into the AUX user interface.
The baud rate of the Console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of the AUX user interface is 6 minutes.
Network diagram
Figure 8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)
[Figure 8 diagram labels: Console port, Console cable, RS-232]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Create a local user named guest and enter local user view.
[3Com] local-user guest
3 Set the authentication password to 123456 (in plain text).
[3Com-luser-guest] password simple 123456
4 Set the service type to Terminal and specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-luser-guest] service-type terminal level 2
[3Com-luser-guest] quit
5 Enter AUX user interface view.
[3Com] user-interface aux 0
6 Configure to authenticate users logging in through the Console port in the scheme mode.
[3Com-ui-aux0] authentication-mode scheme
7 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
8 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
9 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
10 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
3 LOGGING IN THROUGH TELNET

Introduction
You can telnet to a remote switch to manage and maintain the switch. To achieve this, you need to configure both the switch and the Telnet terminal properly.

Table 14 Requirements for Telnet to a switch
(Columns: Item; Requirement)
Switch: The management VLAN of the switch is created and the route between the switch and the Telnet terminal is available. (Refer to the VLAN module for more.) The authentication mode and other settings are configured. Refer to Table 15 and Table 16.
Telnet terminal: Telnet is running. The IP address of the management VLAN of the switch is available.

Common Configuration
Table 15 lists the common Telnet configuration.

Table 15 Common Telnet configuration
(Columns: Configuration; Description)
VTY user interface configuration:
  Configure the command level available to users logging into the VTY user interface: Optional. By default, commands of level 0 are available to users logging into a VTY user interface.
  Configure the protocols the user interface supports: Optional. By default, the Telnet and SSH protocols are supported.
  Set the command that is automatically executed when a user logs into the user interface: Optional. By default, no command is automatically executed when a user logs into a user interface.
VTY terminal configuration:
  Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
  Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
  Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
  Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
  Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.
CAUTION:
The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution.
Before executing the auto-execute command command and saving your configuration, make sure you can log into the switch in other modes and cancel the configuration.
Telnet Configurations for Different Authentication Modes

Table 16 lists Telnet configurations for different authentication modes.

Table 16 Telnet configurations for different authentication modes
(Columns: Authentication mode; Telnet configuration; Description)
None:
  Perform common configuration: Perform common Telnet configuration. Optional. Refer to Table 15.
Password:
  Configure the password: Configure the password for local authentication. Required.
  Perform common configuration: Perform common Telnet configuration. Optional. Refer to Table 15.
Scheme:
  Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. Refer to the AAA, RADIUS, and TACACS+ Configuration chapter for more information.
  Configure user name and password: Configure user names and passwords for local/remote users. Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
  Manage VTY users: Set service type for VTY users. Required.
  Perform common configuration: Perform common Telnet configuration. Optional. Refer to Table 15.
Telnet Configuration with Authentication Mode Being None

Configuration Procedure

Table 17 Configuration Procedure
(Columns: To; Use the command; Remarks)
Enter system view: system-view
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
Configure not to authenticate users logging into VTY user interfaces: authentication-mode none (Required. By default, VTY users are authenticated after logging in.)
Configure the command level available to users logging into VTY user interface: user privilege level level (Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.)
Configure the protocols to be supported by the VTY user interface: protocol inbound { all | ssh | telnet } (Optional. By default, both Telnet protocol and SSH protocol are supported.)
Set the command that is automatically executed when a user logs into the user interface: auto-execute command text (Optional. By default, no command is automatically executed when a user logs into a user interface.)
Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.)
Make terminal services available: shell (Optional. By default, terminal services are available in all user interfaces.)
Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.)
Set the history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.)
Set the timeout time of the VTY user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that if you configure not to authenticate the users, the command level available to users logging into a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 18.

Table 18 Determine the command level when users logging into switches are not authenticated
(Columns: Scenario (authentication mode, user type, command); Command level)
Authentication mode: None (authentication-mode none). User type: VTY users.
  The user privilege level level command not executed: Level 0
  The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements
Perform the following configuration for Telnet users logging into VTY 0:
Do not authenticate users logging into VTY 0.
Commands of level 2 are available to users logging into VTY 0.
Telnet protocol is supported.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 9 Network diagram for Telnet configuration (with the authentication mode being none)
[Figure 9 diagram labels: User PC running Telnet, Ethernet, GigabitEthernet1/0/1]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure not to authenticate Telnet users logging into VTY 0.
[3Com-ui-vty0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
5 Configure the user interface to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
6 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
7 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
8 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Password

Configuration Procedure

Table 19 Configuration Procedure
(Columns: To; Use the command; Remarks)
Enter system view: system-view
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
Configure to authenticate users logging into VTY user interfaces using the local password: authentication-mode password (Required.)
Set the local password: set authentication password { cipher | simple } password (Required.)
Configure the command level available to users logging into the user interface: user privilege level level (Optional. By default, commands of level 0 are available to users logging into VTY user interface.)
Configure the protocol to be supported by the user interface: protocol inbound { all | ssh | telnet } (Optional. By default, both Telnet protocol and SSH protocol are supported.)
Set the command that is automatically executed when a user logs into the user interface: auto-execute command text (Optional. By default, no command is automatically executed when a user logs into a user interface.)
Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.)
Make terminal services available: shell (Optional. By default, terminal services are available in all user interfaces.)
Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.)
Set the history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.)
Set the timeout time of the user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that if you configure to authenticate the users in the password mode, the command level available to users logging into a switch depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 20.

Table 20 Determine the command level when users logging into switches are authenticated in the password mode
(Columns: Scenario (authentication mode, user type, command); Command level)
Authentication mode: Password (authentication-mode password). User type: VTY users.
  The user privilege level level command not executed: Level 0
  The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements
Perform the following configuration for Telnet users logging into VTY 0:
Authenticate users logging into VTY 0 using the local password.
Set the local password to 123456 (in plain text).
Commands of level 2 are available to users logging into VTY 0.
Telnet protocol is supported.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 10 Network diagram for Telnet configuration (with the authentication mode being password)
[Figure 10 diagram labels: User PC running Telnet, Ethernet, GigabitEthernet1/0/1]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure to authenticate users logging into VTY 0 using the local password.
[3Com-ui-vty0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-vty0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
6 Configure the user interface to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
9 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
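The command-level tables in this chapter (Tables 9, 11 and 13 for the Console port, Tables 18 and 20 for Telnet) reduce to one decision function. The following Python resolver is an added example, not code from the 3Com manual; it assumes that a VTY user interface in scheme mode follows the same rule as Table 13 (the corresponding Telnet table is not reproduced here), and the class and function names are my own.

```python
"""Resolve the command level a login user ends up with, following the
decision tables of this chapter (Tables 9, 11, 13, 18 and 20).
Added example, not code from the 3Com manual."""
from dataclasses import dataclass
from typing import Optional

# Default levels stated in the tables: level 3 on the AUX (Console port)
# user interface, level 0 on a VTY (Telnet) user interface.
DEFAULT_LEVEL = {"aux": 3, "vty": 0}


@dataclass
class UserInterface:
    """Settings made in user-interface view (field names are mine, not CLI keywords)."""
    kind: str                              # "aux" (Console port) or "vty" (Telnet)
    authentication_mode: str               # "none", "password" or "scheme"
    privilege_level: Optional[int] = None  # user privilege level <level>; None = not executed


@dataclass
class LocalUser:
    """Settings made in local-user view, used for scheme-mode logins."""
    service_type_level: Optional[int] = None  # service-type terminal/telnet [ level level ]


def effective_command_level(ui: UserInterface, user: Optional[LocalUser] = None) -> int:
    """Return the command level available after login.

    none / password (Tables 9, 11, 18, 20): the user privilege level command
    wins when it was executed; otherwise the interface default applies.
    scheme (Table 13 for the Console port; assumed to hold for VTY as well):
    the level given with service-type wins, and level 0 applies when
    service-type carries no level. The user privilege level command has
    no effect in this mode.
    """
    if ui.kind not in DEFAULT_LEVEL:
        raise ValueError(f"unknown user interface kind: {ui.kind}")
    if ui.authentication_mode in ("none", "password"):
        if ui.privilege_level is not None:
            return ui.privilege_level
        return DEFAULT_LEVEL[ui.kind]
    if ui.authentication_mode == "scheme":
        if user is not None and user.service_type_level is not None:
            return user.service_type_level
        return 0
    raise ValueError(f"unknown authentication mode: {ui.authentication_mode}")


def unauthenticated_high_level(ui: UserInterface) -> bool:
    """Defender check: does this user interface grant level 2 or higher
    (the levels that include configuration commands in the Comware level
    model, a fact not stated on this page) with authentication-mode none?
    True for this chapter's Console example (none + user privilege level 2)."""
    return ui.authentication_mode == "none" and effective_command_level(ui) >= 2


if __name__ == "__main__":
    # The scenarios of this chapter's examples, resolved through the tables.
    cases = [
        ("Console, none, default", UserInterface("aux", "none"), None),
        ("Console, none, level 2 set", UserInterface("aux", "none", 2), None),
        ("VTY 0, password, default", UserInterface("vty", "password"), None),
        ("VTY 0, none, level 2 set", UserInterface("vty", "none", 2), None),
        ("Console, scheme, no service level", UserInterface("aux", "scheme", 2), LocalUser()),
        ("Console, scheme, service level 2", UserInterface("aux", "scheme"), LocalUser(2)),
    ]
    for name, ui, user in cases:
        flag = " (unauthenticated!)" if unauthenticated_high_level(ui) else ""
        print(f"{name:36} -> level {effective_command_level(ui, user)}{flag}")
```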
Telnet Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 21 Configuration Procedure
(Columns: To; Use the command; Remarks)
Enter system view: system-view
Configure the authentication scheme (Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well: perform AAA & RADIUS configuration on the switch (refer to the AAA, RADIUS, and TACACS+ Configuration chapter for more information), and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).):
  Enter the default ISP domain view: domain domain-name
  Configure the AAA scheme to be applied to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Quit to system view: quit
Create a local user and enter local user view: local-user user-name (The admin, manager, and monitor users exist by default.)
Set the authentication password for the local user: password { simple | cipher } password (Required.)
Specify the service type for VTY users: service-type telnet [ level level ] (Required.)
Quit to system view: quit
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
Configure to authenticate users locally or remotely: authentication-mode scheme (Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.)
Configure the command level available to users logging into the user interface: user privilege level level (Optional. By default, commands of level 0 are available to users logging into the VTY user interfaces.)
Configure the supported protocol: protocol inbound { all | ssh | telnet } (Optional. Both Telnet protocol and SSH protocol are supported by default.)
Set the command that is automatically executed when a user logs into the user interface: auto-execute command text (Optional. By default, no command is automatically executed when a user logs into a user interface.)
Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.)
Make terminal services available: shell (Optional. Terminal services are available in all user interfaces by default.)
Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.)
Set history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.)
Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging into a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in Table 22.
Telnet Configuration with Authentication Mode Being Scheme 49
Refer to the corresponding chapters in this guide for information about AAA, RADIUS,
TACACS+, and SSH.
Table 22 Command level of users authenticated in the scheme mode (authentication-mode scheme [ command-authorization ])

User type | Scenario | Command level
VTY users authenticated by AAA/RADIUS or locally | user privilege level level not executed; service-type does not specify a command level | Level 0
VTY users authenticated by AAA/RADIUS or locally | user privilege level level not executed; service-type specifies a command level | Determined by the service-type command
VTY users authenticated by AAA/RADIUS or locally | user privilege level level executed; service-type does not specify a command level | Level 0
VTY users authenticated by AAA/RADIUS or locally | user privilege level level executed; service-type specifies a command level | Determined by the service-type command
VTY users authenticated in the RSA mode of SSH | user privilege level level not executed; service-type does not specify a command level | Level 0
VTY users authenticated in the RSA mode of SSH | user privilege level level not executed; service-type specifies a command level | Level 0
VTY users authenticated in the RSA mode of SSH | user privilege level level executed; service-type does not specify a command level | Determined by the user privilege level level command
VTY users authenticated in the RSA mode of SSH | user privilege level level executed; service-type specifies a command level | Determined by the user privilege level level command
VTY users authenticated in the password mode of SSH | user privilege level level not executed; service-type does not specify a command level | Level 0
VTY users authenticated in the password mode of SSH | user privilege level level not executed; service-type specifies a command level | Determined by the service-type command
VTY users authenticated in the password mode of SSH | user privilege level level executed; service-type does not specify a command level | Level 0
VTY users authenticated in the password mode of SSH | user privilege level level executed; service-type specifies a command level | Determined by the service-type command
Configuration Example
Network requirements
Perform the following configuration for Telnet users logging into VTY 0:
Configure the name of the local user to be guest.
Set the authentication password of the local user to 123456 (in plain text).
Set the service type of VTY users to Telnet.
Configure to authenticate users logging into VTY 0 in scheme mode.
The commands of level 2 are available to users logging into VTY 0.
Telnet protocol is supported in VTY 0.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 11 Network diagram for Telnet configuration (with the authentication mode being scheme)
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Create a local user named guest and enter local user view.
[3Com] local-user guest
3 Set the authentication password of the local user to 123456 (in plain text).
[3Com-luser-guest] password simple 123456
4 Set the service type to Telnet, make the commands of level 2 available to this user, and return to system view.
[3Com-luser-guest] service-type telnet level 2
[3Com-luser-guest] quit
5 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
6 Configure to authenticate users logging into VTY 0 in the scheme mode.
[3Com-ui-vty0] authentication-mode scheme
7 Configure VTY 0 to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
8 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
9 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
10 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
Telnet Connection Establishment

Telneting to a Switch from a Terminal
In order to Telnet to the switch, you need to configure an IP address on a VLAN interface. Use the following procedure to establish a Telnet connection to a switch through the management VLAN:
1 Log into the switch through the Console port and assign an IP address to the management VLAN interface of the switch.
Connect to the Console port. Refer to the chapter Setting up the Connection to the Console Port.
Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch.
<3Com> system-view
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 202.38.160.92.
[3Com-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
2 Configure the user name and password for Telnet on the switch. See the sections entitled Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for additional information.
3 Connect your PC to the switch, as shown in Figure 12. Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switch and that a route between your PC and the switch is available.
Figure 12 Network diagram for Telnet connection establishment
4 Launch Telnet on your PC, with the IP address of the management VLAN interface of the switch as the parameter, as shown in the following figure.
Figure 13 Launch Telnet
5 Enter the password when the Telnet window displays Login authentication and prompts for the login password. The CLI prompt (such as <3Com>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message All user interfaces are used, please try later!. A 3Com Switch 4500G Family Ethernet switch can accommodate up to five Telnet connections at the same time.
6 After successfully Telneting to a switch, you can configure the switch or display information about the switch by executing the corresponding commands. You can also type ? at any time for help. Refer to the following chapters for information about the commands.
A Telnet connection will be terminated if you delete or modify the IP address of the VLAN interface in the Telnet session.
By default, commands of level 0 are available to Telnet users authenticated by password. Refer to the Basic System Configuration and Maintenance module for information about the command hierarchy.
Telneting to Another Switch from the Current Switch
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
As shown in Figure 14, after Telneting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command and then configure the latter.
Figure 14 Network diagram for Telneting to another switch from the current switch
1 Configure the user name and password for Telnet on the switch operating as the Telnet server. Refer to the sections entitled Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for more information.
2 Telnet to the switch operating as the Telnet client.
3 Execute the following command on the switch operating as the Telnet client:
<3Com> telnet xxxx
Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.
4 Enter the password. If the password is correct, the CLI prompt (such as <3Com>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message All user interfaces are used, please try later!.
5 After successfully Telneting to the switch, you can configure the switch or display information about the switch by executing the corresponding commands. You can also type ? at any time for help. Refer to the following chapters for information about the commands.
4 LOGGING IN USING MODEM
Introduction

If a remote switch is connected to the PSTN (public switched telephone network) through a modem, the administrator can log into its Console port through the PSTN using a modem, and configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure them, to query logs and warning messages, and to locate problems.
To log into a switch in this way, you need to configure the terminal and the switch properly, as listed in Table 23.

Table 23 Requirements for logging into a switch using a modem

Item | Requirement
Administrator side | The PC can communicate with the modem connected to it. The modem is properly connected to the PSTN. The telephone number of the switch side is available.
Switch side | The modem is connected to the Console port of the switch properly. The modem is properly configured. The modem is properly connected to the PSTN and a telephone set. The authentication mode and other related settings are configured on the switch (refer to Table 7).

Configuration on the Administrator Side

The PC must be able to communicate with the modem connected to it, the modem must be properly connected to the PSTN, and the telephone number of the switch side must be available.

Configuration on the Switch Side

Modem Configuration

Perform the following configuration on the modem directly connected to the switch:

AT&F       Restore the factory settings
ATS0=1     Answer automatically after the first ring
AT&D       Ignore the DTR signal
AT&K0      Disable flow control
AT&R1      Ignore the RTS signal
AT&S0      Force DSR high
ATEQ1&W    Disable command echo and result codes, and save the changes
You can verify your configuration by executing the AT&V command.
The above configuration is not needed on the modem on the administrator side.
The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.
Switch Configuration

After logging into a switch through its Console port by using a modem, you enter the AUX user interface. The configuration on the switch is the same as that for logging into the switch locally through its Console port, except that:
When you log in through the Console port using a modem, the baud rate of the Console port is usually set to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.
Other settings of the Console port, such as the check mode, the stop bits, and the data bits, remain at the default.
The configuration on the switch depends on the authentication mode the user is in. Refer to Table 7 for information about authentication mode configuration.
Configuration on switch when the authentication mode is none
Refer to Console Port Login Configuration with Authentication Mode Being None.
Configuration on switch when the authentication mode is password
Refer to Console Port Login Configuration with Authentication Mode Being Password.
Configuration on switch when the authentication mode is scheme
Refer to Console Port Login Configuration with Authentication Mode Being Scheme.
Modem Connection Establishment

1 Configure the user name and password on the switch. Refer to Console Port Login Configuration with Authentication Mode Being None, Console Port Login Configuration with Authentication Mode Being Password, and Console Port Login Configuration with Authentication Mode Being Scheme for more information.
2 Configure the modem directly connected to the switch with the AT commands listed under Modem Configuration above, and verify the result with the AT&V command. The configuration commands and the output of different modems may differ; refer to the user manual of the modem when performing the configuration.
Set the baud rate of the AUX port (also the Console port) to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.
3 Connect your PC, the modems, and the switch, as shown in the following figure.
Figure 15 Establish the connection by using modems
4 Launch a terminal emulation utility on the PC and set the telephone number to call the
modem directly connected to the switch, as shown in Figure 16 and Figure 17. Note that
you need to set the telephone number to that of the modem directly connected to the
switch.
Figure 16 Set the telephone number
(Figure 15 shows the PC connected by a serial cable to a modem, the two modems joined over a PSTN telephone line, and the switch-side modem connected by a serial cable to the Console port; the telephone number of the switch-side modem in the figure is 82882285.)
Figure 17 Call the modem
5 Provide the password when prompted. If the password is correct, the prompt (such as <3Com>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the following chapters for information about the configuration commands.
If you perform no AUX user-related configuration on the switch, the commands of level 3 are available to modem users. Because a modem login uses the same AUX user interface as a local Console login, a dial-in caller who reaches the AUX prompt inherits that level-3 access; configure the authentication mode of the AUX user interface (refer to Table 7) before connecting a modem to the Console port. Refer to the Basic System Configuration and Maintenance module for information about command levels.
5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM

Introduction

A Switch 4500G Series switch has a Web server built in. You can log into a Switch 4500G Series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
To log into a Switch 4500G through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
HTTP Connection Establishment

Table 24 Requirements for logging into a switch through the Web-based network management system

Item | Requirement
Switch | The management VLAN of the switch is configured and the route between the switch and the network management terminal is available (refer to the VLAN module). The user name and password for logging into the Web-based network management system are configured.
PC operating as the network management terminal | IE is available. The IP address of the management VLAN interface of the switch is available.

1 Log into the switch through the Console port and assign an IP address to the management VLAN interface of the switch.
Connect to the Console port. Refer to Setting up the Connection to the Console Port.
Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch.
<3Com> system-view
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 10.153.17.82.
[3Com-Vlan-interface1] ip address 10.153.17.82 255.255.255.0
2 Configure the user name and the password for the Web-based network management system.
a Create the local user admin and enter local user view.
[3Com] local-user admin
b Set the service type and the user level to level 3.
[3Com-luser-admin] service-type telnet level 3
c Set the password to admin.
[3Com-luser-admin] password simple admin
This example uses a trivial password stored in clear text for illustration only; on a production switch choose a strong password and store it with the cipher keyword.
3 Establish an HTTP connection between your PC and the switch, as shown in the
following figure.
Figure 18 Establish an HTTP connection between your PC and the switch
4 Log into the switch through IE. Launch IE on the Web-based network management
terminal (your PC) and enter the IP address of the management VLAN interface of the
switch (here it is http://10.153.17.82). (Make sure the route between the Web-based
network management terminal and the switch is available.)
5 When the login interface (shown in Figure 19) appears, enter the user name and the
password configured in step 2 and click <Login> to bring up the main page of the
Web-based network management system.
Figure 19 The login page of the Web-based network management system
Web Server Shutdown/Startup

You can shut down or start up the Web server. The Web server is started by default; if you do not manage the switch through the Web interface, shut it down so that the HTTP service is not reachable at all.

Table 25 Web Server Shutdown/Startup

Shut down the Web server
  Command: undo ip http enable
  Remarks: Required. Execute this command in system view.

Start the Web server
  Command: ip http enable
  Remarks: Required. Execute this command in system view.
6 LOGGING IN THROUGH NMS
Introduction

You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
The agent here refers to the software running on the network devices (switches) and acting as the server.
SNMP (simple network management protocol) is used between the NMS and the agent.
To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch.
Connection Establishment Using NMS

Figure 20 Network diagram for logging in through an NMS

Table 26 Requirements for logging into a switch through an NMS

Item | Requirement
Switch | The management VLAN of the switch is configured and the route between the NMS and the switch is available (refer to the VLAN module). The basic SNMP functions are configured (refer to the SNMP-RMON module).
NMS | The NMS is properly configured (refer to the user manual of your NMS).
7 CONTROLLING LOGIN USERS
Introduction

A switch provides ways to control different types of login users, as listed in Table 27.

Table 27 Ways to control different types of login users

Login mode | Control method | Implementation | Related section
Telnet | By source IP addresses | Basic ACLs | Controlling Telnet Users by Source IP Addresses
Telnet | By source and destination IP addresses | Advanced ACLs | Controlling Telnet Users by Source and Destination IP Addresses
Telnet | By source MAC addresses | Layer 2 ACLs | Controlling Telnet Users by Source MAC Addresses
SNMP | By source IP addresses | Basic ACLs | Controlling Network Management Users by Source IP Addresses
Web | By source IP addresses | Basic ACLs | Controlling Web Users by Source IP Addresses
Web | Disconnect Web users by force | Commands executed in the CLI | Disconnecting a Web User by Force

Controlling Telnet Users

Prerequisites

The controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and the controlling actions (permitting or denying).
Controlling Telnet Users by Source IP Addresses

Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Table 28 Controlling Telnet Users by Source IP Addresses

Enter system view
  Command: system-view

Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: For the acl number command, the config keyword is the default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required

Quit to system view
  Command: quit

Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]

Apply the ACL to control Telnet users by source IP addresses
  Command: acl acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current switch. The outbound keyword filters users trying to Telnet to other switches from the current switch.

Controlling Telnet Users by Source and Destination IP Addresses

Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to the ACL module for information about defining an ACL.

Table 29 Controlling Telnet Users by Source and Destination IP Addresses

Enter system view
  Command: system-view

Create an advanced ACL or enter advanced ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: For the acl number command, the config keyword is the default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. Define rules as needed to filter by specific source and destination IP addresses.

Quit to system view
  Command: quit

Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]

Apply the ACL to control Telnet users by the specified source and destination IP addresses
  Command: acl acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current switch. The outbound keyword filters users trying to Telnet to other switches from the current switch.

Controlling Telnet Users by Source MAC Addresses

Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Refer to the ACL module for information about defining an ACL.

Table 30 Controlling Telnet Users by Source MAC Addresses

Enter system view
  Command: system-view

Create a Layer 2 ACL or enter Layer 2 ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: For the acl number command, the config keyword is the default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. Define rules as needed to filter by specific source MAC addresses.

Quit to system view
  Command: quit

Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]

Apply the ACL to control Telnet users by source MAC addresses
  Command: acl acl-number inbound
  Remarks: Required. Only the inbound direction is supported: the ACL filters the users trying to Telnet to the current switch.

Configuration Example

Network requirements
Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log into the switch.

Network diagram
Figure 21 Network diagram for controlling Telnet users using ACLs

Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
2 Apply the ACL to all five VTY user interfaces, so that no VTY is left unfiltered.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses

You can manage a Switch 4500G Series Ethernet switch through network management software. Network management users access switches through SNMP.
You need to perform the following two operations to control network management users by source IP addresses:
Defining an ACL
Applying the ACL to control users accessing the switch through SNMP

Prerequisites

The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).

Controlling Network Management Users by Source IP Addresses

Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
You can specify different ACLs while configuring the SNMP community name, the SNMP group name, and the SNMP user name.
Table 31 Controlling Network Management Users by Source IP Addresses

Enter system view
  Command: system-view

Create a basic ACL or enter basic ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: For the acl number command, the config keyword is the default.

Define rules for the ACL
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required

Quit to system view
  Command: quit

Apply the ACL while configuring the SNMP community name
  Command: snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ]*
  Remarks: Optional

Apply the ACL while configuring the SNMP group name
  Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Remarks: Optional

Apply the ACL while configuring the SNMP user name
  Command: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
  Command: snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ] [ acl acl-number ]
  Remarks: Optional
Because the SNMP community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect for network management systems that use SNMPv1 or SNMPv2c.
Similarly, because the SNMP group name and the SNMP user name are features of SNMPv2c and higher SNMP versions, the ACLs specified in the commands that configure SNMP group names (the snmp-agent group and snmp-agent group v3 commands) and SNMP user names (the snmp-agent usm-user and snmp-agent usm-user v3 commands) take effect for network management systems that use SNMPv2c or higher. If you configure both the SNMP group name and the SNMP user name and specify ACLs in both, the switch filters network management users by both the SNMP group name and the SNMP user name.
Note that a source-address ACL only limits where requests may come from. SNMPv1 and SNMPv2c send the community name in clear text, so anyone who can observe traffic from a permitted address, or forge the source address of the UDP packets, can use it; SNMPv3 with authentication and privacy (the snmp-agent group v3 and snmp-agent usm-user v3 commands above) protects the credential itself.
Configuration Example

Network requirements
Only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to access the switch.

Network diagram
Figure 22 Network diagram for controlling SNMP users using ACLs

Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
2 Apply the ACL so that only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 may access the switch.
[3Com] snmp-agent community read 3com acl 2000
[3Com] snmp-agent group v2c 3comgroup acl 2000
[3Com] snmp-agent usm-user v2c 3comuser 3comgroup acl 2000
Controlling Web Users by Source IP Address
You can manage a Switch 4500G Series Ethernet switch remotely through the Web. Web users access the switch through HTTP connections.
To control Web users by source IP address, perform the following two operations:
Define an ACL
Apply the ACL to control Web users
Prerequisites
The control policy for Web users has been determined, including the source IP addresses to be controlled and the control action for each (permit or deny).
Controlling Web Users by Source IP Addresses
Web users are controlled by source IP address by applying basic ACLs, which are numbered 2000 to 2999.
Table 32 Controlling Web Users by Source IP Addresses
1 Enter system view: system-view
2 Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]  (for acl number, the config keyword is the default)
3 Define rules for the ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*  (required)
4 Quit to system view: quit
5 Apply the ACL to control Web users: ip http acl acl-number  (optional)
Web management runs over plain HTTP, so the login credentials also cross the network in cleartext; the ACL limits who can reach the service but does not protect the session itself.
Disconnecting a Web User by Force
The administrator can forcibly disconnect a Web user with the following command.
Table 33 Disconnecting a Web User by Force
Disconnect a Web user by force: free web-users { all | user-id user-id | user-name user-name }  (required; execute this command in user view)
Configuration Example
Network requirements
Only users sourced from the IP address 10.110.100.46 are permitted to access the switch.
Network diagram
Figure 23 Network diagram for controlling Web users using ACLs
Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2030 match-order config
[3Com-acl-basic-2030] rule 1 permit source 10.110.100.46 0
[3Com-acl-basic-2030] rule 2 deny source any
[3Com-acl-basic-2030] quit
2 Apply the ACL so that only Web users sourced from the IP address 10.110.100.46 can access the switch.
[3Com] ip http acl 2030
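The two basic ACLs above (2000 for SNMP and 2030 for the Web service), modelled in Python as an added example; this is not the switch's own code. The model implements the rule syntax used in both procedures, the 0 and 0.0.0.255 style wildcard masks (an inverse mask: 1 bits are "don't care"), and the difference between match-order config and auto. The disposition of a source that matches no rule is an assumption stated in the code; the page's own examples avoid depending on it by ending with an explicit deny-any rule. ACL 2040 and its addresses are constructed for the demonstration.

```python
"""Added example, not code from the guide or the switch: a model of the
Comware-style basic ACL (numbers 2000-2999) that `snmp-agent ... acl` and
`ip http acl` apply to a login service, showing how the source/wildcard
match works and why the match order matters."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _to_int(dotted: str) -> int:
    # The CLI accepts a bare "0" as shorthand for the wildcard 0.0.0.0 (exact host).
    return int(dotted) if "." not in dotted else int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                   # "permit" or "deny"
    source: Optional[str] = None  # None models "source any"
    wildcard: str = "0"           # inverse mask: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        if self.source is None:
            return True
        care = ~_to_int(self.wildcard) & 0xFFFFFFFF
        return ((_to_int(ip) ^ _to_int(self.source)) & care) == 0

    def fixed_bits(self) -> int:
        # 32 = a single host, 0 = "any"; used for depth-first ordering.
        return 0 if self.source is None else 32 - bin(_to_int(self.wildcard)).count("1")


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be config or auto")
        self.number, self.match_order = number, match_order
        self.rules: List[Rule] = []

    def rule(self, rule_id: int, action: str, source: Optional[str] = None,
             wildcard: str = "0") -> "BasicAcl":
        self.rules.append(Rule(rule_id, action, source, wildcard))
        return self

    def ordered(self) -> List[Rule]:
        if self.match_order == "config":   # the order the rules were configured (rule-id)
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto = depth-first: the most specific rule is tried first, rule-id breaks ties
        return sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))

    def evaluate(self, ip: str) -> Tuple[str, Optional[int]]:
        """First matching rule wins; returns (action, rule-id)."""
        for r in self.ordered():
            if r.matches(ip):
                return r.action, r.rule_id
        # Assumption: a source that matches no rule is permitted.  The page's examples
        # end with "rule N deny source any" so the outcome never rests on this default.
        return "permit", None


def snmp_acl_2000() -> BasicAcl:
    """ACL 2000 from the SNMP example on the page."""
    return (BasicAcl(2000, "config")
            .rule(1, "permit", "10.110.100.52", "0")
            .rule(2, "permit", "10.110.100.46", "0")
            .rule(3, "deny"))


def http_acl_2030() -> BasicAcl:
    """ACL 2030 from the Web example on the page."""
    return BasicAcl(2030, "config").rule(1, "permit", "10.110.100.46", "0").rule(2, "deny")


def order_sensitive_acl(match_order: str) -> BasicAcl:
    """Constructed counter-example: a /24 permit configured before a host deny."""
    return (BasicAcl(2040, match_order)
            .rule(1, "permit", "10.110.100.0", "0.0.0.255")
            .rule(2, "deny", "10.110.100.46", "0"))


if __name__ == "__main__":
    for ip in ("10.110.100.52", "10.110.100.46", "10.110.100.1"):
        print(ip, "snmp:", snmp_acl_2000().evaluate(ip), "web:", http_acl_2030().evaluate(ip))
    for order in ("config", "auto"):
        print("match-order", order, "->", order_sensitive_acl(order).evaluate("10.110.100.46"))
```

The order-sensitive ACL shows why a broad permit followed by a narrow deny behaves differently under the two match orders: with config order 10.110.100.46 is admitted by the /24 permit, with auto (depth-first) order the host deny is tried first and wins. Keep the host rules first and the deny-any last, as both examples on the page do, and confirm the rules the switch actually holds with display acl before trusting them.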
8 BASIC SYSTEM CONFIGURATION AND MAINTENANCE
Command Line Feature
Command Line Interface Overview
The Switch 4500G Family provides a set of configuration commands and a command line interface (CLI) for configuring and maintaining the Ethernet switches. The CLI has the following features:
Command levels can be configured so that unauthorized users cannot use the related commands to configure a switch.
You can enter ? at any time to get online help.
Network test commands such as tracert and ping help you diagnose the network.
Detailed debugging information helps you diagnose and locate network failures.
A Doskey-like function lets you recall and execute history commands.
Command keywords are matched by prefix: you only need to enter an unambiguous prefix of a keyword for the command to execute correctly.
Online Help of Command Line
The command line interface provides the following online help modes:
Full help
Partial help
You can get help information through the following online help commands.
1 Enter ? in any view to list all commands available in that view with their descriptions.
<Sysname> ?
User view commands:
  backup       Backup next startup-configuration file to TFTP server
  boot-loader  Set boot loader
  bootrom      Update/read/backup/restore bootrom
  cd           Change current directory
  clock        Specify the system clock
  cluster      Run cluster command
  copy         Copy from one file to another
  debugging    Enable system debugging functions
  delete       Delete a file
  dir          List files on a file system
  display      Show running system information
  <Omit>
2 Enter a command followed by a space and ?. If the position is for keywords, all the keywords and their brief descriptions are listed.
<Sysname> language-mode ?
  chinese  Chinese environment
  english  English environment
3 Enter a command followed by a space and ?. If the position is for parameters, all the parameters and their brief descriptions are listed.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface vlan-interface ?
  <1-4094>  VLAN interface number
[Sysname] interface vlan-interface 1 ?
  <cr>
<cr> indicates that no parameter is expected in this position. The next command line repeats the command; you can press <Enter> to execute it directly.
4 Enter a character string followed by ?, and all the commands that begin with that string are listed.
<Sysname> pi?
ping
5 Enter a command followed by a character string and ?, and all the keywords of the command that begin with that string are listed.
<Sysname> display ver?
version
6 Enter the first letters of a keyword and press <Tab>. If no other keyword begins with these letters, the unique keyword is completed automatically. If other keywords begin with these letters, press <Tab> repeatedly to cycle through them.
7 To switch the above information to Chinese, use the language-mode command.
Displaying Characteristics of Command Line
The command line interface provides the following display characteristics:
For users' convenience, instructions and help information can be displayed in both English and Chinese.
When the information to be displayed exceeds one screen, the display pauses and you have the three choices shown in the table below.
Table 34 Functions of displaying
Press <Ctrl+C> when the display pauses: stop displaying and abort the command.
Enter a space when the display pauses: continue with the next screen of information.
Press <Enter> when the display pauses: continue with the next line of information.
History Command of Command Line
The command line interface provides a function similar to DosKey: it automatically saves the commands you enter so that you can recall and re-execute them as needed. By default, the CLI saves up to ten commands for each user. Table 35 lists the operations you can perform.
Table 35 Retrieve history command
Display history commands: display history-command  (displays the commands entered by the user)
Retrieve the previous history command: Up cursor key or <Ctrl+P>  (retrieves the previous history command, if there is one)
Retrieve the next history command: Down cursor key or <Ctrl+N>  (retrieves the next history command, if there is one)
The cursor keys retrieve history commands in Windows 3.X Terminal and in Telnet. In Windows 9X HyperTerminal, however, the Up and Down cursor keys do not work because HyperTerminal defines them differently; use <Ctrl+P> and <Ctrl+N> instead.
Common Command Line Error Messages
A command is executed only if it contains no syntax error; otherwise an error message is reported. Table 36 lists some common errors.
Table 36 Common command line error messages
Unrecognized command: the command cannot be found, the keyword cannot be found, the parameter type is wrong, or the value of the parameter is out of range.
Incomplete command: the input command is incomplete.
Wrong parameter: a wrong parameter was entered.
Editing Characteristics of Command Line
The command line interface provides basic command editing functions and supports editing across multiple lines. A command cannot be longer than 256 characters. See the table below.
Table 37 Editing functions
Common keys: insert at the cursor position and move the cursor to the right, if the edit buffer still has free space.
Backspace: delete the character before the cursor and move the cursor back.
Left cursor key or <Ctrl+B>: move the cursor one character back.
Right cursor key or <Ctrl+F>: move the cursor one character forward.
Up cursor key or <Ctrl+P>, Down cursor key or <Ctrl+N>: retrieve a history command.
<Tab>: press <Tab> after typing an incomplete keyword and the system performs partial help. If exactly one keyword matches, the system replaces what you typed with the complete keyword and displays it on a new line; if no keyword or more than one keyword matches, the system makes no change and redisplays what you typed on a new line.
Command Line Views
Different command views are implemented for different requirements, and they are related to one another. For example, after logging in to the switch you enter user view, in which you can only use basic functions such as displaying the running state and statistics. In user view, enter system-view to enter system view, in which you can enter configuration commands and the corresponding views.
The command line provides the following views:
User view
System view
Ethernet port view
NULL interface view
VLAN view
VLAN interface view
LoopBack interface view
Local-user view
User interface view
FTP client view
MST region view
IGMP-Snooping view
Traffic classifier view
Traffic behavior view
QoS policy view
Cluster view
Port group view
HWping view
TACACS+ scheme view
RSA public key view
RSA key code view
Route policy view
Basic ACL view
Advanced ACL view
Layer 2 ACL view
RADIUS scheme view
RIP view
RIPng view
ISP domain view
The following table describes the function of each view and how to enter and exit it.
Table 38 Command view function list
Unless stated otherwise, quit returns from the view to system view and return returns to user view.
User view: show basic operation and statistics information. Prompt: <Sysname>. Enter: you are in user view right after connecting to the switch. Exit: quit disconnects from the switch.
System view: configure system parameters. Prompt: [Sysname]. Enter: system-view in user view. Exit: quit or return returns to user view.
Ethernet port view: configure Ethernet port parameters. Prompt: [Sysname-GigabitEthernet1/0/1] (GigabitEthernet port view). Enter: interface gigabitethernet 1/0/1 in system view.
NULL interface view: configure NULL interface parameters. Prompt: [Sysname-NULL0]. Enter: interface null 0 in system view.
VLAN view: configure VLAN parameters. Prompt: [Sysname-vlan1]. Enter: vlan 1 in system view.
VLAN interface view: configure IP interface parameters for a VLAN or a VLAN aggregation. Prompt: [Sysname-Vlan-interface1]. Enter: interface vlan-interface 1 in system view.
LoopBack interface view: configure LoopBack interface parameters. Prompt: [Sysname-LoopBack0]. Enter: interface loopback 0 in system view.
Local-user view: configure local user parameters. Prompt: [Sysname-luser-user1]. Enter: local-user user1 in system view.
User interface view: configure user interface parameters. Prompt: [Sysname-ui0]. Enter: user-interface 0 in system view.
FTP client view: configure FTP client parameters. Prompt: [ftp]. Enter: ftp in user view. Exit: quit returns to user view.
MST region view: configure MST region parameters. Prompt: [Sysname-mst-region]. Enter: stp region-configuration in system view.
IGMP-Snooping view: configure IGMP Snooping protocol parameters. Prompt: [Sysname-igmp-snooping]. Enter: igmp-snooping in system view.
Traffic classifier view: configure traffic classifier parameters. Prompt: [Sysname-classifier-test]. Enter: traffic classifier test in system view.
Traffic behavior view: configure traffic behavior parameters. Prompt: [Sysname-behavior-test]. Enter: traffic behavior test in system view.
QoS policy view: configure QoS policy parameters. Prompt: [Sysname-qospolicy-test]. Enter: qos policy test in system view.
Cluster view: configure cluster parameters. Prompt: [Sysname-cluster]. Enter: cluster in system view.
Port group view (manual): configure manual port group parameters. Prompt: [Sysname-port-group-manual-test]. Enter: port-group manual test in system view.
Port group view (aggregation): configure aggregation port group parameters. Prompt: [Sysname-port-group-aggregation-1]. Enter: port-group aggregation 1 in system view.
HWping view: configure HWping test group parameters. Prompt: [Sysname-hwping-admin-test]. Enter: hwping admin test in system view.
TACACS+ scheme view: configure TACACS+ parameters. Prompt: [Sysname-hwtacacs-test]. Enter: hwtacacs scheme test in system view.
RSA public key view: configure the RSA public key of an SSH user. Prompt: [Sysname-rsa-public-key]. Enter: rsa peer-public-key 003 in system view. Exit: peer-public-key end returns to system view.
RSA key code view: edit the RSA public key of an SSH user. Prompt: [Sysname-rsa-key-code]. Enter: public-key-code begin in RSA public key view. Exit: public-key-code end returns to RSA public key view.
Route policy view: configure a route policy. Prompt: [Sysname-route-policy]. Enter: route-policy policy1 permit node 10 in system view.
Basic ACL view: define the rules of a basic ACL (numbered 2000 to 2999). Prompt: [Sysname-acl-basic-2000]. Enter: acl number 2000 in system view.
Advanced ACL view: define the rules of an advanced ACL (numbered 3000 to 3999). Prompt: [Sysname-acl-adv-3000]. Enter: acl number 3000 in system view.
Layer 2 ACL view: define the rules of a Layer 2 ACL (numbered 4000 to 4999). Prompt: [Sysname-acl-ethernetframe-4000]. Enter: acl number 4000 in system view.
RADIUS scheme view: configure RADIUS parameters. Prompt: [Sysname-radius-1]. Enter: radius scheme 1 in system view.
RIP view: configure RIP parameters. Prompt: [Sysname-rip-1]. Enter: rip in system view.
RIPng view: configure RIPng parameters. Prompt: [Sysname-ripng-1]. Enter: ripng 1 in system view.
ISP domain view: configure ISP domain parameters. Prompt: [Sysname-isp-aabbcc.net]. Enter: domain aabbcc.net in system view.
Basic System Configuration
Entering System View from User View
When you log in to the switch, you are in user view and the prompt is <Sysname>. Use the following operations to enter or exit system view.
Table 39 Enter or exit system view
Enter system view from user view: system-view
Return to user view from system view: quit
Use the quit command to return from the current view to the next lower view, and the return command to return from any view to user view. The key combination <Ctrl+Z> has the same effect as the return command.
Setting the CLI Language Mode
The switch can display prompt information in either Chinese or English. Use the following command to change the language.
Table 40 Set the CLI language mode
Set the CLI language mode (user view): language-mode { chinese | english }  (optional; by default the CLI language mode is English)
Setting the System Name of the Switch
The system name appears in the CLI prompts. For example, with the default system name 3Com, the user view prompt is <3Com>.
Table 41 Set the system name of the switch
1 Enter system view: system-view
2 Set the system name of the switch: sysname sysname  (optional; by default the name is 3Com)
Setting the Date and Time of the System
To keep the switch coordinated with other devices, set the correct system time as follows. Timestamps in the log buffer and in traps are only useful for correlating events across devices if the clock is correct.
Table 42 Set the date and time of the system
Set the current date and time of the system: clock datetime time date  (optional)
Set the local time zone: clock timezone zone-name { add | minus } time  (optional)
Set the name and time range of summer time: clock summer-time zone_name one-off start-time start-date end-time end-date offset-time, or clock summer-time zone_name repeating { start-time start-date end-time end-date | start-time start-year start-month start-week start-day end-time end-year end-month end-week end-day } offset-time  (optional)
Setting the Banner
Table 43 Set banner
1 Enter system view: system-view
2 Set the login banner for users who log in through modems: header incoming text  (optional)
3 Set the authentication banner: header legal text  (optional)
4 Set the login banner: header login text  (optional)
5 Set the session banner, which appears after a session is established: header shell text  (optional)
6 Set the message-of-the-day banner: header motd text  (optional)
Specifying Shortcut Keys for Command Lines
The system provides five shortcut keys to simplify the use of common commands. When you press a shortcut key, the system executes the command assigned to it.
By default, the system assigns commands to CTRL_G, CTRL_L, and CTRL_O. The other two shortcut keys, CTRL_T and CTRL_U, default to NULL.
CTRL_G corresponds to the display current-configuration command (display the current configuration).
CTRL_L corresponds to the display ip routing-table command (display the IPv4 routing table).
CTRL_O corresponds to the undo debugging all command (disable debugging for all modules).
Table 44 Specify shortcut keys for command lines
1 Enter system view: system-view
2 Specify shortcut keys for command lines: hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ] command  (optional; by default the system assigns commands to CTRL_G, CTRL_L, and CTRL_O)
3 Display the shortcut key allocation: display hotkey  (can be executed in any view; see Table 45 for the shortcut keys reserved by the system)
Table 45 Shortcut keys reserved by the system
CTRL_A: moves the cursor to the beginning of the current line
CTRL_B: moves the cursor one character left
CTRL_C: stops the current command function
CTRL_D: deletes the character at the cursor position
CTRL_E: moves the cursor to the end of the current line
CTRL_F: moves the cursor one character right
CTRL_H: deletes the character left of the cursor
CTRL_K: terminates an outgoing connection
CTRL_N: displays the next command from the history command buffer
CTRL_P: displays the previous command from the history command buffer
CTRL_R: redisplays the current line
CTRL_V: pastes the content of the clipboard
CTRL_W: deletes the word left of the cursor
CTRL_X: deletes all characters before the cursor
CTRL_Y: deletes all characters after the cursor
CTRL_Z: returns to user view
CTRL_]: terminates an incoming connection or a redirect connection
ESC_B: moves the cursor one word back
ESC_D: deletes the remainder of the word
ESC_F: moves the cursor one word forward
ESC_N: moves the cursor one line down (effective before <Enter> is pressed)
ESC_P: moves the cursor one line up (effective before <Enter> is pressed)
ESC_<: marks the cursor position as the beginning of the clipboard
ESC_>: marks the cursor position as the end of the clipboard
These shortcut keys are defined by the switch itself. If the terminal software you use to reach the switch assigns other functions to the same keys, the terminal software's definitions take effect.
User Level and Command Level Configuration
All commands are assigned to views and categorized into four levels: visit, monitor, system, and manage, numbered 0 through 3. To use commands of a higher level, a user must switch to a higher user level, which for security requires a password.
The following table describes the default level of the commands.
Table 46 Command level by default
0 Visit: ping, tracert, telnet, and so on
1 Monitor: refresh, reset, send, and so on
2 System: all configuration commands except those of manage level
3 Manage: file system, FTP, TFTP, and XMODEM commands
The user level determines which commands a user can use after login. For example, if the VTY 0 user interface is configured with user level 3, a user who logs in through VTY 0 can use commands of level 3 and below.
CAUTION: If you do not specify a user level in the super password command, the password is set for switching to level 3.
Table 47 User level and command level configuration
Switch user level (user view): super [ level ]  (optional)
Enter system view: system-view
Set the password for switching user level: super password [ level user-level ] { simple | cipher } password  (optional; simple stores the password in plain text in the configuration file, cipher stores it in encrypted form)
Set the level of a command: command-privilege level level view view command  (optional)
Be careful when lowering a command's level with command-privilege: moving a manage-level command such as a file system, FTP or TFTP command to a lower level lets monitor or visit users run it.
Displaying the System Status
You can use the following display commands to check the status and configuration of the system.
Only the display commands related to global configuration are listed here. For the display commands of protocols and interfaces, refer to the corresponding chapters.
If the switch boots without a configuration file, the display saved-configuration command shows nothing; once you have saved the configuration after booting, display saved-configuration shows the configuration you saved last.
Table 48 System display commands
Display the version of the system: display version
Display the current date and time of the system: display clock
Display information about user terminal interfaces: display users [ all ]
View the configuration file in the flash memory of the switch: display saved-configuration [ by-linenum ]
Display the currently effective configuration of the switch: display current-configuration [ interface interface-type [ interface-number ] | configuration [ configuration-type ] ] [ by-linenum ] [ | { begin | include | exclude } text ]
Display the running configuration of the current view: display this [ by-linenum ]
Display clipboard information: display clipboard
Display memory information: display memory
Displaying Operating Information about the System
When the switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its own display command(s); the command below collects the current operating information of a fixed set of modules (chosen when the command was designed) for troubleshooting. Execute it in any view.
Table 49 Display the current operating information about the modules in the system
Display the current operating information about the modules in the system: display diagnostic-information  (any view)
The display diagnostic-information command outputs what the following commands display:
display clock
display version
display device
display current-configuration
display saved-configuration
display interface
display fib
display ip interface
display ip statistics
display memory
display logbuffer
display history-command
Because the output includes the running and saved configuration, it contains any passwords stored with the simple keyword and any SNMP community names; treat saved diagnostic output as sensitive.
9 SYSTEM MAINTENANCE AND DEBUGGING
System
Maintenance and
Debugging
Overview
System Maintenance
Overview
You can use the ping and tracert commands to verify current network connectivity.
The ping command
Use the ping command to verify whether a device with a specified address is reachable and to examine network connectivity.
The ping command works as follows:
1 The source device sends ICMP ECHO-REQUEST packets to the destination device.
2 If the network is functioning properly, the destination device answers each ICMP ECHO-REQUEST with an ICMP ECHO-REPLY packet.
3 If there is a network failure, the source device displays information indicating that the address is unreachable.
4 Statistics are displayed when the ping command completes.
Output of the ping command includes:
How the destination responded to each ICMP ECHO-REQUEST: if the source received the ICMP ECHO-REPLY within the time-out period, it displays the number of bytes in the ECHO-REPLY, the packet sequence number, the Time To Live (TTL), and the response time.
If no response arrives within the time-out period, "Request time out." is displayed.
The ping command accepts either the name or the IP address of the destination. If the name cannot be resolved, "Error: Ping: Unknown host host-name" is displayed.
Statistics: the number of packets sent, the number of ECHO-REPLY packets received, the percentage of packets lost, and the minimum, average, and maximum response times.
On a low-speed network, set a larger time-out value (the -t parameter of the ping command).
The tracert command
Use the tracert command to trace the routers that forward packets from the source to the destination device. When a network failure occurs, this lets you identify the failed node(s).
The tracert command works as follows:
1 The source device sends a packet with a TTL value of 1 toward the destination device.
2 The first hop (the first router to receive the packet) decrements the TTL to 0, discards the packet, and returns a TTL-expired ICMP message carrying its own IP address as the source. The source device thus learns the address of the first router.
3 The source device sends a packet with a TTL value of 2 toward the destination device.
4 The second hop returns a TTL-expired ICMP message, which gives the source device the address of the second router.
5 The process continues until the destination device itself is reached. In this way, the source device learns the addresses of all the routers on the path to the destination.
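The two exchanges just described, built and parsed on the wire level as an added example that is not part of the guide or the switch software. The probe is an ICMP echo request (as ping sends); the switch's tracert actually sends UDP probes to the port chosen with -p, in which case the destination answers with ICMP port unreachable rather than an echo reply, but the TTL-expired mechanism in steps 1 to 5 is the same. The source address 192.0.2.10 and the hop list are constructed (the hop addresses are taken from the tracert output shown later in this chapter); the checksum is the RFC 1071 one's-complement sum, and the Time Exceeded message quotes the original IP header plus eight bytes as RFC 792 specifies.

```python
"""Added example, not code from the guide or the switch: the ICMP exchange
behind ping and tracert, built and parsed offline with struct.  The probe is
an ICMP echo request (ping style); the switch's tracert sends UDP probes to
the port chosen with -p, so the last hop there answers with ICMP port
unreachable rather than an echo reply.  All addresses below are constructed."""
import ipaddress
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11
OUR_IP, DEST_IP = "192.0.2.10", "10.1.1.4"                # 10.1.1.4 is the page's destination
PATH = ["128.3.112.1", "128.32.216.1", "128.32.136.23"]  # first hops from the page's output


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.  Over a packet that
    already carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for protocol 1 (ICMP); IP checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, 1, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def echo(kind: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) or reply (type 0): type, code, checksum, id, seq."""
    body = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", kind, 0, icmp_checksum(body), ident, seq) + payload


def probe(ttl: int, ident: int, seq: int) -> bytes:
    """One probe packet: IPv4 header with the chosen TTL, then an echo request."""
    icmp = echo(ECHO_REQUEST, ident, seq, b"3Com")
    return ipv4_header(OUR_IP, DEST_IP, ttl, len(icmp)) + icmp


def time_exceeded(router: str, expired: bytes) -> bytes:
    """What a router returns when it decrements TTL to 0: ICMP type 11 code 0,
    quoting the expired packet's IP header plus its first 8 bytes (RFC 792)."""
    quoted = expired[:28]
    body = struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0) + quoted
    icmp = struct.pack("!BBHI", TIME_EXCEEDED, 0, icmp_checksum(body), 0) + quoted
    return ipv4_header(router, OUR_IP, 64, len(icmp)) + icmp


def network(packet: bytes) -> bytes:
    """Constructed network: every router on PATH decrements TTL; the router that
    reaches 0 answers with Time Exceeded, otherwise the destination echoes."""
    ttl = packet[8]
    for router in PATH:
        ttl -= 1
        if ttl == 0:
            return time_exceeded(router, packet)
    request = packet[20:]
    ident, seq = struct.unpack("!HH", request[4:8])
    reply = echo(ECHO_REPLY, ident, seq, request[8:])
    return ipv4_header(DEST_IP, OUR_IP, 64, len(reply)) + reply


def icmp_valid(packet: bytes) -> bool:
    """True when the ICMP checksum of the packet's payload verifies."""
    return icmp_checksum(packet[(packet[0] & 0x0F) * 4:]) == 0


def parse_reply(packet: bytes) -> dict:
    """Check the checksum and recover the probe's (ident, seq) so the reply can be
    matched to an outstanding probe; for Time Exceeded they sit inside the
    quoted original packet."""
    if not icmp_valid(packet):
        raise ValueError("ICMP checksum mismatch")
    icmp = packet[(packet[0] & 0x0F) * 4:]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    kind = icmp[0]
    if kind == ECHO_REPLY:
        ident, seq = struct.unpack("!HH", icmp[4:8])
    elif kind == TIME_EXCEEDED:
        inner = icmp[8:]
        off = (inner[0] & 0x0F) * 4
        ident, seq = struct.unpack("!HH", inner[off + 4:off + 8])
    else:
        raise ValueError("unexpected ICMP type %d" % kind)
    return {"from": src, "type": kind, "ident": ident, "seq": seq}


def tracert(max_ttl: int = 30, ident: int = 0x1234) -> list:
    """The loop described on the page: TTL 1, 2, 3 ... until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = parse_reply(network(probe(ttl, ident, ttl)))
        if (reply["ident"], reply["seq"]) != (ident, ttl):
            raise ValueError("reply does not belong to the outstanding probe")
        hops.append(reply["from"])
        if reply["type"] == ECHO_REPLY:
            break
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(tracert(), 1):
        print("%2d %s" % (n, hop))
```

The identifier and sequence number are what lets a host tie a reply to the probe that caused it, which is why the Time Exceeded message has to quote the start of the original datagram; a reply whose quoted identifier does not match an outstanding probe is discarded rather than reported as a hop. The same check protects ping from counting stray or spoofed echo replies.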
System Debugging Overview
The 3Com Switch 4500G Family provides ways to debug most of the supported protocols and functions so that you can diagnose and locate problems.
Two switches control the output of debugging information:
The protocol debugging switch controls the debugging output of a protocol.
The terminal debugging switch controls whether debugging output reaches a specified user's screen.
Figure 24 illustrates the relationship between the two switches.
Figure 24 Debugging output
[Figure: the protocol debugging switch (ON/OFF) and the screen output switch (ON/OFF) act in series; debugging information reaches the screen only when both are ON.]
System Maintenance and Debugging Configuration
System Maintenance Configuration
Table 50 System Maintenance Configuration
Check the network connection: ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i interface-type interface-number | -m interval | -n | -p pad | -q | -r | -s packet-size | -t timeout | -tos tos | -v ] * { ip-address | hostname }  (any view)
Trace the route to a destination: tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-num | -w timeout ] * { ip-address | hostname }  (any view)
System Debugging Configuration
The debugging commands are normally used when the administrator is diagnosing a network failure.
Output of debugging information may reduce system efficiency, especially while debugging all is in effect.
After debugging is completed, use the undo debugging all command to disable all debugging functions at once.
Debugging information reaches the screen only when both the module's debugging switch (debugging) and the terminal output switch (terminal debugging) are on; use display debugging to see which debugging switches are enabled.
Table 51 System debugging configuration
Enable debugging for a module: debugging { all [ timeout time ] | module-name [ option ] }  (user view)
Enable terminal debugging output: terminal debugging  (user view)
View the enabled debugging switches: display debugging [ interface interface-type interface-number ] [ module-name ]  (any view)
System Maintenance Example
Network requirements
The destination IP address is 10.1.1.4.
Display the route from the source to the destination.
Network diagram (omitted here)
Configuration procedure
<3Com> tracert nis.nsf.net
traceroute to nis.nsf.net (10.1.1.4) 30 hops max, 40 bytes packet
 1 128.3.112.1 19 ms 19 ms 0 ms
 2 128.32.216.1 39 ms 39 ms 19 ms
 3 128.32.136.23 39 ms 40 ms 39 ms
 4 128.32.168.22 39 ms 39 ms 39 ms
 5 128.32.197.4 40 ms 59 ms 59 ms
 6 131.119.2.5 59 ms 59 ms 59 ms
 7 129.140.70.13 99 ms 99 ms 80 ms
 8 129.140.71.6 139 ms 239 ms 319 ms
 9 129.140.81.7 220 ms 199 ms 199 ms
10 10.1.1.4 239 ms 239 ms 239 ms
10 DEVICE MANAGEMENT
You can specify the path and file name of a .btm, .app, or .cfg file in either of the following forms:
Path + filename: a full file name, a string of 1 to 63 characters, referring to the file in the specified path.
Filename only: a string of 1 to 56 characters, referring to the file in the current path.
These files (.btm, .app, and .cfg) can only be stored in the root directory of the flash memory.
Introduction to Device Management
Through the device management function, you can view the current working state of devices, configure operating parameters, and perform daily device maintenance and management.
Currently, the following device management functions are available:
Rebooting a device
Specifying a scheduled device reboot
Specifying an .app file for the next device reboot
Upgrading a BootROM file
BootROM and Host Software Loading
Traditionally, switch software was loaded through a serial port. This approach is slow, inconvenient, and cannot be used for remote loading. To resolve these problems, TFTP and FTP modules are built into the switch, so that you can load and download software and files conveniently through an Ethernet port.
This chapter describes how to load BootROM and host software to a switch locally and how to do it remotely.
Introduction to Loading Approaches
You can load software locally by using:
XMODEM through the console port
TFTP through an Ethernet port
FTP through an Ethernet port
You can load software remotely by using:
FTP
TFTP
TFTP has no authentication and FTP sends its credentials in cleartext, so run the transfers over a management network rather than across untrusted segments, and check the version with display version after loading.
The BootROM software version should be compatible with the host software version
when you load the BootROM and host software.
Local Software Loading
If your terminal is directly connected to the switch, you can load the BootROM and host software locally.
Before loading the software, make sure that your terminal is correctly connected to the switch to ensure successful loading.
The loading process of the BootROM software is the same as that of the host software,
except that during the former process, you should press <Ctrl+U> and <Enter> after
entering the Boot Menu and the system gives different prompts. The following text
mainly describes the BootROM loading process.
Boot Menu
Starting......

***********************************************************
*                                                         *
*      3Com Switch 4500G Family BOOTROM, Version 106      *
*                                                         *
***********************************************************

Copyright (c) 2004-2006 3Com Corporation.
Creation date   : May 10 2006, 15:59:18
CPU Clock Speed : 264MHz
BUS Clock Speed : 33MHz
Memory Size     : 128MB
Mac Address     : 00e0fc005502

Press Ctrl-B to enter Boot Menu... 5
Press <Ctrl+B>. The system displays:
Password :
To enter the Boot Menu, you must press <Ctrl+B> within five seconds after the message "Press Ctrl-B to enter Boot Menu..." appears. Otherwise, the system starts to decompress the program, and if you then want to enter the Boot Menu, you will have to restart the switch.
Enter the correct BootROM password (no password is needed by default). The system enters the Boot Menu:
BOOT MENU
1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot
Enter your choice(0-9):
Loading Software Using XMODEM through Console Port
XMODEM is a file transfer protocol that is widely used due to its simplicity and good
performance. XMODEM transfers files through the console port. It supports two types of
data packets (128 bytes and 1 KB), two check methods (checksum and CRC), and
multiple attempts of error packet retransmission (generally the maximum number of
retransmission attempts is ten).
The XMODEM transmission procedure is completed by a receiving program and a
sending program: The receiving program sends negotiation characters to negotiate a
packet checking method. After the negotiation, the sending program starts to transmit
data packets. When receiving a complete packet, the receiving program checks the
packet using the agreed method. If the check succeeds, the receiving program sends an
acknowledgement character and the sending program proceeds to send another packet;
otherwise, the receiving program sends a negative acknowledgement character and the
sending program retransmits the packet.
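The negotiation, packet check and retransmission exchange described above, as an added example that is not part of the original manual: a Python sender and receiver pair run over a simulated in-memory link, where corrupt_packets injects a bad data byte so the NAK/resend path is exercised. Packet layout (SOH, sequence, complement, 128 data bytes, check) and the 'C' / NAK negotiation are standard XMODEM; the class and function names are this example's own.

```python
"""XMODEM sender and receiver for the exchange described above (added example, not 3Com
code): 128-byte SOH packets padded with 0x1A, 8-bit checksum or CRC-16 as chosen by the
receiver, ACK/NAK with bounded retransmission, run over a simulated in-memory link."""

SOH, EOT, ACK, NAK, CRC_REQ, PAD = 0x01, 0x04, 0x06, 0x15, ord("C"), 0x1A
BLOCK = 128
MAX_RETRIES = 10   # "generally the maximum number of retransmission attempts is ten"

def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection, no final XOR."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_packet(seq: int, block: bytes, use_crc: bool) -> bytes:
    """SOH, sequence number, its complement, 128 data bytes, then CRC-16 or checksum."""
    block = block.ljust(BLOCK, bytes([PAD]))
    pkt = bytes([SOH, seq & 0xFF, (~seq) & 0xFF]) + block
    if use_crc:
        crc = crc16_xmodem(block)
        return pkt + bytes([crc >> 8, crc & 0xFF])
    return pkt + bytes([sum(block) & 0xFF])          # original 8-bit checksum

def verify_packet(pkt: bytes, expected_seq: int, use_crc: bool):
    """Return the data block if framing, sequence and the agreed check all pass, else None."""
    if len(pkt) != 3 + BLOCK + (2 if use_crc else 1) or pkt[0] != SOH:
        return None
    if pkt[1] != expected_seq & 0xFF or pkt[2] != (~expected_seq) & 0xFF:
        return None
    block = pkt[3:3 + BLOCK]
    if use_crc:
        ok = ((pkt[131] << 8) | pkt[132]) == crc16_xmodem(block)
    else:
        ok = pkt[131] == (sum(block) & 0xFF)
    return block if ok else None

class Sender:
    """Sending program: waits for the receiver's negotiation byte, then streams packets."""
    def __init__(self, data: bytes):
        self.blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
        self.idx, self.use_crc, self.retries = 0, None, 0

    def handle(self, ctrl: int):
        """React to one control byte: return the next packet, an EOT, or None when finished."""
        if self.use_crc is None:                 # negotiation: 'C' selects CRC, NAK checksum
            if ctrl not in (CRC_REQ, NAK):
                return None
            self.use_crc = ctrl == CRC_REQ
        elif ctrl == ACK:
            self.idx, self.retries = self.idx + 1, 0
        elif ctrl == NAK:                        # check failed at the receiver: resend the block
            self.retries += 1
            if self.retries > MAX_RETRIES:
                raise RuntimeError("transfer aborted: too many retransmissions")
        else:
            return None
        if self.idx > len(self.blocks):          # our EOT has been acknowledged
            return None
        if self.idx == len(self.blocks):
            return bytes([EOT])
        return build_packet(self.idx + 1, self.blocks[self.idx], self.use_crc)

class Receiver:
    """Receiving program: picks the check method, verifies each packet, answers ACK or NAK."""
    def __init__(self, use_crc: bool = True):
        self.use_crc, self.expected, self.out, self.naks = use_crc, 1, bytearray(), 0

    def start(self) -> int:
        return CRC_REQ if self.use_crc else NAK  # first negotiation character

    def handle(self, pkt: bytes) -> int:
        if pkt == bytes([EOT]):
            return ACK
        block = verify_packet(pkt, self.expected, self.use_crc)
        if block is None:
            # An intact copy of the previous block means our ACK was lost: re-ACK, do not store.
            if self.expected > 1 and verify_packet(pkt, self.expected - 1, self.use_crc):
                return ACK
            self.naks += 1
            return NAK
        self.out += block
        self.expected += 1
        return ACK

def run_transfer(data: bytes, use_crc: bool = True, corrupt_packets=()):
    """Drive one transfer. Each packet number in corrupt_packets has one data byte flipped
    the first time it is sent, so the receiver's check fails and a NAK forces a resend."""
    snd, rcv, pending = Sender(data), Receiver(use_crc), set(corrupt_packets)
    ctrl = rcv.start()
    while (pkt := snd.handle(ctrl)) is not None:
        if len(pkt) > 1 and pkt[1] in pending:
            pending.discard(pkt[1])
            pkt = pkt[:10] + bytes([pkt[10] ^ 0xFF]) + pkt[11:]
        ctrl = rcv.handle(pkt)
    return bytes(rcv.out), rcv.naks          # output keeps the 0x1A padding of the last block
```

Because XMODEM carries no length field, the receiver cannot tell padding from data; a binary image loaded this way is only as trustworthy as the check of its length and contents that the loader performs afterwards.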
1 Loading BootROM software
a At the prompt "Enter your choice (0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 3 in the above menu to download the BootROM software using XMODEM. The
system displays the following download baud rate setting menu:
Please select your download baudrate:
1.* 9600
2. 19200
3. 38400
4. 57600
5. 115200
0. Return
Enter your choice (0-5):
c Choose an appropriate download baud rate. For example, if you enter 5, the baud
rate 115200 bps is chosen and the system displays the following information:
Download baudrate is 115200 bps
Please change the terminal's baudrate to 115200 bps and select XMODEM protocol
Press enter key when ready
If you have chosen 9600 bps as the download baud rate, you need not modify the HyperTerminal's baud rate, and therefore you can skip step d and step e below and proceed to step f directly. In this case, the system does not display the above information.
The following steps are performed on the PC, taking HyperTerminal on the Windows operating system as an example.
d Choose [File/Properties] in HyperTerminal, click <Configure> in the pop-up dialog box, and then select the baud rate of 115200 bps in the Console port configuration dialog box that appears, as shown in Figures 25 and 26.
Figure 25 Properties dialog box
Figure 26 Console port configuration dialog box
e Click the <Disconnect> button to disconnect the HyperTerminal from the switch and
then click the <Connect> button to reconnect the HyperTerminal to the switch, as
shown in Figure 27.
Figure 27 Connect and disconnect buttons
The new baud rate takes effect only after you disconnect and reconnect the
HyperTerminal program.
f Press <Enter> to start downloading the program. The system displays the following
information:
Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Loading ...CCCCCCCCCC
g Choose [Transfer/Send File] in the HyperTerminal window, and click <Browse> in the pop-up dialog box, as shown in Figure 28. Select the software you need to download, and set the protocol to XMODEM.
Figure 28 Send file dialog box
h Click <Send>. The system displays the page, as shown in Figure 29.
Figure 29 Sending file page
i After the download completes, the system displays the following information:
Loading ...CCCCCCCCCC done!
j Reset the HyperTerminal's baud rate to 9600 bps (refer to step d and step e). Then, press any key as prompted. The system displays the following information when it completes the loading.
Bootrom updating.......................................done!
If the HyperTerminal's baud rate is not reset to 9600 bps, the system prompts "Your baudrate should be set to 9600 bps again! Press enter key when ready".
You need not reset the HyperTerminal's baud rate and can skip the last step if you have chosen 9600 bps. In this case, the system upgrades the BootROM automatically and prompts "Bootrom updating now.....................................done!".
2 Loading host software
Follow these steps to load the host software:
a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 3 in the above menu to download the host software using XMODEM.
The subsequent steps are the same as those for loading the BootROM software,
except that the system gives the prompt for host software loading instead of
BootROM loading.
Loading Software Using TFTP through Ethernet Port
TFTP, a protocol in the TCP/IP suite, is used for trivial file transfer between client and server. It runs over UDP and therefore provides an unreliable transfer service.
1 Loading BootROM software
Figure 30 Local loading using TFTP
a As shown in Figure 30, connect the switch through an Ethernet port to the TFTP
server, and connect the switch through the Console port to the configuration PC.
You can use one PC as both the configuration device and the TFTP server.
b Run the TFTP server program on the TFTP server, and specify the path of the program
to be downloaded.
CAUTION: A TFTP server program is not provided with the 3Com Switch 4500G Family Ethernet Switches.
c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter
the Boot Menu.
At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
d Enter 1 in the above menu to download the BootROM software using TFTP. Then set the following TFTP-related parameters as required:
Load File name    : 4500G.btm
Switch IP address : 1.1.1.2
Server IP address : 1.1.1.1
e Press <Enter>. The system displays the following information:
Are you sure to update your bootrom? Yes or No(Y/N)
f Enter Y to start file downloading or N to return to the Bootrom update menu. If you enter Y, the system begins to download and update the BootROM software. Upon completion, the system displays the following information:
Loading........................................done
Bootrom updating..........done!
2 Loading host software
a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 1 in the above menu to download the host software using TFTP.
The subsequent steps are the same as those for loading the BootROM program,
except that the system gives the prompt for host software loading instead of
BootROM loading.
CAUTION: When loading BootROM and host software using the Boot menu, it is recommended that you use the PC directly connected to the device as the TFTP server, to improve upgrade reliability.
Loading Software Using FTP through Ethernet Port
FTP is an application-layer protocol in the TCP/IP protocol suite. It is used for file transfer
between server and client, and is widely used in IP networks.
You can use the switch as an FTP client or a server, and download software to the switch
through an Ethernet port. The following is an example.
1 Loading BootROM software
Figure 31 Local loading using FTP client
a As shown in Figure 31, connect the switch through an Ethernet port to the FTP server,
and connect the switch through the Console port to the configuration PC.
You can use one computer as both configuration device and FTP server.
b Run the FTP server program on the FTP server, configure an FTP user name and
password, and copy the program file to the specified FTP directory.
c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter
the Boot Menu.
At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
d Enter 2 in the above menu to download the BootROM software using FTP. Then set
the following FTP-related parameters as required:
Load File name    : 4500G.btm
Switch IP address : 10.1.1.2
Server IP address : 10.1.1.1
FTP User Name     : 4500G
FTP User Password : abc
e Press <Enter>. The system displays the following information:
Are you sure to update your bootrom? Yes or No(Y/N)
f Enter Y to start file downloading or N to return to the Bootrom update menu. If you enter Y, the system begins to download and update the program. Upon completion, the system displays the following information:
Loading........................................done
Bootrom updating..........done!
2 Loading host software
Follow these steps to load the host software:
a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 2 in the above menu to download the host software using FTP.
The subsequent steps are the same as those for loading the BootROM program, except that the system gives the prompt for host software loading instead of BootROM loading.
When loading BootROM and host software using the Boot menu, it is recommended that you use the PC directly connected to the device as the TFTP server, to improve upgrade reliability.
Remote Software
Loading
If your terminal is not directly connected to the switch, you can telnet to the switch, and
use FTP or TFTP to load BootROM and host software remotely.
Remote Loading Using FTP
1 Loading Process Using FTP Client
As shown in Figure 32, a PC is used as both the configuration device and the FTP server.
You can telnet to the switch, and then execute the FTP commands to download the
BootROM program 4500G.btm from the remote FTP server (with an IP address 10.1.1.1)
to the switch.
Figure 32 Remote loading using FTP
a Download the software to the switch using FTP commands.
<3Com> ftp 10.1.1.1
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):abc
331 Password required for abc.
Password:
230 User logged in.
[ftp] get 4500G.btm
200 Port command okay.
150 Opening ASCII mode data connection for 4500G.btm.
........226 Transfer complete.
FTP: 184108 byte(s) received in 10.067 second(s) 18.00K byte(s)/sec.
[ftp] bye
221 Server closing.
The information output to the switch differs depending on the FTP server software used on the PC.
b Update the BootROM program on the switch.
<3Com> bootrom update file 4500G.btm
This will update BootRom file, Continue? [Y/N] y
Upgrading BOOTROM, please wait...
Upgrade BOOTROM succeeded!
c Restart the switch.
<3Com> reboot
Before restarting the switch, make sure you have saved all other configurations that you
want, so as to avoid losing configuration information.
Loading the host software is the same as loading the BootROM program, except that the file to be downloaded is the host software file, and that you need to use the boot-loader command to select the host software for the next reboot of the switch.
After the above operations, the BootROM and host software loading is completed.
Pay attention to the following:
The loading of BootROM and host software takes effect only after you restart the
switch with the reboot command.
If the space of the Flash memory is not enough, you can delete the useless files in the
Flash memory before software downloading.
No power-down is permitted during software loading.
2 Loading Process Using FTP Server
As shown in Figure 33, the switch is used as the FTP server. You can telnet to the switch,
and then execute the FTP commands to download the BootROM program 4500G.btm
from the switch.
Figure 33 Remote loading using FTP server
a As shown in Figure 33, connect the switch through an Ethernet port to the PC (with IP
address 10.1.1.1)
b Configure the IP address of VLAN1 on the switch to 192.168.0.39, and subnet mask
to 255.255.255.0.
You can configure the IP address of any VLAN on the switch for FTP transmission. However, before configuring the IP address of a VLAN interface, make sure that the IP addresses of this VLAN and of the PC are routable to each other.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.39 255.255.255.0
c Enable FTP service on the switch, configure the FTP user name to test and password to pass.
[3Com-Vlan-interface1] quit
[3Com] ftp server enable
[3Com] local-user test
New local user added.
[3Com-luser-test] password simple pass
[3Com-luser-test] service-type ftp
d Start the FTP client software on the PC. Refer to Figure 34 for the command line interface in the Windows operating system.
Figure 34 Command line interface
e Enter cd in the interface to change to the directory where the BootROM upgrade file is stored; in this example the directory is D:\Bootrom, as shown in Figure 35.
Figure 35 Switch to BootROM
f Enter ftp 192.168.0.39, and then enter the user name test and the password pass, as shown in Figure 36, to log on to the FTP server.
Figure 36 Log on the FTP server
g Use the put command to upload the file 4500G.btm to the switch, as shown in
Figure 37.
Figure 37 Upload file 4500G.btm to the switch
h Configure 4500G.btm to be the BootROM at reboot, and then restart the switch.
<3Com> bootrom update file 4500G.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<3Com> reboot
When the switch reboots, it uses the file 4500G.btm as the BootROM, which completes the BootROM loading.
Loading the host software is the same as loading the BootROM program, except that the file to be downloaded is the host software file, and that you need to use the boot-loader command to select the host software for the next reboot of the switch.
The steps listed above are performed in the Windows operating system; if you use other FTP client software, refer to the corresponding user's guide before operation.
Only the configuration steps concerning loading are illustrated here; for a detailed description of the corresponding configuration commands, refer to the chapter "File System Management".
Remote Loading Using TFTP
Remote loading using TFTP is similar to that using FTP. The only difference is that TFTP is used instead of FTP to load software to the switch, and the switch can only act as a TFTP client.
Device Management Configuration
Rebooting an Ethernet Switch
When a fault occurs on a running device, you can clear it by rebooting the device, depending on the actual situation. You can also set a time at which the device reboots automatically.
The precision of the switch timer is 1 minute. That is, with the timing reboot function enabled, the switch reboots within one minute after the scheduled reboot time is reached.
CAUTION: The reboot, schedule reboot at and schedule reboot delay commands all cause a system reboot and service interruption. Use these commands with caution.
Table 52 Reboot an Ethernet switch
To...                                          Use the command                         Remarks
Reboot an Ethernet switch                      reboot                                  Optional
Enable the timing reboot function for the      schedule reboot at hh:mm [ date ]       Optional. By default, the timing reboot
switch and set the time and date                                                       function for the switch is disabled.
Enable the timing reboot function for the      schedule reboot delay { hh:mm | mm }    Optional. By default, the timing reboot
switch and set the delay period                                                        function for the switch is disabled.
Check the timing reboot configuration          display schedule reboot                 Optional. Any view
Specifying the App File to be Used for the Next Startup
If multiple .app files reside in the Flash, you can specify the one to be used for the next startup by performing the operation listed in Table 53.
Upgrading BootROM
While the device is running, you can use a BootROM file stored in the Flash memory to upgrade the running BootROM program.
Since the BootROM files of switching processing units (SRPUs) and line processing units (LPUs) vary with the device, it is easy to confuse them and make serious mistakes when upgrading BootROM files. When the validity check function is enabled, the device strictly checks the BootROM upgrade file for correctness and version configuration information to ensure a successful upgrade. It is recommended that you enable the validity check function before upgrading BootROM files.
Clearing the Unused 16-Bit Interface Index in the Current System
In a real network, network management software requires the device to provide unified and stable 16-bit interface indexes; that is, one interface name should map to one interface index on a device.
To keep the interface index stable, the system retains the 16-bit interface index of an interface even after the logical interface or the card is removed from the system, so the index stays the same when the interface is created again.
Repeated insertion and removal of different sub cards or interface cards, or creating and deleting a large number of logical interfaces of different types, may use up the interface indexes. If so, creating an interface may fail. To avoid this, you can perform the following configuration in user view to clear the saved but unused 16-bit interface indexes in the current system.
After the configuration:
A newly created interface is not guaranteed to receive the same index it had before.
The index of an existing interface is not changed.
Table 53 Specify the .app file to be used for the next startup
To...                                              Use the command                                Remarks
Specify the .app file to be used for the next      boot-loader file file-url { main | backup }    Required
startup
Table 54 Upgrade BootROM
To...                                      Use the command                          Remarks
Enter system view                          system-view
Enable file validity check for upgrading   bootrom-update security-check enable     Optional. By default, the file validity
                                                                                    check function is not enabled.
Return to user view                        quit
Upgrade BootROM                            bootrom update file file-url             Required. By default, all BootROM file
                                                                                    contents are upgraded.
CAUTION: Your confirmation is needed when the command is executed. If you do not confirm within 30 seconds, or enter N, the operation is canceled.
Displaying the Device Management Configuration
After the above configurations, you can execute the display commands in any view to display the operating status of the device management and verify the configuration effects.
Remote Switch Update Configuration Example
Network requirements
Configure an FTP user whose name and password are switch and hello respectively.
Authorize the user with read-write rights to the Switch directory on the PC.
Make the appropriate configuration so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are reachable to each other.
Telnet to the switch from a PC remotely and download applications from the FTP server to the Flash memory of the switch, updating the switch software remotely with the device management commands through the CLI.
Table 55 Clear the unused 16-bit interface index in the current system
To...                                                           Use the command
Clear the unused 16-bit interface index in the current system   reset unused porttag
Table 56 Display the operating status of the device management
To...                                              Use the command                                                      Remarks
Display the .app to be adopted at reboot           display boot-loader                                                  Any view
Display the statistics of CPU usage                display cpu-usage [ number [ offset ] [ verbose ] [ from-device ] ]
Display subslot information of the device          display device [ subslot subslot-no | verbose ]
Display environment information                    display environment
Display the operating status of the fan            display fan [ fan-id ]
Display memory state                               display memory
Display the operating status of the power supply   display power [ power-id ]
Display reboot time                                display schedule reboot
Network diagram
Figure 38 Network diagram of FTP configuration
Configuration procedure
1 Configure the FTP-Server
Set the FTP username to aaa and password to hello.
Configure users to have access to the directory.
2 Configure the switch as follows:
CAUTION: If the Flash memory of the switch is not sufficient, delete the original
applications in it before downloading the new ones.
1 Execute the telnet command on the PC to log into the switch.
<3Com> ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):switch
331 Password required for switch.
Password:
230 User logged in.
[ftp]
2 Enter the authorized path on the FTP server.
[ftp] cd switch
3 Execute the get command to download the switch.app and boot.btm files on the FTP server to the Flash memory of the switch.
[ftp] get switch.app
[ftp] get boot.btm
4 Execute the quit command to terminate the FTP connection and return to user view.
[ftp] quit
<3Com>
5 Enter system view.
<3Com> system-view
System View: return to User View with Ctrl+Z.
6 Enable file validity check for upgrading.
[3Com] bootrom-update security-check enable
[3Com] quit
7 Update the BootROM.
<3Com> bootrom update file boot.btm
8 Specify the application file to be used at the next startup.
<3Com> boot-loader file switch.app
9 Restart the switch to update the host software of the switch.
<3Com> reboot
11 FILE SYSTEM MANAGEMENT
Throughout this document, a filename can be entered as either of the following:
A fully qualified filename with the path included to indicate a file under a specific
path. The filename can be 1 to 135 characters in length.
A short filename with the path excluded to indicate a file in the current path. The
filename can be 1 to 91 characters in length.
File System Management
Overview
A major function of the file system is to manage storage devices. It allows you to perform operations such as directory create and delete, and file copy and display.
If an operation, delete or overwrite for example, may cause problems such as data loss or corruption, the file system asks you to confirm the operation by default.
Depending on the managed object, file system operations fall into directory operations, file operations, storage device operations, and file system prompt mode setting.
Directory Operations
Directory operations include create, delete, display the current directory, and display files or subdirectories in a specific directory, as shown in Table 57.
File Operations
File operations include delete (moving files into the recycle bin), restore deleted files, permanently delete (removing files from the recycle bin), display, rename, copy, and move, as shown in Table 58.
CAUTION: You can create a file by using operations such as copy, download or save.
Table 57 Directory operations
To do                          Use the command             Remarks
Create a directory             mkdir directory             Optional. Available in user view
Remove a directory             rmdir directory             Optional. Available in user view
Display the current directory  pwd                         Optional. Available in user view
Display files or directories   dir [ /all ] [ file-url ]   Optional. Available in user view
Change the current directory   cd directory                Optional. Available in user view
CAUTION:
Empty the recycle bin regularly with the reset recycle-bin command to save memory space.
As the delete /unreserved file-url command deletes a file permanently and the action cannot be undone, use it with caution.
You can only move a file within the same device. The move command fails if you try to move a file to another device.
Storage Device Operations
Storage device operations include disk fix and format, as shown in Table 59. You may use these two commands when some space of a storage device becomes inaccessible, for example as the result of abnormal operations.
CAUTION: Use caution when formatting the storage device (usually the Flash) where the
configuration file is stored, as the operation can destroy all data on the storage device
and the action cannot be undone.
Table 58 File operations
To do                                        Use the command                              Remarks
Remove a file to the recycle bin or          delete [ /unreserved ] file-url              Optional. Available in user view
delete it permanently
Restore a file from the recycle bin          undelete file-url                            Optional. Available in user view
Empty the recycle bin                        reset recycle-bin [ file-url ] [ /force ]    Optional. Available in user view
Display the contents of a file               more file-url                                Optional. Available in user view.
                                                                                          So far, this command is valid only
                                                                                          for txt files.
Rename a file                                rename fileurl-source fileurl-dest           Optional. Available in user view
Copy a file                                  copy fileurl-source fileurl-dest             Optional. Available in user view
Move a file                                  move fileurl-source fileurl-dest             Optional. Available in user view
Display files or directories                 dir [ /all ] [ file-url ]                    Optional. Available in user view
Execute the batch file                       execute filename                             Optional. Available in system view
Table 59 Storage device operations
To do                                  Use the command   Remarks
Restore the space of a storage device  fixdisk device    Optional. Available in user view
Format a storage device                format device     Optional. Available in user view
File System Prompt Mode Setting
The file system provides the following two prompt modes:
Alert, where the system warns you about operations that may have undesirable consequences such as file corruption or data loss.
Quiet, where the system gives no such warning in any case. To prevent undesirable consequences resulting from mis-operations, the alert mode is preferred.
File System Operations Example
1 Display the files under the root directory.
<3Com> dir
Directory of flash:/
   0  -rw-   6648612  Jan 01 2006 00:00:00   aabbcc.bin
   1  -rw-     31181  Apr 27 2000 11:41:08   config.cfg
   2  -rw-    234823  Apr 28 2000 12:50:32   default.diag
   3  -rw-     31126  Apr 27 2000 11:25:14   test.txt
   4  drw-         -  Apr 27 2000 13:00:10   test

15240 KB total (8449 KB free)
2 Create a new folder called mytest under the test directory.
<3Com> cd test
<3Com> mkdir mytest
%Created dir flash:/test/mytest.
3 Display the files under the test directory.
<3Com> dir
Directory of flash:/test/
   0  drw-         -  Apr 27 2000 13:01:04   mytest

15240 KB total (8448 KB free)
4 Return to the upper directory.
<3Com> cd ..
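The dir listing above and the earlier note that a download fails when the Flash is short of space, served by one added example that is not 3Com code: it parses the listing, checks a planned download against the reported free space and against the filename rules from the start of the device management chapter, and reports which files would have to go. SAMPLE_DIR is the listing from the example, embedded as constructed input; the function names are this example's own.

```python
"""Parse the switch 'dir' listing and check a planned download against free flash space and
the chapter's image-file naming rules. Added example, not 3Com code; SAMPLE_DIR reproduces
the listing printed in the file system operations example as constructed sample input."""
import re

# One row of 'dir' output: index, attributes, size (or '-' for a directory), timestamp, name.
DIR_ENTRY = re.compile(
    r"^\s*(\d+)\s+([-d][rw-]{3})\s+(\d+|-)\s+([A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")
SUMMARY = re.compile(r"^\s*(\d+) KB total \((\d+) KB free\)\s*$")
IMAGE_EXTS = (".app", ".btm", ".cfg")

SAMPLE_DIR = """\
Directory of flash:/
   0  -rw-   6648612  Jan 01 2006 00:00:00   aabbcc.bin
   1  -rw-     31181  Apr 27 2000 11:41:08   config.cfg
   2  -rw-    234823  Apr 28 2000 12:50:32   default.diag
   3  -rw-     31126  Apr 27 2000 11:25:14   test.txt
   4  drw-         -  Apr 27 2000 13:00:10   test

15240 KB total (8449 KB free)
"""


def parse_dir(listing: str):
    """Return (entries, total_kb, free_kb); each entry is a dict with name, size and is_dir."""
    entries, total_kb, free_kb = [], None, None
    for line in listing.splitlines():
        m = DIR_ENTRY.match(line)
        if m:
            entries.append({"name": m.group(5),
                            "is_dir": m.group(2).startswith("d"),
                            "size": 0 if m.group(3) == "-" else int(m.group(3))})
            continue
        m = SUMMARY.match(line)
        if m:
            total_kb, free_kb = int(m.group(1)), int(m.group(2))
    if free_kb is None:
        raise ValueError("no 'KB total (... KB free)' summary line in listing")
    return entries, total_kb, free_kb


def check_image_name(file_url: str):
    """Apply the naming rules from the start of the chapter: .btm/.app/.cfg files live only in
    the flash root, a bare filename is 1 to 56 characters, a full path 1 to 63 characters."""
    if not file_url.lower().endswith(IMAGE_EXTS):
        return False, "not a .btm, .app or .cfg file"
    if "/" in file_url or ":" in file_url:
        if not file_url.startswith("flash:/") or file_url.count("/") != 1:
            return False, "image files must be stored in the flash root directory"
        limit = 63
    else:
        limit = 56
    if not 1 <= len(file_url) <= limit:
        return False, f"name longer than {limit} characters"
    return True, "ok"


def plan_download(listing: str, file_url: str, size_bytes: int) -> dict:
    """Decide whether a file of size_bytes fits in the free flash space reported by 'dir'.
    If not, list the largest ordinary files (never .cfg) whose removal would free enough
    space; the operator still decides what is really unused (see 'display boot-loader')."""
    entries, total_kb, free_kb = parse_dir(listing)
    name_ok, reason = check_image_name(file_url)
    free_bytes = free_kb * 1024
    plan = {"name_ok": name_ok, "reason": reason, "total_kb": total_kb,
            "free_bytes": free_bytes, "fits": size_bytes <= free_bytes,
            "shortfall": max(0, size_bytes - free_bytes), "candidates": []}
    if not plan["fits"]:
        reclaimed = 0
        for e in sorted(entries, key=lambda e: e["size"], reverse=True):
            if reclaimed >= plan["shortfall"]:
                break
            if e["is_dir"] or e["name"].lower().endswith(".cfg"):
                continue
            plan["candidates"].append(e["name"])
            reclaimed += e["size"]
    return plan
```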
Configuration File Management
Overview
Configuration type
The configuration of a device falls into two types:
Startup configuration, which is used for initialization. If no startup configuration is available, the default parameters are used.
Running configuration, which takes effect during system operation and is held temporarily in RAM; it does not survive a reboot unless saved.
Table 60 File system prompt mode setting
To do                                              Use the command                  Remarks
Set the operation prompt mode of the file system   file prompt { alert | quiet }    Optional. The default is alert.
Configuration file format
Configuration files are saved as text files so that they can be read easily. They:
- Save the configuration in the form of commands.
- Save only non-default configuration settings.
- List commands in sections by view, in this order: system, physical interface, logical interface, routing protocol, and so on. Sections are separated by one or more blank lines or comment lines that start with a pound sign (#).
- End with a return.
The configuration file management function provides a user-friendly operating interface through which you can easily manage your configuration files.
Main/backup attributes
A configuration file can carry a main attribute, a backup attribute, or both. When the main configuration file is corrupted or lost, the backup configuration file can be used to start or configure the device. Compared with systems that support only one type of configuration file, the main/backup configuration file mechanism enhances the security and reliability of the file system. The main keyword represents the main attribute of a configuration file, and the backup keyword represents its backup attribute. You can use the corresponding commands to configure the main/backup attributes of a configuration file. A configuration file can have both the main attribute and the backup attribute at the same time. However, a device can have only one configuration file with a given attribute at a time.
The main and backup attributes are mainly used as follows in the file system:
- You can specify the main/backup/common attribute of the configuration file when saving the current configuration.
- You can specify whether to erase the main configuration file or the backup configuration file when you erase a configuration file on the device. For a configuration file with both the main attribute and the backup attribute, you can specify whether to erase the main attribute or the backup attribute of the file.
- You can specify the main/backup attribute of a configuration file when you specify the configuration file to be used at the next startup.
Selection sequence of configuration files
Configuration files are selected according to the following rules when a device starts:
1 If the main configuration file exists, it is used to initialize the configuration.
2 If the backup configuration file exists while the main configuration file does not, the backup configuration file is used to initialize the configuration.
3 If neither the main configuration file nor the backup configuration file exists, the following selection sequence is adopted:
- If the default configuration file exists, it is used to initialize the configuration.
- If the default configuration file does not exist, the system starts without loading any configuration.
Saving Running Configuration
You can modify the running configuration on your device at the command line interface (CLI). To use it at the next startup, you need to save it to the startup configuration file with the save command before rebooting the system.
You can save the current configuration file in one of the following two ways:
Ways of saving the configuration files
- Fast mode: If the safely keyword is not provided, the system saves the configuration file in fast mode. In this mode, the configuration file is saved quickly. However, the configuration file will be lost if the device is restarted or the power goes off while the configuration file is being saved.
- Safe mode: If the safely keyword is provided, the system saves the configuration file in safe mode. In this mode, the configuration file is saved slowly. However, the configuration file will be saved in the Flash even if the device is restarted or the power goes off while the configuration file is being saved.
Attributes of the saved configuration files
- The main attribute. When the save [ safely ] [ main ] command is used to save the current configuration into a configuration file, the attribute of the configuration file is main. If the configuration file is an existing configuration file with the backup attribute, the configuration file will possess both the main attribute and the backup attribute at the same time. If a main configuration file already exists in the system, the main attribute of the existing configuration file is replaced by the new one, so that there is only one main configuration file in the system.
- The backup attribute. When the save [ safely ] [ backup ] command is used to save the current configuration into a configuration file, the attribute of the configuration file is backup. If the configuration file is an existing configuration file with the main attribute, the configuration file will possess both the main attribute and the backup attribute at the same time. If a backup configuration file already exists in the system, the backup attribute of the existing configuration file is replaced by the new one, so that there is only one backup configuration file in the system.
- The common attribute. When the save cfgfile command is used to save the current configuration into a configuration file: if the configuration file named cfgfile does not exist, the saved configuration file possesses neither the main attribute nor the backup attribute; if the configuration file cfgfile exists, the attribute of the new configuration file is determined by its attribute before the saving operation.
It is recommended to adopt the fast saving mode under stable power conditions and the safe mode under unstable power conditions or during remote maintenance.
The extension of a configuration file must be cfg.
Table 61 Saving running configuration
- To do: Save the running configuration
  Command: save [ cfgfile | [ safely ] [ main | backup ] ]
  Remarks: Available in any view
Erasing the Startup Configuration File
You may erase the startup configuration file by using the command shown in Table 62. If no startup configuration is available, the default parameters are used.
You may need to erase the startup configuration file for one of these reasons:
- After you upgrade the software, the old configuration file does not match the new software.
- The startup configuration file is destroyed or is not the one you need.
When you erase a configuration file, the following cases may occur:
- If you use the reset saved-configuration [ main ] command to erase a configuration file: if the configuration file possesses only the main attribute, the configuration file is removed completely; if the configuration file possesses both the main attribute and the backup attribute, only the main attribute of the configuration file is removed.
- If you use the reset saved-configuration backup command to erase a configuration file: if the configuration file possesses only the backup attribute, the configuration file is removed completely; if the configuration file possesses both the main attribute and the backup attribute, only the backup attribute of the configuration file is removed.
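The attribute rules of this chapter (saving with the main, backup or common attribute, erasing one attribute with reset saved-configuration, and the selection sequence at startup) as an added Python model; this is example code, not 3Com's implementation. The in-memory Flash class, the explicit target file name passed to save, and the default configuration file name config.cfg are assumptions of the model:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Flash:
    """Stand-in for the switch's flash: file name -> configuration text (constructed)."""
    files: Dict[str, str] = field(default_factory=dict)
    main: Optional[str] = None           # file currently carrying the main attribute
    backup: Optional[str] = None         # file currently carrying the backup attribute
    default_file: str = "config.cfg"     # name assumed for the default configuration file

    def save(self, running: str, cfgfile: str, attr: Optional[str] = None) -> None:
        """'save cfgfile' (attr None) or 'save [ safely ] [ main | backup ]'.
        The target file name is an explicit parameter here (an assumption of this model)."""
        if not cfgfile.endswith(".cfg"):
            raise ValueError("the extension of a configuration file must be cfg")
        self.files[cfgfile] = running
        if attr == "main":
            self.main = cfgfile          # only one main file: a previous one loses the attribute
        elif attr == "backup":
            self.backup = cfgfile        # likewise only one backup file
        elif attr is not None:
            raise ValueError(f"unknown attribute {attr!r}")
        # attr None: a new file has no attribute; an existing file keeps what it had

    def attributes(self, name: str) -> Set[str]:
        """Attributes currently carried by the named file (empty set = common file)."""
        return {a for a, holder in (("main", self.main), ("backup", self.backup)) if holder == name}

    def reset_saved_configuration(self, attr: str = "main") -> None:
        """'reset saved-configuration [ main | backup ]'."""
        if attr == "main":
            name, self.main = self.main, None
        elif attr == "backup":
            name, self.backup = self.backup, None
        else:
            raise ValueError(f"unknown attribute {attr!r}")
        if name is not None and not self.attributes(name):
            del self.files[name]         # the file carried only this attribute: removed completely
        # otherwise the file still carries the other attribute and stays on the flash

    def startup_file(self) -> Optional[str]:
        """Selection sequence at boot: main, then backup, then the default file, else nothing."""
        for candidate in (self.main, self.backup, self.default_file):
            if candidate is not None and candidate in self.files:
                return candidate
        return None


def demo() -> dict:
    """Walk through the cases described in the text; returns the observed states."""
    fl = Flash()
    fl.save("sysname A", "a.cfg", "main")
    fl.save("sysname A", "a.cfg", "backup")       # one file now carries both attributes
    both = sorted(fl.attributes("a.cfg"))
    fl.reset_saved_configuration("main")          # only the main attribute goes; file stays
    after_reset = ("a.cfg" in fl.files, sorted(fl.attributes("a.cfg")))
    fl.save("sysname B", "b.cfg", "main")         # a new main file
    startup = fl.startup_file()                   # main wins over backup
    fl.reset_saved_configuration("main")          # b.cfg carried only main: removed completely
    fallback = ("b.cfg" in fl.files, fl.startup_file())
    fl.reset_saved_configuration("backup")        # a.cfg carried only backup now: removed
    fl.save("sysname C", "config.cfg")            # plain 'save cfgfile': no attribute
    last = (sorted(fl.files), fl.startup_file())  # default file used as a last resort
    return {"both": both, "after_reset": after_reset, "startup": startup,
            "fallback": fallback, "last": last}


if __name__ == "__main__":
    for step, state in demo().items():
        print(step, state)
```

The model makes the two points of the text concrete: an attribute always names exactly one file, so saving a second main file silently moves the attribute, and erasing an attribute deletes the file only when that was the file's last attribute.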
Specifying a Configuration File for Next Startup
You can set the main/backup attributes of a configuration file. The attribute of a configuration file is generated in two ways, as described below.
Set the main attribute of the startup configuration file
- When the current configuration is saved into the main configuration file, the system automatically adopts the main configuration file as the main startup configuration file.
- Use the startup saved-configuration cfgfile [ main ] command to set a configuration file as the main startup configuration file.
Set the backup attribute of the startup configuration file
- When the current configuration is saved into the backup configuration file, the system automatically adopts the backup configuration file as the backup startup configuration file.
- Use the startup saved-configuration cfgfile backup command to set a configuration file as the backup startup configuration file.
Table 62 Erasing the startup configuration file
- To do: Erase the startup configuration file from the storage device
  Command: reset saved-configuration [ main | backup ]
  Remarks: Available in user view
Table 63 Specifying a configuration file for next startup
- To do: Specify a configuration file for next startup
  Command: startup saved-configuration cfgfile [ main | backup ]
  Remarks: Available in user view
CAUTION: This operation can delete the configuration file from the device permanently, so be careful when performing it.
Backing Up/Restoring the Configuration File for Next Startup
Feature overview
Through this feature, you can back up and restore the configuration file for next startup through the command line. TFTP is used to transmit data between the device and the server. You can back up the configuration file for next startup to the TFTP server, and download a configuration file saved on the TFTP server to the device and configure it as the configuration file for next startup.
You can only back up and restore the main configuration file.
Backing up the configuration file for next startup
Before backing up the configuration file:
- Make sure that the route between the device and the server is reachable, that TFTP is enabled at the server end, and that the client on which you will perform the backup and restoration operations has the corresponding read/write permission.
- Use the display startup command in user view to check whether the configuration file for next startup is configured, and then use the dir command to check whether the configuration file for next startup exists. If the configuration file is configured as NULL or the configuration file does not exist, the backup operation will fail.
Restoring the configuration file for next startup
- Before restoring the configuration file, make sure that the route between the device and the server is reachable, that TFTP is enabled at the server end, and that the client on which you will perform the backup and restoration operations has the corresponding read/write permission.
- After the command is executed successfully, use the display startup command in user view to check whether the name of the configuration file for next startup is consistent with the filename argument, and then use the dir command to check whether the restored configuration file for next startup exists.
Table 64 Back up the configuration file for next startup
- To do: Back up the configuration file for next startup
  Command: backup startup-configuration to dest-addr [ filename ]
  Remarks: Required. This operation can be executed only in user view.
Table 65 Restore the configuration file for next startup
- To do: Restore the configuration file for next startup
  Command: restore startup-configuration from src-addr filename
  Remarks: Required. This operation can be executed only in user view.
Displaying and Maintaining Device Configuration
Configuration files are displayed in the same format in which they are saved.
FTP Configuration
Overview
FTP (file transfer protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred from the command line, and the most popular application was FTP. At present, although e-mail and the Web are the usual methods for file transmission, FTP still has its place.
An Ethernet switch can act as an FTP client or an FTP server in FTP-based data transmission:
FTP server
An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients. You can log into a switch operating as an FTP server by running an FTP client program on your PC to access files on the FTP server. Before you log into the FTP server, the administrator must configure an IP address for it.
FTP client
A switch can operate as an FTP client, through which you can access files on FTP servers. In this case, you need to establish a connection between your PC and the switch through a terminal emulation program or Telnet and then execute the ftp command from your PC.
Figure 39 Network diagram for FTP
Table 66 Displaying and maintaining device configuration
- To do: Display the contents of the startup configuration file
  Command: display saved-configuration [ by-linenum ]
  Remarks: Available in any view
- To do: Display the configuration files used for this and the next startup
  Command: display startup
  Remarks: Available in any view
- To do: Display the running configuration in the current view
  Command: display this [ by-linenum ]
  Remarks: Available in any view
- To do: Display the running configuration
  Command: display current-configuration [ configuration [ configuration-type ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ]
  Remarks: Available in any view
The configurations needed when a switch operates as an FTP client are shown in Table 67.
The configurations needed when a switch operates as an FTP server are shown in Table 68.
CAUTION: The FTP-related functions require that the route between an FTP client and the FTP server is reachable.
Configuring the FTP Client
Table 69 lists the operations that can be performed on an FTP client.
Table 67 Configurations needed when a switch operates as an FTP client
- Device: Switch
  Configuration: Run the ftp command to log into a remote FTP server directly.
  Description: To log into a remote FTP server and operate on files and directories on it, you need to obtain a user name and password first.
- Device: FTP server
  Configuration: Enable the FTP server and configure the corresponding information, including user names, passwords, and user authorities.
Table 68 Configurations needed when a switch operates as an FTP server
- Device: Switch
  Configuration: Enable the FTP server function.
  Default: The FTP server function is disabled by default.
  Description: You can run the display ftp-server command to view the FTP server configuration on the switch.
- Device: Switch
  Configuration: Configure the authentication information on the FTP server.
  Description: Configure user names and passwords.
- Device: Switch
  Configuration: Configure the connection idle time.
  Default: The default idle time is 30 minutes.
- Device: PC
  Configuration: Log into the switch through an FTP client application.
Table 69 Configurations on an FTP client
- To do: Enter FTP Client view
  Command: ftp [ ftp-server [ port ] [ -a source-ip ] ]
  Remarks: Required. Use either this command or the open command below. If ftp-server is given in this command, the FTP client builds a connection with the remote FTP server before entering FTP Client view.
- To do: Connect to a remote FTP server in FTP Client view
  Command: open ftp-server [ port ] [ -a source-ip ]
  Remarks: Optional
- To do: Display the online help information
  Command: remotehelp [ protocol-command ]
  Remarks: Optional
- To do: Enable the verbose function
  Command: verbose
  Remarks: Optional. The verbose function is enabled by default.
CAUTION: FTP-based file transmission is performed in the following two modes: binary mode for program file transfer and ASCII mode for text file transfer.
The ls command only lists the names of all files and directories, while the dir command lists the details of all files and directories.
- To do: Log into the FTP server again using another username
  Command: user username [ password ]
  Remarks: Optional
- To do: Specify to transfer files in ASCII characters
  Command: ascii
  Remarks: Optional. By default, files are transferred in ASCII characters.
- To do: Specify to transfer files in binary streams
  Command: binary
  Remarks: Optional. By default, files are transferred in ASCII characters.
- To do: Change the work directory on the remote FTP server
  Command: cd pathname
  Remarks: Optional
- To do: Change the work directory to the parent directory
  Command: cdup
  Remarks: Optional
- To do: Query the details of all files and directories
  Command: dir [ remotefile [ localfile ] ]
  Remarks: Optional
- To do: Query the names of all files and directories
  Command: ls [ remotefile [ localfile ] ]
  Remarks: Optional
- To do: Download a remote file
  Command: get remotefile [ localfile ]
  Remarks: Optional
- To do: Upload a local file to the remote FTP server
  Command: put localfile [ remotefile ]
  Remarks: Optional
- To do: Display the work directory on the FTP server
  Command: pwd
  Remarks: Optional
- To do: Get the local work path on the FTP client
  Command: lcd
  Remarks: Optional
- To do: Create a directory on the remote FTP server
  Command: mkdir pathname
  Remarks: Optional
- To do: Set the data transfer mode to passive
  Command: passive
  Remarks: Optional. By default, the passive mode is adopted.
- To do: Delete a specified file
  Command: delete remotefile
  Remarks: Optional
- To do: Remove a directory on the remote FTP server
  Command: rmdir pathname
  Remarks: Optional
- To do: Terminate the current FTP connection without exiting FTP Client view
  Command: disconnect
  Remarks: Optional
- To do: Terminate the current FTP connection without exiting FTP Client view
  Command: close
  Remarks: Optional
- To do: Terminate the current FTP control connection and data connection
  Command: bye
  Remarks: Optional
- To do: Terminate the current FTP connection and quit to user view
  Command: quit
  Remarks: Optional. It is equivalent to the bye command in FTP Client view.
Configuring the FTP Server
Configuring FTP server operating parameters
Follow the steps in Table 70 to configure the FTP server.
Configuring Parameters for FTP Users
To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.
Follow the steps in Table 71 to configure an FTP user.
For more information about authentication and authorization commands, refer to the AAA-RADIUS-TACACS+ chapter of this manual.
Table 70 Basic FTP configurations as an FTP server
- To do: Enter system view
  Command: system-view
- To do: Enable the FTP server
  Command: ftp server enable
  Remarks: Required. Disabled by default.
- To do: Configure the idle-timeout timer
  Command: ftp timeout minutes
  Remarks: Optional. The default is 30 minutes.
- To do: Set the FTP update mode
  Command: ftp update { fast | normal }
  Remarks: Optional. Normal update is used by default.
Table 71 Configuring parameters for FTP users
- To do: Enter system view
  Command: system-view
- To do: Enter or create a local user view
  Command: local-user user-name
  Remarks: Required. No local user exists by default.
- To do: Assign a password to the user
  Command: password { simple | cipher } password
  Remarks: Required
- To do: Assign the FTP service to the local user
  Command: service-type ftp
  Remarks: Required. Not assigned by default.
- To do: Authorize the FTP user's access to a directory
  Command: service-type ftp [ ftp-directory directory ]
  Remarks: Optional
- To do: Enter ISP domain view
  Command: domain [ isp-name ] [ default { disable | enable isp-name } ]
  Remarks: Optional
- To do: Reference an authentication scheme for the domain
  Command: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
  Remarks: Optional
- To do: Reference an authorization scheme for the domain
  Command: authorization { hwtacacs-scheme hwtacacs-scheme-name | none }
  Remarks: Optional
Displaying and Maintaining the FTP Server
See Table 72.
FTP Client Configuration Example
Network requirements
Use your device as an FTP client to download an application file (APP file, .bin file) for upgrade purposes from the FTP server with the IP address 10.1.1.1/16.
On the FTP server, an FTP user account has been created for the FTP client, with the username abc and the password pwd.
Network diagram
Figure 40 Network diagram for FTPing a startup file from an FTP Server
Configuration procedure
1 Check the files on your device. Remove redundant ones to ensure adequate space for the APP file to be downloaded.
<3Com> dir
Directory of flash:/
   0  drw-         -  Dec 07 2005 10:00:57   filename
   1  drw-         -  Jan 02 2006 14:27:51   logfile
   2  -rw-      1216  Jan 02 2006 14:28:59   config.cfg
   3  -rw-      1216  Jan 02 2006 16:27:26   backup.cfg
   4  -rw-    184108  May 26 2006 18:02:16   aaa.bin
15240 KB total (2511 KB free)
<3Com> delete flash:/backup.cfg
2 Download the APP file from the server.
<3Com> ftp 10.1.1.1
Trying 10.1.1.1...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):abc
331 Password required for abc.
Password:
230 User logged in.
[ftp] binary
200 Type set to I
[ftp] get aaa.bin bbb.bin
Table 72 Displaying and maintaining the FTP server
- To do: Display the configuration of the FTP server
  Command: display ftp-server
  Remarks: Available in any view
- To do: Display information about logged-in FTP users
  Command: display ftp-user
  Remarks: Available in any view
200 Port command okay.
150 Opening BINARY mode data connection for aaa.bin.
.....226 Transfer complete.
FTP: 184108 byte(s) received in 5.461 second(s) 33.00K byte(s)/sec.
[ftp] bye
221 Server closing.
3 Specify the main APP file for next startup with the boot-loader command.
<3Com> boot-loader file bbb.bin main
<3Com> reboot
The APP file for next startup specified by the boot-loader command must be saved under the root directory. You can use the copy or move operation to change its path.
FTP Server Configuration Example
Network requirements
Use your device as an FTP server. Create a user account for an FTP user on it, setting the username to abc and the password to pwd.
Upload an APP file from a PC to the FTP server.
Network diagram
Figure 41 Network diagram for FTPing a startup file to the FTP server
Configuration procedure
1 Configure the Ethernet switch
a Create an FTP user account, setting its username and password.
<3Com> system-view
[3Com] local-user abc
[3Com-luser-abc] service-type ftp
[3Com-luser-abc] password simple pwd
b Authorize the user account to access a certain directory.
[3Com-luser-abc] service-type ftp ftp-directory flash:/
c Validate the authorized directory.
[3Com-luser-abc] quit
[3Com] domain system
[3Com-isp-system] authorization login local
d Enable the FTP server.
[3Com] ftp server enable
[3Com] quit
e Check the files on your device. Remove redundant ones to ensure adequate space for the APP file to be uploaded.
<3Com> dir
Directory of flash:/
   0  drw-         -  Dec 07 2005 10:00:57   filename
   1  drw-         -  Jan 02 2006 14:27:51   logfile
   2  -rw-      1216  Jan 02 2006 14:28:59   config.cfg
   3  -rw-      1216  Jan 02 2006 16:27:26   back.cfg
   4  drw-         -  Jan 02 2006 15:20:21   ftp
   5  -rw-    184108  May 26 2006 18:02:16   aaa.bin
15240 KB total (2511 KB free)
<3Com> delete flash:/back.cfg
2 Configure the PC
a Upload the APP file to the FTP server.
c:\> ftp 1.1.1.1
ftp> put aaa.bin bbb.bin
When upgrading the configuration file with FTP, put the new file under the root directory.
When upgrading the Boot ROM program with FTP remotely, you must execute the bootrom update command after the file transfer is completed.
b Specify the main APP file for next startup with the boot-loader command.
<3Com> boot-loader file bbb.bin main
<3Com> reboot
CAUTION: The APP file for next startup must be saved under the root directory.
TFTP Configuration
Overview
The trivial file transfer protocol (TFTP) provides functions similar to those provided by FTP, but it is not as complex as FTP in its interactive access interface and authentication. Therefore, it is more suitable where complex interaction is not needed between client and server.
TFTP uses the UDP service for data delivery. In TFTP, file transfer is initiated by the client.
- In a normal file downloading process, the client sends a read request to the TFTP server, receives data from the server, and then sends the acknowledgement to the server.
- In a normal file uploading process, the client sends a write request to the TFTP server, sends data to the server, and receives the acknowledgement from the server.
TFTP transfers files in two modes: binary for program files and ASCII for text files.
Before performing TFTP-related configurations, you need to configure IP addresses for the TFTP client and the TFTP server, and make sure the route between the two is reachable.
A switch can only operate as a TFTP client.
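The read exchange described above (read request, data blocks, acknowledgements) as an added Python example that encodes the TFTP packets and runs a download between an in-memory server and client. It is example code, not the switch's implementation; the TftpServer class, the sample file aaa.bin and its contents are constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# TFTP opcodes (RFC 1350) and the fixed data block size.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL. 'octet' is TFTP's binary mode and
    'netascii' its text mode (the binary/ASCII modes named in this section)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet: bytes) -> Tuple[int, dict]:
    """Decode one TFTP packet into (opcode, fields)."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (RRQ, WRQ):
        filename, mode = packet[2:].split(b"\0")[:2]
        return opcode, {"filename": filename.decode(), "mode": mode.decode()}
    if opcode == DATA:
        return opcode, {"block": struct.unpack("!H", packet[2:4])[0], "data": packet[4:]}
    if opcode == ACK:
        return opcode, {"block": struct.unpack("!H", packet[2:4])[0]}
    if opcode == ERROR:
        code = struct.unpack("!H", packet[2:4])[0]
        return opcode, {"code": code, "msg": packet[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")


class TftpServer:
    """Constructed in-memory TFTP server that answers read requests only. Note that
    no credential is checked anywhere: any client that can reach the server may
    read any file it holds, which is the protocol property the tftp-server acl
    command and a dedicated work directory are there to contain."""

    def __init__(self, files: Dict[str, bytes]):
        self.files = files
        self.session: Optional[bytes] = None   # content of the file being served

    def receive(self, packet: bytes) -> bytes:
        """Process one client packet and return the server's reply (b'' = nothing)."""
        opcode, fields = parse(packet)
        if opcode == RRQ:
            data = self.files.get(fields["filename"])
            if data is None:
                return build_error(1, "File not found")
            self.session = data
            return self._data_block(1)
        if opcode == ACK and self.session is not None:
            return self._data_block(fields["block"] + 1)
        return build_error(4, "Illegal TFTP operation")

    def _data_block(self, block: int) -> bytes:
        start = (block - 1) * BLOCK
        if start > len(self.session):          # the final block was acknowledged: done
            self.session = None
            return b""
        return build_data(block, self.session[start:start + BLOCK])


def download(server: TftpServer, filename: str):
    """Client side of 'tftp <server> get': send an RRQ, then ACK each DATA block until
    a block shorter than 512 bytes arrives. Returns (content, transcript)."""
    transcript: List[tuple] = [("client->server", "RRQ", filename)]
    reply = server.receive(build_request(RRQ, filename))
    content, expected = b"", 1
    while True:
        opcode, fields = parse(reply)
        if opcode == ERROR:
            transcript.append(("server->client", "ERROR", fields["code"], fields["msg"]))
            return None, transcript
        if opcode != DATA or fields["block"] != expected:
            raise ValueError("unexpected packet")
        transcript.append(("server->client", "DATA", fields["block"], len(fields["data"])))
        content += fields["data"]
        transcript.append(("client->server", "ACK", fields["block"]))
        reply = server.receive(build_ack(fields["block"]))
        if len(fields["data"]) < BLOCK:        # short (or empty) block ends the transfer
            return content, transcript
        expected += 1


# Constructed sample: a 1280-byte "APP file", so the transfer takes three data blocks.
SAMPLE_FILES = {"aaa.bin": bytes(range(256)) * 5}


def demo():
    server = TftpServer(SAMPLE_FILES)
    content, transcript = download(server, "aaa.bin")
    missing, err_transcript = download(server, "nosuchfile.bin")
    return content, transcript, missing, err_transcript


if __name__ == "__main__":
    _, transcript, _, err_transcript = demo()
    for line in transcript + err_transcript[-1:]:
        print(line)
```

A file whose size is an exact multiple of 512 bytes ends with an empty DATA block, which the client loop above treats like any other short block; the error path shows the only feedback a TFTP client gets for a missing file.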
Figure 42 Network diagram for TFTP configuration
Table 73 describes the operations needed when a switch operates as a TFTP client.
Configuring the TFTP Client
Follow the steps in Table 74 to configure the TFTP client.
TFTP Client Configuration Example
Network requirements
Use a PC as the TFTP server and your device as the TFTP client. As shown in the following figure:
- The PC uses the IP address 1.2.1.1/16, and a TFTP working directory has been defined for the client.
- On your device, VLAN interface 1 is assigned the IP address 1.1.1.1/16, and the port connected to the PC belongs to the same VLAN.
- TFTP an APP file from the PC for upgrading and a configuration file to the PC for backup.
Table 73 Configurations needed when a switch operates as a TFTP client
- Device: Switch
  Configuration: Configure an IP address for the VLAN interface of the switch so that the TFTP server is reachable. You can log into a TFTP server directly for file access through TFTP commands.
  Description: TFTP applies to networks where client-server interactions are comparatively simple. It requires that the routes between TFTP clients and TFTP servers are reachable.
- Device: TFTP server
  Configuration: The TFTP server is started and the TFTP work directory is configured.
Table 74 Configurations on a TFTP client
- To do: Enter system view
  Command: system-view
- To do: Reference an ACL to control access to the TFTP server
  Command: tftp-server acl acl-number
  Remarks: Optional
- To do: Return to user view
  Command: quit
- To do: Download a file from a TFTP server
  Command: tftp tftp-server get source-file [ dest-file | -a source-ip ]*
  Remarks: Required
- To do: Download a file from a TFTP server in secure mode
  Command: tftp tftp-server sget source-file [ dest-file | -a source-ip ]*
  Remarks: Optional
- To do: Upload a file to a TFTP server
  Command: tftp tftp-server put source-file [ dest-file | -a source-ip ]*
  Remarks: Optional
Network diagram
Figure 43 Network diagram for TFTP client configuration
Configuration procedure
1 On the PC
Enable the TFTP server and configure a TFTP working directory for the TFTP client.
2 On the device
CAUTION: If the available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files from the Flash memory to make room for the new file.
a Enter system view.
<Sysname> system-view
b Assign VLAN interface 1 the IP address 1.1.1.1/16, making sure that the port connected to the PC belongs to the same VLAN.
[Sysname] interface vlan-interface 1
[Sysname-vlan-interface1] ip address 1.1.1.1 255.255.0.0
[Sysname-vlan-interface1] return
c Download the application file aaa.bin from the TFTP server. (Before that, make sure that adequate memory is available.)
<Sysname> tftp 1.2.1.1 get aaa.bin bbb.bin
d Upload the configuration file config.cfg to the TFTP server.
<Sysname> tftp 1.2.1.1 put config.cfg config.cfg
e Specify the APP file for next startup with the boot-loader command.
<Sysname> boot-loader file bbb.bin
<Sysname> reboot
CAUTION: The APP file for next startup must be saved under the root directory. You can use the copy or move operation to change its path.
12 VLAN CONFIGURATION
VLAN Overview
Introduction to VLAN
The virtual local area network (VLAN) technology is developed for switches to control broadcast operations in LANs.
By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own. Hosts in the same VLAN communicate with each other as if they were in one LAN. However, hosts in different VLANs cannot communicate with each other directly. In this way, broadcast packets are confined within a VLAN. Figure 44 illustrates a VLAN implementation.
Figure 44 A VLAN implementation
A VLAN can span multiple switches, or even routers. This allows the hosts in a VLAN to be dispersed more loosely; that is, hosts in a VLAN can belong to different physical network segments.
VLANs offer the following advantages:
- Broadcasts are confined to VLANs. This decreases bandwidth utilization and improves network performance.
- Network security is improved. VLANs cannot communicate with each other directly. That is, hosts in different VLANs cannot communicate with each other directly. To enable communication between different VLANs, network devices operating on Layer 3 (such as routers or Layer 3 switches) are needed.
- Configuration workload is reduced. VLANs can be used to group specific hosts. When the physical position of a host changes, no additional network configuration is required if the host still belongs to the same VLAN.
(Figure 44 labels: VLAN A, VLAN B, LAN Switch, LAN Switch, Router)
VLAN Classification
Depending on how VLANs are established, VLANs fall into the following six categories:
- Port-based VLAN
- MAC-based VLAN
- Protocol-based VLAN
- IP subnet-based VLAN
- Policy-based VLAN
- Other VLAN
The 3Com Switch 4500G Ethernet Switch supports the port-based VLAN. This chapter focuses on the port-based VLAN.
Basic VLAN Configuration
Table 75 Basic VLAN configuration
- To do: Enter system view
  Command: system-view
- To do: Create VLANs
  Command: vlan { vlan-id1 [ to vlan-id2 ] }
  Remarks: Optional. This command is mainly used to create multiple VLANs.
- To do: Enter VLAN view
  Command: vlan vlan-id
  Remarks: Required. If the specified VLAN does not exist, this command first creates the VLAN and then enters VLAN view.
- To do: Specify the description string of the VLAN
  Command: description text
  Remarks: Optional. By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.
- To do: Exit VLAN view
  Command: quit
Basic VLAN Interface Configuration
A VLAN interface is a virtual Layer 3 interface, mainly used to provide Layer 3 connectivity between different VLANs.
Before creating a VLAN interface, the corresponding VLAN must exist. Otherwise, you cannot create the VLAN interface successfully.
Port-Based VLAN Configuration
Introduction of Port-Based VLAN
Port-based VLAN is the simplest and most effective VLAN division method. It defines VLAN members according to the ports of a switch. After a port is added to a specified VLAN, the port can forward the packets of that VLAN.
Link Type of the Ethernet Port
According to the port-to-VLAN binding mode, the link type of an Ethernet port falls into the following three types:
- Access port. An access port carries one VLAN only and is used for connecting to a user's computer.
- Trunk port. A trunk port can belong to more than one VLAN and receive/send packets on multiple VLANs; it is used for connections between switches.
- Hybrid port. A hybrid port can also carry more than one VLAN and receive/send packets on multiple VLANs; it is used for connecting both switches and users' computers.
Table 76 Configure a VLAN interface
- To do: Enter system view
  Command: system-view
- To do: Enter VLAN interface view
  Command: interface vlan-interface vlan-interface-id
  Remarks: Required. If the specified VLAN interface does not exist, this command creates it first and then enters VLAN interface view.
- To do: Configure the IP address of the VLAN interface
  Command: ip address ip-address { mask | mask-length }
  Remarks: Optional. By default, the IP address of a VLAN interface is null.
- To do: Specify the description string for the current VLAN interface
  Command: description text
  Remarks: Optional. By default, the description string of a VLAN interface is the name of the VLAN interface, such as Vlan-interface1 interface.
- To do: Enable the VLAN interface
  Command: undo shutdown
  Remarks: Optional. By default, if all the ports under the VLAN interface are down, the VLAN interface is down; if one or more ports under the VLAN interface are up, the VLAN interface is up.
The difference between a hybrid port and a trunk port is that:
- A hybrid port allows the packets from multiple VLANs to be sent without tags.
- A trunk port only allows the packets from the default VLAN to be sent without tags.
Default VLAN
You can configure the VLANs allowed to pass through a port. In addition, you can also configure a default VLAN for the port. By default, the default VLAN of all ports is VLAN 1, but you can configure it as needed.
- An access port can belong to only one VLAN, so its default VLAN is the VLAN it belongs to, and you do not need to configure it.
- Both trunk ports and hybrid ports allow multiple VLANs to pass through. You can configure the default VLAN for them.
- After you delete the default VLAN of a port with the undo vlan command, the default VLAN of an access port is restored to VLAN 1; for a trunk or hybrid port, the default VLAN configuration remains unchanged, that is, a trunk or hybrid port can use the now nonexistent VLAN as its default VLAN.
After the default VLAN is configured, a port receives and sends packets in different ways. Refer to the following table for details:
Table 77 Receive and send packets
Access port:
  Receiving untagged packets: add the default VLAN tag to the packet.
  Receiving tagged packets: receive the packet if the VLAN ID in the tag is the default VLAN ID; drop the packet if the VLAN ID differs from the default VLAN ID.
  Sending packets: send the packet directly, because its VLAN ID is the default VLAN ID.
Trunk port:
  Receiving untagged packets: add the default VLAN tag to the packet.
  Receiving tagged packets: receive the packet if the VLAN ID in the tag is the default VLAN ID, or if it differs from the default VLAN ID but is allowed to pass through the port; drop the packet if the VLAN ID differs from the default VLAN ID and is not allowed to pass through the port.
  Sending packets: if the VLAN ID is the default VLAN ID, remove the tag and then send the packet; if the VLAN ID differs from the default VLAN ID, keep the original tag and send the packet.
Hybrid port:
  Receiving untagged packets: add the default VLAN tag to the packet.
  Receiving tagged packets: same as a trunk port.
  Sending packets: if the VLAN ID is the default VLAN ID, remove the tag and then send the packet; if the VLAN ID differs from the default VLAN ID, send the packet with or without the tag as configured by the port hybrid vlan vlan-id-list { tagged | untagged } command.
Configuring an Access Port-Based VLAN
You can add an access port to a specified VLAN in two ways: configure it in VLAN view, or configure it in Ethernet port view or port group view.
You must add an access port to an existing VLAN.
Table 78 Configure an access port-based VLAN (in VLAN view)
1 Enter system view: system-view
2 Enter VLAN view: vlan vlan-id
  Required. If the specified VLAN does not exist, this command creates the VLAN first and then enters its VLAN view.
3 Add Ethernet ports to the VLAN: port interface-list
  Required. By default, the system adds all ports to VLAN 1.
Table 79 Configure an access port-based VLAN (in Ethernet port view or port group view)
1 Enter system view: system-view
2 Enter Ethernet port view or port group view (use either command):
  interface interface-type interface-number
  port-group { manual port-group-name | aggregation agg-id }
  Settings made in Ethernet port view take effect on the current port only; settings made in port group view take effect on all ports in the port group.
3 Configure the port as an access port: port link-type access
  Optional. By default, a port is an access port.
4 Add the current access port to a specified VLAN: port access vlan vlan-id
  Optional. By default, the system adds all ports to VLAN 1.
Configuring a Trunk Port-Based VLAN
A trunk port allows multiple VLANs to pass, but you can only configure it in Ethernet port view or port group view.
- A trunk port and a hybrid port cannot be switched to each other directly; the port must be configured as an access port first. For example, a trunk port cannot be configured as a hybrid port directly: you must specify it as an access port first, and then specify it as a hybrid port.
- The default VLAN ID of the trunk port on the local switch must be the same as that of the trunk port on the opposite switch. Otherwise, packets cannot be transmitted correctly.
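To make the rules of Table 77 and the default-VLAN note above concrete, here is a small Python model of ingress classification and egress tagging for access, trunk and hybrid ports. It is an added example, not code from the 3Com guide; the Port class, its method names and the sample ports are constructed for illustration. The traverse function sends a frame out of one port and classifies it on the peer, which shows why both ends of a trunk must agree on the default VLAN: the default VLAN leaves the sender untagged, and the receiver assigns every untagged frame to its own default VLAN, so with mismatched settings that traffic ends up in a different VLAN than it was sent in.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed model of the per-port rules in Table 77 (added example, not code
# from the 3Com guide). A frame is untagged (vid=None) or carries one VLAN tag.


@dataclass
class Port:
    name: str
    link_type: str                      # "access", "trunk" or "hybrid"
    pvid: int = 1                       # default VLAN; VLAN 1 on every port by default
    permitted: Set[int] = field(default_factory=lambda: {1})  # trunk/hybrid permit list
    untagged: Set[int] = field(default_factory=set)           # hybrid: VLANs sent untagged

    def classify_ingress(self, vid: Optional[int]) -> Optional[int]:
        """VLAN a received frame is assigned to, or None if the port drops it."""
        if vid is None:                 # untagged: every port type adds the default VLAN tag
            return self.pvid
        if self.link_type == "access":  # access: a tagged frame must carry the default VLAN
            return vid if vid == self.pvid else None
        # trunk/hybrid: the default VLAN or any VLAN allowed to pass through the port
        if vid == self.pvid or vid in self.permitted:
            return vid
        return None

    def egress(self, vid: int) -> str:
        """How a frame of VLAN `vid` leaves the port: 'untagged', 'tagged' or 'drop'."""
        if self.link_type == "access":
            return "untagged" if vid == self.pvid else "drop"
        if vid == self.pvid:            # the default VLAN always leaves with the tag removed
            return "untagged"
        if vid not in self.permitted:
            return "drop"
        if self.link_type == "trunk":   # a trunk keeps the original tag for other VLANs
            return "tagged"
        # hybrid: per-VLAN choice made with "port hybrid vlan ... { tagged | untagged }"
        return "untagged" if vid in self.untagged else "tagged"


def traverse(sender: Port, receiver: Port, vid: int) -> Optional[int]:
    """Send a frame of VLAN `vid` out of `sender` and classify it on `receiver`.
    Returns the VLAN the receiver assigns, or None if either side drops the frame."""
    how = sender.egress(vid)
    if how == "drop":
        return None
    return receiver.classify_ingress(None if how == "untagged" else vid)


def pvid_mismatches(sender: Port, receiver: Port, vids) -> list:
    """VLANs that arrive in a different VLAN than they were sent in: the failure
    mode behind the note that both ends of a trunk must use the same default VLAN."""
    return [v for v in vids if (r := traverse(sender, receiver, v)) is not None and r != v]


if __name__ == "__main__":
    # Constructed ports mirroring the chapter's example: trunk, default VLAN 100,
    # permitting VLAN 2, VLANs 6 to 50 and VLAN 100.
    allowed = {2, 100} | set(range(6, 51))
    switch_a = Port("SwitchA GE1/0/1", "trunk", pvid=100, permitted=allowed)
    switch_b_ok = Port("SwitchB GE1/0/1", "trunk", pvid=100, permitted=allowed)
    switch_b_bad = Port("SwitchB GE1/0/1", "trunk", pvid=1, permitted=allowed)  # pvid left at 1
    print("matching default VLANs  :", pvid_mismatches(switch_a, switch_b_ok, allowed))
    print("mismatched default VLANs:", pvid_mismatches(switch_a, switch_b_bad, allowed))
```

The model follows Table 77 literally: the default VLAN is accepted and sent regardless of the permit list, and only non-default VLANs are checked against it. Running the script with the mismatched pair reports VLAN 100 as the VLAN whose frames land in VLAN 1 on Switch B; the matching pair reports nothing.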
Table 80 Configure a trunk port-based VLAN
1 Enter system view: system-view
2 Enter Ethernet port view or port group view (use either command):
  interface interface-type interface-number
  port-group { manual port-group-name | aggregation agg-id }
  Settings made in Ethernet port view take effect on the current port only; settings made in port group view take effect on all ports in the port group.
3 Configure the port as a trunk port: port link-type trunk
  Required.
4 Add the current trunk port to specified VLANs: port trunk permit vlan { vlan-id-list | all }
  Required. By default, a trunk port only allows VLAN 1 to pass.
5 Set the default VLAN for the trunk port: port trunk pvid vlan vlan-id
  Optional. By default, the default VLAN of a trunk port is VLAN 1.
Configuring a Hybrid Port-Based VLAN
A hybrid port allows multiple VLANs to pass, but you can only configure it in Ethernet port view or port group view.
- A trunk port and a hybrid port cannot be switched to each other directly; the port must be configured as an access port first. For example, a trunk port cannot be configured as a hybrid port directly: you must specify it as an access port first, and then specify it as a hybrid port.
- The VLANs that a hybrid port is configured to permit must exist.
- The default VLAN ID of the hybrid port on the local switch must be the same as that of the hybrid port on the opposite switch. Otherwise, packets cannot be transmitted correctly.
Table 81 Configure a hybrid port-based VLAN
1 Enter system view: system-view
2 Enter Ethernet port view or port group view (use either command):
  interface interface-type interface-number
  port-group { manual port-group-name | aggregation agg-id }
  Settings made in Ethernet port view take effect on the current port only; settings made in port group view take effect on all ports in the port group.
3 Configure the port as a hybrid port: port link-type hybrid
  Required.
4 Add the current hybrid port to specified VLANs: port hybrid vlan vlan-id-list { tagged | untagged }
  Required. You can configure whether the hybrid port adds a tag to the packets of the specified VLANs when it sends them.
5 Set the default VLAN for the hybrid port: port hybrid pvid vlan vlan-id
  Optional. By default, the default VLAN of a hybrid port is VLAN 1.
Displaying VLAN Configuration
After the above configuration, you can execute the display command in any view to view the running status of the VLAN configuration and verify the effect of the configuration.
Table 82 Display the information about specified VLANs
- Display the information about specified VLANs: display vlan [ vlan-id1 [ to vlan-id2 ] | all | static | dynamic | reserved ] (available in any view)
- Display the information about a specified VLAN interface: display interface vlan-interface [ vlan-interface-id ] (available in any view)
VLAN Configuration Example
Network Requirements
- Switch A connects to Switch B through the trunk port GigabitEthernet1/0/1.
- The default VLAN ID of the port is 100.
- The port permits the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to pass.
Network Diagram
Figure 45 Configure packets to pass through the default VLAN
Configuration Procedure
1 Configure Switch A
a Create VLAN 2, VLAN 6 through VLAN 50 and VLAN 100.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] vlan 100
[3Com-vlan100] vlan 6 to 50
Please wait... Done.
b Enter Ethernet port view of GigabitEthernet1/0/1.
[3Com] interface GigabitEthernet 1/0/1
c Configure GigabitEthernet1/0/1 as a trunk port, and configure its default VLAN ID as VLAN 100.
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 100
d Configure GigabitEthernet1/0/1 to permit the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to pass.
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
2 Configuration on Switch B is the same as that on Switch A.
13 VOICE VLAN CONFIGURATION
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice traffic. By adding the ports with voice devices attached to voice VLANs, you can perform QoS (quality of service)-related configuration for voice data, ensuring the transmission priority and quality of the voice stream.
The Switch 4500G determines whether a received packet is a voice packet by checking its source MAC address. If the source MAC address of a packet matches one of the organizationally unique identifier (OUI) addresses configured on the system, the packet is treated as a voice packet and transmitted in the voice VLAN.
You can configure an OUI address for voice packets or use the default OUI addresses. Table 83 below shows the five default OUI addresses of the switch.
An OUI address is a globally unique identifier assigned to a vendor by the IEEE. You can determine which vendor a device belongs to from its OUI, which forms the first 24 bits of its MAC address.
You can add or delete the default OUI addresses manually.
Automatic Mode and Manual Mode of Voice VLAN
A voice VLAN can operate in two modes: automatic mode and manual mode. You can configure the operation mode of a voice VLAN according to the data stream passing through the ports of the voice VLAN.
- In automatic mode, the system identifies the source MAC address contained in the untagged packet sent when the IP phone is powered on and matches it against the OUI addresses. If a match is found, the system automatically adds the port to the voice VLAN and issues ACL rules to ensure the precedence of the voice packets. An aging time can be configured on the device: the system removes a port from the voice VLAN if no voice packets are received on it within the aging time. Ports are added and removed automatically by the system.
Table 83 Default OUI addresses preset by the switch
Number OUI Address Vendor
1 0003-6b00-0000 Cisco phone
2 000f-e200-0000 3Com Aolynk phone
3 00d0-1e00-0000 Pingtel phone
4 00e0-7500-0000 Polycom phone
5 00e0-bb00-0000 3com phone
- In manual mode, administrators add the IP phone access port to the voice VLAN directly. The switch then identifies the source MAC address contained in each packet, matches it against the OUI addresses, and decides whether to forward the packet in the voice VLAN. The administrators issue ACL rules when adding a port to or deleting a port from the voice VLAN. In this mode, ports are added and removed by the administrators.
Both modes forward tagged packets in the same manner: based on the VLAN ID contained in the packets.
The two working modes are configured only in Ethernet interface view. The working mode can differ from port to port: different ports can be configured to work in different modes.
The following table lists the correlation between the working mode of a voice VLAN, the voice traffic type of an IP phone, and the link type of the port.
Table 84 Port modes and voice stream types
Automatic mode, tagged voice stream:
  Access port: not supported.
  Trunk port: supported. Make sure the default VLAN of the port exists, is not a voice VLAN, and is permitted on the port.
  Hybrid port: supported. Make sure the default VLAN of the port exists and is in the list of tagged VLANs whose packets are permitted by the port.
Automatic mode, untagged voice stream:
  Access, trunk and hybrid ports: not supported, because the default VLAN of the port must be a voice VLAN and the port must be in the voice VLAN. To achieve this, add the port to the voice VLAN manually.
Manual mode, tagged voice stream:
  Access port: not supported.
  Trunk port: supported. Make sure the default VLAN of the port exists, is not a voice VLAN, and is permitted on the port.
  Hybrid port: supported. Make sure the default VLAN of the port exists and is in the list of tagged VLANs whose packets are permitted by the port.
Manual mode, untagged voice stream:
  Access port: supported. Make sure the default VLAN of the port is a voice VLAN.
  Trunk port: supported. Make sure the default VLAN of the port is a voice VLAN and the port permits the packets of that VLAN.
  Hybrid port: supported. Make sure the default VLAN of the port is a voice VLAN and is in the list of untagged VLANs whose packets are permitted by the port.
CAUTION:
- If the voice stream transmitted by your IP phone carries a VLAN tag and the port the IP phone is attached to is enabled with 802.1x authentication and an 802.1x guest VLAN, assign different VLAN IDs to the voice VLAN, the default VLAN of the port, and the 802.1x guest VLAN so that the two functions operate properly.
- If the voice stream transmitted by the IP phone carries no VLAN tag, the default VLAN of the port the IP phone is attached to can only be configured as a voice VLAN for the voice VLAN function to take effect. In this case, 802.1x authentication is unavailable.
The default VLAN of all ports is VLAN 1. You can use the corresponding commands to specify a default VLAN for a port and to allow certain VLANs to pass through the port; see Port-Based VLAN Configuration for the related commands.
Use the display interface command to display the VLANs allowed to pass through a port and the default VLAN of the port.
Security Mode and Ordinary Mode of Voice VLAN
A voice VLAN works in security mode or ordinary mode according to the packet filtering rule of the port enabled with the voice VLAN function.
- In security mode, a port with the voice VLAN function enabled allows only voice packets whose source MAC address matches a recognized OUI address. Other packets are discarded (including some authentication packets, such as 802.1x authentication packets).
- In ordinary mode, a port with the voice VLAN function enabled allows both voice packets and other types of packets to pass. Voice packets comply with the filtering rule of the voice VLAN, and other packets comply with the filtering rule of the ordinary VLAN.
You are recommended not to transmit voice data and other service data in a voice VLAN simultaneously. If you need to do so, make sure you have disabled the security mode of the voice VLAN.
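To show how the OUI table, the security/ordinary mode choice and the automatic-mode aging timer fit together, here is an added Python model; it is not code from the 3Com guide or from the switch. The OuiTable class holds the five default OUI entries from Table 83 (with the ffff-ff00-0000 mask shown by display voice vlan oui later in this chapter) plus any entry added in the way the voice vlan mac-address command does, port_decision applies the security-mode and ordinary-mode rules just described to a packet's source MAC address, and AutoModeTracker implements the join-on-match and age-out behaviour of automatic mode. Class and function names and the sample MAC addresses are constructed for the example. The model also makes the nature of the check visible: it is a match on the first 24 bits of the source address, a classification of traffic rather than an authentication of the device, which is why the text advises against carrying other service data in the voice VLAN.

```python
from typing import Dict, List, Optional, Tuple

# Added example (not code from the 3Com guide): how a voice-VLAN-enabled port
# classifies packets by source MAC against its OUI table, and what the security
# and ordinary modes do with packets that do not match. The five entries are the
# default OUI addresses from Table 83; the mask is the one the switch displays
# for them with "display voice vlan oui".
DEFAULT_OUI: List[Tuple[str, str, str]] = [
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
    ("000f-e200-0000", "ffff-ff00-0000", "3Com Aolynk phone"),
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3com phone"),
]


def mac_to_int(mac: str) -> int:
    """Parse hhhh-hhhh-hhhh (switch notation) or hh:hh:hh:hh:hh:hh into an integer."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


class OuiTable:
    """The OUI list consulted for every packet on a port with voice VLAN enabled."""

    def __init__(self, entries: List[Tuple[str, str, str]] = DEFAULT_OUI) -> None:
        self._entries = [(mac_to_int(o), mac_to_int(m), d) for o, m, d in entries]

    def add(self, oui: str, mask: str, description: str = "") -> None:
        """Same effect as 'voice vlan mac-address oui mask oui-mask description text'."""
        self._entries.append((mac_to_int(oui), mac_to_int(mask), description))

    def match(self, src_mac: str) -> Optional[str]:
        """Description of the first entry whose masked OUI equals the masked source MAC."""
        src = mac_to_int(src_mac)
        for oui, mask, desc in self._entries:
            if src & mask == oui & mask:
                return desc
        return None


def port_decision(table: OuiTable, src_mac: str, security_mode: bool) -> str:
    """Ingress decision on a port with the voice VLAN function enabled:
    'voice' - the source MAC matches an OUI entry, forward in the voice VLAN
    'drop'  - no match and the port is in security mode (non-voice packets,
              802.1x authentication packets included, are discarded)
    'data'  - no match and the port is in ordinary mode, forward under the
              filtering rule of the ordinary VLAN
    """
    if table.match(src_mac) is not None:
        return "voice"
    return "drop" if security_mode else "data"


class AutoModeTracker:
    """Automatic mode: a port joins the voice VLAN when a matching packet is seen
    and is removed again when no voice packet arrives within the aging time."""

    def __init__(self, table: OuiTable, aging_minutes: int = 1440) -> None:
        self.table = table
        self.aging = aging_minutes            # default aging time of the chapter's tables
        self.last_seen: Dict[str, int] = {}   # port name -> minute of last voice packet

    def observe(self, port: str, src_mac: str, now_min: int) -> bool:
        """Record a packet; returns True if it counted as voice traffic for the port."""
        if self.table.match(src_mac) is None:
            return False
        self.last_seen[port] = now_min
        return True

    def members(self, now_min: int) -> List[str]:
        """Ports still in the voice VLAN at now_min; ports past the aging time age out."""
        for port in [p for p, t in self.last_seen.items() if now_min - t >= self.aging]:
            del self.last_seen[port]
        return sorted(self.last_seen)


if __name__ == "__main__":
    table = OuiTable()
    table.add("0011-2200-0000", "ffff-ff00-0000", "test")   # the chapter's example OUI
    for mac in ("00e0-bb12-3456", "0011-22aa-bbcc", "0800-2712-3456"):   # constructed MACs
        print(mac, table.match(mac),
              "security:", port_decision(table, mac, True),
              "ordinary:", port_decision(table, mac, False))
```

With the constructed addresses, the first two are classified as voice (a 3com phone OUI and the added test entry) in both modes, while the third is dropped in security mode and forwarded as ordinary data in ordinary mode.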
Voice VLAN Configuration
Configuration Prerequisites
- Create the corresponding VLAN before configuring a voice VLAN.
- VLAN 1 is the default VLAN and does not need to be created, but VLAN 1 does not support the voice VLAN function.
Configuring a Voice VLAN to Operate in Automatic Mode
Table 85 Configure a voice VLAN to operate in automatic mode
1 Enter system view: system-view
2 Set the aging time for the voice VLAN: voice vlan aging minutes
  Optional. The default aging time is 1,440 minutes; the aging time is effective only for ports in automatic mode.
3 Enable the voice VLAN security mode: voice vlan security enable
  Optional. By default, the voice VLAN security mode is enabled.
4 Set an OUI address that can be identified by the voice VLAN: voice vlan mac-address oui mask oui-mask [ description text ]
  Optional. A voice VLAN has five default OUI addresses.
5 Enable the voice VLAN function globally: voice vlan vlan-id enable
  Required.
6 Enter port view: interface interface-type interface-number
7 Set the voice VLAN operation mode to automatic mode: voice vlan mode auto
  Optional. The default voice VLAN operation mode is automatic mode.
8 Enable the voice VLAN function for the port: voice vlan enable
  Required.
Execute the voice vlan security enable command or the undo voice vlan security enable command before you enable the voice VLAN function globally. Otherwise, the command will not take effect.
Configuring a Voice VLAN to Operate in Manual Mode
Table 86 Configure a voice VLAN to operate in manual mode
1 Enter system view: system-view
2 Set the aging time for the voice VLAN: voice vlan aging minutes
  Optional. The default aging time is 1,440 minutes; the aging time is effective only for ports in automatic mode.
3 Enable the voice VLAN security mode: voice vlan security enable
  Optional. By default, the voice VLAN security mode is enabled.
4 Set an OUI address that can be identified by the voice VLAN: voice vlan mac-address oui mask oui-mask [ description text ]
  Optional. If you do not set an address, the default OUI addresses are used.
5 Enable the voice VLAN function globally: voice vlan vlan-id enable
  Required.
6 Enter port view: interface interface-type interface-number
7 Set the voice VLAN operation mode to manual mode: undo voice vlan mode auto
  Required. The default voice VLAN operation mode is automatic mode.
8 Add the manual mode port to the voice VLAN: refer to Port-Based VLAN Configuration
  Required.
9 Specify the voice VLAN as the default VLAN of the port: refer to Port-Based VLAN Configuration
  Required.
10 Enable the voice VLAN function for the port: voice vlan enable
  Required. By default, the voice VLAN function is disabled on a port.
Notes:
- You can enable the voice VLAN function for only one VLAN on a switch at a time.
- You cannot enable the voice VLAN function on a port on which the link aggregation control protocol (LACP) is enabled.
- A dynamic VLAN becomes a static VLAN after the voice VLAN function is enabled for it.
- Execute the voice vlan security enable command or the undo voice vlan security enable command before you enable the voice VLAN function globally. Otherwise, the command will not take effect.
Displaying and Maintaining Voice VLAN
After the above configurations, you can execute the display command in any view to view the running status and verify the configuration effect.
Table 87 Display and debug a voice VLAN
- Display the voice VLAN state: display voice vlan state (available in any view)
- Display the OUI addresses currently supported by the system: display voice vlan oui (available in any view)
Voice VLAN Configuration Example
Voice VLAN Configuration Example (Automatic Mode)
Network requirements
- Create VLAN 2 and configure it as a voice VLAN with an aging time of 100 minutes.
- Configure port GigabitEthernet1/0/1 as a trunk port, with VLAN 6 as its default VLAN.
- The device allows voice packets received on GigabitEthernet1/0/1 with an OUI address of 0011-2200-0000 and a mask of ffff-ff00-0000 to be forwarded through the voice VLAN.
Configuration procedure
1 Create VLAN 2 and VLAN 6.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] quit
[3Com] vlan 6
[3Com-vlan6] quit
2 Set the aging time for the voice VLAN.
[3Com] voice vlan aging 100
3 Set 0011-2200-0000 as an OUI address that can be identified by the voice VLAN.
[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
4 Enable the voice VLAN function globally.
[3Com] voice vlan 2 enable
5 Set the voice VLAN operation mode of GigabitEthernet1/0/1 to automatic mode (automatic mode is the default).
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] voice vlan mode auto
6 Configure port GigabitEthernet1/0/1 as a trunk port.
[3Com-GigabitEthernet1/0/1] port link-type trunk
7 Set the default VLAN of the port to VLAN 6 and permit VLAN 6 to pass through the port.
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 6
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 6
8 Enable the voice VLAN function for the port.
[3Com-GigabitEthernet1/0/1] voice vlan enable
Voice VLAN Configuration Example (Manual Mode)
Network requirements
- Create VLAN 2 and configure it as a voice VLAN.
- Set the aging time of the voice VLAN to 100 minutes.
- The voice stream transmitted by the IP phone is untagged, and the port the IP phone is attached to is the hybrid port GigabitEthernet1/0/1.
- GigabitEthernet1/0/1 works in manual mode and only permits voice packets with the following features to pass: OUI address 0011-2200-0000, mask ffff-ff00-0000, description string test.
Network diagram
None
Configuration procedure
1 Set the voice VLAN to work in security mode, so that only legal voice packets pass (optional; security mode is the default).
<3Com> system-view
[3Com] voice vlan security enable
2 Set the aging time for the voice VLAN.
[3Com] voice vlan aging 100
3 Set 0011-2200-0000 as an OUI address that can be identified by the voice VLAN.
[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
4 Create VLAN 2 and enable the voice VLAN function for it.
[3Com] vlan 2
[3Com-vlan2] quit
[3Com] voice vlan 2 enable
5 Set GigabitEthernet1/0/1 to work in manual mode.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] undo voice vlan mode auto
6 Configure GigabitEthernet1/0/1 as a hybrid port.
[3Com-GigabitEthernet1/0/1] port link-type hybrid
7 Configure the voice VLAN as the default VLAN of port GigabitEthernet1/0/1.
[3Com-GigabitEthernet1/0/1] port hybrid pvid vlan 2
8 Manually add hybrid port GigabitEthernet1/0/1 to the voice VLAN in untagged format.
[3Com-GigabitEthernet1/0/1] port hybrid vlan 2 untagged
9 Enable the voice VLAN function for port GigabitEthernet1/0/1.
[3Com-GigabitEthernet1/0/1] voice vlan enable
Displaying and verification
1 Display the currently supported OUI addresses and the related information.
<3Com> display voice vlan oui
Oui Address       Mask              Description
0003-6b00-0000    ffff-ff00-0000    Cisco phone
000f-e200-0000    ffff-ff00-0000    3Com Aolynk phone
0011-2200-0000    ffff-ff00-0000    test
00d0-1e00-0000    ffff-ff00-0000    Pingtel phone
00e0-7500-0000    ffff-ff00-0000    Polycom phone
00e0-bb00-0000    ffff-ff00-0000    3com phone
2 Display the current voice VLAN state.
<3Com> display voice vlan state
Voice VLAN status: ENABLE
Voice VLAN ID: 2
Voice VLAN configuration mode: MANUAL
Voice VLAN security mode: Security
Voice VLAN aging time: 100 minutes
Voice VLAN enabled port and its mode:
PORT                        MODE
--------------------------------
GigabitEthernet1/0/1        MANUAL
14 GVRP CONFIGURATION
Introduction to GARP
The generic attribute registration protocol (GARP) provides a mechanism that allows participants in a GARP application to distribute, propagate, and register with other participants in a bridged LAN the attributes specific to the GARP application, such as the VLAN or multicast address attribute.
GARP-compliant application entities are called GARP applications; GVRP is one example. When a GARP application entity is present on a port of your device, this port is regarded as a GARP application entity.
GARP messages and timers
1 GARP messages
GARP participants, which can be end stations or bridges, exchange attributes primarily by sending the following three types of messages:
- Join: to announce the willingness to register attributes with other participants.
- Leave: to announce the willingness to deregister attributes with other participants. Together with Join messages, Leave messages guarantee attribute reregistration and deregistration.
- LeaveAll: to deregister all attributes. A LeaveAll message is sent upon expiration of the LeaveAll timer, which starts when a GARP application entity starts.
Through message exchange, all attribute information that needs registration propagates to all GARP participants throughout a bridged LAN.
2 GARP timers
GARP sets the intervals for sending GARP messages by using these four timers:
- Hold timer: when a GARP application entity receives the first registration request, it starts a hold timer and collects the succeeding requests. When the timer expires, the entity sends all these requests in one Join message, which saves bandwidth.
- Join timer: each GARP application entity sends a Join message twice for reliability and uses the join timer to set the interval between the two.
- Leave timer: starts upon receipt of a Leave message. When this timer expires, the GARP application entity removes the attribute information as requested.
- LeaveAll timer: starts when a GARP application entity starts. When this timer expires, the entity sends a LeaveAll message so that other entities can re-register their attribute information, and the LeaveAll timer starts again.
- The settings of GARP timers apply to all GARP applications, such as GVRP, running on a LAN.
- Unlike the other three timers, which are set on a per-port basis, the LeaveAll timer is set in system view and takes effect globally.
- A GARP application entity may send LeaveAll messages at the interval set by its own LeaveAll timer or by the LeaveAll timer of another GARP application entity on the network, whichever is smaller.
Operating mechanism of GARP
The GARP mechanism allows the configuration of a GARP participant to propagate throughout a LAN quickly. In GARP, a participant registers or deregisters its attributes with other participants by making or withdrawing declarations of attributes, and at the same time handles the attributes of other participants based on the declarations or withdrawals it receives.
GARP application entities send protocol data units (PDUs) with a particular multicast MAC address as the destination. Based on this address, a device can identify the GARP application (GVRP, for example) to which a received GARP PDU should be delivered.
GARP message format
The following figure illustrates the GARP message format.
Figure 46 GARP message format
The following table describes the GARP message fields.
Table 88 Description of the GARP message fields
- Protocol ID: the protocol identifier for GARP. Value: 1.
- Message: one or more messages, each containing an attribute type and an attribute list.
- Attribute Type: defined by the GARP application concerned. Value: 0x01 for GVRP, indicating the VLAN ID attribute.
- Attribute List: consists of one or more attributes.
- Attribute: consists of an Attribute Length, an Attribute Event, and an Attribute Value. If the Attribute Event is LeaveAll, the Attribute Value is omitted.
- Attribute Length: the number of octets occupied by an attribute, inclusive of the attribute length field. Value: 2 to 255 bytes.
- Attribute Event: the event described by the attribute. Value: 0 for LeaveAll, 1 for JoinEmpty, 2 for JoinIn, 3 for LeaveEmpty, 4 for LeaveIn, 5 for Empty.
- Attribute Value: the attribute value. Value: the VLAN ID for GVRP.
- End Mark: indicates the end of the PDU.
Introduction to GVRP
GVRP enables a device to propagate local VLAN registration information to other participant devices and to dynamically update its local database with the VLAN registration information received from other devices. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries learned from other devices.
GVRP provides the following three registration types on a port:
- Normal: enables the port to dynamically register and deregister VLANs, and to propagate both dynamic and static VLAN information.
- Fixed: prevents the port from dynamically registering/deregistering VLANs or propagating dynamic VLAN information, but allows the port to propagate static VLAN information. A trunk port with the fixed registration type thus allows only manually configured VLANs to pass through, even though it is configured to carry all VLANs.
- Forbidden: prevents the port from dynamically registering/deregistering VLANs, and from propagating VLAN information except for VLAN 1. A trunk port with the forbidden registration type thus allows only VLAN 1 to pass through, even though it is configured to carry all VLANs.
Protocols and Standards
IEEE 802.1Q specifies GVRP.
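The field list in Table 88 is enough to write an encoder and a defensive parser for the GVRP case. The following Python code is an added example, not code from the 3Com guide or from any switch firmware: the field widths (a 2-octet Protocol ID, 1-octet Attribute Type, Attribute Length and Attribute Event fields, a 2-octet VLAN ID value) and the 0x00 octet used as End Mark are taken from the IEEE 802.1D GARP encoding, and the function names are my own. The decoder checks every Attribute Length against the remaining buffer and against the 2-to-255 range from Table 88 before using it, so a malformed or truncated PDU is rejected with an error instead of being read past its end.

```python
import struct
from typing import List, Optional, Tuple

# Added example (not code from the 3Com guide): build and parse a GARP PDU that
# carries one GVRP message, following the field layout of Table 88. Field widths
# and the 0x00 End Mark octet follow the IEEE 802.1D GARP encoding.
PROTOCOL_ID = 0x0001
ATTR_TYPE_VID = 0x01        # GVRP: VLAN ID attribute
END_MARK = 0x00             # closes the attribute list and, again, the whole PDU
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn", 3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
EVENT_CODES = {name: code for code, name in EVENTS.items()}

Attr = Tuple[str, Optional[int]]    # (event name, VLAN ID; None for LeaveAll)


def encode_gvrp_pdu(attrs: List[Attr]) -> bytes:
    """Serialise attributes into a PDU with a single GVRP message."""
    out = bytearray(struct.pack("!H", PROTOCOL_ID))
    out.append(ATTR_TYPE_VID)
    for event, vid in attrs:
        code = EVENT_CODES[event]
        if event == "LeaveAll":          # no value: the length covers itself and the event
            out += bytes([2, code])
        else:
            if vid is None or not 1 <= vid <= 4094:
                raise ValueError(f"invalid VLAN ID for {event}: {vid}")
            out += bytes([4, code]) + struct.pack("!H", vid)
    out.append(END_MARK)                 # end of the attribute list
    out.append(END_MARK)                 # end of the PDU
    return bytes(out)


def decode_gvrp_pdu(pdu: bytes) -> List[Attr]:
    """Parse a PDU. Every length field is validated against the buffer before it
    is used, so malformed or truncated input raises ValueError."""
    if len(pdu) < 5:                     # protocol ID + type + list end + PDU end
        raise ValueError("PDU shorter than the smallest PDU with one message")
    if struct.unpack_from("!H", pdu, 0)[0] != PROTOCOL_ID:
        raise ValueError("not a GARP PDU")
    pos, attrs = 2, []
    while pos < len(pdu) and pdu[pos] != END_MARK:       # one message per iteration
        if pdu[pos] != ATTR_TYPE_VID:
            raise ValueError(f"unsupported attribute type {pdu[pos]:#x}")
        pos += 1
        while True:                                       # the attribute list
            if pos >= len(pdu):
                raise ValueError("attribute list not terminated")
            length = pdu[pos]
            if length == END_MARK:
                pos += 1
                break
            if length < 2 or pos + length > len(pdu):     # Table 88: 2 to 255, inside buffer
                raise ValueError(f"bad attribute length {length} at offset {pos}")
            code = pdu[pos + 1]
            if code not in EVENTS:
                raise ValueError(f"unknown attribute event {code}")
            value = pdu[pos + 2:pos + length]
            if code == 0:
                if value:
                    raise ValueError("LeaveAll attribute must not carry a value")
                attrs.append(("LeaveAll", None))
            else:
                if len(value) != 2:
                    raise ValueError("GVRP attribute value must be a 2-octet VLAN ID")
                attrs.append((EVENTS[code], struct.unpack("!H", value)[0]))
            pos += length
    if pos >= len(pdu) or pdu[pos] != END_MARK:
        raise ValueError("PDU end mark missing")
    return attrs


if __name__ == "__main__":
    pdu = encode_gvrp_pdu([("JoinIn", 2), ("LeaveAll", None)])   # constructed sample
    print(pdu.hex(), decode_gvrp_pdu(pdu))
```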
Configuring GVRP
When configuring GVRP, you need to configure the timers, enable GVRP, and configure the GVRP registration mode.
Configuration Prerequisites
Use the port link-type trunk command to set the link type of the port on which you want to use GVRP to trunk.
Configuration Procedure
Follow these steps to configure GVRP on a trunk port:
Table 89 Configuration Procedure
1 Enter system view: system-view
2 Enable GVRP globally: gvrp
  Required. Disabled by default.
3 Enter Ethernet interface view or port-group view (perform either command):
  interface interface-type interface-number
  port-group { manual port-group-name | aggregation agg-id }
  Depending on the view you accessed, the subsequent configuration takes effect on one port or on all ports in the port-group.
4 Enable GVRP on the port: gvrp
  Required. Disabled by default.
5 Configure the GVRP registration mode on the port: gvrp registration { normal | fixed | forbidden }
  Optional. The default is normal.
On a port, BPDU tunnel is not compatible with GVRP.
Setting GARP Timers
Table 90 Set GARP timers
1 Enter system view: system-view
2 Set the GARP LeaveAll timer: garp timer leaveall timer-value
  Optional. By default, the LeaveAll timer is set to 1,000 centiseconds.
3 Enter Ethernet interface view or port-group view (perform either command):
  interface interface-type interface-number
  port-group { manual port-group-name | aggregation agg-id }
  Depending on the view you accessed, the subsequent configuration takes effect on one port or on all ports in the port-group.
4 Set the GARP Hold timer, Join timer and Leave timer: garp timer { hold | join | leave } timer-value
  Optional. By default, the Hold, Join, and Leave timers are set to 10, 20, and 60 centiseconds respectively.
When configuring GARP timers, note that their values depend on each other and must be multiples of five centiseconds. If the value range of a timer is not what you want, you can change it by tuning the value of another timer, as shown in the following table:
Table 91 Dependencies of GARP timers
Hold: lower limit 10 centiseconds; upper limit not greater than half of the join timer setting.
Join: lower limit not less than two times the hold timer setting; upper limit less than half of the leave timer setting.
Leave: lower limit greater than two times the join timer setting; upper limit less than the leaveall timer setting.
Leaveall: lower limit greater than the leave timer setting; upper limit 32,765 centiseconds.
Displaying and Maintaining GVRP
Table 92 Display and Maintain GVRP
- Display statistics about GARP: display garp statistics [ interface interface-list ] (available in any view)
- Display GARP timers for all or specified ports: display garp timer [ interface interface-list ] (available in any view)
- Display statistics about GVRP: display gvrp statistics [ interface interface-list ] (available in any view)
- Display the global GVRP state: display gvrp status (available in any view)
- Clear the GARP statistics: reset garp statistics [ interface interface-list ] (available in user view)
GVRP Configuration Example
Example 1
Network requirements
Configure GVRP for dynamic VLAN information registration and update among devices.
Network diagram
Figure 47 Network diagram for GVRP configuration
[Figure 47: Switch A, port GE1/0/1, connected to Switch B, port GE1/0/2]
146 CHAPTER 14: GVRP CONFIGURATION
Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
[3Com] gvrp
b Configure port GigabitEthernet 1/0/1 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on GigabitEthernet 1/0/1.
[3Com-GigabitEthernet1/0/1] gvrp
d Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
[3Com] gvrp
b Configure port GigabitEthernet 1/0/2 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
c Enable GVRP on GigabitEthernet 1/0/2.
[3Com-GigabitEthernet1/0/2] gvrp
d Create static VLAN 3.
[3Com] vlan 3
e Display the dynamic VLANs on Switch A.
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
3
f Display the dynamic VLANs on Switch B.
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
2
Example 2 Network requirements
Enable GVRP on devices and configure the port registration mode as fixed to realize
dynamic registration and update of some VLAN information between devices.
GVRP Configuration Example 147
Network diagram
Figure 48 Network diagram for GVRP configuration
Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure port GigabitEthernet1/0/1 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on GigabitEthernet1/0/1.
[3Com-GigabitEthernet1/0/1] gvrp
d Configure the GVRP registration mode as fixed.
[3Com-GigabitEthernet1/0/1] gvrp registration fixed
e Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure port GigabitEthernet1/0/2 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
c Enable GVRP on GigabitEthernet1/0/2.
[3Com-GigabitEthernet1/0/2] gvrp
d Create static VLAN 3.
[3Com] vlan 3
3 Display the configuration
a Display the dynamic VLAN information on Switch A.
[3Com] display vlan dynamic
No dynamic vlans exist!
Figure 48 (diagram): Switch A, port GE1/0/1, connected to Switch B, port GE1/0/2.
b Display the dynamic VLAN information on Switch B.
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
2
GVRP Configuration Examples
Network requirements
Enable GVRP on devices and configure the port registration mode as forbidden to forbid
dynamic registration and update of VLAN information between devices.
Network diagram
Figure 49 Network diagram for GVRP configuration
Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure GigabitEthernet1/0/1 as a trunk port, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on the trunk port.
[3Com-GigabitEthernet1/0/1] gvrp
d Configure the GVRP registration mode as forbidden.
[3Com-GigabitEthernet1/0/1] gvrp registration forbidden
e Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure GigabitEthernet1/0/2 as a trunk port, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
Figure 49 (diagram): Switch A, port GE1/0/1, connected to Switch B, port GE1/0/2.
c Enable GVRP on the trunk port.
[3Com-GigabitEthernet1/0/2] gvrp
d Create static VLAN 3.
[3Com] vlan 3
3 Display the configuration
a Display dynamic VLAN information on Switch A.
[3Com] display vlan dynamic
No dynamic vlans exist!
b Display dynamic VLAN information on Switch B.
[3Com] display vlan dynamic
No dynamic vlans exist!
15 ETHERNET INTERFACE CONFIGURATION
General Ethernet Interface Configuration
Combo Port Configuration
Introduction to Combo port
A Combo port refers to two Ethernet interfaces on a device panel (normally one optical port and one electrical port) that share a single forwarding interface inside the device. The optical (SFP) port and its corresponding electrical (TX) port work as a TX/SFP pair: you can use either of them, depending on the actual network requirements, but not both at the same time. When one port is working, the other is disabled, and vice versa.
A Combo port is therefore a logical port with two physical connections, one called the optical port and the other the electrical port, corresponding to a single forwarding port inside the device. Only one of the two can be active at a time; when one is active, the other is automatically deactivated.
For ease of management, a Combo port belongs to one of the following two types:
- Single Combo port: the two Ethernet interfaces on the device panel correspond to only one interface view, in which the state of the two interfaces is switched. A single Combo port can be a Layer 2 Ethernet interface or a Layer 3 Ethernet interface.
- Double Combo port: the two Ethernet interfaces on the device panel correspond to two interface views, and the state switchover is performed in the interface view of each port. A double Combo port can only be a Layer 2 Ethernet interface.
Currently, the Switch 4500G Family series supports double Combo ports.
152 CHAPTER 15: ETHERNET INTERFACE CONFIGURATION
Configuring Combo port state
Follow these steps to configure a double Combo port state:
Table 93 Configuring Combo port state
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Enable a specified double Combo port: undo shutdown (optional; by default, of the two ports in a Combo port, the one with the smaller port ID is enabled, and the port with the smaller port ID is the electrical one)
Basic Ethernet Interface Configuration
Three types of duplex modes exist for Ethernet interfaces:
- Full-duplex mode (full): in this mode, sending and receiving of data packets happen simultaneously.
- Half-duplex mode (half): in this mode, at any given time either sending or receiving of data packets is allowed, but not both.
- Autonegotiation mode (auto): in this mode, the transmission mode is negotiated between peer Ethernet interfaces.
If you configure the transmission rate of an Ethernet interface as auto, the rate is negotiated automatically between peer Ethernet interfaces.
Follow these steps to make basic Ethernet interface configurations:
Table 94 Basic Ethernet Interface Configuration
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Enable an Ethernet interface: undo shutdown (optional; enabled by default; use the shutdown command to disable a port)
Configure the description for an Ethernet interface: description text (optional; defaults to the current interface name followed by the interface string)
Configure the duplex mode for an Ethernet interface: duplex { auto | full | half } (optional; defaults to auto)
Configure the transmission rate for an Ethernet interface: speed { 10 | 100 | 1000 | auto } (optional; defaults to auto)
General Ethernet Interface Configuration 153
- For a double Combo port, the optical port goes up when you use the undo shutdown command on it and the paired electrical port goes down, and vice versa.
- The mdi and virtual-cable-test commands are not available on the optical Combo port.
- The optical Combo port cannot work in half-duplex mode and supports only two speed options: 1000 Mbps and auto.
- When a port works at 1000 Mbps, you cannot configure it in half-duplex mode, and vice versa.
Configuring Flow Control on an Ethernet Interface
When flow control is turned on between peer Ethernet interfaces and traffic congestion occurs at the ingress interface, the ingress interface sends a Pause frame notifying the egress interface to temporarily suspend the sending of packets. The egress interface is expected to stop sending new packets when it receives the Pause frame. In this way, flow control helps to avoid packet drops. Note that this works only after both the ingress and the egress interfaces have turned on flow control.
Follow these steps to configure flow control on an Ethernet interface:
Table 95 Configuring Flow Control on an Ethernet Interface
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Turn on flow control on an Ethernet interface: flow-control (required; turned off by default)
Currently, the Switch 4500G Family series supports flow control in the inbound direction only.
Configuring Loopback Testing on an Ethernet Interface
You can enable loopback testing to check whether an Ethernet interface is functioning properly. Note that no data packets can be forwarded during the test. Loopback testing falls into the following two categories:
- Internal loopback testing: packets from an interface go inside the switch and then back to the originating interface. If the internal loopback test succeeds, the interface is OK.
- External loopback testing: a loopback plug needs to be plugged into the Ethernet interface. If the data packets sent from the interface are received by the same interface through the loopback plug, the external loopback test is successful, indicating that the interface is functioning properly.
Follow these steps to configure Ethernet interface loopback testing:
Table 96 Configuring Loopback Testing on an Ethernet Interface
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Enable loopback testing: loopback { external | internal } (optional; disabled by default)
- Loopback testing is not applicable when the interface is in the shutdown state.
- The speed, duplex, mdi, and shutdown commands are not applicable during a loopback test.
- Loopback testing is not supported on certain interfaces. Performing a loopback test on these interfaces triggers a system prompt saying so.
Configuring a Port Group
To make configuration easier, certain devices allow you to configure not only a single port but also multiple ports in a port group. In port group view, you only need to enter a configuration command once, and that configuration applies to all ports in the port group. This effectively reduces redundant configuration.
A port group belongs to one of the following two categories:
- Manual port group: created manually by users. Multiple Ethernet interfaces can be added to the same port group.
- Dynamic port group: created dynamically by the system, currently mainly used for link aggregation port groups. A link aggregation port group is created automatically together with the link aggregation group and cannot be created by users through the command line. Ports can be added to or removed from a link aggregation port group only through operations on the link aggregation group.
Follow these steps to enter port group view:
Table 97 Configuring a Port Group
Enter system view: system-view
Enter port group view, using either of the following:
  Enter manual port group view: port-group manual port-group-name
  Enter aggregation port group view: port-group aggregation agg-id
Follow these steps to configure a manual port group:
Table 98 Configure Manual Port Group
Enter system view: system-view
Create a manual port group and enter manual port group view: port-group manual port-group-name (required)
Add an Ethernet interface to a specified manual port group: group-member interface-list (required)
Display information for a specified port group or all manual port groups: display port-group manual [ all | name port-group-name ] (available in any view)
- For details on configuring a link aggregation port group, refer to Link Aggregation.
- Manual port groups do not survive a system reboot.
Configuring Storm Suppression Ratio on an Ethernet Interface
You can use the following commands to suppress broadcast, multicast, and unknown unicast traffic.
Traffic that exceeds the configured threshold is discarded so that the traffic remains below the threshold. This effectively prevents storms, avoids network congestion, and ensures that the network functions properly.
Configure the storm suppression ratio on an Ethernet interface:
Table 99 Configuring Storm Suppression Ratio on an Ethernet Interface
Enter system view: system-view
Enter Ethernet interface view or port group view, using either of the following (at least one is required; configurations made in Ethernet interface view apply to the current port only, whereas configurations made in port group view apply to all ports in the group):
  Enter Ethernet interface view: interface interface-type interface-number
  Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Configure the broadcast storm suppression ratio: broadcast-suppression { ratio | pps pps } (optional; defaults to 100%, that is, broadcast traffic is not suppressed by default)
Configure the multicast storm suppression ratio: multicast-suppression { ratio | pps pps } (optional; defaults to 100%, that is, multicast traffic is not suppressed by default)
Configure the unknown unicast storm suppression ratio: unicast-suppression { ratio | pps pps } (optional; defaults to 100%, that is, unknown unicast traffic is not suppressed by default)
Copying Configurations from a Specified Port to Other Ports
Using the copy configuration command, you can easily copy configurations from a specified Ethernet interface to other Ethernet interfaces, provided that they all work in Layer 2 mode.
Configurations that can be copied include VLAN, QoS, STP, and port configurations, as listed below:
- VLAN configurations: VLANs that are allowed to pass through the port, default VLAN ID.
- QoS configurations: rate limiting, port priority, default 802.1p priority.
- STP configurations: STP enabled/disabled, link type (point-to-point or not), STP priority, route cost, rate limit, loop protection, root protection, edge port or not.
- Port configurations: link type, rate, duplex mode.
Follow these steps to copy configurations from a specified port to other ports:
Table 100 Copying Configurations from a Specified Port to Other Ports
Enter system view: system-view
Copy configurations on a specified Layer 2 Ethernet interface to other Layer 2 Ethernet interfaces: copy configuration source interface-type interface-number destination interface-list (required)
Enabling the Forwarding of Jumbo Frames
Because of the large amount of traffic on Ethernet, some frames are likely to be larger than the standard Ethernet frame size. By allowing such frames (called jumbo frames) to pass through Ethernet interfaces, you can forward frames larger than the standard Ethernet frame size that are still within the specified size range.
Follow these steps to enable the forwarding of jumbo frames:
Table 101 Enabling the Forwarding of Jumbo Frames
Enter system view: system-view
Enable the forwarding of jumbo frames, using either of the following (at least one is required):
  On the ports of a port group: port-group { manual port-group-name | aggregation agg-id }, then jumboframe enable
  On a specified port: interface interface-type interface-number, then jumboframe enable
Configuring an Ethernet Interface to Perform Loopback Detection
The purpose of loopback detection is to detect loopbacks on an interface.
When loopback detection is enabled on an Ethernet interface, the device routinely checks whether the port has an external loopback. If it detects a loopback on a port, the device puts that port in loopback detection mode.
- If an Access port is detected with a loopback, it is shut down. A Trap message is sent to the terminal and the corresponding MAC address forwarding entries are deleted.
- If a Trunk port or Hybrid port has been detected with loopbacks, a Trap messag
loopback detection control feature is enabled on them. In addition, a Trap message is sent to the terminal and the corresponding MAC address forwarding entries are deleted.
Follow these steps to configure loopback detection:
CAUTION:
- Loopback detection on a given port is enabled only after the loopback-detection enable command has been issued in both system view and the interface view of the port.
- Loopback detection on all ports is disabled after the undo loopback-detection enable command is issued in system view.
Table 102 Configuring an Ethernet Interface to Perform Loopback Detection
Enter system view: system-view
Enable global loopback detection: loopback-detection enable (required; disabled by default)
Configure the time interval for external loopback detection: loopback-detection interval-time time (optional; defaults to 30 seconds)
Enter Ethernet interface view: interface interface-type interface-number
Enable loopback detection on the specified port: loopback-detection enable (required; disabled by default)
Enable the loopback detection control feature on the current trunk or hybrid port: loopback-detection control enable (optional; disabled by default)
Enable loopback detection in all VLANs on Trunk or Hybrid ports: loopback-detection per-vlan enable (optional; by default enabled only in the default VLAN(s) of Trunk or Hybrid ports)
Display loopback detection information on a port: display loopback-detection (available in any view)
Configuring Cable Type on an Ethernet Interface
Ethernet interfaces use two types of cable: cross-over cable and straight-through cable. The former is normally used to connect data terminal equipment (DTE) to data communication equipment (DCE), while the latter connects DTEs only.
Follow these steps to configure the cable type on an Ethernet interface:
Table 103 Configuring Cable Type on an Ethernet Interface
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Configure the cable type for an Ethernet interface: mdi { across | auto | normal } (optional; defaults to auto, that is, the system automatically detects the type of cable in use)
- The mdi command is not supported on a Combo optical port.
- For the mdi command, only auto mode can be successfully applied on the Switch 4500G Family series.
Ethernet Interface Cable Testing
Follow these steps to test the current working state of Ethernet interface cables. The system returns the test result within five seconds, indicating the receive direction (RX), the transmit direction (TX), any short or open circuit, and the length of the failed cable.
The virtual-cable-test command is not supported on a Combo optical port.
Table 104 Ethernet Interface Cable Testing
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Test the current working state of Ethernet interface cables: virtual-cable-test (required)
Maintaining and Displaying an Ethernet Interface 159
Maintaining and Displaying an Ethernet Interface
Table 105 Maintaining and Displaying an Ethernet Interface
Display the current state of a specified interface and related information: display interface [ interface-type [ interface-number ] ] (available in any view)
Display a summary of a specified interface: display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ] (available in any view)
Reset the statistics of a specified interface: reset counters interface [ interface-type [ interface-number ] ] (available in user view)
Display the current ports of a specified type: display port { hybrid | trunk | combo } (available in any view)
16 LINK AGGREGATION CONFIGURATION
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called a logical group, to increase reliability and bandwidth.
When configuring this feature, use the following table to find the information you are interested in:
Table 106 Information
Know how link aggregation functions, what protocol is involved, and what approaches to link aggregation are adopted: go to Link Aggregation Overview
Configure link aggregation: go to Configuring Link Aggregation
Consult the display and reset commands available for verifying and maintaining the link aggregation configuration: go to Displaying and Maintaining Link Aggregation
See how to configure link aggregation in typical scenarios: go to Link Aggregation Configuration Example
Link Aggregation Overview
Link aggregation groups multiple Ethernet ports together to form an aggregation group. An upper-layer entity using the link aggregation service treats the multiple physical links in an aggregation group as one logical link.
Link aggregation allows you to increase bandwidth by distributing incoming and outgoing traffic across the member ports of an aggregation group. In addition, it provides reliable connectivity because these member ports can dynamically back each other up.
For more information about link aggregation, see these topics:
- Consistency Considerations for Ports in an Aggregation
- LACP
- Approaches to Link Aggregation
- Load Sharing in a Link Aggregation Group
- Aggregation Port Group
LACP
The link aggregation control protocol (LACP) is defined in IEEE 802.3ad. Link aggregation control protocol data units (LACPDUs) are used for exchanging information among LACP-enabled devices.
162 CHAPTER 16: LINK AGGREGATION CONFIGURATION
LACP is enabled automatically after a port is added to a static link aggregation group. The port sends LACPDUs to notify the remote system of its system LACP priority, system MAC address, port LACP priority, port number, and operational key. Upon receipt of an LACPDU, the remote system compares the received information with the information received on its other ports to determine which ports can operate as selected ports. This allows the two systems to reach agreement on the states of the related ports.
When aggregating ports, link aggregation control automatically assigns each port an operational key based on its rate, duplex mode, and other basic configurations. In an aggregation group, the selected ports share the same operational key.
Consistency Considerations for Ports in an Aggregation
To participate in traffic sharing, member ports in an aggregation must use consistent configurations with respect to STP, QoS, BPDU tunnel, GVRP, VLAN, and port attributes, as shown in the following table.
Item: Considerations
STP: enable/disable state of port-level STP; attribute of the link connected to the port (point-to-point or otherwise); port route metrics; STP priority; maximum transmission rate; enable/disable state of loop protection; enable/disable state of root protection; whether the port is an edge port
QoS: rate limiting; default 802.1p priority; bandwidth assurance; congestion avoidance; traffic policing, SP queuing, WRR queue scheduling, packet priority trust mode, traffic template
GVRP: GVRP enable/disable state, GVRP registration type, GVRP timer values
VLAN: VLANs carried on the port; default VLAN ID on the port; link type of the port (trunk, hybrid, or access); whether VLAN packets are tagged
Port attribute: port rate; duplex mode; up/down state of the link; whether the port is in an isolation group; broadcast/multicast/unicast suppression ratio; jumbo frame enable/disable state
MAC address learning: whether the number of MAC addresses learned is limited
Approaches to Link Aggregation 163
Approaches to Link Aggregation
Manual aggregations are created manually. Member ports in a manual aggregation are LACP-disabled.
Port states in a manual aggregation group
In a manual aggregation group, ports can be selected or unselected: selected ports can receive and transmit data frames, whereas unselected ones cannot.
The port in the Selected state with the lowest port ID is the master port of the aggregation group, and the other ports in the aggregation group are member ports.
When setting the state of the ports in a manual aggregation group, the system does the following:
- When ports in up state are present in the group, it selects a master port in the order of full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duplex/low speed, with full duplex/high speed being the most preferred. When two ports with the same duplex mode/speed pair are present, the one with the lower port number wins. It then places the ports with the same speed/duplex pair, link state and basic configuration as the master in selected state and the others in unselected state.
- When all ports in the group are down, it selects the port with the lowest port number as the master port and sets all ports (including the master) in unselected state.
- It places the ports that cannot aggregate with the master in unselected state.
Manual aggregation limits the number of selected ports in an aggregation group. When the limit is exceeded, the system changes the state of the selected ports with the greater port numbers to unselected until the number of selected ports drops under the limit.
In addition, unless it should be the master port, a port that joins the group after the limit is reached is not placed in selected state even if it would be in normal cases. This prevents the ongoing service on the selected ports from being interrupted. You need to avoid this situation, however, because the selected/unselected state of a port may differ after a reboot.
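The selection rules above, worked through as an added example that is not the switch's own code: given the ports of a manual aggregation group with their link state, speed, duplex mode and a fingerprint of their basic configuration, the script picks the master port and the selected ports and applies the eight-port limit from the note that follows. It assumes, which the text does not state outright, that the master is chosen among the up ports whenever any port is up; the port data is constructed.

```python
"""Model the selected/unselected decision for a manual aggregation group.

Added example, not the switch's code. It follows the rules in the text above:
master = best up port by duplex (full first), then speed (higher first), then
lowest port number; ports matching the master's speed, duplex, link state and
basic configuration become selected; at most MAX_SELECTED ports stay selected,
the highest port numbers being dropped first. Assumption (not stated on the
page): the master is chosen among the up ports when any port is up.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_SELECTED = 8   # "up to eight GE ports ... in Selected condition" (chapter note)


@dataclass(frozen=True)
class Port:
    number: int
    up: bool
    speed: int         # Mbps
    full_duplex: bool
    config: str        # fingerprint of the port's basic configuration (VLAN, STP, QoS ...)


def _master_rank(p: Port) -> Tuple[bool, int, int]:
    # Lower tuple sorts first: full duplex before half, faster before slower,
    # then the lower port number.
    return (not p.full_duplex, -p.speed, p.number)


def choose_master(ports: List[Port]) -> Port:
    up_ports = [p for p in ports if p.up]
    if up_ports:
        return min(up_ports, key=_master_rank)
    # All ports down: the lowest port number is master and nothing is selected.
    return min(ports, key=lambda p: p.number)


def can_aggregate_with(master: Port, p: Port) -> bool:
    return (p.up and p.speed == master.speed
            and p.full_duplex == master.full_duplex and p.config == master.config)


def select_ports(ports: List[Port], limit: int = MAX_SELECTED) -> Tuple[int, List[int]]:
    """Return (master port number, sorted numbers of the selected ports)."""
    if not ports:
        raise ValueError("an aggregation group needs at least one port")
    master = choose_master(ports)
    if not master.up:
        return master.number, []
    selected = sorted(p.number for p in ports if can_aggregate_with(master, p))
    # Over the limit: the selected ports with the greater port numbers become unselected.
    return master.number, selected[:limit]


# Constructed sample group: 1000 Mbps full-duplex ports with identical basic
# configuration "cfg-a", plus a few ports that differ in exactly one attribute.
SAMPLE_GROUP = [
    Port(1, True, 1000, True, "cfg-a"),
    Port(2, False, 1000, True, "cfg-a"),   # link down
    Port(3, True, 1000, False, "cfg-a"),   # half duplex
    Port(4, True, 1000, True, "cfg-a"),
    Port(5, True, 100, True, "cfg-a"),     # slower
    Port(6, True, 1000, True, "cfg-a"),
    Port(7, True, 1000, True, "cfg-b"),    # different basic configuration
] + [Port(n, True, 1000, True, "cfg-a") for n in range(8, 15)]   # ports 8..14

if __name__ == "__main__":
    master, selected = select_ports(SAMPLE_GROUP)
    print("master:", master, "selected:", selected)
```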
Port Configuration Considerations in manual aggregation
As mentioned above, in a manual aggregation group only ports whose configurations are consistent with those of the master port can become selected. These configurations include port rate, duplex mode, link state and the other basic configurations described in Consistency Considerations for Ports in an Aggregation on page 162.
You need to maintain the basic configurations of these ports manually to ensure consistency. As one configuration change may involve multiple ports, this can become troublesome if you have to do it port by port. As a solution, you can add the ports to an aggregation port group, as described in Aggregation Port Group on page 165, where you can configure all member ports at once.
When the configuration of a port in a manual aggregation group changes, the system does not remove the aggregation as it does in an aggregation group; instead, it resets the selected/unselected state of the member ports and re-selects a master port.
Note:
- Currently the Switch 4500G series switches support up to twelve valid aggregation groups, each containing up to eight GE ports or two 10GE ports in Selected state.
- An aggregation group is valid only when more than one member port is selected.
Static LACP link aggregation
Static aggregations are created manually. After you add a port to a static aggregation, LACP is enabled on it automatically.
Port states in a static aggregation group
In a static aggregation group, ports can be selected or unselected: both can receive and transmit LACPDUs, but only selected ports can receive and transmit data frames. The selected port with the lowest port number is the master port, as mentioned in Consistency Considerations for Ports in an Aggregation on page 162.
All member ports that cannot aggregate with the master are placed in unselected state. These include the ports whose basic configurations differ from those of the master port.
Member ports in up state can be selected if their configuration is the same as that of the master port. The number of selected ports, however, is limited in a static aggregation group. When the limit is exceeded, the local and remote systems negotiate the state of their ports as follows:
1 Compare the actor and partner system IDs, each of which comprises a two-byte system LACP priority plus a six-byte system MAC address:
- First compare the system LACP priorities.
- If they are the same, compare the MAC addresses. The system with the smaller ID has the higher priority.
2 Compare the port IDs, each of which comprises a two-byte port LACP priority and a two-byte port number, on the system with the higher priority:
- Compare the port LACP priorities.
- If two ports with the same port LACP priority are present, compare their port numbers. The state of the ports with the higher IDs changes to unselected, and so does the state of the corresponding remote ports.
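The two-step comparison above, as an added example rather than the switch's implementation: system IDs and port IDs are compared as (priority, identifier) tuples, the port IDs of the higher-priority system rank the candidate links, and the links beyond the selected-port limit become unselected on both sides. The MAC addresses and priorities are constructed sample values.

```python
"""Resolve which candidate ports stay selected when a static LACP aggregation
group exceeds its selected-port limit, following the two-step comparison above.

Added example, not the switch's code. A system ID is (system LACP priority,
system MAC); a port ID is (port LACP priority, port number). In both cases a
numerically smaller value means higher priority, and the port IDs compared are
those on the higher-priority system. MAC addresses and priorities below are
constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SystemId:
    lacp_priority: int      # two-byte system LACP priority
    mac: str                # six-byte system MAC address, "xx:xx:xx:xx:xx:xx"

    def key(self) -> Tuple[int, bytes]:
        # Priority first, MAC second: exactly the order of step 1 above.
        return (self.lacp_priority, bytes.fromhex(self.mac.replace(":", "")))


PortId = Tuple[int, int]    # (port LACP priority, port number), compared as a tuple


@dataclass(frozen=True)
class Link:
    actor_port: PortId      # port ID on the local (actor) system
    partner_port: PortId    # port ID on the remote (partner) system


def higher_priority_is_actor(actor: SystemId, partner: SystemId) -> bool:
    """Step 1: the system with the smaller system ID has the higher priority
    (a tie, which cannot occur with distinct MAC addresses, is resolved for the actor)."""
    return actor.key() <= partner.key()


def resolve_selected(actor: SystemId, partner: SystemId,
                     links: List[Link], limit: int) -> Tuple[List[int], List[int]]:
    """Step 2: rank the candidate links by the port ID on the higher-priority
    system and keep the first `limit`. Returns (actor port numbers that stay
    selected, actor port numbers that become unselected); the partner ports on
    the same links change state together with them."""
    actor_wins = higher_priority_is_actor(actor, partner)
    ranked = sorted(links, key=lambda ln: ln.actor_port if actor_wins else ln.partner_port)
    keep, drop = ranked[:limit], ranked[limit:]
    return ([ln.actor_port[1] for ln in keep], [ln.actor_port[1] for ln in drop])


# Constructed sample: equal system priorities, so the MAC address decides, and
# one actor port carrying a better (lower) port LACP priority than the others.
ACTOR = SystemId(32768, "00:e0:fc:00:00:01")
PARTNER = SystemId(32768, "00:e0:fc:00:00:02")
LINKS = [
    Link(actor_port=(32768, 1), partner_port=(32768, 5)),
    Link(actor_port=(32768, 2), partner_port=(32768, 4)),
    Link(actor_port=(100, 3), partner_port=(32768, 3)),
]

if __name__ == "__main__":
    print(resolve_selected(ACTOR, PARTNER, LINKS, limit=2))
```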
Port configuration considerations in static aggregation
Like in a manual aggregation group, in a static LACP aggregation group, only ports with
configurations consistent with those of the master port can become selected. These
configurations include port rate, duplex mode, link state and other basic configurations
described in Consistency Considerations for Ports in an Aggregation on page 162.
You need to maintain the basic configurations of these ports manually to ensure
consistency. As one configuration change may involve multiple ports, this can become
troublesome if you need to do that port by port. As a solution, you may add the ports
into an Aggregation Port Group where you can make configuration for all member ports.
When the configuration of some port in a static aggregation group changes, the system
does not remove the aggregation as it does in a manual aggregation group; instead, it resets the
selected/unselected state of the member ports and re-selects a master port.
Approaches to Link Aggregation 165
Note:
Currently, the Switch 4500G Ethernet switches support up to 12 valid aggregation
groups, each supporting up to eight GE ports or two 10 GE ports to be in selected
state. When there are more than 12 aggregation groups, the device will select 12
valid aggregation groups by the aggregation group IDs.
An aggregation group takes effect only when more than one member port is in selected
state.
Load Sharing in a Link Aggregation Group
Link aggregation groups fall into load sharing aggregation groups and non-load sharing
aggregation groups depending on whether they support load sharing.
Link aggregation groups perform load sharing depending on availability of hardware
resources. When hardware resources are available, link aggregation groups created
containing at least two ports perform load sharing; and link aggregation groups created
with only one port perform non-load sharing. After hardware resources become
depleted, link aggregation groups work in non-load sharing mode.
Note:
When only a single port is left in an aggregation group, the group becomes
non-load sharing.
A load-sharing aggregation group contains at least two selected ports, but a
non-load-sharing aggregation group can only have one selected port at most, while
others are unselected ports.
A newly created aggregation group is a non-load sharing one when there are more than
twelve valid aggregation groups.
When you delete an existing valid aggregation group, a new valid aggregation group
may be created automatically from the non-load sharing ones according to the port
speed and duplex, and the Selected ports in this aggregation group may be chosen
again.
Currently Switch 4500G series switches support up to twelve valid aggregation
groups.
Aggregation Port Group
As mentioned earlier, in a manual or static aggregation group, a port can be selected
only when its configuration is the same as that of the master port in terms of
duplex/speed pair, link state, and other basic configurations. Their configuration
consistency requires administrative maintenance, which is troublesome after you change
some configuration.
To simplify configuration, port-groups are provided allowing you to configure for all ports
in individual groups at one time. One example of port-groups is aggregation port group.
Upon creation or removal of a link aggregation group, an aggregation port-group which
cannot be administratively created or removed is automatically created or removed. In
addition, you can only assign/remove a member port to/from an aggregation port-group
by assigning/removing it from the corresponding link aggregation group.
For more information about port-groups, refer to Configuring a Port Group on
page 154.
Configuring Link Aggregation
CAUTION:
When you change the configuration of a member port of an aggregation group in
port view, the change is not synchronized to the other member ports of the
group; to have the configuration synchronized, make the change in port
group view.
For two connected ports, both must be in the aggregation group.
Configuring a Manual Link Aggregation Group
Follow these steps to configure a manual aggregation group:
You may create a manual aggregation group by changing the type of an existing static or
dynamic aggregation group. If the specified group contains ports, its group type
changes to manual with LACP disabled on its member ports; if not, its group type directly
changes to manual.
When you create an aggregation group, consider the following:
The aggregation group type is changed to the new type you configured if there is no
port in the group.
If there are ports in the aggregation group, you can only change the static
aggregation group to the manual one.
When assigning an Ethernet port to a manual aggregation group, consider the following:
An aggregation group cannot include monitor ports in mirroring, ports with static
MAC addresses, or 802.1x-enabled ports.
You can remove all ports in a manual aggregation group by removing the group. If
this group contains only one port, you can remove the port only by removing the
group.
Note: To guarantee a successful aggregation, ensure that the ports at the two ends of
each link to be aggregated are consistent in selected/unselected state.
Table 107 Configuring a Manual Link Aggregation Group
Enter system view: system-view
Create a manual aggregation group: link-aggregation group agg-id mode manual (required)
Enter Ethernet interface view: interface interface-type interface-number
Assign the Ethernet port to the aggregation group: port link-aggregation group agg-id (required)
Configuring a Static LACP Link Aggregation Group
Follow these steps to configure a static aggregation group:
You may create a static aggregation group by changing the type of an existing link
aggregation group.
When assigning an Ethernet port to a static aggregation group, consider the following:
An aggregation group cannot include ports with static MAC addresses, or
802.1x-enabled ports.
After you assign an LACP-disabled port to a static aggregation group, its LACP is
enabled.
For an LACP aggregation group that contains only one port, you can remove the port
from the aggregation group only by removing the aggregation group.
Note: When creating a configuration, be aware that after a load-balancing aggregation
group changes to a non-load-balancing group due to resource exhaustion, either of the
following may happen:
Forwarding anomalies resulting from inconsistency between the two ends in the number of
selected ports.
Some protocols such as GVRP malfunction because the state of the remote port
connected to the master port is unselected.
Configuring an Aggregation Group Name
Follow these steps to configure a name for an aggregation group:
Table 108 Configuring a Static LACP Link Aggregation Group
Enter system view: system-view
Configure the system LACP priority: lacp system-priority system-priority-value (optional; 32768 by default)
Create a static LACP aggregation group: link-aggregation group agg-id mode static (required)
Enter Ethernet interface view: interface interface-type interface-number
Configure the port LACP priority: lacp port-priority port-priority-value (optional; 32768 by default)
Assign the Ethernet port to the aggregation group: port link-aggregation group agg-id (required)
Table 109 Configuring an Aggregation Group Name
Enter system view: system-view
Configure a name for a link aggregation group: link-aggregation group agg-id description agg-name (required; none is configured by default)
Note:
When configuring a name or description for a link aggregation group, make sure that
the group exists. You may check for existing link aggregation groups with the
display link-aggregation summary command or the display
link-aggregation interface command.
If you save the current configuration using the save command, the manual/static
aggregation configuration (including aggregation groups created and aggregation
group names) remains valid even if the device restarts.
Entering Aggregation Port Group View
In aggregation port group view, you can configure for all the member ports in a link
aggregation group at one time.
Follow these steps to enter aggregation port group view:
CAUTION: In aggregation port group view, you can configure aggregation related
settings such as STP, VLAN, QoS, GVRP, multicast, but cannot add or remove member
ports.
Table 110 Entering Aggregation Port Group View
Enter system view: system-view
Enter aggregation port group view: port-group aggregation agg-id
Displaying and Maintaining Link Aggregation
Table 111 Displaying and Maintaining Link Aggregation
Display the local system ID: display lacp system-id (available in any view)
Display detailed information on link aggregation for the specified port or ports: display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] (available in any view)
Display summaries for all link aggregation groups: display link-aggregation summary (available in any view)
Display detailed information about specified or all link aggregation groups: display link-aggregation verbose [ agg-id ] (available in any view)
Clear the statistics about LACP for specified or all ports: reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ] (available in user view)
Link Aggregation Configuration Example
Network requirements
Switch A aggregates ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to form
one link connected to Switch B, achieving load sharing among these ports.
Network diagram
Figure 50 Network diagram for link aggregation
Configuration procedure
This example only describes how to configure on Switch A. To achieve link aggregation,
do the same on Switch B.
1 In manual aggregation approach
a Create manual aggregation group 1.
<3Com> system-view
[3Com] sysname SwitchA
[SwitchA] link-aggregation group 1 mode manual
b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1
2 In static aggregation approach
a Create static aggregation group 1.
<SwitchA> system-view
[SwitchA] link-aggregation group 1 mode static
b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1
Figure 50 (diagram): Switch A and Switch B connected by the aggregated link.
The three ports can form one dynamic aggregation group only when they share the
same basic configuration.
17 PORT ISOLATION CONFIGURATION
Port Isolation Overview
Through the port isolation feature, you can add the ports to be controlled to an
isolation group to isolate the Layer 2 and Layer 3 data between the ports in the isolation
group. This improves network security and lets you organize the network more flexibly.
Currently, you can configure only one isolation group on a switch. The number of
Ethernet ports an isolation group can accommodate is not limited.
The port isolation function is independent of VLAN configuration.
Port Isolation Configuration
Table 112 lists the operations to add an Ethernet port to an isolation group.
Displaying Port Isolation Configuration
After the above configuration, you can execute the display command in any view to
display the running state after port isolation configuration. You can verify the
configuration effect by checking the displayed information.
Table 112 Configure port isolation
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Enter port group view: port-group { manual port-group-name | aggregation agg-id }
(At least one of the two views is required. Configurations made in Ethernet interface view apply to the current port only, whereas configurations made in port group view apply to all ports in the group.)
Add the Ethernet port to the isolation group: port-isolate enable (required; by default, an isolation group contains no port)
Table 113 Display port isolation configuration
Display the information about the Ethernet ports added to the isolation group: display port-isolate group (available in any view)
Port Isolation Configuration Example
Network requirements
PC 2, PC 3 and PC 4 are connected to GigabitEthernet1/0/2, GigabitEthernet1/0/3,
and GigabitEthernet1/0/4 ports.
The switch connects to the Internet through GigabitEthernet1/0/1 port.
It is desired that PC 2, PC 3 and PC 4 cannot communicate with each other.
Network diagram
Figure 51 Network diagram for port isolation configuration
Configuration procedure
1 Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the
isolation group.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port-isolate enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] port-isolate enable
[3Com-GigabitEthernet1/0/3] quit
[3Com] interface GigabitEthernet 1/0/4
[3Com-GigabitEthernet1/0/4] port-isolate enable
2 Display the information about the ports in the isolation group.
<3Com> display port-isolate group
Port-isolate group information:
Uplink port support: NO
Group ID: 1
GigabitEthernet1/0/2 GigabitEthernet1/0/3 GigabitEthernet1/0/4
Figure 51 (diagram): GE1/0/1 of the switch connects to the Internet; PC2, PC3 and PC4 connect to GE1/0/2, GE1/0/3 and GE1/0/4.
18 MAC ADDRESS TABLE MANAGEMENT
Introduction to Managing MAC Address Table
An Ethernet switch needs to maintain a MAC address table to speed up packet
forwarding. A table entry includes the MAC address of a device connected to the
Ethernet switch, and the interface number and VLAN ID of the Ethernet switch interface
connected to the device. A MAC address table includes both static and dynamic address
entries. The static entries are manually configured by users, whereas the dynamic entries
can be manually configured by users or dynamically learned by the Ethernet switch. The
static entries are not aged, whereas the dynamic entries can be aged (if the entry has its
aging time configured as aging, it is aged; if it is configured as no-aging, it is not
aged).
An Ethernet switch learns a MAC address in the following way: after receiving a data
frame on a port (assumed to be port A), the Ethernet switch analyzes its source MAC
address (assumed to be MAC-SOURCE) and concludes that packets destined for
MAC-SOURCE can be forwarded through port A. If the table already contains
MAC-SOURCE, the Ethernet switch updates the corresponding entry; otherwise, it
adds the new MAC address and the related forwarding port as a new entry to the table.
During MAC address learning, static MAC addresses that are manually configured by
users will not be overwritten by dynamic MAC addresses. However, the latter can be
overwritten by the former.
The Ethernet switch forwards packets whose destination MAC addresses can be found in
the MAC address table and broadcasts those whose destination MAC addresses are not
in the table. Upon receipt of the broadcast packet, the destination network device sends
a response packet back which contains the MAC address of the device. The Ethernet
switch learns and adds this new MAC address to the MAC address table of the device.
Subsequent packets destined for the same MAC address can then be forwarded directly.
Figure 52 An Ethernet switch forwards packets according to the MAC address table
The Ethernet switch also provides the function of MAC address aging. If the Ethernet
switch does not receive a packet from a network device within a period of time, it will
delete the corresponding entry from the MAC address table.
You can configure (add or modify) the MAC address entries manually according to the
actual network environment. The entries can be static ones or dynamic ones.
Configuring the MAC Address Table
Configuring MAC Address Table Entries
Administrators can manually add, modify, or delete the entries in a MAC address table
according to actual needs.
Figure 52 (diagram): the MAC address table maps MAC A and MAC B to port 1 and MAC C and MAC D to port 2; a frame from MAC A to MAC D received on port 1 is forwarded out port 2.
Table 114 Configure MAC Address Table Entries
Enter system view: system-view
Add/modify an address entry: mac-address { blackhole | dynamic | static } mac-address interface interface-type interface-number vlan vlan-id (required)
Enter the interface view of a specified interface: interface interface-type interface-number
Add/modify address entries in the specified interface view: mac-address { blackhole | dynamic | static } mac-address vlan vlan-id (required)
Configuring MAC Address Aging Time for the System
Setting the aging time too long results in a large number of outdated table entries being
kept in the MAC address table, thereby exhausting the MAC address table resources
and making it impossible for the Ethernet switch to update the MAC address table
as the network changes. On the other hand, if the aging time is set too short,
valid MAC address table entries may be deleted by the Ethernet switch, resulting in
the flooding of a large number of data packets, which degrades switch performance.
Therefore, it is important that users set an appropriate aging time according to the
actual network environment in order to implement MAC address aging effectively.
The mac-address timer command takes effect on all ports. However, address aging only
applies to dynamic addresses (those learned, or configured as aging entries by the user).
Configuring the Maximum MAC Addresses that an Ethernet Port or a Port Group Can Learn
With the following commands, you can set a limit on the number of MAC address table
entries maintained by the Ethernet switch. Setting the number too large may degrade
forwarding performance. If the maximum number of MAC addresses is set to count, then
after the number of learned MAC addresses has reached count, the interface no
longer learns any MAC addresses.
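The learning, aging and limit behaviour described in this chapter can be modelled in a few dozen lines. The following Python class is an added example, not 3Com code: it learns source addresses per VLAN, refuses to overwrite static and blackhole entries with learned ones, ages only dynamic entries, stops learning on a port once its max-mac-count is reached, and floods frames whose destination is unknown. The MAC addresses, port names, timestamps and the per-port limit of two are constructed sample values; the static entry reuses the one from the configuration example in this chapter.

```python
"""Added example (not 3Com code): a model of the MAC address table behaviour
described above: learning from source addresses, precedence of static
entries over learned ones, blackhole entries, aging of dynamic entries, the
per-port max-mac-count limit and flooding of unknown destinations.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    port: Optional[str]      # None for a blackhole entry (frames are dropped)
    kind: str                # "static", "dynamic" or "blackhole"
    last_seen: float = 0.0   # time of the last frame, used only for aging


@dataclass
class MacTable:
    aging_seconds: Optional[int] = 300                        # None models no-aging
    max_mac_count: Dict[str, int] = field(default_factory=dict)  # per-port limit
    entries: Dict[Tuple[str, int], Entry] = field(default_factory=dict)

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        # Manually configured: never aged and never overwritten by learning.
        self.entries[(mac, vlan)] = Entry(port, "static")

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(mac, vlan)] = Entry(None, "blackhole")

    def learned_on(self, port: str) -> int:
        """Number of dynamic entries currently pointing at this port."""
        return sum(1 for e in self.entries.values()
                   if e.kind == "dynamic" and e.port == port)

    def learn(self, src_mac: str, vlan: int, port: str, now: float) -> bool:
        """Learn src_mac on port. Returns False when the frame changed nothing:
        a static/blackhole entry already exists, or the port reached its limit."""
        key = (src_mac, vlan)
        entry = self.entries.get(key)
        if entry is not None and entry.kind != "dynamic":
            return False
        limit = self.max_mac_count.get(port)
        needs_slot = entry is None or entry.port != port
        if needs_slot and limit is not None and self.learned_on(port) >= limit:
            return False            # max-mac-count reached: learning stops
        if entry is None:
            self.entries[key] = Entry(port, "dynamic", now)
        else:
            entry.port, entry.last_seen = port, now   # station moved or refreshed
        return True

    def age(self, now: float) -> int:
        """Remove dynamic entries idle longer than aging_seconds; return the count."""
        if self.aging_seconds is None:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e.kind == "dynamic" and now - e.last_seen > self.aging_seconds]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def forward(self, dst_mac: str, vlan: int, in_port: str,
                vlan_ports: List[str]) -> List[str]:
        """Egress ports for a frame: the known port, nothing for a blackhole
        entry, or every other port of the VLAN (flooding) when unknown."""
        entry = self.entries.get((dst_mac, vlan))
        if entry is None:
            return [p for p in vlan_ports if p != in_port]
        if entry.kind == "blackhole":
            return []
        return [entry.port]
```

Flooding is the cost of a missing entry, which is why the aging time trade-off above matters: too short and the switch floods, too long and stale entries crowd out learning. The max-mac-count limit caps how many dynamic entries one port can contribute, so a single port cannot fill the table.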
Table 115 Configure MAC address aging time for the system
Enter system view: system-view
Configure the dynamic MAC address aging time: mac-address timer { aging seconds | no-aging } (optional; 300 seconds by default)
Table 116 Configuring the maximum MAC addresses that an Ethernet port or a port group can learn
Enter system view: system-view
Enter the interface view of a specified port: interface interface-type interface-number
Enter the port group view of a specified port group: port-group { manual port-group-name | aggregation agg-id }
(At least one of the two views is required. Subsequent configurations apply to the current interface only after entering its interface view, and to all ports in a port group after entering the port group view.)
Configure the maximum MAC addresses that can be learned by an Ethernet port, and whether to forward packets when the number of MAC addresses has reached count: mac-address max-mac-count count (required; by default, the maximum number of MAC addresses that an Ethernet port or a port group can learn is not configured)
Displaying and Maintaining the MAC Address Table
Table 117 Display and maintain the MAC address table
Display the information in the address table: display mac-address [ mac-address [ vlan vlan-id ] | [ blackhole | dynamic | static ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ] (available in any view)
Display the aging time of dynamic address table entries: display mac-address aging-time (available in any view)
MAC Address Table Management Configuration Example
Network requirements
The user logs in to the switch through the console port. Configure the MAC address table
management function. Configure the aging time for dynamic table entries to be 500
seconds. Add a static address table entry 00e0-fc35-dc71 to the interface GigabitEthernet
1/0/7 in VLAN 1.
Network diagram
Figure 53 Typical configuration of address table management
Figure 53 (diagram): the switch is managed through its console port and connects to the Internet through a network port.
Configuration procedure
1 Enter the system view of the switch.
<3Com> system-view
2 Add a static MAC address (specify the native VLAN, port, and state).
[3Com] mac-address static 00e0-fc35-dc71 interface GigabitEthernet 1/0/7 vlan 1
3 Configure the aging time for dynamic MAC address table entries to be 500 seconds.
[3Com] mac-address timer aging 500
4 Display the MAC address configurations under any view.
[3Com] display mac-address interface gigabitEthernet 1/0/7
MAC ADDR         VLAN ID  STATE          PORT INDEX             AGING TIME(s)
00e0-fc35-dc71   1        Config static  GigabitEthernet1/0/7   NOAGED
--- 1 mac address(es) found ---
19 MSTP CONFIGURATION
MSTP Overview
Introduction to STP
Functions of STP
The spanning tree protocol (STP) is a protocol used to eliminate loops in a local area
network (LAN). Devices running this protocol detect loops in the network by
exchanging information with one another and eliminate them by blocking
certain ports until the looped network is pruned into a loop-free tree, thereby avoiding
proliferation and endless circulation of packets in a looped network.
Basic concepts in STP
1 Root bridge
A tree network must have a root; hence the concept of root bridge has been
introduced in STP.
There is one and only one root bridge in the entire network, and the root bridge can
change along with changes of the network topology. Therefore, the root bridge is not
fixed.
Upon network convergence, the root bridge generates and sends out a BPDU at a certain
interval, and the other devices just forward this BPDU. This mechanism ensures
topological stability.
2 Root port
On a non-root bridge device, the root port is the port with the lowest path cost to the
root bridge. The root port is responsible for forwarding data to the root bridge. A
non-root-bridge device has one and only one root port. The root bridge has no root port.
3 Designated bridge and designated port
Refer to the following table for the description of designated bridge and designated
port.
Table 118 Description of designated bridge and designated port
For a device: the designated bridge is the device directly connected with this device and
responsible for forwarding BPDUs to it; the designated port is the port through which the
designated bridge forwards BPDUs to this device.
For a LAN: the designated bridge is the device responsible for forwarding BPDUs to this
LAN segment; the designated port is the port through which the designated bridge
forwards BPDUs to this LAN segment.
Figure 54 shows designated bridges and designated ports. In the figure, AP1 and AP2,
BP1 and BP2, and CP1 and CP2 are ports on Switch A, Switch B, and Switch C
respectively.
If Switch A forwards BPDUs to Switch B through AP1, the designated bridge for
Switch B is Switch A, and the designated port is the port AP1 on Switch A.
Two devices are connected to the LAN: Switch B and Switch C. If Switch B forwards
BPDUs to the LAN, the designated bridge for the LAN is Switch B, and the designated
port is the port BP2 on Switch B.
Figure 54 A schematic diagram of designated bridges and designated ports
All the ports on the root bridge are designated ports.
How STP works
STP identifies the network topology by transmitting configuration BPDUs between
network devices. Configuration BPDUs contain sufficient information for network
devices to complete the spanning tree computing. Important fields in a configuration
BPDU include:
Root bridge ID: consisting of root bridge priority and MAC address.
Root path cost: the cost of the shortest path to the root bridge.
Designated bridge ID: designated bridge priority plus MAC address.
Designated port ID: designated port priority plus port name.
Message age: age of the configuration BPDU.
Max age: maximum age of the configuration BPDU.
Hello time: configuration BPDU interval.
Forward delay: forward delay of the port.
Figure 54 (diagram): Switch A with ports AP1 and AP2, Switch B with ports BP1 and BP2, Switch C with ports CP1 and CP2, and a LAN segment to which Switch B and Switch C attach.
For the convenience of description, the description and examples below involve only four
parts of a configuration BPDU:
Root bridge ID (in the form of device priority)
Root path cost
Designated bridge ID (in the form of device priority)
Designated port ID (in the form of port name)
1 Specific computing process of the STP algorithm
Initial state
Upon initialization of a device, each port generates a BPDU with itself as the root, in
which the root path cost is 0, designated bridge ID is the device ID, and the designated
port is the local port.
Selection of the optimum configuration BPDU
Each device sends out its configuration BPDU and receives configuration BPDUs from
other devices.
The process of selecting the optimum configuration BPDU is as follows:
Principle for configuration BPDU comparison:
The configuration BPDU that has the lowest root bridge ID has the highest priority.
If all the configuration BPDUs have the same root bridge ID, they will be compared for
their root path costs. If the root path cost in a configuration BPDU plus the path cost
corresponding to this port is S, the configuration BPDU with the smallest S value has
the highest priority.
If all configuration BPDUs have the same root path cost, they will be compared for
their designated bridge IDs, then their designated port IDs, and then the IDs of the
ports on which they are received. The smaller the ID, the higher the message priority.
Selection of the root bridge
At network initialization, each STP-compliant device on the network assumes itself to be
the root bridge, with the root bridge ID being its own device ID. By exchanging
configuration BPDUs, the devices compare one another's root bridge IDs. The device with
the smallest root bridge ID is elected as the root bridge.
Table 119 Selection of the optimum configuration BPDU
Step 1: Upon receiving a configuration BPDU on a port, the device performs the following
processing:
If the received configuration BPDU has a lower priority than that of the configuration
BPDU generated by the port, the device discards the received configuration BPDU
without doing any processing on the configuration BPDU of this port.
If the received configuration BPDU has a higher priority than that of the configuration
BPDU generated by the port, the device replaces the content of the configuration
BPDU generated by the port with the content of the received configuration BPDU.
Step 2: The device compares the configuration BPDUs of all the ports and chooses the optimum
configuration BPDU.
Selection of the root port and designated ports
The process of selecting the root port and designated ports is as follows:
When the network topology is stable, only the root port and designated ports forward
traffic, while all other ports are in the blocked state: they only receive STP packets but
do not forward user traffic.
Once the root bridge, the root port on each non-root bridge, and the designated ports have
been elected, the entire tree-shaped topology has been constructed.
The following is an example of how the STP algorithm works. The network
diagram is shown in Figure 55. In the figure, the priority of Switch A is 0, the priority of
Switch B is 1, the priority of Switch C is 2, and the path costs of the links are 5, 10 and
4 respectively.
Figure 55 Network diagram for STP algorithm
Table 120 Selection of the root port and designated ports
Step 1: The root port is the port on which the optimum configuration BPDU was received.
Step 2: Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of the remaining ports:
The root bridge ID is replaced with that of the configuration BPDU of the root port.
The root path cost is replaced with that of the configuration BPDU of the root port plus
the path cost corresponding to the root port.
The designated bridge ID is replaced with the ID of this device.
The designated port ID is replaced with the ID of this port.
Step 3: The device compares the computed configuration BPDU with the configuration BPDU on
the corresponding port, and proceeds based on the comparison result:
If the configuration BPDU on the port is superior, the device blocks this port without changing its
configuration BPDU, so that the port only receives BPDUs, does not send any, and does
not forward data.
If the computed configuration BPDU is superior, this port serves as the designated
port, and the configuration BPDU on the port is replaced with the computed
configuration BPDU, which is sent out periodically.
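The steps of Table 119 and Table 120 are mechanical enough to run as code. The following Python model is an added worked example, not from the 3Com manual: it builds the three-switch network of Figure 55 (priorities 0, 1, 2; path costs 5, 10 and 4 on the A-B, A-C and B-C links, the costs the later comparison tables use), represents each configuration BPDU as the four-part tuple the text uses, and repeats the receive/compare/compute cycle until no port changes. The first round reproduces the per-port results the tables in this section trace by hand; letting it run to convergence goes one step beyond them and shows Switch C moving its root port to CP2 and blocking CP1 once BP2's updated BPDU arrives. The topology dictionaries are constructed from the text.

```python
"""Added worked example (not from the 3Com manual): the STP computation of
Table 119 and Table 120 run over the three-switch network of Figure 55.
A configuration BPDU is the four-part tuple the text uses:
(root bridge ID, root path cost, designated bridge ID, designated port ID);
Python tuple ordering gives "smaller is superior".  Device priorities are
used directly as bridge IDs, as the text does.
"""

# Constructed from the example: priority per device, ports per device,
# and each link as (port, peer port, path cost).
PRIORITY = {"A": 0, "B": 1, "C": 2}
PORTS = {"A": ["AP1", "AP2"], "B": ["BP1", "BP2"], "C": ["CP1", "CP2"]}
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]


def build(priority=PRIORITY, ports=PORTS, links=LINKS):
    """Initial state: every port claims its own device as root with cost 0."""
    st = {"dev": priority, "ports": ports, "peer": {}, "cost": {},
          "owner": {}, "bpdu": {}, "role": {}}
    for a, b, c in links:
        st["peer"][a], st["peer"][b] = b, a
        st["cost"][a] = st["cost"][b] = c
    for dev, plist in ports.items():
        for p in plist:
            st["owner"][p] = dev
            st["bpdu"][p] = (priority[dev], 0, priority[dev], p)
            st["role"][p] = "designated"
    return st


def process_round(st, received):
    """Table 119 step 1 (absorb superior BPDUs), then Table 120 on each device."""
    bpdu, role, cost = st["bpdu"], st["role"], st["cost"]
    for port, msg in received.items():
        if msg < bpdu[port]:            # received BPDU is superior: replace
            bpdu[port] = msg
    for dev, plist in st["ports"].items():
        me = st["dev"][dev]
        # Root-port candidates are BPDUs received from another bridge, ranked
        # by root ID, root path cost plus this port's path cost, designated
        # bridge ID, designated port ID and finally the receiving port.
        cands = []
        for p in plist:
            root, rpc, dbridge, dport = bpdu[p]
            if dbridge != me:
                cands.append((root, rpc + cost[p], dbridge, dport, p))
        if not cands or min(cands)[0] == me:
            for p in plist:             # this device is the root bridge
                bpdu[p] = (me, 0, me, p)
                role[p] = "designated"
            continue
        root, root_cost, _, _, root_port = min(cands)
        role[root_port] = "root"
        for p in plist:
            if p == root_port:
                continue
            computed = (root, root_cost, me, p)
            if bpdu[p] < computed:
                role[p] = "blocked"     # keeps the superior BPDU, receives only
            else:
                role[p] = "designated"
                bpdu[p] = computed
    return st


def run(st=None, max_rounds=10):
    """Exchange BPDUs round by round until nothing changes; return the state."""
    st = st or build()
    senders = list(st["owner"])         # round 1: every port sends its own BPDU
    for _ in range(max_rounds):
        received = {st["peer"][p]: st["bpdu"][p] for p in senders}
        before = (dict(st["bpdu"]), dict(st["role"]))
        process_round(st, received)
        # afterwards only designated ports keep sending
        senders = [p for p in st["owner"] if st["role"][p] == "designated"]
        if (st["bpdu"], st["role"]) == before:
            break
    return st


def roles(st):
    """Port -> (role, BPDU) for every port, in name order."""
    return {p: (st["role"][p], st["bpdu"][p]) for p in sorted(st["owner"])}


if __name__ == "__main__":
    for port, (port_role, port_bpdu) in roles(run()).items():
        print(f"{port}: {port_role:10s} {port_bpdu}")
```

The tie on the second round is instructive: CP2 receives {0, 5, 1, BP2}, and 5 plus the B-C cost of 4 is less than the cost of 10 via CP1, so the root port moves and the port on the more expensive link is blocked while keeping Switch A's superior BPDU, exactly the "receive only" behaviour of step 3.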
Figure 55 (diagram): Switch A with priority 0 (ports AP1, AP2), Switch B with priority 1 (ports BP1, BP2) and Switch C with priority 2 (ports CP1, CP2); the link path costs are 5, 10 and 4.
Initial state of each device
The following table shows the initial state of each device.
Table 121 Initial state of each device
Switch A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}
Switch B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}
Switch C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}
Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 122 Comparison process and result on each device

Switch A
  Comparison process:
    Port AP1 receives the configuration BPDU of Switch B {1, 0, 1, BP1}. Switch A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the received configuration BPDU.
    Port AP2 receives the configuration BPDU of Switch C {2, 0, 2, CP1}. Switch A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
    Switch A finds that both the root bridge and designated bridge in the configuration BPDUs of all its ports are Switch A itself, so it assumes itself to be the root bridge. In this case, it does not make any change to the configuration BPDU of each port, and starts sending out configuration BPDUs periodically.
  BPDU of port after comparison:
    AP1: {0, 0, 0, AP1}
    AP2: {0, 0, 0, AP2}

Switch B
  Comparison process:
    Port BP1 receives the configuration BPDU of Switch A {0, 0, 0, AP1}. Switch B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
    Port BP2 receives the configuration BPDU of Switch C {2, 0, 2, CP2}. Switch B finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
  BPDU of port after comparison:
    BP1: {0, 0, 0, AP1}
    BP2: {1, 0, 1, BP2}
  Comparison process:
    Switch B compares the configuration BPDUs of all its ports, and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the configuration BPDU of which will not be changed.
    Based on the configuration BPDU of BP1 and the path cost of the root port (5), Switch B calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.
    Switch B compares the computed configuration BPDU {0, 5, 1, BP2} with the configuration BPDU of BP2. If the computed BPDU is superior, BP2 will act as the designated port, and the configuration BPDU on this port will be replaced with the computed configuration BPDU, which will be sent out periodically.
  BPDU of port after comparison:
    Root port BP1: {0, 0, 0, AP1}
    Designated port BP2: {0, 5, 1, BP2}

Switch C
  Comparison process:
    Port CP1 receives the configuration BPDU of Switch A {0, 0, 0, AP2}. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
    Port CP2 receives the configuration BPDU of port BP2 of Switch B {1, 0, 1, BP2} before that message was updated. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2}, and updates the configuration BPDU of CP2.
  BPDU of port after comparison:
    CP1: {0, 0, 0, AP2}
    CP2: {1, 0, 1, BP2}
  Comparison process:
    By comparison, the configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDU of which will not be changed.
    Switch C compares the computed designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2; CP2 becomes the designated port, and the configuration BPDU of this port is replaced with the computed configuration BPDU.
  BPDU of port after comparison:
    Root port CP1: {0, 0, 0, AP2}
    Designated port CP2: {0, 10, 2, CP2}
  Comparison process:
    Next, port CP2 receives the updated configuration BPDU of Switch B {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its old one, Switch C launches a BPDU update process.
    At the same time, port CP1 receives configuration BPDUs periodically from Switch A. Switch C does not launch an update process after comparison.
  BPDU of port after comparison:
    CP1: {0, 0, 0, AP2}
    CP2: {0, 5, 1, BP2}
  Comparison process:
    By comparison: because the root path cost of CP2 (9) (root path cost of the BPDU (5) + path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which will not be changed.
    After comparison between the configuration BPDU of CP1 and the computed designated port configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port remaining unchanged, and the port will not receive data from Switch A until a spanning tree computing process is triggered by a new condition, for example, the link from Switch B to Switch C going down.
  BPDU of port after comparison:
    Blocked port CP1: {0, 0, 0, AP2}
    Root port CP2: {0, 5, 1, BP2}
After the comparison processes described in the table above, a spanning tree with Switch A as the root bridge is stabilized, as shown in Figure 56.
Figure 56 The final computed spanning tree
To facilitate description, the spanning tree computing process in this example is simplified; the actual process is more complicated.
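The comparison process of Table 122 carried out in code, as an added example that is not from the 3Com guide. It assumes the bridge IDs are the priorities 0, 1 and 2, that port IDs are compared by name, and that all switches send BPDUs simultaneously in each round; the topology and path costs are those of the figure.

```python
"""Simplified STP configuration BPDU comparison for the three-switch example.

Added worked example; this is not code from the 3Com guide. A configuration
BPDU is the 4-tuple used in Table 121 and Table 122: (root bridge ID, root
path cost, designated bridge ID, designated port ID). Bridge IDs are the
priorities 0, 1 and 2 from the figure, and port IDs are compared by name,
which is enough to break ties in this topology.
"""

# Constructed topology matching the figure and Table 122:
# ((switch, port), (switch, port), path cost of the link). The receiving
# switch adds the path cost of the port on which a BPDU arrives.
LINKS = [
    (("A", "AP1"), ("B", "BP1"), 5),
    (("A", "AP2"), ("C", "CP1"), 10),
    (("B", "BP2"), ("C", "CP2"), 4),
]
PRIORITY = {"A": 0, "B": 1, "C": 2}


def build_ports(links):
    """Return {switch: {port: (peer switch, peer port, path cost)}}."""
    ports = {sw: {} for sw in PRIORITY}
    for (sw1, p1), (sw2, p2), cost in links:
        ports[sw1][p1] = (sw2, p2, cost)
        ports[sw2][p2] = (sw1, p1, cost)
    return ports


def compute_spanning_tree(links=LINKS, max_rounds=10):
    """Exchange and compare BPDUs round by round until nothing changes.

    Returns {switch: {port: (role, bpdu)}} with role one of "designated",
    "root" or "blocked". Tuples compare lexicographically, so a smaller
    tuple is the superior BPDU: lower root ID, then lower root path cost,
    then lower designated bridge ID, then lower designated port ID.
    """
    ports = build_ports(links)
    # Initial state (Table 121): every switch regards itself as the root.
    bpdu = {sw: {p: (PRIORITY[sw], 0, PRIORITY[sw], p) for p in ports[sw]}
            for sw in ports}
    roles = {sw: {p: "designated" for p in ports[sw]} for sw in ports}

    for _ in range(max_rounds):
        prev_bpdu = {sw: dict(bpdu[sw]) for sw in bpdu}
        prev_roles = {sw: dict(roles[sw]) for sw in roles}

        # Step 1: designated ports send their BPDU (taken from the round
        # snapshot, so all switches transmit simultaneously). A receiving
        # port keeps the received BPDU only if it is superior to the one it
        # already holds, and discards it otherwise.
        for sw in ports:
            for p, (peer, peer_port, _) in ports[sw].items():
                if prev_roles[peer][peer_port] != "designated":
                    continue  # root and blocked ports do not send BPDUs
                received = prev_bpdu[peer][peer_port]
                if received < bpdu[sw][p]:
                    bpdu[sw][p] = received

        # Step 2: each switch elects its root port and, for every other port,
        # compares a computed designated-port BPDU with the stored one.
        for sw in ports:
            me = PRIORITY[sw]
            # Only ports holding another bridge's BPDU can become root port;
            # the root path cost is the BPDU's cost plus this port's path cost.
            candidates = [
                ((b[0], b[1] + ports[sw][p][2], b[2], b[3], p), p)
                for p, b in bpdu[sw].items() if b[2] != me
            ]
            if not candidates:
                # Root bridge and designated bridge of every port are this
                # switch itself: it is the root bridge, all ports designated.
                for p in ports[sw]:
                    roles[sw][p] = "designated"
                continue
            (root, root_cost, _, _, _), root_port = min(candidates)
            roles[sw][root_port] = "root"  # its BPDU is not changed
            for p in ports[sw]:
                if p == root_port:
                    continue
                computed = (root, root_cost, me, p)
                if computed <= bpdu[sw][p]:
                    # Computed BPDU wins: designated port, BPDU replaced.
                    bpdu[sw][p] = computed
                    roles[sw][p] = "designated"
                else:
                    # Received BPDU is better: block the port, BPDU unchanged.
                    roles[sw][p] = "blocked"

        if bpdu == prev_bpdu and roles == prev_roles:
            break

    return {sw: {p: (roles[sw][p], bpdu[sw][p]) for p in ports[sw]}
            for sw in ports}


if __name__ == "__main__":
    for sw, entries in compute_spanning_tree().items():
        for p, (role, b) in entries.items():
            print(f"Switch {sw} {p}: {role:10s} {b}")
```

Running it reproduces the last column of Table 122: BP1 and CP2 become root ports, BP2 stays designated with {0, 5, 1, BP2}, and CP1 is blocked while keeping {0, 0, 0, AP2}.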
2 The BPDU forwarding mechanism in STP
Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
If it is the root port that received the configuration BPDU and the received configuration BPDU is superior to the configuration BPDU of the port, the device increases the message age carried in the configuration BPDU by a certain rule and starts a timer to time the configuration BPDU, while it sends out this configuration BPDU through the designated port.
If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port, the port immediately sends out its better configuration BPDU in response.
If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device generates a configuration BPDU with itself as the root and sends out the BPDU. This triggers a new spanning tree computing process so that a new path is established to restore the network connectivity.
However, the newly computed configuration BPDU will not be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data through the old path. If the new root port and designated port began to forward data as soon as they were elected, a temporary loop could occur. For this reason, STP uses a state transition mechanism: a newly elected root port or designated port must wait twice the forward delay time before transitioning to the forwarding state, by which time the new configuration BPDU has been propagated throughout the network.
[Figure 56 residue: the final tree, Switch A (priority 0) as root, linked AP1-BP1 (cost 5) to Switch B (priority 1) and BP2-CP2 (cost 4) to Switch C (priority 2); the AP2-CP1 link is blocked.]
Introduction to MSTP
Why MSTP
1 Disadvantages of STP and RSTP
STP does not support rapid state transition of ports. A newly elected root port or
designated port must wait twice the forward delay time before transitioning to the
forwarding state, even if it is a port on a point-to-point link or it is an edge port, which
directly connects to a user terminal rather than to another device or a shared LAN
segment.
The rapid spanning tree protocol (RSTP) is an optimized version of STP. RSTP allows a
newly elected root port or designated port to enter the forwarding state much quicker
under certain conditions than in STP. As a result, it takes a shorter time for the network
to reach the final topology stability.
In RSTP, a newly elected root port can enter the forwarding state rapidly if this
condition is met: The old root port on the device has stopped forwarding data and
the upstream designated port has started forwarding data.
In RSTP, a newly elected designated port can enter the forwarding state rapidly if this
condition is met: The designated port is an edge port or a port connected with a
point-to-point link. If the designated port is an edge port, it can enter the forwarding
state directly; if the designated port is connected with a point-to-point link, it can
enter the forwarding state immediately after the device undergoes handshake with
the downstream device and gets a response.
Although RSTP supports rapid network convergence, it has the same drawback as STP: all bridges within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLANs, and the packets of all VLANs are forwarded along the same spanning tree.
2 Features of MSTP
The multiple spanning tree protocol (MSTP) overcomes the shortcomings of STP and
RSTP. In addition to support for rapid network convergence, it also allows data flows of
different VLANs to be forwarded along their own paths, thus providing a better load
sharing mechanism for redundant links.
MSTP features the following:
MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance
mapping table.
MSTP divides a switched network into multiple regions, each containing multiple
spanning trees that are independent of one another.
MSTP prunes loop networks into a loop-free tree, thus avoiding proliferation and
endless recycling of packets in a loop network. In addition, it provides multiple
redundant paths for data forwarding, thus supporting load balancing of VLAN data in
the data forwarding process.
MSTP is compatible with STP and RSTP.
Some concepts in MSTP
As shown in Figure 57, there are four multiple spanning tree (MST) regions, each made up of four switches running MSTP. With reference to the diagram, the following paragraphs present some concepts of MSTP.
Figure 57 Basic concepts in MSTP
1 MST region
An MST region is composed of multiple devices in a switched network and network
segments among them. These devices have the following characteristics:
All are MSTP-enabled,
They have the same region name,
They have the same VLAN-to-instance mapping configuration,
They have the same MSTP revision level configuration, and
They are physically linked with one another.
In region A0 in Figure 57, for example, all the devices have the same MST region configuration: the same region name, the same VLAN-to-instance mapping (VLAN 1 is mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the common and internal spanning tree (CIST); CIST refers to MST instance 0), and the same MSTP revision level (not shown in the figure).
Multiple MST regions can exist in a switched network. You can use an MSTP command to group multiple devices into the same MST region.
2 VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MST instances. In Figure 57, for example, the VLAN-to-instance mapping table of region A0 maps VLAN 1 to MST instance 1, VLAN 2 to MST instance 2, and the rest to the CIST.
[Figure 57 (Basic concepts in MSTP): regions A0, B0, C0 and D0, each made up of devices A, B, C and D, exchanging BPDUs and interconnected by the CST. A0 and B0: VLAN 1 mapped to instance 1, VLAN 2 to instance 2, other VLANs to the CIST. C0: VLAN 1 mapped to instance 1, VLANs 2 and 3 to instance 2, other VLANs to the CIST. D0: VLAN 1 mapped to instance 1 with B as regional root bridge, VLAN 2 mapped to instance 2 with C as regional root bridge, other VLANs to the CIST.]
3 IST
The internal spanning tree (IST) is a spanning tree that runs in an MST region, with instance number 0. The ISTs in all MST regions and the common spanning tree (CST) jointly constitute the common and internal spanning tree (CIST) of the entire network. An IST is a section of the CIST in an MST region. In Figure 57, for example, the CIST has a section in each MST region, and this section is the IST of that MST region.
4 CST
The CST is a single spanning tree that connects all MST regions in a switched network. If
you regard each MST region as a device, the CST is a spanning tree computed by these
devices through MSTP. For example, the red lines in Figure 57 describe the CST.
5 CIST
Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all
devices in a switched network. In Figure 57, for example, the ISTs in all MST regions plus
the inter-region CST constitute the CIST of the entire network.
6 MSTI
Multiple spanning trees can be generated in an MST region through MSTP, one spanning
tree being independent of another. Each spanning tree is referred to as a multiple
spanning tree instance (MSTI). In Figure 57, for example, multiple spanning tree can exist
in each MST region, each spanning tree corresponding to a VLAN. These spanning trees
are called MSTIs.
7 Regional root bridge
The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or that MSTI. Based on the topology, different spanning trees in an MST region may have different regional roots. For example, in region D0 in Figure 57, the regional root of instance 1 is device B, while that of instance 2 is device C.
8 Common root bridge
The root bridge of the CIST is the common root bridge. In Figure 57, for example, the
common root bridge is a device in region A0.
9 Boundary port
A boundary port is a port that connects an MST region to another MST configuration, or
to a single spanning-tree region running STP, or to a single spanning-tree region running
RSTP.
During MSTP computing, a boundary port assumes the same role on the CIST and on
MST instances. Namely, if a boundary port is master port on the CIST, it is also the master
port on all MST instances within this region. In Figure 57, for example, if a device in
region A0 is interconnected with the first port of a device in region D0 and the common
root bridge of the entire switched network is located in region A0, the first port of that
device in region D0 is the boundary port of region D0.
10 Roles of ports
In the MSTP computing process, port roles include designated port, root port, master
port, alternate port, backup port, and so on.
Root port: a port responsible for forwarding data to the root bridge.
Designated port: a port responsible for forwarding data to the downstream network
segment or device.
Master port: a port on the shortest path from the entire region to the common root bridge, connecting the MST region to the common root bridge.
Alternate port: The standby port for a root port or master port. If a root port or
master port is blocked, the alternate port becomes the new root port or master port.
Backup port: If a loop occurs when two ports of the same device are interconnected,
the device will block either of the two ports, and the backup port is that port to be
blocked.
A port can assume different roles in different MST instances.
Figure 58 Port roles
Figure 58 illustrates these concepts, where:
Devices A, B, C, and D constitute an MST region.
Port 1 and port 2 of device A connect to the common root bridge.
Port 5 and port 6 of device C form a loop.
Port 3 and port 4 of device D connect downstream to other MST regions.
How MSTP works
MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a computed CST. Inside an MST region, multiple spanning trees are generated through computing, each spanning tree called an MST instance. Among these MST instances, instance 0 is the IST, while all the others are MSTIs. Similar to RSTP, MSTP uses configuration BPDUs to compute spanning trees. The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration of the device from which it is sent.
1 CIST computing
By comparison of configuration BPDUs, one device with the highest priority is elected
as the root bridge of the CIST. MSTP generates an IST within each MST region through
computing, and, at the same time, MSTP regards each MST region as a single device and
generates a CST among these MST regions through computing. The CST and ISTs
constitute the CIST of the entire network.
2 MSTI computing
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings.
MSTP performs a separate computing process, which is similar to spanning tree
computing in STP, for each spanning tree. For details, refer to How STP works.
In MSTP, a VLAN packet is forwarded along the following paths:
Within an MST region, the packet is forwarded along the corresponding MSTI.
Between two MST regions, the packet is forwarded along the CST.
Implementation of MSTP on devices
MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized
by devices running MSTP and used for spanning tree computing.
In addition to basic MSTP functions, many management-facilitating special functions
are provided, as follows:
Root bridge hold
Root bridge backup
Root guard
BPDU guard
Loop guard
Support for hot swapping of interface cards and active/standby changeover.
Configuring the Root Bridge
Configuration Tasks
Before configuring the root bridge, you need to know the position of each device in each MST instance: root bridge or leaf node. In each instance one, and only one, device acts as the root bridge, while all others act as leaf nodes. Complete the tasks in Table 123 to configure a device that acts as the root bridge.
If both GVRP and MSTP are enabled on a device at the same time, GVRP packets will be forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same device and you wish to advertise a certain VLAN within the network through GVRP, make sure that this VLAN is mapped to the CIST (instance 0) when configuring the VLAN-to-instance mapping table.
Table 123 Configuration Tasks
Task Remarks
Configuring an MST Region Required
Specifying the Root Bridge or a Secondary Root Bridge Optional
Configuring the Work Mode of MSTP Optional
Configuring the Priority of the Current Device Optional
Configuring the Maximum Hops of an MST Region Optional
Configuring the Network Diameter of a Switched Network Optional
Configuring Timers of MSTP Optional
Configuring the Timeout Factor Optional
Configuring the Maximum Transmission Rate of Ports Optional
Configuring Ports as Edge Ports Optional
Configuring Whether Ports Connect to Point-to-Point Links Optional
Configuring the MSTP Packet Format for Ports Optional
Enabling the MSTP Feature Required
Configuring an MST Region
Configuration procedure
Follow the steps in Table 124 to configure an MST region.
CAUTION: Two devices belong to the same MST region only if they are configured to have the same MST region name, the same VLAN-to-instance mapping entries in the MST region and the same MST region revision level, and they are interconnected via a physical link.
Your configuration of MST region-related parameters, especially the VLAN-to-instance mapping table, will cause MSTP to launch a new spanning tree computing process, which may result in network topology instability. To reduce the possibility of topology instability caused by configuration, MSTP will not immediately launch a new spanning tree computing process when processing MST region-related configurations; instead, such configurations will take effect only if you:
activate the MST region-related parameters using the active region-configuration command, or
enable MSTP using the stp enable command.
Configuration example
1 Configure the MST region name to be info, the MSTP revision level to be 1, and VLAN
2 through VLAN 10 to be mapped to instance 1 and VLAN 20 through VLAN 30 to
instance 2.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name info
[3Com-mst-region] instance 1 vlan 2 to 10
[3Com-mst-region] instance 2 vlan 20 to 30
[3Com-mst-region] revision-level 1
[3Com-mst-region] active region-configuration
Table 124 Configuring an MST Region
To...                                                      Use the command...                    Remarks
Enter system view                                          system-view                           -
Enter MST region view                                      stp region-configuration              -
Configure the MST region name                              region-name name                      Required. The MST region name is the MAC address by default
Configure the VLAN-to-instance mapping table               instance instance-id vlan vlan-list   Use either command. All VLANs in an MST region are mapped to MST instance 0 by default
                                                           vlan-mapping modulo modulo
Configure the MSTP revision level of the MST region        revision-level level                  Optional. 0 by default
Activate MST region configuration manually                 active region-configuration           Required
Display all the configuration information of the MST region   check region-configuration         Optional
Display the currently effective MST region configuration information   display stp region-configuration   The display command can be executed in any view
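The membership rule in the CAUTION above (same region name, same VLAN-to-instance mapping table, same revision level), applied to two devices' configurations as an added example that is not code from the 3Com guide. It builds the mapping table from "instance instance-id vlan vlan-list" entries as in Table 124; reading "2 to 10" as an inclusive range is an assumption about the vlan-list syntax, and the physical-link requirement is outside what a configuration comparison can check.

```python
"""Build and compare MST region configurations.

Added example, not code from the 3Com guide. Two devices share an MST region
only if their region name, VLAN-to-instance mapping table and revision level
are identical (and they are physically linked, which is not checked here).
The vlan-list syntax follows the configuration example above ("2 to 10");
expanding "a to b" as an inclusive range is an assumption.
"""

VLAN_MIN, VLAN_MAX = 1, 4094


class RegionConfig:
    """MST region attributes configured on one device."""

    def __init__(self, name, revision=0):
        self.name = name            # region-name (the MAC address by default)
        self.revision = revision    # revision-level, 0 by default
        # VLAN-to-instance table: every VLAN maps to instance 0 (the CIST)
        # until an "instance ... vlan ..." entry says otherwise.
        self.table = {v: 0 for v in range(VLAN_MIN, VLAN_MAX + 1)}

    def instance_vlan(self, instance_id, vlan_list):
        """Apply 'instance instance-id vlan vlan-list', e.g. '2 to 10' or
        '20 22 24 to 26'. Returns self so calls can be chained."""
        tokens = vlan_list.split()
        i = 0
        while i < len(tokens):
            start = int(tokens[i])
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                end, i = int(tokens[i + 2]), i + 3
            else:
                end, i = start, i + 1
            if not VLAN_MIN <= start <= end <= VLAN_MAX:
                raise ValueError(f"invalid VLAN range {start} to {end}")
            for v in range(start, end + 1):
                self.table[v] = instance_id
        return self

    def vlans_in(self, instance_id):
        """VLANs currently mapped to the given MST instance."""
        return [v for v, inst in self.table.items() if inst == instance_id]

    def gvrp_advertisable(self, vlan):
        """GVRP packets are forwarded along the CIST, so a VLAN advertised
        through GVRP must remain mapped to instance 0."""
        return self.table[vlan] == 0


def region_mismatch(a, b):
    """Reasons why devices a and b would NOT be in the same MST region.

    An empty list means all three configurable attributes agree.
    """
    reasons = []
    if a.name != b.name:
        reasons.append(f"region name differs: {a.name!r} vs {b.name!r}")
    if a.revision != b.revision:
        reasons.append(f"revision level differs: {a.revision} vs {b.revision}")
    diff = [v for v in a.table if a.table[v] != b.table[v]]
    if diff:
        detail = ", ".join(f"VLAN {v} -> {a.table[v]} vs {b.table[v]}"
                           for v in diff[:5])
        reasons.append(
            f"VLAN-to-instance mapping differs for {len(diff)} VLAN(s): {detail}")
    return reasons


def example_region():
    """The configuration example above: region 'info', revision level 1,
    VLANs 2 to 10 in instance 1 and VLANs 20 to 30 in instance 2."""
    return (RegionConfig("info", revision=1)
            .instance_vlan(1, "2 to 10")
            .instance_vlan(2, "20 to 30"))


if __name__ == "__main__":
    dev1 = example_region()
    # Constructed second device whose operator typed "2 to 9" instead of
    # "2 to 10": the single differing VLAN keeps it out of the region.
    dev2 = (RegionConfig("info", revision=1)
            .instance_vlan(1, "2 to 9")
            .instance_vlan(2, "20 to 30"))
    reasons = region_mismatch(dev1, dev2)
    print("same region:", not reasons)
    for reason in reasons:
        print(" ", reason)
```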
Specifying the Root Bridge or a Secondary Root Bridge
MSTP can determine the root bridge of a spanning tree through MSTP computing.
Alternatively, you can specify the current device as the root bridge using the commands
provided by the system.
Specifying the current device as the root bridge of a specific spanning tree
Follow the steps in Table 125 to specify the current device as the root bridge of a specific spanning tree.
Specifying the current device as a secondary root bridge of a specific spanning tree
Follow the steps in Table 126 to specify the current device as a secondary root bridge of a specific spanning tree.
Note that:
Upon specifying the current device as the root bridge or a secondary root bridge, you
cannot change the priority of the device.
You can configure the current device as the root bridge or a secondary root bridge of
an MST instance, which is specified by instance instance-id in the command. If
you set instance-id to 0, the current device will be the root bridge or a secondary root
bridge of the CIST.
The current device has independent roles in different instances. It can act as the root
bridge or a secondary root bridge of one instance while it can also act as the root
bridge or a secondary root bridge of another instance. However, the same device
cannot be the root bridge and a secondary root bridge in the same instance at the
same time.
You can specify the current device as the root bridge of different MST instances, but
you cannot specify two or more root bridges for the same instance at the same time.
Namely, do not use the same command on two or more devices to specify root
bridges for the same instance.
You can specify multiple secondary root bridges for the same instance. Namely, you can specify secondary root bridges for the same instance on two or more devices.
Table 125 Specifying the current device as the root bridge of a specific spanning tree
To...                                                                Use the command...                                                                                   Remarks
Enter system view                                                    system-view                                                                                          -
Specify the current device as the root bridge of a specific spanning tree   stp [ instance instance-id ] root primary [ bridge-diameter bridge-number ] [ hello-time centi-seconds ]   Required
Table 126 Specifying the current device as a secondary root bridge of a specific spanning tree
To...                                                                Use the command...                                                                                   Remarks
Enter system view                                                    system-view                                                                                          -
Specify the current device as a secondary root bridge of a specific spanning tree   stp [ instance instance-id ] root secondary [ bridge-diameter bridge-number ] [ hello-time centi-seconds ]   Required
When the root bridge of an instance fails or is shut down, the secondary root bridge
(if you have specified one) can take over the role of the instance. However, if you
specify a new root bridge for the instance at this time, the secondary root bridge will
not become the root bridge. If you have specified multiple secondary root bridges for
an instance, when the root bridge fails, MSTP will select the secondary root bridge
with the lowest MAC address as the new root bridge.
When specifying the root bridge or a secondary root bridge, you can specify the
network diameter and hello time. However, these two options are effective only for
MST instance 0, namely the CIST. If you include these two options in your command
for any other instance, your configuration can succeed, but they will not actually
work. For the description of network diameter and hello time, refer to Configuring
the Network Diameter of a Switched Network and Configuring Timers of MSTP.
Alternatively, you can also specify the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, refer to Configuring the Priority of the Current Device.
Configuration example
1 Specify the current device as the root bridge of MST instance 1 and a secondary root
bridge of MST instance 2.
<3Com> system-view
[3Com] stp instance 1 root primary
[3Com] stp instance 2 root secondary
Configuring the Work Mode of MSTP Device
MSTP and RSTP can recognize each other's protocol packets, so they are mutually compatible. However, STP is unable to recognize MSTP packets. For hybrid networking with legacy STP devices and full interoperability with RSTP-compliant devices, MSTP supports three work modes: STP-compatible mode, RSTP mode, and MSTP mode.
In STP-compatible mode, all ports of the device send out STP BPDUs,
In RSTP mode, all ports of the device send out RSTP BPDUs. If the device detects that
it is connected with a legacy STP device, the port connecting with the legacy STP
device will automatically migrate to STP-compatible mode.
In MSTP mode, all ports of the device send out MSTP BPDUs. If the device detects that
it is connected with a legacy STP device, the port connecting with the legacy STP
device will automatically migrate to STP-compatible mode.
Configuration procedure
Follow the steps in Table 127 to configure the MSTP work mode.
Configuration example
1 Configure MSTP to work in STP-compatible mode.
<3Com> system-view
[3Com] stp mode stp
Table 127 Configuring the Work Mode of MSTP Device
To...                               Use the command...               Remarks
Enter system view                   system-view                      -
Configure the work mode of MSTP     stp mode { stp | rstp | mstp }   Optional. MSTP mode by default
Configuring the Priority of the Current Device
The priority of a device determines whether it can be elected as the root bridge of a
spanning tree. A lower value indicates a higher priority. By setting the priority of a device
to a low value, you can specify the device as the root bridge of spanning tree. An
MSTP-compliant device can have different priorities in different MST instances.
Configuration procedure
Follow the steps in Table 128 to configure the priority of the current device.
CAUTION:
Upon specifying the current device as the root bridge or a secondary root bridge, you
cannot change the priority of the device.
During root bridge selection, if all devices in a spanning tree have the same priority,
the one with the lowest MAC address will be selected as the root bridge of the
spanning tree.
Configuration example
1 Set the device priority in MST instance 1 to 4096.
<3Com> system-view
[3Com] stp instance 1 priority 4096
Configuring the Maximum Hops of an MST Region
By setting the maximum hops of an MST region, you can restrict the region size. The
maximum hops setting configured on the regional root bridge will be used as the
maximum hops of the MST region.
After a configuration BPDU leaves the root bridge of the spanning tree in the region, its
hop count is decremented by 1 whenever it passes a device. When its hop count reaches
0, it will be discarded by the device that has received it. As a result, devices beyond the
maximum hops are unable to take part in spanning tree computing, and thereby the size
of the MST region is restricted.
Configuration procedure
Follow the steps in Table 129 to configure the maximum hops of the MST region.
A larger maximum hops setting means a larger size of the MST region. Only the
maximum hops configured on the regional root bridge can restrict the size of the MST
region.
Table 128 Configuring the Priority of the Current Device
To...                                     Use the command...                            Remarks
Enter system view                         system-view                                   -
Configure the priority of the current device   stp [ instance instance-id ] priority priority   Optional. 32768 by default
Table 129 Configuring the Maximum Hops of an MST Region
To...                                     Use the command...                            Remarks
Enter system view                         system-view                                   -
Configure the maximum hops of the MST region   stp max-hops hops                        Optional. 20 by default
Configuration example
1 Set the maximum hops of the MST region to 30.
<3Com> system-view
[3Com] stp max-hops 30
Configuring the Network Diameter of a Switched Network
Any two stations in a switched network are interconnected through specific paths, which are composed of a series of devices. The network diameter is the number of devices on the longest of these paths, that is, the path that comprises more devices than any other.
Configuration procedure
Follow the steps in Table 130 to configure the network diameter of the switched network.
CAUTION: Network diameter is a parameter that indicates network size. A bigger
network diameter represents a larger network size.
Based on the network diameter you configured, MSTP automatically sets an optimal
hello time, forward delay, and max age for the device.
The configured network diameter is effective for the CIST only, and not for MSTIs.
Configuration example
1 Set the network diameter of the switched network to 6.
<3Com> system-view
[3Com] stp bridge-diameter 6
Configuring Timers of MSTP
MSTP involves three timers: forward delay, hello time and max age.
Forward delay: the time a device waits before changing state. A link failure can trigger a spanning tree computing process, and the spanning tree structure will change accordingly. However, as a new configuration BPDU cannot be propagated throughout the network immediately, if the new root port and designated port began to forward data as soon as they were elected, a temporary loop could occur. For this reason, the protocol uses a state transition mechanism: a newly elected root port or designated port must wait twice the forward delay time before transitioning to the forwarding state, by which time the new configuration BPDU has been propagated throughout the network.
Hello time is used to detect whether a link is faulty. A device sends a hello packet to the devices around it at a regular interval of hello time to check whether any link is faulty.
Max age is used for determining whether a configuration BPDU has expired. A BPDU that has expired will be discarded by the device.
Table 130 Configuring the Network Diameter of a Switched Network
To...                                                   Use the command...                      Remarks
Enter system view                                       system-view                             -
Configure the network diameter of the switched network  stp bridge-diameter bridge-number       Optional. 7 by default
Configuration procedure
Follow the steps in Table 131 to configure the timers of MSTP.
These three timers set on the root bridge of the CIST apply on all the devices on the
entire switched network.
CAUTION:
The length of the forward delay time is related to the network diameter of the
switched network. Typically, the larger the network diameter is, the longer the
forward delay time should be. Note that if the forward delay setting is too small,
temporary redundant paths may be introduced; if the forward delay setting is too big,
it may take a long time for the network to resume connectivity. We recommend that
you use the default setting.
An appropriate hello time setting enables the device to timely detect link failures on
the network without using excessive network resources. If the hello time is set too
long, the device will take packet loss on a link for link failure and trigger a new
spanning tree computing process; if the hello time is set too short, the device will
send repeated configuration BPDUs frequently, which adds to the device burden and
causes waste of network resources. We recommend that you use the default setting.
If the max age setting is too small, the network devices will frequently launch spanning tree computing and may take network congestion for a link failure; if the max age setting is too large, the network may fail to detect link failures and launch spanning tree computing in time, thus reducing the auto-sensing capability of the network. We recommend that you use the default setting.
The settings of hello time, forward delay and max age must meet the following formulae; otherwise network instability will frequently occur.
2 × (forward delay − 1 second) ≥ max age
max age ≥ 2 × (hello time + 1 second)
We recommend that you specify the network diameter in the stp root primary
command and let MSTP automatically calculate an optimal setting of these three timers.
Table 131 Configuring Timers of MSTP
To...                                Use the command...                          Remarks
Enter system view                    system-view                                 -
Configure the forward delay timer    stp timer forward-delay centiseconds        Optional. 1,500 centiseconds (15 seconds) by default
Configure the hello time timer       stp timer hello centiseconds                Optional. 200 centiseconds (2 seconds) by default
Configure the max age timer          stp timer max-age centiseconds              Optional. 2,000 centiseconds (20 seconds) by default
Configuring the Root Bridge 199
Configuration example
1 Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds, and max
age to 2,100 centiseconds.
<3Com> system-view
[3Com] stp timer forward-delay 1600
[3Com] stp timer hello 300
[3Com] stp timer max-age 2100
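The two timer formulae in the CAUTION above are easy to get wrong when the three values are changed independently. The following added example, which is not part of the 3Com manual, checks a candidate timer set against those formulae before any stp timer command is issued; the function names are my own, the values are the Table 131 defaults and the ones in the configuration example, and all values are in centiseconds as the commands expect.

```python
# Added example (not from the 3Com manual): checks the MSTP timer
# constraints stated in this chapter before they are applied.
# Values are in centiseconds, the unit used by the stp timer commands.

def check_mstp_timers(forward_delay_cs, hello_cs, max_age_cs):
    """Return a list of violated constraints (an empty list means the
    settings are consistent).

    Constraints from the manual:
        2 * (forward delay - 1 s) >= max age
        max age >= 2 * (hello time + 1 s)
    """
    one_second = 100  # 1 second expressed in centiseconds
    problems = []
    left = 2 * (forward_delay_cs - one_second)
    if left < max_age_cs:
        problems.append(
            "2 x (forward delay - 1 s) = %d cs is less than max age = %d cs"
            % (left, max_age_cs))
    right = 2 * (hello_cs + one_second)
    if max_age_cs < right:
        problems.append(
            "max age = %d cs is less than 2 x (hello time + 1 s) = %d cs"
            % (max_age_cs, right))
    return problems


def timer_commands(forward_delay_cs, hello_cs, max_age_cs):
    """Build the system-view command lines for a consistent timer set.
    Raises ValueError instead of emitting commands that would violate the
    constraints, which is the instability the CAUTION warns about."""
    problems = check_mstp_timers(forward_delay_cs, hello_cs, max_age_cs)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "stp timer forward-delay %d" % forward_delay_cs,
        "stp timer hello %d" % hello_cs,
        "stp timer max-age %d" % max_age_cs,
    ]


if __name__ == "__main__":
    # Defaults from Table 131: 1,500 / 200 / 2,000 centiseconds.
    print(check_mstp_timers(1500, 200, 2000))
    # Values from the configuration example: 1,600 / 300 / 2,100.
    print(timer_commands(1600, 300, 2100))
    # A hello time of 12 s with the default max age breaks the second rule.
    print(check_mstp_timers(1500, 1200, 2000))
```

With the example values (1,600 / 300 / 2,100) both rules hold: 2 × (16 − 1) = 30 s ≥ 21 s and 21 s ≥ 2 × (3 + 1) = 8 s, so the three commands are produced; shortening forward delay to 10 s with the default max age fails the first rule.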
Configuring the Timeout Factor
A device sends a BPDU to the devices around it at a regular interval of hello time to check
whether any link is faulty. Typically, if a device does not receive a BPDU from the
upstream device within nine times the hello time, it will assume that the upstream device
has failed and start a new spanning tree computing process.
In a very stable network, this kind of spanning tree computing may occur because the
upstream device is busy. In this case, you can avoid such unwanted spanning tree
computing by lengthening the timeout time.
Configuration procedure
Follow these steps to configure the timeout factor:
Table 132 Configuring the Timeout Factor
To... | Use the command... | Remarks
Enter system view | system-view | -
Configure the timeout factor of the device | stp timer-factor number | Optional. 3 by default
Timeout time = timeout factor × 3 × hello time.
Typically, we recommend that you set the timeout factor to 5, 6, or 7 for a stable network.
Configuration example
1 Set the timeout factor to 6.
<3Com> system-view
[3Com] stp timer-factor 6
Configuring the Maximum Transmission Rate of Ports
The maximum transmission rate of a port refers to the maximum number of MSTP packets that the port can send within each hello time.
The maximum transmission rate of an Ethernet port is related to the physical status of the port and the network structure. You can make your configuration based on the actual networking condition.
Configuration procedure
Follow these steps to configure the maximum transmission rate of a port or a group of ports:
Table 133 Configuring the Maximum Transmission Rate of Ports
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Configure the maximum transmission rate of the port(s) | stp transmit-limit packet-number | Optional. 3 by default
If the maximum transmission rate setting of a port is too big, the port will send a large number of MSTP packets within each hello time, thus using excessive network resources. We recommend that you use the default setting.
Configuration example
1 Set the maximum transmission rate of port GigabitEthernet 1/0/1 to 5.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp transmit-limit 5
Configuring Ports as Edge Ports
If a port directly connects to a user terminal rather than another device or a shared LAN segment, this port is regarded as an edge port. When the network topology changes, an edge port will not cause a temporary loop. Therefore, if you specify a port as an edge port, this port can transition rapidly from the blocked state to the forwarding state without delay.
Configuration procedure
Follow these steps to specify a port or a group of ports as edge port(s):
Table 134 Configuring Ports as Edge Ports
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Configure the port(s) as edge port(s) | stp edged-port enable | Required. All Ethernet ports are non-edge ports by default
With BPDU guard disabled, when a port set as an edge port receives a BPDU from
another port, it will become a non-edge port again. In this case, you must reset the
port before you can configure it to be an edge port again.
If a port directly connects to a user terminal, configure it to be an edge port and
enable BPDU guard for it. This enables the port to transition to the forwarding state
while ensuring network security.
Configuration example
1 Configure GigabitEthernet 1/0/1 to be an edge port.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp edged-port enable
Configuring Whether Ports Connect to Point-to-Point Links
A point-to-point link is a link directly connecting with two devices. If the two ports across
a point-to-point link are root ports or designated ports, the ports can rapidly transition to
the forwarding state by transmitting synchronization packets.
Configuration procedure
Follow these steps to configure whether a port or a group of ports connect to point-to-point links:
Table 135 Configuring Whether Ports Connect to Point-to-Point Links
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Configure whether the port(s) connect to point-to-point links | stp point-to-point { force-true | force-false | auto } | Optional. The default setting is auto, namely the device automatically detects whether an Ethernet port connects to a point-to-point link
As for aggregated ports, all ports can be configured as connecting to point-to-point links. If a port works in auto-negotiation mode and the negotiation result is full duplex, this port can be configured as connecting to a point-to-point link.
If a port is configured as connecting to a point-to-point link, the setting takes effect for the port in all MST instances. If the physical link to which the port connects is not a point-to-point link and you force it to be a point-to-point link by configuration, your configuration may incur a temporary loop.
Configuration example
1 Configure port GigabitEthernet 1/0/1 as connecting to a point-to-point link.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp point-to-point force-true
Configuring the MSTP Packet Format for Ports
A port supports two types of MSTP packets:
• 802.1s-compliant standard format
• Compatible format
The default packet format setting is auto, namely a port recognizes the two MSTP packet formats automatically. You can configure the MSTP packet format to be used by a port on your command line. After your configuration, when working in MSTP mode, the port sends and receives only MSTP packets of the format you have configured.
Configuration procedure
Follow these steps to configure the MSTP packet format for a port or a group of ports:
Table 136 Configuring the MSTP Packet Format for Ports
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Configure the MSTP packet format for the port(s) | stp compliance { auto | dot1s | legacy } | Optional. auto by default
If the port is configured not to detect the packet format automatically while it works in MSTP mode, and it receives a packet in a format other than the configured one, that port will become a designated port and will remain in the discarding state to prevent the occurrence of a loop.
If a port frequently receives MSTP packets of different formats, the MSTP packet format configuration contains an error. In this case, if the port is working in MSTP mode, it will be disabled for protection. Ports closed in this way can be restored only by the network administrators.
Configuration example
1 Configure port GigabitEthernet 1/0/1 to receive and send standard-format MSTP packets.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp compliance dot1s
Enabling the MSTP Feature
Configuration procedure
Follow these steps to enable the MSTP feature:
Table 137 Enabling the MSTP Feature
To... | Use the command... | Remarks
Enter system view | system-view | -
Enable the MSTP feature for the device | stp enable | Required. Whether a device is MSTP-enabled by default depends on the specific device model.
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Enable the MSTP feature for the port(s) | stp enable | Optional. By default, MSTP is enabled for all ports after it is enabled for the device globally
Disable the MSTP feature for the port(s) | stp disable or undo stp | Optional. To control MSTP flexibly, you can disable the MSTP feature for certain Ethernet ports so that these ports do not take part in spanning tree computing, which saves the device's CPU resources
You must enable MSTP for the device before any other MSTP-related configuration can take effect.
Configuration example
1 Enable MSTP for the device and disable MSTP for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] stp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp disable
Configuring Leaf Nodes
Configuration Tasks
Before configuring the root bridge, you need to know the position of each device in each MST instance: root bridge or leaf node. In each instance, one and only one device acts as the root bridge, while all the others act as leaf nodes. Complete these tasks to configure a device that acts as a leaf node:
Table 138 Configuring Leaf Nodes
Task | Remarks
Configuring an MST Region | Required
Configuring the Work Mode of MSTP | Optional
Configuring the Timeout Factor | Optional
Configuring the Maximum Transmission Rate of Ports | Optional
Configuring Ports as Edge Ports | Optional
Configuring Path Costs of Ports | Optional
Configuring Port Priority | Optional
Configuring Whether Ports Connect to Point-to-Point Links | Optional
Configuring the MSTP Packet Format for Ports | Optional
Enabling the MSTP Feature | Required
If both GVRP and MSTP are enabled on a device, GVRP packets will be forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same device and you wish to advertise a certain VLAN within the network through GVRP, make sure that this VLAN is mapped to the CIST (instance 0) when configuring the VLAN-to-instance mapping table.
Configuring an MST Region
Refer to section Configuring an MST Region.
Configuring the Work Mode of MSTP
Refer to section Configuring the Work Mode of MSTP Device.
Configuring the Timeout Factor
Refer to section Configuring the Timeout Factor.
Configuring the Maximum Transmission Rate of Ports
Refer to section Configuring the Maximum Transmission Rate of Ports.
Configuring Ports as Edge Ports
Refer to section Configuring Ports as Edge Ports.
Configuring Path Costs of Ports
Path cost is a parameter related to the rate of port-connected links. On an MSTP-compliant device, ports can have different priorities in different MST instances. Setting an appropriate path cost allows VLAN traffic flows to be forwarded along different physical links, thus enabling per-VLAN load balancing.
The device can automatically calculate the default path cost; alternatively, you can also
configure the path cost for ports.
Specifying a standard that the device uses when calculating the default path cost
You can specify a standard for the device to use in automatic calculation of the default path cost. The device supports the following standards:
• dot1d-1998: The device calculates the default path cost for ports based on IEEE 802.1D-1998.
• dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
• legacy: The device calculates the default path cost for ports based on a private standard.
Follow these steps to specify a standard for the device to use when calculating the default path cost:
Table 139 Specifying a standard that the device uses when calculating the default path cost
To... | Use the command... | Remarks
Enter system view | system-view | -
Specify a standard for the device to use when calculating the default path cost of the link connected with the device | stp pathcost-standard { dot1d-1998 | dot1t | legacy } | Optional. The default standard used by the device depends on the specific device model.
Table 140 Link speed vs. path cost
Link speed | Duplex state | 802.1D-1998 | 802.1t | Private standard
0 | - | 65535 | 200,000,000 | 200,000
10Mbit/s | Half-Duplex/Full-Duplex | 100 | 2,000,000 | 2,000
10Mbit/s | Aggregated Link 2 Ports | 100 | 1,000,000 | 1,800
10Mbit/s | Aggregated Link 3 Ports | 100 | 666,666 | 1,600
10Mbit/s | Aggregated Link 4 Ports | 100 | 500,000 | 1,400
100Mbit/s | Half-Duplex/Full-Duplex | 19 | 200,000 | 200
100Mbit/s | Aggregated Link 2 Ports | 19 | 100,000 | 180
100Mbit/s | Aggregated Link 3 Ports | 19 | 66,666 | 160
100Mbit/s | Aggregated Link 4 Ports | 19 | 50,000 | 140
1000Mbit/s | Full-Duplex | 4 | 20,000 | 20
1000Mbit/s | Aggregated Link 2 Ports | 4 | 10,000 | 18
1000Mbit/s | Aggregated Link 3 Ports | 4 | 6,666 | 16
1000Mbit/s | Aggregated Link 4 Ports | 4 | 5,000 | 14
10Gbit/s | Full-Duplex | 2 | 2,000 | 2
10Gbit/s | Aggregated Link 2 Ports | 2 | 1,000 | 1
10Gbit/s | Aggregated Link 3 Ports | 2 | 666 | 1
10Gbit/s | Aggregated Link 4 Ports | 2 | 500 | 1
In the calculation of the path cost value of an aggregated link, 802.1D-1998 does not take into account the number of ports in the aggregated link, whereas 802.1t does. The 802.1t calculation formula is: Path Cost = 200,000,000 / link speed in 100 kbps, where link speed is the sum of the link speed values of the non-blocked ports in the aggregated link.
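The following added example, which is not part of the 3Com manual, carries the 802.1t formula above through the aggregated-link rows of Table 140 and reproduces the other two columns alongside it, so the three values a device may pick as a default can be compared before choosing a pathcost standard. The 802.1D-1998 and private-standard values are taken from Table 140; the private-standard rule (10% of the single-link cost per extra port, truncated) is my own inference from those table values rather than a documented formula, and the function names are my own.

```python
# Added example (not from the 3Com manual): default path cost under the
# three standards listed in Table 140, derived from the link speed and the
# number of non-blocked ports in an aggregated link.

# Table 140 values for the two standards that are not given as a formula.
DOT1D_1998 = {10: 100, 100: 19, 1000: 4, 10000: 2}      # per speed in Mbit/s
LEGACY_SINGLE = {10: 2000, 100: 200, 1000: 20, 10000: 2}  # single-link cost


def dot1t_path_cost(speed_mbps, ports=1):
    """802.1t: 200,000,000 / (aggregate link speed in units of 100 kbps),
    truncated to an integer as the table shows (e.g. 666,666 for 3 x 10M).
    The aggregate speed is the sum over the non-blocked ports."""
    aggregate_100kbps = speed_mbps * 10 * ports   # 1 Mbit/s = 10 x 100 kbps
    if aggregate_100kbps == 0:
        return 200_000_000                        # Table 140 row for speed 0
    return 200_000_000 // aggregate_100kbps


def dot1d_1998_path_cost(speed_mbps, ports=1):
    """802.1D-1998: depends on the speed only, not on the number of ports."""
    return 65535 if speed_mbps == 0 else DOT1D_1998[speed_mbps]


def legacy_path_cost(speed_mbps, ports=1):
    """Private standard. ASSUMPTION inferred from Table 140: each extra port
    removes 10% of the single-link cost, truncated (2 -> 1 at 10 Gbit/s)."""
    if speed_mbps == 0:
        return 200_000
    return (LEGACY_SINGLE[speed_mbps] * (11 - ports)) // 10


def default_path_cost(standard, speed_mbps, ports=1):
    """Dispatch on the keyword used with 'stp pathcost-standard'."""
    calc = {"dot1d-1998": dot1d_1998_path_cost,
            "dot1t": dot1t_path_cost,
            "legacy": legacy_path_cost}[standard]
    return calc(speed_mbps, ports)


if __name__ == "__main__":
    for speed in (10, 100, 1000, 10000):
        for ports in (1, 2, 3, 4):
            print(speed, ports,
                  [default_path_cost(s, speed, ports)
                   for s in ("dot1d-1998", "dot1t", "legacy")])
```

Running the block prints one line per Table 140 row; the dot1t column shows why an aggregated link is preferred under 802.1t (a 4-port gigabit bundle costs 5,000 against 20,000 for a single link) while 802.1D-1998 cannot distinguish the two.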
Configuring Path Costs of Ports
Follow these steps to configure the path cost of ports:
Table 141 Configuring Path Costs of Ports
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Configure the path cost of the port(s) | stp [ instance instance-id ] cost cost | Required. By default, MSTP automatically calculates the path cost of each port
CAUTION:
If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will no longer take effect.
When the path cost of a port is changed, MSTP will re-compute the role of the port and initiate a state transition. If you use 0 as instance-id, you are setting the path cost of the CIST.
Configuration example (1)
1 Set the path cost of GigabitEthernet 1/0/1 in MST instance 1 to 2000.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 cost 2000
Configuration example (2)
1 Configure the path cost of GigabitEthernet 1/0/1 in MST instance 1 to be calculated by MSTP as per IEEE 802.1D-1998.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] undo stp instance 1 cost
[3Com-GigabitEthernet1/0/1] quit
[3Com] stp pathcost-standard dot1d-1998
Configuring Port Priority
The priority of a port is an important basis for determining whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority will be elected as the root port.
On an MSTP-compliant device, a port can have different priorities in different MST
instances, and the same port can play different roles in different MST instances, so that
data of different VLANs can be propagated along different physical paths, thus
implementing per-VLAN load balancing. You can set port priority values based on the
actual networking requirements.
Configuration procedure
Follow these steps to configure the priority of a port or a group of ports:
Table 142 Configuring Port Priority
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Configure port priority | stp [ instance instance-id ] port priority priority | Optional. 128 for all Ethernet ports by default
When the priority of a port is changed, MSTP will re-compute the role of the port and initiate a state transition.
Generally, a lower configured priority value indicates a higher priority of the port. If you configure the same priority value for all the Ethernet ports on a device, the specific priority of a port depends on the index number of that port. Changing the priority of an Ethernet port triggers a new spanning tree computing process.
Configuration example
1 Set the priority of port GigabitEthernet 1/0/1 to 16 in MST instance 1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 port priority 16
Configuring Whether Ports Connect to Point-to-Point Links
Refer to Configuring Whether Ports Connect to Point-to-Point Links.
Configuring the MSTP Packet Format for Ports
Refer to Configuring the MSTP Packet Format for Ports.
Enabling the MSTP Feature
Refer to Enabling the MSTP Feature.
Performing mCheck
Ports on an MSTP-compliant device have three working modes: STP-compatible mode, RSTP mode, and MSTP mode.
In a switched network, if a port on a device running MSTP (or RSTP) connects to a device running STP, this port will automatically migrate to the STP-compatible mode. However, if the device running STP is removed, this port will not be able to migrate automatically back to the MSTP (or RSTP) mode, but will remain working in the STP-compatible mode. In this case, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode.
You can perform mCheck on a port through two approaches, which lead to the same result.
Configuration prerequisites
MSTP has been correctly configured on the device.
Performing mCheck globally
Follow these steps to perform mCheck globally:
Table 143 Performing mCheck globally
To... | Use the command... | Remarks
Enter system view | system-view | -
Perform mCheck | stp mcheck | Required
Performing mCheck in Ethernet port view
Follow these steps to perform mCheck in Ethernet port view:
Table 144 Performing mCheck in Ethernet port view
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Perform mCheck | stp mcheck | Required
CAUTION: The stp mcheck command is meaningful only when the device works in the MSTP (or RSTP) mode, not in the STP-compatible mode.
Configuration example
1 Perform mCheck on port GigabitEthernet 1/0/1.
a Method 1: Perform mCheck globally.
<3Com> system-view
[3Com] stp mcheck
b Method 2: Perform mCheck in Ethernet port view.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp mcheck
Configuring Protection Functions
An MSTP-compliant device supports the following protection functions:
• BPDU guard
• Root guard
• Loop guard
• TC-BPDU attack guard
Among loop guard, root guard and edge port setting, only one function can take effect on the same port at the same time.
The purposes of these protection functions are as follows:
BPDU guard
For access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition of these ports. When these ports receive configuration BPDUs, the system will automatically set these ports as non-edge ports and start a new spanning tree computing process. This will cause network topology instability. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, network instability will occur.
MSTP provides the BPDU guard function to protect the system against such attacks. With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs, the system will close these ports and notify the NMS that these ports have been closed by MSTP. Ports closed in this way can be restored only by the network administrators.
Root guard
The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design. However, due to possible configuration errors or malicious attacks in the network, the legal root bridge may receive a configuration BPDU with a higher priority. In this case, the current root bridge will be superseded by another device, causing an undesired change of the network topology. As a result of this kind of illegal topology change, the traffic that should go over high-speed links is drawn to low-speed links, resulting in network congestion.
To prevent this situation from happening, MSTP provides the root guard function to protect the root bridge. If the root guard function is enabled on a port, this port will keep playing the role of designated port on all MST instances. Once this port receives a configuration BPDU with a higher priority from an MST instance, it immediately sets that instance port to the listening state, without forwarding the packet (this is equivalent to disconnecting the link connected with this port). If the port receives no BPDUs with a higher priority within a sufficiently long time, the port will revert to its original state.
Loop guard
By keeping receiving BPDUs from the upstream device, a device can maintain the state of
the root port and other blocked ports. However, due to link congestion or unidirectional
link failures, these ports may fail to receive BPDUs from the upstream device. In this case,
the downstream device will reselect the port roles: those ports failed to receive upstream
BPDUs will become designated ports and the blocked ports will transition to the
forwarding state, resulting in loops in the switched network. The loop guard function
can suppress the occurrence of such loops.
If a loop guard-enabled port fails to receive BPDUs from the upstream device, and if the port took part in STP computing, all the instances on the port, no matter what roles they play, will be set to, and stay in, the Discarding state.
TC-BPDU attack guard
When receiving a TC-BPDU packet (a packet used as notification of topology change), the device will delete the corresponding MAC address entry and ARP entry. If someone forges TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time, and the frequent deletion operations place a heavy burden on the device and endanger network stability.
With the TC-BPDU guard function enabled, the device performs a deletion operation
only once within a certain period of time (typically 10 seconds) after it receives a
TC-BPDU, and monitors whether a new TC-BPDU is received within that period of time. If
a new TC-BPDU is received within that period of time, the device will perform another
deletion operation after that period of time elapses. This prevents frequent deletion of
MAC address entries and ARP entries.
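The behaviour described in the two paragraphs above is a rate limiter on flush operations. The following added example, which is not part of the 3Com manual, models that limiter so the effect of the guard on a constructed TC-BPDU flood can be counted: one flush when the first TC-BPDU arrives, at most one deferred flush per 10-second period while TC-BPDUs keep arriving. The function names, the constructed arrival times and the modelling choice that a deferred flush opens a new period are my own assumptions; the 10-second period is the typical value the text quotes.

```python
# Added example (not from the 3Com manual): simulation of the TC-BPDU
# attack guard policy described in this section, used to compare the number
# of MAC/ARP flush operations with and without the guard.

def flushes_without_guard(tc_bpdu_times):
    """Without the guard every received TC-BPDU triggers a flush."""
    return sorted(tc_bpdu_times)


def flushes_with_guard(tc_bpdu_times, window=10):
    """Model of the guard (assumption: a deferred flush opens a new period).

    - The first TC-BPDU outside any open period triggers an immediate flush
      and opens a period of `window` seconds.
    - TC-BPDUs arriving inside an open period are only remembered.
    - When the period elapses and a TC-BPDU was seen inside it, one
      deferred flush is performed and a new period starts.

    Returns the list of times (seconds) at which a flush is performed.
    """
    flush_times = []
    window_end = None      # end of the currently open guard period
    pending = False        # a TC-BPDU arrived during the open period
    for t in sorted(tc_bpdu_times):
        # Expire periods that ended before this packet, performing any
        # deferred flush they owe.
        while window_end is not None and t >= window_end:
            if pending:
                flush_times.append(window_end)
                pending = False
                window_end += window
            else:
                window_end = None
        if window_end is None:
            flush_times.append(t)      # no open period: flush immediately
            window_end = t + window
        else:
            pending = True             # inside a period: remember only
    if pending:                        # period still open after last packet
        flush_times.append(window_end)
    return flush_times


if __name__ == "__main__":
    # Constructed flood: one forged TC-BPDU every 0.5 s for one minute.
    flood = [i * 0.5 for i in range(120)]
    print(len(flushes_without_guard(flood)))   # 120 flushes
    print(len(flushes_with_guard(flood)))      # 7 flushes (0, 10, ..., 60)
```

For the constructed one-minute flood the unguarded device flushes 120 times, the guarded device 7 times, which is the "at most once per period" bound the guard is meant to provide; a sparse, legitimate topology change (two TC-BPDUs 25 seconds apart) is still handled immediately on both arrivals.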
Configuration
prerequisites
MSTP has been correctly configured on the device.
Enabling BPDU Guard
The support for this feature depends on the specific device model.
We recommend that you enable BPDU guard if your device supports this function.
Configuration procedure
Follow these steps to enable BPDU guard:
Table 145 Enabling BPDU Guard
To... | Use the command... | Remarks
Enter system view | system-view | -
Enable the BPDU guard function for the device | stp bpdu-protection | Required. Disabled by default
Configuration example
1 Enable BPDU protection.
<3Com> system-view
[3Com] stp bpdu-protection
Enabling Root Guard
The support for this feature depends on the specific device model.
We recommend that you enable root guard if your device supports this function.
Configuration procedure
Follow these steps to enable root guard:
Table 146 Enabling Root Guard
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Enable the root guard function for the port(s) | stp root-protection | Required. Disabled by default
Configuration example
1 Enable the root guard function for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp root-protection
Enabling Loop Guard
The support for this feature depends on the specific device model.
We recommend that you enable loop guard if your device supports this function.
Configuration procedure
Follow these steps to enable loop guard:
Table 147 Enabling Loop Guard
To... | Use the command... | Remarks
Enter system view | system-view | -
Enter Ethernet port view (or port group view) | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command (see the previous row)
Enable the loop guard function for the port(s) | stp loop-protection | Required. Disabled by default
Configuration example
1 Enable the loop guard function for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp loop-protection
Enabling TC-BPDU Attack Guard
Configuration procedure
Follow these steps to enable TC-BPDU attack guard:
Table 148 Enabling TC-BPDU Attack Guard
To... | Use the command... | Remarks
Enter system view | system-view | -
Enable the TC-BPDU attack guard function | stp tc-protection enable | Optional. Enabled by default
We recommend that this function should not be disabled.
Configuration example
1 Enable the TC-BPDU attack guard function.
<3Com> system-view
[3Com] stp tc-protection enable
Displaying and Maintaining MSTP
Table 149 Displaying and Maintaining MSTP
To... | Use the command... | Remarks
View the status information and statistics information of MSTP | display stp [ instance instance-id ] [ interface interface-list | slot slot-number ] [ brief ] | Available in any view
View the MST region configuration information that has taken effect | display stp region-configuration | Available in any view
Clear the statistics information of MSTP | reset stp [ interface interface-list ] | Available in user view
MSTP Configuration Example
Network requirements
Configure MSTP so that packets of different VLANs are forwarded along different spanning trees. The specific configuration requirements are as follows:
• All devices on the network are in the same MST region.
• Packets of VLAN 10 are forwarded along MST instance 1, those of VLAN 30 are forwarded along MST instance 3, those of VLAN 40 are forwarded along MST instance 4, and those of VLAN 20 are forwarded along MST instance 0.
• Switch A and Switch B are convergence layer devices, while Switch C and Switch D are access layer devices. VLAN 10 and VLAN 30 are terminated on the convergence layer devices, and VLAN 40 is terminated on the access layer devices, so the root bridges of MST instance 1 and MST instance 3 are Switch A and Switch B respectively, while the root bridge of MST instance 4 is Switch C.
Network diagram
Figure 59 Network diagram for MSTP configuration
"Permit:" beside each link in the figure lists the VLANs whose packets are permitted to pass that link.
Configuration procedure
1 Configuration on Switch A
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
c Define Switch A as the root bridge of MST instance 1.
[3Com] stp instance 1 root primary
d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector : 0
Region name : example
Revision level : 0
Instance Vlans Mapped
0 1 to 9, 11 to 29, 31 to 39, 41 to 4094
1 10
3 30
4 40
[Figure 59 (diagram not reproduced): Switch A, Switch B, Switch C and Switch D; link labels: "Permit: VLAN 10, 20", "Permit: VLAN 20, 30", "Permit: all VLAN", "Permit: VLAN 20, 40"]
2 Configuration on Switch B
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
c Define Switch B as the root bridge of MST instance 3.
[3Com] stp instance 3 root primary
d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector : 0
Region name : example
Revision level : 0
Instance Vlans Mapped
0 1 to 9, 11 to 29, 31 to 39, 41 to 4094
1 10
3 30
4 40
3 Configuration on Switch C
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
c Define Switch C as the root bridge of MST instance 4.
[3Com] stp instance 4 root primary
d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
   Format selector    :0
   Region name        :example
   Revision level     :0

   Instance  Vlans Mapped
      0      1 to 9, 11 to 29, 31 to 39, 41 to 4094
      1      10
      3      30
      4      40
4 Configuration on Switch D
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
c View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
   Format selector    :0
   Region name        :example
   Revision level     :0

   Instance  Vlans Mapped
      0      1 to 9, 11 to 29, 31 to 39, 41 to 4094
      1      10
      3      30
      4      40
20 IP ADDRESSING CONFIGURATION
IP addressing uses a 32-bit address to identify each host on the network.
This chapter tells you how to assign IP addresses to interfaces on your device. Use the
following table to find the information you need.
IP Addressing
Overview
To get more information about IP addressing, go to these topics:
IP Address Classes
Subnetting and Masking
IP Address Classes
IP addresses are represented in dotted decimal notation, each being four octets in length,
for example, 10.1.1.1.
Each IP address breaks down into two parts:
Net-id, the first several bits of the IP address defining a network, also known as class
bits.
Host-id, identifies a host on a network.
For administrative purposes, IP addresses are divided into five classes. Which class an IP
address belongs to depends on the first one to four bits of the net-id, as shown in the
following figure.
Table 150 Information
If you need to | Go to
Know how IP addresses are expressed and classified, how subnetting works, and what IP unnumbered is | IP Addressing Overview
Assign IP addresses to interfaces | Configuring IP Addresses
Consult the display commands available for verifying IP addressing configuration | Displaying and Maintaining IP Addressing
Figure 60 IP address classes
The following table describes the address ranges of these five classes.
Subnetting and Masking
In the 1980s, subnetting was developed to address the risk of IP address exhaustion that
resulted from the fast expansion of the Internet. The idea is to break a network down into
smaller networks called subnets by using some bits of the host-id to create a subnet-id.
To identify the boundary between the net-id and the host-id, masking is used.
Each subnet mask comprises 32 bits that correspond to the bits of an IP address. In a
mask, the part containing consecutive ones identifies the net-id, whereas the part
containing consecutive zeros identifies the host-id.
Figure 61 shows how a Class B address is subnetted.
Figure 61 Subnetting a Class B address
Table 151 IP address classes
Class | Address range | Description
A | 0.0.0.0 to 127.255.255.255 | Addresses starting with 127 are reserved for loopback tests. Packets destined to these addresses are processed internally as input packets rather than sent to the line.
B | 128.0.0.0 to 191.255.255.255 | -
C | 192.0.0.0 to 223.255.255.255 | -
D | 224.0.0.0 to 239.255.255.255 | Unlike Class A, B, and C addresses, Class D addresses are used for multicast addressing.
E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255.
[Figure 60 (diagram): the leading bits of the 32-bit address select the class: 0 for Class A, 10 for Class B, 110 for Class C, 1110 for Class D (multicast address), 11110 for Class E (reserved address); Class A, B and C addresses split into a net-id and a host-id.]
[Figure 61 (diagram): a Class B address with the net-id in bits 0 to 15 and the host-id in bits 16 to 31; after subnetting, bits 16 to 21 become the subnet-id and bits 22 to 31 the host-id, and the mask's 1s cover the net-id and subnet-id while its 0s cover the host-id.]
While allowing you to create multiple logical networks within a single Class A, B, or C
network, subnetting is transparent to the rest of the Internet. All these networks still
appear as one. As subnetting adds an additional level, subnet-id, to the two-level
hierarchy with IP addressing, IP routing now involves three steps: delivery to the site,
delivery to the subnet, and delivery to the host.
Subnetting is a trade-off between subnets and accommodated hosts. For example, a
Class B network can accommodate 65,534 hosts before being subnetted. After you
break it down into 64 subnets by using the first 6 bits of the host-id for the subnet, you
have only 10 bits for the host-id and thus have only 1022 (2^10 - 2) hosts in each subnet.
The maximum number of hosts is thus 65,408 (64 x 1022), 126 less after the network is
subnetted.
Class A, B, and C networks, before being subnetted, use these default masks (also called
natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
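The class and subnetting arithmetic above, worked through in Python as an added example that is not part of the manual: it classifies an address by its leading bits, splits it into net-id and host-id by ANDing with the mask, and reproduces the Class B trade-off described in the text (64 subnets of 1022 hosts). The function names are constructed for this illustration; the address 129.102.8.10 is the one used later in the routing chapter.

```python
"""Class and subnetting arithmetic from the text above, as an added illustration.

Standard library only. The functions and the sample plan are constructed here and
are not taken from the switch software.
"""
import ipaddress

CLASS_NET_BITS = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Classify by the leading bits of the first octet (0, 10, 110, 1110, 11110)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"      # leading bit 0
    if first < 192:
        return "B"      # leading bits 10
    if first < 224:
        return "C"      # leading bits 110
    if first < 240:
        return "D"      # leading bits 1110, multicast
    return "E"          # leading bits 11110, reserved


def natural_mask(addr: str) -> str:
    """Default (natural) mask of a Class A, B or C address."""
    bits = CLASS_NET_BITS[address_class(addr)]
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF))


def split_address(addr: str, mask: str) -> tuple:
    """Return (net-id, host-id) by ANDing the address with the mask and with its inverse."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    net_id = ipaddress.IPv4Address(a & m)
    host_id = ipaddress.IPv4Address(a & ~m & 0xFFFFFFFF)
    return str(net_id), str(host_id)


def subnet_plan(addr: str, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the host-id of a classful network and report the trade-off."""
    net_bits = CLASS_NET_BITS[address_class(addr)]
    host_bits = 32 - net_bits - subnet_bits
    if host_bits < 2:
        raise ValueError("at least 2 host bits are needed (network and broadcast addresses)")
    mask_int = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    subnets = 2 ** subnet_bits
    hosts_per_subnet = 2 ** host_bits - 2      # minus the network and broadcast addresses
    hosts_before = 2 ** (32 - net_bits) - 2    # the same network before subnetting
    return {
        "mask": str(ipaddress.IPv4Address(mask_int)),
        "mask_length": net_bits + subnet_bits,
        "subnets": subnets,
        "hosts_per_subnet": hosts_per_subnet,
        "total_hosts": subnets * hosts_per_subnet,
        "hosts_lost": hosts_before - subnets * hosts_per_subnet,
    }


if __name__ == "__main__":
    # The Class B case from the text: 6 subnet bits give 64 subnets of 1022 hosts.
    print(natural_mask("129.102.8.10"), split_address("129.102.8.10", "255.255.0.0"))
    print(subnet_plan("129.102.8.10", 6))
```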
Configuring IP Addresses
For a VLAN interface, an IP address can be obtained in one of the three ways:
Manually configured by using the IP address configuration command
Allocated by the BOOTP server
Allocated by the DHCP server
The three methods are mutually exclusive and the use of a new method will result in the
IP address obtained by the old method being released. For example, if you obtain an IP
address by using the IP address configuration command, and then use the ip address
bootp-alloc command to apply for an IP address, the originally configured IP address
is deleted and a new IP address will be allocated by BOOTP for the VLAN interface.
This chapter only covers how to assign an IP address manually. For the other two
methods of obtaining IP addresses, refer to the DHCP module.
This section includes:
Assigning an IP Address to an Interface
IP Addressing Configuration Example
Assigning an IP Address to an Interface
Follow these steps to assign an IP address to an interface:
Table 152 Assigning an IP Address to an Interface
To do | Use the command | Remarks
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Assign an IP address to the interface | ip address ip-address { mask | mask-length } | Required. No IP address is assigned by default.
You can configure IP addresses for VLAN interface and Loopback interface on Switch
4500G Switches.
IP Addressing Configuration Example
Network requirements
Set the IP address and subnet mask of VLAN interface 1 to 129.2.2.1 and 255.255.255.0
respectively.
Network diagram
Figure 62 IP address configuration
Configuration procedure
Configure an IP address for VLAN interface 1.
<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 129.2.2.1 255.255.255.0
Displaying IP Addressing
Table 153 Displaying IP Addressing
To do | Use the command | Remarks
Display detailed information about the IP configuration of a specified interface | display ip interface [ interface-type interface-number ] | Available in any view
Display brief information about the basic IP configuration of a specified interface or of all interfaces | display ip interface brief [ interface-type interface-number ] | Available in any view
21 IP PERFORMANCE CONFIGURATION
Introduction to IP performance
In some network environments, you need to adjust the parameters for the best IP
performance. IP performance configuration includes:
TCP timer
Size of TCP receiving/sending buffer
Sending ICMP error packets
Permitting Receiving and Forwarding of Directed Broadcast Packets
Configuring TCP attributes
TCP attributes that can be configured include:
synwait timer: Before sending a SYN packet, TCP starts the synwait timer. If no
response packet is received before the synwait timer expires, the TCP connection is not
established.
finwait timer: When the TCP connection is in the FIN_WAIT_2 state, the finwait timer is
started. If no FIN packet is received before the timer expires, the TCP connection is
terminated. If a FIN packet is received, the TCP connection state changes to TIME_WAIT,
and the timer is restarted from the receipt of the last non-FIN packet; the connection is
closed when the timer expires.
Size of the TCP receiving/sending buffer
Table 154 Configuring TCP attributes
To do | Use the command | Remarks
Enter system view | system-view | -
Configure the timeout value of the TCP synwait timer | tcp timer syn-timeout time-value | Optional. By default, the timeout value is 75 seconds.
Configure the timeout value of the TCP finwait timer | tcp timer fin-timeout time-value | Optional. By default, the timeout value is 675 seconds.
Configure the size of the TCP receiving/sending buffer | tcp window window-size | Optional. By default, the buffer is 8 KB.
Configuring sending ICMP error packets
Sending error packets is a major function of the ICMP protocol. ICMP packets are
typically sent by protocols at the network or transport layer to notify the corresponding
devices, so as to facilitate control and management.
Advantage of sending ICMP error packets
There are three kinds of ICMP error packets: redirection packets, timeout packets and
destination unreachable packets. Their sending conditions and functions are as follows.
1 Sending ICMP redirect packets
When a host starts, its routing table may contain only a default route to the default
gateway. The default gateway sends ICMP redirect packets to the source host, telling it
to select a better next-hop router for subsequent packets, if all of the following
conditions are satisfied:
The device finds that the receiving and sending interfaces are the same while
forwarding the data packets.
The selected route has not been created or modified by ICMP redirect packets.
The selected route is not the default route of the host.
The source IP address of the data packets and the next-hop IP address of the selected
route belong to the same network segment.
You can use ICMP redirect packets to simplify host administration and find the best
route by building a sound routing table for hosts that hold little routing information.
2 Sending ICMP timeout packets
With sending ICMP timeout packets enabled, when a timeout error occurs after the
device receives an IP data packet, the device drops the data packet and sends an ICMP
error packet to the source.
The device sends an ICMP timeout packet under the following conditions:
If a device receives a data packet whose TTL field is 1 and finds that the destination of
the packet is not local, it sends a TTL timeout ICMP error message.
When the device receives the first fragment of an IP packet whose destination address
is local, it starts a timer. If the timer expires before all the fragments are received, the
device sends a reassembly timeout ICMP error packet.
3 Sending ICMP destination unreachable packets
With sending ICMP destination unreachable packets enabled, when a destination
unreachable error occurs after the device receives an IP data packet, the device drops
the data packet and sends an ICMP error packet to the source.
The device sends an ICMP destination unreachable packet under the following
conditions:
When forwarding a packet, if the device finds neither a matching route nor a default
route in the routing table, it sends a network unreachable ICMP error packet.
When receiving a data packet whose destination address is local, if the transport layer
protocol is not available on the device, the device sends a protocol unreachable ICMP
error packet to the source.
When receiving a data packet whose destination address is local and whose transport
layer protocol is UDP, if the destination port number does not match a running process,
the device sends a port unreachable ICMP error packet to the source.
When a packet is sent with strict source routing, if an intermediate device finds that
the next hop given by the source route is a device not directly connected to its
network, it sends a source routing failed ICMP error packet to the source.
When forwarding a packet, if the MTU of the outgoing interface is smaller than the
packet but the packet is marked as not to be fragmented, the device sends a
fragmenting required but unavailable ICMP error packet to the source.
Disadvantage of sending ICMP error packets
Although sending ICMP error packets facilitates control and management, it has the
following disadvantages:
Sending a lot of ICMP packets increases network traffic.
If the device receives a lot of malicious packets that make it send many ICMP error
packets, its performance is reduced.
As redirects add entries to a host's routing table, a great increase in redirects reduces
the host's performance.
Because ICMP destination unreachable packets are passed up to users' processes, end
users may be affected if there are malicious attacks.
To prevent such problems, you can disable the device from sending ICMP error packets,
which reduces network traffic and avoids malicious attacks.
After sending ICMP destination unreachable packets is disabled, the device stops
sending network unreachable and source routing failed ICMP error packets, but still
sends the other destination unreachable packets normally.
After sending ICMP timeout packets is disabled, the device stops sending TTL timeout
ICMP error packets, but still sends reassembly timeout error packets normally.
Table 155 Disable sending ICMP error packets
To do | Use the command | Remarks
Enter system view | system-view | -
Disable sending ICMP redirect packets | undo ip redirects | Required. Sending ICMP redirect packets is enabled by default.
Disable sending ICMP timeout packets | undo ip ttl-expires | Required. Sending ICMP timeout packets is enabled by default.
Disable sending ICMP destination unreachable packets | undo ip unreachables | Required. Sending ICMP destination unreachable packets is enabled by default.
Permitting Receiving and Forwarding of Directed Broadcast Packets
Directed broadcast packets include network directed broadcast packets, subnetwork
directed broadcast packets and all-subnetwork directed broadcast packets. As specified
in RFC 2644, the device can receive and forward directed broadcast packets by default.
However, hackers can use such packets to attack the network system, which poses great
potential dangers to the network.
Switch 4500G series switches do not receive or forward directed broadcast packets by
default. You can configure Switch 4500G series switches to receive and forward directed
broadcast packets.
If ACL rules are configured when VLAN interfaces are enabled to forward directed
broadcast packets, the directed broadcast packets to be forwarded are filtered by the
configured ACL rules. Directed broadcast packets that do not match the ACL rules are
dropped.
CAUTION: If the ip forward-broadcast [ acl acl-number ] command is configured on
one interface repeatedly, the latest configured acl-number argument replaces those
configured previously. If the acl-number argument is not provided in this command, the
acl-number arguments configured previously are disabled.
Configuration Example
Network requirements
As shown in Figure 63, PC1 and PC2 are in the same network segment 1.1.1.0/24 with
VLAN-interface 1 of Switch A, while VLAN-interface 2 of Switch A and VLAN-interface 2
of Switch B are in the network segment 2.2.2.0/24. Static routes are configured on
Switch B. As a result, both PC 1 and PC 2 are reachable to Switch B.
Table 156 Configure to permit the receiving and forwarding of directed broadcast packets
To do | Use the command | Remarks
Enter system view | system-view | -
Enable the switch to receive directed broadcast packets | ip forward-broadcast | Optional. By default, directed broadcast packets are not received.
Enter VLAN interface view | interface Vlan-interface vlan-id | -
Enable the specified VLAN interface to forward directed broadcast packets | ip forward-broadcast [ acl acl-number ] | Optional. By default, directed broadcast packets are not forwarded on VLAN interfaces.
Configure Switch A and Switch B with the purpose that:
When the ping 2.2.2.255 command is executed on PC 1, PC 1 can receive response
packets from both Switch A and Switch B.
When the ping 2.2.2.255 command is executed on PC 2, PC 2 can receive response
packets from only Switch A.
Network diagram
Figure 63 Network diagram for permitting receiving and forwarding of directed broadcast
packets
Configuration procedure
1 Configure Switch A
a Permit the receiving of directed broadcast packets.
<3Com> system-view
[3Com] ip forward-broadcast
b Define ACL 2000.
[3Com] acl number 2000
[3Com-acl-basic-2000] rule permit source 1.1.1.1 0
[3Com-acl-basic-2000] rule deny source any
c Configure to permit VLAN-interface 2 to forward directed broadcast packets matching
ACL 2000.
[3Com] interface vlan-interface 2
[3Com-Vlan-interface2] ip forward-broadcast acl 2000
2 Configure Switch B
a Permit the receiving of directed broadcast packets.
<3Com> system-view
[3Com] ip forward-broadcast
After this configuration, when you use the ping command on PC 1 to ping the broadcast
address 2.2.2.255 of the subnet where VLAN-interface 2 of Switch A resides, PC 1
receives response packets from both Switch A and Switch B. When you use the ping
command on PC 2 to ping the same broadcast address, PC 2 receives response packets
from Switch A only.
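To see why PC 1 gets two replies and PC 2 only one, here is an added Python model of the example above; it is not the switch's own code. It applies the system-view receive setting, the per-interface forward setting and ACL 2000 to a ping to 2.2.2.255. The Python names (Device, Interface, Acl) and the PC addresses 1.1.1.1 and 1.1.1.3 read from the Figure 63 labels are assumptions of this illustration.

```python
"""Model of the directed-broadcast example above (added illustration, not switch code).

Addresses come from the example and Figure 63; the class names are constructed here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AclRule:
    action: str            # "permit" or "deny"
    source: str            # "any" or a dotted IP address
    wildcard: str = "0"    # wildcard mask as typed in the CLI ("0" = exact match)

    def matches(self, src: str) -> bool:
        if self.source == "any":
            return True
        w = int(self.wildcard) if "." not in self.wildcard else int(ipaddress.IPv4Address(self.wildcard))
        care = 0xFFFFFFFF & ~w    # the 0 bits of the wildcard are the bits that must match
        return int(ipaddress.IPv4Address(src)) & care == int(ipaddress.IPv4Address(self.source)) & care


@dataclass
class Acl:
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def permits(self, src: str) -> bool:
        for rule in self.rules:          # the first matching rule decides
            if rule.matches(src):
                return rule.action == "permit"
        return False                     # no match: the text says such packets are dropped


@dataclass
class Interface:
    name: str
    address: str                         # e.g. "2.2.2.1/24"
    forward_broadcast: bool = False      # ip forward-broadcast [ acl acl-number ] in interface view
    acl: Optional[Acl] = None

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Interface(self.address).network


@dataclass
class Device:
    name: str
    interfaces: List[Interface]
    receive_broadcast: bool = False      # ip forward-broadcast in system view


def responders(src: str, dst: str, devices: List[Device]) -> Set[str]:
    """Names of the devices that answer an echo request from src to the directed broadcast dst."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # The first hop is the switch with an interface on the sender's own segment.
    first_hop = next((d for d in devices if any(src_ip in i.network for i in d.interfaces)), None)
    if first_hop is None:
        return set()
    out = next((i for i in first_hop.interfaces if dst_ip == i.network.broadcast_address), None)
    if out is None:
        return set()                     # not a directed broadcast for a connected segment
    answered = set()
    if first_hop.receive_broadcast:      # the first hop itself sits on the target segment
        answered.add(first_hop.name)
    # Forwarding onto the segment needs the interface enable and, if an ACL is set, a permit.
    if out.forward_broadcast and (out.acl is None or out.acl.permits(src)):
        for dev in devices:
            on_segment = any(i.network == out.network for i in dev.interfaces)
            if dev is not first_hop and on_segment and dev.receive_broadcast:
                answered.add(dev.name)
    return answered


def example_topology() -> List[Device]:
    """Switch A and Switch B configured as in the procedure above."""
    acl_2000 = Acl(2000, [AclRule("permit", "1.1.1.1", "0"), AclRule("deny", "any")])
    switch_a = Device("Switch A", [
        Interface("Vlan-interface1", "1.1.1.2/24"),
        Interface("Vlan-interface2", "2.2.2.1/24", forward_broadcast=True, acl=acl_2000),
    ], receive_broadcast=True)
    switch_b = Device("Switch B", [Interface("Vlan-interface2", "2.2.2.2/24")],
                      receive_broadcast=True)
    return [switch_a, switch_b]


if __name__ == "__main__":
    devs = example_topology()
    print("PC 1:", sorted(responders("1.1.1.1", "2.2.2.255", devs)))   # Switch A and Switch B
    print("PC 2:", sorted(responders("1.1.1.3", "2.2.2.255", devs)))   # Switch A only
```

Resetting both switches to the factory defaults (receive and forward disabled) makes the same ping draw no reply at all, which is why the default is the safe setting.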
[Figure 63 (diagram): PC 1 (1.1.1.1/24) and PC 2 (1.1.1.3/24) connect to VLAN-interface 1 (1.1.1.2/24) of Switch A; VLAN-interface 2 (2.2.2.1/24) of Switch A connects to VLAN-interface 2 (2.2.2.2/24) of Switch B.]
Displaying and maintaining IP performance
After finishing the configuration, run the display command in any view to display
running status and configuration effect of the IP performance.
In user view, you can run the reset command to clear statistics of IP, TCP and UDP
flows.
Table 157 Displaying and maintaining IP performance
To do | Use the command
Display the current TCP connection state | display tcp status
Display statistics of TCP connections | display tcp statistics
Display statistics of UDP flows | display udp statistics
Display statistics of IP packets | display ip statistics
Display statistics of ICMP flows | display icmp statistics
Display current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ]
Display FIB forwarding information | display fib [ | { begin | include | exclude } text | acl number | ip-prefix listname ]
Display FIB forwarding information matching the specified destination IP address | display fib ip-address1 [ { mask1 | mask-length1 } [ ip-address2 { mask2 | mask-length2 } | longer ] | longer ]
Display statistics about the FIB items | display fib statistics
Clear statistics of IP packets | reset ip statistics
Clear statistics of TCP flows | reset tcp statistics
Clear statistics of UDP flows | reset udp statistics
22 IPV4 ROUTING OVERVIEW
Go to these sections for information about IP routing that you are interested in:
IP Routing and Routing Table
Routing Protocol Overview
Displaying and Maintaining a Routing Table
A router in this chapter refers to a generic router or a Layer 3 switch running routing
protocols. For readability, this is not repeated in the rest of this manual.
IP Routing and Routing Table
Routing
Routing in the Internet is achieved through routers. Upon receiving a packet, a router
identifies an optimal route based on the destination address and forwards the packet to
the next router in the path until the packet reaches the last router, which forwards the
packet to the intended destination host.
Routing Through a Routing Table
Routing table
The routing table plays a key role in allowing routers to forward packets. Each router
maintains a routing table, and each entry in the table specifies which physical interface a
packet destined for a certain destination should go out through to reach the next hop
(the next router) or the directly connected destination.
Routes in a routing table can be divided into three categories by origin:
Direct routes: Routes discovered by data link protocols, also known as interface
routes.
Static routes: Routes that are manually configured.
Dynamic routes: Routes that are discovered dynamically by routing protocols.
Contents of a routing table
A routing table includes the following key items:
Destination address: Indicates the destination address or destination network of an IP
packet.
Network mask: Specifies, in company with the destination address, the address of the
destination network. A logical AND operation between the destination address and
the network mask yields the address of the destination network. For example, if the
destination address is 129.102.8.10 and the mask 255.255.0.0, the address of the
destination network is 129.102.0.0. A network mask is made of a certain number of
consecutive 1s. It can be expressed in dotted decimal format or by the number of the
1s.
Outbound interface: Specifies the interface through which the IP packets are to be
forwarded.
IP address of the next hop: Specifies the address of the next router on the route. If
only the outbound interface is configured, its address will be the IP address of the
next hop.
Priority for the route. Multiple routes may exist to the same destination, each of
which has a different next hop and may be generated by various routing protocols or
be manually configured. The optimal route is the one with the highest priority (with
the smallest metric).
Routes can be divided into two categories by destination:
Subnet routes: The destination is a subnet.
Host routes: The destination is a host.
Based on whether the destination is directly connected to a given router, routes can be
divided into:
Direct routes: The destination is directly connected to the router.
Indirect routes: The destination is not directly connected to the router.
To prevent the routing table from getting too large, you can configure a default route. All
packets with no matching entry in the routing table will be forwarded through the
default route.
In Figure 64, the IP address on each cloud represents the address of the network. Router
R8 resides in three networks and therefore has three IP addresses for its three physical
interfaces. Its routing table is shown on the right of the network topology.
Figure 64 A sample routing table
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires less system resources. It works well in
small, stable networks with simple topologies. Its major drawback is that you must
perform routing configuration again whenever the network topology changes; it cannot
adjust to network changes by itself.
Dynamic routing, on the other hand, is based on dynamic routing protocols, which can
detect network topology changes and recalculate the routes accordingly. Therefore,
dynamic routing is suitable for large networks. Its disadvantages are that it is complicated
to configure, and that it not only imposes higher requirements on the system, but also
eats away a certain amount of network resources.
Classification of Dynamic Routing Protocols
Dynamic routing protocols can be classified based on the following standards:
Operational scope
Interior gateway protocols (IGPs): Work within an autonomous system, typically
includes RIP, OSPF, and IS-IS.
Exterior gateway protocols (EGPs): Work between autonomous systems. The most
popular one is BGP.
An autonomous system refers to a group of routers that share the same routing policy
and work under the same administration.
Routing algorithm
Distance-vector protocols: Includes mainly RIP and BGP. BGP is also considered a
path-vector protocol.
Link-state protocols: Includes mainly OSPF and IS-IS.
The main differences between the above two types of routing algorithms lie in the way
routes are discovered and calculated.
Type of the destination address
Unicast routing protocols: Includes RIP, OSPF, BGP, and IS-IS.
Multicast routing protocols: Includes PIM-SM and PIM-DM.
This chapter focuses on unicast routing protocols. For information on multicast routing
protocols, refer to Multicast Configuration.
Routing Protocols
and Routing Priority
Different routing protocols may find different routes to the same destination. However,
not all of those routes are optimal. In fact, at a particular moment, only one protocol can
uniquely determine the current optimal routing to the destination. For the purpose of
route selection, every route (including static routes) is assigned a priority according to its
origin. The route with the highest priority is preferred.
The following table lists some routing protocols and the default priorities for routes
found by them:
The smaller the priority value, the higher the priority.
The priority for a direct route is always 0, which you cannot change. Any other type of
routes can have their priorities manually configured.
Each static route can be configured with a different priority.
Load Balancing and Route Backup
Load balancing
In multi-route mode, multiple routes from the same routing protocol may exist to the
same destination. These routes have the same priority and are all used to accomplish
load balancing if no other route with a higher priority is available.
A given routing protocol may find several routes with the same metric to the same
destination, and if this protocol has the highest priority among all the active protocols,
all these routes are regarded as valid current routes. This realizes load balancing of
network traffic.
In current implementations, routing protocols supporting load balancing are RIP, OSPF,
and IS-IS. In addition, load balancing is also supported for static routes.
The number of routes for load balancing varies by device.
Route backup
Route backup helps improve network reliability. With route backup, you can configure
multiple routes to the same destination, the one with the highest priority being the main
route and all the rest backup routes.
Under normal circumstances, packets are forwarded through the main route. When the
main route goes down, the route with the highest priority among the backup routes is
selected to forward packets. When the main route recovers, the route selection process is
performed again and the main route is selected again to forward packets.
Table 158 Routing Protocols and Routing Priority
Routing approach | Priority
DIRECT | 0
OSPF | 10
IS-IS | 15
STATIC | 60
RIP | 100
OSPF ASE | 150
OSPF NSSA | 150
IBGP | 256
EBGP | 256
UNKNOWN | 255
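An added Python model, not the switch's own forwarding code, of how the routing table entries described above select a route: the destination-and-mask AND test, the Table 158 priorities, load balancing across equal-metric routes of the winning protocol, and route backup when the main route goes down. It assumes longest-match-first lookup, which the text does not spell out here, and its Route and lookup names and the sample routes are constructed for the illustration.

```python
"""Route selection as described above, as an added illustration (not switch code).

Assumes longest-match-first lookup; the Route/lookup names and the sample routes
are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default priorities from Table 158: the smaller the value, the higher the priority.
PRIORITY = {"DIRECT": 0, "OSPF": 10, "IS-IS": 15, "STATIC": 60, "RIP": 100,
            "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 256, "EBGP": 256, "UNKNOWN": 255}


@dataclass
class Route:
    destination: str                 # destination address or network, e.g. "129.102.0.0"
    mask: str                        # dotted decimal ("255.255.0.0") or number of 1s ("16")
    next_hop: str
    interface: str                   # outbound interface
    protocol: str                    # origin of the route, keyed into PRIORITY
    metric: int = 0
    priority: Optional[int] = None   # manual override; ignored for DIRECT routes
    up: bool = True                  # False once the link or the next hop is down

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}", strict=False)

    @property
    def effective_priority(self) -> int:
        if self.protocol == "DIRECT":
            return 0                 # always 0 and cannot be changed
        if self.priority is not None:
            return self.priority
        return PRIORITY.get(self.protocol, PRIORITY["UNKNOWN"])


def matches(route: Route, dst: str) -> bool:
    """The AND test from the text: dst AND mask equals the destination network."""
    return (int(ipaddress.IPv4Address(dst)) & int(route.network.netmask)
            == int(route.network.network_address))


def lookup(table: List[Route], dst: str) -> List[Route]:
    """Active route(s) for dst: one route, or several equal routes used for load balancing.

    Longest mask first; then the highest priority (smallest value); then, within that
    protocol, every route sharing the smallest metric is returned together.
    """
    candidates = [r for r in table if r.up and matches(r, dst)]
    if not candidates:
        return []
    longest = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == longest]
    best_priority = min(r.effective_priority for r in candidates)
    candidates = [r for r in candidates if r.effective_priority == best_priority]
    best_metric = min(r.metric for r in candidates)
    return [r for r in candidates if r.metric == best_metric]


def sample_table() -> List[Route]:
    """Constructed table: a direct route, two equal OSPF routes, a RIP route to the same
    destination (the backup), a more specific static route and a static default route."""
    return [
        # For a direct route the next hop is the interface's own address.
        Route("129.102.0.0", "255.255.0.0", "129.102.8.1", "Vlan-interface1", "DIRECT"),
        Route("10.0.0.0", "255.0.0.0", "129.102.8.2", "Vlan-interface1", "OSPF", metric=20),
        Route("10.0.0.0", "255.0.0.0", "129.102.8.3", "Vlan-interface1", "OSPF", metric=20),
        Route("10.0.0.0", "8", "129.102.8.4", "Vlan-interface1", "RIP", metric=3),
        Route("10.1.0.0", "16", "129.102.8.5", "Vlan-interface1", "STATIC"),
        Route("0.0.0.0", "0", "129.102.8.254", "Vlan-interface1", "STATIC"),
    ]


if __name__ == "__main__":
    table = sample_table()
    for dst in ("129.102.8.10", "10.2.3.4", "10.1.2.3", "192.168.1.1"):
        print(dst, [r.next_hop for r in lookup(table, dst)])
    for r in table:                   # both OSPF next hops fail: the RIP route takes over
        if r.protocol == "OSPF":
            r.up = False
    print("10.2.3.4 after OSPF failure", [r.next_hop for r in lookup(table, "10.2.3.4")])
```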
Sharing of Routing Information
As different routing protocols use different algorithms to calculate routes, they may find
different routes. In a large network with multiple routing protocols, routing protocols
must share their routing information. Each routing protocol has its own route
redistribution mechanism. For detailed information, refer to IP Routing Configuration.
Displaying and Maintaining a Routing Table
Table 159 Displaying and Maintaining a Routing Table
To do | Use the command | Remarks
Display summary information about the active routes in the routing table | display ip routing-table | Available in any view
Display detailed information about the specified routes in the routing table | display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ] [ | { begin | exclude | include } regular-expression ] | Available in any view
Display information about routes to the specified destination | display ip routing-table ip-address [ mask-length | mask ] [ longer-match ] [ verbose ] | Available in any view
Display information about routes with destination addresses in the specified range | display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask } [ verbose ] | Available in any view
Display information about routes permitted by a specified basic ACL | display ip routing-table acl acl-number [ verbose ] | Available in any view
Display information about routes selected by a specified prefix list | display ip routing-table ip-prefix ip-prefix-name [ verbose ] | Available in any view
Display protocol-specific routes | display ip routing-table protocol protocol [ inactive | verbose ] | Available in any view
Display statistics about the routing table | display ip routing-table statistics | Available in any view
Clear statistics for the routing table | reset ip routing-table statistics protocol { all | protocol } | Available in user view
23 CONFIGURING IPV6
The descriptions and examples in this chapter apply to both switches and routers, unless
otherwise noted.
IPv6 Overview
Internet protocol version 6 (IPv6), also called IP next generation (IPng), was designed by
the Internet Engineering Task Force (IETF) as the successor to Internet protocol version 4
(IPv4). The most significant difference between IPv6 and IPv4 is that IPv6 increases the IP
address size from 32 bits to 128 bits.
IPv6 Features
IPv6 provides the following features:
Header format simplification: IPv6 removes some IPv4 header fields or moves them to
extension headers to reduce the size of the basic IPv6 header, thus making IPv6 packet
handling simple and improving forwarding efficiency. Although the IPv6 address size is
four times that of IPv4 addresses, the basic IPv6 header is only twice the size of the IPv4
header (excluding the Options field).
Figure 65 Comparison between IPv4 header format and IPv6 header format
Adequate address space: The source IPv6 address and the destination IPv6 address are
both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses, which fully meets
the requirements of hierarchical address division as well as allocation of public and
private addresses.
Hierarchical address structure: IPv6 adopts a hierarchical address structure to speed up
route lookup and reduce the system resources occupied by the IPv6 routing table by
means of route aggregation.
[Figure 65: IPv6 header fields: Ver, Traffic class, Flow label, Payload length, Next header, Hop limit, Source address (128 bits), Destination address (128 bits). IPv4 header fields: Ver, IHL, TOS, Total length, Identification, F, Fragment offset, TTL, Protocol, Header checksum, Source address (32 bits), Destination address (32 bits), Options, Padding. Bit positions 0, 7, 15 and 31 are marked on both headers.]
234 CHAPTER 23: CONFIGURING IPV6
Automatic address configuration: To simplify the host configuration, IPv6
supports stateful address configuration and stateless address configuration. Stateful
address configuration means that a host acquires an IPv6 address and related
information from the server (for example, DHCP server). Stateless address
configuration means that the host automatically configures an IPv6 address and
related information based on its own link-layer address and the prefix information
issued by the router. In addition, a host can generate a link-local address based on its
own link-layer address and the default prefix (FE80::/64) to communicate with other
hosts on the link.
Built-in security: IPv6 uses IPSec as its standard extension header to provide
end-to-end security. This feature provides a standard for network security solutions
and improves the interoperability between different IPv6 applications.
Support for QoS: The Flow Label field in the IPv6 header allows the device to label
packets in a flow and provide special handling for these packets.
Enhanced neighbor discovery mechanism: The IPv6 neighbor discovery protocol is a
group of Internet control message protocol version 6 (ICMPv6) messages that manages
the interaction between neighbor nodes (nodes on the same link). This group of ICMPv6
messages takes the place of address resolution protocol (ARP), Internet control message
protocol version 4 (ICMPv4), and ICMPv4 redirection messages, and provides a series of
other functions.
Flexible extension headers: IPv6 removes the Options field of IPv4 packets and
introduces multiple extension headers instead. In this way, IPv6 greatly enhances the
flexibility and scalability of IP while improving the processing efficiency. The Options field
in IPv4 packets holds at most 40 bytes, while the size of IPv6 extension headers is
restricted only by that of IPv6 packets.
Introduction to IPv6 Address
IPv6 address format
An IPv6 address is represented as a series of 16-bit hexadecimal values separated by colons.
An IPv6 address is divided into eight groups; the 16 bits of each group are represented by
four hexadecimal digits, and the groups are separated by colons, for example,
2001:0000:130F:0000:0000:09C0:876A:130B.
To simplify the representation of IPv6 addresses, zeros in IPv6 addresses can be handled
as follows:
Leading zeros in each group can be removed. For example, the above-mentioned
address can be represented in shorter format as 2001:0:130F:0:0:9C0:876A:130B.
If an IPv6 address contains two or more consecutive groups of zeros, they can be
replaced by a double colon (::). For example, the above-mentioned address
can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.
Caution: The double colon :: can be used only once in an IPv6 address. Otherwise, the
device is unable to determine how many zeros the double colon represents when
expanding it to restore the IPv6 address to its 128-bit form.
An IPv6 address consists of two parts: address prefix and interface ID. The address prefix
and the interface ID are respectively equivalent to the network ID and the host ID in an IPv4
address.
An IPv6 address prefix is written in IPv6-address/prefix-length notation, where
IPv6-address is an IPv6 address in any of the notations above and prefix-length is a decimal
number indicating how many leftmost bits of the IPv6 address form the address
prefix.
IPv6 Overview 235
IPv6 address classification
The type of an IPv6 address is designated by its first several bits, called the format prefix.
Table 160 lists the mapping between major address types and format prefixes.
IPv6 addresses mainly fall into three types: unicast address, multicast address and anycast
address.
Unicast address: An identifier for a single interface, similar to an IPv4 unicast
address. A packet sent to a unicast address is delivered to the interface identified by
that address.
Multicast address: An identifier for a set of interfaces (typically belonging to different
nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is
delivered to all interfaces identified by that address.
Anycast address: An identifier for a set of interfaces (typically belonging to different
nodes). A packet sent to an anycast address is delivered to one of the interfaces
identified by that address (the nearest one, according to the routing protocols'
measure of distance).
There are no broadcast addresses in IPv6. Their function is superseded by multicast
addresses.
Unicast address
There are several forms of unicast address assignment in IPv6, including aggregatable
global unicast address, link-local address, and site-local address.
The aggregatable global unicast address, equivalent to an IPv4 public address, is used
for aggregatable links and provided for network service providers. The structure of
such a type of address allows efficient routing aggregation to restrict the number of
global routing entries.
The link-local address is used for communication between link-local nodes in
neighbor discovery and stateless autoconfiguration. Routers must not forward any
packets with link-local source or destination addresses to other links.
IPv6 unicast site-local addresses are similar to private IPv4 addresses. Routers must not
forward any packets with site-local source or destination addresses outside of the site
(equivalent to a private network).
Loopback address: The unicast address 0:0:0:0:0:0:0:1 (represented in shorter format
as ::1) is called the loopback address and may never be assigned to any physical
interface. Like the loopback address in IPv4, it may be used by a node to send an IPv6
packet to itself.
Unassigned address: The unicast address :: is called the unassigned address and may
not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this
address in the source address field of an IPv6 packet, but may not use it as a
destination IPv6 address.
Table 160 Mapping between address types and format prefixes
Type | Format prefix (binary) | IPv6 prefix ID
Unicast address: unassigned address | 00...0 (128 bits) | ::/128
Unicast address: loopback address | 00...1 (128 bits) | ::1/128
Unicast address: link-local address | 1111111010 | FE80::/10
Unicast address: site-local address | 1111111011 | FEC0::/10
Unicast address: global unicast address | other forms | -
Multicast address | 11111111 | FF00::/8
Anycast address | Anycast addresses are taken from the unicast address space and are not syntactically distinguishable from unicast addresses.
Multicast address
The multicast addresses listed in Table 161 are reserved for special purposes.
In addition, there is another type of multicast address: the solicited-node address. The
solicited-node multicast address is used to acquire the link-layer addresses of neighbor
nodes on the same link and is also used for duplicate address detection. Each IPv6 unicast
or anycast address has one corresponding solicited-node address. The format of a
solicited-node multicast address is as follows:
FF02:0:0:0:0:1:FFXX:XXXX
where FF02:0:0:0:0:1:FF is a fixed 104-bit prefix and XX:XXXX is the last 24 bits of the
corresponding IPv6 unicast or anycast address.
Interface identifier in IEEE EUI-64 format
Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and
are required to be unique on that link. Interface identifiers in IPv6 unicast addresses are
currently required to be 64 bits long and are derived from the link-layer address of the
interface. Because interface identifiers are 64 bits long while MAC addresses are 48 bits
long, the hexadecimal value FFFE is inserted in the middle of the MAC address (behind
the 24 high-order bits). To ensure that the interface identifier obtained from a MAC
address is unique, the universal/local (U/L) bit (the seventh high-order bit) is set to "1".
The result is an interface identifier in EUI-64 format.
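The text-form rules above (leading-zero removal, a single ::, the solicited-node derivation and the EUI-64 conversion of Figure 66) as an added worked example in Python; it is not code from this guide or from 3Com, and the function names are my own.

```python
"""Added example (not from the 3Com guide): the IPv6 text-form rules of this
chapter, written without the ipaddress module so that each rule (leading-zero
removal, a single '::', solicited-node derivation, EUI-64 from a MAC) is visible."""
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(addr: str) -> list:
    """Parse an IPv6 text address into eight 16-bit integers.

    Raises ValueError for more than one '::' (the guide's caution: the number
    of elided zero groups would be ambiguous) or for a wrong group count."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %r" % addr)
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError("not an IPv6 address: %r" % addr)
    return [int(g, 16) for g in groups]


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(groups: list) -> str:
    """Shortest text form: leading zeros dropped; the longest run of two or more
    zero groups (the first one on a tie) replaced by '::'."""
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [-1]):          # sentinel closes a final run
        if g == 0:
            run_start = i if run_start is None else run_start
            continue
        if run_start is not None:
            run_len = i - run_start
            if run_len >= 2 and run_len > best_len:
                best_start, best_len = run_start, run_len
            run_start = None
    hexed = ["%X" % g for g in groups]
    if best_len == 0:
        return ":".join(hexed)
    return ":".join(hexed[:best_start]) + "::" + ":".join(hexed[best_start + best_len:])


def solicited_node(unicast: str) -> str:
    """FF02:0:0:0:0:1:FFXX:XXXX where XX:XXXX are the low 24 bits of the address."""
    g = expand(unicast)
    low24 = ((g[6] & 0xFF) << 16) | g[7]
    return compress([0xFF02, 0, 0, 0, 0, 1, 0xFF00 | (low24 >> 16), low24 & 0xFFFF])


def eui64_from_mac(mac: str) -> list:
    """Figure 66: insert FFFE after the first 24 bits and flip the U/L bit (bit 7
    of the first octet). Accepts 0012-3400-ABCD or 00:12:34:00:AB:CD.
    RFC 4291 complements the U/L bit; for a universally administered MAC
    (bit clear) that is the same as the guide's 'set the U/L bit to 1'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return [(eui[i] << 8) | eui[i + 1] for i in range(0, 8, 2)]


def eui64_text(mac: str) -> str:
    """Interface identifier as four zero-padded groups, e.g. 0212:34FF:FE00:ABCD."""
    return ":".join("%04X" % g for g in eui64_from_mac(mac))


def link_local_from_mac(mac: str) -> str:
    """Link-local address: the FE80::/64 prefix plus the EUI-64 interface ID."""
    return compress([0xFE80, 0, 0, 0] + eui64_from_mac(mac))


if __name__ == "__main__":
    for a in ("2001:0000:130F:0000:0000:09C0:876A:130B", "::1", "FE80::1"):
        print(a, "->", compress(expand(a)), "solicited-node:", solicited_node(a))
    print("0012-3400-ABCD ->", eui64_text("0012-3400-ABCD"),
          link_local_from_mac("0012-3400-ABCD"))
```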
Table 161 Reserved IPv6 multicast addresses
Address Application
FF01::1 Node-local scope all-nodes multicast address
FF02::1 Link-local scope all-nodes multicast address
FF01::2 Node-local scope all-routers multicast address
FF02::2 Link-local scope all-routers multicast address
FF05::2 Site-local scope all-routers multicast address
Figure 66 Convert a MAC address into an EUI-64 address
MAC address: 0012-3400-ABCD
Represented in binary: 00000000 00010010 00110100 00000000 10101011 11001101
Insert FFFE: 00000000 00010010 00110100 11111111 11111110 00000000 10101011 11001101
Set U/L bit: 00000010 00010010 00110100 11111111 11111110 00000000 10101011 11001101
EUI-64 address: 0212:34FF:FE00:ABCD
Introduction to IPv6 Neighbor Discovery Protocol
The IPv6 neighbor discovery protocol (NDP) uses five types of ICMPv6 messages to
implement the following functions:
Address resolution
Neighbor unreachability detection
Duplicate address detection
Router/prefix discovery and address autoconfiguration
Redirection
Table 162 lists the types and functions of ICMPv6 messages used by the NDP.
Table 162 Types and functions of ICMPv6 messages
ICMPv6 message | Function
Neighbor solicitation (NS) message | Used to acquire the link-layer address of a neighbor. Used to verify whether the neighbor is reachable. Used to perform duplicate address detection.
Neighbor advertisement (NA) message | Used to respond to a neighbor solicitation message. When the link layer changes, the local node initiates a neighbor advertisement message to notify neighbor nodes of the node information change.
Router solicitation (RS) message | After startup, a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration.
Router advertisement (RA) message | Used to respond to a router solicitation message. With RA message suppression disabled, the router regularly sends a router advertisement message containing information such as address prefix and flag bits.
Redirect message | When a certain condition is satisfied, the default gateway sends a redirect message to the source host so that the host can reselect a correct next hop router to forward packets.
The NDP mainly provides the following functions:
Address resolution
Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor
nodes on the same link through NS and NA messages. Figure 67 shows how node A
acquires the link-layer address of node B.
Figure 67 Address resolution
[Figure 67: node A sends an NS (ICMP Type = 135, Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A); node B replies with an NA (ICMP Type = 136, Src = B, Dst = A, Data = link-layer address of B)]
The address resolution procedure is as follows:
1 Node A multicasts an NS message. The source address of the NS message is the IPv6
address for the interface of node A and the destination address is the solicited-node
multicast address of node B. The NS message contains the link-layer address of node A.
2 After receiving the NS message, node B judges whether the destination address of the
packet is the corresponding solicited-node multicast address of its own IPv6 address. If
yes, node B returns an NA message containing the link-layer address of node B.
3 Node A acquires the link-layer address of node B from the NA message. After that, node A
and node B can communicate.
Neighbor unreachability detection
After node A acquires the link-layer address of its neighbor node B, node A can verify
whether node B is reachable according to NS and NA messages.
1 Node A sends an NS message whose destination address is the IPv6 address of node B.
2 If node A receives an NA message from node B, node A considers that node B is
reachable. Otherwise, node B is unreachable.
Duplicate address detection
After node A acquires an IPv6 address, it should perform duplicate address detection
to determine whether the address is already being used by another node (similar to the
gratuitous ARP function in IPv4). Duplicate address detection is accomplished through NS
and NA messages. Figure 68 shows the duplicate address detection procedure.
Figure 68 Duplicate address detection
The duplicate address detection procedure is as follows:
1 Node A sends an NS message whose source address is the unassigned address :: and
whose destination address is the corresponding solicited-node multicast address of the IPv6
address to be detected. The NS message contains the IPv6 address.
2 If node B uses this IPv6 address, node B returns an NA message. The NA message
contains the IPv6 address of node B.
3 Node A learns that the IPv6 address is being used by node B after receiving the NA
message from node B. Otherwise, node B is not using the IPv6 address and node A can
use it.
[Figure 68: node A sends an NS (ICMP Type = 135, Src = ::, Dst = FF02::1:FF00:1, Data = 2000::1); node B, which uses 2000::1, replies with an NA (ICMP Type = 136, Src = 2000::1, Dst = FF02::1, Target Address = 2000::1)]
Router/prefix discovery and address autoconfiguration
Router/prefix discovery means that a host acquires the neighbor router, the prefix of the
network where the router is located, and other configuration parameters from the
received RA message.
Stateless address autoconfiguration means that a host automatically configures an IPv6
address according to the information obtained through router/prefix discovery.
Router/prefix discovery and address autoconfiguration are implemented through RS
and RA messages. The router/prefix discovery and address autoconfiguration procedure is
as follows:
1 After startup, a host sends an RS message to request the router for the address prefix and
other configuration information for the purpose of autoconfiguration.
2 The router returns an RA message containing information such as address prefix and flag
bits. (The router also sends RA messages regularly.)
3 The host automatically configures an IPv6 address and other information for its interface
according to the address prefix and other configuration parameters in the RA message.
Redirection
When a host is started, its routing table may contain only the default route to the
gateway. When certain conditions are satisfied, the gateway sends an ICMPv6 redirect
message to the source host so that the host can select a better next hop router to
forward packets (similar to the ICMP redirection function in IPv4).
The gateway will send an IPv6 ICMP redirect message when the following conditions are
satisfied:
The receiving interface and the forwarding interface are the same.
The selected route itself is not created or modified by an IPv6 ICMP redirect message.
The selected route is not the default route.
The forwarded IPv6 packet does not contain any extension header carrying the
routing information of intermediate nodes on the forwarding path.
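The address resolution (Figure 67) and duplicate address detection (Figure 68) exchanges described above, as an added Python simulation that is not part of this guide; the node names, MAC addresses and IPv6 addresses in it are constructed.

```python
"""Added example (not from the 3Com guide): a one-link simulator for the NS/NA
exchanges of Figures 67 (address resolution) and 68 (duplicate address
detection). Node names, MACs and addresses are constructed for the demo."""
from dataclasses import dataclass, field
import ipaddress

NS, NA = 135, 136                 # ICMPv6 message types shown in the figures
ALL_NODES = "ff02::1"
UNSPECIFIED = "::"                # the unassigned address used as the DAD source


def canon(addr: str) -> str:
    """Canonical lowercase text form so plain string comparison is safe."""
    return str(ipaddress.IPv6Address(addr))


def solicited_node(addr: str) -> str:
    """FF02::1:FFXX:XXXX from the low 24 bits of addr (stdlib form)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


@dataclass
class Message:
    icmp_type: int
    src: str
    dst: str
    target: str          # address being resolved (NS) or advertised (NA)
    lladdr: str = ""     # link-layer address option carried by the sender


@dataclass
class Node:
    name: str
    mac: str
    addrs: set = field(default_factory=set)
    neighbors: dict = field(default_factory=dict)   # ipv6 -> mac (neighbor cache)

    def listens_to(self, dst: str) -> bool:
        """Own addresses, all-nodes, and the solicited-node group of each address."""
        return (dst in self.addrs or dst == ALL_NODES
                or dst in {solicited_node(a) for a in self.addrs})

    def handle(self, msg: Message):
        """Figure 67 step 2 / Figure 68 step 2: answer an NS for an address we hold."""
        if msg.icmp_type != NS or msg.target not in self.addrs:
            return None
        if msg.src == UNSPECIFIED:                  # DAD probe: NA goes to all nodes
            return Message(NA, msg.target, ALL_NODES, msg.target, self.mac)
        if msg.lladdr:
            self.neighbors[msg.src] = msg.lladdr    # learn the solicitor's MAC too
        return Message(NA, msg.target, msg.src, msg.target, self.mac)


class Link:
    """One broadcast domain: every node listening on dst sees the message."""
    def __init__(self, *nodes):
        self.nodes = nodes
        self.trace = []          # every NS and NA in the order it appeared on the link

    def send(self, msg: Message) -> list:
        self.trace.append(msg)
        replies = []
        for n in self.nodes:
            if n.listens_to(msg.dst):
                reply = n.handle(msg)
                if reply is not None:
                    replies.append(reply)
        self.trace.extend(replies)
        return replies


def resolve(link: Link, a: Node, a_addr: str, target: str):
    """Figure 67: NS to target's solicited-node group; the NA carries B's MAC."""
    target = canon(target)
    replies = link.send(Message(NS, canon(a_addr), solicited_node(target), target, a.mac))
    for na in replies:
        if na.icmp_type == NA and na.target == target:
            a.neighbors[target] = na.lladdr
            return na.lladdr
    return None


def dad(link: Link, a: Node, tentative: str) -> bool:
    """Figure 68: NS from :: to the solicited-node group. Any NA for the tentative
    address means it is already in use; otherwise the node may keep it."""
    tentative = canon(tentative)
    replies = link.send(Message(NS, UNSPECIFIED, solicited_node(tentative), tentative))
    in_use = any(r.icmp_type == NA and r.target == tentative for r in replies)
    if not in_use:
        a.addrs.add(tentative)
    return not in_use


def demo() -> dict:
    # Constructed topology: A (2000::a) and B (2000::1) on one link.
    a = Node("A", "00-12-34-00-00-0a", {canon("2000::a")})
    b = Node("B", "00-12-34-00-00-0b", {canon("2000::1")})
    link = Link(a, b)
    return {
        "b_mac": resolve(link, a, "2000::a", "2000::1"),
        "b_learned_a": b.neighbors.get(canon("2000::a")),
        "dad_2000::1": dad(link, a, "2000::1"),   # B already uses it -> False
        "dad_2000::2": dad(link, a, "2000::2"),   # nobody answers -> True
        "types": [m.icmp_type for m in link.trace],
    }
```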
IPv6 PMTU Discovery
The links that a packet passes from the source to the destination may have different
MTUs. In IPv6, when the packet size exceeds the MTU of a link, the packet is
fragmented at the source so as to reduce the processing load on the forwarding
devices and use network resources rationally.
The path MTU (PMTU) discovery mechanism finds the minimum MTU on the path
from the source to the destination. Figure 69 shows the working procedure of PMTU
discovery.
Figure 69 Working procedure of the PMTU discovery
[Figure 69: the source host reaches the destination host over links with MTU=1500, MTU=1500, MTU=1350 and MTU=1400; the source sends a packet with MTU=1500, receives "ICMP error: packet too big; use MTU=1350", resends with MTU=1350, and the packet is received.]
The working procedure of the PMTU discovery is as follows:
1 The source host uses its MTU to fragment packets and then sends them to the
destination host.
2 If the MTU supported by the packet forwarding interface is less than the size of a packet,
the forwarding device discards the packet and returns an ICMPv6 error packet
containing the interface MTU to the source host.
3 After receiving the ICMPv6 error packet, the source host uses the returned MTU to
fragment the packet again and then sends it.
4 Steps 2 and 3 are repeated until the destination host receives the packet. In this way,
the minimum MTU on the path from the source host to the destination host is
determined.
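The four-step PMTU procedure above, as an added Python simulation that is not from this guide; the first list of link MTUs is the one in Figure 69, the second is a constructed case that needs two error rounds.

```python
"""Added example (not from the 3Com guide): the PMTU discovery loop of
Figure 69 and steps 1-4, simulated over a list of per-link MTUs."""
from dataclasses import dataclass


@dataclass
class PacketTooBig:
    """ICMPv6 'packet too big' error: which hop discarded the packet and the
    MTU of that hop's outgoing link."""
    hop: int
    mtu: int


def forward(link_mtus, size):
    """Walk the packet hop by hop. Returns None when delivered, otherwise the
    error the first undersized hop sends back to the source (step 2)."""
    for hop, mtu in enumerate(link_mtus):
        if size > mtu:
            return PacketTooBig(hop, mtu)
    return None


def discover_pmtu(link_mtus, source_mtu, max_rounds=32):
    """Steps 1, 3 and 4: start at the source MTU, shrink to the MTU reported
    by each error, stop when the packet gets through.
    Returns (pmtu, [(hop, mtu), ...]) so the caller can see every round."""
    size, errors = source_mtu, []
    for _ in range(max_rounds):
        err = forward(link_mtus, size)
        if err is None:
            return size, errors
        if err.mtu >= size:
            raise RuntimeError("error reports an MTU that is not smaller; refusing to loop")
        errors.append((err.hop, err.mtu))
        size = err.mtu
    raise RuntimeError("PMTU discovery did not converge")


if __name__ == "__main__":
    # Figure 69: links of 1500, 1500, 1350 and 1400 bytes; one error round.
    print(discover_pmtu([1500, 1500, 1350, 1400], 1500))   # (1350, [(2, 1350)])
    # Constructed: descending MTUs cost one round per narrower link.
    print(discover_pmtu([1500, 1400, 1350], 1500))          # (1350, [(1, 1400), (2, 1350)])
```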
Introduction to IPv6 DNS
In the IPv6 network, a domain name system (DNS) supporting IPv6 converts domain
names into IPv6 addresses. Different from an IPv4 DNS, an IPv6 DNS converts domain
names into IPv6 addresses instead of IPv4 addresses.
However, just like an IPv4 DNS, an IPv6 DNS also covers static domain name resolution
and dynamic domain name resolution. The function and implementation of these two
types of domain name resolution are the same as those of an IPv4 DNS. For details, refer
to the DNS module.
Usually, a DNS server connecting IPv4 and IPv6 networks contains not only A records
(IPv4 addresses) but also AAAA records (IPv6 addresses). The DNS server can convert
domain names into IPv4 addresses or IPv6 addresses. In this way, the DNS server has the
functions of both an IPv6 DNS and an IPv4 DNS.
Protocol Specifications
Protocol specifications related to IPv6 include:
RFC 1881: IPv6 Address Allocation Management
RFC 1887: An Architecture for IPv6 Unicast Address Allocation
RFC 1981: Path MTU Discovery for IP version 6
RFC 2375: IPv6 Multicast Address Assignments
RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)
RFC 2462: IPv6 Stateless Address Autoconfiguration
RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
RFC 2526: Reserved IPv6 Subnet Anycast Addresses
RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
RFC 3596: DNS Extensions to Support IP Version 6
Configuring Basic IPv6 Functions
Configuring the IPv6 Packet Forwarding Function
Before IPv6-related configurations, you must enable the IPv6 packet forwarding function
for an interface. Otherwise, the interface cannot forward IPv6 packets even if an IPv6
address is configured, resulting in interworking failures in the IPv6 network.
Follow the steps in Table 163 to configure the IPv6 packet forwarding function.
Table 163 Configuring the IPv6 packet forwarding function
To: Enter system view
Command: system-view
Remarks: -
To: Enable the IPv6 packet forwarding function
Command: ipv6
Remarks: Required. Disabled by default.
Configuring an IPv6 Unicast Address
IPv6 site-local addresses and aggregatable global unicast addresses can be configured in
either of the following ways:
EUI-64 format: When the EUI-64 format is adopted to form IPv6 addresses, the IPv6
address prefix of an interface is the configured prefix and the interface identifier is
derived from the link-layer address of the interface.
Manual configuration: IPv6 site-local addresses or aggregatable global unicast
addresses are configured manually.
IPv6 link-local addresses can be acquired in either of the following ways:
Automatic generation: The device automatically generates a link-local address for
an interface according to the link-local address prefix (FE80::/64) and the link-layer
address of the interface.
Manual assignment: IPv6 link-local addresses can be assigned manually.
After an IPv6 site-local address or aggregatable global unicast address is configured
for an interface, a link-local address will be generated automatically. The automatically
generated link-local address is the same as the one generated by using the ipv6
address auto link-local command. If a link-local address is manually assigned to an
interface, this link-local address takes effect. If the manually assigned link-local
address is deleted, the automatically generated link-local address takes effect.
The manual assignment takes precedence over the automatic generation. That is, if
you first adopt the automatic generation and then the manual assignment, the
manually assigned link-local address will overwrite the automatically generated one. If
you first adopt the manual assignment and then the automatic generation, the
automatically generated link-local address will not take effect and the link-local
address of an interface is still the manually assigned one. You must delete the
manually assigned link-local address before adopting the automat
ic generation.
You must issue the ipv6 address auto link-local command before you issue the
undo ipv6 address auto link-local command. However, if an IPv6 site-local address
or aggregatable global unicast address is already configured for an interface, the
interface still has a link-local address because the system automatically generates one
for the interface. If no IPv6 site-local address or aggregatable global unicast address is
configured, the interface has no link-local address.
Configuring IPv6 NDP 243
Follow the steps in Table 164 to configure an IPv6 link-local address:
Table 164 Configuring an IPv6 link-local address
To: Enter system view
Command: system-view
Remarks: -
To: Enter interface view
Command: interface interface-type interface-number
Remarks: -
To: Configure an IPv6 aggregatable global unicast address or site-local address (manually assign an IPv6 address)
Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
Remarks: Alternative. By default, no site-local address or aggregatable global unicast address is configured for an interface. Note that the prefix length specified by the prefix-length argument cannot be greater than 64.
To: Configure an IPv6 aggregatable global unicast address or site-local address (adopt the EUI-64 format to form an IPv6 address)
Command: ipv6 address ipv6-address/prefix-length eui-64
Remarks: Alternative (same default and prefix-length restriction as the manual assignment above).
To: Configure an IPv6 link-local address (automatically generate a link-local address)
Command: ipv6 address auto link-local
Remarks: Optional. By default, after an IPv6 site-local address or aggregatable global unicast address is configured for an interface, a link-local address will be generated automatically.
To: Configure an IPv6 link-local address (manually assign a link-local address for an interface)
Command: ipv6 address ipv6-address link-local
Remarks: Optional.
Only one aggregatable global unicast address or site-local address can be configured on
an interface at a time.
Configuring IPv6 NDP
Configuring a Static Neighbor Entry
The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically
through NS and NA messages or statically through manual configuration.
The device uniquely identifies a static neighbor entry according to the IPv6 address and
the layer 3 interface ID.
Configure the corresponding IPv6 address and link-layer address for a layer 3 interface.
Follow the steps in Table 165 to configure a static neighbor entry.
Table 165 Configuring a static neighbor entry
To: Enter system view
Command: system-view
Remarks: -
To: Configure a static neighbor entry
Command: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }
Remarks: Required
Configuring the Maximum Number of Neighbors Dynamically Learned
The device can dynamically acquire the link-layer address of a neighbor node through NS
and NA messages. A neighbor table that grows too large through dynamic learning may
degrade the forwarding performance of the device. Therefore, you can restrict the size of
the neighbor table by setting the maximum number of neighbors that an interface can
dynamically learn. When the number of dynamically learned neighbors reaches the
threshold, the interface stops learning neighbor information.
Follow the steps in Table 166 to configure the maximum number of neighbors
dynamically learned.
Table 166 Configuring the maximum number of neighbors dynamically learned
To: Enter system view
Command: system-view
Remarks: -
To: Enter interface view
Command: interface interface-type interface-number
Remarks: -
To: Configure the maximum number of neighbors dynamically learned by an interface
Command: ipv6 neighbors max-learning-num number
Remarks: Optional. The default value is 1024.
Configuring Parameters Related to an RA Message
You can configure whether the interface sends an RA message, the interval for sending
RA messages, and parameters in RA messages. After receiving an RA message, a host can
use these parameters to perform corresponding operations. Table 167 lists the
configurable parameters in an RA message and their descriptions.
Table 167 Parameters in an RA message and their descriptions
Parameters | Description
Cur hop limit | When sending an IPv6 packet, a host uses the value of this parameter to fill the Hop Limit field in IPv6 headers. Meanwhile, the value of this parameter is equal to the value of the Cur Hop Limit field in response messages of the device.
Prefix information options | After receiving the prefix information, the hosts on the same link can perform stateless autoconfiguration operations.
M flag | This field determines whether hosts use stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use stateful autoconfiguration to acquire IPv6 addresses. Otherwise, hosts use stateless autoconfiguration, that is, hosts configure IPv6 addresses according to their own link-layer addresses and the prefix information issued by the router.
O flag | This field determines whether hosts use stateful autoconfiguration to acquire information other than IPv6 addresses. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, a DHCP server) to acquire information other than IPv6 addresses. Otherwise, hosts use stateless autoconfiguration to acquire information other than IPv6 addresses.
Router lifetime | This field sets the lifetime of the router that sends RA messages as the default router of hosts. According to the router lifetime in the received RA messages, hosts determine whether the router sending RA messages can serve as their default router.
Retrans timer | If a node fails to receive a response message within the specified time after sending an NS message, the node retransmits it.
Reachable time | After neighbor unreachability detection shows that a neighbor is reachable, a node considers the neighbor reachable for the reachable time. If the node needs to send a packet to the neighbor after the reachable time expires, the node again confirms whether the neighbor is reachable.
The values of the retrans timer field and the reachable time field configured for an
interface are sent to hosts via RA messages. Furthermore, the interface sends NS
messages at intervals of the retrans timer value and considers a neighbor reachable
for the reachable time value.
Follow the steps in Table 168 to configure parameters related to an RA message:
Table 168 Configuring parameters related to an RA message
To: Enter system view
Command: system-view
Remarks: -
To: Configure the current hop limit
Command: ipv6 nd hop-limit value
Remarks: Optional. 64 by default.
To: Enter interface view
Command: interface interface-type interface-number
Remarks: -
To: Disable the RA message suppression
Command: undo ipv6 nd ra halt
Remarks: Optional. By default, RA messages are suppressed.
To: Configure the interval for sending RA messages
Command: ipv6 nd ra interval max-interval-value min-interval-value
Remarks: Optional. The device issues RA messages at intervals of a random value between the maximum interval and the minimum interval. By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds.
To: Configure the prefix information options in RA messages
Command: ipv6 nd ra prefix { ipv6-address prefix-length | ipv6-address/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ]*
Remarks: Optional. By default, no prefix information is configured in RA messages and the IPv6 address of the interface sending RA messages is used as the prefix information.
To: Set the M flag to 1
Command: ipv6 nd autoconfig managed-address-flag
Remarks: Optional. By default, the M flag bit is set to 0, that is, hosts acquire IPv6 addresses through stateless autoconfiguration.
To: Set the O flag bit to 1
Command: ipv6 nd autoconfig other-flag
Remarks: Optional. By default, the O flag bit is set to 0, that is, hosts acquire other information through stateless autoconfiguration.
To: Configure the router lifetime in RA messages
Command: ipv6 nd ra router-lifetime value
Remarks: Optional. 1,800 seconds by default.
To: Set the retrans timer
Command: ipv6 nd ns retrans-timer value
Remarks: Optional. By default, the local interface sends NS messages at intervals of 1,000 milliseconds and the Retrans Timer field in RA messages sent by the local interface is equal to 0.
To: Set the reachable time
Command: ipv6 nd nud reachable-time value
Remarks: Optional. By default, the neighbor reachable time on the local interface is 30,000 milliseconds and the Reachable Timer field in RA messages is 0.
Caution: The maximum interval for sending RA messages should be less than or equal to
the router lifetime in RA messages.
Configuring the Attempts to Send an NS Message for Duplicate Address Detection
The device sends a neighbor solicitation (NS) message for duplicate address detection. If
the device does not receive a response within a specified time (set by the ipv6 nd ns
retrans-timer value command), the device continues to send an NS message. If the device
still does not receive a response after the number of attempts to send an NS message
reaches the maximum, the device judges that the acquired address is available.
Follow the steps in Table 169 to configure the attempts to send an NS message for
duplicate address detection:
Table 169 Configuring the attempts to send an NS message for duplicate address detection
To: Enter system view
Command: system-view
Remarks: -
To: Enter interface view
Command: interface interface-type interface-number
Remarks: -
To: Configure the attempts to send an NS message for duplicate address detection
Command: ipv6 nd dad attempts value
Remarks: Optional. 1 by default. When the value argument is set to 0, duplicate address detection is disabled.
Configuring PMTU Discovery
Configuring a Static PMTU for a Specified IPv6 Address
You can configure a static PMTU for a specified IPv6 address. When forwarding packets,
an interface compares the MTU of the interface with the static PMTU of the specified
destination IPv6 address, and uses the smaller one to fragment packets.
Configuring IPv6 TCP Properties 247
Follow the steps in Table 170 to configure a static PMTU for a specified address:
Configuring the
Aging Time for PMTU
After the MTU of the path from the source host to the destination host is dynamically
determined, the source host uses this MTU to send subsequent packets to the
destination host.After the aging time expires, the dynamically determined PMTU is
deleted and the source host re-determines the MTU to send packets according to the
PMTU mechanism.
The aging time is invalid for static PMTU.
Follow the steps Table 171 to configure the aging time for PMTU:
Configuring IPv6 TCP Properties
The IPv6 TCP properties you can configure include:
synwait timer: When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
finwait timer: When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated. If FIN packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is restarted from the last packet and the connection is terminated after the finwait timer expires.
Size of the IPv6 TCP buffer.
Follow the steps in Table 172 to configure IPv6 TCP properties:
Table 170 Configuring a static PMTU for a specified address
To | Use the command | Remarks
Enter system view | system-view | -
Configure a static PMTU for a specified IPv6 address | ipv6 pathmtu ipv6-address [ value ] | Required. By default, no static PMTU is configured.
Table 171 Configuring the aging time for PMTU
To | Use the command | Remarks
Enter system view | system-view | -
Configure the aging time for PMTU | ipv6 pathmtu age age-time | Optional. 10 minutes by default.
Table 172 Configuring IPv6 TCP properties
To | Use the command | Remarks
Enter system view | system-view | -
Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time
If too many IPv6 ICMP error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of IPv6 ICMP error packets sent within a specified time. Currently, the token bucket algorithm is adopted.
You can set the capacity of a token bucket, namely, the number of tokens in the bucket. In addition, you can set the update period of the token bucket, namely, the interval for updating the number of tokens in the token bucket to the configured capacity. One token allows one IPv6 ICMP error packet to be sent. Each time an IPv6 ICMP error packet is sent, the number of tokens in the token bucket decreases by 1. If the number of IPv6 ICMP error packets successively sent exceeds the capacity of the token bucket, subsequent IPv6 ICMP error packets cannot be sent until the number of tokens in the token bucket is updated and new tokens are added to the bucket.
Follow the steps in Table 173 to configure the maximum number of IPv6 ICMP error packets sent within a specified time period:
Configuring IPv6 DNS
Configuring Static IPv6 DNS
You can establish the mapping between a host name and an IPv6 address through the following configuration. You can then directly use a host name in applications such as telnet, and the system resolves the host name into an IPv6 address. Each host name can correspond to at most eight IPv6 addresses.
Table 172 Configuring IPv6 TCP properties (continued)
To | Use the command | Remarks
Set the finwait timer of IPv6 TCP packets | tcp ipv6 timer fin-timeout wait-time | Optional. 675 seconds by default.
Set the synwait timer of IPv6 TCP packets | tcp ipv6 timer syn-timeout wait-time | Optional. 75 seconds by default.
Set the size of the IPv6 TCP buffer | tcp ipv6 window size | Optional. 8 kB by default.
Table 173 Configuring the maximum number of IPv6 ICMP error packets sent within a specified time period
To | Use the command | Remarks
Enter system view | system-view | -
Configure the capacity of the token bucket controlling the number of IPv6 ICMP error packets sent within a specified time, as well as the update period | ipv6 icmp-error { bucket bucket-size | ratelimit interval }* | Optional. By default, the capacity of a token bucket is 10 and the update period is 100 milliseconds. That is, at most 10 IPv6 ICMP error packets can be sent within 100 milliseconds.
Follow the steps in Table 174 to configure a host name and the corresponding IPv6 address:
Configuring Dynamic IPv6 DNS
If you want to use the dynamic domain name function, use the following command to enable the dynamic domain name resolution function. In addition, you should configure a DNS server so that a query request message can be sent to the correct server for resolution. The system supports at most six DNS servers.
You can configure a domain name suffix so that you only need to enter some fields of a domain name and the system automatically adds the preset suffix for address resolution. The system supports at most 10 domain name suffixes.
Follow the steps in Table 175 to configure dynamic IPv6 DNS:
The dns resolve and dns domain commands are the same as those of IPv4 DNS.
Displaying and Maintaining IPv6
Use the commands in Table 176 to display and maintain IPv6 information.
Table 174 Configuring a host name and the corresponding IPv6 address
To | Use the command | Remarks
Enter system view | system-view | -
Configure a host name and the corresponding IPv6 address | ipv6 host hostname ipv6-address | Required
Table 175 Configuring dynamic IPv6 DNS
To | Use the command | Remarks
Enter system view | system-view | -
Enable the dynamic domain name resolution function | dns resolve | Required. Disabled by default.
Configure an IPv6 DNS server | dns server ipv6 ipv6-address [ interface-type interface-number ] | Required
Configure the domain suffix | dns domain domain-name | Required. By default, no domain name suffix is configured, that is, the domain name is resolved according to the input information.
Table 176 Displaying and maintaining IPv6 information
To | Use the command | Remarks
Display DNS domain name suffix information | display dns domain [ dynamic ] | Any view
Display IPv6 dynamic domain name cache information | display dns ipv6 dynamic-host | Any view
Display DNS server information | display dns server [ dynamic ] | Any view
Display the FIB entries | display ipv6 fib [ ipv6-address ] | Any view
Display the mapping between host name and IPv6 address | display ipv6 host | Any view
Table 176 Displaying and maintaining IPv6 information (continued)
To | Use the command | Remarks
Display the brief IPv6 information of an interface | display ipv6 interface [ interface-type interface-number | brief ] | Any view
Display neighbor information | display ipv6 neighbors [ ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id ] [ | { begin | exclude | include } text ] | Any view
Display the total number of neighbor entries satisfying the specified conditions | display ipv6 neighbors { all | dynamic | static | interface interface-type interface-number | vlan vlan-id } count | Any view
Display the PMTU information of an IPv6 address | display ipv6 pathmtu { ipv6-address | all | dynamic | static } | Any view
Display information related to a specified socket | display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] | Any view
Display the statistics of IPv6 packets and IPv6 ICMP packets | display ipv6 statistics | Any view
Display the statistics of IPv6 TCP packets | display tcp ipv6 statistics | Any view
Display the IPv6 TCP connection status | display tcp ipv6 status | Any view
Display the statistics of IPv6 UDP packets | display udp ipv6 statistics | Any view
Clear IPv6 dynamic domain name cache information | reset dns ipv6 dynamic-host | In user view
Clear IPv6 neighbor information | reset ipv6 neighbors [ all | dynamic | interface interface-type interface-number | static ] | In user view
Clear the corresponding PMTU | reset ipv6 pathmtu { all | static | dynamic } | In user view
Clear the statistics of IPv6 packets | reset ipv6 statistics | In user view
Clear the statistics of all IPv6 TCP packets | reset tcp ipv6 statistics | In user view
Clear the statistics of all IPv6 UDP packets | reset udp ipv6 statistics | In user view
The display dns domain and display dns server commands are the same as those of IPv4 DNS. For details about the commands, refer to the DNS module.
IPv6 Configuration Example
Network requirements
Two switches are directly connected through two GigabitEthernet ports. The GigabitEthernet ports belong to VLAN 1. Different types of IPv6 addresses are configured for the VLAN 1 interface to verify the connectivity between the two switches. The aggregatable global unicast address of Switch A is 3001::1/64, and the aggregatable global unicast address of Switch B is 3001::2/64.
Network diagram
Figure 70 Network diagram for IPv6 address configuration
Configuration procedure
1 Configure Switch A.
# Enable the IPv6 packet forwarding function on Switch A.
<SwitchA> system-view
[SwitchA] ipv6
# Configure an automatically generated link-local address for the VLAN 1 interface.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipv6 address auto link-local
# Configure an aggregatable global unicast address for the VLAN 1 interface.
[SwitchA-Vlan-interface1] ipv6 address 3001::1/64
2 Configure Switch B.
# Enable the IPv6 packet forwarding function.
<SwitchB> system-view
[SwitchB] ipv6
# Configure an automatically generated link-local address for the VLAN 1 interface.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ipv6 address auto link-local
# Configure an aggregatable global unicast address for the VLAN 1 interface.
[SwitchB-Vlan-interface1] ipv6 address 3001::2/64
Verification
# Display the brief IPv6 information of an interface on Switch A.
<SwitchA> display ipv6 interface vlan-interface 1
Vlan-interface1 current state : UP
Line protocol current state : UP
IPv6 is enabled, link-local address is FE80::7D6C:0:5C0C:1
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF0C:1
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Display the brief IPv6 information of the interface on Switch B.
<SwitchB> display ipv6 interface vlan-interface 1
Vlan-interface1 current state : UP
Line protocol current state : UP
IPv6 is enabled, link-local address is FE80::E525:0:F01D:1
Global unicast address(es):
3001::2, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:2
FF02::1:FF1D:1
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# On Switch A, ping the link-local address and the aggregatable global unicast address of Switch B. If the configurations are correct, both types of IPv6 addresses can be pinged.
Caution: When you ping a link-local address, you must use the -i parameter to specify the interface for the link-local address.
<SwitchA> ping ipv6 FE80::E525:0:F01D:1 -i vlan-interface 1
PING FE80::E525:0:F01D:1 : 56 data bytes, press CTRL_C to break
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=1 hop limit=255 time = 80 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=2 hop limit=255 time = 60 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=3 hop limit=255 time = 60 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from FE80::E525:0:F01D:1
bytes=56 Sequence=5 hop limit=255 time = 60 ms
--- FE80::E525:0:F01D:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/66/80 ms
<SwitchA> ping ipv6 3001::2
PING 3001::2 : 56 data bytes, press CTRL_C to break
Reply from 3001::2
bytes=56 Sequence=1 hop limit=255 time = 50 ms
Reply from 3001::2
bytes=56 Sequence=2 hop limit=255 time = 60 ms
Reply from 3001::2
bytes=56 Sequence=3 hop limit=255 time = 60 ms
Reply from 3001::2
bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from 3001::2
bytes=56 Sequence=5 hop limit=255 time = 60 ms
--- 3001::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/60/70 ms
24 CONFIGURING IPV6 APPLICATIONS
Introduction to IPv6 Applications
IPv6 is becoming more widely used as it develops. Most IPv6 applications are the same as those of IPv4, including:
Ping
Traceroute
FTP
TFTP
Telnet
Ping IPv6
To ping IPv6, use the following command (which is available in any view):
ping ipv6 [ -a source-ipv6-address | -c echonum | -m interval | -s bytenum | -t timeout ]* { destination-ipv6-address | hostname } [ -i interface-type interface-number ]
Caution: You must specify the -i parameter when the destination address is a link local
address or multicast address.
Traceroute IPv6
Traceroute IPv6 is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of trouble.
Figure 71 Traceroute process
As Figure 71 shows, the traceroute process is as follows:
The source sends an IP datagram with TTL (Hop Limit in IPv6) as 1. The UDP port number of the carried UDP packet is a port number that is not available to any application in the destination.
If the first device receiving the datagram reads the TTL as 1, it discards the packet and returns an ICMP timeout error message. Thus, the source gets the first device's address on the route.
The source sends a datagram with TTL as 2 and the second hop device returns an ICMP timeout error message, so the source gets the second device's address on the route.
This process continues until the datagram reaches the destination host. As there is no application using the UDP port, the destination returns a "port unreachable" ICMP error message.
The source receives the "port unreachable" ICMP error message and understands that the packet has reached the destination, and thus determines the route of the packet from source to destination.
To traceroute IPv6, issue the following command (which is available in any view):
tracert ipv6 [ -f first-hop-limit | -m max-hop-limit | -p port-number | -q probenum | -w wait-time ]* { ipv6-address | hostname }
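The probe exchange described above, replayed as an added Python simulation that is not code from the guide; the node names RTA to RTD follow Figure 71, while the IPv6 addresses, UDP port numbers and function names are constructed for this example. It also reproduces the case from the troubleshooting section later in this chapter, where an application is listening on the probe's UDP port and the trace cannot complete.

```python
"""Simulation of the IPv6 traceroute (tracert ipv6) process.

Added example, not code from the 3Com guide.  It models a constructed path
RTA -> RTB -> RTC -> RTD and replays the probe exchange: the source sends UDP
probes with Hop Limit 1, 2, ...; each router that decrements the Hop Limit to
0 answers with an ICMPv6 "time exceeded" message, and the destination answers
with "port unreachable" when nothing listens on the probe's UDP port.  When an
application *is* listening on that port the destination stays silent, so the
source sees timeouts instead of the end of the trace (the guide's advice is
then to pick an unreachable port with -p).  Addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    address: str                                 # constructed IPv6 address
    listening_udp_ports: set[int] = field(default_factory=set)


@dataclass
class Reply:
    kind: str          # "time exceeded" | "port unreachable" | "none"
    sender: str        # address of the replying node ("" when no reply)
    hop_limit_left: int


def forward_probe(path: list[Node], hop_limit: int, udp_port: int) -> Reply:
    """Carry one UDP probe along the path, decrementing the Hop Limit at
    every node, as the figure in the guide shows."""
    for node in path:
        hop_limit -= 1
        if node is path[-1]:
            # Reached the destination host: only an unused port elicits the
            # ICMPv6 error the source relies on to detect completion.
            if udp_port in node.listening_udp_ports:
                return Reply("none", node.address, hop_limit)
            return Reply("port unreachable", node.address, hop_limit)
        if hop_limit == 0:
            # An intermediate router exhausted the limit: discard, report back.
            return Reply("time exceeded", node.address, hop_limit)
    return Reply("none", "", hop_limit)


def tracert_ipv6(path: list[Node], udp_port: int = 33434,
                 first_hop_limit: int = 1, max_hop_limit: int = 30) -> tuple[list[str], bool]:
    """Return (hop addresses discovered in order, completed flag).

    `first_hop_limit`, `max_hop_limit` and `udp_port` correspond to the -f, -m
    and -p options of the guide's `tracert ipv6` command; a "*" entry stands
    for a probe that got no reply within the wait time.
    """
    hops: list[str] = []
    for hl in range(first_hop_limit, max_hop_limit + 1):
        reply = forward_probe(path, hl, udp_port)
        if reply.kind == "time exceeded":
            hops.append(reply.sender)
        elif reply.kind == "port unreachable":
            hops.append(reply.sender)
            return hops, True
        else:
            hops.append("*")
    return hops, False


# Constructed topology: RTA, RTB, RTC are routers, RTD is the destination host.
PATH = [
    Node("RTA", "2001:db8:0:1::1"),
    Node("RTB", "2001:db8:0:2::1"),
    Node("RTC", "2001:db8:0:3::1"),
    Node("RTD", "2001:db8:0:4::10", listening_udp_ports={33434}),
]

if __name__ == "__main__":
    # Probe port in use on RTD: the trace never completes (troubleshooting case).
    print(tracert_ipv6(PATH, udp_port=33434, max_hop_limit=5))
    # Choosing an unused port (tracert ipv6 -p) completes the trace at hop 4.
    print(tracert_ipv6(PATH, udp_port=33999))
```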
FTP Configuration
IPv6 supports file transfer protocol (FTP) applications. You can log into the switch (serving as an FTP client) by running a terminal emulation program on your PC or by using Telnet. Then, you can use the ftp command to connect the switch to a remote FTP server and access the files on the remote FTP server.
Configuration Prerequisites
The FTP server is started, with the related parameters, such as username, password, and user rights, configured. Refer to the File System Management module for detailed procedures.
FTP Configuration
You can perform the configuration task in Table 177 on an authorized directory when the device serves as an FTP client.
Caution: Make sure you use the -i keyword to specify the interface for a link-local address.
TFTP Configuration
IPv6 supports TFTP (Trivial File Transfer Protocol). As a client, the device can download files from or upload files to a TFTP server.
Configuration Preparation
Start the TFTP server and specify the route to download or upload files. Refer to the TFTP server configuration specifications for specific instructions.
Table 177 Configure FTP
To | Use the command | Remarks
Establish a control connection with a remote FTP server | ftp ipv6 [ [ { ipv6-address | hostname } [ port-number ] ] [ -a source-ipv6 ] [ -i interface-type interface-number ] ] | Required. Use this command in user view.
TFTP Configuration
Manage users' access to TFTP servers
Follow the steps in Table 178 to configure the ACL for the TFTP application.
Download files
Follow the steps in Table 179 to download files from TFTP servers.
Caution: Make sure to specify the -i parameter when the destination address is a link-local address.
Upload files
Follow these steps to upload files to TFTP servers:
To do | Use the command | Remarks
Upload files to TFTP servers | tftp ipv6 { tftp-server-ipv6-address | hostname } [ -i interface-type interface-number ] put source-filename [ destination-filename ] | Required. Available in user view.
Caution: Make sure to specify the -i parameter when the destination address is a link-local address.
IPv6 Telnet
The Telnet protocol is an application layer protocol of the TCP/IP protocol suite, used to provide remote login and virtual terminals. The device can be used either as a Telnet client or as a Telnet server.
As Figure 72 shows, the Host runs an IPv6 Telnet client application to set up an IPv6 Telnet connection with Device A, which serves as the Telnet server. If Device A in turn connects to Device B through Telnet, Device A is the Telnet client and Device B is the Telnet server.
Table 178 Configuring the ACL for the TFTP application
To | Use the command | Remarks
Enter system view | system-view | -
Configure the ACL for the TFTP application to enable or disable access to a specific TFTP server | tftp-server ipv6 acl acl-number | Required. By default, no ACL is associated with the TFTP application.
Table 179
To | Use the command | Remarks
Download files from TFTP server | tftp ipv6 { ipv6-address | hostname } [ -i interface-type interface-number ] get source-filename [ destination-filename ] | Required. Available in user view.
Figure 72 Providing Telnet services
Configuration Prerequisites
Telnet has three kinds of authentication: None, Password and Scheme, with Password as the default. Refer to the Login module for specific instructions.
Setting up IPv6 Telnet Connections
Follow these steps to set up IPv6 Telnet connections:
To do | Use the command | Remarks
Perform the telnet command at the Telnet client to log in to and manage other devices | telnet ipv6 { ipv6-address | hostname } [ -i interface-type interface-name ] [ port-number ] | Required. Available in user view.
Caution: Make sure you specify the -i parameter when the destination address is a link-local address.
Displaying and Maintaining IPv6 Telnet
Follow these steps to display and debug IPv6 Telnet:
To do | Use the command | Remarks
Display the usage information of the user interface | display users [ all ] | Available in any view.
Examples of Typical IPv6 Application Configurations
Network requirements
In Figure 73, SWA, SWB and SWC represent three switches in the public domain. In the same LAN, there is a Telnet server and a TFTP server, providing Telnet service and TFTP service to the switches respectively.
Network diagram
Figure 73 IPv6 application network diagram
Configuration procedure
Configure the IPv6 addresses on the switches' and servers' interfaces, and make sure that the route between the switch and the server is reachable before the following configuration.
# Ping SWB's IPv6 address from SWA.
<SWA> ping ipv6 3003::1
PING 3003::1 : 56 data bytes, press CTRL_C to break
Reply from 3003::1
bytes=56 Sequence=1 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=2 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=3 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=4 hop limit=255 time = 2 ms
Reply from 3003::1
bytes=56 Sequence=5 hop limit=255 time = 2 ms
--- 3003::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms
# Trace the IPv6 route from SWA to SWC.
<SWA> tracert ipv6 3002::1
traceroute to 3002::1 30 hops max, 60 bytes packet
1 3003::1 30 ms 0 ms 0 ms
2 3002::1 10 ms 10 ms 0 ms
# SWC downloads a file from TFTP server 3001::3.
<SWC> tftp ipv6 3001::3 get filetoget flash:/filegothere
Transfer file in binary mode.
Now begin to download file from remote tftp server, please wait for a while...
TFTP: 11369 bytes received in 1 seconds.
File downloaded successfully.
# Connect to Telnet server 3001::2.
<SWA> telnet ipv6 3001::2
Trying 3001::2...
Press CTRL+K to abort
Connected to 3001::2 ...
TelnetServer>
# Set up a Telnet connection from SWA to SWC.
<SWA> telnet ipv6 3002::1
Trying 3002::1 ...
Press CTRL+K to abort
Connected to 3002::1 ...
*********************************************************************
* Copyright (c) 2007-2008 3Com Corporation.                         *
* Without the owner's prior written consent,                        *
* no decompiling or reverse-engineering shall be allowed.           *
*********************************************************************
<SWC>
Troubleshooting IPv6 Application
Unable to Ping a Remote Destination
Symptom
Unable to ping a remote destination; an error message is returned.
Solution
Use the display ipv6 interface command to determine whether the interfaces of the source and the destination and the link-layer protocol between them are in the up state.
Use the display current-configuration command to check whether the IPv6 forwarding function is enabled. If not, enable it with the ipv6 command.
Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether the failure is caused by a timeout limit that is too small.
Use the debugging ipv6 icmpv6 command to enable ICMPv6 debugging and check the request and response packets.
Unable to Run Traceroute
Symptom
Unable to trace the route by performing Traceroute operations.
Solution
Determine whether you can ping the destination host.
If yes, check whether an application on the destination host is using the UDP port that Traceroute sends to. If so, specify a UDP port that is unreachable in the tracert ipv6 command.
Use the debugging udp ipv6 packet command to enable UDP packet debugging for sent and received UDP packets.
Use the debugging ipv6 icmpv6 command to check the ICMPv6 packets received from different devices.
Unable to Run TFTP
Symptom
Unable to download and upload files by performing TFTP operations.
Solution
Make sure that the ACL configured for the TFTP server does not block the connection to the TFTP server.
Make sure that the file system of the device is usable. You can check it by running the dir command in user view.
Use the debugging udp ipv6 packet command in user view to enable UDP packet debugging for sent and received UDP packets.
Unable to Run Telnet
Symptom
Unable to log in to the Telnet server by performing Telnet operations.
Solution
Make sure that the Telnet server application is running on the server, and check that the configuration makes the server reachable.
Run the debugging telnet command in user view to debug Telnet.
Run the debugging tcp ipv6 packet command in user view to check the packet information.
25 STATIC ROUTING CONFIGURATION
In this chapter, a router refers to a generic router or a Layer 3 switch running routing protocols. To improve readability, this is not repeated in the rest of this manual.
Introduction
Static Routing
A static route is a special route that is manually configured by the network administrator. If a network is relatively simple, you only need to configure static routes for the network to work normally. The proper configuration and usage of static routes can improve a network's performance and ensure bandwidth for important network applications.
The disadvantage of static routing is that, if a fault or a topological change occurs in the network, the route becomes unreachable and the network breaks. In this case, the network administrator has to modify the configuration manually.
Default Routes
A default route is another special route, generated from a static route or from dynamic routing protocols such as OSPF and IS-IS.
Generally, a router selects the default route only when it cannot find any matching entry in the routing table. In a routing table, the default route is in the form of the route to the network 0.0.0.0 (with the mask 0.0.0.0). You can check whether a default route has been configured by running the display ip routing-table command.
If the destination address of a packet fails to match any entry in the routing table, the router selects the default route to forward the packet. If there is no default route and the destination address of the packet is not in the routing table, the packet is discarded and an ICMP packet is sent to the source reporting that the destination or the network is unreachable.
Application Environment of Static Routing
The Switch 4500G Family supports general static routing.
You need to be familiar with the following when configuring static routes:
1 Destination address and mask
In the ip route-static command, the IPv4 address is in dotted decimal format and the mask can be in either dotted decimal format or mask length (the number of consecutive 1s in the mask).
2 Output interface and next hop address
When configuring static routes, you can specify either the output interface or the next hop address. Which one you should specify depends on the specific situation.
In fact, all route entries must specify the next hop address. When forwarding a packet, the corresponding route is determined by searching the routing table for the packet's destination address. Only after the next hop address is specified can the corresponding link-layer address be found for the link layer to forward the packet.
3 Other attributes
You can configure different preferences for different static routes to implement flexible routing management policies. For example, when configuring multiple routes to the same destination, using identical preferences allows load sharing, while using different preferences allows routing backup.
When running the ip route-static command to configure a static route, configuring an all-zero destination address and mask specifies the default route.
The Switch 4500G Family does not support load sharing.
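The lookup rules described in this chapter (longest prefix first, the all-zero default route as the fallback, and preference deciding between routes to the same destination, as under Other attributes), as an added Python example that is not code from the guide; the routing table is the one Switch A displays in the static route example later in this chapter (host and loopback entries omitted), while the backup-route variant and the function names are constructed for this example:

```python
"""Longest-prefix-match lookup with a default route and route preference.

Added example, not code from the 3Com guide.  It rebuilds (in part) the routing
table that the static-route example later in this chapter displays on Switch A
and shows how a packet is matched: the most specific prefix wins; among routes
to the same prefix the lowest preference is selected (direct routes are 0, the
guide's default for static routes is 60); 0.0.0.0/0 is used only when nothing
else matches; and with no default route the packet is dropped, which is the
case where the guide says an ICMP unreachable message goes back to the source.
Host routes (/32) and the loopback entries of the real table are omitted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

STATIC_DEFAULT_PREFERENCE = 60   # guide: "The preference is 60 by default."


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    proto: str          # "Direct" or "Static"
    preference: int     # 0 for direct routes, 60 by default for static routes
    next_hop: IPv4Address
    interface: str


def add_static(table: list[Route], dest: str, mask: str, next_hop: str,
               interface: str, preference: int = STATIC_DEFAULT_PREFERENCE) -> None:
    """Equivalent of `ip route-static dest mask next_hop [ preference p ]`;
    `mask` may be dotted decimal (255.255.255.0) or a length (24), as the
    guide allows.  strict=False lets a host address be given as destination."""
    table.append(Route(IPv4Network(f"{dest}/{mask}", strict=False), "Static",
                       preference, IPv4Address(next_hop), interface))


def lookup(table: list[Route], destination: str) -> Optional[Route]:
    """Select the route for `destination`: longest prefix first, then lowest
    preference.  Returns None when no route (not even a default) matches."""
    dst = IPv4Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None          # no entry and no default route: packet dropped
    # The all-zero default route has prefix length 0, so it can only win when
    # it is the sole candidate.
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def build_switch_a_table() -> list[Route]:
    """Switch A from the guide's example: its two directly connected
    networks plus the default route `ip route-static 0.0.0.0 0.0.0.0 1.1.4.2`."""
    table = [
        Route(IPv4Network("1.1.1.0/24"), "Direct", 0, IPv4Address("1.1.1.1"), "Vlan200"),
        Route(IPv4Network("1.1.4.0/30"), "Direct", 0, IPv4Address("1.1.4.1"), "Vlan100"),
    ]
    add_static(table, "0.0.0.0", "0.0.0.0", "1.1.4.2", "Vlan100")
    return table


def build_backup_table() -> list[Route]:
    """Constructed variant: two static routes to the same prefix with
    different preferences, the routing-backup pattern the guide mentions."""
    table: list[Route] = []
    add_static(table, "1.1.3.0", "24", "1.1.4.2", "Vlan100")                 # primary
    add_static(table, "1.1.3.0", "24", "1.1.4.6", "Vlan101", preference=80)  # backup
    return table


if __name__ == "__main__":
    t = build_switch_a_table()
    print(lookup(t, "1.1.1.2"))   # directly connected 1.1.1.0/24 via Vlan200
    print(lookup(t, "1.1.3.2"))   # falls through to 0.0.0.0/0, next hop 1.1.4.2
    print(lookup(build_backup_table(), "1.1.3.2").next_hop)     # 1.1.4.2 (pref 60)
    print(lookup([r for r in t if r.prefix.prefixlen], "9.9.9.9"))   # None: dropped
```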
Configuring Static Route
Configuration Prerequisites
Before configuring a static route, you need to finish the following tasks:
Configuring the physical parameters for the relevant interfaces
Configuring the link-layer attributes for the relevant interfaces
Configuring the IP addresses for the relevant interfaces
Configuring Static Routes
Follow the steps in Table 180 to configure a static route:
When configuring a static route, the default preference is used if no value is specified. After the default preference is reset, the new value applies only to newly created static routes.
The description text can describe the usage and function of specific routes, making it easy for you to classify and manage different static routes.
You can easily control the routes by using the tag set in the routing policy.
Table 180 Configuring Static Routes
Operation | Command | Description
Enter system view | system-view | -
Configure a static route | ip route-static ip-address { mask | mask-length } { [ vlan-interface vlan-id ] nexthop-address | NULL interface-number } [ preference preference | description description-info | tag tag-value ]* | Required
Configure the default preference for a static route | ip route-static default-preference default-preference-value | Optional. The preference is 60 by default.
Displaying and Maintaining Static Routes
After the configuration, you can run the display commands in any view to display the running status and configuration effect of the static route configuration.
You can use the delete command in system view to delete all the configured static routes.
Follow the steps in Table 181 to display and maintain a static route:
You can use the undo ip route-static command in system view to delete a static route, and use the delete static-routes all command in system view to delete all the configured static routes (including manually configured default IPv4 routes) at the same time.
Example of Static Routes Configuration
Network requirements
The switches' interfaces and the hosts' IP addresses and masks are shown in the following figure. Static routes are required to connect the hosts for inter-communication.
Network diagram
Figure 74 Network diagram for static routes
Table 181 Displaying and Maintaining Static Routes
Operation | Command
Display the current configuration | display current-configuration
Display the summary of the IP routing table | display ip routing-table
Display the details of the IP routing table | display ip routing-table verbose
Display the information of a static route | display ip routing-table protocol static [ inactive | verbose ]
Delete all static routes | delete static-routes all
Configuration procedure
1 Configure the interfaces' IP addresses
Omitted.
2 Configure the static routes
a Configure a default route on Switch A.
[Switch A] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
b Configure two static routes on Switch B.
[Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
[Switch B] ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
c Configure a default route on Switch C.
[Switch C] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
3 Configure the hosts
The default gateways for the three hosts PC1, PC2 and PC3 are configured as 1.1.1.1, 1.1.2.1 and 1.1.3.1 respectively.
4 Display the configuration result
a Display the IP routing table of Switch A.
[Switch A] display ip routing-table
Routing Tables: Public
Destinations : 7 Routes : 7
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
0.0.0.0/0           Static  60   0     1.1.4.2      Vlan100
1.1.1.0/24          Direct  0    0     1.1.1.1      Vlan200
1.1.1.1/32          Direct  0    0     127.0.0.1    InLoop0
1.1.4.0/30          Direct  0    0     1.1.4.1      Vlan100
1.1.4.1/32          Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
b Use the ping command to check the connectivity.
[Switch A] ping 1.1.3.1
PING 1.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 1.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
Reply from 1.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
Reply from 1.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
Reply from 1.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms
--- 1.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms
c Use the tracert command to check the connectivity.
[Switch A] tracert 1.1.3.1
traceroute to 1.1.3.1(1.1.3.1) 30 hops max, 40 bytes packet
1 1.1.4.2 31 ms 32 ms 31 ms
2 1.1.4.6 62 ms 63 ms 62 ms
26 RIP CONFIGURATION
The term "router" in this document refers to a router in a generic sense or a Layer 3
switch. To improve readability, this will not be described in the present manual again.
RIP Overview
RIP is a simple Interior Gateway Protocol (IGP), which is mainly used in small-size
networks, such as academic networks and simple structured LANs.
RIP is still widely used in practice because it is simple to implement and easier to
configure and maintain than OSPF and IS-IS.
RIP Mechanism
Basic concept of RIP
RIP is a distance-vector routing protocol that exchanges routing information in UDP
messages on port 520.
RIP uses a routing metric (hop count) to measure the distance to the destination. The
hop count from a router to its directly connected network is 0; a network reachable
through one other router is one hop away, and so on. To reduce the convergence time,
RIP limits the metric to the range 0 to 15. A metric equal to or larger than 16 is
considered infinity, which means the destination network is unreachable. That is why RIP
cannot be used in large-scale networks.
RIP prevents routing loops by implementing Split Horizon and Poison Reverse functions.
RIP routing table
Each RIP router has a routing table, containing routing entries of all reachable
destinations.
Destination address: the IP address of a host or a network.
Next hop: IP address of the adjacent router to the destination network.
Interface: The interface for forwarding
Metric: Cost from the local router to the destination
Routing time: The amount of time since the entry was last updated. The time is reset
to 0 each time the routing entry is updated.
Route change tag: Indicates that the information about this route has changed.
RIP timers
RIP uses four timers to control its operation. They are Update, Timeout, Suppress, and
Garbage-Collect.
Update timer triggers sending new update messages periodically.
Timeout timer controls the validity of a route. A route is considered unreachable
when the RIP router does not receive an update for it from any neighbor within the
timeout period.
Suppress timer. A route enters the suppress state when no update is received within
the timeout period or its metric reaches 16. In the suppress state, the router only
accepts updates with a metric less than 16 from the same neighbor to replace the
unreachable route.
Garbage-Collect timer. The period from when the metric of a route reaches 16 until
the route is purged from the table is defined in the RFC as the garbage collection time.
During the garbage-collect time, RIP keeps advertising the route with a metric of 16.
Once the garbage-collect time expires and the route has not been updated, the route
is deleted from the table.
RIP initialization and running procedure
The following procedure describes how RIP works.
1 After enabling RIP, the router sends Request messages to neighboring routers.
Neighboring routers return Response messages including all information about the
routing table.
2 The router updates its local routing table, and broadcasts the routing updates to its
neighbors with triggered updating messages. All routers on the network do the same to
keep the latest routing table.
In RIP, the routing table on each router is updated upon receipt of RIP messages
periodically advertised by neighboring routers. The aged routes are deleted to make sure
routes are always valid. The procedure is as follows: RIP periodically advertises the local
routing table to neighboring routers, which update their local routes upon receipt of the
packets. This procedure repeats on all RIP-enabled routers.
Routing loops prevention
RIP is a D-V based routing protocol. Each router calculates the distance to a destination
based on the routing information from its neighbors. When a connection to a
destination goes down, there is no way for the router on that connection to notify the
others about its metric changes. The other routers still use the old routing information to
calculate the distance to that destination. Therefore, routing loops can occur in this case.
RIP uses the following mechanisms to prevent routing loops.
Counting to infinity. The metric value of 16 is defined as infinity. When a routing loop
occurs, the route is considered as unreachable when the metric value reaches 16.
Split Horizon. The router does not send routes back out through the interface on
which it received them. Split Horizon prevents routing loops and saves bandwidth.
Poison Reverse. The router sends routes back through the interface from which they
were received, but with a metric of 16 (meaning infinite). This removes useless
information from the routing tables of neighboring routers.
Triggered Updates. Each router sends out its new routing table as soon as it receives
an update, rather than waiting until the usual update period expires. This speeds up
network convergence.
RIP Version
RIP has two versions: RIP-1 and RIP-2.
RIP-1, a Classful Routing Protocol, supports broadcasting protocol messages. RIP-1
protocol messages do not carry mask information, which means it can only recognize
routing information on segments with natural addresses such as Class A, B, and C. That
is why RIP-1 does not support routing convergence and Discontiguous Subnet.
RIP-2 is a Classless Routing Protocol. Compared with RIP-1, RIP-2 has the following
advantages.
Supports Route Tag. The Route Tag is intended to differentiate the internal RIP routes
from the external RIP routes.
Supports masks, route summarization and CIDR (Classless Inter-Domain Routing).
Supports next hop, which must be directly reachable on the broadcast network.
Supports multicasting to reduce unnecessary load on hosts that do not need to listen
to RIP-2 messages.
Supports authentication to enhance security. Two authentication methods are available:
plain text and MD5 (Message Digest 5).
RIP-2 has two types of message transmission: broadcasting and multicasting.
Multicasting is the default type using 224.0.0.9 as the multicast address. The interfaces
running RIP-2 broadcasting can also receive RIP-1 messages.
RIP Message Format
RIP-1 message format
A RIP message consists of a header and up to 25 route entries.
The format of RIP-1 message is shown in Figure 75.
Figure 75 RIP-1 Message Format
Command: The type of message. 1 indicates Request, 2 indicates Response.
Version: The version of RIP. RIP-1 is 0x01.
AFI (Address Family Identifier): The family of protocol. 2 is for IP.
IP Address: IP address of the destination. Only natural addresses are acceptable here.
Metric: The cost of the route.
[Figure 75 layout, recovered from the original diagram: bit positions 0, 7, 15, 31; header = command, version, must be zero; each route entry = address family identifier, must be zero, IP address, must be zero, must be zero, metric]
RIP-2 message format
The format of a RIP-2 message is similar to RIP-1, as shown in Figure 76.
Figure 76 RIP-2 Message Format
The differences from RIP-1 are as follows.
Version: The version of RIP. For RIP-2 the value is 0x02.
Route Tag: An attribute that indicates where the routes were imported from.
IP Address: The destination IP address. It can be a natural address, a subnet address or
a host address.
Subnet Mask: Mask of the destination address.
Next Hop: The address of the best next hop. 0.0.0.0 indicates that the originator of
the route is the best next hop.
RIP-2 authentication
RIP-2 supports plain text authentication, which uses the first route entry to carry the
authentication information. An address family identifier of 0xFFFF indicates that the
entry carries authentication information rather than routing information. See Figure 77.
Figure 77 RIP-2 Authentication Message
Authentication Type: 2 represents plain text authentication, while 3 represents MD5.
Authentication: The actual authentication data. It contains the password when plain
text authentication is used.
RFC 1723 only defines plain text authentication. For information about MD5
authentication, see RFC 2082 RIP-2 MD5 Authentication.
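To make the layouts of Figures 75 to 77 concrete, here is an added decoder for RIP-1 and RIP-2 messages, including the plain text and MD5 authentication entries. It is example code written for this page, not the switch's or Comware's own implementation, and the packets it decodes are constructed by hand rather than captured from a device.

```python
"""Decoder for the RIP-1/RIP-2 messages of Figures 75 to 77 (RFC 1058, RFC 1723,
RFC 2082).  Added example, not code from the 3Com manual or Comware; the sample
packets at the bottom are constructed by hand, not captured from a switch."""
import struct
from ipaddress import IPv4Address

COMMANDS = {1: "Request", 2: "Response"}
AFI_AUTH = 0xFFFF     # address family 0xFFFF marks an authentication entry
ENTRY_LEN = 20        # every route entry is 20 octets
MAX_ENTRIES = 25      # at most 25 entries follow the 4-octet header

def _parse_auth(auth_type: int, payload: bytes) -> dict:
    """Decode the 16-octet authentication field of Figure 77."""
    if auth_type == 2:   # plain text: the password itself travels in the clear
        return {"type": "simple",
                "password": payload.rstrip(b"\0").decode("ascii", "replace")}
    if auth_type == 3:   # MD5 (RFC 2082): packet length, key ID, auth length, sequence
        pkt_len, key_id, auth_len, seq = struct.unpack("!HBBI", payload[:8])
        return {"type": "md5", "packet_len": pkt_len, "key_id": key_id,
                "auth_len": auth_len, "sequence": seq}
    if auth_type == 1:   # RFC 2082 trailer entry: the 16-octet digest itself
        return {"type": "md5-digest", "digest": payload.hex()}
    raise ValueError(f"unknown authentication type {auth_type}")

def parse_rip(data: bytes) -> dict:
    """Return command, version, authentication entries and routes of one message.
    Raises ValueError for what a receiver with checkzero enabled discards: a short
    header, a body that is not 1..25 entries of 20 octets, a non-zero must-be-zero
    field in RIP-1, or a metric outside 1..16."""
    if len(data) < 4:
        raise ValueError("RIP header is 4 octets")
    command, version, mbz = struct.unpack("!BBH", data[:4])
    if command not in COMMANDS or version not in (1, 2):
        raise ValueError(f"bad command/version {command}/{version}")
    if version == 1 and mbz:
        raise ValueError("RIP-1 header must-be-zero field is non-zero")
    body = data[4:]
    if not body or len(body) % ENTRY_LEN or len(body) // ENTRY_LEN > MAX_ENTRIES:
        raise ValueError("body must be 1..25 entries of 20 octets")
    msg = {"command": COMMANDS[command], "version": version, "auth": [], "routes": []}
    for i in range(0, len(body), ENTRY_LEN):
        afi, tag, addr, mask, nexthop, metric = struct.unpack(
            "!HH4s4s4sI", body[i:i + ENTRY_LEN])
        if version == 2 and afi == AFI_AUTH:
            if tag in (2, 3) and i != 0:
                raise ValueError("authentication must be the first entry")
            msg["auth"].append(_parse_auth(tag, body[i + 4:i + ENTRY_LEN]))
            continue
        if version == 1 and (tag or mask != bytes(4) or nexthop != bytes(4)):
            raise ValueError("RIP-1 entry has a non-zero must-be-zero field")
        if not 1 <= metric <= 16:
            raise ValueError(f"metric {metric} outside 1..16")
        msg["routes"].append({
            "afi": afi, "tag": tag, "address": str(IPv4Address(addr)),
            "mask": str(IPv4Address(mask)) if version == 2 else None,
            "next_hop": str(IPv4Address(nexthop)) if version == 2 else None,
            "metric": metric, "unreachable": metric == 16})
    return msg

def is_valid(data: bytes) -> bool:
    """True if parse_rip accepts the message, False if it would be discarded."""
    try:
        parse_rip(data)
        return True
    except ValueError:
        return False

def audit(data: bytes) -> list:
    """Findings a defender wants from a captured update: no authentication at all,
    or a plain text password readable by anyone on the segment."""
    msg = parse_rip(data)
    findings = []
    if msg["version"] == 1:
        findings.append("RIP-1: no authentication possible")
    elif not msg["auth"]:
        findings.append("RIP-2 update without authentication entry")
    for a in msg["auth"]:
        if a["type"] == "simple":
            findings.append(f"plain text password on the wire: {a['password']!r}")
    return findings

def entry(afi, tag, addr, mask, nexthop, metric) -> bytes:
    """Build one 20-octet route entry (used only to construct the samples)."""
    return struct.pack("!HH4s4s4sI", afi, tag, IPv4Address(addr).packed,
                       IPv4Address(mask).packed, IPv4Address(nexthop).packed, metric)

# Constructed samples: a RIP-1 Response carrying the natural-mask route seen in the
# 'display rip 1 route' output, a RIP-2 Response that starts with a plain text
# authentication entry (Figure 77), and a RIP-1 entry with a non-zero mask field.
RIP1_RESPONSE = struct.pack("!BBH", 2, 1, 0) + entry(2, 0, "10.0.0.0", "0.0.0.0", "0.0.0.0", 1)
RIP2_SIMPLE = (struct.pack("!BBH", 2, 2, 0)
               + struct.pack("!HH16s", AFI_AUTH, 2, b"s3cret")
               + entry(2, 0, "10.2.1.0", "255.255.255.0", "0.0.0.0", 1)
               + entry(2, 0, "10.1.1.0", "255.255.255.0", "0.0.0.0", 1))
RIP1_BAD_ZERO = struct.pack("!BBH", 2, 1, 0) + entry(2, 0, "10.0.0.0", "255.0.0.0", "0.0.0.0", 1)
```

Running `audit(RIP2_SIMPLE)` reports the clear-text password, which is the practical meaning of the note that plain text authentication cannot provide a high security guarantee.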
RIP Features Supported
Currently, Comware 5.0 supports the following RIP features.
RIP-1
RIP-2
[Figure 76 layout, recovered from the original diagram: bit positions 0, 7, 15, 31; header = Command, Version, unused; each route entry = Address Family Identifier, Route Tag, IP Address, Subnet Mask, Next Hop, Metric]
[Figure 77 layout, recovered from the original diagram: bit positions 0, 7, 15, 31; header = command, version, unused; authentication entry = 0xFFFF, Authentication Type, Authentication (16 octets)]
RIP Related RFC
RFC 1058: Routing Information Protocol
RFC 1723: RIP Version 2 - Carrying Additional Information
RFC 1721: RIP Version 2 Protocol Analysis
RFC 1722: RIP Version 2 Protocol Applicability Statement
RFC 1724: RIP Version 2 MIB Extension
RFC 2082: RIP-2 MD5 Authentication
RIP Basic Configuration
In this section, you are presented with the information needed to configure the basic RIP
features.
Configuration Prerequisites
Before configuring RIP features, please first configure IP address on each interface, and
make sure all routers are reachable.
Configuring RIP Basic Function
Enabling RIP and specifying networks
Follow these steps to enable RIP:
If you perform some RIP configurations in interface view before enabling RIP, those
configurations will take effect after RIP is enabled.
The router does not send, receive or forward any routing information if you do not
enable RIP on that network.
You can enable RIP on all interfaces of the network by using the network 0.0.0.0
command.
Table 182 Configuring RIP Basic Function
Operation: Command (Description)
Enter system view: system-view
Enable RIP and enter RIP view: rip [ process-id ]
Enable RIP on specified network: network network-address (Required; disabled by default)
Configuring the interface behavior
Follow these steps to configure interface behavior:
Stopping routing updates means that the router receives routing updates without
forwarding them.
Configuring the RIP version
Follow these steps to configure the RIP version:
If the RIP version specified on the interface and the global RIP version are inconsistent,
the RIP version specified on the interface is used.
If no RIP version is specified on the interface, the global RIP version is used.
Table 183 Configuring the interface behavior
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Stop routing updates on all interfaces: silent-interface all (Optional; all interfaces can receive routing updates by default)
Stop routing updates on one interface: silent-interface interface-type interface-number (Optional; all interfaces can receive routing updates by default)
Enter interface view: interface interface-type interface-number
Configure an interface to receive routing updates: rip input (Optional; by default, the router receives and sends RIP messages)
Configure an interface to send routing updates: rip output (Optional; by default, the router receives and sends RIP messages)
Table 184 Configuring the RIP version
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Specify a global RIP version: version { 1 | 2 } (Optional; RIP-1 by default)
Enter interface view: interface interface-type interface-number
Specify a RIP version on the interface: rip version { 1 | 2 [ broadcast | multicast ] } (Optional; by default, the router receives RIP-1 and RIP-2 messages but only sends RIP-1 messages. If the RIP version is 2, you can specify whether messages are broadcast or multicast.)
RIP Route Control
In some complex network environments, you need to make the RIP configuration more
precise.
This section covers the following topics:
Configuring additional routing metrics to affect routing options.
Configuring the route summarization to reduce the size of routing tables.
Configuring host routes to reduce the size of routing tables
Configuring default routes
Configuring filtering policies
Configuring the protocol priority
Redistributing routes
Before configuring RIP routing information, finish the following tasks first:
Configure IP address on each interface, and make sure all routers are reachable.
Configure basic RIP functions
Configuring RIP Route Control
Configuring additional routing metric
To increase the value of routing metrics, you can add a value to the incoming or outgoing
routing metric of routes learned by RIP.
Follow these steps to configure additional routing metrics:
rip metricout applies only to the router's own routes and to routes learned by RIP; it
does not apply to routes imported from other routing protocols.
Configuring route summarization
Route summarization means that the subnet routes of a natural network are summarized
so that the whole network is advertised as a single natural-mask route. This reduces the
size of the routing tables and therefore the network load.
RIP-1 does not support route summarization. When RIP-2 is running, you need to disable
the route summarization function if you want to advertise all subnet routes.
Table 185 Configuring RIP Route Control
Operation: Command (Description)
Enter system view: system-view
Enter interface view: interface interface-type interface-number
Define an additional routing metric for incoming routes: rip metricin value (Optional; 0 by default)
Define an additional routing metric for outgoing routes: rip metricout value (Optional; 1 by default)
Follow these steps to configure RIP route summarization:
Disabling the receiving of host routes
In some cases, the router can receive a large amount of routing information for hosts on
the same network; these host routes are not helpful for routing but consume a large part
of the network resources. After the host route function is disabled, the router discards
host route information.
Follow these steps to configure host routes:
Configuring default route
Follow these steps to configure RIP default route:
Table 186 Configuring route summarization
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Enable RIP-2 automatic route summarization: summary (Optional; enabled by default)
Enter interface view: interface interface-type interface-number
Assign an IP address and network mask for the summarized routes to be advertised: rip summary-address network-address network-mask (Optional)
Table 187 Disabling the receiving of host routes
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Disable the receiving of host routes: undo host-route (Optional; enabled by default)
Table 188 Configuring default route
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Configure a RIP default route: default-route originate cost value (Required)
Configuring route filtering
The router supports route filtering. You can filter incoming and outgoing routes by
setting inbound and outbound filter policies that reference an access list or an IP prefix
list. You can also restrict incoming routes to those received from particular neighbors.
Follow these steps to configure route filtering:
Configuring protocol priority
Follow these steps to configure protocol priorities:
Redistributing route
Follow these steps to import exterior route:
Table 189 Configuring route filtering
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Define the filtering policy: filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import [ interface-type interface-number ] (Required)
Table 190 Configuring protocol priority
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Set the protocol priority: preference [ route-policy route-policy-name ] value (Optional; 100 by default)
Table 191 Redistributing route
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Define a value for the default cost of the imported route: default-cost value (Optional; if no cost is set during importing, this default value is used as the route cost)
Import a route: import-route protocol [ process-id ] [ cost cost-value | route-policy route-policy-name | tag tag-value ]* (Required)
Define the filtering policy for the redistributed route: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] | interface-type interface-number ] (Optional)
When advertising routing information, you can set the protocol parameter to filter only
the routing information imported from that protocol. If the protocol parameter is not
set, all routing information, including RIP routes (directly connected routes) and
imported routes, is advertised.
RIP Configuration Optimization
In special network environments, you need to configure some other RIP features to
optimize network performance.
This section covers the following topics:
Configuring RIP timer
Configuring split horizon and poison reverse
Configuring RIP updating message validation
Configuring RIP-2 message authentication
Configuring RIP peer
Finish the following tasks before starting RIP optimization.
Configure network addresses on interfaces, make sure neighboring nodes are
reachable
Configure RIP basic functions.
Configuration Procedure
Configuring RIP timer
Follow these steps to configure the RIP timer:
When configuring the values of RIP timers, you should take network performance into
consideration and perform consistent configuration on all routers running RIP to avoid
unnecessary network traffic and network route oscillation.
Table 192 Configuring RIP timer
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Assign a value to each timer: timers { garbage-collect garbage-collect-value | suppress suppress-value | timeout timeout-value | update update-value } (Optional; by default, 30s for the update timer, 180s for the timeout timer, 180s for the suppress timer, 240s for the garbage-collect timer)
Configuring split horizon and poison reverse
Follow these steps to configure split horizon and poison reverse:
Configuring RIP updating message validation
Follow these steps to configure RIP updating message check
Some fields in RIP-1 messages must be zero; they are called zero fields. A RIP-1
message is not processed if the value in a zero field is not zero. As RIP-2 packets
have no zero fields, this configuration has no effect on RIP-2.
The RIP router checks the source address when receiving messages. For messages
received on an Ethernet interface, if the source address and the router's interface
address are not in the same network, the router discards the message.
Disable the source address validation when RIP is not running on the neighboring
routers.
Configuring RIP-2 message authentication
RIP-2 supports two authentication modes: plain text and MD5.
In plain text authentication, the authentication information (the password) is sent in
the clear with the RIP message, so it cannot provide a high security guarantee.
Follow these steps to configure RIP-2 message authentication
Table 193 Configuring split horizon and poison reverse
Operation: Command (Description)
Enter system view: system-view
Enter interface view: interface interface-type interface-number
Enable split horizon: rip split-horizon (If both are enabled, routers only use poison reverse)
Enable poison reverse: rip poison-reverse (If both are enabled, routers only use poison reverse)
Table 194 Configuring RIP updating message validation
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Configure zero field check for RIP-1 messages: checkzero (Optional; enabled by default)
Configure source address validation: validate-source-address (Optional; enabled by default)
Configuring RIP peer
Follow these steps to configure RIP peer:
Displaying and Maintaining RIP
Table 195 Configuring RIP-2 message authentication
Operation: Command (Description)
Enter system view: system-view
Enter interface view: interface interface-type interface-number
Configure RIP-2 authentication mode: rip authentication-mode { simple password | md5 { rfc2082 password key-id | rfc2453 password } } (If the authentication mode is MD5, you must specify the message type defined in either RFC 2453 or RFC 2082.)
Table 196 Configuring RIP peer
Operation: Command (Description)
Enter system view: system-view
Enter RIP view: rip [ process-id ]
Configure RIP peer: peer ip-address (Required; usually, RIP broadcasts or multicasts messages)
Disable source address validation: undo validate-source-address (Required if the neighboring routers defined by the peer command are not directly connected to the local router; enabled by default)
Table 197 Displaying and Maintaining RIP
Operation: Command (Description)
Display RIP current status and configuration information: display rip [ process-id | (Available in any view)
Display RIP database: display rip process-id database (Available in any view)
Display RIP interface information: display rip process-id interface [ interface-type interface-number ] (Available in any view)
Display active and inactive RIP routes: display rip process-id route (Available in any view)
Display RIP routing table: display rip process-id route [ statistics | ip-address mask | peer ip-address ] (Available in any view)
Clear statistic data maintained by certain RIP processes: reset rip process-id statistics (Available in user view)
RIP Configuration Example
Configuring RIP Version
Network requirements
As shown in Figure 78, enable RIP-2 on all interfaces on Switch A and Switch B.
Network diagram
Figure 78 Network diagram for RIP configuration
Configuration procedure
1 Configure IP address for each interface (only the VLAN configuration procedures are
given in the following examples)
a Configure Switch A.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port access vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 192.168.1.1 24
b Configure Switch B.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] quit
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port access vlan 100
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address 192.168.1.2 24
2 Configure basic RIP function
a Configure Switch A.
<SwitchA> system-view
[SwitchA] rip
[SwitchA-rip-1] network 192.168.1.0
[SwitchA-rip-1] network 172.16.0.0
[SwitchA-rip-1] network 172.17.0.0
b Configure Switch B.
<SwitchB> system-view
[SwitchB] rip
[SwitchB-rip-1] network 192.168.1.0
[SwitchB-rip-1] network 10.0.0.0
[Figure 78, recovered from the original diagram: Switch A (Vlan-interface100 192.168.1.1/24, Loopback0 172.16.1.1, Loopback1 172.17.1.1) is connected via GE 1/0/1 to Switch B (Vlan-interface100 192.168.1.2/24, Loopback0 10.1.1.1, Loopback1 10.2.1.1); the extracted diagram shows the loopback masks as both /24 and /32]
c Display routing table of Switch A.
<SwitchA> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------
Peer 192.168.1.2 on Vlan-interface100
Destination/Mask    Nexthop        Cost   Tag   Flags   Sec
10.0.0.0/8          192.168.1.2    1      0     RA      15
From the routing table, you can see that RIP-1 uses the natural mask.
3 Configure RIP version
a Configure RIP-2 of Switch A.
<SwitchA> system-view
[SwitchA] rip
[SwitchA-rip-1] version 2
b Configure RIP-2 on Switch B.
<SwitchB> system-view
[SwitchB] rip
[SwitchB-rip-1] version 2
[SwitchB-rip-1] undo summary
c Display routing table on Switch A.
<SwitchA> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------
Peer 192.168.1.2 on Vlan-interface100
Destination/Mask    Nexthop        Cost   Tag   Flags   Sec
10.2.1.0/24         192.168.1.2    1      0     RA      15
10.1.1.0/24         192.168.1.2    1      0     RA      15
From the routing table, you can see that RIP-2 uses classless subnet masks.
Because routing information ages slowly, RIP-1 routing information can remain in the
routing table for a while after RIP-2 is configured.
Troubleshooting RIP Configuration
Symptom 1
The device cannot receive any RIP update messages although all connections are alive.
Analysis
After enabling RIP, make sure you use the network command to enable the corresponding
interfaces. If the interface behavior is configured, make sure you do not disable the
interface or forbid receiving and forwarding RIP messages.
If RIP messages are multicast on the other end of the link, multicast should be used on
the local router as well.
Solution
Use the display current-configuration command to check the RIP configuration.
Use the display rip command to check that the interface is enabled.
Symptom 2
With all connections alive, route flapping happens, which means that sometimes some
routes cannot be seen in the routing table.
Analysis
In the RIP network, make sure all timers within the whole network are set consistently
with each other. For example, the timeout value should be greater than the update value.
Solution
Use the display rip command to check the configuration of the RIP timers.
Use the timers command to adjust timers where appropriate.
27 ROUTING POLICY CONFIGURATION
A routing policy is used on the router for route inspection, filtering and attribute
modification when routes are received, advertised, or redistributed.
When configuring routing policy, go to these sections for information you are interested
in:
Introduction to Routing Policy
Defining Filtering Lists
Configuring a Routing Policy
Displaying and Maintaining the Routing Policy
Routing Policy Configuration Example (on routers)
Routing Policy Configuration Example (on switches)
Troubleshooting Routing Policy Configuration
The term router in this document refers to a router in a generic sense or a Layer 3 switch.
To improve readability, this will not be described in the present manual again.
Introduction to Routing Policy
Routing Policy and Policy Routing
A routing policy changes the paths that network traffic takes by modifying route
attributes (including reachability).
Policy routing, by contrast, is used to direct packet forwarding directly.
When distributing or receiving routing information, a router can apply a policy to filter
it: for example, the router handles only routing information that matches certain rules,
or a routing protocol redistributes from other protocols only the routes that match
certain rules and modifies some of their attributes to suit its needs.
To implement a routing policy, first define the features of the routing information,
namely a set of matching rules. You can define them according to attributes of the
routing information, such as the destination address or the advertising router's address.
The matching rules can be set beforehand and then applied to a routing policy for route
distribution, reception and redistribution.
Filters
Routing protocols can use three filters: ACL, IP prefix list and route policy.
ACL
When defining an ACL, you can specify IP addresses and subnet segments for matching
destinations or next hops of routing information.
For ACL configuration, refer to IPv4 ACL Configuration.
IP prefix list
IP-prefix list plays a role similar to ACL, but it is more flexible than ACL and easier to
understand. When IP-prefix list is applied for routing information filtering, its matching
object is the destination address information field of routing information. Moreover, you
can specify the gateway option to specify that only routing information advertised by
certain routers will be received.
An IP-prefix list is identified by the IP-prefix list name. Each IP-prefix list can comprise
multiple items, and each item, which is identified by an index number, can specify a
matching range in network prefix format. The index number indicates the matching
sequence in the IP-prefix list.
During matching, a router checks list items identified by index number in ascending
order. If an item is matched, the IP-prefix list filtering is passed, without the need of
matching the next item.
Routing policy
A routing policy is used for matching some attributes in given routing information and
modifying the attributes of the information if matching conditions are satisfied. A
routing policy can utilize the above filters to define its own matching rules.
A routing policy can comprise multiple nodes, which are in logic OR relationship. Each
node is a matching unit, and the system checks nodes in the order of node sequence
number. Once the matching test of a node is passed, the route-policy is passed without
needing to match other nodes.
Each node comprises a set of if-match and apply clauses. The if-match clauses define
the matching rules; the matching objects are attributes of routing information. The
if-match clauses on the same node are in logic AND relationship: routing information
passes the matching test of the node only when the conditions specified by all its
if-match clauses are satisfied. The apply clauses specify the actions performed once the
node's matching test is passed, namely the attribute settings for the routing
information.
Routing Policy Application
Routing policy applies in two ways:
When redistributing routes from other routing protocols, a routing protocol
redistributes only routes matching rules defined in a routing policy.
When receiving or advertising routing information, a routing protocol uses a routing
policy to filter routing information.
Defining Filtering Lists
Configuration Prerequisites
Before configuring this task, prepare the following data:
IP-prefix list name
Matching address range
Defining IPv4 Prefix List
Identified by name, each IPv4 prefix list can comprise multiple items. Each item specifies a
matching address range in the form of a network prefix and is identified by an index
number. For example, the following IPv4 prefix list is named abcd:
ip ip-prefix abcd index 10 permit 1.0.0.0 8
ip ip-prefix abcd index 20 permit 2.0.0.0 8
During matching, the system checks list items identified by index number in the
ascending order. If one item matched, IP-prefix list filtering is passed, without needing to
match other items.
To define an IPv4 prefix list, use the following commands:
If all items are set to the deny mode, no route can pass the IPv4 prefix list. In order to
allow other IPv4 routing information to pass, define the permit 0.0.0.0 0 less-equal 32
item following multiple deny mode items.
If more than one ip-prefix item is defined, the match mode of at least one item should be
the permit mode.
Configuring a Routing Policy
A routing policy is used to match attributes in given routing information and to modify
some attributes of the routing information once the rules are satisfied. Matching rules
can be configured using the filters mentioned above.
A routing policy can comprise multiple nodes, each node contains:
if-match clauses: define the matching rules that routing information must satisfy. The
matching objects are attributes of the routing information.
apply clauses: specify the actions performed after the matching rules are satisfied,
namely the attribute settings for the routing information that passed.
Table 198 Defining IPv4 Prefix List
Operation: Enter system view
  Command: system-view
Operation: Define an IPv4 prefix list
  Command: ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny }
           network-address len [ greater-equal greater-equal | less-equal less-equal ]
  Description: Required. Not defined by default.
288 CHAPTER 27: ROUTING POLICY CONFIGURATION
Configuration Prerequisites
Before configuring this task, you have completed:
Filtering list configuration
Routing protocol configuration
You also need to decide on:
Name of routing policy, node sequence numbers
Matching rules
Attributes to be modified
Creating a Routing Policy
To create a routing policy, use the following commands:
If a node is specified as permit mode using permit, routing information meeting the
node's conditions is handled using the apply clauses of this node, without needing to
match the next node. If routing information does not meet the node's conditions, it goes
to the next node for matching.
If a node is specified as deny mode using deny, the apply clauses of the node are not
executed. When routing information meets all if-match clauses, it can neither pass the
node nor go to the next node. If routing information does not meet some if-match
clause of the node, it goes to the next node for matching.
When a routing policy is defined with more than one node, at least one node should be
configured using the permit keyword. If the routing policy is applied for filtering
routing information, routing information that does not meet any node's conditions
cannot pass the routing policy. If all nodes of the routing policy are set using the deny
keyword, no routing information can pass it.
Table 199 Creating a Routing Policy
Operation: Enter system view
  Command: system-view
Operation: Create a routing policy and enter its view
  Command: route-policy route-policy-name { permit | deny } node node-number
  Description: Required. Not created by default.
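As an added example (not switch code), the following Python models the matching rules described above for IPv4 prefix lists (ascending index order, first match decides, permit/deny, greater-equal/less-equal) and for route-policy nodes (ANDed if-match clauses, permit/deny node semantics, trailing implicit deny), using a constructed policy with the same intent as this chapter's redistribution example; the exact mask-length window opened by greater-equal/less-equal is assumed from Comware behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Route = Dict[str, object]  # constructed route record: prefix, cost, tag

@dataclass
class PrefixItem:
    """One 'ip ip-prefix <name> index <n> permit|deny <net> <len> [...]' item."""
    index: int
    permit: bool
    network: str
    length: int
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, prefix: str) -> bool:
        route = ipaddress.ip_network(prefix, strict=False)
        base = ipaddress.ip_network(f"{self.network}/{self.length}", strict=False)
        # Mask-length window: exactly len unless widened. greater-equal sets the
        # lower bound (upper bound 32 when less-equal is absent); less-equal sets
        # the upper bound. Assumed Comware semantics, consistent with the text's
        # 'permit 0.0.0.0 0 less-equal 32' catch-all item.
        low = self.greater_equal if self.greater_equal is not None else self.length
        if self.less_equal is not None:
            high = self.less_equal
        else:
            high = 32 if self.greater_equal is not None else self.length
        return route.subnet_of(base) and low <= route.prefixlen <= high

def prefix_list_permits(items: List[PrefixItem], prefix: str) -> bool:
    """Check items in ascending index order; the first match decides. A route
    matching no item is denied, hence the trailing permit item the text advises."""
    for item in sorted(items, key=lambda i: i.index):
        if item.matches(prefix):
            return item.permit
    return False

@dataclass
class Node:
    """One 'route-policy <name> permit|deny node <n>' with its clauses."""
    number: int
    permit: bool
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)
    apply: List[Callable[[Route], None]] = field(default_factory=list)

def route_policy(nodes: List[Node], route: Route) -> Tuple[bool, Route]:
    """Node semantics from the text: if-match clauses are ANDed (none matches
    all); a matching permit node runs its apply clauses and passes the route;
    a matching deny node rejects it; otherwise the next node is tried; a route
    that matches no node is rejected."""
    result = dict(route)
    for node in sorted(nodes, key=lambda n: n.number):
        if all(clause(result) for clause in node.if_match):
            if not node.permit:
                return False, dict(route)
            for action in node.apply:
                action(result)
            return True, result
    return False, dict(route)

def if_match_ip_prefix(items: List[PrefixItem]) -> Callable[[Route], bool]:
    return lambda r: prefix_list_permits(items, str(r["prefix"]))

def if_match_cost(value: int) -> Callable[[Route], bool]:
    return lambda r: r["cost"] == value

def apply_cost(value: int, op: Optional[str] = None) -> Callable[[Route], None]:
    """apply cost [ + | - ] value: no op sets the cost, '+' adds, '-' subtracts."""
    def action(r: Route) -> None:
        cost = int(r["cost"])
        r["cost"] = cost + value if op == "+" else cost - value if op == "-" else value
    return action

def apply_tag(value: int) -> Callable[[Route], None]:
    def action(r: Route) -> None:
        r["tag"] = value
    return action

# Constructed policy with the intent of the chapter's example (keep the
# 20.0.0.0/8 and 40.0.0.0/8 statics, drop 30.0.0.0/8), using a prefix list in
# place of ACL 2000 and adding a trailing deny node.
ABCD = [PrefixItem(10, False, "30.0.0.0", 8),
        PrefixItem(20, True, "0.0.0.0", 0, less_equal=32)]
POLICY = [Node(10, True, [if_match_ip_prefix(ABCD)], [apply_tag(100), apply_cost(1, "+")]),
          Node(20, False)]

def redistribute(routes: List[Route]) -> List[Tuple[bool, Route]]:
    return [route_policy(POLICY, r) for r in routes]

if __name__ == "__main__":
    statics = [{"prefix": f"{n}.0.0.0/8", "cost": 0, "tag": 0} for n in (20, 30, 40)]
    for passed, r in redistribute(statics):
        print("pass" if passed else "drop", r)
```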
Defining if-match Clauses for the Routing Policy
To define if-match clauses for a route-policy, use the following commands:
The if-match clauses of a route-policy are in a logical AND relationship, that is, routing
information has to satisfy all if-match clauses before the apply clauses are executed on it.
If no if-match clause is specified, all routing information can pass the node.
You can specify no if-match clause or multiple if-match clauses for a node.
Defining apply Clauses for the Routing Policy
To define apply clauses for a route-policy, use the following commands:
Table 200 Defining if-match Clauses for the Routing Policy
Operation: Enter system view
  Command: system-view
Operation: Create a routing policy and enter its view
  Command: route-policy route-policy-name { permit | deny } node node-number
  Description: Required. Not created by default.
Operation: Match route cost of routing information
  Command: if-match cost value
  Description: Optional. Not configured by default.
Operation: Match outbound interface of routing information
  Command: if-match interface { interface-type interface-number }
  Description: Optional. Not configured by default.
Operation: Define if-match clauses to match IPv4 routing information
           (source/destination address, next hop)
  Command: if-match ip { next-hop | route-source } { acl acl-number | ip-prefix ip-prefix-name }
  Description: Optional. Not configured by default.
Operation: Match the tag of RIP route
  Command: if-match tag value
  Description: Optional. Not configured by default.
Table 201 Defining apply Clauses for the Routing Policy
Operation: Enter system view
  Command: system-view
Operation: Create a routing policy and enter its view
  Command: route-policy route-policy-name { permit | deny } node node-number
  Description: Required. Not created by default.
Operation: Set the cost of routing information
  Command: apply cost [ + | - ] value
  Description: Optional. Not set by default.
Operation: Set the next hop for IPv4 routing information
  Command: apply ip-address next-hop ip-address
  Description: Optional. Not set by default. The next hop set using the apply ip-address
               next-hop command does not take effect for route redistribution.
Operation: Set routing protocol preference
  Command: apply preference preference
  Description: Optional. Not set by default.
Operation: Set the tag field of routing information
  Command: apply tag value
  Description: Optional.
Displaying and Maintaining the Routing Policy
Routing Policy Configuration Example
Applying Routing Policy When Redistributing IPv4 Routes
Network Requirements
Switch A and Switch B communicate with each other, both using RIP.
Configure a RIP process and static routes on Switch A.
Apply a routing policy when redistributing the static routes, so that routes in
20.0.0.0/8 and 40.0.0.0/8 are redistributed and routes in 30.0.0.0/8 are filtered out.
Display RIP routing table information on Switch B to verify the configuration.
Network diagram
Figure 79 Network diagram for routing policy application to route redistribution
Configuration procedure
1 Configure Switch A.
a Configure IP addresses for interfaces.
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.0.0.1 255.0.0.0
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 200
[SwitchA-Vlan-interface200] ip address 12.0.0.1 255.0.0.0
[SwitchA-Vlan-interface200] quit
b Configure three static routes.
[SwitchA] ip route-static 20.0.0.1 255.0.0.0 12.0.0.2
[SwitchA] ip route-static 30.0.0.1 255.0.0.0 12.0.0.2
[SwitchA] ip route-static 40.0.0.1 255.0.0.0 12.0.0.2
Table 202 Displaying and Maintaining the Routing Policy
Operation: Display IPv4 prefix list statistics
  Command: display ip ip-prefix [ ip-prefix-name ]
  Description: Available in all views
Operation: Display routing policy information
  Command: display route-policy [ route-policy-name ]
  Description: Available in all views
Operation: Clear IPv4 prefix list statistics
  Command: reset ip ip-prefix [ ip-prefix-name ]
  Description: Available in user view
Figure 79 (diagram residue): Switch A has Vlan-interface100 10.0.0.1/8 and
Vlan-interface200 12.0.0.1/8, with static routes 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8;
Switch B has Vlan-interface100 10.0.0.2/8.
c Enable RIP.
[SwitchA] rip
[SwitchA-rip-1] network 10.0.0.0
[SwitchA-rip-1] quit
d Configure an ACL.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule permit source any
[SwitchA-acl-basic-2000] quit
e Configure a routing policy.
[SwitchA] route-policy rip permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] quit
f Apply the routing policy for static route redistribution.
[SwitchA] rip
[SwitchA-rip-1] import-route static route-policy rip
2 Configure Switch B.
a Configure IP addresses for interfaces.
<SwitchB> system-view
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address 10.0.0.2 255.0.0.0
[SwitchB-Vlan-interface100] quit
b Enable RIP.
[SwitchB] rip
[SwitchB-rip-1] network 10.0.0.0
c Display RIP routing table information to verify the configuration on Switch B.
<SwitchB> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 10.0.0.1 on Vlan-interface100
Destination/Mask    Nexthop     Cost   Tag   Flags   Sec
40.0.0.0/8          10.0.0.1    1      0     RA      29
20.0.0.0/8          10.0.0.1    1      0     RA      29
Troubleshooting Routing Policy Configuration
IPv4 Routing Information Filtering Failed
Symptom
Filtering of routing information fails, while the routing protocol runs normally.
Analysis
At least one item of the IP prefix list should be configured as permit mode, and at least
one node in the Route-policy should be configured as permit mode.
Processing procedure
1 Use the display ip ip-prefix command to display IP prefix list.
2 Use the display route-policy command to display route policy information.
28 802.1X CONFIGURATION
The 802.1x protocol was proposed by IEEE802 LAN/WAN committee for security
problems on wireless LANs (WLAN). Currently, it is used on Ethernet as a common port
access control mechanism.
When configuring 802.1x, use the following table to find the information you need:
802.1x Overview
802.1x is a port-based access control protocol. It authenticates and controls accessing
devices at the level of port. A device connecting to an 802.1x-enabled port of an access
device can access the resources behind only after passing authentication. A user failing
the authentication is physically disconnected.
To get more information about 802.1x, go to these topics:
Architecture of 802.1x
Operation of 802.1x
EAP Encapsulation over LANs
EAP Encapsulation over RADIUS
Authentication Process of 802.1x
802.1x Timers
Implementation of 802.1x
Features Working Together with 802.1x
Table 203 Information
If you need to: Get familiar with the basic concepts involved in 802.1x, its architecture,
                how it operates, and how it authenticates users
  Go to: 802.1x Overview
If you need to: Know how to configure 802.1x
  Go to: Configuring 802.1x
If you need to: Consult the display commands available for verifying 802.1x configuration
  Go to: Displaying and Maintaining 802.1x
If you need to: See how to configure 802.1x in typical scenarios
  Go to: 802.1x Configuration Example
294 CHAPTER 28: 802.1X CONFIGURATION
Architecture of 802.1x
802.1x operates in the typical client/server model and defines three entities: supplicant
system, authenticator system, and authentication server system, as shown in Figure 80.
Figure 80 Architecture of 802.1x
Supplicant system: A system at one end of the LAN segment, which is authenticated
by the system at the other end. A supplicant system is usually a user-end device and
initiates 802.1x authentication through 802.1x client software supporting the EAP
over LANs (EAPOL) protocol.
Authenticator system: A system at one end of the LAN segment, which authenticates
the system at the other end. An authenticator system is usually an 802.1x-enabled
network device and provides ports (physical or logical) for supplicants to access the
LAN.
Authentication server system: The system providing authentication, authorization,
and accounting services for the authenticator system.
The above systems involve three basic concepts: PAE, controlled port, control direction.
PAE
Port access entity (PAE) refers to the entity on a given port of a device that performs the
802.1x algorithm and protocol operations. The authenticator PAE uses the
authentication server to authenticate the supplicant trying to access the LAN and
controls the status of the controlled port (authorized or unauthorized) according to the
authentication result. The supplicant PAE responds to the authentication request of the
authenticator PAE and provides authentication information. The supplicant PAE can also
send authentication requests and logoff requests to the authenticator.
Controlled port
An authenticator provides ports for supplicants to access the LAN. Each of the ports can
be regarded as two virtual ports: a controlled port and an uncontrolled port.
The uncontrolled port is always open in both the inbound and outbound directions to
allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always
send or receive authentication frames.
The controlled port is open to allow normal traffic to pass only when it is in the
authorized state.
The controlled port and uncontrolled port are two parts of the same port. Any frames
arriving at the port are visible to both of them.
Figure 80 (diagram residue): the supplicant system with its supplicant PAE; the
authenticator system with its authenticator PAE, a controlled port (shown port
unauthorized), an uncontrolled port and the services offered by the authenticator system;
the authentication server system with its authentication server; all attached to the
LAN/WLAN.
Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the
supplicant or just the traffic from the supplicant. Currently, devices support only denying
the traffic from the supplicant.
Operation of 802.1x
The 802.1x authentication system employs the extensible authentication protocol (EAP)
to support authentication information exchange between the supplicant PAE,
authenticator PAE, and authentication server.
Figure 81 Operation of 802.1x
Between the supplicant PAE and authenticator PAE, EAP protocol packets are
encapsulated using EAPOL and transferred over LANs.
Between the authenticator PAE and authentication server, EAP protocol packets can
be encapsulated using the EAP attributes of RADIUS and then relayed to the RADIUS
server, or terminated at the authenticator PAE, repackaged in the PAP or CHAP
attributes of RADIUS, and then transferred to the RADIUS server. The former is
referred to as EAP relay mode, and the latter as EAP termination mode.
The authentication server is usually a RADIUS server. It maintains information about
users, such as the account, password, VLAN to which the user belongs, CAR
parameters, priority level, and ACL.
After a user passes the authentication, the authentication server passes information
about the user to the authenticator, which controls the status of the controlled port
according to the instruction of the authentication server.
EAP Encapsulation over LANs
EAPOL frame format
EAPOL, defined by 802.1x, is intended to carry EAP protocol packets between
supplicants and authenticators over LANs. Figure 82 shows the EAPOL frame format.
Figure 82 EAPOL frame format
PAE Ethernet Type: Protocol type. It takes the value 0x888E.
Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.
Type: Type of the packet. The following types are defined:
EAP-Packet (a value of 0x00), frame for carrying authentication information.
EAPOL-Start (a value of 0x01), frame for initiating authentication.
EAPOL-Logoff (a value of 0x02), frame for logoff request.
EAPOL-Key (a value of 0x03), frame for carrying key information.
Figure 81 (diagram residue): Supplicant PAE <-EAPOL-> Authenticator PAE <-RADIUS->
Authentication server.
Figure 82 (diagram residue): bytes 0-1 PAE Ethernet type, byte 2 Protocol version, byte 3
Type, bytes 4-5 Length, bytes 6 to N Packet body.
EAPOL-Encapsulated-ASF-Alert (a value of 0x04), frame for carrying alerting
information conforming to Alert Standard Forum (ASF).
Length: Length of the data, that is, length of the Packet body field, in bytes. If the value
of this field is 0, no subsequent data field is present.
Packet body: The format of this field varies with the value of the Type field.
A frame with a type of EAPOL-Start, EAPOL-Logoff, or EAPOL-Key exists between a
supplicant and an authenticator. A frame with a type of EAP-Packet is repackaged and
transferred over RADIUS to get through complex networks to reach the authentication
server. A frame with a type of EAPOL-Encapsulated-ASF-Alert encapsulates network
management-related information (for example, various warning messages) and is
terminated at the authenticator.
EAP packet format
An EAPOL frame with a type of EAP-Packet carries an EAP packet in its Packet body field.
The structure of the EAP packet is shown in Figure 83.
Figure 83 EAP packet format
Code: Type of the EAP packet, which can be Request, Response, Success, or Failure.
Identifier: Allows matching of responses with requests.
Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields.
Data: This field is zero or more bytes and its format is determined by the Code field.
An EAP packet of the type of Success or Failure has no Data field, and has a length of 4.
An EAP packet of the type of Request or Response is in the format shown in Figure 84.
Figure 84 Format of the EAP request/response packet
Type: EAP authentication type. A value of 1 represents Identity, indicating that the packet
is for querying the identity of the supplicant. A value of 4 represents MD5-Challenge,
which corresponds closely to the PPP CHAP protocol.
EAP Encapsulation over RADIUS
Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message
and Message-Authenticator. For information about the RADIUS packet format, refer to the
RADIUS overview section in the AAA, RADIUS, and TACACS+ Configuration chapter.
EAP-Message
The EAP-Message attribute is used to encapsulate EAP packets. Figure 85 shows its
encapsulation format. The value of the Type field is 79. The String field can be up to 253
bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and encapsulated
into multiple EAP-Message attributes.
Figure 83 (diagram residue): byte 0 Code, byte 1 Identifier, bytes 2-3 Length, bytes 4 to
N Data.
Figure 84 (diagram residue): the Data field of a Request/Response packet holds a Type byte
followed by Type data.
Figure 85 Encapsulation format of the EAP-Message attribute
Message-Authenticator
The Message-Authenticator attribute is used to prevent access requests from being
snooped during EAP authentication. It must be included in any packet with the
EAP-Message attribute; otherwise, the packet will be considered invalid and get
discarded. Figure 86 shows the encapsulation format of the Message-Authenticator
attribute.
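The following Python parser and builder for the EAPOL frame, EAP packet and RADIUS EAP-Message/Message-Authenticator layouts described above is an added example, not 3Com code; the offsets and values it uses (0x888E, EAPOL types 0 to 4, EAP codes 1 to 4, attribute types 79 and 80, the 253-byte String limit, Length 18) are those the text gives, and the sample frame is constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
RADIUS_EAP_MESSAGE = 79           # Type of the EAP-Message attribute
RADIUS_MESSAGE_AUTHENTICATOR = 80  # Type of the Message-Authenticator attribute
EAP_MESSAGE_MAX_STRING = 253      # String field limit per EAP-Message attribute

@dataclass
class EapolFrame:
    version: int
    eapol_type: int
    body: bytes

@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]  # only Request/Response carry a Type byte
    type_data: bytes

def parse_eapol(frame: bytes) -> EapolFrame:
    """PAE Ethernet type (2) | Protocol version (1) | Type (1) | Length (2) | Packet body."""
    if len(frame) < 6:
        raise ValueError("EAPOL frame shorter than its 6-byte header")
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[:6])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype {ethertype:#06x}")
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {eapol_type}")
    if len(frame) < 6 + length:
        raise ValueError("Length field claims more body bytes than were received")
    # Length 0 means no Packet body, as for EAPOL-Start and EAPOL-Logoff.
    return EapolFrame(version, eapol_type, frame[6:6 + length])

def parse_eap(data: bytes) -> EapPacket:
    """Code (1) | Identifier (1) | Length (2, covers the whole packet) | Data."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than 4 bytes")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(data):
        raise ValueError("EAP Length inconsistent with the bytes received")
    if code in (3, 4):  # Success/Failure: no Data field, length exactly 4
        if length != 4:
            raise ValueError("Success/Failure must have Length 4")
        return EapPacket(code, identifier, None, b"")
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    return EapPacket(code, identifier, data[4], data[5:length])

def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def build_eapol(eapol_type: int, body: bytes = b"", version: int = 1) -> bytes:
    return struct.pack("!HBBH", EAPOL_ETHERTYPE, version, eapol_type, len(body)) + body

def eap_message_attributes(eap_packet: bytes) -> List[bytes]:
    """Fragment an EAP packet into RADIUS EAP-Message attributes (Type 79) whose
    String field is at most 253 bytes, so Type + Length + String fits in 255."""
    attrs = []
    for off in range(0, len(eap_packet), EAP_MESSAGE_MAX_STRING):
        chunk = eap_packet[off:off + EAP_MESSAGE_MAX_STRING]
        attrs.append(bytes([RADIUS_EAP_MESSAGE, 2 + len(chunk)]) + chunk)
    return attrs

def reassemble_eap_message(attrs: List[bytes]) -> bytes:
    """Join the String fields of consecutive EAP-Message attributes."""
    for a in attrs:
        if len(a) < 2 or a[0] != RADIUS_EAP_MESSAGE or a[1] != len(a):
            raise ValueError("malformed EAP-Message attribute")
    return b"".join(a[2:] for a in attrs)

def message_authenticator_present(attrs: List[bytes]) -> bool:
    """A packet carrying EAP-Message must also carry Message-Authenticator
    (Type 80, Length 18) or it is to be discarded."""
    has_eap = any(a[0] == RADIUS_EAP_MESSAGE for a in attrs)
    has_ma = any(a[0] == RADIUS_MESSAGE_AUTHENTICATOR and a[1] == 18 for a in attrs)
    return has_ma or not has_eap

# Constructed sample: an EAP-Request/Identity (Code 1, Identifier 7, Type 1)
# inside an EAPOL EAP-Packet frame, as the authenticator sends it.
SAMPLE_REQUEST_IDENTITY = build_eapol(0, build_eap(1, 7, 1))
```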
Figure 86 Encapsulation format of the Message-Authenticator attribute
Authentication Process of 802.1x
802.1x authentication can be initiated by either a user or the authenticator system. A
user initiates authentication by launching the 802.1x client software to send an
EAPOL-Start frame to the authenticator system, while the authenticator system sends an
EAP-Request/Identity frame to an unauthenticated user when it detects that the user is
trying to log in. An 802.1x authenticator system communicates with a remotely located
RADIUS server in two modes: EAP relay and EAP termination. The following description
takes the first case as an example to show the 802.1x authentication process.
EAP relay
EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in a
high layer protocol, such as RADIUS, so that they can go through complex networks and
reach the authentication server. Generally, EAP relay requires that the RADIUS server
support the EAP attributes of EAP-Message and Message-Authenticator. See Figure 87
for the message exchange procedure.
Figure 85 (diagram residue): byte 0 Type (79), byte 1 Length, bytes 2 onward String
carrying the EAP packet.
Figure 86 (diagram residue): byte 0 Type=80, byte 1 Length=18, bytes 2 to 17 String;
18 bytes in total.
Figure 87 Message exchange in EAP relay mode
3 When a user launches the 802.1x client software and enters the registered username and
password, the 802.1x client software generates an EAPOL-Start frame and sends it to the
authenticator to initiate an authentication process.
4 Upon receiving the EAPOL-Start frame, the authenticator responds with an
EAP-Request/Identity packet for the identity of the supplicant.
5 When the supplicant receives the EAP-Request/Identity packet, it encapsulates the
identity information in an EAP-Response/Identity packet and sends the packet to the
authenticator.
6 Upon receiving the EAP-Response/Identity packet, the authenticator relays the packet in
a RADIUS Access-Request packet to the authentication server.
7 When receiving the RADIUS Access-Request packet, the authentication server compares
the identity information against its user information table to obtain the corresponding
password information. Then, it encrypts the password information using a randomly
generated challenge, and sends the challenge information through a RADIUS
Access-Challenge packet to the authenticator.
8 After receiving the RADIUS Access-Challenge packet, the authenticator relays the
contained EAP-Request/MD5 Challenge packet to the supplicant.
9 When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the offered
challenge to encrypt the password part (this process is not reversible), creates an
EAP-Response/MD5 Challenge packet, and then sends the packet to the authenticator.
Figure 87 (diagram residue): Supplicant PAE <-EAPOL-> Authenticator PAE <-EAPOR-> RADIUS
server. Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity;
RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge
(EAP-Request/MD5 Challenge); EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge;
RADIUS Access-Request (EAP-Response/MD5 Challenge); RADIUS Access-Accept (EAP-Success);
EAP-Success; port authorized. When the handshake timer expires: handshake request
[EAP-Request/Identity], handshake response [EAP-Response/Identity]; ...; EAPOL-Logoff;
port unauthorized.
10 After receiving the EAP-Response/MD5 Challenge packet, the authenticator relays the
packet in a RADIUS Access-Request packet to the authentication server.
11 When receiving the RADIUS Access-Request packet, the authentication server compares
the password information encapsulated in the packet with that generated by itself. If the
two are identical, the authentication server considers the user valid and sends to the
supplicant a RADIUS Access-Accept packet, instructing the authenticator to open the
port to permit the access request of the supplicant.
12 After the supplicant gets online, the authenticator periodically sends
EAP-Request/Identity packets to the supplicant to check whether the supplicant is still
online. By default, if two consecutive handshake attempts end up with failure, the
authenticator concludes that the supplicant has gone offline and performs the necessary
operations, guaranteeing that the authenticator always knows when a supplicant goes
offline.
13 The supplicant can also send an EAPOL-Logoff frame to the authenticator to terminate
the authenticated status. In this case, the authenticator changes the status of the port
from authorized to unauthorized.
EAP termination
In EAP termination mode, EAP packets are terminated at the authenticator and then
repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS
server for authentication, authorization, and accounting. See Figure 88 for the message
exchange procedure.
Figure 88 Message exchange in EAP termination mode
Different from the authentication process in EAP relay mode, it is the authenticator that
generates the random challenge for encrypting the user password information in EAP
termination authentication process. Consequently, the authenticator sends the challenge
together with the username and encrypted password information from the supplicant to
the authentication server for authentication.
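An added simulation (not 3Com code) of the two exchanges just described, EAP relay and EAP termination, with the supplicant PAE, authenticator PAE and RADIUS server as Python objects passing message dicts, and the controlled port flipping to authorized on Access-Accept and back on EAPOL-Logoff. The MD5-Challenge computation as MD5(Identifier, password, challenge) is assumed from RFC 3748/RFC 1994, since the text only says the password is encrypted with the challenge; usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5/CHAP: MD5(Identifier || password || challenge). Assumed from
    RFC 3748 / RFC 1994; the text only says the password is 'encrypted' with
    the challenge. MD5 is used here for protocol fidelity, not for strength."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class Supplicant:
    """Supplicant PAE: answers Identity and MD5-Challenge requests."""
    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def handle(self, request: dict) -> Optional[dict]:
        if request["eap"] == "Request/Identity":
            return {"eap": "Response/Identity", "identifier": request["identifier"],
                    "username": self.username}
        if request["eap"] == "Request/MD5-Challenge":
            return {"eap": "Response/MD5-Challenge", "identifier": request["identifier"],
                    "response": md5_challenge_response(request["identifier"],
                                                       self.password, request["challenge"])}
        return None

class RadiusServer:
    """Holds the user table. In relay mode it generates the challenge itself
    (Access-Challenge); in termination mode it checks the CHAP attributes the
    authenticator built."""
    def __init__(self, users: Dict[str, bytes]):
        self.users = users
        self.pending: Dict[str, Tuple[int, bytes]] = {}

    def access_request(self, msg: dict) -> dict:
        user = msg["username"]
        if user not in self.users:
            return {"type": "Access-Reject"}
        if msg["eap"] == "Response/Identity":        # relay: steps 6-7
            ident, challenge = msg["identifier"] + 1, os.urandom(16)
            self.pending[user] = (ident, challenge)
            return {"type": "Access-Challenge", "eap": "Request/MD5-Challenge",
                    "identifier": ident, "challenge": challenge}
        if msg["eap"] == "Response/MD5-Challenge":   # relay: steps 10-11
            if user not in self.pending:
                return {"type": "Access-Reject"}
            ident, challenge = self.pending.pop(user)
        else:                                        # termination: CHAP attributes
            ident, challenge = msg["chap_ident"], msg["chap_challenge"]
        expected = md5_challenge_response(ident, self.users[user], challenge)
        ok = hmac.compare_digest(expected, msg["response"])
        return {"type": "Access-Accept" if ok else "Access-Reject"}

class Authenticator:
    """Authenticator PAE owning the controlled port; mode is 'relay' or 'termination'."""
    def __init__(self, server: RadiusServer, mode: str = "relay"):
        self.server, self.mode = server, mode
        self.port_authorized = False

    def authenticate(self, supplicant: Supplicant) -> bool:
        # EAPOL-Start is answered with EAP-Request/Identity (steps 3-5).
        ident = 1
        identity = supplicant.handle({"eap": "Request/Identity", "identifier": ident})
        username = identity["username"]
        if self.mode == "relay":
            reply = self.server.access_request({"username": username, **identity})
            if reply["type"] != "Access-Challenge":
                return self._set_port(False)
            # Step 8: relay the server's EAP-Request/MD5-Challenge unchanged.
            response = supplicant.handle(reply)
            reply = self.server.access_request({"username": username, **response})
        else:
            # Termination: the authenticator generates the challenge and forwards
            # username, challenge and response as CHAP attributes.
            challenge = os.urandom(16)
            response = supplicant.handle({"eap": "Request/MD5-Challenge",
                                          "identifier": ident + 1, "challenge": challenge})
            reply = self.server.access_request({"username": username, "eap": "CHAP",
                                                "chap_ident": ident + 1,
                                                "chap_challenge": challenge,
                                                "response": response["response"]})
        # Access-Accept carries EAP-Success: the controlled port becomes authorized.
        return self._set_port(reply["type"] == "Access-Accept")

    def logoff(self) -> None:
        """EAPOL-Logoff from the supplicant returns the port to unauthorized."""
        self._set_port(False)

    def _set_port(self, authorized: bool) -> bool:
        self.port_authorized = authorized
        return authorized
```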
802.1x Timers
Several timers are used in the 802.1x authentication process to guarantee that the
accessing users, the authenticators, and the RADIUS server interact with each other in a
reasonable manner. The following are the major 802.1x timers:
Identity request timeout timer (tx-period): Once an authenticator sends an
EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but
it receives no response from the supplicant, it retransmits the request.
Password request timeout timer (supp-timeout): Once an authenticator sends an
EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer
expires but it receives no response from the supplicant, it retransmits the request.
Authentication server timeout timer (server-timeout): Once an authenticator sends a
RADIUS Access-Request packet to the authentication server, it starts this timer. If this
timer expires but it receives no response from the server, it retransmits the request.
Handshake timer (handshake-period): After a supplicant passes authentication, the
authenticator sends to the supplicant handshake requests at this interval to check
whether the supplicant is online. If the authenticator receives no response after
sending the allowed maximum number of handshake requests, it considers that the
supplicant is offline.
Quiet timer (quiet-period): When a supplicant fails the authentication, the
authenticator refuses further authentication requests from the supplicant in this
period of time.
Figure 88 (diagram residue): Supplicant PAE <-EAPOL-> Authenticator PAE <-RADIUS-> RADIUS
server. Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity;
EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request
(CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; port
authorized. When the handshake timer expires: handshake request [EAP-Request/Identity],
handshake response [EAP-Response/Identity]; ...; EAPOL-Logoff; port unauthorized.
Implementation of 802.1x
Devices extend and optimize the mechanism that the 802.1x protocol specifies by:
Allowing multiple users to access network services through the same physical port.
Supporting two authentication methods: portbased and macbased. With the
portbased method, after the first user of a port passes authentication, all other users
of the port can access the network without authentication, and when the first user
goes offline, all other users get offline at the same time. With the macbased method,
each user of a port must be authenticated separately, and when an authenticated
user goes offline, no other users are affected.
These extensions can help improve network security and manageability dramatically.
Features Working Together with 802.1x
VLAN Assignment (Auto VLAN)
After an 802.1x supplicant passes authentication, the authentication server sends
authorization information to the authenticator. If the authorization information contains
VLAN authorization information, the authenticator adds the port connecting the
supplicant to the assigned VLAN. This neither changes nor affects the configurations of
the port. The only result is that the assigned VLAN takes precedence over the manually
configured one, that is, the assigned VLAN takes effect.
For information on how to configure CAMS or Windows 2000 Server for VLAN
assignment, refer to the configuration guides for CAMS or Windows 2000 server.
Auto VLAN requires three attributes to be returned by the RADIUS server to dynamically
assign VLAN(s) to a port as the user logs in.
Table 204 Auto VLAN
For the Switch 4500G, currently the VLAN assignment function is available only for the
ports whose link type is ACCESS.
GuestVlan
If you fail authentication for reasons such as having no proprietary authentication client
or an outdated client version, you are added to the GuestVlan. The GuestVlan is a default
VLAN that you can access without authentication. You can access the resources in the
VLAN, such as client download and upgrade. After installing or upgrading the
authentication client with these resources, you can carry out the authentication
procedure so as to access network resources.
Auto VLAN Return String: Tunnel-Medium-type
  Comment: 802
Auto VLAN Return String: Tunnel-Private-Group-ID
  Comment: 2 (VLAN value)
Auto VLAN Return String: Tunnel-Type
  Comment: VLAN
After 802.1x is enabled and GuestVlan is configured correctly, the switch sends the
authentication-triggering packet (EAP-Request/Identity) through a port. The port is
added to the GuestVlan when the switch has sent the authentication-triggering packet
(EAP-Request/Identity) the maximum number of times without receiving a response.
At this point, you initiate an authentication. If you fail the authentication, the port
stays in the GuestVlan. If you pass the authentication, there are two cases:
The authentication server delivers a VLAN. In this case, the port leaves the GuestVlan
and joins the delivered VLAN. After you go offline, the port returns to the configured
VLAN (the one the port was in before it joined the GuestVlan, that is, the original
VLAN).
The authentication server does not deliver a VLAN. In this case, the port leaves the
GuestVlan and joins the configured VLAN. After you go offline, the port remains in the
configured VLAN.
Configuring 802.1x
Except for enabling 802.1x globally or on ports, all other 802.1x configurations are
optional. You can perform these configurations as required. For specific parameters and
their meanings, see the 802.1x-HABP-MAC Authentication Command Manual.
Configuration Prerequisites
802.1x provides a user identity authentication scheme. However, 802.1x cannot
implement the authentication scheme solely by itself. RADIUS or local authentication
must be configured to work with 802.1x:
For remote RADIUS authentication, the username and password information must be
configured on the RADIUS server and the relevant configurations must be performed
on the authenticator.
For local authentication, the username and password information must be configured
on the authenticator and the service type must be set to lan-access.
For details about these configuration tasks, refer to AAA, RADIUS, and TACACS+
Configuration.
Configuration Procedure
Follow these steps to configure 802.1x:
Table 205 Configuration Procedure
To do: Enter system view
  Command: system-view
To do: Enable 802.1x globally
  Command: dot1x
  Remarks: Required. Disabled by default.
To do: Enable 802.1x for specified ports
  Command: dot1x interface interface-list
  Remarks: Required. Disabled by default. In Ethernet interface view, use:
           interface interface-type interface-number, then dot1x, then quit.
CAUTION:
802.1x must be enabled both globally in system view and definitely for the intended
ports in system view or Ethernet interface view. Otherwise, it does not function.
Some 802.1x timers are configurable. This makes sense in some special or extreme
network environments. Normally, leave the defaults unchanged.
With 802.1x enabled on a port, you cannot configure the maximum number of MAC
addresses that the port can learn (by using the mac-address max-mac-count
command), and vice versa.
802.1x-related configurations can all be performed in system view. Enable 802.1x
,Port access control mode, port access method, and the maximum number of
accessing users can also be configured in port view.
If you perform a configuration in system view and do not specify the interface-list
argument, the configuration applies to all ports. Configurations performed in
Set the port access control
mode for specified or all ports
dot1x port-control {
authorized-force | unauthorized-force |
auto } [ interface interface-list ]
Optional
auto by default
Set the port access control
method for specified or all
ports
dot1x port-method {
macbased | portbased } [
interface interface-list ]
Optional
macbased by default
Set the maximum number of
accessing users for specified or
all ports
dot1x max-user
user-number [ interface
interface-list ]
Optional
256 per port by default
Set the 802.1x authentication
method
dot1x
authentication-method {
chap | pap | eap }
Optional
CHAP by default
Set the maximum number of
attempts for sending
authentication requests to the
supplicant
dot1x retry
max-retry-value
Optional
2 by default
Set timers dot1x timer {
handshake-period
handshake-period-value |
quiet-period
quiet-period-value |
tx-period tx-period-value |
supp-timeout
supp-timeout-value |
server-timeout
server-timeout-value }
Optional
The defaults are as follows:
15 seconds for the
handshake timer,
60 seconds for the quiet
timer,
30 seconds for the identity
request timeout timer,
30 seconds for the password
request timeout timer,
100 seconds for the
authentication server
timeout timer.
Enable the quiet timer
dot1x quiet-period
Optional
Disabled by default
Enter Ethernet interface view interface interface-type
interface-num

Enable online user handshake


dot1x handshake
Optional
Enabled by default
Table 205 Configuration Procedure (continued)
To do Use the command Remarks
304 CHAPTER 28: 802.1X CONFIGURATION
Ethernet port view apply to the current Ethernet port only and the interface-list
argument is not needed in this case.
If EAP authentication is used for 802.1x users, the contents you enter on the client
will be directly sent to the server after encapsulation. In this case, the configuration
with the user-name-format command is invalid.
If the client is configured to include a version number, or you enter a username containing a blank character, you cannot search for or release user connections by username. However, you can search for or release user connections in other ways, such as by IP address or connection index.
If 802.1x is enabled on a port, the port cannot be added to an aggregation group. If a port has been added to an aggregation group, you cannot enable 802.1x on the port.
802.1x cannot block cluster handshake packets.
Currently, the 10GE ports of the Switch 4500G do not support 802.1x.
Configuring GuestVlan
Configuration Prerequisites
Enable 802.1x.
Configure the way of access control on the port as portbased.
Configure the mode of access control on the port as auto.
Configure the link type of the port as access.
A VLAN is already created, which will be configured as GuestVlan.
Configuring GuestVlan
Follow these steps to configure GuestVlan:
Figure 89 Configuring GuestVlan
Operation / Command / Remarks
Enter system view: system-view
Configure GuestVlan of the specified port: dot1x guest-vlan vlan-id [ interface interface-list ]. Required; by default, GuestVlan is not configured on the port.
Displaying and Maintaining 802.1x
Table 206 Displaying and Maintaining 802.1x
To do / Use the command / Remarks
Display 802.1x session information, statistics, or configuration information of specified or all ports: display dot1x [ sessions | statistics ] [ interface interface-list ]. Available in any view.
Clear 802.1x statistics: reset dot1x statistics [ interface interface-list ]. Available in user view.
802.1x Configuration Example
Network requirements
As shown in Figure 90, a host is connected to port GigabitEthernet1/0/1 on the
switch.
The access control method of macbased is required on the port to control accessing
users.
All AAA accessing users belong to the default domain aabbcc.net, which can accommodate up to 30 users. For authentication, RADIUS authentication is performed first, and local authentication is used when no response from the RADIUS server is received. For accounting, the user is logged off if RADIUS accounting fails. Whenever a user remains idle for over 20 minutes, tear down the connection.
A server group with two RADIUS servers is connected to the switch. The IP addresses
of the servers are 10.11.1.1 and 10.11.1.2 respectively. Use the former as the primary
authentication/secondary accounting server, and the latter as the secondary
authentication/primary accounting server.
Set the shared key for the device to exchange packets with the authentication server
as name, and that for the device to exchange packets with the accounting server as
money.
Specify the device to try up to five times at an interval of 5 seconds in transmitting a
packet to the RADIUS server until it receives a response from the server, and to send
real time accounting packets to the accounting server every 15 minutes.
Specify the device to remove the domain name from the username before passing the
username to the RADIUS server.
Set the username of the 802.1x user as localuser and the password as localpass and
specify to use clear text mode. Enable the idle cut function.
Network diagram
Figure 90 Network diagram for 802.1x configuration (labels: Supplicant; GigabitEthernet1/0/1; Authenticator Switch; Internet; Authentication Servers, RADIUS Server Cluster, IP addresses 10.11.1.1 and 10.11.1.2)
Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands for the authenticator; configuration on the supplicant and the RADIUS server is omitted.
For information about AAA/RADIUS configuration commands, refer to the AAA, RADIUS, and TACACS+ Configuration chapter.
1 Enable 802.1x globally.
<3Com> system-view
[3Com] dot1x
2 Enable 802.1x for port GigabitEthernet1/0/1.
[3Com] dot1x interface GigabitEthernet1/0/1
3 Set the port access control method. (Optional. The default answers the requirement.)
[3Com] dot1x port-method macbased interface GigabitEthernet1/0/1
4 Create RADIUS scheme radius1 and enter its view.
[3Com] radius scheme radius1
5 Configure the IP addresses of the primary authentication and accounting RADIUS servers.
[3Com-radius-radius1] primary authentication 10.11.1.1
[3Com-radius-radius1] primary accounting 10.11.1.2
6 Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[3Com-radius-radius1] secondary authentication 10.11.1.2
[3Com-radius-radius1] secondary accounting 10.11.1.1
7 Specify the shared key for the device to exchange packets with the authentication server.
[3Com-radius-radius1] key authentication name
8 Specify the shared key for the device to exchange packets with the accounting server.
[3Com-radius-radius1] key accounting money
9 Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts.
[3Com-radius-radius1] timer response-timeout 5
[3Com-radius-radius1] retry 5
10 Set the interval for the device to send real time accounting packets to the RADIUS server.
[3Com-radius-radius1] timer realtime-accounting 15
11 Specify the device to remove the domain name of any username before passing the username to the RADIUS server.
[3Com-radius-radius1] user-name-format without-domain
[3Com-radius-radius1] quit
12 Create default user domain aabbcc.net and enter its view.
[3Com] domain aabbcc.net
[3Com-isp-aabbcc.net] quit
[3Com] domain default enable aabbcc.net
[3Com] domain aabbcc.net
13 Set radius1 as the RADIUS scheme for users of the domain and specify to use local authentication as the secondary scheme.
[3Com-isp-aabbcc.net] authentication default radius-scheme radius1 local
[3Com-isp-aabbcc.net] authorization default radius-scheme radius1 local
[3Com-isp-aabbcc.net] accounting default radius-scheme radius1 local
14 Set the maximum number of users for the domain as 30.
[3Com-isp-aabbcc.net] access-limit enable 30
15 Enable the idle cut function and set the idle interval.
[3Com-isp-aabbcc.net] idle-cut enable 20
[3Com-isp-aabbcc.net] quit
16 Add local access user localuser, enable the idle cut function and set the idle interval.
[3Com] local-user localuser
[3Com-luser-localuser] service-type lan-access
[3Com-luser-localuser] password simple localpass
[3Com-luser-localuser] attribute idle-cut 20
Typical GuestVlan Configuration Example
Network requirement
As shown in Figure 91, a PC connects to the network through 802.1x authentication. The authentication server is a RADIUS server. GigabitEthernet1/0/3 of the Supplicant access switch belongs to VLAN 1; the Authentication Server belongs to VLAN 2; the Update Server belongs to VLAN 10, which is used for client download and upgrade; GigabitEthernet1/0/8, through which the switch accesses the Internet, belongs to VLAN 5.
Figure 91 Typical network diagram (labels: Supplicant, Authentication Server, Update Server, Internet; GigabitEthernet1/0/3, GigabitEthernet1/0/5, GigabitEthernet1/0/8; VLAN 1, VLAN 2, VLAN 5, VLAN 10)
As shown in Figure 92, enable 802.1x and GuestVlan 10 on GigabitEthernet1/0/3. When the switch has transmitted the authentication-triggering packet (EAP-Request/Identity) through the port the maximum number of times without receiving any response packet, GigabitEthernet1/0/3 is added to GuestVlan 10. In this case, the Supplicant and the Update Server belong to VLAN 10, so the Supplicant can access the Update Server and download the 802.1x client.
Figure 92 Enable GuestVlan (labels: Supplicant, Authentication Server, Update Server, Internet; GigabitEthernet1/0/3, GigabitEthernet1/0/5, GigabitEthernet1/0/8; VLAN 2, VLAN 5, VLAN 10, Guest VLAN 10)
As shown in Figure 93, the Authentication Server delivers VLAN 5 after you pass authentication and access the Internet. In this case, the Supplicant and GigabitEthernet1/0/8 belong to VLAN 5, so the Supplicant can access the Internet.
Figure 93 User online and VLAN delivery
Configuration procedure
1 Enable 802.1x globally.
<3Com> system-view
[3Com] dot1x
2 Enable 802.1x on the specified port.
[3Com] interface GigabitEthernet1/0/3
[3Com-GigabitEthernet1/0/3] dot1x
3 Configure the way of access control on the port as portbased.
[3Com-GigabitEthernet1/0/3] dot1x port-method portbased
4 Configure the mode of access control on the port as auto.
[3Com-GigabitEthernet1/0/3] dot1x port-control auto
5 Configure the link type of the port as access.
[3Com-GigabitEthernet1/0/3] port link-type access
[3Com-GigabitEthernet1/0/3] quit
6 Create VLAN 10.
[3Com] vlan 10
[3Com-vlan10] quit
7 Configure GuestVlan of the specified port.
[3Com] dot1x guest-vlan 10 interface GigabitEthernet1/0/3
8 Configure a RADIUS scheme.
[3Com] radius scheme 2000
[3Com-radius-2000] primary authentication 10.11.1.1 1812
[3Com-radius-2000] primary accounting 10.11.1.1 1813
[3Com-radius-2000] key authentication nec
[3Com-radius-2000] key accounting nec
[3Com-radius-2000] user-name-format without-domain
[3Com-radius-2000] quit
9 Configure a domain that uses the RADIUS scheme just configured.
[3Com] domain system
[3Com-isp-system] authentication default radius-scheme 2000
[3Com-isp-system] authorization default radius-scheme 2000
[3Com-isp-system] accounting default radius-scheme 2000
Use the display current-configuration or display interface GigabitEthernet1/0/3 command to display the GuestVlan configuration. In cases such as when you disconnect from the Internet or fail to pass authentication, once the switch has transmitted the authentication-triggering packet (EAP-Request/Identity) more than the maximum number of times you set, you can use the display vlan 10 command to check whether the GuestVlan configured on the specified port has taken effect.
29 HABP CONFIGURATION
Introduction to HABP
With 802.1x (or MAC authentication) enabled, a switch authenticates 802.1x-enabled
(or MAC authentication-enabled) ports. Packets can be forwarded only by authorized
ports. If ports connected to the switch are not authenticated, their received packets will
be filtered.
This means that users can no longer manage the attached switches. To address this
problem, authentication bypass protocol (HABP) has been developed.
An HABP packet carries the MAC addresses of the attached switches with it. It can
bypass the 802.1x authentications or MAC authentications when traveling between
HABP-enabled switches, through which management devices can obtain the MAC
addresses of the attached switches and thus the management of the attached switches is
feasible.
HABP is implemented by HABP server and HABP client. Normally, an HABP server sends
HABP request packets regularly to HABP clients to collect the MAC addresses of the
attached switches. HABP clients respond to the HABP request packets and forward the
HABP request packets to lower-level switches. HABP servers usually reside on
management devices and HABP clients usually on attached switches.
For ease of switch management, enable HABP for 802.1x-enabled (or MAC
authentication-enabled) switches.
HABP Server Configuration
With the HABP server launched, a management device sends HABP request packets regularly to the attached switches to collect their MAC addresses. You also need to configure, on the management device, the interval at which the HABP server sends HABP request packets.
Table 207 Configure an HABP server
Operation / Command / Description
Enter system view: system-view
Enable HABP: habp enable. Optional; HABP is enabled by default.
Configure the current switch to be an HABP server: habp server vlan vlan-id. Required; by default, a switch operates as an HABP client after you enable HABP on the switch.
Configure the interval to send HABP request packets: habp timer interval-time. Optional; the default interval for an HABP server to send HABP request packets is 20 seconds.
HABP Client Configuration
HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default. So you only need to enable HABP on a switch to make it an HABP client.
Table 208 Configure an HABP client
Operation / Command / Description
Enter system view: system-view
Enable HABP: habp enable. Optional; HABP is enabled by default, and a switch operates as an HABP client after you enable HABP for it.
Set the current switch to be an HABP client: undo habp server. Optional; by default, a switch operates as an HABP client.
Displaying HABP
After performing the above configuration, you can display and verify your HABP-related configuration by executing the display commands in any view.
Table 209 Display HABP
Operation / Command / Description
Display HABP configuration and status information: display habp. You can execute the display commands in any view.
Display the MAC address table maintained by HABP: display habp table
Display statistics on HABP traffic: display habp traffic
30 MAC AUTHENTICATION CONFIGURATION
MAC authentication is a method for authenticating users based on port and MAC address.
When configuring MAC authentication, use the following table to find the information you need:
Table 210 Information
If you need to / Go to
Get an overall idea of MAC authentication: MAC Authentication Overview
Know the normal procedure to configure MAC authentication: Configuring MAC Authentication
Learn how to display and maintain MAC authentication: Displaying and Maintaining MAC Authentication
See an example of how to configure MAC authentication: MAC Authentication Configuration Example
MAC Authentication Overview
MAC authentication controls user network access based on port and MAC address. It does not require users to have any supplicant system software installed. The MAC address of the host is used as the user name and password for authentication. Once a switch detects a new MAC address, it initiates the authentication process.
Ethernet switches support remote RADIUS authentication and local authentication:
With RADIUS authentication, the switch serves as a RADIUS client. It forwards a detected user MAC address to the RADIUS server as the user name and password for authentication and, if the user passes authentication, permits the user to access the network.
With local authentication, MAC addresses of users must be manually configured on the switch to be used as user names and passwords for authentication.
Configuring MAC Authentication
Configuration Prerequisites
Create and configure the ISP domain.
For local authentication, create a local user and configure the password.
For RADIUS authentication, ensure that the switch and the RADIUS server can reach each other.
CAUTION: For local authentication:
The MAC address to be used as the user name and password of a local user must be
in the format of HHH.
The service type of the local user must be configured as lan-access.
Configuration Procedure
Follow these steps to configure MAC authentication:
CAUTION:
You can enable MAC authentication for specified ports or set MAC authentication
parameters before enabling MAC authentication globally. However, your
configuration takes effect only after you enable MAC authentication globally.
MAC authentication cannot coexist with 802.1x authentication on the same port.
If MAC authentication is enabled on a port, you cannot configure the maximum
number of MAC addresses to be learned on the port. You can use the mac-address
max-mac-count command to configure the maximum number of MAC addresses to
be learned on the port. If the maximum number of MAC addresses to be learned is
configured on a port, you cannot enable MAC authentication on the port.
Table 211 Configuring MAC Authentication
To do / Use the command / Remarks
Enter system view: system-view
Enable MAC authentication globally: mac-authentication. Required; disabled by default.
Enable MAC authentication for specified ports: mac-authentication interface interface-list. Required; disabled by default.
Specify the ISP domain for MAC authentication: mac-authentication domain isp-name. Optional; the default ISP domain is used by default.
Set the offline-detect timer: mac-authentication timer offline-detect offline-detect-value. Optional; 300 seconds by default.
Set the quiet timer: mac-authentication timer quiet quiet-value. Optional; 1 minute by default.
Set the server timeout timer: mac-authentication timer server-timeout server-timeout-value. Optional; 100 seconds by default.
Displaying and Maintaining MAC Authentication
Table 212 Displaying and Maintaining MAC Authentication
To do / Use the command / Remarks
Display the global MAC authentication information or the MAC authentication information about specified interfaces: display mac-authentication [ interface interface-list ]. Available in any view.
MAC Authentication Configuration Example
For local authentication, you configure the MAC address of a host as the user name
and password on the switch.
For RADIUS authentication, you configure the MAC address of a host as the user
name and password on the RADIUS server.
Network requirements
As shown in Figure 94, a user is connected to the switch through port GigabitEthernet
1/0/1.
MAC authentication is required on every port to control user access to the Internet.
All users belong to domain aabbcc.net.
Set the offline-detect timer to 180 seconds and the quiet timer to 3 minutes.
Configure the switch to perform local authentication.
Network diagram
Figure 94 Network diagram for MAC authentication
Configuration procedure
1 Add a local user.
<3Com> system-view
[3Com] local-user 00e0fc010101
[3Com-luser-00e0fc010101] password simple 00e0fc010101
[3Com-luser-00e0fc010101] service-type lan-access
[3Com-luser-00e0fc010101] quit
2 Configure ISP domain aabbcc.net, and specify to perform local authentication.
[3Com] domain aabbcc.net
[3Com-isp-aabbcc.net] authentication lan-access local
[3Com-isp-aabbcc.net] quit
3 Enable MAC authentication globally.
[3Com] mac-authentication
4 Enable MAC authentication on port GigabitEthernet 1/0/1.
[3Com] mac-authentication interface GigabitEthernet 1/0/1
5 Specify the ISP domain for centralized MAC authentication.
[3Com] mac-authentication domain aabbcc.net
6 Set the MAC authentication timers.
[3Com] mac-authentication timer offline-detect 180
[3Com] mac-authentication timer quiet 3
31 AAA, RADIUS, AND TACACS+ CONFIGURATION
Overview
Introduction to AAA
AAA is short for the three security functions authentication, authorization and accounting. It provides a uniform framework for you to configure the three security functions to implement network security management.
The network security mentioned here mainly refers to access control. It mainly controls:
Which users can access the network,
Which services the users can have access to,
How to charge the users who are using network resources.
Accordingly, AAA provides the following services:
Authentication
AAA supports the following authentication methods:
None authentication: Users are trusted and are not authenticated. Generally, this
method is not recommended.
Local authentication: User information (including user name, password, and
attributes) is configured on this device. Local authentication is fast and requires lower
operational cost. But the information storage capacity is limited by device hardware.
Remote authentication: Users are authenticated remotely through the RADIUS
protocol or TACACS+ protocol. This device (for example, a 3Com series switch) acts
as the client to communicate with the RADIUS server or TACACS server. For RADIUS
protocol, both standard and extended RADIUS protocols can be used.
Authorization
AAA supports the following authorization methods:
Direct authorization: Users are trusted and directly authorized; they have the default rights.
Local authorization: Users are authorized according to the related attributes
configured for their local accounts on the device.
RADIUS authorization: Users are authorized after they pass the RADIUS
authentication. The authentication and authorization of RADIUS protocol are bound
together, and you cannot perform RADIUS authorization alone without RADIUS
authentication.
TACACS+ authorization: Users are authorized by TACACS server.
Accounting
AAA supports the following accounting methods:
None accounting: No accounting is performed for users.
Remote accounting: User accounting is performed on the remote RADIUS server or
TACACS server.
Local accounting: This function counts the users that have accessed, for the purpose of limiting the access of local users.
Generally, AAA adopts the client/server structure, where the client acts as the managed
resource and the server stores user information. This structure has good scalability and
facilitates the centralized management of user information. AAA can be based on
multiple protocols, and currently RADIUS or TACACS+ is used.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same ISP.
For a user name in the format of userid@isp-name, the isp-name following the @
character is the ISP domain name. The access device uses userid as the user name for
authentication, and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may belong to
different domains. Since the users of different ISPs may have different attributes (such as
different compositions of user name and password, different service types/rights), it is
necessary to distinguish the users by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS scheme,
and so on) for each ISP domain independently in ISP domain view.
Introduction to RADIUS
AAA is a management framework; it can be implemented by more than one protocol. But in practice, the most commonly used protocol for AAA is RADIUS.
What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed information exchange
protocol in client/server structure. It can prevent unauthorized access to the network and
is commonly used in network environments where both high security and remote user
access service are required.
The RADIUS service involves three components:
Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the frame format and
message transfer mechanism of RADIUS, and define 1812 as the authentication port
and 1813 as the accounting port.
Server: The RADIUS server runs on a computer or workstation at the center. It stores
and maintains the information on user authentication and network service access.
Client: The RADIUS clients run on the dial-in access server device. They can be
deployed anywhere in the network.
RADIUS is based on client/server model. Acting as a RADIUS client, the switch passes user
information to a designated RADIUS server, and makes processing (such as
connecting/disconnecting users) depending on the responses returned from the server.
The RADIUS server receives user's connection requests, authenticates users, and returns
all required information to the switch.
Generally, the RADIUS server maintains the following three databases (as shown in
Figure 95):
Users: This database stores information about users (such as user name, password,
adopted protocol and IP address).
Clients: This database stores the information about RADIUS clients (such as shared
keys).
Dictionary: This database stores the information used to interpret the attributes and
attribute values of the RADIUS protocol.
Figure 95 Databases in RADIUS server
In addition, the RADIUS server can act as the client of some other AAA server to provide
the authentication or accounting proxy service.
Basic message exchange procedure of RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and the
RADIUS server are verified by using a shared key. This enhances the security. The RADIUS
protocol combines the authentication and authorization processes together by sending
authorization information in the authentication response message. Figure 96 depicts the
message exchange procedure between user, switch and RADIUS server.
Figure 96 Basic message exchange procedure of RADIUS
The basic message exchange procedure of RADIUS is as follows:
1 The user enters the user name and password.
2 The RADIUS client receives the user name and password, and then sends an
authentication request (Access-Request) to the RADIUS server.
3 The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADIUS server sends back an authentication response (Access-Accept), which contains information about the user's rights, to the RADIUS client. If the authentication fails, it returns an Access-Reject response.
4 The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type field set to start) to the RADIUS server.
5 The RADIUS server returns a start-accounting response (Accounting-Response).
6 The user starts to access the resources.
7 The RADIUS client sends a stop-accounting request (Accounting-Request, with the
Status-Type field set to stop) to the RADIUS server.
8 The RADIUS server returns a stop-accounting response (Accounting-Response).
9 The resource access of the user is ended.
RADIUS packet structure
RADIUS uses UDP to transmit messages. It ensures the correct message exchange
between RADIUS server and client through the following mechanisms: timer
management, retransmission, and backup server. Figure 97 depicts the structure of the
RADIUS packets.
Figure 97 RADIUS packet structure
1 The Code field decides the type of the RADIUS packet, as shown in Table 213.
2 The Identifier field (one byte) matches request and response packets. Its value depends on the Attribute field and changes each time a valid response is received, but remains unchanged during retransmission.
Figure 97 fields: Code, Identifier, Length, Authenticator, Attribute.
Table 213 Description on major values of the Code field
Code / Packet type / Packet description
1 Access-Request. Direction: client->server. The client transmits this packet to the server to determine if the user can access the network. This packet carries user information. It must contain the User-Name attribute and may contain the following attributes: NAS-IP-Address, User-Password and NAS-Port.
2 Access-Accept. Direction: server->client. The server transmits this packet to the client if all the attribute values carried in the Access-Request packet are acceptable (that is, the user passes the authentication).
3 Access-Reject. Direction: server->client. The server transmits this packet to the client if any attribute value carried in the Access-Request packet is unacceptable (that is, the user fails the authentication).
4 Accounting-Request. Direction: client->server. The client transmits this packet to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the packet). This packet carries almost the same attributes as those carried in the Access-Request packet.
5 Accounting-Response. Direction: server->client. The server transmits this packet to the client to notify the client that it has received the Accounting-Request packet and has correctly recorded the accounting information.
3 The Length field (two bytes) specifies the total length of the packet (including the Code,
Identifier, Length, Authenticator and Attribute fields). The bytes beyond the length will
be regarded as padding bytes and are ignored upon receiving the packet. If the received
packet is shorter than the value of this field, it will be discarded.
4 The Authenticator field (16 bytes) is used to verify the packet returned from the RADIUS
server; it is also used in the password hiding algorithm. There are two kinds of
authenticators: Request and Response.
5 The Attribute field contains special authentication, authorization, and accounting
information to provide the configuration details of a request or response packet. This
field is represented by a field triplet (Type, Length and Value):
The Type field (one byte) specifies the type of the attribute. Its value ranges from 1 to
255. Table 214 lists the attributes that are commonly used in RADIUS authentication
and authorization.
The Length field (one byte) specifies the total length of the Attribute field in bytes
(including the Type, Length and Value fields).
The Value field (up to 253 bytes) contains the information about the attribute. Its
content and format are determined by the Type and Length fields.
The RADIUS protocol is highly extensible. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
Table 214 RADIUS attributes
Value of the Type field / Attribute type
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-ID
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-ID
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
Figure 98 depicts the structure of attribute 26. The Vendor-ID field representing the code
of the vendor occupies four bytes. The first byte is 0, and the other three bytes are
defined in RFC1700. Here, the vendor can encapsulate multiple customized
sub-attributes (containing Type, Length and Value) to obtain extended RADIUS
implementation.
Figure 98 Part of the RADIUS packet containing extended attribute
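The packet layout just described, worked through in code. This is an added example, not code from the 3Com manual: it builds an Access-Request with the Length/Authenticator/Attribute fields above, hides the User-Password with the shared key as RFC 2865 specifies, encapsulates sub-attributes inside attribute 26, and parses the result back applying the Length rules (padding ignored, short packets discarded). The shared key, Vendor-ID 9999 and the sub-attribute numbers are constructed placeholders.

```python
"""RADIUS Access-Request encoding and parsing (added example, not 3Com code).

Exercises the packet layout described above: Code/Identifier/Length header,
16-byte Request Authenticator, attribute triplets (Type, Length, Value),
User-Password hiding with the shared key (RFC 2865 section 5.2) and a
Vendor-Specific attribute (type 26) carrying vendor sub-attributes. Shared key,
Vendor-ID and sub-attribute numbers are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def xor_password(data, secret, request_authenticator, hide):
    """RFC 2865 5.2: c_1 = p_1 XOR MD5(secret + RequestAuth), then
    c_i = p_i XOR MD5(secret + c_{i-1}). The same loop reveals a hidden
    password when fed the ciphertext (hide=False)."""
    data = data + b"\x00" * (-len(data) % 16) if hide else data
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], digest))
        out += block
        prev = block if hide else data[i:i + 16]   # chain on the ciphertext block
    return out if hide else out.rstrip(b"\x00")


def attr(attr_type, value):
    """Attribute triplet: Type (1 byte), Length (1 byte, counts Type and Length too), Value."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, sub_attrs):
    """Attribute 26: Vendor-ID (4 bytes, first byte 0) followed by vendor sub-attribute TLVs."""
    body = b"".join(attr(t, v) for t, v in sub_attrs)
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id & 0x00FFFFFF) + body)


def build_access_request(identifier, secret, username, password, nas_ip,
                         extra_attrs=b"", authenticator=None):
    """Client side: header, random Request Authenticator, then the attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, xor_password(password, secret, authenticator, hide=True))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + extra_attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_tlvs(buf):
    """Walk Type/Length/Value triplets, rejecting lengths that run past the buffer."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("malformed attribute length %d" % a_len)
        out.append((a_type, buf[pos + 2:pos + a_len]))
        pos += a_len
    return out


def parse_packet(data):
    """Server side. Applies the Length rules from the text: bytes beyond Length
    are padding and ignored; a packet shorter than its Length field is discarded."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header: discard")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if len(data) < length:
        raise ValueError("packet shorter than its Length field: discard")
    attrs = []
    for a_type, value in parse_tlvs(data[HEADER_LEN:length]):
        if a_type == VENDOR_SPECIFIC:          # split into Vendor-ID and sub-attributes
            attrs.append((a_type, (struct.unpack("!I", value[:4])[0], parse_tlvs(value[4:]))))
        else:
            attrs.append((a_type, value))
    return {"code": code, "id": identifier, "authenticator": data[4:20], "attrs": attrs}


# Constructed sample values (shared key, Vendor-ID 9999 and its sub-attributes are placeholders).
SECRET = b"sample-shared-key"
REQUEST = build_access_request(
    7, SECRET, b"alice", b"s3cret!", "10.0.0.1",
    extra_attrs=vsa(9999, [(1, b"admin-group"), (2, struct.pack("!I", 3))]),
    authenticator=bytes(range(16)))


def decoded_request(data=REQUEST, secret=SECRET):
    """Parse the request and recover the password with the shared key."""
    pkt = parse_packet(data)
    fields = dict(pkt["attrs"])
    fields[USER_PASSWORD] = xor_password(fields[USER_PASSWORD], secret, pkt["authenticator"], hide=False)
    return pkt["code"], pkt["id"], fields
```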
Introduction to TACACS+
What is TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is an enhanced
security protocol based on TACACS. Similar to the RADIUS protocol, it implements AAA
for different types of users (such as PPP/VPDN login users and terminal users) through
communications with TACACS servers in the Client-Server mode. Switch 4500G switches
support authentication, authorization, and accounting for telnet, FTP, Aux, and SSH
users.
Compared with RADIUS, TACACS+ provides more reliable transmission and encryption,
and therefore is more suitable for security control. Table 215 lists the primary differences
between TACACS+ and RADIUS protocols.
Table 215 Comparison between TACACS+ and RADIUS
TACACS+                                                       RADIUS
Adopts TCP, providing more reliable network transmission.     Adopts UDP.
Encrypts the entire packet except the TACACS+ header.         Encrypts only the password field in an authentication packet.
Separates authentication from authorization. For example,     Brings together authentication and authorization.
you can provide authentication and authorization on
different TACACS servers.
Suitable for security control.                                Suitable for accounting.
Supports authorization of configuration commands.             Not supported.
In a typical TACACS+ application, a dial-up or terminal user needs to log in to the device
for operations. As the client of TACACS+ in this case, the switch sends the username and
password to the TACACS server for authentication. After passing authentication and
being authorized, the user can log in to the switch to perform operations, as shown in
Figure 99.
Figure 99 Network diagram for a typical TACACS+ application
The figure shows a dial-up user (over ISDN/PSTN) and a terminal user connecting to the switch acting as HWTACACS client, which communicates with TACACS servers at 129.7.66.66 and 129.7.66.67.
Basic message exchange procedure in TACACS+
For example, use TACACS+ to implement authentication, authorization, and accounting
for a telnet user. Figure 100 illustrates the basic message exchange procedure:
Figure 100 The AAA implementation procedure for a telnet user
The basic message exchange procedure is as follows:
1 A user requests access to the switch; upon receipt of the request, the TACACS client sends an
authentication start request packet to the TACACS server.
2 The TACACS server sends back an authentication response requesting the username; upon
receipt of the response, the TACACS client asks the user for the username.
3 After receiving the username from the user, the TACACS client sends an authentication
continuance packet carrying the username.
4 The TACACS server sends back an authentication response requesting the password. Upon
receipt of the response, the TACACS client asks the user for the login password.
5 After receiving the login password, the TACACS client sends an authentication
continuance packet carrying the login password to the TACACS server.
6 The TACACS server sends back an authentication response indicating that the user has
passed the authentication.
7 The TACACS client sends the user authorization request packet to the TACACS server.
8 The TACACS server sends back the authorization response, indicating that the user has
passed the authorization.
9 Upon receipt of the response indicating an authorization success, the TACACS client
pushes the configuration interface of the switch to the user.
10 The TACACS client sends an accounting start request packet to the TACACS server.
11 The TACACS server sends back an accounting response, indicating that it has received
the accounting start request.
12 The user logs out; the TACACS client sends an accounting stop request to the TACACS
server.
13 The TACACS server sends back an accounting stop packet, indicating that the
accounting stop request has been received.
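The thirteen-step exchange above, played out between an in-process TACACS+ client and server. This is an added example, not code from the manual or from 3Com: the 12-byte header and the body obfuscation follow RFC 8907, which is what makes "the entire packet except the header is encrypted" concrete, while the packet bodies are simplified text stand-ins for the RFC body formats; the shared key, user name, password and session ids are constructed.

```python
"""TACACS+ exchange for a telnet login (added example, not 3Com code).

Plays steps 1-13 above between an in-process client and server: one
authentication session, one authorization session and two accounting sessions.
Header and body obfuscation follow RFC 8907 (header in the clear, body XORed
with an MD5 pseudo-pad derived from the shared key and header fields); body
contents are simplified stand-ins for the RFC body formats. All values are constructed.
"""
import hashlib
import struct

VERSION = 0xC0                     # major version 0xC, minor version 0
AUTHEN, AUTHOR, ACCT = 1, 2, 3     # packet types
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
FLAG_UNENCRYPTED = 0x01

def pseudo_pad(session_id, key, seq_no, length):
    """MD5_1 = MD5(session_id + key + version + seq_no);
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}); concatenate."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR with the pad; applying it twice with the same key restores the body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def pack(ptype, seq_no, session_id, body, key):
    """Header travels in the clear; flags = 0 means the body is obfuscated."""
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def unpack(packet, key):
    """Returns (type, seq_no, session_id, body). A wrong key yields garbage, which
    a real implementation notices when the body fails to parse."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    if version != VERSION or flags & FLAG_UNENCRYPTED:
        raise ValueError("unsupported version or cleartext body")
    return ptype, seq_no, session_id, obfuscate(packet[12:12 + length], session_id, key, seq_no)

class Server:
    """Minimal TACACS+ server answering each client packet as in the procedure."""
    def __init__(self, key, users):
        self.key, self.users, self.pending = key, users, {}

    def handle(self, packet):
        ptype, seq_no, sid, body = unpack(packet, self.key)
        if seq_no % 2 == 0:
            raise ValueError("client packets carry odd sequence numbers")
        if ptype == AUTHEN:
            reply = self.authen(sid, body)
        elif ptype == AUTHOR:
            reply = b"RESPONSE status=PASS_ADD priv-lvl=1"
        else:
            reply = b"REPLY status=SUCCESS"
        return pack(ptype, seq_no + 1, sid, reply, self.key)  # server replies with seq_no + 1

    def authen(self, sid, body):
        """START -> GETUSER; CONTINUE(user) -> GETPASS; CONTINUE(password) -> PASS/FAIL."""
        state = self.pending.setdefault(sid, {})
        if body.startswith(b"START"):
            return b"REPLY status=GETUSER"
        if "user" not in state:
            state["user"] = body.split(b"=", 1)[1]
            return b"REPLY status=GETPASS"
        ok = self.users.get(state["user"]) == body.split(b"=", 1)[1]
        self.pending.pop(sid)
        return b"REPLY status=PASS" if ok else b"REPLY status=FAIL"

def telnet_login(server, key, user, password):
    """Client side of steps 1-13. Returns (transcript, outcome); each transcript
    row is (sender, session_id, seq_no, body)."""
    log = []

    def session(ptype, sid, bodies):
        seq, reply = 1, b""
        for body in bodies:
            log.append(("client", sid, seq, body))
            _, seq, _, reply = unpack(server.handle(pack(ptype, seq, sid, body, key)), key)
            log.append(("server", sid, seq, reply))
            seq += 1
        return reply

    # Steps 1-6: authentication, one session with sequence numbers 1..6.
    verdict = session(AUTHEN, 0x1001, [b"START service=login", b"CONTINUE user=" + user,
                                       b"CONTINUE password=" + password])
    if not verdict.endswith(b"PASS"):
        return log, "denied"
    # Steps 7-9: authorization; the user is let in only on a PASS status.
    if b"status=PASS" not in session(AUTHOR, 0x1002, [b"REQUEST user=" + user + b" service=shell"]):
        return log, "denied"
    # Steps 10-13: accounting start when the session opens, stop when the user quits.
    session(ACCT, 0x1003, [b"START user=" + user])
    session(ACCT, 0x1004, [b"STOP user=" + user])
    return log, "permitted"
```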
Configuration Tasks
Table 216 Configuration tasks
Operation: Description (Related section)

AAA configuration
  Create an ISP domain: Required (Creating an ISP Domain)
  Configure the attributes of the ISP domain: Optional (Configuring the Attributes of an ISP Domain)
  Configure the authentication scheme for the ISP domain: Required. If local authentication is adopted, refer to Configuring the Attributes of a Local User. If RADIUS authentication is adopted, refer to RADIUS Configuration. If HWTACACS authentication is adopted, refer to TACACS+ Configuration. (Configuring AAA Authentication of an ISP Domain)
  Configure an AAA authorization scheme for the ISP domain: Optional (Configuring AAA Authorization of an ISP Domain)
  Configure an AAA accounting scheme for the ISP domain: Optional (Configuring AAA Accounting of an ISP Domain)
  Configure the attributes of a local user: Optional (Configuring the Attributes of a Local User)
  Cut down user connections forcibly: Optional (Cutting Down User Connections Forcibly)

RADIUS configuration
  Create a RADIUS scheme: Required (Creating a RADIUS Scheme)
  Configure RADIUS authentication/authorization servers: Required (Configuring RADIUS Authentication/Authorization Servers)
  Configure RADIUS accounting servers: Required (Configuring RADIUS Accounting Servers)
  Configure shared keys for RADIUS packets: Required (Configuring Shared Keys for RADIUS Packets)
  Configure the maximum number of transmission attempts of RADIUS requests: Optional (Configuring the Maximum Number of Transmission Attempts of RADIUS Requests)
  Configure the supported RADIUS server type: Optional (Configuring the Supported RADIUS Server Type)
  Configure the status of RADIUS servers: Optional (Configuring the Status of RADIUS Servers)
  Configure the attributes for data to be sent to RADIUS servers: Optional (Configuring the Attributes for Data to be Sent to RADIUS Servers)
  Configure a local RADIUS authentication server: Optional (Configuring a Local RADIUS Authentication Server)
  Configure the timers for RADIUS servers: Optional (Configuring the Timers of RADIUS Servers)

TACACS+ configuration
  Create a TACACS+ scheme: Required (Creating a TACACS+ Scheme)
  Configure TACACS+ authentication servers: Required (Configuring TACACS+ Authentication Servers)
  Configure TACACS+ authorization servers: Required (Configuring TACACS+ Authorization Servers)
  Configure TACACS+ accounting servers: Optional (Configuring TACACS+ Accounting Servers)
  Configure shared keys for RADIUS packets: Optional (Configuring Shared Keys for RADIUS Packets)
  Configure the attributes for data to be sent to TACACS servers: Optional (Configuring the Attributes for Data to be Sent to TACACS+ Servers)
  Configure the timers of TACACS servers: Optional (Configuring the Timers of TACACS Servers)
AAA Configuration
The goal of AAA configuration is to protect network devices against unauthorized access
and at the same time provide network access services to authorized users. If you need to
use ISP domains to implement AAA management on access users, you need to configure
the ISP domains.
Configuration Prerequisites
If you want to adopt a remote AAA method, you must first create a RADIUS or TACACS+
scheme.
RADIUS scheme (radius-scheme): You can reference a configured RADIUS scheme
to implement AAA services. For the configuration of a RADIUS scheme, refer to section
RADIUS Configuration.
TACACS+ scheme (tacacs+-scheme): You can reference a configured TACACS+
scheme to implement AAA services. For the configuration of a TACACS+ scheme, refer
to section TACACS+ Configuration.
Creating an ISP Domain
Table 217 Create an ISP domain
Operation: Command (Description)
Enter system view: system-view
Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name (Required)
Quit to system view: quit
Configure the default ISP domain: domain default { disable | enable isp-name } (Optional. The default ISP domain is "system".)
To remove the default ISP domain you defined, you must first use the domain default
disable command.
Configuring the Attributes of an ISP Domain
Table 218 Configure the attributes of an ISP domain
Operation: Command (Description)
Enter system view: system-view
Create an ISP domain or enter the view of an existing ISP domain: domain isp-name (Required)
Activate/deactivate the ISP domain: state { active | block } (Optional. By default, once an ISP domain is created, it is in the active state and all the users in this domain are allowed to access the network.)
Set the maximum number of access users that can be contained in the ISP domain: access-limit { disable | enable max-user-number } (Optional. After an ISP domain is created, the number of access users it can contain is unlimited by default.)
Set the user idle-cut function: idle-cut { disable | enable minute flow } (Optional. By default, the user idle-cut function is disabled.)
Set the self-service server location function: self-service-url { disable | enable url-string } (Optional. By default, the self-service server location function is disabled.)
The self-service server location function must cooperate with a self-service-supported
RADIUS server (such as CAMS). Through self-service, users can manage and control their
accounts or card numbers by themselves. A server installed with the self-service software
is called a self-service server.
Configuring AAA Authentication of an ISP Domain
Authentication, authorization and accounting are three independent service procedures
in AAA. Authentication performs the interactive verification of user name, password and
user profile for individual access or service requests. It neither delivers authorization
messages to the users who make service requests nor triggers accounting. In AAA, you
can use authentication alone, without authorization or accounting. Without any
configuration, the authentication of the domain is local by default. You can configure
authentication in the following three steps:
1 To use a RADIUS solution for authentication, you first need to configure a RADIUS scheme
to reference; to use the local or none solution for authentication, you do not need to
configure a scheme.
2 Determine the access modes or service types to configure. You can configure
authentication based on different access modes and service types, and restrict the
authentication protocols available for access through configuration.
3 Determine whether to configure a default authentication for all access modes or service
types.
Table 219 Configure AAA authentication of an ISP domain
Operation: Command (Remarks)
Enter system view: system-view
Create an ISP domain or enter the view of an existing ISP domain: domain isp-name (Required)
Configure authentication for all users: authentication default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (Optional. By default, local authentication is used.)
Configure authentication for login users: authentication login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (Optional)
Configure authentication for lan-access users: authentication lan-access { radius-scheme radius-scheme-name [ local ] | local | none } (Optional)
There are three types of users for AAA: login, command authorization, and
lan-access. You can configure the authentication, authorization and accounting
policies independently according to the actual requirements of the users.
The authentication configured by the authentication default command applies
to all users. That is, the configuration takes effect for all users, but its priority is
lower than that of the configuration for a specific access mode.
If you have configured RADIUS as the authentication solution, AAA receives only the
authentication result from the RADIUS server. Although RADIUS authorization
information is carried in the authentication success response, it is not handled during
the processing of the authentication response.
If you have configured the radius-scheme radius-scheme-name local command
or the hwtacacs-scheme hwtacacs-scheme-name local command, local authentication
is used as the alternative when the RADIUS server or TACACS server fails. That is,
local authentication is used only when the RADIUS server or TACACS server does not
work.
If local or none is used as the first authentication solution, you can use only local
authentication or no authentication; you cannot use a RADIUS solution at the same
time.
Configuring AAA Authorization of an ISP Domain
Authorization is an independent procedure at the same level as authentication and
accounting in AAA, which is responsible for sending authorization requests to the
configured authorization server and delivering relevant authorization messages to users
after authorization. It is optional in the AAA configuration of an ISP domain.
By default, the authorization scheme for an ISP domain is local. If you configure the
authorization scheme as none, no authorization is required. In this case, authenticated
users have only the default rights. For example, by default EXEC users (for instance,
Telnet users) have the lowest access right, and FTP users are authorized to use the root
directory. You can configure authorization in the following three steps:
1 If you choose the TACACS+ authorization scheme, you should first define the TACACS+
scheme to be used. RADIUS authorization takes effect only when the RADIUS schemes
used for authentication and authorization are configured identically.
2 Determine the access modes or service types to configure. You can configure authorization
based on different access modes and service types, and restrict the authorization protocols
available for access through configuration.
3 Determine whether to configure a default authorization for all access modes or service
types.
The authorization configured by the authorization default command applies to
all users. That is, the configuration takes effect for all users, but its priority is lower
than that of the configuration for a specific access mode.
RADIUS authorization is a special procedure: it takes effect as long as the RADIUS
schemes for authentication and authorization are the same. If RADIUS authorization
fails, the reason returned to the NAS is that the server does not respond.
If the radius-scheme radius-scheme-name local or hwtacacs-scheme
hwtacacs-scheme-name local command is configured, local authorization is used as
the alternative when the RADIUS server or TACACS server fails. That is, local
authorization is used only when the RADIUS server or TACACS server does not work.
Table 220 Configure AAA authorization of an ISP domain
Operation: Command (Remarks)
Enter system view: system-view
Create an ISP domain or enter the view of an existing ISP domain: domain isp-name (Required)
Configure default authorization for all users: authorization default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (Optional)
Configure authorization for login users: authorization login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (Optional)
Configure authorization for lan-access users: authorization lan-access { radius-scheme radius-scheme-name [ local ] | local | none } (Optional)
Configure authorization for CLI users: authorization command hwtacacs-scheme hwtacacs-scheme-name (Optional)
If local or none is used as the first authorization solution, you can use only local
authorization or no authorization; you cannot use a RADIUS solution at the same time.
Since the authorization information of the RADIUS server is transmitted to the
RADIUS client together with the authentication response packet, if you specify both
the authentication and authorization schemes as RADIUS schemes, you must ensure that
the RADIUS authorization server and the RADIUS authentication server run on the
same device; otherwise the system gives an error prompt.
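A small model of the scheme-selection rules stated in the authentication and authorization sections above, added here as an illustration (not 3Com code): the access-type-specific scheme wins over the default one, the local database is consulted only when the remote server does not respond and never when it rejects the user, and a scheme that starts with local or none cannot also name a remote scheme. The scheme names, server behaviour and user databases are constructed stand-ins.

```python
"""Scheme selection and local fallback in an ISP domain (added example, not 3Com code).

Models the rules stated above: the scheme configured for a specific access type
(login, lan-access) has priority over the default scheme; with "radius-scheme NAME
local" or "hwtacacs-scheme NAME local" the local user database is consulted only
when the server does not respond, never when it rejects the user; and a scheme
whose first method is local or none cannot also name a remote scheme. Server
behaviour, scheme names and user databases are constructed stand-ins.
"""

LOCAL, NONE = "local", "none"
REMOTE = ("radius-scheme", "hwtacacs-scheme")


def parse_scheme(tokens):
    """tokens mirror the CLI keyword list, e.g. ["radius-scheme", "rad1", "local"]."""
    if tokens[0] in (LOCAL, NONE):
        if len(tokens) != 1:
            raise ValueError("%s as the first method cannot be combined with a remote scheme" % tokens[0])
        return {"primary": tokens[0], "remote": None, "fallback": False}
    if tokens[0] not in REMOTE or len(tokens) not in (2, 3) or tokens[2:] not in ([], [LOCAL]):
        raise ValueError("expected: radius-scheme | hwtacacs-scheme NAME [ local ]")
    return {"primary": "remote", "remote": (tokens[0], tokens[1]), "fallback": len(tokens) == 3}


def choose_scheme(domain, access_type):
    """Access-type specific configuration takes priority over the default one."""
    return domain.get(access_type) or domain["default"]


def authenticate(domain, access_type, user, password, servers, local_users):
    """Returns (accepted, method_used). A server stand-in answers "accept",
    "reject", or None when it does not respond within its retransmissions."""
    scheme = choose_scheme(domain, access_type)
    if scheme["primary"] == NONE:
        return True, NONE
    if scheme["primary"] == LOCAL:
        return local_users.get(user) == password, LOCAL
    verdict = servers[scheme["remote"]](user, password)
    if verdict is None and scheme["fallback"]:
        return local_users.get(user) == password, LOCAL     # server down: local takes over
    return verdict == "accept", scheme["remote"][0]         # reject, or down without fallback


def server(state, accounts):
    """Stand-in RADIUS/TACACS server: unreachable when state is "down"."""
    def respond(user, password):
        if state == "down":
            return None
        return "accept" if accounts.get(user) == password else "reject"
    return respond


# Constructed sample configuration (scheme and server names are placeholders).
DOMAIN = {
    "default": parse_scheme(["radius-scheme", "rad1", "local"]),
    "login": parse_scheme(["hwtacacs-scheme", "tac1"]),
}
LOCAL_USERS = {"admin": "local-pw"}


def login_outcomes(radius_state="up", tacacs_state="up"):
    """Exercise the same user through both access types under the given server states."""
    servers = {("radius-scheme", "rad1"): server(radius_state, {"admin": "remote-pw"}),
               ("hwtacacs-scheme", "tac1"): server(tacacs_state, {"admin": "remote-pw"})}
    return {
        "lan-access/remote-pw": authenticate(DOMAIN, "lan-access", "admin", "remote-pw", servers, LOCAL_USERS),
        "lan-access/local-pw": authenticate(DOMAIN, "lan-access", "admin", "local-pw", servers, LOCAL_USERS),
        "login/local-pw": authenticate(DOMAIN, "login", "admin", "local-pw", servers, LOCAL_USERS),
    }
```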
Configuring AAA Accounting of an ISP Domain
Accounting is an independent procedure at the same level as authentication and
authorization in AAA; it sends requests to start, update and end accounting to the
configured accounting server. Accounting is not required in the AAA configuration of
an ISP domain. Without accounting, users accessing the domain do not go through the
accounting procedure. You can configure accounting in the following three steps:
1 To use a RADIUS or TACACS+ solution for accounting, you first need to configure the
RADIUS scheme or TACACS+ scheme to reference; to use the local or none solution for
accounting, you do not need to configure a scheme.
2 Determine the access modes or service types to configure. You can configure accounting
based on different access modes and service types, and restrict the accounting protocols
available for access through configuration.
3 Determine whether to configure a default accounting for all access modes or service types.
Table 221 Configure AAA accounting of an ISP domain
Operation: Command (Remarks)
Enter system view: system-view
Create an ISP domain or enter the view of an existing ISP domain: domain isp-name
Open/close the accounting-optional switch: accounting-optional (Optional. By default, once an ISP domain is created, the accounting-optional switch is closed.)
Configure accounting for all users: accounting default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (Optional)
Configure accounting for login users: accounting login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none } (Optional)
Configure accounting for lan-access users: accounting lan-access { radius-scheme radius-scheme-name [ local ] | local | none } (Optional)
When accounting for a user, if the system does not find any available accounting server or
fails to communicate with any accounting server, it does not disconnect the user as
long as the accounting optional command has been executed.
The accounting configured by the accounting default command applies to
all users. That is, the configuration takes effect for all users, but its priority is lower
than that of the configuration for a specific access mode.
Local accounting is used only to manage the connections of local users; it has no real
statistics function. The management of local connections affects only local
accounting, not local authentication and authorization.
If the radius-scheme radius-scheme-name local or hwtacacs-scheme
hwtacacs-scheme-name local command is configured, local accounting is used as the
alternative when the RADIUS server or TACACS server fails. That is, local accounting
is used only when the RADIUS server or TACACS server does not work.
If local or none is used as the first accounting solution, you can use only local
accounting or no accounting; you cannot use a RADIUS or TACACS+ solution at the
same time.
FTP does not support accounting for login.
Configuring the Attributes of a Local User
When the local scheme is chosen as the AAA scheme, you should create local users on the
switch and configure the relevant attributes.
Local users are users defined on the switch, each uniquely identified by a user name. To
allow a user who is requesting network service to pass local authentication, add an entry
for the user to the local user database on the switch.
Table 222 Configure the attributes of a local user
Operation: Command (Description)
Enter system view: system-view
Set the password display mode of all local users: local-user password-display-mode { cipher-force | auto } (Optional. By default, the password display mode of all access users is auto, indicating that the passwords of access users are displayed in the modes set with the password command.)
Add a local user and enter local user view: local-user user-name (Required. By default, there is no local user in the system.)
Set a password for the specified user: password { simple | cipher } password (Optional)
Set the state of the specified user: state { active | block } (Optional. By default, local users are in the active state once they are created, that is, they are allowed to request network services.)
After the local-user password-display-mode cipher-force command is
executed, all passwords are displayed in cipher mode even though you specify that
user passwords are displayed in plain text with the password command.
If the configured authentication method (local or RADIUS) requires a user name and a
password, the command level that a user can access after login is determined by the
priority level of the user. For SSH users who authenticate with RSA keys, the
commands they can access are determined by the levels set on their user interfaces.
If the configured authentication method is none or requires only a password, the
command level that a user can access after login is determined by the level of the user
interface.
If a user is not authorized with any service type, he or she cannot pass the
authentication of a specific service type. By default, no service type is authorized to
users.
Table 222 Configure the attributes of a local user (continued)
Operation: Command (Description)
Authorize the user to access the specified type(s) of service(s):
  Configure the service type: service-type { lan-access | { telnet | ssh | terminal } * [ level level ] } (Required. By default, the system does not authorize the user to access any service.)
  Configure the FTP service type and accessible directories for users: service-type ftp [ ftp-directory directory ] (Optional. By default, anonymous users cannot access the switch using FTP or are not authorized with any FTP service; authorized FTP users can only access the root directory.)
Set the priority level of the user: level level (Optional. By default, the priority level of the user is 0.)
Set the attributes of the user whose service type is lan-access: attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port portnum | port portnum } } * (Optional. If the user is bound to a remote port, you must specify the nas-ip parameter; the following ip-address is 127.0.0.1 by default, representing this device. If the user is bound to a local port, you do not need to specify the nas-ip parameter.)
Cutting Down User Connections Forcibly
Table 223 Cut down user connections forcibly
Operation: Command (Description)
Enter system view: system-view
Cut down user connections forcibly: cut connection { all | access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name } (Required. This command is only available for the lan-access service type.)
RADIUS Configuration
The RADIUS protocol configuration is performed on a RADIUS scheme basis. In an actual
network environment, you can either use a single RADIUS server or two RADIUS servers
(primary and secondary servers with the same configuration but different IP addresses) in
a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP
address and UDP port number of each RADIUS server you want to use in this scheme.
These RADIUS servers fall into two types: authentication/authorization, and accounting.
For each kind of server, you can configure two servers in a RADIUS scheme: a primary
server and a secondary server. A RADIUS scheme has the following attributes: IP addresses
of the primary and secondary servers, shared keys, and types of the RADIUS servers.
The RADIUS protocol configuration only defines the parameters used for information
exchange between the switch and the RADIUS servers. To make these parameters take
effect, you must reference the RADIUS scheme configured with these parameters in an
ISP domain view. For the specific configuration commands, refer to section AAA
Configuration.
Creating a RADIUS Scheme
The RADIUS protocol configuration is performed on a RADIUS scheme basis. You should
first create a RADIUS scheme and enter its view before performing other RADIUS
protocol configurations.
A RADIUS scheme can be referenced by multiple ISP domains simultaneously.
Table 224 Create a RADIUS scheme
Operation: Command (Description)
Enter system view: system-view
Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system" has already been created in the system.)
Configuring RADIUS Authentication/Authorization Servers
The authentication response sent from the RADIUS server to the RADIUS client carries
the authorization information. Therefore, no separate authorization server can be
specified.
In an actual network environment, you can either specify two RADIUS servers as the
primary and secondary authentication/authorization servers respectively, or specify
only one server as both the primary and secondary authentication/authorization
servers.
The IP address and port number of the primary authentication server used by the
default RADIUS scheme "system" are 127.0.0.1 and 1645.
You are not allowed to assign the same IP address to both the primary and secondary
authentication/authorization servers; otherwise, the system prompts that the operation
failed.
Table 225 Configure RADIUS authentication/authorization servers
Operation: Command (Description)
Enter system view: system-view
Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system" has already been created in the system.)
Set the IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ] (Required. By default, the IP address and UDP port number of the primary server are 0.0.0.0 and 1812 respectively.)
Set the IP address and port number of the secondary RADIUS authentication/authorization server: secondary authentication ip-address [ port-number ] (Optional. By default, the IP address and UDP port number of the secondary server are 0.0.0.0 and 1812 respectively.)
Configuring RADIUS Accounting Servers
In an actual network environment, you can either specify two RADIUS servers as the
primary and secondary accounting servers respectively, or specify only one server as
both the primary and secondary accounting servers. In addition, because RADIUS
uses different UDP ports to transmit and receive authentication/authorization packets
and accounting packets, you must set a port number for accounting that differs from
the one set for authentication/authorization.
Stop-accounting requests are critical to billing and eventually affect the charges
of the users; they are important for both the users and the ISP. Therefore, the switch
should do its best to transmit them to the RADIUS accounting server. If the RADIUS
server does not respond to such a request, the switch first buffers the request and
then retransmits it to the RADIUS accounting server until it gets a response or the
maximum number of transmission attempts is reached (in which case it discards the
request).
You can set the maximum number of real-time accounting request attempts for the
case where accounting fails. If the switch makes all the allowed real-time accounting
request attempts but still fails to perform accounting, it cuts down the connection of
the user.
Table 226 Configure RADIUS accounting servers
Operation: Command (Description)
Enter system view: system-view
Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system" has already been created in the system.)
Set the IP address and port number of the primary RADIUS accounting server: primary accounting ip-address [ port-number ] (Required. By default, the IP address and UDP port number of the primary accounting server are 0.0.0.0 and 1813.)
Set the IP address and port number of the secondary RADIUS accounting server: secondary accounting ip-address [ port-number ] (Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813.)
Enable stop-accounting packet buffering: stop-accounting-buffer enable (Optional. By default, stop-accounting packet buffering is enabled.)
Enable stop-accounting packet retransmission and set the maximum number of transmission attempts of the buffered stop-accounting packets: retry stop-accounting retry-times (Optional. By default, the system tries at most 500 times to transmit a buffered stop-accounting request.)
Set the maximum number of real-time accounting request attempts: retry realtime-accounting retry-times (Optional. By default, the maximum number of real-time accounting request attempts is 5. After that, the user connection is cut down.)
The IP address and the port number of the default primary accounting server in the RADIUS scheme "system" are 127.0.0.1 and 1646.
Currently, RADIUS does not support the accounting of FTP users.
You are not allowed to assign the same IP address to both the primary and secondary accounting servers; otherwise, the system prompts that the operation is unsuccessful.
Configuring Shared Keys for RADIUS Packets
The RADIUS client and server use the MD5 algorithm to encrypt the RADIUS packets exchanged between them. The two parties verify the validity of the exchanged packets by using the shared keys configured on them, and accept and respond to each other's packets only if both have the same shared keys.
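The following added example (not code from the 3Com guide) shows how the shared key enters a RADIUS exchange as defined in RFC 2865: the server's reply carries an MD5 Response Authenticator computed over the packet and the key, which the client recomputes before accepting the reply, and the User-Password attribute is hidden with an MD5 keystream derived from the key and the Request Authenticator. The key "expert" is the one used in the configuration example later in this chapter; the Request Authenticator and the Reply-Message attribute bytes are constructed sample values.

```python
"""RADIUS shared-key checks from RFC 2865, as an added example.

Not code from the 3Com guide. Packet layouts follow RFC 2865; the
Request Authenticator, the key "expert" and the attribute bytes used in
demo() are constructed sample values.
"""
import hashlib
import hmac
import struct

RADIUS_HEADER = struct.Struct("!BBH")   # Code, Identifier, Length
ACCESS_ACCEPT = 2


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = RADIUS_HEADER.size + 16 + len(attrs)
    return hashlib.md5(RADIUS_HEADER.pack(code, ident, length)
                       + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What the server sends back; the authenticator depends on the server's key."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return RADIUS_HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check: accept the reply only if it was built with our key."""
    if len(packet) < 20:
        return False
    code, ident, length = RADIUS_HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): MD5 keystream XORed per 16-byte block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong key this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def demo(secret_on_switch=b"expert", secret_on_server=b"expert"):
    """Does the switch accept an Access-Accept built by a server with the given key?"""
    request_auth = bytes(range(16))     # constructed; a real client uses 16 random bytes
    attrs = b"\x12\x07hello"            # constructed Reply-Message attribute (type 18)
    reply = build_response(ACCESS_ACCEPT, 7, attrs, request_auth, secret_on_server)
    return verify_response(reply, request_auth, secret_on_switch)
```

demo() returns True when both ends hold "expert" and False when the keys differ, which is exactly the symptom the troubleshooting section later attributes to mismatched shared keys.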
Configuring the Maximum Number of Transmission Attempts of RADIUS Requests
Communication in RADIUS is unreliable because the protocol carries its data in UDP packets. Therefore, the switch must retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires. If the maximum number of transmission attempts is reached and the switch still receives no answer, the switch considers the request failed.
The product of the retry-times argument here and the seconds argument of the timer response-timeout command can be greater than 75.
Table 227 Configure shared keys for RADIUS packets
Operation | Command | Description
Enter system view | system-view | -
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set a shared key for the RADIUS authentication/authorization packets | key authentication string | Required. By default, no key is set for any RADIUS server.
Set a shared key for the RADIUS accounting packets | key accounting string | Required. By default, no key is set for any RADIUS server.

Table 228 Configure the maximum transmission attempts of RADIUS requests
Operation | Command | Description
Enter system view | system-view | -
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the maximum number of transmission attempts of RADIUS requests | retry retry-times | Optional. By default, the system tries three times to transmit a RADIUS request.
Configuring the Supported RADIUS Server Type
The configuration task is described in Table 229.
Configuring the Status of RADIUS Servers
For the primary and secondary servers (authentication/authorization servers or accounting servers) in a RADIUS scheme:
When the switch fails to communicate with the primary server because of a server fault, the switch actively exchanges packets with the secondary server instead.
After the primary server has stayed in the block state for longer than the time set with the timer quiet command, the switch tries the primary server again when it receives a RADIUS request. If the primary server has recovered, the switch immediately restores communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server to the active state while leaving the status of the secondary server unchanged.
When both the primary and secondary servers are in the active state, or both are in the block state, the switch sends packets only to the primary server.
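Here is an added Python model of the server selection rules just described, together with the retry and response-timeout behaviour from the previous section. It is not code from the 3Com guide: Clock, FakeServer and SchemeServers are constructed for illustration, and the retry, timeout and quiet values default to the ones given in this chapter (3 attempts, 3 seconds, 5 minutes).

```python
"""Primary/secondary RADIUS server selection with retry, response-timeout and quiet timers.

Added example modelling the behaviour described in the guide; not the guide's
own code. Clock, FakeServer and SchemeServers are constructed for illustration,
with the guide's defaults (3 attempts, 3 s response timeout, 5 min quiet time).
"""


class Clock:
    """Simulated time so the quiet timer can be checked deterministically."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class FakeServer:
    """Constructed RADIUS server stub: answers only while up; counts requests."""

    def __init__(self, name, up=True):
        self.name, self.up, self.requests = name, up, 0

    def respond(self, request):
        self.requests += 1
        return self.up


class SchemeServers:
    def __init__(self, primary, secondary, clock, retry_times=3,
                 response_timeout=3, quiet_minutes=5):
        self.servers = {"primary": primary, "secondary": secondary}
        self.clock = clock
        self.retry_times = retry_times
        self.response_timeout = response_timeout
        self.quiet_seconds = quiet_minutes * 60
        self.state = {"primary": "active", "secondary": "active"}
        self.blocked_at = {}

    def _exchange(self, name, request):
        """Send to one server, retransmitting up to retry-times on timeout."""
        server = self.servers[name]
        for _ in range(self.retry_times):
            if server.respond(request):
                return True
            self.clock.advance(self.response_timeout)   # response timeout expired
        return False

    def _order(self):
        """Which servers to try for this request, in order."""
        primary, secondary = self.state["primary"], self.state["secondary"]
        if (primary == "block"
                and self.clock.now - self.blocked_at["primary"] >= self.quiet_seconds):
            primary = "active"   # quiet time over: try the primary again on this request
        if primary == "active":
            return ["primary", "secondary"]   # fall back to the secondary if the primary fails
        if secondary == "active":
            return ["secondary"]              # primary still in block state
        return ["primary"]                    # both blocked: only the primary is tried

    def send(self, request):
        """Return the name of the server that answered, or None if the request failed."""
        for name in self._order():
            if self._exchange(name, request):
                self.state[name] = "active"
                return name
            self.state[name] = "block"
            self.blocked_at[name] = self.clock.now
        return None


def scenario():
    """Primary outage, then recovery after the quiet time has elapsed."""
    clock = Clock()
    primary, secondary = FakeServer("primary", up=False), FakeServer("secondary")
    scheme = SchemeServers(primary, secondary, clock)
    log = [scheme.send("auth-1")]        # primary times out 3 times, secondary answers
    log.append(scheme.send("auth-2"))    # inside the quiet time: secondary only
    clock.advance(scheme.quiet_seconds)
    primary.up = True
    log.append(scheme.send("auth-3"))    # quiet time over: primary answers, back to active
    return log, primary.requests, dict(scheme.state)
```

In scenario() the primary receives exactly three requests during the outage (one per retransmission attempt) and nothing more until the quiet time has passed, after which a single successful exchange restores it to the active state while the secondary's state is untouched.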
Table 229 Configure the supported RADIUS server type
Operation | Command | Description
Enter system view | system-view | -
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Specify the type of RADIUS server supported by the switch | server-type { extended | standard } | Optional. By default, the switch supports the standard type of RADIUS server. The type of RADIUS server in the default RADIUS scheme "system" is extended.

Table 230 Set the status of RADIUS servers
Operation | Command | Description
Enter system view | system-view | -
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the status of the primary RADIUS authentication/authorization server | state primary authentication { block | active } | Optional. By default, all the RADIUS servers in a customized RADIUS scheme are in the active state.
Set the status of the primary RADIUS accounting server | state primary accounting { block | active } | Optional. Same default as above.
Set the status of the secondary RADIUS authentication/authorization server | state secondary authentication { block | active } | Optional. Same default as above.
Set the status of the secondary RADIUS accounting server | state secondary accounting { block | active } | Optional. Same default as above.
Configuring the Attributes for Data to be Sent to RADIUS Servers
Generally, access users are named in the userid@isp-name format, where isp-name after the @ character is the ISP domain name by which the device determines the ISP domain the user belongs to. However, some older RADIUS servers cannot accept user names that carry ISP domain names. In this case, the domain names must be removed from the user names before they are sent to the RADIUS server. For this reason, the user-name-format command lets you specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.
For a RADIUS scheme, if you have specified that no ISP domain names are carried in the user names, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, errors such as the following may occur: the RADIUS server regards two different users with the same name but belonging to different ISP domains as the same user (because the user names sent to it are identical).
In the default RADIUS scheme "system", no ISP domain names are carried in the user names by default.
The nas-ip command in RADIUS scheme view takes effect only for the current RADIUS scheme, while the one in system view applies to all RADIUS schemes. The former takes priority.
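As an added example (not code from the 3Com guide), the helpers below show how a login name is split into user ID and ISP domain, what the server sees under with-domain and without-domain, and how to detect the name collision warned about above when a without-domain scheme is shared by several ISP domains. The function names, the domain-to-scheme table and the login names are constructed for illustration; a name without "@" is assumed to fall into a default ISP domain.

```python
"""Handling userid@isp-name user names, as an added example (not code from the 3Com guide).

The helper names and the constructed domain/scheme tables in demo() are
assumptions for illustration. The part after '@' is taken as the ISP domain
name, and a name without '@' is assigned to the default ISP domain.
"""


def resolve_domain(login_name, default_domain="system"):
    """Return (userid, isp-domain) the way the switch picks the ISP domain."""
    userid, sep, domain = login_name.partition("@")
    if not sep or not domain:
        return userid, default_domain
    return userid, domain


def name_for_server(login_name, default_domain="system", with_domain=True):
    """Name sent to the RADIUS server under user-name-format with-domain / without-domain."""
    userid, domain = resolve_domain(login_name, default_domain)
    return f"{userid}@{domain}" if with_domain else userid


def check_scheme_sharing(domain_to_scheme, scheme_format):
    """Names of without-domain schemes referenced by more than one ISP domain."""
    domains_per_scheme = {}
    for domain, scheme in domain_to_scheme.items():
        domains_per_scheme.setdefault(scheme, set()).add(domain)
    return sorted(scheme for scheme, domains in domains_per_scheme.items()
                  if scheme_format.get(scheme) == "without-domain" and len(domains) > 1)


def find_collisions(login_names, domain_to_scheme, scheme_format, default_domain="system"):
    """Logins from different ISP domains that reach the same server under the same name."""
    seen = {}
    for login in login_names:
        userid, domain = resolve_domain(login, default_domain)
        scheme = domain_to_scheme[domain]
        with_domain = scheme_format.get(scheme, "with-domain") == "with-domain"
        sent = name_for_server(login, default_domain, with_domain)
        seen.setdefault((scheme, sent), set()).add((userid, domain))
    return {key: sorted(users) for key, users in seen.items() if len(users) > 1}


def demo():
    """Constructed domains, schemes and logins: 'rad1' is shared by two domains."""
    domain_to_scheme = {"cams": "rad1", "test": "rad1", "system": "rad2"}
    scheme_format = {"rad1": "without-domain", "rad2": "with-domain"}
    logins = ["alice@cams", "alice@test", "bob", "carol@system"]
    return (check_scheme_sharing(domain_to_scheme, scheme_format),
            find_collisions(logins, domain_to_scheme, scheme_format))
```

In demo(), alice@cams and alice@test both reach scheme rad1 as plain "alice", which is the ambiguity the guide warns about; bob, having no domain part, is placed in the default domain and sent as bob@system.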
Table 231 Configure the attributes for data to be sent to the RADIUS servers
Operation | Command | Description
Enter system view | system-view | -
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the format of the user names to be sent to RADIUS servers | user-name-format { with-domain | without-domain } | Optional. By default, the user names sent from the switch to RADIUS servers carry ISP domain names.
Set the units of measure for data flows sent to RADIUS servers | data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }* | Optional. By default, in a RADIUS scheme, the unit of measure for data is byte and that for packets is one-packet.
Set the source IP address used by the switch to send RADIUS packets | In RADIUS scheme view: nas-ip ip-address. In system view: radius nas-ip ip-address | Optional. By default, no source IP address is specified, and the IP address of the outbound interface is used as the source IP address.
Configuring a Local RADIUS Authentication Server
When you use the local RADIUS authentication server function, the UDP port number for the authentication/authorization service must be 1645, the UDP port number for the accounting service must be 1646, and the IP addresses of the servers must be set to the addresses of the switch.
The packet encryption key set by the local-server command with the key password parameter must be identical to the authentication/authorization packet encryption key set by the key authentication command in RADIUS scheme view.
The switch supports up to 16 local RADIUS authentication servers (including the default local RADIUS authentication server).
Configuring the Timers of RADIUS Servers
If the switch gets no response from the RADIUS server after sending a RADIUS request (authentication/authorization request or accounting request) and waiting for a period of time, it retransmits the packet to ensure that the user can obtain the RADIUS service. This wait time is called the response timeout time of RADIUS servers, and the timer in the switch that controls this wait time is called the response timeout timer of RADIUS servers.
The product of the retry-times argument of the retry command and the seconds argument of the timer response-timeout command can be greater than 75.
Table 232 Configure local RADIUS authentication server
Operation | Command | Description
Enter system view | system-view | -
Create a local RADIUS authentication server | local-server nas-ip ip-address key password | Required. By default, a local RADIUS authentication server with NAS-IP 127.0.0.1 has already been created.

Table 233 Set the timers of RADIUS servers
Operation | Command | Description
Enter system view | system-view | -
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the response timeout time of RADIUS servers | timer response-timeout seconds | Optional. By default, the response timeout timer of RADIUS servers expires in three seconds.
Set the wait time for the primary server to restore the active state | timer quiet minutes | Optional. By default, the primary server waits five minutes before restoring the active state.
Set the real-time accounting interval | timer realtime-accounting minutes | Optional. By default, the real-time accounting interval is 12 minutes.
TACACS+ Configuration
Creating a TACACS+ Scheme
The TACACS+ protocol is configured scheme by scheme. Therefore, you must create a TACACS+ scheme and enter TACACS+ view before you perform other configuration tasks.
The system supports up to 16 TACACS+ schemes. You can delete only the schemes that are not in use.
Configuring TACACS+ Authentication Servers
The primary and secondary authentication servers cannot use the same IP address. Otherwise, the system prompts that the configuration is unsuccessful.
You can remove a server only when it is not used by any active TCP connection for sending authentication packets.
Table 234 Create a TACACS+ scheme
Operation | Command | Description
Enter system view | system-view | -
Create a TACACS+ scheme and enter TACACS+ view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.

Table 235 Configure TACACS+ authentication servers
Operation | Command | Description
Enter system view | system-view | -
Create a TACACS+ scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.
Set the IP address and port number of the primary TACACS+ authentication server | primary authentication ip-address [ port ] | Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 49.
Set the IP address and port number of the secondary TACACS+ authentication server | secondary authentication ip-address [ port ] | Required. By default, the IP address of the secondary authentication server is 0.0.0.0, and the port number is 49.
Configuring TACACS+ Authorization Servers
The primary and secondary authorization servers cannot use the same IP address. Otherwise, the system prompts that the configuration is unsuccessful.
You can remove a server only when it is not used by any active TCP connection for sending authorization packets.
Configuring TACACS+ Accounting Servers
Table 236 Configure TACACS+ authorization servers
Operation | Command | Description
Enter system view | system-view | -
Create a TACACS+ scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.
Set the IP address and port number of the primary TACACS+ authorization server | primary authorization ip-address [ port ] | Required. By default, the IP address of the primary authorization server is 0.0.0.0, and the port number is 49.
Set the IP address and port number of the secondary TACACS+ authorization server | secondary authorization ip-address [ port ] | Required. By default, the IP address of the secondary authorization server is 0.0.0.0, and the port number is 49.

Table 237 Configure TACACS+ accounting servers
Operation | Command | Description
Enter system view | system-view | -
Create a TACACS+ scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.
Set the IP address and port number of the primary TACACS+ accounting server | primary accounting ip-address [ port ] | Required. By default, the IP address of the primary accounting server is 0.0.0.0, and the port number is 49.
Set the IP address and port number of the secondary TACACS+ accounting server | secondary accounting ip-address [ port ] | Required. By default, the IP address of the secondary accounting server is 0.0.0.0, and the port number is 49.
Enable the switch to buffer the stop-accounting requests that get no response | stop-accounting-buffer enable | Optional. By default, the switch is enabled to buffer the stop-accounting requests that get no response.
Enable the stop-accounting packet retransmission function and set the maximum number of attempts | retry stop-accounting retry-times | Optional. By default, the stop-accounting packet retransmission function is enabled and the system can transmit a stop-accounting request up to 100 times.
The primary and secondary accounting servers cannot use the same IP address. Otherwise, the system prompts that the configuration is unsuccessful.
You can remove a server only when it is not used by any active TCP connection for sending accounting packets.
Currently, RADIUS and TACACS+ do not support the accounting of FTP users.
Configuring Shared Keys for TACACS+ Packets
When using a TACACS+ server as an AAA server, you can set a key to improve the security of the communication between the switch and the TACACS+ server.
The TACACS+ client and server use the MD5 algorithm to encrypt the exchanged TACACS+ packets. The two parties verify the validity of the exchanged packets by using the shared keys configured on them, and accept and respond to each other's packets only if both have the same shared keys.
Configuring the Attributes for Data to be Sent to TACACS+ Servers
Table 238 Configure shared keys for TACACS+ packets
Operation | Command | Description
Enter system view | system-view | -
Create a TACACS+ scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.
Set a shared key for the TACACS+ accounting/authentication/authorization packets | key { accounting | authorization | authentication } string | Required. By default, the TACACS+ server does not have a key.

Table 239 Configure the attributes for data to be sent to TACACS+ servers
Operation | Command | Description
Enter system view | system-view | -
Create a TACACS+ scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.
Set the format of the user names to be sent to TACACS+ servers | user-name-format { with-domain | without-domain } | Optional. By default, the user names sent from the switch to TACACS+ servers carry ISP domain names.
Set the units of measure for data flows sent to TACACS+ servers | data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } and data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet } | Optional. By default, in a TACACS+ scheme, the unit of measure for data is byte and that for packets is one-packet.
Set the source IP address used by the switch to send TACACS+ packets | In TACACS+ view: nas-ip ip-address. In system view: hwtacacs nas-ip ip-address | Optional. By default, no source IP address is specified; the IP address of the outbound interface is used as the source IP address.
Generally, access users are named in the userid@isp-name format, where isp-name after the @ character is the ISP domain name. If the TACACS+ server does not accept user names carrying an ISP domain name, the domain name must be removed from the user names before they are sent to the TACACS+ server.
The nas-ip command in TACACS+ scheme view takes effect only for the current TACACS+ scheme, while the one in system view applies to all TACACS+ schemes. The former takes priority.
Configuring the Timers of TACACS+ Servers
The real-time accounting interval setting is indispensable to real-time accounting. After an interval value is set, the device transmits the accounting information of online users to the TACACS+ accounting server at intervals of this value. Even if the server does not respond, the device does not cut down the online user.
The interval must be a multiple of 3.
The setting of the real-time accounting interval depends to some extent on the performance of the device and the TACACS+ server: a shorter interval requires higher device performance.
Table 240 Configure the timers of TACACS+ servers
Operation | Command | Description
Enter system view | system-view | -
Create a TACACS+ scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | Required. By default, no TACACS+ scheme exists.
Set the response timeout time of TACACS+ servers | timer response-timeout seconds | Optional. By default, the response timeout time is five seconds.
Set the wait time for the primary server to restore the active state | timer quiet minutes | Optional. By default, the primary server waits five minutes before restoring the active state.
Set the real-time accounting interval | timer realtime-accounting minutes | Optional. By default, the real-time accounting interval is 12 minutes.
Displaying and Maintaining AAA & RADIUS & TACACS+ Information
After the above configurations, you can execute the display commands in any view to view the operation of AAA, RADIUS and TACACS+ and verify your configuration.
You can use the reset command in user view to clear the corresponding statistics.
Table 241 Display AAA information
Operation | Command | Description
Display the configuration information about one specific or all ISP domains | display domain [ isp-name ] | You can execute the display command in any view.
Display the information about user connections | display connection [ access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name ] | You can execute the display command in any view.
Display the information about local users | display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { lan-access | telnet | ssh | terminal | ftp } | state { active | block } | user-name user-name ] | You can execute the display command in any view.

Table 242 Display and maintain RADIUS protocol information
Operation | Command | Description
Display the statistics about the local RADIUS authentication server | display local-server statistics | You can execute the display command in any view.
Display the configuration information about one specific or all RADIUS schemes | display radius scheme [ radius-scheme-name ] | You can execute the display command in any view.
Display the statistics about RADIUS packets | display radius statistics | You can execute the display command in any view.
Display the buffered no-response stop-accounting request packets | display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } | You can execute the display command in any view.
Delete the buffered no-response stop-accounting request packets | reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } | You can execute the reset command in user view.
Clear the statistics about the RADIUS protocol | reset radius statistics | You can execute the reset command in user view.
AAA & RADIUS & TACACS+ Configuration Example
Remote RADIUS Authentication of Telnet/SSH Users
The configuration procedure for the remote authentication of SSH users through a RADIUS server is similar to that for Telnet users. The following description takes only the remote authentication of Telnet users as an example.
Currently, RADIUS and TACACS+ do not support the accounting of FTP users.
Network requirements
In the network environment shown in Figure 101, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server.
A RADIUS server with IP address 10.110.91.164 is connected to the switch. This server will be used as the authentication server.
On the switch, set the shared key used to exchange packets with the authentication RADIUS server to "expert".
Table 243 Display and maintain TACACS+ protocol information
Operation | Command | Description
Display the configuration or statistics information about one specific or all TACACS+ schemes | display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] | You can execute the display command in any view.
Display the buffered stop-accounting request packets that are not responded to | display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } | You can execute the display command in any view.
Clear the statistics about the TACACS+ protocol | reset hwtacacs statistics { accounting | authentication | authorization | all } | You can execute the reset command in user view.
Delete the buffered stop-accounting request packets that are not responded to | reset stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } | You can execute the reset command in user view.
You can use a CAMS server as the RADIUS server. If you use a third-party RADIUS server, you can select standard or extended as the server type in the RADIUS scheme. When you use a CAMS server, you should select extended for server-type in the RADIUS scheme.
On the RADIUS server:
Set the shared key it uses to exchange packets with the switch to "expert".
Set the port number for authentication.
Add Telnet user names and login passwords.
The Telnet user name added to the RADIUS server must be in the userid@isp-name format if you have configured the switch to include domain names in the user names sent to the RADIUS server.
Network diagram
Figure 101 Remote RADIUS authentication of Telnet users
Configuration procedure
1 Enter system view.
<3Com> system-view
[3Com]
2 Adopt AAA authentication for Telnet users.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
3 Configure an ISP domain.
[3Com] domain cams
[3Com-isp-cams] access-limit enable 10
[3Com-isp-cams] quit
4 Configure optional accounting. This configuration is required if the CAMS server also serves as the RADIUS server, because the CAMS server does not respond to accounting packets. If an independent RADIUS server (Windows 2000, for example) is used, this configuration is not required.
[3Com-isp-cams] accounting optional
[3Com-isp-cams] quit
5 Configure a RADIUS scheme.
[3Com] radius scheme cams
[3Com-radius-cams] primary authentication 10.110.91.164 1812
[3Com-radius-cams] primary accounting 10.110.91.164 1813
[3Com-radius-cams] key authentication expert
[3Com-radius-cams] key accounting expert
[3Com-radius-cams] server-type extended
[3Com-radius-cams] user-name-format with-domain
[3Com-radius-cams] quit
6 Configure the AAA scheme for the domain. If authentication, authorization and accounting are all required, you need to configure an authentication scheme, an authorization scheme and an accounting scheme. If only one or two types of service are required, configure just the corresponding items.
[3Com] domain cams
[3Com-isp-cams] authentication login radius-scheme cams
[3Com-isp-cams] authorization login radius-scheme cams
[3Com-isp-cams] accounting login radius-scheme cams
7 Configure the default AAA scheme, in which the user type is not checked.
[3Com] domain cams
[3Com-isp-cams] authentication default radius-scheme cams
[3Com-isp-cams] authorization default radius-scheme cams
[3Com-isp-cams] accounting default radius-scheme cams
Local Authentication, Authorization and Accounting for FTP/Telnet Users
For FTP users, no accounting is required and their local authentication and authorization are the same as those of Telnet users. Therefore, the following describes only the configuration for Telnet users.
Network requirements
Configure local authentication, authorization and accounting schemes on the switch for Telnet users.
Networking diagram
Figure 102 Local authentication, authorization and accounting configuration for Telnet users (diagram not reproduced; labels: telnet user, Internet)
Configuration procedure
1 Method 1: Using local authentication, authorization and accounting.
a Set Telnet users to use the AAA scheme.
<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
b Create the local user telnet.
[3Com] local-user telnet
[3Com-luser-telnet] service-type telnet
[3Com-luser-telnet] password simple 3Com
[3Com-luser-telnet] attribute idle-cut 5 access-limit 5
[3Com-luser-telnet] quit
[3Com] domain system
[3Com-isp-system] authentication login local
[3Com-isp-system] authorization login local
[3Com-isp-system] accounting login local
c Configure the default AAA schemes, in which the user type is not checked.
[3Com-isp-system] authentication default local
[3Com-isp-system] authorization default local
[3Com-isp-system] accounting default local
The user enters the user name userid@system to use the authentication of the system domain.
2 Method 2: Using a local RADIUS server.
This method is similar to the remote authentication method described in section Remote RADIUS Authentication of Telnet/SSH Users. You only need to change the server IP address, the authentication password, and the UDP port number for the authentication service in the configuration step "Configure a RADIUS scheme" of that section to 127.0.0.1, 3Com, and 1645 respectively, and configure local users.
TACACS Authentication/Authorization and Accounting of Telnet Users
Network requirements
You are required to configure the switch so that the Telnet users logging in to the switch are authenticated, authorized and accounted by the TACACS server. A TACACS server with IP address 10.110.91.164 is connected to the switch. This server is used as the AAA server. On the switch, set the shared key used to exchange packets with the AAA TACACS server to "expert". Configure the switch to strip off the domain name in the user names sent to the TACACS server.
Configure the shared key to "expert" on the TACACS server for exchanging packets with the switch.
Networking diagram
Figure 103 Remote TACACS authentication, authorization and accounting of Telnet users
Configuration procedure
1 Set Telnet users to use the AAA scheme.
<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
2 Configure the TACACS+ scheme.
[3Com] hwtacacs scheme hwtac
[3Com-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[3Com-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[3Com-hwtacacs-hwtac] primary accounting 10.110.91.164 49
[3Com-hwtacacs-hwtac] key authentication expert
[3Com-hwtacacs-hwtac] key authorization expert
[3Com-hwtacacs-hwtac] key accounting expert
[3Com-hwtacacs-hwtac] user-name-format without-domain
[3Com-hwtacacs-hwtac] quit
3 Configure the AAA scheme for the domain.
[3Com] domain hwtacacs
[3Com-isp-hwtacacs] authentication login hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] authorization login hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] accounting login hwtacacs-scheme hwtac
4 Configure the default AAA schemes, in which the user type is not checked.
[3Com] domain hwtacacs
[3Com-isp-hwtacacs] authentication default hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] authorization default hwtacacs-scheme hwtac
[3Com-isp-hwtacacs] accounting default hwtacacs-scheme hwtac
Local Authentication, TACACS+ Authorization and RADIUS Accounting of Telnet Users
Network requirements
Set the switch to perform local authentication, TACACS+ authorization and RADIUS accounting. The user name and password are both telnet.
A TACACS server with IP address 10.110.91.165 is connected to the switch. This server will be used as the accounting server. On the switch, set the shared key used to exchange packets with the accounting TACACS server to "expert".
For the AAA applications of users of other access types, the AAA configurations on the domain are similar to those of Telnet users, except for the different access types.
Networking diagram
Figure 104 Local authentication, TACACS+ authorization and RADIUS accounting of Telnet users
Configuration procedure
1 Set Telnet users to use the AAA scheme.
<3Com> system-view
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
[3Com-ui-vty0-4] quit
2 Configure a TACACS+ scheme.
[3Com] hwtacacs scheme hwtac
[3Com-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[3Com-hwtacacs-hwtac] key authorization expert
[3Com-hwtacacs-hwtac] user-name-format without-domain
[3Com-hwtacacs-hwtac] quit
3 Configure a RADIUS scheme.
[3Com] radius scheme cams
[3Com-radius-cams] primary accounting 10.110.91.165 1813
[3Com-radius-cams] key accounting expert
[3Com-radius-cams] server-type extended
[3Com-radius-cams] user-name-format with-domain
[3Com-radius-cams] quit
4 Create the local user telnet.
[3Com] local-user telnet
[3Com-luser-telnet] service-type telnet
[3Com-luser-telnet] password simple telnet
5 Configure the AAA scheme for the domain.
[3Com] domain test
[3Com-isp-test] authentication login local
[3Com-isp-test] authorization login hwtacacs-scheme hwtac
[3Com-isp-test] accounting login radius-scheme cams
6 Configure the default AAA schemes, in which the user type is not checked.
[3Com] domain test
[3Com-isp-test] authentication default local
[3Com-isp-test] authorization default hwtacacs-scheme hwtac
[3Com-isp-test] accounting default radius-scheme cams
Troubleshooting AAA & RADIUS & TACACS+ Configuration
Troubleshooting the RADIUS Protocol
The RADIUS protocol is at the application layer of the TCP/IP protocol suite. It prescribes how the switch and the RADIUS server of the ISP exchange user information with each other.
Symptom 1: User authentication/authorization always fails.
Possible reasons and solutions:
The user name is not in the userid@isp-name format, or no default ISP domain is specified on the switch - Use the correct user name format, or set a default ISP domain on the switch.
The user is not configured in the database of the RADIUS server - Check the database of the RADIUS server and make sure that the configuration information about the user exists.
The user entered an incorrect password - Be sure to enter the correct password.
The switch and the RADIUS server have different shared keys - Compare the shared keys at the two ends and make sure they are identical.
The switch cannot communicate with the RADIUS server (you can determine this by pinging the RADIUS server from the switch) - Take measures to make the switch communicate with the RADIUS server normally.
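The shared-key mismatch listed above can be verified from the packet exchange itself. Every RADIUS reply carries a Response Authenticator, the MD5 of the reply header, the Request Authenticator of the matching request, the reply attributes and the shared secret (RFC 2865), and a NAS such as the switch discards any reply whose authenticator does not verify under its own key, so the user simply fails authentication. The following Python is an example added to this section, not code from the 3Com guide; it builds a constructed Access-Request and Access-Accept pair (identifier, user name and keys are made up, with "expert" reused from the configuration example above) and shows the check passing under the matching key and failing under a mismatched one.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1  # RADIUS attribute type for User-Name


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(identifier, attributes, request_auth=None):
    """Access-Request as the NAS sends it; the Request Authenticator is a
    16-byte random value (drawn here, or supplied for a deterministic test)."""
    if request_auth is None:
        request_auth = os.urandom(16)
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
    return header + request_auth + attributes


def build_reply(code, request, attributes, secret):
    """Reply as the server builds it. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier = request[1]
    request_auth = request[4:20]
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def reply_is_authentic(reply, request, secret):
    """What the NAS does before acting on a reply: match it to the outstanding
    request, recompute the authenticator with its own key and compare in
    constant time. False here, with working connectivity, is the signature
    of a shared-key mismatch between switch and server."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != request[1] or length != len(reply) or length < 20:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Constructed exchange: the switch holds key "expert"; one server
    answers with the same key, the other with a mistyped one."""
    switch_key = b"expert"
    request = build_request(7, attribute(USER_NAME, b"telnet@test"))
    good_reply = build_reply(ACCESS_ACCEPT, request, b"", b"expert")
    bad_reply = build_reply(ACCESS_ACCEPT, request, b"", b"expert-typo")
    return (reply_is_authentic(good_reply, request, switch_key),
            reply_is_authentic(bad_reply, request, switch_key))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the check fails silently on the NAS side, a key mismatch looks exactly like Symptom 1 while the server log shows the request arriving; comparing the keys at both ends, as the list above says, is the only fix.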
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions:
The communication links (physical/link layer) between the switch and the RADIUS server are disconnected or blocked - Take measures to make the links connected and unblocked.
No RADIUS server IP address, or an incorrect one, is set on the switch - Be sure to set a correct RADIUS server IP address.
One or all AAA UDP port settings are incorrect - Be sure to set the same UDP port numbers as those on the RADIUS server.
Symptom 3: The user passes authentication and gets authorized, but the accounting information cannot be transmitted to the RADIUS server.
Possible reasons and solutions:
The accounting port number is not properly set - Be sure to set a correct port number for RADIUS accounting.
The switch requires that the authentication/authorization server and the accounting server be the same device (with the same IP address), but in fact they do not reside on the same device - Be sure to configure the RADIUS servers on the switch according to the actual situation.
Troubleshooting the TACACS+ Protocol
See the previous section if you encounter a TACACS+ fault.
32 IGMP SNOOPING CONFIGURATION
IGMP Snooping Overview
Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast
constraining mechanism that runs on Layer 2 devices to manage and control multicast
groups.
Principle of IGMP Snooping
By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping
establishes mappings between ports and MAC multicast groups and forwards multicast
data based on these mappings.
As shown in Figure 105, when IGMP Snooping is not running, multicast packets are
broadcast to all devices at Layer 2. When IGMP Snooping runs, multicast packets for
known multicast groups are multicast to the receivers at Layer 2.
Figure 105 Multicast forwarding before and after IGMP Snooping runs
Basic Concepts in IGMP Snooping
IGMP Snooping related ports
As shown in Figure 106, Router A connects to the multicast source, IGMP Snooping runs
on Switch A and Switch B, Host A and Host C are receiver hosts (namely, multicast group
members).
(Figure 105 panels: "Multicast packet transmission without IGMP Snooping" and "Multicast packet transmission when IGMP Snooping runs"; elements shown: Source, Multicast Router, Layer 2 Ethernet Switch, Host A, Host B, Host C, Receivers, Multicast Packets.)
Figure 106 IGMP Snooping related ports
Ports involved in IGMP Snooping, as shown in Figure 106, are described as follows:
Router port: On an Ethernet switch, a router port connects the switch to a multicast
router. In the figure, GigabitEthernet1/0/1 of Switch A and GigabitEthernet1/0/1 of
Switch B are router ports. A switch registers all its local router ports in its router port
list.
Member port: On an Ethernet switch, a member port (also known as multicast group
member port) connects the switch to a multicast group member. In the figure,
GigabitEthernet1/0/2 and GigabitEthernet1/0/3 of Switch A and GigabitEthernet1/0/2
of Switch B are member ports.
Whenever mentioned in this document, a router port is a router-connecting port on a
switch, rather than a port on a router.
Port aging timers in IGMP Snooping and related messages and actions
Table 244 Port aging timers in IGMP Snooping and related messages and actions
Router port aging timer: For each router port, the switch sets a timer initialized to the aging time of the router port. Message before expiry: IGMP general query or PIM hello message. Action after expiry: The switch removes this port from its router port list.
Member port aging timer: When a port joins a multicast group, the switch sets a timer for the port, which is initialized to the member port aging time. Message before expiry: IGMP report message. Action after expiry: The switch removes this port from the multicast group forwarding table.
(Figure 106 elements: Source; Router A; Switch A with GigabitEthernet1/0/1 as router port and GigabitEthernet1/0/2 and GigabitEthernet1/0/3 as member ports; Switch B with GigabitEthernet1/0/1 as router port and GigabitEthernet1/0/2 as member port; Host A, Host B, Host C, Host D; Receivers; Multicast Packets.)
Work Mechanism of IGMP Snooping
A switch running IGMP Snooping processes IGMP messages as follows:
IGMP general queries
The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether multicast group members exist on the subnet.
Upon receiving an IGMP general query, the switch forwards it to all ports in the VLAN
except the receiving port and performs the following to the receiving port:
If the receiving port is a router port existing in its router port list, the switch resets the
aging timer of this router port.
If the receiving port is not a router port existing in its router port list, the switch adds
it into its router port list and sets an aging timer for this router port.
IGMP reports
A host sends an IGMP report to the multicast router in the following circumstances:
Upon receiving an IGMP query, a multicast group member host responds with an
IGMP report.
When intended to join a multicast group, a host sends an IGMP report to the
multicast router to announce that it is to join the multicast group.
Upon receiving the IGMP report, the switch forwards it to all the router ports in the VLAN and performs the following on the receiving port:
Resolves the address of the multicast group that the host is to join and adds a forwarding entry for this port in the forwarding table.
Sets or resets a member port aging timer for this port.
A switch will not forward an IGMP report to a non-router port in the VLAN for the following reason: when IGMP report suppression is enabled, if member hosts of that multicast group still exist under other non-router ports, those hosts will stop sending IGMP reports when they receive the forwarded report. The switch would then no longer know that members of that multicast group are still attached to those ports.
IGMP leave messages
When an IGMPv1 host leaves a multicast group, the host does not send an IGMP leave message, so the switch cannot know immediately that the host has left the multicast group. However, as the host stops sending IGMP reports as soon as it leaves a multicast group, the switch deletes the forwarding entry for the member port corresponding to the host from the forwarding table when its aging timer expires.
When an IGMPv2 or IGMPv3 host leaves a multicast group, the host sends an IGMP leave message to the multicast router to announce that it has left the multicast group.
Upon receiving an IGMP leave message, a switch forwards it to all router ports in the VLAN. Because the switch does not know whether any other member hosts of that multicast group still exist under the port on which the IGMP leave message arrived, the switch does not immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port.
IGMP group-specific queries
Upon receiving the IGMP leave message from a host, the IGMP querier determines the address of the multicast group that the host just left, and sends an IGMP group-specific query to that multicast group through the port from which it received the leave message.
Upon receiving the IGMP group-specific query, a switch forwards it to all the router ports in the VLAN and all member ports of that multicast group, and performs the following on the receiving port:
If an IGMP report for that multicast group arrives at the member port in response to the query before its aging timer expires, this means that some other members of that multicast group still exist under that port: the switch resets the aging timer of the member port.
If no IGMP report for that multicast group arrives at this member port in response to the IGMP group-specific query before its aging timer expires, this means that no members of that multicast group still exist under the port: the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires.
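A deterministic model of the message handling just described, as an added example (not 3Com code and not a description of the switch's internal implementation): ports, the clock and the message sequence are constructed. It applies the four rules above plus router and member port aging, using this chapter's timer defaults (router-aging-time 180 s, host-aging-time 260 s, last-member-query-interval 1 s) and the port fast leave option; the assumption that a port with a pending leave must answer the group-specific query within the last-member query interval is the model's reading of the rule above, not a statement from the guide.

```python
"""Model of the IGMP Snooping work mechanism: router port list, member
port forwarding table, aging timers and leave handling.  Added example."""

ROUTER_AGING_TIME = 180          # seconds, router-aging-time default
HOST_AGING_TIME = 260            # seconds, host-aging-time default
LAST_MEMBER_QUERY_INTERVAL = 1   # seconds, last-member-query-interval default


class SnoopingVlan:
    """One VLAN on a Layer 2 switch running IGMP Snooping (simulated clock)."""

    def __init__(self, ports, fast_leave=False, router_aging=ROUTER_AGING_TIME,
                 host_aging=HOST_AGING_TIME, last_member_query=LAST_MEMBER_QUERY_INTERVAL):
        self.ports = set(ports)          # constructed port names, e.g. "g1"
        self.fast_leave = fast_leave
        self.router_aging = router_aging
        self.host_aging = host_aging
        self.last_member_query = last_member_query
        self.now = 0                     # simulated time in seconds
        self.router_ports = {}           # port -> expiry time
        self.members = {}                # group -> {port: expiry time}
        self.leaving = set()             # (group, port) with a leave pending
        self.forwarded = []              # (message, frozenset(out_ports)) trace

    def _send(self, message, ports):
        self.forwarded.append((message, frozenset(ports)))

    def egress(self, group):
        """Ports that receive data for group: its member ports plus router ports."""
        return set(self.members.get(group, {})) | set(self.router_ports)

    def general_query(self, in_port):
        # forwarded to every port except the receiving one; the receiving
        # port becomes (or stays) a router port with a fresh aging timer
        self._send("general-query", self.ports - {in_port})
        self.router_ports[in_port] = self.now + self.router_aging

    def report(self, in_port, group):
        # forwarded to router ports only, never to other member ports
        self._send(("report", group), set(self.router_ports) - {in_port})
        self.members.setdefault(group, {})[in_port] = self.now + self.host_aging
        self.leaving.discard((group, in_port))

    def leave(self, in_port, group):
        if in_port not in self.members.get(group, {}):
            return
        if self.fast_leave:
            del self.members[group][in_port]   # deleted at once, no query round
            return
        self._send(("leave", group), set(self.router_ports) - {in_port})
        self.leaving.add((group, in_port))     # entry kept until the query round ends

    def group_specific_query(self, in_port, group):
        targets = (set(self.router_ports) | set(self.members.get(group, {}))) - {in_port}
        self._send(("group-specific-query", group), targets)
        # model assumption: a port with a pending leave must see a report
        # within the query's max response time (the last-member query interval)
        for port in self.members.get(group, {}):
            if (group, port) in self.leaving:
                self.members[group][port] = self.now + self.last_member_query

    def tick(self, seconds):
        """Advance the clock and age out expired router and member ports."""
        self.now += seconds
        for port, expiry in list(self.router_ports.items()):
            if expiry <= self.now:
                del self.router_ports[port]
        for group in list(self.members):
            for port, expiry in list(self.members[group].items()):
                if expiry <= self.now:
                    del self.members[group][port]
                    self.leaving.discard((group, port))
            if not self.members[group]:
                del self.members[group]


def demo():
    """Constructed sequence; returns the egress set for the group at four points."""
    vlan = SnoopingVlan(ports=["g1", "g2", "g3"])
    vlan.general_query("g1")                 # g1 becomes the router port
    vlan.report("g2", "224.1.1.1")
    vlan.report("g3", "224.1.1.1")
    after_join = vlan.egress("224.1.1.1")
    vlan.leave("g3", "224.1.1.1")            # entry stays for now
    after_leave = vlan.egress("224.1.1.1")
    vlan.group_specific_query("g1", "224.1.1.1")
    vlan.report("g2", "224.1.1.1")           # g2 still has a member; g3 stays silent
    vlan.tick(2)                             # g3's 1 s response window has passed
    after_query = vlan.egress("224.1.1.1")
    vlan.tick(300)                           # router port and member port age out
    after_aging = vlan.egress("224.1.1.1")
    return after_join, after_leave, after_query, after_aging
```

Running demo() shows the property the text is after: a leave on g3 does not stop traffic to g2, and silence on g3 after the group-specific query is what finally removes it. The trace in forwarded can be used to confirm that reports are never sent to non-router ports.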
IGMP Snooping Configuration Tasks
Complete these tasks to configure IGMP Snooping:
Table 245 IGMP Snooping Configuration Tasks
Configuring Basic Functions of IGMP Snooping: Enabling IGMP Snooping (Required)
Configuring Basic Functions of IGMP Snooping: Configuring the Version of IGMP Snooping (Optional)
Configuring Basic Functions of IGMP Snooping: Configuring Port Aging Timers (Optional)
Configuring Port Functions: Configuring Static Ports (Optional)
Configuring Port Functions: Enabling Simulated Host Joining (Optional)
Configuring Port Functions: Enabling Port Fast Leave (Optional)
Configuring Port Functions: Configuring IGMP Report Suppression (Optional)
Configuring IGMP-Related Functions: Enabling IGMP Querier (Optional)
Configuring IGMP-Related Functions: Configuring IGMP Timers (Optional)
Configuring IGMP-Related Functions: Configuring Source IP Address of IGMP Queries (Optional)
Configuring IGMP-Related Functions: Configuring the Function of Dropping Unknown Multicast Data (Optional)
Configuring a Multicast Group Policy: Configuring a Multicast Group Filter (Optional)
Configuring a Multicast Group Policy: Configuring Multicast Source Port Filtering (Optional)
Configuring a Multicast Group Policy: Configuring Maximum Multicast Groups that Can Pass Ports (Optional)
Configuring a Multicast Group Policy: Configuring Multicast Group Replacement (Optional)
Configurations performed in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. However, configurations made in VLAN view override the corresponding configurations made in IGMP Snooping view.
Configurations performed in IGMP Snooping view are globally effective; configurations performed in port view are effective only for the current port; configurations performed in port group view are effective for all the ports in the current port group.
The system gives priority to configurations made in port view or port group view. Configurations made in IGMP Snooping view are used only if the corresponding configurations have not been made in port view or port group view.
Configuring Basic Functions of IGMP Snooping
Configuration Prerequisites
Before configuring the basic functions of IGMP Snooping, complete the following tasks:
Configure the corresponding VLANs
Configure the corresponding port groups
Before configuring the basic functions of IGMP Snooping, prepare the following data:
Version of IGMP Snooping
Aging time of router ports
Aging time of member ports
Enabling IGMP Snooping
Follow these steps to enable IGMP Snooping:
Table 246 Enabling IGMP Snooping
To... : Use the command... (Remarks)
Enter system view: system-view
Enable IGMP Snooping globally and enter IGMP Snooping view: igmp-snooping (Required; not globally enabled by default)
Exit IGMP Snooping view: quit
Enter VLAN view: vlan vlan-id
Enable IGMP Snooping in the VLAN: igmp-snooping enable (Required; not enabled in a VLAN by default)
Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping setting will not take effect.
If you enable IGMP Snooping in a specified VLAN, this function takes effect for Ethernet ports in this VLAN only.
Configuring the Version of IGMP Snooping
By configuring the IGMP Snooping version, you are actually configuring the version of IGMP messages that can be analyzed and processed by IGMP Snooping.
If the current version is 2, IGMP Snooping can analyze and process IGMPv1 and IGMPv2 messages, but cannot analyze and process IGMPv3 messages: in this case, IGMPv3 messages will be broadcast in the VLAN.
If the current version is 3, IGMP Snooping can analyze and process IGMPv1, IGMPv2 and IGMPv3 messages.
Follow these steps to configure the version of IGMP Snooping:
Table 247 Configuring the Version of IGMP Snooping
To... : Use the command... (Remarks)
Enter system view: system-view
Enter VLAN view: vlan vlan-id
Configure the version of IGMP Snooping: igmp-snooping version version-number (Optional; version 2 by default)
CAUTION: If you switch IGMP Snooping from version 3 to version 2, the system will automatically delete all the IGMP Snooping entries and re-apply the valid static configurations.
Configuring Port Aging Timers
If the switch does not receive an IGMP general query or a PIM hello message before the aging timer of a router port expires, the switch deletes this router port from the router port list when the aging timer times out.
If the switch does not receive an IGMP report for a multicast group before the aging timer of a member port expires, the switch deletes this member port from the forwarding table for that multicast group when the aging timer times out.
If multicast group memberships change frequently, you can set a relatively small value for the member port aging timer, and vice versa.
Configuring port aging timers globally
Follow these steps to configure port aging timers globally:
Table 248 Configuring port aging timers globally
To... : Use the command... (Remarks)
Enter system view: system-view
Enter IGMP Snooping view: igmp-snooping
Configure router port aging time: router-aging-time seconds (Optional; 180 seconds by default)
Configure member port aging time: host-aging-time seconds (Optional; 260 seconds by default)
Configuring port aging timers in a VLAN
Follow these steps to configure port aging timers in a VLAN:
Table 249 Configuring port aging timers in a VLAN
To... : Use the command... (Remarks)
Enter system view: system-view
Enter VLAN view: vlan vlan-id
Configure router port aging time: igmp-snooping router-aging-time seconds (Optional; 180 seconds by default)
Configure member port aging time: igmp-snooping host-aging-time seconds (Optional; 260 seconds by default)
Configuring Port Functions
Configuration Prerequisites
Before configuring port functions, complete the following tasks:
Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface
Before configuring port functions, prepare the following data:
Multicast group and multicast source addresses
Whether to enable the port fast leave function
Whether to enable IGMP report suppression
Configuring Static Ports
If the host attached to a port needs to receive multicast data addressed to a particular multicast group or from a particular multicast source/group, you can configure this port to be a static member port of that multicast group or multicast source/group.
In a network with a stable topology, you can configure router ports of a switch as static router ports, through which the switch can receive IGMP messages from routers or Layer 3 switches.
Follow these steps to configure static ports:
Table 250 Configuring Static Ports
To... : Use the command... (Remarks)
Enter system view: system-view
Enter the corresponding view, using either command:
Enter Ethernet port view: interface interface-type interface-number
Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Configure a static member port: igmp-snooping static-group group-address [ source-ip source_address ] vlan vlan-id (Required; disabled by default)
Configure a static router port: igmp-snooping static-router-port vlan vlan-id (Required; disabled by default)
The function of static joining to a multicast source/group is available only for IGMP Snooping version 3.
When you configure or remove a port as a static member port of a multicast group or multicast source/group, the port will not initiate an IGMP report or an IGMP leave message.
Static member ports and static router ports never age out. To delete such a port, you need to use the corresponding command.
Enabling Simulated Host Joining
Generally, a host running IGMP responds to IGMP queries from a multicast router. If a host fails to respond for some reason, the multicast router will deem that no member of this multicast group exists on the network segment, and therefore will remove the corresponding forwarding path.
To prevent this from happening, you can configure a port of the switch as a member of the multicast group. When an IGMP query arrives, that member port will respond. As a result, the switch can continue to receive multicast data.
A simulated host can implement the following multicast functions of a real host:
When simulated host joining is enabled on an Ethernet port, the simulated host sends an IGMP report on this port.
When receiving an IGMP general query, the simulated host responds with an IGMP report.
When simulated host joining is disabled on an Ethernet port, the simulated host sends an IGMP leave message on this port.
Follow these steps to enable simulated host joining:
Table 251 Enabling Simulated Host Joining
To... : Use the command... (Remarks)
Enter system view: system-view
Enter the corresponding view, using either command:
Enter Ethernet port view: interface interface-type interface-number
Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Enable simulated host joining to a multicast group or multicast source/group: igmp-snooping host-join group-address [ source-ip source_address ] vlan vlan-id (Required; disabled by default)
Each simulated host is equivalent to an independent host. For example, when receiving an IGMP query, the simulated host corresponding to each configuration responds separately.
The IGMP version of the simulated host is the same as the IGMP Snooping version currently running on the device.
Enabling Port Fast Leave
By default, when receiving an IGMP leave message from a host announcing that it is leaving a multicast group, the switch sends an IGMP group-specific query message through the receiving port rather than directly deleting the port from the multicast forwarding table. If the switch receives no response within a certain waiting time, it deletes the port from the forwarding table.
With the port fast leave function enabled, when the switch receives an IGMP leave message from a host announcing that it is leaving a multicast group, the switch directly deletes this port from the forwarding table. From then on, when receiving an IGMP query specific to that multicast group, the switch will not forward the IGMP message to that port.
Configuring port fast leave globally
Follow these steps to configure port fast leave globally:
Table 252 Configuring port fast leave globally
To... : Use the command... (Remarks)
Enter system view: system-view
Enter IGMP Snooping view: igmp-snooping
Enable port fast leave: fast-leave [ vlan vlan-list ] (Required; disabled by default)
Configuring fast leave on a port or a group of ports
Follow these steps to configure fast leave on a port or a group of ports:
Table 253 Configuring fast leave on a port or a group of ports
To... : Use the command... (Remarks)
Enter system view: system-view
Enter the corresponding view, using either command:
Enter Ethernet port view: interface interface-type interface-number
Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Enable port fast leave: igmp-snooping fast-leave [ vlan vlan-list ] (Required; disabled by default)
Configuring IGMP Report Suppression
When a Layer 2 device receives an IGMP report from a multicast group member, it forwards the message to the Layer 3 device directly connected to it. Thus, when multiple members of a multicast group exist on the Layer 2 device, the directly connected Layer 3 device will receive identical IGMP reports from the multiple members of the same group.
With the IGMP report suppression function enabled, within a query interval the Layer 2 device forwards only the first IGMP report of a multicast group to the Layer 3 device and discards the remaining IGMP reports for the same multicast group.
Follow these steps to configure IGMP report suppression:
Table 254 Configuring IGMP Report Suppression
To... : Use the command... (Remarks)
Enter system view: system-view
Enter IGMP Snooping view: igmp-snooping
Enable IGMP report suppression: report-aggregation (Optional; enabled by default)
Configuring IGMP-Related Functions
Configuration Prerequisites
Before configuring IGMP-related functions, complete the following tasks:
Enable IGMP Snooping in the VLAN
Before configuring IGMP-related functions, prepare the following data:
IGMP general query interval
IGMP last-member query interval
Maximum response time for IGMP general queries
Source address of IGMP general queries
Source address of IGMP group-specific queries
Whether to enable the function of dropping unknown multicast data
Enabling IGMP Snooping Querier
On a multicast network running IGMP, a Layer 3 multicast device may exist that serves as an IGMP querier responsible for sending IGMP query messages.
On a network without a Layer 3 multicast device, however, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To address this issue, you can enable an IGMP Snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer, thereby implementing IGMP querier-related functions.
Follow these steps to configure an IGMP Snooping querier:
Table 255 Enabling IGMP Snooping Querier
To... : Use the command... (Remarks)
Enter system view: system-view
Enter VLAN view: vlan vlan-id
Enable the IGMP Snooping querier in the VLAN: igmp-snooping querier (Required; disabled by default)
CAUTION:
An IGMP Snooping querier does not take part in IGMP querier election.
Configuring an IGMP Snooping querier on a multicast network running IGMP makes no sense. Moreover, IGMP querier election may be affected adversely because the source IP address of the IGMP general query messages sent by the configured IGMP Snooping querier is too small.
Configuring IGMP Timers
You can tune the IGMP general query interval based on the actual condition of the network.
Upon receiving an IGMP query (general query or group-specific query), a host starts a timer for each multicast group it has joined. This timer is initialized to a random value in the range of 0 to the maximum response time (the host obtains the value of the maximum response time from the Max Response Time field in the IGMP query it received). When the timer value comes down to 0, the host sends an IGMP report to the corresponding multicast group.
An appropriate setting of the maximum response time for IGMP queries allows hosts to respond to queries quickly and avoids burstiness of IGMP traffic on the network caused by reports sent simultaneously by a large number of hosts when their timers expire at the same time.
For IGMP general queries, you can configure the maximum response time to fill their Max Response Time field.
For IGMP group-specific queries, you can configure the IGMP last-member query interval to fill their Max Response Time field. Namely, for IGMP group-specific queries, the maximum response time equals the IGMP last-member query interval.
Configuring IGMP timers globally
Follow these steps to configure IGMP timers globally:
Table 256 Configuring IGMP timers globally
To... : Use the command... (Remarks)
Enter system view: system-view
Enter IGMP Snooping view: igmp-snooping
Configure the maximum response time for IGMP general queries: max-response-time seconds (Optional; 10 seconds by default)
Configure the IGMP last-member query interval: last-member-query-interval seconds (Optional; 1 second by default)
Configuring IGMP timers in a VLAN
Follow these steps to configure IGMP timers in a VLAN:
Table 257 Configuring IGMP timers in a VLAN
To... : Use the command... (Remarks)
Enter system view: system-view
Enter VLAN view: vlan vlan-id
Configure the IGMP general query interval: igmp-snooping query-interval seconds (Optional; 60 seconds by default)
Configure the maximum response time for IGMP general queries: igmp-snooping max-response-time seconds (Optional; 10 seconds by default)
Configure the IGMP last-member query interval: igmp-snooping last-member-query-interval seconds (Optional; 1 second by default)
CAUTION: In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries.
Configuring Source IP Address of IGMP Queries
We recommend that you configure a valid IP address as the source IP address of IGMP queries to prevent some switches from automatically dropping messages whose source IP address is 0.0.0.0.
Follow these steps to configure the source IP address of IGMP queries:
Table 258 Configuring Source IP Address of IGMP Queries
To... : Use the command... (Remarks)
Enter system view: system-view
Enter VLAN view: vlan vlan-id
Configure the source IP address of IGMP general queries: igmp-snooping general-query source-ip { current-interface | ip-address } (Optional; 0.0.0.0 by default)
Configure the source IP address of IGMP group-specific queries: igmp-snooping special-query source-ip { current-interface | ip-address } (Optional; 0.0.0.0 by default)
CAUTION: The source address of IGMP query messages may affect IGMP querier election within the segment.
Configuring the Function of Dropping Unknown Multicast Data
Unknown multicast data refers to multicast data whose forwarding entries do not exist in the corresponding multicast forwarding table.
Follow these steps to configure the function of dropping unknown multicast data in a VLAN:
Table 259 Configuring the Function of Dropping Unknown Multicast Data
To... : Use the command... (Remarks)
Enter system view: system-view
Enter VLAN view: vlan vlan-id
Enable the function of dropping unknown multicast data: igmp-snooping drop-unknown (Required; disabled by default)
Configuring a Multicast Group Policy
Configuration Prerequisites
Before configuring a multicast group filtering policy, complete the following tasks:
Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface
Before configuring a multicast group filtering policy, prepare the following data:
ACL rule for multicast group filtering
Whether to enable multicast source port filtering
The maximum number of multicast groups that can pass the ports
Whether to enable multicast group replacement
Configuring a Multicast Group Filter
On an IGMP Snooping-enabled switch, configuring a multicast group filter allows the service provider to define the multicast programs available to different users, so that different video on demand (VOD) users can be differentiated by program group.
In actual application, when a user requests a multicast program, the user's host initiates an IGMP report. After the message reaches the switch, the switch checks the report against the ACL rule configured on the receiving port. If this port can join this multicast group, the switch adds this port to the IGMP Snooping multicast group list; otherwise the switch drops this report message. Thus, the multicast data will not be sent to this port. In this way, the service provider can control the VOD programs provided to multicast users.
Configuring a multicast group filter globally
Follow these steps to configure a multicast group filter globally:
Table 260 Configuring a multicast group filter globally
To... : Use the command... (Remarks)
Enter system view: system-view
Enter IGMP Snooping view: igmp-snooping
Configure a multicast group filter: group-policy acl-number [ vlan vlan-list ] (Required; no filter configured by default)
Configuring a multicast group filter on a port or a group of ports
Follow these steps to configure a multicast group filter on a port or a group of ports:
Table 261 Configuring a multicast group filter on a port or a group of ports
To... : Use the command... (Remarks)
Enter system view: system-view
Enter the corresponding view, using either command:
Enter Ethernet port view: interface interface-type interface-number
Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ] (Required; no filter configured by default)
Configuring Multicast Source Port Filtering
When enabled to filter multicast data based on the source ports, the switch filters multicast data received on the router ports.
Configuring multicast source port filtering globally
Follow these steps to configure multicast source port filtering globally:
Table 262 Configuring multicast source port filtering globally
To... : Use the command... (Remarks)
Enter system view: system-view
Enter IGMP Snooping view: igmp-snooping
Enable multicast source port filtering: source-deny port interface-list (Required; disabled by default)
Configuring multicast source port filtering on a port or a group of ports
Follow these steps to configure multicast source port filtering on a port or a group of ports:
Table 263 Configuring multicast source port filtering on a port or a group of ports
To... : Use the command... (Remarks)
Enter system view: system-view
Enter the corresponding view, using either command:
Enter Ethernet port view: interface interface-type interface-number
Enter port group view: port-group { manual port-group-name | aggregation agg-id }
Enable multicast source port filtering: igmp-snooping source-deny (Required; disabled by default)
Configuring Maximum Multicast Groups that Can Pass Ports
By configuring the maximum number of multicast groups that can pass a port or a group of ports, you can limit the number of multicast programs available to VOD users, and thus control the port bandwidth.
When the number of multicast groups an Ethernet port has joined exceeds the maximum number configured, the system deletes all IGMP Snooping entries related to that port and starts adding new entries to the IGMP Snooping multicast group list again.
Follow these steps to configure the maximum number of multicast groups that can pass
the port(s):
If you have configured a port to be as static member port or enabled simulated host
joining, the system deletes all IGMP Snooping entries related to that port and
re-effectuate these configurations, until the number of multicast groups the has joined
exceeds the maximum number configured.
Configuring Multicast
Group Replacement
For some special reasons, the number of multicast groups passing through a switch or
Ethernet port may exceed the number configured for the switch or the port. To address
this situation, you can enable the multicast group replacement function on the switch or
certain Ethernet ports. When the number of multicast groups an Ethernet port has joined
exceeds the limit,
If the multicast group replacement is enabled, the newly joined multicast group
automatically replaces an existing multicast group with the lowest address.
If the multicast group replacement is not enabled, new IGMP reports will be
automatically discarded.
Configuring multicast group replacement globally
Follow these steps to configure multicast group replacement globally:
Table 264 Configuring Maximum Multicast Groups that Can Pass Ports
To... | Use the command... | Remarks
Enter system view | system-view |
Enter the corresponding view: Enter Ethernet port view | interface interface-type interface-number | Use either command
Enter the corresponding view: Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command
Configure the maximum number of multicast groups that can pass the port(s) | igmp-snooping group-limit limit [ vlan vlan-list ] | Optional. 128 by default.
Table 265 Configuring multicast group replacement globally
To... | Use the command... | Remarks
Enter system view | system-view |
Enter IGMP Snooping view | igmp-snooping |
Configure multicast group replacement | overflow-replace [ vlan vlan-list ] | Required. Disabled by default.
Configuring multicast group replacement on a port or a group of ports
Follow these steps to configure multicast group replacement on a port or a group of ports:
Displaying and Maintaining IGMP Snooping
The reset igmp-snooping group command works only on an IGMP Snooping-enabled VLAN, but not on a VLAN with IGMP enabled on its VLAN interface.
Table 266 Configuring multicast group replacement on a port or a group of ports
To... | Use the command... | Remarks
Enter system view | system-view |
Enter the corresponding view: Enter Ethernet port view | interface interface-type interface-number | Use either command
Enter the corresponding view: Enter port group view | port-group { manual port-group-name | aggregation agg-id } | Use either command
Configure multicast group replacement | igmp-snooping overflow-replace [ vlan vlan-list ] | Required. Disabled by default.
Table 267 Displaying and Maintaining IGMP Snooping
To... | Use the command... | Remarks
View the information of multicast groups learned by IGMP Snooping | display igmp-snooping group [ vlan vlan-id ] [ verbose ] | Available in any view
View the statistics information of IGMP messages learned by IGMP Snooping | display igmp-snooping statistics | Available in any view
Clear IGMP Snooping entries | reset igmp-snooping group { group-address | all } [ vlan vlan-id ] | Available in user view
Clear the statistics information of all kinds of IGMP messages learned by IGMP Snooping | reset igmp-snooping statistics | Available in user view
IGMP Snooping Configuration Examples
Simulated Host Joining
Network requirements
After the configuration, Host A and Host B, regardless of whether they have joined the multicast group 224.1.1.1, can receive the multicast data sent from the source 1.1.1.1/24 to the multicast group 224.1.1.1.
Network diagram
Figure 107 Network diagram for simulated host joining configuration
Configuration procedure
1 Configuring a VLAN
a Create VLAN 100.
<SwitchA> system-view
[SwitchA] vlan 100
b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/4 into VLAN 100.
[SwitchA-vlan100] port GigabitEthernet 1/0/1 to GigabitEthernet 1/0/4
[SwitchA-vlan100] quit
2 Enabling simulated host joining to a multicast source/group
a Enable IGMP Snooping in VLAN 100, and set its version to 3.
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] igmp-snooping version 3
[SwitchA-vlan100] quit
b Enable the simulated host to join the multicast source/group on GigabitEthernet1/0/3.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] igmp-snooping host-join 224.1.1.1 source-ip 1.1.1.1 vlan 100
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface GigabitEthernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] igmp-snooping host-join 224.1.1.1 source-ip 1.1.1.1 vlan 100
[SwitchA-GigabitEthernet1/0/4] quit
3 Verifying the configuration
a View the detailed information of the multicast group in VLAN 100.
[SwitchA] display igmp-snooping group vlan 100 verbose
  Total 1 IP Group(s).
  Total 1 IP Source(s).
  Total 1 MAC Group(s).
  Port flags: D-Dynamic port, S-Static port, A-Aggregation port, C-Copy port
  Subvlan flags: R-Real VLAN, C-Copy VLAN
  Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 1 port.
            GigabitEthernet1/0/1 (D) ( 00:01:30 )
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (1.1.1.1, 224.1.1.1):
          Attribute: Host Port
          Host port(s):total 2 port.
            GigabitEthernet1/0/3 (D) ( 00:03:23 )
            GigabitEthernet1/0/4 (D) ( 00:03:23 )
    MAC group(s):
      MAC group address:0100-5e01-0101
          Host port(s):total 2 port.
            GigabitEthernet1/0/3
            GigabitEthernet1/0/4
Static Router Port Configuration
Network requirements
No multicast protocol is running on Router B. After the configuration, Switch A should be able to forward multicast data to the router.
Network diagram
Figure 108 Network diagram for static router port configuration
Configuration procedure
1 Configuring a VLAN
a Create VLAN 100.
<SwitchA> system-view
[SwitchA] vlan 100
b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/4 into VLAN 100.
[SwitchA-vlan100] port GigabitEthernet 1/0/1 to GigabitEthernet 1/0/4
[SwitchA-vlan100] quit
2 Configuring a static router port
a Enable IGMP Snooping in VLAN 100.
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
[SwitchA] vlan 100
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] quit
b Configure GigabitEthernet1/0/4 to be a static router port.
[SwitchA] interface GigabitEthernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] igmp-snooping static-router-port vlan 100
[SwitchA-GigabitEthernet1/0/4] quit
3 Verifying the configuration
a View the detailed information of the multicast group in VLAN 100.
[SwitchA] display igmp-snooping group vlan 100 verbose
  Total 1 IP Group(s).
  Total 1 IP Source(s).
  Total 1 MAC Group(s).
  Port flags: D-Dynamic port, S-Static port, A-Aggregation port, C-Copy port
  Subvlan flags: R-Real VLAN, C-Copy VLAN
  Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
            GigabitEthernet1/0/1 (D) ( 00:01:30 )
            GigabitEthernet1/0/4 (S) ( 00:01:30 )
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (1.1.1.1, 224.1.1.1):
          Attribute: Host Port
          Host port(s):total 1 port.
            GigabitEthernet1/0/3 (D) ( 00:03:23 )
    MAC group(s):
      MAC group address:0100-5e01-0101
          Host port(s):total 1 port.
            GigabitEthernet1/0/3
Troubleshooting IGMP Snooping Configuration
Switch Fails in Layer 2 Multicast Forwarding
Symptom A switch fails to implement Layer 2 multicast forwarding.
Analysis IGMP Snooping is not enabled.
Solution
1 Enter the display current-configuration command to view the running status of IGMP Snooping.
2 If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally and then use the igmp-snooping enable command to enable IGMP Snooping in VLAN view.
3 If IGMP Snooping is disabled only for the corresponding VLAN, just use the igmp-snooping enable command in VLAN view to enable IGMP Snooping in the corresponding VLAN.
Configured Multicast Group Policy Fails to Take Effect
Symptom Although a multicast group policy has been configured to allow hosts to join specific multicast groups, the hosts can still receive multicast data from groups other than these multicast groups.
Analysis
The ACL rule is incorrectly configured.
The multicast group policy is not applied.
The function of dropping unknown multicast data is not enabled, so unknown multicast data is broadcast.
Certain ports have been configured as static member ports of multicast groups, and this configuration conflicts with the configured multicast group policy.
Solution
1 Use the display acl command to check the configured ACL rule. Make sure that the ACL rule conforms to the multicast group policy to be implemented.
2 Use the display this command to check whether the multicast group policy has been applied. If not, use the igmp-snooping group-policy command to apply the multicast group policy.
3 Use the display current-configuration command to check whether the function of dropping unknown multicast data is enabled. If not, use the drop-unknown or igmp-snooping drop-unknown command to enable the function of dropping unknown multicast data.
4 Use the display igmp-snooping group command to check whether any port has been configured as a static member port of any multicast group. If so, check whether this configuration conflicts with the configured multicast group policy. If any conflict exists, remove the configuration.
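The group-limit, overflow-replace and drop-unknown behaviour described in this chapter, modelled as an added Python example that is not 3Com code; the VLAN, port names and group addresses in demo() are constructed, and the handling of unknown multicast on router ports is simplified to a plain drop.

```python
from ipaddress import IPv4Address

DEFAULT_GROUP_LIMIT = 128   # igmp-snooping group-limit default (Table 264)


class SnoopingPort:
    """One Ethernet port in an IGMP Snooping-enabled VLAN (modelled, not 3Com code)."""

    def __init__(self, name, group_limit=DEFAULT_GROUP_LIMIT, overflow_replace=False):
        self.name = name
        self.group_limit = group_limit            # igmp-snooping group-limit limit
        self.overflow_replace = overflow_replace  # igmp-snooping overflow-replace
        self.groups = set()                       # multicast groups this port has joined

    def report(self, group):
        """Handle an IGMP report for `group` received on this port; returns the outcome."""
        if not IPv4Address(group).is_multicast:
            raise ValueError("%s is not a multicast group address" % group)
        if group in self.groups:
            return "refreshed"                    # already a member, timer refreshed
        if len(self.groups) < self.group_limit:
            self.groups.add(group)
            return "joined"
        if not self.overflow_replace:
            return "discarded"                    # limit reached and replacement disabled
        # replacement enabled: the new group displaces the joined group with the lowest address
        lowest = min(self.groups, key=IPv4Address)
        self.groups.remove(lowest)
        self.groups.add(group)
        return "replaced " + lowest

    def leave(self, group):
        self.groups.discard(group)


class SnoopingVlan:
    """Forwarding decision for multicast data entering one VLAN (modelled)."""

    def __init__(self, vlan_id, drop_unknown=False):
        self.vlan_id = vlan_id
        self.drop_unknown = drop_unknown          # drop-unknown / igmp-snooping drop-unknown
        self.ports = {}                           # port name -> SnoopingPort
        self.router_ports = set()                 # names of static or dynamic router ports

    def add_port(self, name, **kwargs):
        self.ports[name] = SnoopingPort(name, **kwargs)
        return self.ports[name]

    def outgoing_ports(self, group):
        """Known group: member ports plus router ports. Unknown group: flooded to every port
        in the VLAN unless unknown multicast is dropped (router ports simplified away here)."""
        members = {name for name, port in self.ports.items() if group in port.groups}
        if members:
            return members | self.router_ports
        return set() if self.drop_unknown else set(self.ports)


def demo():
    """Constructed scenario: a two-group limit on two host ports, one with replacement."""
    vlan = SnoopingVlan(100)
    vlan.add_port("GigabitEthernet1/0/1")
    vlan.router_ports.add("GigabitEthernet1/0/1")
    p3 = vlan.add_port("GigabitEthernet1/0/3", group_limit=2, overflow_replace=True)
    p4 = vlan.add_port("GigabitEthernet1/0/4", group_limit=2)
    outcomes = [p3.report(g) for g in ("224.1.1.1", "224.1.1.2", "224.1.1.3")]
    outcomes += [p4.report(g) for g in ("224.1.1.1", "224.1.1.2", "224.1.1.3")]
    return vlan, outcomes
```

With drop-unknown disabled, a group nobody has joined is delivered to every port in the VLAN, which is exactly why the troubleshooting entry above lists it as a cause of hosts receiving unexpected multicast data.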
33 MULTICAST VLAN CONFIGURATION
Multicast VLAN
In the current multicast-on-demand mode, when users in different VLANs request the service, the multicast flow is duplicated in each VLAN. This mode wastes a great deal of bandwidth.
By configuring multicast VLAN, you can add switch ports to a multicast VLAN and enable IGMP Snooping to allow users in different VLANs to share the same multicast VLAN, with the multicast flow carried in only one multicast VLAN, thus saving bandwidth.
As the multicast VLAN is isolated from user VLANs, this guarantees both data security and enough bandwidth. Therefore, the multicast VLAN function ensures continuous transmission of the multicast information flow to users.
Configuring Multicast VLAN
Multicast VLAN configuration tasks include:
Create VLANs.
Globally enable IGMP-Snooping.
Enable multicast VLAN.
Configure the relationship between a multicast VLAN and multicast sub-VLANs.
To delete a configuration, use the corresponding undo command.
CAUTION:
You cannot configure a multicast VLAN as a multicast sub-VLAN.
You cannot configure a multicast sub-VLAN as a multicast VLAN.
A multicast sub-VLAN can correspond to only one multicast VLAN.
If you have enabled multicast routing in the system by means of the multicast-routing-enable command, you cannot configure the multicast VLAN function.
Table 268 Configure multicast VLAN
Operation | Command | Description
Enter system view | system-view |
Enable IGMP-Snooping in the system | igmp-snooping enable | Required. Multicast VLAN is disabled by default.
In system view, configure the correspondence between a multicast VLAN and multicast sub-VLANs | multicast-vlan vlan-id subvlan vlan-list | Required. A multicast VLAN does not have a sub-VLAN by default.
Multicast VLAN Configuration Example
Network requirements
The following table lists the devices to be configured in the network. Suppose port types, VLAN division, and so on, have been configured.
Network diagram
Figure 109 Network diagram for multicast VLAN
Table 269 Network devices to be configured
Device ID | Device type | Port to configure | Device connected to the port | Description
Router A | Router | Ethernet0/0/0 | Switch B | Ethernet0/0/0 belongs to VLAN1024. Enable PIM SM and IGMP on Ethernet0/0/0.
Switch B | Layer 3 switch | GigabitEthernet1/0/1 | Router A | GigabitEthernet1/0/1 belongs to VLAN1024.
Switch B | Layer 3 switch | GigabitEthernet1/0/2 | Switch C | Configure GigabitEthernet1/0/2 as a TRUNK port belonging to VLAN1 through VLAN3.
Switch B | Layer 3 switch | GigabitEthernet1/0/3 | Switch D | Configure GigabitEthernet1/0/3 as a TRUNK port belonging to VLAN4 through VLAN6.
Switch C | Layer 2 switch | | | Connected to users belonging to VLAN1 through VLAN3, and configured to support IGMP-Snooping.
Switch D | Layer 2 switch | | | Connected to users belonging to VLAN4 through VLAN6, and configured to support IGMP-Snooping.
Configuration procedure
1 Configure Router A.
<Router-A> system-view
Enter system view, return to user view with Ctrl+Z
[Router-A] multicast routing-enable
[Router-A] interface Ethernet 0/0/0
[Router-A-Ethernet0/0/0] pim sm
[Router-A-Ethernet0/0/0] igmp enable
[Router-A-Ethernet0/0/0] quit
[Router-A]
2 Configure Switch B.
<3Com> system-view
Enter system view, return to user view with Ctrl+Z
[3Com] igmp-snooping enable
[3Com] vlan 1024
[3Com-vlan1024] multicast-vlan enable
[3Com-vlan1024] quit
[3Com] multicast-vlan 1024 subvlan 1 to 6
34 ARP CONFIGURATION
When configuring ARP, go to these sections for information you are interested in:
ARP Overview
Configuring ARP
Configuring Gratuitous ARP
Displaying and Maintaining ARP
ARP Overview
Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. For a host on an Ethernet to send an IP packet to another host, it must know the MAC address of the latter. This is where ARP comes into play.
With ARP, each host on an Ethernet maintains an ARP mapping table to keep the IP
addresses and the corresponding MAC addresses of the hosts that it recently
communicated with. This table is empty whenever the host boots up.
As shown in Figure 110, the ARP protocol resolves an IP address in the following steps:
Figure 110 ARP process
[Figure 110 shows Host A (IP address 192.168.1.1, MAC address 0002-6779-0f4c) broadcasting an ARP request carrying its own MAC address and IP address as the source and 192.168.1.2 as the destination IP address, and Host B (IP address 192.168.1.2, MAC address 00a0-2470-febd) unicasting the ARP response with its own MAC address as the source and Host A's MAC address and IP address as the destination.]
1 When Host A wants to send an IP packet to Host B on the same segment, it looks in its
ARP mapping table to see whether there is a mapping entry for Host B. If it finds the
entry, it uses the MAC address in the entry to encapsulate the IP packet into a data link
layer frame and sends the frame to Host B.
2 If Host A finds no entry for Host B, it pushes the packet to the ARP outbound waiting
queue and creates an ARP request, which contains the IP address of Host B and the IP
address and MAC address of Host A. Then, it broadcasts the request on the Ethernet.
Since the ARP request is broadcast, all hosts on the Ethernet except for Host A will
receive the request. However, only the requested host (Host B) responds to the request.
3 Upon receiving the ARP request from Host A, Host B saves the IP address and MAC
address of Host A into its ARP mapping table, encapsulates its MAC address into an ARP
response, and unicasts the response to Host A.
4 After receiving the ARP response, Host A adds the MAC address and IP address of Host B
into its ARP mapping table, and sends all data packets for Host B in the waiting queue
out to Host B.
Normally, ARP resolves IP addresses to MAC addresses dynamically and automatically, without administrator intervention.
Configuring ARP
ARP entries fall into two categories: dynamic and static.
1 A dynamic entry is automatically created and maintained by the ARP protocol. It can age out, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires, the interface goes down, or the VLAN interface goes down, the corresponding dynamic ARP entries are removed.
2 A static ARP entry is configured and maintained manually. It can be permanent or
non-permanent.
A permanent static ARP entry can be directly used to forward data and never gets
aged or overwritten by a dynamic ARP entry. When configuring a permanent static
ARP entry, you must configure the IP address and MAC address, as well as the VLAN
and outbound interface for the entry.
A non-permanent static ARP entry is initially in the state of unresolved and cannot be
directly used to forward data. When configuring a non-permanent static ARP entry,
you only need to configure the IP address and MAC address; the VLAN and outbound
interface will be dynamically resolved by ARP packets. A resolved non-permanent
static ARP entry can be used to forward data and does not get aged. When the
interface or VLAN interface goes down, or something like that occurs, the entry
becomes unresolved again. Non-permanent static ARP entries are used primarily
when IP and MAC binding is required.
By default, the ARP mapping table of a device is empty and ARP entries are added automatically by the ARP protocol. The ARP mapping table is usually maintained by the dynamic ARP protocol and requires manual configuration only in some special cases. In addition, the ARP mapping table is used within a LAN; address resolution on a WAN depends on other configurations or methods, such as inverse address resolution in frame relay.
Adding a Static ARP Entry
Follow these steps to add a static ARP entry:
A static ARP mapping is effective when the device works normally. However, when the VLAN or VLAN interface to which an ARP entry of a switch corresponds is deleted, the entry is deleted accordingly.
The default active time of a dynamic ARP entry is 20 minutes.
The vlan-id argument is used to configure ARP entries on Ethernet switches and must be the ID of an existing VLAN interface. In addition, the Ethernet interface following the argument must belong to that VLAN.
Setting the Maximum Number of ARP Entries for a VLAN Interface
Follow these steps to set the maximum number of ARP entries that a VLAN interface can learn:
Setting the Aging Time for Dynamic ARP Entries
Follow these steps to set the aging time for dynamic ARP entries:
Table 270 Adding a Static ARP Entry
To do | Use the command | Remarks
Enter system view | system-view |
Configure a permanent static ARP entry | arp static ip-address mac-address vlan-id interface-type interface-number | Required. No permanent static ARP entry is configured by default.
Configure a non-permanent static ARP entry | arp static ip-address mac-address | Required. No non-permanent static ARP entry is configured by default.
Table 271 Setting the Maximum Number of ARP Entries for a VLAN Interface
To do | Use the command | Remarks
Enter system view | system-view |
Enter VLAN interface view | interface Vlan-interface vlan-id |
Set the maximum number of ARP entries that an interface can learn | arp max-learning-num number | Optional. 2048 by default.
Table 272 Setting the Aging Time for Dynamic ARP Entries
To do | Use the command | Remarks
Enter system view | system-view |
Set the aging time for dynamic ARP entries | arp timer aging aging-time | Optional. 20 minutes by default.
Enabling ARP Entry Checking
The ARP entry checking function prevents the device from learning multicast MAC addresses.
Follow these steps to enable ARP entry checking:
Configuring Gratuitous ARP
Introduction to Gratuitous ARP
Gratuitous ARP means that the device sends gratuitous ARP packets. Gratuitous ARP packets are special packets: the source IP address and destination IP address carried in such a packet are both the address of the local device, the source MAC address is the MAC address of the local device, and the destination MAC address is the broadcast address.
With gratuitous ARP, a device can implement the following functions by sending
gratuitous ARP packets:
Determining whether its IP address is already used by another node.
Informing other nodes about the change of its MAC address so that they can update
their cached ARP entries with its new MAC address in time. This occurs when, for
example, the device is turned off, has its interface card replaced, and is then turned
on.
By learning from gratuitous ARP packets, the device implements the following function:
When the device receives a gratuitous ARP packet, it adds the information carried in the packet to the local dynamic ARP mapping table if no ARP entry in the cache corresponds to the packet.
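The ARP mapping table rules of this chapter (dynamic versus permanent and non-permanent static entries, aging, the per-VLAN-interface learning limit, ARP entry checking and gratuitous ARP learning) as an added Python model, not 3Com code; the rule that a non-permanent static entry only resolves from an ARP packet carrying its bound MAC address is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_AGING_SECONDS = 20 * 60   # arp timer aging default: 20 minutes
DEFAULT_MAX_LEARNING = 2048       # arp max-learning-num default


def is_multicast_mac(mac):
    """True when the I/G bit (least significant bit of the first octet) is set; MAC addresses
    are written the way this guide writes them, e.g. 0002-6779-0f4c."""
    return bool(int(mac.replace("-", "")[:2], 16) & 0x01)


@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: str                        # "dynamic", "static-permanent" or "static-nonpermanent"
    vlan: Optional[int] = None
    interface: Optional[str] = None  # outbound interface; None means the entry is unresolved
    learned_at: float = 0.0          # time a dynamic entry was created or last refreshed

    def resolved(self):
        return self.interface is not None


class ArpTable:
    """ARP mapping table of one device, modelled from this chapter's rules (not 3Com code)."""

    def __init__(self, aging=DEFAULT_AGING_SECONDS, max_learning=DEFAULT_MAX_LEARNING,
                 check_enable=True):
        self.aging = aging
        self.max_learning = max_learning   # counted per VLAN interface, as the command applies
        self.check_enable = check_enable   # arp check enable
        self.entries = {}                  # ip -> ArpEntry

    def add_static(self, ip, mac, vlan=None, interface=None):
        """arp static: permanent when VLAN and interface are given, otherwise non-permanent
        (unresolved until a matching ARP packet supplies VLAN and interface)."""
        permanent = vlan is not None and interface is not None
        kind = "static-permanent" if permanent else "static-nonpermanent"
        self.entries[ip] = ArpEntry(ip, mac, kind, vlan, interface)  # overwrites a dynamic entry

    def _dynamic_count(self, vlan):
        return sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.vlan == vlan)

    def learn(self, ip, mac, vlan, interface, now):
        """Process the sender fields of a received ARP request or response.
        Returns True when the table changed."""
        if self.check_enable and is_multicast_mac(mac):
            return False                       # ARP entry checking refuses multicast MACs
        entry = self.entries.get(ip)
        if entry is None:
            if self._dynamic_count(vlan) >= self.max_learning:
                return False                   # this VLAN interface reached its learning limit
            self.entries[ip] = ArpEntry(ip, mac, "dynamic", vlan, interface, now)
            return True
        if entry.kind == "static-permanent":
            return False                       # never overwritten by a dynamic entry
        if entry.kind == "static-nonpermanent":
            if entry.mac != mac:
                return False                   # assumption: the bound MAC must match to resolve
            entry.vlan, entry.interface = vlan, interface
            return True
        entry.mac, entry.vlan, entry.interface, entry.learned_at = mac, vlan, interface, now
        return True                            # dynamic entry updated by the new ARP packet

    def learn_gratuitous(self, ip, mac, vlan, interface, now):
        """gratuitous-arp-learning enable: adds an entry only when none exists for that IP."""
        if ip in self.entries:
            return False
        return self.learn(ip, mac, vlan, interface, now)

    def age(self, now):
        """Remove dynamic entries whose aging timer has expired; returns the IPs removed."""
        expired = sorted(ip for ip, e in self.entries.items()
                         if e.kind == "dynamic" and now - e.learned_at >= self.aging)
        for ip in expired:
            del self.entries[ip]
        return expired

    def interface_down(self, interface):
        """Dynamic entries on the interface are removed, non-permanent static entries become
        unresolved again and permanent static entries are kept."""
        for ip, e in list(self.entries.items()):
            if e.interface != interface:
                continue
            if e.kind == "dynamic":
                del self.entries[ip]
            elif e.kind == "static-nonpermanent":
                e.vlan = e.interface = None

    def lookup(self, ip):
        """MAC address to encapsulate with, or None when the sender must queue the packet and
        broadcast an ARP request (steps 1 and 2 of the resolution process)."""
        entry = self.entries.get(ip)
        return entry.mac if entry is not None and entry.resolved() else None
```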
Configuring Gratuitous ARP
Follow these steps to configure gratuitous ARP:
Table 273 Enabling ARP Entry Checking
To do | Use the command | Remarks
Enter system view | system-view |
Enable ARP entry checking | arp check enable | Optional. Enabled by default.
Table 274 Configuring Gratuitous ARP
To do | Use the command | Remarks
Enter system view | system-view |
Enable the gratuitous ARP packet sending function | gratuitous-arp-sending enable | Optional. A device cannot send gratuitous ARP packets by default.
Enable the gratuitous ARP packet learning function | gratuitous-arp-learning enable | Required. Disabled by default.
Displaying and Maintaining ARP
Table 275 Displaying and Maintaining ARP
To do | Use the command | Remarks
Display information about ARP entries in the ARP mapping table | display arp { { all | static | dynamic } | vlan vlan-id | interface interface-type interface-number } [ [ | { begin | include | exclude } text ] | count ] | Available in any view
Display the ARP entries corresponding to the specified IP address | display arp ip-address [ | { begin | include | exclude } text ] | Available in any view
Display the aging time for dynamic ARP entries | display arp timer aging | Available in any view
Clear ARP entries from the ARP mapping table | reset arp { all | dynamic | static | interface interface-type interface-number } | Available in user view
35 PROXY ARP CONFIGURATION
When configuring proxy ARP, go to these sections for information you are interested in:
Proxy ARP Overview
Enabling Proxy ARP
Displaying and Maintaining Proxy ARP
Proxy ARP Overview
If a host in a network sends an ARP request to another host in the same network segment but not in the same physical network, the proxy-ARP-enabled device connecting the two hosts can respond to this ARP request. This process is called proxy ARP.
Proxy ARP includes normal proxy ARP and local proxy ARP.
In the same network segment, the hosts connected to different VLAN interfaces of the device can use the normal proxy ARP function of the device to interwork with each other through forwarding on Layer 3.
In the following case, the local proxy ARP function must be enabled for the interfaces to interwork on Layer 3:
Interfaces belonging to the same VLAN are isolated on Layer 2.
Enabling Proxy ARP
Follow these steps to enable proxy ARP:
Through configuring the proxy-arp enable command, you can enable hosts
connected to different VLAN interfaces of the device to interwork with each other
through forwarding on Layer 3.
Table 276 Enabling Proxy ARP
To do | Use the command | Remarks
Enter system view | system-view |
Enter Ethernet interface view or VLAN interface view | interface interface-type interface-number | Required
Enable proxy ARP | proxy-arp enable | Required. Disabled by default.
Enable local proxy ARP | local-proxy-arp enable | Required. Disabled by default.
By configuring the local-proxy-arp enable command, you can enable a switch
to check the received ARP request to see whether the outbound interface is the same
one as the inbound interface and, if this is the case, allow the device to respond to the
request.
Displaying and Maintaining Proxy ARP
Table 277 Displaying and Maintaining Proxy ARP
To do | Use the command | Remarks
Display whether proxy ARP is enabled | display proxy-arp [ interface interface-type interface-number ] | Available in any view
Display whether local proxy ARP is enabled | display local-proxy-arp [ interface interface-type interface-number ] | Available in any view
36 DHCP OVERVIEW
Introduction to DHCP
The fast expansion and growing complexity of networks result in a scarcity of IP addresses assignable to hosts. Meanwhile, with the widespread use of wireless networks, laptops move frequently across the network, which requires their IP addresses to change accordingly. Host configuration therefore becomes more complex.
Dynamic host configuration protocol (DHCP) was introduced to ease network
configuration by providing a framework for passing configuration information to hosts
on a TCP/IP network.
DHCP is built on a client-server model, in which the client sends a configuration request
and then the server returns a reply to send configuration parameters such as an IP
address to the client.
A typical DHCP application, as shown in Figure 111, includes a DHCP server and multiple
clients (PCs and laptops).
Figure 111 A typical DHCP application
DHCP Address Allocation
Allocation Mechanisms
DHCP supports three mechanisms for IP address allocation.
Manual allocation: The network administrator assigns an IP address to a client, such as a WWW server, and DHCP conveys the assigned address to the client.
Automatic allocation: DHCP assigns a permanent IP address to a client.
Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most clients obtain their addresses in this way.
Dynamic IP Address Allocation Procedure
For dynamic allocation, a DHCP client obtains an IP address from a DHCP server in four steps:
1 The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2 A DHCP server offers configuration parameters such as an IP address to the client in a
DHCP-OFFER message.
3 If several DHCP servers send offers to the client, the client accepts the first received offer,
and broadcasts it in a DHCP-REQUEST message to formally request the IP address.
4 All DHCP servers receive the DHCP-REQUEST message, but only the server to which the
client sent a formal request for the offered IP address returns a DHCP-ACK message to
the client confirming that the IP address has been allocated to the client, or returns a
DHCP-NAK unicast message denying the IP address allocation.
If the client receives the DHCP-ACK message, it will probe the IP address using
gratuitous ARP with destination address as the IP address assigned by the server to
check whether the IP address is in use. If the client receives no response within the
specified time, the client can use this IP address.
If there are multiple DHCP servers in the network, the IP addresses offered by other
DHCP servers are still assignable to other clients.
IP Address Lease Extension
The IP address dynamically allocated by a DHCP server to a client has a lease. After the lease duration elapses, the IP address is reclaimed by the DHCP server. If the client wants to keep using the IP address, it has to extend the lease duration.
After half of the lease duration elapses, the DHCP client sends the DHCP server a DHCP-REQUEST unicast message to extend the lease duration. Upon availability of the IP address, the DHCP server returns a DHCP-ACK unicast confirming that the client's lease duration has been extended, or a DHCP-NAK unicast denying the request.
If the client receives the DHCP-NAK message, it broadcasts another DHCP-REQUEST message for lease extension after 7/8 of the lease duration elapses. The DHCP server handles the request as described above.
DHCP Message Format
The figure below gives the DHCP message format, which is based on the BOOTP message format and covers eight message types. These messages have the same format except that some fields have different values. The numbers in parentheses indicate the size of each field in octets.
Figure 112 DHCP Message Format
op: Message type defined in option field. 1 = REQUEST, 2 = REPLY
htype, hlen: Hardware address type and length of a DHCP client.
hops: Number of relay agents a request message has traveled through.
xid: Transaction ID, a 32-bit random number chosen by the client to identify an IP address allocation.
secs: Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. Currently this field is reserved and set to 0.
flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 1, the DHCP server sends its reply back by broadcast. The remaining bits of the flags field are reserved for future use. Currently, the BROADCAST flag is always set to 1.
ciaddr: Client IP address.
yiaddr: 'your' (client) IP address, assigned by the server.
siaddr: Server IP address, from which the client obtained configuration parameters.
giaddr: IP address of the first relay agent a request message traveled through.
chaddr: Client hardware address.
sname: The server host name, from which the client obtained configuration parameters.
file: Bootfile name and routing information, defined by the server for the client.
options: Optional parameters field of variable length; parameters include the message type, lease, DNS IP address, WINS IP address and so forth.
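A parser and builder for the message format above, with a constructed DISCOVER, its relayed copy and the server's OFFER following the dynamic allocation procedure and the relay forwarding described earlier in this chapter. This is an added Python example, not 3Com code; the transaction ID, addresses and the option 82 circuit-id value are made up.

```python
import struct
from collections import namedtuple
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: separates the fixed header from the options
BROADCAST_FLAG = 0x8000              # leftmost bit of the 16-bit flags field
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
# op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr yiaddr siaddr giaddr (4 each)
# chaddr(16) sname(64) file(128): 236 octets, followed by the magic cookie and the options
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr", "yiaddr",
          "siaddr", "giaddr", "chaddr", "sname", "file", "options")


class DhcpMessage(namedtuple("DhcpMessage", FIELDS)):
    """Parsed message; field names follow Figure 112, options maps code -> raw value bytes."""

    @property
    def broadcast(self):
        return bool(self.flags & BROADCAST_FLAG)

    @property
    def message_type(self):
        # op only distinguishes REQUEST from REPLY; option 53 carries the DHCP message type
        value = self.options.get(53)
        return MESSAGE_TYPES.get(value[0], "UNKNOWN") if value else "NONE"

    def lease_seconds(self):
        value = self.options.get(51)                # IP address lease time option
        return struct.unpack("!I", value)[0] if value else None


def parse_options(blob):
    """Walk the TLV options: code 0 is a one-octet pad, code 255 ends the list."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated header for option %d" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d declares %d octets, %d present" % (code, length, len(value)))
        options[code] = options.get(code, b"") + value   # RFC 3396: split options concatenate
        i += 2 + length
    return options


def parse_dhcp(data):
    """Decode one DHCP message; raises ValueError on a malformed header or option list."""
    if len(data) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("message shorter than the fixed header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags,
     ci, yi, si, gi, chaddr, sname, file) = HEADER.unpack_from(data, 0)
    if data[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    if not 1 <= hlen <= 16:
        raise ValueError("hlen %d does not fit the 16-octet chaddr field" % hlen)
    mac = chaddr[:hlen].hex()
    if hlen == 6:                                       # dashed style used in this guide
        mac = "-".join(mac[j:j + 4] for j in range(0, 12, 4))
    return DhcpMessage(op, htype, hlen, hops, xid, secs, flags,
                       *(str(IPv4Address(a)) for a in (ci, yi, si, gi)), mac,
                       sname.split(b"\0", 1)[0].decode("ascii", "replace"),
                       file.split(b"\0", 1)[0].decode("ascii", "replace"),
                       parse_options(data[HEADER.size + 4:]))


def build_dhcp(op, xid, mac, message_type, flags=BROADCAST_FLAG, hops=0, ciaddr="0.0.0.0",
               yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Serialise a message; `options` are (code, value bytes) pairs placed after option 53."""
    header = HEADER.pack(op, 1, len(mac), hops, xid, 0, flags,
                         *(IPv4Address(a).packed for a in (ciaddr, yiaddr, siaddr, giaddr)),
                         mac.ljust(16, b"\0"), b"", b"")
    body = bytes([53, 1, message_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def sample_exchange():
    """Constructed DISCOVER, its relayed copy and the server's OFFER (addresses are made up)."""
    client_mac = bytes.fromhex("00a02470febd")
    discover = build_dhcp(1, 0x3903F326, client_mac, 1)
    # the relay agent puts its interface address in giaddr, increments hops and appends a
    # constructed option 82 with a circuit-id sub-option (code 1) before unicasting the request
    relayed = build_dhcp(1, 0x3903F326, client_mac, 1, hops=1, giaddr="10.1.1.1",
                         options=[(82, bytes([1, 4]) + b"\x00\x64\x00\x03")])
    offer = build_dhcp(2, 0x3903F326, client_mac, 2, giaddr="10.1.1.1", yiaddr="10.1.1.50",
                       siaddr="10.1.2.1", options=[(51, struct.pack("!I", 86400)),
                                                   (54, IPv4Address("10.1.2.1").packed)])
    return parse_dhcp(discover), parse_dhcp(relayed), parse_dhcp(offer)
```

The length check in parse_options is what keeps a truncated or malformed option list from reading past the end of the datagram, which matters on a relay or snooping device that parses every client packet it forwards.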
Protocols and Standards
RFC2131: Dynamic Host Configuration Protocol
RFC2132: DHCP Options and BOOTP Vendor Extensions
RFC1542: Clarifications and Extensions for the Bootstrap Protocol
RFC3046: DHCP Relay Agent Information Option
37 DHCP RELAY AGENT CONFIGURATION
When configuring the DHCP relay agent, go to these sections for information you are
interested in:
Introduction to DHCP Relay Agent
Configuring the DHCP Relay Agent
Displaying and Maintaining the DHCP Relay Agent Configuration
DHCP Relay Agent Configuration Example
Troubleshooting DHCP Relay Agent Configuration
Please note the following:
The DHCP relay agent configuration is supported only on VLAN interfaces.
DHCP Snooping must be disabled on the DHCP relay agent.
Introduction to DHCP Relay Agent
Application Environment
Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server would have to be available on each subnet, which is not practical.
The DHCP relay agent solves this problem. Via a relay agent, DHCP clients communicate with a DHCP server on another subnet to obtain configuration parameters. Thus, DHCP clients on different subnets can contact the same DHCP server, for ease of centralized management and cost reduction.
Fundamentals
A typical application of the DHCP relay agent is shown below.
Figure 113 DHCP relay agent application
No matter whether a relay agent exists or not, the DHCP server and client interact with
each other in a similar way (see Dynamic IP Address Allocation Procedure). The following
describes the forwarding process on the DHCP relay agent.
The DHCP client broadcasts the DHCP-DISCOVER or DHCP-REQUEST packet. After
receiving the packet, the DHCP relay-enabled network device unicasts the packet to a
specified DHCP server based on the configuration.
The DHCP server returns an IP address to the relay agent, which conveys it to the
client via broadcast.
Configuring the DHCP Relay Agent
Configuration Task List
To configure the DHCP relay agent, complete the tasks listed in Table 278.
Enabling DHCP
Enable DHCP before performing other DHCP-related configurations. See Table 279.
[Figure 113 (DHCP relay agent application) labels: DHCP clients on an Ethernet segment, Switch (DHCP Relay), Internet, DHCP Server]
Table 278 Configuration Task List
Task | Remarks
Enabling DHCP | Required
Enabling the DHCP Relay Agent on Interfaces | Required
Correlating a DHCP Server Group with Relay Agent Interfaces | Required
Configuring the DHCP Relay Agent to Send the IP Address Release Request | Optional
Configuring the DHCP Relay Agent Security Functions | Optional
Configuring the DHCP Relay Agent to Support Option 82 | Optional
Table 279 Enabling DHCP
To do: Enter system view | Command: system-view
To do: Enable DHCP | Command: dhcp enable | Remarks: Required; disabled by default
Enabling the DHCP Relay Agent on Interfaces
With this task completed, upon receiving a DHCP request on an enabled interface, the
relay agent forwards the request to an outside DHCP server for address allocation.
To enable the DHCP relay agent on interfaces, use the commands in Table 280.
When a DHCP client obtains an IP address from a DHCP server through the DHCP relay,
an IP address pool on the same network segment (network number and mask) as the IP
address of the DHCP relay interface connecting the client must already have been
configured on the DHCP server. Otherwise, the DHCP client cannot obtain a correct IP
address.
Correlating a DHCP Server Group with Relay Agent Interfaces
To improve reliability, you can specify several DHCP servers as a group on the DHCP relay
agent and correlate a relay agent interface with the server group. When the interface
receives request messages from clients, the relay agent forwards them to all the
DHCP servers of the group.
To correlate a DHCP server group with relay agent interfaces, use the commands in
Table 281.
You can specify up to twenty DHCP server groups on the relay agent.
You can configure up to eight DHCP servers for a server group.
The IP address of any DHCP server in a DHCP server group cannot be on the same
network segment as that of a DHCP relay interface connecting with DHCP clients;
otherwise, the DHCP clients may not be able to obtain IP addresses.
A DHCP server group can correlate with one or multiple DHCP relay agent interfaces,
while a relay agent interface can only correlate with one DHCP server group. Using
the dhcp relay server-select command repeatedly overwrites the previous
configuration. However, if the specified DHCP server group does not exist, the
interface still uses the previous correlation.
The group-id in the dhcp relay server-select command is the one specified by the
dhcp relay server-group command.
Table 280 Enabling the DHCP Relay Agent on Interfaces
To do: Enter system view | Command: system-view
To do: Enter interface view | Command: interface interface-type interface-number
To do: Enable the DHCP relay agent on the current interface | Command: dhcp select relay | Remarks: Required; not enabled by default
Table 281 Correlating a DHCP Server Group with Relay Agent Interfaces
To do: Enter system view | Command: system-view
To do: Specify a DHCP server group number and servers in the group | Command: dhcp relay server-group group-id ip ip-address | Remarks: Required; not specified by default
To do: Enter interface view | Command: interface interface-type interface-number
To do: Correlate the DHCP server group with the current interface | Command: dhcp relay server-select group-id | Remarks: Required; not correlated by default
Configuring the Relay Agent to Forward a DHCP-Release Request
Sometimes, you need to release a client's IP address manually on the DHCP relay agent.
With this task completed, the DHCP relay agent can actively send a DHCP-RELEASE
request that contains the client's IP address to the DHCP server. The DHCP server then
releases the IP address for the client.
Configure the release of a client's IP address through the DHCP relay (in system view)
In system view, when you configure the release of a client's IP address through the DHCP relay
and do not specify the IP address of the DHCP server, the DHCP relay sends a
DHCP-RELEASE request to the DHCP servers of the DHCP server groups that correspond to all
interfaces working in DHCP relay mode. See Table 282.
Configure the release of a client's IP address through the DHCP relay (in interface view)
In interface view, when you configure the release of a client's IP address through the DHCP relay
and do not specify a DHCP server, the DHCP relay sends a DHCP-RELEASE request to
all the DHCP servers of the DHCP server group that corresponds to the interface. If you specify
a DHCP server, the DHCP relay sends the DHCP-RELEASE request to the specified
DHCP server only. See Table 283.
Configuring the DHCP Relay Agent Security Functions
Creating static bindings and enabling the invalid IP address check
The DHCP relay agent can dynamically record IP-to-MAC bindings after clients obtain IP
addresses. You can also create static bindings on the DHCP relay agent.
To avoid invalid IP address configuration, you can configure the DHCP relay
agent to check whether a requesting client's IP and MAC addresses match a binding on
it (either a dynamic or a static binding). If not, the client cannot access outside networks via
the DHCP relay agent.
To create a static binding and enable the invalid IP address check, use the commands in
Table 284.
Table 282 Configure the release of a client's IP address through the DHCP relay (in system view)
To do: Enter system view | Command: system-view
To do: Request the DHCP server to release the IP address applied for and used by a client | Command: dhcp relay release client-ip client-mac [ server-ip ] | Remarks: Required
Table 283 Configure the release of a client's IP address through the DHCP relay (in interface view)
To do: Enter system view | Command: system-view
To do: Enter interface view | Command: interface interface-type interface-number
To do: Request the DHCP server to release the IP address applied for and used by a client | Command: dhcp relay release client-ip client-mac [ server-ip ] | Remarks: Required
The dhcp relay address-check command is independent of other commands of the
DHCP relay agent. That is, the invalid address check takes effect when this command
is executed, regardless of whether other commands are used.
Before executing the dhcp relay address-check enable command on the DHCP relay
interface connected to the DHCP server, you need to configure the static binding
between the IP address and MAC address of the DHCP server. Otherwise, the DHCP
client will fail to obtain an IP address.
Configuring the dynamic binding update interval
Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the
DHCP server to relinquish its IP address. In this case the DHCP relay agent simply conveys
the message to the DHCP server and does not remove the IP address from its bindings.
To solve this, the system refreshes relay agent binding entries at a specified
interval.
The DHCP relay agent regularly sends a DHCP-REQUEST message using its own MAC
address and a client's IP address to the DHCP server. If the server returns a DHCP-ACK
message, which means the client's IP address is assignable now, the DHCP relay agent
refreshes its bindings by aging out the binding entry of the client's IP address. If the
server returns a DHCP-NAK message, which means the IP address is still in use, the relay
agent does not age it out.
To configure the dynamic binding refreshing interval, use the commands in Table 285.
Table 284 Creating static bindings and enabling the invalid IP address check
To do: Enter system view | Command: system-view
To do: Create a static binding | Command: dhcp relay security static ip-address mac-address | Remarks: Optional; not created by default
To do: Enter interface view | Command: interface interface-type interface-number
To do: Enable the invalid IP address check | Command: dhcp relay address-check { disable | enable } | Remarks: Required; disabled by default
Table 285 Configuring the dynamic binding refreshing interval
To do: Enter system view | Command: system-view
To do: Configure the binding refreshing interval | Command: dhcp relay security tracker { interval | auto } | Remarks: Optional; auto by default (the auto interval is calculated by the relay agent according to the number of bindings)
Enabling pseudo DHCP server detection
Illegal DHCP servers on a network may reply to DHCP clients with wrong IP
addresses. These illegal DHCP servers are called pseudo DHCP servers.
With this task completed, upon receiving a DHCP-REQUEST message from a client, the
DHCP relay agent records from the message the IP addresses of the servers that have
offered IP addresses to the client and the address of the receiving interface. The administrator
can use this information to identify pseudo DHCP servers.
To enable pseudo DHCP server detection, use the commands in Table 286.
With pseudo DHCP server detection enabled, the device records each DHCP server once.
The administrator needs to identify pseudo DHCP servers from the records.
Configuring the DHCP Relay Agent to Support Option 82
Introduction to option 82
Option 82 is the relay agent option in the Options field of the DHCP message. It involves
255 sub-options. At least one sub-option must be defined. Currently the DHCP relay agent
supports two sub-options: sub-option 1 and sub-option 2.
Option 82 has no unified definition. Its padding formats vary with vendors. Currently the
device supports two padding formats: normal and verbose.
The padding contents for sub-options in the normal padding format are:
sub-option 1: padded with the number of the port that receives the DHCP client's
request, and the number of the VLAN to which the port belongs.
sub-option 2: padded with the MAC address of the interface that received the client's
request.
The padding contents for sub-options in the verbose padding format are:
sub-option 1: padded with the specified access node identifier, the type and number of
the port that receives the DHCP client's request, and the number of the VLAN to which
the port belongs.
sub-option 2: padded with the MAC address of the interface that received the client's
request.
Handling strategies for option 82 on the relay agent
If the DHCP relay agent supports option 82, it handles a client's request message
according to the contents defined in option 82, if any. The handling strategies are
described in Table 287.
If a reply returned by the DHCP server contains option 82, the DHCP relay agent
removes option 82 before forwarding the reply to the client.
Table 286 Enabling pseudo DHCP server detection
To do: Enter system view | Command: system-view
To do: Enable pseudo DHCP server detection | Command: dhcp relay server-detect | Remarks: Required; not enabled by default
Prerequisites
You need to complete the following tasks before configuring the DHCP relay agent to
support option 82:
Enabling DHCP
Enabling the DHCP relay agent on the specified interface
Configuring network parameters for the DHCP relay agent to ensure that the route between the
DHCP relay and the DHCP server is reachable
Configuring the DHCP relay agent to support option 82
Use the commands in Table 288 for this configuration.
Table 287 Handling strategies for option 82 on the relay agent
If a client's request message has | Handling strategy | Padding format | The DHCP relay agent will
Option 82 | Drop | - | Drop the message.
Option 82 | Keep | - | Forward the message without changing Option 82.
Option 82 | Replace | Normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
Option 82 | Replace | Verbose | Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
No option 82 | - | Normal | Forward the message after adding the Option 82 padded in normal format.
No option 82 | - | Verbose | Forward the message after adding the Option 82 padded in verbose format.
Table 288 Configure the DHCP relay agent to support option 82
To do: Enter system view | Command: system-view
To do: Enter interface view | Command: interface interface-type interface-number
To do: Enable the relay agent to support option 82 | Command: dhcp relay information enable | Remarks: Required; disabled by default
To do: Configure the handling strategy for request messages containing option 82 | Command: dhcp relay information strategy { drop | keep | replace } | Remarks: Optional; replace by default
To do: Configure the padding format for option 82 | Command: dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } | Remarks: Optional; normal by default
To support option 82, you must perform related configurations on both the DHCP
server and relay agent. Since the DHCP server configuration varies with devices, it is
not mentioned here.
If the handling strategy of the DHCP relay agent is configured as replace, you need to
configure a padding format for option 82. If the handling strategy is keep or drop,
you need not configure any padding format.
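The option 82 handling of Table 287, and the stripping of option 82 from server replies, worked through as an added Python model; this is not 3Com's code. The byte layout of sub-option 1 (VLAN and port packed as two 16-bit fields, with a node-identifier prefix in verbose format) and the sample request are assumptions, since the page only states what each sub-option carries.

```python
"""Relay-agent handling of DHCP option 82: added model, not switch firmware.

Implements Table 287: drop / keep / replace for requests that already carry
option 82, insertion for requests that do not, and removal of option 82 from
server replies. The sub-option byte layout is an assumption.
"""
import struct

OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255


def parse_options(raw):
    """Parse the DHCP options field (after the magic cookie) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_options(opts):
    """Serialise (code, value) pairs back into an options field ending with 255."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def option82(fmt, port_number, vlan_id, iface_mac, node_id=b"", port_type=b""):
    """Build the option 82 value in the normal or verbose padding format.

    sub-option 1 (circuit ID): receiving port number and VLAN number; verbose
    prefixes the access node identifier and port type. sub-option 2 (remote
    ID): MAC of the interface that received the request. Layout assumed.
    """
    if fmt == "normal":
        circuit = struct.pack("!HH", vlan_id, port_number)
    elif fmt == "verbose":
        circuit = node_id + b":" + port_type + struct.pack("!HH", vlan_id, port_number)
    else:
        raise ValueError("unknown padding format: %r" % fmt)
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(iface_mac)]) + iface_mac


def relay_request(opts, strategy, fmt, **ctx):
    """Apply Table 287 to a client request. Returns (forward, options).

    ctx carries the receiving-interface facts that option82() pads in.
    """
    without82 = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    has82 = len(without82) != len(opts)
    if not has82:                       # no option 82: add one in the configured format
        return True, opts + [(OPT_RELAY_AGENT, option82(fmt, **ctx))]
    if strategy == "drop":
        return False, opts
    if strategy == "keep":
        return True, opts
    if strategy == "replace":           # only replace needs a padding format
        return True, without82 + [(OPT_RELAY_AGENT, option82(fmt, **ctx))]
    raise ValueError("unknown strategy: %r" % strategy)


def relay_reply(opts):
    """Server reply: strip option 82 before forwarding so the client never sees it."""
    return [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]


# Constructed sample: a DHCPDISCOVER (option 53 = 1) that already carries an
# option 82 inserted by a downstream device, plus the relay interface facts.
SAMPLE_REQUEST = bytes([53, 1, 1, 82, 4, 1, 2, 0xAA, 0xBB, 255])
IFACE = dict(port_number=3, vlan_id=10, iface_mac=bytes.fromhex("00e0fc000001"))
```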
Displaying and Maintaining the DHCP Relay Agent Configuration
Table 289 Displaying and Maintaining the DHCP Relay Agent
To do: Display information about DHCP server groups correlated to a specified interface or all interfaces | Command: display dhcp relay { all | interface interface-type interface-number } | Remarks: Available in any view
To do: Display information about bindings of DHCP relay agents | Command: display dhcp relay security [ ip-address | dynamic | static ] | Remarks: Available in any view
To do: Display statistics about bindings of DHCP relay agents | Command: display dhcp relay security statistics | Remarks: Available in any view
To do: Display the refreshing interval for entries of dynamic IP-to-MAC bindings | Command: display dhcp relay security tracker | Remarks: Available in any view
To do: Display the configuration of a specified or all DHCP server groups | Command: display dhcp relay server-group { group-id | all } | Remarks: Available in any view
To do: Display packet statistics on the relay agent | Command: display dhcp relay statistics [ server-group { group-id | all } ] | Remarks: Available in user view
To do: Clear packet statistics from the relay agent | Command: reset dhcp relay statistics [ server-group group-id ] | Remarks: Available in user view
DHCP Relay Agent Configuration Example
Network requirements
Vlan-interface1 on the DHCP relay agent (a switch) connects to the network where DHCP
clients reside. The IP address of Vlan-interface1 is 10.10.1.1/24, and the IP address of
Vlan-interface2, which communicates with the DHCP server 10.1.1.1/24, is 10.1.1.2/24. As
shown in Figure 114, the DHCP relay agent forwards messages between DHCP
clients and the DHCP server.
Network diagram
Figure 114 Network diagram for DHCP relay agent
Configuration procedure
1 Enable DHCP.
<Sysname> system-view
[Sysname] dhcp enable
2 Enable the DHCP relay agent on Vlan-interface1.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp select relay
[Sysname-Vlan-interface1] quit
3 Configure DHCP server group 1 with the DHCP server 10.1.1.1, and correlate
DHCP server group 1 to Vlan-interface1.
[Sysname] dhcp relay server-group 1 ip 10.1.1.1
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] dhcp relay server-select 1
Performing the configuration on the DHCP server is also required to guarantee the
client-to-server communication via the relay agent. Since the DHCP server
configuration varies with devices, it is not mentioned here.
In this example, the DHCP relay agent and server are on the same subnet. If they are
on different subnets, the routes in between must be reachable.
[Figure 114 labels: DHCP clients on Ethernet; DHCP relay with Vlan-interface1 10.10.1.1/24 and Vlan-interface2 10.1.1.2/24; IP network; DHCP server 10.1.1.1/24]
Troubleshooting DHCP Relay Agent Configuration
Symptom
DHCP clients cannot obtain any configuration parameters via the DHCP relay agent.
Analysis
Some problems may occur with the DHCP relay agent or server configuration. Enable
debugging and execute the display command on the DHCP relay agent to view the
debugging information and interface state information to locate the problem.
Solution
Verify that:
DHCP is enabled on the DHCP server and relay agent.
An address pool on the same subnet where the DHCP clients reside is available on the
DHCP server.
The routes between the DHCP server and DHCP relay agent are reachable.
The relay agent interface connected to the DHCP clients is correlated with the correct DHCP
server group and the IP addresses of the group members are correct.
38 DHCP CLIENT CONFIGURATION
When configuring the DHCP client, go to these sections for information you are
interested in:
Introduction to DHCP Client
Enabling the DHCP Client on an Interface
Displaying and Maintaining the DHCP Client
DHCP Client Configuration Example
The DHCP client configuration is supported only on VLAN interfaces.
When multiple VLAN interfaces with the same MAC address use DHCP for IP address
acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or
Windows 2003 Server.
DHCP Snooping must be disabled on the DHCP client.
Introduction to DHCP Client
With the DHCP client enabled on an interface, the interface will use DHCP to obtain
configuration parameters such as an IP address from the DHCP server.
Enabling the DHCP Client on an Interface
Follow the steps in Table 290 to enable the DHCP client on an interface.
An interface can be configured to acquire an IP address in multiple ways, but these
ways are exclusive. The IP address obtained in a new way overwrites the IP address
obtained in the previous way.
After the DHCP client is enabled on an interface, no secondary IP address is
configurable for the interface.
Table 290 Enabling the DHCP Client on an Interface
To do: Enter system view | Command: system-view
To do: Enter interface view | Command: interface interface-type interface-number
To do: Enable the DHCP client on the interface | Command: ip address dhcp-alloc [ client-identifier mac interface-type interface-number ] | Remarks: Required; disabled by default
Displaying the DHCP Client
See Table 291.
DHCP Client Configuration Example
Network requirements
On a LAN, the DHCP client (4500G) contacts the DHCP server through the
Vlan-interface1 to obtain an IP address.
Figure 115 A DHCP network (4500G as the DHCP client)
Configuration procedure
The following is the configuration on the client switch shown in Figure 115.
1 Enable the DHCP client on Vlan-interface1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address dhcp-alloc
To implement the DHCP client-server model, you need to perform related configuration
on the DHCP server. Since the DHCP server configuration varies with devices, it is not
mentioned here.
Table 291 Displaying DHCP Client
To do: Display the specified configuration information | Command: display dhcp client [ verbose ] [ interface interface-type interface-number ] | Remarks: Available in any view
[Figure 115 labels: DHCP Server, VLAN-interface1 10.1.1.1/25, VLAN-interface1, LAN, WINS Server, DNS Server, Client, Client]
39 DHCP SNOOPING CONFIGURATION
When configuring DHCP snooping, refer to these sections for information:
DHCP Snooping Overview
Configuring DHCP Snooping
Displaying and Maintaining DHCP Snooping
DHCP Snooping Configuration Example
DHCP Snooping does not support link aggregation. If an Ethernet port is added to an
aggregation group, the DHCP Snooping configuration on it does not take effect. When the
port is removed from the group, DHCP Snooping can take effect.
The DHCP snooping enabled device does not work if it is between the DHCP relay
agent and the DHCP server; it can work when it is between the DHCP client and the relay
agent or between the DHCP client and the server.
The DHCP Snooping enabled device cannot be a DHCP server, DHCP relay agent,
DHCP client, or BOOTP client. Therefore, DHCP Snooping must be disabled on a DHCP
server, DHCP relay agent, DHCP client, or BOOTP client.
DHCP Snooping Overview
Function of DHCP Snooping
DHCP snooping is a DHCP security feature for preventing DHCP clients from receiving IP
addresses provided by untrusted DHCP servers. It allows a device to:
Drop DHCP responses received on untrusted ports, preventing DHCP clients from
receiving IP addresses provided by untrusted DHCP servers.
Listen to DHCP-REQUEST and DHCP-ACK messages, record and maintain binding
information about MAC addresses of DHCP clients and the obtained IP addresses, so
that network administrators can easily see which IP addresses are assigned to the
DHCP clients.
How Does DHCP Snooping Work
On a network, DHCP servers fall into two categories: valid and invalid. With DHCP
snooping, the ports of a device can be differentiated by whether they are trusted or
untrusted:
Trusted: A trusted port is connected to a valid DHCP server directly or indirectly. It
forwards DHCP messages normally, guaranteeing that DHCP clients can obtain valid
IP addresses.
Untrusted: An untrusted port is connected to an invalid DHCP server. The DHCP-ACK
or DHCP-OFFER packets received from the port are discarded, preventing DHCP
clients from receiving invalid IP addresses.
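The trusted/untrusted port model described above, with binding recording from REQUEST/ACK pairs, as an added Python model that is not the 4500G's implementation. Its permit_client() check also mirrors the relay agent's invalid IP address check from the previous chapter (dhcp relay address-check). The message records, port names and addresses are constructed to match Figure 116 and are assumptions.

```python
"""DHCP snooping trust model: added example, not the 4500G's implementation.

Server messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped,
which is how the page says a pseudo DHCP server is kept from answering
clients. REQUEST/ACK pairs seen via the trusted path populate an IP-to-MAC
binding table. permit_client() mirrors the relay agent's invalid IP address
check: traffic is allowed only if the client's IP/MAC pair matches a dynamic
or static binding. Message records are constructed dicts standing in for
parsed DHCP packets.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    static: bool = False


@dataclass
class DhcpSnooper:
    trusted: set = field(default_factory=set)       # ports with dhcp-snooping trust
    bindings: dict = field(default_factory=dict)    # client MAC -> Binding
    pending: dict = field(default_factory=dict)     # client MAC -> port of its last REQUEST
    dropped: list = field(default_factory=list)     # (type, port, server IP) of rejected replies

    def add_static(self, mac, ip, port):
        """Static binding, e.g. for the DHCP server itself before the check is enabled."""
        self.bindings[mac] = Binding(mac, ip, port, static=True)

    def process(self, msg):
        """Return True to forward the message, False if snooping drops it."""
        mtype, port, mac = msg["type"], msg["port"], msg["chaddr"]
        if mtype in SERVER_MESSAGES:
            if port not in self.trusted:
                # A server reply on an untrusted port: the client must not see it.
                self.dropped.append((mtype, port, msg.get("siaddr")))
                return False
            if mtype == "ACK" and mac in self.pending:
                # A REQUEST was seen from this client; the ACK completes the binding.
                self.bindings[mac] = Binding(mac, msg["yiaddr"], self.pending.pop(mac))
            return True
        if mtype == "REQUEST":
            self.pending[mac] = port
        return True

    def permit_client(self, ip, mac):
        """Invalid IP address check: only a known IP/MAC pair may pass."""
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip


def sample_run():
    """Replay a constructed exchange matching Figure 116: server on GE1/0/1,
    clients on GE1/0/2 and GE1/0/3, plus a rogue server answering on GE1/0/3."""
    s = DhcpSnooper(trusted={"GE1/0/1"})
    client = "00-e0-fc-00-00-02"
    for m in [
        {"type": "DISCOVER", "port": "GE1/0/2", "chaddr": client},
        {"type": "OFFER", "port": "GE1/0/3", "chaddr": client,          # rogue reply
         "siaddr": "10.1.1.99", "yiaddr": "10.1.1.200"},
        {"type": "OFFER", "port": "GE1/0/1", "chaddr": client,
         "siaddr": "10.1.1.1", "yiaddr": "10.1.1.20"},
        {"type": "REQUEST", "port": "GE1/0/2", "chaddr": client},
        {"type": "ACK", "port": "GE1/0/1", "chaddr": client,
         "siaddr": "10.1.1.1", "yiaddr": "10.1.1.20"},
    ]:
        s.process(m)
    return s
```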
Configuring DHCP Snooping
Follow the steps in Table 292 to configure DHCP snooping.
You must specify the ports connected to the valid DHCP servers as trusted to ensure that
DHCP clients can obtain valid IP addresses. The trusted port and the port connected to
the DHCP client must be in the same VLAN.
Displaying DHCP Snooping
See Table 293.
DHCP Snooping Configuration Example
Network requirements
A device is connected to a DHCP server through GigabitEthernet1/0/1, and to two
DHCP clients through GigabitEthernet1/0/2 and GigabitEthernet1/0/3.
GigabitEthernet1/0/1 forwards DHCP server responses while the other two do not.
Figure 116 Network diagram for DHCP snooping configuration
Table 292 Configuring DHCP Snooping
To do: Enter system view | Command: system-view
To do: Enable DHCP snooping | Command: dhcp-snooping | Remarks: Required; disabled by default
To do: Enter Ethernet port view | Command: interface interface-type interface-number
To do: Specify the port as trusted | Command: dhcp-snooping trust | Remarks: Required; untrusted by default
Table 293 Displaying DHCP Snooping
To do: Display DHCP snooping address binding information | Command: display dhcp-snooping | Remarks: Available in any view
To do: Display information about trusted ports | Command: display dhcp-snooping trust | Remarks: Available in any view
[Figure 116 labels: DHCP Server connected to GE1/0/1 of the DHCP Snooping device; DHCP Clients on GE1/0/2 and GE1/0/3]
Configuration procedure
1 Enable DHCP snooping.
<Sysname> system-view
[Sysname] dhcp-snooping
2 Specify GigabitEthernet1/0/1 as trusted.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp-snooping trust
All of the DHCP clients and DHCP servers must be configured for the DHCP clients to
obtain IP addresses. The configuration details, varying with the device type, are omitted
here.
40 BOOTP CLIENT CONFIGURATION
While configuring a bootstrap protocol (BOOTP) client, go to these sections for
information you are interested in:
Introduction to BOOTP Client
Configuring an Interface to Dynamically Obtain an IP Address through BOOTP
Displaying and Maintaining BOOTP Client Configuration
BOOTP client configuration only applies to VLAN interfaces.
If several VLAN interfaces sharing the same MAC address obtain IP addresses through
a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or
Windows 2003 Server.
DHCP Snooping must be disabled on the BOOTP client.
Introduction to BOOTP Client
This section covers these topics:
BOOTP Application
Obtaining an IP address dynamically
Protocols and Standards
BOOTP Application
After you specify an interface of the device as a BOOTP client, the interface can use
BOOTP to get information (such as an IP address) from the BOOTP server, which simplifies
your configuration.
Before using BOOTP, an administrator needs to configure a BOOTP parameter file for
each BOOTP client on the BOOTP server. The parameter file contains information such as
MAC address and IP address of a BOOTP client. When a BOOTP client originates a
request to the BOOTP server, the BOOTP server will search for the BOOTP parameter file
and return the corresponding configuration information.
Because you need to configure a parameter file for each client on the BOOTP server,
BOOTP usually runs in a relatively stable environment. If the network changes
frequently, the dynamic host configuration protocol (DHCP) can be applied. For an
introduction to DHCP, refer to Chapter 1 DHCP Overview.
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to
configure IP address for the BOOTP client without any BOOTP server.
Obtaining an IP Address Dynamically
A DHCP server can take the place of the BOOTP server in the following dynamic IP
address acquisition.
A BOOTP client dynamically obtains an IP address from a BOOTP server in the following
way:
1 The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2 The BOOTP server receives the request and searches the configuration file for the
corresponding IP address according to the MAC address of the BOOTP client. The BOOTP
server then returns a BOOTP response to the BOOTP client.
3 The BOOTP client obtains the IP address from the received response.
Protocols and Standards
Some protocols and standards related to BOOTP include:
RFC 951: Bootstrap Protocol (BOOTP)
RFC 2132: DHCP Options and BOOTP Vendor Extensions
RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
Configuring an Interface to Dynamically Obtain an IP Address through BOOTP
Follow the steps in Table 294 to configure an interface to dynamically obtain an IP address.
Displaying BOOTP Client Configuration
See Table 295.
Table 294 Configuring an Interface to Dynamically Obtain an IP Address through BOOTP
To do: Enter system view | Command: system-view
To do: Enter interface view | Command: interface interface-type interface-number
To do: Configure the interface to dynamically obtain an IP address through BOOTP | Command: ip address bootp-alloc | Remarks: Required; by default, an interface does not use BOOTP to obtain an IP address
Table 295 Displaying BOOTP Client Configuration
To do: Display related information on a BOOTP client | Command: display bootp client [ interface interface-type interface-number ] | Remarks: Available in any view
41 ACL OVERVIEW
ACL Overview
An access control list (ACL) is used primarily to identify traffic flows. In order to filter data
packets, a series of match rules must be configured on the network device to identify the
packets to be filtered. After the specific packets are identified, and based on the
predefined policy, the network device can permit or prohibit the corresponding packets to
pass.
ACLs classify packets based on a series of match conditions, which can be the source
addresses, destination addresses and port numbers carried in the packets.
The packet match rules defined by ACLs can be referenced by other functions that need
to differentiate traffic flows, such as the definition of traffic classification rules in QoS.
Time-Based ACL
A time range-based ACL enables you to implement ACL control over packets by
differentiating the time ranges.
A time range can be specified in each rule in an ACL. If the time range specified in a rule
is not configured, the system will give a prompt message and allow such a rule to be
successfully created. However, the rule does not take effect immediately. It takes effect
only when the specified time range is configured and the system time is within the time
range. If you remove the time range of an ACL rule, the ACL rule becomes invalid the
next time the ACL rule timer refreshes.
IPv4 ACL
This section covers these topics:
IPv4 ACL Classification
IPv4 ACL Match Order
IP Fragments Filtering with IPv4 ACL
IPv4 ACL Classification
IPv4 ACLs are numbered ACLs. Depending on the header fields used for filtering, they
fall into the following three types:
Basic ACL, based on source IP address.
Advanced ACL, based on source IP address, destination IP address, upper layer
protocol carried on IP, and other Layer 3 or Layer 4 protocol header fields.
Ethernet frame header ACL, based on Layer 2 protocol header fields such as source
MAC address, destination MAC address, 802.1p priority, and link layer protocol type.
IPv4 ACL Match Order
Each ACL is a sequential collection of rules defined with different matching criteria. The
order in which a packet is matched against the rules may thus affect how the packet is
handled.
At present, the following two match orders are available:
config: where rules are compared against in the order in which they are configured.
auto: where depth-first match is performed.
In a basic or advanced IPv4 ACL, depth-first match works as follows:
1 Sort rules first by the wildcard length of source IP address, with the one configured with
shorter wildcard being compared first.
2 When two rules with the same source IP address wildcard are present, the one with
shorter destination IP address wildcard is compared first.
3 If the lengths of their destination IP address wildcards are the same, the one configured
first is compared prior to the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared prior to
the rule with the source IP address wildcard 0.0.255.255.
In an Ethernet frame header ACL, depth-first match works as follows:
1 Sort rules first by the mask length of source MAC address, with the one configured with
longer mask length being compared first.
2 When two rules with the same source MAC address mask length are present, the one
with shorter destination MAC address mask length is compared prior to the other.
3 If the lengths of their destination MAC address masks are the same, the one configured
first is compared prior to the other.
For example, the rule with MAC address mask FFFF-FFFF-0000 is compared prior to the
rule with the source MAC address mask FFFF-0000-0000.
The display acl command displays ACL rules in their match order rather than the
configuration order.
The comparison of a packet against an ACL stops once a match is found. The packet is
then processed as per the rule.
IP Fragments Filtering with IPv4 ACL
Traditionally, an ACL checks only first fragments, not all IP fragments. All non-first fragments
are handled the way the first fragments are handled. This causes a security risk, as attackers
may fabricate non-first fragments to attack your network.
Note that ACL rules configured with the fragment keyword apply only to non-first
fragments, and those configured without the keyword apply to all packets (including first
fragments) except non-first fragments.
Look at the following commands:
[3Com-basic-2000] rule 1 deny source 202.101.1.0 0.0.0.255 fragment
[3Com-basic-2000] rule 2 permit source 202.101.2.0 0.0.0.255
[3Com-adv-3001] rule 3 permit ip destination 171.16.23.1 0 fragment
[3Com-adv-3001] rule 4 deny ip destination 171.16.23.2 0
Among these rules, the first and the third rules only apply to non-first fragments while
the second and the fourth apply to all packets but non-first fragments.
IPv4 ACL 413
IPv4 ACL Creation
An IPv4 ACL consists of a set of rules. Before you can configure ACL rules, you must first create an IPv4 ACL.
When creating an IPv4 ACL:
You must specify an ACL number (numeric type), and
You can optionally specify the match order of the IPv4 ACL.
After an IPv4 ACL is created, the IPv4 ACL view is displayed.
42 IPV4 ACL CONFIGURATION
This chapter covers these topics:
Creating a Time Range
Configuring a Basic IPv4 ACL
Configuring an Advanced IPv4 ACL
Configuring an Ethernet Frame Header ACL
Configuring a User-Defined IPv4 ACL
Displaying and Maintaining IPv4 ACLs
IPv4 ACL Configuration Example
Creating a Time Range
Three types of time ranges are available:
Periodic time range, which recurs periodically on the day or days of the week.
Absolute time range, which takes effect only in a period of time and does not recur.
Compound time range, which recurs on the day or days of the week within a period.
CAUTION: On the Switch 4500G, the start time of an absolute time range cannot be
earlier than 1970/1/1 00:00 and the end time of an absolute time range cannot be later
than 2100/12/31 24:00.
Configuration Procedure
Follow these steps to create a time range:
If only a periodic time section is defined in a time range, the time range is active only within the defined periodic time section.
If only an absolute time section is defined in a time range, the time range is active only within the defined absolute time section.
Table 296 Creating a Time Range
To do: Enter system view
  Command: system-view
To do: Create a time range
  Command: time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
  Remarks: Required
To do: Display the configuration and state of a specified or all time ranges
  Command: display time-range { all | time-name }
  Remarks: Optional. Available in any view
If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time section and the absolute time section are both matched. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only from 12:00 to 14:00 every Wednesday in 2004.
If the start time is not specified, the time range starts on the date of configuration and ends on the specified end date.
If the end date is not specified, the time range lasts from the date of configuration until the largest date available in the system.
Configuration Example
1 Create a time range that spans from 8:00 to 18:00 every working day.
<3Com> system-view
[3Com] time-range test 8:00 to 18:00 working-day
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
 08:00 to 18:00 working-day
The time range is shown as inactive because the current time falls on a Saturday, which is not a working day.
2 Create an absolute time range that spans from 15:00 2000/1/28 to 15:00 2004/1/28.
<3Com> system-view
[3Com] time-range test from 15:00 2000/1/28 to 15:00 2004/1/28
[3Com] display time-range test
Current time is 13:27:32 4/16/2005 Saturday
Time-range : test ( Inactive )
 from 15:00 1/28/2000 to 15:00 1/28/2004
Configuring a Basic IPv4 ACL
Basic IPv4 ACLs filter packets based on source IP address. They are numbered in the
range 2000 to 2999.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command first.
Configuration Procedure
Follow these steps to configure a basic IPv4 ACL:
When configuring a rule, note that:
1 In case the match order is config
If you specify a rule ID but a rule with the same rule ID already exists, the existing rule
will be displayed and you can edit the rule.
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
The content of the rule you are editing or defining cannot be identical with that of
any existing rule. Otherwise, the editing or creating operation will fail, and the system
will prompt that the rule already exists.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
2 In case the match order is auto
You can add a new rule or delete an existing rule, but you are not allowed to edit an existing rule (if you try, the system prompts an error).
A newly defined rule cannot be identical with any existing rule, otherwise the rule
cannot be successfully created (the system will prompt the rule already exists)
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
Table 297 Configuring a Basic IPv4 ACL
To do: Enter system view
  Command: system-view
To do: Create and enter a basic IPv4 ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: Required. The default match order is config.
To do: Create or modify a rule
  Command: rule [ rule-id ] { permit | deny } [ rule-string ]
  Remarks: Required. To create multiple rules, repeat this step.
To do: Set a rule numbering step
  Command: step step-value
  Remarks: Optional. The default step is 5.
To do: Create an ACL description
  Command: description text
  Remarks: Optional
To do: Create a rule description
  Command: rule rule-id comment text
  Remarks: Optional
To do: Display information about a specified or all IPv4 ACLs
  Command: display acl { all | acl-number }
  Remarks: Optional. Available in any view
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
When the match order is auto, the system inserts a newly created rule among the existing rules in depth-first order, without changing the ID of any rule.
CAUTION:
You can modify the match order of an ACL only when it does not contain any rules.
You can use the rule comment command only for existing ACL rules.
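The rule-numbering and editing behaviour above is easy to get wrong when scripting ACL changes, so the following Python model is added here as an illustration (it is not code from the 3Com guide). It implements the ID assignment rule (the smallest multiple of step-value greater than the largest existing ID, 0 for an empty ACL), rejects duplicate rule content, allows in-place edits only under the config match order, and refuses to change the match order of a non-empty ACL or to comment a rule that does not exist. The rule strings in demo() are constructed for the example.

```python
"""Rule numbering and editing rules of an IPv4 ACL view (config vs auto match order).
Added illustration, not 3Com code."""
from typing import Dict, Optional


class AclError(Exception):
    """Raised where the switch would print an error and refuse the command."""


class Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number = number
        self.match_order = match_order        # 'config' (default) or 'auto'
        self.step = step                      # rule numbering step, default 5
        self.rules: Dict[int, str] = {}       # rule ID -> rule text after permit/deny
        self.comments: Dict[int, str] = {}

    def next_rule_id(self) -> int:
        """Smallest multiple of step greater than the largest existing ID; 0 for an empty ACL."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Create a rule, or modify one in config order; returns the ID used."""
        if text in self.rules.values():
            raise AclError("The rule already exists")     # identical content is never accepted
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif rule_id in self.rules and self.match_order == "auto":
            raise AclError("Rules cannot be edited when the match order is auto")
        self.rules[rule_id] = text
        return rule_id

    def set_match_order(self, order: str) -> None:
        if self.rules:
            raise AclError("The match order can be changed only when the ACL has no rules")
        self.match_order = order

    def comment(self, rule_id: int, text: str) -> None:
        if rule_id not in self.rules:
            raise AclError("rule comment applies only to existing rules")
        self.comments[rule_id] = text


def rejected(acl: Acl, text: str, rule_id: Optional[int] = None) -> bool:
    """True when the switch would refuse the rule command."""
    try:
        acl.rule(text, rule_id)
    except AclError:
        return True
    return False


def demo() -> Acl:
    """The manual's numbering example: step 5, largest existing ID 28, next ID 30."""
    acl = Acl(2000)
    acl.rule("deny source 1.1.1.1 0")                         # empty ACL: ID 0
    acl.rule("permit source 10.0.0.0 0.255.255.255", rule_id=28)
    acl.rule("deny source 192.168.1.0 0.0.0.255")            # no ID given: 30
    return acl


def edit_in_config_order() -> str:
    """Config order lets an existing ID be reused to replace the rule's content."""
    acl = demo()
    acl.rule("permit source 172.16.0.0 0.0.255.255", rule_id=28)
    return acl.rules[28]


def auto_order_acl() -> Acl:
    acl = Acl(2001, match_order="auto")
    acl.rule("permit source 1.1.1.0 0.0.0.255", rule_id=10)
    return acl


if __name__ == "__main__":
    acl = demo()
    print("rule IDs:", sorted(acl.rules), "next:", acl.next_rule_id())
    print("duplicate rejected:", rejected(acl, "deny source 1.1.1.1 0"))
    print("edit under auto rejected:",
          rejected(auto_order_acl(), "deny source 2.2.2.0 0.0.0.255", rule_id=10))
```

The practical consequence for change management: under the default config order a rule ID identifies a slot you can overwrite, so a script that re-applies a rule with an existing ID silently replaces whatever was there; under auto order the same command fails, and new rules must be deleted and re-added instead.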
Configuration Example
1 Create basic IPv4 ACL 2000 to deny packets with the source address 1.1.1.1.
<3Com> system-view
[3Com] acl number 2000
[3Com-acl-basic-2000] rule deny source 1.1.1.1 0
2 Verify the configuration.
[3Com-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule,
Acl's step is 5
 rule 0 deny source 1.1.1.1 0 (0 times matched)
Configuring an Advanced IPv4 ACL
Advanced IPv4 ACLs filter packets based on source IP address, destination IP address,
upper protocol carried on IP, and other protocol header fields, such as the TCP/UDP
source port, TCP/UDP destination port, TCP flag, ICMP message type, and ICMP message
code.
In addition, advanced ACLs allow you to filter packets based on three priority criteria:
type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Advanced ACLs are numbered in the range 3000 to 3999. Compared to basic ACLs, they allow more flexible and accurate filtering.
When you configure both IP priority and ToS priority for a rule, both priorities are
valid.
When you configure both IP/ToS priority and DSCP for a rule, only DSCP is valid.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command first.
Configuration Procedure
Follow these steps to configure an advanced IPv4 ACL:
When configuring a rule, note that:
1 In case the match order is config
If you specify a rule ID but a rule with the same rule ID already exists, the existing rule
will be displayed and you can edit the rule.
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
The content of the rule you are editing or defining cannot be identical with that of
any existing rule. Otherwise, the editing or creating operation will fail, and the system
will prompt that the rule already exists.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
2 In case the match order is auto
You can add a new rule or delete an existing rule, but you are not allowed to edit an existing rule (if you try, the system prompts an error).
A newly defined rule cannot be identical with any existing rule, otherwise the rule
cannot be successfully created (the system will prompt the rule already exists)
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
Table 298 Configuring an Advanced IPv4 ACL
To do: Enter system view
  Command: system-view
To do: Create and enter an advanced IPv4 ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: Required. The default match order is config.
To do: Create or modify a rule
  Command: rule [ rule-id ] { permit | deny } protocol [ rule-string ]
  Remarks: Required. To create multiple rules, repeat this step.
To do: Set a rule numbering step
  Command: step step-value
  Remarks: Optional. The default step is 5.
To do: Create an ACL description
  Command: description text
  Remarks: Optional
To do: Create a rule description
  Command: rule rule-id comment text
  Remarks: Optional
To do: Display information about a specified or all IPv4 ACLs
  Command: display acl { all | acl-number }
  Remarks: Optional. Available in any view
When the match order is auto, the system inserts a newly created rule among the existing rules in depth-first order, without changing the ID of any rule.
CAUTION:
You can modify the match order of an ACL only when it does not contain any rules.
You can use the rule comment command only for existing ACL rules.
Configuration Example
1 Create advanced IPv4 ACL 3000 to permit TCP packets with destination port 80 sent from the 129.9.0.0/16 network to the 202.38.160.0/24 network.
<3Com> system-view
[3Com] acl number 3000
[3Com-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
2 Verify the configuration. Note that the switch displays port 80 by its keyword, www.
[3Com-acl-adv-3000] display acl 3000
Advanced ACL 3000, 1 rule,
Acl's step is 5
 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (0 times matched)
Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs filter packets based on Layer 2 protocol header fields such
as source MAC address, destination MAC address, 802.1p priority, and link layer protocol
type. They are numbered in the range 4000 to 4999.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command first.
Configuration Procedure
Follow these steps to configure an Ethernet frame header ACL:
Table 299 Configuring an Ethernet Frame Header ACL
To do: Enter system view
  Command: system-view
To do: Create and enter an Ethernet frame header ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: Required. The default match order is config.
To do: Create or modify a rule
  Command: rule [ rule-id ] { permit | deny } [ rule-string ]
  Remarks: Required. To create multiple rules, repeat this step.
To do: Set a rule numbering step
  Command: step step-value
  Remarks: Optional. The default step is 5.
To do: Create an ACL description
  Command: description text
  Remarks: Optional
To do: Create a rule description
  Command: rule rule-id comment text
  Remarks: Optional
To do: Display information about a specified or all IPv4 ACLs
  Command: display acl { all | acl-number }
  Remarks: Optional. Available in any view
When configuring a rule, note that:
1 In case the match order is config
If you specify a rule ID but a rule with the same rule ID already exists, the existing rule
will be displayed and you can edit the rule.
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
The content of the rule you are editing or defining cannot be identical with that of
any existing rule. Otherwise, the editing or creating operation will fail, and the system
will prompt that the rule already exists.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
2 In case the match order is auto
You can add a new rule or delete an existing rule, but you are not allowed to edit an existing rule (if you try, the system prompts an error).
A newly defined rule cannot be identical with any existing rule, otherwise the rule
cannot be successfully created (the system will prompt the rule already exists)
If you specify a rule ID and no existing rule has the same rule ID, a new rule will be
defined and created.
If you do not specify a rule ID, a new rule will be defined and created, and the system
will automatically assign the following ID to the rule: the smallest multiple of
step-value that is greater than the largest ID of existing rules. For example, suppose
the step-value is 5 and the largest ID of existing rules is 28; if you do not specify an ID
when defining a rule, the system will automatically assign ID 30 to the rule.
When the match order is auto, the system inserts a newly created rule among the existing rules in depth-first order, without changing the ID of any rule.
CAUTION:
You can modify the match order of an ACL only when it does not contain any rules.
You can use the rule comment command only for existing ACL rules.
Configuration Example
1 Create Ethernet frame header ACL 4000 to deny frames with the 802.1p priority of 3.
<3Com> system-view
[3Com] acl number 4000
[3Com-acl-ethernetframe-4000] rule deny cos 3
2 Verify the configuration. Note that the switch displays the priority value 3 by its keyword, excellent-effort.
[3Com-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule,
Acl's step is 5
 rule 0 deny cos excellent-effort (0 times matched)
Displaying and Maintaining IPv4 ACLs
The display and reset commands for IPv4 ACLs and time ranges are listed in Table 300.
IPv4 ACL Configuration Example
Network Requirements
Different departments of an enterprise are interconnected on the intranet through the ports of a switch. The IP address of the salary server is 192.168.1.2. Devices of the R&D department are connected to port GigabitEthernet1/0/1 of the switch. Apply an ACL to deny requests sourced from the R&D department and destined for the salary server during working hours (8:00 to 18:00).
Network Diagram
Figure 117 Network diagram for ACL configuration
Configuration Procedure
1 Create a time range for office hours
a Create a periodic time range spanning 8:00 to 18:00 on working days.
<3Com> system-view
[3Com] time-range trname 8:00 to 18:00 working-day
2 Define an ACL to control access to the salary server
a Create and enter the view of advanced IPv4 ACL 3000.
[3Com] acl number 3000
b Create a rule to control access of the R&D Department to the salary server.
[3Com-acl-adv-3000] rule 0 deny ip source any destination 192.168.1.2 0.0.0.0 time-range trname
[3Com-acl-adv-3000] quit
Table 300 Displaying and Maintaining IPv4 ACLs
To do: Display information about a specified or all IPv4 ACLs
  Command: display acl { all | acl-number }
  Remarks: Available in any view
To do: Display the configuration and state of a specified or all time ranges
  Command: display time-range { all | time-name }
  Remarks: Available in any view
To do: Clear the statistics about the specified or all ACLs
  Command: reset acl counter { all | acl-number }
  Remarks: Available in user view
[Figure 117 shows the switch with three ports, #1, #2 and #3, connecting the R&D Department, the salary server (192.168.1.2) and a link to a router.]
3 Apply the ACL
Apply IPv4 ACL 3000 to the inbound direction of interface GigabitEthernet1/0/1 through a QoS policy.
[3Com] traffic classifier test
[3Com-classifier-test] if-match acl 3000
[3Com-classifier-test] quit
[3Com] traffic behavior test
[3Com-behavior-test] filter deny
[3Com-behavior-test] quit
[3Com] qos policy test
[3Com-qospolicy-test] classifier test behavior test
[3Com-qospolicy-test] quit
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos apply policy test inbound
43 QOS OVERVIEW
Introduction
Quality of Service (QoS) is a concept that applies wherever a supply-demand relationship for a service exists. QoS measures the ability to meet the service needs of customers. The evaluation generally does not produce a precise grade; its purpose is to identify the conditions under which the service is good and those under which it still needs improvement, so that specific improvements can be made.
On the Internet, QoS measures the ability of the network to deliver packets. Because the network provides diverse services, QoS can be evaluated from different aspects. Generally speaking, QoS evaluates how well the service supports the critical indexes of packet delivery, such as delay, delay jitter and packet loss rate.
Traditional Packet Delivery Service
The traditional IP network treats all packets equally. The switch processes packets on a first in first out (FIFO) basis and assigns the resources needed for forwarding according to the arrival time of each packet. All packets share the network and router resources, and the resources a packet obtains depend entirely on its arrival time.
This service policy is called Best-Effort: the switch makes its best effort to deliver packets to the destination but gives no guarantee for delay, delay jitter, packet loss rate or reliability.
The traditional Best-Effort policy is suitable only for services such as WWW, FTP and E-mail, which are not sensitive to bandwidth and delay.
New Requirements
Brought forth by
New Services
With the fast development of computer networks, more and more networks are
connected into Internet. Internet extends very quickly in scale, coverage and the number
of users. More and more users use the Internet as a platform for data transmission and
develop various applications on it.
Besides traditional applications such as WWW, E-mail, and FTP, Internet users also try to
develop new services on Internet, such as tele-education, tele-medicine, video phones,
video conferencing, and video on demand (VOD). Enterprise users also hope to connect
their branch offices in different locations through the VPN technology to develop some
transaction applications, such as to access to the database of the company or to manage
remote switches through Telnet.
The new services have one thing in common: they all have special requirements for
delivery performances such as bandwidth, delay, and delay jitter. For example, video
conferencing and VOD require the guarantee of high bandwidth, low delay and low
delay jitter. Some key services such as the transaction handling and the Telnet do not
necessarily require high bandwidth but they are highly dependent on low delay and need
to be processed preferentially in case of congestion.
The emergence of new services brings forward higher requirements for the service
capability of the IP network. In the delivery process, users hope to get better services,
such as dedicated bandwidth for users, reduced packet loss rate, management and
avoidance of network congestion, control of network traffic, provision of packet priority,
and so on, instead of just having packets delivered to the destination. To meet these
requirements, the network service capability need to be further improved.
Occurrence and Influence of Congestion and the Countermeasures
The QoS issues that traditional networks face are mainly caused by congestion. Congestion means a reduced service rate and extra delay caused by resources that are insufficient relative to demand.
Occurrence of Congestion
Congestion is very common in the complex packet-switching environment of the Internet. The diagram below gives two examples:
Figure 118 Traffic congestion
1 Packets enter a router over a high-speed link and are forwarded out over a low-speed
link.
2 Packets enter a router through multiple interfaces of the same rate at the same time and
are forwarded out on an interface of the same rate.
If the traffic arrives at the wire speed, the traffic will encounter the bottleneck of
resources and congestion occurs.
Besides bandwidth bottleneck, any insufficiency of resources for packet forwarding, such
as insufficiency of assignable processor time, buffer size, and memory resources can
cause congestion. In addition, congestion will also occur if the traffic that arrives within a
certain period of time is improperly controlled and the traffic goes beyond the assignable
network resources.
[Figure 118 shows, on the left, traffic congestion on interfaces of different rates (a 1000M ingress link forwarded onto a 100M egress link) and, on the right, traffic congestion on interfaces of the same rate (several 100M ingress links forwarded onto a single 100M egress link).]
Influence of Congestion
Congestion may cause a series of negative effects:
Congestion increases delay and delay jitter in packet delivery.
Excessively high delay causes retransmission of packets.
Congestion decreases the effective throughput of the network and the utilization of network resources.
Aggravated congestion consumes a large amount of network resources (especially memory), and unreasonable resource assignment can even lead to system resource deadlock and a system breakdown.
It is obvious that congestion is the root cause of declining service performance, because it prevents traffic from obtaining resources in time. However, congestion is common in a complex environment where packet switching and multi-user services coexist. Therefore, congestion must be treated carefully.
Countermeasures Increasing network bandwidth is a direct way to solve the problem of resource
insufficiency, but it cannot solve all the problems that cause network congestion.
A more effective way to solve network congestion problems is to enhance the function
of the network layer in traffic control and resource assignment, to provide differentiated
services for different requirements, and to assign and utilize resources correctly. In the
process of resource assignment and traffic control, the direct or indirect factors that may
cause network congestion must be properly controlled so as to reduce the probability of
congestion. When congestion occurs, the resource assignment should be balanced
according to the features and requirements of all the services to minimize the influence
of congestion on QoS.
Major Traffic
Management
Techniques
Traffic classification, traffic policing (TP), traffic shaping (TS), congestion management,
and congestion avoidance are the foundation for providing differentiated services. Their
main functions are as follows:
Traffic classification: Identifies packets according to certain match rules. Traffic
classification is the prerequisite of providing differentiated services.
TP: Monitors and controls the specifications of specific traffic entering the device.
When the traffic exceeds the threshold, restrictive or punitive measures can be taken
to protect the business interests and network resources of the operator from being
damaged.
Congestion management: Congestion management is necessary for solving resource
competition. Congestion management is generally to cache packets in the queues
and arrange the forwarding sequence of the packets based on a certain scheduling
algorithm.
Congestion avoidance: Excessive congestion will impair the network resources.
Congestion avoidance is to supervise the network resource usage. When it is found
that congestion is likely to become worse, the congestion avoidance mechanism will
drop packets and regulate traffic to solve the overload of the network.
TS: TS is a traffic control measure to regulate the output rate of the traffic actively. TS
regulates the traffic to match the network resources that can be provided by the
downstream devices so as to avoid unnecessary packet loss and congestion.
Among the traffic management techniques, traffic classification is the basis because it
identifies packets according to certain match rules, which is the prerequisite of providing
differentiated services. TP, TS, congestion management, and congestion avoidance
control network traffic and assigned resources from different approaches, and are the
concrete ways of providing differentiated services.
Switch 4500G Switches support the following functions:
Traffic classification
Access control
TP
Congestion management
Traffic Classification
Traffic classification identifies packets with certain characteristics according to certain rules. It is the basis and prerequisite for providing differentiated services.
A traffic classification rule can use the precedence bits in the type of service (ToS) field of the IP packet header to identify traffic with different precedence characteristics. A traffic classification rule can also classify traffic according to a classification policy set by the network administrator, such as a combination of source addresses, destination addresses, MAC addresses, IP protocol or the port numbers of the applications. Traffic classification is generally based on the information in the packet header and rarely on the content of the packet. The classification result can be of any granularity: as narrow as the traffic identified by a quintuple (source address, source port number, protocol number, destination address and destination port number), or as wide as all the packets to a certain network segment.
Generally, the precedence of bits in the ToS field of the packet header is set when
packets are classified on the network border. Thus, IP precedence can be used directly as
the classification criterion inside the network. Queue techniques can also process packets
differently according to IP precedence. The downstream network can either accept the
classification results of the upstream network or re-classify the packets according to its
own criterion.
The purpose of traffic classification is to provide differentiated services, so traffic
classification is significant only when it is associated with a certain traffic control or
resource assignment action. The specific traffic control action to be adopted depends on
the phase and the current load status. For example, when the packets enter the network,
TP is performed on the packets according to CIR; before the packets flow out of the
node, TS is performed on the packets; when congestion occurs, queue scheduling is
performed on the packets; when congestion get worse, congestion avoidance is
performed on the packets.
Precedence
The following describes several types of precedence:
1 IP precedence, ToS precedence and DSCP precedence
Figure 119 DS field and ToS byte
As shown in the figure above, the ToS field in the IP header contains 8 bits:
The first three bits (bits 0 to 2) indicate IP precedence, in the value range 0 to 7.
Bits 3 to 6 indicate ToS precedence, in the value range 0 to 15.
RFC 2474 redefines the ToS field of the IP packet header as the DS field. The first six bits (bits 0 to 5) of the DS field carry the DSCP precedence, in the value range 0 to 63. The last two bits (bits 6 and 7) are reserved.
2 802.1p priority
802.1p priority lies in the Layer 2 frame header. It suits cases where QoS is needed at Layer 2 without analyzing the Layer 3 packet header.
Figure 120 The format of an Ethernet frame with an 802.1Q tag header
As shown in the figure above, a host supporting the 802.1Q protocol inserts a 4-byte 802.1Q tag header after the source address of the original Ethernet frame header when sending a frame.
The 4-byte 802.1Q tag header consists of a 2-byte Tag Protocol Identifier (TPID), whose value is 0x8100, and a 2-byte Tag Control Information (TCI) field. The TPID is a new type defined by IEEE to indicate a frame carrying an 802.1Q tag. The following figure shows the detailed contents of an 802.1Q tag header.
Figure 121 The format of an 802.1Q tag header
Figure 121 The format of an 802.1Q tag header
In the figure above, the 3-bit Priority field of the TCI is the 802.1p priority, in the value range 0 to 7. These three bits represent the priority of the frame; the eight priority levels determine which frame is sent first when congestion occurs on the switch. They are called 802.1p priority because the applications of these priority levels are defined in detail in the 802.1p specification.
Introduction to TP
If the traffic from users is not limited, a large amount of continuous burst traffic will worsen network congestion. User traffic must be limited in order to make better use of the limited network resources and to provide better service to more users. For example, if a traffic flow obtains only the resources committed to it within a certain period of time, network congestion due to excessive burst traffic can be avoided.
TP is a traffic control policy that limits traffic and its resource usage by supervising the traffic specification. The regulation policy is applied according to the evaluation result, that is, on the basis of knowing whether the traffic exceeds the specification. Generally, the token bucket algorithm is used to evaluate the traffic specification.
Traffic Evaluation and Token Bucket
The features of the token bucket
The token bucket can be considered as a container with a certain capacity to hold
tokens. The system puts tokens into the bucket at the set rate. When the token bucket is
full, the tokens in excess overflow and the number of tokens in the bucket stops
increasing, as shown in Figure 122.
Figure 122 Evaluate the traffic with the token bucket
Evaluate the traffic with the token bucket
The evaluation of the traffic specification is based on whether the number of tokens in
the bucket can meet the need of packet forwarding. If the number of tokens in the
bucket is enough for forwarding the packets, the traffic is compliant with the
specification; otherwise the traffic is incompliant with, or in excess of, the specification.
[Figure 122: a packet to be sent on the interface is classified and checked against the token bucket, into which tokens are put at the set rate; if enough tokens are available the packet continues to be sent, otherwise it is dropped.]
Major Traffic Management Techniques 431
The parameters of the token bucket used for traffic evaluation are:
Average rate: The rate at which tokens are put into the bucket, namely the average
rate of permitted traffic. It is typically set to the committed information rate (CIR).
Burst size: The capacity of the token bucket, namely the maximum amount of traffic
permitted in each burst. It is typically set to the committed burst size (CBS). The burst
size must be larger than the maximum packet length; otherwise a maximum-length
packet can never find enough tokens in the bucket and is always treated as in excess.
An evaluation is performed on the arrival of each packet. If the bucket holds enough
tokens for the packet, the traffic is within the specification and a number of tokens
equivalent to the packet's forwarding authority (its length) is taken out of the bucket;
otherwise too many tokens have already been used and the traffic is in excess of the
specification.
TP
A typical application of TP is to supervise the specification of a certain traffic flow
entering the network and keep it within a reasonable range, or to penalize the traffic in
excess. Thus the network resources and the interests of the carrier are protected. For
example, you can limit the bandwidth usage of HTTP packets to 50% of the network
bandwidth. If the traffic of a certain connection is in excess, TP can either drop the
packets or reset their priority.
TP is widely used to police the traffic entering the network of an Internet service provider
(ISP). In addition, TP can classify the policed traffic and perform pre-defined policing
actions according to the evaluation result. These actions include:
Forward: Forward the packets whose evaluation result is compliant.
Drop: Drop the packets whose evaluation result is incompliant.
Modify the precedence and forward: Modify the precedence of the packets whose
evaluation result is partially compliant and forward them.
Introduction to LR
You can use line rate (LR) to limit the total rate at which packets (including urgent
packets) are sent on a physical interface.
LR also uses a token bucket for traffic control. If LR is enabled on an interface of the
device, all packets sent via this interface are first processed by the LR token bucket. If
the bucket has enough tokens, the packets can be sent; otherwise the packets enter the
QoS queues for congestion management. In this way the traffic via the physical
interface is controlled.
432 CHAPTER 43: QOS OVERVIEW
Figure 123 LR processing procedure
Because a token bucket is used for traffic control, burst transmission of packets is
allowed while the bucket holds tokens; when the bucket is empty, packets cannot be
sent until new tokens are generated. Thus the packet rate cannot exceed the rate at
which tokens are generated for long: the traffic is limited, but bursts are permitted.
Compared with TP, LR controls all packets sent via a physical interface. When you only
want to limit the rate of all packets, LR is simpler than TP.
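The token-bucket evaluation described above for TP and for LR, as an added Python example (not the switch's firmware or any 3Com code): a single-rate bucket sized by CIR and CBS, the CAR-style red actions (discard, pass, remark-dscp-pass), and a queue action standing in for LR, where a non-conforming packet goes to the QoS queues instead of being dropped. The packet flow, the millisecond timestamps and the one-token-per-byte accounting are constructed assumptions.

```python
"""Single-rate token-bucket policer: the evaluation behind TP/CAR and LR."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    cir_kbps: int     # token fill rate: committed information rate, kbit/s
    cbs_bytes: int    # bucket capacity: committed burst size, bytes

    def __post_init__(self):
        self.tokens = float(self.cbs_bytes)   # the bucket starts full
        self.last_ms = 0

    def _refill(self, now_ms):
        # One token = one byte; kbit/s to bytes per millisecond is cir / 8.
        # Tokens beyond the capacity overflow and are lost.
        added = (now_ms - self.last_ms) * self.cir_kbps / 8
        self.tokens = min(float(self.cbs_bytes), self.tokens + added)
        self.last_ms = now_ms

    def evaluate(self, now_ms, size):
        """'green' if the packet conforms (its tokens are consumed), else 'red'."""
        self._refill(now_ms)
        if size <= self.tokens:
            self.tokens -= size
            return "green"
        return "red"


def police(packets, cir_kbps, cbs_bytes, red_action="discard", new_dscp=None):
    """Run (time_ms, size_bytes, dscp) packets through one bucket.

    red_action mirrors the car action's red keyword: 'discard', 'pass' or
    'remark-dscp-pass' (with new_dscp). 'queue' stands in for LR, which sends
    a non-conforming packet to the QoS queues instead of dropping it.
    Returns one (verdict, action, dscp) tuple per packet.
    """
    if red_action not in ("discard", "pass", "remark-dscp-pass", "queue"):
        raise ValueError(f"unknown red action {red_action!r}")
    if red_action == "remark-dscp-pass" and not (new_dscp is not None and 0 <= new_dscp <= 63):
        raise ValueError("remark-dscp-pass needs a new DSCP in the range 0 to 63")
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    results = []
    for t, size, dscp in packets:
        verdict = bucket.evaluate(t, size)
        if verdict == "green" or red_action == "pass":
            results.append((verdict, "forward", dscp))
        elif red_action == "discard":
            results.append((verdict, "drop", dscp))
        elif red_action == "queue":
            results.append((verdict, "queue", dscp))
        else:
            results.append((verdict, "forward", new_dscp))
    return results


# Constructed sample flow: a burst of three 1500-byte packets at t=0, then one
# 1500-byte packet every 10 ms (1.2 Mbit/s). At CIR 640 kbit/s only 800 bytes
# of tokens arrive per 10 ms, so the flow exceeds the specification once the
# CBS burst credit has been spent.
SAMPLE_FLOW = [(0, 1500, 0), (0, 1500, 0), (0, 1500, 0),
               (10, 1500, 0), (20, 1500, 0), (30, 1500, 0), (40, 1500, 0)]


def run_demo():
    return police(SAMPLE_FLOW, cir_kbps=640, cbs_bytes=4000,
                  red_action="remark-dscp-pass", new_dscp=8)


if __name__ == "__main__":
    for pkt, res in zip(SAMPLE_FLOW, run_demo()):
        print(pkt, "->", res)
```

Running it shows the first two packets of the burst fitting into the 4000-byte CBS and the third not, after which the 1.2 Mbit/s stream is marked red on every other packet at CIR 640 kbit/s, while the same stream at CIR 1200 kbit/s conforms once the burst has passed. A packet larger than the CBS is red no matter how long the bucket has been refilling, which is why the page requires the burst size to exceed the maximum packet length.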
LR Configuration
LR Configuration Procedure
Configuring LR limits the rate of inbound packets or outbound packets via physical
interfaces.
[Figure 123: packets to be sent via the interface are classified and checked against the token bucket, into which tokens are put at the set rate; conforming packets are sent, the rest are buffered in the QoS queues before being sent.]
Table 301 LR configuration procedure
1 Enter system view
  Command: system-view
2 Enter port view or port group view (enter either view)
  Port view: interface interface-type interface-number
  Port group view: port-group { manual port-group-name | aggregation agg-id }
  Remarks: In Ethernet interface view the following configuration takes effect only on the current interface; in port group view it takes effect on all the ports in the port group.
3 Set LR
  Command: qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]
  Remarks: Required.
4 Display the LR configuration and statistics of an interface
  Command: display qos lr interface [ interface-type interface-number ]
  Remarks: You can execute the display command in any view.
LR Configuration Example
Limit the outbound rate of GigabitEthernet1/0/1 to 640 kbps.
a Enter system view
<3Com> system-view
b Enter interface view
[3Com] interface GigabitEthernet1/0/1
c Configure the LR parameter and limit the outbound rate to 640 kbps
[3Com-GigabitEthernet1/0/1] qos lr outbound cir 640
44 QOS POLICY CONFIGURATION
Overview
A QoS policy includes three elements: class, traffic behavior and policy. You can bind a
specified class to a specified traffic behavior through a QoS policy to simplify the QoS
configuration.
Class
A class is used to identify traffic.
The elements of a class are the class name and its classification rules.
You can use commands to define a series of rules to classify packets. Additionally, you
can define the relationship among the classification rules as and or or:
and: The device considers a packet to belong to the class when the packet matches
all the specified classification rules.
or: The device considers a packet to belong to the class when the packet matches any
one of the specified classification rules.
Traffic behavior
A traffic behavior defines the QoS actions performed on packets.
The elements of a traffic behavior are the traffic behavior name and the actions defined
in it.
You can define multiple actions in one traffic behavior.
Policy
A policy binds a specified class to a specified traffic behavior.
The elements of a policy are the policy name and the names of the
class-to-behavior bindings.
Configuring QoS Policy
The procedure for configuring a QoS policy is as follows:
1 Define a class and define a group of traffic classification rules in class view.
2 Define a traffic behavior and define a group of QoS actions in traffic behavior view.
3 Define a policy and specify the traffic behavior corresponding to the class in policy view.
4 Apply the QoS policy in Ethernet port view.
436 CHAPTER 44: QOS POLICY CONFIGURATION
Introducing Each QoS Policy
Table 302 Introduce each QoS policy
For every policy type, the class is defined with the if-match match-criteria command and the traffic behavior uses the command listed:
Accounting: accounting
CAR (traffic policing): car
Traffic filtering: filter
Traffic mirroring: mirror-to
Traffic redirection: redirect
Priority remark: remark
Configuring QoS Policy
Configuration Prerequisites
The class name and the classification rules used in the policy are specified.
The traffic behavior name and the actions in the traffic behavior are specified.
The policy name is specified.
Where and how to apply the policy is specified.
Defining a Class
Create a class name first and then configure match rules in class view.
Configuration procedure
Table 303 Define a class
1 Enter system view
  Command: system-view
2 Define a class and enter class view
  Command: traffic classifier tcl-name [ operator { and | or } ]
  Remarks: Required. The operator is and by default, that is, the relationship among all the match rules is logical and.
3 Define a match rule
  Command: if-match match-criteria
  Remarks: Required.
4 Display the information about the class
  Command: display traffic classifier user-defined [ tcl-name ]
  Remarks: Optional. You can execute the display command in any view.
match-criteria: Match rule for a class; see Table 304 for its range.
Observe the following restrictions when defining a match rule; otherwise you will fail to
apply the policy.
If customer-vlan-id, dot1p, dscp, ip-precedence or service-vlan-id is
to be matched, do not configure multiple values in one rule when you use the
if-match command to define the match rule.
When you specify the logic relationship as and, you can configure only one ACL rule.
Configuration example
1 Network requirements
Configure a class named test and define a rule to match packets whose IP precedence
is 6.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Define the class and enter class view.
[3Com] traffic classifier test
c Configure the classification rule.
[3Com-classifier-test] if-match ip-precedence 6
Defining a Traffic Behavior
To define a traffic behavior, create a traffic behavior name first and then configure its
actions in traffic behavior view.
Table 304 The value range of the match rule for a class
acl access-list-number: Defines an ACL rule. The access-list-number argument is in the range of 2,000 to 4,999.
any: Defines a rule to match all packets.
customer-vlan-id vlan-id-list: Defines a rule to match VLAN IDs of the user network. The vlan-id-list argument is a list of VLAN IDs in the range of 1 to 4,094.
destination-mac mac-address: Defines a rule to match destination MAC addresses.
dot1p dot1p-list: Defines a rule to match 802.1p priority. The dot1p-list argument is a list of CoS values in the range of 0 to 7.
dscp dscp-list: Defines a rule to match DSCP precedence. The dscp-list argument is a list of DSCP values in the range of 0 to 63.
ip-precedence ip-precedence-list: Defines a rule to match IP precedence. The ip-precedence-list argument is a list of IP precedence values in the range of 0 to 7.
service-vlan-id vlan-id-list: Defines a rule to match VLAN IDs of the operator's network. The vlan-id-list argument is a list of VLAN IDs in the range of 1 to 4,094.
source-mac mac-address: Defines a rule to match source MAC addresses.
Configuration procedure
The red action keyword of the car action in a traffic behavior defines what happens to
packets that do not conform to the committed access rate (CAR). The actions are:
discard: Drops the packet.
pass: Forwards the packet.
remark-dscp-pass new-dscp: Remarks the DSCP precedence of the packet and
forwards it to the destination address. The DSCP precedence is in the range of 0 to 63.
CAUTION: Observe the following restrictions when defining traffic behaviors;
otherwise you will fail to apply the policies.
remark dot1p and remark local-precedence cannot be configured at the
same time.
filter deny cannot be configured together with any other action except
accounting.
Table 305 Define a traffic behavior
1 Enter system view
  Command: system-view
2 Define a traffic behavior and enter traffic behavior view
  Command: traffic behavior behavior-name
  Remarks: Required. behavior-name: traffic behavior name.
3 Configure the actions of the traffic behavior as required (configure the corresponding traffic behaviors you need):
  Configure the accounting action: accounting
  Configure TP: car cir committed-information-rate [ cbs committed-burst-size ] [ red action ]
  Configure the traffic filtering action: filter { deny | permit }
  Configure the traffic mirroring action: mirror-to interface-type interface-number
  Configure the traffic redirect action: redirect interface interface-type interface-number
  Mark the 802.1p priority of the packet: remark dot1p dot1p
  Mark the DSCP precedence of the packet: remark dscp dscp-value
  Mark the IP precedence of the packet: remark ip-precedence ip-precedence-value
  Mark the local precedence of the packet: remark local-precedence local-precedence
4 Display the traffic behavior information
  Command: display traffic behavior user-defined [ behavior-name ]
  Remarks: Optional. You can execute the display command in any view.
When you configure the car action or accounting action in a traffic behavior, each
rule defined in the traffic classification carries out the action separately, rather than all
the rules sharing one instance of the action. For example, if CAR is set to 64 kbps and
the traffic classification includes 10 rules, 64 kbps is the CAR for the packets matching
each rule, not the total CAR for the packets matching all ten rules.
After traffic mirroring, packets do not go through port mirroring again: if you configure
the destination port of traffic mirroring as the source port of a port mirroring group,
the destination port of the port mirroring group does not receive the packets that were
mirrored by traffic mirroring.
When the ingress port of the packets (which belongs to the VLAN according to the
VLAN policy) is the source port of both traffic mirroring and a port mirroring group at
the same time, the traffic mirroring configuration takes precedence over the port
mirroring configuration. Packets matching the rule are mirrored to the destination port
of traffic mirroring, whereas packets that do not match the rule are mirrored to the
destination port of the port mirroring group.
Before configuring redirection, you can configure multiple STP instances. If the home
VLAN of the source port for redirection and the home VLAN of the destination port for
redirection belong to different instances, redirection fails: the packet is dropped and is
not forwarded on any port.
Configuration example
1 Network requirements
Configure a traffic behavior named test, enable TP, and set the committed information
rate (CIR) to 6,400 kbps.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Define a traffic behavior and enter traffic behavior view.
[3Com] traffic behavior test
c Configure the CAR action.
[3Com-behavior-test] car cir 6400
Configuring a Policy
A policy defines the class-to-traffic-behavior mappings. Each traffic behavior consists
of a group of QoS actions.
Configuration procedure
Table 306 Specify the traffic behavior for a class in the policy
1 Enter system view
  Command: system-view
2 Define a policy and enter policy view
  Command: qos policy policy-name
3 Specify the traffic behavior for a class in the policy
  Command: classifier tcl-name behavior behavior-name
  Remarks: Required. tcl-name: class name; the class must already be defined, either system-defined or user-defined. behavior-name: traffic behavior name; the traffic behavior must already be defined, either system-defined or user-defined.
4 Display the configuration information of the specified classes in the specified policy and of the traffic behaviors associated with these classes
  Command: display qos policy user-defined [ policy-name ] [ classifier tcl-name ]
  Remarks: Optional. You can execute the display command in any view.
Applying a Policy
Use the qos apply policy command to apply a policy to the specified port. A policy can
be applied to multiple ports or port groups.
Table 307 Apply a policy on the port
1 Enter system view
  Command: system-view
2 Enter port view or port group view (one of them is required)
  Port view: interface interface-type interface-number
  Port group view: port-group { manual port-group-name | aggregation agg-id }
  Remarks: In Ethernet port view the following configuration takes effect only on the current port; in port group view it takes effect on all the ports in the port group.
3 Apply the associated policy
  Command: qos apply policy policy-name inbound
  Remarks: Required.
4 Display the configuration information and running status of the policy on the specified port or all ports
  Command: display qos policy interface [ interface-type interface-number ] [ inbound ]
  Remarks: Optional. You can execute the display command in any view.
5 Display the configuration information of the specified class or all classes in the specified policy or all policies, and of the behavior(s) associated with the class(es)
  Command: display qos policy user-defined [ policy-name ] [ classifier tcl-name ]
  Remarks: Optional. You can execute the display command in any view.
CAUTION: When the configured policy is applied to a port group, if the car or
accounting action is not included in the user-defined traffic behavior, the policy of
multiple ports occupies only one share of hardware resource, that is, resource
multiplexing is implemented. If the car action or accounting action is included in the
user-defined traffic behavior, the policy will occupy n shares of hardware resources,
where n is the number of ports in the port group.
Configuration example
1 Network requirements
Configure a policy named test. In the policy, specify the traffic behavior test_behavior
for the packets belonging to the class test_class, and apply the policy in the inbound
direction of GigabitEthernet1/0/1.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Define the policy and enter policy view.
[3Com] qos policy test
c Specify the traffic behavior for the class.
[3Com-qospolicy-test] classifier test_class behavior test_behavior
[3Com-qospolicy-test] quit
d Enter Ethernet port view.
[3Com] interface GigabitEthernet1/0/1
e Apply the policy on the interface.
[3Com-GigabitEthernet1/0/1] qos apply policy test inbound
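The class, traffic behavior and policy elements of this chapter, together with the and/or rule logic and the configuration restrictions listed above for classes and behaviors, as an added Python model (example code, not 3Com's implementation). The ACL table, the packet fields, the sample traffic and the rule that the first matching class in a policy wins are constructed assumptions; the real switch keys car and accounting per classification rule, which this model does not reproduce.

```python
"""Class, traffic behavior and policy model of Chapter 44 (added example)."""
from ipaddress import ip_address, ip_network

# Constructed ACL table: acl number -> [(action, source prefix)], first match wins.
ACLS = {3000: [("permit", "10.0.0.0/8")]}
SINGLE_VALUE = {"customer-vlan-id", "dot1p", "dscp", "ip-precedence", "service-vlan-id"}
FIELD = {"customer-vlan-id": "cvlan", "service-vlan-id": "svlan", "dot1p": "dot1p",
         "dscp": "dscp", "ip-precedence": "ip_prec", "source-mac": "src_mac"}
REMARK = {"remark dscp": "dscp", "remark dot1p": "dot1p",
          "remark ip-precedence": "ip_prec", "remark local-precedence": "lp"}


def packet(src_ip, src_mac, dscp, dot1p=None, cvlan=None, svlan=None):
    """Constructed packet; dot1p=None means untagged (no 802.1p value to match)."""
    return {"src_ip": src_ip, "src_mac": src_mac.lower(), "dscp": dscp,
            "ip_prec": dscp >> 3, "dot1p": dot1p, "cvlan": cvlan, "svlan": svlan}


class TrafficClassifier:
    """traffic classifier tcl-name [ operator { and | or } ] plus if-match rules."""
    def __init__(self, name, operator="and"):
        self.name, self.operator, self.rules = name, operator, []

    def if_match(self, criterion, *values):
        # Restrictions stated on the page, refused at configuration time.
        if criterion in SINGLE_VALUE and len(values) != 1:
            raise ValueError(f"{criterion}: one value per if-match rule")
        if criterion == "acl" and self.operator == "and" and any(c == "acl" for c, _ in self.rules):
            raise ValueError("operator and: only one ACL rule is allowed")
        self.rules.append((criterion, values))
        return self

    def matches(self, pkt):
        hits = [self._hit(c, v, pkt) for c, v in self.rules]
        return all(hits) if self.operator == "and" else any(hits)

    @staticmethod
    def _hit(criterion, values, pkt):
        if criterion == "any":
            return True
        if criterion == "acl":
            for action, prefix in ACLS[values[0]]:
                if ip_address(pkt["src_ip"]) in ip_network(prefix):
                    return action == "permit"
            return False          # implicit deny at the end of the ACL
        return pkt[FIELD[criterion]] in values


class TrafficBehavior:
    """traffic behavior behavior-name holding the actions of Table 305."""
    def __init__(self, name):
        self.name, self.actions = name, {}

    def add(self, action, value=None):
        self.actions[action] = value
        # Restrictions stated on the page: these combinations fail to apply.
        if {"remark dot1p", "remark local-precedence"} <= set(self.actions):
            raise ValueError("remark dot1p and remark local-precedence cannot coexist")
        if self.actions.get("filter") == "deny" and set(self.actions) - {"filter", "accounting"}:
            raise ValueError("filter deny combines only with accounting")
        return self

    def apply(self, pkt, stats):
        if "accounting" in self.actions:
            stats[self.name] = stats.get(self.name, 0) + 1
        if self.actions.get("filter") == "deny":
            return "drop", pkt
        out = dict(pkt)
        for action, field in REMARK.items():
            if action in self.actions:
                out[field] = self.actions[action]
        return "forward", out


class QosPolicy:
    """qos policy policy-name; classifier tcl-name behavior behavior-name."""
    def __init__(self, name):
        self.name, self.bindings = name, []

    def classifier(self, tcl, behavior):
        self.bindings.append((tcl, behavior))
        return self

    def run(self, packets):
        """Apply the policy inbound. Assumption: the first matching class wins."""
        stats, results = {}, []
        for pkt in packets:
            for tcl, beh in self.bindings:
                if tcl.matches(pkt):
                    results.append(beh.apply(pkt, stats))
                    break
            else:
                results.append(("forward", pkt))   # unclassified traffic passes
        return results, stats


def rejected(configure):
    """True if a configuration step is refused by the restriction checks."""
    try:
        configure()
    except ValueError:
        return True
    return False


def build_policy():
    mgmt = TrafficClassifier("mgmt").if_match("acl", 3000).if_match("dscp", 48)
    guest = TrafficClassifier("guest", "or").if_match("customer-vlan-id", 200).if_match("dot1p", 1)
    prio = TrafficBehavior("prio").add("remark dot1p", 6).add("remark dscp", 46)
    deny = TrafficBehavior("deny").add("filter", "deny").add("accounting")
    return QosPolicy("test").classifier(mgmt, prio).classifier(guest, deny)


PACKETS = [  # constructed inbound traffic
    packet("10.1.1.5", "00:11:22:33:44:55", dscp=48, dot1p=0),
    packet("10.1.1.5", "00:11:22:33:44:55", dscp=0, dot1p=0),
    packet("192.168.9.9", "aa:bb:cc:dd:ee:ff", dscp=0, cvlan=200),
    packet("192.168.9.9", "aa:bb:cc:dd:ee:ff", dscp=0, dot1p=1, cvlan=10),
]


def run_demo():
    return build_policy().run(PACKETS)
```

The first packet satisfies both rules of the and-class and is remarked; the second matches the ACL but not the DSCP rule and passes untouched; the last two each hit one rule of the or-class and are dropped with the accounting counter incremented. The configuration-time checks refuse exactly the combinations the page says will fail to apply, which is cheaper than discovering the failure when the policy is bound to a port.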
Displaying QoS Policy
After finishing the configurations above, you can execute the display commands in any
view to check the running status of the QoS policy and verify the configuration.
Table 308 Display QoS Policy
Display the configuration information of the specified class or all classes in the specified policy or all policies, and of the behavior associated with the class or all classes
  Command: display qos policy user-defined [ policy-name [ classifier tcl-name ] ]
Display the configuration information and running status of the policy on the specified port or all ports
  Command: display qos policy interface [ interface-type interface-number ] [ inbound ]
Display the configured traffic behavior information
  Command: display traffic behavior user-defined [ behavior-name ]
Display the configured class information
  Command: display traffic classifier user-defined [ tcl-name ]
You can execute the display commands in any view.
45 CONGESTION MANAGEMENT
Overview
When the rate at which packets arrive on an interface is higher than the rate at which
they can be transmitted, congestion occurs on the interface. If there is not enough
buffer space to hold these packets, some of them are lost. Packet loss may cause the
transmitting device to retransmit the lost packets after they time out, which creates a
vicious cycle.
The core of congestion management is how to schedule the resources and determine the
order in which packets are forwarded when congestion occurs.
Congestion Management Policy
Queuing is generally used to solve the congestion problem. Queuing classifies the traffic
into queues and then uses a specified scheduling algorithm to decide the order in which
the queues are served. Each queuing algorithm solves specific network traffic problems
and affects parameters such as bandwidth allocation, delay and delay jitter.
The following paragraphs describe the strict-priority (SP) queue-scheduling algorithm
and the weighted round robin (WRR) queue-scheduling algorithm.
1 SP queue-scheduling algorithm
Figure 124 Diagram for SP queues
The SP queue-scheduling algorithm is specially designed for critical service applications.
An important feature of critical services is that they demand preferential service in
congestion in order to reduce the response delay. Assume that there are four output
queues on the port and the four output queues on the port are classified into four
classes, which are high queue, middle queue, normal queue and bottom queue (namely,
queue 3, queue 2, queue 1 and queue 0). Their priority levels decrease in order.
[Figure 124: packets sent via the interface are classified into the high, middle, normal and bottom queues; the dequeue stage serves the sending queue in that priority order.]
444 CHAPTER 45: CONGESTION MANAGEMENT
During queue scheduling, the SP algorithm sends packets strictly in high-to-low priority
order: packets in a lower-priority queue are sent only when all higher-priority queues
are empty. You can put packets of critical services into the higher-priority queues and
packets of non-critical services (such as e-mail) into the lower-priority queues, so that
critical traffic is always sent first and non-critical traffic is sent only when no critical
traffic is waiting.
The SP queue-scheduling algorithm has a disadvantage: if packets keep arriving in the
higher-priority queues during congestion, the packets in the lower-priority queues are
starved because they are never served.
2 WRR queue-scheduling algorithm
A port of the switch supports eight outbound queues. The WRR queue-scheduling
algorithm schedules all the queues in turn to ensure that every queue can be assigned a
certain service time. Assume there are eight priority queues on the port. The eight weight
values (namely, w 7, w 6, w 5, w 4, w 3, w 2, w 1, and w 0) indicating the proportion of
assigned resources are assigned to the eight queues respectively. On a 100M port, you
can configure the weight values of WRR queue-scheduling algorithm to 50, 30, 10, 10,
50, 30, 10, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0
respectively). In this way, the queue with the lowest priority can be assured of 5 Mbps of
bandwidth at least, thus avoiding the disadvantage of SP queue-scheduling algorithm
that packets in low-priority queues are possibly not to be served for a long time. Another
advantage of WRR queue-scheduling algorithm is that though the queues are scheduled
in turn, the service time for each queue is not fixed, that is to say, if a queue is empty, the
next queue will be scheduled immediately. In this way, the bandwidth resources are fully
utilized.
The 3Com Switch 4500G Switches support the following three queue scheduling
algorithms:
All the queues are scheduled through the SP algorithm.
All the queues are scheduled through the WRR algorithm.
Some queues are scheduled through the SP algorithm, while other queues are
scheduled through the WRR algorithm.
Configuring SP Queue Scheduling
SP queues include multiple queues. They correspond to different priorities and are
scheduled in descending order of priority.
Configuration Procedure
Table 309 Configure SP queue scheduling
1 Enter system view
  Command: system-view
2 Enter port view or port group view (one of them is required)
  Port view: interface interface-type interface-number
  Port group view: port-group { manual port-group-name | aggregation agg-id }
  Remarks: In Ethernet port view the following configuration takes effect only on the current port; in port group view it takes effect on all the ports in the port group.
3 Configure the SP queue-scheduling algorithm
  Command: qos sp
  Remarks: Required.
Configuration Example
Network requirements
Configure GigabitEthernet1/0/1 to adopt the SP queue-scheduling algorithm.
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Configure GigabitEthernet1/0/1 to adopt the SP queue-scheduling algorithm.
[3Com] interface GigabitEthernet1/0/1
[3Com-GigabitEthernet1/0/1] qos sp
Configuring WRR Queue Scheduling
By default, all ports adopt the WRR queue-scheduling algorithm. Queues that are not
configured on the port use the default WRR weight.
Configuration Procedure
Table 310 Configure WRR queue scheduling
1 Enter system view
  Command: system-view
2 Enter port view or port group view (one of them is required)
  Port view: interface interface-type interface-number
  Port group view: port-group { manual port-group-name | aggregation agg-id }
  Remarks: In Ethernet port view the following configuration takes effect only on the current port; in port group view it takes effect on all the ports in the port group.
3 Enable WRR queue scheduling on the port
  Command: qos wrr
  Remarks: Required.
4 Configure WRR queue scheduling
  Command: qos wrr queue-id group 1 weight schedule-value
  Remarks: Required.
5 Display the configuration of WRR queue scheduling
  Command: display qos wrr interface [ interface-type interface-number ]
  Remarks: Optional. You can execute the display command in any view.
Configuration Example
1 Network requirements
Configure queue 1, queue 3 and queue 4 on GigabitEthernet1/0/1 to adopt the WRR
queue-scheduling algorithm, with weights of 1, 5 and 10 respectively.
Configure queue 5 and queue 6 on GigabitEthernet1/0/1 to adopt the WRR
queue-scheduling algorithm, with weights of 2 and 10 respectively.
2 Configuration procedure
a Enter system view.
<3Com> system-view
b Configure WRR queues on GigabitEthernet1/0/1.
[3Com] interface GigabitEthernet1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 1 group 1 weight 1
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 5
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10
[3Com-GigabitEthernet1/0/1] qos wrr 5 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 6 group 1 weight 10
Configuring SP+WRR Queue Scheduling
As required, you can configure some of the queues on a port to adopt the SP
queue-scheduling algorithm and the other queues to adopt the WRR queue-scheduling
algorithm. By adding the queues on a port to the SP scheduling group and to the WRR
scheduling group (namely group 1), SP+WRR queue scheduling is implemented.
During queue scheduling, the queues in the SP scheduling group are served first. Only
when no packet is waiting in any queue of the SP scheduling group are the queues in the
WRR scheduling group served. The queues in the SP scheduling group are scheduled
according to the strict priority of each queue, while the queues in the WRR scheduling
group are scheduled according to the weight of each queue.
Configuration Procedure
Table 311 Configure the SP+WRR queue scheduling
1 Enter system view
  Command: system-view
2 Enter port view or port group view (one of them is required)
  Port view: interface interface-type interface-number
  Port group view: port-group { manual port-group-name | aggregation agg-id }
  Remarks: In Ethernet port view the following configuration takes effect only on the current port; in port group view it takes effect on all the ports in the port group.
3 Enable WRR queue scheduling on the port
  Command: qos wrr
  Remarks: Required.
4 Configure SP queue scheduling
  Command: qos wrr queue-id group sp
  Remarks: Required.
5 Configure WRR queue scheduling
  Command: qos wrr queue-id group 1 weight schedule-value
  Remarks: Required.
6 Display the configuration of WRR queue scheduling
  Command: display qos wrr interface [ interface-type interface-number ]
  Remarks: Optional. You can execute the display command in any view.
Configuration Example
Network requirements
The SP+WRR queue-scheduling algorithm is adopted on GigabitEthernet1/0/1.
Queue 0 and queue 1 on GigabitEthernet1/0/1 belong to the SP scheduling group.
Queue 2, queue 3 and queue 4 on GigabitEthernet1/0/1 belong to the WRR
scheduling group, with weights of 2, 7 and 10 respectively. The other queues are
scheduled by the WRR queue-scheduling algorithm according to the default weights.
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Configure the queues on GigabitEthernet1/0/1 to adopt the SP+WRR queue-scheduling
algorithm.
[3Com] interface GigabitEthernet1/0/1
[3Com-GigabitEthernet1/0/1] qos wrr 0 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 1 group sp
[3Com-GigabitEthernet1/0/1] qos wrr 2 group 1 weight 2
[3Com-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 7
[3Com-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 10
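The SP, WRR and SP+WRR scheduling described in this chapter, fed by the dot1p-to-lp mapping of Table 312 in the next chapter, as an added Python simulation (example code, not 3Com's implementation). The sample packets, the port priority used for untagged packets and the default WRR weight of 1 for queues that are not configured are constructed assumptions; the page does not state the default weight.

```python
"""SP, WRR and SP+WRR queue scheduling with the dot1p-to-lp mapping (added example)."""
from collections import deque

# Table 312: 802.1p priority (dot1p) -> local precedence (outbound queue id).
DOT1P_TO_LP = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
NUM_QUEUES = 8


def enqueue(packets, port_priority=0):
    """Place (name, dot1p) packets into the eight outbound queues.

    dot1p None means untagged: the packet is tagged with the port priority
    and then mapped like any other (port priority affects only untagged packets).
    Returns queue_id -> deque of packet names, in arrival order.
    """
    queues = {q: deque() for q in range(NUM_QUEUES)}
    for name, dot1p in packets:
        lp = DOT1P_TO_LP[port_priority if dot1p is None else dot1p]
        queues[lp].append(name)
    return queues


def schedule(queues, sp_queues=(), wrr_weights=None, default_weight=1):
    """Return the order in which all queued packets are sent.

    sp_queues:   queue ids in the SP group, served strictly highest id first.
    wrr_weights: queue id -> weight for WRR group 1; queues not listed get
                 default_weight (an assumption: the page does not give the
                 default weight). A round serves up to 'weight' packets from
                 each queue and moves on at once when a queue is empty.
    All eight ids in sp_queues is plain SP; an empty sp_queues is plain WRR.
    """
    queues = {q: deque(v) for q, v in queues.items()}
    weights = dict(wrr_weights or {})
    wrr = [q for q in sorted(queues, reverse=True) if q not in sp_queues]
    order = []
    while any(queues.values()):
        # SP group first: while any SP queue holds a packet, nothing else is served.
        ready = [q for q in sorted(sp_queues, reverse=True) if queues[q]]
        if ready:
            order.append(queues[ready[0]].popleft())
            continue
        for q in wrr:                       # one WRR round
            for _ in range(weights.get(q, default_weight)):
                if not queues[q]:
                    break
                order.append(queues[q].popleft())
    return order


# Constructed snapshot of a congested port: three tagged 802.1p 7 packets,
# four tagged 802.1p 1 (mapped to queue 0), three tagged 802.1p 0 (queue 2)
# and two untagged packets, which take the port priority (3 below, so queue 3).
SAMPLE = ([(f"q7-{i}", 7) for i in (1, 2, 3)] + [(f"q0-{i}", 1) for i in (1, 2, 3, 4)]
          + [(f"q2-{i}", 0) for i in (1, 2, 3)] + [(f"q3-{i}", None) for i in (1, 2)])


def demo_sp():
    return schedule(enqueue(SAMPLE, port_priority=3), sp_queues=range(NUM_QUEUES))


def demo_wrr():
    return schedule(enqueue(SAMPLE, port_priority=3), wrr_weights={7: 3, 3: 1, 2: 2, 0: 1})


def demo_sp_wrr():
    # The page's SP+WRR example: queues 0 and 1 in the SP group, queues 2, 3, 4
    # in WRR group 1 with weights 2, 7 and 10, the rest at the default weight.
    return schedule(enqueue(SAMPLE, port_priority=3), sp_queues=(0, 1),
                    wrr_weights={2: 2, 3: 7, 4: 10})


if __name__ == "__main__":
    for name, fn in (("SP", demo_sp), ("WRR", demo_wrr), ("SP+WRR", demo_sp_wrr)):
        print(f"{name:7s}", " ".join(fn()))
```

Under plain SP the four queue-0 packets are sent last, after everything else has drained, which is the starvation the text warns about; under WRR each queue gets packets out in every round in proportion to its weight. With the page's SP+WRR example, queues 0 and 1 form the SP group, so their packets go first regardless of 802.1p value: placing low queue ids in the SP group inverts the usual priority order, which is worth checking before copying that configuration.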
46 PRIORITY MAPPING
Overview
When a packet enters the switch, the switch assigns it a series of parameters (including
802.1p priority, local precedence and so on) according to the precedence types the
switch supports and the corresponding rules. The local precedence is the precedence the
switch assigns to the packet locally; it corresponds to the outbound queue ID on the
port.
The Switch 4500G always trusts the packet priority rather than the port priority. For
tagged packets, the switch performs dot1p-to-lp mapping according to the 802.1p
priority carried in the tag. Untagged packets are tagged after they enter the switch, with
the port priority as their 802.1p priority, and the dot1p-to-lp mapping is then performed
on that value.
The switch provides the dot1p-to-lp mapping table shown in Table 312.
The 3Com Switch 4500G Switches do not support editing the dot1p-to-lp (802.1p
priority-to-local precedence) mapping table.
Table 312 The default dot1p-to-lp mapping
802.1p priority (dot1p) 0: local precedence (LP) 2
802.1p priority (dot1p) 1: local precedence (LP) 0
802.1p priority (dot1p) 2: local precedence (LP) 1
802.1p priority (dot1p) 3: local precedence (LP) 3
802.1p priority (dot1p) 4: local precedence (LP) 4
802.1p priority (dot1p) 5: local precedence (LP) 5
802.1p priority (dot1p) 6: local precedence (LP) 6
802.1p priority (dot1p) 7: local precedence (LP) 7
450 CHAPTER 46: PRIORITY MAPPING
Configuring Port Priority
An untagged packet is tagged after it enters the switch, and its 802.1p priority is the
port priority. By setting the port priority you can assign such packets to different
outbound queues on the port. The port priority is in the range of 0 to 7.
The port priority takes effect only on untagged packets, not on tagged packets.
Configuration Prerequisites
The port priority of each port is specified.
Configuration Procedure
Table 313 Configure port priority
1 Enter system view
  Command: system-view
2 Enter the corresponding Ethernet port view
  Command: interface interface-type interface-number
3 Configure port priority
  Command: qos priority priority-value
  Remarks: Required. By default, the port priority is 0.
Configuration Example
Network requirements
Department 1 and department 2 of the company are interconnected through
Ethernet switches.
The switch generates different local precedence values for the packets from
department 1 and department 2 by mapping according to the priorities of the
access ports.
Network diagram
Figure 125 Network diagram for port priority
[Figure 125: department 1 is connected to the switch on GE1/0/1 and department 2 on GE1/0/2; the switch connects to the router.]
Configuration procedure
1 Enter system view.
<3Com> system-view
2 Configure the port priority of GigabitEthernet1/0/1 as 3, so that packets from
department 1 are mapped to local precedence 3.
[3Com] interface GigabitEthernet1/0/1
[3Com-GigabitEthernet1/0/1] qos priority 3
[3Com-GigabitEthernet1/0/1] quit
3 Configure the port priority of GigabitEthernet1/0/2 as 7, so that packets from
department 2 are mapped to local precedence 7.
[3Com] interface GigabitEthernet1/0/2
[3Com-GigabitEthernet1/0/2] qos priority 7
Displaying Priority Mapping Table
Use the display qos map-table command to display the detailed configuration information of a priority mapping table.
Table 314 Display and debug a priority mapping table
To do | Use the command | Remarks
Display the detailed information of the specified priority mapping table | display qos map-table [ dot1p-lp ] | You can execute the display command in any view
47 VLAN POLICY CONFIGURATION
Overview
QoS policies support the following application modes:
Port-based application: QoS policies are effective for inbound packets on a port.
VLAN-based application: QoS policies are effective for inbound traffic on a VLAN.
VLAN-based QoS policies are also known as VLAN policies for short. VLAN policies facilitate the application and management of QoS policies on the switch.
VLAN policies are not applied to, and are therefore not effective on, dynamic VLANs. For example, the device may create VLANs dynamically when the GVRP protocol is running; the corresponding VLAN policies are not effective on those dynamic VLANs.
Applying VLAN Policies
Configuration prerequisites
VLAN policies have been configured. Refer to Chapter 2 QoS Policy Configuration for how to define policies.
The VLAN to which VLAN policies are applied is specified.
Configuration procedure
Table 315 Apply VLAN policies
To do | Use the command | Remarks
Enter system view | system-view |
Apply VLAN policies to the specified VLAN | qos vlan-policy policy-name vlan vlan-id-list inbound | Required. vlan-id-list: VLAN ID list in the form of vlan-id to vlan-id. You can enter multiple discontinuous VLAN IDs. The device allows you to specify up to eight VLAN IDs at the same time.
Display information about VLAN policies | display qos vlan-policy { name policy-name | vlan [ vlan-id ] } | Optional. You can execute the display command in any view. name policy-name: Displays the information about the VLAN policy with the specified name. vlan vlan-id: Displays the VLAN policy applied to the specified VLAN.
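The vlan-id-list argument in Table 315 has a small grammar of its own (single IDs, "vlan-id to vlan-id" ranges, a limit of eight entries), and the Overview above adds a semantic rule: dynamic VLANs are skipped. The parser below is an added example, not 3Com code. It assumes that the eight-entry limit counts list entries (a single ID or one "to" range each count as one entry; the page does not say how ranges are counted) and that the set of dynamic VLANs is supplied by the caller, here as a constructed set.

```python
"""Parser/validator for the vlan-id-list argument of qos vlan-policy.
Added example, not 3Com code. Assumption: the eight-ID limit is applied to list
entries, where a single vlan-id or a 'vlan-id to vlan-id' range counts as one entry."""
from typing import Iterable, List, Set, Tuple

MAX_ENTRIES = 8              # "up to eight VLAN IDs at the same time" (see assumption above)
VLAN_MIN, VLAN_MAX = 1, 4094  # valid 802.1Q VLAN ID range


def _vlan_id(token: str) -> int:
    """Parse one VLAN ID token and range-check it."""
    if not token.isdigit():
        raise ValueError(f"invalid VLAN ID {token!r}")
    value = int(token)
    if not VLAN_MIN <= value <= VLAN_MAX:
        raise ValueError(f"VLAN ID {value} out of range {VLAN_MIN}-{VLAN_MAX}")
    return value


def parse_vlan_id_list(text: str) -> List[int]:
    """Expand e.g. '200 300 400 to 403 900' into sorted unique VLAN IDs, validating syntax."""
    tokens = text.split()
    entries: List[Tuple[int, int]] = []
    i = 0
    while i < len(tokens):
        low = _vlan_id(tokens[i])
        high = low
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' must be followed by a VLAN ID")
            high = _vlan_id(tokens[i + 2])
            if high < low:
                raise ValueError(f"range {low} to {high} is descending")
            i += 3
        else:
            i += 1
        entries.append((low, high))
    if not entries:
        raise ValueError("vlan-id-list is empty")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries allowed, got {len(entries)}")
    ids: Set[int] = set()
    for low, high in entries:
        ids.update(range(low, high + 1))
    return sorted(ids)


def is_valid_vlan_id_list(text: str) -> bool:
    """True if the list parses under the rules above."""
    try:
        parse_vlan_id_list(text)
        return True
    except ValueError:
        return False


def apply_vlan_policy(policy_name: str, vlan_id_list: str,
                      dynamic_vlans: Iterable[int]) -> Tuple[List[int], List[int]]:
    """Return (effective, skipped): the page states VLAN policies are not applied to
    dynamic VLANs, so those IDs are reported separately rather than bound to the policy."""
    dynamic = set(dynamic_vlans)
    ids = parse_vlan_id_list(vlan_id_list)
    effective = [v for v in ids if v not in dynamic]
    skipped = [v for v in ids if v in dynamic]
    return effective, skipped


if __name__ == "__main__":
    # the configuration example in this chapter, with VLAN 300 constructed as GVRP-created
    print(apply_vlan_policy("test", "200 300 400 500 600 700 800 900", dynamic_vlans={300}))
```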
Displaying and Maintaining VLAN Policy
After the configuration above, you can execute the display command in any view to display the running status of VLAN policies and verify the configuration.
You can execute the reset command in user view to clear the statistics about VLAN policies.
VLAN Policy Configuration Example
Network requirements
Configure a VLAN policy named test to perform traffic policing (TP) for packets matching ACL 2000, with a CIR of 64.
Apply the VLAN policy named test to the inbound direction of VLAN 200, VLAN 300, VLAN 400, VLAN 500, VLAN 600, VLAN 700, VLAN 800 and VLAN 900.
Configuration procedure
<3Com> system-view
[3Com] traffic classifier cl1 operator or
[3Com-classifier-cl1] if-match acl 2000
[3Com-classifier-cl1] quit
[3Com] traffic behavior be1
[3Com-behavior-be1] car cir 64
[3Com-behavior-be1] quit
[3Com] qos policy test
[3Com-qospolicy-test] classifier cl1 behavior be1
[3Com-qospolicy-test] quit
[3Com] qos vlan-policy test vlan 200 300 400 500 600 700 800 900 inbound
Table 316 Display and maintain VLAN policy
To do | Use the command
Display VLAN policy information | display qos vlan-policy { name policy-name | vlan [ vlan-id ] }
Clear the statistics about VLAN policies | reset qos vlan-policy [ vlan vlan-id ]
48 TRAFFIC MIRRORING CONFIGURATION
Overview
Traffic mirroring replicates the specified packets to the specified destination. It is generally used for testing and troubleshooting the network.
Depending on the type of mirroring destination, there are three types of traffic mirroring:
Mirroring to port: The desired traffic on a mirrored port is replicated and sent to a destination port (that is, a mirroring port).
Mirroring to CPU: The desired traffic on a mirrored port is replicated and sent to the CPU on the board of the port for further analysis.
Mirroring to VLAN: The desired traffic on a mirrored port is replicated and sent to a VLAN, where the traffic is broadcast and all the ports (if any) in the VLAN receive it. If the destination VLAN does not exist, you can still configure the function; it takes effect automatically after the VLAN is created and a port is added to it.
Currently, the 3Com Switch 4500G Switches only support traffic mirroring to port.
Configuring Traffic Mirroring to Port
Before you can configure traffic mirroring, you must first enter the traffic behavior view of an existing traffic behavior.
Table 317 Configure traffic mirroring to port
To do | Use the command | Remarks
Enter system view | system-view |
Enter traffic behavior view | traffic behavior behavior-name | Required
Configure a destination mirroring port for the traffic behavior | mirror-to interface interface-type interface-number | Required
Displaying Traffic Mirroring Configuration
After the above configuration, you can execute the display command in any view to display the operation status of traffic mirroring and verify your configuration.
Table 318 Display traffic mirroring configuration
To do | Use the command | Remarks
Display the configuration information of one or all user-defined traffic behaviors | display traffic behavior user-defined [ behavior-name ] | You can execute the display command in any view.
Display the configuration information of one or all user-defined QoS policies | display qos policy user-defined [ policy-name ] | You can execute the display command in any view.
Traffic Mirroring Configuration Example
Network requirements
The network connection is as follows:
PC A is connected to GigabitEthernet 1/0/1 on Switch A.
The server is connected to GigabitEthernet 1/0/2 on Switch A.
You must use the server to monitor and analyze all the packets from PC A.
Network diagram
Figure 126 Network diagram for traffic mirroring to port
[Figure 126 residue: labels Switch A, PC A, PC B, Server, GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/3]
Configuration procedure
Configure Switch A:
a Enter system view.
<3Com> system-view
b Configure ACL 2000 to permit all packets.
[3Com] acl number 2000
[3Com-acl-basic-2000] rule 1 permit
[3Com-acl-basic-2000] quit
c Configure a traffic classification rule to use ACL 2000 for traffic classification.
[3Com] traffic classifier 1
[3Com-classifier-1] if-match acl 2000
[3Com-classifier-1] quit
d Configure a traffic behavior to define the action of mirroring traffic to GigabitEthernet 1/0/2.
[3Com] traffic behavior 1
[3Com-behavior-1] mirror-to interface GigabitEthernet 1/0/2
[3Com-behavior-1] quit
e Configure a QoS policy to adopt traffic behavior 1 for traffic classification rule 1.
[3Com] qos policy 1
[3Com-policy-1] classifier 1 behavior 1
[3Com-policy-1] quit
f Apply the QoS policy to the inbound direction of GigabitEthernet 1/0/1.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] qos apply policy 1 inbound
After the above configuration, you can monitor and analyze all the packets from PC A on the server.
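The six steps above chain four objects: an ACL selects packets, a classifier references the ACL, a behavior names the mirror destination, and a policy binds classifier to behavior and is applied inbound on one port. The model below is an added example, not 3Com code, and shows why the policy only sees frames entering GigabitEthernet 1/0/1 and how a narrower ACL (one deny rule before the permit) changes what gets copied. The MAC addresses are constructed; the ACL here matches only on source MAC, and a deny rule is modelled as "flow not selected" (an assumption about this simplified model, not a statement about the switch).

```python
"""Flow-based (traffic) mirroring model: ACL -> classifier -> behavior (mirror-to) -> policy
applied inbound on a port. Added example, not 3Com code; MAC addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class AclRule:
    action: str                     # "permit" or "deny"
    src_mac: Optional[str] = None   # None matches any source, like "rule 1 permit" above


class Acl:
    def __init__(self, number: int, rules: List[AclRule]) -> None:
        self.number, self.rules = number, rules

    def matches(self, frame: Frame) -> bool:
        """First matching rule decides; a deny rule (or no matching rule) means the
        classifier does not select the frame (modelling assumption)."""
        for rule in self.rules:
            if rule.src_mac is None or rule.src_mac.lower() == frame.src_mac.lower():
                return rule.action == "permit"
        return False


@dataclass
class Behavior:
    name: str
    mirror_to: Optional[str] = None   # destination port given to "mirror-to interface"


class QosPolicy:
    def __init__(self, name: str) -> None:
        self.name = name
        self.bindings: List[Tuple[Acl, Behavior]] = []   # "classifier X behavior Y" pairs

    def bind(self, acl: Acl, behavior: Behavior) -> None:
        self.bindings.append((acl, behavior))


class Switch:
    def __init__(self) -> None:
        self.inbound_policies: Dict[str, QosPolicy] = {}   # "qos apply policy ... inbound"

    def apply_policy_inbound(self, port: str, policy: QosPolicy) -> None:
        self.inbound_policies[port] = policy

    def receive(self, port: str, frame: Frame) -> List[str]:
        """Ports that receive a mirrored copy of a frame entering `port`. Normal
        forwarding of the original frame is unaffected and not modelled here."""
        policy = self.inbound_policies.get(port)
        if policy is None:
            return []
        return [b.mirror_to for acl, b in policy.bindings
                if b.mirror_to and acl.matches(frame)]


def build_switch_a() -> Switch:
    """Switch A from the example: ACL 2000 permits all, behavior 1 mirrors to GE1/0/2,
    policy 1 applied inbound on GE1/0/1 (the port PC A is connected to)."""
    acl_2000 = Acl(2000, [AclRule("permit")])
    behavior_1 = Behavior("1", mirror_to="GigabitEthernet1/0/2")
    policy_1 = QosPolicy("1")
    policy_1.bind(acl_2000, behavior_1)
    sw = Switch()
    sw.apply_policy_inbound("GigabitEthernet1/0/1", policy_1)
    return sw


if __name__ == "__main__":
    sw = build_switch_a()
    pc_a = Frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee")   # constructed addresses
    print(sw.receive("GigabitEthernet1/0/1", pc_a), sw.receive("GigabitEthernet1/0/3", pc_a))
```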
49 PORT MIRRORING CONFIGURATION
Introduction to Port Mirroring
Classification of port mirroring
There are two kinds of port mirroring: local port mirroring and remote port mirroring.
Local port mirroring copies packets at one or more ports (source ports) of a device to a monitor port (destination port) for analysis and monitoring. In this case, the source ports and the destination port are located on the same device.
Remote port mirroring removes the restriction that the source and destination ports be located on the same device, and allows them to be spread across several network devices. At present, remote port mirroring can pass through up to 2 layers of network.
Implementing port mirroring
Port mirroring is implemented through mirroring groups, which include local mirroring groups, remote source mirroring groups and remote destination mirroring groups. Port mirroring can be implemented as follows:
Local port mirroring is implemented through local mirroring groups. In this case, the device copies the packets from the mirroring ports and forwards them to the monitor port.
Remote port mirroring is implemented through remote source mirroring groups and remote destination mirroring groups. In this case, the device copies the packets from the mirroring ports and broadcasts them to the remote mirroring VLAN through the reflector port. When a remote device receives a packet, it compares the packet's VLAN ID with the remote mirroring VLAN of its remote destination mirroring groups. If they are identical, the device forwards the packet to the monitor ports of those remote destination mirroring groups.
A mirroring group supports monitoring multiple mirroring ports by one monitor port.
Switch 4500G Switches only support local port mirroring.
Configuring Local Port Mirroring
Follow these steps to configure local port mirroring. Note the following:
You are recommended not to enable STP, MSTP or RSTP on the destination port. A monitor port cannot enable MSTP or RSTP; otherwise it will affect the device's normal functions. And vice versa.
A monitor port cannot be a member port of the current mirroring group or a trunk port.
You can configure multiple mirroring ports for a mirroring group, but only one monitor port.
A port can be configured under one mirroring group only.
To do | Use the command | Remarks
Enter system view | system-view |
Create local mirroring group | mirroring-group groupid local | Required
Configure mirroring port for the mirroring group, under system view | mirroring-group groupid mirroring-port mirroring-port-list { inbound | outbound | both } | One of them is required. You can configure multiple mirroring ports at the same time under system view, or configure a mirroring port under a specific interface view.
Configure mirroring port for the mirroring group, under interface view | interface interface-type interface-number; [ mirroring-group groupid ] mirroring-port { inbound | outbound | both }; quit | One of them is required (see above).
Configure monitor port for the mirroring group, under system view | mirroring-group groupid monitor-port monitor-port-id | One of them is required. The two ways of configuration are the same.
Configure monitor port for the mirroring group, under interface view | interface interface-type interface-number; [ mirroring-group groupid ] monitor-port | One of them is required (see above).
Display the configuration information of local mirroring group | display mirroring-group { groupid | local } | Optional. The display command can be used under any view
Displaying Port Mirroring
Follow these steps to display and maintain port mirroring:
Table 319 Displaying Port Mirroring
To do | Use the command
Display the configuration information of port mirroring group | display mirroring-group { groupid | local }
Examples of Typical Port Mirroring Configuration
Network requirements
The user's network is described as follows:
Department 1 is connected to Switch C through port GigabitEthernet1/0/1.
Department 2 is connected to Switch C through port GigabitEthernet1/0/2.
The Server is connected to Switch C through port GigabitEthernet1/0/3.
The demand is to monitor the packets of Department 1 and Department 2 through the Server.
To meet the demand using local port mirroring, run the following configuration on Switch C:
Configure GigabitEthernet1/0/1 and GigabitEthernet1/0/2 as the mirroring ports.
Configure GigabitEthernet1/0/3, which connects to the Server, as the monitor port.
Network diagram
Figure 127 Configuring Local Port Mirroring Network Diagram
Configuration procedure
Configuring Switch C:
1 Enter system view.
<3Com> system-view
2 Create local mirroring group 1.
[3Com] mirroring-group 1 local
3 Configure mirroring and monitor ports for local mirroring group 1.
[3Com] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 to GigabitEthernet 1/0/2 both
[3Com] mirroring-group 1 monitor-port GigabitEthernet 1/0/3
[Figure 127 residue: labels Switch A, Switch B, Switch C, Department 1, Department 2, Server, GEthernet1/0/1, GEthernet1/0/2, GEthernet1/0/3]
4 Display configuration information of mirroring group 1.
[3Com] display mirroring-group 1
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/1 both
        GigabitEthernet1/0/2 both
    monitor port: GigabitEthernet1/0/3
After finishing the configuration, the user can monitor all the packets received and sent by Department 1 and Department 2 on the Server.
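The constraints listed under Configuring Local Port Mirroring (one monitor port per group, a monitor port that is neither a member of its group nor a trunk port, and a port in at most one group) are exactly the checks an operator wants to see enforced before a group goes active, and the inbound/outbound/both direction decides which frames are copied. The model below is an added example, not 3Com code. It reproduces the Switch C group from this example; the trunk-port set and the ports used in the checks are constructed.

```python
"""Local port mirroring model: mirroring groups, directions and the configuration
constraints listed in Chapter 49. Added example, not 3Com code; port names in the
constraint checks and the trunk-port set are constructed."""
from typing import Dict, List, Set


class MirroringError(ValueError):
    """Raised when a configuration action violates one of the chapter's constraints."""


class LocalMirroring:
    def __init__(self, trunk_ports: Set[str]) -> None:
        self.trunk_ports = trunk_ports
        self.groups: Dict[int, dict] = {}
        self.port_owner: Dict[str, int] = {}   # a port belongs to at most one group

    def create_group(self, group_id: int) -> None:
        self.groups.setdefault(group_id, {"mirroring": {}, "monitor": None})

    def _claim(self, port: str, group_id: int) -> None:
        owner = self.port_owner.get(port)
        if owner is not None and owner != group_id:
            raise MirroringError(f"{port} is already configured under mirroring group {owner}")
        self.port_owner[port] = group_id

    def add_mirroring_port(self, group_id: int, port: str, direction: str) -> None:
        if direction not in ("inbound", "outbound", "both"):
            raise MirroringError("direction must be inbound, outbound or both")
        group = self.groups[group_id]
        if group["monitor"] == port:
            raise MirroringError("the monitor port cannot also be a mirroring port")
        self._claim(port, group_id)
        group["mirroring"][port] = direction

    def set_monitor_port(self, group_id: int, port: str) -> None:
        group = self.groups[group_id]
        if port in group["mirroring"]:
            raise MirroringError("the monitor port cannot be a member port of the group")
        if port in self.trunk_ports:
            raise MirroringError("the monitor port cannot be a trunk port")
        self._claim(port, group_id)
        if group["monitor"] is not None:          # only one monitor port per group
            self.port_owner.pop(group["monitor"], None)
        group["monitor"] = port

    def copies_for(self, in_port: str, out_port: str) -> List[str]:
        """Monitor ports that receive a copy of a frame entering in_port and leaving out_port.
        Each group produces at most one copy even if both ports are its members."""
        targets = []
        for group in self.groups.values():
            if group["monitor"] is None:
                continue
            d_in = group["mirroring"].get(in_port)
            d_out = group["mirroring"].get(out_port)
            if d_in in ("inbound", "both") or d_out in ("outbound", "both"):
                targets.append(group["monitor"])
        return targets


def is_rejected(action, *args) -> bool:
    """True if the configuration action is refused by a constraint check."""
    try:
        action(*args)
    except MirroringError:
        return True
    return False


def build_switch_c() -> LocalMirroring:
    """Switch C from the example: GE1/0/1 and GE1/0/2 mirrored both ways to GE1/0/3.
    GE1/0/24 is a constructed trunk uplink used only to exercise the trunk-port check."""
    sw = LocalMirroring(trunk_ports={"GigabitEthernet1/0/24"})
    sw.create_group(1)
    sw.add_mirroring_port(1, "GigabitEthernet1/0/1", "both")
    sw.add_mirroring_port(1, "GigabitEthernet1/0/2", "both")
    sw.set_monitor_port(1, "GigabitEthernet1/0/3")
    return sw


if __name__ == "__main__":
    sw = build_switch_c()
    print(sw.copies_for("GigabitEthernet1/0/1", "GigabitEthernet1/0/24"))
```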
50 GMP V2 CONFIGURATION
Introduction to GMP V2
Group Management Protocol (GMP) V2 is a communications protocol that enables a management process to manage proxy processes centrally and to control Layer 2 multicast/broadcast. It comprises a management process that manages multiple proxy processes at the same time, with GMP V2 running on both the management process and the proxy processes.
GMP V2 is therefore a Layer 2 protocol that enables the management of devices that have no Layer 3 protocol stack or are not configured with any IP address.
GMP V2 offers the following advantages:
The procedures to configure multiple switches are remarkably simplified. When the management device is assigned a public IP address, you can configure and manage a specific member device from the management device instead of logging into it first.
Topology discovery and display functions are provided, which assist network monitoring and debugging.
Software upgrading and parameter configuring can be performed simultaneously on multiple switches.
Free of topology and distance limitations.
Saves IP address resources.
Cluster Overview
By employing GMP V2, a network administrator can manage multiple switches using the public IP address of a switch known as the management device. The switches under the management of the management device are member devices. Normally, a cluster member device is not assigned a public IP address, and the network administrator manages and maintains member devices through the management device. The management device, along with the member devices, forms a cluster. Figure 128 shows a typical cluster implementation.
Figure 128 Typical cluster implementation
A cluster has one (and only one) management device. Note the following when creating
a cluster:
You need to designate the management device first. The management device of a
cluster is the portal of the cluster. That is, any operations performed in external
networks and intended for the member devices of a cluster, such as accessing,
configuring, managing, and monitoring, can be implemented through the
management device only.
The management device of a cluster recognizes and controls all the member devices
in the cluster, no matter where they are located on the network or how they are
connected.
The management device collects topology information about all the member and
candidate devices to provide useful information for users to build a cluster.
A management device manages and monitors the devices in the cluster by collecting and processing NDP (neighbor discovery protocol) and NTDP (neighbor topology discovery protocol) packets that carry network topology information.
Switch Roles in a Cluster
According to their functions and status in a cluster, switches in the cluster play different
roles. You can specify the role a switch plays. A switch also changes its role according to
specific rules.
The following three switch roles exist in a cluster: management device, member device,
and candidate device.
[Figure 128 residue: labels Network management device, Management device, Member device (three), Candidate device, Cluster, 69.110.1.1, 69.110.1.100]
Switch Role Changes in a Cluster
Figure 129 Rules for switch role changes
A cluster has one (and only one) management device. After a management device is designated, it collects NDP/NTDP information to discover and determine candidate devices, which can then be added to the cluster through manual configuration.
A candidate device becomes a member device after being added to a cluster.
A member device becomes a candidate device after being removed from the cluster.
Table 320 Switch roles in the cluster
Role | Configuration | Description
Management device | Configured with a public IP address. Receives management commands that a user sends through the public network and processes the received commands. | Provides management interfaces for all switches in the cluster. Manages member devices by redirecting commands, that is, forwards the commands to the intended member devices for processing. Provides neighbor discovery, topology information collection, cluster management, and cluster state maintenance, and supports all types of FTP servers and SNMP host proxies.
Member device | Normally, a member device is not configured with a public IP address. | Member in the cluster. Neighbor discovery, being managed by the management device, running commands forwarded by proxies, and failure/log reporting.
Candidate device | Normally, a member device is not configured with a public IP address. | A candidate device is a switch that does not belong to any cluster, although it can be added to a cluster.
[Figure 129 residue: role boxes Management device, Member device, Candidate device; transition labels: Designated as management device; Cancels designation as management device; Joins the cluster; Removed from the cluster; Designated as the new management device after the original one fails and the cluster is ungrouped; Designates another device as the new management device after the cluster is regrouped]
Cluster Principle and Implementation
Procedure of building a cluster
Network neighbor discovery: NDP is used to discover the information about the directly connected neighbor devices.
Network topology discovery: NTDP is used to collect the information about the network topology, including device connections and candidate device information in the network. The hop range for topology discovery can be adjusted manually.
Member recognition: The management device recognizes each member in the cluster by locating each member and then distributes configuration and management commands to the members.
Member management: The following events are managed through the management device: adding/removing a member, the member's authentication on the management device, and the handshake interval.
Introduction to NDP
NDP is the protocol for discovering the information about the adjacent nodes. NDP
operates on the data link layer, so it supports different network layer protocols.
NDP is used to discover the information about directly connected neighbors, including
the device type, software/hardware version, and connecting port of the adjacent devices.
It can also provide the information concerning device ID, port simplex/duplex status,
product version, Bootrom version and so on.
An NDP-enabled device maintains an NDP information table. Each entry in an NDP table
ages with time. You can also clear the current NDP information manually to have
adjacent information collected again.
An NDP-enabled device broadcasts NDP packets regularly to all ports in up state. An NDP
packet carries the holdtime field, which indicates the period for the receiving devices to
keep the NDP data. Receiving devices only store the information carried in the received
NDP packets rather than forward them. The corresponding data entry in the NDP table is
updated when the received information is different from the existing one. Otherwise,
only the holdtime of the corresponding entry is updated.
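The NDP table behaviour just described has three distinct outcomes for a received packet (new neighbor, changed content, unchanged content) and one timer, the holdtime carried in the packet. The model below is an added example, not 3Com code: neighbor records and port names are constructed, the 180-second holdtime is the default given for ndp timer aging in Table 323, and the field set is a subset of what the page lists an NDP packet can carry.

```python
"""NDP neighbor table model: entries keyed by (local port, neighbor), replaced when the
advertised content changes, holdtime-refreshed when it does not, aged out by holdtime.
Added example, not 3Com code; neighbor records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_HOLDTIME = 180.0   # seconds; the page's default for "ndp timer aging"


@dataclass(frozen=True)
class NdpInfo:
    """Subset of the fields an NDP packet advertises about the sender."""
    device_id: str
    device_type: str
    software_version: str
    remote_port: str
    duplex: str


@dataclass
class NdpEntry:
    info: NdpInfo
    expires_at: float   # receive time + holdtime carried in the packet
    changed_at: float   # last time the advertised content itself changed


class NdpTable:
    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], NdpEntry] = {}

    def receive(self, local_port: str, info: NdpInfo, holdtime: float, now: float) -> str:
        """Store (never forward) a received NDP packet.
        Returns 'new', 'updated' (content differed) or 'refreshed' (holdtime only)."""
        key = (local_port, info.device_id)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = NdpEntry(info, now + holdtime, now)
            return "new"
        if entry.info != info:
            # the received information differs from the stored entry: replace it
            self.entries[key] = NdpEntry(info, now + holdtime, now)
            return "updated"
        entry.expires_at = now + holdtime   # identical content: only the holdtime is renewed
        return "refreshed"

    def age(self, now: float) -> List[Tuple[str, str]]:
        """Remove entries whose holdtime has elapsed and return their keys."""
        expired = [key for key, entry in self.entries.items() if entry.expires_at <= now]
        for key in expired:
            del self.entries[key]
        return expired

    def clear(self) -> None:
        """Manual clear: neighbor information is collected again from the next packets."""
        self.entries.clear()

    def neighbors(self, local_port: str) -> List[str]:
        """Device IDs currently known on one local port."""
        return sorted(dev for port, dev in self.entries if port == local_port)


if __name__ == "__main__":
    table = NdpTable()
    peer = NdpInfo("switch-b", "4500G", "v1", "GigabitEthernet1/0/1", "full")  # constructed
    print(table.receive("GigabitEthernet1/0/7", peer, DEFAULT_HOLDTIME, now=0.0))
    print(table.receive("GigabitEthernet1/0/7", peer, DEFAULT_HOLDTIME, now=60.0))
```

With the default 60-second hello interval, each refresh pushes the expiry 180 seconds ahead, so an entry only ages out after three consecutive hellos are missed; a content change resets changed_at, which is the field to watch when tracking unexpected neighbor replacements on a port.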
Introduction to NTDP
NTDP is a protocol for network topology information collection. NTDP provides the
information about the devices that can be added to clusters and collects the topology
information within the specified hops for cluster management.
Based on the NDP information table created by NDP, NTDP transmits and forwards NTDP
topology collection request to collect the NDP information and neighboring connection
information of each device in a specific network range for the management device or the
network administrator to implement needed functions.
Upon detecting a change on a neighbor, a member device informs the management device of the change through handshake packets. The management device then collects the specified topology information through NTDP. This mechanism enables topology changes to be tracked in time.
Handshake packets
Handshake packets are used primarily to maintain the states of the members in a cluster.
Figure 130 Cluster state machine
After a cluster is built, a member device initiates the handshake process and sends handshake packets at the default interval of ten seconds. The management device also sends handshake packets to the member device at the default interval of ten seconds. The management device and member devices do not respond to the handshake packets they receive, but switch to or remain in the Active state.
If the management switch receives no handshake packet from a member switch for three consecutive times, it changes the state of the member device to Connect. Likewise, if a member device receives no handshake response packet from the management device for three consecutive times, the state of the member device changes from Active to Connect.
If a member device in the Connect state receives no handshake packet or management packet (either of which would return it to the Active state) within the holdtime (60 seconds by default), it changes to the Disconnect state, and the management device considers the member to be disconnected. A member device in the Active or Connect state is regarded as connected.
In addition, handshake packets are used to notify the management device of topology changes of neighboring devices.
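The three states and two timers described above form a small state machine; the model below tracks one member from the management device's point of view and is an added example, not 3Com code. The 10-second handshake interval, the three-miss threshold and the 60-second holdtime are the defaults stated on the page; the event trace in the usage is constructed, and two points the page does not specify are modelled as assumptions: the holdtime is measured from the last packet received, and a member that has reached Disconnect stays there until it is added again.

```python
"""Cluster member-state tracking on the management device, following the handshake rules
of Chapter 50. Added example, not 3Com code. Assumptions: holdtime is measured from the
last packet received, and Disconnect is left only by re-adding the member."""
from enum import Enum


class State(Enum):
    ACTIVE = "Active"
    CONNECT = "Connect"
    DISCONNECT = "Disconnect"


HANDSHAKE_INTERVAL = 10.0   # seconds; default handshake interval on the page
MISSES_TO_CONNECT = 3       # consecutive missed handshakes before Active -> Connect
HOLDTIME = 60.0             # seconds; default holdtime before Connect -> Disconnect


class MemberMonitor:
    """One member device as seen by the management device."""

    def __init__(self, name: str, now: float) -> None:
        self.name = name
        self.state = State.ACTIVE
        self.last_rx = now   # time of the last handshake or management packet received

    def on_packet(self, now: float) -> State:
        """A handshake or management packet arrived. Handshakes are not answered; the
        member simply switches to, or stays in, Active."""
        self.last_rx = now
        if self.state is not State.DISCONNECT:
            self.state = State.ACTIVE
        # a Disconnected member stays so until re-added (assumption; not covered on the page)
        return self.state

    def tick(self, now: float) -> State:
        """Re-evaluate the state at time `now` from the silence since the last packet."""
        silence = now - self.last_rx
        if self.state is State.ACTIVE and silence >= MISSES_TO_CONNECT * HANDSHAKE_INTERVAL:
            self.state = State.CONNECT
        if self.state is State.CONNECT and silence >= HOLDTIME:
            self.state = State.DISCONNECT
        return self.state

    def is_connected(self) -> bool:
        """Active and Connect both count as connected; only Disconnect does not."""
        return self.state is not State.DISCONNECT


if __name__ == "__main__":
    # constructed trace: handshakes at 10 s and 20 s, then silence
    member = MemberMonitor("switch-b", now=0.0)
    member.on_packet(10.0)
    member.on_packet(20.0)
    for t in (29.0, 45.0, 50.0, 79.0, 80.0):
        print(t, member.tick(t).value, member.is_connected())
```

A useful consequence for monitoring: with the defaults, a member goes to Connect 30 seconds after its last handshake and to Disconnect 60 seconds after it, so a Connect that persists beyond about half a minute is already a sign that the link, not a single lost packet, is the problem.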
Management VLAN
No device connected to a port that does not belong to the management VLAN can join the cluster. Therefore, if the management device and the candidate devices belong to different management VLANs, the management VLAN of the candidate devices needs to be modified through auto-negotiation. In this case, the candidate devices must ensure that the management VLAN exists; if a new VLAN must be created, the device's limit on the number of VLANs must be satisfied.
The ports in the management VLAN of a device must be configured to permit the
packets of the management VLAN to pass with tags (the packets from VLAN1 can pass
without tags); otherwise, the cluster will not work properly.
You can specify the management VLAN only before building a cluster. You cannot modify
the management VLAN after a device has joined the cluster. To modify the management
VLAN after the cluster is built, delete the cluster configuration on the current device
before designating the new management VLAN and finally building the cluster.
GMP V2 Configuration Task Overview
Table 321 GMP V2 configuration task overview
Operation | Description | Related section
Configure the management device: Enable NDP globally and for specific ports | Required | Enabling NDP Globally and for Specific Ports
Configure the management device: Configure NDP-related parameters | Optional | Configuring NDP-related Parameters
Configure the management device: Enable NTDP globally and for specific ports | Required | Enabling NTDP Globally and for Specific Ports
Configure the management device: Configure NTDP-related parameters | Optional | Configuring NTDP-related Parameters
Configure the management device: Enable the cluster function | Required | Enabling the Cluster Function
Configure the management device: Build a cluster | Required | Building a Cluster
Configure the management device: Configure cluster management | Required | Configuring Cluster Management
Configure the management device: Configure cluster parameters | Optional | Configuring Cluster Parameters
Configure the management device: Configure interaction for the cluster | Optional | Configuring Interaction for the Cluster
Configure member devices: Enable NDP globally and for specific ports | Required | Enabling NDP Globally and for Specific Ports
Configure member devices: Enable NTDP globally and for specific ports | Required | Enabling NTDP Globally and for Specific Ports
Configure member devices: Enable the cluster function | Required | Enabling the Cluster Function
Configure member devices: Configure to add a member to the cluster | Optional | Configuring to Add a Candidate Device to the Cluster
Management Device Configuration
Enabling NDP Globally and for Specific Ports
CAUTION: NDP works only if it is enabled globally and on the ports.
Table 322 Enable NDP globally and for specific ports
Operation | Command | Description
Enter system view | system-view |
Enable NDP globally | ndp enable | Required. By default, NDP is enabled globally.
Enable NDP for the Ethernet port, in system view | ndp enable interface interface-list | Either is required. By default, NDP is enabled on all ports.
Enable NDP for the Ethernet port, in Ethernet port view | interface interface-type interface-number; ndp enable | Either is required (see above).
Configuring NDP-related Parameters
Table 323 Configure NDP-related parameters
Operation | Command | Description
Enter system view | system-view |
Configure the holdtime of NDP information | ndp timer aging aging-time | Optional. By default, the aging time of NDP packets is 180 seconds
Configure the interval to send NDP packets | ndp timer hello hello-time | Optional. By default, the interval of sending NDP packets is 60 seconds
Enabling NTDP Globally and for Specific Ports
CAUTION: NTDP works only if it is enabled globally and on the ports.
Table 324 Enable NTDP globally and for specific ports
Operation | Command | Description
Enter system view | system-view |
Enable NTDP globally | ntdp enable | Optional. By default, NTDP is enabled globally.
Enable NTDP for the Ethernet port, in system view | ntdp enable interface interface-list | Optional. By default, NTDP is enabled on all ports.
Enable NTDP for the Ethernet port, in Ethernet port view | interface interface-type interface-number; ntdp enable | Optional (see above).
Configuring NTDP-related Parameters
Table 325 Configure NTDP parameters
Operation | Command | Description
Enter system view | system-view |
Configure the hop range within which topology information is to be collected | ntdp hop hop-value | Optional. By default, the hop range for topology collection is 3 hops
Configure the interval to collect topology information | ntdp timer interval-time | Optional. By default, the interval of topology collection is 1 minute.
Configure the hop delay to forward topology-collection request packets | ntdp timer hop-delay time | Optional. By default, the delay of the device is 200 ms
Configure the port delay to forward topology-collection request packets | ntdp timer port-delay time | Optional. By default, the port delay is 20 ms
Quit system view | quit |
Start topology information collection | ntdp explore | Optional
Enabling the Cluster Function
The ntdp enable command in cluster management is not compatible with the bpdu-tunnel enable command in BPDU TUNNEL. You cannot configure these two commands at the same time. For BPDU TUNNEL, refer to VLAN VPN Configuration.
Table 326 Enable the cluster function
Operation | Command | Description
Enter system view | system-view |
Enable the cluster function globally | cluster enable | Optional. By default, the cluster function is enabled
Building a Cluster
Before building a cluster, you must configure a private IP address pool available for the member devices in the cluster. When a candidate device joins the cluster, the management device dynamically assigns the candidate device a private IP address for inner-cluster communication. This enables the management device to manage and maintain member devices.
Configuring cluster parameters manually
CAUTION:
For a non-VLAN1 management VLAN, if the port on the management device that is connected to member devices is a trunk or hybrid port, to implement cluster management you must configure the port to permit the packets of the management VLAN to pass with tags. In addition, you cannot manually change its default VLAN to the management VLAN. If the port on the management device that is connected to member devices is an access port, to implement cluster management you must manually configure the port as a hybrid port and configure the port to permit the packets of the management VLAN to pass with tags. See the VLAN Operation section for details.
When the management VLAN is configured as VLAN1, if the port on the member device that is connected to the management device permits the packets from the management VLAN to pass with tags, configure the management device by following the previous description. If the port on the member device that is connected to the management device permits the packets of the management VLAN to pass without tags, to implement cluster management you must perform one of the following configuration tasks: configure the corresponding port on the management device as the access type, or configure the port as trunk and the default VLAN of the port as VLAN1, or configure the port as hybrid and the default VLAN of the port as VLAN1 and permit the packets of the management VLAN to pass the port without tags. See the VLAN Operation section for details.
You can configure an IP address pool only before the cluster is built. Moreover, you can perform the configuration on the management device only. You cannot change the IP address pool for an existing cluster.
Table 327 Configuring cluster parameters manually
Operation | Command | Description
Enter system view | system-view |
Specify the management VLAN | management-vlan vlan-id | Optional. By default, VLAN1 is the management VLAN.
Enter cluster view | cluster |
Configure a private IP address pool on the device to be used as the management device for the member devices in the cluster | ip-pool administrator-ip-address { ip-mask | ip-mask-length } | Required. Do not configure the IP addresses of the VLAN interfaces of the management device and member devices on the same network segment. Otherwise, the cluster will not work.
Set the current device as the management device and assign a cluster name | build name | Required. By default, a device is not the management device.
Building a cluster automatically
Besides allowing you to build a cluster manually, the system also lets you build a cluster
automatically. Run the auto-build command on the management device and follow the
prompts:
First, the system prompts you to enter a name for the cluster.
Then, the system lists the candidate devices discovered within the specified hop range
and asks you to confirm whether to add these devices to the cluster.
After you confirm, the system adds all listed candidate devices to the cluster. Because
every listed candidate is admitted on that single confirmation, review the list and
blacklist any device that must not join before you confirm (see Configuring topology
management).
You can press <CTRL+C> to exit automatic cluster establishment. After this operation, no
new device will be added, and the devices already added remain in the cluster.
Configuring Cluster Management
Configuring member management
Member management covers the following:
- You can manually designate a candidate device to join the cluster or manually remove a designated member device from the cluster. You must add or remove a member on the management device; otherwise, an error message is returned.
- If a member device fails due to incorrect configuration, you can control the member device remotely by using the remote control function of the management device. For example, you can delete the startup configuration file and reboot the member device to recover normal communication between the management device and the member device.
- Blacklist management.
- Device location based on MAC address or IP address.
- On the management device, you can configure and manage a specified member device by switching to the view of that member device. After the configuration is complete, you can switch back from the member device to the management device.
Table 328 Building a cluster automatically (operation / command / description)

- Enter system view: system-view
- Specify the management VLAN: management-vlan vlan-id
  Optional. By default, VLAN 1 is the management VLAN.
- Enter cluster view: cluster
- Configure an IP address pool for the cluster: ip-pool administrator-ip-address { ip-mask | ip-mask-length }
  Required. Do not configure the IP addresses of the VLAN interfaces of the management device and member devices on the same network segment as the address pool; otherwise, the cluster will not work.
- Build a cluster automatically: auto-build [ recover ]
  Required.
Configuring topology management
White lists and blacklists provide the basis for topology management. Their meanings are
as follows:
- White list for topology management: the network topology that network administrators have confirmed to be correct. The nodes and their relationships with their neighbors at any given moment can be extracted from the current network topology. The white list can also be maintained from the current network topology, for example by adding, removing, or modifying nodes.
- Blacklist for topology management: a device in the blacklist is not allowed to join a cluster automatically. The network administrator must blacklist a device manually, by its MAC address. If a blacklisted device connects to the network through another device that is not blacklisted, the information about the device it connects through and the access port is recorded automatically.
The white list and blacklist are mutually exclusive: a node in the white list must not be in
the blacklist, and vice versa. A topology node can be in neither list; such nodes are usually
new nodes that still need to be authenticated by administrators.
Table 329 Configure member management (operation / command / description)

- Enter system view: system-view
- Enter cluster view: cluster
- Add a candidate device to the cluster: add-member [ member-number ] mac-address mac-address [ password password ]
  Optional. Generally, member numbers are assigned sequentially. The management device records the original numbers of members with the same MAC address.
- Remove a member device from the cluster: delete-member member-number [ to-black-list ]
  Optional.
- Reboot a specified member device: reboot member { member-number | mac-address mac-address } [ eraseflash ]
  Optional.
- Return to system view: quit
- Return to user view: quit
- Switch between the management device view and a member device view: cluster switch-to { member-number | mac-address mac-address | administrator }
  Optional. At present, before using this command, you need to enable "telnet server" on the peer device and avoid ring switching (switching through a loop of devices). The switch-over rides on Telnet, so the session and any credentials it carries cross the management VLAN in cleartext; keep that VLAN off untrusted ports.
The white list and blacklist survive a power-off of the management switch. Two backup
and recovery mechanisms are provided: backup on an FTP server or in the Flash of the
management switch. In either backup mode, you restore the white list or blacklist
manually. When the management switch restarts or cluster management is reconfigured,
the management switch restores the white list and blacklist from the Flash.
Configuring Cluster Parameters
Cluster parameters include the multicast MAC address for cluster management, the
interval for sending multicast packets, the device holdtime, and the handshake interval.
If the interval for the management device to send multicast packets is 0, the
management device does not send multicast packets to any member device in the
cluster.
The state of a member device is shown as "Disconnect" if it receives no message from
the management device within the holdtime. After communication recovers, the member
device rejoins the cluster (automatically). If the fault is removed within the holdtime, the
member device does not need to rejoin and remains in the normal state.
Handshake packets maintain real-time communication between the management device
and the member devices in a cluster. The management device monitors the state of the
members and of the links in the cluster by exchanging handshake packets with the
member devices.
Table 330 Configure topology management (operation / command / description)

- Enter system view: system-view
- Enter cluster view: cluster
- Blacklist a device: black-list add-mac mac-address
  Optional.
- Remove a device from the blacklist: black-list delete-mac { all | mac-address }
  Optional.
- Confirm the current topology of the cluster and save it as the base topology: topology accept { all [ save-to { ftp-server | local-flash } ] | mac-address mac-address | member-id member-number }
  Optional.
- Save the base topology information to the FTP server or the local Flash: topology save-to { ftp-server | local-flash }
  Optional.
- Restore the topology from the base topology information on the FTP server or in the local Flash: topology restore-from { ftp-server | local-flash }
  Optional. Ensure the original topology is correct, because the device cannot process an incorrect saved base topology.
Configuring Interaction for the Cluster
After building a cluster, you can configure a server, an NMS host, and a log host for the
whole cluster on the management device. A member device in the cluster reaches the
configured server through the management device.
All logs of the member devices in the cluster are output to the configured log host: when
a member device outputs logs, they are sent to the management device, which translates
the address of the logs and forwards them to the log host configured for the cluster.
Likewise, all Trap messages sent by member devices are output to the NMS host
configured for the cluster.
CAUTION: The log host configured for the cluster takes effect only after you use the
info-center loghost command in system view. For more about the
info-center loghost command, see the "Information Center Commands".
Table 331 Configure cluster parameters (operation / command / description)

- Enter system view: system-view
- Enter cluster view: cluster
- Configure the holdtime for a device: holdtime seconds
  Optional. By default, the holdtime is 60 seconds.
- Configure a handshake interval: timer interval-time
  Optional. By default, the handshake interval is 10 seconds.
Table 332 Configure interaction for the cluster (operation / command / description)

- Enter system view: system-view
- Enter cluster view: cluster
- Configure the public FTP server for the cluster: ftp-server ip-address [ user-name username password { simple | cipher } password ]
  Optional. By default, the cluster has no public FTP server. The simple keyword stores the password in plain text in the configuration; prefer cipher. FTP itself sends the credentials in cleartext.
- Configure the TFTP server for the cluster: tftp-server ip-address
  Optional. By default, the cluster has no public TFTP server.
- Configure the log host for the cluster: logging-host ip-address
  Optional. By default, the cluster has no public log host.
- Configure the SNMP host for the cluster: snmp-host ip-address [ community-string read string1 write string2 ]
  Optional. By default, the cluster has no SNMP host. The read and write community strings are SNMPv1/v2c credentials and cross the network in cleartext.
- Configure the network management (NM) interface for the cluster: nm-interface vlan-interface vlan-id
  Optional.
Configuring Member Devices
Enabling NDP Globally and on Specific Ports

Table 333 Enable NDP globally and on specific ports (operation / command / description)

- Enter system view: system-view
- Enable NDP globally: ndp enable
  Optional. By default, NDP is enabled globally.
- Enable NDP for specified ports, either in system view: ndp enable interface interface-list
  or in Ethernet port view: interface interface-type interface-number, then ndp enable
  Either is required. By default, NDP is enabled on all ports. NDP advertises device details to neighbors, so leave it enabled only on ports that face cluster members.

Enabling NTDP Globally and on Specific Ports

Table 334 Enable NTDP globally and on specific ports (operation / command / description)

- Enter system view: system-view
- Enable NTDP globally: ntdp enable
  Optional. By default, NTDP is enabled globally.
- Enable NTDP for specified ports, either in system view: ntdp enable interface interface-list
  or in Ethernet port view: interface interface-type interface-number, then ntdp enable
  Optional. By default, NTDP is enabled on all ports.

Enabling the Cluster Function

Table 335 Enable the cluster function (operation / command / description)

- Enter system view: system-view
- Enable the cluster function: cluster enable
  Optional. By default, the cluster function is enabled.
Configuring to Add a Candidate Device to the Cluster

Table 336 Configure to add a member to the cluster (operation / command / description)

- Enter system view: system-view
- Enter cluster view: cluster
- Add a candidate device to the cluster: administrator-address mac-address name name
  Optional. By default, a device is not a member of any cluster.

Displaying and Maintaining a Cluster
After the configuration above, you can execute the display commands to show the
running status of the cluster and verify the effect of the configuration from the displayed
information.
You can use the reset command in user view to clear NDP statistics.

Table 337 Display and maintain cluster configurations (operation / command)

- Display NDP configuration: display ndp [ interface port-list ]
- Display the global NTDP information: display ntdp
- Display device information collected through NTDP: display ntdp device-list [ verbose ]
- Display state and statistics information about a cluster: display cluster
- Display the base topology of the cluster: display cluster base-topology [ mac-address mac-address | member-id member-number ]
- Display the current blacklist of the cluster: display cluster black-list
- Display the information about the candidate devices of a cluster: display cluster candidates [ mac-address mac-address | verbose ]
- Display the current topology of the cluster or the topological path between two nodes: display cluster current-topology [ mac-address mac-address [ to-mac-address mac-address ] | member-id member-number [ to-member-id member-number ] ]
- Display the information about the cluster members: display cluster members [ member-number | verbose ]
- Clear the NDP statistics on a port: reset ndp statistics [ interface interface-list ]
GMP V2 Configuration Example
Network requirements
Three switches form a cluster, in which:
- The management device is a Switch 4500G series switch.
- The other two switches are member devices, managed by the 4500G switch.
The detailed information about the cluster is as follows:
- The two member devices are connected to the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports of the management device.
- The management device is connected to the external network through its GigabitEthernet1/0/1 port.
- GigabitEthernet1/0/1 of the management device belongs to VLAN 2, whose VLAN interface has the IP address 163.172.55.1.
- All the devices in the cluster use the same FTP server and TFTP server.
- The FTP server and TFTP server share one IP address: 63.172.55.1.
- The SNMP host and log host share one IP address: 69.172.55.4.
- Blacklist the device whose MAC address is 00e0-fc01-0013.
Network diagram
Figure 131 Network diagram for GMP cluster configuration
Configuration procedure
1 Configure the management device
a Enable NDP globally and on the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] ndp enable
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] ndp enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] ndp enable
[3Com-GigabitEthernet1/0/3] quit
b Configure the holdtime of NDP information to be 200 seconds.
[3Com] ndp timer aging 200
c Configure the interval to send NDP packets to be 70 seconds.
[3Com] ndp timer hello 70
d Enable NTDP globally and on the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports.
[3Com] ntdp enable
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] ntdp enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet 1/0/3
[3Com-GigabitEthernet1/0/3] ntdp enable
[3Com-GigabitEthernet1/0/3] quit
e Configure the hop count for topology collection to be 2.
[3Com] ntdp hop 2
f Configure the delay before member devices forward topology-collection request packets to be 150 ms.
[3Com] ntdp timer hop-delay 150
g Configure the delay before topology-collection request packets are forwarded through the ports of member devices to be 15 ms.
[3Com] ntdp timer port-delay 15
h Configure the interval to collect topology information to be 3 minutes.
[3Com] ntdp timer 3
i Enable the cluster function.
[3Com] cluster enable
j Enter cluster view.
[3Com] cluster
[3Com-cluster]
k Configure an IP address pool for the cluster. The /29 pool contains six usable IP addresses, starting from 172.16.0.1.
[3Com-cluster] ip-pool 172.16.0.1 255.255.255.248
l Specify a name for the cluster and create the cluster.
[3Com-cluster] build aaa
[aaa_0.3Com-cluster]
m Configure the holdtime of the member device information to be 100 seconds.
[aaa_0.3Com-cluster] holdtime 100
n Configure the interval to send handshake packets to be 10 seconds.
[aaa_0.3Com-cluster] timer 10
o Configure the FTP server, TFTP server, log host, and SNMP host for the cluster.
[aaa_0.3Com-cluster] ftp-server 63.172.55.1
[aaa_0.3Com-cluster] tftp-server 63.172.55.1
[aaa_0.3Com-cluster] logging-host 69.172.55.4
[aaa_0.3Com-cluster] snmp-host 69.172.55.4
p Blacklist the device whose MAC address is 00e0-fc01-0013.
[aaa_0.3Com-cluster] black-list add-mac 00e0-fc01-0013
2 Configure the member devices (taking one member as an example)
a Enable NDP globally and on GigabitEthernet1/0/1.
<3Com> system-view
[3Com] ndp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] ndp enable
[3Com-GigabitEthernet1/0/1] quit
b Enable NTDP globally and on GigabitEthernet1/0/1.
[3Com] ntdp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] ntdp enable
[3Com-GigabitEthernet1/0/1] quit
c Enable the cluster function.
[3Com] cluster enable
After completing the configurations above, you can execute the cluster switch-to
{ member-number | mac-address H-H-H } command on the management device to
switch to the view of a member device and maintain and manage it. You can then
execute the cluster switch-to administrator command to return to the
management device view.
51 SNMP CONFIGURATION
SNMP Overview
Simple Network Management Protocol (SNMP for short) offers a framework for
monitoring network devices over the TCP/IP protocol suite. It provides a set of basic
operations for monitoring and maintaining the Internet and has the following
characteristics:
- Automatic network management: SNMP enables network administrators to search and modify information on any network node, find and diagnose network problems, plan for network growth, and generate reports.
- SNMP shields network administrators from the physical differences between devices and thus provides automatic management of products from different manufacturers. SNMP offers only a basic set of functions. With SNMP enabled, the management tasks and the physical features of the managed devices are not affected by lower-layer network protocols. Thus, SNMP achieves effective management of devices from different manufacturers, especially in small, fast, and low-cost network environments.
SNMP Mechanism
An SNMP-managed network is composed of a Network Management Station (NMS for
short) and Agents.
- The NMS is a station that runs the SNMP client software. It offers a friendly man-machine interface, making it easier for network administrators to perform most network management tasks. Currently, the most commonly used NMSs include Quidview, Sun NetManager, and IBM NetView.
- An Agent is a device that runs the SNMP server software. It can be a PC, a workstation, an ordinary server, or a router.
The NMS manages an SNMP-managed network, whereas agents are the managed
network devices. They exchange management information through the SNMP protocol.
SNMP provides the following four basic operations:
- Get operation: the NMS retrieves information about the Agent through this operation.
- Set operation: the NMS can reconfigure certain values in the Agent MIB by means of this operation to make the Agent perform certain tasks.
- Trap operation: the Agent sends Trap information to the NMS through this operation.
- Inform operation: an NMS sends Trap information to another NMS through this operation.
SNMP Protocol Version
Currently, 3Com SNMP agents support SNMPv3 and are compatible with SNMPv1 and
SNMPv2c.
SNMPv1 and SNMPv2c perform authentication by means of a community name, which
defines the relationship between an SNMP NMS and an SNMP Agent. SNMP packets
with community names that are not acceptable to the device are simply discarded. A
community name plays a role similar to a password and can be used to regulate access
from an NMS to the Agent. Note that the community name is carried in cleartext in every
SNMPv1/v2c packet, so anyone who can read traffic between the NMS and the Agent can
read and reuse it.
SNMPv3 offers an authentication mechanism implemented with the User-Based Security
Model (USM for short), which can be authentication with privacy, authentication without
privacy, or no authentication and no privacy. USM regulates the access from an NMS to
the Agent in a much stronger way, provided a security level with authentication is used.
MIB Overview
The Management Information Base (MIB for short) is a collection of all the objects that
can be managed by an NMS. It defines a set of characteristics of the managed objects,
such as the object identifier (OID for short), access right, and data type of the objects.
The MIB stores data using a tree structure. Each node of the tree is a managed object
and can be uniquely identified by the path from the root node. As illustrated in the
following figure, the managed object B can be uniquely identified by the string of
numbers {1.2.1.1}. This string of numbers is the OID of the managed object B.
Figure 132 MIB tree (tree figure omitted: the root A has children 1, 2 and 6; B is reached by the path 1.2.1.1)
Configuring Basic SNMP Functions
As the configuration of SNMPv3 differs substantially from that of SNMPv1 and SNMPv2c,
the two are introduced separately below. See Table 338 and Table 339 for details.

Table 338 Follow these steps to configure SNMPv3 (to do / command / remarks)

- Enter system view: system-view
- Enable SNMP Agent: snmp-agent
  Optional. Disabled by default. You can enable SNMP Agent through this command or any command that begins with snmp-agent.
- Configure SNMP Agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }
  Optional. The defaults are as follows: 3Com Corporation for contact, Marlborough, MA for location, v3 for the version.
- Configure an SNMP group: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Required. The authentication or privacy keyword sets the minimum security level the group accepts; a group created without either accepts requests with no authentication at all.
- Add a new user to an SNMP agent group: snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password [ privacy-mode des56 priv-password ] ] [ acl acl-number ]
  Required. Without authentication-mode the user is a no-authentication, no-privacy user. Prefer sha over md5; des56 is the only privacy cipher offered.
- Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent: snmp-agent packet max-size byte-count
  Optional. 1,500 bytes by default.
- Configure the engine ID for an SNMP agent: snmp-agent local-engineid engineid
  Optional. Company ID and device ID by default.
- Create or update the MIB view information for an SNMP agent: snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ]
  Optional. By default, the MIB view name is ViewDefault. The NMS is allowed to access the nodes below the MIB subtree iso, except for snmpUsmMIB, snmpVacmMIB, and snmpModules.18.
This device does not support the remote-engineid function.
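The usm-user command above takes a password, but what the agent actually stores and verifies with is a key derived from that password and bound to the agent's own engine ID. The following added example (not 3Com code) walks through that USM key derivation as RFC 3414 defines it: the password is stretched to 1 MiB and hashed to Ku, then localized as H(Ku || engineID || Ku) to Kul, which keys the HMAC-96 that authenticates each message. The engine ID used is the RFC 3414 test engine ID, not a 4500G's "company ID + device ID"; the message bytes are constructed. Because Kul depends on the engine ID, the same password yields a different key on every agent, which is why a captured localized key from one switch does not open another.

```python
"""SNMPv3 USM key derivation (RFC 3414 A.2) and HMAC-96 authentication
parameters (RFC 3414 sections 6 and 7). Added example, not 3Com code."""
import hashlib
import hmac

# Engine ID from the RFC 3414 A.3 test vectors (an assumption for this example;
# a real agent uses its own snmpEngineID, see "snmp-agent local-engineid").
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# CLI keywords of "snmp-agent usm-user v3 ... authentication-mode" -> hashlib names
_DIGEST = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: str, auth_mode: str) -> bytes:
    """Ku: hash of the password repeated cyclically to exactly 1,048,576 octets."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    target = 1048576
    stream = (pw * (target // len(pw) + 1))[:target]
    return hashlib.new(_DIGEST[auth_mode], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_mode: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(_DIGEST[auth_mode], ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id: bytes, auth_mode: str) -> bytes:
    """The localized authentication key the agent stores for a user."""
    return localize_key(password_to_key(password, auth_mode), engine_id, auth_mode)


def auth_params(kul: bytes, wholemsg: bytes, auth_mode: str) -> bytes:
    """msgAuthenticationParameters: the first 12 octets of HMAC-MD5 or HMAC-SHA
    over the whole message (computed with this field zero-filled)."""
    return hmac.new(kul, wholemsg, _DIGEST[auth_mode]).digest()[:12]


def verify(kul: bytes, wholemsg: bytes, received: bytes, auth_mode: str) -> bool:
    """Constant-time comparison so a forger gets no timing signal."""
    return hmac.compare_digest(auth_params(kul, wholemsg, auth_mode), received)


if __name__ == "__main__":
    kul = usm_auth_key("maplesyrup", TEST_ENGINE_ID, "sha")
    print("localized SHA key:", kul.hex())
    msg = b"constructed SNMPv3 message bytes"   # constructed, not a real PDU
    tag = auth_params(kul, msg, "sha")
    print("auth params:", tag.hex(), "verifies:", verify(kul, msg, tag, "sha"))
```

The RFC 3414 A.3 vectors (password "maplesyrup", the engine ID above) give the localized keys 526f5eed9fcce26f8964c2930787d82b for MD5 and 6695febc9288e36282235fc7151f128497b38f3f for SHA; an implementation that reproduces them interoperates with any conforming agent.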
Table 339 Follow these steps to configure SNMPv1 and SNMPv2c (to do / command / remarks)

- Enter system view: system-view
- Enable SNMP Agent: snmp-agent
  Optional. Disabled by default. You can enable SNMP Agent through this command or any command that begins with snmp-agent.
- Configure SNMP Agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }
  Required. The defaults are as follows: R&D Hangzhou, 3Com Technologies Co., Ltd. for contact, Hangzhou China for location.
- Configure SNMP NMS access rights. At least one of the two methods is required; the indirect method was introduced for compatibility with SNMPv3.
  - Direct configuration, configure a community name: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
  - Indirect configuration, configure an SNMP group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ], then add a new user to the group: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
  With either method the community name is the only credential and it travels in cleartext, so bind it to an ACL and to a MIB view that exposes no more than the NMS needs.
- Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent: snmp-agent packet max-size byte-count
  Optional. 1,500 bytes by default.
- Configure the engine ID for an SNMP agent: snmp-agent local-engineid engineid
  Optional. Company ID and device ID by default.
- Create or update MIB view information: snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ]
  Optional. ViewDefault by default. The NMS is allowed to access the nodes below the MIB subtree iso, except for snmpUsmMIB, snmpVacmMIB, and snmpModules.18.
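Both tables end with the mib-view command, and ViewDefault is described as "everything under iso except snmpUsmMIB, snmpVacmMIB and snmpModules.18". The decision of whether a given OID is visible through such a view follows the VACM view-family rules of RFC 3415: every included or excluded subtree is a family, the family with the longest matching subtree wins, and a mask bit of 0 turns a position of the subtree into a wildcard. The following added example (not 3Com code) implements that evaluation and builds ViewDefault from the description in the tables, plus a masked view that exposes a single ifTable row. The hex form of mask-value and the OIDs tested are assumptions for the example; the guide only names the keyword.

```python
"""MIB view evaluation with VACM view-family semantics (RFC 3415 section 4).
Added example, not 3Com code; the hex mask format is an assumption."""
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    return tuple(int(x) for x in text.strip(".").split("."))


class MibView:
    def __init__(self, name: str) -> None:
        self.name = name
        # (subtree, one mask bit per sub-identifier, included?)
        self.families: List[Tuple[Oid, Tuple[int, ...], bool]] = []

    def add(self, subtree: str, included: bool = True, mask_hex: str = "") -> None:
        """Equivalent of: snmp-agent mib-view { included | excluded } name subtree [ mask ]"""
        sub = parse_oid(subtree)
        bits: List[int] = []
        for byte in bytes.fromhex(mask_hex):
            bits.extend((byte >> (7 - i)) & 1 for i in range(8))
        # A mask shorter than the subtree is extended with 1 bits (exact match);
        # a 0 bit makes that sub-identifier a wildcard.
        bits = bits[:len(sub)] + [1] * (len(sub) - len(bits))
        self.families.append((sub, tuple(bits), included))

    @staticmethod
    def _matches(oid: Oid, sub: Oid, bits: Tuple[int, ...]) -> bool:
        if len(oid) < len(sub):
            return False
        return all(b == 0 or o == s for o, s, b in zip(oid, sub, bits))

    def contains(self, oid_text: str) -> bool:
        """Longest matching subtree decides; ties go to the lexicographically
        greatest subtree, as RFC 3415 requires. No match means not in view."""
        oid = parse_oid(oid_text)
        best: Optional[Tuple[Tuple[int, Oid], bool]] = None
        for sub, bits, included in self.families:
            if self._matches(oid, sub, bits):
                key = (len(sub), sub)
                if best is None or key > best[0]:
                    best = (key, included)
        return best is not None and best[1]


def view_default() -> MibView:
    """ViewDefault as the tables describe it."""
    v = MibView("ViewDefault")
    v.add("1", included=True)                  # iso
    v.add("1.3.6.1.6.3.15", included=False)    # snmpUsmMIB
    v.add("1.3.6.1.6.3.16", included=False)    # snmpVacmMIB
    v.add("1.3.6.1.6.3.18", included=False)    # snmpModules.18
    return v


def ifindex_view(ifindex: int) -> MibView:
    """A view limited to one ifTable row: the column sub-identifier (10th
    position of 1.3.6.1.2.1.2.2.1.<col>.<ifIndex>) is wildcarded by a 0 mask bit."""
    v = MibView(f"if{ifindex}")
    v.add(f"1.3.6.1.2.1.2.2.1.1.{ifindex}", included=True, mask_hex="FFA0")
    return v


if __name__ == "__main__":
    vd = view_default()
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.1.1.0"):
        print(vd.name, oid, vd.contains(oid))
    v3 = ifindex_view(3)
    print(v3.name, "ifInOctets.3", v3.contains("1.3.6.1.2.1.2.2.1.10.3"),
          "ifInOctets.4", v3.contains("1.3.6.1.2.1.2.2.1.10.4"))
```

The practical point is the precedence rule: an excluded subtree wins over an included ancestor, and a later, longer included entry can re-open part of an excluded subtree. That is what lets you grant a monitoring NMS ifTable and sysDescr without also exposing the USM user table to anyone holding a read community.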
Trap Configuration
The SNMP Agent sends Trap messages to the NMS to alert it to critical and important
events (such as a restart of the managed device).
Configuration Prerequisites
Basic SNMP configuration has been completed.
Configuration Procedure
Follow these steps to configure Traps:
Table 340 Trap Configuration (to do / command / remarks)

- Enter system view: system-view
- Enable device Traps: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]
  Optional. All types of Traps are enabled by default. The standard authentication Trap reports failed SNMP authentication (bad community names or USM failures), which is worth forwarding to the log host.
- Enable port Traps: enter interface view with interface interface-type interface-number, then enable snmp trap updown, then quit to return to system view.
- Configure the target host address for Trap messages: snmp-agent target-host trap address udp-domain { ip-address } [ udp-port port-number ] params securityname security-string [ v1 | v2c | v3 { authentication | privacy } ]
  Required. For v1/v2c the security-string is the community name placed in the Trap; for v3 it is the USM user name, and the keyword sets the security level of the Trap.
- Configure the source address for Trap messages: snmp-agent trap source { interface-type interface-number } [ subinterface-type ]
  Optional.
- Configure the size of the Trap queue: snmp-agent trap queue-size size
  Optional. 100 by default.
- Configure the lifetime of Traps: snmp-agent trap life seconds
  Optional. 120 seconds by default.
Displaying and Maintaining SNMP

Table 341 Displaying and Maintaining SNMP (to do / command / remarks)

- Display SNMP agent system information, including the contact, location, and version of SNMP: display snmp-agent sys-info [ contact | location | version ]*
  Available in any view.
- Display SNMP packet statistics: display snmp-agent statistics
- Display the engine ID of the device: display snmp-agent { local-engineid | remote-engineid }
- Display SNMP group information: display snmp-agent group [ group-name ]
- Display SNMP user information: display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ]*
- Display SNMP community information: display snmp-agent community [ read | write ]
- Display MIB view information: display snmp-agent mib-view [ exclude | include | viewname view-name ]

SNMP Configuration Example
Network requirements
- The NMS is connected over Ethernet to a switch, which serves as the SNMP agent.
- The IP address of the NMS is 129.102.149.23/16.
- The IP address of the VLAN interface on the switch is 129.102.0.1/16.
- On the switch, configure the community name, access right, administrator ID, contact information, and location, and enable Traps.
Network diagram
Figure 133 Network diagram for SNMP configuration

(Diagram omitted: the NMS at 129.102.149.23/16 is connected over Ethernet to the switch, whose VLAN interface is 129.102.0.1/16.)
Configuration procedure
1 Configure the SNMP Agent
a Configure the community names, the SNMP Agent group, and the SNMP Agent user.
<3Com> system-view
[3Com] snmp-agent sys-info version all
[3Com] snmp-agent community read public
[3Com] snmp-agent community write private
[3Com] snmp-agent mib-view included internet 1.3.6.1
[3Com] snmp-agent group v3 managev3group write-view internet
[3Com] snmp-agent usm-user v3 managev3user managev3group
Note that public and private are the widely known default community names and, as
SNMPv1/v2c credentials, cross the network in cleartext; on a production switch use
unique community names and restrict them with the acl and mib-view options of the
snmp-agent community command. Note also that managev3user is created without
authentication-mode, so it is a no-authentication, no-privacy user.
b Specify VLAN interface 2 as the VLAN interface for network management. Add the
port GigabitEthernet 1/0/3 to VLAN 2. Set the IP address of VLAN interface 2 to
129.102.0.1.
[3Com] vlan 2
[3Com-vlan2] port GigabitEthernet 1/0/3
[3Com-vlan2] interface Vlan-interface 2
[3Com-Vlan-interface2] ip address 129.102.0.1 255.255.0.0
[3Com-Vlan-interface2] quit
c Configure the administrator ID and contact, and the location of the switch.
[3Com] snmp-agent sys-info contact Mr.Wang-Tel:3306
[3Com] snmp-agent sys-info location telephone-closet,3rd-floor
d Enable the device to send Traps to the NMS with the IP address 129.102.149.23/16,
using public as the community name.
[3Com] snmp-agent trap enable
[3Com] snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public
2 Configure the SNMP NMS
SNMPv3 uses the authentication and privacy security model. On the NMS, you need to
specify the user name and security level and, based on that level, configure the
authentication mode, authentication password, privacy mode, and privacy password. In
addition, the time-out and the number of retries should be configured. You can then
query and configure the switch through the NMS. For detailed information, refer to the
NMS manuals.
The configuration on the device and on the NMS must be consistent before you can
perform related operations. In particular, if the NMS is to use authentication and privacy,
the switch-side user must be created with authentication-mode and privacy-mode as
shown in Table 338; the managev3user created in step 1a accepts neither.
52 RMON CONFIGURATION
Remote Network Monitoring (RMON) is an IETF-defined MIB. It is the most important
enhancement to the MIB II standard. It allows you to monitor traffic on network
segments and even the entire network.
When configuring RMON, use the following table to find the information you need.

Table 342 Information (if you need to / go to)

- Get familiar with RMON: RMON Overview
- Configure RMON: Configuring RMON
- Consult the display commands available for verifying RMON configuration: Displaying and Maintaining RMON
- See how to configure RMON on a switch: RMON Configuration Example (on a Switch)
- See how to configure RMON on a router: RMON Configuration Example (on a Router)

RMON Overview
This section covers these topics:
- Introduction
- RMON Groups
Introduction
RMON is implemented on top of the Simple Network Management Protocol (SNMP) and
is fully compatible with the existing SNMP framework, so no modification of SNMP is
needed to support it.
RMON provides an efficient means of monitoring subnets and allows SNMP to monitor
remote network devices in a more proactive and effective way. It reduces traffic between
the network management station (NMS) and the agent, which facilitates the
management of large networks.
RMON comprises two parts: NMSs and agents running on network devices.
- Each RMON NMS administers the agents within its administrative domain.
- An RMON agent resides on a network monitor or probe for an interface. It monitors and gathers information about traffic over the network segment connected to the interface, for example statistics about packets over a specified period and good packets sent to a host.
RMON allows multiple monitors. It provides two ways of gathering data:
- Using RMON probes. NMSs obtain management information from RMON probes directly and control network resources. In this approach, RMON NMSs can obtain all RMON MIB information.
- Embedding RMON agents in network devices such as routers, switches, and hubs to provide the RMON probe function. RMON NMSs exchange data with the SNMP agents using basic SNMP commands to gather network management information, which, because of system resource limitations, in most cases does not cover all MIB information but only four groups: alarm, event, history, and statistics.
By using RMON-enabled SNMP agents on network monitors, an NMS can obtain
information about traffic volume, error statistics, and performance statistics for network
management.
RMON Groups
RMON categorizes objects into groups. This section describes only the major
implemented groups.
Event group
The event group defines event indexes and controls the generation and notification of
the events triggered by the alarms defined in the alarm group and the private alarm
group. An event can be handled in one of the following ways:
- Logging the event in the event log table
- Sending a trap to the NMSs
- Both logging and sending a trap
Alarm group
The RMON alarm group monitors specified alarm variables, such as statistics on a port. If
the monitored variable crosses a threshold, an event is triggered. The event is then
handled as defined in the event group.
The system handles entries in the RMON alarm table as follows:
1 Sample the alarm variables at the specified interval.
2 Compare the sampled values with the predefined thresholds and trigger events if all
triggering conditions are met.
If a monitored variable crosses the same threshold several times in succession, only the
first crossing generates an alarm event; another event for that threshold is generated
only after the variable has crossed the opposite threshold.
Private alarm group
The private alarm group calculates the sampled values of alarm variables and compares
the result with the defined threshold, thereby realizing a more comprehensive alarming
function.
The system handles a prialarm table entry (as defined by the user) in the following way:
Periodically samples the prialarm alarm variables defined in the prialarm formula.
Calculates the sampled values based on the prialarm formula.
Compares the result with the defined threshold and generates an appropriate event.
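The alarm-table behaviour just described (periodic sampling, absolute or delta comparison, rising and falling thresholds handing off to event-table entries, and the rule that repeated crossings of the same threshold raise only one event) can be modelled in a few lines. The following Python is an added example written for this guide's explanation, not 3Com code; the counter name, thresholds and sample readings are constructed, and an initial state in which either threshold may fire first is assumed.

```python
"""Model of RMON alarm-table evaluation (added example, not code from the guide).

Each RmonAlarm mirrors one row created with the guide's `rmon alarm` command:
a sampled variable, absolute or delta sampling, a rising and a falling
threshold, and the event-table index to fire for each. The variable name,
thresholds and counter readings below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    variable: str            # monitored object; the name is only a label here
    sample_type: str         # "absolute" or "delta"
    rising_threshold: int
    rising_event: int        # event-table index to fire; 0 means "no event"
    falling_threshold: int
    falling_event: int
    last_sample: Optional[int] = None
    # RMON hysteresis: after a rising event, no further rising event is
    # generated until the value has crossed the falling threshold, and
    # vice versa. "both" (assumed start state) lets either fire first.
    armed: str = "both"
    log: List[str] = field(default_factory=list)

    def sample(self, raw: int) -> Optional[int]:
        """Feed one periodic sample and return the event index fired, if any."""
        if self.sample_type == "delta":
            if self.last_sample is None:
                self.last_sample = raw       # a delta needs two samples
                return None
            value, self.last_sample = raw - self.last_sample, raw
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError(f"unknown sample type {self.sample_type!r}")

        fired = None
        if value >= self.rising_threshold and self.armed in ("both", "rising"):
            fired, self.armed = self.rising_event, "falling"
        elif value <= self.falling_threshold and self.armed in ("both", "falling"):
            fired, self.armed = self.falling_event, "rising"

        if fired:
            self.log.append(f"{self.variable} {self.sample_type}={value}: event {fired}")
        return fired


def run_constructed_scenario() -> List[Optional[int]]:
    """Delta alarm on an error counter: 100 or more new errors per interval
    fires event 1, a drop to 10 or fewer fires event 2.  The fourth reading
    (delta 200) fires nothing: the rising threshold was already crossed."""
    alarm = RmonAlarm("etherStatsCRCAlignErrors", "delta", 100, 1, 10, 2)
    counter_readings = [0, 50, 200, 400, 405, 600]   # constructed samples
    return [alarm.sample(reading) for reading in counter_readings]


if __name__ == "__main__":
    print(run_constructed_scenario())   # [None, None, 1, None, 2, 1]
```

A delta alarm on an error or broadcast counter, paired with an event that both logs and traps, is the usual way to get a switch to flag a sudden change itself rather than relying on the NMS to poll and compare.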
History control group
The history control group controls the periodic statistical sampling of data, such as
bandwidth utilization, number of errors, and total number of packets.
Note that each value provided by the group is a cumulative sum during a sampling
period.
Ethernet statistics group
The statistics group monitors port utilization and records errors. It provides statistics
about network collisions, CRC alignment errors, undersize/oversize packets, broadcasts,
multicasts, bytes received, packets received, and so on.
Unlike values provided by the history control group, each value provided in this group is a
cumulative sum counted starting from the creation of a valid event entry.
Configuring RMON
Configuration Prerequisites
Before configuring RMON, configure the SNMP agent as described in the SNMP Configuration part.
Configuration Procedure
Table 343 Follow these steps to configure RMON:
1. Enter system view: system-view
2. Create an event entry in the event table (required): rmon event event-entry [ description string ] { log | trap trap-community | log-trap log-trapcommunity | none } [ owner text ]
3. Enter Ethernet interface view: interface interface-type interface-number
4. Create an entry in the history table (optional): rmon history entry-number buckets number interval sampling-interval [ owner text-string ]
5. Create an entry in the statistics table (optional): rmon statistics entry-number [ owner text-string ]
6. Exit Ethernet interface view (required): quit
7. Create an entry in the alarm table (optional): rmon alarm entry-number alarm-variable sampling-time { absolute | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ]
8. Create an entry in the private alarm table (optional): rmon prialarm entry-number prialarm-formula prialarm-des sampling-timer { absolute | changeratio | delta } rising_threshold threshold-value1 event-entry1 falling_threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ]
Displaying and Maintaining RMON
Table 344 Displaying and Maintaining RMON (all commands are available in any view)
Display RMON statistics: display rmon statistics [ interface-type interface-number ]
Display RMON history information: display rmon history [ interface-type interface-number ]
Display RMON alarm information: display rmon alarm [ alarm-entry-number ]
Display RMON prialarm information: display rmon prialarm [ prialarm-entry-number ]
Display RMON events: display rmon event [ event-entry-number ]
Display RMON event log: display rmon eventlog [ event-number ]
RMON Configuration Example (on a Switch)
Network requirements
A monitored switch is connected to a configuration terminal through its console port and to a remote NMS across the Internet.
Create an entry in the RMON Ethernet statistics table to gather statistics on an Ethernet port for NMS query.
Network diagram
Figure 134 Network diagram for RMON (on a switch)
[Figure 134: the terminal is attached to the switch (RMON agent) through the console port; the switch is attached through its network port, across the Internet, to the NMS.]
Configuration procedure
1 Configure RMON to gather statistics for interface GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] rmon statistics 1 owner user1-rmon
2 Display RMON statistics for interface GigabitEthernet 1/0/1.
<3Com> display rmon statistics GigabitEthernet 1/0/1
Statistics entry 1 owned by user1-rmon is VALID.
Gathers statistics of interface GigabitEthernet1/0/1. Received:
octets : 270149 , packets : 1954
broadcast packets : 1570 , multicast packets : 365
undersized packets : 0 , oversized packets : 0
fragments packets : 0 , jabbers packets : 0
CRC alignment errors : 0 , collisions : 0
Dropped packet events (due to lack of resources) : 0
Packets received according to length (in octets) :
64 : 644 , 65-127 : 518 , 128-255 : 688
256-511 : 101 , 512-1023 : 3 , 1024-1518 : 0
53 NTP CONFIGURATION
NTP Overview
Defined in RFC 1305, the network time protocol (NTP) synchronizes timekeeping among distributed time servers and clients. NTP runs over the user datagram protocol (UDP), using port 123.
The purpose of using NTP is to keep consistent timekeeping among all clock-dependent
devices within the network so that the devices can provide diverse applications based on
the consistent time.
For a local system running NTP, its time can be synchronized by other reference sources
and can be used as a reference source to synchronize other clocks.
Applications of NTP
NTP is used when all devices within the network must be consistent in timekeeping, for example:
When log information and debugging information collected from different devices are analyzed in network management, time must serve as the common reference.
All devices must use the same reference clock in a charging system.
To implement certain functions, such as scheduled restart of all devices within the network, all devices must be consistent in timekeeping.
When multiple systems process a complex event in cooperation, these systems must use the same reference clock to ensure the correct execution sequence.
For incremental backup between a backup server and clients, timekeeping must be synchronized between the backup server and all the clients.
An administrator cannot keep time synchronized among all the devices within a network by changing the system clock on each station: this is a huge amount of work and cannot guarantee clock precision. NTP, however, allows quick clock synchronization within the entire network while ensuring high clock precision.
Advantages of NTP:
NTP uses a stratum to describe the clock precision, and is able to synchronize time
among all devices within the network.
NTP supports access control and MD5 authentication.
NTP can unicast, multicast or broadcast protocol messages.
How NTP Works
Figure 135 shows the basic work flow of NTP. Device 1 and Device 2 are interconnected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP. For easy understanding, we assume that:
Prior to system clock synchronization between Device 1 and Device 2, the clock of Device 1 is set to 10:00:00am while that of Device 2 is set to 11:00:00am.
Device 2 is used as the NTP time server, namely Device 1 synchronizes its clock to that of Device 2.
It takes 1 second for an NTP message to travel from one device to the other.
Figure 135 Basic work flow of NTP
The process of system clock synchronization is as follows:
1. Device 1 sends Device 2 an NTP message, which is timestamped when it leaves Device 1. The timestamp is 10:00:00am (T1).
2. When this NTP message arrives at Device 2, it is timestamped by Device 2. The timestamp is 11:00:01am (T2).
3. When the NTP message leaves Device 2, Device 2 timestamps it. The timestamp is 11:00:02am (T3).
4. When Device 1 receives the NTP message, the local time of Device 1 is 10:00:03am (T4).
Up to now, Device 1 has sufficient information to calculate the following two important parameters:
The round-trip delay of the NTP message: Delay = (T4 - T1) - (T3 - T2) = 2 seconds.
The time difference between Device 1 and Device 2: Offset = ((T2 - T1) + (T3 - T4))/2 = 1 hour.
Based on these parameters, Device 1 can synchronize its own clock to the clock of Device 2.
[Figure 135: (1) Device 1 sends an NTP message stamped 10:00:00am across the network; (2) Device 2 receives it at 11:00:01am; (3) Device 2 returns it stamped 11:00:02am; (4) Device 1 receives the reply at 10:00:03am.]
This is only a brief description of the work mechanism of NTP. For details, refer to
RFC 1305.
NTP Message Format
NTP uses two types of messages: clock synchronization messages and NTP control messages. An NTP control message is used in environments where network management is needed. As it is not required for clock synchronization, it is not discussed in this document.
All NTP messages mentioned in this document refer to NTP clock synchronization messages.
A clock synchronization message is encapsulated in a UDP message, in the format shown in Figure 136.
Figure 136 Clock synchronization message format
Main fields are described as follows:
LI: 2-bit leap indicator. When set to 11, it warns of an alarm condition (clock
unsynchronized); when set to any other value, it is not to be processed by NTP.
VN: 3-bit version number, indicating the version of NTP. The latest version is version 3.
Mode: a 3-bit code indicating the work mode of NTP. This field can be set to these
values: 0 reserved; 1 symmetric active; 2 symmetric passive; 3 client; 4 server;
5 broadcast or multicast; 6 NTP control message; 7 reserved for private use.
Stratum: an 8-bit integer indicating the stratum level of the local clock, with the value
ranging 1 to 16. The clock precision decreases from stratum 1 to stratum 16. A
stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized
and cannot be used as a reference clock.
Poll: 8-bit signed integer indicating the poll interval, namely the maximum interval
between successive messages.
Precision: an 8-bit signed integer indicating the precision of the local clock.
Root Delay: round-trip delay to the primary reference source.
Root Dispersion: the maximum error of the local clock relative to the primary
reference source.
Reference Identifier: Identifier of the particular reference source.
Reference Timestamp: the local time at which the local clock was last set or corrected.
[Figure 136 layout: LI, VN, Mode, Stratum, Poll and Precision in the first 32-bit word, followed by Root Delay, Root Dispersion, Reference Identifier, Reference Timestamp, Originate Timestamp, Receive Timestamp, Transmit Timestamp and the optional Authenticator.]
Originate Timestamp: the local time at which the request departed the client for the
service host.
Receive Timestamp: the local time at which the request arrived at the service host.
Transmit Timestamp: the local time at which the reply departed the service host for
the client.
Authenticator: authentication information.
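To make the header layout and the delay/offset arithmetic concrete, the following added Python example (not code from the guide or from 3Com) packs a constructed mode-4 server reply, decodes the fields listed above, and computes Delay and Offset from the four timestamps using the guide's worked figures (T1 10:00:00, T2 11:00:01, T3 11:00:02, T4 10:00:03, expressed as seconds after midnight). The field widths and encodings assumed are those of RFC 1305; the build_server_reply and worked_example helpers are this example's own.

```python
"""Parser for the NTPv3 clock-synchronization header of Figure 136 plus the
delay/offset arithmetic from "How NTP Works" (added example, not from the guide).

Assumed layout per RFC 1305: 48-byte fixed header; Root Delay and Root
Dispersion are 16.16 fixed point; timestamps are 64-bit (32-bit seconds
since 1900-01-01 plus a 32-bit fraction).  The reply built below is
constructed for the demonstration.
"""
import struct
from typing import Dict, Tuple

# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, reference/originate/receive/transmit timestamps
HEADER_FMT = "!BBbbiIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48


def ntp_ts_to_seconds(raw: int) -> float:
    return (raw >> 32) + (raw & 0xFFFFFFFF) / 2 ** 32


def seconds_to_ntp_ts(seconds: float) -> int:
    whole = int(seconds)
    frac = int(round((seconds - whole) * 2 ** 32)) & 0xFFFFFFFF
    return (whole << 32) | frac


def parse_ntp_header(data: bytes) -> Dict[str, object]:
    """Decode the fixed header; any bytes after it belong to the authenticator."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    li = flags >> 6
    return {
        "li": li,
        "unsynchronized": li == 3,           # LI = 11 binary: alarm condition
        "vn": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                 # 3 client, 4 server, 5 broadcast/multicast
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 2 ** 16,  # seconds
        "root_dispersion": root_disp / 2 ** 16,
        "reference_id": ref_id,
        "reference_ts": ntp_ts_to_seconds(ref_ts),
        "originate_ts": ntp_ts_to_seconds(orig_ts),   # T1, echoed by the server
        "receive_ts": ntp_ts_to_seconds(recv_ts),     # T2
        "transmit_ts": ntp_ts_to_seconds(xmit_ts),    # T3
        "has_authenticator": len(data) > HEADER_LEN,
    }


def delay_and_offset(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """Round-trip delay and clock offset exactly as the guide defines them."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def build_server_reply(t1: float, t2: float, t3: float,
                       stratum: int = 2, version: int = 3) -> bytes:
    """Constructed mode-4 reply: LI=0, Originate=T1, Receive=T2, Transmit=T3."""
    flags = (0 << 6) | (version << 3) | 4
    return struct.pack(HEADER_FMT, flags, stratum, 6, -20, 0, 0, 0,
                       seconds_to_ntp_ts(t2), seconds_to_ntp_ts(t1),
                       seconds_to_ntp_ts(t2), seconds_to_ntp_ts(t3))


def worked_example() -> Tuple[float, float]:
    """The guide's figures as seconds after midnight (constructed values):
    T1 10:00:00, T2 11:00:01, T3 11:00:02, T4 10:00:03."""
    t1, t2, t3, t4 = 36000, 39601, 39602, 36003
    hdr = parse_ntp_header(build_server_reply(t1, t2, t3))
    return delay_and_offset(hdr["originate_ts"], hdr["receive_ts"],
                            hdr["transmit_ts"], t4)   # (2.0, 3600.0): 2 s, 1 h


if __name__ == "__main__":
    print(worked_example())
```

The same decoder is what a capture tool applies to port 123 traffic; note that the offset of one hour falls out of the four timestamps alone, which is why a server's timestamps must be protected (see the authentication section below) if clients are to trust what they compute from them.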
Operation Modes of NTP
A network device can get its clock synchronized in one of the following two ways:
Synchronized to the local clock, which serves as the reference source.
Synchronized to another device on the network in any of the four NTP operation modes described below.
After the 3Com Switch 4500G has been synchronized, it can work in symmetric peers mode, broadcast server mode and multicast mode. Devices running NTP can implement clock synchronization in one of the following modes:
Server/client mode
When working in the server/client mode, a client sends a clock synchronization message
to servers, with the Mode field in the message set to 3 (client mode). Upon receiving the
message, the servers automatically work in the server mode and send a reply, with the
Mode field in the messages set to 4 (server mode). Upon receiving the replies from the
servers, the client performs clock filtering and selection, and synchronizes its local clock
to that of the optimal reference source.
In this mode, a client can be synchronized to a server, but not vice versa.
Symmetric peers mode
A device working in the symmetric active mode periodically sends clock synchronization
messages, with the Mode field in the message set to 1 (symmetric active); the device that
receives this message automatically enters the symmetric passive mode and sends a reply,
with the Mode field in the message set to 2 (symmetric passive). By exchanging
messages, the symmetric peers mode is established between the two devices. Then, the
two devices can synchronize, or be synchronized by, each other. If the clocks of both
devices have been already synchronized, the device whose local clock has a lower
stratum level will synchronize the clock of the other device.
Broadcast mode
In the broadcast mode, a server periodically sends clock synchronization messages to the
broadcast address 255.255.255.255, with the Mode field in the messages set to 5
(broadcast mode). Clients listen to the broadcast messages from servers. After a client
receives the first broadcast message, the client and the server start to exchange
messages, with the Mode field set to 3 (client mode) and 4 (server mode) to calculate the
network delay between client and the server. Then, the client enters the broadcast client
mode and continues listening to broadcast messages, and synchronizes its local clock
based on the received broadcast messages.
Multicast mode
In the multicast mode, a server periodically sends clock synchronization messages to the
user-configured multicast address, or, if no multicast address is configured, to the default
NTP multicast address 224.0.1.1, with the Mode field in the messages set to 5 (multicast
mode). Clients listen to the multicast messages from servers. After a client receives the
first multicast message, the client and the server start to exchange messages, with the
Mode field set to 3 (client mode) and 4 (server mode) to calculate the network delay
between client and the server. Then, the client enters the multicast client mode and
continues listening to multicast messages, and synchronizes its local clock based on the
received multicast messages.
Configuring the Operation Modes of NTP
Devices can implement clock synchronization in one of the following modes:
Server/client mode
Symmetric mode
Broadcast mode
Multicast mode
For the server/client mode or symmetric mode, you need to configure only clients or symmetric-active peers; for the broadcast or multicast mode, you need to configure both servers and clients.
A single device can have a maximum of 128 connections at the same time, including static connections and dynamic connections. A static connection is a connection that a user has manually created by using an NTP command, while a dynamic connection is a temporary connection created by the system during operation. A dynamic connection is removed if the system receives no messages from it for a long enough time. In the server/client mode, for example, when you carry out a command to synchronize the time to a server, the system creates a static connection, and the server just responds passively upon receipt of a message, rather than creating a connection (static or dynamic). In the broadcast or multicast mode, static connections are created at the server side, and dynamic connections are created at the client side.
Configuring NTP Server/Client Mode
For devices working in the server/client mode, you only need to make configurations on the clients, and not on the servers.
Follow these steps to configure an NTP client:
Table 345 Configuring NTP Server/Client Mode
1. Enter system view: system-view
2. Specify an NTP server for the device (required): ntp-service unicast-server { ip-address | server-name } [ version number | authentication-keyid keyid | source-interface interface-type interface-number | priority ] *
In the ntp-service unicast-server command, ip-address must be a host address, rather than a broadcast address, a multicast address or the IP address of the local clock.
A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's clock, the client will not synchronize its clock to the server's.
You can configure multiple servers by repeating the ntp-service unicast-server command. The clients will choose the optimal reference source.
Configuring the NTP Symmetric Mode
For devices working in the symmetric mode, you only need to make configurations on the symmetric-active device, and not on symmetric-passive devices.
Follow these steps to configure a symmetric-active device:
Table 346 Configuring the NTP Symmetric Mode
1. Enter system view: system-view
2. Specify a symmetric-passive peer for the device (required): ntp-service unicast-peer { ip-address | peer-name } [ version number | authentication-keyid keyid | source-interface interface-type interface-number | priority ] *
In the ntp-service unicast-peer command, ip-address must be a host address, rather than a broadcast address, a multicast address or the IP address of the local clock.
Typically, at least one of the symmetric-active and symmetric-passive peers has been synchronized; otherwise the clock synchronization will not proceed.
You can configure multiple symmetric-passive peers by repeating the ntp-service unicast-peer command.
Configuring NTP Broadcast Mode
For devices working in the broadcast mode, you need to configure both the server and clients. The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. Because an interface needs to be specified on the broadcast server for sending NTP broadcast messages and an interface also needs to be specified on each broadcast client for receiving broadcast messages, the NTP broadcast mode can be configured only in the specific interface view.
Configuring a broadcast client
Follow these steps to configure an NTP broadcast client:
Table 347 Configuring a broadcast client
1. Enter system view: system-view
2. Enter interface view (required): interface interface-type interface-number. Enter the interface used to receive NTP broadcast messages.
3. Configure the device to work in the NTP broadcast client mode (required): ntp-service broadcast-client
Configuring the broadcast server
Follow these steps to configure the NTP broadcast server:
Table 348 Configuring the broadcast server
1. Enter system view: system-view
2. Enter interface view (required): interface interface-type interface-number. Enter the interface used to send NTP broadcast messages.
3. Configure the device to work in the NTP broadcast server mode (required): ntp-service broadcast-server [ authentication-keyid keyid | version number ]*
A broadcast server can synchronize broadcast clients only after its clock has been synchronized.
Configuring NTP Multicast Mode
For devices working in the multicast mode, you need to configure both the server and clients. The multicast server periodically sends NTP multicast messages to multicast clients. The NTP multicast mode must be configured in the specific interface view. You can configure a maximum of 1,024 multicast clients, among which 128 can take effect at the same time.
Configuring a multicast client
Follow these steps to configure an NTP multicast client:
Table 349 Configuring a multicast client
1. Enter system view: system-view
2. Enter interface view (required): interface interface-type interface-number. Enter the interface used to receive NTP multicast messages.
3. Configure the device to work in the NTP multicast client mode (required): ntp-service multicast-client [ ip-address ]
Configuring the multicast server
Follow these steps to configure the NTP multicast server:
Table 350 Configuring the multicast server
1. Enter system view: system-view
2. Enter interface view (required): interface interface-type interface-number. Enter the interface used to send NTP multicast messages.
3. Configure the device to work in the NTP multicast server mode (required): ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ]*
A multicast server can synchronize multicast clients only after its clock has been synchronized.
Configuring Optional Parameters of NTP
Configuring the Interface to Send NTP Messages
Follow these steps to configure the interface used to send NTP messages:
Table 351 Configuring the Interface to Send NTP Messages
1. Enter system view: system-view
2. Configure the interface used to send NTP messages (required): ntp-service source-interface interface-type interface-number
CAUTION: If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages.
Disabling an Interface from Receiving NTP Messages
Follow these steps to disable an interface from receiving NTP messages:
Table 352 Disabling an Interface from Receiving NTP Messages
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Disable the interface from receiving NTP messages (required; an interface is enabled to receive NTP messages by default): ntp-service in-interface disable
Configuring the Allowable Maximum Number of Dynamic Sessions
Follow these steps to configure the allowable maximum number of dynamic sessions:
Table 353 Configuring the Allowable Maximum Number of Dynamic Sessions
1. Enter system view: system-view
2. Configure the allowable maximum number of dynamic sessions (required; 100 by default): ntp-service max-dynamic-sessions number
Configuring Access-Control Rights
With the following command, you can configure the NTP service access-control right to the local device. There are four access-control rights, as follows:
query: control query permitted. This level of right permits the peer device to perform control query to the NTP service on the local device but does not permit the peer device to synchronize its clock to the local device. The so-called control query refers to query of some states of the NTP service, including alarm information, authentication status, clock source information, and so on.
synchronization: server access only. This level of right permits the peer device to synchronize its clock to the local device but does not permit the peer device to perform control query.
server: server access and query permitted. This level of right permits the peer device to perform synchronization and control query to the local device but does not permit the local device to synchronize its clock to the peer device.
peer: full access. This level of right permits the peer device to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to the peer device.
From the highest NTP service access-control right to the lowest, the order is peer, server, synchronization, and query. When a device receives an NTP request, it performs an access-control right match and uses the first matched right.
Configuration Prerequisites
Prior to configuring the NTP service access-control right to the local device, you need to create and configure an ACL associated with the access-control right.
Configuration Procedure
Follow these steps to configure the NTP service access-control right to the local device:
Table 354 Configure the NTP Service Access-control
1. Enter system view: system-view
2. Configure the NTP service access-control right to the local device (required; peer by default): ntp-service access { query | synchronization | server | peer } acl-number
The access-control right mechanism provides only a minimum degree of security protection for the system running NTP. A more secure method is identity authentication.
Configuring NTP Authentication
The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication.
Configuration Prerequisites
The configuration of NTP authentication involves configuration tasks to be implemented on the client and on the server.
When configuring the NTP authentication feature, pay attention to the following principles:
In the server/client mode, if the NTP authentication feature has not been enabled for the client, the client can synchronize with the server regardless of whether the NTP authentication feature has been enabled for the server or not.
For all synchronization modes, when you enable the NTP authentication feature, you should configure an authentication key and specify it as a trusted key. Namely, the ntp-service authentication enable command must work together with the ntp-service authentication-keyid command and the ntp-service reliable authentication-keyid command.
For all synchronization modes, the server side and the client side must be consistently configured.
If NTP authentication is enabled on a client, the client can be synchronized only to a server that can provide a trusted authentication key.
Configuration Procedure
Configuring NTP Authentication for a Client
Follow these steps to configure NTP authentication for a client:
Table 355 Configuring NTP Authentication for a Client
1. Enter system view: system-view
2. Enable NTP authentication (required; disabled by default): ntp-service authentication enable
3. Configure an NTP authentication key (required; no NTP authentication key by default): ntp-service authentication-keyid keyid authentication-mode md5 value
4. Configure the key as a trusted key (required; no authentication key is configured to be trusted by default): ntp-service reliable authentication-keyid keyid
5. Associate the specified key with an NTP server (required):
   Server/client mode: ntp-service unicast-server { ip-address | server-name } authentication-keyid keyid
   Symmetric peers mode: ntp-service unicast-peer { ip-address | peer-name } authentication-keyid keyid
After you enable the NTP authentication feature for the client, make sure that you configure for the client an authentication key that is the same as on the server and specify that the key is trusted; otherwise, the client cannot be synchronized to the server. For the server/client mode or symmetric mode, you need to associate the specified authentication key on the client (symmetric-active peer if in the symmetric peers mode) with the corresponding NTP server (symmetric-passive peer if in the symmetric peers mode). In these two modes, multiple servers may have been specified on a client, so the authentication key will be used to determine the server to which the client is to be synchronized.
For the broadcast server mode or multicast server mode, you need to associate the specified authentication key on the broadcast server or multicast server with the corresponding NTP server.
Configuring NTP Authentication for a Server
Follow these steps to configure NTP authentication for a server:
The procedure of configuring NTP authentication on a server is the same as that on a client, and the same authentication key must be configured on both the server and client sides.
Table 356 Configuring NTP Authentication for a Server
1. Enter system view: system-view
2. Enable NTP authentication (required; disabled by default): ntp-service authentication enable
3. Configure an NTP authentication key (required; no NTP authentication key by default): ntp-service authentication-keyid keyid authentication-mode md5 value
4. Configure the key as a trusted key (required; no authentication key is configured to be trusted by default): ntp-service reliable authentication-keyid keyid
5. Enter interface view: interface interface-type interface-number
6. Associate the specified key with an NTP server (required):
   Broadcast server mode: ntp-service broadcast-server authentication-keyid keyid
   Multicast server mode: ntp-service multicast-server authentication-keyid keyid
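The three commands that recur in the client and server procedures (enable authentication, configure a keyid with an MD5 value, mark that keyid trusted) map onto one check on the receiving side. The following Python is an added example, not 3Com's implementation: it assumes the RFC 1305 authenticator format (a 32-bit key ID followed by an MD5 digest over the key value and the 48-byte header), and the keys, device objects and header bytes are constructed. It shows the outcomes the principles above describe: a matching trusted key is accepted; a different key value, a key that is configured but not trusted, or a header altered in transit is rejected; and a client with authentication disabled accepts the packet regardless.

```python
"""NTPv3 MD5 authenticator check (added example, not the switch's code).

Assumed per RFC 1305: authenticator = 32-bit key ID || MD5(key value || 48-byte
header).  An NtpDevice models the guide's commands: `keys` holds what
`ntp-service authentication-keyid ... md5` configured, `trusted` the subset
marked with `ntp-service reliable authentication-keyid`, and `auth_enabled`
whether `ntp-service authentication enable` was given.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Set

HEADER_LEN = 48
KEY_ID_LEN = 4
DIGEST_LEN = 16


def md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Authenticator the sender appends: key ID, then MD5 over key || header."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


@dataclass
class NtpDevice:
    auth_enabled: bool
    keys: Dict[int, bytes] = field(default_factory=dict)
    trusted: Set[int] = field(default_factory=set)

    def sign(self, header: bytes, key_id: int) -> bytes:
        """Server side: emit header plus authenticator for the associated key."""
        return header + md5_mac(key_id, self.keys[key_id], header)

    def accepts(self, packet: bytes) -> bool:
        """Client side: would this device synchronize to the packet's sender?"""
        if not self.auth_enabled:
            return True          # authentication off: server's setting is irrelevant
        if len(packet) != HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
            return False         # no authenticator, or a malformed one
        header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
        key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
        if key_id not in self.keys or key_id not in self.trusted:
            return False         # a configured but untrusted key must not be used
        expected = hashlib.md5(self.keys[key_id] + header).digest()
        return hmac.compare_digest(expected, mac[KEY_ID_LEN:])


# Constructed 48-byte server header: LI=0, VN=3, mode 4, stratum 2, poll 6,
# precision -20, remaining fields zero.
SERVER_HEADER = bytes([0x1C, 2, 6, 0xEC]) + bytes(44)


def demo():
    server = NtpDevice(True, {1: b"constructed-key"}, {1})
    packet = server.sign(SERVER_HEADER, 1)

    same_key = NtpDevice(True, {1: b"constructed-key"}, {1})
    wrong_key = NtpDevice(True, {1: b"other-key"}, {1})
    untrusted = NtpDevice(True, {1: b"constructed-key"}, set())   # no `reliable`
    no_auth = NtpDevice(False)
    tampered = packet[:1] + bytes([1]) + packet[2:]   # stratum 2 -> 1 in transit

    return (same_key.accepts(packet),      # True
            wrong_key.accepts(packet),     # False: key value differs
            untrusted.accepts(packet),     # False: key id not trusted
            same_key.accepts(tampered),    # False: digest no longer matches
            no_auth.accepts(packet))       # True: client never checks


if __name__ == "__main__":
    print(demo())   # (True, False, False, False, True)
```

The last case is the one the first principle above warns about: enabling authentication on the server alone changes nothing for a client that has not enabled it, so the feature has to be switched on at the client to have any effect.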
Displaying and Maintaining NTP
Table 357 Displaying and Maintaining NTP
View the information of NTP service status: display ntp-service status
View the information of NTP sessions: display ntp-service sessions [ verbose ]
View the brief information of the NTP servers from the local device back to the primary reference source: display ntp-service trace
NTP Configuration Examples
The 3Com Switch 4500G cannot configure the local clock as a reference source for other devices.
Configuring NTP Server/Client Mode
Network requirements
The local clock of Device 1 is to be used as a reference source, with the stratum level of 2. Device 1 is to be used as the NTP server of Device 2, with Device 2 as the client.
Network diagram
Figure 137 Network diagram for NTP server/client mode configuration
[Figure 137: Device1 (VLAN-interface2, 1.0.1.11/24) connected to Device2 (VLAN-interface2, 1.0.1.12/24).]
Configuration procedure
1 Configuration on Device 1:
Specify the local clock as the reference source, with the stratum level of 2.
2 Configuration on Device 2:
a View the NTP status of Device 2 before clock synchronization.
<Device2> display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequence: 100.0000 Hz
Actual frequence: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
b Specify Device 1 as the NTP server of Device 2 so that Device 2 is synchronized to Device 1.
<Device2> system-view
System View: return to User View with Ctrl+Z.
[Device2] ntp-service unicast-server 1.0.1.11
c View the NTP status of Device 2 after clock synchronization.
[Device2] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequence: 100.0000 Hz
Actual frequence: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)
As shown above, Device 2 has been synchronized to Device 1, and the clock stratum level of Device 2 is 3, while that of Device 1 is 2.
d View the NTP session information of Device 2, which shows that an association has been set up between Device 2 and Device 1.
[Device2] display ntp-service sessions
      source          reference       stra   reach  poll  now  offset  delay  disper
************************************************************************
[12345] 1.0.1.11     127.127.1.0     2      63     64    3    -75.5   31.0   16.5
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 1
Configuring the NTP Symmetric Mode
Network requirements
The local clock of Device 3 is to be configured as a reference source, with the stratum
level of 2. Device 3 is to be used as the NTP server of Device 4, with Device 4 as the
client. At the same time, Device 4 will act as peer of Device 5, Device 5 in the
symmetric-active mode while Device 4 in the symmetric-passive mode.
Network diagram
Figure 138 Network diagram for NTP symmetric peers mode configuration
[Figure 138 content: Device 3, VLAN-interface 2, 3.0.1.31/24; Device 4, VLAN-interface 2, 3.0.1.32/24; Device 5, VLAN-interface 2, 3.0.1.33/24]
508 CHAPTER 53: NTP CONFIGURATION
Configuration procedure
1 Configuration on Device 3:
Specify the local clock as the reference source, with the stratum level of 2.
2 Configuration on Device 4:
Specify Device 3 as the NTP server of Device 4.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service unicast-server 3.0.1.31
3 Configuration on Device 5 (after Device 4 is synchronized to Device 3):
Specify the local clock as the reference source, with the stratum level of 1.
4 Configure Device 4 as a symmetric peer of Device 5 after local synchronization.
[Device5] ntp-service unicast-peer 3.0.1.32
In the step above, Device 4 and Device 5 are configured as symmetric peers, with Device 5 in the symmetric-active mode and Device 4 in the symmetric-passive mode. Because the stratum level of Device 5 is 1 while that of Device 4 is 3, Device 4 is synchronized to Device 5.
5 View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
 Clock status: synchronized
 Clock stratum: 2
 Reference clock ID: 3.0.1.33
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: -21.1982 ms
 Root delay: 15.00 ms
 Root dispersion: 775.15 ms
 Peer dispersion: 34.29 ms
 Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)
As shown above, Device 4 has been synchronized to Device 5, and the clock stratum
level of Device 4 is 2, while that of Device 5 is 1.
6 View the NTP session information of Device 4, which shows that an association has been
set up between Device 4 and Device 5.
[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset    delay   disper
*************************************************************************
[245]   3.0.1.31        127.127.1.0     2      15     64     24    10535.0   19.6    14.5
[12345] 3.0.1.33        LOCL            1      14     64     27    -77.0     16.0    14.8
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 2
Configuring NTP Broadcast Mode
Network requirements
Device 3's local clock is to be used as a reference source, with the stratum level of 2, and Device 3 sends out broadcast messages from VLAN interface 2. Device 4 and Device 1 receive broadcast messages through their respective VLAN interface 2.
Network diagram
Figure 139 Network diagram for NTP broadcast mode configuration
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 2.
b Configure Device 3 to work in the broadcast server mode and send broadcast
messages through VLAN interface 2.
[Device3] interface Vlan-interface 2
[Device3-Vlan-interface2] ntp-service broadcast-server
2 Configuration on Device 4:
Configure Device 4 to work in the broadcast client mode and receive broadcast messages
on VLAN interface 2.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service broadcast-client
3 Configuration on Device 1:
a Configure Device 1 to work in the broadcast client mode and receive broadcast
messages on VLAN interface 2.
<Device1> system-view
System View: return to User View with Ctrl+Z.
[Device1] interface vlan-interface 2
[Device1-Vlan-interface2] ntp-service broadcast-client
Because Device 1 and Device 3 are on different subnets, Device 1 cannot receive the
broadcast messages from Device 3. Device 4 gets synchronized upon receiving a
broadcast message from Device 3.

[Figure 139 content: Device 3, VLAN-interface 2, 3.0.1.31/24, and Device 4, VLAN-interface 2, 3.0.1.32/24, on one subnet; Device 0 between the 3.0.1.0/24 and 1.0.1.0/24 subnets; Device 1, VLAN-interface 2, 1.0.1.11/24]
b View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 3.0.1.31
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: 0.0000 ms
 Root delay: 31.00 ms
 Root dispersion: 8.31 ms
 Peer dispersion: 34.30 ms
 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
As shown above, Device 4 has been synchronized to Device 3, and the clock stratum
level of Device 4 is 3, while that of Device 3 is 2.
c View the NTP session information of Device 4, which shows that an association has
been set up between Device 4 and Device 3.
[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
*************************************************************************
[1234]  3.0.1.31        127.127.1.0     2      254    64     62    -16.0    32.0    16.6
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 1
Configuring NTP Multicast Mode
Network requirements
Device 3's local clock is to be used as a reference source, with the stratum level of 2, and Device 3 sends out multicast messages from VLAN interface 2. Device 4 and Device 1 receive multicast messages through their respective VLAN interface 2.
Network diagram
Figure 140 Network diagram for NTP multicast mode configuration
[Figure 140 content: Device 3, VLAN-interface 2, 3.0.1.31/24, and Device 4, VLAN-interface 2, 3.0.1.32/24, on one subnet; Device 0 between the 3.0.1.0/24 and 1.0.1.0/24 subnets; Device 1, VLAN-interface 2, 1.0.1.11/24]
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 2.
b Set Device 3 to work in the multicast server mode and send multicast messages
through VLAN interface 2.
<Device3> system-view
System View: return to User View with Ctrl+Z.
[Device3] interface Vlan-interface 2
[Device3-Vlan-interface2] ntp-service multicast-server
2 Configuration on Device 4:
a Set Device 4 to work in the multicast client mode and receive multicast messages on
VLAN interface 2.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service multicast-client
Because Device 4 and Device 3 are on the same subnet, Device 4 can receive the
multicast messages from Device 3 without being IGMP-enabled and can be synchronized
to Device 3.
b View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 3.0.1.31
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: 0.0000 ms
 Root delay: 31.00 ms
 Root dispersion: 8.31 ms
 Peer dispersion: 34.30 ms
 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
As shown above, Device 4 has been synchronized to Device 3, and the clock stratum
level of Device 4 is 3, while that of Device 3 is 2.
c View the NTP session information of Device 4, which shows that an association has
been set up between Device 4 and Device 3.
[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
*************************************************************************
[1234]  3.0.1.31        127.127.1.0     2      254    64     62    -16.0    31.0    16.6
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 1
3 Configuration on Device 0:
Because Device 1 and Device 3 are on different subnets, you must enable IGMP on
Device 1 and Device 0 before Device 1 can receive multicast messages from Device 3.
Enable IP multicast routing, run PIM-DM on both VLAN interfaces, and enable IGMP on VLAN interface 3.
<Device0> system-view
System View: return to User View with Ctrl+Z.
[Device0] multicast routing-enable
[Device0] interface vlan-interface 2
[Device0-Vlan-interface2] pim dm
[Device0-Vlan-interface2] quit
[Device0] interface vlan-interface 3
[Device0-Vlan-interface3] pim dm
[Device0-Vlan-interface3] igmp enable
4 Configuration on Device 1
a Enable IP multicast routing and IGMP.
<Device1> system-view
System View: return to User View with Ctrl+Z.
[Device1] multicast routing-enable
[Device1] interface vlan-interface 2
[Device1-Vlan-interface2] igmp enable
[Device1-Vlan-interface2] igmp static-group 224.0.1.1
b Configure Device 1 to work in the multicast client mode and receive multicast messages on VLAN interface 2.
[Device1-Vlan-interface2] ntp-service multicast-client
c View the NTP status of Device 1 after clock synchronization.
[Device1-Vlan-interface2] display ntp-service status
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 3.0.1.31
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: 0.0000 ms
 Root delay: 40.00 ms
 Root dispersion: 10.83 ms
 Peer dispersion: 34.30 ms
 Reference time: 16:02:49.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
As shown above, Device 1 has been synchronized to Device 3, and the clock stratum
level of Device 1 is 3, while that of Device 3 is 2.
d View the NTP session information of Device 1, which shows that an association has
been set up between Device 1 and Device 3.
[Device1-Vlan-interface2] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
*************************************************************************
[1234]  3.0.1.31        127.127.1.0     2      255    64     26    -16.0    40.0    16.6
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 1
Refer to Multicast Protocol volume for how to configure IGMP.
Configuring NTP Server/Client Mode with Authentication
Network requirements
The local clock of Device 1 is to be configured as a reference source, with the stratum
level of 2. Device 1 is to be used as the NTP server of Device 2, with Device 2 as the
client. NTP authentication is to be enabled for Device 1 and Device 2 at the same time.
Network diagram
Figure 141 Network diagram for configuration of NTP server/client mode with authentication
Configuration procedure
1 Configuration on Device 1:
Specify the local clock as the reference source, with the stratum level of 2.
2 Configuration on Device 2:
<Device2> system-view
System View: return to User View with Ctrl+Z.
a Enable NTP authentication on Device 2.
[Device2] ntp-service authentication enable
b Set an authentication key.
[Device2] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
c Specify the key as a trusted key.
[Device2] ntp-service reliable authentication-keyid 42
d Specify Device 1 as the NTP server, using key 42.
[Device2] ntp-service unicast-server 1.0.1.11 authentication-keyid 42
Before Device 2 can synchronize its clock to that of Device 1, you need to enable NTP authentication on Device 1 with the same key.
Perform the following configuration on Device 1:
e Enable NTP authentication.
[Device1] ntp-service authentication enable
f Set an authentication key.
[Device1] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
g Specify the key as a trusted key.
[Device1] ntp-service reliable authentication-keyid 42

[Figure 141 content: Device 1, VLAN-interface 2, 1.0.1.11/24; Device 2, VLAN-interface 2, 1.0.1.12/24]
h View the NTP status of Device 2 after clock synchronization.
[Device2] display ntp-service status
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 1.0.1.11
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: 0.0000 ms
 Root delay: 31.00 ms
 Root dispersion: 1.05 ms
 Peer dispersion: 7.81 ms
 Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)
As shown above, Device 2 has been synchronized to Device 1, and the clock stratum level of Device 2 is 3, while that of Device 1 is 2.
i View the NTP session information of Device 2, which shows that an association has been set up between Device 2 and Device 1.
[Device2] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
*************************************************************************
[12345] 1.0.1.11        127.127.1.0     2      63     64     3     -75.5    31.0    16.5
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 1
Configuring the NTP Symmetric Mode with Authentication
Network requirements
The local clock of Device 3 is to be configured as a reference source, with the stratum
level of 2. Device 3 is to be used as the NTP server of Device 4, with Device 4 as the
client. At the same time, Device 4 will act as peer of Device 5, Device 5 in the
symmetric-active mode while Device 4 in the symmetric-passive mode, with NTP
authentication enabled on every peer.
Network diagram
Figure 142 Network diagram for NTP symmetric peers mode configuration with authentication
[Figure 142 content: Device 3, VLAN-interface 2, 3.0.1.31/24; Device 4, VLAN-interface 2, 3.0.1.32/24; Device 5, VLAN-interface 2, 3.0.1.33/24]
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 2.
b Enter system view and enable NTP authentication on Device 3.
<Device3> system-view
System View: return to User View with Ctrl+Z.
[Device3] ntp-service authentication enable
c Set an authentication key.
[Device3] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
d Specify the key as a trusted key.
[Device3] ntp-service reliable authentication-keyid 42
2 Configuration on Device 4:
a Specify Device 3 as the NTP server of Device 4, using key 42.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service unicast-server 3.0.1.31 authentication-keyid 42
b Enable NTP authentication and set the same authentication key.
[Device4] ntp-service authentication enable
[Device4] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
c Specify the key as a trusted key.
[Device4] ntp-service reliable authentication-keyid 42
3 Configuration on Device 5 (after Device 4 is synchronized to Device 3):
a Specify the local clock as the reference source, with the stratum level of 1.
b Enter system view, enable NTP authentication and set the same authentication key.
<Device5> system-view
System View: return to User View with Ctrl+Z.
[Device5] ntp-service authentication enable
[Device5] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
c Specify the key as a trusted key.
[Device5] ntp-service reliable authentication-keyid 42
d Configure Device 4 as a symmetric peer of Device 5, using key 42.
[Device5] ntp-service unicast-peer 3.0.1.32 authentication-keyid 42
In the step above, Device 4 and Device 5 are configured as symmetric peers, with Device 5 in the symmetric-active mode and Device 4 in the symmetric-passive mode. Because the stratum level of Device 5 is 1 while that of Device 4 is 3, Device 4 is synchronized to Device 5.
516 CHAPTER 53: NTP CONFIGURATION
e View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
 Clock status: synchronized
 Clock stratum: 2
 Reference clock ID: 3.0.1.33
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: -21.1982 ms
 Root delay: 15.00 ms
 Root dispersion: 775.15 ms
 Peer dispersion: 34.29 ms
 Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)
As shown above, Device 4 has been synchronized to Device 5, and the clock stratum
level of Device 4 is 2, while that of Device 5 is 1.
f View the NTP session information of Device 4, which shows that an association has
been set up between Device 4 and Device 5.
[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset    delay   disper
*************************************************************************
[245]   3.0.1.31        127.127.1.0     2      15     64     24    10535.0   19.6    14.5
[12345] 3.0.1.33        LOCL            1      14     64     27    -77.0     16.0    14.8
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 2
Configuring NTP Broadcast Mode with Authentication
Network requirements
Device 3's local clock is to be used as a reference source, with the stratum level of 3, and Device 3 sends out broadcast messages from VLAN interface 2. Device 4 is to act as a broadcast client on VLAN interface 2, with NTP authentication enabled on both the server and the client.
Network diagram
Figure 143 Network diagram for configuration of NTP broadcast mode with authentication

[Figure 143 content: Device 3, VLAN-interface 2, 3.0.1.31/24, and Device 4, VLAN-interface 2, 3.0.1.32/24, on one subnet; Device 0 between the subnets; Device 1, VLAN-interface 2, 1.0.1.11/24]
Configuration procedure
1 Configuration on Device 3:
a Specify the local clock as the reference source, with the stratum level of 3.
b Configure NTP authentication.
[Device3] ntp-service authentication enable
[Device3] ntp-service authentication-keyid 88 authentication-mode md5 123456
[Device3] ntp-service reliable authentication-keyid 88
c Specify Device 3 as an NTP broadcast server, and specify the authentication key.
[Device3] interface vlan-interface 2
[Device3-Vlan-interface2] ntp-service broadcast-server authentication-keyid 88
2 Configuration on Device 4:
a Configure NTP authentication.
<Device4> system-view
System View: return to User View with Ctrl+Z.
[Device4] ntp-service authentication enable
[Device4] ntp-service authentication-keyid 88 authentication-mode md5 123456
[Device4] ntp-service reliable authentication-keyid 88
b Configure Device 4 to work in the NTP broadcast client mode.
[Device4] interface vlan-interface 2
[Device4-Vlan-interface2] ntp-service broadcast-client
Now, Device 4 can receive broadcast messages through VLAN interface 2, and Device
3 can send broadcast messages through VLAN interface 2. Upon receiving a
broadcast message from Device 3, Device 4 synchronizes its clock to that of Device 3.
c View the NTP status of Device 4 after clock synchronization.
[Device4] display ntp-service status
 Clock status: synchronized
 Clock stratum: 4
 Reference clock ID: 3.0.1.31
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: 0.0000 ms
 Root delay: 31.00 ms
 Root dispersion: 8.31 ms
 Peer dispersion: 34.30 ms
 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
As shown above, Device 4 has been synchronized to Device 3, and the clock stratum level of Device 4 is 4, while that of Device 3 is 3.
d View the NTP session information of Device 4, which shows that an association has been set up between Device 4 and Device 3.
[Device4] display ntp-service sessions
        source          reference       stra   reach  poll   now   offset   delay   disper
*************************************************************************
[1234]  3.0.1.31        127.127.1.0     3      254    64     62    -16.0    32.0    16.6
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associations : 1
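The three authentication examples above (server/client, symmetric and broadcast mode) all rely on the same wire-level mechanism: the sender appends a key ID and an MD5 digest of the shared key followed by the 48-byte NTP header, and a receiver with authentication enabled discards any packet whose key is unknown, not declared reliable, or whose digest does not match. The following is an added example in Python, not code from this guide or from the switch software, that builds a client packet, signs it as `authentication-keyid 42` would, and checks it the way the receiving side does. The key table, trusted-key set, packet contents and timestamp are constructed for the example; keys 42/aNiceKey and 88/123456 mirror the keys used in the configurations above, and key 88 is deliberately left out of the reliable set.

```python
"""Added example, not part of the 3Com guide: what 'authentication-keyid' puts on
the wire in the server/client, symmetric and broadcast examples, and how the
receiving side checks it.  Key table, trusted-key set and timestamps are
constructed here."""
import hashlib
import hmac
import struct
from typing import Tuple

NTP_UNIX_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN = 48                    # fixed NTP header
AUTH_LEN = 4 + 16                  # key ID + MD5 digest (RFC 1305 / RFC 5905 MAC)

# Constructed equivalent of 'ntp-service authentication-keyid N authentication-mode md5 KEY'
KEY_TABLE = {42: b"aNiceKey", 88: b"123456"}
# Constructed equivalent of 'ntp-service reliable authentication-keyid 42' (88 deliberately omitted)
TRUSTED_KEY_IDS = {42}


def unix_to_ntp(unix_seconds: float) -> int:
    """Convert UNIX time to the 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    fraction = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_UNIX_EPOCH_DELTA) << 32) | (fraction & 0xFFFFFFFF)


def build_client_header(transmit_unix_time: float, version: int = 3) -> bytes:
    """Build a 48-byte NTP client request (mode 3) with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (version << 3) | 3            # leap 0, version, mode 3 = client
    header = struct.pack("!BBbb", li_vn_mode, 0, 6, -18)  # stratum 0 (unspecified), poll 2^6, precision 2^-18
    header += struct.pack("!II", 0, 0)                    # root delay, root dispersion
    header += b"\x00" * 4                                 # reference ID
    header += struct.pack("!QQQ", 0, 0, 0)                # reference, origin, receive timestamps
    header += struct.pack("!Q", unix_to_ntp(transmit_unix_time))
    return header


def md5_mac(key: bytes, header: bytes) -> bytes:
    """Keyed MD5 as NTP uses it: MD5(key || header).  This is the legacy prefix
    construction the 'authentication-mode md5' keyword refers to, not HMAC."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int) -> bytes:
    """Sender side: append the 20-byte authenticator (key ID, then digest)."""
    return header + struct.pack("!I", key_id) + md5_mac(KEY_TABLE[key_id], header)


def verify(packet: bytes) -> Tuple[bool, str]:
    """Receiver side with 'ntp-service authentication enable': the packet must carry
    an authenticator, the key ID must be configured AND declared reliable, and the
    digest must match.  On any failure the packet is ignored and the sender never
    becomes a synchronization source."""
    if len(packet) != HEADER_LEN + AUTH_LEN:
        return False, "no authenticator present"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    key = KEY_TABLE.get(key_id)
    if key is None:
        return False, f"key id {key_id} not configured"
    if key_id not in TRUSTED_KEY_IDS:
        return False, f"key id {key_id} configured but not reliable"
    if not hmac.compare_digest(md5_mac(key, header), digest):
        return False, "digest mismatch: wrong key or modified header"
    return True, f"authenticated with key id {key_id}"


def tamper(packet: bytes, offset: int = 1) -> bytes:
    """Flip one bit in the header (default: the stratum byte) while keeping the old MAC,
    which is what an on-path modification of a signed packet looks like."""
    flipped = bytes([packet[offset] ^ 0x01])
    return packet[:offset] + flipped + packet[offset + 1:]


if __name__ == "__main__":
    # 14:53:27 UTC Sep 19 2005, the reference time in the guide's output (NTP seconds 0xC6D94F67)
    header = build_client_header(1127141607.0)
    print(hex(unix_to_ntp(1127141607.0) >> 32))
    print(verify(sign(header, 42)))            # accepted
    print(verify(header))                      # unauthenticated: rejected
    print(verify(sign(header, 88)))            # configured but not reliable: rejected
    print(verify(tamper(sign(header, 42))))    # modified in flight: rejected
```

Two points the configuration steps do not make explicit follow from the code: a key that is configured but not declared reliable is as useless as no key, which is why every device needs both the `authentication-keyid` and the `reliable` command; and because the MAC is a plain keyed MD5 over a shared secret, the key is effectively a password shared by every device in the example, so a short key such as 123456 protects nothing once one device is compromised.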
54 DNS CONFIGURATION
When configuring DNS, go to these sections for information you are interested in:
DNS Overview
Configuring Static Domain Name Resolution
Configuring Dynamic Domain Name Resolution
Displaying and Maintaining DNS
Troubleshooting DNS Configuration
DNS Overview
Domain name system (DNS) is a mechanism used by TCP/IP applications such as Telnet to convert Internet addresses in mnemonic form into the equivalent numeric IP addresses.
There are two types of DNS services, static and dynamic. Each time the switch receives a name query it checks its static database before using dynamic domain name resolution. Putting frequently used addresses in the static database shortens the search of the dynamic database and so improves efficiency.
Static Domain Name Resolution
Static domain name resolution manually sets up mappings between names and IP addresses. Applications look up the IP addresses of the corresponding names in the static domain name resolution database.
Dynamic Domain Name Resolution
Resolving procedure
The switch supports the following dynamic domain name resolution procedure. The relationships between the user program, the DNS Client and the DNS Server are shown in Figure 144.
1 A user program sends a name query to the resolver in the DNS Client.
2 The resolver looks up its cache for a match. If one is found, it returns the corresponding IP address. If not, it sends a query to the DNS Server.
3 The DNS Server looks up its database for a match. If no match is found, it sends the query to its parent DNS Server. If the parent DNS Server does not have the information, it forwards the query to yet another server. This continues until the query either succeeds or fails.
4 The DNS Client performs the next operation according to the result.
520 CHAPTER 54: DNS CONFIGURATION
Figure 144 Dynamic domain name resolution
The resolver and cache comprise the DNS Client. The user program can run on the same
machine as the DNS Client, while the DNS Server and the DNS Client must run on
different machines.
Dynamic domain name resolution allows the DNS Client to store the latest mappings between names and IP addresses in the dynamic domain name cache, so the same mapping does not have to be requested from the DNS Server again. Aged mappings are removed from the cache after some time and fresh entries are requested from the DNS Server. The DNS Server decides how long a mapping is valid, and the DNS Client reads that lifetime from the DNS messages.
DNS suffixes
The DNS Client normally holds a list of suffixes which can be defined by the users. It is
used when the name to be resolved is not complete. The resolver can supply the missing
part. For example, a user can configure com as the suffix for aabbcc.com. The user only
needs to type aabbcc to get the IP address of aabbcc.com. The resolver can add the suffix
and delimiter before passing the name to the DNS Server.
If there is no dot in the domain name, such as aabbcc, the resolver will consider
this as a host name and add the suffix before processing. The original name such as
aabbcc is used if all DNS lookups fail.
If there is a dot in the domain name, such as www.aabbcc, the resolver will use this
domain name to do DNS lookup first before adding any suffix.
If the dot is at the end of the domain name, such as aabbcc.com., the resolver will
consider this as a fully qualified domain name and return the result whether it is a
success or a failure. Hence, the dot (.) is called the terminating symbol.
Currently, the Switch 4500G supports static and dynamic domain name services on the
DNS Client.
[Figure 144 content: the user program sends a request to the resolver and receives a response; the resolver saves to and reads from the cache (resolver and cache form the DNS Client); the resolver sends requests to and receives responses from the DNS Server]
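The suffix rules and cache behaviour described above, as an added Python example (not code from this guide or from the switch software). The server record table and the TTL values are constructed, and the example assumes that suffixes are tried in configuration order; the guide does not state the order. The names follow the guide's aabbcc.com and host 1 examples.

```python
"""Added example, not part of the 3Com guide: a resolver that applies the DNS
suffix rules (no dot, dot inside, terminating dot) and a TTL-governed cache
over a constructed stand-in for the DNS Server."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SUFFIXES = 10   # the guide's limit: up to 6 DNS Servers and 10 DNS suffixes


def lookup_order(name: str, suffixes: List[str]) -> List[str]:
    """Candidate names in the order the resolver tries them (suffix order assumed)."""
    if name.endswith("."):
        return [name]                                  # terminating dot: FQDN, no suffix search
    with_suffixes = [f"{name}.{s}" for s in suffixes]
    if "." not in name:
        return with_suffixes + [name]                  # host name: suffixes first, bare name last
    return [name] + with_suffixes                      # dotted name: as typed first, then suffixes


@dataclass
class CacheEntry:
    ip: str
    expires_at: float   # the server-supplied TTL decides how long the mapping is valid


class FakeDnsServer:
    """Constructed stand-in for the DNS Server at 2.1.1.2: name -> (ip, ttl seconds)."""

    def __init__(self, records: Dict[str, Tuple[str, int]]):
        self.records = records
        self.queries: List[str] = []                   # every name the client actually asked for

    def query(self, name: str) -> Optional[Tuple[str, int]]:
        self.queries.append(name)
        return self.records.get(name.rstrip("."))


class DnsClient:
    def __init__(self, server: FakeDnsServer, suffixes: List[str]):
        if len(suffixes) > MAX_SUFFIXES:
            raise ValueError(f"at most {MAX_SUFFIXES} DNS suffixes")
        self.server = server
        self.suffixes = suffixes
        self.cache: Dict[str, CacheEntry] = {}

    def resolve(self, name: str, now: float) -> Optional[str]:
        """For each candidate: use a live cache entry, otherwise ask the server and
        cache a positive answer until its TTL runs out."""
        for candidate in lookup_order(name, self.suffixes):
            hit = self.cache.get(candidate)
            if hit is not None and hit.expires_at > now:
                return hit.ip
            self.cache.pop(candidate, None)            # aged entry: drop it and query again
            answer = self.server.query(candidate)
            if answer is not None:
                ip, ttl = answer
                self.cache[candidate] = CacheEntry(ip, now + ttl)
                return ip
        return None


def build_demo() -> Tuple[DnsClient, FakeDnsServer]:
    """Constructed setup: 'dns domain net' then 'dns domain com', and a server that
    knows aabbcc.com and host1.net (both at 1.1.1.2, as in the guide's example)."""
    server = FakeDnsServer({"aabbcc.com": ("1.1.1.2", 300), "host1.net": ("1.1.1.2", 60)})
    return DnsClient(server, ["net", "com"]), server


if __name__ == "__main__":
    client, server = build_demo()
    print(lookup_order("aabbcc", ["net", "com"]))
    print(client.resolve("aabbcc", now=0.0), server.queries)
    print(client.resolve("host1", now=0.0), client.resolve("host1", now=30.0), server.queries)
```

Note that `server.queries` records the extra lookups a bare host name costs: `aabbcc` is sent to the server as `aabbcc.net` before `aabbcc.com` succeeds, so the order in which suffixes are configured also decides which zone sees the first, failing query.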
Configuring Static Domain Name Resolution 521
Configuring Static Domain Name Resolution
Follow the steps in Table 358 to configure static domain name resolution.
The last IP address you assign to a host name overwrites any earlier one.
You can create up to 50 entries for static domain name resolution.
Configuring Dynamic Domain Name Resolution
Configuration Procedure
Follow the steps in Table 359 to configure dynamic domain name resolution.
You can configure up to 6 DNS Servers and 10 DNS suffixes.
DNS Configuration Example
Network requirements
As shown in Figure 145, the switch is used as a DNS Client with dynamic domain name resolution to reach host 1 at IP address 1.1.1.2/16. The DNS Server has IP address 2.1.1.2/16. The DNS suffixes are com and net.
Network diagram
Figure 145 Network diagram for dynamic domain name resolution
Table 358 Configuring Static Domain Name Resolution
To do                                        Use the command                 Remarks
Enter system view                            system-view                     -
Create a hostname to IP address mapping      ip host hostname ip-address     Required
entry                                                                        No IP address is assigned to the host name by default.

Table 359 Configuring Dynamic Domain Name Resolution
To do                                        Use the command                 Remarks
Enter system view                            system-view                     -
Enable dynamic domain name resolution        dns resolve                     Required
                                                                             Disabled by default.
Configure the IP address of a DNS Server     dns server ip-address           Required
                                                                             No IP address is assigned by default.
Configure a DNS suffix                       dns domain domain-name          Optional
                                                                             No DNS suffix by default.
[Figure 145 content: DNS Client with 2.1.1.1/16 towards the DNS Server and 1.1.1.1/16 towards host1; DNS Server 2.1.1.2/16; host1 1.1.1.2/16]
Configuration procedure
Before doing the following configuration, make sure the route between the switch and host 1 is reachable and that both devices are configured. The IP address of each interface is shown in Figure 145. Make sure the DNS Server works properly and has a mapping between host 1 and IP address 1.1.1.2/16.
1 Enable dynamic domain name resolution.
[3Com] dns resolve
2 Configure IP address 2.1.1.2 for the DNS Server.
[3Com] dns server 2.1.1.2
3 Configure net as a DNS suffix.
[3Com] dns domain net
4 Configure com as a DNS suffix.
[3Com] dns domain com
Ping host 1 to verify the configuration and the corresponding IP address should be
1.1.1.2.
Displaying and Maintaining DNS
See Table 360.
Troubleshooting DNS Configuration
Symptom
After dynamic domain name resolution is enabled, the user cannot get the IP address, or the IP address is incorrect.
Solution
Use the display dns dynamic-host command to check whether the specified domain name is in the cache.
If the domain name is not in the cache, check that dynamic domain name resolution is enabled and that the DNS Client can communicate with the DNS Server.
If the domain name is in the cache but the IP address is wrong, make sure the DNS Client has the correct IP address of the DNS Server.
Check that the mapping list on the DNS Server is correct.
Table 360 Displaying and Maintaining DNS
To do                                                   Use the command                   Remarks
Display the static DNS list                             display ip host                   Available in any view
Display DNS Server information                          display dns server [ dynamic ]    Available in any view
Display the DNS suffixes                                display dns domain [ dynamic ]    Available in any view
Display the cache of dynamic domain name resolution     display dns dynamic-host          Available in any view
Clear the cache of dynamic domain name resolution       reset dns dynamic-host            Available in user view
55 INFORMATION CENTER
Information Center Overview
Introduction to Information Center
Acting as the system information hub, information center classifies and manages system
information. Together with the debugging functionality, information center offers a
powerful support to the network administrators and developers in monitoring network
performance and diagnosing network problems.
System Information Format
System information has the following format:
<priority>timestamp sysname module/level/digest:content
The closing angle bracket, the space, the forward slash, and the colon are all required in the above format.
Below is the format of log information output to a log host:
<188>Sep 28 15:33:46:235 2005 3Com SHELL/5/LOGIN: Console login from con0
What follows is a detailed explanation of the fields involved:
Priority
The priority is calculated using the following format: facility*8+severity-1, in which
facility is local7 by default and the range of severity is 1 to 8. Table 361 details the value
and meaning associated with each severity.
Note that there is no space between the priority and timestamp fields and that the
priority only takes effect when the information has been sent to the log host.
Timestamp
Timestamp records the time when system information is generated to allow users check
and identify system events.
Note that there is a space between the timestamp and sysname (host name) fields.
Sysname
Sysname is the system name of the current host. Users can use the sysname command
to modify the sysname.
Note that there is a space between the sysname and module fields.
Module
The module field represents the name of the module that generates system information.
524 CHAPTER 55: INFORMATION CENTER
Note that there is a forward slash between the module and level (severity) fields.
Level (Severity)
System information falls into three categories: log information, debug information, and
trap information. Each kind of information can be further divided into eight levels based
on its severity, as detailed in Table 361. Note that the smaller the severity value, the
higher the severity.
Information filtering by severity works this way: information with a severity value greater
than the configured threshold is not output during filtering.
If the threshold is set to 1, only information with the severity emergencies is output;
if the threshold is set to 8, information of all severities is output.
Note that there is a forward slash between the level (severity) and digest fields.
Digest
The digest field is a string of up to 32 characters, outlining the system information.
Note that there is a colon between the digest and content fields.
Content
This field provides the content of the system information.
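The format above, parsed and the priority rule checked in code. This is an added example, not code from the 3Com guide or from the switch software; the function and class names are assumed. The "-1" in the priority formula is what lines Table 361's 1 to 8 up with the 0 to 7 severity field of a standard syslog priority value (facility*8 + severity), so the sample message sent with <188> is facility local7 (code 23) at severity 5, warnings.

```python
"""Parser for the format <priority>timestamp sysname module/level/digest: content.

Added example for this section; it is not code from the 3Com guide or the switch.
The sample message is the one shown above; the names used here are assumed.
"""
import re
from dataclasses import dataclass

# Severity names and values from Table 361 (1 is the most severe, 8 is debugging).
SEVERITY_NAMES = {
    1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
    5: "warnings", 6: "notifications", 7: "informational", 8: "debugging",
}

# Standard syslog facility codes for local0..local7 (16..23); local7, the default, is 23.
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}

# The closing '>', the single spaces, the two '/' and the ': ' are all required.
_MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"       # <priority>, with no space before the timestamp
    r"(?P<ts>.+?) "              # timestamp (may itself contain spaces), then one space
    r"(?P<sysname>\S+) "         # sysname, then one space
    r"(?P<module>[^/\s]+)/"      # module, then a forward slash
    r"(?P<level>[1-8])/"         # level (severity 1..8), then a forward slash
    r"(?P<digest>[^:]{1,32}): "  # digest of up to 32 characters, then a colon
    r"(?P<content>.*)$"          # content
)


@dataclass
class SystemInfo:
    priority: int
    facility: str
    severity: int
    timestamp: str
    sysname: str
    module: str
    level: int
    digest: str
    content: str


def compute_priority(facility: str, severity: int) -> int:
    """facility*8 + severity - 1, as the guide states.

    The '- 1' maps Table 361's 1..8 onto the 0..7 severity field of a
    standard syslog priority value (facility*8 + severity, severity 0..7).
    """
    if severity not in SEVERITY_NAMES:
        raise ValueError(f"severity must be 1..8, got {severity}")
    return FACILITY_CODES[facility] * 8 + severity - 1


def parse_system_info(line: str) -> SystemInfo:
    """Split one message into its fields and decode the priority."""
    m = _MSG_RE.match(line)
    if m is None:
        raise ValueError(f"message does not match the system information format: {line!r}")
    pri = int(m["pri"])
    facility_code, severity_minus_1 = divmod(pri, 8)
    return SystemInfo(
        priority=pri,
        facility=FACILITY_NAMES.get(facility_code, f"facility{facility_code}"),
        severity=severity_minus_1 + 1,
        timestamp=m["ts"],
        sysname=m["sysname"],
        module=m["module"],
        level=int(m["level"]),
        digest=m["digest"],
        content=m["content"],
    )


def passes_threshold(info: SystemInfo, threshold: int) -> bool:
    """Severity filtering as described above: a severity value greater than the
    configured threshold is not output; threshold 1 keeps only emergencies, 8 keeps all."""
    return info.severity <= threshold


# The log-host sample line from this section.
SAMPLE = "<188>Sep 28 15:33:46:235 2005 3Com SHELL/5/LOGIN: Console login from con0"

if __name__ == "__main__":
    info = parse_system_info(SAMPLE)
    print(info)
    print("priority recomputed:", compute_priority(info.facility, info.severity))
    print("output at threshold 4:", passes_threshold(info, 4))
```

The parser is strict about the separators on purpose: a message that arrives at a log host with a missing slash or colon is a sign that something other than the switch produced it, or that it was altered in transit.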
Configuring Information Center
Information center has the following characteristics:
Supports information output to the console, the monitor, the log host, the trap
buffer, the log buffer, and the SNMP agent. A default channel is allocated to each
individual output direction, as illustrated in Table 362.
System information is classified into eight categories according to severity and filtered
by severity;
System information is categorized and filtered by source module;
The output information can be in English or Chinese.
Table 361 Severity Description
Severity | Severity Value | Description
emergencies | 1 | The most emergent errors
alerts | 2 | Errors that demand prompt correction
critical | 3 | Critical errors
errors | 4 | Errors that are not critical but demand attention
warnings | 5 | Warnings that suggest possible errors
notifications | 6 | Normal errors with important prompts
informational | 7 | Normal prompts
debugging | 8 | Debugging prompts
Configurations for the seven output directions function independently and take effect
only after the information center has been enabled.
Configuring to Output System Information to the Console
Table 362 Information channels for different output directions
Output direction | Information channel No. | Default channel name
Console | 0 | console
Monitor terminal | 1 | monitor
Log host | 2 | loghost
Trap buffer | 3 | trapbuffer
Log buffer | 4 | logbuffer
SNMP NMS | 5 | snmpagent
Note: NMS = Network Management Station
Table 363 Configure to output system information to the console
To do: Enter system view
  Use the command: system-view
To do: Enable information center
  Use the command: info-center enable
  Remarks: Optional. Enabled by default.
To do: Name the channel with a specified channel number
  Use the command: info-center channel channel-number name channel-name
  Remarks: Optional. Refer to Table 362 for default channel names.
To do: Configure the channel through which system information can be output to the console
  Use the command: info-center console channel { channel-number | channel-name }
  Remarks: Optional. System information is output to the console by default with channel 0 as the default channel.
To do: Configure the source of the output information
  Use the command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
  Remarks: Required.
To do: Configure the format of the time stamp
  Use the command: info-center timestamp { log | trap | debugging } { boot | date | none }
  Remarks: Optional. By default, the time stamp for log and trap information is date whereas that for debug information is boot.
Enabling the display of system information on the console
After configuring to output system information to the console, you need to enable the
associated display function in order to display the output information on the console.
Perform the following configurations in user view:
Table 364 Enable the display of system information on the console
To do: Enable the monitoring of system information on the console
  Use the command: terminal monitor
  Remarks: Optional. Enabled by default.
To do: Enable the display of debug information on the console
  Use the command: terminal debugging
  Remarks: Optional. Disabled by default.
To do: Enable the display of log information on the console
  Use the command: terminal logging
  Remarks: Optional. Enabled by default.
To do: Enable the display of trap information on the console
  Use the command: terminal trapping
  Remarks: Optional. Enabled by default.
Configuring to Output System Information to a Monitor Terminal
System information can also be output to a monitor terminal, which is a user terminal
that has login connections through the AUX, VTY, or TTY user interface.
Configuring to output system information to a monitor terminal
Table 365 Configure to output system information to a monitor terminal
To do: Enter system view
  Use the command: system-view
To do: Enable information center
  Use the command: info-center enable
  Remarks: Optional. Enabled by default.
To do: Name the channel with a specified channel number
  Use the command: info-center channel channel-number name channel-name
  Remarks: Optional. Refer to Table 362 for default channel names.
To do: Configure the channel through which system information can be output to a monitor terminal
  Use the command: info-center monitor channel { channel-number | channel-name }
  Remarks: Optional. System information is output to the monitor terminal by default with channel 1 as the default channel.
To do: Configure the source of the output information
  Use the command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
  Remarks: Required.
To do: Configure the format of the time stamp
  Use the command: info-center timestamp { log | trap | debugging } { boot | date | none }
  Remarks: Optional. By default, the time stamp for log and trap information is date whereas that for debug information is boot.
Enabling the display of system information on a monitor terminal
After configuring to output system information to a monitor terminal, you need to
enable the associated display function in order to display the output information on the
monitor terminal.
Table 366 Enable the display of system information on a monitor terminal
To do: Enable the monitoring of system information on a monitor terminal
  Use the command: terminal monitor
  Remarks: Required. Disabled by default.
To do: Enable the display of debug information on a monitor terminal
  Use the command: terminal debugging
  Remarks: Optional. Disabled by default.
To do: Enable the display of log information on a monitor terminal
  Use the command: terminal logging
  Remarks: Optional. Enabled by default.
To do: Enable the display of trap information on a monitor terminal
  Use the command: terminal trapping
  Remarks: Optional. Enabled by default.
Configuring to Output System Information to a Log Host
Table 367 Configure to output system information to a log host
To do: Enter system view
  Use the command: system-view
To do: Enable information center
  Use the command: info-center enable
  Remarks: Optional. Enabled by default.
To do: Name the channel with a specified channel number
  Use the command: info-center channel channel-number name channel-name
  Remarks: Optional. Refer to Table 362 for default channel names.
To do: Specify a log host and configure the channel through which system information can be output to the log host
  Use the command: info-center loghost host-ip [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ]*
  Remarks: Required. Disabled by default, with channel 2 as the default channel when enabled.
To do: Configure the source interface through which log information can be output to a log host
  Use the command: info-center loghost source interface-type interface-number
  Remarks: Required. No source interface is configured by default.
To do: Configure the source of the output information
  Use the command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
  Remarks: Required.
To do: Configure one of the three time stamp options for system information output to a log host: including the year, excluding the year, or providing no time stamp at all
  Use the command: info-center timestamp loghost { date | no-year-date | none }
  Remarks: Optional. The year is included by default.
Configuring to Output System Information to the Trap Buffer
Table 368 Configure to output system information to the trap buffer
To do: Enter system view
  Use the command: system-view
To do: Enable information center
  Use the command: info-center enable
  Remarks: Optional. Enabled by default.
To do: Name the channel with a specified channel number
  Use the command: info-center channel channel-number name channel-name
  Remarks: Optional. Refer to Table 362 for default channel names.
To do: Configure the channel through which system information can be output to a trap buffer and specify the buffer size
  Use the command: info-center trapbuffer [ size buffersize | channel { channel-number | channel-name } ]*
  Remarks: Optional. System information is output to the trap buffer by default with channel 3 (known as trapbuffer) as the default channel and a default buffer size of 256.
To do: Configure the source of the output information
  Use the command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
  Remarks: Required.
To do: Configure the format of the time stamp
  Use the command: info-center timestamp { log | trap | debugging } { boot | date | none }
  Remarks: Optional. By default, the time stamp for log and trap information is date whereas that for debug information is boot.
Configuring to Output System Information to the Log Buffer
Table 369 Configure to output system information to the log buffer
To do: Enter system view
  Use the command: system-view
To do: Enable information center
  Use the command: info-center enable
  Remarks: Optional. Enabled by default.
To do: Name the channel with a specified channel number
  Use the command: info-center channel channel-number name channel-name
  Remarks: Optional. Refer to Table 362 for default channel names.
To do: Configure the channel through which system information can be output to the log buffer and specify the buffer size
  Use the command: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]*
  Remarks: Optional. System information is output to the log buffer by default with channel 4 (known as logbuffer) as the default channel and a default buffer size of 512.
To do: Configure the source of the output information
  Use the command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
  Remarks: Required.
To do: Configure the format of the time stamp
  Use the command: info-center timestamp { log | trap | debugging } { boot | date | none }
  Remarks: Optional. By default, the time stamp for log and trap information is date whereas that for debug information is boot.
Configuring to Output System Information to the SNMP NMS
Table 370 Configure to output system information to the SNMP NMS
To do: Enter system view
  Use the command: system-view
To do: Enable information center
  Use the command: info-center enable
  Remarks: Optional. Enabled by default.
To do: Name the channel with a specified channel number
  Use the command: info-center channel channel-number name channel-name
  Remarks: Optional. Refer to Table 362 for default channel names.
To do: Configure the channel through which system information can be output to the SNMP NMS
  Use the command: info-center snmp channel { channel-number | channel-name }
  Remarks: Optional. System information is output to the SNMP NMS by default with channel 5 (known as snmpagent) as the default channel.
To do: Configure the source of the output information
  Use the command: info-center source { modu-name | default } channel { channel-number | channel-name } [ debug { level severity | state state }* | log { level severity | state state }* | trap { level severity | state state }* ]*
  Remarks: Required.
To do: Configure the format of the time stamp
  Use the command: info-center timestamp { log | trap | debugging } { boot | date | none }
  Remarks: Optional. By default, the time stamp for log and trap information is date whereas that for debug information is boot.
To ensure that system information can be output to the SNMP NMS, you need to make
the necessary configurations on the SNMP agent and the NMS. For detailed information
on SNMP&RMON, refer to SNMP Configuration.
Configuring Synchronous Information Output
Synchronous information output refers to the feature that, if the user's input is
interrupted by system output such as log, trap, or debug information, then after the
system output completes the system displays a command line prompt (a prompt in
command editing mode, or a [Y/N] string in interaction mode) followed by the user's
input so far.
This command is intended for scenarios in which the user's input is interrupted by a
large amount of system output. With this feature enabled, the user can continue the
operation from where it was interrupted.
If the user has input nothing after the current command line prompt, the system does
not display a command line prompt after the system information output.
In interaction mode, the user is prompted for some input. If that input is interrupted
by system output, no system prompt is displayed; only the user's input is displayed on
a new line.
Table 371 Configuring Synchronous Information Output
To do: Enter system view
  Use the command: system-view
To do: Enable synchronous information output
  Use the command: info-center synchronous
  Remarks: Required. Disabled by default.
Displaying and Maintaining Information Center
Table 372 Display and maintain information center
To do: Display channel information for a specified channel
  Use the command: display channel [ channel-number | channel-name ]
  Remarks: Available in any view.
To do: Display the configurations for all information channels except channels 6 to 8
  Use the command: display info-center
  Remarks: Available in any view.
To do: Display the state of the log buffer and the log information recorded
  Use the command: display logbuffer [ level severity | size buffersize ]* [ | { begin | exclude | include } text ]
  Remarks: Available in any view.
To do: Display a summary of the log buffer
  Use the command: display logbuffer summary [ level severity ]
  Remarks: Available in any view.
To do: Display the state of the trap buffer and the trap information recorded
  Use the command: display trapbuffer [ size buffersize ]
  Remarks: Available in any view.
To do: Reset the log buffer
  Use the command: reset logbuffer
  Remarks: Available in user view.
To do: Reset the trap buffer
  Use the command: reset trapbuffer
  Remarks: Available in user view.
Information Center Configuration Example
Configuration Example 1
Outputting Log Information to a Unix Log Host
Network requirements
Send log information to a Unix log host;
The log host has an IP address of 1.2.0.1/16;
Log information with severity higher than informational will be output to the log host;
The log information is in English and the source modules are ARP and CMD.
Network diagram
Figure 146 Network diagram for outputting log information to a Unix log host
Configuration Procedure
1 Configuring the device
a Enable information center.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
%Information center is enabled
b Specify the channel to output log information to the log host (loghost by default,
optional).
[3Com] info-center loghost 1.2.0.1 channel loghost
c Disable the output of log, trap, and debug information of all modules to the log host.
[3Com] info-center source default channel loghost debug state off log state off trap state off
CAUTION: As the default system configurations for different channels vary, ensure that
the output of log, trap, and debug information for the specified channel (loghost in
this example) of all modules is disabled before the system information can be output to
meet the current network requirements.
Use the display channel command to display the state of a channel.
[Figure 146 content: Switch (1.1.0.1/16) connected through the network to the PC log host (1.2.0.1/16)]
d Set the host with an IP address of 1.2.0.1/16 to be the log host, set the severity to
informational, the output language to English, and the source modules to ARP and
CMD.
[3Com] info-center loghost 1.2.0.1 facility local4 language english
[3Com] info-center source arp channel loghost log level informational
[3Com] info-center source cmd channel loghost log level informational
2 Configuring the log host
The following configurations were made on SunOS 4.0, whose configuration is similar
to that of the Unix operating systems implemented by other vendors.
a Issue the following commands as the root user.
# mkdir /var/log/3Com
# touch /var/log/3Com/information
b Edit the file /etc/syslog.conf as the root user and add the following selector/action pair.
# 3Com configuration messages
local4.info	/var/log/3Com/information
Be aware of the following issues while editing the /etc/syslog.conf file:
Comments must be on a separate line and must begin with the # sign.
The selector/action pair must be separated with a tab, rather than a space.
No redundant spaces are allowed in the file name.
The facility name and the accepted severity of log information specified in the
/etc/syslog.conf file must match those configured on the device with the info-center
loghost host-ip [ channel { channel-number | channel-name } | facility
local-number | language { chinese | english } ]* command; otherwise the
log information may not be output properly to the log host.
c After the log file has been created and the configuration file /etc/syslog.conf has
been modified, ensure that syslogd rereads the configuration file /etc/syslog.conf:
# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &
After the above configurations, the system will be able to keep log information in the
related file.
Configuration Example 2
Outputting Log Information to a Linux Log Host
Network requirements
Send log information to a Linux log host; the log host has an IP address of 1.2.0.1/16;
Log information with severity higher than informational will be output to the log host;
The log information is in English and all modules can output information.
Network diagram
Figure 147 Network diagram for outputting log information to a Linux log host
Configuration Procedure
1 Configuring the device
a Enable information center.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
%Information center is enabled
b Specify the channel to output log information to the log host (optional, loghost by
default).
[3Com] info-center loghost 1.2.0.1 channel loghost
c Disable the output of log, trap, and debug information of all modules to the log host.
[3Com] info-center source default channel loghost debug state off log state off trap state off
CAUTION: As the default system configurations for different channels vary, ensure that
the output of log, trap, and debug information for the specified channel (loghost in this
example) of all modules is disabled before the system information can be output to meet
the current network requirements.
Use the display channel command to display the state of a channel.
d Set the host with an IP address of 1.2.0.1/16 to be the log host, set the severity to
informational, the output language to English, and the source modules to all modules.
[3Com] info-center loghost 1.2.0.1 facility local7 language english
[3Com] info-center source default channel loghost log level informational
2 Configuring the log host
a Issue the following commands as the root user.
# mkdir /var/log/3Com
# touch /var/log/3Com/information
b Edit the file /etc/syslog.conf as the root user and add the following selector/action pair.
# 3Com configuration messages
local7.info	/var/log/3Com/information
[Figure 147 content: Switch (1.1.0.1/16) connected through the network to the PC log host (1.2.0.1/16)]
Be aware of the following issues while editing the /etc/syslog.conf file:
Comments must be on a separate line and must begin with the # sign.
The selector/action pair must be separated with a tab, rather than a space.
No redundant spaces are allowed in the file name.
The facility name and the accepted severity of the log information specified in the
/etc/syslog.conf file must match those configured on the device with the info-center
loghost host-ip [ channel { channel-number | channel-name } | facility
local-number | language { chinese | english } ]* command; otherwise the log
information may not be output properly to the log host.
c After the log file has been created and the /etc/syslog.conf file has been modified,
issue the following commands to display the process ID of syslogd, terminate the
syslogd process, and restart syslogd with the -r option.
# ps -ae | grep syslogd
147
# kill -9 147
# syslogd -r &
Ensure that the syslogd process is started with the -r option on a Linux log host.
After the above configurations, the system will be able to keep log information in the
related file.
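The /etc/syslog.conf rules listed for both log host examples (comments on their own line, a tab between selector and action, no spaces in the file name, and a facility and severity that match the device's info-center loghost settings), checked in code. This is an added example, not part of the 3Com guide; the config text is constructed, the function names are assumed, and traditional syslog.conf selector semantics (a level keyword accepts that level and everything more severe, "none" excludes a facility) are assumed.

```python
"""Check /etc/syslog.conf selector/action lines against the device's log-host settings.

Added example for Examples 1 and 2 above; it is not code from the 3Com guide.
It applies the editing rules listed there and then checks whether the device's
facility and Table 361 severity would be accepted by a selector that writes to
the intended file. The config text is constructed; selector semantics assumed.
"""

# Standard syslog level keywords and their numeric severities (emerg is most severe).
LEVEL_CODE = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def device_syslog_severity(severity: int) -> int:
    """Map a Table 361 severity value (1..8) to the standard syslog severity (0..7),
    e.g. informational (7) -> info (6), matching 'priority = facility*8 + severity - 1'."""
    if not 1 <= severity <= 8:
        raise ValueError(f"severity must be 1..8, got {severity}")
    return severity - 1


def selector_accepts(selector: str, facility: str, syslog_severity: int) -> bool:
    """True if a selector such as 'local4.info' or '*.err;local7.none' accepts a
    message of the given facility at the given syslog severity. A level keyword
    names the least severe level still accepted; 'none' excludes the facility."""
    accepted = False
    for part in selector.split(";"):
        facilities, _, level = part.strip().rpartition(".")
        if facility not in facilities.split(",") and facilities != "*":
            continue
        if level == "none":
            accepted = False
        elif level == "*" or (level in LEVEL_CODE and syslog_severity <= LEVEL_CODE[level]):
            accepted = True
        elif level not in LEVEL_CODE:
            raise ValueError(f"unknown level in selector part {part!r}")
    return accepted


def check_syslog_conf(conf_text: str, facility: str, severity: int, logfile: str) -> dict:
    """Return {'problems': [...], 'matched': bool} for the given syslog.conf text.

    'matched' is True if some line writes messages from the device (facility plus
    Table 361 severity) to logfile; 'problems' lists violations of the editing rules.
    """
    problems, matched = [], False
    for n, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank, or a comment on its own line
        if "#" in line:
            problems.append(f"line {n}: comments must be on a separate line")
            line = line.split("#", 1)[0]
        if "\t" in line:
            fields = [f for f in line.split("\t") if f.strip()]
        else:
            problems.append(f"line {n}: selector and action must be separated by a tab, not spaces")
            fields = line.split(None, 1)
        if len(fields) != 2:
            problems.append(f"line {n}: expected one selector and one action")
            continue
        selector, action = fields[0].strip(), fields[1].strip()
        if " " in action:
            problems.append(f"line {n}: no spaces are allowed in the file name {action!r}")
            continue
        if action == logfile and selector_accepts(selector, facility, device_syslog_severity(severity)):
            matched = True
    return {"problems": problems, "matched": matched}


# Constructed samples: what Example 1 asks for, and three lines that break its rules.
GOOD_CONF = "# 3Com configuration messages\nlocal4.info\t/var/log/3Com/information\n"
BAD_CONF = (
    "local7.info /var/log/3Com/information\n"              # space instead of tab
    "local7.info\t/var/log/3Com/information # messages\n"  # comment not on its own line
    "local7.info\t/var/log/3Com/ information\n"            # space inside the file name
)

if __name__ == "__main__":
    print(check_syslog_conf(GOOD_CONF, "local4", 7, "/var/log/3Com/information"))
    print(check_syslog_conf(BAD_CONF, "local7", 7, "/var/log/3Com/information"))
```

Run check_syslog_conf with the facility and log level you configured on the switch (local4 and informational in Example 1, local7 and informational in Example 2); a result of matched False with no problems means the selector is well formed but silently discards the device's messages, which is the failure the notes above warn about.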
Configuration Example 3
Outputting Log Information to the Console
Network requirements
Log information with a severity higher than informational will be output to the console;
The source modules are ARP and CMD.
Network diagram
Figure 148 Network diagram for sending log information to the console
Configuration Procedure
1 Enable information center.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] info-center enable
%Information center is enabled
2 Specify the channel to output log information to the console (optional, console by
default).
[3Com] info-center console channel console
[Figure 148 content: PC connected to the console port of the Switch]
3 Disable the output of log, trap, and debug information of all modules to the console.
[3Com] info-center source default channel console debug state off log state off trap state off
CAUTION: As the default system configurations for different channels vary, ensure that
the output of log, trap, and debug information for the specified channel (console in this
example) of all modules is disabled before the system information can be output to meet
the current network requirements.
Use the display channel command to display the state of a channel.
4 Enable system information output for the ARP and CMD modules, with information
severity ranging from emergencies to informational.
[3Com] info-center source ARP channel console log level informational
[3Com] info-center source cmd channel console log level informational
[3Com] quit
5 Enable the display of log information on a monitor terminal.
<3Com> terminal monitor
%Current terminal monitor is on
<3Com> terminal logging
%Current terminal logging is on
56 NQA CONFIGURATION
When configuring Network Quality Analyzer (NQA), go to these sections for information
you are interested in:
NQA Overview
Configuring NQA Tests
Configuring Optional Parameters for NQA Tests
Displaying and Maintaining NQA
NQA Overview
This section covers these topics:
Introduction to NQA
NQA Server and NQA Client
NQA Test Operation
Introduction to NQA
Ping can use only the Internet control message protocol (ICMP) to test the reachability of
the destination host and the round-trip time of a packet to the destination. NQA is an
enhanced Ping tool for testing the performance of protocols running on networks.
Besides the Ping functions, NQA can provide the following functions:
Detecting the availability and the response time of DHCP, FTP, HTTP, and SNMP
services.
Testing the delay jitter of the network.
Verifying the availability of TCP, UDP, and DLSw packets.
Unlike Ping, NQA does not display the round-trip time or timeout of each packet on the
console terminal in real time; you must use the display nqa results command to
view NQA test results. In addition, NQA lets you set parameters for various tests and
start these tests through the network management system (NMS).
NQA Server and NQA Client
In most NQA test systems, you only need to configure an NQA client. However, when
you perform a TCP, UDP, or jitter test, you also need to configure an NQA server. Figure 149
shows the relationship between an NQA client and an NQA server.
Figure 149 Relationship between NQA client and NQA server
[Figure 149 content: Switch A (NQA client) and Switch B (NQA server) connected through an IP network]
The NQA server listens to test requests originated by the NQA client and makes a
response to these requests. The NQA server can respond to requests originated by the
NQA client only when the NQA server is enabled and the corresponding destination
address and port number are configured on the server. The IP address and port number
specified for a listening service on the server must be consistent with those on the client.
You can create multiple TCP or UDP listening services on the NQA server, with each
listening service corresponding to a specified destination address and port number.
NQA Test Operation
NQA can test multiple protocols. A test group must be created for each type of NQA test.
Each test group can be related to only one type of NQA test. Each test group has an
administrator name and an operation tag. The administrator name and the operation tag
uniquely identify a test group.
After you create a test group and enter test group view, you can configure related test
parameters. Test parameters vary with the test type. For details, see the configuration
procedure below.
For optional parameters common to different types of tests, refer to Configuring
Optional Parameters for NQA Tests.
To perform an NQA test successfully, proceed as follows:
1 Enable the NQA client.
2 Create a test group and configure test parameters according to the test type.
3 Perform the NQA test through the related enable command.
4 View the test results through the related display or debugging command.
After you enable the NQA client, you can create multiple test groups to perform tests. In
this way, you do not need to enable the NQA client repeatedly.
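A loopback model of the client/server relationship and the four-step test flow above, as an added illustration; it is not NQA's own protocol and not code from the 3Com guide. TcpListener stands in for a listening service on the NQA server, TcpTestGroup for a test group on the client (identified by its admin name and operation tag, with count and timeout parameters), and the one-byte echo probe, the result fields and all names are assumptions. Running the group against the listener's address and port answers every probe; running it after the listener is closed shows what a destination address or port that does not match the server's listening service looks like in the results.

```python
"""Loopback model of the NQA client/server relationship and test-group flow described above.

Added illustration, not NQA's own protocol or code from the 3Com guide. A
TcpListener stands in for a listening service on the NQA server (bound to a
configured address and port); TcpTestGroup stands in for a TCP test group on the
client. The one-byte echo probe and the result fields are assumptions.
"""
import socket
import threading
import time
from dataclasses import dataclass


class TcpListener:
    """A listening service: accepts connections and echoes the first byte back."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: the OS picks a free, non-well-known port
        self.sock.listen(16)
        self.host, self.port = self.sock.getsockname()
        self.sock.settimeout(0.2)             # lets the serving loop notice a stop request
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(1)
                    if data:
                        conn.sendall(data)
                except OSError:
                    pass

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


@dataclass
class TcpTestGroup:
    """Test group parameters: admin name + operation tag identify it; the destination
    must match the listening service's address and port or every probe fails."""
    admin_name: str
    operation_tag: str
    destination_ip: str
    destination_port: int
    count: int = 3          # number of probes, like the 'count' parameter
    timeout_s: float = 1.0  # per-probe timeout, like the 'timeout' parameter

    def run(self) -> dict:
        """Send count probes; a probe succeeds when the connection completes and the
        byte is echoed within timeout_s. Returns a summary, the analogue of what
        'display nqa results' would show."""
        rtts_ms = []
        for _ in range(self.count):
            start = time.perf_counter()
            try:
                with socket.create_connection(
                        (self.destination_ip, self.destination_port), timeout=self.timeout_s) as s:
                    s.sendall(b"\x01")
                    if s.recv(1) != b"\x01":
                        continue
            except OSError:            # refused, unreachable, or timed out
                continue
            rtts_ms.append((time.perf_counter() - start) * 1000.0)
        return {
            "test_group": f"{self.admin_name}/{self.operation_tag}",
            "sent": self.count,
            "received": len(rtts_ms),
            "lost": self.count - len(rtts_ms),
            "min_ms": min(rtts_ms) if rtts_ms else None,
            "max_ms": max(rtts_ms) if rtts_ms else None,
            "avg_ms": sum(rtts_ms) / len(rtts_ms) if rtts_ms else None,
        }


if __name__ == "__main__":
    server = TcpListener()                                   # the "NQA server" side
    group = TcpTestGroup("admin", "tcp", server.host, server.port, count=5)
    print(group.run())                                       # every probe answered
    server.close()
    print(TcpTestGroup("admin", "tcp", server.host, server.port, count=2, timeout_s=0.5).run())
```

The listener binds port 0 so the operating system hands out an unused port, which is the practical form of the advice below not to run jitter, UDP or TCP tests against a well-known port: a probe target that shares a port with a production service can fail the probe or disturb the service.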
Configuring NQA Tests
You need to configure the NQA server only for jitter, TCP-Private, TCP-Public,
UDP-Private, and UDP-Public tests.
Do not use a well-known port for an NQA jitter, UDP, or TCP test; otherwise, the NQA
probe may fail or the service paired with that port may become unavailable.
This section covers these topics:
Configuring the ICMP Test
Configuring the DHCP Test
Configuring the FTP Test
Configuring the HTTP Test
Configuring the Jitter Test
Configuring SNMP Query Test
Configuring the TCP Test
Configuring the UDP Test
Configuring the DLSw Test
Configuring the ICMP Test
The ICMP test is mainly used to test whether packets from an NQA client can reach a
specified destination and test the round-trip time of packets.
Configuration procedure
Follow these steps to configure the ICMP test:
Table 373 Configuring the ICMP Test
To do: Enter system view
  Use the command: system-view
To do: Enable the NQA client
  Use the command: nqa-agent enable
  Remarks: Required.
To do: Create an NQA test group and enter test group view
  Use the command: nqa admin-name operation-tag
To do: Set the test type to ICMP
  Use the command: test-type icmp
  Remarks: Optional. ICMP by default.
To do: Configure a destination address
  Use the command: destination-ip ip-address
  Remarks: Required. Equivalent to a destination address in the Ping command.
To do: Configure the size of test packets
  Use the command: datasize size
  Remarks: Optional. 56 bytes by default.
To do: Configure a string of fill characters of a test packet
  Use the command: datafill text
  Remarks: Optional. No string of fill characters by default.
To do: Configure the source interface of a test request packet
  Use the command: source-interface interface-type interface-number
  Remarks: Optional. If you want to send a test request packet from a specified outbound interface, you need to configure this interface. Otherwise, the outbound interface will be determined by routes. The interface in the command must be a VLAN interface. In addition, the interface must be up and directly connected with the destination. Otherwise, the test will fail.
To do: Configure common optional parameters
  Use the command: Refer to Configuring Optional Parameters for NQA Tests.
  Remarks: Optional.
To do: Enable the NQA test
  Use the command: test-enable
  Remarks: Required.
To do: View the test results
  Use the command: display nqa results [ admin-name operation-tag ]
  Remarks: Required. You can carry out the command in any view.
Configuration example
1 Network requirements
Use the NQA ICMP function to test whether packets from the NQA client (SwitchA) can
reach the specified destination (SwitchB) and test the round-trip time of packets.
SwitchA serves as the NQA client and the IP address is 10.1.1.1/16.
SwitchB serves as the object that is to be pinged from SwitchA and the IP address is
10.2.2.2/16.
2 Network diagram
Figure 150 Network diagram for the ICMP test
3 Configuration procedure
Perform the following configurations on SwitchA:
a Enable the NQA client, create an ICMP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin icmp
[3Com-nqa-admin-icmp] test-type icmp
[3Com-nqa-admin-icmp] destination-ip 10.2.2.2
b Configure optional parameters.
[3Com-nqa-admin-icmp] count 10
[3Com-nqa-admin-icmp] timeout 5
c Enable the ICMP test.
[3Com-nqa-admin-icmp] test-enable
d View the test results.
[3Com-nqa-admin-icmp] display nqa results admin icmp
Configuring the DHCP Test
The DHCP test is mainly used to test the existence of a DHCP server on the network as
well as the time necessary for the DHCP server to respond to a client request and assign
an IP address to the client.
Configuration prerequisites
The source interface specified in the source-interface command must be up, that is,
an IP address must be configured for the source interface. The IP address can be
configured manually or obtained dynamically.
Before the DHCP test, you need to perform some configurations on the DHCP server. For
example, you need to enable the DHCP service and configure an address pool. If the
NQA (DHCP) client and the DHCP server are in different network segments, you also
need to configure DHCP relay. For detailed configurations, refer to DHCP Operation.
[Figure 150 content: SwitchA (NQA client, 10.1.1.1/16) and SwitchB (10.2.2.2/16) connected through an IP network]
Configuration procedure
Follow these steps to configure the DHCP test:
Table 374 Configuring the DHCP Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to DHCP | test-type dhcp | Required
Configure the source interface of a test request packet | source-interface interface-type interface-number | Required. The interface in the command must be a VLAN interface.
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
Configuration example
1 Network requirements
Configure SwitchB as a DHCP server and use the NQA DHCP function to test the time
necessary for SwitchA to obtain an IP address from SwitchB.
2 Network diagram
Figure 151 Network diagram for the DHCP test
[Figure: SwitchA (NQA Client, vlan3, 10.1.1.1/16) connected through the IP Network to SwitchB (DHCP Server, 10.2.2.2/16)]
3 Configuration procedure
Perform the following configurations on SwitchA:
a Enable the NQA client, create a DHCP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin dhcp
[3Com-nqa-admin-dhcp] test-type dhcp
[3Com-nqa-admin-dhcp] source-interface Vlan-interface 3
b Enable the DHCP test.
[3Com-nqa-admin-dhcp] test-enable
c View the test results.
[3Com-nqa-admin-dhcp] display nqa results admin dhcp
542 CHAPTER 56: NQA CONFIGURATION
Configuring the FTP Test
The FTP test is mainly used to test the connection with a specified FTP server and the time
necessary for the FTP client to transfer a file to the FTP server.
Configuration prerequisites
Before the FTP test, you need to perform some configurations on the FTP server. For
example, you need to configure the username and password used to log in to the FTP
server. For the FTP server configurations.
Configuration procedure
Follow these steps to configure the FTP test:
Transfer a small file for the FTP test. If the file is too large, the test may fail because of a
time-out.
When you perform a put operation, a file named file-name with a fixed size and contents
will be created on the FTP server, but the uploaded file will not be saved.
When you perform a get operation, the file obtained from the FTP server will not be saved
on the device, either. If there is no file named file-name on the FTP server, the FTP test
will fail.
Table 375 Configuring the FTP Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to FTP | test-type ftp | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the Ping command. Here it is the IP address of the FTP server.
Configure the source IP address of a test request packet | source-ip ip-address | Required. The source IP address must be that of an interface on the device and the interface must be up. Otherwise, the test will fail.
Configure the operation type | ftp-operation { get | put } | Optional. get by default
Configure a login username | username name | Required
Configure a login password | password password | Required
Specify a file to be transferred between the FTP server and the FTP client | filename file-name | Required
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
Configuration example
1 Network requirements
Use the NQA FTP function to test the connection with a specified FTP server and the time
necessary for the FTP client to upload a file to the FTP server. The login username is
admin, the login password is nqa, and the file to be transferred to the FTP server is
config.txt.
2 Network diagram
Figure 152 Network diagram for the FTP test
[Figure: SwitchA (NQA Client, 10.1.1.1/16) connected through the IP Network to SwitchB (FTP Server, 10.2.2.2/16)]
3 Configuration procedure
Perform the following configurations on SwitchA:
a Enable the NQA client, create an FTP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin ftp
[3Com-nqa-admin-ftp] test-type ftp
[3Com-nqa-admin-ftp] destination-ip 10.2.2.2
[3Com-nqa-admin-ftp] source-ip 10.1.1.1
[3Com-nqa-admin-ftp] ftp-operation put
[3Com-nqa-admin-ftp] username admin
[3Com-nqa-admin-ftp] password nqa
[3Com-nqa-admin-ftp] filename config.txt
b Enable the FTP test.
[3Com-nqa-admin-ftp] test-enable
c View the test results.
[3Com-nqa-admin-ftp] display nqa results admin ftp
Configuring the HTTP Test
The HTTP test is mainly used to test the connection with a specified HTTP server and the
time required to obtain data from the HTTP server.
Configuration procedure
Follow these steps to configure the HTTP test:
Table 376 Configuring the HTTP Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to HTTP | test-type http | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the Ping command. Here it is the IP address of the HTTP server.
Configure the HTTP operation type | http-operation { get | post } | Optional. get by default
Configure an HTTP operation string | http-string string version | Required
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
Configuration example
1 Network requirements
Use the NQA HTTP function to test the connection with a specified HTTP server and the
time required to obtain data from the HTTP server.
2 Network diagram
Figure 153 Network diagram for the HTTP test
[Figure: SwitchA (NQA Client, 10.1.1.1/16) connected through the IP Network to SwitchB (HTTP Server, 10.2.2.2/16)]
3 Configuration procedure
Perform the following configurations on SwitchA:
a Enable the NQA client, create an HTTP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin http
[3Com-nqa-admin-http] test-type http
[3Com-nqa-admin-http] destination-ip 10.2.2.2
[3Com-nqa-admin-http] http-operation get
[3Com-nqa-admin-http] http-string /index.htm HTTP/1.0
b Enable the HTTP test.
[3Com-nqa-admin-http] test-enable
c View the test results.
[3Com-nqa-admin-http] display nqa results admin http
Configuring the Jitter Test
It is recommended that you do not use a well-known port for the NQA jitter test. Otherwise,
the NQA probe may fail or the service paired with the well-known port may become
unavailable.
The jitter test is used to collect statistics on the delay jitter of UDP packet transmission.
Delay jitter refers to the difference between the interval at which two consecutive packets
are received and the interval at which these two packets were sent. During the test, the
source port sends data packets to the destination port at regular intervals. The destination
port affixes a time stamp to each packet that it receives and then sends it back to the
source port. After the source port receives the data packet, the delay jitter can be
calculated.
To improve the accuracy of the statistics, you must send multiple test packets when you
perform a test. The more test packets are sent, the more accurate the statistics are.
However, it takes longer to complete the test. You can speed up a jitter test by reducing
the interval between test packets, but doing so increases the load on the network.
The error in the statistics of a jitter test is large because there is a delay in both sending
and receiving data packets.
A jitter test requires cooperation between the NQA server and the NQA client. You must
configure the UDP listening function on the NQA server, and a destination address and a
destination port on the NQA client, and ensure that the destination address and
destination port on the NQA client are respectively the listening IP address and port on
the NQA server.
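The jitter calculation described above, worked through as an added example (this is not 3Com code): each probe records its send time, the destination's time stamp and the echo's arrival time, and the jitter of a pair of consecutive probes is the receive interval minus the send interval. The split into the two directions and all timestamps are this example's own constructed assumptions.

```python
"""Delay-jitter calculation modelled on the NQA jitter test described above.

Added example, not 3Com code. It reproduces the exchange the text describes:
the source sends UDP probe packets at a fixed interval, the destination stamps
each packet and echoes it, and the source compares the interval between two
consecutive receptions with the interval between the corresponding sends.
Splitting the jitter into source-to-destination and destination-to-source
parts using the destination's stamp is this example's design; the page does
not say how the stamp is used. All timestamps are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Probe:
    seq: int
    sent_ms: float                  # source clock: probe transmitted
    dst_stamp_ms: Optional[float]   # destination clock: probe received there
    returned_ms: Optional[float]    # source clock: echo received (None = lost)


def jitter_pairs(probes: List[Probe]) -> List[Dict[str, float]]:
    """For each pair of consecutive echoed probes, return the jitter as
    (interval between receptions) - (interval between sends), per direction.
    Only intervals are compared, so a constant offset between the two clocks
    cancels out. A lost probe breaks the chain: no pair includes it."""
    pairs: List[Dict[str, float]] = []
    prev: Optional[Probe] = None
    for p in sorted(probes, key=lambda x: x.seq):
        if p.returned_ms is None or p.dst_stamp_ms is None:
            prev = None            # gap in the sequence, restart pairing
            continue
        if prev is not None and p.seq == prev.seq + 1:
            send_gap = p.sent_ms - prev.sent_ms
            dst_gap = p.dst_stamp_ms - prev.dst_stamp_ms
            ret_gap = p.returned_ms - prev.returned_ms
            pairs.append({
                "seq": p.seq,
                "sd_jitter_ms": dst_gap - send_gap,   # source -> destination
                "ds_jitter_ms": ret_gap - dst_gap,    # destination -> source
                "rt_jitter_ms": ret_gap - send_gap,   # round trip, as seen at the source
            })
        prev = p
    return pairs


def jitter_summary(probes: List[Probe]) -> Dict[str, float]:
    """Statistics of the kind a jitter test reports: loss, average round-trip
    time, and the largest positive and negative jitter in each direction."""
    pairs = jitter_pairs(probes)
    echoed = [p for p in probes if p.returned_ms is not None]
    rtts = [p.returned_ms - p.sent_ms for p in echoed]

    def extreme(key: str, sign: int) -> float:
        # sign=+1: largest positive value; sign=-1: most negative value
        vals = [sign * x[key] for x in pairs if sign * x[key] > 0]
        return sign * max(vals) if vals else 0.0

    return {
        "sent": len(probes),
        "received": len(echoed),
        "lost": len(probes) - len(echoed),
        "pairs": len(pairs),
        "avg_rtt_ms": sum(rtts) / len(rtts) if rtts else 0.0,
        "max_pos_sd_jitter_ms": extreme("sd_jitter_ms", 1),
        "max_neg_sd_jitter_ms": extreme("sd_jitter_ms", -1),
        "max_pos_ds_jitter_ms": extreme("ds_jitter_ms", 1),
        "max_neg_ds_jitter_ms": extreme("ds_jitter_ms", -1),
    }


def sample_probes() -> List[Probe]:
    """Constructed data: 10 probes (the jitter-packetnum default) sent 20 ms
    apart (the jitter-interval default). The destination clock runs 1000 ms
    ahead of the source clock; probe 7 gets no echo before the timeout."""
    one_way = {  # seq: (source->destination delay, destination->source delay)
        1: (5, 5), 2: (5, 5), 3: (8, 5), 4: (5, 9), 5: (5, 5),
        6: (5, 5), 7: None, 8: (5, 5), 9: (6, 5), 10: (5, 5),
    }
    probes = []
    for seq in range(1, 11):
        sent = 20.0 * (seq - 1)
        delays = one_way[seq]
        if delays is None:
            probes.append(Probe(seq, sent, None, None))
        else:
            probes.append(Probe(seq, sent, sent + 1000.0 + delays[0],
                                sent + delays[0] + delays[1]))
    return probes


if __name__ == "__main__":
    for k, v in jitter_summary(sample_probes()).items():
        print(f"{k}: {v}")
```

With the sample data the lost probe removes two of the nine possible pairs, which is why more probes per test (jitter-packetnum) give the steadier statistics the text describes.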
Configuration procedure
1 Configure the NQA server.
Follow these steps to configure the NQA server for a jitter test:
Table 377 Configuring the Jitter Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA server | nqa-server enable | Required. Disabled by default
Configure the UDP listening function on the NQA server | nqa-server udpecho ip-address port-number | Required. The listening IP address and port number must be the same as the destination IP address and port on the NQA client.
2 Configure the NQA client.
Follow these steps to configure the NQA client for a jitter test:
Table 378 Configure the NQA Client
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to jitter | test-type jitter | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the Ping command. The destination address is the listening IP address on the NQA server.
Configure a destination port | destination-port port-number | Required. The destination port is the listening port on the NQA server.
Configure the number of jitter test packets sent in a probe | jitter-packetnum number | Optional. 10 by default.
Configure the interval of sending jitter test packets | jitter-interval interval | Optional. 20 ms by default.
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
View the recorded delay jitter of UDP packet transmission in the last NQA jitter test | display nqa jitter [ admin-name operation-tag ] | Optional. You can carry out the command in any view. The information displayed by the display nqa results command contains all information displayed by the display nqa jitter command.
The number of probes made in a jitter test depends on the count command, while the
number of test packets sent in each probe depends on the jitter-packetnum
command.
Configuration example
1 Network requirements
Use the NQA jitter function to test the delay jitter of packet transmission between the
local port (SwitchA) and the specified destination port (SwitchB).
2 Network diagram
Figure 154 Network diagram for the jitter test
[Figure: SwitchA (NQA Client, 10.1.1.1/16) connected through the IP Network to SwitchB (NQA Server, 10.2.2.2/16)]
3 Configuration procedure
Configure SwitchB.
a Enable the NQA server and configure the listening IP address and port number.
<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server udpecho 10.2.2.2 9000
Configure SwitchA.
b Enable the NQA client, create a jitter test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin jitter
[3Com-nqa-admin-jitter] test-type jitter
[3Com-nqa-admin-jitter] destination-ip 10.2.2.2
[3Com-nqa-admin-jitter] destination-port 9000
c Enable the jitter test.
[3Com-nqa-admin-jitter] test-enable
d View the test results.
[3Com-nqa-admin-jitter] display nqa results admin jitter
[3Com-nqa-admin-jitter] display nqa jitter admin jitter
Configuring SNMP Query Test
The SNMP query test is mainly used to test the time the NQA client takes to send an
SNMP query packet to the SNMP agent and then receive a response packet.
Configuration prerequisites
The SNMP agent function must be enabled on the device serving as an SNMP agent.
Configuration procedure
Follow these steps to configure the SNMP query test:
Table 379 Configuring SNMP Query Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to SNMP query | test-type snmpquery | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the Ping command.
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
Configuration example
1 Network requirements
Use the NQA SNMP query function to test the time it takes SwitchA to send an SNMP
query packet to SwitchB and receive a response packet.
2 Network diagram
Figure 155 Network diagram for the SNMP query test
[Figure: SwitchA (NQA Client, 10.1.1.1/16) connected through the IP Network to SwitchB (SNMP Agent, 10.2.2.2/16)]
3 Configuration procedure
Perform the following configurations on SwitchB, which serves as the SNMP agent.
a Enable the SNMP agent service and set the SNMP version to V2C, the read community
to public, and the write community to private.
<3Com> system-view
[3Com] snmp-agent sys-info version v2c
[3Com] snmp-agent community read public
[3Com] snmp-agent community write private
SNMP must be enabled on the device specified by the destination address.
Otherwise, no response packet will be received.
In this example, the configuration is based on SNMP V2C. If another SNMP version is
enabled, the configuration may be different. For details, refer to SNMP & RMON
Operation.
Perform the following configurations on SwitchA:
b Enable the NQA client, create an SNMP query test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin snmp
[3Com-nqa-admin-snmp] test-type snmpquery
[3Com-nqa-admin-snmp] destination-ip 10.2.2.2
c Enable the SNMP query test.
[3Com-nqa-admin-snmp] test-enable
d View the test results.
[3Com] display nqa results admin snmp
Configuring the TCP Test
It is recommended that you do not use a well-known port for the NQA TCP test. Otherwise,
the NQA probe may fail or the service paired with the well-known port may become
unavailable.
The TCP test is mainly used to test the TCP connection between the client and the
specified server and the setup time for the connection.
The TCP test includes the TCP-Public test and the TCP-Private test. The differences
between the two are as follows:
For the TCP-Public test, a connection setup request is always initiated to TCP port 7 of
the destination address. No destination port needs to be configured on the client, but
TCP port 7 must be configured for listening on the server. Even if a port is configured
on the client, the port does not take effect.
For the TCP-Private test, a connection setup request is initiated to the specified port of
the destination address.
Configuration procedure
1 Configure the NQA server.
Follow these steps to configure the NQA server for the TCP test:
Table 380 Configuring the TCP Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA server | nqa-server enable | Required. Disabled by default
Configure the TCP listening function on the NQA server | nqa-server tcpconnect ip-address port-number | Required. The listening IP address and port number must be the same as the destination IP address and port on the NQA client. If the test type is TCP-Public, the port number must be set to 7.
2 Configure the NQA client.
Follow these steps to configure the NQA client for the TCP test:
Table 381 Configure the NQA Client
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to TCP | test-type { tcpprivate | tcppublic } | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the Ping command. The destination address must be the same as the listening IP address on the NQA server.
Configure a destination port | destination-port port-number | If the test type is TCP-Public, no port needs to be configured. If the test type is TCP-Private, a port must be configured and it must be the same as the listening port configured on the NQA server.
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
Configuration example
1 Network requirements
Use the NQA TCP-Private function to test the setup time for the TCP connection between
the local port (SwitchA) and the specified destination port (SwitchB). The port number
used is 9000.
2 Network diagram
Figure 156 Network diagram for the TCP-Private test
[Figure: SwitchA (NQA Client, 10.1.1.1/16) connected through the IP Network to SwitchB (NQA Server, 10.2.2.2/16)]
3 Configuration procedure
Configure SwitchB.
a Enable the NQA server and configure the listening IP address and port number.
<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server tcpconnect 10.2.2.2 9000
Configure SwitchA.
b Enable the NQA client, create a TCP test group, and configure related test parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin tcpprivate
[3Com-nqa-admin-tcpprivate] test-type tcpprivate
[3Com-nqa-admin-tcpprivate] destination-ip 10.2.2.2
[3Com-nqa-admin-tcpprivate] destination-port 9000
c Enable the TCP test.
[3Com-nqa-admin-tcpprivate] test-enable
d View the test results.
[3Com] display nqa results admin tcpprivate
Configuring the UDP Test
It is recommended that you do not use a well-known port for the NQA UDP test. Otherwise,
the NQA probe may fail or the service paired with the well-known port may become
unavailable.
The UDP test is mainly used to test the round-trip time of a UDP packet from the client to
the specified server.
The UDP test includes the UDP-Public test and the UDP-Private test. The differences
between the two are as follows:
For the UDP-Public test, a connection setup request is always initiated to UDP port 7 of
the destination address. No port needs to be configured on the client, but port 7 must
be configured for listening on the server. Even if a port is configured on the client, the
port does not take effect.
For the UDP-Private test, a connection setup request is initiated to the specified port
of the destination address.
Configuration procedure
1 Configure the NQA server.
Follow these steps to configure the NQA server for the UDP test:
Table 382 Configuring the UDP Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA server | nqa-server enable | Required. Disabled by default
Configure the UDP listening function on the NQA server | nqa-server udpecho ip-address port-number | Required. The listening IP address and port number must be the same as the destination IP address and port on the NQA client. If the test type is UDP-Public, the port number must be set to 7.
2 Configure the NQA client.
Follow these steps to configure the NQA client for the UDP test:
Table 383 Configure the NQA Client
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to UDP | test-type { udpprivate | udppublic } | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the Ping command. The destination address must be the listening IP address configured on the NQA server.
Configure a destination port | destination-port port-number | If the test type is UDP-Public, no port needs to be configured. If the test type is UDP-Private, a port must be configured and it must be the listening port configured on the NQA server.
Configure the size of test packets | datasize size | Optional. 100 bytes by default.
Configure a string of fill characters of a test packet | datafill text | Optional. No string of fill characters by default.
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
Configuration example
1 Network requirements
Use the NQA UDP-Private function to test the setup time for the UDP connection
between the local port (SwitchA) and the specified destination port (SwitchB). The port
number used is 8000.
2 Network diagram
Figure 157 Network diagram for the UDP-Private test
[Figure: SwitchA (NQA Client, 10.1.1.1/16) connected through the IP Network to SwitchB (NQA Server, 10.2.2.2/16)]
3 Configuration procedure
Configure SwitchB.
a Enable the NQA server and configure the listening IP address and port number.
<3Com> system-view
[3Com] nqa-server enable
[3Com] nqa-server udpecho 10.2.2.2 8000
Configure SwitchA.
b Enable the NQA client, create a UDP test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin udpprivate
[3Com-nqa-admin-udpprivate] test-type udpprivate
[3Com-nqa-admin-udpprivate] destination-ip 10.2.2.2
[3Com-nqa-admin-udpprivate] destination-port 8000
c Enable the UDP test.
[3Com-nqa-admin-udpprivate] test-enable
d View the test results.
[3Com] display nqa results admin udpprivate
Configuring the DLSw Test
The DLSw test is mainly used to test the response time of the DLSw device.
Configuration prerequisites
Before the DLSw test, it must be possible to set up a TCP connection between the NQA
client and the specified device, and the DLSw function must be enabled on the specified
device.
Configuration procedure
Follow these steps to configure the DLSw test:
Table 384 Configuring the DLSw Test
To... | Use the command... | Remarks
Enter system view | system-view |
Enable the NQA client | nqa-agent enable | Required
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Set the test type to DLSw | test-type dlsw | Required
Configure a destination address | destination-ip ip-address | Required. Equivalent to a destination address in the Ping command.
Configure common optional parameters | Refer to Configuring Optional Parameters for NQA Tests | Optional
Enable the NQA test | test-enable | Required
View the test results | display nqa results [ admin-name operation-tag ] | Required. You can carry out the command in any view.
Configuring Optional Parameters for NQA Tests 555
Configuration example
1 Network requirements
Use the NQA DLSw function to test the response time of the DLSw device.
2 Network diagram
Figure 158 Network diagram for the DLSw test
[Figure: SwitchA (NQA Client, 10.1.1.1/16) connected through the IP Network to SwitchB (DLSw, 10.2.2.2/16)]
3 Configuration procedure
a Enable the NQA client, create a DLSw test group, and configure related test
parameters.
<3Com> system-view
[3Com] nqa-agent enable
[3Com] nqa admin dlsw
[3Com-nqa-admin-dlsw] test-type dlsw
[3Com-nqa-admin-dlsw] destination-ip 10.2.2.2
b Enable the DLSw test.
[3Com-nqa-admin-dlsw] test-enable
c View the test results.
[3Com-nqa-admin-dlsw] display nqa results admin dlsw
Configuring Optional Parameters for NQA Tests
Unless otherwise specified, the following parameters are applicable to all test types and
can be configured according to the actual conditions. Optional parameters common to
NQA are valid for all NQA tests, while those common to an NQA test group are valid
only for tests in that test group.
This section covers these topics:
Configuring Optional Parameters Common to NQA
Configuring Optional Parameters Common to an NQA Test Group
Configuring Trap
Configuring Optional Parameters Common to NQA
Follow these steps to configure optional parameters common to NQA:
Table 385 Configuring Optional Parameters Common to NQA
To... | Use the command... | Remarks
Enter system view | system-view |
Configure the maximum number of tests that the NQA client can simultaneously perform | nqa-agent max-requests number | Optional. 5 by default
Configuring Optional Parameters Common to an NQA Test Group
Follow these steps to configure the optional parameters common to an NQA test group:
Table 386 Configuring Optional Parameters Common to an NQA Test Group
To... | Use the command... | Remarks
Enter system view | system-view |
Enter NQA test group view | nqa admin-name operation-tag | Required
Configure a descriptive string for a test group | description text | Optional. No descriptive string by default.
Configure the interval of performing a cyclic test | frequency interval | Optional. 0 seconds by default. That is, the test isn't cycled. This command is invalid for the DHCP test.
Configure the number of probes in a test | count times | Optional. 1 by default. For the TCP test, a probe means a connection. For the jitter test, the number of test packets sent in a probe is determined by the jitter-packetnum command. For the SNMP query test, three test packets are sent in a probe. For the other tests, one test packet is sent in a probe.
Configure the NQA probe time-out time | timeout time | Optional. 3 seconds by default. If no response packet is received within the time-out time of a request packet, the probe fails.
Configure the maximum number of history records that can be saved in a test group | history-records number | Optional. 50 by default. If the number of history records exceeds this value, the earliest test results are discarded.
Configure the maximum number of hops a test request packet traverses in the network | ttl number | Optional. 20 by default. This command is invalid for the DHCP test.
Configure the type of service, namely, the ToS field in an IP packet header | tos value | Optional. 0 by default. This command is invalid for the DHCP test.
Configure the source IP address of a test request packet | source-ip ip-address | This command is required for the FTP test but optional for the other tests. You can specify an IP address as the source IP address of a test request packet. Otherwise, the IP address closest to the destination address serves as the source IP address of the test request packet. The source IP address in the command must be the IP address of an interface on the device and the interface must be up. Otherwise, the test will fail. This command is invalid for the DHCP test.
Configure the source port of a test request packet | source-port port-number | Optional. You can specify a port as the source port of a test request packet. Otherwise, the system automatically assigns a port to serve as the source port of the test request packet. This command is invalid for the ICMP, DHCP, TCP-Public, TCP-Private, DLSw, FTP, and HTTP tests.
Enable the routing table bypass function | sendpacket passroute | Optional. Disabled by default. If you want to test the connectivity between the local address and the destination address, you can enable this function. After this function is enabled, the routing table will not be searched, and the packet is sent directly to the destination in the directly connected network. If the destination is not in the directly connected network, an error will be prompted. This command is invalid for the DHCP test.
Configuring Trap Delivery
A trap message is generated no matter whether an NQA test succeeds or fails. You can set a switch to control the delivery of the trap message to the network management server.
Follow these steps to configure trap delivery:
Table 387 Configuring Trap Delivery
To... | Use the command... | Remarks
Enter system view | system-view | -
Create an NQA test group and enter test group view | nqa admin-name operation-tag | Required
Enable trap debugging to send a trap message to the network management server | send-trap { all | { probefailure | testcomplete | testfailure }* } | Optional. No trap message is sent to the network management server by default.
Configure the minimum number of probe failures in an NQA test before a test failure trap message is sent | test-failtimes times | Optional. 1 by default.
Configure the number of consecutive probe failures in an NQA test before a trap message is sent to indicate a probe failure | probe-failtimes times | Optional. 1 by default.
Displaying and Maintaining NQA
Table 388 Displaying and Maintaining NQA
To do | Use the command | Remarks
Display history information of tests | display nqa history [ admin-name operation-tag ] | Available in any view
Display the results of the last NQA jitter test | display nqa jitter [ admin-name operation-tag ] | Available in any view
Display the results of the last test | display nqa results [ admin-name operation-tag ] | Available in any view
57 SSH TERMINAL SERVICE
When configuring SSH, go to these sections for information you are interested in:
SSH Overview
Configuring the SSH Server
Configuring the SSH Client
Configuring the Device as an SSH Client
Displaying and Maintaining the SSH Protocol
SSH Configuration Example
SSH Client Configuration Example
SSH Overview
Secure shell (SSH) offers an approach to securely logging in to a remote device. It can protect devices against attacks such as IP spoofing and plain text password interception.
In a typical SSH scenario, a device running SSH server software works as an SSH server and accepts connections from SSH clients, which run SSH client software. The connections are called SSH connections and can be established either on the local network or over WANs, as shown in Figure 159 and Figure 160.
Figure 159 SSH channel on the local network
[Figure: an SSH server and SSH clients (a server, a workstation and a laptop) connected to the same Ethernet.]
560 CHAPTER 57: SSH TERMINAL SERVICE
Figure 160 SSH channel over a WAN
[Figure: SSH clients (a server, a workstation and a laptop) on a local Ethernet reach an SSH server on a remote Ethernet through a local router, a WAN and a remote router.]
At the beginning, the server opens port 22 to wait for connection requests from clients,
while the client sends a TCP connection request to the server and interacts with the
server to establish a TCP connection. Then, the server and the client go through the
following five phases to establish an SSH connection:
1 Version number negotiation
If the server and the client agree on a version, they continue with the key algorithm negotiation phase. Otherwise, the server tears down the TCP connection.
2 Key algorithm negotiation
The server and the client send key algorithm negotiation packets to each other, which
include the supported server-side public key algorithm list, encryption algorithm list,
MAC algorithm list, and compression algorithm list.
Based on the received algorithm negotiation packets, the server and the client figure
out the algorithms to be used. For information about the algorithms, refer to the SSH
draft.
The server and the client use the DH key exchange algorithm to generate the session
key.
Through the above steps, the server and the client get the same session key, which is to
be used to encrypt and decrypt data exchanged between the server and the client later.
3 Authentication method negotiation
The client sends to the server an authentication request, which includes the username
and authentication method.
If the server is configured not to perform authentication of the client, the server and
the client enter the session request phase. Otherwise, the server initiates a process to
authenticate the client.
The server authenticates the client until the client passes authentication or gets
disconnected due to timeout.
SSH provides two authentication methods: password authentication and RSA authentication.
For password authentication:
The client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server.
Upon receiving the request, the server decrypts the username and password, compares them against those it maintains, and then informs the client of the authentication result.
For RSA authentication:
The client sends an RSA authentication request and its own public key modulus to the server. The server then checks the validity of the received information. If the information is not valid, the server sends a failure message to the client. Otherwise, a 32-byte random number is generated, and an MP (multiple precision) integer is derived from the number in MSB (most significant bit) first order. The server encrypts the integer with the public key of the client and sends a challenge to the client. When the client receives the challenge message, it decrypts it to obtain the MP integer. The client uses the integer and the session ID to generate an MD5 value, then encrypts the 16-byte MD5 value and sends it to the server. (The session ID is generated in the key algorithm negotiation phase: session ID = MD5 (host public key modulus || server public key modulus || 8-byte cookie), where || denotes concatenation.) After the server receives the message, it decrypts the message to get the MD5 value and compares it with the MD5 value it calculated itself. If the two MD5 values are the same, the authentication succeeds and the server sends a success message; otherwise it sends a failure message.
Besides password authentication and RSA authentication, SSH2.0 provides another two authentication methods:
password-publickey: Performs both password authentication and RSA authentication of the client. A client running SSH1 client software only needs to pass either of the two, while a client running SSH2 client software must pass both of them to log in.
all: Performs either password authentication or RSA authentication. The client tries RSA authentication first.
4 Session request
After passing authentication, the client sends a session request to the server, while the
server listens to and processes the request from the client and sends back to the client
the result, which can be an SSH_SMSG_SUCCESS packet for successful processing or an
SSH_SMSG_FAILURE packet if the processing fails or it cannot resolve the request. In the
former case, the server and the client enter the interactive session phase.
5 Interactive session
The server and the client exchange data in this way:
The client encrypts the command to be executed and sends it to the server.
The server decrypts and executes the command, and then encrypts and sends the result to the client.
The client decrypts the result and displays it on the terminal.
During the interactive session phase, a client user can issue the commands to be executed by pasting command text on the client. Note that the text must be no more than 2,000 bytes in length and the commands pasted should be in the same view; otherwise, the server may be unable to execute the commands correctly.
If the text to be pasted is more than 2,000 bytes in length, the user can put it in a configuration file, upload the configuration file to the server, and then reboot the server with this new configuration file.
Configuring the SSH Server
Enabling SSH Server
Follow these steps to enable SSH server:
Table 389 Enabling SSH Server
To do | Use the command | Remarks
Enter system view | system-view | -
Enable SSH server | ssh server enable | Required. Disabled by default.
Configuring the Protocols for the Current User Interface to Support
After enabling SSH server, you must configure the device to support the remote SSH login protocol. By default, the device supports Telnet and SSH. Note that the configuration takes effect at next login.
Follow these steps to configure the protocols for the current user interface to support:
Table 390 Configuring the Protocols for the Current User Interface to Support
To do | Use the command | Remarks
Enter system view | system-view | -
Enter single-user interface view or multi-user interface view | user-interface [ type-keyword ] number [ ending-number ] | Required
Set the login authentication method | authentication-mode scheme [ command-authorization ] | Required
Specify the protocols for the user interfaces to support | protocol inbound { all | ssh | telnet } | Optional. Both are supported by default.
CAUTION:
If you configure a user interface to support SSH, be sure to configure the authentication-mode scheme command.
For a user interface configured to support SSH, you cannot configure the authentication-mode password or authentication-mode none command.
Creating/Destroying/Exporting RSA Keys
Creating RSA keys
The length of a server/host key must be in the range 512 to 2048 bits. After you enter the rsa local-key-pair create command, the system prompts you to enter the length of the key:
In SSH1.x, the length of a key ranges from 512 to 2048 bits.
In SSH2.0, the length of a key ranges from 512 to 2048 bits. However, some clients require that the keys generated by the server be at least 768 bits.
Follow these steps to create the host key pair and server key pair:
Table 391 Creating RSA Keys
To do | Use the command | Remarks
Enter system view | system-view | -
Create the RSA host key pair and server key pair | rsa local-key-pair create | Required
CAUTION: For a successful SSH login, you must generate the host key pair and server key pair first.
Destroying RSA keys
Follow these steps to destroy the host key pair and server key pair:
Table 392 Destroying RSA Keys
To do | Use the command | Remarks
Enter system view | system-view | -
Destroy the RSA host key pair and server key pair | rsa local-key-pair destroy | Required
Displaying/exporting the public host key
Once created, the public host key can be displayed on the screen or exported to a specified file.
Follow these steps to export the host key pair:
Table 393 Exporting RSA Keys
To do | Use the command | Remarks
Display the RSA host public key on the screen or export it to a specified file | rsa local-key-pair export { ssh1 | ssh2 | openssh } [ filename ] | Required. You can configure the command in any view.
CAUTION:
For successful SSH login, you must create the RSA key pairs first.
The configuration of the rsa local-key-pair create command can survive a reboot. You only need to configure it once.
If the key pair already exists, the system will ask you whether you want to overwrite it.
When exporting the RSA host public key, you can choose to display it on the screen or export it to a specified file.
Configuring the Authentication Method for an SSH User
You must specify the authentication method for SSH users; otherwise, the users cannot log in. The configured authentication method takes effect when the user logs in next time.
Follow these steps to configure the authentication method for an SSH user:
Table 394 Configuring the Authentication Method for an SSH User
To do | Use the command | Remarks
Enter system view | system-view | -
Specify the authentication method for an SSH user | ssh user username authentication-type { password | rsa | password-publickey | all } | Required. RSA authentication by default.
CAUTION: For a user using RSA authentication, you must configure the username and public keys on the device. For a user using password authentication, you can configure the accounting information on the device or on a remote authentication server.
Specifying the Service Type of an SSH User
Follow these steps to specify the service type of an SSH user:
Table 395 Specifying the Service Type of an SSH User
To do | Use the command | Remarks
Enter system view | system-view | -
Specify the service types of an SSH user | ssh user username service-type { stelnet | sftp | all } | Optional. stelnet by default.
CAUTION: The service type of an SSH user can only be set to stelnet if the user does not need SFTP service.
Setting the SSH Management Parameters
Setting the server key pair update interval can help secure your SSH connections.
Setting the SSH user authentication timeout period.
Setting the maximum number of SSH authentication attempts can assist in avoiding malicious connection requests.
Follow these steps to set the SSH management parameters:
Table 396 Setting the SSH Management Parameters
To do | Use the command | Remarks
Enter system view | system-view | -
Enable the SSH server to work with SSH1.x clients | ssh server compatible-ssh1x enable | Optional. By default, the SSH server can work with SSH1.x clients.
Set the server key pair update interval | ssh server rekey-interval hours | Optional. By default, the server key pair is not updated.
Set the SSH user authentication timeout period | ssh server authentication-timeout time-out-value | Optional. 60 seconds by default.
Set the maximum number of SSH authentication attempts | ssh server authentication-retries times | Optional. 3 by default.
Configuring the RSA Public Key for a User
These configurations are required for an SSH user using RSA authentication. For an SSH user using password authentication, they are not required.
This configuration task is for configuring the RSA public key of a client with an SSH user. The RSA private key for the SSH user must be configured on the client. The client key pair is generated randomly by the SSH2.0 client software.
You can also import an RSA public key from a public key file. When you import a public key, the system automatically converts the public key in SSH1, SSH2, or OpenSSH format to a string coded using the PKCS standard. Before importing the public key, you must upload the public key file to the server through FTP or TFTP.
You can use either of the following two ways to configure the RSA public key of an SSH user.
You configure any of these three commands to create an SSH user: ssh user assign rsa-key, ssh user authentication-type, and ssh user service-type. Up to 20 SSH users can be created. By default, the authentication method for an SSH user is RSA and the service type is stelnet.
With no SSH users created, when a client logs in, the system performs password authentication and only the service type of stelnet is supported.
Configuring the RSA public key manually
Follow these steps to configure the RSA public key manually:
Table 397 Configuring the RSA Public Key Manually
To do | Use the command | Remarks
Enter system view | system-view | -
Enter public key view | rsa peer-public-key keyname | Required
Enter public key code view | public-key-code begin | -
Configure the RSA public key | Enter the contents of the RSA public key | Spaces and carriage returns are allowed between the PKCS-coded characters that comprise the key.
Return from public key code view to public key view | public-key-code end | When you exit public key code view, the system automatically saves the public key.
Return from public key view to system view | peer-public-key end | -
Assign a public key to a user | ssh user username assign rsa-key keyname | Required. The public key must exist. If the user already has a public key, the new public key overwrites the old one.
Importing the RSA public key from a public key file
Follow these steps to import the RSA public key from a public key file:
Table 398 Importing the RSA Public Key from a Public Key File
To do | Use the command | Remarks
Enter system view | system-view | -
Import the RSA public key from a public key file | rsa peer-public-key keyname import sshkey filename | Required
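The PKCS-coded string that public key code view accepts is a DER-encoded RSAPublicKey, a SEQUENCE holding the modulus and the public exponent as INTEGERs. The Python below is an added example, not part of the guide or of the switch software: it parses the Switch001 key shown in the SSH Configuration Example later in this chapter, reports the modulus length, and checks it against the key-size limits the guide gives before the key is assigned to a user. The DER walk, the encoder and the checks are this example's own helpers.

```python
"""Parse and check the PKCS-coded RSA public key string used in public key code
view. Added example: the DER walk, encoder and checks are this example's own,
not the switch software. The key below is the Switch001 key from the SSH
Configuration Example in this chapter, copied as it appears there."""

SWITCH001_KEY_HEX = (
    "30818602 818078C4 32AD7864 BB0137AA 516284BB 3F55F0E3 "
    "F6DD9FC2 4A570215 68D2B3F7 5188A1C3 2B2D40BE D47A08FA "
    "CF41AF4E 8CCC2ED0 C5F9D1C5 22FC0625 BA54BCB3 D1CBB500 "
    "A177E917 642BE3B5 C683B0EB 1EC041F0 08EF60B7 8B6ED628 "
    "9830ED46 0BA21FDB F55E7C81 5D1A2045 54BFC853 5358E5CF "
    "7D7DDF25 03C44C00 E2F49539 5C4B0201 25"
)

# Limits stated in the guide: 512 to 2048 bits, and some SSH2 clients want at least 768.
MIN_BITS, MAX_BITS, SSH2_CLIENT_MIN_BITS = 512, 2048, 768
DER_SEQUENCE, DER_INTEGER = 0x30, 0x02


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_public_key(hex_text: str):
    """Return (modulus, exponent) from a PKCS#1 RSAPublicKey given in hex.
    Whitespace between hex characters is ignored, as the switch allows."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != DER_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != DER_INTEGER or tag_e != DER_INTEGER or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER modulus, INTEGER exponent }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value: int) -> bytes:
    # The extra byte keeps a leading 0x00 when the top bit is set (DER integers are signed).
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return bytes([DER_INTEGER]) + _der_length(len(body)) + body


def encode_rsa_public_key(modulus: int, exponent: int) -> str:
    """Inverse of parse_rsa_public_key: the upper-case hex to paste into public key code view."""
    body = _der_integer(modulus) + _der_integer(exponent)
    return (bytes([DER_SEQUENCE]) + _der_length(len(body)) + body).hex().upper()


def check_key(hex_text: str) -> dict:
    """Report modulus size and exponent, plus any reason the key should not be assigned to a user."""
    modulus, exponent = parse_rsa_public_key(hex_text)
    bits = modulus.bit_length()
    problems = []
    if not MIN_BITS <= bits <= MAX_BITS:
        problems.append(f"modulus is {bits} bits, outside {MIN_BITS}-{MAX_BITS}")
    elif bits < SSH2_CLIENT_MIN_BITS:
        problems.append(f"modulus is {bits} bits, some SSH2 clients require at least {SSH2_CLIENT_MIN_BITS}")
    if exponent < 3 or exponent % 2 == 0:
        problems.append(f"public exponent {exponent} is not an odd value >= 3")
    return {"bits": bits, "exponent": exponent, "problems": problems}


if __name__ == "__main__":
    print(check_key(SWITCH001_KEY_HEX))   # the guide's example key: 1023-bit modulus, exponent 37
```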
Configuring the SSH Client
A variety of SSH client software is available, such as PuTTY and FreeBSD. For an SSH client to establish a connection with an SSH server, you must complete these configuration tasks:
Specifying the IP address of the server.
Selecting the protocol for remote connection. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH.
Selecting the SSH version. Multiple SSH versions are available. However, since the device supports SSH Server 2.0 now, select 2.0 or lower for the client.
Specifying the RSA private key file. The RSA keys for an SSH user include a public key and a private key, which are generated by the tool that accompanies the client software. The public key must be configured on the server, while the private key must be configured on the client.
The following takes the client software PuTTY as an example to illustrate how to configure the SSH client:
Specifying the IP address of the server
Launch PuTTY. The following window appears.
Figure 161 SSH client interface 1
In the [Host Name (or IP address)] text box, enter the IP address of the server, for
example, 10.110.28.10. Note that the IP address can be the IP address of any interface
on the server that has SSH in the state of up and a route to the client.
Selecting the protocol for remote connection
As shown in Figure 161, select the [SSH] option from the [Protocol] section.
Selecting the SSH version
From the category on the left of the window, click [Connection/SSH]. The following
window appears.
Figure 162 SSH client interface 2
As shown in Figure 162, select [2] from the [Preferred SSH protocol version] section.
Specifying the RSA private key file
If the client needs to use RSA authentication, you must specify the RSA private key file. If
the client needs to use password authentication, this is not required.
From the category on the left of the window, click [Connection/SSH/Auth]. The following
window appears.
Figure 163 SSH client interface 3
Click <Browse> to bring up the file selection window, navigate to the private key file and
click <OK>.
Initiating an SSH connection
1 Click <Open>. The following SSH client interface appears. If the connection is normal,
you will be prompted to enter the username and password, as shown in Figure 164.
Figure 164 SSH client interface 4
2 Enter the username and password. The SSH connection should be created.
3 To log out, enter the quit command.
Configuring the Device as an SSH Client
Configuration Prerequisites
Complete the configuration of the SSH server. For detailed configuration information, refer to Configuring the SSH Server.
Configuration Procedure
Follow these steps to configure the device as an SSH client:
Table 399 Configuring the Device as an SSH Client
To do | Use the command | Remarks
Enter system view | system-view | -
Disable the first-time authentication function | undo ssh client first-time | Optional. Enabled by default.
Enter public key view | rsa peer-public-key keyname | Optional
Enter public key code view | public-key-code begin | Spaces and carriage returns are allowed between the PKCS-coded characters that comprise the key.
Return from public key code view to public key view | public-key-code end | When you exit public key code view, the system automatically saves the public key.
Return from public key view to system view | peer-public-key end | -
Configure the host public key of the server so that the client can determine whether the server is reliable | ssh client authentication server { server-ip | server-name } assign rsa-key keyname | Optional
Specify the source IPv4 address or source interface of the SSH client | ssh client source { ip ip-address | interface interface-type interface-number } | Optional. IP address or interface specified by the route by default.
Initiate a connection between the SSH client and an IPv4 server, and specify the preferred key exchange algorithm, encryption algorithm, and HMAC algorithm of the client and the server | ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* | -
When an SSH client tries to access a server whose public host key it does not know for
the first time, the first-time authentication function enables it to access the server and
obtain and save the public host key of the server. When the client accesses the server
later, it can use the locally saved public host key of the server to authenticate the server.
With the first-time authentication function enabled on a client, you do not need to
configure the public host key of a server to be accessed on the client.
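The first-time authentication behaviour described above, as an added Python model (not the switch software): the client keeps the host public keys it has saved, accepts and saves an unknown server's key only while first-time authentication is enabled, and never accepts a key that differs from the one saved for that server. The class, its method names and the host key strings are this example's own constructions.

```python
"""Model of SSH client first-time authentication as the guide describes it.
Added example: class, method names and keys are constructed for illustration,
not the device's own code."""
from dataclasses import dataclass, field

# Decisions the client can reach for a presented host key.
ACCEPT = "accept"                      # key matches the key saved for this server
ACCEPT_AND_SAVE = "accept_and_save"    # unknown server, first-time auth enabled: save the key
REJECT_UNKNOWN = "reject_unknown"      # unknown server, first-time auth disabled
REJECT_MISMATCH = "reject_mismatch"    # a key is saved but a different one was presented


@dataclass
class SshClientHostKeys:
    first_time: bool = True                       # ssh client first-time (enabled by default)
    known: dict = field(default_factory=dict)     # server name or IP -> host public key

    def assign_rsa_key(self, server: str, public_key: str) -> None:
        """Pre-configure a server's host public key, the effect of
        'ssh client authentication server <server> assign rsa-key <keyname>'."""
        self.known[server] = public_key

    def verify_server(self, server: str, presented_key: str) -> str:
        saved = self.known.get(server)
        if saved is not None:
            # A changed host key is not accepted whatever the first-time setting:
            # another device may be answering on the server's address.
            return ACCEPT if saved == presented_key else REJECT_MISMATCH
        if self.first_time:
            # Trust on first use: save the key and use it to authenticate the server later.
            self.known[server] = presented_key
            return ACCEPT_AND_SAVE
        return REJECT_UNKNOWN


def demo() -> list:
    """Walk through the cases with constructed host keys (not real key material)."""
    switch_b_key = "constructed-host-key-switch-b"
    other_key = "constructed-host-key-other-device"
    results = []
    client = SshClientHostKeys(first_time=True)
    results.append(client.verify_server("10.165.87.136", switch_b_key))  # accept_and_save
    results.append(client.verify_server("10.165.87.136", switch_b_key))  # accept
    results.append(client.verify_server("10.165.87.136", other_key))     # reject_mismatch
    strict = SshClientHostKeys(first_time=False)                         # undo ssh client first-time
    results.append(strict.verify_server("10.165.87.136", switch_b_key))  # reject_unknown
    strict.assign_rsa_key("10.165.87.136", switch_b_key)                 # key configured by hand
    results.append(strict.verify_server("10.165.87.136", switch_b_key))  # accept
    return results


if __name__ == "__main__":
    print(demo())
```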
Displaying and Maintaining the SSH Protocol
Table 400 Displaying and Maintaining the SSH Protocol
To do | Use the command | Remarks
Display the public keys of the host key pair and server key pair | display rsa local-key-pair public | Available in any view
Display the peer RSA public keys | display rsa peer-public-key [ brief | name keyname ] | Available in any view
Display the source IP address or interface currently set for the SFTP client | display sftp client source | Available in any view
Display the source IP address or interface currently set for the SFTP server | display ssh client source | Available in any view
Display the status information or session information of the SSH server | display ssh server { status | session } | Available in any view
Display the mapping between the host public key and the SSH server saved on the client | display ssh server-info | Available in any view
Display the information of the SSH user | display ssh user-information [ username ] | Available in any view
SSH Configuration Example
Network requirements
As shown in Figure 165, a local connection is established between the configuration terminal (SSH client) and the Switch. Users log in to the switch via the SSH protocol to ensure that data is exchanged in a secure way. The username of the SSH client is client001 and the password is aabbcc.
Network diagram
Figure 165 Network diagram for SSH configuration
[Figure: the SSH client (192.168.0.2/24) is connected to Vlan-interface1 (192.168.0.1/24) of the Switch.]
Configuration procedure
The configuration procedure varies with login authentication modes. However, you must
complete the following three configuration tasks before any configuration procedure.
First, create an RSA host key pair and server key pair and enable the SSH server.
<3Com> system-view
[3Com] rsa local-key-pair create
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.....++++++++++++
...++++++++++++
................++++++++
.............++++++++
......Done!
[3Com] ssh server enable
If you have created an RSA host key pair and server key pair, you can skip this step.
Then, you must create a VLAN interface on the switch and assign an IP address, through
which the SSH client will be connected with the switch.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[3Com-Vlan-interface1] quit
Finally, you must configure an IP address (192.168.0.2) for the SSH client. This IP address
and that of the VLAN interface on the switch must be in the same network segment.
Set the SSH authentication mode to password
1 Set the authentication mode on the user interface to AAA. (AAA adopts the default ISP
domain system and the default scheme local.)
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
2 Set the protocol that a remote user uses to log in to the switch to SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
3 Create a local user client001.
[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
[3Com] ssh user client001 authentication-type password
The SSH authentication timeout time, number of SSH authentication attempts, and
server key update period can be default values. After the above configurations, run
SSH2.0 on the client to be connected with the switch, and log in to the switch with
username as client001 and password as aabbcc.
Set the SSH authentication mode to RSA
4 Set the authentication mode on the user interface to AAA.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
5 Set the protocol that a remote user uses to log in to the switch to SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
6 Set the SSH user authentication mode to RSA on the switch.
[3Com] ssh user client001 authentication-type RSA
Here an RSA key pair (including the public and private keys) needs to be generated
randomly on the SSH2.0 supporting client software. And you should input the RSA
public key (which is a hexadecimal string obtained after using the SSHKEY.EXE software
to perform the PKCS coding) to the public key specified by the rsa
peer-public-key command on the SSH server in the following way.
7 Set the RSA keys on the switch.
[3Com] rsa peer-public-key Switch001
[3Com-rsa-public-key] public-key-code begin
[3Com-rsa-key-code] 30818602 818078C4 32AD7864 BB0137AA 516284BB 3F55F0E3
[3Com-rsa-key-code] F6DD9FC2 4A570215 68D2B3F7 5188A1C3 2B2D40BE D47A08FA
[3Com-rsa-key-code] CF41AF4E 8CCC2ED0 C5F9D1C5 22FC0625 BA54BCB3 D1CBB500
[3Com-rsa-key-code] A177E917 642BE3B5 C683B0EB 1EC041F0 08EF60B7 8B6ED628
[3Com-rsa-key-code] 9830ED46 0BA21FDB F55E7C81 5D1A2045 54BFC853 5358E5CF
[3Com-rsa-key-code] 7D7DDF25 03C44C00 E2F49539 5C4B0201 25
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
8 Directly import the public key of the client if it is stored in the format of a file named
Switch001 on the server.
[3Com] rsa peer-public-key Switch001 import sshkey Switch001
9 Specify a public key Switch001 for the user client001.
[3Com] ssh user client001 assign rsa-key Switch001
On the client, you need to specify the corresponding RSA private key of the RSA public
key for the SSH user client001.
By now, you can run SSH2.0 on the terminal containing the RSA private key and perform
corresponding configuration to establish an SSH connection.
SSH Client Configuration Example
Network requirements
As shown in Figure 166, Switch A serves as the SSH client and is connected to Switch B
through the SSH protocol. The username of the SSH client is client001 and the password
is aabbcc.
Network diagram
Figure 166 Network diagram for SSH client configuration
[Figure: Switch A (SSH client, Vlan-interface1 10.165.87.137/24) is connected to Switch B (SSH server, Vlan-interface1 10.165.87.136/24); a PC is attached to Switch A.]
Configuration procedure
1 Configuration on Switch B
a Create an RSA host key pair and server key pair and enable the SSH server.
<3Com> system-view
[3Com] rsa local-key-pair create
[3Com] ssh server enable
If you have created an RSA host key pair and server key pair, you can skip this step.
b Create a VLAN interface on Switch B and assign an IP address, through which the SSH
client will be connected with the switch.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[3Com-Vlan-interface1] quit
c Set the authentication mode on the user interface to AAA. (AAA adopts the default
ISP domain system and the default scheme local.)
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
d Set the protocol that a remote user uses to log in to the switch to SSH.
[3Com-ui-vty0-4] protocol inbound ssh
[3Com-ui-vty0-4] quit
e Create a local user client001.
[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
f Set the SSH authentication mode to password. (The SSH authentication timeout time, number of SSH authentication attempts and server key update period can be default values.)
[3Com] ssh user client001 authentication-type password
If you set the SSH authentication mode to RSA, you need to configure a host public key of Switch A. For the specific configuration, refer to SSH Configuration Example.
2 Configuration on Switch A
a Configure an IP address (10.165.87.137) for the VLAN interface on Switch A.
This IP address and that of the VLAN interface on Switch B must be in the same
network segment.
<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[3Com-Vlan-interface1] quit
b Configure the client so that the server will not perform the first authentication for the
client.
[3Com] ssh client first-time
c Adopt the password authentication and enable the authentication according to the
default algorithm.
[3Com] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated. Do you continue access it?[Y/N]: y
Do you want to save the server's public key?[Y/N]: y
Enter password:
*********************************************************
* All rights reserved (1997-2005) *
* Without the owner's prior written consent, *
*no decompiling or reverse-engineering shall be allowed. *
*********************************************************
<3Com>
58 SFTP SERVICE
When configuring SFTP, go to these sections for information you are interested in:
SFTP Overview
Configuring the SFTP Server
Configuring the SFTP Client
SFTP Configuration Example
SFTP Overview
The secure file transfer protocol (SFTP) is a new feature in SSH 2.0.
SFTP is established on SSH connections to provide secured data transfer. The device can
serve as both SFTP server and SFTP client. A remote user can log in to the SFTP server
securely to manage and transfer files for system upgrade. In addition, a user can log in to
a remote device to transfer files in a secure way.
Configuring the SFTP Server
Configuration Prerequisites
You have configured the SSH server. For the detailed configuration procedure, refer to
Configuring the SSH Server.
You have used the ssh user service-type command to set the service type of
SSH users to sftp or all.
Enabling the SFTP Server
This configuration task is to enable the SFTP service so that clients can log in to the SFTP
server in SFTP mode.
Follow these steps to enable the SFTP server:
Table 401 Enabling the SFTP Server
To do: use the command (remarks)
Enter system view: system-view
Enable the SFTP server: sftp server enable (Required. By default, the SFTP server is disabled.)
Configuring the SFTP Connection Idle Timeout Time
After the SFTP connection idle timeout time exceeds the threshold, the system will
automatically disconnect the SFTP user.
Follow these steps to configure the SFTP connection idle timeout time:
Table 402 Configuring the SFTP Connection Idle Timeout Time
To do: use the command (remarks)
Enter system view: system-view
Configure the SFTP connection idle timeout time: sftp server idle-timeout time-out-value (Required. By default, the SFTP connection idle timeout time is 10 minutes.)
Configuring the SFTP Client
Specifying a Source IP Address or Interface for the SFTP Client
Follow these steps to specify a source IP address or interface for the SFTP client:
Table 403 Specifying a Source IP Address or Interface for the SFTP Client
To do: use the command (remarks)
Enter system view: system-view
Specify a source IP address or interface for the SFTP client, that is, the source IPv4 address or source interface of the SFTP client: sftp client source { ip ip-address | interface interface-type interface-number } (Optional. By default, the SFTP client uses the port address specified by the route of the device to access the SFTP server.)
Establishing a Connection with the SFTP Server
This configuration task is to enable the SFTP client to establish a connection with the
remote SFTP server and enter SFTP client view.
Follow these steps to enable the SFTP client:
Table 404 Establishing a Connection with the SFTP Server
To do: use the command (remarks)
Enter system view: system-view
Initiate a connection to a remote SFTP server and enter SFTP client view, here a remote IPv4 SFTP server: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Either is required.)
Operating the SFTP Directories
SFTP directory operations include:
Changing or displaying the current working directory
Creating or deleting a directory
Displaying files under a specified directory or the directory information
Changing the name of a specified directory on the server
Follow these steps to operate the SFTP directories:
Table 405 Operating the SFTP Directories
To do: use the command (remarks)
Enter system view: system-view
Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
Change the specified working directory on the server: cd [ remote-path ] (Optional. This and the following commands need not be carried out in this sequence. The dir command functions as the ls command does.)
Return to the upper-level directory: cdup
Display the current working directory on the server: pwd
Display the file list under a specified directory: dir [ remote-path ] or ls [ remote-path ]
Change the name of a specified directory on the server: rename oldname newname
Create a new directory on the server: mkdir remote-path
Delete a directory from the server: rmdir remote-path
Operating SFTP Files
SFTP file operations include:
Changing a file name
Downloading a file
Uploading a file
Displaying the file list
Deleting a file
Follow these steps to operate SFTP files:
Table 406 Operating SFTP Files
To do: use the command (remarks)
Enter system view: system-view
Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
Change the name of a specified file on the server: rename old-name new-name (Optional. This and the following commands need not be carried out in this sequence. The dir and ls commands function in the same way, as do the delete and remove commands.)
Download a file from the remote server: get remote-file [ local-file ]
Upload a file to the remote server: put local-file [ remote-file ]
Display the file list under a specified directory: dir [ remote-path ] or ls [ remote-path ]
Delete a file from the server: delete remote-file or remove remote-file
Displaying Help Information
This configuration task is to display the help information about related commands, such
as command format and parameter configuration.
Follow these steps to display the help information about client commands:
Table 407 Displaying Help Information
To do: use the command (remarks)
Enter system view: system-view
Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
Display the help information about client commands: help [ all | command-name ] (Optional)
Disabling the SFTP Client
This configuration task is to disable the SFTP client.
Follow these steps to disable the SFTP client:
Table 408 Disabling the SFTP Client
To do: use the command (remarks)
Enter system view: system-view
Establish a connection with the remote SFTP server and enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]* (Required)
Disable the SFTP client: bye, exit or quit (Required. Use any of these commands; the three function in the same way.)
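The sftp client command repeated in Tables 404 to 408 carries five algorithm-preference options. The following Python parser, added here and not part of the manual, checks such a command line against those keyword sets and lists the choices a reviewer would question today (des, md5, md5_96, sha1_96, dh_group1; that assessment is mine, not the manual's). Assumed: port-num defaults to 22, which the manual does not state.

```python
"""Check a 3Com 'sftp' client command line (added example, not 3Com code).

Grammar from Tables 404-408:
  sftp { host-ip | host-name } [ port-num ]
       [ prefer_kex { dh_group1 | dh_exchange_group }
       | prefer_ctos_cipher { des | aes128 | 3des }
       | prefer_stoc_cipher { des | aes128 | 3des }
       | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 }
       | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*
"""
import ipaddress

ALLOWED = {
    "prefer_kex": {"dh_group1", "dh_exchange_group"},
    "prefer_ctos_cipher": {"des", "aes128", "3des"},
    "prefer_stoc_cipher": {"des", "aes128", "3des"},
    "prefer_ctos_hmac": {"sha1", "sha1_96", "md5", "md5_96"},
    "prefer_stoc_hmac": {"sha1", "sha1_96", "md5", "md5_96"},
}

# Assessment added here, not the manual's: values worth a second look in a review.
WEAK = {"des", "md5", "md5_96", "sha1_96", "dh_group1"}

DEFAULT_PORT = 22  # assumption: the manual does not state the default port-num


def parse_sftp_command(line):
    """Return a dict describing the command, or raise ValueError on bad syntax."""
    tokens = line.split()
    if not tokens or tokens[0] != "sftp":
        raise ValueError("not an sftp command")
    if len(tokens) < 2:
        raise ValueError("missing host-ip or host-name")
    host = tokens[1]
    try:
        ipaddress.ip_address(host)
        host_kind = "host-ip"
    except ValueError:
        host_kind = "host-name"
    pos = 2
    port = DEFAULT_PORT
    if pos < len(tokens) and tokens[pos].isdigit():      # optional port-num
        port = int(tokens[pos])
        if not 1 <= port <= 65535:
            raise ValueError("port-num out of range")
        pos += 1
    prefs = {}
    while pos < len(tokens):                              # the ]* option group
        key = tokens[pos]
        if key not in ALLOWED:
            raise ValueError("unknown keyword: %s" % key)
        if key in prefs:
            raise ValueError("%s given twice" % key)
        if pos + 1 >= len(tokens):
            raise ValueError("%s needs a value" % key)
        value = tokens[pos + 1]
        if value not in ALLOWED[key]:
            raise ValueError("bad value for %s: %s" % (key, value))
        prefs[key] = value
        pos += 2
    return {"host": host, "host_kind": host_kind, "port": port, "prefs": prefs}


def weak_preferences(parsed):
    """Sorted (keyword, value) pairs whose value is in WEAK, for the reviewer."""
    return sorted((k, v) for k, v in parsed["prefs"].items() if v in WEAK)


if __name__ == "__main__":
    # Constructed command line using the address from the SFTP configuration example.
    cmd = ("sftp 11.111.27.91 prefer_kex dh_group1 prefer_ctos_cipher des "
           "prefer_stoc_hmac md5_96")
    parsed = parse_sftp_command(cmd)
    print(parsed)
    print(weak_preferences(parsed))
```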
SFTP Configuration Example
Network requirements
As shown in Figure 167, an SSH connection is established between Switch A and Switch
B. Switch A, an SFTP client, uses the username client001 and password aabbcc to log in
to Switch B for file management and file transfer.
Network diagram
Figure 167 Network diagram for SFTP configuration
[Figure 167 residue: PC; Switch A (SFTP client), Vlan-interface1 11.111.27.92/24; Switch B (SFTP server), Vlan-interface1 11.111.27.91/24]
Configuration procedure
1 Configuration on the SFTP server (Switch B)
a Create an RSA host key pair and server key pair and enable the SSH server.
<3Com> system-view
[3Com] rsa local-key-pair create
[3Com] ssh server enable
If you have created an RSA host key pair and server key pair, you can skip this step.
b Create a VLAN interface on Switch B and assign an IP address, through which the SSH
client will be connected with the switch.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 11.111.27.91 255.255.255.0
[3Com-Vlan-interface1] quit
c Set the authentication mode on the user interface to AAA. (AAA adopts the default
ISP domain system and the default scheme local.)
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] authentication-mode scheme
d Set the protocol that a remote user uses to log in to the switch to SSH.
[SwitchB-ui-vty0-4] protocol inbound ssh
[SwitchB-ui-vty0-4] quit
e Create a local user client001.
[3Com] local-user client001
[3Com-luser-client001] password simple aabbcc
[3Com-luser-client001] service-type ssh
[3Com-luser-client001] quit
f Set the SSH authentication mode to password. (The SSH authentication timeout time,
number of SSH authentication attempts and server key update period can be default
values.)
[3Com] ssh user client001 authentication-type password
If you set the SSH authentication mode to RSA, you need to configure a host public key
of Switch A. For the specific configuration, refer to the section SFTP Configuration Example.
g Enable the SFTP server.
<3Com> system-view
[3Com] sftp server enable
h Specify the service type of the user as SFTP.
[3Com] ssh user client001 service-type sftp
2 Configuration on the SFTP client (Switch A)
a Configure an IP address (11.111.27.92) for the VLAN interface on Switch A.
This IP address and that of the VLAN interface on Switch B must be in the same
network segment.
<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 11.111.27.92 255.255.255.0
[SwitchA-Vlan-interface1] quit
b Establish a connection with the remote SFTP server and enter SFTP client view.
[3Com] sftp 11.111.27.91
Input Username: client001
Trying 11.111.27.91 ...
Press CTRL+K to abort
Connected to 11.111.27.91 ...
Enter password:
sftp-client>
c Display the current directory on the server, delete the z file, and check that the file is
deleted successfully.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
sftp-client> delete z
The following File will be deleted:
/z
Are you sure to delete it?(Y/N): y
This operation may take a long time. Please wait...
File successfully Removed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
d Add the new1 directory and check that it is created successfully.
sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1
e Change the directory name from new1 to new2 and check that the directory name is
changed successfully.
sftp-client> rename new1 new2
File successfully renamed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
f Download the pubkey2 file from the server and save it as public.
sftp-client> get pubkey2 public
Remote file: /pubkey2 ---> Local file: public
Downloading file successfully ended
g Upload the pu file to the server, save it as puk, and check that the file is uploaded
successfully.
sftp-client> put pu puk
Local file: pu ---> Remote file: /puk
Uploading file successfully ended
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk
sftp-client>
h Exit from SFTP.
sftp-client> quit
Bye
[3Com]
59 UDP HELPER CONFIGURATION
When configuring UDP Helper, go to these sections for information you are interested in:
Introduction to UDP Helper
Configuring UDP Helper
Displaying and Maintaining UDP Helper
UDP Helper Configuration Example
By default, the Switch 4500G Family of Ethernet switches do not forward IP broadcast
packets. To ensure that UDP Helper is available, you must use the ip
forward-broadcast command in system view first.
Introduction to UDP Helper
UDP Helper functions as a relay that converts UDP broadcast packets into unicast packets
and forwards them to a specified server.
With UDP Helper enabled, the device decides whether to forward a received UDP
broadcast packet according to the destination port number of the packet. If the packet needs to be
forwarded, the device modifies the destination IP address in the IP header and then sends
the packet to the specified destination server. Otherwise, the device sends the packet to
its upper layer.
When relaying BOOTP/DHCP broadcast packets, the device broadcasts a response packet
if the client specifies that it needs to receive a broadcast response; otherwise, the device
unicasts a response packet.
With UDP Helper enabled, the device relays broadcast packets of six default UDP ports by
default. The default UDP ports are listed in Table 409.
Table 409 List of default UDP ports
Protocol: UDP port number
TFTP (trivial file transfer protocol): 69
DNS (domain name system): 53
Time service: 37
NetBIOS-NS (NetBIOS name service): 137
NetBIOS-DS (NetBIOS datagram service): 138
TACACS (terminal access controller access control system): 49
Configuring UDP Helper
Follow these steps to configure UDP Helper:
Table 410 Configuring UDP Helper
To do: use the command (remarks)
Enter system view: system-view
Enable UDP Helper: udp-helper enable (Required. Disabled by default.)
Specify a UDP port: udp-helper port { port | dns | netbios-ds | netbios-ns | tacacs | tftp | time } (Optional. By default, the UDP Helper enabled device converts and forwards broadcast packets of ports 69, 53, 37, 137, 138, and 49.)
Enter interface view: interface interface-type interface-number
Configure the destination server to which the UDP packets are to be forwarded: udp-helper server ip-address (Required. No destination server is configured by default.)
CAUTION:
The dns, netbios-ds, netbios-ns, tacacs, tftp, and time keywords
correspond to the six default ports. You can configure the default ports by specifying
port numbers or the corresponding keywords. For example, udp-helper port
53 and udp-helper port dns specify the same port.
When you view the configuration by using the display current-configuration
command, the default UDP port numbers are not displayed. A default port number is
displayed only when UDP Helper has been disabled for that port.
The configuration of all UDP ports (including the default ports) is removed if you
disable UDP Helper.
The device supports up to 256 UDP ports whose broadcast packets are to be forwarded.
An interface corresponds to a maximum of 20 destination servers.
If the destination server is configured on a VLAN interface, the broadcast packets
from a VLAN port to a specific UDP port will be unicast to the destination server
configured on that VLAN interface after UDP Helper is enabled.
Displaying and Maintaining UDP Helper
Table 411 Displaying and Maintaining UDP Helper
To do: use the command (remarks)
Display the information of the destination server and the number of packets forwarded by UDP relay: display udp-helper server [ interface interface-type interface-number ] (Available in any view)
Clear statistics about packets forwarded by UDP relay: reset udp-helper packet (Available in user view)
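The forwarding decision described in the introduction, together with the port and server limits in the caution list, as a runnable Python model (added example, not 3Com code). It uses the values of the configuration example that follows (Vlan-interface1 10.110.1.1/16, port 55, server 202.38.1.2); the behaviour for directed versus limited broadcasts is my reading of "UDP broadcast packet", not something the manual spells out.

```python
"""Model of the UDP Helper forwarding decision (added example, not 3Com code).

A UDP broadcast received on an interface is rewritten into a unicast to each
destination server configured on that interface when its destination port is
enabled; any other packet goes to the device's upper layer.
"""
import ipaddress

# Keywords accepted by 'udp-helper port' and their port numbers (Table 409)
DEFAULT_PORTS = {"tftp": 69, "dns": 53, "time": 37, "netbios-ns": 137,
                 "netbios-ds": 138, "tacacs": 49}
MAX_PORTS = 256                  # limits stated in the configuration notes
MAX_SERVERS_PER_INTERFACE = 20
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


class UdpHelper:
    def __init__(self):
        self.forward_broadcast = False   # ip forward-broadcast (system view)
        self.enabled = False             # udp-helper enable
        self.ports = set()
        self.interfaces = {}             # name -> IPv4Interface
        self.servers = {}                # name -> [IPv4Address, ...]

    def enable(self):
        """udp-helper enable: the six default ports are relayed at once."""
        self.enabled = True
        self.ports |= set(DEFAULT_PORTS.values())

    def disable(self):
        """Disabling UDP Helper removes every port, defaults included."""
        self.enabled = False
        self.ports.clear()

    def add_port(self, port):
        """udp-helper port { port | dns | ... }: keyword and number are equivalent."""
        number = DEFAULT_PORTS.get(port, port)
        if not isinstance(number, int) or not 1 <= number <= 65535:
            raise ValueError("invalid port: %r" % (port,))
        if number not in self.ports and len(self.ports) >= MAX_PORTS:
            raise ValueError("at most %d UDP ports" % MAX_PORTS)
        self.ports.add(number)

    def displayed_ports(self):
        """display current-configuration shows only the non-default ports."""
        return sorted(self.ports - set(DEFAULT_PORTS.values()))

    def set_interface(self, name, cidr):
        """ip address on a VLAN interface, e.g. '10.110.1.1/16'."""
        self.interfaces[name] = ipaddress.ip_interface(cidr)

    def add_server(self, name, ip):
        """udp-helper server ip-address, issued in interface view."""
        lst = self.servers.setdefault(name, [])
        addr = ipaddress.ip_address(ip)
        if addr in lst:
            return
        if len(lst) >= MAX_SERVERS_PER_INTERFACE:
            raise ValueError("at most %d servers per interface" % MAX_SERVERS_PER_INTERFACE)
        lst.append(addr)

    def is_broadcast(self, name, dst_ip):
        """Limited broadcast, or the directed broadcast of the receiving subnet."""
        dst = ipaddress.ip_address(dst_ip)
        if dst == LIMITED_BROADCAST:
            return True
        itf = self.interfaces.get(name)
        return itf is not None and dst == itf.network.broadcast_address

    def handle(self, name, dst_ip, dst_port):
        """Fate of a UDP packet received on interface `name`:
        ('unicast', [server ips]) when UDP Helper rewrites the destination,
        ('local', []) when the packet is handed to the upper layer instead."""
        if not (self.is_broadcast(name, dst_ip) and self.forward_broadcast
                and self.enabled and dst_port in self.ports):
            return "local", []
        targets = self.servers.get(name, [])
        if not targets:
            return "local", []
        return "unicast", [str(t) for t in targets]


def example_device():
    """The chapter's configuration example, values taken from the manual."""
    dev = UdpHelper()
    dev.forward_broadcast = True
    dev.enable()
    dev.add_port(55)
    dev.set_interface("Vlan-interface1", "10.110.1.1/16")
    dev.add_server("Vlan-interface1", "202.38.1.2")
    return dev


if __name__ == "__main__":
    dev = example_device()
    print(dev.handle("Vlan-interface1", "10.110.255.255", 55))
    print(dev.handle("Vlan-interface1", "10.110.255.255", 80))
```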
UDP Helper Configuration Example
Network requirements
The VLAN interface of a device has an IP address of 10.110.1.1/16, connecting to
network segment 10.110.0.0/16. Specify to forward broadcast packets with destination
UDP port 55 to destination server 202.38.1.2/24.
Network diagram
Figure 168 Network diagram for UDP Helper configuration
[Figure 168 residue: Ethernet 10.110.0.0/16; Switch (UDP Helper), VLAN-Interface1 10.110.1.1/16; Internet; Ethernet 202.38.1.0/24; Server 202.38.1.2/24]
Configuration procedure
The following configuration assumes that the port connecting to the Internet belongs to
VLAN1, and the route to network segment 202.38.1.0/24 is up.
1 Enable UDP Helper.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] udp-helper enable
2 Specify to forward the broadcast packets with destination UDP port 55.
[3Com] udp-helper port 55
3 Specify the server with the IP address of 202.38.1.2 as the destination server to which
UDP packets are to be forwarded.
[3Com] interface vlan 1
[3Com-Vlan-interface1] ip address 10.110.1.1 16
[3Com-Vlan-interface1] udp-helper server 202.38.1.2
60 SSL CONFIGURATION
When configuring SSL, go to these sections for information you are interested in:
SSL Overview
Configuring SSL Server Policy
Configuring SSL Client Policy
Displaying and Maintaining SSL
Troubleshooting SSL Configuration
SSL Overview
SSL (Secure Socket Layer) is a security protocol providing secure connections for
TCP-based application layer protocols. The secure connection provided by SSL
implements the following:
Confidentiality: SSL encrypts data using a symmetric encryption algorithm with the key
generated during the handshake phase.
Authentication: SSL performs certificate-based authentication of both the server and
the client; authentication of the client is optional.
Reliability: SSL uses a key-based MAC (message authentication code) to verify the
integrity of messages.
The SSL protocol includes two layers: the SSL record protocol at the lower layer, and the handshake
protocol, SSL password change protocol and SSL alert protocol at the upper layer.
SSL record protocol: It fragments and compresses data from the upper layer, computes
and adds a MAC, encrypts the data, and transmits the resulting records to the peer end.
SSL handshake protocol: A session is initiated between the client and the server with
the handshake protocol. The session includes a group of parameters such as the session ID,
peer certificate, cipher suite (including key exchange algorithm, data encryption
algorithm and MAC algorithm), compression algorithm and master key. An SSL session
can be shared by multiple connections to reduce session negotiation cost.
SSL password change protocol: The client and the server inform each other of the
password change through the password change protocol. Subsequent packets are protected
and transmitted with the newly negotiated encryption suite and key pair.
SSL alert protocol: Permits one entity to report an alert message containing the alert level
and description to the other.
Configuring an SSL Server Policy
An SSL server policy is the set of SSL parameters used when the server is started; it takes effect
only when associated with an application layer protocol (for example, HTTP).
Configuration Prerequisites
Before configuring the SSL server policy you should configure a PKI (public key
infrastructure) domain. For the details of PKI domain configuration, see the PKI
Configuration module.
Configuring an SSL Server Policy
Follow these steps to configure an SSL server policy:
Table 412 Configuring an SSL Server Policy
To do: use the command (remarks)
Enter system view: system-view
Create an SSL server policy and enter its view: ssl server-policy policy-name (Required)
Configure the PKI domain to which the SSL server policy belongs: pki-domain domain-name (Required)
Configure the cipher suites supported by the SSL server policy: ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] * (Optional. An SSL server policy supports all six cipher suites by default.)
Configure the handshake timeout time for the SSL server: handshake timeout time (Optional. 3600 seconds by default.)
Configure the close mode for SSL connections: close-mode wait (Optional. The close mode for SSL connections is non-wait by default.)
Configure the maximum number and timeout time of buffered sessions: session { cachesize size | timeout time }* (Optional. The maximum number is 500 and the timeout time is 3600 seconds by default.)
Enable certificate-based SSL client authentication: client-verify enable (Optional. Not enabled by default.)
Configuration Example for SSL Server Policy
Network requirements
A device works as the HTTPS server.
A host works as the client interacting with the HTTP server through SSL-based HTTP
protocol.
Network diagram
Figure 169 Network diagram for SSL server policy
[Figure 169 residue: Host (HTTPS Client); IP Network; Device (HTTPS Server)]
Configuration procedure
1 Configure the SSL server policy.
<3Com> system
[3Com] ssl server-policy myssl
[3Com-ssl-server-policy-myssl] pki-domain 1
[3Com-ssl-server-policy-myssl] close-mode wait
[3Com-ssl-server-policy-myssl] quit
2 Configure the SSL policy adopted by the HTTPS server as myssl.
[3Com] ip https ssl-server-policy myssl
3 Enable the HTTPS service.
[3Com] ip https enable
Configuring an SSL Client Policy
An SSL client policy is the set of SSL parameters used by the client when connecting to the server;
it takes effect only when associated with an application layer protocol (for example, HTTP).
Configuration Prerequisites
Before configuring the SSL client policy you should configure a PKI domain first.
Configuring an SSL Client Policy
Follow these steps to configure an SSL client policy:
Table 413 Configuring an SSL Client Policy
To do: use the command (remarks)
Enter system view: system-view
Create an SSL client policy and enter its view: ssl client-policy policy-name (Required)
Configure the PKI domain to which the SSL client policy belongs: pki-domain domain-name (Required)
Configure the preferred encryption suite for the SSL client policy: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } (Optional. The preferred encryption suite is rsa_rc4_128_md5 by default.)
Configure the SSL protocol version adopted by the SSL client policy: version { ssl3.0 | tls1.0 } (Optional. The SSL protocol version is TLS 1.0 by default.)
If the server needs to perform certificate-based authentication of the client, a local
certificate for the SSL client must be acquired in the client's PKI domain.
Displaying and Maintaining SSL
Table 414 Displaying and Maintaining SSL
To do: use the command (remarks)
Display SSL server policy information: display ssl server-policy { policy-name | all } (Available in any view)
Display SSL client policy information: display ssl client-policy { policy-name | all } (Available in any view)
Troubleshooting SSL Configuration
SSL Handshake Failure
Symptom
When the device works as the SSL server, its handshake with the SSL client fails.
Analysis
SSL handshake failure may result from the following:
Network connection fault, for example a broken cable or a loose interface connection.
The SSL server certificate does not exist, or the certificate cannot be trusted.
The server is configured to authenticate the client, but the certificate of
the SSL client does not exist or cannot be trusted.
The encryption suites supported by the SSL server and client do not match.
Solution
1 Use the ping command to check the network connection.
2 Use the debugging ssl command to view the debugging information:
If the SSL server certificate does not exist, apply for one.
If the server certificate cannot be trusted, install on the SSL client the root certificate of
the CA that issued the certificate to the SSL server, or have the server re-apply for a
certificate from a CA trusted by the SSL client.
If the server is configured to authenticate the client, but the certificate of
the SSL client does not exist or cannot be trusted, apply for and install a certificate for the
client.
3 Use the display ssl server-policy command to view the encryption suites supported
by the SSL server policy. If the encryption suites supported by the SSL server do not
match those of the client, use the ciphersuite command to modify the encryption suites
supported by the SSL server.
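The Analysis and Solution lists above, as a runnable Python diagnosis that walks the same checks in order (added example, not 3Com code). Assumed simplifications: the client's prefer-cipher is treated as the only suite it offers, and certificates are represented only by the CA name that issued them.

```python
"""Why an SSL handshake on the device can fail (added example, not 3Com code).

Mirrors the troubleshooting section: link fault, missing or untrusted server
certificate, missing or untrusted client certificate when client-verify is
enabled, and a cipher suite mismatch between server policy and client policy.
"""

# ciphersuite keywords from Table 412: the six suites a server policy supports by default
SUITES = {
    "rsa_3des_ede_cbc_sha", "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha",
    "rsa_des_cbc_sha", "rsa_rc4_128_md5", "rsa_rc4_128_sha",
}


def server_policy(pki_domain, ciphersuites=None, client_verify=False):
    """Model 'ssl server-policy' with its defaults (all six suites, no client-verify)."""
    suites = set(ciphersuites) if ciphersuites else set(SUITES)
    unknown = suites - SUITES
    if unknown:
        raise ValueError("unknown ciphersuite: %s" % sorted(unknown))
    return {"pki_domain": pki_domain, "ciphersuites": suites,
            "client_verify": client_verify}


def client_policy(pki_domain, prefer_cipher="rsa_rc4_128_md5", version="tls1.0"):
    """Model 'ssl client-policy' with the defaults from Table 413."""
    if prefer_cipher not in SUITES:
        raise ValueError("unknown prefer-cipher: %s" % prefer_cipher)
    if version not in ("ssl3.0", "tls1.0"):
        raise ValueError("unknown version: %s" % version)
    return {"pki_domain": pki_domain, "prefer_cipher": prefer_cipher,
            "version": version}


def diagnose(link_up, server, server_cert, client_trusts, client, client_cert,
             server_trusts):
    """Return (ok, message). A certificate is {'issuer': ca-name} or None when
    absent; client_trusts / server_trusts are the CA names each side trusts.
    Simplification: the client offers only its prefer-cipher."""
    if not link_up:
        return False, "network connection fault: check the link with ping"
    if server_cert is None:
        return False, "SSL server certificate does not exist: apply for one"
    if server_cert["issuer"] not in client_trusts:
        return False, ("server certificate not trusted: install the root "
                       "certificate of %s on the client, or re-apply from a CA "
                       "the client trusts" % server_cert["issuer"])
    if server["client_verify"]:
        if client_cert is None:
            return False, ("client-verify is enabled but the client has no "
                           "certificate: apply for and install one on the client")
        if client_cert["issuer"] not in server_trusts:
            return False, "client certificate not trusted by the server"
    if client["prefer_cipher"] not in server["ciphersuites"]:
        return False, ("cipher suite mismatch: client prefers %s, server policy "
                       "supports %s; adjust with the ciphersuite command"
                       % (client["prefer_cipher"], sorted(server["ciphersuites"])))
    return True, "handshake succeeds: %s over %s" % (client["prefer_cipher"],
                                                     client["version"])


if __name__ == "__main__":
    # Constructed case: server narrowed to one suite, client left at its default.
    srv = server_policy("1", ciphersuites=["rsa_aes_128_cbc_sha"])
    cli = client_policy("1")
    cert = {"issuer": "ca1"}          # constructed sample certificate
    print(diagnose(True, srv, cert, {"ca1"}, cli, None, set()))
```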
61 HTTPS SERVER CONFIGURATION
When configuring HTTPS server, go to these sections for information you are interested
in:
HTTPS Server Overview
Associating HTTPS Server with SSL Server-end Policy
Enabling the Functions of HTTPS Server
Associating HTTPS Server with Certificate Access Control Policy
Associating HTTPS Server with ACL
Displaying and Maintaining HTTPS Server
Configuration Examples for HTTPS Server
HTTPS Server Overview
The HTTP Security (HTTPS) server refers to the HTTP server that supports the Secure
Socket Layer (SSL) protocol.
In addition to the two security measures provided by the HTTP server, the HTTPS server further
enhances the security of the HTTP server in the following aspects:
It uses the SSL protocol to ensure that legitimate clients access the HTTPS server
securely and to reject illegitimate clients;
It encrypts the data exchanged between the HTTPS client and the HTTPS server to ensure
data security and integrity, thus realizing secure management of the device;
It defines a certificate attribute-based access control policy for the HTTPS server to control
the access rights of clients, in order to further guard against attacks by illegitimate clients.
The total number of HTTP connections and HTTPS connections on a device cannot
exceed ten.
Associating HTTPS Server with SSL Server-end Policy
Associate the HTTPS server with an SSL server-end policy before enabling the functions of the
HTTPS server.
Follow these steps to associate the HTTPS server with an SSL server-end policy:
Table 415 Associating HTTPS Server with SSL Server-end Policy
To do: use the command (remarks)
Enter system view: system-view
Associate the HTTPS server with an SSL server-end policy: ip https ssl-server-policy policy-name (Required. The HTTPS server is not associated with an SSL server-end policy by default.)
If the ip https ssl-server-policy command is executed repeatedly, the
HTTPS server is associated only with the last SSL server-end policy configured.
When the functions of the HTTPS server are disabled, to enable them again you need
to re-associate the HTTPS server with an SSL server-end policy.
When the functions of the HTTPS server are enabled, any modification of its
associated SSL server-end policy does not take effect.
Enabling the Functions of HTTPS Server
Before configuring the HTTPS server, make sure that the functions of the HTTPS server
are enabled. Otherwise, other related configurations cannot take effect.
Follow these steps to enable the functions of the HTTPS server:
Table 416 Enabling the Functions of HTTPS Server
To do: use the command (remarks)
Enter system view: system-view
Enable the functions of the HTTPS server: ip https enable (Optional. The functions of the HTTPS server are disabled by default.)
Enabling the functions of the HTTPS server triggers an SSL handshake negotiation.
During the negotiation, if a local certificate of the device already exists, the SSL
negotiation succeeds and the HTTPS server starts normally. If no local certificate
exists, the SSL negotiation triggers a certificate application process. Because the
application process takes a long time, the SSL negotiation often fails and the HTTPS
server cannot start normally. Therefore, the ip https enable command must be
executed multiple times to ensure normal startup of the HTTPS server.
Associating HTTPS Server with Certificate Access Control Policy
Associating the HTTPS server with a client certificate access control policy helps control
the access rights of clients, providing the server with enhanced security.
Follow these steps to associate the HTTPS server with a certificate access control policy:
Table 417 Associating HTTPS Server with Certificate Access Control Policy
To do: use the command (remarks)
Enter system view: system-view
Associate the HTTPS server with a certificate access control policy: ip https certificate access-control-policy policy-name (Optional. The HTTPS server is not associated with a certificate access control policy by default.)
If the ip https certificate access-control-policy command is
executed repeatedly, the HTTPS server is associated only with the last certificate
access control policy configured.
If the HTTPS server is associated with a certificate access control policy, the
client-verify enable command must be configured in the SSL server-end
policy associated with the HTTPS server. Otherwise, the client cannot log onto the
server.
Associating HTTPS Server with ACL
By associating the HTTPS server with an ACL, requests from some clients can be filtered
out. Only the clients that pass ACL filtering are allowed to access the server.
Follow these steps to associate the HTTPS server with an ACL:
Table 418 Associating HTTPS Server with ACL
To do: use the command (remarks)
Enter system view: system-view
Associate the HTTPS server with an ACL: ip https acl acl-number (Optional. The HTTPS server is not associated with an ACL by default.)
If the ip https acl command is executed repeatedly, the HTTPS server is
associated only with the last ACL configured.
Displaying and Maintaining HTTPS Server
After completing the above configurations, execute the display command in any view
to display the operating status of the HTTPS server and verify the effect of the
configuration.
Follow these steps to display and maintain the HTTPS server:
Table 419 Displaying and Maintaining HTTPS Server
To do: use the command
Display the status information about the HTTPS server: display ip https
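The rules of this chapter (associate a policy before ip https enable, client-verify enable when a certificate access control policy is used, last association wins, no effect from policy changes after enabling) can be checked before a change is committed. The following Python audit, added here and not 3Com code, reads an ordered list of system-view commands and reports which rule is violated; the sample transcript and the policy names other than myssl are constructed.

```python
"""Audit an HTTPS/SSL command sequence against the rules in this chapter
(added example, not 3Com code). Input is the ordered list of commands typed
in system view, in the style of the configuration examples."""


def parse_commands(commands):
    """Collect ssl server-policy definitions and the ip https settings."""
    policies = {}
    https = {"policy": [], "enable_at": None, "cert_acp": None, "acl": None}
    current = None                                    # policy view we are in
    for index, raw in enumerate(commands):
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["ssl", "server-policy"] and len(words) == 3:
            current = words[2]                        # enter SSL server policy view
            policies.setdefault(current, {"pki_domain": None,
                                          "client_verify": False,
                                          "changed_at": index})
        elif words == ["quit"]:
            current = None
        elif current is not None:                     # commands inside policy view
            if words[0] == "pki-domain" and len(words) == 2:
                policies[current]["pki_domain"] = words[1]
            elif words == ["client-verify", "enable"]:
                policies[current]["client_verify"] = True
            policies[current]["changed_at"] = index
        elif words[:2] == ["ip", "https"] and len(words) >= 3:
            if words[2] == "ssl-server-policy" and len(words) == 4:
                https["policy"].append((index, words[3]))
            elif words[2] == "enable":
                https["enable_at"] = index
            elif words[2:4] == ["certificate", "access-control-policy"] and len(words) == 5:
                https["cert_acp"] = words[4]
            elif words[2] == "acl" and len(words) == 4:
                https["acl"] = words[3]
    return policies, https


def audit(commands):
    """Return a list of findings; an empty list means the sequence is consistent."""
    policies, https = parse_commands(commands)
    findings = []
    if len(https["policy"]) > 1:
        findings.append("ip https ssl-server-policy repeated; only the last one (%s) "
                        "is associated" % https["policy"][-1][1])
    assoc = https["policy"][-1] if https["policy"] else None
    enable_at = https["enable_at"]
    if enable_at is not None and (assoc is None or assoc[0] > enable_at):
        findings.append("ip https enable issued before the HTTPS server was associated "
                        "with an SSL server-end policy")
    if assoc is None:
        return findings
    name = assoc[1]
    policy = policies.get(name)
    if policy is None:
        findings.append("ssl server-policy %s is referenced but never created" % name)
        return findings
    if policy["pki_domain"] is None:
        findings.append("ssl server-policy %s has no pki-domain (prerequisite)" % name)
    if https["cert_acp"] and not policy["client_verify"]:
        findings.append("certificate access-control-policy %s needs 'client-verify enable' "
                        "in ssl server-policy %s, otherwise clients cannot log on"
                        % (https["cert_acp"], name))
    if enable_at is not None and policy["changed_at"] > enable_at:
        findings.append("ssl server-policy %s was modified after ip https enable; the "
                        "change does not take effect on the running server" % name)
    return findings


# Constructed sample in the manual's command style (policy name from the SSL example;
# mypol and 2001 are placeholders).
GOOD = [
    "ssl server-policy myssl",
    "pki-domain 1",
    "client-verify enable",
    "quit",
    "ip https ssl-server-policy myssl",
    "ip https certificate access-control-policy mypol",
    "ip https acl 2001",
    "ip https enable",
]

if __name__ == "__main__":
    print(audit(GOOD))                                # []
    print(audit(GOOD[:2] + GOOD[3:]))                 # missing client-verify enable
```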
600 CHAPTER 61: HTTPS SERVER CONFIGURATION
Configuration Examples for HTTPS Server
When a server running the Windows operating system is used as the CA, the Simple Certificate Enrollment Protocol (SCEP) plug-in is required. In this case, you need to specify that the entity applies for the certificate from the RA by using the certificate request from ra command when configuring the PKI domain.
The SCEP plug-in is not needed when RSA Keon software is used. In this case, you need to specify that the entity applies for the certificate from the CA by using the certificate request from ca command when configuring the PKI domain.
This section assumes the Windows operating system is used on the CA server.
Network requirements
The HTTPS client logs on to the HTTPS server to access and control the device through Web network management.
The CA (Certificate Authority) issues a certificate to the HTTPS server.
Network diagram
Figure 170 Network diagram for HTTPS configuration (diagram labels: CA 10.1.2.2/24; HTTPS Server 10.1.1.1/24; HTTPS Client 10.1.1.2/24; 10.1.2.1/24)
Configuration procedure
Perform the following configurations on the HTTPS server:
1 Apply for a certificate for the HTTPS server.
a Configure a PKI (Public Key Infrastructure) entity.
<3Com> system-view
[3Com] pki entity en
[3Com-pki-entity-en] common-name http-server1
[3Com-pki-entity-en] fqdn ssl.security.com
[3Com-pki-entity-en] quit
b Configure a PKI domain.
[3Com] pki domain 1
[3Com-pki-domain-1] ca identifier ca1
[3Com-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[3Com-pki-domain-1] certificate request from ra
[3Com-pki-domain-1] certificate request entity en
[3Com-pki-domain-1] quit
c Generate a key pair locally by using the RSA (Rivest-Shamir-Adleman) algorithm.
[3Com] rsa local-key-pair create
d Obtain a server certificate from the CA.
[3Com] pki retrieval-certificate ca domain 1
e Request a local certificate.
[3Com] pki request-certificate domain 1
2 Configure an SSL server-end policy associated with the HTTPS server.
a Create a server-end policy named myssl.
[3Com] ssl server-policy myssl
b Set the PKI domain used by the server end to 1.
[3Com-ssl-server-policy-myssl] pki-domain 1
c Configure the server to require client authentication.
[3Com-ssl-server-policy-myssl] client-verify enable
[3Com-ssl-server-policy-myssl] quit
3 Configure the SSL server-end policy referenced by the HTTPS server.
Specify the SSL server-end policy used by the HTTPS server.
[3Com] ip https ssl-server-policy myssl
4 Enable the HTTPS server.
[3Com] ip https enable
For details of PKI commands, refer to the PKI module.
For details of the rsa local-key-pair create command, refer to the SSH Terminal Service module.
62 PKI CONFIGURATION
When configuring PKI, go to these sections for information you are interested in:
Introduction to PKI
Introduction to PKI Configuration Task
PKI Certificate Request Configuration
PKI Certificate Validation Configuration
Display and Debug
Typical Configuration Examples
Troubleshooting
Introduction to PKI
The term router in this document refers to a Layer 3 switch running routing protocols. To improve readability, this is not noted again in the document.
Overview
Public key infrastructure (PKI) is a system that uses public key technology and digital certificates to ensure system security and authenticate digital certificate users. It provides a complete set of security mechanisms by combining software/hardware systems and security policies. PKI uses certificates to manage public keys: it binds user public keys with other identifying information through a trustworthy association, so that online authentication is possible. PKI provides a secure network environment and makes encryption and digital signature technologies easy to use in many application environments, to assure the confidentiality, integrity and validity of online data.
Confidentiality means that the data are accessible only to authorized parties during transmission. Integrity means that only authorized parties can modify the data. Validity means that the data are available to authorized parties when needed.
A PKI system consists of a public key algorithm, a certificate authority, a registration authority, digital certificates, and a PKI repository.
Figure 171 PKI components block diagram (components shown: PKI application, CA, RA, PKI repository, digital certificate)
604 CHAPTER 62: PKI CONFIGURATION
The certificate authority issues and manages certificates. The registration authority authenticates user identity and manages the certificate revocation list. The PKI repository stores and manages information such as certificates and logs, and provides a query function. The digital certificate, also called a public key certificate (PKC), underlies the security of the PKI system and the trust placed in applications. It is a file signed by the certificate authority that contains the public key and owner information, and its authentication technology is based on public key cryptography. It can be used as proof of identity for online information exchange and commercial activities. A certificate has a lifetime, which is specified when it is issued; the certificate authority can, of course, revoke a certificate before its expiration date.
Terminology
Public key algorithm: A key algorithm that uses different encryption and decryption keys. The keys are generated for users in pairs: one is published as the public key; the other is kept as the private key. Information encrypted with one key can only be decrypted with the other, so the key pair is generally used for signature and authentication. In communication, if the sender signs with its private key, the receiver verifies the signature with the sender's public key. If the sender encrypts the information with the receiver's public key, only the receiver's private key can decrypt it.
Certificate authority (CA): A trustworthy entity that issues certificates to persons, PCs or any other entities. The CA processes certificate requests and checks applicant information according to its certificate management policy. It then signs the certificate with its private key and issues it.
Registration authority (RA): An extension of the CA. It forwards the entities' certificate requests to the CA, and forwards digital certificates and the certificate revocation list to the directory server for directory browsing and query.
Lightweight Directory Access Protocol (LDAP) server: LDAP provides a means to access the PKI repository, for accessing and managing PKI information. The LDAP server supports directory browsing and loads user information and digital certificates from the RA server. Users can then obtain their own or others' certificates by accessing the LDAP server.
Certificate revocation list (CRL): A certificate has a lifetime, but the CA can revoke a certificate before its expiration date if the private key is compromised or the service ends. Once a certificate is revoked, a CRL is released to announce its invalidity; the CRL lists the serial numbers of the revoked certificates. The CRL, stored on the LDAP server, provides an effective way to check the validity of certificates, and offers centralized management of user notification and other applications.
Applications
PKI includes a set of security services provided using public key technology and X.509 certificates in distributed computing systems. It can issue certificates for various purposes, such as Web user identity authentication, Web server identity authentication, secure email using S/MIME (Secure/Multipurpose Internet Mail Extensions), virtual private networks (VPN), IP Security, Internet Key Exchange (IKE), and Secure Sockets Layer/Transport Layer Security (SSL/TLS). One CA can issue certificates to another CA to establish certification hierarchies.
Introduction to PKI Configuration Task
The purpose of configuring PKI is to apply for a local certificate from the CA for the specified device, so that the device can check the validity of certificates.
Configuring PKI Certificate Request
A certificate request is the process by which an entity introduces itself to the CA. The identity information the entity provides will be contained in the certificate issued later. The CA uses a set of criteria to check applicant credibility, request purpose and identity reliability, to ensure that certificates are bound to the correct identity. Offline, non-automatic out-of-band identity checks (by phone, storage disk or email, for example) may be required in this process. If the process goes smoothly, the CA issues a certificate to the user and publishes it along with some public information on the LDAP server for directory browsing. The user can then download its own public-key digital certificate from the notified location, and obtain those of others through the LDAP server.
Entering PKI Domain View
A PKI domain resides on the local device and is invisible to the CA and other devices. It does not interfere with the relationship between user management and multiple users. The purpose of a PKI domain is to give other applications (such as IKE and SSL) an easy way to reference the PKI configuration.
Follow these steps to enter PKI domain view:
Table 420 Introduction to PKI Configuration Task
Configuration Task / Remarks
Configure a PKI certificate request:
    Entering PKI Domain View: Required
    Configuring a Trustworthy CA: Required
    Configuring Parameters for PKI Domain: Required
    Configuring Entity Name Space: Required
    Creating a Local Public Private Key Pair: Required
    Configuring Polling Interval and Count: Optional
    Configuring Certificate Request Mode: Optional
    Delivering a Certificate Request Manually: Optional
    Retrieving a Certificate Manually: Optional
    Importing a Certificate: Optional
    Deleting a Certificate: Optional
Configure PKI certificate validation: Optional
Configure a certificate attribute access control policy: Optional
Table 421 Entering PKI Domain View
To do / Use the command / Remarks
Enter system view
    system-view
Specify a PKI domain name and enter domain view
    pki domain name
    Optional. No PKI domain name is specified by default.
A device may belong to two or more PKI domains, each of which requires its own configuration information; parameter configuration in PKI domain view serves this purpose. Currently, however, one device supports at most two PKI domains. If the device already belongs to two PKI domains, you need to delete an existing domain before you can use a new one.
Configuring a Trustworthy CA
Trustworthy CAs provide registration services and issue certificates for entities. They are essential to PKI: only when a CA trusted by everyone is available can users enjoy the security services of public key technology.
Follow these steps to configure a trustworthy CA:
The set of standards a CA uses in request processing, certificate issuing and revoking, and CRL releasing is called the CA policy. In general, a CA advertises its policy in files called certification practice statements (CPS). The CA policy can be obtained out of band or in other ways. You should understand the CA policy before choosing a CA, because different CAs may use different methods to authenticate the binding between a public key and its subject.
You need the CA identifier only when obtaining CA certificates, not when applying for local certificates.
Table 422 Configuring a Trustworthy CA
To do / Use the command / Remarks
Enter system view
    system-view
Specify a PKI domain name and enter domain view
    pki domain name
Specify a trustworthy CA
    ca identifier name
    Optional. No trustworthy CA is specified by default.
Configuring Parameters for PKI Domain
Follow these steps to configure the certificate request server:
An entity is required for a certificate request; it is used to prove the identity to the CA. For information about the entity-name argument, refer to Configuring Entity Name Space.
Registration management is often implemented by an independent registration authority (RA), which is responsible for handling certificate requests, examining entity qualification and determining for the CA whether or not to issue the digital certificate. It does not issue the certificate; that is done by the CA. Sometimes no independent RA is set up. This does not mean that the registration function of PKI is disabled, since the CA takes over registration management.
The registration server location (that is, its URL) needs to be specified. Entities can then present certificate requests to this server using the Simple Certificate Enrollment Protocol (SCEP, a protocol for communicating with a certification authority).
Storage of entity certificates and CRL information is essential to a PKI system. Usually, this is done using an LDAP directory server.
When receiving its identity certificate from the CA, the router needs to use the root certificate of the CA to verify the authenticity and validity of the identity certificate. When receiving the root certificate from the CA, the router needs to authenticate the fingerprint of the CA root certificate, which is a unique hash value of the content of the root certificate. If the fingerprint of the received CA root certificate is not identical to the one configured using the command described here, the router rejects the root certificate.
Table 423 Configuring Parameters for PKI Domain
To do / Use the command / Remarks
Enter system view
    system-view
Specify a PKI domain name and enter domain view
    pki domain name
Specify the entity for certificate request
    certificate request entity entity-name
    Required. By default, no entity is specified for certificate request.
Choose between CA and RA as the registration organization
    certificate request from { ca | ra }
    Required. By default, no registration organization is specified.
Specify the location of a registration server
    certificate request url url-string
    Required. By default, no registration server location is specified.
Specify the IP address of an LDAP server
    ldap-server ip ip-address [ port port-number ] [ version version-number ]
    Optional. By default, no IP address or port is specified for the LDAP server. Currently LDAP version 2 is used.
Configure the fingerprint for authenticating the root certificate
    root-certificate fingerprint { md5 | sha1 } string
    Optional. By default, no fingerprint is configured for authenticating the root certificate.
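As an added illustration of the root-certificate fingerprint check described above (example code written for this edit, not code from the 3Com guide or from the switch software), the following Python shows how a pinned fingerprint is computed over a certificate's DER encoding and compared with the configured value. The DER bytes and the pinned value are constructed for the example, the function names are hypothetical, and the switch's own implementation is not shown; the point is that the comparison accepts the operator's fingerprint in any common spelling and rejects everything else.

```python
import hashlib
import hmac

# Constructed stand-in for the DER bytes of a CA root certificate (not a real
# certificate); any byte string exercises the hashing and comparison logic.
SAMPLE_ROOT_DER = b"\x30\x82\x01\x0a" + b"constructed-root-certificate-bytes" * 3

# The value an operator would enter with "root-certificate fingerprint sha1 ...".
# It is derived here from the sample so the example runs offline; in practice it
# comes from the CA operator over an out-of-band channel.
PINNED_SHA1 = hashlib.sha1(SAMPLE_ROOT_DER).hexdigest()


def certificate_fingerprint(der_bytes: bytes, algorithm: str) -> str:
    """Hex fingerprint of a DER-encoded certificate.

    Mirrors the switch's root-certificate fingerprint { md5 | sha1 } choice:
    the fingerprint is the hash over the complete DER encoding.
    """
    if algorithm not in ("md5", "sha1"):
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    return hashlib.new(algorithm, der_bytes).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept fingerprints written as 'AB:CD:..', 'ab cd ..' or 'abcd..'."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def root_certificate_accepted(der_bytes: bytes, algorithm: str, configured: str) -> bool:
    """True only when the received root certificate matches the pinned fingerprint.

    This is the check the page describes: a received CA root certificate whose
    fingerprint differs from the configured one is rejected. A constant-time
    comparison keeps the result independent of where a mismatch occurs.
    """
    actual = certificate_fingerprint(der_bytes, algorithm)
    expected = normalize_fingerprint(configured)
    if len(expected) != len(actual):
        return False          # malformed or wrong-algorithm fingerprint configured
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("sha1 fingerprint:", certificate_fingerprint(SAMPLE_ROOT_DER, "sha1"))
    print("pinned root accepted:", root_certificate_accepted(SAMPLE_ROOT_DER, "sha1", PINNED_SHA1))
    print("tampered root accepted:",
          root_certificate_accepted(SAMPLE_ROOT_DER + b"\x00", "sha1", PINNED_SHA1))
```

Both md5 and sha1 are offered because the switch's command offers them; where the CA operator can publish a sha1 fingerprint, prefer it, since an md5 fingerprint gives weaker assurance that two different root certificates cannot share a value.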
Configuring Entity Name Space
The entity name space specifies the set of names available to entities. Each CA describes an entity with the information it considers important. A unique identifier, the distinguished name (DN), can be used to identify an entity. It consists of several parts, such as user common name, organization, country and owner name, and it must be unique in the network.
Entity configuration information must comply with the CA's certificate issuing policy, for example in which parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected.
Follow these steps to configure an entity name:
The entity name must be consistent with that specified for the registration organization using the certificate request entity entity-name command. Otherwise, the certificate request fails. name-str is just for convenience in referencing and does not appear as a certificate field.
The Windows 2000 CA server has some restrictions on the data length of certificates. If the configured entity length goes beyond a certain limit, the Windows 2000 CA server does not respond to certificate requests.
Table 424 Configuring Entity Name Space
To do / Use the command / Remarks
Enter system view
    system-view
Specify an entity name and enter the entity view
    pki entity name
Specify the FQDN name for an entity
    fqdn name-str
    Optional. By default, no entity FQDN is specified.
Specify the IP address for an entity
    ip ip-address
    Optional. By default, no IP address is specified.
Specify the country code for an entity
    country country-code-str
    Optional. By default, no country code is specified.
Specify the state or province for an entity
    state state-name
    Optional. By default, no state name is specified.
Specify the geographic locality for an entity
    locality locality-name
    Optional. By default, no locality name is specified.
Specify the organization name for an entity
    organization org-name
    Optional. By default, no organization is specified.
Specify the unit name for an entity
    organization-unit org-unit-name
    Optional. By default, no unit name is specified.
Specify the common name for an entity
    common-name name
    Optional. By default, no common name is specified.
A fully qualified domain name (FQDN) is the unique identifier of an entity in the network, for example an email address. It is often in the format user@domain and can be resolved to an IP address. An FQDN is equivalent to an IP address in function. This configuration is optional.
The country code uses two standard characters, for example, CN for China and US for the United States.
Creating a Local Public Private Key Pair
A key pair is generated during the certificate request: one public key and one private key. The private key is held by the user, while the public key and other information are transferred to the CA for signing and then generation of the certificate. Each CA certificate has a lifetime that is determined by the issuing CA. When the private key is compromised or the current certificate is about to expire, you have to delete the old key pair. Then another key pair can be generated for a new certificate.
If an RSA key pair already exists when you create a local key pair, the system prompts whether to replace it. The minimum length of a host key is 512 bits and the maximum length is 2048 bits.
Follow these steps to create a local RSA key pair:
Follow these steps to destroy a local RSA key pair:
For detailed configuration, see the related commands in the SSH Terminal Service module.
CAUTION:
If a local certificate already exists, do not create another key pair. To ensure consistency between the key pair and the existing certificate, first delete the existing certificate and then create a new key pair.
If a local RSA key pair exists, the newly generated key pair will overwrite the existing one.
The key pairs are originally for use in SSH. The local server regularly updates the local server key pair. However, the host key pair used in the certificate request remains unchanged.
Table 425 Create a Local RSA Key Pair
To do / Use the command / Remarks
Enter system view
    system-view
Create an RSA key pair
    rsa local-key-pair create
    Required. By default, there is no local RSA key pair.
Table 426 Destroy a Local RSA Key Pair
To do / Use the command / Remarks
Enter system view
    system-view
Destroy an RSA key pair
    rsa local-key-pair destroy
    Optional
Configuring Polling Interval and Count
If the CA examines certificate requests in manual mode, a long time may be required before the certificate is issued. During this period, you need to query the request status periodically, so that you get the certificate right after it is issued.
Follow these steps to configure polling interval and count:
Configuring Certificate Request Mode
The request mode can be manual or auto. Auto mode requests a certificate automatically through SCEP when there is none, and requests a new one when the old one is about to expire. In manual mode, all the related configuration and operations need to be carried out manually.
Follow these steps to configure certificate request mode:
Delivering a Certificate Request Manually
A certificate request is completed with the user public key and other registered information. Once all this is configured, you can deliver the certificate request to a PKI RA.
Follow these steps to deliver a certificate request:
Table 427 Configuring Polling Interval and Count
To do / Use the command / Remarks
Enter system view
    system-view
Specify a PKI domain name and enter domain view
    pki domain name
    Required. By default, no PKI domain name is specified.
Configure polling interval and count
    certificate request polling { interval minutes | count count }
    Optional. By default, the request polling message is sent 50 times at an interval of 20 minutes.
Table 428 Configuring Certificate Request Mode
To do / Use the command / Remarks
Enter system view
    system-view
Specify a PKI domain name and enter domain view
    pki domain name
Configure certificate request mode
    certificate request mode { manual | auto [ key-length key-length | password { simple | cipher } password ]* }
    Optional. By default, manual mode is selected.
Table 429 Delivering a Certificate Request Manually
To do / Use the command / Remarks
Enter system view
    system-view
Deliver a certificate request
    pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
    Required
CAUTION: If a local certificate already exists, the certificate request operation is disallowed, to eliminate inconsistency between the certificate and the registration information resulting from configuration changes. To request a new certificate, you should first delete the existing local certificate and all the locally stored CA certificates using the pki delete-certificate command.
If you cannot send the certificate request to the CA using SCEP, you can use the pkcs10 parameter to print out the request information, then copy it and send it to the CA out of band.
Before you deliver the certificate request, make sure the clocks of the entity and the CA are synchronized. Otherwise, the certificate validity period will be wrong.
This operation will not be saved.
Retrieving a Certificate Manually
Certificate retrieval serves two purposes: storing locally the certificates related to the local security domain to improve query efficiency, and preparing for certificate validation.
When downloading a digital certificate, select the local keyword for a local certificate and the ca keyword for a CA certificate.
Follow these steps to retrieve a certificate:
CAUTION:
If a CA certificate already exists locally, the CA certificate request operation is disallowed, to eliminate inconsistency between the certificate and the registration information resulting from configuration changes. To request a new certificate, you should first delete the existing CA and local certificates using the pki delete-certificate command.
This operation will not be saved.
Importing a Certificate
In out-of-band mode, you can import an existing local certificate or CA certificate by performing the following configuration.
Follow these steps to import a certificate:
Table 430 Retrieving a Certificate Manually
To do / Use the command / Remarks
Enter system view
    system-view
Retrieve a certificate and download it locally
    pki retrieval-certificate { local | ca } domain domain-name
    Required
Table 431 Importing a Certificate
To do / Use the command / Remarks
Enter system view
    system-view
Import a certificate
    pki import-certificate { local | ca } domain domain-name { der | p12 | pem } [ filename filename ]
    Required
Deleting a Certificate
You can delete an existing local certificate or CA certificate.
Follow these steps to delete a certificate:
Configuring PKI Certificate Validation
At every stage of data communication, both parties should verify the validity of the corresponding certificates, including issue time, issuer and certificate validity. The core is to verify the signature of the CA and to make sure the certificate is still valid. It is assumed that the CA never issues fake certificates, so every certificate with an authentic CA signature passes verification. For example, suppose you receive an email containing a certificate with a public key; the mail is encrypted using the public key and signed with the corresponding private key. You need to verify this certificate to determine whether it is valid and trustworthy.
Follow these steps to configure PKI certificate validation:
Table 432 Deleting a Certificate
To do / Use the command / Remarks
Enter system view
    system-view
Delete a certificate
    pki delete-certificate { local | ca } domain domain-name
    Required
Table 433 Configuring PKI Certificate Validation
To do / Use the command / Remarks
Enter system view
    system-view
Specify a PKI domain name and enter domain view
    pki domain name
Specify CRL distribution point location
    crl url url-string
    Required. By default, no CRL distribution point location is specified.
Specify CRL update period
    crl update period hours
    Optional. By default, CRLs are updated according to their validity period.
Enable/disable CRL check
    crl check { enable | disable }
    Optional. By default, CRL check is enabled.
Exit to system view
    quit
Retrieve a CRL and download it locally
    pki retrieval-crl domain domain-name
    Optional
Verify the validity of a local certificate
    pki validate-certificate { local | ca } domain domain-name
    Optional
The CRL update period refers to the interval at which CRLs are downloaded from the CRL access server to the local machine. A CRL update period configured manually takes priority over the one specified in the CRLs.
Similar to certificate validity, CRL validity is a field in the CRL file.
The purpose of downloading a CRL is to verify the validity of the certificates on the local device. This operation is not saved in the configuration.
You can verify the validity of a local certificate using the local parameter or of a CA certificate using the ca parameter.
The CRL file is not saved in the configuration.
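The following Python is an illustrative model added here, not code from the guide or from the switch, of how the CRL settings above interact during certificate validation: a manually configured update period overriding the CRL's own validity, crl check enable/disable deciding whether revocation is consulted at all, and revocation by serial number. The certificate and CRL objects, dates and serial numbers are constructed for the example; signature verification against the CA public key is assumed to be done by the caller and is not shown.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set


@dataclass
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime                      # the CRL's own validity field
    revoked_serials: Set[int] = field(default_factory=set)


@dataclass
class CrlPolicy:
    """Models the PKI domain's 'crl check' and 'crl update period' settings."""
    check_enabled: bool = True                  # crl check enable is the default
    update_period_hours: Optional[int] = None   # None: follow the CRL's validity period


def crl_refresh_due(crl: CRL, policy: CrlPolicy, now: datetime) -> bool:
    """True when the local CRL copy must be downloaded again.

    A manually configured update period takes priority over the CRL's own
    validity; without one, the CRL is stale once its next_update has passed.
    """
    if policy.update_period_hours is not None:
        return now >= crl.this_update + timedelta(hours=policy.update_period_hours)
    return now >= crl.next_update


def validate_certificate(cert: Certificate, crl: Optional[CRL],
                         policy: CrlPolicy, now: datetime) -> str:
    """Return 'valid' or a short reason for rejecting the certificate.

    Signature checking against the CA public key is assumed to be done by the
    caller; this function covers the validity period and the revocation status,
    which are what the CRL settings govern.
    """
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    if not policy.check_enabled:
        return "valid"                          # crl check disable: revocation is not consulted
    if crl is None:
        return "no CRL available"
    if crl.issuer != cert.issuer:
        return "CRL issuer mismatch"
    if crl_refresh_due(crl, policy, now):
        return "CRL stale, refresh required"
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "valid"


# Constructed sample data (not taken from the page): one CA, one CRL, three certificates.
NOW = datetime(2008, 2, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(issuer="CN=ca1", this_update=NOW - timedelta(hours=2),
                 next_update=NOW + timedelta(hours=22), revoked_serials={0x1002})
GOOD_CERT = Certificate(0x1001, "CN=ca1", NOW - timedelta(days=30), NOW + timedelta(days=335))
REVOKED_CERT = Certificate(0x1002, "CN=ca1", NOW - timedelta(days=30), NOW + timedelta(days=335))
EXPIRED_CERT = Certificate(0x1003, "CN=ca1", NOW - timedelta(days=400), NOW - timedelta(days=1))


def demo() -> Dict[str, str]:
    """Run the sample certificates through the checks under several CRL policies."""
    default = CrlPolicy()
    return {
        "good": validate_certificate(GOOD_CERT, SAMPLE_CRL, default, NOW),
        "revoked": validate_certificate(REVOKED_CERT, SAMPLE_CRL, default, NOW),
        "expired": validate_certificate(EXPIRED_CERT, SAMPLE_CRL, default, NOW),
        # a 1-hour manual update period overrides the CRL's 24-hour validity window
        "short period": validate_certificate(GOOD_CERT, SAMPLE_CRL, CrlPolicy(update_period_hours=1), NOW),
        # crl check disable lets a revoked certificate through
        "check disabled": validate_certificate(REVOKED_CERT, SAMPLE_CRL, CrlPolicy(check_enabled=False), NOW),
        "missing crl": validate_certificate(GOOD_CERT, None, default, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "check disabled" case is the one to keep in mind when choosing crl check disable on a domain: a certificate whose key has been reported compromised still validates, so the setting trades revocation coverage for availability when the CRL distribution point is unreachable.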
Configuring a Certificate Attribute Access Control Policy
CAUTION: The alternate certificate subject name attribute is not displayed in the form of a domain name; therefore, the dn keyword is not available when you configure the alternate certificate subject name attribute.
When creating a certificate attribute control rule by using the rule command, make sure the certificate attribute group identified by the group-name argument exists.
Table 434 Configure a certificate attribute-based access control policy
To do / Use the command / Remarks
Enter system view
    system-view
Create a certificate attribute group and enter certificate attribute group view
    pki certificate attribute-group group-name
    Required. By default, no certificate attribute group is created.
Configure the attribute rule for certificate issuer name, subject name of the certificate, and alternate subject name of the certificate
    attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
    Optional. By default, there is no rule for certificate issuer name, subject name of the certificate, or alternate subject name of the certificate.
Quit to system view
    quit
Create a certificate attribute access control policy and enter certificate attribute access control policy view
    pki certificate access-control-policy policy-name
    Required. By default, no certificate attribute access control policy is created.
Create a certificate attribute control rule
    rule [ id ] { permit | deny } group-name
    Optional. By default, no certificate attribute control rule is created.
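Added example (not code from the guide or from the switch): a Python model of how a certificate attribute access control policy like the one above, once associated with the HTTPS server as described in the HTTPS chapter, can decide whether a client certificate is accepted. It uses the groups mygroup1 and mygroup2 and the policy myacp from this chapter's configuration example; the client certificates are constructed, and the matching semantics noted in the comments (every attribute rule in a group must match, rules are tried in ascending id order, a certificate matching no rule is denied) are assumptions, since the guide does not spell them out.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class CertAttributes:
    """The certificate fields a certificate attribute group can test (constructed model)."""
    subject_dn: str = ""
    subject_fqdn: str = ""
    subject_ip: str = ""
    issuer_dn: str = ""
    issuer_fqdn: str = ""
    issuer_ip: str = ""
    alt_subject_fqdn: str = ""
    alt_subject_ip: str = ""


# One 'attribute' line of a group: (attribute, name form, operator, value),
# e.g. ("subject-name", "dn", "ctn", "aabbcc").
AttributeRule = Tuple[str, str, str, str]


@dataclass
class PolicyRule:
    """One 'rule [id] { permit | deny } group-name' line of an access control policy."""
    rule_id: int
    action: str
    group: str


def _field(cert: CertAttributes, attr: str, form: str) -> str:
    if attr == "alt-subject-name" and form == "dn":
        # Page caution: the alternate subject name has no dn form.
        raise ValueError("dn is not available for alt-subject-name")
    prefix = {"subject-name": "subject", "issuer-name": "issuer", "alt-subject-name": "alt_subject"}[attr]
    return getattr(cert, f"{prefix}_{form}")


def attribute_matches(cert: CertAttributes, rule: AttributeRule) -> bool:
    """Evaluate one attribute rule (ctn/equ/nctn/nequ) against a certificate."""
    attr, form, op, value = rule
    actual = _field(cert, attr, form)
    if form == "ip":
        equal = bool(actual) and ip_address(actual) == ip_address(value)
    else:
        equal = actual.lower() == value.lower()     # DN and FQDN matching is case-insensitive here
    contains = bool(actual) and value.lower() in actual.lower()
    # Assumption: an attribute absent from the certificate never matches ctn/equ,
    # so it does satisfy the negated forms nctn/nequ.
    return {"equ": equal, "nequ": not equal, "ctn": contains, "nctn": not contains}[op]


def evaluate_policy(rules: List[PolicyRule], groups: Dict[str, List[AttributeRule]],
                    cert: CertAttributes) -> Tuple[str, Optional[int]]:
    """Return (action, rule id) for the first rule whose group matches.

    Assumptions: a group matches when every attribute rule in it matches, rules
    are tried in ascending id order, and a certificate matching no rule is denied.
    """
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.group not in groups:
            raise ValueError(f"attribute group {r.group} does not exist")   # page: the group must exist
        if all(attribute_matches(cert, a) for a in groups[r.group]):
            return r.action, r.rule_id
    return "deny", None


# The groups and policy from the page's configuration example (mygroup1, mygroup2, myacp).
GROUPS: Dict[str, List[AttributeRule]] = {
    "mygroup1": [("subject-name", "dn", "ctn", "aabbcc"), ("issuer-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [("alt-subject-name", "fqdn", "nctn", "apple"), ("issuer-name", "dn", "ctn", "aabbcc")],
}
MYACP = [PolicyRule(1, "deny", "mygroup1"), PolicyRule(2, "permit", "mygroup2")]

# Constructed client certificates (not from the page).
CLIENT_A = CertAttributes(subject_dn="CN=client-a,O=aabbcc", issuer_dn="CN=ca-aabbcc",
                          issuer_ip="10.0.0.1", alt_subject_fqdn="client-a.example.test")
CLIENT_B = CertAttributes(subject_dn="CN=client-b,O=example", issuer_dn="CN=ca-aabbcc",
                          issuer_ip="10.0.0.2", alt_subject_fqdn="client-b.example.test")
CLIENT_C = CertAttributes(subject_dn="CN=client-c,O=example", issuer_dn="CN=ca-aabbcc",
                          issuer_ip="10.0.0.2", alt_subject_fqdn="pineapple.example.test")


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate_policy(MYACP, GROUPS, cert)
            for name, cert in (("client-a", CLIENT_A), ("client-b", CLIENT_B), ("client-c", CLIENT_C))}


if __name__ == "__main__":
    for name, (action, rule_id) in demo().items():
        print(f"{name}: {action} (rule {rule_id})")
```

Because the policy only looks at certificate attributes, it is a second gate after the SSL server-end policy's client-verify enable has already confirmed the certificate's signature chain; an attribute rule on issuer-name is only meaningful once that chain check has passed.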
Displaying and Maintaining PKI
Follow these steps to display and maintain PKI:
The certificate format and fields comply with the X.509 standard. All kinds of identifying information about the user and the CA are included, such as the user email address; the public key of the certificate holder; and the issuer, serial number, and validity period of the certificate.
The CRL complies with the X.509 standard, covering version, signature algorithm, issuer name, this update, next update, user public key, signature value, serial number, and revocation date.
Typical Configuration Examples
CAUTION:
When a server running the Windows operating system is used as the CA, the Simple Certificate Enrollment Protocol plug-in is required. In this case, you need to specify that the entity applies for the certificate from the RA by using the certificate request from ra command when configuring the PKI domain.
The Simple Certificate Enrollment Protocol plug-in is not needed when RSA Keon software is used. In this case, you need to specify that the entity applies for the certificate from the CA by using the certificate request from ca command when configuring the PKI domain.
This section assumes RSA Keon software is used on the CA server.
PKI Certificate Request to CA
Network requirements
The device is connected to the CA server through an IP network and is configured to request a certificate from the RSA CA.
Network diagram
Figure 172 Network diagram for PKI certificate request to CA
Table 435 Displaying and Maintaining PKI
To do / Use the command / Remarks
Display certificates
    display pki certificate { { ca | local } domain domain-name | request-status }
    Available in any view
Display CRLs
    display pki crl domain domain-name
    Available in any view
Display a certificate attribute group
    display pki certificate attribute-group { group-name | all }
    Available in any view
Display a certificate attribute access control policy
    display pki certificate access-control-policy { policy-name | all }
    Available in any view
Configuration procedure
1 Configure the entity name space.
<SysnameCA> system-view
[SysnameCA] pki entity torsa
[SysnameCA-pki-entity-torsa] common-name 1
[SysnameCA-pki-entity-torsa] quit
2 Configure parameters for the PKI domain. (The URLs of the registration organization servers for certificate requests vary depending on the CA servers used. The configuration given here is an example only; perform the configuration based on actual conditions.)
[SysnameCA] pki domain torsa
[SysnameCA-pki-domain-torsa] ca identifier rsa
[SysnameCA-pki-domain-torsa] certificate request url http://4.4.4.133:446/6953bf7fb5b1cf514376243ce67ebed1209c292a
[SysnameCA-pki-domain-torsa] certificate request from ca
[SysnameCA-pki-domain-torsa] certificate request entity torsa
[SysnameCA-pki-domain-torsa] crl url http://4.4.4.133:447/security_rsa.crl
[SysnameCA-pki-domain-torsa] quit
3 Create a local key pair by using RSA.
[SysnameCA] rsa local-key-pair create
4 Request a certificate.
[SysnameCA] pki retrieval-certificate ca domain torsa
[SysnameCA] pki retrieval-crl domain torsa
[SysnameCA] pki request-certificate domain torsa challenge-word
ACL Policy Based on Certificate Attribute
Network requirements
Clients access the device remotely using the HTTP Security (HTTPS) protocol.
Authorized clients must log in to the HTTPS server securely using the SSL protocol.
An ACL policy based on certificate attributes is created for the HTTPS server to restrict client access.
Networking diagram
Figure 173 Networking diagram of ACL policy based on certificate attribute (diagram labels: Host as HTTPS Client, Device as HTTPS Server, connected through an IP network)
Configuration procedure
For SSL configuration, refer to SSL Configuration.
For HTTPS configuration, refer to HTTPS Server Configuration.
1 Configure the HTTPS server
a Configure the SSL policy used by the HTTPS server. The PKI domain to be referenced must already exist. Keep client-verify enable: the certificate access control policy configured below can only be applied to a client certificate that the server has requested and verified.
<SysnameCA> system-view
[SysnameCA] ssl server-policy myssl
[SysnameCA-ssl-server-policy-myssl] pki-domain 1
[SysnameCA-ssl-server-policy-myssl] close-mode wait
[SysnameCA-ssl-server-policy-myssl] client-verify enable
[SysnameCA-ssl-server-policy-myssl] quit
2 Configure the certificate attribute groups
a Configure the certificate attribute group mygroup1 with two attribute rules. The first rule requires that the DN of the subject name contain the string aabbcc, and the second rule requires that the IP address of the certificate issuer be 10.0.0.1.
[SysnameCA] pki certificate attribute-group mygroup1
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[SysnameCA-pki-cert-attribute-group-mygroup1] quit
b Configure the certificate attribute group mygroup2 with two attribute rules. The first rule requires that the FQDN of the subject alternative name not contain the string apple, and the second rule requires that the DN of the certificate issuer name contain the string aabbcc.
[SysnameCA] pki certificate attribute-group mygroup2
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[SysnameCA-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[SysnameCA-pki-cert-attribute-group-mygroup2] quit
3 Configure the certificate access control policy
Configure the certificate access control policy myacp with two rules: rule 1 denies certificates that match mygroup1, and rule 2 permits certificates that match mygroup2.
[SysnameCA] pki certificate access-control-policy myacp
[SysnameCA-pki-cert-acp-myacp] rule 1 deny mygroup1
[SysnameCA-pki-cert-acp-myacp] rule 2 permit mygroup2
[SysnameCA-pki-cert-acp-myacp] quit
4 Associate the HTTPS server with the policies and start the HTTPS server
a Specify myssl as the SSL server policy for the HTTPS server.
[SysnameCA] ip https ssl-server-policy myssl
b Specify myacp as the certificate access control policy for the HTTPS server.
[SysnameCA] ip https certificate access-control-policy myacp
c Start the HTTPS server.
[SysnameCA] ip https enable
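To make the rule semantics concrete, the following Python model evaluates the attribute groups mygroup1 and mygroup2 and the access control policy myacp configured above against a few constructed certificates. It is an added example, not code from this guide or from the switch software, and it makes assumptions that the guide does not state: an attribute group matches only when every attribute rule in it matches, policy rules are tried in ascending rule number and the first matching rule decides, string comparison is exact, a negative operator (nctn, nequ) over an absent field is satisfied, and a certificate that matches no rule is rejected (fail closed). The certificate field values are constructed, not taken from real certificates.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CertFields:
    """The certificate fields the attribute rules can test (parsed beforehand).
    DNs are RFC 4514 strings; alternative names are lists of values."""
    subject_dn: str = ""
    issuer_dn: str = ""
    subject_fqdn: List[str] = field(default_factory=list)  # SAN dNSName entries
    subject_ip: List[str] = field(default_factory=list)    # SAN iPAddress entries
    issuer_fqdn: List[str] = field(default_factory=list)   # issuer alt-name dNSName entries
    issuer_ip: List[str] = field(default_factory=list)     # issuer alt-name iPAddress entries


@dataclass
class AttributeRule:
    """One 'attribute <n> <name> <kind> <op> <value>' line of an attribute group."""
    name: str    # subject-name | alt-subject-name | issuer-name
    kind: str    # dn | fqdn | ip
    op: str      # ctn | nctn | equ | nequ
    value: str


def field_values(cert: CertFields, name: str, kind: str) -> List[str]:
    """Select the certificate values that a (name, kind) pair refers to."""
    table = {
        ("subject-name", "dn"): [cert.subject_dn],
        ("alt-subject-name", "fqdn"): cert.subject_fqdn,
        ("alt-subject-name", "ip"): cert.subject_ip,
        ("issuer-name", "dn"): [cert.issuer_dn],
        ("issuer-name", "fqdn"): cert.issuer_fqdn,
        ("issuer-name", "ip"): cert.issuer_ip,
    }
    if (name, kind) not in table:
        raise ValueError(f"unsupported attribute {name} {kind}")
    return table[(name, kind)]


def rule_matches(rule: AttributeRule, cert: CertFields) -> bool:
    """ctn/equ match when any value contains/equals the rule value; nctn/nequ
    match when no value does. Assumption: comparisons are exact (case-sensitive)
    and a negative operator over an absent field (e.g. no SAN) is satisfied."""
    values = field_values(cert, rule.name, rule.kind)
    if rule.op == "ctn":
        return any(rule.value in v for v in values)
    if rule.op == "nctn":
        return not any(rule.value in v for v in values)
    if rule.op == "equ":
        return any(rule.value == v for v in values)
    if rule.op == "nequ":
        return not any(rule.value == v for v in values)
    raise ValueError(f"unknown operator {rule.op}")


def group_matches(group: List[AttributeRule], cert: CertFields) -> bool:
    """Assumption: a group matches only when every attribute rule in it matches."""
    return all(rule_matches(r, cert) for r in group)


def evaluate_policy(policy: List[Tuple[int, str, str]],
                    groups: Dict[str, List[AttributeRule]],
                    cert: CertFields) -> Tuple[str, int]:
    """Walk the rules in ascending rule number; the first matching group decides.
    Returns (action, rule_number); ("deny", 0) means no rule matched, which this
    model treats as a rejection (fail closed, an assumption)."""
    for rule_no, action, group_name in sorted(policy):
        if group_matches(groups[group_name], cert):
            return action, rule_no
    return "deny", 0


# The groups and policy configured in the procedure above.
GROUPS = {
    "mygroup1": [AttributeRule("subject-name", "dn", "ctn", "aabbcc"),
                 AttributeRule("issuer-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [AttributeRule("alt-subject-name", "fqdn", "nctn", "apple"),
                 AttributeRule("issuer-name", "dn", "ctn", "aabbcc")],
}
MYACP = [(1, "deny", "mygroup1"), (2, "permit", "mygroup2")]

# Constructed sample certificates (field values only, not real certificates).
CERT_BLOCKED = CertFields(subject_dn="CN=aabbcc-host,O=Example",
                          issuer_dn="CN=Example Issuing CA", issuer_ip=["10.0.0.1"])
CERT_ALLOWED = CertFields(subject_dn="CN=orange.example.net,O=Example",
                          issuer_dn="CN=aabbcc Root CA", subject_fqdn=["orange.example.net"])
CERT_NO_MATCH = CertFields(subject_dn="CN=apple.example.net,O=Example",
                           issuer_dn="CN=aabbcc Root CA", subject_fqdn=["apple.example.net"])
CERT_BOTH = CertFields(subject_dn="CN=aabbcc,O=Example",
                       issuer_dn="CN=aabbcc Root CA", issuer_ip=["10.0.0.1"])

if __name__ == "__main__":
    for label, cert in [("blocked", CERT_BLOCKED), ("allowed", CERT_ALLOWED),
                        ("no match", CERT_NO_MATCH), ("both groups", CERT_BOTH)]:
        print(label, evaluate_policy(MYACP, GROUPS, cert))
```

Note the order dependence: CERT_BOTH satisfies both groups and is denied only because rule 1 is evaluated before rule 2, so when you build a policy on the switch, give the deny rules lower rule numbers than the permit rules they are meant to carve exceptions out of.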
Troubleshooting
Failed to Retrieve a CA Certificate
Troubleshooting: If you fail to obtain a CA certificate, the reasons might include:
1 Software problems
- No trusted CA is specified.
- The Simple Certificate Enrollment Protocol (SCEP) is not installed on the CA server. Verify that it is installed.
- The server URL for the certificate request through SCEP is incorrect or not configured. You can check whether the server is reachable by using the ping command.
- No RA is specified.
- The system clock is not correct.
2 Hardware problems
- Network connection faults, such as a broken network cable or a loose interface.
Failed to Request a Local Certificate
Troubleshooting: If you fail to request a local certificate after the device has finished the configuration of the PKI domain parameters and the entity DN, and has created a new RSA key pair, the reasons might include:
1 Software problems
- No CA/RA certificate has been retrieved.
- No key pair has been created, or the current key pair already has a certificate.
- No trusted CA is specified.
- The Simple Certificate Enrollment Protocol (SCEP) is not installed on the CA server. Verify that it is installed.
- The server URL for the certificate request through SCEP is incorrect or not configured. You can check whether the server is reachable by using the ping command.
- No certificate authority is configured.
- The necessary attributes of the entity DN are not configured. Check the CA/RA authentication policy to find out which attributes are required, and configure them.
2 Hardware problems
- Network connection faults, such as a broken network cable or a loose interface.
Failed to Retrieve a CRL
Troubleshooting: If you fail to retrieve a CRL, the reasons might include:
1 Software problems
- The device is not synchronized with the CA server (check the system clock).
- No local certificate exists when you try to retrieve the CRL.
- The IP address of the LDAP server is not configured.
- The CRL distribution point location is not configured.
- The LDAP server version is wrong.
2 Hardware problems
- Network connection faults, such as a broken network cable or a loose interface.
63 POE CONFIGURATION
PoE Overview
Introduction to PoE
Power over Ethernet (PoE) means that power sourcing equipment (PSE) supplies power to powered devices (PDs), such as IP telephones, wireless LAN access points, and web cameras, from Ethernet interfaces through twisted pair cables.
Advantages
- Reliable: Power is supplied in a centralized way, so it is very convenient to provide a backup power supply.
- Easy to connect: A network terminal requires only one Ethernet cable and no external power supply.
- Standard: In compliance with IEEE 802.3af, a globally uniform power interface is adopted.
- Promising: It can be applied to IP telephones, wireless LAN access points, portable chargers, card readers, web cameras, and data collectors.
Composition
A PoE system consists of the PoE power, the PSE, and PDs.
PoE power
The whole PoE system is powered by the PoE power, which can be an external PoE power supply or an internal PoE power supply. The PoE power types supported depend on the device model.
PSE
The PSE is a card or subcard. Each PSE manages its own PoE interfaces independently. The PSE examines the Ethernet cables connected to its PoE interfaces, searches for devices that comply with the specification, classifies them, and supplies power to them. When the PSE detects that a PD has been unplugged, it stops supplying power to that PD.
An Ethernet interface with the PoE capability is called a PoE interface. Currently, a PoE interface can be an FE or GE interface.
PD
A PD is a device that accepts power from the PSE. There are standard PDs and nonstandard PDs. A standard PD is one that complies with IEEE 802.3af. A PD that is being powered by the PSE can also be connected to another power supply unit for redundancy.
Protocol Specification
The protocol specification related to PoE is IEEE 802.3af.
PoE Configuration Tasks
Complete these tasks to configure PoE:
Table 436 PoE Configuration Tasks
Task | Remarks
Configuring the PoE Interface | Required
Configuring PD Power Management | Optional
Configuring a Power Alarm Threshold for the PSE | Optional
Upgrading PSE Processing Software Online | Optional
Configuring a PD Disconnection Detection Mode | Optional
Enabling the PSE to Detect Nonstandard PDs | Optional
Configuring the PoE Interface
You can configure a PoE interface in either of the following two ways:
- Through the command line.
- Through a PoE configuration file that you apply to the specified PoE interface(s).
Usually, you use the command line to configure a single PoE interface, and a PoE configuration file to batch configure PoE interfaces. You can use either mode to configure, modify, or delete a PoE configuration parameter on the same PoE interface.
The PSE applies power to a PoE interface in one of two modes. For a device with only signal cables, power is supplied over the signal cables. For a device with both spare cables and signal cables, power can be supplied over the spare cables or the signal cables.
To clearly identify the PD connected to a PoE interface, you can give the PD a description.
Configuring a PoE Interface through the Command Line
Follow these steps to configure a PoE interface through the command line:
Table 437 Configuring a PoE Interface through the Command Line
To do | Use the command | Remarks
Enter system view | system-view | -
Enter PoE interface view | interface interface-type interface-number | -
Enable PoE | poe enable | Required. By default, PoE is disabled on the PoE interface.
Configure the maximum power for the PoE interface | poe max-power max-power | Optional. By default, the maximum power on the PoE interface is 15,400 milliwatts.
Configure the PoE mode for the PoE interface | poe mode signal | Optional. By default, the PoE mode is signal (power over signal cables).
Configure a description for the PD connected to the PoE interface | poe pd-description string | Optional
Configuring PoE Interfaces through a PoE Configuration File
A PoE configuration file is used to batch configure PoE interfaces that share the same attributes, to simplify operations. This configuration method is a supplement to the common command line configuration.
Commands in a PoE configuration file are called configurations.
Follow these steps to configure PoE interfaces through a PoE configuration file:
- After a PoE configuration file is applied to a PoE interface, other PoE configuration files cannot take effect on that PoE interface.
- If a PoE configuration file is already applied to a PoE interface, you must execute the undo apply poe-profile command to remove it from the interface before deleting or modifying the PoE configuration file.
- If you have configured a PoE interface through the command line, you cannot configure it through a PoE configuration file as well. If you want to reconfigure the interface through a PoE configuration file, you must first remove the command line configuration from the PoE interface.
- You must use the same mode (command line or PoE configuration file) to configure the poe max-power max-power and poe priority { critical | high | low } commands.
Table 438 Configuring PoE Interfaces through a PoE Configuration File
To do | Use the command | Remarks
Enter system view | system-view | -
Create a PoE configuration file and enter PoE configuration file view | poe-profile profile-name [ index ] | Required
Enable PoE for the PoE interface | poe enable | Required. By default, PoE is disabled on a PoE interface.
Configure the maximum power for the PoE interface | poe max-power max-power | Optional. By default, the maximum power on the PoE interface is 15,400 milliwatts.
Configure the PoE mode for the PoE interface | poe mode signal | Optional. By default, the PoE mode is signal (power over signal cables).
Return to system view | quit | -
Apply the PoE configuration file to one or more PoE interfaces | apply poe-profile { index index | name profile-name } interface interface-range | Use either approach
Apply the PoE configuration file to the current PoE interface in PoE interface view | interface interface-type interface-number, then apply poe-profile { index index | name profile-name } | Use either approach
Configuring PD Power Management
The power priority of a PD depends on the priority of the PoE interface. The priority levels of PoE interfaces are critical, high, and low, in descending order. Power supply to a PD is subject to the PD power management policies.
All PSEs implement the same PD power management policies. When the PSE supplies power to a PD:
- By default, no power is supplied to a new PD if the PSE power is overloaded.
- Under the control of a priority policy, when the PSE power is overloaded, PDs with a lower priority are powered off first to guarantee the power supply to a new PD with a higher priority.
If the guaranteed remaining PSE power (the maximum PSE power minus the power allocated to the critical PoE interfaces, regardless of whether PoE is enabled on those interfaces) is lower than the maximum power of the PoE interface, setting the priority of the PoE interface to critical fails. Otherwise the setting succeeds, and the PoE interface preempts the power of other PoE interfaces with a lower priority level. The PoE interfaces whose power is preempted are powered off, but their configurations remain unchanged. When you change the priority of a PoE interface from critical to a lower level, the PDs connected to other PoE interfaces get an opportunity to seize the freed power.
Configuration prerequisites
Enable PoE for the PoE interfaces.
Configuration procedure
Follow these steps to configure PD power management:
Table 439 Configuring PD Power Management
To do | Use the command | Remarks
Enter system view | system-view | -
Configure the power priority for the PoE interface in PoE interface view | interface interface-type interface-number, then poe priority { critical | high | low } | Use either approach. By default, the power priority of a PoE interface is low.
Configure the power priority for the PoE interface in PoE configuration file view | poe-profile profile-name [ index ], then poe priority { critical | high | low } | Use either approach. By default, the power priority of a PoE interface is low.
Configure a PD power management priority policy | poe pd-policy priority | Optional. By default, no PD power management priority policy is configured.
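The following Python model is an added example, not code from this guide or from the switch, of the PD power management behaviour described in this section: the guaranteed-remaining-power check that makes setting a priority to critical fail (the first symptom under Troubleshooting PoE), the default behaviour of powering no new PD when the PSE is overloaded, and the preemption of lower-priority PDs under the priority policy. It runs the interfaces of the chapter's PoE configuration example (GigabitEthernet1/0/1, 1/0/2 at critical, 1/0/5 capped at 9,000 mW, and 1/0/6) against a PSE budget of 30,000 mW, which is a constructed figure since the guide gives none. Further assumptions that the guide does not state: the PSE budgets each powered interface at its configured maximum power rather than its measured draw, preemption happens only when poe pd-policy priority is configured, and within one priority level the most recently powered PD is shed first.

```python
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}


@dataclass
class PoeInterface:
    name: str
    max_power: int = 15400      # milliwatts; the guide's default for poe max-power
    priority: str = "low"       # the guide's default for poe priority
    enabled: bool = False       # poe enable
    pd_connected: bool = False
    powered: bool = False
    order: int = 0              # when the PD was last powered (shedding order)


class Pse:
    """A PSE with a fixed budget managing its PoE interfaces. Assumptions (not
    from the guide): interfaces are budgeted at configured max_power; only the
    priority policy preempts; most recently powered PD is shed first."""

    def __init__(self, max_power_mw: int, priority_policy: bool = False) -> None:
        self.max_power = max_power_mw
        self.priority_policy = priority_policy   # 'poe pd-policy priority'
        self.ifaces: Dict[str, PoeInterface] = {}
        self._seq = 0

    def add(self, iface: PoeInterface) -> None:
        self.ifaces[iface.name] = iface

    def allocated(self) -> int:
        return sum(i.max_power for i in self.ifaces.values() if i.powered)

    def guaranteed_remaining(self) -> int:
        """Maximum PSE power minus the power reserved for every critical
        interface, whether or not PoE is enabled on it (as the guide states)."""
        reserved = sum(i.max_power for i in self.ifaces.values() if i.priority == "critical")
        return self.max_power - reserved

    def set_priority(self, name: str, priority: str) -> bool:
        """Returns False for the failure described under Troubleshooting PoE."""
        iface = self.ifaces[name]
        if (priority == "critical" and iface.priority != "critical"
                and self.guaranteed_remaining() < iface.max_power):
            return False
        iface.priority = priority
        self._retry_waiting()   # a promoted PD may preempt; a demoted one frees budget
        return True

    def connect_pd(self, name: str) -> bool:
        iface = self.ifaces[name]
        iface.pd_connected = True
        return self._power(iface)

    def disconnect_pd(self, name: str) -> None:
        iface = self.ifaces[name]
        iface.pd_connected = iface.powered = False
        self._retry_waiting()   # freed budget: waiting PDs get a chance to seize it

    def powered_names(self) -> List[str]:
        return sorted(i.name for i in self.ifaces.values() if i.powered)

    def waiting_names(self) -> List[str]:
        return sorted(i.name for i in self.ifaces.values() if i.pd_connected and not i.powered)

    def _fits(self, iface: PoeInterface) -> bool:
        return self.allocated() + iface.max_power <= self.max_power

    def _power(self, iface: PoeInterface) -> bool:
        if not (iface.enabled and iface.pd_connected) or iface.powered:
            return iface.powered
        if not self._fits(iface):
            if not self.priority_policy:
                return False    # default policy: an overloaded PSE powers no new PD
            victims = [i for i in self.ifaces.values() if i.powered
                       and PRIORITY_RANK[i.priority] < PRIORITY_RANK[iface.priority]]
            if self.allocated() - sum(v.max_power for v in victims) + iface.max_power > self.max_power:
                return False    # shedding every lower-priority PD would still not suffice
            for victim in sorted(victims, key=lambda i: (PRIORITY_RANK[i.priority], -i.order)):
                victim.powered = False     # power removed; its configuration stays
                if self._fits(iface):
                    break
        self._seq += 1
        iface.order = self._seq
        iface.powered = True
        return True

    def _retry_waiting(self) -> None:
        for iface in sorted(self.ifaces.values(), key=lambda i: -PRIORITY_RANK[i.priority]):
            if iface.pd_connected and not iface.powered:
                self._power(iface)


def scenario(priority_policy: bool) -> dict:
    """The chapter's configuration example on a constructed 30,000 mW PSE budget."""
    pse = Pse(30000, priority_policy)
    for name in ("1/0/1", "1/0/2", "1/0/5", "1/0/6"):
        pse.add(PoeInterface(name, enabled=True))
    pse.ifaces["1/0/5"].max_power = 9000
    critical_ok = pse.set_priority("1/0/2", "critical")    # 30000 mW guaranteed >= 15400
    critical_fail = pse.set_priority("1/0/1", "critical")  # only 14600 mW guaranteed now
    pse.connect_pd("1/0/5")                                # 9000 mW in use
    pse.connect_pd("1/0/6")                                # 24400 mW in use
    new_pd = pse.connect_pd("1/0/2")                       # critical PD needs 15400 mW more
    return {"critical_ok": critical_ok, "critical_fail": critical_fail,
            "critical_pd_powered": new_pd, "powered": pse.powered_names(),
            "waiting": pse.waiting_names()}


if __name__ == "__main__":
    print("default policy:", scenario(False))
    print("priority policy:", scenario(True))
```

Without poe pd-policy priority, the critical IP phone on GigabitEthernet1/0/2 stays unpowered because the two APs already hold the budget; with the policy, the most recently powered low-priority AP (1/0/6) is shed and keeps its configuration, so it is powered again as soon as budget is freed. The second set_priority call fails for exactly the reason given in the troubleshooting section: after 1/0/2 reserves 15,400 mW, only 14,600 mW is guaranteed, which is less than the default maximum power of 1/0/1.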
Configuring a Power Alarm Threshold for the PSE
When the power utilization of the PSE first rises above or falls below the alarm threshold, the system sends a Trap message. When the PSE starts or stops supplying power to a PD, the system also sends a Trap message.
Follow these steps to configure a power alarm threshold for the PSE:
Table 440 Configuring a Power Alarm Threshold for the PSE
To do | Use the command | Remarks
Enter system view | system-view | -
Configure a power alarm threshold for the PSE | poe utilization-threshold utilization-threshold-value | Optional. By default, the power alarm threshold for the PSE is 80%.
Upgrading PSE Processing Software Online
You can upgrade the PSE processing software online in either of the following modes:
- Refresh mode: Normally, you upgrade the PSE processing software in Refresh mode through the command line.
- Full mode: When an exception, such as an interruption (power failure) or an error, occurs during an upgrade in Refresh mode, you can upgrade the PSE processing software in Full mode. When the PSE processing software is damaged (in which case no PoE command executes successfully), you can upgrade the PSE processing software in Full mode to restore the PSE function.
An online PSE processing software upgrade may be interrupted unexpectedly (for example, an error causes the device to reboot). If you fail to upgrade the PSE processing software in Full mode after the reboot, power off the device and restart it before upgrading again. After the upgrade, restart the device manually to make the original PoE configuration take effect. Support for this upgrade method depends on the device model.
Follow these steps to upgrade the PSE processing software online:
Table 441 Upgrading PSE Processing Software Online
To do | Use the command | Remarks
Enter system view | system-view | -
Upgrade the PSE processing software online | poe update { full | refresh } filename | Optional
Configuring a PD Disconnection Detection Mode
To detect whether a PD is still connected to the PSE, PoE provides two detection modes: AC detection and DC detection. AC detection consumes less energy than DC detection.
Follow these steps to configure a PD disconnection detection mode:
Table 442 Configuring a PD Disconnection Detection Mode
To do | Use the command | Remarks
Enter system view | system-view | -
Configure a PD disconnection detection mode | poe disconnect { ac | dc } | Optional. The default PD disconnection detection mode depends on the device model.
If you change the PD disconnection detection mode while the device is running, the connected PDs are powered off. Exercise caution when doing so.
Enabling the PSE to Detect Nonstandard PDs
There are standard PDs and nonstandard PDs. Usually, the PSE can detect and supply power only to standard PDs. The PSE can detect nonstandard PDs and supply power to them only after it has been enabled to do so.
Follow these steps to enable the PSE to detect nonstandard PDs:
Table 443 Enabling the PSE to Detect Nonstandard PDs
To do | Use the command | Remarks
Enter system view | system-view | -
Enable the PSE to supply power to detected nonstandard PDs | poe legacy enable | Optional. By default, the PSE does not supply power to detected nonstandard PDs.
Displaying and Maintaining PoE
Table 444 Displaying and Maintaining PoE
To do | Use the command | Remarks
Display the mapping between ID, module, and slot of all PSEs | display poe device | Available in any view
Display the power state and information of the specified PoE interface, or of all PoE interfaces connected with the PSE if no interface is specified | display poe interface [ interface-type interface-number ] | Available in any view
Display the power information of the specified PoE interface, or of all PoE interfaces connected with the PSE if no interface is specified | display poe interface power [ interface-type interface-number ] | Available in any view
Display the information of a PSE | display poe pse [ pse-id ] | Available in any view
Display all configuration and application information of the PoE configuration file | display poe-profile [ index index | name profile-name ] | Available in any view
Display all configuration and application information of the PoE configuration file applied to the specified PoE interface | display poe-profile interface interface-type interface-number | Available in any view
PoE Configuration Example
Network requirements
- GigabitEthernet1/0/1 and GigabitEthernet1/0/2 are connected to IP telephones.
- GigabitEthernet1/0/5 and GigabitEthernet1/0/6 are connected to access point (AP) devices.
- The power priority of GigabitEthernet1/0/2 is critical.
- The power of the AP device connected to GigabitEthernet1/0/5 does not exceed 9,000 milliwatts.
Network diagram
Figure 174 Network diagram for PoE (IP Phones on GigabitEthernet1/0/1 and GigabitEthernet1/0/2, APs on GigabitEthernet1/0/5 and GigabitEthernet1/0/6, with the switch uplinked to the Network)
Configuration procedure
1 Enable PoE on GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/5, and GigabitEthernet1/0/6.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] poe enable
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe enable
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe enable
[Sysname-GigabitEthernet1/0/5] quit
[Sysname] interface gigabitethernet 1/0/6
[Sysname-GigabitEthernet1/0/6] poe enable
[Sysname-GigabitEthernet1/0/6] quit
2 Set the power priority level of GigabitEthernet1/0/2 to critical.
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] poe priority critical
[Sysname-GigabitEthernet1/0/2] quit
3 Set the maximum power of GigabitEthernet1/0/5 to 9,000 milliwatts.
[Sysname] interface gigabitethernet 1/0/5
[Sysname-GigabitEthernet1/0/5] poe max-power 9000
Troubleshooting PoE
Symptom: Setting the priority of a PoE interface to critical fails.
Analysis:
- The guaranteed remaining power of the PSE is lower than the maximum power of the PoE interface.
- The priority of the PoE interface is already set.
Solution: In the former case, increase the maximum PSE power, or reduce the maximum power of the PoE interface if the guaranteed remaining power of the PSE cannot be modified. In the latter case, first remove the priority already configured.
Symptom: Applying a PoE configuration file to a PoE interface fails.
Analysis:
1 Some configurations in the PoE configuration file are already configured on the PoE interface.
2 Some configurations in the PoE configuration file do not meet the configuration requirements of the PoE interface.
3 Another PoE configuration file is already applied to the PoE interface.
Solution: In case 1, remove the existing configurations from the PoE interface. In case 2, modify the offending configurations in the PoE configuration file. In case 3, remove the application of the undesired PoE configuration file from the PoE interface.
Symptom: Although the parameters are valid, configuring an AC input under-voltage threshold fails.
Analysis: The AC input under-voltage threshold is greater than or equal to the AC input over-voltage threshold.
Solution: Lower the AC input under-voltage threshold below the AC input over-voltage threshold.