H3C Technologies H3C WX6000 Series Access Controllers User Manual

Search online or download the user manual for H3C Technologies H3C WX6000 Series Access Controllers routers.

H3C WX6103 Access Controller Switch
Interface Board
Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document Version: 6W102-20100702

Table of contents

Page 1 - Configuration Guide

H3C WX6103 Access Controller Switch Interface Board Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6

Page 2 - Trademarks

v Port Security Configuration Task List····································································································19-3 Enabl

Page 3 - Preface

12-1 12 QinQ Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured with the swit

Page 4 - Conventions

12-2 Figure 12-1 Single-tagged frame structure vs. double-tagged Ethernet frame structure Advantages of QinQ: • Addresses the shortage of public

Page 5 - Documentation Feedback

12-3 For a WX6103 access controller switch interface board with both basic QinQ function and selective QinQ function enabled, packets received are p

Page 6 - Table of Contents

12-4 Protocol type Value MPLS 0x8847/0x8848 IPX/SPX 0x8137 IS-IS 0x8000 LACP 0x8809 802.1x 0x888E Cluster 0x88A7 Reserved 0xFFFD/0xFFFE/0xFFFF Conf

Page 7

12-5 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number Enter

Page 8

12-6 • Frames of VLAN 10 of Customer A and frames of VLAN 10 of Customer B can be forwarded to each other through VLAN 1000 of the provider network;

Page 9

12-7 [ProviderA-GigabitEthernet0/0/1] qinq vid 1000 [ProviderA-GigabitEthernet0/0/1-vid-1000] raw-vlan-id inbound 10 [ProviderA-GigabitEthernet0/0/1-

Page 10

12-8 GigabitEthernet 0/0/3 of Provider A and the device connecting with GigabitEthernet 0/0/1 of Provider B so that their corresponding ports send ta

Page 11

13-1 13 BPDU Tunneling Configuration When configuring BPDU tunneling, go to these sections for information you are interested in: • Introduction to

Page 12

13-2 each customer network to implement independent spanning tree calculation, without affecting each other. Refer to Configuring BPDU Transparent Tr

Page 13

vi Enabling the Output of Port State Transition Information····························································20-27 Enabling the MSTP Featur

Page 14

13-3 To do... Use the command... Remarks Enter Ethernet port view interface interface-type interface-number Enter Ethernet port view or port group

Page 15

13-4 • BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect. • The BPDU tunneling feature is i

Page 16

13-5 Network diagram Figure 13-2 Network diagram for BPDU tunneling configuration

Page 17

13-6 [ProviderC] interface GigabitEthernet 0/0/4 [ProviderC-GigabitEthernet0/0/4] port access vlan 2 [ProviderC-GigabitEthernet0/0/4] stp disable [P

Page 18

14-1 14 Port Correlation Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured w

Page 19

14-2 Similarly, if you configure the transmission rate for an Ethernet port by using the speed command with the auto keyword specified, the transmiss

Page 20

14-3 Currently, only Dual-Combo ports are supported on WX6103 access controller switch boards. Configuring Combo port state Follow these steps to

Page 21

14-4 Follow these steps to enable Ethernet port loopback test: To do... Use the command... Remarks Enter system view system-view — Enter Ethernet p

Page 22

14-5 To do... Use the command... Remarks Enter system view system-view — Create a manual port group and enter manual port group view port-group man

Page 23

14-6 To do... Use the command... Remarks Configure unknown unicast storm suppression ratio unicast-suppression { ratio | pps max-pps } Optional By

Page 24

vii Displaying and Maintaining a Routing Table·························································································21-5 22 GR Ove

Page 25

14-7 • If loops are detected on a port that is of trunk or hybrid type, trap messages are sent to the terminal. If the loopback detection control fu

Page 26

14-8 Follow these steps to configure the cable type for an Ethernet Port: To do... Use the command... Remarks Enter system view system-view — Enter

Page 27

14-9 Although the storm suppression function and the storm constrain function can all be used to control specific type of traffic, they conflict wit

Page 28

14-10 • For network stability consideration, configure the interval for generating traffic statistics to a value that is not shorter than the defau

Page 29 - OAP Board Overview

15-1 15 Port Isolation Configuration When configuring port isolation, go to these sections for information you are interested in: • Introduction to

Page 30

15-2 Displaying Isolation Groups To do… Use the command… Remarks Display an isolation group and its information display port-isolate group Availab

Page 31 - 2 Logging In Through Telnet

15-3 <AC> display port-isolate group Port-isolate group information: Uplink port support: No Group ID: 1 GigabitEthernet0/0/1 Gigabit

Page 32 - Common Configuration

16-1 16 Link Aggregation Overview The term switch in this document refers to a switch in a generic sense or an access controller configured with t

Page 33

16-2 Table 16-1 Consistency considerations for ports in an aggregation Category Considerations STP State of port-level STP (enabled or disabled) Att

Page 34 - Table 2-4

16-3 Port states in a manual aggregation In a manual aggregation group, ports are either selected or unselected. Selected ports can receive and trans

Page 35

viii RIP Configuration Examples···············································································································24-14 C

Page 36

16-4 When setting the state of the ports in the local and remote static aggregation groups, the local and remote systems do the following: 1) Compar

Page 37

16-5 Link aggregation groups perform load sharing depending on availability of hardware resources. When hardware resources are available, link aggreg

Page 38

17-1 17 Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: • Configuring

Page 39

17-2 To do… Use the command… Remarks Enter system view system-view –– Configure the system LACP priority lacp system-priority system-priority Optio

Page 40

17-3 Configuring an Aggregation Group Name Follow these steps to configure a name for an aggregation group: To do… Use the command… Remarks Enter

Page 41

17-4 form one link connected to AC B and performs load sharing among these ports. Network diagram Figure 17-1 Network diagram for link aggregation

Page 42

18-1 18 MAC Address Table Management Configuration When configuring MAC address table management, go to these sections for information you are inter

Page 43 - <H3C> system-view

18-2 Dynamically learned MAC addresses cannot overwrite static MAC address entries, but the latter can overwrite the former. As shown in Figure 18-

Page 44

18-3 Follow these steps to configure the MAC address aging timer: To do… Use the command… Remarks Enter system view system-view — Configure the agi

Page 45

18-4 MAC Address Table Management Configuration Example Network requirements Log onto your device from the Console port to configure MAC address tabl

Page 46 - Management System

ix Making External Route Selection Rules Defined in RFC1583 Compatible·································25-32 Logging Neighbor State Changes ·········

Page 47

19-1 19 Port Security Configuration When configuring port security, go to these sections for information you are interested in: • Introduction to P

Page 48 - 4 Logging In from an NMS

19-2 Intrusion protection The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action according

Page 49 - Packets

19-3 Security mode Description Features userLoginSecure In this mode, a port performs 802.1x authentication of users in portbased mode and services

Page 50

19-4 Task Remarks Enabling Port Security Required Setting the Maximum Number of Secure MAC Addresses Optional Setting the Port Security Mode Requ

Page 51 - 6 Controlling Login Users

19-5 3) Port security cannot be disabled if there is any user present on a port. For configuration information about 802.1x authentication and MAC

Page 52

19-6 • With port security disabled, you can configure the port security mode but your configuration does not take effect. • With port security en

Page 53

19-7 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Enable the userLoginWithOUI mode port-sec

Page 54

19-8 To do… Use the command… Remarks Configure the NTK feature port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } Require

Page 55

19-9 Secure MAC addresses can be learned by a port working in autoLearn mode. You can also manually configure them through the command line interface

Page 56 - 7 VLAN Configuration

19-10 Displaying and Maintaining Port Security To do… Use the command… Remarks Display port security configuration information, operation informati

Page 57 - VLAN Fundamental

x 28 Multicast Overview ·····························································································································

Page 58 - VLAN Classification

19-11 [AC-GigabitEthernet0/0/1] port-security intrusion-mode disableport-temporarily [AC-GigabitEthernet0/0/1] quit [AC] port-security timer disablep

Page 59

19-12 In addition, you will see that the port security feature has disabled the port if you issue the following command: <AC-GigabitEthernet0/0/1&

Page 60 - Port link type

19-13 1) Configure the RADIUS protocol # Create a RADIUS scheme named radsun. <AC> system-view [AC] radius scheme radsun # Set the IP addresse

Page 61 - Default VLAN

19-14 After completing the above configurations, you can use the following command to view the configuration information of the RADIUS scheme named r

Page 62

19-15 Stored MAC address number is 0 Authorization is permitted After an 802.1x user gets online, you can see that the number of secure MAC add

Page 63

19-16 Port Security Configuration for macAddressElseUserLoginSecure Mode Network requirements The client is connected to the switch through GigabitEt

Page 64

19-17 Disableport Timeout: 20s OUI value: GigabitEthernet0/0/1 is link-up Port mode is macAddressElseUserLoginSecure NeedToKnow mode is Nee

Page 65

19-18 Total current used 802.1X resource number is 1 GigabitEthernet0/0/1 is link-up 802.1X protocol is enabled Handshake is enabled The

Page 66 - VLAN Configuration Example

19-19 Error:Can not operate security MAC address for current port mode is not autoLearn! Analysis No secure MAC address can be configured on a port

Page 67 - Verification

20-1 20 MSTP Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured with the swit

Page 68

xi Troubleshooting IGMP Snooping Configuration ·················································································29-24 Switch Fails in

Page 69 - 8 Voice VLAN Configuration

20-2 • Topology change notification (TCN) BPDUs, used for notifying concerned devices of network topology changes, if any. Basic concepts in STP 1)

Page 70 - Voice VLAN Modes on a Port

20-3 Figure 20-1 A schematic diagram of designated bridges and designated ports Path cost Path

Page 71 - Configuring Voice VLAN

20-4 For the convenience of description, the description and examples below involve only four parts of a configuration BPDU: • Root bridge ID (in

Page 72

20-5 compare one another’s root bridge ID. The device with the smallest root bridge ID is elected as the root bridge. • Selection of the root port

Page 73

20-6 Figure 20-2 Network diagram for the STP algorithm • Initial state of each device The following table shows the initial state of each device.

Page 74

20-7 Device Comparison process BPDU of port after comparison • Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B find

Page 75

20-8 Figure 20-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplifi

Page 76

20-9 • Forward delay is the delay time for device state transition. A path failure will cause re-calculation of the spanning tree, and the spanning

Page 77

20-10 description about VLANs, refer to VLAN in H3C WX6103 Access Controller Switch Interface Board Configuration Guide. MSTP features the following

Page 78 - 9 GVRP Configuration

20-11 • They have the same VLAN-to-instance mapping configuration, • They have the same MSTP revision level configuration, and • They are physic

Page 79 - GARP message format

xii Enabling the ARP Entry Check ·····································································································33-5 ARP Config

Page 80

20-12 8) Common root bridge The common root bridge is the root bridge of the CIST. In Figure 20-4, for example, the common root bridge is a device

Page 81 - GVRP Configuration Task List

20-13 Figure 20-5 Port roles

Page 82 - Configuring GVRP

20-14 Table 20-6 Ports states supported by different port roles Role State Root port/Master port Designated port Alternate port Backup port Forwar

Page 83 - GVRP Configuration Examples

20-15 • IEEE 802.1w: Rapid Spanning Tree Protocol • IEEE 802.1s: Multiple Spanning Tree Protocol Configuration Task List Before configuring MSTP, y

Page 84

20-16 Task Remarks Configuring No Agreement Check Optional Configuring Protection Functions Optional In a network containing switches with both

Page 85

20-17 • MSTP-enabled switches are in the same region only when they have the same format selector (a 802.1s-defined protocol selector, which is 0

Page 86

20-18 Specifying the current device as a secondary root bridge of a specific spanning tree Follow these steps to specify the current device as a sec

Page 87

20-19 Configuring the Work Mode of MSTP Device MSTP and RSTP can recognize each other’s protocol packets, so they are mutually compatible. However,

Page 88 - IP Addressing Configuration

20-20 • Upon specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. • During

Page 89 - Subnetting and Masking

20-21 Configuring the Network Diameter of a Switched Network Any two stations in a switched network are interconnected through specific paths, which

Page 90 - Configuring IP Addresses

xiii Displaying and Maintaining the DHCP Client ·······················································································37-2 DHCP Clie

Page 91

20-22 These three timers set on the root bridge of the CIST apply on all the devices on the entire switched network. • The length of the forward

Page 92

20-23 Configuring the Timeout Factor After the network topology is stabilized, each non-root-bridge device forwards configuration BPDUs to the surrou

Page 93 - 172.16.2.0/24

20-24 To do... Use the command... Remarks Configure the maximum transmission rate of the port(s) stp transmit-limit packet-number Optional 10 by de

Page 94 - IP Performance Configuration

20-25 • With BPDU guard disabled, when a port set as an edge port receives a BPDU from another port, it will become a non-edge port again. In this

Page 95

20-26 • In the case of link aggregation, every port in the aggregation group can be configured to connect to a point-to-point link. If a port work

Page 96 - Configuring TCP Attributes

20-27 • In MSTP mode, if a port is configured to recognize/send MSTP packets in a mode other than auto, and if it receives a packet in the format

Page 97

20-28 To do... Use the command... Remarks Enable the MSTP feature on the port(s) stp enable Optional MSTP is disabled on ports by default and autom

Page 98

20-29 Configuring Path Costs of Ports Path cost is a parameter related to the rate of port-connected links. On an MSTP-compliant device, ports can ha

Page 99

20-30 In the calculation of the path cost value of an aggregated link, 802.1d-1998 does not take into account the number of ports in the aggregated

Page 100 - 12 QinQ Configuration

20-31 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet interface view interface interface-type interface-number E

Page 101 - Implementations of QinQ

xiv Configuration Procedure················································································································41-2 Confi

Page 102

20-32 Performing mCheck Ports on an MSTP-compliant device have three working modes: STP compatible mode, RSTP mode, and MSTP mode. In a switched net

Page 103 - Configuring Selective QinQ

20-33 2) Method 2: Perform mCheck in Ethernet interface view. <Sysname> system-view [Sysname] interface GigabitEthernet 0/0/1 [Sysname-Gigabit

Page 104 - QinQ Configuration Example

20-34 • You can only enable the Digest Snooping feature on the device connected to another vendor’s device that uses a private key to calculate the

Page 105 - Configuration procedure

20-35 [AC A-GigabitEthernet0/0/1] quit [AC A] stp config-digest-snooping 2) Enable Digest Snooping on AC B (the same as above, omitted) Configuring

Page 106

20-36 and does not support RSTP mode, the root port on the downstream device receives no agreement packet from the upstream device and thus sends no

Page 107

20-37 Network diagram Figure 20-9 No Agreement Check configuration Configuration procedur

Page 108 - BPDU Tunneling Configuration

20-38 ports as non-edge ports and start a new spanning tree calculation process. This will cause a change of network topology. Under normal condition

Page 109 - Configuring BPDU Isolation

20-39 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet interface view interface interface-type interface-number E

Page 110

20-40 Enabling TC-BPDU Attack Guard When receiving a TC-BPDU (a PDU used as notification of topology change), the device will delete the correspondi

Page 111 - Network requirements

20-41 To do... Use the command... Remarks View root bridge information of all MSTP instances display stp root Available in any view Clear the stat

Page 112

Copyright © 2008-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmi

Page 113

xv 44 Traffic Classification, Traffic Policing, and Line Rate Configuration···············································44-1 Traffic Classification

Page 114 - Ethernet Port Configuration

20-42 # Configure the region name, VLAN-to-instance mappings and revision level of the MST region. [AC A-mst-region] region-name example [AC A-mst-r

Page 115 - Combo Port Configuration

20-43 3 30 4 40 3) Configuration on AC C # Enter MST region view. <AC C> system-view [AC C] stp region-configuration

Page 116 - Configuring Combo port state

20-44 Revision level :0 Instance Vlans Mapped 0 1 to 9, 11 to 29, 31 to 39, 41 to 4094 1 10 3 30

Page 117 - Configuring a Port Group

21-1 21 IP Routing Overview Go to these sections for information you are interested in: • IP Routing and Routing Table • Routing Protocol Overvie

Page 118

21-2 made of a certain number of consecutive 1s. It can be expressed in dotted decimal format or by the number of the 1s. • Outbound interface: Spec

Page 119

21-3 Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires less system resources. It works we

Page 120

21-4 Routing Protocols and Routing Priority Different routing protocols may find different routes to the same destination. However, not all of those

Page 121

21-5 Route Recursion The nexthops of some static routes configured with nexthops may not be directly connected. To forward the packets, the outgoing

Page 122

21-6 To do… Use the command… Remarks Display the information of recursive routes display ip relay-route Display IPv6 recursive route information di

Page 123

22-1 22 GR Overview Go to these sections for information you are interested in: • Introduction to Graceful Restart • Basic Concepts in Graceful Re

Page 124 - Port Isolation Configuration

xvi Configuration Procedure················································································································47-4 Confi

Page 125 - Displaying Isolation Groups

22-2 Graceful Restart Communication Procedure Configure a device as GR Restarter in a network. This device and its GR Helper must support GR or be GR

Page 126 - Group ID: 1

22-3 2) GR Restarter restarting Figure 22-2 Restarting process for the GR Restarter As illustrated in Figure 22-2. The GR Helper detects that the

Page 127 - Link Aggregation Overview

22-4 Figure 22-4 The GR Restarter obtains topology and routing information from the GR Helper As illustrated in Figure 22-4, the GR Restarter obtai

Page 128 - Manual Link Aggregation

23-1 23 Static Routing Configuration When configuring a static route, go to these sections for information you are interested in: • Introduction •

Page 129 - Static LACP link aggregation

23-2 1) Destination address and mask In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted

Page 130

23-3 • When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as th

Page 131 - Aggregation Port Group

23-4 • To configure this feature for an existing static route, simply associate the static route with a track entry. For a non-existent static rout

Page 132 - Configuring Link Aggregation

23-5 Configuration procedure 1) Configuring IP addresses for interfaces (omitted) 2) Configuring static routes # Configure a default route on Switc

Page 133

23-6 # From Host A, use the ping command to verify the network layer reachability to Host B and Host C.

Page 134

24-1 24 RIP Configuration • The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. • The switch interfac

Page 135

xvii SNMP Protocol Version·················································································································52-2 MIB O

Page 136

24-2 • Next hop: IP address of the adjacent router’s interface to reach the destination. • Egress interface: Packet outgoing interface. • Metric:

Page 137

24-3 4) RIP ages out routes by adopting an aging mechanism to keep only valid routes. RIP Version RIP has two versions, RIPv1 and RIPv2. RIPv1, a cl

Page 138 - Group Can Learn

24-4 RIPv2 message format The format of RIPv2 message is similar with RIPv1. Figure 24-2 shows it. Figure 24-2 RIPv2 Message Format The differences

Page 139

24-5 • RFC 1723 only defines plain text authentication. For information about MD5 authentication, refer to RFC2082 “RIPv2 MD5 Authentication”. •

Page 140 - Port Security Configuration

24-6 • If you make some RIP configurations in interface view before enabling RIP, those configurations will take effect after RIP is enabled. • R

Page 141 - Port Security Modes

24-7 To do… Use the command… Remarks Specify a global RIP version version { 1 | 2 } Optional By default, if an interface has a RIP version specifie

Page 142

24-8 To do… Use the command… Remarks Define an inbound additional routing metric rip metricin value Optional 0 by default Define an outbound additi

Page 143 - Enabling Port Security

24-9 Disabling Host Route Reception Sometimes a router may receive many host routes from the same network, which are not helpful for routing and occu

Page 144

24-10 To do… Use the command… Remarks Configure the filtering of incoming routes filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip

Page 145 - Enabling the autoLearn Mode

24-11 Configuring RIP Network Optimization Complete the following tasks before configuring RIP network optimization: • Configure network addresses f

Page 146 - Configuring NTK

xviii NTP Configuration Examples··············································································································54-15 C

Page 147 - Configuring Trapping

24-12 Disabling the split horizon function on a point-to-point link does not take effect. Enabling poison reverse The poison reverse function allow

Page 148 - Configuration Procedure

24-13 To do… Use the command… Remarks Enter system view system-view –– Enter RIP view rip [ process-id ] –– Enable source IP address check on inco

Page 149

24-14 You need not use the peer ip-address command when the neighbor is directly connected; otherwise the neighbor may receive both the unicast and

Page 150

24-15 [AC-rip-1] network 172.17.0.0 [AC-rip-1] quit # Configure Switch. <Switch> system-view [Switch] rip [Switch-rip-1] network 192.168.1.0 [

Page 151

24-16 Troubleshooting RIP No RIP Updates Received Symptom: No RIP updates are received when the links work well. Analysis: After enabling RIP, you m

Page 152

25-1 25 OSPF Configuration • The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. • The WX6103 access

Page 153

25-2 • Fast convergence: Transmits updates instantly after network topology changes for routing information synchronization in the AS. • Loop-free:

Page 154

25-3 • LSR (link state request) packet: Requests needed LSAs from the neighbor. After exchanging the DD packets, the two routers know which LSAs of

Page 155

25-4 OSPF Area Partition and Route Summarization Area partition When a large number of OSPF routers are present on a network, LSDBs may become so lar

Page 156

25-5 4) Autonomous System Border Router (ASBR) The router exchanging routing information with another AS is an ASBR, which may not reside on the boun

Page 157 - Solution

xix Configuring the FTP Server ··················································································································57-6

Page 158

25-6 Another application of virtual links is to provide redundant links. If the backbone area cannot maintain internal connectivity due to a physical

Page 159 - 20 MSTP Configuration

25-7 On the left of the figure, RIP routes are translated into Type-5 LSAs by the ASBR of Area 2 and distributed into the OSPF AS. However, Area 1 is

Page 160 - Basic concepts in STP

25-8 • Type-1 external route • Type-2 external route The intra-area and inter-area routes describe the network topology of the AS, while external r

Page 161 - How STP works

25-9 • NBMA is the default network type, while P2MP is a conversion from other network types, such as NBMA in general. • On NBMA networks, packets

Page 162

25-10 • The DR election is available on broadcast, NBMA interfaces rather than P2P, or P2MP interfaces. • A DR is an interface of a router and belo

Page 163

25-11 MD5 authentication data is added following an OSPF packet rather than contained in the Authentication field. Hello packet A router sends hel

Page 164

25-12 LSA). The LSA header occupies small part of an LSA to reduce traffic between routers. The recipient checks whether the LSA is available using t

Page 165 - Figure 20-3

25-13 Figure 25-12 LSR packet format Major fields: • LS type: Type number of the LSA to be requested. Type 1 for example indicates the Router LSA.

Page 166

25-14 Figure 25-14 LSAck packet format ... LSA header format All LSAs have the same header, as shown in the following figure. Figure 25-15 LSA heade

Page 167 - Introduction to MSTP

25-15 Formats of LSAs 1) Router LSA Figure 25-16 Router LSA format Major fields: • Link State ID: ID of the router that originated the LSA. • V (

Page 168 - Basic concepts in MSTP

xx CLI Display ··································································································································60-1

Page 169

25-16 Figure 25-17 Network LSA format Major fields: • Link State ID: The interface address of the DR • Network Mask: The mask of the network (a b

Page 170

25-17 A Type-3 LSA can be used to advertise a default route, having the Link State ID and Network Mask set to 0.0.0.0. 4) AS external LSA An AS e

Page 171

25-18 An NSSA external LSA originates from the ASBR in a NSSA and is flooded in the NSSA area only. It has the same format as the AS external LSA. Fi

Page 172 - Protocols and Standards

25-19 After the restart, the GR Restarter will send an OSPF GR signal to its neighbors that will not reset their adjacencies with it. In this way, th

Page 173 - Configuration Task List

25-20 Task Remarks Logging Neighbor State Changes Optional Configuring OSPF Network Management Optional Enabling the Advertisement and Reception

Page 174 - Configuring the Root Bridge

25-21 To do… Use the command… Remarks Specify a network to enable OSPF on the interface attached to the network network ip-address wildcard-mask Re

Page 175 - Configuration example

25-22 • IP addresses for interfaces, making neighboring nodes accessible with each other at the network layer. • OSPF basic functions. Configuratio

Page 176

25-23 • OSPF basic functions • Corresponding filters if routing information filtering is needed. Configuring OSPF Route Summarization OSPF route su

Page 177

25-24 Configuring ABR Type-3 LSA Filtering Follow these steps to configure Type-3 LSA filtering on an ABR: To do… Use the command… Remarks Enter sy

Page 178

25-25 To do… Use the command… Remarks Enter system view system-view — Enter OSPF view ospf [ process-id | router-id router-id ] * — Configure the m

Page 179 - Configuring Timers of MSTP

xxi ICMP-echo Test Configuration Example·····················································································63-18 DHCP Test Configur

Page 180

25-26 To do… Use the command… Remarks Configure OSPF to redistribute routes from another protocol import-route protocol [ process-id ] [ cost cost

Page 181

25-27 Prerequisites Before configuring OSPF network optimization, you have configured: • IP addresses for interfaces; • OSPF basic functions. Confi

Page 182

25-28 Specifying an LSA Transmission Delay Since OSPF packets need time for traveling on links, extending LSA age time with a delay is necessary, esp

Page 183

25-29 To do… Use the command… Remarks Configure the LSA minimum repeat arrival interval lsa-arrival-interval interval Optional Defaults to 1000 mil

Page 184

25-30 • Different OSPF processes can disable the same interface from sending OSPF packets. Use of the silent-interface command disables only the i

Page 185 - Enabling the MSTP Feature

25-31 To do… Use the command… Remarks Configure the authentication mode authentication-mode { simple | md5 } Required Not configured by default Exi

Pagina 186 - Configuring Leaf Nodes

25-32 Making External Route Selection Rules Defined in RFC1583 Compatible The selection of an external route from multiple LSAs defined in RFC2328 is

Pagina 187

25-33 Enabling the Advertisement and Reception of Opaque LSAs With this feature enabled, the OSPF router can receive and advertise Type 9, Type 10 a

Pagina 188 - Configuring Port Priority

25-34 To do… Use the command… Remarks Enable the use of link-local signaling enable link-local-signaling Required Disabled by default Enable out-of

Pagina 189

25-35 To do… Use the command… Remarks Trigger OSPF Graceful Restart reset ospf [ process-id ] process graceful-restart Required Available in user v

Pagina 190 - Performing mCheck

xxii Displaying Help Information 65-4 Termi

Pagina 191 - Configuring Digest Snooping

25-36 OSPF Configuration Examples These examples only cover commands for OSPF configuration. Configuring OSPF Basic Functions Network requirements

Pagina 192 - Configuration Example

25-37 [SwitchA] ospf [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [SwitchA-ospf-1-area-0.0.0.0] quit [SwitchA-osp

Pagina 193

25-38 # Display OSPF routing information on AC. [AC] display ospf routing OSPF Process 1 with Router ID 10.2.1.1 Routin

Pagina 194 - Prerequisites

25-39 10.4.1.0/24 25 Inter 10.3.1.1 10.3.1.1 0.0.0.2 10.5.1.0/24 10 Stub 10.5.1.1 10.5.1.1

Pagina 195

25-40 [SwitchC] ip route-static 3.1.2.1 24 10.5.1.2 [SwitchC] ospf [SwitchC-ospf-1] import-route static [SwitchC-ospf-1] quit # Display ABR/ASBR info

Pagina 196 - Enabling Root Guard

25-41 # Configure Switch B. [SwitchB] ospf [SwitchB-ospf-1] area 1 [SwitchB-ospf-1-area-0.0.0.1] stub [SwitchB-ospf-1-area-0.0.0.1] quit [SwitchB-osp

Pagina 197 - Enabling Loop Guard

25-42 Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0 After this configuration, routing entries on the stub router are further reduced, containing

Pagina 198

25-43 [SwitchB-ospf-1-area-0.0.0.1] quit [SwitchB-ospf-1] quit It is recommended to configure the nssa command with the keyword default-route-adve

Pagina 199 - MSTP Configuration Example

25-44 Intra Area: 2 Inter Area: 3 ASE: 1 NSSA: 0 You can see on Switch C an external route imported from the NSSA area. Configuring OSPF DR E

Pagina 200

25-45 # Configure Switch B. <SwitchB> system-view [SwitchB] router id 3.3.3.3 [SwitchB] ospf [SwitchB-ospf-1] area 0 [SwitchB-ospf-1-area-0.0.0

Pagina 201

xxiii Configuring a PKI Entity to Request a Certificate from a CA 68-12 Configuring a Certifica

Pagina 202

25-46 [AC-Vlan-interface1] quit # Configure Switch A. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ospf dr-priority 0 [SwitchA-Vlan

Pagina 203 - 21 IP Routing Overview

25-47 Neighbors Area 0.0.0.0 interface 192.168.1.4(Vlan-interface1)'s neighbors Router ID: 1.1.1.1 Address: 192.168

Pagina 204

25-48 Area: 0.0.0.0 IP Address Type State Cost Pri DR BDR 192.168.1.2 Broadcast DROther 1 0 192.168.1.1

Pagina 205 - Routing Protocol Overview

25-49 [Switch-ospf-1] area 2 [Switch-ospf-1-area-0.0.0.2] network 172.16.0.0 0.0.255.255 [Switch-ospf-1-area-0.0.0.2] quit # Display OSPF routing inf

Pagina 206 - Route backup

25-50 OSPF Graceful Restart Configuration Example Network requirements • AC, Switch A and Switch B that belong to the same autonomous system and the

Pagina 207 - Route Recursion

25-51 [SwitchA-ospf-100] area 0 [SwitchA-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255 [SwitchA-ospf-100-area-0.0.0.0] quit 3) Configure Switch

Pagina 208

25-52 Analysis The backbone area must maintain connectivity to all other areas. If a router connects to more than one area, at least one area must be

Pagina 209 - 22 GR Overview

26-1 26 IP Source Guard Configuration The term switch in this document refers to a switching device in a generic sense or an access controller con

Pagina 210

26-2 Configuring a Static Binding Entry Follow these steps to configure a static binding entry: To do… Use the command… Remarks Enter system view s

Pagina 211

26-3 IP Source Guard Configuration Examples Static Binding Entry Configuration Example Network requirements As shown in Figure 26-1, an access contro

Pagina 212

1-1 1 Logging In Through an OAP Board When logging in through an OAP board, go to these sections for information you are interested in: • OAP Board

Pagina 213 - Static Routing Configuration

26-4 [AC-GigabitEthernet0/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406 2) Configure Switch # Configure the IP addresses of variou

Pagina 214 - Configuring a Static Route

26-5 For detailed configuration of DHCP Server, refer to DHCP in H3C WX6103 Access Controller Switch Interface Board Configuration Guide. Network

Pagina 215

26-6 Troubleshooting Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and dynamic b

Pagina 216

27-1 27 DLDP Configuration When performing DLDP configuration, go to these sections for information you are interested in: • Overview • DLDP Confi

Pagina 217

27-2 Figure 27-1 Unidirectional fiber link: cross-connected fiber (diagram labels: Device A, Device B, PC; ports GE1/0/50, GE1/0/51) Figure 27-2 Unidirectional fib

Pagina 218

27-3 DLDP Fundamentals DLDP link states A device is in one of these DLDP link states: Initial, Inactive, Active, Advertisement, Probe, Disable, and D

Pagina 219 - 24 RIP Configuration

27-4 DLDP timer Description Entry timer When a new neighbor joins, a neighbor entry is created and the corresponding entry timer is triggered. And w

Pagina 220 - Operation of RIP

27-5 device, the situation shown in Figure 27-3 may occur, where Port B is actually down but the state of Port B cannot be detected by common data li

Pagina 221 - RIP Message Format

27-6 DLDP implementation 1) On a DLDP-enabled link that is in up state, DLDP sends DLDP packets to the peer device and processes the DLDP packets re

Pagina 222 - RIPv2 authentication

27-7 Packet type Processing procedure If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the Entry timer, and

Pagina 223 - Supported RIP Features

Preface The H3C WX6103 Access Controller Switch Interface Board Configuration Guide describes the software features for the H3C WX6103 access control

Pagina 224 - Configuring a RIP version

1-2 the system and application software on the OAP board. After the switch, you can press Ctrl+K to return to the command line interface on the devic

Pagina 225

27-8 DLDP neighbor state Description Unidirectional A neighbor is in this state when the link connecting it is detected to be a unidirectional link.

Pagina 226 - Advertising a summary route

27-9 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number Enter Ethernet port view or port group view

Pagina 227 - Advertising a Default Route

27-10 • Set the interval for sending Advertisement packets to a value not longer than one-third of the STP convergence time. If the interval is too

Pagina 228

27-11 • On a port with both remote OAM loopback and DLDP enabled, if the port shutdown mode is auto mode, the port will be shut down by DLDP when i

Pagina 229 - Configuring RIP Timers

27-12 To do… Use the command… Remarks Enter system view system-view — Reset DLDP state dldp reset Required Resetting DLDP State in Port view/Port

Pagina 230 - Enabling poison reverse

27-13 Network diagram Figure 27-4 Network diagram for DLDP configuration Configuration procedure 1) Configuration on AC # Enable DLDP on GigabitEt

Pagina 231 - Specifying a RIP Neighbor

27-14 DLDP port state : disable DLDP link state : down The neighbor number of the port is 0. Interface GigabitEthernet0/0/26 DLDP port state : d

Pagina 232 - RIP Configuration Examples

28-1 28 Multicast Overview • This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term

Pagina 233

28-2 Figure 28-1 Unicast transmission Assume that Hosts B, D and E need this information. The information source establishes a separate transmissio

Pagina 234 - Troubleshooting RIP

28-3 Figure 28-2 Broadcast transmission Assume that only Hosts B, D, and E need the information. If the information source broadcasts the informati

Pagina 235 - 25 OSPF Configuration

2-1 2 Logging In Through Telnet When logging in through Telnet, go to these sections for information you are interested in: • Introduction • Telne

Pagina 236 - Basic Concepts

28-4 Figure 28-3 Multicast transmission Assume that Hosts B, D and E need the information. To receive the information correctly, these hosts need t

Pagina 237 - Neighbor and Adjacency

28-5 Table 28-1 An analogy between TV transmission and multicast transmission Step TV transmission Multicast transmission 1 A TV station transmit

Pagina 238 - Classification of Routers

28-6 information addressed to that multicast group. In this model, receivers are not aware of the position of multicast sources in advance. However,

Pagina 239

28-7 Table 28-2 Class D IP address blocks and description Address block Description 224.0.0.0 to 224.0.0.255 Reserved permanent group addresses. Th

Pagina 240 - NSSA area

28-8 Address Description 224.0.0.18 Virtual Router Redundancy Protocol (VRRP) IPv6 Multicast Addresses As defined in RFC 4291, the format of an IPv

Pagina 241 - Route types

28-9 As defined by IANA, the high-order 24 bits of an IPv4 multicast MAC address are 0x01005e, bit 25 is 0x0, and the low-order 23 bits are the low-o

Pagina 242 - OSPF network types

28-10 Multicast Protocols • Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast

Pagina 243 - DR and BDR

28-11 In the ASM model, multicast routes come in intra-domain routes and inter-domain routes. • An intra-domain multicast routing protocol is used t

Pagina 244 - OSPF packet header

28-12 Multicast Packet Forwarding Mechanism In a multicast model, a multicast source sends information to the host group identified by the multicast

Pagina 245 - DD packet

29-1 29 IGMP Snooping Configuration When configuring IGMP Snooping, go to the following sections for information you are interested in: • IGMP Snoo

Pagina 246 - LSR packet

2-2 • After you log in to the access controller switch interface board through Telnet, you can issue commands to the board by way of pasting sessio

Pagina 247 - LSAck packet

29-2 Basic Concepts in IGMP Snooping IGMP Snooping related ports As shown in Figure 29-2, Router A connects to the multicast source, IGMP Snooping r

Pagina 248 - LSA header format

29-3 Aging timers for dynamic ports in IGMP Snooping and related messages and actions Table 29-1 Aging timers for dynamic ports in IGMP Snooping and

Pagina 249 - Formats of LSAs

29-4 • If a forwarding table entry exists for the reported group and the port is included in the outgoing port list, which means that this port is a

Pagina 250

29-5 Protocols and Standards IGMP Snooping is documented in: RFC 4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Li

Pagina 251

29-6 Configuring Basic Functions of IGMP Snooping Configuration Prerequisites Before configuring the basic functions of IGMP Snooping, complete the f

Pagina 252 - Supported OSPF Features

29-7 If you switch IGMP Snooping from version 3 to version 2, the system will clear all IGMP Snooping forwarding entries from dynamic joins, and wil

Pagina 253 - OSPF Configuration Task List

29-8 Configuring aging timers for dynamic ports in a VLAN Follow these steps to configure aging timers for dynamic ports in a VLAN: To do... Use t

Pagina 254

29-9 Configuring Simulated Joining Generally, a host running IGMP responds to IGMP queries from the IGMP querier. If a host fails to respond due to

Pagina 255

29-10 Configuring fast leave processing globally Follow these steps to configure fast leave processing globally: To do... Use the command... Rema

Pagina 256

29-11 Enabling IGMP Snooping Querier In an IP multicast network running IGMP, a multicast router or Layer 3 multicast switch is responsible for send

Pagina 257

2-3 • The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution. • Befor

Pagina 258

29-12 Configuring IGMP queries and responses globally Follow these steps to configure IGMP queries and responses globally: To do... Use the command

Pagina 259

29-13 To do... Use the command... Remarks Configure the source address of IGMP general queries igmp-snooping general-query source-ip { current-in

Pagina 260

29-14 Configuring a multicast group filter on a port or a group of ports Follow these steps to configure a multicast group filter on a port or a g

Pagina 261

29-15 When enabled to filter IPv4 multicast data based on the source ports, the device is automatically enabled to filter IPv6 multicast data based

Pagina 262

29-16 To do... Use the command... Remarks Enter system view system-view — Enter IGMP Snooping view igmp-snooping — Enable IGMP report suppressio

Pagina 263

29-17 To address such situations, you can enable the multicast group replacement function on the switch or certain ports. When the number of multicas

Pagina 264 - Configuring Stub Routers

29-18 To do... Use the command... Remarks Clear IGMP Snooping multicast group information reset igmp-snooping group { group-address | all } [ vlan

Pagina 265

29-19 Configuration procedure 1) Configure the IP address of each interface Configure an IP address and subnet mask for each interface as per Figure

Pagina 266

29-20 GE0/0/1 (D) ( 00:01:30 ) IP group(s):the following ip group(s) match to one mac group. IP group address:224

Pagina 267

29-21 Network diagram Figure 29-4 Network diagram for static router port configuration

Pagina 268

2-4 To do… Use the command… Remarks Enable the Telnet server function telnet server enable Required Enter one or more VTY user interface views user

Pagina 269

29-22 # Configure GigabitEthernet 0/0/3 to be a static router port. [AC] interface GigabitEthernet 0/0/3 [AC-GigabitEthernet0/0/3] igmp-snooping sta

Pagina 270 - OSPF Configuration Examples

29-23 MAC group(s): MAC group address:0100-5e01-0101 Host port(s):total 1 port. GE0/0/2 As shown above, GigabitEthern

Pagina 271 - 3) Verify the configuration

29-24 [AC-vlan100] igmp-snooping general-query source-ip 192.168.1.1 [AC-vlan100] igmp-snooping special-query source-ip 192.168.1.1 2) Configure Swi

Pagina 272

29-25 Solution 1) Enter the display current-configuration command to view the running status of IGMP Snooping. 2) If IGMP Snooping is not enabled,

Pagina 273

30-1 30 Multicast VLAN Configuration Introduction to Multicast VLAN As shown in Figure 30-1, in the traditional multicast programs-on-demand mode, w

Pagina 274

30-2 To do… Use the command… Remarks Configure sub-VLANs for a specific multicast VLAN multicast-vlan vlan-id subvlan vlan-list Required No sub-VLA

Pagina 275

30-3 Network diagram Figure 30-2 Network diagram for multicast VLAN configuration Configuration procedure 1) Configure an IP address for each inte

Pagina 276

30-4 # Create VLAN 1024, assign GigabitEthernet 0/0/1 to this VLAN and enable IGMP Snooping in the VLAN. [AC] vlan 1024 [AC-vlan1024] port GigabitEt

Pagina 277

31-1 31 LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: • LLDP Configuration Tasks List • Pe

Pagina 278

31-2 Sending LLDPDUs An LLDP-enabled device operating in the TxRx mode or Tx mode sends LLDPDUs to its directly connected devices periodically. It al

Pagina 279

2-5 Table 2-4 Determine the command level when users logging in to access controller switch interface board are not authenticated Scenario Authentica

Pagina 280

31-3 Table 31-1 Basic LLDP TLVs Type Description Remarks End of LLDPDU TLV Marks the end of an LLDPDU. Chassis ID TLV Carries the bridge MAC add

Pagina 281

31-4 MED related LLDP TLVs • LLDP-MED capabilities TLV, which carries the MED type of the current device and the types of the LLDP MED TLVs that can

Pagina 282

31-5 Performing Basic LLDP Configuration Enabling LLDP Follow these steps to enable LLDP: To do… Use the command… Remarks Enter system view system-

Pagina 283

31-6 To do… Use the command… Remarks Enter system view system-view — Set the TTL multiplier lldp hold-multiplier value Optional 4 by default. Enter

Pagina 284

31-7 • To enable MED related LLDP TLV sending, you need to enable LLDP-MED capabilities TLV sending first. Conversely, to disable LLDP-MED capabili

Pagina 285 - Processing steps

31-8 To do… Use the command… Remarks Set the delay period to send LLDPDUs lldp timer tx-delay value Optional 2 seconds by default To enable local

Pagina 286

31-9 Displaying and Maintaining LLDP To do… Use the command… Remarks Display the global LLDP information or the information contained in the LLDP T

Pagina 287 - IP Source Guard Overview

31-10 <AC> system-view # Enable LLDP globally. [AC] lldp enable # Enable LLDP on GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2, setting the L

Pagina 288 - Displaying IP Source Guard

31-11 Trap flag : No Roll time : 0s Number of neighbors : 1 Number of MED neighbors

Pagina 289

32-1 32 sFlow Configuration When configuring sFlow, go to these sections for information you are interested in: • sFlow Overview • Configuring sFl

Pagina 290

2-6 # Set the maximum number of lines the screen can contain to 30. [H3C-ui-vty0] screen-length 30 # Set the maximum number of commands the history c

Pagina 291

32-2 2) The sFlow agent periodically collects interface statistics on all sFlow enabled ports. 3) When the sFlow packet buffer overflows or the one

Pagina 292 - Troubleshooting

32-3 sFlow Configuration Example Network requirements • Host A and Server are connected to AC through GigabitEthernet 0/0/1 and GigabitEthernet 0/0/

Pagina 293 - 27 DLDP Configuration

32-4 GE0/0/1 Both 100000 Random Active Troubleshooting sFlow Configuration The Remote sFlow Collector Cannot Re

Pagina 294 - Device B

33-1 33 ARP Configuration When configuring ARP, go to these sections for information you are interested in: • ARP Overview • Configuring ARP • Co

Pagina 295 - DLDP Fundamentals

33-2 ARP Message Format Figure 33-1 ARP message format The following explains the fields in Figure 33-1. • Hardware type: This field specifies the

Pagina 296 - DLDP mode

33-3 2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request, in which the source IP address and source MAC

Pagina 297 - DLDP authentication mode

33-4 • A non-permanent static ARP entry cannot be directly used for forwarding data. When configuring a non-permanent static ARP entry, you only nee

Pagina 298 - DLDP implementation

33-5 To do… Use the command… Remarks Enter system view system-view — Enter VLAN interface view interface Vlan-interface vlan-id — Set the maximum n

Pagina 299 - DLDP neighbor state

33-6 [Sysname] arp timer aging 10 [Sysname] vlan 10 [Sysname-vlan10] port gigabitethernet 0/0/10 [Sysname-vlan10] quit [Sysname] interface vlan-inter

Pagina 300 - Enabling DLDP

33-7 To do… Use the command… Remarks Clear ARP entries from the ARP mapping table reset arp { all | dynamic | static | interface interface-type int

Pagina 301 - Setting DLDP Mode

2-7 To do… Use the command… Remarks Set the timeout time of the user interface idle-timeout minutes [ seconds ] Optional The default timeout time o

Pagina 302 - Setting the DelayDown Timer

34-1 34 Proxy ARP Configuration When configuring proxy ARP, go to these sections for information you are interested in: • Proxy ARP Overview • Ena

Pagina 303 - Resetting DLDP State

34-2 Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements Host A and Host D have IP addresses of the same network se

Pagina 304 - DLDP Configuration Example

34-3 • GigabitEthernet 0/0/2 and GigabitEthernet 0/0/3 isolated at Layer 2 can implement Layer 3 communication. Network diagram Figure 34-2 Network

Pagina 305

34-4 Ping Host B from Host A to verify that the two hosts can reach each other, which indicates that Layer 3 communication is implemented.

Pagina 306

35-1 35 DHCP Overview When configuring ARP, go to these sections for information you are interested in: • Introduction to DHCP • DHCP Address Allo

Pagina 307 - 28 Multicast Overview

35-2 When residing in a different subnet from the DHCP server, the DHCP client can get the IP address and other configuration parameters from the se

Pagina 308 - Broadcast

35-3 4) All DHCP servers receive the DHCP-REQUEST message, but only the server to which the client sent a formal request for the offered IP address

Pagina 309 - Multicast

35-4 Figure 35-3 DHCP message format • op: Message type defined in option field. 1 = REQUEST, 2 = REPLY • htype, hlen: Hardware address type and l

Pagina 310 - Roles in Multicast

35-5 Figure 35-4 DHCP option format Introduction to DHCP Options The common DHCP options are: • Option 6: DNS server option. It specifies the DNS

Pagina 311 - Multicast Models

35-6 Figure 35-5 Sub-option 1 in normal padding format • sub-option 2: Padded with the MAC address of the interface that received the client’s req

Pagina 312 - Multicast Architecture

2-8 Configuration procedure # Enter the OAP board view from the user view of the WX6103 main control board. <WX6103> oap connect slot 0 Connect

Pagina 313

35-7 • Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreachable. • Sub-o

Pagina 314 - IPv6 Multicast Addresses

36-1 36 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: • Introdu

Pagina 315

36-2 Figure 36-1 DHCP relay agent application (diagram labels: IP network, DHCP server, DHCP relay agent, DHCP clients) No matter whether a

Pagina 316 - Multicast Protocols

36-3 If a reply returned by the DHCP server contains Option 82, the DHCP relay agent will remove the Option 82 before forwarding the reply to the cli

Pagina 317 - Layer 2 multicast protocols

36-4 Enabling the DHCP Relay Agent on an Interface With this task completed, upon receiving a DHCP request from the enabled interface, the relay agen

Pagina 318

36-5 • You can specify at most twenty DHCP server groups on the relay agent and at most eight DHCP server addresses for each DHCP server group. •

Pagina 319 - IGMP Snooping Configuration

36-6 To do… Use the command… Remarks Enter interface view interface interface-type interface-number — Enable invalid IP address check dhcp relay ad

Pagina 320 - IGMP Snooping related ports

36-7 With this feature enabled, upon receiving a DHCP request, the DHCP relay agent will record the IP address of the DHCP server which assigned an I

Pagina 321

36-8 • To support Option 82, it is required to perform related configuration on both the DHCP server and relay agent. Since the DHCP server configu

Pagina 322

36-9 Network diagram Figure 36-3 Network diagram for DHCP relay agent Configuration procedure # Enable DHCP. <AC> system-view [AC] dhcp enabl

Pagina 323

2-9 To do… Use the command… Remarks Enter the default ISP domain view domain domain-name Configure the AAA scheme to be applied to the domain authe

Pagina 324 - Enabling IGMP Snooping

36-10 Analysis Some problems may occur with the DHCP relay agent or server configuration. Enable debugging and execute the display command on the DHC

Pagina 325

37-1 37 DHCP Client Configuration When configuring the DHCP client, go to these sections for information you are interested in: • Introduction to D

Pagina 326 - Configuring Static Ports

37-2 • An interface can be configured to acquire an IP address in multiple ways, but these ways are exclusive. The latest configuration will overwr

Pagina 327

37-3 [AC-Vlan-interface1] ip address dhcp-alloc To implement the DHCP client-server model, you need to perform related configuration on the DHCP se

Pagina 328

38-1 38 DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: • DHCP Snooping Ove

Pagina 329

38-2 • Trusted: A trusted port forwards DHCP messages, ensuring that DHCP clients can obtain valid IP addresses. • Untrusted: The DHCP-ACK or DHCP-

Pagina 330

38-3 Figure 38-2 Configure trusted ports in a cascaded network DHCP Snooping Support for Option 82 Option 82 records the location information of th

Pagina 331

38-4 The handling strategy and padding format for Option 82 on the DHCP-Snooping device are the same as those on the relay agent. Configuring DHCP

Pagina 332

38-5 To do… Use the command… Remarks Configure the handling strategy for requesting messages containing Option 82 dhcp-snooping information strateg

Pagina 333

38-6 Network diagram Figure 38-3 Network diagram for DHCP snooping configuration Configuration procedure # Enable DHCP snooping. <AC> system-

Pagina 334

Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text rep

Pagina 335

2-10 To do… Use the command… Remarks Set the maximum number of lines the screen can contain screen-length screen-length Optional By default, the sc

Pagina 336

39-1 39 BOOTP Client Configuration While configuring a BOOTP client, go to these sections for information you are interested in: • Introduction to

Pagina 337

39-2 Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without an

Pagina 338

39-3 Displaying and Maintaining BOOTP Client Configuration To do… Use the command… Remarks Display related information on a BOOTP client display bo

Pagina 339

40-1 40 ACL Overview In order to filter traffic, network devices use sets of rules, called access control lists (ACLs), to identify and handle packe

Pagina 340

40-2 • Software-based application: An ACL is referenced by a piece of upper layer software. For example, an ACL can be referenced to configure login

Pagina 341

40-3 An IPv4 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating an ACL, you cannot specify a name for it,

Pagina 342

40-4 2) If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks. Then, co

Pagina 343

40-5 • IPv6 ACL Classification • IPv6 ACL Naming • IPv6 ACL Match Order • IPv6 ACL Step • Effective Period of an IPv6 ACL IPv6 ACL Classificatio

Pagina 344 - Multicast VLAN Configuration

40-6 Depth-first match for an advanced IPv6 ACL The following shows how your switch performs depth-first match in an advanced IPv6 ACL: 1) Sort rul

Pagina 345

41-1 41 IPv4 ACL Configuration When configuring an IPv4 ACL, go to these sections for information you are interested in: • Creating a Time Range •

Pagina 346

2-11 Table 2-6 Determine the command level when users logging in to the access controller switch interface board are authenticated in the scheme mode

Pagina 347

41-2 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command. • You may create indiv

Pagina 348 - 31 LLDP Configuration

41-3 To do… Use the command… Remarks Create or modify a rule rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wil

Pagina 349 - TLV Types

41-4 In addition, advanced IPv4 ACLs allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differen

Pagina 350

41-5 • You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command but only wh

Pagina 351

41-6 To do… Use the command… Remarks Create or modify a rule rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | ls

Pagina 352 - Configuring LLDPDU TLVs

41-7 Copying an IPv4 ACL This feature allows you to copy an existing IPv4 ACL to generate a new one, which is of the same type and has the same match

Pagina 353

41-8 Network Diagram Figure 41-1 Network diagram for IPv4 ACL configuration

Pagina 354 - Enable LLDP Polling

41-9 [AC-classifier-c_market] if-match acl 3001 [AC-classifier-c_market] quit # Configure traffic behavior b_market to deny matching packets. [AC] t

Pagina 355 - Configuring LLDP Trap

42-1 42 IPv6 ACL Configuration When configuring IPv6 ACLs, go to these sections for information you are interested in: • Creating a Time Range •

Pagina 356 - LLDP Configuration Example

42-2 To do… Use the command… Remarks Create an IPv6 ACL description description text Optional By default, no IPv6 ACL description is present. Cre

Pagina 357

2-12 Configuration Example Network requirements Assume that you are a level 3 Console user and want to perform the following configuration for Telnet

Pagina 358

42-3 Configuration Prerequisites If you want to reference a time range to a rule, define it with the time-range command first. Configuration Procedu

Pagina 359 - 32 sFlow Configuration

42-4 • You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command

Pagina 360 - Displaying sFlow

42-5 Displaying and Maintaining IPv6 ACLs To do… Use the command… Remarks Display information about a specified or all IPv6 ACLs display acl ipv6 {

Pagina 361

42-6 [AC-behavior-b_rd] filter deny [AC-behavior-b_rd] quit # Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd. [AC] qos policy

Pagina 362

43-1 43 QoS Overview The term switch in this document refers to a switch in a generic sense or an access controller configured with the switching

Pagina 363 - 33 ARP Configuration

43-2 locations through the VPN technology to develop some transaction applications, such as to access the database of the company or to manage rem

Pagina 364 - ARP Message Format

43-3 • Excessively high delay will cause retransmission of packets. • Congestion decreases the effective throughput of the network and the utilizat

Pagina 365 - ARP Mapping Table

43-4 assigned resources from different approaches, and are the concrete ways of providing differentiated services.

Pagina 366 - Configuring ARP

44-1 44 Traffic Classification, Traffic Policing, and Line Rate Configuration When configuring traffic classification, traffic policing, and line ra

Pagina 367 - ARP Configuration Example

44-2 1) IP precedence, ToS precedence, and DSCP precedence Figure 44-1 DS field and ToS field The ToS field in an IP header contains eight bits, w

Pagina 368 - Configuring Gratuitous ARP

2-13 # Set the timeout time to 6 minutes. [H3C-ui-vty0] idle-timeout 6 Telnet Connection Establishment Telnetting to the Access controller Switch Int

Pagina 369

44-3 Table 44-2 Description on DSCP precedence values DSCP value (decimal) DSCP value (binary) Description 46 101110 ef 10 001010 af11 12 001100 af

Pagina 370 - 34 Proxy ARP Configuration

44-4 Figure 44-3 802.1Q tag headers In the figure above, the 3-bit priority field in TCI is 802.1p precedence in the range of 0 to 7. In the figure

Pagina 371

44-5 Traffic Evaluation and Token Bucket Token Bucket A token bucket can be considered as a container with a certain capacity to hold tokens. The sys

Pagina 372

44-6 • Excess burst size (EBS) Two token buckets are used in this evaluation. Their rates of putting tokens into the buckets are CIR and PIR respect

Pagina 373

44-7 Line Rate Configuration Line Rate Configuration Procedure Follow these steps to configure line rate: To do… Use the command… Remarks Enter sy

Page 374 - 35 DHCP Overview

45-1 45 QoS Policy Configuration When configuring QoS policy, go to these sections for information that you are interested in: • Overview • Config

Page 375 - DHCP Address Allocation

45-2 • The policy name is determined. • Apply the QoS policy in Ethernet port view/port group view. Defining a Class To define a class, you need t

Page 376 - DHCP Message Format

45-3 Form Description ip-precedence ip-precedence-list Specifies to match packets by IP precedence. The ip-precedence-list argument is a list of IP

Page 377 - DHCP Options

45-4 Configuration procedure Follow these steps to define a traffic behavior: To do… Use the command… Remarks Enter system view system-view — Creat

Page 378 - Self-Defined Options

45-5 # Configure traffic policing action for the traffic behavior. [Sysname-behavior-test] car cir 640 Defining a Policy A policy associates a class

Page 379 - Option 184

2-14 Figure 2-5 Network diagram for Telnet connection establishment Step 4: Launch Telnet on your PC, input the IP address of the management Ethern

Page 380

45-6 [Sysname-GigabitEthernet0/0/1] # Apply the policy to the port. [Sysname-GigabitEthernet0/0/1] qos apply policy test inbound Displaying and Main

Page 381 - Fundamentals

46-1 46 Congestion Management When configuring congestion management, go to these sections for information that you are interested in: • Overview •

Page 382 - IP network

46-2 Figure 46-1 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature

Page 383

46-3 Figure 46-2 Diagram for WRR queuing A port of the switch supports eight outbound queues. The WRR queue-scheduling algorithm schedules all the

Page 384

46-4 Configuring an SP Queue Configuration Procedure Follow these steps to configure SP queues: To do… Use the command… Remarks Enter system view s

Page 385

46-5 To do… Use the command… Remarks Enter system view system-view — Enter port view interface interface-type interface-number Enter port view or p

Page 386

46-6 To do… Use the command… Remarks Enter system view system-view — Enter port view interface interface-type interface-number Enter port view or p

Page 387

47-1 47 Priority Mapping When configuring priority mapping, go to these sections for information you are interested in: • Priority Mapping Overview

Page 388

47-2 Imported priority value dot1p-lp mapping dot1p-dp mapping 1 0 0 2 1 0 3 3 0 4 4 0 5 5 0 6 6 0 7 7 0 Table 47-2 The default values of dscp-dp

Page 389

47-3 To do… Use the command… Remarks Enter system view system-view — Enter priority mapping table view qos map-table { dot1p-dp | dot1p-lp | dscp-d

Page 390

2-15 Telnetting to Another Access controller from the Current One You can Telnet to another access controller switch interface board from the current

Page 391 - DHCP Client Configuration

47-4 received packets, and then marks the received packets with the corresponding local precedence and drop precedence. Port priority is in the range

Page 392

47-5 To do… Use the command… Remarks Enter system view system-view — Enter port view interface interface-type interface-number Enter port view or p

Page 393

48-1 48 Applying a QoS Policy to VLANs When applying a QoS policy to VLANs, go to these sections for information that you are interested in: • Over

Page 394 - DHCP Snooping Configuration

48-2 Configuration Examples Network Requirements • The QoS policy test is defined to perform traffic policing for the packets matching basic IPv4 AC

Page 395

49-1 49 Traffic Mirroring Configuration When configuring traffic mirroring, go to these sections for information that you are interested in: • Over

Page 396

49-2 Displaying and Maintaining Traffic Mirroring To do… Use the command… Remarks Display the configuration information about the user-defined traf

Page 397

49-3 [Sysname] traffic behavior 1 [Sysname-behavior-1] mirror-to interface GigabitEthernet 0/0/2 [Sysname-behavior-1] quit # Configure a QoS policy a

Page 398

50-1 50 Port Mirroring Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured wit

Page 399

50-2 • Local port mirroring copies packets passing through one or more ports (known as source ports) of a device to the monitor port (also destinati

Page 400 - BOOTP Client Configuration

50-3 Destination device contains destination mirroring port, and remote destination port mirroring groups are created on destination devices. Upon re

Page 401 - Through BOOTP

3-1 3 Logging In Through the Web-Based Network Management System When logging in through the Web-based network management system, go to these sectio

Page 402 - Network requirement

50-4 Configuring Remote Port Mirroring You can configure a remote source port mirroring group as well as a remote destination port mirroring group

Page 403 - 40 ACL Overview

50-5 • All ports in a remote mirroring group belong to the same device. A remote source mirroring group can have only one outbound mirroring port.

Page 404 - Introduction to IPv4 ACL

50-6 • The remote destination mirroring port cannot be a member port of the current mirroring group. • The remote destination mirroring port can b

Page 405 - IPv4 ACL Match Order

50-7 Network diagram Figure 50-3 Network diagram for local port mirroring configuration Configuration procedure Configure AC. # Create a local port

Page 406 - Introduction to IPv6 ACL

50-8 The administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device. Use the remote port mirroring fu

Page 407 - IPv6 ACL Match Order

50-9 [AC-GigabitEthernet0/0/3] port link-type trunk [AC-GigabitEthernet0/0/3] port trunk permit vlan 2 2) Configure Switch A (the intermediate devic

Page 408 - IPv6 ACL Step

51-1 51 UDP Helper Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured with th

Page 409 - 41 IPv4 ACL Configuration

51-2 To do… Use the command… Remarks Enter VLAN interface view interface Vlan-interface vlan-id — Specify the destination server to which UDP packe

Page 410 - Configuring a Basic IPv4 ACL

51-3 Configuration procedure The following configuration assumes that a route from AC to the network segment 10.2.0.0/16 is available. # Enable UD

Page 411 - Configuration Examples

52-1 52 SNMP Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured with the swit

Page 412

3-2 2) Establish an HTTP connection between your PC and the switch interface board, as shown in the following figure. Figure 3-1 Establish an HTTP c

Page 413

52-2 • NMS manages an SNMP enabled network, whereas Agent is the managed network device. They exchange management information through the SNMP proto

Page 414

52-3 B can be uniquely identified by a string of numbers {1.2.1.1}. This string of numbers is the OID of the managed object B. Figure 52-2 MIB tree A

Page 415 - Copying an IPv4 ACL

52-4 To do… Use the command… Remarks Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent snmp-agent packet m

Page 416 - Network Diagram

52-5 The validity of a USM user depends on the engine ID of the SNMP agent. If the engine ID used for USM user creation is not identical to the curr

Page 417

52-6 • Logs occupy storage space of the device, thus affecting the performance of the device. Therefore, you are recommended to disable SNMP loggin

Page 418 - 42 IPv6 ACL Configuration

52-7 To enable an interface to send SNMP Traps when its state changes, you need to enable the Link up/down Trap packet transmission function on an i

Page 419

52-8 Displaying and Maintaining SNMP To do… Use the command… Remarks Display SNMP-agent system information, including the contact, location, and ve

Page 420

52-9 [Sysname] snmp-agent community write private # Configure VLAN-interface 2 (with the IP address of 1.1.1.1/24). Add the port GigabitEthernet 0/0/

Page 421 - Copying an IPv6 ACL

52-10 Configuration procedure The configurations for NMS and Agent are omitted. # Enable logging display on the terminal (optional, enabled by def

Page 422 - Network Requirements

52-11 The system information of the information center can be output to the terminal or to the log buffer. In this example, SNMP log is output to th

Page 423

4-1 4 Logging In from an NMS When logging in from an NMS, go to these sections for information you are interested in: • Introduction • Connection

Page 424 - 43 QoS Overview

53-1 53 RMON Configuration When configuring RMON, go to these sections for information you are interested in: • RMON Overview • Configuring RMON •

Page 425 - Influence of Congestion

53-2 RMON Groups Among the ten RMON groups defined by RMON specifications (RFC 1757), H3C series Ethernet switches support the event group, alarm gro

Page 426 - Countermeasures

53-3 If the count result overpasses the same threshold multiple times, only the first one can cause an alarm event. That is, the rising alarm and fa

Page 427

53-4 To do… Use the command… Remarks Create an entry in the private alarm table rmon prialarm entry-number prialarm-formula prialarm-des sampling-

Page 428 - Rate Configuration

53-5 To do… Use the command… Remarks Display RMON prialarm configuration information display rmon prialarm [ entry-number ] Available in any view D

Page 429

53-6 # Configure an alarm group to sample received bytes on GigabitEthernet 0/0/1. When the received bytes exceed the upper or below the lower limit,

Page 430

54-1 54 NTP Configuration • The term switch in this document refers to a switch in a generic sense or an access controller configured with the sw

Page 431

54-2 • All devices must use the same reference clock in a charging system. • To implement certain functions, such as scheduled restart of all devic

Page 432 - Complicated Evaluation

54-3 The process of system clock synchronization is as follows: • Switch A sends Switch B an NTP message, which is timestamped when it leaves Switch

Page 433 - Line Rate

54-4 Figure 54-2 Clock synchronization message format. Fields: LI, VN, Mode, Stratum, Poll, Precision, Root delay (32 bits), Root dispersion (32 bits), Refer

Page 434 - Line Rate Configuration

5-1 5 Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: • Overview • Configurin

Page 435 - 45 QoS Policy Configuration

54-5 Operation Modes of NTP Switches running NTP can implement clock synchronization in one of the following modes: Server/client mode Figure 54-3 Se

Page 436 - Defining a Class

54-6 Broadcast mode Figure 54-5 Broadcast mode In the broadcast mode, a server periodically sends clock synchronization messages to the broadcast a

Page 437 - Defining a Traffic Behavior

54-7 In symmetric peers mode, broadcast mode and multicast mode, the client (or the symmetric active peer) and the server (the symmetric passive pee

Page 438

54-8 A single switch can have a maximum of 128 associations at the same time, including static associations and dynamic associations. A static asso

Page 439 - Applying a Policy

54-9 Configuring the NTP Symmetric Mode For switches working in the symmetric mode, you need to specify a symmetric-passive on a symmetric-active pee

Page 440

54-10 Configuring a broadcast client To do… Use the command… Remarks Enter system view system-view — Enter interface view interface interface-type

Page 441 - 46 Congestion Management

54-11 To do… Use the command… Remarks Configure the switch to work in the NTP multicast server mode ntp-service multicast-server [ ip-address ] [ a

Page 442

54-12 Configuring the Maximum Number of Dynamic Sessions Allowed To do… Use the command… Remarks Enter system view system-view — Configure the maxi

Page 443

54-13 The access-control right mechanism provides only a minimum degree of security protection for the system running NTP. A more secure method is i

Page 444 - Configuring a WRR Queue

54-14 To do… Use the command… Remarks Configure an NTP authentication key ntp-service authentication-keyid keyid authentication-mode md5 value Requ

Page 445 - Configuring SP+WRR Queues

Convention Description Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or

Page 446

5-2 Configuration in system view Table 5-2 Configure a source IP address for service packets in system view To do… Use the command… Remarks Enter s

Page 447 - 47 Priority Mapping

54-15 The procedure of configuring NTP authentication on a server is the same as that on a client, and the same authentication key must be configure

Page 448

54-16 Clock offset: 0.0000 ms Root delay: 0.00 ms Root dispersion: 0.00 ms Peer dispersion: 0.00 ms Reference time: 00:00:00.000 UTC Jan 1 1900 (0000

Page 449

54-17 Network diagram Figure 54-8 Network diagram for NTP symmetric peers mode configuration Configuration procedure 1) Configuration on AC A: #

Page 450

54-18 # View the NTP session information of AC B, which shows that an association has been set up between AC B and AC C. [AC B] display ntp-service s

Page 451

54-19 <AC C> system-view [AC C] interface vlan-interface 2 [AC C-Vlan-interface2] ntp-service broadcast-client 3) Configuration on AC A: # Co

Page 452 - Overview

54-20 Network diagram Figure 54-10 Network diagram for NTP multicast mode configuration

Page 453

54-21 As shown above, AC D has been synchronized to AC C, and the clock stratum level of AC D is 3, while that of AC C is 2. # View the NTP session

Page 454

54-22 As shown above, AC A has been synchronized to AC C, and the clock stratum level of AC A is 3, while that of AC C is 2. # View the NTP session

Page 455

54-23 [AC B] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 Before AC B can synchronize its clock to that of AC A, you need to enable NT

Page 456

54-24 Network diagram Figure 54-12 Network diagram for configuration of NTP broadcast mode with authentication Configuration procedure 1) Configur

Page 457 - Port Mirroring Configuration

6-1 6 Controlling Login Users To control login users, go to these sections for information you are interested in: • Introduction • Controlling Tel

Page 458 - Implementing Port Mirroring

54-25 Clock precision: 2^7 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion: 34.30 ms Reference time:

Page 459

55-1 55 DNS Configuration When configuring DNS, go to these sections for information you are interested in: • DNS Overview • Configuring the DNS

Page 460

55-2 1) A user program sends a name query to the resolver of the DNS client. 2) The DNS resolver looks up the local domain name cache for a match.

Page 461

55-3 Currently, the device supports static and dynamic DNS services. If an alias is configured for a domain name on the DNS server, the device can

Page 462 - Displaying Port Mirroring

55-4 To do… Use the command… Remarks Enter system view system-view –– Configure a mapping between a host name and IP address in the static name res

Page 463

55-5 Displaying and Maintaining DNS To do… Use the command… Remarks Display the static domain name resolution table display ip host Display DNS ser

Page 464

55-6 round-trip min/avg/max = 2/2/2 ms Dynamic Domain Name Resolution Configuration Example Network requirements • The IP address of the DNS ser

Page 465

55-7 Figure 55-5 Create a zone # Create a mapping between the host name and IP address. Figure 55-6 Add a host In Figure 55-6, right click zone c

Page 466 - 51 UDP Helper Configuration

55-8 Figure 55-7 Add a mapping between domain name and IP address 2) Configure the DNS client # Enable dynamic domain name resolution. <AC>

Page 467

55-9 DNS Proxy Configuration Example Network requirements • Specify AC A as the DNS server of AC B (the DNS client). • AC A acts as a DNS proxy. Th

Page 468

6-2 To do… Use the command… Remarks Quit to system view quit — Enter user interface view user-interface [ type ] first-number [ last-number ] — App

Page 469 - 52 SNMP Configuration

55-10 [AC B] dns server 2.1.1.2 4) Configuration verification # Execute the ping host.com command on AC B to verify that the host can be pinged after

Page 470 - MIB Overview

56-1 56 File System Management Configuration • The term switch in this document refers to a switch in a generic sense or an access controller con

Page 471 - SNMP Configuration

56-2 Directory Operations Directory operations include create, delete, display the current path, display specified directory or file information as s

Page 472

56-3 To do… Use the command… Remarks Copy a file copy fileurl-source fileurl-dest Optional Available in user view Move a file move fileurl-source f

Page 473 - Configuring SNMP Logging

56-4 Currently, the storage device on an H3C WX6103 access controller switch interface board is the Flash only, which is named flash:. Memory space

Page 474 - Trap Configuration

56-5 Directory of flash:/ 0 drw- - Feb 16 2006 11:45:36 logfile 1 -rw- 1218 Feb 16 2006 11:46:19 config.cfg 2 drw-

Page 475

56-6 • Current configuration, which refers to the user’s configuration during the operation of a device. This configuration is stored in the flash.

Page 476 - SNMP Configuration Example

56-7 Deleting the Startup Configuration File With the configuration file deleted, your device will boot up with the default configuration next time i

Page 477

56-8 For an H3C WX6103 access controller switch interface board, the file to be backed up or restored is the main configuration file for next startu

Page 478

56-9 Displaying and Maintaining Device Configuration To do… Use the command… Remarks Display the configuration file saved in the storage device dis

Page 479

6-3 To do… Use the command… Remarks Enter system view system-view — Create a basic ACL or enter basic ACL view acl number acl-number [ name acl-nam

Page 480 - 53 RMON Configuration

57-1 57 FTP Configuration When configuring FTP, go to these sections for information you are interested in: • FTP Overview • Configuring the FTP C

Page 481 - RMON Groups

57-2 • The FTP function is available when a route exists between the FTP server and the FTP client. • When a device serving as the FTP server logs

Page 482 - Configuring RMON

57-3 To do… Use the command… Remarks Log onto the remote FTP server directly in user view ftp [ server-address [ service-port ] [ source { interfac

Page 483

57-4 To do… Use the command… Remarks Set the file transfer mode to binary binary Optional ASCII by default Change the working path on the remote FT

Page 484 - RMON Configuration Example

57-5 • On the FTP server, an FTP user account has been created for the FTP client, with the username being abc and the password being pwd. • The PC

Page 485

57-6 [ftp] bye # You can use the boot-loader command to specify the downloaded file as the main startup file for next startup. Then restart the devic

Page 486 - 54 NTP Configuration

57-7 Follow these steps to configure authentication and authorization for FTP server: To do… Use the command… Remarks Enter system view system-view

Page 487 - How NTP Works

57-8 Network diagram Figure 57-3 Smooth upgrading using the FTP server Configuration procedure 1) Configure access controller (FTP Server) # Creat

Page 488 - NTP Message Format

57-9 • When upgrading the configuration file with FTP, put the new file under the root directory. • After you finish upgrading the Boot ROM progra

Page 489

58-1 58 TFTP Configuration When configuring TFTP, go to these sections for information you are interested in: • TFTP Overview • Configuring the TF

Page 490 - Operation Modes of NTP

6-4 • Defining an ACL • Applying the ACL to control users accessing the access controller through SNMP Prerequisites The controlling policy against

Page 491 - Multicast mode

58-2 Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and make sure that there is a route between

Page 492 - NTP Configuration Task list

58-3 To do… Use the command… Remarks Download or upload a file in IPv4 network tftp server-address { get | put | sget } source-filename [ destinati

Page 493

58-4 • Configure a TFTP working directory 2) Configure the device (TFTP Client) If the free memory space of the device is not big enough, you sho

Page 494

59-1 59 Information Center Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured

Page 495

59-2 Table 59-1 Severity description Severity Severity value Description emergencies 0 The system is unavailable. alerts 1 Information that dem

Page 496

59-3 Configurations for the six output destinations function independently and take effect only after the information center is enabled. Outputting

Page 497

59-4 Module name Description OSPF Open Shortest Path First module QoS Quality of Service module RDS Radius module RM Routing Management module RM

Page 498

59-5 What follows is a detailed explanation of the fields involved: Priority The priority is calculated using the following formula: facility*8+sever

Page 499

59-6 Task Remarks Setting to Output System Information to the Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional S

Page 500 - NTP Configuration Examples

59-7 LOG TRAP DEBUG Output destination Modules allowed Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity SNMP NMS defau

Page 501

6-5 As SNMP community name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in the command that configures SNMP community names (the snmp-agent

Page 502

59-8 To do… Use the command… Remarks Configure the format of the time stamp info-center timestamp { debugging | log | trap } { boot | date | none }

Page 503

59-9 To do… Use the command… Remarks Configure the output rules of the system information info-center source { module-name | default } channel { ch

Page 504

59-10 To do… Use the command… Remarks Configure the channel through which system information can be output to the log buffer and specify the buffer

Page 505

59-11 Configuring Synchronous Information Output Synchronous information output refers to the feature that if the user’s input is interrupted by syst

Page 506 - Root delay: 40.00 ms

59-12 Support for the display logfile buffer and display logfile summary commands varies with devices. Information Center Configuration Examples Ou

Page 507

59-13 [Sysname] info-center source ip channel loghost log level informational state on 2) Configuring the log host The following configurations were

Page 508

59-14 1) Configuring the device # Enable information center. <Sysname> system-view [Sysname] info-center enable # Specify the host with IP add

Page 509

59-15 # ps -ae | grep syslogd 147 # kill -9 147 # syslogd -r & Ensure that the syslogd process is started with the -r option on a Linux log hos

Page 510 - AC B and AC A

59-16 # Enable the display of log information on a monitor terminal. <Sysname> terminal monitor % Current terminal monitor is on <Sysname>

Page 511 - 55 DNS Configuration

60-1 60 Basic Configurations The term switch in this document refers to a switch in a generic sense or an access controller configured with the sw

Page 512 - DNS suffixes

7-1 7 VLAN Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured with the switch

Page 513 - Configuring the DNS Client

60-2 Configuring the Device Name To do… Use the command… Remarks Enter system view system-view — Configure the device name sysname sysname Option

Page 514 - Configuring the DNS Proxy

60-3 Configuration System clock displayed by the display clock command Example [1], 2 and 1 date-time Configure: clock timezone zone-time add 1 and c

Page 515 - DNS Configuration Examples

60-4 Configuration System clock displayed by the display clock command Example If the value of "date-time"±"zone-offset" is not i

Page 516

60-5 the same but are not part of the banner information. In this case, the input text, together with the command keywords, cannot exceed 510 charact

Page 517

60-6 By default, the <Ctrl+G>, <Ctrl+L> and <Ctrl+O> hotkeys are configured with command line and the <Ctrl+T> and <Ctrl+

Page 518

60-7 These hotkeys are defined by the device. When you interact with the device from terminal software, these keys may be defined to perform other o

Page 519

60-8 • When you configure the password for switching user level with the super password command, the user level is defaulted to 3 if no user level

Page 520

60-9 • For the detailed description of the display users command, refer to the Login in H3C WX6103 Access Controller Switch Interface Board Command

Page 521 - File System Management

60-10 <Sysname> ? User view commands: backup Backup next startup-configuration file to TFTP server boot-loader Set boot

Page 522 - File Operations

60-11 You can use the info-center synchronous command to enable synchronous information output. For the detailed description of this function, refer

Page 523 - Storage Device Operations

7-2 Figure 7-1 A VLAN diagram (labels: VLAN 2, VLAN 5, Switch A, Switch B, Router) A VLAN is not restricted by physical factors, that is to say, hosts that reside in

Page 524 - Memory space management

60-12 The regular expression is a string of 1 to 256 characters, case sensitive, and space allowed. It supports multiple mapping rules: • begin: Dis

Page 525 - Configuration File Overview

60-13 Saving History Commands The CLI can automatically save the commands that have been used. You can invoke and repeatedly execute them as needed.

Page 526 - Format of configuration file

61-1 61 System Maintaining and Debugging When maintaining and debugging the system, go to these sections for information you are interested in: • S

Page 527

61-2 3) The source device sends a packet with a TTL value of 2 to the destination device. 4) The second hop responds with a TTL-expired ICMP messag

Page 528

61-3 System Maintaining and Debugging System Maintaining To do… Use the command… Remarks ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i i

Page 529

61-4 • The debugging commands are usually used by administrators in diagnosing network failure. • Output of the debugging information may reduce s

Page 530 - 57 FTP Configuration

62-1 62 Device Management When configuring device management, go to these sections for information you are interested in: • Device Management Overv

Page 531 - Configuring the FTP Client

62-2 To do… Use the command… Remarks Enable the scheduled reboot function and specify a specific reboot time and date schedule reboot at hh:mm [ da

Page 532

62-3 Upgrading Boot ROM During the operation of the device, you can use Boot ROM in the storage device to upgrade Boot ROM programs that are running

Page 533

62-4 A confirmation is required when you execute this command. If you fail to make a confirmation within 30 seconds or enter “N” to cancel the opera

Page 534

7-3 IEEE802.1Q defines a four-byte VLAN Tag between the DA&SA field and the Type field to carry VLAN-related information, as shown in Figure 7-3.

Page 535 - Configuring the FTP Server

63-1 63 NQA Configuration When configuring NQA, go to these sections for information you are interested in: • NQA Overview • NQA Configuration Tas

Page 536

63-2 At present, NQA supports nine test types: ICMP-echo, DHCP, FTP, HTTP, UDP-jitter, SNMP, TCP, UDP-echo and DLSw. In an NQA test, the client sends

Page 537

63-3 For the detailed description of the Track module, refer to Track in H3C WX6103 Access Controller Switch Interface Board Configuration Guide. S

Page 538 - <Sysname> reboot

63-4 specified for a listening service on the server must be consistent with those on the client and must be different from those of an existing list

Page 539 - 58 TFTP Configuration

63-5 To do… Use the command… Remarks Enter system view system-view — Enable the NQA server nqa server enable Required Disabled by default. Configu

Page 540 - Configuring the TFTP Client

63-6 Follow these steps to configure the ICMP-echo test: To do… Use the command… Remarks Enter system view system-view — Enter NQA test group view

Page 541

63-7 Configuring the DHCP Test The DHCP test is mainly used to test the existence of a DHCP server on the network as well as the time necessary for t

Page 542

63-8 To do… Use the command… Remarks Enter system view system-view — Enter NQA test group view nqa entry admin-name operation-tag — Configure the t

Page 543 - Information Center Overview

63-9 To do… Use the command… Remarks Enter system view system-view — Enter NQA test group view nqa entry admin-name operation-tag — Configure the t

Page 544

63-10 Delay jitter refers to the difference between the interval of receiving two packets consecutively and the interval of sending these two packets

Page 545

7-4 • Other types The H3C WX6103 access controller switch interface boards support port-based VLAN and MAC address-based VLAN. Configuring Basic VL

Page 546 - System Information Format

63-11 To do… Use the command… Remarks Configure the time for waiting for a response in a UDP-jitter test probe packet-timeout packet-timeout Option

Page 547

63-12 To do… Use the command… Remarks Configure the source IP address of a probe request in a test operation source ip ip-address Optional By defau

Page 548

63-13 To do… Use the command… Remarks Configure the destination port destination port port-number Required By default, no destination port number i

Page 549

63-14 To do… Use the command… Remarks Configure the destination address for a test operation destination ip ip-address Required By default, no dest

Page 550

63-15 To do… Use the command… Remarks Configure the test type as DLSw and enter test type view type dlsw Required Configure the destination addres

Page 551

63-16 Configuring Trap Delivery Traps can be sent to the network management server when test is completed, test fails or probe fails. Configuration p

Page 552

63-17 To do… Use the command… Remarks Configure the number of probes in a test probe count times Optional By default, one probe is performed in a t

Page 553

63-18 After an NQA test group is scheduled, you cannot enter the test group view or test type view. Displaying and Maintaining NQA To do… Use the

Page 554

63-19 Square-Sum of round trip time: 256 Last succeeded probe time: 2007-03-14 17:21:07.8 Extend results: Packet lost in test:

Page 555

63-20 FTP Test Configuration Example Network requirements Use the NQA FTP function to test the connection with a specified FTP server and the time ne

Page 556

i Table of Contents 1 Logging In Through an OAP Board

Page 557

7-5 Follow these steps to configure VLAN interface basic attributes: To do… Use the command… Remarks Enter system view system-view — Create a VLAN

Page 558

63-21 HTTP Test Configuration Example Network requirements Use the HTTP function to test the connection with a specified HTTP server and the time req

Page 559 - 60 Basic Configurations

63-22 Network diagram Figure 63-7 Network diagram for UDP-jitter test Configuration procedure 1) Configure Switch. # Enable the NQA server and conf

Page 560 - Configuring the System Clock

63-23 Positive SD square sum: 2 Positive DS square sum: 226 Min negative SD: 1 Min negative DS: 1

Page 561

63-24 Extend results: Packet lost in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no

Page 562 - Configuring a Banner

63-25 Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence erro

Page 563 - Configuring CLI Hotkeys

63-26 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to ot

Page 564

64-1 64 SSH Configuration When configuring SSH, go to these sections for information you are interested in: • SSH2.0 Overview • Configuring the De

Page 565

64-2 Figure 64-1 Encryption and decryption Key-based algorithm is usually classified into symmetric key algorithm and asymmetric key algorithm. Asy

Page 566

64-3 Version negotiation • The server opens port 22 to listen to connection requests from clients. • The client sends a TCP connection request to t

Page 567 - CLI Features

64-4 • The server authenticates the client. If the authentication fails, the server informs the client by sending a message, which includes a list o

Page 568

7-6 Default VLAN You can configure the default VLAN for a port. By default, VLAN 1 is the default VLAN for all ports. However, this can be changed as

Page 569 - CLI Display

64-5 • During interactive session, the client can send the commands to be performed by pasting the text, which must be within 2000 bytes. It is re

Page 570 - Display functions

64-6 Configuring the User Interfaces for SSH Clients An SSH client accesses the device through a VTY user interface. Therefore, you need to configure

Page 571 - Saving History Commands

64-7 • Configuration of the rsa local-key-pair create and public-key local create dsa command can survive a reboot. You only need to configure it o

Page 572 - The tracert command

64-8 automatically converts the public key to a string coded using the PKCS standard. Before importing the public key, you must upload the public key

Page 573

64-9 To do… Use the command… Remarks Enter system view system-view — For stelnet users ssh user username service-type stelnet authentication-type {

Page 574 - System Debugging

64-10 For users using publickey authentication: • You must configure on the device the corresponding username and public keys. • After login, the

Page 575 - System Maintaining Example

64-11 Configuring the Device as an SSH Client SSH Client Configuration Task List Complete the following tasks to configure an SSH client: Task Remar

Page 576 - 62 Device Management

64-12 Disable first-time authentication For successful authentication of an SSH client not supporting first-time authentication, the server host publ

Page 577

64-13 To do… Use the command… Remarks Display the source IP address or interface currently set for the SSH client display ssh client source Availab

Page 578 - Upgrading Boot ROM

64-14 [AC-luser-client001] password simple aabbcc [AC-luser-client001] service-type ssh level 3 [AC-luser-client001] quit # Specify the service type

Page 579

7-7 Configuring an Access-Port-Based VLAN There are two ways to configure Access-port-based VLAN: one way is to configure in VLAN view, the other way

Page 580 - 63 NQA Configuration

64-15 When Using Publickey Authentication Network requirements • As shown in Figure 64-4, a local SSH connection is established between the host (SS

Page 581

64-16 # Specify the authentication type for user “client002” as publickey, and assign the public key “AC001” for the user. [AC] ssh user client002 se

Page 582 - Basic Concepts of NQA

64-17 Figure 64-6 Generate a client key pair (2) After the key pair is generated, click Save public key to save the key in a file by entering a fil

Page 583 - Configuring the NQA Server

64-18 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any p

Page 584 - Creating an NQA Test Group

64-19 Figure 64-10 SSH client configuration interface (2) From the window shown in Figure 64-10, click Open. The following SSH client interface app

Page 585

64-20 Configuration procedure 1) Configure the SSH server # Create an RSA and DSA key pair and enable the SSH server. <Switch> system-view [Sw

Page 586 - Configuring the FTP Test

64-21 [AC-pkey-key-code]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 [AC-pkey-key-code]B32E810561C21621C73D6DAAC

Page 587 - Configuring the HTTP Test

64-22 <Switch> system-view [Switch] public-key local create rsa [Switch] public-key local create dsa [Switch] ssh server enable # Configure an

Page 588

64-23 After generating a key pair on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configu

Page 589 - Configuration prerequisites

65-1 65 SFTP Service When configuring SFTP, go to these sections for information you are interested in: • SFTP Overview • Configuring an SFTP Serv

Page 590 - Configuring the SNMP Test

7-8 Follow these steps to configure the Trunk-port-based VLAN: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port

Page 591 - Configuring the TCP Test

65-2 When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on t

Page 592

65-3 To do… Use the command… Remarks Establish a connection to the remote IPv4 SFTP server and enter SFTP client view sftp server [ port-number ] [

Page 593 - Configuring the DLSw Test

65-4 Working with SFTP Files SFTP file operations include: • Changing the name of a file • Downloading a file • Uploading a file • Displaying a l

Page 594

65-5 To do… Use the command… Remarks Display a list of all commands or the help information of an SFTP client command help [ all | command-name ] R

Page 595 - Configuring Trap Delivery

65-6 # Configure an IP address for VLAN interface 1, which the SSH client uses as the destination for SSH connection. [Switch] interface Vlan-interfa

Page 596 - Scheduling an NQA Test Group

65-7 # Display files under the current directory of the server, delete the file named “z”, and check if the file is deleted successfully. sftp-client

Page 597 - NQA Configuration Examples

65-8 Uploading file successfully ended sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone

Page 598

66-1 66 SSL Configuration When configuring SSL, go to these sections for information you are interested in: • SSL Overview • SSL Configuration Tas

Page 599

66-2 algorithm, and master key. An SSL session can be used to establish multiple connections, reducing session negotiation cost. • SSL change cipher

Page 600

66-3 To do... Use the command... Remarks Configure the SSL connection close mode close-mode wait Optional Not wait by default Set the maximum numbe

Page 601

7-9 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number Enter Ethern

Page 602

66-4 Configuration procedure 1) Request a certificate for AC # Create a PKI entity named en and configure it. <Sysname> system-view [Sysname]

Page 603

66-5 • For details about PKI configuration commands, refer to PKI in H3C WX6103 Access Controller Switch Interface Board Command Reference. • For

Page 604

66-6 Displaying and Maintaining SSL To do... Use the command... Remarks Display SSL server policy information display ssl server-policy { policy-n

Page 605

67-1 67 HTTPS Configuration When configuring HTTPS, go to these sections for information you are interested in: • HTTPS Overview • HTTPS Configura

Page 606 - 64 SSH Configuration

67-2 Follow these steps to associate the HTTPS service with an SSL server policy: To do… Use the command… Remarks Enter system view system-view —

Page 607 - SSH Operating Process

67-3 Associating the HTTPS Service with a Certificate Attribute Access Control Policy Associating the HTTPS service with a configured certificate acc

Page 608 - Authentication

67-4 Displaying and Maintaining HTTPS To do… Use the command… Remarks Display information about HTTPS display ip https Available in any view HTTPS

Page 609 - Interactive session

67-5 [AC-pki-domain-1] certificate request entity en [AC-pki-domain-1] quit # Generate a key pair locally by using the RSA algorithm. [AC] public-key

Page 610 - Enabling SSH Server

68-1 68 PKI Configuration When configuring PKI, go to these sections for information you are interested in: • Introduction to PKI • PKI Configura

Page 611 - Configuring RSA and DSA Keys

68-2 the name of the CA and the sequence number of the certificate. A digital certificate must comply with the international standard of ITU-T X.509. T

Page 612

7-10 The ways to create MAC address-based VLANs A MAC address-based VLAN can be created in one of the following two ways. • Static configuration (th

Page 613 - Configuring an SSH User

68-3 CA A CA is a trusted entity responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity period o

Page 614

68-4 4) The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity th

Page 615

68-5 The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN paramet

Page 616

68-6 A PKI domain is defined by these parameters: • Trusted CA An entity requests a certificate from a trusted CA. • Entity A certificate applican

Page 617

68-7 To do… Use the command… Remarks Configure the polling interval and maximum number of attempts for querying the certificate request status cert

Page 618

68-8 Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is

Page 619

68-9 Retrieving a Certificate Manually You can download an existing CA certificate or local certificate from the CA server and save it locally. To do

Page 620

68-10 To do… Use the command… Remarks Set the CRL update period crl update-period hours Optional By default, the CRL update period depends on the n

Page 621

68-11 To do… Use the command… Remarks Enter system view system-view — Destroy a local RSA key pair public-key local destroy rsa Required For deta

Page 622

68-12 A certificate attribute group must exist to be associated with a rule. Displaying and Maintaining PKI To do… Use the command… Remarks Displ

Page 623

7-11 Displaying and Maintaining VLAN To do... Use the command… Remarks Display the information about specific VLANs display vlan [ vlan-id1 [ to vl

Page 624

68-13 Network diagram Figure 68-2 Diagram for configuring a PKI entity to request a certificate from a CA Configuration procedure On the CA server,

Page 625

68-14 [AC-pki-domain-torsa] certificate request from ca # Specify the entity for certificate request as aaa. [AC-pki-domain-torsa] certificate reques

Page 626

68-15 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn O=org OU=test CN=myca

Page 627

68-16 Networking diagram Figure 68-3 Diagram for configuring a certificate attribute-based access control policy Configuration procedure z For d

Page 628

68-17 3) Configure the certificate attribute-based access control policy # Create the certificate attribute-based access control policy of myacp and

Page 629 - 65 SFTP Service

68-18 • The current key pair has been bound to a certificate. • No trusted CA is specified. • The URL of the enrollment server for certificate req

Page 630 - Configuring an SFTP Client

69-1 69 Track Configuration The term switch in this document refers to a switch in a generic sense or an access controller configured with the swi

Page 631

69-2 The Track module works between the application modules and the detection modules and is mainly used to obscure the difference of various detecti

Page 632 - Displaying Help Information

69-3 To do… Use the command… Remarks Enter system view system-view — Create a Track object and associate it with the specified Reaction entry of th

Page 633 - SFTP Configuration Example

69-4 • For the configuration of Track-Static Routing collaboration, the specified static route can be an existent or nonexistent one. For an existe

Page 634

7-12 # Configure packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through GigabitEthernet 0/0/1. [AC-GigabitEthernet0/0/1] port trun

Page 635

69-5 Configuration procedure 1) Configure the IP address of each interface as shown in Figure 69-2. 2) Configure a static route on AC A and associa

Page 636

69-6 The output information above indicates the NQA test result, that is, the next hop 10.2.1.1 is reachable (the status of the Track object is Posit

Page 637 - 66 SSL Configuration

70-1 70 Index A Aggregation Port Group 16-5 Applying a QoS Policy to VLANs 48-1 Approaches to Link Aggregation 16-2 ARP Overview 33-1 Associating t

Page 638 - SSL Configuration Task List

70-2 Configuring DHCP Snooping Basic Functions 38-4 Configuring DHCP Snooping to Support Option 82 38-4 Configuring Digest Snooping 20-33 Configuring

Page 639

70-3 Controlling Telnet Users 6-1 Copying an IPv4 ACL 41-7 Copying an IPv6 ACL 42-4 Creating a Time Range 42-1 Creating a Time Range 41-1 Creating

Page 640

70-4 Displaying and Maintaining Static Routes 23-4 Displaying and Maintaining the DHCP Client 37-2 Displaying and Maintaining the TFTP Client 58-3 Di

Page 641

70-5 Introduction to QinQ 12-1 Introduction to UDP Helper 51-1 Introduction to VLAN 7-1 Introduction to Voice VLAN 8-1 Introduction 2-1 Introduction

Page 642 - Troubleshooting SSL

70-6 Port Security Configuration Examples 19-10 Port Security Configuration Task List 19-3 Port-Based VLAN Configuration 7-5 Priority Mapping Overvie

Page 643 - 67 HTTPS Configuration

70-7 Troubleshooting 26-6 Troubleshooting 27-14 U UDP Helper Configuration Example 51-2 V VLAN Configuration Example 7-11 Voice VLAN Configuration Ex

Page 644 - Enabling the HTTPS Service

7-13 • The port permits packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 (VLAN permitted: 2, 6-50, 100). So the configuration is successful.

Page 645 - Control Policy

8-1 8 Voice VLAN Configuration When configuring Voice VLAN, go to these sections for information you are interested in: • Introduction to Voice VLA

Page 646 - HTTPS Configuration Example

ii Prerequisites 6

Page 647

8-2 Voice VLAN Modes on a Port There are two voice VLAN modes on a port: automatic and manual (the mode here refers to the way of adding a port to a

Page 648 - 68 PKI Configuration

8-3 If the voice traffic sent by an IP phone is tagged and that the access port has 802.1x authentication and Guest VLAN enabled, assign different V

Page 649 - Architecture of PKI

8-4 Configuring Voice VLAN Mode on a Port to Automatic Mode Follow these steps to set the port voice VLAN mode to automatic: To do... Use the comman

Page 650 - Operation of PKI

8-5 To do... Use the command... Remarks Enable the voice VLAN feature globally voice vlan vlan-id enable Required Enter Ethernet port view interfa

Page 651 - Configuring an Entity DN

8-6 • The voice traffic sent by the IP phones is tagged. Configure GigabitEthernet 0/0/1 as a Hybrid port and as the access port, with VLAN 6 as the

Page 652 - Configuring a PKI Domain

8-7 Verification # Display information about the OUI addresses, OUI address masks, and descriptive strings. <AC> display voice vlan oui Oui Add

Page 653

8-8 Network diagram Figure 8-2 Network diagram for manual voice VLAN mode configuration Configuration procedure # Configure the voice VLAN to work

Page 654

8-9 00e0-7500-0000 ffff-ff00-0000 Polycom phone 00e0-bb00-0000 ffff-ff00-0000 3com phone # Display the current voice VLAN state. <AC> displ

Page 655

9-1 9 GVRP Configuration GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to main

Page 656

9-2 2) GARP timers The interval of sending of GARP messages is controlled by the following four timers: • Hold timer –– A GARP participant usually

Page 657

iii GVRP Configuration Example III 9-9 10 IP Addr

Page 658 - Deleting a Certificate

9-3 Figure 9-1 GARP message format Table 9-1 describes the GARP message fields. Table 9-1 Description on the GARP message fields Field Descriptio

Page 659 - PKI Configuration Examples

9-4 GVRP GVRP enables a device to propagate local VLAN registration information to other participant devices and dynamically update the VLAN registr

Page 660

9-5 Configuring GVRP Enabling GVRP Follow these steps to enable GVRP on a trunk port: To do… Use the command… Remarks Enter system view system-vie

Page 661

9-6 • The setting of each timer must be a multiple of five (in centiseconds). • The settings of the timers are correlated. If you fail to set a ti

Page 662

9-7 Configuration procedure 1) Configure AC # Enable GVRP globally. <AC> system-view [AC] gvrp # Configure port GigabitEthernet 0/0/1 as a Tru

Page 663 - Networking diagram

9-8 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registration and update among devices. Specify fix

Page 664 - Troubleshooting PKI

9-9 [Device] display vlan dynamic Now, the following dynamic VLAN exist(s): 2 Device in this configuration example refers to a device that suppo

Page 665 - Failed to Retrieve CRLs

9-10 # Enable GVRP on GigabitEthernet 0/0/1. [Device-GigabitEthernet0/0/1] gvrp [Device-GigabitEthernet0/0/1] quit # Create VLAN 3 (a static VLAN).

Page 666 - 69 Track Configuration

10-1 10 IP Addressing Configuration When assigning IP addresses to interfaces on your device, go to these sections for information you are intereste

Page 667 - Detection Modules

10-2 Figure 10-1 IP address classes Table 10-1 describes the address ranges of these five classes. Currently, the first three classes of IP address

Page 668 - Application Modules

iv Configuring the Broadcast/Multicast/Unknown Unicast Storm Suppression Ratio for an Ethernet Port

Page 669 - Track Configuration Example

10-3 combination of net-id and subnet-id, masking is used. (When subnetting is not adopted, a mask identifies the boundary between the host-id and th

Page 670

10-4 • Assigning an IP Address to an Interface • IP Addressing Configuration Example Assigning an IP Address to an Interface You may assign an inte

Page 671

10-5 Network diagram Figure 10-3 Network diagram for IP addressing configuration

Page 672 - 70 Index

10-6 Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms Reply fr

Page 673

11-1 11 IP Performance Configuration When configuring IP performance, go to these sections for information you are interested in: • IP Performance

Page 674

11-2 Follow these steps to enable the device to receive directed broadcasts: To do… Use the command… Remarks Enter system view system-view — Enable

Page 675

11-3 # Enable AC to receive directed broadcasts. <AC> system-view [AC] ip forward-broadcast # Configure IP addresses for VLAN-interface 3 and V

Page 676

11-4 To do… Use the command… Remarks Configure TCP finwait timer’s timeout value tcp timer fin-timeout time-value Optional By default, the timeout

Page 677

11-5 If the device receives an IP packet with the destination unreachable, it will drop the packet and send an ICMP destination unreachable error pac

Page 678

11-6 • The device stops sending “network unreachable” and “source route failure” ICMP error packets after sending ICMP destination unreachable pack
