HP 1920 Gigabit Ethernet Switch Series User Guide
Part number: 5998-5627
Software version: Release 1102
Document version: 5W100-20140620
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Contents
Overview ······ 1
Configuring the switch in the Web interface ······ 2
Restrictions and guidelines ······ 2
Operating system requirements ······ 2
Web browser requirements ······ 2
Others ······ 5
Overview ······ 6
Logging in to the Web interface ······ 6
Logging out of the Web interface ······ ...
Displaying system and device information ······ 47
Displaying system information ······ 47
Displaying basic system information ······ 47
Displaying the system resource state ······ 48
Displaying recent system logs ······ 48
Setting the refresh period ······ 48
Displaying device information ······ 48
Configuring basic device settings ······ ...
Mirroring source ······ 79
Mirroring destination ······ 79
Mirroring direction ······ 79
Mirroring group ······ 79
Local port mirroring ······ 79
Configuration restrictions and guidelines ······ 80
Recommended configuration procedures ······ 80
Configuring a mirroring group ······ 80
Configuring ports for the mirroring group ······ 81
Local port mirroring configuration example ······ ...
Configuring an SNMP user ······ 120
Configuring SNMP trap function ······ 121
Displaying SNMP packet statistics ······ 123
SNMPv1/v2c configuration example ······ 124
SNMPv3 configuration example ······ 127
Displaying interface statistics ······ 132
Configuring VLANs ······ 133
Overview ······ 133
VLAN fundamentals ······ ...
Creating a static MAC address entry ······ 176
Configuring MSTP ······ 177
Overview ······ 177
Introduction to STP ······ 177
STP protocol packets ······ 177
Basic concepts in STP ······ 178
Calculation process of the STP algorithm ······ 179
Introduction to RSTP ······ 184
Introduction to MSTP ······ ...
Static route ······ 278
Default route ······ 279
Displaying the IPv4 active route table ······ 279
Creating an IPv4 static route ······ 280
Displaying the IPv6 active route table ······ 281
Creating an IPv6 static route ······ 281
IPv4 static route configuration example ······ 283
Network requirements ······ ...
Configuring 802.1X ······ 321
802.1X overview ······ 321
802.1X architecture ······ 321
Access control methods ······ 321
Controlled/uncontrolled port and port authorization status ······ 322
Packet formats ······ 322
EAP over RADIUS ······ 323
Initiating 802.1X authentication ······ 324
802.1X authentication procedures ······ 325
802.1X timers ······ ...
PKI applications ······ 386
Recommended configuration procedures ······ 386
Recommended configuration procedure for manual request ······ 386
Recommended configuration procedure for automatic request ······ 388
Creating a PKI entity ······ 388
Creating a PKI domain ······ 390
Generating an RSA key pair ······ 393
Destroying the RSA key pair ······ ...
Configuring loopback detection ······ 447
Recommended configuration procedure ······ 447
Configuring loopback detection globally ······ 447
Configuring loopback detection on a port ······ 448
Configuring ACLs ······ 450
Overview ······ 450
ACL categories ······ 450
Match order ······ 450
Implementing time-based ACL rules ······ 452
IPv4 fragments filtering with ACLs ······ ...
Configuring non-standard PD detection ······ 499
Displaying information about PSE and PoE ports ······ 500
PoE configuration example ······ 501
Support and other resources ······ 503
Contacting HP ······ 503
Subscription service ······ 503
Related information ······ 503
Documents ······ 503
Websites ······ ...
Overview
The HP 1920 Switch Series can be configured through the command line interface (CLI), Web interface, and SNMP/MIB. These configuration methods are suitable for different application scenarios.
• The Web interface supports all 1920 Switch Series configurations.
• The CLI provides configuration commands to facilitate your operation. To perform other configurations not supported by the CLI, use the Web interface.
TCP connections. When the limit is reached, you cannot log in to the Web interface.
Web browser requirements
• HP recommends that you use the following Web browsers:
Internet Explorer 6 SP2 or higher
Mozilla Firefox 3 or higher
Google Chrome 2.0.174.0 or higher
• If you are using a Microsoft Internet Explorer browser, you must enable the security settings (see ...
Figure 1 Internet Explorer settings (1)
Click Custom Level. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
Figure 2 Internet Explorer settings (2)
Click OK to save your settings.
Enabling JavaScript in a Firefox browser
Launch the Firefox browser, and select Tools > Options. In the Options dialog box, click the Content icon, and select Enable JavaScript.
Figure 3 Firefox browser settings
Click OK to save your settings.
Others
• The Web interface does not support the Back, Next, and Refresh buttons provided by the browser. Using these buttons might result in abnormal display of Web pages.
• ...
Overview
The device provides web-based configuration interfaces for visual device management and maintenance.
Figure 4 Web-based network management operating environment
Logging in to the Web interface
You can use the following default settings to log in to the web interface through HTTP:
• ...
For security purposes, log out of the Web interface after you finish your operations. Save the current configuration. Because the system does not save the current configuration automatically, HP recommends that you perform this step to avoid loss of configuration.
• Navigation tree—Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed. The result is displayed in the body area.
• Body area—Allows you to configure and display features.
• Title area—On the left, displays the path of the current configuration interface in the navigation area; ...
Function menu | Description | User level
Electronic Label | Display the electronic label of the device. | Monitor
Diagnostic Information | Generate diagnostic information file and view or save the file to local host. | Management
System Time | Display and configure the system date and time. | Configure
(continued) | Display the synchronization status of the system ... |
Function menu | Description | User level
Switch To Management | Switch the current user level to the management level. | Visitor
Loopback | Perform loopback tests on Ethernet interfaces. | Configure
(menu name not shown) | Check the status of the cables connected to Ethernet ports. | Configure
Flow Port Traffic | Display the average rate at which the interface receives and sends packets within a specified time ... |
Function menu | Description | User level
Select VLAN | Select a VLAN range. | Monitor
Create | Create VLANs. | Configure
Port Detail | Display the VLAN-related details of a port. | Monitor
Detail | Display the member port information about a VLAN. | Monitor
Modify VLAN | Modify the description and member ports of a VLAN. | Configure
Function menu | Description | User level
Summary | Display information about LACP-enabled ports and their partner ports. | Monitor
LACP Setup | Set LACP priorities. | Configure
Port Setup | Display the LLDP configuration information, local information, neighbor information, statistics information, and status information about a port. | Monitor
(continued) | Modify LLDP configuration on a port. |
Function menu | Description | User level
Summary (IPv6 Routing) | Display the IPv6 active route table. | Monitor
Create | Create an IPv6 static route. | Configure
Remove | Delete the selected IPv6 static routes. | Configure
(menu name not shown) | Display information about the DHCP status, advanced configuration information about the DHCP relay agent, DHCP server group configuration, DHCP relay agent interface ... | Monitor
Function menu | Description | User level
(menu name not shown) | Display the accounting method configuration information about an ISP domain. | Monitor
Accounting | Specify accounting methods for an ISP domain. | Management
RADIUS Server | Display and configure RADIUS server information. | Management
RADIUS Setup | Display and configure RADIUS parameters. | Management
(menu name not shown) | Display configuration information about local ... | Monitor
Function menu | Description | User level
Link Setup | Create a rule for a link layer ACL. | Configure
Remove | Delete an IPv4 ACL or its rules. | Configure
Summary | Display IPv6 ACL configuration information. | Monitor
Create | Create an IPv6 ACL. | Configure
Basic Setup | Configure a rule for a basic IPv6 ACL. |
Function menu | Description | User level
Summary | Display PSE information and PoE interface information. | Monitor
PSE Setup | Configure a PoE interface. | Configure
Port Setup | Configure a port. | Configure
Common items on the Web pages
Buttons and icons
Table 2 Commonly used buttons and icons
Button and icon | Function
(Apply button) | Applies the configuration on the current page.
Figure 7 Content display by pages
Search function
The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria.
• Basic search—As shown in Figure 7, type the keyword in the text box above the list, select a search ...
Figure 9 Advanced search
Take the LLDP table shown in Figure 7 as an example. To search for the LLDP entries with LLDP Work Mode TxRx, and LLDP Status Disabled:
Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 10, and click Apply.
Figure 12 Advanced search function example (3)
Sort function
On some list pages, the Web interface provides the sorting function to display the entries in a certain order. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.
Configuring the switch at the CLI
The HP 1920 Switch Series can be configured through the CLI, Web interface, and SNMP/MIB, among which the Web interface supports all 1920 Switch Series configurations. These configuration methods are suitable for different application scenarios. As a supplement to the Web interface, the CLI provides some configuration commands to facilitate your operation, which are described in this chapter.
NOTE:
• The serial port on a PC does not support hot swapping. When you connect a PC to a powered-on switch, connect the DB-9 connector of the console cable to the PC before connecting the RJ-45 connector to the switch.
Figure 16 Setting the serial port used by the HyperTerminal connection
Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, and click OK.
Figure 17 Setting the serial port parameters
Select File > ...
Figure 18 HyperTerminal window
Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box.
Figure 19 Setting terminal emulation in Switch Properties dialog box
Username:admin
Press Enter. The Password prompt appears.
Password:
The login information is verified, and the following CLI prompt appears:
<HP 1920 Switch>
If the password is invalid, the following message appears and the process restarts.
% Login failed!
CLI commands
This section contains the following commands: ...
initialize
Syntax
initialize
Parameters
None
Description
Use initialize to delete the configuration file to be used at the next startup and reboot the device with the default configuration being used during reboot.
Use the command with caution because this command deletes the configuration file to be used at the next startup and restores the factory default settings.
Change password for user: admin
Old password: ***
Enter new password: **
Retype password: **
The password has been successfully changed.
ping
Syntax
ping host
Parameters
host: Destination IPv4 address (in dotted decimal notation) or host name (a string of 1 to 255 characters).
Description
Use ping to ping a specified destination.
Examples
# Ping IPv6 address 2001::4.
<Sysname> ping ipv6 2001::4
PING 2001::4 : 56 data bytes, press CTRL_C to break
Reply from 2001::4 bytes=56 Sequence=1 hop limit=64 time = 15 ms
Reply from 2001::4 bytes=56 Sequence=2 hop limit=64 time = 2 ms
Reply from 2001::4 bytes=56 Sequence=3 hop limit=64 time = 11 ms
...
reboot
Syntax
reboot
Parameters
None
Description
Use reboot to reboot the device and run the main configuration file.
Use the command with caution because reboot results in service interruption. If the main configuration file is corrupted or does not exist, the device cannot be rebooted with the reboot command.
To validate the downloaded software package file, reboot the device.
NOTE:
The HP 1920 Switch Series does not provide an independent Boot ROM image; instead, it integrates the Boot ROM image with the system software image file together in a software package file with the extension name of .bin.
Examples
# Download software package file main.bin from the TFTP server and use the Boot ROM image in the package as the startup configuration file.
<Sysname> upgrade ipv6 2001::2 main.bin bootrom
# Download software package file main.bin from the TFTP server and use the system software image file in the package as the startup configuration file.
Deleting the old file, please wait...
File will be transferred in binary mode
Downloading file from remote TFTP server, please wait.../
TFTP: 10262144 bytes received in 61 second(s)
File downloaded successfully.
BootRom file updating finished!
# Reboot the switch.
<Switch> reboot
After getting the new image file, reboot the switch to validate the upgraded image.
Configuration wizard
The configuration wizard guides you through configuring the basic service parameters, including the system name, system location, contact information, and management IP address.
Basic service setup
Entering the configuration wizard homepage
Select Wizard from the navigation tree.
Figure 21 Configuration wizard homepage
Configuring system parameters
On the wizard homepage, click Next.
Figure 22 System parameter configuration page
Configure the parameters as described in Table 3.
Table 3 Configuration items
Item | Description
Sysname | Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device > ...
Configuring management IP address
CAUTION:
Modifying the management IP address used for the current login terminates the connection to the device. Use the new management IP address to re-log in to the system.
On the system parameter configuration page, click Next.
Figure 23 Management IP address configuration page
Configure the parameters as described in Table ...
Item | Description
(item name not shown) | Enable or disable the VLAN interface. If errors occur on the VLAN interface, disable the interface and then enable it again to bring the interface back to normal operation. By default, the VLAN interface is down if no Ethernet ports in the VLAN are up. The VLAN Admin status is in the up state if one or more ports in the VLAN are up.
Configuring stack
Overview
The stack management feature allows you to configure and monitor a group of connected devices by logging in to one device in the stack, as shown in Figure 25.
Figure 25 Stacking devices
To set up a stack for a group of connected devices, you must log in to one device to create the stack. This device is the master device for the stack.
Task | Remarks
Configuring member devices of a stack: |
Configuring stack ports | Required. Configure a port of a member device that connects to the master device or another member device as a stack port. By default, a port is not a stack port.
(next task) | Optional.
Figure 26 Setting up
Table 6 Configuration items
Item | Description
(item name not shown) | Configure a private IP address pool for the stack. The master device of a stack must be configured with a private IP address pool to make sure it can automatically allocate an available IP address to a member device when the device joins the stack.
Displaying topology summary of a stack
Select Stack from the navigation tree and click the Topology Summary tab to enter the page shown in Figure 27.
Figure 27 Topology Summary tab
Table 7 Field description
Fields | Description
Member ID | ID of the device in the stack:
• ...
Figure 29 Device summary (a member device)
Stack configuration example
Network requirements
As shown in Figure 30, Switch A, Switch B, Switch C, and Switch D are connected to one another. Create a stack, where Switch A is the master device, and Switch B, Switch C, and Switch D are member devices.
Figure 31 Configuring global parameters for the stack on Switch A
Switch A becomes the master device.
Configure a stack port on Switch A:
In the Port Settings area on the Setup tab, select GigabitEthernet1/0/1.
Click Enable.
Figure 32 Configuring a stack port on Switch A
On Switch B, configure GigabitEthernet 1/0/2 (connected to Switch A), GigabitEthernet 1/0/1 (connected to Switch C), and GigabitEthernet 1/0/3 (connected to Switch D) as stack ports:
Select Stack from the navigation tree of Switch B.
Figure 33 Configuring stack ports on Switch B
Switch B becomes a member device.
On Switch C, configure GigabitEthernet 1/0/1 (the port connected to Switch B) as a stack port:
Select Stack from the navigation tree of Switch C.
In the Port Settings area on the Setup tab, select GigabitEthernet1/0/1.
Click Enable.
Verifying the configuration
To verify the stack topology on Switch A:
Select Stack from the navigation tree of Switch A.
Click the Topology Summary tab.
Figure 35 Verifying the configuration
Configuration guidelines
When you configure a stack, follow these guidelines:
• ...
Displaying system and device information
Displaying system information
Select Summary from the navigation tree to enter the System Information page to view the basic system information, system resource state, and recent system logs.
Figure 36 System information
Displaying basic system information
Table 8 Field description
Item | Description
...
Displaying the system resource state
The System Resource State area displays the most recent CPU usage, memory usage, and temperature.
Displaying recent system logs
Table 9 Field description
Field | Description
Time | Time when the system logs were generated.
Level | Severity of the system logs.
Description | Description for the system logs.
Figure 37 Device information
To set the interval for refreshing device information, select one of the following options from the Refresh Period list:
• If you select a certain period, the system refreshes device information at the specified interval.
• If you select Manual, the system refreshes device information only when you click the Refresh button.
Configuring basic device settings
The device basic information feature provides the following functions:
• Set the system name of the device. The configured system name is displayed on the top of the navigation bar.
• Set the idle timeout period for logged-in users. The system logs an idle user off the Web for security purposes after the configured period.
Set the idle timeout period for logged-in users.
Click Apply.
Maintaining devices
Software upgrade
CAUTION:
Software upgrade takes some time. Avoid performing any operation on the Web interface during the upgrading procedure. Otherwise, the upgrade operation may be interrupted.
A boot file, also known as the system software or device software, is an application file used to boot the device.
Item | Description
If a file with the same name already exists, overwrite it without any prompt | Specify whether to overwrite the file with the same name. If you do not select the option, when a file with the same name exists, a dialog box appears, telling you that the file already exists and you cannot continue the upgrade.
Electronic label
Electronic label allows you to view information about the device electronic label, which is also known as the permanent configuration data or archive information. The information is written into the storage medium of a device or a card during the debugging and testing processes, and includes card name, product bar code, MAC address, debugging and testing dates, and manufacturer name.
Figure 44 The diagnostic information file is created The generation of the diagnostic file takes a period of time. During this process, do not perform any operation on the Web page. After the diagnostic file is generated successfully, you can view this file on the page you enter by selecting Device >...
Configuring system time
Overview
You must configure a correct system time so that the device can operate correctly with other devices. The system time module allows you to display and set the device system time on the Web interface. You can set the system time through manual configuration or network time protocol (NTP) automatic synchronization.
Figure 46 Calendar page Enter the system date and time in the Time field, or select the date and time in the calendar. To set the time on the calendar page, select one of the following methods: Click Today. The date setting in the calendar is synchronized to the current local date configuration, and the time setting does not change.
Table 11 Configuration items
Clock status: Display the synchronization status of the system clock.
Source Interface: Set the source interface for an NTP message. This configuration makes the source IP address in the NTP messages the primary IP address of this interface. If the specified source interface is down, the source IP address is the primary IP address of the egress interface.
Figure 48 Network diagram
Configuring the system time
Configure the local clock as the reference clock, with the stratum of 2. Enable NTP authentication, set the key ID to 24, and specify the created authentication key aNiceKey as a trusted key. (Details not shown.)
On Switch B, configure Device A as the NTP server: Select Device >...
• The synchronization process takes some time. The clock status might be displayed as unsynchronized after your configuration. In this case, refresh the page to view the clock status and system time later on.
• If the system time of the NTP server is ahead of the system time of the device, and the time gap exceeds the Web idle time specified on the device, all online Web users are logged out because of timeout after the synchronization finishes.
Configuring syslog
System logs record network and device information, including running status and configuration changes. With system logs, administrators can take corresponding actions against network problems and security problems.
The system sends system logs to the following destinations:
• Console
•...
Table 12 Field description
Time/Date: Displays the time/date when the system log was generated.
Source: Displays the module that generated the system log.
Displays the severity level of the system log. The information is classified into eight levels by severity:
•...
Click Apply.
Table 13 Configuration items
IPv4/Domain Loghost IP/Domain: Specify the IPv4 address or domain name of the log host.
IMPORTANT: You can specify up to four log hosts.
IPv6 Loghost IP: Set the IPv6 address of the log host.
Setting buffer capacity and refresh interval
Select Device >...
• Back up the configuration files for the next startup to your local host.
IMPORTANT: HP recommends backing up both the .cfg and .xml files. If you back up only the .cfg file, some configuration information might not be restored when, for example, the configuration is mistakenly removed.
To restore the configuration: Select Device > Configuration from the navigation tree. Click the Restore tab. Figure 54 Restoring the configuration Click the upper Browse button. The file upload dialog box appears. Select the .cfg file to be uploaded, and click OK. Click the lower Browse button.
Figure 55 Saving the configuration
• Common mode.
To save the configuration in common mode: Select Device > Configuration from the navigation tree. Click the Save tab. Click Save Current Settings.
Resetting the configuration
Resetting the configuration restores the device's factory defaults, deletes the current configuration files, and reboots the device.
Managing files The device requires a series of files for correct operation, including boot files and configuration files. These files are saved on the storage media. You can display files on the storage media, download, upload, or remove a file, or specify the main boot file. Displaying files Select Device >...
Open the file or save the file to a path. Uploading a file IMPORTANT: Uploading a file takes some time. HP recommends not performing any operation on the Web interface during the upload. Select Device > File Management from the navigation tree to enter the file management page...
Managing ports
You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface.
• For a Layer 2 Ethernet port, these operation parameters include its state, speed, duplex mode, link...
Figure 58 The Setup tab
Set the operation parameters for the port as described in Table
Click Apply.
Table 15 Configuration items
Port State: Enable or disable the port. Sometimes, after you modify the operation parameters of a port, you must disable and then enable the port to have the modifications take effect.
Speed: Set the transmission speed of the port:
• 10—10 Mbps.
• 100—100 Mbps.
• 1000—1000 Mbps.
• Auto—Autonegotiation.
• Auto 10—Autonegotiated to 10 Mbps.
• Auto 100—Autonegotiated to 100 Mbps.
• Auto 1000—Autonegotiated to 1000 Mbps.
• Auto 10 100—Autonegotiated to 10 or 100 Mbps.
Flow Control: Enable or disable flow control on the port. With flow control enabled at both sides, when traffic congestion occurs on the ingress port, the ingress port sends a Pause frame notifying the egress port to temporarily suspend the sending of packets.
Unicast Suppression: Set unicast suppression on the port:
• ratio—Sets the maximum percentage of unicast traffic to the total bandwidth of an Ethernet port. When you select this option, you must enter a percentage in the box below.
• pps—Sets the maximum number of unicast packets that can be forwarded on an Ethernet port per second.
Figure 59 The Summary tab
Displaying all the operation parameters for a port
Select Device > Port Management from the navigation tree. Click the Detail tab. Select a port whose operation parameters you want to view in the chassis front panel. The operation parameter settings of the selected port are displayed on the lower part of the page.
Port management configuration example
Network requirements
As shown in Figure
• Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of the switch, respectively. The rates of the network adapters of these servers are all 1000 Mbps.
Figure 62 Configuring the speed of GigabitEthernet 1/0/4 Batch configure the autonegotiation speed range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps: On the Setup tab, select Auto 100 from the Speed list. Select 1, 2, and 3 on the chassis front panel. 1, 2, and 3 represent ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
Figure 63 Batch configuring the port speed
Display the speed settings of ports: Click the Summary tab. Click the Speed button to display the speed information of all ports on the lower part of the page, as shown in Figure
Figure 64 Displaying the speed settings of ports
Configuring port mirroring
Port mirroring refers to the process of copying the packets passing through a port/VLAN/CPU to the monitor port connecting to a monitoring device for packet analysis.
Terminology
Mirroring source
The mirroring source can be one or more monitored ports, called source ports. The device where the ports reside is called a "source device."...
Figure 65 Local port mirroring implementation As shown in Figure 65, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/2 reside on the same device. Packets of GigabitEthernet 1/0/1 are copied to GigabitEthernet 1/0/2, which then forwards the packets to the data monitoring device for analysis. Configuration restrictions and guidelines When you configure port mirroring, follow these restrictions and guidelines: •...
Click Add to enter the page for adding a mirroring group.
Figure 66 Adding a mirroring group
Configure the mirroring group as described in Table
Click Apply.
Table 16 Configuration items
Mirroring Group ID: ID of the mirroring group to be added.
Type: Specify the type of the mirroring group to be added as Local, which indicates adding a local mirroring group.
Figure 67 Modifying ports
Configure ports for the mirroring group as described in Table
Click Apply. A progress dialog box appears. After the success notification appears, click Close.
Table 17 Configuration items
Mirroring Group ID: ID of the mirroring group to be configured. The available groups were added previously.
Local port mirroring configuration example Network requirements As shown in Figure 68, configure local port mirroring on Switch A so the server can monitor the packets received and sent by the Marketing department and Technical department. Figure 68 Network diagram Configuration procedure Adding a local mirroring group From the navigation tree, select Device >...
Enter 1 for Mirroring Group ID, and select Local from the Type list. Click Apply. Configuring GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as the source ports Click Modify Port. Select 1 – Local from the Mirroring Group ID list. Select Mirror Port from the Port Type list. Select both from the Stream Orientation list.
Figure 71 Configuring the monitor port
Click Apply. A configuration progress dialog box appears. After the success notification appears, click Close.
Managing users
The user management function allows you to do the following:
• Adding a local user, and specifying the password, access level, and service types for the user.
• Setting the super password for non-management level users to switch to the management level.
•...
Item Description Select an access level for the user. Users of different levels can perform different operations. User levels, in order from low to high, are as follows: • Visitor—A visitor level user can perform only ping and traceroute operations. They cannot access the data on the device or configure the device.
Click Apply.
Table 19 Configuration items
Create/Remove: Select the operation type:
• Create—Configure or change the super password.
• Remove—Remove the current super password.
Password: Set the password for non-management level users to switch to the management level.
Confirm Password: Enter the same password again.
Configuring a loopback test
You can check whether an Ethernet port operates correctly by performing an Ethernet port loopback test. During the test, the port cannot forward data packets correctly. Ethernet port loopback tests have the following types:
• Internal loopback test—Establishes a self loop in the switching chip and checks whether there is a chip failure related to the functions of the port.
Click Test. After the test is complete, the system displays the loopback test result.
Figure 76 Loopback test result
Configuring VCT
Overview
You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether a short circuit or an open circuit occurs on the cable and the length of the faulty cable.
Configuring the flow interval With the flow interval module, you can view the number of packets and bytes sent and received by a port, and the bandwidth use of the port over the specified interval. Viewing port traffic statistics Select Device > Flow interval from the navigation tree. By default, the Port Traffic Statistics tab is displayed.
RMON groups Among the RFC 2819 defined RMON groups, HP implements the statistics group, history group, event group, and alarm group supported by the public MIB. HP also implements a private alarm group, which enhances the standard alarm group. Ethernet statistics group...
History group
The history group defines that the system periodically collects traffic statistics on interfaces and saves the statistics in the history record table (ethernetHistoryTable). The statistics include bandwidth utilization, number of error packets, and total number of packets. The history statistics table records traffic statistics collected for each sampling interval. The sampling interval is user-configurable.
RMON configuration task list
Configuring the RMON statistics function
The RMON statistics function can be implemented by either the Ethernet statistics group or the history group, but the objects of the statistics are different, as follows:
• A statistics object of the Ethernet statistics group is a variable defined in the Ethernet statistics table,...
Table 22 RMON alarm configuration task list
Required. You can create up to 100 statistics entries in a statistics table. As the alarm variables that can be configured through the Web interface are MIB variables that are defined in the history group or the statistics group, configure the RMON Ethernet statistics function or the RMON history statistics function on the monitored Ethernet interface.
Displaying RMON event logs: If you configure the system to log an event after the event is triggered when you configure the event group, the event is recorded in the RMON log. Perform this task to display the details of the log table.
Configuring a statistics entry
Select Device >...
Configuring a history entry Select Device > RMON from the navigation tree. Click the History tab. Figure 82 History entry Click Add. Figure 83 Adding a history entry Configure a history entry as described in Table Click Apply. Table 25 Configuration items Item Description Interface Name...
Configuring an event entry Select Device > RMON from the navigation tree. Click the Event tab. Figure 84 Event entry Click Add. Figure 85 Adding an event entry Configure an event entry as described in Table Click Apply. Table 26 Configuration items Item Description Description...
Interval: Set the sampling interval.
Sample Type: Set the sampling type:
• Absolute—Absolute sampling to obtain the value of the variable when the sampling time is reached.
• Delta—Delta sampling to obtain the variation value of the variable during the sampling interval when the sampling time is reached.
Figure 88 RMON statistics
Table 28 Field description
Number of Received Bytes: Total number of octets received by the interface, corresponding to the MIB node etherStatsOctets.
Number of Received Packets: Total number of packets received by the interface, corresponding to the MIB node etherStatsPkts.
Number of Network Conflicts: Total number of collisions received on the interface, corresponding to the MIB node etherStatsCollisions.
Number of Packet Discarding Events: Total number of drop events received on the interface, corresponding to the MIB node etherStatsDropEvents.
Number of Received 64 Bytes Packets: Total number of received packets with 64 octets on the interface, corresponding to the MIB node...
Table 29 Field description
Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer.
Time: Time at which the information is saved.
DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents.
Figure 90 Log tab In this example, event 1 has generated one log, which is triggered because the alarm value (11779194) exceeds the rising threshold (10000000). The sampling type is absolute. RMON configuration example Network requirements As shown in Figure 91, create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1/0/1 with the sampling interval being 10 seconds.
Figure 92 Adding a statistics entry Display RMON statistics for GigabitEthernet 1/0/1: Click the icon corresponding to GigabitEthernet 1/0/1. Display this information as shown in Figure Figure 93 Displaying RMON statistics Create an event to start logging after the event is triggered: Click the Event tab.
Figure 94 Configuring an event group Figure 95 Displaying the index of an event entry Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled: Click the Alarm tab. Click Add.
Figure 96 Configuring an alarm group Verifying the configuration After the above configuration, when the alarm event is triggered, you can display log information for event 1 on the Web interface. Select Device > RMON from the navigation tree. Click the Log tab. The log page appears.
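The alarm group procedure above (Sample Type absolute or delta, rising and falling thresholds, an event entry logged on each crossing) follows the RFC 2819 alarm table semantics. The model below is an added example, not code from the guide or the switch, that replays constructed counter readings through those rules; the variable name, the falling threshold and the readings are constructed, while the 10000000 rising threshold and the 11779194 value come from the guide's log example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RmonAlarm:
    """One RMON alarm entry (RFC 2819 alarmTable semantics) with the log it produces."""
    variable: str                 # sampled MIB variable (constructed name below)
    sample_type: str              # "absolute" or "delta", as on the Alarm tab
    rising_threshold: int
    falling_threshold: int
    rising_event: int             # index of the event entry logged on a rising crossing
    falling_event: int            # index of the event entry logged on a falling crossing
    startup_alarm: str = "risingOrFalling"   # "rising", "falling" or "risingOrFalling"
    log: List[str] = field(default_factory=list)
    _last_raw: Optional[int] = field(default=None, repr=False)
    _last_value: Optional[int] = field(default=None, repr=False)
    _rising_armed: bool = field(default=True, repr=False)
    _falling_armed: bool = field(default=True, repr=False)

    def _sampled_value(self, raw: int) -> Optional[int]:
        """Absolute sampling compares the counter as read; delta sampling compares
        the change since the previous read, so the first delta read has no value."""
        if self.sample_type == "absolute":
            return raw
        return None if self._last_raw is None else raw - self._last_raw

    def _fire(self, event: int, kind: str, value: int, threshold: int) -> int:
        self.log.append(f"event {event}: {kind} alarm on {self.variable}, "
                        f"value {value} vs threshold {threshold} ({self.sample_type})")
        # Hysteresis: after a rising event no further rising event fires until a
        # falling event has fired, and vice versa.
        self._rising_armed = kind == "falling"
        self._falling_armed = kind == "rising"
        return event

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading taken at a sampling time; return the event index fired, if any."""
        value = self._sampled_value(raw)
        self._last_raw = raw
        if value is None:                       # first delta read only seeds the baseline
            return None
        last, self._last_value = self._last_value, value
        if last is None:                        # first comparable sample: startup rules
            if value >= self.rising_threshold and self.startup_alarm in ("rising", "risingOrFalling"):
                return self._fire(self.rising_event, "rising", value, self.rising_threshold)
            if value <= self.falling_threshold and self.startup_alarm in ("falling", "risingOrFalling"):
                return self._fire(self.falling_event, "falling", value, self.falling_threshold)
            return None
        if value >= self.rising_threshold and last < self.rising_threshold and self._rising_armed:
            return self._fire(self.rising_event, "rising", value, self.rising_threshold)
        if value <= self.falling_threshold and last > self.falling_threshold and self._falling_armed:
            return self._fire(self.falling_event, "falling", value, self.falling_threshold)
        return None

def replay(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Feed a series of counter readings in order and collect the event fired per sample."""
    return [alarm.sample(r) for r in readings]

if __name__ == "__main__":
    # Constructed readings of the received-bytes counter on GigabitEthernet 1/0/1; the
    # second one is the value the guide's log example shows crossing the rising threshold.
    alarm = RmonAlarm("etherStatsOctets.1", "absolute", 10_000_000, 1_000_000, 1, 2)
    print(replay(alarm, [5_000_000, 11_779_194, 12_000_000, 500_000, 11_000_000]))
    print("\n".join(alarm.log))
```

Note that the 12000000 reading fires nothing: a second rising event is suppressed until the value has dropped to the falling threshold, so one burst produces one log entry rather than one per sample.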
Configuring energy saving Energy saving enables a port to operate at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes when the effective time period ends. Configuring energy saving on a port Select Device >...
Lowest Speed: Set the port to transmit data at the lowest speed. If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect.
Shutdown: Shut down the port. An energy saving policy can have all the three energy saving schemes configured, of which the shutdown scheme takes the highest priority.
Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure. Overview SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
The device supports only traps.
SNMP protocol versions
HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
• SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use...
Table 32 SNMPv3 configuration task list
Enabling SNMP agent: Required. The SNMP agent function is disabled by default.
IMPORTANT: If SNMP agent is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Figure 101 Setup tab
Configure SNMP settings on the upper part of the page as described in Table
Click Apply.
Table 33 Configuration items
SNMP: Specify to enable or disable SNMP agent.
Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent.
Item Description Location Set a character string to describe the physical location of the device. SNMP Version Set the SNMP version run by the system. Configuring an SNMP view Creating an SNMP view Select Device > SNMP from the navigation tree. Click the View tab.
Repeat steps 6 and 7 to add more rules for the SNMP view. Click Apply. To cancel the view, click Cancel.
Figure 104 Creating an SNMP view (2)
Table 34 Configuration items
View Name: Set the SNMP view name.
Rule: Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.
Figure 105 Adding rules to an SNMP view Configure the parameters as described in Table Click Apply. NOTE: You can also click the icon corresponding to the specified view on the page as shown in Figure 102, and then you can enter the page to modify the view. Configuring an SNMP community Select Device >...
Figure 107 Creating an SNMP Community
Configure the SNMP community as described in Table
Click Apply.
Table 35 Configuration items
Community Name: Set the SNMP community name.
Access Right: Configure SNMP NMS access right:
• Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
Click Add. The Add SNMP Group page appears. Figure 109 Creating an SNMP group Configure SNMP group as described in Table Click Apply. Table 36 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group: •...
Configuring an SNMP user Select Device > SNMP from the navigation tree. Click the User tab. The User tab appears. Figure 110 SNMP user Click Add. The Add SNMP User page appears. Figure 111 Creating an SNMP user Configure the SNMP user as described in Table Click Apply.
Table 37 Configuration items
User Name: Set the SNMP user name.
Security Level: Select the security level for the SNMP group. The available security levels are:
• NoAuth/NoPriv—No authentication no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Select an SNMP group to which the user belongs:
•...
Figure 112 Traps configuration Select Enable SNMP Trap. Click Apply to enable the SNMP trap function. Click Add. The page for adding a target host of SNMP traps appears. Figure 113 Adding a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply.
Security Name: Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.
UDP Port: Set UDP port number.
IMPORTANT: The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS.
SNMPv1/v2c configuration example
Network requirements
As shown in Figure 115, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS.
Figure 115 Network diagram
Configuring the agent
Enable SNMP: Select Device >...
Figure 117 Configuring an SNMP read-only community Configure a read and write community: Click Add on the Community tab page. The Add SNMP Community page appears. Enter private in the Community Name field, and select Read and write from the Access Right list.
Figure 119 Enabling SNMP traps
Configure a target host for SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears. Select the IPv4/Domain option and type 1.1.1.2 in the following field, type public in the Security Name field, and select v1 from the Security Model list.
For information about how to configure the NMS, see the NMS manual. Verifying the configuration After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes. Disable or enable an idle interface on the agent, and you can see the interface state change traps on the NMS.
Configure an SNMP view: Click the View tab. Click Add. The page for creating an SNMP view appears. Type view1 in the View Name field. Click Apply. Figure 123 Creating an SNMP view (1) On the page that appears, select the Included option, type the MIB subtree OID interfaces, and click Add.
Figure 125 Creating an SNMP group Configure an SNMP user: Click the User tab. Click Add. The page in Figure 126 appears. Type user1 in the User Name field, select Auth/Priv from the Security Level list, select group1 from the Group Name list, select MD5 from the Authentication Mode list, type authkey in the Authentication Password and Confirm Authentication Password fields, select DES56 from the Privacy Mode list, and type prikey in the Privacy Password and Confirm Privacy Password fields.
Figure 126 Creating an SNMP user
Enable SNMP traps: Click the Trap tab. The Trap tab page appears. Select Enable SNMP Trap. Click Apply.
Figure 127 Enabling SNMP traps
Configure a target host for SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears.
Select the IPv4/Domain option and type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list. Click Apply. Figure 128 Adding a trap target host Configuring the NMS The configuration on NMS must be consistent with that on the agent.
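The two examples above configure the same NMS with very different credential strength: SNMPv1/v2c authenticates with a community name carried in cleartext, while the SNMPv3 user runs at Auth/Priv. The audit below is an added example, not code from the guide or the switch; it models the Community, User and Trap tab fields as data and reports what a reviewer would flag. The option names SHA and AES128 in the hardened variant are assumptions (the guide's example uses MD5 and DES56); the severity scale is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}   # the names the v1/v2c example uses

@dataclass
class Community:
    name: str
    access_right: str          # "Read only" or "Read and write", as on the Community tab

@dataclass
class User:
    name: str
    security_level: str        # "NoAuth/NoPriv", "Auth/NoPriv" or "Auth/Priv"
    auth_mode: str = ""        # "MD5" from the guide; "SHA" is an assumed option name
    priv_mode: str = ""        # "DES56" from the guide; "AES128" is an assumed option name

@dataclass
class TrapHost:
    address: str
    security_name: str         # community name (v1/v2c) or user name (v3)
    security_model: str        # "v1", "v2c" or "v3"
    security_level: str = "NoAuth/NoPriv"
    udp_port: int = 162        # default trap port named in the guide

@dataclass
class AgentConfig:
    enabled: bool = True
    communities: List[Community] = field(default_factory=list)
    users: List[User] = field(default_factory=list)
    trap_hosts: List[TrapHost] = field(default_factory=list)

Finding = Tuple[str, str]      # (severity, message)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

def audit(cfg: AgentConfig) -> List[Finding]:
    """Return findings sorted by severity; an empty list means nothing to fix."""
    out: List[Finding] = []
    if not cfg.enabled:
        return out                              # agent disabled: nothing is reachable
    for c in cfg.communities:
        if c.name.lower() in DEFAULT_COMMUNITIES:
            out.append(("high", f"community '{c.name}' is a well-known default name"))
        if c.access_right == "Read and write":
            out.append(("high", f"community '{c.name}' grants write access; the community "
                                "name is the only credential and travels in cleartext"))
        else:
            out.append(("medium", f"community '{c.name}' exposes read-only MIB access "
                                  "over v1/v2c in cleartext"))
    for u in cfg.users:
        if u.security_level == "NoAuth/NoPriv":
            out.append(("high", f"v3 user '{u.name}' has no authentication"))
        elif u.security_level == "Auth/NoPriv":
            out.append(("medium", f"v3 user '{u.name}' authenticates but is not encrypted"))
        if u.security_level != "NoAuth/NoPriv" and u.auth_mode == "MD5":
            out.append(("low", f"v3 user '{u.name}' uses MD5; prefer SHA where offered"))
        if u.security_level == "Auth/Priv" and u.priv_mode == "DES56":
            out.append(("low", f"v3 user '{u.name}' uses DES56; prefer AES128 where offered"))
    for h in cfg.trap_hosts:
        if h.security_model != "v3":
            out.append(("medium", f"traps to {h.address} use {h.security_model}; "
                                  "the community name travels in cleartext"))
        elif h.security_level != "Auth/Priv":
            out.append(("medium", f"v3 traps to {h.address} are not authenticated and encrypted"))
        if h.udp_port != 162:
            out.append(("info", f"traps to {h.address} use non-default UDP port {h.udp_port}"))
    return sorted(out, key=lambda f: SEVERITY_ORDER[f[0]])

def highest_severity(findings: List[Finding]) -> str:
    return findings[0][0] if findings else "none"

# The guide's SNMPv1/v2c example: public read-only, private read-write, v1 traps to 1.1.1.2.
V1V2C_EXAMPLE = AgentConfig(
    communities=[Community("public", "Read only"), Community("private", "Read and write")],
    trap_hosts=[TrapHost("1.1.1.2", "public", "v1")])

# The guide's SNMPv3 example: user1 at Auth/Priv with MD5 and DES56, v3 traps at Auth/Priv.
V3_EXAMPLE = AgentConfig(
    users=[User("user1", "Auth/Priv", "MD5", "DES56")],
    trap_hosts=[TrapHost("1.1.1.2", "user1", "v3", "Auth/Priv")])

# Hardened variant (constructed user name, assumed SHA/AES128 option names).
HARDENED = AgentConfig(
    users=[User("nms-ro", "Auth/Priv", "SHA", "AES128")],
    trap_hosts=[TrapHost("1.1.1.2", "nms-ro", "v3", "Auth/Priv")])

if __name__ == "__main__":
    for label, cfg in (("v1/v2c", V1V2C_EXAMPLE), ("v3", V3_EXAMPLE), ("hardened", HARDENED)):
        print(label, highest_severity(audit(cfg)), audit(cfg))
```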
Displaying interface statistics The interface statistics module displays statistics about the packets received and sent through interfaces. To display interface statistics, select Device > Interface Statistics from the navigation tree. Figure 129 Interface statistics display page Table 39 describes the fields on the page. Table 39 Field description Field Description...
Configuring VLANs Overview Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2.
Figure 131 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 132. Figure 132 Position and format of VLAN tag A VLAN tag comprises the following fields: • Tag protocol identifier (TPID)—The 16-bit TPID field indicates whether the frame is VLAN-tagged and is 0x8100 by default.
Port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods: Access port—An access port belongs to only one VLAN and sends traffic untagged.
However, deleting the VLAN specified as the PVID of a trunk or hybrid port does not affect the PVID setting on the port.
• HP recommends that you set the same PVID for local and remote ports.
• Make sure a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID...
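The tag format above (a four-byte tag after DA and SA, TPID 0x8100) and the access, trunk and hybrid handling rules are easy to get wrong in practice, and the PVID guideline just given is the usual cause. The model below is an added example, not code from the guide or the switch: it parses and builds 802.1Q frames and applies the link-type rules to a constructed frame on the guide's example trunk (PVID 100, VLANs 2, 6 through 50 and 100). It assumes that a frame whose VLAN the port does not permit is dropped on ingress, which is the general 802.1Q behaviour the guideline describes; the MAC addresses and payload are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100   # default TPID value named in the guide

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]    # None when the frame carries no 802.1Q tag
    pcp: int              # 3-bit priority from the TCI
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, recognising one 802.1Q tag after the DA and SA fields."""
    if len(raw) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])   # TCI = PCP(3) | CFI(1) | VID(12)
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, inner_type, raw[18:])

def build_frame(f: Frame, vid: Optional[int]) -> bytes:
    """Serialise f; insert a four-byte tag carrying vid, or no tag when vid is None."""
    head = f.dst + f.src
    if vid is None:
        return head + struct.pack("!H", f.ethertype) + f.payload
    tci = (f.pcp << 13) | (vid & 0x0FFF)
    return head + struct.pack("!HHH", TPID_8021Q, tci, f.ethertype) + f.payload

@dataclass
class Port:
    link_type: str                                              # "access", "trunk" or "hybrid"
    pvid: int = 1
    permitted: Set[int] = field(default_factory=lambda: {1})   # VLANs the port may carry
    untagged: Set[int] = field(default_factory=set)             # VLANs sent without a tag

    def __post_init__(self) -> None:
        if self.link_type == "access":          # one VLAN, always sent untagged
            self.permitted = {self.pvid}
            self.untagged = {self.pvid}
        elif self.link_type == "trunk":         # only the PVID leaves untagged
            self.untagged = {self.pvid}

def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN a received frame is assigned to, or None when the port drops it."""
    # Untagged (or priority-tagged, VID 0) frames take the PVID.
    vid = port.pvid if frame.vid in (None, 0) else frame.vid
    # Assumed rule: a frame whose VLAN is not permitted is dropped, which is what
    # happens to untagged and PVID-tagged frames when the port does not permit its PVID.
    return vid if vid in port.permitted else None

def egress(port: Port, frame: Frame, vid: int) -> Optional[bytes]:
    """Bytes sent out of port for a frame in VLAN vid, or None when vid is not permitted."""
    if vid not in port.permitted:
        return None
    return build_frame(frame, None if vid in port.untagged else vid)

def demo() -> dict:
    """Walk the guide's example trunk with a constructed untagged broadcast frame."""
    raw = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x00" + b"\x00" * 4
    trunk = Port("trunk", pvid=100, permitted={2, 100, *range(6, 51)})
    frame = parse_frame(raw)
    return {
        "ingress_vlan": ingress_vlan(trunk, frame),                        # untagged -> PVID 100
        "egress_vlan100_vid": parse_frame(egress(trunk, frame, 100)).vid,  # None: left untagged
        "egress_vlan2_vid": parse_frame(egress(trunk, frame, 2)).vid,      # 2: tagged
        "egress_vlan3": egress(trunk, frame, 3),                           # None: not permitted
    }

if __name__ == "__main__":
    print(demo())
```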
Recommended VLAN configuration procedures
Recommended configuration procedure for assigning an access port to a VLAN
Creating VLANs: Required. Create one or multiple VLANs.
Configuring the link type of a port: Optional. Configure the link type of the port as access. By default, the link type of a port is access.
Setting the PVID for a port: Required. Configure the PVID of the trunk port. A trunk port has only one untagged VLAN and the untagged VLAN is its PVID.
Configure the trunk port as an untagged member of the specified VLANs:
a.
Setting the PVID for a port: Optional. Configure the PVID of the hybrid port. By default, the PVID of a hybrid port is VLAN 1.
Configure the hybrid port as an untagged member of the specified VLANs:
a. Selecting VLANs: Required.
Figure 134 Creating VLANs
Table 40 Configuration items
VLAN IDs: IDs of the VLANs to be created.
Modify the description of the selected VLAN:
• ID—Select the ID of the VLAN whose description string is to be modified. Click the ID of the VLAN to be modified in the list in the middle of the page.
•...
Figure 135 Modifying ports Setting the PVID for a port You can also configure the PVID of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports." To set the PVID for a port: From the navigation tree, select Network >...
Figure 136 Modifying the PVID for a port Selecting VLANs From the navigation tree, select Network > VLAN. The Select VLAN tab is displayed by default for you to select VLANs. Figure 137 Selecting VLANs Select the Display all VLANs option to display all VLANs, or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed.
Modifying a VLAN From the navigation tree, select Network > VLAN. Click Modify VLAN to enter the page for modifying a VLAN. Figure 138 Modifying a VLAN Modify the member ports of a VLAN as described in Table Click Apply. A progress dialog box appears.
Select ports to be modified and assigned to this VLAN: Select the ports to be modified in the selected VLAN. When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed into hybrid.
Select membership type: Set the member types of the selected ports to be modified in the specified VLANs:
• Untagged—Configures the ports to send the traffic of the VLANs after removing the VLAN tags.
• Tagged—Configures the ports to send the traffic of the VLANs without removing the VLAN tags.
Figure 141 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: From the navigation tree, select Network > VLAN. Click Create to enter the page for creating VLANs. Enter VLAN IDs 2, 6-50, 100.
Figure 142 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: Click Select VLAN to enter the page for selecting VLANs. Select the option before Display a subnet of all configured VLANs, and enter 1-100 in the field. Click Select.
A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 144 Assigning GigabitEthernet 1/0/1 to VLAN 100 as an untagged member Assign GigabitEthernet 1/0/1 to VLAN 2, and VLAN 6 through VLAN 50 as a tagged member: Click Modify Port to enter the page for modifying the VLANs to which a port belongs.
Figure 145 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B in the same way Switch A is configured. (Details not shown.) Configuration guidelines When you configure VLANs, follow these guidelines: As the default VLAN, VLAN 1 can be neither created nor removed manually.
Configuring VLAN interfaces
Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information, see "Configuring VLANs."
Overview
For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding.
Figure 146 Creating a VLAN interface
Configure the VLAN interface as described in Table
Click Apply.
Table 43 Configuration items
Input a VLAN ID: Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure the corresponding VLAN exists.
Configure IPv6 Link... (Auto / Manual): Configure the way in which the VLAN interface gets an IPv6 link-local address. Select the Auto or Manual option:
• Auto—The device automatically assigns a link-local address to the VLAN interface based on the link-local address prefix (FE80::/64)
These items are available after you select the...
Figure 147 Modifying a VLAN interface
Modify a VLAN interface as described in Table
Click Apply.
Table 44 Configuration items
Select VLAN Interface: Select the VLAN interface to be configured. The VLAN interfaces available for selection in the list are those created on the page for creating VLAN interfaces.
DHCP / BOOTP: Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to get an IP address automatically by selecting the DHCP or BOOTP option, or manually assign the VLAN interface an IP address by selecting the Manual option.
Configuration guidelines
When you configure VLAN interfaces, follow these guidelines:
• A link-local address is automatically generated for an IPv6 VLAN interface after an IPv6 site-local address or global unicast address is configured for the VLAN interface. This generated link-local address is the same as the one generated in the Auto mode.
Configuring a voice VLAN

Overview
The voice technology is developing quickly, and more and more voice devices are in use. In broadband communities, data traffic and voice traffic are usually transmitted in the network at the same time. Usually, voice traffic needs higher priority than data traffic to reduce the transmission delay and packet loss ratio. A voice VLAN is configured for voice traffic.
automatically assigns the receiving port to a voice VLAN, issues ACL rules and configures the packet precedence. You can configure an aging timer for the voice VLAN. The system will remove the port from the voice VLAN when the aging timer expires if no voice packet is received on the port during the aging timer.
Table 46 Required configurations on ports of different link types for them to support tagged voice traffic
Columns: Voice VLAN assignment mode; Port link type supported for tagged voice traffic; Configuration requirements.
Manual mode, Access port: Configure the PVID of the port as the voice VLAN.
In automatic mode, the PVID of the port cannot be the voice VLAN.
In a safe network, you can configure the voice VLANs to operate in normal mode, reducing the consumption of system resources due to source MAC address checking. HP recommends not transmitting both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure that the voice VLAN security mode is disabled.
Recommended configuration procedure for a port in automatic voice VLAN assignment mode
Step: Configuring voice VLAN globally. Remarks: (Optional.) Configure the voice VLAN to operate in security mode and configure the aging timer.
Step: Configuring voice VLAN on ports. Remarks: (Required.) Configure the voice VLAN assignment mode of a port as automatic and enable the voice VLAN function on the port.
Configure the global voice VLAN settings as described in Table 49.
Click Apply.

Table 49 Configuration items
Voice VLAN security: Select Enable or Disable in the list to enable or disable the voice VLAN security mode. By default, the voice VLANs operate in security mode.
Set the voice VLAN aging timer.
Voice VLAN port state: Select Enable or Disable in the list to enable or disable the voice VLAN function on the port.
Voice VLAN ID: Set the voice VLAN ID of a port when the voice VLAN port state is set to Enable.
Select the port on the chassis front panel.
Voice VLAN configuration examples

Configuring voice VLAN on a port in automatic voice VLAN assignment mode
Network requirements
As shown in Figure 153:
• Configure VLAN 2 as the voice VLAN allowing only voice traffic to pass through.
• The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic.
• ...
Figure 154 Creating VLAN 2

Configure GigabitEthernet 1/0/1 as a hybrid port:
Select Device > Port Management from the navigation tree.
Click the Setup tab.
Select Hybrid from the Link Type list.
Select GigabitEthernet 1/0/1 from the chassis front panel.
Click Apply.
Figure 155 Configuring GigabitEthernet 1/0/1 as a hybrid port

Configure the voice VLAN function globally:
Select Network > Voice VLAN from the navigation tree.
Click the Setup tab.
Select Enable in the Voice VLAN security list.
Set the voice VLAN aging timer to 30 minutes.
Click Apply.
Click the Port Setup tab.
Select Auto in the Voice VLAN port mode list.
Select Enable in the Voice VLAN port state list.
Enter voice VLAN ID 2.
Select GigabitEthernet 1/0/1 on the chassis front panel.
Click Apply.

Figure 157 Configuring voice VLAN on GigabitEthernet 1/0/1

Add OUI addresses to the OUI list:
Click the OUI Add tab.
Verifying the configuration
When the preceding configurations are completed, the OUI Summary tab is displayed by default, as shown in Figure 159. You can view the information about the newly-added OUI address.

Figure 159 Displaying the current OUI list of the device

Click the Summary tab, where you can view the current voice VLAN information.
0011-2200-0000 and mask ffff-ff00-0000 to pass through. The description of the OUI address entry is test.

Figure 161 Network diagram

Configuring Switch A
Create VLAN 2:
Select Network > VLAN from the navigation tree.
Click the Create tab.
Enter VLAN ID 2.
Click Create.
Select the PVID box and enter 2 in the field.
Select GigabitEthernet 1/0/1 from the chassis front panel.
Click Apply.

Figure 163 Configuring GigabitEthernet 1/0/1 as a hybrid port

Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member:
Select Network > VLAN from the navigation tree.
Click the Modify Port tab.
Figure 164 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member

Configure voice VLAN on GigabitEthernet 1/0/1:
Select Network > Voice VLAN from the navigation tree.
Click the Port Setup tab.
Select Manual in the Voice VLAN port mode list.
Select Enable in the Voice VLAN port state list.
Figure 165 Configuring voice VLAN on GigabitEthernet 1/0/1

Add OUI addresses to the OUI list:
Click the OUI Add tab.
Enter OUI address 0011-2200-0000.
Select FFFF-FF00-0000 as the mask.
Enter description string test.
Click Apply.

Figure 166 Adding OUI addresses to the OUI list

Verifying the configuration
When the preceding configurations are complete, the OUI Summary tab is displayed by default, as shown in...
Figure 167 Displaying the current OUI list of the device

Click the Summary tab, where you can view the current voice VLAN information.

Figure 168 Displaying the current voice VLAN information

Configuration guidelines
When you configure the voice VLAN function, follow these guidelines:
• To remove a VLAN functioning as a voice VLAN, disable its voice VLAN function first.
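The OUI check that voice VLAN security mode performs on source MAC addresses, written out as an added example (not the switch's code). It uses the OUI entry from the configuration example above (0011-2200-0000, mask ffff-ff00-0000, description test); the second entry in the list and the sample MAC addresses are constructed.

```python
"""Voice VLAN OUI matching as the guide describes it: a source MAC address is
compared with each OUI entry under that entry's mask, and in security mode a
frame whose source MAC matches no entry is not admitted to the voice VLAN.
Example code added here; not the switch firmware."""
from typing import List, NamedTuple, Optional


class OuiEntry(NamedTuple):
    oui: int          # OUI address, e.g. 0011-2200-0000
    mask: int         # OUI mask, e.g. ffff-ff00-0000
    description: str  # description string shown on the OUI Summary tab


def mac_to_int(mac: str) -> int:
    """Accept the guide's hhhh-hhhh-hhhh notation as well as aa:bb:cc:dd:ee:ff."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def make_entry(oui: str, mask: str, description: str) -> OuiEntry:
    """Build an entry the way the OUI Add tab does: address, mask, description."""
    return OuiEntry(mac_to_int(oui), mac_to_int(mask), description)


def match_oui(src_mac: str, entries: List[OuiEntry]) -> Optional[OuiEntry]:
    """Return the first entry whose masked OUI equals the masked source MAC."""
    mac = mac_to_int(src_mac)
    for entry in entries:
        if (mac & entry.mask) == (entry.oui & entry.mask):
            return entry
    return None


def admit_to_voice_vlan(src_mac: str, entries: List[OuiEntry], security_mode: bool) -> bool:
    """Decide whether a frame may use the voice VLAN.

    In security mode (the default on this switch) only frames whose source MAC
    matches an OUI entry are admitted; in normal mode the check is skipped.
    """
    if not security_mode:
        return True
    return match_oui(src_mac, entries) is not None


# Constructed OUI list: the entry from the guide's example plus a second,
# made-up entry to show that each entry carries its own mask.
OUI_LIST = [
    make_entry("0011-2200-0000", "ffff-ff00-0000", "test"),
    make_entry("00e0-fc00-0000", "ffff-ff00-0000", "example-phones"),  # constructed
]

if __name__ == "__main__":
    for mac in ("0011-2233-4455", "00e0-fc01-0000", "0011-3300-0001"):
        hit = match_oui(mac, OUI_LIST)
        print(mac, "->", hit.description if hit else "no match",
              "| admitted in security mode:", admit_to_voice_vlan(mac, OUI_LIST, True))
```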
Configuring the MAC address table

MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces only.
This document covers only the configuration of unicast MAC address entries, including static, dynamic, and blackhole entries.

Overview
To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table to forward frames.
Types of MAC address entries
A MAC address table can contain the following types of entries:
• Static entries—Manually added and never age out.
• Dynamic entries—Manually added or dynamically learned, and might age out.
• Blackhole entries—Manually configured and never age out. They are configured for filtering out ...
Type: Set the type of the MAC address entry:
• Static—Static MAC address entries that never age out.
• Dynamic—Dynamic MAC address entries that will age out.
• Blackhole—Blackhole MAC address entries that never age out.
The MAC tab (see Figure 169) displays the following types of MAC address entries:
• ...
Creating a static MAC address entry
Select Network > MAC from the navigation tree.
By default, the MAC tab is displayed.
Click Add.
Configure a MAC address entry:
Type MAC address 00e0-fc35-dc71.
Select static from the Type list.
Select 1 from the VLAN list.
Select GigabitEthernet1/0/1 from the Port list.
Configuring MSTP

Overview
Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
• Forward delay—Delay that STP bridges use to transit port state.
The descriptions and examples in this chapter only use the following fields in the configuration BPDUs:
• Root bridge ID (represented by device priority)
• Root path cost
• Designated bridge ID (represented by device priority)
• Designated port ID (represented by port name)
• ...
Figure 173 Designated bridges and designated ports

Path cost
Path cost is a reference value used for link selection in STP. STP calculates path costs to select the most robust links and block redundant links that are less robust, to prune the network into a loop-free tree.
All the ports on the root bridge are designated ports.
Step: Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
• ...
Figure 174 STP network

As shown in Figure 174, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the path costs of links among the three devices are 5, 10, and 4, respectively.

Device state initialization.
Table 56 Comparison process and result on each device
Columns: Device; Comparison process; Configuration BPDU on ports after comparison.
Device A. Comparison process:
• Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and it discards the received configuration BPDU.
Device C. After comparison:
• The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDUs of which will not be changed.
• ...
Configuration BPDU on ports after comparison:
• Root port CP1: {0, 0, 0, AP2}
• ...
The configuration BPDU forwarding mechanism of STP
The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
• ...
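The BPDU comparison and root/designated port election described above, as an added example (not the switch's implementation) run over the Figure 174 network. It uses the four BPDU fields the chapter uses, {root bridge ID, root path cost, designated bridge ID, designated port ID}; because the figure itself is not reproduced here, the link costs 5, 10 and 4 are assumed to belong to A-B, A-C and B-C respectively, and the root port is chosen after the receiving port's link cost is added, as 802.1D does.

```python
"""Configuration BPDU comparison and port role election with the BPDU fields
the guide uses: {root bridge ID, root path cost, designated bridge ID,
designated port ID}.  Example code added here; not the switch's code.
Assumed topology for Figure 174: A-B cost 5, A-C cost 10, B-C cost 4."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Bpdu:
    root_id: int      # root bridge ID, represented by device priority
    root_cost: int    # root path cost
    bridge_id: int    # designated bridge ID, represented by device priority
    port_id: str      # designated port ID, represented by port name

    def key(self) -> Tuple[int, int, int, str]:
        return (self.root_id, self.root_cost, self.bridge_id, self.port_id)


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    """A BPDU is superior when it compares lower, field by field, in the order
    root ID, root path cost, designated bridge ID, designated port ID."""
    return a.key() < b.key()


# Constructed topology (assumed link costs, see the docstring).
PRIORITIES = {"A": 0, "B": 1, "C": 2}
LINKS = [("A", "AP1", "B", "BP1", 5),
         ("A", "AP2", "C", "CP1", 10),
         ("B", "BP2", "C", "CP2", 4)]

PortKey = Tuple[str, str]


def run_stp(priorities: Dict[str, int], links: List[Tuple[str, str, str, str, int]],
            rounds: int = 10) -> Tuple[Dict[PortKey, Bpdu], Dict[PortKey, str]]:
    """Synchronous rounds of BPDU exchange; returns each port's BPDU and role."""
    peer: Dict[PortKey, Tuple[str, str, int]] = {}
    for a, pa, b, pb, cost in links:
        peer[(a, pa)] = (b, pb, cost)
        peer[(b, pb)] = (a, pa, cost)
    # Upon initiation every device regards itself as the root bridge and every
    # port holds a BPDU with the device itself as root and designated bridge.
    bpdu = {(d, p): Bpdu(priorities[d], 0, priorities[d], p) for (d, p) in peer}
    role = {k: "designated" for k in peer}
    for _ in range(rounds):
        # Only designated ports send configuration BPDUs to their peer.
        received = {k: (bpdu[(pd, pp)], cost) for k, (pd, pp, cost) in peer.items()
                    if role[(pd, pp)] == "designated"}
        new_bpdu, new_role = {}, {}
        for dev, prio in priorities.items():
            dev_ports = [k for k in peer if k[0] == dev]
            # Root port election: the best received BPDU once the link cost of
            # the receiving port is added to its root path cost.
            candidates = []
            for k in dev_ports:
                if k in received:
                    r, cost = received[k]
                    candidates.append((Bpdu(r.root_id, r.root_cost + cost, r.bridge_id, r.port_id), k))
            best = min(candidates, key=lambda c: c[0].key(), default=None)
            own = Bpdu(prio, 0, prio, "")
            if best is None or is_superior(own, best[0]):
                root_id, root_cost, root_port = prio, 0, None   # this device is the root
            else:
                root_id, root_cost, root_port = best[0].root_id, best[0].root_cost, best[1]
            for k in dev_ports:
                if k == root_port:
                    new_bpdu[k], new_role[k] = received[k][0], "root"  # kept unchanged
                    continue
                # Designated BPDU for every other port: root ID and root path cost
                # from the root port, this device as designated bridge, this port.
                designated = Bpdu(root_id, root_cost, prio, k[1])
                if k in received and is_superior(received[k][0], designated):
                    new_bpdu[k], new_role[k] = received[k][0], "alternate"  # blocked
                else:
                    new_bpdu[k], new_role[k] = designated, "designated"
        bpdu, role = new_bpdu, new_role
    return bpdu, role


if __name__ == "__main__":
    final_bpdu, final_role = run_stp(PRIORITIES, LINKS)
    for k in sorted(final_bpdu):
        print(k, final_role[k], final_bpdu[k].key())
```

With the assumed costs, Device C reaches the root at cost 9 through Device B rather than at cost 10 directly, so CP2 becomes its root port and CP1 is blocked while still holding {0, 0, 0, AP2}.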
Introduction to MSTP
MSTP overcomes the following STP and RSTP limitations:
• STP limitations—STP does not support rapid state transition of ports. A newly elected port must wait twice the forward delay time before it transits to the forwarding state, even if it connects to a point-to-point link or is an edge port.
Figure 176 Basic concepts in MSTP

MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled.
• ...
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 176, the VLAN-to-instance mapping table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST.
Figure 177 Port roles

MSTP calculation involves the following port roles:
• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port.
• Designated port—Forwards data to the downstream network segment or device.
• ...
port state is available for the corresponding port role, and a dash [—] indicates that the port state is not available for the corresponding port role.)

Table 57 Port states supported by different port roles
Columns: Port state; Root port/master port; Designated port; Boundary port; Alternate port...
• Loop guard
• TC-BPDU (a message that notifies the device of topology changes) guard
• Support for the hot swapping of interface boards and switchover of the active and standby main boards.

Protocols and standards
MSTP is documented in the following protocols and standards:
• IEEE 802.1d, Spanning Tree Protocol
• ...
Step: Displaying MSTP information of a port. Remarks: Optional. Display MSTP information of a port in MSTI 0, the MSTI to which the port belongs, and the path cost and priority of the port.

Configuring an MST region
From the navigation tree, select Network > MSTP.
By default, the Region tab is displayed.
Table 58 Configuration items
Region Name: MST region name. The MST region name is the bridge MAC address of the device by default.
Revision Level: Revision level of the MST region.
Manual (Instance ID and VLAN ID): Manually add VLAN-to-instance mappings. Click Apply to add the VLAN-to-instance mapping entries to the list.
Figure 180 Configuring MSTP globally

Configure the global MSTP configuration as described in Table 59, and then click Apply.

Table 59 Configuration items
Enable STP Globally: Selects whether to enable STP globally. Other MSTP configurations take effect only after you enable STP globally.
Selects whether to enable BPDU guard.
• The settings of hello time, forward delay and max age must meet a certain formula. Otherwise, the network topology will not be stable. HP recommends that you set the network diameter and then have the device automatically calculate the forward delay, hello time, and max age.
This affects network stability. With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. HP recommends not disabling this function.
tc-protection threshold: Sets the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.
• Transmit Limit—Configures the maximum number of MSTP packets that can be sent during each Hello interval. The larger the transmit limit is, the more network resources will be occupied. HP recommends that you use the default value.
• MSTP Mode—Sets whether the port migrates to the MSTP mode.
Protection type: Root Protection. Description: Enables the root guard function. Configuration errors or attacks might result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology change to occur. The root guard function is used to address such a problem.
Table 62 Field description
[FORWARDING]: The port is in forwarding state, so the port learns MAC addresses and forwards user traffic.
[LEARNING]: The port is in learning state, so the port learns MAC addresses but does not forward user traffic.
[DISCARDING]: The port is in discarding state, so the port does not learn MAC addresses or forward user traffic.
PortTimes: Major parameters for the port:
• Hello—Hello timer.
• MaxAge—Max Age timer.
• FWDly—Forward delay timer.
• MsgAge—Message Age timer.
• Remain Hop—Remaining hops.
BPDU Sent: Statistics on sent BPDUs.
BPDU Received: Statistics on received BPDUs.
Protocol Status: Whether MSTP is enabled.
Figure 183 Network diagram (links among Switch A, Switch B, Switch C, and Switch D, each labeled with the VLANs it permits: all VLANs; VLAN 10, 40; VLAN 20, 40; VLAN 30, 40)

"Permit:" next to a link in the figure is followed by the VLANs the packets of which are permitted to pass this link.
Click Activate.

Figure 185 Configuring an MST region

Configure MSTP globally:
From the navigation tree, select Network > MSTP.
Click the Global tab.
Select Enable from the Enable STP Globally list.
Select MSTP from the Mode list.
Select the box before Instance.
Set the Instance ID field to 1.
Figure 186 Configuring MSTP globally (on Switch A)

Configuring Switch B
Configure an MST region on the switch in the same way the MST region is configured on Switch
Configure MSTP globally:
From the navigation tree, select Network > MSTP.
Click the Global tab.
Configuring Switch C
Configure an MST region on the switch in the same way the MST region is configured on Switch
Configure MSTP globally:
From the navigation tree, select Network > MSTP.
Click Global.
Select Enable from the Enable STP Globally list.
Select MSTP from the Mode list.
Figure 187 Configuring MSTP globally (on Switch D)
Configuring link aggregation and LACP

Overview
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an aggregate link. Link aggregation has the following benefits:
• Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.
Configuration classes
Port configurations include the following classes:
• Class-two configurations—A member port can be placed in the Selected state only if it has the same class-two configurations as the aggregate interface.

Table 63 Class-two configurations
Port isolation: Whether a port has joined an isolation group, and the isolation group to which the port belongs.
exceeded, places the ports with smaller port numbers in the Selected state and those with greater port numbers in the Unselected state.
• Places the member ports in the Unselected state if all the member ports are down.
• Places the ports that cannot aggregate with the reference port in the Unselected state, for example, as a result of the inter-board aggregation restriction.
Configuration procedures

Configuring a static aggregation group
Step: Creating a link aggregation group. Remarks: Create a static aggregate interface and configure member ports for the static aggregation group. By default, no link aggregation group exists.
Step: Displaying aggregate interface information. Remarks: (Optional.) Display detailed information of an existing aggregation interface.
Figure 188 Creating a link aggregation group

Configure a link aggregation group as described in Table 64.
Click Apply.

Table 64 Configuration items
Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page.
Choose an aggregate interface from the list.
The list on the lower part of the page displays the detailed information about the member ports of the link aggregation group.

Figure 189 Displaying information of an aggregate interface

Table 65 Field description
Type and ID of the aggregate interface.
Setting LACP priority
From the navigation tree, select Network > LACP.
Click Setup.
In the Set LACP enabled port(s) parameters area, set the port priority, and select the ports in the chassis front panel.
Click Apply in the area.

Figure 190 Setting the LACP priority

Table 66 Configuration items
...
Detailed information about the peer port appears on the lower part of the page. Table 68 describes the fields.

Figure 191 Displaying the information of LACP-enabled ports

Table 67 Field description
Unit: ID of a device in a stack.
Port: Port where LACP is enabled.
Partner Port: ID of the peer port.
States of the peer port:
• A—LACP is enabled.
• B—LACP short timeout. If B does not appear, it indicates LACP long timeout.
• C—The sending system considers the link is aggregatable.
• ...
Enter link aggregation interface ID 1.
Select Static (LACP Disabled) for the aggregate interface type.
Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel.
Click Apply.

Figure 193 Creating static link aggregation group 1

Method 2: Create dynamic link aggregation group 1
From the navigation tree, select Network > ...
Figure 194 Creating dynamic link aggregation group 1

Configuration guidelines
When you configure a link aggregation group, follow these guidelines:
• In an aggregation group, a Selected port must have the same port attributes and class-two configurations as the reference port. To keep these configurations consistent, you should configure the port manually.
• Do not assign the following types of ports to Layer 2 aggregate groups:
  MAC address authentication-enabled ports.
  Port security-enabled ports.
  Packet filtering-enabled ports.
  Ethernet frame filtering-enabled ports.
  IP source guard-enabled ports.
  802.1X-enabled ports.
• Deleting a Layer 2 aggregate interface also deletes its aggregation group and causes all member ...
Configuring LLDP

Overview
In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices from different vendors can discover one another and exchange configuration.
The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
Data: LLDPDU.
FCS: Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.
• LLDP frames encapsulated in SNAP

Figure 196 LLDP frame encapsulated in SNAP

Table 70 Fields in a SNAP-encapsulated LLDP frame
Destination MAC address: MAC address to which the LLDP frame is advertised.
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs
Basic management TLVs are essential to device management. Organizationally specific TLVs and LLDP-MED TLVs are used for improved device management. They are defined by standardization or other organizations and are optional to LLDPDUs.
• PSE/PD power.
The power stateful control TLV is defined in IEEE P802.3at D1.0. The later versions no longer support this TLV. HP devices send this type of TLVs only after receiving them.
• LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for VoIP, such as basic configuration, network policy configuration, and address and directory management.
Extended Power-via-MDI: Allows a network device or terminal device to advertise power supply capability. This TLV is an extension of the Power Via MDI TLV.
Hardware Revision: Allows a terminal device to advertise its hardware version.
Firmware Revision: Allows a terminal device to advertise its firmware version.
• A new neighbor is discovered.
• A new LLDP frame is received carrying device information new to the local device.
• The LLDP operating mode of the port changes from Disable or Rx to TxRx or Tx.
This is the fast sending mechanism of LLDP. With this mechanism, the specified number of LLDP frames is sent successively at the 1-second interval.
Step: Displaying global LLDP information. Remarks: Optional. You can display the local global LLDP information and statistics.
Step: Displaying LLDP information received from LLDP neighbors. Remarks: Optional. You can display the LLDP information received from LLDP neighbors.

Enabling LLDP on ports
From the navigation tree, select Network > LLDP.
By default, the Port Setup tab is displayed.
Setting LLDP parameters on ports
The Web interface allows you to set LLDP parameters for a single port or for multiple ports in batch.

Setting LLDP parameters for a single port
From the navigation tree, select Network > LLDP.
By default, the Port Setup tab is displayed.
Click the icon for the port.
Encapsulation Format: Set the encapsulation for LLDP frames:
• ETHII—Encapsulates outgoing LLDP frames in Ethernet II frames and processes an incoming LLDP frame only if its encapsulation is Ethernet II.
• SNAP—Encapsulates outgoing LLDP frames in Ethernet II frames and processes an incoming LLDP frame only if its encapsulation is Ethernet II.
DOT1 TLVs:
Port VLAN ID: Select the box to include the PVID TLV in transmitted LLDP frames.
Protocol VLAN ID: Select the box to include port and protocol VLAN ID TLVs in transmitted LLDP frames and specify the VLAN IDs to be advertised. If no VLAN is specified, the lowest protocol VLAN ID is transmitted.
Setting LLDP parameters for ports in batch
From the navigation tree, select Network > LLDP.
By default, the Port Setup tab is displayed.
Select one or multiple ports on the port list.
Click Modify Selected to enter the page for modifying these ports in batch.

Figure 200 Modifying LLDP settings on ports in batch

Set the LLDP settings for these ports as described in Table...
Figure 201 The global setup tab

Set the global LLDP setup as described in Table 76.
Click Apply.
A progress dialog box appears.
Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.

Table 76 Configuration items
LLDP Enable: ...
Set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDPDUs to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier.
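An added example (not the switch's code) that ties together the two LLDP encapsulations described under "LLDP frames encapsulated in SNAP" and the Encapsulation Format item, the TLV layout of an LLDPDU, and the TTL multiplier above: it builds an LLDPDU, wraps it in Ethernet II or SNAP, and decodes the neighbor fields from either. The TLV type numbers, the LLDP multicast address and the TTL formula (tx interval times TTL multiplier, capped at 65535) are the IEEE 802.1AB values; the sample switch MAC address, port name and system name are constructed.

```python
"""Parse an LLDP frame in either encapsulation the guide lists (Ethernet II,
or SNAP over 802.3/LLC) and decode the basic management TLVs.  Example code
added here; not the switch's code.  Sample frame constructed below."""
import struct
from typing import Dict, List, Tuple

LLDP_ETHERTYPE = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge LLDP address
SNAP_HEADER = bytes.fromhex("aaaa03000000") + struct.pack("!H", LLDP_ETHERTYPE)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 7-bit type, 9-bit length, followed by the value."""
    if len(value) > 511:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int, sysname: str) -> bytes:
    """Mandatory TLVs first (chassis ID, port ID, TTL), then End of LLDPDU."""
    return (tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)        # subtype 4: MAC address
            + tlv(TLV_PORT_ID, b"\x05" + port_name.encode())  # subtype 5: interface name
            + tlv(TLV_TTL, struct.pack("!H", ttl))
            + tlv(TLV_SYSTEM_NAME, sysname.encode())
            + tlv(TLV_END, b""))


def encapsulate(lldpdu: bytes, src_mac: bytes, snap: bool) -> bytes:
    """Ethernet II: dst, src, type 0x88CC.  SNAP: dst, src, length, LLC/SNAP header."""
    if snap:
        payload = SNAP_HEADER + lldpdu
        return LLDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload
    return LLDP_MULTICAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_frame(frame: bytes) -> Tuple[str, bytes]:
    """Return (encapsulation, lldpdu); reject anything that is not LLDP."""
    if len(frame) < 14:
        raise ValueError("short frame")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == LLDP_ETHERTYPE:
        return "ETHII", frame[14:]
    if type_or_len <= 1500 and frame[14:22] == SNAP_HEADER:
        return "SNAP", frame[22:14 + type_or_len]
    raise ValueError("not an LLDP frame")


def parse_tlvs(lldpdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list up to and including the End of LLDPDU TLV."""
    out, pos = [], 0
    while pos + 2 <= len(lldpdu):
        header = struct.unpack("!H", lldpdu[pos:pos + 2])[0]
        t, length = header >> 9, header & 0x1FF
        value = lldpdu[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        out.append((t, value))
        pos += 2 + length
        if t == TLV_END:
            return out
    raise ValueError("missing End of LLDPDU TLV")


def neighbor_info(frame: bytes) -> Dict[str, object]:
    """Decode the fields the Neighbor Information tab shows for a MAC/ifname neighbor."""
    encap, lldpdu = parse_frame(frame)
    fields: Dict[str, object] = {"encapsulation": encap}
    for t, v in parse_tlvs(lldpdu):
        if t == TLV_CHASSIS_ID and v[0] == 4:
            fields["chassis_id"] = v[1:].hex("-", 2)       # hhhh-hhhh-hhhh notation
        elif t == TLV_PORT_ID and v[0] == 5:
            fields["port_id"] = v[1:].decode()
        elif t == TLV_TTL:
            fields["ttl"] = struct.unpack("!H", v)[0]
        elif t == TLV_SYSTEM_NAME:
            fields["system_name"] = v.decode()
    return fields


def ttl_from_multiplier(tx_interval: int, multiplier: int) -> int:
    """802.1AB: advertised TTL = min(65535, tx interval x TTL multiplier)."""
    return min(65535, tx_interval * multiplier)


# Constructed sample: a neighbor's GigabitEthernet1/0/1 advertising with the
# 802.1AB defaults of a 30-second tx interval and TTL multiplier 4.
SWITCH_B_MAC = bytes.fromhex("00e0fc000001")   # constructed address
SAMPLE_LLDPDU = build_lldpdu(SWITCH_B_MAC, "GigabitEthernet1/0/1",
                             ttl_from_multiplier(30, 4), "SwitchB")
SAMPLE_ETHII = encapsulate(SAMPLE_LLDPDU, SWITCH_B_MAC, snap=False)
SAMPLE_SNAP = encapsulate(SAMPLE_LLDPDU, SWITCH_B_MAC, snap=True)

if __name__ == "__main__":
    print(neighbor_info(SAMPLE_ETHII))
    print(neighbor_info(SAMPLE_SNAP))
```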
By default, the Local Information tab is displayed. Table 77 describes the fields.

Figure 202 The local information tab

Table 77 Field description
Port ID subtype: Port ID subtype:
• Interface alias.
• Port component.
• MAC address.
• ...
PoE PSE power source: PSE power source type:
• Primary.
• Backup.
Port PSE priority: PoE power supply priority of PSE ports:
• Unknown—Unknown PSE priority.
• Critical—Priority level 1.
• High—Priority level 2.
• Low—Priority level 3.
Click the Neighbor Information tab to display the LLDP neighbor information.
Port ID type: Port ID type:
• Interface alias.
• Port component.
• MAC address.
• Network address.
• Interface name.
• Agent circuit ID.
• Locally assigned—Locally-defined port ID type other than those listed above.
Port ID: Port ID value.
Media policy type: Media policy type:
• Unknown.
• Voice.
• Voice signaling.
• Guest voice.
• Guest voice signaling.
• Soft phone voice.
• Videoconferencing.
• Streaming video.
• Video signaling.
Unknown Policy: Indicates whether the media policy type is unknown.
VLAN tagged: Indicates whether packets of the media VLAN are tagged.
Figure 204 The statistic information tab

Click the Status Information tab to display the LLDP status information.

Figure 205 The status information tab

Displaying global LLDP information
From the navigation tree, select Network > LLDP.
Click the Global Summary tab to display global local LLDP information and statistics. Table 79 describes the fields.
Figure 206 The global summary tab

Table 79 Field description
Chassis ID: Local chassis ID depending on the chassis type defined.
System capabilities supported: Capabilities supported on the system:
• Repeater.
• Bridge.
• Router.
Capabilities enabled on the system:
• ...
Displaying LLDP information received from LLDP neighbors
From the navigation tree, select Network > LLDP.
Click the Neighbor Summary tab to display the global LLDP neighbor information, as shown in Figure 207.

Figure 207 The neighbor summary tab

LLDP configuration example
Network requirements
As shown in Figure...
The page shown in Figure 210 appears.

Figure 209 The port setup tab

Select Rx from the LLDP Operating Mode list.
Click Apply.
A progress dialog box appears.
Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 210 Setting LLDP on multiple ports

Enable global LLDP:
Click the Global Setup tab, as shown in Figure 211.
Select Enable from the LLDP Enable list.
Click Apply.
A progress dialog box appears.
Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Configuring Switch B
(Optional.) Enable LLDP on port GigabitEthernet 1/0/1. By default, LLDP is enabled on Ethernet ports.
Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1:
From the navigation tree, select Network > LLDP.
By default, the Port Setup tab is displayed.
Click the icon for port GigabitEthernet 1/0/1.
Click the GigabitEthernet1/0/1 port name in the port list.
Click the Status Information tab at the lower half of the page.
The output shows that port GigabitEthernet 1/0/1 is connected to an MED neighbor device.

Figure 213 The status information tab (1)

Display the status information of port GigabitEthernet 1/0/2 on Switch A:
Click the GigabitEthernet1/0/2 port name in the port list.
LLDP configuration guidelines
When you configure LLDP, follow these guidelines:
• To make LLDP take effect on a port, enable LLDP both globally and on the port.
• To advertise LLDP-MED TLVs other than the LLDP-MED capabilities TLV, include the LLDP-MED ...
Configuring ARP

Overview
ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format
ARP uses two types of messages: ARP request and ARP reply. Figure 216 shows the format of the ARP request/reply messages. Numbers in the figure refer to field lengths.

Figure 216 ARP message format

• Hardware type—Hardware address type.
If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the following information:
• Sender IP address and sender MAC address—Host A's IP address and MAC address.
• Target IP address—Host B's IP address.
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.

Static ARP entry
A static ARP entry is manually configured and maintained.
Creating a static ARP entry
From the navigation tree, select Network > ARP Management.
The default ARP Table page appears, as shown in Figure 218.
Click Add.
The New Static ARP Entry page appears.

Figure 219 Add a static ARP entry

Configure the static ARP entry as described in Table
Click Apply.
Configuring gratuitous ARP
From the navigation tree, select Network > ARP Management.
Click the Gratuitous ARP tab.

Figure 220 Configuring gratuitous ARP page

Configure gratuitous ARP as described in Table 81.
Click Apply.

Table 81 Configuration items
Disable gratuitous ARP packets learning function: Disable learning of ARP entries from gratuitous ARP packets. Gratuitous ARP packet learning is enabled by default.
Figure 221 Network diagram

Configuring Switch A
Create VLAN 100:
From the navigation tree, select Network > VLAN.
Click the Add tab.
Enter 100 in the VLAN ID field.
Click Create.

Figure 222 Creating VLAN 100

Add GigabitEthernet 1/0/1 to VLAN 100:
Click the Modify Port tab.
Select Untagged for Select membership type.
Enter 100 in the VLAN IDs field.
Click Apply.
A configuration process dialog box appears. After the configuration process is complete, click Close.

Figure 223 Adding GigabitEthernet 1/0/1 to VLAN 100

Create VLAN-interface 100:
From the navigation tree, select Network > ...
Figure 224 Creating VLAN-interface 100

Create a static ARP entry:
From the navigation tree, select Network > ARP Management.
The default ARP Table page appears.
Click Add.
Enter 192.168.1.1 in the IP Address field.
Enter 00e0-fc01-0000 in the MAC Address field.
Select Advanced Options.
Configuring ARP attack protection

Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides user validity check and ARP packet validity check.
Figure 226 ARP detection configuration page

Configure ARP detection as described in Table 82.
Click Apply.

Table 82 Configuration items
VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list, select one or multiple VLANs from the Disabled VLANs list and click the <<...
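The ARP message format from Figure 216 and the two ARP detection checks named in the overview above (user validity and packet validity), as an added example that is not the switch's code. The user validity check consults a constructed binding table that reuses the static entry from the configuration example (192.168.1.1 at 00e0-fc01-0000 on GigabitEthernet1/0/1); the page does not spell out the packet validity rules, so the ones applied here (ARP sender MAC must equal the Ethernet source MAC, a reply's target MAC must equal the Ethernet destination MAC, no broadcast or all-zero sender MAC) are assumed from common practice, and all sample frames are constructed.

```python
"""ARP request/reply decoding per the Figure 216 field layout, plus the user
validity and packet validity checks the guide attributes to ARP detection.
Example code added here; not the switch's code.  The packet validity rules
are assumed, and the binding table and frames are constructed."""
import struct
from typing import Dict, NamedTuple, Optional, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


class Arp(NamedTuple):
    hardware_type: int   # 1 = Ethernet
    protocol_type: int   # 0x0800 = IPv4
    hw_len: int          # 6
    proto_len: int       # 4
    opcode: int          # 1 request, 2 reply
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> Arp:
    """28-byte ARP body for Ethernet/IPv4 (field lengths 2,2,1,1,2,6,4,6,4)."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", payload[8:28])
    return Arp(htype, ptype, hlen, plen, op, smac, ip_str(sip), tmac, ip_str(tip))


def build_arp(op: int, smac: bytes, sip: str, tmac: bytes, tip: str) -> bytes:
    """Inverse of parse_arp; used only to construct the sample frames."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + ip(sip) + tmac + ip(tip)


def build_frame(dst: bytes, src: bytes, arp_body: bytes) -> bytes:
    return dst + src + struct.pack("!H", ETHERTYPE_ARP) + arp_body


# Binding table the user validity check consults: (VLAN, IP) -> (MAC, port).
# Constructed here; on the switch it is built from static bindings or snooping entries.
BINDINGS: Dict[Tuple[int, str], Tuple[bytes, str]] = {
    (100, "192.168.1.1"): (bytes.fromhex("00e0fc010000"), "GigabitEthernet1/0/1"),
    (100, "192.168.1.20"): (bytes.fromhex("00e0fc010020"), "GigabitEthernet1/0/2"),
}


def packet_validity(frame: bytes, arp: Arp) -> Optional[str]:
    """Reject ARP bodies that disagree with the Ethernet header (assumed rules)."""
    eth_dst, eth_src = frame[:6], frame[6:12]
    if arp.sender_mac != eth_src:
        return "sender MAC differs from Ethernet source MAC"
    if arp.opcode == ARP_REPLY and arp.target_mac != eth_dst:
        return "reply target MAC differs from Ethernet destination MAC"
    if arp.sender_mac in (BROADCAST, b"\x00" * 6):
        return "invalid sender MAC"
    return None


def user_validity(vlan: int, port: str, arp: Arp) -> Optional[str]:
    """Sender IP, MAC and ingress port must match a binding in the packet's VLAN."""
    binding = BINDINGS.get((vlan, arp.sender_ip))
    if binding is None:
        return f"no binding for {arp.sender_ip} in VLAN {vlan}"
    mac, bound_port = binding
    if mac != arp.sender_mac or bound_port != port:
        return f"sender {arp.sender_ip} does not match its binding"
    return None


def arp_detection(frame: bytes, vlan: int, port: str) -> Tuple[str, str]:
    """Return ('forward', '') or ('drop', reason) for a frame received on an access port."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return "forward", ""          # not ARP: the feature does not apply
    arp = parse_arp(frame[14:])
    reason = packet_validity(frame, arp) or user_validity(vlan, port, arp)
    return ("drop", reason) if reason else ("forward", "")


# Constructed traffic: a legitimate request from the host bound to 1/0/2, and a
# reply claiming the gateway's IP 192.168.1.1 from an unbound MAC and port.
HOST_MAC = bytes.fromhex("00e0fc010020")
OTHER_MAC = bytes.fromhex("00e0fc0100aa")
GOOD = build_frame(BROADCAST, HOST_MAC,
                   build_arp(ARP_REQUEST, HOST_MAC, "192.168.1.20", b"\x00" * 6, "192.168.1.1"))
SPOOFED = build_frame(HOST_MAC, OTHER_MAC,
                      build_arp(ARP_REPLY, OTHER_MAC, "192.168.1.1", HOST_MAC, "192.168.1.20"))

if __name__ == "__main__":
    print(arp_detection(GOOD, 100, "GigabitEthernet1/0/2"))
    print(arp_detection(SPOOFED, 100, "GigabitEthernet1/0/3"))
```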
Configuring IGMP snooping

Overview
IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the router.
As shown in Figure 227, when IGMP snooping is not enabled, the Layer 2 switch floods multicast packets...
Figure 228 IGMP snooping related ports
The following describes the ports involved in IGMP snooping:
• Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and IGMP queriers. In Figure 228, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
Timer: Dynamic member port aging timer
Description: When a port dynamically joins a multicast group, the switch starts or resets an aging timer for the port.
Message received before the timer expires: IGMP membership report.
Action after the timer expires: The switch removes this port from the IGMP snooping forwarding entry for the multicast group.
switch cannot determine whether the reported multicast group still has active members attached to that port.
Leave message: An IGMPv1 host silently leaves a multicast group and the switch is not notified of the leaving. However, because the host stops sending IGMP reports as soon as it leaves the multicast group, the switch removes the port that connects to the host from the forwarding entry for the multicast group when the aging timer for the port expires.
Step: Configuring IGMP snooping in a VLAN
Remarks: Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN. When you enable IGMP snooping, follow these guidelines: •...
Configuring IGMP snooping in a VLAN From the navigation tree, select Network > IGMP snooping. Click the icon for the VLAN. Figure 230 Configuring IGMP snooping in a VLAN Configure the parameters as described in Table 83. Click Apply.
Table 83 Configuration items
IGMP snooping: Enable or disable IGMP snooping in the VLAN.
Querier: Enable or disable the IGMP snooping querier function. On an IP multicast network that runs IGMP, a Layer 3 device acts as an IGMP querier to send IGMP queries and establish and maintain multicast forwarding entries, ensuring correct multicast traffic forwarding at the network layer. On a network without Layer 3 multicast devices, IGMP querier cannot work because a Layer 2 device does not support IGMP.
Table 84 Configuration items
Port: Select the port on which advanced IGMP snooping features will be configured. The port can be a GigabitEthernet port or a Layer 2 aggregate interface. After a port is selected, the advanced features configured on this port are displayed at the lower part of this page.
Figure 233 Displaying detailed information about the entry
Table 85 Field description
VLAN ID: ID of the VLAN to which the entry belongs.
Source Address: Multicast source address. If no multicast sources are specified, this field displays 0.0.0.0.
Group Address: Multicast group address.
Figure 234 Network diagram (Router A: IGMP querier; Source 1.1.1.1/24; Switch A with GE1/0/1, GE1/0/2 and GE1/0/3 in VLAN 100; Host A: receiver; Host B)
Configuration procedure
Configuring Router A
Enable IP multicast routing globally, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1.
Figure 235 Creating VLAN 100 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports area. Select Untagged for Select membership type. Enter 100 as the VLAN ID. Click Apply.
Figure 236 Assigning ports to the VLAN Enable IGMP snooping globally: From the navigation tree, select Network > IGMP snooping. Select Enable. Click Apply. Figure 237 Enabling IGMP snooping globally Enable IGMP snooping for VLAN 100: Click the icon for VLAN 100. Select Enable for IGMP snooping.
Figure 238 Configuring IGMP snooping in VLAN 100 Verifying the configuration From the navigation tree, select Network > IGMP snooping. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast forwarding entries. Figure 239 Displaying IGMP snooping multicast forwarding entries Click the icon for the multicast entry (0.0.0.0, 224.1.1.1) to display detailed information about this entry.
The output shows that GigabitEthernet 1/0/3 of Switch A is listening to the multicast streams destined for multicast group 224.1.1.1.
Configuring MLD snooping Overview MLD snooping runs on a Layer 2 switch as an IPv6 multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from MLD messages that are exchanged between the hosts and the router. As shown in Figure 241, when MLD snooping is not enabled, the Layer 2 switch floods IPv6 multicast...
Figure 242 MLD snooping related ports
The following describes the ports involved in MLD snooping:
• Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and MLD queriers. As shown in Figure 242, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
Timer: Dynamic member port aging timer
Description: When a port dynamically joins an IPv6 multicast group, the switch starts or resets an aging timer for the port.
Message received before the timer expires: MLD membership report.
Action after the timer expires: The switch removes this port from the MLD snooping forwarding entry for the IPv6 multicast group.
the reported IPv6 multicast group address to suppress their own reports. In this case, the switch cannot determine whether the reported IPv6 multicast group still has active members attached to that port.
Done message: When a host leaves an IPv6 multicast group, the host sends an MLD done message to the multicast router. When the switch receives an MLD done message on a member port, the switch first examines whether a forwarding entry matches the IPv6 group address in the message, and, if a match is found, determines whether the forwarding entry contains the dynamic member port.
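The port roles, the dynamic member port aging timer and the leave handling described for IGMP snooping above, and the corresponding MLD snooping behaviour just described (router ports, the aging timer, done messages and fast-leave on a port), are modelled by the following Python simulation. It is an added example, not code from the HP guide or the switch; the timer values, the port names and the event timeline are assumptions chosen for the demonstration and are not the switch's defaults. The same class serves both protocols because the only difference at Layer 2 is the group address.

```python
from dataclasses import dataclass, field

# Timer values are assumptions for this example (the page gives no numbers);
# all times are in seconds.
HOST_AGING = 260        # dynamic member port aging timer
ROUTER_AGING = 105      # dynamic router port aging timer
LAST_MEMBER_QUERY = 2   # grace period after a leave/done before the port is removed


@dataclass
class SnoopingVlan:
    """Layer 2 multicast state for one VLAN. IGMP (IPv4) and MLD (IPv6) differ
    only in the group address, which is an opaque string here."""
    ports: set
    fast_leave_ports: set = field(default_factory=set)
    router_ports: dict = field(default_factory=dict)  # port -> expiry time
    groups: dict = field(default_factory=dict)        # group -> {member port: expiry}

    def on_query(self, port, now):
        # A general query from a querier marks its port as a dynamic router port.
        self.router_ports[port] = now + ROUTER_AGING

    def on_report(self, port, group, now):
        # A membership report adds the port or resets its aging timer.
        self.groups.setdefault(group, {})[port] = now + HOST_AGING

    def on_leave(self, port, group, now):
        # IGMP leave / MLD done: a fast-leave port is removed at once; otherwise
        # the switch queries the group and drops the port unless a report arrives
        # within the shortened timer. IGMPv1 hosts leave silently, never reach
        # this method, and simply age out in age().
        members = self.groups.get(group)
        if not members or port not in members:
            return
        if port in self.fast_leave_ports:
            del members[port]
        else:
            members[port] = min(members[port], now + LAST_MEMBER_QUERY)
        if not members:
            del self.groups[group]

    def age(self, now):
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.groups):
            live = {p: t for p, t in self.groups[group].items() if t > now}
            if live:
                self.groups[group] = live
            else:
                del self.groups[group]

    def egress(self, group, in_port, now):
        """Ports to which a frame for `group` received on `in_port` is sent."""
        self.age(now)
        if group in self.groups:
            out = set(self.groups[group]) | set(self.router_ports)
        else:
            out = set(self.ports)   # no entry: flood the VLAN, as without snooping
        out.discard(in_port)
        return out


def scenario_igmp():
    """Constructed timeline: Router A (querier, source side) on GE1/0/1,
    Host B on GE1/0/2, Host A on GE1/0/3; group 224.1.1.1 as in the IGMP example."""
    v = SnoopingVlan(ports={"GE1/0/1", "GE1/0/2", "GE1/0/3"})
    out = {}
    v.on_query("GE1/0/1", 0)
    out["flood"] = v.egress("224.1.1.1", "GE1/0/1", 1)        # no entry yet
    v.on_report("GE1/0/3", "224.1.1.1", 5)                    # Host A joins
    out["pruned"] = v.egress("224.1.1.1", "GE1/0/1", 10)
    v.on_report("GE1/0/2", "224.1.1.1", 20)                   # Host B joins
    out["both"] = v.egress("224.1.1.1", "GE1/0/1", 30)
    v.on_leave("GE1/0/3", "224.1.1.1", 40)                    # Host A leaves, no fast-leave
    out["leave_pending"] = v.egress("224.1.1.1", "GE1/0/1", 41)
    out["after_leave"] = v.egress("224.1.1.1", "GE1/0/1", 50)
    out["aged_out"] = v.egress("224.1.1.1", "GE1/0/1", 300)   # nobody re-reported
    return out


def scenario_mld():
    """Same switch with MLD, fast-leave enabled on GE1/0/3, group FF1E::101."""
    v = SnoopingVlan(ports={"GE1/0/1", "GE1/0/2", "GE1/0/3"}, fast_leave_ports={"GE1/0/3"})
    v.on_query("GE1/0/1", 0)
    v.on_report("GE1/0/2", "FF1E::101", 5)
    v.on_report("GE1/0/3", "FF1E::101", 6)
    before = v.egress("FF1E::101", "GE1/0/1", 10)
    v.on_leave("GE1/0/3", "FF1E::101", 20)                    # removed immediately
    after = v.egress("FF1E::101", "GE1/0/1", 21)
    return before, after


if __name__ == "__main__":
    for name, ports in scenario_igmp().items():
        print(f"{name:14} -> {sorted(ports)}")
    print("mld", [sorted(p) for p in scenario_mld()])
```

The last step of the IGMP timeline is the one to notice: once every member has aged out (and the router port too, because no further query was received), the entry disappears and the switch is back to flooding the group, which is the behaviour the overview describes for a VLAN without snooping.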
Step: Configuring MLD snooping in a VLAN
Remarks: Required. Enable MLD snooping in the VLAN and configure the MLD snooping version and querier. By default, MLD snooping is disabled in a VLAN. When you enable MLD snooping, follow these guidelines: •...
Click the icon for the VLAN. Figure 244 Configuring MLD snooping in a VLAN Configure the parameters as described in Table 86. Click Apply.
Table 86 Configuration items
MLD snooping: Enable or disable MLD snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected here.
Version: The default setting is MLDv1.
Configuring MLD snooping port functions Select Network > MLD snooping from the navigation tree. Click the Advanced tab. Figure 245 Configuring MLD snooping port functions Configure the parameters as described in Table 87. Click Apply.
Table 87 Configuration items
Port: Select the port on which advanced MLD snooping features will be configured.
Fast Leave: Enable or disable fast-leave processing on the port. When a port that is enabled with the MLD snooping fast-leave processing feature receives an MLD done message, the switch immediately deletes that port from the IPv6 forwarding table entry for the multicast group specified in the message. When the switch receives MLD multicast-address-specific queries for that multicast group, it does not forward them to that port.
Field Description Member Ports All member ports. MLD snooping configuration example Network requirements As shown in Figure 247, MLDv1 runs on Router A and MLDv1 snooping runs on Switch A. Router A acts as the MLD querier. Perform the configuration so that Host A can receive the IPv6 multicast packets destined for the IPv6 multicast group FF1E::101.
Figure 248 Creating VLAN 100 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports area. Select Untagged for Select membership type. Enter 100 as the VLAN ID. Click Apply.
Figure 249 Assigning ports to VLAN 100 Enable MLD snooping globally: Select Network > MLD snooping from the navigation tree. Select Enable. Click Apply. Figure 250 Enabling MLD snooping globally Enable MLD snooping: Click the icon for VLAN 100. Select Enable for MLD snooping. Select 1 for Version.
Click Apply. Figure 251 Enabling MLD snooping in VLAN 100 Verifying the configuration Select Network > MLD snooping from the navigation tree. Click Show Entries in the basic VLAN configuration page to display information about MLD snooping multicast forwarding entries. Figure 252 Displaying MLD snooping multicast forwarding entries Click the icon for the multicast entry (::, FF1E::101) to display detailed information about this...
Configuring IPv4 and IPv6 routing The term "router" in this chapter refers to both routers and Layer 3 switches. Overview A router selects an appropriate route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path is responsible for sending the packet to the destination host.
Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually. Default route A default route is used to forward packets that do not match any specific routing entry in the routing table. Without a default route, packets that do not match any routing entries are discarded.
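The following Python example, added here and not taken from the HP guide, shows how the routing table described above selects a route for a destination: longest prefix match first, then preference among entries with the same prefix length, with a default route catching everything that matches nothing else and a NULL 0 route discarding what it matches. The two prefixes and next hops (1.1.2.0/24 via 1.1.4.1, 1.1.3.0/24 via 1.1.5.6) are Switch B's from the IPv4 static route example later in this chapter; the interface names, the extra routes and the preference value 60 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed default preference for static routes; the page says a default applies
# when none is given but does not state the value.
STATIC_PREFERENCE = 60


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network: "1.1.2.0/24", "0.0.0.0/0", "3::/64"
    next_hop: str        # next-hop address ("" for a NULL 0 route)
    interface: str       # output interface
    preference: int = STATIC_PREFERENCE

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def select_route(table, destination):
    """Longest prefix match; among routes with the same prefix length the
    lowest preference wins. Returns None when nothing matches."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table
               if r.network.version == addr.version and addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.preference))


def forward(table, destination):
    """Forwarding decision as text: drop, blackhole, or interface and next hop."""
    route = select_route(table, destination)
    if route is None:
        return "drop: no matching route and no default route"
    if route.interface == "NULL 0":
        return f"drop: {route.prefix} points to NULL 0"
    return f"{route.interface} via {route.next_hop}"


# Switch B's two static routes from the IPv4 example (next hops 1.1.4.1 and
# 1.1.5.6 are from the page; the interface names are assumed).
SWITCH_B = [
    Route("1.1.2.0/24", "1.1.4.1", "Vlan-interface100"),
    Route("1.1.3.0/24", "1.1.5.6", "Vlan-interface200"),
]

# Constructed additions showing how each kind of entry affects selection.
CONSTRUCTED = SWITCH_B + [
    Route("0.0.0.0/0", "1.1.4.1", "Vlan-interface100"),                  # default route
    Route("1.1.3.2/32", "1.1.5.7", "Vlan-interface200"),                 # longer prefix wins
    Route("1.1.2.0/24", "1.1.4.9", "Vlan-interface100", preference=70),  # same prefix, loses
    Route("10.0.0.0/8", "", "NULL 0"),                                   # blackhole
    Route("3::/64", "5::1", "Vlan-interface300"),                        # IPv6 static route
]


if __name__ == "__main__":
    for dst in ("1.1.3.2", "1.1.3.3", "1.1.2.5", "10.20.30.40", "8.8.8.8", "3::2"):
        print(f"{dst:>12}  Switch B: {forward(SWITCH_B, dst):45}  constructed: {forward(CONSTRUCTED, dst)}")
```

A NULL 0 route is a useful defensive tool: pointing an unused or bogus prefix at NULL 0 drops that traffic on the switch instead of letting the default route carry it toward the Internet, and because a longer prefix always wins, a host route can still be exempted from the blackhole.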
Creating an IPv4 static route Select Network > IPv4 Routing from the navigation tree. Click the Create tab. The page for configuring an IPv4 static route appears. Figure 255 Creating an IPv4 static route Create an IPv4 static route as described in the table below. Click Apply.
Interface: Select the output interface. You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination is treated as unreachable and packets matching the route are silently discarded (a blackhole route).
Displaying the IPv6 active route table Select Network >...
The page for configuring an IPv6 static route appears. Figure 257 Creating an IPv6 static route Create an IPv6 static route as described in Table 93. Click Apply.
Table 93 Configuration items
Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:).
IPv4 static route configuration example Network requirements As shown in Figure 258, configure IPv4 static routes on Switch A, Switch B, and Switch C for any two hosts to communicate with each other. Figure 258 Network diagram Configuration considerations On Switch A, configure a default route with Switch B as the next hop. On Switch B, configure one static route with Switch A as the next hop and the other with Switch C as the next hop.
Figure 259 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv4 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.
Figure 260 Configuring a static route Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv4 Routing from the navigation tree of Switch C. Click the Create tab.
Figure 261 Configuring a default route Verifying the configuration Display the routing table. Enter the IPv4 route page of Switch A, Switch B, and Switch C to verify that the newly configured static routes are displayed as active routes on the pages. Ping Host C from Host A (assuming both hosts run Windows XP): C:\Documents and Settings\Administrator>ping 1.1.3.2 Pinging 1.1.3.2 with 32 bytes of data:...
IPv6 static route configuration example Network requirements As shown in Figure 262, configure IPv6 static routes on Switch A, Switch B, and Switch C for any two hosts to communicate with each other.
Figure 262 Network diagram (Host B 2::2/64; Vlan-int400 2::1/64; Vlan-int200 ...)
Figure 263 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv6 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1:: for Destination IP Address, select 64 from the Prefix Length list, and enter 4::1 for Next Hop.
Figure 264 Configuring a static route Enter 3:: for Destination IP Address, select 64 from the Prefix Length list, and enter 5::1 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv6 Routing from the navigation tree of Switch C. Click the Create tab.
Figure 265 Configuring a default route Verifying the configuration Display the routing table. Enter the IPv6 route page of Switch A, Switch B, and Switch C to verify that the newly configured static routes are displayed as active routes on the pages. Ping Host C from Switch A: <SwitchA>...
round-trip min/avg/max = 62/62/63 ms
Configuration guidelines
When you configure a static route, follow these guidelines:
• If you do not specify the preference, the default preference will be used. Reconfiguration of the default preference applies only to newly created static routes. The Web interface does not support configuration of the default preference.
DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client-server model. Figure 266 shows a typical DHCP application. A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
IP address allocation process Figure 267 Dynamic IP address allocation process The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
DHCP message format Figure 268 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Figure 268 DHCP message format op (1) htype (1) hlen (1) hops (1) xid (4)
DHCP options DHCP defines the message format as an extension to BOOTP for compatibility. DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 269 DHCP option format Common DHCP options The following are common DHCP options: Option 3—Router option.
The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients. Option 82 can include up to 255 sub-options and must have one sub-option at least. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).
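As an added example (not code from the HP guide or the switch), the following Python builds and parses a DHCP message with the fixed fields of Figure 268, the options field described above, and Option 82 with its Circuit ID (sub-option 1) and Remote ID (sub-option 2) sub-options. It also shows how a relay agent or DHCP snooping device handles a client message that already carries Option 82; the three strategies assumed here are Drop, Keep and Replace (the DHCP snooping configuration example later in this chapter selects Replace). The transaction ID, client MAC address and sub-option contents are constructed values.

```python
import struct

FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op, htype, hlen, hops, xid, secs, flags,
FIXED_LEN = struct.calcsize(FIXED_FMT)     # ciaddr, yiaddr, siaddr, giaddr, chaddr,
MAGIC_COOKIE = b"\x63\x82\x53\x63"         # sname, file: 236 bytes in total
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
BROADCAST_FLAG = 0x8000
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(o) for o in b)


def encode_tlvs(items):
    """Encode (code, value) pairs as code/length/value; also used for sub-options."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items)


def decode_tlvs(data, top_level=True):
    """Decode code/length/value items. Only the top-level option field has the
    single-byte PAD (0) and END (255) codes; Option 82 sub-options do not."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        length = data[i + 1]
        items.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def build_dhcp(op, xid, chaddr, options, flags=0, giaddr="0.0.0.0", hops=0):
    """Assemble a DHCP message; fields not needed for the example are zero."""
    zero4 = b"\0" * 4
    fixed = struct.pack(FIXED_FMT, op, 1, 6, hops, xid, 0, flags,
                        zero4, zero4, zero4, ip_bytes(giaddr),
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + encode_tlvs(options) + bytes([OPT_END])


def parse_dhcp(data):
    if len(data) < FIXED_LEN + 4 or data[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = struct.unpack(FIXED_FMT, data[:FIXED_LEN])
    options = decode_tlvs(data[FIXED_LEN + 4:])
    msg_type = next((v[0] for c, v in options if c == OPT_MSG_TYPE), None)
    return {
        "op": op, "hops": hops, "xid": xid,
        "broadcast": bool(flags & BROADCAST_FLAG),  # decides how the OFFER is sent back
        "ciaddr": ip_str(ciaddr), "yiaddr": ip_str(yiaddr), "giaddr": ip_str(giaddr),
        "chaddr": chaddr[:hlen].hex(),
        "type": MSG_TYPES.get(msg_type, msg_type),
        "options": options,
    }


def parse_option82(value):
    """Split Option 82 into its sub-options: {1: circuit ID, 2: remote ID}."""
    return dict(decode_tlvs(value, top_level=False))


def apply_option82(options, circuit_id, remote_id, strategy="replace"):
    """Handling of Option 82 in a client message at a relay agent or snooping
    device. drop: discard a message that already carries it (returns None);
    keep: forward it unchanged; replace: overwrite it with our own values."""
    present = any(code == OPT_RELAY_AGENT for code, _ in options)
    if present and strategy == "drop":
        return None
    if present and strategy == "keep":
        return options
    mine = encode_tlvs([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)])
    return [(c, v) for c, v in options if c != OPT_RELAY_AGENT] + [(OPT_RELAY_AGENT, mine)]


def sample_discover():
    """Constructed DHCPDISCOVER: broadcast flag set, and an Option 82 already
    present as a client might insert to forge its location."""
    stale = encode_tlvs([(SUB_CIRCUIT_ID, b"forged-port"), (SUB_REMOTE_ID, b"forged-switch")])
    return build_dhcp(1, 0x3903F326, bytes.fromhex("00e0fc010001"),
                      [(OPT_MSG_TYPE, b"\x01"), (OPT_RELAY_AGENT, stale)], flags=BROADCAST_FLAG)


if __name__ == "__main__":
    msg = parse_dhcp(sample_discover())
    print(msg["type"], "xid=%08x" % msg["xid"], "chaddr", msg["chaddr"], "broadcast", msg["broadcast"])
    print("client-supplied Option 82:", parse_option82(dict(msg["options"])[OPT_RELAY_AGENT]))
    fixed = apply_option82(msg["options"], b"vlan100:GE1/0/3", b"switch-a")
    print("after replace:", parse_option82(dict(fixed)[OPT_RELAY_AGENT]))
```

Replace is the strategy to prefer on client-facing ports: a client can put anything it likes into Option 82, so a relay that keeps a client-supplied Option 82 lets the client choose the location the server sees.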
Configuring DHCP relay agent Overview Since the DHCP clients request IP addresses through broadcast messages, the DHCP server and clients must be on the same subnet. Through a DHCP relay agent, DHCP clients can get IP addresses from a DHCP server on another subnet. This avoids deploying a DHCP server on every subnet, which centralizes management and reduces cost.
Figure 273 DHCP relay agent operation
Recommended configuration procedure
Task: Enabling DHCP and configuring advanced parameters for the DHCP relay agent
Remarks: Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled.
Task: Creating a DHCP server group
Remarks: Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
Enabling DHCP and configuring advanced parameters for the DHCP relay agent From the navigation tree, select Network > DHCP to enter the default DHCP Relay page. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration area, as shown in Figure 274.
Click Apply.
Table 94 Configuration items
DHCP Service: Enable or disable global DHCP.
Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. Unauthorized DHCP servers on a network can reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of any DHCP server that assigned an IP address to the DHCP...
Configure the DHCP server group as shown in Table 95. Click Apply.
Table 95 Configuration items
Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
IP Address: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent.
Configuring and displaying clients' IP-to-MAC bindings From the navigation tree, select Network > DHCP to enter the default DHCP Relay page shown in Figure 274. In the User Information area, click User Information to view static and dynamic bindings, as shown in Figure 277.
DHCP relay agent configuration example Network requirements As shown in Figure 279, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.2/24. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24.
Figure 280 Enabling DHCP Configure a DHCP server group: In the Server Group area, click Add and then perform the following operations, as shown in Figure 281. Enter 1 for Server Group ID. Enter 10.1.1.1 for IP Address. Click Apply. Figure 281 Adding a DHCP server group
Enable the DHCP relay agent on VLAN-interface 1: In the Interface Config field, click the icon of VLAN-interface 1, and then perform the following operations, as shown in Figure 282. Select the Enable option next to DHCP Relay. Select 1 for Server Group ID. Click Apply.
Configuring DHCP snooping DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent.
Figure 283 Trusted and untrusted ports In a cascaded network as shown in Figure 284, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries.
Device: Switch B. Untrusted port: GigabitEthernet 1/0/1. Trusted port disabled from recording binding entries: GigabitEthernet 1/0/2. Trusted ports enabled to record binding entries: GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4.
Device: Switch C. Untrusted port: GigabitEthernet 1/0/2. Trusted port disabled from recording binding entries: GigabitEthernet 1/0/1. Trusted ports enabled to record binding entries: GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4.
DHCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes.
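The trusted/untrusted port rule and the recording of DHCP snooping entries described above, as an added Python example that is not code from the HP guide or the switch. It works on already-parsed messages (a dict with the message type, transaction ID, client MAC, assigned address and lease) rather than raw packets; the port names, the rogue server and the timeline are constructed for the demonstration. A per-port `record` flag models a trusted port that is disabled from recording binding entries.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Port:
    name: str
    trusted: bool = False   # ports toward the DHCP server or another snooping device
    record: bool = True     # whether clients behind this port get binding entries


class DhcpSnooping:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.pending = {}     # xid -> (client port, VLAN) waiting for a server reply
        self.bindings = {}    # (client MAC, VLAN) -> DHCP snooping entry
        self.log = []

    def handle(self, in_port, vlan, msg, now):
        """msg is an already-parsed message: type, xid, chaddr, yiaddr, lease.
        Returns True if the message is forwarded and False if it is dropped."""
        port = self.ports[in_port]
        if msg["type"] in SERVER_MSGS:
            if not port.trusted:
                # A server reply on an untrusted port comes from an unauthorized server.
                self.log.append(f"drop {msg['type']} from unauthorized server on {in_port}")
                return False
            if msg["type"] == "ACK":
                self._record(msg, now)
            return True
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.pending[msg["xid"]] = (in_port, vlan)
        elif msg["type"] == "RELEASE":
            self.bindings.pop((msg["chaddr"], vlan), None)
        return True

    def _record(self, ack, now):
        client = self.pending.pop(ack["xid"], None)
        if client is None:
            return
        client_port, client_vlan = client
        if not self.ports[client_port].record:
            return   # e.g. a cascade port: the downstream snooping device keeps the entry
        self.bindings[(ack["chaddr"], client_vlan)] = {
            "ip": ack["yiaddr"], "mac": ack["chaddr"], "vlan": client_vlan,
            "port": client_port, "type": "Dynamic", "expires": now + ack["lease"],
        }

    def expire(self, now):
        """Entries go away when their lease runs out."""
        self.bindings = {k: b for k, b in self.bindings.items() if b["expires"] > now}


def scenario():
    """Constructed exchange: DHCP server behind trusted GE1/0/1, client on
    GE1/0/2, and a rogue server answering on untrusted GE1/0/3."""
    s = DhcpSnooping([Port("GE1/0/1", trusted=True), Port("GE1/0/2"), Port("GE1/0/3")])
    mac = "00e0fc010001"
    s.handle("GE1/0/2", 100, {"type": "DISCOVER", "xid": 1, "chaddr": mac}, now=0)
    legit = s.handle("GE1/0/1", 100, {"type": "OFFER", "xid": 1, "chaddr": mac,
                                      "yiaddr": "10.1.1.50"}, now=1)
    rogue = s.handle("GE1/0/3", 100, {"type": "OFFER", "xid": 1, "chaddr": mac,
                                      "yiaddr": "10.1.1.99"}, now=1)
    s.handle("GE1/0/2", 100, {"type": "REQUEST", "xid": 1, "chaddr": mac}, now=2)
    s.handle("GE1/0/1", 100, {"type": "ACK", "xid": 1, "chaddr": mac,
                              "yiaddr": "10.1.1.50", "lease": 3600}, now=3)
    binding = dict(s.bindings[(mac, 100)])
    s.expire(now=4000)
    return legit, rogue, binding, s.bindings, s.log


if __name__ == "__main__":
    legit, rogue, binding, after, log = scenario()
    print("legitimate offer forwarded:", legit, "| rogue offer forwarded:", rogue)
    print("binding:", binding)
    print("after lease expiry:", after)
    print("\n".join(log))
```

The binding that results (IP, MAC, VLAN, port, lease) is exactly what the ARP detection user validity check and IP source guard later consume, which is why the port facing the real server must be the only trusted one on a client VLAN.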
Task Remarks Optional. Displaying clients' IP-to-MAC bindings Display clients' IP-to-MAC bindings recorded by DHCP snooping. Enabling DHCP snooping From the navigation tree, select Network > DHCP. Click the DHCP Snooping tab to enter the page shown in Figure 285. Select the Enable option next to DHCP Snooping to enable DHCP Snooping. Figure 285 DHCP snooping configuration page Configuring DHCP snooping functions on an interface...
Figure 286 DHCP snooping interface configuration page Configure DHCP snooping on the interface as described in Table 100. Click Apply. Table 100 Configuration items Item Description Interface Name This field displays the name of a specific interface. Interface State Configure the interface as trusted or untrusted. Option 82 Support Configure DHCP snooping to support Option 82 or not.
Type: Displays the client type: • Dynamic—The IP-to-MAC binding is generated dynamically. • Static—The IP-to-MAC binding is configured manually. Static bindings are not supported.
Interface Name: Displays the device interface to which the client is connected.
VLAN: Displays the VLAN to which the client belongs.
Remaining Lease Time: Displays the remaining lease time of the IP address.
Figure 289 Enabling DHCP snooping Configure DHCP snooping functions on GigabitEthernet 1/0/1: Click the icon of GigabitEthernet 1/0/1 on the interface list. Select the Trust option next to Interface State as shown in Figure 290. Click Apply. Figure 290 Configuring DHCP snooping functions on GigabitEthernet 1/0/1 Configure DHCP snooping functions on GigabitEthernet 1/0/2: Click the icon of GigabitEthernet 1/0/2 on the interface list.
Configure DHCP snooping functions on GigabitEthernet 1/0/3: Click the icon of GigabitEthernet 1/0/3 on the interface list. Select the Untrust option for Interface State as shown in Figure 292. Select the Enable option next to Option 82 Support. Select Replace for Option 82 Strategy. Click Apply.
Managing services Overview Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services, modify HTTP and HTTPS port numbers, and associate the FTP, HTTP, or HTTPS service with an ACL to block unauthorized users. FTP service FTP is an application layer protocol for sharing files between server and client over a TCP/IP network.
Managing services Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 293. Figure 293 Service management Enable or disable services on the page. Table 102 describes the detailed configuration items. Click Apply.
Port Number: Set the port number for HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: When you modify a port, make sure the port is not used by any other service.
Using diagnostic tools This chapter describes how to use the ping and traceroute utilities. Ping Use the ping utility to determine if a specific address is reachable. A ping operation involves the following steps: The source device sends ICMP echo requests to the destination device. The destination device responds by sending ICMP echo replies to the source device after receiving the ICMP echo requests.
The first hop device responds with an ICMP TTL-expired message to the source. In this way, the source device gets the address of the first device. The source device sends a packet with a TTL value of 2 to the destination device. The second hop responds with an ICMP TTL-expired message.
Figure 295 Ping operation result
Traceroute operation
The Web interface does not support IPv6 traceroute. Before performing a traceroute operation, perform the following tasks:
• Enable sending of ICMP timeout packets by executing the ip ttl-expires enable command on intermediate devices.
• Enable sending of ICMP destination unreachable packets by executing the ip unreachables enable...
Enter the IP address or host name of the destination device in the Trace Route field. Click Start. View the output in the Summary area. Figure 297 Traceroute operation result
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (for example, a WLAN) that requires different authentication methods for different users on a port.
• MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected.
Controlled/uncontrolled port and port authorization status 802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 103 lists the types of EAPOL packets supported by HP implementation of 802.1X. Table 103 Types of EAPOL packets Value Type...
01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client cannot send EAPOL-Start packets.
802.1X authentication procedures 802.1X provides the following methods for authentication:
• EAP relay.
• EAP termination.
You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods.
• EAP relay mode: EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR (EAP over RADIUS) packets to send authentication information to the RADIUS server, as shown in Figure 304.
EAP termination
Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
Limitations: • Supports the "username + password" EAP authentication initiated by an HP iNode 802.1X client. • The processing is complex on the network access device.
EAP relay Figure 306 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that...
The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server generates a random MD5 challenge (EAP-Request/MD5 challenge), with which the password in the entry will be hashed (an MD5 hash, not an encryption of the password), and sends the challenge in a RADIUS Access-Challenge packet to the network access device.
Figure 307 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the network access device rather than the authentication server generates the MD5 challenge with which the client hashes its password (see Step 4). The network access device then sends the MD5 challenge together with the username and the hashed password in a standard RADIUS packet to the RADIUS server.
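An added Python example (not the HP guide's or the switch's code) of the MD5-Challenge computation at the centre of both procedures: the EAP-MD5 response is MD5(identifier || password || challenge), the same value CHAP uses, so a RADIUS server that speaks CHAP can verify it. In relay mode the RADIUS server generates the challenge and checks the EAP response the access device relays; in termination mode the access device generates the challenge and sends username, challenge and response to the server as the CHAP-Challenge and CHAP-Password attributes. The user database, usernames and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed RADIUS user database: username -> password.
USER_DB = {"alice": b"correct horse battery staple"}


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 (RFC 3748, MD5-Challenge) response value: MD5(Identifier ||
    password || challenge). It is a one-way hash of the password, not an
    encryption of it, and the same computation CHAP uses (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_challenge_verify(identifier, challenge, response, password):
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


class RadiusServer:
    def __init__(self, db):
        self.db = db
        self.pending = {}   # username -> (EAP identifier, challenge) for relay mode

    def eap_identity(self, username, identifier):
        """Relay mode: Access-Request carrying EAP-Response/Identity. The server
        answers with Access-Challenge carrying EAP-Request/MD5-Challenge."""
        challenge = os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return challenge

    def eap_md5(self, username, identifier, response):
        """Relay mode: Access-Request carrying EAP-Response/MD5-Challenge."""
        stored = self.pending.pop(username, None)
        password = self.db.get(username)
        if stored is None or password is None or stored[0] != identifier:
            return "Access-Reject"
        ok = md5_challenge_verify(identifier, stored[1], response, password)
        return "Access-Accept" if ok else "Access-Reject"

    def chap(self, attrs):
        """Termination mode: plain RADIUS CHAP check. CHAP-Password is the 1-byte
        CHAP identifier followed by the 16-byte response (RFC 2865)."""
        password = self.db.get(attrs["User-Name"])
        if password is None:
            return "Access-Reject"
        identifier, response = attrs["CHAP-Password"][0], attrs["CHAP-Password"][1:]
        ok = md5_challenge_verify(identifier, attrs["CHAP-Challenge"], response, password)
        return "Access-Accept" if ok else "Access-Reject"


def eap_relay(username, password, server, identifier=1):
    """Client <-> access device (EAPOL) <-> server (EAP over RADIUS). The device
    only re-encapsulates; the server generates and checks the challenge."""
    challenge = server.eap_identity(username, identifier)            # from the server
    response = eap_md5_response(identifier, password, challenge)     # computed by the client
    return server.eap_md5(username, identifier, response)


def eap_termination(username, password, server, identifier=1):
    """The access device terminates EAP: it generates the challenge itself,
    collects the client's MD5-Challenge response, and sends username, challenge
    and response to the server as standard CHAP attributes."""
    challenge = os.urandom(16)                                        # generated by the device
    response = eap_md5_response(identifier, password, challenge)     # computed by the client
    attrs = {"User-Name": username,
             "CHAP-Challenge": challenge,
             "CHAP-Password": bytes([identifier]) + response}
    return server.chap(attrs)


if __name__ == "__main__":
    srv = RadiusServer(USER_DB)
    for mode in (eap_relay, eap_termination):
        print(mode.__name__, mode("alice", USER_DB["alice"], srv), mode("alice", b"wrong", srv))
```

Both modes rely on the server holding the password in a form it can hash with the challenge, which is the reason MD5-Challenge and CHAP need a cleartext-equivalent credential store; the relay mode's advantage is that stronger EAP methods can be swapped in without touching the access device.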
• Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
Authentication status: No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled.
VLAN manipulation: The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not...
Authentication status: A user fails 802.1X authentication.
VLAN manipulation: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
Authentication status: A user in the Auth-Fail VLAN fails 802.1X authentication.
VLAN manipulation: The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users on this port are in this VLAN.
Recommended configuration procedure
Step: Configuring 802.1X globally
Remarks: Required. This function enables 802.1X authentication globally. It also configures the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally.
Step: Configuring 802.1X on a port
Remarks: Required. This function enables 802.1X authentication on the specified port and configures 802.1X parameters for the port. By default, 802.1X authentication is disabled on a port.
The support of the RADIUS server for EAP packets. The authentication methods supported by the 802.1X client and the RADIUS server. Click Advanced to expand the advanced 802.1X configuration area. Figure 309 Configuring advanced 802.1X parameters Configure advanced 802.1X settings as described in Table 104, and then click Apply.
Figure 310 Configuring 802.1X on a port Table 105 describes the configuration items. Table 105 Configuration items Item Description Selects a port where you want to enable 802.1X. Only ports not enabled with 802.1X authentication are available. Port 802.1X configuration takes effect on a port only after 802.1X is enabled both globally and on the port.
Item Description Specifies whether to enable periodic online user re-authentication on the port. Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 104.
Table 106 Relationships of the 802.1X guest VLAN and other security features
Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
Relationship description: Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN.
Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS accounting fails, the access device logs the user off. The RADIUS servers run CAMS or IMC. Configure the host at 10.1.1.1 as the primary authentication and secondary accounting servers, and the host at 10.1.1.2 as the secondary authentication and primary accounting servers.
Configure 802.1X for GigabitEthernet 1/0/1: In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list, select Enable Re-Authentication, and click Apply. Figure 313 Configuring 802.1X for GigabitEthernet 1/0/1 Configuring the RADIUS scheme for the switch Configure authentication and accounting attributes for the RADIUS scheme: From the navigation tree, select Authentication >...
Figure 314 Configuring the RADIUS scheme Configure the primary authentication server in the RADIUS scheme: In the RADIUS Server Configuration area, click Add. Select the server type Primary Authentication. Enter the IP address 10.1.1.1, and enter the port number 1812.
Click Apply. The RADIUS Server Configuration area displays the primary authentication server you have configured. Configure the backup authentication server in the RADIUS scheme: In the RADIUS Server Configuration area, click Add. Select the server type Backup Authentication. Enter the IP address 10.1.1.2, and enter the port number 1812. Click Apply.
Figure 315 Creating an ISP domain Configure AAA authentication method for the ISP domain: Click the Authentication tab. Select test from the Select an ISP domain list. Select Default AuthN, select authentication method RADIUS from the Default AuthN list, and select the authentication scheme system from the Name list, as shown in Figure 316.
Figure 317 Configuration progress dialog box After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: Click the Authorization tab. Select test from the Select an ISP domain list. Select Default AuthZ, select the authorization method RADIUS from the Default AuthZ list, and select the authorization scheme system from the Name list, as shown in Figure 318.
Figure 319 Configuring the AAA accounting method for the ISP domain Click Apply. After the configuration process is complete, click Close. 802.X with ACL assignment configuration example Network requirements As shown in Figure 320, perform 802.1X authentication on port GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
Select Without domain name from the Username Format list. Click Apply. Configure the primary authentication server in the RADIUS scheme: In the RADIUS Server Configuration area, click Add. Select the server type Primary Authentication. Enter the IP address 10.1.1.1, and enter the port number 1812. Enter expert in the Key and Confirm Key fields.
Figure 323 Configuring the RADIUS scheme Click Apply. Configuring AAA Create an ISP domain: From the navigation tree, select Authentication > AAA. The Domain Setup page appears. Enter test from the Domain Name list, and select Enable from the Default Domain list. Click Apply.
Figure 324 Creating an ISP domain Configure AAA authentication method for the ISP domain: Click the Authentication tab. Select test from the Select an ISP domain list. Select Default AuthN, select RADIUS as the default authentication method, and select the authentication scheme system from the Name list, as shown in Figure 325.
Figure 326 Configuration progress dialog box After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: Click the Authorization tab. Select test from the Select an ISP domain list. Select Default AuthZ, select RADIUS as the default authorization method, and select the authorization scheme system from the Name list, as shown in Figure 327.
Figure 328 Configuring the AAA accounting method for the ISP domain After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. Click the Add tab. Enter the ACL number 3000, and click Apply. Figure 329 Creating ACL 3000 Click the Advanced Setup tab.
In the IP Address Filter area, select Destination IP Address: − Enter 10.0.0.1 as the destination IP address. − Enter 0.0.0.0 as the destination IP address wildcard. Click Add. Figure 330 ACL rule configuration Configuring 802.1X Configure 802.1X globally: From the navigation tree, select Authentication > 802.1X. Select Enable 802.1X.
Select the authentication method CHAP. Click Apply. Figure 331 Configuring 802.1X globally Configure 802.1X for GigabitEthernet 1/0/1: In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Click Apply. Figure 332 Configuring 802.1X for GigabitEthernet 1/0/1 Verifying the configuration After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.
Figure 333 shows the ping operation summary. Figure 333 Ping operation summary
Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example, ...
AAA can be implemented through multiple protocols. The device supports RADIUS, which is most often used. For more information about RADIUS, see "Configuring RADIUS." Domain-based user management A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user by the username entered by the user at login.
Step: Configuring authorization methods for the ISP domain
Remarks: Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.
Step: Configuring accounting methods for the ISP domain
Remarks: Required. Specify the accounting methods for various types of users. By default, all types of users use local accounting.
Item: Default Domain
Description: Specify whether to use the ISP domain as the default domain. Options include:
• Enable—Uses the domain as the default domain.
• Disable—Uses the domain as a non-default domain.
There can only be one default domain at a time. If you specify another domain as the default domain, the original default domain becomes a non-default domain.
Items: LAN-access AuthN, Name, Secondary Method
Description: Configure the authentication method and secondary authentication method for LAN access users. Options include:
• Local—Local authentication.
• None—No authentication. This method trusts all users and is not for general use.
• RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
• ...
Table 110 Configuration items
Item: Select an ISP domain
Description: Select the ISP domain for which you want to specify authentication methods.
Item: Default AuthZ
Description: Configure the default authorization method and secondary authorization method for all types of users. Options include:
• HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Figure 338 Accounting method configuration page
Select the ISP domain and specify accounting methods for the ISP domain, as described in Table 111. Click Apply.
Table 111 Configuration items
Item: Select an ISP domain
Description: Select the ISP domain for which you want to specify authentication methods.
Specify whether to enable the accounting optional feature.
Items: Login Accounting, Name, Secondary Method
Description: Configure the accounting method and secondary accounting method for login users. Options include:
• HWTACACS—HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Local accounting.
• None—No accounting.
• RADIUS—RADIUS accounting. You must specify the RADIUS scheme to be used.
• ...
Figure 340 Configuring a local user Configure ISP domain test: Select Authentication > AAA from the navigation tree. The domain configuration page appears. Enter the domain name test. Click Apply. Figure 341 Configuring ISP domain test
Configure the ISP domain to use local authentication: Select Authentication > AAA from the navigation tree. Click the Authentication tab. Select the domain test. Select Login AuthN and select the authentication method Local. Figure 342 Configuring the ISP domain to use local authentication Click Apply.
After the configuration progress is complete, click Close. Figure 344 Configuring the ISP domain to use local authorization Configure the ISP domain to use local accounting: Select Authentication > AAA from the navigation tree. Click the Accounting tab. Select the domain test. Select Login Accounting and select the accounting method Local.
Configuring RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. For more information about AAA, see "Configuring AAA."...
Security and authentication mechanisms The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt user passwords exchanged between them. For security, this key must be manually configured on the client and the server. RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP.
The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for the user. RADIUS packet format RADIUS uses UDP to transmit messages.
• The Length field (2 bytes long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered padding and are neglected upon reception. If the length of a received packet is less than this length, the packet is dropped.
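The Length-field rules just stated, together with the shared-key packet authentication described earlier in this chapter, as an added example that is not code from the HP guide: a small Python receiver that parses a RADIUS datagram (including attribute 26), drops a datagram shorter than its Length field, ignores trailing padding, and verifies the RFC 2865 Response Authenticator with the shared key. The shared key, Request Authenticator, vendor ID and the Access-Accept contents are constructed sample values.

```python
"""RADIUS datagram parsing and Response Authenticator verification.

Added example, not code from the HP guide. Implements the Length-field rules
(drop short datagrams, ignore padding) and the RFC 2865 shared-key check.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute
CODE_NAMES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
}

# Constructed sample values, not taken from any real deployment.
SAMPLE_SECRET = b"expert"               # shared key, as in the guide's examples
SAMPLE_REQUEST_AUTH = bytes(range(16))  # Request Authenticator sent by the NAS
SAMPLE_VENDOR_ID = 99999                # placeholder Vendor-Id for attribute 26


class RadiusPacketError(ValueError):
    """Raised for datagrams a receiver must drop."""


def parse_vsa(value: bytes) -> dict:
    """Split attribute 26 into its Vendor-Id and the vendor sub-attributes."""
    if len(value) < 4:
        raise RadiusPacketError("Vendor-Specific attribute shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    sub, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise RadiusPacketError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise RadiusPacketError("bad vendor sub-attribute length")
        sub.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return {"vendor_id": vendor_id, "attributes": sub}


def parse_radius(datagram: bytes) -> dict:
    """Parse the fixed header and attribute list of one RADIUS datagram."""
    if len(datagram) < HEADER_LEN:
        raise RadiusPacketError("datagram shorter than the 20-byte header; dropped")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN:
        raise RadiusPacketError(f"Length field {length} is below the minimum of 20")
    if len(datagram) < length:
        # Guide: a received packet shorter than its Length field is dropped.
        raise RadiusPacketError("datagram shorter than its Length field; dropped")
    body = datagram[:length]  # Guide: bytes beyond Length are padding, ignored.
    attributes, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise RadiusPacketError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > length:
            raise RadiusPacketError(f"attribute {atype} has bad length {alen}")
        value = body[pos + 2:pos + alen]
        attributes.append(
            (atype, parse_vsa(value) if atype == ATTR_VENDOR_SPECIFIC else value))
        pos += alen
    return {"code": code, "code_name": CODE_NAMES.get(code, "Unknown"),
            "identifier": identifier, "length": length,
            "authenticator": datagram[4:HEADER_LEN], "attributes": attributes,
            "padding": len(datagram) - length}


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Build one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_response(code: int, identifier: int, attributes: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    digest = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + digest + attributes


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator over Length bytes only and compare."""
    try:
        pkt = parse_radius(response)
    except RadiusPacketError:
        return False
    body = response[:pkt["length"]]
    expected = hashlib.md5(
        body[:4] + request_authenticator + body[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])


def sample_accept() -> bytes:
    """Constructed Access-Accept: Filter-Id (type 11) "3000" plus one vendor attribute."""
    attrs = encode_attribute(11, b"3000")
    vsa = struct.pack("!I", SAMPLE_VENDOR_ID) + encode_attribute(1, b"demo")
    attrs += encode_attribute(ATTR_VENDOR_SPECIFIC, vsa)
    return build_response(2, 7, attrs, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
```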
Figure 349 Format of attribute 26
Protocols and standards
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• ...
Figure 351 RADIUS scheme configuration page
Configure the parameters as described in Table 114. Click Apply.
Table 114 Configuration items
Item: Scheme Name
Description: Enter a name for the RADIUS scheme.
Item: Common Configuration
Description: Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets.
Figure 352 Common configuration
Configure the parameters, as described in Table 115.
Table 115 Configuration items
Item: Server Type
Description: Select the type of the RADIUS servers supported by the device, which can be:
• Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2138/2139 or later.
Item: Username Format
Description: Select the format of usernames to be sent to the RADIUS server. Typically, a username is in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the RADIUS...
RADIUS server.
Item: RADIUS Packet Source IP
Description: HP recommends you to use a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
Item: Stop-Accounting Attempts
Description: Set the maximum number of stop-accounting attempts. The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is three seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20.
Table 116 Configuration items
Item: Server Type
Description: Select the type of the RADIUS server to be configured. Options include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
Item: IP Address
Description: Specify the IPv4 or IPv6 address of the RADIUS server. The IP addresses of the primary and secondary servers for a scheme must be different.
Select Without domain name for the username format. In the RADIUS Server Configuration area, click Add to configure the primary authentication server: Select Primary Authentication as the server type. Enter 10.110.91.146 as the IP address. Enter 1812 as the port. Enter expert as the key and enter expert again to confirm the key.
Figure 357 RADIUS scheme configuration Configuring AAA Select Authentication > AAA in the navigation tree. The domain setup page appears. On the domain setup page, configure a domain: Enter test for Domain Name. Click Enable to use the domain as the default domain. Click Apply.
Select the Authentication tab to configure the authentication scheme: Select the domain name test. Select Default AuthN and select RADIUS as the authentication mode. Select system from the Name list to use it as the authentication scheme. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 361 Configuring the AAA authorization method for the ISP domain Select the Accounting tab to configure the accounting scheme: Select the domain name test. Select Accounting Optional and select Enable from the list. Select Default Accounting and select RADIUS as the accounting mode. Select system from the Name list to use it as the accounting scheme.
• If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.
• The status of RADIUS servers, blocked or active, determines which servers the device will communicate with or turn to when the current servers are not available.
Configuring users You can configure local users and create groups to manage them. A local user represents a set of user attributes configured on a device (such as the user password, use type, service type, and authorization attribute), and is uniquely identified by the username. For a user to pass local authentication, you must add an entry for the user in the local user database of the device.
Figure 364 Local user configuration page
Configure the local user as described in Table 118. Click Apply.
Table 118 Configuration items
Item: Username
Description: Specify a name for the local user.
Item: Password
Description: Specify and confirm the password of the local user. The settings of these two fields must be the same.
Item: Expire-time
Description: Specify an expiration time for the local user, in the HH:MM:SS-YYYY/MM/DD format. To authenticate a local user with the expiration time configured, the access device checks whether the expiration time has passed. If it has not passed, the device permits the user to log in.
Figure 366 User group configuration page
Configure the user group as described in Table 119. Click Apply.
Table 119 Configuration items
Item: Group-name
Description: Specify a name for the user group.
Item: Level
Description: Select an authorization level for the user group: Visitor, Monitor, Configure, or Management, in ascending order of priority.
Managing certificates Overview The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key technologies and digital certificates, and for verifying the identities of the digital certificate owners. A digital certificate is a binding of certificate owner identity information and a public key. Users can get certificates, use certificates, and revoke certificates.
Figure 367 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer. A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued. The entity retrieves the certificate. With the certificate, the entity can communicate with other entities safely through encryption and digital signature.
Step: Creating a PKI domain
Remarks: Required. Create a PKI domain, setting the certificate request mode to Manual. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
Step: Destroying the RSA key pair
Remarks: Optional. Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you must destroy the existing key pair. Otherwise, the retrieving operation will fail.
Optional.
Figure 368 PKI entity list
Click Add on the page.
Figure 369 PKI entity configuration page
Configure the parameters, as described in Table 120. Click Apply.
Table 120 Configuration items
Item: Entity Name
Description: Enter the name for the PKI entity.
Item: Common Name
Description: Enter the common name for the entity.
Item: State
Description: Enter the state or province for the entity.
Item: Locality
Description: Enter the locality for the entity.
Item: Organization
Description: Enter the organization name for the entity.
Item: Organization Unit
Description: Enter the unit name for the entity.
Creating a PKI domain
From the navigation tree, select Authentication > Certificate Management. Click the Domain tab.
Figure 371 PKI domain configuration page
Configure the parameters, as described in Table 121. Click Apply.
Table 121 Configuration items
Item: Domain Name
Description: Enter the name for the PKI domain.
Item: CA Identifier
Description: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
Item: Requesting URL
Description: Enter the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. In offline mode, this item is optional.
Item: CRL URL
Description: Enter the URL of the CRL distribution point. The URL can be an IP address or a domain name. This item is available after you click the Enable CRL Checking box. If the URL of the CRL distribution point is not set, you should get the CA certificate and a local certificate, and then get a CRL through SCEP.
Figure 373 Key pair parameter configuration page Destroying the RSA key pair From the navigation tree, select Authentication > Certificate Management. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 374 Key pair destruction page Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
Figure 375 PKI certificate retrieval page
Configure the parameters, as described in Table 122. Click Apply.
Table 122 Configuration items
Item: Domain Name
Description: Select the PKI domain for the certificate.
Item: Certificate Type
Description: Select the type of the certificate to be retrieved, which can be CA or local.
Item: Enable Offline Mode
Description: Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email), and then import the certificate into the local PKI system.
Figure 376 Certificate information Requesting a local certificate From the navigation tree, select Authentication > Certificate Management. Click the Certificate tab. Click Request Cert.
Figure 377 Local certificate request page
Configure the parameters, as described in Table 123.
Table 123 Configuration items
Item: Domain Name
Description: Select the PKI domain for the certificate.
Item: Password
Description: Enter the password for certificate revocation.
Item: Enable Offline Mode
Description: Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
Retrieving and displaying a CRL From the navigation tree, select Authentication > Certificate Management. Click the CRL tab. Figure 379 CRL page Click Retrieve CRL to retrieve the CRL of a domain. Click View CRL for the domain to display the contents of the CRL. Figure 380 CRL information Table 124 Field description Field...
Field: Last Update
Description: Last update time.
Field: Next Update
Description: Next update time.
Field: X509v3 CRL Number
Description: CRL sequence number.
Field: X509v3 Authority Key Identifier
Description: Identifier of the CA that issued the certificate and the certificate version (X509v3).
Field: keyid
Description: Public key identifier. A CA might have multiple key pairs, and this field identifies which key pair is used for the CRL signature.
Configuring the switch Create a PKI entity: From the navigation tree, select Authentication > Certificate Management. The PKI entity list page is displayed by default. Click Add. Enter aaa as the PKI entity name, enter ac as the common name, and click Apply. Figure 382 Creating a PKI entity Create a PKI domain: Click the Domain tab.
Figure 383 Creating a PKI domain Generate an RSA key pair: Click the Certificate tab. Click Create Key. Enter 1024 as the key length, and click Apply to generate an RSA key pair. Figure 384 Generating an RSA key pair Retrieve the CA certificate: Click the Certificate tab.
Figure 385 Retrieving the CA certificate Request a local certificate: Click the Certificate tab. Click Request Cert. Select torsa as the PKI domain, select Password, and enter challenge-word as the password. Click Apply. The system displays "Certificate request has been submitted." Click OK to finish the operation.
Authentication > Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL. Configuration guidelines When you configure PKI, follow these guidelines:
• Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of ...
Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
If a user in the Auth-Fail VLAN passes MAC authentication, it is removed from the Auth-Fail VLAN and can access all authorized network resources. If not, the user is still in the Auth-Fail VLAN. A hybrid port is always assigned to an Auth-Fail VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
Figure 388 MAC authentication configuration page
Configure MAC authentication global settings as described in Table 125, and then click Apply.
Table 125 Configuration items
Item: Enable MAC Authentication
Description: Specifies whether to enable MAC authentication globally.
Item: Offline Detection Period
Description: Sets the period that the device waits for traffic from a user before it regards the user idle.
Configuring MAC authentication on a port From the navigation tree, select Authentication > MAC Authentication. In the Ports With MAC Authentication Enabled area, click Add. Figure 389 Configuring MAC authentication on a port Configure MAC authentication for a port as described in Table 126, and then click Apply.
• Configure all users to belong to the domain aabbcc.net, and specify local authentication for users in the domain.
• Use the MAC address of each user as the username and password for authentication, and require that the MAC addresses are hyphenated and in lower case.
• ...
Figure 392 Configuring the authentication method for the ISP domain Click Apply. A configuration progress dialog box appears, as shown in Figure 393. Figure 393 Configuration progress dialog box After the configuration process is complete, click Close. Configuring MAC authentication Configure MAC authentication globally: From the navigation tree, select Authentication >...
Figure 394 Configuring MAC authentication globally Configure MAC authentication for GigabitEthernet 1/0/1: In the Ports With MAC Authentication Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list, and click Apply. Figure 395 Enabling MAC authentication for port GigabitEthernet 1/0/1 ACL assignment configuration example Network requirements As shown in...
Figure 396 Network diagram (RADIUS servers: authentication 10.1.1.1, accounting 10.1.1.2; host 192.168.1.10 connected to GE1/0/1 of the switch; FTP server 10.0.0.1; Internet)
Configuring IP addresses
# Assign an IP address to each interface. Make sure the RADIUS servers, host, and switch can reach each other. (Details not shown.)
Configuring the RADIUS servers
# Add a user account with the host MAC address unhyphenated as both the username and password, and specify ACL 3000 as the authorization ACL for the user account.
Figure 397 Configuring a RADIUS authentication server Configure the primary accounting server in the RADIUS scheme: In the RADIUS Server Configuration area, click Add. Configure the primary accounting server: Select the server type Primary Accounting. − Enter the IP address 10.1.1.2, and enter the port number 1813. −...
Figure 399 RADIUS configuration Configuring AAA for the scheme Create an ISP domain: From the navigation tree, select Authentication > AAA. On the Domain Setup page, enter test in the Domain Name field and click Apply.
Figure 400 Creating an ISP domain Configure AAA authentication method for the ISP domain: Click the Authentication tab. Select the ISP domain test. Select Default AuthN, select the authentication method RADIUS, and select the authentication scheme system from the Name list. Figure 401 Configuring the authentication method for the ISP domain Click Apply.
Figure 402 Configuration progress dialog box After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: Click the Authorization tab. Select the ISP domain test. Select Default AuthZ, select the authorization mode RADIUS, and select the authorization scheme system from the Name list.
Figure 404 Configuring the accounting method for the ISP domain After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. Click the Add tab. Enter the ACL number 3000, and then click Apply. Figure 405 Adding ACL 3000 Click the Advanced Setup tab.
Select the action Deny. In the IP Address Filter area, select Destination IP Address: − Enter the destination IP address 10.0.0.1. − Enter the destination address wildcard 0.0.0.0. Click Add. Figure 406 Configuring an ACL rule Configuring MAC authentication Configure MAC authentication globally: From the navigation tree, select Authentication >...
Select Enable MAC Authentication. Click Advanced. Select the authentication ISP domain test, select the authentication information format MAC without hyphen, and click Apply. Figure 407 Configuring MAC authentication globally Configure MAC authentication for GigabitEthernet 1/0/1: In the Ports With MAC Authentication Enabled area, click Add. Select the port GigabitEthernet1/0/1, and click Apply.
Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
This automatic mechanism enhances network security and reduces human intervention. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you configure 802.1X authentication or MAC authentication rather than port security for simplicity.
• Basic mode—In this mode, a port can learn the specified number of MAC addresses and save those addresses as secure MAC addresses. It permits only frames whose source MAC addresses are secure MAC addresses or configured static MAC addresses. When the number of secure MAC addresses reaches the upper limit, no more secure MAC addresses can be added.
The maximum number of users a port supports equals the maximum number of secure MAC addresses that port security allows or the maximum number of concurrent users the authentication mode in use allows, whichever is smaller. An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.
Step: Configuring global settings for port security
Remarks: Required. This function enables port security globally and configures intrusion protection actions. By default, port security is disabled globally.
Step: Configuring advanced port security control
Remarks: Required. This function configures the advanced port security mode, intrusion protection action, or outbound restriction, and selects whether to ignore the authorization information from the RADIUS server.
Figure 410 Port security configuration
Configure global port security settings as described in Table 128. Click Apply.
Table 128 Configuration items
Item: Enable Port Security
Description: Specifies whether to enable the port security feature globally. By default, port security is disabled.
Configures intrusion protection actions globally.
The page for applying port security control appears.
Figure 412 Configuring basic port security control
Configure basic port security control settings as described in Table 129. Click Apply.
Table 129 Configuration items
Item: Port
Description: Selects a port where you want to configure port security. By default, port security is disabled on all ports, and access to the ports is not restricted.
Item: Enable Outbound Restriction
Description: Specifies whether to enable outbound traffic control, and selects a control method. Available control methods:
• Only MAC-Known Unicasts—Allows only unicast frames with their destination MAC addresses being authenticated to pass through.
• Only Broadcasts and MAC-Known Unicasts—Allows only broadcast and unicast packets with their destination MAC addresses being authenticated to pass through.
Table 130 Configuration items
Item: Port
Description: Selects a port where the secure MAC address is configured.
Item: Secure MAC Address
Description: Enters the MAC address that you want to configure as a secure MAC address.
Item: VLAN ID
Description: Enters the ID of the VLAN in which the secure MAC address is configured. The VLAN must already exist on the selected port.
Item: Enable Intrusion Protection
Description: Specifies whether to enable intrusion protection, and selects an action to be taken upon detection of illegal frames. Available actions:
• Disable Port Temporarily—Disables the port for a period of time. The period can be configured in the global settings. For more information, see "Configuring global settings for port...
Port security configuration examples Basic port security mode configuration example Network requirements As shown in Figure 418, configure port GigabitEthernet 1/0/3 of the switch as follows:
• Allow up to three users to access the port without authentication, and permit the port to learn the ...
Figure 419 Configuring port security Configuring the basic port security control In the Security Ports And Secure MAC Address List area, click Add. On the page that appears, select GigabitEthernet1/0/3. Enter 3 as the maximum number of MAC addresses. Select Enable Intrusion Protection, and select Disable Port Temporarily from the list. Click Apply.
Figure 421 Secure MAC address list When the maximum number of MAC addresses is reached, intrusion protection is triggered. Select Device > Port Management from the navigation tree, and then select the Detail tab. On the page, click the target port (GigabitEthernet 1/0/3 in this example) to view details. Figure 422 shows that the port state is inactive.
Figure 423 Displaying port state If you remove MAC addresses from the secure MAC address list, the port can continue to learn MAC addresses. Advanced port security mode configuration example Network requirements As shown in Figure 424, the switch authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
NOTE: Configurations on the host and RADIUS servers are not shown. Configuring a RADIUS scheme Create a RADIUS scheme: From the navigation tree, select Authentication > RADIUS. Click Add. On the page that appears, configure a RADIUS scheme: Enter the scheme name system. −...
Figure 426 Configuring the RADIUS accounting server

Click Apply. The RADIUS Server Configuration area displays the servers you have configured, as shown in Figure 427.

Figure 427 Configuring the RADIUS scheme

Click Apply.

Configuring AAA
Configure AAA authentication method: From the navigation tree, select Authentication > AAA. Click the Authentication tab.
Figure 428 Configuring AAA authentication

Click Apply. A dialog box appears, displaying the configuration progress, as shown in Figure 429.

Figure 429 Configuration progress dialog box

When the configuration process is complete, click Close. Configure AAA authorization method: Click the Authorization tab. Select the ISP domain system.
Figure 430 Configuring AAA authorization

When the configuration process is complete, click Close. Configure AAA accounting method: Click the Accounting tab. Select the ISP domain system. Select Default Accounting, select the accounting method RADIUS from the list, and select the accounting scheme system from the Name list.
Figure 432 Configuring global port security settings

Configure advanced port security control: In the Advanced Port Security Configuration area, click Ports Enabled With Advanced Features, and then click Add. Select GigabitEthernet1/0/1 from the Port list, and select 802.1X MAC Based Or OUI from the Security Mode list.
Figure 434 Configuring permitted OUI values

Repeat the previous three steps to add the OUI values of the MAC addresses 1234-0200-0000 and 1234-0300-0000.
Configuring port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another. The switch supports only one isolation group, which is automatically created as isolation group 1. You cannot remove the isolation group or create other isolation groups on the device.
Port isolation configuration example

Network requirements
As shown in Figure 436:
• Campus network users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 of Switch.
• Switch is connected to the external network through GigabitEthernet 1/0/1.
...
Figure 437 Assigning ports to the isolation group

Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.

Viewing information about the isolation group
Click Summary. Display port isolation group 1, which contains ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4.
Configuring authorized IP
The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device.

Configuration procedure
From the navigation tree, select Security > Authorized IP. Click Setup to enter the authorized IP configuration page.
Authorized IP configuration example

Network requirements
As shown in Figure 440, configure Switch to deny Telnet and HTTP requests from Host A, and permit Telnet and HTTP requests from Host B.

Figure 440 Network diagram

Configuration procedure
Create an ACL: From the navigation tree, select QoS > ACL IPv4. Click Create.
Click Basic Setup. The page for configuring an ACL rule appears. Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and enter 10.1.1.3, and then enter 0.0.0.0 in the Source Wildcard field. Click Add.
Figure 443 Configuring authorized IP
Configuring loopback detection
A loop occurs when a port receives a packet sent by itself. Loops might cause broadcast storms. The purpose of loopback detection is to detect loops on ports. With loopback detection enabled on an Ethernet port, the device periodically checks for loops on the port.
Figure 444 Loopback detection configuration page

Configure the global loopback detection settings as described in Table 134, and then click Apply.

Table 134 Configuration items
Enable loopback detection on the system: Sets whether to enable loopback detection globally.
Loopback Detection Interval: Sets the loopback detection interval.
Detection in VLAN: Sets whether the system performs loopback detection in all VLANs for the target trunk or hybrid port. If you select Disable, the system performs loopback detection only in the default VLAN of the target trunk or hybrid port. This configuration item is available only for a trunk or hybrid port.
Configuring ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Grayed-out options on Web configuration pages cannot be configured.

Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
Table 136 Depth-first match for ACLs
ACL category: Sequence of tie breakers
IPv4 basic ACL:
• More 0s in the source IP address wildcard (more 0s means a narrower IP address range).
• Smaller rule ID.
IPv4 advanced ACL:
• Specific protocol number.
• More 0s in the source IP address wildcard mask.
• More 0s in the destination IP address wildcard.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.
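The following Python model, added here as an illustration and not the switch's own code, puts the rule numbering step, the two match orders of Table 136 and the wildcard matching used by the authorized IP example (ACL 2001, source 10.1.1.3 with wildcard 0.0.0.0) together for a basic IPv4 ACL. The class and function names are assumptions; the "config" and "auto" order names follow the Match Order options of the Web page.

```python
"""Basic IPv4 ACL model: wildcard matching, automatic rule numbering with a
numbering step, and the config versus auto (depth-first) match orders.
Added example for the HP 1920 ACL pages, not the switch's code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class BasicRule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # source IP address, dotted decimal
    wildcard: str    # 0 bits must match, 1 bits are don't-care


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, source, wildcard):
    """True when addr equals source in every bit the wildcard leaves as 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(source) & care)


def next_rule_id(existing_ids, step=5):
    """Next automatic rule number: the smallest multiple of step above the
    highest existing ID, or 0 for an ACL without rules. With step 5 and
    rules 0, 5, 9, 10 and 12 this gives 15, as the text describes."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def depth_first_order(rules):
    """Auto match order for a basic IPv4 ACL (Table 136): more 0 bits in the
    source wildcard first (narrower range), then the smaller rule ID."""
    def key(rule):
        zero_bits = 32 - bin(to_int(rule.wildcard)).count("1")
        return (-zero_bits, rule.rule_id)
    return sorted(rules, key=key)


class BasicIPv4Acl:
    def __init__(self, number, match_order="config", step=5):
        self.number = number
        self.match_order = match_order   # "config" or "auto"
        self.step = step
        self.rules = []                  # kept in configuration order

    def add_rule(self, action, source, wildcard="0.0.0.0", rule_id=None):
        """Add a rule; an existing rule ID modifies that rule instead."""
        if rule_id is None:
            rule_id = next_rule_id([r.rule_id for r in self.rules], self.step)
        for rule in self.rules:
            if rule.rule_id == rule_id:
                rule.action, rule.source, rule.wildcard = action, source, wildcard
                return rule_id
        self.rules.append(BasicRule(rule_id, action, source, wildcard))
        return rule_id

    def ordered_rules(self):
        if self.match_order == "auto":
            return depth_first_order(self.rules)
        return list(self.rules)

    def lookup(self, addr):
        """Action of the first matching rule, or None when nothing matches
        (what happens to an unmatched client is up to the feature, such as
        authorized IP, that references the ACL)."""
        for rule in self.ordered_rules():
            if wildcard_match(addr, rule.source, rule.wildcard):
                return rule.action
        return None


def authorized_ip_acl():
    """ACL 2001 of the authorized IP example: permit only Host B, 10.1.1.3."""
    acl = BasicIPv4Acl(2001)
    acl.add_rule("permit", "10.1.1.3", "0.0.0.0")
    return acl


if __name__ == "__main__":
    acl = authorized_ip_acl()
    for host in ("10.1.1.3", "10.1.1.2"):
        print(host, acl.lookup(host))
```

The order matters when rules overlap: with a permit for 10.1.1.0 wildcard 0.0.0.255 configured before a deny for 10.1.1.3, the config order permits 10.1.1.3 while the auto order, which tries the narrower rule first, denies it.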
Step: Remarks
Configuring a rule for a basic IPv4 ACL, Configuring a rule for an advanced IPv4 ACL, or Configuring a rule for an Ethernet frame header ACL: Required. Complete one of the following tasks according to the ACL category.

Recommended IPv6 ACL configuration procedure
Step: Remarks
Optional.
Click Apply.

Table 137 Configuration items
Time Range Name: Set the name for the time range.
Start Time: Set the start time of the periodic time range.
End Time: Set the end time of the periodic time range. The end time must be greater than the start time.
You can define both a periodic
Table 138 Configuration items
ACL Number: Set the number of the IPv4 ACL.
Match Order: Set the match order of the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order that the rules are configured.
Table 139 Configuration items
Select Access Control List (ACL): Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule.
Figure 448 Configuring an advanced IPv4 ACL

Configure a rule for an advanced IPv4 ACL as described in Table 140. Click Add.

Table 140 Configuration items
Select Access Control List (ACL): Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule.
TCP Connection Established: Select this box to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list.
Operator, Source, and Destination: Select the operators and enter the source port numbers and destination port numbers as required.
Figure 449 Configuring a rule for an Ethernet frame header ACL

Configure a rule for an Ethernet frame header IPv4 ACL as described in Table 141. Click Add.

Table 141 Configuration items
Select Access Control List (ACL): Select the Ethernet frame header IPv4 ACL for which you want to configure rules.
Address Filter:
Source MAC Address and Source Mask: Select the Source MAC Address box and enter a source MAC address and a mask.
Destination MAC Address and Destination Mask: Select the Destination MAC Address box and enter a destination MAC address and a mask.
COS (802.1p priority): Specify the 802.1p priority for the rule.
Table 142 Configuration items
ACL Number: Enter a number for the IPv6 ACL.
Match Order: Select a match order for the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order the rules are configured.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule.
Figure 452 Configuring a rule for an advanced IPv6 ACL

Add a rule for an advanced IPv6 ACL as described in Table 144. Click Add.

Table 144 Configuration items
Select Access Control List (ACL): Select the advanced IPv6 ACL for which you want to configure rules.
Rule ID: Select the Rule ID box and enter a number for the rule.
Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments.
Check Logging: Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address,...
Configuring QoS
Grayed-out options on Web configuration pages cannot be configured.

Overview
Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network might provide various services.
Congestion: causes, impacts, and countermeasures
Network congestion is a major factor contributing to service quality degradation on a traditional network. Congestion is a situation where the forwarding rate decreases due to insufficient resources, resulting in extra delay.

Causes
Congestion easily occurs in complex packet switching circumstances in the Internet. Figure 453 shows two common cases:...
When packets are classified on the network boundary, the precedence bits in the ToS field of the IP packet header are generally re-set. In this way, IP precedence can be directly used to classify the packets in the network. IP precedence can also be used in queuing to prioritize traffic. The downstream network can either use the classification results from its upstream network or classify the packets again according to its own criteria.
Figure 458 SP queuing

A typical switch provides eight queues per port. As shown in Figure 458, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.
A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 25, 25, 15, 15, 5, 5, 5, and 5 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively).
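The following Python simulation, added here as an illustration and not taken from the switch, contrasts the two scheduling mechanisms described above on a port with eight queues: strict priority (SP), where a busy queue 7 keeps lower queues waiting, and weighted round robin (WRR) with the weights 25, 25, 15, 15, 5, 5, 5, 5 from the text, where each backlogged queue receives its weight as a share of the port. The function names and the packet backlogs are assumptions.

```python
"""SP and WRR scheduling of eight output queues on one port. A backlog list
gives the number of queued packets per queue, index 7 being the highest
priority. Added illustration, not code from the HP 1920 guide."""

# Weights from the text, written as w7 ... w0, then reversed so that
# WRR_WEIGHTS[q] is the weight of queue q.
WEIGHTS_W7_TO_W0 = [25, 25, 15, 15, 5, 5, 5, 5]
WRR_WEIGHTS = list(reversed(WEIGHTS_W7_TO_W0))


def sp_schedule(backlog, slots):
    """Strict priority: every transmission slot goes to the highest-priority
    queue that still has packets. Returns the queue served in each slot."""
    pending = list(backlog)
    served = []
    for _ in range(slots):
        for q in range(7, -1, -1):
            if pending[q] > 0:
                pending[q] -= 1
                served.append(q)
                break
        else:
            break              # every queue is empty
    return served


def wrr_schedule(backlog, weights, slots):
    """Weighted round robin: in each round a non-empty queue may send up to
    weights[q] packets, so a permanently backlogged queue receives
    weights[q] / sum(weights) of the port. Returns the queue per slot."""
    pending = list(backlog)
    served = []
    while len(served) < slots and any(pending):
        for q in range(7, -1, -1):
            burst = min(weights[q], pending[q], slots - len(served))
            pending[q] -= burst
            served.extend([q] * burst)
            if len(served) >= slots:
                break
    return served


def service_share(served):
    """Fraction of the transmission slots each queue received."""
    total = len(served) or 1
    return {q: served.count(q) / total for q in range(8)}


if __name__ == "__main__":
    # Constructed backlog: queue 7 has 10 packets, queue 0 has 5.
    backlog = [5, 0, 0, 0, 0, 0, 0, 10]
    print("SP :", sp_schedule(backlog, 12))
    print("WRR:", service_share(wrr_schedule([100] * 8, WRR_WEIGHTS, 100)))
```

With every queue saturated, WRR gives queue 7 a quarter of the slots and queue 0 a twentieth, while SP serves nothing from queue 0 until queue 7 is empty, which is the starvation risk the text's WRR weights are meant to avoid.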
specification, and the traffic is called "conforming traffic." Otherwise, the traffic does not conform to the specification, and the traffic is called "excess traffic." A token bucket has the following configurable parameters:
• Mean rate—Rate at which tokens are put into the bucket, or the permitted average rate of traffic. It is usually set to the committed information rate (CIR).
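As an added illustration (not code from the switch or the guide), the following Python token bucket shows the conforming/excess decision described above and how CAR acts on it with a CIR and a CBS: tokens accrue at the mean rate, the bucket never holds more than the burst size, and a packet that finds fewer tokens than its size is excess traffic. The trace of packet arrivals, the 64 kbps / 2000 byte parameters and the drop action for excess packets are constructed for the example.

```python
"""Single token bucket as used by CAR: tokens arrive at the CIR, the bucket
holds at most CBS bytes, a packet that finds enough tokens is conforming,
otherwise it is excess. Added illustration, not code from the HP 1920 guide."""


class TokenBucket:
    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8.0   # token fill rate in bytes per second
        self.capacity = cbs_bytes            # committed burst size
        self.tokens = float(cbs_bytes)       # bucket starts full
        self.last = 0.0                      # time of the last update, seconds

    def classify(self, size, now):
        """Mark one packet of size bytes arriving at time now (seconds)."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        # Add tokens for the elapsed time, never beyond the burst size.
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if size <= self.tokens:
            self.tokens -= size
            return "conforming"
        return "excess"


def police(trace, cir_kbps, cbs_bytes, exceed_action="drop"):
    """Run a (time, size) trace through CAR and return one verdict per packet:
    'forward' for conforming traffic, else the configured exceed action."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    verdicts = []
    for when, size in trace:
        mark = bucket.classify(size, when)
        verdicts.append("forward" if mark == "conforming" else exceed_action)
    return verdicts


# Constructed trace: two back-to-back 1500-byte packets at t=0, then one at
# t=0.5 s and one at t=0.6 s.
SAMPLE_TRACE = [(0.0, 1500), (0.0, 1500), (0.5, 1500), (0.6, 1500)]

if __name__ == "__main__":
    # 64 kbps is 8000 bytes per second; a 2000-byte bucket absorbs one packet
    # of the burst and refills 800 bytes per 0.1 s.
    print(police(SAMPLE_TRACE, cir_kbps=64, cbs_bytes=2000))
```

Raising the CBS to 4000 bytes lets the same trace pass in full, which is the usual trade-off: the burst size decides how much above the CIR a short burst may go before the exceed action applies.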
• For more information about 802.1p priority and DSCP values, see "Packet precedences."
• Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to an output queue. Packets with the highest local precedence are processed preferentially.
Table 149 Default DSCP to Queue mapping table
Input DSCP value / Local precedence (Queue)
0 to 7
8 to 15
16 to 23
24 to 31
32 to 39
40 to 47
48 to 55
56 to 63

Configuration guidelines
When an ACL is referenced by a QoS policy for traffic classification, the action (permit or deny) in the ACL is ignored, and the actions in the associated traffic behavior are performed.
Table 150 Recommended QoS policy configuration procedure
Step: Remarks
Adding a class: Required. Add a class and specify the logical relationship between the match criteria in the class.
Configuring classification rules: Required. Configure match criteria for the class.
Adding a traffic behavior: Required. Add a traffic behavior.
Recommended priority trust mode configuration procedure
Step: Remarks
Configuring priority trust mode on a port: Required. Set the priority trust mode of a port.

Adding a class
Select QoS > Classifier from the navigation tree. Click the Add tab to enter the page for adding a class.

Figure 463 Adding a class

Add a class as described in Table...
Configuring classification rules
Select QoS > Classifier from the navigation tree. Click Setup to enter the page for setting a class.

Figure 464 Configuring classification rules

Configure classification rules for a class as described in Table 152. Click Apply.
Table 152 Configuration items
VLAN, Customer VLAN: Define a rule to match customer VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure only one VLAN ID at a time. Otherwise, the relevant QoS policy fails to be applied.
Configuring traffic mirroring and traffic redirecting for a traffic behavior
Select QoS > Behavior from the navigation tree. Click Port Setup to enter the port setup page for a traffic behavior.

Figure 466 Port setup page for a traffic behavior

Configure traffic mirroring and traffic redirecting as described in Table 154.
Figure 467 Setting a traffic behavior

Configure other actions for a traffic behavior as described in Table 155. Click Apply.

Table 155 Configuration items
Please select a behavior: Select an existing behavior in the list.
Enable/Disable: Enable or disable CAR.
CIR: Set the committed information rate (CIR), the average traffic rate.
CBS: Set the committed burst size (CBS), the number of bytes that can be sent in each interval.
This function is not supported in the current software version, and it is reserved for future support.
Set the action to perform for exceeding packets.
Table 156 Configuration items
Policy Name: Specify a name for the policy to be added. Some devices have their own system-defined policies. The policy name you specify cannot overlap with system-defined ones. The system-defined policy is the policy default.

Configuring classifier-behavior associations for the policy
Select QoS >...
Figure 470 Applying a policy to a port

Apply a policy to a port as described in Table 158. Click Apply.

Table 158 Configuration items
Please select a policy: Select an existing policy in the list.
Set the direction in which the policy is to be applied.
•...
Table 159 Configuration items
Enable or disable the WRR queue scheduling mechanism on selected ports. The following options are available:
• Enable—Enables WRR on selected ports.
• Not Set—Restores the default queuing algorithm on selected ports.
Queue: Select the queue to be configured. The value range for a queue ID is 0 to 7.
Rate Limit: Enable or disable rate limit on the specified port.
Direction: Select a direction in which the rate limit is to be applied.
• Inbound—Limits the rate of packets received on the specified port.
• Outbound—Limits the rate of packets sent by the specified port.
•...
Configuring priority trust mode on a port
Select QoS > Port Priority from the navigation tree.

Figure 474 Configuring port priorities

Click the icon for a port.

Figure 475 Modifying the port priority

Configure the port priority for a port as described in Table 162.
ACL and QoS configuration example

Network requirements
As shown in Figure 476, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day:
• Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
Figure 477 Defining a time range covering 8:00 to 18:00 every day

Add an advanced IPv4 ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Add tab. Enter the ACL number 3000. Click Apply.

Figure 478 Adding an advanced IPv4 ACL

Define an ACL rule for traffic to the FTP server: Click the Advanced Setup tab.
Select the Rule ID box, and enter rule ID 2. Select Permit in the Action list. Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0. Select test-time in the Time Range list. Click Add.

Figure 479 Defining an ACL rule for traffic to the FTP server

Add a class: Select QoS >...
Enter the class name class1. Click Add.

Figure 480 Adding a class

Define classification rules: Click the Setup tab. Select the class name class1 in the list. Select the ACL IPv4 box, and select ACL 3000 in the following list.
Figure 481 Defining classification rules

Click Apply. A progress dialog box appears, as shown in Figure 482. Click Close on the progress dialog box when it prompts that the configuration succeeds.
Figure 482 Configuration progress dialog box

Add a traffic behavior: Select QoS > Behavior from the navigation tree. Click the Add tab. Enter the behavior name behavior1. Click Add.

Figure 483 Adding a traffic behavior

Configure actions for the traffic behavior: Click the Setup tab.
Figure 484 Configuring actions for the behavior

Add a policy: Select QoS > QoS Policy from the navigation tree. Click the Add tab. Enter the policy name policy1. Click Add.

Figure 485 Adding a policy

Configure classifier-behavior associations for the policy:
Click the Setup tab. Select policy1. Select class1 from the Classifier Name list. Select behavior1 from the Behavior Name list. Click Apply.

Figure 486 Configuring classifier-behavior associations for the policy

Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1: Select QoS >...
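The following Python walk-through, added here as an illustration and not taken from the switch, carries the whole ACL and QoS example through end to end: the periodic time range test-time (8:00 to 18:00), advanced ACL 3000 with rule 2 matching traffic to 10.1.1.1, class1 bound to the ACL, behavior1, policy1 and its inbound application on GigabitEthernet 1/0/1. It also shows the guideline that an ACL referenced by a QoS policy contributes only its match, not its permit action. Two assumptions are labelled in the code: behavior1 filters with Deny (the requirement implies it, but the figure is not reproduced on the page), and the periodic range includes its start minute and excludes its end minute. The packet samples and helper names are constructed.

```python
"""End-to-end model of the ACL 3000 / class1 / behavior1 / policy1 example.
Added illustration, not code from the HP 1920 guide. Assumed: behavior1's
filter action is Deny; a periodic time range covers start <= t < end."""
import ipaddress
from datetime import datetime, time


def wildcard_match(addr, ref, wildcard):
    """True when addr equals ref in every bit the wildcard leaves as 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(ref)) & care)


# Periodic time ranges, applied every day: name -> (start, end).
TIME_RANGES = {"test-time": (time(8, 0), time(18, 0))}


def time_range_active(name, when):
    """A rule without a time range is always active."""
    if name is None:
        return True
    start, end = TIME_RANGES[name]
    return start <= when.time() < end          # assumed boundary handling


# Advanced IPv4 ACL 3000, rule 2: permit traffic to 10.1.1.1 during test-time.
ACLS = {
    3000: [{"rule_id": 2, "action": "permit", "dst": "10.1.1.1",
            "dst_wildcard": "0.0.0.0", "time_range": "test-time"}],
}


def acl_classifies(acl_number, pkt, when):
    """True when an active rule matches. The rule's own permit/deny is
    deliberately not consulted: when a QoS policy references an ACL, only
    the associated traffic behavior's actions are performed."""
    for rule in ACLS[acl_number]:
        if time_range_active(rule["time_range"], when) and \
           wildcard_match(pkt["dst"], rule["dst"], rule["dst_wildcard"]):
            return True
    return False


CLASSIFIERS = {"class1": {"acl_ipv4": 3000}}
BEHAVIORS = {"behavior1": {"filter": "deny"}}          # assumed action
POLICIES = {"policy1": [("class1", "behavior1")]}
PORT_POLICIES = {("GigabitEthernet1/0/1", "inbound"): "policy1"}


def forward_decision(port, direction, pkt, when):
    """'drop' or 'forward' for a packet seen on port in the given direction."""
    policy = PORT_POLICIES.get((port, direction))
    if policy is None:
        return "forward"                      # no policy on this port/direction
    for class_name, behavior_name in POLICIES[policy]:
        acl_number = CLASSIFIERS[class_name]["acl_ipv4"]
        if acl_classifies(acl_number, pkt, when):
            if BEHAVIORS[behavior_name].get("filter") == "deny":
                return "drop"
            return "forward"
    return "forward"


def decision_at(port, direction, pkt, hour, minute=0):
    """Evaluate the policy at a clock time; the date does not matter for a
    periodic range, the document's release date is used here."""
    return forward_decision(port, direction, pkt, datetime(2014, 6, 20, hour, minute))


# Constructed sample packet from a client to the FTP server.
SAMPLE_FTP_PACKET = {"src": "10.1.1.20", "dst": "10.1.1.1"}

if __name__ == "__main__":
    for hour in (7, 10, 18):
        print(hour, decision_at("GigabitEthernet1/0/1", "inbound", SAMPLE_FTP_PACKET, hour))
```

The same packet is forwarded outside the time range, on a port without the policy, and in the outbound direction, which is why the example applies policy1 inbound on the client-facing interface only.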
(Midspan). A built-in PSE is integrated into a switch or router, and an external PSE is independent of a switch or router. The HP PSEs are built-in. Only one PSE is available on the device, so the entire device is considered as a PSE.
Configuring PoE
Before configuring PoE, make sure the PoE power supply and PSE are operating correctly. Otherwise, either you cannot configure PoE or the PoE configuration does not take effect.

Configuring PoE ports
Select PoE > PoE from the navigation tree. Click the Port Setup tab.
Power Max: Set the maximum power for the PoE port. The maximum PoE interface power is the maximum power that the PoE interface can provide to the connected PD. If the PD requires more power than the maximum PoE interface power, the PoE interface does not supply power to the PD.
Figure 490 PSE Setup tab

Enabling the non-standard PD detection function for a PSE
Select Enable in the corresponding Non-Standard PD Compatibility column. Click Apply.

Disabling the non-standard PD detection function for a PSE
Select Disable in the corresponding Non-Standard PD Compatibility column. Click Apply.
PoE configuration example

Network requirements
As shown in Figure 492, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are connected to IP telephones. GigabitEthernet 1/0/11 is connected to an AP whose maximum power does not exceed 9000 milliwatts. The IP telephones have a higher power supply priority than the AP, so the PSE supplies power to the IP telephones first if the PSE power is overloaded.
Figure 493 Configuring the PoE ports supplying power to the IP telephones

Enable PoE on GigabitEthernet 1/0/11 and set the maximum power of the port to 9000 milliwatts: Click the Setup tab. On the tab, click to select port GigabitEthernet 1/0/11 from the chassis front panel, select Enable from the Power State list, select the box before Power Max, and enter 9000.
Related information

Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
•...
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Index Numerics RADIUS Message-Authentication attribute, timers, 802.1X using authentication with other features, access control methods, VLAN assignment, ACL assignment, 802.x architecture, 802.1 LLDPDU TLV types, authentication, 802.3 LLDPDU TLV types, authentication (access device initiated), QoS packet 802.1p priority, authentication (client initiated), authentication configuration, authentication initiation, Auth-Fail VLAN,...
match order, QoS policy to port, packet fragment filtering, architecture rule numbering step, security 802.1X, security MAC authentication, 41 1 time range configuration, attack protection. See ARP attack protection time-based ACL rules, configuration, adding dynamic table entry, IPv4 ACL, entry configuration, IPv6 ACL, entry display, NMM local port mirroring local group,...
port security advanced mode AAA ISP domain authorization methods configuration, configuration, port security authentication modes, security 802.1X port authorization status, port security basic control configuration, auto port security basic mode configuration, DHCP automatic address allocation, port security configuration, 421, 423, automatic port security configuration (global), ACL automatic rule numbering, 451,...
choosing ACL, Ethernet link aggregation selected state, QoS, Ethernet link aggregation unselected state, configuration wizard CIST basic service setup, calculation, configuring network device connection, 802.1X ACL assignment, class (Ethernet link aggregation port 802.1X Auth-Fail VLAN, configuration), 802.1X guest VLAN, class-two AAA, 352, Ethernet link aggregation MAC address AAA accounting methods for ISP domain,...
IGMP snooping port function, port security basic control, IP routing (IPv4), port security basic mode, IP routing (IPv6), port security permitted OUIs, IP services ARP entry, port-based VLAN, isolation group, priority mapping table, LLDP, 217, priority trust mode, LLDP (globally), PVID, local user, QoS,...
system time (by using NTP), 57, configuring MAC authentication (port-specific), system time (manually), DHCP overview, user group, DHCP relay agent configuration, VCT, idle timeout period configuration, VLAN interface, LLDP configuration, 217, Web device configuration management, MAC authentication timers, Web device user management, NMM local port mirroring configuration, Web interface, NMM local port mirroring group monitor port,...
Web stack configuration, snooping configuration, 306, 308, 31 1 Web user level, snooping Option 82 support, Web-based NM functions, snooping trusted port, 306, device information snooping untrusted port, 306, displaying device information, 47, diagnostic device management tools, device reboot, direction diagnostic information, NMM port mirroring (bidirectional), electronic label,...
Web device file, IPv6 multicast MLD snooping (in a VLAN), DSCP LLDP on ports, QoS packet IP precedence and DSCP PSE detect nonstandard PDs, values, SNMP agent, 1 13 dst-mac validity check (ARP), encapsulating dynamic LLDP frame encapsulated in Ethernet II, ARP table entry, LLDP frame encapsulated in SNAP format, DHCP address allocation,...
group configuration, security 802.1X EAPOL packet format, group creation, security 802.1X packet, LACP, forwarding LACP priority, 21 1 ACL configuration, LACP-enabled port, 21 1 ACL configuration (advanced), 456, member port state, ACL configuration (basic), 455, modes, ACL configuration (Ethernet frame header), operational key, ACL configuration (IPv4), port configuration class,...
NMM local port mirroring group monitor enabling IGMP snooping (globally), port, enabling IGMP snooping (in a VLAN), NMM local port mirroring group port, general query, NMM local port mirroring group source how it works, port, leave message, NMM port mirroring group, membership report, NMM RMON, protocols and standards,...
Ethernet link aggregation group creation, enable (on ports), Ethernet link dynamic aggregation group how it works, configuration, LLDP frame format, Ethernet link static aggregation group LLDP frame reception, configuration, LLDP frame transmission, LLDP configuration, LLDPDU management address TLV, loopback detection configuration, 447, LLDPDU TLV types, loopback test configuration, 89, LLDPDU TLVs,...
MSTP configuration, 177, 190, MAC addressing loopback detection port security secure MAC address configuration, configuration, 447, MAC authentication configuration (global), ACL assignment, 405, 41 1 configuration (port-specific), Auth-Fail VLAN, loopback test configuration, 404, 406, configuration, 89, configuration (global), guidelines, configuration (port-specific), local authentication, 404, PoE interface power management, port security advanced control configuration,...
displaying IGMP snooping multicast forwarding Ethernet link aggregation LACP-enabled port, 21 1 entries, Ethernet link aggregation modes, enabling IGMP snooping (globally), Ethernet link aggregation operational key, enabling IGMP snooping (in a VLAN), Ethernet link aggregation static mode, IGMP snooping configuration, gratuitous ARP packet, IGMP snooping port function configuration, gratuitous ARP packet learning,...
Web device file upload, PoE power, Web device local user adding, port isolation configuration, Web device main boot file specifying, port management, 69, Web device privilege level switching, port security advanced control configuration, Web device super password setting, port security advanced mode configuration, Web interface, port security basic control configuration, Web interface HTTP login,...
Web service management, 314, Option 53 (DHCP);Option 053 (DHCP), Web stack configuration, 39, Option 55 (DHCP);Option 055 (DHCP), Web user level, Option 6 (DHCP);Option 006 (DHCP), Web-based NM functions, Option 60 (DHCP);Option 060 (DHCP), Option 66 (DHCP);Option 066 (DHCP), local port mirroring configuration, Option 67 (DHCP);Option 067 (DHCP), local port mirroring group, Option 82 (DHCP);Option 082 (DHCP)
ping Ethernet link aggregation static mode, address reachability determination, 317, Ethernet link dynamic aggregation group configuration, system maintenance, Ethernet link static aggregation group configuration, configuration, 497, 501, IGMP snooping configuration, detect nonstandard PDs enable, IGMP snooping member port, displaying, IGMP snooping port function configuration, interface power management configure, IGMP snooping related ports, maximum PoE interface power configure,...
security MAC authentication configuration (global), configuration, 404, 406, configuration guidelines, security MAC local authentication features, configuration, intrusion protection feature, specified operation parameter for all ports, outbound restriction, STP designated port, permitted OUIs configuration, STP root port, secure MAC address configuration, VLAN port link type, trap feature, port isolation...
configuring AAA authentication methods for ISP configuring MAC authentication (global), domain, configuring MAC authentication configuring AAA authorization methods for ISP (port-specific), domain, configuring MAC-based 802.1X, configuring AAA ISP domain, configuring management IP address, configuring ACL, configuring maximum PoE interface power, configuring ACL (Ethernet frame header), configuring MLD snooping, configuring advanced ACLs, 456,...
configuring QoS traffic redirecting, creating VLAN interface, configuring queue scheduling, displaying active route table (IPv4), configuring queue scheduling on displaying active route table (IPv6), port, 485, displaying all operation parameters for a port, configuring RADIUS common parameters, displaying basic system information, configuring RADIUS scheme, displaying client's IP-to-MAC bindings, 302, configuring rate limit,...
enabling PSE detect nonstandard PDs, SNMP versions, 1 12 enabling SNMP agent, 1 13 STP protocol packets, entering configuration wizard homepage, finishing configuration wizard, detect nonstandard PDs, identifying node failure with traceroute, PVID logging in to member device from master, configuration, logging in to Web interface through HTTP, PVID (port-based VLAN),...
AAA implementation, 363, removing assigning MAC authentication ACL IP services ARP entry, assignment, Web device file, assigning MAC authentication VLAN reporting assignment, IGMP snooping membership, client/server model, MLD snooping membership, common parameter configuration, resetting configuration, 363, Web device configuration, configuration guidelines, restoring extended attributes, Web device configuration,...
buffer capacity and refresh interval, configuring DHCP snooping functions on interface, configuration environment, DHCP snooping Option 82 support, LACP priority, 21 1 sorting LLDP parameters for a single port, ACL auto match order sort, LLDP parameters for ports in batch, ACL config match order sort, log host, source...
algorithm calculation, syslog basic concepts, configuration, BPDU forwarding, display, CIST, setting buffer capacity and refresh interval, CST, setting log host, designated bridge, system administration designated port, basic device settings configuration, IST, CLI configuration, loop detection, configuration wizard, MST common root bridge, device idle timeout period configuration, MST port roles, device system name configuration,...
configuring system time (manually), IP address retrieval, 317, displaying current system time, node failure detection, 317, system maintenance, traffic table ACL configuration, active route table (IPv4), ACL configuration (Ethernet frame header), active route table (IPv6), NMM RMON configuration, ARP static entry creation, QoS policy configuration, IP routing, QoS priority map table,...
user level MLD snooping configuration, Web user level, MLD snooping port function configuration, user management modification, AAA management by ISP domains, MSTP VLAN-to-instance mapping table, NMM local port mirroring group monitor port, NMM local port mirroring group port, validity check NMM local port mirroring group source port, security ARP packet, NMM port mirroring configuration,...
device file management, device file removing, device file upload, device idle timeout period configuration, device local user adding, device main boot file specifying, device management, device privilege level switching, device reboot, device software upgrade, device stack configuration, 39, device super password setting, device system name configuration, device user management, displaying interface statistics,...