3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time
without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item”
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered
in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a
registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
CONTENTS
ABOUT THIS GUIDE
Conventions9
Related Documentation9
Products Supported by this Document10
1LOGIN CONFIGURATION GUIDE
Logging In from the Console Port13
Logging In Through Telnet15
Configuring Login Access Control18
Configuring Port Security autolearn Mode47
Configuring Port Security mac-authentication Mode48
Configuring Port Security userlogin-withoui Mode51
Configuring Port Security mac-else-userlogin-secure-ext Mode55
Configuring the Switch to Act as the SSH Server and Use Password
Authentication279
Configuring the Switch to Act as the SSH Server and Use RSA Authentication283
Configuring the Switch to Act as the SSH Client and Use Password
Authentication290
Configuring the Switch to Act as the SSH Client and Use RSA Authentication292
Configuring the Switch to Act as the SSH Client and Not to Support First-Time
Authentication295
Configuring SFTP300
33FTP AND TFTP CONFIGURATION GUIDE
Configuring a Switch as FTP Server305
Contents7
Configuring a Switch as FTP Client307
Configuring a Switch as TFTP Client309
34INFORMATION CENTER CONFIGURATION GUIDE
Outputting Log Information to a Unix Log Host311
Outputting Log Information to a Linux Log Host313
Outputting Log and Trap Information to a Log Host Through the Same Channel314
Outputting Log Information to the Console317
Displaying the Time Stamp with the UTC Time Zone318
Use of the Facility Argument in Log Information Output319
Provides advanced configuration examples for the 3Com stackable switches,
which includes the following:
■ 3Com Switch 5500
■ 3Com Switch 5500G
■ 3Com Switch 4500
■ 3Com Switch 4200G
■ 3Com Switch 4210
This guide is intended for Qualified Service personnel who are responsible for
configuring, using, and managing the switches. It assumes a working knowledge
of local area network (LAN) operations and familiarity with communication
protocols that are used to interconnect LANs.
n
Always download the Release Notes for your product from the 3Com World Wide
Web site and check for the latest updates to software and product
documentation:
http://www.3com.com
ConventionsTable 1 lists icon conventions that are used throughout this guide.
Tab l e 1 Notice Icons
IconNotice TypeDescription
Information noteInformation that describes important features or
Related
Documentation
n
CautionInformation that alerts you to potential loss of data
c
WarningInformation that alerts you to potential personal
w
The following manuals offer additional information necessary for managing your
Stackable Switch. Consult the documents that apply to the switch model that you
are using.
instructions.
or potential damage to an application, system, or
device.
injury.
■ 3Com Switch Family Command Reference Guides — Provide detailed
descriptions of command line interface (CLI) commands, that you require to
manage your Stackable Switch.
10ABOUT THIS GUIDE
■ 3Com Switch Family ConfigurationGuides— Describe how to configure your
Stackable Switch using the supported protocols and CLI commands.
■ 3Com Switch Family Quick Reference Guides — Provide a summary of
command line interface (CLI) commands that are required for you to manage
your Stackable Switch .
■ 3Com Stackable Switch Family Release Notes — Contain the latest information
about your product. If information in this guide differs from information in the
release notes, use the information in the Release Notes.
These documents are available in Adobe Acrobat Reader Portable Document
Format (PDF) on the 3Com World Wide Web site:
Unless otherwise specified, all the switches used in the following configuration
examples and configuration procedures are Switch 5500 (release V03.02.04).
You can log in locally from the console port to configure and maintain your switch,
including configuring other login modes. The default login mode on the Switch
5500 is local console login.
Figure 1 Logging in from the console port to configure Telnet login
As shown in Figure 1, use a console cable to connect the serial port of your
PC/terminal to the console port of the switch. Log into the switch from the AUX
user interface on the console port to configure Telnet login. The current user level
is manage level (level 3).
Product series Software version Hardware version
Switch 5500 Release V03.02.04 All versions
Switch 5500GRelease V03.02.04 All versions
Switch 4500Release V03.03.00 All versions
Switch 4210 Release V03.01.00 All versions
Configuration Procedure
■ Configure common attributes for Telnet login
# Set the level of commands accessible to the VTY 0 user to 2.
[3Com] user-interface vty 0
[3Com-ui-vty0] user privilege level 2
# Enable the Telnet service on VTY 0.
[3Com-ui-vty0] protocol inbound telnet
# Set the number of lines that can be viewed on the screen of the VTY 0 user to
30.
[3Com-ui-vty0] screen-length 30
14CHAPTER 1: LOGIN CONFIGURATION GUIDE
# Set the history command buffer size to 20 for VTY 0.
[3Com-ui-vty0] history-command max-size 20
# Set the idle-timeout time of VTY 0 to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
■ Configure an authentication mode for Telnet login
The following three authentication modes are available for Telnet login: none,
password, and scheme.
The configuration procedures for the three authentication modes are described
below:
1 Configure not to authenticate Telnet users on VTY 0.
You can telnet to your switch to manage and maintain it remotely.
16CHAPTER 1: LOGIN CONFIGURATION GUIDE
Network DiagramFigure 2 Telneting to the switch to configure console login
Ethernet
User PC running Telnet
Ethernet1/0/ 1
Networking and
Configuration
Requirements
Applicable Products
Configuration Procedure
As shown in Figure 2, telnet to the switch to configure console login. The current
user level is manage level (level 3).
Product series Software version Hardware version
Switch 5500 Release V03.02.04 All versions
Switch 5500GRelease V03.02.04 All versions
Switch 4500Release V03.03.00 All versions
Switch 4210 Release V03.01.00 All versions
■ Common configuration for console login
# Specify the level of commands accessible to the AUX 0 user interface to 2.
[3Com] user-interface aux 0
[3Com-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19200 bps.
[3Com-ui-aux0] speed 19200
# Set the number of lines that can be viewed on the screen of the AUX 0 user to
30.
[3Com-ui-aux0] screen-length 30
# Set the history command buffer size to 20 for AUX 0.
[3Com-ui-aux0] history-command max-size 20
# Set the idle-timeout time of AUX 0 to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
■ Configure the authentication mode for console login
Logging In Through Telnet17
The following three authentication modes are available for console login: none,
password, and scheme. The configuration procedures for the three authentication
modes are described below:
1 Configure not to authenticate console login users.
[3Com] user-interface aux 0
[3Com-ui-aux0] authentication-mode none
2 Configure password authentication for console login, and set the password to
123456 in plain text.
[3Com] user-interface aux 0
[3Com-ui-aux0] authentication-mode password
[3Com-ui-aux0] set authentication password simple 123456
3 Configure local authentication in scheme mode for console login.
# Create a local user named guest and enter local user view.
[3Com] local-user guest
# Set the authentication password to 123456 in plain text.
[3Com-luser-guest] password simple 123456
# Set the service type to Terminal and the user level to 2 for the user guest.
■ Configuration for SNMP login control by source IP address
#
acl number 2000
rule 1 permit source 10.110.100.52 0
rule 2 permit source 10.110.100.46 0
rule 3 deny
#
snmp-agent community read aaa acl 2000
snmp-agent group v2c groupa acl 2000
snmp-agent usm-user v2c usera groupa acl 2000
■ Configuration for WEB login control by source IP address
#
ip http acl 2000
#
acl number 2000
rule 1 permit source 10.110.100.52 0
rule 2 permit source 10.110.100.46 0
rule 3 deny
PrecautionsNone
20CHAPTER 1: LOGIN CONFIGURATION GUIDE
2
Server
Eth1/0/12Eth1/0/11
Et h1/0 /10
Eth1/0/1Eth1/0/2
Et h1/0 /3
ServerHost
Host
VLAN CONFIGURATION GUIDE
Configuring
Port-Based VLAN
Network Diagram
Networking and
Configuration
Requirements
The VLAN technology allows you to divide a broadcast LAN into multiple distinct
broadcast domains, each as a virtual workgroup. Port-based VLAN is the simplest
approach to VLAN implementation. The idea is to assign the ports on a switch to
different VLANs, confining the propagation of the packets received on a port
within the particular VLAN. Thus, separation of broadcast domains and division of
virtual groups are achieved.
Figure 4 Network diagram for port-based VLAN configuration
Switch A and Switch B are connected each to a server and workstation. To
guarantee data security for the servers, you need to isolate the servers from the
workstations by creating VLANs. Allow the devices within a VLAN to communicate
with each other but not directly with the devices in another VLAN.
Applicable Products
Configuration Procedure# Create VLAN 101 on Switch A and add Ethernet 1/0/1 to VLAN 101.
Product series Software version Hardware version
Switch 5500Release V03.02.04 All versions
Switch 5500GRelease V03.02.04 All versions
Switch 4500Release V03.03.00 All versions
Switch 4210 Release V03.01.00 All versions
[SwitchA] vlan 101
[SwitchA-vlan101] port Ethernet 1/0/1
# Create VLAN 201 on Switch A and add Ethernet 1/0/2 to VLAN 201.
22CHAPTER 2: VLAN CONFIGURATION GUIDE
[SwitchA-vlan101] quit
[SwitchA] vlan 201
[SwitchA-vlan201] port Ethernet 1/0/2
# Configure Ethernet 1/0/3 of Switch A to be a trunk port and to permit the
packets carrying the tag of VLAN 101 or VLAN 201 to pass through.
[SwitchA-vlan201] quit
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] port link-type trunk
[SwitchA-Ethernet1/0/3] port trunk permit vlan 101 201
# Create VLAN 101 on Switch B, and add Ethernet 1/0/11 to VLAN 101.
[SwitchB] vlan 101
[SwitchB-vlan101] port Ethernet 1/0/11
# Create VLAN 201 on Switch B, and add Ethernet 1/0/12 to VLAN 201.
[SwitchB-vlan101] quit
[SwitchB] vlan 201
[SwitchB-vlan201] port Ethernet 1/0/12
# Configure Ethernet 1/0/10 of Switch B to be a trunk port and to permit the
packets carrying the tag of VLAN 101 or VLAN 201 to pass through.
[SwitchB-vlan201] quit
[SwitchB] interface Ethernet 1/0/10
[SwitchB-Ethernet1/0/10] port link-type trunk
[SwitchB-Ethernet1/0/10] port trunk permit vlan 101 201
Complete Configuration■ Configuration on Switch A
#
vlan 101
#
vlan 201
#
interface Ethernet1/0/1
port access vlan 101
#
interface Ethernet1/0/2
port access vlan 201
#
interface Ethernet1/0/3
port link-type trunk
port trunk permit vlan 1 101 201
■ Configuration on Switch B
#
vlan 101
#
vlan 201
#
interface Ethernet1/0/10
port link-type trunk
port trunk permit vlan 1 101 201
Configuring Protocol-Based VLAN23
IP Host
Eth 1/0/10
Et h1/0 /11Et h1/0 /12
Workroom
AppleTalk Host
IP ServerAppleTalk Server
#
interface Ethernet1/0/11
port access vlan 101
#
interface Ethernet1/0/12
port access vlan 201
Precautions■ After you assign the servers and the workstations to different VLANs, they
cannot communicate with each other. For them to communicate, you need to
configure a Layer 3 VLAN interface for each of them on the switches.
■ After you telnet to an Ethernet port on a switch to make configuration, do not
remove the port from its current VLAN. Otherwise, your Telnet connection will
be disconnected.
Configuring
Protocol-Based VLAN
Network Diagram
Protocol-based VLAN, or protocol VLAN, is another approach to VLAN
implementation other than port-based VLAN. With protocol VLAN, the switch
compares each packet received without a VLAN tag against the protocol templates
based on the encapsulation format and the specified field. If a match is found, the
switch tags the packet with the corresponding VLAN ID. Thus, the switch can
assign packets to a VLAN by protocol.
Figure 5 Network diagram for protocol-based VLAN configuration
Networking and
Configuration
Requirements
Applicable Products
Configure the switch to automatically assign IP packets and Appletalk packets of
the workroom to different VLANs, ensuring that the workstations can
communicate with their respective servers properly.
Product series Software version Hardware version
Switch 5500Release V03.02.04 All versions
Switch 5500GRelease V03.02.04 All versions
Switch 4500Release V03.03.00 All versions
24CHAPTER 2: VLAN CONFIGURATION GUIDE
Configuration Procedure# Create VLAN 100 and VLAN 200; add Ethernet 1/0/11 to VLAN 100 and
Ethernet 1/0/12 to VLAN 200.
1 Create VLAN 100 and add Ethernet1/0/11 to VLAN 100.
[3Com] vlan 100
[3Com-vlan100] port Ethernet 1/0/11
2 Create VLAN 200 and add Ethernet 1/0/12 to VLAN 200.
[3Com-vlan100] quit
[3Com] vlan 200
[3Com-vlan200] port Ethernet 1/0/12
# Configure protocol templates and bind them to ports.
3 Create a protocol template for VLAN 200 to carry Appletalk and a protocol
template for VLAN 100 to carry IP.
[3Com-vlan200] protocol-vlan at
[3Com-vlan200] quit
[3Com] vlan 100
[3Com-vlan100] protocol-vlan ip
4 Create a user-defined protocol template for VLAN 100 to carry ARP for IP
communication, assuming that Ethernet_II encapsulation is used.
5 Configure Ethernet 1/0/10 to be a hybrid port and to remove the outer VLAN tag
6 Bind Ethernet 1/0/10 to protocol template 0 and protocol template 1 of VLAN
n
Complete Configuration#
when forwarding packets of VLAN 100 and VLAN 200.
[3Com-vlan100] quit
[3Com] interface Ethernet 1/0/10
[3Com-Ethernet1/0/10] port link-type hybrid
[3Com-Ethernet1/0/10] port hybrid vlan 100 200 untagged
100, and protocol template 0 of VLAN 200.
When configuring a protocol template, you can assign a number to the template.
If you fail to do that, the system automatically assigns the lowest available number
to the template. Thus, in this configuration example, the two protocol templates
for VLAN 100 are automatically numbered 0 and 1, and the protocol template for
VLAN 200 is numbered 0.
[3Com-Ethernet1/0/10] port hybrid protocol-vlan vlan 100 0 to 1
[3Com-Ethernet1/0/10] port hybrid protocol-vlan vlan 200 0
port hybrid protocol-vlan vlan 200 0
#
interface Ethernet1/0/11
port access vlan 100
#
interface Ethernet1/0/12
port access vlan 200
PrecautionsBecause IP depends on ARP for address resolution in Ethernet, you are
recommended to configure the IP and ARP templates in the same VLAN and
associate them with the same port to prevent communication failure.
Up to five protocol templates can be bound to a port.
26CHAPTER 2: VLAN CONFIGURATION GUIDE
3
Vlan-int1
172.16.1.1/ 24
172.16.2.1/ 24 sub
172.16.1.0/24
172.16.1.2/24
172.16.2.0/24
172.16. 2.2/24
Host A
Host B
Switch
IP ADDRESS CONFIGURATION GUIDE
IP Address
Configuration Guide
Network Diagram
If you want to manage a remote Ethernet switch through network management
or telnet, you need to configure an IP address for the remote switch and ensure
that the local device and the remote switch are reachable to each other.
A 32-bit IP address identifies a host on the Internet. Generally, a VLAN interface on
a switch is configured with one primary and four secondary IP addresses.
Figure 6 Network diagram for IP address configuration
Networking and
Configuration
Requirements
Applicable Products
As shown in the above figure, the port in VLAN 1 on Switch is connected to a LAN
in which hosts belong to two network segments: 172.16.1.0/24 and
172.16.2.0/24. It is required to enable the hosts in the LAN to communicate with
external networks through Switch, and to enable the hosts in the two network
segments to communicate with each other.
Product series Software version Hardware version
Switch 5500 Release V03.02.04 All versions
Switch 5500GRelease V03.02.04 All versions
Switch 4500Release V03.03.00 All versions
28CHAPTER 3: IP ADDRESS CONFIGURATION GUIDE
Configuration ProcedureAssign a primary and secondary IP addresses to VLAN-interface 1 of Switch to
ensure that all the hosts on the LAN can access external networks through Switch.
Set Switch as the gateway on all the hosts of the two network segments to ensure
that they can communicate with each other.
# Assign a primary IP address and a secondary IP address to VLAN-interface 1.
<Switch> system-view
[Switch] interface Vlan-interface 1
[Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the hosts in subnet 172.16.1.0/24,
and to 172.16.2.1 on the hosts in subnet 172.16.2.0/24.
# Ping Host B on Host A to verify the connectivity.
Complete Configuration#
interface Vlan-interface 1
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
Precautions■ You can assign at most five IP addresses to an interface, among which one is
the primary IP address and the others are secondary IP addresses. A newly
specified primary IP address overwrites the previous one.
■ The primary and secondary IP addresses of an interface cannot reside on the
same network segment; an IP address of a VLAN interface must not be on the
same network segment as that of a loopback interface on a device.
■ A VLAN interface cannot be configured with a secondary IP address if the
interface has obtained an IP address through BOOTP or DHCP.
4
VOICE VLAN CONFIGURATION GUIDE
Configuring Voice
VLAN
Network Diagram
In automatic mode, the switch configured with voice VLAN checks the source
MAC address of each incoming packet against the voice device vendor OUI. If a
match is found, the switch assigns the receiving port to the voice VLAN and tags
the packet with the voice VLAN ID automatically.
When the port joins the voice VLAN, a voice VLAN aging timer starts. If no voice
packets have been received before the timer expires, the port leaves the voice
VLAN.
In manual mode, you need to manually assign a port to or remove the port from
the voice VLAN.
Figure 7 Network diagram for voice VLAN in automatic mode
PC
IP Phone1
(Tag)
000f-e234-1234
Gateway
Eth1/0/1
SwitchASwitchB
Eth1/0/2
Voice
VoIP Network
Networking and
Configuration
Requirements
Server
IP Phone2
(Untag)
Oui:000f-2200-0000
As shown in Figure 7, PC is connected to Ethernet 1/0/1 of Switch A through IP
phone 1, and IP phone 2 is connected to Ethernet 1/0/2 of Switch A. IP phone 1
sends out voice traffic with the tag of the voice VLAN, while IP phone 2 sends out
voice traffic without any VLAN tag. Configure voice VLAN to satisfy the following
requirements:
■ VLAN 2 functions as the voice VLAN for transmitting voice traffic, and set the
aging time of the voice VLAN to 100 minutes. VLAN 6 transmits user service
data.
■ Ethernet 1/0/1 and Ethernet 1/0/2 can recognize voice traffic automatically.
Service data from PC and voice traffic are assigned to different VLANs and then
transmitted to the server and the voice gateway respectively through Switch B.
30CHAPTER 4: VOICE VLAN CONFIGURATION GUIDE
■ As the OUI address of IP phone 2 is not in the default voice device vendor OUI
list of the switch, you need to add its OUI address 000f-2200-0000. In addition,
configure its description as IP Phone2.
Applicable Products
Product series Software version Hardware version
Switch 5500 Release V03.02.04 All versions
Switch 5500GRelease V03.02.04 All versions
Switch 4500Release V03.03.00 All versions
Configuration Procedure# Create VLAN 2 and VLAN 6.
# Add 000f-2200-0000 to the OUI address list and configure its description as IP
Phone2.
[SwitchA] voice vlan mac-address 000f-2200-0000 mask ffff-ff00-0000
description IP Phone2
# Configure VLAN 2 as the voice VLAN.
[SwitchA] voice vlan 2 enable
# Set the voice VLAN operation mode on Ethernet 1/0/1 to automatic. This step is
optional, because the default operation mode of the voice VLAN is automatic.
[SwitchA] interface Ethernet 1/0/1
[SwitchA-Ethernet1/0/1] voice vlan mode auto
# Configure Ethernet 1/0/1 as a trunk port.
[SwitchA-Ethernet1/0/1] port link-type trunk
# Set VLAN 6 as the default VLAN of Ethernet 1/0/1 and configure Ethernet 1/0/1
to permit the packets of VLAN 6 to pass through. (PC data will be transmitted in
the VLAN.)
n
[SwitchA-Ethernet1/0/1] port trunk pvid vlan 6
[SwitchA-Ethernet1/0/1] port trunk permit vlan 6
# Enable voice VLAN on Ethernet 1/0/1.
[SwitchA-Ethernet1/0/1] voice vlan enable
■ After the configuration above, PC data is automatically assigned to the default
VLAN of Ethernet 1/0/1 (namely the service VLAN) for transmission. When IP
Loading...
+ 306 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.