No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , Aolynk, , H3Care,
Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware,
Storware, NQA, VVG, V
HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their
respective owners.
Notice
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the content s, but
all statements, information, and recommendations in this document do not constitute
the warranty of any kind, express or implied.
Technical Support
customer_service@h3c.com
http://www.h3c.com
, TOP G, , IRF, NetPilot,
2
G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and
About This Manual
Organization
H3C S3100 Series Ethernet Switches Operation Manual is organized as follows:
Part Contents
0 Product Overview
1 CLI
2 Login
3 Configuration File
Management
4 VLAN
5 Management VLAN Introduces the management VLAN configuration.
6 IP Address-IP Performance
7 Voice VLAN
8 GVRP Introduces GVRP and the related configuration.
9 Port Basic Configuration Introduces basic port configuration.
10 Link Aggregation
Introduces the characteristics and
implementations of the Ethernet switch.
Introduces the command hierarchy, command
view and CLI features of the Ethernet switch.
Introduces the ways to log into an Ethernet
switch.
Introduces the ways to manage configuration
files.
Introduces VLAN fundamental and the related
configuration.
Introduces IP address and IP performance
fundamental and the related configuration.
Introduces voice VLAN fundamental and the
related configuration.
Introduces link aggregation and the related
configuration.
11 Port Isolation
12 Port Security-Port Binding
13 DLDP Introduces DLDP and the related configuration.
14 MAC Address Table
Management
15 MSTP Introduces STP and the related configuration.
16 Multicast Introduces the configuration of IGMP Snooping.
17 802.1x-System Guard
Introduces port isolation and the related
configuration.
Introduces port security, port binding, and the
related configuration.
Introduces MAC address forwarding table and
the related configuration.
Introduces 802.1x, System-Guard and the
related configuration.
Part Contents
18 AAA
19 MAC Address
Authentication
Introduces AAA, RADIUS, HWTACACS, EAD,
and the related configurations.
Introduces MAC address authentication and the
related configuration.
20 ARP Introduces ARP and the related configuration.
21 DHCP
Introduces DHCP, DHCP-Snooping, and the
related configurations.
22 ACL Introduces ACL and the related configuration.
23 QoS-QoS Profile
24 Mirroring
25 Stack-Cluster
26 PoE-PoE Profile
27 SNMP-RMON
Introduces QoS, QoS profile and the related
configuration.
Introduces port mirroring and the related
configuration.
Introduces the configuration to form clusters
using HGMP V2.
Introduces PoE, PoE profile and the related
configuration.
Introduces the configuration to manage network
devices through SNMP and RMON.
28 NTP Introduces NTP and the related configuration.
29 SSH Introduces SSH and the related configuration.
30 File System Management
31 FTP-SFTP-TFTP
32 Information Center
33 System Maintenance and
Debugging
34 VLAN-VPN
Introduces basic configuration for file system
management.
Introduces basic configuration for FTP, SFTP,
TFTP, and the applications.
Introduces the configuration to analyze and
diagnose networks using the information center.
Introduces daily system maintenance and
debugging.
Introduces VLAN VPN and the related
configuration.
35 HWPing Introduces HWPing and the related configuration.
36 IPv6 Management
Introduces IPv6 Management and the related
configuration.
37 DNS Introduces DNS and the related config uration.
38 Smart Link-Monitor Link
Introduces Smart Link, Monitor Link and the
related configuration.
39 Appendix Lists the acronyms used in this manual.
Conventions
The manual uses the following conventions:
I. Command conventions
Convention Description
Boldface
italic
[ ]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... } *
[ x | y | ... ] *
&<1-n>
# A line starting with the # sign is comments.
The keywords of a command line are in Boldface.
Command arguments are in italic.
Items (keywords or arguments) in square brackets [ ] are
optional.
Alternative items are grouped in braces and separated by
vertical bars. One is selected.
Optional alternative items are grouped in square brackets
and separated by vertical bars. One or none is selected.
Alternative items are grouped in braces and separated by
vertical bars. A minimum of one or a maximum of all can be
selected.
Optional alternative items are grouped in square brackets
and separated by vertical bars. Many or none can be
selected.
The argument(s) before the ampersand (&) sign can be
entered 1 to n times.
II. GUI conventions
Convention Description
Boldface
>
III. Symbols
Convention Description
Warning
Caution
Window names, button names, field names, and menu
items are in Boldface. For example, the New User window
appears; click OK.
Multi-level menus are separated by angle brackets. For
example, File > Create > Folder.
Means reader be extremely careful. Improper operation
may cause bodily injury.
Means reader be careful. Improper operation may cause
data loss or damage to equipment.
Convention Description
Note Means a complementary description.
Related Documentation
In addition to this manual, each H3C S3100 Series Ethernet Switches documentation
set includes the following:
Manual Description
H3C S3100 Series Ethernet Switches
Installation Manual
H3C S3100 Series Ethernet Switches
Command Manual
H3C S3100 Series Ethernet Switches
Compliance and Safety Manual
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide
Web at this URL: http://www.h3c.com.
The following are the columns from which you can obtain different categories of product
documentation:
[Products & Solutions]: Provides information about products and technologies.
[Technical Support & Document > Technical Documents]: Provides several categories
of product documentation, such as installation, operation, and maintenance.
It provides information for the system
installation.
It is used for assisting the users in using
various commands.
It lists the regulatory compliance
statements and provides the safety
information of H3C S3100 series
Ethernet switches.
[Technical Support & Document > Product Support > Software]: Provides the
documentation released with the software version.
Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Operation Manual – Product Overview
H3C S3100 Series Ethernet Switches Table of Contents
Table of Contents
Chapter 1 Obtaining the Documentation ....................................................................................1-1
Operation Manual – Product Overview
H3C S3100 Series Ethernet Switches Chapter 1 Obtaining the Documentation
Chapter 1 Obtaining the Documentation
Hangzhou H3C Technologies Co., Ltd. provides various ways for you to obtain
documentation, through which you can obtain the product documentations and those
concerning newly added new features. The document ations are available in on e of the
following ways:
z CD-ROMs shipped with the devices
z H3C website
z Software release notes
1.1 CD-ROM
H3C delivers a CD-ROM together with each device. The CD-ROM contains the
operation manual and command manual. After installing the reader program provided
by the CD-ROM, you can search for the desired contents in a convenient way through
the reader interface.
The contents in the manual are subject to update on an irregular basis due to product
version upgrade or some other reasons. Therefore, the contents in the CD-ROM may
not be the latest version. This manual serves the purpose of user guide only. Unless
otherwise noted, all the information in the document set does not claim or imply any
warranty. For the latest software documentation, go to the H3C website.
1.2 H3C Website
Perform the following steps to query and download the product do cumentation from the
H3C website.
Table 1-1 Acquire product documentation from the H3C website
Registering
Acquire product
documentation
Access the homepage of H3C at http:// www.h3c.com and click
on Registration at the top right. In the displayed page, provide
your information and click on Submit to register.
Approach 1:
In the homepage of H3C at http:// www.h3c.com, select Technical
Support & Document > Technical Documents from the navigation
menu at the top. Then select a product for its documents.
Approach 2:
In the homepage of H3C at http:// www.h3c.com, select Support >
Technical Documents. Then select a product for its documents.
1-1
Operation Manual – Product Overview
H3C S3100 Series Ethernet Switches Chapter 1 Obtaining the Documentation
1.3 Software Release Notes
With software upgrade, new software features may be added. You can acquire the
information about the newly added software features through software release notes.
1-2
Operation Manual – Product Overview
H3C S3600 Series Ethernet Switches
Chapter 2 Correspondence Between
Documentation and Software
2.1 Manual List
Chapter 2 Correspondence Between Documentation
and Software
H3C S3100 Series Ethernet Switches Installation Manual
H3C S3100 Series Ethernet Switches Quick Start
H3C S3100 Series Ethernet Switches Compliance and
Safety Manual
H3C S3100 Series Ethernet Switches Operation Manual
H3C S3100 Series Ethernet Switches Command Manual
2.2 Software Version
H3C S3100 Series Ethernet Switches Operation Manual and H3C S3100 Series
Ethernet Switches Command Manual are for the software versions list in
the S3100-SI series and S3100-EI series switches.
Table 2-1 Corresponding software versions of this manual
Switch Software Version
Manual name
Corresponding
Product
S3100-SI series
S3100-EI series
Table 2-1 of
S3100-SI series Release2102, Release2107
S3100-EI series Release2104, Release2107, Release2107P01
The supported features are different between these softwa re versions.
zCompared with Release 2102, some new features are added in Release 2107 of
the S3100-SI series switches. For details, refer to
zCompared with Release 2104, some new features are added in Release 2107 and
Release 2107P01 of the S3100-EI series switches. For details, refer to
2-1
Table 2-2.
Table 2-3.
Operation Manual – Product Overview
H3C S3600 Series Ethernet Switches
Table 2-2 Added features compared with the earlier software version of S3100-SI
Chapter 2 Correspondence Between Documentation
and Software
Software
Version
Added Features Compared With The
Earlier Version
Assigning MAC Addresses for Ethernet
Ports
ARP Source MAC Address Consistency
Check
Local authentication after failed of
remote authentication
For the convenience of users, units of Mega bps/1000 Mega bps in the following
chapters are simplified as M/G.
3.1 Overview
The H3C S3100 Series Ethernet Switches are high-performance, high-density,
easy-to-install, NMS-manageable intelligent Ethernet switches which support
wire-speed Layer 2 switching.
3.2 Software Features
S3100 Series Ethernet Switches have abundant software features and can meet the
requirements of different applications.
each module.
Table 3-1 Software features of the S3100 series
Part Features
1 CLI
2 Login
3 Configuration File
Management
4 VLAN
5 Management VLAN
Table 3-1 summarizes the features provided by
z CLI
z Hierarchically grouped commands
z CLI online help
z Logging into a switch through the Console port
z Logging into a switch through an Ethernet port by
using Telnet or SSH
zLogging into a switch through the Console port by
using modem
z Logging into a switch through Web or NMS
z Saving and deleting the configuration file
z Specifying the configuration file to be used the next
time the device boots and the file attribute
z IEEE 802.1Q-compliant VLAN
z Port-based VLAN
z Protocol-based VLAN (Supported by only S3100-EI
series switches)
z Management VLAN configuration
z Management VLAN interface configuration
The S3100 series can be flexibly deployed in networks. They can be used in enterprise
networks, or serve as broadband access points. The following examples are three
typical networks using the S3100 series.
4.1 MAN Access Solution
In a metropolitan area network (MAN), the S3100 series can serve as access devices.
In the downlink direction, they directly connect to users through 100 Mbps interfaces;
and in the uplink direction, they connect to an aggregation layer (Layer 3) switches or
MA5200 intelligent service gateways, which further connect to the core of the MAN
through routers. This provides you a comprehensive gigabit-to-backbone
100-Mbps-to-desktop MAN solution.
Figure 4-1 Network diagram for a MAN using S3100 series
4.2 Education Network Solution
In a campus network, the S3100 series can serve as desktop switching devices at the
access layer. They directly connect to users in education buildings through 100 Mbps
downlink interfaces; and connect to the core switch in the campus throu gh a 1000 Mbps
uplink interface; the core switch further connects to the education network through a
router. This enables the users in the campus to exchange information and share
resources in the scope of the education network.
SeverCoursewareNMS
Network center
1000/100M
S3100
100M
Video classroom/conference room
S3100
100M
1000M1000M
1000M1000M
AR28
S5600
Education
network
Classroom/laboratory
Figure 4-2 Network diagram for an education network using S3100 series
4.3 Multi-Service Carrier VLAN Solution
Note:
S3100
100M
School building
S3100
100M
School building
Only S3100-EI series Ethernet switches support this multi-service carrier VLAN
solution.
With development of various application technologies, enterprise users are
increasingly relying on network services. They hope the networks can offer secure,
reliable leased lines, VOIP and video conference services, thus reducing their
operating costs. Additionally, apart from simple Internet surfing, individual users expect
more abundant services from the networks, e.g., IPTV, video chatting, real-time gaming,
etc. Meanwhile, construction of the NGN/3G carrier network will draw huge attention of
carriers. If NGN/3G services can be carried on the broadband access network, the
costs of the entire network solution can be lowered dramatically.
T o carry such services with different QOS requi rements, the broadband access netwo rk
needs to have effective service identification and isolation capacity. VLAN is the best
service identification and isolation technology at present, and is the basis for
multi-service deployment. As broadband users increase explosively and services
appear continuously, however, the traditional VLAN technology cannot meet the
requirements of service deployments. In this situation, QinQ, VLAN mapping, etc
become new choices.
The figure below shows a typical application: The IPTV service requires that the
DSLAM be moved downwards into the campus to enhance users’ access bandwidth.
S3100-EI acts as the DSLAM convergence switch. Selective QinQ is configured on the
device, with the service VLAN identifying the DSLAM or the campus position and the
customer VLAN identifying the customer. In this way, carriers can implement uniform
planning and precise management: VLAN layout is simple, and is not affected by the
customer side.
IP MAN
End office Switch
Campus Switch
(S3100-EI)
DSLAM
…………
Figure 4-3 DSLAM convergence application
Another more complicated configuration example is when the LAN is connected to
dense Home Gateways (HG). Generally, the ex-factory setting of an HG is simple as it
uses a fixed VLAN tag to identify the attached service type (data service, IPTV, etc).
Thus, precise division and management for users and services can be implemented.
And VLAN mapping is then implemented on the access device S3100-EI. In this way,
respective service VLANs are “translated” into the VLANs that com ply with the carrier’s
deployment. In addition, QinQ is used on the upstream device to identify the campus
position. Such uniform configuration implements carriers’ precise PUPSPV (respective
users and respective services use their own VLANs) management.
A command li ne interface (CLI) is a user interfa ce to interact with a switch. Throug h the
CLI on a switch, a user can enter commands to configure the switch and check output
information to verify the configuration. Each S3100 series Ethernet switch provides an
easy-to-use CLI and a set of configuration commands for the convenience of the user
to configure and manage the switch.
The CLI on S3100 series Ethernet switches provides the following features, and so has
good manageability and operability.
zHierarchical command protection: After users of different levels log in, they can
only use commands at their own, or lower, levels. This prevents users from using
unauthorized commands to configure switches.
zOnline help: Users can gain online help at any time by entering a question mark
(?).
zDebugging: Abundant and detailed debugging information is provided to help
users diagnose and locate network problems.
zCommand history function: This enables users to check the commands that they
have lately executed and re-execute the commands.
zPartial matching of commands: The system will use partially matching method to
search for commands. This allows users to execute a command by entering
partially-spelled command keywords as long as the keywords entered can be
uniquely identified by the system.
1.2 Command Hierarchy
1.2.1 Command Level and User Privilege Level
I. Command level
The S3100 series Ethernet switches use hierarchical command protection for
command lines, so as to inhibit users at lower levels from using higher-level command s
to configure the switches.
Based on user privilege, commands are classified into four levels, which default to:
zVisit level (level 0): Commands at this level are mainly used to diagnose network,
and they cannot be saved in configuration file. For example, ping, tracert and
telnet are level 0 commands.
zMonitor level (level 1): Commands at this level are mainly used to maintain the
system and diagnose service faults, and they cannot be saved in configuration fil e.
Such commands include debugging and terminal.
zSystem level (level 2): Commands at this level are mainly used to configure
services. Commands concerning routing and network layers are at this level.
These commands can be used to provide network services directly.
zManage level (level 3): Commands at this level are associated with the basic
operation modules and support modules of the system. These commands p rovide
support for services. Commands concerning file system, FTP/TFTP/XModem
downloading, user management, and level setting are at this level.
II. User privilege level
Users logged into the switch fall into four user privilege levels, which correspond to the
four command levels respectively. Users at a specific level can only use the commands
at the same level or lower levels.
By default, the Console user (a user who logs into the switch through the Console port)
is a level-3 user, and Telnet users are level-0 users.
Y ou can use the user privilege level command to set the default user privilege level for
users logging in through a certain user interface. For details, refer to Login Operation.
Note:
If a user logs in using AAA authentication, the user privilege level depends on the
configuration of the AAA scheme. For details, refer to AAA Operation.
1.2.2 Modifying the Command Level
I. Modifying the Command Level
Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and
manage (level 3). By using the following command, the administrator can change the
level of a command in a specific view as required.
Table 1-1 Set the level of a command in a specific view
zIt is recommended not to change the level of a command arbitrarily, for it may cause
inconvenience to maintenance and operation.
zWhen you change the level of a command with multiple keywords, you should input
the keywords one by one in the order they appear in the command syntax.
Otherwise, your configuration will not take effect.
II. Configuration example
The network administrator (a level 3 user) wants to change some TFTP commands
(such as tftp get) from level 3 to level 0, so that general Telnet users (level 0 users) are
able to download files through TFTP.
# Change the tftp get command in user view (shell) from level 3 to level 0. (Originally,
only level 3 users can change the level of a command.)
After the above configuration, general Telnet users can use the tftp get command to
download file bootrom.btm and other files from TFTP server 192.168.0.1 and other
TFTP servers.
1.2.3 Switching User Level
Table 1-2 User level switching configuration task list
Specifying the authentication mode for user level switching Optional
Adopting super password authentication for user level switching Required
Adopting HWTACACS authentication for user level switching Required
Switching to a specific user level Required
Operation Remarks
I. Specifying the authentication mode for user level switching
You can switch between user levels through corresponding commands after logging
into a switch successfully. The high-to-low user level switching is unlimited. However,
the low-to-high user level switching requires the corresponding authentication. The
super password authentication mode and HWTACACS authentication mode are
available at the same time to provide authentication redundancy.
The configuration of authentication mode for user level switching is performed by
Level-3 users, as described in
Table 1-3.
Table 1-3 Specify the authentication mode for user level switching
Operation Command Remarks
Enter system view
Enter user interface view
Super password
authentication
HWTACACS
authentication
Super password
Specify the
authentication
mode for user
level
switching
authentication
preferred (with the
HWTACACS
authentication as the
backup authentication
mode)
HWTACACS
authentication
preferred (with the
super password
authentication as the
backup authentication
mode)
system-view
user-interface [ type ]
first-number
[ last-number ]
super
authentication-mode
super-password
super
authentication-mode
scheme
super
authentication-mode
super-password
scheme
super
authentication-mode
scheme
super-password
—
—
Optional
By default,
super
password
authentication
is adopted for
user level
switching.
Note:
When both the super password authentication and the HWTACACS authentication are
specified, the device adopts the preferred authentication mode first. If the preferred
authentication mode cannot be implemented (for example, the super password is not
configured or the HWTACACS authentication server is unreachable), the backup
authentication mode is adopted.
II. Adopting super password authentication for user level switching
With the super password set, you can pass the super password authentication
successfully only when you provide the super password as prompted. If no super
password is set, the system prompts “%Password is not set” when you attempt to
switch to a higher user level. In this case, you cannot pass the super password
authentication.
Table 1-4 lists the operations to configure super password authentication for user level
switching, which can only be performed by level-3 users.
Table 1-4 Set a password for use level switching
Operation Command Remarks
Enter system view
Set the super password
for user level switching
system-view
super password [ level
level ] { cipher | simple }
password
—
Required
By default, the super
password is not set.
III. Adopting HWTACACS authentication for user level switching
To implement HWTACACS authentication for user level switching, a level-3 user must
perform the commands listed in
Table 1-5 to configure the HWTACACS authentication
scheme used for low-to-high user level switching. With HWTACACS authentication
enabled, you can pass the HWTACACS authentication successfully only after you
provide the right user name and the corresponding password as pr ompted. Note that if
you have passed the HWTACACS authentication when logging in to the switch, only
the password is required.
Table 1-5 lists the operations to configure HWTACACS authentication for user level
switching, which can only be performed by Level-3 users.
Table 1-5 Set the HWTACACS authentication scheme for user level switching
Operation Command Description
Enter system view
Enter ISP domain view
Set the HWTACACS
authentication scheme
for user level switching
system-view
domain domain-name
authentication super
hwtacacs-scheme
hwtacacs-scheme-name
1-5
—
—
Required
By default, the HWTACACS
authentication scheme for user
level switching is not set.
When setting the HWTACACS authentication scheme for user level switchin g using the
authenticationsuper hwtacacs-scheme command, make sure the HWTACACS
authentication scheme identified by the hwtacacs-scheme-name argument already
exists. Refer to AAA Operation for information about HWTACACS authentication
scheme.
IV. Switching to a specific user level
Table 1-6 Switch to a specific user level
Operation Command Remarks
Switch to a specified user
level
super [ level ]
Required
Execute this command in user view.
Note:
z If no user level is specified in the super password command or the super
command, level 3 is used by default.
zFor security purpose, the password entered is not displayed when you switch to
another user level. You will remain at the original user level if you have tried three
times but failed to enter the correct authentication information.
V. Configuration example
After a general user telnets to the switch, his/her user level is 0. Now, the network
administrator wants to allow general users to switch to level 3, so that they are able to
configure the switch.
1) Super password authentication co nfiguration example
# A level 3 user sets a switching password for user level 3.
<Sysname> system-view
[Sysname] super password level 3 simple 123
# A general user telnet s to the switch, and then uses the set p assword to switch to user
level 3.
<Sysname> super 3
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
# Af ter configuring the switch, the general user switches back to user level 0.
<Sysname> super 0
User privilege level is 0, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
2) HWTACACS authentication configuration example
# Configure a HWTACACS authentication scheme named acs, and specify the user
name and password used for user level switching on the HWTACACS server defined in
the scheme. Refer to AAA Operation for detailed configuration procedures.
# Enable HWTACACS authentication for VTY 0 user level switching.
# Specify to adopt the HWTACACS authentication scheme named acs for user level
switching in the ISP domain named system.
[Sysname] domain system
[Sysname-isp-system] authentication super hwtacacs-scheme acs
# Switch to user level 3 (assuming that you log into the switch as a VTY 0 user by
Telnet).
<Sysname> super 3
Username: user@system
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
1.3 CLI Views
CLI views are designed for different configuration tasks. They are both correlated and
distinguishing. For example, once a user logs into a switch successfully , the user enters
user view, where the user can perform some simple operations such as checking the
operation status and statistics information of the switch. After executing the
system-view command, the user enters system view, where the user can go to other
views by entering corresponding commands.
Table 1-7 lists the CLI views provided by S3100 series Ethernet switches, operations
that can be performed in different CLI views and the commands used to enter specific
CLI views.