HEWLETT PACKARD ENTERPRISE HP 1950-12XGT User guide

HPE OfficeConnect 1950 Switch Series
User Guide
Document version: 6W104-20190520
Part number: 5998-8111b
Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates. UNIX® is a registered trademark of The Open Group.

Contents

Overview ···················································· 1
Restrictions: Applicable hardware platforms and software versions ···················· 1
Logging in to the Web interface ···················································· 2
  Restrictions and guidelines ···················································· 2
    Web browser requirements ···················································· 2
    Default login settings ···················································· 2
    Concurrent login users ···················································· 3
  Logging in to the Web interface for the first time ···················································· 3
  Logging out of the Web interface ···················································· 4
Using the Web interface ···················································· 5
  Types of webpages ···················································· 6
    Using a feature page ···················································· 6
    Using a table page ···················································· 6
    Using a configuration page ···················································· 7
  Icons and buttons ···················································· 8
  Performing basic tasks ···················································· 9
    Saving the configuration ···················································· 9
    Displaying or modifying settings of a table entry ···················································· 9
    Rebooting the device ···················································· 10
Feature navigator ···················································· 11
  Dashboard menu ···················································· 11
  Device menu ···················································· 11
  Network menu ···················································· 12
  Resources menu ···················································· 16
  QoS menu ···················································· 17
  Security menu ···················································· 17
  PoE menu ···················································· 18
  Log menu ···················································· 18
Device management ···················································· 19
  Settings ···················································· 19
    System time sources ···················································· 19
    Clock synchronization protocols ···················································· 19
    NTP/SNTP operating modes ···················································· 19
    NTP/SNTP time source authentication ···················································· 20
  Administrators ···················································· 20
    User account management ···················································· 21
    Role-based access control ···················································· 21
    Password control ···················································· 22
  HPE OfficeConnect 1950 stacking (IRF) ···················································· 24
    Stack member roles ···················································· 25
    Stack port ···················································· 25
    Stack physical interfaces ···················································· 25
    Stack domain ID ···················································· 25
    Stack split and stack merge ···················································· 25
    Member priority ···················································· 26
Network services features ···················································· 27
  Link aggregation ···················································· 27
    Aggregation group ···················································· 27
    Link aggregation modes ···················································· 28
  Storm control ···················································· 31
  Port isolation ···················································· 31
  VLAN ···················································· 31
    Port-based VLANs ···················································· 31
    VLAN interface ···················································· 32
  Voice VLAN ···················································· 32
    OUI addresses ···················································· 32
    QoS priority setting mode for voice traffic ···················································· 32
    Voice VLAN assignment modes ···················································· 33
    Security mode and normal mode of voice VLANs ···················································· 33
  MAC ···················································· 33
    Types of MAC address entries ···················································· 33
    Aging timer for dynamic MAC address entries ···················································· 34
    MAC address learning ···················································· 34
  STP ···················································· 34
    Spanning tree modes ···················································· 35
    MSTP basic concepts ···················································· 35
    Port roles ···················································· 35
    Port states ···················································· 36
  LLDP ···················································· 36
    LLDP agent ···················································· 36
    Transmitting LLDP frames ···················································· 36
    Receiving LLDP frames ···················································· 37
    LLDP reinitialization delay ···················································· 37
    LLDP trapping ···················································· 37
    LLDP TLVs ···················································· 37
    CDP compatibility ···················································· 38
  DHCP snooping ···················································· 38
  IP ···················································· 39
    IP address classes ···················································· 39
    Subnetting and masking ···················································· 39
    IP address configuration methods ···················································· 40
    MTU for an interface ···················································· 40
  ARP ···················································· 40
    Types of ARP table entries ···················································· 40
    Gratuitous ARP ···················································· 41
    ARP attack protection ···················································· 41
  DNS ···················································· 44
    Dynamic domain name resolution ···················································· 44
    Static domain name resolution ···················································· 45
    DNS proxy ···················································· 45
    DDNS ···················································· 45
  IPv6 ···················································· 46
    IPv6 address formats ···················································· 46
    IPv6 address types ···················································· 46
    EUI-64 address-based interface identifiers ···················································· 47
    IPv6 global unicast address configuration methods ···················································· 47
    IPv6 link-local address configuration methods ···················································· 48
  ND ···················································· 49
    Neighbor entries ···················································· 49
    RA messages ···················································· 49
    ND proxy ···················································· 51
  Port mirroring ···················································· 52
  Static routing ···················································· 52
  Policy-based routing ···················································· 52
    Policy ···················································· 52
    PBR and Track ···················································· 53
  IGMP snooping ···················································· 53
  MLD snooping ···················································· 53
  DHCP ···················································· 53
    DHCP server ···················································· 53
    DHCP relay agent ···················································· 55
  HTTP/HTTPS ···················································· 56
  SSH ···················································· 56
  FTP ···················································· 57
  Telnet ···················································· 57
  NTP ···················································· 57
  SNMP ···················································· 57
    MIB ···················································· 57
    SNMP versions ···················································· 58
    SNMP access control ···················································· 58
Resources features ···················································· 60
  ACL ···················································· 60
    ACL types and match criteria ···················································· 60
    Match order ···················································· 60
    Rule numbering ···················································· 61
  Time range ···················································· 62
  SSL ···················································· 62
  Public key ···················································· 62
    Managing local key pairs ···················································· 63
    Managing peer public keys ···················································· 63
  PKI ···················································· 64
    PKI architecture ···················································· 64
    Managing certificates ···················································· 65
  Certificate access control ···················································· 66
    Certificate access control policies ···················································· 66
    Attribute groups ···················································· 66
QoS features ···················································· 68
  QoS policies ···················································· 68
    Traffic class ···················································· 68
    Traffic behavior ···················································· 68
    QoS policy ···················································· 68
    Applying a QoS policy ···················································· 68
  Hardware queuing ···················································· 68
    SP queuing ···················································· 69
    WRR queuing ···················································· 69
    WFQ queuing ···················································· 70
    Queue scheduling profile ···················································· 71
  Priority mapping ···················································· 71
    Port priority ···················································· 71
    Priority map ···················································· 72
  Rate limit ···················································· 72
Security features ···················································· 73
  Packet filter ···················································· 73
  IP source guard ···················································· 73
    Overview ···················································· 73
    Interface-specific static IPv4SG bindings ···················································· 73
  802.1X ···················································· 73
    802.1X architecture ···················································· 73
    802.1X authentication methods ···················································· 74
    Access control methods ···················································· 74
    Port authorization state ···················································· 74
    Periodic online user reauthentication ···················································· 75
    Online user handshake ···················································· 75
    Authentication trigger ···················································· 75
    Auth-Fail VLAN ···················································· 75
    Guest VLAN ···················································· 76
    Critical VLAN ···················································· 76
    Mandatory authentication domain ···················································· 77
    EAD assistant ···················································· 77
  MAC authentication ···················································· 78
    Overview ···················································· 78
    MAC authentication configuration on a port ···················································· 78
  Port security ···················································· 79
    Overview ···················································· 79
    Port security settings ···················································· 80
    Port security features ···················································· 82
    Secure MAC addresses ···················································· 83
  Portal ···················································· 83
    Portal authentication server ···················································· 84
    Portal Web server ···················································· 85
    Local portal Web server ···················································· 86
    Portal-free rules ···················································· 88
    Interface policy ···················································· 88
  ISP domains ···················································· 89
  RADIUS ···················································· 90
    RADIUS protocol ···················································· 90
    Enhanced RADIUS features ···················································· 91
Log features ···················································· 92
  Log levels ···················································· 92
  Log destinations ···················································· 92
Configuration examples ···················································· 93
  Device maintenance examples ···················································· 93
    System time configuration example ···················································· 93
    Administrators configuration example ···················································· 93
    Stack configuration example ···················································· 94
    NTP configuration example ···················································· 96
    SNMP configuration example ···················································· 97
  Network services configuration examples ···················································· 97
    Ethernet link aggregation configuration example ···················································· 97
    Port isolation configuration example ···················································· 98
    VLAN configuration example ···················································· 99
    Voice VLAN configuration example ···················································· 100
    MAC address entry configuration example ···················································· 101
    MSTP configuration example ···················································· 101
    LLDP configuration example ···················································· 103
    DHCP snooping configuration example ···················································· 103
    Static ARP entry configuration example ···················································· 104
    Static DNS configuration example ···················································· 105
    Dynamic DNS configuration example ···················································· 106
    DDNS configuration example with www.3322.org ···················································· 107
    Static IPv6 address configuration example ···················································· 108
    ND configuration example ···················································· 109
    Port mirroring configuration example ···················································· 110
    IPv4 static route configuration example ···················································· 111
    IPv4 local PBR configuration example ···················································· 112
    IGMP snooping configuration example ···················································· 112
    MLD snooping configuration example ···················································· 114
    DHCP configuration example ···················································· 115
    Password authentication enabled Stelnet server configuration example ···················································· 117
  QoS configuration example ···················································· 118
  Security configuration examples ···················································· 119
    ACL-based packet filter configuration example ···················································· 119
    Static IPv4 source guard configuration example ···················································· 120
    802.1X RADIUS authentication configuration example ···················································· 121
    802.1X local authentication configuration example ···················································· 123
    RADIUS-based MAC authentication configuration example ···················································· 124
    RADIUS-based port security configuration example ···················································· 126
    Direct portal authentication configuration example ···················································· 127
    Re-DHCP portal authentication configuration example ···················································· 129
    Cross-subnet portal authentication configuration example ···················································· 132
    Direct portal authentication using local portal Web server configuration example ···················································· 134
    AAA for SSH users by a TACACS server configuration example ···················································· 135
  PoE configuration example ···················································· 137
    Network requirements ···················································· 137
    Configuration procedure ···················································· 137
Appendix A Managing the device from the CLI ···················································· 138
  display poe pse ···················································· 139
  initialize ···················································· 140
  ipsetup dhcp ···················································· 141
  ipsetup ip address ···················································· 141
  ipsetup ipv6 address ···················································· 142
  ipsetup ipv6 auto ···················································· 143
  password ···················································· 144
  ping ···················································· 144
  ping ipv6 ···················································· 145
  poe update ···················································· 145
  quit ···················································· 146
  reboot ···················································· 146
  summary ···················································· 147
  telnet ···················································· 149
  telnet ipv6 ···················································· 150
transceiver phony-alarm-disable ························································································· 150
upgrade ························································································································· 151
xtd-cli-mode ··················································································································· 153
Document conventions and icons ···················································· 155
Conventions ························································································································· 155
Network topology icons ··········································································································· 156
Support and other resources ·························································· 157
Accessing Hewlett Packard Enterprise Support ············································································ 157
Accessing updates ················································································································· 157
Websites ······················································································································· 158
Customer self repair ········································································································· 158
Remote support ·············································································································· 158
Documentation feedback ·································································································· 158
Index ························································································· 160

Overview

This user guide provides the following information:
Information | Section
How to log in to the Web interface for the first time. | Logging in to the Web interface for the first time
How to use the Web interface. | Using the Web interface
What features you can configure from the Web interface. How to access the page for a feature or task. | Feature navigator
How to use features in typical scenarios. | Configuration examples
How to manage the device from the CLI. | Appendix A Managing the device from the CLI
This user guide does not include step-by-step configuration procedures, because the webpages are task oriented by design. A configuration page typically provides links to any pages that are required to complete the task. Users do not have to navigate to multiple pages. For tasks that require navigation to multiple pages, this user guide provides configuration examples.
This user guide also does not provide detailed information about parameters. You can obtain sufficient online help, feature information, and parameter information from the webpages.

Restrictions: Applicable hardware platforms and software versions

Product code | HPE description | Software version
JG960A | HPE OfficeConnect 1950 24G 2SFP+ 2XGT Switch | Release 3111P02, Release 3113P05
JG961A | HPE OfficeConnect 1950 48G 2SFP+ 2XGT Switch | Release 3111P02, Release 3113P05
JG962A | HPE OfficeConnect 1950 24G 2SFP+ 2XGT PoE+(370W) Switch | Release 3111P02, Release 3113P05
JG963A | HPE OfficeConnect 1950 48G 2SFP+ 2XGT PoE+(370W) Switch | Release 3111P02, Release 3113P05
JH295A | HPE OfficeConnect 1950 12XGT 4SFP+ Switch | Release 5103P03
NOTE:
If the network has a DHCP server, you must use the DHCP assigned IP address to access the device. For more information, see "Logging in to the Web interface for the first time."

Logging in to the Web interface

Log in to the Web interface through HTTP or HTTPS.

Restrictions and guidelines

To ensure a successful login, verify that your operating system and Web browser meet the requirements, and follow the guidelines in this section.

Web browser requirements

As a best practice, use one of the following Web browsers to log in:
Internet Explorer 8 or higher.
Google Chrome 10 or higher.
Mozilla Firefox 4 or higher.
Opera 11.11 or higher.
Safari 5.1 or higher.
To access the Web interface, you must use the following browser settings:
Accept the first-party cookies (cookies from the site you are accessing).
To ensure correct display of webpage contents after software upgrade or downgrade, clear data cached by the browser before you log in.
Enable active scripting or JavaScript, depending on the Web browser.
If you are using a Microsoft Internet Explorer browser, you must enable the following security settings:
Run ActiveX controls and plug-ins.
Script ActiveX controls marked safe for scripting.

Default login settings

Use the settings in Table 1 for the first login.
Table 1 Default login settings
Item | Setting
Device IP (VLAN-interface 1) IP address mask | See "Logging in to the Web interface for the first time."
Username | admin
Password | None
User role | network-admin
IMPORTANT:
As a best practice, change the login information and assign access permissions immediately after the first successful login for security purposes.

Concurrent login users

The Web interface allows a maximum of 32 concurrent accesses. If this limit is reached, login attempts will fail.

Logging in to the Web interface for the first time

By default, HTTP and HTTPS are enabled. To log in to the Web interface:

1. Use an Ethernet cable to connect the configuration terminal to an Ethernet port on the device.

2. Identify the IP address and mask of the device.

If the device is not connected to the network, or no DHCP server exists on the network, the device uses the default IP address and mask. The default mask is 255.255.0.0. The default IP address is 169.254.xxx.xxx, where xxx.xxx depends on the last two bytes of the MAC address. Find the MAC address label on the device and use the following rules to determine the last two bytes for the IP address:
Last two bytes of the MAC address | Last two bytes for the IP address
All 0s | 0.1
All Fs | 255.1
Not all 0s or all Fs | Decimal values of the last two bytes of the MAC address
For example:
MAC address | IP address
08004E080000 | 169.254.0.1
08004E08FFFF | 169.254.255.1
08004E082A3F | 169.254.42.63 (The decimal value of 2A is 42. The value of 3F is 63.)
If a DHCP server is available, the device obtains an IP address from the server. To identify the address, log in to the device through the console port, and then execute the summary command. The following is the sample output:
<Sysname> summary
Select menu option: Summary
IP Method: DHCP
IP address: 10.153.96.86
Subnet mask: 255.255.255.0
Default gateway: 0.0.0.0
For more information about console login, see the getting started guide for the device.

3. Assign the login host an IP address in the same subnet as the device.

4. Open the browser, and then enter login information:

IMPORTANT:
To prevent the loss of configuration when the device reboots, you must save the configuration.

a. In the address bar, enter the IP address of the device.

HTTP access—Enter the address in the http://ip-address:port or ip-address:port format.
HTTPS access—Enter the address in the https://ip-address:port format.
The ip-address argument represents the IP address of the device. The port argument represents the HTTP or HTTPS service port. The default port number is 80 for HTTP and 443 for HTTPS. You do not need to enter the port number if you have not changed the service port setting.

b. On the login page, enter the default username (admin) and the verification code.

You do not need to enter a password at the first login.

c. Click Login.

5. Change the login information:

To change the password of the login user (admin at the first login), click the Admin icon.
To add new user accounts and assign access permissions to different users, select Device > Maintenance > Administrators.
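Step 2 above, as an added example that is not part of HPE's guide or the switch firmware: a small Python helper (the function names and the host addresses are my own) that applies the MAC-to-default-address rules, extracts the DHCP-assigned address from the summary output shown above, and checks that the login host chosen in step 3 sits in the device's subnet.

```python
"""Added example (not HPE code): helpers for step 2 of the first-login
procedure, so the default or DHCP-assigned address can be found without
guesswork. Function names and the host addresses are constructed here."""
import ipaddress
import re

# Sample output of the CLI `summary` command, copied from the guide.
SAMPLE_SUMMARY = """<Sysname> summary
Select menu option: Summary
IP Method: DHCP
IP address: 10.153.96.86
Subnet mask: 255.255.255.0
Default gateway: 0.0.0.0
"""

DEFAULT_MASK = "255.255.0.0"  # factory-default mask stated in the guide


def default_ip_from_mac(mac: str) -> str:
    """Derive the factory-default 169.254.x.x address from a MAC address.

    Rules from the guide: last two MAC bytes all 0s -> 0.1, all Fs -> 255.1,
    otherwise the decimal values of those two bytes. Separators such as
    ':' or '-' in the MAC string are ignored.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    b5, b6 = int(digits[8:10], 16), int(digits[10:12], 16)
    if (b5, b6) == (0x00, 0x00):
        return "169.254.0.1"
    if (b5, b6) == (0xFF, 0xFF):
        return "169.254.255.1"
    return f"169.254.{b5}.{b6}"


def parse_summary(output: str) -> dict:
    """Pick the IP settings out of `summary` output (console login case)."""
    fields = {}
    for key in ("IP Method", "IP address", "Subnet mask", "Default gateway"):
        match = re.search(rf"^{re.escape(key)}:\s*(\S+)", output, re.MULTILINE)
        if match:
            fields[key] = match.group(1)
    return fields


def host_in_device_subnet(device_ip: str, mask: str, host_ip: str) -> bool:
    """Step 3 check: the login host must sit in the same subnet as the device."""
    network = ipaddress.ip_network(f"{device_ip}/{mask}", strict=False)
    return ipaddress.ip_address(host_ip) in network


if __name__ == "__main__":
    # The three MAC addresses are the guide's own examples.
    for mac in ("08004E080000", "08004E08FFFF", "08:00:4E:08:2A:3F"):
        ip = default_ip_from_mac(mac)
        print(mac, "->", ip, "| host 169.254.1.100 in subnet:",
              host_in_device_subnet(ip, DEFAULT_MASK, "169.254.1.100"))
    info = parse_summary(SAMPLE_SUMMARY)
    print(info, "| host 10.153.96.10 in subnet:",
          host_in_device_subnet(info["IP address"], info["Subnet mask"],
                                "10.153.96.10"))
```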

Logging out of the Web interface

For security purposes, log out of the Web interface immediately after you finish your tasks. You cannot log out by closing the browser. The device does not automatically save the configuration when you log out of the Web interface.

1. Use one of the following methods to save the current configuration.

Click the Save icon in the left corner.
Select Device > Maintenance > Configuration to access the configuration management page.
2. Click Logout in the upper-left corner of the Web interface.

Using the Web interface

The Web interface contains the following areas:
Area | Description
(1) Banner and auxiliary area:
  Contains the following items:
    Basic information, including the Hewlett Packard Enterprise logo, device name, and information about the current login user.
    Basic management icons:
      Admin icon—Click this icon to change the login password.
      Logout icon—Click this icon to log out.
      Save icon—Click this icon to save the configuration.
(2) Navigation tree:
  Organizes feature menus in a tree.
(3) Content pane:
  Displays information and provides an area for you to configure features. Depending on the content in this pane, the webpages include the following types:
    Feature page—Contains functions or features that a feature module can provide (see "Using a feature page").
    Table page—Displays entries in a table (see "Using a table page").
    Configuration page—Contains parameters for you to configure a feature or function (see "Using a configuration page").
Figure 1 Web interface layout

Types of webpages

Webpages include feature, table, and configuration pages. This section provides basic information about these pages. For more information about using the icons and buttons on the pages, see "Icons and buttons."

Using a feature page

As shown in Figure 2, a feature page contains information about a feature module, including its table entry statistics, features, and functions. From a feature page, you can configure features provided by a feature module.
Figure 2 Sample feature page

Using a table page

As shown in Figure 3, a table page displays entries in a table. To sort entries by a field in ascending or descending order, click the field. For example, click MAC Address to sort entries by MAC address.
Figure 3 Sample table page

Using a configuration page

As shown in Figure 4, one configuration page contains all parameters for a configuration task. If a parameter must be configured on another page, the configuration page typically provides a link. You do not need to navigate to the destination page.
For example, you must use an ACL when you configure a packet filter. If no ACLs are available when you perform the task, you can click the Add icon to create an ACL. In this situation, you do not need to navigate to the ACL management page.
Figure 4 Sample configuration page (callouts: Counter icon, Status control icon, Search icons)

Icons and buttons

Table 2 describes icons and buttons you can use to configure and manage the device.
Table 2 Icons and buttons
Icon/button | Icon/button name | Task
Help icons:
  Help: Obtain help information for a feature.
  Hint: Obtain help information for a function or parameter.
Counter icon:
  Counter: Identify the total number of table entries.
Navigation icon:
  Next: Access the lower-level page to display information or configure settings.
Status control icon:
  Status control: Control the enable status of the feature.
    If ON is displayed, the feature is enabled. To disable the feature, click the button.
    If OFF is displayed, the feature is disabled. To enable the feature, click the button.
Search icons:
  Search: Enter a search expression in the search box, and then click this icon to perform a basic search.
  Advanced search: Click this icon, and then enter a combination of criteria to perform an advanced search.
Entry management icons:
  Refresh: Refresh table entries manually.
  Add: Add a new entry.
  (icon name not recovered): Confirm the addition of an entry and continue to add an additional entry.
  Detail: Display or modify settings of an entry. This icon appears at the end of an entry when you hover over the entry.
  Delete: Delete an entry. This icon appears at the end of an entry when you hover over the entry.
  Bulk-delete: Select one or multiple entries, and then click this icon to delete the selected entries.
  Field selector: Select fields to be displayed.
Advanced settings:
  Advanced settings: Access the configuration page to configure settings.

Performing basic tasks

This section describes the basic tasks that must be frequently performed when you configure or manage the device.

Saving the configuration

Typically, settings take effect immediately after you create them. However, the system does not automatically save the settings to the configuration file. They are lost when the device reboots.
To prevent settings from being lost, use one of the following methods to save the configuration:
Click the Save icon in the left corner.
Select Device > Maintenance > Configuration to access the configuration management page.

Displaying or modifying settings of a table entry

1. Hover over the entry.
2. Click the Detail icon at the end of the entry.

Rebooting the device

Reboot is required for some settings (for example, the stack setup) to take effect. To reboot the device:
1. Save the configuration.
2. Select Device > Maintenance > Reboot.
3. On the reboot page, click the reboot button.
NOTE:
In the navigator tables, a menu is in boldface if it has submenus.

Feature navigator

Menu items and icons available to you depend on the user roles you have. By default, you can use any user roles to display information. To configure features, you must have the network-admin user role.
This chapter describes all menus available for the network-admin user role. The top-level menu includes Dashboard, Device, Network, Resources, QoS, Security, PoE, and Log. For each top menu, a navigator table is provided. Use the navigator tables to navigate to the pages for the tasks you want to perform.
For example:
To change the default device name, select Device > Maintenance > Settings from the navigation tree.
To delete an IPv4 ACL, select Resources > ACL > IPv4 from the navigation tree.

Dashboard menu

The dashboard menu provides an overview of the system and its running status, including:
System logs.
System utilization.
System info.
This menu does not contain submenus.

Device menu

Use Table 3 to navigate to the tasks you can perform from the Device menu.
Table 3 Device menu navigator
Maintenance > Settings:
  Configure basic device settings, including the device name, location, and contact.
  Configure the system time settings. You can manually set the system time, or configure the device to obtain the UTC time from a trusted time source and calculate the system time.
Maintenance > Administrators:
  Create, modify, or delete user roles.
  Create, modify, or delete user accounts.
  Assign user roles to administrators for access control.
  Manage passwords.
Maintenance > Configuration:
  Save the running configuration.
  Import configuration and export the running configuration. This task is not supported in Release 3111P02.
  Display the running configuration.
  Restore the factory-default configuration.
Maintenance > File System:
  Display storage medium information.
  Display file and folder information.
  Delete files.
  Download and upload files.
Maintenance > Upgrade:
  Upgrade software images.
  Display software image lists, including:
    Current software images.
    Main and backup startup software images.
Maintenance > Diagnostics:
  Collect diagnostic information used for system diagnostics and troubleshooting.
Maintenance > Reboot:
  Reboot the device.
Maintenance > About:
  Display basic device information, including:
    Device name.
    Serial number.
    Version information.
    Electronic label.
    Legal statement.
Virtualization > IRF:
  Configure the following settings to set up an HPE OfficeConnect 1950 stack:
    Member ID.
    Priority.
    Domain ID.
    Stack port bindings.
  Display the stack topology.

Network menu

Use Table 4 to navigate to the tasks you can perform from the Network menu.
Table 4 Network menu navigator
Probe > Ping:
  Test the connectivity to a device in an IPv4 network.
  Test the connectivity to a device in an IPv6 network.
Probe > Tracert:
  IPv4 Tracert.
  IPv6 Tracert.
Interfaces > Interfaces:
  Display interfaces and their attributes, including:
    Interface status.
    IP address.
    Speed and duplex mode.
    Interface description.
  Change interface settings.
  Delete logical interfaces.
Interfaces > Link Aggregation:
  Create, modify, or delete Layer 2 aggregation groups.
  Set the statistics polling interval.
Interfaces > Storm Constrain:
  Set storm control parameters.
  Display storm control information.
Interfaces > Isolation:
  Create isolation groups.
  Modify isolation groups.
Links > VLAN:
  Configure port-based VLANs.
  Create VLAN-interfaces.
Links > Voice VLAN:
  Assign ports to voice VLANs.
  Set the port mode to manual or automatic.
  Set the voice VLAN mode to normal or security.
  Configure the QoS settings for voice packets.
  Add OUI addresses.
Links > MAC:
  Create or delete static MAC entries, dynamic MAC entries, and blackhole MAC entries.
  Display existing MAC entries.
Links > STP:
  Enable or disable STP globally.
  Enable or disable STP on interfaces.
  Configure the STP operating mode as STP, RSTP, PVST, or MSTP.
  Configure instance priorities.
  Configure MST regions.
Links > LLDP:
  Enable or disable LLDP.
  Modify the LLDP operating mode.
  Modify the interface mode.
  Configure LLDP to advertise the specified TLVs.
Links > DHCP Snooping:
  Configure a port as a trusted or untrusted port.
  Record and back up DHCP snooping entries.
  Configure the following features for DHCP snooping ports:
    MAC address check.
    DHCP-REQUEST check.
    DHCP packet rate limit.
    Max DHCP snooping entries.
  Enable support for Option 82. If Option 82 is enabled, you can configure the handling strategy, the padding format, and the padding contents for Option 82.
IP > IP:
  Configure the method to obtain an IP address (DHCP or static).
  Configure the IP address or MTU of an interface.
  Create a loopback interface.
IP > ARP:
  Manage dynamic ARP entries and static ARP entries.
  Configure ARP proxy.
  Configure gratuitous ARP.
  Configure ARP attack protection.
IP > DNS:
  Configure IPv4 static domain name resolution.
  Configure IPv4 dynamic domain name resolution.
  Configure the DNS proxy.
  Configure IPv4 domain name suffixes.
IP > Dynamic DNS:
  Manage dynamic DNS policies.
  Configure an interface to be associated with the dynamic DNS policy.
IPv6 > IPv6:
  Configure the method to obtain an IPv6 address (manual assignment, dynamic assignment, or auto generation).
  Configure the IPv6 address of an interface.
  Create a loopback interface.
IPv6 > ND:
  Manage dynamic ND entries and static ND entries.
  Configure the aging time for stale ND entries.
  Minimize link-local ND entries.
  Configure hop limit.
  Configure RA prefix attributes, including:
    Address prefix.
    Prefix length.
    Valid lifetime.
    Preferred lifetime.
  Configure RA settings for an interface, including:
    RA message suppression.
    Maximum and minimum intervals for sending RA messages.
    Hop limit.
    M-flag.
    O-flag.
    Router lifetime.
    NS retransmission interval.
    Router preference.
    Neighbor reachable time.
  Enable common and local ND proxy on an interface.
  Configure ND rules for the interface.
IPv6 > DNS:
  Configure static and dynamic IPv6 domain name resolution.
  Configure the IPv6 DNS proxy.
  Configure IPv6 domain name suffixes.
Mirroring > Port Mirroring:
  Configure local mirroring groups.
  Configure remote mirroring groups.
Routing > Routing Table:
  Display IPv4 and IPv6 routing table information, including brief routing table information and route statistics.
Routing > Static Routing:
  Display IPv4 and IPv6 static route entries.
  Create, modify, and delete IPv4 and IPv6 static route entries.
Routing > Policy-Based Routing:
  Create, modify, and delete IPv4 and IPv6 policies.
  Configure interface PBR.
  Configure local PBR.
Multicast > IGMP Snooping:
  Configure IGMP snooping functions, including:
    Enable dropping unknown multicast data.
    Configure the IGMP snooping querier.
    Enable fast-leave processing.
    Set the maximum number of multicast groups on a port.
Multicast > MLD Snooping:
  Configure MLD snooping functions, including:
    Enable dropping unknown IPv6 multicast data.
    Configure the MLD snooping querier.
    Enable fast-leave processing.
    Set the maximum number of IPv6 multicast groups on a port.
Service > DHCP:
  Configure DHCP server functions, including:
    Configure DHCP services.
    Configure the interface to operate in the DHCP server mode.
    Configure DHCP address pools.
    Configure the IP address conflict detection.
  Configure DHCP relay agent functions, including:
    Configure DHCP services.
    Configure the DHCP relay agent mode.
    Configure the IP address of the DHCP server.
  Configure settings for DHCP relay entries, including:
    Recording of DHCP relay entries.
    Periodic refreshing of DHCP relay entries.
    Interval for refreshing DHCP relay entries.
Service > HTTP/HTTPS:
  Enable or disable HTTP service.
  Enable or disable HTTPS service.
  Set the Web connection idle timeout.
  Set the HTTP service port number.
  Set the HTTPS service port number.
  Specify Web access control ACLs.
Service > SSH (not available in Release 3111P02):
  Enable the Stelnet, SFTP, and SCP services.
  Set the DSCP in packets sent by the device.
  Filter SSH clients by using an ACL.
  Set the SFTP connection idle timeout time.
Service > FTP:
  Enable or disable FTP service.
  Set the DSCP value for the device to use for outgoing FTP packets.
  Specify the FTP access control ACL.
  Set the FTP connection idle timeout.
Service > Telnet:
  Enable or disable Telnet service.
  Set the DSCP values for the device to use for outgoing IPv4 or IPv6 Telnet packets.
  Specify Telnet access control ACLs.
Service > NTP:
  Configure the device to use the local clock as the reference clock.
Service > SNMP:
  Enable SNMP.
  Configure SNMP parameters such as version, community name, group, and users.
  Configure the notification sending function.

Resources menu

The Resources menu contains common resources that can be used by multiple features. For example, you can use an ACL both in a packet filter to filter traffic and in a QoS policy to match traffic.
NOTE:
You can create ACLs from ACL pages or during the process of configuring a feature that uses ACLs. However, to modify or delete an ACL, you must access the ACL menu.
Use Table 5 to navigate to the tasks you can perform from the Resources menu.
Table 5 Resources menu navigator
ACLs > IPv4:
  Create, modify, or delete an IPv4 basic ACL.
  Create, modify, or delete an IPv4 advanced ACL.
ACLs > IPv6:
  Create, modify, or delete an IPv6 basic ACL.
  Create, modify, or delete an IPv6 advanced ACL.
ACLs > Ethernet:
  Create, modify, or delete an Ethernet frame header ACL.
Time Range > Time Range:
SSL > SSL:
  Create, modify, or delete an SSL client policy.
  Create, modify, or delete an SSL server policy.
Public key > Public key:
  Manage local asymmetric key pairs.
  Manage peer host public keys.
PKI > PKI:
  Manage CA and local certificates.
  Create, modify, or delete a PKI domain or PKI entity.
PKI > Certificate Access Control:
  Create, modify, or delete a certificate access control policy.
  Create, modify, or delete a certificate attribute group.

QoS menu

Use Table 6 to navigate to the tasks you can perform from the QoS menu.
Table 6 QoS menu navigator
QoS > QoS Policies:
  Create, modify, or delete interface QoS policies.
  Create, modify, or delete VLAN QoS policies.
  Create, modify, or delete global QoS policies.
QoS > Hardware Queuing:
  Modify hardware queuing configuration.
QoS > Priority Mapping:
  Configure the port priority.
  Configure the priority trust mode for a port.
  Configure priority maps:
    Apply and reset the 802.1p-to-local priority map.
    Apply and reset the DSCP-to-802.1p priority map.
    Apply and reset the DSCP-to-DSCP priority map.
QoS > Rate Limit:
  Create, modify, or delete rate limit.

Security menu

Use Table 7 to navigate to the tasks you can perform from the Security menu.
Table 7 Security menu navigator
Packet Filter > Packet Filter:
  Create, modify, or delete a packet filter for an interface, a VLAN, or the system.
  Configure the default action for the packet filter.
IP Source Guard:
  Configure an interface-specific static IPv4 source guard binding.
Access Control > 802.1X:
  Enable or disable 802.1X.
  Configure the 802.1X authentication method.
  Configure the port access control method.
  Configure the port authorization state.
  Configure the authentication ISP domain on a port.
Access Control > MAC Authentication:
  Enable or disable MAC authentication.
  Configure the username format.
  Configure the MAC authentication ISP domain.
Access Control > Port Security:
  Enable or disable port security.
  Configure the port security mode.
  Configure the intrusion protection action.
  Configure the NTK mode.
  Configure secure MAC aging mode.
Authentication > Portal:
  Configure a portal authentication server.
  Configure a portal Web server.
  Configure a local portal Web server.
  Create portal-free rules.
  Create interface policies.
Authentication > ISP Domains:
  Configure ISP domains.
Authentication > RADIUS:
  Configure RADIUS schemes.
Authentication > TACACS:
  Configure TACACS schemes.
Authentication > Local Users:
  Configure local users.

PoE menu

Use Table 8 to navigate to the tasks you can perform from the PoE menu.
Table 8 PoE menu navigator
PoE:
  Configure the maximum PoE power and power alarm threshold for the device.
  Enable or disable PoE on an interface.
  Configure the maximum PoE power, power supply priority, PD description, and fault description for an interface.

Log menu

Use Table 9 to navigate to the tasks you can perform from the Log menu.
Table 9 Log menu navigator
Log > System Log:
  Display log information.
  Query, collect, and delete log information.
Log > Settings:
  Enable or disable log output to the log buffer, and configure the maximum number of logs in the log buffer.
  Configure the address and port number of log hosts.

Device management

Settings

Access the Settings page to change the device name, location, and system time.

System time sources

Correct system time is essential to network management and communication. Configure the system time correctly before you run the device on the network.
The device can use the manually set system time, or obtain the UTC time from a time source on the network and calculate the system time.
When using the locally set system time, the device uses the clock signals generated by its built-in crystal oscillator to maintain the system time.
If you change the time zone or daylight saving settings without changing the date or time, the device adjusts the system time based on the new settings.
After obtaining the UTC time from a time source, the device uses the UTC time and the time zone and daylight saving settings to calculate the system time. Then, the device periodically synchronizes the UTC time and recalculates the system time.
If you change the time zone or daylight saving settings, the device recalculates the system time.
The system time calculated by using the UTC time from a time source is more precise. Make sure the time zone and daylight saving setting are the same as the parameters of the place where the device resides. If the system time does not change accordingly when the daylight saving period ends, refresh the Web interface.

Clock synchronization protocols

The device supports the following clock synchronization protocols:
NTP—Network Time Protocol. NTP is typically used in large networks to dynamically synchronize time among network devices. It provides higher clock accuracy than manual system time configuration.
SNTP—Simple NTP, a simpler implementation of NTP. SNTP uses the same packet formats and exchange procedures as NTP. However, SNTP simplifies the clock synchronization procedure. Compared with NTP, SNTP uses less resources and implements clock synchronization in shorter time, but it is not as accurate as NTP.

NTP/SNTP operating modes

NTP supports two operating modes: client/server mode and symmetric active/passive mode. The device can act only as a client in client/server mode or the active peer in symmetric active/passive mode.
SNTP supports only the client/server mode. The device can act only as a client.
Table 10 NTP/SNTP operating modes
Mode: Client/server
  Operating process:
    1. A client sends a clock synchronization message to the NTP servers.
    2. Upon receiving the message, the servers automatically operate in server mode and send a reply.
    3. If the client is synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source.
    You can configure multiple time servers for a client.
    This operating mode requires that you specify the IP address of the NTP server on the client.
  Principle: A client can synchronize to a server, but a server cannot synchronize to a client.
  Application scenario: This mode is intended for scenarios where devices of a higher stratum synchronize to devices with a lower stratum.
Mode: Symmetric active/passive
  Operating process:
    1. A symmetric active peer periodically sends clock synchronization messages to a symmetric passive peer.
    2. The symmetric passive peer automatically operates in symmetric passive mode and sends a reply.
    3. If the symmetric active peer can be synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source.
    You must specify the IP address of the symmetric passive peer on the symmetric active peer.
  Principle: A symmetric active peer and a symmetric passive peer can be synchronized to each other. If both of them are synchronized, the peer with a higher stratum is synchronized to the peer with a lower stratum.
  Application scenario: This mode is most often used between servers with the same stratum to operate as a backup for one another. If a server fails to communicate with all the servers of a lower stratum, the server can still synchronize to the servers of the same stratum.

NTP/SNTP time source authentication

The time source authentication function enables the device to authenticate the received NTP or SNTP packets. This feature ensures that the device obtains the correct GMT.

Administrators

An administrator configures and manages the device from the following aspects:
User account management—Manages user account information and attributes (for example, username and password).
Role-based access control—Manages user access permissions by user role.
Password control—Manages user passwords and controls user login status based on predefined policies.
IMPORTANT:
The security-audit user role has access only to security log menus. Security log menus are not supported on the current Web interface, so do not assign the security-audit user role to any users.
The service type of an administrator can be SSH, Telnet, FTP, HTTP, HTTPS, PAD, or terminal. A terminal user can access the device through the console, Aux, or Async port.

User account management

A user account on the device manages attributes for users who log in to the device with the same username. The attributes include the username, password, services, and password control parameters.

Role-based access control

Assign users user roles to control the users' access to functions and system resources. Assigning permissions to a user role includes the following:
Defines a set of rules to determine accessible or inaccessible functions for the user role.
Configures resource access policies to specify which interfaces and VLANs are accessible to the user role.
To configure a function related to a resource (an interface or VLAN), a user role must have access to both the function and the resource.
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
Interface policy—Controls access to interfaces.
VLAN policy—Controls access to VLANs.
You can perform the following tasks on an accessible interface or VLAN:
Create or remove the interface or VLAN.
Configure attributes for the interface or VLAN.
Apply the interface or VLAN to other parameters.
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces and VLANs). Their access permissions differ.
If the predefined user roles cannot meet the access requirements, you can define new user roles to control the access permissions for users.
Assigning user roles
Depending on the authentication method, user role assignment has the following methods:
Local authorization—If the user passes local authorization, the device assigns the user roles specified in the local user account.
Remote authorization—If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server.
A user who fails to obtain a user role is logged out of the device. If multiple user roles are assigned to a user, the user can use the collection of functions and resources accessible to all the user roles.
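The following is an added example, not code from this guide or from HPE. It models the access rules described above: a user role carries function rules and resource access policies (interface policy and VLAN policy), configuring a function on a resource requires access to both, and a user holding several roles gets the collection of what those roles allow. The role names, function names, interface names and VLAN IDs are constructed for illustration.

```python
"""Toy model of the role-based access control described in this section.
Added example (not HPE code); all names and IDs below are constructed."""

from dataclasses import dataclass, field


@dataclass
class UserRole:
    name: str
    # Function rules: the set of functions the role may use (constructed names).
    permitted_functions: set = field(default_factory=set)
    # Resource access policies: which interfaces and VLANs the role may touch.
    interface_policy: set = field(default_factory=set)
    vlan_policy: set = field(default_factory=set)

    def can_access_function(self, function):
        return function in self.permitted_functions

    def can_access_resource(self, resource):
        """resource is ('interface', name) or ('vlan', vlan_id)."""
        kind, ident = resource
        if kind == "interface":
            return ident in self.interface_policy
        if kind == "vlan":
            return ident in self.vlan_policy
        return False


def check_access(roles, function, resource=None):
    """Return True if the user's roles grant the function and, when a resource
    is involved, also grant that resource.

    A user with no role at all is logged out, so nothing is allowed. With
    several roles, the user may use the collection of functions and resources
    accessible to all of them, so each check is satisfied if any role grants it."""
    if not roles:
        return False
    function_ok = any(r.can_access_function(function) for r in roles)
    if resource is None:
        return function_ok
    resource_ok = any(r.can_access_resource(resource) for r in roles)
    return function_ok and resource_ok


def example_roles():
    """Two constructed roles used to exercise the checks."""
    vlan_admin = UserRole(
        name="vlan-admin",
        permitted_functions={"vlan-config"},
        vlan_policy={10, 20},
    )
    port_admin = UserRole(
        name="port-admin",
        permitted_functions={"interface-config"},
        interface_policy={"GE1/0/1", "GE1/0/2"},
    )
    return {"vlan-admin": vlan_admin, "port-admin": port_admin}


if __name__ == "__main__":
    roles = example_roles()
    # vlan-admin may configure VLAN 10 but not VLAN 30, which its VLAN policy omits.
    print(check_access([roles["vlan-admin"]], "vlan-config", ("vlan", 10)))
    print(check_access([roles["vlan-admin"]], "vlan-config", ("vlan", 30)))
    # Function access alone is not enough: vlan-admin cannot configure an interface.
    print(check_access([roles["vlan-admin"]], "interface-config", ("interface", "GE1/0/1")))
```

The resource check fails even when the function is permitted, which is the point of the "both the function and the resource" rule: a role that may run VLAN configuration still cannot touch a VLAN its VLAN policy does not list.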

Password control

Password control allows you to implement the following features:
Manage login and super password setup, expirations, and updates for device management users.
Control user login status based on predefined policies.
Local users are divided into device management users and network access users. This feature applies only to device management users.
Minimum password length
You can define the minimum length of user passwords. If a user enters a password that is shorter than the minimum length, the system rejects the password.
Password composition policy
A password can be a combination of characters from the following types:
Uppercase letters A to Z.
Lowercase letters a to z.
Digits 0 to 9.
Special characters. See Table 11.
Table 11 Special characters
Character name Symbol
Ampersand sign &
Apostrophe '
Asterisk *
At sign @
Back quote `
Back slash \
Blank space N/A
Caret ^
Colon :
Comma ,
Dollar sign $
Dot .
Equal sign =
Exclamation point !
Left angle bracket <
Left brace {
Left bracket [
Left parenthesis (
Minus sign -
Percent sign %
Plus sign +
Pound sign #
Quotation marks "
Right angle bracket >
Right brace }
Right bracket ]
Right parenthesis )
Semi-colon ;
Slash /
Tilde ~
Underscore _
Vertical bar |
Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 12.
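The following is an added example, not code from this guide or from HPE, showing how the rules of this section combine: the minimum length, the four character types with the Table 11 special characters, the minimum number of types, and the minimum characters per type. The default values for those three settings (10, 3 and 1) are assumptions standing in for whatever the administrator configures; Table 12 is not reproduced here.

```python
"""Checker for the password composition policy described in this section.
Added example (not HPE code); the policy values are assumed defaults."""

import string

# The special characters of Table 11. The blank space counts as a special
# character, so it is included in the set.
SPECIAL_CHARACTERS = set("&'*@`\\ ^:,$.=!<{[(-%+#\">}])/;~_|")

CHARACTER_TYPES = ("upper", "lower", "digit", "special")


def classify(password):
    """Count the characters of each type. Characters that belong to none of
    the four types (for example non-ASCII letters) are counted as 'other'."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0, "other": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in SPECIAL_CHARACTERS:
            counts["special"] += 1
        else:
            counts["other"] += 1
    return counts


def check_password(password, min_length=10, min_types=3, min_per_type=1):
    """Return a list of policy violations; an empty list means the password
    is accepted. min_length, min_types and min_per_type are assumed
    administrator settings, not values taken from the guide."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    counts = classify(password)
    if counts["other"]:
        problems.append("contains characters outside the four allowed types")
    # A type only counts towards min_types if it meets the per-type minimum.
    present = [t for t in CHARACTER_TYPES if counts[t] >= min_per_type]
    if len(present) < min_types:
        problems.append(
            f"only {len(present)} character type(s) with at least "
            f"{min_per_type} character(s) each; {min_types} required"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Sw1tch!Admin", "short1A", "password123456"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

Each violation is reported separately rather than stopping at the first one, which is what an administrator wants when tuning the policy: a rejected password shows whether it failed on length, on composition, or on both.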