How it Works
Planet
Loading...
EM-XGS-6350
User Manual
582 pgs4.32 Mb0

Planet EM-XGS-6350 User Manual

Download
PLANET Layer 3 24-/48-Port 10G
SFP+ plus 4-Port 100G QSFP28
XGS-6350-24X4C XGS-6350-48X2Q4C
1
Copyright © PLANET Technology Corp. 2022. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User's Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred.
Information in this User's Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User's Manual. PLANET makes no commitment to update or keep current the information in this User's Manual, and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
FCC Warning
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the Instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at whose own expense.
CE Mark Warning
This device is compliant with Class A of CISPR 32. In a residential environment this equipment may cause radio interference.
WEEE Warning
To avoid the potential effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment, end users of electrical and electronic equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste and have to collect such WEEE separately.
Energy Saving Note of the Device
This power required device does not support Standby mode operation. For energy saving, please remove the power cable to disconnect the device from the power circuit. Without removing power cable, the device will still consuming power from the power source. In the view of
Saving the Energy and reduce the unnecessary power consuming, it is strongly suggested to remove the power connection for the device if this device is not intended to be active.
Revision
User’s Manual of PLANET Layer 3 24-/48-Port 10G SFP+ plus 4-Port 100G QSFP28 Managed Switch
Models: XGS-6350-24X4C, XGS-6350-48X2Q4C Revision: 1.0 Part No: EM-XGS-6350 Series Configuration Guide_v1.0
2
Contents
CHAPTER 1 INTRODUCTION .......................................................................................... 30
1.1 PACKET CONTENTS .............................................................................................................................. 30
1.2 PRODUCT DESCRIPTION ........................................................................................................................ 31
1.3 PRODUCT FEATURES ............................................................................................................................ 34
1.4 PRODUCT SPECIFICATIONS .................................................................................................................... 37
CHAPTER 2 INSTALLATION ............................................................................................ 43
2.1 HARDWARE DESCRIPTION ..................................................................................................................... 43
2.1.1 Switch Front Panel ................................................................................................................... 43
2.1.2 LED Indications ........................................................................................................................ 44
2.2 SWITCH INSTALLATION .......................................................................................................................... 47
2.2.1 Desktop Installation .................................................................................................................. 47
2.2.2 Rack Mounting ......................................................................................................................... 48
CHAPTER 3 CONFIGURATION PREPARATION ............................................................. 50
3.1 PORT NUMBER OF THE SWITCH ............................................................................................................. 50
3.2 PREPARATION BEFORE SWITCH START UP .............................................................................................. 50
3.3 ACQUIRING HELP .................................................................................................................................. 50
3.4 COMMAND MODES ................................................................................................................................ 51
3.5 CANCELING A COMMAND ....................................................................................................................... 52
3.6 SAV IN G CONFIGURATION ....................................................................................................................... 52
CHAPTER 4 SYSTEM MANAGEMENT CONFIGURATION ............................................. 53
4.1 FILE MANAGEMENT CONFIGURATION ..................................................................................................... 53
4.1.1 Managing the file system ......................................................................................................... 53
4.1.2 Commands for the file system ................................................................................................. 53
4.1.3 Starting up from a file manually ............................................................................................... 53
4.1.4 Updating software .................................................................................................................... 55
4.1.5 Updating configuration ............................................................................................................. 58
4.1.6 Using ftp to perform the update of software and configuration ................................................ 59
4.2 BASIC SYSTEM MANAGEMENT CONFIGURATION ..................................................................................... 61
4.2.1 Configuring Ethernet IP Address .............................................................................................. 61
4.2.2 Setting the Default Route ......................................................................................................... 63
4.2.3 Using Ping to Test Network Connection State ......................................................................... 65
CHAPTER 5 TERMINAL CONFIGURATION .................................................................... 68
5.1 VTY CONFIGURATION OVERVIEW .......................................................................................................... 68
3
5.2
CONFIGURATION TASKS ........................................................................................................................ 68
5.2.1 Relationship between Line and Interface ................................................................................. 68
5.3 MONITOR AND MAINTENANCE ................................................................................................................ 69
5.4 BROWSING LOGS .................................................................................................................................. 69
5.5 VTY CONFIGURATION EXAMPLE ............................................................................................................ 69
CHAPTER 6 SSH CONFIGURATION COMMANDS ......................................................... 70
6.1 SSH OVERVIEW .................................................................................................................................... 70
6.1.1 SSH Server .............................................................................................................................. 70
6.1.2 SSH Client ................................................................................................................................ 70
6.1.3 Attribute Realization ................................................................................................................. 70
6.2 CONFIGURATION TASKS ........................................................................................................................ 70
6.2.1 Configuring the Authentication Method List ............................................................................. 70
6.2.2 Configuring Access List ............................................................................................................ 70
6.2.3 Configuring the Authentication Timeout Time .......................................................................... 70
6.2.4 Configuring the Authentication Retry Times ............................................................................. 71
6.2.5 Configuring the Login Silence Period ....................................................................................... 71
6.2.6 Enabling Encryption Key Saving Function ............................................................................... 71
6.2.7 Enabling SFTP Function .......................................................................................................... 71
6.2.8 Enabling SSH Server ............................................................................................................... 72
6.3 CONFIGURATION EXAMPLE OF SSH SERVER .......................................................................................... 72
6.3.1 ACL ........................................................................................................................................... 72
6.3.2 Global Configuration ................................................................................................................ 72
CHAPTER 7 NETWORK MANAGEMENT CONFIGURATION ......................................... 73
7.1 SNMP CONFIGURATION ........................................................................................................................ 73
7.1.1 Overview .................................................................................................................................. 73
7.2 SNMP TASKS ...................................................................................................................................... 74
7.3 LLC2 CONFIGURATION TAST ................................................................................................................ 74
7.3.1 Configuring Idle Time Value ..................................................................................................... 74
7.3.2 Configuring the Time Value of Waiting for Acknowledgement ................................................. 75
7.3.3 Configuring Busy Time Value of Remote Terminal ................................................................... 75
7.3.4 Configuring Time Value of Response ....................................................................................... 75
7.3.5 Configuring the Time of Rejection ............................................................................................ 76
7.3.6 Configuring the Redial Times ................................................................................................... 76
7.3.7 Configuring the Size Of Window for Resending ...................................................................... 77
7.3.8 Configuring the Size of Accumulated Data Packet .................................................................. 77
7.3.9 Setting the Acknowledgement Time-Delay .............................................................................. 77
7.3.10 Setting the Maximum Numbers of Acknowledgement ........................................................... 78
7.3.11 Showing LLC2 Link Information ............................................................................................. 78
7.3.12 Debugging LLC2 Link Information ......................................................................................... 78
7.4 EXAMPLE OF LLC2 CONFIGURATION ..................................................................................................... 79
4
7.4.1 Configuring SDLC as Two-Way and Concurrent Mode ........................................................... 79
7.4.2 Configuring SDLC Timer and Re-Sending Times .................................................................... 79
7.4.3 Configuring the Number of SDLC Frame and Information Frame ........................................... 80
7.4.4 Controlling the Size of Cache .................................................................................................. 80
7.4.5 Controlling the polling of slave station ..................................................................................... 80
7.4.6 Configuring SDLC Interface as Half-Duplex Mode .................................................................. 81
7.4.7 Configuring XID Value .............................................................................................................. 81
7.4.8 Configuring the Maximum Value of SDLC Information Frame ................................................. 81
7.4.9 Monitoring SDLC Workstation .................................................................................................. 82
CHAPTER 8 AAA CONFIGURATION ............................................................................... 83
8.1 AAA OVERVIEW ................................................................................................................................... 83
8.1.1 AAA Security Service ............................................................................................................... 83
8.1.2 Benefits of Using AAA .............................................................................................................. 83
8.1.3 AAA Principles .......................................................................................................................... 84
8.1.4 AAA Method List ....................................................................................................................... 84
8.1.5 AAA Configuration Process ...................................................................................................... 85
8.2 AUTHENTICATION CONFIGURATION ........................................................................................................ 85
8.2.1 AAA Authentication Configuration Task List ............................................................................. 85
8.2.2 AAA Authentication Configuration Task .................................................................................... 86
8.2.3 AAA Authentication Configuration Example ............................................................................. 96
8.3 AUTHORIZATION CONFIGURATION .......................................................................................................... 97
8.3.1 AAA Authorization Configuration Task List ............................................................................... 97
8.3.2 AAA Authorization Configuration Task ...................................................................................... 97
8.3.3 AAA Authorization Examples .................................................................................................... 99
8.4 AAA ACCOUNTING CONFIGURATION ................................................................................................... 100
8.4.1 AAA Accounting Configuration Task List ................................................................................ 100
8.4.2 AAA Accounting Configuration Task ....................................................................................... 100
8.5 LOCAL ACCOUNT POLICY CONFIGURATION .......................................................................................... 105
8.5.1 Local Account Policy Configuration Task List ......................................................................... 105
8.5.2 Local Account Policy Configuration Task ............................................................................... 105
8.5.3 Local Account Policy Example ............................................................................................... 108
CHAPTER 9 CONFIGURING RADIUS ........................................................................... 110
9.1 OVERVIEW ........................................................................................................................................... 110
9.1.1 RADIUS Overview ................................................................................................................... 110
9.1.2 RADIUS Operation .................................................................................................................. 111
9.2 RADIUS CONFIGURATION STEPS ......................................................................................................... 111
9.3 RADIUS CONFIGURATION TASK LIST ................................................................................................... 111
9.4 RADIUS CONFIGURATION TASK .......................................................................................................... 111
9.4.1 Configuring Switch to RADIUS Server Communication .......................................................... 111
9.4.2 Configuring Switch to Use Vendor-Specific RADIUS Attributes .............................................. 112
5
9.4.3 Specifying RADIUS Authentication ......................................................................................... 112
9.4.4 Specifying RADIUS Authorization ........................................................................................... 113
9.4.5 Specifying RADIUS Accounting .............................................................................................. 113
9.5 RADIUS CONFIGURATION EXAMPLES .................................................................................................. 113
9.5.1 RADIUS Authentication Example ............................................................................................ 113
9.5.2 RADIUS Application in AAA .................................................................................................... 113
CHAPTER 10 TACACS+ CONFIGURATION .................................................................. 114
10.1 TACACS+ OVERVIEW ....................................................................................................................... 114
10.1.1 The Operation of TACACS+ Protocol ................................................................................... 114
10.2 TACACS+ CONFIGURATION PROCESS ............................................................................................... 116
10.3 TACACS+ CONFIGURATION TASK LIST .............................................................................................. 116
10.4 TACACS+ CONFIGURATION TASK ..................................................................................................... 116
10.4.1 Assigning TACACS+ Server .................................................................................................. 116
10.4.2 Setting up TACACS+ Encrypted Secret Key ......................................................................... 117
10.4.3 Assigning to Use TACACS+ for Authentication ..................................................................... 117
10.4.4 Assigning to Use TACACS+ for Authorization ....................................................................... 117
10.4.5 Assigning to Use TACACS+ for Accounting .......................................................................... 117
10.5 TACACS+ CONFIGURATION EXAMPLE ............................................................................................... 118
10.5.1 TACACS+ Authentication Examples ..................................................................................... 118
10.5.2 TACACS+ Authorization Examples ....................................................................................... 118
10.5.3 TACACS+ Accounting Examples .......................................................................................... 119
CHAPTER 11 HTTP SWITCH CONFIGURATION .......................................................... 120
11.1 HTTP CONFIGURATION ..................................................................................................................... 120
11.1.1 Choosing the Prompt Language .......................................................................................... 120
11.1.2 Setting the HTTP Port .......................................................................................................... 120
11.1.3 Enabling the HTTP Service .................................................................................................. 120
11.1.4 Setting the HTTP Access Mode ........................................................................................... 120
11.1.5 Setting the Maximum Number of VLAN Entries on Web Page ............................................ 121
11.1.6 Setting the Maximum Number of Multicast Entries Displayed on a Web Page ................... 121
11.2 HTTPS CONFIGURATION ................................................................................................................... 121
11.2.1 Setting the HTTP Access Mode ........................................................................................... 121
11.2.2 It is used to set the HTTPS port. .......................................................................................... 121
CHAPTER 12 CONFIGURATION PREPARATION ......................................................... 122
12.1 ACCESSING THE SWITCH THROUGH HTTP ......................................................................................... 122
12.1.1 Initially Accessing the Switch ............................................................................................... 122
12.1.2 Upgrading to the Web-Supported Version ........................................................................... 122
12.2 ACCESSING A SWITCH THROUGH SECURE LINKS................................................................................ 123
12.3 INTRODUCTION OF WEB INTERFACE ................................................................................................... 123
12.3.1 Top Control Bar .................................................................................................................... 124
6
12.3.2 Navigation Bar ...................................................................................................................... 125
12.3.3 Configuration Area ............................................................................................................... 125
12.3.4 Bottom Control Bar ............................................................................................................... 126
12.3.5 Configuration Area ............................................................................................................... 126
CHAPTER 13 BASIC CONFIGURATION ....................................................................... 127
13.1 HOSTNAME CONFIGURATION ............................................................................................................. 127
13.2 TIME MANAGEMENT .......................................................................................................................... 127
CHAPTER 14 CONFIGURATION OF THE PHYSICAL INTERFACE ............................. 129
14.1 CONFIGURING PORT DESCRIPTION .................................................................................................... 129
14.2 CONFIGURING THE ATTRIBUTES OF THE PORT .................................................................................... 129
14.3 RATE CONTROL ................................................................................................................................. 130
14.4 PORT MIRRORING .............................................................................................................................. 130
14.5 LOOPBACK DETECTION ..................................................................................................................... 131
14.6 PORT SECURITY ................................................................................................................................ 131
14.6.1 IP Binding Configuration ...................................................................................................... 131
14.6.2 MAC Binding Configuration .................................................................................................. 131
14.6.3 Setting the Static MAC Filtration Mode ................................................................................ 132
14.6.4 Static MAC Filtration Entries ................................................................................................ 132
14.6.5 Setting the Dynamic MAC Filtration Mode ........................................................................... 132
14.7 STORM CONTROL .............................................................................................................................. 133
14.7.1 Broadcast Storm Control ...................................................................................................... 133
14.7.2 Multicast Storm Control ........................................................................................................ 133
14.7.3 Unknown Unicast Storm Control .......................................................................................... 134
14.8 PORT PROTECT GROUP CONFIGURATION ........................................................................................... 134
14.8.1 Port Protect Group List ......................................................................................................... 134
14.8.2 Port Protect Group Interface Configuration.......................................................................... 135
CHAPTER 15 LAYER-2 CONFIGURATION .................................................................... 136
15.1 VLAN SETTINGS .............................................................................................................................. 136
15.1.1 VLAN List ............................................................................................................................. 136
15.1.2 VLAN Settings ...................................................................................................................... 137
15.2 GVRP CONFIGURATION .................................................................................................................... 137
15.2.1 GVRP Global Attribute Configuration ................................................................................... 137
15.2.2 Global Interface Attribute Configuration ............................................................................... 138
15.3 STP CONFIGURATION ....................................................................................................................... 138
15.3.1 STP Status Information ........................................................................................................ 138
15.3.2 Configuring the Attributes of the STP Port ........................................................................... 139
15.4 IGMP-SNOOPING CONFIGURATION .................................................................................................... 140
15.4.1 IGMP-Snooping Configuration ............................................................................................. 140
7
15.4.2 IGMP-Snooping VLAN List................................................................................................... 140
15.4.3 Static Multicast Address ....................................................................................................... 141
15.4.4 Multicast List ........................................................................................................................ 141
15.5 SETTING STATIC ARP ....................................................................................................................... 142
15.6 STATIC MAC ADDRESS CONFIGURATION ........................................................................................... 142
15.7 LLDP CONFIGURATION ..................................................................................................................... 143
15.7.1 Configuring the Global Attributes of LLDP ........................................................................... 143
15.7.2 LLDP Port Attribute Configuration ........................................................................................ 144
15.8 DDM CONFIGURATION ...................................................................................................................... 144
15.9 LINK AGGREGATION CONFIGURATION ................................................................................................ 144
15.9.1 Port Aggregation Configuration ............................................................................................ 144
15.9.2 Configuring Load Balance of Port Aggregation Group ......................................................... 145
15.10 EAPS RING PROTECTION CONFIGURATION ...................................................................................... 145
15.10.1 EAPS Ring List ................................................................................................................... 145
15.10.2 EAPS Ring Configuration ................................................................................................... 146
15.11 MEAPS CONFIGURATION ................................................................................................................ 146
15.11.1 MEAPS Ring Configuration ................................................................................................ 146
15.11.2 MEAPS Ring Configuration ................................................................................................ 147
15.12 BACKUP LINK PROTOCOL CONFIGURATION ...................................................................................... 147
15.12.1 Backup Link Protocol Global Configuration ....................................................................... 147
15.12.2 Backup Link Protocol Interface Configuration .................................................................... 148
15.13 DHCP SNOOPING CONFIGURATION ................................................................................................. 149
15.13.1 DHCP Snooping Global Attribute Configuration ................................................................. 149
15.13.2 DHCP Snooping VLAN Attribute Configuration .................................................................. 149
15.13.3 DHCP Snooping Interface Attribute Configuration ............................................................. 150
15.13.4 DHCP Snooping Manual Binding Configuration ................................................................ 150
15.14 MTU CONFIGURATION .................................................................................................................... 151
15.15 PDP CONFIGURATION ..................................................................................................................... 151
15.15.1 Configuring the Global Attributes of PDP ........................................................................... 151
15.15.2 Configuring the Attributes of the PDP Port ......................................................................... 151
15.16 STP CONFIGURATION ..................................................................................................................... 152
15.16.1 STP Status Information ...................................................................................................... 152
15.16.2 Configuring the Attributes of the STP Port ......................................................................... 152
15.17 IGMP-SNOOPING CONFIGURATION .................................................................................................. 153
15.17.1 IGMP-Snooping Configuration ........................................................................................... 153
15.17.2 IGMP-Snooping VLAN List ................................................................................................ 153
15.17.3 Static Multicast Address ..................................................................................................... 154
15.17.4 Multicast List ...................................................................................................................... 155
15.18 SETTING STATIC ARP ..................................................................................................................... 155
8
15.19
RING PROTECTION CONFIGURATION ................................................................................................ 156
15.19.1 EAPS Ring List ................................................................................................................... 156
15.19.2 EAPS Ring Configuration ................................................................................................... 156
15.20 EVC CONFIGURATION ..................................................................................................................... 157
15.20.1 Global QinQ Configuration ................................................................................................. 157
15.20.2 Configuring the QinQ Port .................................................................................................. 157
15.21 DDM CONFIGURATION .................................................................................................................... 157
CHAPTER 16 LAYER 3 CONFIGURATION .................................................................... 159
16.1 CONFIGURING THE VLAN INTERFACE ................................................................................................ 159
16.2 SETTING THE STATIC ROUTE ............................................................................................................. 160
16.3 IGMP AGENT ................................................................................................................................... 161
16.3.1 Enabling the IGMP Agent ..................................................................................................... 161
16.3.2 Setting the IGMP Agent ........................................................................................................ 161
CHAPTER 17 ADVANCED CONFIGURATION ............................................................... 162
17.1 QOS CONFIGURATION ....................................................................................................................... 162
17.1.1 Configuring QoS Port ........................................................................................................... 162
17.1.2 Global QoS Configuration .................................................................................................... 163
17.2 MAC ACCESS CONTROL LIST ........................................................................................................... 163
17.2.1 Setting the Name of the MAC Access Control List .............................................................. 163
17.2.2 Setting the Rules of the MAC Access Control List ............................................................... 164
17.2.3 Applying the MAC Access Control List ................................................................................. 164
17.3 IP ACCESS CONTROL LIST ................................................................................................................ 165
17.3.1 Setting the Name of the IP Access Control List ................................................................... 165
17.3.2 Setting the Rules of the IP Access Control List .................................................................... 165
17.3.3 Applying the IP Access Control List ..................................................................................... 167
CHAPTER 18 NETWORK MANAGEMENT CONFIGURATION ..................................... 168
18.1 SNMP CONFIGURATION .................................................................................................................... 168
18.1.1 SNMP Community Management.......................................................................................... 168
18.1.2 SNMP Host Management .................................................................................................... 169
18.2 RMON ............................................................................................................................................. 169
18.2.1 RMON Statistic Information Configuration ........................................................................... 169
18.2.2 RMON History Information Configuration ............................................................................ 170
18.2.3 RMON Alarm Information Configuration .............................................................................. 170
18.2.4 RMON Event Configuration ................................................................................................. 171
CHAPTER 19 DIAGNOSIS TOOLS ................................................................................ 173
19.1 PING ................................................................................................................................................ 173
19.1.1 Ping ...................................................................................................................................... 173
9
CHAPTER 20 SYSTEM MANAGEMENT ........................................................................ 175
20.1 USER MANAGEMENT ......................................................................................................................... 175
20.1.1 User List ............................................................................................................................... 175
20.1.2 Establishing a New User ...................................................................................................... 176
20.2 LOG MANAGEMENT ........................................................................................................................... 176
20.2.1 Managing the Configuration Files ........................................................................................ 177
20.2.2 Exporting the Configuration Information .............................................................................. 177
20.2.3 Importing the Configuration Information ............................................................................... 177
20.3 SOFTWARE MANAGEMENT ................................................................................................................ 178
20.3.1 Backing up the IOS Software ............................................................................................... 178
20.3.2 Upgrading the IOS Software ................................................................................................ 178
20.4 RESUMING INITIAL CONFIGURATION ................................................................................................... 179
20.5 REBOOTING THE DEVICE ................................................................................................................... 179
CHAPTER 21 INTERFACE CONFIGURATION OVERVIEW .......................................... 180
21.1 SUPPORTED INTERFACE TYPES ......................................................................................................... 180
21.2 INTERFACE CONFIGURATION INTRODUCTION ...................................................................................... 180
CHAPTER 22 INTERFACE CONFIGURATION .............................................................. 182
22.1 CONFIGURING INTERFACE COMMON ATTRIBUTE ................................................................................. 182
22.2 ADDING DESCRIPTION ....................................................................................................................... 182
22.2.1 Configuring Bandwidth ......................................................................................................... 182
22.2.2 Configuring Time Delay ........................................................................................................ 182
22.3 MONITORING AND MAINTAINING THE PORT ......................................................................................... 182
22.3.1 Browsing the State of an Interface ....................................................................................... 183
22.3.2 Initializing and Deleting the Port .......................................................................................... 183
22.3.3 Closing and Restarting the Port ........................................................................................... 183
22.4 SETTING THE ETHERNET INTERFACE .................................................................................................. 183
22.4.1 Choosing an Ethernet Interface ........................................................................................... 184
22.4.2 Setting the Rate ................................................................................................................... 184
22.4.3 Setting the Duplex Mode of an Interface .............................................................................. 184
22.4.4 Setting Flow Control on an Interface .................................................................................... 184
22.5 CONFIGURING LOGICAL INTERFACE ................................................................................................... 185
22.5.1 Configuring Null Interface..................................................................................................... 185
22.5.2 Configuring Loopback Interface ........................................................................................... 185
22.5.3 Configuring Aggregation Interface ....................................................................................... 185
22.5.4 Configuring VLAN Interface ................................................................................................. 186
22.5.5 Configuring SuperVLAN Interface ........................................................................................ 186
CHAPTER 23 INTERFACE CONFIGURATION EXAMPLE ............................................ 187
23.1 CONFIGURING PUBLIC ATTRIBUTE OF INTERFACE ............................................................................... 187
10
23.1.1 Example for Interface Description ........................................................................................ 187
23.1.2 Example of Interface Shutdown ........................................................................................... 187
CHAPTER 24 INTERFACE RANGE CONFIGURATION ................................................ 188
24.1 INTERFACE RANGE CONFIGURATION TASK ......................................................................................... 188
24.1.1 Understanding Interface Range ........................................................................................... 188
24.1.2 Entering Interface Range Mode ........................................................................................... 188
24.1.3 Configuration Example ......................................................................................................... 188
CHAPTER 25 PORT ADDITIONAL CHARACTERISTICS CONFIGURATION ............... 189
25.1 STORM BLOCK ................................................................................................................................. 189
25.2 PORT ISOLATION ............................................................................................................................... 189
25.3 STORM CONTROL ............................................................................................................................. 190
25.4 RAT E LIMIT ....................................................................................................................................... 190
25.5 LOOPBACK DETECTION ..................................................................................................................... 191
25.6 MAC ADDRESS LEARNING ................................................................................................................ 191
25.7 PORT SECURITY ............................................................................................................................... 191
25.8 PORT BINDING .................................................................................................................................. 192
25.9 VLAN MAC ADDRESS LEARNING ..................................................................................................... 193
25.10 VLAN MAC ADDRESS LEARNING NUMBER ..................................................................................... 193
25.11 PORT FEC ..................................................................................................................................... 194
25.12 CONFIGURING LINK SCAN ................................................................................................................ 194
25.12.1 Overview ............................................................................................................................ 194
25.12.2 Link Scan Configuration Task............................................................................................. 194
25.12.3 Configuration Example ....................................................................................................... 195
25.13 CONFIGURING SYSTEM MTU ............................................................................................................. 195
25.13.1 Overview ............................................................................................................................ 195
25.13.2 Configuration Task ............................................................................................................. 195
25.13.3 Configuration Example ....................................................................................................... 196
CHAPTER 26 INTERFACE CONFIGURATION .............................................................. 197
26.1 CONFIGURING THE ETHERNET INTERFACE .......................................................................................... 197
26.1.1 Configuring Flow Control for the Port ................................................................................... 197
26.1.2 Comfiguring the Rate Unit for the Port ................................................................................. 197
26.1.3 Configuring the Storm Control on the Port ........................................................................... 198
CHAPTER 27 SECURE PORT CONFIGURATION ......................................................... 199
27.1 OVERVIEW ........................................................................................................................................ 199
27.2 CONFIGURATION TASK OF THE SECURE PORT .................................................................................... 199
11
27.3
CONFIGURING THE SECURE PORT ..................................................................................................... 199
27.3.1 Configuring the Secure Port Mode ....................................................................................... 199
27.3.2 Configuring the Static MAC Address of the Secure Port ..................................................... 200
CHAPTER 28 CONFIGURING PORT MIRRORING ....................................................... 201
28.1 CONFIGURING PORT MIRRORING TASK LIST ...................................................................................... 201
28.2 CONFIGURING PORT MIRRORING TASK .............................................................................................. 201
28.2.1 Configuring Port Mirroring .................................................................................................... 201
28.2.2 Displaying Port Mirroring Information ................................................................................... 201
28.3 REMOTE MIRRORING CONFIGURATION EXAMPLE ................................................................................ 201
CHAPTER 29 CONFIGURING MAC ADDRESS ATTRIBUTE ........................................ 204
29.1 MAC ADDRESS CONFIGURATION TASK LIST ...................................................................................... 204
29.2 MAC ADDRESS CONFIGURATION TASK .............................................................................................. 204
29.2.1 Configuring Static Mac Address ........................................................................................... 204
29.2.2 Configuring MAC Address Aging Time ................................................................................. 204
29.2.3 Displaying MAC Address Table ............................................................................................ 205
29.2.4 Clearing Dynamic MAC Address .......................................................................................... 205
CHAPTER 30 CONFIGURING MAC LIST ...................................................................... 206
30.1 MAC LIST CONFIGURATION TASK ..................................................................................................... 206
30.1.1 Creating MAC List ................................................................................................................ 206
30.1.2 Configuring Items of MAC List ............................................................................................. 206
30.1.3 Applying MAC List ................................................................................................................ 207
30.2 802.1X CONFIGURATION EXAMPLE .................................................................................................... 207
CHAPTER 31 VLAN CONFIGURATION ......................................................................... 213
31.1 VLAN INTRODUCTION ....................................................................................................................... 213
31.2 DOT1Q TUNNEL OVERVIEW............................................................................................................... 213
31.2.1 Preface ................................................................................................................................. 213
31.2.2 Dot1Q Tunnel Realization Mode .......................................................................................... 214
31.2.3 Modifying Attributes Through TPID Value ............................................................................ 214
31.3 VLANCONFIGURATION TASK LIST ..................................................................................................... 215
31.4 VLAN CONFIGURATION TASK ........................................................................................................... 215
31.4.1 Adding/Deleting VLAN .......................................................................................................... 215
31.4.2 Configuring the Port of the Switch ....................................................................................... 216
31.4.3 Creating/deleting the VLAN interface ................................................................................... 216
31.4.4 Configuring the Super VLAN Interface ................................................................................. 217
31.4.5 Monitoring the VLAN Configuration and VLAN State .......................................................... 217
31.4.6 Enabling or disabling Dot1 Q Tunnel globally and configuring TPID globally ...................... 218
31.4.7 enable/disable globalflat-translation ..................................................................................... 218
31.4.8 Configuring VLAN translation mode and items on a port ..................................................... 218
12
31.4.9 Setting MAC-Based VLAN ................................................................................................... 219
31.4.10 Setting IP Subnet-Based VLAN ......................................................................................... 219
31.4.11 Setting Protocol-Based VLAN ............................................................................................ 220
31.5 CONFIGURATION EXAMPLE ................................................................................................................ 221
31.5.1 SuperVLAN Configuration Example ..................................................................................... 221
31.5.2 Dot1Q Tunnel Configuration Examples ................................................................................ 221
31.6 APPENDIX A ABBREVIATIONS .......................................................................................................... 226
CHAPTER 32 CONFIGURING GVRP ............................................................................. 227
32.1 INTRODUCTION ................................................................................................................................. 227
32.2 CONFIGURING TASK LIST .................................................................................................................. 227
32.2.1 GVRP Configuration Task List .............................................................................................. 227
32.3 GVRP CONFIGURATION TASK ........................................................................................................... 227
32.3.1 Enabling/Disabling GVRP Globally ...................................................................................... 227
32.3.2 Dynamic VLAN to Validate only on a Registered Port ......................................................... 227
32.3.3 Enabling/Disabling GVRP on the Interface .......................................................................... 227
32.3.4 Monitoring and Maintenance of GVRP ................................................................................ 228
32.4 CONFIGURATION EXAMPLE ................................................................................................................ 229
CHAPTER 33 PRIVATE VLAN SETTINGS ..................................................................... 230
33.1 OVERVIEW OF PRIVATE VLAN ........................................................................................................... 230
33.2 PRIVATE VLAN TYPE AND PORT TYPE IN PRIVATE VLAN ................................................................... 230
33.2.1 Having One Primary VLAN Type ......................................................................................... 230
33.2.2 Having Two Secondary VLAN Types ................................................................................... 230
33.2.3 Port Types Under the Private VLAN Port ............................................................................. 230
33.2.4 Modifying the Fields in VLAN TAG ....................................................................................... 230
33.3 PRIVATE VLAN CONFIGURATION TASK LIST ...................................................................................... 231
33.4 PRIVATE VLAN CONFIGURATION TASKS ............................................................................................ 231
33.4.1 Configuring Private VLAN .................................................................................................... 231
33.4.2 Configuring the Association of Private VLAN Domains ....................................................... 231
33.4.3 Configuring the L2 Port of Private VLAN to Be the Host Port .............................................. 232
33.4.4 Configuring the L2 Port of Private VLAN to Be the Promiscuous Port ................................ 232
33.4.5 Modifying Related Fields of Egress Packets in Private VLAN ............................................. 233
33.4.6 Displaying the Configuration Information of Private VLAN .................................................. 233
33.5 CONFIGURATION EXAMPLE ................................................................................................................ 234
CHAPTER 34 CONFIGURING STP ................................................................................ 237
34.1 STP INTRODUCTION .......................................................................................................................... 237
34.2 SSTPCONFIGURATION TASK LIST ..................................................................................................... 238
34.3 SSTP CONFIGURATION TASKS .......................................................................................................... 238
34.3.1 Choosingthe STP Mode ....................................................................................................... 238
13
34.3.2 Disabling/Enabling STP ....................................................................................................... 238
34.3.3 Disabling/Enabling STP on a Port ........................................................................................ 238
34.3.4 Settingthe Bridge Priority ..................................................................................................... 239
34.3.5 Setting the Hello Time .......................................................................................................... 239
34.3.6 Setting the Max Age ............................................................................................................. 239
34.3.7 Setting the Forward Delay ................................................................................................... 239
34.3.8 Setting the PortPriority ......................................................................................................... 240
34.3.9 Value of the path cost of a port ............................................................................................ 240
34.3.10 Monitoring the STP state .................................................................................................... 240
34.3.11 Setting the SNMP Trap ....................................................................................................... 240
34.4 SETTING THE SPANNING TREE OF VLAN ........................................................................................... 241
34.4.1 Overview .............................................................................................................................. 241
34.4.2 VLAN STP Configuration Tasks ........................................................................................... 241
CHAPTER 35 CONFIGURING RSTP.............................................................................. 243
35.1 RSTP CONFIGURATION TASK LIST .................................................................................................... 243
35.2 RSTP CONFIGURATION TASKS .......................................................................................................... 243
35.2.1 Enabling/disabling RSTP of the Switch ................................................................................ 243
35.2.2 Settingthe Bridge Priority ..................................................................................................... 243
35.2.3 Setting the Forward Time ..................................................................................................... 243
35.2.4 Setting the Hello Time .......................................................................................................... 244
35.2.5 Setting the Max Age ............................................................................................................. 244
35.2.6 Value of the path cost of a port ............................................................................................ 245
35.2.7 Setting the Port Priority ........................................................................................................ 245
35.2.8 Setting the Edge Port ........................................................................................................... 245
35.2.9 Setting the Port Connection Type ........................................................................................ 246
35.2.10 Restarting the protocol conversion check .......................................................................... 246
CHAPTER 36 CONFIGURING MSTP ............................................................................. 247
36.1 MSTP INTRODUCTION ....................................................................................................................... 247
36.1.1 Overview .............................................................................................................................. 247
36.1.2 MST Region ......................................................................................................................... 247
36.1.3 IST, CST, CIST and MSTI .................................................................................................... 247
36.1.4 Port Role .............................................................................................................................. 252
36.1.5 MSTP BPDU ........................................................................................................................ 259
36.1.6 Stable State .......................................................................................................................... 260
36.1.7 Hop Count ............................................................................................................................ 261
36.1.8 STP Compatibility ................................................................................................................. 261
36.2 MSTP CONFIGURATION TASK LIST .................................................................................................... 261
36.3 MSTP CONFIGURATION TASKS ......................................................................................................... 262
36.3.1 Default MSTP Configuration ................................................................................................ 262
36.3.2 Enabling and disabling MSTP .............................................................................................. 262
36.3.3 Configuring MSTP region ..................................................................................................... 263
14
36.3.4 Configuring network root ...................................................................................................... 263
36.3.5 Configuring secondary root .................................................................................................. 264
36.3.6 Configuring Bridge Priority ................................................................................................... 265
36.3.7 Configuring time parameters of STP .................................................................................... 265
36.3.8 Configuring network diameter .............................................................................................. 266
36.3.9 Configuring maximum hop count ......................................................................................... 267
36.3.10 Setting the Port Priority ...................................................................................................... 267
36.3.11 Value of the path cost of a port ........................................................................................... 267
36.3.12 Setting the Edge Port ......................................................................................................... 268
36.3.13 Setting the Port Connection Type ...................................................................................... 268
36.3.14 Activating MST-compatible mode ....................................................................................... 268
36.3.15 Restarting the protocol conversion check .......................................................................... 269
36.3.16 Configuring role restriction of the port ................................................................................ 270
36.3.17 Configuring TCN restriction of the port .............................................................................. 270
36.3.18 Check MSTP information ................................................................................................... 270
CHAPTER 37 CONFIGURING STP OPTIONAL CHARACTERISTIC ............................ 271
37.1 STP OPTIONAL CHARACTERISTIC INTRODUCTION .............................................................................. 271
37.1.1 Port Fast ............................................................................................................................... 271
37.1.2 BPDU Guard ........................................................................................................................ 272
37.1.3 BPDU Filter .......................................................................................................................... 272
37.1.4 Uplink Fast ........................................................................................................................... 273
37.1.5 Backbone Fast ..................................................................................................................... 274
37.1.6 Root Guard ........................................................................................................................... 275
37.1.7 Loop Guard .......................................................................................................................... 276
37.2 CONFIGURING STP OPTIONAL CHARACTERISTIC................................................................................ 276
37.2.1 STP Optional Characteristic Configuration Task .................................................................. 276
37.2.2 Configuring Port Fast ........................................................................................................... 277
37.2.3 Configuring BPDU Guard ..................................................................................................... 277
37.2.4 Configuring BPDU Filter ....................................................................................................... 278
37.2.5 Configuring Uplink Fast ........................................................................................................ 279
37.2.6 Configuring Backbone Fast .................................................................................................. 279
37.2.7 Configuring Root Guard ....................................................................................................... 279
37.2.8 Configuring Loop Guard ....................................................................................................... 280
37.2.9 Configuring Loop Fast .......................................................................................................... 280
37.2.10 Configuring Address Table Aging Protection ...................................................................... 281
37.2.11 Configuring FDB-Flush ....................................................................................................... 282
37.2.12 Configuring BPDU Terminal ............................................................................................... 282
CHAPTER 38 CONFIGURING PORT AGGREGATION .................................................. 283
38.1 OVERVIEW ........................................................................................................................................ 283
38.2 PORT AGGREGATION CONFIGURATION TASK ...................................................................................... 283
38.3 PORT AGGREGATION CONFIGURATION TASK ...................................................................................... 283
38.3.1 Configuring Logical Channel Used to Aggregation .............................................................. 283
15
38.3.2 Aggregation of Physical Port ................................................................................................ 283
38.3.3 Selecting Load Balance Method After Port Aggregation ...................................................... 284
38.3.4 Monitoring the Concrete Conditions of Port Aggregation ..................................................... 285
CHAPTER 39 PDP OVERVIEW ...................................................................................... 286
39.1 OVERVIEW ........................................................................................................................................ 286
39.2 PDP CONFIGURATION TASKS ............................................................................................................ 286
39.2.1 Default PDP Configuration ................................................................................................... 286
39.2.2 Setting the PDP Clock and Information Storage .................................................................. 286
39.2.3 Setting the PDP Version ....................................................................................................... 287
39.2.4 Starting PDP on a Switch ..................................................................................................... 287
39.2.5 Starting PDP on a Port ......................................................................................................... 287
39.2.6 PDP Monitoring and Management ....................................................................................... 287
39.3 PDP CONFIGURATION EXAMPLE ........................................................................................................ 287
CHAPTER 40 LINK LAYER 2 DISCOVERY PROTOCOL (LLDP) .................................. 289
40.1 LLDP OVERVIEW ............................................................................................................................. 289
40.2 INITIALIZING THE PROTOCOL .............................................................................................................. 289
40.2.1 Initializing LLDP Transmit Mode........................................................................................... 289
40.2.2 Initializing LLDP Reception Mode ........................................................................................ 290
40.2.3 LLDP PDU Packet Structure Description ............................................................................. 290
40.3 LLDP CONFIGURATION TASK LIST .................................................................................................... 291
40.4 LLDP CONFIGURATION TASKS .......................................................................................................... 291
40.4.1 Disabling/enabling LLDP ...................................................................................................... 291
40.4.2 Configuring holdtime ............................................................................................................ 291
40.4.3 Configuring Timer ................................................................................................................. 292
40.4.4 Configuring Reinit ................................................................................................................. 292
40.4.5 Configuring the To-Be-Sent TLV .......................................................................................... 293
40.4.6 Specifying the Port’s Configuration and Selecting the To-Be-Sent Expanded TLV ............. 294
40.4.7 Configuring the Transmission or Reception Mode ............................................................... 296
40.4.8 Specifying the Management IP Address of a Port ............................................................... 296
40.4.9 Sending Trap Notification to mib Database .......................................................................... 297
40.4.10 Configuring the Location Information ................................................................................. 297
40.4.11 Specifying a Port to Set the Location Information .............................................................. 299
40.4.12 Configuring Show-Relative Commands ............................................................................. 299
40.4.13 Configuring the Delete Commands .................................................................................... 300
40.5 CONFIGURATION EXAMPLE ................................................................................................................ 300
40.5.1 Network Environment Requirements ................................................................................... 300
40.5.2 Network Topology ................................................................................................................. 300
40.5.3 Configuration Procedure ...................................................................................................... 300
CHAPTER 41 INTRODUCTION OF FAST ETHERNET RING PROTECTION ............... 308
16
41.1
OVERVIEW ........................................................................................................................................ 308
41.2 RELATED CONCEPTS OF FAST ETHER-RING PROTECTION .................................................................. 308
41.2.1 Roles of Ring’s Nodes .......................................................................................................... 308
41.2.2 Role of the Ring’s Port ......................................................................................................... 309
41.2.3 Control VLAN and Data VLAN ............................................................................................. 309
41.2.4 Aging of the MAC Address Table ......................................................................................... 310
41.2.5 Symbol of a Complete Ring Network ................................................................................... 310
41.3 TYPES OF EAPS PACKETS ............................................................................................................... 310
41.4 FAST ETHERNET RING PROTECTION MECHANISM ............................................................................... 310
41.4.1 Ring Detection and Control of Master Node ........................................................................ 310
41.4.2 Notification of Invalid Link of Transit Node ............................................................................ 311
41.4.3 Resuming the Link of the Transit Node ................................................................................. 3 1 1
41.5 FAST ETHERNET RING PROTECTION CONFIGURATION ......................................................................... 311
41.6 DEFAULT EAPS SETTINGS ................................................................................................................. 311
41.7 REQUISITES BEFORE CONFIGURATION ............................................................................................... 312
41.8 MEAPS CONFIGURATION TASKS ...................................................................................................... 312
41.9 FAST ETHERNET RING PROTECTION CONFIGURATION ........................................................................ 312
41.9.1 Configuring the Master Node ............................................................................................... 312
41.9.2 Configuring the Transit Node ............................................................................................... 313
41.9.3 Configuring the Ring Port ..................................................................................................... 313
41.9.4 Browsing the State of the Ring Protection Protocol ............................................................. 314
41.10 MEAPS CONFIGURATION ............................................................................................................... 314
41.10.1 Configuration Example ....................................................................................................... 314
CHAPTER 42 IGMP SNOOPING CONFIGURATION ..................................................... 316
42.1 IGMP SNOOPING CONFIGURATION TASK ........................................................................................... 316
42.1.1 Enabling/Disabling IGMP Snooping of VLAN ...................................................................... 316
42.1.2 Adding/Deleting Static Multicast Address of VLAN .............................................................. 317
42.1.3 Configuring Immediate-leave of VLAN ................................................................................. 317
42.1.4 Configuring Static Routing Interface of VLAN ...................................................................... 317
42.1.5 Configuring IPACL of Generating Multicast Forward Table .................................................. 317
42.1.6 Configuring the Function to Filter Multicast Message Without Registered Destination
Addresss ......................................................................................................................................... 318
42.1.7 Configuring Router Age Timer of IGMP Snooping ............................................................... 318
42.1.8 Configuring Response Time of IGMP Snooping. ................................................................. 318
42.1.9 Configuring Querier of IGMP Snooping ............................................................................... 319
42.1.10 Configuring IGMP Snooping’s Querier Time ...................................................................... 319
42.1.11 Configuring Filter of IGMP Snooping.................................................................................. 320
42.1.12 Configuring Clear-group of IGMP Snooping ...................................................................... 320
42.1.13 Configuring quick-query of IGMP-snooping ....................................................................... 320
42.1.14 Configuring Decrease-query-report-for-mvc of IGMP Snooping ........................................ 321
42.1.15 Configuring no-send-special-query of IGMP-snooping ...................................................... 321
17
42.1.16 Configuring Forward-L3-to-Mrouter of IGMP Snooping to Forward the Data Packets to the
Routing Port .................................................................................................................................... 321
42.1.17 Configuring Sensitive mode and Value for IGMP Snooping .............................................. 322
42.1.18 Configuring IGMP Snooping’s v3-leave-check Function ................................................... 322
42.1.19 Configuring IGMP Snooping’s forward-wrongiif-within-vlan Function ................................ 323
42.1.20 Configuring IGMP-snooping’s IPACL function at port ........................................................ 323
42.1.21 Configuring maximum multicast IP address quantity function at IGMP-snooping’s port ... 323
42.1.22 Monitoring and Maintaining IGMP-Snooping ..................................................................... 324
42.1.23 IGMP-Snooping Configuration Example ............................................................................ 325
CHAPTER 43 IGMP PROXY CONFIGURATION ............................................................ 327
43.1 IGMP PROXY CONFIGURATION TASKS ............................................................................................... 327
43.1.1 Enabling/Disabling IGMP-Proxy ........................................................................................... 327
43.1.2 Adding/Deleting VLAN Agent Relationship .......................................................................... 327
43.1.3 Adding/Deleting Static Multicast Source Entries .................................................................. 328
43.1.4 Monitoring and Maintaining IGMP-Proxy ............................................................................. 328
43.1.5 IGMP Proxy Configuration Example .................................................................................... 329
CHAPTER 44 CHAPTER 1 DHCP SNOOPING CONFIGURATION ............................... 330
44.1 IGMP SNOOPING CONFIGURATION TASKS ......................................................................................... 330
44.1.1 Enabling/Disabling DHCP Snooping .................................................................................... 330
44.1.2 Enabling DHCP Snooping in a VLAN .................................................................................. 331
44.1.3 Enabling DHCP Anti-attack in a VLAN. ................................................................................ 331
44.1.4 Setting an Interface to a DHCP-Trusting Interface .............................................................. 331
44.1.5 Enabling/Disabling Binding Table Fast Update Function ..................................................... 332
44.1.6 Enabling DAI in a VLAN ....................................................................................................... 332
44.1.7 Setting an Interface to an ARP-Trusting Interface ............................................................... 332
44.1.8 Enabling Source IP Address Monitoring in a VLAN ............................................................. 332
44.1.9 Setting an Interface to the One Which is Trusted by IP Source Address Monitoring ........... 333
44.1.10 Setting DHCP Snooping Option 82 .................................................................................... 333
44.1.11 Setting the Policy of DHCP Snooping Option82 Packets .................................................. 335
44.1.12 Setting the TFTP Server for Backing Up Interface Binding ............................................... 335
44.1.13 Setting a File Name for Interface Binding Backup ............................................................. 336
44.1.14 Setting the Interval for Checking Interface Binding Backup ............................................... 336
44.1.15 Setting Interface Binding Manually .................................................................................... 337
44.1.16 Monitoring and Maintaining DHCP-Snooping .................................................................... 337
44.1.17 Example of DHCP Snooping Configuration ....................................................................... 338
CHAPTER 45 CONFIGURING LAYER 2 PROTOCOL TUNNEL .................................... 341
45.1 INTRODUCTION ................................................................................................................................. 341
45.2 CONFIGURING LAY E R 2 PROTOCOL TUNNEL....................................................................................... 341
45.3 CONFIGURATION EXAMPLE OF LAY ER 2 PROTOCOL TUNNEL ............................................................... 341
CHAPTER 46 QOS CONFIGURATION ........................................................................... 343
18
46.1
QOS OVERVIEW ............................................................................................................................... 343
46.1.1 QoS Concept ........................................................................................................................ 343
46.1.2 Terminal-To-Terminal QoS Model ......................................................................................... 343
46.1.3 Queue Algorithm of QoS ...................................................................................................... 345
46.1.4 Weighted Random Early Detection ...................................................................................... 349
46.2 QOS CONFIGURATION TASK LIST ...................................................................................................... 351
46.3 QOS CONFIGURATION TASKS ............................................................................................................ 352
46.3.1 Setting the Global CoS Priority Queue ................................................................................ 352
46.3.2 Setting Global Cos to Local Priority Mapping ...................................................................... 352
46.3.3 Setting the Bandwidth of the CoS Priority Queue ................................................................ 353
46.3.4 Setting the Schedule Policy of the CoS Priority Queue ....................................................... 353
46.3.5 Configuring the Minimum and Maximum Bandwidths of CoS Priority Queue ..................... 354
46.3.6 Setting the Default CoS Value of a Port ............................................................................... 354
46.3.7 Setting the CoS Priority Queue of a Port ............................................................................. 354
46.3.8 Setting Cos Priority Queue Based on dscp.......................................................................... 355
46.3.9 Setting QoS Policy Mapping ................................................................................................ 355
46.3.10 Setting the Description of the QoS Policy Mapping ........................................................... 356
46.3.11 Setting the Matchup Data Flow of the QoS Policy Mapping .............................................. 356
46.3.12 Setting the Actions of the Match-up Data Flow of the QoS Policy Mapping ...................... 357
46.3.13 Applying the QoS Policy on a Port ..................................................................................... 358
46.3.14 Configuring the Trust Mode ................................................................................................ 359
46.3.15 Displaying the QoS Policy Mapping Table ......................................................................... 359
46.4 QOS CONFIGURATION EXAMPLE ....................................................................................................... 360
46.4.1 Example for Applying the QoS Policy on a Port ................................................................... 360
46.5 DOS ATTACK OVERVIEW ................................................................................................................... 360
CHAPTER 47 DOS ATTACK PREVENTION CONFIGURATION .................................... 361
47.1 CONCEPT OF DOS ATTACK ............................................................................................................... 361
47.2 DOS ATTACK TYPE ........................................................................................................................... 361
47.3 DOS ATTACK PREVENTION CONFIGURATION TASK LIST ..................................................................... 365
47.4 DOS ATTACK PREVENTION CONFIGURATION TASKS ........................................................................... 365
47.4.1 Configuring Global DoS Attack Prevention .......................................................................... 365
47.4.2 Displaying All DoS Attack Prevention Configurations .......................................................... 366
47.5 DOS ATTACK PREVENTION CONFIGURATION EXAMPLE ....................................................................... 366
CHAPTER 48 ATTACK PREVENTION INTRODUCTION ............................................... 367
48.1 OVERVIEW OF FILTER ........................................................................................................................ 367
48.2 THE MODE OF FILTER ........................................................................................................................ 367
CHAPTER 49 ATTACK PREVENTION CONFIGURATION ............................................ 368
49.1 ATTACK PREVENTION CONFIGURATION TASKS ................................................................................... 368
19
49.2
ATTACK PREVENTION CONFIGURATION .............................................................................................. 368
49.3 CONFIGURING THE ATTACK FILTER PARAMETERS .............................................................................. 368
49.3.1 Configuring the Attack Prevention Type ............................................................................... 369
49.3.2 Enabling the Attack Prevention Function ............................................................................. 370
49.3.3 Checking the State of Attack Prevention .............................................................................. 370
CHAPTER 50 ATTACK PREVENTION CONFIGURATION EXAMPLE .......................... 371
50.1 USING FILTER ARP TO PROTECT THE LAN ........................................................................................ 371
50.2 USING FILTER IP TO PROTECT LAY ER -3 NETWORK............................................................................. 372
CHAPTER 51 CONFIGURING IP ADDRESSING ........................................................... 373
51.1 IP INTRODUCTION ............................................................................................................................. 373
51.1.1 IP .......................................................................................................................................... 373
51.1.2 IP Routing Protocol .............................................................................................................. 373
51.2 CONFIGURING IP ADDRESS TASK LIST .............................................................................................. 374
51.3 CONFIGURING IP ADDRESS ............................................................................................................... 374
51.3.1 Configuring IP Address at the Network Interface ................................................................. 374
51.3.2 Configuring Multiple IP Addresses at the Network Interface ................................................ 375
51.3.3 Configuring Address Resolution ........................................................................................... 376
51.3.4 Configuring Routing Process ............................................................................................... 379
51.3.5 Configuring Broadcast Packet Process ............................................................................... 379
51.3.6 Detecting and Maintaining IP Address ................................................................................. 381
51.4 IP ADDRESSING EXAMPLE................................................................................................................. 381
CHAPTER 52 CONFIGURING DHCP ............................................................................. 382
52.1 OVERVIEW ........................................................................................................................................ 382
52.1.1 DHCP Application ................................................................................................................. 382
52.1.2 Advantages of DHCP ........................................................................................................... 382
52.1.3 DHCP Terms ........................................................................................................................ 382
52.2 CONFIGURING DHCP CLIENT ............................................................................................................ 383
52.2.1 Configuration Task List of DHCP Client ............................................................................... 383
52.2.2 DHCP Client Configuration Tasks ........................................................................................ 383
52.2.3 DHCP Client Configuration Example ................................................................................... 384
52.3 CONFIGURING DHCP SERVER........................................................................................................... 385
52.3.1 DHCP Server Configuration Tasks ....................................................................................... 385
52.3.2 Setting the Address Pool of DHCP Server ........................................................................... 385
52.3.3 DHCP Server Configuration Example .................................................................................. 391
52.4 CONFIGURING DHCP RELAY ............................................................................................................. 392
52.4.1 Configuration Task List of DHCP Relay ............................................................................... 392
52.4.2 DHCP Relay Configuration Tasks ........................................................................................ 392
52.4.3 DHCP Relay Configuration Example ................................................................................... 392
20
CHAPTER 53 CHAPTER 3 IP SERVICE CONFIGURATION ......................................... 393
53.1 CONFIGURING IP SERVICE ................................................................................................................. 393
53.1.1 Managing IP Connection ...................................................................................................... 393
53.1.2 Configuring Performance Parameters ................................................................................. 397
53.1.3 Detecting and Maintaining IP Network ................................................................................. 398
53.2 CONFIGURING ACCESS LIST .............................................................................................................. 399
53.2.1 Filtering IP Packet ................................................................................................................ 399
53.2.2 Creating Standard and Extensible IP Access List ................................................................ 400
53.2.3 Applying the Access List to the Routing Interface ................................................................ 401
53.2.4 Applying the Access List to the Global Mode ....................................................................... 402
53.2.5 Applying the Access List to the Physical Interface ............................................................... 402
53.2.6 Extensible Access List Example .......................................................................................... 402
CHAPTER 54 APPLICATION OF IP ACCESS CONTROL LIST .................................... 404
54.1 APPLYING THE IP ACCESS CONTROL LIST ......................................................................................... 404
54.1.1 Applying ACL on Ports ......................................................................................................... 404
CHAPTER 55 ROUTING PROTOCOL OVERVIEW ........................................................ 405
55.1 IP ROUTING PROTOCOL .................................................................................................................... 405
55.2 CHOOSING ROUTING PROTOCOL ....................................................................................................... 405
55.2.1 Interior Gateway Router Protocol ......................................................................................... 405
55.2.2 Exterior Gateway Routing Protocol ...................................................................................... 406
CHAPTER 56 CONFIGURING VRF ................................................................................ 407
56.1 OVERVIEW ........................................................................................................................................ 407
56.2 VRF CONFIGURATION TASK LIST ...................................................................................................... 407
56.3 CONFIGURATION TASK ...................................................................................................................... 407
56.3.1 Creating VRF Table .............................................................................................................. 407
56.3.2 Relating the interface to VRF ............................................................................................... 407
56.3.3 Configuring the Target VPN Expansion Attribute of VRF ..................................................... 408
56.3.4 Configuring Description of VRF ........................................................................................... 408
56.3.5 Configuring Static Route of VRF .......................................................................................... 409
56.3.6 Monitoring VRF .................................................................................................................... 409
56.3.7 Maintaining VRF ................................................................................................................... 409
56.4 EXAMPLE OF THE VRF CONFIGURATION ............................................................................................ 410
CHAPTER 57 STATIC ROUTING CONFIGURATION ..................................................... 414
57.1 OVERVIEW ........................................................................................................................................ 414
57.2 STATIC ROUTING CONFIGURATION TASK LIST ..................................................................................... 414
57.3 STATIC ROUTING CONFIGURATION TASK ............................................................................................. 415
57.3.1 Configure the Static Routing ................................................................................................. 415
21
57.4
EXAMPLE OF THE STATIC ROUTING CONFIGURATION ........................................................................... 415
CHAPTER 58 CONFIGURING RIP ................................................................................. 416
58.1 OVERVIEW ........................................................................................................................................ 416
58.2 RIP CONFIGURATION TASK LIST ........................................................................................................ 416
58.3 RIP CONFIGURATION TASK ............................................................................................................... 417
58.3.1 Starting the RIP .................................................................................................................... 417
58.3.2 Allowing the mono-broadcasting updtaed and grouped by RIP Router ............................... 417
58.3.3 Using the Offsets on the Route metric ................................................................................. 417
58.3.4 Regulating the Timer ............................................................................................................ 417
58.3.5 Appointing the RIP Version Number .................................................................................... 418
58.3.6 Enabling the RIP Authentication .......................................................................................... 418
58.3.7 Activating the ‘Passive’ and ‘Deaf’ of the Interface .............................................................. 419
58.3.8 Activating RIP Authentication ............................................................................................... 419
58.3.9 Prohibitting the Route summary ........................................................................................... 420
58.3.10 Prohibitting the Authentication of Source IP Address ........................................................ 420
58.3.11 Maximum Number of Routes .............................................................................................. 421
58.3.12 Activating or Prohibit the Horizontal Split ........................................................................... 421
58.3.13 Monitoring and Maintainance of RIP .................................................................................. 422
58.4 EXAMPLE OF THE RIP CONFIGURATION.............................................................................................. 422
CHAPTER 59 BEIGRP CONFIGURATION ..................................................................... 424
59.1 OVERVIEW ........................................................................................................................................ 424
59.2 BEIGRP CONFIGURATION TASK LIST ................................................................................................ 424
59.2.1 Activating BEIGRP Protocol ................................................................................................. 425
59.2.2 Configuring the Sharable Percentage of Bandwidth ............................................................ 425
59.2.3 Adjusting the Arithmetic Coefficient of BEIGRP Composite Distance .................................. 425
59.2.4 Using “Offset” to Adjust the Composite Distance of the Router ........................................... 425
59.2.5 Turning off Auto-Summary ................................................................................................... 426
59.2.6 Customizing Route Summary .............................................................................................. 426
59.2.7 Redistributing Other Routes into the BEIGRP Process ....................................................... 426
59.2.8 Configuring Other Parameters of BEIGRP .......................................................................... 427
59.2.9 Monitoring and Maintaining BEIGRP ................................................................................... 430
59.3 EXAMPLES OF BEIGRP CONFIGURATION ........................................................................................... 430
CHAPTER 60 CONFIGURING OSPF ............................................................................. 431
60.1 OVERVIEW ........................................................................................................................................ 431
60.2 OSPF CONFIGURATION TAST LIST .................................................................................................... 431
60.3 OSPF CONFIGURATION TAST ............................................................................................................ 432
60.3.1 Starting OSPF ...................................................................................................................... 432
60.3.2 Configuring the Interface Parameter of OSPF ..................................................................... 432
60.3.3 Configuring OSPF Network Type ......................................................................................... 432
22
60.3.4 Configuring One-to-Multiple Broadcast Network ................................................................. 433
60.3.5 Configuring Non-Broadcasting Network ............................................................................... 434
60.3.6 Configure OSPF domain ...................................................................................................... 435
60.3.7 Configuring the NSSA Area of OSPF ................................................................................... 435
60.3.8 Configuring Route Summary Within OSPF Domain ............................................................ 435
60.3.9 Configuring the Gathering of a Forwarding Router .............................................................. 436
60.3.10 Creating Default Route ....................................................................................................... 436
60.3.11 Selecting Router ID Through Loopback Interface .............................................................. 436
60.3.12 Configuring the Management Distance of OSPF ............................................................... 436
60.3.13 Configuring the Route Calculation Timer ........................................................................... 437
60.3.14 Configuring the On-Demand Link ...................................................................................... 437
60.3.15 Monitoring and Maintaining OSPF ..................................................................................... 438
60.4 EXAMPLES OF OSPF CONFIGURATION .............................................................................................. 438
60.4.1 Examples of OSPF one-to-multi Point Configuration ........................................................... 438
60.4.2 Examples of OSPF point to multipoints, non-broadcasting configuration ............................ 440
60.4.3 Examples of the configuration of variable length sub-network masks ................................. 440
60.4.4 Examples of the configuration of OSPF route and route distribution ................................... 441
CHAPTER 61 CONFIGURE BGP ................................................................................... 449
61.1 OVERVIEW ........................................................................................................................................ 449
61.1.1 The BGP implementation of the router ................................................................................ 449
61.1.2 How does BGP select the path ............................................................................................ 449
61.2 BGP CONFIGURATION TASK LIST ...................................................................................................... 450
61.2.1 Basic configuration task list of BGP ..................................................................................... 450
61.2.2 Advanced BGP configuration tasks list ................................................................................ 450
61.3 CONFIGURE BASIC BGP FEATURES TAST ........................................................................................... 451
61.3.1 Configuring Basic BGP Features ......................................................................................... 451
61.3.2 Configuring advanced BGP features ................................................................................... 455
61.4 MONITORING AND MAINTAINING BGP ................................................................................................ 459
61.4.1 Deleting the BGP Routing Table and the BGP Database. ................................................... 460
61.4.2 Displaying the Routing Table and the System Statistics Information ................................... 460
61.4.3 Tracking the BGP Information .............................................................................................. 461
61.5 EXAMPLES OF BGP CONFIGURATION ................................................................................................ 461
61.5.1 Example of BGP Route Map ................................................................................................ 461
61.5.2 Example of Neighbour Configuration ................................................................................... 462
61.5.3 Example of BGP Route Filtration based on the Neighbor ................................................... 462
61.5.4 Examples of BGP Route Filtration based on the Interface .................................................. 463
61.5.5 Examples of Using Prefix List to Configure Route Filtration ................................................ 463
61.5.6 Example of BGP Route Aggregation .................................................................................... 464
61.5.7 Example of BGP Route Reflector ........................................................................................ 464
61.5.8 Example of BGP Confederation ........................................................................................... 466
61.5.9 Example of Route Map with BGP Group Attribute ............................................................... 468
23
CHAPTER 62 CONFIGURING RSVP ............................................................................. 470
62.1 OVERVIEW ........................................................................................................................................ 470
62.2 RSVP CONFIGURATION TASK LIST .................................................................................................... 470
62.3 RSVP CONFIGURATION TASK ........................................................................................................... 470
62.3.1 Enable a RSVP on a Router ................................................................................................ 470
62.3.2 Start RSVP in an IP Phone Module Configuration ............................................................... 471
62.3.3 Use RSVP to Configure Command ...................................................................................... 471
62.3.4 Configure TOS and Precedence for RSVP flow .................................................................. 471
62.3.5 Use Access List in RSVP Module ........................................................................................ 472
CHAPTER 63 CONFIGURING PBR ............................................................................... 473
63.1 OVERVIEW ........................................................................................................................................ 473
63.2 PBR CONFIGURATION TASK LIST ...................................................................................................... 473
63.3 PBR CONFIGURATION TASK.............................................................................................................. 473
63.3.1 Create STANDARD Access List ........................................................................................... 473
63.3.2 Create ROUTE-map ............................................................................................................. 473
63.3.3 Apply route-MAP on interface .............................................................................................. 474
63.3.4 Debug PBR .......................................................................................................................... 474
63.4 PBR CONFIGUTION EXAMPLE ............................................................................................................ 474
CHAPTER 64 CONFIGURING DNS ............................................................................... 476
64.1 OVERVIEW ........................................................................................................................................ 476
64.1.1 DNS APPLICATION ............................................................................................................. 476
64.1.2 DNS Term ............................................................................................................................. 476
64.2 DNS CONFIGURATION TASK LIST ...................................................................................................... 477
64.3 DNS CONFIGURATION TASK.............................................................................................................. 477
64.3.1 Enable DNS-based host name-to-address translation ........................................................ 477
64.3.2 Specify the IP address of a domain name server ................................................................ 478
64.3.3 Set a default domain name .................................................................................................. 478
64.3.4 Define a list of domains ........................................................................................................ 478
64.3.5 Define static host name-to-address mapping ...................................................................... 479
64.3.6 Specify times to retry a DNS query ...................................................................................... 479
64.3.7 Specify timeout waiting for response to a DNS query ......................................................... 479
64.3.8 Delete the mapping of a host name to IP address in cache ................................................ 479
64.3.9 Specify the IP address of a primary server .......................................................................... 480
64.3.10 Enable update function of dynamic DNS ........................................................................... 480
64.3.11 Set the period of DNS update ............................................................................................ 480
64.3.12 Bind the domain name to a IP address or IP address of interface .................................... 480
64.3.13 The function of information showing or debug showing ..................................................... 481
64.4 EXAMPLES OF BGP CONFIGURATION ................................................................................................. 482
CHAPTER 65 IP HARDWARE SUBNET ROUTING CONFIGURATION ........................ 483
24
65.1
IP HARDWARE SUBNET CONFIGURATION TASK .................................................................................. 483
65.1.1 Overview .............................................................................................................................. 483
65.1.2 Configuring IP Hardware Subnet Routing ............................................................................ 483
65.2 CONFIGURATION EXAMPLE ................................................................................................................ 483
CHAPTER 66 IP-PBR CONFIGURATION ...................................................................... 485
66.1 IP-PBR CONFIGURATION .................................................................................................................. 485
66.1.1 Enabling or Disabling IP-PBR Globally ................................................................................ 485
66.1.2 ISIS Configuration Task List ................................................................................................. 485
66.1.3 Monitoring and Maintaining MVC ......................................................................................... 486
66.1.4 IP-PBR Configuration Example ............................................................................................ 487
CHAPTER 67 MULTI-VRF CE INTRO ............................................................................ 489
67.1 OVERVIEW ........................................................................................................................................ 489
67.1.1 Establishing Routes with CE ................................................................................................ 489
67.1.2 Establishing Routes with PE ................................................................................................ 490
CHAPTER 68 MULTI-VRF CE CONFIGURATION .......................................................... 491
68.1 DEFAULT VRF CONFIGURATION ......................................................................................................... 491
68.2 MCE CONFIGURATION TASKS ........................................................................................................... 491
68.3 MCE CONFIGURATION ...................................................................................................................... 491
68.3.1 Configuring VRF ................................................................................................................... 491
68.3.2 Configuring VPN Route ........................................................................................................ 492
68.3.3 Configuring the BGP Route Between PE and CE................................................................ 492
68.3.4 Testifying the VRF Connectivity Between PE and CE ......................................................... 493
CHAPTER 69 MCE CONFIGURATION EXAMPLE ........................................................ 494
69.1 CONFIGURING S11 ............................................................................................................................ 494
69.2 CONFIGURING MCE-S1 .................................................................................................................... 494
69.3 CONFIGURING PE ............................................................................................................................. 496
69.4 CONFIGURING MCE-S2 .................................................................................................................... 497
69.5 SETTING S22 .................................................................................................................................... 499
69.6 TESTIFYING VRF CONNECTIVITY ....................................................................................................... 499
CHAPTER 70 VRRP CONFIGURATION ......................................................................... 501
70.1 OVERVIEW ........................................................................................................................................ 501
70.2 VRRP CONFIGURATION TASK LIST .................................................................................................... 501
70.3 VRRP CONFIGURATION TASK ........................................................................................................... 501
70.3.1 Configuring VRRP Virtual IP Address .................................................................................. 501
70.3.2 Configuring VRRP Authentication Mode .............................................................................. 501
70.3.3 Configuring VRRP Description ............................................................................................. 502
25
70.3.4 Configuring VRRP Priority Preemption ................................................................................ 502
70.3.5 Configuring VRRP Protocol Packet MAC Address .............................................................. 502
70.3.6 Configuring VRRP Priority .................................................................................................... 503
70.3.7 Configuring VRRP Clock Value ............................................................................................ 503
70.3.8 Configuring VRRP Monitoring Object .................................................................................. 503
70.3.9 Monitoring and Maintaining VRRP ....................................................................................... 504
70.3.10 VRRP Configuration Example ............................................................................................ 504
CHAPTER 71 MULTICAST OVERVIEW ......................................................................... 508
71.1 MULTICAST ROUTING REALIZATION ................................................................................................... 508
71.2 MULTICAST ROUTING CONFIGURATION TASK LIST .............................................................................. 509
71.2.1 Basic Multicast Configuration Task List ................................................................................ 509
71.2.2 IGMP Configuration Task List ............................................................................................... 509
71.2.3 PIM-DM CONFIGURATION Task List .................................................................................. 509
71.2.4 PIM-SM Configuration Task List ........................................................................................... 510
CHAPTER 72 BASIC MULTICAST ROUTING CONFIGURATION ................................. 511
72.1 STARTI NG UP MULTICAST ROUTING .................................................................................................... 511
72.2 STARTING UP THE MULTICAST FUNCTION ON THE PORT ....................................................................... 511
72.2.1 Starting up PIM-DM ............................................................................................................... 511
72.2.2 Starting up PIM-SM ............................................................................................................... 511
72.3 CONFIGURING TTL THRESHOLD ......................................................................................................... 511
72.4 CONFIGURING IP MULTICAST BOUNDARY ........................................................................................... 512
72.5 CONFIGURING IP MULTICAST HELPER ............................................................................................... 512
72.6 CONFIGURING STUB MULTICAST ROUTE ............................................................................................ 513
72.7 MONITORING AND MAINTAINING MULTICAST ROUTE ............................................................................ 514
CHAPTER 73 IGMP CONFIGURATION ......................................................................... 517
73.1 IGMP OVERVIEW .............................................................................................................................. 517
73.2 IGMP CONFIGURATION ..................................................................................................................... 517
73.3 CHANGING CURRENT IGMP VERSION ................................................................................................ 517
73.3.1 Configuring IGMP Query Interval ......................................................................................... 518
73.3.2 Configuring IGMP Querier Interval ....................................................................................... 518
73.3.3 Configuring Maximum IGMP Response Time ...................................................................... 518
73.3.4 Configuring IGMP Query Interval for the Last Group Member ............................................ 519
73.3.5 Static IGMP Configuration .................................................................................................... 519
73.3.6 Configuring the IGMP Immediate-leave List ........................................................................ 520
73.4 IGMP CHARACTERISTIC CONFIGURATION EXAMPLE ........................................................................... 520
CHAPTER 74 PIM-DM CONFIGURATION ..................................................................... 528
74.1 PIM-DM INTRODUCTION ................................................................................................................... 528
26
74.2
CONFIGURING PIM-DM ..................................................................................................................... 529
74.2.1 Modifying Timer .................................................................................................................... 529
74.2.2 Designating the Version Number ......................................................................................... 529
74.2.3 Configuring State-Refresh.................................................................................................... 529
74.2.4 Configuring Filtration List ..................................................................................................... 529
74.2.5 Setting DR Priority ................................................................................................................ 530
74.2.6 Clearing Item (S,G) .............................................................................................................. 530
74.3 PIM-DM STATE-REFRESH CONFIGURATION EXAMPLE ........................................................................ 530
CHAPTER 75 CONFIGURING PIM-SM .......................................................................... 531
75.1 PIM-SM INTRODUCTION .................................................................................................................... 531
75.2 CONFIGURING PIM-SM ..................................................................................................................... 532
75.2.1 Enabling Global Multicast..................................................................................................... 532
75.2.2 Starting up PIM-SM .............................................................................................................. 532
75.2.3 Configuring Neighbor Filter List ........................................................................................... 532
75.2.4 DR Election .......................................................................................................................... 533
75.2.5 Configuring Candidate RP ................................................................................................... 534
75.2.6 Configuring Candidate BSR ................................................................................................. 534
75.2.7 Configuring SPT-threshhold ................................................................................................. 534
75.2.8 Configuring SSM .................................................................................................................. 534
75.2.9 Configuring Management Domain sz ................................................................................... 535
75.2.10 Configuring Source Address of Registered Packets .......................................................... 536
75.2.11 Configuring anycast-rp ....................................................................................................... 536
75.2.12 Displaying PIM-SM Multicast Route ................................................................................... 536
75.2.13 Clearing Multicast Routes Learned by PIM-SM ................................................................. 537
75.3 CONFIGURATION EXAMPLE ................................................................................................................ 537
75.3.1 PIM-SM Configuration Example (The switch is configured on the VLAN port) .................... 537
75.3.2 BSR Configuration Example (The switch is configured on the VLAN port) ......................... 538
CHAPTER 76 IPV6 PROTOCOL’S CONFIGURATION .................................................. 539
76.1 IPV6 PROTOCOLS CONFIGURATION .................................................................................................. 539
76.2 ENABLING IPV6 ................................................................................................................................ 539
76.2.1 Setting the IPv6 Address ...................................................................................................... 539
CHAPTER 77 SETTING THE IPV6 SERVICES .............................................................. 541
77.1 SETTING THE IPV6 SERVICES ............................................................................................................ 541
77.1.1 Managing the IPv6 Link ........................................................................................................ 541
CHAPTER 78 CONFIGURING THE ROUTING MANAGEMENT MODULES ................. 544
78.1 OVERVIEW ........................................................................................................................................ 544
78.2 CONFIGURATION TASK LIST OF ROUTING MANAGEMENT MODULE ....................................................... 545
78.3 ROUTING MANAGEMENT MODULES CONFIGURATION TASKS ............................................................... 546
27
78.3.1 Setting the Static Route ........................................................................................................ 546
78.3.2 Setting the Threshold of Routes in a Routing Table ............................................................. 546
78.3.3 Monitoring and Maintaining the State of the Routing Table .................................................. 547
78.4 STATIC ROUTE'S CONFIGURATION EXAMPLE ...................................................................................... 549
CHAPTER 79 ND CONFIGURATION ............................................................................. 554
79.1 ND OVERVIEW .................................................................................................................................. 554
79.2 ADDRESS RESOLUTION ..................................................................................................................... 554
79.3 ND CONFIGURATION ......................................................................................................................... 555
CHAPTER 80 OSPFV3 CONFIGURATION .................................................................... 558
80.1 OVERVIEW ........................................................................................................................................ 558
80.2 OSPFV3 CONFIGURATION TASK LIST ................................................................................................ 558
80.3 OSPFV3 CONFIGURATION TASKS ..................................................................................................... 559
80.3.1 Enabling OSPFv3 ................................................................................................................. 559
80.3.2 Setting the Parameters of the OSPFv3 Interface ................................................................ 559
80.3.3 Setting OSPFv3 on Different Physical Networks ................................................................. 560
80.3.4 Setting the OSPF Network Type .......................................................................................... 560
80.3.5 Setting the Parameters of the OSPFv3 Domain .................................................................. 560
80.3.6 Setting the Route Summary in the OSPFv3 Domain ........................................................... 561
80.3.7 Setting the Summary of the Forwarded Routes ................................................................... 561
80.3.8 Generating a Default Route ................................................................................................. 561
80.3.9 Choosing the Route ID on the Loopback Interface .............................................................. 561
80.3.10 Setting the Management Distance of OSPFv3 .................................................................. 562
80.3.11 Setting the Timer of Routing Algorithm ............................................................................... 562
80.3.12 Monitoring and Maintaining OSPFv3 ................................................................................. 562
80.4 OSPFV3 CONFIGURATION EXAMPLE ................................................................................................. 563
80.4.1 Example for OSPFv3 Route Learning Settings ................................................................... 563
CHAPTER 81 OVERVIEW .............................................................................................. 573
81.1 STIPULATION .................................................................................................................................... 573
81.1.1 Format Stipulation in the Command Line ............................................................................. 573
CHAPTER 82 NTP CONFIGURATION ........................................................................... 574
82.1 OVERVIEW ........................................................................................................................................ 574
82.2 NTP CONFIGURATION ....................................................................................................................... 574
82.2.1 Configuring the Equipment As an NTP Server ..................................................................... 574
82.2.2 Configuring NTP Authentication Function ............................................................................ 574
82.2.3 Configuring NTP Association ............................................................................................... 574
CHAPTER 83 IPV6 ACL CONFIGURATION ................................................................... 576
83.1 IPV6 ACL CONFIGURATION ............................................................................................................... 576
28
83.1.1 Filtering IPv6 Packets .......................................................................................................... 576
83.1.2 Setting up IPv6 ACL ............................................................................................................. 576
83.1.3 Applying ACL to the Ports .................................................................................................... 577
83.1.4 Examples of IPv6 ACL ......................................................................................................... 577
CHAPTER 84 CONFIGURING TIME RANGE ................................................................. 578
84.1 TIME RANGE INTRODUCTION ............................................................................................................. 578
84.1.1 Overview .............................................................................................................................. 578
84.1.2 Absolute Time Range ........................................................................................................... 578
84.1.3 Periodic Time Range ............................................................................................................ 578
84.1.4 Isolating Time Range ........................................................................................................... 578
84.1.5 From-to Time Range ............................................................................................................ 578
84.1.6 Activating Time Range ......................................................................................................... 579
84.2 TIME RANGE CONFIGURATION TASK LIST .......................................................................................... 579
84.3 TIME RANGE CONFIGURATION TASK .................................................................................................. 579
84.3.1 Adding/Deleting Time Range ............................................................................................... 579
84.3.2 Adding/Deleting Absolute Time Range ................................................................................. 580
84.3.3 Adding/Deleting Periodic Time Range ................................................................................. 580
84.3.4 Applying Time Range ........................................................................................................... 581
84.3.5 Monitoring the configuration and state of Time Range ........................................................ 581
84.4 CONFIGURATION EXAMPLE ................................................................................................................ 582
29
Chapter 1 INTRODUCTION
Thank you for purchasing PLANET Layer 3 24-/48-Port 10G SFP+ plus 4-Port 100G QSFP28 Managed Switch. The descriptions of these models are shown below:
XGS-6350-24X4C Layer 3 24-Port 10G SFP+ + 4-Port 100G QSFP28 Managed Switch
XGS-6350-48X2Q4C
Layer 3 48-Port 10G SFP+ + 2-Port 40G QSFP+ + 4-Port 100G QSFP28 Managed Switch
1.1 Packet Contents
Unless specified, “Managed Switch” mentioned in this users manual refers to the XGS-6350-24X4C/XGS­6350-48X2Q4C.
Open the box of the Managed Switch and carefully unpack it. The box should contain the following items:
Quick Installation Guide
DB9 to RJ45 Interface RS232
Console Cable
Rack Mount Accessory Kit
AC Power Cord
XGS-6350-24X4C XGS-6350-48X2Q4C
SFP Dust Cap 28 54
If any item is found missing or damaged, please contact your local reseller for replacement.
30
1.2 Product Description
Powerful 100Gbps Solution for All Long-Reach Networks
PLANET XGS-6350-Series is a High-performance Layer 3 Managed Switch that meets the next-generation Metro, Data Center, Campus and Enterprise network requirements.
The administrator can flexibly choose the suitable transceivers according to the transmission distance or the transmission speed required to extend the 1G/10G/40G/100G network efficiently. Besides, with high switching capacity, the XGS-6350-Series can handle extremely large amounts of data in a secure topology linking to backbone or high capacity servers where audio, video streaming and multicast applications are utilized.
Extractive Power Supply Design to Increase Flexibilty
The XGS-6350-Series is equipped with one extractive 100~240V AC power supply unit, so it is easy to replace the power for users. Besides, the XGS-6350-Series reserves another backup power slot on the rear panel where the second AC or DC power can be added to make it a redundant power supply. The redundant power system is specifically designed to handle the demands of high-tech facilities requiring the highest power integrity.
Rich Multi-layer Networking Protocols
The XGS-6350-Series comes with the complete Layer 3 managed function with comprehensive protocols and applications to facilitate the rapid service deployment and management for both the traditional L2 and L3 networks. With support for advanced features, including RIP, RIPng, OSPFv2, OSPFv3, BGP, BGP4+, etc., this switch is ideal for the traditional or fully-virtualized data center.
Strong Multicast
The XGS-6350-Series supports abundant multicast features. In Layer 2, it features IPv4 IGMPv1/v2/v3 snooping and IPv6 MLD v1/v2 snooping. With Multicast VLAN Registration (MVR), multicast receiver/sender control and illegal multicast source detection functions can be had. In Layer 3 multicast protocols, it features
PIM-DM, PIM-SM and PIM-SSM which make the XGS-6350-Series great for any robust networking.
Full IPv6 Support
The XGS-6350-Series supports IPv4-to-IPv6 technologies including IPv4 manual/automatic tunnel, IPv6-to- IPv4 tunnel, and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel. It comprehensively
supports IPv6 Neighbor Discovery, DHCPv6, Path MTU Discovery, IPv6-based Telnet, SSH and ACL, meeting the need of IPv6 network device management and service control.
31
High Reliability
The key components of the XGS-6350-Series are management module, power system and the fan system that support redundancy design. All system modules support hot-swap and seamless switching without manual intervention.
It supports In-service Software Upgrade (ISSU) and Graceful Restart (GR) for OSPF/BGP routing protocol, guaranteeing non-stop user data transmission when the system is upgraded. It supports Bidirectional Forwarding Detection (BFD) that realizes fault detection and service recovery in seconds through linking with Layer 2 or Layer 3 protocol.
Excellent and Secure Traffic Control
The XGS-6350-Series is loaded with powerful traffic management and WRR features to enhance services offered by telecoms and enterprises. The WRR functionalities include wire-speed Layer 4 traffic classifiers and bandwidth limitation which are particularly useful for multi-tenant unit, multi-business unit, Telco, or network service applications.
Powerful Security from Layer 2 to Layer 4
The ACL policies supported can classify the traffic by source/destination IP addresses, source/destination MAC addresses, IP protocols, TCP/UDP, IP precedence, time ranges and ToS. Moreover, various policies can be conducted to forward the traffic. The XGS-6350-Series also provides IEEE 802.1x port-based access authentication, which can be deployed with RADIUS, to ensure the port level security and block illegal users. Thus, the XGS-6350-Series empowers enterprises and campuses to take full advantage of the limited network resources and guarantees the best performance in VoIP and video conferencing transmissions.
Robust Layer 2 Features
The XGS-6350-Series can be programmed for basic switch management functions such as port speed configuration, port aggregation, VLAN, Spanning Tree Protocol, WRR, bandwidth control and IGMP snooping. It also supports 802.1Q tagged VLAN, Q-in-Q, voice VLAN and GVRP Protocol. In addition, the number of VLAN interfaces is 1K and the number of VLAN IDs is 4K. By supporting port aggregation, the XGS-6350­Series allows the operation of a high-speed trunk combined with multiple ports, making it an LACP link aggregation.
Efficient and Secure Management
For efficient management, the XGS-6350-Series Managed 100Gigabit Switch is equipped with console, Web and SNMP management interfaces.
With its built-in Web-based management interface, the XGS-6350-Series offers an easy-to-use,
platform-independent management and configuration facility.
The XGS-6350-Series supports standard Simple Network Management Protocol (SNMP) and can be
managed via any standard-based management software.
32
For reducing product learning time, the XGS-6350-Series offers Cisco-like command via Telnet or
console port. Moreover, the XGS-6350-Series offers secure remote management by supporting SSH connection which encrypts the packet content at each session.
Centralized Hardware Stacking Management
The XGS-6350-Series can be used to build a virtually logical facility. The XGS-6350-Series gives the enterprises, service providers and telecoms flexible control over port density, uplinks and switch stack performance. The XGS-6350-Series can connect as a ring for redundancy and ensures that data integrity is retained even if one switch in the stack fails. You can even hot-swap switches without disrupting the network, which greatly simplifies the tasks of upgrading the LAN for catering to increasing bandwidth demands.
Flexibility and Extension Solution
The XGS-6350-Series provides 24/48 10Gbps SFP+, 40Gbps QSFP+ and 100Gbps QSFP28 Fiber interfaces. Each of the SFP+ slots support Dual Speed, 10GBASE-SR/LR or 1000BASE-SX/LX and each of the QSFP28 slots supports native 100 Gigabit Ethernet, 40G and 4 x 10 Gigabit Ethernet modes. Therefore, the administrator can flexibly choose the suitable SFP transceiver according to not only the transmission distance, but also the transmission speed required. The distance can be extended from 550 meters to 2km (multi-mode fiber) or up to 10/20/30/40/50/70/120 km (single-mode fiber or WDM fiber). They are well suited for applications within the enterprise data centers and distributions.
Redundant Ring, Fast Recovery for Critical Network Applications
The XGS-6350-Series supports redundant ring technology and features strong, rapid self-recovery capability to prevent interruptions and external intrusions. It incorporates advanced ITU-T G.8032 ERPS (Ethernet Ring Protection Switching) technology and Spanning Tree Protocol (802.1s MSTP) into customer’s network to enhance system reliability and uptime in harsh environments. In a certain simple Ring network, the recovery time could be less than 50ms to quickly bring the network back to normal operation.
33
1.3 Product Features
XGS-6350-24XC
24 10GBASE-SR/LR SFP+ slots, compatible with 1000BASE-SX/LX/BX SFP  4 QSFP28 slots with each supporting native 100 Gigabit Ethernet, 40G and 4 x 10 Gigabit Ethernet modes RJ45 to DB9 console interface for switch basic management and setup
MNG port for HTTP server access  USB port
XGS-6350-48X2Q4C
48 10GBASE-SR/LR SFP+ slots, compatible with 1000BASE-SX/LX/BX SFP  2 QSFP+ slots with each supporting 40G and 4 x 10 Gigabit Ethernet modes  4 QSFP28 slots with each supporting native 100 Gigabit Ethernet, 40G and 4 x 10 Gigabit Ethernet
modes
RJ45 to DB9 console interface for switch basic management and setup MNG port for HTTP server access USB port
IPv4 Features
Static Routing, RIP v1/v2, OSPF and BGP Policy Routing BFD for OSFP and BGP
IPv6 Features
ICMPv6, DHCPv6, ACLv6,IPv6 Telnet IPv6 Neighbor Discovery Path MTU Discovery MLD and MLD Snooping IPv6 Static Routing, RIPng, OSFPv3 and BGP4+ Manual Tunnel, ISATAP Tunnel and 6-to-4 Tunnel
Multicast Routing Features
Supports Multicast Routing Protocols:
PIM-DM (Protocol Independent Multicast - Dense Mode) PIM-SM (Protocol Independent Multicast - Sparse Mode) PIM-SSM (Protocol Independent Multicast - Source-Specific Multicast Mode)
Supports IGMP v1/v2/v3
Layer 2 Features
Supports VLAN
- IEEE 802.1Q tag-based VLAN
- Provider Bridging (VLAN Q-in-Q, IEEE 802.1ad) supported
- GVRP for dynamic VLAN management
- Private VLAN
Supports Link Aggregation
34
- 802.3ad Link Aggregation Control Protocol (LACP)
- Cisco ether-channel (static trunk)
Supports Spanning Tree Protocol
- STP, IEEE 802.1D (Classic Spanning Tree Protocol)
- RSTP, IEEE 802.1w (Rapid Spanning Tree Protocol)
- MSTP, IEEE 802.1s (Multiple Spanning Tree Protocol, spanning tree by VLAN)
Port mirroring to monitor the incoming or outgoing traffic on a particular port (many to 1) Loop protection to avoid broadcast loops Link Layer Discovery Protocol (LLDP) Ethernet OAM 802.3ah/802.1ag/ITU-Y.1731
Supports G.8032 ERPS (Ethernet Ring Protection Switching)
Quality of Service
Ingress shaper and egress rate limit per port bandwidth control 8 priority queues on all switch ports
- IEEE 802.1p CoS/DSCP/Precedence
- VLAN ID
- Policy-based ingress and egress QoS
Multicast
Supports IPv4 IGMP snooping v1, v2 and v3 Supports IPv6 MLD snooping v1 and v2 Querier mode support MVR (Multicast VLAN Registration)
Security
Authentication
- IEEE 802.1x port-based network access authentication
- Built-in RADIUS client to cooperate with the RADIUS servers
- RADIUS/TACACS+ users access authentication
Access Control List
- IP-based Access Control List (ACL)
- MAC-based Access Control List (ACL)
- Time-based ACL
DHCP Snooping to filter distrusted DHCP messages Dynamic ARP Inspection discards ARP packets with invalid MAC address to IP address binding IP Source Guard prevents IP spoofing attacks
Management
IPv4 and IPv6 dual stack management Switch Management Interfaces
- Console and Telnet Command Line Interface
- HTTP web switch management
- SNMP v1 and v2c switch management
- SSHv2, SSLv3, TLSv1.0 and SNMP v3 secure access
35
SNMP Management
- Four RMON groups (history, statistics, alarms, and events)
- SNMP trap for interface Link Up and Link Down notification
Built-in Trivial File Transfer Protocol (TFTP) client BOOTP and DHCP for IP address assignment System Maintenance
- Firmware upload/download via HTTP
- Reset button for system reboot or reset to factory default
- Dual images
DHCP Functions:
- DHCP Relay
- DHCP Option 82
- DHCP Server
User Privilege levels control Network Time Protocol (NTP), SPAN, RSPAN Network Diagnostic
- SFP-DDM (Digital Diagnostic Monitor)
- ICMP remote IP ping
Syslog remote alarm System Log PLANET NMS System and Smart Discovery Utility for deployment management
Stacking Management
Virtualized multiple XGS-6350-Series switches integrated into one logical device Single IP address stack management, supporting up to 2 hardware units stacked together Stacking architecture supports redundant Ring mode
36
1.4 Product Specifications
XGS-6350-24X4C
Product XGS-6350-24X4C XGS-6350-48X2Q4C
Hardware Specifications
QSFP28 Slots
QSFP+ Slots
SFP+ Slots
Console
Management
USB
Dimensions (W x D x H)
Weight
Power Consumption
4 with each supporting native 100/40 Gigabit Ethernet and 4 x 10 Gigabit Ethernet modes
2, each supports 40 Gigabit
-
24 10GBASE-SR/LR SFP+ interfaces Compatible with 1000BASE­SX/LX/BX SFP transceiver
1 x RJ45-to-DB9 serial port (9600, 8, N, 1)
1 x 10/100/1000BASE-T RJ45 port
1 x USB 2.0
442.5 x 364 x 44 mm, 1U height 442 x 404 x 44 mm, 1U height
5990g 8400g
75 watts/210 BTU (maximum)
Ethernet and 4 x 10 Gigabit Ethernet modes
48 10GBASE-SR/LR SFP+ interfaces Compatible with 1000BASE­SX/LX/BX SFP transceiver
147 watts/504.3 BTU (maximum)
Power Requirements
Number of Power Supply
Bays
Number of Fan Trays
LED
AC 100~240V, 50/60Hz
AC 100~240V, 50/60Hz
2
4 fixed 4
System:
PWR, SYS
Ports:
40G/100G QSFP Port: LNK/ACT
DC 36~72V (Optional power module)
System:
PWRA, PWRB, Green SYS, Green MNG, Green
Ports:
10G SFP+ interfaces: LNK/ACT, Green 40G/100G QSFP28 interfaces: LNK/ACT, Green 40G QSFP+ interfaces:
37
Switching Specifications
LNK/ACT, Green
Switch Architecture
Switch Capacity
Switch Throughput
Address Table
Shared Data Buffer
Flow Control
Jumbo Frame
IPv4 Layer 3 Functions
IP Routing Protocol
Multicast Routing Protocol
Store-and-forward
800Gbps/non-blocking 1.92Tbps/non-blocking
960Mpps 1440Mpps@64bytes
32K MAC address table with auto learning function
64K MAC address table with auto learning function
4MB 9MB
Back pressure for half duplex IEEE 802.3x pause frame for full duplex
9KB
RIP v1/v2 OSPFv2 BGP (Border Gateway Protocol) Static routing
PIM-DM and PIM-SM PIM-SSM
Routing Features
IPv6 Layer 3 Functions
IP Routing Protocol
Routing Features
IPv6 Functions
Layer 2 Functions
VRRP Policy routing Load balance through equal-cost routing BFD (Bidirectional Forwarding Detection) for OSPF and BGP
RIPng OSPFv3 BGP4+
Manual tunnel ISATAP tunnel 6-to-4 tunnel
ICMPv6, DHCPv6, ACLv6, IPv6 Telnet IPv6 Neighbor Discovery Path MTU Discovery
Port disable/enable
Port Configuration
Auto-negotiation 10/100/1000Mbps full and half duplex mode selection Flow control disable/enable Bandwidth control on each port Port loopback detect
38
IEEE 802.1Q tag-based VLAN, IEEE 802.1ad Q-in-Q VLAN stacking/tunneling
VLAN
Spanning Tree Protocol
Ring
IPv4 IGMP Snooping
IPv6 MLD Snooping
Bandwidth Control
GVRP for VLAN management Private VLAN Up to 4K VLAN groups
IEEE 802.1D Spanning Tree Protocol (STP) IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) BPDU protection, root protection
Supports ITU-G G.8032 ERPS
IPv4 IGMP v1/v2/v3 snooping IGMP Fast Leave IPv4 Querier mode support IGMP Filtering and IGMP Throttling IGMP Proxy reporting
IPv6 MLD v1/v2 snooping Multicast VLAN Register (MVR)
Ingress and Egress
At least 64Kbps stream
Link Aggregation
QoS
IEEE 802.3ad LACP/static trunk Supports 8 groups with 8 ports per trunk group
8 priority queues on all switch ports Traffic Supervision and Traffic Shaping Scheduling for priority queues
- Weighted Round Robin (WRR)
- Strict priority (SP)
- SP+WRR
Traffic classification:
- IEEE 802.1p CoS
- DSCP
- DiffServ
- Precedence
- TOS
- VLAN ID
- IP ACL
- MAC ACL
Policy-based ingress and egress QoS
802.1p and DSCP priority remark
IEEE 802.1x port-based network access control AAA authentication: TACACS+ and IPv4/IPv6 over RADIUS
39
Security Function
Supports Standard and Expanded ACL
Access Control List
Security
AAA
Network Access Control
Management Function
System Configuration
IP-based ACL/MAC-based ACL Time-based ACL Up to 1K entries
Port isolation Port security, supports IP + MAC + port binding Identification and filtering of L2/L3/L4 based ACL Defend against DOS or TCP attacks Suppression of broadcast, multicast and unknown unicast packet DHCP Snooping, DHCP Option 82 Command line authority control based on user levels
TACACS+ and IPv4/IPv6 over RADIUS
IEEE 802.1x port-based network access control
Console and Telnet Web browser SNMP v1, v2c
Secure Management
Interfaces
System Management
SSHv2, SSLv3 and SNMPv3
Maximum 8 sessions for SSH and Telnet connection
Supports both IPv4 and IPv6 Protocols Supports the user IP security inspection for IPv4/IPv6 SNMP Supports MIB and TRAP Supports TFTP, FTP Supports IPv4/IPv6 NTP Supports RMON 1, 2, 3, 9 groups Supports the RADIUS authentication for IPv4/IPv6 Telnet user name and password The right configuration for users to adopt RADIUS server’s shell management Supports Security IP safety net management function: avoid unlawful landing at non-restrictive area Supports TACACS+ Supports SPAN, RSPAN
Event Management
SNMP MIBs
Supports syslog server for IPv4 and IPv6
RFC 1213 MIB-II RFC 1215 Internet Engineering Task Force RFC 1271 RMON RFC 1354 IP-Forwarding MIB
40
RFC 1493 Bridge MIB RFC 1643 Ether-like MIB RFC 1907 SNMPv2 RFC 2011 IP/ICMP MIB RFC 2012 TCP MIB RFC 2013 UDP MIB RFC 2096 IP forward MIB RFC 2233 if MIB RFC 2452 TCP6 MIB RFC 2454 UDP6 MIB RFC 2465 IPv6 MIB RFC 2466 ICMP6 MIB RFC 2573 SNMPv3 notification RFC 2574 SNMPv3 VACM RFC 2674 Bridge MIB Extensions
Standard Conformance
Regulatory Compliance
Standards Compliance
FCC Part 15 Class A, CE
IEEE 802.3z Gigabit 1000BASE-SX/LX IEEE 802.3ae 10Gb/s Ethernet IEEE 802.3x flow control and back pressure IEEE 802.3ad port trunk with LACP IEEE 802.1D Spanning Tree Protocol IEEE 802.1w Rapid Spanning Tree Protocol IEEE 802.1s Multiple Spanning Tree Protocol IEEE 802.1p Class of Service IEEE 802.1Q VLAN tagging IEEE 802.1X port authentication network control IEEE 802.1ab LLDP RFC 768 UDP RFC 793 TFTP RFC 791 IP RFC 792 ICMP RFC 2068 HTTP RFC 1112 IGMP v1 RFC 2236 IGMP v2 RFC 3376 IGMP v3 RFC 2710 MLD v1 FRC 3810 MLD v2 RFC 2328 OSPF v2
41
Environment
RFC 1058 RIP v1 RFC 2453 RIP v2
Operating
Storage
Temperature: 0 ~ 50 degrees C Relative Humidity: 10 ~ 85% (non-condensing)
Temperature: -40 ~ 80 degrees C Relative Humidity: 5 ~ 95% (non-condensing)
42
Chapter 2 Installation
This section describes the hardware features and installation of the Managed Switch on the desktop or rack mount. For easier management and control of the Managed Switch, familiarize yourself with its display indicators, and ports. Front panel illustrations in this chapter display the unit LED indicators. Before connecting any network device to the Managed Switch, please read this chapter completely.
2.1 Hardware Description
2.1.1 Switch Front Panel
The unit front panel provides a simple interface monitoring the switch. Figure 2-1-1, 2-1-2, 2-1-3 and 2-1-4 show the front panel of the Managed Switches.
XGS-6350-24X4C Front Panel
Figure 2-1-1 XGS-6350-24X4C front panel
XGS-6350-48X2Q4C Front Panel
Figure 2-1-2 XGS-6350-48X2Q4C front panel
Gigabit TP interface
10/100/1000BASE-T copper, RJ45 twisted-pair: Up to 100 meters.
SFP/SFP+ slots
SFP/SFP+ mini-GBIC slot, SFP (Small Factor Pluggable) transceiver module: From 550 meters (Multi­mode fiber) to 10/30/50/70/120 kilometers (Single-mode fiber).
Console Port
The console port is an RJ45 type, RS232 male serial port connector. It is an interface for connecting a terminal directly. Through the console port, it provides rich diagnostic information including IP address setting, factory reset, port management, link status and system setting. Users can use the attached RS232 cable in the package and connect to the console port on the device. After the connection, users can run any terminal emulation program (Hyper Terminal, ProComm Plus, Telix, Winterm and so on) to enter the startup screen of the device.
USB Interface
The USB port is a USB2.0 type; it is an interface for uploading/restoring the configuration/firmware.
MGMT Port
The MGMT port is an RJ45 type, an independent interface for Telnet or SSH.
43
2.1.2 LED Indications
The front panel LEDs indicate instant status of port links, data activity, system operation, stack status and system power, and helps monitor and troubleshoot when needed.
44
XGS-6350-24X4C
System
LED Color Function
PWR
Green
SYS Green
Interfaces
Lights to indicate that the Switch has power.
Power is off.
Off
Blinks to indicate the system diagnosis is completed; lights to indicate the system is normally starting up.
Figure 2-1-3 XGS-6350-24X4C front panel
LED Color Function
Blinks to indicate the data is transmitting and receiving through the port; lights to indicate
LNK/ACT Green
the link on the port is normal.
40G Status LED (Divided into 4 10G)
LED Color Function
Operating in 100G mode, the LED does not light; when the QSFP+ corresponding port
LNK/ACT
Green
(CG1~CG4)
indicator is lit, 4 indicators indicate the LINK/ACT status of the 4 10GE ports corresponding to the QSFP+ port.
45
XGS-6350-48X2Q4C
Figure 2-1-4 XGS-6350-48X2Q4C front panel
System
LED Color Function
Green
PWRA
Lights to indicate that the Switch has power.
PWRB
SYS Green
MNG
Off
Power is off.
Blinks to indicate the system diagnosis is completed; lights to indicate the system is normally
starting up.
Green
Lights to indicate that the Switch has connected the Ethernet cable to management port.
Off
Lights to indicate that the Switch has not connected the Ethernet cable to management port.
Interfaces
LED Color Function
LNK/ACT Green
Blinks to indicate the data is transmitting and receiving through the port; lights to indicate the
link on the port is normal.
40G BREAKOUT LED
LED Color Function
LNK/ACT
(1~4)
Operating in 100Gbps on 4 QSFP28 ports and 40Gbps on 2 QSFP+ ports, the BREAKOUT
Green
LED does not light; when you configure the interface dividing into 4 10G ports through
configuration, the BREAKOUT LED indicators will light up.
46
2.2 Switch Installation
This section describes how to install your Managed Switch and make connections to the Managed Switch. Please read the following topics and perform the procedures in the order being presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps.
2.2.1 Desktop Installation
To install the Managed Switch on desktop or shelf, please follow these steps:
Step 1: Attach the rubber feet to the recessed areas on the bottom of the Managed Switch. Step 2: Place the Managed Switch on the desktop or the shelf near an AC power source, as shown in Figure
2-2-1.
Figure 2-2-1 Place the Managed Switch on the desktop
Step 3: Keep enough ventilation space between the Managed Switch and the surrounding objects.
When choosing a location, please keep in mind the environmental restrictions discussed in Chapter 1, Section 4 under Specifications.
Step 4: Connect the Managed Switch to network devices.
Connect one end of a standard network cable to the 10/100/1000 RJ45 ports on the front of the Managed Switch and connect the other end of the cable to the network devices such as printer servers, workstations or routers, etc.
Connection to the Managed Switch requires UTP Category 5 network cabling with RJ45 tips. For more information, please see the Cabling Specification in Appendix A.
47
Step 5: Supply power to the Managed Switch.
Connect one end of the power cable to the Managed Switch. Connect the power plug of the power cable to a standard wall outlet. When the Managed Switch receives power, the Power LED should remain solid Green.
2.2.2 Rack Mounting
To install the Managed Switch in a 19-inch standard rack, please follow the instructions described below:
Step 1: Place the Managed Switch on a hard flat surface, with the front panel positioned towards the front side. Step 2: Attach the rack-mount bracket to each side of the Managed Switch with supplied screws attached to
the package.
Figure 2-2-2 shows how to attach brackets to one side of the Managed Switch.
Figure 2-2-2 Attach brackets to the Managed Switch.
You must use the screws supplied with the mounting brackets. Damage caused to the parts by using incorrect screws would invalidate the warranty.
Step 3: Secure the brackets tightly. Step 4: Follow the same steps to attach the second bracket to the opposite side. Step 5: After the brackets are attached to the Managed Switch, use suitable screws to securely attach the
brackets to the rack, as shown in Figure 2-2-3.
48
Figure 2-2-3 Mounting SGS-6341 Series in a Rack
Step 6: Proceed with Steps 4 and 5 of Session 2.2.1 Desktop Installation to connect the network cabling and
supply power to the Managed Switch.
AC Power Receptacle
Compatible with electrical services in most areas of the world, the Managed Switch’s power supply automatically adjusts to line power in the range of 100-240VAC and 50/60 Hz.
Plug the female end of the power cord firmly into the receptacle on the rear panel of the Managed Switch. Plug the other end of the power cord into an electrical outlet and then the power will be ready.
49
Chapter 3 Configuration Preparation
The chapter mainly describes the following preparatory works before you configure the switch at the first time:
Port number of the switch  Preparation before switch startup  How to get help  Command mode  Cancelling a command  Saving configuration
3.1 Port Number of the Switch
The physical port of the switch is numbered in the <type><slot>/<port> form. The type-to-name table is shown as follows:
Interface Type Name Simplified Name
10M Ethernet Ethernet e
100M fast Ethernet FastEthernet f
1000M Ethernet GigaEthernet g
The expansion slot number to mark and set ports must be the number 0. Other expansion slots are numbered from left to right, starting from 1. The ports in the same expansion slot are numbered according to the order from top to bottom and the order from left to right, starting from 1. If only one port exists, the port number is 1.
Note:
Ports in each kind of modulars must be numbered sequently from top to bottom and from left to right.
3.2 Preparation Before Switch Startup
Do the following preparatory works before the switch is configured: (1) Set the switch’s hardware according to the requirements of the manual. (2) Configure a PC terminal simulation program. (3) Determine the IP address layout for the IP network protocols.
3.3 Acquiring Help
Use the question mark (?) and the direction mark to help you enter commands: Enter a question mark. The currently available command list is displayed.
50
Switch> ?
Enter several familiar characters and press the space key. The available command list
starting with the entered familiar characters is displayed. Switch> s?
Enter a command, press the space key and enter the question mark. The command
parameter list is displayed. Switch> show ?
Press the “up” key and the commands entered before can be displayed. Continue to press
the “up” key and more commands are to be displayed. After that, press the “down” key and the next command to be entered is displayed under the current command.
3.4 Command Modes
The command line interfaces for the switch can be classified into several modes. Each command mode enables you to configure different groupware. The command that can be used currently is up to the command mode where you are. You can enter the question mark in different command modes to obtain the available command list. Common command modes are listed in the following table:
Command
Mode
System monitoring mode
User mode Log in. Switch> Run
Management mode
Office configuration mode
Port configuration mode
Login Mode Prompt Exit Mode
Ctrl-p
Enter
power is on.
Enter in user mode.
Enter management mode.
Enter the command in office configuration mode, such as
after the
enter
enable
or
config
interface
interface f0/1
in
monitor# Run
Switch# Run
Switch_config# Run
Switch_config_f0/1# Run
.
quit
exit
exit
exit
directly back to the management mode.
exit
directly back to the management mode.
.
or
or
or
or
quit
quit
quit
quit
.
.
or
or
Ctrl-z
Ctrl-z
to
to
Each command mode is unsuitable to subsets of some commands. If problem occurs when you enter commands, check the prompt and enter the question mark to obtain the available command list. Problem may occur when you run in incorrect command mode or you misspelled the command. Pay attention to the changes of the interface prompt and the relative command mode in the following case:
Switch> enter Password: <enter password> Switch# config Switch_config# interface f0/1 Switch_config_f0/1# quit Switch_config# quit Switch#
51
3.5 Canceling a Command
To cancel a command or resume its default properties, add the keyword “no” before most commands. An example is given as follows:
no ip routing
3.6 Saving Configuration
You need to save configuration in case the system is restarted or the power is suddenly off. Saving configuration can quickly recover the original configuration. You can run write to save configuration in management mode or office configuration mode.
52
Chapter 4 System Management Configuration
4.1 File Management Configuration
4.1.1 Managing the file system
The filename in flash is no more than 20 characters and filenames are case insensitive. GP3616 SWITCH is mainly consisted of MSU. As MSU needs IOS, download BIN file to MSU. Ensure the suffix of the BIN file is .bin. The BIN file name can be arbitrary. In GP3616 file system, IOS file with the suffix .bin is used for MSU startup. The file name is arbitrary. BOOTROM will select a bin startup automatically based on the sequence. tiger.blob file is applied on the PON program of GP3616 board card. startup-config is the system configuration file; config.db is the ONU configuration database file; and if index-config is the port mapping configuration file.
4.1.2 Commands for the file system
The boldfaces in all commands are keywords. Others are parameters. The content in the square brakcet “[ ]” is optional.
Command Purpose
format
dir
[filename] Displays files and directory names. The file name in the symbol “[]” means to
delete
filename Deletes a file. The system will prompt if the file does not exist.
md
dirname Creates a directory.
rd
dirname Deletes a directory. The system will prompt if the directory is not existed.
more
filename Displays the content of a file. If the file content cannot be displayed by one
cd
Changes the path of the current file system.
pwd
Displays the current path.
Formats the file system and delete all data.
display files starting with several letters. The file is displayed in the following format:
Index number file name <FILE> length established time
page, it will be displayed by pages.
4.1.3 Starting up from a file manually
monitor#boot flash <local_filename> The command is to start an SWITCH software in the flash, which may contain multiple SWITCH softwares.
53
Description
Parameters Description
local_filename
file name in the flash, the user must enter the file name
54
Example
monitor#boot flash switch.bin
4.1.4 Updating software
User can use this command to download SWITCH system software locally or remotely to obtain version update or the custom-made function version. There are two ways of software update in monitor mode.
55
Through TFTP protocol
monitor#copy tftp flash [ip_addr] The command is to copy file from the tftp server to the flash in the system. After you enter the command, the system will prompt you to enter the remote server name and the remote filename.
56
Description
Parameters Description
ip_addr
Means the IP address of the TFTP server. If this parameter is not designated, you are prompted to enter the IP address after the copy command is run.
57
Example
The following example shows a main.bin file is read from the server, written into the SWITCH and changed into the name switch. Bin.
monitor#copy tftp flash
Prompt: Source file name[]?main.bin Prompt: Remote-server ip address[]?192.168.20.1 Prompt: Destination file name[main.bin]?switch.bin
please wait ... ###################################################################### ###################################################################### ###################################################################### ###################################################################### ###################################################################### ############################################# TFTP:successfully receive 3377 blocks ,1728902 bytes monitor#
4.1.5 Updating configuration
The SWITCH configuration is saved as a file, the filename is startup-config. You can use commands similar to software update to update the configuration.
58
Through TFTP protocol
monitor#copy tftp flash startup-config
4.1.6 Using ftp to perform the update of software and configuration
switch #copy ftp flash [ip_addr] Use ftp to perform the update of software and configuration in formal program management. Use the copy command to download a file from ftp server to SWITCH, also to upload a file from file system of the SWITCH to ftp server. After you enter the command, the system will prompt you to enter the remote server name and remote filename. copy{ftp:[[[//login-name:[login­password]@]location]/directory]/filename}|flash:filename>}{flash<:filename>|ftp:[[[//login-name:[login­password]@]location]/directory]/filename}<blksize><mode><type>
59
Description
Parameters Description
login-nam Username of the ftp server If this parameter is not designated,
you are prompted to enter the IP address after the copy command is run.
login-password Password of the ftp server If this parameter is not designated,
you are prompted to enter the IP address after the copy command is run.
ip_addr
active Means to connect the ftp server in active mode.
passive Means to connect the ftp server in passive mode.
type Set the data transmission mode (ascii or binary)
IP address of the ftp server If this parameter is not designated, you are prompted to enter the IP address after the copy command is run.
60
Example
The following example shows a main.bin file is read from the server, written into the SWITCH and changed into the name switch.bin.
switch#copy ftp flash
Prompt:ftp user name[anonymous]? login-nam Prompt: Prompt:Source file name[]?main.bin Prompt:Remote-server ip address[]?192.168.20.1 Prompt:Destination file name[main.bin]?switch.bin Or
ftp user password[anonymous]? login-password
switch#copy ftp://login-nam:login-password@192.168.20.1/main.bin flash:switch.bin ###################################################################### ###################################################################### FTP:successfully receive 3377 blocks ,1728902 bytes switch#
Note:
1) When the ftp server is out of service, the wait time is long. If this problem is caused by the tcp timeout time (the default value is 75s), you can configure the global command ip tcp synwait-time to modify the tcp connection time. However, it is not recommended to use it.
2) When you use ftp in some networking conditions, the rate of data transmission might be relatively slow. You can properly adjust the size of the transmission block to obtain the best effect. The default size is 512 characters, which guarantee a relatively high operation rate in most of the networks.
4.2 Basic System Management Configuration
4.2.1 Configuring Ethernet IP Address
monitor#ip address <ip_addr> <net_mask> This command is to configure the IPaddress of the Ethernet.,The default IP address is 192.168.0. 1,and the network mask is255.255.255.0.
61
Description
Parameters Description
ip_addr
IP address of the Ethernet
net_mask
Mask of the Ethernet
62
Example
monitor#ip address 192.168.1.1 255.255.255.0
4.2.2 Setting the Default Route
monitor#ip route default <ip_addr> This command is used to configure the default route. You can configure only one default route.
63
Description
Parameters Description
ip_addr
IP address of the gateway
64
Example
monitor#ip route default 192.168.1.1
4.2.3 Using Ping to Test Network Connection State
monitor#ping <ip_address> This command is to test network connection state.
65
Description
Parameters Description
ip_address
Stands for the destination IP address
66
Example
monitor#ping 192.168.20.100 PING 192.168.20.100: 56 data bytes 64 bytes from 192.168.20.100: icmp_seq=0. time=0. ms 64 bytes from 192.168.20.100: icmp_seq=1. time=0. ms 64 bytes from 192.168.20.100: icmp_seq=2. time=0. ms 64 bytes from 192.168.20.100: icmp_seq=3. time=0. ms
----192.168.20.100 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss round-trip (ms) min/avg/max = 0/0/0
67
Chapter 5 Terminal Configuration
5.1 VTY Configuration Overview
The system uses the line command to configure terminal parameters. Through the command, you can configure the width and height that the terminal displays.
5.2 Configuration Tasks
The system has four types of lines: console, aid, asynchronous and virtual terminal. Different systems have different numbers of lines of these types. Refer to the following software and hardware configuration guide for the proper configuration.
Line Type Interface Description Numbering
CON(CTY)
VTY
Console
Virtual and asynchrono us
To log in to the system for configuration.
To connect Telnet, X.25 PAD, HTTP and Rlogin of synchronous ports (such as Ethernet and serial port) on the system
5.2.1 Relationship between Line and Interface
0
32 numbers starting from 1
68
Relationship between Synchronous Interface and VTY Line
The virtual terminal line provides a synchronous interface to access to the system. When you connect to the system through VTY line, you actually connects to a virtual port on an interface. For each synchronous interface, there can be many virtual ports. For example, if several Telnets are connecting to an interface (Ethernet or serial interface). Steps for configuring VTY:
(1) Log in to the line configuration mode. (2) Configure the terminal parameters. Note: The serial port terminal and telnet terminal may log out the system if they log on to SWITCH
without any operation within a certain time. The timeout can be configured.
For VTY configuration, refer to the section “VTY configuration example”.
5.3 Monitor and Maintenance
Runshow line to checkthe VTYconfiguration.
5.4 Browsing Logs
By default, the system will export the logs to the console port. After the terminal monitor command is set on the telnet line, the logs will be exported to this line. By default the logs will not be exported to the cache and cannot be browsed after you run show log. After you run logging buffer size to set the log cache, you can run show log to browse the log information.
5.5 VTY Configuration Example
It shows how to cancel the limit of the line number per screen for all VTYs without more prompt:
config#line vty 0 32 config_line#length 0
32 vty configuration timeout time
Switch_config#line vty 0 31 Switch_config_line#exec-timeout 10 Switch_config_line#exit Switch_config#
69
Chapter 6 SSH Configuration Commands
6.1 Ssh Overview
6.1.1 SSH Server
SSH client can provide a secure and encrypted communication link through SSH server and other devices. This connection has the same functions as those of Telnet. SSH server supports the following encryption algorithms: des, 3des and blowfish.
6.1.2 SSH Client
SSH client runs on the basis of the SSH protocol, providing authentication and encryption. Due to the application of authentication and encryption, SSH client ssh client allows to establish secure communication in unsecure network environment between our’s communication devices or between other devices that support ssh server. SSH client supports the following encryption algorithms: des, 3des and blowfish.
6.1.3 Attribute Realization
SSH server and SSH client support SSH 1.5. Both of them supports the shell application.
6.2 Configuration Tasks
6.2.1 Configuring the Authentication Method List
SSH server adopts the login authentication mode. SSH server uses the default authentication method list by default. In global configuration mode, the following command can be used to configure the authentication method list.
Command Purpose
ip sshd auth-method STRING Configure the authentication method list.
The length of the authentication method's name is no more than 20 characters.
6.2.2 Configuring Access List
In order to control SSH server to access other devices, you can configure ACL for SSH server. In global configuration mode, the following command can be used to configure the timeout time.
Command Purpose
ip sshd access-class STRING Configures ACL. The length of the access list's
name is no more than 19 characters.
6.2.3 Configuring the Authentication Timeout Time
After SSH client connects SSH server successfully, the SSH server will close the connection if the authentication cannot be passed during the configured time.
70
In global configuration mode, the following command can be used to configure the authentication timeout.
Command Purpose
ip sshd timeout <60-65535> Configure the authentication timeout time.
6.2.4 Configuring the Authentication Retry Times
If the times for failed authentications exceed the maximum times, SSH server will not allow you to retry authentication and the system enters the silent period. The maximum times for retrying authentication is 6 by default. In global configuration mode, the following command can be used to configure the authentication retry times.
Command Purpose
ip sshd auth-retries <0-65535> Configures the authentication retry times.
6.2.5 Configuring the Login Silence Period
The system enters in the silent period when the authentication retry times exceed the threshold. The silence period is 60s by default. In global configuration mode, the following command can be used to configure the silence period.
Command Purpose
ip sshd silence-period <0-3600> Configures the login silence period
6.2.6 Enabling Encryption Key Saving Function
Enable ssh server and the initial encryption key needs to be calculated. The process may take one to two minutes. When enabling the encryption key saving function, the initial encryption key is saved in the flash. When enabling ssh server in a second time, the encryption key will be read first. sftp function is disabled by default. Use the following command to enable sftp function in global configuration mode:
Command Purpose
ip sshd save Enable encryption key saving function.
6.2.7 Enabling SFTP Function
The SFTP function refers to the secure file transmission system based on SSH, of which the authentication procedure and data transmission are encrypted. Though it has low transmission efficiency, network security is highly improved. SFTP function is disabled by default. Run following command to enable SFTP function in global configuration mode.
Command Purpose
ip sshd sftp Enable sftp function.
71
6.2.8 Enabling SSH Server
Ssh server is disabled by default. WHEN SSH server is enabled, a RSA key pair will be generated and then listens the connection request from SSH client. The whole process probably requires one or two minutes. The following command can be used in global configuration mode to enable SSH server:
Command Purpose
ip sshd enable Enable SSH server. The digit of the password is
1024.
6.3 Configuration Example of SSH Server
The following configuration allows the host whose IP is 192.168.20.40 to access SSH server, while the local user database will be used to authenticate the user.
6.3.1 ACL
ip access-list standard ssh-acl permit 192.168.20.40
6.3.2 Global Configuration
aaa authentication login ssh-auth local ip sshd auth-method ssh-auth ip sshd access-class ssh-acl
ip sshd enable
72
Chapter 7 Network Management Configuration
7.1 SNMP Configuration
7.1.1 Overview
The SNMP system includes the following 3 parts:
SNMP management server (NMS) SNMP agent (agent) MIB
SNMP is a protocol for the application layer.It provides the format for the packets which are transmitted between NMS and agent. SNMP management server is a part of the network management system, such as CiscoWorks. SNMP agent includes the MIB variable and the SNMP management server can be used to browse or change these variables’ values.The management server can get the values from the agent or save these variables in the agent.The agent collects data from MIB.MIB is the database of equipment parameters and network data.
73
SNMP Notification
When a special event occurs, the system will send an inform to the SNMP management server.For example, when the agent system runs into a incorrect condition, it will send a message to the management server. The SNMP notification can be sent as a trap or a inform request.Because the receiver receives a trap and does not send any response, the transmitter hence cannot confirm whether the trap is received. In this way, the trap is unreliable.Comparatively, the SNMP management server uses SNMP to respond PDU, which is acted as a response of this message.If the management server does not receive the inform request, it will not transmit a response.If the transmitter does not receives the response, it will transmit the inform request again.In this way, the inform has more chance to arrive the planned destination.
7.2 SNMP Tasks
Configuring idle time value Configuring the time value of waiting for acknowledgement Configuring busy time value of remote end Configuring time value of Response Configuring the time of reject
Configuring the redial times
Configuring the size of window for resend
Configuring the size of accumulated data packet  Setting the acknowledgement time-delay  Setting the maximum numbers of acknowledgement
Showing LLC2 link information
Debugging LLC2 link information
7.3 LLC2 Configuration Tast
7.3.1 Configuring Idle Time Value
The command is used for controlling the frequency of query at the idle time (no data exchanged) The command “no” can be used for restoring to the default value.
Command Purpose
llc2 idle-time
[no]
[seconds] Used for controlling the frequency of query at the idle
time (no data exchanged). seconds:The interval seconds of sending RR frame at the idle time. The maximum is 60 seconds, the minimum is 1 second, and the default is 10 seconds.
Configuration mode: Interface Configuration
Notes:
At idle time, no I (information) frame is exchanged and RR (receive ready) frame is sent to the remote end periodically to tell the remote end that the local end is ready to receive data. The relative small value should be set for ensuring the prompt advice to the remote end. If the value is set too small, too many RR frames is likely to be sent on the network.
Example: Setting RR frame sent every 12 seconds
74
int ethernet1/1 llc2 idle-time 12
7.3.2 Configuring the Time Value of Waiting for Acknowledgement
Command Purpose
llc2 t1-time
[no]
Configuration mode: Interface configuration
Notes:
When the local end sends I frame, it will wait for remote acknowledgement. If no acknowledgement is received within a given time, the I-frame will be resent. The relative big value should be set on the network where the data is transmitted at a slow rate.
Example:Setting 12 seconds as the time value of waiting for acknowledgement.
int ethernet1/1 llc2 t1-time 12
[seconds] Used for controlling the waiting time of expecting remote
acknowledgement. The command “no” can be used for restoring to the default value. of waiting for remote acknowledgement. The maximum is 60 seconds, the minimum is 1 second and the default is 1 second.
Seconds The seconds
7.3.3 Configuring Busy Time Value of Remote Terminal
Command Purpose
llc2 tbusy-time
[no]
[seconds] Used for controlling the waiting time when the remote
end is busy. The command “no” can be used for restoring to the default value. Seconds The waiting seconds when the remote end is busy. The maximum is 60 seconds, the minimum is 1 second and the default is 10 seconds.
Configuration mode: Interface configuration
Notes:
a LLC2 connective end is able to inform the opposite end that local end is busy and prevent the opposite end from sending data to local end by sending a RNR (receive not ready) The relative big value can be set for averting the timeout.
Example: Setting 12 seconds as the busy time value of remote end.
int ethernet1/1 llc2 tbusy-time 12
7.3.4 Configuring Time Value of Response
The command is used for controlling the time of waiting for the response of remote end. The command “no” can be used for restoring to the default value.
Command Purpose
llc2 tpf-time
[no]
[seconds] used for controlling the time of waiting for the response
of remote end. The command “no” can be used for restoring to the default value. Seconds :The seconds of waiting for the response of remote end. The maximum is 60 seconds, the minimum is 1 second, and the default is 1 second.
75
Configuration Mode: Interface Configuration
Notes:
A LLC2 connective end sometimes needs to know the status of opposite end. For this purpose, a command frame that requires a response from the opposite end needs to be sent. When the opposite end receives the command frame, it will reply a response frame. If the error occurs in the process, the send end will keep waiting. In order to avoid the situation, a clock needs to be enabled. When the arrival time is hit, the clock will think that the error occurs and it will send a separate command frame. The command is used for setting the time of waiting for the response of the opposite end to the command frame.
Example: Setting 12 seconds as the time of waiting for the response of the opposite end.
int ethernet1/1 llc2 tpf-time 12
7.3.5 Configuring the Time of Rejection
The command is
Command Purpose
llc2 trej-time
[no]
[seconds] Used for controlling the time of waiting for the response
of remote end to the reject frame. The command “no” can be used for restoring to the default value. Seconds: The seconds of waiting when the remote end is busy. The maximum is 60 seconds, the minimum is 1 second and the default is 3 seconds.
Configuration mode: Interface configuration
Notes:
The data receive and send on the two ends of LLC2 link is carried out on the set sequence. When a LLC2 connective end receives I frame of opposite end whose sequence number is not the expected one, it will send a REJ (reject) frame and enable a clock. If no response is made at the arrival time, LLC2 link will be disconnected. The command is used for setting the time of waiting for the response of the opposite end to the REJ (reject) frame.
Example: Setting 12 seconds as the waiting time.
int ethernet1/1 llc2 trej-time 12
7.3.6 Configuring the Redial Times
The command is
Command Purpose
llc2 n2 retry-count
[no]
Used for controlling the times of re-sending the frame.
The command “no” can be used for restoring to the default value. retry-count:The times of resending frame. The maximum is 255, the minimum is 1 and the default is 8.
Configuration mode: Interface configuration
Notes:
When one end of LLC2 sends the data to the opposite end, it will wait for the acknowledgement of the opposite end. If the opposite end does not send the acknowledgement within a given time, the local end will resend the data. But the time of resend shall be limited. When the value of resend times exceeds retry-count, LLC2 will be disconnected. The command is used for setting the times of retry-count.
76
Example: Setting the times of re-send as 12
int ethernet1/1 llc2 n2 12
7.3.7 Configuring the Size Of Window for Resending
The command is
Command Purpose
llc2 local-window packet-count
[no]
Configuration mode: Interface configuration
Notes:
When one end of LLC2 link sends data to the opposite end, it can only send a certain amount of data before waiting for the acknowledgement of the opposite end. The command is used for setting the maximum value. When the set value is too big, it may lead to the loss of data because the opposite end is not able to receive all the data.
Used for controlling the maximum size of I frame send (namely the size of window for resend) when I frame is not confirmed. The command “no” can be used for restoring to the default value. packet-count:The maximum size of I frame send. The maximum is 127, the minimum is 1 and the default is 7.
Example: Setting the size of send window as 12.
int ethernet1/1 llc2 local-window 12
7.3.8 Configuring the Size of Accumulated Data Packet
The command is
Command Purpose
llc2 holdqueue [packet-count
[no]
Configuration mode: Interface configuration
Notes:
When the opposite end is busy, one end of LLC2 link is not able to send data (I frame). All the data shall be reserved before the busyness of the opposite end is cleared. But the reserved amount is limited. The command is used for setting the data amount to be reserved.
Example: Setting maximum data amount to be reserved as 120.
int ethernet1/1 llc2 holdqueue 120
] Used for controlling the maximum local accumulated
size of data packet when I frame (the remote end is busy) cannot be sent. The command “no” can be used for restoring to the default value. packet-count:The maximum size of data packets reserved by I frame when I frame is not confirmed.
7.3.9 Setting the Acknowledgement Time-Delay
When an I-frame (information frame) is received, an acknowledgement frame shall be sent immediately. In order to reduce the unnecessary acknowledgement, the acknowledgement can be delayed. If information frame is sent, an information frame will be sent as an acknowledgement instead of acknowledge frame. When
77
the information frame sent by the opposite end exceeds the acknowledged maximum size, an acknowledge frame will be sent immediately rather than at the timeout. The command below can be used for setting the value.
Command Purpose
llc2 ack-delay-time
seconds Setting the acknowledgement time-delay
7.3.10 Setting the Maximum Numbers of Acknowledgement
When the information frame sent by the opposite end exceeds the maximum number of acknowledgement in the process of acknowledging the time delay, the acknowledgement frame shall be sent immediately for clearing the network timeout perceived by the opposite end. The command below can be used for setting the value.
Command Purpose
llc2 ack-max
number Setting the acknowledgement time-delay.
7.3.11 Showing LLC2 Link Information
Command Purpose
show llc interface [type
Configuration Mode: Interface, configuration and global
Notes:
number] Used for showing the related information of LLC2 link
connection.
Showing the related information of LLC2 link connection. Under interface mode, the command “show llc” is used for displaying LLC2 link information of the interface.
Example: Under interface mode, the command “show llc” is used for showing llc2 information on ethernet1/1.
int ethernet1/1 sho llc ethernet1/1
7.3.12 Debugging LLC2 Link Information
The command is
Command Purpose
debug llc2 [packet|error|state
Configuration mode: Management Mode
Notes:
packet,Opening the debug switch of LLC2 link status information
Example, opening the debug switch of LLC2 link.
debug llc2 packet debug llc2 state debug llc2 error
] Used for opening LLC2 debug switch.
78
7.4 Example of LLC2 Configuration
The number of LLC2 frame received before the response can be configured. For example, it is supposed that two information frames are received at the time 0 rather than at the maximum number 3, the responses of these frames are not sent. If the third frame that makes the router response is not received within 800 ms, the response will be transmitted as the time-delay timer is activated.
interface interface e1/1 llc2 ack-max 3 llc2 ack-delay-time 800
In this connection, as it is told that all the frames are received, the counter that calculates the maximum number of information frame is reset as 0.
7.4.1 Configuring SDLC as Two-Way and Concurrent Mode
SDLC two-way and concurrent mode allows master SDLC link station to use a full duplex serial circuit. When an outstanding polling occurs, the master SDLC link station is able to send the data to the slave station. The two-way and concurrent mode works only on the side of SDLC master station. In the slave link station, it response to the polling sent from the master station. SDLC two-way and concurrent mode runs in the multi-branch link environment or point-to-point link environment. In the multi-branch link environment, a two-way and concurrent master station is able to poll a slave station and receive the data from the slave station and send the data (information frame) to other slave stations. In the point-to-point link environment, so long as no maximum limit on reaching the window, a two-way and concurrent master station is able to send the data (information frame) to the slave station even if there is an outstanding polling. Any one of the commands can be used under interface configuration mode for activating the two-way and concurrent mode:
Command Purpose
sdlc simultaneous full-datamode
sdlc simultaneous half-datamode
Setting the send of data from master station to the
polled slave station and receive of data from it.
Shutting down the master station sending the data to the slave station.
7.4.2 Configuring SDLC Timer and Re-Sending Times
When SDLC workstation sends frame, it will wait for the response of receive end. The response indicates the frame has been received. The response time allowed by the router before re-sending frame can be amended. The times of re-sending the frame by the software can be set before terminating SDLC session process. Through controlling these values, by controlling these values, the network overhead can be reduced in continuing to detect the transmitted frame. One or two commands below can be used under interface configuration mode for configuring SDLC timer and retransmission times:
Command Purpose
79
sdlc t1
milliseconds Controlling the total time of software of waiting for
response.
sdlc n2 retry-count
Configuring the times of software of retrying a timeout
operation.
7.4.3 Configuring the Number of SDLC Frame and Information Frame
The maximum length of input frame and the maximum number of the information frame (or the size of window) received before router sends response to the receive end can be configured. When the configured value is relative big, the network overhead can be reduced. The command below can be used under interface configuration mode for configuring SDLC frame and number of information frame.
Command Purpose
sdlc n1
bit-count Configuring the maximum length of input frame
sdlc k
window-size Configuring the size of local window of router
sdlc
poll-limit-value
count
Configuring the times of master station’s polling to the
slave station.
7.4.4 Controlling the Size of Cache
The size of cache can be controlled. The cache is used for storing the data that is not decided to be sent to remote SDLC station. The command is especially useful in SDLC protocol convert equipment that implements the communication between SNA workstation whose link layer protocol is LLC2 in token-ring local area network (LAN) and SNA workstation whose link layer protocol is SDLC on serial link. The frame length and the size of window on the token-ring are usually much bigger than the acceptable ones on the serial link. What’s more, the serial link is slower than token-ring. In order to control the accumulation problem produced in the high-speed data transmission from token-ring to serial link, the command below can be used on the basis of each address under interface configuration mode:
Command Purpose
sdlc holdqueue address queue-size
Setting the maximum quantity of the data packets stored in the sequence before transmission.
7.4.5 Controlling the polling of slave station
The interval of router’s polling to the slave station, the length of time of sending data from master station to slave station and how long the software polls a slave station before moving to the next station can be controlled. The following points should be noted in using these commands: Only when the slave station is polled by the master station, the data can be transmitted. When the polling terminates and the value of timer is too big, the response time of slave station will add. When the value of the timer is reduced too small, it will lead to the congestion of serial link and data flood due to the excessive and unnecessary polling frames sent from the slave station, which takes the extra CPU time for dealing with them. The communication efficiency between master station and single slave station can be improved by increasing
80
the limit value of polling, but it may delay the polling to other slave stations. One or more commands below can be used under interface configuration mode for controlling the polling of slave station:
Command Purpose
sdlc poll-pause-timer
sdlc poll-limit-value count
milliseconds Configuring the waiting time interval of router’s polling
to two slave stations on some single serial port.
Configuring the times of a master station’s polling to slave station.
The “def” format of these commands can be used for restoring to the default polling value.
7.4.6 Configuring SDLC Interface as Half-Duplex Mode
Under default state, SDLC interface runs under full duplex mode. The command below can be used under interface configuration mode for configuring SDLC interface as half-duplex mode.
Command Purpose
half-duplex
Configuring SDLC interface as half-duplex mode.
7.4.7 Configuring XID Value
XID value set in the router shall be consistent with the corresponding parameter set on token-ring host with which SDLC equipment will communicate and shall match with the corresponding system parameter in IDBLK and IDNUM defined in VTAM of token ring host.
Notes:
Configuring XID value will affect the attribute of the interface. If XID value is configured, it means that the equipment connected with the interface is Pu2.0. XID value can be configured after the port is shut down.
The command below can be used under interface configuration mode for configuring XID value.
Command Purpose
sdlc xid address xid
Designating XID value related to SDLC station.
7.4.8 Configuring the Maximum Value of SDLC Information Frame
Normally, the router and SDLC equipment that interacts with router protocol shall support the same and maximum length of SDLC information frame. The bigger the value is, the more efficient the link is used and the performance will be better. After SDLC equipment is configured with the maximum possible information frame to be sent, the router shall be configured for supporting the same maximum length of information frame. The default value is 265 bytes. The maximum value supported by the software must be smaller than the maximum frame value of LLC2 defined at the time of configuring the maximum length of LLC2 information frame. The command below can be used under interface configuration mode for configuring the maximum value of SDLC information frame:
81
Command Purpose
sdlc sdlc-largest-frame
address size Configuring the maximum length of information frame
that can be sent or received by the designated SDLC station.
7.4.9 Monitoring SDLC Workstation
The command below can be used under management mode for monitoring the configuration of SDLC workstation and deciding which SDLC parameter needs to be adjusted.
Command Purpose
show interfaces
Showing configuration information of SDLC workstation.
82
Chapter 8 AAA Configuration
8.1 AAA Overview
Access control is used to control the users to access SWITCH or NAS and to limit their service types. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your SWITCH or access server.
8.1.1 AAA Security Service
AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services:
Authentication: It is a method of identifying users, including username/password inquiry and
encryption according to the chosen security protocol. Authentication is a method to distinguish the user’s identity before users access the network
and enjoy network services. AAA authentication can be configured through the definition of an authentication method list and then application of this method list on all interfaces. This method list defines the authentication type and the execution order; any defined authentication method list must be applied on a specific interface before it is executed. The only exception is the default authentication method list (which is named default). If there are no other authentication method lists, the default one will be applied on all interfaces automatically. If anyone is defined, it will replace the default one. For how to configure all authentications, see “Authentication Configuration”.
Authorization: it is a remote access control method to limit user’s permissions.
AAA authorization takes effect through a group of features in which a user is authorized with some permissions. Firstly, the features in this group will be compared with the information about a specific user in the database, then the comparison result will be returned to AAA to confirm the actual permissions of this user. This database can be at the accessed local server or SWITCH, or remote Radius/TACACS+ server. The Radius or TACACS+ server conducts user authorization through a user-related attribute-value peer. The attribute value (AV) defines the allowably authorized permissions. All authorization methods are defined through AAA. Like authentication, an authorization method list will be first defined and then this list will be applied on all kinds of interfaces. For how to carry on the authorization configuration, see “Authorization Configuration”.
Accounting: it is a method to collect user’s information and send the information to the
security server. The collected information can be used to open an account sheet, make auditing and form report lists, such as the user ID, start/end time, execution commands, and the number of packets or bytes.
The accounting function can track the services that users access, and at the same time track the service-consumed network resource number. When AAA accounting is activated, the access server can report user’s activities to the TACACS+ or Radius server in way of accounting. Each account contains an AV peer, which is stored on the security server. The data can be used for network management, client's accounting analysis or audit. Like authentication and authorization, an accounting method list must be first defined and then applied on different interfaces. For how to carry on the accounting configuration, see “Accounting Configuration”.
8.1.2 Benefits of Using AAA
AAA provides the following benefits:
Increased flexibility and control of access configuration  Scalability
83
Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos  Multiple backup systems
8.1.3 AAA Principles
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
8.1.4 AAA Method List
To configure AAA, define a named method list first and then apply it to the concrete service or interface. This method list defines the running AAA type and their running sequence. Any defined method list must be applied to a concrete interface or service before running. The only exception is the default method list. The default method list is automatically applied to all interfaces or services. Unless the interface applies other method list explicitly, the method list will replace the default method list. A method list is a sequential list that defines the authentication methods used to authenticate a user. In AAA method list you can specify one or more security protocols. Thus, it provides with a backup authentication system, in case the initial method is failed. Our SWITCH software uses the first method listed to authenticate users; if that method does not respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or the authentication method list is exhausted, in which case authentication fails. It is important to notice that the SWITCH software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local user name database responds by denying the user access— the authentication process stops and no other authentication methods are attempted. The following figures shows a typical AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers, and T1 and T2 are TACACS+ servers. Take the authentication as an example to demonstrate the relation between AAA service and AAA method list.
Figure 8-1 Typical AAA Network Configuration
In this example, default is the name of the method list, including the protocol in the method list and the request
84
sequence of the method list follows the name. The default method list is automatically applied to all interfaces. When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 does not respond, then the network access server processes that as an ERROR and queries R2 for authentication information. This pattern continues through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated. A FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list. Suppose the system administrator wants to apply the method list to a certain or a specific port. In such case, the system administrator should create a non-default method list and then apply the list of this name to an appropriate port.
8.1.5 AAA Configuration Process
You must first decide what kind of security solution you want to implement. You need to assess the security risks in your particular network and decide on the appropriate means to prevent unauthorized entry and attack. Before you configure AAA, you need know the basic configuration procedure. To do AAA security configuration on SWITCH or access servers, perform the following steps:
If you decide to use a security server, configure security protocol parameters first, such as
RADIUS, TACACS+, or Kerberos.
Define the method lists for authentication by using an AAA authentication command.  Apply the method lists to a particular interface or line, if required.  (Optional) Configure authorization using the aaa authorization command.  (Optional) Configure accounting using the aaa accounting command.
8.2 Authentication Configuration
8.2.1 AAA Authentication Configuration Task List
Configuring Login Authentication Using AAA  Configuring PPP Authentication Using AAA  Enabling Password Protection at the Privileged Level  Configuring Message Banners for AAA Authentication  Modifying the Notification Character String for Username Input  Modifying AAA authentication password-prompt  Creating local user name authentication database  Creating the Authentication Database with the Local Privilege
85
8.2.2 AAA Authentication Configuration Task
General configuration process of AAA authentication To configure AAA authentication, perform the following configuration processes:
(1) If you decide to use a separate security server, configure security protocol parameters, such
as RADIUS, or TACACS+. Refer to the relevant section for the concrete configuration methods.
(2) Configuring Authentication Method List Using aaa authentication (3) If necessary, apply the accounting method list to a specific interface or line.
86
Configuring Login Authentication Using AAA
The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login command to enable AAA authentication no matter which of the supported login authentication methods you decide to use. With the aaa authentication login command, you create one or more lists of authentication methods that are tried at login. These lists are applied using the login authentication line configuration command. After the authentication method lists are configured, you can apply these lists by running login authentication. You can run the following command in global configuration mode to start the configuration:
Command Purpose
aaa authentication login {default
name}method1 [method2...]
line
console
{
line-number]
login authentication {default
vty
|
} line-number [ending-
| list-
| list-name}
Enables AAA globally.
Enter the configuration mode of a line.
Applies the authentication list to a line or set of lines. (In the line configuration mode)
The list-name is a character string used to name the list you are creating. The key word method specifies the actual method of the authentication method. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line. The default parameter can create a default authentication list, which will be automatically applied to all interfaces. For example, to specify that authentication should succeed even if (in this example) the TACACS+ server returns an error, enter the following command:
aaa authentication login default group radius
Note:
Because the none keyword enables any user logging in to successfully authenticate, it should be used only as a backup method of authentication.
If you cannot find the authentication method list, you can only login through the console port. Any other way of login is in accessible. The following table lists the supported login authentication methods:
Keyword Notes:
enable Uses the enable password for authentication. group name Uses named server group for authentication.
group radius Uses RADIUS for authentication.
group tacacs+ Uses group tacacs+ for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
localgroup Uses the local strategy group username database for authentication.
local-case Uses case-sensitive local user name authentication.
none Passes the authentication unconditionally.
(1) Using the enable password to carry on the login authentication:
87
To specify the enable password as the user authentication method, run the following command:
aaa authentication login default enable
(2) Using the line password to login
Use the aaa authentication login command with the line method keyword to specify the line password as the login authentication method. For example, to specify the line password as the method of user authentication at login when no other method list has been defined, enter the following command:
aaa authentication login default line
Before you can use a line password as the login authentication method, you need to define a line password.
(3) Using the local password to carry on the login authentication:
When you run aaa authentication login, you can use the keyword “local” to designate the local database as the login authentication method. For example, if you want to specify the local username database as the user authentication method and not define any other method, run the following command:
aaa authentication login default local For information about adding users into the local username database, refer to the section
"Establishing Username Authentication" in this chapter.
(4) Login Authentication Using RADIUS
Use the aaa authentication login command with the group radius method to specify RADIUS as the login authentication method. For example, to specify RADIUS as the method of user authentication at login when no other method list has been defined, enter the following command:
aaa authentication login default group radius Before you can use RADIUS as the login authentication method, you need to enable
communication with the RADIUS security server. For more information about establishing communication with a RADIUS server, refer to the chapter "Configuring RADIUS."
88
Enabling Password Protection at the Privileged Level
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged EXEC command level. You can specify up to four authentication methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line. Use the following command in global configuration mode:
Command Purpose
aaa authentication enable default
[method2...]
method1
Enables user ID and password checking for users requesting privileged EXEC level.
The method argument refers to the actual list of methods the authentication algorithm tries, in the sequence entered. The following table lists the supported enable authentication methods:
Keyword Notes
enable Uses the enable password for authentication. group group-name Uses named server group for authentication.
group radius Uses RADIUS authentication.
group tacacs+ Uses tacacs+ for authentication.
line Uses the line password for authentication.
none Passes the authentication unconditionally.
When configuring enable authentication method as the remote authentication, use RADIUS for authentication. Do as follows:
(5) Uses RADIUS for enable authentication:
The user name for authentication is $ENABLElevel$; level is the privileged level the user enters, that is, the number of the privileged level after enable command. For instance, if the user wants to enter the privileged level 7, enter command enable 7; if configuring RADIUS for authentication, the user name presenting to Radius-server host is $ENABLE7$; the privileged level of enable is 15 by default, that is, the user name presenting to Radius-server host in using RADIUS for authentication is $ENABLE15$. The user name and the password need to configured on Radius-server host in advance. The point is that in user database of Radius-server host, the Service-Type of the user specifying the privileged authentication is 6, that is, Admin-User.
89
Configuring Message Banners for AAA Authentication
The banner of configurable, personal logon or failed logon is supported. When AAA authentication fails during system login, the configured message banner will be displayed no matter what the reason of the failed authentication is.
90
Configuring the registration banner
Run the following command in global configuration mode.
Command Purpose
aaa authentication banner
string delimiter
delimiter text-
Configures a personal logon registration banner.
91
Configuring the banner of failed logon
Run the following command in global configuration mode.
Command Purpose
aaa authentication fail-message
text-string delimiter
delimiter
Configures a personal banner about failed logon.
92
Usage Guidelines
When creating a banner, you need to configure a delimiter and then to configure the text string itself. The delimiter is to notify that the following text string will be displayed as the banner. The delimiter appears repeatedly at the end of the text character string, indicating that the banner is ended.
93
Modifying the Notification Character String for Username Input
To modify the default text of the username input prompt, run aaa authentication username-prompt. You can run no aaa authentication username-prompt to resume the password input prompt.
username
The aaa authentication username-prompt command does not change any prompt information provided by the remote TACACS+ server or the RADIUS server. Run the following command in global configuration mode:
Command Purpose
aaa authentication username-prompt
string
text-
Modifies the default text of the username input prompt.
94
Modifying AAA authentication password-prompt
To change the text displayed when users are prompted for a password, use the aaa authentication password­prompt command. To return to the default password prompt text, use the no form of this command. You can run no aaa authentication username-prompt to resume the password input prompt.
password
The aaa authentication password-prompt command does not change any prompt information provided by the remote TACACS+ server or the RADIUS server. Run the following command in global configuration mode:
Command Purpose
aaa authentication password-prompt
string
text-
String of text that will be displayed when the user is prompted to enter a password.
95
Creating the Authentication Database with the Local Privilege
To create the enable password database with the local privilege level, run enable password { [encryption-type] encrypted-password} [level level] in global configuration mode. To cancel the enable password database, run no enable password [level level].
enable password { [encryption-type] encrypted-password} [level level] no enable password [level level]
8.2.3 AAA Authentication Configuration Example
96
RADIUS Authentication Example
The following example shows how to configure the SWITCH to authenticate and authorize using RADIUS:
aaa authentication login radius-login group radius local aaa authorization network radius-network group radius line vty 3 login authentication radius-login
The meaning of each command line is shown below:
The aaa authentication login radius-login group radius local command configures the
SWITCH to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database.
The aaa authorization network radius-network group radius command queries RADIUS for
network authorization, address assignment, and other access lists.
The login authentication radius-login command enables the radius-login method list for line
3.
8.3 Authorization Configuration
8.3.1 AAA Authorization Configuration Task List
Configuring EXEC authorization through AAA
8.3.2 AAA Authorization Configuration Task
97
General configuration process of AAA authorization
To configure AAA authorization, perform the following configuration processes
(6) If you decide to use a separate security server, configure security protocol parameters, such
as RADIUS, or TACACS+. Refer to the relevant section for the concrete configuration methods.
(7) Run aaa authorization to define the authorization method list. The authorization service is
not provided by default.
(8) If necessary, apply the accounting method list to a specific interface or line.
98
Configuring EXEC authorization through AAA
To enable AAA authorization, run aaa authorization. The aaa authorization exec command can create one or several authorization method lists and enable the EXEC authorization to decide whether the EXEC hull program is run by the users or not, or decide whether the users are authorized with the privilege when entering the EXEC hull program. After the authorization method lists are configured, you can apply these lists by running login authorization. You can run the following command in global configuration mode to start the configuration:
Command Purpose
aaa authorization exec {default
name}method1 [method2...]
line [console
number]
login authorization {default
vty
|
] line-number [ending-line-
| list-
| list-name}
Creates the global authorization list.
Enter the configuration mode of a line.
Applies the authorization list to a line or set of lines. (In the line configuration mode)
The list-name is a character string used to name the list you are creating. The method keyword is used to designate the real method for the authorization process. Only when the previously-used method returns the authorization error can other authorization methods be used. If the authorization fails because of the previous method, other authorization methods will not be used. If you requires the EXEC shell to be entered even when all authorization methods returns the authorization errors, designate none as the last authorization method in the command line. The default parameter can create a default authentication list, which will be automatically applied to all interfaces. For example, you can run the following command to designate RADIUS as the default authorization method of EXEC:
aaa authorization exec default group radius
Note:
If the authorization method list cannot be found during authorization, the authorization will be directly passed without the authorization service conducted. The following table lists currently-supported EXEC authorization methods:
Keyword Notes:
group WORD Uses the named server group to conduct authorization.
group radius Uses RADIUS authorization.
group tacacs+ Uses tacacs+ authorization.
local Uses the local database to perform authorization.
if-authenticated Automatically authorizes the authencated user with all required functions.
none Passes the authorization unconditionally.
8.3.3 AAA Authorization Examples
99
Example of Local EXEC Authorization
The following example shows how to perform the local authorization and local authorization by configuring the SWITCH:
aaa authentication login default local aaa authorization exec default local ! localauthor a1 exec privilege default 15 ! local author-group a1 username exec1 password 0 abc username exec2 password 0 abc author-group a1 username exec3 password 0 abc maxlinks 10 username exec4 password 0 abc autocommand telnet 172.16.20.1 !
The following shows the meaning of each command line:
The aaa authentication login default local command is used to define the default login-
authentication method list, which will be automatically applied to all login authentication services.
The command is used to define the default EXEC authorization method list, which will be
automatically applied to all users requiring to enter the EXEC shell.
Command localauthor al defines a local authority policy named al. Command exec privilege
default 15 means the privileged level of exec login user is 15 by default.
Command local author-group a1 means apply the local authorization policy a1 to global
configuration (the default local policy group).
Command username exec1 password 0 abc defines an account exec1 with password abc
in the global configuration mode.
Command username exec2 password 0 abc author-group a1 defines an account exec 2 with
password abc in the global configuration mode. The account is applied to the local authorization policy a1.
Command username exec3 password 0 abc maxlinks 10 defines an account exec 3 with
password abc in the global configuration mode. The account makes 10 users available simultaneously.
Command username exec4 password 0 abc autocommand telnet 172.16.20.1 defines an
account exec4 with password abc. telnet 172.16.20.1 is automatically run when the user login the account.
8.4 AAA Accounting Configuration
8.4.1 AAA Accounting Configuration Task List
Configuring Connection Accounting using AAA  Configuring Network Accounting using AAA
8.4.2 AAA Accounting Configuration Task
100
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use