
3Com® Switch 4500G Family

Configuration Guide
4500G 24-Port (3CR17761-91)
4500G 48-Port (3CR17762-91)
4500G 24-Port PWR (3CR17771-91)
4500G 48-Port PWR (3CR17772-91)

www.3Com.com
Part Number: 10014900 Rev. AA
Published: October 2006
3Com Corporation
350 Campus Drive
Marlborough, MA
USA 01752-3064

Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or
by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written
permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time
without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,
and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement
included with the product as a separate document, in the hard copy documentation, or on the removable media in a
directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will
be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is
delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item”
as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial
license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or
FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided
on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered
in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
Funk RADIUS is a registered trademark of Funk Software, Inc.
Aegis is a registered trademark of Aegis Group PLC.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are
registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a
registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed
to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully
biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are
vegetable-based with a low heavy-metal content.
CONTENTS

ABOUT THIS GUIDE
Organization of the Manual
Intended Readership
Conventions
Related Documentation

1 LOGGING INTO AN ETHERNET SWITCH
Logging into an Ethernet Switch
Introduction to the User Interface

2 LOGGING IN THROUGH THE CONSOLE PORT
Introduction
Setting up the Connection to the Console Port
Console Port Login Configuration
Console Port Login Configuration with Authentication Mode Being None
Console Port Login Configuration with Authentication Mode Being Password
Console Port Login Configuration with Authentication Mode Being Scheme

3 LOGGING IN THROUGH TELNET
Introduction
Telnet Configuration with Authentication Mode Being None
Telnet Configuration with Authentication Mode Being Password
Telnet Configuration with Authentication Mode Being Scheme
Telnet Connection Establishment

4 LOGGING IN USING MODEM
Introduction
Configuration on the Administrator Side
Configuration on the Switch Side
Modem Connection Establishment

5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM
Introduction
HTTP Connection Establishment
Web Server Shutdown/Startup

6 LOGGING IN THROUGH NMS
Introduction
Connection Establishment Using NMS

7 CONTROLLING LOGIN USERS
Introduction
Controlling Telnet Users
Controlling Network Management Users by Source IP Addresses
Controlling Web Users by Source IP Address

8 BASIC SYSTEM CONFIGURATION AND MAINTENANCE
Command Line Feature
Basic System Configuration
Displaying the System Status

9 SYSTEM MAINTENANCE AND DEBUGGING
System Maintenance and Debugging Overview
System Maintenance and Debugging Configuration
System Maintenance Example

10 DEVICE MANAGEMENT
Introduction to Device Management
BootROM and Host Software Loading
Device Management Configuration
Displaying the Device Management Configuration
Remote Switch Update Configuration Example

11 FILE SYSTEM MANAGEMENT
File System Management
Configuration File Management
FTP Configuration
TFTP Configuration

12 VLAN CONFIGURATION
VLAN Overview
Basic VLAN Configuration
Basic VLAN Interface Configuration
Port-Based VLAN Configuration
Displaying VLAN Configuration
VLAN Configuration Example

13 VOICE VLAN CONFIGURATION
Voice VLAN Overview
Voice VLAN Configuration
Displaying and Maintaining Voice VLAN
Voice VLAN Configuration Example

14 GVRP CONFIGURATION
Introduction to GARP
Configuring GVRP
Displaying and Maintaining GVRP
GVRP Configuration Example

15 ETHERNET INTERFACE CONFIGURATION
General Ethernet Interface Configuration
Maintaining and Displaying an Ethernet Interface

16 LINK AGGREGATION CONFIGURATION
Link Aggregation Overview
Configuring Link Aggregation
Displaying and Maintaining Link Aggregation
Link Aggregation Configuration Example

17 PORT ISOLATION CONFIGURATION
Port Isolation Overview
Port Isolation Configuration
Displaying Port Isolation Configuration
Port Isolation Configuration Example

18 MAC ADDRESS TABLE MANAGEMENT
Introduction to Managing MAC Address Table
Configuring the MAC Address Table
Displaying and Maintaining the MAC Address Table
MAC Address Table Management Configuration Example

19 MSTP CONFIGURATION
MSTP Overview
Configuring the Root Bridge
Configuring Leaf Nodes
Performing mCheck
MSTP Configuration Example

20 IP ADDRESSING CONFIGURATION
Configuring IP Addresses
Displaying IP Addressing

21 IP PERFORMANCE CONFIGURATION
Introduction to IP performance
Configuring TCP attributes
Configuring sending ICMP error packets
Permitting Receiving and Forwarding of Directed Broadcast Packets
Displaying and maintaining IP performance

22 IP ROUTING OVERVIEW
IP Routing and Routing Table
Routing Protocol Overview
Displaying and Maintaining a Routing Table

23 STATIC ROUTING CONFIGURATION
Introduction
Configuring Static Route
Displaying and Maintaining Static Routes
Example of Static Routes Configuration

24 RIP CONFIGURATION
RIP Overview
RIP Basic Configuration
RIP Route Control
RIP Configuration Optimization
Displaying and Maintaining RIP
RIP Configuration Example
Troubleshooting RIP Configuration

25 ROUTING POLICY CONFIGURATION
Introduction to Routing Policy
Defining Filtering Lists
Configuring a Routing Policy
Displaying and Maintaining the Routing Policy
Routing Policy Configuration Example
Troubleshooting Routing Policy Configuration

26 802.1X CONFIGURATION
802.1x Overview
Configuring 802.1x
Configuring GuestVlan
Displaying and Maintaining 802.1x
802.1x Configuration Example
Typical GuestVlan Configuration Example

27 ABP CONFIGURATION
Introduction to ABP
ABP Server Configuration
ABP Client Configuration
Displaying ABP

28 MAC AUTHENTICATION CONFIGURATION
MAC Authentication Overview
Configuring MAC Authentication
Displaying and Maintaining MAC Authentication
MAC Authentication Configuration Example

29 AAA, RADIUS, AND TACACS+ CONFIGURATION
Overview
Configuration Tasks
AAA Configuration
RADIUS Configuration
TACACS+ Configuration
Displaying and Maintaining AAA & RADIUS & TACACS+ Information
AAA & RADIUS & TACACS+ Configuration Example
Troubleshooting AAA & RADIUS & TACACS+ Configuration

30 IGMP SNOOPING CONFIGURATION
IGMP Snooping Overview
IGMP Snooping Configuration Tasks
Configuring Basic Functions of IGMP Snooping
Configuring Port Functions
Configuring IGMP-Related Functions
Configuring a Multicast Group Policy
Displaying and Maintaining IGMP Snooping
IGMP Snooping Configuration Examples
Troubleshooting IGMP Snooping Configuration

31 MULTICAST VLAN CONFIGURATION
Multicast VLAN

32 ARP CONFIGURATION
ARP Overview
Configuring ARP
Configuring Gratuitous ARP
Displaying and Maintaining ARP

33 PROXY ARP CONFIGURATION
Proxy ARP Overview
Enabling Proxy ARP
Displaying and Maintaining Proxy ARP

34 DHCP OVERVIEW
Introduction to DHCP
DHCP Address Allocation
DHCP Message Format
Protocols and Standards

35 DHCP RELAY AGENT CONFIGURATION
Introduction to DHCP Relay Agent
Configuring the DHCP Relay Agent
Displaying and Maintaining the DHCP Relay Agent Configuration
DHCP Relay Agent Configuration Example
Troubleshooting DHCP Relay Agent Configuration

36 DHCP CLIENT CONFIGURATION
Introduction to DHCP Client
Enabling the DHCP Client on an Interface
Displaying the DHCP Client
DHCP Client Configuration Example

37 DHCP SNOOPING CONFIGURATION
DHCP Snooping Overview
Configuring DHCP Snooping
Displaying DHCP Snooping
DHCP Snooping Configuration Example

38 BOOTP CLIENT CONFIGURATION
Introduction to BOOTP Client
Configuring an Interface to Dynamically Obtain an IP Address through BOOTP
Displaying BOOTP Client Configuration

39 ACL OVERVIEW
ACL Overview
Time-Based ACL
IPv4 ACL

40 IPV4 ACL CONFIGURATION
Creating a Time Range
Configuring a Basic IPv4 ACL
Configuring an Advanced IPv4 ACL
Configuring an Ethernet Frame Header ACL
Displaying and Maintaining IPv4 ACLs
IPv4 ACL Configuration Example

41 QOS OVERVIEW
Introduction
Traditional Packet Delivery Service
New Requirements Brought forth by New Services
Occurrence and Influence of Congestion and the Countermeasures
Major Traffic Management Techniques
LR Configuration

42 QOS POLICY CONFIGURATION
Overview
Configuring QoS Policy
Introducing Each QoS Policy
Configuring QoS Policy
Displaying QoS Policy

43 CONGESTION MANAGEMENT
Overview
Congestion Management Policy
Configuring SP Queue Scheduling
Configuring WRR Queue Scheduling
Configuring SP+WRR Queue Scheduling

44 PRIORITY MAPPING
Overview
Configuring Port Priority
Displaying Priority Mapping Table

45 VLAN POLICY CONFIGURATION
Overview
Applying VLAN Policies
Displaying and Maintaining VLAN Policy
VLAN Policy Configuration Example

46 TRAFFIC MIRRORING CONFIGURATION
Overview
Configuring Traffic Mirroring to Port
Displaying Traffic Mirroring Configuration
Traffic Mirroring Configuration Example

47 PORT MIRRORING CONFIGURATION
Introduction to Port Mirroring
Configuring Local Port Mirroring
Displaying Port Mirroring
Examples of Typical Port Mirroring Configuration

48 GMP V2 CONFIGURATION
Introduction to GMP V2
GMP V2 Configuration Task Overview
Management Device Configuration
Configuring Member Devices
Displaying and Maintaining a Cluster
GMP V2 Configuration Example

49 SNMP CONFIGURATION
SNMP Overview
Configuring Basic SNMP Functions
Trap Configuration
Displaying and Maintaining SNMP
SNMP Configuration Example

50 RMON CONFIGURATION
RMON Overview
Configuring RMON
Displaying and Maintaining RMON
RMON Configuration

51 NTP CONFIGURATION
NTP Overview
Configuring the Operation Modes of NTP
Configuring Optional Parameters of NTP
Configuring Access-Control Rights
Configuring NTP Authentication
Displaying and Maintaining NTP
NTP Configuration Examples

52 DNS CONFIGURATION
DNS Overview
Configuring Static Domain Name Resolution
Configuring Dynamic Domain Name Resolution
Displaying and Maintaining DNS
Troubleshooting DNS Configuration

53 INFORMATION CENTER
Information Center Overview
Configuring Information Center
Displaying and Maintaining Information Center
Information Center Configuration Example

54 NQA CONFIGURATION
NQA Overview
Configuring NQA Tests
Configuring Optional Parameters for NQA Tests
Displaying and Maintaining NQA

55 SSH TERMINAL SERVICE
SSH Overview
Configuring the SSH Server
Configuring the SSH Client
Configuring the Device as an SSH Client
Displaying and Maintaining the SSH Protocol
SSH Configuration Example
SSH Client Configuration Example

56 SFTP SERVICE
SFTP Overview
Configuring the SFTP Server
Configuring the SFTP Client
SFTP Configuration Example

57 UDP HELPER CONFIGURATION
Introduction to UDP Helper
Configuring UDP Helper
Displaying and Maintaining UDP Helper
UDP Helper Configuration Example

58 SSL CONFIGURATION
SSL Overview
Configuring an SSL Server Policy
Configuring an SSL Client Policy
Displaying and Maintaining SSL
Troubleshooting SSL Configuration

59 HTTPS SERVER CONFIGURATION
HTTPS Server Overview
Enabling the Functions of HTTPS Server
Associating HTTPS Server with Certificate Access Control Policy
Associating HTTPS Server with ACL
Displaying and Maintaining HTTPS Server
Configuration Examples for HTTPS Server

60 PKI CONFIGURATION
Introduction to PKI
Introduction to PKI Configuration Task
Configuring PKI Certificate Request
Configuring PKI Certificate Validation
Configuring a Certificate Attribute Access Control Policy
Displaying and Maintaining PKI
Typical Configuration Examples
Troubleshooting

61 POE CONFIGURATION
PoE Overview
PoE Configuration Tasks
Configuring the PoE Interface
Configuring PD Power Management
Configuring a Power Alarm Threshold for the PSE
Upgrading PSE Processing Software Online
Configuring a PD Disconnection Detection Mode
Enabling the PSE to Detect Nonstandard PDs
Displaying and Maintaining PoE
PoE Configuration Example
Troubleshooting PoE
ABOUT THIS GUIDE

This guide provides information about configuring your network using the
commands supported on the 3Com® Switch 4500G Family.

The descriptions in this guide apply to the Switch 4500G.

Organization of the Manual

The Switch 4500G Family Configuration Guide consists of the following chapters:
■ Logging In—Provides information on the different ways to log into the switch.
■ Basic System Configuration and Maintenance Operation—Details the
basic configuration and maintenance of a switch.
■ File System Management—Details how to manage storage devices.
■ VLAN Operation—Details VLAN, including Voice VLANs and GVRP
configuration.
■ Port Correlation Configuration—Details Ethernet interface, link aggregation
and port isolation configuration.
■ MAC Address Table Management—Details MAC address table
configuration.
■ MSTP—Details multiple spanning tree protocol configuration.
■ IP Address and Performance Operation—Details how to assign IP addresses
to interfaces and to adjust the parameters for the best IP performance.
■ IPV4 Routing Operation—Details IPV4 routing operation, static routing and
policy configuration and RIP configuration.
■ 802.1x HABP MAC Authorization Operation—Details HABP, 802.1x and
MAC Authentication Configuration.
■ AAA & RADIUS—Details AAA and RADIUS configuration.
■ Multicast Protocol—Details multicast protocol configuration.
■ ARP—Details address resolution protocol table configuration.
■ DHCP—Details dynamic host configuration protocol.
■ ACL Configuration—Details ACL configuration.
■ QoS—Details quality of service configuration.
■ Port Mirroring—Details local and remote port mirroring configuration.
■ Clustering—Details clustering configuration.
■ SNMP—Details simple network management protocol configuration.
■ RMON—Details remote monitoring configuration.
■ NTP—Details network time protocol configuration.
■ DNS—Details domain name system configuration.
■ Information Center—Details information center configuration.
■ NQA—Details network quality analyzer configuration.
■ SSH—Details secure shell authentication.
■ UDP—Details UDP helper configuration.
■ SSL—Details secure socket layer configuration.
■ PKI—Details public key infrastructure configuration.
■ PoE—Details power over Ethernet configuration.

Intended Readership

The manual is intended for the following readers:
■ Network administrators
■ Network engineers
■ Users who are familiar with the basics of networking

Conventions

This manual uses the following conventions:

Table 1 Icons

Notice type: Information note
Description: Information that describes important features or instructions.

Notice type: Caution
Description: Information that alerts you to potential loss of data or potential damage to an application, system, or device.

Notice type: Warning
Description: Information that alerts you to potential personal injury.

Table 2 Text conventions

Convention: Screen displays
Description: This typeface represents text as it appears on the screen.

Convention: Keyboard key names
Description: If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example:
Press Ctrl+Alt+Del

Convention: The words “enter” and “type”
Description: When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”

Convention: Fixed command text
Description: This typeface indicates the fixed part of a command text. You must type the command, or this part of the command, exactly as shown, and press Return or Enter when you are ready to enter the command.
Example: The command display history-command must be entered exactly as shown.

Convention: Variable command text
Description: This typeface indicates the variable part of a command text. You must type a value here, and press Return or Enter when you are ready to enter the command.
Example: in the command super level, a value in the range 0 to 3 must be entered in the position indicated by level.

Convention: {x|y|…}
Description: Alternative items, one of which must be entered, are grouped in braces and separated by vertical bars. You must select and enter one of the items.
Example: in the command flow-control { hardware | none | software }, the braces and the vertical bars combined indicate that you must enter one of the parameters. Enter either hardware, or none, or software.

Convention: [ ]
Description: Items shown in square brackets [ ] are optional.
Example 1: in the command display users [ all ], the square brackets indicate that the parameter all is optional. You can enter the command with or without this parameter.
Example 2: in the command user-interface [ type ] first-number [ last-number ] the square brackets indicate that the parameters [ type ] and [ last-number ] are both optional. You can enter a value in place of one, both or neither of these parameters.
Alternative items, one of which can optionally be entered, are grouped in square brackets and separated by vertical bars.
Example 3: in the command header [ shell | incoming | login ] text, the square brackets indicate that the parameters shell, incoming and login are all optional. The vertical bars indicate that only one of the parameters is allowed.

Related Documentation

In addition to this guide, the Switch 4500G documentation set includes the
following:
■ 3Com Switch 4500G Family Quick Reference Guide
This guide contains:
  ■ a list of the features supported by the switch.
  ■ a summary of the command line interface commands for the switch. This
  guide is also available under the Help button on the web interface.
■ 3Com Switch 4500G Family Command Reference Guide
This guide provides detailed information about the web interface and
command line interface that enable you to manage the switch. It is supplied in
PDF format on the CD-ROM that accompanies the switch.
■ 3Com Switch 4500G Family Getting Started Guide
This guide provides preliminary information about hardware installation and
communication interfaces.
■ Release notes
These notes provide information about the current software release, including
new features, modifications, and known problems. The release notes are
supplied in hard copy with the switch.

1 LOGGING INTO AN ETHERNET SWITCH

Logging into an Ethernet Switch

You can log into a Switch 4500G Ethernet switch in one of the following ways:
■ Log in locally through the Console port
■ Telnet locally or remotely to an Ethernet port
■ Telnet to the Console port using a modem
■ Log into the Web-based network management system
■ Log in through NMS (network management station)

Introduction to the User Interface

Supported User Interfaces

Switch 4500G Family Ethernet switch supports two types of user interfaces: AUX and
VTY.

Table 3 Description on user interface

User interface: AUX
Applicable user: Users logging in through the Console port
Port used: Console port
Description: Each switch can accommodate one AUX user.

User interface: VTY
Applicable user: Telnet users and SSH users
Port used: Ethernet port
Description: Each switch can accommodate up to five VTY users.

As the AUX port and the Console port of a 3Com Switch 4500G Family series switch are
the same one, you will be in the AUX user interface if you log in through this port.

User Interface Number

Two kinds of user interface index exist: absolute user interface index and relative user
interface index.
1 The absolute user interface indexes are as follows:
■ AUX user interface: 0
■ VTY user interfaces: Numbered after the AUX user interface, increasing in steps of 1
2 A relative user interface index is obtained by appending a number to the identifier
of a user interface type, so it is generated per user interface type. The relative user interface
indexes are as follows:
■ AUX user interface: AUX 0
■ VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.

Common User Interface Configuration

Table 4 Common User Interface Configuration

To do: Lock the current user interface
Use the command: lock
Remarks: Optional. Execute this command in user view. A user interface is not locked by default.

To do: Specify to send messages to all user interfaces/a specified user interface
Use the command: send { all | number | type number }
Remarks: Optional. Execute this command in user view.

To do: Disconnect a specified user interface
Use the command: free user-interface [ type ] number
Remarks: Optional. Execute this command in user view.

To do: Enter system view
Use the command: system-view
Remarks: –

To do: Set the banner
Use the command: header { incoming | legal | login | shell | motd } text
Remarks: Optional

To do: Set a system name for the switch
Use the command: sysname string
Remarks: Optional

To do: Enter user interface view
Use the command: user-interface [ type ] first-number [ last-number ]
Remarks: –

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Make terminal services available
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the display type of a terminal
Use the command: terminal type { ansi | vt100 }
Remarks: Optional. By default, the terminal display type is ANSI. The device must use the same type of display as the terminal. If the terminal uses VT 100, the device should also use VT 100.

To do: Display the information about the current user interface/all user interfaces
Use the command: display users [ all ]
Remarks: You can execute this command in any view.

To do: Display the physical attributes and configuration of the current/a specified user interface
Use the command: display user-interface [ type number | number ] [ summary ]
Remarks: You can execute this command in any view.

To do: Display the information about the current web users
Use the command: display web users
Remarks: You can execute this command in any view.

2 LOGGING IN THROUGH THE CONSOLE PORT

Introduction

Logging in through the Console port is the most common way to log into a switch. It is also
the prerequisite for configuring other login methods. By default, you can log into a Switch
4500G Family Ethernet switch through its Console port only.

To log into an Ethernet switch through its Console port, the related configuration of the
user terminal must be in accordance with that of the Console port.

Table 5 lists the default settings of a Console port.

Table 5 The default settings of a Console port

Setting Default
Baud rate 19,200 bps
Flow control Off
Check mode No check bit
Stop bits 1
Data bits 8

After logging into a switch, you can perform configuration for AUX users. Refer to
“Console Port Login Configuration” for more.

Setting up the Connection to the Console Port

■ Connect the serial port of your PC/terminal to the Console port of the switch, as
shown in Figure 1.

Figure 1 Diagram for setting the connection to the Console port (labels: RS-232 port, Console port, Configuration cable)

■ If you use a PC to connect to the Console port, launch a terminal emulation utility
(such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows
2000/Windows XP) and perform the configuration shown in Figure 2 through
Figure 4 for the connection to be created. Normally, the parameters of a terminal are
configured as those listed in Table 5.

Figure 2 Create a connection

Figure 3 Specify the port used to establish the connection



Figure 4 Set port parameters terminal window

The correct baud rate is 19200 not 9600.


■ Turn on the switch. The user will be prompted to press the Enter key if the switch
successfully completes POST (power-on self test). The prompt (such as <3Com>)
appears after the user presses the Enter key, as shown in Figure 5.

Figure 5 The terminal window

■ You can then configure the switch or check the information about the switch by
executing commands. You can also acquire help by typing the ? character. Refer to the
following chapters for information about the commands.

Console Port Login Configuration

Common Configuration

Table 6 lists the common configuration of Console port login.

Table 6 Common configuration of Console port login

Console port configuration
■ Baud rate: Optional. The default baud rate is 9,600 bps.
■ Check mode: Optional. By default, the check mode of the Console port is set to “none”, which means no check bit.
■ Stop bits: Optional. The default stop bits of a Console port is 1.
■ Data bits: Optional. The default data bits of a Console port is 8.

AUX user interface configuration
■ Define a shortcut key for starting terminal sessions: Optional. By default, pressing Enter key starts the terminal session.
■ Configure the command level available to the users logging into the AUX user interface: Optional. By default, commands of level 3 are available to the users logging into the AUX user interface.

Terminal configuration
■ Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.
■ Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
■ Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
■ Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
■ Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.

CAUTION: Changing of Console port configuration terminates the connection to the
Console port. To establish the connection again, you need to modify the configuration of
the terminal emulation utility running on your PC accordingly. Refer to “Setting up the
Connection to the Console Port” for more information.


Console Port Login Configurations for Different Authentication Modes

Table 7 lists Console port login configurations for different authentication modes.

Table 7 Console port login configurations for different authentication modes

Authentication mode: None
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.

Authentication mode: Password
■ Configure the password: Configure the password for local authentication. Required.
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.

Authentication mode: Scheme
■ Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more.
■ Configure user name and password: Configure user names and passwords for local/remote users. Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server. Refer to user manual of RADIUS server for more.
■ Manage AUX users: Set service type for AUX users. Required.
■ Perform common configuration: Perform common configuration for Console port login. Optional. Refer to “Common Configuration” for more.
Changes to the authentication mode of Console port login do not take effect until you
exit and re-enter the CLI.
26 CHAPTER 2: LOGGING IN THROUGH THE CONSOLE PORT

Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

Table 8 Configuration Procedure

To do: Enter system view
Use the command: system-view
Remarks: –

To do: Enter AUX user interface view
Use the command: user-interface aux 0
Remarks: –

To do: Configure not to authenticate users
Use the command: authentication-mode none
Remarks: Required. By default, users logging in through the Console port are not authenticated.

To do: Configure the Console port: Set the baud rate
Use the command: speed speed-value
Remarks: Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.

To do: Configure the Console port: Set the check mode
Use the command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the check mode of a Console port is set to none, that is, no check bit.

To do: Configure the Console port: Set the stop bits
Use the command: stopbits { 1 | 1.5 | 2 }
Remarks: Optional. The stop bits of a Console port is 1.

To do: Configure the Console port: Set the data bits
Use the command: databits { 5 | 6 | 7 | 8 }
Remarks: Optional. The default data bits of a Console port is 8.

To do: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

To do: Define a shortcut key for starting terminal sessions
Use the command: activation-key character
Remarks: Optional. By default, pressing Enter key starts the terminal session.

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging into a switch depends on both
the authentication-mode none command and the user privilege level
level command, as listed in the following table.

Table 9 Determine the command level (A)

Scenario
Authentication mode: None (authentication-mode none)
User type: Users logging in through Console ports
Command: The user privilege level level command not executed
Command level: Level 3

Scenario
Authentication mode: None (authentication-mode none)
User type: Users logging in through Console ports
Command: The user privilege level level command already executed
Command level: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:
■ Do not authenticate users logging in through the Console port.
■ Commands of level 2 are available to users logging into the AUX user interface.
■ The baud rate of the Console port is 19,200 bps.
■ The screen can contain up to 30 lines.
■ The history command buffer can contain up to 20 commands.
■ The timeout time of the AUX user interface is 6 minutes.

Network diagram

Figure 6 Network diagram for AUX user interface configuration (with the authentication mode
being none)

[Figure labels: RS-232, Console port, Console cable]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter AUX user interface view.
[3Com] user-interface aux 0
3 Specify not to authenticate users logging in through the Console port.
[3Com-ui-aux0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-ui-aux0] user privilege level 2
5 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
6 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
7 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
8 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6

Console Port Login Configuration with Authentication Mode Being Password

Configuration Procedure

Table 10 Configuration Procedure

To do: Enter system view
Use the command: system-view
Remarks: –

To do: Enter AUX user interface view
Use the command: user-interface aux 0
Remarks: –

To do: Configure to authenticate users using the local password
Use the command: authentication-mode password
Remarks: Required. By default, users logging in through the Console port are not authenticated.

To do: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required.

To do: Configure the Console port: Set the baud rate
Use the command: speed speed-value
Remarks: Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.

To do: Configure the Console port: Set the check mode
Use the command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the check mode of a Console port is set to none, that is, no check bit.

To do: Configure the Console port: Set the stop bits
Use the command: stopbits { 1 | 1.5 | 2 }
Remarks: Optional. The default stop bits of a Console port is 1.

To do: Configure the Console port: Set the data bits
Use the command: databits { 5 | 6 | 7 | 8 }
Remarks: Optional. The default data bits of a Console port is 8.

To do: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

To do: Define a shortcut key for starting terminal sessions
Use the command: activation-key character
Remarks: Optional. By default, pressing Enter key starts the terminal session.

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available to the user interface
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Set history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging into a switch depends on both
the authentication-mode password command and the user privilege level
level command, as listed in the following table.

Table 11 Determine the command level (B)

Scenario
Authentication mode: Local authentication (authentication-mode password)
User type: Users logging into the AUX user interface
Command: The user privilege level level command not executed
Command level: Level 3

Scenario
Authentication mode: Local authentication (authentication-mode password)
User type: Users logging into the AUX user interface
Command: The user privilege level level command already executed
Command level: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:
■ Authenticate users logging in through the Console port using the local password.
■ Set the local password to 123456 (in plain text).
■ The commands of level 2 are available to users logging into the AUX user interface.
■ The baud rate of the Console port is 19,200 bps.
■ The screen can contain up to 30 lines.
■ The history command buffer can store up to 20 commands.
■ The timeout time of the AUX user interface is 6 minutes.

Network diagram

Figure 7 Network diagram for AUX user interface configuration (with the authentication mode
being password)

[Figure labels: RS-232, Console port, Console cable]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter AUX user interface view.
[3Com] user-interface aux 0
3 Specify to authenticate users logging in through the Console port using the local
password.
[3Com-ui-aux0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-aux0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into the AUX user interface.
[3Com-ui-aux0] user privilege level 2
6 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
9 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6

Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 12 Configuration Procedure

To do: Enter system view
Use the command: system-view
Remarks: –

To do: Configure the authentication mode: Enter the default ISP domain view
Use the command: domain Domain name
Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:
■ Perform AAA & RADIUS configuration on the switch. (Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more.)
■ Configure the user name and password accordingly on the AAA server. (Refer to the user manual of AAA server.)

To do: Configure the authentication mode: Specify the AAA scheme to be applied to the domain
Use the command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Shared with the row above.

To do: Configure the authentication mode: Quit to system view
Use the command: quit
Remarks: Shared with the row above.

To do: Create a local user (Enter local user view.)
Use the command: local-user user-name
Remarks: Required. No local user exists by default.

To do: Set the authentication password for the local user
Use the command: password { simple | cipher } password
Remarks: Required.

To do: Specify the service type for AUX users
Use the command: service-type terminal [ level level ]
Remarks: Required.

To do: Quit to system view
Use the command: quit
Remarks: –

To do: Enter AUX user interface view
Use the command: user-interface aux 0
Remarks: –

To do: Configure to authenticate users locally or remotely
Use the command: authentication-mode scheme [ command-authorization ]
Remarks: Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.

To do: Configure the Console port: Set the baud rate
Use the command: speed speed-value
Remarks: Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.

To do: Configure the Console port: Set the check mode
Use the command: parity { even | mark | none | odd | space }
Remarks: Optional. By default, the check mode of a Console port is set to none, that is, no check bit.

To do: Configure the Console port: Set the stop bits
Use the command: stopbits { 1 | 1.5 | 2 }
Remarks: Optional. The default stop bits of a Console port is 1.

To do: Configure the Console port: Set the data bits
Use the command: databits { 5 | 6 | 7 | 8 }
Remarks: Optional. The default data bits of a Console port is 8.

To do: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 3 are available to users logging into the AUX user interface.

To do: Define a shortcut key for starting terminal sessions
Use the command: activation-key character
Remarks: Optional. By default, pressing Enter key starts the terminal session.

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available to the user interface
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Set history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging into a switch
depends on the authentication-mode scheme [ command-authorization ]
command, the user privilege level level command, and the service-type
terminal [ level level ] command, as listed in Table 13.

Table 13 Determine the command level

In every row, the authentication mode is authentication-mode scheme [ command-authorization ] and the user type is users logging into the Console port and pass AAA&RADIUS or local authentication.

Scenario
Command: The user privilege level level command is not executed, and the service-type terminal [ level level ] command does not specify the available command level.
Command level: Level 0

Scenario
Command: The user privilege level level command is not executed, and the service-type terminal [ level level ] command specifies the available command level.
Command level: Determined by the service-type terminal [ level level ] command

Scenario
Command: The user privilege level level command is executed, and the service-type terminal [ level level ] command does not specify the available command level.
Command level: Level 0

Scenario
Command: The user privilege level level command is executed, and the service-type terminal [ level level ] command specifies the available command level.
Command level: Determined by the service-type terminal [ level level ] command

Configuration Example

Network requirements

Perform the following configuration for users logging in through the Console port:
■ Configure the name of the local user to be “guest”.
■ Set the authentication password of the local user to 123456 (in plain text).
■ Set the service type of the local user to Terminal.
■ Configure to authenticate users logging in through the Console port in the scheme
mode.
■ The commands of level 2 are available to users logging into the AUX user interface.
■ The baud rate of the Console port is 19,200 bps.
■ The screen can contain up to 30 lines.
■ The history command buffer can store up to 20 commands.
■ The timeout time of the AUX user interface is 6 minutes.

Network diagram

Figure 8 Network diagram for AUX user interface configuration (with the authentication mode
being scheme)

[Figure labels: RS-232, Console port, Console cable]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Create a local user named guest and enter local user view.
[3Com] local-user guest
3 Set the authentication password to 123456 (in plain text).
[3Com-luser-guest] password simple 123456
4 Set the service type to Terminal, and specify that commands of level 2 are available to
users logging into the AUX user interface.
[3Com-luser-guest] service-type terminal level 2
[3Com-luser-guest] quit
5 Enter AUX user interface view.
[3Com] user-interface aux 0
6 Configure to authenticate users logging in through the Console port in the scheme
mode.
[3Com-ui-aux0] authentication-mode scheme
7 Set the baud rate of the Console port to 19,200 bps.
[3Com-ui-aux0] speed 19200
8 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-aux0] screen-length 30
9 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-aux0] history-command max-size 20
10 Set the timeout time of the AUX user interface to 6 minutes.
[3Com-ui-aux0] idle-timeout 6
3 LOGGING IN THROUGH TELNET

Introduction

You can telnet to a remote switch to manage and maintain the switch. To achieve this,
you need to configure both the switch and the Telnet terminal properly.

Table 14 Requirements for Telnet to a switch

Item: Switch
Requirement: The management VLAN of the switch is created and the route between the switch and the Telnet terminal is available. (Refer to the VLAN module for more.)
Requirement: The authentication mode and other settings are configured. Refer to Table 15 and Table 16.

Item: Telnet terminal
Requirement: Telnet is running.
Requirement: The IP address of the management VLAN of the switch is available.

Common Configuration

Table 15 lists the common Telnet configuration.

Table 15 Common Telnet configuration

VTY user interface configuration:

Configuration: Configure the command level available to users logging into the VTY user interface
Description: Optional. By default, commands of level 0 are available to users logging into a VTY user interface.

Configuration: Configure the protocols the user interface supports
Description: Optional. By default, Telnet and SSH protocol are supported.

Configuration: Set the command that is automatically executed when a user logs into the user interface
Description: Optional. By default, no command is automatically executed when a user logs into a user interface.

VTY terminal configuration:

Configuration: Define a shortcut key for aborting tasks
Description: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

Configuration: Make terminal services available
Description: Optional. By default, terminal services are available in all user interfaces.

Configuration: Set the maximum number of lines the screen can contain
Description: Optional. By default, the screen can contain up to 24 lines.

Configuration: Set history command buffer size
Description: Optional. By default, the history command buffer can contain up to 10 commands.

Configuration: Set the timeout time of a user interface
Description: Optional. The default timeout time is 10 minutes.

CAUTION:
■ The auto-execute command command may leave you unable to perform
common configuration in the user interface, so use it with caution.
■ Before executing the auto-execute command command and saving your
configuration, make sure you can log into the switch in other modes and cancel the
configuration.

Telnet Configurations for Different Authentication Modes

Table 16 lists Telnet configurations for different authentication modes.

Table 16 Telnet configurations for different authentication modes

Authentication mode: None
Telnet configuration: Perform common configuration (Perform common Telnet configuration)
Description: Optional. Refer to Table 15.

Authentication mode: Password
Telnet configuration: Configure the password (Configure the password for local authentication)
Description: Required.

Authentication mode: Password
Telnet configuration: Perform common configuration (Perform common Telnet configuration)
Description: Optional. Refer to Table 15.

Authentication mode: Scheme
Telnet configuration: Specify to perform local authentication or RADIUS authentication (AAA configuration specifies whether to perform local authentication or RADIUS authentication)
Description: Optional. Local authentication is performed by default. Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more information.

Authentication mode: Scheme
Telnet configuration: Configure user name and password (Configure user names and passwords for local/remote users)
Description: Required.
■ The user name and password of a local user are configured on the switch.
■ The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.

Authentication mode: Scheme
Telnet configuration: Manage VTY users (Set service type for VTY users)
Description: Required.

Authentication mode: Scheme
Telnet configuration: Perform common configuration (Perform common Telnet configuration)
Description: Optional. Refer to Table 15.

Telnet Configuration with Authentication Mode Being None

Configuration Procedure

Table 17 Configuration Procedure

To do: Enter system view
Use the command: system-view
Remarks: –

To do: Enter one or more VTY user interface views
Use the command: user-interface vty first-number [ last-number ]
Remarks: –

To do: Configure not to authenticate users logging into VTY user interfaces
Use the command: authentication-mode none
Remarks: Required. By default, VTY users are authenticated after logging in.

To do: Configure the command level available to users logging into VTY user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 0 are available to users logging into VTY user interfaces.

To do: Configure the protocols to be supported by the VTY user interface
Use the command: protocol inbound { all | ssh | telnet }
Remarks: Optional. By default, both Telnet protocol and SSH protocol are supported.

To do: Set the command that is automatically executed when a user logs into the user interface
Use the command: auto-execute command text
Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time of the VTY user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure not to authenticate the users, the command level available to
users logging into a switch depends on both the authentication-mode none
command and the user privilege level level command, as listed in Table 18.

Table 18 Determine the command level when users logging into switches are not authenticated

Scenario
Authentication mode: None (authentication-mode none)
User type: VTY users
Command: The user privilege level level command not executed
Command level: Level 0

Scenario
Authentication mode: None (authentication-mode none)
User type: VTY users
Command: The user privilege level level command already executed
Command level: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:
■ Do not authenticate users logging into VTY 0.
■ Commands of level 2 are available to users logging into VTY 0.
■ Telnet protocol is supported.
■ The screen can contain up to 30 lines.
■ The history command buffer can contain up to 20 commands.
■ The timeout time of VTY 0 is 6 minutes.

Network diagram

Figure 9 Network diagram for Telnet configuration (with the authentication mode being none)

[Figure labels: GigabitEthernet1/0/1, Ethernet, User PC running Telnet]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure not to authenticate Telnet users logging into VTY 0.
[3Com-ui-vty0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
5 Configure the user interface to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
6 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
7 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
8 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6

Telnet Configuration with Authentication Mode Being Password

Configuration Procedure

Table 19 Configuration Procedure

To do: Enter system view
Use the command: system-view
Remarks: –

To do: Enter one or more VTY user interface views
Use the command: user-interface vty first-number [ last-number ]
Remarks: –

To do: Configure to authenticate users logging into VTY user interfaces using the local password
Use the command: authentication-mode password
Remarks: Required.

To do: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required.

To do: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 0 are available to users logging into VTY user interface.

To do: Configure the protocol to be supported by the user interface
Use the command: protocol inbound { all | ssh | telnet }
Remarks: Optional. By default, both Telnet protocol and SSH protocol are supported.

To do: Set the command that is automatically executed when a user logs into the user interface
Use the command: auto-execute command text
Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available
Use the command: shell
Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time of the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the password mode, the
command level available to users logging into a switch depends on both the
authentication-mode password command and the user privilege level
level command, as listed in Table 20.

Table 20 Determine the command level when users logging into switches are authenticated in
the password mode

Scenario
Authentication mode: Password (authentication-mode password)
User type: VTY users
Command: The user privilege level level command not executed
Command level: Level 0

Scenario
Authentication mode: Password (authentication-mode password)
User type: VTY users
Command: The user privilege level level command already executed
Command level: Determined by the level argument

Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:
■ Authenticate users logging into VTY 0 using the local password.
■ Set the local password to 123456 (in plain text).
■ Commands of level 2 are available to users logging into VTY 0.
■ Telnet protocol is supported.
■ The screen can contain up to 30 lines.
■ The history command buffer can contain up to 20 commands.
■ The timeout time of VTY 0 is 6 minutes.

Network diagram

Figure 10 Network diagram for Telnet configuration (with the authentication mode being
password)

[Figure labels: GigabitEthernet1/0/1, Ethernet, User PC running Telnet]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
3 Configure to authenticate users logging into VTY 0 using the local password.
[3Com-ui-vty0] authentication-mode password
4 Set the local password to 123456 (in plain text).
[3Com-ui-vty0] set authentication password simple 123456
5 Specify that commands of level 2 are available to users logging into VTY 0.
[3Com-ui-vty0] user privilege level 2
6 Configure the user interface to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
7 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
8 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
9 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
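
The command-level rules in Tables 9, 11, 13, 18 and 20, together with the settings used in the configuration examples above, can be checked against a recorded CLI session. The following Python code is an added example and not part of the 3Com guide: it reads a session in the guide's prompt format, computes the command level each user interface grants, and lists settings worth reviewing (no authentication, a password entered with simple, idle-timeout 0, Telnet accepted on a VTY). The session text, the function names and the finding strings are constructed for illustration.

```python
import re

# Strips the "<3Com>" or "[3Com-ui-aux0]" prompt in front of each command.
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")
# Level granted when "user privilege level" was never executed
# (Tables 9 and 11 for AUX, Tables 18 and 20 for VTY).
DEFAULT_LEVEL = {"aux": 3, "vty": 0}

# Constructed sample session in the format of the guide's examples.
SAMPLE_SESSION = """\
<3Com> system-view
[3Com] local-user guest
[3Com-luser-guest] password simple 123456
[3Com-luser-guest] service-type terminal level 2
[3Com-luser-guest] quit
[3Com] user-interface aux 0
[3Com-ui-aux0] authentication-mode scheme
[3Com-ui-aux0] user privilege level 3
[3Com-ui-aux0] idle-timeout 6
[3Com-ui-aux0] quit
[3Com] user-interface vty 0
[3Com-ui-vty0] authentication-mode none
[3Com-ui-vty0] user privilege level 2
[3Com-ui-vty0] protocol inbound telnet
[3Com-ui-vty0] idle-timeout 0
"""


def parse_session(text):
    """Collect user-interface and local-user settings from a CLI transcript."""
    interfaces, users, view = {}, {}, None
    for raw in text.splitlines():
        w = PROMPT.sub("", raw).split()
        if not w:
            continue
        if w[0] in ("quit", "system-view"):
            view = None
        elif w[0] == "user-interface" and len(w) >= 3:
            # AUX is unauthenticated by default; the VTY default mode is not named.
            view = interfaces.setdefault(" ".join(w[1:]), {
                "type": w[1], "auth": "none" if w[1] == "aux" else None,
                "level": None, "simple": False, "timeout": (10, 0), "protocol": "all"})
        elif w[0] == "local-user" and len(w) == 2:
            view = users.setdefault(w[1], {"simple": False, "services": {}})
        elif view is None or len(w) < 2:
            continue
        elif w[0] == "authentication-mode":
            view["auth"] = w[1]
        elif w[:3] == ["user", "privilege", "level"] and len(w) >= 4:
            view["level"] = int(w[3])
        elif w[:3] == ["set", "authentication", "password"] or w[0] == "password":
            view["simple"] = len(w) >= 3 and w[-2] == "simple"
        elif w[0] == "idle-timeout":
            view["timeout"] = (int(w[1]), int(w[2]) if len(w) > 2 else 0)
        elif w[:2] == ["protocol", "inbound"] and len(w) >= 3:
            view["protocol"] = w[2]
        elif w[0] == "service-type" and "services" in view:
            level = int(w[w.index("level") + 1]) if "level" in w[:-1] else None
            for service in ("terminal", "telnet", "ssh"):
                if service in w[1:]:
                    view["services"][service] = level
    return interfaces, users


def effective_level(ui, service_level=None):
    """Command level per the guide's tables; None where they do not decide it."""
    if ui["auth"] in ("none", "password"):
        # Tables 9, 11, 18, 20: the level argument if executed, else the default.
        return ui["level"] if ui["level"] is not None else DEFAULT_LEVEL.get(ui["type"])
    if ui["auth"] == "scheme" and ui["type"] == "aux":
        # Table 13: "user privilege level" is ignored; no service level means 0.
        return service_level if service_level is not None else 0
    return None  # VTY scheme mode (Table 22) is not modelled here


def audit(text):
    """Return (interface, finding) tuples for settings worth reviewing."""
    interfaces, users = parse_session(text)
    found = []
    for name, ui in interfaces.items():
        if ui["auth"] == "none":
            found.append((name, "no authentication, command level %s" % effective_level(ui)))
        if ui["auth"] == "password" and ui["simple"]:
            found.append((name, "local password set with 'simple' (plain text)"))
        if ui["timeout"] == (0, 0):
            found.append((name, "idle timeout disabled"))
        if ui["type"] == "vty" and ui["protocol"] != "ssh":
            found.append((name, "Telnet accepted (protocol inbound %s)" % ui["protocol"]))
        if ui["auth"] == "scheme":
            service = "terminal" if ui["type"] == "aux" else "telnet"
            for user, u in sorted(users.items()):
                if service in u["services"] and u["simple"]:
                    found.append((name, "local user %s uses a 'simple' password" % user))
    return found
```

In the sample session the AUX interface grants level 2 to guest even though user privilege level 3 was entered, because in scheme mode Table 13 takes the level from the service-type command.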

Telnet Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 21 Configuration Procedure

To do: Enter system view
Use the command: system-view
Remarks: –

To do: Configure the authentication scheme: Enter the default ISP domain view
Use the command: domain Domain name
Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:
■ Perform AAA & RADIUS configuration on the switch. (Refer to the “AAA, RADIUS, and TACACS+ Configuration” chapter for more information.)
■ Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)

To do: Configure the authentication scheme: Configure the AAA scheme to be applied to the domain
Use the command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Shared with the row above.

To do: Configure the authentication scheme: Quit to system view
Use the command: quit
Remarks: Shared with the row above.

To do: Create a local user and enter local user view
Use the command: local-user user-name
Remarks: No local user exists by default.

To do: Set the authentication password for the local user
Use the command: password { simple | cipher } password
Remarks: Required.

To do: Specify the service type for VTY users
Use the command: service-type telnet [ level level ]
Remarks: Required.

To do: Quit to system view
Use the command: quit
Remarks: –

To do: Enter one or more VTY user interface views
Use the command: user-interface vty first-number [ last-number ]
Remarks: –

To do: Configure to authenticate users locally or remotely
Use the command: authentication-mode scheme
Remarks: Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.

To do: Configure the command level available to users logging into the user interface
Use the command: user privilege level level
Remarks: Optional. By default, commands of level 0 are available to users logging into the VTY user interfaces.

To do: Configure the supported protocol
Use the command: protocol inbound { all | ssh | telnet }
Remarks: Optional. Both Telnet protocol and SSH protocol are supported by default.

To do: Set the command that is automatically executed when a user logs into the user interface
Use the command: auto-execute command text
Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

To do: Define a shortcut key for aborting tasks
Use the command: escape-key { default | character }
Remarks: Optional. The default shortcut key combination for aborting tasks is < Ctrl+C >.

To do: Make terminal services available
Use the command: shell
Remarks: Optional. Terminal services are available in all user interfaces by default.

To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Set history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time for the user interface
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the scheme mode, the command
level available to users logging into a switch depends on the authentication-mode
scheme [ command-authorization ] command, the user privilege level
level command, and the service-type { ftp [ ftp-directory directory ] |
lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in
Table 22.
Table 22 Determine the command level when users logging into switches are authenticated in the scheme mode

Authentication mode: Scheme (authentication-mode scheme [ command-authorization ])

User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
■ Scenario: The user privilege level level command is not executed, and the service-type command does not specify the available command level. Command level: Level 0
■ Scenario: The user privilege level level command is not executed, and the service-type command specifies the available command level. Command level: Determined by the service-type command
■ Scenario: The user privilege level level command is executed, and the service-type command does not specify the available command level. Command level: Level 0
■ Scenario: The user privilege level level command is executed, and the service-type command specifies the available command level. Command level: Determined by the service-type command

User type: VTY users that are authenticated in the RSA mode of SSH
■ Scenario: The user privilege level level command is not executed, and the service-type command does not specify the available command level. Command level: Level 0
■ Scenario: The user privilege level level command is not executed, and the service-type command specifies the available command level. Command level: Level 0
■ Scenario: The user privilege level level command is executed, and the service-type command does not specify the available command level. Command level: Determined by the user privilege level level command
■ Scenario: The user privilege level level command is executed, and the service-type command specifies the available command level. Command level: Determined by the user privilege level level command

User type: VTY users that are authenticated in the password mode of SSH
■ Scenario: The user privilege level level command is not executed, and the service-type command does not specify the available command level. Command level: Level 0
■ Scenario: The user privilege level level command is not executed, and the service-type command specifies the available command level. Command level: Determined by the service-type command
■ Scenario: The user privilege level level command is executed, and the service-type command does not specify the available command level. Command level: Level 0
■ Scenario: The user privilege level level command is executed, and the service-type command specifies the available command level. Command level: Determined by the service-type command

Refer to the corresponding chapters in this guide for information about AAA, RADIUS,
TACACS+, and SSH.
Configuration Example

Network requirements

Perform the following configuration for Telnet users logging into VTY 0:
■ Configure the name of the local user to be “guest”.
■ Set the authentication password of the local user to 123456 (in plain text).
■ Set the service type of VTY users to Telnet.
■ Configure to authenticate users logging into VTY 0 in scheme mode.
■ The commands of level 2 are available to users logging into VTY 0.
■ Telnet protocol is supported in VTY 0.
■ The screen can contain up to 30 lines.
■ The history command buffer can store up to 20 commands.
■ The timeout time of VTY 0 is 6 minutes.

Network diagram

Figure 11 Network diagram for Telnet configuration (with the authentication mode being scheme)
[Figure labels: GigabitEthernet1/0/1, Ethernet, User PC running Telnet]

Configuration procedure
1 Enter system view.
<3Com> system-view
2 Create a local user named “guest” and enter local user view.
[3Com] local-user guest
3 Set the authentication password of the local user to 123456 (in plain text).
[3Com-luser-guest] password simple 123456
4 Set the service type to Telnet and specify that commands of level 2 are available to users logging into VTY 0.
[3Com-luser-guest] service-type telnet level 2
5 Enter VTY 0 user interface view.
[3Com] user-interface vty 0
6 Configure to authenticate users logging into VTY 0 in the scheme mode.
[3Com-ui-vty0] authentication-mode scheme
7 Configure VTY 0 to support the Telnet protocol.
[3Com-ui-vty0] protocol inbound telnet
8 Set the maximum number of lines the screen can contain to 30.
[3Com-ui-vty0] screen-length 30
9 Set the maximum number of commands the history command buffer can store to 20.
[3Com-ui-vty0] history-command max-size 20
10 Set the timeout time to 6 minutes.
[3Com-ui-vty0] idle-timeout 6
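
The procedure above can be checked mechanically before it is applied to a production switch. The following Python sketch is an added example, not part of the 3Com guide: it parses a prompt-prefixed CLI transcript in the format shown above and reports login settings that weaken VTY access. The finding names are hypothetical labels, and the defaults it assumes (both protocols inbound, 10-minute idle timeout) are the ones stated in Table 21.

```python
import re

# Constructed sample: the configuration procedure of this section, as typed.
SAMPLE_SESSION = """\
<3Com> system-view
[3Com] local-user guest
[3Com-luser-guest] password simple 123456
[3Com-luser-guest] service-type telnet level 2
[3Com] user-interface vty 0
[3Com-ui-vty0] authentication-mode scheme
[3Com-ui-vty0] protocol inbound telnet
[3Com-ui-vty0] screen-length 30
[3Com-ui-vty0] history-command max-size 20
[3Com-ui-vty0] idle-timeout 6
"""

# "<name> cmd" is user view; "[name-view] cmd" is system view or a sub-view.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[(?P<view>[^\]]+)\])\s*(?P<cmd>.*\S)\s*$")


def parse_session(text):
    """Return (view, command) pairs; view is None for user view."""
    pairs = []
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            pairs.append((m.group("view"), m.group("cmd")))
    return pairs


def audit(text):
    """Return sorted (view, finding) tuples. Only views in which at least one
    command was typed are audited."""
    findings = set()
    vty = {}  # VTY view name -> effective settings, seeded with documented defaults
    for view, cmd in parse_session(text):
        if view is None:
            continue
        words = cmd.split()
        if "-luser-" in view:
            # "simple" keeps the password in plain text; "cipher" is the alternative.
            if words[:2] == ["password", "simple"]:
                findings.add((view, "plaintext-password"))
        elif "-ui-vty" in view:
            s = vty.setdefault(
                view, {"protocol": "all", "idle": (10, 0), "auth": None, "acl_in": False}
            )
            if words[:2] == ["protocol", "inbound"] and len(words) == 3:
                s["protocol"] = words[2]
            elif words[0] == "idle-timeout" and len(words) >= 2:
                try:
                    minutes = int(words[1])
                    seconds = int(words[2]) if len(words) > 2 else 0
                except ValueError:
                    continue  # not a numeric argument, ignore the line
                s["idle"] = (minutes, seconds)
            elif words[0] == "authentication-mode" and len(words) >= 2:
                s["auth"] = words[1]
            elif words[0] == "acl" and len(words) == 3 and words[2] == "inbound":
                s["acl_in"] = True
    for view, s in vty.items():
        if s["protocol"] != "ssh":          # "telnet" or "all" accepts cleartext logins
            findings.add((view, "telnet-enabled"))
        if s["idle"] == (0, 0):             # idle-timeout 0 disables the timeout
            findings.add((view, "idle-timeout-disabled"))
        if s["auth"] == "none":
            findings.add((view, "no-authentication"))
        if not s["acl_in"]:                 # no "acl acl-number inbound" on this VTY
            findings.add((view, "no-inbound-acl"))
    return sorted(findings)


if __name__ == "__main__":
    for view, finding in audit(SAMPLE_SESSION):
        print(f"{view}: {finding}")
```
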

Telnet Connection Establishment

Telneting to a Switch from a Terminal

You can Telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned an IP address.

The procedure for establishing a Telnet connection to a switch is as follows:

1 Log into the switch through the Console port and assign an IP address to the
management VLAN interface of the switch.
■ Connect to the Console port. Refer to the chapter “Setting up the Connection to the
Console Port”.
■ Execute the following commands in the terminal window to assign an IP address to
the management VLAN interface of the switch.
<3Com> system
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 202.38.160.92.
[3Com-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
2 Configure the user name and password for Telnet on the switch. Refer to “Telnet Configuration with Authentication Mode Being None”, “Telnet Configuration with Authentication Mode Being Password”, and “Telnet Configuration with Authentication Mode Being Scheme”.
3 Connect your PC to the Switch, as shown in Figure 12. Make sure the Ethernet port to
which your PC is connected belongs to the management VLAN of the switch and the
route between your PC and the switch is available.
Figure 12 Network diagram for Telnet connection establishment
[Figure labels: Workstation, Server, Workstation, Ethernet port, Ethernet, PC with Telnet running on it (used to configure the switch)]

4 Launch Telnet on your PC, with the IP address of the management VLAN interface of the
switch as the parameter, as shown in the following figure.

Figure 13 Launch Telnet

5 Enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <3Com>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”. A 3Com Switch 4500G Family Ethernet switch can accommodate up to five Telnet connections at the same time.
6 After successfully Telneting to a switch, you can configure the switch or display the
information about the switch by executing corresponding commands. You can also type
? at any time for help. Refer to the following chapters for the information about the
commands.

■ A Telnet connection will be terminated if you delete or modify the IP address of the
VLAN interface in the Telnet session.
■ By default, commands of level 0 are available to Telnet users authenticated by
password. Refer to the Basic System Configuration and Maintenance module for
information about command hierarchy.
Telneting to Another Switch from the Current Switch

You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or the route between the two VLAN interfaces is available.

As shown in Figure 14, after Telneting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command and then configure the latter.

Figure 14 Network diagram for Telneting to another switch from the current switch

PC Telnet client Telnet server

1 Configure the user name and password for Telnet on the switch operating as the Telnet
server. Refer to “Telnet Configuration with Authentication Mode Being None”, “Telnet
Configuration with Authentication Mode Being Password”, and “Telnet Configuration
with Authentication Mode Being Scheme” for more.
2 Telnet to the switch operating as the Telnet client.
3 Execute the following command on the switch operating as the Telnet client:
<3Com> telnet xxxx

Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.

4 Enter the password. If the password is correct, the CLI prompt (such as <3Com>)
appears. If all VTY user interfaces of the switch are in use, you will fail to establish the
connection and receive the message that says “All user interfaces are used, please try
later!”.
5 After successfully Telneting to the switch, you can configure the switch or display the
information about the switch by executing corresponding commands. You can also type
? at any time for help. Refer to the following chapters for the information about the
commands.
4 LOGGING IN USING MODEM

Introduction

The administrator can log into the Console port of a remote switch using a modem through the PSTN (public switched telephone network) to configure and maintain the switch remotely, provided the remote switch is connected to the PSTN through a modem. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure them, query logs and warning messages, and locate problems.

To log into a switch in this way, you need to configure the terminal and the switch properly, as listed in the following table.

Table 23 Requirements for logging into a switch using a modem

Item: Administrator side
■ The PC can communicate with the modem connected to it.
■ The modem is properly connected to PSTN.
■ The telephone number of the switch side is available.

Item: Switch side
■ The modem is connected to the Console port of the switch properly.
■ The modem is properly configured.
■ The modem is properly connected to PSTN and a telephone set.
■ The authentication mode and other related settings are configured on the switch. Refer to Table 7.

Configuration on the Administrator Side

The PC can communicate with the modem connected to it. The modem is properly connected to PSTN. And the telephone number of the switch side is available.

Configuration on the Switch Side

Modem Configuration

Perform the following configuration on the modem directly connected to the switch:
AT&F ----------------------- Restore the factory settings
ATS0=1 --------------------- Configure to answer automatically after the first ring
AT&D ----------------------- Ignore DTR signal
AT&K0 ---------------------- Disable flow control
AT&R1 ---------------------- Ignore RTS signal
AT&S0 ---------------------- Set DSR to high level by force
ATEQ1&W -------------------- Disable the modem from returning command response and the result, save the changes

You can verify your configuration by executing the AT&V command.

The above configuration is not needed for the modem on the administrator side.

The configuration commands and the output of different modems may differ. Refer to
the user manual of the modem when performing the above configuration.

Switch Configuration

After logging into a switch through its Console port by using a modem, you will enter the AUX user interface. The corresponding configuration on the switch is the same as that for logging into the switch locally through its Console port, except that:
■ When you log in through the Console port using a modem, the baud rate of the Console port is usually set to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.
■ Other settings of the Console port, such as the check mode, the stop bits, and the data bits, remain the default.

The configuration on the switch depends on the authentication mode the user is in.
Refer to Table 7 for the information about authentication mode configuration.

Configuration on switch when the authentication mode is none


Refer to “Console Port Login Configuration with Authentication Mode Being None”.

Configuration on switch when the authentication mode is password


Refer to “Console Port Login Configuration with Authentication Mode Being Password”.

Configuration on switch when the authentication mode is scheme


Refer to “Console Port Login Configuration with Authentication Mode Being Scheme”.

Modem Connection Establishment

1 Configure the user name and password on the switch. Refer to “Console Port Login
Configuration with Authentication Mode Being None”, “Console Port Login
Configuration with Authentication Mode Being Password”, and “Console Port Login
Configuration with Authentication Mode Being Scheme” for more information.
2 Perform the following configuration on the modem directly connected to the switch.
AT&F ----------------------- Restore the factory settings
ATS0=1 --------------------- Configure to answer automatically after the first ring
AT&D ----------------------- Ignore DTR signal
AT&K0 ---------------------- Disable flow control
AT&R1 ---------------------- Ignore RTS signal
AT&S0 ---------------------- Set DSR to high level by force
ATEQ1&W -------------------- Disable the modem from returning command response and the result, save the changes

You can verify your configuration by executing the AT&V command.


■ The configuration commands and the output of different modems may differ. Refer
to the user manual of the modem when performing the above configuration.
■ Set the baud rate of the AUX port (also the Console port) to a value lower than the
transmission speed of the modem. Otherwise, packets may get lost.
3 Connect your PC, the modems, and the switch, as shown in the following figure.

Figure 15 Establish the connection by using modems
[Figure labels: PC, Serial cable, Modem, Telephone line, PSTN, Modem, Console port, Telephone number: 82882285]

4 Launch a terminal emulation utility on the PC and set the telephone number to call the
modem directly connected to the switch, as shown in Figure 16 and Figure 17. Note that
you need to set the telephone number to that of the modem directly connected to the
switch.

Figure 16 Set the telephone number


Figure 17 Call the modem

5 Provide the password when prompted. If the password is correct, the prompt (such as <3Com>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the following chapters for information about the configuration commands.

If you perform no AUX user-related configuration on the switch, the commands of level
3 are available to modem users. Refer to the Basic System Configuration and
Maintenance module for information about command level.
5 LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM

Introduction

A Switch 4500G Series switch has a Web server built in. You can log into a Switch 4500G series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.

To log into a Switch 4500G through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.

Table 24 Requirements for logging into a switch through the Web-based network management system

Item: Switch
■ The management VLAN of the switch is configured. The route between the switch and the network management terminal is available. (Refer to the VLAN module for more.)
■ The user name and password for logging into the Web-based network management system are configured.

Item: PC operating as the network management terminal
■ IE is available.
■ The IP address of the management VLAN interface of the switch is available.

HTTP Connection Establishment

1 Log into the switch through the Console port and assign an IP address to the
management VLAN interface of the switch.
■ Connect to the Console port. Refer to “Setting up the Connection to the Console
Port”.
■ Execute the following commands in the terminal window to assign an IP address to
the management VLAN interface of the switch.
<3Com> system
a Enter management VLAN interface view.
[3Com] interface Vlan-interface 1
b Remove the existing IP address of the management VLAN interface.
[3Com-Vlan-interface1] undo ip address
c Configure the IP address of the management VLAN interface to be 10.153.17.82.
[3Com-Vlan-interface1] ip address 10.153.17.82 255.255.255.0
2 Configure the user name and the password for the Web-based network management
system.
a Configure the user name to be admin.
[3Com] local-user admin
b Set the user level to level 3.
[3Com-luser-admin] service-type telnet level 3
c Set the password to admin.
[3Com-luser-admin] password simple admin
3 Establish an HTTP connection between your PC and the switch, as shown in the
following figure.

Figure 18 Establish an HTTP connection between your PC and the switch

[Figure labels: Switch, HTTP connection, PC]

4 Log into the switch through IE. Launch IE on the Web-based network management
terminal (your PC) and enter the IP address of the management VLAN interface of the
switch (here it is http://10.153.17.82). (Make sure the route between the Web-based
network management terminal and the switch is available.)
5 When the login interface (shown in Figure 19) appears, enter the user name and the
password configured in step 2 and click <Login> to bring up the main page of the
Web-based network management system.

Figure 19 The login page of the Web-based network management system


Web Server Shutdown/Startup

You can shut down or start up the Web server.

Table 25 Web Server Shutdown/Startup

To do: Shut down the Web server
Use the command: ip http shutdown
Remarks: Required. Execute this command in system view.

To do: Start the Web server
Use the command: undo ip http shutdown
Remarks: Required. Execute this command in system view.

The Web server is started by default.

6 LOGGING IN THROUGH NMS

Introduction

You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
■ The agent here refers to the software that runs on network devices (switches) and acts as the server.
■ SNMP (simple network management protocol) is applied between the NMS and the agent.

To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch.

Table 26 Requirements for logging into a switch through an NMS

Item: Switch
■ The management VLAN of the switch is configured. The route between the NMS and the switch is available. (Refer to the VLAN module for more.)
■ The basic SNMP functions are configured. (Refer to the SNMP-RMON module for more.)

Item: NMS
■ The NMS is properly configured. (Refer to the user manual of your NMS for more.)

Connection Establishment Using NMS

Figure 20 Network diagram for logging in through an NMS
[Figure labels: Switch, HTTP Connection, PC]
7 CONTROLLING LOGIN USERS

Introduction

A switch provides ways to control different types of login users, as listed in Table 27.

Table 27 Ways to control different types of login users

Login mode: Telnet
■ Control method: By source IP addresses. Implementation: Through basic ACLs. Related section: Controlling Telnet Users by Source IP Addresses
■ Control method: By source and destination IP addresses. Implementation: Through advanced ACLs. Related section: Controlling Telnet Users by Source and Destination IP Addresses
■ Control method: By source MAC addresses. Implementation: Through Layer 2 ACLs. Related section: Controlling Telnet Users by Source MAC Addresses

Login mode: SNMP
■ Control method: By source IP addresses. Implementation: Through basic ACLs. Related section: Controlling Network Management Users by Source IP Addresses

Login mode: WEB
■ Control method: By source IP addresses. Implementation: Through basic ACLs. Related section: Controlling Web Users by Source IP Addresses
■ Control method: Disconnect Web users by force. Implementation: By executing commands in CLI. Related section: Disconnecting a Web User by Force

Controlling Telnet Users

Prerequisites

The controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and the controlling actions (permitting or denying).

Controlling Telnet Users by Source IP Addresses

Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Table 28 Controlling Telnet Users by Source IP Addresses

To do: Enter system view
Use the command: system-view

To do: Create a basic ACL or enter basic ACL view
Use the command: acl number acl-number [ match-order { config | auto } ]
Remarks: As for the acl number command, the config keyword is specified by default.

To do: Define rules for the ACL
Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
Remarks: Required

To do: Quit to system view
Use the command: quit

To do: Enter user interface view
Use the command: user-interface [ type ] first-number [ last-number ]

To do: Apply the ACL to control Telnet users by source IP addresses
Use the command: acl acl-number { inbound | outbound }
Remarks: Required. The inbound keyword specifies to filter the users trying to Telnet to the current switch. The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch.

Controlling Telnet Users by Source and Destination IP Addresses

Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to the ACL module for information about defining an ACL.

Table 29 Controlling Telnet Users by Source and Destination IP Addresses

To do: Enter system view
Use the command: system-view

To do: Create an advanced ACL or enter advanced ACL view
Use the command: acl number acl-number [ match-order { config | auto } ]
Remarks: As for the acl number command, the config keyword is specified by default.

To do: Define rules for the ACL
Use the command: rule [ rule-id ] { permit | deny } rule-string
Remarks: Required. You can define rules as needed to filter by specific source and destination IP addresses.

To do: Quit to system view
Use the command: quit

To do: Enter user interface view
Use the command: user-interface [ type ] first-number [ last-number ]

To do: Apply the ACL to control Telnet users by specified source and destination IP addresses
Use the command: acl acl-number { inbound | outbound }
Remarks: Required. The inbound keyword specifies to filter the users trying to Telnet to the current switch. The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch.

Controlling Telnet Users by Source MAC Addresses

Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Refer to the ACL module for information about defining an ACL.

Table 30 Controlling Telnet Users by Source MAC Addresses

To do: Enter system view
Use the command: system-view

To do: Create a basic ACL or enter basic ACL view
Use the command: acl number acl-number [ match-order { config | auto } ]
Remarks: As for the acl number command, the config keyword is specified by default.

To do: Define rules for the ACL
Use the command: rule [ rule-id ] { permit | deny } rule-string
Remarks: Required. You can define rules as needed to filter by specific source MAC addresses.

To do: Quit to system view
Use the command: quit

To do: Enter user interface view
Use the command: user-interface [ type ] first-number [ last-number ]

To do: Apply the ACL to control Telnet users by source MAC addresses
Use the command: acl acl-number inbound
Remarks: Required. The inbound keyword specifies to filter the users trying to Telnet to the current switch.

Configuration Example

Network requirements

Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log into the switch.

Network diagram

Figure 21 Network diagram for controlling Telnet users using ACLs
[Figure labels: Internet, Switch]

Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
2 Apply the ACL.
[3Com] user-interface vty 0 4
[3Com-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses

You can manage a Switch 4500G Series Ethernet switch through network management software. Network management users can access switches through SNMP.

You need to perform the following two operations to control network management users by source IP addresses.

■ Defining an ACL
■ Applying the ACL to control users accessing the switch through SNMP

Prerequisites

The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).

Controlling Network Management Users by Source IP Addresses

Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Table 31 Controlling Network Management Users by Source IP Addresses

To do: Enter system view
Use the command: system-view

To do: Create a basic ACL or enter basic ACL view
Use the command: acl number acl-number [ match-order { config | auto } ]
Remarks: As for the acl number command, the config keyword is specified by default.

To do: Define rules for the ACL
Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
Remarks: Required

To do: Quit to system view
Use the command: quit

To do: Apply the ACL while configuring the SNMP community name
Use the command: snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ]*
Remarks: Optional

To do: Apply the ACL while configuring the SNMP group name
Use the command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
Use the command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
Remarks: Optional

To do: Apply the ACL while configuring the SNMP user name
Use the command: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
Use the command: snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ] [ acl acl-number ]
Remarks: Optional

You can specify different ACLs while configuring the SNMP community name, the SNMP
group name and the SNMP user name.
As SNMP community name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in
the command that configures SNMP community names (the snmp-agent community
command) take effect in the network management systems that adopt SNMPv1 or
SNMPv2c.

Similarly, as SNMP group name and SNMP user name are features of SNMPv2c and the
higher SNMP versions, the specified ACLs in the commands that configure SNMP group
names (the snmp-agent group command and the snmp-agent group v3
command) and SNMP user names (the snmp-agent usm-user command and the
snmp-agent usm-user v3 command) take effect in the network management
systems that adopt SNMPv2c or higher SNMP versions. If you configure both the SNMP
group name and the SNMP user name and specify ACLs in the two operations, the
switch will filter network management users by both SNMP group name and SNMP user
name.

Configuration Example

Network requirements

Only SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to access the switch.

Network diagram

Figure 22 Network diagram for controlling SNMP users using ACLs
[Figure labels: Internet, Switch]

Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2000 match-order config
[3Com-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[3Com-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[3Com-acl-basic-2000] rule 3 deny source any
[3Com-acl-basic-2000] quit
2 Apply the ACL to only permit SNMP users sourced from the IP addresses of
10.110.100.52 and 10.110.100.46 to access the switch.
[3Com] snmp-agent community read 3com acl 2000
[3Com] snmp-agent group v2c 3comgroup acl 2000
[3Com] snmp-agent usm-user v2c 3comuser 3comgroup acl 2000
Controlling Web Users by Source IP Address

You can manage a Switch 4500G Series Ethernet switch remotely through Web. Web users can access a switch through HTTP connections.

You need to perform the following two operations to control Web users by source IP addresses.

■ Defining an ACL
■ Applying the ACL to control Web users

Prerequisites

The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).

Controlling Web Users by Source IP Addresses

Controlling Web users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Table 32 Controlling Web Users by Source IP Addresses

To do: Enter system view
Use the command: system-view

To do: Create a basic ACL or enter basic ACL view
Use the command: acl number acl-number [ match-order { config | auto } ]
Remarks: As for the acl number command, the config keyword is specified by default.

To do: Define rules for the ACL
Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
Remarks: Required

To do: Quit to system view
Use the command: quit

To do: Apply the ACL to control Web users
Use the command: ip http acl acl-number
Remarks: Optional

Disconnecting a Web User by Force

The administrator can disconnect a Web user by force using the related command.

Table 33 Disconnecting a Web User by Force

To do: Disconnect a Web user by force
Use the command: free web-users { all | user-id user-id | user-name user-name }
Remarks: Required. Execute this command in user view.

Configuration Example

Network requirements

Only the users sourced from the IP address of 10.110.100.46 are permitted to access the switch.

Network diagram

Figure 23 Network diagram for controlling Web users using ACLs
[Figure labels: Internet, Switch]

Configuration procedure
1 Define a basic ACL.
<3Com> system-view
[3Com] acl number 2030 match-order config
[3Com-acl-basic-2030] rule 1 permit source 10.110.100.46 0
[3Com-acl-basic-2030] rule 2 deny source any
[3Com-acl-basic-2030] quit
2 Apply the ACL to only permit the Web users sourced from the IP address of
10.110.100.46 to access the switch.
[3Com] ip http acl 2030
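
The following added example (Python, not 3Com code) models how the two rules of ACL 2030 above decide a source address, and flags an ACL that admits more than single hosts. It assumes that rules are tried in ascending rule-id order under match-order config and that a wildcard bit of 1 means the address bit is ignored; ACL_LOOSE is a constructed comparison case that is not part of this guide.

```python
import ipaddress
import re

# Rule lines as typed in the configuration procedure on this page (ACL 2030).
ACL_2030 = [
    "rule 1 permit source 10.110.100.46 0",
    "rule 2 deny source any",
]

# Constructed comparison ACL (not from the page): a /24 wildcard and no final deny.
ACL_LOOSE = ["rule 1 permit source 10.110.100.0 0.0.0.255"]

ALL_BITS = 0xFFFFFFFF
RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?:(?P<any>any)|(?P<addr>\S+)\s+(?P<wild>\S+)))?\s*$"
)


def to_int(text):
    """Convert a dotted-quad address or wildcard; a bare 0 means 0.0.0.0."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_rule(line):
    """Parse the subset of the basic-ACL rule syntax used on this page."""
    match = RULE_RE.match(line.strip())
    if match is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if match["addr"] is None:          # "source any" or no source clause at all
        addr, wild = 0, ALL_BITS
    else:
        addr, wild = to_int(match["addr"]), to_int(match["wild"])
    return {"id": int(match["id"]), "action": match["action"],
            "addr": addr, "wild": wild}


def evaluate(rules, source_ip):
    """Return (action, rule_id) of the first matching rule, else (None, None)."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for rule in sorted(rules, key=lambda r: r["id"]):   # assumed config order
        care = ~rule["wild"] & ALL_BITS                 # wildcard 1-bits are ignored
        if (ip & care) == (rule["addr"] & care):
            return rule["action"], rule["id"]
    return None, None   # no rule matched: the ACL itself gives no verdict


def review(rules):
    """List what a reviewer would question before the ACL is applied."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["id"])
    for rule in ordered:
        if rule["action"] == "permit" and rule["wild"] != 0:
            count = 1 << bin(rule["wild"]).count("1")
            findings.append(f"rule {rule['id']} permits {count} addresses")
    last = ordered[-1] if ordered else None
    if last is None or last["action"] != "deny" or last["wild"] != ALL_BITS:
        findings.append("no final 'deny source any' rule")
    return findings


if __name__ == "__main__":
    strict = [parse_rule(line) for line in ACL_2030]
    loose = [parse_rule(line) for line in ACL_LOOSE]
    for name, rules in (("ACL 2030", strict), ("constructed loose ACL", loose)):
        print(name, "findings:", review(rules) or "none")
        for ip in ("10.110.100.46", "10.110.100.47", "192.0.2.10"):
            print("  ", ip, "->", evaluate(rules, ip))
```

With the page's two rules every address gets an explicit verdict; in the constructed ACL an address outside the permitted range matches no rule, so the outcome would depend on behaviour this guide does not state.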
8 BASIC SYSTEM CONFIGURATION AND MAINTENANCE

Command Line Feature

Command Line Interface Overview

The Switch 4500G Family provides a series of configuration commands and a command line
interface for you to configure and maintain the Ethernet switches. The command line
interface has the following features:
■ Command levels can be configured to make sure that unauthorized users cannot use
related commands to configure a switch.
■ You can enter <?> at any time to get the online help.
■ Network test commands, such as tracert and ping, are provided to help you
diagnose the network.
■ Detailed debugging information is provided to help you diagnose and locate
network failures.
■ A function similar to Doskey is provided to execute a history command.
■ The partial match method is adopted to search for the keywords of a command line. You
only need to enter a non-conflicting keyword to execute the command correctly.

Online Help of Command Line

The command line interface provides the following online help modes.
■ Full help
■ Partial help

You can get the help information through these online help commands, which are
described as follows.

1 Input “?” in any view to get all the commands in it and corresponding descriptions.
<Sysname> ?
User view commands:
backup Backup next startup-configuration file to TFTP
server
boot-loader Set boot loader
bootrom Update/read/backup/restore bootrom
cd Change current directory
clock Specify the system clock
cluster Run cluster command
copy Copy from one file to another
debugging Enable system debugging functions
delete Delete a file
dir List files on a file system
display Show running system information
<Omit>

2 Input a command with a “?” separated by a space. If this position is for keywords, all the
keywords and the corresponding brief descriptions will be listed.
<Sysname> language-mode ?
chinese Chinese environment
english English environment
3 Input a command with a “?” separated by a space. If this position is for parameters, all
the parameters and their brief descriptions will be listed.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface vlan-interface ?
<1-4094> VLAN interface number
[Sysname] interface vlan-interface 1 ?
<cr>

<cr> indicates that there is no parameter in this position. The next command line repeats
the command; you can press <Enter> to execute it directly.

4 Input a character string with a “?”, then all the commands with this character string as
their initials will be listed.
<Sysname>pi?
ping
5 Input a command with a character string and “?”, then all the key words with this
character string as their initials in the command will be listed.
<Sysname> display ver?
version
6 Input the first letters of a keyword of a command and press the <Tab> key. If no other
keywords begin with these letters, this unique keyword will be displayed
automatically. If other keywords beginning with these letters exist, press the <Tab> key
repeatedly to display these keywords.
7 To switch to the Chinese display for the above information, use the language-mode
command.

Displaying Characteristics of Command Line

Command line interface provides the following display characteristics:

■ For users’ convenience, the instruction and help information can be displayed in both
English and Chinese.
■ When the information to be displayed exceeds one screen, a pausing function is
provided. In this case, users have three choices, as shown in the table below.

Table 34 Functions of displaying

Key or Command                            Function
Press <Ctrl+C> when the display pauses    Stop displaying and executing command.
Enter a space when the display pauses     Continue to display the next screen of information.
Press <Enter> when the display pauses     Continue to display the next line of information.
CTRL_E                                    Move the cursor to the end of current line

History Command of Command Line

Command line interface provides the function similar to that of DosKey. The CLI can
automatically save the commands that have been entered. You can invoke and
repeatedly execute them as needed. By default, the CLI can save up to ten commands for
each user. Table 35 lists the operations that you can perform.

Table 35 Retrieve history command

Operation                               Key                               Result
Display history command                 display history-command           Display the history commands that the user has entered.
Retrieve the previous history command   Up cursor key <↑> or <Ctrl+P>     Retrieve the previous history command, if there is any.
Retrieve the next history command       Down cursor key <↓> or <Ctrl+N>   Retrieve the next history command, if there is any.

Cursor keys can be used to retrieve the history commands in Windows 3.X Terminal and
Telnet. However, in Windows 9X HyperTerminal, the cursor keys ↑ and ↓ do not work,
because Windows 9X HyperTerminal defines the two keys differently. In this case, use the
combination keys <Ctrl+P> and <Ctrl+N> instead for the same purpose.

Common Command Line Error Messages

The commands are executed only if they have no syntax error. Otherwise, error
information is reported. Table 36 lists some common errors.

Table 36 Common command line error messages

Error messages          Causes
Unrecognized command    Cannot find the command.
                        Cannot find the keyword.
                        Wrong parameter type.
                        The value of the parameter exceeds the range.
Incomplete command      The input command is incomplete.
Wrong parameter         A wrong parameter is entered.

Editing Characteristics of Command Line

Command line interface provides the basic command editing function and supports
multi-line editing. A command cannot be longer than 256 characters. See the table below.

Table 37 Editing functions

Key                                      Function

Common keys                              Insert from the cursor position and the cursor moves to the right, if
                                         the edition buffer still has free space.

Backspace                                Delete the character preceding the cursor and the cursor moves
                                         backward.

Leftwards cursor key <←> or <Ctrl+B>     Move the cursor a character backward

Rightwards cursor key <→> or <Ctrl+F>    Move the cursor a character forward

Up cursor key <↑> or <Ctrl+P>            Retrieve the history command.
Down cursor key <↓> or <Ctrl+N>

<Tab>                                    Press <Tab> after typing the incomplete key word and the system will
                                         execute the partial help: If the key word matching the typed one is
                                         unique, the system will replace the typed one with the complete key
                                         word and display it in a new line; if there is not a matched key word
                                         or the matched key word is not unique, the system will do no
                                         modification but display the originally typed word in a new line.

Command Line view

Different command views are implemented according to different requirements. They are
related to one another. For example, after logging in to the switch, you will enter user view,
in which you can only use some basic functions such as displaying the running state and
statistics information. In user view, key in system-view to enter system view, in which
you can key in different configuration commands and enter the corresponding views.

The command line provides the following views:

■ User view
■ System view
■ Ethernet Port view
■ NULL interface view
■ VLAN view
■ VLAN interface view
■ LoopBack interface view
■ Local-user view
■ User interface view
■ FTP Client view
■ MST region view
■ IGMP-Snooping view
■ Traffic classifier view
■ Traffic behavior view
■ QoS policy view
■ Cluster view
■ Port group view


■ HWping view
■ TACACS+ scheme view
■ RSA public key view
■ RSA key code view
■ Route policy view
■ Basic ACL view
■ Advanced ACL view
■ Layer 2 ACL view
■ RADIUS scheme view
■ RIP view
■ RIPng view
■ ISP domain view

The following table describes the function features of different views and the ways to
enter or quit.

Table 38 Command view function list

User view
    Function: Show the basic information about operation and statistics
    Prompt: <Sysname>
    Command to enter: Enter right after connecting to the switch
    Command to exit: quit disconnects from the switch

System view
    Function: Configure system parameters
    Prompt: [Sysname]
    Command to enter: Key in system-view in user view
    Command to exit: quit or return returns to user view

Ethernet Port view
    Function: Configure Ethernet port parameters
    Prompt: [Sysname-GigabitEthernet1/0/1]
    Command to enter: GigabitEthernet port view: key in interface gigabitethernet 1/0/1 in system view
    Command to exit: quit returns to system view; return returns to user view

NULL interface view
    Function: Configure NULL interface parameters
    Prompt: [Sysname-NULL0]
    Command to enter: Key in interface null 0 in system view
    Command to exit: quit returns to system view; return returns to user view

VLAN view
    Function: Configure VLAN parameters
    Prompt: [Sysname-vlan1]
    Command to enter: Key in vlan 1 in system view
    Command to exit: quit returns to system view; return returns to user view

VLAN interface view
    Function: Configure IP interface parameters for a VLAN or a VLAN aggregation
    Prompt: [Sysname-Vlan-interface1]
    Command to enter: Key in interface vlan-interface 1 in system view
    Command to exit: quit returns to system view; return returns to user view

LoopBack interface view
    Function: Configure LoopBack interface parameters
    Prompt: [Sysname-LoopBack0]
    Command to enter: Key in interface loopback 0 in system view
    Command to exit: quit returns to system view; return returns to user view

Local-user view
    Function: Configure local user parameters
    Prompt: [Sysname-luser-user1]
    Command to enter: Key in local-user user1 in system view
    Command to exit: quit returns to system view; return returns to user view

User interface view
    Function: Configure user interface parameters
    Prompt: [Sysname-ui0]
    Command to enter: Key in user-interface 0 in system view
    Command to exit: quit returns to system view; return returns to user view

FTP Client view
    Function: Configure FTP Client parameters
    Prompt: [ftp]
    Command to enter: Key in ftp in user view
    Command to exit: quit returns to user view

MST region view
    Function: Configure MST region parameters
    Prompt: [Sysname-mst-region]
    Command to enter: Key in stp region-configuration in system view
    Command to exit: quit returns to system view; return returns to user view

IGMP-Snooping view
    Function: Configure IGMP-Snooping protocol parameters
    Prompt: [Sysname-igmp-snooping]
    Command to enter: Key in igmp-snooping in system view
    Command to exit: quit returns to system view; return returns to user view

Traffic classifier view
    Function: Configure traffic classifier related parameters
    Prompt: [Sysname-classifier-test]
    Command to enter: Key in traffic classifier test in system view
    Command to exit: quit returns to system view; return returns to user view

Traffic behavior view
    Function: Configure traffic behavior related parameters
    Prompt: [Sysname-behavior-test]
    Command to enter: Key in traffic behavior test in system view
    Command to exit: quit returns to system view; return returns to user view

QoS policy view
    Function: Configure QoS policy related parameters
    Prompt: [Sysname-qospolicy-test]
    Command to enter: Key in qos policy test in system view
    Command to exit: quit returns to system view; return returns to user view

Cluster view
    Function: Configure cluster parameters
    Prompt: [Sysname-cluster]
    Command to enter: Key in cluster in system view
    Command to exit: quit returns to system view; return returns to user view

Port group view (manual port group)
    Function: Configure manual port group parameters
    Prompt: [Sysname-port-group-manual-test]
    Command to enter: Key in port-group manual test in system view
    Command to exit: quit returns to system view; return returns to user view

Port group view (aggregate port group)
    Function: Configure aggregate port group parameters
    Prompt: [Sysname-port-group-aggregation-1]
    Command to enter: Key in port-group aggregation 1 in system view
    Command to exit: quit returns to system view; return returns to user view

HWping view
    Function: Configure HWping test group parameters
    Prompt: [Sysname-hwping-admin-test]
    Command to enter: Key in hwping admin test in system view
    Command to exit: quit returns to system view; return returns to user view

TACACS scheme view
    Function: Configure TACACS+ parameters
    Prompt: [Sysname-hwtacacs-test]
    Command to enter: Key in hwtacacs scheme test in system view
    Command to exit: quit returns to system view; return returns to user view

RSA public key view
    Function: Configure RSA public key of SSH user
    Prompt: [Sysname-rsa-public-key]
    Command to enter: Key in rsa peer-public-key 003 in system view
    Command to exit: peer-public-key end returns to system view

RSA key code view
    Function: Edit RSA public key of SSH user
    Prompt: [Sysname-rsa-key-code]
    Command to enter: Key in public-key-code begin in RSA public key view
    Command to exit: public-key-code end returns to RSA public key view

Route policy view
    Function: Configure route policy
    Prompt: [Sysname-route-policy]
    Command to enter: Key in route-policy policy1 permit node 10 in system view
    Command to exit: quit returns to system view; return returns to user view

Basic ACL view
    Function: Define the sub rule of the basic ACL (in the range of 2,000 to 2,999)
    Prompt: [Sysname-acl-basic-2000]
    Command to enter: Key in acl number 2000 in system view
    Command to exit: quit returns to system view; return returns to user view

Advanced ACL view
    Function: Define the sub rule of the advanced ACL (in the range of 3,000 to 3,999)
    Prompt: [Sysname-acl-adv-3000]
    Command to enter: Key in acl number 3000 in system view
    Command to exit: quit returns to system view; return returns to user view

Layer 2 ACL view
    Function: Define the sub rule of the Layer 2 ACL (in the range of 4,000 to 4,999)
    Prompt: [Sysname-acl-ethernetframe-4000]
    Command to enter: Key in acl number 4000 in system view
    Command to exit: quit returns to system view; return returns to user view

RADIUS scheme view
    Function: Configure RADIUS parameters
    Prompt: [Sysname-radius-1]
    Command to enter: Key in radius scheme 1 in system view
    Command to exit: quit returns to system view; return returns to user view

RIP view
    Function: Configure RIP parameters
    Prompt: [Sysname-rip-1]
    Command to enter: Key in rip in system view
    Command to exit: quit returns to system view; return returns to user view

RIPng view
    Function: Configure RIPng parameters
    Prompt: [Sysname-ripng-1]
    Command to enter: Key in ripng 1 in system view
    Command to exit: quit returns to system view; return returns to user view

ISP domain view
    Function: Configure ISP domain parameters
    Prompt: [Sysname-isp-aabbcc.net]
    Command to enter: Key in domain aabbcc.net in system view
    Command to exit: quit returns to system view; return returns to user view

Basic System Configuration

Entering System View from User View

When logging in to the switch, you are in the user view, and the corresponding prompt is
<Sysname>. Follow these operations and you can enter or exit the system view.

Table 39 Enter or exit system view

To do…                                Use the command…    Remarks
Enter system view from user view      system-view         –
Exit from system view to user view    quit                –

Use the quit command to return from current view to lower level view. Use the
return command to return from current view to user view. The composite key <Ctrl+Z>
has the same effect as the return command.

Setting the CLI Language Mode

The switch can give prompt information either in Chinese or English. You can use the
following command to change the language.

Table 40 Set the CLI language mode

To do…                          Use the command…                            Remarks

Set the CLI language mode       language-mode { chinese | english }         Optional
                                                                            By default, the command line interface
                                                                            (CLI) language mode is English.

Setting the System Name of the Switch

You can define the system name, which corresponds to the prompts in CLI. For example,
if you define the system name as 3Com, then the prompt for user view is <3Com>.

Table 41 Set the system name of the switch

To do…                          Use the command…                            Remarks

Enter system view               system-view                                 –

Set the system name of the      sysname sysname                             Optional
switch                                                                      By default, the name is 3Com.

Setting the Date and Time of the System

To ensure the coordination of the switch with other devices, you need to set correct
system time as follows:

Table 42 Set the date and time of the system

To do…                          Use the command…                            Remarks

Set the current date and time   clock datetime time date                    Optional
of the system

Set the local time zone         clock timezone zone-name { add | minus }    Optional
                                time

Set the name and time range of  clock summer-time zone_name one-off         Optional
the summer time                 start-time start-date end-time end-date
                                offset-time
                                clock summer-time zone_name repeating {
                                start-time start-date end-time end-date |
                                start-time start-year start-month
                                start-week start-day end-time end-year
                                end-month end-week end-day } offset-time

Set banner

Table 43 Set banner

To do…                          Use the command…                            Remarks

Enter system view               system-view                                 –

Sets the login banner for       header incoming text                        Optional
users that log in through
modems.

Sets the authentication banner  header legal text                           Optional

Sets the login banner.          header login text                           Optional

Sets the session banner, which  header shell text                           Optional
appears after a session is
established.

Sets the login banner.          header motd text                            Optional

Specifying Shortcut Keys for Command Lines

The system provides five shortcut keys for you to simplify the use of commonly used
commands. As long as you enter the corresponding shortcut key, the system will execute
the corresponding command.

Table 44 Specify shortcut keys for command lines

To do…                          Use the command…                            Remarks

Enter system view               system-view                                 –

Specify shortcut keys for       hotkey [ CTRL_G | CTRL_L | CTRL_O |         Optional
command lines                   CTRL_T | CTRL_U ] command                   By default, the system specifies the
                                                                            corresponding command line for CTRL_G,
                                                                            CTRL_L, and CTRL_O.

Display the shortcut key        display hotkey                              You can execute the command in any view.
allocation information                                                      Refer to Table 45 for the shortcut keys
                                                                            reserved by the system.

By default, the system specifies the corresponding command line for CTRL_G, CTRL_L,
and CTRL_O. The other two shortcut keys CTRL_T, and CTRL_U default to NULL.
■ CTRL_G corresponds to the display current-configuration command
(display the current configuration).
■ CTRL_L corresponds to the display ip routing-table command (display
information about IPv4 routing table).
■ CTRL_O corresponds to the undo debugging all command (disable the
debugging for all modules).

Table 45 Shortcut keys reserved by the system

Shortcut key Function


CTRL_A Moves the cursor to the beginning of the current line
CTRL_B Moves the cursor one character left
CTRL_C Stops the current command function
CTRL_D Deletes the character in the cursor position
CTRL_E Moves the cursor to the end of the current line
CTRL_F Moves the cursor one character right
CTRL_H Deletes the character left of the cursor
CTRL_K Terminates an outgoing connection.
CTRL_N Displays the next command from the history command buffer.
CTRL_P Displays the previous command from the history command buffer.
CTRL_R Redisplays the current line.
CTRL_V Pastes the content from the clipboard.
CTRL_W Deletes the word left of the cursor.
CTRL_X Deletes all the characters up to the cursor
CTRL_Y Deletes all the characters after the cursor
CTRL_Z Returns to user view
CTRL_] Terminates an incoming connection or a redirect connection
ESC_B Moves the cursor one word back.
ESC_D Deletes remainder of word.
ESC_F Moves the cursor one word forward.
ESC_N Moves the cursor one line down (effective before the Enter key is hit)
ESC_P Moves the cursor one line up (effective before the Enter key is hit)
ESC_< Specifies the cursor position as the beginning of clipboard.
ESC_> Specifies the cursor position as the end of clipboard.

The above shortcut keys are defined by the system of the device. When you use terminal
software on the device, these shortcut keys may be defined as other instructions in the
terminal software. In this case, the shortcut keys defined in the terminal software take
effect.

User Level and Command Level Configuration

All the commands are defaulted to different views and categorized into four levels: visit,
monitor, system, and manage, identified respectively by 0 through 3. If a user wants to
acquire a higher privilege, he must switch to a higher user level, which requires a
password for the sake of security.

The following table describes the default level of the commands.

Table 46 Command level by default

Level  Name     Command
0      Visit    Ping, tracert, telnet and so on
1      Monitor  Refresh, reset, send and so on
2      System   All configuration command (except Manage level)
3      Manage   file system commands, FTP commands, TFTP commands and XMODEM commands

Table 47 User level and command level configuration

To do…                          Use the command…                            Remarks

Switch user level               super [ level ]                             Optional

Enter system view               system-view                                 –

Password configuration          super password [ level user-level ]         Optional
                                { simple | cipher } password

Command privilege level         command-privilege level level view view     Optional
configuration                   command

User level determines which commands users can use after login. For example, if the user
level is defined as 3 for the VTY 0 user interface, the user can use commands of level 3
or lower levels when logging into the switch from VTY 0.

CAUTION: If you do not specify user level in the super password command, the
password is set for switching to the level 3 user.
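
The following added example (Python, not 3Com code) reads a configuration text and reports how each super password is stored and which commands were moved to the visit level with command-privilege. It assumes that the configuration lists these commands in the syntax of Table 47, that the simple keyword keeps the password readable in the configuration while cipher stores ciphertext, and that shell is the view name used for user view; SAMPLE_CONFIG and its values are constructed.

```python
import re

# Constructed configuration excerpt (not from a real device). The password
# values are placeholders; "shell" as the user-view name is an assumption.
SAMPLE_CONFIG = """\
#
 sysname 3Com
#
 super password level 2 cipher CONSTRUCTED-CIPHERTEXT
 super password simple Constructed-Pass-1
#
 command-privilege level 0 view shell tftp
#
"""

# super password [ level user-level ] { simple | cipher } password
SUPER_RE = re.compile(
    r"^\s*super\s+password(?:\s+level\s+(?P<level>[0-3]))?"
    r"\s+(?P<mode>simple|cipher)\s+(?P<secret>\S+)\s*$"
)
# command-privilege level level view view command
PRIV_RE = re.compile(
    r"^\s*command-privilege\s+level\s+(?P<level>[0-3])"
    r"\s+view\s+(?P<view>\S+)\s+(?P<command>.+?)\s*$"
)


def super_passwords(config):
    """Map target user level -> 'simple' or 'cipher'.

    A line without the level keyword sets the level 3 password, as the
    CAUTION above states.
    """
    found = {}
    for line in config.splitlines():
        match = SUPER_RE.match(line)
        if match:
            found[int(match["level"] or 3)] = match["mode"]
    return found


def privilege_overrides(config):
    """Return (level, view, command) for every command-privilege line."""
    overrides = []
    for line in config.splitlines():
        match = PRIV_RE.match(line)
        if match:
            overrides.append((int(match["level"]), match["view"], match["command"]))
    return overrides


def audit(config):
    """Collect the settings an administrator should review."""
    findings = []
    for level, mode in sorted(super_passwords(config).items()):
        if mode == "simple":
            findings.append(
                f"level {level} super password is stored with the simple keyword")
    for level, view, command in privilege_overrides(config):
        if level == 0:
            findings.append(f"'{command}' in view {view} is set to level 0 (visit)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

In the constructed sample the password entered without a level is reported for level 3, and the tftp command, which Table 46 places at the Manage level, is reported as available to every logged-in user.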

Displaying the System Status

You can use the following display commands to check the status and configuration
information about the system.

Table 48 System display commands

To do…                                            Use the command…

Display the version of the system                 display version

Display the current date and time of the system   display clock

Display the information about user terminal       display users [ all ]
interfaces

View the configuration files in the flash memory  display saved-configuration [ by-linenum ]
of Ethernet Switch.

Display the currently effective configuration     display current-configuration [ interface
parameters of the switch.                         interface-type [ interface-number ] |
                                                  configuration [ configuration-type ] ] |
                                                  [ by-linenum ] | [ | { begin | include |
                                                  exclude } text ] ]

Display the running configuration of the current  display this [ by-linenum ]
view

Display clipboard information.                    display clipboard

Display memory information.                       display memory

■ Only the display commands related to global configurations are listed here. For the
display commands about protocols and interfaces, refer to the corresponding
contents.
■ If the switch boots without using any configuration file, nothing will be displayed
when you use the display saved-configuration command; if you have saved
the configuration after system booting, the display saved-configuration
command displays the configurations you saved last time.

Displaying Operating Information about System

When your Ethernet switch is in trouble, you may need to view a lot of operating
information to locate the problem. Each functional module has its own operating
information display command(s). You can use the command here to display the
current operating information about the modules (settled when this command is
designed) in the system for troubleshooting your system.

Perform the following operation in any view:

Table 49 Display the current operation information about the modules in the system.

To do…                                            Use the command…

Display the current operation information         display diagnostic-information
about the modules in the system.

■ The display diagnostic-information command displays all the
configurations you defined with the following commands:
■ display clock
■ display version
■ display device
■ display current-configuration
■ display saved-configuration
■ display interface
■ display fib
■ display ip interface
■ display ip statistics
■ display memory
■ display logbuffer
■ display history-command
9 SYSTEM MAINTENANCE AND DEBUGGING

System Maintenance and Debugging Overview

System Maintenance Overview

You can use the ping command and the tracert command to verify the current
network connectivity.

The ping command


Users can use the ping command to verify whether a device with a specified address is
reachable, and to examine the network connectivity.

The ping command is executed in the following steps:

1 The source device sends ICMP ECHO-REQUEST packets to the destination device.
2 If the network is functioning properly, the destination device will respond by sending the
source device ICMP ECHO-REPLY packets after receiving the ICMP ECHO-REQUEST
packets.
3 If there is network failure, the source device will display information indicating that the
address is unreachable.
4 Display the relative statistics after execution of the ping command.

Output of the ping command includes:

■ Information on how the destination device responds towards each ICMP
ECHO-REQUEST packet: if the source device has received the ICMP ECHO-REPLY
packet within the time-out timer, it will display the number of bytes of the
ECHO-REPLY packet, the packet sequence number, Time To Live (TTL), and the
response time.
■ If within the period set by the time-out timer, the destination device has not received
the response packets, it will display the “Request time out.” information.
■ The ping command accepts either the name or the IP address of a destination device. If
the device name is unknown, the “Error: Ping: Unknown host host-name”
information will be displayed.
■ The statistics from execution of the command, which include number of sent packets,
number of received ECHO-REPLY packets, percentage of packets that were not
received, the minimum, average, and maximum response time.

For a low-speed network, set a larger value for the time-out timer (indicated by the -t
parameter in the command) when configuring the ping command.

The tracert command


Users can use the tracert command to trace the routers used while forwarding
packets from the source to the destination device. In the event of network failure, users
can identify the failed node(s) in this way.

The tracert command is executed in the following steps:

1 The source device sends a packet with a TTL value of 1 to the destination device.
2 The first hop (the router that has received the packet first) responds by sending a
TTL-expired ICMP message with its IP address encapsulated to the source. In this way, the
source device can get the address of the first router.
3 The source device sends a packet with a TTL value of 2 to the destination device.
4 The second hop responds with a TTL-expired ICMP message, which gives the source
device the address of the second router.
5 The above process continues until the ultimate destination device is reached. In this way,
the source device can trace the addresses of all the routers that have been used to get to
the destination device.

System Debugging Overview

3Com Switch 4500G Family provides various ways for debugging most of the supported
protocols and functions and for you to diagnose and locate the problems.

The following switches control the outputs of the debugging information.

■ Protocol debugging switch controls the debugging output of a protocol.
■ Terminal debugging switch controls the debugging output on a specified user screen.

Figure 24 illustrates the relationship between the two switches.

Figure 24 Debugging output (diagram not reproduced; its labels are Debugging information, Protocol debugging switch and Screen output switch, each switch shown ON or OFF)

System Maintenance and Debugging Configuration

System Maintenance Configuration

Table 50 System Maintenance Configuration

To do…                          Use the command…                            Remarks

Check the network connection    ping [ ip ] [ -a source-ip | -c count | -f  Any view
                                | -h ttl | -i interface-type
                                interface-number | -m interval | -n | -p
                                pad | -q | -r | -s packet-size | -t
                                timeout | -tos tos | -v ] * { ip-address |
                                hostname }

The tracert command             tracert [ -a source-ip | -f first-ttl | -m
                                max-ttl | -p port | -q packet-num | -w
                                timeout ] * { ip-address | hostname }

System Debugging Configuration

Table 51 System debugging configuration

To do…                          Use the command…                            Remarks

Enable specified module         debugging { all [ timeout time ] |          User view
debugging                       module-name [ option ] }

Enable terminal debugging       terminal debugging

View the enabled debugging      display debugging [ interface               Any view
process                         interface-type interface-number ] [
                                module-name ]

■ The debugging commands are normally used when the administrator is diagnosing
network failure.
■ Output of the debugging information may reduce system efficiency, especially during
execution of the debugging all command.
■ After the debugging is completed, users may use the undo debugging all
command to disable all the debugging functions simultaneously.
■ Use the debugging, terminal debugging, and display debugging commands to
display the debugging information on the screen.

System Maintenance Example

Network requirements

The destination IP address is 10.1.1.4.

Display the route from the source to the destination.

Network diagram (omitted here)

Configuration procedure
<3Com> tracert nis.nsf.net
traceroute to nis.nsf.net (10.1.1.4) 30 hops max, 40 bytes packet
1 128.3.112.1 19 ms 19 ms 0 ms
2 128.32.216.1 39 ms 39 ms 19 ms
3 128.32.136.23 39 ms 40 ms 39 ms
4 128.32.168.22 39 ms 39 ms 39 ms
5 128.32.197.4 40 ms 59 ms 59 ms
6 131.119.2.5 59 ms 59 ms 59 ms
7 129.140.70.13 99 ms 99 ms 80 ms
8 129.140.71.6 139 ms 239 ms 319 ms
9 129.140.81.7 220 ms 199 ms 199 ms
10 10.1.1.4 239 ms 239 ms 239 ms
10 DEVICE MANAGEMENT

You can define the file path and filename of a .btm file, .app file or .cfg file in the
following forms:
■ Path + filename. It is a full filename, a string of 1 to 63 characters, standing for the
file in the specified path.
■ Filename. It has only a filename, a string of 1 to 56 characters, standing for the file in
the current path.
■ These files (.btm, .app or .cfg files) can only be stored in the root directory in
Flash memory.

Introduction to Device Management

Through the device management function, you can view the current working state of
devices, configure operation parameters, and perform daily device maintenance and
management.

Currently, the following device management functions are available:

■ Rebooting a device
■ Specifying a scheduled device reboot.
■ Specifying an .app file for the next device reboot
■ Upgrading a BootROM file.

BootROM and Host Software Loading

Traditionally, the loading of switch software is accomplished through a serial port. This
approach is slow, inconvenient, and cannot be used for remote loading. To resolve these
problems, the TFTP and FTP modules are introduced into the switch. With these modules,
you can load/download software/files conveniently to the switch through an Ethernet
port.

This chapter introduces how to load BootROM and host software to a switch locally and
how to do this remotely.

Introduction to Loading Approaches

You can load software locally by using:

■ XMODEM through Console port
■ TFTP through Ethernet port
■ FTP through Ethernet port

You can load software remotely by using:

■ FTP
■ TFTP

The BootROM software version should be compatible with the host software version
when you load the BootROM and host software.

Local Software Loading

If your terminal is directly connected to the switch, you can load the BootROM and host
software locally.

Before loading the software, make sure that your terminal is correctly connected to the
switch to ensure successful loading.

The loading process of the BootROM software is the same as that of the host software,
except that during the former process, you should press <Ctrl+U> and <Enter> after
entering the Boot Menu and the system gives different prompts. The following text
mainly describes the BootROM loading process.

Boot Menu
Starting......

***********************************************************
* *
* 3Com Switch 4500G Family BOOTROM, Version 106 *
* *
***********************************************************

Copyright(c) 2004-2006 3Com Corporation.


Creation date : May 10 2006, 15:59:18
CPU Clock Speed : 264MHz
BUS Clock Speed : 33MHz
Memory Size : 128MB
Mac Address : 00e0fc005502

Press Ctrl-B to enter Boot Menu... 5


Press <Ctrl+B>. The system displays:
Password :

To enter the Boot Menu, you should press <Ctrl+B> within five seconds after the
information Press Ctrl-B to enter Boot Menu... appears. Otherwise, the system starts to
decompress the program; and if you want to enter the Boot Menu at this time, you will
have to restart the switch.

Input the correct BootROM password (no password is needed by default). The system
enters the Boot Menu:

BOOT MENU

1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot

Enter your choice(0-9):

Loading Software Using XMODEM through Console Port


XMODEM is a file transfer protocol that is widely used due to its simplicity and good
performance. XMODEM transfers files through the console port. It supports two types of
data packets (128 bytes and 1 KB), two check methods (checksum and CRC), and
multiple attempts of error packet retransmission (generally the maximum number of
retransmission attempts is ten).

The XMODEM transmission procedure is completed by a receiving program and a
sending program: The receiving program sends negotiation characters to negotiate a
packet checking method. After the negotiation, the sending program starts to transmit
data packets. When receiving a complete packet, the receiving program checks the
packet using the agreed method. If the check succeeds, the receiving program sends an
acknowledgement character and the sending program proceeds to send another packet;
otherwise, the receiving program sends a negative acknowledgement character and the
sending program retransmits the packet.
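
The framing, checking and retransmission just described, as an added Python example that is not part of the 3Com guide. The control characters and CRC parameters (polynomial 0x1021, initial value 0) are the ones commonly used by XMODEM; the channel functions and the sample image are constructed for the illustration.

```python
"""XMODEM framing, checking and ACK/NAK retransmission (added illustration)."""

SOH, STX = 0x01, 0x02            # packet headers: 128-byte block, 1 KB block
ACK, NAK = 0x06, 0x15            # receiver's replies after checking a packet
CRC_REQUEST = ord("C")           # negotiation character asking for CRC checking
PAD = 0x1A                       # filler for a short final block
MAX_RETRANSMISSIONS = 10         # limit quoted in the text


def crc16_xmodem(data: bytes) -> int:
    """CRC-16 as used by XMODEM: polynomial 0x1021, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


def check_field(body: bytes, use_crc: bool) -> bytes:
    """Two CRC bytes (big-endian) or one byte holding the sum modulo 256."""
    if use_crc:
        return crc16_xmodem(body).to_bytes(2, "big")
    return bytes([sum(body) & 0xFF])


def build_packet(seq: int, payload: bytes, block_size: int = 128,
                 use_crc: bool = True) -> bytes:
    """Sender side: header, block number, its complement, padded data, check."""
    if block_size not in (128, 1024) or len(payload) > block_size:
        raise ValueError("payload must fit one 128-byte or 1 KB block")
    body = payload.ljust(block_size, bytes([PAD]))
    header = bytes([SOH if block_size == 128 else STX, seq & 0xFF, ~seq & 0xFF])
    return header + body + check_field(body, use_crc)


def receive_packet(packet: bytes, expected_seq: int, use_crc: bool):
    """Receiver side: (ACK, data) if the packet checks out, else (NAK, None)."""
    if not packet or packet[0] not in (SOH, STX):
        return NAK, None
    size = 128 if packet[0] == SOH else 1024
    if len(packet) != 3 + size + (2 if use_crc else 1):
        return NAK, None
    seq, complement = packet[1], packet[2]
    body, check = packet[3:3 + size], packet[3 + size:]
    if seq != expected_seq & 0xFF or seq ^ complement != 0xFF:
        return NAK, None
    if check != check_field(body, use_crc):
        return NAK, None
    return ACK, body


def transfer(data: bytes, channel, block_size: int = 128,
             opening: int = CRC_REQUEST):
    """Drive sender and receiver through channel(packet, attempt) -> bytes.

    `opening` is the receiver's negotiation character: 'C' selects CRC,
    NAK selects the checksum. Returns (received bytes, number of NAKs)."""
    use_crc = opening == CRC_REQUEST
    received, naks, seq = bytearray(), 0, 1      # block numbers start at 1
    for offset in range(0, len(data), block_size):
        chunk = data[offset:offset + block_size]
        packet = build_packet(seq, chunk, block_size, use_crc)
        for attempt in range(1 + MAX_RETRANSMISSIONS):
            reply, body = receive_packet(channel(packet, attempt), seq, use_crc)
            if reply == ACK:
                received += body
                break
            naks += 1
        else:
            raise RuntimeError(f"block {seq}: no ACK after "
                               f"{MAX_RETRANSMISSIONS} retransmissions")
        seq = (seq + 1) & 0xFF
    return bytes(received), naks


def swap_first_two(packet: bytes) -> bytes:
    """Transposition error: the byte sum is unchanged, the CRC is not."""
    return packet[:3] + bytes([packet[4], packet[3]]) + packet[5:]


def noisy_once(packet: bytes, attempt: int) -> bytes:
    """Constructed channel: damage block 2 on its first attempt only."""
    if packet[1] == 2 and attempt == 0:
        return swap_first_two(packet)
    return packet


if __name__ == "__main__":
    image = bytes(range(256)) + b"tail of a constructed image"   # 283 bytes
    got, naks = transfer(image, noisy_once)
    print(len(got), naks, got[:len(image)] == image)
    # The same kind of damage is acknowledged when only the checksum is used.
    bad = swap_first_two(build_packet(1, b"AB", use_crc=False))
    print(receive_packet(bad, 1, use_crc=False)[0] == ACK)
```

The received data is padded to a whole block because XMODEM carries no file length. Both checks catch line errors only (the transposed bytes pass the 8-bit checksum but not the CRC), and neither authenticates the image being loaded.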

1 Loading BootROM software


a At the prompt "Enter your choice (0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 3 in the above menu to download the BootROM software using XMODEM. The
system displays the following download baud rate setting menu:
Please select your download baudrate:
1.* 9600
2. 19200
3. 38400
4. 57600
5. 115200
0. Return
Enter your choice (0-5):
c Choose an appropriate download baud rate. For example, if you enter 5, the baud
rate 115200 bps is chosen and the system displays the following information:
Download baudrate is 115200 bps
Please change the terminal’s baudrate to 115200 bps and select XMODEM
protocol
Press enter key when ready

If you have chosen 9600 bps as the download baud rate, you need not modify the
HyperTerminal’s baud rate, and therefore you can skip step d and step e below and
proceed to step f directly. In this case, the system will not display the above information.
The following steps are performed on the PC. HyperTerminal on the Windows operating
system is used as the example.

d Choose [File/Properties] in HyperTerminal, click <Configure> in the pop-up dialog box,
and then select the baud rate of 115200 bps in the Console port configuration dialog
box that appears, as shown in Figure 25 and Figure 26.

Figure 25 Properties dialog box

Figure 26 Console port configuration dialog box



e Click the <Disconnect> button to disconnect the HyperTerminal from the switch and
then click the <Connect> button to reconnect the HyperTerminal to the switch, as
shown in Figure 27.

Figure 27 Connect and disconnect buttons

The new baud rate takes effect only after you disconnect and reconnect the
HyperTerminal program.
f Press <Enter> to start downloading the program. The system displays the following
information:
Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Loading ...CCCCCCCCCC
g Choose [Transfer/Send File] in the HyperTerminal’s window, and click <Browse> in
pop-up dialog box, as shown in Figure 28. Select the software you need to download,
and set the protocol to XMODEM.

Figure 28 Send file dialog box

h Click <Send>. The system displays the page, as shown in Figure 29.

Figure 29 Sending file page

i After the download completes, the system displays the following information:
Loading ...CCCCCCCCCC done!
j Reset HyperTerminal’s baud rate to 9600 bps (refer to step d and step e). Then, press
any key as prompted. The system will display the following information when it
completes the loading.
Bootrom updating.....................................done!
■ If the HyperTerminal’s baud rate is not reset to 9600 bps, the system prompts "Your
baudrate should be set to 9600 bps again! Press enter key when ready".
■ You need not reset the HyperTerminal’s baud rate and can skip the last step if you
have chosen 9600 bps. In this case, the system upgrades BootROM automatically and
prompts Bootrom updating now.....................................done!.
2 Loading host software
Follow these steps to load the host software:
a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 3 in the above menu to download the host software using XMODEM.
The subsequent steps are the same as those for loading the BootROM software,
except that the system gives the prompt for host software loading instead of
BootROM loading.

Loading Software Using TFTP through Ethernet Port


TFTP, a protocol in the TCP/IP protocol suite, is used for trivial file transfer between client
and server. It uses UDP to provide unreliable data stream transfer service.
1 Loading BootROM software

Figure 30 Local loading using TFTP (diagram labels: Switch, Console port, Ethernet port, PC, TFTP client, TFTP server)

a As shown in Figure 30, connect the switch through an Ethernet port to the TFTP
server, and connect the switch through the Console port to the configuration PC.

You can use one PC as both the configuration device and the TFTP server.
b Run the TFTP server program on the TFTP server, and specify the path of the program
to be downloaded.

CAUTION: A TFTP server program is not provided with the 3Com Switch 4500G Family
Ethernet Switches.
c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter
the Boot Menu.
At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
d Enter 1 in the above menu to download the BootROM software using TFTP. Then
set the following TFTP-related parameters as required:
Load File name :4500G.btm
Switch IP address :1.1.1.2
Server IP address :1.1.1.1
e Press <Enter>. The system displays the following information:
Are you sure to update your bootrom? Yes or No(Y/N)
f Enter Y to start file downloading or N to return to the Bootrom update menu. If you
enter Y, the system begins to download and update the BootROM software. Upon
completion, the system displays the following information:
Loading........................................done
Bootrom updating..........done!

2 Loading host software


a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 1 in the above menu to download the host software using TFTP.
The subsequent steps are the same as those for loading the BootROM program,
except that the system gives the prompt for host software loading instead of
BootROM loading.

CAUTION: When loading BootROM and host software using Boot menu, you are
recommended to use the PC directly connected to the device as TFTP server to promote
upgrading reliability.

Loading Software Using FTP through Ethernet Port


FTP is an application-layer protocol in the TCP/IP protocol suite. It is used for file transfer
between server and client, and is widely used in IP networks.

You can use the switch as an FTP client or a server, and download software to the switch
through an Ethernet port. The following is an example.

1 Loading BootROM software

Figure 31 Local loading using FTP client (diagram labels: Switch, Console port, Ethernet port, PC, FTP client, FTP server)

a As shown in Figure 31, connect the switch through an Ethernet port to the FTP server,
and connect the switch through the Console port to the configuration PC.

You can use one computer as both configuration device and FTP server.
b Run the FTP server program on the FTP server, configure an FTP user name and
password, and copy the program file to the specified FTP directory.
c Run the HyperTerminal program on the configuration PC. Start the switch. Then enter
the Boot Menu.
At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or <Ctrl+U>,
and then press <Enter> to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):

d Enter 2 in the above menu to download the BootROM software using FTP. Then set
the following FTP-related parameters as required:
Load File name :4500G.btm
Switch IP address :10.1.1.2
Server IP address : 10.1.1.1
FTP User Name :4500G
FTP User Password :abc
e Press <Enter>. The system displays the following information:
Are you sure to update your bootrom?Yes or No(Y/N)
f Enter Y to start file downloading or N to return to the Bootrom update menu. If you
enter Y, the system begins to download and update the program. Upon completion,
the system displays the following information:
Loading........................................done
Bootrom updating..........done!
2 Loading host software
Follow these steps to load the host software:
a Select <1> in Boot Menu and press <Enter>. The system displays the following
information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
b Enter 2 in the above menu to download the host software using FTP.
The subsequent steps are the same as those for loading the BootROM program, except
that the system gives the prompt for host software loading instead of BootROM
loading.

When loading BootROM and host software using Boot menu, you are recommended to
use the PC directly connected to the device as TFTP server to promote upgrading
reliability.

Remote Software Loading

If your terminal is not directly connected to the switch, you can telnet to the switch, and
use FTP or TFTP to load BootROM and host software remotely.

Remote Loading Using FTP


1 Loading Process Using FTP Client
As shown in Figure 32, a PC is used as both the configuration device and the FTP server.
You can telnet to the switch, and then execute the FTP commands to download the
BootROM program 4500G.btm from the remote FTP server (with an IP address 10.1.1.1)
to the switch.

Figure 32 Remote loading using FTP (diagram labels: FTP Server 10.1.1.1, PC, Internet, Switch, GigabitEthernet port, FTP Client)

a Download the software to the switch using FTP commands.


<3Com> ftp 10.1.1.1
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):abc
331 Password required for abc.
Password:
230 User logged in.
[ftp] get 4500G.btm
200 Port command okay.
150 Opening ASCII mode data connection for 4500G.btm.
........226 Transfer complete.
FTP: 184108 byte(s) received in 10.067 second(s) 18.00K byte(s)/sec.
[ftp] bye
221 Server closing.

When using different FTP server software on PC, different information will be output to
the switch.
b Update the BootROM program on the switch.
<3Com> bootrom update file 4500G.btm
This will update BootRom file ,Continue? [Y/N] y
Upgrading BOOTROM, please wait...
Upgrade BOOTROM succeeded!
c Restart the switch.
<3Com> reboot

Before restarting the switch, make sure you have saved all other configurations that you
want, so as to avoid losing configuration information.

Loading the host software is the same as loading the BootROM program, except that
the file to be downloaded is the host software file, and that you need to use the
boot-loader command to select the host software at reboot of the switch.

After the above operations, the BootROM and host software loading is completed.

Pay attention to the following:

■ The loading of BootROM and host software takes effect only after you restart the
switch with the reboot command.
■ If the space of the Flash memory is not enough, you can delete the useless files in the
Flash memory before software downloading.
■ No power-down is permitted during software loading.
2 Loading Process Using FTP Server
As shown in Figure 33, the switch is used as the FTP server. You can telnet to the switch,
and then execute the FTP commands to download the BootROM program 4500G.btm
from the switch.

Figure 33 Remote loading using FTP server (diagram labels: FTP Client 10.1.1.1, PC, Internet, Switch, Gigabit Ethernet port, FTP Server 192.168.0.39)

a As shown in Figure 33, connect the switch through an Ethernet port to the PC (with IP
address 10.1.1.1).
b Configure the IP address of VLAN1 on the switch to 192.168.0.39, and subnet mask
to 255.255.255.0.

You can configure the IP address for any VLAN on the switch for FTP transmission.
However, before configuring the IP address for a VLAN interface, make sure that the
IP addresses of this VLAN and the PC are routable to each other.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 192.168.0.39 255.255.255.0
c Enable FTP service on the switch, configure the FTP user name to test and password to
pass.
[3Com-Vlan-interface1] quit
[3Com] ftp server enable
[3Com] local-user test
New local user added.
[3Com-luser-test] password simple pass
[3Com-luser-test] service-type ftp

d Enable FTP client software on PC. Refer to Figure 34 for the command line interface in
Windows operating system.

Figure 34 Command line interface

e Use the cd command in the interface to change to the path where the BootROM upgrade
file is stored. Here the path is assumed to be D:\Bootrom, as shown in Figure 35.

Figure 35 Switch to BootROM



f Enter ftp 192.168.0.39 and enter the user name test and the password pass, as shown in
Figure 36, to log on to the FTP server.

Figure 36 Log on the FTP server

g Use the put command to upload the file 4500G.btm to the switch, as shown in
Figure 37.

Figure 37 Upload file 4500G.btm to the switch

h Configure 4500G.btm to be the BootROM at reboot, and then restart the switch.
<3Com> bootrom update file 4500G.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<3Com> reboot

When rebooting the switch, use the file 4500G.btm as BootROM to finish BootROM
loading.

Loading the host software is the same as loading the BootROM program, except that
the file to be downloaded is the host software file, and that you need to use the
boot-loader command to select the host software at reboot of the switch.

■ The steps listed above are performed in the Windows operating system. If you use
other FTP client software, refer to the corresponding user’s guide before operation.
■ Only the configuration steps concerning loading are illustrated here. For a detailed
description of the corresponding configuration commands, refer to the chapter File
System Management.

Remote Loading Using TFTP


The remote loading using TFTP is similar to that using FTP. The only difference is that TFTP
is used instead of FTP to load software to the switch, and the switch can only act as a
TFTP client.

Device Management Configuration

Rebooting an Ethernet Switch

When a fault occurs to a running device, you can remove the fault by rebooting it,
depending on the actual situation. You can also set a time at which the device can
automatically reboot.

Table 52 Reboot an Ethernet switch

To do                                    Use the command                         Remarks
Reboot an Ethernet switch                reboot                                  Optional
Enable the timing reboot function for    schedule reboot at hh:mm [ date ]       Optional
the switch and set the time and date                                             By default, the timing reboot function
                                                                                 for the switch is disabled.
Enable the timing reboot function for    schedule reboot delay { hh:mm | mm }
the switch and set the delay period
Check the timing reboot configuration    display schedule reboot                 Optional
                                                                                 Any view

The precision of switch timer is 1 minute. That is, with the timing reboot function
enabled, a switch reboots in one minute after the rebooting time is due.

CAUTION: The reboot, schedule reboot at and schedule reboot delay
commands all cause system rebooting and service interruption. Use these commands
with caution.

Specifying the App File to be Used for the Next Startup

If multiple .app files reside in the Flash, you can specify the one to be used for the next
startup by performing the operation listed in Table 53.

Table 53 Specify the .app file to be used for the next startup

To do                                    Use the command                                 Remarks
Specify the .app file to be used for     boot-loader file file-url { main | backup }     Required
the next startup

Upgrading BootROM

During the operation of the device, you can use the Bootrom programs in the FLASH to
upgrade the running Bootrom programs.

Since the BootROM files of switching processing units (SRPUs) and line processing units
(LPUs) vary with devices, it is easy to confuse them and make serious mistakes when
upgrading BootROM files. After the validity check function is enabled, the device will
strictly check the BootROM upgrade files for correctness and version configuration
information to ensure a successful upgrade. You are recommended to enable the validity
check function before upgrading BootROM files.

Table 54 Upgrade BootROM

To do                                    Use the command                          Remarks
Enter system view                        system-view                              –
Enable file validity check for           bootrom-update security-check enable     Optional
upgrading                                                                         By default, the file validity check
                                                                                  function is not enabled.
Return to user view                      quit                                     –
Upgrade BootROM                          bootrom update file file-url             Required
                                                                                  By default, all Boot ROM file contents
                                                                                  will be upgraded.

Clearing the Unused 16-Bit Interface Index in the Current System

In a real network, network management software requires the device to provide
unified and stable 16-bit interface indexes; that is, it is best for each interface name
to match one interface index on a device.

To ensure the stability of the interface index, the system will keep the 16-bit interface
index for the interface even if the logical interface or the card is removed from the
system. In this way, the interface index keeps unchanged when the interface is created
again.

Repeated insertion and removal of different sub cards or interface cards, or creating or
deleting large amount of logical interfaces of different types may use up the interface
indexes. If so, you may fail to create an interface. To avoid this, you can perform the
following configuration in user view to clear the saved but unused 16-bit interface
indexes in the current system.

After the configuration:

■ For a newly created interface, the new index is not guaranteed to be identical to the
original one.
■ For the existing interface, its interface index will not be changed.

Table 55 Clear the unused 16-bit interface index in the current system

To do                                                          Use the command
Clear the unused 16-bit interface index in the current         reset unused porttag
system

CAUTION: Your confirmation is needed when the command is executed. If you do not
confirm within 30 seconds, or input N, the operation will be canceled.

Displaying the Device Management Configuration

After the above configurations, you can execute the display command in any view to
display the operating status of the device management to verify the configuration
effects.

Table 56 Display the operating status of the device management

To do                                    Use the command                                       Remarks
Display the .app to be adopted at        display boot-loader                                   Any view
reboot
Display the statistics of CPU usage      display cpu-usage [ number [ offset ] [ verbose ]
                                         [ from-device ] ]
Display subslot information of device    display device [ subslot subslot-no | verbose ]
Display environment information          display environment
Display the operating status of the      display fan [ fan-id ]
fan
Display memory state                     display memory
Display the operating status of the      display power [ power-id ]
power supply
Display reboot time                      display schedule reboot

Remote Switch Update Configuration Example

Network requirements

■ Configure an FTP user, whose name and password are switch and hello respectively.
Authorize the user with the read-write right of the Switch directory on the PC.
■ Make appropriate configuration so that the IP address of a VLAN interface on the
switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are
reachable to each other.
■ Telnet to the switch from a PC remotely and download applications from the FTP
server to the Flash memory of the switch to remotely update the switch software by
using the device management commands through CLI.

Network diagram

Figure 38 Network diagram of FTP configuration (diagram labels: User, Telnet, Network, Switch, FTP Server, FTP Client)

Configuration procedure
1 Configure the FTP-Server
■ Set the FTP username to aaa and password to hello.
■ Configure users to have access to the directory.
2 Configure the switch as follows:

CAUTION: If the Flash memory of the switch is not sufficient, delete the original
applications in it before downloading the new ones.
1 Execute the telnet command on the PC to log into the switch.
<3Com> ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):switch
331 Password required for switch.
Password:
230 User logged in.
[ftp]
2 Enter the authorized path on the FTP server.
[ftp] cd switch
3 Execute the get command to download the switch.app and boot.btm files on the FTP
server to the Flash memory of the switch.
[ftp] get switch.app
[ftp] get boot.btm
4 Execute the quit command to terminate the FTP connection and return to user view.
[ftp] quit
<3Com>
5 Enter system view
<3Com> system-view
System View: return to User View with Ctrl+Z.

6 Enable file validity check for upgrading.
[3Com] bootrom-update security-check enable
[3Com] quit
7 Update the BootROM.
<3Com> bootrom update file boot.btm
8 Specify the application to be used at the next startup.
<3Com> boot-loader file switch.app
9 Restart the switch to update the host software of the switch.
<3Com> reboot
11 FILE SYSTEM MANAGEMENT

Throughout this document, a filename can be entered as either of the following:


■ A fully qualified filename with the path included to indicate a file under a specific
path. The filename can be 1 to 135 characters in length.
■ A short filename with the path excluded to indicate a file in the current path. The
filename can be 1 to 91 characters in length.

File System Management

Overview

A major function of the file system is to manage storage devices. It allows you to perform
operations such as directory create and delete, and file copy and display.

If an operation, delete or overwrite for example, may cause problems such as data loss or
corruption, the file system will ask you to confirm the operation by default.

Depending on the managed object, file system operations fall into directory operations,
file operations, storage device operations, and file system prompt mode setting.

Directory Operations

Directory operations include create, delete, display the current directory, display files or
subdirectories in a specific directory as shown in Table 57.

Table 57 Directory operations

To do…                           Use the command…             Remarks
Create a directory               mkdir directory              Optional. Available in user view
Remove a directory               rmdir directory              Optional. Available in user view
Display the current directory    pwd                          Optional. Available in user view
Display files or directories     dir [ /all ] [ file-url ]    Optional. Available in user view
Change the current directory     cd directory                 Optional. Available in user view

File Operations

File operations include delete (removing files into the recycle bin), restore the deleted,
permanently delete (deleting files from the recycle bin), display, rename, copy, and move
as shown in Table 58.

CAUTION: You can create a file by using operations such as copy, download or save.

Table 58 File operations

To do…                                 Use the command…                             Remarks
Remove a file to the recycle bin or    delete [ /unreserved ] file-url              Optional. Available in user view
delete it permanently
Restore a file from the recycle bin    undelete file-url                            Optional. Available in user view
Empty the recycle bin                  reset recycle-bin [ file-url ] [ /force ]    Optional. Available in user view
Display the contents of a file         more file-url                                Optional. Available in user view
                                                                                    So far, this command is valid
                                                                                    only for txt files.
Rename a file                          rename fileurl-source fileurl-dest           Optional. Available in user view
Copy a file                            copy fileurl-source fileurl-dest             Optional. Available in user view
Move a file                            move fileurl-source fileurl-dest             Optional. Available in user view
Display files or directories           dir [ /all ] [ file-url ]                    Optional. Available in user view
Execute the batch file                 execute filename                             Optional. Available in system view

CAUTION:
■ Empty the recycle bin promptly with the reset recycle-bin command to save
memory space.
■ As the delete /unreserved file-url command deletes a file permanently
and the action cannot be undone, use it with caution.
■ You can only move a file on the same device. The move command fails if you try to
move a file to another device.

Storage Device Operations

Storage device operations include disk fix and format as shown in Table 59. You may use
these two commands when some space of a storage device becomes inaccessible as the
result of some abnormal operations for example.

Table 59 Storage device operations

To do                                     Use the command    Remarks
Restore the space of a storage device     fixdisk device     Optional. Available in user view
Format a storage device                   format device      Optional. Available in user view

CAUTION: Use caution when formatting the storage device (usually the Flash) where the
configuration file is stored, as the operation can destroy all data on the storage device
and the action cannot be undone.

File System Prompt Mode Setting

The file system provides the following two prompt modes:
■ Alert, where the system warns you about operations that may bring undesirable
consequences such as file corruption or data loss.
■ Quiet, where the system does not give such warnings in any case. To prevent undesirable
consequences resulting from mis-operations, the alert mode is preferred.

Table 60 File system prompt mode setting

To do                                    Use the command                   Remarks
Set the operation prompt mode of the     file prompt { alert | quiet }     Optional
file system                                                                The default is alert.

File System Operations Example

1 Display the files under the root directory.
<3Com> dir
Directory of flash:/

0 -rw- 6648612 Jan 01 2006 00:00:00 aabbcc.bin
1 -rw- 31181 Apr 27 2000 11:41:08 config.cfg
2 -rw- 234823 Apr 28 2000 12:50:32 default.diag
3 -rw- 31126 Apr 27 2000 11:25:14 test.txt
4 drw- - Apr 27 2000 13:00:10 test
15240 KB total (8449 KB free)
2 Create a new folder called mytest under the test directory.
<3Com> cd test
<3Com> mkdir mytest
.
%Created dir flash:/test/mytest.
3 Display the files under the test directory.
<3Com> dir
Directory of flash:/test/
0 drw- - Apr 27 2000 13:01:04 mytest
15240 KB total (8448 KB free)
4 Return to the upper directory.
<3Com> cd ..

Configuration File Management

Overview

Configuration type

The configuration of a device falls into two types:
■ Startup configuration, which is used for initialization. If no startup configuration is
available, the default parameters are used.
■ Running configuration, which takes effect during system operation and is temporarily
saved in the RAM; it does not survive a reboot unless it is saved.

Configuration file format


Configuration files are saved as text files for consulting convenience. They:
■ Save configuration in the form of commands.
■ Save only non-default configuration settings.
■ List commands in sections by view in this view order: system, physical interface,
logical interface, routing protocol, and so on. Sections are separated with one or
multiple blank lines or comment lines that start with a pound sign (#).
■ End with a return.
■ The operating interface provided by the configuration file management function is
user-friendly. With it, you can easily manage your configuration files.
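
One way to review a saved configuration after the remote-loading procedure of the previous chapter, using the file format described above (an added example, not 3Com code). The sample text is constructed from commands that appear in this guide; the indentation of saved lines and the reading of the simple keyword as "password kept as typed" are assumptions.

```python
"""Audit a saved configuration for leftover FTP upgrade settings (added example)."""
from typing import List, NamedTuple

# Constructed sample laid out as the text describes: commands grouped by view,
# sections separated by '#' or blank lines, file ending with "return".
SAMPLE_CONFIG = """\
#
 sysname 3Com
#
 ftp server enable
#
local-user test
 password simple pass
 service-type ftp

interface Vlan-interface1
 ip address 192.168.0.39 255.255.255.0
#
return
"""


class Finding(NamedTuple):
    section: str   # first command of the section, i.e. the view it belongs to
    line: str      # the command found, with any password value masked
    reason: str


def split_sections(text: str) -> List[List[str]]:
    """Split on blank lines and on comment lines that start with '#'."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:
                sections.append(current)
                current = []
        else:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def is_complete(text: str) -> bool:
    """A saved file ends with 'return'; a missing one suggests truncation."""
    sections = split_sections(text)
    return bool(sections) and sections[-1][-1] == "return"


def audit(text: str) -> List[Finding]:
    findings = []
    for section in split_sections(text):
        head = section[0]
        in_user_view = head.startswith("local-user ")
        for line in section:
            words = line.split()
            if line == "ftp server enable":
                findings.append(Finding(head, line, "FTP server is enabled"))
            elif in_user_view and words[:2] == ["password", "simple"]:
                # Never copy the password itself into a report.
                findings.append(Finding(head, "password simple ****",
                                        "password set with the simple keyword"))
            elif in_user_view and words[0] == "service-type" and "ftp" in words[1:]:
                findings.append(Finding(head, line, "account may log in over FTP"))
    if not is_complete(text):
        findings.append(Finding("(file)", "", "file does not end with 'return'"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"{finding.section}: {finding.line} -> {finding.reason}")
```

FTP carries the user name and password unencrypted, so these lines are worth reviewing once the upgrade is finished.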

Main/backup attributes
The main and backup attributes allow a main configuration file and a backup configuration
file to be kept on the device. When the main configuration file is corrupted or lost, the backup
configuration files can be used to start or configure the device. Compared with the
systems supporting only one type of configuration file, the main/backup configuration
file mechanism enhances the security and reliability of the file system. The main keyword
represents the main attributes of the configuration file, and the backup keyword
represents the backup attribute of the configuration file. You can use corresponding
commands to configure the main/backup attributes of a configuration file. A
configuration file can be configured with both the main attribute and the backup
attribute at the same time. However, a device can have only one configuration file that is
of a specific attribute at a time.

The main and backup attributes are mainly used as follows in file system.

■ You can specify the main/backup/common attribute of the configuration file when
saving the current configuration.
■ You can specify to erase the main configuration file or the backup configuration file
when you erase the configuration file in the device. For the configuration file with
both the main attribute and the backup attribute, you can specify to erase the main
attribute or backup attribute of the configuration file.
■ You can specify the main/backup attribute of a configuration file when you specify
the configuration file to be used the next time.

Selection sequence of configuration files


Configuration files are selected according to the following rules when a device starts.
1 If the main configuration file exists, it is used to initialize the configuration.
2 If the backup configuration file exists while the main configuration file does not exist, the
backup configuration file is used to initialize the configuration.
3 If neither the main configuration file nor the backup configuration file exists, the
following selection sequence is adopted:
■ If the default configuration file exists, it is used to initialize the configuration.
■ If the default configuration file does not exist, the system is started without loading
any configuration.

Saving Running Configuration

You can modify running configuration on your device at the command line interface
(CLI). To use it at the next startup, save it to the startup configuration file with the
save command before rebooting the system.

You can save the current configuration files in one of the following two ways:

Ways of saving the configuration files


■ Fast mode: If the safely keyword is not provided, the system saves the configuration
files in the fast mode. In this mode, the configuration files are saved fast. However,
the configuration files will be lost if the device is restarted or the power is off when
the configuration files are being saved.
■ Safe mode: If the safely keyword is provided, the system saves the configuration files
in the safe mode. In this mode, the configuration files are saved slowly. However, the
configuration files will be saved in the Flash if the device is restarted or the power is
off when the configuration files are being saved.

Attributes of the saved configuration files


■ The main attribute. When the save [ safely ] [ main ] command is used to save
the current configuration into a configuration file, the attribute of the configuration
file is “main.” If the configuration file is an existing configuration file with the backup
attribute, the configuration file will possess both the main attribute and the backup
attribute at the same time. If a main configuration file already exists in the system, the
main attribute of the existing configuration file will be replaced by the new one, so
that there is only one main configuration file in the system.
■ The backup attribute. When the save [ safely ] backup command is used to
save the current configuration into a configuration file, the attribute of the
configuration file is “backup.” If the configuration file is an existing configuration file
with the main attribute, the configuration file will possess both the main attribute and
the backup attribute at the same time. If a backup configuration file exists in the
system, the backup attribute of the existing configuration file will be replaced by the
new one, so that there is only one backup configuration file in the system.
■ The common attribute. When the save cfgfile command is used to save the
current configuration into a configuration file, if the configuration file named cfgfile
does not exist, the saved configuration file possesses neither the main attribute nor
the backup attribute; if the configuration file cfgfile exists, the attribute of the new
configuration file is determined by its attribute before the saving operation.
Table 61 Saving running configuration

To do                         Use the command                                     Remarks
Save running configuration    save [ cfgfile | [ safely ] [ main | backup ] ]     Available in any view

■ You are recommended to adopt the fast saving mode in the conditions of stable
power and adopt the safe mode in the conditions of unstable power or remote
maintenance.
■ The extension of a configuration file must be cfg.

Erasing the Startup Configuration File

You may erase the startup configuration file by using the command shown in Table 62.
If no startup configuration is available, the default parameters are used.

You may need to erase the startup configuration file for one of these reasons:

■ After you upgrade software, the old configuration file does not match the new
software.
■ The startup configuration file is destroyed or is not the one you need.

When you erase a configuration file, the following cases may occur:

■ If you use the reset saved-configuration [ main ] command to erase a
configuration file, if the configuration file possesses only the main attribute, the
configuration file will be removed completely; if the configuration file possesses both
the main attribute and the backup attribute, only the main attribute of the
configuration file is removed.
■ If you use the reset saved-configuration backup command to erase a
configuration file, if the configuration file possesses only the backup attribute, the
configuration file will be removed completely; if the configuration file possesses both
the main attribute and the backup attribute, only the backup attribute of the
configuration file is removed.
Table 62 Erasing the startup configuration file

To do                                                            Use the command                                 Remarks
Erase the startup configuration file from the storage device     reset saved-configuration [ main | backup ]     Available in user view

Specifying a Configuration File for Next Startup

You can set the main/backup attributes of a configuration file. The attribute of a
configuration file is generated in two ways, as described below.

Set the main attribute of the startup configuration file
■ When the current configuration is saved into the main configuration file, the system
will automatically adopt the main configuration file as the main startup configuration
file.
■ Use the startup saved-configuration cfgfile [ main ] command to set a
configuration file as the main startup configuration file.

Set the backup attribute of the startup configuration file


■ When the current configuration is saved into the backup configuration file, the
system will automatically adopt the backup configuration file as the backup startup
configuration file.
■ Use the startup saved-configuration cfgfile backup command to set a
configuration file as the backup startup configuration file.

Table 63 Specifying a configuration file for next startup

To do                                           Use the command                                            Remarks
Specify a configuration file for next startup   startup saved-configuration cfgfile [ main | backup ]      Available in user view

CAUTION: This operation can delete the configuration file from the device permanently,
so perform it with care.
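
The attribute rules for saving, erasing and specifying configuration files, and the
selection sequence at startup, can be traced with the following Python model. It is an
added illustration, not 3Com code: the ConfigStore class and its method names are
hypothetical, and the target file name is always passed in explicitly.

```python
# Added illustration (not 3Com software): a model of the main/backup/common
# attribute rules and of the startup selection sequence described above.
# The class and method names are hypothetical.


class ConfigStore:
    """Flash contents as {file name: set of attributes}.

    An empty set stands for the common attribute (neither main nor backup).
    """

    def __init__(self, default_file_exists=False):
        self.files = {}
        self.default_file_exists = default_file_exists

    def holder(self, attr):
        """Return the name of the file that has the attribute, or None."""
        return next((n for n, a in self.files.items() if attr in a), None)

    def _grant(self, name, attr):
        if attr not in ("main", "backup"):
            raise ValueError("attribute must be main or backup")
        old = self.holder(attr)
        if old is not None and old != name:
            # Only one main and one backup file may exist, so the previous
            # holder loses the attribute. Assumption: the file itself stays.
            self.files[old].discard(attr)
        self.files.setdefault(name, set()).add(attr)

    def save(self, name, attr=None):
        """save cfgfile (attr=None), save [ safely ] main or backup."""
        if not name.endswith(".cfg"):
            raise ValueError("the extension of a configuration file must be cfg")
        if attr is None:
            # New file: common attribute. Existing file: attributes unchanged.
            self.files.setdefault(name, set())
        else:
            self._grant(name, attr)

    def startup(self, name, attr="main"):
        """startup saved-configuration cfgfile [ main | backup ]."""
        if name not in self.files:
            raise FileNotFoundError(name)
        self._grant(name, attr)

    def reset_saved(self, attr="main"):
        """reset saved-configuration [ main | backup ]."""
        name = self.holder(attr)
        if name is None:
            return None
        self.files[name].discard(attr)
        if self.files[name]:
            # The file also had the other attribute: it stays in Flash.
            return ("attribute-removed", name)
        del self.files[name]
        return ("file-removed", name)

    def boot_selection(self):
        """Apply the selection sequence used when the device starts."""
        for attr in ("main", "backup"):
            name = self.holder(attr)
            if name is not None:
                return (attr, name)
        return ("default", None) if self.default_file_exists else ("none", None)


def walk_through():
    """Constructed sequence of commands; returns the outcome of each check."""
    s = ConfigStore()
    steps = []
    s.save("a.cfg", "main")
    s.save("a.cfg", "backup")             # a.cfg now has both attributes
    steps.append(s.reset_saved("main"))   # only the main attribute goes
    steps.append(s.boot_selection())      # the backup file is used
    s.save("b.cfg", "main")
    steps.append(s.boot_selection())
    steps.append(s.reset_saved("main"))   # b.cfg had only main: file removed
    steps.append(s.reset_saved("backup"))
    steps.append(s.boot_selection())      # nothing left to load
    return steps


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```
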

Backing Up/Restoring the Configuration File for Next Startup

Feature overview

Through this feature, you can back up and restore the configuration file for next startup
through the command line. TFTP is used to transmit data between the device and the
server. You can back up the configuration file for next startup to the TFTP server, and
download the configuration file saved on the TFTP server to the device and configure it as
the configuration file for next startup.

You can only back up and restore the main configuration file.

Backing up the configuration file for next startup


Table 64 Back up the configuration file for next startup

To do                                              Use the command                                             Remarks
Back up the configuration file for next startup    backup startup-configuration to dest-addr [ filename ]      Required. This operation can be executed only in user view

Before backing up the configuration file:


■ Make sure that the route between the device and the server is reachable, TFTP is
enabled at the server end, and the client on which you will perform the backup and
restoration operations obtains the corresponding read/write right.
■ Use the display startup command in user view to check whether the
configuration file for next startup is configured, and then use the dir command to
check whether the configuration file for next startup exists. If the configuration file is
configured as NULL or the configuration file does not exist, the backup operation will
fail.

Restoring the configuration file for next startup


Table 65 Restore the configuration file for next startup

To do                                              Use the command                                             Remarks
Restore the configuration file for next startup    restore startup-configuration from src-addr filename        Required. This operation can be executed only in user view

■ Before restoring the configuration file, make sure that the route between the device
and the server is reachable, TFTP is enabled at the server end, and the client on which
you will perform the backup and restoration operations obtains the corresponding
read/write right.
■ After the command is executed successfully, use the display startup command
in user view to check whether the name of the configuration file for next startup is
consistent with the filename argument, and then use the dir command to check
whether the restored configuration file for next startup exists.

Displaying and Maintaining Device Configuration

Table 66 Displaying and maintaining device configuration

To do                                                            Use the command                               Remarks
Display the contents of the startup configuration file           display saved-configuration [ by-linenum ]    Available in any view
Display the configuration file used for this and next startup    display startup                               Available in any view
Display the running configuration in current view                display this [ by-linenum ]                   Available in any view
Display running configuration                                    display current-configuration [ configuration [ configuration-type ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ]    Available in any view

Configuration files are displayed in the same format in which they are saved.

FTP Configuration

Overview

FTP (file transfer protocol) is commonly used in IP-based networks to transmit files. Before
the World Wide Web came into being, files were transferred through command lines, and the
most popular application was FTP. At present, although E-mail and Web are the usual
methods for file transmission, FTP still has its strongholds.

An Ethernet switch can act as an FTP client or the FTP server in FTP-employed data
transmission:

■ FTP server

An Ethernet switch can operate as an FTP server to provide file transmission services for
FTP clients. You can log into a switch operating as an FTP server by running an FTP client
program on your PC to access files on the FTP server. Before you log into the FTP server,
the administrator must configure an IP address for it.

■ FTP client

A switch can operate as an FTP client, through which you can access files on FTP servers.
In this case, you need to establish a connection between your PC and the switch through
a terminal emulation program or Telnet and then execute the ftp command on your
PC.

Figure 39 Network diagram for FTP



The configurations needed when a switch operates as an FTP client are shown in
Table 67.

Table 67 Configurations needed when a switch operates as an FTP client

Device        Configuration                                                                                                        Default    Description
Switch        Run the ftp command to log into a remote FTP server directly                                                         –          To log into a remote FTP server and operate files and directories on it, you need to obtain a user name and password first.
FTP server    Enable the FTP server and configure the corresponding information including user names, passwords, and user authorities    –          –

The configurations needed when a switch operates as an FTP server are shown in
Table 68.

Table 68 Configurations needed when a switch operates as an FTP server

Device    Configuration                                                 Default                                            Description
Switch    Enable the FTP server function                                The FTP server function is disabled by default     You can run the display ftp-server command to view the FTP server configuration on the switch.
          Configure the authentication information on the FTP server    –                                                  Configure user names and passwords.
          Configure the connection idle time                            The default idle time is 30 minutes.               –
PC        Log into the switch through an FTP client application.        –                                                  –

CAUTION: The FTP-related functions require that the route between an FTP client and the
FTP server is reachable.

Configuring the FTP Client

Table 69 lists the operations that can be performed on an FTP client.

Table 69 Configurations on an FTP client

To do                                                                    Use the command                                  Remarks
Enter FTP Client view                                                    ftp [ ftp-server [ port ] [ -a source-ip ] ]     Required. Use either command. The FTP client will build a connection with a remote FTP server first before entering FTP Client view if ftp-server exists in this command.
Connect to a remote FTP server in FTP Client view                        open ftp-server [ port ] [ -a source-ip ]        Optional
Display the on-line help information                                     remotehelp [ protocol-command ]                  Optional
Enable verbose function                                                  verbose                                          Optional. The verbose function is enabled by default.
Log into the FTP server again using another username                     user username [ password ]                       Optional
Specify to transfer files in ASCII characters                            ascii                                            Optional. By default, files are transferred in ASCII characters.
Specify to transfer files in binary streams                              binary                                           Optional. By default, files are transferred in ASCII characters.
Change the work directory on the remote FTP server                       cd pathname                                      Optional
Change the work directory to be the parent directory                     cdup                                             Optional
Query the details of all files and directories                           dir [ remotefile [ localfile ] ]                 Optional
Query the name of all files and directories                              ls [ remotefile [ localfile ] ]                  Optional
Download a remote file                                                   get remotefile [ localfile ]                     Optional
Upload a local file to the remote FTP server                             put localfile [ remotefile ]                     Optional
Display the work directory on the FTP server                             pwd                                              Optional
Get the local work path on the FTP client                                lcd                                              Optional
Create a directory on the remote FTP server                              mkdir pathname                                   Optional
Set the data transfer mode to passive                                    passive                                          Optional. By default, the passive mode is adopted.
Delete a specified file                                                  delete remotefile                                Optional
Remove a directory on the remote FTP server                              rmdir pathname                                   Optional
Terminate the current FTP connection without exiting FTP client view     disconnect                                       Optional
Terminate the current FTP connection without exiting FTP client view     close                                            Optional
Terminate the current FTP control connection and data connection         bye                                              Optional
Terminate the current FTP connection and quit to user view               quit                                             Optional. It is equivalent to bye command under FTP Client view.

CAUTION: FTP-based file transmission is performed in the following two modes: Binary
mode for program file transfer and ASCII mode for text file transfer.
■ The ls command can just query the name of all files and directories, while the dir
command can query the details of all files and directories.

Configuring the FTP Server

Configuring FTP server operating parameters

Follow these steps to configure the FTP server:

Table 70 Basic FTP Configurations as an FTP server

To do                               Use the command                  Remarks
Enter system view                   system-view                      –
Enable the FTP server               ftp server enable                Required. Disabled by default.
Configure the idle-timeout timer    ftp timeout minutes              Optional. The default is 30 minutes.
Set the FTP update mode             ftp update { fast | normal }     Optional. Normal update is used by default.

Configuring Parameters for FTP Users


To allow an FTP user to access certain directories on the FTP server, you need to create an
account for the user, authorizing access to the directories and associating the username
and password with the account.

Follow these steps to make configuration for an FTP user:

Table 71 Configuring parameters for FTP users

To do                                               Use the command                                                      Remarks
Enter system view                                   system-view                                                          –
Enter or create a local user view                   local-user user-name                                                 Required. No local user exists by default.
Assign a password to the user                       password { simple | cipher } password                                Required
Assign the FTP service to the local user            service-type ftp                                                     Required. Not assigned by default.
Authorize the FTP user’s access to a directory      service-type ftp [ ftp-directory directory ]                         Optional
Enter ISP domain view                               domain [ isp-name ] [ default { disable | enable isp-name } ]        Optional
Reference an authentication scheme to the domain    authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }    Optional
Reference an authorization scheme to the domain     authorization { hwtacacs-scheme hwtacacs-scheme-name | none }        Optional

For more information about authentication and authorization commands, refer to the
AAA-RADIUS-TACACS+ chapter of this manual.

Displaying and Maintaining the FTP Server


Table 72 Displaying and maintaining the FTP server

To do                                             Use the command       Remarks
Display the configuration of the FTP server       display ftp-server    Available in any view
Display information about logged-in FTP users     display ftp-user      Available in any view

FTP Client Configuration Example

Network requirements

Use your device as an FTP client to download an application file (APP file, .bin file) for
upgrading purpose from the FTP server with the IP address 10.1.1.1/16.

On the FTP server, an FTP user account has been created for the FTP client, with the
username being abc and the password being pwd.

Network diagram

Figure 40 Network diagram for FTPing a startup file from an FTP Server


Configuration procedure
1 Check files on your device. Remove those redundant to ensure adequate space for the
APP file to be downloaded.
<3Com> dir
Directory of flash:/
0 drw- - Dec 07 2005 10:00:57 filename
1 drw- - Jan 02 2006 14:27:51 logfile
2 -rw- 1216 Jan 02 2006 14:28:59 config.cfg
3 -rw- 1216 Jan 02 2006 16:27:26 backup.cfg
4 -rw- 184108 May 26 2006 18:02:16 aaa.bin
15240 KB total (2511 KB free)
<3Com> delete flash:/backup.cfg
2 Download the APP file from the server.
<3Com> ftp 10.1.1.1
Trying 10.1.1.1...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):abc
331 Password required for abc.
Password:
230 User logged in.
[ftp] binary
200 Type set to I
[ftp] get aaa.bin bbb.bin
200 Port command okay.
150 Opening BINARY mode data connection for aaa.bin.
.....226 Transfer complete.
FTP: 184108 byte(s) received in 5.461 second(s) 33.00K byte(s)/sec.
[ftp] bye
221 Server closing.
3 Specify the main APP file for next startup with the boot-loader command.
<3Com> boot-loader file bbb.bin main
<3Com> reboot

The APP file for next startup specified by boot-loader command must be saved
under the root directory. You can use copy or move operation to change its path.

FTP Server Configuration Example

Network requirements

Use your device as an FTP server. Create a user account for an FTP user on it, setting the
username to abc and the password to pwd.

Upload an APP file from a PC to the FTP server.

Network diagram

Figure 41 Network diagram for FTPing a startup file to the FTP server

Configuration procedure
1 Configure the Ethernet Switch
a Create an FTP user account, setting its username and password.
<3Com> system-view
[3Com] local-user abc
[3Com-luser-abc] service-type ftp
[3Com-luser-abc] password simple pwd
b Authorize the access of the user account to certain directory.
[3Com-luser-abc] service-type ftp ftp-directory flash:/
c Validate the authorized directory.
[3Com-luser-abc] quit
[3Com] domain system
[3Com-isp-system] authorization login local
[3Com-isp-system] quit
d Enable FTP server.
[3Com] ftp server enable
[3Com] quit

e Check files on your device. Remove those redundant to ensure adequate space for the
APP file to be uploaded.
<3Com> dir
Directory of flash:/
0 drw- - Dec 07 2005 10:00:57 filename
1 drw- - Jan 02 2006 14:27:51 logfile
2 -rw- 1216 Jan 02 2006 14:28:59 config.cfg
3 -rw- 1216 Jan 02 2006 16:27:26 back.cfg
4 drw- - Jan 02 2006 15:20:21 ftp
5 -rw- 184108 May 26 2006 18:02:16 aaa.bin
15240 KB total (2511 KB free)
<3Com> delete flash:/back.cfg
2 Configure the PC
a Upload the APP file to the FTP server.
c:\> ftp 1.1.1.1
ftp> put aaa.bin bbb.bin
■ When upgrading the configuration file with FTP, put the new file under the root
directory.
■ When upgrading the Boot ROM program with FTP remotely, you must perform the
bootrom update command after the file transfer is completed.
b Specify the main APP file for next startup with the boot-loader command.
<3Com> boot-loader file bbb.bin main
<3Com> reboot

CAUTION: The APP file for next startup must be saved under the root directory.

TFTP Configuration

Overview

The trivial file transfer protocol (TFTP) provides functions similar to those provided by FTP,
but it is not as complex as FTP in interactive access interface and authentication.
Therefore, it is more suitable where complex interaction is not needed between client
and server.

TFTP uses the UDP service for data delivery. In TFTP, file transfer is initiated by the client.

In a normal file downloading process, the client sends a read request to the TFTP server,
receives data from the server, and then sends the acknowledgement to the server.

In a normal file uploading process, the client sends a write request to the TFTP server,
sends data to the server, and receives the acknowledgement from the server.

TFTP transfers files in two modes: binary for program files and ASCII for text files.

Before performing TFTP-related configurations, you need to configure IP addresses for
the TFTP client and the TFTP server, and make sure the route between the two is
reachable.

A switch can only operate as a TFTP client.
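
The download exchange described above (read request, data, acknowledgement) is
simulated below in Python with both sides in memory. This is an added example, not code
from the switch; the packet layout and opcodes follow RFC 1350, and the function names
and file contents are constructed. The request carries only a file name and a mode, which
is why access is restricted with an ACL rather than with user accounts.

```python
# Added illustration: the TFTP download exchange with client and server
# simulated in memory. Opcodes and packet layout follow RFC 1350; the
# function names and the sample file are constructed for this example.
import struct

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
BLOCK_SIZE = 512  # a DATA packet shorter than this ends the transfer


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, file name, 0, mode, 0. There is no credential field.

    Mode "octet" is the binary mode, "netascii" the ASCII mode.
    """
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def parse(packet):
    """Decode a request, DATA or ACK packet into a dictionary."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        name, mode, _ = packet[2:].split(b"\0")
        return {"op": opcode, "file": name.decode("ascii"),
                "mode": mode.decode("ascii")}
    if opcode in (DATA, ACK):
        (block,) = struct.unpack("!H", packet[2:4])
        parsed = {"op": opcode, "block": block}
        if opcode == DATA:
            parsed["data"] = packet[4:]
        return parsed
    raise ValueError("unsupported opcode %d" % opcode)


def download(server_files, filename, mode="octet"):
    """Run a complete download; return (file content, message trace)."""
    trace = []
    request = parse(build_request(RRQ, filename, mode))       # client -> server
    trace.append(("client", "RRQ", request["file"]))
    content = server_files[request["file"]]
    received = b""
    block = 1
    while True:
        chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        data = parse(struct.pack("!HH", DATA, block) + chunk)  # server -> client
        trace.append(("server", "DATA", data["block"], len(data["data"])))
        received += data["data"]
        ack = parse(struct.pack("!HH", ACK, data["block"]))    # client -> server
        trace.append(("client", "ACK", ack["block"]))
        if ack["block"] != block:
            raise RuntimeError("acknowledgement does not match the block sent")
        if len(chunk) < BLOCK_SIZE:
            return received, trace                             # short block: done
        block += 1


if __name__ == "__main__":
    files = {"aaa.bin": bytes(1300)}  # constructed 1300-byte file
    content, trace = download(files, "aaa.bin")
    for message in trace:
        print(message)
```
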



Figure 42 Network diagram for TFTP configuration

Table 73 describes the operations needed when a switch operates as a TFTP client.

Table 73 Configurations needed when a switch operates as a TFTP client

Device         Configuration                                                                                          Default    Description
Switch         Configure an IP address for the VLAN interface of the switch so that it is reachable for TFTP server.  –          TFTP applies to networks where client-server interactions are comparatively simple. It requires that the routes between TFTP clients and TFTP servers are reachable. You can log into a TFTP server directly for file accessing through TFTP commands
TFTP server    The TFTP server is started and the TFTP work directory is configured.                                  –          –

Configuring the TFTP Client

Follow these steps to configure the TFTP client:

Table 74 Configurations on a TFTP client

To do                                                    Use the command                                                     Remarks
Enter system view                                        system-view                                                         –
Reference an ACL to control access to the TFTP server    tftp-server acl acl-number                                          Optional
Back to user view                                        quit                                                                –
Download a file from a TFTP server                       tftp tftp-server get source-file [ dest-file | -a source-ip ]*      Required
Download a file from a TFTP server in secure mode        tftp tftp-server sget source-file [ dest-file | -a source-ip ]*     Optional
Upload a file to a TFTP server                           tftp tftp-server put source-file [ dest-file | -a source-ip ]*      Optional

TFTP Client Configuration Example

Network requirements

Use a PC as the TFTP server and your device as the TFTP client.

As shown in the following figure,

■ PC uses IP address 1.2.1.1/16 and a TFTP working directory has been defined for the
client.
■ On your device, VLAN interface 1 is assigned an IP address 1.1.1.1/16, making sure that
the port connected to PC belongs to the same VLAN.
■ TFTP an APP file from PC for upgrading and a configuration file to PC for backup.

Network diagram

Figure 43 Network diagram for TFTP client configuration

Configuration procedure
1 On PC

Enable TFTP server and configure a TFTP working directory for the TFTP client.

2 On Device

CAUTION: If available space on the Flash memory of the switch is not enough to hold
the file to be uploaded, you need to delete files from the Flash memory to make room
for the new file.
a Enter system view.
<Sysname> system-view
b Assign VLAN interface 1 an IP address 1.1.1.1/16, making sure that the port
connected to PC belongs to the same VLAN.
[Sysname] interface vlan-interface 1
[Sysname-vlan-interface1] ip address 1.1.1.1 255.255.0.0
[Sysname-vlan-interface1] return
c Download an application file aaa.bin from the TFTP server. (Before that, make sure
that adequate memory is available.)
<Sysname> tftp 1.2.1.1 get aaa.bin bbb.bin
d Upload a configuration file config.cfg to the TFTP server.
<Sysname> tftp 1.2.1.1 put config.cfg config.cfg
e Specify the APP file for next startup with the boot-loader command.
<Sysname> boot-loader file bbb.bin
<Sysname> reboot

CAUTION: The APP file for next startup must be saved under the root directory. You can
use copy or move operation to change its path.
12 VLAN CONFIGURATION

VLAN Overview

Introduction to VLAN

The virtual local area network (VLAN) technology is developed for switches to control
broadcast operations in LANs.

By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs,
each of which has a broadcast domain of its own. Hosts in the same VLAN communicate
with each other as if they are in a LAN. However, hosts in different VLANs cannot
communicate with each other directly. In this way, broadcast packets are confined within
a VLAN. Figure 44 illustrates a VLAN implementation.

Figure 44 A VLAN implementation

A VLAN can span across multiple switches, or even routers. This enables hosts in a VLAN
to be dispersed in a more loose way. That is, hosts in a VLAN can belong to different
physical network segments.

VLAN enjoys the following advantages.

■ Broadcasts are confined to VLANs. This decreases bandwidth utilization and improves
network performance.
■ Network security is improved. VLANs cannot communicate with each other directly.
That is, hosts in different VLANs cannot communicate with each other directly. To
enable communications between different VLANs, network devices operating on
Layer 3 (such as routers or Layer 3 switches) are needed.
■ Configuration workload is reduced. VLAN can be used to group specific hosts. When
the physical position of a host changes, no additional network configuration is
required if the host still belongs to the same VLAN.

VLAN Classification

Depending on how VLANs are established, VLANs fall into the following six categories:
■ Port-based VLAN
■ MAC-based VLAN
■ Protocol-based VLAN
■ IP sub network-based VLAN
■ Policy-based VLAN
■ Other VLAN

3Com Switch 4500G Ethernet Switch supports the port-based VLAN. This chapter
focuses on the port-based VLAN.

Basic VLAN Configuration

Table 75 Basic VLAN configuration

To do…                                        Use the command…                       Remarks
Enter system view                             system-view                            –
Create VLAN                                   vlan { vlan-id1 [ to vlan-id2 ] }      Optional. This command is mainly used to create multiple VLANs
Enter VLAN view                               vlan vlan-id                           Required. If the specified VLAN does not exist, this command will first create the VLAN, and then enter VLAN view.
Specify the description string of the VLAN    description text                       Optional. By default, the description string of a VLAN is its VLAN ID, such as “VLAN 0001”.
Exit VLAN view                                quit                                   –

Basic VLAN Interface Configuration

VLAN interface is a virtual interface in Layer 3 mode, and mainly used in realizing the
Layer 3 connectivity between different VLANs.

Table 76 Configure a VLAN interface

To do…                                                           Use the command…                                 Remarks
Enter system view                                                system-view                                      –
Enter VLAN interface view                                        interface vlan-interface vlan-interface-id       Required. If the specified VLAN interface does not exist, this command will create it first and then enter VLAN interface view.
Configure IP address of VLAN interface                           ip address ip-address { mask | mask-length }     Optional. By default, the IP address of VLAN interface is null
Specify the description string for the current VLAN interface    description text                                 Optional. By default, the description string of a VLAN interface is the name of this VLAN interface, such as “Vlan-interface1 interface”.
Enable the VLAN Interface                                        undo shutdown                                    Optional. By default, if all the ports under the VLAN interface are down, the VLAN interface is down; if one or more ports under the VLAN interface are up, the VLAN interface is up.

Before creating a VLAN interface, the corresponding VLAN must exist. Otherwise, you
cannot create the VLAN interface successfully.

Port-Based VLAN Configuration

Introduction of Port-Based VLAN

Port-based VLAN is the simplest and most effective VLAN division method. It defines its
VLAN members according to the ports of a switch. After a specified port is added into a
specified VLAN, the port can forward the packets of the specified VLAN.

Link Type of the Ethernet Port


According to the port-to-VLAN binding mode, the link type of an Ethernet port
falls into one of the following three types:
■ Access port. An access port carries one VLAN only, used for connecting to the user’s
computer.
■ Trunk port. A trunk port can belong to more than one VLAN and receive/send the
packets on multiple VLANs, used for connection between the switches.
■ Hybrid port. A hybrid port can also carry more than one VLAN and receive/send the
packets on multiple VLANs, used for connecting both the switches and user’s
computers.

The difference between the hybrid port and the trunk port is that:

■ A hybrid port allows the packets from multiple VLANs to be sent without tags.
■ A trunk port only allows the packets from the default VLAN to be sent without tags.

Default VLAN
You can configure some VLANs allowed to pass through a port. In addition, you can
also configure a default VLAN for the port. By default, the default VLAN of all the ports is
VLAN 1. But you can configure it as needed.
■ An access port can only belong to one VLAN, so its default VLAN is the VLAN it
belongs to, and it is not necessary for you to configure it.
■ Both the trunk port and the hybrid port allow multiple VLANs to pass through. You can
configure the default VLAN for them.
■ After you delete the default VLAN of a port through the undo vlan command, for
an access port, its default VLAN is restored to VLAN 1; for a trunk or a hybrid port, its
default VLAN configuration remains unchanged, that is, a trunk port or hybrid port can
use the presently nonexistent VLAN as the default VLAN.

After the default VLAN is configured, a port receives and sends packets in different ways.
Refer to the following table for details:

Table 77 Receive and send packets

Receive packets, when the received packets are without tag
  Access port, trunk port and hybrid port: Normally add the default VLAN tag to the packets.

Receive packets, when the received packets are with tag
  Access port: Receive the packet when the VLAN ID (recorded in the tag) is the same with the
  default VLAN ID. Drop the packet when the VLAN ID is different with the default VLAN ID.
  Trunk port and hybrid port: Receive the packet when the VLAN ID (recorded in the tag) is the
  same with the default VLAN ID. Receive the packet when the VLAN ID is different with the
  default VLAN ID but is allowed to pass through the port. Drop the packet when the VLAN ID is
  different with the default ID and is not allowed to pass through the port.

Send packets
  Access port: Send the packet directly, because the VLAN ID is just the default VLAN ID.
  Trunk port: When the VLAN ID is the same with the default VLAN ID, remove the tag of the
  packet first and then send the packet. When the VLAN ID is different with the default VLAN ID,
  keep the original tag and send the packet.
  Hybrid port: When the VLAN ID is the same with the default VLAN ID, remove the tag of the
  packet first and then send the packet. When the VLAN ID is different with the default VLAN ID,
  send the packet, and you can configure whether the sent packet is with the tag or not
  through the port hybrid vlan vlan-id-list { tagged | untagged } command.

Configuring an Access Port-Based VLAN

You can add an access port to a specified VLAN in two ways: configure it in VLAN view,
or configure it in Ethernet port view/port group view.

Table 78 Configure an access port-based VLAN (in VLAN view)

To do…                                      Use the command…          Remarks
Enter system view                           system-view               –
Enter VLAN view                             vlan vlan-id              Required. If the specified VLAN does not exist, this command will create the VLAN first and then enter VLAN view of the VLAN.
Add an Ethernet port to a specified VLAN    port interface-list       Required. By default, the system adds all ports to VLAN 1.

Table 79 Configure an access port-based VLAN (in Ethernet port view or port group view)

To do…                                             Use the command…                                               Remarks
Enter system view                                  system-view                                                    –
Enter Ethernet port view                           interface interface-type interface-number                      Use either command. Configured in Ethernet port view, the following settings are effective on the current port only; configured in port group view, the following settings are effective on all ports in the port group
Enter port group view                              port-group { manual port-group-name | aggregation agg-id }
Configure a port as an access port                 port link-type access                                          Optional. By default, a port is an access port.
Add the current access port to a specified VLAN    port access vlan vlan-id                                       Optional. By default, the system adds all ports to VLAN 1.

You must add an access port to an existing VLAN.



Configuring a Trunk Port-Based VLAN

A trunk port allows multiple VLANs to pass, but you can only configure it in Ethernet port
view/port group view.

Table 80 Configure a trunk port-based VLAN

To do…                                          Use the command…                                               Remarks
Enter system view                               system-view                                                    –
Enter Ethernet port view                        interface interface-type interface-number                      Use either command. Configured in Ethernet port view, the following settings are effective on the current port only; configured in port group view, the following settings are effective on all ports in the port group
Enter port group view                           port-group { manual port-group-name | aggregation agg-id }
Configure a port as a trunk port                port link-type trunk                                           Required
Add the current trunk port to specified VLANs   port trunk permit vlan { vlan-id-list | all }                  Required. By default, all trunk ports only allow VLAN 1 to pass.
Set the default VLAN for the trunk port         port trunk pvid vlan vlan-id                                   Optional. By default, the default VLAN of the trunk port is VLAN 1

■ A trunk port and a hybrid port cannot switch to each other directly but must be
configured as an access port first. For example, a trunk port cannot be configured to
be a hybrid port directly; you must specify it as an access port first, and then specify it
as a hybrid port.
■ The default VLAN ID of the trunk port on the local switch must be the same as that of
the trunk port on the opposite switch. Otherwise, the packets cannot be transmitted
correctly.

Configuring a Hybrid Port-Based VLAN

A hybrid port allows multiple VLANs to pass, but you can only configure it in Ethernet
port view/port group view.

Table 81 Configure a hybrid port-based VLAN

To do…                          Use the command…                  Remarks
Enter system view               system-view                       –
Enter Ethernet port view        interface interface-type          Use either command.
                                interface-number                  Configured in Ethernet port view, the following
                                                                  settings are effective on the current port only;
Enter port group view           port-group { manual               configured in port group view, the following
                                port-group-name |                 settings are effective on all ports in the port
                                aggregation agg-id }              group.
Configure a port as a Hybrid    port link-type hybrid             Required
port
Add the current hybrid port     port hybrid vlan vlan-id-list     Required
to specified VLANs              { tagged | untagged }             You can configure a hybrid port to or not to add a
                                                                  tag to specified VLAN packets when it sends packets.
Set the default VLAN for the    port hybrid pvid vlan vlan-id     Optional
hybrid port.                                                      By default, the default VLAN of the hybrid port is VLAN 1

■ A trunk port and a hybrid port cannot switch to each other directly but must be
configured as an access port first. For example, a trunk port cannot be configured to
be a hybrid port directly. You must specify it as an access port first, and then specify it
as a hybrid port.
■ The VLANs configured to be permitted to pass through a hybrid port must exist.
■ The default VLAN ID of the hybrid port on the local switch must be the same as that
of the hybrid port on the opposite switch. Otherwise, the packets cannot be transmitted
correctly.

Displaying VLAN Configuration

After the above configuration, you can execute the display command in any view to
view the running status of the VLAN configuration and to verify the effect of the configuration.

Table 82 Display the information about specified VLANs

To do…                          Use the command…                  Remarks
Display the information about   display vlan [ vlan-id1 [ to      Available in any view
specified VLANs                 vlan-id2 ] | all | static |
                                dynamic | reserved ]
Display the information about   display interface
specified VLAN interface        vlan-interface [
                                vlan-interface-id ]

VLAN Configuration Example

Network Requirements
■ Switch A connects with Switch B through the trunk port GigabitEthernet1/0/1.
■ The default VLAN ID of the port is 100.
■ The port permits the packets from VLAN 2, VLAN 6 through 50, and VLAN 100 to
pass.

Network Diagram
Figure 45 Configure packets to pass through the default VLAN
[Figure: Switch A and Switch B connected through GigabitEthernet1/0/1]

Configuration Procedure
1 Configure Switch A
a Create VLAN 2, VLAN 6 through VLAN 50 and VLAN 100.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] vlan 100
[3Com-vlan100] vlan 6 to 50
Please wait... Done.
b Enter Ethernet port view of GigabitEthernet1/0/1.
[3Com] interface GigabitEthernet 1/0/1
c Configure GigabitEthernet1/0/1 as a trunk port, and configure its default VLAN ID as
VLAN 100.
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 100
d Configure GigabitEthernet1/0/1 to permit the packets from VLAN 2, VLAN 6 through
50, and VLAN 100 to pass.
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
2 Configuration on Switch B is the same as that on Switch A.
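
The trunk notes earlier in this chapter require the default VLAN ID to match on both ends of a trunk link. The following check is an added example, not part of the 3Com guide: it replays the CLI lines of the procedure above and compares both ends. The Switch B transcript is constructed (PVID left at its default, VLAN 100 not permitted), and the function names and finding labels are this example's own.

```python
import re

# A "<3Com>" or "[3Com-...]" prompt; lines without one are device output.
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")
PORT = "GigabitEthernet1/0/1"

# Switch A: the CLI lines of the procedure above.
SWITCH_A = """\
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] vlan 100
[3Com-vlan100] vlan 6 to 50
Please wait... Done.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 100
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
Please wait... Done.
"""

# Switch B: constructed for this example (no pvid line, VLAN 100 never mentioned).
SWITCH_B = """\
<3Com> system-view
[3Com] vlan 2
[3Com-vlan2] vlan 6 to 50
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50
"""


def expand_vlan_list(tokens):
    """Expand e.g. ['2', '6', 'to', '50', '100'] into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 2
        i += 1
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"bad VLAN range {start} to {end}")
        vlans.update(range(start, end + 1))
    return vlans


def replay(transcript):
    """Return the created VLANs and per-port trunk settings after the CLI lines."""
    vlans, ports, port = {1}, {}, None          # VLAN 1 exists by default
    for line in transcript.splitlines():
        if not PROMPT.match(line):
            continue                            # e.g. "Please wait... Done."
        w = PROMPT.sub("", line, count=1).split()
        if len(w) > 1 and w[0] == "vlan":
            vlans |= expand_vlan_list(w[1:])
            port = None
        elif len(w) > 1 and w[0] == "interface":
            port = "".join(w[1:])
            # Defaults stated in the guide: access port, default VLAN 1, VLAN 1 permitted.
            ports.setdefault(port, {"link": "access", "pvid": 1, "permit": {1}})
        elif port and len(w) == 3 and w[:2] == ["port", "link-type"]:
            ports[port]["link"] = w[2]
        elif port and len(w) == 5 and w[:4] == ["port", "trunk", "pvid", "vlan"]:
            ports[port]["pvid"] = int(w[4])
        elif port and len(w) > 4 and w[:4] == ["port", "trunk", "permit", "vlan"]:
            everything = set(range(1, 4095))
            ports[port]["permit"] |= everything if w[4] == "all" else expand_vlan_list(w[4:])
    return {"vlans": vlans, "ports": ports}


def audit_trunk_link(a, port_a, b, port_b):
    """Compare both ends of a trunk link; an empty list means they are consistent."""
    pa, pb = a["ports"][port_a], b["ports"][port_b]
    findings = []
    for name, switch, p in (("A", a, pa), ("B", b, pb)):
        if p["link"] != "trunk":
            findings.append(("not-trunk", name))
        if p["pvid"] not in switch["vlans"]:
            findings.append(("pvid-vlan-missing", name, p["pvid"]))
    if pa["pvid"] != pb["pvid"]:
        findings.append(("pvid-mismatch", pa["pvid"], pb["pvid"]))
    one_sided = sorted(pa["permit"] ^ pb["permit"])
    if one_sided:
        findings.append(("permit-one-sided", one_sided))
    return findings


if __name__ == "__main__":
    for finding in audit_trunk_link(replay(SWITCH_A), PORT, replay(SWITCH_B), PORT):
        print(finding)
```
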
13 VOICE VLAN CONFIGURATION

Voice VLAN Overview

Voice VLANs are VLANs configured specially for voice data stream. By adding the ports
with voice devices attached to voice VLANs, you can perform QoS (quality of
service)-related configuration for voice data, ensuring the transmission priority of voice
data stream and voice quality.

The Switch 4500G determines whether a received packet is a voice packet by checking
its source MAC address. If the source MAC address of a packet matches an
organizationally unique identifier (OUI) address configured on the system, the packet
is treated as a voice packet and transmitted in the voice VLAN.

You can configure an OUI address for voice packets or specify to use the default OUI
address.

The following table shows the five default OUI addresses of a switch.

Table 83 Default OUI addresses preset by the switch

Number  OUI Address     Vendor
1       0003-6b00-0000  Cisco phone
2       000f-e200-0000  3Com Aolynk phone
3       00d0-1e00-0000  Pingtel phone
4       00e0-7500-0000  Polycom phone
5       00e0-bb00-0000  3com phone

■ An OUI address is a globally unique identifier assigned to a vendor by IEEE. You can
determine which vendor a device belongs to according to the OUI address which
forms the first 24 bits of a MAC address.
■ You can add or delete the default OUI address manually.

Automatic Mode and Manual Mode of Voice VLAN

A voice VLAN can operate in two modes: automatic mode and manual mode. You can
configure the operation mode for a voice VLAN according to data stream passing
through the ports of the voice VLAN.
■ In automatic mode, the system identifies the source MAC address contained in the
untagged packet sent when the IP phone is powered on and matches it against the
OUI addresses. If a match is found, the system will automatically add the port into the
Voice VLAN and send ACL rules to ensure the packet precedence. An aging time can
be configured on the device. The system will remove a port from the voice VLAN if no
voice packets are received from it within the aging time. The adding and deleting of
ports are automatically realized by the system.

■ In manual mode, administrators add the IP phone access port directly to the voice
VLAN. It then identifies the source MAC address contained in the packet, matches it
against the OUI addresses, and decides whether to forward the packet in the voice
VLAN. The administrators send ACL rules while adding or deleting a port from the
voice VLAN. In this mode, the adding or deleting of ports is realized by the
administrators.
■ Both modes forward tagged packets in the same manner: forward them based on the
VLAN ID contained in the packets.

The above two working modes can only be configured in Ethernet interface view. Working
modes can vary, and different ports can be configured to work in different modes.

The following table lists the correlation between the working modes of a voice VLAN, the
voice traffic type of an IP phone, and the interface modes of a VLAN interface.

Table 84 Port modes and voice stream types

Voice VLAN mode Port voice stream type  Port type  Supported or not
Automatic mode  Tagged voice stream     Access     Not supported
                                        Trunk      Supported
                                                   Make sure the default VLAN of the port exists and is not a
                                                   voice VLAN. And the access port permits the packets of the
                                                   default VLAN.
                                        Hybrid     Supported
                                                   Make sure the default VLAN of the port exists and is in the
                                                   list of the tagged VLANs whose packets are permitted by the
                                                   access port.
                Untagged voice stream   Access     Not supported, because the default VLAN of the port must be
                                        Trunk      a voice VLAN and the access port is in the voice VLAN. To
                                        Hybrid     do so, you can also add the port to the voice VLAN manually.
Manual mode     Tagged voice stream     Access     Not supported
                                        Trunk      Supported
                                                   Make sure the default VLAN of the port exists and is not a
                                                   voice VLAN. And the access port permits the packets of the
                                                   default VLAN.
                                        Hybrid     Supported
                                                   Make sure the default VLAN of the port exists and is in the
                                                   list of the tagged VLANs whose packets are permitted by the
                                                   access port.
                Untagged voice stream   Access     Supported
                                                   Make sure the default VLAN of the port is a voice VLAN.
                                        Trunk      Supported
                                                   Make sure the default VLAN of the port is a voice VLAN and
                                                   the port permits the packets of the VLAN.
                                        Hybrid     Supported
                                                   Make sure the default VLAN of the port is a voice VLAN and
                                                   is in the list of untagged VLANs whose packets are
                                                   permitted by the port.

CAUTION:
■ If the voice stream transmitted by your IP phone carries a VLAN tag and the port to which
the IP phone is attached is enabled with 802.1x authentication and 802.1x guest
VLAN, assign different VLAN IDs for the voice VLAN, the default VLAN of the port,
and the 802.1x guest VLAN to ensure that the two functions operate properly.
■ If the voice stream transmitted by the IP phone carries no VLAN tag, the default VLAN
of the port to which the IP phone is attached can only be configured as a voice VLAN for
the voice VLAN function to take effect. In this case, 802.1x authentication is
unavailable.
■ The default VLAN of all ports is VLAN 1. You can use the corresponding command to
specify a default VLAN for a port, and allow certain VLANs to pass through the port.
For the related commands, see “1.4 Port-Based VLAN”.
■ Use the display interface command to display the VLANs allowed to pass
through a port and the default VLAN of the port.

Security Mode and Ordinary Mode of Voice VLAN

Voice VLAN works in security mode or ordinary mode according to the packet filtering
rule of the port enabled with the voice VLAN function.
■ In security mode, a port with the voice VLAN function enabled allows only voice
packets whose source MAC address matches a recognizable OUI address. Other packets are
discarded (including some authentication packets, like 802.1x authentication
packets).
■ In ordinary mode, a port with the voice VLAN function enabled allows both voice
packets and other types of packets to pass. Voice packets comply with the filtering
rule of the voice VLAN and other types of packets comply with the filtering rule of the
ordinary VLAN.

You are recommended not to transmit voice data and other service data in a voice VLAN
simultaneously. If you need to do so, make sure you have disabled the security mode of
the voice VLAN.
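
The OUI matching and the two filtering modes described above can be modelled in a few lines. This is an added example, not code from the switch or the guide: the OUI entries are those shown by display voice vlan oui later in this chapter, the observed MAC addresses are constructed, and the function names are this example's own. VLAN tags and ACL priorities are not modelled.

```python
import re

# (OUI address, mask, description) in the xxxx-xxxx-xxxx notation used by the switch.
OUI_TABLE = [
    ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
    ("000f-e200-0000", "ffff-ff00-0000", "3Com Aolynk phone"),
    ("0011-2200-0000", "ffff-ff00-0000", "test"),
    ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3com phone"),
]

# Constructed sample: two phones and a PC attached behind a phone.
OBSERVED = ["0011-2233-4455", "00e0-bb12-3456", "001a-2b3c-4d5e"]


def mac_to_int(mac):
    """Parse a MAC written as xxxx-xxxx-xxxx (or with ':' or '.') into a 48-bit integer."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def match_oui(src_mac, table=OUI_TABLE):
    """Return the description of the first entry whose masked bits equal those of src_mac."""
    mac = mac_to_int(src_mac)
    for oui, mask, description in table:
        m = mac_to_int(mask)
        if (mac & m) == (mac_to_int(oui) & m):
            return description
    return None


def classify(src_mac, security_mode=True, table=OUI_TABLE):
    """Model the filtering rule of a port that has the voice VLAN function enabled."""
    if match_oui(src_mac, table) is not None:
        return "voice-vlan"
    # Security mode discards everything else, 802.1x authentication packets included.
    return "discard" if security_mode else "ordinary-vlan"


def dropped_in_security_mode(observed_macs, table=OUI_TABLE):
    """List the source MACs that a port in security mode would discard."""
    return [m for m in observed_macs if classify(m, True, table) == "discard"]


if __name__ == "__main__":
    for mac in OBSERVED:
        print(mac, match_oui(mac), classify(mac), classify(mac, security_mode=False))
```

Running the list of MAC addresses learned on a port through dropped_in_security_mode before enabling the function shows which attached devices would lose connectivity in security mode.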

Voice VLAN Configuration

Configuration Prerequisites

■ Create the corresponding VLAN before configuring a voice VLAN.
■ VLAN 1 is the default VLAN and does not need to be created. But VLAN 1 does not
support the voice VLAN function.

Configuring a Voice VLAN to Operate in Automatic Mode

Table 85 Configure a voice VLAN to operate in automatic mode

To do…                          Use the command…                  Remarks
Enter system view               system-view                       –
Set the aging time for the      voice vlan aging minutes          Optional
voice VLAN                                                        The default aging time is 1,440 minutes, and only
                                                                  effective for the port in automatic mode.
Enable the voice VLAN security  voice vlan security enable        Optional
mode                                                              By default, the voice VLAN security mode is enabled.
Set an OUI address that can be  voice vlan mac-address oui        Optional
identified by the voice VLAN    mask oui-mask                     A voice VLAN has five default OUI addresses.
                                [ description text ]
Enable the voice VLAN function  voice vlan vlan-id enable         Required
globally
Enter port view                 interface interface-type          –
                                interface-number
Set the voice VLAN operation    voice vlan mode auto              Optional
mode to automatic mode                                            The default voice VLAN operation mode is automatic
                                                                  mode.
Enable the voice VLAN function  voice vlan enable                 Required
for the port

Execute the voice vlan security enable command and the undo voice
vlan security enable command before you enable the voice VLAN function
globally. Otherwise, the two commands will not take effect.

Configuring a Voice VLAN to Operate in Manual Mode

Table 86 Configure a voice VLAN to operate in manual mode

To do…                          Use the command…                  Remarks
Enter system view               system-view                       –
Set aging time for the voice    voice vlan aging minutes          Optional
VLAN                                                              The default aging time is 1,440 minutes, and only
                                                                  effective for the port in automatic mode.
Enable the voice VLAN security  voice vlan security enable        Optional
mode                                                              By default, the voice VLAN security mode is enabled.
Set an OUI address to be one    voice vlan mac-address oui        Optional
that can be identified by the   mask oui-mask                     If you do not set the address, the default OUI
voice VLAN                      [ description text ]              address is used.
Enable the voice VLAN function  voice vlan vlan-id enable         Required
globally
Enter port view                 interface interface-type          –
                                interface-number
Set voice VLAN operation mode   undo voice vlan mode auto         Required
to manual mode                                                    The default voice VLAN operation mode is automatic
                                                                  mode.
Add a manual mode port to a     Refer to Port-Based VLAN          Required
voice VLAN                      Configuration
Specify the voice VLAN as the   Refer to Port-Based VLAN          Required
default VLAN of a port          Configuration
Enable the voice VLAN function  voice vlan enable                 Required
for the port                                                      By default, the voice VLAN function is disabled on a
                                                                  port.

■ You can enable the voice VLAN function for only one VLAN on a switch at a time.
■ You cannot enable the voice VLAN function for a port if it has been enabled with the
link aggregation control protocol (LACP).
■ A dynamic VLAN will be changed to a static VLAN after the VLAN is enabled with the
voice VLAN function.
■ Execute the voice vlan security enable command and the undo voice
vlan security enable command before you enable the voice VLAN function
globally. Otherwise, the two commands will not take effect.

Displaying and Maintaining Voice VLAN

After the above configurations, you can execute the display command in any view to
view the running status and verify the configuration effect.

Table 87 Display and debug a voice VLAN

To do…                          Use the command…                  Remarks
Display the voice VLAN state    display voice vlan state          Available in any view
Display the OUI addresses       display voice vlan oui
currently supported by system

Voice VLAN Configuration Example

Voice VLAN Configuration Example (Automatic Mode)

Network requirements
■ Create VLAN 2 and configure it as a voice VLAN with an aging time of 100 minutes.
■ Configure GigabitEthernet1/0/1 port as a trunk port, with VLAN 6 as the default VLAN.
■ The device allows voice packets from GigabitEthernet 1/0/1 with an OUI address of
0011-2200-0000 and a mask of ffff-ff00-0000 to be forwarded through the voice
VLAN.

Configuration procedure
1 Create VLAN 2, VLAN 6.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] vlan 2
[3Com-vlan2] quit
[3Com] vlan 6
[3Com-vlan6] quit
2 Set aging time for the voice VLAN
[3Com] voice vlan aging 100
3 Set 0011-2200-0000 as an OUI address that can be identified by the voice VLAN
[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
4 Enable the global voice VLAN feature.
[3Com] voice vlan 2 enable
5 Set the voice VLAN operation mode of GigabitEthernet1/0/1 to automatic mode. (It
defaults to automatic mode.)
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] voice vlan mode auto
6 Specify port GigabitEthernet1/0/1 as a Trunk port.
[3Com-GigabitEthernet1/0/1] port link-type trunk
7 Set the default VLAN of the port to VLAN 6, and the port permits VLAN 6 to pass.
[3Com-GigabitEthernet1/0/1] port trunk permit vlan 6
[3Com-GigabitEthernet1/0/1] port trunk pvid vlan 6
8 Enable the voice VLAN function for the port.
[3Com-GigabitEthernet1/0/1] voice vlan enable

Voice VLAN Configuration Example (Manual Mode)

Network requirements
■ Create VLAN 2 and configure it as a voice VLAN.
■ Set aging time for the voice VLAN to 100 minutes.
■ The voice stream transmitted by the IP phone is untagged, and the port which the IP
phone is attached to is a Hybrid port GigabitEthernet1/0/1.
■ GigabitEthernet1/0/1 works in manual mode, and only permits the voice packets with
the following features to pass: OUI address is 0011-2200-0000; network mask is
ffff-ff00-0000 and description string is test.

Network diagram
None

Configuration procedure
1 Set the voice VLAN to work in security mode to permit the legal voice packets to pass
(optional, defaults to security mode).
<3Com> system-view
[3Com] voice vlan security enable
2 Set aging time for the voice VLAN
[3Com] voice vlan aging 100
3 Set 0011-2200-0000 as an OUI address that can be identified by the voice VLAN
[3Com] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
4 Create VLAN 2, and enable the voice VLAN function for it.
[3Com] vlan 2
[3Com-vlan2] quit
[3Com] voice vlan 2 enable
5 Set GigabitEthernet1/0/1 to work in the manual mode.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] undo voice vlan mode auto
6 Configure GigabitEthernet1/0/1 as a Hybrid port.
[3Com-GigabitEthernet1/0/1] port link-type hybrid
7 Configure the voice VLAN as the default VLAN of port GigabitEthernet1/0/1.
[3Com-GigabitEthernet1/0/1] port hybrid pvid vlan 2
8 Manually add Hybrid port GigabitEthernet1/0/1 in the untagged format to the voice
VLAN.
[3Com-GigabitEthernet1/0/1] port hybrid vlan 2 untagged
9 Enable the voice VLAN function for the port GigabitEthernet1/0/1.
[3Com-GigabitEthernet1/0/1] voice vlan enable

Displaying and verification
1 Display the currently supported OUI addresses and the related information.
<3Com> display voice vlan oui
Oui Address Mask Description
0003-6b00-0000 ffff-ff00-0000 Cisco phone
000f-e200-0000 ffff-ff00-0000 3Com Aolynk phone
0011-2200-0000 ffff-ff00-0000 test
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3com phone
2 Display current voice vlan state.
<3Com> display voice vlan state
Voice VLAN status: ENABLE
Voice VLAN ID: 2
Voice VLAN configuration mode: MANUAL
Voice VLAN security mode: Security
Voice VLAN aging time: 100 minutes
Voice VLAN enabled port and its mode:
PORT MODE
--------------------------------
GigabitEthernet1/0/1 MANUAL
14 GVRP CONFIGURATION

Introduction to GARP

The generic attribute registration protocol (GARP) provides a mechanism that allows
participants in a GARP application to distribute, propagate, and register with other
participants in a bridged LAN the attributes specific to the GARP application, such as the
VLAN or multicast address attribute.
■ GARP-compliant application entities are called GARP applications. One example is
GVRP. When a GARP application entity is present on a port on your device, this port is
regarded as a GARP application entity.

GARP messages and timers

1 GARP messages

GARP participants, which can be endstations or bridges, exchange attributes primarily by
sending the following three types of messages:

■ Join to announce the willingness to register attributes with other participants.
■ Leave to announce the willingness to deregister with other participants. Together with
Join messages, Leave messages guarantee attribute reregistration and deregistration.
■ LeaveAll to deregister all attributes. A LeaveAll message is sent upon expiration of a
LeaveAll timer which starts upon the startup of a GARP application entity.

Through message exchange, all attribute information that needs registration propagates
to all GARP participants throughout a bridged LAN.

2 GARP timers

GARP sets the interval for sending GARP messages by using these four timers:

■ Hold timer –– When a GARP application entity receives the first registration request, it
starts a hold timer and collects succeeding requests. When the timer expires, the
entity sends all these requests in one Join message. This can thus help you save
bandwidth.
■ Join timer –– Each GARP application entity sends a Join message twice for
reliability's sake and uses a join timer to set the sending interval.
■ Leave timer –– Starts upon receipt of a Leave message. When this timer expires, the
GARP application entity removes attribute information as requested.
■ Leaveall timer –– Starts when a GARP application entity starts. When this timer
expires, the entity sends a LeaveAll message so that other entities can re-register its
attribute information. Then, a leaveall timer starts again.

■ The settings of GARP timers apply to all GARP applications, such as GVRP, running on
a LAN.
■ Unlike the other three timers, which are set on a port basis, the leaveall timer is set in
system view and takes effect globally.
■ A GARP application entity may send LeaveAll messages at the interval set by its
LeaveAll timer or the leaveall timer of another GARP application entity on the
network, whichever is smaller.

Operating mechanism of GARP

The GARP mechanism allows the configuration of a GARP participant to propagate
throughout a LAN quickly. In GARP, a GARP participant registers or deregisters its
attributes with other participants by making or withdrawing declarations of attributes
and, at the same time, handles the attributes of other participants based on the
declarations or withdrawals it receives.

GARP application entities send protocol data units (PDUs) with a particular multicast MAC
address as destination. Based on this address, a device can identify to which GARP
application, GVRP for example, a GARP PDU should be delivered.

GARP message format


The following figure illustrates the GARP message format.

Figure 46 GARP message format



The following table describes the GARP message fields.

Table 88 Description on the GARP message fields

Field             Description                                       Value
Protocol ID       Protocol identifier for GARP                      1
Message           One or multiple messages, each containing an      –
                  attribute type and an attribute list
Attribute Type    Defined by the concerned GARP application         0x01 for GVRP, indicating the VLAN ID attribute
Attribute List    Consists of one or multiple attributes            –
Attribute         Consists of an Attribute Length, an Attribute     –
                  Event, and an Attribute Value. If the Attribute
                  Event is LeaveAll, Attribute Value is omitted
Attribute Length  Number of octets occupied by an attribute,        2 to 255 in bytes
                  inclusive of the attribute length field
Attribute Event   Event described by the attribute                  0: LeaveAll
                                                                    1: JoinEmpty
                                                                    2: JoinIn
                                                                    3: LeaveEmpty
                                                                    4: LeaveIn
                                                                    5: Empty
Attribute Value   Attribute value                                   VLAN ID for GVRP
End Mark          Indicates the end of PDU                          –
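
The fields of Table 88 can be decoded with a strict parser, shown here as an added example that is not part of the 3Com guide. The octet widths (2-octet Protocol ID, 1-octet Attribute Type, Length and Event, a single 0x00 End Mark closing each attribute list and the PDU) follow the IEEE 802.1D GARP PDU layout and are not given on this page; the sample PDU is constructed and the function names are this example's own.

```python
import struct

EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
GVRP_VLAN_ATTRIBUTE = 0x01
END_MARK = 0x00

# Constructed GVRP PDU: JoinIn VLAN 2, JoinEmpty VLAN 3, LeaveAll, two end marks.
SAMPLE = bytes.fromhex("0001" "01" "04020002" "04010003" "0200" "00" "00")


class GarpParseError(ValueError):
    """Raised when a PDU does not follow the layout of Table 88."""


def parse_attribute(pdu, pos, attr_type):
    """Decode one attribute starting at pos; return ((event, value), next_pos)."""
    length = pdu[pos]
    if length < 2:
        raise GarpParseError(f"attribute length {length} at offset {pos} is below 2")
    if pos + length > len(pdu):
        raise GarpParseError(f"attribute at offset {pos} runs past the end of the PDU")
    event, value = pdu[pos + 1], pdu[pos + 2:pos + length]
    if event not in EVENTS:
        raise GarpParseError(f"unknown attribute event {event} at offset {pos}")
    if event == 0:                        # LeaveAll: Attribute Value is omitted
        if value:
            raise GarpParseError("LeaveAll attribute carries a value")
        return (EVENTS[event], None), pos + length
    if attr_type == GVRP_VLAN_ATTRIBUTE:  # the value is a VLAN ID
        if len(value) != 2:
            raise GarpParseError(f"VLAN attribute value is {len(value)} octets, not 2")
        vlan = struct.unpack("!H", value)[0]
        if not 1 <= vlan <= 4094:
            raise GarpParseError(f"VLAN ID {vlan} is out of range")
        return (EVENTS[event], vlan), pos + length
    return (EVENTS[event], bytes(value)), pos + length


def parse_garp_pdu(pdu):
    """Return [(attribute_type, [(event, value), ...]), ...] or raise GarpParseError."""
    if len(pdu) < 3 or struct.unpack_from("!H", pdu)[0] != 1:
        raise GarpParseError("missing or wrong Protocol ID (expected 1)")
    pos, messages = 2, []
    while True:
        if pos >= len(pdu):
            raise GarpParseError("PDU end mark missing")
        attr_type = pdu[pos]
        pos += 1
        if attr_type == END_MARK:         # end of PDU; bytes after it are frame padding
            return messages
        attributes = []
        while True:
            if pos >= len(pdu):
                raise GarpParseError("attribute list end mark missing")
            if pdu[pos] == END_MARK:
                pos += 1
                break
            attribute, pos = parse_attribute(pdu, pos, attr_type)
            attributes.append(attribute)
        if not attributes:
            raise GarpParseError("message with an empty attribute list")
        messages.append((attr_type, attributes))


def is_well_formed(pdu):
    """True if the PDU parses without error."""
    try:
        parse_garp_pdu(pdu)
        return True
    except GarpParseError:
        return False


if __name__ == "__main__":
    print(parse_garp_pdu(SAMPLE))
```
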

Introduction to GVRP

GVRP enables a device to propagate local VLAN registration information to other
participant devices and dynamically update the VLAN registration information from other
devices to its local database. It thus ensures that all GVRP participants on a bridged LAN
maintain the same VLAN registration information. The VLAN registration information
propagated by GVRP includes both manually configured local static entries and dynamic
entries from other devices.

GVRP provides the following three registration types on a port:

■ Normal –– Enables a port to dynamically register and deregister VLANs, and to
propagate both dynamic and static VLAN information.
■ Fixed –– Prevents the port from dynamically registering/deregistering VLANs or
propagating dynamic VLAN information, but allows the port to propagate static VLAN
information. A trunk port with fixed registration type thus allows only manually
configured VLANs to pass through even though it is configured to carry all VLANs.
■ Forbidden –– Prevents the port from dynamically registering/deregistering VLANs and
from propagating VLAN information except for VLAN 1. A trunk port with forbidden
registration type thus allows only VLAN 1 to pass through even though it is
configured to carry all VLANs.

Protocols and Standards

IEEE 802.1Q specifies GVRP.

Configuring GVRP

When configuring GVRP, you need to configure timers, enable GVRP, and configure
GVRP registration mode.

Configuration Prerequisites

Use the port link-type trunk command to set the link type of the port on which
you want to use GVRP to trunk.

Configuration Procedure

Follow these steps to configure GVRP on a trunk port:

Table 89 Configuration Procedure

To do…                          Use the command…                  Remarks
Enter system view               system-view                       –
Enable GVRP globally            gvrp                              Required
                                                                  Disabled by default
Enter Ethernet interface view   interface interface-type          Perform either of the commands.
                                interface-number                  Depending on the view you accessed, the subsequent
Enter port-group view           port-group { manual               configuration takes effect on a port or all ports
                                port-group-name |                 in a port-group.
                                aggregation agg-id }
Enable GVRP on the port         gvrp                              Required
                                                                  Disabled by default
Configure GVRP registration     gvrp registration { normal |      Optional
mode on the port                fixed | forbidden }               The default is normal

On the port, BPDU TUNNEL is not compatible with GVRP.

Setting GARP Timer


Table 90 Set GARP timer

To do…                          Use the command…                  Remarks
Enter system view               system-view                       –
Set GARP LeaveAll timer         garp timer leaveall timer-value   Optional
                                                                  By default, the LeaveAll timer is set to 1,000
                                                                  centiseconds.
Enter Ethernet interface view   interface interface-type          Perform either of the commands.
                                interface-number                  Depending on the view you accessed, the subsequent
Enter port-group view           port-group { manual               configuration takes effect on a port or all ports
                                port-group-name |                 in a port-group.
                                aggregation agg-id }
Set GARP Hold timer, Join       garp timer { hold | join |        Optional
timer and Leave timer           leave } timer-value               By default, the Hold, Join, and Leave timers are set
                                                                  to 10, 20, and 60 centiseconds respectively.

When configuring GARP timers, note that their values depend on each other and
must be a multiple of five centiseconds. If the value range for a timer is not what you want,
you can change it by tuning the value of another timer, as shown in the following table:

Table 91 Dependencies of GARP timers

Timer     Lower limit                                       Upper limit
Hold      10 centiseconds                                   Not greater than half of the join timer setting
Join      Not less than two times the hold timer setting    Less than half of the leave timer setting
Leave     Greater than two times the join timer setting     Less than the leaveall timer setting
Leaveall  Greater than the leave timer setting              32,765 centiseconds
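
The dependencies in Table 91 also decide the order in which timers can be changed. The following is an added example, not part of the 3Com guide: it checks a timer set against the table, computes the range a single timer may take, and orders the garp timer commands so that every intermediate state stays valid. It assumes the switch rejects a value outside the range implied by the current values of the other timers; the function names are this example's own.

```python
from itertools import permutations

ORDER = ("hold", "join", "leave", "leaveall")
DEFAULTS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}   # centiseconds
STEP, HOLD_MIN, LEAVEALL_MAX = 5, 10, 32765


def timer_problems(t):
    """Return the Table 91 rules that the timer set t (in centiseconds) breaks."""
    problems = [f"{n} is not a multiple of {STEP}" for n in ORDER if t[n] % STEP]
    if t["hold"] < HOLD_MIN:
        problems.append("hold is below 10")
    if 2 * t["hold"] > t["join"]:
        problems.append("hold is greater than half of join")
    if 2 * t["join"] >= t["leave"]:
        problems.append("join is not less than half of leave")
    if t["leave"] >= t["leaveall"]:
        problems.append("leave is not less than leaveall")
    if t["leaveall"] > LEAVEALL_MAX:
        problems.append("leaveall is above 32765")
    return problems


def allowed_range(name, t):
    """Inclusive (low, high) that timer `name` may take while the others keep their values."""
    low, high = {
        "hold": (HOLD_MIN, t["join"] // 2),
        "join": (2 * t["hold"], (t["leave"] - 1) // 2),
        "leave": (2 * t["join"] + 1, t["leaveall"] - 1),
        "leaveall": (t["leave"] + 1, LEAVEALL_MAX),
    }[name]
    # Round inwards to the 5-centisecond grid.
    return -(-low // STEP) * STEP, high // STEP * STEP


def plan_changes(current, target):
    """Order the garp timer commands so that every intermediate state is valid."""
    if timer_problems(target):
        raise ValueError("; ".join(timer_problems(target)))
    changed = [n for n in ORDER if current[n] != target[n]]
    for order in permutations(changed):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if timer_problems(state):
                break
        else:
            # leaveall is entered in system view, the other three in port view.
            return [f"garp timer {n} {target[n]}" for n in order]
    return None


if __name__ == "__main__":
    print(allowed_range("join", DEFAULTS))
    print(plan_changes(DEFAULTS, dict(DEFAULTS, join=100, leave=210)))
```
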

Displaying and Maintaining GVRP

Table 92 Display and Maintain GVRP

To do…                          Use the command…                  Remarks
Display statistics about GARP   display garp statistics           Available in any view
                                [ interface interface-list ]
Display GARP timers for all or  display garp timer
specified ports                 [ interface interface-list ]
Display statistics about GVRP   display gvrp statistics
                                [ interface interface-list ]
Display the global GVRP state   display gvrp status
Clear the GARP statistics       reset garp statistics             Available in user view
                                [ interface interface-list ]

GVRP Configuration Example

Example 1

Network requirements

Configure GVRP for dynamic VLAN information registration and update among devices.

Network diagram

Figure 47 Network diagram for GVRP configuration
[Figure: port GE1/0/1 of Switch A connected to port GE1/0/2 of Switch B]

Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
[3Com] gvrp
b Configure port GigabitEthernet 1/0/1 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on GigabitEthernet 1/0/1.
[3Com-GigabitEthernet1/0/1] gvrp
d Configure static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
[3Com] gvrp
b Configure port GigabitEthernet 1/0/2 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
c Enable GVRP on GigabitEthernet 1/0/2.
[3Com-GigabitEthernet1/0/2] gvrp
d Configure static VLAN3.
[3Com] vlan 3
e Display dynamic VLAN on Switch A.
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
3
f Display dynamic VLAN on Switch B
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
2

Example 2

Network requirements

Enable GVRP on devices and configure the port registration mode as fixed to realize
dynamic registration and update of some VLAN information between devices.

Network diagram

Figure 48 Network diagram for GVRP configuration
[Figure: port GE1/0/1 of Switch A connected to port GE1/0/2 of Switch B]

Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure port GigabitEthernet1/0/1 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on GigabitEthernet1/0/1
[3Com-GigabitEthernet1/0/1] gvrp
d Configure the GVRP registration mode as fixed.
[3Com-GigabitEthernet1/0/1] gvrp registration fixed
e Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure port GigabitEthernet1/0/2 as trunk, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all
c Enable GVRP on GigabitEthernet1/0/2
[3Com-GigabitEthernet1/0/2] gvrp
d Create static VLAN 3.
[3Com] vlan 3
3 Display the configuration
a Display the dynamic VLAN information on Switch A
[3Com] display vlan dynamic
No dynamic vlans exist!

b Display the dynamic VLAN information on Switch B.
[3Com] display vlan dynamic
Now, the following dynamic VLAN exist(s):
2

GVRP Configuration Examples

Network requirements

Enable GVRP on devices and configure the port registration mode as forbidden to forbid
dynamic registration and update of VLAN information between devices.

Network diagram

Figure 49 Network diagram for GVRP configuration
[Figure: port GE1/0/1 of Switch A connected to port GE1/0/2 of Switch B]

Configuration procedure
1 Configure Switch A
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure GigabitEthernet1/0/1 as a trunk port, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] port link-type trunk
[3Com-GigabitEthernet1/0/1] port trunk permit vlan all
c Enable GVRP on the trunk port.
[3Com-GigabitEthernet1/0/1] gvrp
d Configure the GVRP registration mode as forbidden.
[3Com-GigabitEthernet1/0/1] gvrp registration forbidden
e Create static VLAN 2.
[3Com] vlan 2
2 Configure Switch B
a Enable GVRP globally.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] gvrp
b Configure GigabitEthernet1/0/2 as a trunk port, allowing all VLANs to pass.
[3Com] interface GigabitEthernet 1/0/2
[3Com-GigabitEthernet1/0/2] port link-type trunk
[3Com-GigabitEthernet1/0/2] port trunk permit vlan all

c Enable GVRP on the trunk port.
[3Com-GigabitEthernet1/0/2] gvrp
d Create static VLAN 3.
[3Com] vlan 3
3 Display the configuration
a Display dynamic VLAN information on Switch A
[3Com] display vlan dynamic
No dynamic vlans exist!
b Display dynamic VLAN information on Switch B.
[3Com] display vlan dynamic
No dynamic vlans exist!
15 ETHERNET INTERFACE CONFIGURATION

General Ethernet Interface Configuration

Combo Port Configuration

Introduction to Combo port

A Combo port refers to two Ethernet interfaces in a device panel (normally one is an
optical port and the other is an electrical port). Inside the device there is only one
forwarding interface. Combo port and its corresponding electrical port work in a TX/SFP
mode. Users can choose one to use depending on the actual network requirements, but
not two simultaneously. When one port is working, the other is disabled, and vice versa.

A Combo port is a logical port with two physical connections, one is called optical port,
the other electrical port. The Combo port corresponds to a single forwarding port inside
the device. Only one port can be active at a time. When one is active, the other is
automatically deactivated.

For ease of management, a Combo port can be categorized into one of the two
following types:

■ Single Combo port: the two Ethernet interfaces in the device panel correspond to
only one interface view, in which the state of the two interfaces is switched. A
single Combo port can be a Layer 2 Ethernet interface or a Layer 3 Ethernet interface.
■ Double Combo port: the two Ethernet interfaces in the device panel correspond to
two interface views. The state switchover is performed in each interface's own
view. A double Combo port can only be a Layer 2 Ethernet interface.

Currently, the Switch 4500G Family series supports double Combo ports.
Configuring Combo port state

Follow these steps to configure a double Combo port state:

Table 93 Configuring Combo port state

To do...                              Use the command                            Remarks
Enter system view                     system-view                                –
Enter Ethernet interface view         interface interface-type interface-number  –
Enable a specified double Combo port  undo shutdown                              Optional. By default, out of the two ports in a Combo port, the one with a smaller port ID is enabled. The port with the smaller port ID is of electrical type.

Basic Ethernet Interface Configuration

Three types of duplex modes exist for Ethernet interfaces:
■ Full-duplex mode (full): in this mode, the sending and receiving of data packets
happen simultaneously;
■ Half-duplex mode (half): in this mode, at a particular time, either the sending or
receiving of data packets is allowed, but not both;
■ Autonegotiation mode (auto): in this mode, the transmission mode is negotiated
between peer Ethernet interfaces.

If you configure the transmission rate for an Ethernet interface to be auto, then the rate
will be automatically negotiated between peer Ethernet interfaces.

Follow these steps to make basic Ethernet interface configurations:

Table 94 Basic Ethernet Interface Configuration

To do...                                                   Use the command                            Remarks
Enter system view                                          system-view                                –
Enter Ethernet interface view                              interface interface-type interface-number  –
Enable an Ethernet interface                               undo shutdown                              Optional. Enabled by default. Use the shutdown command to disable a port.
Configure the description for an Ethernet interface        description text                           Optional. Default to the current interface name followed by the interface string.
Configure the duplex mode for an Ethernet interface        duplex { auto | full | half }              Optional. Default to auto.
Configure the transmission rate for an Ethernet interface  speed { 10 | 100 | 1000 | auto }           Optional. Default to auto.

■ For the double combo port, the optical port goes up when you use the undo
shutdown command on it, and the paired electrical port goes down, and vice versa.
■ The mdi and virtual-cable-test commands are not available on the optical
combo port.
■ The optical combo port cannot work in half-duplex mode and supports only two speed
options: 1000 Mbps and auto.
■ When the port works at 1000 Mbps, you cannot configure it in half-duplex mode,
and vice versa.

Configuring Flow Control on an Ethernet Interface

When flow control is turned on between peer Ethernet interfaces, if traffic congestion
occurs at the ingress interface, it will send a Pause frame notifying the egress interface to
temporarily suspend the sending of packets. The egress interface is expected to stop
sending any new packets when it receives the Pause frame. In this way, flow control
helps to avoid the dropping of packets. Note that this is possible only after both the
ingress and the egress interfaces have turned on their flow control.

Follow these steps to configure flow control on an Ethernet interface:

Table 95 Configuring Flow Control on an Ethernet Interface

To do...                                       Use the command...                         Remarks
Enter system view                              system-view                                –
Enter Ethernet interface view                  interface interface-type interface-number  –
Turn on flow control on an Ethernet interface  flow-control                               Required. Turned off by default

Currently, the Switch 4500G Family series supports flow control only in the inbound direction.

Configuring Loopback Testing on an Ethernet Interface

You can enable loopback testing to check whether the Ethernet interface is functioning
properly. Note that no data packets can be forwarded during the testing. Loopback
testing falls into the following two categories:
■ Internal loopback testing: the packets from an interface go inside the switch and
then back to the original interface. If the internal loopback test succeeds, the
interface is OK.
■ External loopback testing: a loopback plug needs to be plugged into an Ethernet
interface. If data packets sent from the interface are received by the same interface
through the loopback plug, the external loopback test is successful, indicating that
the interface is functioning properly.
Follow these steps to configure Ethernet interface loopback testing:

Table 96 Configuring Loopback Testing on an Ethernet Interface

To do...                              Use the command...                         Remarks
Enter system view                     system-view                                –
Enter Ethernet interface view         interface interface-type interface-number  –
Configure to enable loopback testing  loopback { external | internal }           Optional. Disabled by default

■ Loopback testing is not applicable when the interface is in a shutdown state;
■ The speed, duplex, mdi, and shutdown commands are not applicable during
loopback testing;
■ Loopback testing is not supported on certain interfaces. Performing loopback
testing on these interfaces triggers a system prompt saying so.

Configuring a Port Group

To make the configuration task easier for users, certain devices allow users to configure
on a single port as well as on multiple ports in a port group. In port group view, the user
only needs to input the configuration command once on one port and that
configuration will apply to all ports in the port group. This effectively reduces redundant
configurations.

A port group belongs to one of the following two categories:

■ Manual port group: manually created by users. Multiple Ethernet interfaces can be
added to the same port group;
■ Dynamic port group: dynamically created by system, currently mainly applied in link
aggregation port groups. A link aggregation port group is automatically created
together with the creation of a link aggregation group and cannot be created by
users through command line input. Adding or deleting of ports in a link aggregation
port group can only be achieved through operations on the link aggregation group.

Follow these steps to enter port group view:

Table 97 Configuring a Port Group

To do...                                                  Use the command...                 Remarks
Enter system view                                         system-view                        –
Enter port group view: enter manual port group view       port-group manual port-group-name  –
Enter port group view: enter aggregation port group view  port-group aggregation agg-id      –
Follow these steps to configure a manual port group:

Table 98 Configure Manual Port Group

To do...                                                                  Use the command...                                        Remarks
Enter system view                                                         system-view                                               –
Create a manual port group, and enter manual port group view              port-group manual port-group-name                         Required
Add an Ethernet interface to a specified manual port group                group-member interface-list                               Required
Display information for a specified port group or all manual port groups  display port-group manual [ all | name port-group-name ]  Available in any view

■ For details on configuring link aggregation port group, refer to Link Aggregation.
■ Manual port groups do not survive a system reboot.

Configuring Storm Suppression Ratio on an Ethernet Interface

You can use the following commands to suppress the broadcast/multicast/unknown
unicast flow.

Traffic that has exceeded the configured threshold will be discarded so that it remains
below the configured threshold. This effectively prevents storms, avoids network
congestion, and ensures that the network functions properly.

Configure storm suppression ratio on an Ethernet interface:

Table 99 Configuring Storm Suppression Ratio on an Ethernet Interface

To do...                                           Use the command...                                          Remarks
Enter system view                                  system-view                                                 –
Enter Ethernet interface view                      interface interface-type interface-number                   At least one required. Configurations made under Ethernet interface view apply to the current port only whereas configurations made under port group view apply to all ports in the group.
Enter port group view                              port-group { manual port-group-name | aggregation agg-id }
Configure broadcast storm suppression ratio        broadcast-suppression { ratio | pps pps }                   Optional. Default to 100%, that is, broadcast traffic is not suppressed by default
Configure multicast storm suppression ratio        multicast-suppression { ratio | pps pps }                   Optional. Default to 100%, that is, multicast traffic is not suppressed by default
Configure unknown unicast storm suppression ratio  unicast-suppression { ratio | pps pps }                     Optional. Default to 100%, that is, unknown unicast traffic is not suppressed by default

Copying Configurations from a Specified Port to Other Ports

Using the copy configuration command you can easily copy configurations from a
specified Ethernet interface to other Ethernet interfaces provided that they all work in
Layer 2 mode.

Configurations that can be copied include VLAN, QoS, STP, and port configurations, as
illustrated below:

■ VLAN configurations: VLANs that are allowed to pass through the port, default VLAN
ID;
■ QoS configurations: rate limiting, port priority, default 802.1p priorities;
■ STP configuration: STP enabled/disabled, link types (point-to-point or not), STP
priority, route cost, rate limit, looping, root protection, edge ports or not.
■ Port configuration: link type, rate, duplex mode.

Follow these steps to copy configurations from a specified port to other ports:

Table 100 Copying Configurations from a Specified Port to Other Ports

To do...                                                                                            Use the command...                                                                     Remarks
Enter system view                                                                                   system-view                                                                            –
Copy configurations on a specified Layer 2 Ethernet interface to other Layer 2 Ethernet interfaces  copy configuration source interface-type interface-number destination interface-list  Required

Enabling the Forwarding of Jumbo Frames

Because of the large amount of traffic carried over Ethernet, some frames are likely to
have a frame size greater than the standard Ethernet frame size. By allowing such
frames (called jumbo frames) to pass through Ethernet interfaces, you can forward
frames with a size greater than the standard Ethernet frame size and yet still within the
specified size range.

Follow these steps to enable the forwarding of jumbo frames:

Table 101 Enabling the Forwarding of Jumbo Frames

To do...                                                   Use the command...                                          Remarks
Enter system view                                          system-view                                                 –
Enable the forwarding of jumbo frames on port group ports  port-group { manual port-group-name | aggregation agg-id }  At least one required
                                                           jumboframe enable
Enable the forwarding of jumbo frames on a specified port  interface interface-type interface-number
                                                           jumboframe enable

Configuring an Ethernet Interface to Perform Loopback Detection

The purpose of loopback detection is to detect loopbacks on an interface.

When loopback detection is enabled on an Ethernet interface, the device will routinely
check whether the ports have any external loopback. If it detects a loopback on a port,
the device will put that port into loopback detection mode.

■ If an Access port has been detected with loopbacks, it will be shut down. A Trap
message will be sent to the terminal and the corresponding MAC address forwarding
entries will be deleted.
■ If a Trunk port or Hybrid port has been detected with loopbacks, a Trap messag
loopback detection control feature is enabled on them. In addition, a Trap message
will be sent to the terminal and the corresponding MAC address forwarding entries
will be deleted.

Follow these steps to configure loopback detection:

Table 102 Configuring an Ethernet Interface to Perform Loopback Detection

To do...                                                                       Use the command...                         Remarks
Enter system view                                                              system-view                                –
Enable global loopback detection                                               loopback-detection enable                  Required. Disabled by default
Configure time interval for external loopback detection                        loopback-detection interval-time time      Optional. Default to 30 seconds
Enter Ethernet interface view                                                  interface interface-type interface-number  –
Enable loopback detection on a specified port                                  loopback-detection enable                  Required. Disabled by default
Enable loopback detection control feature on the current trunk or hybrid port  loopback-detection control enable          Optional. Disabled by default
Enable loopback detection in all VLANs with Trunk ports or Hybrid ports        loopback-detection per-vlan enable         Optional. Enabled only in the default VLAN(s) with Trunk port or Hybrid ports
Display loopback detection information on a port                               display loopback-detection                 Available in any view

CAUTION:
■ Loopback detection on a given port is enabled only after the
loopback-detection enable command has been issued in both system view
and the interface view of the port.
■ Loopback detection on all ports will be disabled after the issuing of the undo
loopback-detection enable command under system view.
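
As an added example (not part of the 3Com guide), the Python sketch below checks a saved configuration for three settings described in this chapter and in the GVRP chapter: GVRP enabled on a port without a restrictive registration mode, loopback detection not enabled in both system view and interface view, and storm suppression left at the 100% default. The "#"-separated configuration layout, the sample text, the finding names and the policy of flagging these settings are assumptions.

```python
import re

# Constructed sample in the layout of a saved configuration (assumption:
# "#"-separated blocks, global commands first, then one block per interface).
SAMPLE_CONFIG = """\
#
 gvrp
 loopback-detection enable
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp
 gvrp registration forbidden
 broadcast-suppression 20
 multicast-suppression 20
 unicast-suppression pps 500
 loopback-detection enable
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
 gvrp
 broadcast-suppression pps 500
 multicast-suppression 100
 unicast-suppression 20
#
"""

SUPPRESSION = ("broadcast-suppression", "multicast-suppression", "unicast-suppression")
# "fixed" is the other gvrp registration mode that refuses dynamic registration.
RESTRICTIVE_GVRP = ("gvrp registration forbidden", "gvrp registration fixed")


def parse(config):
    """Split a configuration into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            current = None          # "#" closes the current block
            continue
        match = re.match(r"interface\s+(.+)$", line)
        if match:
            current = match.group(1).replace(" ", "")
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def unsuppressed(cmds):
    """Storm-suppression commands left at the default of 100% (no suppression)."""
    result = []
    for name in SUPPRESSION:
        args = [c.split()[1:] for c in cmds if c.split()[0] == name]
        if not args or args[-1] == ["100"]:
            result.append(name)
    return result


def audit(config):
    """Return (interface, finding) pairs for the three checks."""
    global_cmds, interfaces = parse(config)
    global_lbd = "loopback-detection enable" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        # GVRP enabled on the port while dynamic registration is still accepted.
        if "gvrp" in cmds and not any(c in RESTRICTIVE_GVRP for c in cmds):
            findings.append((name, "gvrp-dynamic-registration"))
        # Loopback detection works only when enabled in system view AND port view.
        if not (global_lbd and "loopback-detection enable" in cmds):
            findings.append((name, "loopback-detection-inactive"))
        for cmd in unsuppressed(cmds):
            findings.append((name, cmd + "-default"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```
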
Configuring Cable Type on an Ethernet Interface

Ethernet interfaces use two types of cable: cross-over cable and straight-through cable.
The former is normally used in connecting data terminal equipment (DTE) and data
communication equipment (DCE) while the latter connects DTEs only.

Follow these steps to configure cable type on an Ethernet interface:

Table 103 Configuring Cable Type on an Ethernet Interface

To do...                                            Use the command...                         Remarks
Enter system view                                   system-view                                –
Enter Ethernet interface view                       interface interface-type interface-number  –
Configure the cable type for an Ethernet interface  mdi { across | auto | normal }             Optional. Defaults to auto, that is, system automatically detects the type of cable in use.

■ The mdi command is not supported on a Combo optical port.
■ For the mdi command, only auto mode can be successfully implemented on the
Switch 4500G Family series.

Ethernet Interface Cable Testing

Follow these steps to test the current working state of Ethernet interface cables.
The system will return the testing result within five seconds, indicating the receiving direction
(RX), the transmit direction (TX), any short circuit or open circuit, and the length of failed
cables.

Table 104 Ethernet Interface Cable Testing

To do...                                                     Use the command...                         Remarks
Enter system view                                            system-view                                –
Enter Ethernet interface view                                interface interface-type interface-number  –
Test the current working state of Ethernet interface cables  virtual-cable-test                         Required

The virtual-cable-test command is not supported on a Combo optical port.


Maintaining and Displaying an Ethernet Interface

Table 105 Maintaining and Displaying an Ethernet Interface

To do...                                                                    Use the command...                                                                                                      Remarks
Display the current state of a specified interface and related information  display interface [ interface-type [ interface-number ] ]                                                                Available in any view
Display a summary of a specified interface                                  display brief interface [ interface-type [ interface-number ] ] [ | { begin | include | exclude } regular-expression ]  Available in any view
Reset the statistics of a specified interface                               reset counters interface [ interface-type [ interface-number ] ]                                                         Available in user view
Display the current ports of a specified type                               display port { hybrid | trunk | combo }                                                                                 Available in any view
16 LINK AGGREGATION CONFIGURATION

Link aggregation aggregates multiple physical Ethernet ports into one logical link, also
called a logical group, to increase reliability and bandwidth.

When configuring this feature, use the following table to find the information you need:

Table 106 Information

If you need to…                                                  Go to…
Know how link aggregation functions, what protocol is involved,  Link Aggregation Overview
and what approaches are adopted to link aggregation
Configure link aggregation                                       Configuring Link Aggregation
Consult the display and reset commands available for verifying   Displaying and Maintaining Link Aggregation
and maintaining link aggregation configuration
See how to configure link aggregation in typical scenarios       Link Aggregation Configuration Example

Link Aggregation Overview

Link aggregation allows you to increase bandwidth by distributing incoming/outgoing
traffic on the member ports in an aggregation group. In addition, it provides reliable
connectivity because these member ports can dynamically back up each other.

To get more information about link aggregation, go to these topics:

■ Consistency Considerations for Ports in an Aggregation
■ LACP
■ Approaches to Link Aggregation
■ Load Sharing in a Link Aggregation Group
■ Aggregation Port Group

Consistency Considerations for Ports in an Aggregation

To participate in traffic sharing, member ports in an aggregation must use consistent
configurations with respect to STP, QoS, BPDU TUNNEL, GVRP, VLAN, and port attribute,
as shown in the following table.

Table 107 Consistency considerations for ports in an aggregation

Item            Considerations
STP             Enable/disable state of port-level STP
                Attribute of the link (point-to-point or otherwise) connected to the port
                Port route metrics STP port cost
                STP priority port
                Maximum transmission rate
                Enable/disable state of loop protection
                Enable/disable state of root protection
                Whether the port is an edge port
                MSTP BPDU format
                STP no-agreement-check
                STP config-digest-snooping
QoS             Rate limiting
                Priority remark
                Default 802.1p priority
                Bandwidth assurance
                Congestion avoidance
                Traffic redirection
                Traffic accounting
                Traffic policing, SP queueing, WRR queue scheduling, packet priority trust mode
GVRP            GVRP enable/disable state, GVRP registration type, GVRP timer value
BPDU Tunnel     BPDU Tunnel configuration
VLAN            VLANs carried on the port
                Default VLAN ID on the port
                Link type of the port, which can be trunk, hybrid, or access
                Tagged VLAN packet or not
Port attribute  Port rate
                Duplex mode
                Up/down state of the link
                Inside the isolate group or not

LACP

The link aggregation control protocol (LACP), as defined in IEEE 802.3ad, dynamically
aggregates ports and removes aggregations.

LACP interacts with its peer by sending link aggregation control protocol data units
(LACPDUs).

After LACP is enabled on a port, the port sends an LACPDU to notify the remote system
of its system LACP priority, system MAC address, port LACP priority, port number, and
operational key. Upon receipt of an LACPDU, the remote system compares the received
information with the information received on other ports to make an aggregation decision.
This allows the two systems to reach agreement on whether the port could join or leave
a dynamic aggregation group. (Sometimes, local and remote systems are referred to as
actor and partner systems in link aggregation.)

When aggregating ports, link aggregation control automatically assigns each port an
operational key based on its rate, duplex mode, and other basic configurations. In a
dynamic aggregation, all ports share the same operational key; in a manual or static
aggregation, the selected ports share the same operational key.

Approaches to Link Aggregation

When aggregating ports, you may use three approaches: manual link aggregation, static
LACP link aggregation, and dynamic LACP link aggregation.

Manual link aggregation

In the manual aggregation approach, aggregation groups are created administratively
and automatic port adding/removal is not available.

Each aggregation group must contain at least one port. When only one port is
contained, you can remove it only by removing the group.

On the ports in a manual aggregation, LACP is disabled and cannot be administratively
enabled. To ensure consistency, you need to synchronize their basic configurations
manually.

In a manual aggregation group, ports can be selected or unselected, where selected
ports can receive and transmit data frames whereas unselected ones cannot.

The port in the Selected state and with the least port ID is the master port of the
aggregation group, and other ports in the aggregation group are member ports.

When setting the state of the ports in a manual aggregation group, the system performs
the following:

■ When ports in up state are present in the group, select a master port in the order of
full duplex/high speed, full duplex/low speed, half duplex/high speed, and half
duplex/low speed, with the full duplex/high speed being the most preferred. When
two ports with the same duplex mode/speed pair are present, the one with the lower
port number wins out. Then, place those ports with the same speed/duplex pair, link
state and basic configuration in selected state and others in unselected state.
■ When all ports in the group are down, select the port with the lowest port number as
the master port and set all ports (including the master) in unselected state.
■ Place the ports that cannot aggregate with the master in unselected state.

Manual aggregation limits the number of selected ports in an aggregation group. When
the limit is exceeded, the system changes the state of selected ports with greater port
numbers to unselected until the number of selected ports drops under the limit. In
addition, to ensure the ongoing service on current selected ports, a port that joins the
group after the limit is reached will not be placed in selected state as it should be in
normal cases.

When the duplex mode/speed pair of some port in a manual aggregation group
changes, the system does not remove the aggregation; instead, it re-sets the
selected/unselected state of the member ports and re-selects a master port.
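
The selection rules for a manual aggregation group described above, as an added Python example that is not code from the switch software. The Port fields, the sample group and the limit values are assumptions; the guide does not state the limit.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Port:
    number: int            # port number; the lower number wins ties
    up: bool               # link state
    full_duplex: bool
    speed: int             # Mbps
    config: str = "base"   # stands in for the port's other basic configuration


def rank(port):
    """Master preference: full duplex first, then higher speed, then lower number."""
    return (not port.full_duplex, -port.speed, port.number)


def select(ports, limit):
    """Return (master port number, selected port numbers in ascending order)."""
    up_ports = [p for p in ports if p.up]
    if not up_ports:
        # Every port is down: lowest port number is master, nothing is selected.
        return min(p.number for p in ports), []
    master = min(up_ports, key=rank)
    wanted = (master.full_duplex, master.speed, master.config)
    selected = sorted(p.number for p in up_ports
                      if (p.full_duplex, p.speed, p.config) == wanted)
    # Over the limit, the ports with the greater port numbers become unselected.
    return master.number, selected[:limit]


def join(ports, selected, new_port, limit):
    """Add a port; a group already at its limit keeps its current selected ports."""
    ports = ports + [new_port]
    if len(selected) >= limit:
        return ports, selected
    return ports, select(ports, limit)[1]


# Constructed sample group.
GROUP = [
    Port(2, up=True, full_duplex=False, speed=100),
    Port(3, up=True, full_duplex=True, speed=1000),
    Port(4, up=True, full_duplex=True, speed=1000),
    Port(5, up=False, full_duplex=True, speed=1000),
    Port(6, up=True, full_duplex=True, speed=100),
    Port(7, up=True, full_duplex=True, speed=1000, config="other"),
    Port(8, up=True, full_duplex=True, speed=1000),
]

if __name__ == "__main__":
    print(select(GROUP, limit=8))
    print(select(GROUP, limit=2))
    # Port 3 drops to 100 Mbps: the group stays, but master and members change.
    slower = [replace(p, speed=100) if p.number == 3 else p for p in GROUP]
    print(select(slower, limit=8))
    # A port joining a full group is not selected, even with the lowest number.
    print(join(GROUP, [3, 4], Port(1, True, True, 1000), limit=2)[1])
```
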

Static LACP link aggregation


In the static aggregation approach, aggregation groups are created administratively and
the system cannot automatically add or remove ports.

Each aggregation group must contain at least one port. On the ports in the group, LACP
is enabled and cannot be administratively disabled. As in manual aggregation, you need
to synchronize their basic configurations manually to ensure consistency.

When only one port is contained in a static aggregation group, you can remove the port
only by removing the group. After the group is removed, all the ports in up state form
one or multiple dynamic aggregations with LACP enabled.

In a static aggregation group, ports can be selected or unselected, where both can
receive and transmit LACPDUs but only selected ports can receive and transmit data
frames. The selected port with the lowest port number is the master port.

All member ports that cannot aggregate with the master are placed in unselected state.
These ports include those using the basic configurations different from the master port.

Member ports in up state can be selected if they have the same configuration as
the master port. The number of selected ports, however, is limited in a static aggregation
group. When the limit is exceeded, the local and remote systems negotiate the state of
their ports as follows:

1 Compare the actor and partner system IDs, each of which comprises a two-byte system LACP
priority plus a six-byte system MAC address, as follows:
■ First compare the system LACP priorities.
■ If they are the same, compare the MAC addresses. The system with the smaller ID has
higher priority.
2 Compare the port IDs, each of which comprises a two-byte port LACP priority and a two-byte
port number, on the system with higher ID as follows:
■ Compare the port LACP priorities.
■ If two ports with the same port LACP priority are present, compare their port
numbers. The state of the ports with higher IDs then changes to unselected, so does
the state of the corresponding remote ports.
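
The two comparison steps above, as an added Python example that is not code from the switch software. It assumes the port IDs are compared on the system that wins step 1 (the one with the smaller system ID); the sample systems, MAC addresses, links and limit are constructed.

```python
import re


def system_id(priority, mac):
    """Two-byte system LACP priority followed by the six-byte system MAC address."""
    raw = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return priority.to_bytes(2, "big") + raw


def port_id(priority, number):
    """Two-byte port LACP priority followed by the two-byte port number."""
    return priority.to_bytes(2, "big") + number.to_bytes(2, "big")


def deciding_side(actor, partner):
    """Step 1: 0 if the actor has the smaller system ID, else 1 (the partner)."""
    actor_id = system_id(actor["priority"], actor["mac"])
    partner_id = system_id(partner["priority"], partner["mac"])
    return 0 if actor_id < partner_id else 1


def negotiate(actor, partner, links, limit):
    """Step 2: order the links by the deciding system's port IDs and apply the limit.

    links holds (actor port, partner port) pairs. Returns (selected, unselected);
    an unselected link is unselected at both ends.
    """
    side = deciding_side(actor, partner)
    ports = (actor, partner)[side]["ports"]
    ordered = sorted(links, key=lambda link: port_id(ports[link[side]], link[side]))
    return ordered[:limit], ordered[limit:]


# Constructed sample: "ports" maps port number -> port LACP priority.
ACTOR = {"priority": 32768, "mac": "00e0-fc00-0002",
         "ports": {1: 32768, 2: 32768, 3: 32768}}
PARTNER = {"priority": 32768, "mac": "00e0-fc00-0001",
           "ports": {1: 32768, 2: 100, 3: 32768}}
LINKS = [(1, 3), (2, 1), (3, 2)]   # (actor port, partner port)

if __name__ == "__main__":
    # Equal system priorities: the partner's smaller MAC address decides,
    # so the partner's port priorities pick the two selected links.
    print(negotiate(ACTOR, PARTNER, LINKS, limit=2))
    # A smaller system LACP priority on the actor moves the decision to the actor.
    print(negotiate(dict(ACTOR, priority=100), PARTNER, LINKS, limit=2))
```
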

Dynamic LACP link aggregation


In the dynamic aggregation approach, aggregation groups are created and removed
automatically and you cannot add or remove member ports.

The ports in a dynamic aggregation group must terminate at the same device, and have
the same speed/duplex pair and other basic configurations. Disabling LACP on one port
can result in the removal of all ports from the group. It is possible for a single port to
form a dynamic aggregation group. This is called single aggregation.

In a dynamic aggregation group, ports can be selected or unselected, where both can
receive and transmit LACPDUs but only selected ports can receive and transmit data
frames. The selected port with the lowest port number is the master port.

■ Dynamic aggregation limits the number of selected ports in an aggregation group.
Under the limit, all ports in up state can be selected if they have the same
configuration as the master port. When the limit is exceeded, the local and remote
systems negotiate the state of their ports as described in the previous section.

Load Sharing in a Link Aggregation Group

A link aggregation group performs load sharing upon its creation if hardware resources
are available for aggregation. After these resources, 10GE ports for example, are
exhausted, the created aggregation groups perform non-load sharing.

The difference between the groups that perform these two types of load sharing is that a
load sharing aggregation group can contain more than one selected port while a
non-load sharing aggregation group cannot. Note that a load sharing aggregation group
may contain only one port.

When an aggregation group has two or more ports inside, load sharing is implemented
on the aggregation group. When the aggregation resources are used up, the
aggregation groups created later will be non-load sharing.

When an aggregation group has only one port, it is non-load sharing. These ports can
only form single-port aggregation groups: loopback port, half-duplex port, the
LACP-disabled port.

Note that:

When only one single port is left in an aggregation group, the group will become
non-load sharing.

Aggregation Port Group

As mentioned earlier, in a manual or static aggregation group, a port can be selected
only when its configuration is the same as that of the master port in terms of
duplex/speed pair, link state, and other basic configurations. Their configuration
consistency requires administrative maintenance, which is troublesome after you change
some configuration.

To simplify configuration, port-groups are provided allowing you to configure for all ports
in individual groups at one time. One example of port-groups is aggregation port group.

Upon creation or removal of a link aggregation group, an aggregation port-group which
cannot be administratively created or removed is automatically created or removed. In
addition, you can only assign/remove a member port to/from an aggregation port-group
by assigning/removing it from the corresponding link aggregation group.

For more information about port-groups, refer to the “Configuring a Port Group”
section in “Ethernet Interface Configuration” chapter in this manual.

Configuring Link Aggregation

CAUTION:
■ Do not create a manual or static aggregation group without any member port. This
may leave no aggregation group ID available for dynamic groups.
■ When you change the configurations for a member port of an aggregation group in
the port view, the change will not be synchronized to other member ports of the
group; to realize configuration synchronization, you must make configuration in port
group view.
■ Two connected ports must both be in the aggregation group.

This section includes:

■ Configuring a Manual Link Aggregation Group
■ Configuring a Static LACP Link Aggregation Group
■ Configuring a Dynamic LACP Link Aggregation Group
■ Configuring an Aggregation Group Name
■ Entering Aggregation Port Group View

Configuring a Manual Link Aggregation Group

Follow these steps to configure a manual aggregation group:

Table 108 Configuring a Manual Link Aggregation Group

To do…                                             Use the command…                           Remarks
Enter system view                                  system-view                                –
Create a manual aggregation group                  link-aggregation group agg-id mode manual  Required
Enter Ethernet interface view                      interface interface-type interface-number  –
Assign the Ethernet port to the aggregation group  port link-aggregation group agg-id         Required

You may create a manual aggregation group by changing the type of an existing static or
dynamic aggregation group. If the specified group contains ports, its group type
changes to manual with LACP disabled on its member ports; if not, its group type directly
changes to manual.

When you create an aggregation group, consider the following:

• The aggregation group type is changed to the new type you configured if there is no
port in the group.

• If there are ports in the aggregation group, you can only change the dynamic or static
aggregation group to the manual one, or change the dynamic aggregation group to the
static one.

When assigning an Ethernet port to a manual aggregation group, consider the following:

■ An aggregation group cannot include monitor ports in mirroring, ports with static
MAC addresses, or 802.1x-enabled ports.
■ After you assign an LACP-enabled port to a manual aggregation group, its LACP is
disabled.

You can remove all ports in a manual aggregation group by removing the group. If this
group contains only one port, you can remove the port only by removing the group.

Configuring a Static LACP Link Aggregation Group

Follow these steps to configure a static aggregation group:

Table 109 Configuring a Static LACP Link Aggregation Group

To do…                                             Use the command…                            Remarks
Enter system view                                  system-view                                 –
Configure the system LACP priority                 lacp system-priority system-priority-value  Optional. 32768 by default
Create a static LACP aggregation group             link-aggregation group agg-id mode static   Required
Enter Ethernet interface view                      interface interface-type interface-number   –
Configure the port LACP priority                   lacp port-priority port-priority-value      Optional. 32768 by default
Assign the Ethernet port to the aggregation group  port link-aggregation group agg-id          Required

You may create a static aggregation group by changing the type of an existing link
aggregation group. If this group exists with ports, its type can be manual or dynamic
LACP; if not, its type must be dynamic LACP. Creating a static aggregation group from a
dynamic one does not affect the enabling state of LACP on the member ports.

When assigning an Ethernet port to a static aggregation group, consider the following:

■ An aggregation group cannot include ports with static MAC addresses, or
802.1x-enabled ports.
■ After you assign an LACP-disabled port to a static aggregation group, its LACP is
enabled.

After you remove a static LACP aggregation group, all its ports in up state form one or
multiple dynamic LACP aggregations with LACP enabled. If this group contains only one
port, you can remove the port only by removing the group.

Configuring a Dynamic LACP Link Aggregation Group

Follow these steps to configure a dynamic aggregation group:

Table 110 Configuring a Dynamic LACP Link Aggregation Group

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Configure the system LACP priority | lacp system-priority system-priority-value | Optional. 32768 by default |
| Enter Ethernet interface view | interface interface-type interface-number | – |
| Enable LACP on the port | lacp enable | Required. Disabled by default |
| Configure the port LACP priority | lacp port-priority port-priority-value | Optional. 32768 by default |

After you remove a dynamic aggregation group, all its member ports form a new
dynamic aggregation group.

CAUTION:
■ An aggregation group cannot include ports with static MAC addresses or
802.1x-enabled ports.
■ Enabling LACP on a member port in a manual aggregation group will fail.

Configuring an Aggregation Group Name

Follow these steps to configure a name for an aggregation group:

Table 111 Configuring an Aggregation Group Name

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Configure a name for a link aggregation group | link-aggregation group agg-id description agg-name | Required. None is configured by default. |

CAUTION:
■ When configuring a name for a link aggregation group, make sure that the group
already exists. You can check for existing link aggregation groups with the display
link-aggregation summary command or the display
link-aggregation interface command.
■ The configuration of dynamic aggregation groups including their group names
cannot survive a reboot even if you have saved configuration before that.

Entering Aggregation Port Group View

In aggregation port group view, you can configure all the member ports in a link aggregation group at one time.

Follow these steps to enter aggregation port group view:

Table 112 Entering Aggregation Port Group View

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter aggregation port group view | port-group aggregation agg-id | – |

CAUTION: In aggregation port group view, you can configure aggregation related
settings such as STP, VLAN, QoS, GVRP, multicast, but cannot add or remove member
ports.

Displaying and Maintaining Link Aggregation

Table 113 Displaying and Maintaining Link Aggregation

| To do… | Use the command | Remarks |
|---|---|---|
| Display the local system ID | display lacp system-id | Available in any view |
| Display detailed information on link aggregation for the specified port or ports | display link-aggregation interface interface-type interface-number [ to interface-type interface-number ] | |
| Display summaries for all link aggregation groups | display link-aggregation summary | |
| Display detailed information about specified or all link aggregation groups | display link-aggregation verbose [ agg-id ] | |
| Clear the statistics about LACP for specified or all ports | reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ] | Available in user view |

Link Aggregation Configuration Example

Network requirements

Switch A aggregates ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to form
one link connected to Switch B, achieving load sharing among these ports.

Network diagram

Figure 50 Network diagram for link aggregation

[Figure: Switch A and Switch B connected by a link aggregation.]

Configuration procedure

This example describes the configuration on Switch A only. To achieve link aggregation,
do the same on Switch B.
1 In manual aggregation approach
a Create manual aggregation group 1.
<3Com> system-view
[3Com] sysname SwitchA
[SwitchA] link-aggregation group 1 mode manual
b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1
2 In static aggregation approach
a Create static aggregation group 1.
<SwitchA> system-view
[SwitchA] link-aggregation group 1 mode static
b Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-aggregation group 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-aggregation group 1

3 In dynamic aggregation approach


a Enable LACP on ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lacp enable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lacp enable
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] lacp enable

The three ports can form one dynamic aggregation group only when they share the
same basic configuration.
17 PORT ISOLATION CONFIGURATION

Port Isolation Overview

Through the port isolation feature, you can add the ports to be controlled to an
isolation group to isolate the Layer 2 and Layer 3 data between the ports in the isolation
group. This improves network security and allows more flexible networking.

Currently, you can configure only one isolation group on a switch. The number of
Ethernet ports an isolation group can accommodate is not limited.

The port isolation function is independent of VLAN configuration.

Port Isolation Configuration

Table 114 lists the operations to add an Ethernet port to an isolation group.

Table 114 Configure port isolation

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet interface view or port group view: enter Ethernet port view | interface interface-type interface-number | At least one required. Configurations made under Ethernet interface view apply to the current port only, whereas configurations made under port group view apply to all ports in the group. |
| Enter Ethernet interface view or port group view: enter port group view | port-group { manual port-group-name \| aggregation agg-id } | At least one required |
| Add the Ethernet port to the isolation group | port-isolate enable | Required. By default, an isolation group contains no port. |

Displaying Port Isolation Configuration

After the above configuration, you can execute the display command in any view to
display the running state after port isolation configuration. You can verify the
configuration effect by checking the displayed information.

Table 115 Display port isolation configuration

| Operation | Command | Description |
|---|---|---|
| Display the information about the Ethernet ports added to the isolation group | display port-isolate group | You can execute the display command in any view |

Port Isolation Configuration Example

Network requirements

■ PC 2, PC 3 and PC 4 are connected to GigabitEthernet1/0/2, GigabitEthernet1/0/3,
and GigabitEthernet1/0/4 ports.
■ The switch connects to the Internet through GigabitEthernet1/0/1 port.
■ It is desired that PC 2, PC 3 and PC 4 cannot communicate with each other.

Network diagram

Figure 51 Network diagram for port isolation configuration

[Figure: the switch connects to the Internet through GE1/0/1 and to PC2, PC3 and PC4 through GE1/0/2, GE1/0/3 and GE1/0/4.]

Configuration procedure
1 Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the
isolation group.
<3Com> system-view
System View: return to User View with Ctrl+Z.
[3Com] interface GigabitEthernet1/0/2
[3Com-GigabitEthernet1/0/2] port-isolate enable
[3Com-GigabitEthernet1/0/2] quit
[3Com] interface GigabitEthernet1/0/3
[3Com-GigabitEthernet1/0/3] port-isolate enable
[3Com-GigabitEthernet1/0/3] quit
[3Com] interface GigabitEthernet1/0/4
[3Com-GigabitEthernet1/0/4] port-isolate enable
2 Display the information about the ports in the isolation group.
<3Com> display port-isolate group
Port-isolate group information:
Uplink port support: NO
Group ID: 1
GigabitEthernet1/0/2 GigabitEthernet1/0/3 GigabitEthernet1/0/4
18 MAC ADDRESS TABLE MANAGEMENT

Introduction to Managing MAC Address Table

An Ethernet switch needs to maintain a MAC address table to speed up packet
forwarding. A table entry includes the MAC address of a device connected to the
Ethernet switch, and the interface number and VLAN ID of the Ethernet switch interface
connected to the device. A MAC address table includes both static and dynamic address
entries. The static entries are manually configured by users whereas the dynamic entries
can be manually configured by users, or dynamically learned by the Ethernet switch. The
static entries will not be aged whereas the dynamic entries can be aged (if the entry has
its aging time configured as aging, it will be aged; if it is configured as no-aging, it will
not be aged).

An Ethernet switch learns a MAC address in the following way: after receiving a data
frame from a port (assumed as port A), the Ethernet switch analyzes its source MAC
address (assumed as MAC-SOURCE) and considers that the packets destined for
MAC-SOURCE can be forwarded through port A. If the table already contains
MAC-SOURCE, the Ethernet switch updates the corresponding entry; otherwise, it adds
the new MAC address and the related forwarding port as a new entry to the table.

During MAC address learning, static MAC addresses that are manually configured by
users will not be overwritten by dynamic MAC addresses. However, the latter can be
overwritten by the former.

The Ethernet switch forwards packets whose destination MAC addresses can be found in
the MAC address table and broadcasts those whose destination MAC addresses are not
in the table. Upon receipt of the broadcast packet, the destination network device sends
back a response packet that contains the MAC address of the device. The Ethernet
switch learns this new MAC address and adds it to its MAC address table.
Subsequent packets destined for the same MAC address can then be forwarded
directly.

Figure 52 An Ethernet switch forwards packets according to the MAC address table

| MAC Address | Port |
|---|---|
| MACA | 1 |
| MACB | 1 |
| MACC | 2 |
| MACD | 2 |

[Figure: a frame marked "MACD MACA ......" is shown at Port 1 and at Port 2 of the switch.]

The Ethernet switch also provides the function of MAC address aging. If the Ethernet
switch does not receive a packet from a network device within a period of time, it will
delete the corresponding entry from the MAC address table.

You can configure (add or modify) the MAC address entries manually according to the
actual network environment. The entries can be static ones or dynamic ones.

Configuring the MAC Address Table

Configuring MAC Address Table Entries

Administrators can manually add, modify, or delete the entries in a MAC address table
according to actual needs.

Table 116 Configure MAC Address Table Entries

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Add/modify an address entry | mac-address { blackhole \| dynamic \| static } mac-address interface interface-type interface-number vlan vlan-id | Required |
| Enter the interface view of a specified interface | interface interface-type interface-number | – |
| Add/modify address entries under the specified interface view | mac-address { blackhole \| dynamic \| static } mac-address vlan vlan-id | Required |

Configuring MAC Address Aging Time for the System

Setting the aging time too long results in a large number of outdated table entries being
kept in the MAC address table, thereby exhausting the MAC address table resources
and making it impossible for the Ethernet switch to update the MAC address table
according to the network change. On the other hand, if the aging time is set too short,
valid MAC address table entries may be deleted by the Ethernet switch, resulting in
the flooding of a large number of data packets, which degrades the switch performance.
Therefore, it is important that subscribers set an appropriate aging time according to the
actual network environment in order to implement MAC address aging effectively.

Table 117 Configure MAC address aging time for the system

| To do | Use the command | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Configure the dynamic MAC address aging time | mac-address timer { aging seconds \| no-aging } | Optional. 300 seconds by default |

This command takes effect on all ports. However, address aging applies only to
dynamic addresses (entries that were learned, or that the user configured as aging entries).

Configuring the Maximum MAC Addresses that an Ethernet Port or a Port Group Can Learn

Using the following commands, users can set a limit on the number of MAC address table
entries maintained by the Ethernet switch. Setting the number too big may degrade the
forwarding performance. If the maximum number of MAC addresses is set to count, then
after the number of learned MAC addresses has reached count, the interface will no
longer learn any more MAC addresses.

Table 118 Configuring the maximum MAC addresses that an Ethernet port or a port group can learn

| To do | Use the command | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter the interface view of a port or port group view of a port group: enter the interface view of a specified port | interface interface-type interface-number | At least one required. Subsequent configurations apply to the current interface only after entering its interface view; subsequent configurations apply to all ports in a port group after entering the port group view |
| Enter the interface view of a port or port group view of a port group: enter the port group view of a specified port group | port-group { manual port-group-name \| aggregation agg-id } | At least one required |
| Configure the maximum MAC addresses that can be learned by an Ethernet port. Configure whether to forward packets when the number of MAC addresses has reached count. | mac-address max-mac-count count | Required. By default, the Maximum MAC Addresses that an Ethernet Port or a Port Group Can Learn is not configured |
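
The learning, aging and learning-limit behaviour described in this chapter, modelled as an added Python example (not 3Com code). The class and function names and the sample frames are constructed for illustration, and the per-port counter of refused learns is an assumption of this model rather than a switch feature; the 500-second aging time and the static entry 00e0-fc35-dc71 on GigabitEthernet 1/0/7 in VLAN 1 come from this chapter's configuration example.

```python
"""Model of the MAC address table rules in this chapter (added example)."""

STATIC, DYNAMIC = "static", "dynamic"

# Constructed frames: (time in seconds, ingress port, source MAC, destination MAC, VLAN).
FRAMES = [
    (0, "GE1/0/2", "0000-5e00-5301", "00e0-fc35-dc71", 1),
    (1, "GE1/0/3", "00e0-fc35-dc71", "0000-5e00-5301", 1),  # source equals the static entry
    (2, "GE1/0/4", "0000-5e00-5302", "0000-5e00-5301", 1),
    (3, "GE1/0/4", "0000-5e00-5303", "0000-5e00-5301", 1),
    (4, "GE1/0/4", "0000-5e00-5304", "0000-5e00-5301", 1),  # over the port limit
    (5, "GE1/0/4", "0000-5e00-5305", "0000-5e00-5304", 1),  # over the port limit
    (600, "GE1/0/2", "0000-5e00-5301", "0000-5e00-5302", 1),
]


class MacTable:
    def __init__(self, aging=300, max_per_port=None):
        self.aging = aging                # seconds; None models "no-aging"
        self.max_per_port = max_per_port  # None models "limit not configured"
        self.entries = {}                 # (vlan, mac) -> [port, state, last_seen]
        self.refused = {}                 # port -> learns refused at the limit

    def add_static(self, mac, port, vlan):
        # A static entry overwrites any dynamic entry for the same address.
        self.entries[(vlan, mac)] = [port, STATIC, None]

    def _learned_on(self, port):
        return sum(1 for p, state, _ in self.entries.values()
                   if p == port and state == DYNAMIC)

    def learn(self, src, port, vlan, now):
        """Process a frame's source address; return True if it was recorded."""
        entry = self.entries.get((vlan, src))
        if entry and entry[1] == STATIC:
            return False                  # dynamic learning never overwrites static
        if entry and entry[0] == port:
            entry[2] = now                # known address: refresh its aging timer
            return True
        if (self.max_per_port is not None
                and self._learned_on(port) >= self.max_per_port):
            self.refused[port] = self.refused.get(port, 0) + 1
            return False                  # the port has reached its learning limit
        self.entries[(vlan, src)] = [port, DYNAMIC, now]
        return True

    def age_out(self, now):
        """Delete dynamic entries not refreshed within the aging time."""
        if self.aging is None:
            return []
        expired = [key for key, (_, state, seen) in self.entries.items()
                   if state == DYNAMIC and now - seen >= self.aging]
        for key in expired:
            del self.entries[key]
        return expired

    def lookup(self, dst, vlan):
        """Return the egress port, or None when the frame must be broadcast."""
        entry = self.entries.get((vlan, dst))
        return entry[0] if entry else None


def replay(table, frames):
    """Feed frames through the table; return [(destination, egress port or 'flood')]."""
    decisions = []
    for now, port, src, dst, vlan in frames:
        table.age_out(now)
        table.learn(src, port, vlan, now)
        decisions.append((dst, table.lookup(dst, vlan) or "flood"))
    return decisions


if __name__ == "__main__":
    table = MacTable(aging=500, max_per_port=2)
    table.add_static("00e0-fc35-dc71", "GE1/0/7", 1)
    for dst, port in replay(table, FRAMES):
        print(dst, "->", port)
    print("refused learns per port:", table.refused)
```

In the replay, the static entry stays on GigabitEthernet 1/0/7 when the same address appears as a source on another port, and the port limited to two addresses stops learning after the second one.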

Displaying and Maintaining the MAC Address Table

Table 119 Display and maintain the MAC address table

| To do... | Use the command… | Remarks |
|---|---|---|
| Display the information in the address table | display mac-address [ mac-address [ vlan vlan-id ] \| [ blackhole \| dynamic \| static ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ] | Available in any view |
| Display the aging time of dynamic address table entries | display mac-address aging-time | Available in any view |

MAC Address Table Management Configuration Example

Network requirements

The user logs in to the switch through the Console port. Configure the MAC address table
management function. Configure the aging time for dynamic table entries to be 500
seconds. Add a static address table entry “00e0-fc35-dc71” to the interface
GigabitEthernet 1/0/7 in VLAN 1.

Network diagram

Figure 53 Typical configuration of address table management

[Figure: a switch with a network port connected to the Internet and a console port.]

Configuration procedure
1 Enter the system view of the switch.
<3Com> system-view
2 Add a static MAC address (specify the native VLAN, port, and state).
[3Com] mac-address static 00e0-fc35-dc71 interface GigabitEthernet 1/0/7 vlan 1
3 Configure the aging time for dynamic MAC address table entries to be 500 seconds.
[3Com] mac-address timer aging 500
4 Display the MAC address configurations under any view.
[3Com] display mac-address interface gigabitEthernet 1/0/7
MAC ADDR        VLAN ID  STATE          PORT INDEX             AGING TIME(s)
00e0-fc35-dc71  1        Config static  GigabitEthernet 1/0/7  NOAGED

--- 1 mac address(es) found ---


19 MSTP CONFIGURATION

MSTP Overview

Introduction to STP

Functions of STP

The spanning tree protocol (STP) is a protocol used to eliminate loops in a local area
network (LAN). Devices running this protocol detect any loop in the network by
exchanging information with one another and eliminate the loop by blocking
certain ports until the looped network is pruned into a loop-free tree, thereby avoiding
the proliferation and endless cycling of packets in a looped network.

Basic concepts in STP


1 Root bridge

A tree network must have a root; hence the concept of “root bridge” has been
introduced in STP.

There is one and only one root bridge in the entire network, and the root bridge can
change along with changes of the network topology. Therefore, the root bridge is not
fixed.

Upon network convergence, the root bridge generates and sends out a BPDU at a certain
interval, and other devices just forward this BPDU. This mechanism ensures
topological stability.

2 Root port

On a non-root bridge device, the root port is the port with the lowest path cost to the
root bridge. The root port is responsible for forwarding data to the root bridge. A
non-root-bridge device has one and only one root port. The root bridge has no root port.

3 Designated bridge and designated port

Refer to the following table for the description of designated bridge and designated
port.

Table 120 Description of designated bridge and designated port

| Classification | Designated bridge | Designated port |
|---|---|---|
| For a device | The device directly connected with this device and responsible for forwarding BPDUs | The port through which the designated bridge forwards BPDUs to this device |
| For a LAN | The device responsible for forwarding BPDUs to this LAN segment | The port through which the designated bridge forwards BPDUs to this LAN segment |

Figure 54 shows designated bridges and designated ports. In the figure, AP1 and AP2,
BP1 and BP2, and CP1 and CP2 are ports on Switch A, Switch B, and Switch C
respectively.

■ If Switch A forwards BPDUs to Switch B through AP1, the designated bridge for
Switch B is Switch A, and the designated port is the port AP1 on Switch A.
■ Two devices are connected to the LAN: Switch B and Switch C. If Switch B forwards
BPDUs to the LAN, the designated bridge for the LAN is Switch B, and the designated
port is the port BP2 on Switch B.

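Figure 54 A schematic diagram of designated bridges and designated ports

[Figure: Switch A with ports AP1 and AP2; AP1 connects to BP1 on Switch B and AP2 connects to CP1 on Switch C; BP2 on Switch B and CP2 on Switch C connect to the LAN.]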

All the ports on the root bridge are designated ports.

How STP works


STP identifies the network topology by transmitting configuration BPDUs between
network devices. Configuration BPDUs contain sufficient information for network
devices to complete the spanning tree computing. Important fields in a configuration
BPDU include:
■ Root bridge ID: consisting of root bridge priority and MAC address.
■ Root path cost: the cost of the shortest path to the root bridge.
■ Designated bridge ID: designated bridge priority plus MAC address.
■ Designated port ID: designated port priority plus port name.
■ Message age: age of the configuration BPDU.
■ Max age: maximum age of the configuration BPDU.
■ Hello time: configuration BPDU interval.
■ Forward delay: forward delay of the port.

For the convenience of description, the description and examples below involve only four
parts of a configuration BPDU:
■ Root bridge ID (in the form of device priority)
■ Root path cost
■ Designated bridge ID (in the form of device priority)
■ Designated port ID (in the form of port name)
1 Specific computing process of the STP algorithm
■ Initial state

Upon initialization of a device, each port generates a BPDU with itself as the root, in
which the root path cost is 0, designated bridge ID is the device ID, and the designated
port is the local port.

■ Selection of the optimum configuration BPDU

Each device sends out its configuration BPDU and receives configuration BPDUs from
other devices.

The process of selecting the optimum configuration BPDU is as follows:

Table 121 Selection of the optimum configuration BPDU


Step Description
1 Upon receiving a configuration BPDU on a port, the device performs the following
processing:
■ If the received configuration BPDU has a lower priority than that of the configuration
BPDU generated by the port, the device will discard the received configuration BPDU
without doing any processing on the configuration BPDU of this port.
■ If the received configuration BPDU has a higher priority than that of the configuration
BPDU generated by the port, the device will replace the content of the configuration
BPDU generated by the port with the content of the received configuration BPDU.
2 The device compares the configuration BPDUs of all the ports and chooses the optimum
configuration BPDU.

Principle for configuration BPDU comparison:


■ The configuration BPDU that has the lowest root bridge ID has the highest priority.
■ If all the configuration BPDUs have the same root bridge ID, they will be compared for
their root path costs. If the root path cost in a configuration BPDU plus the path cost
corresponding to this port is S, the configuration BPDU with the smallest S value has
the highest priority.
■ If all configuration BPDUs have the same root path cost, they will be compared for
their designated bridge IDs, then their designated port IDs, and then the IDs of the
ports on which they are received. The smaller the ID, the higher the message priority.
■ Selection of the root bridge

At network initialization, each STP-compliant device on the network assumes itself to be
the root bridge, with the root bridge ID being its own device ID. By exchanging
configuration BPDUs, the devices compare one another’s root bridge ID. The device with
the smallest root bridge ID is elected as the root bridge.

■ Selection of the root port and designated ports

The process of selecting the root port and designated ports is as follows:

Table 122 Selection of the root port and designated ports


Step Description
1 The root port is the port on which the optimum configuration BPDU was received.
2 Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of the other ports.
■ The root bridge ID is replaced with that of the configuration BPDU of the root port.
■ The root path cost is replaced with that of the configuration BPDU of the root port plus
the path cost corresponding to the root port.
■ The designated bridge ID is replaced with the ID of this device.
■ The designated port ID is replaced with the ID of this port.
3 The device compares the computed configuration BPDU with the configuration BPDU on
the corresponding port, and performs processing accordingly based on the comparison
result:
■ If the configuration BPDU of the port is superior, the device will block this port without
changing its configuration BPDU, so that the port will only receive BPDUs, but not send any,
and will not forward data.
■ If the computed configuration BPDU is superior, this port will serve as the designated
port, and the configuration BPDU on the port will be replaced with the computed
configuration BPDU, which will be sent out periodically.

When the network topology is stable, only the root port and designated ports forward
traffic, while other ports are all in the blocked state – they only receive STP packets but
do not forward user traffic.

Once the root bridge, the root port on each non-root bridge and designated ports have
been successfully elected, the entire tree-shaped topology has been constructed.

The following is an example of how the STP algorithm works. The specific network
diagram is shown in Figure 55. In the figure, the priority of Switch A is 0, the priority of
Switch B is 1, the priority of Switch C is 2, and the path costs of these links are 5, 10 and
4 respectively.

Figure 55 Network diagram for STP algorithm

[Figure: Switch A (priority 0), Switch B (priority 1) and Switch C (priority 2) connected in a triangle: AP1 to BP1 with path cost 5, AP2 to CP1 with path cost 10, and BP2 to CP2 with path cost 4.]

■ Initial state of each device

The following table shows the initial state of each device.

Table 123 Initial state of each device

| Device | Port name | BPDU of port |
|---|---|---|
| Switch A | AP1 | {0, 0, 0, AP1} |
| Switch A | AP2 | {0, 0, 0, AP2} |
| Switch B | BP1 | {1, 0, 1, BP1} |
| Switch B | BP2 | {1, 0, 1, BP2} |
| Switch C | CP1 | {2, 0, 2, CP1} |
| Switch C | CP2 | {2, 0, 2, CP2} |

■ Comparison process and result on each device



The following table shows the comparison process and result on each device.

Table 124 Comparison process and result on each device

Switch A

Comparison process:
■ Port AP1 receives the configuration BPDU of Switch B {1, 0, 1, BP1}. Switch A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the received configuration BPDU.
■ Port AP2 receives the configuration BPDU of Switch C {2, 0, 2, CP1}. Switch A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
■ Switch A finds that both the root bridge and designated bridge in the configuration BPDUs of all its ports are Switch A itself, so it assumes itself to be the root bridge. In this case, it does not make any change to the configuration BPDU of each port, and starts sending out configuration BPDUs periodically.

BPDU of port after comparison: AP1: {0, 0, 0, AP1}; AP2: {0, 0, 0, AP2}

Switch B

Comparison process:
■ Port BP1 receives the configuration BPDU of Switch A {0, 0, 0, AP1}. Switch B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
■ Port BP2 receives the configuration BPDU of Switch C {2, 0, 2, CP2}. Switch B finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.

BPDU of port after comparison: BP1: {0, 0, 0, AP1}; BP2: {1, 0, 1, BP2}

Comparison process:
■ Switch B compares the configuration BPDUs of all its ports, and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the configuration BPDUs of which will not be changed.
■ Based on the configuration BPDU of BP1 and the path cost of the root port (5), Switch B calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.
■ Switch B compares the computed configuration BPDU {0, 5, 1, BP2} with the configuration BPDU of BP2. If the computed BPDU is superior, BP2 will act as the designated port, and the configuration BPDU on this port will be replaced with the computed configuration BPDU, which will be sent out periodically.

BPDU of port after comparison: Root port BP1: {0, 0, 0, AP1}; Designated port BP2: {0, 5, 1, BP2}
Switch C

Comparison process:
■ Port CP1 receives the configuration BPDU of Switch A {0, 0, 0, AP2}. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
■ Port CP2 receives the configuration BPDU of port BP2 of Switch B {1, 0, 1, BP2} before the message was updated. Switch C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2}, and updates the configuration BPDU of CP2.

BPDU of port after comparison: CP1: {0, 0, 0, AP2}; CP2: {1, 0, 1, BP2}

By comparison:
■ The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDUs of which will not be changed.
■ Switch C compares the computed designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2 becomes the designated port, and the configuration BPDU of this port will be replaced with the computed configuration BPDU.

BPDU of port after comparison: Root port CP1: {0, 0, 0, AP2}; Designated port CP2: {0, 10, 2, CP2}

Comparison process:
■ Next, port CP2 receives the updated configuration BPDU of Switch B {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its old one, Switch C launches a BPDU update process.
■ At the same time, port CP1 receives configuration BPDUs periodically from Switch A. Switch C does not launch an update process after comparison.

BPDU of port after comparison: CP1: {0, 0, 0, AP2}; CP2: {0, 5, 1, BP2}

By comparison:
■ Because the root path cost of CP2 (9) (root path cost of the BPDU (5) + path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which will not be changed.
■ After comparison between the configuration BPDU of CP1 and the computed designated port configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port remaining unchanged, and the port will not receive data from Switch A until a spanning tree computing process is triggered by a new condition, for example, the link from Switch B to Switch C becomes down.

BPDU of port after comparison: Blocked port CP1: {0, 0, 0, AP2}; Root port CP2: {0, 5, 1, BP2}

After the comparison processes described in the table above, a spanning tree with
Switch A as the root bridge is stabilized, as shown in Figure 56.

Figure 56 The final computed spanning tree

[Figure: Switch A (priority 0) at the root; AP1 connects to BP1 on Switch B (priority 1) with path cost 5, and BP2 connects to CP2 on Switch C (priority 2) with path cost 4.]

To facilitate description, the spanning tree computing process in this example is
simplified, while the actual process is more complicated.
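
The election walked through in Tables 121 to 124, as an added Python example (not 3Com code) that replays the triangle of Figure 55 until no port BPDU changes. As in the text, a BPDU is reduced to {root bridge ID, root path cost, designated bridge ID, designated port ID} and the priority stands in for the bridge ID; the class and function names are constructed, timers and link failures are not modelled, and the first letter of a port name is assumed to name its switch.

```python
"""STP election on the three-switch triangle of Figure 55 (added example)."""
from dataclasses import dataclass, field

# Constructed from the chapter's example: the priority stands in for the
# bridge ID, and each link is (port, port, path cost).
BRIDGES = {"A": 0, "B": 1, "C": 2}
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]


def owner(port):
    """Constructed naming rule: port 'BP2' belongs to switch 'B'."""
    return port[0]


@dataclass
class Bridge:
    bridge_id: int
    cost: dict = field(default_factory=dict)   # port -> path cost
    bpdu: dict = field(default_factory=dict)   # port -> (root, cost, bridge, port)
    root_port: str = None

    def add_port(self, port, path_cost):
        self.cost[port] = path_cost
        # Initial state: each port advertises this bridge as the root.
        self.bpdu[port] = (self.bridge_id, 0, self.bridge_id, port)

    def receive(self, port, received):
        # Table 121, step 1: keep a received BPDU only if it is superior.
        # Tuple order gives root ID, root path cost, bridge ID, port ID.
        if received < self.bpdu[port]:
            self.bpdu[port] = received

    def recompute(self):
        # Root port candidates: ports holding another bridge's BPDU that
        # names a better root than this bridge.
        heard = [p for p, b in self.bpdu.items()
                 if b[2] != self.bridge_id and b[0] < self.bridge_id]
        if not heard:
            self.root_port = None              # this bridge is the root
            return

        def rank(p):
            # Table 121, step 2: root ID, then S = advertised cost + cost of
            # the receiving port, then bridge ID, port ID, receiving port.
            root, cost, bridge, dport = self.bpdu[p]
            return (root, cost + self.cost[p], bridge, dport, p)

        self.root_port = min(heard, key=rank)
        root, cost, _, _ = self.bpdu[self.root_port]
        root_cost = cost + self.cost[self.root_port]
        # Table 122: compute a designated-port BPDU for every other port.
        for p in self.bpdu:
            if p == self.root_port:
                continue
            computed = (root, root_cost, self.bridge_id, p)
            if computed < self.bpdu[p] or self.bpdu[p][2] == self.bridge_id:
                self.bpdu[p] = computed        # the port is designated

    def role(self, port):
        if port == self.root_port:
            return "root"
        if self.bpdu[port][2] == self.bridge_id:
            return "designated"
        return "blocked"                       # holds a neighbour's better BPDU


def converge(bridges=BRIDGES, links=LINKS):
    """Exchange BPDUs in rounds until no port BPDU changes."""
    sw = {name: Bridge(bid) for name, bid in bridges.items()}
    peer = {}
    for a, b, path_cost in links:
        sw[owner(a)].add_port(a, path_cost)
        sw[owner(b)].add_port(b, path_cost)
        peer[a], peer[b] = b, a
    while True:
        before = {n: dict(s.bpdu) for n, s in sw.items()}
        # Only ports that hold their own bridge's BPDU send it to the peer.
        sent = [(peer[p], b) for s in sw.values()
                for p, b in s.bpdu.items() if b[2] == s.bridge_id]
        for dst, b in sent:
            sw[owner(dst)].receive(dst, b)
        for s in sw.values():
            s.recompute()
        if before == {n: dict(s.bpdu) for n, s in sw.items()}:
            return sw


def roles(sw):
    """Return {port: role} for every port of every bridge."""
    return {p: s.role(p) for s in sw.values() for p in s.bpdu}


if __name__ == "__main__":
    for port, role in sorted(roles(converge()).items()):
        print(port, role)
```

The intermediate state after the first round matches the table as well: Switch C first takes CP1 as its root port and advertises {0, 10, 2, CP2}, then moves its root port to CP2 once the updated BPDU from BP2 arrives.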
2 The BPDU forwarding mechanism in STP
■ Upon network initiation, every switch regards itself as the root bridge, generates
configuration BPDUs with itself as the root, and sends the configuration BPDUs at a
regular interval of hello time.
■ If it is the root port that received the configuration BPDU and the received
configuration BPDU is superior to the configuration BPDU of the port, the device will
increase the message age carried in the configuration BPDU by a certain rule and start a
timer to time the configuration BPDU while it sends out this configuration BPDU
through the designated port.
■ If the configuration BPDU received on the designated port has a lower priority than
the configuration BPDU of the local port, the port will immediately send out its
better configuration BPDU in response.
■ If a path becomes faulty, the root port on this path will no longer receive new
configuration BPDUs and the old configuration BPDUs will be discarded due to
timeout. In this case, the device will generate a configuration BPDU with itself as the
root and send out the BPDU. This triggers a new spanning tree computing process so
that a new path is established to restore the network connectivity.

However, the newly computed configuration BPDU will not be propagated throughout
the network immediately, so the old root ports and designated ports that have not
detected the topology change continue forwarding data through the old path. If the
new root port and designated port begin to forward data as soon as they are elected, a
temporary loop may occur. For this reason, STP uses a state transition mechanism.
Namely, a newly elected root port or designated port requires twice the forward delay
time before transitioning to the forwarding state, by which time the new configuration
BPDU has been propagated throughout the network.
MSTP Overview 187

Introduction to MSTP

Why MSTP

1 Disadvantages of STP and RSTP

STP does not support rapid state transition of ports. A newly elected root port or
designated port must wait twice the forward delay time before transitioning to the
forwarding state, even if it is a port on a point-to-point link or it is an edge port, which
directly connects to a user terminal rather than to another device or a shared LAN
segment.

The rapid spanning tree protocol (RSTP) is an optimized version of STP. RSTP allows a
newly elected root port or designated port to enter the forwarding state much quicker
under certain conditions than in STP. As a result, it takes a shorter time for the network
to reach the final topology stability.

■ In RSTP, a newly elected root port can enter the forwarding state rapidly if this
condition is met: The old root port on the device has stopped forwarding data and
the upstream designated port has started forwarding data.
■ In RSTP, a newly elected designated port can enter the forwarding state rapidly if this
condition is met: The designated port is an edge port or a port connected with a
point-to-point link. If the designated port is an edge port, it can enter the forwarding
state directly; if the designated port is connected with a point-to-point link, it can
enter the forwarding state immediately after the device undergoes handshake with
the downstream device and gets a response.

Although RSTP supports rapid network convergence, it has the same drawback as STP
does: All bridges within a LAN share the same spanning tree, so redundant links cannot
be blocked based on VLANs, and the packets of all VLANs are forwarded along the same
spanning tree.

2 Features of MSTP

The multiple spanning tree protocol (MSTP) overcomes the shortcomings of STP and
RSTP. In addition to support for rapid network convergence, it also allows data flows of
different VLANs to be forwarded along their own paths, thus providing a better load
sharing mechanism for redundant links.

MSTP features the following:

■ MSTP supports mapping VLANs to MST instances by means of a VLAN-to-instance
mapping table.
■ MSTP divides a switched network into multiple regions, each containing multiple
spanning trees that are independent of one another.
■ MSTP prunes loop networks into a loop-free tree, thus avoiding proliferation and
endless recycling of packets in a loop network. In addition, it provides multiple
redundant paths for data forwarding, thus supporting load balancing of VLAN data in
the data forwarding process.
■ MSTP is compatible with STP and RSTP.
188 CHAPTER 19: MSTP CONFIGURATION

Some concepts in MSTP


As shown in Figure 57, there are four multiple spanning tree (MST) regions, each made
up of four switches running MSTP. With reference to the diagram, the following paragraphs
present some concepts of MSTP.

Figure 57 Basic concepts in MSTP
[Figure labels: BPDU, CST, devices B, C and D, and four regions:
■ Region A0: VLAN 1 mapped to instance 1; VLAN 2 mapped to instance 2; other VLANs mapped to the CIST.
■ Region B0: VLAN 1 mapped to instance 1; VLAN 2 mapped to instance 2; other VLANs mapped to the CIST.
■ Region C0: VLAN 1 mapped to instance 1; VLANs 2 and 3 mapped to instance 2; other VLANs mapped to the CIST.
■ Region D0: VLAN 1 mapped to instance 1, with B as regional root bridge; VLAN 2 mapped to instance 2, with C as regional root bridge; other VLANs mapped to the CIST.]

1 MST region

An MST region is composed of multiple devices in a switched network and the network
segments among them. These devices have the following characteristics:

■ All are MSTP-enabled,
■ They have the same region name,
■ They have the same VLAN-to-instance mapping configuration,
■ They have the same MSTP revision level configuration, and
■ They are physically linked with one another.

In region A0 in Figure 57, for example, all the devices have the same MST region
configuration: the same region name, the same VLAN-to-instance mapping (VLAN 1 is
mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the common and
internal spanning tree (CIST), which is MST instance 0), and the same MSTP revision
level (not shown in the figure).

Multiple MST regions can exist in a switched network. You can use an MSTP command to
group multiple devices into the same MST region.

2 VLAN-to-instance mapping table

As an attribute of an MST region, the VLAN-to-instance mapping table describes the
mapping relationships between VLANs and MST instances. In Figure 57, for example, the
VLAN-to-instance mapping table of region A0 describes that VLAN 1 is mapped to MST
instance 1, VLAN 2 to MST instance 2, and the rest to the CIST.

3 IST

Internal spanning tree (IST) is a spanning tree that runs in an MST region, with the
instance number of 0. The ISTs in all MST regions and the common spanning tree (CST) jointly
constitute the common and internal spanning tree (CIST) of the entire network. An IST is
a section of the CIST in an MST region. In Figure 57, for example, the CIST has a section
in each MST region, and this section is the IST in each MST region.

4 CST

The CST is a single spanning tree that connects all MST regions in a switched network. If
you regard each MST region as a “device”, the CST is a spanning tree computed by these
devices through MSTP. For example, the red lines in Figure 57 describe the CST.

5 CIST

Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all
devices in a switched network. In Figure 57, for example, the ISTs in all MST regions plus
the inter-region CST constitute the CIST of the entire network.

6 MSTI

Multiple spanning trees can be generated in an MST region through MSTP, one spanning
tree being independent of another. Each spanning tree is referred to as a multiple
spanning tree instance (MSTI). In Figure 57, for example, multiple spanning trees can exist
in each MST region, each spanning tree corresponding to a VLAN. These spanning trees
are called MSTIs.

7 Regional root bridge

The root bridge of the IST or an MSTI within an MST region is the regional root bridge of
the MST or that MSTI. Based on the topology, different spanning trees in an MST region
may have different regional roots. For example, in region D0 in Figure 57, the regional
root of instance 1 is device B, while that of instance 2 is device C.

8 Common root bridge

The root bridge of the CIST is the common root bridge. In Figure 57, for example, the
common root bridge is a device in region A0.

9 Boundary port

A boundary port is a port that connects an MST region to another MST configuration, or
to a single spanning-tree region running STP, or to a single spanning-tree region running
RSTP.

During MSTP computing, a boundary port assumes the same role on the CIST and on
MST instances. Namely, if a boundary port is a master port on the CIST, it is also the master
port on all MST instances within this region. In Figure 57, for example, if a device in
region A0 is interconnected with the first port of a device in region D0 and the common
root bridge of the entire switched network is located in region A0, the first port of that
device in region D0 is the boundary port of region D0.

10 Roles of ports

In the MSTP computing process, port roles include designated port, root port, master
port, alternate port, backup port, and so on.

■ Root port: a port responsible for forwarding data to the root bridge.
■ Designated port: a port responsible for forwarding data to the downstream network
segment or device.
■ Master port: A port on the shortest path from the entire region to the common root
bridge, connecting the MST region to the common root bridge.
■ Alternate port: The standby port for a root port or master port. If a root port or
master port is blocked, the alternate port becomes the new root port or master port.
■ Backup port: If a loop occurs when two ports of the same device are interconnected,
the device will block either of the two ports, and the backup port is the port that is
blocked.

A port can assume different roles in different MST instances.

Figure 58 Port roles

Figure 58 helps you understand these concepts. In the figure:

■ Devices A, B, C, and D constitute an MST region.
■ Port 1 and port 2 of device A connect to the common root bridge.
■ Port 5 and port 6 of device C form a loop.
■ Port 3 and port 4 of device D connect downstream to other MST regions.

How MSTP works


MSTP divides an entire Layer 2 network into multiple MST regions, which are
interconnected by a computed CST. Inside an MST region, multiple spanning trees are
generated through computing, each spanning tree called an MST instance. Among these
MST instances, instance 0 is the IST, while all the others are MSTIs. Similar to RSTP, MSTP
uses configuration BPDUs to compute spanning trees. The only difference between the
two protocols is that an MSTP BPDU carries the MSTP configuration of the device from
which the BPDU is sent.
1 CIST computing

By comparison of “configuration BPDUs”, one device with the highest priority is elected
as the root bridge of the CIST. MSTP generates an IST within each MST region through
computing, and, at the same time, MSTP regards each MST region as a single device and
generates a CST among these MST regions through computing. The CST and ISTs
constitute the CIST of the entire network.

2 MSTI computing

Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings.

MSTP performs a separate computing process, which is similar to spanning tree
computing in STP, for each spanning tree. For details, refer to “How STP works”.

In MSTP, a VLAN packet is forwarded along the following paths:

■ Within an MST region, the packet is forwarded along the corresponding MSTI.
■ Between two MST regions, the packet is forwarded along the CST.

Implementation of MSTP on devices


MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized
by devices running MSTP and used for spanning tree computing.

In addition to basic MSTP functions, many management-facilitating special functions
are provided, as follows:

■ Root bridge hold
■ Root bridge backup
■ Root guard
■ BPDU guard
■ Loop guard
■ Support for hot swapping of interface cards and active/standby changeover.

Configuring the Root Bridge

Configuration Tasks

Before configuring the root bridge, you need to know the position of each device in each
MST instance: root bridge or leaf node. In each instance, one, and only one, device acts
as the root bridge, while all others act as leaf nodes. Complete these tasks to configure a
device that acts as the root bridge:

Table 125 Configuration Tasks

Task | Remarks
Configuring an MST Region | Required
Specifying the Root Bridge or a Secondary Root Bridge | Optional
Configuring the Work Mode of MSTP | Optional
Configuring the Priority of the Current Device | Optional
Configuring the Maximum Hops of an MST Region | Optional
Configuring the Network Diameter of a Switched Network | Optional
Configuring Timers of MSTP | Optional
Configuring the Timeout Factor | Optional
Configuring the Maximum Transmission Rate of Ports | Optional
Configuring Ports as Edge Ports | Optional
Configuring Whether Ports Connect to Point-to-Point Links | Optional
Configuring the MSTP Packet Format for Ports | Optional
Enabling the MSTP Feature | Required

If both GVRP and MSTP are enabled on a device at the same time, GVRP packets will be
forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same
device and you wish to advertise a certain VLAN within the network through GVRP,
make sure that this VLAN is mapped to the CIST (instance 0) when configuring the
VLAN-to-instance mapping table.

Configuring an MST Region

Configuration procedure
Follow these steps to configure an MST region:

Table 126 Configuring an MST Region

To do... | Use the command... | Remarks
Enter system view | system-view | –
Enter MST region view | stp region-configuration | –
Configure the MST region name | region-name name | Required. The MST region name is the MAC address by default
Configure the VLAN-to-instance mapping table | instance instance-id vlan vlan-list, or vlan-mapping modulo modulo | Use either command. All VLANs in an MST region are mapped to MST instance 0
Configure the MSTP revision level of the MST region | revision-level level | Optional. 0 by default
Activate MST region configuration manually | active region-configuration | Required
Display all the configuration information of the MST region | check region-configuration | Optional
Display the currently effective MST region configuration information | display stp region-configuration | The display command can be executed in any view

CAUTION: Two devices belong to the same MST region only if they are configured to have
the same MST region name, the same VLAN-to-instance mapping entries in the MST
region and the same MST region revision level, and they are interconnected via a physical
link.

Your configuration of MST region–related parameters, especially the VLAN-to-instance
mapping table, will cause MSTP to launch a new spanning tree computing process,
which may result in network topology instability. To reduce the possibility of topology
instability caused by configuration, MSTP will not immediately launch a new spanning
tree computing process when processing MST region–related configurations; instead,
such configurations will take effect only if you:

■ activate the MST region–related parameters using the active
region-configuration command, or
■ enable MSTP using the stp enable command.

Configuration example
1 Configure the MST region name to be “info”, the MSTP revision level to be 1, and VLAN
2 through VLAN 10 to be mapped to instance 1 and VLAN 20 through VLAN 30 to
instance 2.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name info
[3Com-mst-region] instance 1 vlan 2 to 10
[3Com-mst-region] instance 2 vlan 20 to 30
[3Com-mst-region] revision-level 1
[3Com-mst-region] active region-configuration
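
The region-membership rule in the CAUTION above can be checked offline. The following is an added example (not 3Com code) that parses the region commands from the configuration example and compares two devices. The digest step follows the MST Configuration Digest of IEEE 802.1Q (HMAC-MD5 over the 4096-entry VLAN table with a fixed key), which this guide does not describe; the function names and the second device's commands are constructed for illustration.

```python
import hashlib
import hmac
import re

# Fixed key for the MST Configuration Digest, from IEEE 802.1Q (not from this guide).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_region(cli_lines, default_name=""):
    """Parse MST region view commands into (name, revision level, {vlan: instance}).

    default_name stands in for the device MAC address, which the guide gives as
    the default region name.
    """
    name, revision, vlan_map = default_name, 0, {}
    for line in cli_lines:
        cmd = line.split("]", 1)[-1].strip()      # drop the "[3Com-mst-region]" prompt
        if m := re.fullmatch(r"region-name (\S+)", cmd):
            name = m.group(1)
        elif m := re.fullmatch(r"revision-level (\d+)", cmd):
            revision = int(m.group(1))
        elif m := re.fullmatch(r"instance (\d+) vlan (.+)", cmd):
            instance = int(m.group(1))
            # vlan-list entries are single IDs or "low to high" ranges
            for low, high in re.findall(r"(\d+)(?: to (\d+))?", m.group(2)):
                for vlan in range(int(low), int(high or low) + 1):
                    vlan_map[vlan] = instance
    return name, revision, vlan_map


def config_digest(vlan_map):
    """HMAC-MD5 over 4096 two-octet entries; unmapped VLANs stay in instance 0."""
    table = bytearray(4096 * 2)                   # entries for VID 0 and 4095 stay zero
    for vlan, instance in vlan_map.items():
        if 1 <= vlan <= 4094:
            table[2 * vlan:2 * vlan + 2] = instance.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_mismatches(a, b):
    """Name the region attributes that keep two parsed devices in different regions."""
    diffs = []
    if a[0] != b[0]:
        diffs.append("region name")
    if a[1] != b[1]:
        diffs.append("revision level")
    if config_digest(a[2]) != config_digest(b[2]):
        diffs.append("VLAN-to-instance mapping")
    return diffs


# Commands from the configuration example above.
SWITCH_A = [
    "[3Com-mst-region] region-name info",
    "[3Com-mst-region] instance 1 vlan 2 to 10",
    "[3Com-mst-region] instance 2 vlan 20 to 30",
    "[3Com-mst-region] revision-level 1",
]
# Constructed neighbour: VLAN 30 was left out of instance 2.
SWITCH_B = [
    "[3Com-mst-region] region-name info",
    "[3Com-mst-region] instance 1 vlan 2 to 10",
    "[3Com-mst-region] instance 2 vlan 20 to 29",
    "[3Com-mst-region] revision-level 1",
]

if __name__ == "__main__":
    a, b = parse_region(SWITCH_A), parse_region(SWITCH_B)
    print("digest A:", config_digest(a[2]))
    print("digest B:", config_digest(b[2]))
    print("mismatches:", region_mismatches(a, b) or "none, same region")
```

A single VLAN mapped differently changes the digest, so the two switches end up in separate regions even though the region name and revision level match.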

Specifying the Root Bridge or a Secondary Root Bridge

MSTP can determine the root bridge of a spanning tree through MSTP computing.
Alternatively, you can specify the current device as the root bridge using the commands
provided by the system.

Specifying the current device as the root bridge of a specific spanning tree
Follow these steps to specify the current device as the root bridge of a specific spanning
tree:

Table 127 Specifying the current device as the root bridge of a specific spanning tree

To do... | Use the command... | Remarks
Enter system view | system-view | –
Specify the current device as the root bridge of a specific spanning tree | stp [ instance instance-id ] root primary [ bridge-diameter bridge-number ] [ hello-time centi-seconds ] | Required

Specifying the current device as a secondary root bridge of a specific spanning tree
Follow these steps to specify the current device as a secondary root bridge of a specific
spanning tree:

Table 128 Specifying the current device as a secondary root bridge of a specific spanning tree

To do... | Use the command... | Remarks
Enter system view | system-view | –
Specify the current device as a secondary root bridge of a specific spanning tree | stp [ instance instance-id ] root secondary [ bridge-diameter bridge-number ] [ hello-time centi-seconds ] | Required

Note that:

■ Upon specifying the current device as the root bridge or a secondary root bridge, you
cannot change the priority of the device.
■ You can configure the current device as the root bridge or a secondary root bridge of
an MST instance, which is specified by instance instance-id in the command. If
you set instance-id to 0, the current device will be the root bridge or a secondary root
bridge of the CIST.
■ The current device has independent roles in different instances. It can act as the root
bridge or a secondary root bridge of one instance while it can also act as the root
bridge or a secondary root bridge of another instance. However, the same device
cannot be the root bridge and a secondary root bridge in the same instance at the
same time.
■ You can specify the current device as the root bridge of different MST instances, but
you cannot specify two or more root bridges for the same instance at the same time.
Namely, do not use the same command on two or more devices to specify root
bridges for the same instance.
■ You can specify multiple secondary root bridges for the same instance. Namely, you
can specify secondary root bridges for the same instance on two or more devices.

■ When the root bridge of an instance fails or is shut down, the secondary root bridge
(if you have specified one) can take over as the root bridge of the instance. However, if you
specify a new root bridge for the instance at this time, the secondary root bridge will
not become the root bridge. If you have specified multiple secondary root bridges for
an instance, when the root bridge fails, MSTP will select the secondary root bridge
with the lowest MAC address as the new root bridge.
■ When specifying the root bridge or a secondary root bridge, you can specify the
network diameter and hello time. However, these two options are effective only for
MST instance 0, namely the CIST. If you include these two options in your command
for any other instance, your configuration can succeed, but they will not actually
work. For the description of network diameter and hello time, refer to “Configuring
the Network Diameter of a Switched Network” and “Configuring Timers of MSTP”.
■ Alternatively, you can also specify the current device as the root bridge by setting the
priority of the device to 0. For the device priority configuration, refer to “Configuring
the Priority of the Current Device”.

Configuration example
1 Specify the current device as the root bridge of MST instance 1 and a secondary root
bridge of MST instance 2.
<3Com> system-view
[3Com] stp instance 1 root primary
[3Com] stp instance 2 root secondary

Configuring the Work Mode of MSTP Device

MSTP and RSTP can recognize each other’s protocol packets, so they are mutually
compatible. However, STP is unable to recognize MSTP packets. For hybrid networking
with legacy STP devices and full interoperability with RSTP-compliant devices, MSTP
supports three work modes: STP-compatible mode, RSTP mode, and MSTP mode.
■ In STP-compatible mode, all ports of the device send out STP BPDUs.
■ In RSTP mode, all ports of the device send out RSTP BPDUs. If the device detects that
it is connected with a legacy STP device, the port connecting with the legacy STP
device will automatically migrate to STP-compatible mode.
■ In MSTP mode, all ports of the device send out MSTP BPDUs. If the device detects that
it is connected with a legacy STP device, the port connecting with the legacy STP
device will automatically migrate to STP-compatible mode.

Configuration procedure
Follow these steps to configure the MSTP work mode:
Table 129 Configuring the Work Mode of MSTP Device

To do... | Use the command... | Remarks
Enter system view | system-view | –
Configure the work mode of MSTP | stp mode { stp | rstp | mstp } | Optional. MSTP mode by default

Configuration example
1 Configure MSTP to work in STP-compatible mode.
<3Com> system-view
[3Com] stp mode stp

Configuring the Priority of the Current Device

The priority of a device determines whether it can be elected as the root bridge of a
spanning tree. A lower value indicates a higher priority. By setting the priority of a device
to a low value, you can specify the device as the root bridge of a spanning tree. An
MSTP-compliant device can have different priorities in different MST instances.

Configuration procedure
Follow these steps to configure the priority of the current device:

Table 130 Configuring the Priority of the Current Device

To do... | Use the command... | Remarks
Enter system view | system-view | –
Configure the priority of the current device | stp [ instance instance-id ] priority priority | Optional. 32768 by default

CAUTION:
■ Upon specifying the current device as the root bridge or a secondary root bridge, you
cannot change the priority of the device.
■ During root bridge selection, if all devices in a spanning tree have the same priority,
the one with the lowest MAC address will be selected as the root bridge of the
spanning tree.

Configuration example
1 Set the device priority in MST instance 1 to 4096.
<3Com> system-view
[3Com] stp instance 1 priority 4096

Configuring the Maximum Hops of an MST Region

By setting the maximum hops of an MST region, you can restrict the region size. The
maximum hops setting configured on the regional root bridge will be used as the
maximum hops of the MST region.

After a configuration BPDU leaves the root bridge of the spanning tree in the region, its
hop count is decremented by 1 whenever it passes a device. When its hop count reaches
0, it will be discarded by the device that has received it. As a result, devices beyond the
maximum hops are unable to take part in spanning tree computing, and thereby the size
of the MST region is restricted.

Configuration procedure
Follow these steps to configure the maximum hops of the MST region:

Table 131 Configuring the Maximum Hops of an MST Region

To do... | Use the command... | Remarks
Enter system view | system-view | –
Configure the maximum hops of the MST region | stp max-hops hops | Optional. 20 by default

A larger maximum hops setting means a larger size of the MST region. Only the
maximum hops configured on the regional root bridge can restrict the size of the MST
region.

Configuration example
1 Set the maximum hops of the MST region to 30.
<3Com> system-view
[3Com] stp max-hops 30

Configuring the Network Diameter of a Switched Network

Any two stations in a switched network are interconnected through specific paths, which
are composed of a series of devices. Represented by the number of devices on a path,
the network diameter is the path that comprises more devices than any other among
these paths.

Configuration procedure
Follow these steps to configure the network diameter of the switched network:
Table 132 Configuring the Network Diameter of a Switched Network

To do... | Use the command... | Remarks
Enter system view | system-view | –
Configure the network diameter of the switched network | stp bridge-diameter bridge-number | Optional. 7 by default

CAUTION:
■ Network diameter is a parameter that indicates network size. A bigger
network diameter represents a larger network size.
■ Based on the network diameter you configured, MSTP automatically sets an optimal
hello time, forward delay, and max age for the device.
■ The configured network diameter is effective for the CIST only, and not for MSTIs.

Configuration example
1 Set the network diameter of the switched network to 6.
<3Com> system-view
[3Com] stp bridge-diameter 6

Configuring Timers of MSTP

MSTP involves three timers: forward delay, hello time and max age.
■ Forward delay: the time a device will wait before changing states. A link failure can
trigger a spanning tree computing process, and the spanning tree structure will
change accordingly. However, as a new configuration BPDU cannot be propagated
throughout the network immediately, if the new root port and designated port begin
to forward data as soon as they are elected, a temporary loop may occur. For this
reason, the protocol uses a state transition mechanism. Namely, a newly elected root
port or designated port must wait twice the forward delay time before transitioning
to the forwarding state, when the new configuration BPDU has been propagated
throughout the network.
■ Hello time is used to detect whether a link is faulty. A device sends a hello packet to
the devices around it at a regular interval of hello time to check whether any link is
faulty.
■ Max age is used for determining whether a configuration BPDU has “expired”. A
BPDU that has “expired” will be discarded by the device.

Configuration procedure
Follow these steps to configure the timers of MSTP:
Table 133 Configuring Timers of MSTP

To do... | Use the command... | Remarks
Enter system view | system-view | –
Configure the forward delay timer | stp timer forward-delay centiseconds | Optional. 1,500 centiseconds (15 seconds) by default
Configure the hello time timer | stp timer hello centiseconds | Optional. 200 centiseconds (2 seconds) by default
Configure the max age timer | stp timer max-age centiseconds | Optional. 2,000 centiseconds (20 seconds) by default

These three timers set on the root bridge of the CIST apply to all the devices on the
entire switched network.

CAUTION:
■ The length of the forward delay time is related to the network diameter of the
switched network. Typically, the larger the network diameter is, the longer the
forward delay time should be. Note that if the forward delay setting is too small,
temporary redundant paths may be introduced; if the forward delay setting is too big,
it may take a long time for the network to resume connectivity. We recommend that
you use the default setting.
■ An appropriate hello time setting enables the device to detect link failures on
the network in a timely manner without using excessive network resources. If the hello
time is set too long, the device will mistake packet loss on a link for a link failure and
trigger a new spanning tree computing process; if the hello time is set too short, the
device will send repeated configuration BPDUs frequently, which adds to the device
burden and wastes network resources. We recommend that you use the default setting.
■ If the max age time setting is too small, the network devices will frequently launch
spanning tree computing and may mistake network congestion for a link failure; if the
max age setting is too large, the network may fail to detect link failures and launch
spanning tree computing in a timely manner, thus reducing the auto-sensing capability
of the network. We recommend that you use the default setting.

The setting of hello time, forward delay and max age must meet the following formulae;
otherwise network instability will frequently occur.

■ 2 × (forward delay – 1 second) ≥ max age
■ Max age ≥ 2 × (hello time + 1 second)

We recommend that you specify the network diameter in the stp root primary
command and let MSTP automatically calculate an optimal setting of these three timers.

Configuration example
1 Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds, and max
age to 2,100 centiseconds.
<3Com> system-view
[3Com] stp timer forward-delay 1600
[3Com] stp timer hello 300
[3Com] stp timer max-age 2100

Configuring the Timeout Factor

A device sends a BPDU to the devices around it at a regular interval of hello time to check
whether any link is faulty. Typically, if a device does not receive a BPDU from the
upstream device within nine times the hello time, it will assume that the upstream device
has failed and start a new spanning tree computing process.

In a very stable network, this kind of spanning tree computing may occur because the
upstream device is busy. In this case, you can avoid such unwanted spanning tree
computing by lengthening the timeout time.

Configuration procedure
Follow these steps to configure the timeout factor:
Table 134 Configuring the Timeout Factor

To do... | Use the command... | Remarks
Enter system view | system-view | –
Configure the timeout factor of the device | stp timer-factor number | Optional. 3 by default

■ Timeout time = timeout factor × 3 × hello time.
■ Typically, we recommend that you set the timeout factor to 5, 6, or 7 for a stable
network.

Configuration example
1 Set the timeout factor to 6.
<3Com> system-view
[3Com] stp timer-factor 6
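
The timer formulae and the timeout calculation above, as an added example (not code from 3Com) that reads the stp timer and stp timer-factor commands from a CLI session and reports which formula a setting breaks. The function names and the second command set are constructed for illustration; the defaults are the ones given in Tables 133 and 134.

```python
import re

# Defaults stated in Table 133 and Table 134 (timers in centiseconds).
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000, "timer-factor": 3}


def parse_timers(cli_lines):
    """Collect stp timer settings from system-view commands, starting from the defaults."""
    timers = dict(DEFAULTS)
    for line in cli_lines:
        cmd = line.split("]", 1)[-1].strip()      # drop the "[3Com]" prompt
        if m := re.fullmatch(r"stp timer (forward-delay|hello|max-age) (\d+)", cmd):
            timers[m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"stp timer-factor (\d+)", cmd):
            timers["timer-factor"] = int(m.group(1))
    return timers


def check_timers(timers):
    """Return the formulae from the guide that the timer set violates (1 second = 100 cs)."""
    fd, hello, max_age = timers["forward-delay"], timers["hello"], timers["max-age"]
    violations = []
    if 2 * (fd - 100) < max_age:
        violations.append("2 x (forward delay - 1 second) >= max age")
    if max_age < 2 * (hello + 100):
        violations.append("max age >= 2 x (hello time + 1 second)")
    return violations


def timeout_centiseconds(timers):
    """Timeout time = timeout factor x 3 x hello time."""
    return timers["timer-factor"] * 3 * timers["hello"]


# Commands from the two configuration examples above.
GUIDE_EXAMPLE = [
    "<3Com> system-view",
    "[3Com] stp timer forward-delay 1600",
    "[3Com] stp timer hello 300",
    "[3Com] stp timer max-age 2100",
    "[3Com] stp timer-factor 6",
]
# Constructed: forward delay and hello time changed, max age left at its default.
CONSTRUCTED_BAD = [
    "[3Com] stp timer forward-delay 400",
    "[3Com] stp timer hello 1000",
]

if __name__ == "__main__":
    for label, session in (("guide", GUIDE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        t = parse_timers(session)
        print(label, t, "timeout(cs) =", timeout_centiseconds(t))
        for v in check_timers(t) or ["all formulae hold"]:
            print("   ", v)
```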

Configuring the Maximum Transmission Rate of Ports

The maximum transmission rate of a port refers to the maximum number of MSTP
packets that the port can send within each hello time.

The maximum transmission rate of an Ethernet port is related to the physical status of
the port and the network structure. You can make your configuration based on the
actual networking condition.

Configuration procedure
Follow these steps to configure the maximum transmission rate of a port or a group
of ports:

Table 135 Configuring the Maximum Transmission Rate of Port

To do... | Use the command... | Remarks
Enter system view | system-view | –
Enter Ethernet port view or port group view | interface interface-type interface-number (Ethernet port view), or port-group { manual port-group-name | aggregation agg-id } (port group view) | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Configure the maximum transmission rate of the port(s) | stp transmit-limit packet-number | Optional. 3 by default

If the maximum transmission rate setting of a port is too big, the port will send a large
number of MSTP packets within each hello time, thus using excessive network resources.
We recommend that you use the default setting.

Configuration example
1 Set the maximum transmission rate of port GigabitEthernet 1/0/1 to 5.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp transmit-limit 5

Configuring Ports as Edge Ports

If a port directly connects to a user terminal rather than another device or a shared LAN
segment, this port is regarded as an edge port. When the network topology changes, an
edge port will not cause a temporary loop. Therefore, if you specify a port as an edge
port, this port can transition rapidly from the blocked state to the forwarding state
without delay.

Configuration procedure
Follow these steps to specify a port or a group of ports as edge port(s):

Table 136 Configuring Ports as Edge Ports

To do... | Use the command... | Remarks
Enter system view | system-view | –
Enter Ethernet port view or port group view | interface interface-type interface-number (Ethernet port view), or port-group { manual port-group-name | aggregation agg-id } (port group view) | Use either command. Configured in Ethernet port view, the setting is effective on the current port only; configured in port group view, the setting is effective on all ports in the port group
Configure the port(s) as edge port(s) | stp edged-port enable | Required. All Ethernet ports are non-edge ports by default

■ With BPDU guard disabled, when a port set as an edge port receives a BPDU from
another port, it will become a non-edge port again. In this case, you must reset the
port before you can configure it to be an edge port again.
■ If a port directly connects to a user terminal, configure it to be an edge port and
enable BPDU guard for it. This enables the port to transition to the forwarding state
while ensuring network security.

Configuration example
1 Configure GigabitEthernet 1/0/1 to be an edge port.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp edged-port enable

Configuring Whether Ports Connect to Point-to-Point Links

A point-to-point link is a link directly connecting two devices. If the two ports across
a point-to-point link are root ports or designated ports, the ports can rapidly transition to
the forwarding state by transmitting synchronization packets.

Configuration procedure
Follow these steps to configure whether a port or a group of ports connect to point-to-point links:

Table 137 Configuring Whether Ports Connect to Point-to-Point Links

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only. |
| Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in port group view, the setting is effective on all ports in the port group. |
| Configure whether the port(s) connect to point-to-point links | stp point-to-point { force-true \| force-false \| auto } | Optional. The default setting is auto; namely, the device automatically detects whether an Ethernet port connects to a point-to-point link. |

■ For aggregated ports, all ports can be configured as connecting to point-to-point links. If a port works in auto-negotiation mode and the negotiation result is full duplex, this port can be configured as connecting to a point-to-point link.
■ If a port is configured as connecting to a point-to-point link, the setting takes effect for the port in all MST instances. If the physical link to which the port connects is not a point-to-point link and you force it to be a point-to-point link by configuration, your configuration may cause a temporary loop.

Configuration example
1 Configure port GigabitEthernet 1/0/1 as connecting to a point-to-point link.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp point-to-point force-true

Configuring the MSTP Packet Format for Ports

A port supports two types of MSTP packets:

■ 802.1s-compliant standard format
■ Compatible format

The default packet format setting is auto, namely a port recognizes the two MSTP packet formats automatically. You can configure the MSTP packet format to be used by a port on the command line. After you do so, the port, when working in MSTP mode, sends and receives only MSTP packets of the format you have configured.

Configuration procedure
Follow these steps to configure the MSTP packet format for a port or a group of ports:

Table 138 Configuring the MSTP Packet Format for Ports

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only. |
| Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in port group view, the setting is effective on all ports in the port group. |
| Configure the MSTP packet format for the port(s) | stp compliance { auto \| dot1s \| legacy } | Optional. auto by default. |

■ If the port is configured not to detect the packet format automatically while it works in MSTP mode, and it receives a packet in a format other than the configured one, that port will become a designated port and will remain in the discarding state to prevent the occurrence of a loop.
■ If a port frequently receives MSTP packets of different formats, the MSTP packet format configuration contains an error. In this case, if the port is working in MSTP mode, it will be disabled for protection. Ports closed in this way can be restored only by the network administrators.

Configuration example
1 Configure port GigabitEthernet 1/0/1 to receive and send standard-format MSTP
packets.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp compliance dot1s

Enabling the MSTP Feature

Configuration procedure
Follow these steps to enable the MSTP feature:

Table 139 Enabling the MSTP Feature

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enable the MSTP feature for the device | stp enable | Required. Whether a device is MSTP-enabled by default depends on the specific device model. |
| Enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only. |
| Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in port group view, the setting is effective on all ports in the port group. |
| Enable the MSTP feature for the port(s) | stp enable | Optional. By default, MSTP is enabled for all ports after it is enabled for the device globally. |
| Disable the MSTP feature for the port(s) | stp disable or undo stp | Optional. To control MSTP flexibly, you can disable the MSTP feature for certain Ethernet ports so that these ports do not take part in spanning tree computing, which saves the device's CPU resources. |

You must enable MSTP for the device before any other MSTP-related configuration can
take effect.

Configuration example
1 Enable MSTP for the device and disable MSTP for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] stp enable
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp disable

Configuring Leaf Nodes

Configuration Tasks

Before configuring the root bridge, you need to know the position of each device in each MST instance: root bridge or leaf node. In each instance, one and only one device acts as the root bridge, while all others act as leaf nodes. Complete these tasks to configure a device that acts as a leaf node:

Table 140 Configuring Leaf Nodes

| Task | Remarks |
|---|---|
| Configuring an MST Region | Required |
| Configuring the Work Mode of MSTP | Optional |
| Configuring the Timeout Factor | Optional |
| Configuring the Maximum Transmission Rate of Ports | Optional |
| Configuring Ports as Edge Ports | Optional |
| Configuring Path Costs of Ports | Optional |
| Configuring Port Priority | Optional |
| Configuring Whether Ports Connect to Point-to-Point Links | Optional |
| Configuring the MSTP Packet Format for Ports | Optional |
| Enabling the MSTP Feature | Required |

If both GVRP and MSTP are enabled on a device, GVRP packets will be forwarded along the CIST. Therefore, if both GVRP and MSTP are running on the same device and you wish to advertise a certain VLAN within the network through GVRP, make sure that this VLAN is mapped to the CIST (instance 0) when configuring the VLAN-to-instance mapping table.

Configuring an MST Region

Refer to section “Configuring an MST Region”.

Configuring the Work Mode of MSTP

Refer to section “Configuring the Work Mode of MSTP Device”.

Configuring the Timeout Factor

Refer to section “Configuring the Timeout Factor”.

Configuring the Maximum Transmission Rate of Ports

Refer to section “Configuring the Maximum Transmission Rate of Ports”.

Configuring Ports as Edge Ports

Refer to section “Configuring Ports as Edge Ports”.

Configuring Path Costs of Ports

Path cost is a parameter related to the rate of port-connected links. On an MSTP-compliant device, ports can have different priorities in different MST instances. Setting an appropriate path cost allows VLAN traffic flows to be forwarded along different physical links, thus enabling per-VLAN load balancing.

The device can automatically calculate the default path cost; alternatively, you can configure the path cost for ports.

Specifying a standard that the device uses when calculating the default path cost
You can specify a standard for the device to use in automatic calculation for the default
path cost. The device supports the following standards:
■ dot1d-1998: The device calculates the default path cost for ports based on IEEE
802.1D-1998.
■ dot1t: The device calculates the default path cost for ports based on IEEE 802.1t.
■ legacy: The device calculates the default path cost for ports based on a private
standard.

Follow these steps to specify a standard for the device to use when calculating the
default path cost:

Table 141 Specifying a standard that the device uses when calculating the default path cost

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Specify a standard for the device to use when calculating the default path cost of the link connected with the device | stp pathcost-standard { dot1d-1998 \| dot1t \| legacy } | Optional. The default standard used by the device depends on the specific device model. |

Table 142 Link speed vs. path cost

| Link speed | Duplex state | 802.1D-1998 | 802.1t | Private standard |
|---|---|---|---|---|
| 0 | — | 65535 | 200,000,000 | 200,000 |
| 10Mbit/s | Half-Duplex/Full-Duplex | 100 | 2,000,000 | 2,000 |
| | Aggregated Link 2 Ports | 100 | 1,000,000 | 1,800 |
| | Aggregated Link 3 Ports | 100 | 666,666 | 1,600 |
| | Aggregated Link 4 Ports | 100 | 500,000 | 1,400 |
| 100Mbit/s | Half-Duplex/Full-Duplex | 19 | 200,000 | 200 |
| | Aggregated Link 2 Ports | 19 | 100,000 | 180 |
| | Aggregated Link 3 Ports | 19 | 66,666 | 160 |
| | Aggregated Link 4 Ports | 19 | 50,000 | 140 |
| 1000Mbit/s | Full-Duplex | 4 | 20,000 | 20 |
| | Aggregated Link 2 Ports | 4 | 10,000 | 18 |
| | Aggregated Link 3 Ports | 4 | 6,666 | 16 |
| | Aggregated Link 4 Ports | 4 | 5,000 | 14 |
| 10Gbit/s | Full-Duplex | 2 | 2,000 | 2 |
| | Aggregated Link 2 Ports | 2 | 1,000 | 1 |
| | Aggregated Link 3 Ports | 2 | 666 | 1 |
| | Aggregated Link 4 Ports | 2 | 500 | 1 |

When calculating the path cost of an aggregated link, 802.1D-1998 does not take into account the number of ports in the aggregated link, whereas 802.1t does. The calculation formula is: Path Cost = 200,000,000/link speed in 100 kbps, where link speed is the sum of the link speed values of the non-blocked ports in the aggregated link.

Configuring Path Costs of Ports

Follow these steps to configure the path cost of ports:

Table 143 Configuring Path Costs of Ports

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only. |
| Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in port group view, the setting is effective on all ports in the port group. |
| Configure the path cost of the port(s) | stp [ instance instance-id ] cost cost | Required. By default, MSTP automatically calculates the path cost of each port. |

CAUTION:
■ If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will no longer take effect.
■ When the path cost of a port is changed, MSTP will re-compute the role of the port and initiate a state transition. If you use 0 as instance-id, you are setting the path cost of the CIST.

Configuration example (1)
1 Set the path cost of GigabitEthernet 1/0/1 in MST instance 1 to 2000.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 cost 2000

Configuration example (2)


1 Configure the path cost of GigabitEthernet 1/0/1 in MST instance 1 to be calculated by
MSTP as per IEEE 802.1D-1998.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] undo stp instance 1 cost
[3Com-GigabitEthernet1/0/1] quit
[3Com] stp pathcost-standard dot1d-1998

Configuring Port Priority

The priority of a port is an important basis that determines whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority will be elected as the root port.

On an MSTP-compliant device, a port can have different priorities in different MST instances, and the same port can play different roles in different MST instances, so that data of different VLANs can be propagated along different physical paths, thus implementing per-VLAN load balancing. You can set port priority values based on the actual networking requirements.

Configuration procedure
Follow these steps to configure the priority of a port or a group of ports:

Table 144 Configuring Port Priority

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only. |
| Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in port group view, the setting is effective on all ports in the port group. |
| Configure port priority | stp [ instance instance-id ] port priority priority | Optional. 128 for all Ethernet ports by default. |

■ When the priority of a port is changed, MSTP will re-compute the role of the port and initiate a state transition.
■ Generally, a lower configured priority value indicates a higher priority of the port. If you configure the same priority value for all the Ethernet ports on a device, the specific priority of a port depends on the index number of that port. Changing the priority of an Ethernet port triggers a new spanning tree computing process.

Configuration example
1 Set the priority of port GigabitEthernet 1/0/1 to 16 in MST instance 1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp instance 1 port priority 16

Configuring Whether Ports Connect to Point-to-Point Links

Refer to “Configuring Whether Ports Connect to Point-to-Point Links”.

Configuring the MSTP Packet Format for Ports

Refer to “Configuring the MSTP Packet Format for Ports”.

Enabling the MSTP Feature

Refer to “Enabling the MSTP Feature”.

Performing mCheck

Ports on an MSTP-compliant device have three working modes: STP compatible mode, RSTP mode, and MSTP mode.

In a switched network, if a port on the device running MSTP (or RSTP) connects to a device running STP, this port will automatically migrate to the STP-compatible mode. However, if the device running STP is removed, this port will not be able to migrate automatically to the MSTP (or RSTP) mode, but will remain working in the STP-compatible mode. In this case, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode.

You can perform mCheck on a port through two approaches, which lead to the same
result.

Configuration prerequisites
MSTP has been correctly configured on the device.

Performing mCheck globally

Follow these steps to perform mCheck:

Table 145 Performing mCheck globally

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Perform mCheck | stp mcheck | Required |

Performing mCheck in Ethernet port view

Follow these steps to perform mCheck in Ethernet port view:

Table 146 Performing mCheck in Ethernet port view

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet port view | interface interface-type interface-number | – |
| Perform mCheck | stp mcheck | Required |

CAUTION: The stp mcheck command is meaningful only when the device works in
the MSTP (or RSTP) mode, not in the STP-compatible mode.

Configuration example
1 Perform mCheck on port GigabitEthernet 1/0/1.
a Method 1: Perform mCheck globally.
<3Com> system-view
[3Com] stp mcheck
b Method 2: Perform mCheck in Ethernet port view
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp mcheck

Configuring Protection Functions

An MSTP-compliant device supports the following protection functions:

■ BPDU guard
■ Root guard
■ Loop guard
■ TC-BPDU attack guard

Among loop guard, root guard and edge port setting, only one function can take effect
on the same port at the same time.

The purposes of these protection functions are as follows:

■ BPDU guard

For access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition of these ports. When these ports receive configuration BPDUs, the system will automatically set these ports as non-edge ports and start a new spanning tree computing process. This will cause network topology instability. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, network instability will occur.

MSTP provides the BPDU guard function to protect the system against such attacks. With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs, the system will close these ports and notify the NMS that these ports have been closed by MSTP. Ports closed in this way can be restored only by the network administrators.

■ Root guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design. However, due to possible configuration errors or malicious attacks in the network, the legal root bridge may receive a configuration BPDU with a higher priority. In this case, the current root bridge will be superseded by another device, causing an undesired change of the network topology. As a result of this kind of illegal topology change, the traffic that should go over high-speed links is drawn to low-speed links, resulting in network congestion.

To prevent this situation from happening, MSTP provides the root guard function to protect the root bridge. If the root guard function is enabled on a port, this port will keep playing the role of designated port on all MST instances. Once this port receives a configuration BPDU with a higher priority from an MST instance, it immediately sets that instance port to the listening state, without forwarding the packet (this is equivalent to disconnecting the link connected with this port). If the port receives no BPDUs with a higher priority within a sufficiently long time, the port will revert to its original state.

■ Loop guard

By continuing to receive BPDUs from the upstream device, a device can maintain the state of the root port and other blocked ports. However, due to link congestion or unidirectional link failures, these ports may fail to receive BPDUs from the upstream device. In this case, the downstream device will reselect the port roles: those ports that failed to receive upstream BPDUs will become designated ports and the blocked ports will transition to the forwarding state, resulting in loops in the switched network. The loop guard function can suppress the occurrence of such loops.

If a loop guard–enabled port fails to receive BPDUs from the upstream device, and if the
port took part in STP computing, all the instances on the port, no matter what roles they
play, will be set to, and stay in, the Discarding state.

■ TC-BPDU attack guard

When receiving a TC-BPDU packet (a packet used as notification of topology change), the device will delete the corresponding MAC address entry and ARP entry. If someone forges TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time, and frequent deletion operations place a heavy burden on the device and endanger network stability.

With the TC-BPDU guard function enabled, the device performs a deletion operation
only once within a certain period of time (typically 10 seconds) after it receives a
TC-BPDU, and monitors whether a new TC-BPDU is received within that period of time. If
a new TC-BPDU is received within that period of time, the device will perform another
deletion operation after that period of time elapses. This prevents frequent deletion of
MAC address entries and ARP entries.
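
The effect of this hold-down on a burst of TC-BPDUs can be modelled as follows. This is an added sketch, not 3Com's implementation: the function names are hypothetical, times are integer milliseconds, the 10-second period is the typical value quoted above, and the model assumes that a deferred deletion starts a new period.

```python
from typing import Iterable, List


def guarded_flush_times(tc_arrivals_ms: Iterable[int], period_ms: int = 10_000) -> List[int]:
    """Times at which MAC/ARP entries are deleted when TC-BPDU attack guard is on.

    The first TC-BPDU seen while idle triggers an immediate deletion and opens
    a period. TC-BPDUs received inside the period are only remembered; when the
    period elapses, one deferred deletion is performed if any were seen.
    """
    flushes: List[int] = []
    window_end = None      # end of the current period, None while idle
    pending = False        # a TC-BPDU arrived inside the current period

    for t in sorted(tc_arrivals_ms):
        # Settle every period that elapsed before this arrival.
        while window_end is not None and t >= window_end:
            if pending:
                flushes.append(window_end)   # deferred deletion at period end
                window_end += period_ms      # assumption: it opens a new period
                pending = False
            else:
                window_end = None            # quiet period: back to idle
        if window_end is None:
            flushes.append(t)                # idle: delete immediately
            window_end = t + period_ms
        else:
            pending = True                   # inside a period: defer

    if window_end is not None and pending:
        flushes.append(window_end)           # last deferred deletion
    return flushes


def unguarded_flush_times(tc_arrivals_ms: Iterable[int]) -> List[int]:
    """Without the guard, every TC-BPDU causes its own deletion."""
    return sorted(tc_arrivals_ms)


if __name__ == "__main__":
    # Constructed input: 50 forged TC-BPDUs per second for 25 seconds.
    flood = range(0, 25_000, 20)
    print("unguarded deletions:", len(unguarded_flush_times(flood)))
    print("guarded deletions at (ms):", guarded_flush_times(flood))
```
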

Configuration prerequisites

MSTP has been correctly configured on the device.

Enabling BPDU Guard


■ The support for this feature depends on the specific device model.
■ We recommend that you enable BPDU guard if your device supports this function.

Configuration procedure
Follow these steps to enable BPDU guard:

Table 147 Enabling BPDU Guard

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enable the BPDU guard function for the device | stp bpdu-protection | Required. Disabled by default. |

Configuration example
1 Enable BPDU protection.
<3Com> system-view
[3Com] stp bpdu-protection

Enabling Root Guard


■ The support for this feature depends on the specific device model.
■ We recommend that you enable root guard if your device supports this function.

Configuration procedure
Follow these steps to enable root guard:

Table 148 Enabling Root Guard

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only. |
| Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in port group view, the setting is effective on all ports in the port group. |
| Enable the root guard function for the port(s) | stp root-protection | Required. Disabled by default. |

Configuration example
1 Enable the root guard function for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp root-protection

Enabling Loop Guard


■ The support for this feature depends on the specific device model.
■ We recommend that you enable loop guard if your device supports this function.

Configuration procedure
Follow these steps to enable loop guard:

Table 149 Enabling Loop Guard

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enter Ethernet port view | interface interface-type interface-number | Use either command. Configured in Ethernet port view, the setting is effective on the current port only. |
| Enter port group view | port-group { manual port-group-name \| aggregation agg-id } | Use either command. Configured in port group view, the setting is effective on all ports in the port group. |
| Enable the loop guard function for the port(s) | stp loop-protection | Required. Disabled by default. |

Configuration example
1 Enable the loop guard function for port GigabitEthernet 1/0/1.
<3Com> system-view
[3Com] interface GigabitEthernet 1/0/1
[3Com-GigabitEthernet1/0/1] stp loop-protection

Enabling TC-BPDU Attack Guard

Configuration procedure
Follow these steps to enable TC-BPDU attack guard:

Table 150 Enabling TC-BPDU Attack Guard

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | – |
| Enable the TC-BPDU attack guard function | stp tc-protection enable | Optional. Enabled by default. |

We recommend that this function should not be disabled.

Configuration example
1 Enable the TC-BPDU attack guard function.
<3Com> system-view
[3Com] stp tc-protection enable
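
The rules stated in this chapter (pair edge ports with BPDU guard, only one of edge port, root guard and loop guard takes effect on a port, forcing a point-to-point link can cause a temporary loop) can be checked against a configuration listing. The auditor below is an added example, not 3Com code: the listing layout ("#" separators, indented commands under each interface line) and both sample listings are constructed assumptions, and only commands shown in this chapter are matched.

```python
import re

# Per-port functions of which only one can take effect on a port at a time.
EXCLUSIVE = {
    "stp edged-port enable": "edge port",
    "stp root-protection": "root guard",
    "stp loop-protection": "loop guard",
}


def parse_config(text):
    """Return (global_commands, {interface: [commands]}) from a config listing."""
    global_cmds, ports, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # assumed section separator
            current = None
            continue
        indented = raw[0].isspace()
        m = None if indented else re.match(r"interface\s+(.+)$", line)
        if m:
            # "GigabitEthernet 1/0/1" and "GigabitEthernet1/0/1" name the same port
            current = re.sub(r"\s+", "", m.group(1))
            ports.setdefault(current, [])
        elif current is not None and indented:
            ports[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, ports


def audit(text):
    """Return a list of (scope, code, detail) findings."""
    global_cmds, ports = parse_config(text)
    findings = []
    if "stp enable" not in global_cmds:
        findings.append(("device", "MSTP_NOT_ENABLED",
                         "no 'stp enable' line; confirm MSTP is enabled, "
                         "otherwise other MSTP settings do not take effect"))
    bpdu_guard = "stp bpdu-protection" in global_cmds
    for name, cmds in ports.items():
        active = [label for cmd, label in EXCLUSIVE.items() if cmd in cmds]
        if len(active) > 1:
            findings.append((name, "EXCLUSIVE_CONFLICT",
                             " + ".join(active) + ": only one can take effect"))
        if "stp edged-port enable" in cmds and not bpdu_guard:
            findings.append((name, "EDGE_WITHOUT_BPDU_GUARD",
                             "edge port can be knocked out of edge state by a forged BPDU"))
        if "stp point-to-point force-true" in cmds:
            findings.append((name, "P2P_FORCED",
                             "verify the physical link really is point-to-point"))
    return findings


# Constructed sample listings (not taken from a real device).
WEAK_CONFIG = """\
#
 stp enable
#
interface GigabitEthernet1/0/1
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 stp edged-port enable
 stp root-protection
#
interface GigabitEthernet1/0/24
 stp loop-protection
 stp point-to-point force-true
#
"""

FIXED_CONFIG = """\
#
 stp enable
 stp bpdu-protection
#
interface GigabitEthernet1/0/1
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 stp edged-port enable
#
interface GigabitEthernet1/0/24
 stp loop-protection
#
"""

if __name__ == "__main__":
    for scope, code, detail in audit(WEAK_CONFIG):
        print(f"{scope}: {code}: {detail}")
```
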

Displaying and Maintaining MSTP

Table 151 Displaying and Maintaining MSTP

| To do... | Use the command... | Remarks |
|---|---|---|
| View the status information and statistics information of MSTP | display stp [ instance instance-id ] [ interface interface-list \| slot slot-number ] [ brief ] | Available in any view |
| View the MST region configuration information that has taken effect | display stp region-configuration | Available in any view |
| Clear the statistics information of MSTP | reset stp [ interface interface-list ] | Available in user view |

MSTP Configuration Example

Network requirements

Configure MSTP so that packets of different VLANs are forwarded along different spanning trees. The specific configuration requirements are as follows:
■ All devices on the network are in the same MST region.
■ Packets of VLAN 10 are forwarded along MST instance 1, those of VLAN 30 are forwarded along MST instance 3, those of VLAN 40 are forwarded along MST instance 4, and those of VLAN 20 are forwarded along MST instance 0.
■ Switch A and Switch B are convergence layer devices, while Switch C and Switch D are access layer devices. VLAN 10 and VLAN 30 are terminated on the convergence layer devices, and VLAN 40 is terminated on the access layer devices, so the root bridges of MST instance 1 and MST instance 3 are Switch A and Switch B respectively, while the root bridge of MST instance 4 is Switch C.

Network diagram

Figure 59 Network diagram for MSTP configuration

[Figure: Switch A, Switch B, Switch C and Switch D joined by links labelled “Permit: all VLAN”, “Permit: VLAN 10, 20”, “Permit: VLAN 20, 30” and “Permit: VLAN 20, 40”.]

“Permit:” beside each link in the figure is followed by the VLANs whose packets are permitted to pass this link.

Configuration procedure
1 Configuration on Switch A
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
[3Com-mst-region] quit
c Define Switch A as the root bridge of MST instance 1.
[3Com] stp instance 1 root primary
d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector :0
Region name :example
Revision level :0

Instance Vlans Mapped


0 1 to 9, 11 to 29, 31 to 39, 41 to 4094
1 10
3 30
4 40

2 Configuration on Switch B
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
[3Com-mst-region] quit
c Define Switch B as the root bridge of MST instance 3.
[3Com] stp instance 3 root primary
d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector :0
Region name :example
Revision level :0

Instance Vlans Mapped


0 1 to 9, 11 to 29, 31 to 39, 41 to 4094
1 10
3 30
4 40
3 Configuration on Switch C
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
[3Com-mst-region] quit
c Define Switch C as the root bridge of MST instance 4.
[3Com] stp instance 4 root primary

d View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector :0
Region name :example
Revision level :0

Instance Vlans Mapped


0 1 to 9, 11 to 29, 31 to 39, 41 to 4094
1 10
3 30
4 40
4 Configuration on Switch D
a Configure an MST region.
<3Com> system-view
[3Com] stp region-configuration
[3Com-mst-region] region-name example
[3Com-mst-region] instance 1 vlan 10
[3Com-mst-region] instance 3 vlan 30
[3Com-mst-region] instance 4 vlan 40
[3Com-mst-region] revision-level 0
b Activate MST region configuration manually.
[3Com-mst-region] active region-configuration
[3Com-mst-region] quit
c View the MST region configuration information that has taken effect.
[3Com] display stp region-configuration
Oper configuration
Format selector :0
Region name :example
Revision level :0

Instance Vlans Mapped


0 1 to 9, 11 to 29, 31 to 39, 41 to 4094
1 10
3 30
4 40
20 IP ADDRESSING CONFIGURATION

IP addressing uses a 32-bit address to identify each host on the network.

This chapter tells you how to assign IP addresses to interfaces on your device. Use the following table to find the information you are interested in.

Table 152 Information

| If you need to… | Go to… |
|---|---|
| Know how IP addresses are expressed and classified, how subnetting works, and what IP unnumbered is | IP Addressing Overview |
| Assign IP addresses to interfaces | Configuring IP Addresses |
| Consult the display commands available for verifying IP addressing configuration | Displaying and Maintaining IP Addressing |

IP Addressing Overview

To get more information about IP addressing, go to these topics:

■ IP Address Classes
■ Subnetting and Masking

IP Address Classes

IP addresses are represented in dotted decimal notation, each being four octets in length, for example, 10.1.1.1.

Each IP address breaks down into two parts:

■ Net-id, the first several bits of the IP address defining a network, also known as class
bits.
■ Host-id, identifies a host on a network.

For ease of administration, IP addresses are divided into five classes. Which class an IP address belongs to depends on the first one to four bits of the net-id, as shown in the following figure.

Figure 60 IP address classes (bits numbered 0 to 31)

| Class | Leading bits | Remaining bits |
|---|---|---|
| Class A | 0 | Net-id, Host-id |
| Class B | 1 0 | Net-id, Host-id |
| Class C | 1 1 0 | Net-id, Host-id |
| Class D | 1 1 1 0 | Multicast address |
| Class E | 1 1 1 1 0 | Reserved address |

The following table describes the address ranges of these five classes.

Table 153 IP address classes

| Class | Address range | Description |
|---|---|---|
| A | 0.0.0.0 to 127.255.255.255 | Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed internally as input packets rather than sent to the line. |
| B | 128.0.0.0 to 191.255.255.255 | — |
| C | 192.0.0.0 to 223.255.255.255 | — |
| D | 224.0.0.0 to 239.255.255.255 | Unlike Class A, B, and C addresses, Class D addresses are used for multicast addressing. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255 |

Subnetting and Masking

In the 1980s, subnetting was developed to address the risk of IP address exhaustion resulting from the fast expansion of the Internet. The idea is to break a network down into smaller networks called subnets by using some bits of the host-id to create a subnet-id. To identify the boundary between the net-id and the host-id, masking is used.

Each subnet mask comprises 32 bits related to the corresponding bits in an IP address. In
a mask, the part containing consecutive ones identifies the net-id whereas the part
containing consecutive zeros identifies the host-id.

Figure 61 shows how a Class B address is subnetted.

Figure 61 Subnetting a Class B address

Class B address: Net-id (bits 0 to 15), Host-id (bits 16 to 31)
Mask:            11111111 11111111 00000000 00000000

Subnetting:      Net-id (bits 0 to 15), Subnet-id (bits 16 to 21), Host-id (bits 22 to 31)
Mask:            11111111 11111111 11111100 00000000

While allowing you to create multiple logical networks within a single Class A, B, or C
network, subnetting is transparent to the rest of the Internet. All these networks still
appear as one. As subnetting adds an additional level, subnet-id, to the two-level
hierarchy with IP addressing, IP routing now involves three steps: delivery to the site,
delivery to the subnet, and delivery to the host.

Subnetting is a trade-off between subnets and accommodated hosts. For example, a Class B network can accommodate 65,534 hosts before being subnetted. After you break it down into 64 subnets by using the first 6 bits of the host-id for the subnet, you have only 10 bits for the host-id and thus have only 1022 (2^10 – 2) hosts in each subnet. The maximum number of hosts is thus 65,408 (64 x 1022), 126 less after the network is subnetted.

Class A, B, and C networks, before being subnetted, use these default masks (also called
natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
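
The class ranges of Table 153, the net-id/subnet-id/host-id split of Figure 61 and the host-count trade-off above can be reproduced in code. This is an added example, not part of the original guide; the function names are hypothetical, and masks made of non-consecutive ones are rejected.

```python
import ipaddress

NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}   # default (natural) mask lengths


def address_class(addr):
    """Class of an IPv4 address according to the ranges in Table 153."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def prefix_length(mask):
    """Number of consecutive leading ones in a dotted-decimal mask."""
    zeros = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if zeros & (zeros + 1):                    # ones and zeros are interleaved
        raise ValueError(f"{mask} is not a valid subnet mask")
    return 32 - zeros.bit_length()


def split_address(addr, mask):
    """Split a Class A/B/C address into net-id, subnet-id and host-id."""
    cls = address_class(addr)
    if cls not in NATURAL_PREFIX:
        raise ValueError(f"Class {cls} addresses have no net-id/host-id split")
    natural, prefix = NATURAL_PREFIX[cls], prefix_length(mask)
    if prefix < natural:
        raise ValueError("mask is shorter than the natural mask of the class")
    ip = int(ipaddress.IPv4Address(addr))
    host_bits, subnet_bits = 32 - prefix, prefix - natural
    return {
        "class": cls,
        "net_id": ip >> (32 - natural),
        "subnet_id": (ip >> host_bits) & ((1 << subnet_bits) - 1),
        "host_id": ip & ((1 << host_bits) - 1),
    }


def subnet_tradeoff(cls, subnet_bits):
    """Return (subnets, hosts per subnet, total hosts, hosts lost to subnetting)."""
    host_bits = 32 - NATURAL_PREFIX[cls]
    if not 0 <= subnet_bits <= host_bits - 2:
        raise ValueError("subnet-id must leave at least 2 host bits")
    before = 2 ** host_bits - 2
    per_subnet = 2 ** (host_bits - subnet_bits) - 2
    subnets = 2 ** subnet_bits
    return subnets, per_subnet, subnets * per_subnet, before - subnets * per_subnet


if __name__ == "__main__":
    print(address_class("10.1.1.1"))
    print(split_address("129.2.2.1", "255.255.255.0"))
    print(subnet_tradeoff("B", 6))
```
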

Configuring IP Addresses

For a VLAN interface, an IP address can be obtained in one of the three ways:
■ Manually configured by using the IP address configuration command
■ Allocated by the BOOTP server
■ Allocated by the DHCP server

The three methods are mutually exclusive and the use of a new method will result in the
IP address obtained by the old method being released. For example, if you obtain an IP
address by using the IP address configuration command, and then use the ip address
bootp-alloc command to apply for an IP address, the originally configured IP address
is deleted and a new IP address will be allocated by BOOTP for the VLAN interface.

This chapter only covers how to assign an IP address manually. For the other two
methods of obtaining IP addresses, refer to the DHCP module.

This section includes:

■ Assigning an IP Address to an Interface
■ IP Addressing Configuration Example

Assigning an IP Address to an Interface

Follow these steps to assign an IP address to an interface:

Table 154 Assigning an IP Address to an Interface

To do…                              Use the command…                    Remarks
Enter system view                   system-view                         —
Enter interface view                interface interface-type            —
                                    interface-number
Assign an IP address to the         ip address ip-address               Required
interface                           { mask | mask-length }              No IP address is assigned by default.

You can configure IP addresses for VLAN interfaces and Loopback interfaces on Switch
4500G switches.

IP Addressing Configuration Example

Network requirements

Set the IP address and subnet mask of VLAN interface 1 to 129.2.2.1 and 255.255.255.0
respectively.

Network diagram

Figure 62 IP address configuration

[Figure 62: a PC connected to the switch through a console cable]
Configuration procedure
Configure an IP address for VLAN interface 1.
<3Com> system-view
[3Com] interface Vlan-interface 1
[3Com-Vlan-interface1] ip address 129.2.2.1 255.255.255.0

Displaying IP Addressing

Table 155 Displaying IP Addressing

To do…                                  Use the command…                      Remarks
Display detailed information about      display ip interface                  Available in any view
the IP configuration of a specified     [ interface-type interface-number ]
interface
Display brief information about the     display ip interface brief            Available in any view
basic IP configuration of a specified   [ interface-type interface-number ]
or all interfaces
21 IP PERFORMANCE CONFIGURATION

Introduction to IP performance

In some network environments, you need to adjust the parameters for the best IP
performance. IP performance configuration includes:
■ TCP timer
■ Size of TCP receiving/sending buffer
■ Sending ICMP error packets
■ Permitting Receiving and Forwarding of Directed Broadcast Packets

Configuring TCP attributes

TCP attributes that can be configured include:

■ synwait timer: Before sending a SYN packet, TCP starts the synwait timer. If no
response packet is received before the synwait timer expires, the TCP connection is
not established.
■ finwait timer: When the TCP connection enters the FIN_WAIT_2 state, the finwait timer
is started. If no FIN packet is received before the timer expires, the TCP connection
is terminated. If a FIN packet is received, the TCP connection state changes to
TIME_WAIT. If non-FIN packets are received, the timer restarts from the last non-FIN
packet received, and the connection is broken when the timer expires.
■ Size of TCP receiving/sending buffer
Table 156 Configuring TCP attributes

To do…                              Use the command…                    Remarks
Enter system view                   system-view                         —
Configure TCP synwait timer’s       tcp timer syn-timeout time-value    Optional
timeout value                                                           By default, the timeout value is 75 seconds.
Configure TCP finwait timer’s       tcp timer fin-timeout time-value    Optional
timeout value                                                           By default, the timeout value is 675 seconds.
Configure the size of TCP           tcp window window-size              Optional
receiving/sending buffer                                                By default, the buffer is 8k bytes.

Configuring sending ICMP error packets

Sending error packets is a major function of the ICMP protocol. ICMP packets are typically
sent by network layer or transport layer protocols to notify the corresponding devices, so as
to facilitate control and management.

Advantage of sending ICMP error packets

There are three kinds of ICMP error packets: redirect packets, timeout packets and
destination unreachable packets. Their sending conditions and functions are as follows.
1 Sending ICMP redirect packets

A host may have only one default route, to the default gateway, in its routing table when
it starts. The default gateway sends an ICMP redirect packet to the source host, notifying
it to select a correct router as the next hop for subsequent packets, if the following
conditions are satisfied:

■ The device finds that the receiving and sending interfaces are the same while
forwarding data packets.
■ The selected route has not been created or modified by ICMP redirect packets.
■ The selected route is not the default route of the host.
■ The source IP address of the data packets and the next hop’s IP address in the selected
route belong to the same network segment.

ICMP redirect packets simplify host administration: they let hosts with little routing
information build up a sound routing table and find the best routes.

2 Sending ICMP timeout packets

When sending of ICMP timeout packets is enabled and a timeout error occurs after the
device receives an IP data packet, the device drops the data packet and sends an ICMP
error packet to the source.

The device will send an ICMP timeout packet under the following conditions:

■ If the device finds that the destination of a received data packet is not local and the
packet’s TTL field is 1, it sends a “TTL timeout” ICMP error packet.
■ When the device receives the first fragment of an IP packet whose destination address is
local, it starts a timer. If the timer expires before all the fragments are received,
the device sends a “reassembly timeout” ICMP error packet.
3 Sending ICMP destination unreachable packets

When sending of ICMP destination unreachable packets is enabled and a destination
unreachable error occurs after the device receives an IP data packet, the device drops
the data packet and sends an ICMP error packet to the source.

The device will send an ICMP destination unreachable packet under the following
conditions:

■ When forwarding a packet, if the device finds neither a matching forwarding route nor a
default route in the routing table, it sends a “network unreachable” ICMP error
packet.

■ When receiving a data packet whose destination address is local, if the transport layer
protocol is unavailable on the device, the device sends a “protocol
unreachable” ICMP error packet.
■ When receiving a data packet whose destination address is local and whose transport
layer protocol is UDP, if the packet’s port number does not match any running process,
the device sends the source a “port unreachable” ICMP error packet.
■ When packets are sent using “strict source routing”, if an intermediate device finds that
the source route points to a device not directly connected to the network, it sends the
source a “source routing fails” ICMP error packet.
■ When forwarding a packet, if the MTU of the forwarding interface is smaller than the
packet but the packet has been set as unfragmentable, the device sends the source a
“fragmenting is required but unavailable” ICMP error packet.

Disadvantage of sending ICMP error packets

Although sending ICMP error packets facilitates control and management, it has the
following disadvantages:
■ Sending a lot of ICMP packets increases network traffic.
■ If the device receives a lot of malicious packets that cause it to send many ICMP error
packets, the device's performance is reduced.
■ As redirects add routes to a host’s routing table, the host’s performance is reduced if
a great number of routes are added.
■ As ICMP destination unreachable packets are unreachable to users' processes, end users
may be affected if there are malicious attacks.

To prevent these problems, you can disable the device from sending ICMP error
packets, which reduces network traffic and avoids malicious attacks.

Table 157 Disable sending ICMP error packets

To do…                              Use the command…        Remarks
Enter system view                   system-view             —
Disable sending ICMP redirect       undo ip redirects       Required
packets                                                     Sending ICMP redirect packets is enabled by default.
Disable sending ICMP timeout        undo ip ttl-expires     Required
packets                                                     Sending ICMP timeout packets is enabled by default.
Disable sending ICMP destination    undo ip unreachables    Required
unreachable packets                                         Sending ICMP destination unreachable packets is
                                                            enabled by default.

■ The device stops sending “network unreachable” and “source route unsuccessful”
ICMP error packets after sending ICMP destination unreachable packets is disabled.
But other destination unreachable packets will be sent normally.
■ The device stops sending “TTL timeout” ICMP error packets after sending ICMP
timeout packets is disabled. But “reassembly timeout” error packets will be sent
normally.
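
The sending conditions above and the effect of the three undo commands, modelled as an added Python example (not 3Com code). The Packet fields, the order in which the conditions are checked and the function names are assumptions made for illustration; the ICMP type/code pairs are the standard RFC 792 values.

```python
from dataclasses import dataclass

# ICMP (type, code) pairs from RFC 792 for the errors named in this section.
NET_UNREACHABLE = (3, 0)
PROTOCOL_UNREACHABLE = (3, 2)
PORT_UNREACHABLE = (3, 3)
FRAGMENTATION_NEEDED = (3, 4)
SOURCE_ROUTE_FAILED = (3, 5)
TTL_EXCEEDED = (11, 0)
REASSEMBLY_EXCEEDED = (11, 1)
REDIRECT = (5, None)  # type 5; the code depends on the kind of redirect


@dataclass
class Config:
    redirects: bool = True      # False after "undo ip redirects"
    ttl_expires: bool = True    # False after "undo ip ttl-expires"
    unreachables: bool = True   # False after "undo ip unreachables"


@dataclass
class Packet:
    """Constructed summary of what the device found out about one received packet."""
    dst_is_local: bool
    ttl: int = 64
    route_found: bool = True             # forwarding route or default route exists
    source_route_ok: bool = True         # strict source route can be followed
    df_set: bool = False                 # packet marked unfragmentable
    larger_than_mtu: bool = False        # packet exceeds the outgoing interface MTU
    redirect_conditions_met: bool = False
    reassembly_timed_out: bool = False
    protocol_available: bool = True
    udp_port_listening: bool = True


def error_condition(p):
    """Return the ICMP error this packet would trigger, ignoring configuration."""
    if p.dst_is_local:
        if p.reassembly_timed_out:
            return REASSEMBLY_EXCEEDED
        if not p.protocol_available:
            return PROTOCOL_UNREACHABLE
        if not p.udp_port_listening:
            return PORT_UNREACHABLE
        return None
    if p.ttl <= 1:
        return TTL_EXCEEDED
    if not p.source_route_ok:
        return SOURCE_ROUTE_FAILED
    if not p.route_found:
        return NET_UNREACHABLE
    if p.df_set and p.larger_than_mtu:
        return FRAGMENTATION_NEEDED
    if p.redirect_conditions_met:
        return REDIRECT
    return None


def suppressed(cfg):
    """Errors that stop being sent, following the two notes after Table 157."""
    stopped = set()
    if not cfg.redirects:
        stopped.add(REDIRECT)
    if not cfg.ttl_expires:
        stopped.add(TTL_EXCEEDED)            # "reassembly timeout" is still sent
    if not cfg.unreachables:
        stopped |= {NET_UNREACHABLE, SOURCE_ROUTE_FAILED}  # other unreachables still sent
    return stopped


def icmp_sent(p, cfg):
    """ICMP error actually sent for packet p under configuration cfg, or None."""
    err = error_condition(p)
    return None if err in suppressed(cfg) else err


if __name__ == "__main__":
    hardened = Config(redirects=False, ttl_expires=False, unreachables=False)
    probe = Packet(dst_is_local=True, udp_port_listening=False)
    print("UDP probe to closed port, all three disabled:", icmp_sent(probe, hardened))
```

With all three commands applied, the device still answers with "port unreachable", "protocol unreachable", "fragmenting is required" and "reassembly timeout", so filtering of those needs a separate control.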

Permitting Receiving and Forwarding of Directed Broadcast Packets

Directed broadcast packets include network directed broadcast packets, subnetwork
directed broadcast packets and all-subnetwork directed broadcast packets. As specified
in RFC 2644, the device can receive and forward directed broadcast packets by default.
However, hackers can use such packets to attack the network system, thus bringing forth
great potential dangers to the network.

Switch 4500G series switches do not receive and forward directed broadcast packets by
default. You can configure Switch 4500G series switches to receive and forward
directed broadcast packets.

Table 158 Configure to permit the receiving and forwarding of directed broadcast packets

To do…                              Use the command…                    Remarks
Enter system view                   system-view                         —
Enable the switch to receive        ip forward-broadcast                Optional
directed broadcast packets                                              By default, directed broadcast packets are
                                                                        not received.
Enter VLAN interface view           interface Vlan-interface vlan-id    —
Enable the specified VLAN           ip forward-broadcast                Optional
interface to forward directed       [ acl acl-number ]                  By default, directed broadcast packets are
broadcast packets                                                       not forwarded on VLAN interfaces.

If an ACL is specified when a VLAN interface is enabled to forward directed broadcast
packets, the directed broadcast packets to be forwarded are filtered by the configured
ACL rules. Directed broadcast packets that do not match the ACL rules are dropped.

CAUTION: If the ip forward-broadcast [ acl acl-number ] command is configured on one
interface repeatedly, the most recently configured acl-number argument replaces the one
configured previously. If the acl-number argument is not provided in this command, the
acl-number argument configured previously is disabled.

Configuration Example

Network requirements

As shown in Figure 63, PC1 and PC2 are in the same network segment 1.1.1.0/24 with
VLAN-interface 1 of Switch A, while VLAN-interface 2 of Switch A and VLAN-interface 2
of Switch B are in the network segment 2.2.2.0/24. Static routes are configured on
Switch B. As a result, both PC 1 and PC 2 are reachable from Switch B.

Configure Switch A and Switch B so that:

■ When the ping 2.2.2.255 command is executed on PC 1, PC 1 can receive response
packets from both Switch A and Switch B.
■ When the ping 2.2.2.255 command is executed on PC 2, PC 2 can receive response
packets from only Switch A.

Network diagram

Figure 63 Network diagram for permitting receiving and forwarding of directed broadcast
packets

[Figure 63: PC1 (1.1.1.1/24) and PC2 (1.1.1.3/24) connect to VLAN 1 of Switch A
(1.1.1.2/24); VLAN 2 of Switch A (2.2.2.1/24) connects to VLAN 2 of Switch B (2.2.2.2/24)]

Configuration procedure
1 Configure Switch A
a Permit the receiving of directed broadcast packets.
<3Com> system-view
[3Com] ip forward-broadcast
b Define ACL 2000.
[3Com] acl number 2000
[3Com-acl-basic-2000] rule permit source 1.1.1.1 0
[3Com-acl-basic-2000] rule deny source any
c Configure to permit VLAN-interface 2 to forward directed broadcast packets matching
ACL 2000.
[3Com] interface vlan-interface 2
[3Com-Vlan-interface2] ip forward-broadcast acl 2000
2 Configure Switch B
a Permit the receiving of directed broadcast packets.
<3Com> system-view
[3Com] ip forward-broadcast

After this configuration, when you use the ping command on PC 1 to ping the broadcast
address 2.2.2.255 of the subnetwork segment where VLAN-interface 2 of Switch A resides,
PC 1 receives response packets from both Switch A and Switch B. When you use the ping
command on PC 2 to ping the same broadcast address, PC 2 receives response packets
from only Switch A.
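
The Figure 63 scenario as an added Python example, not part of the original guide: it evaluates ACL 2000 for each PC and lists which switches answer a ping to 2.2.2.255. First-match rule evaluation in configured order and all function names are assumptions; the `acl=None` case is the one the CAUTION describes, where the command is re-entered without an ACL.

```python
import ipaddress


def parse_basic_acl(rule_lines):
    """Parse 'rule permit|deny source <address> <wildcard>' and 'source any' lines."""
    rules = []
    for line in rule_lines:
        tok = line.split()
        if (len(tok) < 4 or tok[0] != "rule"
                or tok[1] not in ("permit", "deny") or tok[2] != "source"):
            raise ValueError(f"unsupported rule: {line!r}")
        if tok[3] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        else:
            address = int(ipaddress.IPv4Address(tok[3]))
            w = tok[4] if len(tok) > 4 else "0"
            # The guide writes the all-zero wildcard as a bare "0".
            wildcard = int(ipaddress.IPv4Address(w)) if "." in w else int(w)
        rules.append((tok[1], address, wildcard))
    return rules


def acl_permits(rules, source):
    """First matching rule decides (assumed order: as configured)."""
    src = int(ipaddress.IPv4Address(source))
    for action, address, wildcard in rules:
        # Bits set in the wildcard are "don't care"; all other bits must be equal.
        if ((src ^ address) & ~wildcard & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # packets that match no rule are dropped, as the guide states


# Addresses from Figure 63.
SWITCH_A_VLAN2 = ipaddress.IPv4Interface("2.2.2.1/24")
SWITCH_B_VLAN2 = ipaddress.IPv4Interface("2.2.2.2/24")

# ACL 2000 exactly as entered in step 1b.
ACL_2000 = parse_basic_acl([
    "rule permit source 1.1.1.1 0",
    "rule deny source any",
])


def responders(source, destination, forward_on_vlan2=True, acl=ACL_2000):
    """Switches that answer when `source` pings `destination` through Switch A.

    acl=None models 'ip forward-broadcast' on Vlan-interface 2 without an ACL.
    """
    dst = ipaddress.IPv4Address(destination)
    if dst != SWITCH_A_VLAN2.network.broadcast_address:
        return []  # not a directed broadcast for the 2.2.2.0/24 segment
    answers = ["Switch A"]  # system-view 'ip forward-broadcast': A receives it
    forwarded = forward_on_vlan2 and (acl is None or acl_permits(acl, source))
    if forwarded and dst == SWITCH_B_VLAN2.network.broadcast_address:
        answers.append("Switch B")  # B also has 'ip forward-broadcast' configured
    return answers


if __name__ == "__main__":
    for pc, addr in (("PC1", "1.1.1.1"), ("PC2", "1.1.1.3")):
        print(pc, "with ACL 2000:", responders(addr, "2.2.2.255"))
    print("PC2 after the ACL is dropped:", responders("1.1.1.3", "2.2.2.255", acl=None))
```

Without the ACL, every source on the 1.1.1.0/24 side can make every listening device on 2.2.2.0/24 reply, which is why the forwarding command is best audited together with its acl argument.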

Displaying and maintaining IP performance

After finishing the configuration, run the display command in any view to display the
running status and configuration effect of the IP performance.

In user view, you can run the reset command to clear statistics of IP, TCP and UDP
flows.

Table 159 Displaying and maintaining IP performance

To do…                                      Use the command…
Display current TCP connection state        display tcp status
Display statistics of TCP connection        display tcp statistics
Display statistics of UDP flows             display udp statistics
Display statistics of IP packets            display ip statistics
Display statistics of ICMP flows            display icmp statistics
Display current socket information of       display ip socket [ socktype sock-type ]
the system                                  [ task-id socket-id ]
Display FIB forward information             display fib [ | { begin | include | exclude } text |
                                            acl number | ip-prefix listname ]
Display FIB forward information matching    display fib ip-address1 [ { mask1 | mask-length1 }
the specified destination IP address        [ ip-address2 { mask2 | mask-length2 } | longer ] | longer ]
Display statistics about the FIB items      display fib statistics
Clear statistics of IP packets              reset ip statistics
Clear statistics of TCP flows               reset tcp statistics
Clear statistics of UDP flows               reset udp statistics
22 IP ROUTING OVERVIEW

Go to these sections for information about IP routing that you are interested in:
■ IP Routing and Routing Table
■ Routing Protocol Overview
■ Displaying and Maintaining a Routing Table

A router in this chapter refers to a generic router or a Layer 3 switch running routing
protocols. To improve readability, this will not be described in the present manual again.

IP Routing and Routing Table

Routing

Routing in the Internet is achieved through routers. Upon receiving a packet, a router
identifies an optimal route based on the destination address and forwards the packet to
the next router in the path until the packet reaches the last router, which forwards the
packet to the intended destination host.

Routing Through a Routing Table

Routing table

The routing table plays a key role in allowing routers to forward packets. Each router
maintains a routing table, and each entry in the table specifies which physical interface a
packet destined for a certain destination should go out to reach the next hop (the next
router) or the directly connected destination.

Routes in a routing table can be divided into three categories by origin:

■ Direct routes: Routes discovered by data link protocols, also known as interface
routes.
■ Static routes: Routes that are manually configured.
■ Dynamic routes: Routes that are discovered dynamically by routing protocols.

Contents of a routing table


A routing table includes the following key items:
■ Destination address: Indicates the destination address or destination network of an IP
packet.
■ Network mask: Specifies, in company with the destination address, the address of the
destination network. A logical AND operation between the destination address and
the network mask yields the address of the destination network. For example, if the
destination address is 129.102.8.10 and the mask 255.255.0.0, the address of the
destination network is 129.102.0.0. A network mask is made of a certain number of
consecutive 1s. It can be expressed in dotted decimal format or by the number of the
1s.

■ Outbound interface: Specifies the interface through which the IP packets are to be
forwarded.
■ IP address of the next hop: Specifies the address of the next router on the route. If
only the outbound interface is configured, its address will be the IP address of the
next hop.
■ Priority for the route. Multiple routes may exist to the same destination, each of
which has a different next hop and may be generated by various routing protocols or
be manually configured. The optimal route is the one with the highest priority (with
the smallest metric).

Routes can be divided into two categories by destination:

■ Subnet routes: The destination is a subnet.
■ Host routes: The destination is a host.

Based on whether the destination is directly connected to a given router, routes can be
divided into:

■ Direct routes: The destination is directly connected to the router.
■ Indirect routes: The destination is not directly connected to the router.

To prevent the routing table from getting too large, you can configure a default route. All
packets with no matching entry in the routing table will be forwarded through the
default route.

In Figure 64, the IP address on each cloud represents the address of the network. Router
R8 resides in three networks and therefore has three IP addresses for its three physical
interfaces. Its routing table is shown on the right of the network topology.

Figure 64 A sample routing table



Routing Protocol
Overview

Static Routing and Dynamic Routing

Static routing is easy to configure and requires less system resources. It works well in
small, stable networks with simple topologies. Its major drawback is that you must
perform routing configuration again whenever the network topology changes; it cannot
adjust to network changes by itself.

Dynamic routing, on the other hand, is based on dynamic routing protocols, which can
detect network topology changes and recalculate the routes accordingly. Therefore,
dynamic routing is suitable for large networks. Its disadvantages are that it is complicated
to configure, and that it not only imposes higher requirements on the system, but also
eats away a certain amount of network resources.

Classification of Dynamic Routing Protocols

Dynamic routing protocols can be classified based on the following standards:

Operational scope
■ Interior gateway protocols (IGPs): Work within an autonomous system. Typical examples
include RIP, OSPF, and IS-IS.
■ Exterior gateway protocols (EGPs): Work between autonomous systems. The most
popular one is BGP.

An autonomous system refers to a group of routers that share the same routing policy
and work under the same administration.

Routing algorithm
■ Distance-vector protocols: Includes mainly RIP and BGP. BGP is also considered a
path-vector protocol.
■ Link-state protocols: Includes mainly OSPF and IS-IS.

The main differences between the above two types of routing algorithms lie in the way
routes are discovered and calculated.

Type of the destination address
■ Unicast routing protocols: Includes RIP, OSPF, BGP, and IS-IS.
■ Multicast routing protocols: Includes PIM-SM and PIM-DM.

This chapter focuses on unicast routing protocols. For information on multicast routing
protocols, refer to “Multicast Configuration”.

Routing Protocols and Routing Priority

Different routing protocols may find different routes to the same destination. However,
not all of those routes are optimal. In fact, at a particular moment, only one protocol can
uniquely determine the current optimal routing to the destination. For the purpose of
route selection, every route (including static routes) is assigned a priority according to its
origin. The route with the highest priority is preferred.

The following table lists some routing protocols and the default priorities for routes
found by them:

Table 160 Routing Protocols and Routing Priority

Routing approach    Priority
DIRECT              0
OSPF                10
IS-IS               15
STATIC              60
RIP                 100
OSPF ASE            150
OSPF NSSA           150
IBGP                256
EBGP                256
UNKNOWN             255

■ The smaller the priority value, the higher the priority.
■ The priority for a direct route is always 0, which you cannot change. Any other type of
routes can have their priorities manually configured.
■ Each static route can be configured with a different priority.

Load Balancing and Route Backup

Load Balancing

In multi-route mode, multiple routes from the same routing protocol may exist to the
same destination. These routes have the same priority and will all be used to accomplish
load balancing if there is no other route with a higher priority available.

A given routing protocol may find several routes with the same metric to the same
destination, and if this protocol has the highest priority among all the active protocols,
then all its routes will be regarded as valid current routes. This realizes load
balancing of network traffic.

In current implementations, routing protocols supporting load balancing are RIP, OSPF,
and IS-IS. In addition, load balancing is also supported for static routes.

The number of routes for load balancing varies by device.

Route backup

Route backup can help in improving network reliability. With route backup, you can
configure multiple routes to the same destination, expecting the one with the highest
priority to be the main route and all the rest to be backup routes.

Under normal circumstances, packets are forwarded through the main route. When the
main route goes down, the route with the highest priority among the backup routes is
selected to forward packets. When the main route recovers, the route selection process is
performed again and the main route is selected again to forward packets.

Sharing of Routing Information

As different routing protocols use different algorithms to calculate routes, they may find
different routes. In a large network with multiple routing protocols, routing protocols
must share their routing information. Each routing protocol has its own route
redistribution mechanism. For detailed information, refer to “IP Routing Configuration”.

Displaying and Maintaining a Routing Table

Table 161 Displaying and Maintaining a Routing Table

To do…                                  Use the command…                                     Remarks
Display summary information about       display ip routing-table                             Available in any view
the active routes in the routing
table
Display detailed information about      display ip routing-table ip-address [ mask ]         Available in any view
the specified routes in the routing     [ longer-match ] [ verbose ]| | { begin | exclude |
table                                   include } regular-expression]
Display information about routes to     display ip routing-table ip-address                  Available in any view
the specified destination               [ mask-length | mask ] [ longer-match ] [ verbose ]
Display information about routes        display ip routing-table ip-address1                 Available in any view
with destination addresses in the       { mask-length | mask } ip-address2
specified range                         { mask-length | mask } [ verbose ]
Display information about routes        display ip routing-table acl acl-number              Available in any view
permitted by a specified basic ACL      [ verbose ]
Display information about routes        display ip routing-table ip-prefix                   Available in any view
selected by a specified prefix list     ip-prefix-name [ verbose ]
Display protocol specific routes        display ip routing-table protocol protocol           Available in any view
                                        [ inactive | verbose ]
Display statistics about the routing    display ip routing-table statistics                  Available in any view
table
Clear statistics for the routing        reset ip routing-table statistics protocol           Available in user view
table                                   { all | protocol }
23 STATIC ROUTING CONFIGURATION

A router in this chapter refers to a generic router or a Layer 3 switch running routing
protocols. To improve readability, this will not be described in the present manual again.

Introduction

Static Routing

A static route is a special route that is manually configured by the network administrator.
If a network is relatively simple, you only need to configure static routes for the network
to work normally. The proper configuration and usage of static routes can improve a
network’s performance and ensure bandwidth for important network applications.

The disadvantage of static routing is that, if a fault or a topological change occurs to the
network, the route will be unreachable and the network breaks. In this case, the network
administrator has to modify the configuration manually.

Default Routes

A default route is another special route generated from a static route or some dynamic
routes, such as OSPF and IS-IS.

Generally, a router selects the default route only when it cannot find any matching entry
in the routing table. In a routing table, the default route is in the form of the route to the
network 0.0.0.0 (with the mask 0.0.0.0). You can check whether a default route has
been configured by running the display ip routing-table command.

If the destination address of a packet fails to match any entry in the routing table, the
router selects the default route to forward the packet. If there is no default route and the
destination address of the packet is not in the routing table, the packet will be discarded
and an ICMP packet is sent to the source reporting that the destination or the network is
unreachable.

Application Environment of Static Routing

Switch 4500G Family supports general static routing.

You need to be familiar with the following contents while configuring static routes:

1 Destination address and masks

In the ip route-static command, the IPv4 address is in dotted decimal format and
the mask can be in either dotted decimal format or the mask length (the number of
consecutive 1s in the mask).

2 Output interface and the next hop address

While configuring static routes, you can specify either the output interface or next hop
address. Whether you should specify the output interface or the next hop address
depends on the specific occasion.

In fact, all the route entries must specify the next hop address. While forwarding a
packet, the corresponding route is determined by searching the routing table for the
packet’s destination address. Only after the next hop address is specified can the
corresponding link-layer address be found for the link layer to forward the packet.

3 Other attributes

You can configure different preferences for different static routes to make routing
management policies easier to apply. For example, while configuring multiple routes to
the same destination, using identical preferences allows for load sharing while using
different preferences allows for routing backup.

While running the ip route-static command to configure a static route, configuring an
all-zero destination address and mask specifies the default route.

Switch 4500G Family does not support load sharing.

Configuring Static Route

Configuration Prerequisites

Before configuring a static route, you need to finish the following tasks:
■ Configuring the physical parameters for related interfaces
■ Configuring the link-layer attributes for related interfaces
■ Configuring the IP addresses for related interfaces

Configuring Static Routes

Follow these steps to configure a static route:

Table 162 Configuring Static Routes

Operation                           Command                                              Description
Enter system view                   system-view                                          —
Configure a static route            ip route-static ip-address { mask | mask-length }    Required
                                    { [ vlan-interface vlan-id ] nexthop-address |
                                    NULL interface-number } [ preference preference |
                                    description description-info | tag tag-value ]*
Configure the default preference    ip route-static default-preference                   Optional
for a static route                  default-preference-value                             The preference is 60 by default.

■ When you configure a static route without specifying a preference, the default
preference is used. After the default preference is reset, the new value applies only to
newly created static routes.
■ The description text can describe the usage and function of specific routes, which
makes it easy for you to classify and manage different static routes.
■ You can easily control the routes by using the tag set in the routing policy.

Displaying and Maintaining Static Routes

After the configuration, you can run the display command in any view to display the
running status and configuration effect of the static route configuration.

You can use the delete command in the system view to delete all the static routes
configured.

Follow these steps to display and maintain a static route:

Table 163 Displaying and Maintaining Static Routes

Operation                                     Command
Display the current configuration             display current-configuration
Display the summary of the IP routing table   display ip routing-table
Display the details of the IP routing table   display ip routing-table verbose
Display the information of a static route     display ip routing-table protocol static
                                              [ inactive | verbose ]
Delete all static routes                      delete static-routes all

You can use the undo ip route-static command in the system view to delete a static route,
and use the delete static-routes all command in the system view to delete all the static
routes configured (including the default IPv4 routes configured manually) at the same
time.

Example of Static Routes Configuration

Network requirements

The switches’ interfaces and the hosts’ IP addresses and masks are shown in the
following figure. It requires static routes to connect the hosts for inter-communication.

Network diagram

Figure 65 Network diagram for static routes

[Figure 65: three switches in a row (Switch A, Switch B, Switch C), each with one host]
Switch A: Vlan-interface200 1.1.1.1/24 (PC1, 1.1.1.2/24); Vlan-interface100 1.1.4.1/30
Switch B: Vlan-interface102 1.1.2.1/24 (PC2, 1.1.2.2/24); Vlan-interface100 1.1.4.2/30;
Vlan-interface101 1.1.4.5/30
Switch C: Vlan-interface300 1.1.3.1/24 (PC3, 1.1.3.2/24); Vlan-interface101 1.1.4.6/30

Configuration procedure
1 Configuring the interfaces’ IP addresses

Omitted.

2 Configuring the static route

a Configure a default route on Switch A.
[Switch A] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
b Configure two static routes on Switch B.
[Switch B] ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
[Switch B] ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
c Configure a default route on Switch C.
[Switch C] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
3 Configure the hosts

The default gateways for the three hosts PC1, PC2 and PC3 are configured as 1.1.1.1,
1.1.2.1 and 1.1.3.1 respectively.

4 Display the configuration result

a Display the IP route table of Switch A.
[Switch A]display ip routing-table
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost   NextHop      Interface

0.0.0.0/0           Static  60   0      1.1.4.2      Vlan100
1.1.1.0/24          Direct  0    0      1.1.1.1      Vlan200
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
1.1.4.0/30          Direct  0    0      1.1.4.1      Vlan100
1.1.4.1/32          Direct  0    0      127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
b Use the ping command to check the connectivity.
[Switch A] ping 1.1.3.1
PING 1.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 1.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
Reply from 1.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
Reply from 1.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
Reply from 1.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms

--- 1.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms

c Use the tracert command to check the connectivity.
[Switch A] tracert 1.1.3.1
traceroute to 1.1.3.1(1.1.3.1) 30 hops max,40 bytes packet
1 1.1.4.2 31 ms 32 ms 31 ms
2 1.1.4.6 62 ms 63 ms 62 ms
24 RIP CONFIGURATION

The term "router" in this document refers to a router in a generic sense or a Layer 3
switch. To improve readability, this will not be described in the present manual again.

RIP Overview

RIP is a simple Interior Gateway Protocol (IGP), which is mainly used in small-size
networks, such as academic networks and simple structured LANs.

RIP is still widely used in practical networking due to its simple implementation, and
easier configuration and maintenance than OSPF and IS-IS.

RIP Mechanism

Basic concept of RIP

RIP is a distance-vector-based routing protocol, using UDP messages for exchanging
information on port 520.

RIP uses a routing metric (Hop Count) to measure the distance to the destination. The
Hop Count from a router to its directly connected network is 0, a network reachable
through one other router is one hop away, and so on. To reduce the convergence time, RIP
limits the metric value to the range 0 to 15. A value equal to or larger than 16 is
considered infinity, which means the destination network is unreachable. That is why RIP
cannot be used in large-scale networks.

RIP prevents routing loops by implementing Split Horizon and Poison Reverse functions.

RIP routing table


Each RIP router has a routing table containing routing entries for all reachable
destinations. Each entry holds the following:
■ Destination address: The IP address of a host or a network.
■ Next hop: The IP address of the adjacent router toward the destination network.
■ Interface: The interface used for forwarding.
■ Metric: The cost from the local router to the destination.
■ Routing time: The amount of time since the entry was last updated. The time is reset
to 0 every time the routing entry is updated.
■ Route change tag: Indicates that the information about this route has changed.

RIP timers
RIP uses four timers to control its operation. They are Update, Timeout, Suppress, and
Garbage-Collect.
■ Update timer. Triggers the periodic sending of update messages.
■ Timeout timer. Controls the validity of a route. A route is considered unreachable
when the RIP router does not receive update messages from any neighbor within the
aging time.
■ Suppress timer. A route changes to the suppress status when no update messages are
received within the timeout value or when the metric value reaches 16. In the suppress
status, the router accepts only update messages that have a metric value less than 16
and come from the same neighbor to replace the unreachable route.
■ Garbage-Collect timer. The period from when the metric value of a route reaches 16 to
when the route is purged from the table is defined as the garbage collection time in
the RFC. During the Garbage-Collect time, RIP keeps advertising the route with a metric
value of 16. Once the Garbage-Collect time expires and the route has not been updated,
the route is deleted from the table.

RIP initialization and running procedure


The following procedure describes how RIP works.
1 After enabling RIP, the router sends Request messages to neighboring routers.
Neighboring routers return Response messages including all information about the
routing table.
2 The router updates its local routing table, and broadcasts the routing updates to its
neighbors with triggered update messages. All routers on the network do the same to
keep the latest routing table.

In RIP, the routing table on each router is updated upon receipt of RIP messages
periodically advertised by neighboring routers. The aged routes are deleted to make sure
routes are always valid. The procedure is as follows: RIP periodically advertises the local
routing table to neighboring routers, which update their local routes upon receipt of the
packets. This procedure repeats on all RIP-enabled routers.

Routing loops prevention


RIP is a distance-vector (D-V) based routing protocol. Each router calculates the distance
to a destination based on the routing information from its neighbors. When a connection
to a destination goes down, there is no way for the router on that connection to notify
the others about its metric changes. The other routers still use the old routing
information to calculate the distance to that destination. Therefore, routing loops can
occur in this case.

RIP uses the following mechanisms to prevent routing loops.

■ Counting to infinity. The metric value of 16 is defined as infinity. When a routing loop
occurs, the route is considered unreachable once the metric value reaches 16.
■ Split Horizon. The router does not send routes back to neighboring routers through the
interface on which it received them. Split Horizon can definitely prevent routing
loops and save bandwidth.
■ Poison Reverse. The router sends routes back through the interface from which they
were received, with a metric value of 16 (meaning infinity). This method can remove
useless information from the routing tables of neighboring routers.
■ Triggered Updates. Each router sends out its new routing table as soon as it receives
an update, rather than waiting until the usual update period expires. This can speed
up the network convergence.
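
The effect of the mechanisms listed above on counting to infinity, as an added Python example (not from the 3Com guide). It assumes two routers A and B that exchange updates in synchronous rounds, an outgoing metric increment of 1, and a single destination that was directly connected to B and has just failed; the function names are illustrative.

```python
INFINITY = 16  # metric that means "unreachable"

def advertise(entry, to_neighbor, mode):
    """Metric advertised for the destination to one neighbor, or None if nothing is sent.

    entry is (metric, next_hop); mode is "none", "split-horizon" or "poison-reverse".
    """
    metric, next_hop = entry
    if next_hop == to_neighbor:              # route was learned from this neighbor
        if mode == "split-horizon":
            return None                      # do not send it back at all
        if mode == "poison-reverse":
            return INFINITY                  # send it back as unreachable
    return min(metric + 1, INFINITY)         # add one hop, capped at infinity

def receive(entry, from_neighbor, adv):
    """Apply one advertised metric to the local (metric, next_hop) entry."""
    metric, next_hop = entry
    if adv is None:
        return entry
    if from_neighbor == next_hop or adv < metric:
        return (adv, from_neighbor)          # the current next hop is always believed
    return entry

def rounds_to_converge(mode, max_rounds=50):
    """Rounds until both routers hold metric 16 after B loses the network."""
    # State right after the failure: A still holds the stale route via B.
    tables = {"A": (1, "B"), "B": (INFINITY, None)}
    for rnd in range(1, max_rounds + 1):
        a_adv = advertise(tables["A"], "B", mode)
        b_adv = advertise(tables["B"], "A", mode)
        tables["A"] = receive(tables["A"], "B", b_adv)
        tables["B"] = receive(tables["B"], "A", a_adv)
        if all(metric == INFINITY for metric, _ in tables.values()):
            return rnd
    return None

if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(mode, rounds_to_converge(mode))
```

Without either mechanism the stale route bounces between the two routers and its metric climbs by one per round until it reaches 16; with Split Horizon or Poison Reverse, A never offers B the route it learned from B, so both tables agree after one round.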

RIP Version

RIP has two versions: RIP-1 and RIP-2.

RIP-1, a Classful Routing Protocol, supports broadcasting protocol messages. RIP-1
protocol messages do not carry mask information, which means it can only recognize
routing information on segments with natural addresses such as Class A, B, and C. That
is why RIP-1 does not support routing convergence and discontiguous subnets.

RIP-2 is a Classless Routing Protocol. Compared with RIP-1, RIP-2 has the following
advantages.

■ Supports Route Tag. The Route Tag is intended to differentiate the internal RIP routes
from the external RIP routes.
■ Supports masks, route summarization and CIDR (Classless Inter-Domain Routing).
■ Supports next hop, which must be directly reachable on the broadcast network.
■ Supports multicasting to reduce unnecessary load on hosts that do not need to listen
to RIP-2 messages.
■ Supports authentication to enhance security. Plain text authentication and MD5
(Message Digest 5) are two authentication methods.

RIP-2 has two types of message transmission: broadcasting and multicasting.
Multicasting is the default type using 224.0.0.9 as the multicast address. The interfaces
running RIP-2 broadcasting can also receive RIP-1 messages.

RIP Message Format

RIP-1 message format

A RIP message consists of a Header and up to 25 Route Entries.

The format of the RIP-1 message is shown in Figure 66.

Figure 66 RIP-1 Message Format

         0             7             15                          31
Header   | command     | version     | must be zero              |
Route    | address family identifier | must be zero              |
Entries  | IP address                                            |
         | must be zero                                          |
         | must be zero                                          |
         | metric                                                |

■ Command: The type of message. 1 indicates Request, 2 indicates Response.


■ Version: The version of RIP. RIP-1 is 0x01.
■ AFI (Address Family Identifier): The family of protocol. 2 is for IP.
■ IP Address: IP address of the destination. Only natural addresses are acceptable here.
■ Metric: The cost of the route.

RIP-2 message format


The format of the RIP-2 message is similar to that of RIP-1, as shown in Figure 67.

Figure 67 RIP-2 Message Format

         0             7             15                          31
Header   | Command     | Version     | unused                    |
Route    | Address Family Identifier | Route Tag                 |
Entries  | IP Address                                            |
         | Subnet Mask                                           |
         | Next Hop                                              |
         | Metric                                                |

The differences from RIP-1 are as follows.

■ Version: The version of RIP. For RIP-2 the value is 0x02.
■ Route Tag: An attribute indicating where the routes were imported from.
■ IP Address: The destination IP address. It could be a natural address, subnet address or
host address.
■ Subnet Mask: Mask of the destination address.
■ Next Hop: The address of the best next hop. 0.0.0.0 indicates that the originator of
the route is the best next hop.

RIP-2 authentication
RIP-2 supports plain text authentication, which uses the first Route Entry for
authentication. The value of 0xFFFF indicates that the entry is authentication information
rather than routing information. See Figure 68.

Figure 68 RIP-2 Authentication Message

         0             7             15                          31
         | command     | version     | unused                    |
         | 0xFFFF                    | Authentication Type       |
         | Authentication (16 octets)                            |

■ Authentication Type: 2 represents plain text authentication, while 3 represents MD5.


■ Authentication: The actual authentication data. It includes the password information
when using plain text authentication.

RFC 1723 only defines plain text authentication. For information about MD5
authentication, see RFC 2082 “RIP-2 MD5 Authentication”.
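
The RIP-1 and RIP-2 layouts and the authentication entry described above, as an added Python example (not from the 3Com guide): a parser that reads the header and the 20-byte entries and reports the authentication posture of each message. The function names, finding strings and sample packets are constructed for illustration; treating a later 0xFFFF entry as the digest trailer follows RFC 2082.

```python
import ipaddress
import struct

AUTH_AFI = 0xFFFF                        # marks an authentication entry
AUTH_TYPES = {2: "plain-text", 3: "MD5"}

def _ip(raw):
    return str(ipaddress.IPv4Address(raw))

def parse_rip(payload):
    """Split a RIP UDP payload into header fields, auth type and route entries."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("expected a 4-byte header plus 20-byte entries")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    msg = {"command": command, "version": version, "auth": None, "routes": []}
    for idx, off in enumerate(range(4, len(payload), 20)):
        afi, tag, addr, mask, nhop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi == AUTH_AFI:
            if idx == 0 and version == 2:        # first entry carries the auth type
                msg["auth"] = AUTH_TYPES.get(tag, "unknown(%d)" % tag)
                continue
            if msg["auth"] == "MD5":             # RFC 2082 trailer holding the digest
                break
            raise ValueError("authentication entry out of place")
        msg["routes"].append({"afi": afi, "tag": tag, "dest": _ip(addr),
                              "mask": _ip(mask), "next_hop": _ip(nhop), "metric": metric})
    if len(msg["routes"]) > 25:
        raise ValueError("more than 25 route entries")
    return msg

def audit(msg):
    """Return findings a defender would want raised for one parsed message."""
    findings = []
    if msg["version"] == 1:
        findings.append("RIP-1: message format has no authentication")
        for r in msg["routes"]:
            if r["tag"] or r["mask"] != "0.0.0.0" or r["next_hop"] != "0.0.0.0":
                findings.append("RIP-1 must-be-zero field set for " + r["dest"])
    elif msg["auth"] is None:
        findings.append("RIP-2 without an authentication entry")
    elif msg["auth"] == "plain-text":
        findings.append("RIP-2 plain-text authentication: password is readable on the wire")
    for r in msg["routes"]:
        if r["metric"] > 16:
            findings.append("metric above infinity (16) for " + r["dest"])
    return findings

def entry(afi, tag, addr="0.0.0.0", mask="0.0.0.0", nhop="0.0.0.0", metric=0):  # samples only
    return struct.pack("!HH4s4s4sI", afi, tag,
                       *(ipaddress.IPv4Address(a).packed for a in (addr, mask, nhop)), metric)

# Constructed sample messages (not captured traffic): command 2 = Response.
HDR_V2 = struct.pack("!BBH", 2, 2, 0)
ROUTE = entry(2, 0, "1.1.3.0", "255.255.255.0", metric=2)
PLAIN = HDR_V2 + struct.pack("!HH16s", AUTH_AFI, 2, b"constructed-pw") + ROUTE
MD5 = HDR_V2 + entry(AUTH_AFI, 3) + ROUTE + entry(AUTH_AFI, 1)
NOAUTH = HDR_V2 + ROUTE

if __name__ == "__main__":
    print({n: audit(parse_rip(p)) for n, p in (("plain", PLAIN), ("md5", MD5), ("noauth", NOAUTH))})
```

The parser only identifies the authentication type; it does not verify an MD5 digest, which requires the shared key.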

RIP Feature Supported

Currently, Comware 5.0 supports the following RIP features.
■ RIP-1
■ RIP-2

RIP Related RFC

■ RFC 1058: Routing Information Protocol
■ RFC 1723: RIP Version 2 - Carrying Additional Information
■ RFC 1721: RIP Version 2 Protocol Analysis
■ RFC 1722: RIP Version 2 Protocol Applicability Statement
■ RFC 1724: RIP Version 2 MIB Extension
■ RFC 2082: RIP-2 MD5 Authentication

RIP Basic Configuration

In this section, you are presented with the information needed to configure the basic RIP
features.

Configuration Prerequisites

Before configuring RIP features, first configure an IP address on each interface, and
make sure all routers are reachable.

Configuring RIP Basic Function

Enabling RIP and specifying networks

Follow these steps to enable RIP:

Table 164 Configuring RIP Basic Function

Operation                               Command                                 Description

Enter system view                       system-view                             ––
Enable RIP and enter RIP view           rip [ process-id ]                      ––
Enable RIP on specified network         network network-address                 Required; disabled by default

■ If you perform some RIP configurations in interface view before enabling RIP, those
configurations will take effect after RIP is enabled.
■ The router does not send, receive or forward any routing information if you do not
enable RIP on that network.
■ You can enable RIP on all interfaces of the network by using the network 0.0.0.0
command.

Configuring the interface behavior


Follow these steps to configure interface behavior:
Table 165 Configuring the interface behavior

Operation                               Command                                 Description

Enter system view                       system-view                             ––

Enter RIP view                          rip [ process-id ]                      ––

Stop routing updates on all             silent-interface all                    Optional
interfaces                                                                      All interfaces can receive
                                                                                routing updates by default

Stop routing updates on one             silent-interface interface-type         Optional
interface                               interface-number                        All interfaces can receive
                                                                                routing updates by default

Enter interface view                    interface interface-type                ––
                                        interface-number

Configure an interface to               rip input                               Optional
receive routing updates                                                         By default, the router receives
                                                                                and sends RIP messages

Configure an interface to               rip output                              Optional
send routing updates                                                            By default, the router receives
                                                                                and sends RIP messages

Stopping routing updates means that the router receives routing updates without
forwarding them.

Configuring the RIP version


Follow these steps to configure the RIP version:

Table 166 Configuring the RIP version

Operation                               Command                                 Description

Enter system view                       system-view                             ––

Enter RIP view                          rip [ process-id ]                      ––

Specify a global RIP version            version { 1 | 2 }                       Optional
                                                                                RIP-1 by default

Enter interface view                    interface interface-type                ––
                                        interface-number

Specify a RIP version on the            rip version { 1 | 2 [                   Optional
interface                               broadcast | multicast ] }               By default, the router receives
                                                                                RIP-1 and RIP-2 messages, but
                                                                                only sends RIP-1 messages. If
                                                                                the RIP version is 2, you can
                                                                                specify the message is
                                                                                broadcast or multicast.

If the RIP version specified on the interface and the global RIP version are inconsistent,
the RIP version specified on the interface is used.

If no RIP version is specified on the interface, the global RIP version is used.

RIP Route Control

In some complex network environments, you need to make the RIP configuration more
precise.

This section covers the following topics:

■ Configuring additional routing metrics to affect routing options.
■ Configuring the route summarization to reduce the size of routing tables.
■ Configuring host routes to reduce the size of routing tables.
■ Configuring default routes.
■ Configuring filtering policies.
■ Configuring the protocol priority.
■ Redistributing routes.

Before configuring RIP routing information, finish the following tasks first:

■ Configure IP address on each interface, and make sure all routers are reachable.
■ Configure basic RIP functions

Configuring RIP Route Control

Configuring additional routing metric

To increase the value of routing metrics, you can add a value to the incoming or outgoing
routing metric learned by RIP.

Follow these steps to configure additional routing metrics:

Table 167 Configuring RIP Route Control

Operation                               Command                                 Description

Enter system view                       system-view                             ––

Enter interface view                    interface interface-type                ––
                                        interface-number

Define an additional routing            rip metricin value                      Optional
metric for incoming routes                                                      0 by default

Define an additional routing            rip metricout value                     Optional
metric for outgoing routes                                                      1 by default

The rip metricout command applies only to the router's own routes and those learned by
RIP. It does not apply to routes imported from other routing protocols.

Configuring route summarization


Route summarization means that subnet routes in a natural network are summarized so that
the whole network is advertised as a single route with the natural mask. This function
reduces the size of the routing tables and thereby the network load.

RIP-1 does not support route summarization. So when RIP-2 is running, you need to
disable the route summarization function if you want to advertise all subnet routes.

Follow these steps to configure RIP route summarization:

Table 168 Configuring route summarization

Operation                               Command                                 Description

Enter system view                       system-view                             ––

Enter RIP view                          rip [ process-id ]                      ––

Enable RIP-2 automatic                  summary                                 Optional
route summarization                                                             Enabled by default

Enter interface view                    interface interface-type                ––
                                        interface-number

Assign an IP address and                rip summary-address                     Optional
network mask for the                    network-address network-mask
summarized routes to be
advertised

Disabling the receiving of host routes


In some cases, the router receives a large number of host routes from the same network.
These routes are not helpful for routing but consume a large amount of network resources.
After the host route function is disabled, the router discards host route information.

Follow these steps to disable the receiving of host routes:

Table 169 Disabling the receiving of host routes

Operation                               Command                                 Description

Enter system view                       system-view                             ––
Enter RIP view                          rip [ process-id ]                      ––
Disabling the receiving of host         undo host-route                         Optional; enabled by default
routes

Configuring default route


Follow these steps to configure RIP default route:
Table 170 Configuring default route

Operation                               Command                                 Description

Enter system view                       system-view                             ––
Enter RIP view                          rip [ process-id ]                      ––
Configure a RIP default route           default-route originate                 Required
                                        cost value

Configuring route filtering


Route filtering is supported by the router. You can filter incoming and outgoing routes by
setting inbound and outbound filter policies that use an access list or an IP address
prefix list. You can also specify that incoming routes are accepted from particular
neighbors.

Follow these steps to configure route filtering:

Table 171 Configuring route filtering

Operation                               Command                                 Description

Enter system view                       system-view                             ––

Enter RIP view                          rip [ process-id ]                      ––

Define the filtering policy             filter-policy { acl-number |            Required
                                        ip-prefix ip-prefix-name [
                                        gateway ip-prefix-name ] } import [
                                        interface-type interface-number ]

Configuring protocol priority


Follow these steps to configure protocol priorities:

Table 172 Configuring protocol priority

Operation                               Command                                 Description

Enter system view                       system-view                             ––
Enter RIP view                          rip [ process-id ]                      ––
Set the protocol priority               preference [ route-policy               Optional
                                        route-policy-name ] value               100 by default

Redistributing route
Follow these steps to import external routes:
Table 173 Redistributing route

Operation                               Command                                 Description

Enter system view                       system-view                             ––

Enter RIP view                          rip [ process-id ]                      ––

Define a value for the                  default-cost value                      Optional
default cost of the imported                                                    If no value is set during
route                                                                           importing, use this default
                                                                                value as the route cost.

Import a route                          import-route protocol [                 Required
                                        process-id ] [ cost cost-value |
                                        route-policy
                                        route-policy-name | tag
                                        tag-value ]*

Define the filtering policy for         filter-policy { acl-number |            Optional
the redistributed route                 ip-prefix ip-prefix-name }
                                        export [ protocol [ process-id ]
                                        | interface-type
                                        interface-number ]

When advertising routing information, you can set the protocol parameter to filter the
routing information imported from other protocols. If no protocol parameter is set,
all routing information, including RIP routes (directly connected routes) and imported
routes, is advertised.

RIP Configuration Optimization

In special network environments, you need to configure some other RIP features to
optimize the network performance.

This section covers the following topics:

■ Configuring RIP timer


■ Configuring split horizon and poison reverse
■ Configuring RIP updating message validation
■ Configuring RIP-2 message authentication
■ Configuring RIP peer

Finish the following tasks before starting RIP optimization.

■ Configure network addresses on interfaces, and make sure neighboring nodes are
reachable.
■ Configure RIP basic functions.

Configuration Procedure

Configuring RIP timer

Follow these steps to configure the RIP timer:

Table 174 Configuring RIP timer

Operation Command Description


Enter system view system-view ––
Enter RIP view rip [ process-id ] ––
Assign a value to each timers { garbage-collect Optional
timer garbage-collect-value |
By default, 30s for update timer,