HP 1910 Switch Series User Guide Part number: 5998-2269 Software version: Release 1511 Document version: 6W100-20120528...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Contents
Overview  1
Configuration through the Web interface  2
  Logging in to the Web interface  2
  Logging out of the Web interface  3
  Introduction to the Web interface  3
  Web user level  4
...
Displaying system and device information  1
  Displaying system information  1
    Displaying basic system information  1
    Displaying the system resource state  2
    Displaying recent system logs  2
    Displaying the refresh period  2
...
Port mirroring implementation  34
Recommended configuration procedures  35
  Configuring a mirroring group  35
  Configuring ports for a mirroring group  36
Local port mirroring configuration example  38
  Network requirements  38
...
  Enabling SNMP agent  74
Configuring an SNMP view  76
  Creating an SNMP view  76
  Adding rules to an SNMP view  77
Configuring an SNMP community  78
Configuring an SNMP group  79
...
  Types of MAC address table entries  139
Displaying and configuring MAC address entries  139
Setting the aging time of MAC address entries  140
MAC address configuration example  141
Configuring MSTP  143
...
Configuring 802.1X  302
Overview  302
  802.1X architecture  302
  Access control methods  302
  Controlled/uncontrolled port and port authorization status  303
  802.1X-related protocols  303
  Packet formats  304
  EAP over RADIUS  305
...
  Security and authentication mechanisms  374
  Basic RADIUS message exchange process  375
  RADIUS packet format  376
  Extended RADIUS attributes  378
  Protocols and standards  379
Recommended RADIUS configuration procedure  379
Configuring RADIUS servers  ...
PoE configuration example  478
  Network requirements  478
  Configuration procedure  479
Support and other resources  481
Contacting HP  481
  Subscription service  481
Related information  481
  Documents  481
...
Overview
The HP 1910 Switch Series can be configured through the command line interface (CLI), the Web interface, and SNMP/MIB. These configuration methods suit different application scenarios.
• The Web interface supports all 1910 Switch Series configurations.
• The CLI provides a limited set of configuration commands to facilitate your operation. To perform other ...
Configuration through the Web interface
The device provides web-based configuration interfaces for visual device management and maintenance.
Figure 1 Web-based network management operating environment
Logging in to the Web interface
You can use the following default settings to log in to the web interface through HTTP:
• Username—admin
...
For example, assign the PC an IP address within 169.254.0.0/16 other than the default IP address of the device (for example, 169.254.52.1). Open the browser and enter the login information: type http://169.254.52.86 in the address bar and press Enter. The login page of the web interface (see Figure 3) appears. Because the default account is publicly documented and HTTP carries the password in cleartext, change the admin password at first login and keep the management interface on a network that untrusted hosts cannot reach.
Figure 4 Web-based configuration interface: (1) Navigation tree, (2) Body area, (3) Title area
• Navigation tree—Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed. The result is displayed in the body area.
• Body area—Allows you to configure and display features.
Table 1 Web-based NM function description (function menu: description, user level)
Wizard > IP Setup: Perform quick configuration of the device. (Management)
Stack > Setup: Display global settings and port settings of a stack. (Configure) / Configure global parameters and stack ports. (Management)
Stack > Topology Summary: Display the topology summary of a stack.
Function menu: description, user level (continued)
Port Management > Summary: Display port information by features. (Monitor)
Port Management > Detail: Display feature information by ports. (Monitor)
Port Management > Setup: Create, modify, delete, and enable/disable a port, and clear port statistics. (Configure)
Port Mirroring > Summary: Display the configuration information about a port mirroring group. (Monitor)
Function menu: description, user level (continued)
SNMP > Setup: Display and refresh SNMP configuration and statistics information. (Monitor) / Configure SNMP. (Configure)
SNMP > Community: Display SNMP community information. (Monitor) / Create, modify, and delete an SNMP community. (Configure)
SNMP > Group: Display SNMP group information. (Monitor) / Create, modify, and delete an SNMP group. (Configure)
SNMP > User: Display SNMP user information. (Monitor)
Function menu: description, user level (continued)
OUI Add: Add the address of an OUI that can be identified by voice VLAN. (Configure)
OUI Remove: Remove the address of an OUI that can be identified by voice VLAN. (Configure)
MAC: Display MAC address information. (Monitor) / Create and remove MAC addresses.
Function menu: description, user level (continued)
MLD Snooping > Basic: Display global MLD snooping configuration information or the MLD snooping configuration information in a VLAN, and the MLD snooping multicast entry information. (Monitor) / Configure MLD snooping globally or in a VLAN. (Configure)
MLD Snooping: Display the MLD snooping configuration information on a port. (Monitor)
Function menu: description, user level (continued)
ARP Anti-Attack: Configure gratuitous ARP. (Configure)
ARP Anti-Attack > ARP Detection: Display ARP detection configuration information. (Monitor) / Configure ARP detection. (Configure)
802.1X > 802.1X: Display 802.1X configuration information globally or on a port. (Monitor) / Configure 802.1X globally or on a port. (Configure)
Portal: Display configuration information about the portal server and advanced parameters for portal...
Function menu: description, user level (continued)
Certificate: Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate. (Configure)
CRL: Display the contents of the CRL. (Monitor) / Receive the CRL of a domain. (Configure)
Port Isolate Group > Summary: Display port isolation group information. (Monitor)
...
Function menu: description, user level (continued)
Port Setup: Configure traffic mirroring and traffic redirecting for a traffic behavior. (Configure)
Remove: Delete a traffic behavior. (Configure)
QoS Policy > Summary: Display QoS policy configuration information. (Monitor)
QoS Policy > Create: Create a QoS policy. (Configure)
QoS Policy > Setup: Configure the classifier-behavior associations for a QoS policy... (Configure)
Button and icon: function
Select all: Used to select all the entries on a list, or all the ports on the device panel.
Deselect all: Used to deselect all the entries on a list, or all the ports on the device panel.
Search function On some list pages, the web interface provides basic and advanced search functions. You can use the search function to display those entries matching certain search criteria. • Basic search function—As shown in Figure 5, input the keyword in the text box above the list, select a search item from the drop-down list and click the Search button to display the entries that match the criteria.
Figure 8 Advanced search function example (I)
Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 9, and click Apply. The ARP entries whose interface is GigabitEthernet1/0/19 and whose IP address falls in the range 192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 10.
Figure 9 Advanced search function example (II)
Figure 10 Advanced search function example (III)
As shown in Figure 11, you can click the blue heading of each column to sort the entries by that column. The heading is then displayed with an arrow beside it: an upward arrow indicates ascending order, and a downward arrow indicates descending order.
Troubleshooting web console
Unable to access devices through the web console
Symptom
You can ping and Telnet to a device on which the HTTP service is running, and the operating system and Internet Explorer versions meet the requirements of the web console. However, you are unable to access the web console of the device.
Click Custom Level. The Security Settings dialog box appears, as shown in Figure 13. Enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting. Apply these settings only to the security zone that contains the switch's management address, not to the Internet zone, because they relax the browser's protection for every site in the zone.
Figure 13 Internet Explorer settings (II)
Click OK to save your settings.
For Firefox Browser
Launch the Firefox browser, and select Tools >...
Figure 14 Firefox browser settings Click OK to save your settings.
Configuration at the CLI
The HP 1910 Switch Series can be configured through the CLI, the Web interface, and SNMP/MIB, among which the Web interface supports all 1910 Switch Series configurations. These configuration methods suit different application scenarios. As a supplement to the Web interface, the CLI provides some configuration commands to facilitate your operation, which are described in this chapter.
NOTE:
• The serial port on a PC does not support hot swapping. When you connect a PC to a powered-on switch, connect the DB-9 connector of the console cable to the PC before connecting the RJ-45 connector to the switch.
Figure 17 Setting the serial port used by the HyperTerminal connection Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, and click OK. Figure 18 Setting the serial port parameters Select File >...
Figure 19 HyperTerminal window Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box. Figure 20 Setting terminal emulation in Switch Properties dialog box...
Username:admin
Press Enter. The Password prompt appears.
Password:
The login information is verified, and the following CLI prompt appears:
<HP 1910 Switch>
If the password is invalid, the following message appears and the login process restarts:
% Login failed!
CLI commands
This section contains the following commands:
...
initialize
Syntax: initialize
Parameters: None
Description: Use initialize to delete the configuration file to be used at the next startup and reboot the device with the factory-default configuration. Use the command with caution: it deletes the next-startup configuration file and restores the factory default settings, so the device comes back with its factory-default management settings and login account.
Change password for user: admin
Old password: ***
Enter new password: **
Retype password: **
The password has been successfully changed.
The asterisks are placeholders, not a recommended length; choose a new password that meets the length and complexity your organization's policy requires.
ping
Syntax: ping host
Parameters: host: Destination IPv4 address (in dotted decimal notation) or host name (a string of 1 to 255 characters).
Description: Use ping to ping a specified destination.
Examples
# Ping IPv6 address 2001::4.
<Sysname> ping ipv6 2001::4
PING 2001::4 : 56 data bytes, press CTRL_C to break
Reply from 2001::4 bytes=56 Sequence=1 hop limit=64 time = 15 ms
Reply from 2001::4 bytes=56 Sequence=2 hop limit=64 time = 2 ms
Reply from 2001::4 bytes=56 Sequence=3 hop limit=64 time = 11 ms
...
reboot
Syntax: reboot
Parameters: None
Description: Use reboot to reboot the device and run the main configuration file. Use the command with caution because rebooting interrupts service. If the main configuration file is corrupted or does not exist, the device cannot be rebooted with the reboot command.
To put the downloaded software package into effect, reboot the device.
NOTE: The HP 1910 Switch Series does not provide an independent Boot ROM image. Instead, it integrates the Boot ROM image with the system software image file in a single software package file with the extension .bin.
192.168.10.1/24. The gateway and the switch can reach each other. The administrator upgrades the Boot ROM image and the system software image file of the 1910 switch through the PC and sets the IP address of the switch to 192.168.1.2/24.
File downloaded successfully.
BootRom file updating finished!
# Reboot the switch.
<Switch> reboot
After obtaining the new image file, reboot the switch to put the upgraded image into effect.
Configuration wizard
Overview
The configuration wizard guides you through configuring the basic service parameters, including the system name, the system location, the contact information, and the management IP address.
Basic service setup
Entering the configuration wizard homepage
Select Wizard from the navigation tree.
Figure 22 Configuration wizard homepage
Configuring system parameters
On the wizard homepage, click Next.
Figure 23 System parameter configuration page
Configure the parameters as described in Table 3.
Table 3 Configuration items
Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device >...
On the system parameter configuration page, click Next.
Figure 24 Management IP address configuration page
Configure the parameters as described in Table 4.
Table 4 Configuration items
VLAN interface: Select a VLAN interface. Available VLAN interfaces are those configured in the page that you enter by selecting Network >...
DHCP / BOOTP / Manual: Configure how the VLAN interface obtains an IPv4 address.
• DHCP—Specifies the VLAN interface to obtain an IPv4 address through DHCP.
• BOOTP—Specifies the VLAN interface to obtain an IPv4 address through BOOTP.
• Manual—Allows you to specify an IPv4 address and a mask length.
IPv4 address: Configure ...
Configuring stack
Overview
The stack management feature enables you to configure and monitor a group of connected switches by logging in to one switch in the stack, as shown in Figure 26.
Figure 26 Network diagram
To set up a stack for a group of connected switches, you must log in to one switch to create the stack. This switch is the master switch for the stack, and you configure and monitor all other member switches on the master switch.
Task: remarks
Displaying topology summary of a stack: Display stack member information. Optional.
Displaying device summary of a stack: Display the control panels of stack members. Optional.
IMPORTANT: To successfully display control panel information, make sure that the user account you are logged in with on the master has also been created on each member device.
Figure 27 Setting up a fabric
Table 5 Configuration items
Private Net IP / Mask: Configure a private IP address pool for the stack. The master device automatically picks an IP address from this pool for each member device for intra-stack communication.
IMPORTANT: Make sure the number of IP addresses in the address pool is equal to or greater than the...
Build Stack: Create the stack. As a result, the device becomes the master device of the stack and automatically adds the devices connected to its stack ports to the stack.
IMPORTANT: You can delete the stack only on the master device. The Global Settings area is grayed out for stack member devices.
View interfaces and power socket layout on the panel of each stack member by clicking their respective tabs. Figure 29 Device Summary tab (on the master device) Return to Configuration task list. Logging in to a member device from the master Select Stack from the navigation tree.
Figure 31 Network diagram (Switch A is the master device; Switch B, Switch C, and Switch D are slave devices. Switch A connects to Switch B through Ethernet 1/0/1; Switch B connects to Switch C and Switch D through Ethernet 1/0/2 and Ethernet 1/0/3; Switch C and Switch D each use Ethernet 1/0/1.)
Configuration procedure
Configure global stack parameters on Switch A:
Select Stack from the navigation tree of Switch A to enter the page of the Setup tab, and then perform the following configurations, as shown in Figure...
Figure 32 Configuring global stack parameters on Switch A
Type 192.168.1.1 in the Private Net IP field.
Type 255.255.255.0 in the Mask field.
Select Enable from the Build Stack list.
Click Apply. Switch A now becomes the master device.
Configure the stack port on Switch A:
On the Setup tab, select the box before Ethernet1/0/1 in the Port Settings area. Click Enable. Figure 33 Configuring a stack port on Switch A On Switch B, configure ports Ethernet 1/0/2, Ethernet 1/0/1, and Ethernet 1/0/3 as stack ports. Select Stack from the navigation tree of Switch B.
Click Enable. Figure 34 Configuring stack ports on Switch B On Switch C, configure port Ethernet 1/0/1 as a stack port. Select Stack from the navigation tree of Switch C. On the Setup tab, select the box before Ethernet1/0/1 in the Port Settings area. Click Enable.
Figure 35 Configuring a stack port on Switch C On Switch D, configure port Ethernet 1/0/1 as a stack port. Select Stack from the navigation tree of Switch D. On the Setup tab, select the box before Ethernet1/0/1 in the Port Settings area. Click Enable.
Verifying the configuration Select Stack from the navigation tree and click the Topology Summary tab to display the stack topology on Switch A. Figure 36 Verifying the configuration Configuration guidelines If a device is already configured as a stack master device, you cannot modify the private IP address •...
Displaying system and device information Displaying system information Select Summary from the navigation tree to enter the System Information tab to view the basic system information, system resource state, and recent system logs. Figure 37 System information Displaying basic system information Table 7 Field description Item Description...
Product Information: Display the description of the device.
Device Location: Display the device location, which you can configure on the page you enter by selecting Device > SNMP > Setup.
Contact Information: Display the contact information, which you can configure on the page you enter by selecting Device >...
For the description of the port numbers and their colors, see Figure 38. Similarly, you can also view the power type and operating status and the fan operating status.
Figure 38 Device information
Select from the Refresh Period list: If you select a certain period, the system refreshes the information at the specified interval.
Configuring basic device settings
Overview
The device basic information feature provides the following functions:
• Set the system name of the device. The configured system name is displayed at the top of the navigation bar.
• Set the idle timeout period for logged-in users. The system logs an idle user off the web for security ...
Figure 40 Configuring idle timeout period Set the idle timeout period for logged-in users. Click Apply.
Maintaining devices Software upgrade A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to obtain a target application file from the local host and set the file as the boot file with the original file name to be used at the next reboot.
If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite a file of the same name. If you do not select this option and a file with the same name exists, a dialog box appears telling you that the file already exists, and you cannot continue the upgrade.
Electronic label You can view information about the device electronic label, which is also known as the permanent configuration data or archive information. The information is written into the storage medium of a device or a card during the debugging and testing processes, and includes card name, product bar code, MAC address, debugging and testing date(s), and vendor name.
Click Create Diagnostic Information File. The system begins to generate a diagnostic information file. Click Click to Download. The File Download dialog box appears. Open this file or save it to the local host. Figure 45 Finishing creating the diagnostic information file After the diagnostic file is successfully generated, you can view this file, or download it to the local host on the page you enter by selecting Device >...
Configuring system time
System time overview
You must configure a correct system time so that the device can work with other devices properly; accurate time is also what makes log timestamps comparable across devices and certificate validity checks meaningful. System time allows you to display and set the device system time and time zone on the web interface. The device supports setting the system time through manual configuration and through automatic synchronization with an NTP server.
Figure 47 Calendar page Enter the system date and time in the field, or select the date and time in the calendar, where you can: Click Today. The date setting in the calendar is synchronized to the current local date configuration, and the time setting does not change.
Table 10 Configuration items
Clock status: Display the synchronization status of the system clock.
Source Interface: Set the source interface for NTP messages. If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, you can specify the source interface for NTP messages, so that the source IP address in the...
Configuring date and time
On Device A, configure the local clock as the reference clock, with a stratum of 2. Enable NTP authentication, set the key ID to 24, and specify the created authentication key aNiceKey as a trusted key. (Details not shown.)
On Switch B, configure Device A as the NTP server with the same key ID and key.
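What "NTP authentication with key ID 24 and key aNiceKey" means on the wire, as an added example that is not part of the HP guide: in NTP symmetric-key authentication (RFC 5905) the 48-byte NTP header is followed by a 4-byte key ID and a 16-byte MD5 digest of key || header, and the receiver recomputes the digest with the key it has configured as trusted for that ID. The key ID and key come from the configuration example above; the packet layout, the MD5 choice and the helper names are assumptions of this example, and the code does not talk to any device.

```python
"""NTP symmetric-key MAC: build, attach and verify (added example)."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_LEN = 16

# Values from the guide's configuration example (assumed to be the only
# trusted key on both sides).
KEY_ID = 24
KEY = b"aNiceKey"


def build_client_header(transmit_ts: int = 0) -> bytes:
    """Build a minimal NTPv4 client (mode 3) request header, 48 bytes."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3   # LI=0, VN=4, Mode=3 (client)
    stratum, poll, precision = 0, 6, -20
    root_delay = root_dispersion = 0
    ref_id = b"\x00" * 4
    ref_ts = orig_ts = recv_ts = 0
    # B B B b I I 4s Q Q Q Q = 1+1+1+1+4+4+4+8+8+8+8 = 48 bytes
    return struct.pack("!BBBbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, ref_id,
                       ref_ts, orig_ts, recv_ts, transmit_ts)


def compute_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 symmetric-key digest: MD5 over key || header."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and digest, giving the 68-byte authenticated packet."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    return header + struct.pack("!I", key_id) + compute_mac(key, header)


def extract_key_id(packet: bytes) -> int:
    """Return the key ID carried after the header (no verification)."""
    return struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]


def verify(packet: bytes, trusted_keys: dict) -> bool:
    """Accept only packets whose MAC validates under a trusted key.

    This is the check the server side of the example performs: an
    unauthenticated packet, an unknown key ID, a wrong key or any
    modification of the header all fail.
    """
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False                       # no MAC, or not an MD5 MAC
    header = packet[:NTP_HEADER_LEN]
    key = trusted_keys.get(extract_key_id(packet))
    if key is None:
        return False                       # key ID not configured as trusted
    expected = compute_mac(key, header)
    return hmac.compare_digest(expected, packet[-MD5_LEN:])


if __name__ == "__main__":
    pkt = authenticate(build_client_header(0x1234), KEY_ID, KEY)
    print(len(pkt), "bytes, key id", extract_key_id(pkt),
          "valid:", verify(pkt, {KEY_ID: KEY}))
```

The digest only proves that the sender holds the shared key; it gives integrity and origin authentication against spoofed time sources, not confidentiality, and the key must be marked trusted on both peers or the packets are silently dropped. MD5 is keyed here, so collision attacks do not directly apply, but prefer a stronger digest where your software version offers one.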
Configuring syslogs Overview System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device running status. With system logs, administrators can take corresponding actions against network problems and security problems.
TIP:
• You can click Reset to clear all system logs saved in the log buffer on the web interface.
• You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup ...
Figure 52 Setting loghost Configure the IPv4 address of the log host. Click Apply. Setting buffer capacity and refresh interval Select Device > Syslog from the navigation tree. Click the Log Setup tab. The syslog configuration page appears. Figure 53 Syslog configuration page Configure buffer capacity and refresh interval as described in Table...
Click Apply.
Table 12 Configuration items
Buffer Capacity: Set the number of logs that can be stored in the log buffer of the web interface.
Refresh Interval: Set the refresh period of the log information displayed on the web interface. You can select manual refresh or automatic refresh: ...
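The guide only says to give the switch the IPv4 address of a log host; what the log host then does with the messages is where the security value lies. The following is an added example, not code from the HP guide: it decodes the RFC 3164 PRI field into facility and severity, pulls out timestamp, hostname and message body, and triages the events an operator would want first (warning or worse, repeated login failures from one source, configuration changes). The sample lines are constructed for this example, and the `%%10MODULE/LEVEL/MNEMONIC:` body shape is an assumption about the format rather than a copy of real 1910 output; adjust the patterns to what your switch actually sends.

```python
"""Parse and triage syslog lines forwarded by a switch (added example)."""
import re
from typing import Optional

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# RFC 3164 line: <PRI>Mon dd hh:mm:ss [yyyy] hostname message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}( \d{4})?) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# Assumed body prefix "%%10MODULE/LEVEL/MNEMONIC(l): text"
BODY = re.compile(
    r"^%%\d+(?P<module>\w+)/(?P<level>\d)/(?P<mnemonic>\w+)(\(\w\))?:\s*(?P<text>.*)$")
SOURCE_IP = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE_LINES = [  # constructed for this example, not real device output
    "<189>May 28 10:01:02 2012 HP %%10SHELL/5/SHELL_LOGIN(l): admin logged in from 169.254.52.1.",
    "<188>May 28 10:01:40 2012 HP %%10SHELL/4/SHELL_LOGINFAIL(l): login failed for user admin from 169.254.52.99.",
    "<188>May 28 10:01:44 2012 HP %%10SHELL/4/SHELL_LOGINFAIL(l): login failed for user admin from 169.254.52.99.",
    "<189>May 28 10:05:00 2012 HP %%10CFGMAN/5/CFGMAN_CFGCHANGED(l): configuration changed by admin.",
    "<190>May 28 10:06:00 2012 HP %%10IFNET/6/LINK_UPDOWN(l): GigabitEthernet1/0/4 link status is UP.",
    "garbage line without a PRI",
]


def parse(line: str) -> Optional[dict]:
    """Return a record for a well-formed line, None for anything else."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                          # facility 0..23, severity 0..7
        return None
    rec = {"facility": pri // 8, "severity": pri % 8,
           "severity_name": SEVERITY_NAMES[pri % 8],
           "timestamp": m.group("ts"), "host": m.group("host"),
           "module": None, "mnemonic": None, "text": m.group("msg")}
    b = BODY.match(m.group("msg"))
    if b:
        rec.update(module=b.group("module"), mnemonic=b.group("mnemonic"),
                   text=b.group("text"))
    return rec


def triage(lines, fail_threshold: int = 2) -> dict:
    """Split lines into parsed/malformed and pick out security-relevant events."""
    parsed, malformed, alerts = [], [], []
    failures_by_source = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            malformed.append(line)         # keep, never silently drop
            continue
        parsed.append(rec)
        mnemonic = rec["mnemonic"] or ""
        interesting = rec["severity"] <= 4 or "CFGCHANGED" in mnemonic
        if interesting:
            alerts.append(rec)
        if "LOGINFAIL" in mnemonic:
            ip = SOURCE_IP.search(rec["text"])
            src = ip.group(1) if ip else "unknown"
            failures_by_source[src] = failures_by_source.get(src, 0) + 1
    repeated = {s: n for s, n in failures_by_source.items() if n >= fail_threshold}
    return {"parsed": len(parsed), "malformed": len(malformed),
            "alerts": alerts, "repeated_login_failures": repeated}


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for a in summary["alerts"]:
        print(a["severity_name"], a["mnemonic"], a["text"])
    print("repeated login failures:", summary["repeated_login_failures"])
```

Malformed lines are counted rather than discarded, since a sudden rise in unparseable input is itself worth alerting on. The log host should also listen only on the management network, because UDP syslog has no sender authentication and any host that can reach the port can inject lines.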
Managing the configuration
You can back up, restore, save, and reset the configuration of the device.
Backing up configuration
With the configuration backup function, you can perform the following tasks:
• Open and view the configuration file (.cfg file) for the next startup
...
Figure 55 Restoring the configuration Click the upper Browse button. The file upload dialog box appears. Select the .cfg file to be uploaded, and click Apply. Saving configuration The save configuration module provides the function to save the current configuration to the configuration file (.cfg file) to be used at the next startup.
Resetting configuration This operation will restore the system to factory defaults, delete the current configuration file, and reboot the device. To reset the configuration: Select Device > Configuration from the navigation tree. Click the Initialize tab to enter the initialize confirmation page. Click the Restore Factory-D button to restore the system to factory defaults.
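Two checks worth running on every .cfg file you back up, as an added example that is not part of the HP guide: compare it with the previous backup to find configuration drift, and flag settings that weaken the management plane (default SNMP community strings, plaintext passwords, cleartext Telnet access). The two sample configurations and the Comware-style command syntax in them are constructed for this example; the patterns are assumptions about command spelling and should be adjusted to what your software version actually writes.

```python
"""Drift and weak-setting audit for a backed-up switch .cfg (added example)."""
import difflib
import re

# Constructed sample: last known-good backup.
BASELINE_CFG = """\
 sysname Switch
#
 snmp-agent
 snmp-agent community read secretRO
#
local-user admin
 password cipher $c$3$placeholderCipherText
 authorization-attribute level 3
 service-type telnet web
#
 ip http enable
"""

# Constructed sample: the file just backed up from the switch.
CURRENT_CFG = """\
 sysname Switch
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
#
local-user admin
 password simple admin123
 authorization-attribute level 3
 service-type telnet web
#
local-user backdoor
 password simple letmein
 authorization-attribute level 3
 service-type telnet web
#
 ip http enable
"""

# (pattern, finding); assumed Comware-style syntax.
WEAK_SETTINGS = [
    (re.compile(r"^\s*snmp-agent community (read|write) (public|private)\b"),
     "default SNMP community string"),
    (re.compile(r"^\s*password simple "),
     "plaintext (simple) password stored in config"),
    (re.compile(r"^\s*service-type .*\btelnet\b"),
     "cleartext Telnet login permitted"),
]


def normalize(cfg: str) -> list:
    """Drop blank lines and '#' separators so the diff shows only commands."""
    return [ln.rstrip() for ln in cfg.splitlines()
            if ln.strip() and ln.strip() != "#"]


def config_drift(baseline: str, current: str):
    """Return (added, removed) command lines between two backups."""
    added, removed = [], []
    for ln in difflib.unified_diff(normalize(baseline), normalize(current),
                                   lineterm="", n=0):
        if ln.startswith(("---", "+++", "@@")):
            continue
        if ln.startswith("+"):
            added.append(ln[1:].strip())
        elif ln.startswith("-"):
            removed.append(ln[1:].strip())
    return added, removed


def weak_settings(cfg: str) -> list:
    """Return (line number, line, reason) for every weak setting found."""
    findings = []
    for lineno, ln in enumerate(cfg.splitlines(), 1):
        for pat, why in WEAK_SETTINGS:
            if pat.search(ln):
                findings.append((lineno, ln.strip(), why))
    return findings


def new_local_users(baseline: str, current: str) -> list:
    """Local accounts present in current but absent from baseline."""
    def users(cfg):
        return set(re.findall(r"^local-user (\S+)", cfg, re.M))
    return sorted(users(current) - users(baseline))


if __name__ == "__main__":
    added, removed = config_drift(BASELINE_CFG, CURRENT_CFG)
    print("added:", added)
    print("removed:", removed)
    print("new users:", new_local_users(BASELINE_CFG, CURRENT_CFG))
    for lineno, line, why in weak_settings(CURRENT_CFG):
        print(f"line {lineno}: {why}: {line}")
```

Run the drift check after every backup and store the backups somewhere the switch administrators cannot quietly edit, since the .cfg file is also what a "Restore" operation pushes back onto the device.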
Managing files The device saves files such as the host software file and configuration file on its storage media. The file management function allows you to manage the files on the storage media. Displaying files Select Device > File Management from the navigation tree. Figure 58 File management page Select a medium from the Please select disk list.
Uploading a file
NOTE: Uploading a file may take some time. HP does not recommend performing any operation on the web interface during the upload.
Select Device > File Management from the navigation tree to enter the file management page.
Managing ports
Overview
You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface.
• For a Layer 2 Ethernet port, these operation parameters include its state, rate, duplex mode, link ...
Figure 59 The Setup tab
Set the operation parameters for the port as described in Table 13.
Click Apply.
Table 13 Configuration items
Port State: Enable or disable the port. Sometimes, after you modify the operation parameters of a port, you need to disable and then enable the port for the modifications to take effect.
Speed: Set the transmission rate of the port. Available options include:
• 10—10 Mbps.
• 100—100 Mbps.
• 1000—1000 Mbps.
• Auto—Auto-negotiation.
• Auto 10—Auto-negotiated to 10 Mbps.
• Auto 100—Auto-negotiated to 100 Mbps.
• Auto 1000—Auto-negotiated to 1000 Mbps.
• ...
MDI: Set the Medium Dependent Interface (MDI) mode of the port. Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port can operate in one of the following three MDI modes: across, normal, and auto.
Item Description Set broadcast suppression on the port. You can suppress broadcast traffic by percentage or by PPS as follows: • ratio—Sets the maximum percentage of broadcast traffic to the total bandwidth of an Ethernet port. When this option is selected, you need to input a percentage in the box below.
Item Description Interface or interfaces that you have selected from the chassis front panel and the aggregate interface list below, for which you have set operation parameters. Selected Ports IMPORTANT: You can set only the state and MAC learning limit for an aggregate interface. NOTE: If you set operation parameters that a port does not support, you are notified of invalid settings and may fail to set the supported operation parameters for the port or other ports.
Click the Detail tab. Select a port whose operation parameters you want to view in the chassis front panel, as shown in Figure 61. The operation parameter settings of the selected port are displayed on the lower part of the page. Whether the parameter takes effect is displayed in the square brackets. Figure 61 The Detail tab Port management configuration example Network requirements...
Figure 62 Network diagram Configuring the switch Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps. Select Device > Port Management from the navigation tree Click the Setup tab to enter the page shown in Figure 63. Select 1000 from the Speed list.
Figure 63 Configure the rate of GigabitEthernet 1/0/4 Batch configure the auto-negotiation rate range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps. On the Setup tab, select Auto 100 from the Speed list, as shown in Figure Select 1, 2, and 3 on the chassis front panel.
Figure 64 Batch configure port rate Display the rate settings of ports. Click the Summary tab. Click the Speed button to display the rate information of all ports on the lower part of the page, as shown in Figure...
Figure 65 Display the rate settings of ports...
Port mirroring implementation HP 1910 switch series supports local port mirroring, in which case the mirroring source and the mirroring destination are on the same device. A mirroring group that contains the mirroring source and the...
Figure 66 Local port mirroring implementation As shown in Figure 66, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/2 reside on the same device. Packets of GigabitEthernet 1/0/1 are copied to GigabitEthernet 1/0/2, which then forwards the packets to the data monitoring device for analysis. Recommended configuration procedures Step Remarks...
Figure 67 Adding a mirroring group Configure the mirroring group as described in Table Click Apply. Table 14 Configuration items Item Description ID of the mirroring group to be added. Mirroring Group ID The range of the mirroring group ID varies with devices. Specify the type of the mirroring group to be added: Type Local—Adds a local mirroring group.
Figure 68 The Modify Port tab Configure ports for the mirroring group as described in Table Click Apply. A progress dialog box appears. After the success notification appears, click Close. Table 15 Configuration items Item Description ID of the mirroring group to be configured. Mirroring The available groups were added previously.
Local port mirroring configuration example Network requirements As shown in Figure 69, configure local port mirroring on Switch A to monitor the packets received and sent by the Marketing department and Technical department. Figure 69 Network diagram Adding a local mirroring group Select Device >...
Figure 70 Adding a local mirroring group Configuring the mirroring ports as GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 Click the Modify Port tab to enter the page, as shown in Figure Select 1 – Local from the Mirroring Group ID list, select Mirror Port from the Port Type list, select both from the Stream Orientation list, and select 1 (GigabitEthernet 1/0/1) and 2 (GigabitEthernet 1/0/2) on the chassis front panel.
Figure 71 Configuring the mirroring ports Configuring the monitor port as GigabitEthernet 1/0/3 Click the Modify Port tab to enter the page, as shown in Figure Select 1 – Local from the Mirroring Group ID list, select Monitor Port from the Port Type list, and select 3 (GigabitEthernet 1/0/3) on the chassis front panel.
Figure 72 Configuring the monitor port Configuration guidelines Follow these guidelines when you configure port mirroring: You can configure multiple source ports but only one monitor port for a local mirroring group. To ensure normal operation of mirroring, do not enable the spanning tree feature on the monitor port.
Managing users The device provides the following user management functions: Add a local user, and specify the password, access level, and service types for the user. • Set the super password for non-management level users to switch to the management level. •...
Table 16 Configuration items Item Description Username Set a username for the user. Select an access level for the user. Users of different levels can perform different operations. User levels, in order from low to high, are as follows: • Visitor—Users of this level can only perform ping and traceroute operations.
Table 17 Configuration items Item Description Select the operation type: • Create—Configure or modify the super password. Create/Remove • Remove—Remove the current super password. Password Set the password for non-management level users to switch to the management level. Enter the same password again. Otherwise, the system will prompt that the two Confirm Password passwords entered are not consistent when you apply the configuration.
Configuring a loopback test Overview You can check whether an Ethernet port works normally by performing the Ethernet port loopback test, during which the port cannot forward data packets normally. Ethernet port loopback test can be an internal loopback test or an external loopback test. •...
Figure 77 Loopback test result Configuration guidelines Follow these guidelines when you configure a loopback test: • You can perform an internal loopback test but not an external loopback test on a port that is physically down, while you can perform neither test on a port that is manually shut down. The system does not allow Rate, Duplex, Cable Type and Port Status configuration on a port under •...
Configuring VCT Overview You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether short circuit or open circuit occurs on the cable and the length of the faulty cable.
Configuring the flow interval Overview With the flow interval module, you can view the number of packets and bytes sent/received by a port and the bandwidth utilization of the port over the specified interval. Setting the traffic statistics generating interval Select Device >...
Figure 80 Port traffic statistics NOTE: When the bandwidth utilization is lower than 1%, 1% is displayed.
Configuring storm constrain Overview The storm constrain function limits traffic of a port within a predefined upper threshold to suppress packet storms in an Ethernet. With this function enabled on a port, the system detects the amount of broadcast traffic, multicast traffic, and unknown unicast traffic reaching the port periodically. When a type of traffic exceeds the threshold for it, the function, as configured, blocks or shuts down the port, and optionally, sends trap messages and logs.
Figure 81 The storm constrain tab NOTE: For the sake of network stability, set the traffic statistics generating interval for the storm constrain function to the default or a greater value. Configuring storm constrain Select Device > Storm Constrain from the navigation tree to enter the storm constrain configuration page.
Table 19 Configuration items Item Remarks Specify the action to be performed when a type of traffic exceeds the upper threshold. Available options include: • None—Performs no action. • Block—Blocks the traffic of this type on a port when the type of traffic exceeds the upper threshold.
RMON agent implementations only provide four groups of MIB information: alarm, event, history, and statistics. HP devices provide the embedded RMON agent function. You can configure your device to collect and report traffic statistics, error statistics, and performance statistics.
the management device. The statistics data includes bandwidth utilization, number of error packets, and total number of packets. A history group collects statistics on packets received on the interface during each period, which can be configured through the command line interface (CLI). Event group The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group.
RMON configuration task list Configuring the RMON statistics function RMON statistics function can be implemented by either the statistics group or the history group, but the objects of the statistics are different. You can choose to configure a statistics group or a history group accordingly.
Table 22 RMON alarm configuration task list Task Remarks Required. You can create up to 100 statistics entries in a statistics table. As the alarm variables that can be configured through the web interface are MIB variables that are defined in the history group or the statistics group, you must make sure that the RMON Ethernet statistics function or the RMON history statistics function is configured on the monitored Ethernet interface.
Task Remarks If you have configured the system to log an event after the event is triggered when you configure the event group, the event is recorded into Displaying RMON event logs the RMON log. You can perform this task to display the details of the log table.
Item Description Owner Set the owner of the statistics entry. Configuring a history entry Select Device > RMON from the navigation tree. Click the History tab. The History tab page appears. Figure 86 History tab Click Add. The page for adding a history entry appears. Figure 87 Adding a history entry Configure a history entry as described in Table...
Item Description Set the capacity of the history record list corresponding to this history entry, namely, the maximum number of records that can be saved in the history record list. If the current number of the entries in the table has reached the maximum number, the Buckets Granted system will delete the earliest entry to save the latest one.
Click Apply. Table 26 Configuration items Item Description Description Set the description for the event. Owner Set the owner of the entry. Set the actions that the system will take when the event is triggered: • Log—The system will log the event. Event Type •...
Figure 91 Adding an alarm entry Configure an alarm entry as described in Table Click Apply. Table 27 Configuration items Item Description Alarm variable: Set the traffic statistics that will be collected and monitored, see Table 28 Static Item details. Set the name of the interface whose traffic statistics will be collected and Interface Name monitored.
Item Description Create Default Event Select whether to create a default event. If there is no event, you can select to create the default event. The description of the default event is default event, the action is log-and-trap, and the owner is default owner...
Table 28 Field description Field Description Total number of octets received by the interface, Number of Received Bytes corresponding to the MIB node etherStatsOctets. Total number of packets received by the interface, Number of Received Packets corresponding to the MIB node etherStatsPkts. Total number of broadcast packets received by the Number of Received Broadcasting Packets interface, corresponding to the MIB node...
Field Description Number of Received 1024 to 1518 Bytes Packets Total number of received packets with 1024 to 1518 octets on the interface, corresponding to the MIB node etherStatsPkts1024to1518Octets.
Field Description Number of undersize packets received during the sampling period, UndersizePkts corresponding to the MIB node etherHistoryUndersizePkts. Number of oversize packets received during the sampling period, corresponding OversizePkts to the MIB node etherHistoryOversizePkts. Number of fragments received during the sampling period, corresponding to the Fragments MIB node etherHistoryFragments.
Figure 95 Network diagram Configuration procedure Configure RMON to gather statistics for interface GigabitEthernet 1/0/1: Select Device > RMON from the navigation tree. The Statistics tab page appears. Click Add. The page in Figure...
Figure 97 Displaying RMON statistics Create an event to start logging after the event is triggered: Click the Event tab. Click Add. The page in Figure 98 appears. Type user1-rmon in the Owner field, select the box before Log, and click Apply. The page displays the event entry, and you can see that the entry index of the new event is 1, as shown in Figure...
Figure 99 Displaying the index of an event entry Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled: Click the Alarm tab. Click Add. The page in Figure 100 appears.
Select Device > RMON from the navigation tree. Click the Log tab. The page displaying log information appears. The displayed information indicates that event 1 has generated one log, which is triggered because the alarm value (22050) exceeds the rising threshold (1000).
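The log entry above says event 1 fired because the sampled value (22050) exceeded the rising threshold (1000). The following added example, which is not part of the HP guide and models the RMON alarm group as RFC 2819 specifies it rather than the switch's own implementation, shows the evaluation rules that the web fields (sample type, rising and falling thresholds, startup alarm, rising and falling event indexes) map to: absolute versus delta sampling, the startup alarm on the first sample, and the hysteresis that prevents a second rising event until the value has crossed the falling threshold. The class name, the sample values, and the log wording are this example's own.

```python
# Added example (not from the HP guide): a model of RMON alarm-group threshold
# evaluation as described in RFC 2819, using the values from the configuration
# example above (rising threshold 1000, sampled value 22050 on GigabitEthernet 1/0/1).
# Class and function names are this example's own, not the switch's API.

class RmonAlarm:
    """One RMON alarm entry: samples a variable and raises rising/falling events."""

    def __init__(self, rising, falling, sample_type="absolute",
                 startup="risingOrFalling", rising_event=1, falling_event=1):
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type        # "absolute" or "delta"
        self.startup = startup                # "rising", "falling" or "risingOrFalling"
        self.rising_event, self.falling_event = rising_event, falling_event
        self._last_raw = None                 # previous raw counter (delta sampling)
        self._prev = None                     # previous evaluated value
        self._last_event = None               # arms/disarms the opposite direction
        self.log = []                         # (event index, text) tuples

    def sample(self, raw):
        """Feed one sample; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            # Delta sampling needs two raw counter readings before a value exists.
            if self._last_raw is None:
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw

        event = None
        if self._prev is None:
            # Startup alarm: only the configured startup direction may fire first.
            if value >= self.rising and self.startup in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "risingOrFalling"):
                event = "falling"
        else:
            # Hysteresis: after a rising event no further rising event is generated
            # until the value has crossed the falling threshold (and vice versa).
            if (value >= self.rising and self._prev < self.rising
                    and self._last_event != "rising"):
                event = "rising"
            elif (value <= self.falling and self._prev > self.falling
                    and self._last_event != "falling"):
                event = "falling"
        self._prev = value

        if event == "rising":
            self._last_event = event
            self.log.append((self.rising_event,
                f"alarm value ({value}) exceeds the rising threshold ({self.rising})"))
        elif event == "falling":
            self._last_event = event
            self.log.append((self.falling_event,
                f"alarm value ({value}) is below the falling threshold ({self.falling})"))
        return event


def run_samples(alarm, samples):
    """Evaluate a list of samples and return the events that fired, in order."""
    return [e for e in (alarm.sample(s) for s in samples) if e is not None]


if __name__ == "__main__":
    # Constructed sample series for etherStatsOctets on GigabitEthernet 1/0/1
    # (absolute sampling): the 22050 sample crosses the rising threshold of 1000
    # once; the later 1500 does not fire again until a falling event has occurred.
    alarm = RmonAlarm(rising=1000, falling=100)
    print(run_samples(alarm, [500, 22050, 30000, 900, 1500, 50, 2000]))
    for idx, text in alarm.log:
        print(f"event {idx}: {text}")
```

The practical consequence for monitoring is that an alarm whose falling threshold is never reached reports one rising event and then goes quiet, so pick the falling threshold where the interface genuinely returns to normal, and use delta sampling for ever-increasing counters such as received octets.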
Configuring energy saving Energy saving overview Energy saving enables a port to work at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes working normally when the effective time period ends.
Item Description Set the port to transmit data at the lowest speed. IMPORTANT: Lowest Speed If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect. Shut down the port. IMPORTANT: Shutdown An energy saving policy can have all the three energy saving schemes configured, of...
Configuring SNMP Overview Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
The device supports only traps. SNMP protocol versions HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other. SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use •...
Table 32 SNMPv3 configuration task list Task Remarks Required. By default, the SNMP agent function is disabled. Enabling SNMP agent IMPORTANT: If SNMP agent is disabled, all SNMP agent-related configurations will be removed. Optional. Configuring an SNMP view After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Figure 105 Setup tab Configure SNMP settings on the upper part of the page as described in Table Click Apply. Table 33 Configuration items Item Description SNMP Specify to enable or disable SNMP agent. Configure the local engine ID. Validity of a user depends on the engine ID of the SNMP agent. If the engine ID Local Engine ID when the user is created is not identical to the current engine ID, the user is invalid.
Item Description Set a character string to describe the contact information for system maintenance. Contact If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device. Location Set a character string to describe the physical location of the device. SNMP Version Set the SNMP version run by the system.
Type the view name. Click Apply. The page in Figure 108 appears. Figure 108 Creating an SNMP view (2) Configure the parameters as described in Table 3. Click Add to add the rule into the list box at the lower part of the page.
The Add rule for the view ViewDefault window appears. Figure 109 Adding rules to an SNMP view Configure the parameters as described in Table 3. Click Apply. To modify a view, click the icon for the view on the View tab (see...
Figure 111 Creating an SNMP Community Configure the SNMP community as described in Table Click Apply. Table 35 Configuration items Item Description Community Name Set the SNMP community name. Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
Figure 112 Group tab Click Add. The Add SNMP Group page appears. Figure 113 Creating an SNMP group Configure SNMP group as described in Table Click Apply. Table 36 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group: •...
Item Description Select the write view of the SNMP group. Write View If no write view is configured, the NMS cannot perform the write operations to all MIB objects on the device. Select the notify view of the SNMP group, that is, the view that can send trap messages. Notify View If no notify view is configured, the agent does not send traps to the NMS.
Figure 115 Creating an SNMP user Configure the SNMP user as described in Table Click Apply. Table 37 Configuration items Item Description User Name Set the SNMP user name. Select the security level for the SNMP group. Available security levels are: •...
Item Description Auth/Priv. Confirm Authentication Password The confirm authentication password must be the same as the authentication password. Select a privacy mode (including DES56, AES128, and 3DES) when the Privacy Mode security level is Auth/Priv. Privacy Password Set the privacy password when the security level is Auth/Priv. Confirm Privacy Password The confirm privacy password must be the same as the privacy password.
Figure 117 Adding a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply. Table 38 Configuration items Item Description Destination IP Address Select the IPv4 or IPv6 option, and enter the specific type of destination IP address. Set the security name, which can be an SNMPv1 community name, an SNMPv2c Security Name community name, or an SNMPv3 user name.
Figure 118 SNMP Statistics SNMPv1/v2c configuration example Network requirements As shown in Figure 119, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS. Figure 119 Network diagram Configuring the agent Enable SNMP:...
Figure 120 Configuring the SNMP agent Select the Enable option, and select the v1 and v2 options. Set Hewlett-Packard Development Company,L.P. as the contact person, and HP as the physical location. Click Apply. Configure a read-only community: Click the Community tab.
Configure a read and write community: Click Add on the Community tab page. The Add SNMP Community page appears. Figure 122 Configuring an SNMP read and write community Enter private in the Community Name field, and select Read and write from the Access Right list.
Figure 124 Adding a trap target host Type 1.1.1.2 in the following field, type public in the Security Name field, and select v1 from the Security Model list. Click Apply. Configuring the NMS To avoid communication failures, make sure the NMS uses the same SNMP settings as the agent. Configure the SNMP version for the NMS as v1 or v2c.
The SNMP configuration page appears. Figure 126 Configuring the SNMP agent Select the Enable option, and select the v3 option. Set Hewlett-Packard Development Company,L.P. as the contact person, and HP as the physical location. Click Apply. Configure an SNMP view: Click the View tab.
Figure 127 Creating an SNMP view (1) Type view1 in the View Name field. Click Apply. The page in Figure 128 appears. Select the Included option, type the MIB subtree OID interfaces, and click Add. Click Apply. A configuration progress dialog box appears. Click Close after the configuration process is complete.
Figure 129 Creating an SNMP group Configure an SNMP user: Click the User tab. Click Add. The page in Figure 130 appears. Type user1 in the User Name field, select Auth/Priv from the Security Level list, select group1 from the Group Name list, select MD5 from the Authentication Mode list, type authkey in the Authentication Password and Confirm Authentication Password fields, select DES56 from the Privacy Mode list, and type prikey in the Privacy Password and Confirm Privacy Password fields.
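The two configuration examples in this chapter differ in what actually protects the management channel. The community names public and private configured for SNMPv1/v2c travel in every message as a plain octet string, while the SNMPv3 user above (user1, MD5 authentication, DES56 privacy) never sends its passwords: RFC 3414 turns each password into a key and then binds that key to the agent's engine ID, which is why Table 33 warns that a user created under one engine ID is invalid under another. The following added example, which is not from the HP guide or its firmware, makes both points concrete. Part 1 is a minimal BER encoder for an SNMPv2c GetRequest (the function names are this example's own), and part 2 implements the RFC 3414 password-to-key and key-localization algorithms and the DES56 key/pre-IV split; the engine IDs used are constructed values.

```python
# Added example (not from the HP guide): what the SNMP settings in this chapter
# mean on the wire. Part 1 BER-encodes an SNMPv2c GetRequest so the community
# name can be seen in cleartext; part 2 derives SNMPv3 localized keys (RFC 3414)
# to show why a user is tied to the agent's engine ID. Function names are this
# example's own.
import hashlib

# ---- Part 1: minimal BER / SNMPv2c encoder --------------------------------

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def ber_int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def snmpv2c_get(community, oid, request_id=1):
    """Return the bytes of an SNMPv2c GetRequest message for one OID."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")            # OID + NULL value
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
               + _tlv(0x30, varbind))                              # GetRequest-PDU
    # version 1 == SNMPv2c; the community string is an unprotected OCTET STRING
    return _tlv(0x30, ber_int(1) + _tlv(0x04, community.encode()) + pdu)

# ---- Part 2: RFC 3414 key derivation ---------------------------------------

def password_to_key(password, hashfn=hashlib.md5):
    """Ku: hash of the password repeated out to 1,048,576 octets (RFC 3414 A.2)."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashfn(stream).digest()

def localize_key(ku, engine_id, hashfn=hashlib.md5):
    """Kul = H(Ku || engineID || Ku): the key that is valid for this agent only."""
    return hashfn(ku + engine_id + ku).digest()

def snmpv3_user_keys(auth_password, priv_password, engine_id, hashfn=hashlib.md5):
    """Localized auth key and the DES56 key / pre-IV split for one user on one engine."""
    auth = localize_key(password_to_key(auth_password, hashfn), engine_id, hashfn)
    priv = localize_key(password_to_key(priv_password, hashfn), engine_id, hashfn)
    # RFC 3414 8.1.1.1: first 8 octets are the DES key, the next 8 the pre-IV.
    return {"auth_key": auth, "des_key": priv[:8], "des_pre_iv": priv[8:16]}


if __name__ == "__main__":
    msg = snmpv2c_get("public", "1.3.6.1.2.1.1.4.0")      # sysContact.0
    print(msg.hex(), b"public" in msg)
    # Constructed engine IDs; user1 / authkey / prikey are the settings from the
    # SNMPv3 example above. A new engine ID yields different localized keys.
    keys_a = snmpv3_user_keys("authkey", "prikey", bytes.fromhex("800000000300005e005301"))
    keys_b = snmpv3_user_keys("authkey", "prikey", bytes.fromhex("800000000300005e005302"))
    print(keys_a["auth_key"].hex(), keys_a["auth_key"] != keys_b["auth_key"])
```

Two things follow for operating the switch: the v1/v2c community name is as sensitive as a password yet is readable by anyone who can capture management traffic, so restrict it with read-only access and the NMS address; and because the localized key changes with the engine ID, an SNMPv3 user must be recreated after the engine ID changes, exactly as Table 33 states.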
Figure 130 Creating an SNMP user Enable SNMP traps: Click the Trap tab. The Trap tab page appears. Figure 131 Enabling SNMP traps Select the box of Enable SNMP Trap. Click Apply. Configure a target host for SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears.
Figure 132 Adding a trap target host Type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list. Click Apply. Configuring the NMS To avoid communication failures, make sure the NMS uses the same SNMP settings as the agent.
Displaying interface statistics Overview The interface statistics module displays statistics about the packets received and sent through interfaces. Displaying interface statistics Select Device > Interface Statistics from the navigation tree to enter the interface statistics display page, as shown in Figure 133.
Configuring VLANs VLAN overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs.
Figure 135 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 136. Figure 136 Position and format of VLAN tag A VLAN tag comprises the following fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
VLAN, see "Configuring a voice VLAN." HP recommends that you set the same PVID for local and remote ports. • Make sure that a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID •...
Actions Access Trunk Hybrid
In the inbound direction for a tagged frame:
Access: Receives the frame if its VLAN ID is the same as the PVID. Drops the frame if its...
Trunk: Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN is not permitted on the port.
Hybrid: Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN is not permitted on the port.
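To make the tag format in Figure 136 and the inbound decision table above concrete, here is an added example that is not part of the HP guide: it inserts and parses the four-byte 802.1Q tag (TPID, priority, CFI, VLAN ID) and then applies a simplified model of the access/trunk/hybrid inbound check, including the guide's rule that an untagged frame is treated as belonging to the PVID and that a trunk or hybrid port should permit its own PVID. The frame bytes are constructed from documentation-range MAC addresses, and the Port class and function names are this example's own rather than the switch's implementation.

```python
# Added example (not from the HP guide): building and parsing the IEEE 802.1Q
# tag described above, plus a simplified model of the inbound decision table for
# access, trunk and hybrid ports. Frame bytes are constructed; the Port class and
# function names are this example's own, not the switch's implementation.
import struct

TPID_8021Q = 0x8100

def tag_frame(untagged, vid, pcp=0, cfi=0):
    """Insert a 4-byte 802.1Q tag after the DA and SA fields (12 bytes)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("invalid tag fields")
    tci = (pcp << 13) | (cfi << 12) | vid          # 3-bit priority, 1-bit CFI, 12-bit VID
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]

def parse_frame(frame):
    """Return DA, SA, EtherType, payload and (if present) the decoded VLAN tag."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    info = {"da": frame[0:6].hex(":"), "sa": frame[6:12].hex(":"), "tag": None}
    off = 12
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info["tag"] = {"tpid": TPID_8021Q, "priority": tci >> 13,
                       "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off = 16
    info["ethertype"] = struct.unpack("!H", frame[off:off + 2])[0]
    info["payload"] = frame[off + 2:]
    return info

class Port:
    """Inbound VLAN check for one port: link type, PVID and permitted VLANs."""

    def __init__(self, link_type, pvid=1, permitted=()):
        if link_type not in ("access", "trunk", "hybrid"):
            raise ValueError("link type must be access, trunk or hybrid")
        self.link_type = link_type
        self.pvid = pvid
        # An access port belongs only to its PVID; for trunk/hybrid the guide says
        # to make sure the port permits its PVID, so it is added here.
        self.permitted = {pvid} if link_type == "access" else set(permitted) | {pvid}

    def accepts(self, frame):
        tag = parse_frame(frame)["tag"]
        vid = self.pvid if tag is None else tag["vid"]   # untagged frames take the PVID
        if self.link_type == "access":
            return vid == self.pvid
        return vid in self.permitted

def build_untagged(da, sa, ethertype, payload):
    """Assemble a plain Ethernet II frame from colon-separated MAC strings."""
    return (bytes.fromhex(da.replace(":", "")) + bytes.fromhex(sa.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


if __name__ == "__main__":
    # Constructed frame between two documentation MAC addresses (RFC 7042 range).
    plain = build_untagged("00:00:5e:00:53:02", "00:00:5e:00:53:01", 0x0800,
                           b"\x45" + b"\x00" * 19)
    tagged = tag_frame(plain, vid=100, pcp=5)
    print(parse_frame(tagged)["tag"])
    trunk = Port("trunk", pvid=100, permitted=range(1, 101))
    print(trunk.accepts(tagged), Port("access", pvid=1).accepts(tagged))
```

Running it shows the tag bytes 81 00 a0 64 for VLAN 100 with priority 5, and that the same frame is accepted by an access port whose PVID is 100 or by a trunk that permits VLAN 100, but dropped by an access port in VLAN 1 or a trunk that does not permit VLAN 100.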
Assigning a trunk port to a VLAN Step Remarks (Required.) 1. Creating VLANs Create one or multiple VLANs. (Optional.) 2. Configuring the link type of a port Configure the link type of the port as trunk. By default, the link type of a port is access. Configure the PVID of (Required.) 3.
Step Remarks (Optional.) Configure the link type of the port as hybrid. If you configure multiple untagged VLANs for a trunk 2. Configuring the link type of a port port at the same time, the trunk port automatically becomes a hybrid port. By default, the link type of a port is access.
Figure 137 Creating VLANs Table 40 Configuration items Item Description VLAN IDs IDs of the VLANs to be created • Select the ID of the VLAN whose description string is to be modified. Click the ID of the VLAN to be modified in the list in the middle of the page. Modify the description of the •...
Figure 138 Modifying ports NOTE: You can also configure the link type of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports." Setting the PVID for a port Select Network > VLAN from the navigation tree. Click the Modify Port tab.
Figure 139 Modifying the PVID for a port NOTE: You can also configure the PVID of a port on the Setup tab of Device > Port Management. For more information, see "Managing ports." Selecting VLANs Select Network > VLAN from the navigation tree. The Select VLAN tab is displayed by default for you to select VLANs.
Figure 140 Selecting VLANs Select the Display all VLANs option to display all VLANs or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed. Click Select. Modifying a VLAN Select Network > VLAN from the navigation tree. Click Modify VLAN to enter the page for modifying a VLAN.
Figure 141 Modifying a VLAN Modify the member ports of a VLAN as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds. Table 41 Configuration items Item Description Select the VLAN to be modified.
Modifying ports Select Network > VLAN from the navigation tree. Click Modify Port to enter the page for modifying ports. Figure 142 Modifying ports Modify the VLANs of a port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.
Item Description Set the IDs of the VLANs to/from which the selected ports are to be assigned/removed. NOTE: • You cannot configure an access port as an untagged member of a nonexistent VLAN. • When you configure an access port as a tagged member of a VLAN, or configure a trunk VLAN IDs port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed into hybrid.
Figure 144 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: Select Network > VLAN from the navigation tree. Click Create to enter the page for creating VLANs. Enter VLAN IDs 2, 6-50, 100.
Figure 145 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: Click Select VLAN to enter the page for selecting VLANs. Select the option before Display a subnet of all configured VLANs and enter 1-100 in the field. Click Select.
Click Modify VLAN to enter the page for modifying the ports in a VLAN. Select 100 – VLAN 0100 in the Please select a VLAN to modify: list, select the Untagged option, and select GigabitEthernet 1/0/1 on the chassis front device panel. Click Apply.
Figure 148 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B as you configure Switch A. Configuration guidelines Follow these guidelines when you configure VLANs: • As the default VLAN, VLAN 1 can be neither created nor removed manually. You cannot manually create or remove VLANs reserved for special purposes.
Configuring VLAN interfaces Overview For hosts of different VLANs to communicate at Layer 3, you can use VLAN interfaces. VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify the IP address as the gateway address for the devices in the VLAN, so that traffic can be routed to other IP subnets.
Figure 149 Creating a VLAN interface Configure the VLAN interface as described in Table Click Apply. Table 43 Configuration items Item Description Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, Input a VLAN ID: make sure that the corresponding VLAN exists.
Item Description Address box. Configure an IPv6 link-local address for the VLAN interface. IPv6 This field is available after you select the Manual option. The prefix of Address the IPv6 link-local address you enter must be FE80::/64. Modifying a VLAN interface By modifying a VLAN interface, you can assign an IPv4 address, an IPv6 link-local address, and an IPv6 site-local address, or global unicast address to the VLAN interface, and shut down or bring up the VLAN interface.
Table 44 Configuration items Item Description Select the VLAN interface to be configured. Select VLAN Interface The VLAN interfaces available for selection in the list are those created on the page for creating VLAN interfaces. DHCP Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to obtain an IP address automatically by selecting the DHCP BOOTP or BOOTP option, or manually assign the VLAN interface an IP address by selecting...
Item Description Auto Configure the way in which the VLAN interface obtains an IPv6 link-local address. Select the Auto or Manual option: • Auto—Indicates that the device automatically assigns a link-local address for the VLAN interface according to the link-local address prefix (FE80::/64) and the Manual link-layer address of the VLAN interface.
For IPv6 link-local address configuration, manual assignment takes precedence over automatic • generation. If you first adopt the manual assignment and then the automatic generation, the automatically generated link-local address will not take effect and the link-local address of the interface is still the manually assigned one.
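Table 44 says the Auto option derives the link-local address from the FE80::/64 prefix and the interface's link-layer address, the Manual option requires the typed address to carry that prefix, and the guideline above gives manual assignment precedence. The following added example, which is not from the HP guide and does not claim to reproduce the switch's code, shows the standard way that derivation works (modified EUI-64 from a 48-bit MAC, RFC 4291 Appendix A) together with the prefix check and the precedence rule. The MAC address is a constructed value from the documentation range, and the function names are this example's own.

```python
# Added example (not from the HP guide): how the Auto option in Table 44 can derive
# a link-local address from the VLAN interface's link-layer (MAC) address using the
# modified EUI-64 form, and the FE80::/64 prefix check the Manual option requires.
# The MAC address is constructed; function names are this example's own.
import ipaddress

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")

def mac_to_modified_eui64(mac):
    """Build the 64-bit interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Flip the universal/local bit of the first octet and insert FF FE in the middle.
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def auto_link_local(mac):
    """Link-local address = FE80::/64 prefix + modified EUI-64 interface ID."""
    iid = mac_to_modified_eui64(mac)
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX.network_address.packed[:8] + iid)

def valid_manual_link_local(text):
    """True only if the address the operator typed lies inside FE80::/64."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return addr in LINK_LOCAL_PREFIX

def effective_link_local(mac, manual=None):
    """Manual assignment takes precedence over automatic generation (guideline above)."""
    if manual is not None:
        if not valid_manual_link_local(manual):
            raise ValueError(f"{manual} is not within FE80::/64")
        return ipaddress.IPv6Address(manual)
    return auto_link_local(mac)


if __name__ == "__main__":
    mac = "00:00:5e:00:53:01"          # constructed, RFC 7042 documentation range
    print(auto_link_local(mac))         # fe80::200:5eff:fe00:5301
    print(effective_link_local(mac, manual="fe80::1"))
    print(valid_manual_link_local("fe81::1"))
```

Because the EUI-64 form embeds the MAC address, the automatically generated link-local address reveals the interface's hardware address to anyone on the same VLAN; a manually assigned address inside FE80::/64 avoids that, which is one reason to prefer the Manual option on management VLAN interfaces.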
Configuring a voice VLAN Overview The voice technology is developing quickly, and more and more voice devices are in use. In broadband communities, data traffic and voice traffic are usually transmitted in the network at the same time. Usually, voice traffic needs higher priority than data traffic to reduce the transmission delay and packet loss ratio. A voice VLAN is configured for voice traffic.
Voice VLAN assignment modes A port connected to a voice device, an IP phone for example, can be assigned to a voice VLAN in one of the following modes: Automatic mode—The system matches the source MAC addresses in the protocol packets •...
Table 46 Required configurations on ports of different link types for them to support tagged voice traffic Voice VLAN assignment mode Port link type Configuration requirements supported for tagged voice traffic Access In automatic mode, the PVID of the port cannot be the voice VLAN.
MAC addresses checking. HP does not recommend that you transmit both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure that the voice VLAN security mode is disabled.
Step Remarks (Required.) Configure the voice VLAN assignment mode of a port as automatic 2. Configuring voice VLAN on ports and enable the voice VLAN function on the port. By default, the voice VLAN assignment mode of a port is automatic, and the voice VLAN function is disabled on a port.
Figure 153 Configuring voice VLAN Configure the global voice VLAN settings as described in Table Click Apply. Table 49 Configuration items Item Description Select Enable or Disable in the list to enable or disable the voice VLAN security mode. Voice VLAN security By default, the voice VLANs operate in security mode.
Configure the voice VLAN function for ports as described in Table Click Apply. Table 50 Configuration items Item Description Set the voice VLAN assignment mode of a port to: • Voice VLAN port mode Auto—Automatic voice VLAN assignment mode • Manual—Manual voice VLAN assignment mode Select Enable or Disable in the list to enable or disable the voice VLAN function Voice VLAN port state...
Table 51 Configuration items Item Description OUI Address Set the source MAC address of voice traffic. Mask Set the mask length of the source MAC address. Description Set the description of the OUI address entry. Voice VLAN configuration examples Configuring voice VLAN on a port in automatic voice VLAN assignment mode Network requirements As shown in...
Figure 157 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port: Select Device > Port Management from the navigation tree. Click the Setup tab. Select Hybrid from the Link Type list. Select GigabitEthernet 1/0/1 from the chassis front panel. Click Apply.
Figure 158 Configuring GigabitEthernet 1/0/1 as a hybrid port Configure the voice VLAN function globally: Select Network > Voice VLAN from the navigation tree. Click the Setup tab. Select Enable in the Voice VLAN security list. Set the voice VLAN aging timer to 30 minutes. Click Apply.
Click the Port Setup tab. Select Auto in the Voice VLAN port mode list. Select Enable in the Voice VLAN port state list. Enter voice VLAN ID 2. Select GigabitEthernet 1/0/1 on the chassis front panel. Click Apply. Figure 160 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab.
Figure 161 Adding OUI addresses to the OUI list Verifying the configuration When the preceding configurations are completed, the OUI Summary tab is displayed by default, as shown in Figure 162. You can view the information about the newly-added OUI address. Figure 162 Displaying the current OUI list of the device Click the Summary tab, where you can view the current voice VLAN information.
Figure 163 Displaying voice VLAN information Configuring a voice VLAN on a port in manual voice VLAN assignment mode Network requirements As shown in Figure 164: • Configure VLAN 2 as a voice VLAN that carries only voice traffic. • The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic.
Configuring Switch A Create VLAN 2: Select Network > VLAN from the navigation tree. Click the Create tab. Enter VLAN ID 2. Click Create. Figure 165 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port and configure its PVID as VLAN 2: Select Device >...
Figure 166 Configuring GigabitEthernet 1/0/1 as a hybrid port Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member: Select Network > VLAN from the navigation tree. Click the Modify Port tab. Select GigabitEthernet 1/0/1 from the chassis front panel. Select the Untagged option.
Figure 167 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member Configure voice VLAN on GigabitEthernet 1/0/1: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab. Select Manual in the Voice VLAN port mode list. Select Enable in the Voice VLAN port state list.
Figure 168 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab. Enter OUI address 0011-2200-0000. Select FFFF-FF00-0000 as the mask. Enter description string test. Click Apply. Figure 169 Adding OUI addresses to the OUI list...
Verifying the configuration When the preceding configurations are complete, the OUI Summary tab is displayed by default, as shown in Figure 170. You can view the information about the newly-added OUI address. Figure 170 Displaying the current OUI list of the device Click the Summary tab, where you can view the current voice VLAN information.
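The OUI list of Table 51 is what automatic mode actually evaluates: the source MAC of each frame is ANDed with the entry's mask and compared with the OUI address, and voice VLAN security mode decides what happens to frames that match no entry. The following Python is an added example, not code from the HP guide or the switch; it reuses the guide's OUI entry 0011-2200-0000 / FFFF-FF00-0000 and adds a hypothetical second entry. The last check in the test is the caveat behind the guide's security-mode advice: OUI matching classifies traffic, it does not authenticate the device, so a host that sets its MAC to a listed OUI is placed in the voice VLAN.

```python
"""Voice VLAN OUI matching and security-mode decision (added example)."""
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Accept 'xxxx-xxxx-xxxx' (the switch's notation), 'xx:xx:...' or 'xx-xx-...'."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    address: int
    mask: int
    description: str

    @classmethod
    def parse(cls, address: str, mask: str, description: str) -> "OuiEntry":
        return cls(mac_to_int(address), mac_to_int(mask), description)

    def matches(self, mac: int) -> bool:
        # Only the bits set in the mask take part in the comparison, so the
        # FFFF-FF00-0000 mask compares the 24-bit OUI and nothing else.
        return (mac & self.mask) == (self.address & self.mask)


# Constructed OUI list: the guide's example entry plus a hypothetical vendor.
OUI_LIST: List[OuiEntry] = [
    OuiEntry.parse("0011-2200-0000", "FFFF-FF00-0000", "test"),
    OuiEntry.parse("00e0-bb00-0000", "ffff-ff00-0000", "hypothetical phone vendor"),
]


def classify_source(mac: str, oui_list=OUI_LIST) -> Optional[str]:
    """Return the description of the first matching OUI entry, or None."""
    value = mac_to_int(mac)
    for entry in oui_list:
        if entry.matches(value):
            return entry.description
    return None


def voice_vlan_decision(mac: str, security_mode: bool, oui_list=OUI_LIST) -> str:
    """Model what happens to a frame arriving on an automatic-mode port.

    security_mode=True: only frames whose source MAC matches an OUI entry are
    forwarded in the voice VLAN; other frames are dropped there.
    security_mode=False: the voice VLAN carries any frame, which is why the
    guide warns against mixing voice and non-voice traffic.
    """
    if classify_source(mac, oui_list) is not None:
        return "voice: forward in voice VLAN"
    return "non-voice: drop" if security_mode else "non-voice: forward in voice VLAN"
```

Keep security mode enabled unless you have a concrete reason to carry data in the voice VLAN, and treat the OUI list as a classification aid rather than an access control: anything stronger needs 802.1X or MAC authentication on the port.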
• Only one VLAN is supported and only an existing static VLAN can be configured as the voice VLAN. • Do not enable the voice VLAN function on a link aggregation group member port. • After you assign a port operating in manual voice VLAN assignment mode to the voice VLAN, the...
Configuring MAC address tables NOTE: • MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces. • This document covers only the management of static, dynamic, and blackhole MAC address entries, not multicast MAC address entries. Overview To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table for forwarding frames.
Types of MAC address table entries A MAC address table can contain the following types of entries: • Static entries—Manually added and never age out. • Dynamic entries—Manually added or dynamically learned, and might age out. • Blackhole entries—Manually configured and never age out. Blackhole entries are configured for...
Figure 173 Create a MAC address entry Configure a MAC address entry. Click Apply. Table 52 Configuration items Item Description Set the MAC address to be added. Set the type of the MAC address entry: • Static—Static MAC address entries that never age out. •...
Figure 174 Set the aging time for MAC address entries Configure the aging time for MAC address entries. Click Apply. Table 53 Configuration items No-aging: Specify that the MAC address entry never ages out. Aging time: Set the aging time for the MAC address entry. MAC address configuration example Network requirements Use the Web-based NMS to configure the MAC address table of the device.
Figure 175 Create a static MAC address entry...
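The three entry types above differ in who can change them and when they disappear, which is the whole security value of the static and blackhole entries. The following Python models a MAC address table with those rules and is an added example, not the switch's implementation; the MAC addresses, ports and the blackholed host are constructed for illustration. Time is passed in explicitly so that aging is visible.

```python
"""MAC address table with static, dynamic and blackhole entries (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FLOOD = "flood"   # unknown unicast: sent out all other ports in the VLAN
DROP = "drop"     # blackhole entry hit


def norm(mac: str) -> str:
    return "".join(ch for ch in mac.lower() if ch not in ":-.")


@dataclass
class Entry:
    kind: str              # "static", "dynamic" or "blackhole"
    port: Optional[str]    # None for blackhole entries
    last_seen: float       # refreshed by learning; only dynamic entries age


class MacTable:
    def __init__(self, aging_time: Optional[float] = 300.0):
        # aging_time=None models the "No-aging" setting of Table 53.
        self.aging_time = aging_time
        self.entries: Dict[Tuple[str, int], Entry] = {}

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.entries[(norm(mac), vlan)] = Entry("static", port, 0.0)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(norm(mac), vlan)] = Entry("blackhole", None, 0.0)

    def learn(self, src_mac: str, vlan: int, in_port: str, now: float) -> None:
        """Source-address learning creates or refreshes dynamic entries only.
        Static and blackhole entries are never overwritten, so a host that
        forges the gateway's MAC cannot pull the gateway's traffic to its port."""
        key = (norm(src_mac), vlan)
        cur = self.entries.get(key)
        if cur is not None and cur.kind != "dynamic":
            return
        self.entries[key] = Entry("dynamic", in_port, now)

    def expire(self, now: float) -> None:
        if self.aging_time is None:
            return
        for key, e in list(self.entries.items()):
            if e.kind == "dynamic" and now - e.last_seen >= self.aging_time:
                del self.entries[key]

    def lookup(self, dst_mac: str, vlan: int, now: float) -> str:
        """Egress port, FLOOD for an unknown destination, DROP for a blackholed one."""
        self.expire(now)
        e = self.entries.get((norm(dst_mac), vlan))
        if e is None:
            return FLOOD
        if e.kind == "blackhole":
            return DROP
        return e.port

    def forward(self, src_mac: str, dst_mac: str, vlan: int, in_port: str, now: float) -> str:
        """Handle one frame: frames from a blackholed source are dropped before learning."""
        src = self.entries.get((norm(src_mac), vlan))
        if src is not None and src.kind == "blackhole":
            return DROP
        self.learn(src_mac, vlan, in_port, now)
        return self.lookup(dst_mac, vlan, now)


def demo() -> dict:
    """Walk through the behaviour on constructed traffic; returns the outcomes."""
    t = MacTable(aging_time=300)
    t.add_static("00e0-fc01-0000", 100, "GigabitEthernet1/0/1")   # router MAC, as in the guide's ARP example
    t.add_blackhole("00e0-fc99-9999", 100)                         # hypothetical quarantined host
    out = {}
    out["first_frame"] = t.forward("0011-2233-4455", "00e0-fc01-0000", 100, "GigabitEthernet1/0/5", now=0)
    out["learned"] = t.lookup("0011-2233-4455", 100, now=10)
    t.learn("00e0-fc01-0000", 100, "GigabitEthernet1/0/7", now=20)   # spoofed source, ignored
    out["static_kept"] = t.lookup("00e0-fc01-0000", 100, now=20)
    out["blackhole_dst"] = t.lookup("00e0-fc99-9999", 100, now=20)
    out["blackhole_src"] = t.forward("00e0-fc99-9999", "0011-2233-4455", 100, "GigabitEthernet1/0/3", now=20)
    out["aged_out"] = t.lookup("0011-2233-4455", 100, now=400)
    return out
```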
Configuring MSTP As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and in the meantime allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP).
Designated bridge and designated port Table 54 Description of designated bridges and designated ports: For a device, the designated bridge is a device directly connected to the local device and responsible for forwarding BPDUs to the local device; the designated port is the port through which the designated bridge forwards BPDUs to the local device.
• Designated bridge ID—Consisting of the priority and MAC address of the designated bridge. • Designated port ID—Designated port priority plus port name. • Message age—Age of the configuration BPDU while it propagates in the network. • Max age—Maximum age the configuration BPDU can be maintained on a device. •...
NOTE: Configuration BPDU comparison uses the following principles: • The configuration BPDU that has the lowest root bridge ID has the highest priority. • If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. For...
Figure 177 STP network • Initial state of each device Table 57 Initial state of each device (columns: Device; Port name; BPDU of port) Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}. Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}. Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}...
(columns: Device; Comparison process; BPDU of port after comparison) • Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
(columns: Device; Comparison process; BPDU of port after comparison) After comparison: • Because the root path cost of CP2 (9) (root path cost of the received BPDU (5) plus the path cost of CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the received BPDU (0) plus the path cost of CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root...
• If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs, and the old configuration BPDUs will be discarded due to timeout. The device will generate configuration BPDUs with itself as the root. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
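The comparison principles and the Figure 177 walkthrough above can be run as code. The following Python is an added example, not code from the HP guide: it encodes a configuration BPDU as the guide's tuple {root bridge ID, root path cost, designated bridge ID, designated port ID}, compares field by field, and iterates the receive/elect steps until the port roles stop changing, using the path costs of the guide's calculation (A-B 5, A-C 10, B-C 4). The rogue bridge X and the root guard handling are assumptions added to show why the "Root" protection type exists: a bridge with a better bridge ID plugged into an unguarded port becomes root of the whole network.

```python
"""Configuration BPDU comparison and port role election (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """{root bridge ID, root path cost, designated bridge ID, designated port ID}.
    Field-by-field comparison, smaller is superior, in the order the guide's
    comparison principles give."""
    root_id: int
    root_path_cost: int
    designated_bridge: int
    designated_port: str   # the port name stands in for the port ID


# Constructed topology of Figure 177: device -> {port: (neighbour, its port, path cost)}
LINKS = {
    "A": {"AP1": ("B", "BP1", 5), "AP2": ("C", "CP1", 10)},
    "B": {"BP1": ("A", "AP1", 5), "BP2": ("C", "CP2", 4)},
    "C": {"CP1": ("A", "AP2", 10), "CP2": ("B", "BP2", 4)},
}
BRIDGE_ID = {"A": 0, "B": 1, "C": 2}   # priority + MAC collapsed to one number


def run_stp(links=LINKS, bridge_id=BRIDGE_ID, root_guard=frozenset(), max_rounds=20):
    """Return (BPDU stored per port, role per port) once the comparison converges.

    root_guard holds (device, port) pairs. A superior BPDU received on such a
    port may not elect it as root port; the port is held in 'root-inconsistent'
    (discarding) instead. This is an assumption about the effect of the Root
    protection type, not the switch's code.
    """
    bpdus = {d: {p: Bpdu(bridge_id[d], 0, bridge_id[d], p) for p in ps} for d, ps in links.items()}
    roles = {d: {p: "designated" for p in ps} for d, ps in links.items()}
    for _ in range(max_rounds):
        before = (repr(bpdus), repr(roles))
        for dev, ports in links.items():
            me = bridge_id[dev]
            # Receive: neighbours transmit only from designated ports; a superior
            # BPDU replaces the one stored on the receiving port.
            for p, (nb, nbp, _cost) in ports.items():
                if roles[nb][nbp] == "designated" and bpdus[nb][nbp] < bpdus[dev][p]:
                    bpdus[dev][p] = bpdus[nb][nbp]
            # Root port: the best received BPDU after adding the local path cost.
            cands = [(Bpdu(b.root_id, b.root_path_cost + ports[p][2], b.designated_bridge, b.designated_port), p)
                     for p, b in bpdus[dev].items()
                     if b.designated_bridge != me and (dev, p) not in root_guard]
            if cands:
                root_vec, root_port = min(cands)
                roles[dev][root_port] = "root"
            else:                       # no superior BPDU: this device is the root bridge
                root_vec, root_port = Bpdu(me, 0, me, ""), None
            # Every other port: designated if our BPDU beats the stored one, else blocked.
            for p in ports:
                if p == root_port:
                    continue
                designated = Bpdu(root_vec.root_id, root_vec.root_path_cost, me, p)
                if bpdus[dev][p] < designated:
                    roles[dev][p] = "root-inconsistent" if (dev, p) in root_guard else "blocked"
                else:
                    bpdus[dev][p] = designated
                    roles[dev][p] = "designated"
        if (repr(bpdus), repr(roles)) == before:
            break
    return bpdus, roles


def root_path_cost(bpdus, links, dev, port):
    """Root path cost of a port as the guide computes it: received cost + port path cost."""
    return bpdus[dev][port].root_path_cost + links[dev][port][2]


def with_rogue(links=LINKS, bridge_id=BRIDGE_ID):
    """Attach a hypothetical rogue bridge X with ID -1 (better than every real
    bridge) to a new port CP3 of Device C, the case root guard is meant for."""
    links = {d: dict(ps) for d, ps in links.items()}
    links["C"]["CP3"] = ("X", "XP1", 1)
    links["X"] = {"XP1": ("C", "CP3", 1)}
    return links, dict(bridge_id, X=-1)
```

Running `run_stp()` reproduces the guide's result (B's BP1 and C's CP2 are root ports, C's CP1 is blocked, CP2's root path cost is 9 against 10 for CP1). With the rogue attached, every real bridge re-roots on X; with `root_guard={("C", "CP3")}` C keeps its root port on CP2 and parks CP3 instead.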
point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment. Although RSTP supports rapid network convergence, it has the same drawback as STP—All bridges within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and the packets of all VLANs are forwarded along the same spanning tree.
Figure 179 Basic concepts in MSTP Figure 180 Network diagram and topology of MST region 3 MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics: • A spanning tree protocol enabled...
• Same VLAN-to-instance mapping configuration • Same MSTP revision level • Physically linked together Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 179, the switched network comprises four MST regions, MST region 1 through MST region 4, and all devices in each MST region have the same MST region configuration.
Port roles A port can play different roles in different MSTIs. As shown in Figure 181, an MST region comprises Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge.
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic. • Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state. • Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward...
Implementation of MSTP on devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation. In addition to basic MSTP functions, the device provides the following functions for ease of management: •...
Figure 182 MST region Click Modify to enter the page for configuring MST regions. Figure 183 Configuring an MST region Configure the MST region information as described in Table 60, and click Apply. Click Activate. Table 60 Configuration items Item Description MST region name.
Configuring MSTP globally Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally. Figure 184 Configuring MSTP globally Configure the global MSTP configuration as described in Table Click Apply. Table 61 Configuration items Item Description Select whether to enable STP globally.
• The settings of hello time, forward delay, and max age must satisfy the following relations, or the network topology will not be stable: 2 × (forward delay − 1 second) ≥ max age, and max age ≥ 2 × (hello time + 1 second). HP recommends that you set the network diameter and let the device automatically calculate the forward delay, hello time, and max age.
With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. NOTE: HP does not recommend disabling this function. tc-protection threshold: Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.
Transmit Limit Configure the maximum number of MSTP packets that can be sent during each Hello interval. The larger the transmit limit is, the more network resources will be occupied. HP recommends that you use the default value. • MSTP Mode Set whether the port migrates to the MSTP mode.
BPDUs. Edged Port: You can set these ports as edge ports to achieve fast transition for these ports. HP recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.
Figure 186 The port summary tab Table 64 Field description Field Description The port is in forwarding state, so the port learns MAC addresses and forwards [FORWARDING] user traffic. The port is in learning state, so the port learns MAC addresses but does not [LEARNING] forward user traffic.
Field Description Point-to-point: Whether the port is connected to a point-to-point link: • Config—Indicates the configured value. • Active—Indicates the actual value. Transmit Limit: The maximum number of packets sent within each Hello time. Protection type on the port: • Root—Root guard •...
• Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively. • Switch A and Switch B operate at the distribution layer; Switch C and Switch D operate at the...
Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-MSTI mapping entry to the VLAN-to-MSTI mapping list. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-MSTI mapping entries to the VLAN-to-MSTI mapping list.
Figure 190 Configuring MSTP globally (on Switch A) Configuring Switch B Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.) Configure MSTP globally: Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally.
Configuring Switch C Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.) Configure MSTP globally: Select Network > MSTP from the navigation tree. Click Global to enter the page for configuring MSTP globally. Select Enable in the Enable STP Globally list.
Figure 191 Configuring MSTP globally (on Switch D) Configuration guidelines Follow these guidelines when you configure MSTP: • Two devices belong to the same MST region only if they are interconnected through physical links, and share the same region name, the same MSTP revision level, and the same VLAN-to-MSTI mappings.
Configuring link aggregation and LACP Overview Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group. It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation group. In addition, it provides reliable connectivity because these member ports can dynamically back up each other.
Class-two configurations The contents of class-two configurations are listed in Table 65. In an aggregation group, a member port different from the aggregate interface in the class-two configurations cannot be a Selected port. Table 65 Class-two configurations (columns: Type; Considerations) Port isolation: Whether a port has joined an isolation group, and the isolation group that the port belongs to. Permitted VLAN IDs, default VLAN, link type (trunk, hybrid, or access), IP...
• Changing a port attribute or class-two configuration setting of a port may cause the Selected state of the port and other member ports to change and affect services. HP recommends that you do that with caution.
Recommended link aggregation and LACP configuration procedures Recommended static aggregation group configuration procedure Step Remarks Required. Create a static aggregate interface and configure member Creating a link aggregation group ports for the static aggregation group automatically created by the system when you create the aggregate interface. By default, no link aggregation group exists.
Configure a link aggregation group. Click Apply. Table 66 Configuration items Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page. Set the type of the link aggregation interface to be created: •...
The list on the lower part of the page displays the detailed information about the member ports of the corresponding link aggregation group. Figure 193 Displaying information of an aggregate interface Table 67 Field description Field Description Type and ID of the aggregate interface. Aggregation interface Bridge-Aggregation indicates a Layer 2 aggregate interface.
Setting LACP priority Select Network > LACP from the navigation tree. Click Setup to enter the page shown in Figure 194. Figure 194 The Setup tab In the Set LACP enabled port(s) parameters area, set the port priority, and select the ports in the chassis front panel.
Click View Details. Detailed information about the peer port will be displayed on the lower part of the page. Table 70 describes the fields. Figure 195 Displaying the information of LACP-enabled ports Table 69 Field description Unit: ID of a device in an IRF. Port: Port where LACP is enabled.
Field Description Partner Port Name of the peer port. State information of the peer port, represented by letters A through H. • A indicates that LACP is enabled. • B indicates that LACP short timeout has occurred. If B does not appear, it indicates that LACP long timeout has occurred.
You can create a static or dynamic link aggregation group to achieve load balancing. Approach 1: Create static link aggregation group 1 Select Network > Link Aggregation from the navigation tree. Click Create to enter the page as shown in Figure 197.
Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel. Click Apply. Figure 198 Creating dynamic link aggregation group 1 Configuration guidelines Follow these guidelines when you configure a link aggregation group: • In an aggregation group, the port to be a Selected port must be the same as the reference port in port attributes, and class-two configurations.
aggregation, make sure that the peer ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the Selected state of the ports. Removing a Layer 2 aggregate interface also removes the corresponding aggregation group. •...
Configuring LLDP Overview Background In a heterogeneous network, a standard configuration exchange platform ensures that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management. The Link Layer Discovery Protocol (LLDP) is defined in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
Type: Ethernet type for the upper layer protocol. It is 0x88CC for LLDP. Data: LLDP data. FCS: Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. LLDPDUs encapsulated in SNAP Figure 200 LLDPDU encapsulated in SNAP Table 72 Description of the fields in a SNAP-encapsulated LLDPDU Field Description...
TLVs TLVs are type, length, and value sequences that carry information elements, where the type field identifies the type of information, the length field indicates the length of the information field in octets, and the value field contains the information itself. LLDPDU TLVs fall into the following categories: basic management TLVs, organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs, and LLDP-MED (media endpoint discovery) TLVs.
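The Ethernet II encapsulation (EtherType 0x88CC) and the type/length/value layout described above are enough to write a parser. The following Python is an added example, not code from the HP guide or the switch: it builds a constructed LLDPDU from a hypothetical neighbour "SwitchB" and parses it back, extracting the three mandatory TLVs (Chassis ID, Port ID, TTL) and the System Name. Each TLV header is 16 bits, a 7-bit type followed by a 9-bit length; the TTL value of 120 s assumes the usual product of a 30 s transmit interval and a multiplier of 4. Because LLDP carries no authentication, every length is bounds-checked before it is used and a frame without a terminating End TLV is rejected rather than partially accepted.

```python
"""Build and parse an Ethernet II encapsulated LLDPDU (added example)."""
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")
TLV_NAMES = {0: "End", 1: "Chassis ID", 2: "Port ID", 3: "TTL",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address",
             127: "Organizationally Specific"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type must fit in 7 bits, length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame() -> bytes:
    """Constructed LLDPDU from a hypothetical neighbour 'SwitchB', port GigabitEthernet1/0/1."""
    src = bytes.fromhex("00e0fc000001")
    body = (tlv(1, b"\x04" + src)                          # Chassis ID, subtype 4 = MAC address
            + tlv(2, b"\x05" + b"GigabitEthernet1/0/1")   # Port ID, subtype 5 = interface name
            + tlv(3, struct.pack("!H", 120))               # TTL: 30 s interval x multiplier 4 (assumed)
            + tlv(5, b"SwitchB")                           # System Name
            + tlv(0, b""))                                 # End of LLDPDU
    return LLDP_MULTICAST + src + struct.pack("!H", LLDP_ETHERTYPE) + body


def parse_lldpdu(frame: bytes) -> dict:
    """Return the decoded TLVs; raise ValueError on anything malformed."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an Ethernet II LLDP frame")
    info = {"src_mac": frame[6:12].hex(":"), "tlvs": []}
    pos, end_seen = 14, False
    while pos + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[pos:pos + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:                       # length claims more than the frame holds
            raise ValueError(f"truncated TLV type {tlv_type} at offset {pos}")
        pos += 2 + length
        info["tlvs"].append((TLV_NAMES.get(tlv_type, f"type {tlv_type}"), value))
        if tlv_type == 0:
            end_seen = True
            break
        if tlv_type == 1:
            info["chassis_id"] = value[1:].hex(":") if value[:1] == b"\x04" else value[1:]
        elif tlv_type == 2:
            info["port_id"] = value[1:].decode("ascii", "replace") if value[:1] == b"\x05" else value[1:]
        elif tlv_type == 3 and length >= 2:
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == 5:
            info["system_name"] = value.decode("ascii", "replace")
    if not end_seen:
        raise ValueError("LLDPDU without End TLV")
    # IEEE 802.1AB requires Chassis ID, Port ID and TTL first, in that order.
    names = [n for n, _ in info["tlvs"][:3]]
    if names != ["Chassis ID", "Port ID", "TTL"]:
        raise ValueError(f"mandatory TLVs missing or out of order: {names}")
    return info
```

The same parser applies to the neighbour table the switch shows under Neighbor Information: chassis ID and port ID are what identify the neighbour, and the TTL is how long that entry survives without a refresh.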
NOTE: The Power Stateful Control TLV is defined in IEEE P802.3at D1.0. The later versions no longer support this TLV. HP devices send this type of TLVs only after receiving them. LLDP-MED TLVs LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management.
Extended Power-via-MDI: Allows a network device or terminal device to advertise power supply capability. This TLV is an extension of the Power Via MDI TLV. Hardware Revision: Allows a terminal device to advertise its hardware version. Firmware Revision: Allows a terminal device to advertise its firmware version.
• A new neighbor is discovered. A new LLDPDU is received carrying device information new to the local device. • The LLDP operating mode of the port changes from Disable/Rx to TxRx or Tx. This is the fast sending mechanism of LLDP. With this mechanism, a specific number of LLDPDUs are sent successively at 1-second intervals to help LLDP neighbors discover the local device as soon as possible.
Step Remarks (Optional.) LLDP settings include LLDP operating mode, packet encapsulation, CDP compatibility, device information polling, trapping, and advertisable TLVs. The default settings are as follows: 2. Configuring LLDP settings on ports • The LLDP operating mode is TxRx. • The encapsulation format is Ethernet II.
Figure 202 The Port Setup tab Configuring LLDP settings on ports The web interface allows you to set LLDP parameters for a single port and set LLDP parameters for multiple ports in batch.
Figure 203 Modifying LLDP settings on a port Modify the LLDP parameters for the port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Item Description LLDP Operating Mode: Set the LLDP operating mode on the port or ports you are configuring. Available options include: • TxRx—Sends and receives LLDPDUs. • Tx—Sends but does not receive LLDPDUs. • Rx—Receives but does not send LLDPDUs. • Disable—Neither sends nor receives LLDPDUs. Set the encapsulation for LLDPDUs.
Item Description DOT1 TLV Setting: Port VLAN ID: Select to include the PVID TLV in transmitted LLDPDUs. Protocol VLAN ID: Select to include port and protocol VLAN ID TLVs in transmitted LLDPDUs and specify the VLAN IDs to be advertised. If no VLAN is specified, the lowest protocol VLAN ID is transmitted. VLAN name TLVs: Select to include VLAN name TLVs in transmitted LLDPDUs and specify the VLAN IDs to be advertised.
Figure 204 Modifying LLDP settings on ports in batch Set the LLDP settings for these ports as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 205 The Global Setup tab Set the global LLDP setup as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 78 Configuration items Item Description LLDP Enable...
Item Description Set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDPDUs to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier.
By default, the Local Information tab is displayed, as shown in Figure 206. Table 79 describes the fields. Figure 206 The Local Information tab Table 79 Field description Field Description Port ID type: • Interface alias • Port component • MAC address Port ID subtype •...
Field Description Power supply priority on a PSE: • Unknown—Unknown priority • Critical—Priority 1 Power priority • High—Priority 2 • Low—Priority 3 Media policy type: • Unknown • Voice • Voice signaling • Guest voice Media policy type • Guest voice signaling •...
Table 80 Field description Chassis type: Chassis ID type: • Chassis component • Interface alias • Port component • MAC address • Network address • Interface name • Locally assigned, or the local configuration Chassis ID: Chassis ID depending on the chassis type, which can be a MAC address of the device. Port ID type:...
Field Description Power supply priority on a PD: • Unknown—Unknown priority. • Critical—Priority 1. Power priority • High—Priority 2. • Low—Priority 3. PD requested power value Power (in watts) required by the PD that connects to the port. PSE allocated power value Power (in watts) supplied by the PSE to the connecting port.
Field Description SerialNum The serial number advertised by the neighbor. Manufacturer name The manufacturer name advertised by the neighbor. Model name The model name advertised by the neighbor. Asset ID advertised by the neighbor. This ID is used for the purpose of Asset tracking identifier inventory management and asset tracking.
Figure 209 The Status Information tab Displaying global LLDP information Select Network > LLDP from the navigation tree. Click the Global Summary tab to display global local LLDP information and statistics, as shown Figure 210. Table 81 describes the fields.
Figure 210 The Global Summary tab Table 81 Field description Field Description Chassis ID The local chassis ID depending on the chassis type defined. The primary network function advertised by the local device: • Repeater System capabilities supported • Bridge •...
Field Description Device class: The device class advertised by the local device: • Connectivity device—An intermediate device that provides network connectivity. • Class I—A generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category. • Class II—A media endpoint device. The class II endpoint devices support the media stream capabilities in addition to the capabilities of generic endpoint devices.
LLDP configuration examples LLDP basic settings configuration example Network requirements As shown in Figure 212, configure LLDP on Switch A and Switch B so that the network management station (NMS) can determine the status of the link between Switch A and MED and the link between Switch A and Switch B.
Figure 213 The Port Setup tab Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 214 Setting LLDP on multiple ports Enable global LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 215 Enabling global LLDP Configuring Switch B Enable LLDP on port GigabitEthernet 1/0/1. (Optional. By default, LLDP is enabled on Ethernet ports.) Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1: Select N...
Figure 216 Setting the LLDP operating mode to Tx Enable global LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 217 Viewing the status of port GigabitEthernet 1/0/1 Display the status information of port GigabitEthernet1/0/2 on Switch A: Click the GigabitEthernet1/0/2 port name in the port list. Click the Status Information tab at the lower half of the page. The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device (Switch B).
Figure 219 Viewing the updated port status information CDP-compatible LLDP configuration example Network requirements As shown in Figure 220, on Switch A, configure VLAN 2 as a voice VLAN and configure CDP-compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN, confining their voice traffic within the voice VLAN to be separate from other types of traffic.
Figure 221 Creating VLANs Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports: Select Device > Port Management from the navigation tree. Click the Setup tab to enter the page for configuring ports. Select Trunk in the Link Type list. Select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
Figure 222 Configuring ports Configure the voice VLAN function on the two ports: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab to enter the page for configuring the voice VLAN function on ports. Select Auto in the Voice VLAN port mode list, select Enable in the Voice VLAN port state list, enter the voice VLAN ID 2, and select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
Figure 223 Configuring the voice VLAN function on ports Enable LLDP on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Skip this step if LLDP is enabled (the default). Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2: Select Network >...
Figure 224 Selecting ports Select TxRx from the LLDP Operating Mode list, and select TxRx from the CDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 225 Modifying LLDP settings on ports Enable global LLDP and CDP compatibility of LLDP: Click the Global Setup tab. Select Enable from the LLDP Enable list. Select Enable from the CDP Compatibility list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 226 Enabling global LLDP and CDP compatibility Verifying the configuration Display information about LLDP neighbors on Switch A after completing the configuration. You can see that Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and obtained their device information.
Configuring ARP This chapter describes how to configure the Address Resolution Protocol (ARP). Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP messages are classified into ARP requests and ARP replies. Figure 227 shows the format of the ARP request/reply.
If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request using the following information: Source IP address and source MAC address—Host A’s own IP address and the MAC address Target IP address—Host B’s IP address Target MAC address—An all-zero MAC address Because the ARP request is a broadcast, all hosts on this subnet can receive the request, but only the requested host (Host B) will process the request.
Static ARP entry A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by a dynamic ARP entry. Using static ARP entries enhances communication security. After a static ARP entry is specified, only the specified MAC address is associated with the specified IP address.
Figure 229 ARP table configuration page Creating a static ARP entry Select Network > ARP Management from the navigation tree to enter the ARP Table page shown Figure 229. Click Add to enter the New Static ARP Entry page. Figure 230 Adding a static ARP entry Configure the static ARP entry as described in Table Click Apply.
Table 82 Configuration items Item Description IP Address Enter an IP address for the static ARP entry. MAC Address Enter a MAC address for the static ARP entry. Enter a VLAN ID and specify a port for the static ARP entry. VLAN ID Advanced IMPORTANT:...
Static ARP configuration example Network Requirements As shown in Figure 232, hosts are connected to Switch A, which is connected to Router B through interface GigabitEthernet 1/0/1 belonging to VLAN 100. Configure static ARP entries on Switch A to enhance communication security between Switch A and Router B.
Figure 233 Creating VLAN 100 Add GigabitEthernet 1/0/1 to VLAN 100: Click the Modify Port tab. Select interface GigabitEthernet 1/0/1 in the Select Ports area, select the Untagged option in the Select membership type area, enter 100 for VLAN IDs, and click Apply. After the configuration process is complete, click Close.
Figure 234 Adding GigabitEthernet 1/0/1 to VLAN 100 Create VLAN-interface 100: Select Network > VLAN Interface from the navigation tree. Click the Create tab. On the page that appears, enter 100 for VLAN ID, select the Configure Primary IPv4 Address box, select the Manual option, enter 192.168.1.2 for IPv4 Address, and enter 24 or 255.255.255.0 for Mask Length.
Figure 235 Creating VLAN-interface 100 Create a static ARP entry: Select Network > ARP Management from the navigation tree to enter the ARP Table page. Click Add. On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options box, enter 100 for VLAN ID, and select GigabitEthernet1/0/1 for Port.
Configuring ARP attack defense Overview Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the following functions: user validity check and ARP packet validity check.
Select Network > ARP Anti-Attack from the navigation tree to enter the ARP detection configuration page. Figure 237 ARP detection configuration page. Configure ARP detection as described in Table 84. Click Apply.
Table 84 Configuration items
VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the <<...
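The following Python script is an added illustration and is not code from this guide or from the switch firmware. It models the two checks that the ARP detection overview names, the ARP packet validity check and the user validity check, over constructed Ethernet/ARP frames, and shows why a static ARP entry (here the 192.168.1.1 / 00e0-fc01-0000 entry from the static ARP example above) defeats a forged reply for the gateway address. The binding table, the port names, the client MAC 00:11:22:33:44:55 and the victim 192.168.1.11 are assumptions; the sources the switch consults for its own bindings are not modelled, the script simply uses an explicit table.

```python
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    """An IP-to-MAC binding the switch trusts (static ARP entry or learned binding)."""
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed binding table (assumption, not from the guide). The first entry mirrors the
# static ARP entry configured above: 192.168.1.1 <-> 00e0-fc01-0000 on VLAN 100,
# GigabitEthernet1/0/1. The second entry is a hypothetical client binding.
BINDINGS = {
    Binding("192.168.1.1", "00:e0:fc:01:00:00", 100, "GigabitEthernet1/0/1"),
    Binding("192.168.1.10", "00:11:22:33:44:55", 100, "GigabitEthernet1/0/2"),
}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def is_unicast(mac):
    # all-zero and group addresses (I/G bit set) are never valid sender or target MACs
    return mac != "00:00:00:00:00:00" and not int(mac[:2], 16) & 1


def build_arp(op, eth_src, eth_dst, sha, spa, tha, tpa):
    """Build an untagged Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(frame):
    dst, src, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def packet_validity_check(arp):
    """ARP packet validity check: the ARP body must agree with the Ethernet header."""
    if arp["sha"] != arp["eth_src"]:
        return "sender MAC differs from Ethernet source MAC"
    if not is_unicast(arp["sha"]):
        return "invalid sender MAC"
    if arp["op"] == ARP_REPLY and (not is_unicast(arp["tha"]) or arp["tha"] != arp["eth_dst"]):
        return "invalid target MAC in ARP reply"
    return None


def user_validity_check(arp, vlan, port, bindings=BINDINGS):
    """User validity check: sender IP/MAC must match a binding for this VLAN and port."""
    if any(b.vlan == vlan and b.port == port and b.ip == arp["spa"] and b.mac == arp["sha"]
           for b in bindings):
        return None
    return f"no binding for {arp['spa']}/{arp['sha']} on VLAN {vlan} {port}"


def arp_detect(frame, vlan, port, trusted=False):
    """Decision for one ARP frame received on `port`: 'forward' or 'drop: <reason>'.
    ARP detection is not applied to frames received on trusted ports."""
    if trusted:
        return "forward"
    arp = parse_arp(frame)
    reason = packet_validity_check(arp) or user_validity_check(arp, vlan, port)
    return "forward" if reason is None else f"drop: {reason}"
```

A genuine reply from the router on GigabitEthernet1/0/1 is forwarded; a reply from a client port that claims 192.168.1.1 is at the client's own MAC fails the user validity check because the only binding for 192.168.1.1 is the static entry on GigabitEthernet1/0/1; a frame whose ARP sender MAC does not match the Ethernet source MAC never reaches the binding lookup at all.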
Configuring IGMP snooping Overview Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. By analyzing received IGMP messages, a Layer 2 device running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
Figure 239 IGMP snooping related ports. IGMP snooping related ports include the following types: • Router port—Port on an Ethernet switch that leads the switch toward a Layer 3 multicast device (designated router or IGMP querier). In Figure 239, GigabitEthernet 1/0/1 of Switch A and Ethernet 1/0/1 of Switch B are router ports.
Timer: Dynamic member port aging timer
Description: When a port dynamically joins a multicast group, the switch sets an aging timer for the port. When the timer expires, the...
Message before expiry: IGMP membership report
Action after expiry: The switch removes this port from the IGMP snooping forwarding...
receiving this report. This makes the switch unable to know whether the reported multicast group still has active members attached to that port. When receiving a leave group message When an IGMPv1 host leaves a multicast group, the host does not send an IGMP leave message, so the switch cannot know immediately that the host has left the multicast group.
Configuring IGMP snooping in a VLAN (Required.) Enable IGMP snooping for the VLAN and configure the IGMP snooping version and querier. By default, IGMP snooping is disabled in a VLAN. IMPORTANT: IGMP snooping must be enabled globally before you enable it for a VLAN.
Configuring IGMP snooping in a VLAN Select Network > IGMP snooping from the navigation tree. Click the icon corresponding to the VLAN. Figure 241 VLAN configuration. Configure the parameters as described in Table 85. Click Apply. Table 85 Configuration items: Enable or disable IGMP snooping in the VLAN.
Drop Unknown: Enable or disable the function of dropping unknown multicast packets. Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table. If the function is enabled, the switch forwards unknown multicast packets to the router ports only, instead of flooding them in the VLAN.
Figure 242 Advanced configuration. Configure the parameters as described in Table 86. Click Apply. Table 86 Configuration items: Select the port on which advanced IGMP snooping features will be configured. The port can be an Ethernet port or a Layer 2 aggregate port. After a port is selected, the advanced features configured on this port are displayed at the lower part of the page.
Item Description Enable or disable the fast-leave function for the port. With the fast-leave function enabled on a port, when the switch receives an IGMP leave message on the port, it immediately deletes that port from the outgoing port list of the corresponding forwarding table entry.
IGMP snooping configuration example Network requirements As shown in Figure 245, IGMPv2 runs on Router A and IGMPv2 snooping runs on Switch A. Router A acts as the IGMP querier. Perform the configuration so that Host A can receive the multicast data destined for the multicast group (224.1.1.1), and Switch A drops the unknown multicast data rather than flooding it in the VLAN.
Figure 246 Creating VLAN 100 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field. Select the Untagged option for Select membership type. Enter 100 as the VLAN ID.
Figure 247 Assigning a port to the VLAN Enable IGMP snooping globally: Select Network > IGMP snooping from the navigation tree. Select the Enable option. Click Apply.
Figure 248 Enabling IGMP snooping globally Enable IGMP snooping and the function of dropping unknown multicast data for VLAN 100: Click the icon corresponding to VLAN 100. Select the Enable option for IGMP snooping. Select the 2 option for Version. Select the Enable option for Drop Unknown.
Verifying the configuration Select Network > IGMP snooping from the navigation tree. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast entries.
Configuring MLD snooping Overview Multicast Listener Discovery (MLD) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups. By analyzing received MLD messages, a Layer 2 device running MLD snooping establishes mappings between ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings.
Figure 253 MLD snooping related ports. MLD snooping related ports include the following types: • Router port—Port on an Ethernet switch that leads the switch toward a Layer 3 multicast device (designated router or MLD querier). As shown in Figure 253, GigabitEthernet 1/0/1 of Switch A and Ethernet 1/0/1 of Switch B are router ports.
Timer: Dynamic member port aging timer
Description: When a port dynamically joins an IPv6 multicast group, the switch sets an aging timer for the port. When the timer expires,...
Message before expiry: MLD membership report
Action after expiry: The switch removes this port from the MLD snooping forwarding...
receiving this report. This makes the switch unable to know whether the reported IPv6 multicast group still has active members attached to that port. When receiving a done message When a host leaves an IPv6 multicast group, the host sends an MLD done message to the multicast router. When the switch receives an MLD done message on a member port, it first checks whether a forwarding entry matches the IPv6 group address in the message, and, if a match is found, whether the forwarding entry contains the dynamic member port.
Configuring MLD snooping in a VLAN (Required.) Enable MLD snooping for the VLAN and configure the MLD snooping version and querier. By default, MLD snooping is disabled in a VLAN. IMPORTANT: MLD snooping must be enabled globally before you enable it for a VLAN.
Configuring MLD snooping in a VLAN Select Network > MLD snooping from the navigation tree. Click the icon corresponding to the VLAN. Figure 255 VLAN configuration. Configure the parameters as described in Table 88. Click Apply. Table 88 Configuration items: Enable or disable MLD snooping in the VLAN.
Drop Unknown: Enable or disable the function of dropping unknown IPv6 multicast packets. Unknown IPv6 multicast data refers to IPv6 multicast data for which no entries exist in the MLD snooping forwarding table. If the function is enabled, the switch forwards unknown IPv6 multicast packets to the router ports only, instead of flooding them in the VLAN.
Figure 256 Advanced configuration. Configure the parameters as described in Table 89. Click Apply. Table 89 Configuration items: Select the port on which advanced MLD snooping features will be configured. The port can be an Ethernet port or a Layer 2 aggregate port. After a port is selected, the advanced features configured on this port are displayed at the lower part of the page.
Item Description Enable or disable the fast-leave function for the port. With the fast-leave function enabled on a port, when the switch receives an MLD done message on the port, it immediately deletes that port from the outgoing port list of the corresponding IPv6 forwarding table entry.
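The following Python model is an added example, not code from this guide or from the switch. It serves both the IGMP snooping section and the MLD snooping section above, because the forwarding logic they describe is identical apart from the address family: a per-VLAN table of router ports and dynamic member ports with aging timers, the Drop Unknown behaviour (unknown groups go to router ports only instead of being flooded), and the difference between fast-leave and the normal leave/done handling. Group addresses are plain strings so the same class takes 224.1.1.1 and FF1E::101. The timer values (260 s aging, 1 s grace period after a leave) and the port names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingVlan:
    """IGMP/MLD snooping state for one VLAN (simplified model, not the switch's implementation).
    Groups are plain strings, so the same class models IPv4 (IGMP) and IPv6 (MLD) groups."""
    vlan_ports: set                    # all ports in the VLAN (the flooding domain)
    router_ports: set                  # ports toward the querier / Layer 3 multicast device
    drop_unknown: bool = False         # the Drop Unknown configuration item
    fast_leave_ports: set = field(default_factory=set)
    member_aging: float = 260.0        # dynamic member port aging timer in seconds (assumed value)
    last_member_query: float = 1.0     # grace period after a leave/done message (assumed value)
    groups: dict = field(default_factory=dict)   # group -> {member port: expiry time}

    def on_report(self, group, port, now):
        """Membership report (IGMP report or MLD report): add or refresh the member port."""
        self.groups.setdefault(group, {})[port] = now + self.member_aging

    def on_leave(self, group, port, now):
        """IGMP leave or MLD done message received on a member port."""
        members = self.groups.get(group)
        if not members or port not in members:
            return
        if port in self.fast_leave_ports:
            del members[port]          # fast-leave: no group-specific query, port removed at once
        else:
            # Otherwise the port stays until the query window passes without a new report.
            members[port] = min(members[port], now + self.last_member_query)
        if not members:
            del self.groups[group]

    def expire(self, now):
        """Age out member ports whose timer has run out (an IGMPv1 host never sends a leave)."""
        for group in list(self.groups):
            members = self.groups[group]
            for port, expiry in list(members.items()):
                if expiry <= now:
                    del members[port]
            if not members:
                del self.groups[group]

    def egress(self, group, in_port, now):
        """Ports to which a multicast frame for `group` arriving on `in_port` is sent."""
        self.expire(now)
        if group in self.groups:
            out = set(self.groups[group]) | self.router_ports
        elif self.drop_unknown:
            out = set(self.router_ports)    # unknown group: router ports only, no flooding
        else:
            out = set(self.vlan_ports)      # unknown group: flooded in the VLAN
        return sorted(out - {in_port})
```

With Drop Unknown enabled, a stream for a group nobody has joined is sent to no access port at all when it arrives from the router port, which is the behaviour the configuration examples ask for. Without fast-leave, a leave only shortens the port's timer, so a report arriving within the grace period keeps the port in the group; with fast-leave, the first leave or done message on the port removes it immediately, which is only safe when a single host is attached to that port.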
Field descriptions: Group Address: Multicast group address. Router Ports: All router ports. Member Ports: All member ports. MLD snooping configuration example Network requirements As shown in Figure 259, MLDv1 runs on Router A and MLDv1 snooping runs on Switch A. Router A acts as the MLD querier.
Figure 260 Creating VLAN 100 Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field. Select the Untagged option for Select membership type. Enter 100 as the VLAN ID.
Figure 261 Assigning a port to the VLAN Enable MLD snooping globally: Select Network > MLD snooping from the navigation tree. Select the Enable option. Click Apply. Figure 262 Enabling MLD snooping globally...
Enable MLD snooping and the function of dropping unknown IPv6 multicast data for VLAN 100: Click the icon corresponding to VLAN 100. Select the Enable option for MLD snooping. Select the 1 option for Version.
Figure 265 MLD snooping multicast entry information The output shows that GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for IPv6 multicast group (FF1E::101).
Configuring IPv4 and IPv6 routing NOTE: The term router in this document refers to both routers and Layer 3 switches. Overview A router selects a route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path delivers the packet to the destination host.
Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually. Default route A default route is used to forward packets that match no entry in the routing table. Without a default route, a packet that does not match any routing entries is discarded and an Internet Control Message Protocol (ICMP) destination-unreachable packet is sent to the source.
Field descriptions: Next Hop: Next hop IP address of the IPv4 route. Interface: Outgoing interface of the IPv4 route. Packets destined for the specified network segment are sent out of this interface. Creating an IPv4 static route Select Network > IPv4 Routing from the navigation tree. Click the Create tab.
Mask: Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation. Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different...
Field descriptions: Next Hop: Next hop IP address of the IPv6 route. Interface: Outgoing interface of the IPv6 route. Packets destined for the specified network segment are sent out of this interface. Creating an IPv6 static route Select Network > IPv6 Routing from the navigation tree. Click the Create tab.
Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences for them enables route backup.
Figure 271 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv4 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.
Figure 272 Configuring a static route Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv4 Routing from the navigation tree of Switch C. Click the Create tab.
Figure 273 Configuring a default route Verifying the configuration Display the routing table: Enter the IPv4 route page of Switch A, Switch B, and Switch C to verify that the newly configured static routes are displayed as active routes on the page. Ping Host C from Host A (assuming both hosts run Windows XP): C:\Documents and Settings\Administrator>ping 1.1.3.2 Pinging 1.1.3.2 with 32 bytes of data:...
IPv6 static route configuration example Network requirements The IP addresses of devices are shown in Figure 274. Configure IPv6 static routes on Switch A, Switch B and Switch C for any two hosts to communicate with each other. Figure 274 Network diagram Host B 2::2/64 Vlan-int400...
Figure 275 Configuring a default route Configure a static route to Switch A and Switch C on Switch B: Select Network > IPv6 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1:: for Destination IP Address, select 64 from the Prefix Length list, and enter 4::1 for Next Hop.
Figure 276 Configuring a static route Enter 3:: for Destination IP Address, select 64 from the Prefix Length list, and enter 5::1 for Next Hop. Click Apply. Configure a default route to Switch B on Switch C: Select Network > IPv6 Routing from the navigation tree of Switch C. Click the Create tab.
Figure 277 Configuring a default route Verifying the configuration Display the routing table: Enter the IPv6 route page of Switch A, Switch B, and Switch C respectively to verify that the newly configured static routes are displayed as active routes on the page. Ping Host C from Switch A: <SwitchA>...
0.00% packet loss round-trip min/avg/max = 62/62/63 ms Configuration guidelines When you configure a static route, follow these guidelines: • If you do not specify the preference, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. Currently, the Web interface does not support configuration of the default preference.
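The Preference descriptions above say that equal preferences give load sharing and different preferences give route backup, and the default route overview says an unmatched packet is discarded. The following Python model is an added example (not code from the guide or the switch) of that selection logic: longest prefix match first, then lowest preference value among the matches, with next hops marked down excluded so that the higher-valued route takes over. The routes use the addresses from the IPv4 and IPv6 static route examples above; the second next hop 1.1.6.2, the default route next hop 1.1.4.2 and the default preference value of 60 (the Comware static route default) are assumptions for the demonstration.

```python
import ipaddress
import zlib
from dataclasses import dataclass

DEFAULT_PREFERENCE = 60   # assumed default static route preference (Comware default)


@dataclass(frozen=True)
class StaticRoute:
    destination: str            # "1.1.2.0/24", "0.0.0.0/0", "1::/64", "::/0"
    next_hop: str
    preference: int = DEFAULT_PREFERENCE


class RoutingTable:
    """Selects among IPv4/IPv6 static routes by longest prefix, then by preference.
    Routes whose next hop is marked down are skipped, which is what makes a route with a
    higher preference value act as a backup for one with a lower value."""

    def __init__(self):
        self.routes = []
        self.down_next_hops = set()

    def add(self, destination, next_hop, preference=DEFAULT_PREFERENCE):
        net = ipaddress.ip_network(destination)   # validates mask/prefix length
        self.routes.append(StaticRoute(str(net), next_hop, preference))

    def active_next_hops(self, dst):
        """Next hops currently used for `dst`; more than one means load sharing."""
        addr = ipaddress.ip_address(dst)
        usable = []
        for r in self.routes:
            net = ipaddress.ip_network(r.destination)
            if net.version == addr.version and addr in net and r.next_hop not in self.down_next_hops:
                usable.append((net.prefixlen, r))
        if not usable:
            return []   # no match and no default route: packet discarded, ICMP unreachable sent
        longest = max(prefixlen for prefixlen, _ in usable)
        best = [r for prefixlen, r in usable if prefixlen == longest]
        pref = min(r.preference for r in best)
        return sorted(r.next_hop for r in best if r.preference == pref)

    def forward(self, dst, flow_key):
        """Pick one of the active next hops per flow so a flow's packets stay on one path."""
        hops = self.active_next_hops(dst)
        if not hops:
            return None
        return hops[zlib.crc32(flow_key.encode()) % len(hops)]
```

Switch B's two routes from the example resolve as expected; adding a second route to 1.1.3.0/24 with the same preference yields two active next hops, while giving it preference 70 keeps it idle until 1.1.5.6 is marked down. The same table handles the IPv6 example, and an address from the other family never matches.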
DHCP overview NOTE: After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Configuring VLAN interfaces"...
Dynamic IP address allocation process Figure 279 Dynamic IP address allocation process The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
DHCP message format Figure 280 gives the DHCP message format, which is based on the BOOTP message format and involves eight types. These types of messages have the same format except that some fields have different values. The numbers in parentheses indicate the size of each field in bytes. Figure 280 DHCP message format op (1) htype (1)
DHCP options DHCP options overview DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 281 DHCP option format Introduction to DHCP options Common DHCP options: Option 3—Router option.
The administrator can locate the DHCP client to further implement security control and accounting. The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients. Option 82 involves at most 255 sub-options. At least one sub-option is defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).
Configuring DHCP relay agent Introduction to DHCP relay agent Application environment Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server must be available on each subnet, which is not practical. DHCP relay agent solves the problem.
Figure 285 DHCP relay agent work process As shown in Figure 285, the DHCP relay agent works as follows: After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.
Configuring and displaying clients' IP-to-MAC bindings (Optional.) Create a static IP-to-MAC binding, and view static and dynamic bindings. The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindings on the DHCP relay agent so that users can access the external network using fixed IP addresses.
Figure 286 DHCP relay agent configuration page Enable DHCP service and configure advanced parameters for DHCP relay agent as described Table 95. Click Apply.
Table 95 Configuration items
DHCP Service: Enable or disable global DHCP.
Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. Unauthorized DHCP servers on a network can answer DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of any DHCP server that assigned an IP address to the DHCP...
Click Apply. Table 96 Configuration items
Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
IP Address: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent;...
Configuring and displaying clients' IP-to-MAC bindings Select Network > DHCP from the navigation tree to enter the DHCP Relay page shown in Figure 286. In the User Information area, click User Information to view static and dynamic bindings. Figure 289 Displaying clients' IP-to-MAC bindings Click Add to enter the page for creating a static IP-to-MAC binding.
DHCP relay agent configuration example Network requirements As shown in Figure 291, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24.
Figure 292 Enabling DHCP Configure a DHCP server group: In the Server Group area, click Add. On the page that appears, enter 1 for Server Group ID, and enter 10.1.1.1 for IP Address. Click Apply. Figure 293 Adding a DHCP server group Enable the DHCP relay agent on VLAN-interface 1:...
In the Interface Config field, click the icon for VLAN-interface 1. On the page that appears, select the Enable option next to DHCP Relay and select 1 for Server Group ID. Click Apply.
Configuring DHCP snooping NOTE: A DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server, and it can work when it is between the DHCP client and relay agent or between the DHCP client and server.
Application of trusted ports Configuring a trusted port connected to a DHCP server Figure 295 Configuring trusted and untrusted ports As shown in Figure 295, a DHCP snooping device’s port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.
Table 99 Roles of ports Trusted port disabled from Trusted port enabled to Device Untrusted port recording binding entries record binding entries Switch A GigabitEthernet 1/0/1 GigabitEthernet 1/0/3 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3 and Switch B GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 GigabitEthernet 1/0/4 GigabitEthernet 1/0/3 and Switch C GigabitEthernet 1/0/1...
Configuring DHCP snooping functions on an interface (Required.) Specify an interface as trusted and configure DHCP snooping to support Option 82. By default, an interface is untrusted and DHCP snooping does not support Option 82. IMPORTANT: You need to specify the ports connected to the authorized DHCP servers as trusted to make sure that DHCP clients can obtain valid IP addresses.
Configuring DHCP snooping functions on an interface Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab to enter the page shown in Figure 297. Click the icon for a specific interface in the Interface Config area. Figure 298 DHCP snooping interface configuration page Configure DHCP snooping on the interface as described in Table 101.
Figure 299 DHCP snooping user information. Table 102 Field description
IP Address: Displays the IP address assigned by the DHCP server to the client.
MAC Address: Displays the MAC address of the client.
Type: Displays the client type, which can be: •...
Figure 300 Network diagram Configuring Switch B Enable DHCP snooping: Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab. Select the Enable option next to DHCP Snooping to enable DHCP snooping. Figure 301 Enabling DHCP snooping Configure DHCP snooping functions on GigabitEthernet 1/0/1: Click the icon for GigabitEthernet 1/0/1 on the interface list.
Select the Trust option next to Interface State. Click Apply. Figure 302 Configuring DHCP snooping functions on GigabitEthernet 1/0/1 Configure DHCP snooping functions on GigabitEthernet 1/0/2: Click the icon for GigabitEthernet 1/0/2 on the interface list. Select the Untrust option for Interface State, select the Enable option next to Option 82 Support, and select Replace for Option 82 Strategy.
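The following Python script is an added example, not code from this guide or from the switch. It ties together several passages above: the DHCP message format and Option 82 sub-options (Circuit ID, Remote ID), the relay agent filling in giaddr, and the DHCP snooping rules just configured (server replies accepted only on trusted ports, bindings recorded from ACKs on trusted ports, Option 82 inserted on untrusted client ports with a Drop/Keep/Replace strategy for messages that already carry it). The sub-option encoding (port name as Circuit ID, the string "switch-b" as Remote ID), the transaction ID, the client MAC 00:11:22:33:44:55, the relay address 10.10.1.1 and the rogue offer 192.168.1.77 are assumptions; the switch's real Circuit ID format is not reproduced.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", extra=()):
    """Serialize a minimal DHCP message: 236-byte BOOTP header, magic cookie, options, end."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)    # htype 1, hlen 6, broadcast flag
    hdr += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes("0.0.0.0") + ip_bytes(giaddr)
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128       # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in extra:
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(data):
    """Parse the fixed fields and the option list (pad 0 and end 255 handled)."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    if data[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": ip_str(data[12:16]), "yiaddr": ip_str(data[16:20]),
            "siaddr": ip_str(data[20:24]), "giaddr": ip_str(data[24:28]),
            "chaddr": data[28:28 + hlen].hex(":"), "options": options}


def set_option(data, code, value):
    """Return a copy of the message with option `code` inserted or replaced."""
    options = parse_dhcp(data)["options"]
    options[code] = value
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return data[:240] + body + b"\xff"


def option82(circuit_id, remote_id):
    """Option 82 value: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value):
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_to_server(data, relay_ip):
    """DHCP relay agent: fill giaddr with its own address if the message has none, then unicast."""
    if parse_dhcp(data)["giaddr"] == "0.0.0.0":
        data = data[:24] + ip_bytes(relay_ip) + data[28:]
    return data


class DhcpSnooping:
    """Trusted/untrusted port logic and Option 82 handling of a DHCP snooping device."""

    def __init__(self, trusted_ports, option82_ports=(), strategy="replace", remote_id=b"switch-b"):
        self.trusted = set(trusted_ports)
        self.option82_ports = set(option82_ports)
        self.strategy = strategy        # "drop", "keep" or "replace" when Option 82 is already present
        self.remote_id = remote_id
        self.bindings = {}              # client MAC -> IP, recorded from ACKs on trusted ports

    def handle(self, data, in_port):
        msg = parse_dhcp(data)
        msg_type = msg["options"][OPT_MSG_TYPE][0]
        if msg_type in SERVER_MESSAGES:
            if in_port not in self.trusted:
                return "drop", data     # server reply on an untrusted port: unauthorized server
            if msg_type == ACK:
                self.bindings[msg["chaddr"]] = msg["yiaddr"]
            return "forward", data
        if in_port in self.option82_ports:
            mine = option82(in_port.encode(), self.remote_id)   # assumed encoding, see lead-in
            if OPT_RELAY_AGENT in msg["options"]:
                if self.strategy == "drop":
                    return "drop", data
                if self.strategy == "replace":
                    data = set_option(data, OPT_RELAY_AGENT, mine)
            else:
                data = set_option(data, OPT_RELAY_AGENT, mine)
        return "forward", data
```

Note what is and is not checked here: an OFFER or ACK arriving on an untrusted port is dropped regardless of its contents, which is the whole point of the trusted-port model, while a client message arriving with someone else's Option 82 is only rejected when the strategy is Drop. A downstream switch that legitimately inserts Option 82 (the cascaded topology in Figure 295) therefore needs Keep on the upstream port, and an access port facing end hosts should use Replace or Drop so that a host cannot forge the Circuit ID the server uses for address assignment policy.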
Managing services Overview The service management module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable each service as needed, so that only the management services you actually use are exposed, which improves both the performance and the security of the device. The service management module also lets you change the HTTP and HTTPS port numbers and associate the FTP, HTTP, or HTTPS service with an ACL, so that only permitted source addresses can reach these services.
• Defines a certificate attribute-based access control policy for the device to control the access rights of the client, in order to further avoid attacks from illegal clients. Managing services Select Network > Service from the navigation tree. The service management configuration page appears. Figure 305 Service management. Manage services as described in Table...
Enable HTTP service: Enable or disable the HTTP service. The HTTP service is enabled by default.
Port Number: Set the port number for the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: HTTP...
Using diagnostic tools Overview Ping Use ping to test connectivity to a specified address. Ping operates as follows: The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
Ping operation IPv4 ping operation Select Network > Diagnostic Tools from the navigation tree. The IPv4 ping configuration page appears. Figure 306 IPv4 ping configuration page Type the IPv4 address or the host name of the destination device in the Destination IP address or host name field.
IPv6 ping operation Select Network > Diagnostic Tools from the navigation tree. Click the IPv6 Ping tab. The IPv6 ping configuration page appears. Figure 308 IPv6 ping configuration page Type the IPv6 address or the host name of the destination device in the Destination IPv6 address or host name field.
NOTE: Before performing the traceroute operation, execute the ip ttl-expires enable command on intermediate devices to enable the sending of ICMP timeout packets, and execute the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets. IPv4 traceroute operation Select Network >...
Figure 311 IPv4 traceroute operation result IPv6 traceroute operation Select Network > Diagnostic Tools from the navigation tree. Click the IPv6 Traceroute tab. The IPv6 traceroute configuration page appears. Figure 312 IPv6 traceroute configuration page Type the IPv6 address or host name of the destination device in the Destination IPv6 address or host name field.
LAN, you can also use the network access device as the authentication server. Access control methods HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. • Port-based access control—once an 802.1X user passes authentication on a port, any subsequent...
Controlled/uncontrolled port and port authorization status 802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports. • The controlled port allows incoming and outgoing traffic to pass through when it is in the authorized...
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 104 lists the types of EAPOL packets that the HP implementation of 802.1X supports. Table 104 Types of EAPOL packets Value...
01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
Access device as the initiator The access device initiates authentication if a client, for example the 802.1X client available with Windows XP, cannot send EAPOL-Start packets. The access device supports the following modes: • Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically...
• If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay.
Figure 322 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.
The authentication server compares the received encrypted password (the MD5 hash computed over the password and the challenge) with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
Figure 323 802.1X authentication procedure in EAP termination mode. In EAP termination mode, it is the network access device rather than the authentication server that generates the MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and the encrypted password in a standard RADIUS packet to the RADIUS server.
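The following Python script is an added example, not code from this guide or from the switch. It walks through the EAP termination exchange just described with real packet encodings: EAPOL framing (version, type, length), EAP Request/Response packets, the MD5-Challenge response computed as MD5(identifier || password || challenge), and the RADIUS-side verification of the CHAP-Password and CHAP-Challenge attributes that the access device sends in place of EAP-Message attributes. The username alice, the passwords and the fixed challenge used in the checks are constructed test data; the user database stands in for the RADIUS server's store.

```python
import hashlib
import hmac
import os
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eapol(packet_type, body=b""):
    """EAPOL PDU (after the Ethernet header): protocol version, type, length, packet body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(pdu):
    version, packet_type, length = struct.unpack("!BBH", pdu[:4])
    return {"version": version, "type": packet_type, "body": pdu[4:4 + length]}


def eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then type and type-data for Request/Response."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    return {"code": code, "id": identifier, "type": body[0] if body else None, "data": body[1:]}


def md5_response(identifier, password, challenge):
    """MD5-Challenge response value (RFC 3748, same as CHAP in RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_challenge_request(identifier, challenge, name=b""):
    # type-data: value-size (1 byte), challenge value, optional name
    return eap(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
               bytes([len(challenge)]) + challenge + name)


def md5_challenge_response(identifier, password, challenge, name):
    value = md5_response(identifier, password, challenge)
    return eap(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE, bytes([len(value)]) + value + name)


def radius_chap_attrs(username, identifier, challenge, response):
    """Attributes the access device puts in Access-Request in EAP termination mode."""
    return {"User-Name": username,
            "CHAP-Password": bytes([identifier]) + response,   # attribute 3: CHAP ident + 16-byte value
            "CHAP-Challenge": challenge}                        # attribute 60


def radius_verify_chap(attrs, user_db):
    """RADIUS server side: recompute the response from the stored password and compare."""
    password = user_db.get(attrs["User-Name"])
    if password is None:
        return False
    ident, response = attrs["CHAP-Password"][0], attrs["CHAP-Password"][1:]
    return hmac.compare_digest(md5_response(ident, password, attrs["CHAP-Challenge"]), response)


def eap_termination_exchange(username, client_password, user_db, challenge=None):
    """Run the EAP termination handshake and return the access device's final decision."""
    challenge = challenge or os.urandom(16)        # generated by the access device, not the server
    unwrap = lambda pdu: parse_eap(parse_eapol(pdu)["body"])
    # 1. client -> access device: EAPOL-Start (no body)
    start = eapol(EAPOL_START)
    # 2. access device -> client: EAP-Request/Identity
    req_id = unwrap(eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
    # 3. client -> access device: EAP-Response/Identity carrying the username
    resp_id = unwrap(eapol(EAPOL_EAP_PACKET,
                           eap(EAP_RESPONSE, req_id["id"], EAP_TYPE_IDENTITY, username)))
    # 4. access device -> client: EAP-Request/MD5-Challenge with the locally generated challenge
    req_md5 = unwrap(eapol(EAPOL_EAP_PACKET, md5_challenge_request(2, challenge)))
    chal = req_md5["data"][1:1 + req_md5["data"][0]]
    # 5. client -> access device: EAP-Response/MD5-Challenge over the client's password
    resp_md5 = unwrap(eapol(EAPOL_EAP_PACKET,
                            md5_challenge_response(req_md5["id"], client_password, chal, username)))
    response = resp_md5["data"][1:1 + resp_md5["data"][0]]
    # 6. access device -> RADIUS: User-Name, CHAP-Password, CHAP-Challenge; server verifies
    ok = radius_verify_chap(radius_chap_attrs(resp_id["data"], resp_md5["id"], chal, response), user_db)
    # 7. access device -> client: EAP-Success authorizes the controlled port, EAP-Failure does not
    final = unwrap(eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if ok else EAP_FAILURE, resp_md5["id"])))
    return {"authorized": ok, "final_code": final["code"], "start_type": parse_eapol(start)["type"]}
```

In EAP relay mode the access device would instead copy each EAP packet unchanged into RADIUS EAP-Message attributes and the server would generate the challenge; the client-side computation is the same. MD5-Challenge authenticates only the client, and the challenge/response pair travels in clear on the access segment, so the strength of the password is the only thing standing between a captured exchange and offline guessing; the EAP methods that the guide says require EAP relay (EAP-TLS, PEAP) protect the exchange with TLS.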
• Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
Authentication status / VLAN manipulation
No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled: Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.
NOTE: The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member. ACL assignment You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user.
Figure 324 802.1X global configuration In the 802.1X Configuration area, select the Enable 802.1X box. Select an authentication method. Options include CHAP, PAP, and EAP. For more information about EAP relay and EAP termination, see "A comparison of EAP relay and EAP termination."...
Table 105 Configuration items
Quiet: Specify whether to enable the quiet timer. The quiet timer enables the network access device to wait a period of time, defined by the Quiet Period option, before it can process any authentication request from a client that has failed an 802.1X authentication.
In the Ports With 802.1X Enabled area, click Add. Figure 326 802.1X configuration on a port. Configure the 802.1X feature on a port as described in Table 106. Click Apply. Table 106 Configuration items
Port: Select a port where you want to enable 802.1X. Only 802.1X-disabled ports are available.
Item Description Select the box to enable the online user handshake function. The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online Enable Handshake users at the interval specified by the Handshake Period option. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times option) has been made, the network access device sets the user in the offline state.
Configuration examples 802.1X configuration example Network requirements As shown in Figure 327, the access device performs 802.1X authentication for users that connect to port GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.
Figure 328 Global 802.1X configuration In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Select the Enable Re-Authentication box, and click Apply. Figure 329 802.1X configuration of GigabitEthernet 1/0/1 Configuring a RADIUS scheme From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page appears.
Select the server type Authentication Server. Enter the IP address 10.1.1.1, enter the port number 1812, and select the primary server status active. Enter the IP address 10.1.1.2, enter the port number 1813, and select the secondary server status active. Click Apply.
Figure 331 Configuring a RADIUS scheme Configuring AAA From the navigation tree, select Authentication > AAA. The domain setup page appears. Enter test in the Domain Name field, and select Enable from the Default Domain list. Click Apply.
Page 383
Figure 332 Creating an ISP domain On the Authentication tab, select the ISP domain test, select the Default AuthN box, select the authentication method RADIUS, select the authentication scheme system from the Name list, and click Apply. A configuration progress dialog box appears, as shown in Figure 334.
Page 384
Figure 334 Configuration progress dialog box On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select the authorization method RADIUS, select the authorization scheme system from the Name list, and click Apply. After the configuration process is complete, click Close. Figure 335 Configuring the AAA authorization method for the ISP domain On the Accounting tab, select the domain name test, select the Default Accounting box, select the accounting method RADIUS, select the accounting scheme system from the Name list, and click...
Figure 336 Configuring the AAA accounting method for the ISP domain ACL assignment configuration example Network requirements As shown in Figure 337, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
Enter the IP address 10.1.1.1, enter the port number 1812, and select the primary server status active. Click Apply.
Figure 338 Configuring the RADIUS primary authentication server
Configure the RADIUS primary accounting server: Select the server type Accounting Server. Enter the IP address 10.1.1.2, enter the port number 1813, and select the primary server status active.
Select the Accounting Server Shared Key box, enter abc in the field next to the box and in the Confirm Accounting Shared Key field. Select with-domain from the Username Format list. Click Apply.
Figure 340 Configuring a RADIUS scheme
Configuring AAA
From the navigation tree, select Authentication >...
Figure 341 Creating an ISP domain
On the Authentication tab, select the ISP domain test, select the Default AuthN box, select the authentication method RADIUS, select the authentication scheme system from the Name list, and click Apply. A configuration progress dialog box appears, as shown in Figure 343.
Figure 343 Configuration progress dialog box
On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select the authorization method RADIUS, select the authorization scheme system from the Name list, and click Apply. After the configuration process is complete, click Close.
Figure 344 Configuring the AAA authorization method for the ISP domain
On the Accounting tab, select the domain name test, select the Accounting Optional box, select Enable from the list, select the Default Accounting box, select the accounting method RADIUS,...
Figure 345 Configuring the AAA accounting method for the ISP domain
Configuring an ACL
From the navigation tree, select QoS > ACL IPv4. On the Add tab, enter the ACL number 3000, and click Apply.
Figure 346 Creating ACL 3000
On the Advanced Setup tab, configure an ACL rule: Select 3000 from the ACL list.
Figure 347 ACL rule configuration
Configuring the 802.1X feature
From the navigation tree, select Authentication > 802.1X. Select the Enable 802.1X box. Select the authentication method CHAP. Click Apply.
Figure 348 Global 802.1X configuration
In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Click Apply.
Figure 349 802.1X configuration of GigabitEthernet 1/0/1
Verifying the configuration
After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.
The ping page appears. Enter the destination IP address 10.0.0.1. Click Start to start the ping operation. Figure 350 shows the ping operation summary.
Figure 350 Ping operation summary...
Configuring AAA
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and...
Figure 352 Determining the ISP domain of a user by the username
The authentication, authorization, and accounting of a user depend on the AAA methods configured for the domain that the user belongs to. If no specific AAA methods are configured for the domain, the default methods are used.
Configuring authorization methods for the ISP domain (Optional.): Specify the authorization methods for various types of users. By default, all types of users use local authorization.
Configuring accounting methods for the ISP domain (Optional.): Specify the accounting methods for various types of users. By default, all types of users use local accounting.
Default Domain: Specify whether to use the ISP domain as the default domain. Options include:
• Enable—Uses the domain as the default domain.
• Disable—Uses the domain as a non-default domain.
There can only be one default domain at a time. If you specify a second domain as the default domain, the original default domain becomes a non-default domain.
Default AuthN / Name: Configure the default authentication method and secondary authentication method for all types of users. Options include:
• HWTACACS—Performs HWTACACS authentication based on an HWTACACS scheme. The switch series does not support this option.
• Local—Performs local authentication.
•...
Figure 355 Authorization method configuration page
Select the ISP domain and specify authorization methods for the ISP domain as described in Table 109. Click Apply. Click Close in the success message dialog box that appears.
Table 109 Configuration items
Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.
Login AuthZ / Name / Secondary Method: Configure the authorization method and secondary authorization method for login users. Options include:
• HWTACACS—Performs authorization based on an HWTACACS scheme. The switch series does not support this option.
• Local—Performs local authorization.
• None—All users are trusted and authorized. A user gets the default rights of the system.
Accounting Optional: Specify whether to enable the accounting optional feature. With the feature enabled, a user who would otherwise be disconnected can use the network resources even when there is no accounting server available or when communication with the current accounting server fails. If accounting for such a user fails, the switch no longer sends real-time accounting updates for the user.
Figure 357 Network diagram
Configuration procedure
Enable the Telnet server function, and configure the switch to use AAA for Telnet users. (Details not shown.)
Configure IP addresses for the interfaces. (Details not shown.)
Configure a local user: Select Device > Users from the navigation tree. Click the Create tab.
Figure 359 Configuring an ISP domain
Configure the ISP domain to use local authentication: Select Authentication > AAA from the navigation tree. Click the Authentication tab. Select the domain test. Select Login AuthN and select the authentication method Local.
Figure 360 Configuring the ISP domain to use local authentication
Click Apply.
Figure 361 Configuration progress dialog box
Configure the ISP domain to use local authorization: Select Authentication > AAA from the navigation tree. Click the Authorization tab. Select the domain test. Select Login AuthZ and select the authorization method Local. Click Apply. A configuration progress dialog box appears.
After the configuration process is complete, click Close.
Figure 363 Configuring the ISP domain to use local accounting
Verifying the configuration
Telnet to the switch and enter the username telnet@test and password abcd. You should be serviced as a user in domain test.
Configuring portal authentication
Overview
Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a "portal website." With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.
Figure 364 Portal system components (authentication clients, access device, portal server, security policy server, authentication/accounting server)
Authentication client
An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
To implement security check, the client must be the HP iNode client. Portal authentication supports NAT traversal whether it is initiated by a web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
Protocols used for interaction between the client and local portal server
HTTP and HTTPS can be used for communication between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text.
Therefore, no additional configuration is needed on the access device.
NOTE:
• This function requires the cooperation of the HP IMC portal server and HP iNode portal client.
• Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication.
•...
the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, you can specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device.
Based on the security check result, the security policy server authorizes the user to access certain resources, and sends the authorization information to the access device. The access device then controls access of the user based on the authorization information.
Authentication process with the local portal server
Figure 369 Authentication process with local portal server
With local portal server, the direct/cross-subnet authentication process is as follows:...
The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process. The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client.
• To implement extended portal functions, install and configure IMC EAD, and make sure the ACLs configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server.
On the access device, the security policy server address is the same as the authentication server address.
Configuring a portal-free rule (Optional.): Configure a portal-free rule, specifying the source and destination information for packet filtering. A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites.
TIP:
The portal service applied on an interface may be in the following states:
• Running—Indicates that portal authentication has taken effect on the interface.
• Enabled—Indicates that portal authentication has been enabled on the interface but has not taken effect.
Online Detection Interval: Set the Layer 2 portal user detection interval. After a Layer 2 portal user gets online, the device starts a detection timer for the user, and checks whether the user's MAC address entry has been aged out or the user's MAC address entry has been matched (a match means a packet has been received from the...
Figure 373 Applying a portal server to a Layer 3 interface
Configure Layer 3 portal authentication as described in Table 112. Click Apply.
Table 112 Configuration items
Interface: Select the Layer 3 interface to be enabled with portal authentication.
Select the portal server to be applied on the selected interface.
Auth Network IP: Enter the IP address and mask of the authentication subnet. This field is configurable when you select the Layer3 mode (cross-subnet portal authentication). By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication.
Figure 375 Configuring the local portal server
Table 114 Configuration items
Server Name: Type a name for the local portal server.
Type the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.
Table 115 Configuration items
Configure the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication. To make sure that a user using a web proxy server can trigger portal authentication, you need to add the port number of the proxy server on the device and the user needs to specify the listening IP address of the local portal server as a proxy exception in the browser.
Configuring a portal-free rule
Select Authentication > Portal from the navigation tree. Click the Free Rule tab to enter the portal-free rule list page.
Figure 377 Portal-free rule list
Click Add. The page for adding a new portal-free rule appears.
Figure 378 Adding a portal-free rule
Configure a portal-free rule as described in Table...
Source MAC: Specify a source MAC address for the portal-free rule.
IMPORTANT: If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address will not take effect.
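A portal-free rule check, as an added Python example that is not the switch's or the manual's own code: it refuses the combination the IMPORTANT note above warns about (a source MAC takes effect only with a 255.255.255.255 source mask), matches packets against the configured rules, and applies the Layer 3 mode condition that only HTTP packets from the authentication subnet trigger portal authentication. Rule numbers, addresses and MAC addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOST_MASK = "255.255.255.255"  # the source mask required when a source MAC is also set


@dataclass(frozen=True)
class PortalFreeRule:
    number: int
    source: Optional[ipaddress.IPv4Network] = None       # source IP + mask, None = any
    source_mac: Optional[str] = None                     # normalised, None = any
    destination: Optional[ipaddress.IPv4Network] = None  # destination IP + mask, None = any


def normalize_mac(mac):
    """Accept aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff; return one canonical form."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: " + mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def make_rule(number, source_ip=None, source_mask=HOST_MASK, source_mac=None,
              dest_ip=None, dest_mask=HOST_MASK):
    """Build a rule, rejecting a source MAC combined with a non-host source mask
    instead of silently letting the MAC have no effect (the page's IMPORTANT note)."""
    if source_ip and source_mac and source_mask != HOST_MASK:
        raise ValueError("a source MAC needs a %s source mask to take effect" % HOST_MASK)
    src = (ipaddress.ip_network("%s/%s" % (source_ip, source_mask), strict=False)
           if source_ip else None)
    dst = (ipaddress.ip_network("%s/%s" % (dest_ip, dest_mask), strict=False)
           if dest_ip else None)
    return PortalFreeRule(number, src, normalize_mac(source_mac) if source_mac else None, dst)


def rule_matches(rule, src_ip, src_mac, dst_ip):
    """Every configured field of the rule must match; unset fields match anything."""
    if rule.source is not None and ipaddress.ip_address(src_ip) not in rule.source:
        return False
    if rule.source_mac is not None and normalize_mac(src_mac) != rule.source_mac:
        return False
    if rule.destination is not None and ipaddress.ip_address(dst_ip) not in rule.destination:
        return False
    return True


def matching_rule(rules, src_ip, src_mac, dst_ip):
    """Number of the lowest-numbered portal-free rule the packet matches, or None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, src_ip, src_mac, dst_ip):
            return rule.number
    return None


def triggers_portal_auth(rules, auth_subnets, src_ip, src_mac, dst_ip, is_http):
    """Layer 3 (cross-subnet) mode: only HTTP from an authentication subnet triggers
    portal authentication, and a packet matching a portal-free rule never does.
    auth_subnets are 'a.b.c.d/mask' strings; an empty list means no subnet restriction."""
    if not is_http:
        return False
    if auth_subnets:
        nets = [ipaddress.ip_network(s, strict=False) for s in auth_subnets]
        if not any(ipaddress.ip_address(src_ip) in n for n in nets):
            return False
    return matching_rule(rules, src_ip, src_mac, dst_ip) is None
```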
Configure the RADIUS server properly to provide authentication and accounting functions for users.
Perform the following configuration on the switch to implement direct portal authentication:
Configure the RADIUS authentication server: Select Authentication > RADIUS from the navigation tree. The RADIUS server configuration page appears, as shown in Figure 380.
Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field.
Figure 383 Creating an ISP domain
On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 385 Configuring the authorization method for the ISP domain
On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.
number 50100, and the redirection URL http://192.168.0.111:8080/portal for portal authentication, and click Apply.
Figure 387 Applying the portal server to a Layer 3 interface
Configuring cross-subnet portal authentication
Network requirements
As shown in Figure 388, configure Switch A to perform cross-subnet portal authentication for users. Before passing portal authentication, the host can access only the portal server.
Figure 388 Network diagram (Switch A: Vlan-int2 192.168.0.100/24, Vlan-int4 20.20.20.1/24; Switch B: Vlan-int4 20.20.20.2/24, Vlan-int2 8.8.8.1/24; Host 8.8.8.2/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24)
Configuration procedure
Make sure that the IP address of the access device added on the portal server is the IP address of the interface connected to the host (20.20.20.1 in this example), and the IP address group associated with the access device is the subnet where the host resides (8.8.8.0/24 in this example).
On the RADIUS server configuration page, select Accounting Server as the server type, enter the IP address 192.168.0.112 and port number 1813, select active from the Primary Server Status list, and click Apply.
Figure 390 Configuring a RADIUS accounting server
Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab.
Figure 391 Configuring the RADIUS scheme
Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.
Figure 392 Creating an ISP domain
On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 394 Configuring the authorization method for the ISP domain
On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.
50100, and the redirection URL http://192.168.0.111:8080/portal for portal authentication, and click Apply.
Figure 396 Applying the portal server to a Layer 3 interface
On Switch B, you must configure a default route to subnet 192.168.0.0/24 with the next hop as 20.20.20.1.
Configuring RADIUS
RADIUS is a protocol for implementing Authentication, Authorization, and Accounting (AAA). For more information about AAA, see "Configuring AAA."
Overview
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments with requirements for both high security and remote user access.
security mechanism improves the security of RADIUS communication and prevents user passwords from being intercepted on insecure networks. A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the client of another AAA server to provide authentication proxy services.
Basic RADIUS message exchange process
Figure 398 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
RADIUS packet format
RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the backup server mechanism. Figure 399 shows the RADIUS packet format.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response.
Figure 400 Format of attribute 26
Protocols and standards
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
•...
Figure 401 RADIUS Server page
Configure the RADIUS server parameters as described in Table 119. Click Apply.
Table 119 Configuration items
Server Type: Specify the type of the server to be configured, which can be Authentication Server and Accounting Server.
Specify the IP address of the primary server.
Secondary Server Status: Status of the secondary server, including:
• Active—The server is working normally.
• Blocked—The server is down.
If the IP address of the secondary server is not specified or the specified IP address is to be removed, the status is Blocked.
Configuring RADIUS communication parameters
Select Authentication >...
Table 120 Configuration items
Server Type: Specify the type of the RADIUS server supported by the switch, including:
• Extended—Specifies an extended RADIUS server (offered by IMC). The RADIUS client and RADIUS server communicate using the proprietary RADIUS protocol and packet format.
•...
Username Format: Set the format of the username sent to the RADIUS server. A username is generally in the format of userid@isp-name, of which isp-name is used by the switch to determine the ISP domain to which a user belongs. If a RADIUS server does not accept a username including an ISP domain name, you can configure the switch to remove the domain name of a username before sending it to the...
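The packet format, Authenticator field, attribute 26 and username format described in this chapter, as an added Python example that is not the switch's or the manual's own code: it derives the name sent to the server from userid@isp-name under the with-domain and without-domain settings, hides the User-Password with the shared key as RFC 2865 specifies, parses the Attributes field without trusting its length bytes, and verifies a reply's Response Authenticator before accepting it. The shared key, NAS address, domain names and vendor ID are constructed sample values; the rule that a username with no "@" falls into the default ISP domain is an assumption, not something the page states.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26


def format_username(username, default_domain, username_format):
    """Return (isp_domain, name_sent_to_server) for a userid@isp-name username.
    username_format is "with-domain" or "without-domain". Assumption (not on the
    page): a username without '@' belongs to the switch's default ISP domain."""
    if "@" in username:
        userid, domain = username.rsplit("@", 1)
    else:
        userid, domain = username, default_domain
    if username_format == "with-domain":
        return domain, userid + "@" + domain
    if username_format == "without-domain":
        return domain, userid
    raise ValueError("unknown username format: " + username_format)


def hide_password(password, secret, request_authenticator):
    """Obscure User-Password: each 16-byte block is XORed with MD5(secret + previous
    block), the first block using the Request Authenticator (RFC 2865 section 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password (the NUL padding is stripped)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Encode one Type/Length/Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vendor_specific(vendor_id, vendor_type, value):
    """Encode attribute 26: Vendor-Id, then a vendor Type/Length/Value (Figure 400)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attributes(data):
    """Walk the Attributes field, rejecting bad lengths instead of looping or over-reading."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Build an Access-Request; returns (packet, request_authenticator)."""
    auth = authenticator or os.urandom(16)  # must be unpredictable in real use
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs, auth


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: accept a reply only if its ID matches our request and its
    Response Authenticator was computed with the shared key."""
    if len(response) < 20 or len(request) < 20:
        return False
    _code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```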
Figure 403 Network diagram
Configuration procedure
Enable the Telnet server function, and configure the switch to use AAA for Telnet users. (Details not shown.)
Configure IP addresses for the interfaces. (Details not shown.)
Configure RADIUS scheme system:
# Configure the RADIUS authentication server.
Select Authentication >...
Select active as the primary server status. Click Apply.
Figure 405 Configuring the RADIUS accounting server
# Configure the RADIUS communication parameters.
Select Authentication > RADIUS from the navigation tree and then click the RADIUS Setup tab. The RADIUS parameter configuration page appears. Configure the following parameters, as shown in Figure 406.
Figure 406 Configuring RADIUS communication parameters
Configure AAA:
# Create an ISP domain.
Select Authentication > AAA from the navigation tree. The domain setup page appears. Configure the following parameters, as shown in Figure 407. Enter test in the Domain Name field. Select Enable to use the domain as the default domain.
Figure 407 Adding an ISP domain
# Configure the authentication method for the ISP domain.
Select Authentication > AAA from the navigation tree, and then click the Authentication tab. Configure the following parameters, as shown in Figure 408. Select the domain name test. Select the Default AuthN box and then select RADIUS as the authentication mode.
Figure 409 Configuration progress dialog box
# Configure the authorization method for the ISP domain.
Select Authentication > AAA from the navigation tree, and then click the Authorization tab. Configure the following parameters, as shown in Figure 410. Select the domain name test. Select the Default AuthZ box and then select RADIUS as the authorization mode.
Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 411 Configuring the accounting method for the ISP domain
Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
• The specified server status is dynamic information, which cannot be saved in the configuration file.
•...
communication, you need to manually change the status of the secondary server to active; otherwise, no primary/secondary server switchover will take place.
Configuring users and user groups
Overview
You can configure local users and user groups on the switch series. A local user represents a set of user attributes configured on a switch (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry as required in the local user database of the switch.
Password / Confirm: IMPORTANT: HP recommends that you do not specify a password starting with spaces because spaces at the beginning of the password string will be ignored, but they count at the user login page.
Select a user group for the local user.
Level: Select an authorization level for the local user, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority. This option is effective only for FTP, Telnet, and SSH users.
VLAN: Specify the VLAN to be authorized to the local user after the user passes authentication. This option is effective only for LAN-access and portal users.
Figure 415 User group configuration page
Configure the user group as described in Table 123. Click Apply.
Table 123 Configuration items
Group-name: Specify a name for the user group.
Level: Select an authorization level for the user group, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.
Configuring PKI
PKI overview
The Public Key Infrastructure (PKI) is a hierarchical framework designed for providing information security through public key technologies and digital certificates and verifying the identities of the digital certificate owners. PKI employs digital certificates, which are bindings of certificate owner identity information and public keys.
Figure 416 PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer.
A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
Secure email
Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with signature.
Web security
For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer.
Creating a PKI entity (Required.): Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN).
(Required.) When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
Destroying the RSA key pair (Optional.): Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing key pair. Otherwise, the retrieving operation will fail.
Retrieving and displaying a certificate (Optional.):...
Figure 418 PKI entity configuration page
Configure the parameters as described in Table 124. Click Apply.
Table 124 Configuration items
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
Figure 419 PKI domain list
Click Add. Click Advanced Configuration to display the advanced configuration items.
Figure 420 PKI domain configuration page
Configure the parameters as described in Table 125. Click Apply.
Table 125 Configuration items
Domain Name: Enter the name for the PKI domain.
CA Identifier: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query. In offline mode, this item is optional.
Polling Interval: After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Figure 422 Key pair parameter configuration page
Destroying the RSA key pair
Select Authentication > PKI from the navigation tree. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
Figure 423 Key pair destruction page
Retrieving and displaying a certificate
You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
Figure 424 PKI certificate retrieval page
Configure the parameters as described in Table 126. Click Apply.
Table 126 Configuration items
Domain Name: Select the PKI domain for the certificate.
Certificate Type: Select the type of the certificate to be retrieved, which can be CA or local.
Enable Offline Mode: Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system.
Figure 425 Certificate information
Requesting a local certificate
Select Authentication > PKI from the navigation tree. Click the Certificate tab. Click Request Cert.
Figure 426 Local certificate request page...
Configure the parameters as described in Table 127.
Table 127 Configuration items
Domain Name: Select the PKI domain for the certificate.
Password: Enter the password for certificate revocation.
Enable Offline Mode: Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
Figure 429 CRL information
Table 128 Field description
Version: CRL version number
Signature Algorithm: Signature algorithm that the CRL uses
Issuer: CA that issued the CRL
Last Update: Last update time
Next Update: Next update time
X509v3 Authority Key Identifier: Identifier of the CA that issued the certificate and the certificate version (X509v3).
PKI configuration example
Network requirements
As shown in Figure 430, configure the switch that acts as the PKI entity, so that:
• The switch submits a local certificate request to the CA server, which runs the RSA Keon software.
• The switch retrieves CRLs for certificate verification.
Page 472
Figure 431 Creating a PKI entity Create a PKI domain: Click the Domain tab. Click Add. The page in Figure 432 appears. Enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request (the URL must be in the format of http://host:port/Issuing Jurisdiction ID,...
Figure 432 Creating a PKI domain
Generate an RSA key pair:
Click the Certificate tab. Click Create Key. Enter 1024 as the key length, and click Apply to generate an RSA key pair.
Figure 433 Generating an RSA key pair
Retrieve the CA certificate:
Click the Certificate tab.
Figure 434 Retrieving the CA certificate
Request a local certificate:
Click the Certificate tab. Click Request Cert. Select torsa as the PKI domain, select Password, and enter challenge-word as the password. Click Apply. The system displays "Certificate request has been submitted." Click OK to finish the operation.
Verifying the configuration
After the configuration, select Authentication > PKI > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Authentication > PKI > CRL from the navigation tree to view detailed information about the retrieved CRL.
Configuration guidelines
When you configure PKI, follow these guidelines: Make sure the clocks of the entities and the CA are synchronized.
Configuring authorized IP
Overview
The authorized IP function associates the HTTP or Telnet service with an ACL to filter client requests. Only the clients that pass the ACL filtering can access the device.
Configuring authorized IP
Select Security >...
Table 129 Configuration items
Item / Description
Telnet
  IPv4 ACL: Associate the Telnet service with an IPv4 ACL. You can configure the IPv4 ACL to be selected by selecting QoS > ACL IPv4.
  IPv6 ACL: Associate the Telnet service with an IPv6 ACL. You can configure the IPv6 ACL to be selected by selecting QoS >...
Figure 439 Creating an ACL
Configure an ACL rule to permit Host B:
Click the Basic Setup tab. The page for configuring an ACL rule appears. Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and then enter 10.1.1.3, and enter 0.0.0.0 in the Source Wildcard field.
Select 2001 for IPv4 ACL in the Telnet field, and select 2001 for IPv4 ACL in the Web (HTTP) field. Click Apply.
Figure 441 Configuring authorized IP...
Configuring port isolation
Overview
Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security. The switch series supports only one isolation group, which the system creates automatically as isolation group 1.
Table 130 Configuration items
Item / Description
Config type: Specify the role of the port or ports in the isolation group.
• Isolated port—Assign the port or ports to the isolation group as an isolated port or ports.
• Uplink port—Assign the port to the isolation group as the uplink port. This option is not available for the switch series.
Select 2, 3, and 4 on the chassis front panel. The numbers represent ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 respectively.
Figure 444 Configure isolated ports for the isolation group
Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Viewing information about the isolation group
Click Summary.
Configuring ACLs
NOTE: Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are essentially used for packet filtering.
Table 132 Depth-first match for ACLs
ACL category / Sequence of tie breakers
IPv4 basic ACL:
1. More 0s in the source IP address wildcard (more 0s means a narrower IP address range)
2. Smaller rule ID
IPv4 advanced ACL:
1. Specific protocol type rather than IP (IP represents any protocol over IP)
2. More 0s in the source IP address wildcard mask
3. More 0s in the destination IP address wildcard...
Attackers can fabricate non-first fragments to attack networks. To avoid the risks, the HP ACL implementation filters unfragmented packets and all fragments (including non-first fragments) by default. To improve the match efficiency, you can change the default packet matching policy.
Step / Remarks
2. Adding an IPv6 ACL: Required. Add an IPv6 ACL. The category of the added IPv6 ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv6 ACL / 4. Configuring a rule for an advanced IPv6 ACL: Required. Complete one of the tasks according to the ACL category.
Item / Description
Periodic Time Range: You can define both a...
  Start Time: Set the start time of the periodic time range.
  End Time: Set the end time of the periodic time range. The end time must be greater than the start time.
  Sun, Mon, ...: Select the day or days of the week on which the...
Item / Description
Match Order: Set the match order of the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order that the rules are configured.
• Auto—Packets are compared against ACL rules in the depth-first match order.
Configuring a rule for a basic IPv4 ACL
Select QoS >...
Item / Description
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Figure 449 Configuring an advanced IPv4 ACL
Configure a rule for an advanced IPv4 ACL as described in Table 136. Click Add.
Table 136 Configuration items
Item / Description
Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.
Item / Description
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Item / Description
• Not Check—The following port number fields cannot be configured.
• Range—The following port number fields must be configured to define a port range.
• Other values—The first port number field must be configured and the second must not.
IMPORTANT:
DSCP: Specify the DSCP value.
Figure 450 Configuring a rule for an Ethernet frame header ACL
Configure a rule for an Ethernet frame header IPv4 ACL as described in Table 137. Click Add.
Table 137 Configuration items
Item / Description
Select the Ethernet frame header IPv4 ACL for which you want to configure rules.
Item / Description
Action: Select the action to be performed for packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Source MAC Address: Select the Source MAC Address box and enter a source MAC address and a mask.
Click Apply.
Table 138 Configuration items
Item / Description
ACL Number: Enter a number for the IPv6 ACL.
Match Order: Select a match order for the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order the rules are configured.
Item / Description
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Figure 453 Configuring a rule for an advanced IPv6 ACL
Add a rule for an advanced IPv6 ACL. Click Add.
Table 140 Configuration items
Item / Description
Select Access Control List (ACL): Select the advanced IPv6 ACL for which you want to configure rules.
Select the Rule ID box and enter a number for the rule.
Item / Description
Operation: Select the operation to be performed for IPv6 packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments.
Configuration guidelines
When you configure an ACL, follow these guidelines:
• You cannot add a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When...
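The depth-first (Auto) match order of Table 132 and the fragment matching policy described in this chapter, as an added Python model that is not the switch's own code: each rule carries a source address and wildcard, Auto order sorts by the number of 0 bits in the wildcard and then by rule ID, and a hypothetical fragment_only flag stands in for the Check Fragment option. The ACL 2001 rules and the packets below are constructed for the example; the model covers basic IPv4 ACLs only.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class BasicRule:
    """One basic IPv4 ACL rule: source address plus wildcard (0 bits must match)."""
    rule_id: int
    action: str                 # "permit" or "deny"
    src: str                    # source IP address, e.g. "10.1.1.3"
    wildcard: str               # source wildcard, e.g. "0.0.0.255"; 0.0.0.0 is one host
    fragment_only: bool = False  # hypothetical stand-in for Check Fragment: non-first fragments only


@dataclass(frozen=True)
class Packet:
    src: str
    non_first_fragment: bool = False


def zero_bits(wildcard: str) -> int:
    """Count the 0 bits in a wildcard; more 0s means a narrower address range."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def depth_first_order(rules: List[BasicRule]) -> List[BasicRule]:
    """Auto match order for a basic IPv4 ACL (Table 132): more 0s in the source
    wildcard first, smaller rule ID as the tie breaker."""
    return sorted(rules, key=lambda r: (-zero_bits(r.wildcard), r.rule_id))


def config_order(rules: List[BasicRule]) -> List[BasicRule]:
    """Config match order: rules are compared in the order they were configured."""
    return list(rules)


def rule_matches(rule: BasicRule, pkt: Packet) -> bool:
    # Default policy: a rule matches unfragmented packets and all fragments.
    # With the fragment flag set, it matches only non-first fragments.
    if rule.fragment_only and not pkt.non_first_fragment:
        return False
    mask = 0xFFFFFFFF ^ int(IPv4Address(rule.wildcard))  # 1 where the bit must match
    return (int(IPv4Address(pkt.src)) ^ int(IPv4Address(rule.src))) & mask == 0


def evaluate(rules: List[BasicRule], pkt: Packet, match_order: str = "config") -> Optional[str]:
    """Return the action of the first matching rule, or None when no rule matches."""
    ordered = depth_first_order(rules) if match_order == "auto" else config_order(rules)
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# Constructed example ACL (not from the guide); rule 1 was configured before rule 2.
ACL_2001 = [
    BasicRule(1, "permit", "10.1.1.0", "0.0.0.255"),   # the whole 10.1.1.0/24 range
    BasicRule(2, "deny", "10.1.1.3", "0.0.0.0"),       # one host inside that range
    BasicRule(3, "deny", "0.0.0.0", "255.255.255.255", fragment_only=True),  # any non-first fragment
]

if __name__ == "__main__":
    host_b = Packet("10.1.1.3")
    print("config order:", evaluate(ACL_2001, host_b, "config"))  # rule 1 is hit first
    print("auto order  :", evaluate(ACL_2001, host_b, "auto"))    # narrower rule 2 is hit first
    print("fragment    :", evaluate(ACL_2001, Packet("192.0.2.9", non_first_fragment=True)))
```

The same host is permitted under Config order and denied under Auto order, which is the difference a match order change makes to an existing rule set.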
Configuring QoS
Introduction to QoS
Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network may provide various services. Generally, QoS performance is measured with respect to bandwidth, delay, jitter, and packet loss ratio during the packet forwarding process.
Causes
Congestion easily occurs in complex packet switching circumstances in the Internet. Figure 454 shows two common cases:
Figure 454 Traffic congestion causes
• The traffic enters a device from a high speed link and is forwarded over a low speed link.
• The packet flows enter a device from several incoming interfaces and are forwarded out of an...
When packets are classified on the network boundary, the precedence bits in the ToS field of the IP packet header are generally re-set. In this way, IP precedence can be directly used to classify the packets in the network. IP precedence can also be used in queuing to prioritize traffic. The downstream network can either use the classification results from its upstream network or classify the packets again according to its own criteria.
Figure 459 SP queuing
A typical switch provides eight queues per port. As shown in Figure 459, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.
A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 50, 30, 10, 10, 50, 30, 10, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively).
A token bucket has the following configurable parameters:
• Mean rate—Rate at which tokens are put into the bucket, or the permitted average rate of traffic. It is usually set to the committed information rate (CIR).
• Burst size—The capacity of the token bucket, or the maximum traffic size permitted in each burst. It...
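The two token bucket parameters above, as an added Python model that is not the switch's own implementation: tokens are credited at the mean rate (CIR, here in bytes per second) and capped at the burst size, and a packet conforms only when enough tokens are available for its whole length. The rate, burst size and arrival list are constructed for the example.

```python
from typing import List, Tuple


class TokenBucket:
    """Single token bucket: tokens are credited at the mean rate (CIR) and the bucket
    holds at most burst_size tokens. One token pays for one byte of traffic.
    Constructed model for illustration, not the switch's own implementation."""

    def __init__(self, cir_bytes_per_s: int, burst_size: int) -> None:
        self.cir = cir_bytes_per_s    # mean rate: tokens credited per second
        self.burst_size = burst_size  # bucket capacity: the largest burst that can pass at once
        self.tokens = burst_size      # the bucket starts full
        self.last_ms = 0              # time of the previous refill, in milliseconds

    def _refill(self, now_ms: int) -> None:
        if now_ms < self.last_ms:
            raise ValueError("arrivals must be fed in nondecreasing time order")
        credited = self.cir * (now_ms - self.last_ms) // 1000       # integer arithmetic keeps it exact
        self.tokens = min(self.burst_size, self.tokens + credited)  # never above the burst size
        self.last_ms = now_ms

    def conforms(self, now_ms: int, size: int) -> bool:
        """True if a packet of `size` bytes arriving at now_ms is within the committed rate.
        A conforming packet consumes its tokens; an exceeding packet consumes none."""
        self._refill(now_ms)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(cir_bytes_per_s: int, burst_size: int,
           arrivals: List[Tuple[int, int]]) -> List[bool]:
    """Run (arrival_ms, size_bytes) pairs through a fresh bucket and report, per packet,
    whether it conforms (forwarded) or exceeds the rate (dropped by a rate limiter)."""
    bucket = TokenBucket(cir_bytes_per_s, burst_size)
    return [bucket.conforms(t, size) for t, size in arrivals]


# Constructed traffic sample: CIR of 1000 bytes/s with a 1500-byte burst allowance.
# The first 1000-byte packet at t=0 fits the burst; a second 1000 bytes in the same
# instant do not, because only 500 tokens remain until the bucket refills.
SAMPLE_ARRIVALS = [(0, 1000), (0, 1000), (1000, 1000), (1200, 600), (1200, 200)]

if __name__ == "__main__":
    for (t, size), ok in zip(SAMPLE_ARRIVALS, police(1000, 1500, SAMPLE_ARRIVALS)):
        print(f"t={t:5d} ms  {size:5d} B  {'conform' if ok else 'exceed'}")
```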
• Local precedence—Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to an output queue. Packets with the highest local precedence are processed preferentially.
The device provides the following priority trust modes on a port:
• Trust packet priority—The device assigns to the packet the priority parameters corresponding to the...
Input CoS value / Local precedence (Queue) / DSCP
Table 145 The default DSCP to CoS/DSCP to Queue mapping table
Input DSCP value / Local precedence (Queue)
0 to 7
8 to 15
16 to 23
24 to 31
32 to 39
40 to 47
48 to 55
56 to 63
NOTE:...
Table 146 Recommended QoS policy configuration procedure
Step / Remarks
1. Adding a class: (Required) Add a class and specify the logical relationship between the match criteria in the class.
2. Configuring classification rules: (Required) Configure match criteria for the class.
3. (Required)
Recommended priority trust mode configuration procedure
Step / Remarks
1. Configuring priority trust mode on a port: (Required) Set the priority trust mode of a port.
Adding a class
Select QoS > Classifier from the navigation tree. Click the Create tab to enter the page for adding a class.
Figure 464 Adding a class
Add a class as described in Table...
Configuring classification rules
Select QoS > Classifier from the navigation tree. Click Setup to enter the page for setting a class.
Figure 465 Configuring classification rules
Configure classification rules for a class as described in Table 148. Click Apply.
Table 148 Configuration items
Item / Description
Please select a classifier: Select an existing classifier from the list.
Define a rule to match all packets. Select the box to match all packets.
Define a rule to match DSCP values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
Item / Description
Define a rule to match service VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one.
Add a traffic behavior as described in Table 149. Click Create.
Table 149 Configuration items
Item / Description
Behavior name: Specify a name for the behavior to be added.
Configuring traffic redirecting for a traffic behavior
Select QoS > Behavior from the navigation tree. Click Port Setup to enter the port setup page for a traffic behavior.
Configuring other actions for a traffic behavior
Select QoS > Behavior from the navigation tree. Click Setup to enter the page for setting a traffic behavior.
Figure 468 Setting a traffic behavior
Configure other actions for a traffic behavior as described in Table 151.
Table 151 Configuration items
Item / Description
Please select a behavior: Select an existing behavior in the list.
IP Precedence: Configure the action of marking IP precedence for packets. Select the IP Precedence box and then select the IP precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking IP precedence.
Figure 469 Adding a policy
Add a policy as described in Table 152. Click Create.
Table 152 Configuration items
Item / Description
Policy Name: Specify a name for the policy to be added.
Configuring classifier-behavior associations for the policy
Select QoS > QoS Policy from the navigation tree. Click Setup to enter the page for setting a policy.
Configure a classifier-behavior association for a policy as described in Table 153. Click Apply.
Table 153 Configuration items
Item / Description
Please select a policy: Select an existing policy in the list.
Classifier Name: Select an existing classifier in the list.
Behavior Name: Select an existing behavior in the list.
Figure 472 Configuring queue scheduling
Configure queue scheduling on a port as described in Table 155. Click Apply.
Table 155 Configuration items
Item / Description
Enable or disable the WRR queue scheduling mechanism on selected ports. The following options are available:
•...
Figure 473 Configuring line rate on a port
Configure line rate on a port as described in Table 156. Click Apply.
Table 156 Configuration items
Item / Description
Please select an interface type: Select the types of interfaces to be configured with line rate.
Rate Limit: Enable or disable line rate on the specified port.
Figure 474 Configuring priority mapping tables
Configure a priority mapping table as described in Table 157. Click Apply.
Table 157 Configuration items
Item / Description
Mapping Type: Select the priority mapping table to be configured, which can be CoS to DSCP, CoS to Queue, DSCP to CoS, DSCP to DSCP, or DSCP to Queue.
Input Priority Value: Set the output priority value for an input priority value.
Figure 475 Configuring port priority
Click the icon for a port to enter the page for modifying port priority.
Figure 476 The page for modifying port priority
Configure the port priority for a port as described in Table 158. Click Apply...
Configuration guidelines
If an ACL is referenced by a QoS policy for defining traffic classification rules, packets matching the referenced ACL rule are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the referenced ACL rule is a deny or permit clause.
ACL and QoS configuration example
Network requirements
As shown in Figure 477, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day:
• Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
Figure 478 Defining a time range covering 8:00 to 18:00 every day
Add an advanced IPv4 ACL:
Select QoS > ACL IPv4 from the navigation tree. Click the Create tab. Enter the ACL number 3000. Click Apply.
Figure 479 Adding an advanced IPv4 ACL
Define an ACL rule for traffic to the FTP server:
Click the Advanced Setup tab. Select 3000 from the ACL list. Select the Rule ID box, and enter rule ID 2. Select Permit from the Action list. Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.
Figure 480 Defining an ACL rule for traffic to the FTP server
Add a class:
Select QoS > Classifier from the navigation tree. Click the Create tab. Enter the class name class1. Click Add.
Figure 481 Adding a class
Define classification rules:
Click the Setup tab. Select the class name class1 from the list. Select the ACL IPv4 box, and select ACL 3000 from the following list.
Figure 482 Defining classification rules
Click Apply. A progress dialog box appears, as shown in Figure 483. Click Close on the progress dialog box when it prompts that the configuration succeeds.
Figure 483 Configuration progress dialog box
Add a traffic behavior:
Select QoS > Behavior from the navigation tree. Click the Create tab. Enter the behavior name behavior1. Click Create.
Figure 484 Adding a traffic behavior
Configure actions for the traffic behavior:
Click the Setup tab.
Click Close when the progress dialog box prompts that the configuration succeeds.
Figure 485 Configuring actions for the behavior
Add a policy:
Select QoS > QoS Policy from the navigation tree. Click the Add tab. Enter the policy name policy1. Click Add.
Figure 486 Adding a policy
Configure classifier-behavior associations for the policy:
Click the Setup tab. Select policy1. Select class1 from the Classifier Name list. Select behavior1 from the Behavior Name list. Click Apply.
Figure 487 Configuring classifier-behavior associations for the policy
Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1:
Select QoS >...
Select port GigabitEthernet 1/0/1. Click Apply. A configuration progress dialog box appears. Click Close when the progress dialog box prompts that the configuration succeeds.
Figure 488 Applying the QoS policy in the inbound direction of GigabitEthernet 1/0/1...
A PD can also use a different power source from the PSE at the same time for power redundancy. A 1910 switch has a built-in PSE to supply DC power to PDs over the data pairs (pins 1, 2 and 3, 6) of...
Figure 490 Port Setup tab
Configure the PoE ports as described in Table 159. Click Apply.
Table 159 Configuration items
Item / Description
Select Port: Select ports to be configured. They will be displayed in the Selected Ports area.
Enable or disable PoE on the selected ports.
•...
Item / Description
Set the power supply priority for a PoE port. The priority levels of a PoE port include low, high, and critical in ascending order.
• When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.
Disabling the non-standard PD detection function for a PSE
Perform one of the following tasks on the PSE Setup tab to disable the non-standard PD detection function:
• Select Disable in the Non-Standard PD Compatibility column, and click Apply.
• Click Disable All. ...
Figure 493 Network diagram
Configuration procedure
Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and set their power supply priority to critical:
Select PoE > PoE from the navigation tree. Click the Setup tab. On the tab, click to select ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel, select Enable from the Power State list, and select Critical from the Power Priority list.
On the tab, click to select port GigabitEthernet 1/0/3 from the chassis front panel, select Enable from the Power State list, and select the box before Power Max and enter 9000. Click Apply.
Figure 495 Configuring the PoE port supplying power to the AP
After the configuration takes effect, the IP telephones and the AP are powered and can work properly.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• ...
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention / Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which...
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.