HP 830 Series PoE+ Unified Wired-WLAN Switch
Switching Engine Web-Based Configuration Guide
Part number: 5998-3947
Software version: 3308P26
Document version: 6W101-20130628...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
Contents

Web overview (p. 1)
  Web interface (p. 1)
  Web user level (p. 2)
  Web-based NM functions (p. 2)
  Common items on the Web pages (p. 10)
Logging in to the Web interface (p. 15)
...
Managing logs (p. 39)
  Displaying syslogs (p. 39)
  Setting the log host (p. 41)
  Setting buffer capacity and refresh interval (p. 42)
Managing the configuration (p. 43)
  Backing up the configuration (p. 43)
  Restoring the configuration (p. 43)
...
  RMON groups (p. 79)
  Recommended configuration procedure (p. 81)
    Configuring the RMON statistics function (p. 81)
    Configuring the RMON alarm function (p. 81)
    Displaying RMON running status (p. 82)
  Configuring a statistics entry (p. 83)
  Configuring a history entry ...
  Modifying a VLAN interface (p. 135)
Configuring a voice VLAN (p. 137)
  Overview (p. 137)
    OUI addresses (p. 137)
    Voice VLAN assignment modes (p. 137)
    Security mode and normal mode of voice VLANs (p. 139)
...
Configuring link aggregation and LACP (p. 180)
  Overview (p. 180)
    Basic concepts (p. 180)
    Link aggregation modes (p. 181)
    Load sharing mode of an aggregation group (p. 183)
  Configuration guidelines (p. 183)
  Recommended link aggregation and LACP configuration procedures (p. 184)
...
    How IGMP snooping works (p. 238)
    Protocols and standards (p. 239)
  Recommended configuration procedure (p. 239)
  Enabling IGMP snooping globally (p. 240)
  Configuring IGMP snooping in a VLAN (p. 240)
  Configuring IGMP snooping port functions (p. 242)
...
    Portal authentication modes (p. 353)
    Portal support for EAP (p. 353)
    Layer 2 portal authentication process (p. 354)
    Layer 3 portal authentication process (p. 355)
  Configuring portal authentication (p. 357)
    Configuration prerequisites (p. 357)
    Configuration task list ...
    Configuration procedure for automatic requests (p. 426)
  Creating a PKI entity (p. 427)
  Creating a PKI domain (p. 428)
  Generating an RSA key pair (p. 431)
  Destroying the RSA key pair (p. 432)
  Retrieving and displaying a certificate (p. 432)
...
    Displaying information about PSE and PoE ports (p. 509)
  PoE configuration example (p. 509)
Support and other resources (p. 512)
  Contacting HP (p. 512)
    Subscription service (p. 512)
  Related information (p. 512)
    Documents (p. 512)
...
Web overview

This chapter describes the Web interface, the functions available on the Web interface, the Web user levels you must have to perform a function, and the common icons and buttons on the Web pages.

Web interface

CAUTION: Web network management functions that the device does not support are not displayed in the navigation tree.
Web user level

Web user levels, from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.
• Visitor: Users can use the network diagnostic tools ping and Trace Route, but they can neither ...
Function menu, description, and required user level:
• Restore: Upload the configuration file to be used at the next startup from the host of the current user to the device. User level: Management.
• Save: Save the current configuration to the configuration file to be used at the next startup. User level: Configure.
Function menu, description, and required user level:
• Storm Constrain > Storm Constrain: Display and set the interval for collecting storm constrain statistics. User level: Configure.
• Storm Constrain > Storm Constrain: Display, create, modify, and remove the port traffic threshold. User level: Configure.
• RMON > Statistics: Display, create, modify, and clear RMON statistics. User level: Configure.
• RMON > History: Display, create, modify, and clear RMON history sampling information. User level: Configure.
Function menu, description, and required user level:
• VLAN > Modify VLAN: Modify the description and member ports of a VLAN. User level: Configure.
• VLAN > Modify Port: Change the VLAN to which a port belongs, and the connection type and PVID of the port. User level: Configure.
• VLAN > Remove: Remove VLANs. User level: Configure.
• VLAN Interface > Summary: Display information about VLAN interfaces. User level: Monitor...
Function menu, description, and required user level:
• LLDP > Port Setup: Display the LLDP configuration information, local information, neighbor information, statistics information, and status information of a port. User level: Monitor.
• LLDP > Port Setup: Modify the LLDP configuration on a port. User level: Configure.
• LLDP > Global Setup: Display global LLDP configuration information. User level: Monitor.
• LLDP > Global Setup: Configure global LLDP parameters. User level: Configure.
Function menu, description, and required user level:
• IPv6 Routing > Summary: Display the IPv6 active route table. User level: Monitor.
• IPv6 Routing > Create: Create an IPv6 static route. User level: Configure.
• IPv6 Routing > Remove: Delete the selected IPv6 static routes. User level: Configure.
• IPv6 Management > IPv6 Service: Enable or disable IPv6 packet forwarding. User level: Configure.
• Display the DHCP service status, the DHCP...
Function menu, description, and required user level:
• Port Security > Port Security: Display port security configuration information. User level: Monitor.
• Port Security > Port Security: Configure port security. User level: Configure.
• Portal > Portal Server: Display configuration information about the portal server and the advanced parameters for portal authentication. User level: Monitor.
• Portal > Portal Server: Add and delete a portal server, and modify advanced parameters for portal... User level: Configure.
Function menu, description, and required user level:
• Certificate: Display the certificate information of PKI domains and the contents of a certificate. User level: Monitor.
• Certificate: Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate. User level: Configure.
• CRL: Display the contents of the CRL. User level: Monitor.
• CRL: Receive the CRL of a domain.
Function menu, description, and required user level:
• Class: Add a class. User level: Configure.
• Class > Setup: Configure the classification rules for a class. User level: Configure.
• Class > Remove: Delete a class or its classification rules. User level: Configure.
• Behavior > Summary: Display traffic behavior configuration information. User level: Monitor.
• Behavior: Add a traffic behavior. User level: Configure.
• Behavior > Setup: Configure actions for a traffic behavior.
Buttons and icons (the icons themselves are not reproduced here) and their functions:
• Refreshes the current page.
• Clears all entries in a list or all statistics.
• Adds an item.
• Removes the selected items.
• Selects all the entries in a list, or selects all ports on the device panel.
• Clears all the entries in a list, or clears all ports on the device panel.
• Buffers the settings you made and proceeds to the next step without applying the settings.
Figure 2 Content display by pages

Search function

On some list pages, the Web interface provides basic and advanced search functions. You can use the search function to display only the entries that match certain search criteria.
• Basic search function: As shown in Figure 2, input the keyword in the text box above the list, select ...
Figure 4 Advanced search

Take the ARP table shown in Figure 2 as an example. To search for the ARP entries whose interface is GigabitEthernet1/0/1 and whose IP address is in the range 192.168.11.0 to 192.168.11.100, follow these steps: Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 5, and click Apply.
Figure 6 Advanced search function example (2)

Figure 7 Advanced search function example (3)

Sorting function

On some list pages, the Web interface provides a sorting function to display the entries in a chosen order. On a list page, click the blue heading of a column to sort the entries by that column.
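The advanced search above combines an interface match with an inclusive IP address range, and the sorting function orders a list by a chosen column. The following is an added example, not code from the guide or from HP, that implements both over a constructed ARP table so the semantics are explicit: every criterion given is ANDed, IP addresses are compared numerically (a plain string sort would place 192.168.11.200 before 192.168.11.5), and interface names sort naturally. The entry fields and sample rows are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    vlan: int
    interface: str
    entry_type: str  # "Dynamic" or "Static"


# Constructed sample ARP table for this example; not taken from the guide.
SAMPLE_ARP = [
    ArpEntry("192.168.11.5", "0001-0203-0405", 11, "GigabitEthernet1/0/1", "Dynamic"),
    ArpEntry("192.168.11.200", "0001-0203-0406", 11, "GigabitEthernet1/0/1", "Dynamic"),
    ArpEntry("192.168.11.50", "0001-0203-0407", 11, "GigabitEthernet1/0/1", "Static"),
    ArpEntry("192.168.11.20", "0001-0203-0408", 11, "GigabitEthernet1/0/2", "Dynamic"),
    ArpEntry("10.0.0.9", "0001-0203-0409", 10, "GigabitEthernet1/0/1", "Dynamic"),
]


def basic_search(entries: Iterable[ArpEntry], keyword: str) -> List[ArpEntry]:
    """Basic search: keep entries in which any column contains the keyword (case-insensitive)."""
    kw = keyword.lower()
    return [e for e in entries
            if any(kw in str(v).lower() for v in (e.ip, e.mac, e.vlan, e.interface, e.entry_type))]


def advanced_search(entries: Iterable[ArpEntry], *, interface: Optional[str] = None,
                    ip_range: Optional[Tuple[str, str]] = None, vlan: Optional[int] = None,
                    entry_type: Optional[str] = None) -> List[ArpEntry]:
    """Advanced search: every criterion that is given must match (logical AND).

    ip_range is an inclusive (low, high) pair of dotted-quad strings. The comparison is
    numeric via ipaddress, so it behaves correctly across octet boundaries.
    """
    lo = hi = None
    if ip_range is not None:
        lo, hi = ipaddress.ip_address(ip_range[0]), ipaddress.ip_address(ip_range[1])
        if lo > hi:
            raise ValueError("IP range low end is above high end")
    hits = []
    for e in entries:
        if interface is not None and e.interface != interface:
            continue
        if lo is not None and not (lo <= ipaddress.ip_address(e.ip) <= hi):
            continue
        if vlan is not None and e.vlan != vlan:
            continue
        if entry_type is not None and e.entry_type.lower() != entry_type.lower():
            continue
        hits.append(e)
    return hits


def _interface_key(name: str) -> Tuple[int, ...]:
    # Natural ordering: "GigabitEthernet1/0/2" sorts before "GigabitEthernet1/0/10".
    return tuple(int(n) for n in re.findall(r"\d+", name))


def sort_entries(entries: Iterable[ArpEntry], column: str, descending: bool = False) -> List[ArpEntry]:
    """Sort by one column, mirroring a click on that column heading."""
    keys = {
        "ip": lambda e: ipaddress.ip_address(e.ip),
        "mac": lambda e: e.mac,
        "vlan": lambda e: e.vlan,
        "interface": lambda e: _interface_key(e.interface),
        "type": lambda e: e.entry_type,
    }
    return sorted(entries, key=keys[column], reverse=descending)
```

Calling advanced_search(SAMPLE_ARP, interface="GigabitEthernet1/0/1", ip_range=("192.168.11.0", "192.168.11.100")) returns only the .5 and .50 entries; the .200 entry on the same interface falls outside the range even though a string comparison would have accepted it.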
Logging in to the Web interface

You can log in to the Web interface of the switching engine through HTTP or from the controller engine of the switch.

Figure 9 Web-based network management environment

Restrictions and guidelines

To ensure a successful login, verify that your operating system and Web browser meet the requirements, and follow the guidelines in this section.
Enabling security settings in a Microsoft Internet Explorer browser

Launch Internet Explorer, and select Tools > Internet Options from the main menu. Select the Security tab, and select the content zone where the target Web site resides, as shown in Figure 10.

Figure 10 Internet Explorer settings (I)

Click Custom Level.
Figure 11 Internet Explorer settings (II)

Click OK to save your settings.

Enabling JavaScript in a Firefox browser

Launch the Firefox browser, and select Tools > Options. In the Options dialog box, click the Content icon, and select Enable JavaScript.
Figure 12 Firefox browser settings

Click OK to save your settings.

Others
• Make sure the management PC and the device can reach each other.
• Do not use the Back, Next, or Refresh buttons provided by the browser. Using these buttons might ...
Table 3 Default Web login settings
• Username: admin (controller engine), admin (switching engine)
• Password: admin (controller engine), admin (switching engine)
• Default IP address: 192.168.0.100/24 (controller engine), 192.168.0.101/24 (switching engine)

Both engines ship with the same well-known default username and password, and HTTP carries them in cleartext. Change the default password at first login and keep the management interface off untrusted networks.

To log in to the switching engine through HTTP: Connect a GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable. By default, all interfaces belong to VLAN 1.
You cannot log out by directly closing the browser. Save the current configuration. Because the system does not save the current configuration automatically, HP recommends that you perform this step to avoid loss of configuration. Click Logout in the upper-right corner of the Web interface.
Configuration wizard

The configuration wizard guides you through configuring the basic service parameters, including the system name, system location, contact information, and management IP address.

Basic service setup

Entering the configuration wizard homepage

Select Wizard from the navigation tree.

Figure 15 Configuration wizard homepage

Configuring system parameters

On the wizard homepage, click Next.
Figure 16 System parameter configuration page

Configure the parameters as described in Table 4.

Table 4 Configuration items
• Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name on the System Name page, which you enter by selecting Device > ...
On the system parameter configuration page, click Next.

Figure 17 Management IP address configuration page

Configure the parameters as described in Table 5.

Table 5 Configuration items
• Select a VLAN interface. The available VLAN interfaces are those configured on the page that you enter by selecting Network > ...
• DHCP/BOOTP: Configure how the VLAN interface obtains an IPv4 address:
  • DHCP: Select this option to obtain an IPv4 address for the VLAN interface through DHCP.
  • BOOTP: Select this option to obtain an IPv4 address for the VLAN interface through BOOTP.
CLI. From the perspective of SNMP, they are different entities. To access each other's Web interfaces, each engine must know the other's IP address. To enable automatic toggling between their Web interfaces, HP has preconfigured the default management IP address of the switching engine on the controller engine, and the default IP address of the controller engine on the switching engine.
Accessing the controller engine from the switching engine's Web interface

IMPORTANT: Toggle between the Web interfaces of the switching engine and the controller engine only when necessary. Frequent toggling can cause the number of TCP connections to exceed the upper limit. If that happens, wait several minutes (the Web idle timeout), and then log in to the Web interface again.
Displaying information summary

Displaying system information

Select Summary from the navigation tree to enter the System Information page, which shows the basic system information, system resource state, and recent system logs.
• You can also select the interval for refreshing the system information in the Refresh Period list.
• ...
Field descriptions:
• Device Location: Device location, which you can configure on the page you enter by selecting Device > SNMP > Setup.
• Contact Information: Contact information, which you can configure on the page you enter by selecting Device > SNMP > Setup.
• SerialNum: Serial number of the device.
• If you select Manual, the system refreshes the information only when you click the Refresh button.

Figure 22 Device information...
Configuring basic device settings

The device basic information feature allows you to:
• Set the system name of the device. The configured system name is displayed at the top of the navigation bar.
• Set the idle timeout period for logged-in users. The system logs an idle user off the Web for security ...
Maintaining devices

Rebooting the device

CAUTION: Before rebooting the device, save the configuration. Otherwise, all unsaved configuration is lost after the reboot.

To reboot a device: Select Device > Device Maintenance from the navigation tree. Click the Reboot tab. The device reboot configuration page appears.
Displaying the electronic label information

The electronic label feature lets you view information about the device electronic label, which is also known as the permanent configuration data or archive information. The information is written into the storage medium of a device or a card during the debugging and testing processes, and includes the card name, product bar code, MAC address, debugging and testing dates, and manufacturer name.
Figure 28 The diagnostic information file is created

NOTE:
• During the generation of the diagnostic file, do not perform any operation on the Web interface.
• To view the diagnostic file after it has been generated successfully, select Device > File Management, or download the file to the local host.
Configuring the system time Configure a correct system time so that the device can work with other devices correctly. System time allows you to display and set the device system time on the Web interface. You can set the system time using manual configuration or automatic synchronization of NTP server time. Changing the system clock on each device within a network is time-consuming and does not guarantee clock precision.
Figure 30 Calendar page Either enter the system date and time in the field, or select the date and time in the calendar, where you can do one of the following: Click Today to set the current date on the calendar to the current system date of the local host. The time is not changed.
Table 9 Configuration items
• Clock status: Displays the synchronization status of the system clock.
• Source Interface: Set the source interface for NTP messages. If you do not want the IP address of a specific interface on the local device to become the destination address of response messages, specify the source interface for NTP messages so that the source IP address in the NTP...
Configuration procedure

On Device A, configure the local clock as the reference clock with a stratum of 2. Enable NTP authentication, set the key ID to 24, create the authentication key aNiceKey, and specify it as a trusted key. (Details not shown.)

On Switch B, configure Device A as the NTP server: Select Device > ...
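The authentication that the example enables is the NTP symmetric-key MAC: the sender appends a 32-bit key ID and MD5(key || 48-byte header) to each packet, and the receiver only accepts a packet whose key ID is both configured and marked trusted and whose digest recomputes. The following is an added example, not code from the guide or from HP, that builds a client request with key ID 24 and key aNiceKey and checks it the way a server would. The packet layout follows RFC 5905; note that this is a plain prefix-keyed MD5 digest, not HMAC, which is why the key must stay secret and why the trusted-key list matters.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set

NTP_HEADER_LEN = 48            # bytes; the MAC is computed over exactly this header
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAC_LEN = 4 + 16               # 32-bit key ID followed by a 128-bit MD5 digest


def ntp_timestamp(unix_seconds: float) -> int:
    """Convert Unix time to the 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_client_header(transmit_unix: float, version: int = 4) -> bytes:
    """Build a mode-3 (client) NTP header with only the transmit timestamp filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | 3                 # LI=0, VN, mode 3 = client
    header = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)         # stratum, poll, precision
    header += struct.pack("!II", 0, 0) + b"\x00" * 4           # root delay, root dispersion, reference ID
    header += struct.pack("!QQQ", 0, 0, 0)                     # reference, originate, receive timestamps
    header += struct.pack("!Q", ntp_timestamp(transmit_unix))  # transmit timestamp
    return header


def md5_authenticator(key_id: int, key: bytes, header: bytes) -> bytes:
    """MD5 MAC as in RFC 5905 section 7.3: key ID, then MD5(key || header)."""
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Client side: append the authenticator to the header."""
    return header + md5_authenticator(key_id, key, header)


def verify_packet(packet: bytes, keys: Dict[int, bytes], trusted: Set[int]) -> bool:
    """Server side: the key ID must be configured AND trusted, and the digest must match.

    `keys` models the configured authentication keys and `trusted` the trusted-key list
    from the example; a key that is configured but not trusted is rejected.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])   # constant-time comparison
```

A packet signed with key ID 24 verifies against {24: b"aNiceKey"} only while 24 is in the trusted set; removing it from the trusted set, changing the key, or flipping one bit of the header all cause rejection, which is the behaviour the example's "trusted key" setting relies on.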
Managing logs System logs contain a large amount of network and device information, including running status and configuration changes. System logs allow administrators to access network and device status. With system logs, administrators can take corresponding actions against network and security problems. The system sends system logs to the following destinations: Console.
Figure 34 Displaying syslogs

Table 10 Field description
• Time/Date: Time and date when the system log was generated.
• Source: Module that generated the system log.
• Level: Severity level of the system log. Logs are classified into eight levels by severity:
  • Emergency: The system is unusable.
  • Alert: Action must be taken immediately.
  • Critical: Critical condition.
  • Error: Error condition.
  • Warning: Warning condition.
  • Notification: Normal but significant condition.
Click Apply.

Table 11 Configuration items
• IPv4: Set the IPv4 address of the log host.
• IPv6: Set the IPv6 address of the log host.
• Loghost IP: Enter the IP address of the log host.

IMPORTANT: You can specify a maximum of four log hosts.

Setting buffer capacity and refresh interval

Select Device > ...
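Once logs are forwarded to a log host, the severity levels above are what a collector filters on. The following is an added example, not code from the guide or from HP, that parses a constructed dump of switch logs, keeps entries at a chosen severity or more severe, and counts login failures per source address, which is the kind of check a collector would run on the Web login events this device emits. The line layout ("%<timestamp> <sysname> <MODULE>/<level>/<MNEMONIC>: <text>"), the module and mnemonic names, and the sample lines are assumptions for the example; compare them with your own device's output before relying on the regular expression. The guide names six of the eight levels; Informational and Debug are the standard syslog names for levels 6 and 7.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Eight severity levels, numbered 0 (most severe) to 7 as in standard syslog.
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notification", 6: "Informational", 7: "Debug"}

# Assumed layout; confirm against real output from your device.
LINE_RE = re.compile(
    r"^%(?P<timestamp>.+?) (?P<sysname>\S+) "
    r"(?P<module>[A-Z0-9_]+)/(?P<level>[0-7])/(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class SyslogEntry:
    timestamp: str
    sysname: str
    module: str
    level: int
    mnemonic: str
    text: str

    @property
    def level_name(self) -> str:
        return SEVERITY_NAMES[self.level]


def parse_line(line: str) -> Optional[SyslogEntry]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return SyslogEntry(m["timestamp"], m["sysname"], m["module"],
                       int(m["level"]), m["mnemonic"], m["text"])


def parse_log(text: str) -> List[SyslogEntry]:
    """Parse a log dump, skipping lines that do not match (a collector should count these)."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def at_or_above(entries: Iterable[SyslogEntry], max_level: int) -> List[SyslogEntry]:
    """Keep entries at severity max_level or more severe (numerically lower)."""
    return [e for e in entries if e.level <= max_level]


def failed_logins_by_source(entries: Iterable[SyslogEntry], min_failures: int = 3) -> Dict[str, int]:
    """Count login failures per source IP and report sources at or above min_failures.

    Assumes failure messages carry a mnemonic containing "LOGINFAIL" and the text "from <ip>".
    """
    counts: Counter = Counter()
    for e in entries:
        if "LOGINFAIL" not in e.mnemonic:
            continue
        m = SOURCE_RE.search(e.text)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_failures}


# Constructed sample log for this example (not real device output).
SAMPLE_LOG = """\
%Jun 28 10:00:01:123 2013 Switch SHELL/5/SHELL_LOGIN: admin logged in from 192.168.0.10.
%Jun 28 10:00:05:456 2013 Switch SHELL/4/SHELL_LOGINFAIL: admin failed to log in from 10.0.0.7.
%Jun 28 10:00:06:789 2013 Switch SHELL/4/SHELL_LOGINFAIL: admin failed to log in from 10.0.0.7.
%Jun 28 10:00:07:001 2013 Switch SHELL/4/SHELL_LOGINFAIL: admin failed to log in from 10.0.0.7.
%Jun 28 10:01:00:000 2013 Switch IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/3 link status is DOWN.
%Jun 28 10:02:00:000 2013 Switch CFGMAN/6/CFGMAN_CFGCHANGED: Configuration changed.
not a syslog line
"""
```

On the sample, at_or_above(parse_log(SAMPLE_LOG), 4) keeps the three Warning entries and the Error entry and drops the Notification and Informational ones, and failed_logins_by_source reports 10.0.0.7 with three failures against the default admin account.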
Managing the configuration

Administrators can back up, restore, save, or initialize the device configuration.

Backing up the configuration

Configuration backup provides the following functions:
• Open and view the configuration file for the next startup.
• Back up the configuration file for the next startup to the host of the administrator.

To back up the configuration: Select Device > ...
This module allows administrators to save the running configuration to the configuration file to be used at the next startup.

IMPORTANT:
• HP recommends that you do not perform any operation on the Web interface while the configuration is being saved.
Initializing the configuration This operation restores the device's factory defaults, deletes the current configuration file, and reboots the device. To initialize the configuration: Select Device > Configuration from the navigation tree. Click the Initialize tab. The initialization confirmation page appears. Click Restore Factory-Default Settings to restore the factory defaults.
Managing files The file management function allows you to manage the files on the storage media. Displaying files Select Device > File Management from the navigation tree. The page shown in Figure 42 appears. Figure 42 File management page Select a medium from the Please select disk list. Two categories of information are displayed: Medium Information, including the used space, free space, and the capacity of the medium.
Open the file or save the file to a specified path. Uploading a file IMPORTANT: HP recommends that you do not perform any operation on the Web interface during the upgrade procedure. To upload a file: Select Device > File Management from the navigation tree.
Managing ports

You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface.
• For a Layer 2 Ethernet port, these operation parameters include its state, rate, duplex mode, link type, PVID, MDI mode, flow control settings, power saving mode, MAC learning limit, and storm suppression ratios.
Figure 43 Setup page

Set the operation parameters for the port as described in Table 13. Click Apply.

Table 13 Configuration items
• Port State: Enable or disable the port. In some cases, a modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification take effect.
• Speed: Set the transmission rate of the port:
  • 10: 10 Mbps.
  • 100: 100 Mbps.
  • 1000: 1000 Mbps.
  • Auto: Autonegotiation.
  • Auto 10: Autonegotiated to 10 Mbps.
  • Auto 100: Autonegotiated to 100 Mbps.
  • Auto 1000: Autonegotiated to 1000 Mbps.
  • Auto 10 100: Autonegotiated to 10 or 100 Mbps.
• MDI: Set the Medium Dependent Interface (MDI) mode for the interface. Two types of Ethernet cables can be used to connect Ethernet devices: crossover and straight-through. To accommodate both types, an Ethernet interface on the device can operate in one of the following MDI modes:
  • ...
• Broadcast Suppression: Set broadcast suppression on the port. You can suppress broadcast traffic by percentage or by PPS:
  • ratio: Sets the maximum percentage of broadcast traffic relative to the total bandwidth of the Ethernet port. When you select this option, you must enter a percentage in the box below this option.
• Selected Ports: The interface or interfaces that you have selected from the chassis front panel and the aggregate interface list below, for which you have set operation parameters.

IMPORTANT: You can set only the state and MAC learning limit for an aggregate interface.

Displaying port operation parameters

Displaying a specified operation parameter for all ports

Select Device > ...
Click the Detail tab. Select a port whose operation parameters you want to view in the chassis front panel. The operation parameter settings of the selected port are displayed on the lower part of the page. Whether the parameter takes effect is displayed in the square brackets. Figure 45 Detail page Port management configuration example Network requirements...
Figure 46 Network diagram Configuration procedure Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps: Select Device > Port Management from the navigation tree. Click the Setup tab. Select 1000 from the Speed list. Select 4 on the chassis front panel. 4 represents port GigabitEthernet 1/0/4. Click Apply.
Figure 47 Configuring the rate of GigabitEthernet 1/0/4 Batch configure the autonegotiation rate range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps: On the Setup page, select Auto 100 from the Speed list. Select 1, 2, and 3 on the chassis front panel. 1, 2, and 3 represent ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
Figure 48 Batch configuring port rate Display the rate settings of ports: Click the Summary tab. Select Speed to display the rate information of all ports on the lower part of the page, as shown Figure...
Figure 49 Displaying the rate settings of ports...
According to the locations of the mirroring source and the mirroring destination, port mirroring includes local port mirroring and remote port mirroring. The switching engine of the HP 830 24-port PoE+ unified wired-WLAN switch supports only local port mirroring. In local port mirroring, the mirroring source and the mirroring destination are on the same device. A mirroring group that contains the mirroring source and the mirroring destination on the device is called a local mirroring group.
Figure 50 Local port mirroring implementation

Configuration guidelines

When you configure port mirroring, follow these guidelines:
• Layer 2 Ethernet ports can be configured as either mirroring ports or monitor ports.
• You can configure multiple source ports, but only one monitor port, for a local mirroring group.
• To ensure normal operation of mirroring, do not enable the spanning tree feature on the monitor ...
Creating a mirroring group

Select Device > Port Mirroring from the navigation tree. Click the Create tab. The page for creating a mirroring group appears.

Figure 51 Creating a mirroring group

Create the mirroring group as described in Table 14. Click Apply.

Table 14 Configuration items
Figure 52 Configuring ports for a mirroring group

Configure ports for the mirroring group as described in Table 15. Click Apply. A progress dialog box appears. After the success notification appears, click Close.

Table 15 Configuration items
• Mirroring Group ID: ID of the local mirroring group to be configured.
Local port mirroring configuration example

Network requirements

As shown in Figure 53, configure local port mirroring on Switch C to monitor the packets received and sent by Department 1 and Department 2. To meet the network requirements, perform the following configuration on Switch C: Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports.
Figure 54 Creating a local mirroring group Configuring the mirroring ports Click the Modify Port tab. Select 1 – Local from the Mirroring Group ID list, select Mirror Port from the Port Type list, select both from the Stream Orientation list, select 1 (GigabitEthernet 1/0/1) and 2 (GigabitEthernet 1/0/2) on the chassis front panel, and click Apply.
Figure 55 Configuring the mirroring ports Configuring the monitor port Click the Modify Port tab. Select 1 – Local from the Mirroring Group ID list, select Monitor Port from the Port Type list, Select 3 (GigabitEthernet 1/0/3) on the chassis front panel, and click Apply. A configuration progress dialog box appears.
Managing users

The device provides the following user management functions:
• Creating a local user, and specifying the password, access level, and service types for the user.
• Setting the super password for non-management level users to switch to the management level.
• ...
• Access Level: Select an access level for the user. The following Web user levels, from low to high, are available:
  • Visitor: Users of this level can perform the ping and traceroute operations, but they cannot access the device data or configure the device.
  • ...
Figure 58 Setting the super password

Configure a super password as described in Table 17. Click Apply.

Table 17 Configuration items
• Create/Remove: Select the operation type:
  • Create: Configure or change the super password.
  • Remove: Remove the current super password.
• Password: Set the password that non-management level users must enter to switch to the management level.
Figure 59 Switching to the management level...
Configuring a loopback test
You can examine whether an Ethernet port operates properly by performing the Ethernet port loopback test, during which the port cannot forward data packets normally. An Ethernet port loopback test can be one of the following types:
• Internal loopback test—A self loop is established in the switching chip to check whether there is a
•...
Figure 61 Loopback test result
When you configure a loopback test, follow these guidelines:
• You can perform an internal loopback test but not an external loopback test on a port that is physically down. You can perform neither test on a port that is manually shut down.
• The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under
•...
Configuring VCT You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether short circuit or open circuit occurs on the cable and the length of the faulty cable.
Configuring the flow interval With the flow interval module, you can view the number of packets and bytes sent and received by a port over the specified interval. Setting the traffic statistics generating interval Select Device > Flow Interval from the navigation tree. Click the Interval Configuration tab.
Figure 64 Displaying port traffic statistics...
Configuring storm constrain The storm constrain function limits traffic of a port within a predefined upper threshold to suppress packet storms in an Ethernet. With this function enabled on a port, the system detects the amount of broadcast traffic, multicast traffic, and unknown unicast traffic reaching the port periodically. When a type of traffic exceeds the threshold for it, the function, as configured, blocks or shuts down the port.
Figure 65 Storm constrain configuration page Configuring storm constrain Select Device > Storm Constrain from the navigation tree. The page shown in Figure 65 appears. In the Port Storm Constrain area, click Add. The page for adding port storm constrain configuration appears. Figure 66 Adding storm constrain settings for ports...
Set the storm constrain function as described in the following table. Click Apply.
Table 19 Configuration items
Action: Specify the action to be performed when a type of traffic exceeds the upper threshold. Available options include:
• None—Performs no action.
• Block—Blocks the traffic of this type on a port when the type of traffic exceeds the upper threshold.
RMON groups Among the RFC 2819 defined RMON groups, HP implements the statistics group, history group, event group, and alarm group supported by the public MIB. HP also implements a private alarm group, which enhances the standard alarm group. Ethernet statistics group...
History group
The history group defines that the system periodically collects traffic statistics on interfaces and saves the statistics in the history record table (ethernetHistoryTable). The statistics include bandwidth utilization, number of error packets, and total number of packets. The history statistics table records the traffic statistics collected for each sampling interval. The sampling interval is user-configurable.
Recommended configuration procedure Configuring the RMON statistics function The RMON statistics function can be implemented by either the Ethernet statistics group or the history group, but the objects of the statistics are different, as follows: A statistics object of the Ethernet statistics group is a variable defined in the Ethernet statistics table, •...
Table 22 Configuring the RMON alarm function
Step Remarks
Required. You can create up to 100 statistics entries in a statistics table. Because the alarm variables that can be configured through the Web interface are MIB variables defined in the history group or the statistics group, configure the RMON Ethernet statistics function or the RMON history statistics function on the monitored Ethernet interface first.
Task Remarks
Displaying RMON history sampling information: After you create a history control entry on an interface, the system calculates the information of the interface periodically and saves the information to the etherHistoryEntry table. You can perform this task to view the entries in this table.
Table 24 Configuration items
Interface Name: Select the name of the interface on which the statistics entry is created. Only one statistics entry can be created on one interface.
Owner: Set the owner of the statistics entry.
Configuring a history entry
Select Device >...
Table 25 Configuration items
Interface Name: Select the name of the interface on which the history entry is created.
Buckets Granted: Set the capacity of the history record list corresponding to this history entry (the maximum number of records that can be saved in the history record list). If the current number of entries in the table has reached the maximum, the system deletes the earliest entry to save the latest one.
Click Apply.
Table 26 Configuration items
Description: Set the description for the event.
Owner: Set the entry owner.
Event Type: Set the actions that the system takes when the event is triggered:
• Log—The system logs the event.
•...
Figure 75 Adding an alarm entry
Configure an alarm entry as described in the following table. Click Apply.
Table 27 Configuration items
Alarm variable
Static Item: Set the traffic statistics that are collected and monitored. For more information, see Table
Interface Name: Set the name of the interface whose traffic statistics are collected and monitored.
Item Description Select whether to create a default event. The description of the default event is default event, the action is log-and-trap, and the owner is default owner. Create Default Event If there is no event, you can create the default event. And when the value of the alarm variable is higher than the alarm rising threshold or lower than the alarm falling threshold, the system adopts the default action, that is, log-and-trap.
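The rising/falling threshold behaviour described above, and the "log when received bytes exceed a threshold within a period" scenario of the RMON configuration example later in this chapter, can be reproduced in a few lines. The following is an added example written for this guide, not the switch's RMON implementation; it follows the RFC 2819 alarm rules (a rising event fires when a sample reaches the rising threshold and is not repeated until a sample has dropped to the falling threshold, and a delta-type alarm needs two samples before it can fire). The thresholds, the DefaultEvent sink that mimics the page's log-and-trap default action, and the counter values are constructed.

```python
"""Added example: RMON-style alarm evaluation with rising/falling thresholds.

Illustrative code for this guide, not the switch's RMON implementation.
Sample values and thresholds below are constructed.
"""
from typing import Callable, Dict, List, Optional

ABSOLUTE, DELTA = "absolute", "delta"
RISING, FALLING = "rising", "falling"


class RmonAlarm:
    """One alarm entry: monitors a sampled MIB variable against two thresholds."""

    def __init__(self, rising: int, falling: int, sample_type: str = DELTA,
                 on_event: Optional[Callable[[str, int], None]] = None):
        if falling >= rising:
            raise ValueError("falling threshold must be below the rising threshold")
        self.rising, self.falling, self.sample_type = rising, falling, sample_type
        self.on_event = on_event or (lambda kind, value: None)
        self._prev_raw: Optional[int] = None     # last raw counter (delta mode)
        self._last_event: Optional[str] = None   # arms/disarms each direction

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sampled counter value; return the event raised, if any."""
        if self.sample_type == DELTA:
            if self._prev_raw is None:           # no delta until the second sample
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw
        event = None
        # A rising event is not repeated until a falling crossing re-arms it,
        # and vice versa (RFC 2819 alarmRisingThreshold/alarmFallingThreshold).
        if value >= self.rising and self._last_event != RISING:
            event = RISING
        elif value <= self.falling and self._last_event != FALLING:
            event = FALLING
        if event:
            self._last_event = event
            self.on_event(event, value)
        return event


class DefaultEvent:
    """Mimics the page's default event: action log-and-trap (constructed sink)."""

    def __init__(self) -> None:
        self.log: List[str] = []
        self.traps: List[Dict[str, object]] = []

    def __call__(self, kind: str, value: int) -> None:
        self.log.append(f"{kind} alarm, sampled value {value}")
        self.traps.append({"alarm": kind, "value": value})


def run_samples(alarm: RmonAlarm, raws: List[int]) -> List[Optional[str]]:
    """Drive an alarm with a series of raw counter readings, one per interval."""
    return [alarm.sample(r) for r in raws]


if __name__ == "__main__":
    # Constructed etherStatsOctets readings, one per sampling interval.
    sink = DefaultEvent()
    octets_alarm = RmonAlarm(rising=1000, falling=100, sample_type=DELTA, on_event=sink)
    print(run_samples(octets_alarm, [0, 500, 2000, 4000, 4050, 6000]))
    print(sink.log)
```

In delta mode the alarm compares the growth of the counter between two consecutive samples, which is what "bytes received within a specific period" means for a monotonically increasing counter such as etherStatsOctets; counter wrap-around is not handled here.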
Figure 76 RMON statistics
Table 28 Field description
Number of Received Bytes: Total number of octets received by the interface, corresponding to the MIB node etherStatsOctets.
Number of Received Packets: Total number of packets received by the interface, corresponding to the MIB node etherStatsPkts.
Number of Received Packets Larger Than 1518 Bytes And FCS Check Failed: Number of oversize packets (longer than 1518 octets) with CRC errors received by the interface, corresponding to the MIB node etherStatsJabbers.
Number of Network Conflicts: Total number of collisions received on the interface, corresponding to the MIB node etherStatsCollisions.
Table 29 Field description
Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer.
Time: Time at which the information is saved.
DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents.
Figure 78 Log RMON configuration example Network requirements As shown in Figure 79, create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1/0/1, and perform corresponding configurations so that the system logs the event when the number of bytes received on the interface exceeds the configured threshold within a specific period.
Figure 80 Adding a statistics entry Display RMON statistics for GigabitEthernet 1/0/1: Click the icon corresponding to GigabitEthernet 1/0/1. View this information shown in Figure Figure 81 Displaying RMON statistics Create an event to start logging after the event is triggered: Click the Event tab.
Click Add. The page in Figure 82 appears. Enter 1-rmon in the Owner field and select the box before Log. Click Apply. The page displays the event entry, and you can see that the entry index of the new event is 1, as shown in Figure Figure 82 Configuring an event group...
Figure 84 Configuring an alarm group Verifying the configuration After the above configuration, when the alarm event is triggered, you can view the log information about event 1 on the Web interface. Select Device > RMON from the navigation tree. Click the Log tab.
Configuring energy saving Energy saving enables a port to work at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes when the effective time period ends. To configure energy saving on a port: Select Device >...
Item Description
Lowest Speed: Set the port to transmit data at the lowest speed. If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect.
Shutdown: Shut down the port. An energy saving policy can have all three energy saving schemes configured, of which the shutdown scheme takes the highest priority.
Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure. Overview SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.
NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not. The device supports only traps.
SNMP protocol versions
HP devices support SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other. SNMPv1 and SNMPv2c identify the NMS only by a community name that every packet carries in cleartext, so anyone who can observe the traffic can read it; SNMPv3 adds per-user authentication and optional encryption and should be used wherever the NMS supports it.
•...
Table 32 Configuring SNMPv3
Step Remarks
Enabling SNMP agent: Required. The SNMP agent function is disabled by default. IMPORTANT: If SNMP agent is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Figure 89 Setup page
Configure SNMP settings on the upper part of the page as described in the following table. Click Apply.
Table 33 Configuration items
SNMP: Specify whether to enable or disable the SNMP agent.
Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent: SNMPv3 keys are derived from the user's password together with the engine ID, so if the engine ID is changed, the existing users become invalid and must be re-created.
Item Description SNMP Version Set the SNMP version run by the system. Configuring an SNMP view Creating an SNMP view Select Device > SNMP from the navigation tree. Click the View tab. The View page appears. Figure 90 View page Click Add.
Figure 92 Creating an SNMP view (2) Configure the parameters as described in Table Click Add to add the rule into the list at the lower part of the page. Repeat steps 6 and 7 to add more rules for the SNMP view. Click Apply.
Figure 93 Adding rules to an SNMP view Configure the parameters as described in Table Click Apply. NOTE: You can also click the icon corresponding to the specified view on the page shown in Figure 90, and then you can enter the page to modify the view. Configuring an SNMP community Select Device >...
Figure 95 Creating an SNMP community
Configure the SNMP community as described in the following table. Click Apply.
Table 35 Configuration items
Community Name: Set the SNMP community name.
Access Right: Configure the access rights:
• Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
The page for creating an SNMP group appears. Figure 97 Creating an SNMP group Configure SNMP group as described in Table Click Apply. Table 36 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group: •...
Figure 98 SNMP user
Click Add. The page for creating an SNMP user appears.
Figure 99 Creating an SNMP user
Configure the SNMP user as described in the following table. Click Apply.
Table 37 Configuration items
User Name: Set the SNMP user name.
Select the security level for the SNMP user:
•...
Group Name: Select an SNMP group to which the user belongs:
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
Click Add. The page for adding a target host of SNMP traps appears. Figure 101 Adding a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply. Table 38 Configuration items Item Description Set the destination IP address.
Figure 102 Displaying SNMP packet statistics SNMPv1/v2c configuration example Network requirements As shown in Figure 103, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS. Figure 103 Network diagram Configuring the agent Enable SNMP:...
Figure 104 Configuring the SNMP agent Select the Enable option and select the v1 and v2 options. Click Apply. Configure a read-only community: Click the Community tab. Click Add. The page for adding an SNMP community appears. Figure 105 Configuring an SNMP read-only community Enter public in the Community Name field and select Read only from the Access Right list.
Figure 106 Configuring an SNMP read and write community Enter private in the Community Name field and select Read and write from the Access Right list. Click Apply. Enable SNMP traps: Click the Trap tab. The Trap page appears. Figure 107 Enabling SNMP traps Select Enable SNMP Trap.
Figure 108 Adding a trap target host Select the IPv4 option, enter 1.1.1.2 in the subsequent field, enter public in the Security Name field, and select v1 from the Security Model list. Click Apply. Configuring the NMS CAUTION: The configuration on the NMS must be consistent with the configuration on the agent. Otherwise, you cannot perform corresponding operations.
Figure 109 Network diagram Configuring the agent Enable SNMP agent: Select Device > SNMP from the navigation tree. The SNMP configuration page appears. Figure 110 Configuring the SNMP agent Select the Enable option, and select the v3 option. Click Apply. Configure an SNMP view: Click the View tab.
Click Apply. A configuration progress dialog box appears. Click Close after the configuration process is complete. Figure 112 Creating an SNMP view (2) Configure an SNMP group: Click the Group tab. Click Add. The page in Figure 113 appears. Enter group1 in the Group Name field, select view1 from the Read View list, and select view1 from the Write View list.
Enter user1 in the User Name field, select Auth/Priv from the Security Level list, select group1 from the Group Name list, select MD5 from the Authentication Mode list, enter authkey in the Authentication Password and Confirm Authentication Password fields, select DES56 from the Privacy Mode list, and enter prikey in the Privacy Password and Confirm Privacy Password fields.
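The user created above gets an authentication key and a privacy key that the agent does not store as entered: per RFC 3414 the password is first hashed into a key, and that key is then "localized" by hashing it together with the agent's engine ID, which is why Table 33 warns that a user's validity depends on the engine ID. The following is an added example written for this guide, not the switch's code, that performs both steps and produces the 96-bit authentication parameter carried in each SNMPv3 message. It uses the RFC 3414 Appendix A test vector (password "maplesyrup", engine ID 000000000000000000000002) so the output can be checked; the second engine ID and the message bytes are constructed.

```python
"""Added example: RFC 3414 USM password-to-key, key localization and HMAC-96.

Illustrative code for this guide, not the switch's SNMP implementation.
"""
import hashlib
import hmac

HASH_LEN = 1_048_576  # RFC 3414 A.2: hash exactly 1 MiB of the repeated password


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated cyclically to 1,048,576 octets.

    The large input is a deliberate work factor against password guessing.
    """
    if not password:
        raise ValueError("empty password")
    reps = HASH_LEN // len(password) + 1
    stream = (password * reps)[:HASH_LEN]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually stored on the agent.

    Mixing in the engine ID gives every agent a different key for the same
    password; changing an agent's engine ID therefore invalidates the users
    created under the old one, exactly as Table 33 describes.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param(kul: bytes, wire_msg: bytes, algo: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 96 bits."""
    return hmac.new(kul, wire_msg, algo).digest()[:12]


def verify_auth(kul: bytes, wire_msg: bytes, received: bytes, algo: str = "md5") -> bool:
    """Constant-time comparison of a received 12-byte authentication parameter."""
    return hmac.compare_digest(auth_param(kul, wire_msg, algo), received)


# RFC 3414 Appendix A test vector (published values, not constructed).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    ku = password_to_key(RFC3414_PASSWORD, "md5")
    kul = localize_key(ku, RFC3414_ENGINE_ID, "md5")
    print("Ku  =", ku.hex())
    print("Kul =", kul.hex())
    print("auth =", auth_param(kul, b"constructed SNMPv3 message bytes").hex())
```

The same functions work for SHA-1 by passing algo="sha1". MD5 and DES56, as selected in the procedure above, are the original USM algorithms and are the weakest on offer; where both the NMS and the switch support SHA authentication and AES privacy, prefer them.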
Configure a target host for SNMP traps: Click Add on the Trap tab page. The page for adding a target host of SNMP traps appears. Figure 116 Adding a trap target host Select the IPv4 option, enter 1.1.1.2 in the subsequent field, enter user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list.
Displaying interface statistics The interface statistics module displays statistics about the packets received and sent through interfaces. To display interface statistics, select Device > Interface Statistics from the navigation tree. Figure 117 Displaying interface statistics Table 39 Field description Field Description InOctets Total octets of all packets received on the interface.
Configuring VLANs Overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. The medium is shared, so collisions and excessive broadcasts are common on an Ethernet. To address this issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs.
Figure 119 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 120. Figure 120 Position and format of VLAN tag A VLAN tag comprises the following fields: Tag protocol identifier (TPID)—The 16-bit TPID field indicates whether the frame is VLAN-tagged •...
Port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods: Access port—An access port belongs to only one VLAN and sends traffic untagged.
"Configuring a voice VLAN." • HP recommends that you set the same PVID for local and remote ports. Make sure a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID • or untagged frames, the port drops these frames.
Recommended VLAN configuration procedures
You can configure VLANs using either of the following procedures.
Recommended configuration procedure (modifying ports in a VLAN)
Step Remarks
Creating VLANs: Required. Create one or multiple VLANs.
Required. Specify the range of VLANs available for selection during related operations.
Figure 122 Creating VLANs
Table 40 Configuration items
VLAN IDs: IDs of the VLANs to be created.
Modify the description of the
• ID—Select the ID of the VLAN whose description string is to be modified. Click the ID of the VLAN to be modified in the list in the middle of the page.
•...
Figure 123 Selecting VLANs Select the Display all VLANs option to display all VLANs, or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed. Click Select. Modifying a VLAN Select Network > VLAN from the navigation tree. Click Modify VLAN to enter the page for modifying a VLAN.
Figure 124 Modifying a VLAN Configure member ports of a VLAN as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds. Table 41 Configuration items Item Description Select the VLAN to be modified.
Select membership type: Set the member type of the port to be modified in the VLAN:
• Untagged—Configures the port to send the traffic of the VLAN after removing the VLAN tag.
• Tagged—Configures the port to send the traffic of the VLAN without removing the VLAN tag.
Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.
Table 42 Configuration items
Select Ports: Select the ports to be modified on the device panel. You can select multiple ports at a time. If aggregation ports are configured, they are displayed below the device panel.
Page 141
Select GigabitEthernet 1/0/1 on the chassis front device panel. Click Apply. Figure 127 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: Select Network > VLAN from the navigation tree. Click Create to enter the page for creating VLANs.
Figure 128 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: Click Select VLAN to enter the page for selecting VLANs. Select the option before Display a subnet of all configured VLANs, and enter 1-100 in the field. Click Select.
Select 100 – VLAN 0100 in the Please select a VLAN to modify: list, select the Untagged option, and select GigabitEthernet 1/0/1 on the chassis front device panel. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Figure 130 Assigning GigabitEthernet 1/0/1 to VLAN 100 as an untagged member Assign GigabitEthernet 1/0/1 to VLAN2, and VLAN 6 through VLAN 50 as a tagged member: Click Modify Port to enter the page for modifying the VLANs to which a port belongs.
Figure 131 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B as you configure Switch A.
Configuring VLAN interfaces Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information, see "Configuring VLANs." Overview For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding.
Figure 132 Creating a VLAN interface Configure the VLAN interface as described in Table Click Apply. Table 43 Configuration items Item Description Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, Input a VLAN ID: make sure the corresponding VLAN exists.
Modifying a VLAN interface By modifying a VLAN interface, you can assign an IPv4 address, an IPv6 link-local address, and an IPv6 site-local address, or global unicast address to the VLAN interface, and shut down or bring up the VLAN interface.
Item Description
DHCP / BOOTP: Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to get an IP address automatically by selecting the DHCP or BOOTP option, or manually assign the VLAN interface an IP address by selecting the Manual option.
Configuring a voice VLAN Overview A voice VLAN is dedicated to voice traffic. After the ports connecting to voice devices are assigned to a voice VLAN, the system automatically modifies the QoS parameters for the voice traffic. This improves transmission priority and ensures voice quality. Common voice devices include IP phones and integrated access devices (IADs).
Assigning ports to and removing ports from a voice VLAN are automatically performed. Automatic mode is suitable for scenarios where PCs and IP phones connected in series access the network through the device and ports on the device transmit both voice traffic and data traffic at the same time, as shown in Figure 134.
MAC addresses checking. HP does not recommend that you transmit both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure the voice VLAN security mode is disabled.
Table 48 How a voice VLAN-enabled port processes packets in security/normal mode
Voice VLAN operating mode / Packet type / Packet processing mode
Untagged packets, and packets carrying the voice VLAN tag: If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN.
Recommended configuration procedure for a port in automatic voice VLAN assignment mode
Step Remarks
Configuring voice VLAN globally: Optional. Configure the voice VLAN to operate in security mode, and configure the aging timer.
Configuring voice VLAN on ports: Required. Configure the voice VLAN assignment mode of a port as automatic, and enable the voice VLAN function on the port.
Figure 136 Configuring voice VLAN
Configure the global voice VLAN settings as described in the following table. Click Apply.
Table 49 Configuration items
Voice VLAN security: Select Enable or Disable in the list to enable or disable the voice VLAN security mode. By default, the voice VLANs operate in security mode.
Figure 137 Configuring voice VLAN on ports
Configure the voice VLAN function for ports as described in the following table. Click Apply.
Table 50 Configuration items
Voice VLAN port mode: Set the voice VLAN assignment mode of a port to:
• Auto—Automatic voice VLAN assignment mode.
Figure 138 Adding OUI addresses to the OUI list Add an OUI address to the list as described in Table Click Apply. Table 51 Configuration items Item Description OUI Address Set the source MAC address of voice traffic. Mask Set the mask length of the source MAC address. Description Set the description of the OUI address entry.
Figure 139 Network diagram Configuring Switch A Create VLAN 2: Select Network > VLAN from the navigation tree. Click the Create tab. Enter VLAN ID 2. Click Create. Figure 140 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port: Select Device >...
Click Apply. Figure 141 Configuring GigabitEthernet 1/0/1 as a hybrid port Configure the voice VLAN function globally: Select Network > Voice VLAN from the navigation tree. Click the Setup tab. Select Enable from the Voice VLAN security list. Set the voice VLAN aging timer to 30 minutes. Click Apply.
Figure 142 Configuring the voice VLAN function globally Configure voice VLAN on GigabitEthernet 1/0/1: Click the Port Setup tab. Select Auto from the Voice VLAN port mode list. Select Enable from the Voice VLAN port state list. Enter voice VLAN ID 2. Select GigabitEthernet 1/0/1 from the chassis front panel.
Figure 144 Adding OUI addresses to the OUI list Verifying the configuration When you complete the preceding configurations, the OUI Summary tab is displayed by default, as shown in Figure 145. You can view the information about the newly-added OUI address. Figure 145 Displaying the current OUI list of the device Click the Summary tab to enter the page shown in Figure...
Figure 146 Displaying voice VLAN information
Configuring voice VLAN on a port in manual voice VLAN assignment mode
Network requirements
As shown in Figure 147:
• Configure VLAN 2 as a voice VLAN that carries only voice traffic.
• The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic. GigabitEthernet 1/0/1 operates in manual voice VLAN assignment mode, and allows voice
•...
Configuring Switch A Create VLAN 2: Select Network > VLAN from the navigation tree. Click the Create tab. Enter VLAN ID 2. Click Create. Figure 148 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port, and configure its default VLAN as VLAN 2: Select Device >...
Figure 149 Configuring GigabitEthernet 1/0/1 as a hybrid port Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member: Select Network > VLAN from the navigation tree. Click the Modify Port tab. Select GigabitEthernet 1/0/1 from the chassis front panel. Select the Untagged option.
Figure 150 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member Configure voice VLAN on GigabitEthernet 1/0/1: Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab. Select Manual from the Voice VLAN port mode list. Select Enable from the Voice VLAN port state list.
Figure 151 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: Click the OUI Add tab. Enter OUI address 0011-2200-0000. Select FFFF-FF00-0000 as the mask. Enter description string test. Click Apply.
Figure 152 Adding OUI addresses to the OUI list Verifying the configuration When you complete the preceding configurations, the OUI Summary tab is displayed by default, as shown in Figure 153. You can view the information about the newly-added OUI address. Figure 153 Displaying the current OUI list of the device Click the Summary tab to enter the page shown in Figure...
Figure 154 Displaying the current voice VLAN information...
Configuring the MAC address table MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces only. This chapter provides information about the management of static and dynamic MAC address entries. It does not provide information about multicast MAC address entries. Overview To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table for forwarding frames.
• Static entries—Manually added and never age out.
• Dynamic entries—Manually added or dynamically learned, and might age out.
• Blackhole entries—Manually configured and never age out. They are configured for filtering out frames with specific destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.
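The three entry types and the forwarding decision they drive can be shown in a small model. The following is an added example written for this guide, not the switch's forwarding code: it learns dynamic entries from source addresses, ages them out, keeps static entries regardless of age, never lets a learned entry overwrite a static or blackhole entry, and drops frames whose destination is a blackhole entry. The VLAN, port names, MAC addresses and the aging time are constructed, and a settable clock replaces real time so the aging behaviour is reproducible.

```python
"""Added example: MAC address table with static, dynamic and blackhole entries.

Illustrative code for this guide, not the switch's implementation. All
addresses, ports and timings below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"
FLOOD, DROP = "flood", "drop"


@dataclass
class Entry:
    kind: str
    port: Optional[str]      # None for a blackhole entry
    last_seen: float


class MacTable:
    """Per-VLAN MAC table with source learning, aging and a forwarding lookup."""

    def __init__(self, aging_time: float = 300.0,
                 clock: Callable[[], float] = lambda: 0.0):
        self.aging_time = aging_time
        self.clock = clock            # injectable for deterministic aging tests
        self._t: Dict[Tuple[int, str], Entry] = {}

    @staticmethod
    def _key(vlan: int, mac: str) -> Tuple[int, str]:
        return (vlan, mac.lower())

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self._t[self._key(vlan, mac)] = Entry(STATIC, port, self.clock())

    def add_blackhole(self, vlan: int, mac: str) -> None:
        self._t[self._key(vlan, mac)] = Entry(BLACKHOLE, None, self.clock())

    def learn(self, vlan: int, src_mac: str, in_port: str) -> None:
        """Source learning: add or refresh a dynamic entry.

        A learned address never overrides a static or blackhole entry, so an
        attacker cannot displace a configured entry by spoofing its MAC.
        """
        k = self._key(vlan, src_mac)
        e = self._t.get(k)
        if e is not None and e.kind != DYNAMIC:
            return
        self._t[k] = Entry(DYNAMIC, in_port, self.clock())

    def age(self) -> int:
        """Remove dynamic entries idle longer than aging_time; return how many."""
        now = self.clock()
        stale = [k for k, e in self._t.items()
                 if e.kind == DYNAMIC and now - e.last_seen > self.aging_time]
        for k in stale:
            del self._t[k]
        return len(stale)

    def forward(self, vlan: int, dst_mac: str, in_port: str) -> str:
        """Forwarding decision: a port name, FLOOD (unknown unicast) or DROP."""
        e = self._t.get(self._key(vlan, dst_mac))
        if e is None:
            return FLOOD
        if e.kind == BLACKHOLE or e.port == in_port:
            return DROP                # blackhole, or destination is behind the ingress port
        return e.port

    def entries(self, kind: Optional[str] = None) -> List[Tuple[int, str, Entry]]:
        return [(v, m, e) for (v, m), e in self._t.items() if kind is None or e.kind == kind]


if __name__ == "__main__":
    now = [0.0]
    table = MacTable(aging_time=300, clock=lambda: now[0])
    table.add_static(1, "00e0-fc35-dc71", "GigabitEthernet1/0/1")
    table.add_blackhole(1, "0011-2233-4455")
    table.learn(1, "aaaa-bbbb-cccc", "GigabitEthernet1/0/3")
    print(table.forward(1, "aaaa-bbbb-cccc", "GigabitEthernet1/0/2"))
    now[0] = 301.0
    print("aged out:", table.age(), "->", table.forward(1, "aaaa-bbbb-cccc", "GigabitEthernet1/0/2"))
```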
Figure 155 The MAC tab Click Add in the bottom to enter the page for creating MAC address entries. Figure 156 Creating a MAC address entry Configure a MAC address entry. Click Apply. Table 52 Configuration items Item Description Set the MAC address to be added.
Type: Set the type of the MAC address entry:
• Static—Static MAC address entries that never age out.
• Dynamic—Dynamic MAC address entries that will age out.
• Blackhole—Blackhole MAC address entries that never age out.
The tab displays the following types of MAC address entries:
•...
MAC address table configuration example Network requirements Use the Web-based NMS to configure the MAC address table of the device. Add a static MAC address 00e0-fc35-dc71 under GigabitEthernet 1/0/1 in VLAN 1. Creating a static MAC address entry Select Network > MAC from the navigation tree. By default, the MAC tab is displayed.
LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and the packets of all VLANs are forwarded along the same spanning tree. For more information about STP and RSTP, see HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine Layer 2 Configuration Guide.
Basic concepts in MSTP Assume that all the four devices in Figure 159 are running MSTP. This section explains some basic concepts of MSTP based on the figure. Figure 159 Basic concepts in MSTP MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them.
The same MSTP revision level (not shown in the figure). • Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. VLAN-to-MSTI mapping table As an attribute of an MST region, the VLAN-to-MSTI mapping table describes the mapping relationships between VLANs and MSTIs.
Common root bridge The common root bridge is the root bridge of the CIST. In Figure 159, for example, the common root bridge is a device in region A0. Boundary port A boundary port is a port that connects an MST region to another MST region, or to a single spanning-tree region running STP, or to a single spanning-tree region running RSTP.
Figure 160 Port roles In Figure 160, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port 4 of Device D are connected downstream to the other MST regions.
How MSTP works MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI. Among these MSTIs, MSTI 0 is called the CIST. Similar to RSTP, MSTP uses configuration BPDUs to calculate spanning trees.
Configuration guidelines Follow these guidelines when you configure MSTP: Two devices belong to the same MST region only if they are interconnected through physical links, • and share the same region name, the same MSTP revision level, and the same VLAN-to-MSTI mappings.
Figure 161 MST region Click Modify to enter the page for configuring MST regions. Figure 162 Configuring an MST region Configure the MST region information as described in Table 55, and click Apply. Click Activate. Table 55 Configuration items Item Description MST region name.
Configuring MSTP globally Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally. Figure 163 Configuring MSTP globally Configure the global MSTP configuration as described in Table Click Apply. Table 56 Configuration items Item Description Select whether to enable STP globally.
• The settings of hello time, forward delay and max age must meet a certain formula. Otherwise, the network topology will not be stable. HP recommends that you set the network diameter and then have the device automatically calculate the forward delay, hello time, and max age.
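As an added example (not code from this guide), a Python check of the two guidelines above: two devices are placed in one MST region only when region name, revision level and the VLAN-to-MSTI mapping table agree, which IEEE 802.1s compares through an HMAC-MD5 digest of the mapping table, and the hello/forward delay/max age settings are stable only when they satisfy the IEEE 802.1D relation 2 × (forward delay − 1) ≥ max age ≥ 2 × (hello + 1). The class and function names are this example's own; the sample mappings reuse the ones from the MSTP configuration example later on this page.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Signature key that IEEE 802.1s defines for the MST configuration digest
# (HMAC-MD5 over the VLAN-to-MSTI mapping table, 4096 two-byte entries).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


@dataclass
class MstRegion:
    """Region attributes a device advertises in its MST configuration identifier."""
    name: str
    revision: int
    # VLAN-to-MSTI mapping table; VLANs not listed map to MSTI 0 (the CIST).
    vlan_to_msti: dict = field(default_factory=dict)

    def mapping_table(self) -> bytes:
        """Serialise the full table: one 16-bit MSTID for every VLAN 0..4095."""
        return b"".join(
            struct.pack("!H", self.vlan_to_msti.get(vlan, 0)) for vlan in range(4096)
        )

    def config_digest(self) -> bytes:
        """16-byte digest that the BPDU carries instead of the whole table."""
        return hmac.new(MST_DIGEST_KEY, self.mapping_table(), hashlib.md5).digest()


def same_region(a: MstRegion, b: MstRegion) -> bool:
    """Two directly connected devices are in one MST region only if all three
    configuration identifier fields match: name, revision level and the
    digest of the VLAN-to-MSTI mapping table."""
    return (
        a.name == b.name
        and a.revision == b.revision
        and hmac.compare_digest(a.config_digest(), b.config_digest())
    )


def timers_consistent(hello: float, forward_delay: float, max_age: float) -> list:
    """Return the list of violated constraints (empty when the settings are stable).

    IEEE 802.1D requires 2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1),
    all in seconds, so that a topology change propagates before entries age out.
    """
    problems = []
    if max_age > 2 * (forward_delay - 1):
        problems.append("max_age must be <= 2 * (forward_delay - 1)")
    if max_age < 2 * (hello + 1):
        problems.append("max_age must be >= 2 * (hello + 1)")
    return problems


if __name__ == "__main__":
    # Constructed sample: the VLAN-to-MSTI mappings used by the configuration
    # example later on this page (VLAN 10 -> MSTI 1, 20 -> 2, 30 -> 3, 40 -> 0).
    switch_a = MstRegion("example", 0, {10: 1, 20: 2, 30: 3, 40: 0})
    switch_b = MstRegion("example", 0, {10: 1, 20: 2, 30: 3})   # VLAN 40 implicitly 0
    switch_c = MstRegion("example", 0, {10: 1, 20: 2, 30: 0})   # mis-typed mapping
    print("A and B in one region:", same_region(switch_a, switch_b))   # True
    print("A and C in one region:", same_region(switch_a, switch_c))   # False
    print("defaults 2/15/20 s:", timers_consistent(2, 15, 20))          # []
    print("hello 2, fwd 4, age 20:", timers_consistent(2, 4, 20))
```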
This affects network stability. With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. HP does not recommend that you disable this function.
• tc-protection threshold: Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.
• Transmit Limit—Configure the maximum number of MSTP packets that can be sent during each Hello interval. The larger the transmit limit is, the more network resources will be occupied. HP recommends that you use the default value.
• MSTP Mode—Set whether the port migrates to the MSTP mode.
• Edged Port—BPDUs. You can set these ports as edge ports to achieve fast transition for these ports. HP recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.
Figure 165 The port summary tab
Table 59 Field description
• [FORWARDING]: The port is in forwarding state, so the port learns MAC addresses and forwards user traffic.
• [LEARNING]: The port is in learning state, so the port learns MAC addresses but does not forward user traffic.
• Port Edged: Indicates whether the port is an edge port. Config—Indicates the configured value. Active—Indicates the actual value.
• Point-to-point: Indicates whether the port is connected to a point-to-point link. Config—Indicates the configured value. Active—Indicates the actual value.
• Transmit Limit: Maximum number of packets sent within each Hello time.
MSTP configuration example
Network requirements
As shown in Figure 166, configure MSTP so that:
• All devices on the network are in the same MST region.
• Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively.
Select 3 in the Instance ID list. Set the VLAN ID to 10. Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-MSTI mapping entry to the VLAN-to-MSTI mapping list. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-MSTI mapping entries to the VLAN-to-MSTI mapping list.
Figure 169 Configuring MSTP globally (on Switch A)
Configuring Switch B
Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.)
Configure MSTP globally:
Select Network > MSTP from the navigation tree. Click the Global tab to enter the page for configuring MSTP globally.
Click Global to enter the page for configuring MSTP globally. Select Enable from the Enable STP Globally list. Select MSTP from the Mode list. Select the box to the left of Instance. Set the Instance ID field to 3. Set the Root Type field to Primary. Click Apply.
Configuring link aggregation and LACP
Overview
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group. It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation group. In addition, it provides reliable connectivity because these member ports can dynamically back up each other.
Operational key
When aggregating ports, link aggregation control automatically assigns each port an operational key based on port attributes, including the port rate, duplex mode, and link state configuration. In an aggregation group, all Selected ports are assigned the same operational key.
Class-two configurations
The contents of class-two configurations are listed in Table...
• Static aggregation limits the number of Selected ports in an aggregation group. When the number of candidate selected ports is under the limit, all the candidate selected ports become Selected ports. When the limit is exceeded, the candidate selected ports with smaller port numbers are placed in Selected state and those with greater port numbers in Unselected state.
• Changing a port attribute or class-two configuration setting of a port may cause the Selected state of the port and other member ports to change and affect services. HP recommends that you do that with caution.
Load sharing mode of an aggregation group
A link aggregation group operates in load sharing aggregation mode or non-load sharing mode.
• HP does not recommend that you add a mirroring reflector to an aggregation group. For more information about reflectors, see "Configuring port mirroring."
• Removing a Layer 2 aggregate interface also removes the corresponding aggregation group. Meanwhile, the member ports of the aggregation group, if any, leave the aggregation group.
• Displaying information about LACP-enabled ports: Optional. Perform the task to view detailed information of LACP-enabled ports and the corresponding remote (partner) ports.
Creating a link aggregation group
Select Network > Link Aggregation from the navigation tree. Click Create.
Figure 171 Creating a link aggregation group
Configure a link aggregation group as described in Table...
Table 61 Configuration items
• Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary area at the bottom of the page.
• Set the type of the link aggregation interface to be created: •...
Table 62 Field description
• Aggregation interface: Type and ID of the aggregate interface. Bridge-Aggregation indicates a Layer 2 aggregate interface.
• Link Type: Type of the aggregate interface, which can be static or dynamic.
• Partner ID: ID of the remote device, including its LACP priority and MAC address.
• Selected Ports: Number of Selected ports in each link aggregation group (only Selected ports can transmit and receive user data).
In the Set LACP enabled port(s) parameters area, set the port priority, and select the ports in the chassis front panel. Click Apply in the area.
Table 63 Configuration items
• Port Priority: Set a port LACP priority.
• Select port(s) to apply Port Priority: Select, on the chassis front panel, the ports to which the port LACP priority you set will apply. You can set LACP priority not only on LACP-enabled ports but also on LACP-disabled ports.
Figure 174 Displaying information about LACP-enabled ports
Table 64 Field description
• Port: Port where LACP is enabled.
• LACP State: State of LACP on the port.
• Port Priority: LACP priority of the port.
• State: Active state of the port. If a port is Selected, its state is active and the ID of the aggregation group it belongs to will be displayed.
• State information of the peer port:
• A—Indicates that LACP is enabled.
• B—Indicates that LACP short timeout has occurred. If B does not appear, it indicates that LACP long timeout has occurred.
• C—Indicates that the link is considered aggregatable by the sending system.
You can create a static or dynamic link aggregation group to achieve load balancing.
Approach 1: Create static link aggregation group 1
Select Network > Link Aggregation from the navigation tree. Click Create.
Configure static link aggregation group 1:
Enter link aggregation interface ID 1. Select the Static (LACP Disabled) option for the aggregate interface type.
Enter link aggregation interface ID 1. Select the Dynamic (LACP Enabled) option for the aggregate interface type. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel. Click Apply.
Figure 177 Creating dynamic link aggregation group 1...
Configuring LLDP
Overview
In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices from different vendors can discover one another, and exchange configuration for the sake of interoperability and management. The IETF drafted the Link Layer Discovery Protocol (LLDP) in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
• Data: LLDP data.
• Frame check sequence: A 32-bit CRC value used to determine the validity of the received Ethernet frame.
LLDPDUs encapsulated in SNAP
Figure 179 LLDPDU encapsulated in SNAP
Table 67 Description of the fields in a SNAP-encapsulated LLDPDU
• Destination MAC address: MAC address to which the LLDPDU is advertised.
LLDPDU TLVs fall into the following categories: basic management TLVs, organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs, and LLDP-MED (media endpoint discovery) TLVs. Basic management TLVs are essential to device management. Organizationally specific TLVs and LLDP-MED TLVs are used for improved device management.
Layer 3 Ethernet interfaces do not support IEEE 802.1 organizationally specific TLVs.
IEEE 802.3 organizationally specific TLVs
Table 70 IEEE 802.3 organizationally specific TLVs
• MAC/PHY Configuration/Status: Contains the rate and duplex capabilities of the sending port, support for auto negotiation, enabling status of auto negotiation, and the current rate and duplex mode.
For more information about LLDPDU TLVs, see the IEEE LLDP standard (802.1AB-2005) and the LLDP-MED standard (ANSI/TIA-1057).
Management address
The management address of a device is used by the network management system to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV.
cause a requesting Cisco IP phone to send voice traffic untagged to your device, leaving your device unable to differentiate voice traffic from other types of traffic. CDP compatibility enables LLDP on your device to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN configuration TLV, so that the IP phones configure the voice VLAN automatically.
• Configuring LLDP settings on ports: Optional. LLDP settings include LLDP operating mode, packet encapsulation, CDP compatibility, device information polling, trapping, and advertisable TLVs. By default:
• The LLDP operating mode is TxRx.
• The encapsulation format is Ethernet II.
•...
Figure 181 The port setup tab
Configuring LLDP settings on ports
The Web interface allows you to set LLDP parameters for a single port, and set LLDP parameters for multiple ports in batch.
Setting LLDP parameters for a single port
Select Network >...
Figure 182 Modifying LLDP settings on a port
Modify the LLDP parameters for the port as described in the following table. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
• Encapsulation Format: Set the encapsulation for LLDPDUs:
• ETHII—Encapsulates outgoing LLDPDUs in Ethernet II frames and processes an incoming LLDPDU only if its encapsulation is Ethernet II.
• SNAP—Encapsulates outgoing LLDPDUs in SNAP frames and processes an incoming LLDPDU only if its encapsulation is SNAP.
LLDP-CDP PDUs use only SNAP encapsulation.
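An added example (not code from this guide) that shows the Encapsulation Format rule in code: a small Python LLDP receiver that accepts an LLDPDU only when its encapsulation (Ethernet II or SNAP) matches the port setting, then walks the basic management TLVs into the fields the Neighbor Information tab shows. The frame builder, the Neighbor class and the sample MAC address are constructed for this example.

```python
import struct
from dataclasses import dataclass, field

LLDP_DST = bytes.fromhex("0180c200000e")      # nearest-bridge group address
LLDP_ETHERTYPE = 0x88CC
# LLC header (AA AA 03) + SNAP OUI 00-00-00 + protocol ID 88-CC
SNAP_HEADER = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", LLDP_ETHERTYPE)

# Subtype names as the neighbor information tables on this page list them.
CHASSIS_SUBTYPES = {1: "Chassis component", 2: "Interface alias", 3: "Port component",
                    4: "MAC address", 5: "Network address", 6: "Interface name",
                    7: "Locally assigned"}
PORT_SUBTYPES = {1: "Interface alias", 2: "Port component", 3: "MAC address",
                 4: "Network address", 5: "Interface name", 6: "Agent circuit ID",
                 7: "Locally assigned"}


@dataclass
class Neighbor:
    """What the Neighbor Information tab would show for one received LLDPDU."""
    encapsulation: str
    chassis_type: str = ""
    chassis_id: str = ""
    port_id_subtype: str = ""
    port_id: str = ""
    ttl: int = 0
    system_name: str = ""
    org_specific: list = field(default_factory=list)   # (OUI hex, subtype) pairs


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int, sysname: str) -> bytes:
    """Basic management TLVs only: the three mandatory ones, System Name, End."""
    return (tlv(1, b"\x04" + chassis_mac)           # Chassis ID, subtype 4 = MAC address
            + tlv(2, b"\x05" + port_name.encode())   # Port ID, subtype 5 = interface name
            + tlv(3, struct.pack("!H", ttl))         # Time To Live
            + tlv(5, sysname.encode())               # System Name
            + tlv(0, b""))                           # End of LLDPDU


def encapsulate(lldpdu: bytes, src_mac: bytes, fmt: str) -> bytes:
    """Wrap an LLDPDU in an Ethernet II frame or an 802.3 length/LLC/SNAP frame."""
    if fmt == "ETHII":
        return LLDP_DST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu
    payload = SNAP_HEADER + lldpdu
    return LLDP_DST + src_mac + struct.pack("!H", len(payload)) + payload


def hp_mac(raw: bytes) -> str:
    """Format a MAC address the way this guide writes it, e.g. 00e0-fc01-0000."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_frame(frame: bytes, configured: str):
    """Return a Neighbor, or None when the frame is not LLDP or its encapsulation
    does not match the port's Encapsulation Format setting (ETHII or SNAP)."""
    if len(frame) < 16:
        raise ValueError("frame too short for an Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == LLDP_ETHERTYPE:
        found, body = "ETHII", frame[14:]
    elif type_or_len <= 1500 and frame[14:22] == SNAP_HEADER:
        found, body = "SNAP", frame[22:14 + type_or_len]
    else:
        return None                      # not an LLDPDU at all
    if found != configured:
        return None                      # wrong encapsulation for this port: ignored
    nb = Neighbor(encapsulation=found)
    off = 0
    while True:
        if off + 2 > len(body):
            raise ValueError("LLDPDU ends without an End TLV")
        hdr = struct.unpack("!H", body[off:off + 2])[0]
        t, ln = hdr >> 9, hdr & 0x1FF
        val = body[off + 2:off + 2 + ln]
        if len(val) != ln:
            raise ValueError(f"TLV type {t} declares {ln} bytes but frame is truncated")
        off += 2 + ln
        if t == 0:
            break
        if t == 1 and ln >= 2:           # Chassis ID: subtype byte + identifier
            nb.chassis_type = CHASSIS_SUBTYPES.get(val[0], f"unknown({val[0]})")
            nb.chassis_id = hp_mac(val[1:]) if val[0] == 4 else val[1:].decode(errors="replace")
        elif t == 2 and ln >= 2:         # Port ID: subtype byte + identifier
            nb.port_id_subtype = PORT_SUBTYPES.get(val[0], f"unknown({val[0]})")
            nb.port_id = hp_mac(val[1:]) if val[0] == 3 else val[1:].decode(errors="replace")
        elif t == 3 and ln == 2:
            nb.ttl = struct.unpack("!H", val)[0]
        elif t == 5:
            nb.system_name = val.decode(errors="replace")
        elif t == 127 and ln >= 4:       # organizationally specific (802.1, 802.3, MED)
            nb.org_specific.append((val[:3].hex(), val[3]))
    return nb
```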
• MAC/PHY Configuration/Status: Select the box to include the MAC/PHY configuration/status TLV in transmitted LLDPDUs.
• Maximum Frame Size: Select the box to include the maximum frame size TLV in transmitted LLDPDUs.
• Power via MDI: Select the box to include the power via MDI TLV and power stateful control TLV in transmitted LLDPDUs.
Figure 183 Modifying LLDP settings on ports in batch
Set the LLDP settings for these ports as described in the following table. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 184 The global setup tab
Set the global LLDP setup as described in the following table. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Table 73 Configuration items
• LLDP Enable...
• Trap Interval: Set the minimum interval for sending traps. With the LLDP trapping function enabled on a port, traps are sent out of the port to advertise the topology changes detected over the trap interval to neighbors. By tuning this interval, you can prevent excessive traps from being sent when the topology is unstable.
Table 74 Field description
• Port ID subtype: Port ID type:
• Interface alias.
• Port component.
• MAC address.
• Network address.
• Interface name.
• Agent circuit ID.
• Locally assigned, or the local configuration.
• Power over Ethernet port class: •...
Figure 186 The Neighbor Information tab
Table 75 Field description
• Chassis type: Chassis ID type:
• Chassis component.
• Interface alias.
• Port component.
• MAC address.
• Network address.
• Interface name.
• Locally assigned, or the local configuration.
• Chassis ID: Chassis ID depending on the chassis type, which can be a MAC address of the device.
• Auto-negotiation supported: Support of the neighbor for auto negotiation.
• Auto-negotiation enabled: Enabling status of auto negotiation on the neighbor.
• OperMau: Current speed and duplex mode of the neighbor.
• Link aggregation supported: Support of the neighbor for link aggregation.
• Link aggregation enabled: Enabling status of link aggregation on the neighbor.
• Asset tracking identifier: Asset ID advertised by the neighbor. This ID is used for the purpose of inventory management and asset tracking.
• PoE PSE power source: Type of PSE power source advertised by the neighbor:
• Primary.
• Backup.
Table 76 describes the fields.
Figure 189 The global summary tab
Table 76 Field description
• Chassis ID: Local chassis ID depending on the chassis type defined.
• System capabilities supported: Primary network function advertised by the local device:
• Repeater.
•...
• Device class: Device class advertised by the local device:
• Connectivity device—An intermediate device that provides network connectivity.
• Class I—A generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category.
• Class II—A media endpoint device. The class II endpoint devices support the media stream capabilities and the capabilities of generic endpoint devices.
Figure 191 Network diagram (labels: Switch A, GE1/0/1, GE1/0/2; Switch B, GE1/0/1)
Configuring Switch A
(Optional.) Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. (By default, LLDP is enabled on Ethernet ports.)
Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2:
Select Network >...
Figure 192 The port setup tab
Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 193 Setting LLDP on multiple ports
Enable global LLDP:
Click the Global Setup tab, as shown in Figure 194. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 194 The global setup tab
Configuring Switch B
(Optional.) Enable LLDP on port GigabitEthernet 1/0/1. (By default, LLDP is enabled on Ethernet ports.)
Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1:
Select Network > LLDP from the navigation tree. By default, the Port Setup tab is displayed.
Figure 195 Setting the LLDP operating mode to Tx
Enable global LLDP:
Click the Global Setup tab. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 196 The status information tab (1)
Display the status information of port GigabitEthernet1/0/2 on Switch A:
Click the GigabitEthernet1/0/2 port name in the port list. Click the Status Information tab at the lower half of the page. The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device (Switch B), as shown in Figure 197.
Figure 198 The status information tab displaying the updated port status information
CDP-compatible LLDP configuration example
Network requirements
As shown in Figure 199, on Switch A, configure VLAN 2 as a voice VLAN and configure CDP-compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN, confining their voice traffic within the voice VLAN so that it is separate from other types of traffic.
Figure 200 Creating VLANs
Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports:
Select Device > Port Management from the navigation tree. Click the Setup tab to enter the page for configuring ports. Select Trunk from the Link Type list. Select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
Figure 201 Configuring ports
Configure the voice VLAN function on the two ports:
Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab to enter the page for configuring the voice VLAN function on ports. Select Auto from the Voice VLAN port mode list, select Enable from the Voice VLAN port state list, enter the voice VLAN ID 2, and select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
Figure 202 Configuring the voice VLAN function on ports
Enable LLDP on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Skip this step if LLDP is enabled (the default).
Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2:
Select Network >...
Figure 203 The port setup tab
Select TxRx from the LLDP Operating Mode list, and select TxRx from the CDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 204 Modifying LLDP settings on ports
Enable global LLDP and CDP compatibility of LLDP:
Click the Global Setup tab. Select Enable from the LLDP Enable list. Select Enable from the CDP Compatibility list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 205 The global setup tab
Verifying the configuration
Display information about LLDP neighbors on Switch A after completing the configuration. The output shows that Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and obtained their device information.
Configuring ARP
Overview
ARP resolves an IP address into a physical address, such as an Ethernet MAC address. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.
ARP message format
ARP uses two types of messages, ARP request and ARP reply.
If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information:
• Sender IP address and sender MAC address—Host A's IP address and MAC address.
• Target IP address—Host B's IP address.
• Target MAC address—An all-zero MAC address.
All hosts on this subnet can receive the broadcast request, but only the requested host (Host B)
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.
Static ARP entry
A static ARP entry is manually configured and maintained.
Creating a static ARP entry
Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 208. Click Add.
Figure 209 Adding a static ARP entry
Configure the static ARP entry as described in the following table. Click Apply.
Click the Gratuitous ARP tab.
Figure 210 Configuring gratuitous ARP page
Configure gratuitous ARP as described in the following table. Click Apply.
Table 78 Configuration items
• Disable gratuitous ARP packets learning function: Disable learning of ARP entries according to gratuitous ARP packets. Enabled by default.
Configuring Switch A
Create VLAN 100:
Select Network > VLAN from the navigation tree. Click the Add tab. Enter 100 for VLAN ID. Click Create.
Figure 212 Creating VLAN 100
Add GigabitEthernet 1/0/1 to VLAN 100:
Click the Modify Port tab. Select interface GigabitEthernet 1/0/1 in the Select Ports field.
Figure 213 Adding GigabitEthernet 1/0/1 to VLAN 100
Create VLAN-interface 100:
Select Network > VLAN Interface from the navigation tree. Click the Create tab. Enter 100 for VLAN ID. Select the Configure Primary IPv4 Address box. Select the Manual option. Enter 192.168.1.2 for IPv4 Address.
Figure 214 Creating VLAN-interface 100
Create a static ARP entry:
Select Network > ARP Management from the navigation tree to enter the default ARP Table page. Click Add. Perform the following operations, as shown in Figure 215. Enter 192.168.1.1 for IP Address. Enter 00e0-fc01-0000 for MAC Address.
Configuring ARP attack defense
Overview
ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the following functions: user validity check and ARP packet validity check.
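An added example (not the switch's implementation) tying the ARP request layout described in the ARP overview to the ARP packet validity check named here: it builds the request Host A would broadcast and runs consistency checks between the Ethernet header and the ARP payload, returning the reasons a frame would be dropped. The specific rules in check_arp_validity are this example's assumptions about what such a check compares; the page only names the check, and the MAC and IP addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP = 0x0806
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(opcode: int, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP message (hardware type Ethernet, protocol IPv4)."""
    dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    header = dst + sender_mac + struct.pack("!H", ETH_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + sender_mac + IPv4Address(sender_ip).packed
            + target_mac + IPv4Address(target_ip).packed)
    return header + body


def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """The request Host A broadcasts: target MAC all zeros, as the overview describes."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def check_arp_validity(frame: bytes) -> list:
    """Packet validity check. Returns the reasons for dropping; an empty list means pass.

    Assumed rules (this example's, not the guide's): addresses in the ARP payload
    must agree with the Ethernet header, and must not be zero, broadcast or
    multicast where a real station address is expected.
    """
    reasons = []
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return ["not an ARP frame"]
    eth_dst, eth_src = frame[0:6], frame[6:12]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unsupported hardware/protocol type"]
    s_mac, s_ip = frame[22:28], IPv4Address(frame[28:32])
    t_mac, t_ip = frame[32:38], IPv4Address(frame[38:42])
    if s_mac != eth_src:
        reasons.append("sender MAC differs from Ethernet source MAC")
    if s_mac in (ZERO_MAC, BROADCAST) or s_mac[0] & 1:
        reasons.append("sender MAC is zero, broadcast or multicast")
    for label, ip in (("sender", s_ip), ("target", t_ip)):
        if ip.is_multicast or ip == IPv4Address("255.255.255.255"):
            reasons.append(f"{label} IP is multicast or broadcast")
    if op == ARP_REPLY:
        # A reply is unicast to the requester: target MAC must be that station.
        if t_mac in (ZERO_MAC, BROADCAST) or t_mac != eth_dst:
            reasons.append("reply target MAC invalid or differs from Ethernet destination")
    elif op != ARP_REQUEST:
        reasons.append(f"unknown opcode {op}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: Host A (192.168.1.1) resolves Host B (192.168.1.2).
    host_a = bytes.fromhex("00e0fc000001")
    host_b = bytes.fromhex("00e0fc000002")
    request = arp_request(host_a, "192.168.1.1", "192.168.1.2")
    print("request:", check_arp_validity(request))                      # []
    # Same request with a different sender MAC in the payload than on the wire.
    spoofed = request[:22] + host_b + request[28:]
    print("spoofed:", check_arp_validity(spoofed))
```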
Figure 216 Configuring ARP detection
Configure ARP detection as described in the following table. Click Apply.
Table 79 Configuration items
• VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the <<...
Configuring IGMP snooping
Overview
Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. By analyzing received IGMP messages, a Layer 2 device running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
Figure 218 IGMP snooping related ports
As shown in Figure 218, IGMP snooping divides the ports on a Layer 2 switch into the following types:
• Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and IGMP queriers. In Figure 218, Ethernet 1/1 of Switch A and Ethernet 1/1 of Switch B are router ports.
NOTE:
In IGMP snooping, only dynamic ports age out.
How IGMP snooping works
An IGMP snooping-enabled switch performs different actions when it receives different IGMP messages. The ports in this section are dynamic ports.
When receiving a general query
The IGMP querier periodically sends IGMP general queries to all hosts and routers (224.0.0.1) on the local subnet to examine whether any active multicast group members exist on the subnet.
When the switch receives an IGMP leave message on a dynamic member port, the switch first examines whether a forwarding entry matches the group address in the message, and, if a match is found, whether the forwarding entry for the group contains the dynamic member port. •...
• Configuring IGMP snooping port functions: Optional. Configure the maximum number of multicast groups allowed and the fast-leave function for ports in the specified VLAN.
IMPORTANT:
• Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port.
•...
Figure 220 Configuring IGMP snooping in a VLAN
Configure the parameters as described in the following table. Click Apply.
Table 80 Configuration items
• VLAN ID: This field displays the ID of the VLAN to be configured.
• IGMP snooping: Enable or disable IGMP snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected here.
• Querier: Enable or disable the IGMP snooping querier function. On an IP multicast network that runs IGMP, a Layer 3 device acts as an IGMP querier to send IGMP queries and establish and maintain multicast forwarding entries for correct multicast traffic forwarding at the network layer. On a network without Layer 3 multicast devices, an IGMP querier cannot work because a Layer 2 device does not support IGMP.
Table 81 Configuration items
• Select the port on which advanced IGMP snooping features will be configured. The port can be an Ethernet port or a Layer 2 aggregate port. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.
Figure 222 Displaying entry information
To display detailed information of an entry, click the icon corresponding to the entry.
Figure 223 Information about an IGMP snooping multicast entry
Table 82 Field description
• VLAN ID: ID of the VLAN to which the entry belongs.
• Source Address: Multicast source address, where "0.0.0.0"...
Figure 224 Network diagram (labels: VLAN 100; Router A, Eth1/1, Eth1/2, IGMP querier; Switch A, GE1/0/1, GE1/0/2, GE1/0/3; Host A, Host B, Source, Receiver; 1.1.1.1/24, 1.1.1.2/24, 10.1.1.1/24)
Configuring Router A
Enable IP multicast routing globally, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: Click the Modify Port tab. Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field. Select the Untagged option for Select membership type. Enter 100 as the VLAN ID. Click Apply.
Figure 227 Enabling IGMP snooping globally
Enable IGMP snooping and the function of dropping unknown multicast data for VLAN 100:
Click the icon corresponding to VLAN 100. Select the Enable option for IGMP snooping. Select the 2 option for Version. Select the Enable option for Drop Unknown.
Figure 229 Enabling fast leave
Verifying the configuration
From the navigation tree, select Network > IGMP snooping. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast entries.
Figure 230 IGMP snooping multicast entry list
Click the icon corresponding to the multicast entry (0.0.0.0, 224.1.1.1) to display information about this entry.
Configuring IPv4 and IPv6 routing
Overview
A router selects an appropriate route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path is responsible for sending the packet to the destination host.
Default route
A default route is used to forward packets that match no entry in the routing table. Without a default route, a packet that does not match any routing entries is discarded and an Internet Control Message Protocol (ICMP) destination-unreachable packet is sent to the source. You can configure default routes in the Web interface in the following ways:
• Configure an IPv4 static default route and specify both its destination IP address and mask as...
Table 83 Field description
• Destination IP Address / Mask: Destination IP address and subnet mask of the IPv4 route.
• Protocol: Protocol that discovered the IPv4 route.
• Preference: Preference value for the IPv4 route. The smaller the number, the higher the preference.
• Next Hop: Next hop IP address of the IPv4 route.
• Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Click the Create tab. The page for configuring an IPv6 static route appears.
Figure 235 Creating an IPv6 static route
Create an IPv6 static route as described in the following table. Click Apply.
Table 86 Configuration items
• Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:).
Figure 236 Network diagram
Configuration considerations
On Switch A, configure a default route with Switch B as the next hop. On Switch B, configure one static route with Switch A as the next hop and the other with Switch C as the next hop.
Figure 237 Configuring a default route
Configure a static route to Switch A and Switch C on Switch B:
Select Network > IPv4 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.
Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. Click Apply.
Configure a default route to Switch B on Switch C:
Select Network > IPv4 Routing from the navigation tree of Switch C. Click the Create tab.
IPv6 static route configuration example
Network requirements
The IP addresses of devices are shown in Figure 240. IPv6 static routes need to be configured on Switch A, Switch B, and Switch C for any two hosts to communicate with each other.
Figure 240 Network diagram (labels: Host B 2::2/64...)
Figure 241 Configuring a default route
Configure a static route to Switch A and Switch C on Switch B:
Select Network > IPv6 Routing from the navigation tree of Switch B. Click the Create tab. The page for configuring a static route appears. Enter 1:: for Destination IP Address, select 64 from the Prefix Length list, and enter 4::1 for Next Hop.
Select Network > IPv6 Routing from the navigation tree of Switch C. Click the Create tab. Enter :: for Destination IP Address, select 0 from the Prefix Length list, and enter 5::2 for Next Hop. Click Apply.
Figure 243 Configuring a default route
Verifying the configuration
Display the routing table:
Enter the IPv6 route page of Switch A, Switch B, and Switch C to verify that the newly configured...
Configuring IPv6 services
Before performing IPv6 configurations, enable IPv6 packet forwarding. Otherwise, IPv6 packets cannot be forwarded even if you configure an IPv6 address on an interface.
To configure IPv6 services:
Select Network > IPv6 Service from the navigation tree, and you are placed in the IPv6 Service tab.
DHCP overview
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Configuring VLAN interfaces"...
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters, and cannot communicate normally with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IP addresses from authorized DHCP servers.
Figure 246 DHCP configuration page
Creating a static address pool for the DHCP server
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 246. Select the Static option in the Address Pool field to view all static address pools. Click Add to enter the static address pool configuration page.
Table 87 Configuration items
• IP Pool Name: Enter the name of a static address pool.
• IP Address / Mask: Enter an IP address and select a subnet mask for the static address pool. The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.
Figure 248 Creating a dynamic address pool
Configure the dynamic address pool as described in Table 88. Click Apply.
Table 88 Configuration items
IP Pool Name: Enter the name of a dynamic address pool.
IP Address: Enter an IP address segment for dynamic allocation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic...
DNS Server Address: Enter the DNS server addresses for the client. To allow the client to access a host on the Internet via the host name, you need to specify DNS server addresses. Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
Configuring the DHCP relay agent
Recommended configuration procedure
Task: Enabling DHCP and configuring advanced parameters for the DHCP relay agent. Remarks: Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled.
Task: Creating a DHCP server group. Remarks: Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration field, as shown in Figure 250.
Figure 250 DHCP relay agent configuration page
Enable the DHCP service and configure advanced parameters for the DHCP relay agent as described in Table 90. Click Apply.
Table 90 Configuration items
Item Description...
Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. Unauthorized DHCP servers may exist on a network and reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of any DHCP server that assigned an IP address to the DHCP client, together with the receiving interface.
Table 91 Configuration items
Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
IP Address: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent.
Configuring and displaying clients' IP-to-MAC bindings
Select Network > DHCP from the navigation tree and click DHCP Relay. In the User Information field, click User Information to view static and dynamic bindings, as shown in Figure 253.
Figure 253 Displaying clients' IP-to-MAC bindings
Click Add to enter the page as shown in Figure 254.
Configuring DHCP snooping
A DHCP snooping-enabled device does not work if it is located between the DHCP relay agent and the DHCP server. It works when it is located between the DHCP client and the relay agent, or between the DHCP client and the DHCP server.
Figure 255 DHCP snooping configuration page
Configuring DHCP snooping functions on an interface
Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab to enter the page shown in Figure 255. Click the icon of a specific interface in the Interface Config field to enter the page shown in Figure 256.
Figure 256 DHCP snooping interface configuration page
Configure DHCP snooping on the interface as described in Table 94. Click Apply.
Table 94 Configuration items
Interface Name: This field displays the name of the specific interface.
Interface State: Configure the interface as trusted or untrusted.
Option 82 Support: Configure whether DHCP snooping supports Option 82.
Table 95 Field description
IP Address: Displays the IP address assigned by the DHCP server to the client.
MAC Address: Displays the MAC address of the client.
Type: Displays the client type:
• Dynamic—The IP-to-MAC binding is generated dynamically.
•...
Figure 259 Enabling DHCP
Configure a static address pool: Click Add to enter the page shown in Figure 260 (the Static option is selected by default). Enter static-pool for IP Pool Name. Enter 10.1.1.5 for IP Address. Enter 255.255.255.128 for Mask. Enter 000f-e200-0002 for Client MAC Address.
Figure 260 Configuring a static address pool
Enable the DHCP server on VLAN-interface 9 (you can skip this step because the DHCP server is enabled on the interface by default): Click the icon of VLAN-interface 9 in the Interface Configuration field to enter the page as shown in Figure 261.
10.1.1.0/24. Subnets 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of subnet 10.1.1.0/24. HP recommends that you configure up to 122 clients to obtain IP addresses from VLAN-interface 1 and up to 124 clients to obtain IP addresses from VLAN-interface 9.
Select the Dynamic option in the Address Pool field. Click Add to enter the page as shown in Figure 264. Enter pool0 for IP Pool Name. Enter 10.1.1.0 for IP Address. Enter 255.255.255.0 for Mask. Enter aabbcc.com for Client Domain Name. Enter 10.1.1.2 for DNS Server Address.
Figure 265 Configuring attributes for pool1
Configure the dynamic DHCP address pool named pool2: Click Add to perform the following configurations, as shown in Figure 266. Enter pool2 for IP Pool Name. Enter 10.1.1.128 for IP Address. Enter 255.255.255.128 for Mask. Enter 5 days 0 hours 0 minutes 0 seconds for Lease Duration.
Figure 266 Configuring attributes for pool2
DHCP relay agent configuration example
Network requirements
As shown in Figure 267, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.1/24.
Select Network > DHCP from the navigation tree to enter the default DHCP Relay page. Select Enable for DHCP Service, as shown in Figure 268. Click Apply.
Figure 268 Enabling DHCP
Configure a DHCP server group: In the Server Group field, click Add. Enter 1 for Server Group ID, and enter 10.1.1.1 for IP Address, as shown in Figure 269.
Enable the DHCP relay agent on VLAN-interface 1: In the Interface Config field, click the icon of VLAN-interface 1. Select the Enable option for DHCP Relay, and select 1 for Server Group ID, as shown in Figure 270. Click Apply.
Figure 270 Enabling the DHCP relay agent on an interface and correlating it with a server group
NOTE: Because the DHCP relay agent and server are on different subnets, you need to configure a static route or...
Configuring Switch B
Enable DHCP snooping: Select Network > DHCP from the navigation tree. Click the DHCP Snooping tab. Select the Enable option next to DHCP Snooping to enable DHCP snooping.
Figure 272 Enabling DHCP snooping
Configure DHCP snooping functions on GigabitEthernet 1/0/1: Click the icon of GigabitEthernet 1/0/1 on the interface list.
Figure 273 Configuring DHCP snooping functions on GigabitEthernet 1/0/1
Configure DHCP snooping functions on GigabitEthernet 1/0/2: Click the icon of GigabitEthernet 1/0/2 on the interface list. Select the Untrust option for Interface State, as shown in Figure 274. Select the Enable option next to Option 82 Support. Select Replace for Option 82 Strategy.
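A model of the DHCP snooping behaviour configured on Switch B above, added here as an example and not part of the guide or of the switch software: server replies arriving on an untrusted port are dropped, Option 82 on client messages from untrusted ports is handled according to the selected strategy, and an ACK entering through a trusted port creates a Dynamic IP-to-MAC binding of the kind listed in Table 95. The message records, the circuit-id value, the extra port GigabitEthernet1/0/3, and the Keep and Drop strategy names beside Replace are assumptions.

```python
"""Model of DHCP snooping port roles, Option 82 handling and the binding table.

Added example, not the guide's or the switch's own code. Trusted ports are the
ones facing the authorized DHCP server; every other port is untrusted.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass
class DhcpMsg:
    port: str           # ingress interface
    kind: str           # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE
    client_mac: str     # chaddr of the client the message concerns
    yiaddr: str = ""    # address offered/assigned (server messages only)
    option82: str = ""  # relay agent information option, "" when absent


@dataclass
class DhcpSnooping:
    trusted: set                    # interfaces in the Trust state
    option82: bool = False          # Option 82 Support
    strategy: str = "Replace"       # Option 82 Strategy; "Keep"/"Drop" are assumed names
    own_option82: str = "circuit-id:switch-b"     # constructed value the device inserts
    bindings: dict = field(default_factory=dict)  # client MAC -> Table 95 style entry
    pending: dict = field(default_factory=dict)   # client MAC -> port its request came in on
    dropped: list = field(default_factory=list)   # (kind, port) of discarded messages

    def process(self, msg):
        """Return the message to forward, or None when DHCP snooping drops it."""
        if msg.kind in SERVER_MSGS and msg.port not in self.trusted:
            # Server replies may only enter through a trusted port; anything
            # else comes from an unauthorized server and never reaches clients.
            self.dropped.append((msg.kind, msg.port))
            return None
        if msg.kind in CLIENT_MSGS and msg.port not in self.trusted:
            if msg.kind != "RELEASE":
                self.pending[msg.client_mac] = msg.port
            if self.option82:
                msg = self._handle_option82(msg)
                if msg is None:
                    return None
        if msg.kind == "ACK" and msg.client_mac in self.pending:
            # The server confirmed the lease: record the Dynamic binding.
            self.bindings[msg.client_mac] = {
                "IP Address": msg.yiaddr,
                "MAC Address": msg.client_mac,
                "Type": "Dynamic",
                "Interface": self.pending.pop(msg.client_mac),
            }
        elif msg.kind == "NAK":
            self.pending.pop(msg.client_mac, None)
        elif msg.kind == "RELEASE":
            self.bindings.pop(msg.client_mac, None)
        return msg

    def _handle_option82(self, msg):
        """Apply the Option 82 strategy to a client message from an untrusted port."""
        if not msg.option82:
            msg.option82 = self.own_option82       # absent: insert the device's own
        elif self.strategy == "Replace":
            msg.option82 = self.own_option82       # present: overwrite it
        elif self.strategy == "Drop":
            self.dropped.append((msg.kind, msg.port))
            return None
        return msg                                 # "Keep": forward unchanged


def run_demo():
    """Replay the Switch B example: GE1/0/1 trusted (towards the DHCP server),
    GE1/0/2 untrusted (client) with Option 82 Replace; GE1/0/3 is an assumed
    extra untrusted port on which a second, unauthorized server answers."""
    snoop = DhcpSnooping(trusted={"GigabitEthernet1/0/1"}, option82=True)
    mac = "000f-e200-0002"   # client MAC taken from the static pool example
    flow = [   # constructed exchange
        DhcpMsg("GigabitEthernet1/0/2", "DISCOVER", mac),
        DhcpMsg("GigabitEthernet1/0/3", "OFFER", mac, yiaddr="192.0.2.99"),
        DhcpMsg("GigabitEthernet1/0/1", "OFFER", mac, yiaddr="10.1.1.5"),
        DhcpMsg("GigabitEthernet1/0/2", "REQUEST", mac, option82="circuit-id:client-supplied"),
        DhcpMsg("GigabitEthernet1/0/1", "ACK", mac, yiaddr="10.1.1.5"),
    ]
    forwarded = [out for out in (snoop.process(m) for m in flow) if out is not None]
    return snoop, forwarded


if __name__ == "__main__":
    snoop, forwarded = run_demo()
    for entry in snoop.bindings.values():
        print(entry)
    print("dropped:", snoop.dropped)
```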
Managing services
Overview
Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP, and HTTPS. You can enable or disable the services, modify HTTP and HTTPS port numbers, and associate the FTP, HTTP, or HTTPS service with an ACL to block illegal users.
FTP service
FTP is an application layer protocol for sharing files between server and client over a TCP/IP network.
Configuring service management
Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 276.
Figure 276 Service management
Enable or disable various services on the page. Table 96 describes the detailed configuration items.
Port Number: Set the port number for the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: When you modify a port, make sure the port is not used by any other service.
Associate the HTTP service with an ACL.
Using diagnostic tools
This chapter describes how to use the ping and traceroute facilities.
Ping
You can ping the IP address or the host name of a device. If the host name cannot be resolved, a prompt appears. If the source device does not receive an ICMP echo reply within the timeout time, it displays a prompt and ping statistics.
Select Network > Diagnostic Tools from the navigation tree. The IPv4 Ping tab appears.
Figure 277 Ping configuration page
Type the IP address or the host name of the destination device in the Destination IP address or host name field. Click Start.
Traceroute operation
This section uses the IPv4 traceroute operation as an example. The IPv6 traceroute operation is the same as the IPv4 traceroute operation. Before performing a traceroute operation, execute the ip ttl-expires enable command on intermediate devices to enable the sending of ICMP timeout packets, and execute the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets.
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user is not required to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval for the device to wait for traffic from a user before it considers the user as idle. If a user connection has been idle for two consecutive intervals, the device logs out the user and stops accounting for the user.
A hybrid port is always assigned to an Auth-Fail VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
Configuration prerequisites
Before you configure MAC authentication, complete the following tasks: Disable port security globally.
Figure 281 MAC authentication configuration page
Configure MAC authentication global settings as described in Table 97. Click Apply.
Table 97 Configuration items
Enable MAC Authentication: Select the box to enable MAC authentication globally.
Offline Detection Period: Set the period for the device to wait for traffic from a user before it regards the user as idle.
Authentication Information Format: Configure the properties of MAC authentication user accounts.
• MAC without hyphen—Uses MAC-based accounts, and excludes hyphens from the MAC address, for example, XXXXXXXXXXXX.
• MAC with hyphen—Uses MAC-based accounts, and hyphenates the MAC address, for example, XX-XX-XX-XX-XX-XX.
•...
MAC authentication configuration examples
Local MAC authentication configuration example
Network requirements
As shown in Figure 283, perform local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access.
• All users belong to the domain aabbcc.net.
• Local users use their MAC addresses as the username and password for MAC authentication. The MAC addresses are hyphenated and in lower case.
Figure 284 Creating an ISP domain
Click the Authentication tab. Select the ISP domain aabbcc.net, the LAN-access AuthN box, and Local from the list.
Figure 285 Configuring the authentication method for the ISP domain
Click Apply. A configuration progress dialog box appears, as shown in Figure 286.
Figure 286 Configuration progress dialog box
Configuring MAC authentication
From the navigation tree, select Authentication > MAC Authentication. The MAC Authentication page appears. Select the Enable MAC Authentication box. Click Advanced to configure advanced MAC authentication settings. Set the offline detection period to 180 seconds, set the quiet timer to 180 seconds, and select aabbcc.net from the Authentication ISP Domain list.
In the Ports With MAC Authentication Enabled area, click Add. The MAC Authentication page appears. Select GigabitEthernet1/0/1 from the Port list, and click Apply.
Figure 288 Enabling MAC authentication for port GigabitEthernet 1/0/1
ACL assignment configuration example
Network requirements
As shown in Figure 289, a host connects to port GigabitEthernet 1/0/1 on the switch and the switch uses RADIUS servers to perform authentication, authorization, and accounting.
Select Authentication Server from the Server Type list, enter 10.1.1.1 in the Primary Server IP box and 1812 in the Primary Server UDP Port box, and select active from the Primary Server Status list. Click Apply.
Figure 290 Configuring a RADIUS authentication server
On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 10.1.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, and select active from the Primary Server Status list.
Figure 292 Configuring RADIUS parameters
Configuring AAA
From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field. Click Apply.
Figure 293 Creating an ISP domain
Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list.
Figure 294 Configuring the authentication method for the ISP domain
Click Apply.
Figure 295 Configuration progress dialog box
After the configuration process is complete, click Close. Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization mode RADIUS, and authorization scheme system from the Name list.
Figure 296 Configuring the authorization method for the ISP domain
Click Apply.
Figure 297 Configuring the accounting method for the ISP domain
Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Configuring an ACL
From the navigation tree, select QoS > ACL IPv4. The Create tab appears. Enter the ACL number 3000.
Select the Destination IP Address box, enter the destination IP address 10.0.0.1, and enter the destination address wildcard 0.0.0.0. Click Add.
Figure 299 Configuring an ACL rule
Configuring MAC authentication
From the navigation tree, select Authentication > MAC Authentication. Select the Enable MAC Authentication box. Click Advanced.
Figure 300 Configuring global MAC authentication settings
In the Ports With MAC Authentication Enabled area, click Add. Select the port GigabitEthernet1/0/1 and click Apply.
Figure 301 Enabling MAC authentication for port GigabitEthernet 1/0/1
Verifying the configuration
# After the host passes the authentication, ping the FTP server from the host to see whether ACL 3000 assigned by the authentication server takes effect.
Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),...
802.1X controls network access by authenticating devices connected to the 802.1X-enabled LAN ports. This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port, such as a WLAN.
• MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected.
802.1X timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other correctly.
Configuration procedure
Step: Configuring 802.1X globally. Description: Required. Enable 802.1X authentication globally and configure the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally.
Step: Configuring 802.1X on a port. Description: Required. Enable 802.1X authentication on the specified port and configure 802.1X parameters for the port.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.
Figure 305 802.1X configuration on a port
Configure 802.1X features on a port as described in Table 100. Click Apply.
Table 100 Configuration items
Select a port where you want to enable 802.1X. Only ports not enabled with 802.1X authentication are available.
Enable Handshake: Select the box to enable the online user handshake function. This function enables the network access device to send handshake messages to online users at the interval set by the Handshake Period setting. If the device does not receive a response from an online user after the maximum number of handshake attempts (set by the Retry Times setting), the network access device sets the user in the...
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member.
Configuration guidelines
• The 802.1X guest VLANs on different ports can be different.
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so...
Feature: Port intrusion protection on a port that performs MAC-based access control. Relationship description: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
802.1X configuration example
Network requirements
As shown in...
Figure 307 Configuring global 802.1X
In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Select the Enable Re-Authentication box, and click Apply.
Figure 308 802.1X configuration of GigabitEthernet 1/0/1
Configuring a RADIUS scheme
From the navigation tree, select Authentication > RADIUS. The RADIUS Server tab appears.
Click Apply.
Figure 309 Configuring RADIUS authentication servers
On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 10.1.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, select active from the Primary Server Status list, enter 10.1.1.1 in the Secondary Server IP box and 1813 in the Secondary Server UDP Port box, and select active from the Secondary Server Status list.
Figure 311 Configuring RADIUS parameters
Configuring AAA
From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field and select Enable from the Default Domain list. Click Apply.
Figure 312 Creating an ISP domain
Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list.
Figure 313 Configuring the authentication method for the ISP domain
Click Apply.
Figure 314 Configuration progress dialog box
After the configuration process is complete, click Close. Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization method RADIUS, and authorization scheme system from the Name list.
Figure 315 Configuring the authorization method for the ISP domain
Click Apply.
Figure 316 Configuring the accounting method for the ISP domain
Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
ACL assignment configuration example
Network requirements
As shown in Figure 317, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device.
The RADIUS Server tab appears. Select Authentication Server from the Server Type list, enter 10.1.1.1 in the Primary Server IP box and 1812 in the Primary Server UDP Port box, and select active from the Primary Server Status list. Click Apply.
Figure 318 Configuring the RADIUS authentication server
On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 10.1.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, and select active from the...
Figure 320 Configuring RADIUS parameters
Configuring AAA
From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field and select Enable from the Default Domain list. Click Apply.
Figure 321 Creating an ISP domain
Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list.
Figure 322 Configuring the authentication method for the ISP domain
After the configuration process is complete, click Close.
Figure 323 Configuration progress dialog box
Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization method RADIUS, and authorization scheme system from the Name list.
Figure 324 Configuring the AAA authorization method for the ISP domain
Click Apply.
Figure 325 Configuring the AAA accounting method for the ISP domain
Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Configuring an ACL
From the navigation tree, select QoS > ACL IPv4. Click the Create tab, enter the ACL number 3000, and click Apply.
Figure 326 Creating ACL 3000
Click the Advanced Setup tab to configure an ACL rule: Select 3000 from the ACL list.
Figure 327 ACL rule configuration
Configuring 802.1X
From the navigation tree, select Authentication > 802.1X. Select the Enable 802.1X box. Select the authentication method CHAP. Click Apply.
Figure 328 Configuring 802.1X globally
In the Ports With 802.1X Enabled area, click Add. Select GigabitEthernet1/0/1 from the Port list. Click Apply.
Figure 329 802.1X configuration of GigabitEthernet 1/0/1
Verifying the configuration
After the user passes authentication and is online, use the ping command to test whether ACL 3000 takes effect.
This automatic mechanism enhances network security and reduces the need for human intervention. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security.
addresses or configured static MAC addresses. When the number of secure MAC addresses reaches the upper limit, no more secure MAC addresses can be added.
• Advanced mode—Port security supports 802.1X and MAC authentication. Different port security modes represent different combinations of the two methods. Table 103 describes the advanced security modes.
An OUI, as defined by the IEEE, is the first 24 bits of a MAC address. An OUI uniquely identifies a device vendor.
Configuration guidelines
• Before you enable port security, disable 802.1X and MAC authentication globally.
• Only one port security mode can be configured on a port.
•...
Step: Configuring permitted OUIs. Remarks: Optional. This setting is available only with the 802.1X MAC Based Or OUI mode. You can configure a maximum of 16 permitted OUI values. However, a port in 802.1X MAC Based Or OUI mode allows only one 802.1X user and one user whose MAC address contains a specified OUI to pass authentication at the same time.
Table 104 Configuration items
Enable Port Security: Select the box to enable the port security feature globally. Disabled by default.
Advanced: Configure the following advanced port security settings:
• Temporarily Disabling Port Time—Set the time length for the port to be disabled upon receiving illegal frames.
Max Number of MAC: Set the maximum number of secure MAC addresses on the port. The number of authenticated users on the port cannot exceed the specified upper limit. You can set the maximum number of MAC addresses that port security allows on a port for the following purposes:
•...
Figure 335 Secure MAC address list
Click Add.
Figure 336 Secure MAC address configuration page
Configure a secure MAC address as described in Table 104. Click Apply.
Table 106 Configuration items
Port: Select a port where the secure MAC address is configured.
Secure MAC Address: Enter the MAC address that you want to configure as a secure MAC address.
Figure 337 Ports Enabled With Advanced Features area
Click Add.
Figure 338 Configuring advanced port security control
Configure advanced port security control as described in Table 107. Click Apply.
Table 107 Configuration items
Port: Select a port where you want to configure port security. By default, port security is disabled on all ports and access to the ports is not restricted.
Enable Outbound Restriction: Select the box to enable outbound traffic control, and select a control method. Available control methods include:
• Only MAC-Known Unicasts—Allows only unicast frames whose destination MAC addresses have been authenticated to pass through.
• Only Broadcasts and MAC-Known Unicasts—Allows only broadcast packets and unicast packets whose destination MAC addresses have been authenticated to pass through.
Figure 340 Network diagram
Configuring global port security settings
From the navigation tree, select Authentication > Port Security. In the Port Security Configuration area, configure global port security settings: Select the Enable Port Security box. Click Advanced. Specify the system to disable the port temporarily for 30 seconds. Select the Intrusion box.
Figure 342 Applying the port security feature
Verifying the configuration
After the configuration is completed, display the secure MAC address entries learned and manually configured on port GigabitEthernet 1/0/1. The Security MAC Address List area displays the learned secure MAC addresses, as shown in Figure 343.
Figure 344 Port management – port inactive
Wait approximately 30 seconds, and reselect GigabitEthernet 1/0/1 to view its latest data. Figure 345 shows that the port state is active.
Figure 345 Port management – port active
If you remove MAC addresses from the secure MAC address list, the port will still continue to learn new MAC addresses.
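A model of the secure-MAC learning, Max Number of MAC limit and Intrusion action exercised by this example, added here as an example and not part of the guide or of the switch software: the port learns source MACs until the limit is reached, a frame from any further MAC is an illegal frame that disables the port for the Temporarily Disabling Port Time (30 seconds, as configured above), and removing an entry frees a slot so learning continues. The MAC limit of 3, the MAC addresses, and the simulated clock are constructed values.

```python
"""Model of port security secure-MAC learning and intrusion protection.

Added example, not the guide's or the switch's own code. Timer semantics follow
the example above; the frame sequence and limit are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_mac: int                    # Max Number of MAC
    disable_time: float = 30.0      # Temporarily Disabling Port Time, in seconds
    secure_macs: dict = field(default_factory=dict)   # mac -> "Learned" or "Static"
    disabled_until: float = -1.0    # simulated time at which the port is active again
    log: list = field(default_factory=list)

    def add_static(self, mac):
        """A manually configured secure MAC address; it counts towards the limit."""
        self.secure_macs[mac] = "Static"

    def state(self, now):
        """Port state as shown on the port management page."""
        return "Inactive" if now < self.disabled_until else "Active"

    def receive(self, mac, now):
        """Process a frame with source MAC `mac` at simulated time `now`."""
        if self.state(now) == "Inactive":
            self.log.append((now, mac, "dropped, port temporarily disabled"))
            return "dropped"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.max_mac:
            self.secure_macs[mac] = "Learned"
            self.log.append((now, mac, "learned as secure MAC"))
            return "learned"
        # Upper limit reached: an unknown source MAC is an illegal frame, so
        # the Intrusion action disables the port for disable_time seconds.
        self.disabled_until = now + self.disable_time
        self.log.append((now, mac, "intrusion, port disabled for %g s" % self.disable_time))
        return "intrusion"

    def remove_secure(self, mac):
        """Removing an entry frees a slot, so the port keeps learning new MACs."""
        self.secure_macs.pop(mac, None)


def run_demo():
    """Walk a constructed frame sequence through GigabitEthernet 1/0/1."""
    port = SecurePort("GigabitEthernet1/0/1", max_mac=3)   # limit is a constructed value
    port.add_static("0001-0001-0001")                      # one manually configured entry
    frames = [
        (0.0, "0002-0002-0002"),   # learned (2 of 3)
        (1.0, "0003-0003-0003"),   # learned (3 of 3)
        (2.0, "0002-0002-0002"),   # already secure: forwarded
        (3.0, "0004-0004-0004"),   # fourth MAC: intrusion, port inactive until t=33
        (10.0, "0002-0002-0002"),  # even a secure MAC is dropped while inactive
        (35.0, "0002-0002-0002"),  # about 30 s later the port is active again
    ]
    results = [port.receive(mac, t) for t, mac in frames]
    port.remove_secure("0003-0003-0003")
    results.append(port.receive("0005-0005-0005", 36.0))   # freed slot: learned again
    return port, results


if __name__ == "__main__":
    port, results = run_demo()
    for entry in port.log:
        print(entry)
    print(results)
```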
Advanced port security mode configuration example
Network requirements
As shown in Figure 346, a client is connected to the switch through port GigabitEthernet 1/0/1. The switch authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Figure 347 Configuring a RADIUS authentication server
On the RADIUS Server tab, select Accounting Server from the Server Type list, enter 192.168.1.2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box, and select active from the Primary Server Status list.
Figure 349 Configuring RADIUS parameters
Configuring AAA
From the navigation tree, select Authentication > AAA. Click the Authentication tab. Select the ISP domain system, the Default AuthN box, authentication method RADIUS from the list, and authentication scheme system from the Name list.
Figure 350 Configuring AAA authentication
Click Apply.
A configuration progress dialog box appears. When the configuration process is complete, click Close.
Figure 351 Configuration progress dialog box
Click the Authorization tab. Select the ISP domain system, the Default AuthZ box, authorization method RADIUS from the list, and authorization scheme system from the Name list.
Figure 352 Configuring AAA authorization
Click Apply.
Figure 353 Configuring AAA accounting
Click Apply. A configuration progress dialog box appears. When the configuration process is complete, click Close.
Configuring port security
From the navigation tree, select Authentication > Port Security. Select the Enable Port Security box, and click Apply.
Figure 354 Configuring global port security settings
In the Advanced Port Security Configuration area, click Ports Enabled With Advanced Features, and then click Add.
Figure 355 Configuring advanced port security control settings on GigabitEthernet 1/0/1
In the Advanced Port Security Configuration area, click Permitted OUIs. Enter 1234-0100-0000 in the OUI Value field and click Add.
Figure 356 Configuring permitted OUI values
Repeat the previous two steps to add OUI values of the MAC addresses 1234-0200-0000 and 1234-0300-0000 to the permitted OUI list.
Configuring portal authentication
Overview
Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a "portal website." With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.
Figure 357 Portal system components (components shown: authentication clients, access device, portal server, authentication/accounting server, security policy server)
Authentication client
An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
To implement security check, the client must be the HP iNode client. Portal authentication supports NAT traversal whether it is initiated by a web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
Protocols used for interaction between the client and local portal server
HTTP and HTTPS can be used for communication between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text.
Therefore, no additional configuration is needed on the access device.
NOTE:
• This function requires the cooperation of the HP IMC portal server and HP iNode portal client.
• Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication.
•...
the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, you can specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device.
Based on the security check result, the security policy server authorizes the user to access certain resources, and sends the authorization information to the access device. The access device then controls access of the user based on the authorization information.
Authentication process with the local portal server
Figure 362 Authentication process with local portal server
With the local portal server, the direct/cross-subnet authentication process is as follows:...
The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process. The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client.
• To implement extended portal functions, install and configure IMC EAD, and make sure the ACLs configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server. On the access device, the security policy server address is the same as the authentication server address.
Step: Configuring a portal-free rule
Remarks: Optional. Configure a portal-free rule, specifying the source and destination information for packet filtering. A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites.
TIP:
The portal service applied on an interface may be in the following states:
• Running—Indicates that portal authentication has taken effect on the interface.
• Enabled—Indicates that portal authentication has been enabled on the interface but has not taken effect.
Online Detection Interval: Set the Layer 2 portal user detection interval. After a Layer 2 portal user gets online, the device starts a detection timer for the user, and checks whether the user's MAC address entry has been aged out or the user's MAC address entry has been matched (a match means a packet has been received from the...
Figure 366 Applying a portal server to a Layer 3 interface
Configure Layer 3 portal authentication as described in Table 109. Click Apply.
Table 109 Configuration items
Interface: Select the Layer 3 interface to be enabled with portal authentication.
Select the portal server to be applied on the selected interface.
Authentication Domain: Specify an authentication domain for Layer 3 portal users. After you specify an authentication domain on a Layer 3 interface, the device uses the authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. You can specify different authentication domains for different interfaces as needed.
Table 111 Configuration items
Server Name: Type a name for the local portal server.
Type the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.
Specify the protocol to be used for authentication information exchange between the local portal server and the client.
Table 112 Configuration items
Configure the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication. To make sure that a user using a web proxy server can trigger portal authentication, you need to add the port number of the proxy server on the device and the user needs to specify the listening IP address of the local portal server as a proxy exception in the browser.
Click the Free Rule tab to enter the portal-free rule list page.
Figure 370 Portal-free rule list
Click Add. The page for adding a new portal-free rule appears.
Figure 371 Adding a portal-free rule
Configure a portal-free rule as described in Table 113.
Source-VLAN: Specify a source VLAN for the portal-free rule.
IMPORTANT: If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule will not take effect.
Configuration procedure
Add Ethernet ports to related VLANs and assign IP addresses to the VLAN interfaces. (Details not shown.)
Configure the RADIUS authentication server: Select Authentication > RADIUS from the navigation tree. The RADIUS server configuration page appears, as shown in Figure 373.
Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field. Select the Accounting Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Accounting Shared Key field.
Figure 376 Creating an ISP domain
On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
Figure 377 Configuring the authentication method for the ISP domain
On the Authorization tab, select the ISP domain test, select the Default AuthZ box, select RADIUS from the Default AuthZ list, select system from the Name list to use it as the authorization scheme, and click Apply.
Figure 379 Configuring the accounting method for the ISP domain
Configure DHCP relay: Select Network > DHCP from the navigation tree. Click the DHCP Relay tab. Select Enable for the DHCP Service field. Click Apply.
Figure 380 Enabling the DHCP service
In the Server Group area, click Add. On the page that appears, enter the server group ID 1 and the IP address 1.1.1.3, and click Apply.
Figure 381 Configuring a DHCP server group
In the Interface Config area, click the icon of interface VLAN-interface 8.
Figure 382 Configuring VLAN-interface 8 to work in the DHCP relay mode
Configure Layer 2 portal authentication: Select Authentication > Portal from the navigation tree. The Portal Server tab appears. In the Portal Application: Layer 2 Interfaces area, click Add. On the page that appears, select interface GigabitEthernet1/0/1, enter the server IP address 4.4.4.4, select protocol HTTP, and click Apply.
When the user tries to access a web page on the external network, the web request is redirected to authentication page http://4.4.4.4/portal/logon.htm. After the user enters the correct username and password, the user passes portal authentication. Then, the user can access external network resources.
Configuring direct portal authentication
Network requirements
As shown in...
Figure 385 Configuring the RADIUS authentication server
Configure a RADIUS accounting server: On the RADIUS server configuration page, select Accounting Server as the server type, enter the IP address 192.168.0.112 and port number 1813, select active from the Primary Server Status list, and click Apply.
Figure 387 Configuring the RADIUS scheme
Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.
Figure 388 Creating an ISP domain
On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
Figure 390 Configuration progress dialog box
After the configuration process is complete, click Close.
Figure 391 Configuring the authorization method for the ISP domain
On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.
Figure 392 Configuring the accounting method for the ISP domain
Configure Layer 3 portal authentication: From the navigation tree select Authentication > Portal. The portal server configuration page appears. In the Portal Application: Layer 3 Interfaces area, click Add. On the page that appears, select the interface Vlan-interface100, select Add for Portal Server to add a portal server, select the Direct portal authentication mode, enter the portal server name newpt, the portal server IP address 192.168.0.111, the shared key portal, the port number 50100, and the redirection URL http://192.168.0.111:8080/portal for portal...
Figure 393 Applying the portal server to a Layer 3 interface
Configuring cross-subnet portal authentication
Network requirements
As shown in Figure 394, configure Switch A to perform cross-subnet portal authentication for users. Before passing portal authentication, the host can access only the portal server. After passing portal authentication, the host can access Internet resources.
Configuration procedure
Make sure that the IP address of the access device added on the portal server is the IP address of the interface connected to the host (20.20.20.1 in this example), and the IP address group associated with the access device is the subnet where the host resides (8.8.8.0/24 in this example).
Assign IP addresses to the host, switches, and servers as shown in Figure 394 and make sure that they...
Figure 396 Configuring a RADIUS accounting server
Configure RADIUS scheme system for exchanges between the device and the RADIUS servers: Click the RADIUS Setup tab. Select extended as the server type. Select the Authentication Server Shared Key box, enter the key expert, and then enter the key again in the Confirm Authentication Shared Key field.
Figure 397 Configuring the RADIUS scheme
Configure AAA: Select Authentication > AAA from the navigation tree. On the Domain Setup tab, enter the domain name test, select Enable for the Default Domain field, and click Apply.
Figure 398 Creating an ISP domain
On the Authentication tab, select the ISP domain test, select the Default AuthN box, select RADIUS from the Default AuthN list, select system from the Name list to use it as the authentication scheme, and click Apply. A configuration progress dialog box appears.
Figure 400 Configuration progress dialog box
After the configuration process is complete, click Close.
Figure 401 Configuring the authorization method for the ISP domain
On the Accounting tab, select the ISP domain test, select the Default Accounting box, select RADIUS from the Default Accounting list, select system from the Name list to use it as the accounting scheme, and click Apply.
Figure 402 Configuring the accounting method for the ISP domain
Configure Layer 3 portal authentication: Select Authentication > Portal from the navigation tree. The portal server configuration page appears. In the Portal Application: Layer 3 Interfaces area, click Add. On the page that appears, select the interface Vlan-interface4, select Add for Portal Server to add a portal server, select the Layer3 portal authentication mode, enter the portal server name newpt, the portal server IP address 192.168.0.111, the shared key portal, the port number 50100, and the redirection URL http://192.168.0.111:8080/portal for portal authentication,...
Figure 403 Applying the portal server to a Layer 3 interface
On Switch B, you must configure a default route to subnet 192.168.0.0/24 with the next hop as 20.20.20.1. (Details not shown.)
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example,...
AAA can be implemented through multiple protocols, such as RADIUS, HWTACACS, and LDAP. The device supports RADIUS, which is most commonly used. For more information about RADIUS, see "Configuring RADIUS."
Domain-based user management
A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user by the username entered by the user at login, as shown in Figure 405.
Configuration procedure
Step: Configuring an ISP domain
Remarks: Optional. Create ISP domains and specify one as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.
Step: Configuring authentication methods for the ISP domain
Remarks: Optional. Configure authentication methods for different types of users. By default, all types of users use local authentication.
Create an ISP domain, as described in Table 115. Click Apply.
Table 115 Configuration items
Domain Name: Enter the ISP domain name to identify the domain. You can enter a new domain name to create a domain or specify an existing domain as the default domain.
Default AuthN, Name, Secondary Method:
• Local—Local authentication (default setting).
• None—No authentication. This method trusts all users and HP does not recommend it for general use.
• RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used.
•...
Configuring authorization methods for the ISP domain
Select Authentication > AAA from the navigation tree. Click the Authorization tab.
Figure 408 Authorization method configuration page
Select an ISP domain and specify authorization methods for the ISP domain, as described in Table 117.
Login AuthZ, Name, Secondary Method: Configure the authorization method and secondary authorization method for login users by using one of the following options:
• HWTACACS—HWTACACS authorization. You must specify the HWTACACS scheme to be used.
• Local—Local authorization.
•...
Figure 409 Accounting method configuration page
Select an ISP domain and specify accounting methods for the ISP domain, as described in Table 118. Click Apply.
Table 118 Configuration items
Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.
Specify whether to enable the accounting optional feature.
Login Accounting, Name, Secondary Method: Configure the accounting method and secondary accounting method for login users by using one of the following options:
• HWTACACS—HWTACACS accounting. You must specify the HWTACACS scheme to be used.
• Local—Local accounting.
• None—No accounting.
•...
Click the Create tab. Enter the username telnet. Select the access level Management, enter the password abc, confirm the password, and select the service type Telnet Service. Click Apply.
Figure 411 Configuring a local user
Configure ISP domain test: Select Authentication > AAA from the navigation tree. The Domain Setup tab appears.
Figure 412 Configuring ISP domain test
Configure the ISP domain to use local authentication: Click the Authentication tab. Select the domain test, the Login AuthN box, and authentication method Local.
Figure 413 Configuring the ISP domain to use local authentication
Click Apply.
Figure 414 Configuration progress dialog box
Configure the ISP domain to use local authorization: Click the Authorization tab. Select the domain test, the Login AuthZ box, and authorization method Local. Click Apply. A configuration progress dialog box appears. After the configuration progress is complete, click Close.
Figure 415 Configuring the ISP domain to use local authorization
Configure the ISP domain to use local accounting: Click the Accounting tab.
Figure 416 Configuring the ISP domain to use local accounting
Verifying the configuration
Telnet to the switch and enter the username telnet@test and password abc. You are serviced as a user in domain test.
Configuring RADIUS
Overview
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. For more information about AAA, see "Configuring AAA."...
RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A RADIUS server can act as the client of another AAA server to provide authentication proxy services.
Basic RADIUS message exchange process
Figure 418 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 418 Basic RADIUS message exchange process
RADIUS uses the following workflow: The host initiates a connection request that carries the user's username and password to the...
RADIUS packet format
RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a timer management mechanism, a retransmission mechanism, and a backup server mechanism. Figure 419 shows the RADIUS packet format.
Figure 419 RADIUS packet format
Code Identifier...
• The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field, variable in length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response.
420, a sub-attribute encapsulated in Attribute 26 has the following parts:
• Vendor-ID—ID of the vendor. Its most significant byte is 0. The other three bytes contain a code that complies with RFC 1700. The vendor ID of HP is 2011.
• Vendor-Type—Type of the sub-attribute.
•...
Figure 420 Format of attribute 26
Protocols and standards
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
•...
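The packet layout described above, worked through in code. The following Python is an added example written for this page; it is not code from the guide or from HP. It builds a constructed Access-Request carrying a User-Name, a User-Password hidden with the Request Authenticator as RFC 2865 section 5.2 specifies, a NAS-IP-Address and an attribute 26 whose Vendor-ID is the HP value 2011, parses the packet back with length checks on every TLV, and then recomputes the Response Authenticator of an Access-Accept, which is the check that lets a NAS drop a forged or altered reply. The shared key expert is the one used in the guide's configuration examples; the username, the fixed authenticator bytes and the sub-attribute type 1 are constructed placeholders, not HP-defined values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865, the first standard listed above.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
HP_VENDOR_ID = 2011  # vendor ID the guide gives for HP sub-attributes inside attribute 26


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding per RFC 2865 section 5.2: pad to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server-side inverse of hide_password; padding zeros are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vendor_specific(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: 4-byte Vendor-ID followed by Vendor-Type, Vendor-Length and the value."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length (whole packet), 16-byte Authenticator, Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def _tlvs(data: bytes) -> list:
    """Walk Type/Length/Value triples, refusing any length that runs past the buffer."""
    items, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        items.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return items


def parse_packet(data: bytes) -> dict:
    """Parse the header and attributes; attribute 26 is split into vendor ID and sub-attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with the packet size")
    attrs = []
    for atype, value in _tlvs(data[20:length]):
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            attrs.append((atype, (struct.unpack("!I", value[:4])[0], _tlvs(value[4:]))))
        else:
            attrs.append((atype, value))
    return {"code": code, "id": identifier, "length": length, "authenticator": data[4:20], "attrs": attrs}


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a NAS runs on every reply: a Response Authenticator that does not match the
    outstanding request and the shared key means the reply is forged or corrupted."""
    pkt = parse_packet(response)
    expected = response_authenticator(pkt["code"], pkt["id"], response[20:pkt["length"]], request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


def demo() -> dict:
    """Constructed exchange: an Access-Request built by the NAS, then the server's Access-Accept."""
    secret = b"expert"               # the shared key used in the guide's configuration examples
    request_auth = bytes(range(16))  # constructed; a real NAS draws 16 random bytes per request
    request_attrs = (attribute(ATTR_USER_NAME, b"user1@test")
                     + attribute(ATTR_USER_PASSWORD, hide_password(b"abc", secret, request_auth))
                     + attribute(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 0, 1]))
                     + vendor_specific(HP_VENDOR_ID, 1, b"demo"))  # sub-attribute type 1 is a placeholder
    fields = dict(parse_packet(build_packet(ACCESS_REQUEST, 7, request_auth, request_attrs))["attrs"])
    accept = build_packet(ACCESS_ACCEPT, 7, response_authenticator(ACCESS_ACCEPT, 7, b"", request_auth, secret), b"")
    forged = accept[:4] + bytes(16) + accept[20:]  # the same reply with a bogus authenticator
    return {"username": fields[ATTR_USER_NAME],
            "password": reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth),
            "vendor_id": fields[ATTR_VENDOR_SPECIFIC][0],
            "sub_attrs": fields[ATTR_VENDOR_SPECIFIC][1],
            "accept_ok": verify_response(accept, request_auth, secret),
            "forged_ok": verify_response(forged, request_auth, secret)}
```

Two points the code makes concrete: the Length field is trusted only after it is checked against the real buffer size, and the password hiding depends entirely on the shared key, which is why the key strength and the UDP path between device and server matter.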
If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state by checking any primary server first and then the secondary servers in the order they are configured.
Figure 421 RADIUS server configuration
Configure RADIUS servers as described in Table 122. Click Apply.
Table 122 Configuration items
Server Type: Select the type of the server to be configured: Authentication Server or Accounting Server.
Specify the IP address of the primary server. If no primary server is specified, this field displays 0.0.0.0.
Secondary Server Status: Set the status of the secondary server. Options are:
• active—The server is normally operating.
• blocked—The server is down.
If the IP address of the secondary server is not specified or the specified IP address is to be removed, the status is blocked.
RADIUS server.
NAS-IP: HP recommends using a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
Select the format of usernames to be sent to the RADIUS server. Typically, a username is in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (for example, an old RADIUS server) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name from a username before sending it to the RADIUS server.
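The domain-based user management described in "Configuring AAA" and the username format item above, as an added example written for this page (not code from the guide or from HP). It resolves a login name to its ISP domain the way the guide describes: an authentication domain bound to the access interface wins over the isp-name after the @ sign, and a name with no @ sign falls back to the default ISP domain (system unless changed); it then produces the username as sent to the RADIUS server with or without the domain, and flags domains whose Default AuthN is None, the method the guide says trusts all users. The domain table DOMAINS is a constructed sample; the function names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

DEFAULT_DOMAIN = "system"  # the guide: an ISP domain named system exists by default and is the default domain


def split_username(username: str, default_domain: str = DEFAULT_DOMAIN,
                   interface_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (userid, ISP domain) for a login name.

    The domain is taken, in order, from an authentication domain bound to the access interface
    (which makes the device ignore the domain carried in the username, as the portal
    'Authentication Domain' item states), then from the isp-name after '@', and finally from
    the default ISP domain."""
    if "@" in username:
        userid, suffix = username.split("@", 1)
    else:
        userid, suffix = username, ""
    if interface_domain:
        return userid, interface_domain
    return userid, suffix or default_domain


def radius_username(userid: str, domain: str, keep_domain: bool = True) -> str:
    """Username as sent to the RADIUS server: userid@isp-name normally, or the bare userid
    when the server (for example an old one) rejects names that carry a domain."""
    return f"{userid}@{domain}" if keep_domain else userid


def domains_without_authentication(domains: Dict[str, str]) -> List[str]:
    """Given ISP domain -> Default AuthN method, list the domains using None, which the guide
    says trusts all users and is not recommended for general use."""
    return sorted(name for name, method in domains.items() if method.lower() == "none")


# Constructed domain table in the shape of the Authentication tab: domain -> Default AuthN.
DOMAINS = {"system": "Local", "test": "RADIUS", "guest": "None"}


def resolve_login(username: str, interface_domain: Optional[str] = None, strip_domain: bool = False) -> dict:
    """Work out which domain, and therefore which authentication method, a login will use."""
    userid, domain = split_username(username, interface_domain=interface_domain)
    return {"userid": userid, "domain": domain,
            "method": DOMAINS.get(domain),  # None when the domain is not configured on the device
            "radius_name": radius_username(userid, domain, not strip_domain)}
```

Running resolve_login("telnet@test") reproduces the verification step of the local AAA example: the user lands in domain test and is handled by that domain's methods, while a name without a domain goes to the default domain, so what the default domain is configured to do matters for every user who omits the suffix.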
Configuring a RADIUS scheme
Select Authentication > RADIUS from the navigation tree. The RADIUS Server tab appears. Select Authentication Server from the Server Type list, enter 10.110.91.146 in the Primary Server IP box and 1812 in the Primary Server UDP Port box, and select active from the Primary Server Status list.
Figure 426 Configuring RADIUS parameters
Configuring AAA
From the navigation tree, select Authentication > AAA. The Domain Setup tab appears. Enter test in the Domain Name field and select Enable from the Default Domain list. Click Apply.
Figure 427 Creating an ISP domain
Click the Authentication tab. Select the ISP domain test, the Default AuthN box, authentication method RADIUS, and authentication scheme system from the Name list.
Figure 428 Configuring the authentication method for the ISP domain
Click Apply.
Figure 429 Configuration progress dialog box
After the configuration process is complete, click Close. Click the Authorization tab. Select the ISP domain test, the Default AuthZ box, authorization method RADIUS, and authorization scheme system from the Name list.
Figure 430 Configuring the authorization method for the ISP domain
Click Apply.
Figure 431 Configuring the accounting method for the ISP domain
Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Configuring users
This chapter describes how to configure local users and user groups. A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user to pass local authentication, you must add an entry for the user in the local user database of the device.
Figure 433 Local user configuration page
Configure the local user as described in Table 124. Click Apply.
Table 124 Configuration items
Username: Specify a name for the local user.
Password: Specify and confirm the password of the local user. The settings of these two fields must be the same.
Select an authorization level for the local user: Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and of all lower levels.
• Visitor—A user can perform ping and trace route operations but cannot read any data from the device or configure the device.
Figure 435 User group configuration page
Configure the user group as described in Table 125. Click Apply.
Table 125 Configuration items
Group-name: Specify a name for the user group.
Level: Select an authorization level for the user group: Visitor, Monitor, Configure, or Management, in ascending order of priority.
Managing PKI
Overview
The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key technologies and digital certificates, and for verifying the identities of the digital certificate owners. A digital certificate is a binding of certificate owner identity information and a public key. Users can obtain certificates, use certificates, and revoke certificates.
Figure 436 PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device such as a router or a switch, or a process running on a computer.
CA
A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
The entity retrieves the certificate. The entity can use the certificate to communicate with other entities safely through encryption and digital signature. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the request, updates the CRLs and publishes the CRLs on the LDAP server.
Configuration procedure for manual requests
Step: Creating a PKI entity
Remarks: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity.
Remarks: Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key. The identity information and public key are the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
Task: Destroying the RSA key pair
Remarks: Optional. Delete the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you must delete the existing key pair. Otherwise, the retrieving operation will fail.
Optional.
Table 126 Configuration items
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
FQDN: Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address.
Figure 440 PKI domain configuration page
Configure the parameters, as described in Table 127. Click Apply.
Table 127 Configuration items
Domain Name: Enter the name for the PKI domain.
CA Identifier: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
Requesting URL: Enter the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. In offline mode, this item is optional.
CRL URL: Enter the URL of the CRL distribution point. The URL can be an IP address or a domain name. This item is available after you click the Enable CRL Checking box. If the URL of the CRL distribution point is not set, you should receive the CA certificate and a local certificate, and then receive a CRL through SCEP.
Figure 442 Key pair parameter configuration page
Destroying the RSA key pair
From the navigation tree, select Authentication > PKI. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
Figure 443 Key pair destruction page
Retrieving and displaying a certificate
You can retrieve an existing CA certificate or local certificate from the CA server and save it locally in...
Figure 444 PKI certificate retrieval page
Configure the parameters, as described in Table 128. Click Apply.
Table 128 Configuration items
Domain Name: Select the PKI domain for the certificate.
Certificate Type: Select the type of the certificate to be retrieved: CA or Local.
Click this box to retrieve a certificate in offline mode (using an out-of-band means such as FTP, disk, or email), and then import the certificate into the local PKI system.
Figure 445 Certificate information
Requesting a local certificate
From the navigation tree, select Authentication > PKI. Click the Certificate tab. Click Request Cert.
Figure 446 Local certificate request page...
Configure the parameters, as described in Table 129.
Table 129 Configuration items
Domain Name: Select the PKI domain for the certificate.
Password: Enter the password for certificate revocation.
Enable Offline Mode: Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
Figure 449 CRL information
Table 130 Field description
Version: CRL version number.
Signature Algorithm: Signature algorithm that the CRL uses.
Issuer: CA that issued the CRL.
Last Update: Last update time.
Next Update: Next update time.
X509v3 Authority Key Identifier: Identifier of the CA that issued the certificate and the certificate version (X509v3).
PKI configuration example
Network requirements
As shown in Figure 450, configure the switch working as the PKI entity, so that:
• The switch submits a local certificate request to the CA server, which runs the RSA Keon software.
• The switch retrieves CRLs for certificate verification.
Figure 450 Network diagram
Configuring the CA server
Create a CA server named myca:...
Figure 451 Creating a PKI entity
Create a PKI domain: Click the Domain tab. Click Add. The page in Figure 452 appears. Enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request (the URL must be in the format of http://host:port/Issuing Jurisdiction ID,...
Figure 452 Creating a PKI domain
Generate an RSA key pair: Click the Certificate tab. Click Create Key. Enter 1024 as the key length, and click Apply to generate an RSA key pair.
Figure 453 Generating an RSA key pair
Retrieve the CA certificate: Click Retrieve Cert on the Certificate tab.
Figure 454 Retrieving the CA certificate
Request a local certificate: Click Request Cert on the Certificate tab. Select torsa as the PKI domain, select Password, and enter challenge-word as the password. Click Apply. The system displays Certificate request has been submitted. Click OK to finish the operation.
Configuring port isolation
Overview
Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation isolates ports within a VLAN, allowing for great flexibility and security. The device supports multiple isolation groups that can be configured manually. There is no restriction on the number of ports assigned to an isolation group.
Figure 457 Group setup
Add port isolation groups as described in Table 131. Click Apply.
Table 131 Configuration item
Isolate group ID: Enter the IDs of the port isolation groups you want to add.
Configuring member ports for a port isolation group
Select Security >...
Figure 458 Port setup
Configure member ports for a port isolation group as described in Table 132. Click Apply. When the success notification appears, click Close.
Table 132 Configuration items
Isolate group ID: Select the ID of the port isolation group to be configured.
Specify the role of the port or ports in the isolation group.
• On an HP 830 8-port PoE+ unified wired-WLAN switch switching engine, ports GE 1/0/10 and GE 1/0/11 are aggregated into interface BAGG1.
• On an HP 830 series PoE+ unified wired-WLAN switch controller engine, ports GE 1/0/1 and GE 1/0/2 are aggregated into interface BAGG1.
Port isolation configuration example...
Figure 460 Adding a port isolation group
Assign GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to port isolation group 1: Click the Port Setup tab. Select 1 from the Isolate group ID list. Select Isolated port for Config Type. Select 2, 3, 4 on the chassis front panel. 2, 3, 4 represent ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4, respectively.
Figure 461 Configuring isolated ports for port isolation group 1
Viewing information about the isolation group
Click Summary. Display port isolation group 1, which contains isolated ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4.
Figure 462 Information about port isolation group 1...
Configuring authorized IP
The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device.
Configuration procedure
Select Security > Authorized IP from the navigation tree. Click the Setup tab to enter the authorized IP configuration page.
Authorized IP configuration example
Network requirements
As shown in Figure 464, configure Switch to deny Telnet and HTTP requests from Host A, and permit Telnet and HTTP requests from Host B.
Figure 464 Network diagram
Configuration procedure
Create an ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Create tab.
Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and enter 10.1.1.3, and then enter 0.0.0.0 in the Source Wildcard field. Click Add.
Figure 466 Configuring an ACL rule to permit Host B
Configure authorized IP: Select Security >...
Configuring ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are essentially used for packet filtering.
ACL category: IPv4 advanced ACL
Sequence of tie breakers:
• Specific protocol type rather than IP (IP represents any protocol over IP).
• More 0s in the source IP address wildcard mask.
• More 0s in the destination IP address wildcard mask.
• Narrower TCP/UDP service port number range.
• Smaller ID.
Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To avoid risks, the HP ACL implementation filters all fragments based on Layer 3 attributes.

Configuration guidelines
When you configure an ACL, follow these guidelines:
•...
IPv6 ACL configuration procedure
Step: Configuring a time range
Remarks: Optional. Add a time range. A rule referencing a time range takes effect only during the specified time range.
Step: Adding an IPv6 ACL
Remarks: Required. Add an IPv6 ACL. The category of the added IPv6 ACL depends on the ACL number that you specify.
Table 135 Configuration items
Time Range Name: Set the name for the time range.
• Start Time—Set the start time of the periodic time range.
• End Time—Set the end time of the periodic time range. The end time must be later than the start time.
Table 136 Configuration items
ACL Number: Set the number of the IPv4 ACL.
Match Order: Set the match order of the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order that the rules are configured.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Figure 471 Configuring an advanced IPv4 ACL

Configure a rule for an advanced IPv4 ACL as described in Table 138.
Click Add.

Table 138 Configuration items
Select Access Control List (ACL): Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
• Not Check—The following port number fields cannot be configured.
• Range—The following port number fields must be configured to define a port range.
• Other values—The first port number field must be configured and the second port number field must not.
DSCP: Specify the DSCP value.
Figure 472 Configuring a rule for an Ethernet frame header ACL

Configure a rule for an Ethernet frame header ACL as described in Table 139.
Click Add.

Table 139 Configuration items
Select Access Control List (ACL): Select the Ethernet frame header ACL for which you want to configure rules. Available ACLs are Ethernet frame header ACLs.
Action: Select the action to be performed for packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Source MAC Address: Select the Source MAC Address box and enter a source MAC address and a mask.
Click Apply.

Table 140 Configuration items
ACL Number: Enter a number for the IPv6 ACL.
Match Order: Select a match order for the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order the rules are configured.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically. If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Figure 475 Configuring a rule for an advanced IPv6 ACL

Add a rule for an advanced IPv6 ACL as described in Table 142.
Click Add.

Table 142 Configuration items
Select Access Control List (ACL): Select the advanced IPv6 ACL for which you want to configure rules.
Rule ID: Select the Rule ID box and enter a number for the rule.
Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments.
Check Logging: Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that the IP carries, source/destination address,...
Configuring QoS

Overview
Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network may provide various services. Generally, QoS performance is measured with respect to bandwidth, delay, jitter, and packet loss ratio during the packet forwarding process.
Figure 476 Traffic congestion causes
• The traffic enters a device from a high speed link and is forwarded over a low speed link.
• The packet flows enter a device from several incoming interfaces and are forwarded out of an...
End-to-end QoS

Figure 477 End-to-end QoS model

As shown in Figure 477, traffic classification and congestion management provide the foundation for a network to provide differentiated services:
• Traffic classification—Uses specific match criteria to organize packets with different characteristics into different classes. Traffic classification is typically applied to the inbound direction of a port.
• Congestion management—Provides a resource scheduling policy to arrange the forwarding...
Packet precedences

IP precedence and DSCP values

Figure 478 ToS field and DS field

As shown in Figure 478, the ToS field of the IP header contains eight bits: the first three bits (0 to 2) represent IP precedence from 0 to 7. The subsequent four bits (3 to 6) represent a ToS value from 0 to 15. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated services code point (DSCP) value is represented by the first six bits (0 to 5) and is in the range 0 to 63.
DSCP value (decimal) | DSCP value (binary) | Description
28 | 011100 | af32
30 | 011110 | af33
34 | 100010 | af41
36 | 100100 | af42
38 | 100110 | af43
8 | 001000 | cs1
16 | 010000 | cs2
24 | 011000 | cs3
32 | 100000 | cs4
40 | 101000 | cs5
48 | 110000 | cs6
56 | 111000 | cs7
0 | 000000 | be (default)

802.1p priority
802.1p priority lies in Layer 2 packet headers and applies to situations where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Table 145 Description on 802.1p priority
802.1p priority (decimal) | 802.1p priority (binary) | Description
0 | 000 | best-effort
1 | 001 | background
2 | 010 | spare
3 | 011 | excellent-effort
4 | 100 | controlled-load
5 | 101 | video
6 | 110 | voice
7 | 111 | network-management

Queue scheduling
In general, congestion management uses queuing technology. The system uses a queuing algorithm for traffic classification, and then uses a precedence algorithm to send the traffic. Each queuing algorithm handles a particular network traffic problem and has significant impacts on bandwidth resource assignment, delay, and jitter.
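The bit layout of the ToS/DS field described above and the two priority tables can be checked with the following Python helpers, added here as an illustration and not part of the HP guide. The DSCP naming generalizes the af/cs/be rows shown to the whole AF and CS ranges (ef = 46 comes from RFC 3246 and is not in the page's table); the sample IPv4 header and 802.1Q tag values are constructed.

```python
from typing import Tuple

# 802.1p priority names in value order, as listed in Table 145.
DOT1P_NAMES = ("best-effort", "background", "spare", "excellent-effort",
               "controlled-load", "video", "voice", "network-management")


def split_tos(tos: int) -> Tuple[int, int, int]:
    """Return (IP precedence, ToS value, DSCP) from the ToS/DS byte.
    Bit numbering follows Figure 478: bit 0 is the most significant bit."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte out of range")
    ip_precedence = tos >> 5          # bits 0-2
    tos_value = (tos >> 1) & 0xF      # bits 3-6
    dscp = tos >> 2                   # bits 0-5 (DS field, RFC 2474)
    return ip_precedence, tos_value, dscp


def dscp_name(dscp: int) -> str:
    """Name a DSCP codepoint (be, csN, afXY, ef); generalizes the page's table."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"                   # RFC 3246 expedited forwarding, not on the page
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return f"cs{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low // 2}"   # e.g. 011100 -> class 3, drop precedence 2 -> af32
    return f"dscp{dscp}"              # not a standard per-hop-behaviour codepoint


def dscp_to_tos_byte(dscp: int) -> int:
    """Build the ToS byte carrying a DSCP (the two ECN bits are left 0)."""
    return (dscp & 0x3F) << 2


def dot1p_priority(tci: int) -> Tuple[int, str]:
    """Extract the 3-bit 802.1p priority (PCP) from a 16-bit 802.1Q tag control field."""
    pcp = (tci >> 13) & 0x7
    return pcp, DOT1P_NAMES[pcp]


def describe_ipv4_header(header: bytes) -> dict:
    """Summarize the precedence-related fields of an IPv4 header (ToS is byte 1)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    prec, tos_value, dscp = split_tos(header[1])
    return {"ip_precedence": prec, "tos_value": tos_value,
            "dscp": dscp, "dscp_name": dscp_name(dscp)}


# Constructed IPv4 header: version/IHL 0x45, ToS 0x70 (DSCP 28 = af32), rest zeroed.
SAMPLE_HEADER = bytes([0x45, 0x70]) + bytes(18)

if __name__ == "__main__":
    print(describe_ipv4_header(SAMPLE_HEADER))
    print(dot1p_priority(0xA000))     # PCP 5 -> video
```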
packets in the queue with the second highest priority, and so on. You can assign mission-critical packets to the high priority queue to make sure the high priority queue packets are always served first and assign common service (such as Email) packets to the low priority queues so they are sent when the high priority queues are empty.
Figure 483 Evaluate traffic with the token bucket

The evaluation for the traffic specification is based on whether the number of tokens in the bucket can meet the needs of packet forwarding. If the number of tokens in the bucket is enough to forward the packets (typically, one token is associated with a 1-bit forwarding authority), the traffic conforms to the specification, and the traffic is called "conforming traffic."...
Figure 484 Rate limit implementation

When a token bucket is used for traffic control, bursty packets can be transmitted while the token bucket has tokens. When no tokens are available, packets cannot be transmitted until new tokens are generated in the token bucket. In this way, the traffic rate is limited to the rate at which tokens are generated, while bursty traffic is still allowed.
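The token-bucket evaluation described in the two passages above, as an added Python example that is not part of the HP guide or product: tokens accrue at CIR and the bucket depth is CBS, so a burst of up to CBS bits passes and anything beyond it is non-conforming until tokens return. CBS is modelled in bits to match the one-token-per-bit description (the device's Table 153 expresses it in bytes); the trace values are constructed.

```python
from typing import List, Tuple

Verdict = str  # "conforming" or "non-conforming"


class TokenBucket:
    """Single token bucket: tokens are added at CIR (bits per second) up to a depth of
    CBS (bits). One token buys the right to forward one bit, as the figure describes."""

    def __init__(self, cir_bps: float, cbs_bits: float) -> None:
        if cir_bps <= 0 or cbs_bits <= 0:
            raise ValueError("CIR and CBS must be positive")
        self.cir = float(cir_bps)
        self.cbs = float(cbs_bits)
        self.tokens = self.cbs        # the bucket starts full, so an initial burst passes
        self.last = 0.0

    def _refill(self, now: float) -> None:
        if now < self.last:
            raise ValueError("time must not go backwards")
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir)
        self.last = now

    def evaluate(self, now: float, packet_bytes: int) -> Verdict:
        """Evaluate one packet: if enough tokens are present they are consumed and the
        packet conforms; otherwise it is non-conforming and no tokens are taken."""
        self._refill(now)
        needed = packet_bytes * 8
        if self.tokens >= needed:
            self.tokens -= needed
            return "conforming"
        return "non-conforming"


def burst_seconds(cir_bps: float, cbs_bits: float) -> float:
    """How long line-rate traffic can exceed CIR before the bucket empties (CBS / CIR)."""
    return cbs_bits / cir_bps


def rate_limit(trace: List[Tuple[float, int]], cir_bps: float, cbs_bits: float) -> List[Verdict]:
    """Run a (timestamp in seconds, packet size in bytes) trace through one bucket."""
    bucket = TokenBucket(cir_bps, cbs_bits)
    return [bucket.evaluate(t, size) for t, size in trace]


# Constructed trace: CIR 8000 bit/s (1000 bytes/s), CBS 16000 bits (2000 bytes).
# Two back-to-back 1000-byte packets fit in the burst, the third does not; after one
# second enough tokens have returned for one packet, after half a second they have not.
SAMPLE_CIR, SAMPLE_CBS = 8000, 16000
SAMPLE_TRACE = [(0.0, 1000), (0.0, 1000), (0.0, 500), (1.0, 1000), (1.5, 1000), (2.5, 1000)]

if __name__ == "__main__":
    print(rate_limit(SAMPLE_TRACE, SAMPLE_CIR, SAMPLE_CBS))
    print(burst_seconds(SAMPLE_CIR, SAMPLE_CBS))  # seconds of burst allowance
```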
Figure 485 Priority mapping process

Introduction to priority mapping tables
The device provides the following types of priority mapping tables:
• CoS to DSCP—802.1p-to-DSCP mapping table.
• CoS to Queue—802.1p-to-local mapping table.
• DSCP to CoS—DSCP-to-802.1p mapping table, which applies to only IP packets.
•...
Input DSCP value | Local precedence (Queue)
40 to 47 |
48 to 55 |
56 to 63 |

In the default DSCP to DSCP mapping table, an input value yields a target value equal to it.

Configuration guidelines
When you configure QoS, follow these guidelines:
• When you configure rate limit and traffic policing for a behavior, make sure the ratio of CBS to CIR...
• or—The device considers that a packet belongs to a class as long as the packet matches one of the criteria in the class.
• Traffic behavior: A traffic behavior, identified by a name, defines a set of QoS actions for packets.
• Policy: You can apply a QoS policy to a VLAN or a port.
Add a class as described in Table 149.
Click Create.

Table 149 Configuration items
Classifier Name: Specify a name for the classifier to be added. Some devices have their own system-defined classifiers. The classifier name you specify cannot overlap with system-defined ones. The system-defined classifiers include: default-class, ef, af1, af2, af3, af4, ip-prec0, ip-prec1, ip-prec2, ip-prec3, ip-prec4, ip-prec5, ip-prec6, ip-prec7, mpls-exp0, mpls-exp1, mpls-exp2, mpls-exp3,...
Figure 487 Configuring classification rules

Configure classification rules for a class as described in Table 150.
Click Apply.

Table 150 Configuration items
Please select a classifier: Select an existing classifier in the list.
Define a rule to match all packets. Select the box to match all packets.
IP Precedence: Define a rule to match IP precedence values. If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure up to eight IP precedence values at a time. If multiple identical IP precedence values are specified, the system considers them as a single value.
Define a rule to match service VLAN IDs. If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified multiple times, the system considers them as a single value.
Add a traffic behavior as described in Table 151.
Click Create.

Table 151 Configuration items
Behavior name: Specify a name for the behavior to be added. Some devices have their own system-defined behaviors. The behavior name you specify cannot overlap with system-defined behaviors. The system-defined behaviors include ef, af, and be.
Mirror To: Set the action of mirroring traffic to the specified destination port. Traffic can be mirrored to only one destination port. The most recent configuration overwrites the previous.
Redirect: Set the action of redirecting traffic to the specified destination port.
Please select a port: Specify the port to be configured as the destination port of traffic mirroring or traffic redirecting on the chassis front panel.
Figure 490 Setting a traffic behavior

Configure other actions for a traffic behavior as described in Table 153.
Click Apply.
Table 153 Configuration items
Please select a behavior: Select an existing behavior in the list.
Enable/Disable: Enable or disable CAR.
CIR: Set the committed information rate (CIR), the average traffic rate.
CBS: Set the committed burst size (CBS), the number of bytes that can be sent in each interval.
Accounting: Configure the traffic accounting action. Select the Accounting box and select Enable or Disable in the following list to enable/disable the traffic accounting action.

Adding a policy
Select QoS > QoS Policy from the navigation tree.
Click the Create tab to enter the page for adding a policy.

Figure 491 Adding a policy

Add a policy as described in Table...
Figure 492 Setting a policy

Configure a classifier-behavior association for a policy as described in Table 155.
Click Apply.

Table 155 Configuration items
Please select a policy: Select an existing policy in the list.
Classifier Name: Select an existing classifier in the list.
Behavior Name: Select an existing behavior in the list.
Apply a policy to a port as described in Table 156.
Click Apply.

Table 156 Configuration items
Please select a policy: Select an existing policy in the list.
Set the direction in which the policy is to be applied.
•...
Table 157 Configuration items
WRR: Enable or disable the WRR queue scheduling mechanism on selected ports. The following options are available:
• Enable—Enables WRR on selected ports.
• Not Set—Restores the default queuing algorithm on selected ports.
Queue: Select the queue to be configured. A queue ID ranges from 0 to n-1 (n is the maximum number of queues on an interface and varies by device).
Figure 495 Configuring rate limit on a port

Configure rate limit on a port as described in Table 158.
Click Apply.

Table 158 Configuration items
Please select an interface type: Select the types of interfaces to be configured with rate limit.
Rate Limit: Enable or disable rate limit on the specified port.
Please select port(s): Specify the ports to be configured with rate limit. Click the ports to be configured with rate limit in the port list. You can select one or more ports.

Configuring priority mapping tables
Select QoS > Priority Mapping from the navigation tree.

Figure 496 Configuring priority mapping tables

Configure a priority mapping table as described in Table...
Figure 497 Configuring port priority

Click the icon for a port.

Figure 498 The page for modifying port priority

Configure the port priority for a port as described in Table 160.
Click Apply.

Table 160 Configuration items
Interface: Interface to be configured.
Trust Mode: Select a priority trust mode for the port:
• Untrust—Packet priority is not trusted.
• CoS—802.1p priority of the incoming packets is trusted and used for priority mapping.
• DSCP—DSCP value of the incoming packets is trusted and used for priority mapping.
ACL and QoS configuration example

Network requirements
As shown in Figure 499, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch.
Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day:
Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
Figure 500 Defining a time range covering 8:00 to 18:00 every day

Add an advanced IPv4 ACL:
Select QoS > ACL IPv4 from the navigation tree.
Click the Create tab.
Enter the ACL number 3000.
Click Apply.
Figure 501 Adding an advanced IPv4 ACL

Define an ACL rule for traffic to the FTP server:
Click the Advanced Setup tab.
Select 3000 in the ACL list.
Select the Rule ID box, and enter rule ID 2.
Select Permit in the Action list.
Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.
Figure 502 Defining an ACL rule for traffic to the FTP server

Add a class:
Select QoS > Classifier from the navigation tree.
Click the Create tab.
Enter the class name class1.
Click Create.
Figure 503 Adding a class

Define classification rules:
Click the Setup tab.
Select the class name class1 in the list.
Select the ACL IPv4 box, and select ACL 3000 in the following list.
Figure 504 Defining classification rules

Click Apply. A progress dialog box appears, as shown in Figure 505.
Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 505 Configuration progress dialog box

Add a traffic behavior:
Select QoS > Behavior from the navigation tree.
Click the Create tab.
Enter the behavior name behavior1.
Click Create.

Figure 506 Adding a traffic behavior

Configure actions for the traffic behavior:
Click the Setup tab.
Figure 507 Configuring actions for the behavior

Add a policy:
Select QoS > QoS Policy from the navigation tree.
Click the Create tab.
Enter the policy name policy1.
Click Create.
Figure 508 Adding a policy

Configure classifier-behavior associations for the policy:
Click the Setup tab.
Select policy1.
Select class1 from the Classifier Name list.
Select behavior1 from the Behavior Name list.
Click Apply.

Figure 509 Configuring classifier-behavior associations for the policy

Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1:
Select QoS >...
Select port GigabitEthernet 1/0/1.
Click Apply. A configuration progress dialog box appears.
Click Close when the progress dialog box prompts that the configuration succeeds.

Figure 510 Applying the QoS policy in the inbound direction of GigabitEthernet 1/0/1...
• Over spare wires—The PSE uses spare pairs (pins 4, 5 and 7, 8) to supply DC power to PDs.

NOTE:
The switching engine of the HP 830 switch supports only power over signal wires.

Figure 511 PoE system diagram

Configuring PoE
Before configuring PoE, make sure the PoE power supply and PSE are operating correctly.
Configuring PoE ports
Select PoE > PoE from the navigation tree.
Click the Port Setup tab.

Figure 512 Port Setup tab

Configure the PoE ports as described in Table 161.
Click Apply.

Table 161 Configuration items
Select Port: Select ports to be configured and they are displayed in the Selected Ports area.
Set the power supply priority for a PoE port. In descending order, the power-supply priority levels of a PoE port are critical, high, and low.
• When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.
Click Apply.

Disabling the non-standard PD detection function for a PSE
Select Disable in the corresponding Non-Standard PD Compatibility column.
Click Apply.

Enabling the non-standard PD detection for all PSEs
Click Enable All.

Disabling the non-standard PD detection for all PSEs
Click Disable All.
• GigabitEthernet 1/0/11 is connected to an AP whose maximum power does not exceed 12950 milliwatts.
• The IP telephones have a higher power supply priority than the AP, so the PSE supplies power to the IP telephones first if the PSE power is overloaded.

Figure 515 Network diagram

Configuring PoE
Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and set their power supply...
Enable PoE on GigabitEthernet 1/0/11 and set the maximum power of the port to 12950 milliwatts:
Click the Setup tab.
On the tab, click to select port GigabitEthernet 1/0/11 from the chassis front panel, select Enable from the Power State list, and select the box before Power Max and enter 12950.
Click Apply.
Related information

Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
•...
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention | Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which...
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.