HP 1920 Gigabit Ethernet Switch Series User Guide Part number: 5998-5627 Software version: Release 1102 Document version: 5W100-20140620
87 Item Description Access Level Select an access level for the user. Users of different levels can perform different operations. User levels, in or
88 4. Click Apply. Table 19 Configuration items Item Description Create/Remove Select the operation type: • Create—Configure or change the super pa
89 Configuring a loopback test You can check whether an Ethernet port operates correctly by performing Ethernet port loopback test. During the test t
90 4. Click Test. After the test is complete, the system displays the loopback test result. Figure 76 Loopback test result
91 Configuring VCT Overview You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the d
92 Configuring the flow interval With the flow interval module, you can view the number of packets and bytes sent and received by a port, and the ban
93 Configuring RMON Overview Remote Network Monitoring (RMON) is an enhancement to SNMP. It enables proactive remote monitoring and management of net
94 History group The history group defines that the system periodically collects traffic statistics on interfaces and saves the statistics in the his
95 RMON configuration task list Configuring the RMON statistics function The RMON statistics function can be implemented by either the Ethernet stati
96 Table 22 RMON alarm configuration task list Task Remarks Configuring a statistics entry Required. You can create up to 100 statistics entries in a
97 Task Remarks Displaying RMON event logs If you configure the system to log an event after the event is triggered when you configure the event grou
98 Configuring a history entry 1. Select Device > RMON from the navigation tree. 2. Click the History tab. Figure 82 History entry 3. Click A
99 Configuring an event entry 1. Select Device > RMON from the navigation tree. 2. Click the Event tab. Figure 84 Event entry 3. Click Add. F
100 Configuring an alarm entry 1. Select Device > RMON from the navigation tree. 2. Click the Alarm tab. Figure 86 Alarm entry 3. Click Add.
101 Item Description Interval Set the sampling interval. Sample Type Set the sampling type: • Absolute—Absolute sampling to obtain the value of the
102 Figure 88 RMON statistics Table 28 Field description Field Description Number of Received Bytes Total number of octets received by the interfac
103 Field Description Number of Network Conflicts Total number of collisions received on the interface, corresponding to the MIB node etherStatsColli
104 Table 29 Field description Field Description NO Number of the entry in the system buffer. Statistics are numbered chronologically when they are s
105 Figure 90 Log tab In this example, event 1 has generated one log, which is triggered because the alarm value (11779194) exceeds the rising thre
106 Figure 92 Adding a statistics entry 2. Display RMON statistics for GigabitEthernet 1/0/1: a. Click the icon corresponding to GigabitEtherne
107 Figure 94 Configuring an event group Figure 95 Displaying the index of an event entry 4. Configure an alarm group to sample received bytes o
108 Figure 96 Configuring an alarm group Verifying the configuration After the above configuration, when the alarm event is triggered, you can disp
109 Configuring energy saving Energy saving enables a port to operate at the lowest transmission speed, disable PoE, or go down during a specific tim
110 Item Description Lowest Speed Set the port to transmit data at the lowest speed. If you configure the lowest speed limit on a port that does not
111 Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration proc
112 • Set—The NMS modifies the value of an object node in an agent MIB. • Notifications—Includes traps and informs. SNMP agent sends traps or infor
113 Table 32 SNMPv3 configuration task list Task Remarks 1. Enabling SNMP agent Required. The SNMP agent function is disabled by default. IMPORTANT
114 Figure 101 Setup tab 2. Configure SNMP settings on the upper part of the page as described in Table 33. 3. Click Apply. Table 33 Configuratio
115 Item Description Location Set a character string to describe the physical location of the device. SNMP Version Set the SNMP version run by the
116 8. Repeat steps 6 and 7 to add more rules for the SNMP view. 9. Click Apply. To cancel the view, click Cancel. Figure 104 Creating an SNMP view
117 Figure 105 Adding rules to an SNMP view 4. Configure the parameters as described in Table 34. 5. Click Apply. NOTE: You can also click the
118 Figure 107 Creating an SNMP Community 4. Configure the SNMP community as described in Table 35. 5. Click Apply. Table 35 Configuration items
119 3. Click Add. The Add SNMP Group page appears. Figure 109 Creating an SNMP group 4. Configure SNMP group as described in Table 36. 5. Click
120 Configuring an SNMP user 1. Select Device > SNMP from the navigation tree. 2. Click the User tab. The User tab appears. Figure 110 SNMP user
121 Table 37 Configuration items Item Description User Name Set the SNMP user name. Security Level Select the security level for the SNMP group. The
122 Figure 112 Traps configuration 3. Select Enable SNMP Trap. 4. Click Apply to enable the SNMP trap function. 5. Click Add. The page for addin
123 Item Description Security Name Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name. U
124 SNMPv1/v2c configuration example Network requirements As shown in Figure 115 , the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch
125 Figure 117 Configuring an SNMP read-only community 3. Configure a read and write community: a. Click Add on the Community tab page. The Add S
126 Figure 119 Enabling SNMP traps 5. Configure a target host SNMP traps: a. Click Add on the Trap tab page. The page for adding a target host of
1 Overview The HP 1920 Switch Series can be configured through the command line interface (CLI), Web interface, and SNMP/MIB. These configuration meth
127 For information about how to configure the NMS, see the NMS manual. Verifying the configuration After the above configuration, an SNMP connection
128 2. Configure an SNMP view: a. Click the View tab. b. Click Add. The page for creating an SNMP view appears. c. Type view1 in the View Name fi
129 Figure 125 Creating an SNMP group 4. Configure an SNMP user: a. Click the User tab. b. Click Add. The page in Figure 126 appears. c. Type u
130 Figure 126 Creating an SNMP user 5. Enable SNMP traps: a. Click the Trap tab. The Trap tab page appears. b. Select Enable SNMP Trap. c. Cli
131 b. Select the IPv4/Domain option and type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Mod
132 Displaying interface statistics The interface statistics module displays statistics about the packets received and sent through interfaces. To di
133 Configuring VLANs Overview Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared, collisions and excessive bro
134 Figure 131 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 132. Figur
135 Port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link
136 PVID By default, VLAN 1 is the PVID for all ports. You can change the PVID for a port, as required. Use the following guidelines when you configu
2 Configuring the switch in the Web interface Restrictions and guidelines To ensure a successful login, verify that your operating system and Web brow
137 Recommended VLAN configuration procedures Recommended configuration procedure for assigning an access port to a VLAN Step Remarks 1. Creating VL
138 Step Remarks 3. Setting the PVID for a port. Configure the PVID of the trunk port. Required. A trunk port has only one untagged VLAN and the unt
139 Step Remarks 3. Setting the PVID for a port. Optional. Configure the PVID of the hybrid port. By default, the PVID of a hybrid port is VLAN 1.
140 Figure 134 Creating VLANs Table 40 Configuration items Item Description VLAN IDs IDs of the VLANs to be created. Modify the description of the
141 Figure 135 Modifying ports Setting the PVID for a port You can also configure the PVID of a port on the Setup tab of Device > Port Managemen
142 Figure 136 Modifying the PVID for a port Selecting VLANs 1. From the navigation tree, select Network > VLAN. The Select VLAN tab is displa
143 Modifying a VLAN 1. From the navigation tree, select Network > VLAN. 2. Click Modify VLAN to enter the page for modifying a VLAN. Figure 1
144 Item Description Select ports to be modified and assigned to this VLAN Select the ports to be modified in the selected VLAN. When you configure
145 Item Description Select membership type Set the member types of the selected ports to be modified in the specified VLANs: • Untagged—Configures
146 Figure 141 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 2. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: a.
3 Figure 1 Internet Explorer settings (1) 3. Click Custom Level. 4. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins,
147 Figure 142 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 3. Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: a. Click
148 A configuration progress dialog box appears. g. After the configuration process is complete, click Close. Figure 144 Assigning GigabitEthernet
149 Figure 145 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B in th
150 Configuring VLAN interfaces Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information,
151 Figure 146 Creating a VLAN interface 3. Configure the VLAN interface as described in Table 43. 4. Click Apply. Table 43 Configuration items
152 Item Description Configure IPv6 Link Local Address Auto Configure the way in which the VLAN interface gets an IPv6 link-local address. Select t
153 Figure 147 Modifying a VLAN interface 3. Modify a VLAN interface as described in Table 44. 4. Click Apply. Table 44 Configuration items Ite
154 Item Description Modify IPv4 Address DHCP Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to get
155 Configuration guidelines When you configure VLAN interfaces, follow these guidelines: • A link-local address is automatically generated for an I
156 Configuring a voice VLAN Overview The voice technology is developing quickly, and more and more voice devices are in use. In broadband communitie
4 Figure 2 Internet Explorer settings (2) 5. Click OK to save your settings. Enabling JavaScript in a Firefox browser 1. Launch the Firefox brows
157 automatically assigns the receiving port to a voice VLAN, issues ACL rules and configures the packet precedence. You can configure an aging timer
158 Table 46 Required configurations on ports of different link types for them to support tagged voice traffic Port link type Voice VLAN assignment m
159 the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode, the port forwards all received untagged packets in t
160 Recommended configuration procedure for a port in automatic voice VLAN assignment mode Step Remarks 1. Configuring voice VLAN globally (Optional
161 3. Configure the global voice VLAN settings as described in Table 49. 4. Click Apply. Table 49 Configuration items Item Description Voice VLA
162 Item Description Voice VLAN port state Select Enable or Disable in the list to enable or disable the voice VLAN function on the port. Voice VLAN
163 Voice VLAN configuration examples Configuring voice VLAN on a port in automatic voice VLAN assignment mode Network requirements As shown in Figur
164 Figure 154 Creating VLAN 2 2. Configure GigabitEthernet 1/0/1 as a hybrid port: a. Select Device > Port Management from the navigation tr
165 Figure 155 Configuring GigabitEthernet 1/0/1 as a hybrid port 3. Configure the voice VLAN function globally: a. Select Network > Voice VL
166 a. Click the Port Setup tab. b. Select Auto in the Voice VLAN port mode list. c. Select Enable in the Voice VLAN port state list. d. Enter
5 Figure 3 Firefox browser settings 3. Click OK to save your settings. Others • The Web interface does not support the Back, Next, and Refresh bu
167 Verifying the configuration 1. When the preceding configurations are completed, the OUI Summary tab is displayed by default, as shown in Figure
168 0011-2200-0000 and mask ffff-ff00-0000 to pass through. The description of the OUI address entry is test. Figure 161 Network diagram Configuri
169 d. Select the PVID box and enter 2 in the field. e. Select GigabitEthernet 1/0/1 from the chassis front panel. f. Click Apply. Figure 163 Co
170 Figure 164 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member 4. Configure voice VLAN on GigabitEthernet 1/0/1: a. Select Networ
171 Figure 165 Configuring voice VLAN on GigabitEthernet 1/0/1 5. Add OUI addresses to the OUI list: a. Click the OUI Add tab. b. Enter OUI addr
172 Figure 167 Displaying the current OUI list of the device 2. Click the Summary tab, where you can view the current voice VLAN information. Fig
173 Configuring the MAC address table MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate int
174 Types of MAC address entries A MAC address table can contain the following types of entries: • Static entries—Manually added and never age out.
175 Item Description Type Set the type of the MAC address entry: • Static—Static MAC address entries that never age out. • Dynamic—Dynamic MAC addr
176 Creating a static MAC address entry 1. Select Network > MAC from the navigation tree. By default, the MAC tab is displayed. 2. Click Add. 3
6 Overview The device provides web-based configuration interfaces for visual device management and maintenance. Figure 4 Web-based network management
177 Configuring MSTP Overview Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links an
178 • Forward delay—Delay that STP bridges use to transit port state. The descriptions and examples in this chapter only use the following fields in
179 Figure 173 Designated bridges and designated ports Path cost Path cost is a reference value used for link selection in STP. STP calculates path
180 Step Description 2 Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPD
181 Figure 174 STP network As shown in Figure 174, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the path costs of l
182 Table 56 Comparison process and result on each device Device Comparison process Configuration BPDU on ports after comparison Device A • Port AP
183 Device Comparison process Configuration BPDU on ports after comparison After comparison: • The configuration BPDU of CP1 is elected as the opt
184 The configuration BPDU forwarding mechanism of STP The configuration BPDUs of STP are forwarded according to these guidelines: • Upon network in
185 Introduction to MSTP MSTP overcomes the following STP and RSTP limitations: • STP limitations—STP does not support rapid state transition of por
186 Figure 176 Basic concepts in MSTP MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network an
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitt
7 b. Enter the username admin and the verification code, leave the password blank, and click Login. Figure 5 Login page of the Web interface Loggin
187 VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between V
188 Figure 177 Port roles MSTP calculation involves the following port roles: • Root port—Forwards data for a non-root bridge to the root bridge.
189 port state is available for the corresponding port role, and a dash [—] indicates that the port state is not available for the corresponding port
190 • Loop guard • TC-BPDU (a message that notifies the device of topology changes) guard • Support for the hot swapping of interface boards and
191 Step Remarks 4. Displaying MSTP information of a port. Optional. Display MSTP information of a port in MSTI 0, the MSTI to which the port belon
192 Table 58 Configuration items Item Description Region Name MST region name. The MST region name is the bridge MAC address of the device by defaul
193 Figure 180 Configuring MSTP globally 3. Configure the global MSTP configuration as described in Table 59, and then click Apply. Table 59 Confi
194 Item Description Mode Sets the operating mode of STP: • STP—Each port on a device sends out STP BPDUs. • RSTP—Each port on a device sends out
195 Item Description tc-protection Selects whether to enable TC-BPDU guard. When receiving topology change (TC) BPDUs, the device flushes its forwa
196 Item Description Instance (Instance ID, Port Priority, Auto Path Cost, and Manual Path Cost) Sets the priority and path cost of the port in the
8 • Navigation tree—Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed. The result is
197 Protection type Description Root Protection Enables the root guard function. Configuration errors or attacks might result in configuration BPDU
198 Table 62 Field description Field Description [FORWARDING] The port is in forwarding state, so the port learns MAC addresses and forwards user tr
199 Field Description PortTimes Major parameters for the port: • Hello—Hello timer. • MaxAge—Max Age timer. • FWDly—Forward delay timer. • MsgAg
200 Figure 183 Network diagram "Permit:" next to a link in the figure is followed by the VLANs the packets of which are permitted to pass
201 j. Click Activate. Figure 185 Configuring an MST region 2. Configure MSTP globally: a. From the navigation tree, select Network > MSTP.
202 Figure 186 Configuring MSTP globally (on Switch A) Configuring Switch B 1. Configure an MST region on the switch in the same way the MST regio
203 Configuring Switch C 1. Configure an MST region on the switch in the same way the MST region is configured on Switch A. 2. Configure MSTP globa
204 Figure 187 Configuring MSTP globally (on Switch D)
205 Configuring link aggregation and LACP Overview Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called a
206 Configuration classes Port configurations include the following classes: • Class-two configurations—A member port can be placed in the Selected
9 Function menu Description User level Electronic Label Display the electronic label of the device. Monitor Diagnostic Information Generate diagnost
207 exceeded, places the ports with smaller port numbers in the Selected state and those with greater port numbers in the Unselected state. 4. Plac
208 Configuration procedures Configuring a static aggregation group Step Remarks 1. Creating a link aggregation group. Create a static aggregate int
209 Figure 188 Creating a link aggregation group 3. Configure a link aggregation group as described in Table 64. 4. Click Apply. Table 64 Confi
210 2. Choose an aggregate interface from the list. The list on the lower part of the page displays the detailed information about the member ports
211 Setting LACP priority 1. From the navigation tree, select Network > LACP. 2. Click Setup. 3. In the Set LACP enabled port(s) parameters a
212 Detailed information about the peer port appears on the lower part of the page. Table 68 describes the fields. Figure 191 Displaying the informa
213 Field Description Partner Port ID of the peer port. Partner Port State States of the peer port: • A—LACP is enabled. • B—LACP short timeout. I
214 a. Enter link aggregation interface ID 1. b. Select Static (LACP Disabled) for the aggregate interface type. c. Select GigabitEthernet 1/0/1,
215 Figure 194 Creating dynamic link aggregation group 1 Configuration guidelines When you configure a link aggregation group, follow these guideli
216 • Do not assign the following types of ports to Layer 2 aggregate groups: ◦ MAC address authentication-enabled ports. ◦ port security-enabled
10 Function menu Description User level Switch To Management Switch the current user level to the management level. Visitor Loopback Loopback Perfo
217 Configuring LLDP Overview In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices fr
218 Field Description Data LLDPDU. FCS Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. •
219 • Basic management TLVs • Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs • LLDP-MED (media endpoint discovery) TLVs Basic manageme
220 Type Description Protocol Identity Indicates protocols supported on the port. An LLDPDU can carry multiple different TLVs of this type. DCBX Dat
221 Type Description Extended Power-via-MDI Allows a network device or terminal device to advertise power supply capability. This TLV is an extension
222 • A new neighbor is discovered. A new LLDP frame is received carrying device information new to the local device. • The LLDP operating mode of
223 Step Remarks 5. Displaying global LLDP information. Optional. You can display the local global LLDP information and statistics. 6. Displaying
224 Setting LLDP parameters on ports The Web interface allows you to set LLDP parameters for a single port or for multiple ports in batch. Setting LL
225 Item Description Encapsulation Format Set the encapsulation for LLDP frames: • ETHII—Encapsulates outgoing LLDP frames in Ethernet II frames and
226 Item Description DOT1 TLV Setting Port VLAN ID Select the box to include the PVID TLV in transmitted LLDP frames. Protocol VLAN ID Select the b
11 Function menu Description User level Network VLAN Select VLAN Select a VLAN range. Monitor Create Create VLANs. Configure Port Detail Display
227 Setting LLDP parameters for ports in batch 1. From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed. 2
228 Figure 201 The global setup tab 3. Set the global LLDP setup as described in Table 76. 4. Click Apply. A progress dialog box appears. 5. C
229 Item Description TTL Multiplier Set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in t
230 By default, the Local Information tab is displayed. Table 77 describes the fields. Figure 202 The local information tab Table 77 Field descrip
231 Field Description PoE PSE power source PSE power source type: • Primary. • Backup. Port PSE priority PoE power supply priority of PSE ports: •
232 Field Description Port ID type Port ID type: • Interface alias. • Port component. • MAC address. • Network address. • Interface name. • Age
233 Field Description Media policy type Media policy type: • Unknown. • Voice. • Voice signaling. • Guest voice. • Guest voice signaling. • Sof
234 Figure 204 The statistic information tab 5. Click the Status Information tab to display the LLDP status information. Figure 205 The status in
235 Figure 206 The global summary tab Table 79 Field description Field Description Chassis ID Local chassis ID depending on the chassis type defin
236 Displaying LLDP information received from LLDP neighbors 1. From the navigation tree, select Network > LLDP. 2. Click the Neighbor Summary
12 Function menu Description User level LACP Summary Display information about LACP-enabled ports and their partner ports. Monitor Setup Set LACP pr
237 The page shown in Figure 210 appears. Figure 209 The port setup tab d. Select Rx from the LLDP Operating Mode list. 3. Click Apply. A progr
238 Figure 210 Setting LLDP on multiple ports 5. Enable global LLDP: a. Click the Global Setup tab, as shown in Figure 211. b. Select Enable fr
239 Configuring Switch B 1. (Optional.) Enable LLDP on port GigabitEthernet 1/0/1. By default, LLDP is enabled on Ethernet ports. 2. Set the LLDP o
240 b. Click the GigabitEthernet1/0/1 port name in the port list. c. Click the Status Information tab at the lower half of the page. The output s
241 LLDP configuration guidelines When you configure LLDP, follow these guidelines: • To make LLDP take effect on a port, enable LLDP both globally
242 Configuring ARP Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: AR
243 2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the fol
244 Dynamic ARP entry ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the outpu
245 Creating a static ARP entry 1. From the navigation tree, select Network > ARP Management. The default ARP Table page appears, as shown in Fig
246 Configuring gratuitous ARP 1. From the navigation tree, select Network > ARP Management. 2. Click the Gratuitous ARP tab. Figure 220 Gratuit
13 Function menu Description User level IPv6 Routing Summary Display the IPv6 active route table. Monitor Create Create an IPv6 static route. Con
247 Figure 221 Network diagram Configuring Switch A 1. Create VLAN 100: a. From the navigation tree, select Network > VLAN. b. Click the Add
248 c. Select Untagged for Select membership type. d. Enter 100 in the VLAN IDs field. e. Click Apply. A configuration process dialog box appears
249 Figure 224 Creating VLAN-interface 100 4. Create a static ARP entry: a. From the navigation tree, select Network > ARP Management. The def
250 Configuring ARP attack protection Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network atta
251 Figure 226 ARP detection configuration page 2. Configure ARP detection as described in Table 82. 3. Click Apply. Table 82 Configuration items
252 Configuring IGMP snooping Overview IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding e
253 Figure 228 IGMP snooping related ports The following describes the ports involved in IGMP snooping: • Router port—Layer 3 multicast device-si
254 Timer Description Message received before the timer expires Action after the timer expires Dynamic member port aging timer When a port dynamicall
255 switch cannot determine whether the reported multicast group still has active members attached to that port. Leave message An IGMPv1 host silent
256 Step Remarks 2. Configuring IGMP snooping in a VLAN Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and queri
14 Function menu Description User level Accounting Display the accounting method configuration information about an ISP domain. Monitor Specify accou
257 Configuring IGMP snooping in a VLAN 1. From the navigation tree, select Network > IGMP snooping. 2. Click the icon for the VLAN. Figure
258 Item Description Querier Enable or disable the IGMP snooping querier function. On an IP multicast network that runs IGMP, a Layer 3 device acts a
259 Table 84 Configuration items Item Description Port Select the port on which advanced IGMP snooping features will be configured. The port can be a
260 Figure 233 Displaying detailed information about the entry Table 85 Field description Field Description VLAN ID ID of the VLAN to which the en
261 Figure 234 Network diagram Configuration procedure Configuring Router A Enable IP multicast routing globally, enable PIM-DM on each interface,
262 Figure 235 Creating VLAN 100 2. Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: a. Click the Modify Port tab. b. Se
263 Figure 236 Assigning ports to the VLAN 3. Enable IGMP snooping globally: a. From the navigation tree, select Network > IGMP snooping. b.
264 Figure 238 Configuring IGMP snooping in VLAN 100 Verifying the configuration 1. From the navigation tree, select Network > IGMP snooping.
265 The output shows that GigabitEthernet 1/0/3 of Switch A is listening to the multicast streams destined for multicast group 224.1.1.1.
266 Configuring MLD snooping Overview MLD snooping runs on a Layer 2 switch as an IPv6 multicast constraining mechanism to improve multicast forwardi
15 Function menu Description User level Link Setup Create a rule for a link layer ACL. Configure Remove Delete an IPv4 ACL or its rules. Configur
267 Figure 242 MLD snooping related ports The following describes the ports involved in MLD snooping: • Router port—Layer 3 multicast device-side
268 Timer Description Message received before the timer expires Action after the timer expires Dynamic member port aging timer When a port dynamicall
269 the reported IPv6 multicast group address to suppress their own reports. In this case, the switch cannot determine whether the reported IPv6 mult
270 Step Remarks 2. Configuring MLD snooping in a VLAN Required. Enable MLD snooping in the VLAN and configure the MLD snooping version and querier.
271 2. Click the icon for the VLAN. Figure 244 Configuring MLD snooping in a VLAN 3. Configure the parameters as described in Table 86. 4. Cl
272 Configuring MLD snooping port functions 1. Select Network > MLD snooping from the navigation tree. 2. Click the Advanced tab. Figure 245 Co
273 Item Description Fast Leave Enable or disable fast-leave processing on the port. When a port that is enabled with the MLD snooping fast-leave pr
274 Field Description Member Ports All member ports. MLD snooping configuration example Network requirements As shown in Figure 247, MLDv1 runs on
275 Figure 248 Creating VLAN 100 2. Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: a. Click the Modify Port tab. b. Se
276 Figure 249 Assigning ports to VLAN 100 3. Enable MLD snooping globally: a. Select Network > MLD snooping from the navigation tree. b. Se
16 Function menu Description User level PoE PoE Summary Display PSE information and PoE interface information. Monitor PSE Setup Configure a PoE int
277 d. Click Apply. Figure 251 Enabling MLD snooping in VLAN 100 Verifying the configuration 1. Select Network > MLD snooping from the navigat
278 Configuring IPv4 and IPv6 routing The term "router" in this chapter refers to both routers and Layer 3 switches. Overview A router sele
279 Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must
280 Creating an IPv4 static route 1. Select Network > IPv4 Routing from the navigation tree. 2. Click the Create tab. The page for configuring
281 Item Description Interface Select the output interface. You can select any available Layer 3 interface, for example, a virtual interface, of the
282 The page for configuring an IPv6 static route appears. Figure 257 Creating an IPv6 static route 3. Create an IPv6 static route as described i
283 IPv4 static route configuration example Network requirements As shown in Figure 258, configure IPv4 static routes on Switch A, Switch B, and Swit
284 Figure 259 Configuring a default route 2. Configure a static route to Switch A and Switch C on Switch B: a. Select Network > IPv4 Routing
285 Figure 260 Configuring a static route e. Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. f. Cli
286 Figure 261 Configuring a default route Verifying the configuration 1. Display the routing table. Enter the IPv4 route page of Switch A, Switc
i Contents Overview
17 Figure 7 Content display by pages Search function The Web interface provides you with the basic and advanced searching functions to display only
287 IPv6 static route configuration example Network requirements As shown in Figure 262, configure IPv6 static routes on Switch A, Switch B, and Swit
288 Figure 263 Configuring a default route 2. Configure a static route to Switch A and Switch C on Switch B: a. Select Network > IPv6 Routing
289 Figure 264 Configuring a static route e. Enter 3:: for Destination IP Address, select 64 from the Prefix Length list, and enter 5::1 for Next
290 Figure 265 Configuring a default route Verifying the configuration 1. Display the routing table. Enter the IPv6 route page of Switch A, Switc
291 round-trip min/avg/max = 62/62/63 ms Configuration guidelines When you configure a static route, follow these guidelines: • If you do not s
292 DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP us
293 IP address allocation process Figure 267 Dynamic IP address allocation process 1. The client broadcasts a DHCP-DISCOVER message to locate a DH
294 DHCP message format Figure 268 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parent
295 DHCP options DHCP defines the message format as an extension to BOOTP for compatibility. DHCP uses the Option field to carry information for dyna
296 The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Opti
18 Figure 9 Advanced search Take the LLDP table shown in Figure 7 as an example. To search for the LLDP entries with LLDP Work Mode TxRx, and LLDP
297 Configuring DHCP relay agent Overview Since the DHCP clients request IP addresses through broadcast messages, the DHCP server and clients must be
298 Figure 273 DHCP relay agent operation Recommended configuration procedure Task Remarks Enabling DHCP and configuring advanced parameters for th
299 Enabling DHCP and configuring advanced parameters for the DHCP relay agent 1. From the navigation tree, select Network > DHCP to enter the de
300 4. Click Apply. Table 94 Configuration items Item Description DHCP Service Enable or disable global DHCP. Unauthorized Server Detect Enable or
301 3. Configure the DHCP server group as shown in Table 95. 4. Click Apply. Table 95 Configuration items Item Description Server Group ID Enter th
302 Configuring and displaying clients' IP-to-MAC bindings 1. From the navigation tree, select Network > DHCP to enter the default DHCP Rela
303 DHCP relay agent configuration example Network requirements As shown in Figure 279, VLAN-interface 1 on the DHCP relay agent (Switch A) connects
304 Figure 280 Enabling DHCP 2. Configure a DHCP server group: a. In the Server Group area, click Add and then perform the following operations,
305 3. Enable the DHCP relay agent on VLAN-interface 1: a. In the Interface Config field, click the icon of VLAN-interface 1, and then perform th
306 Configuring DHCP snooping DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees
19 Figure 12 Advanced search function example (3) Sort function On some list pages, the Web interface provides the sorting function to display the e
307 Figure 283 Trusted and untrusted ports In a cascaded network as shown in Figure 284, configure each DHCP snooping device's ports connected
308 Device Untrusted port Trusted port disabled from recording binding entries Trusted port enabled to record binding entries Switch B GigabitEtherne
309 Task Remarks Displaying clients' IP-to-MAC bindings Optional. Display clients' IP-to-MAC bindings recorded by DHCP snooping. Enabling
310 Figure 286 DHCP snooping interface configuration page 4. Configure DHCP snooping on the interface as described in Table 100. 5. Click Apply.
311 Item Description Type Displays the client type: • Dynamic—The IP-to-MAC binding is generated dynamically. • Static—The IP-to-MAC binding is con
312 Figure 289 Enabling DHCP snooping 2. Configure DHCP snooping functions on GigabitEthernet 1/0/1: a. Click the icon of GigabitEthernet 1/0/1
313 4. Configure DHCP snooping functions on GigabitEthernet 1/0/3: a. Click the icon of GigabitEthernet 1/0/3 on the interface list. b. Select t
314 Managing services Overview Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You
315 Managing services 1. Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure
316 Item Description Port Number Set the port number for HTTP service. You can view this configuration item by clicking the expanding button in fron
20 Configuring the switch at the CLI The HP 1920 Switch Series can be configured through the CLI, Web interface, and SNMP/MIB, among which the Web int
317 Using diagnostic tools This chapter describes how to use the ping and traceroute utilities. Ping Use the ping utility to determine if a specific
318 2. The first hop device responds with an ICMP TTL-expired message to the source. In this way, the source device gets the address of the first de
319 Figure 295 Ping operation result Traceroute operation The Web interface does not support IPv6 traceroute. Before performing a traceroute operat
320 3. Enter the IP address or host name of the destination device in the Trace Route field. 4. Click Start. 5. View the output in the Summary ar
321 Configuring 802.1X 802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee fo
322 • MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected. Controlled
323 • Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4). • Identifier—Used for matching Responses
324 EAP-Message RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 302. The Type field takes 79, and the Value field ca
325 802.1X authentication procedures 802.1X provides the following methods for authentication: • EAP relay. • EAP termination. You choose either
326 Packet exchange method Benefits Limitations EAP termination Works with any RADIUS server that supports PAP or CHAP authentication. • Supports o
21 NOTE: • The serial port on a PC does not support hot swapping. When you connect a PC to a powered-on switch, connect the DB-9 connector of the co
327 5. The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is foun
328 Figure 307 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentic
329 • Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has p
330 Authentication status VLAN manipulation No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled. The device assigns
331 Authentication status VLAN manipulation A user fails 802.1X authentication. The device assigns the Auth-Fail VLAN to the port as the PVID. All 8
332 Recommended configuration procedure Step Remarks 1. Configuring 802.1X globally Required. This function enables 802.1X authentication globally.
333 ○ The support of the RADIUS server for EAP packets. ○ The authentication methods supported by the 802.1X client and the RADIUS server. 4. Clic
334 Figure 310 Configuring 802.1X on a port Table 105 describes the configuration items. Table 105 Configuration items Item Description Port Select
335 Item Description Enable Re-Authentication Specifies whether to enable periodic online user re-authentication on the port. Periodic online user re
336 Table 106 Relationships of the 802.1X guest VLAN and other security features Feature Relationship description MAC authentication guest VLAN on a
22 Figure 16 Setting the serial port used by the HyperTerminal connection 4. Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bit
337 Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS accounting fails, the access device l
338 2. Configure 802.1X for GigabitEthernet 1/0/1: a. In the Ports With 802.1X Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Po
339 Figure 314 Configuring the RADIUS scheme 2. Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configu
340 d. Click Apply. The RADIUS Server Configuration area displays the primary authentication server you have configured. 3. Configure the backup
341 Figure 315 Creating an ISP domain 2. Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test
342 Figure 317 Configuration progress dialog box e. After the configuration process is complete, click Close. 3. Configure AAA authorization meth
343 Figure 319 Configuring the AAA accounting method for the ISP domain d. Click Apply. e. After the configuration process is complete, click Clo
344 d. Select Without domain name from the Username Format list. e. Click Apply. 2. Configure the primary authentication server in the RADIUS sche
345 Figure 323 Configuring the RADIUS scheme 4. Click Apply. Configuring AAA 1. Create an ISP domain: a. From the navigation tree, select Authen
346 Figure 324 Creating an ISP domain 2. Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test
23 Figure 18 HyperTerminal window 6. Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box. Figure 1
347 Figure 326 Configuration progress dialog box e. After the configuration process is complete, click Close. 3. Configure AAA authorization meth
348 Figure 328 Configuring the AAA accounting method for the ISP domain f. After the configuration process is complete, click Close. Configuring a
349 c. In the IP Address Filter area, select Destination IP Address: − Enter 10.0.0.1 as the destination IP address. − Enter 0.0.0.0 as the destin
350 c. Select the authentication method CHAP. d. Click Apply. Figure 331 Configuring 802.1X globally 2. Configure 802.1X for GigabitEthernet 1/0
351 Figure 333 shows the ping operation summary. Figure 333 Ping operation summary
352 Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access managem
353 AAA can be implemented through multiple protocols. The device supports RADIUS, which is most often used. For more information about RADIUS, see &
354 Step Remarks 3. Configuring authorization methods for the ISP domain Optional. Specify the authorization methods for various types of users. By
355 Item Description Default Domain Specify whether to use the ISP domain as the default domain. Options include: • Enable—Uses the domain as the de
356 Item Description LAN-access AuthN Name Secondary Method Configure the authentication method and secondary authentication method for LAN access us
24 Logging in to the CLI The login process requires a username and password. The default username for first time configuration is admin, no password i
357 Table 110 Configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods.
358 Figure 338 Accounting method configuration page 3. Select the ISP domain and specify accounting methods for the ISP domain, as described in Ta
359 Item Description Login Accounting Name Secondary Method Configure the accounting method and secondary accounting method for login users. Options
360 Figure 340 Configuring a local user 4. Configure ISP domain test: a. Select Authentication > AAA from the navigation tree. The domain con
361 5. Configure the ISP domain to use local authentication: a. Select Authentication > AAA from the navigation tree. b. Click the Authenticati
362 f. After the configuration progress is complete, click Close. Figure 344 Configuring the ISP domain to use local authorization 7. Configure t
363 Configuring RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a cli
364 Security and authentication mechanisms The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt user p
365 7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to
366 • The Length field (2 bytes long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribut
25 initialize Syntax initialize Parameters None Description Use initialize to delete the configuration file to be used at the next startup and reboot
367 No. Attribute No. Attribute 23 Framed-IPX-Network 70 ARAP-Password 24 State 71 ARAP-Features 25 Class 72 ARAP-Zone-Access 26 Vendor-Specif
368 Figure 349 Format of attribute 26 Protocols and standards • RFC 2865, Remote Authentication Dial In User Service (RADIUS) • RFC 2866, RADIUS
369 Figure 351 RADIUS scheme configuration page 3. Configure the parameters as described in Table 114. 4. Click Apply. Table 114 Configuration it
370 Figure 352 Common configuration 2. Configure the parameters, as described in Table 115. Table 115 Configuration items Item Description Server
371 Item Description Username Format Select the format of usernames to be sent to the RADIUS server. Typically, a username is in the format of userid
372 Item Description Request Transmission Attempts Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If
373 Item Description Stop-Accounting Attempts Set the maximum number of stop-accounting attempts. The maximum number of stop-accounting attempts, to
374 Table 116 Configuration items Item Description Server Type Select the type of the RADIUS server to be configured. Options include primary authent
375 c. Select Without domain name for the username format. 3. In the RADIUS Server Configuration area, click Add to configure the primary authenti
376 Figure 357 RADIUS scheme configuration Configuring AAA 1. Select Authentication > AAA in the navigation tree. The domain setup page appear
26 # Create VLAN-interface 1 and assign 192.168.1.2 to the interface, and specify 192.168.1.1 as the default gateway. <Sysname> ipsetup ip-addre
377 3. Select the Authentication tab to configure the authentication scheme: a. Select the domain name test. b. Select Default AuthN and select RA
378 Figure 361 Configuring the AAA authorization method for the ISP domain 5. Select the Accounting tab to configure the accounting scheme: a. Se
379 • If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages f
380 Configuring users You can configure local users and create groups to manage them. A local user represents a set of user attributes configured on
381 Figure 364 Local user configuration page 3. Configure the local user as described in Table 118. 4. Click Apply. Table 118 Configuration items
382 Item Description Expire-time Specify an expiration time for the local user, in the HH:MM:SS-YYYY/MM/DD format. To authenticate a local user with
383 Figure 366 User group configuration page 4. Configure the user group as described in Table 119. 5. Click Apply. Table 119 Configuration items
384 Managing certificates Overview The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key tech
385 Figure 367 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a rou
386 4. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity tha
ii Displaying system and device information
27 Change password for user: admin Old password: *** Enter new password: ** Retype password: ** The password has been successfully changed. ping Synta
387 Step Remarks 2. Creating a PKI domain Required. Create a PKI domain, setting the certificate request mode to Manual. Before requesting a PKI cer
388 Step Remarks 6. Destroying the RSA key pair Optional. Destroy the existing RSA key pair and the corresponding local certificate. If the certific
389 Figure 368 PKI entity list 2. Click Add on the page. Figure 369 PKI entity configuration page 3. Configure the parameters, as described in
390 Item Description State Enter the state or province for the entity. Locality Enter the locality for the entity. Organization Enter the organizatio
391 Figure 371 PKI domain configuration page 5. Configure the parameters, as described in Table 121. 6. Click Apply. Table 121 Configuration item
392 Item Description Requesting URL Enter the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCE
393 Item Description CRL URL Enter the URL of the CRL distribution point. The URL can be an IP address or a domain name. This item is available after
394 Figure 373 Key pair parameter configuration page Destroying the RSA key pair 1. From the navigation tree, select Authentication > Certifica
395 Figure 375 PKI certificate retrieval page 4. Configure the parameters, as described in Table 122. 5. Click Apply. Table 122 Configuration it
396 Figure 376 Certificate information Requesting a local certificate 1. From the navigation tree, select Authentication > Certificate Manageme
28 Examples # Ping IPv6 address 2001::4. <Sysname> ping ipv6 2001::4 PING 2001::4 : 56 data bytes, press CTRL_C to break Reply from 2001:
397 Figure 377 Local certificate request page 4. Configure the parameters, as described in Table 123. Table 123 Configuration items Item Descripti
398 Retrieving and displaying a CRL 1. From the navigation tree, select Authentication > Certificate Management. 2. Click the CRL tab. Figure 37
399 Field Description Last Update Last update time. Next Update Next update time. X509v3 CRL Number CRL sequence number X509v3 Authority Key Iden
400 Configuring the switch 1. Create a PKI entity: a. From the navigation tree, select Authentication > Certificate Management. The PKI entity
401 Figure 383 Creating a PKI domain 3. Generate an RSA key pair: a. Click the Certificate tab. b. Click Create Key. c. Enter 1024 as the key
402 Figure 385 Retrieving the CA certificate 5. Request a local certificate: a. Click the Certificate tab. b. Click Request Cert. c. Select to
403 Authentication > Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL. Configuration
404 Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not
405 MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traff
406 If a user in the Auth-Fail VLAN passes MAC authentication, it is removed from the Auth-Fail VLAN and can access all authorized network resources.
29 reboot Syntax reboot Parameters None Description Use reboot to reboot the device and run the main configuration file. Use the command with caution
407 Figure 388 MAC authentication configuration page 3. Configure MAC authentication global settings as described in Table 125, and then click App
408 Configuring MAC authentication on a port 1. From the navigation tree, select Authentication > MAC Authentication. 2. In the Ports With MAC A
409 • Configure all users to belong to the domain aabbcc.net, and specify local authentication for users in the domain. • Use the MAC address of e
410 Figure 392 Configuring the authentication method for the ISP domain 6. Click Apply. A configuration progress dialog box appears, as shown in
411 Figure 394 Configuring MAC authentication globally 2. Configure MAC authentication for GigabitEthernet 1/0/1: a. In the Ports With MAC Authen
412 Figure 396 Network diagram Configuring IP addresses # Assign an IP address to each interface. Make sure the RADIUS servers, host, and switch ca
413 Figure 397 Configuring a RADIUS authentication server 3. Configure the primary accounting server in the RADIUS scheme: a. In the RADIUS Serve
414 Figure 399 RADIUS configuration Configuring AAA for the scheme 1. Create an ISP domain: a. From the navigation tree, select Authentication &g
415 Figure 400 Creating an ISP domain 2. Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select the
416 Figure 402 Configuration progress dialog box e. After the configuration process is complete, click Close. 3. Configure AAA authorization meth
30 Select menu option: Summary IP Method: Manual
417 Figure 404 Configuring the accounting method for the ISP domain e. After the configuration process is complete, click Close. Configuring an AC
418 c. Select the action Deny. d. In the IP Address Filter area, select Destination IP Address: − Enter the destination IP address 10.0.0.1. − E
419 b. Select Enable MAC Authentication. c. Click Advanced. d. Select the authentication ISP domain test, select the authentication information fo
420 Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
421 Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control.
422 • Basic mode—In this mode, a port can learn the specified number of MAC addresses and save those addresses as secure MAC addresses. It permits o
423 The maximum number of users a port supports equals the maximum number of secure MAC addresses that port security allows or the maximum number of
424 Step Remarks 1. Configuring global settings for port security Required. This function enables port security globally and configures intrusion pr
425 Figure 410 Port security configuration 3. Configure global port security settings as described in Table 128. 4. Click Apply. Table 128 Config
426 The page for applying port security control appears. Figure 412 Configuring basic port security control 3. Configure basic port security contr
31 Use upgrade server-address source-filename runtime to upgrade the system software image file. If the system software image file in the downloaded s
427 Item Description Enable Outbound Restriction Specifies whether to enable outbound traffic control, and selects a control method. Available cont
428 Table 130 Configuration items Item Description Port Selects a port where the secure MAC address is configured. Secure MAC Address Enters the MA
429 Item Description Enable Intrusion Protection Specifies whether to enable intrusion protection, and selects an action to be taken upon detection
430 Port security configuration examples Basic port security mode configuration example Network requirements As shown in Figure 418, configure port G
431 Figure 419 Configuring port security Configuring the basic port security control 1. In the Security Ports And Secure MAC Address List area, cl
432 Figure 421 Secure MAC address list 2. When the maximum number of MAC addresses is reached, intrusion protection is triggered. Select Device &g
433 Figure 423 Displaying port state If you remove MAC addresses from the secure MAC address list, the port can continue to learn MAC addresses. A
434 NOTE: Configurations on the host and RADIUS servers are not shown. Configuring a RADIUS scheme 1. Create a RADIUS scheme: a. From the naviga
435 Figure 426 Configuring the RADIUS accounting server c. Click Apply. The RADIUS Server Configuration area displays the servers you have configu
436 Figure 428 Configuring AAA authentication e. Click Apply. A dialog box appears, displaying the configuration progress, as shown in Figure 429.
32 Examples # Download software package file main.bin from the TFTP server and use the Boot ROM image in the package as the startup configuration file
437 Figure 430 Configuring AAA authorization e. When the configuration process is complete, click Close. 3. Configure AAA accounting method: a.
438 Figure 432 Configuring global port security settings 2. Configure advanced port security control: a. In the Advanced Port Security Configurat
439 Figure 434 Configuring permitted OUI values d. Repeat the previous three steps to add the OUI values of the MAC addresses 1234-0200-0000 and 1234-
440 Configuring port isolation The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also us
441 Port isolation configuration example Network requirements As shown in Figure 436: • Campus network users Host A, Host B, and Host C are connecte
442 Figure 437 Assigning ports to the isolation group e. Click Apply. A configuration progress dialog box appears. f. After the configuration p
443 Configuring authorized IP The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only th
444 Authorized IP configuration example Network requirements In Figure 440, configure Switch to deny Telnet and HTTP requests from Host A, and permit
445 a. Click Basic Setup. The page for configuring an ACL rule appears. b. Select 2001 from the ACL list, select Permit from the Action list, selec
446 Figure 443 Configuring authorized IP
33 Deleting the old file, please wait... File will be transferred in binary mode Downloading file from remote TFTP server, please wait.../ TFT
447 Configuring loopback detection A loop occurs when a port receives a packet sent by itself. Loops might cause broadcast storms. The purpose of loo
448 Figure 444 Loopback detection configuration page 2. Configure the global loopback detection settings as described in Table 134, and then click
449 Item Description Detection in VLAN Sets whether the system performs loopback detection in all VLANs for the target trunk or hybrid port. If you
450 Configuring ACLs Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Grayed-out options on Web configuration
451 Table 136 Depth-first match for ACLs ACL category Sequence of tie breakers IPv4 basic ACL 1. More 0s in the source IP address wildcard (more 0s
452 For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbe
453 Step Remarks 3. Configuring a rule for a basic IPv4 ACL. Required. Complete one of the following tasks according to the ACL category. 4. Confi
454 4. Click Apply. Table 137 Configuration items Item Description Time Range Name Set the name for the time range. Periodic Time Range Start Time
455 Table 138 Configuration items Item Description ACL Number Set the number of the IPv4 ACL. Match Order Set the match order of the ACL. Available
456 Table 139 Configuration items Item Description ACL Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv
34 Configuration wizard The configuration wizard guides you through configuring the basic service parameters, including the system name, system locat
457 Figure 448 Configuring an advanced IPv4 ACL 3. Configure a rule for an advanced IPv4 ACL as described in Table 140. 4. Click Add. Table 140
458 Item Description Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign o
459 Item Description TCP/UDP Port TCP Connection Established Select this box to make the rule match packets used for establishing and maintaining TC
460 Figure 449 Configuring a rule for an Ethernet frame header ACL 3. Configure a rule for an Ethernet frame header IPv4 ACL as described in Table
461 Item Description MAC Address Filter Source MAC Address Select the Source MAC Address box and enter a source MAC address and a mask. Source Mask
462 Table 142 Configuration items Item Description ACL Number Enter a number for the IPv6 ACL. Match Order Select a match order for the ACL. Availab
463 Item Description Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign o
464 Figure 452 Configuring a rule for an advanced IPv6 ACL 3. Add a rule for an advanced IPv6 ACL as described in Table 144. 4. Click Add. Table
465 Item Description Check Fragment Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to
466 Configuring QoS Grayed-out options on Web configuration pages cannot be configured. Overview Quality of Service (QoS) reflects the ability of a n
35 Figure 22 System parameter configuration page 2. Configure the parameters as described in Table 3. Table 3 Configuration items Item Description
467 Congestion: causes, impacts, and countermeasures Network congestion is a major factor contributing to service quality degradation on a traditional n
468 End-to-end QoS Figure 454 End-to-end QoS model As shown in Figure 454, traffic classification, traffic policing, traffic shaping, congestion ma
469 When packets are classified on the network boundary, the precedence bits in the ToS field of the IP packet header are generally re-set. In this w
470 Table 146 Description on DSCP values DSCP value (decimal) DSCP value (binary) Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110
471 Figure 457 802.1Q tag header Table 147 Description on 802.1p priority 802.1p priority (decimal) 802.1p priority (binary) Description 0 000 be
472 Figure 458 SP queuing A typical switch provides eight queues per port. As shown in Figure 458, SP queuing classifies eight queues on a port int
473 A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0)
474 specification, and the traffic is called "conforming traffic." Otherwise, the traffic does not conform to the specification, and the tr
475 • For more information about 802.1p priority and DSCP values, see "Packet precedences." • Local precedence is a locally significant p
476 Table 149 Default DSCP to Queue mapping table Input DSCP value Local precedence (Queue) 0 to 7 0 8 to 15 1 16 to 23 2 24 to 31 3 32 to 39 4
36 Configuring management IP address CAUTION: Modifying the management IP address used for the current login terminates the connection to the devic
477 Table 150 Recommended QoS policy configuration procedure Step Remarks 1. Adding a class Required. Add a class and specify the logical relations
478 Recommended priority trust mode configuration procedure Step Remarks 1. Configuring priority trust mode on a port Required. Set the priority t
479 Configuring classification rules 1. Select QoS > Classifier from the navigation tree. 2. Click Setup to enter the page for setting a class.
480 Table 152 Configuration items Item Description VLAN Customer VLAN Define a rule to match customer VLAN IDs. If multiple such rules are configure
481 Configuring traffic mirroring and traffic redirecting for a traffic behavior 1. Select QoS > Behavior from the navigation tree. 2. Click Po
482 Figure 467 Setting a traffic behavior 3. Configure other actions for a traffic behavior as described in Table 155. 4. Click Apply. Table 155
483 Item Description CIR Set the committed information rate (CIR), the average traffic rate. CBS Set the committed burst size (CBS), number of byt
484 Table 156 Configuration items Item Description Policy Name Specify a name for the policy to be added. Some devices have their own system-defined
485 Figure 470 Applying a policy to a port 3. Apply a policy to a port as described in Table 158. 4. Click Apply. Table 158 Configuration items
486 Table 159 Configuration items Item Description WRR Setup WRR Enable or disable the WRR queue scheduling mechanism on selected ports. The followi
iii Mirroring source
37 Item Description Admin status Enable or disable the VLAN interface. When errors occurred in the VLAN interface, disable the interface and then ena
487 Item Description Rate Limit Enable or disable rate limit on the specified port. Direction Select a direction in which the rate limit is to be a
488 Configuring priority trust mode on a port 1. Select QoS > Port Priority from the navigation tree. Figure 474 Configuring port priorities 2
489 ACL and QoS configuration example Network requirements As shown in Figure 476, the FTP server (10.1.1.1/24) is connected to the Switch, and the c
490 Figure 477 Defining a time range covering 8:00 to 18:00 every day 2. Add an advanced IPv4 ACL: a. Select QoS > ACL IPv4 from the navigatio
491 c. Select the Rule ID box, and enter rule ID 2. d. Select Permit in the Action list. e. Select the Destination IP Address box, and enter IP ad
492 c. Enter the class name class1. d. Click Add. Figure 480 Adding a class 5. Define classification rules: a. Click the Setup tab. b. Select
493 Figure 481 Defining classification rules d. Click Apply. A progress dialog box appears, as shown in Figure 482. e. Click Close on the progre
494 Figure 482 Configuration progress dialog box 6. Add a traffic behavior: a. Select QoS > Behavior from the navigation tree. b. Click the A
495 Figure 484 Configuring actions for the behavior 8. Add a policy: a. Select QoS > QoS Policy from the navigation tree. b. Click the Add ta
496 a. Click the Setup tab. b. Select policy1. c. Select class1 from the Classifier Name list. d. Select behavior1 from the Behavior Name list.
38 Figure 24 Configuration complete
497 Configuring PoE Only a device with a mark of PoE supports the PoE feature. Overview IEEE 802.3af-compliant power over Ethernet (PoE) enables a po
498 Configuring PoE Before configuring PoE, make sure the PoE power supply and PSE are operating correctly. Otherwise, either you cannot configure Po
499 Item Description Power Max Set the maximum power for the PoE port. The maximum PoE interface power is the maximum power that the PoE interface ca
500 Figure 490 PSE Setup tab Enabling the non-standard PD detection function for a PSE 1. Select Enable in the corresponding Non-Standard PD Compa
501 PoE configuration example Network requirements As shown in Figure 492, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are connected to IP teleph
502 Figure 493 Configuring the PoE ports supplying power to the IP telephones 2. Enable PoE on GigabitEthernet 1/0/11 and set the maximum power of
503 Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Befo
504 Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text
505 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as
506 Index Numerics 802.1X access control methods, 321 ACL assignment, 331 architecture, 321 authentication, 325 authentication (access device initiat
39 Configuring stack Overview The stack management feature allows you to configure and monitor a group of connected devices by logging in to one devi
507 match order, 450 packet fragment filtering, 452 rule numbering step, 451 security MAC authentication, 411 time range configuration, 453 time-base
508 port security advanced mode configuration, 433 port security authentication modes, 421 port security basic control configuration, 425 port securi
509 choosing Ethernet link aggregation selected state, 205 Ethernet link aggregation unselected state, 205 CIST calculation, 189 network device conn
510 IGMP snooping port function, 258 IP routing (IPv4), 278 IP routing (IPv6), 278 IP services ARP entry, 244 isolation group, 440 LLDP, 217, 236 LL
511 system time (by using NTP), 57, 58 system time (manually), 56 user group, 382 VCT, 91 VLAN interface, 150 Web device configuration management,
512 Web stack configuration, 39 Web user level, 8 Web-based NM functions, 8 device information displaying device information, 47, 48 device managemen
513 Web device file, 67 DSCP QoS packet IP precedence and DSCP values, 469 dst-mac validity check (ARP), 250 dynamic ARP table entry, 244 DHCP addres
514 group configuration, 208 group creation, 208 LACP, 205 LACP priority, 211 LACP-enabled port, 211 member port state, 205 modes, 206 operational ke
515 NMM local port mirroring group monitor port, 84 NMM local port mirroring group port, 81 NMM local port mirroring group source port, 84 NMM port
516 IP services ARP entry configuration, 244 IP services ARP entry removal, 245 security ARP attack protection configuration, 250 traceroute, 317 IP
40 Task Remarks Configuring member devices of a stack: Configuring stack ports Required. Configure a port of a member device that connects to the mas
517 Ethernet link aggregation group creation, 208 Ethernet link dynamic aggregation group configuration, 208 Ethernet link static aggregation group c
518 MSTP configuration, 177, 190, 199 loopback detection configuration, 447, 447 configuration (global), 447 configuration (port-specific), 448 loo
519 membership report IGMP snooping, 254 MLD snooping, 268 message ARP configuration, 242 ARP message format, 242 ARP static configuration, 246 DHCP
520 displaying IGMP snooping multicast forwarding entries, 259 enabling IGMP snooping (globally), 256 enabling IGMP snooping (in a VLAN), 257 IGMP sn
521 Web device file upload, 68 Web device local user adding, 86 Web device main boot file specifying, 68 Web device privilege level switching, 88 Web
522 Web service management, 314, 315 Web stack configuration, 39, 43 Web user level, 8 Web-based NM functions, 8 NMM local port mirroring configura
523 ping address reachability determination, 317, 318 system maintenance, 317 PoE configuration, 497, 501, 501 detect nonstandard PDs enable, 499
524 security MAC authentication configuration, 404, 406, 408 security MAC local authentication configuration, 408 specified operation parameter for a
525 configuring AAA authentication methods for ISP domain, 355 configuring AAA authorization methods for ISP domain, 356 configuring AAA ISP domain,
526 configuring QoS traffic redirecting, 481 configuring queue scheduling, 477 configuring queue scheduling on port, 485, 486 configuring RADIUS comm
41 Figure 26 Setting up Table 6 Configuration items Item Description Private Net IP Mask Configure a private IP address pool for the stack. The mas
527 enabling PSE detect nonstandard PDs, 499 enabling SNMP agent, 113 entering configuration wizard homepage, 34 finishing configuration wizard, 37
528 AAA implementation, 363, 374 assigning MAC authentication ACL assignment, 405 assigning MAC authentication VLAN assignment, 405 client/server mod
529 IGMP snooping router port, 252 MLD snooping router port, 266 routing ACL configuration, 450 ACL configuration (advanced), 456, 463 ACL configurat
530 buffer capacity and refresh interval, 63 configuration environment, 20 LACP priority, 211 LLDP parameters for a single port, 224 LLDP parameters
531 algorithm calculation, 179 basic concepts, 178 BPDU forwarding, 184 CIST, 187 CST, 187 designated bridge, 178 designated port, 178 IST, 187
532 configuring system time (manually), 56 displaying current system time, 56 T table active route table (IPv4), 279 active route table (IPv6), 281 A
533 user level Web user level, 8 user management AAA management by ISP domains, 353 V validity check security ARP packet, 250 security ARP user, 250
534 device file management, 67 device file removing, 68 device file upload, 68 device idle timeout period configuration, 50 device local user adding,
42 Displaying topology summary of a stack Select Stack from the navigation tree and click the Topology Summary tab to enter the page shown in Figure
43 Figure 29 Device summary (a member device) Stack configuration example Network requirements As shown in Figure 30, Switch A, Switch B, Switch C,
44 Figure 31 Configuring global parameters for the stack on Switch A Switch A becomes the master device. 2. Configure a stack port on Switch A: a.
45 Figure 33 Configuring stack ports on Switch B Switch B becomes a member device. 4. On Switch C, configure GigabitEthernet 1/0/1 (the port conne
46 Verifying the configuration To verify the stack topology on Switch A: 1. Select Stack from the navigation tree of Switch A. 2. Click the Topolog
iv Configuring an SNMP user
47 Displaying system and device information Displaying system information Select Summary from the navigation tree to enter the System Information pag
48 Displaying the system resource state The System Resource State area displays the most recent CPU usage, memory usage, and temperature. Displaying
49 Figure 37 Device information To set the interval for refreshing device information, select one of the following options from the Refresh Period
50 Configuring basic device settings The device basic information feature provides the following functions: • Set the system name of the device. The
51 3. Set the idle timeout period for logged-in users. 4. Click Apply.
52 Maintaining devices Software upgrade CAUTION: Software upgrade takes some time. Avoid performing any operation on the Web interface during the u
53 Item Description If a file with the same name already exists, overwrite it without any prompt Specify whether to overwrite the file with the same
54 Electronic label Electronic label allows you to view information about the device electronic label, which is also known as the permanent configura
55 Figure 44 The diagnostic information file is created The generation of the diagnostic file takes a period of time. During this process, do not p
56 Configuring system time Overview You must configure a correct system time so that the device can operate correctly with other devices. The system
v Creating a static MAC address entry
57 Figure 46 Calendar page 3. Enter the system date and time in the Time field, or select the date and time in the calendar. To set the time on th
58 Table 11 Configuration items Item Description Clock status Display the synchronization status of the system clock. Source Interface Set the sou
59 Figure 48 Network diagram Configuring the system time 1. Configure the local clock as the reference clock, with the stratum of 2. Enable NTP au
60 • The synchronization process takes some time. The clock status might be displayed as unsynchronized after your configuration. In this case, refr
61 Configuring syslog System logs record network and device information, including running status and configuration changes. With system logs, admini
62 Table 12 Field description Field Description Time/Date Displays the time/date when the system log was generated. Source Displays the module that g
63 4. Click Apply. Table 13 Configuration items Item Description IPv4/Domain Specify the IPv4 address or domain name of the log host. IMPORTANT: Yo
64 Managing the configuration You can back up, restore, save, or reset the device configuration. Backing up the configuration Configuration backup al
65 To restore the configuration: 1. Select Device > Configuration from the navigation tree. 2. Click the Restore tab. Figure 54 Restoring the co
66 Figure 55 Saving the configuration • Common mode. To save the configuration in common mode: a. Select Device > Configuration from the navig
vi Configuring Switch A
67 Managing files The device requires a series of files for correct operation, including boot files and configuration files. These files are saved on
68 4. Click Download File. The File Download dialog box appears. 5. Open the file or save the file to a path. Uploading a file IMPORTANT: Upload
69 Managing ports You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interf
70 Figure 58 The Setup tab 3. Set the operation parameters for the port as described in Table 15. 4. Click Apply. Table 15 Configuration items It
71 Item Description Speed Set the transmission speed of the port: • 10—10 Mbps. • 100—100 Mbps. • 1000—1000 Mbps. • Auto—Autonegotiation. • Auto
72 Item Description Flow Control Enable or disable flow control on the port. With flow control enabled at both sides, when traffic congestion occurs
73 Item Description Unicast Suppression Set unicast suppression on the port: • ratio—Sets the maximum percentage of unicast traffic to the total ban
74 Figure 59 The Summary tab Displaying all the operation parameters for a port 1. Select Device > Port Management from the navigation tree 2.
75 Port management configuration example Network requirements As shown in Figure 61: • Server A, Server B, and Server C are connected to GigabitEthe
76 Figure 62 Configuring the speed of GigabitEthernet 1/0/4 2. Batch configure the autonegotiation speed range on GigabitEthernet 1/0/1, GigabitEt
vii Static route
77 Figure 63 Batch configuring the port speed 3. Display the speed settings of ports: a. Click the Summary tab. b. Click the Speed button to dis
78 Figure 64 Displaying the speed settings of ports
79 Configuring port mirroring Port mirroring refers to the process of copying the packets passing through a port/VLAN/CPU to the monitor port connect
80 Figure 65 Local port mirroring implementation As shown in Figure 65, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/
81 2. Click Add to enter the page for adding a mirroring group. Figure 66 Adding a mirroring group 3. Configure the mirroring group as described
82 Figure 67 Modifying ports 3. Configure ports for the mirroring group as described in Table 17. 4. Click Apply. A progress dialog box appears.
83 Local port mirroring configuration example Network requirements As shown in Figure 68, configure local port mirroring on Switch A so the server ca
84 3. Enter 1 for Mirroring Group ID, and select Local from the Type list. 4. Click Apply. Configuring GigabitEthernet 1/0/1 and GigabitEthernet 1/
85 Figure 71 Configuring the monitor port 5. Click Apply. A configuration progress dialog box appears. 6. After the success notification appears,
86 Managing users The user management function allows you to do the following: • Adding a local user, and specifying the password, access level, and