HP 1920-24G-PoE+ Bedienungsanleitung

HP 1920 Gigabit Ethernet Switch Series User Guide Part number: 5998-5627 Software version: Release 1102 Document version: 5W100-20140620

viii Configuring 802.1X ······························································································································

87 Item Description Access Level Select an access level for the user. Users of different levels can perform different operations. User levels, in or

88 4. Click Apply. Table 19 Configuration items Item Description Create/Remove Select the operation type: • Create—Configure or change the super pa

89 Configuring a loopback test You can check whether an Ethernet port operates correctly by performing Ethernet port loopback test. During the test t

90 4. Click Test. After the test is complete, the system displays the loopback test result. Figure 76 Loopback test result

91 Configuring VCT Overview You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the d

92 Configuring the flow interval With the flow interval module, you can view the number of packets and bytes sent and received by a port, and the ban

93 Configuring RMON Overview Remote Network Monitoring (RMON) is an enhancement to SNMP. It enables proactive remote monitoring and management of net

94 History group The history group defines that the system periodically collects traffic statistics on interfaces and saves the statistics in the his

95 RMON configuration task list Configuring the RMON statistics function The RMON statistics function can be implemented by either the Ethernet stati

96 Table 22 RMON alarm configuration task list Task Remarks Configuring a statistics entry Required. You can create up to 100 statistics entries in a

ix PKI applications ··································································································································

97 Task Remarks Displaying RMON event logs If you configure the system to log an event after the event is triggered when you configure the event grou

98 Configuring a history entry 1. Select Device > RMON from the navigation tree. 2. Click the History tab. Figure 82 History entry 3. Click A

99 Configuring an event entry 1. Select Device > RMON from the navigation tree. 2. Click the Event tab. Figure 84 Event entry 3. Click Add. F

100 Configuring an alarm entry 1. Select Device > RMON from the navigation tree. 2. Click the Alarm tab. Figure 86 Alarm entry 3. Click Add.

101 Item Description Interval Set the sampling interval. Sample Type Set the sampling type: • Absolute—Absolute sampling to obtain the value of the

102 Figure 88 RMON statistics Table 28 Field description Field Description Number of Received Bytes Total number of octets received by the interfac

103 Field Description Number of Network Conflicts Total number of collisions received on the interface, corresponding to the MIB node etherStatsColli

104 Table 29 Field description Field Description NO Number of the entry in the system buffer. Statistics are numbered chronologically when they are s

105 Figure 90 Log tab In this example, event 1 has generated one log, which is triggered because the alarm value (11779194) exceeds the rising thre

106 Figure 92 Adding a statistics entry 2. Display RMON statistics for GigabitEthernet 1/0/1: a. Click the icon corresponding to GigabitEtherne

x Configuring loopback detection ·····················································································································

107 Figure 94 Configuring an event group Figure 95 Displaying the index of an event entry 4. Configure an alarm group to sample received bytes o

108 Figure 96 Configuring an alarm group Verifying the configuration After the above configuration, when the alarm event is triggered, you can disp

109 Configuring energy saving Energy saving enables a port to operate at the lowest transmission speed, disable PoE, or go down during a specific tim

110 Item Description Lowest Speed Set the port to transmit data at the lowest speed. If you configure the lowest speed limit on a port that does not

111 Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration proc

112 • Set—The NMS modifies the value of an object node in an agent MIB. • Notifications—Includes traps and informs. SNMP agent sends traps or infor

113 Table 32 SNMPv3 configuration task list Task Remarks 1. Enabling SNMP agent Required. The SNMP agent function is disabled by default. IMPORTANT

114 Figure 101 Setup tab 2. Configure SNMP settings on the upper part of the page as described in Table 33. 3. Click Apply. Table 33 Configuratio

115 Item Description Location Set a character string to describe the physical location of the device. SNMP Version Set the SNMP version run by the

116 8. Repeat steps 6 and 7 to add more rules for the SNMP view. 9. Click Apply. To cancel the view, click Cancel. Figure 104 Creating an SNMP view

xi Configuring PoE ···································································································································

117 Figure 105 Adding rules to an SNMP view 4. Configure the parameters as described in Table 34. 5. Click Apply. NOTE: You can also click the

118 Figure 107 Creating an SNMP Community 4. Configure the SNMP community as described in Table 35. 5. Click Apply. Table 35 Configuration items

119 3. Click Add. The Add SNMP Group page appears. Figure 109 Creating an SNMP group 4. Configure SNMP group as described in Table 36. 5. Click

120 Configuring an SNMP user 1. Select Device > SNMP from the navigation tree. 2. Click the User tab. The User tab appears. Figure 110 SNMP user

121 Table 37 Configuration items Item Description User Name Set the SNMP user name. Security Level Select the security level for the SNMP group. The

122 Figure 112 Traps configuration 3. Select Enable SNMP Trap. 4. Click Apply to enable the SNMP trap function. 5. Click Add. The page for addin

123 Item Description Security Name Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name. U

124 SNMPv1/v2c configuration example Network requirements As shown in Figure 115 , the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch

125 Figure 117 Configuring an SNMP read-only community 3. Configure a read and write community: a. Click Add on the Community tab page. The Add S

126 Figure 119 Enabling SNMP traps 5. Configure a target host SNMP traps: a. Click Add on the Trap tab page. The page for adding a target host of

1 Overview The HP 1920 Switch Series can be configured through the command line interface (CLI), Web interface, and SNMP/MIB. These configuration meth

127 For information about how to configure the NMS, see the NMS manual. Verifying the configuration After the above configuration, an SNMP connection

128 2. Configure an SNMP view: a. Click the View tab. b. Click Add. The page for creating an SNMP view appears. c. Type view1 in the View Name fi

129 Figure 125 Creating an SNMP group 4. Configure an SNMP user: a. Click the User tab. b. Click Add. The page in Figure 126 appears. c. Type u

130 Figure 126 Creating an SNMP user 5. Enable SNMP traps: a. Click the Trap tab. The Trap tab page appears. b. Select Enable SNMP Trap. c. Cli

131 b. Select the IPv4/Domain option and type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Mod

132 Displaying interface statistics The interface statistics module displays statistics about the packets received and sent through interfaces. To di

133 Configuring VLANs Overview Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared, collisions and excessive bro

134 Figure 131 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 132. Figur

135 Port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link

136 PVID By default, VLAN 1 is the PVID for all ports. You can change the PVID for a port, as required. Use the following guidelines when you configu

2 Configuring the switch in the Web interface Restrictions and guidelines To ensure a successful login, verify that your operating system and Web brow

137 Recommended VLAN configuration procedures Recommended configuration procedure for assigning an access port to a VLAN Step Remarks 1. Creating VL

138 Step Remarks 3. Setting the PVID for a port. Configure the PVID of the trunk port. Required. A trunk port has only one untagged VLAN and the unt

139 Step Remarks 3. Setting the PVID for a port. Optional. Configure the PVID of the hybrid port. By default, the PVID of a hybrid port is VLAN 1.

140 Figure 134 Creating VLANs Table 40 Configuration items Item Description VLAN IDs IDs of the VLANs to be created. Modify the description of the

141 Figure 135 Modifying ports Setting the PVID for a port You can also configure the PVID of a port on the Setup tab of Device > Port Managemen

142 Figure 136 Modifying the PVID for a port Selecting VLANs 1. From the navigation tree, select Network > VLAN. The Select VLAN tab is displa

143 Modifying a VLAN 1. From the navigation tree, select Network > VLAN. 2. Click Modify VLAN to enter the page for modifying a VLAN. Figure 1

144 Item Description Select ports to be modified and assigned to this VLAN Select the ports to be modified in the selected VLAN. When you configure

145 Item Description Select membership type Set the member types of the selected ports to be modified in the specified VLANs: • Untagged—Configures

146 Figure 141 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 2. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: a.

3 Figure 1 Internet Explorer settings (1) 3. Click Custom Level. 4. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins,

147 Figure 142 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 3. Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: a. Click

148 A configuration progress dialog box appears. g. After the configuration process is complete, click Close. Figure 144 Assigning GigabitEthernet

149 Figure 145 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B in th

150 Configuring VLAN interfaces Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information,

151 Figure 146 Creating a VLAN interface 3. Configure the VLAN interface as described in Table 43. 4. Click Apply. Table 43 Configuration items

152 Item Description Configure IPv6 Link Local Address Auto Configure the way in which the VLAN interface gets an IPv6 link-local address. Select t

153 Figure 147 Modifying a VLAN interface 3. Modify a VLAN interface as described in Table 44. 4. Click Apply. Table 44 Configuration items Ite

154 Item Description Modify IPv4 Address DHCP Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to get

155 Configuration guidelines When you configure VLAN interfaces, follow these guidelines: • A link-local address is automatically generated for an I

156 Configuring a voice VLAN Overview The voice technology is developing quickly, and more and more voice devices are in use. In broadband communitie

4 Figure 2 Internet Explorer settings (2) 5. Click OK to save your settings. Enabling JavaScript in a Firefox browser 1. Launch the Firefox brows

157 automatically assigns the receiving port to a voice VLAN, issues ACL rules and configures the packet precedence. You can configure an aging timer

158 Table 46 Required configurations on ports of different link types for them to support tagged voice traffic Port link type Voice VLAN assignment m

159 the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode, the port forwards all received untagged packets in t

160 Recommended configuration procedure for a port in automatic voice VLAN assignment mode Step Remarks 1. Configuring voice VLAN globally (Optional

161 3. Configure the global voice VLAN settings as described in Table 49. 4. Click Apply. Table 49 Configuration items Item Description Voice VLA

162 Item Description Voice VLAN port state Select Enable or Disable in the list to enable or disable the voice VLAN function on the port. Voice VLAN

163 Voice VLAN configuration examples Configuring voice VLAN on a port in automatic voice VLAN assignment mode Network requirements As shown in Figur

164 Figure 154 Creating VLAN 2 2. Configure GigabitEthernet 1/0/1 as a hybrid port: a. Select Device > Port Management from the navigation tr

165 Figure 155 Configuring GigabitEthernet 1/0/1 as a hybrid port 3. Configure the voice VLAN function globally: a. Select Network > Voice VL

166 a. Click the Port Setup tab. b. Select Auto in the Voice VLAN port mode list. c. Select Enable in the Voice VLAN port state list. d. Enter

5 Figure 3 Firefox browser settings 3. Click OK to save your settings. Others • The Web interface does not support the Back, Next, and Refresh bu

167 Verifying the configuration 1. When the preceding configurations are completed, the OUI Summary tab is displayed by default, as shown in Figure

168 0011-2200-0000 and mask ffff-ff00-0000 to pass through. The description of the OUI address entry is test. Figure 161 Network diagram Configuri

169 d. Select the PVID box and enter 2 in the field. e. Select GigabitEthernet 1/0/1 from the chassis front panel. f. Click Apply. Figure 163 Co

170 Figure 164 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member 4. Configure voice VLAN on GigabitEthernet 1/0/1: a. Select Networ

171 Figure 165 Configuring voice VLAN on GigabitEthernet 1/0/1 5. Add OUI addresses to the OUI list: a. Click the OUI Add tab. b. Enter OUI addr

172 Figure 167 Displaying the current OUI list of the device 2. Click the Summary tab, where you can view the current voice VLAN information. Fig

173 Configuring the MAC address table MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate int

174 Types of MAC address entries A MAC address table can contain the following types of entries: • Static entries—Manually added and never age out.

175 Item Description Type Set the type of the MAC address entry: • Static—Static MAC address entries that never age out. • Dynamic—Dynamic MAC addr

176 Creating a static MAC address entry 1. Select Network > MAC from the navigation tree. By default, the MAC tab is displayed. 2. Click Add. 3

6 Overview The device provides web-based configuration interfaces for visual device management and maintenance. Figure 4 Web-based network management

177 Configuring MSTP Overview Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links an

178 • Forward delay—Delay that STP bridges use to transit port state. The descriptions and examples in this chapter only use the following fields in

179 Figure 173 Designated bridges and designated ports Path cost Path cost is a reference value used for link selection in STP. STP calculates path

180 Step Description 2 Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPD

181 Figure 174 STP network As shown in Figure 174, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the path costs of l

182 Table 56 Comparison process and result on each device Device Comparison process Configuration BPDU on ports after comparison Device A • Port AP

183 Device Comparison process Configuration BPDU on ports after comparison After comparison: • The configuration BPDU of CP1 is elected as the opt

184 The configuration BPDU forwarding mechanism of STP The configuration BPDUs of STP are forwarded according to these guidelines: • Upon network in

185 Introduction to MSTP MSTP overcomes the following STP and RSTP limitations: • STP limitations—STP does not support rapid state transition of por

186 Figure 176 Basic concepts in MSTP MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network an

Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitt

7 b. Enter the username admin and the verification code, leave the password blank, and click Login. Figure 5 Login page of the Web interface Loggin

187 VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between V

188 Figure 177 Port roles MSTP calculation involves the following port roles: • Root port—Forwards data for a non-root bridge to the root bridge.

189 port state is available for the corresponding port role, and a dash [—] indicates that the port state is not available for the corresponding port

190 • Loop guard • TC-BPDU (a message that notifies the device of topology changes) guard • Support for the hot swapping of interface boards and

191 Step Remarks 4. Displaying MSTP information of a port. Optional. Display MSTP information of a port in MSTI 0, the MSTI to which the port belon

192 Table 58 Configuration items Item Description Region Name MST region name. The MST region name is the bridge MAC address of the device by defaul

193 Figure 180 Configuring MSTP globally 3. Configure the global MSTP configuration as described in Table 59, and then click Apply. Table 59 Confi

194 Item Description Mode Sets the operating mode of STP: • STP—Each port on a device sends out STP BPDUs. • RSTP—Each port on a device sends out

195 Item Description tc-protection Selects whether to enable TC-BPDU guard. When receiving topology change (TC) BPDUs, the device flushes its forwa

196 Item Description Instance (Instance ID, Port Priority, Auto Path Cost, and Manual Path Cost) Sets the priority and path cost of the port in the

8 • Navigation tree—Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed. The result is

197 Protection type Description Root Protection Enables the root guard function. Configuration errors or attacks might result in configuration BPDU

198 Table 62 Field description Field Description [FORWARDING] The port is in forwarding state, so the port learns MAC addresses and forwards user tr

199 Field Description PortTimes Major parameters for the port: • Hello—Hello timer. • MaxAge—Max Age timer. • FWDly—Forward delay timer. • MsgAg

200 Figure 183 Network diagram "Permit:" next to a link in the figure is followed by the VLANs the packets of which are permitted to pass

201 j. Click Activate. Figure 185 Configuring an MST region 2. Configure MSTP globally: a. From the navigation tree, select Network > MSTP.

202 Figure 186 Configuring MSTP globally (on Switch A) Configuring Switch B 1. Configure an MST region on the switch in the same way the MST regio

203 Configuring Switch C 1. Configure an MST region on the switch in the same way the MST region is configured on Switch A. 2. Configure MSTP globa

204 Figure 187 Configuring MSTP globally (on Switch D)

205 Configuring link aggregation and LACP Overview Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called a

206 Configuration classes Port configurations include the following classes: • Class-two configurations—A member port can be placed in the Selected

9 Function menu Description User level Electronic Label Display the electronic label of the device. Monitor Diagnostic Information Generate diagnost

207 exceeded, places the ports with smaller port numbers in the Selected state and those with greater port numbers in the Unselected state. 4. Plac

208 Configuration procedures Configuring a static aggregation group Step Remarks 1. Creating a link aggregation group. Create a static aggregate int

209 Figure 188 Creating a link aggregation group 3. Configure a link aggregation group as described in Table 64. 4. Click Apply. Table 64 Confi

210 2. Choose an aggregate interface from the list. The list on the lower part of the page displays the detailed information about the member ports

211 Setting LACP priority 1. From the navigation tree, select Network > LACP. 2. Click Setup. 3. In the Set LACP enabled port(s) parameters a

212 Detailed information about the peer port appears on the lower part of the page. Table 68 describes the fields. Figure 191 Displaying the informa

213 Field Description Partner Port ID of the peer port. Partner Port State States of the peer port: • A—LACP is enabled. • B—LACP short timeout. I

214 a. Enter link aggregation interface ID 1. b. Select Static (LACP Disabled) for the aggregate interface type. c. Select GigabitEthernet 1/0/1,

215 Figure 194 Creating dynamic link aggregation group 1 Configuration guidelines When you configure a link aggregation group, follow these guideli

216 • Do not assign the following types of ports to Layer 2 aggregate groups: { MAC address authentication-enabled ports. { port security-enabled

10 Function menu Description User level Switch To Management Switch the current user level to the management level. Visitor Loopback Loopback Perfo

217 Configuring LLDP Overview In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices fr

218 Field Description Data LLDPDU. FCS Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. •

219 • Basic management TLVs • Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs • LLDP-MED (media endpoint discovery) TLVs Basic manageme

220 Type Description Protocol Identity Indicates protocols supported on the port. An LLDPDU can carry multiple different TLVs of this type. DCBX Dat

221 Type Description Extended Power-via-MDI Allows a network device or terminal device to advertise power supply capability. This TLV is an extension

222 • A new neighbor is discovered. A new LLDP frame is received carrying device information new to the local device. • The LLDP operating mode of

223 Step Remarks 5. Displaying global LLDP information. Optional. You can display the local global LLDP information and statistics. 6. Displaying

224 Setting LLDP parameters on ports The Web interface allows you to set LLDP parameters for a single port or for multiple ports in batch. Setting LL

225 Item Description Encapsulation Format Set the encapsulation for LLDP frames: • ETHII—Encapsulates outgoing LLDP frames in Ethernet II frames and

226 Item Description DOT1 TLV Setting Port VLAN ID Select the box to include the PVID TLV in transmitted LLDP frames. Protocol VLAN ID Select the b

11 Function menu Description User level Network VLAN Select VLAN Select a VLAN range. Monitor Create Create VLANs. Configure Port Detail Display

227 Setting LLDP parameters for ports in batch 1. From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed. 2

228 Figure 201 The global setup tab 3. Set the global LLDP setup as described in Table 76. 4. Click Apply. A progress dialog box appears. 5. C

229 Item Description TTL Multiplier Set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in t

230 By default, the Local Information tab is displayed. Table 77 describes the fields. Figure 202 The local information tab Table 77 Field descrip

231 Field Description PoE PSE power source PSE power source type: • Primary. • Backup. Port PSE priority PoE power supply priority of PSE ports: •

232 Field Description Port ID type Port ID type: • Interface alias. • Port component. • MAC address. • Network address. • Interface name. • Age

233 Field Description Media policy type Media policy type: • Unknown. • Voice. • Voice signaling. • Guest voice. • Guest voice signaling. • Sof

234 Figure 204 The statistic information tab 5. Click the Status Information tab to display the LLDP status information. Figure 205 The status in

235 Figure 206 The global summary tab Table 79 Field description Field Description Chassis ID Local chassis ID depending on the chassis type defin

236 Displaying LLDP information received from LLDP neighbors 1. From the navigation tree, select Network > LLDP. 2. Click the Neighbor Summary

12 Function menu Description User level LACP Summary Display information about LACP-enabled ports and their partner ports. Monitor Setup Set LACP pr

237 The page shown in Figure 210 appears. Figure 209 The port setup tab d. Select Rx from the LLDP Operating Mode list. 3. Click Apply. A progr

238 Figure 210 Setting LLDP on multiple ports 5. Enable global LLDP: a. Click the Global Setup tab, as shown in Figure 211. b. Select Enable fr

239 Configuring Switch B 1. (Optional.) Enable LLDP on port GigabitEthernet 1/0/1. By default, LLDP is enabled on Ethernet ports. 2. Set the LLDP o

240 b. Click the GigabitEthernet1/0/1 port name in the port list. c. Click the Status Information tab at the lower half of the page. The output s

241 LLDP configuration guidelines When you configure LLDP, follow these guidelines: • To make LLDP take effect on a port, enable LLDP both globally

242 Configuring ARP Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: AR

243 2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the fol

244 Dynamic ARP entry ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the outpu

245 Creating a static ARP entry 1. From the navigation tree, select Network > ARP Management. The default ARP Table page appears, as shown in Fig

246 Configuring gratuitous ARP 1. From the navigation tree, select Network > ARP Management. 2. Click the Gratuitous ARP tab. Figure 220 Gratuit

13 Function menu Description User level IPv6 Routing Summary Display the IPv6 active route table. Monitor Create Create an IPv6 static route. Con

247 Figure 221 Network diagram Configuring Switch A 1. Create VLAN 100: a. From the navigation tree, select Network > VLAN. b. Click the Add

248 c. Select Untagged for Select membership type. d. Enter 100 in the VLAN IDs field. e. Click Apply. A configuration process dialog box appears

249 Figure 224 Creating VLAN-interface 100 4. Create a static ARP entry: a. From the navigation tree, select Network > ARP Management. The def

250 Configuring ARP attack protection Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network atta

251 Figure 226 ARP detection configuration page 2. Configure ARP detection as described in Table 82. 3. Click Apply. Table 82 Configuration items

252 Configuring IGMP snooping Overview IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding e

253 Figure 228 IGMP snooping related ports The following describes the ports involved in IGMP snooping: • Router port—Layer 3 multicast device-si

254 Timer Description Message received before the timer expires Action after the timer expires Dynamic member port aging timer When a port dynamicall

255 switch cannot determine whether the reported multicast group still has active members attached to that port. Leave message An IGMPv1 host silent

256 Step Remarks 2. Configuring IGMP snooping in a VLAN Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and queri

14 Function menu Description User level Accounting Display the accounting method configuration information about an ISP domain. Monitor Specify accou

257 Configuring IGMP snooping in a VLAN 1. From the navigation tree, select Network > IGMP snooping. 2. Click the icon for the VLAN. Figure

258 Item Description Querier Enable or disable the IGMP snooping querier function. On an IP multicast network that runs IGMP, a Layer 3 device acts a

259 Table 84 Configuration items Item Description Port Select the port on which advanced IGMP snooping features will be configured. The port can be a

260 Figure 233 Displaying detailed information about the entry Table 85 Field description Field Description VLAN ID ID of the VLAN to which the en

261 Figure 234 Network diagram Configuration procedure Configuring Router A Enable IP multicast routing globally, enable PIM-DM on each interface,

262 Figure 235 Creating VLAN 100 2. Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: a. Click the Modify Port tab. b. Se

263 Figure 236 Assigning ports to the VLAN 3. Enable IGMP snooping globally: a. From the navigation tree, select Network > IGMP snooping. b.

264 Figure 238 Configuring IGMP snooping in VLAN 100 Verifying the configuration 1. From the navigation tree, select Network > IGMP snooping.

265 The output shows that GigabitEthernet 1/0/3 of Switch A is listening to the multicast streams destined for multicast group 224.1.1.1.

266 Configuring MLD snooping Overview MLD snooping runs on a Layer 2 switch as an IPv6 multicast constraining mechanism to improve multicast forwardi

15 Function menu Description User level Link Setup Create a rule for a link layer ACL. Configure Remove Delete an IPv4 ACL or its rules. Configur

267 Figure 242 MLD snooping related ports The following describes the ports involved in MLD snooping: • Router port—Layer 3 multicast device-side

268 Timer Description Message received before the timer expires Action after the timer expires Dynamic member port aging timer When a port dynamicall

269 the reported IPv6 multicast group address to suppress their own reports. In this case, the switch cannot determine whether the reported IPv6 mult

270 Step Remarks 2. Configuring MLD snooping in a VLAN Required. Enable MLD snooping in the VLAN and configure the MLD snooping version and querier.

271 2. Click the icon for the VLAN. Figure 244 Configuring MLD snooping in a VLAN 3. Configure the parameters as described in Table 86. 4. Cl

272 Configuring MLD snooping port functions 1. Select Network > MLD snooping from the navigation tree. 2. Click the Advanced tab. Figure 245 Co

273 Item Description Fast Leave Enable or disable fast-leave processing on the port. When a port that is enabled with the MLD snooping fast-leave pr

274 Field Description Member Ports All member ports. MLD snooping configuration example Network requirements As shown in Figure 247, MLDv1 runs on

275 Figure 248 Creating VLAN 100 2. Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100: a. Click the Modify Port tab. b. Se

276 Figure 249 Assigning ports to VLAN 100 3. Enable MLD snooping globally: a. Select Network > MLD snooping from the navigation tree. b. Se

16 Function menu Description User level PoE PoE Summary Display PSE information and PoE interface information. Monitor PSE Setup Configure a PoE int

277 d. Click Apply. Figure 251 Enabling MLD snooping in VLAN 100 Verifying the configuration 1. Select Network > MLD snooping from the navigat

278 Configuring IPv4 and IPv6 routing The term "router" in this chapter refers to both routers and Layer 3 switches. Overview A router sele

279 Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must

280 Creating an IPv4 static route 1. Select Network > IPv4 Routing from the navigation tree. 2. Click the Create tab. The page for configuring

281 Item Description Interface Select the output interface. You can select any available Layer 3 interface, for example, a virtual interface, of the

282 The page for configuring an IPv6 static route appears. Figure 257 Creating an IPv6 static route 3. Create an IPv6 static route as described i

283 IPv4 static route configuration example Network requirements As shown in Figure 258, configure IPv4 static routes on Switch A, Switch B, and Swit

284 Figure 259 Configuring a default route 2. Configure a static route to Switch A and Switch C on Switch B: a. Select Network > IPv4 Routing

285 Figure 260 Configuring a static route e. Enter 1.1.3.0 for Destination IP Address, enter 24 for Mask, and enter 1.1.5.6 for Next Hop. f. Cli

286 Figure 261 Configuring a default route Verifying the configuration 1. Display the routing table. Enter the IPv4 route page of Switch A, Switc

i Contents Overview ··································································································································

17 Figure 7 Content display by pages Search function The Web interface provides you with the basic and advanced searching functions to display only

287 IPv6 static route configuration example Network requirements As shown in Figure 262, configure IPv6 static routes on Switch A, Switch B, and Swit

288 Figure 263 Configuring a default route 2. Configure a static route to Switch A and Switch C on Switch B: a. Select Network > IPv6 Routing

289 Figure 264 Configuring a static route e. Enter 3:: for Destination IP Address, select 64 from the Prefix Length list, and enter 5::1 for Next

290 Figure 265 Configuring a default route Verifying the configuration 1. Display the routing table. Enter the IPv6 route page of Switch A, Switc

291 round-trip min/avg/max = 62/62/63 ms Configuration guidelines When you configure a static route, follow these guidelines: • If you do not s

292 DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP us

293 IP address allocation process Figure 267 Dynamic IP address allocation process 1. The client broadcasts a DHCP-DISCOVER message to locate a DH

294 DHCP message format Figure 268 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parent

295 DHCP options DHCP defines the message format as an extension to BOOTP for compatibility. DHCP uses the Option field to carry information for dyna

296 The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Opti

18 Figure 9 Advanced search Take the LLDP table shown in Figure 7 as an example. To search for the LLDP entries with LLDP Work Mode TxRx, and LLDP

297 Configuring DHCP relay agent Overview Since the DHCP clients request IP addresses through broadcast messages, the DHCP server and clients must be

298 Figure 273 DHCP relay agent operation Recommended configuration procedure Task Remarks Enabling DHCP and configuring advanced parameters for th

299 Enabling DHCP and configuring advanced parameters for the DHCP relay agent 1. From the navigation tree, select Network > DHCP to enter the de

300 4. Click Apply. Table 94 Configuration items Item Description DHCP Service Enable or disable global DHCP. Unauthorized Server Detect Enable or

301 3. Configure the DHCP server group as shown in Table 95. 4. Click Apply. Table 95 Configuration items Item Description Server Group ID Enter th

302 Configuring and displaying clients' IP-to-MAC bindings 1. From the navigation tree, select Network > DHCP to enter the default DHCP Rela

303 DHCP relay agent configuration example Network requirements As shown in Figure 279, VLAN-interface 1 on the DHCP relay agent (Switch A) connects

304 Figure 280 Enabling DHCP 2. Configure a DHCP server group: a. In the Server Group area, click Add and then perform the following operations,

305 3. Enable the DHCP relay agent on VLAN-interface 1: a. In the Interface Config field, click the icon of VLAN-interface 1, and then perform th

306 Configuring DHCP snooping DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees

19 Figure 12 Advanced search function example (3) Sort function On some list pages, the Web interface provides the sorting function to display the e

307 Figure 283 Trusted and untrusted ports In a cascaded network as shown in Figure 284, configure each DHCP snooping device's ports connected

308 Device Untrusted port Trusted port disabled from recording binding entries Trusted port enabled to record binding entries Switch B GigabitEtherne

309 Task Remarks Displaying clients' IP-to-MAC bindings Optional. Display clients' IP-to-MAC bindings recorded by DHCP snooping. Enabling

310 Figure 286 DHCP snooping interface configuration page 4. Configure DHCP snooping on the interface as described in Table 100. 5. Click Apply.

311 Item Description Type Displays the client type: • Dynamic—The IP-to-MAC binding is generated dynamically. • Static—The IP-to-MAC binding is con

312 Figure 289 Enabling DHCP snooping 2. Configure DHCP snooping functions on GigabitEthernet 1/0/1: a. Click the icon of GigabitEthernet 1/0/1

313 4. Configure DHCP snooping functions on GigabitEthernet 1/0/3: a. Click the icon of GigabitEthernet 1/0/3 on the interface list. b. Select t

314 Managing services Overview Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You

315 Managing services 1. Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure

316 Item Description Port Number Set the port number for HTTP service. You can view this configuration item by clicking the expanding button in fron

20 Configuring the switch at the CLI The HP 1920 Switch Series can be configured through the CLI, Web interface, and SNMP/MIB, among which the Web int

317 Using diagnostic tools This chapter describes how to use the ping and traceroute utilities. Ping Use the ping utility to determine if a specific

318 2. The first hop device responds with an ICMP TTL-expired message to the source. In this way, the source device gets the address of the first de

319 Figure 295 Ping operation result Traceroute operation The Web interface does not support IPv6 traceroute. Before performing a traceroute operat

320 3. Enter the IP address or host name of the destination device in the Trace Route field. 4. Click Start. 5. View the output in the Summary ar

321 Configuring 802.1X 802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee fo

322 • MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected. Controlled

323 • Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4). • Identifier—Used for matching Responses

324 EAP-Message RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 302. The Type field takes 79, and the Value field ca

325 802.1X authentication procedures 802.1X provides the following methods for authentication: • EAP relay. • EAP termination. You choose either

326 Packet exchange method Benefits Limitations EAP termination Works with any RADIUS server that supports PAP or CHAP authentication. • Supports o

21 NOTE: • The serial port on a PC does not support hot swapping. When you connect a PC to a powered-on switch,connect the DB-9 connector of the co

327 5. The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is foun

328 Figure 307 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentic

329 • Handshake timer—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has p

330 Authentication status VLAN manipulation No 802.1X user has performed authentication within 90 seconds after 802.1X is enabled. The device assigns

331 Authentication status VLAN manipulation A user fails 802.1X authentication. The device assigns the Auth-Fail VLAN to the port as the PVID. All 8

332 Recommended configuration procedure Step Remarks 1. Configuring 802.1X globally Required. This function enables 802.1X authentication globally.

333 { The support of the RADIUS server for EAP packets. { The authentication methods supported by the 802.1X client and the RADIUS server. 4. Clic

334 Figure 310 Configuring 802.1X on a port Table 105 describes the configuration items. Table 105 Configuration items Item Description Port Select

335 Item Description Enable Re-Authentication Specifies whether to enable periodic online user re-authentication on the port. Periodic online user re

336 Table 106 Relationships of the 802.1X guest VLAN and other security features Feature Relationship description MAC authentication guest VLAN on a

22 Figure 16 Setting the serial port used by the HyperTerminal connection 4. Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bit

337 Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS accounting fails, the access device l

338 2. Configure 802.1X for GigabitEthernet 1/0/1: a. In the Ports With 802.1X Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Po

339 Figure 314 Configuring the RADIUS scheme 2. Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configu

340 d. Click Apply. The RADIUS Server Configuration area displays the primary authentication server you have configured. 3. Configure the backup

341 Figure 315 Creating an ISP domain 2. Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test

342 Figure 317 Configuration progress dialog box e. After the configuration process is complete, click Close. 3. Configure AAA authorization meth

343 Figure 319 Configuring the AAA accounting method for the ISP domain d. Click Apply. e. After the configuration process is complete, click Clo

344 d. Select Without domain name from the Username Format list. e. Click Apply. 2. Configure the primary authentication server in the RADIUS sche

345 Figure 323 Configuring the RADIUS scheme 4. Click Apply. Configuring AAA 1. Create an ISP domain: a. From the navigation tree, select Authen

346 Figure 324 Creating an ISP domain 2. Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test

23 Figure 18 HyperTerminal window 6. Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box. Figure 1

347 Figure 326 Configuration progress dialog box e. After the configuration process is complete, click Close. 3. Configure AAA authorization meth

348 Figure 328 Configuring the AAA accounting method for the ISP domain f. After the configuration process is complete, click Close. Configuring a

349 c. In the IP Address Filter area, select Destination IP Address: − Enter 10.0.0.1 as the destination IP address. − Enter 0.0.0.0 as the destin

350 c. Select the authentication method CHAP. d. Click Apply. Figure 331 Configuring 802.1X globally 2. Configure 802.1X for GigabitEthernet 1/0

351 Figure 333 shows the ping operation summary. Figure 333 Ping operation summary

352 Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access managem

353 AAA can be implemented through multiple protocols. The device supports RADIUS, which is most often used. For more information about RADIUS, see &

354 Step Remarks 3. Configuring authorization methods for the ISP domain Optional. Specify the authorization methods for various types of users. By

355 Item Description Default Domain Specify whether to use the ISP domain as the default domain. Options include: • Enable—Uses the domain as the de

356 Item Description LAN-access AuthN Name Secondary Method Configure the authentication method and secondary authentication method for LAN access us

24 Logging in to the CLI The login process requires a username and password. The default username for first time configuration is admin, no password i

357 Table 110 Configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods.

358 Figure 338 Accounting method configuration page 3. Select the ISP domain and specify accounting methods for the ISP domain, as described in Ta

359 Item Description Login Accounting Name Secondary Method Configure the accounting method and secondary accounting method for login users. Options

360 Figure 340 Configuring a local user 4. Configure ISP domain test: a. Select Authentication > AAA from the navigation tree. The domain con

361 5. Configure the ISP domain to use local authentication: a. Select Authentication > AAA from the navigation tree. b. Click the Authenticati

362 f. After the configuration progress is complete, click Close. Figure 344 Configuring the ISP domain to use local authorization 7. Configure t

363 Configuring RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a cli

364 Security and authentication mechanisms The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt user p

365 7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to

366 • The Length field (2 bytes long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribut

25 initialize Syntax initialize Parameters None Description Use initialize to delete the configuration file to be used at the next startup and reboot

367 No. Attribute No. Attribute 23 Framed-IPX-Network 70 ARAP-Password 24 State 71 ARAP-Features 25 Class 72 ARAP-Zone-Access 26 Vendor-Specif

368 Figure 349 Format of attribute 26 Protocols and standards • RFC 2865, Remote Authentication Dial In User Service (RADIUS) • RFC 2866, RADIUS

369 Figure 351 RADIUS scheme configuration page 3. Configure the parameters as described in Table 114. 4. Click Apply. Table 114 Configuration it

370 Figure 352 Common configuration 2. Configure the parameters, as described in Table 115. Table 115 Configuration items Item Description Server

371 Item Description Username Format Select the format of usernames to be sent to the RADIUS server. Typically, a username is in the format of userid

372 Item Description Request Transmission Attempts Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If

373 Item Description Stop-Accounting Attempts Set the maximum number of stop-accounting attempts. The maximum number of stop-accounting attempts, to

374 Table 116 Configuration items Item Description Server Type Select the type of the RADIUS server to be configured. Options include primary authent

375 c. Select Without domain name for the username format. 3. In the RADIUS Server Configuration area, click Add to configure the primary authenti

376 Figure 357 RADIUS scheme configuration Configuring AAA 1. Select Authentication > AAA in the navigation tree. The domain setup page appear

26 # Create VLAN-interface 1 and assign 192.168.1.2 to the interface, and specify 192.168.1.1 as the default gateway. <Sysname> ipsetup ip-addre

377 3. Select the Authentication tab to configure the authentication scheme: a. Select the domain name test. b. Select Default AuthN and select RA

378 Figure 361 Configuring the AAA authorization method for the ISP domain 5. Select the Accounting tab to configure the accounting scheme: a. Se

379 • If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages f

380 Configuring users You can configure local users and create groups to manage them. A local user represents a set of user attributes configured on

381 Figure 364 Local user configuration page 3. Configure the local user as described in Table 118. 4. Click Apply. Table 118 Configuration items

382 Item Description Expire-time Specify an expiration time for the local user, in the HH:MM:SS-YYYY/MM/DD format. To authenticate a local user with

383 Figure 366 User group configuration page 4. Configure the user group as described in Table 119. 5. Click Apply. Table 119 Configuration items

384 Managing certificates Overview The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key tech

385 Figure 367 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a rou

386 4. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity tha

ii Displaying system and device information ··········································································································

27 Change password for user: admin Old password: *** Enter new password: ** Retype password: ** The password has been successfully changed. ping Synta

387 Step Remarks 2. Creating a PKI domain Required. Create a PKI domain, setting the certificate request mode to Manual. Before requesting a PKI cer

388 Step Remarks 6. Destroying the RSA key pair Optional. Destroy the existing RSA key pair and the corresponding local certificate. If the certific

389 Figure 368 PKI entity list 2. Click Add on the page. Figure 369 PKI entity configuration page 3. Configure the parameters, as described in

390 Item Description State Enter the state or province for the entity. Locality Enter the locality for the entity. Organization Enter the organizatio

391 Figure 371 PKI domain configuration page 5. Configure the parameters, as described in Table 121. 6. Click Apply. Table 121 Configuration item

392 Item Description Requesting URL Enter the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCE

393 Item Description CRL URL Enter the URL of the CRL distribution point. The URL can be an IP address or a domain name. This item is available after

394 Figure 373 Key pair parameter configuration page Destroying the RSA key pair 1. From the navigation tree, select Authentication > Certifica

395 Figure 375 PKI certificate retrieval page 4. Configure the parameters, as described in Table 122. 5. Click Apply. Table 122 Configuration it

396 Figure 376 Certificate information Requesting a local certificate 1. From the navigation tree, select Authentication > Certificate Manageme

28 Examples # Ping IPv6 address 2001::4. <Sysname> ping ipv6 2001::4 PING 2001::4 : 56 data bytes, press CTRL_C to break Reply from 2001:

397 Figure 377 Local certificate request page 4. Configure the parameters, as described in Table 123. Table 123 Configuration items Item Descripti

398 Retrieving and displaying a CRL 1. From the navigation tree, select Authentication > Certificate Management. 2. Click the CRL tab. Figure 37

399 Field Description Last Update Last update time. Next Update Next update time. X509v3 CRL Number CRL sequence number X509v3 Authority Key Iden

400 Configuring the switch 1. Create a PKI entity: a. From the navigation tree, select Authentication > Certificate Management. The PKI entity

401 Figure 383 Creating a PKI domain 3. Generate an RSA key pair: a. Click the Certificate tab. b. Click Create Key. c. Enter 1024 as the key

402 Figure 385 Retrieving the CA certificate 5. Request a local certificate: a. Click the Certificate tab. b. Click Request Cert. c. Select to

403 Authentication > Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL. Configuration

404 Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not

405 MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traff

406 If a user in the Auth-Fail VLAN passes MAC authentication, it is removed from the Auth-Fail VLAN and can access all authorized network resources.

29 reboot Syntax reboot Parameters None Description Use reboot to reboot the device and run the main configuration file. Use the command with caution

407 Figure 388 MAC authentication configuration page 3. Configure MAC authentication global settings as described in Table 125, and then click App

408 Configuring MAC authentication on a port 1. From the navigation tree, select Authentication > MAC Authentication. 2. In the Ports With MAC A

409 • Configure all users to belong to the domain aabbcc.net, and specify local authentication for users in the domain. • Use the MAC address of e

410 Figure 392 Configuring the authentication method for the ISP domain 6. Click Apply. A configuration progress dialog box appears, as shown in

411 Figure 394 Configuring MAC authentication globally 2. Configure MAC authentication for GigabitEthernet 1/0/1: a. In the Ports With MAC Authen

412 Figure 396 Network diagram Configuring IP addresses # Assign an IP address to each interface. Make sure the RADIUS servers, host, and switch ca

413 Figure 397 Configuring a RADIUS authentication server 3. Configure the primary accounting server in the RADIUS scheme: a. In the RADIUS Serve

414 Figure 399 RADIUS configuration Configuring AAA for the scheme 1. Create an ISP domain: a. From the navigation tree, select Authentication &g

415 Figure 400 Creating an ISP domain 2. Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select the

416 Figure 402 Configuration progress dialog box e. After the configuration process is complete, click Close. 3. Configure AAA authorization meth

30 Select menu option: Summary IP Method: Manual

417 Figure 404 Configuring the accounting method for the ISP domain e. After the configuration process is complete, click Close. Configuring an AC

418 c. Select the action Deny. d. In the IP Address Filter area, select Destination IP Address: − Enter the destination IP address 10.0.0.1. − E

419 b. Select Enable MAC Authentication. c. Click Advanced. d. Select the authentication ISP domain test, select the authentication information fo

420 Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

421 Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control.

422 • Basic mode—In this mode, a port can learn the specified number of MAC addresses and save those addresses as secure MAC addresses. It permits o

423 The maximum number of users a port supports equals the maximum number of secure MAC addresses that port security allows or the maximum number of

424 Step Remarks 1. Configuring global settings for port security Required. This function enables port security globally and configures intrusion pr

425 Figure 410 Port security configuration 3. Configure global port security settings as described in Table 128. 4. Click Apply. Table 128 Config

426 The page for applying port security control appears. Figure 412 Configuring basic port security control 3. Configure basic port security contr

31 Use upgrade server-address source-filename runtime to upgrade the system software image file. If the system software image file in the downloaded s

427 Item Description Enable Outbound Restriction Specifies whether to enable outbound traffic control, and selects a control method. Available cont

428 Table 130 Configuration items Item Description Port Selects a port where the secure MAC address is configured. Secure MAC Address Enters the MA

429 Item Description Enable Intrusion Protection Specifies whether to enable intrusion protection, and selects an action to be taken upon detection

430 Port security configuration examples Basic port security mode configuration example Network requirements As shown in Figure 418, configure port G

431 Figure 419 Configuring port security Configuring the basic port security control 1. In the Security Ports And Secure MAC Address List area, cl

432 Figure 421 Secure MAC address list 2. When the maximum number of MAC addresses is reached, intrusion protection is triggered. Select Device &g

433 Figure 423 Displaying port state If you remove MAC addresses from the secure MAC address list, the port can continue to learn MAC addresses. A

434 NOTE: Configurations on the host and RADIUS servers are not shown. Configuring a RADIUS scheme 1. Create a RADIUS scheme: a. From the naviga

435 Figure 426 Configuring the RADIUS accounting server c. Click Apply. The RADIUS Server Configuration area displays the servers you have configu

436 Figure 428 Configuring AAA authentication e. Click Apply. A dialog box appears, displaying the configuration progress, as shown in Figure 429.

32 Examples # Download software package file main.bin from the TFTP server and use the Boot ROM image in the package as the startup configuration file

437 Figure 430 Configuring AAA authorization e. When the configuration process is complete, click Close. 3. Configure AAA accounting method: a.

438 Figure 432 Configuring global port security settings 2. Configure advanced port security control: a. In the Advanced Port Security Configurat

439 Figure 434 Configuring permitted OUI values d. Repeat previous three steps to add the OUI values of the MAC addresses 1234-0200-0000 and 1234-

440 Configuring port isolation The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also us

441 Port isolation configuration example Network requirements As shown in Figure 436: • Campus network users Host A, Host B, and Host C are connecte

442 Figure 437 Assigning ports to the isolation group e. Click Apply. A configuration progress dialog box appears. f. After the configuration p

443 Configuring authorized IP The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only th

444 Authorized IP configuration example Network requirements In Figure 440, configure Switch to deny Telnet and HTTP requests from Host A, and permit

445 a. Click Basic Setup. The page for configuring an ACL rule appears. b. Select 2001 from the ACL list, select Permit from the Action list, selec

446 Figure 443 Configuring authorized IP

33 Deleting the old file, please wait... File will be transferred in binary mode Downloading file from remote TFTP server, please wait.../ TFT

447 Configuring loopback detection A loop occurs when a port receives a packet sent by itself. Loops might cause broadcast storms. The purpose of loo

448 Figure 444 Loopback detection configuration page 2. Configure the global loopback detection settings as described in Table 134, and then click

449 Item Description Detection in VLAN Sets whether the system performs loopback detection in all VLANs for the target trunk or hybrid port. If you

450 Configuring ACLs Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Grayed-out options on Web configuration

451 Table 136 Depth-first match for ACLs ACL category Sequence of tie breakers IPv4 basic ACL 1. More 0s in the source IP address wildcard (more 0s

452 For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbe

453 Step Remarks 3. Configuring a rule for a basic IPv4 ACL. Required. Complete one of the following tasks according to the ACL category. 4. Confi

454 4. Click Apply. Table 137 Configuration items Item Description Time Range Name Set the name for the time range. Periodic Time Range Start Time

455 Table 138 Configuration items Item Description ACL Number Set the number of the IPv4 ACL. Match Order Set the match order of the ACL. Available

456 Table 139 Configuration items Item Description ACL Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv

34 Configuration wizard The configuration wizard guides you through configuring the basic service parameters, including the system name, system locat

457 Figure 448 Configuring an advanced IPv4 ACL 3. Configure a rule for an advanced IPv4 ACL as described in Table 140. 4. Click Add. Table 140

458 Item Description Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign o

459 Item Description TCP/UDP Port TCP Connection Established Select this box to make the rule match packets used for establishing and maintaining TC

460 Figure 449 Configuring a rule for an Ethernet frame header ACL 3. Configure a rule for an Ethernet frame header IPv4 ACL as described in Table

461 Item Description MAC Address Filter Source MAC Address Select the Source MAC Address box and enter a source MAC address and a mask. Source Mask

462 Table 142 Configuration items Item Description ACL Number Enter a number for the IPv6 ACL. Match Order Select a match order for the ACL. Availab

463 Item Description Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign o

464 Figure 452 Configuring a rule for an advanced IPv6 ACL 3. Add a rule for an advanced IPv6 ACL as described in Table 144. 4. Click Add. Table

465 Item Description Check Fragment Select this box to apply the rule to only non-first fragments. If you do no select this box, the rule applies to

466 Configuring QoS Grayed-out options on Web configuration pages cannot be configured. Overview Quality of Service (QoS) reflects the ability of a n

35 Figure 22 System parameter configuration page 2. Configure the parameters as described in Table 3. Table 3 Configuration items Item Description

467 Congestion: causes, impacts, and countermeasures Network congestion is a major factor contributed to service quality degrading on a traditional n

468 End-to-end QoS Figure 454 End-to-end QoS model As shown in Figure 454, traffic classification, traffic policing, traffic shaping, congestion ma

469 When packets are classified on the network boundary, the precedence bits in the ToS field of the IP packet header are generally re-set. In this w

470 Table 146 Description on DSCP values DSCP value (decimal) DSCP value (binary) Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110

471 Figure 457 802.1Q tag header Table 147 Description on 802.1p priority 802.1p priority (decimal) 802.1p priority (binary) Description 0 000 be

472 Figure 458 SP queuing A typical switch provides eight queues per port. As shown in Figure 458, SP queuing classifies eight queues on a port int

473 A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0)

474 specification, and the traffic is called "conforming traffic." Otherwise, the traffic does not conform to the specification, and the tr

475 • For more information about 802.1p priority and DSCP values, see "Packet precedences." • Local precedence is a locally significant p

476 Table 149 Default DSCP to Queue mapping table Input DSCP value Local precedence (Queue) 0 to 7 0 8 to 15 1 16 to 23 2 24 to 31 3 32 to 39 4

36 Configuring management IP address CAUTION: Modifying the management IP address used for the current login terminates the connection to the devic

477 Table 150 Recommended QoS policy configuration procedure Step Remarks 1. Adding a class Required. Add a class and specify the logical relations

478 Recommended priority trust mode configuration procedure Step Remarks 1. Configuring priority trust mode on a port Required. Set the priority t

479 Configuring classification rules 1. Select QoS > Classifier from the navigation tree. 2. Click Setup to enter the page for setting a class.

480 Table 152 Configuration items Item Description VLAN Customer VLAN Define a rule to match customer VLAN IDs. If multiple such rules are configure

481 Configuring traffic mirroring and traffic redirecting for a traffic behavior 1. Select QoS > Behavior from the navigation tree. 2. Click Po

482 Figure 467 Setting a traffic behavior 3. Configure other actions for a traffic behavior as described in Table 155. 4. Click Apply. Table 155

483 Item Description CIR Set the committed information rate (CIR), the average traffic rate. CBS Set the committed burst size (CBS), number of byt

484 Table 156 Configuration items Item Description Policy Name Specify a name for the policy to be added. Some devices have their own system-defined

485 Figure 470 Applying a policy to a port 3. Apply a policy to a port as described in Table 158. 4. Click Apply. Table 158 Configuration items

486 Table 159 Configuration items Item Description WRR Setup WRR Enable or disable the WRR queue scheduling mechanism on selected ports. The followi

iii Mirroring source ·································································································································

37 Item Description Admin status Enable or disable the VLAN interface. When errors occurred in the VLAN interface, disable the interface and then ena

487 Item Description Rate Limit Enable or disable rate limit on the specified port. Direction Select a direction in which the rate limit is to be a

488 Configuring priority trust mode on a port 1. Select QoS > Port Priority from the navigation tree. Figure 474 Configuring port priorities 2

489 ACL and QoS configuration example Network requirements As shown in Figure 476, the FTP server (10.1.1.1/24) is connected to the Switch, and the c

490 Figure 477 Defining a time range covering 8:00 to 18:00 every day 2. Add an advanced IPv4 ACL: a. Select QoS > ACL IPv4 from the navigatio

491 c. Select the Rule ID box, and enter rule ID 2. d. Select Permit in the Action list. e. Select the Destination IP Address box, and enter IP ad

492 c. Enter the class name class1. d. Click Add. Figure 480 Adding a class 5. Define classification rules: a. Click the Setup tab. b. Select

493 Figure 481 Defining classification rules d. Click Apply. A progress dialog box appears, as shown in Figure 482. e. Click Close on the progre

494 Figure 482 Configuration progress dialog box 6. Add a traffic behavior: a. Select QoS > Behavior from the navigation tree. b. Click the A

495 Figure 484 Configuring actions for the behavior 8. Add a policy: a. Select QoS > QoS Policy from the navigation tree. b. Click the Add ta

496 a. Click the Setup tab. b. Select policy1. c. Select class1 from the Classifier Name list. d. Select behavior1 from the Behavior Name list.

38 Figure 24 Configuration complete

497 Configuring PoE Only a device with a mark of PoE supports the PoE feature. Overview IEEE 802.3af-compliant power over Ethernet (PoE) enables a po

498 Configuring PoE Before configuring PoE, make sure the PoE power supply and PSE are operating correctly. Otherwise, either you cannot configure Po

499 Item Description Power Max Set the maximum power for the PoE port. The maximum PoE interface power is the maximum power that the PoE interface ca

500 Figure 490 PSE Setup tab Enabling the non-standard PD detection function for a PSE 1. Select Enable in the corresponding Non-Standard PD Compa

501 PoE configuration example Network requirements As shown in Figure 492, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are connected to IP teleph

502 Figure 493 Configuring the PoE ports supplying power to the IP telephones 2. Enable PoE on GigabitEthernet 1/0/11 and set the maximum power of

503 Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Befo

504 Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text

505 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as

506 Index Numerics 802.1X access control methods, 321 ACL assignment, 331 architecture, 321 authentication, 325 authentication (access device initiat

39 Configuring stack Overview The stack management feature allows you to configure and monitor a group of connected devices by logging in to one devi

507 match order, 450 packet fragment filtering, 452 rule numbering step, 451 security MAC authentication, 411 time range configuration, 453 time-base

508 port security advanced mode configuration, 433 port security authentication modes, 421 port security basic control configuration, 425 port securi

509 choosing Ethernet link aggregation selected state, 205 Ethernet link aggregation unselected state, 205 CIST calculation, 189 network device conn

510 IGMP snooping port function, 258 IP routing (IPv4), 278 IP routing (IPv6), 278 IP services ARP entry, 244 isolation group, 440 LLDP, 217 , 236 LL

511 system time (by using NTP), 57, 58 system time (manually), 56 user group, 382 VCT, 91 VLAN interface, 150 Web device configuration management,

512 Web stack configuration, 39 Web user level, 8 Web-based NM functions, 8 device information displaying device information, 47, 48 device managemen

513 Web device file, 67 DSCP QoS packet IP precedence and DSCP values, 469 dst-mac validity check (ARP), 250 dynamic ARP table entry, 244 DHCP addres

514 group configuration, 208 group creation, 208 LACP, 205 LACP priority, 211 LACP-enabled port, 211 member port state, 205 modes, 206 operational ke

515 NMM local port mirroring group monitor port, 84 NMM local port mirroring group port, 81 NMM local port mirroring group source port, 84 NMM port

516 IP services ARP entry configuration, 244 IP services ARP entry removal, 245 security ARP attack protection configuration, 250 traceroute, 317 IP

40 Task Remarks Configuring member devices of a stack: Configuring stack ports Required. Configure a port of a member device that connects to the mas

517 Ethernet link aggregation group creation, 208 Ethernet link dynamic aggregation group configuration, 208 Ethernet link static aggregation group c

518 MSTP configuration, 177 , 190 , 199 loopback detection configuration, 447, 447 configuration (global), 447 configuration (port-specific), 448 loo

519 membership report IGMP snooping, 254 MLD snooping, 268 message ARP configuration, 242 ARP message format, 242 ARP static configuration, 246 DHCP

520 displaying IGMP snooping multicast forwarding entries, 259 enabling IGMP snooping (globally), 256 enabling IGMP snooping (in a VLAN), 257 IGMP sn

521 Web device file upload, 68 Web device local user adding, 86 Web device main boot file specifying, 68 Web device privilege level switching, 88 Web

522 Web service management, 314 , 315 Web stack configuration, 39, 43 Web user level, 8 Web-based NM functions, 8 NMM local port mirroring configura

523 ping address reachability determination, 317 , 318 system maintenance, 317 PoE configuration, 497, 501, 501 detect nonstandard PDs enable, 499

524 security MAC authentication configuration, 404, 406, 408 security MAC local authentication configuration, 408 specified operation parameter for a

525 configuring AAA authentication methods for ISP domain, 355 configuring AAA authorization methods for ISP domain, 356 configuring AAA ISP domain,

526 configuring QoS traffic redirecting, 481 configuring queue scheduling, 477 configuring queue scheduling on port, 485, 486 configuring RADIUS comm

41 Figure 26 Setting up Table 6 Configuration items Item Description Private Net IP Mask Configure a private IP address pool for the stack. The mas

527 enabling PSE detect nonstandard PDs, 499 enabling SNMP agent, 113 entering configuration wizard homepage, 34 finishing configuration wizard, 37

528 AAA implementation, 363, 374 assigning MAC authentication ACL assignment, 405 assigning MAC authentication VLAN assignment, 405 client/server mod

529 IGMP snooping router port, 252 MLD snooping router port, 266 routing ACL configuration, 450 ACL configuration (advanced), 456, 463 ACL configurat

530 buffer capacity and refresh interval, 63 configuration environment, 20 LACP priority, 211 LLDP parameters for a single port, 224 LLDP parameters

531 algorithm calculation, 179 basic concepts, 178 BPDU forwarding, 184 CIST, 187 CST, 187 designated bridge, 178 designated port, 178 IST, 187

532 configuring system time (manually), 56 displaying current system time, 56 T table active route table (IPv4), 279 active route table (IPv6), 281 A

533 user level Web user level, 8 user management AAA management by ISP domains, 353 V validity check security ARP packet, 250 security ARP user, 250

534 device file management, 67 device file removing, 68 device file upload, 68 device idle timeout period configuration, 50 device local user adding,

42 Displaying topology summary of a stack Select Stack from the navigation tree and click the Topology Summary tab to enter the page shown in Figure

43 Figure 29 Device summary (a member device) Stack configuration example Network requirements As shown in Figure 30, Switch A, Switch B, Switch C,

44 Figure 31 Configuring global parameters for the stack on Switch A Switch A becomes the master device. 2. Configure a stack port on Switch A: a.

45 Figure 33 Configuring stack ports on Switch B Switch B becomes a member device. 4. On Switch C, configure GigabitEthernet 1/0/1 (the port conne

46 Verifying the configuration To verify the stack topology on Switch A: 1. Select Stack from the navigation tree of Switch A. 2. Click the Topolog

iv Configuring an SNMP user ··························································································································

47 Displaying system and device information Displaying system information Select Summary from the navigation tree to enter the System Information pag

48 Displaying the system resource state The System Resource State area displays the most recent CPU usage, memory usage, and temperature. Displaying

49 Figure 37 Device information To set the interval for refreshing device information, select one of the following options from the Refresh Period

50 Configuring basic device settings The device basic information feature provides the following functions: • Set the system name of the device. The

51 3. Set the idle timeout period for logged-in users. 4. Click Apply.

52 Maintaining devices Software upgrade CAUTION: Software upgrade takes some time. Avoid performing any operation on the Web interface during the u

53 Item Description If a file with the same name already exists, overwrite it without any prompt Specify whether to overwrite the file with the same

54 Electronic label Electronic label allows you to view information about the device electronic label, which is also known as the permanent configura

55 Figure 44 The diagnostic information file is created The generation of the diagnostic file takes a period of time. During this process, do not p

56 Configuring system time Overview You must configure a correct system time so that the device can operate correctly with other devices. The system

v Creating a static MAC address entry················································································································

57 Figure 46 Calendar page 3. Enter the system date and time in the Time field, or select the date and time in the calendar. To set the time on th

58 Table 11 Configuration items Item Description Clock status Display the synchronization status of the system clock. Source Interface Set the sou

59 Figure 48 Network diagram Configuring the system time 1. Configure the local clock as the reference clock, with the stratum of 2. Enable NTP au

60 • The synchronization process takes some time. The clock status might be displayed as unsynchronized after your configuration. In this case, refr

61 Configuring syslog System logs record network and device information, including running status and configuration changes. With system logs, admini

62 Table 12 Field description Field Description Time/Date Displays the time/date when the system log was generated. Source Displays the module that g

63 4. Click Apply. Table 13 Configuration items Item Description IPv4/Domain Specify the IPv4 address or domain name of the log host. IMPORTANT: Yo

64 Managing the configuration You can back up, restore, save, or reset the device configuration. Backing up the configuration Configuration backup al

65 To restore the configuration: 1. Select Device > Configuration from the navigation tree. 2. Click the Restore tab. Figure 54 Restoring the co

66 Figure 55 Saving the configuration • Common mode. To save the configuration in common mode: a. Select Device > Configuration from the navig

vi Configuring Switch A ······························································································································

67 Managing files The device requires a series of files for correct operation, including boot files and configuration files. These files are saved on

68 4. Click Download File. The File Download dialog box appears. 5. Open the file or save the file to a path. Uploading a file IMPORTANT: Upload

69 Managing ports You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interf

70 Figure 58 The Setup tab 3. Set the operation parameters for the port as described in Table 15. 4. Click Apply. Table 15 Configuration items It

71 Item Description Speed Set the transmission speed of the port: • 10—10 Mbps. • 100—100 Mbps. • 1000—1000 Mbps. • Auto—Autonegotiation. • Auto

72 Item Description Flow Control Enable or disable flow control on the port. With flow control enabled at both sides, when traffic congestion occurs

73 Item Description Unicast Suppression Set unicast suppression on the port: • ratio—Sets the maximum percentage of unicast traffic to the total ban

74 Figure 59 The Summary tab Displaying all the operation parameters for a port 1. Select Device > Port Management from the navigation tree 2.

75 Port management configuration example Network requirements As shown in Figure 61: • Server A, Server B, and Server C are connected to GigabitEthe

76 Figure 62 Configuring the speed of GigabitEthernet 1/0/4 2. Batch configure the autonegotiation speed range on GigabitEthernet 1/0/1, GigabitEt

vii Static route ·····································································································································

77 Figure 63 Batch configuring the port speed 3. Display the speed settings of ports: a. Click the Summary tab. b. Click the Speed button to dis

78 Figure 64 Displaying the speed settings of ports

79 Configuring port mirroring Port mirroring refers to the process of copying the packets passing through a port/VLAN/CPU to the monitor port connect

80 Figure 65 Local port mirroring implementation As shown in Figure 65, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/

81 2. Click Add to enter the page for adding a mirroring group. Figure 66 Adding a mirroring group 3. Configure the mirroring group as described

82 Figure 67 Modifying ports 3. Configure ports for the mirroring group as described in Table 17. 4. Click Apply. A progress dialog box appears.

83 Local port mirroring configuration example Network requirements As shown in Figure 68, configure local port mirroring on Switch A so the server ca

84 3. Enter 1 for Mirroring Group ID, and select Local from the Type list. 4. Click Apply. Configuring GigabitEthernet 1/0/1 and GigabitEthernet 1/

85 Figure 71 Configuring the monitor port 5. Click Apply. A configuration progress dialog box appears. 6. After the success notification appears,

86 Managing users The user management function allows you to do the following: • Adding a local user, and specifying the password, access level, and