3Com Switch 8800 Family Configuration Guide

7/31/2019 3Com Switch 8800 Family Configuration Guide

1/881

3Com Switch 8800 FamilyConfiguration Guide

Switch 8807

Switch 8810Switch 8814

www.3Com.comPart No. 10015594, Rev. AAPublished: January 2007


2/881

3Com Corporation350 Campus DriveMarlborough, MAUSA 01752-3064

Copyright 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form orby any means or used to make any derivative work (such as translation, transformation, or adaptation) without writtenpermission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to timewithout obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied orexpressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality,and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s)

described in this documentation at any time.If there is any software on removable media described in this documentation, it is furnished under a license agreementincluded with the product as a separate document, in the hard copy documentation, or on the removable media in adirectory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy willbe provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided toyou subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software isdelivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial itemas defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Coms standard commerciallicense for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) orFAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend providedon any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registeredin other countries.

3Com and the 3Com logo are registered trademarks of 3Com Corporation.

Cisco is a registered trademark of Cisco Systems, Inc.

Funk RADIUS is a registered trademark of Funk Software, Inc.

Aegis is a registered trademark of Aegis Group PLC.

Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT areregistered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UN IX is aregistered trademark in the United States and other countries, l icensed exclusively through X/Open Company, Ltd.

IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.

All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committedto:

Establishing environmental performance standards that comply with national legislation and regulations.

Conserving energy, materials and natural resources in all operations.

Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards.Maximizing the recyclable and reusable content of all products.

Ensuring that all products can be recycled, reused and disposed of safely.

Ensuring that all products are labelled according to recognized environmental standards.

Improving our environmental record on a continual basis.

End of Life Statement

3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement

3Com products do not contain any hazardous or ozone-depleting material.


3/881

CONTENTS

ABOUT THIS GUIDEConventions 15Related Documentation 16

1 PRODUCT OVERVIEWProduct Overview 17Function Features 18

2 COMMAND LINE INTERFACECommand Line Interface 21Command Line View 21Features and Functions of Command Line 29

3 LOGGINGINTO SWITCHSetting Up Configuration Environment through the Console Port 33Setting up Configuration Environment through Telnet 34Setting Up Configuration Environment through Modem Dial-up 37

4 USER INTERFACE CONFIGURATIONUser Interface Overview 39User Interface Configuration 40Displaying and Debugging User Interface 48

5 MANAGEMENT INTERFACE CONFIGURATIONManagement Interface Overview 49Management Interface Configuration 49

6 CONFIGURATION FILE MANAGEMENTConfiguration File Management 51

7 VLAN CONFIGURATIONVLAN Overview 55Configuring VLAN 55Configuring Protocol-Based VLAN 57

Configuring IP Subnet-Based VLAN 58


4/881

Configure the CPU Port in an VLAN 58Displaying and Debugging a VLAN 59VLAN Configuration Example 59

8 SUPER

VLAN CONFIGURATION

Super VLAN Overview 61

Configuring a Super VLAN 61

9 ISOLATE-USER-VLAN CONFIGURATIONIsolate-user-VLAN Overview 65

Isolate-use-vlan Configuration Task 65Displaying and Debugging an isolate-user-VLAN 67Isolate-user-VLAN Configuration Example 68

10 IP ADDRESS CONFIGURATIONIntroduction to IP Addresses 71Configuring IP Address 73Displaying IP Address 76IP Address Configuration Example 76

Troubleshooting IP Address Configuration 77

11 IP PERFORMANCE CONFIGURATIONConfiguring IP Performance 79

Displaying and Debugging IP Performance 79Troubleshooting IP Performance 81

12 GARP&GVRP CONFIGURATIONConfiguring GARP 83Configuring GVRP 85

13 ETHERNET PORT CONFIGURATIONEthernet Port Overview 89Ethernet Port Configuration 89

Setting the Interval of Performing Statistics on Ports 92

Displaying and Debugging Ethernet Port 98Ethernet Port Configuration Example 98Ethernet Port Troubleshooting 99

14 LINK AGGREGATION CONFIGURATIONOverview 101Link Aggregation Configuration 104Displaying and Debugging Link Aggregation 108

Link Aggregation Configuration Example 108


5/881

15 PORT ISOLATION CONFIGURATIONPort Isolation Overview 111Configuration Tasks 111

Port Isolation Configuration Example 113

16 MAC ADDRESS TABLE MANAGEMENTMAC Address Table Management Overview 115

MAC Address Table Management Configuration 116Maximum MAC Address Number Learned by Ethernet Port and Forwarding OptionConfiguration 117Configuring Max Number of MAC Addresses that can be Learned in a VLAN 118Displaying and Debugging MAC Address Tables 119Resetting MAC Addresses 119

MAC Address Table Management Configuration Example 119

17 MSTP REGION-CONFIGURATIONIntroduction to MSTP 121Configuring MSTP 132Displaying and Debugging MSTP 150Typical MSTP Configuration Example 152

18 DIGEST SNOOPING CONFIGURATIONIntroduction to Digest Snooping 155

Digest Snooping Configuration 155

19 FAST TRANSITIONIntroduction 159Configuring Fast transition 160

20 BPDU TUNNEL CONFIGURATIONBPDU Tunnel Overview 163Configuring BPDU Tunnel 163BPDU Tunnel Configuration Example 164

21 ACL CONFIGURATIONACL Overview 167ACL Configuration Tasks 169Displaying and Debugging ACL Configurations 176ACL Configuration Example 177

22 QOS CONFIGURATIONQoS Overview 181Introduction to QoS Configuration Based on Port Groups 184QoS Configuration 188


6/881

QoS Configuration Example 202

23 LOGON USER ACL CONTROL CONFIGURATIONOverview 209

Configuring ACL for Telnet/SSH Users 209Configuring ACL for SNMP Users 212

24 VLAN-ACL CONFIGURATIONVLAN-ACL Overview 215VLAN-ACL Configuration 215

25 802.1X CONFIGURATION802.1x Overview 221802.1x Configuration 223

Displaying and Debugging 802.1x 229Packet Attack Prevention Configuration 230802.1x Configuration Example 230

26 AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATIONAAA and RADIUS/HWTACACS Protocol Overview 235AAA Configuration 239Configuring RADIUS Protocol 245Configuring HWTACACS Protocol 256

Displaying and Debugging AAA and RADIUS Protocol 261AAA and RADIUS/HWTACACS Protocol Configuration Examples 262Troubleshooting AAA and RADIUS/HWTACACS 265

27 PORTAL CONFIGURATIONPortal Overview 267

Basic Portal Configuration 270Portal Authentication-free User and Free IP Address Configuration 276Portal Rate Limit Function Configuration 278Portal User Deletion 278

28 IP ROUTING

PROTOCOL

OVERVIEW

Introduction to IP Route and Routing Table 279Routing Management Policy 282

29 STATIC ROUTE CONFIGURATIONIntroduction to Static Route 285Configuring Static Route 286Displaying and Debugging Static Route 287

Typical Static Route Configuration Example 288Troubleshooting Static Route Faults 289


7/881

30 RIP CONFIGURATIONIntroduction to RIP 291Configuring RIP 292

Displaying and Debugging RIP 300Typical RIP Configuration Example 300Troubleshooting RIP Faults 301

31 OSPF CONFIGURATIONOSPF Overview 303OSPF GR Overview 307Configuring OSPF 311Displaying and Debugging OSPF 330Typical OSPF Configuration Example 331

Troubleshooting OSPF Faults 336

32 INTEGRATED IS-IS CONFIGURATIONIntroduction to Integrated IS-IS 339Configuring Integrated IS-IS 343Displaying and Debugging Integrated IS-IS 358

Typical Integrated IS-IS Configuration Example 359

33 BGP CONFIGURATIONBGP/MBGP Overview 361

Configuring BGP 364Displaying and Debugging BGP 383

Typical BGP Configuration Examples 384Troubleshooting BGP 390

34 IP ROUTING POLICY CONFIGURATIONIntroduction to IP Routing Policy 393Configuring IP Routing Policy 394Displaying and Debugging the Routing Policy 401

Typical IP Routing Policy Configuration Example 401Troubleshooting Routing Policy 402

35 ROUTE CAPACITY CONFIGURATIONRoute Capacity Configuration 405

36 RECURSIVE ROUTING CONFIGURATIONRecursive Routing Configuration 407

37 IP MULTICAST OVERVIEWIP Multicast Overview 409


8/881

Implementation of IP Multicast 411RPF Mechanism for IP Multicast Packets 414

38 STATIC MULTICAST MAC ADDRESS CONFIGURATION

Static Multicast MAC Address Overview 417Configuring a Static Multicast MAC Address 417

Displaying and Maintaining Static Multicast MAC Address Configuration 418

39 IGMP SNOOPING CONFIGURATIONIGMP Snooping Overview 419

IGMP Snooping Configuration 422Multicast Static Routing Port Configuration 426Displaying and Maintaining IGMP Snooping 427IGMP Snooping Configuration Example 427Troubleshooting IGMP Snooping 428

40 MULTICAST VLAN CONFIGURATIONMulticast VLAN Overview 431Multicast VLAN Configuration 431

Multicast VLAN Configuration Example 432

41 COMMON MULTICAST CONFIGURATIONIntroduction to Common Multicast Configuration 435

Common Multicast Configuration 435Managed multicast Configuration 437Configuring Broadcast/Multicast Suppression 439Displaying and Debugging Common Multicast Configuration 440

42 IGMP CONFIGURATIONIGMP Overview 441Introduction to IGMP Proxy 442IGMP Configuration 444Displaying and Debugging IGMP 453

43 PIM-DM CONFIGURATION

PIM-DM Overview 455PIM-DM Configuration 456Displaying and Debugging PIM-DM 459PIM-DM Configuration Example 460

44 PIM-SM CONFIGURATIONPIM-SM Overview 463

PIM-SM Configuration 465Displaying and Debugging PIM-SM 469


9/881

PIM-SM Configuration Example 469

45 MSDP CONFIGURATIONMSDP Overview 473

MSDP Configuration 476Displaying and Debugging MSDP 482MSDP Configuration Examples 483

46 MBGP MULTICAST EXTENSION CONFIGURATIONMBGP Multicast Extension Overview 493MBGP Multicast Extension Configuration 494

Displaying and Debugging MBGP Configuration 501MBGP Multicast Extension Configuration Example 501

47 MPLS ARCHITECTUREMPLS Overview 507MPLS Basic Concepts 507MPLS Architecture 510

48 MPLS BASIC CAPABILITY CONFIGURATIONMPLS Basic Capability Overview 515MPLS Configuration 515LDP Configuration 517

Displaying and Debugging MPLS Basic Capability 521Typical MPLS Configuration Example 523Troubleshooting MPLS Configuration 526

49 BGP/MPLS VPN CONFIGURATIONBGP/MPLS VPN Overview 529BGP/MPLS VPN Configuration 537Displaying and Debugging BGP/MPLS VPN 550Typical BGP/MPLS VPN Configuration Example 552

Troubleshooting BGP/MPLS VPN Configuration 599

50 CARD INTERMIXINGFOR MPLS SUPPORTOverview 601Restrictions in Intermixing Networking 602Intermixing Configuration Task 603Restrictions in Networking of Various MPLS Cards 611

51 MPLS VLLMPLS L2VPN Overview 613

CCC MPLS L2VPN Configuration 616Martini MPLS L2VPN Configuration 621


10/881

Kompella MPLS L2VPN Configuration 625Displaying and Debugging MPLS L2VPN 629Troubleshooting MPLS L2VPN 630

52 VPLS CONFIGURATION

VPLS Overview 633

Basic VPLS Network Architectures 634VPLS Operational Principle 635Concepts Related to VPLS 637VPLS Basic Configuration 638Displaying and Debugging VPLS 646VPLS Basic Configuration Example 646

Troubleshooting VPLS 650

53 VRRP CONFIGURATIONIntroduction to VRRP 653Configuring VRRP 654Displaying and debugging VRRP 659VRRP Configuration Example 660Troubleshooting VRRP 664

54 HA CONFIGURATIONIntroduction to HA 667Configuring HA 667Displaying and Debugging HA Configuration 669

HA Configuration Example 670

55 ARP CONFIGURATIONIntroduction to ARP 671

Configuring ARP 672Displaying and Debugging ARP 675

56 ARP TABLE SIZE CONFIGURATIONIntroduction to ARP Table Size Configuration 677Configuring ARP Table Size Dynamically 678

Displaying ARP Table Size Configuration 678Configuration Example 679

57 DHCP CONFIGURATIONSome Concepts about DHCP 681Configuring General DHCP 684Configuring DHCP Server 686Configuring DHCP Relay 698DHCP Option 82 Configuration 702


11/881

58 DNS CONFIGURATIONIntroduction to DNS 709Configuring Static Domain Name Resolution 710

Configuring Dynamic Domain Name Resolution 710Displaying and Debugging Domain Name Resolution 711DNS Configuration Example 711Troubleshooting Domain Name Resolution Configuration 712

59 NETSTREAM CONFIGURATIONNetstream Overview 713Netstream Configuration 714Netstream Configuration Examples 716

60 NDP CONFIGURATION

Introduction to NDP 719Introduction to NDP Configuration Tasks 719NDP Configuration Example 721

61 POE CONFIGURATIONPoE Overview 723PoE Configuration 724Comprehensive Configuration Example 726

62 POE PSU SUPERVISION CONFIGURATION

Introduction to PoE PSU Supervision 729AC Input Alarm Thresholds Configuration 729

DC Output Alarm Thresholds Configuration 730Displaying PoE Supervision Information 731PoE PSU Supervision Configuration Example 731

63 UDP HELPER CONFIGURATIONOverview 733Configuring UDP Helper 733Displaying UDP Helper 735

64 SNMP CONFIGURATIONSNMP Overview 737

SNMP Versions and Supported MIB 737Configuring SNMP 738Displaying and Debugging SNMP 743SNMP Configuration Example 743


12/881

65 RMON CONFIGURATIONRMON Overview 747Configuring RMON 747Displaying and Debugging RMON 750

RMON Configuration Example 751

66 NTP CONFIGURATIONBrief Introduction to NTP 753NTP Configuration 755Displaying and Debugging NTP 760

NTP Configuration Example 761

67 SSH TERMINAL SERVICESSH Terminal Service 769

SFTP Service 781

68 FILE SYSTEM MANAGEMENTFile System Configuration 789

69 DEVICEMANAGEMENTDevice Management Overview 793

Device Management Configuration 793Displaying and Debugging Device Management 796Device Management Configuration Example 796

70 FTP&TFTP CONFIGURATIONFTP Configuration 801

TFTP Configuration 806

71 INFORMATION CENTERInformation Center Function 811

72 SYSTEM MAINTENANCEAND DEBUGGINGBasic System Configuration 835

Displaying the Status and Information of the System 836System Debugging 836Testing Tools for Network Connection 838

73 PROTOCOL PORT SECURITY CONFIGURATIONIntroduction to Protocol Port Security 841


13/881

74 PACKET STATISTICS CONFIGURATIONIntroduction to Egress Packet Statistics 843

75 ETHERNET PORT LOOPBACK DETECTION

Ethernet Port Loopback Detection Function 845Configuring the Loopback Detection Function 845Displaying and Maintaining the Loopback Detection Function 845

76 QINQ CONFIGURATIONQinQ Overview 847VLAN VPN Configuration 849VLAN VPN Configuration 849Traffic Classification-Based Nested VLAN Configuration 850Adjusting TPID Values for QinQ Packets 853

VLAN-VPN Tunnel Configuration 855

77 NQA CONFIGURATIONIntroduction to NQA 861NQA Configuration 861Displaying and Maintaining NQA 865

78 PASSWORD CONTROL CONFIGURATIONIntroduction to Password Control Configuration 867

79 ACRONYMS


14/881


15/881

Conventions 15

ABOUT THIS GUIDE

This guide describes the 3Com Switch 8800 and how to install hardware,configure and boot software, and maintain software and hardware. This guidealso provides troubleshooting and support information for your switch.

This guide is intended for Qualified Service personnel who are responsible forconfiguring, using, and managing the switches. It assumes a working knowledgeof local area network (LAN) operations and familiarity with communicationprotocols that are used to interconnect LANs.

nAlways download the Release Notes for your product from the 3Com World WideWeb site and check for the latest updates to software and product

documentation:http://www.3com.com

Conventions Table 1 lists icon conventions that are used throughout this guide.

Table 2 lists text conventions that are used throughout this guide.

Table 1 Notice Icons

Icon Notice Type Description

nInformation note Information that describes important features or

instructions.

cCaution Information that alerts you to potential loss of dataor potential damage to an application, system, or

device.

wWarning Information that alerts you to potential personal

injury.

Table 2 Text Conventions

Convention Description

Screen displays This typeface represents information as it appears on the

screen.Keyboard key names If you must press two or more keys simultaneously, the key

names are linked with a plus sign (+), for example:

Press Ctrl+Alt+Del

The words enter and type When you see the word enter in this guide, you must typesomething, and then press Return or Enter. Do not pressReturn or Enter when an instruction simply says type.


16/881


17/881

1PRODUCT OVERVIEW

Product Overview The 3Com Switch 8800 Family Series Routing Switches (hereinafter referred to asSwitch 8800 Family series) are a series of large capacity, modularized L2/L3switches. They are mainly designed for broadband MAN, backbone, switchingcore and convergence center of large-sized enterprise network and campusnetwork. They provide diverse services and can be used in constructing stable andhigh-performance IP network. The series include the following main models:

Switch 8807 routing switch

Switch 8810 routing switch Switch 8814 routing switch

Switch 8800 Family series use integrated chassis, which can be subdivided intopower supply area, module area, backplane and fan area.

For Switch 8807, in the module area, there are seven slots: the top two (slot0,slot1) accommodate fabric modules, which are in 1+1 redundancy; the remainingfive accommodate I/O Modules.

For Switch 8810, in the module area, there are 10 slots: the two (slot4, slot5) inthe middle accommodate fabric modules, which are in 1+1 redundancy; the

remaining 8 accommodate I/O Modules.

For Switch 8814, in the module area, there are 14 slots: the two (slot6, slot7) inthe middle accommodate fabric modules, which are in 1+1 redundancy; theremaining 12 accommodate I/O Modules, which can be hybrid. For specificconfigurations of the hybrid modules, refer to the "BGP/MPLS VPN Configuration"section of the MPLS module.

Switch 8800 Family series support the following services:

Internet broadband access

MAN, enterprise/campus networking

Providing multicast service and multicast routing and supporting multicastaudio and video services.


18/881


19/881

Function Features 19

MPLS

L3 multiprotocol label switching (MPLS) VPN (option1/2/3),embedded MPLS VPN, hierarchical PE (HoPE), CE dualhoming, MCE, and multi-role host

VLL, including Martini, Kompella and CCC modesVPLS

Quality of service (QoS)

Supports different types of traffic classification, includingport-based, VLAN-based, COS priority-based, IPaddress-based, TOS priority-based, DSCP priority-based,TCP/UDP port-based, protocol type-based, and class ofservice (CoS)-based traffic classification

Traffic supervision. The granularity is 8 Kbps

Traffic shaping

Priority mark/Remark

Queue scheduling: supports strict priority queuing (SP),weighted round robin (WRR), and SP+WRR

Congestion avoidance algorithms Tail-Drop and WRED

Supports up to eight priority queues per port

Security features

Multi-level user management and password protection

Password control

802.1X authentication

Packet filtering

Port-based receiving broadcast frame control and supportsrate calculation in terms of bytes or packets

Guards against attack through anti-virus protocol packets,such as DOS attack

AAA/RADIUS/HWTACACS

SSH 2.0

Firewall Application Module and IPsec Application Module

Portal

Accounting of education networks

Dedicated service processing Netstream

QinQPort-based VLAN VPN

Selective QinQ

Table 1 Function features

Features Implementation


20/881

20 CHAPTER 1: PRODUCT OVERVIEW

Management and Maintenance

Command line interface configuration

Local configuration through the Console port and the AUXport

Local and remote configuration through Telnet on anEthernet port

Remote configuration through modem dialup through theAUX port.

SNMP management (supports 3Coms networkmanagement products, remote monitoring (RMON) MIBgroup 1, 2, 3 and 9)

VPN manager (a MPLS VPN network management tool

System logs

Hierarchical alarms

Output of the debugging information

Ping and TracertNetwork Quality Assurance (NQA)

Loading and updating

Supports to load and upgrade software through theXModem protocol

Supports to load and upgrade software through the filetransfer protocol (FTP) and the trivial file transfer protocol(TFTP)

Simultaneous loading of BootROM and host software

Table 1 Function features

Features Implementation


21/881

2COMMAND LINE INTERFACE

Command LineInterface

3Com series switches provide a series of configuration commands and commandline interfaces for configuring and managing the switch. The command lineinterface has the following characteristics:

Local configuration via the Console port and AUX port.

Local or remote configuration via Telnet.

Remote configuration through dialing with modem via the AUX port.

Hierarchy command protection to avoid the unauthorized users accessingswitch.

Enter a "?" to get immediate online help.

Provide network testing commands, such as Tracert and Ping, to fasttroubleshoot the network.

Provide various detailed debugging information to help with networktroubleshooting.

Log in and manage other switch directly, using the Telnet command.

Provide FTP service for the users to upload and download files.

Provide the function similar to Doskey to execute a history command.

The command line interpreter searches for target not fully matching thekeywords. It is ok for you to key in the whole keyword or part of it, as long as itis unique and not ambiguous.

Command Line View 3Com series switches provide hierarchy protection for the command lines to avoidunauthorized user accessing illegally.

Commands are classified into four levels, namely visit level, monitoring level,configuration level and management level. They are introduced as follows:

Visit level: Commands of this level involve command of network diagnosis tool

(such as ping and tracert), command of switch between different languageenvironments of user interface (language-mode) and the telnet command.The operation of saving configuration file is not allowed on this level ofcommands.

Monitoring level: Commands of this level, including the display command andthe debugging command, are used to system maintenance, service faultdiagnosis, etc. The operation of saving configuration file is not allowed on thislevel of commands.


22/881

22 CHAPTER 2: COMMAND LINE INTERFACE

Configuration level: Service configuration commands, including routingcommand and commands on each network layer, are used to provide directnetwork service to the user.

Management level: They are commands that influence basis operation of thesystem and system support module, which plays a support role on service.

Commands of this level involve file system commands, FTP commands, TFTPcommands, XModem downloading commands, user management commands,and level setting commands.

At the same time, login users are classified into four levels that correspond to thefour command levels respectively. After users of different levels log in, they canonly use commands at the levels that are equal to or lower than its own level.

In order to prevent unauthorized users from illegal intrusion, user will be identifiedwhen switching from a lower level to a higher level with super [ level] command.User ID authentication is performed when users at lower level switch to users athigher level. In other words, user password of the higher level is needed (Suppose

the user has set the super password [ levellevel] { simple | cipher }password.)For the sake of confidentiality, on the screen the user cannot see the passwordthat he entered. Only when correct password is input for three times, can the userswitch to the higher level. Otherwise, the original user level will remainunchanged.

Different command views are implemented according to different requirements.They are related to one another. For example, after logging in the switch, you willenter user view, in which you can only use some basic functions such as displayingthe running state and statistics information. In user view, key in system-view toenter system view, in which you can key in different configuration commands andenter the corresponding views.

The command line provides the following views:

User view

System view

Port view

VLAN view

VLAN interface view

Local-user view

User interface view

FTP Client command view SFTP Client view

MST region view

PIM view

MSDP view

IPv4 multicast sub-address family view

RIP view

OSPF view


23/881

Command Line View 23

OSPF area view

BGP view

IS-IS view

Route policy view

Basic ACL view Advanced ACL view

Layer-2 ACL view

Conform-level view

WRED index view

RADIUS server group view

ISP domain view

MPLS view

VPNv4 sub-address family view

VPN-instance sub-address family view

BGP-VPNv4 sub-address family view

MPLS L2VPN view

L2VPN address family view

Route-Policy view

vpn-instance view

OSPF protocol view

Remote-peer view

VSI-LDP view

VSI view

HWTACACS view

Port group view

The following table describes the function features of different views and the waysto enter or quit. Port numbers are only for examples.

Table 2 Function feature of command view

Commandview Function Prompt

Command toenter

Command toexit

User viewShow the basicinformationabout operationand statistics

Enter right afterconnecting theswitch

Use quit to endthedisconnectionwith the switch

System view Configure systemparameters [SW8800]Key insystem-view inuser view

Use quit orreturn to returnto user view


24/881


Port view

Ethernet portview:

ConfigureEthernet portparameters

[3Com-Ethernet2/1/1]

100M Ethernetport view

Key in interfaceethernet 2/1/1in system view

Use quit toreturn to systemview

Use return toreturn to userview

[3Com-GigabitEthernet2/1/1]

GigabitEthernetport view

Key in interfacegigabitethernet2/1/1 in systemview

[3Com-GigabitEthernet2/1/1]

10G Ethernetport view

Key in interfacegigabitethernet

2/1/1 in systemview

VLAN view Configure VLANparameters [3Com-Vlan1]Key in vlan 1 insystem view



VLAN interfaceview

Configure IPinterfaceparameters for aVLAN or a VLANaggregation

[3Com-Vlan-interface1]

Key in interfacevlan-interface 1in system view

Use quit to

return to systemview


Local-user view Configure localuser parameters [3Com-luser-user1]Key in local-useruser1 in systemview



User interfaceview

Configure user

interfaceparameters

[3Com-ui0]

Key in

user-interface 0in system view



FTP clientcommand view

Configure FTPClientparameters

[ftp] Key in ftp in userview




Command toenter

Command toexit


25/881


SFTP Clientview

Configure SFTPClientparameters

Key in sftpip-address insystem view

Use quit toreturn to system

viewUse return toreturn to userview

MST regionview

Configure MSTregionparameters

[3Com-mst-region]

Key in stpregion-configuration in systemview



PIM view Configure PIM

parameters

[3Com-PIM] Key in pim in

system view



MSDP viewConfigure MSDPparameters [3Com-msdp]

Key in msdp insystem view



IPv4 multicastsub-address

family view

Enter the IPv4multicastsub-addressfamily view toconfigure MBGP

multicastextensionparameters

[3Com-bgp-af-mul]

Key inipv4-familymulticast in BGP

view

Use quit toreturn to BGPview


RIP view Configure RIPparameters [3Com-rip]Key in rip insystem view



OSPF viewConfigure OSPFparameters [3Com-ospf-1]

Key in ospf insystem view


Use return to

return to userview

OSPF area viewConfigure OSPFarea parameters

[3Com-ospf-1-area-0.0.0.1]

Key in area 1 inOSPF view

Use quit toreturn to OSPFview




Command toenter

Command toexit


26/881


BGP view Configure BGPparameters [3Com-bgp] Key inbgp 100in system view



IS-IS view Configure IS-ISparameters [3Com-isis]Key in isis insystem view



Route policy

view

Configure route

policy parameters

[3Com-route-policy]

Key inroute-policypolicy1 permitnode 10 insystem view



Basic ACL view Define the rule ofbasic ACL[3Com-acl-basic-2000]

Key in aclnumber 2000 insystem view



Advanced ACLview

Define the rule ofadvanced ACL [3Com-acl-adv-3000]



Use return to

return to userview

Layer-2 ACLview

Define the rule oflayer-2 ACL [3Com-acl-link-4000]




Conform-levelview

Configure the"DSCP +Conform-levelService group"mapping tableand"EXP +

Conform-level->serviceparameters"mapping table and"Local-precedence +Conform-level802.1p priority"mapping table

[3Com-conform-level-0]

Key in qosconform-level 0in system view





Command toenter

Command toexit


27/881


WRED indexview Configure WREDparameters [3Com-wred-0] Key in wred 0 insystem view



RADIUS servergroup view

Configure radiusparameters [3Com-radius-1]

Key in radiusscheme 1 insystem view



ISP domainview

Configure ISPdomain

parameters

[3Com-isp-3Com163.net]

Key in domain3Com163.net in

system view

Use to return tosystem view

Use return to

return to userview

MPLS view Configure MPLSparameters [3Com-mpls]Key in mpls insystem view



VPNv4sub-addressfamily view

Configure VPNv4address familyparameters

[3Com-bgp-af-vpn]

Key inipv4-familyvpnv4 in BGPview


Use return toreturn to user

view

VPN-instancesub-addressfamily view

Configure VPNinstancesub-addressfamilyparameters

[3Com-bgp-af-vpn-instance]

Key inipv4-familyvpn-instancevpna in BGP/RIPview



BGP-VPNv4sub-addressfamily view

ConfigureBGP-VPNv4sub-addressfamilyparameters

[3Com-bgp-af-vpn]

Key inipv4-familyvpn-instance inBGP/RIP view



MPLS L2VPNview

Configure MPLSL2VPN serviceparameters

[3Com-mpls-l2vpn-vpna]

Key in mplsl2vpn vpnaencapsulationEthernet insystem view



L2VPN addressfamily view

Configure L2VPNserviceparameters

[3Com-bgp-af-l2vpn]Key inl2vpn-family inBGP view





Command toenter

Command toexit


28/881


Route-Policyview

Configure

Route-Policyserviceparameters

[3Com-route-policy]

Key inroute-policy

route-policy-name { permit | deny} nodenode-numberinsystem view



vpn-instanceview

Configurevpn-instanceparameters

[3Com-vpn-vpn-instance_blue]

Key in ipvpn-instancevpn-instance_vpna in systemview



OSPF protocolview

Configure OSPFprotocolparameters

[3Com-ospf-100]

Key in ospfprocess-id[router-id

router-id-number] [ vpn-instancevpn-instance-name ] in systemview



Remote-peerview

Configure MPLSpeer groupparameters

[3Com-mpls-remote1]

Key in mplsremote1



VSI-LDP viewConfigure someVPLS features [8500-vsi-3Com-ldp]

Key in vsi 3Comin system view

Key in pwsignalldp in vsi view

Use quit toreturn to vsiview


VSI view Specify VPLSmode [8500-vsi-3Com]Key in vsi 3Comin system view



HWTACACSview

ConfigureHWTACACSprotocol

parameters

[8500-hwtacacs-3Com]

Key in hwtacacsscheme 3Com in

system view



Port groupview

Combine theports with thesameconfiguration,omittingrepeatedconfigurationprocedure

[8500-port-group X]Key inport-group X insystem view





Command toenter

Command toexit


29/881

Features and Functions of Command Line 29

Features andFunctions ofCommand Line

Online Help ofCommand Line The command line interface provides the following online help modes. Full help

Partial help

You can get the help information through these online help commands, which aredescribed as follows.

1 Input "?" in any view to get all the commands in it and correspondingdescriptions.

?

User view commands:

language-mode Specify the language environment

ping Ping functionquit Exit from current command viewsuper Privilege current user a specified priority level

telnet Establish one TELNET connection

tracert Trace route function

2 Input a command with a "?" separated by a space. If this position is for keywords,all the keywords and the corresponding brief descriptions will be listed.

language-mode ?

chinese Chinese environment

english English environment

3 Input a command with a "?" separated by a space. If this position is forparameters, all the parameters and their brief descriptions will be listed.

[SW8800] garp timer leaveall ?

INTEGER Value of timer in centiseconds

(LeaveAllTime > (LeaveTime [On all ports]))

Time must be multiple of 5 centiseconds

[SW8800] garp timer leaveall 300 ?

indicates no parameter in this position. The next command line repeats thecommand, you can press to execute it directly.

4 Input a character string with a "?", then all the commands with this characterstring as their initials will be listed.

p?ping pwd

5 Input a command with a character string and "?", then all the key words with thischaracter string as their initials in the command will be listed.

display ver?

version

6 Input the first letters of a keyword of a command and press key. If no otherkeywords are headed by this letters, then this unique keyword will be displayedautomatically.


30/881


7 To switch to the Chinese display for the above information, perform thelanguage-mode command.

DisplayingCharacteristics of

Command Line

Command line interface provides the following display characteristics:

For users convenience, the instruction and help information can be displayedin both English and Chinese.

For the information to be displayed exceeding one screen, pausing function isprovided. In this case, users can have three choices, as shown in the tablebelow.

History Command ofCommand Line

Command line interface provides the function similar to that of DosKey. Thecommands entered by users can be automatically saved by the command lineinterface and you can invoke and execute them at any time later. Historycommand buffer is defaulted as 10. The operations are shown in the table below.

nCursor keys can be used to retrieve the history commands in Windows 3.XTerminal and Telnet. However, in Windows 9X HyperTerminal, the cursor keys and do not work, because Windows 9X HyperTerminal defines the two keysdifferently. In this case, use the combination keys and insteadfor the same purpose.

Common Command Line

Error Messages

All the input commands by users can be correctly executed, if they have passed

the grammar check. Otherwise, error messages will be reported to users. Thecommon error messages are listed in the following table.

Table 3 Functions of displaying

Key or Command Function

Press when the display pauses Stop displaying and executing command.

Enter a space when the display pauses Continue to display the next screen ofinformation.

Press when the display pauses

Continue to display the next line of

information.

Table 4 Retrieve history command

Operation Key Result

Display history command display history-command Display history command byuser inputting

Retrieve the previous historycommand Up cursor key or Retrieve the previous historycommand, if there is any.

Retrieve the next historycommand

Down cursor key or

Retrieve the next historycommand, if there is any.

Table 5 Common command line error messages

Error messages Causes

Unrecognized command

Cannot find the command.

Cannot find the keyword.

Wrong parameter type.

The value of the parameter exceeds the range.


31/881

Features and Functions of Command Line 31

Editing Characteristics ofCommand Line

Command line interface provides the basic command editing function andsupports to edit multiple lines. A command cannot longer than 256 characters.See the table below.

Incomplete command The input command is incomplete.

Too many parameters Enter too many parameters.

Ambiguous command The parameters entered are not specific.

Table 5 Common command line error messages

Error messages Causes

Table 6 Editing functions

Key Function

Common keysInsert from the cursor position and the cursormoves to the right, if the edition buffer stillhas free space.

Backspace

Delete the character preceding the cursor and

the cursor moves backward.Leftwards cursor key or Move the cursor a character backward

Rightwards cursor key or Move the cursor a character forward

Up cursor key or

Down cursor key or Retrieve the history command.

Press after typing the incomplete keyword and the system will execute the partialhelp: If the key word matching the typed oneis unique, the system will replace the typedone with the complete key word and display itin a new line; if there is not a matched keyword or the matched key word is not unique,the system will do no modification but display

the originally typed word in a new line.


32/881



33/881

3LOGGINGINTO SWITCH

Setting UpConfigurationEnvironment throughthe Console Port

Step 1: As shown in the figure below, to set up the local configurationenvironment, connect the serial port of a PC (or a terminal) to the Console port ofthe switch with the Console cable.

Figure 1 Set up the local configuration environment through the Console port

Step 2: Run a terminal emulator (such as Terminal of Windows 3X orHyperTerminal of Windows 9X) on the computer. Set the terminal communicationparameters as follows: Set "Bits per second" to "9600", "Data bits" to "8","Parity" to "none", "Stop bits" to "1", and "Flow control" to "none", and selectthe "VT100" as the terminal type.

Figure 2 Set up new connection

Console port

RS-232 Serial port

Console cable


34/881

34 CHAPTER 3: LOGGINGINTO SWITCH

Figure 3 Configure the port for connection

Figure 4 Set communication parameters

Step 3: The switch is powered on. Display self-test information of the switch andprompt you to press Enter to show the command line prompt such as .

Step 4: Input a command to configure the switch or view the operation state.Input a "?" for help. For details of specific commands, refer to the followingchapters.

Setting upConfigurationEnvironment throughTelnet

Connecting a PC to theSwitch through Telnet

After you have correctly configured IP address of a VLAN interface for a switch viaConsole port (using ip address command in VLAN interface view), and added theport (that connects to a terminal) to this VLAN (using port command in VLANview), you can telnet this switch and configure it.


35/881

Setting up Configuration Environment through Telnet 35

Step 1: Before logging into the switch through telnet, you need to configure theTelnet user name and password on the switch through the console port.

nBy default, the password is required for authenticating the Telnet user to log in tothe switch. If a user logs in via the Telnet without password, he will see the prompt"Login password has not been set !".

system-view

Enter system view , return user view with Ctrl+Z.

[SW8800] user-interface vty 0

[3Com-ui-vty0] set authentication password simple xxxx (xxxx is the

login password of Telnet user)

Step 2: To set up the configuration environment, connect the Ethernet port of thePC to that of the switch via the LAN, as shown in Figure 5.

Figure 5 Set up configuration environment through telnet

Step 3: Run Telnet on the PC and input the IP address of the VLAN connected to

the PC port, as shown in Figure 6.

Figure 6 Run Telnet

Step 4: The terminal displays "Login authentication!" and prompts the user toinput the logon password. After you input the correct password, it displays thecommand line prompt (such as ). If the prompt "All user interfaces areused, please try later! The connection was closed by the remote host!" appears, itindicates that the maximum number of Telnet users that can be accessed to theswitch is reached at this moment. In this case, please reconnect later. At most 5Telnet users are allowed to log on to the 3Com series switches simultaneously.

Step 5: Use the corresponding commands to configure the switch or to monitorthe running state. Enter "?" to get the immediate help. For details of specificcommands, refer to the following chapters.

Workstation

WorkstationServer PC ( for configuring the switch

via Telnet )

Ethernet port

Ethernet

Workstation

WorkstationServer PC ( for configuring the switch

via Telnet )

Ethernet port

Ethernet


36/881


n When configuring the switch via Telnet, do not modify the IP address of it

unless necessary, for the modification might cut the Telnet connection.

By default, when a Telnet user passes the password authentication to log on tothe switch, he can access the commands at Level 0.

Accessing a Switchthrough another Switch

via Telnet

After a user has logged in to a switch, he or she can configure another switchthrough the switch via Telnet. The local switch serves as Telnet client and the peerswitch serves as Telnet server. If the ports connecting these two switches are in asame local network, their IP addresses must be configured in the same networksegment. Otherwise, the two switches must establish a route that can reach eachother.

As shown in the figure below, after you telnet to a switch, you can run telnetcommand to log in and configure another switch.

Figure 7 Provide Telnet Client service

Step 1: Configure the Telnet user name and password on the Telnet Serverthrough the console port.

nBy default, the password is required for authenticating the Telnet user to log in to

the switch. If a user logs in via the Telnet without password, he will see the prompt"Login password has not been set !.".

system-view

System View: return to User View with Ctrl+Z[SW8800] user-interface vty 0

[3Com-ui-vty0] set authentication password simple xxxx (xxxx is the

login password of Telnet user)

Step 2: The user logs in the Telnet Client (switch). For the login process, refer tothe section describing "Connecting a PC to the Switch through Telnet".

Step 3: Perform the following operations on the Telnet Client:

telnet xxxx (xxxx can be the hostname or IP address of the Telnet Server. If it is the hostname, you need to use the ip host command to specify.)

Step 4: Enter the preset login password and you will see the prompt such. If the prompt "All user interfaces are used, please try later! Theconnection was closed by the remote host!" appears, it indicates that themaximum number of Telnet users that can be accessed to the switch is reached atthis moment. In this case, please connect later.

Step 5: Use the corresponding commands to configure the switch or view itrunning state. Enter "?" to get the immediate help. For details of specificcommands, refer to the following chapters.

Telnet ClientPC Telnet Server


37/881

Setting Up Configuration Environment through Modem Dial-up 37

Setting UpConfigurationEnvironment throughModem Dial-up

Step 1: The modem user is authenticated via the Console port of the switch beforehe or she logs in to the switch through a dial-up Modem.

n By default, the password is required for authenticating the Modem user to log into the switch. If a user logs in via the Modem without password, he or she will seethe prompt "Login password has not been set !.".

system-view

System View: return to User View with Ctrl+Z..

[SW8800] user-interface aux 0

[3Com-ui-aux0] set authentication password simple xxxx (xxxx is the

login password of the Modem user.)

Step 2: As shown in the figure below, to set up the remote configurationenvironment, connect the Modems to a PC (or a terminal) serial port and theswitch AUX port respectively.

Figure 8 Set up remote configuration environment

Step 3: Dial for connection to the switch, using the terminal emulator and Modemon the remote end. The number dialed shall be the telephone number of theModem connected to the switch. See the two figures below.

Figure 9 Set the dialed number


38/881


Figure 10 Dial on the remote PC

Step 4: Enter the preset login password on the remote terminal emulator and waitfor the prompt such as . Then you can configure and manage theswitch. Enter "?" to get the immediate help. For details of specific commands,

refer to the following chapters.

nBy default, when a Modem user logs in, he can access the commands at Level 0.


39/881

4USER INTERFACE CONFIGURATION

User InterfaceOverview

To facilitate system management, the switches support user interface basedconfiguration for the configuration and management of port attributes. Presently,the Switch 8800 Family series switches support the following user interface basedconfiguration methods:

Local configuration via the Console port and AUX port

Local and remote configuration through Telnet on Ethernet port

Remote configuration through dialing with modem via the AUX port.According to the above-mentioned configuration methods, there are three typesof user interfaces:

Console user interface

Console user interface is used to log in to the switch via the Console port. Aswitch can only have one Console user interface.

AUX user interface

AUX user interface is used to log in to the switch locally or remotely with a modem

via the AUX port. A switch can only have one AUX user interface. The localconfiguration for it is similar to that for the Console user interface.

VTY user interface

VTY user interface is used to telnet the switch. A switch can have up to five VTYuser interface.

User interface is numbered in the following two ways: absolute number andrelative number.

Absolute number

The user interfaces of the Switch 8800 Family routing switch include three types,which are sequenced as follows: console interface (CON), auxiliary interface (AUX)and virtual interface (VTY). A switch has one CON, one AUX and multiple VTYs.The first absolute number is designated as 0; the second one is designated as 1;and so on. This method can specify a unique user interface or a group ofinterfaces.

It follows the rules below.

Console user interface is numbered as the first interface designated as userinterface 0.


40/881

40 CHAPTER 4: USER INTERFACE CONFIGURATION

AUX user interface is numbered as the second interface designated as userinterface 1.

VTY is numbered after AUX user interface. The absolute number of the firstVTY is incremented by 1 than the AUX user interface number.

Relative numberThe relative number is in the format of "user interface type" + "number". The"number" refers to the internal number for each user interface type. This methodcan only specify one interface or one group of interfaces for a user interface typeinstead of different user interface types.

It follows the rules below:

Number of Console user interface: console 0.

Number of AUX user interface: AUX 0.

Number of VTY: The first VTY interface is designated as VTY 0; the second one

is designated as VTY 1, and so on.

User InterfaceConfiguration

The following sections describe the user interface configuration tasks.

Entering User Interface View

Define the Login Header

Configuring Asynchronous Port Attributes

Configuring Terminal Attributes

Managing Users

Configuring Modem Attributes

Configuring Redirection

Entering User InterfaceView

The following command is used for entering a user interface view. You can enter asingle user interface view or multi user interface view to configure one or moreuser interfaces respectively.

Perform the following configuration in system view.

Define the Login Header The following command is used for configuring the displayed header when userlogin.

When the users log in to the switch, if a connection is activated, the login headerwill be displayed. After the user successfully logs in the switch, the shell headerwill be displayed.


Table 7 Enter user interface view

Operation Command

Enter a single user interface view or multi user

interface views

user-interface [ type ] first-number[

last-number]


41/881

User Interface Configuration 41

Note that if you press after typing any of the three keywords shell, loginand incoming in the command, then what you type after the word header is thecontents of the login information, instead of identifying header type.

ConfiguringAsynchronous Port

Attributes

The following commands can be used for configuring the attributes of theasynchronous port in asynchronous interactive mode, including speed, flowcontrol, parity, stop bit and data bit.

Perform the following configurations in user interface (Console and AUX userinterface only) view.

Configuring the transmission speed

By default, the transmission speed on an asynchronous port is 9600bps.

Configuring flow control

By default, the flow control on an asynchronous port is none, that is, no flowcontrol will be performed.

Configuring parity

By default, the parity on an asynchronous port is none, that is, no parity bit.

Configuring the stop bit

Table 8 Configure the login header.

Operation Command

Configure the login header header [ shell | incoming | login ] text

Remove the login header configured undo header [ shell | incoming | login ]

Table 9 Configure the transmission speed

Operation Command

Configure the transmission speed speedspeed-value

Restore the default transmission speed undo speed

Table 10 Configure flow control

Operation CommandConfigure the flow control flow-control { hardware | none | software }

Restore the default flow control mode undo flow-control

Table 11 Configure parity

Operation Command

Configure parity mode parity { even | mark | none | odd | space }

Restore the default parity mode undo parity

Table 12 Configure the stop bit

Operation Command

Configure the stop bit stopbits { 1 | 1.5 | 2 }

Restore the default stop bit undo stopbits


42/881


By default, an asynchronous port supports 1 stop bit.

Note that setting 1.5 stop bits is not available on Switch 8800 Family series atpresent.

Configuring the data bit

By default, an asynchronous port supports 8 data bits.

Configuring TerminalAttributes

The following commands can be used for configuring the terminal attributes,including enabling/disabling terminal service, disconnection upon timeout,lockable user interface, configuring terminal screen length and history command

buffer size.

Perform the following configuration in user interface view. Perform lockcommand in user view.

Enabling/disabling terminal service

After the terminal service is disabled on a user interface, you cannot log in to theswitch through the user interface. However, the user logged in through the userinterface before disabling the terminal service can continue his operation. Aftersuch user logs out, he cannot log in again. In this case, a user can log in to theswitch through the user interface only when the terminal service is enabled again.

By default, terminal service is enabled on all the user interfaces.

Note the following points:

For the sake of security, the undo shell command can only be used on the userinterfaces other than Console user interface.

You cannot use this command on the user interface via which you log in.

You will be asked to confirm before using undo shell on any legal userinterface.

Configuring idle-timeout

Table 13 Configure the data bit

Operation Command

Configure the data bit databits { 7 | 8 }

Restore the default data bit undo databits

Table 14 Enable/disable terminal service

Operation Command

Enable terminal service shell

Disable terminal service undo shell

Table 15 Configure idle-timeout

Operation Command

Configure idle-timeout idle-timeoutminutes [seconds ]

Restore the default idle-timeout undo idle-timeout


43/881


By default, idle-timeout is enabled and set to 10 minutes on all the user interfaces.That is, the user interface will be disconnected automatically after 10 minuteswithout any operation.

idle-timeout 0 means disabling idle-timeout.

Locking user interface

This configuration is to lock the current user interface and prompt the user toenter the password. This makes it impossible for others to operate in the interfaceafter the user leaves.

Setting the screen length

If a command displays more than one screen of information, you can use the

following command to set how many lines to be displayed in a screen, so that theinformation can be separated in different screens and you can view it moreconveniently.

Note that the number of lines that can be displayed in each screen remains thesame when screen-length is set to 1 or 2.

By default, 24 lines (including the multi-screen identifier lines) are displayed in onescreen when the multi-screen display function is enabled .

Use screen-length 0 to disable the multi-screen display function.

Setting the history command buffer size

By default, the size of the history command buffer is 10, that is, 10 historycommands can be saved.

Managing Users The management of users includes the setting of user logon authenticationmethod, level of command which a user can use after logging on, level ofcommand which a user can use after logging on from the specifically userinterface, and command level.

Table 16 Lock user interface

Operation Command

Lock user interface lock

Table 17 Set the screen length

Operation Command

Set the screen length screen-lengthscreen-length

Restore the default screen length undo screen-length

Table 18 Set the history command buffer size

Operation Command

Set the history command buffer size history-command max-sizevalue

Restore the default history command buffer size undo history-command max-size


44/881


Configuring the authentication method

The following command is used for configuring the user login authenticationmethod to deny the access of an unauthorized user.

Perform the following configuration in user interface view.

By default, terminal authentication is not required for local users log in via theConsole port. However, password authentication is required for local users andremote Modem users to log in via the AUX port, and for Telnet users and the VTYusers to log in through Ethernet port.

n

If the Console port is configured for local password authentication, the user can

directly log in to the system even without a password configured; if other userinterfaces, such as the AUX port and VTY interface, are configured for local

password authentication, users cannot log in to the system without a password.

1 Perform local password authentication to the user interface

Using authentication-mode password command, you can perform localpassword authentication. That is, you need use the command below to configurea login password in order to login successfully.


# Configure for password authentication when a user logs in through a VTY 0 userinterface and set the password to 3Com.

[SW8800] user-interface vty 0

[3Com-ui-vty0] authentication-mode password

[3Com-ui-vty0] set authentication password simple 3Com

2 Perform local or remote authentication of username and password to the userinterface

Using authentication-modescheme [ command-authorization ] command,you can perform local or remote authentication of username and password. Thetype of the authentication depends on your configuration. For detailedinformation, see "Security" section.

In the following example, local username and password authentication areconfigured.

Table 19 Configure the authentication method

Operation Command

Configure the authentication method authentication-mode { password | scheme[ command-authorization ] | none }

Table 20 Configure the local authentication password

Operation Command

Configure the local authentication password set authentication password { cipher |simple }password

Remove the local authentication password undo set authentication password


45/881


# Perform username and password authentication when a user logs in throughVTY 0 user interface and set the username and password to zbr and 3Comrespectively.

[3Com-ui-vty0] authentication-mode scheme

[3Com-ui-vty0] quit

[SW8800] local-user zbr[3Com-luser-zbr] password simple 3Com

[3Com-luser-zbr] service-type telnet

3 No authentication

[3Com-ui-vty0] authentication-mode none

nBy default, password is required to be set for authenticating local users andremote Modem users log in via the AUX port, and Telnet users log in throughEthernet port. If no password has been set, the following prompt will be displayed"Login password has not been set !."

If the authentication-mode none command is used, the local and Modem users

via the AUX port and Telnet users will not be required to input password.

Setting the command level used after a user logging in

The following command is used for setting the command level used after a userlogging in.

Perform the following configuration in local-user view.

By default, the specified logon user can access the commands at Level 2.

Setting the command level used after a user logs in from a user interface

You can use the following command to set the command level after a user logs infrom a specific user interface, so that a user is able to execute the commands atsuch command level.


By default, you can access the commands at Level 3 after logging in through theConsole user interface, and the commands at Level 0 after logging in through theAUX or VTY user interface.

Table 21 Set the command level used after a user logging in

Operation Command

Set command level used after a user logging in service-type telnet [ levellevel]

Restore the default command level used after a userlogging in undo service-type telnet

Table 22 Set the command level used after a user logging in from a user interface

Operation Command

Set command level used after a user loggingin from a user interface user privilege levellevel

Restore the default command level used aftera user logging in from a user interface undo user privilege level


46/881


nWhen a user logs in the switch, the command level that it can access depends ontwo points. One is the command level that the user itself can access, the other isthe set command level of this user interface. If the two levels are different, theformer will be taken. For example, the command level of VTY 0 user interface is 1,however, you have the right to access commands of level 3; if you log in from VTY

0 user interface, you can access commands of level 3 and lower.Setting the command priority

The following command is used for setting the priority of a specified command ina certain view. The command levels include visit, monitoring, configuration, andmanagement, which are identified with 0 through 3 respectively. An administratorassigns authorities as per user requirements.


Setting input protocol for a user terminal

You can use the following command to set input protocol for a user terminal. Theinput protocol type can be TELNET, SSH or all.


By default, the input protocol type for a user terminal is all.

Configuring ModemAttributes

When logging in the switch via the Modem, you can use the following commandsto configure these parameters.

Perform the following configuration in AUX user interface view.

Table 23 Set the command priority

Operation Command

Set the command priority in a specified view. command-privilege levellevelviewviewcommand

Restore the default command level in aspecified view.

Undo command-privilegeviewviewcommand

Table 24 Set input protocol for a user terminal

Operation Command

Set input protocol for a user terminal protocol inbound { all | telnet | ssh }

Table 25 Configure Modem attributes

Operation Command

Set the interval since the system receives theRING until CD_UP modem timer answerseconds

Restore the default interval since the systemreceives the RING until CD_UP undo modem timer answer

Configure auto answer modem auto-answer

Configure manual answer undo modem auto-answer

Configure to allow call-in modem call-in

Configure to bar call-in undo modem call-in


47/881


Configuring Redirection Send command

The following command can be used for sending messages between userinterfaces.

Perform the following configuration in user view.

Auto-execute command

The following command is used to automatically run a command after you log in.After a command is configured to be run automatically, it will be automaticallyexecuted when you log in again.

This command is usually used to automatically execute telnet command on theterminal, which will connect the user to a designated device automatically.


Note the following points:

After executing this command, the user interface can no longer be used tocarry out the routine configurations for the local system. Use this commandwith caution.

Make sure that you will be able to log in to the system in some other way andcancel the configuration, before you use the auto-execute commandcommand and save the configuration.

# Telnet 10.110.100.1 after the user logs in through VTY0 automatically.

[3Com-ui-vty0] auto-execute command telnet 10.110.100.1

When a user logs on via VTY 0, the system will run telnet 10.110.100.1automatically.

Configure to permit call-in and call-out. modem both

Configure to disable call-in and call-out undo modem both

Table 25 Configure Modem attributes

Operation Command

Table 26 Configure to send messages between different user interfaces.

Operation Command

Configure to send messages betweendifferent user interfaces. send { all | number | typenumber}

Table 27 Configure to automatically run the command

Operation Command

Configure to automatically run the command auto-execute commandtext

Configure not to automatically run the command undo auto-execute command


48/881


Displaying andDebugging UserInterface

After the above configuration, execute display command in any view to displaythe running of the user interface configuration, and to verify the effect of theconfiguration.

Execute free command in user view to release the user interface connection.

Table 28 Display and debug user interface

Operation Command

Release a specified user interface connection free user-interface [ type ] number

Display the user application information of theuser interface display users

[ all ]

Display the physical attributes and someconfigurations of the user interface

display user-interface [ type number|number] [ summary ]

Query history commands selectivelydisplay history-command [Command-Number] [ | { begin | include |exclude } Match-string ]


49/881

5MANAGEMENT INTERFACECONFIGURATION

ManagementInterface Overview

Switch 8800 Family series provides a 10/100Base-TX management interface on theFabric. The management interface can connect a background PC for softwareloading and system debugging, or a remote network management station forremote system management.

ManagementInterfaceConfiguration

The following sections describe management interface configuration tasks.

Configuring interface IP address Enabling/disabling the interface

Setting interface description

Displaying current system information

Test network connectivity (ping, tracert)

See the Port and System Management parts of this manual for details.

cCAUTION: Only the management interface configured with an IP address can runnormally.


50/881

50 CHAPTER 5: MANAGEMENT INTERFACE CONFIGURATION


51/881

6CONFIGURATION FILE MANAGEMENT

Configuration FileManagement

Configuration FileManagement Overview

The management module of configuration file provides a user-friendly operationinterface. It saves the configuration of the switch in the text format of commandline to record the whole configuration process. Thus you can view theconfiguration information conveniently.

The format of configuration file includes:

It is saved in the command format.

Only the non-default constants will be saved

The organization of commands is based on command views. The commands inthe same command mode are sorted in one section. The sections are separatedwith a blank line or a comment line (A comment line begins with exclamationmark "#").

Generally, the sections in the file are arranged in the following order: systemconfiguration, Ethernet port configuration, VLAN interface configuration,routing protocol configuration and so on.

It ends with "end".

The following sections describe configuration file management tasks.

Displaying the Current-Configuration and Saved-Configuration of Switch

Modifying and Saving the Current-Configuration

Erasing Configuration Files from Flash Memory

Configuring the Name of the Configuration File Used for the Next Startup.

Displaying the

Current-Configurationand

Saved-Configuration ofSwitch

When the switch is being powered on, the system will read the configuration files

from Flash Memory for the initialization of the switch. (Such configuration files arecalled saved-configuration files). If there is no configuration file in Flash Memory,the system will begin the initialization with the default parameters. Relative to thesaved-configuration, the configuration in effect during the operating process ofthe system is called current-configuration. You can use the following commandsto display the current-configuration and saved-configuration information of theswitch.

Perform the following configuration in any view.


52/881

52 CHAPTER 6: CONFIGURATION FILE MANAGEMENT

nThe configuration files are displayed in their corresponding saving formats.

Modifying and Savingthe

Current-Configuration

You can modify the current configuration of the switch through the CLI. Use thesave command to save the current-configuration in the Flash Memory, and the

configurations will become the saved-configuration when the system is poweredon for the next time.


Even if the problems like reboot and power-off occur during , the configurationfile can be still saved to Flash.

Erasing ConfigurationFiles from Flash Memory

The reset saved-configuration command can be used to erase configurationfiles from Flash Memory. The system will use the default configuration parametersfor initialization when the switch is powered on for the next time.


You may erase the configuration files from the Flash in the following cases:

After being upgraded, the software does not match with the configurationfiles.

The configuration files in flash are damaged. (A common case is that a wrongconfiguration file has been downloaded.)

Configuring the Name ofthe Configuration File

Used for the NextStartup.


Table 29 Display the configurations of the switch

Operation Command

Display the saved-configuration informationof the switch display saved-configuration

Display the current-configuration informationof the Ethernet switch

displaycurrent-configuration [ controller |interfaceinterface-typeinterface-number|configuration [ configuration ] ] [ | { begin |exclude | include } regular-expression ]

Display the running configuration of thecurrent view display this

Table 30 Save the current-configuration

Operation Command

Save the current-configuration save [ file-name ]

Table 31 Erase configuration files from Flash Memory

Operation Command

Erase configuration files from Flash Memory reset saved-configuration


53/881

Configuration File Management 53

cfgfile is the name of the configuration file and its extension name can be ".cfg".The file is stored in the root directory of the storage devices.

After the above configuration, execute display command in any view to displaythe running of the configuration files, and to verify the effect of the configuration.

Table 32 Configure the name of the configuration file used for the next startup

Operation Command

Configure the name of the configuration fileused for the next startup startup

saved-configurationcfgfile

Table 33 Display the information of the file used at startup

Operation Command

Display the information of the file used at startup display startup


54/881

54 CHAPTER 6: CONFIGURATION FILE MANAGEMENT


55/881

7VLAN CONFIGURATION

VLAN Overview Virtual local area network (VLAN) groups the devices in a LAN logically, notphysically, into segments to form virtual workgroups. IEEE issued the IEEE 802.1Qin 1999 to standardize the VLAN implementations.

The VLAN technology allows network administrators to logically divide a physicalLAN into different broadcast domains or the so-called virtual LANs. Every VLANcontains a group of workstations with the same demands. The workstations,physically separated, are not necessarily on the same physical LAN segment.

You can establish VLANs of the following types on switches:

Port-based

IP multicast-based (A multicast group can be a VLAN.)

Network layer-based (A VLAN can be established by the network layeraddresses or protocols of the hosts.)

With the VLAN technology, the broadcast and unicast traffic within a VLAN willnot be forwarded to other VLANs. This is helpful to control network traffic, savedevice investment, simplify network management and enhance security.

Configuring VLAN The following sections describe VLAN configuration tasks:

Creating/Deleting a VLAN

Specifying a Description Character String for a VLAN or VLAN interface

Naming the Current VLAN

Shutting down/Bringing up a VLAN Interface

Configuring Port-Based VLAN

Creating/Deleting a

VLAN

You can use the following commands to create/delete a VLAN. If the VLAN to be

created exists, the system will enter the VLAN view directly. Otherwise, the systemwill create the VLAN first, and then enter the VLAN view.


Table 34 Create/Delete a VLAN or VLANs

Operation Command

Create a VLAN and enter the VLAN view vlanvlan-id

Create VLANs in batch vlanvlan-id-list

Delete an VLAN or VLANs undovlan { vlan-id[ tovlan-id] |all }


56/881

56 CHAPTER 7: VLAN CONFIGURATION

cCAUTION:

VLAN 1 is the system-default VLAN and cannot be removed.

VLANs with their ports being VLAN VPN-enabled cannot be removed.

Guest VLANs cannot be deleted.

Protocol-enabled VLANs cannot be deleted.

Specifying a DescriptionCharacter String for a

VLAN or VLAN interface

You can use the following commands to specify a description character string for aVLAN or VLAN interface.

Perform the following configuration in VLAN view or VLAN interface view.

By default, the description character string of a VLAN is the VLAN ID of the VLAN,such as VLAN 0001. The description character string of a VLAN interface is theVLAN interface name, such as Vlan-interface1 Interface.

Naming the CurrentVLAN

You can use the following command to name the current VLAN.

Perform the following configuration in VLAN view.

By default, the name of the current VLAN is its VLAN ID.

Shutting down/Bringingup a VLAN Interface

You can use the following commands to shut down/bring up a VLAN interface.

Perform the following configuration in VLAN interface view.

Shutting down or bringing up a VLAN interface has no effect on the status of anyEthernet port in this VLAN.

By default, when all the Ethernet ports in a VLAN are in the Down state, this VLANinterface is also Down. When there are one or more Ethernet ports in the Up state,this VLAN interface is also Up.

Table 35 Specify a description character string for a VLAN or VLAN interface

Operation Command

Specify a description character string for aVLAN or VLAN interface descriptionstring

Restore the default description of the currentVLAN or VLAN interface undodescription

Table 36 Name the current VLAN

Operation Command

Name the current VLAN name

Restore the default name of the current VLAN undo name

Table 37 Shut down/bring up a VLAN interface

Operation Command

Shut down a VLAN interface shutdown

Bring up a VLAN interface undo shutdown


57/881

Configuring Protocol-Based VLAN 57

Configuring Port-BasedVLAN

You can use the following commands to specify Ethernet ports for a VLAN.


By default, the system adds all the ports to a default VLAN whose ID is 1.

Note that you can add/remove the trunk and Hybrid ports to/from a VLAN by theport/undo port commands in Ethernet port view, but not in VLAN view.

ConfiguringProtocol-Based VLAN

The following sections describe the protocol-based VLAN configuration tasks:

Creating/Deleting a VLAN Protocol Type

Associating/Dissociating a Port with/from a Protocol-Based VLAN

Creating/Deleting aVLAN Protocol Type

You can use the following commands to create/delete a VLAN protocol type.


Associating/Dissociatinga Port with/from a

Protocol-Based VLAN

Perform the following configuration in Ethernet port view.

n The port to be associated with a protocol-based VLAN must be of Hybrid type

and in this VLAN.

The same protocol can be configured in the different VLANs, but cannot beconfigured repeatedly in the same VLAN.

A port cannot be associated with different VLANs with the same protocolsconfigured.

Table 38 Specify Ethernet ports for a VLAN

Operation Command

Add Ethernet ports to a VLAN portinterface-list

Remove Ethernet ports from a VLAN undo portinterface-list

Table 39 Create/Delete a VLAN protocol type

Operation Command

Create a VLAN protocol type

protocol-vlan [protocol-index] { at | ipx {ethernetii | llc | raw | snap } | mode {ethernetiietypeetype-id| llc dsapdsap-idssapssap-id| snapetypeetype-id} }

Delete an existing VLAN protocol type undo protocol-vlan {protocol-index[ toprotocol-end] | all }

Table 40 Associate/Dissociate a port with/from a protocol-based VLAN

Operation Command

Associate a port with a protocol-based VLAN port hybrid protocol-vlan vlanvlan-id{vlan-protocol-list|all }

Remove a port from a protocol-based VLAN undo port hybrid protocol-vlan vlan {

vlan-id{ vlan-protocol-list|all } |all }


58/881

58 CHAPTER 7: VLAN CONFIGURATION

You cannot delete a protocol-based VLAN that has ports associated with.

You cannot delete a protocol-based VLAN on a port while the port is associatedwith the VLAN.

Configuring IPSubnet-Based VLAN

The following sections describe the IP subnet-based VLAN configuration tasks: Associating/dissociating a specified port with/from an IP subnet-based VLAN

Configuring an IP subnet-based VLAN

Associating/Dissociatinga Specified Portwith/from an IP

Subnet-Based VLAN

Use the following commands to associate/dissociate a specified port with/from anIP subnet-based VLAN.

Perform the following configuration in Ethernet port view.

Configuring/deleting anIP Subnet-Based VLAN


Configure the CPUPort in an VLAN

The CPU is a special port in the Switch 8800 Family series routing switches. Bydefault, because the CPU port is in a VLAN, when common broadcast packets andunknown multicast packets are broadcast within a VLAN, these packets will alsobe broadcast to the CPU. To prevent waste of CPU resources, you can move theCPU port out of the VLAN, so that common broadcast packets and unknownmulticast packets will not be handed to the CPU for processing.

You can use the following command to move the CPU port out of the VLAN.


By default, the CPU port is in the VLAN.

Table 41 Associate/dissociate a port with/from an IP subnet-based VLAN

Operation Command

Associate a specified port

3Com Switch 8800 Family Configuration Guide

Documents

Transcript of 3Com Switch 8800 Family Configuration Guide