DHCP Configuration Examples H3C S7500 Series Ethernet Switches Release Table of Contents


DHCP Configuration Examples

Table of Contents

Chapter 1 DHCP Functions Overview
    Supported DHCP Functions
    Configuration Guide
        Configuring the DHCP Server
        Configuring the DHCP Relay Agent
        Configuring DHCP Snooping
Chapter 2 Configuration Examples
    DHCP Server Configuration Example
        Network Requirements
        Network Diagram
        Configuration Procedure
    DHCP Relay Agent/Snooping Configuration Example
        Network Requirements
        Network Diagram
        Configuration Procedure
Chapter 3 Related Documents
    Protocols and Standards

Abstract

Keywords: DHCP, Option 82

Abstract: This document describes DHCP configuration and application on Ethernet switches in specific networking environments. Based on the different roles played by the devices in the network, the functions and applications of DHCP server, DHCP relay agent, DHCP snooping, and DHCP Option 82 are covered.

Acronym: DHCP (Dynamic Host Configuration Protocol).

Chapter 1 DHCP Functions Overview

Note: The configuration procedures and commands described in this manual are tested on H3C S7500 series switches running Release. If you encounter any configuration failure on a device running a different release, refer to the corresponding configuration and command manuals.

1.1 Supported DHCP Functions

H3C S7500 series Ethernet switches can support the following DHCP functions:

DHCP server:
- DHCP server using global address pool/interface address pool
- IP address lease configuration
- Allocation of gateway addresses, DNS server addresses, WINS server addresses to DHCP clients
- Static bindings for special addresses
- DHCP server security functions: detection of unauthorized DHCP servers and detection of duplicate IP addresses
- DHCP self-defined options

DHCP relay agent:
- DHCP relay agent
- DHCP relay agent address check
- DHCP Option 82

DHCP snooping:
- DHCP snooping
- DHCP snooping trusted ports
- DHCP Option 82

Note: For details about DHCP, refer to the configuration and command manuals of S7500 series switches.

1.2 Configuration Guide

Configuring the DHCP Server

The DHCP server can be configured to assign IP addresses from a global or interface address pool. These two configuration methods are applicable to the following environments:

- If the DHCP server and DHCP clients are on the same network segment, both methods can be applied.
- If the DHCP server and DHCP clients are on different network segments, the DHCP server can only be configured to assign IP addresses from a global address pool.

1) Use the following commands to configure the DHCP server to assign IP addresses from a global address pool.

Table 1-1 Configure IP address allocation from a global address pool

Operation: Enter system view
Command: system-view

Operation: Enable the DHCP service
Command: dhcp enable
Description: By default, the DHCP service is enabled.

Operation: Create a DHCP address pool and enter DHCP address pool view
Command: dhcp server ip-pool pool-name
Description: By default, no global DHCP address pool is created.

Operation: Configure an IP address range for dynamic allocation
Command: network ip-address [ mask mask ]
Description: By default, no IP address range is configured for dynamic allocation.

Operation: Configure the lease period of dynamically allocated IP addresses
Command: expired { day day [ hour hour [ minute minute ] ] | unlimited }
Description: IP address lease period defaults to one day.

Operation: Configure a domain name for DHCP clients
Command: domain-name domain-name
Description: By default, no domain name is configured for DHCP clients.

Operation: Configure DNS server addresses for DHCP clients
Command: dns-list ip-address&<1-8>
Description: By default, no DNS server addresses are configured.

Operation: Configure WINS server addresses for DHCP clients
Command: nbns-list ip-address&<1-8>
Description: By default, no WINS server addresses are configured.

Operation: Specify a NetBIOS node type for DHCP clients
Command: netbios-type { b-node | h-node | m-node | p-node }
Description: By default, the DHCP clients are h-nodes if the command is not specified.

Operation: Configure gateway addresses for DHCP clients
Command: gateway-list ip-address&<1-8>
Description: By default, no gateway address is configured.

Operation: Configure a self-defined DHCP option
Command: option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> }
Description: By default, no self-defined option is configured.

Operation: Return to system view
Command: quit

Operation: Configure a static binding
  Create an address pool for the static address binding:
    dhcp server ip-pool pool-name
  Specify the IP address of the static binding:
    static-bind ip-address ip-address [ mask mask ]
    Description: By default, no IP address is specified.
  Specify the client's MAC address of the static binding:
    static-bind mac-address mac-address
  Return to system view:
    quit

Operation: Specify the IP addresses to be excluded from automatic allocation
Command: dhcp server forbidden-ip low-ip-address [ high-ip-address ]
Description: By default, all the IP addresses in a DHCP address pool are available for dynamic allocation.

Operation: Configure the global address pool mode
  On the current interface:
    interface interface-type interface-number
    dhcp select global
    quit
  On multiple interfaces in system view:
    dhcp select global { interface interface-type interface-number [ to interface-type interface-number ] | all }
Description: By default, an interface operates in the global address pool mode.

Operation: Enable the detection of unauthorized DHCP servers
Command: dhcp server detect
Description: By default, the detection of unauthorized DHCP servers is disabled.

Operation: Configure duplicate IP address detection
  Set the maximum number of ping packets sent by the DHCP server for each IP address:
    dhcp server ping packets number
    Description: The default maximum number is 2.
  Set a response timeout for each ping packet:
    dhcp server ping timeout milliseconds
    Description: The default timeout is 500 milliseconds.

Operation: Enable the DHCP server to support Option 82
Command: dhcp server relay information enable
Description: By default, the DHCP server supports Option 82.

2) Use the following commands to configure IP address allocation through the interface address pool.

Table 1-2 Configure IP address allocation through the interface address pool

Operation: Enter system view
Command: system-view

Operation: Enable the DHCP service
Command: dhcp enable
Description: By default, the DHCP service is enabled.

Operation: Configure multiple or all the VLAN interfaces to operate in interface address pool mode
Command: dhcp select interface { interface interface-type interface-number [ to interface-type interface-number ] | all }

Operation: Configure a VLAN interface to operate in interface address pool mode
Command:
    interface interface-type interface-number
    dhcp select interface
Description: By default, a VLAN interface operates in global address pool mode.

Operation: Bind an IP address statically to a client MAC address or client ID
Command: dhcp server static-bind ip-address ip-address mac-address mac-address
Description: By default, no static binding is configured.

Operation: Configure the lease period of dynamically allocated IP addresses
  On the current interface:
    dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
    quit
  On multiple interfaces in system view:
    dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface interface-type interface-number [ to interface-type interface-number ] | all }
Description: IP address lease period defaults to one day.

Operation: Return to system view
Command: quit

Operation: Specify the IP addresses to be excluded from automatic allocation
Command: dhcp server forbidden-ip low-ip-address [ high-ip-address ]
Description: By default, all the IP addresses in an interface address pool are available for dynamic allocation.

Operation: Configure a domain name for DHCP clients
  On one interface:
    interface interface-type interface-number
    dhcp server domain-name domain-name
    quit
  On multiple interfaces:
    dhcp server domain-name domain-name { interface interface-type interface-number [ to interface-type interface-number ] | all }
Description: By default, no domain name is configured for DHCP clients.

Operation: Configure DNS server addresses for DHCP clients
  On one interface:
    interface interface-type interface-number
    dhcp server dns-list ip-address&<1-8>
    quit
  On multiple interfaces:
    dhcp server dns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all }
Description: By default, no DNS server address is configured.

Operation: Configure WINS server addresses for DHCP clients
  On one interface:
    interface interface-type interface-number
    dhcp server nbns-list ip-address&<1-8>
    quit
  On multiple interfaces:
    dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all }
Description: By default, no WINS server addresses are configured.

Operation: Define a NetBIOS node type for DHCP clients
  On one interface:
    interface interface-type interface-number
    dhcp server netbios-type { b-node | h-node | m-node | p-node }
    quit
  On multiple interfaces:
    dhcp server netbios-type { b-node | h-node | m-node | p-node } { interface interface-type interface-number [ to interface-type interface-number ] | all }
Description: By default, no NetBIOS node type is specified and a DHCP client uses the h-node type.

Operation: Configure a self-defined DHCP option
  On one interface:
    interface interface-type interface-number
    dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> }
    quit
  On multiple interfaces:
    dhcp server option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> } { interface interface-type interface-number [ to interface-type interface-number ] | all }
Description: By default, no self-defined option is configured.

Operation: Enable the detection of unauthorized DHCP servers
Command: dhcp server detect
Description: By default, the detection of unauthorized DHCP servers is disabled.

Operation: Configure duplicate IP address detection
  Set the maximum number of ping packets sent by the DHCP server for each IP address:
    dhcp server ping packets number
    Description: The default maximum number is 2.
  Set a response timeout for each ping packet:
    dhcp server ping timeout milliseconds
    Description: The default timeout is 500 milliseconds.

Operation: Enable the DHCP server to support Option 82
Command: dhcp server relay information enable
Description: By default, the DHCP server supports Option 82.

Configuring the DHCP Relay Agent

Use the following commands to configure the DHCP relay agent.

Table 1-3 Configure DHCP relay agent

Operation: Enter system view
Command: system-view

Operation: Enable the DHCP service
Command: dhcp enable
Description: By default, the DHCP service is enabled.

Operation: Configure DHCP server IP addresses for a DHCP server group
Command: dhcp-server groupno ip ip-address&<1-8>
Description: By default, no DHCP server IP address is configured for a DHCP server group.

Operation: Configure a DHCP user address entry
Command: dhcp-security static ip-address mac-address
Description: By default, no DHCP user address entry is configured.

Operation: Enable the DHCP relay agent to support Option 82
Command: dhcp relay information enable
Description: By default, the DHCP relay agent does not support Option 82.

Operation: Configure a strategy for the DHCP relay agent to handle request packets containing Option 82
Command: dhcp relay information strategy { drop | keep | replace }
Description: By default, the strategy is replace.

Operation: Enter VLAN interface view
Command: interface interface-type interface-number

Operation: Associate the interface to a DHCP server group
Command: dhcp-server groupno
Description: By default, a VLAN interface is not associated to any DHCP server group.

Operation: Enable the address check function for the DHCP relay agent
Command: address-check enable
Description: By default, the address check function is disabled for the DHCP relay agent.

Configuring DHCP Snooping

Use the following commands to configure DHCP snooping:

Table 1-4 Configure DHCP snooping

Operation: Enter system view
Command: system-view

Operation: Enable DHCP snooping
Command: dhcp-snooping
Description: By default, DHCP snooping is disabled.

Operation: Enable Option 82 support on the DHCP snooping device
Command: dhcp-snooping information enable
Description: This function is disabled by default.

Operation: Enter Ethernet port view
Command: interface interface-type interface-number

Operation: Specify the port connected to the DHCP server as a trusted port
Command: dhcp-snooping trust
Description: By default, all the ports of a switch are untrusted ports.

Chapter 2 Configuration Examples

2.1 DHCP Server Configuration Example

Network Requirements

An S7500 switch serves as the DHCP server in the corporate headquarters (HQ) to allocate IP addresses to the workstations in the HQ and Branch, and it also acts as the gateway to forward packets from the HQ. The network requirements are as follows:

- Connect the DHCP server to the HQ through VLAN-interface 10, and assign the IP addresses in the /24 network segment, with a lease period of two days, and exclude the IP addresses of the DNS server, WINS server, and mail server from allocation.
- Assign IP addresses to the DNS server, WINS server, and the mail server in HQ through static bindings.
- Connect the DHCP server to the public network through VLAN-interface 100, and assign the workstations in the Branch the IP addresses in the /24 network segment, with a lease period of three days. Assign the file server in the Branch an IP address through a static IP-to-MAC binding.
- Assign the addresses of the gateway, DNS server, and the WINS server along with an IP address to each workstation in the HQ and Branch.
- Enable the detection of unauthorized DHCP servers to prevent any unauthorized DHCP server from allocating invalid addresses.

Network Diagram

Figure 2-1 Network diagram for DHCP server configuration

Configuration Procedure

I. Configuring DHCP server

Configure address allocation for the devices in the HQ.

Configure the IP address of VLAN-interface10 on the DHCP server in the HQ.

<H3C> system-view
[H3C] interface Vlan-interface 10
[H3C-Vlan-interface10] ip address

Configure the interface to operate in the interface address pool mode, assigning the IP addresses in the /24 network segment to the devices in the HQ.

[H3C-Vlan-interface10] dhcp select interface

Configure the address lease period of the address pool, and configure the IP addresses of the DNS server and WINS server.

[H3C-Vlan-interface10] dhcp server expired day 2
[H3C-Vlan-interface10] dhcp server dns-list
[H3C-Vlan-interface10] dhcp server nbns-list

No gateway needs to be configured for the clients because an interface operating in the interface address pool mode automatically serves as the gateway for DHCP clients and sends the requested information to the clients.

Assign IP addresses to the DNS server, WINS server, and mail server through IP-to-MAC bindings.

[H3C-Vlan-interface10] dhcp server static-bind ip-address mac-address 000d-85c7-4e20
[H3C-Vlan-interface10] dhcp server static-bind ip-address mac-address ca8-9b71
[H3C-Vlan-interface10] dhcp server static-bind ip-address mac-address 002e-8d20-54c6

Exclude the static IP addresses of the DNS server, WINS server, and mail server from allocation.

[H3C-Vlan-interface10] quit
[H3C] dhcp server forbidden-ip

Configure address allocation for the devices in the Branch.

Create a global address pool named br for the Branch, and specify the range and lease period of the IP addresses for allocation.

[H3C] dhcp server ip-pool br
[H3C-dhcp-pool-br] network mask
[H3C-dhcp-pool-br] expired day 3

Create a static binding address pool named br-static, and assign the file server in the Branch an IP address through an IP-to-MAC binding.

[H3C-dhcp-pool-br] quit
[H3C] dhcp server ip-pool br-static
[H3C-dhcp-pool-br-static] static-bind ip-address mask
[H3C-dhcp-pool-br-static] static-bind mac-address 000d-88f8-4e71

Specify the gateway address, DNS server address, and the WINS server address for the workstations in the Branch.

[H3C-dhcp-pool-br-static] quit
[H3C] dhcp server ip-pool br
[H3C-dhcp-pool-br] gateway-list
[H3C-dhcp-pool-br] dns-list
[H3C-dhcp-pool-br] nbns-list

Exclude the static IP address of the gateway in the Branch from allocation.

[H3C-dhcp-pool-br] quit
[H3C] dhcp server forbidden-ip

Enable the detection of unauthorized DHCP servers.

[H3C] dhcp server detect

Configure VLAN-interface100 to operate in the global address pool mode.

[H3C] interface Vlan-interface 100
[H3C-Vlan-interface100] dhcp select global

Note that: After DHCP configuration is complete, IP addresses can be assigned to the workstations in the Branch only when a route is active between the HQ and the Branch.

II. Configuring the DHCP relay agent

This section mainly describes the DHCP server configuration. The following shows the basic DHCP relay agent configuration that enables the DHCP relay agent to relay DHCP requests to the DHCP server. For details about DHCP relay agent configuration, see section 2.2 "DHCP Relay Agent/Snooping Configuration Example".

<H3C> system-view
[H3C] dhcp-server 1 ip
[H3C] interface Vlan-interface 5
[H3C-Vlan-interface5] dhcp-server 1

2.2 DHCP Relay Agent/Snooping Configuration Example

Network Requirements

A Cisco Catalyst 3745 switch is deployed in the HQ and serves as the DHCP server to assign IP addresses to the workstations in the Office branch. The branches are connected to an S7506R switch that serves as the central node and as the DHCP relay agent to forward the DHCP requests from the workstations. Meanwhile, an S7502 switch that serves as the DHCP server is used to assign IP addresses to the devices in the labs. The network requirements are as follows:

- Configure the DHCP server in the HQ to assign the IP addresses in the /24 network segment to the workstations in the Office branch, with a lease period of 12 hours. Configure the IP addresses of the DNS server and WINS server as and respectively.
- The S7506R switch that serves as the DHCP relay agent forwards DHCP requests from the workstations in the Office and the devices in the labs.
- A server is deployed in the Office to provide access for hosts with manually configured IP addresses.
- An S7502 Ethernet switch in Lab1 serves as the Lab DHCP server to assign the IP addresses in the /24 network segment to the devices in Lab1, with a lease period of one day, and to assign the IP addresses in the /24 network segment to Lab2, with a lease period of two days. The lab DHCP server and the DHCP relay agent are interconnected through the /30 network segment.
- Configure the address check function on the DHCP relay agent so that only the devices that are assigned legal IP addresses from the DHCP server are allowed to access the external network.
- Enable Option 82 support on the DHCP snooping device (S7502), adding local port information to the Option 82 field in DHCP messages.
- Enable the DHCP relay agent to support DHCP Option 82 so that the DHCP relay agent keeps the original field unchanged upon receiving DHCP messages carrying Option 82.
- Enable the DHCP server to support DHCP Option 82 so that it assigns through to the DHCP clients connected to Ethernet 2/0/12 of the DHCP snooping device, and assigns through to the DHCP clients connected to Ethernet 2/0/13 of the DHCP snooping device.

Network Diagram

Figure 2-2 Network diagram for DHCP relay agent/snooping integrated configuration

Configuration Procedure

I. Configuring the DHCP relay agent

Figure 2-3 Network diagram for DHCP relay agent configuration

Configure to forward the DHCP requests from the Office to the DHCP server in the HQ.

<SwitchA> system-view
[SwitchA] dhcp-server 1 ip
[SwitchA] interface vlan-interface10
[SwitchA-Vlan-interface10] ip address
[SwitchA-Vlan-interface10] dhcp-server 1

Configure to forward the DHCP requests from Lab2 to the Lab DHCP server.

[SwitchA-Vlan-interface10] quit
[SwitchA] dhcp-server 2 ip
[SwitchA] interface Vlan-interface 25
[SwitchA-Vlan-interface25] ip address
[SwitchA-Vlan-interface25] dhcp-server 2

Configure the IP address of VLAN-interface 17 as /30 for forwarding DHCP packets from the Lab DHCP Server to a non-local segment.

[SwitchA-Vlan-interface25] quit
[SwitchA] interface Vlan-interface 17
[SwitchA-Vlan-interface17] ip address

Configure the address check function on the DHCP relay agent. Make sure you configure the IP addresses and MAC addresses of the DHCP server in the lab and that in the office as static entries for the security function. The addresses of these static entries will not be checked.

[SwitchA-Vlan-interface17] quit
[SwitchA] dhcp-security static c-aa69
[SwitchA] dhcp-security static ce9-1dea
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] address-check enable
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 25
[SwitchA-Vlan-interface25] address-check enable
[SwitchA-Vlan-interface25] quit

Enable the DHCP relay agent to support DHCP Option 82 and adopt the strategy of keeping the original field upon receiving DHCP messages carrying Option 82.

[SwitchA] dhcp relay information enable
[SwitchA] dhcp relay information strategy keep

To ensure normal forwarding of DHCP packets across network segments, you need to configure a routing protocol and advertise the network segments of interfaces. The following configuration uses RIP as an example. For the configuration of other routing protocols, see the parts covering routing protocols in product manuals.

[SwitchA] rip
[SwitchA-rip] network
[SwitchA-rip] network
[SwitchA-rip] network

II. Configuring the Lab DHCP server

Figure 2-4 Network diagram for the Lab DHCP server configuration

Configure an address pool for Lab2 and specify the address range, lease period, and the gateway address.

<LAB> system-view
[LAB] dhcp enable
[LAB] dhcp server ip-pool lab2
[LAB-dhcp-lab2] network
[LAB-dhcp-lab2] expired day 2
[LAB-dhcp-lab2] gateway-list

Configure the IP address of VLAN-interface17 as /30 and enable it to operate in global address pool mode.

[LAB-dhcp-lab2] quit
[LAB] interface Vlan-interface 17
[LAB-Vlan-interface17] ip address
[LAB-Vlan-interface17] dhcp select global

Lab1 is connected to VLAN-interface15. Therefore, to assign the IP addresses in the /24 network segment to the devices in Lab1, you only need to configure VLAN-interface15 to operate in the interface address pool mode.

[LAB-Vlan-interface17] quit
[LAB] interface vlan-interface 15
[LAB-Vlan-interface15] ip address
[LAB-Vlan-interface15] dhcp select interface
[LAB-Vlan-interface15] dhcp server expired day 1
[LAB-Vlan-interface15] quit

To ensure that the lab DHCP server forwards DHCP packets normally, you need to configure a routing protocol. The following configuration uses RIP as an example. For the configuration of other routing protocols, see the related parts in product manuals.

[LAB] rip
[LAB-rip] network
[LAB-rip] network

III. Configuring DHCP snooping

Figure 2-5 Network diagram for DHCP snooping configuration

Enable DHCP snooping and enable Option 82 support for DHCP snooping.

<Snooping> system-view
[Snooping] dhcp-snooping
[Snooping] dhcp-snooping information enable

Configure Ethernet 2/0/1 that connects to the DHCP server as a DHCP trusted port.

[Snooping] interface Ethernet 2/0/1
[Snooping-Ethernet2/0/1] dhcp-snooping trust

IV. Configuring the DHCP server in the HQ

On the H3C series switches, port numbers, VLAN numbers, and the MAC addresses of the DHCP snooping device and the DHCP relay agent are added to DHCP Option 82. A complete piece of Option 82 information is a combination of the values of two suboptions:

Circuit ID suboption: It identifies the VLAN to which the clients belong and the port to which the DHCP snooping device is connected.

    Type(1)   Length(6)   0   4   VLAN ID   Port Index

Figure 2-6 Packet structure of Circuit ID suboption

For example, the DHCP messages from clients connected to Ethernet 2/0/12 are added with Option 82, whose Circuit ID suboption should be 0x , where is a fixed value, 0001 indicates the access port's VLAN is VLAN 1, and 0011 is the absolute number of the port, which is less than the actual port number by 1, indicating the actual port is Ethernet 2/0/12.

Remote ID suboption: It identifies the MAC address of the DHCP snooping device connected to the client.

    Type(2)   Length(8)   0   6   Bridge MAC Address

Figure 2-7 Packet structure of Remote ID suboption

For example, the DHCP messages from clients connected to the DHCP snooping device with MAC 000f-e234-bc66 are added with Option 82, whose Remote ID suboption should be fe234bc66, where is a fixed value and 000fe234bc66 is the MAC address of the DHCP snooping device.

In this example, IP addresses are assigned based on port number only. Therefore, on the DHCP server, only a matching port number field in the Circuit ID suboption needs to be found.
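The sub-option layouts in Figures 2-6 and 2-7, decoded in Python as an added example (not part of the H3C manual or any vendor code). The sample bytes are constructed from the two figures and the values quoted above; the port index 0x0012 for Ethernet 2/0/13 and the optional Remote ID check are assumptions of this sketch, which goes slightly beyond the port-only matching the manual uses.

```python
import struct

# Sub-option codes defined by RFC 3046 (listed under "Protocols and Standards").
CIRCUIT_ID, REMOTE_ID = 1, 2

# Constructed sample, not a captured packet: Figure 2-6 and 2-7 headers plus the
# page's VLAN 0001, port index 0011 and snooping-device MAC 000f-e234-bc66.
SAMPLE = bytes.fromhex("0106000400010011" "02080006000fe234bc66")

# office1 is the page's class for Ethernet 2/0/12. The index 0x0012 for office2
# (Ethernet 2/0/13) is an assumption; the page does not state it.
PORT_CLASSES = {0x0011: "office1", 0x0012: "office2"}


def split_suboptions(payload: bytes) -> dict:
    """Split an Option 82 payload into {sub-option code: value bytes}."""
    subopts, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code}: length {length} overruns payload")
        if code in subopts:
            raise ValueError(f"sub-option {code} appears twice")
        subopts[code] = value
        i += 2 + length
    return subopts


def decode_circuit_id(value: bytes) -> dict:
    """Figure 2-6 after Type/Length: 0, 4, VLAN ID (2 bytes), Port Index (2 bytes)."""
    if len(value) != 6 or value[:2] != b"\x00\x04":
        raise ValueError("Circuit ID does not match the Figure 2-6 layout")
    vlan, port_index = struct.unpack("!HH", value[2:])
    return {"vlan": vlan, "port_index": port_index}


def decode_remote_id(value: bytes) -> str:
    """Figure 2-7 after Type/Length: 0, 6, bridge MAC (6 bytes), as xxxx-xxxx-xxxx."""
    if len(value) != 8 or value[:2] != b"\x00\x06":
        raise ValueError("Remote ID does not match the Figure 2-7 layout")
    mac = value[2:].hex()
    return "-".join(mac[i:i + 4] for i in range(0, 12, 4))


def select_class(payload, port_classes, trusted_remote_id=None):
    """Return the DHCP class name for a request, or None if no class applies.

    The class is chosen on the Circuit ID port index only, as in the page's
    example. trusted_remote_id is an optional extra check (assumption): when
    set, Option 82 stamped by any other bridge MAC is ignored.
    """
    subopts = split_suboptions(payload)
    if CIRCUIT_ID not in subopts:
        return None
    if trusted_remote_id is not None:
        remote = subopts.get(REMOTE_ID)
        if remote is None or decode_remote_id(remote) != trusted_remote_id:
            return None
    port_index = decode_circuit_id(subopts[CIRCUIT_ID])["port_index"]
    return port_classes.get(port_index)


if __name__ == "__main__":
    parts = split_suboptions(SAMPLE)
    print(decode_circuit_id(parts[CIRCUIT_ID]))
    print(decode_remote_id(parts[REMOTE_ID]))
    print(select_class(SAMPLE, PORT_CLASSES, "000f-e234-bc66"))
```

A malformed payload raises ValueError, which a caller should treat as "no usable Option 82" rather than fall back to a default class.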

Note: The following configuration is performed on the Cisco Catalyst 3745 switch running IOS version 12.3(11)T2. If you are using any other models or devices running any other version, see the user manuals provided with the devices.

Enable DHCP server and allocate IP addresses using Option 82 information.

Switch> enable
Switch# configure terminal
Enter Configuration commands, one per line. End with CNTL/Z.
Switch(config)# service dhcp
Switch(config)# ip dhcp use class

Create a DHCP class for the client connected to Ethernet 2/0/12 of the DHCP snooping device and match the port number in the Circuit ID suboption of Option 82, replacing the content that does not need to be matched with a wildcard "*".

Switch(config)# ip dhcp class office1
Switch(dhcp-class)# relay agent information hex *
Switch(dhcp-class)# exit

Configure a DHCP class for the client connected to Ethernet 2/0/13 of the DHCP snooping device and match the port number in the Circuit ID suboption of Option 82.

Switch(config)# ip dhcp class office2
Switch(dhcp-class)# relay agent information hex *

Create an address pool for Office and specify address ranges for the two DHCP classes.

Switch(config)# ip dhcp pool office
Switch(dhcp-pool)# network
Switch(dhcp-pool)# class office1
Switch(dhcp-pool-class)# address range
Switch(dhcp-pool-class)# exit
Switch(dhcp-pool)# class office2
Switch(dhcp-pool-class)# address range
Switch(dhcp-pool-class)# exit

Configure the lease period, gateway address, DNS server address, and WINS server address for the address pool.

Switch(dhcp-pool)# lease 0 12
Switch(dhcp-pool)# default-router
Switch(dhcp-pool)# dns-server
Switch(dhcp-pool)# netbios-name-server

After the above-mentioned configuration, the DHCP server can automatically assign an IP address, the gateway address, DNS server address, and the WINS server address for each device in Office.

Chapter 3 Related Documents

3.1 Protocols and Standards

- RFC2131: Dynamic Host Configuration Protocol
- RFC2132: DHCP Options and BOOTP Vendor Extensions
- RFC3046: DHCP Relay Agent Information Option

QACL Configuration Examples

Table of Contents

Chapter 1 QACL Overview
    QACL Support Matrix
    Configuration Guide
Chapter 2 QACL Configuration Examples
    Configuration Examples in an Enterprise Network
        Time-Based ACL and Traffic Accounting Configuration Example
        Line Rate and Traffic Policing Configuration Example
        Traffic Redirecting and Traffic Mirroring Configuration Example
        Configuring Priority Marking and Queue Scheduling
    Configuration Example in a Service Provider Network
        Flow-Based Selective QinQ Configuration Example
    Precautions
    Referencing ACLs for Other Purposes

Abstract

Keywords: ACL, QoS

Abstract: This document introduces how QACL of the H3C series Ethernet switches is applied and configured in real network scenarios. In the document, time-based ACLs, line rates, traffic policing, traffic redirecting, traffic mirroring, traffic accounting, priority marking, queue scheduling, and flow-based selective QinQ are introduced.

Acronyms: Access Control List (ACL), Quality of Service (QoS)

Chapter 1 QACL Overview

1.1 QACL Support Matrix

The LPUs of the S7500 series Ethernet switches fall into type-A LPUs and non-type-A LPUs. The following table describes the support of the different LPUs for ACL/QoS functions.

Table 1-1 Type-A LPUs and non-type-A LPUs support for ACL/QoS

Feature                      Type-A LPUs      Non-type-A LPUs
Basic ACL                    Supported        Supported
Advanced ACL                 Supported        Supported
Layer-2 ACL                  Supported        Supported
User-defined ACL             Not supported    Supported
Traffic classification       Supported        Supported
Priority marking             Supported        Supported
Line rate                    Not supported    Supported
Traffic policing             Supported        Supported
Bandwidth guarantee          Supported        Not supported
Bidirectional CAR            Supported        Not supported
Traffic redirecting          Not supported    Supported
Queue scheduling             Not supported    Supported
Congestion avoidance         Supported        Not supported
Traffic mirroring            Not supported    Supported
Traffic accounting           Supported        Supported
Flow-based selective QinQ    Not supported    Supported

Note: Type-A LPUs include LS81FT48A, LS81FM24A, LS81FS24A, LS81GB8UA, LS81GT8UA, LS81FT48, LS81FM24, LS81FS24, LS81GB8U, and LS81GT8U. The prompt for QoS view is qoss on a type-A LPU and qosb on a non-type-A LPU.

1.2 Configuration Guide

Note: This guide provides only general configuration procedures. For detailed information about the involved functions and parameters, refer to the operation manual and command manual for your device.

Follow these steps to configure ACL/QoS in system view:

To do: Enter system view
Use the command: system-view

To do: Configure an ACL
  Create an ACL and enter ACL view:
    acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto } ]
    Remarks: By default, the match order in an ACL is config. That is, the rules in an ACL are matched in the order in which they are configured.
  Define an ACL rule:
    rule [ rule-id ] { permit | deny } rule-string
    Remarks: The rule-string argument varies by ACL type. For detailed information, refer to the command manual.
  Return to system view:
    quit

To do: Specify the trusted priority type when packets are assigned to output queues
Use the command: priority-trust { dscp | ip-precedence | cos | local-precedence }
Remarks: By default, the switch assigns packets to output queues based on local precedence.

To do: Configure the 802.1p-precedence-to-local-precedence mapping table
Use the command: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
Remarks: Table 1-2 shows the default 802.1p-precedence-to-local-precedence mapping table of the switch.

Follow these steps to configure ACL/QoS in QoS view on a type-A LPU:

To do: Enter Ethernet port view
Use the command: interface interface-type interface-number

To do: Enter QoS view
Use the command: qos

To do: Configure packet filtering
Use the command: packet-filter { inbound | outbound } acl-rule [ system-index ] [ not-care-for-interface ]
Remarks: The acl-rule argument ranges from 2000 to

To do: Configure bandwidth guarantee
Use the command: traffic-bandwidth outbound acl-rule [ system-index ] min-guaranteed-bandwidth max-guaranteed-bandwidth weight
Remarks: The min-guaranteed-bandwidth argument and the max-guaranteed-bandwidth argument must be a multiple of 64.

To do: Configure traffic policing
Use the command: traffic-limit { inbound | outbound } acl-rule [ system-index ] target-rate
Remarks: The target-rate argument must be a multiple of 64.

To do: Configure priority marking
Use the command: traffic-priority { inbound | outbound } acl-rule [ system-index ] { { dscp dscp-value | ip-precedence pre-value } | local-precedence pre-value }*
Remarks: You can mark DSCP precedence, IP precedence, and local precedence for packets.

To do: Configure congestion avoidance
Use the command: traffic-red outbound acl-rule [ system-index ] qstart qstop probability
Remarks: The qstart argument and the qstop argument must be a multiple of 16.

To do: Configure traffic accounting
Use the command: traffic-statistic { inbound | outbound } acl-rule [ system-index ]

Follow these steps to configure ACL/QoS in QoS view on a non-type-A LPU:

To do: Enter Ethernet port view
Use the command: interface interface-type interface-number

To do: Enter QoS view
Use the command: qos

To do: Configure the line rate
Use the command: line-rate [ kbps ] target-rate
Remarks: With the kbps keyword specified, the rate limit granularity is 64 kbps. That is, if you input a value in the range of N*64 to (N+1)*64 (N is a natural number), the switch sets the value to (N+1)*64 kbps automatically.

To do: Configure traffic mirroring
Use the command: mirrored-to inbound acl-rule [ system-index ] { interface interface-type interface-number [ reflector ] | mirroring-group group-id }
Remarks: The acl-rule argument ranges from 2000 to

To do: Configure packet filtering
Use the command: packet-filter inbound acl-rule [ system-index ]

To do: Configure queue scheduling
Use the command: queue-scheduler { rr | strict-priority | wrr queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight queue8-weight }
Remarks: By default, the switch adopts the SP queue scheduling algorithm.

To do: Configure traffic policing
Use the command: traffic-limit inbound acl-rule [ system-index ] [ kbps ] target-rate [ exceed action ]
Remarks: With the kbps keyword specified, the rate limit granularity is 64 kbps. That is, if you input a value in the range of N*64 to (N+1)*64 (N is a natural number), the switch sets the value to (N+1)*64 kbps automatically.

To do: Configure priority marking
Use the command: traffic-priority inbound acl-rule [ system-index ] { { dscp dscp-value | ip-precedence pre-value } | { cos cos | local-precedence pre-value } }*
Remarks: You can mark DSCP precedence, IP precedence, 802.1p precedence, and local precedence for packets.

To do: Configure traffic redirecting
Use the command: traffic-redirect inbound acl-rule [ system-index ] { cpu | interface interface-type interface-number }
Remarks: In traffic redirecting configuration, the source port and the destination port must reside on the same LPU.

To do: Configure flow-based selective QinQ
Use the command: traffic-remark-vlanid inbound acl-rule [ system-index ] remark-vlan vlan-id
Remarks: Before configuring flow-based selective QinQ, execute the vlan-vpn enable command in the corresponding Ethernet port view first. You cannot execute the vlan-vpn enable command on a voice VLAN-enabled port. Type-A LPUs, LS82GT20, and LS82GP20 do not support flow-based selective QinQ.

To do: Configure traffic accounting
Use the command: traffic-statistic inbound acl-rule [ system-index ]

Note that:

Table 1-2 is the default 802.1p-precedence-to-local-precedence mapping table of the S7500 series.

Table 1-2 The default 802.1p-precedence-to-local-precedence mapping table

802.1p precedence (CoS)    Local precedence

The acl-rule argument can be a combination of various ACL rules. Table 1-3 and Table 1-4 show the ACL rule combinations that you can apply on type-A LPUs and non-type-A LPUs respectively. Table 1-5 explains the form that the acl-rule argument takes for the combinations.

Table 1-3 Combinations of ACL rules on a type-A LPU

Combination mode: Apply all rules in an IP-based ACL (a basic ACL or advanced ACL)
Form of acl-rule: ip-group { acl-number | acl-name }

Combination mode: Apply one rule in an IP-based ACL (a basic ACL or advanced ACL)
Form of acl-rule: ip-group { acl-number | acl-name } rule rule-id

Combination mode: Apply all rules in a Layer-2 ACL
Form of acl-rule: link-group { acl-number | acl-name }

Combination mode: Apply one rule in a Layer-2 ACL
Form of acl-rule: link-group { acl-number | acl-name } rule rule-id

Table 1-4 Combinations of ACL rules on a non-type-A LPU

Combination mode: Apply all rules in an IP-based ACL (a basic ACL or advanced ACL)
Form of acl-rule: ip-group { acl-number | acl-name }

Combination mode: Apply one rule in an IP-based ACL (a basic ACL or advanced ACL)
Form of acl-rule: ip-group { acl-number | acl-name } rule rule-id

Combination mode: Apply all rules in a Layer-2 ACL
Form of acl-rule: link-group { acl-number | acl-name }

Combination mode: Apply one rule in a Layer-2 ACL
Form of acl-rule: link-group { acl-number | acl-name } rule rule-id

Combination mode: Apply all rules in a user-defined ACL
Form of acl-rule: user-group { acl-number | acl-name }

Combination mode: Apply one rule in a user-defined ACL
Form of acl-rule: user-group { acl-number | acl-name } rule rule-id

Combination mode: Apply one rule in an IP-based ACL and one rule in a Layer-2 ACL
Form of acl-rule: ip-group { acl-number | acl-name } rule rule-id link-group { acl-number | acl-name } rule rule-id

Table 1-5 Description of the forms of the acl-rule argument

Parameter: ip-group { acl-number | acl-name }
Description: Specifies a basic ACL or advanced ACL.
acl-number: ACL number, in the range of 2000 to
acl-name: ACL name, a case-insensitive string of up to 32 characters. It must start with an English letter (a-z, or A-Z) and cannot contain any space or quotation mark.

Parameter: link-group { acl-number | acl-name }
Description: Specifies a Layer-2 ACL.
acl-number: ACL number, in the range of 4000 to
acl-name: ACL name, a case-insensitive string of up to 32 characters. It must start with an English letter (a-z, or A-Z) and cannot contain any space or quotation mark.

Parameter: user-group { acl-number | acl-name }
Description: Specifies a user-defined ACL.
acl-number: ACL number, in the range of 5000 to
acl-name: ACL name, a case-insensitive string of up to 32 characters. It must start with an English letter (a-z, or A-Z) and cannot contain any space or quotation mark.

Parameter: rule-id
Description: Specifies an ACL rule ID, in the range of 0 to 127. If the rule-id argument is not specified, the rule keyword refers to all the rules in the ACL.

Chapter 2 QACL Configuration Examples

Note: Non-type-A LPUs are used in all configurations in this chapter.

Go to these sections for information you are interested in:

Network scenario: Enterprise network
Tasks:
- Time-Based ACL and Traffic Accounting Configuration Example
- Line Rate and Traffic Policing Configuration Example
- Traffic Redirecting and Traffic Mirroring Configuration Example
- Configuring Priority Marking and Queue Scheduling

Network scenario: Service provider network
Tasks:
- Flow-Based Selective QinQ Configuration Example

2.1 Configuration Examples in an Enterprise Network

Figure 2-1 Topology of an enterprise network

Figure 2-1 shows the network topology of a company:

- An S7500 switch whose software version is Release 3135 interconnects all departments of the company. It provides access to the Internet through GigabitEthernet 2/0/10.
- The R&D department belongs to VLAN 2. It is on the network segment /24 and accesses the switch through GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
- The customer service department belongs to VLAN 3. It is on the network segment /24 and accesses the switch through GigabitEthernet 2/0/3.
- The marketing department belongs to VLAN 4. It is on the network segment /24 and accesses the switch through GigabitEthernet 2/0/4, GigabitEthernet 2/0/5, and GigabitEthernet 2/0/6. Data detect server is a data monitoring device.
- The administration department belongs to VLAN 5. It is on the network segment /24 and accesses the switch through GigabitEthernet 2/0/7.

Time-Based ACL and Traffic Accounting Configuration Example

I. Network requirements

In the R&D department, the IP address of PC 1 is and that of PC 2 is The gateway IP address is set to (the IP address of VLAN-interface 2) for both PC 1 and PC 2.

Configure time-based ACLs and traffic accounting to satisfy the following requirements:

- Through advanced ACL configuration, filter the virus packets from the Internet.
- Through user-defined ACL configuration, filter the ARP packets that PC 1 sends with the gateway IP address as the source IP address within the time range from 8:00 to 18:00 every day.
- Through traffic accounting configuration, account the HTTP packets that PC 2 sends to the Internet within the time range from 8:00 to 18:00 every day.

II. Network diagram

Figure 2-2 Network diagram for time-based ACL and traffic accounting configuration

III. Configuration procedure

Define a time range trname to cover the time range from 8:00 to 18:00 every day.

<H3C> system-view
[H3C] time-range trname 8:00 to 18:00 daily

Create advanced ACL 3000 to filter the virus packets from the Internet. You can also configure other rules in the ACL as required.

[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 deny icmp
[H3C-acl-adv-3000] rule 2 deny udp destination-port eq 69
[H3C-acl-adv-3000] rule 3 deny tcp destination-port eq 4444
[H3C-acl-adv-3000] rule 4 deny tcp destination-port eq 135
[H3C-acl-adv-3000] rule 5 deny udp destination-port eq

[H3C-acl-adv-3000] rule 6 deny udp destination-port eq 137
[H3C-acl-adv-3000] rule 7 deny udp destination-port eq 138
[H3C-acl-adv-3000] rule 8 deny udp destination-port eq 139
[H3C-acl-adv-3000] rule 9 deny tcp destination-port eq 139
[H3C-acl-adv-3000] rule 10 deny tcp destination-port eq 445
[H3C-acl-adv-3000] rule 11 deny udp destination-port eq 445
[H3C-acl-adv-3000] rule 12 deny tcp destination-port eq 593
[H3C-acl-adv-3000] rule 13 deny udp destination-port eq 593
[H3C-acl-adv-3000] rule 14 deny tcp destination-port eq 5554
[H3C-acl-adv-3000] rule 15 deny tcp destination-port eq 9995
[H3C-acl-adv-3000] rule 16 deny tcp destination-port eq 9996
[H3C-acl-adv-3000] rule 17 deny udp destination-port eq 1434
[H3C-acl-adv-3000] quit

Create advanced ACL 3001 to sort out the HTTP packets sourced from IP address

[H3C] acl number 3001
[H3C-acl-adv-3001] rule 0 permit tcp source destination-port eq 80 time-range trname

Create user-defined ACL 5000 to filter out the ARP packets with the source IP address

Among the fields of the rule defined in ACL 5000, 0806 is the ARP protocol number, 16 is the offset value of the protocol type field for internally processed packets, c0a80264 is the hexadecimal form of , and 32 is the offset value of the source IP address field for internally processed ARP packets.

[H3C] acl number 5000
[H3C-acl-user-5000] rule 0 deny 0806 ffff 16 c0a80264 ffffffff 32 time-range trname
[H3C-acl-user-5000] quit

Configure packet filtering in the inbound direction of GigabitEthernet 2/0/10 by referencing ACL

[H3C] interface GigabitEthernet 2/0/10
[H3C-GigabitEthernet2/0/10] qos
[H3C-qosb-GigabitEthernet2/0/10] packet-filter inbound ip-group 3000
[H3C-qosb-GigabitEthernet2/0/10] quit
[H3C-GigabitEthernet2/0/10] quit

Configure packet filtering in the inbound direction of GigabitEthernet 2/0/1 by referencing ACL

[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] qos
[H3C-qosb-GigabitEthernet2/0/1] packet-filter inbound user-group 5000
[H3C-qosb-GigabitEthernet2/0/1] quit

[H3C-GigabitEthernet2/0/1] quit

Configure traffic accounting on GigabitEthernet 2/0/2.

[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] qos
[H3C-qosb-GigabitEthernet2/0/2] traffic-statistic inbound ip-group

Line Rate and Traffic Policing Configuration Example

I. Network requirements

In the customer service department, the IP address of PC 3 is Configure line rate and traffic policing to satisfy the following requirements:

- Limit the rate of Internet-accessing traffic of all the departments to 2 Mbps, and drop the exceeding traffic.
- Limit the outbound traffic rate of PC 3 in the customer service department to 640 kbps, and drop the exceeding traffic.

II. Network diagram

Figure 2-3 Network diagram for line rate and traffic policing configuration

III. Configuration procedure

Create basic ACL 2000 to sort out the packets with the source IP address

<H3C> system-view

[H3C] acl number 2000
[H3C-acl-basic-2000] rule permit source
[H3C-acl-basic-2000] quit

Configure traffic policing to limit the outbound traffic rate of PC 3 in the customer service department to 640 kbps and drop the exceeding traffic.

[H3C] interface GigabitEthernet 2/0/3
[H3C-GigabitEthernet2/0/3] qos
[H3C-qosb-GigabitEthernet2/0/3] traffic-limit inbound ip-group 2000 kbps 640
[H3C-qosb-GigabitEthernet2/0/3] quit
[H3C-GigabitEthernet2/0/3] quit

Configure line rate to limit the rate of Internet-accessing traffic of all the departments to 2 Mbps and drop the exceeding traffic.

[H3C] interface GigabitEthernet 2/0/10
[H3C-GigabitEthernet2/0/10] qos
[H3C-qosb-GigabitEthernet2/0/10] line-rate

Traffic Redirecting and Traffic Mirroring Configuration Example

I. Network requirements

In the marketing department, the IP address of PC 4 is and that of PC 5 is Configure traffic redirecting and traffic mirroring to satisfy the following requirements:

- Redirect the HTTP packets that PC 4 sends to the Internet to the data monitoring device within the time range from 8:00 to 18:00 on working days.
- Mirror the HTTP packets that PC 5 sends to the Internet to the data monitoring device within the time range from 8:00 to 18:00 on working days.

II. Network diagram

Figure 2-4 Network diagram for traffic redirecting and traffic mirroring configuration

III. Configuration procedure

Define the time range from 8:00 to 18:00 on working days.

<H3C> system-view
[H3C] time-range tr1 8:00 to 18:00 working-day

Create advanced ACL 3000 to sort out the HTTP packets from PC 4 and PC 5.

[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 permit tcp source destination-port eq 80 time-range tr1
[H3C-acl-adv-3000] rule 1 permit tcp source destination-port eq 80 time-range tr1
[H3C-acl-adv-3000] quit

Configure traffic redirecting on GigabitEthernet 2/0/4 to redirect the Internet-accessing traffic from PC 4 to the data monitoring device.

[H3C] interface GigabitEthernet 2/0/4
[H3C-GigabitEthernet2/0/4] qos
[H3C-qosb-GigabitEthernet2/0/4] traffic-redirect inbound ip-group 3000 rule 0 interface GigabitEthernet 2/0/6
[H3C-qosb-GigabitEthernet2/0/4] quit
[H3C-GigabitEthernet2/0/4] quit

Configure traffic mirroring on GigabitEthernet 2/0/5 to mirror the Internet-accessing traffic from PC 5 to the data monitoring device.

[H3C] mirroring-group 1 local
[H3C] mirroring-group 1 monitor-port GigabitEthernet 2/0/6
[H3C] interface GigabitEthernet 2/0/5
[H3C-GigabitEthernet2/0/5] qos
[H3C-qosb-GigabitEthernet2/0/5] mirrored-to inbound ip-group 3000 rule 1 interface GigabitEthernet 2/0/

Configuring Priority Marking and Queue Scheduling

I. Network requirements

In the administration department, the IP address of PC 6 is , that of PC 7 is , and that of PC 8 is PC 6, PC 7, and PC 8 must access the station with the IP address

Configure priority marking and queue scheduling for the traffic from PC 6, PC 7, and PC 8 to the station at to satisfy the following requirements:

- The IP traffic from the three PCs to is processed in the descending priority order of PC 6, PC 7, and PC 8.

II. Network diagram

Figure 2-5 Network diagram for priority marking and queue scheduling configuration

III. Configuration procedure

Create advanced ACL 3000 to classify packets from PCs 6 through 8 based on their source IP addresses.

<H3C> system-view

[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 permit ip source destination
[H3C-acl-adv-3000] rule 1 permit ip source destination
[H3C-acl-adv-3000] rule 2 permit ip source destination
[H3C-acl-adv-3000] quit

Mark the traffic matching a rule of ACL 3000 with a local precedence value on GigabitEthernet 2/0/7.

[H3C] interface GigabitEthernet 2/0/7
[H3C-GigabitEthernet2/0/7] qos
[H3C-qosb-GigabitEthernet2/0/7] traffic-priority inbound ip-group 3000 rule 0 local-precedence 5
[H3C-qosb-GigabitEthernet2/0/7] traffic-priority inbound ip-group 3000 rule 1 local-precedence 4
[H3C-qosb-GigabitEthernet2/0/7] traffic-priority inbound ip-group 3000 rule 2 local-precedence 3
[H3C-qosb-GigabitEthernet2/0/7] quit
[H3C-GigabitEthernet2/0/7] quit

Configure GigabitEthernet 2/0/10 to adopt the SP queue scheduling algorithm. Because SP is the default, you do not need to configure it unless you have changed the scheduling algorithm.

[H3C] interface GigabitEthernet 2/0/10
[H3C-GigabitEthernet2/0/10] qos
[H3C-qosb-GigabitEthernet2/0/10] queue-scheduler strict-priority

2.2 Configuration Example in a Service Provider Network

Figure 2-6 Topology of a service provider network

Figure 2-6 shows the network topology of the service provider network:

- The S7500 switches (Switch A, Switch B, and Switch C in the network diagram) operate as the edge devices of the service provider network and are connected to server-side or client-side networks.
- The service provider network permits the packets of VLAN 100 and VLAN 200 to pass through.
- Switch B is connected to the service provider network through GigabitEthernet 2/0/2, which permits the packets of VLAN 100 to pass through.
- Switch C is connected to the service provider network through GigabitEthernet 2/0/2, which permits the packets of VLAN 200 to pass through.

- VLAN 10 and VLAN 20 of the client-side network are connected to GigabitEthernet 2/0/1 of Switch A. In VLAN 20, there are some devices whose MAC addresses are in the range of to FF.
- Packets of VLAN 10 and VLAN 20 in the client-side network arrive at GigabitEthernet 2/0/1 single-tagged.

Flow-Based Selective QinQ Configuration Example

I. Network requirements

Configure flow-based selective QinQ to satisfy the following requirements:

- Tag VLAN 10 packets with VLAN 100. Thus, the clients in VLAN 10 can access servers in VLAN 10 in the network connected to Switch B across the service provider network.
- Tag VLAN 20 packets whose source MAC addresses are in the range of to FF with VLAN 200. Thus, the sending clients can access servers in VLAN 20 in the network connected to Switch C across the service provider network.
- Tag VLAN 20 packets whose source MAC addresses are beyond the range of to FF with VLAN 100. Thus, the sending clients can access servers in VLAN 20 in the network connected to Switch B across the service provider network.

II. Network diagram

Refer to Figure 2-6.

III. Configuration procedure

1) Configuration on Switch A

Create Layer-2 ACL 4000 to sort out the packets with source MAC addresses in the range of to FF.

<H3C> system-view
[H3C] acl number 4000
[H3C-acl-link-4000] rule permit ingress ffff-ffff-ff00
[H3C-acl-link-4000] quit

Configure GigabitEthernet 2/0/2 to be a hybrid port and to forward packets of VLAN 100 and VLAN 200 without removing the outer VLAN tag.

[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] port link-type hybrid
[H3C-GigabitEthernet2/0/2] port hybrid vlan tagged
[H3C-GigabitEthernet2/0/2] quit

Configure GigabitEthernet 2/0/1 as a hybrid port and configure VLAN 100 as its default VLAN. Configure GigabitEthernet 2/0/1 to forward packets of VLAN 100 and VLAN 200 with the outer VLAN tag removed.

[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] port link-type hybrid
[H3C-GigabitEthernet2/0/1] port hybrid pvid vlan 100
[H3C-GigabitEthernet2/0/1] port hybrid vlan untagged

Enable QinQ on GigabitEthernet 2/0/1.

[H3C-GigabitEthernet2/0/1] vlan-vpn enable

Configure flow-based selective QinQ on GigabitEthernet 2/0/1 to tag packets whose source MAC addresses are in the range of to FF with VLAN 200.

[H3C-GigabitEthernet2/0/1] qos
[H3C-qosb-GigabitEthernet2/0/1] traffic-remark-vlanid inbound link-group 4000 remark-vlan 200

2) Configuration on Switch B

Configure GigabitEthernet 2/0/2 to be a hybrid port and to forward packets of VLAN 100 without removing the outer VLAN tag.

[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] port link-type hybrid
[H3C-GigabitEthernet2/0/2] port hybrid vlan 100 tagged
[H3C-GigabitEthernet2/0/2] quit

Configure GigabitEthernet 2/0/1 as a hybrid port and configure VLAN 100 as its default VLAN. Configure GigabitEthernet 2/0/1 to forward packets of VLAN 100 with the outer VLAN tag removed.

<H3C> system-view
[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] port link-type hybrid
[H3C-GigabitEthernet2/0/1] port hybrid pvid vlan 100
[H3C-GigabitEthernet2/0/1] port hybrid vlan 100 untagged

Enable QinQ on GigabitEthernet 2/0/1.

[H3C-GigabitEthernet2/0/1] vlan-vpn enable

3) Configuration on Switch C

Configure GigabitEthernet 2/0/2 to be a hybrid port and to forward packets of VLAN 200 without removing the outer VLAN tag.

[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] port link-type hybrid
[H3C-GigabitEthernet2/0/2] port hybrid vlan 200 tagged
[H3C-GigabitEthernet2/0/2] quit

Configure GigabitEthernet 2/0/1 as a hybrid port and configure VLAN 200 as its default VLAN. Configure GigabitEthernet 2/0/1 to forward packets of VLAN 200 with the outer VLAN tag removed.

<H3C> system-view
[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] port link-type hybrid
[H3C-GigabitEthernet2/0/1] port hybrid pvid vlan 200
[H3C-GigabitEthernet2/0/1] port hybrid vlan 200 untagged

Enable QinQ on GigabitEthernet 2/0/1.

[H3C-GigabitEthernet2/0/1] vlan-vpn enable

2.3 Precautions

Pay attention to the following when making configuration:

1) Advanced ACLs 3998 and 3999 are reserved for cluster management and therefore are not user-configurable.
2) You can use the acl order command to specify the match order for the ACL rules applied to the hardware. The S7500 series support three match orders: depth-first, first-config-first-match, and last-config-first-match.
3) On a type-A LPU, basic ACL rules with the fragment keyword and advanced ACL rules with the tos or fragment keyword cannot be applied to hardware.
4) On a non-type-A LPU, advanced ACL rules with the range keyword for TCP/UDP ports cannot be applied to hardware.
5) Table 2-1 lists the offset values of some common protocols you can define in user-defined ACLs for packet matching on a non-type-A LPU.

Table 2-1 Offset values of common protocols

Columns: Protocol type, Protocol number, Offset value for ports with QinQ disabled, Offset value for ports with QinQ enabled

ARP 0x
RARP 0x
IP 0x
IPX 0x
AppleTalk 0x809B
ICMP 0x
IGMP 0x
TCP 0x
UDP 0x

6) The ACL rules configured for traffic policing, traffic redirecting, traffic mirroring, traffic accounting, priority marking, or flow-based selective QinQ must be permit statements.
7) On a non-type-A LPU, if a traffic policing rule is configured with the kbps keyword specified, the rate limit granularity is 64 kbps. That is, if the rate value you input is in the range of N*64 to (N+1)*64 (N is a natural number), the switch sets the value to (N+1)*64 kbps automatically.
8) In traffic redirecting configuration, the source port and the destination port must reside on the same LPU.
9) In traffic mirroring configuration, for centralized LPUs, all the involved ports must reside on the same LPU; for distributed systems, all the involved ports must reside in the same distributed system.
10) For an S7500 switch, you can configure multiple mirrored ports but only one monitor port for traffic mirroring. You are recommended to use the monitor port only for traffic mirroring. If you use it as a service port at the same time, service traffic may be affected.
11) Non-type-A LPUs of the S7500 series support three queue scheduling algorithms: round robin (RR), strict priority (SP), and weighted round robin (WRR). When configuring WRR, you can set some weight values to 0, thus implementing the SP + WRR queue scheduling algorithm.
12) With the SP + WRR queue scheduling algorithm enabled, the switch schedules SP queues preferentially. For example, suppose queues 0 through 3 adopt SP (with the weight being 0), and queues 4 through 7 adopt WRR. The switch will schedule queues 0 through 3 with the SP algorithm preferentially, and then schedule queues 4 through 7 with the WRR algorithm when the SP queues are empty.
13) Flow-based selective QinQ is usually configured on the customer-side port on the edge device connecting the service provider network to the customer network. Usually, the customer-side port is configured as a hybrid port.

2.4 Referencing ACLs for Other Purposes

You can reference ACLs to do the following in addition to filtering packets:

- Using ACL 2000 through ACL 3999 for Telnet access control, and ACL 2000 through ACL 2999 for SNMP/Web login control.
- Using ACL 2000 through ACL 3999 as match criteria in routing policies.
- Using ACL 2000 through ACL 3999 for routing information filtering.
- Using ACL 2000 through ACL 2999 for filtering routing entries to be displayed.
- Using ACL 2000 through ACL 2999 for filtering FIB entries to be displayed.
- Using ACL 2000 through ACL 2999 to control access to a TFTP server.
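The user-defined ACL 5000 rule in section 2.1 (rule 0 deny 0806 ffff 16 c0a80264 ffffffff 32) and precaution 5 both depend on byte offsets into the frame as the switch processes it. The following added example, which is not part of the H3C manual, models the value/mask/offset matching offline and checks the rule against constructed frames. It assumes the internally processed frame carries one 802.1Q tag, which is consistent with the offsets 16 and 32 given above; the MAC address, PC address and VLAN ID are constructed sample values.

```python
import socket
import struct

# Rule text as it appears on the page (ACL 5000, rule 0). The time-range
# name is parsed but not evaluated in this offline model.
PAGE_RULE = "deny 0806 ffff 16 c0a80264 ffffffff 32 time-range trname"


def parse_user_rule(text):
    """Return (action, [(value, mask, offset), ...], time_range_or_None)."""
    tokens = text.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    time_range = None
    if len(rest) >= 2 and rest[-2] == "time-range":
        time_range, rest = rest[-1], rest[:-2]
    if not rest or len(rest) % 3 != 0:
        raise ValueError("expected value/mask/offset triples")
    triples = []
    for i in range(0, len(rest), 3):
        value, mask = bytes.fromhex(rest[i]), bytes.fromhex(rest[i + 1])
        if len(value) != len(mask):
            raise ValueError("value and mask must have the same length")
        triples.append((value, mask, int(rest[i + 2])))
    return action, triples, time_range


def rule_matches(frame, triples):
    """True when every triple matches: (frame AND mask) == (value AND mask)."""
    for value, mask, offset in triples:
        window = frame[offset:offset + len(value)]
        if len(window) < len(value):
            return False  # frame too short to contain the field
        if any((w & m) != (v & m) for w, v, m in zip(window, value, mask)):
            return False
    return True


def build_arp_request(src_mac, sender_ip, target_ip, vlan=None):
    """Constructed test frame: Ethernet (+ optional 802.1Q tag) + ARP request."""
    header = b"\xff" * 6 + src_mac
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    header += struct.pack("!H", 0x0806)               # EtherType: ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # Ethernet/IPv4, request
    arp += src_mac + socket.inet_aton(sender_ip)      # sender MAC, sender IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)  # target MAC, target IP
    return header + arp


def classify(frame, rule_text=PAGE_RULE):
    """Return the rule's action if the frame matches it, else 'no-match'."""
    action, triples, _ = parse_user_rule(rule_text)
    return action if rule_matches(frame, triples) else "no-match"


# Gateway address decoded from the hexadecimal value in the page's rule.
GATEWAY_IP = socket.inet_ntoa(bytes.fromhex("c0a80264"))
PC_MAC = bytes.fromhex("020000000001")  # constructed sample MAC
PC_IP = "192.168.2.10"                  # constructed sample address


def demo():
    """Classify three constructed ARP requests with the page's rule."""
    spoofed = build_arp_request(PC_MAC, GATEWAY_IP, PC_IP, vlan=2)
    honest = build_arp_request(PC_MAC, PC_IP, GATEWAY_IP, vlan=2)
    untagged = build_arp_request(PC_MAC, GATEWAY_IP, PC_IP, vlan=None)
    return {
        "spoofed": classify(spoofed),    # sender IP field claims the gateway
        "honest": classify(honest),      # sender IP field is the PC's own
        "untagged": classify(untagged),  # same spoof, fields 4 bytes earlier
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The untagged case shows why the offsets must be taken from Table 2-1 for the port's actual QinQ setting: the same spoofed ARP request is missed when the fields sit at different positions from those the rule names.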

802.1x Configuration Examples

Table of Contents

Chapter X Overview
    Introduction to 802.1X
    Features Configuration
        Global Configuration
        Configuration in Port View
        Precautions
Chapter X Configuration Commands
Chapter 3 Enterprise Network Access Authentication Configuration Example
    Network Application Analysis
    Network Diagram
    Configuration Procedure
        Configuring the Switch
        Configuring the RADIUS Server
        Configuring the Supplicant System
        Verifying Configuration
        Troubleshooting

802.1x Configuration Example

Keywords: 802.1x and AAA

Abstract: This article introduces the application of 802.1x on Ethernet switches in real network environments, and then presents detailed configurations of the 802.1x client, LAN Switch and AAA server respectively.

Acronyms: AAA (Authentication, Authorization and Accounting)

Chapter X Overview

Note: The use of this document is restricted to H3C S7500 Series Ethernet switches.

1.1 Introduction to 802.1X

The LAN defined in IEEE 802 protocols does not provide access authentication. In general, users can access network devices or resources in a LAN as long as they access the LAN. When it comes to application circumstances like telecom network access, building, LAN and mobile office, however, administrators need to control and configure the access of user devices. Therefore, port- or user-based access control comes into being.

802.1x is a port-based network access control protocol. It is widely accepted by vendors, service providers and end users for its low cost, superior service continuity and scalability, and high security and flexibility.

1.2 Features Configuration

Global Configuration

- Enable 802.1x globally
- Set time parameters
- Set the maximum number of authentication request attempts
- Enable the quiet timer
- Enable re-authentication upon reboot

Configuration in Port View

- Enable dot1x on the port
- Enable Guest VLAN
- Set the maximum number of users supported on the port
- Set a port access control method (port-based or MAC-based)
- Set a port access control mode (force-authorized, force-unauthorized or auto)
- Enable client version checking
- Enable proxy detection

Precautions

- The configuration of dot1x on a specific port takes effect only after the dot1x feature is enabled globally and on the port.
- You can configure dot1x parameters associated with Ethernet ports or devices before enabling dot1x. However, the configured dot1x parameters only take effect after dot1x is enabled.
- The configured dot1x parameters are reserved after dot1x is disabled and will take effect if dot1x is re-enabled.

Chapter X Configuration Commands

To implement 802.1x, you need to configure the supplicant system (client), authenticator system (switch) and authentication/authorization server correctly.

- Supplicant system: Ensure that the PC uses the right client.
- Authenticator system: Configuring 802.1x and AAA on the authenticator system is required.
- Authentication/authorization server: Configuring the authentication/authorization server correctly is required.

The following table shows 802.1x configuration commands necessary for configuring the switch (authenticator system). For configuration information on other devices, refer to related manuals.

Table x configuration commands

To do: Enter system view
Use the command: system-view

To do: Enable 802.1x globally
Use the command: dot1x
Remarks: Disabled by default

To do: Enable 802.1x for one or more ports
Use the command:
    In system view: dot1x [ interface interface-list ]
    In port view: dot1x
Remarks: Disabled on a port by default. 802.1x must be enabled both globally in system view and on the intended port in system view or port view. Otherwise, it does not function.

To do: Set a port access control method for the specified or all ports
Use the command:
    In system view: dot1x port-method { macbased | portbased } [ interface interface-list ]
    In port view: dot1x port-method { macbased | portbased }
Remarks: macbased by default. Port-based access control is required for Guest VLAN.

To do: Enable Guest VLAN on the specified or all ports
Use the command:
    In system view: dot1x guest-vlan vlan-id [ interface interface-list ]
    In port view: dot1x guest-vlan vlan-id
Remarks: Not enabled by default. The vlan-id of the Guest VLAN must be created beforehand.

Chapter 3 Enterprise Network Access Authentication Configuration Example

Note: The configuration or information displayed may vary with devices. The following takes the H3C S7500 series switch (using software Release 3135) as an example.

3.1 Network Application Analysis

An administrator of an enterprise network needs to authenticate users accessing the network on a per-port basis on the switch to control access to network resources. Table 3-1 shows the details of network application analysis.

Table 3-1 Network application analysis

Network requirement: Access of users is controlled by authentication.
Solution: Enable 802.1x

Network requirement: Users can only access VLAN 10 before the authentication succeeds.
Solution: Enable Guest VLAN

Network requirement: Users can access VLAN 100 after the authentication succeeds.
Solution: Enable dynamic VLAN assignment

Network requirement: Users select the monthly payment service of 50 dollars and use 2M bandwidth to access the network.
Solution: Configure an accounting policy and bandwidth restraint policy on the RADIUS server

Network requirement: IP address and MAC address are bound after a user logs in.
Solution: Set MAC-to-IP binding

Network requirement: Tear down the connection by force if it is idle for 20 minutes.
Solution: Enable idle cut

Network requirement: Users can be re-authenticated successfully after the switch reboots abnormally.
Solution: Enable re-authentication upon reboot

3.2 Network Diagram

Figure 3-1 Network diagram for enterprise network application

3.3 Configuration Procedure

Configuring the Switch

Create a RADIUS scheme named cams, and specify the primary and secondary authentication/accounting servers.

<H3C> system-view
[H3C] radius scheme cams
[H3C-radius-cams] primary authentication
[H3C-radius-cams] primary accounting
[H3C-radius-cams] secondary authentication
[H3C-radius-cams] secondary accounting

Set the password to expert for the switch to exchange messages with the RADIUS authentication and accounting servers.

[H3C-radius-cams] key authentication expert
[H3C-radius-cams] key accounting expert

Set the username format to fully qualified username with domain name.

[H3C-radius-cams] user-name-format with-domain

Set the server type to extended.

[H3C-radius-cams] server-type extended

Enable re-authentication upon reboot.

[H3C-radius-cams] accounting-on enable

Create an ISP domain named abc and adopt the RADIUS scheme cams for authentication.

[H3C] domain abc
[H3C-isp-abc] radius-scheme cams

Set the dynamic VLAN assignment mode.

[H3C-isp-abc] vlan-assignment-mode integer
[H3C-isp-abc] quit

Set the ISP domain abc as the default ISP domain.

[H3C] domain default enable abc

Enable Guest VLAN 10 on the specified port.

[H3C] vlan 10
[H3C-vlan10] quit
[H3C] interface Ethernet 3/0/3
[H3C-Ethernet3/0/3] dot1x port-method portbased
[H3C-Ethernet3/0/3] dot1x guest-vlan 10
[H3C-Ethernet3/0/3] quit

Enable 802.1x globally.

[H3C] dot1x

Enable dot1x for port Ethernet 3/0/3.

[H3C] dot1x interface ethernet3/0/3

Use the display command to view the configuration associated with 802.1x and AAA parameters.

[H3C] display dot1x interface ethernet3/0/3
 Equipment 802.1x protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
 Guest Vlan is enabled

 Configuration: Transmit Period 30 s, Handshake Period 15 s
                ReAuth Period s
                Quiet Period 60 s, Quiet Period Timer is disabled
                Supp Timeout 30 s, Server Timeout 100 s
                Interval between version requests is 30s
                maximal request times for version information is 3
                The maximal retransmitting times 2

 Total maximum 802.1x user resource number is 4096
 Total current used 802.1x resource number is 0

 Ethernet3/0/3 is link-up

802.1x protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan: 10
Version-Check is disabled
The port is a(n) authenticator
Authentication Mode is Auto
Port Control Type is Port-based
ReAuthenticate is disabled
Max on-line user number is 1024
Authentication Success: 0, Failed: 0
EAPOL Packets: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0

[H3C] display radius cams
SchemeName =cams Index=1 Type=extended
Primary Auth IP = Port=1812
Primary Acct IP = Port=1813
Second Auth IP = Port=1812
Second Acct IP = Port=1813
Auth Server Encryption Key= expert
Acct Server Encryption Key= expert
Accounting method = required
Accounting-On packet enable, send times = 40, interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-pkt =500
Quiet-interval(min) =5
Username format =with-domain
Data flow unit =Byte
Packet unit =1

[H3C] display domain abc
The contents of Domain abc:
State = Active

RADIUS Scheme = cams
Access-limit = Disable
Vlan-assignment-mode = Integer
accounting-mode = time
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable

Configuring the RADIUS Server

The configuration of the CAMS authentication, authorization and accounting server consists of four parts:

Creating an accounting policy
Adding a service
Adding an account user
Configuring the access device

The following parts take CAMS server V1.20 (standard version) as an example to introduce CAMS configuration.

I. Logging in to the CAMS configuration console

1) Enter the correct username and password on the login page to log in to the CAMS configuration console.

Figure 3-2 Login page of CAMS configuration console

2) After login, the following page appears:

Figure 3-3 CAMS configuration console

II. Creating an accounting policy

1) Enter the Accounting Policy Management page.

Log in to the CAMS configuration console. On the navigation tree, select Charges Management > Accounting Policy to enter the Accounting Policy Management page, as shown in Figure 3-4.

Figure 3-4 Accounting Policy Management

The list shows the created accounting policies. You can query, modify or copy these policies.

2) Create an accounting policy.

Click Add to enter the Accounting Policy Basic Information page and create a monthly payment accounting policy, as shown in Figure

Figure 3-5 Accounting Policy Basic Information

3) Click Next to enter the Accounting Attribute Settings page, and set Accounting Type to By duration, Monthly Cycle to Monthly and Monthly Fixed Fee to 50 dollars, as shown in Figure 3-6.

Figure 3-6 Accounting Attribute Settings

Click OK. A monthly payment accounting policy is created.

III. Adding a service

1) Enter the Service Config page.

Log in to the CAMS configuration console. On the navigation tree, select Service Management > Service Config to enter the Service Config page, as shown in Figure 3-7.

Figure 3-7 Service Config

The list shows the created service types. You can query, modify or delete these service types.

2) Add a service.

Click Add to enter the Add Service page and configure as follows:

Service Name: abc
Service Suffix Name: abc
Accounting Policy: Monthly Fixed Payment
Upstream Rate Limitation: 2M (2048 Kbps)
Downstream Rate Limitation: 2M (2048 Kbps)
VLAN Assignment: VLAN 100
Authentication Binding: Bind user IP address and bind user MAC address

Figure 3-8 Add Service

Click OK. A service type is added.

IV. Adding an account user

1) Enter the Account Management page.

Log in to the CAMS configuration console. On the navigation tree, select User Management > Account User to enter the Account Management page, as shown in Figure 3-9.

Figure 3-9 Account Management

The list shows the created account users. You can maintain these account users.

2) Add an account user.

Click Add to enter the Add Account page and configure as follows:

Account: info
Password: info
Full Name: Bruce
Prepaid Money: 100 dollars
Bind multiple IP address and MAC address: enable
Online Limit: 1
Max. Idle Time: 20 minutes
Service Information: abc

Figure 3-10 Add Account

Click OK. An account user is added.

V. Configuring the access device

1) Enter the System Configuration page.

Log in to the CAMS configuration console. On the navigation tree, select System Management > System Configuration to enter the System Configuration page, as shown in Figure

Figure 3-11 System Configuration

2) Click the Modify link for the Access Device item to enter the Access Device Configuration page, where you can modify access device settings such as the IP address, shared key, and authentication and accounting ports.

Figure 3-12 Access Device Configuration

VI. Adding configuration item

1) Click Add to enter the Add Access Device page and add configuration items, as shown in Figure

Figure 3-13 Add Access Device

2) Click OK. The prompt page appears as shown in Figure

Figure 3-14 Page prompting that system configuration is modified successfully

3) Return to the System Configuration page and click Validate Now to make the configuration take effect immediately.

Figure 3-15 Validate Now on System Management page

Configuring the Supplicant System

You need to install an 802.1x client on the PC. This can be H3C's 802.1x client, the client shipped with Windows XP, or a third-party client. The following takes H3C's iNode client as an example to introduce how to configure the supplicant system.

I. Starting up H3C iNode intelligent client

Figure 3-16 H3C iNode intelligent client

II. Creating a connection

To create a connection, follow the steps below:

1) Click the New Connection link in the left pane of the client interface to launch the Create New Connection Wizard dialog box.
2) Click Next in the wizard dialog box, and then select 802.1x protocol as the authentication protocol.
3) Click Next and then select Common connection as the connection type.
4) Click Next to enter the Account Information page, as shown in Figure

Figure 3-17 Create an 802.1x connection

5) Enter a connection name, username and password, and check/uncheck the Save password checkbox as required.
6) Click Next to enter the Network Property Settings page, as shown in Figure 3-18, to configure the connection attributes.

Figure 3-18 Set special properties

7) Keep the default settings and click OK, and then click Create after confirming the settings. The connection is created and the connection icon is displayed on the client interface.

III. Initiating the connection

Double-click the Info connection icon on the client interface, and then click Connect in the popup dialog box, as shown in Figure

Figure 3-19 Connection dialog box

The connection is established after successful authentication.

Verifying Configuration

To verify that the Guest VLAN configuration is taking effect, check that users can access VLAN 10 before 802.1x authentication or when 802.1x authentication fails.

To verify that the dynamically assigned VLAN is taking effect, check that users can access VLAN 100 after 802.1x authentication succeeds. At the same time, 802.1x authentication cooperates with CAMS to complete accounting and real-time monitoring.

To verify that the IP-to-MAC binding configuration is taking effect, check that users can be re-authenticated and access the Internet when the device reboots abnormally. If the configured IP-to-MAC binding is different from that on the CAMS, the user cannot access the Internet.

Troubleshooting

I. Symptom: 802.1x authentication failed

Solution:

Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.
Verify that the username and password are set correctly.
Verify that the connection works well.

Use the debugging dot1x packet command to verify that the switch receives and sends EAP packets and EAPoL frames normally.

II. Symptom: Users can access network resources without 802.1x authentication

Use the display dot1x command to verify 802.1x is enabled globally and on the specified ports.
Use the display interface command to verify the statistics of incoming packets are available for the specified port. 802.1x authentication applies only to incoming packets, not outgoing packets.
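The display dot1x check that both troubleshooting cases start with can be run over every access port at once. The following is an added example, not part of the original manual: the field names are those in the display dot1x interface output shown earlier, while the line layout of the sample, the second port and the function names are assumptions.

```python
import re

# Constructed sample. The field names are those in the `display dot1x interface`
# output on this page; the line layout and the second port are assumptions.
SAMPLE_OUTPUT = """\
Equipment 802.1x protocol is enabled
CHAP authentication is enabled
Guest Vlan is enabled

Ethernet3/0/3 is link-up
  802.1x protocol is enabled
  Guest Vlan: 10
  The port is a(n) authenticator
  Authentication Mode is Auto
  Port Control Type is Port-based

Ethernet3/0/4 is link-up
  802.1x protocol is disabled
  The port is a(n) authenticator
  Authentication Mode is Auto
  Port Control Type is Port-based
"""

# A port block starts with a line such as "Ethernet3/0/3 is link-up".
PORT_LINE = re.compile(r"^(\S+\d+/\d+/\d+) is link-(up|down)$")


def parse_dot1x(text):
    """Split the output into the global state and one dict per port."""
    state = {"global": None, "ports": {}}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port = state["ports"].setdefault(m.group(1), {"link": m.group(2)})
        elif line.startswith("Equipment 802.1x protocol is "):
            state["global"] = line.endswith(" enabled")
        elif port is not None and line.startswith("802.1x protocol is "):
            port["dot1x"] = line.endswith(" enabled")
        elif port is not None and line.startswith("Guest Vlan:"):
            port["guest_vlan"] = line.split(":", 1)[1].strip()
        elif port is not None and line.startswith("Authentication Mode is "):
            port["mode"] = line.rsplit(" ", 1)[1]
    return state


def unprotected_ports(text, access_ports):
    """Return (port, reason) for each access port that 802.1x does not control."""
    state = parse_dot1x(text)
    problems = []
    for name in access_ports:
        port = state["ports"].get(name)
        if port is None:
            problems.append((name, "not in output"))
        elif not state["global"]:
            # A missing global line is treated the same as "disabled".
            problems.append((name, "802.1x disabled globally"))
        elif not port.get("dot1x"):
            problems.append((name, "802.1x disabled on port"))
        elif port.get("mode") != "Auto":
            problems.append((name, "authentication mode is not Auto"))
    return problems


if __name__ == "__main__":
    ports = ["Ethernet3/0/3", "Ethernet3/0/4", "Ethernet3/0/5"]
    for name, reason in unprotected_ports(SAMPLE_OUTPUT, ports):
        print(name, "->", reason)
```

A port reported here is one where users can reach the network without authenticating, which is the second symptom above.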

SSH Configuration Examples

Table of Contents

Chapter 1 SSH Overview
  Introduction to SSH
  Support for SSH Functions
  SSH Configuration
    Configuring an SSH Server
    Configuring an SSH Client
    Precautions
Chapter 2 SSH Configuration Commands
  SSH Configuration Commands
  Configuring an H3C Switch as an SSH Server
    Configuration Procedure
    Configuration Commands
  Configuring an H3C Switch as an SSH Client
    Configuration Procedure
    Configuration Commands
Chapter 3 SSH Configuration Examples
  SSH Configuration Examples
    When the Switch Acts as the SSH Server and the Authentication Type is Password
    When the Switch Acts as an SSH Server and the Authentication Type is RSA
    When the Switch Acts as an SSH Client and the Authentication Type is Password
    When the Switch Acts as an SSH Client and the Authentication Type is RSA
    When the Switch Acts as an SSH Client and First-time authentication is not Supported

SSH Configuration Example

Keywords: SSH, RSA

Abstract: This article introduces the application of SSH on the H3C S7500 series Ethernet switches in real network environments, and then presents detailed configurations of the involved SSH client and Ethernet switches respectively.

Acronyms: SSH (Secure Shell), RSA (Rivest Shamir Adleman)

Chapter 1 SSH Overview

1.1 Introduction to SSH

Secure Shell (SSH) is designed to provide secure remote login and other security services in insecure network environments. When users remotely access the switch across an insecure network, SSH automatically encrypts data before transmission and decrypts it at the destination, which guarantees information security and protects switches from attacks such as plain-text password interception. In addition, SSH provides powerful authentication to defend against man-in-the-middle attacks.

SSH uses the client/server mode, in which the SSH server accepts connection requests from SSH clients and provides authentication. SSH clients can establish SSH connections and log in to the SSH server through them.

SSH also provides other functions, such as compressing the data to be transmitted to speed up transmission, functioning as Telnet, and providing secure channels for FTP, POP and even PPP.

Note: For details about SSH functions supported on Ethernet switches, refer to related user manuals.

1.2 Support for SSH Functions

Currently, an S7500 switch can function as an SSH client or an SSH server.

1.3 SSH Configuration

Configuring an SSH Server

I. For an H3C switch to be the SSH server

Configure the protocols supported on user interfaces
Create or destroy an RSA key pair
Create an SSH user and specify an authentication type
Specify a service type for the SSH user
Configure the SSH management function on the SSH server
Configure a client public key on the SSH server
Specify a public key for the SSH user

II. For a non-H3C device to be the SSH server

For such configuration, refer to the related user manual.

Configuring an SSH Client

I. Using SSH client software

There are many kinds of SSH client software, such as PuTTY and OpenSSH. You can select one as required and refer to the attached manual for configuration.

II. Using an SSH2-capable switch

Configure whether first-time authentication is supported
Establish a connection between the SSH client and the SSH server

Precautions

If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.
Creating an RSA key pair on the SSH server is necessary for successful SSH login.

Chapter 2 SSH Configuration Commands

2.1 SSH Configuration Commands

To implement SSH, you need to configure the SSH client and the SSH server correctly. The subsequent sections describe SSH configuration commands on the switch. For more information, refer to the SSH Operation Manual.

2.2 Configuring an H3C Switch as an SSH Server

Configuration Procedure

Table 2-1 Configure the switch as an SSH server

Role: SSH server
Common configuration: For detailed command, refer to Common configuration.

Authentication type: Password authentication
Remarks: For detailed command, refer to Password authentication configuration.

Authentication type: RSA authentication
Public key configuration: Configure a public key manually: copy the public key from the client public key file to the SSH server. Associate the client public key saved on the SSH server to the SSH client.
Remarks: For detailed commands, refer to Configuring the client RSA public key manually.

I. Precautions for authentication type configuration

The above table introduces password authentication and RSA authentication separately. In practice, you can combine the two authentication types.

Executing the ssh authentication-type default password-publickey command or the ssh user authentication-type password-publickey command means that users must pass both password authentication and RSA authentication to log in to the SSH server.

Executing the ssh authentication-type default all command or the ssh user authentication-type all command means that users can log in to the SSH server as long as they pass either password or RSA authentication.

II. Public key configuration procedure and precautions

As shown in Table 2-1, you need to copy or import the public key from the client to the server.

When a host acts as the SSH client, use the SSH client program to generate an RSA key pair and display the RSA public key.
When a switch acts as the SSH client, use the display rsa local-key-pair public command to display the RSA public key after creating the RSA key pair through the corresponding commands.
Manually copy the RSA public key to the SSH server. Thus, the SSH server has the same public key as the SSH client, and can authenticate the SSH client when the SSH client establishes a connection with it.

Configuration Commands

I. Common configuration

Table 2-2 Common configuration

Operation: Enter system view
Command: system-view

Operation: Enter the view of one or multiple user interfaces
Command: user-interface [ type-keyword ] number [ ending-number ]

Operation: Configure the authentication mode as scheme
Command: authentication-mode scheme [ command-authorization ]
Remarks: By default, the user interface authentication mode is password.

Operation: Specify the supported protocol(s)
Command: protocol inbound { all | ssh | telnet }
Remarks: By default, both Telnet and SSH are supported.

Operation: Return to the system view
Command: quit

Operation: Create an RSA key pair
Command: rsa local-key-pair create
Remarks: By default, no RSA key pair is created.

Operation: Destroy the RSA key pair
Command: rsa local-key-pair destroy

Operation: Specify a service type for the SSH user
Command: ssh user username service-type { stelnet | sftp | all }
Remarks: stelnet by default

Operation: Set SSH authentication timeout time
Command: ssh server timeout seconds
Remarks: By default, the timeout time is 60 seconds.

Operation: Set SSH authentication retry times
Command: ssh server authentication-retries times
Remarks: By default, the number of retry times is 3.

Operation: Set RSA server key update interval
Command: ssh server rekey-interval hours
Remarks: By default, the system does not update RSA server keys.

Operation: Configure SSH server to be compatible with SSH1.x clients
Command: ssh server compatible-ssh1x enable
Remarks: By default, SSH server is compatible with SSH1.x clients.

II. Password authentication configuration

Table 2-3 Configure password authentication

Create an SSH user and specify an authentication type:

Operation: Specify the default authentication type for all SSH users
Command: ssh authentication-type default password
Command: ssh user username

Operation: Create an SSH user, and specify an authentication type for the user
Command: ssh user username authentication-type password

Description: By default, the authentication type is password. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.

Note: For common configuration commands, refer to Table

III. Configuring the client RSA public key manually

Table 2-4 Configure the client RSA public key manually

Create an SSH user and specify an authentication type:

Operation: Specify the default authentication type for all SSH users
Command: ssh authentication-type default rsa
Command: ssh user username

Operation: Create an SSH user, and specify an authentication type for it
Command: ssh user username authentication-type rsa

Description: Use either command. By default, the authentication type is password. Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.

Operation: Enter public key view
Command: rsa peer-public-key keyname

Operation: Enter public key edit view
Command: public-key-code begin

Operation: Configure the client RSA public key
Command: Enter the content of the RSA public key
Description: The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded compliant to PKCS. Spaces and carriage returns are allowed between characters.

Operation: Return from public key code view to public key view
Command: public-key-code end
Description: When you exit public key code view, the system automatically saves the public key.

Operation: Return from public key view to system view
Command: peer-public-key end

Operation: Assign a public key to an SSH user
Command: ssh user username assign rsa-key keyname
Description: If you issue this command multiple times, the last command overrides the previous ones.
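The table above requires the key entered in public key code view to be a hexadecimal string coded compliant to PKCS. The following added example (not from the original manual or from H3C's tools) shows what such a conversion involves: it reads an RFC 4716 public key file and prints the key as DER-encoded hex in groups of eight digits. It assumes the expected encoding is the PKCS#1 RSAPublicKey structure; the 40-bit modulus is a constructed toy value chosen to keep the output readable, not a usable key.

```python
import base64
import struct


def _int_bytes(value):
    """Unsigned big-endian bytes, with a leading 0x00 when the top bit is set."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def _der(tag, content):
    """One DER tag-length-value, using the long length form from 128 bytes up."""
    size = len(content)
    if size < 0x80:
        length = bytes([size])
    else:
        raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def pkcs1_der(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _der(0x30, _der(0x02, _int_bytes(n)) + _der(0x02, _int_bytes(e)))


def _read_string(blob, offset):
    """Read one length-prefixed field of the SSH public key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (size,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + size
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_rfc4716(text):
    """Return (n, e) from an RFC 4716 public key file holding an ssh-rsa key."""
    body, in_key, continued = [], False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            in_key = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        elif in_key and line:
            # Header lines contain ':' and may continue with a trailing '\'.
            is_header = continued or ":" in line
            continued = is_header and line.endswith("\\")
            if not is_header:
                body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    kind, pos = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % kind)
    e_raw, pos = _read_string(blob, pos)   # the exponent comes first in the blob
    n_raw, pos = _read_string(blob, pos)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def key_code_lines(der, group=8, per_line=6):
    """Upper-case hex in space-separated groups, ready to paste line by line."""
    hexed = der.hex().upper()
    groups = [hexed[i:i + group] for i in range(0, len(hexed), group)]
    return [" ".join(groups[i:i + per_line]) for i in range(0, len(groups), per_line)]


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample file built from toy values (not a real key).
TOY_N, TOY_E = 0xC5A1F30B7D, 0x010001
SAMPLE_FILE = "\n".join([
    "---- BEGIN SSH2 PUBLIC KEY ----",
    'Comment: "constructed-toy-key"',
    base64.b64encode(
        _ssh_string(b"ssh-rsa")
        + _ssh_string(_int_bytes(TOY_E))
        + _ssh_string(_int_bytes(TOY_N))
    ).decode(),
    "---- END SSH2 PUBLIC KEY ----",
])

if __name__ == "__main__":
    for line in key_code_lines(pkcs1_der(*parse_rfc4716(SAMPLE_FILE))):
        print(line)
```

Comparing this output with what the switch stores after public-key-code end is a quick way to confirm the key was pasted without truncation.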

Note: For common configuration commands, refer to Table

Configuring an H3C Switch as an SSH Client

When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.

First-time authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the user can continue accessing the server, and the client saves the host public key for use in subsequent authentications.
When first-time authentication is not supported, a client that is not configured with the server host public key is denied access to the server. To access the server, a user must configure the server host public key locally in advance and specify the public key name for authentication.

Configuration Procedure

Table 2-5 Configure the switch as an SSH client

Role: SSH client
Common configuration: Refer to Common configuration.

First-time authentication support: Yes
Access the SSH server: Establish a connection between the SSH client and the SSH server
Remarks: Refer to Enabling first-time authentication.

First-time authentication support: No
Public key configuration: Configure a public key manually: copy the server public key from the public key file to the SSH client. Specify the host public key of the SSH server to be connected.
Access the SSH server: Establish a connection between the SSH client and the SSH server
Remarks: Refer to Disabling first-time authentication.

As shown in Table 2-5, you need to configure the server public key on the client when the SSH client does not support first-time authentication.

On the SSH server, use the display rsa local-key-pair public command to display the RSA public key.
Configure the public key on the SSH client. Thus, the SSH client can authenticate the SSH server using the public key when establishing a connection with the SSH server.

Configuration Commands

I. Enabling first-time authentication

Table 2-6 Enable first-time authentication

Operation: Enter system view
Command: system-view

Operation: Enable first-time authentication
Command: ssh client first-time enable
Description: Enabled by default

Operation: Establish a connection with the SSH server
Command: ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *
Description: In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client.

II. Disabling first-time authentication

Table 2-7 Disable first-time authentication

Operation: Enter system view
Command: system-view

Operation: Disable first-time authentication
Command: undo ssh client first-time
Description: Enabled by default

Operation: Enter public key view
Command: rsa peer-public-key keyname

Operation: Enter public key edit view
Command: public-key-code begin

Operation: Configure server public key
Command: Enter the content of the public key
Description: When you input the key data, spaces are allowed between the characters you input (because the system can remove the spaces automatically); you can also press <Enter> to continue your input at the next line. But the key you input should be a hexadecimal digit string coded in the public key format.

Operation: Return to public key view from public key edit view
Command: public-key-code end
Description: When you exit public key code view, the system automatically saves the public key.

Operation: Exit public key view and return to system view
Command: peer-public-key end

Operation: Specify the host key name of the server
Command: ssh client { server-ip | server-name } assign rsa-key keyname
Description: You need to copy the server public key to the SSH client before performing this configuration.

Operation: Start the client to establish a connection with an SSH server when the SSH client does not support first-time authentication
Command: ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *
Description: In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client.
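Several defaults documented in this chapter leave a weaker path open: Telnet is accepted alongside SSH, the server stays compatible with SSH1.x clients, and first-time authentication accepts an unverified host key. The following added example (not part of the original manual) audits a saved configuration for those defaults and for the password simple command this page uses in its password-authentication example. Both configurations are constructed, and the undo ssh server compatible-ssh1x form is an assumption modelled on undo ssh client first-time.

```python
import re

# Constructed configurations built from commands shown on this page.
WEAK_CONFIG = """\
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound all
local-user client001
 password simple abc
 service-type ssh level 3
ssh user client001 authentication-type password
"""

# Assumption: `undo ssh server compatible-ssh1x` is the disabling form, following
# the `undo` pattern of `undo ssh client first-time`; check the command manual.
HARDENED_CONFIG = """\
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 user privilege level 3
ssh user client001 authentication-type rsa
ssh user client001 assign rsa-key Switch001
undo ssh server compatible-ssh1x
undo ssh client first-time
"""

RULES = {
    "telnet-allowed": "VTY accepts Telnet (explicitly, or by the default of both)",
    "vty-not-aaa": "VTY lacks authentication-mode scheme, which SSH login needs",
    "cleartext-password": "local user password is stored in clear text",
    "password-login": "SSH user can log in with a password alone",
    "ssh1-compat": "server still accepts SSH1.x clients (the default)",
    "first-time-auth": "client accepts an unknown host key on first use (default)",
}


def parse_sections(text):
    """Group indented lines under the preceding unindented command."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return a list of (rule, subject) findings for one configuration."""
    findings = []
    sections = parse_sections(text)
    for head, body in sections:
        if head.startswith("user-interface vty"):
            proto = next(
                (l.split()[-1] for l in body if l.startswith("protocol inbound")),
                None,  # absent: the documented default, Telnet and SSH
            )
            if proto != "ssh":
                findings.append(("telnet-allowed", head))
            if not any(l.startswith("authentication-mode scheme") for l in body):
                findings.append(("vty-not-aaa", head))
        elif head.startswith("local-user "):
            if any(l.startswith("password simple ") for l in body):
                findings.append(("cleartext-password", head.split()[1]))
    for head, _ in sections:
        m = re.match(r"ssh user (\S+) authentication-type (\S+)$", head)
        # "all" lets either method succeed, so the password path stays open.
        if m and m.group(2) in ("password", "all"):
            findings.append(("password-login", m.group(1)))
    heads = [head for head, _ in sections]
    if "undo ssh server compatible-ssh1x" not in heads:
        findings.append(("ssh1-compat", "global"))
    if "undo ssh client first-time" not in heads:
        findings.append(("first-time-auth", "global"))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(WEAK_CONFIG):
        print("%-18s %-24s %s" % (rule, subject, RULES[rule]))
```

The first-time-auth finding matters only when the switch itself acts as an SSH client; on a server-only device it can be ignored.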

Chapter 3 SSH Configuration Examples

Note: The S7500 software version in this configuration example is Release

SSH Configuration Examples

When the Switch Acts as the SSH Server and the Authentication Type is Password

I. Network requirements

As shown in Figure 3-1, establish an SSH connection between the host (SSH Client) and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Password authentication is required.

II. Network diagram

Figure 3-1 Network diagram of SSH server configuration using password authentication

III. Configuration procedure

1) Configure the SSH server

Create a VLAN interface on the switch and assign an IP address, which the SSH client will use to connect with the SSH server.

<H3C> system-view
[H3C] interface vlan-interface 1
[H3C-Vlan-interface1] ip address
[H3C-Vlan-interface1] quit

Generate an RSA key pair.

[H3C] rsa local-key-pair create
The key name will be: H3C_Host

The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 1024]:
Generating keys

Set the authentication mode for the user interface to AAA.

[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme

Enable the user interface to support SSH.

[H3C-ui-vty0-4] protocol inbound ssh
[H3C-ui-vty0-4] quit

Create local client client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client.

[H3C] local-user client001
[H3C-luser-client001] password simple abc
[H3C-luser-client001] service-type ssh level 3
[H3C-luser-client001] quit

Caution: This example configures the server to use local authentication, therefore the AAA scheme referenced by the ISP domain must be a local authentication scheme. Otherwise, the client cannot log in to the server.

Specify the authentication type for user client001 as password.

[H3C] ssh user client001 authentication-type password

2) Configure the SSH client

Configure an IP address ( in this case) for the SSH client. This IP address and that of the VLAN interface on the switch must be in the same network segment.

Configure the SSH client software to establish a connection to the SSH server. Take the SSH client software PuTTY (version 0.58) as an example:

Run PuTTY.exe to enter the following configuration interface.

Figure 3-2 SSH client configuration interface

In the Host Name (or IP address) text box, enter the IP address of the SSH server.

From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 3-3 appears.

Figure 3-3 SSH client configuration interface 2

Under Protocol options, select 2 from Preferred SSH protocol version.

As shown in Figure 3-4, click Open to enter the following interface. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log on to the server.

Figure 3-4 SSH client interface

When the Switch Acts as an SSH Server and the Authentication Type is RSA

I. Network requirements

As shown in Figure 3-5, establish an SSH connection between the host (SSH client) and the switch (SSH Server) for secure data exchange. The host runs SSH2.0 client software. RSA authentication is required.

II. Network diagram

Figure 3-5 Network diagram of SSH server configuration

III. Configuration procedure

1) Configure the SSH server

Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.

<H3C> system-view
[H3C] interface vlan-interface 1
[H3C-Vlan-interface1] ip address

[H3C-Vlan-interface1] quit

Generate an RSA key pair.

[H3C] rsa local-key-pair create

Set the authentication mode for the user interface to AAA.

[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme

Enable the user interface to support SSH.

[H3C-ui-vty0-4] protocol inbound ssh

Set the client's command privilege level to 3.

[H3C-ui-vty0-4] user privilege level 3
[H3C-ui-vty0-4] quit

Configure the authentication type of the SSH client named client001 as RSA.

[H3C] ssh user client001 authentication-type rsa

Note: Before performing the following steps, you must generate an RSA key pair (using the client software) on the client, and configure the public key on the server. For details, refer to Configuring the SSH Client.

Configure the client's public key named Switch001 on the server.

[H3C] rsa peer-public-key Switch001
RSA public key view: return to System View with "peer-public-key end".
[H3C-rsa-public-key] public-key-code begin
RSA key code view: return to last view with "public-key-code end".
[H3C-rsa-key-code] CF 442CE3EC 1119A454 E020AD94 E7D65B09
[H3C-rsa-key-code]B04455B3 9D7BFA D98 F5D4ACFE B32C4CDF 01DF3C40
[H3C-rsa-key-code]CB55B76C D1A0F5FF A 0910CAA8 DF4BCBFD 5BA9B4AA
[H3C-rsa-key-code]BF23531A 2A09DBB E16BFA2 D01607AC 56B82B9A
[H3C-rsa-key-code]D8435E7B 0CBD897F 930A105E 06D91AFB A9F548FC 566A3463
[H3C-rsa-key-code]419AC3E0 A3C26A33 8D9B0C32 ED2D
[H3C-rsa-key-code] public-key-code end
[H3C-rsa-public-key] peer-public-key end

Assign the public key Switch001 to client client001.

[H3C] ssh user client001 assign rsa-key Switch001

2) Configure the SSH client

Generate an RSA key pair, taking PuTTYGen as an example.

Run PuTTYGen.exe, choose SSH-2 RSA and click Generate.

Figure 3-6 Generate a client key pair (1)

Note: While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 3-7. Otherwise, the process bar stops moving and the key pair generating process is stopped.

Figure 3-7 Generate a client key pair (2)

After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case).

Figure 3-8 Generate a client key pair (3)

Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case).

Figure 3-9 Generate a client key pair (4)

Run SSHKEY.exe and click Browse to select the public key file public. Then, click Convert to convert the RSA public key to the PKCS format.

Figure 3-10 Generate a client key pair (5)

Note: After the public key is converted to the PKCS format, you need to manually configure the RSA public key in the PKCS format on the server, and complete the server end configuration before continuing to configure the client.

Establish a connection with the SSH server. The following takes the SSH client software PuTTY (version 0.58) as an example.

Launch PuTTY.exe to enter the following interface.

Figure 3-11 SSH client configuration interface 1

In the Host Name (or IP address) text box, enter the IP address of the server.

From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 3-12 appears.

Figure 3-12 SSH client configuration interface 2

Under Protocol options, select 2 from Preferred SSH protocol version.

Select Connection > SSH > Auth. The following window appears.

Figure 3-13 SSH client configuration interface (2)

Click Browse to bring up the file selection window, navigate to the private key file and click OK.

From the window shown in Figure 3-13, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure

Figure 3-14 SSH client interface

When the Switch Acts as an SSH Client and the Authentication Type is Password

I. Network requirements

As shown in Figure 3-15, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name for login is client001 and the SSH server's IP address is Password authentication is required.

II. Network diagram

Figure 3-15 Network diagram of SSH client configuration when using password authentication

III. Configuration procedure

1) Configure Switch B

Create a VLAN interface on the switch and assign an IP address, which the SSH client will use to connect with the SSH server.
