H3C Access Points Cloud Mode Web-Based Configuration Guide(E2442 R2442)-6W100


Contents

Network services features
Link aggregation
Aggregation group
Aggregation states of member ports in an aggregation group
Operational key
Attribute settings
Link aggregation modes
PPPoE
Overview
PPPoE network structure
VLAN
Port-based VLANs
VLAN interface
MAC
Types of MAC address entries
Aging timer for dynamic MAC address entries
MAC address learning
STP
Spanning tree modes
MSTP basic concepts
Port roles
Port states
Routing table
Static routing
IP
IP address classes
Subnetting and masking
IP address configuration methods
MTU for an interface
IPv6
IPv6 address formats
IPv6 address types
EUI-64 address-based interface identifiers
IPv6 global unicast address configuration methods
IPv6 link-local address configuration methods
NAT
Dynamic NAT
Static NAT
Advanced settings
Restrictions and guidelines
DHCP
DHCP server
DHCP relay agent
DNS
Dynamic domain name resolution
Static domain name resolution
DNS proxy
IGMP snooping
MLD snooping
ARP
Types of ARP table entries
Proxy ARP
Gratuitous ARP
ARP attack protection
ND
Neighbor entries
RA messages
ND proxy
HTTP/HTTPS
Telnet
SSH
NTP
LLDP
LLDP agent
Transmitting LLDP frames
Receiving LLDP frames
LLDP reinitialization delay
LLDP trapping
LLDP TLVs
Log
Log levels
Log destinations
Security features
Packet filter
QoS
QoS policies
Priority mapping
802.1X
802.1X architecture
802.1X authentication methods
Access control methods
Periodic online user reauthentication
Online user handshake
EAD assistant
802.1X SmartOn
ISP domains
RADIUS
RADIUS protocol
RADIUS servers
RADIUS timers
Source IP address of outgoing RADIUS packets
Enhanced RADIUS features
Local users
System features
Event logs
Log types
Log levels
ACL
ACL types and match criteria
Match order
Rule numbering
Time range
Administrators
User account management
Role-based access control
Password control
Settings
System time sources
Clock synchronization protocols
NTP/SNTP operating modes
NTP/SNTP time source authentication
Configuration file management
Configuration types
Configuration file types and file selection process at startup
Next-startup configuration file redundancy
Configuration file content organization and format
Software upgrade
Software types
Software release forms
Tools

 


Network services features

Link aggregation

The following compatibility matrix shows which hardware platforms support link aggregation (hardware series, models, and link aggregation compatibility):

WA6600 series (WA6638, WA6638i, WA6636, WA6630X, WA6628, WA6628X, WA6628E-T, WA6622, WA6620, WA6620X):

·     Yes: WA6638, WA6638i, WA6636, WA6630X, WA6628, WA6622, WA6620, WA6620X.

·     No: WA6628X, WA6628E-T.

WA6300 series (WA6338, WA6338-HI, WA6338-LI, WA6330, WA6330-LI, WA6322, WA6322H, WA6322H-HI, WA6322H-LI, WA6320, WA6320-C, WA6320-D, WA6320-SI, WA6320H, WA6320H-LI, WA6320H-XEPON):

·     Yes: WA6338, WA6338-HI, WA6338-LI, WA6330, WA6330-LI, WA6322, WA6322H-HI, WA6320H, WA6320H-LI, WA6320H-XEPON.

·     No: WA6322H, WA6322H-LI, WA6320, WA6320-C, WA6320-D, WA6320-SI.

WAP922 series (WAP922E): No.

WAP923 series (WAP923): Yes.

 

Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an aggregate link. Link aggregation provides the following benefits:

·     Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.

·     Improved link reliability. The member ports dynamically back up one another. When a member port fails, its traffic is automatically switched to other member ports.

Aggregation group

Link bundling is implemented through interface bundling. An aggregation group is a group of Ethernet interfaces bundled together. These Ethernet interfaces are called member ports of the aggregation group. Each aggregation group has a corresponding logical interface (called an aggregate interface).

When you create an aggregate interface, the device automatically creates an aggregation group of the same type and number as the aggregate interface. For example, when you create Layer 2 aggregate interface 1, Layer 2 aggregation group 1 is created.

You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group.

The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex mode is the same as that of the Selected member ports.

Aggregation states of member ports in an aggregation group

A member port in an aggregation group can be in either of the following aggregation states:

·     Selected—A Selected port can forward traffic.

·     Unselected—An Unselected port cannot forward traffic.

Operational key

When aggregating ports, the system automatically assigns each port an operational key based on port information, such as port rate and duplex mode. Any change to this information triggers a recalculation of the operational key.

In an aggregation group, all Selected ports have the same operational key.

Attribute settings

To become a Selected port, a member port must have the same attribute settings as the aggregate interface.

 

Feature: VLAN

Considerations: VLAN attribute settings include:

·     Permitted VLAN IDs.

·     PVID.

·     Port link type.

·     VLAN tagging mode.

 

Link aggregation modes

An aggregation group operates in either of the following modes:

·     Static—Static aggregation is stable. An aggregation group in static mode is called a static aggregation group. The aggregation states of the member ports in a static aggregation group are not affected by the peer ports.

·     Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. The local system and the peer system automatically maintain the aggregation states of the member ports, which reduces the administrators' workload.

An aggregation group in either mode must choose a reference port and then set the aggregation state of its member ports.

Aggregating links in static mode

When setting the aggregation states of the ports in an aggregation group, the system automatically picks a member port as the reference port. A Selected port must have the same operational key and attribute settings as the reference port.

The system chooses a reference port from the member ports that are in up state and have the same attribute settings as the aggregate interface.

The candidate ports are sorted in the following order:

1.     Port priority

2.     Full duplex/high speed

3.     Full duplex/low speed

4.     Half duplex/high speed

5.     Half duplex/low speed

The candidate port at the top is chosen as the reference port.

·     If multiple ports have the same port priority, duplex mode, and speed, the port that has been a Selected port (if any) is chosen. If multiple ports have been Selected ports, the one with the smallest port number is chosen.

·     If multiple ports have the same port priority, duplex mode, and speed and none of them has been a Selected port, the port with the smallest port number is chosen.

After the reference port is chosen, the system sets the aggregation state of each member port in the static aggregation group.

Figure 1 Setting the aggregation state of a member port in a static aggregation group

 

Aggregating links in dynamic mode

Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP).

LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices.

Each member port in an LACP-enabled aggregation group exchanges information with its peer. When a member port receives an LACPDU, it compares the received information with information received on the other member ports. In this way, the two systems reach an agreement on which ports are placed in Selected state.

The system chooses a reference port from the member ports that are in up state and have the same attribute settings as the aggregate interface. A Selected port must have the same operational key and attribute settings as the reference port.

The local system (the actor) and the peer system (the partner) negotiate a reference port by using the following workflow:

1.     The two systems compare their system IDs to determine the system with the smaller system ID.

A system ID contains the system LACP priority and the system MAC address.

a.     The two systems compare their LACP priority values.

The lower the LACP priority, the smaller the system ID. If LACP priority values are the same, the two systems proceed to the next step.

b.     The two systems compare their MAC addresses.

The lower the MAC address, the smaller the system ID.

2.     The system with the smaller system ID chooses the port with the smallest port ID as the reference port.

A port ID contains a port priority and a port number. The lower the port priority, the smaller the port ID.

a.     The system chooses the port with the lowest priority value as the reference port.

If ports have the same priority, the system proceeds to the next step.

b.     The system compares their port numbers.

The smaller the port number, the smaller the port ID.

The port with the smallest port number and the same attribute settings as the aggregate interface is chosen as the reference port.

After the reference port is chosen, the system with the smaller system ID sets the state of each member port on its side.

Figure 2 Setting the state of a member port in a dynamic aggregation group

 

Meanwhile, the system with the higher system ID is aware of the aggregation state changes on the peer system. The system sets the aggregation state of local member ports the same as their peer ports.
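The reference port selection described above for static mode (sort by port priority, then duplex/speed, then previously Selected, then lowest port number) and for dynamic mode (the system with the smaller system ID picks its smallest port ID) can be written out as a small simulation. The following is an added example written for this page; it is not H3C code, and the attribute tuple, port numbers, MAC addresses and speeds are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Port:
    number: int
    priority: int            # port priority; a lower value is preferred
    up: bool
    full_duplex: bool
    speed: int               # port rate in Mbps
    attrs: Tuple             # VLAN attribute settings (permitted VLANs, PVID, link type, tagging mode)
    was_selected: bool = False

def operational_key(p: Port) -> Tuple[int, bool]:
    """Operational key as the page describes it: derived from port rate and duplex mode."""
    return (p.speed, p.full_duplex)

def _candidates(ports: List[Port], agg_attrs: Tuple) -> List[Port]:
    """Only ports that are up and match the aggregate interface's attribute settings may be chosen."""
    return [p for p in ports if p.up and p.attrs == agg_attrs]

def static_reference_port(ports: List[Port], agg_attrs: Tuple) -> Optional[Port]:
    """Static mode: sort the candidates in the order the page lists and take the top one."""
    cands = _candidates(ports, agg_attrs)
    if not cands:
        return None
    # Sort order: port priority; full duplex/high speed; full duplex/low speed; half duplex/high
    # speed; half duplex/low speed. Ties go to a port that is already Selected, then to the
    # smallest port number.
    return min(cands, key=lambda p: (p.priority, not p.full_duplex, -p.speed,
                                     not p.was_selected, p.number))

def static_selected_ports(ports: List[Port], agg_attrs: Tuple) -> List[int]:
    """A candidate becomes Selected when its operational key matches the reference port's key."""
    ref = static_reference_port(ports, agg_attrs)
    if ref is None:
        return []
    return sorted(p.number for p in _candidates(ports, agg_attrs)
                  if operational_key(p) == operational_key(ref))

@dataclass
class LacpSystem:
    name: str
    lacp_priority: int       # system LACP priority; lower wins
    mac: str                 # system MAC address
    ports: List[Port]

def system_id(s: LacpSystem) -> Tuple[int, int]:
    """System ID = (LACP priority, MAC address); Python tuples compare in exactly that order."""
    return (s.lacp_priority, int(re.sub(r"[^0-9a-fA-F]", "", s.mac), 16))

def lacp_reference_port(actor: LacpSystem, partner: LacpSystem, agg_attrs: Tuple):
    """Dynamic mode: the system with the smaller system ID picks its candidate with the smallest port ID."""
    chooser = min((actor, partner), key=system_id)
    cands = _candidates(chooser.ports, agg_attrs)
    if not cands:
        return chooser.name, None
    ref = min(cands, key=lambda p: (p.priority, p.number))    # port ID = (port priority, port number)
    return chooser.name, ref.number

# Constructed sample data (not from the page): a trunk aggregate interface carrying VLANs 1 and 10.
AGG_ATTRS = ("trunk", 1, (1, 10), "tagged")
SAMPLE_PORTS = [
    Port(1, 32768, True, True, 1000, AGG_ATTRS),
    Port(2, 32768, True, True, 1000, AGG_ATTRS, was_selected=True),
    Port(3, 32768, True, False, 1000, AGG_ATTRS),                        # half duplex: different key
    Port(4, 1, False, True, 1000, AGG_ATTRS),                            # best priority, but link is down
    Port(5, 32768, True, True, 10000, ("access", 2, (2,), "untagged")),  # attribute mismatch
]

if __name__ == "__main__":
    ref = static_reference_port(SAMPLE_PORTS, AGG_ATTRS)
    print("static reference port:", ref.number,
          "Selected:", static_selected_ports(SAMPLE_PORTS, AGG_ATTRS))
```

With the sample ports, port 2 wins the static election because it was already Selected, and only ports 1 and 2 end up Selected: port 3 has a different operational key (half duplex), port 4 is down, and port 5 has different attribute settings.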

PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP frames encapsulated in Ethernet over point-to-point links.

Overview

PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over Ethernet. PPPoE requires a point-to-point relationship between peers instead of the point-to-multipoint relationship found in multi-access environments such as Ethernet. PPPoE provides Internet access for the hosts in an Ethernet network through a remote access device and implements access control, authentication, and accounting on a per-host basis. By combining the low cost of Ethernet with the scalability and management functions of PPP, PPPoE has gained popularity in various application environments, such as residential access networks.

For more information about PPPoE, see RFC 2516.

PPPoE network structure

IMPORTANT:

The device can act only as a PPPoE client.

 

PPPoE uses the client/server model. The PPPoE client initiates a connection request to the PPPoE server. After session negotiation between them is complete, a session is established between them, and the PPPoE server provides access control, authentication, and accounting to the PPPoE client.

As shown in Figure 3, the PPPoE session is established between devices (Device A and Device B). All hosts share one PPPoE session for data transmission and do not need PPPoE client software. This network structure is typically used by enterprises.

Figure 3 PPPoE network structure

VLAN

The Virtual Local Area Network (VLAN) technology breaks a LAN down into multiple logical LANs, which are called VLANs. Each VLAN is a broadcast domain. Hosts in the same VLAN can directly communicate with one another. Hosts in different VLANs are isolated from one another at Layer 2.

Port-based VLANs

Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN.

You can configure a port as an untagged or tagged port of a VLAN.

·     To configure the port as an untagged port of a VLAN, assign it to the untagged port list of the VLAN. The untagged port of a VLAN forwards packets from the VLAN without VLAN tags.

·     To configure the port as a tagged port of a VLAN, assign it to the tagged port list of the VLAN. The tagged port of a VLAN forwards packets from the VLAN with VLAN tags.

You can configure the link type of a port as access, trunk, or hybrid. Ports of different link types use different VLAN tag handling methods.

·     Access—An access port can forward packets from only one VLAN and send them untagged. Assign an access port to only the untagged port list of a VLAN.

·     Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Assign a trunk port to the untagged port list of the PVID of the port, and to the tagged port lists of other VLANs.

·     Hybrid—A hybrid port can forward packets from multiple VLANs. You can assign a hybrid port to the untagged port lists of some VLANs, and to the tagged port lists of other VLANs. An untagged hybrid port of a VLAN forwards packets from the VLAN without VLAN tags. A tagged hybrid port of a VLAN forwards packets from the VLAN with VLAN tags.

VLAN interface

For hosts of different VLANs to communicate at Layer 3, you can use VLAN interfaces. VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the VLAN to forward packets destined for another IP subnet.

MAC

An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a destination MAC address, an outgoing interface (or egress RB), and a VLAN ID. When the device receives a frame, it uses the destination MAC address of the frame to look for a match in the MAC address table.

·     The device forwards the frame out of the outgoing interface in the matching entry if a match is found.

·     The device floods the frame in the VLAN of the frame if no match is found.

Types of MAC address entries

A MAC address table can contain the following types of entries:

·     Dynamic entries—A dynamic entry can be manually configured or dynamically learned to forward frames with a specific destination MAC address out of the associated interface. A dynamic entry might age out. A manually configured dynamic entry has the same priority as a dynamically learned one.

·     Static entries—A static entry is manually added to forward frames with a specific destination MAC address out of the associated interface, and it never ages out. A static entry has higher priority than a dynamically learned one.

·     Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole entry is configured for filtering out frames with a specific source or destination MAC address. For example, to block all frames destined for or sourced from a user, you can configure the MAC address of the user as a blackhole MAC address entry. The blackhole entry of a MAC address has a higher priority than the dynamic entry of the MAC address.

Aging timer for dynamic MAC address entries

For security and efficient use of table space, the MAC address table uses an aging timer for dynamic entries learned on all interfaces. If a dynamic MAC address entry is not updated before the aging timer expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can promptly update to accommodate the latest network topology changes.

A stable network requires a longer aging interval, and an unstable network requires a shorter aging interval.

An aging interval that is too long might cause the MAC address table to retain outdated entries. As a result, the MAC address table resources might be exhausted, and the MAC address table might fail to update its entries to accommodate the latest network changes.

An interval that is too short might result in removal of valid entries, which would cause unnecessary floods and possibly affect the device performance.

To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing flooding also improves the security because it reduces the chances for a data frame to reach unintended destinations.

MAC address learning

MAC address learning is enabled by default. To prevent the MAC address table from being saturated when the device is experiencing attacks, disable MAC address learning. For example, you can disable MAC address learning to prevent the device from being attacked by a large number of frames with different source MAC addresses.

When global MAC address learning is enabled, you can disable MAC address learning on a single interface.

You can also configure the MAC learning limit on an interface to limit the MAC address table size. A large MAC address table will degrade forwarding performance. When the limit is reached, the interface stops learning any MAC addresses. You can also configure whether to forward frames whose source MAC address is not in the MAC address table.
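The MAC address table behaviour described in this section (forward on a match, flood on a miss, static and blackhole entries outranking dynamic ones, aging of dynamic entries, and an interface learning limit with a choice of whether to forward frames from unknown sources) is easiest to see in a small simulation. The following is an added example written for this page, not H3C code; the MAC names "A" to "E", the interface names GE1 to GE3, and the timestamps are constructed sample values, and the per-interface limit and the `forward_unknown_source` switch are this example's own names for the settings the page describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DYNAMIC, STATIC, BLACKHOLE = "dynamic", "static", "blackhole"
FORWARD, FLOOD, DROP = "forward", "flood", "drop"

@dataclass
class Entry:
    mac: str
    vlan: int
    iface: Optional[str]     # outgoing interface; None for blackhole entries
    kind: str                # DYNAMIC, STATIC or BLACKHOLE
    last_update: float       # only meaningful for dynamic entries

class MacTable:
    def __init__(self, aging_seconds: Optional[float] = 300.0,
                 limits: Optional[Dict[str, int]] = None, forward_unknown_source: bool = True):
        self.aging = aging_seconds                 # None disables the aging timer
        self.limits = limits or {}                 # iface -> maximum dynamic entries learned on it
        self.forward_unknown_source = forward_unknown_source
        self.learning_enabled = True               # global MAC address learning switch
        self.entries: Dict[Tuple[str, int], Entry] = {}   # (mac, vlan) -> Entry

    def _dynamic_count(self, iface: str) -> int:
        return sum(1 for e in self.entries.values() if e.kind == DYNAMIC and e.iface == iface)

    def add_static(self, mac: str, vlan: int, iface: str) -> None:
        """Static entries never age out and replace any dynamic entry for the same address."""
        self.entries[(mac, vlan)] = Entry(mac, vlan, iface, STATIC, 0.0)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        """Blackhole entries filter frames sourced from or destined for the address."""
        self.entries[(mac, vlan)] = Entry(mac, vlan, None, BLACKHOLE, 0.0)

    def learn(self, mac: str, vlan: int, iface: str, now: float) -> bool:
        """Learn or refresh a dynamic entry; returns True if the source address is known afterwards."""
        key = (mac, vlan)
        e = self.entries.get(key)
        if e is not None and e.kind != DYNAMIC:
            return True                             # static/blackhole has priority; never overwritten
        if e is not None:
            e.iface, e.last_update = iface, now     # refresh (or move) the existing dynamic entry
            return True
        if not self.learning_enabled:
            return False
        limit = self.limits.get(iface)
        if limit is not None and self._dynamic_count(iface) >= limit:
            return False                            # learning limit reached: stop learning on iface
        self.entries[key] = Entry(mac, vlan, iface, DYNAMIC, now)
        return True

    def age(self, now: float) -> int:
        """Delete dynamic entries that were not updated within the aging interval."""
        if self.aging is None:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e.kind == DYNAMIC and now - e.last_update > self.aging]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def handle_frame(self, src: str, dst: str, vlan: int, in_iface: str, now: float):
        """Return (action, outgoing interface) for one received frame."""
        self.age(now)
        src_e = self.entries.get((src, vlan))
        if src_e is not None and src_e.kind == BLACKHOLE:
            return (DROP, None)
        known = self.learn(src, vlan, in_iface, now)
        if not known and not self.forward_unknown_source:
            return (DROP, None)
        dst_e = self.entries.get((dst, vlan))
        if dst_e is None:
            return (FLOOD, None)                    # no match: flood within the VLAN
        if dst_e.kind == BLACKHOLE:
            return (DROP, None)
        return (FORWARD, dst_e.iface)

def demo() -> List:
    """Constructed scenario (sample MACs, interfaces and times, not from the page)."""
    t = MacTable(aging_seconds=300.0, limits={"GE1": 2}, forward_unknown_source=False)
    t.add_blackhole("E", 1)
    out = []
    out.append(t.handle_frame("A", "B", 1, "GE1", now=0))    # A learned on GE1; B unknown: flood
    out.append(t.handle_frame("B", "A", 1, "GE2", now=1))    # B learned on GE2; A known: forward to GE1
    out.append(t.handle_frame("C", "A", 1, "GE1", now=2))    # C learned; GE1 now holds its limit of 2
    out.append(t.handle_frame("D", "A", 1, "GE1", now=3))    # D not learned; unknown sources are dropped
    out.append(t.handle_frame("E", "A", 1, "GE2", now=4))    # blackhole source: drop
    out.append(t.handle_frame("B", "E", 1, "GE2", now=5))    # blackhole destination: drop
    out.append(t.handle_frame("B", "A", 1, "GE2", now=400))  # A idle for 400 s > 300 s: aged out, flood
    t.add_static("A", 1, "GE3")
    out.append(t.handle_frame("A", "B", 1, "GE1", now=401))  # static A is not overwritten by learning
    out.append(t.entries[("A", 1)].iface)
    return out

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Setting `forward_unknown_source=False` shows why the learning limit matters: once GE1 holds its two dynamic entries, frames from a third source on that interface are dropped rather than flooded, which is the behaviour the last sentence of this section lets you choose.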

STP

Spanning tree protocols perform the following tasks:

·     Prune the loop structure into a loop-free tree structure for a Layer 2 network by selectively blocking ports.

·     Maintain the tree structure for the live network.

Spanning tree protocols include STP, RSTP, PVST, and MSTP.

·     STP—Defined in IEEE 802.1d.

·     RSTP—Defined in IEEE 802.1w. RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP.

·     PVST—PVST allows every VLAN to have its own spanning tree, which increases usage of links and bandwidth. Because each VLAN runs RSTP independently, a spanning tree only serves its VLAN.

·     MSTP—Defined in IEEE 802.1s. MSTP overcomes the limitations of STP and RSTP. It supports rapid network convergence and allows data flows of different VLANs to be forwarded along separate paths. This provides a better load sharing mechanism for redundant links.

Spanning tree modes

The spanning tree modes include the following:

·     STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device of a port supports only STP.

·     RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically transits to the STP mode when it receives STP BPDUs from a peer device. The port does not transit to the MSTP mode when it receives MSTP BPDUs from a peer device.

·     PVST mode—On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs. On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes only in the default VLAN.

·     MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically transits to the STP mode when it receives STP BPDUs from a peer device. The port does not transit to the RSTP mode when it receives RSTP BPDUs from a peer device.

MSTP basic concepts

MSTP divides a switched network into multiple spanning tree regions (MST regions). MSTP maintains multiple independent spanning trees in an MST region, and each spanning tree is mapped to specific VLANs. Such a spanning tree is referred to as a multiple spanning tree instance (MSTI). The common spanning tree (CST) is a single spanning tree that connects all MST regions in the switched network. An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0, a special MSTI to which all VLANs are mapped by default. The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in the switched network. It consists of the ISTs in all MST regions and the CST.

Devices in an MST region have the following characteristics:

·     A spanning tree protocol enabled.

·     Same region name.

·     Same VLAN-to-instance mapping configuration.

·     Same MSTP revision level.

·     Physically linked together.

Port roles

Spanning tree calculation involves the following port roles:

·     Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port.

·     Designated port—Forwards data to the downstream network segment or device.

·     Alternate port—Acts as the backup port for a root port or master port. When the root port or master port is blocked, the alternate port takes over.

·     Backup port—Acts as the backup port of a designated port. When the designated port is invalid, the backup port becomes the new designated port. A loop occurs when two ports of the same spanning tree device are connected, so the device blocks one of the ports. The blocked port acts as the backup.

·     Master port—Acts as a port on the shortest path from the local MST region to the common root bridge. The master port is not always located on the regional root. It is a root port on the IST or CIST and still a master port on the other MSTIs.

STP calculation involves root ports, designated ports, and alternate ports. RSTP calculation involves root ports, designated ports, alternate ports, and backup ports. MSTP calculation involves all port roles.

Port states

RSTP and MSTP define the following port states:

 

State

Description

Forwarding

The port receives and sends BPDUs, and forwards user traffic.

Learning

The port receives and sends BPDUs, but does not forward user traffic. Learning is an intermediate port state.

Discarding

The port receives and sends BPDUs, but does not forward user traffic.

 

STP defines the following port states: Disabled, Blocking, Listening, Learning, and Forwarding. The Disabled, Blocking, and Listening states correspond to the Discarding state in RSTP and MSTP.

Routing table

You can display routing table information, including brief routing table information and route statistics.

Static routing

Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work correctly.

Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually.

A default route is used to forward packets that do not match any specific routing entry in the routing table. You can configure a default IPv4 route with destination address 0.0.0.0/0 and configure a default IPv6 route with destination address ::/0.

IP

IP address classes

IP addressing uses a 32-bit address to identify each host on an IPv4 network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, address 00001010000000010000000100000001 in binary is written as 10.1.1.1.

Each IP address breaks down into the following sections:

·     Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.

·     Host ID—Identifies a host on a network.

IP addresses are divided into five classes. The following table shows IP address classes and ranges. The first three classes are most commonly used.

 

Class

Address range

Remarks

A

0.0.0.0 to 127.255.255.255

The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address.

Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.

B

128.0.0.0 to 191.255.255.255

N/A

C

192.0.0.0 to 223.255.255.255

N/A

D

224.0.0.0 to 239.255.255.255

Multicast addresses.

E

240.0.0.0 to 255.255.255.255

Reserved for future use, except for the broadcast address 255.255.255.255.

 

Subnetting and masking

Subnetting divides a network into smaller networks called subnets by using some bits of the host ID to create a subnet ID.

Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.

Each subnet mask contains 32 bits that correspond to the bits in an IP address. In a subnet mask, consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.

Before being subnetted, Class A, B, and C networks use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.

Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets means accommodating fewer hosts.

For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.

·     Without subnetting—65534 (2^16 – 2) hosts. (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)

·     With subnetting—Using the first nine bits of the host ID for subnetting provides 512 (2^9) subnets. However, only seven bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 (512 × 126) hosts.
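The class table and the subnetting arithmetic above can be checked with a few helper functions. The following is an added example written for this page, not H3C code; it classifies an address by its class bits, builds a mask from a prefix length, and reproduces the Class B example (512 subnets of 126 hosts, 1022 fewer hosts than the unsubnetted network). The network 172.16.0.0 and the host addresses used in the test are constructed sample values.

```python
import ipaddress
from typing import Optional, Tuple

def address_class(addr: str) -> Tuple[str, Optional[int]]:
    """Classify an IPv4 address by its class bits and return (class, natural prefix length)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24        # first octet
    if first >> 7 == 0b0:
        return "A", 8            # 0.0.0.0 to 127.255.255.255 (0.0.0.0 and 127/8 are special cases)
    if first >> 6 == 0b10:
        return "B", 16           # 128.0.0.0 to 191.255.255.255
    if first >> 5 == 0b110:
        return "C", 24           # 192.0.0.0 to 223.255.255.255
    if first >> 4 == 0b1110:
        return "D", None         # multicast: no net ID/host ID split
    return "E", None             # reserved

def mask_from_prefix(prefix_len: int) -> str:
    """Dotted-decimal mask: prefix_len consecutive ones followed by zeros."""
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF))

def split_address(addr: str, prefix_len: int) -> Tuple[int, int]:
    """Return (net ID + subnet ID, host ID) using the mask boundary."""
    a = int(ipaddress.IPv4Address(addr))
    host_bits = 32 - prefix_len
    return a >> host_bits, a & ((1 << host_bits) - 1)

def subnet_plan(network: str, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the host ID of a classful network; count subnets and usable hosts."""
    cls, natural = address_class(network)
    if natural is None:
        raise ValueError("class D and E addresses are not subnetted")
    host_bits = 32 - natural - subnet_bits
    if host_bits < 2:
        raise ValueError("at least two host bits are needed for the network and broadcast addresses")
    subnets = 1 << subnet_bits
    hosts_per_subnet = (1 << host_bits) - 2       # minus the all-zero and all-one host IDs
    return {"class": cls, "mask": mask_from_prefix(natural + subnet_bits), "subnets": subnets,
            "hosts_per_subnet": hosts_per_subnet, "total_hosts": subnets * hosts_per_subnet}

def subnetting_cost(network: str, subnet_bits: int) -> int:
    """Number of host addresses given up by subnetting, as in the page's Class B example."""
    return subnet_plan(network, 0)["total_hosts"] - subnet_plan(network, subnet_bits)["total_hosts"]

if __name__ == "__main__":
    print(subnet_plan("172.16.0.0", 9))                 # constructed Class B network
    print("addresses lost to subnetting:", subnetting_cost("172.16.0.0", 9))
```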

IP address configuration methods

You can use the following methods to enable an interface to obtain an IP address:

·     Manually assign an IP address to the interface.

·     Configure the interface to obtain an IP address through DHCP.

MTU for an interface

When a packet exceeds the MTU of the output interface, the device processes the packet in one of the following ways:

·     If the packet disallows fragmentation, the device discards it.

·     If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU for an interface based on the network environment to avoid fragmentation.

IPv6

IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

IPv6 address formats

An IPv6 address is written as eight 16-bit groups separated by colons (:), with each group represented by four hexadecimal digits, for example, 2001:0000:130F:0000:0000:09C0:876A:130B.

To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the following methods:

·     The leading zeros in each group can be removed. For example, the above address can be represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.

·     If an IPv6 address contains one or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, the above address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.

An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address.

An IPv6 address prefix is written in IPv6-address/prefix-length notation. The prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address are in the address prefix.

IPv6 address types

IPv6 addresses include the following types:

·     Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.

·     Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.

·     Broadcast addresses are replaced by multicast addresses in IPv6.

·     Anycast address—An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the nearest interface among the interfaces identified by that address. The nearest interface is chosen according to the routing protocol's measure of distance.

The type of an IPv6 address is designated by the first several bits, called the format prefix. The following table shows mappings between address types and format prefixes:

 

Type, format prefix (binary), IPv6 prefix ID, and remarks:

Unicast address:

·     Unspecified address—Format prefix 00...0 (128 bits), prefix ID ::/128. It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.

·     Loopback address—Format prefix 00...1 (128 bits), prefix ID ::1/128. It has the same function as the loopback address in IPv4. It cannot be assigned to any physical interface. A node uses this address to send an IPv6 packet to itself.

·     Link-local address—Format prefix 1111111010, prefix ID FE80::/10. Used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.

·     Global unicast address—Other forms, no fixed prefix ID. Equivalent to public IPv4 addresses, global unicast addresses are provided for Internet service providers. This type of address allows for prefix aggregation to restrict the number of global routing entries.

Multicast address—Format prefix 11111111, prefix ID FF00::/8.

Anycast address—Anycast addresses use the unicast address space and have the same structure as unicast addresses, so they have no format prefix or prefix ID of their own.

 

EUI-64 address-based interface identifiers

An interface identifier is 64 bits long and uniquely identifies an interface on a link. Interfaces generate EUI-64 address-based interface identifiers differently.

·     On an IEEE 802 interface (such as an Ethernet interface and a VLAN interface)—The interface identifier is derived from the link-layer address (typically a MAC address) of the interface. The MAC address is 48 bits long.

To obtain an EUI-64 address-based interface identifier, follow these steps:

a.     Insert the 16-bit binary number 1111111111111110 (hexadecimal value of FFFE) behind the 24th high-order bit of the MAC address.

b.     Invert the universal/local (U/L) bit (the seventh high-order bit). This operation makes the interface identifier have the same local or global significance as the MAC address.

·     On a tunnel interface—The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros.

·     On an interface of another type (such as a serial interface)—The EUI-64 address-based interface identifier is generated randomly by the device.

IPv6 global unicast address configuration methods

Use one of the following methods to configure an IPv6 global unicast address for an interface:

·     EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface identifier is generated automatically by the interface.

·     Manual configuration—The IPv6 global unicast address is manually configured.

·     Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically according to the address prefix information contained in the RA message and the EUI-64 address-based interface identifier.

·     Stateful address autoconfiguration—Enables a host to acquire an IPv6 address from a DHCPv6 server.

You can configure multiple IPv6 global unicast addresses on an interface.

IPv6 link-local address configuration methods

Configure IPv6 link-local addresses by using one of the following methods for an interface:

·     Automatic generation—The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the EUI-64 address-based interface identifier.

·     Manual assignment—An IPv6 link-local address is manually configured.

An interface can have only one link-local address. As a best practice to avoid link-local address conflicts, use the automatic generation method. If both methods are used, manual assignment takes precedence over automatic generation.

·     If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.

·     If you first use manual assignment and then automatic generation, both of the following occur:

¡     The link-local address is still the manually assigned one.

¡     The automatically generated link-local address does not take effect. If you delete the manually assigned address, the automatically generated link-local address takes effect.

NAT

Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server.

Dynamic NAT

Dynamic NAT uses an address pool to translate addresses. It applies to the scenario where a large number of internal users access the external network.

NO-PAT

Not Port Address Translation (NO-PAT) translates a private IP address to a public IP address through a one-to-one address mapping, without translating ports. The public IP address cannot be used by another internal host until it is released.

NO-PAT supports all IP packets and creates a NO-PAT entry for each IP address mapping.

PAT

Port Address Translation (PAT) translates multiple private IP addresses to a single public IP address by mapping the private IP addresses and source ports to the public IP address and a unique port.

PAT supports only TCP and UDP packets, and ICMP request packets.

Static NAT

Static NAT creates a fixed mapping between a private address and a public address. It supports connections initiated from internal users to the external network and from external users to the internal network. Static NAT applies to regular communications.

Advanced settings

NAT address group

A NAT address group is a set of address ranges. Dynamic NAT uses a NAT address group to translate a large group of private IP addresses.

PAT mappings

PAT supports the following mappings:

·     Endpoint-Independent Mapping (EIM)—Uses the same IP and port mapping (EIM entry) for packets from the same source IP and port to any destinations. EIM allows external hosts to initiate connections to the translated IP addresses and ports of internal hosts. It allows internal hosts behind different NAT gateways to access each other.

·     Address and Port-Dependent Mapping (APDM)—Uses different IP and port mappings for packets from the same source IP and port to different destination IP addresses and ports. APDM allows an external host to initiate connections to an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.
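A toy model of the EIM and APDM behaviours described above, added here as an example (not code from the H3C guide): one public IP address, ports allocated sequentially, and an inbound check that shows which external hosts can reach a translated port under each mapping. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class PatGateway:
    """Toy PAT gateway with one public IP and either EIM or APDM mapping behaviour.

    EIM:  the mapping key is the internal (IP, port) only, so one public port serves
          every destination and any external host may send to that public port.
    APDM: the mapping key also includes the external (IP, port), so each destination
          gets its own public port and only that destination may send back to it.
    """

    def __init__(self, public_ip: str, mode: str, first_port: int = 1024) -> None:
        if mode not in ("EIM", "APDM"):
            raise ValueError("mode must be EIM or APDM")
        self.public_ip = public_ip
        self.mode = mode
        self.next_port = first_port
        self.mappings: Dict[Tuple[Endpoint, ...], Endpoint] = {}  # key -> public endpoint

    def _key(self, internal: Endpoint, external: Endpoint) -> Tuple[Endpoint, ...]:
        return (internal,) if self.mode == "EIM" else (internal, external)

    def outbound(self, internal: Endpoint, external: Endpoint) -> Endpoint:
        """Translate an internal->external packet, allocating a mapping on first use."""
        key = self._key(internal, external)
        if key not in self.mappings:
            self.mappings[key] = Endpoint(self.public_ip, self.next_port)
            self.next_port += 1
        return self.mappings[key]

    def inbound(self, external: Endpoint, public: Endpoint) -> Optional[Endpoint]:
        """Internal endpoint an external->public packet is delivered to, or None if dropped."""
        for key, mapped in self.mappings.items():
            if mapped != public:
                continue
            if self.mode == "EIM" or key[1] == external:
                return key[0]
        return None


if __name__ == "__main__":
    host = Endpoint("10.1.1.2", 5000)
    server_a, stranger = Endpoint("203.0.113.10", 53), Endpoint("203.0.113.99", 4444)
    for mode in ("EIM", "APDM"):
        gw = PatGateway("198.51.100.1", mode)
        public = gw.outbound(host, server_a)
        print(mode, "stranger reaches host:", gw.inbound(stranger, public) is not None)
```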

NAT ALG

NAT Application Level Gateway (ALG) translates address or port information in the application layer payloads to ensure connection establishment.

NAT logging

NAT session logging records NAT session information, including translation information, access information, and flow information.

A NAT device generates NAT session logs for the following events:

·     NAT session establishment.

·     NAT session removal. This event occurs when you add a configuration with a higher priority, remove a configuration, or change ACLs, when a NAT session ages out, or when you manually delete a NAT session.

·     Active NAT session logging.

Restrictions and guidelines

When you configure NAT, follow these restrictions and guidelines:

·     Do not configure inbound static NAT alone. Typically, inbound static NAT functions with outbound dynamic NAT or outbound static NAT to implement bidirectional NAT.

·     The following shows the priorities of different NAT features in descending order:

¡     Static NAT.

¡     Dynamic NAT.

·     The address ranges in a NAT address group cannot overlap with each other.

DHCP

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.

A typical DHCP application scenario has a DHCP server and multiple DHCP clients deployed on the same subnet. DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.

DHCP server

The DHCP server is well suited to networks where:

·     Manual configuration and centralized management are difficult to implement.

·     IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically.

·     Most hosts do not need fixed IP addresses.

The DHCP server selects IP addresses and other parameters from an address pool and assigns them to DHCP clients. A DHCP address pool contains the following items:

·     Assignable IP addresses.

·     Lease duration.

·     Gateway addresses.

·     Domain name suffix.

·     DNS server addresses.

·     WINS server addresses.

·     NetBIOS node type.

·     DHCP options.

Before assigning an IP address, the DHCP server performs IP address conflict detection to verify that the IP address is not in use.

DHCP address pool

The DHCP server supports the following address assignment mechanisms:

·     Static address allocation—Manually bind the MAC address or ID of a client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.

·     Dynamic address allocation—Specify IP address ranges in a DHCP address pool. Upon receiving a DHCP request, the DHCP server dynamically selects an IP address from the matching IP address range in the address pool.

You can specify the lease duration for IP addresses in the DHCP address pool.

The DHCP server observes the following principles to select an address pool for a client:

·     If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.

·     If no static address pool is configured, the DHCP server selects an address pool depending on the client location.

¡     Client on the same subnet as the server—The DHCP server compares the IP address of the receiving interface with the subnets of all address pools. If a match is found, the server selects the address pool with the longest-matching subnet.

¡     Client on a different subnet than the server—The DHCP server compares the IP address in the giaddr field of the DHCP request with the subnets of all address pools. If a match is found, the server selects the address pool with the longest-matching subnet.

IP address allocation sequence

The DHCP server selects an IP address for a client in the following sequence:

1.     IP address statically bound to the client's MAC address or ID.

2.     IP address that was ever assigned to the client.

3.     IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client. Option 50 is the Requested IP Address option. The client uses this option to specify the wanted IP address in a DHCP-DISCOVER message. The content of Option 50 is user defined.

4.     First assignable IP address found in the way of selecting an address pool.

5.     IP address that was detected as conflicting or whose lease has expired. If no IP address is assignable, the server does not respond.

DHCP options

DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients.

You can customize options for the following purposes:

·     Add newly released DHCP options.

·     Add options for which the vendor defines the contents, for example, Option 43. DHCP servers and clients can use vendor-specific options to exchange vendor-specific configuration information.

·     Add options for which the Web interface does not provide a dedicated configuration page. For example, you can use Option 4 to specify the time server address 1.1.1.1 for DHCP clients.

·     Add all option values if the actual requirement exceeds the limit for a dedicated option configuration page. For example, on the DNS server configuration page, you can specify up to eight DNS servers. To specify more than eight DNS servers, you can use Option 6 to specify all DNS servers.

The following table shows the most commonly used DHCP options.

Option number | Option name                     | Recommended padding format
3             | Router                          | IP address
6             | Domain Name Server              | IP address
15            | Domain Name                     | ASCII string
44            | NetBIOS over TCP/IP Name Server | IP address
46            | NetBIOS over TCP/IP Node Type   | Hexadecimal string
66            | TFTP server name                | ASCII string
67            | Bootfile name                   | ASCII string
43            | Vendor Specific Information     | Hexadecimal string
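An encoder and decoder for the option formats in the table above, added here as an example (not code from the H3C guide): each value is padded according to its recommended format and wrapped in the code/length/data layout DHCP uses for options. Option 4 (time server) and Option 50 (requested IP address), both named in this section, are assumed to use the IP address format; the sample values are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Padding format per option, from the table above, plus the options this section
# mentions in prose (4 Time Server and 50 Requested IP Address carry IP addresses).
PADDING_FORMAT = {
    3: "ip", 4: "ip", 6: "ip", 15: "ascii", 43: "hex", 44: "ip",
    46: "hex", 50: "ip", 66: "ascii", 67: "ascii",
}
OPTION_PAD, OPTION_END = 0, 255


def encode_option(code: int, value) -> bytes:
    """Encode one option as code, length, data; value type follows PADDING_FORMAT."""
    fmt = PADDING_FORMAT[code]
    if fmt == "ip":
        addrs = value if isinstance(value, (list, tuple)) else [value]
        data = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    elif fmt == "ascii":
        data = value.encode("ascii")
    else:  # hexadecimal string, e.g. Option 43 vendor payload or Option 46 node type
        data = bytes.fromhex(value)
    if not 1 <= len(data) <= 255:
        raise ValueError("option %d data must be 1-255 bytes" % code)
    return bytes([code, len(data)]) + data


def encode_options(options: Iterable[Tuple[int, object]]) -> bytes:
    """Concatenate options and terminate the list with the end option (255)."""
    return b"".join(encode_option(c, v) for c, v in options) + bytes([OPTION_END])


def decode_options(blob: bytes) -> Dict[int, object]:
    """Decode an options blob back into values, bounds-checking every length byte."""
    result: Dict[int, object] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            return result
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        fmt = PADDING_FORMAT.get(code, "hex")  # unknown options are kept as hex
        if fmt == "ip":
            if length % 4:
                raise ValueError("option %d length %d is not a multiple of 4" % (code, length))
            result[code] = [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length, 4)]
        elif fmt == "ascii":
            result[code] = data.decode("ascii")
        else:
            result[code] = data.hex()
        i += 2 + length
    raise ValueError("options blob has no end option")
```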

IP address conflict detection

Before assigning an IP address, the DHCP server pings the IP address.

·     If the server receives a response within the specified period, it selects and pings another IP address.

·     If it receives no response, the server continues to ping the IP address until a specific number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client.

DHCP relay agent

The DHCP relay agent enables clients to obtain IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server on each subnet, which centralizes management and reduces cost.

DHCP relay entry recording

This function enables the DHCP relay agent to automatically record clients' IP-to-MAC bindings (relay entries) after they obtain IP addresses through DHCP.

Some security functions use the relay entries to check incoming packets and block packets that do not match any entry. In this way, illegal hosts are not able to access external networks through the relay agent. Examples of the security functions are ARP address check and authorized ARP.

Periodic refreshing of dynamic DHCP relay entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.

With this feature, the DHCP relay agent uses the following information to periodically send a DHCP-REQUEST message to the DHCP server:

·     The IP address of a relay entry.

·     The MAC address of the DHCP relay interface.

The relay agent maintains the relay entries depending on what it receives from the DHCP server:

·     If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address.

·     If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.

DNS

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. IPv4 DNS translates domain names into IPv4 addresses. IPv6 DNS translates domain names into IPv6 addresses. The domain name-to-IP address mapping is called a DNS entry.

Dynamic domain name resolution

To use dynamic domain name resolution, you must specify a DNS server address for a device. The device sends DNS queries to the DNS server for domain name resolution.

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name. For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.

The name resolver handles the queries based on the domain names that the user enters.

·     If the user enters a domain name without a dot (.) (for example, aabbcc), the resolver determines that the domain name is a host name. It adds a DNS suffix to the host name before performing the query operation. If no match is found for any host name and suffix combination, the resolver uses the user-entered domain name (for example, aabbcc) for the IP address query.

·     If the user enters a domain name with a dot (.) among the letters (for example, www.aabbcc), the resolver directly uses this domain name for the query operation. If the query fails, the resolver adds a DNS suffix for another query operation.

·     If the user enters a domain name with a dot (.) at the end (for example, aabbcc.com.), the resolver determines that the domain name is an FQDN and returns a successful or failed query result. The dot at the end of the domain name is determined as a terminating symbol.

Static domain name resolution

Static domain name resolution means manually creating mappings between domain names and IP addresses. For example, you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain name.

After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.
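The lookup order described in this section and the previous one (static table first, then the three suffix rules of dynamic resolution), written out in Python as an added example that is not code from the H3C guide. The static table is assumed to be matched on the name exactly as entered; FAKE_ZONE and fake_dns_lookup are a constructed stand-in for a real DNS server.

```python
from typing import Callable, Dict, List, Optional, Tuple


def query_candidates(name: str, suffixes: List[str]) -> List[str]:
    """Order in which the resolver tries names, following the three rules above."""
    if name.endswith("."):
        # Trailing dot: FQDN, queried as-is; no suffix is ever appended.
        return [name]
    with_suffixes = ["%s.%s" % (name, s) for s in suffixes]
    if "." not in name:
        # Host name: each suffix first, the bare name last.
        return with_suffixes + [name]
    # Dot inside the name: the name itself first, suffixes only on failure.
    return [name] + with_suffixes


def resolve(name: str, static_table: Dict[str, str], suffixes: List[str],
            dns_lookup: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Static table first, then dynamic resolution; returns (name tried, IP) or None."""
    ip = static_table.get(name)
    if ip is not None:
        return name, ip
    for candidate in query_candidates(name, suffixes):
        ip = dns_lookup(candidate)
        if ip is not None:
            return candidate, ip
    return None


# Constructed stand-in for a DNS server's data; a real resolver sends queries to the
# configured DNS server address instead.
FAKE_ZONE = {"aabbcc.com": "192.0.2.10", "www.aabbcc.com": "192.0.2.11"}


def fake_dns_lookup(qname: str) -> Optional[str]:
    return FAKE_ZONE.get(qname.rstrip("."))


if __name__ == "__main__":
    for entered in ("aabbcc", "www.aabbcc", "aabbcc.com.", "nosuch"):
        print(entered, "->", query_candidates(entered, ["com"]),
              resolve(entered, {}, ["com"], fake_dns_lookup))
```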

DNS proxy

The DNS proxy performs the following tasks:

·     Forwards the request from the DNS client to the designated DNS server.

·     Conveys the reply from the DNS server to the client.

The DNS proxy simplifies network management. When the DNS server address is changed, you can change the configuration on only the DNS proxy instead of on each DNS client.

IGMP snooping

Internet Group Management Protocol snooping (IGMP snooping) runs on a Layer 2 device as a multicast constraining mechanism. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the Layer 3 device.

The Layer 2 device forwards multicast data based on Layer 2 multicast forwarding entries. A Layer 2 multicast forwarding entry contains the VLAN, multicast group address, multicast source address, and host ports. A host port is a multicast receiver-side port on the Layer 2 multicast device.

MLD snooping

Multicast Listener Discovery snooping (MLD snooping) runs on a Layer 2 device as an IPv6 multicast constraining mechanism. It creates Layer 2 IPv6 multicast forwarding entries from MLD packets that are exchanged between the hosts and the Layer 3 device.

The Layer 2 device forwards multicast data based on Layer 2 IPv6 multicast forwarding entries. A Layer 2 IPv6 multicast forwarding entry contains the VLAN, IPv6 multicast group address, IPv6 multicast source address, and host ports. A host port is a multicast receiver-side port on the Layer 2 multicast device.

ARP

Address Resolution Protocol (ARP) resolves IP addresses into MAC addresses on Ethernet networks.

Types of ARP table entries

An ARP table stores dynamic and static ARP entries.

Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or when the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.

Dynamic ARP entries can be converted to static ARP entries. These static ARP entries cannot be converted back to dynamic entries.

To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn.

Static ARP entry

A static ARP entry is manually configured or converted from a dynamic ARP entry. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a static ARP entry on the device.

To communicate with a host by using a fixed IP-to-MAC mapping through an interface in a VLAN, you must specify the VLAN and the output interface in the ARP entry. Make sure the IP address is on the same subnet as the IP address of the VLAN interface.

Proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain.

Proxy ARP includes common proxy ARP and local proxy ARP.

·     Common proxy ARP—Allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

·     Local proxy ARP—Allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

You can specify an IP address range for which local proxy ARP is enabled.

Gratuitous ARP

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:

·     Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.

·     Inform other devices of a MAC address change.

IP conflict detection

When an interface obtains an IP address, the device broadcasts gratuitous ARP packets in the LAN where the interface resides. If the device receives an ARP reply, its IP address conflicts with the IP address of another device in the LAN. The device displays a log message about the conflict and informs the administrator to change the IP address. The device will not use the conflicting IP address. If no ARP reply is received, the device uses the IP address.

Gratuitous ARP packet learning

This function enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.

When this function is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Periodic sending of gratuitous ARP packets

Enabling periodic sending of gratuitous ARP packets helps downstream devices update ARP entries or MAC entries in a timely manner.

This feature can implement the following functions:

·     Prevent gateway spoofing.

Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network. The traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.

To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets at intervals. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so hosts can learn correct gateway information.

·     Prevent ARP entries from aging out.

If network traffic is heavy or if the host CPU usage is high, received ARP packets can be discarded or are not promptly processed. Eventually, the dynamic ARP entries on the receiving host age out. The traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.

To resolve this issue, you can enable the gateway to send gratuitous ARP packets periodically. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so the receiving hosts can update ARP entries in a timely manner.

ARP attack protection

ARP attacks and viruses are threatening LAN security. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. Multiple features are used to detect and prevent ARP attacks.

·     The gateway supports the following features:

¡     Unresolvable IP attack protection

¡     ARP packet source MAC consistency check

¡     ARP active acknowledgement

¡     Source MAC-based ARP attack detection

¡     Authorized ARP

¡     ARP scanning and fixed ARP

·     The access device supports the following features:

¡     ARP packet rate limit

¡     ARP gateway protection

¡     ARP filtering

¡     ARP detection

Unresolvable IP attack protection

If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:

·     The device sends a large number of ARP requests, overloading the target subnets.

·     The device keeps trying to resolve the destination IP addresses, overloading its CPU.

To protect the device from such IP attacks, you can configure the following features:

·     ARP source suppression—Stops resolving packets from an IP address if the number of unresolvable IP packets from the IP address exceeds the upper limit within 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.

·     ARP blackhole routing—Creates a blackhole route destined for an unresolvable IP address. The device drops all matching packets until the blackhole route ages out. This feature is applicable regardless of whether the attack packets have the same source addresses.

ARP packet source MAC consistency check

This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.

ARP active acknowledgement

Configure this feature on gateways to prevent user spoofing.

ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.

In strict mode, a gateway performs stricter validity checks before creating an ARP entry:

·     Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but does not create an ARP entry.

·     Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP address:

¡     If yes, the gateway performs active acknowledgement. When the ARP reply is verified as valid, the gateway creates an ARP entry.

¡     If not, the gateway discards the packet.

Source MAC-based ARP attack detection

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods:

·     Monitor—Only generates log messages.

·     Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.

You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.

Authorized ARP

Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent.

With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This feature prevents user spoofing and allows only authorized clients to access network resources.

ARP scanning and fixed ARP

ARP scanning is typically used together with the fixed ARP feature in small-scale and stable networks.

ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning by using the following steps:

1.     Sends ARP requests for each IP address in the address range.

2.     Obtains their MAC addresses through received ARP replies.

3.     Creates dynamic ARP entries.

Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. This feature prevents ARP entries from being modified by attackers.

ARP packet rate limit

The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. A device with ARP detection enabled sends all received ARP packets to the CPU for inspection. Processing excessive ARP packets can make the device malfunction or even crash. To resolve this issue, configure ARP packet rate limit.

Configure this feature when ARP detection is enabled or when ARP flood attacks are detected.

If logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules.

ARP gateway protection

Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.

When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet correctly.

ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.

An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.

ARP detection

ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection does not check ARP packets received from ARP trusted ports.

ARP detection provides the following functions:

·     User validity check

If you only enable ARP detection for a VLAN, ARP detection provides only the user validity check.

Upon receiving an ARP packet from an ARP untrusted interface, the device matches the sender IP and MAC addresses with valid entries including static IP source guard binding entries.

If a match is found, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.

·     ARP packet validity check

Enable validity check for ARP packets received on untrusted ports and specify the following objects to be checked:

¡     Sender MAC—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.

¡     Target MAC—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

¡     IP—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.

·     ARP restricted forwarding

ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows:

¡     If the packets are ARP requests, they are forwarded through the trusted interface.

¡     If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.
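The user validity check and the three ARP packet validity checks above, applied to raw Ethernet frames in Python as an added example (not code from the H3C guide). The frames, MAC addresses and the binding table are constructed test data; build_arp_frame exists only to produce them.

```python
import ipaddress
import struct
from typing import Dict, List

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BROADCAST_MAC = bytes(6), b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    """Split an Ethernet II frame carrying IPv4-over-Ethernet ARP into its fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


def _invalid_ip(packed: bytes) -> bool:
    # All-one (limited broadcast) and multicast addresses are never a real sender or target.
    return packed == b"\xff\xff\xff\xff" or ipaddress.IPv4Address(packed).is_multicast


def arp_packet_validity_check(pkt: Dict[str, object]) -> List[str]:
    """Reasons the packet fails the sender MAC, target MAC and IP checks (empty = valid)."""
    reasons = []
    if pkt["sha"] != pkt["eth_src"]:
        reasons.append("sender MAC differs from Ethernet source MAC")
    if pkt["op"] == ARP_REPLY:
        # Target MAC is only meaningful in replies; requests legitimately carry zeros.
        tha = pkt["tha"]
        if tha in (ZERO_MAC, BROADCAST_MAC) or tha != pkt["eth_dst"]:
            reasons.append("target MAC of reply is all-zero, all-one or differs from Ethernet destination")
        if _invalid_ip(pkt["tpa"]):
            reasons.append("target IP of reply is all-one or multicast")
    if _invalid_ip(pkt["spa"]):
        reasons.append("sender IP is all-one or multicast")
    return reasons


def user_validity_check(pkt: Dict[str, object], bindings: Dict[str, bytes]) -> bool:
    """Sender IP/MAC pair must match a valid entry, such as a static IP source guard binding."""
    return bindings.get(str(ipaddress.IPv4Address(pkt["spa"]))) == pkt["sha"]


def build_arp_frame(eth_dst: bytes, eth_src: bytes, op: int, sha: bytes, spa: str,
                    tha: bytes, tpa: str) -> bytes:
    """Assemble a constructed test frame (without padding to the 60-byte minimum)."""
    return (eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)


if __name__ == "__main__":
    host_mac, gw_mac = mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:ee")
    reply = build_arp_frame(gw_mac, host_mac, ARP_REPLY, host_mac, "10.0.0.20", gw_mac, "10.0.0.1")
    pkt = parse_arp_frame(reply)
    print("validity:", arp_packet_validity_check(pkt) or "ok")
    print("bound:", user_validity_check(pkt, {"10.0.0.20": host_mac}))
```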

ND

The IPv6 Neighbor Discovery (ND) protocol uses ICMPv6 messages to provide the following functions:

·     Address resolution.

·     Neighbor reachability detection.

·     DAD.

·     Router/prefix discovery.

·     Stateless address autoconfiguration.

·     Redirection.

Table 1 describes the ICMPv6 messages used by ND.

Table 1 ICMPv6 messages used by ND

ICMPv6 message              | Type | Function
Neighbor Solicitation (NS)  | 135  | Acquires the link-layer address of a neighbor. Verifies whether a neighbor is reachable. Detects duplicate addresses.
Neighbor Advertisement (NA) | 136  | Responds to an NS message. Notifies the neighboring nodes of link layer changes.
Router Solicitation (RS)    | 133  | Requests an address prefix and other configuration information for autoconfiguration after startup.
Router Advertisement (RA)   | 134  | Responds to an RS message. Advertises information, such as the Prefix Information options and flag bits.
Redirect                    | 137  | Informs the source host of a better next hop on the path to a particular destination when certain conditions are met.

Neighbor entries

A neighbor entry stores information about a neighboring node on the link. Neighbor entries can be dynamically configured through NS and NA messages or manually configured.

You can configure a static neighbor entry by using one of the following methods:

·     Method 1—Associate a neighbor's IPv6 address and link-layer address with the local Layer 3 interface.

If you use Method 1, the device automatically finds the Layer 2 port connected to the neighbor.

·     Method 2—Associate a neighbor's IPv6 address and link-layer address with a Layer 2 port in a VLAN.

If you use Method 2, make sure the corresponding VLAN interface exists and the Layer 2 port belongs to the VLAN.

RA messages

An RA message is advertised by a router to all hosts on the same link. The RA message contains the address prefix and other configuration information for the hosts to generate IPv6 addresses through stateless address autoconfiguration.

You can enable an interface to send RA messages, specify the maximum and minimum sending intervals and configure parameters in RA messages. The device sends RA messages at random intervals between the maximum and minimum intervals. The minimum interval must be less than or equal to 0.75 times the maximum interval.

Table 2 describes the configurable parameters in an RA message.

Table 2 Parameters in an RA message and their descriptions

Parameter | Description
IPv6 prefix/prefix length | The IPv6 prefix/prefix length for a host to generate an IPv6 global unicast address through stateless autoconfiguration.
Valid lifetime | Specifies the valid lifetime of a prefix. The generated IPv6 address is valid within the valid lifetime and becomes invalid when the valid lifetime expires.
Preferred lifetime | Specifies the preferred lifetime of a prefix used for stateless autoconfiguration. After the preferred lifetime expires, the node cannot use the generated IPv6 address to establish new connections, but can still receive packets destined for the IPv6 address. The preferred lifetime cannot be greater than the valid lifetime.
No-autoconfig flag | Notifies the hosts not to use the address prefix for stateless autoconfiguration.
Off-link flag | Specifies that addresses with the prefix are indirectly reachable on the link.
MTU | Guarantees that all nodes on the link use the same MTU.
Unlimited hops flag | Specifies unlimited hops in RA messages.
M flag | Determines whether a host uses stateful autoconfiguration to obtain an IPv6 address. If the M flag is set, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain an IPv6 address. If the flag is not set, the host uses stateless autoconfiguration to generate an IPv6 address from its link-layer address and the prefix information in the RA message.
O flag | Determines whether a host uses stateful autoconfiguration to obtain configuration information other than the IPv6 address. If the O flag is set, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than the IPv6 address. If the flag is not set, the host uses stateless autoconfiguration.
Router Lifetime | Advertises the lifetime of the advertising router. If the lifetime is 0, the router cannot be used as the default gateway.
Retrans Timer | Specifies the interval at which the device retransmits an NS message when it receives no response to the previous NS message within the retransmission time.
Router Preference | Specifies the router preference in an RA message. A host selects a router as the default gateway according to the router preference. If router preferences are the same, the host selects the router from which the first RA message is received.
Reachable Time | Specifies the period for which a neighbor is considered reachable after the device detects that the neighbor is reachable. If the device needs to send a packet to the neighbor after the reachable period, the device reconfirms whether the neighbor is reachable.
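To show how the parameters in Table 2 map onto the wire, here is an added example (not code from the configuration guide or from H3C) that builds and decodes an ICMPv6 Router Advertisement as defined in RFC 4861, including the M/O flags, Router Lifetime, Reachable Time, Retrans Timer, a Prefix Information option with the on-link and autoconfig flags and both lifetimes, and an MTU option. It also enforces the two constraints stated above: the preferred lifetime may not exceed the valid lifetime, and the minimum RA interval may not exceed 0.75 times the maximum. Modelling the unlimited hops flag as Cur Hop Limit 0 (the RFC's "unspecified" value), the prefix 2001:db8:1::/64 and the lifetime values are assumptions; the ICMPv6 checksum is left at zero because it needs the IPv6 pseudo-header, which the sending stack supplies.

```python
"""Build and decode an ICMPv6 Router Advertisement (RFC 4861).
Added example, not H3C code; the checksum field is left zero."""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type for Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (32 bytes)
OPT_MTU = 5              # MTU option (8 bytes)


def check_ra_intervals(min_interval, max_interval):
    """Minimum RA sending interval must be <= 0.75 x the maximum interval."""
    return 0 < min_interval <= 0.75 * max_interval


def lifetimes_valid(valid_lifetime, preferred_lifetime):
    """The preferred lifetime cannot be greater than the valid lifetime."""
    return 0 <= preferred_lifetime <= valid_lifetime


def build_ra(*, hop_limit=64, unlimited_hops=False, m_flag=False, o_flag=False,
             router_lifetime=1800, reachable_time=0, retrans_timer=0,
             prefix="2001:db8:1::/64", valid_lifetime=2592000,
             preferred_lifetime=604800, on_link=True, autoconfig=True, mtu=None):
    if not lifetimes_valid(valid_lifetime, preferred_lifetime):
        raise ValueError("preferred lifetime cannot exceed valid lifetime")
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if m_flag else 0) | (0x40 if o_flag else 0)
    # Assumption: "unlimited hops" is carried as Cur Hop Limit 0 (unspecified).
    cur_hop_limit = 0 if unlimited_hops else hop_limit
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, cur_hop_limit, flags,
                         router_lifetime, reachable_time, retrans_timer)
    # Prefix Information: L (on-link) = 0x80, A (autonomous autoconfig) = 0x40.
    # Clearing A is the no-autoconfig flag; clearing L is the off-link flag.
    pflags = (0x80 if on_link else 0) | (0x40 if autoconfig else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      valid_lifetime, preferred_lifetime, 0)
    msg = header + pio + net.network_address.packed
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return msg


def parse_ra(msg):
    """Decode an RA into the Table 2 parameters, rejecting malformed options."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flags, rl, reach, retrans = struct.unpack("!BBHBBHII", msg[:16])
    ra = {"hop_limit": hop, "unlimited_hops": hop == 0,
          "m_flag": bool(flags & 0x80), "o_flag": bool(flags & 0x40),
          "router_lifetime": rl, "usable_as_default_gateway": rl > 0,
          "reachable_time": reach, "retrans_timer": retrans,
          "prefixes": [], "mtu": None}
    off = 16
    while off < len(msg):
        if len(msg) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = msg[off], msg[off + 1] * 8
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the RA
        body = msg[off:off + olen]
        if len(body) != olen:
            raise ValueError("truncated option body")
        if otype == OPT_PREFIX_INFO:
            _, _, plen, pflags, valid, pref, _ = struct.unpack("!BBBBIII", body[:16])
            addr = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({"prefix": f"{addr}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "autoconfig": bool(pflags & 0x40),
                                   "valid_lifetime": valid,
                                   "preferred_lifetime": pref})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!BBHI", body)[3]
        off += olen
    return ra


if __name__ == "__main__":
    print(parse_ra(build_ra(m_flag=True, o_flag=True, mtu=1500)))
```

Decoding received RAs this way is also how a monitoring host can verify that the advertised flags and lifetimes match the intended configuration, and a Router Lifetime of 0 decodes to "not usable as default gateway" exactly as the table describes.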


ND proxy

ND proxy enables a device to answer an NS message requesting the hardware address of a host on another network. With ND proxy, hosts in different broadcast domains can communicate with each other as they would on the same network.

ND proxy includes common ND proxy and local ND proxy.

Common ND proxy

As shown in Figure 4, Interface A with IPv6 address 4:1::96/64 and Interface B with IPv6 address 4:2::99/64 belong to different subnets. Host A and Host B reside on the same network but in different broadcast domains.

Figure 4 Application environment of common ND proxy


Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they belong to different broadcast domains.

To solve this problem, enable common ND proxy on Interface A and Interface B of the Device. The Device replies to the NS message from Host A, and forwards packets from other hosts to Host B.

Local ND proxy

As shown in Figure 5, Host A belongs to VLAN 2 and Host B belongs to VLAN 3. Host A and Host B connect to Interface A and Interface C, respectively.

Figure 5 Application environment of local ND proxy


Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they are in different VLANs.

To solve this problem, enable local ND proxy on Interface B of the router so that the router can forward messages between Host A and Host B.

HTTP/HTTPS

The device provides a built-in Web server. After you enable the Web server on the device, users can log in to the Web interface to manage and monitor the device.

The device's built-in Web server supports both Hypertext Transfer Protocol (HTTP) (version 1) and Hypertext Transfer Protocol Secure (HTTPS). HTTPS is more secure than HTTP for the following reasons:

·     HTTPS uses SSL to ensure the integrity and security of data exchanged between the client and the server.

·     HTTPS allows you to define a certificate attribute-based access control policy to allow only legal clients to access the Web interface.

You can also specify a basic ACL for HTTP or HTTPS to prevent unauthorized Web access.

·     If you do not specify an ACL for HTTP or HTTPS, or the specified ACL does not exist or does not have rules, the device permits all HTTP or HTTPS logins.

·     If the specified ACL has rules, only users permitted by the ACL can log in to the Web interface through HTTP or HTTPS.

Telnet

The device can act as a Telnet server to allow Telnet login. After you configure Telnet service on the device, users can remotely log in to the device to manage and monitor the device.

To prevent unauthorized Telnet logins, you can use ACLs to filter Telnet logins.

·     If you do not specify an ACL for Telnet service, or the specified ACL does not exist or does not have rules, the device permits all Telnet logins.

·     If the specified ACL has rules, only users permitted by the ACL can Telnet to the device.

SSH

Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network.

SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.

The device can act as an SSH server and provide the following services for SSH clients:

·     Secure Telnet—Stelnet provides secure and reliable network terminal access services.

·     Secure FTP—SFTP uses SSH connections to provide secure file transfer based on SSH2.

·     Secure Copy—SCP offers a secure method to copy files based on SSH2.

SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 provides better performance and security than SSH1.

When the device acts as an SSH server, it supports using local password authentication to examine the validity of the username and password of an SSH client. After the SSH client passes the authentication, the two parties establish a session for data exchange.

NTP

Before you run the device on a live network, synchronize it with a trusted time source by using the Network Time Protocol (NTP) or by setting the system time manually.

NTP uses stratum to define the accuracy of each server. The value is in the range of 1 to 15. A smaller value represents a higher accuracy.

If the devices in a network cannot synchronize to an authoritative time source, you can perform the following tasks:

·     Select a device that has a relatively accurate clock from the network.

·     Use the local clock of the device as the reference clock to synchronize other devices in the network.

You can configure the local clock as a reference clock in the Web interface.

LLDP

The Link Layer Discovery Protocol (LLDP) operates on the data link layer to exchange device information between directly connected devices. With LLDP, a device sends local device information as TLV (type, length, and value) triplets in LLDP Data Units (LLDPDUs) to the directly connected devices. Local device information includes its system capabilities, management IP address, device ID, port ID, and so on. The device stores the device information in LLDPDUs from the LLDP neighbors in a standard MIB. LLDP enables a network management system to quickly detect and identify Layer 2 network topology changes.

LLDP agent

An LLDP agent is a mapping of an entity where LLDP runs. Multiple LLDP agents can run on the same interface.

LLDP agents are divided into the following types:

·     Nearest bridge agent.

·     Nearest customer bridge agent.

·     Nearest non-TPMR bridge agent.

LLDP exchanges packets between neighbor agents and creates and maintains neighbor information for them.

Transmitting LLDP frames

An LLDP agent operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent LLDP frames from overwhelming the network during times of frequent changes to local device information, LLDP uses the token bucket mechanism to rate limit LLDP frames.

LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following cases:

·     A new LLDP frame is received and carries device information new to the local device.

·     The LLDP operating mode of the LLDP agent changes from Disable or Rx to TxRx or Tx.

The fast LLDP frame transmission mechanism successively sends the specified number of LLDP frames at a configurable fast LLDP frame transmission interval. The mechanism helps LLDP neighbors discover the local device as soon as possible. Then, the normal LLDP frame transmission interval resumes.

Receiving LLDP frames

An LLDP agent operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every received LLDP frame. If the TLVs are valid, the LLDP agent saves the information and starts an aging timer. When the TTL value in the Time To Live TLV carried in the LLDP frame becomes zero, the information ages out immediately.

By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs. The TTL is expressed by using the following formula:

TTL = Min (65535, (TTL multiplier × LLDP frame transmission interval + 1))

As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be rounded down to 65535 seconds.
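The two subsections above describe what a receiving agent does with an LLDPDU (validate the TLVs, store the neighbor, age it out by the TTL) and how the sender computes that TTL. The following added example, written for this guide and not taken from H3C code, encodes and decodes the mandatory Chassis ID, Port ID, TTL and End TLVs in the IEEE 802.1AB layout (16-bit header: 7-bit type, 9-bit length), rejects frames whose mandatory TLVs are missing, out of order or truncated, and keeps a neighbor table that ages entries by the received TTL, treating TTL 0 as an immediate age-out. The MAC address, the port name GE1/0/1 and the timer values are constructed sample data.

```python
"""Encode/decode LLDPDU mandatory TLVs and age neighbors by TTL.
Added example, not H3C code; layout per IEEE 802.1AB."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5


def lldp_ttl(ttl_multiplier, tx_interval):
    """TTL = Min(65535, TTL multiplier x transmission interval + 1)."""
    return min(65535, ttl_multiplier * tx_interval + 1)


def encode_tlv(tlv_type, value):
    if len(value) > 511:
        raise ValueError("TLV value exceeds the 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl):
    """Mandatory TLVs in the order the standard requires, then End of LLDPDU."""
    return (encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + encode_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
            + encode_tlv(TLV_TTL, struct.pack("!H", ttl))
            + encode_tlv(TLV_END, b""))


def parse_lldpdu(data):
    """Validate the TLVs of a received frame; return chassis ID, port ID and TTL."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(data):
            raise ValueError("LLDPDU ends without an End TLV")
        hdr = struct.unpack("!H", data[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the frame")
        off += 2 + length
        if tlv_type == TLV_END:
            break
        tlvs.append((tlv_type, value))
    # Chassis ID, Port ID and TTL must be the first three TLVs, in that order.
    if ([t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]
            or len(tlvs[2][1]) != 2):
        raise ValueError("mandatory Chassis ID / Port ID / TTL TLVs are invalid")
    return {"chassis_id": tlvs[0][1][1:].hex(":"),      # strip the subtype byte
            "port_id": tlvs[1][1][1:].decode("ascii", "replace"),
            "ttl": struct.unpack("!H", tlvs[2][1])[0]}


class NeighborTable:
    """Neighbor information keyed by (chassis, port), aged by the received TTL."""

    def __init__(self):
        self.expiry = {}

    def receive(self, frame, now):
        info = parse_lldpdu(frame)          # invalid frames raise and are not stored
        key = (info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:                # TTL 0: the neighbor is going away
            self.expiry.pop(key, None)
        else:
            self.expiry[key] = now + info["ttl"]
        return info

    def live_neighbors(self, now):
        return sorted(k for k, t in self.expiry.items() if t > now)


if __name__ == "__main__":
    # Constructed sample: multiplier 4, interval 30 s gives a TTL of 121 s.
    frame = build_lldpdu(b"\x00\x11\x22\x33\x44\x55", "GE1/0/1", lldp_ttl(4, 30))
    table = NeighborTable()
    print(table.receive(frame, now=0), table.live_neighbors(now=100))
```

The multiplier-and-interval pair above shows why the cap matters: with the default-sized values the TTL stays small, but a large multiplier multiplied by a long interval is clamped to 65535 seconds, so a neighbor that silently disappears can linger in the table for that long unless the link goes down.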

LLDP reinitialization delay

When the LLDP operating mode changes on a port, the port initializes the protocol state machines after an LLDP reinitialization delay. By adjusting the delay, you can avoid frequent initializations caused by frequent changes to the LLDP operating mode on a port.

LLDP trapping

LLDP trapping notifies the network management system of events such as newly detected neighboring devices and link failures.

LLDP TLVs

A TLV is an information element that contains the type, length, and value fields. LLDPDU TLVs include the following categories:

·     Basic management TLVs

·     Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs

·     LLDP-MED (media endpoint discovery) TLVs

Basic management TLVs are essential to device management.

Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management. They are defined by standardization or other organizations and are optional for LLDPDUs.

Log

Log levels

Logs are classified into eight severity levels from 0 through 7 in descending order.

Table 3 Log levels

Severity value | Level | Description
0 | Emergency | The system is unusable. For example, the system authorization has expired.
1 | Alert | Action must be taken immediately. For example, traffic on an interface exceeds the upper limit.
2 | Critical | Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails.
3 | Error | Error condition. For example, the link state changes or a storage card is unplugged.
4 | Warning | Warning condition. For example, an interface is disconnected, or the memory resources are used up.
5 | Notification | Normal but significant condition. For example, a terminal logs in to the device, or the device reboots.
6 | Informational | Informational message. For example, a command or a ping operation is executed.
7 | Debugging | Debug message.

Log destinations

The system outputs logs to destinations such as the log buffer and log host. Log output destinations are independent and you can configure them in the Web interface.


Security features

Packet filter

Packet filter uses ACLs to filter incoming or outgoing packets on interfaces. An interface permits packets that match permit statements to pass through, and denies packets that match deny statements. The default action applies to packets that do not match any ACL rules.

QoS

QoS policies

In data communications, Quality of Service (QoS) provides differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS.

By associating a traffic behavior with a traffic class in a QoS policy, you apply QoS actions in the traffic behavior to the traffic class.

Traffic class

A traffic class defines a set of match criteria for classifying traffic.

Traffic behavior

A traffic behavior defines a set of QoS actions to take on packets.

QoS policy

A QoS policy associates traffic classes with traffic behaviors and performs the actions in each behavior on its associated traffic class.

Applying a QoS policy

You can apply a QoS policy to an interface. The QoS policy takes effect on the traffic sent or received on the interface. A QoS policy can be applied to multiple interfaces. However, each direction (inbound or outbound) of an interface supports only one QoS policy.

The QoS policy applied to the outgoing traffic on an interface does not regulate local packets. Local packets refer to critical protocol packets sent by the local system for operation maintenance. The most common local packets include link maintenance and SSH packets.

Priority mapping

When a packet arrives, the device assigns values of priority parameters to the packet for the purpose of queue scheduling and congestion control.

Priority mapping allows you to modify the priority values of the packet according to priority mapping rules. The priority parameters decide the scheduling priority and forwarding priority of the packet.

Port priority

When a port is configured with a priority trust mode, the device trusts the priorities included in incoming packets. The device automatically resolves the priorities or flag bits included in packets. The device then maps the trusted priority to the target priority types and values according to the priority maps.

When a port is not configured with a priority trust mode and is configured with a port priority, the device does not trust the priorities included in incoming packets. The device uses its port priority to look for priority parameters for the incoming packets.

The available priority trust modes include the following types:

·     Untrust—Does not trust any priority included in packets.

·     Dot1p—Trusts the 802.1p priorities included in packets.

·     DSCP—Trusts the DSCP priorities included in IP packets.

Priority maps

The device provides multiple priority maps. If a default priority map cannot meet your requirements, you can modify the priority map as required.

802.1X

802.1X is a port-based network access control protocol that controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

802.1X architecture

802.1X includes the following entities:

·     Client—A user terminal seeking access to the LAN. The terminal must have 802.1X software to authenticate to the access device.

·     Access device—Authenticates the client to control access to the LAN. In a typical 802.1X environment, the access device uses an authentication server to perform authentication.

·     Authentication server—Provides authentication services for the access device. The authentication server first authenticates 802.1X clients by using the data sent from the access device. Then, the server returns the authentication results to the access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use the access device as the authentication server.

802.1X authentication methods

The access device can perform EAP relay or EAP termination to communicate with the RADIUS server.

·     EAP termination—The access device performs the following operations in EAP termination mode:

a.     Terminates the EAP packets received from the client.

b.     Encapsulates the client authentication information in standard RADIUS packets.

c.     Uses PAP or CHAP to authenticate to the RADIUS server.

CHAP does not send the password in plaintext to the RADIUS server; PAP sends the password in plaintext to the RADIUS server.

·     EAP relay—The access device uses EAPOR (EAP over RADIUS) packets to send authentication information to the RADIUS server.

Access control methods

Comware implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.

·     Port-based access control—Once an 802.1X user passes authentication on a port, all subsequent users can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

·     MAC-based access control—Each user is separately authenticated on a port. When a user logs off, no other online users are affected.

Periodic online user reauthentication

Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The attributes include the ACL and VLAN. The reauthentication interval is user configurable.

Online user handshake

The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake messages to online users at the handshake interval. If the device does not receive any responses from an online user after it has made the maximum handshake attempts, the device sets the user to offline state.

EAD assistant

Endpoint Admission Defense (EAD) is an integrated endpoint access control solution to improve the threat defensive capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.

The EAD assistant feature enables the access device to redirect a user who is seeking to access the network to download and install an EAD client. This feature eliminates the administrative task of deploying EAD clients manually.

802.1X SmartOn

The SmartOn feature is mutually exclusive with the 802.1X online user handshake feature.

The device performs SmartOn authentication before 802.1X authentication. The following shows the authentication process:

1.     When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a unicast EAP-Request/Notification packet to the client for SmartOn authentication.

2.     Upon receiving an EAP-Response/Notification from the client, the device compares the switch ID and password in the packet with the switch ID and password configured on the device.

-     If they are the same, 802.1X authentication can continue.

-     If they do not match, SmartOn authentication fails. The access device stops 802.1X authentication for the client.

If the user attempts to use another 802.1X client for authentication, it will fail SmartOn authentication. The access device stops 802.1X authentication for the user.


NOTE:

After you install the SmartOn client software, add two values QX_ID and QX_PASSWORD to the Windows registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Soliton Systems K.K.\SmartOn Client\Clients\1XGate]. Specify the switch ID and password for the QX_ID and QX_PASSWORD, respectively. The switch ID and password must be the same as the switch ID and password configured on the device.


ISP domains

The device manages users based on ISP domains. An ISP domain includes authentication, authorization, and accounting methods for users. The device determines the ISP domain and access type of a user. It also uses the methods configured for the access type in the domain to control the user's access.

The device supports the following authentication methods:

·     No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.

·     Local authentication—The device authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.

·     Remote RADIUS authentication—The device works with a remote RADIUS server to authenticate users. The server manages user information in a centralized manner. Remote authentication provides high capacity, reliable, and centralized authentication services for multiple devices. You can configure backup methods to be used when the remote server is not available.

The device supports the following authorization methods:

·     No authorization—The device performs no authorization exchange. The following default authorization information applies after users pass authentication:

-     Login users obtain the level-0 user role.

-     The working directory for FTP, SFTP, and SCP login users is the root directory of the device. However, the users do not have permission to access the root directory.

-     Non-login users can access the network.

·     Local authorization—The device performs authorization according to the user attributes locally configured for users.

·     Remote RADIUS authorization—The device works with a remote RADIUS server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is included in the Access-Accept packet. You can configure backup methods to be used when the remote server is not available.

The device supports the following accounting methods:

·     No accounting—The device does not perform accounting for the users.

·     Local accounting—Local accounting is implemented on the device. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.

·     Remote RADIUS accounting—The device works with a remote RADIUS server for accounting. You can configure backup methods to be used when the remote server is not available.

On the device, each user belongs to one ISP domain. AAA manages users in the same ISP domain based on the users' access types. The device supports the following user access types:

·     LAN—LAN users must pass 802.1X authentication to come online.

·     Login—Login users include Telnet, FTP, and terminal users who log in to the device. Terminal users can access through a console port.

·     Portal—Portal users.

In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users can have different user attributes, such as different username and password structures, different service types, and different rights. To manage users of different ISPs, configure authentication, authorization, and accounting methods and domain attributes for each ISP domain as needed.

The device chooses an authentication domain for each user in the following order:

1.     The authentication domain specified for the access module. (Support for the authentication domain configuration depends on the access module.)

2.     The ISP domain in the username.

3.     The default ISP domain of the device.

If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

An ISP domain cannot be deleted when it is the default ISP domain. Before you delete the ISP domain, change the domain to a non-default ISP domain.

You can modify the settings of the system-defined ISP domain system, but you cannot delete the domain.

To avoid RADIUS authentication, authorization, or accounting failures, use short domain names to ensure that usernames containing a domain name do not exceed 253 characters.

RADIUS

RADIUS protocol

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.

The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses. RADIUS defines the protocol packet format and message transmission mechanisms, and it uses UDP port 1812 for authentication and UDP port 1813 for accounting.

RADIUS servers

The system supports a maximum of 16 RADIUS schemes. A RADIUS scheme can be used by multiple ISP domains.

You can specify one primary server and multiple secondary servers in a RADIUS scheme. If redundancy is not required, specify only the primary authentication and accounting servers.

A RADIUS server can function as the primary authentication or accounting server for one scheme and a secondary authentication or accounting server for another scheme at the same time.

Two authentication or accounting servers in a scheme, primary or secondary, cannot have the same combination of IP address and port number.

RADIUS does not support accounting for FTP, SFTP, and SCP users.

RADIUS timers

The device uses the following types of timers to control communication with a RADIUS server:

·     Server response timeout timer (response-timeout)—Defines the RADIUS request retransmission interval. The timer starts immediately after a RADIUS request is sent. If the device does not receive a response from the RADIUS server before the timer expires, it resends the request.

·     Server quiet timer (quiet)—Defines the duration to keep an unreachable server in blocked state. If one server is not reachable, the device changes the server status to blocked, starts this timer for the server, and tries to communicate with another server in active state. After the server quiet timer expires, the device changes the status of the server back to active.

·     Real-time accounting timer (realtime-accounting)—Defines the interval at which the device sends real-time accounting packets to the RADIUS accounting server for online users.

When you configure the timers, follow these restrictions and guidelines:

·     Consider the number of secondary servers when you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer. If the RADIUS scheme includes many secondary servers, the retransmission process might be too long and the client connection in the access module, such as Telnet, can time out.

When the client connections have a short timeout period, a large number of secondary servers can cause the initial authentication or accounting attempt to fail. In this case, reconnect the client rather than adjusting the RADIUS packet transmission attempts and server response timeout timer. Typically, the next attempt will succeed, because the device has blocked the unreachable servers to shorten the time to find a reachable server.

·     Make sure the server quiet timer is set correctly. A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state. A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.

·     A short real-time accounting interval helps improve accounting precision but requires many system resources. When there are 1000 or more users, set the interval to 15 minutes or longer.
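The guideline above about many secondary servers and short client timeouts is easiest to see with numbers. The following added example (written for this guide, not H3C code) simulates the interaction of the response-timeout timer, the retransmission attempts and the quiet timer: the NAS tries the primary and then each secondary in order, spends response-timeout x attempts on each server that never answers, moves that server to blocked state with a quiet timer, and skips blocked servers on later requests until their quiet timers expire. The server names, the timer values (3 s timeout, 3 attempts, 300 s quiet) and which servers are reachable are constructed assumptions, not device defaults.

```python
"""Simulate RADIUS failover driven by response-timeout, attempts and quiet timers.
Added example, not H3C code; all timer values are assumptions."""


class RadiusServer:
    def __init__(self, name, reachable):
        self.name = name
        self.reachable = reachable      # simulated: does this server ever answer?
        self.state = "active"           # "active" or "blocked"
        self.quiet_until = 0.0          # simulated time when the quiet timer expires


class RadiusScheme:
    def __init__(self, servers, response_timeout=3, max_attempts=3, quiet=300):
        self.servers = servers          # primary first, then secondaries in order
        self.response_timeout = response_timeout
        self.max_attempts = max_attempts
        self.quiet = quiet

    def _release_quiet(self, now):
        """Servers whose quiet timer has expired go back to active state."""
        for s in self.servers:
            if s.state == "blocked" and now >= s.quiet_until:
                s.state = "active"

    def authenticate(self, now):
        """Return (name of the server that answered or None, seconds spent)."""
        self._release_quiet(now)
        elapsed = 0.0
        for s in self.servers:
            if s.state == "blocked":
                continue                # the point of the quiet timer: skip it
            if s.reachable:
                return s.name, elapsed
            # No response: retransmit max_attempts times, then block the server.
            elapsed += self.response_timeout * self.max_attempts
            s.state = "blocked"
            s.quiet_until = now + elapsed + self.quiet
        return None, elapsed

    def worst_case_wait(self):
        """Time to walk every server when none has been blocked yet."""
        return len(self.servers) * self.response_timeout * self.max_attempts


def fits_client_timeout(scheme, client_timeout):
    """Can the access module's client (for example Telnet) outlast the worst case?"""
    return scheme.worst_case_wait() <= client_timeout


def make_scheme():
    # Constructed scenario: primary and two secondaries are down, the third answers.
    return RadiusScheme([RadiusServer("primary", False), RadiusServer("sec1", False),
                         RadiusServer("sec2", False), RadiusServer("sec3", True)])


if __name__ == "__main__":
    scheme = make_scheme()
    print("first login:", scheme.authenticate(now=0))      # 27 s before sec3 answers
    print("second login:", scheme.authenticate(now=30))    # blocked servers skipped
    print("fits a 10 s Telnet timeout:", fits_client_timeout(scheme, 10))
```

The first request spends 27 seconds before it reaches a working server, which is longer than a short client timeout, while the request that follows immediately afterwards succeeds at once because the unreachable servers are blocked; this is why the text recommends reconnecting the client rather than shrinking the timers. Once the quiet timer expires the blocked servers are tried again, so a quiet timer that is too short brings the slow path back sooner.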

Source IP address of outgoing RADIUS packets

A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, the RADIUS server checks the source IP address of the packet.

·     If it is the IP address of a managed NAS, the server processes the packet.

·     If it is not the IP address of a managed NAS, the server drops the packet.

Before sending a RADIUS packet, the NAS selects a source IP address for the RADIUS packet in the following order:

1.     The source IP address specified for the RADIUS scheme.

2.     The source IP address configured by using the radius nas-ip command in system view.

3.     The IP address of the routing outbound interface.

You can specify a source IP address for outgoing RADIUS packets in a RADIUS scheme or in system view.

·     The IP address specified for the RADIUS scheme applies only to that RADIUS scheme.

·     The IP address configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server.

The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate with the RADIUS server. As a best practice, specify a loopback interface address as the source IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.

Enhanced RADIUS features

The device supports the following enhanced RADIUS features:

·     Accounting-on—This feature enables the device to automatically send an accounting-on packet to the RADIUS server after a reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device. Without this feature, users cannot log in again after the reboot, because the RADIUS server still considers them online.

You can configure the interval for which the device waits to resend the accounting-on packet and the maximum number of retries.

·     Session-control—A RADIUS server running on H3C IMC can use session-control packets to send disconnect or dynamic authorization change requests. Enable session-control on the device to receive RADIUS session-control packets on UDP port 1812. The RADIUS session-control feature can only work with RADIUS servers running H3C IMC.

Local users

The device performs local authentication, authorization, and accounting based on the locally configured user information, including the username, password, and authorization attributes. Each local user is identified by the username.

User groups simplify local user configuration and management. A user group contains a group of local users and has a set of local user attributes. The user attributes of a user group apply to all users in this group.


System features

Event logs

Log types

Logs are classified into the following types:

·     Standard system logs—Record common system information. Unless otherwise specified, the term "logs" in this document refers to standard system logs.

·     Diagnostic logs—Record debugging messages.

·     Security logs—Record security information, such as authentication and authorization information.

·     Hidden logs—Record log information not displayed on the terminal, such as input commands.

·     Trace logs—Record system tracing and debugging messages, which can be viewed only after the devkit package is installed.

Log levels

Logs are classified into eight severity levels from 0 through 7 in descending order, as shown in Table 4. The information center outputs logs with a severity level that is higher than or equal to the specified level, that is, logs whose severity value is less than or equal to the configured value. For example, if you specify a severity level of 6 (informational), logs that have a severity level from 0 to 6 are output.

Table 4 Log levels

Severity value | Level | Description
0 | Emergency | The system is unusable. For example, the system authorization has expired.
1 | Alert | Action must be taken immediately. For example, traffic on an interface exceeds the upper limit.
2 | Critical | Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails.
3 | Error | Error condition. For example, the link state changes or a storage card is unplugged.
4 | Warning | Warning condition. For example, an interface is disconnected, or the memory resources are used up.
5 | Notification | Normal but significant condition. For example, a terminal logs in to the device, or the device reboots.
6 | Informational | Informational message. For example, a command or a ping operation is executed.
7 | Debugging | Debug message.
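The output rule stated above (a destination receives every log whose severity value is less than or equal to its configured level) and the note in the Log destinations section that destinations are independent are shown together in this added example, which is not code from the guide or from H3C. It takes the form a log host would see, syslog lines with an RFC 3164/5424 `<PRI>` prefix in which severity = PRI & 7, and routes each line to every destination whose threshold admits it. The `<PRI>` form, the destination names and thresholds, and the message texts are constructed assumptions; the device's own message format is not reproduced here.

```python
"""Route syslog-style log lines to independent destinations by severity.
Added example, not H3C code; sample lines are constructed."""
import re

LEVEL_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
               4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_line(line):
    """Return (facility, severity, message); reject lines without a valid <PRI>."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                       # 23 facilities x 8 severities, max PRI 191
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7, m.group(2)


def route_logs(lines, destinations):
    """destinations maps a destination name to the highest severity value it
    accepts (0..7). A log reaches every destination whose threshold is >= its
    severity value, independently of the other destinations."""
    routed = {name: [] for name in destinations}
    for line in lines:
        _, sev, msg = parse_line(line)
        for name, threshold in destinations.items():
            if sev <= threshold:
                routed[name].append((sev, LEVEL_NAMES[sev], msg))
    return routed


# Constructed sample lines, facility 1 (user) throughout: PRI = 8 + severity.
SAMPLE_LINES = [
    "<9>traffic on interface exceeds the upper limit",   # severity 1, Alert
    "<12>memory resources are used up",                  # severity 4, Warning
    "<13>a terminal logged in to the device",            # severity 5, Notification
    "<14>a ping operation was executed",                 # severity 6, Informational
    "<15>debug trace",                                   # severity 7, Debugging
]
# Assumed thresholds: buffer keeps informational and above, the log host only warnings and above.
DESTINATIONS = {"logbuffer": 6, "loghost": 4}


if __name__ == "__main__":
    for dest, entries in route_logs(SAMPLE_LINES, DESTINATIONS).items():
        print(dest, [f"{level}: {msg}" for _, level, msg in entries])
```

A practical check that falls out of this: a log host threshold of 7 forwards every debugging message too, which is the configuration most likely to flood a collector, while a threshold below 5 drops the login and reboot notifications that an investigation usually needs.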

ACL

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. You can use ACLs in QoS, security, routing, and other feature modules for identifying traffic. The packet drop or forwarding decisions depend on the modules that use ACLs.

ACL types and match criteria

Table 5 shows the ACL types available on the switch and the fields that can be used to filter or match traffic.

Table 5 ACL types and match criteria

Type | ACL number | IP version | Match criteria
Basic ACLs | 2000 to 2999 | IPv4 | Source IPv4 address.
Basic ACLs | 2000 to 2999 | IPv6 | Source IPv6 address.
Advanced ACLs | 3000 to 3999 | IPv4 | Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
Advanced ACLs | 3000 to 3999 | IPv6 | Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.
Ethernet frame header ACLs | 4000 to 4999 | IPv4 and IPv6 | Layer 2 header fields, including source and destination MAC addresses, 802.1p priority, and link layer protocol type.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:

·     config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this method, check the rules and their order carefully.

·     auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 6 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

Table 6 Sort ACL rules in depth-first order

ACL category

Sequence of tie breakers

IPv4 basic ACL

1.     More 0s in the source IPv4 address wildcard (more 0s means a narrower IPv4 address range).

2.     Rule configured earlier.

IPv4 advanced ACL

1.     Specific protocol number.

2.     More 0s in the source IPv4 address wildcard mask.

3.     More 0s in the destination IPv4 address wildcard.

4.     Narrower TCP/UDP service port number range.

5.     Rule configured earlier.

IPv6 basic ACL

1.     Longer prefix for the source IPv6 address (a longer prefix means a narrower IPv6 address range).

2.     Rule configured earlier.

IPv6 advanced ACL

1.     Specific protocol number.

2.     Longer prefix for the source IPv6 address.

3.     Longer prefix for the destination IPv6 address.

4.     Narrower TCP/UDP service port number range.

5.     Rule configured earlier.

Ethernet frame header ACL

1.     More 1s in the source MAC address mask (more 1s means a narrower MAC address range).

2.     More 1s in the destination MAC address mask.

3.     Rule configured earlier.


NOTE:

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

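The wildcard-mask test and the depth-first tie breakers of Table 6, carried through for an IPv4 advanced ACL. This is an added illustration, not H3C's implementation; the rule and packet values are constructed, and "rule configured earlier" is modelled by list position.

```python
import ipaddress

# Added illustration of the wildcard-mask and depth-first ordering semantics
# described above; a simplified model, not H3C's own implementation.

def wildcard_matches(address, criterion, wildcard):
    """True if 'address' matches the criterion under the wildcard mask.
    A 0 bit in the wildcard is a 'do care' bit that must be identical in the
    address and the criterion; a 1 bit is ignored. Bits may be noncontiguous."""
    a = int(ipaddress.IPv4Address(address))
    c = int(ipaddress.IPv4Address(criterion))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (c & care)

def _wildcard_ones(wildcard):
    # Fewer 1 bits (more 0 bits) means a narrower address range.
    return bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def depth_first_order(rules):
    """Sort IPv4 advanced ACL rules with the Table 6 tie breakers: specific
    protocol first, then narrower source, narrower destination, narrower
    port range, and finally the rule configured earlier (list position)."""
    def key(item):
        position, rule = item
        low, high = rule.get("ports") or (0, 65535)
        return (0 if rule.get("protocol") is not None else 1,
                _wildcard_ones(rule["src"][1]),
                _wildcard_ones(rule["dst"][1]),
                high - low,
                position)
    return [rule for _, rule in sorted(enumerate(rules), key=key)]

def first_match(ordered_rules, packet):
    """Return the first rule the packet matches; the device stops there."""
    for rule in ordered_rules:
        if rule.get("protocol") is not None and rule["protocol"] != packet["protocol"]:
            continue
        if not wildcard_matches(packet["src"], *rule["src"]):
            continue
        if not wildcard_matches(packet["dst"], *rule["dst"]):
            continue
        low, high = rule.get("ports") or (0, 65535)
        if not low <= packet["dport"] <= high:
            continue
        return rule
    return None

# Constructed sample rules in config (rule ID) order. Rule 0 is a broad deny
# that shadows the narrower permit in rule 5 unless depth-first order is used.
SAMPLE_RULES = [
    {"id": 0, "action": "deny", "protocol": None,
     "src": ("10.1.0.0", "0.0.255.255"), "dst": ("0.0.0.0", "255.255.255.255")},
    {"id": 5, "action": "permit", "protocol": 6,  # TCP
     "src": ("10.1.2.3", "0.0.0.0"), "dst": ("192.168.0.0", "0.0.0.255"),
     "ports": (22, 22)},
    {"id": 10, "action": "deny", "protocol": 6,
     "src": ("10.1.0.0", "0.0.255.255"), "dst": ("192.168.0.0", "0.0.0.255"),
     "ports": (1, 1024)},
]

# Constructed packet: TCP from 10.1.2.3 to 192.168.0.10, destination port 22.
SAMPLE_PACKET = {"protocol": 6, "src": "10.1.2.3", "dst": "192.168.0.10", "dport": 22}

if __name__ == "__main__":
    print("config order matches rule", first_match(SAMPLE_RULES, SAMPLE_PACKET)["id"])
    print("auto order matches rule",
          first_match(depth_first_order(SAMPLE_RULES), SAMPLE_PACKET)["id"])
```

With config order the packet hits the broad deny in rule 0; with auto order the narrower permit in rule 5 is matched first, which is why the text tells you to check rule order carefully when using config order.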

Rule numbering

ACL rules can be manually numbered or automatically numbered.

Rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Time range

You can implement a service based on the time of day by applying a time range to it. A time-based service takes effect only in the time periods specified by the time range. For example, you can implement time-based ACL rules by applying a time range to them. If a time range does not exist or has been deleted, the service based on the time range does not take effect.

The following basic types of time ranges are available:

·     Periodic time range—Recurs periodically on a day or days of the week.

·     Absolute time range—Represents only a period of time and does not recur.

A time range is uniquely identified by the time range name. A time range can include multiple periodic statements and absolute statements. The active period of a time range is calculated as follows:

1.     Combining all periodic statements.

2.     Combining all absolute statements.

3.     Taking the intersection of the two statement sets as the active period of the time range.
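The active-period calculation above (union of periodic statements, union of absolute statements, then the intersection of the two), as an added example rather than H3C's code. It assumes that weekdays are numbered 0 (Monday) to 6 and that a time range with no statements of one type is not restricted by that type.

```python
from datetime import datetime, time

# Added illustration of the time range semantics described above; a
# simplified model, not H3C's implementation. A periodic statement recurs on
# the listed weekdays (0 = Monday, assumption) between two times of day; an
# absolute statement covers one non-recurring interval between two datetimes.

def periodic_active(stmt, now):
    weekdays, start, end = stmt
    return now.weekday() in weekdays and start <= now.time() <= end

def absolute_active(stmt, now):
    start, end = stmt
    return start <= now <= end

def time_range_active(periodic, absolute, now):
    """True when 'now' lies in the union of the periodic statements AND in
    the union of the absolute statements. A statement type with no entries
    imposes no restriction (assumption)."""
    periodic_ok = any(periodic_active(s, now) for s in periodic) if periodic else True
    absolute_ok = any(absolute_active(s, now) for s in absolute) if absolute else True
    return periodic_ok and absolute_ok

# Constructed statements: working hours on weekdays, restricted to Q1 2024.
WORKING_HOURS = [({0, 1, 2, 3, 4}, time(8, 0), time(18, 0))]
Q1_2024 = [(datetime(2024, 1, 1), datetime(2024, 3, 31, 23, 59))]

if __name__ == "__main__":
    for when in (datetime(2024, 2, 14, 10, 0),   # Wednesday in Q1: active
                 datetime(2024, 2, 17, 10, 0),   # Saturday: inactive
                 datetime(2024, 4, 3, 10, 0)):   # Wednesday after Q1: inactive
        print(when, time_range_active(WORKING_HOURS, Q1_2024, when))
```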

Administrators

An administrator configures and manages the device from the following aspects:

·     User account management—Manages user account information and attributes (for example, username and password).

·     Role-based access control—Manages user privileges and accessible resources by user role.

·     Password control—Manages user passwords and controls user login status based on predefined policies.

The service type of an administrator can be HTTP, HTTPS, SSH, Telnet, FTP, PAD, or terminal. A terminal user can access the device through a console port.

User account management

A user account on the device manages attributes for users that log in to the device with the same username. The attributes include the username, password, services, and password control parameters.

Role-based access control

This feature controls user access to items and system resources based on user role. Items include commands, features, feature groups, Web pages, XML elements, and MIB nodes. System resources include interfaces and VLANs.

On devices that have a large number of login users, this feature is used to assign access permissions to user roles that are created for different job functions. Users are given permission to access a set of items and resources based on their user roles. Because user roles are persistent, in contrast to users, separating permissions from users enables easy permission management. When the job responsibilities of a user change, new users are added, or old users are removed, you only need to change the user roles or assign new user roles.

Permission assignment

Assigning permissions to a user role includes the following:

·     Define a set of rules to determine accessible or inaccessible system items for the user role.

·     Configure resource access policies to specify which interfaces and VLANs are accessible to the user role.

To configure an item related to a resource (an interface or VLAN), a user role must have access to both the item and the resource.

For example, a user role has a rule to permit VLAN 10 and has access permission to all VLANs. With this user role, you can create VLAN 10 and access VLAN 10. However, you cannot create any other VLAN or access any other VLAN. If the user role has access permission to all VLANs but does not have a rule to permit any VLAN, you cannot configure any VLAN.

User role rules

User role rules permit or deny access to commands, features, feature groups, Web pages, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:

·     Command rule—Controls access to a command or a set of commands that match a regular expression.

·     Feature rule—Controls access to the commands of a feature by command type. All features and their commands are predefined.

·     Feature group rule—Controls access to the commands of a feature group by command type. You can define a feature group and assign features to the group. The system has two predefined feature groups named L2 and L3. The L2 feature group includes all Layer 2 commands, and the L3 feature group includes all Layer 3 commands. These predefined feature groups are not user configurable. Features in feature groups can overlap.

·     Web menu rule—Controls access to Web pages by Web type. A Web page is identified by the Web menu that can open the Web page.

·     XML element rule—Controls access to XML elements by XML element type. An XML element is identified by its XPath.

·     OID rule—Controls SNMP access to a MIB node and its child nodes by node type. The path from the root node to that node is uniquely identified by OID.

The commands, features, feature groups, Web menus, XML elements, or MIB nodes are divided into the following types:

·     Read—Commands, features, feature groups, Web menus, XML elements, or MIB nodes that display configuration and maintenance information.

·     Write—Commands, features, feature groups, Web menus, XML elements, or MIB nodes that configure features in the system.

·     Execute—Commands, features, feature groups, Web menus, XML elements, or MIB nodes that execute specific functions.

A user role can access the set of permitted items specified in the user role rules. The user role rules include predefined and user-defined user role rules. For more information about the user role rule priority, see "Rule configuration guidelines."

Resource access policies

Resource access policies control access of user roles to system resources and include the following types:

·     Interface policy—Controls access to interfaces.

·     VLAN policy—Controls access to VLANs.

A CLI login user can perform the following tasks on an accessible interface or VLAN:

·     Create, remove, or configure the interface or VLAN.

·     Enter the interface or VLAN view.

·     Apply the interface or VLAN to other objects.

Resource access policies do not control access to the interface or VLAN options in the display commands. The CLI login user can specify these options in the display commands if the options are permitted by any user role rule.

A Web login user can perform the following tasks on an accessible interface or VLAN:

·     Create, remove, or configure the interface or VLAN.

·     Apply the interface or VLAN to other objects.

Predefined user roles

The system provides predefined user roles. These user roles have access to all system resources. However, their access permissions differ, as shown in Table 7.

Among all of the predefined user roles, only the network-admin and level-15 user roles have the following access permissions:

·     Access the RBAC feature.

·     Modify settings on user lines, including the user-role, authentication-mode, protocol inbound, and set authentication password command settings.

·     Create, modify, and delete local users and local user groups.

Users with any other user role can modify only their own passwords, even if the user role has permission to configure local users and local user groups.

The access permissions of the level-0 to level-14 user roles can be modified through user role rules and resource access policies. However, you cannot make changes on the predefined access permissions of these user roles. For example, you cannot change the access permission of these user roles to the display history-command all command.

Table 7 Predefined roles and permissions matrix

User role name

Permissions

network-admin

Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.

network-operator

·     Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role command.

·     Enables local authentication login users to change their own passwords.

·     Accesses the command used for entering XML view.

·     Accesses all read-type Web menu items.

·     Accesses all read-type XML elements.

·     Accesses all read-type MIB nodes.

level-n (n = 0 to 15)

·     level-0—Has access to commands including ping, tracert, ssh2, telnet, and super. Level-0 access rights are configurable.

·     level-1—Has access to the display commands of features and resources in the system. The level-1 user role also has all access rights of the level-0 user role. Level-1 access rights are configurable.

·     level-2 to level-8, and level-10 to level-14—Have no access rights by default. Access rights are configurable.

·     level-9—Has access to most of the features and resources in the system. If you are logged in with a local user account that has a level-9 user role, you can change the password in the local user account. The following are the major features and commands that the level-9 user role cannot access:

¡     RBAC non-debugging commands.

¡     Local users.

¡     File management.

¡     Device management.

¡     The display history-command all command.

·     level-15—Has the same rights as network-admin.

security-audit

Security log manager. The user role has the following access rights to security log files:

·     Accesses the commands for displaying and maintaining security log files (for example, the dir, display security-logfile summary, and more commands).

·     Accesses the commands for managing security log files and security log file system (for example, the info-center security-logfile directory, mkdir, and security-logfile save commands).

For more information about security log management commands, see information center in System Management Command Reference. For more information about file system management commands, see Fundamentals Command Reference.

IMPORTANT:

Only the security-audit user role has access to security log files.

guest-manager

Accesses only guest-related Web pages, and has no access to commands.


User role assignment

Depending on the authentication method, user role assignment has the following methods:

·     Local authorization—If the user passes local authorization, the device assigns the user roles specified in the local user account.

·     Remote authorization—If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server.

A user that fails to obtain a user role is logged out of the device.

If multiple user roles are assigned to a user, the user can use the collection of items and resources accessible to all the user roles.

Rule configuration guidelines

When you specify a command string for a command line rule, follow the guidelines in Table 8.

Table 8 Command string configuration rules

Rule

Guidelines

Semicolon (;) is the delimiter.

Use a semicolon to separate the command of each view that you must enter before you access a command or a set of commands. However, do not use a semicolon to separate commands available in user view or any view, for example, display and dir.

Each semicolon-separated segment must have a minimum of one printable character.

To specify the commands in a view but not the commands in the view's subviews, use a semicolon as the last printable character in the last segment. To specify the commands in a view and the view's subviews, the last printable character in the last segment must not be a semicolon.

For example, you must enter system view before you enter interface view. To specify all commands starting with the ip keyword in any interface view, you must use the "system ; interface * ; ip * ;" command string.

For another example, the "system ; radius scheme * ;" command string represents all commands that start with the radius scheme keywords in system view. The "system ; radius scheme *" command string represents all commands that start with the radius scheme keywords in system view and all commands in RADIUS scheme view.

Asterisk (*) is the wildcard.

An asterisk represents zero or multiple characters.

In a non-last segment, you can use an asterisk only at the end of the segment.

In the last segment, you can use an asterisk in any position of the segment. If the asterisk appears at the beginning, you cannot specify a printable character behind the asterisk.

For example, the "system ; *" command string represents all commands available in system view and all subviews of the system view. The "debugging * event" command string represents all event debugging commands available in user view.

Keyword abbreviation is allowed.

You can specify a keyword by entering the first few characters of the keyword. Any command that starts with this character string matches the rule.

For example, "rule 1 deny command dis arp source *" denies access to the display arp source-mac interface and display arp source-suppression commands.

To control the access to a command, you must specify the command immediately after the view that has the command.

To control access to a command, you must specify the command immediately behind the view to which the command is assigned. The rules that control command access for any subview do not apply to the command.

For example, the "rule 1 deny command system ; interface * ; *" command string disables access to any command that is assigned to interface view. However, you can still execute the acl basic 3000 command in interface view, because this command is assigned to system view rather than interface view. To disable access to this command, use "rule 1 deny command system ; acl *;".

Do not include the vertical bar (|), greater-than sign (>), or double greater-than sign (>>) when you specify display commands in a user role command rule.

The system does not treat the redirect signs and the parameters that follow the signs as part of command lines. However, in user role command rules, these redirect signs and parameters are handled as part of command lines. As a result, no rule that includes any of these signs can find a match.

For example, "rule 1 permit command display debugging > log" can never find a match. This is because the system has a display debugging command but not a display debugging > log command.


The following guidelines apply to non-OID rules:

·     If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, the user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:

¡     rule 1 permit command ping.

¡     rule 2 permit command tracert.

¡     rule 3 deny command ping.

·     If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.

The following guidelines apply to OID rules:

·     If the MIB node specified in a rule is a child node of the MIB nodes specified in other rules, only this rule takes effect. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:

¡     rule 1 permit read write oid 1.3.6.

¡     rule 2 deny read write oid 1.3.6.1.4.1.

¡     rule 3 permit read write oid 1.3.6.1.4.

·     If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, the user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:

¡     rule 1 permit read write oid 1.3.6.

¡     rule 2 deny read write oid 1.3.6.1.4.1.

¡     rule 3 permit read write oid 1.3.6.1.4.1.
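The command-string conventions of Table 8 (semicolon view delimiter, asterisk wildcard, keyword abbreviation) and the conflict-resolution guidelines above, worked through on the page's own rule sets. This is an added example, not H3C's implementation; it leaves out the read/write/execute access types and models a command by the view it is assigned to.

```python
import re

# Added illustration of the user role rule semantics described in Table 8 and
# the guidelines above: a simplified model, not H3C's implementation. Rules
# are (rule_id, "permit" | "deny", rule_string) tuples; the read/write/execute
# access types are left out.

def _segment_regex(segment):
    """Compile one semicolon-separated segment. A keyword may be abbreviated
    (the rule keyword is a prefix of the command keyword), '*' matches any
    run of characters, and the rule is itself a prefix of the command line,
    so anything may follow its last keyword."""
    pieces = []
    for token in segment.split():
        if "*" in token:
            pieces.append(".*".join(re.escape(part) for part in token.split("*")))
        else:
            pieces.append(re.escape(token) + r"\S*")
    return re.compile(r"\s+".join(pieces) + r"(\s.*)?$")

def command_rule_matches(rule_string, command_path):
    """command_path lists the view-entry commands followed by the command
    itself, e.g. ["system", "interface GigabitEthernet1/0/1", "shutdown"].
    A trailing ';' in the rule restricts it to that view, excluding subviews."""
    view_only = rule_string.rstrip().endswith(";")
    segments = [s.strip() for s in rule_string.split(";") if s.strip()]
    if len(command_path) < len(segments):
        return False
    if view_only and len(command_path) != len(segments):
        return False
    return all(_segment_regex(seg).match(part)
               for seg, part in zip(segments, command_path))

def command_access(rules, command_path):
    """Among the user-defined rules that match, the highest ID wins; a command
    that no rule permits is not accessible."""
    matched = [r for r in rules if command_rule_matches(r[2], command_path)]
    return max(matched, key=lambda r: r[0])[1] if matched else "deny"

def _oid_parts(oid):
    # "1.3.6." and "1.3.6" name the same node.
    return tuple(int(p) for p in oid.strip(".").split("."))

def oid_access(rules, node_oid):
    """The rule naming the deepest ancestor of (or exactly) node_oid wins; if
    several rules name that same node, the highest ID wins."""
    node = _oid_parts(node_oid)
    matched = []
    for rule_id, action, oid in rules:
        prefix = _oid_parts(oid)
        if node[:len(prefix)] == prefix:
            matched.append((len(prefix), rule_id, action))
    return max(matched)[2] if matched else "deny"

# The page's own examples, as constructed rule sets.
PING_RULES = [(1, "permit", "ping"), (2, "permit", "tracert"), (3, "deny", "ping")]
OID_RULES_A = [(1, "permit", "1.3.6."), (2, "deny", "1.3.6.1.4.1."),
               (3, "permit", "1.3.6.1.4.")]
OID_RULES_B = [(1, "permit", "1.3.6."), (2, "deny", "1.3.6.1.4.1."),
               (3, "permit", "1.3.6.1.4.1.")]
NODE = "1.3.6.1.4.1.25506.141.3.0.1"

if __name__ == "__main__":
    print(command_access(PING_RULES, ["ping 10.0.0.1"]),       # deny
          command_access(PING_RULES, ["tracert 10.0.0.1"]))    # permit
    print(oid_access(OID_RULES_A, NODE), oid_access(OID_RULES_B, NODE))  # deny permit
```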

Password control

Password control allows you to implement the following features:

·     Manage login and super password setup, expirations, and updates for device management users.

·     Control user login status based on predefined policies.

Minimum password length

You can define the minimum length of user passwords. If a user enters a password that is shorter than the minimum length, the system rejects the password.

Password composition policy

A password can be a combination of characters from the following types:

·     Uppercase letters A to Z.

·     Lowercase letters a to z.

·     Digits 0 to 9.

·     Special characters. See Table 9.

Table 9 Special characters

·     Ampersand sign (&)

·     Apostrophe (')

·     Asterisk (*)

·     At sign (@)

·     Back quote (`)

·     Back slash (\)

·     Blank space (N/A)

·     Caret (^)

·     Colon (:)

·     Comma (,)

·     Dollar sign ($)

·     Dot (.)

·     Equal sign (=)

·     Exclamation point (!)

·     Left angle bracket (<)

·     Left brace ({)

·     Left bracket ([)

·     Left parenthesis (()

·     Minus sign (-)

·     Percent sign (%)

·     Plus sign (+)

·     Pound sign (#)

·     Quotation marks (")

·     Right angle bracket (>)

·     Right brace (})

·     Right bracket (])

·     Right parenthesis ())

·     Semi-colon (;)

·     Slash (/)

·     Tilde (~)

·     Underscore (_)

·     Vertical bar (|)

Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 10.

Table 10 Password composition policy

Password combination level | Minimum number of character types | Minimum number of characters for each type
Level 1 | One | One
Level 2 | Two | One
Level 3 | Three | One
Level 4 | Four | One

When a user sets or changes a password, the system examines whether the password meets the combination requirement. If the password does not meet the requirement, the operation fails.

Password complexity checking policy

A less complicated password, such as one containing the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to ensure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password does not meet the complexity requirements, the configuration fails.

You can apply the following password complexity requirements:

·     A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.

·     A character or number cannot be included three or more times consecutively. For example, password a111 is not complex enough.
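The composition policy (Table 9 and Table 10) and the two complexity requirements above, implemented as one check. This is an added example, not H3C's code; the minimum length and combination level are parameters because the page gives no defaults, and the username comparison is case-sensitive as the page states it.

```python
import re

# Added illustration of the composition and complexity checks described
# above; a simplified model, not H3C's implementation.

# The Table 9 special characters, blank space included.
SPECIAL = set("&'*@`\\ ^:,$.=!<{[(-%+#\">}])/;~_|")

def character_types(password):
    """Return the set of character types used, or None if a character is
    outside the four permitted types."""
    types = set()
    for ch in password:
        if "A" <= ch <= "Z":
            types.add("uppercase")
        elif "a" <= ch <= "z":
            types.add("lowercase")
        elif "0" <= ch <= "9":
            types.add("digit")
        elif ch in SPECIAL:
            types.add("special")
        else:
            return None
    return types

def check_password(password, username, min_length, combination_level):
    """Return the list of policy violations; an empty list means the password
    is accepted. Table 10 requires at least one character of each type
    counted, which the type set already guarantees."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than the minimum length")
    types = character_types(password)
    if types is None:
        problems.append("contains a character that is not permitted")
    elif len(types) < combination_level:
        problems.append("fewer than %d character types" % combination_level)
    if username in password or username[::-1] in password:
        problems.append("contains the username or its reverse")
    if re.search(r"(.)\1\1", password):
        problems.append("a character repeated three or more times in a row")
    return problems

if __name__ == "__main__":
    # The page's examples for username abc, plus one accepted password.
    for candidate in ("abc982", "2cba", "a111", "Tr0ub4dor&3x"):
        print(candidate, check_password(candidate, "abc", 4, 2) or "accepted")
```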

Password updating

This function allows you to set the minimum interval at which users can change their passwords. If a user logs in to change the password but the time passed since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a user cannot change the password twice within 48 hours.

The minimum interval does not apply to the following situations:

·     A user is prompted to change the password at first login.

·     The password aging time expires.

Password expiration

Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password.

If a user enters an expired password when logging in, the system displays an error message. The user is prompted to provide a new password and to confirm it by entering it again. The new password must be valid, and the user must enter exactly the same password when confirming it.

Telnet users, SSH users, and console users can change their own passwords. FTP users must have their passwords changed by the administrator.

Early notice on pending password expiration

When a user logs in, the system examines whether the password will expire in a time equal to or less than the specified notification period. If so, the system notifies the user when the password will expire and provides a choice for the user to change the password. If the user sets a new password that is complexity-compliant, the system records the new password and the setup time. If the user chooses not to change the password or the user fails to change it, the system allows the user to log in using the current password.

Telnet users, SSH users, and console users can change their own passwords. FTP users must have their passwords changed by the administrator.

Login with an expired password

You can allow a user to log in a certain number of times within a period of time after the password expires. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.

Password history

With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters. The four characters must be different from one another. Otherwise, the system will display an error message, and the password will not be changed.

You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.

Current login passwords are not stored in the password history for device management users (administrators). Device management users have their passwords saved in cipher text, which cannot be recovered to plaintext passwords.

Login attempt limit

Limiting the number of consecutive login failures can effectively prevent password guessing.

Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types of users:

·     Nonexistent users (users not configured on the device).

·     Users logging in to the device through console ports.

When a user fails the maximum number of consecutive attempts, login attempt limit limits the user and user account in any of the following ways:

·     Prohibits the user from using the user account to log in through the user's IP address. The locked user can use the account to log in to the device only after the account is manually removed from the password control blacklist.

·     Allows the user to continue using the user account. The user account is removed from the password control blacklist when the user uses this account to successfully log in to the device.

·     Locks the user account and the user's IP address for a period of time.

The user can use the account to log in when either of the following conditions exists:

¡     The locking timer expires.

¡     The account is manually removed from the password control blacklist before the locking timer expires.


NOTE:

This account is locked only for the user at the locked IP address. A user from an unlocked IP address can still use this account, and the user at the locked IP address can use other unlocked user accounts.

Maximum account idle time

You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid.

Settings

Access the Settings page to change the device name, location, and system time.

System time sources

Correct system time settings are essential for the device to cooperate with other devices on the network. The system time is calculated based on the GMT, time zone, and daylight saving time.

You can use the following methods to obtain the GMT:

·     Manually set the GMT.

·     Configure NTP or SNTP to obtain the GMT.

The GMT obtained through NTP or SNTP is more secure than the GMT configured at the CLI.

Clock synchronization protocols

The device supports the following clock synchronization protocols:

·     NTP—Network Time Protocol. NTP is typically used in large networks to dynamically synchronize time among network devices. It provides higher clock accuracy than manual system time configuration.

·     SNTP—Simple NTP, a simpler implementation of NTP. SNTP uses the same packet formats and exchange procedures as NTP. However, SNTP simplifies the clock synchronization procedure. Compared with NTP, SNTP uses fewer resources and implements clock synchronization in a shorter time, but it provides lower time accuracy.

NTP/SNTP operating modes

NTP supports two operating modes: client/server mode and symmetric active/passive mode. The device can act only as a client in client/server mode or the active peer in symmetric active/passive mode.

SNTP supports only the client/server mode. The device can act only as a client.

Table 11 NTP/SNTP operating modes

Mode

Operating process

Principle

Application scenario

Client/server

1.     A client sends a clock synchronization message to the NTP servers.

2.     Upon receiving the message, the servers automatically operate in server mode and send a reply.

3.     If the client is synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source.

You can configure multiple time servers for a client.

This operating mode requires that you specify the IP addresses of the NTP servers on the client.

A client can synchronize to a server, but a server cannot synchronize to a client.

This mode is intended for scenarios where devices of a higher stratum synchronize to devices with a lower stratum.

Symmetric active/passive

1.     A symmetric active peer periodically sends clock synchronization messages to a symmetric passive peer.

2.     The symmetric passive peer automatically operates in symmetric passive mode and sends a reply.

3.     If the symmetric active peer can be synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source.

This operating mode requires you to specify the IP address of the symmetric passive peer on the symmetric active peer.

A symmetric active peer and a symmetric passive peer can be synchronized to each other. If both of them are synchronized, the peer with a higher stratum is synchronized to the peer with a lower stratum.

This mode is most often used between servers with the same stratum to operate as a backup for one another. If a server fails to communicate with all the servers of a lower stratum, the server can still synchronize to the servers of the same stratum.


NTP/SNTP time source authentication

The time source authentication feature enables the device to authenticate the received NTP or SNTP packets. This feature ensures that the device obtains the correct GMT.

Configuration file management

A configuration file saves a set of commands for configuring software features on the device. You can save any configuration to a configuration file so the configuration can survive a reboot. You can also back up configuration files to a host for future use.

Configuration types

Initial configuration

Initial configuration is the collection of initial default settings for the configuration commands in software.

The device starts up with the initial configuration if you access the BootWare menu and select the Skip Current System Configuration option. In this situation, the device might also be described as starting up with empty configuration.

No commands are available to display the initial configuration. To view the initial default settings for the configuration commands in a software version, see the Default sections in the command references for the software version.

Factory defaults

Factory defaults are custom basic settings that came with the device. Factory defaults vary by device models and might differ from the initial default settings for the commands.

The device starts up with the factory defaults if no next-startup configuration files are available.

To display the factory defaults, use the display default-configuration command.

Startup configuration

The device uses startup configuration to configure software features during startup. After the device starts up, you can specify the configuration file to be loaded at the next startup. This configuration file is called the next-startup configuration file. The configuration file that has been loaded is called the current startup configuration file.

You can display the startup configuration by using one of the following methods:

·     To display the contents of the current startup configuration file, execute the display current-configuration command immediately after the device reboots, before changing any configuration.

·     To display the contents of the next-startup configuration file, use the display saved-configuration command.

·     Use the display startup command to display names of the current startup configuration file and next-startup configuration files. Then, you can use the more command to display the contents of the specified startup configuration file. For more information about the more command, see file system management commands in Fundamentals Command Reference.

Running configuration

The running configuration includes unchanged startup settings and new settings. The running configuration is stored in memory and is cleared at a device reboot or power off. To use the running configuration after a power cycling or reboot, save it to a configuration file.

To display the running configuration, use the display current-configuration command.

Configuration file types and file selection process at startup

When you save the configuration, the system saves the settings to a .cfg configuration file and to an .mdb file.

·     A .cfg configuration file is a human-readable text file and its contents can be displayed by using the more command. Configuration files you specify for saving the configuration must use the .cfg extension.

·     An .mdb file is a user-inaccessible binary file that has the same name as the .cfg file. The device loads an .mdb file faster than loading a .cfg file.

At startup, the device uses the following procedure to identify the configuration file to load:

1.     The device searches for a valid .cfg next-startup configuration file. For more information about the file selection rules, see "Next-startup configuration file redundancy."

2.     If a valid .cfg next-startup configuration file is found, the device searches for an .mdb file that has the same name and checksum as the .cfg file.

3.     If a matching .mdb file is found, the device starts up with the .mdb file. If none is found, the device starts up with the .cfg file.

If no .cfg next-startup configuration files are available, the device starts up with the factory defaults.

Unless otherwise stated, the term "configuration file" in this document refers to a .cfg configuration file.

Next-startup configuration file redundancy

You can specify one main next-startup configuration file and one backup next-startup configuration file for redundancy.

At startup, the device tries to select the .cfg startup configuration in the following order:

1.     The main next-startup configuration file.

2.     The backup next-startup configuration file if the main next-startup configuration file does not exist or is corrupt.

If no next-startup configuration files are available, the device starts up with the factory defaults.

Configuration file content organization and format

IMPORTANT:

To run on the device, a configuration file must meet the content and format requirements. As a best practice, use a configuration file created on the device. If you edit the configuration file, make sure all edits are compliant with the requirements.

A configuration file must meet the following requirements:

·     All commands are saved in their complete form.

·     Commands are sorted into sections by different command views, including system view, interface views, protocol views, and user line views.

·     Two adjacent sections are separated by a pound sign (#).

·     The configuration file ends with the word return.

The following is a sample configuration file excerpt:

#
local-user root class manage
 password hash $h$6$Twd73mLrN8O2vvD5$Cz1vgdpR4KoTiRQNE9pg33gU14Br2p1VguczLSVyJLO2huV5Syx/LfDIf8ROLtVErJ/C31oq2rFtmNuyZf4STw==
 service-type ssh telnet terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
interface Vlan-interface1
 ip address 192.168.1.84 255.255.255.0
#
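The following Python is an added example, not H3C code. It parses a file in this format, checks the requirements above that can be checked mechanically (sections introduced by a pound sign, indented commands only inside a view, a terminating return; complete command spelling cannot be checked without the command tables), flags two account settings a reviewer would question before loading an edited file, and then applies the startup order from "Configuration file types and file selection process at startup" and "Next-startup configuration file redundancy". Assumptions not stated on the page: a command indented by one space belongs to the view entered by the preceding unindented command, password simple marks a plaintext password, and an .mdb file is modelled as a stored SHA-256 of the .cfg it was generated from. The sample configuration is the excerpt above; the flash contents are constructed.

```python
"""Parser, format check and audit for a Comware-style .cfg file, plus the
startup file selection described in the preceding sections. Added
illustration, not H3C code. Assumed (not on the page): one-space indentation
marks commands inside the preceding view; 'password simple' marks a plaintext
password; an .mdb file is modelled as a stored SHA-256 of its .cfg. The
sample configuration is the excerpt above; flash contents are constructed."""
import hashlib

SAMPLE_CFG = """#
local-user root class manage
 password hash $h$6$Twd73mLrN8O2vvD5$Cz1vgdpR4KoTiRQNE9pg33gU14Br2p1VguczLSVyJLO2huV5Syx/LfDIf8ROLtVErJ/C31oq2rFtmNuyZf4STw==
 service-type ssh telnet terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
interface Vlan-interface1
 ip address 192.168.1.84 255.255.255.0
#
return
"""


def validate_cfg(text: str) -> list:
    """Return the format problems found (empty list: meets the checkable requirements)."""
    problems = []
    lines = text.rstrip("\n").splitlines()
    if not lines or lines[-1].strip() != "return":
        problems.append("file does not end with 'return'")
    if lines and lines[0] != "#":
        problems.append("file does not start with a '#' section separator")
    after_separator = True
    for line in lines:
        if line == "#":
            after_separator = True
            continue
        if line.startswith(" ") and after_separator:
            problems.append(f"indented command with no enclosing view: {line.strip()!r}")
        after_separator = False
    return problems


def parse_cfg(text: str) -> list:
    """Split the file into sections; each section is a list of (command, [sub-commands])."""
    sections, current = [], []
    for line in text.splitlines():
        if line.strip() == "return":
            break
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line.startswith(" ") and current:
            current[-1][1].append(line.strip())
        elif line.strip():
            current.append((line.strip(), []))
    if current:
        sections.append(current)
    return sections


def audit_cfg(text: str) -> list:
    """Flag local-user settings worth a second look before the file is loaded."""
    findings = []
    for section in parse_cfg(text):
        for command, subs in section:
            if not command.startswith("local-user "):
                continue
            user = command.split()[1]
            for sub in subs:
                if sub.startswith("password simple "):      # assumed plaintext keyword
                    findings.append(f"{user}: password stored in plaintext")
                if sub.startswith("service-type ") and "telnet" in sub.split():
                    findings.append(f"{user}: telnet (cleartext) login enabled")
    return findings


def cfg_checksum(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def select_startup(flash: dict, main: str, backup: str) -> tuple:
    """Main .cfg, else backup .cfg, else factory defaults; a valid .cfg is
    loaded through its .mdb only when the .mdb matches the .cfg checksum."""
    for name in (main, backup):
        cfg = flash.get(name)
        if cfg is None or validate_cfg(cfg):
            continue                      # missing or corrupt: try the next candidate
        mdb = flash.get(name[:-len(".cfg")] + ".mdb")
        return name, ("mdb" if mdb == cfg_checksum(cfg) else "cfg")
    return None, "factory-defaults"


def demo() -> dict:
    truncated = SAMPLE_CFG.replace("\nreturn\n", "\n")     # main file cut off before 'return'
    flash = {
        "startup.cfg": truncated,
        "startup.mdb": cfg_checksum(truncated),
        "backup.cfg": SAMPLE_CFG,
        "backup.mdb": cfg_checksum("older revision"),        # stale after an off-device edit
    }
    return {
        "sample_problems": validate_cfg(SAMPLE_CFG),
        "truncated_problems": validate_cfg(truncated),
        "audit": audit_cfg(SAMPLE_CFG),
        "selected": select_startup(flash, "startup.cfg", "backup.cfg"),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed flash layout the main file is truncated, so the device falls through to the backup; because the backup was edited off the device, its .mdb no longer matches and the slower .cfg path is taken. The audit flags the sample's root account for allowing Telnet alongside SSH, which is worth removing before the file is loaded since Telnet carries the password in cleartext.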

Software upgrade

Software upgrade enables you to upgrade a software version, add new features, and fix software bugs. This section describes software types and release forms.

Software types

The following software types are available:

·     BootWare image—Also called the Boot ROM image. This image contains a basic segment and an extended segment.

¡     The basic segment is the minimum code that bootstraps the system.

¡     The extended segment enables hardware initialization and provides system management menus. When the device cannot start up correctly, you can use the menus to load software and the startup configuration file or manage files.

Typically, the BootWare image is integrated into the Boot image to avoid software compatibility errors.

·     Comware image—Includes the following image subcategories:

¡     Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, file system management, and the emergency shell.

¡     System image—A .bin file that contains the Comware kernel and standard features, including device management, interface management, configuration management, and routing.

¡     Feature image—A .bin file that contains advanced or customized software features. You can purchase feature images as needed.

¡     Patch image—A .bin file that is released for fixing bugs without rebooting the device. A patch image does not add or remove features.

Patch images have the following types:

-     Incremental patch images—A new patch image can cover all, part, or none of the functions provided by an old patch image. A new patch image can coexist with an old patch image on the device only when the former covers none of the functions provided by the latter.

-     Non-incremental patch images—A new non-incremental patch image covers all functions provided by an old non-incremental patch image. Each boot, system, or feature image can have one non-incremental patch image, and these patch images can coexist on the device. The device uninstalls the old non-incremental patch image before installing a new non-incremental patch image.

An incremental patch image and a non-incremental patch image can coexist on the device.

Comware images that have been loaded are called current software images. Comware images specified to load at the next startup are called startup software images.

BootWare image, boot image, and system image are required for the device to operate.

Software release forms

Software images are released in one of the following forms:

·     Separate .bin files. You must verify compatibility between software images.

·     As a whole in one .ipe package file. The images in an .ipe package file are compatible. The system decompresses the file automatically, loads the .bin images and sets them as startup software images.

 

 

NOTE:

Software image file names use the model-comware version-image type-release format.

 


Tools

To diagnose and locate faults, the system provides the diagnostic information collection feature.