HP 7500 Switch Series
Configuration Examples
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Part Number: 5998-4952
Contents
802.1X configuration examples 1
AAA configuration examples 32
Example: Allowing a specific host to access the network 49
Example: Denying a specific host to access the network 51
Example: Allowing access between specific subnets 53
Example: Denying Telnet packets 55
Example: Allowing TCP connections initiated from a specific subnet 56
Example: Denying FTP traffic 59
Example: Allowing FTP traffic (active FTP) 60
Example: Allowing FTP traffic (passive FTP) 63
Example: Allowing ICMP requests from a specific direction 66
Example: Allowing HTTP/Email/DNS traffic 67
Example: Filtering packets by MAC address 69
Example: Applying ACLs in device management 71
ARP attack protection configuration examples 75
ARP configuration examples 85
Proxy ARP configuration examples 88
Basic MPLS configuration examples 94
BPDU tunneling configuration examples 106
CFD configuration examples 111
DHCP configuration examples 120
DLDP configuration examples 132
DNS configuration examples 141
Ethernet OAM configuration examples 157
IGMP configuration examples 160
IGMP snooping configuration example 172
IP addressing configuration examples 187
IP performance optimization configuration examples 190
IP source guard configuration examples 195
IPv6 basics configuration examples 201
IPv6 multicast VLAN configuration examples 205
IPv6 PIM configuration examples 215
IRF configuration examples 248
Link aggregation configuration examples 298
LLDP configuration examples 312
MAC address table configuration examples 319
MAC authentication configuration examples 325
MFF configuration examples 340
Mirroring configuration examples 353
MLD configuration examples 383
MLD snooping configuration examples 395
MPLS L2VPN configuration examples 410
Multicast VLAN configuration examples 451
NetStream configuration examples 461
NQA configuration examples 467
NTP configuration examples 492
OSPF configuration examples 505
PIM configuration examples 548
Port isolation configuration examples 579
Port security configuration examples 586
QinQ configuration examples 602
Traffic policing configuration examples 623
GTS and rate limiting configuration examples 646
Priority and queue scheduling configuration examples 651
User profile configuration examples 665
Control plane protection configuration examples 671
QoS policy-based routing configuration examples 677
Configuration examples for implementing HQoS through marking local QoS IDs 689
RRPP configuration examples 695
Sampler configuration examples 759
sFlow configuration examples 761
Smart Link and CFD collaboration configuration examples 765
Smart Link configuration examples 783
Monitor Link configuration examples 801
Spanning tree configuration examples 806
SSH configuration examples 828
Static multicast route configuration examples 852
Static routing configuration examples 869
Tunnel configuration examples 882
UDP helper configuration examples 920
URPF configuration examples 923
VLAN configuration examples 926
VLAN mapping configuration examples 935
VPLS configuration examples 952
IPv4-based VRRP configuration examples 997
IPv6-based VRRP configuration examples 1031
802.1X configuration examples
This chapter provides examples for configuring 802.1X authentication to control network access of LAN access users.
Example: Configuring RADIUS-based 802.1X authentication (non-IMC server)
Applicable product matrix
Product series | Software version
HP 7500 | Release series 6620
HP 7500 | Release series 6630
HP 7500 | Release series 6700
Network requirements
As shown in Figure 1:
Users must pass 802.1X authentication to access the Internet, and they use the HP iNode client to initiate 802.1X authentication.
Switch A uses a RADIUS server (Switch B) to perform RADIUS-based 802.1X authentication and authorization.
The HP 5500 HI switch functions as the RADIUS server.
Configure GigabitEthernet 1/0/1 to implement MAC-based access control so each user is separately authenticated. When a user logs off, no other online users are affected.
Figure 1 Network diagram
Configuration restrictions and guidelines
When you configure RADIUS-based 802.1X authentication, follow these restrictions and guidelines:
The authentication port (UDP) used by RADIUS servers is 1812 according to standard RADIUS protocols. However, the port (UDP) is set to 1645 on an HP device that functions as the RADIUS authentication server. Configure the port used for RADIUS authentication to 1645 for the RADIUS scheme on the access device.
Enable 802.1X globally only after you have configured the authentication-related parameters. Otherwise, users might fail to pass 802.1X authentication.
The 802.1X configuration takes effect on a port only after you enable 802.1X globally and on the port.
Configuration procedures
Configuring IP addresses
# Assign an IP address to each interface as shown in Figure 1. Make sure the client, Switch A, and the RADIUS server can reach each other. (Details not shown.)
Configuring Switch A
1. Configure the RADIUS scheme:
# Create RADIUS scheme radius1 and enter RADIUS scheme view.
[SwitchA] radius scheme radius1
New Radius scheme
[SwitchA-radius-radius1]
# Specify the RADIUS server at 10.1.1.1 as the primary authentication server, set the authentication port to 1645, and specify the shared key as abc.
[SwitchA-radius-radius1] primary authentication 10.1.1.1 1645 key abc
# Exclude the ISP domain name from the username sent to the RADIUS server.
[SwitchA-radius-radius1] user-name-format without-domain
NOTE:
The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.
# Set the source IP address for outgoing RADIUS packets to 10.1.1.2.
[SwitchA-radius-radius1] nas-ip 10.1.1.2
[SwitchA-radius-radius1] quit
2. Configure the ISP domain:
# Create ISP domain test and enter ISP domain view.
[SwitchA] domain test
[SwitchA-isp-test]
# Configure ISP domain test to use RADIUS scheme radius1 for authentication and authorization of all 802.1X users.
[SwitchA-isp-test] authentication lan-access radius-scheme radius1
[SwitchA-isp-test] authorization lan-access radius-scheme radius1
[SwitchA-isp-test] quit
# Specify domain test as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
[SwitchA] domain default enable test
3. Configure 802.1X:
# Enable 802.1X on port GigabitEthernet 1/0/1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dot1x
802.1x is enabled on port GigabitEthernet1/0/1.
[SwitchA-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/1 to implement MAC-based access control. This step is optional, because the port implements MAC-based access control by default.
[SwitchA] dot1x port-method macbased interface gigabitethernet 1/0/1
# Enable 802.1X globally.
[SwitchA] dot1x
802.1x is enabled globally.
Configuring the RADIUS server
# Create RADIUS user guest and enter RADIUS server user view.
<Sysname> system-view
[Sysname] radius-server user guest
[Sysname-rdsuser-guest]
# Set the password to 123456 in plain text for RADIUS user guest.
[Sysname-rdsuser-guest] password simple 123456
[Sysname-rdsuser-guest] quit
# Specify RADIUS client 10.1.1.2, and set the shared key to abc in plain text.
[Sysname] radius-server client-ip 10.1.1.2 key simple abc
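The restrictions above (UDP port 1645 when an HP device is the RADIUS server, a shared key and NAS IP that match the server's client entry) and the username correlation rules of Table 1 can be verified before 802.1X is enabled globally. The following Python script is an added example and is not part of the HP document: it parses the Switch A and RADIUS server commands from this example, embedded as constructed sample text, and reports each mismatch that would cause authentication to fail.

```python
import re
# Constructed sample input: the Switch A and RADIUS server commands from the
# steps above, as they would appear in each device's running configuration.
SWITCH_A = """radius scheme radius1
 primary authentication 10.1.1.1 1645 key abc
 user-name-format without-domain
 nas-ip 10.1.1.2
domain default enable test"""
RADIUS_SERVER = """radius-server user guest
 password simple 123456
radius-server client-ip 10.1.1.2 key simple abc"""

def parse_scheme(text):
    # Fields the guidelines depend on; user-name-format defaults to with-domain.
    m = re.search(r"primary authentication \S+ (\d+) key (\S+)", text)
    fmt = re.search(r"user-name-format (\S+)", text)
    nas = re.search(r"nas-ip (\S+)", text)
    dom = re.search(r"domain default enable (\S+)", text)
    return {"port": int(m.group(1)), "key": m.group(2),
            "format": fmt.group(1) if fmt else "with-domain",
            "nas_ip": nas.group(1) if nas else None,
            "default_domain": dom.group(1) if dom else None}

def parse_server(text):
    m = re.search(r"radius-server client-ip (\S+) key simple (\S+)", text)
    return {"users": set(re.findall(r"radius-server user (\S+)", text)),
            "client_ip": m.group(1), "key": m.group(2)}

def username_sent(login, scheme):
    # Table 1: X@Y keeps or drops Y per user-name-format; bare X gets the default domain.
    user, _, domain = login.partition("@")
    domain = domain or scheme["default_domain"]
    if scheme["format"] == "without-domain" or not domain:
        return user
    return f"{user}@{domain}"

def check(login, switch_cfg=SWITCH_A, server_cfg=RADIUS_SERVER):
    # Return the guideline violations found; an empty list means consistent.
    s, r = parse_scheme(switch_cfg), parse_server(server_cfg)
    problems = []
    if s["port"] != 1645:
        problems.append(f"port {s['port']}: an HP RADIUS server listens on UDP 1645")
    if s["key"] != r["key"]:
        problems.append("shared key differs between scheme and radius-server client-ip")
    if s["nas_ip"] != r["client_ip"]:
        problems.append(f"nas-ip {s['nas_ip']} is not the registered client {r['client_ip']}")
    if (name := username_sent(login, s)) not in r["users"]:
        problems.append(f"RADIUS server has no user {name!r}")
    return problems
```

Running `check("guest@test")` against the embedded configuration returns an empty list; changing the port to 1812 or removing `user-name-format without-domain` reproduces the failures the guidelines warn about.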
Configuring the 802.1X client
1. Open the iNode client as shown in Figure 2.
Figure 2 Opening iNode client
2. Click New.
3. On the Create New Connection Wizard window, select 802.1X protocol(X), and then click Next(N)>.
Figure 3 Creating a new connection
4. Configure the connection name, username, and password, and then click Next(N)>.
Figure 4 Configuring the connection name, username, and password
The following details must comply with the correlation rules shown in Table 1:
The username specified on the iNode client.
The domain and RADIUS scheme configuration on the access device.
The suffix of the service on the UAM.
Table 1 Parameter correlation
Username format on the iNode client | Domain on the access device | Username format configured on the access device | Service suffix on UAM
X@Y | Y | with-domain | Y
X@Y | Y | without-domain | No suffix
X | Default domain (the default dom