Friday, October 7, 2011

H3C - Typical L2 Configuration Commands



1.1. VLAN Configuration


# Configure VLANs
vlan 10
 description Data
vlan 20
 description Voice
vlan 5
 description Mgmt

#Add access ports to VLAN.
vlan 10
 port eth1/0/1 to eth1/0/24

#For VoIP phones:
Create the VoIP access (trunk) ports for all access ports that will have phones attached.
VLAN 10 will be the untagged native VLAN.
VLAN 20 will be tagged for voice traffic.
VLAN 1 will be removed from the trunk.

interface Ethernet1/0/1
 port link-type trunk
 port trunk permit vlan 10
 port trunk pvid vlan 10
 port trunk permit vlan 20
 undo port trunk permit vlan 1

# Display configured VLANs
display vlan all




1.2. Bridge Aggregation


Order is important in LAG group configuration:
- Clear out current port config
- Create LAG group and set it to dynamic if LACP is desired
- Add the ports to the LAG
- Do remaining config on the LAG

system-view

# 'link-aggregation mode dynamic' enables LACP
interface bridge-aggregation 1
 description LAG to EDGE_5800
 link-aggregation mode dynamic
 quit

# Interfaces added to the LAG:
interface ten 1/2/0/8
 port link-aggregation group 1
 quit

interface ten 2/2/0/8
 port link-aggregation group 1
 quit

interface bridge-aggregation 1
 port link-type trunk
 port trunk permit vlan 10 to 11
 undo port trunk permit vlan 1

display link-aggregation verbose

All interfaces should have a status of S (selected). If any show U (unselected), something is wrong.




1.3. Trunk Ports (802.1Q tag)


Configure interfaces as trunk ports between switches according to reference topology.

interface gi1/1/1
port link-type trunk
port trunk permit vlan 10
port trunk pvid vlan 10
port trunk permit vlan 20
port trunk permit vlan 5
undo port trunk permit vlan 1

Repeat the above configuration on relevant ports.

Use the commands below to verify the trunk configuration.
display port trunk
display int <interface name>




1.4. Spanning Tree - MSTP interoperability with PVST+

 

If you want PVST+ to interoperate with MSTP, the Cisco switch must send IEEE 802.1 standard BPDUs rather than the proprietary PVST+ BPDUs. The only way to have a Cisco switch running PVST+ send standard 802.1 BPDUs is to ensure that the native VLAN is VLAN 1.

The other possibility is to do nothing and have each side pass through the other's BPDUs, which are unknown in the receiving environment. To make your life easier, have only one connection between the two environments.

The spanning tree configuration on each switch uses the CST of MSTP to interoperate with the IEEE RSTP BPDUs that Cisco PVST+ sends on VLAN 1.

Apply these commands to all HP switches
stp bpdu-protection
stp enable

Configure the access ports for stp edge mode:
# Edge port:
interface eth1/0/1
stp edged-port enable

All H3C switches should agree that the root bridge is the Cisco root bridge for the CST

Also, standardize the STP port costs in both platforms.

On the HP-A switches:
[H3C] stp pathcost-standard dot1t

On Cisco:
(config)# spanning-tree pathcost method long


Verify with the following commands:
display stp brief
display stp root
display stp interface Ethernet 1/0/1

After connecting PC, the access port should move to forwarding state immediately.




1.5. Voice VLAN


Configure ports to support Cisco VoIP phones. Interfaces will carry the voice and data VLANs. Phones are placed in the voice VLAN via LLDP-CDP compliance. Use the appropriate IDF VoIP VLAN ID per site configuration. To avoid STP issues, remove VLAN 1 from the interface and set it as an edge port.

Interface commands:
interface GigabitEthernet1/0/18
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan <IDF-VoIP-VLAN> tagged
 port hybrid vlan <USER-VLAN> untagged
 port hybrid pvid vlan <USER-VLAN>
 undo voice vlan mode auto
 poe enable
 stp edged-port enable
 lldp compliance admin-status cdp txrx
 qos trust dscp

Configure additional ports as necessary.

Connect IP Phone to interface configured in Voice VLAN.

Data VLAN traffic passes untagged while voice traffic is tagged. Interfaces in the voice VLAN trust the QoS markings (802.1p or DSCP) on voice packets, so voice traffic is classified and given preferential treatment based on its frame/packet markings.




1.6. Layer 3 VLAN Interface Configuration


Assign IP addresses to the Management VLAN interfaces:
interface Vlan-interface5
 ip address 10.0.1.2 24

To show the configured interface address
display ip interface

Neighboring interfaces should be reachable







1.7. Interface Options and Port Security


1.7.1. Jumbo Frames


Jumbo frames are on by default; to manually enable an interface to pass jumbo frames:
interface gi1/0/1
jumboframe enable




1.7.2. DHCP Snooping


Enable DHCP Snooping on the switch and display results of client DHCP requests.
system-view
dhcp-snooping

With DHCP snooping enabled, a switch blocks DHCP server responses (such as ACKs) arriving on untrusted ports, preventing rogue DHCP servers from affecting the network. In order for a trusted DHCP server to function correctly and respond to requests, the interface towards it must be configured as 'trust'.

# Specify GigabitEthernet 1/0/1 as trusted.
interface gigabitethernet 1/0/1
dhcp-snooping trust
quit

The switch should maintain a DHCP snooping database by snooping DHCP requests and responses. Use the following to verify.
display dhcp-snooping <ip address>
display dhcp-snooping trust
display dhcp-snooping information all|interface




1.7.3. IP Source Guard


Enable IP Source Guard to allow only hosts that have received their IP address through DHCP onto the network. In this example we use the DHCP snooping database to verify client traffic. The client's IP-to-MAC binding must match the DHCP snooping database in order for its packets to be forwarded.

# Make sure DHCP snooping is enabled.
system-view
dhcp-snooping

# Set source guard
interface vlan 10
ip check source ip-address mac-address
quit

Verify the configuration and statistics by using the following:
display ip check source
display ip check source interface

Clients with statically configured IP addresses connected to ports not configured as dhcp-snooping trusted will not be allowed to communicate.




1.7.4. ARP Inspection


Configure Dynamic ARP Inspection and verify the results:
system-view
vlan 10
arp detection enable
quit
arp detection mode dhcp-snooping

ARP Inspection can also be configured to validate the source and destination MAC addresses, as well as the IP information in the packet header. To configure ARP detection validation based on source MAC, destination MAC, or IP address, do the following:
arp detection validate {dst-mac | src-mac | ip}

To configure a port as trusted, do the following:
interface gi1/0/2
arp detection trust

Use the following commands to verify the configuration and statistics:
display arp detection
display arp detection statistics interface

Hosts whose bindings do not exist in the DHCP snooping database, or those that fail the validity check, will not be allowed to communicate.
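The three features in 1.7.2 to 1.7.4 all hang off the same DHCP snooping binding table: replies from untrusted ports are discarded, an ACK on a trusted port creates an (IP, MAC, VLAN, port) binding, and IP Source Guard and ARP detection then drop traffic on untrusted ports that does not match a binding. The following Python model, added here as an illustration and not Comware code, walks through that sequence with a constructed scenario (port names, MACs and addresses are made up). It simplifies by using one trusted-port set for both 'dhcp-snooping trust' and 'arp detection trust'.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: the address a client was ACKed, on which port/VLAN."""
    ip: str
    mac: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Toy model (not Comware code) of the binding table shared by DHCP snooping,
    IP Source Guard and ARP detection. One 'trusted' set stands in for both
    'dhcp-snooping trust' and 'arp detection trust' (simplifying assumption)."""

    def __init__(self, trusted_ports: Set[str], validate_src_mac: bool = False) -> None:
        self.trusted = set(trusted_ports)
        self.validate_src_mac = validate_src_mac        # 'arp detection validate src-mac'
        self.pending: Dict[Tuple[str, int], str] = {}       # (client mac, vlan) -> access port
        self.bindings: Dict[Tuple[str, int], Binding] = {}  # (client mac, vlan) -> binding

    def client_request(self, port: str, vlan: int, mac: str) -> str:
        """DHCP DISCOVER/REQUEST from a client: forwarded, and the ingress port is remembered."""
        self.pending[(mac, vlan)] = port
        return "forward"

    def server_reply(self, port: str, vlan: int, client_mac: str, ip: str, kind: str) -> str:
        """DHCP OFFER/ACK arriving on `port`. Replies on untrusted ports are dropped,
        which is what stops a rogue server; an ACK on a trusted port creates a binding."""
        if port not in self.trusted:
            return "drop"
        key = (client_mac, vlan)
        if kind == "ACK" and key in self.pending:
            self.bindings[key] = Binding(ip, client_mac, vlan, self.pending[key])
        return "forward"

    def _bound(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        b: Optional[Binding] = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == port

    def check_ip(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        """IP Source Guard: 'ip check source ip-address mac-address' on an untrusted port."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return "forward"
        return "drop"

    def check_arp(self, port: str, vlan: int, eth_src: str, sender_mac: str, sender_ip: str) -> str:
        """ARP detection in dhcp-snooping mode; src-mac validation compares the
        Ethernet source address with the ARP sender hardware address."""
        if port in self.trusted:
            return "forward"
        if self.validate_src_mac and eth_src != sender_mac:
            return "drop"
        return "forward" if self._bound(port, vlan, sender_mac, sender_ip) else "drop"


def demo() -> Dict[str, str]:
    """Constructed scenario: one trusted uplink (GE1/0/1), clients on access ports."""
    sw = SnoopingSwitch(trusted_ports={"GE1/0/1"}, validate_src_mac=True)
    pc = "00:11:22:33:44:55"
    sw.client_request("GE1/0/5", 10, pc)
    return {
        # a DHCP server answering from an access port is discarded
        "rogue_ack": sw.server_reply("GE1/0/7", 10, pc, "10.0.10.250", "ACK"),
        # the real server behind the trusted uplink creates the binding
        "real_ack": sw.server_reply("GE1/0/1", 10, pc, "10.0.10.50", "ACK"),
        # the client's own traffic matches its binding
        "client_ip": sw.check_ip("GE1/0/5", 10, pc, "10.0.10.50"),
        # a statically addressed host on an untrusted port has no binding
        "static_host": sw.check_ip("GE1/0/6", 10, "aa:bb:cc:dd:ee:ff", "10.0.10.99"),
        # the client announcing an address it was never leased is blocked
        "arp_wrong_ip": sw.check_arp("GE1/0/5", 10, pc, pc, "10.0.10.1"),
        # Ethernet source and ARP sender MAC disagree: fails 'validate src-mac'
        "arp_bad_mac": sw.check_arp("GE1/0/5", 10, "de:ad:be:ef:00:01", pc, "10.0.10.50"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The 'static_host' case is the behaviour described in the last sentence of 1.7.3: with no binding, the static host is dropped even though nothing about its traffic is malformed, so a host that legitimately needs a static address must sit behind a trusted port or a static binding.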




1.7.5. BPDU Protection


BPDU Protection is enabled globally and applies to ports on which 'stp edged-port enable' is configured.
system-view
stp bpdu-protection

Make sure edge-port is enabled on interfaces that should be covered by BPDU Protection:
interface eth1/0/1
stp edged-port enable

Using another switch with STP enabled, connect it to the switch with BPDU Protection enabled. This will inject a BPDU into an access port forcing it to shut down.

With this function enabled on a switch, the switch shuts down the edge ports that receive configuration BPDUs. If a port is shut down, only the administrator can restore it.

Use this command to verify port status
display stp down-port
display interface eth1/0/1

Re-enable the interface with
undo shutdown
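Several of the sections above state an invariant that is easy to lose when a configuration is edited by hand: trunk and hybrid ports should have VLAN 1 removed (1.1, 1.3, 1.5), 'stp edged-port enable' only protects anything if 'stp bpdu-protection' is set globally (1.4, 1.7.5), and DHCP snooping needs at least one trusted port or the legitimate server is cut off too (1.7.2). The following Python script, added here as an example rather than anything from the page or from H3C, parses a saved Comware configuration into global lines and interface blocks and reports violations of those invariants, plus SNMP communities with no ACL attached (1.8.4). The sample configuration is constructed and deliberately contains two problems.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config (not a real device); GE1/0/2 still carries VLAN 1
# and the write community has no ACL.
SAMPLE_CONFIG = """\
stp bpdu-protection
stp enable
dhcp-snooping
snmp-agent community read public acl 2000
snmp-agent community write private
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 10 20
 undo port trunk permit vlan 1
 dhcp-snooping trust
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 10
 port trunk pvid vlan 10
 port trunk permit vlan 20
#
interface GigabitEthernet1/0/18
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 20 tagged
 port hybrid vlan 10 untagged
 stp edged-port enable
"""


def parse_comware(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a Comware config into global lines and per-interface blocks.
    An interface block ends at 'quit', a '#' separator, a blank line, or the
    next 'interface' command (the layouts used in this article)."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "quit":
            current = None
            continue
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
            continue
        if current is None:
            global_lines.append(line)
        else:
            interfaces[current].append(line)
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Return one finding per violated invariant; an empty list means clean."""
    glob, ifs = parse_comware(text)
    findings: List[str] = []
    for name, lines in ifs.items():
        # Comware trunk/hybrid ports carry VLAN 1 unless it is explicitly undone
        if "port link-type trunk" in lines and "undo port trunk permit vlan 1" not in lines:
            findings.append(f"{name}: trunk still carries VLAN 1")
        if "port link-type hybrid" in lines and "undo port hybrid vlan 1" not in lines:
            findings.append(f"{name}: hybrid port still carries VLAN 1")
        if "stp edged-port enable" in lines and "stp bpdu-protection" not in glob:
            findings.append(f"{name}: edge port without global stp bpdu-protection")
    if "dhcp-snooping" in glob and not any("dhcp-snooping trust" in l for l in ifs.values()):
        findings.append("dhcp-snooping enabled but no interface is trusted")
    for line in glob:
        m = re.match(r"snmp-agent community (read|write) (\S+)(?: acl (\d+))?$", line)
        if m and not m.group(3):
            findings.append(f"snmp community '{m.group(2)}' ({m.group(1)}) has no ACL")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Run it against the output of 'display current-configuration' saved to a file; the parser only understands the simple block layouts shown in this article, so anything exotic should be checked by hand.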




1.7.6. LLDP (Link Layer Discovery Protocol)


# enable globally
lldp enable

By default LLDP is enabled on every interface. In the event it was previously disabled, the following command will enable LLDP on an interface:
interface gi1/1/1
lldp enable
lldp admin-status txrx

Enable LLDP on the Cisco device.

After completing this configuration on neighboring switches, the following commands can be used to see status and LLDP neighbor information.
display lldp status
display lldp neighbor-information

Neighbor information should be displayed.






1.8. Device Access and Management



1.8.1. SSH


Assign an IP address to Mgmt VLAN prior to configuring SSH access.

# Create public keys first:
public-key local create rsa
public-key local create dsa

local-user ssh
 password cipher <password>
 authorization-attribute level 3
 service-type ssh

user-interface vty 0 4
 authentication-mode scheme
 set authentication password cipher <password>
 protocol inbound ssh
 quit

ssh user admin authentication-type password

Access device via SSH from client PC.

Access via SSH should be successful.





1.8.2. Telnet


Assign an IP address to Mgmt VLAN prior to configuring vty access.

Create local user account for testing:
local-user admin
 password cipher <password>
 service-type telnet ssh terminal level 3
 quit

Configure vty Telnet access:
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound telnet
 quit

Access via Telnet should be successful.




1.8.3. ACL Configuration (Control SNMP Access)


Create ACLs for controlling SNMP access in the next section.

acl number 2000
 description SNMP-RO
 rule permit source x.x.x.x 0.0.0.0
 rule permit source y.y.y.y 0.0.0.0
 rule permit source z.z.z.z 0.0.0.24
 quit

acl number 2001
 description SNMP-RW
 rule permit source a.a.a.a 0.0.0.0
 rule permit source b.b.b.b 0.0.0.0
 rule permit source c.c.c.c 0.0.0.24
 quit

When applied to the SNMP configuration, only allowed hosts will have SNMP access




1.8.4. SNMP


Configure SNMP parameters and apply the ACLs configured in the previous section to control access.
snmp-agent trap enable standard authentication warmstart linkdown linkup coldstart
snmp-agent trap enable configuration
snmp-agent trap enable flash
snmp-agent trap enable system

snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname 123456
snmp-agent target-host trap address udp-domain 2.2.2.2 params securityname 123456
snmp-agent target-host trap address udp-domain 3.3.3.3 params securityname 123456
snmp-agent target-host trap address udp-domain 4.4.4.4 params securityname 123456

snmp-agent community read public acl 2000
snmp-agent community write private acl 2001

Only hosts or networks identified in ACL 2000 and 2001 should have read and write access respectively.
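The basic ACLs in 1.8.3 use Comware wildcard masks, where a 0 bit must match the rule's address and a 1 bit is don't-care, and a source with no matching permit is denied. The Python below is an added example (not code from the page or from H3C) that parses rules in that syntax, evaluates a source address against them in configuration order (the match order is assumed to be config order), and enumerates exactly which addresses a wildcard admits. That last function is the check worth running before deploying an ACL like the one above: a wildcard of 0.0.0.24 admits only four addresses (last octet 0, 8, 16, 24), not a /24 as the shape might suggest. The sample ACL is constructed.

```python
import ipaddress
import re
from typing import List, Tuple

Rule = Tuple[str, str, str]  # (action, base address, wildcard)
RULE_RE = re.compile(r"rule\s+(?:\d+\s+)?(permit|deny)\s+source\s+(\S+)(?:\s+(\S+))?")

# Constructed sample in the syntax of section 1.8.3 (addresses are made up)
SAMPLE_ACL = """\
acl number 2000
 description SNMP-RO
 rule permit source 10.1.1.1 0.0.0.0
 rule permit source 10.1.1.2 0
 rule permit source 10.1.2.0 0.0.0.24
 quit
"""


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _wildcard(s: str) -> int:
    # Comware accepts a bare '0' as shorthand for the host wildcard 0.0.0.0
    return 0 if s == "0" else _ip(s)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base; a 1 bit is don't-care."""
    if base == "any":
        return True
    care = ~_wildcard(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care == 0


def parse_basic_acl(text: str) -> List[Rule]:
    """Pull (action, source, wildcard) out of 'rule [id] permit|deny source ...' lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3) or "0"))
    return rules


def acl_decision(rules: List[Rule], src: str) -> str:
    """First matching rule wins (config order assumed); no match means deny,
    which is what the switch does for an SNMP community bound to the ACL."""
    for action, base, wc in rules:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


def addresses_covered(base: str, wildcard: str, max_bits: int = 8) -> List[str]:
    """Enumerate every address a (base, wildcard) pair admits, in ascending order.
    Refuses wildcards with more than max_bits don't-care bits to keep output small."""
    w = _wildcard(wildcard)
    fixed = _ip(base) & ~w & 0xFFFFFFFF
    free = [i for i in range(32) if (w >> i) & 1]
    if len(free) > max_bits:
        raise ValueError(f"wildcard {wildcard} covers 2**{len(free)} addresses")
    out = []
    for combo in range(1 << len(free)):
        v = fixed
        for j, bit in enumerate(free):
            if (combo >> j) & 1:
                v |= 1 << bit
        out.append(v)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(out)]


if __name__ == "__main__":
    rules = parse_basic_acl(SAMPLE_ACL)
    for src in ("10.1.1.1", "10.1.1.3", "10.1.2.16", "10.1.2.9"):
        print(src, acl_decision(rules, src))
    print("0.0.0.24 admits:", addresses_covered("10.1.2.0", "0.0.0.24"))
```

If the intent for the third rule was a whole /24 of management hosts, the wildcard should read 0.0.0.255; enumerating with addresses_covered makes the difference visible before the community is locked down to the wrong set of hosts.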




1.8.5. Syslog


Configure syslog target hosts.
info-center loghost 10.1.1.1
info-center loghost 10.1.1.2
info-center loghost 10.1.1.3
info-center enable

Syslog servers at the defined addresses will receive log messages.




1.8.6. TACACS


Configure TACACS AAA
hwtacacs scheme tac-scheme
 primary authentication 10.1.1.1
 primary authorization 10.1.1.1
 primary accounting 10.1.1.1
 secondary authentication 10.1.1.2
 secondary authorization 10.1.1.2
 secondary accounting 10.1.1.2
 key authentication 12345
 key authorization 12345
 key accounting 12345
 user-name-format without-domain
 nas-ip <ip address of switch>
 quit

domain cardinalhealth.net
authentication login hwtacacs-scheme tacacs
 authorization login hwtacacs-scheme tacacs
 accounting login hwtacacs-scheme tacacs
 access-limit disable
 state active

domain default enable cardinalhealth.net

ssh authentication-type default password

Users logging in to the switch via Telnet or SSH will be authenticated via TACACS. Users not defined on the TACACS server, or in a backend directory it queries, will be unable to authenticate.






1.8.7. sFlow Configuration


# Send sFlow data to a predefined collector
system-view
# the agent address can be a VLAN interface address
sflow agent ip <ip-address>
sflow collector ip <ip-address> port <port-num>
# default interval is every 20 seconds
sflow interval <interval-time>

# enable sFlow on each interface required:
int ten 1/2/0/1
sflow enable { inbound | outbound }
# default sampling rate is 16384
sflow sampling-rate <rate>

Verify collector receives flow data.




1.8.8. Port Mirroring


Local Port mirroring

interface eth1/0/24
stp disable
quit

mirroring-group 1 local
mirroring-group 1 mirroring-port eth1/0/1 to eth1/0/5 both
mirroring-group 1 monitor-port eth1/0/24

Display mirroring configuration
display mirroring-group 1

Connect host to mirroring port and generate traffic.
Connect Ethereal host to monitor port and observe packet capture.

Ethereal application should capture packet data from source mirroring port.










5 comments:

  1. This is just too too cool brother

  2. Can you please help me to configure IPSEC in 3COM routers?

     Reply: You can find that in the Security Configuration Guides on hp.com/rnd.

  3. I am loving this article. Very crisp, clear, and concise. Each snippet allows one to focus like a laser on each topic without clouding the mind with tons of information.

Please add comments so I may update the material to accommodate platform modification to various commands. Also if you have some real-world caveats, do please share.
